From 65ff0bc4f0bb27844bcbba49593b73122aa2a156 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Fri, 17 Mar 2006 20:29:37 +0000
Subject: [PATCH] * Fri Mar 10 2006 Dan Walsh 1.29.27-1

- Add restorecond

---
 .cvsignore | 2 +
 policycoreutils-rhat.patch | 1956 ++++++++++++++++--------------------
 policycoreutils.spec | 20 +-
 sources | 2 +-
 4 files changed, 909 insertions(+), 1071 deletions(-)

diff --git a/.cvsignore b/.cvsignore
index 76a3521..327fcc1 100644
--- a/.cvsignore
+++ b/.cvsignore
@@ -92,3 +92,5 @@ policycoreutils-1.29.19.tgz
 policycoreutils-1.29.20.tgz
 policycoreutils-1.29.23.tgz
 policycoreutils-1.29.26.tgz
+policycoreutils-1.29.27.tgz
+policycoreutils-1.30.tgz
diff --git a/policycoreutils-rhat.patch b/policycoreutils-rhat.patch
index f648ed8..a0f7c39 100644
--- a/policycoreutils-rhat.patch
+++ b/policycoreutils-rhat.patch
@@ -1,324 +1,876 @@ -diff --exclude-from=exclude -N -u -r nsapolicycoreutils/audit2allow/audit2allow policycoreutils-1.29.26/audit2allow/audit2allow ---- nsapolicycoreutils/audit2allow/audit2allow 2005-12-08 12:52:44.000000000 -0500 -+++ policycoreutils-1.29.26/audit2allow/audit2allow 2006-03-06 09:44:31.000000000 -0500 -@@ -25,6 +25,118 @@ - # - # - import commands, sys, os, pwd, string, getopt, re, selinux -+ -+obj="(\{[^\}]*\}|[^ \t:]*)" -+allow_regexp="allow[ \t]+%s[ \t]*%s[ \t]*:[ \t]*%s[ \t]*%s" % (obj, obj, obj, obj) -+ -+awk_script='/^[[:blank:]]*interface[[:blank:]]*\(/ {\n\ -+ IFACEFILE=FILENAME\n\ -+ IFACENAME = gensub("^[[:blank:]]*interface[[:blank:]]*\\\\(\`?","","g",$0);\n\ -+ IFACENAME = gensub("\'?,.*$","","g",IFACENAME);\n\ -+}\n\ -+\n\ -+/^[[:blank:]]*allow[[:blank:]]+.*;[[:blank:]]*$/ {\n\ -+\n\ -+ if ((length(IFACENAME) > 0) && (IFACEFILE == FILENAME)){\n\ -+ ALLOW = gensub("^[[:blank:]]*","","g",$0)\n\ -+ ALLOW = gensub(";[[:blank:]]*$","","g",$0)\n\ -+ print FILENAME "\\t" IFACENAME "\\t" ALLOW;\n\ -+ }\n\ -+}\ -+' -+ -+class accessTrans: -+ def __init__(self): -+ self.dict={} -+ try: -+ fd=open("/usr/share/selinux/devel/include/support/obj_perm_sets.spt") -+ except IOError, error: -+ raise IOError("Reference policy generation requires the policy development package.\n%s" % error) -+ records=fd.read().split("\n") -+ regexp="^define *\(`([^']*)' *, *` *\{([^}]*)}'" -+ for r in records: -+ m=re.match(regexp,r) -+ if m!=None: -+ self.dict[m.groups()[0]] = m.groups()[1].split() -+ fd.close() -+ def get(self, var): -+ l=[] -+ for v in var: -+ if v in self.dict.keys(): -+ l += self.dict[v] -+ else: -+ if v not in ("{", "}"): -+ l.append(v) -+ return l -+ -+class interfaces: -+ def __init__(self): -+ self.dict={} -+ trans=accessTrans() -+ (input, output) = os.popen2("awk -f - /usr/share/selinux/devel/include/*/*.if 2> /dev/null") -+ input.write(awk_script) -+ input.close() -+ records=output.read().split("\n") -+ input.close() -+ if len(records) > 0: 
-+ regexp="([^ \t]*)[ \t]+([^ \t]*)[ \t]+%s" % allow_regexp -+ for r in records: -+ m=re.match(regexp,r) -+ if m==None: -+ continue -+ else: -+ val=m.groups() -+ file=os.path.basename(val[0]).split(".")[0] -+ iface=val[1] -+ Scon=val[2].split() -+ Tcon=val[3].split() -+ Class=val[4].split() -+ Access=trans.get(val[5].split()) -+ for s in Scon: -+ for t in Tcon: -+ for c in Class: -+ if (s, t, c) not in self.dict.keys(): -+ self.dict[(s, t, c)]=[] -+ self.dict[(s, t, c)].append((Access, file, iface)) -+ def out(self): -+ keys=self.dict.keys() -+ keys.sort() -+ for k in keys: -+ print k -+ for i in self.dict[k]: -+ print "\t", i -+ -+ def match(self, Scon, Tcon, Class, Access): -+ keys=self.dict.keys() -+ ret=[] -+ if (Scon, Tcon, Class) in keys: -+ for i in self.dict[(Scon, Tcon, Class)]: -+ if Access in i[0]: -+ if i[2].find(Access) >= 0: -+ ret.insert(0, i) -+ else: -+ ret.append(i) -+ return ret -+ if ("$1", Tcon, Class) in keys: -+ for i in self.dict[("$1", Tcon, Class)]: -+ if Access in i[0]: -+ if i[2].find(Access) >= 0: -+ ret.insert(0, i) -+ else: -+ ret.append(i) -+ return ret -+ if (Scon, "$1", Class) in keys: -+ for i in self.dict[(Scon, "$1", Class)]: -+ if Access in i[0]: -+ if i[2].find(Access) >= 0: -+ ret.insert(0, i) -+ else: -+ ret.append(i) -+ return ret -+ else: -+ return ret -+ -+ - class serule: - def __init__(self, type, source, target, seclass): - self.type=type -@@ -32,6 +144,8 @@ - self.target=target - self.seclass=seclass - self.avcinfo={} -+ self.iface=None -+ - def add(self, avc): - for a in avc[0]: - if a not in self.avcinfo.keys(): -@@ -67,6 +181,33 @@ - ret=ret + " : " + i - return ret - -+ def gen_reference_policy(self, iface): -+ ret="" -+ Scon=self.source -+ Tcon=self.gettarget() -+ Class=self.seclass -+ Access=self.getAccess() -+ m=iface.match(Scon,Tcon,Class,Access) -+ if len(m)==0: -+ return self.out() -+ else: -+ file=m[0][1] -+ ret="\n#%s\n"% self.out() -+ ret += "optional_policy(`%s', `\n" % m[0][1] -+ first=True -+ for i in 
m: -+ if file != i[1]: -+ ret += "')\ngen_require(`%s', `\n" % i[1] -+ file = i[1] -+ first=True -+ if first: -+ ret += "\t%s(%s)\n" % (i[2], Scon) -+ first=False -+ else: -+ ret += "#\t%s(%s)\n" % (i[2], Scon) -+ ret += "');" -+ return ret -+ - def gettarget(self): - if self.source == self.target: - return "self" -@@ -81,7 +222,12 @@ - self.types=[] - self.roles=[] - self.load(input, te_ind) -- -+ self.gen_ref_policy = False -+ -+ def gen_reference_policy(self): -+ self.gen_ref_policy = True -+ self.iface=interfaces() -+ - def warning(self, error): - sys.stderr.write("%s: " % sys.argv[0]) - sys.stderr.write("%s\n" % error) -@@ -104,7 +250,8 @@ - while line: - rec=line.split() - for i in rec: -- if i=="avc:" or i=="message=avc:": -+ if i=="avc:" or i=="message=avc:" or i=="msg='avc:": -+ - found=1 - else: - avc.append(i) -@@ -166,7 +313,7 @@ - self.add_seclass(seclass, access) - self.add_type(tcon) - self.add_type(scon) -- if (type, scon, tcon, seclass) not in self.seRules.keys(): -+ if (rule_type, scon, tcon, seclass) not in self.seRules.keys(): - self.seRules[(rule_type, scon, tcon, seclass)]=serule(rule_type, scon, tcon, seclass) - - self.seRules[(rule_type, scon, tcon, seclass)].add((access, msg, comm, name )) -@@ -182,9 +329,10 @@ - if "security_compute_sid" in avc: - return - -+ if "load_policy" in avc and self.last_reload: -+ self.seRules={} -+ - if "granted" in avc: -- if "load_policy" in avc and self.last_reload: -- self.seRules={} - return - try: - for i in range (0, len(avc)): -@@ -292,7 +440,10 @@ - keys=self.seRules.keys() - keys.sort() - for i in keys: -- rec += self.seRules[i].out(verbose)+"\n" -+ if self.gen_ref_policy: -+ rec += self.seRules[i].gen_reference_policy(self.iface)+"\n" -+ else: -+ rec += self.seRules[i].out(verbose)+"\n" - return rec - - if __name__ == '__main__': -@@ -342,11 +493,12 @@ - buildPP=0 - input_ind=0 - output_ind=0 -+ ref_ind=False - te_ind=0 - - fc_file="" - gopts, cmds = getopt.getopt(sys.argv[1:], -- 'adf:hi:lm:M:o:rtv', 
-+ 'adf:hi:lm:M:o:rtvR', - ['all', - 'dmesg', - 'fcfile=', -@@ -356,6 +508,7 @@ - 'module=', - 'output=', - 'requires', -+ 'reference', - 'tefile', - 'verbose' - ]) -@@ -397,6 +550,9 @@ - if auditlogs: - usage() - te_ind=1 -+ if o == "-R" or o == "--reference": -+ ref_ind=True -+ - if o == "-o" or o == "--output": - if module != "" or a[0]=="-": - usage() -@@ -413,6 +569,10 @@ - - out=seruleRecords(input, last_reload, verbose, te_ind) +diff --exclude-from=exclude -N -u -r nsapolicycoreutils/Makefile policycoreutils-1.29.27/Makefile +--- nsapolicycoreutils/Makefile 2005-11-29 10:55:01.000000000 -0500 ++++ policycoreutils-1.29.27/Makefile 2006-03-15 16:06:43.000000000 -0500 +@@ -1,4 +1,4 @@ +-SUBDIRS=setfiles semanage load_policy newrole run_init restorecon audit2allow audit2why scripts sestatus semodule_package semodule semodule_link semodule_expand setsebool po ++SUBDIRS=setfiles semanage load_policy newrole run_init restorecon restorecond audit2allow audit2why scripts sestatus semodule_package semodule semodule_link semodule_expand setsebool po + all install relabel clean: + @for subdir in $(SUBDIRS); do \ +diff --exclude-from=exclude -N -u -r nsapolicycoreutils/restorecond/Makefile policycoreutils-1.29.27/restorecond/Makefile +--- nsapolicycoreutils/restorecond/Makefile 1969-12-31 19:00:00.000000000 -0500 ++++ policycoreutils-1.29.27/restorecond/Makefile 2006-03-15 16:08:46.000000000 -0500 +@@ -0,0 +1,29 @@ ++# Installation directories. 
++PREFIX ?= ${DESTDIR}/usr ++SBINDIR ?= $(PREFIX)/sbin ++MANDIR = $(PREFIX)/share/man ++INITDIR = $(DESTDIR)/etc/rc.d/init.d ++SELINUXDIR = $(DESTDIR)/etc/selinux + -+ if ref_ind: -+ out.gen_reference_policy() ++CFLAGS ?= -g -Werror -Wall -W ++override CFLAGS += -I$(PREFIX)/include -D_FILE_OFFSET_BITS=64 ++LDLIBS += -lselinux -L$(PREFIX)/lib + - if auditlogs: - input=os.popen("ausearch -m avc") - out.load(input) -@@ -423,15 +583,15 @@ - output.flush() - if buildPP: - cmd="checkmodule %s -m -o %s.mod %s.te" % (get_mls_flag(), module, module) -- print "Compiling policy: %s" % cmd -+ print "Compiling policy" -+ print cmd - rc=commands.getstatusoutput(cmd) - if rc[0]==0: - cmd="semodule_package -o %s.pp -m %s.mod" % (module, module) -- print cmd - if fc_file != "": - cmd = "%s -f %s" % (cmd, fc_file) - -- print "Building package: %s" % cmd -+ print cmd - rc=commands.getstatusoutput(cmd) - if rc[0]==0: - print ("\n******************** IMPORTANT ***********************\n") -@@ -446,6 +606,6 @@ - except ValueError, error: - errorExit(error.args[0]) - except IOError, error: -- errorExit(error.args[1]) -+ errorExit(error) - except KeyboardInterrupt, error: - sys.exit(0) -diff --exclude-from=exclude -N -u -r nsapolicycoreutils/audit2allow/audit2allow.1 policycoreutils-1.29.26/audit2allow/audit2allow.1 ---- nsapolicycoreutils/audit2allow/audit2allow.1 2005-12-01 10:11:27.000000000 -0500 -+++ policycoreutils-1.29.26/audit2allow/audit2allow.1 2006-02-23 16:32:45.000000000 -0500 -@@ -65,6 +65,9 @@ - .B "\-r" | "\-\-requires" - Generate require output syntax for loadable modules. - .TP -+.B "\-R" | "\-\-reference" -+Generate reference policy using installed macros -+.TP - .B "\-t " | "\-\-tefile" - Indicates input file is a te (type enforcement) file. This can be used to translate old te format to new policy format. 
- .TP -diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/chcat policycoreutils-1.29.26/scripts/chcat ---- nsapolicycoreutils/scripts/chcat 2006-01-27 01:16:33.000000000 -0500 -+++ policycoreutils-1.29.26/scripts/chcat 2006-03-03 18:21:05.000000000 -0500 -@@ -320,7 +320,7 @@ - if len(cats) > 1 and cats[1] != "s0": - print "%s: %s" % (u, cats[1]) - else: -- print "%s:" % u -+ print "%s: %s" % (u, cats[0]) - - def error(msg): - print "%s: %s" % (sys.argv[0], msg) -diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/fixfiles policycoreutils-1.29.26/scripts/fixfiles ++all: restorecond ++ ++restorecond: restorecond.o utmpwatcher.o stringslist.o ++ $(CC) $(LDFLAGS) -o $@ $^ $(LDLIBS) ++ ++install: all ++ [ -d $(MANDIR)/man8 ] || mkdir -p $(MANDIR)/man8 ++ -mkdir -p $(SBINDIR) ++ install -m 755 restorecond $(SBINDIR) ++ install -m 644 restorecond.8 $(MANDIR)/man8 ++ -mkdir -p $(INITDIR) ++ install -m 644 restorecond.init $(INITDIR)/restorecond ++ -mkdir -p $(SELINUXDIR) ++ install -m 600 restorecond.conf $(SELINUXDIR)/restorecond.conf ++ ++clean: ++ -rm -f restorecond *.o *~ ++ +diff --exclude-from=exclude -N -u -r nsapolicycoreutils/restorecond/restorecond.8 policycoreutils-1.29.27/restorecond/restorecond.8 +--- nsapolicycoreutils/restorecond/restorecond.8 1969-12-31 19:00:00.000000000 -0500 ++++ policycoreutils-1.29.27/restorecond/restorecond.8 2006-03-15 16:06:43.000000000 -0500 +@@ -0,0 +1,31 @@ ++.TH "restorecond" "8" "2002031409" "" "" ++.SH "NAME" ++restorecond \- daemon that watches for file creation and then corrects file context ++ ++.SH "SYNOPSIS" ++.B restorecond [\-d] ++.P ++ ++.SH "DESCRIPTION" ++This manual page describes the ++.BR restorecond ++program. ++.P ++This daemon uses inotify to watch files listed in the /etc/selinux/POLICYTYPE/restorconfiles.conf, when they are created, this daemon will make sure they have ++the correct file context associated with the policy. ++ ++.SH "OPTIONS" ++.TP ++.B \-d ++Turns on debugging mode. 
Application will stay in the foreground and lots of ++debugs messages start printing. ++ ++.SH "AUTHOR" ++This man page was written by Dan Walsh . ++The program was written by Dan Walsh . ++ ++.SH "FILES" ++/etc/selinux/POLICYTYPE/restorconfiles.conf ++ ++.SH "SEE ALSO" ++.BR restorecon (8), +diff --exclude-from=exclude -N -u -r nsapolicycoreutils/restorecond/restorecond.c policycoreutils-1.29.27/restorecond/restorecond.c +--- nsapolicycoreutils/restorecond/restorecond.c 1969-12-31 19:00:00.000000000 -0500 ++++ policycoreutils-1.29.27/restorecond/restorecond.c 2006-03-15 16:06:43.000000000 -0500 +@@ -0,0 +1,463 @@ ++/* ++ * restorecond ++ * ++ * AUTHOR: Dan Walsh ++ * ++ * Copyright (C) 2006 Red Hat ++ * see file 'COPYING' for use and warranty information ++ * ++ * semanage is a tool for managing SELinux configuration files ++ * ++ * This program is free software; you can redistribute it and/or ++ * modify it under the terms of the GNU General Public License as ++ * published by the Free Software Foundation; either version 2 of ++ * the License, or (at your option) any later version. ++ * ++ * This program is distributed in the hope that it will be useful, ++ * but WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++ * GNU General Public License for more details. 
++.* ++ * You should have received a copy of the GNU General Public License ++ * along with this program; if not, write to the Free Software ++ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA ++ * 02111-1307 USA ++ * ++*/ ++ ++/* ++ * PURPOSE: ++ * This daemon program watches for the creation of files listed in a config file ++ * and makes sure that there security context matches the systems defaults ++ * ++ * USAGE: ++ * restorecond [-d] ++ * ++ * -d Run in debug mode ++ * ++ * EXAMPLE USAGE: ++ * restorecond ++ * ++ */ ++ ++#define _GNU_SOURCE ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++ ++#include "restorecond.h" ++#include "stringslist.h" ++#include "utmpwatcher.h" ++ ++extern char *dirname(char *path); ++static int master_fd=-1; ++static int master_wd=-1; ++#include ++#include ++ ++/* size of the event structure, not counting name */ ++#define EVENT_SIZE (sizeof (struct inotify_event)) ++/* reasonable guess as to size of 1024 events */ ++#define BUF_LEN (1024 * (EVENT_SIZE + 16)) ++ ++static int debug_mode=0; ++ ++static void restore(const char *filename); ++ ++struct watchList { ++ struct watchList *next; ++ int wd; ++ char *dir; ++ struct stringsList *files; ++}; ++struct watchList *firstDir=NULL; ++ ++/* Compare two contexts to see if their differences are "significant", ++ * or whether the only difference is in the user. */ ++static int only_changed_user(const char *a, const char *b) ++{ ++ char *rest_a, *rest_b; /* Rest of the context after the user */ ++ if (!a || !b) return 0; ++ rest_a = strchr(a, ':'); ++ rest_b = strchr(b, ':'); ++ if (!rest_a || !rest_b) return 0; ++ return (strcmp(rest_a, rest_b) == 0); ++} ++ ++/* ++ A file was in a direcroty has been created. This function checks to ++ see if it is one that we are watching. 
++*/ ++ ++static int watch_list_find(int wd, const char *file) { ++ struct watchList *ptr=NULL; ++ ptr=firstDir; ++ ++ if (debug_mode) ++ printf("%d: File=%s\n", wd, file); ++ while (ptr != NULL) { ++ if (ptr->wd == wd) { ++ if (strings_list_find(ptr->files, file) == 0) { ++ char *path=NULL; ++ if (asprintf(&path, "%s/%s",ptr->dir, file) < 0) ++ exitApp("Error allocating memory."); ++ restore (path); ++ free(path); ++ return 0; ++ } ++ if (debug_mode) ++ strings_list_print(ptr->files); ++ ++ /* Not found in this directory */ ++ return -1; ++ } ++ ptr=ptr->next; ++ } ++ /* Did not find a directory */ ++ return -1; ++} ++ ++static void watch_list_free(int fd) { ++ struct watchList *ptr=NULL; ++ struct watchList *prev=NULL; ++ ptr=firstDir; ++ ++ while (ptr!=NULL) { ++ inotify_rm_watch(fd, ptr->wd); ++ strings_list_free(ptr->files); ++ free(ptr->dir); ++ prev=ptr; ++ ptr=ptr->next; ++ free(prev); ++ } ++ firstDir=NULL; ++} ++ ++/* ++ Set the file context to the default file context for this system. ++ Same as restorecon. 
++*/ ++static void restore(const char *filename) { ++ int retcontext=0; ++ security_context_t scontext=NULL; ++ security_context_t prev_context=NULL; ++ struct stat st; ++ char path[PATH_MAX+1]; ++ if (debug_mode) ++ printf("restore %s\n", filename); ++ ++ if (lstat(filename, &st)!=0) return; ++ ++ if (S_ISLNK(st.st_mode)) { ++ char *p = NULL, *file_sep; ++ char *tmp_path = strdupa(filename); ++ size_t len=0; ++ if (!tmp_path) { ++ exitApp("Out of Memory"); ++ } ++ file_sep = strrchr(tmp_path, '/'); ++ if(file_sep) ++ { ++ *file_sep = 0; ++ file_sep++; ++ p = realpath(tmp_path, path); ++ } ++ else { ++ file_sep = tmp_path; ++ p = realpath("./", path); ++ } ++ if(p) ++ len = strlen(p); ++ if (!p || len + strlen(file_sep) + 2 > PATH_MAX) { ++ syslog(LOG_ERR,"realpath(%s) failed %s\n", filename, strerror(errno)); ++ return; ++ } ++ p += len; ++ *p = '/'; ++ p++; ++ strcpy(p, file_sep); ++ filename = path; ++ } else { ++ char *p; ++ p = realpath(filename, path); ++ if (!p) { ++ syslog(LOG_ERR,"realpath(%s) failed %s\n", filename, strerror(errno)); ++ return; ++ } ++ filename = p; ++ } ++ if (matchpathcon(filename, st.st_mode, &scontext) < 0) { ++ if (errno == ENOENT) ++ return; ++ syslog(LOG_ERR,"matchpathcon(%s) failed %s\n", filename,strerror(errno)); ++ return; ++ } ++ retcontext=lgetfilecon(filename,&prev_context); ++ ++ if (retcontext >= 0 || errno == ENODATA) { ++ if (retcontext < 0) prev_context=NULL; ++ if (retcontext < 0 || ++ (strcmp(prev_context,scontext) != 0)) { ++ ++ if (only_changed_user(scontext, prev_context) != 0) { ++ free(scontext); ++ free(prev_context); ++ return; ++ } ++ ++ if (lsetfilecon(filename,scontext) < 0) { ++ syslog(LOG_ERR,"set context %s->%s failed:'%s'\n", ++ filename, scontext, strerror(errno)); ++ if (retcontext >= 0) ++ free(prev_context); ++ free(scontext); ++ return; ++ } ++ syslog(LOG_WARNING,"Reset file context %s: %s->%s\n", filename, prev_context, scontext); ++ } ++ if (retcontext >= 0) ++ free(prev_context); ++ } ++ else { 
++ syslog(LOG_ERR,"get context on %s failed: '%s'\n", ++ filename, strerror(errno)); ++ } ++ free(scontext); ++} ++ ++static void process_config(int fd, FILE *cfg) { ++ char *line_buf=NULL; ++ unsigned int len=0; ++ ++ while (getline(&line_buf, &len, cfg)>0) { ++ char *buffer=line_buf; ++ while(isspace(*buffer)) ++ buffer++; ++ if(buffer[0] == '#') continue; ++ int l=strlen(buffer)-1; ++ if ( l <= 0 ) continue; ++ buffer[l]=0; ++ if(buffer[0] == '~') ++ utmpwatcher_add(fd, &buffer[1]); ++ else { ++ watch_list_add(fd, buffer); ++ } ++ } ++ free(line_buf); ++} ++ ++/* ++ Read config file ignoring Comment lines ++ Files specified one per line. Files with "~" will be expanded to the logged in users ++ homedirs. ++*/ ++ ++static void read_config(int fd) { ++ char *watch_file_path="/etc/selinux/restorecond.conf"; ++ ++ FILE *cfg = NULL; ++ if (debug_mode) ++ printf("Read Config\n"); ++ ++ watch_list_free(fd); ++ ++ cfg=fopen(watch_file_path, "r"); ++ if (!cfg) exitApp("Error reading config file."); ++ process_config(fd, cfg); ++ fclose(cfg); ++ ++ inotify_rm_watch(fd, master_wd); ++ master_wd=inotify_add_watch (fd, watch_file_path, IN_MOVED_FROM | IN_MODIFY); ++} ++ ++/* ++ Inotify watch loop ++*/ ++static int watch(int fd) { ++ char buf[BUF_LEN]; ++ int len, i = 0; ++ len = read(fd, buf, BUF_LEN); ++ if (len < 0) { ++ return -1; ++ } else if (!len) ++ /* BUF_LEN too small? 
*/ ++ return -1; ++ while (i < len) { ++ struct inotify_event *event; ++ event = (struct inotify_event *) &buf[i]; ++ if (debug_mode) ++ printf ("wd=%d mask=%u cookie=%u len=%u\n", ++ event->wd, event->mask, ++ event->cookie, event->len); ++ if (event->wd == master_wd) ++ read_config(fd); ++ else { ++ switch (utmpwatcher_handle(fd, event->wd)) { ++ case -1: /* Message was not for utmpwatcher */ ++ if (event->len) ++ watch_list_find (event->wd, event->name); ++ break; ++ ++ case 1: /* utmp has changed need to reload */ ++ read_config(fd); ++ break; ++ ++ default: /* No users logged in or out */ ++ break; ++ } ++ } ++ ++ ++ i += EVENT_SIZE + event->len; ++ } ++ return 0; ++} ++ ++static const char *pidfile = "/var/run/restorecond.pid"; ++ ++static int write_pid_file(void) ++{ ++ int pidfd, len; ++ char val[16]; ++ ++ len = snprintf(val, sizeof(val), "%u\n", getpid()); ++ if (len < 0) { ++ syslog(LOG_ERR, "Pid error (%s)", strerror(errno)); ++ pidfile = 0; ++ return 1; ++ } ++ pidfd = open(pidfile, O_CREAT | O_TRUNC | O_NOFOLLOW | O_WRONLY, 0644); ++ if (pidfd < 0) { ++ syslog(LOG_ERR, "Unable to set pidfile (%s)", ++ strerror(errno)); ++ pidfile = 0; ++ return 1; ++ } ++ (void)write(pidfd, val, (unsigned int)len); ++ close(pidfd); ++ return 0; ++} ++ ++/* ++ * SIGTERM handler ++ */ ++static void term_handler() ++{ ++ /* trigger a failure in the watch */ ++ close(master_fd); ++} ++ ++ ++static void usage(char *program) { ++ printf("%s [-d] \n", program); ++ exit(0); ++} ++ ++void exitApp(const char *msg) { ++ perror(msg); ++ exit(-1); ++} ++ ++/* ++ Add a file to the watch list. We are watching for file creation, so we actually ++ put the watch on the directory and then examine all files created in that directory ++ to see if it is one that we are watching. 
++*/ ++ ++void watch_list_add(int fd, const char *path) { ++ struct watchList *ptr=NULL; ++ struct watchList *prev=NULL; ++ char *x=strdup(path); ++ if (!x) exitApp("Out of Memory"); ++ char *dir=dirname(x); ++ char *file=basename(path); ++ ptr=firstDir; ++ ++ restore(path); ++ ++ while (ptr!=NULL) { ++ if (strcmp(dir, ptr->dir) == 0) { ++ strings_list_add(&ptr->files, file); ++ free(x); ++ return; ++ } ++ prev=ptr; ++ ptr=ptr->next; ++ } ++ ptr=calloc(1, sizeof(struct watchList)); ++ ++ if (!ptr) exitApp("Out of Memory"); ++ ptr->wd=inotify_add_watch (fd, dir, IN_CREATE); ++ ++ ptr->dir=strdup(dir); ++ if (!ptr->dir) exitApp("Out of Memory"); ++ ++ strings_list_add(&ptr->files, file); ++ if (prev) ++ prev->next=ptr; ++ else ++ firstDir=ptr; ++ ++ if (debug_mode) ++ printf("%d: Dir=%s, File=%s\n", ptr->wd, ptr->dir, file); ++ ++ free(x); ++} ++ ++int main(int argc, char **argv) { ++ int opt; ++ struct sigaction sa; ++ ++#ifndef DEBUG ++ /* Make sure we are root */ ++ if (getuid() != 0) { ++ fprintf(stderr, "You must be root to run this program.\n"); ++ return 4; ++ } ++#endif ++ ++ /* Register sighandlers */ ++ sa.sa_flags = 0 ; ++ sa.sa_handler = term_handler; ++ sigemptyset( &sa.sa_mask ) ; ++ sigaction( SIGTERM, &sa, NULL ); ++ ++ master_fd = inotify_init (); ++ if (master_fd < 0) ++ exitApp("inotify_init"); ++ ++ while ((opt = getopt(argc, argv, "d")) > 0) { ++ switch (opt) { ++ case 'd': ++ debug_mode = 1; ++ break; ++ case '?': ++ usage(argv[0]); ++ } ++ } ++ read_config(master_fd); ++ ++ write_pid_file(); ++ ++ if (! 
debug_mode) ++ daemon(0, 0); ++ ++ while (watch(master_fd) == 0 ) {}; ++ ++ watch_list_free(master_fd); ++ close(master_fd); ++ if (pidfile) ++ unlink(pidfile); ++ ++ return 0; ++} +diff --exclude-from=exclude -N -u -r nsapolicycoreutils/restorecond/restorecond.conf policycoreutils-1.29.27/restorecond/restorecond.conf +--- nsapolicycoreutils/restorecond/restorecond.conf 1969-12-31 19:00:00.000000000 -0500 ++++ policycoreutils-1.29.27/restorecond/restorecond.conf 2006-03-15 16:06:43.000000000 -0500 +@@ -0,0 +1,3 @@ ++/etc/resolv.conf ++/etc/mtab ++~/public_html +diff --exclude-from=exclude -N -u -r nsapolicycoreutils/restorecond/restorecond.h policycoreutils-1.29.27/restorecond/restorecond.h +--- nsapolicycoreutils/restorecond/restorecond.h 1969-12-31 19:00:00.000000000 -0500 ++++ policycoreutils-1.29.27/restorecond/restorecond.h 2006-03-15 16:06:43.000000000 -0500 +@@ -0,0 +1,4 @@ ++void exitApp(const char *msg); ++void watch_list_add(int inotify_fd, const char *path); ++ ++ +diff --exclude-from=exclude -N -u -r nsapolicycoreutils/restorecond/restorecond.init policycoreutils-1.29.27/restorecond/restorecond.init +--- nsapolicycoreutils/restorecond/restorecond.init 1969-12-31 19:00:00.000000000 -0500 ++++ policycoreutils-1.29.27/restorecond/restorecond.init 2006-03-15 16:13:32.000000000 -0500 +@@ -0,0 +1,54 @@ ++#!/bin/sh ++# ++# restorecond: Daemo used to maintain path file context ++# ++# chkconfig: 2345 10 90 ++# description: restorecond uses inotify to look for creation of new files listed in the ++# /etc/selinux/POLICYTYPE/restorefiles.conf file, and sets the correct security ++# context. ++# ++ ++# Source function library. ++. 
/etc/rc.d/init.d/functions ++ ++start() ++{ ++ echo -n $"Starting restorecond: " ++ daemon /usr/sbin/restorecond ++ ++ touch /var/lock/subsys/restorecond ++ echo ++} ++ ++stop() ++{ ++ echo -n $"Shutting down restorecond: " ++ killproc restorecond ++ ++ rm -f /var/lock/subsys/restorecond ++ echo ++} ++ ++[ -f /usr/sbin/restorecond ] || exit 0 ++ ++# See how we were called. ++case "$1" in ++ start) ++ start ++ ;; ++ stop) ++ stop ++ ;; ++ restart|reload) ++ stop ++ start ++ ;; ++ condrestart) ++ [ -e /var/lock/subsys/restorecond ] && (stop; start) ++ ;; ++ *) ++ echo $"Usage: $0 {start|stop|restart|reload|condrestart}" ++ exit 1 ++esac ++ ++exit 0 +diff --exclude-from=exclude -N -u -r nsapolicycoreutils/restorecond/stringslist.c policycoreutils-1.29.27/restorecond/stringslist.c +--- nsapolicycoreutils/restorecond/stringslist.c 1969-12-31 19:00:00.000000000 -0500 ++++ policycoreutils-1.29.27/restorecond/stringslist.c 2006-03-15 16:06:43.000000000 -0500 +@@ -0,0 +1,120 @@ ++/* ++ ++ * AUTHOR: Dan Walsh ++ ++ * Copyright (C) 2006 Red Hat ++ * see file 'COPYING' for use and warranty information ++ * ++ * semanage is a tool for managing SELinux configuration files ++ * ++ * This program is free software; you can redistribute it and/or ++ * modify it under the terms of the GNU General Public License as ++ * published by the Free Software Foundation; either version 2 of ++ * the License, or (at your option) any later version. ++ * ++ * This program is distributed in the hope that it will be useful, ++ * but WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++ * GNU General Public License for more details. 
++.* ++ * You should have received a copy of the GNU General Public License ++ * along with this program; if not, write to the Free Software ++ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA ++ * 02111-1307 USA ++ * ++*/ ++ ++#include ++#include ++#include ++#include "stringslist.h" ++#include "restorecond.h" ++ ++/* Sorted lists */ ++void strings_list_add(struct stringsList **list, const char *string) { ++ struct stringsList *ptr=*list; ++ struct stringsList *prev=NULL; ++ struct stringsList *newptr=NULL; ++ while(ptr) { ++ int cmp=strcmp(string, ptr->string); ++ if (cmp < 0) break; /* Not on list break out to add */ ++ if (cmp == 0) return; /* Already on list */ ++ prev=ptr; ++ ptr=ptr->next; ++ } ++ newptr=calloc(1, sizeof(struct stringsList)); ++ if (!newptr) exitApp("Out of Memory"); ++ newptr->string=strdup(string); ++ newptr->next = ptr; ++ if (prev) ++ prev->next=newptr; ++ else ++ *list=newptr; ++} ++ ++int strings_list_find(struct stringsList *ptr, const char *string) { ++ while (ptr) { ++ int cmp=strcmp(string, ptr->string); ++ if (cmp < 0) return -1; /* Not on list break out to add */ ++ if (cmp == 0) return 0; /* Already on list */ ++ ptr=ptr->next; ++ } ++ return -1; ++} ++ ++void strings_list_free(struct stringsList *ptr) { ++ struct stringsList *prev=NULL; ++ while (ptr) { ++ free(ptr->string); ++ prev=ptr; ++ ptr=ptr->next; ++ free(prev); ++ } ++} ++ ++int strings_list_diff(struct stringsList *from, struct stringsList *to) { ++ while (from != NULL && to != NULL) { ++ if (strcmp(from->string, to->string) != 0) return 1; ++ from=from->next; ++ to=to->next; ++ } ++ if (from != NULL || to != NULL) return 1; ++ return 0; ++} ++ ++void strings_list_print(struct stringsList *ptr) { ++ while (ptr) { ++ printf("%s\n", ptr->string); ++ ptr=ptr->next; ++ } ++} ++ ++ ++#ifdef TEST ++void exitApp(const char *msg) { ++ perror(msg); ++ exit(-1); ++} ++ ++int main(int argc, char **argv) { ++ struct stringsList *list=NULL; ++ struct stringsList 
*list1=NULL; ++ strings_list_add(&list, "/etc/resolv.conf"); ++ strings_list_add(&list, "/etc/walsh"); ++ strings_list_add(&list, "/etc/mtab"); ++ strings_list_add(&list, "/etc/walsh"); ++ if (strings_list_diff(list, list) != 0) printf ("strings_list_diff test1 bug\n"); ++ strings_list_add(&list1, "/etc/walsh"); ++ if (strings_list_diff(list, list1) == 0) printf ("strings_list_diff test2 bug\n"); ++ strings_list_add(&list1, "/etc/walsh"); ++ strings_list_add(&list1, "/etc/resolv.conf"); ++ strings_list_add(&list1, "/etc/mtab1"); ++ if (strings_list_diff(list, list1) == 0) printf ("strings_list_diff test3 bug\n"); ++ printf ("strings list\n"); ++ strings_list_print(list); ++ printf ("strings list1\n"); ++ strings_list_print(list1); ++ strings_list_free(list); ++ strings_list_free(list1); ++} ++#endif +diff --exclude-from=exclude -N -u -r nsapolicycoreutils/restorecond/stringslist.h policycoreutils-1.29.27/restorecond/stringslist.h +--- nsapolicycoreutils/restorecond/stringslist.h 1969-12-31 19:00:00.000000000 -0500 ++++ policycoreutils-1.29.27/restorecond/stringslist.h 2006-03-15 16:06:43.000000000 -0500 +@@ -0,0 +1,10 @@ ++struct stringsList { ++ struct stringsList *next; ++ char *string; ++}; ++ ++void strings_list_free(struct stringsList *list); ++void strings_list_add(struct stringsList **list, const char *string); ++void strings_list_print(struct stringsList *list); ++int strings_list_find(struct stringsList *list, const char *string); ++int strings_list_diff(struct stringsList *from, struct stringsList *to); +diff --exclude-from=exclude -N -u -r nsapolicycoreutils/restorecond/utmpwatcher.c policycoreutils-1.29.27/restorecond/utmpwatcher.c +--- nsapolicycoreutils/restorecond/utmpwatcher.c 1969-12-31 19:00:00.000000000 -0500 ++++ policycoreutils-1.29.27/restorecond/utmpwatcher.c 2006-03-15 16:06:43.000000000 -0500 +@@ -0,0 +1,105 @@ ++/* ++ * restorecond ++ * ++ * AUTHOR: Dan Walsh ++ * ++ * Copyright (C) 2006 Red Hat ++ * see file 'COPYING' for use and warranty 
information ++ * ++ * semanage is a tool for managing SELinux configuration files ++ * ++ * This program is free software; you can redistribute it and/or ++ * modify it under the terms of the GNU General Public License as ++ * published by the Free Software Foundation; either version 2 of ++ * the License, or (at your option) any later version. ++ * ++ * This program is distributed in the hope that it will be useful, ++ * but WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++ * GNU General Public License for more details. ++.* ++ * You should have received a copy of the GNU General Public License ++ * along with this program; if not, write to the Free Software ++ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA ++ * 02111-1307 USA ++ * ++*/ ++ ++#define _GNU_SOURCE ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++ ++#include ++#include ++#include ++#include ++#include "restorecond.h" ++#include "utmpwatcher.h" ++#include "stringslist.h" ++ ++static struct stringsList *utmp_ptr=NULL; ++static int utmp_wd=-1; ++ ++unsigned int utmpwatcher_handle(int inotify_fd, int wd) { ++ int changed=0; ++ struct utmp u; ++ char *utmp_path="/var/run/utmp"; ++ struct stringsList *prev_utmp_ptr=utmp_ptr; ++ if (wd != utmp_wd) return -1; ++ ++ utmp_ptr=NULL; ++ FILE *cfg=fopen(utmp_path, "r"); ++ if (!cfg) exitApp("Error reading config file."); ++ ++ while (fread(&u, sizeof(struct utmp), 1, cfg) > 0) { ++ if (u.ut_type == USER_PROCESS) ++ strings_list_add(&utmp_ptr, u.ut_user); ++ } ++ fclose(cfg); ++ if (utmp_wd >= 0) ++ inotify_rm_watch(inotify_fd, utmp_wd); ++ ++ utmp_wd=inotify_add_watch (inotify_fd, utmp_path, IN_MOVED_FROM | IN_MODIFY); ++ if (prev_utmp_ptr) { ++ changed=strings_list_diff(prev_utmp_ptr, utmp_ptr); ++ strings_list_free(prev_utmp_ptr); ++ } ++ return changed; ++} ++ ++static void watch_file(int inotify_fd, const char *file) { ++ struct stringsList 
*ptr=utmp_ptr; ++ ++ while(ptr) { ++ struct passwd *pwd=getpwnam(ptr->string); ++ if (pwd) { ++ char *path=NULL; ++ if (asprintf(&path, "%s%s",pwd->pw_dir, file) < 0) ++ exitApp("Error allocating memory."); ++ watch_list_add(inotify_fd, path); ++ free(path); ++ } ++ ptr=ptr->next; ++ } ++} ++ ++void utmpwatcher_add(int inotify_fd, const char *path) { ++ if (utmp_ptr == NULL) { ++ utmpwatcher_handle(inotify_fd, utmp_wd); ++ } ++ watch_file(inotify_fd, path); ++} ++ ++#ifdef TEST ++int main(int argc, char **argv) { ++ read_utmp(); ++ return 0; ++} ++#endif ++ ++ +diff --exclude-from=exclude -N -u -r nsapolicycoreutils/restorecond/utmpwatcher.h policycoreutils-1.29.27/restorecond/utmpwatcher.h +--- nsapolicycoreutils/restorecond/utmpwatcher.h 1969-12-31 19:00:00.000000000 -0500 ++++ policycoreutils-1.29.27/restorecond/utmpwatcher.h 2006-03-15 16:06:43.000000000 -0500 +@@ -0,0 +1,2 @@ ++unsigned int utmpwatcher_handle(int inotify_fd, int wd); ++void utmpwatcher_add(int inotify_fd, const char *path); +diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/fixfiles policycoreutils-1.29.27/scripts/fixfiles --- nsapolicycoreutils/scripts/fixfiles 2006-01-04 13:07:46.000000000 -0500 -+++ policycoreutils-1.29.26/scripts/fixfiles 2006-02-23 17:12:53.000000000 -0500 ++++ policycoreutils-1.29.27/scripts/fixfiles 2006-03-15 16:06:43.000000000 -0500 @@ -124,7 +124,10 @@ exit $? fi 
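Review bot: In main() of the new restorecond.c, `write_pid_file()` runs before `daemon(0, 0)`, so /var/run/restorecond.pid records the pid of the parent that daemon() forks away from and exits; once that pid is recycled, the init script's `killproc restorecond` (which, as far as I can tell, consults /var/run/restorecond.pid first) can deliver SIGTERM to an unrelated process as root. Write the pidfile from the surviving child instead: `if (!debug_mode)` / `daemon(0, 0);` / `write_pid_file();`. Separately, process_config() passes `unsigned int len` to getline(), which takes a `size_t *`; on 64-bit targets that stores past the variable into the adjacent stack slot and the `-Werror` build should reject the incompatible pointer type, so it wants `size_t len = 0;`. In restore(), the path is lstat()ed and then resolved again with realpath() before lsetfilecon(), and since `~/public_html` puts watches on user-owned directories, a file swapped for a symlink inside that window appears to get the default label applied to whatever the link resolves to; opening once with O_NOFOLLOW and labelling through the descriptor (fsetfilecon()) would close it. The config path is also documented three ways: the code and Makefile use /etc/selinux/restorecond.conf, while restorecond.8 says /etc/selinux/POLICYTYPE/restorconfiles.conf and restorecond.init says /etc/selinux/POLICYTYPE/restorefiles.conf.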
@@ -331,756 +883,32 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/fixfiles policyc exit $? fi LogReadOnly -diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semanage/semanage policycoreutils-1.29.26/semanage/semanage ---- nsapolicycoreutils/semanage/semanage 2006-02-16 13:35:28.000000000 -0500 -+++ policycoreutils-1.29.26/semanage/semanage 2006-02-23 16:32:45.000000000 -0500 -@@ -22,6 +22,9 @@ - # - import os, sys, getopt - import seobject -+import selinux -+ -+is_mls_enabled=selinux.is_selinux_mls_enabled() +diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/Makefile policycoreutils-1.29.27/scripts/Makefile +--- nsapolicycoreutils/scripts/Makefile 2005-12-08 12:59:25.000000000 -0500 ++++ policycoreutils-1.29.27/scripts/Makefile 2006-03-15 16:06:43.000000000 -0500 +@@ -13,7 +13,7 @@ + -mkdir -p $(BINDIR) + install -m 755 $(TARGETS) $(SBINDIR) + install -m 755 chcat $(BINDIR) +- install -m 755 fixfiles $(DESTDIR)/sbin ++ install -m 755 fixfiles $(PREFIX)/sbin + -mkdir -p $(MANDIR)/man8 + install -m 644 fixfiles.8 $(MANDIR)/man8/ + install -m 644 genhomedircon.8 $(MANDIR)/man8/ +diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semanage/seobject.py policycoreutils-1.29.27/semanage/seobject.py +--- nsapolicycoreutils/semanage/seobject.py 2006-03-10 09:48:05.000000000 -0500 ++++ policycoreutils-1.29.27/semanage/seobject.py 2006-03-15 16:06:43.000000000 -0500 +@@ -229,10 +229,9 @@ + if rc < 0: + raise ValueError("Could not set name for %s" % name) - if __name__ == '__main__': - -@@ -57,13 +60,13 @@ - -p (named pipe) \n\n\ - \ - -p, --proto Port protocol (tcp or udp)\n\ -- -L, --level Default SELinux Level\n\ -+ -L, --level Default SELinux Level (MLS/MCS Systems only)\n\ - -R, --roles SELinux Roles (ex: "sysadm_r staff_r")\n\ - -T, --trans SELinux Level Translation\n\n\ - \ - -s, --seuser SELinux User Name\n\ - -t, --type SELinux Type for the object\n\ -- -r, --range MLS/MCS Security Range\n\ -+ -r, --range MLS/MCS Security 
Range (MLS/MCS Systems only\n\ - ' - print message - sys.exit(1) -@@ -167,12 +170,16 @@ - modify = 1 - - if o == "-r" or o == '--range': -+ if is_mls_enabled == 0: -+ errorExit("range not supported on Non MLS machines") - serange = a - - if o == "-l" or o == "--list": - list = 1 - - if o == "-L" or o == '--level': -+ if is_mls_enabled == 0: -+ errorExit("range not supported on Non MLS machines") - selevel = a - - if o == "-p" or o == '--proto': -diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semanage/semanage.8 policycoreutils-1.29.26/semanage/semanage.8 ---- nsapolicycoreutils/semanage/semanage.8 2006-01-27 01:16:33.000000000 -0500 -+++ policycoreutils-1.29.26/semanage/semanage.8 2006-02-23 16:32:45.000000000 -0500 -@@ -46,7 +46,7 @@ - List the OBJECTS - .TP - .I \-L, \-\-level --Default SELinux Level for SELinux use. (s0) -+Default SELinux Level for SELinux use, s0 Default. (MLS/MCS Systems only) - .TP - .I \-m, \-\-modify - Modify a OBJECT record NAME -@@ -58,7 +58,7 @@ - Protocol for the specified port (tcp|udp). - .TP - .I \-r, \-\-range --MLS/MCS Security Range -+MLS/MCS Security Range (MLS/MCS Systems only) - .TP - .I \-R, \-\-role - SELinux Roles. You must enclose multiple roles within quotes, separate by spaces. Or specify \-R multiple times. 
-diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semanage/seobject.py policycoreutils-1.29.26/semanage/seobject.py ---- nsapolicycoreutils/semanage/seobject.py 2006-02-16 13:35:28.000000000 -0500 -+++ policycoreutils-1.29.26/semanage/seobject.py 2006-03-03 18:20:37.000000000 -0500 -@@ -21,9 +21,43 @@ - # - # - --import pwd, string, selinux, tempfile, os, re -+import pwd, string, selinux, tempfile, os, re, sys - from semanage import *; - -+is_mls_enabled=selinux.is_selinux_mls_enabled() -+import syslog -+try: -+ import audit -+ class logger: -+ def __init__(self): -+ self.audit_fd=audit.audit_open() -+ -+ def log(self, success, msg, name="", sename="", serole="", serange="", old_sename="", old_serole="", old_serange=""): -+ audit.audit_log_semanage_message(self.audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],msg, name, 0, sename, serole, serange, old_sename, old_serole, old_serange, "", "", "", success); -+except: -+ class logger: -+ def log(self, success, msg, name="", sename="", serole="", serange="", old_sename="", old_serole="", old_serange=""): -+ if success == 1: -+ message = "Successful: " -+ else: -+ message = "Failed: " -+ message += " %s name=%s" % (msg,name) -+ if sename != "": -+ message += " sename=" + sename -+ if old_sename != "": -+ message += " old_sename=" + old_sename -+ if serole != "": -+ message += " role=" + serole -+ if old_serole != "": -+ message += " old_role=" + old_serole -+ if serange != "": -+ message += " MLSRange=" + serange -+ if old_serange != "": -+ message += " old_MLSRange=" + old_serange -+ syslog.syslog(message); -+ -+mylog=logger() -+ - def validate_level(raw): - sensitivity="s([0-9]|1[0-5])" - category="c(1?[0-9]?[0-9]|2[0-4][0-9]|25[0-5])" -@@ -143,6 +177,7 @@ - def __init__(self): - self.sh = semanage_handle_create() - self.semanaged = semanage_is_managed(self.sh) -+ - if not self.semanaged: - semanage_handle_destroy(self.sh) - raise ValueError("SELinux policy is not managed or store cannot be accessed.") -@@ 
-162,127 +197,154 @@ - semanageRecords.__init__(self) - - def add(self, name, sename, serange): -- if serange == "": -- serange = "s0" -- else: -- serange = untranslate(serange) -+ if is_mls_enabled == 1: -+ if serange == "": -+ serange = "s0" -+ else: -+ serange = untranslate(serange) - - if sename == "": - sename = "user_u" - -- (rc,k) = semanage_seuser_key_create(self.sh, name) -- if rc < 0: -- raise ValueError("Could not create a key for %s" % name) -- -- (rc,exists) = semanage_seuser_exists(self.sh, k) -- if rc < 0: -- raise ValueError("Could not check if login mapping for %s is defined" % name) -- if exists: -- raise ValueError("Login mapping for %s is already defined" % name) - try: -- pwd.getpwnam(name) -- except: -- raise ValueError("Linux User %s does not exist" % name) -- -- (rc,u) = semanage_seuser_create(self.sh) -- if rc < 0: -- raise ValueError("Could not create login mapping for %s" % name) -+ (rc,k) = semanage_seuser_key_create(self.sh, name) -+ if rc < 0: -+ raise ValueError("Could not create a key for %s" % name) - -- rc = semanage_seuser_set_name(self.sh, u, name) -- if rc < 0: -- raise ValueError("Could not set name for %s" % name) -+ (rc,exists) = semanage_seuser_exists(self.sh, k) -+ if rc < 0: -+ raise ValueError("Could not check if login mapping for %s is defined" % name) -+ if exists: -+ raise ValueError("Login mapping for %s is already defined" % name) -+ try: -+ pwd.getpwnam(name) -+ except: -+ raise ValueError("Linux User %s does not exist" % name) - -- rc = semanage_seuser_set_mlsrange(self.sh, u, serange) -- if rc < 0: -- raise ValueError("Could not set MLS range for %s" % name) -+ (rc,u) = semanage_seuser_create(self.sh) -+ if rc < 0: -+ raise ValueError("Could not create login mapping for %s" % name) - -- rc = semanage_seuser_set_sename(self.sh, u, sename) -- if rc < 0: -- raise ValueError("Could not set SELinux user for %s" % name) -+ rc = semanage_seuser_set_name(self.sh, u, name) -+ if rc < 0: -+ raise ValueError("Could not set 
name for %s" % name) - -- rc = semanage_begin_transaction(self.sh) -- if rc < 0: -- raise ValueError("Could not start semanage transaction") +- if serange != "": +- rc = semanage_seuser_set_mlsrange(self.sh, u, serange) +- if rc < 0: +- raise ValueError("Could not set MLS range for %s" % name) + rc = semanage_seuser_set_mlsrange(self.sh, u, serange) + if rc < 0: + raise ValueError("Could not set MLS range for %s" % name) -- rc = semanage_seuser_modify_local(self.sh, k, u) -- if rc < 0: -- raise ValueError("Could not add login mapping for %s" % name) -+ rc = semanage_seuser_set_sename(self.sh, u, sename) -+ if rc < 0: -+ raise ValueError("Could not set SELinux user for %s" % name) - -- rc = semanage_commit(self.sh) -- if rc < 0: -- raise ValueError("Could not add login mapping for %s" % name) -+ rc = semanage_begin_transaction(self.sh) -+ if rc < 0: -+ raise ValueError("Could not start semanage transaction") - -+ rc = semanage_seuser_modify_local(self.sh, k, u) -+ if rc < 0: -+ raise ValueError("Could not add login mapping for %s" % name) -+ -+ rc = semanage_commit(self.sh) -+ if rc < 0: -+ raise ValueError("Could not add login mapping for %s" % name) -+ -+ except ValueError, error: -+ mylog.log(0, "add SELinux user mapping", name, sename, "", serange); -+ raise error -+ -+ mylog.log(1, "add SELinux user mapping", name, sename, "", serange); - semanage_seuser_key_free(k) - semanage_seuser_free(u) - - def modify(self, name, sename = "", serange = ""): -- if sename == "" and serange == "": -- raise ValueError("Requires seuser or serange") -+ oldsename="" -+ oldserange="" -+ try: -+ if sename == "" and serange == "": -+ raise ValueError("Requires seuser or serange") - -- (rc,k) = semanage_seuser_key_create(self.sh, name) -- if rc < 0: -- raise ValueError("Could not create a key for %s" % name) -+ (rc,k) = semanage_seuser_key_create(self.sh, name) -+ if rc < 0: -+ raise ValueError("Could not create a key for %s" % name) - -- (rc,exists) = semanage_seuser_exists(self.sh, 
k) -- if rc < 0: -- raise ValueError("Could not check if login mapping for %s is defined" % name) -- if not exists: -- raise ValueError("Login mapping for %s is not defined" % name) -+ (rc,exists) = semanage_seuser_exists(self.sh, k) -+ if rc < 0: -+ raise ValueError("Could not check if login mapping for %s is defined" % name) -+ if not exists: -+ raise ValueError("Login mapping for %s is not defined" % name) - -- (rc,u) = semanage_seuser_query(self.sh, k) -- if rc < 0: -- raise ValueError("Could not query seuser for %s" % name) -+ (rc,u) = semanage_seuser_query(self.sh, k) -+ if rc < 0: -+ raise ValueError("Could not query seuser for %s" % name) - -- if serange != "": -- semanage_seuser_set_mlsrange(self.sh, u, untranslate(serange)) -- if sename != "": -- semanage_seuser_set_sename(self.sh, u, sename) -+ oldserange=semanage_seuser_get_mlsrange(u) -+ oldsename=semanage_seuser_get_sename(u) -+ if serange != "": -+ semanage_seuser_set_mlsrange(self.sh, u, untranslate(serange)) -+ else: -+ serange=oldserange -+ if sename != "": -+ semanage_seuser_set_sename(self.sh, u, sename) -+ else: -+ sename=oldsename - -- rc = semanage_begin_transaction(self.sh) -- if rc < 0: -- raise ValueError("Could not srart semanage transaction") -+ rc = semanage_begin_transaction(self.sh) -+ if rc < 0: -+ raise ValueError("Could not srart semanage transaction") - -- rc = semanage_seuser_modify_local(self.sh, k, u) -- if rc < 0: -- raise ValueError("Could not modify login mapping for %s" % name) -- -- rc = semanage_commit(self.sh) -- if rc < 0: -- raise ValueError("Could not modify login mapping for %s" % name) -+ rc = semanage_seuser_modify_local(self.sh, k, u) -+ if rc < 0: -+ raise ValueError("Could not modify login mapping for %s" % name) -+ -+ rc = semanage_commit(self.sh) -+ if rc < 0: -+ raise ValueError("Could not modify login mapping for %s" % name) - -+ except ValueError, error: -+ mylog.log(0,"modify selinux user mapping", name, sename,"", serange, oldsename, "", oldserange); -+ 
raise error -+ -+ mylog.log(1,"modify selinux user mapping", name, sename, "", serange, oldsename, "", oldserange); - semanage_seuser_key_free(k) - semanage_seuser_free(u) - - def delete(self, name): -- (rc,k) = semanage_seuser_key_create(self.sh, name) -- if rc < 0: -- raise ValueError("Could not create a key for %s" % name) -+ try: -+ (rc,k) = semanage_seuser_key_create(self.sh, name) -+ if rc < 0: -+ raise ValueError("Could not create a key for %s" % name) - -- (rc,exists) = semanage_seuser_exists(self.sh, k) -- if rc < 0: -- raise ValueError("Could not check if login mapping for %s is defined" % name) -- if not exists: -- raise ValueError("Login mapping for %s is not defined" % name) -+ (rc,exists) = semanage_seuser_exists(self.sh, k) -+ if rc < 0: -+ raise ValueError("Could not check if login mapping for %s is defined" % name) -+ if not exists: -+ raise ValueError("Login mapping for %s is not defined" % name) - -- (rc,exists) = semanage_seuser_exists_local(self.sh, k) -- if rc < 0: -- raise ValueError("Could not check if login mapping for %s is defined" % name) -- if not exists: -- raise ValueError("Login mapping for %s is defined in policy, cannot be deleted" % name) -+ (rc,exists) = semanage_seuser_exists_local(self.sh, k) -+ if rc < 0: -+ raise ValueError("Could not check if login mapping for %s is defined" % name) -+ if not exists: -+ raise ValueError("Login mapping for %s is defined in policy, cannot be deleted" % name) - -- rc = semanage_begin_transaction(self.sh) -- if rc < 0: -- raise ValueError("Could not start semanage transaction") -+ rc = semanage_begin_transaction(self.sh) -+ if rc < 0: -+ raise ValueError("Could not start semanage transaction") - -- rc = semanage_seuser_del_local(self.sh, k) -+ rc = semanage_seuser_del_local(self.sh, k) - -- if rc < 0: -- raise ValueError("Could not delete login mapping for %s" % name) -+ if rc < 0: -+ raise ValueError("Could not delete login mapping for %s" % name) - -- rc = semanage_commit(self.sh) -- if rc < 
0: -- raise ValueError("Could not delete login mapping for %s" % name) -- -+ rc = semanage_commit(self.sh) -+ if rc < 0: -+ raise ValueError("Could not delete login mapping for %s" % name) -+ -+ except ValueError, error: -+ mylog.log(0,"delete SELinux user mapping", name); -+ raise error -+ -+ mylog.log(1,"delete SELinux user mapping", name); - semanage_seuser_key_free(k) - - -@@ -298,150 +360,179 @@ - return ddict - - def list(self,heading=1): -- if heading: -- print "\n%-25s %-25s %-25s\n" % ("Login Name", "SELinux User", "MLS/MCS Range") - ddict=self.get_all() - keys=ddict.keys() - keys.sort() -- for k in keys: -- print "%-25s %-25s %-25s" % (k, ddict[k][0], translate(ddict[k][1])) -+ if is_mls_enabled == 1: -+ if heading: -+ print "\n%-25s %-25s %-25s\n" % ("Login Name", "SELinux User", "MLS/MCS Range") -+ for k in keys: -+ print "%-25s %-25s %-25s" % (k, ddict[k][0], translate(ddict[k][1])) -+ else: -+ if heading: -+ print "\n%-25s %-25s\n" % ("Login Name", "SELinux User") -+ for k in keys: -+ print "%-25s %-25s %-25s" % (k, ddict[k][0]) - - class seluserRecords(semanageRecords): - def __init__(self): - semanageRecords.__init__(self) - - def add(self, name, roles, selevel, serange): -- if serange == "": -- serange = "s0" -- else: -- serange = untranslate(serange) -+ if is_mls_enabled == 1: -+ if serange == "": -+ serange = "s0" -+ else: -+ serange = untranslate(serange) - -- if selevel == "": -- selevel = "s0" -- else: -- selevel = untranslate(selevel) -- -- (rc,k) = semanage_user_key_create(self.sh, name) -- if rc < 0: -- raise ValueError("Could not create a key for %s" % name) -- -- (rc,exists) = semanage_user_exists(self.sh, k) -- if rc < 0: -- raise ValueError("Could not check if SELinux user %s is defined" % name) -- if exists: -- raise ValueError("SELinux user %s is already defined" % name) -- -- (rc,u) = semanage_user_create(self.sh) -- if rc < 0: -- raise ValueError("Could not create SELinux user for %s" % name) -+ if selevel == "": -+ selevel = "s0" 
-+ else: -+ selevel = untranslate(selevel) -+ -+ seroles=" ".join(roles) -+ try: -+ (rc,k) = semanage_user_key_create(self.sh, name) -+ if rc < 0: -+ raise ValueError("Could not create a key for %s" % name) - -- rc = semanage_user_set_name(self.sh, u, name) -- if rc < 0: -- raise ValueError("Could not set name for %s" % name) -+ (rc,exists) = semanage_user_exists(self.sh, k) -+ if rc < 0: -+ raise ValueError("Could not check if SELinux user %s is defined" % name) -+ if exists: -+ raise ValueError("SELinux user %s is already defined" % name) - -- for r in roles: -- rc = semanage_user_add_role(self.sh, u, r) -+ (rc,u) = semanage_user_create(self.sh) + rc = semanage_seuser_set_sename(self.sh, u, sename) if rc < 0: -- raise ValueError("Could not add role %s for %s" % (r, name)) -+ raise ValueError("Could not create SELinux user for %s" % name) - -- rc = semanage_user_set_mlsrange(self.sh, u, serange) -- if rc < 0: -- raise ValueError("Could not set MLS range for %s" % name) -+ rc = semanage_user_set_name(self.sh, u, name) -+ if rc < 0: -+ raise ValueError("Could not set name for %s" % name) - -- rc = semanage_user_set_mlslevel(self.sh, u, selevel) -- if rc < 0: -- raise ValueError("Could not set MLS level for %s" % name) -+ for r in roles: -+ rc = semanage_user_add_role(self.sh, u, r) -+ if rc < 0: -+ raise ValueError("Could not add role %s for %s" % (r, name)) -+ -+ if is_mls_enabled == 1: -+ rc = semanage_user_set_mlsrange(self.sh, u, serange) -+ if rc < 0: -+ raise ValueError("Could not set MLS range for %s" % name) -+ -+ rc = semanage_user_set_mlslevel(self.sh, u, selevel) -+ if rc < 0: -+ raise ValueError("Could not set MLS level for %s" % name) - -- (rc,key) = semanage_user_key_extract(self.sh,u) -- if rc < 0: -- raise ValueError("Could not extract key for %s" % name) -+ (rc,key) = semanage_user_key_extract(self.sh,u) -+ if rc < 0: -+ raise ValueError("Could not extract key for %s" % name) - -- rc = semanage_begin_transaction(self.sh) -- if rc < 0: -- raise 
ValueError("Could not start semanage transaction") -+ rc = semanage_begin_transaction(self.sh) -+ if rc < 0: -+ raise ValueError("Could not start semanage transaction") - -- rc = semanage_user_modify_local(self.sh, k, u) -- if rc < 0: -- raise ValueError("Could not add SELinux user %s" % name) -+ rc = semanage_user_modify_local(self.sh, k, u) -+ if rc < 0: -+ raise ValueError("Could not add SELinux user %s" % name) - -- rc = semanage_commit(self.sh) -- if rc < 0: -- raise ValueError("Could not add SELinux user %s" % name) -+ rc = semanage_commit(self.sh) -+ if rc < 0: -+ raise ValueError("Could not add SELinux user %s" % name) - -+ except ValueError, error: -+ mylog.log(0,"add SELinux user record", name, name, seroles, serange) -+ raise error -+ -+ mylog.log(1,"add SELinux user record", name, name, seroles, serange) - semanage_user_key_free(k) - semanage_user_free(u) - - def modify(self, name, roles = [], selevel = "", serange = ""): -- if len(roles) == 0 and serange == "" and selevel == "": -- raise ValueError("Requires roles, level or range") -+ try: -+ if len(roles) == 0 and serange == "" and selevel == "": -+ if is_mls_enabled == 1: -+ raise ValueError("Requires roles, level or range") -+ else: -+ raise ValueError("Requires roles") - -- (rc,k) = semanage_user_key_create(self.sh, name) -- if rc < 0: -- raise ValueError("Could not create a key for %s" % name) -+ (rc,k) = semanage_user_key_create(self.sh, name) -+ if rc < 0: -+ raise ValueError("Could not create a key for %s" % name) - -- (rc,exists) = semanage_user_exists(self.sh, k) -- if rc < 0: -- raise ValueError("Could not check if SELinux user %s is defined" % name) -- if not exists: -- raise ValueError("SELinux user %s is not defined" % name) -- -- (rc,u) = semanage_user_query(self.sh, k) -- if rc < 0: -- raise ValueError("Could not query user for %s" % name) -+ (rc,exists) = semanage_user_exists(self.sh, k) -+ if rc < 0: -+ raise ValueError("Could not check if SELinux user %s is defined" % name) -+ if not 
exists: -+ raise ValueError("SELinux user %s is not defined" % name) - -- if serange != "": -- semanage_user_set_mlsrange(self.sh, u, untranslate(serange)) -- if selevel != "": -- semanage_user_set_mlslevel(self.sh, u, untranslate(selevel)) -- -- if len(roles) != 0: -- for r in roles: -- semanage_user_add_role(self.sh, u, r) -+ (rc,u) = semanage_user_query(self.sh, k) -+ if rc < 0: -+ raise ValueError("Could not query user for %s" % name) - -- rc = semanage_begin_transaction(self.sh) -- if rc < 0: -- raise ValueError("Could not start semanage transaction") -+ if serange != "": -+ semanage_user_set_mlsrange(self.sh, u, untranslate(serange)) -+ if selevel != "": -+ semanage_user_set_mlslevel(self.sh, u, untranslate(selevel)) -+ -+ if len(roles) != 0: -+ for r in roles: -+ semanage_user_add_role(self.sh, u, r) - -- rc = semanage_user_modify_local(self.sh, k, u) -- if rc < 0: -- raise ValueError("Could not modify SELinux user %s" % name) -+ rc = semanage_begin_transaction(self.sh) -+ if rc < 0: -+ raise ValueError("Could not start semanage transaction") - -- rc = semanage_commit(self.sh) -- if rc < 0: -- raise ValueError("Could not modify SELinux user %s" % name) -+ rc = semanage_user_modify_local(self.sh, k, u) -+ if rc < 0: -+ raise ValueError("Could not modify SELinux user %s" % name) -+ -+ rc = semanage_commit(self.sh) -+ if rc < 0: -+ raise ValueError("Could not modify SELinux user %s" % name) -+ -+ except ValueError, error: -+ mylog.log(0,"modify SELinux user record", name, seuser, seroles, serange, oldseuser, oldseroles, olrserange) -+ raise error - -+ mylog.log(1,"modify SELinux user record", name, seuser, seroles, serange, oldseuser, oldseroles, olrserange) - semanage_user_key_free(k) - semanage_user_free(u) - - def delete(self, name): -- (rc,k) = semanage_user_key_create(self.sh, name) -- if rc < 0: -- raise ValueError("Could not create a key for %s" % name) -- -- (rc,exists) = semanage_user_exists(self.sh, k) -- if rc < 0: -- raise ValueError("Could not 
check if SELinux user %s is defined" % name) -- if not exists: -- raise ValueError("SELinux user %s is not defined" % name) -+ try: -+ (rc,k) = semanage_user_key_create(self.sh, name) -+ if rc < 0: -+ raise ValueError("Could not create a key for %s" % name) -+ -+ (rc,exists) = semanage_user_exists(self.sh, k) -+ if rc < 0: -+ raise ValueError("Could not check if SELinux user %s is defined" % name) -+ if not exists: -+ raise ValueError("SELinux user %s is not defined" % name) - -- (rc,exists) = semanage_user_exists_local(self.sh, k) -- if rc < 0: -- raise ValueError("Could not check if SELinux user %s is defined" % name) -- if not exists: -- raise ValueError("SELinux user %s is defined in policy, cannot be deleted" % name) -+ (rc,exists) = semanage_user_exists_local(self.sh, k) -+ if rc < 0: -+ raise ValueError("Could not check if SELinux user %s is defined" % name) -+ if not exists: -+ raise ValueError("SELinux user %s is defined in policy, cannot be deleted" % name) - -- rc = semanage_begin_transaction(self.sh) -- if rc < 0: -- raise ValueError("Could not start semanage transaction") -+ rc = semanage_begin_transaction(self.sh) -+ if rc < 0: -+ raise ValueError("Could not start semanage transaction") - -- rc = semanage_user_del_local(self.sh, k) -- if rc < 0: -- raise ValueError("Could not delete SELinux user %s" % name) -+ rc = semanage_user_del_local(self.sh, k) -+ if rc < 0: -+ raise ValueError("Could not delete SELinux user %s" % name) - -- rc = semanage_commit(self.sh) -- if rc < 0: -- raise ValueError("Could not delete SELinux user %s" % name) -+ rc = semanage_commit(self.sh) -+ if rc < 0: -+ raise ValueError("Could not delete SELinux user %s" % name) -+ except ValueError, error: -+ mylog.log(0,"delete SELinux user record", name) -+ raise error - -+ mylog.log(1,"delete SELinux user record", name) - semanage_user_key_free(k) - - def get_all(self): -@@ -462,14 +553,20 @@ - return ddict - - def list(self, heading=1): -- if heading: -- print "\n%-15s %-10s %-30s" 
% ("", "MLS/", "MLS/") -- print "%-15s %-10s %-30s %s\n" % ("SELinux User", "MCS Level", "MCS Range", "SELinux Roles") - ddict=self.get_all() - keys=ddict.keys() - keys.sort() -- for k in keys: -- print "%-15s %-10s %-30s %s" % (k, translate(ddict[k][0]), translate(ddict[k][1]), ddict[k][2]) -+ if is_mls_enabled == 1: -+ if heading: -+ print "\n%-15s %-10s %-30s" % ("", "MLS/", "MLS/") -+ print "%-15s %-10s %-30s %s\n" % ("SELinux User", "MCS Level", "MCS Range", "SELinux Roles") -+ for k in keys: -+ print "%-15s %-10s %-30s %s" % (k, translate(ddict[k][0]), translate(ddict[k][1]), ddict[k][2]) -+ else: -+ if heading: -+ print "%-15s %s\n" % ("SELinux User", "SELinux Roles") -+ for k in keys: -+ print "%-15s %s" % (k, ddict[k][2]) - - class portRecords(semanageRecords): - def __init__(self): -@@ -500,10 +597,11 @@ - return ( k, proto_d, low, high ) - - def add(self, port, proto, serange, type): -- if serange == "": -- serange="s0" -- else: -- serange=untranslate(serange) -+ if is_mls_enabled == 1: -+ if serange == "": -+ serange="s0" -+ else: -+ serange=untranslate(serange) - - if type == "": - raise ValueError("Type is required") -@@ -564,7 +662,10 @@ - - def modify(self, port, proto, serange, setype): - if serange == "" and setype == "": -- raise ValueError("Requires setype or serange") -+ if is_mls_enabled == 1: -+ raise ValueError("Requires setype or serange") -+ else: -+ raise ValueError("Requires setype") - - ( k, proto_d, low, high ) = self.__genkey(port, proto) - -@@ -688,10 +789,11 @@ - semanageRecords.__init__(self) - - def add(self, interface, serange, ctype): -- if serange == "": -- serange="s0" -- else: -- serange=untranslate(serange) -+ if is_mls_enabled == 1: -+ if serange == "": -+ serange="s0" -+ else: -+ serange=untranslate(serange) - - if ctype == "": - raise ValueError("SELinux Type is required") -@@ -869,14 +971,14 @@ - self.file_types["named pipe"] = SEMANAGE_FCONTEXT_PIPE; - - -- def add(self, target, type, ftype="", serange="s0", 
seuser="system_u"): -+ def add(self, target, type, ftype="", serange="", seuser="system_u"): - if seuser == "": - seuser="system_u" -- -- if serange == "": -- serange="s0" -- else: -- serange=untranslate(serange) -+ if is_mls_enabled == 1: -+ if serange == "": -+ serange="s0" -+ else: -+ serange=untranslate(serange) - - if type == "": - raise ValueError("SELinux Type is required") -diff --exclude-from=exclude -N -u -r nsapolicycoreutils/setsebool/Makefile policycoreutils-1.29.26/setsebool/Makefile ---- nsapolicycoreutils/setsebool/Makefile 2005-11-04 15:37:49.000000000 -0500 -+++ policycoreutils-1.29.26/setsebool/Makefile 2006-02-25 06:56:54.000000000 -0500 -@@ -17,6 +17,8 @@ - install: all - -mkdir -p $(SBINDIR) - install -m 755 setsebool $(SBINDIR) -+ -mkdir -p $(MANDIR)/man8 -+ install -m 644 setsebool.8 $(MANDIR)/man8/ - - relabel: - diff --git a/policycoreutils.spec b/policycoreutils.spec index b6c4db4..faf1d93 100644 --- a/policycoreutils.spec +++ b/policycoreutils.spec @@ -1,11 +1,11 @@ %define libauditver 1.1.4-3 -%define libsepolver 1.11.18-1 -%define libsemanagever 1.5.28-1 -%define libselinuxver 1.29.7-1 +%define libsepolver 1.12-1 +%define libsemanagever 1.6-1 +%define libselinuxver 1.30-1 Summary: SELinux policy core utilities. Name: policycoreutils -Version: 1.29.26 -Release: 6 +Version: 1.30 +Release: 1 License: GPL Group: System Environment/Base Source: http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz @@ -42,6 +42,7 @@ make LOG_AUDIT_PRIV=y LIBDIR="%{_libdir}" CFLAGS="%{optflags}" all %install rm -rf ${RPM_BUILD_ROOT} +mkdir -p $RPM_BUILD_ROOT/etc/rc.d/init.d mkdir -p ${RPM_BUILD_ROOT}%{_bindir} mkdir -p ${RPM_BUILD_ROOT}%{_sbindir} mkdir -p ${RPM_BUILD_ROOT}/sbin @@ -57,8 +58,9 @@ rm -rf ${RPM_BUILD_ROOT} %files -f %{name}.lang %defattr(-,root,root) -/sbin/fixfiles /sbin/restorecon +%{_sbindir}/restorecond +%{_sbindir}/fixfiles %{_sbindir}/setfiles %{_sbindir}/setsebool %{_sbindir}/semodule 
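Review bot: The new seobject.py hunk inside this patch drops the `if serange != "":` guard and calls `rc = semanage_seuser_set_mlsrange(self.sh, u, serange)` unconditionally, so whenever serange is still "" the empty string is now passed to libsemanage; the 1.29.26 code deleted further up this page only defaulted serange to "s0" when is_mls_enabled == 1, so an empty range looks reachable on non-MLS systems. Whether libsemanage treats "" as "no range" is not visible here — confirm it, otherwise keep the guard, and add a one-line comment above the call stating why the range must always be set so the intent survives the next rebase. The enclosing add() body starts and ends outside this hunk. In the scripts/Makefile part of the same hunk, `install -m 755 fixfiles $(PREFIX)/sbin` hard-codes the sbin path two lines after `$(TARGETS)` is installed to $(SBINDIR); if SBINDIR is $(PREFIX)/sbin (not shown here), `install -m 755 fixfiles $(SBINDIR)` keeps a single definition of that path.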
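Review bot: The added `mkdir -p $RPM_BUILD_ROOT/etc/rc.d/init.d` in the %install hunk writes the build root unbraced while every neighbouring line uses `${RPM_BUILD_ROOT}`; keep the one form, `mkdir -p ${RPM_BUILD_ROOT}/etc/rc.d/init.d`. The other %install lines also derive their targets from %{_bindir}/%{_sbindir} macros, so `%{_sysconfdir}/rc.d/init.d` would match the file's existing style.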
@@ -76,6 +78,7 @@ rm -rf ${RPM_BUILD_ROOT} %{_bindir}/semodule_link %{_bindir}/semodule_package %{_mandir}/man8/chcat.8.gz +%{_mandir}/man8/restorecond.8.gz %{_mandir}/man8/restorecon.8.gz %{_mandir}/man8/sestatus.8.gz %{_mandir}/man8/semanage.8.gz @@ -97,8 +100,13 @@ rm -rf ${RPM_BUILD_ROOT} %config %{_sysconfdir}/pam.d/run_init %config(noreplace) %{_sysconfdir}/sestatus.conf %{_libdir}/python2.4/site-packages/seobject.py* +%attr(755,root,root) /etc/rc.d/init.d/restorecond +%config(noreplace) /etc/selinux/restorecond.conf %changelog +* Fri Mar 10 2006 Dan Walsh 1.29.27-1 +- Add restorecond + * Fri Mar 10 2006 Dan Walsh 1.29.26-6 - Remove prereq diff --git a/sources b/sources index c7edd97..d81be33 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -58fe44013f3515957fc626d0c11baf7c policycoreutils-1.29.26.tgz +e017bfddf27e124cef2743496dcfcc49 policycoreutils-1.30.tgz
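Review bot: The changelog entry added in the %changelog hunk is headed `1.29.27-1`, but the first hunk of this spec sets `Version: 1.30` and `Release: 1` and the sources file now points at policycoreutils-1.30.tgz, so the entry should read `* Fri Mar 10 2006 Dan Walsh 1.30-1` (or the version bump is the part that is wrong). The same hunk packages /etc/rc.d/init.d/restorecond, yet no %post/%preun scriptlet that registers or removes the service appears anywhere in this diff; if the spec has none elsewhere, a `chkconfig --add restorecond` in %post and a `chkconfig --del restorecond` (and a service stop) in %preun on erase are needed, and the two new /etc entries would read as `%{_sysconfdir}/...` like the neighbouring %config lines.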