* Wed Jun 11 2008 Dan Walsh <dwalsh@redhat.com> 2.0.49-4

- Add semanage permissive *
* Fri May 16 2008 Dan Walsh <dwalsh@redhat.com> 2.0.49-3
- Fix fixfiles to cleanup /tmp and /var/tmp
This commit is contained in:
Daniel J Walsh 2008-06-11 20:20:15 +00:00
parent 6ead03f02f
commit 69499e5535
4 changed files with 4046 additions and 549 deletions

File diff suppressed because it is too large Load Diff

View File

@ -1,5 +1,5 @@
diff --exclude-from=exclude --exclude=sepolgen-1.0.11 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/Makefile policycoreutils-2.0.49/Makefile diff --exclude-from=exclude --exclude=sepolgen-1.0.11 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/Makefile policycoreutils-2.0.49/Makefile
--- nsapolicycoreutils/Makefile 2008-05-22 14:01:49.292734000 -0400 --- nsapolicycoreutils/Makefile 2008-05-22 14:01:49.000000000 -0400
+++ policycoreutils-2.0.49/Makefile 2008-05-16 11:27:02.000000000 -0400 +++ policycoreutils-2.0.49/Makefile 2008-05-16 11:27:02.000000000 -0400
@@ -1,4 +1,4 @@ @@ -1,4 +1,4 @@
-SUBDIRS = setfiles semanage load_policy newrole run_init secon audit2allow audit2why scripts sestatus semodule_package semodule semodule_link semodule_expand semodule_deps setsebool po -SUBDIRS = setfiles semanage load_policy newrole run_init secon audit2allow audit2why scripts sestatus semodule_package semodule semodule_link semodule_expand semodule_deps setsebool po
@ -8,7 +8,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.11 --exclude=gui --exclude=po
INOTIFYH = $(shell ls /usr/include/sys/inotify.h 2>/dev/null) INOTIFYH = $(shell ls /usr/include/sys/inotify.h 2>/dev/null)
diff --exclude-from=exclude --exclude=sepolgen-1.0.11 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.c policycoreutils-2.0.49/restorecond/restorecond.c diff --exclude-from=exclude --exclude=sepolgen-1.0.11 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.c policycoreutils-2.0.49/restorecond/restorecond.c
--- nsapolicycoreutils/restorecond/restorecond.c 2008-05-22 14:01:42.385538000 -0400 --- nsapolicycoreutils/restorecond/restorecond.c 2008-05-22 14:01:42.000000000 -0400
+++ policycoreutils-2.0.49/restorecond/restorecond.c 2008-05-16 11:27:02.000000000 -0400 +++ policycoreutils-2.0.49/restorecond/restorecond.c 2008-05-16 11:27:02.000000000 -0400
@@ -210,9 +210,10 @@ @@ -210,9 +210,10 @@
} }
@ -37,7 +37,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.11 --exclude=gui --exclude=po
free(scontext); free(scontext);
close(fd); close(fd);
diff --exclude-from=exclude --exclude=sepolgen-1.0.11 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.init policycoreutils-2.0.49/restorecond/restorecond.init diff --exclude-from=exclude --exclude=sepolgen-1.0.11 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.init policycoreutils-2.0.49/restorecond/restorecond.init
--- nsapolicycoreutils/restorecond/restorecond.init 2008-05-22 14:01:42.394526000 -0400 --- nsapolicycoreutils/restorecond/restorecond.init 2008-05-22 14:01:42.000000000 -0400
+++ policycoreutils-2.0.49/restorecond/restorecond.init 2008-05-16 11:27:02.000000000 -0400 +++ policycoreutils-2.0.49/restorecond/restorecond.init 2008-05-16 11:27:02.000000000 -0400
@@ -2,7 +2,7 @@ @@ -2,7 +2,7 @@
# #
@ -49,8 +49,8 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.11 --exclude=gui --exclude=po
