From 7238655897023dd017f2c8c64368c9c197412d79 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Wed, 14 Dec 2005 20:34:32 +0000
Subject: [PATCH] * Wed Dec 14 2005 Dan Walsh 1.29.2-1 - Fix genhomedircon to work in installer - Update to match NSA * Merged patch for chcat script from Dan Walsh.
---
 .cvsignore | 1 +
 policycoreutils-rhat.patch | 290 ++++++++-----------------------------
 policycoreutils.spec | 13 +-
 sources | 2 +-
 4 files changed, 72 insertions(+), 234 deletions(-)
diff --git a/.cvsignore b/.cvsignore
index 3f1c82f..0f805fc 100644
--- a/.cvsignore
+++ b/.cvsignore
@@ -75,3 +75,4 @@ policycoreutils-1.27.36.tgz
 policycoreutils-1.27.37.tgz
 policycoreutils-1.28.tgz
 policycoreutils-1.29.1.tgz
+policycoreutils-1.29.2.tgz
diff --git a/policycoreutils-rhat.patch b/policycoreutils-rhat.patch
index a3b9e27..5aa0a54 100644
--- a/policycoreutils-rhat.patch
+++ b/policycoreutils-rhat.patch
@@ -1,232 +1,64 @@ -diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/chcat policycoreutils-1.29.1/scripts/chcat ---- nsapolicycoreutils/scripts/chcat 2005-12-08 12:52:47.000000000 -0500 -+++ policycoreutils-1.29.1/scripts/chcat 2005-12-09 18:20:29.000000000 -0500 -@@ -25,26 +25,20 @@ - import commands, sys, os, pwd, string, getopt, re, selinux +diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/genhomedircon policycoreutils-1.29.1/scripts/genhomedircon +--- nsapolicycoreutils/scripts/genhomedircon 2005-12-07 07:28:00.000000000 -0500 ++++ policycoreutils-1.29.1/scripts/genhomedircon 2005-12-14 14:12:00.000000000 -0500 +@@ -29,11 +29,14 @@ + import commands, sys, os, pwd, string, getopt, re + from semanage import *; - def chcat_add(orig, newcat, files): -+ if len(newcat) == 1: -+ raise ValueError("Requires at least one category") - errors=0 -- cmd='chcon -l ' -- if len(newcat) > 1: -- sensitivity=newcat[0] -- cat=newcat[1] -- else: -- sensitivity=0 -- cat=newcat[0] -- -- -+ sensitivity=newcat[0] -+ cat=newcat[1] -+ cmd='chcon -l %s' % sensitivity - for f in files: -- (rc, con) = selinux.getfilecon(f) -- (rc, raw) = selinux.selinux_trans_to_raw_context(con) -- clist=raw.split(":")[3:] -- if sensitivity == 0: -- sensitivity = clist[0] -- if len(clist) > 1: -- if clist[0] != sensitivity: -+ (rc, c) = selinux.getfilecon(f) -+ con=c.split(":")[3:] -+ clist = translate(con) -+ if sensitivity != clist[0]: - print("Can not modify sensitivity levels using '+' on %s" % f) -- continue -+ -+ if len(clist) > 1: - cats=clist[1].split(",") - if cat in cats: - print "%s is already in %s" % (f, orig) -@@ -64,23 +58,21 @@ - return errors - - def chcat_remove(orig, newcat, files): -+ if len(newcat) == 1: -+ raise ValueError("Requires at least one category") - errors=0 -- if len(newcat) > 1: -- sensitivity=newcat[0] -- cat=newcat[1] -- else: -- sensitivity=0 -- cat=newcat[0] -+ sensitivity=newcat[0] -+ cat=newcat[1] -+ - for f in files: -- (rc, con) = 
selinux.getfilecon(f) -- (rc, raw) = selinux.selinux_trans_to_raw_context(con) -- clist=raw.split(":")[3:] -- if sensitivity == 0: -- sensitivity = clist[0] -- if len(clist) > 1: -- if clist[0] != sensitivity: -+ (rc, c) = selinux.getfilecon(f) -+ con=c.split(":")[3:] -+ clist = translate(con) -+ if sensitivity != clist[0]: - print("Can not modify sensitivity levels using '+' on %s" % f) - continue -+ -+ if len(clist) > 1: - cats=clist[1].split(",") - if cat not in cats: - print "%s is not in %s" % (f, orig) -@@ -108,51 +100,69 @@ - - def chcat_replace(orig, newcat, files): - errors=0 -- if len(newcat) > 1: -+ if len(newcat) == 1: -+ if newcat[0][0] == "s" and newcat[0][1:].isdigit() and int(newcat[0][1:]) in range(0,16): -+ sensitivity=newcat[0] -+ cmd='chcon -l %s ' % newcat[0] -+ else: -+ cmd='chcon -l s0:%s ' % newcat[0] -+ else: - sensitivity=newcat[0] - cat=newcat[1] - cmd='chcon -l %s:%s ' % (sensitivity, cat) -- for f in files: -- cmd = "%s %s" % (cmd, f) -- -- rc=commands.getstatusoutput(cmd) -- if rc[0] != 0: -- print rc[1] -- errors += 1 -- else: -- cat=newcat[0] -- for f in files: -- (rc, con) = selinux.getfilecon(f) -- (rc, raw) = selinux.selinux_trans_to_raw_context(con) -- clist=raw.split(":")[3:] -- sensitivity=clist[0] -- cmd='chcon -l %s:%s %s' % (sensitivity, cat, f) -- rc=commands.getstatusoutput(cmd) -- if rc[0] != 0: -- print rc[1] -- errors+=1 - -+ for f in files: -+ cmd = "%s %s" % (cmd, f) -+ rc=commands.getstatusoutput(cmd) -+ if rc[0] != 0: -+ print rc[1] -+ errors += 1 -+ - return errors - --def chcat(cats, files): -- errors=0 -+def check_replace(cats): -+ plus_ind=0 -+ replace_ind=0 - for c in cats: -- if len(c) > 0 and c[0] == "+": -- (rc, raw) = selinux.selinux_trans_to_raw_context("a:b:c:%s" % c[1:]) -- rlist=raw.split(":") -- errors += chcat_add(c[1:], rlist[3:], files) -- continue -- if len(c) > 0 and c[0] == "-": -- (rc, raw) = selinux.selinux_trans_to_raw_context("a:b:c:%s" % c[1:]) -- rlist=raw.split(":") -- errors += 
chcat_remove(c[1:], rlist[3:], files) -- continue -+ if len(c) > 0 and ( c[0] == "+" or c[0] == "-" ): -+ if replace_ind: -+ raise ValueError("Can not combine +/- with other types of categories") -+ plus_ind=1 -+ else: -+ replace_ind=1 -+ if plus_ind: -+ raise ValueError("Can not combine +/- with other types of categories") -+ return replace_ind - -+def translate(cats): -+ newcat=[] -+ for c in cats: - (rc, raw) = selinux.selinux_trans_to_raw_context("a:b:c:%s" % c) -- rlist=raw.split(":") -- errors += chcat_replace(c[1:], rlist[3:], files) -- -- return errors -+ rlist=raw.split(":")[3:] -+ if len(rlist) > 1: -+ if len(newcat) == 0: -+ newcat.append(rlist[0]) -+ else: -+ if newcat[0] != rlist[0]: -+ raise ValueError("Can not have multiple sensitivities") -+ newcat.append(rlist[1]) -+ else: -+ if rlist[0][0] == "s" and rlist[0][1:].isdigit() and int(rlist[0][1:]) in range(0,16): -+ -+ if len(newcat) == 0: -+ newcat.append(rlist[0]) -+ else: -+ if newcat[0] != rlist[0]: -+ raise ValueError("Can not have multiple sensitivities") -+ else: -+ if len(newcat) == 0: -+ newcat.append("s0") -+ else: -+ if newcat[0] != "s0": -+ raise ValueError("Can not have multiple sensitivities") -+ newcat.append(rlist[0]) -+ -+ return newcat - - def usage(): - print "Usage %s CATEGORY File ..." 
% sys.argv[0] -@@ -190,26 +200,36 @@ - usage() - except: - usage() -+ - if delete_ind: -- sys.exit(chcat([""], cmds)) -+ sys.exit(chcat_replace(["s0"], ["s0"], cmds)) -+ - - if len(cmds) < 2: - usage() - -- cats=cmds[0].split(",") - set_ind=0 -+ cats=cmds[0].split(",") - mod_ind=0 -- for i in cats: -- if i[0]=='+' or i[0]=="-": -- mod_ind=1 -- if set_ind == 1: -- error("You can not use '%s' with previous categories" % i) -- else: -- if mod_ind == 1 or set_ind==1: -- error("You can not use '%s' with previous categories" % i) -- set_ind=1 -- -+ errors=0 - files=cmds[1:] -- sys.exit(chcat(cats, files)) -+ try: -+ if check_replace(cats): -+ errors=chcat_replace(cats,translate(cats), files) -+ else: -+ for c in cats: -+ l=[] -+ l.append(c[1:]) -+ if len(c) > 0 and c[0] == "+": -+ errors += chcat_add(c[1:],translate(l), files) -+ continue -+ if len(c) > 0 and c[0] == "-": -+ errors += chcat_remove(c[1:],translate(l), files) -+ continue -+ except ValueError, e: -+ error(e) -+ -+ sys.exit(errors) -+ +-fd=open("/etc/shells", 'r') +-VALID_SHELLS=fd.read().split('\n') +-fd.close() +-if "/sbin/nologin" in VALID_SHELLS: +- VALID_SHELLS.remove("/sbin/nologin") ++try: ++ fd=open("/etc/shells", 'r') ++ VALID_SHELLS=fd.read().split('\n') ++ fd.close() ++ if "/sbin/nologin" in VALID_SHELLS: ++ VALID_SHELLS.remove("/sbin/nologin") ++except: ++ VALID_SHELLS = ['/bin/sh', '/bin/bash', '/bin/ash', '/bin/bsh', '/bin/ksh', '/usr/bin/ksh', '/usr/bin/pdksh', '/bin/tcsh', '/bin/csh', '/bin/zsh'] + def getStartingUID(): + starting_uid = sys.maxint +@@ -163,21 +166,29 @@ + return role + + def adduser(self, udict, user, seuser, role): ++ if seuser == "user_u" or user == "__default__": ++ return ++ # !!! chooses first role in the list to use in the file context !!! ++ if role[-2:] == "_r" or role[-2:] == "_u": ++ role = role[:-2] + try: +- if seuser == "user_u" or user == "__default__": +- return +- # !!! chooses first role in the list to use in the file context !!! 
+- if role[-2:] == "_r" or role[-2:] == "_u": +- role = role[:-2] + home = pwd.getpwnam(user)[5] + if home == "/": +- return +- prefs = {} +- prefs["role"] = role +- prefs["home"] = home +- udict[seuser] = prefs ++ # Probably install so hard code to /root ++ if user == "root": ++ home="/root" ++ else: ++ return + except KeyError: +- sys.stderr.write("The user \"%s\" is not present in the passwd file, skipping...\n" % user) ++ if user == "root": ++ home = "/root" ++ else: ++ sys.stderr.write("The user \"%s\" is not present in the passwd file, skipping...\n" % user) ++ return ++ prefs = {} ++ prefs["role"] = role ++ prefs["home"] = home ++ udict[seuser] = prefs + def getUsers(self): + udict = {} diff --git a/policycoreutils.spec b/policycoreutils.spec index d754592..8ff9365 100644 --- a/policycoreutils.spec +++ b/policycoreutils.spec @@ -1,10 +1,10 @@ %define libsepolver 1.10-1 -%define libsemanagever 1.4-1 -%define libselinuxver 1.29.1-2 +%define libsemanagever 1.5.3-1 +%define libselinuxver 1.29.2-1 Summary: SELinux policy core utilities. Name: policycoreutils -Version: 1.29.1 -Release: 3 +Version: 1.29.2 +Release: 1 License: GPL Group: System Environment/Base Source: http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz @@ -96,6 +96,11 @@ rm -rf ${RPM_BUILD_ROOT} %config(noreplace) %{_sysconfdir}/sestatus.conf %changelog +* Wed Dec 14 2005 Dan Walsh 1.29.2-1 +- Fix genhomedircon to work in installer +- Update to match NSA + * Merged patch for chcat script from Dan Walsh. + * Fri Dec 9 2005 Dan Walsh 1.29.1-2 - More fixes to chcat diff --git a/sources b/sources index fe9c9e3..45181c1 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -92504be57af5d7dd21191f66014126d7 policycoreutils-1.29.1.tgz +db981cfd14f597746ed87ada3a815d0e policycoreutils-1.29.2.tgz
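Review bot: The bare `except:` wrapping the `/etc/shells` read at the top of the new genhomedircon hunk silently substitutes a hard-coded shell list for any failure at all, including a permissions error or a KeyboardInterrupt, and nothing tells the operator that the generated home-directory contexts were derived from a guess rather than the system's real shell list. Since the surrounding code already uses Python 2 exception syntax (`except ValueError, e:`), narrow it and report the fallback: `except IOError, e:` followed by `sys.stderr.write("genhomedircon: cannot read /etc/shells (%s), using built-in shell list\n" % e)` before the `VALID_SHELLS = [...]` assignment. Separately, `fd.read().split('\n')` leaves a trailing empty string and keeps any `#` comment lines in `VALID_SHELLS`; whether that matters depends on how the list is consulted, which is outside this hunk, but filtering blank and comment entries at the point of reading would be cheap. The `adduser` change hard-codes `/root` when root is absent from passwd or has `/` as its home; that is a defensible installer heuristic, but the comment `# Probably install so hard code to /root` should state the assumption, e.g. `# Installer environments may omit root from passwd or list its home as /; assume /root`. The class enclosing `adduser` begins before this hunk and `getUsers` continues past its end.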