From 875701c42acb4b8a447ae63c57c716f501986190 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Wed, 6 Aug 2008 22:11:40 +0000 Subject: [PATCH] * Wed Aug 6 2008 Dan Walsh 2.0.54-2 - Allow multiple transactions in one semanage command --- policycoreutils-rhat.patch | 1191 ++++++++++++++++++++++++++++++++++-- policycoreutils.spec | 5 +- 2 files changed, 1157 insertions(+), 39 deletions(-) diff --git a/policycoreutils-rhat.patch b/policycoreutils-rhat.patch index e64fbc1..32c6030 100644 --- a/policycoreutils-rhat.patch +++ b/policycoreutils-rhat.patch @@ -1,54 +1,1169 @@ -diff --exclude-from=exclude --exclude=sepolgen-1.0.13 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/Makefile policycoreutils-2.0.53/Makefile +diff -b -B --exclude-from=exclude --exclude=sepolgen-1.0.13 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/Makefile policycoreutils-2.0.54/Makefile --- nsapolicycoreutils/Makefile 2008-08-05 09:58:35.000000000 -0400 -+++ policycoreutils-2.0.53/Makefile 2008-08-01 07:34:03.000000000 -0400 ++++ policycoreutils-2.0.54/Makefile 2008-08-06 18:05:28.000000000 -0400 
@@ -1,4 +1,4 @@ -SUBDIRS = setfiles semanage load_policy newrole run_init secon audit2allow audit2why scripts sestatus semodule_package semodule semodule_link semodule_expand semodule_deps setsebool po +SUBDIRS = setfiles semanage load_policy newrole run_init secon audit2allow audit2why scripts sestatus semodule_package semodule semodule_link semodule_expand semodule_deps setsebool po gui INOTIFYH = $(shell ls /usr/include/sys/inotify.h 2>/dev/null) -diff --exclude-from=exclude --exclude=sepolgen-1.0.13 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.conf policycoreutils-2.0.53/restorecond/restorecond.conf +diff -b -B --exclude-from=exclude --exclude=sepolgen-1.0.13 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.conf policycoreutils-2.0.54/restorecond/restorecond.conf --- nsapolicycoreutils/restorecond/restorecond.conf 2008-08-05 09:58:27.000000000 -0400 -+++ policycoreutils-2.0.53/restorecond/restorecond.conf 2008-08-01 10:54:17.000000000 -0400 ++++ policycoreutils-2.0.54/restorecond/restorecond.conf 2008-08-06 18:05:28.000000000 -0400 
@@ -1,3 +1,4 @@ +/etc/services /etc/resolv.conf /etc/samba/secrets.tdb /etc/mtab -diff --exclude-from=exclude --exclude=sepolgen-1.0.13 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/semanage policycoreutils-2.0.53/semanage/semanage +diff -b -B --exclude-from=exclude --exclude=sepolgen-1.0.13 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/semanage policycoreutils-2.0.54/semanage/semanage --- nsapolicycoreutils/semanage/semanage 2008-08-05 09:58:26.000000000 -0400 -+++ policycoreutils-2.0.53/semanage/semanage 2008-08-05 10:13:48.000000000 -0400 -@@ -45,11 +45,11 @@ ++++ policycoreutils-2.0.54/semanage/semanage 2008-08-06 18:05:28.000000000 -0400 +@@ -20,7 +20,7 @@ + # 02111-1307 USA + # + # +-import os, sys, getopt ++import sys, getopt + import seobject + import selinux + PROGNAME="policycoreutils" +@@ -43,7 +43,9 @@ + if __name__ == '__main__': + def usage(message = ""): - print _(""" +- print _(""" ++ raise ValueError(_(""" ++semanage [ -S store ] -i [ input_file | - ] ++ semanage {boolean|login|user|port|interface|fcontext|translation} -{l|D} [-n] --semanage login -{a|d|m} [-sr] login_name | %groupname --semanage user -{a|d|m} [-LrRP] selinux_name -+semanage login -{a|d|m} [-srF] login_name | login_file -+semanage user -{a|d|m} [-LrRPF] selinux_name | user_file - semanage port -{a|d|m} [-tr] [ -p proto ] port | port_range - semanage interface -{a|d|m} [-tr] interface_spec --semanage fcontext -{a|d|m} [-frst] file_spec -+semanage fcontext -{a|d|m} [-frstF] file_spec | fcontext_file - semanage translation -{a|d|m} [-T] level - semanage boolean -{d|m} [--on|--off|-1|-0] -F boolean | boolean_file - semanage permissive -{d|a} type -@@ -103,15 +103,15 @@ - valid_option={} - valid_everyone=[ '-a', '--add', '-d', '--delete', '-m', '--modify', '-l', '--list', '-h', '--help', '-n', '--noheading', '-C', '--locallist', '-D', '--deleteall', '-S', '--store' ] - valid_option["login"] = [] -- valid_option["login"] += valid_everyone + [ '-s', 
'--seuser', '-r', '--range'] -+ valid_option["login"] += valid_everyone + [ '-s', '--seuser', '-r', '--range', "-F", "--file"] - valid_option["user"] = [] -- valid_option["user"] += valid_everyone + [ '-L', '--level', '-r', '--range', '-R', '--roles', '-P', '--prefix' ] -+ valid_option["user"] += valid_everyone + [ '-L', '--level', '-r', '--range', '-R', '--roles', '-P', '--prefix', "-F", "--file"] - valid_option["port"] = [] - valid_option["port"] += valid_everyone + [ '-t', '--type', '-r', '--range', '-p', '--proto' ] - valid_option["interface"] = [] - valid_option["interface"] += valid_everyone + [ '-t', '--type', '-r', '--range'] - valid_option["fcontext"] = [] -- valid_option["fcontext"] += valid_everyone + [ '-f', '--ftype', '-s', '--seuser', '-t', '--type', '-r', '--range'] -+ valid_option["fcontext"] += valid_everyone + [ '-f', '--ftype', '-s', '--seuser', '-t', '--type', '-r', '--range', "-F", "--file"] - valid_option["translation"] = [] - valid_option["translation"] += valid_everyone + [ '-T', '--trans' ] - valid_option["boolean"] = [] + semanage login -{a|d|m} [-sr] login_name | %groupname + semanage user -{a|d|m} [-LrRP] selinux_name +@@ -59,6 +61,7 @@ + -a, --add Add a OBJECT record NAME + -d, --delete Delete a OBJECT record NAME + -m, --modify Modify a OBJECT record NAME ++ -i, --input Input multiple semange commands in a transaction + -l, --list List the OBJECTS + -C, --locallist List OBJECTS local customizations + -D, --deleteall Remove all OBJECTS local customizations +@@ -89,9 +92,8 @@ + -s, --seuser SELinux User Name + -t, --type SELinux Type for the object + -r, --range MLS/MCS Security Range (MLS/MCS Systems only) +-""") +- print message +- sys.exit(1) ++%s ++""") % message) + + def errorExit(error): + sys.stderr.write("%s: " % sys.argv[0]) +@@ -120,12 +122,42 @@ + valid_option["permissive"] += [ '-a', '--add', '-d', '--delete', '-l', '--list', '-h', '--help', '-n', '--noheading', '-D', '--deleteall' ] + return valid_option + +- # +- # +- # +- 
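Review bot: `raise ValueError(_("""…%s\n""") % message)` in hunk `+@@ -89,9 +92,8 @@` applies `%`-formatting to the whole usage text, but that text still contains a literal percent sign in `login_name | %groupname` (a context line of hunk `+@@ -43,7 +43,9 @@`), so Python parses `%g` as a float conversion and every usage() call raises TypeError instead of reporting the message. TypeError is not among the exceptions the script's `except` clauses handle, so the user gets a traceback rather than the usage text. Either escape the literal as `%%groupname` inside the format string, or keep the text free of conversions and append the message: `raise ValueError(_("""…""") + "\n" + message)`. The previous `print`-then-`print message` form did not have this problem because the text was never used as a format string.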
try: +- input = sys.stdin +- output = sys.stdout ++ def mkargv(line): ++ dquote = "\"" ++ squote = "\'" ++ l = line.split() ++ ret = [] ++ i = 0 ++ while i < len(l): ++ if dquote in l[i]: ++ quote = [ l[i].strip(dquote) ] ++ i = i + 1 ++ while i < len(l) and dquote not in l[i]: ++ quote.append(l[i]) ++ i = i + 1 ++ ++ quote.append(l[i].strip(dquote)) ++ ret.append(" ".join(quote)) ++ i = i + 1 ++ continue ++ if squote in l[i]: ++ quote = [ l[i].strip(squote) ] ++ i = i + 1 ++ while i < len(l) and squote not in l[i]: ++ quote.append(l[i]) ++ i = i + 1 ++ ++ quote.append(l[i].strip(squote)) ++ ret.append(" ".join(quote)) ++ i = i + 1 ++ continue ++ ++ ret.append(l[i]) ++ i = i + 1 ++ ++ return ret ++ ++ def process_args(argv): + serange = "" + port = "" + proto = "" +@@ -146,24 +178,23 @@ + locallist = False + use_file = False + store = "" +- if len(sys.argv) < 3: +- usage(_("Requires 2 or more arguments")) + +- object = sys.argv[1] ++ object = argv[0] + option_dict=get_options() + if object not in option_dict.keys(): + usage(_("%s not defined") % object) + +- args = sys.argv[2:] ++ args = argv[1:] + + gopts, cmds = getopt.getopt(args, +- '01adf:lhmnp:s:FCDR:L:r:t:T:P:S:', ++ '01adf:i:lhmnp:s:FCDR:L:r:t:T:P:S:', + ['add', + 'delete', + 'deleteall', + 'ftype=', + 'file', + 'help', ++ 'input=', + 'list', + 'modify', + 'noheading', +@@ -187,16 +218,16 @@ + for o,a in gopts: + if o == "-a" or o == "--add": + if modify or delete: +- usage() ++ raise ValueError(_("%s bad option") % o) + add = True + + if o == "-d" or o == "--delete": + if modify or add: +- usage() ++ raise ValueError(_("%s bad option") % o) + delete = True + if o == "-D" or o == "--deleteall": + if modify: +- usage() ++ raise ValueError(_("%s bad option") % o) + deleteall = True + if o == "-f" or o == "--ftype": + ftype=a +@@ -205,7 +236,7 @@ + use_file = True + + if o == "-h" or o == "--help": +- usage() ++ raise ValueError(_("%s bad option") % o) + + if o == "-n" or o == "--noheading": + heading = False 
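Review bot: mkargv() indexes past the end of `l` whenever a quoted argument is a single token or the quote is never closed: for a token such as `"/web(/.*)?"` the inner `while` consumes the rest of the line and then `l[i].strip(dquote)` raises IndexError, which none of the `except` clauses at the bottom of the script handle, so one such line in a `-i` file aborts the whole run with a traceback. A token that both opens and closes a quote also swallows every following token until the next quote, because the loop only looks for the delimiter in later tokens. The standard library already does this job: `return shlex.split(line)` (with `shlex` added to the `import sys, getopt` line) handles both quote styles and raises `ValueError("No closing quotation")` for an unterminated quote, which the existing `except ValueError` branch turns into errorExit; note that shlex in its default POSIX mode also interprets backslash escapes, which the hand-rolled splitter did not. The `def process_args(argv):` that this hunk introduces has its body in the following hunks.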
+@@ -215,7 +246,7 @@ + + if o == "-m"or o == "--modify": + if delete or add: +- usage() ++ raise ValueError(_("%s bad option") % o) + modify = True + + if o == "-S" or o == '--store': +@@ -223,7 +254,7 @@ + + if o == "-r" or o == '--range': + if is_mls_enabled == 0: +- errorExit(_("range not supported on Non MLS machines")) ++ raise ValueError(_("range not supported on Non MLS machines")) + serange = a + + if o == "-l" or o == "--list": +@@ -231,7 +262,7 @@ + + if o == "-L" or o == '--level': + if is_mls_enabled == 0: +- errorExit(_("range not supported on Non MLS machines")) ++ raise ValueError(_("range not supported on Non MLS machines")) + selevel = a + + if o == "-p" or o == '--proto': +@@ -286,14 +317,14 @@ + OBJECT.list(heading, locallist, use_file) + else: + OBJECT.list(heading, locallist) +- sys.exit(0); ++ return + + if deleteall: + OBJECT.deleteall() +- sys.exit(0); ++ return + + if len(cmds) != 1: +- usage() ++ raise ValueError(_("%s bad option") % o) + + target = cmds[0] + +@@ -305,10 +336,7 @@ + OBJECT.add(target, setrans) + + if object == "user": +- rlist = [] +- if not use_file: +- rlist = roles.split() +- OBJECT.add(target, rlist, selevel, serange, prefix) ++ OBJECT.add(target, roles.split(), selevel, serange, prefix) + + if object == "port": + OBJECT.add(target, proto, serange, setype) +@@ -321,7 +349,7 @@ + if object == "permissive": + OBJECT.add(target) + +- sys.exit(0); ++ return + + if modify: + if object == "boolean": +@@ -346,7 +374,7 @@ + if object == "fcontext": + OBJECT.modify(target, setype, ftype, serange, seuser) + +- sys.exit(0); ++ return + + if delete: + if object == "port": +@@ -358,16 +386,69 @@ + else: + OBJECT.delete(target) + +- sys.exit(0); +- usage() ++ return ++ ++ raise ValueError(_("Invalid command") % " ".join(argv)) ++ ++ # ++ # ++ # ++ try: ++ input = None ++ store = "" ++ ++ if len(sys.argv) < 3: ++ usage(_("Requires 2 or more arguments")) ++ ++ gopts, cmds = getopt.getopt(sys.argv[1:], ++ 
'01adf:i:lhmnp:s:FCDR:L:r:t:T:P:S:', ++ ['add', ++ 'delete', ++ 'deleteall', ++ 'ftype=', ++ 'file', ++ 'help', ++ 'input=', ++ 'list', ++ 'modify', ++ 'noheading', ++ 'localist', ++ 'off', ++ 'on', ++ 'proto=', ++ 'seuser=', ++ 'store=', ++ 'range=', ++ 'level=', ++ 'roles=', ++ 'type=', ++ 'trans=', ++ 'prefix=' ++ ]) ++ for o, a in gopts: ++ if o == "-S" or o == '--store': ++ store = a ++ if o == "-i" or o == '--input': ++ input = a ++ ++ if input != None: ++ if input == "-": ++ fd = sys.stdin ++ else: ++ fd = open(input, 'r') ++ trans = seobject.semanageRecords(store) ++ trans.begin() ++ for l in fd.readlines(): ++ process_args(mkargv(l)) ++ trans.commit() ++ else: ++ process_args(sys.argv[1:]) + + except getopt.error, error: +- errorExit(_("Options Error %s ") % error.msg) ++ usage(_("Options Error %s ") % error.msg) + except ValueError, error: + errorExit(error.args[0]) + except KeyError, error: + errorExit(_("Invalid value %s") % error.args[0]) + except IOError, error: + errorExit(error.args[1]) +- except KeyboardInterrupt, error: +- sys.exit(0) +diff -b -B --exclude-from=exclude --exclude=sepolgen-1.0.13 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/seobject.py policycoreutils-2.0.54/semanage/seobject.py +--- nsapolicycoreutils/semanage/seobject.py 2008-08-05 09:58:26.000000000 -0400 ++++ policycoreutils-2.0.54/semanage/seobject.py 2008-08-06 18:07:21.000000000 -0400 +@@ -26,7 +26,6 @@ + PROGNAME="policycoreutils" + import sepolgen.module as module + +-import commands + import gettext + gettext.bindtextdomain(PROGNAME, "/usr/share/locale") + gettext.textdomain(PROGNAME) +@@ -40,6 +39,33 @@ + + import syslog + ++handle = None ++ ++def get_handle(store): ++ global handle ++ ++ handle = semanage_handle_create() ++ if not handle: ++ raise ValueError(_("Could not create semanage handle")) ++ ++ if store != "": ++ semanage_select_store(handle, store, SEMANAGE_CON_DIRECT); ++ ++ if not semanage_is_managed(handle): ++ 
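Review bot: `raise ValueError(_("Invalid command") % " ".join(argv))` at the end of process_args has no conversion specifier in its format string, so the `%` raises TypeError ("not all arguments converted") before the ValueError is ever built, and since TypeError is not caught below the user sees a traceback instead of the message; it should be `raise ValueError(_("Invalid command %s") % " ".join(argv))`. The new `except getopt.error, error: usage(...)` has the same kind of problem: usage() now raises ValueError, and an exception raised inside one `except` handler is not caught by its sibling `except ValueError`, so an option error also ends in a traceback — keep `errorExit(_("Options Error %s ") % error.msg)` here, or have this handler catch what usage() raises. In the `-i` loop, a blank line in the input file makes mkargv() return `[]` and `argv[0]` in process_args raises IndexError; skip such lines with `if not l.strip(): continue` before `process_args(mkargv(l))`. The file opened by `fd = open(input, 'r')` is never closed; a `try/finally` around the loop, or a `fd.close()` after `trans.commit()`, would do.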
semanage_handle_destroy(handle) ++ raise ValueError(_("SELinux policy is not managed or store cannot be accessed.")) ++ ++ rc = semanage_access_check(handle) ++ if rc < SEMANAGE_CAN_READ: ++ semanage_handle_destroy(handle) ++ raise ValueError(_("Cannot read policy store.")) ++ ++ rc = semanage_connect(handle) ++ if rc < 0: ++ semanage_handle_destroy(handle) ++ raise ValueError(_("Could not establish semanage connection")) ++ return handle ++ + file_types = {} + file_types[""] = SEMANAGE_FCONTEXT_ALL; + file_types["all files"] = SEMANAGE_FCONTEXT_ALL; +@@ -90,8 +116,6 @@ + + mylog = logger() + +-import sys, os +-import re + import xml.etree.ElementTree + + booleans_dict={} +@@ -249,31 +273,36 @@ + os.rename(newfilename, self.filename) + os.system("/sbin/service mcstrans reload > /dev/null") + +-class permissiveRecords: ++class semanageRecords: + def __init__(self, store): +- self.store = store +- self.sh = semanage_handle_create() +- if not self.sh: +- raise ValueError(_("Could not create semanage handle")) +- +- if store != "": +- semanage_select_store(self.sh, store, SEMANAGE_CON_DIRECT); ++ global handle + +- self.semanaged = semanage_is_managed(self.sh) +- +- if not self.semanaged: +- semanage_handle_destroy(self.sh) +- raise ValueError(_("SELinux policy is not managed or store cannot be accessed.")) ++ if handle != None: ++ self.transaction = True ++ self.sh = handle ++ else: ++ self.sh=get_handle(store) ++ self.transaction = False + +- rc = semanage_access_check(self.sh) +- if rc < SEMANAGE_CAN_READ: +- semanage_handle_destroy(self.sh) +- raise ValueError(_("Cannot read policy store.")) ++ def deleteall(self): ++ raise ValueError(_("Not yet implemented")) + +- rc = semanage_connect(self.sh) ++ def begin(self): ++ if self.transaction: ++ return ++ rc = semanage_begin_transaction(self.sh) + if rc < 0: +- semanage_handle_destroy(self.sh) +- raise ValueError(_("Could not establish semanage connection")) ++ raise ValueError(_("Could not start semanage 
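Review bot: get_handle() stores every handle it creates in the module global `handle`, and semanageRecords.__init__ (hunk `+@@ -249,31 +273,36 @@`, just below) treats a non-None global as "a transaction is open", so the second records object created in one process without `-i` inherits `transaction = True` and its begin()/commit() become no-ops: whether libsemanage's *_modify_local calls then fail outside a transaction or silently leave it uncommitted is not visible here, but either way that object's changes never reach the store. The global should mark an open transaction rather than an existing handle: let get_handle() work on a local and return it, set `handle = self.sh` in begin() once semanage_begin_transaction succeeds, and reset it in commit(). Whether any caller creates more than one records object per process cannot be seen in this hunk, but the `-i` path itself does (one per input line) and a library user such as a GUI could as well. The `global handle` declaration in __init__ is then unnecessary, since that method only reads the name.
```python
def get_handle(store):
    sh = semanage_handle_create()
    if not sh:
        raise ValueError(_("Could not create semanage handle"))
    # … unchanged: select_store / is_managed / access_check / connect, on sh instead of the global …
    return sh

# in class semanageRecords:
    def begin(self):
        global handle
        if self.transaction:
            return
        rc = semanage_begin_transaction(self.sh)
        if rc < 0:
            raise ValueError(_("Could not start semanage transaction"))
        handle = self.sh   # objects created from now on join this transaction

    def commit(self):
        global handle
        if self.transaction:
            return
        rc = semanage_commit(self.sh)
        handle = None      # transaction closed, whether or not it succeeded
        if rc < 0:
            raise ValueError(_("Could not commit semanage transaction"))
```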
transaction")) ++ def commit(self): ++ if self.transaction: ++ return ++ rc = semanage_commit(self.sh) ++ if rc < 0: ++ raise ValueError(_("Could not commit semanage transaction")) ++ ++class permissiveRecords(semanageRecords): ++ def __init__(self, store): ++ semanageRecords.__init__(self, store) + + def get_all(self): + l = [] +@@ -321,9 +350,9 @@ + rc = semanage_module_install(self.sh, data, len(data)); + if rc < 0: + raise ValueError(_("Could not set permissive domain %s (module installation failed)") % name) +- rc = semanage_commit(self.sh) +- if rc < 0: +- raise ValueError(_("Could not set permissive domain %s (commit failed)") % name) ++ ++ self.commit() ++ + for root, dirs, files in os.walk("tmp", topdown=False): + for name in files: + os.remove(os.path.join(root, name)) +@@ -335,9 +364,8 @@ + rc = semanage_module_remove(self.sh, "permissive_%s" % n) + if rc < 0: + raise ValueError(_("Could not remove permissive domain %s (remove failed)") % name) +- rc = semanage_commit(self.sh) +- if rc < 0: +- raise ValueError(_("Could not remove permissive domain %s (commit failed)") % name) ++ ++ self.commit() + + def deleteall(self): + l = self.get_all() +@@ -345,39 +373,11 @@ + all = " ".join(l) + self.delete(all) + +-class semanageRecords: +- def __init__(self, store): +- self.sh = semanage_handle_create() +- if not self.sh: +- raise ValueError(_("Could not create semanage handle")) +- +- if store != "": +- semanage_select_store(self.sh, store, SEMANAGE_CON_DIRECT); +- +- self.semanaged = semanage_is_managed(self.sh) +- +- if not self.semanaged: +- semanage_handle_destroy(self.sh) +- raise ValueError(_("SELinux policy is not managed or store cannot be accessed.")) +- +- rc = semanage_access_check(self.sh) +- if rc < SEMANAGE_CAN_READ: +- semanage_handle_destroy(self.sh) +- raise ValueError(_("Cannot read policy store.")) +- +- rc = semanage_connect(self.sh) +- if rc < 0: +- semanage_handle_destroy(self.sh) +- raise ValueError(_("Could not establish semanage 
connection")) +- def deleteall(self): +- raise ValueError(_("Not yet implemented")) +- +- + class loginRecords(semanageRecords): + def __init__(self, store = ""): + semanageRecords.__init__(self, store) + +- def add(self, name, sename, serange): ++ def __add(self, name, sename, serange): + if is_mls_enabled == 1: + if serange == "": + serange = "s0" +@@ -387,7 +387,6 @@ + if sename == "": + sename = "user_u" + +- try: + (rc,k) = semanage_seuser_key_create(self.sh, name) + if rc < 0: + raise ValueError(_("Could not create a key for %s") % name) +@@ -425,30 +424,26 @@ + if rc < 0: + raise ValueError(_("Could not set SELinux user for %s") % name) + +- rc = semanage_begin_transaction(self.sh) +- if rc < 0: +- raise ValueError(_("Could not start semanage transaction")) +- + rc = semanage_seuser_modify_local(self.sh, k, u) + if rc < 0: + raise ValueError(_("Could not add login mapping for %s") % name) + +- rc = semanage_commit(self.sh) +- if rc < 0: +- raise ValueError(_("Could not add login mapping for %s") % name) ++ semanage_seuser_key_free(k) ++ semanage_seuser_free(u) ++ ++ def add(self, name, sename, serange): ++ try: ++ self.begin() ++ self.__add(name, sename, serange) ++ self.commit() + + except ValueError, error: + mylog.log(0, _("add SELinux user mapping"), name, sename, "", serange); + raise error + + mylog.log(1, _("add SELinux user mapping"), name, sename, "", serange); +- semanage_seuser_key_free(k) +- semanage_seuser_free(u) + +- def modify(self, name, sename = "", serange = ""): +- oldsename = "" +- oldserange = "" +- try: ++ def __modify(self, name, sename = "", serange = ""): + if sename == "" and serange == "": + raise ValueError(_("Requires seuser or serange")) + +@@ -477,28 +472,27 @@ + else: + sename = oldsename + +- rc = semanage_begin_transaction(self.sh) +- if rc < 0: +- raise ValueError(_("Could not start semanage transaction")) +- + rc = semanage_seuser_modify_local(self.sh, k, u) + if rc < 0: + raise ValueError(_("Could not modify login 
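Review bot: hunk `+@@ -387,7 +387,6 @@` removes the `try:` that opened the body of loginRecords.__add, but no re-indentation of the lines that followed it appears in the patch; because the inner diff was generated with `diff -b -B` (see the file headers), whitespace-only changes are dropped from its output, so after applying it the body may stay at its old deeper indentation and Python would reject the file with an IndentationError — this rendering collapses whitespace, so it cannot be verified from here. The same pattern appears wherever a `try:` line is removed without its body being re-emitted, for example `+@@ -425,30 +424,26 @@` below and `+@@ -580,8 +572,9 @@` and `+@@ -620,31 +613,29 @@` in the following class. Worth confirming that the patched seobject.py compiles, and regenerating policycoreutils-rhat.patch without `-b -B` so that indentation changes are carried. The enclosing loginRecords class continues past this hunk.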
mapping for %s") % name) + +- rc = semanage_commit(self.sh) +- if rc < 0: +- raise ValueError(_("Could not modify login mapping for %s") % name) +- +- except ValueError, error: +- mylog.log(0,"modify selinux user mapping", name, sename,"", serange, oldsename, "", oldserange); +- raise error +- +- mylog.log(1,"modify selinux user mapping", name, sename, "", serange, oldsename, "", oldserange); + semanage_seuser_key_free(k) + semanage_seuser_free(u) + +- def delete(self, name): ++ mylog.log(1,"modify selinux user mapping", name, sename, "", serange, oldsename, "", oldserange); ++ ++ ++ def modify(self, name, sename = "", serange = ""): + try: ++ self.begin() ++ self.__modify(name, sename, serange) ++ self.commit() ++ ++ except ValueError, error: ++ mylog.log(0,"modify selinux user mapping", name, sename,"", serange, "", "", ""); ++ raise error ++ ++ def __delete(self, name): + (rc,k) = semanage_seuser_key_create(self.sh, name) + if rc < 0: + raise ValueError(_("Could not create a key for %s") % name) +@@ -515,12 +509,7 @@ + if not exists: + raise ValueError(_("Login mapping for %s is defined in policy, cannot be deleted") % name) + +- rc = semanage_begin_transaction(self.sh) +- if rc < 0: +- raise ValueError(_("Could not start semanage transaction")) +- + rc = semanage_seuser_del_local(self.sh, k) +- + if rc < 0: + raise ValueError(_("Could not delete login mapping for %s") % name) + +@@ -524,16 +513,19 @@ + if rc < 0: + raise ValueError(_("Could not delete login mapping for %s") % name) + +- rc = semanage_commit(self.sh) +- if rc < 0: +- raise ValueError(_("Could not delete login mapping for %s") % name) ++ semanage_seuser_key_free(k) ++ ++ def delete(self, name): ++ try: ++ self.begin() ++ self.__delete(name) ++ self.commit() + + except ValueError, error: + mylog.log(0,"delete SELinux user mapping", name); + raise error + + mylog.log(1,"delete SELinux user mapping", name); +- semanage_seuser_key_free(k) + + def get_all(self, locallist = 0): + ddict = {} +@@ -568,7 
+560,7 @@ + def __init__(self, store = ""): + semanageRecords.__init__(self, store) + +- def add(self, name, roles, selevel, serange, prefix): ++ def __add(self, name, roles, selevel, serange, prefix): + if is_mls_enabled == 1: + if serange == "": + serange = "s0" +@@ -580,8 +572,9 @@ + else: + selevel = untranslate(selevel) + +- seroles = " ".join(roles) +- try: ++ if len(roles) < 1: ++ raise ValueError(_("You must add at least one role for %s") % name) ++ + (rc,k) = semanage_user_key_create(self.sh, name) + if rc < 0: + raise ValueError(_("Could not create a key for %s") % name) +@@ -620,31 +613,29 @@ + if rc < 0: + raise ValueError(_("Could not extract key for %s") % name) + +- rc = semanage_begin_transaction(self.sh) +- if rc < 0: +- raise ValueError(_("Could not start semanage transaction")) +- + rc = semanage_user_modify_local(self.sh, k, u) + if rc < 0: + raise ValueError(_("Could not add SELinux user %s") % name) + +- rc = semanage_commit(self.sh) +- if rc < 0: +- raise ValueError(_("Could not add SELinux user %s") % name) ++ semanage_user_key_free(k) ++ semanage_user_free(u) + ++ def add(self, name, roles, selevel, serange, prefix): ++ seroles = " ".join(roles) ++ try: ++ self.begin() ++ self.__add( name, roles, selevel, serange, prefix) ++ self.commit() + except ValueError, error: + mylog.log(0,"add SELinux user record", name, name, seroles, serange) + raise error + + mylog.log(1,"add SELinux user record", name, name, seroles, serange) +- semanage_user_key_free(k) +- semanage_user_free(u) + +- def modify(self, name, roles = [], selevel = "", serange = "", prefix = ""): ++ def __modify(self, name, roles = [], selevel = "", serange = "", prefix = ""): + oldroles = "" + oldserange = "" + newroles = string.join(roles, ' '); +- try: + if prefix == "" and len(roles) == 0 and serange == "" and selevel == "": + if is_mls_enabled == 1: + raise ValueError(_("Requires prefix, roles, level or range")) +@@ -688,29 +677,27 @@ + if r not in rlist: + 
semanage_user_add_role(self.sh, u, r) + +- rc = semanage_begin_transaction(self.sh) +- if rc < 0: +- raise ValueError(_("Could not start semanage transaction")) +- + rc = semanage_user_modify_local(self.sh, k, u) + if rc < 0: + raise ValueError(_("Could not modify SELinux user %s") % name) + +- rc = semanage_commit(self.sh) +- if rc < 0: +- raise ValueError(_("Could not modify SELinux user %s") % name) +- +- except ValueError, error: +- mylog.log(0,"modify SELinux user record", name, "", newroles, serange, "", oldroles, oldserange) +- raise error ++ semanage_user_key_free(k) ++ semanage_user_free(u) + + mylog.log(1,"modify SELinux user record", name, "", newroles, serange, "", oldroles, oldserange) + +- semanage_user_key_free(k) +- semanage_user_free(u) + +- def delete(self, name): ++ def modify(self, name, roles = [], selevel = "", serange = "", prefix = ""): + try: ++ self.begin() ++ self.__modify(name, roles, selevel, serange, prefix) ++ self.commit() ++ ++ except ValueError, error: ++ mylog.log(0,"modify SELinux user record", name, "", " ".join(roles), serange, "", "", "") ++ raise error ++ ++ def __delete(self, name): + (rc,k) = semanage_user_key_create(self.sh, name) + if rc < 0: + raise ValueError(_("Could not create a key for %s") % name) +@@ -727,23 +714,23 @@ + if not exists: + raise ValueError(_("SELinux user %s is defined in policy, cannot be deleted") % name) + +- rc = semanage_begin_transaction(self.sh) +- if rc < 0: +- raise ValueError(_("Could not start semanage transaction")) +- + rc = semanage_user_del_local(self.sh, k) + if rc < 0: + raise ValueError(_("Could not delete SELinux user %s") % name) + +- rc = semanage_commit(self.sh) +- if rc < 0: +- raise ValueError(_("Could not delete SELinux user %s") % name) ++ semanage_user_key_free(k) ++ ++ def delete(self, name): ++ try: ++ self.begin() ++ self.__delete(name) ++ self.commit() ++ + except ValueError, error: + mylog.log(0,"delete SELinux user record", name) + raise error + + mylog.log(1,"delete 
SELinux user record", name) +- semanage_user_key_free(k) + + def get_all(self, locallist = 0): + ddict = {} +@@ -808,7 +795,7 @@ + raise ValueError(_("Could not create a key for %s/%s") % (proto, port)) + return ( k, proto_d, low, high ) + +- def add(self, port, proto, serange, type): ++ def __add(self, port, proto, serange, type): + if is_mls_enabled == 1: + if serange == "": + serange = "s0" +@@ -857,23 +844,20 @@ + if rc < 0: + raise ValueError(_("Could not set port context for %s/%s") % (proto, port)) + +- rc = semanage_begin_transaction(self.sh) +- if rc < 0: +- raise ValueError(_("Could not start semanage transaction")) +- + rc = semanage_port_modify_local(self.sh, k, p) + if rc < 0: + raise ValueError(_("Could not add port %s/%s") % (proto, port)) + +- rc = semanage_commit(self.sh) +- if rc < 0: +- raise ValueError(_("Could not add port %s/%s") % (proto, port)) +- + semanage_context_free(con) + semanage_port_key_free(k) + semanage_port_free(p) + +- def modify(self, port, proto, serange, setype): ++ def add(self, port, proto, serange, type): ++ self.begin() ++ self.__add(port, proto, serange, type) ++ self.commit() ++ ++ def __modify(self, port, proto, serange, setype): + if serange == "" and setype == "": + if is_mls_enabled == 1: + raise ValueError(_("Requires setype or serange")) +@@ -899,29 +883,24 @@ + if setype != "": + semanage_context_set_type(self.sh, con, setype) + +- rc = semanage_begin_transaction(self.sh) +- if rc < 0: +- raise ValueError(_("Could not start semanage transaction")) +- + rc = semanage_port_modify_local(self.sh, k, p) + if rc < 0: + raise ValueError(_("Could not modify port %s/%s") % (proto, port)) + +- rc = semanage_commit(self.sh) +- if rc < 0: +- raise ValueError(_("Could not modify port %s/%s") % (proto, port)) +- + semanage_port_key_free(k) + semanage_port_free(p) + ++ def modify(self, port, proto, serange, setype): ++ self.begin() ++ self.__modify(port, proto, serange, setype) ++ self.commit() ++ + def deleteall(self): + (rc, 
plist) = semanage_port_list_local(self.sh) + if rc < 0: + raise ValueError(_("Could not list the ports")) + +- rc = semanage_begin_transaction(self.sh) +- if rc < 0: +- raise ValueError(_("Could not start semanage transaction")) ++ self.begin() + + for port in plist: + proto = semanage_port_get_proto(port) +@@ -938,11 +917,9 @@ + raise ValueError(_("Could not delete the port %s") % port_str) + semanage_port_key_free(k) + +- rc = semanage_commit(self.sh) +- if rc < 0: +- raise ValueError(_("Could not delete the %s") % port_str) ++ self.commit() + +- def delete(self, port, proto): ++ def __delete(self, port, proto): + ( k, proto_d, low, high ) = self.__genkey(port, proto) + (rc,exists) = semanage_port_exists(self.sh, k) + if rc < 0: +@@ -956,20 +933,17 @@ + if not exists: + raise ValueError(_("Port %s/%s is defined in policy, cannot be deleted") % (proto, port)) + +- rc = semanage_begin_transaction(self.sh) +- if rc < 0: +- raise ValueError(_("Could not start semanage transaction")) +- + rc = semanage_port_del_local(self.sh, k) + if rc < 0: + raise ValueError(_("Could not delete port %s/%s") % (proto, port)) + +- rc = semanage_commit(self.sh) +- if rc < 0: +- raise ValueError(_("Could not delete port %s/%s") % (proto, port)) +- + semanage_port_key_free(k) + ++ def delete(self, port, proto): ++ self.begin() ++ self.__delete(port, proto) ++ self.commit() ++ + def get_all(self, locallist = 0): + ddict = {} + if locallist: +@@ -1035,7 +1009,7 @@ + def __init__(self, store = ""): + semanageRecords.__init__(self, store) + +- def add(self, interface, serange, ctype): ++ def __add(self, interface, serange, ctype): + if is_mls_enabled == 1: + if serange == "": + serange = "s0" +@@ -1089,23 +1063,20 @@ + if rc < 0: + raise ValueError(_("Could not set message context for %s") % interface) + +- rc = semanage_begin_transaction(self.sh) +- if rc < 0: +- raise ValueError(_("Could not start semanage transaction")) +- + rc = semanage_iface_modify_local(self.sh, k, iface) + if rc < 0: 
+ raise ValueError(_("Could not add interface %s") % interface) + +- rc = semanage_commit(self.sh) +- if rc < 0: +- raise ValueError(_("Could not add interface %s") % interface) +- + semanage_context_free(con) + semanage_iface_key_free(k) + semanage_iface_free(iface) + +- def modify(self, interface, serange, setype): ++ def add(self, interface, serange, ctype): ++ self.begin() ++ self.__add(interface, serange, ctype) ++ self.commit() ++ ++ def __modify(self, interface, serange, setype): + if serange == "" and setype == "": + raise ValueError(_("Requires setype or serange")) + +@@ -1130,22 +1101,19 @@ + if setype != "": + semanage_context_set_type(self.sh, con, setype) + +- rc = semanage_begin_transaction(self.sh) +- if rc < 0: +- raise ValueError(_("Could not start semanage transaction")) +- + rc = semanage_iface_modify_local(self.sh, k, iface) + if rc < 0: + raise ValueError(_("Could not modify interface %s") % interface) + +- rc = semanage_commit(self.sh) +- if rc < 0: +- raise ValueError(_("Could not modify interface %s") % interface) +- + semanage_iface_key_free(k) + semanage_iface_free(iface) + +- def delete(self, interface): ++ def modify(self, interface, serange, setype): ++ self.begin() ++ self.__modify(interface, serange, setype) ++ self.commit() ++ ++ def __delete(self, interface): + (rc,k) = semanage_iface_key_create(self.sh, interface) + if rc < 0: + raise ValueError(_("Could not create key for %s") % interface) +@@ -1162,20 +1130,17 @@ + if not exists: + raise ValueError(_("Interface %s is defined in policy, cannot be deleted") % interface) + +- rc = semanage_begin_transaction(self.sh) +- if rc < 0: +- raise ValueError(_("Could not start semanage transaction")) +- + rc = semanage_iface_del_local(self.sh, k) + if rc < 0: + raise ValueError(_("Could not delete interface %s") % interface) + +- rc = semanage_commit(self.sh) +- if rc < 0: +- raise ValueError(_("Could not delete interface %s") % interface) +- + semanage_iface_key_free(k) + ++ def 
delete(self, interface): ++ self.begin() ++ self.__delete(interface) ++ self.commit() ++ + def get_all(self, locallist = 0): + ddict = {} + if locallist: +@@ -1234,7 +1199,7 @@ + if target == "" or target.find("\n") >= 0: + raise ValueError(_("Invalid file specification")) + +- def add(self, target, type, ftype = "", serange = "", seuser = "system_u"): ++ def __add(self, target, type, ftype = "", serange = "", seuser = "system_u"): + self.validate(target) + + if is_mls_enabled == 1: +@@ -1275,24 +1240,22 @@ + + semanage_fcontext_set_type(fcontext, file_types[ftype]) + +- rc = semanage_begin_transaction(self.sh) +- if rc < 0: +- raise ValueError(_("Could not start semanage transaction")) +- + rc = semanage_fcontext_modify_local(self.sh, k, fcontext) + if rc < 0: + raise ValueError(_("Could not add file context for %s") % target) + +- rc = semanage_commit(self.sh) +- if rc < 0: +- raise ValueError(_("Could not add file context for %s") % target) +- + if type != "<>": + semanage_context_free(con) + semanage_fcontext_key_free(k) + semanage_fcontext_free(fcontext) + +- def modify(self, target, setype, ftype, serange, seuser): ++ ++ def add(self, target, type, ftype = "", serange = "", seuser = "system_u"): ++ self.begin() ++ self.__add(target, type, ftype, serange, seuser) ++ self.commit() ++ ++ def __modify(self, target, setype, ftype, serange, seuser): + if serange == "" and setype == "" and seuser == "": + raise ValueError(_("Requires setype, serange or seuser")) + self.validate(target) +@@ -1333,29 +1296,25 @@ + if rc < 0: + raise ValueError(_("Could not set file context for %s") % target) + +- rc = semanage_begin_transaction(self.sh) +- if rc < 0: +- raise ValueError(_("Could not start semanage transaction")) +- + rc = semanage_fcontext_modify_local(self.sh, k, fcontext) + if rc < 0: + raise ValueError(_("Could not modify file context for %s") % target) + +- rc = semanage_commit(self.sh) +- if rc < 0: +- raise ValueError(_("Could not modify file context for %s") % 
target) +- + semanage_fcontext_key_free(k) + semanage_fcontext_free(fcontext) + ++ def modify(self, target, setype, ftype, serange, seuser): ++ self.begin() ++ self.__modify(target, setype, ftype, serange, seuser) ++ self.commit() ++ ++ + def deleteall(self): + (rc, flist) = semanage_fcontext_list_local(self.sh) + if rc < 0: + raise ValueError(_("Could not list the file contexts")) + +- rc = semanage_begin_transaction(self.sh) +- if rc < 0: +- raise ValueError(_("Could not start semanage transaction")) ++ self.begin() + + for fcontext in flist: + target = semanage_fcontext_get_expr(fcontext) +@@ -1370,11 +1329,9 @@ + raise ValueError(_("Could not delete the file context %s") % target) + semanage_fcontext_key_free(k) + +- rc = semanage_commit(self.sh) +- if rc < 0: +- raise ValueError(_("Could not delete the file context %s") % target) ++ self.commit() + +- def delete(self, target, ftype): ++ def __delete(self, target, ftype): + (rc,k) = semanage_fcontext_key_create(self.sh, target, file_types[ftype]) + if rc < 0: + raise ValueError(_("Could not create a key for %s") % target) +@@ -1391,20 +1348,17 @@ + else: + raise ValueError(_("File context for %s is not defined") % target) + +- rc = semanage_begin_transaction(self.sh) +- if rc < 0: +- raise ValueError(_("Could not start semanage transaction")) +- + rc = semanage_fcontext_del_local(self.sh, k) + if rc < 0: + raise ValueError(_("Could not delete file context for %s") % target) + +- rc = semanage_commit(self.sh) +- if rc < 0: +- raise ValueError(_("Could not delete file context for %s") % target) +- + semanage_fcontext_key_free(k) + ++ def delete(self, target, ftype): ++ self.begin() ++ self.__delete( target, ftype) ++ self.commit() ++ + def get_all(self, locallist = 0): + l = [] + if locallist: +@@ -1486,9 +1440,8 @@ + + def modify(self, name, value=None, use_file=False): + +- rc = semanage_begin_transaction(self.sh) +- if rc < 0: +- raise ValueError(_("Could not start semanage transaction")) ++ self.begin() ++ + 
if use_file: + fd = open(name) + for b in fd.read().split("\n"): +@@ -1498,18 +1451,16 @@ + + try: + boolname, val = b.split("=") +- except ValueError, e: ++ except ValueError: + raise ValueError(_("Bad format %s: Record %s" % ( name, b) )) + self.__mod(boolname.strip(), val.strip()) + fd.close() + else: + self.__mod(name, value) + +- rc = semanage_commit(self.sh) +- if rc < 0: +- raise ValueError(_("Could not modify boolean %s") % name) ++ self.commit() + +- def delete(self, name): ++ def __delete(self, name): + + (rc,k) = semanage_bool_key_create(self.sh, name) + if rc < 0: +@@ -1526,42 +1477,30 @@ + if not exists: + raise ValueError(_("Boolean %s is defined in policy, cannot be deleted") % name) + +- rc = semanage_begin_transaction(self.sh) +- if rc < 0: +- raise ValueError(_("Could not start semanage transaction")) +- + rc = semanage_bool_del_local(self.sh, k) + if rc < 0: + raise ValueError(_("Could not delete boolean %s") % name) + +- rc = semanage_commit(self.sh) +- if rc < 0: +- raise ValueError(_("Could not delete boolean %s") % name) + semanage_bool_key_free(k) + ++ def delete(self, name): ++ self.begin() ++ self.__delete(name) ++ self.commit() ++ + def deleteall(self): + (rc, self.blist) = semanage_bool_list_local(self.sh) + if rc < 0: + raise ValueError(_("Could not list booleans")) + +- rc = semanage_begin_transaction(self.sh) +- if rc < 0: +- raise ValueError(_("Could not start semanage transaction")) ++ self.begin() + + for boolean in self.blist: + name = semanage_bool_get_name(boolean) +- (rc,k) = semanage_bool_key_create(self.sh, name) +- if rc < 0: +- raise ValueError(_("Could not create a key for %s") % name) ++ self.__delete(name) + +- rc = semanage_bool_del_local(self.sh, k) +- if rc < 0: +- raise ValueError(_("Could not delete boolean %s") % name) +- semanage_bool_key_free(k) ++ self.commit() + +- rc = semanage_commit(self.sh) +- if rc < 0: +- raise ValueError(_("Could not delete boolean %s") % name) + def get_all(self, locallist = 0): + ddict 
= {}
+ if locallist:
diff --git a/policycoreutils.spec b/policycoreutils.spec
index 8b89c43..164f05a 100644
--- a/policycoreutils.spec
+++ b/policycoreutils.spec
@@ -6,7 +6,7 @@
 Summary: SELinux policy core utilities
 Name: policycoreutils
 Version: 2.0.54
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz
@@ -192,6 +192,9 @@ if [ "$1" -ge "1" ]; then fi %changelog
+* Wed Aug 6 2008 Dan Walsh 2.0.54-2
+- Allow multiple transactions in one semanage command
+
 * Tue Aug 5 2008 Dan Walsh 2.0.54-1
 - Update to upstream
 * Add support for boolean files and group support for seusers from Dan Walsh.