# listed in the /etc/selinux/restorecond.conf file, and restores the \ # listed in the /etc/selinux/restorecond.conf file, and restores the \
# correct security context. # correct security context.
diff --exclude-from=exclude --exclude=sepolgen-1.0.11 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/fixfiles policycoreutils-2.0.49/scripts/fixfiles diff --exclude-from=exclude --exclude=sepolgen-1.0.11 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/fixfiles policycoreutils-2.0.49/scripts/fixfiles
--- nsapolicycoreutils/scripts/fixfiles 2008-05-22 14:01:41.983778000 -0400 --- nsapolicycoreutils/scripts/fixfiles 2008-05-22 14:01:41.000000000 -0400
+++ policycoreutils-2.0.49/scripts/fixfiles 2008-05-22 13:56:53.737824000 -0400 +++ policycoreutils-2.0.49/scripts/fixfiles 2008-05-22 13:56:53.000000000 -0400
@@ -138,6 +138,9 @@ @@ -138,6 +138,9 @@
fi fi
LogReadOnly LogReadOnly
@ -81,7 +81,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.11 --exclude=gui --exclude=po
if [ $# = 0 ]; then if [ $# = 0 ]; then
diff --exclude-from=exclude --exclude=sepolgen-1.0.11 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/fixfiles.8 policycoreutils-2.0.49/scripts/fixfiles.8 diff --exclude-from=exclude --exclude=sepolgen-1.0.11 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/fixfiles.8 policycoreutils-2.0.49/scripts/fixfiles.8
--- nsapolicycoreutils/scripts/fixfiles.8 2008-05-22 14:01:41.942823000 -0400 --- nsapolicycoreutils/scripts/fixfiles.8 2008-05-22 14:01:41.000000000 -0400
+++ policycoreutils-2.0.49/scripts/fixfiles.8 2008-05-16 11:27:02.000000000 -0400 +++ policycoreutils-2.0.49/scripts/fixfiles.8 2008-05-16 11:27:02.000000000 -0400
@@ -7,6 +7,8 @@ @@ -7,6 +7,8 @@
@ -102,10 +102,155 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.11 --exclude=gui --exclude=po
.SH "OPTIONS" .SH "OPTIONS"
.TP .TP
diff --exclude-from=exclude --exclude=sepolgen-1.0.11 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/semanage policycoreutils-2.0.49/semanage/semanage
--- nsapolicycoreutils/semanage/semanage 2008-05-22 14:01:41.000000000 -0400
+++ policycoreutils-2.0.49/semanage/semanage 2008-06-11 16:13:26.349017000 -0400
@@ -52,6 +52,7 @@
semanage fcontext -{a|d|m} [-frst] file_spec\n\
semanage translation -{a|d|m} [-T] level\n\n\
semanage boolean -{d|m} boolean\n\n\
+semanage permissive -{d|a} type\n\n\
\
Primary Options:\n\
\
@@ -112,6 +113,8 @@
valid_option["translation"] += valid_everyone + [ '-T', '--trans' ]
valid_option["boolean"] = []
valid_option["boolean"] += valid_everyone + [ '--on', "--off", "-1", "-0" ]
+ valid_option["permissive"] = []
+ valid_option["permissive"] += [ '-a', '--add', '-d', '--delete', '-l', '--list', '-h', '--help', '-n', '--noheading', ]
return valid_option
#
@@ -266,6 +269,9 @@
if object == "translation":
OBJECT = seobject.setransRecords()
+ if object == "permissive":
+ OBJECT = seobject.permissiveRecords(store)
+
if list:
OBJECT.list(heading, locallist)
sys.exit(0);
@@ -302,6 +308,9 @@
if object == "fcontext":
OBJECT.add(target, setype, ftype, serange, seuser)
+ if object == "permissive":
+ OBJECT.add(target)
+
sys.exit(0);
if modify:
diff --exclude-from=exclude --exclude=sepolgen-1.0.11 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/semanage.8 policycoreutils-2.0.49/semanage/semanage.8
--- nsapolicycoreutils/semanage/semanage.8 2008-05-22 14:01:41.000000000 -0400
+++ policycoreutils-2.0.49/semanage/semanage.8 2008-06-11 16:18:48.296894000 -0400
@@ -17,6 +17,8 @@
.br
.B semanage fcontext \-{a|d|m} [\-frst] file_spec
.br
+.B semanage permissive \-{a|d} type
+.br
.B semanage translation \-{a|d|m} [\-T] level
.P
@@ -101,10 +103,11 @@
$ semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?"
# Allow Apache to listen on port 81
$ semanage port -a -t http_port_t -p tcp 81
+# Change apache to a permissive domain
+$ semanage permissive -a http_t
.fi
.SH "AUTHOR"
This man page was written by Daniel Walsh <dwalsh@redhat.com> and
Russell Coker <rcoker@redhat.com>.
Examples by Thomas Bleher <ThomasBleher@gmx.de>.
-
diff --exclude-from=exclude --exclude=sepolgen-1.0.11 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/seobject.py policycoreutils-2.0.49/semanage/seobject.py diff --exclude-from=exclude --exclude=sepolgen-1.0.11 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/seobject.py policycoreutils-2.0.49/semanage/seobject.py
--- nsapolicycoreutils/semanage/seobject.py 2008-05-22 14:01:41.602159000 -0400 --- nsapolicycoreutils/semanage/seobject.py 2008-05-22 14:01:41.000000000 -0400
+++ policycoreutils-2.0.49/semanage/seobject.py 2008-05-16 11:27:02.000000000 -0400 +++ policycoreutils-2.0.49/semanage/seobject.py 2008-06-11 16:13:41.213393000 -0400
@@ -464,7 +464,7 @@ @@ -1,5 +1,5 @@
#! /usr/bin/python -E
-# Copyright (C) 2005, 2006, 2007 Red Hat
+# Copyright (C) 2005, 2006, 2007, 2008 Red Hat
# see file 'COPYING' for use and warranty information
#
# semanage is a tool for managing SELinux configuration files
@@ -24,7 +24,9 @@
import pwd, string, selinux, tempfile, os, re, sys
from semanage import *;
PROGNAME="policycoreutils"
+import sepolgen.module as module
+import commands
import gettext
gettext.bindtextdomain(PROGNAME, "/usr/share/locale")
gettext.textdomain(PROGNAME)
@@ -246,7 +248,61 @@
os.close(fd)
os.rename(newfilename, self.filename)
os.system("/sbin/service mcstrans reload > /dev/null")
-
+
+class permissiveRecords:
+ def __init__(self, store):
+ self.store = store
+
+ def get_all(self):
+ rc, out = commands.getstatusoutput("semodule -l | grep ^permissive");
+ l = []
+ for i in out.split():
+ if i.startswith("permissive_"):
+ l.append(i.split("permissive_")[1])
+ return l
+
+ def list(self,heading = 1, locallist = 0):
+ if heading:
+ print "\n%-25s\n" % (_("Permissive Types"))
+ for t in self.get_all():
+ print t
+
+
+ def add(self, type):
+ name = "permissive_%s" % type
+ dirname = "/var/run/sepermissive"
+ if not os.path.exists(dirname):
+ os.mkdir(dirname)
+ os.chdir(dirname)
+ filename = "%s.te" % name
+ modtxt = """
+module %s 1.0;
+
+require {
+ type %s;
+}
+
+permissive %s;
+""" % (name, type, type)
+ fd = open(filename,'w')
+ fd.write(modtxt)
+ fd.close()
+ mc = module.ModuleCompiler()
+ mc.create_module_package(filename, 1)
+ rc, out = commands.getstatusoutput("semodule -i permissive_%s.pp" % type);
+ import glob
+ for i in glob.glob("permissive_%s.*" % type):
+ os.remove(i)
+
+ if rc != 0:
+ raise ValueError(out)
+
+
+ def delete(self, name):
+ rc, out = commands.getstatusoutput("semodule -r permissive_%s" % name );
+ if rc != 0:
+ raise(out);
+
class semanageRecords:
def __init__(self, store):
self.sh = semanage_handle_create()
@@ -464,7 +520,7 @@
def __init__(self, store = ""): def __init__(self, store = ""):
semanageRecords.__init__(self, store) semanageRecords.__init__(self, store)

View File

@ -1,6 +1,28 @@
diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/refparser.py policycoreutils-2.0.35/sepolgen-1.0.11/src/sepolgen/refparser.py diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/audit.py policycoreutils-2.0.49/sepolgen-1.0.11/src/sepolgen/audit.py
--- nsasepolgen/src/sepolgen/audit.py 2008-01-23 14:36:29.000000000 -0500
+++ policycoreutils-2.0.49/sepolgen-1.0.11/src/sepolgen/audit.py 2008-05-28 10:11:36.373597000 -0400
@@ -241,14 +241,17 @@
def from_split_string(self, recs):
AuditMessage.from_split_string(self, recs)
dict={}
+ ctr = 0
for i in recs:
+ ctr = ctr + 1
t = i.split('=')
if len(t) < 2:
+ if t[0] == "context":
+ self.type = refpolicy.SecurityContext(recs[ctr]).type
continue
dict[t[0]]=t[1]
try:
self.role = refpolicy.SecurityContext(dict["scontext"]).role
- self.type = refpolicy.SecurityContext(dict["tcontext"]).type
except:
raise ValueError("Split string does not represent a valid compute sid message")
def output(self):
diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/refparser.py policycoreutils-2.0.49/sepolgen-1.0.11/src/sepolgen/refparser.py
--- nsasepolgen/src/sepolgen/refparser.py 2008-01-23 14:36:29.000000000 -0500 --- nsasepolgen/src/sepolgen/refparser.py 2008-01-23 14:36:29.000000000 -0500
+++ policycoreutils-2.0.35/sepolgen-1.0.11/src/sepolgen/refparser.py 2008-01-11 11:17:50.000000000 -0500 +++ policycoreutils-2.0.49/sepolgen-1.0.11/src/sepolgen/refparser.py 2008-05-16 11:27:03.000000000 -0400
@@ -919,7 +919,7 @@ @@ -919,7 +919,7 @@
def list_headers(root): def list_headers(root):
modules = [] modules = []

View File

@ -6,7 +6,7 @@
Summary: SELinux policy core utilities Summary: SELinux policy core utilities
Name: policycoreutils Name: policycoreutils
Version: 2.0.49 Version: 2.0.49
Release: 3%{?dist} Release: 4%{?dist}
License: GPLv2+ License: GPLv2+
Group: System Environment/Base Group: System Environment/Base
Source: http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz Source: http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz
@ -111,7 +111,7 @@ Summary: SELinux configuration GUI
Group: System Environment/Base Group: System Environment/Base
Requires: policycoreutils = %{version}-%{release} Requires: policycoreutils = %{version}-%{release}
Requires: gnome-python2, pygtk2, pygtk2-libglade, gnome-python2-canvas Requires: gnome-python2, pygtk2, pygtk2-libglade, gnome-python2-canvas
Requires: usermode, rhpl Requires: usermode
Requires: setools-console Requires: setools-console
Requires: python >= 2.4 Requires: python >= 2.4
BuildRequires: desktop-file-utils BuildRequires: desktop-file-utils
@ -192,6 +192,8 @@ if [ "$1" -ge "1" ]; then
fi fi
%changelog %changelog
* Wed Jun 11 2008 Dan Walsh <dwalsh@redhat.com> 2.0.49-4
- Add semanage permissive *
* Fri May 16 2008 Dan Walsh <dwalsh@redhat.com> 2.0.49-3 * Fri May 16 2008 Dan Walsh <dwalsh@redhat.com> 2.0.49-3
- Fix fixfiles to cleanup /tmp and /var/tmp - Fix fixfiles to cleanup /tmp and /var/tmp