diff --git a/policycoreutils-rhat.patch b/policycoreutils-rhat.patch index 6336ce2..0232668 100644 --- a/policycoreutils-rhat.patch +++ b/policycoreutils-rhat.patch @@ -1,13 +1,24 @@ -diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/audit2allow/audit2allow policycoreutils-2.0.84/audit2allow/audit2allow ---- nsapolicycoreutils/audit2allow/audit2allow 2010-05-19 14:45:51.000000000 -0400 -+++ policycoreutils-2.0.84/audit2allow/audit2allow 2010-11-30 11:57:21.000000000 -0500 +diff --git a/policycoreutils/Makefile b/policycoreutils/Makefile +index 86ed03f..67d0ee8 100644 +--- a/policycoreutils/Makefile ++++ b/policycoreutils/Makefile +@@ -1,4 +1,4 @@ +-SUBDIRS = setfiles semanage load_policy newrole run_init sandbox secon audit2allow audit2why scripts sestatus semodule_package semodule semodule_link semodule_expand semodule_deps setsebool po ++SUBDIRS = setfiles semanage semanage/default_encoding load_policy newrole run_init sandbox secon audit2allow audit2why scripts sestatus semodule_package semodule semodule_link semodule_expand semodule_deps sepolgen-ifgen setsebool po gui + + INOTIFYH = $(shell ls /usr/include/sys/inotify.h 2>/dev/null) + +diff --git a/policycoreutils/audit2allow/audit2allow b/policycoreutils/audit2allow/audit2allow +index 5435e9d..fddcdaa 100644 +--- a/policycoreutils/audit2allow/audit2allow ++++ b/policycoreutils/audit2allow/audit2allow @@ -1,4 +1,4 @@ -#! /usr/bin/python -E +#! /usr/bin/python -Es # Authors: Karl MacMillan # # Copyright (C) 2006-2007 Red Hat -@@ -28,6 +28,7 @@ +@@ -28,6 +28,7 @@ import sepolgen.objectmodel as objectmodel import sepolgen.defaults as defaults import sepolgen.module as module from sepolgen.sepolgeni18n import _ 
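Review bot: The relocated top-level Makefile hunk sets SUBDIRS to include `sepolgen-ifgen` and `gui` as subdirectories, but nothing in the visible part of the patch adds a Makefile under `policycoreutils/sepolgen-ifgen/` or `policycoreutils/gui/` (the only sepolgen-ifgen change shown is to the script `audit2allow/sepolgen-ifgen`). If those directories come from somewhere other than this patch, a one-line comment above the assignment naming that source would stop the next rebase from tripping over it; if they do not, the recursive build fails on the first missing directory. The same applies to `semanage/default_encoding`, which likewise has no visible section here. This hunk's content is moved rather than new, so the concern predates the commit.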
@@ -15,7 +26,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po class AuditToPolicy: VERSION = "%prog .1" -@@ -46,6 +47,7 @@ +@@ -46,6 +47,7 @@ class AuditToPolicy: help="audit messages since last boot conflicts with -i") parser.add_option("-a", "--all", action="store_true", dest="audit", default=False, help="read input from audit log - conflicts with -i") @@ -23,7 +34,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po parser.add_option("-d", "--dmesg", action="store_true", dest="dmesg", default=False, help="read input from dmesg - conflicts with --all and --input") parser.add_option("-i", "--input", dest="input", -@@ -231,63 +233,44 @@ +@@ -231,63 +233,44 @@ class AuditToPolicy: def __output_audit2why(self): import selinux @@ -99,7 +110,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po print "\t\tMissing role allow rule.\n" print "\t\tAdd an allow rule for the role pair.\n" continue -@@ -350,11 +333,19 @@ +@@ -350,11 +333,19 @@ class AuditToPolicy: def main(self): try: self.__parse_options() @@ -119,9 +130,10 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po if __name__ == "__main__": app = AuditToPolicy() -diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/audit2allow/audit2allow.1 policycoreutils-2.0.84/audit2allow/audit2allow.1 ---- nsapolicycoreutils/audit2allow/audit2allow.1 2010-05-19 14:45:51.000000000 -0400 -+++ policycoreutils-2.0.84/audit2allow/audit2allow.1 2010-11-30 11:57:21.000000000 -0500 +diff --git a/policycoreutils/audit2allow/audit2allow.1 b/policycoreutils/audit2allow/audit2allow.1 +index 6178cc8..b6f386d 100644 +--- a/policycoreutils/audit2allow/audit2allow.1 ++++ b/policycoreutils/audit2allow/audit2allow.1 @@ -1,5 +1,6 @@ .\" Hey, Emacs! This is an -*- nroff -*- source file. .\" Copyright (c) 2005 Manoj Srivastava 
@@ -138,7 +150,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po .SH NAME .BR audit2allow \- generate SELinux policy allow/dontaudit rules from logs of denied operations -@@ -66,6 +67,9 @@ +@@ -66,6 +67,9 @@ Generate module/require output .B "\-M " Generate loadable module package, conflicts with -o .TP @@ -148,7 +160,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po .B "\-o " | "\-\-output " append output to .I -@@ -117,14 +121,6 @@ +@@ -117,14 +121,6 @@ an 'allow' rule. .B Please substitute /var/log/messages for /var/log/audit/audit.log in the .B examples. .PP @@ -163,7 +175,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po .B Using audit2allow to generate module policy $ cat /var/log/audit/audit.log | audit2allow -m local > local.te -@@ -132,20 +128,38 @@ +@@ -132,20 +128,38 @@ $ cat local.te module local 1.0; require { @@ -208,7 +220,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po .B Building module policy manually # Compile the module -@@ -168,6 +182,14 @@ +@@ -168,6 +182,14 @@ you are required to execute semodule -i local.pp @@ -223,9 +235,10 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po .fi .PP .SH AUTHOR -diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/audit2allow/sepolgen-ifgen policycoreutils-2.0.84/audit2allow/sepolgen-ifgen ---- nsapolicycoreutils/audit2allow/sepolgen-ifgen 2010-05-19 14:45:51.000000000 -0400 -+++ policycoreutils-2.0.84/audit2allow/sepolgen-ifgen 2010-11-30 11:57:21.000000000 -0500 +diff --git a/policycoreutils/audit2allow/sepolgen-ifgen b/policycoreutils/audit2allow/sepolgen-ifgen +index 03f95a1..5986b23 100644 +--- a/policycoreutils/audit2allow/sepolgen-ifgen ++++ b/policycoreutils/audit2allow/sepolgen-ifgen @@ -1,4 +1,4 @@ -#! /usr/bin/python -E +#! /usr/bin/python -Es 
@@ -243,7 +256,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po import sepolgen.refparser as refparser import sepolgen.defaults as defaults -@@ -35,6 +39,7 @@ +@@ -35,6 +39,7 @@ import sepolgen.interfaces as interfaces VERSION = "%prog .1" @@ -251,7 +264,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po def parse_options(): from optparse import OptionParser -@@ -44,14 +49,43 @@ +@@ -44,14 +49,43 @@ def parse_options(): help="filename to store output") parser.add_option("-i", "--interfaces", dest="headers", default=defaults.headers(), help="location of the interface header files") @@ -295,7 +308,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po def main(): options = parse_options() -@@ -68,6 +102,14 @@ +@@ -68,6 +102,14 @@ def main(): else: log = None @@ -310,7 +323,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po try: headers = refparser.parse_headers(options.headers, output=log, debug=options.debug) except ValueError, e: -@@ -76,7 +118,7 @@ +@@ -76,7 +118,7 @@ def main(): return 1 if_set = interfaces.InterfaceSet(output=log) @@ -319,22 +332,16 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po if_set.to_file(f) f.close() -diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/load_policy/load_policy.c policycoreutils-2.0.84/load_policy/load_policy.c ---- nsapolicycoreutils/load_policy/load_policy.c 2010-05-19 14:45:51.000000000 -0400 -+++ policycoreutils-2.0.84/load_policy/load_policy.c 2010-11-30 11:57:21.000000000 -0500 +diff --git a/policycoreutils/load_policy/load_policy.c b/policycoreutils/load_policy/load_policy.c +index 47d9b0f..566565f 100644 +--- a/policycoreutils/load_policy/load_policy.c ++++ b/policycoreutils/load_policy/load_policy.c 
@@ -1,3 +1,4 @@ +#define _GNU_SOURCE #include #include #include -@@ -17,12 +18,21 @@ - #define PACKAGE "policycoreutils" /* the name of this package lang translation */ - #endif - -+ - void usage(char *progname) - { - fprintf(stderr, _("usage: %s [-qi]\n"), progname); +@@ -23,6 +24,14 @@ void usage(char *progname) exit(1); } @@ -349,7 +356,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po int main(int argc, char **argv) { int ret, opt, quiet = 0, nargs, init=0, enforce=0; -@@ -64,6 +74,7 @@ +@@ -64,6 +73,7 @@ int main(int argc, char **argv) "%s: Warning! Boolean file argument (%s) is no longer supported, installed booleans file is always used. Continuing...\n", argv[0], argv[optind++]); } @@ -357,7 +364,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po if (init) { if (is_selinux_enabled() == 1) { /* SELinux is already enabled, we should not do an initial load again */ -@@ -76,9 +87,11 @@ +@@ -76,9 +86,11 @@ int main(int argc, char **argv) if (ret != 0 ) { if (enforce > 0) { /* SELinux in enforcing mode but load_policy failed */ @@ -371,7 +378,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po exit(3); } } -@@ -86,9 +99,16 @@ +@@ -86,9 +98,16 @@ int main(int argc, char **argv) else { ret = selinux_mkload_policy(1); } 
@@ -391,19 +398,11 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po exit(2); } exit(0); -diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/Makefile policycoreutils-2.0.84/Makefile ---- nsapolicycoreutils/Makefile 2010-06-16 08:03:38.000000000 -0400 -+++ policycoreutils-2.0.84/Makefile 2010-11-30 11:57:21.000000000 -0500 -@@ -1,4 +1,4 @@ --SUBDIRS = setfiles semanage load_policy newrole run_init sandbox secon audit2allow audit2why scripts sestatus semodule_package semodule semodule_link semodule_expand semodule_deps setsebool po -+SUBDIRS = setfiles semanage semanage/default_encoding load_policy newrole run_init sandbox secon audit2allow audit2why scripts sestatus semodule_package semodule semodule_link semodule_expand semodule_deps sepolgen-ifgen setsebool po gui - - INOTIFYH = $(shell ls /usr/include/sys/inotify.h 2>/dev/null) - -diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/newrole/Makefile policycoreutils-2.0.84/newrole/Makefile ---- nsapolicycoreutils/newrole/Makefile 2010-05-19 14:45:51.000000000 -0400 -+++ policycoreutils-2.0.84/newrole/Makefile 2010-11-30 11:57:21.000000000 -0500 -@@ -50,7 +50,7 @@ +diff --git a/policycoreutils/newrole/Makefile b/policycoreutils/newrole/Makefile +index 6c19bd1..bd8e7a7 100644 +--- a/policycoreutils/newrole/Makefile ++++ b/policycoreutils/newrole/Makefile +@@ -50,7 +50,7 @@ ifeq (${NAMESPACE_PRIV},y) endif ifeq (${IS_SUID},y) MODE := 4555 
@@ -412,9 +411,10 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po else MODE := 0555 endif -diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/newrole/newrole.c policycoreutils-2.0.84/newrole/newrole.c ---- nsapolicycoreutils/newrole/newrole.c 2010-05-19 14:45:51.000000000 -0400 -+++ policycoreutils-2.0.84/newrole/newrole.c 2010-11-30 11:57:21.000000000 -0500 +diff --git a/policycoreutils/newrole/newrole.c b/policycoreutils/newrole/newrole.c +index d191be6..071b393 100644 +--- a/policycoreutils/newrole/newrole.c ++++ b/policycoreutils/newrole/newrole.c @@ -77,7 +77,7 @@ #endif #if defined(AUDIT_LOG_PRIV) || (NAMESPACE_PRIV) @@ -434,7 +434,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po /* USAGE_STRING describes the command-line args of this program. */ #define USAGE_STRING "USAGE: newrole [ -r role ] [ -t type ] [ -l level ] [ -p ] [ -V ] [ -- args ]" -@@ -538,69 +541,23 @@ +@@ -538,69 +541,23 @@ static int restore_environment(int preserve_environment, * Returns zero on success, non-zero otherwise */ #if defined(AUDIT_LOG_PRIV) && !defined(NAMESPACE_PRIV) @@ -514,7 +514,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po } #elif defined(NAMESPACE_PRIV) /** -@@ -616,50 +573,25 @@ +@@ -616,50 +573,25 @@ static int drop_capabilities(void) * * Returns zero on success, non-zero otherwise */ @@ -577,7 +577,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po { return 0; } -@@ -1098,7 +1030,7 @@ +@@ -1098,7 +1030,7 @@ int main(int argc, char *argv[]) * if it makes sense to continue to run newrole, and setting up * a scrubbed environment. */ 
@@ -586,7 +586,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po return -1; if (set_signal_handles()) return -1; -@@ -1334,11 +1266,15 @@ +@@ -1334,11 +1266,15 @@ int main(int argc, char *argv[]) if (send_audit_message(1, old_context, new_context, ttyn)) goto err_close_pam_session; @@ -602,9 +602,10 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po /* Handle environment changes */ if (restore_environment(preserve_environment, old_environ, &pw)) { fprintf(stderr, _("Unable to restore the environment, " -diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/Makefile policycoreutils-2.0.84/restorecond/Makefile ---- nsapolicycoreutils/restorecond/Makefile 2010-05-19 14:45:51.000000000 -0400 -+++ policycoreutils-2.0.84/restorecond/Makefile 2010-11-30 11:57:21.000000000 -0500 +diff --git a/policycoreutils/restorecond/Makefile b/policycoreutils/restorecond/Makefile +index 3f235e6..7552668 100644 +--- a/policycoreutils/restorecond/Makefile ++++ b/policycoreutils/restorecond/Makefile @@ -1,17 +1,28 @@ # Installation directories. PREFIX ?= ${DESTDIR}/usr @@ -637,7 +638,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po $(CC) $(LDFLAGS) -o $@ $^ $(LDLIBS) install: all -@@ -22,7 +33,12 @@ +@@ -22,7 +33,12 @@ install: all -mkdir -p $(INITDIR) install -m 755 restorecond.init $(INITDIR)/restorecond -mkdir -p $(SELINUXDIR) 
@@ -651,16 +652,19 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po relabel: install /sbin/restorecon $(SBINDIR)/restorecond -diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/org.selinux.Restorecond.service policycoreutils-2.0.84/restorecond/org.selinux.Restorecond.service ---- nsapolicycoreutils/restorecond/org.selinux.Restorecond.service 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.84/restorecond/org.selinux.Restorecond.service 2010-11-30 11:57:21.000000000 -0500 +diff --git a/policycoreutils/restorecond/org.selinux.Restorecond.service b/policycoreutils/restorecond/org.selinux.Restorecond.service +new file mode 100644 +index 0000000..0ef5f0b +--- /dev/null ++++ b/policycoreutils/restorecond/org.selinux.Restorecond.service @@ -0,0 +1,3 @@ +[D-BUS Service] +Name=org.selinux.Restorecond +Exec=/usr/sbin/restorecond -u -diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.8 policycoreutils-2.0.84/restorecond/restorecond.8 ---- nsapolicycoreutils/restorecond/restorecond.8 2010-05-19 14:45:51.000000000 -0400 -+++ policycoreutils-2.0.84/restorecond/restorecond.8 2010-11-30 11:57:21.000000000 -0500 +diff --git a/policycoreutils/restorecond/restorecond.8 b/policycoreutils/restorecond/restorecond.8 +index b149dcb..0c14c94 100644 +--- a/policycoreutils/restorecond/restorecond.8 ++++ b/policycoreutils/restorecond/restorecond.8 @@ -3,7 +3,7 @@ restorecond \- daemon that watches for file creation and then sets the default SELinux file context @@ -670,7 +674,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po .P .SH "DESCRIPTION" -@@ -19,13 +19,22 @@ +@@ -19,13 +19,22 @@ the correct file context associated with the policy. .B \-d Turns on debugging mode. Application will stay in the foreground and lots of debugs messages start printing. 
@@ -695,9 +699,10 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po .SH "SEE ALSO" .BR restorecon (8), -diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.c policycoreutils-2.0.84/restorecond/restorecond.c ---- nsapolicycoreutils/restorecond/restorecond.c 2010-05-19 14:45:51.000000000 -0400 -+++ policycoreutils-2.0.84/restorecond/restorecond.c 2010-11-30 11:57:21.000000000 -0500 +diff --git a/policycoreutils/restorecond/restorecond.c b/policycoreutils/restorecond/restorecond.c +index 58774e6..77c8013 100644 +--- a/policycoreutils/restorecond/restorecond.c ++++ b/policycoreutils/restorecond/restorecond.c @@ -30,9 +30,11 @@ * and makes sure that there security context matches the systems defaults * @@ -739,7 +744,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po - -#include -#include - +- -/* size of the event structure, not counting name */ -#define EVENT_SIZE (sizeof (struct inotify_event)) -/* reasonable guess as to size of 1024 events */ @@ -824,11 +829,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po - } - firstDir = NULL; -} -+static char *server_watch_file = "/etc/selinux/restorecond.conf"; -+static char *user_watch_file = "/etc/selinux/restorecond_user.conf"; -+static char *watch_file; -+static struct restore_opts r_opts; - +- -/* - Set the file context to the default file context for this system. - Same as restorecon. @@ -937,7 +938,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po - } - free(line_buf); -} -- + -/* - Read config file ignoring Comment lines - Files specified one per line. Files with "~" will be expanded to the logged in users 
@@ -966,8 +967,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po - if (master_wd == -1) - exitApp("Error watching config file."); -} -+#include - +- -/* - Inotify watch loop -*/ @@ -1001,11 +1001,16 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po - if (event->len) - watch_list_find(event->wd, event->name); - break; -- ++static char *server_watch_file = "/etc/selinux/restorecond.conf"; ++static char *user_watch_file = "/etc/selinux/restorecond_user.conf"; ++static char *watch_file; ++static struct restore_opts r_opts; + - case 1: /* utmp has changed need to reload */ - read_config(fd); - break; -- ++#include + - default: /* No users logged in or out */ - break; - } @@ -1026,7 +1031,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po } static const char *pidfile = "/var/run/restorecond.pid"; -@@ -374,7 +120,7 @@ +@@ -374,7 +120,7 @@ static void term_handler() static void usage(char *program) { @@ -1035,7 +1040,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po exit(0); } -@@ -390,74 +136,35 @@ +@@ -390,74 +136,35 @@ void exitApp(const char *msg) to see if it is one that we are watching. */ @@ -1134,7 +1139,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po /* Register sighandlers */ sa.sa_flags = 0; -@@ -467,36 +174,56 @@ +@@ -467,36 +174,56 @@ int main(int argc, char **argv) set_matchpathcon_flags(MATCHPATHCON_NOTRANS); 
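Review bot: In the `@@ -1001,11 +1001,16 @@` hunk the three path pointers are declared `static char *` but only ever initialised from string literals, while `pidfile` a few lines below in the same file is already `static const char *`; for consistency and so the literals cannot be written through, declare them `static const char *server_watch_file = "/etc/selinux/restorecond.conf";` and `static const char *user_watch_file = "/etc/selinux/restorecond_user.conf";`, and `static const char *watch_file;` if it is only ever pointed at one of the two (its assignment is not visible here). The `++#include` that now lands directly after `r_opts`, mid-file and below variable definitions, reads as an accident of the rebase; the header name is not visible in this rendering, but it belongs with the include block at the top of the file. The enclosing code starts and ends outside the hunk.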
@@ -1200,9 +1205,10 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po if (pidfile) unlink(pidfile); -diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.conf policycoreutils-2.0.84/restorecond/restorecond.conf ---- nsapolicycoreutils/restorecond/restorecond.conf 2010-05-19 14:45:51.000000000 -0400 -+++ policycoreutils-2.0.84/restorecond/restorecond.conf 2010-11-30 11:57:21.000000000 -0500 +diff --git a/policycoreutils/restorecond/restorecond.conf b/policycoreutils/restorecond/restorecond.conf +index 3fc9376..58b723a 100644 +--- a/policycoreutils/restorecond/restorecond.conf ++++ b/policycoreutils/restorecond/restorecond.conf @@ -4,8 +4,5 @@ /etc/mtab /var/run/utmp @@ -1213,9 +1219,11 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po /root/.ssh/* - - -diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.desktop policycoreutils-2.0.84/restorecond/restorecond.desktop ---- nsapolicycoreutils/restorecond/restorecond.desktop 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.84/restorecond/restorecond.desktop 2010-11-30 11:57:21.000000000 -0500 +diff --git a/policycoreutils/restorecond/restorecond.desktop b/policycoreutils/restorecond/restorecond.desktop +new file mode 100644 +index 0000000..23ff89d +--- /dev/null ++++ b/policycoreutils/restorecond/restorecond.desktop @@ -0,0 +1,7 @@ +[Desktop Entry] +Name=File Context maintainer 
@@ -1224,9 +1232,10 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po +Encoding=UTF-8 +Type=Application +StartupNotify=false -diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.h policycoreutils-2.0.84/restorecond/restorecond.h ---- nsapolicycoreutils/restorecond/restorecond.h 2010-05-19 14:45:51.000000000 -0400 -+++ policycoreutils-2.0.84/restorecond/restorecond.h 2010-11-30 11:57:21.000000000 -0500 +diff --git a/policycoreutils/restorecond/restorecond.h b/policycoreutils/restorecond/restorecond.h +index e1666bf..8c85ef0 100644 +--- a/policycoreutils/restorecond/restorecond.h ++++ b/policycoreutils/restorecond/restorecond.h @@ -24,7 +24,22 @@ #ifndef RESTORED_CONFIG_H #define RESTORED_CONFIG_H @@ -1252,10 +1261,11 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po +extern int watch_list_isempty(); #endif -diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.init policycoreutils-2.0.84/restorecond/restorecond.init ---- nsapolicycoreutils/restorecond/restorecond.init 2010-05-19 14:45:51.000000000 -0400 -+++ policycoreutils-2.0.84/restorecond/restorecond.init 2010-11-30 11:57:21.000000000 -0500 -@@ -26,7 +26,7 @@ +diff --git a/policycoreutils/restorecond/restorecond.init b/policycoreutils/restorecond/restorecond.init +index b966db6..775c52b 100644 +--- a/policycoreutils/restorecond/restorecond.init ++++ b/policycoreutils/restorecond/restorecond.init +@@ -26,7 +26,7 @@ PATH=/sbin:/bin:/usr/bin:/usr/sbin # Source function library. . /etc/rc.d/init.d/functions @@ -1264,7 +1274,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po # Check that we are root ... so non-root users stop here test $EUID = 0 || exit 4 -@@ -75,16 +75,15 @@ +@@ -75,16 +75,15 @@ case "$1" in status restorecond RETVAL=$? ;; 
@@ -1283,15 +1293,19 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po exit $RETVAL - -diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond_user.conf policycoreutils-2.0.84/restorecond/restorecond_user.conf ---- nsapolicycoreutils/restorecond/restorecond_user.conf 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.84/restorecond/restorecond_user.conf 2010-11-30 11:57:21.000000000 -0500 +diff --git a/policycoreutils/restorecond/restorecond_user.conf b/policycoreutils/restorecond/restorecond_user.conf +new file mode 100644 +index 0000000..d97bc72 +--- /dev/null ++++ b/policycoreutils/restorecond/restorecond_user.conf @@ -0,0 +1,2 @@ +~/* +~/public_html/* -diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/user.c policycoreutils-2.0.84/restorecond/user.c ---- nsapolicycoreutils/restorecond/user.c 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.84/restorecond/user.c 2010-11-30 11:57:21.000000000 -0500 +diff --git a/policycoreutils/restorecond/user.c b/policycoreutils/restorecond/user.c +new file mode 100644 +index 0000000..272479a +--- /dev/null ++++ b/policycoreutils/restorecond/user.c @@ -0,0 +1,239 @@ +/* + * restorecond 
@@ -1532,10 +1546,11 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po + return 0; +} + -diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/utmpwatcher.c policycoreutils-2.0.84/restorecond/utmpwatcher.c ---- nsapolicycoreutils/restorecond/utmpwatcher.c 2010-05-19 14:45:51.000000000 -0400 -+++ policycoreutils-2.0.84/restorecond/utmpwatcher.c 2010-11-30 11:57:21.000000000 -0500 -@@ -72,8 +72,8 @@ +diff --git a/policycoreutils/restorecond/utmpwatcher.c b/policycoreutils/restorecond/utmpwatcher.c +index f182c22..feddb5a 100644 +--- a/policycoreutils/restorecond/utmpwatcher.c ++++ b/policycoreutils/restorecond/utmpwatcher.c +@@ -72,8 +72,8 @@ unsigned int utmpwatcher_handle(int inotify_fd, int wd) if (utmp_wd == -1) exitApp("Error watching utmp file."); @@ -1545,9 +1560,11 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po strings_list_free(prev_utmp_ptr); } return changed; -diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/watch.c policycoreutils-2.0.84/restorecond/watch.c ---- nsapolicycoreutils/restorecond/watch.c 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.84/restorecond/watch.c 2010-11-30 11:57:21.000000000 -0500 +diff --git a/policycoreutils/restorecond/watch.c b/policycoreutils/restorecond/watch.c +new file mode 100644 +index 0000000..ab67a02 +--- /dev/null ++++ b/policycoreutils/restorecond/watch.c @@ -0,0 +1,260 @@ +#define _GNU_SOURCE +#include 
@@ -1809,107 +1826,11 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po + if (master_wd == -1) + exitApp("Error watching config file."); +} -diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/deliverables/basicwrapper policycoreutils-2.0.84/sandbox/deliverables/basicwrapper ---- nsapolicycoreutils/sandbox/deliverables/basicwrapper 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.84/sandbox/deliverables/basicwrapper 2010-11-30 11:57:21.000000000 -0500 -@@ -0,0 +1,4 @@ -+import os, sys -+SANDBOX_ARGS = ['-f%s' % os.environ['_CONDOR_SCRATCH_DIR']] -+SANDBOX_ARGS.extend(sys.argv[1::]) -+os.execv('/usr/bin/sandbox',SANDBOX_ARGS) -diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/deliverables/README policycoreutils-2.0.84/sandbox/deliverables/README ---- nsapolicycoreutils/sandbox/deliverables/README 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.84/sandbox/deliverables/README 2010-11-30 11:57:21.000000000 -0500 -@@ -0,0 +1,32 @@ -+Files: -+run-in-sandbox.py: -+ adds the run in sandbox extension to nautilus -+ copy to .nautilus/python-extensions -+ yum install nautilus-python -+ -+sandbox: -+ adds support for file checking, This was working I don't know why it didn't at that presentation -+ adds support for file relabeling, This is/was also working. -+ -+basicwrapper: -+ This is pretty much the most basic condor wrapper you can create, it requires the -f option in sandbox. Also I can't make this work, maybe the grid team will have more luck. -+ -+Other: -+Xguest Live cd: -+ There's a tutorial on live cds here: http://www.ibm.com/developerworks/library/l-fedora-livecd/index.html?ca=dgr-lnxw16FedoraLiveCD -+ It looks like David Zeuthen is head guy in the live cd department, he might be worth talking to. 
-+ -+System-config-selinux: -+ wiki: fedorahosted.org/system-config-selinux -+ realeases: fedorahosted.org/releases/s/y/system-config-selinux/ includes a spec,srpm, and tarball of current version -+ The project is technically owned by Roman Rakus (rrakus@redhat.com) I've sent him an email asking him to make you a git contributor. -+ I'll continue making updates to this and make sure it gets into the repos. -+ -+Assuming I don't get to keep my RedHat email you can contact me: -+email: chris.pardy@gmail.com -+phone: 1-207-838-7119 -+ -+I'll probably continue to be on the #fedora-selinux and #selinux irc channels -+ -+Thanks for a great summer. -+Chris Pardy -diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/deliverables/run-in-sandbox.py policycoreutils-2.0.84/sandbox/deliverables/run-in-sandbox.py ---- nsapolicycoreutils/sandbox/deliverables/run-in-sandbox.py 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.84/sandbox/deliverables/run-in-sandbox.py 2010-11-30 11:57:21.000000000 -0500 -@@ -0,0 +1,49 @@ -+import os -+import os.path -+import urllib -+ -+import nautilus -+import gtk -+import gconf -+ -+class RunInSandboxExtension(nautilus.MenuProvider): -+ def __init__(self): -+ self.client = gconf.client_get_default() -+ -+ def sandbox_init(self,file,path): -+ if os.path.basename(path).endswith('.desktop'): -+ import re -+ f = open(path,'r') -+ for i in f.readlines(): -+ m = re.match(r'Exec=(?P\S+)',i) -+ if m: -+ path = m.group('name') -+ f.close() -+ break -+ os.system('/usr/bin/sandbox -X %s &' % path) -+ -+ def get_file_items(self, window, files): -+ if len(files) != 1: -+ return -+ -+ file = files[0] -+ -+ if file.is_directory(): -+ return -+ -+ if file.get_uri_scheme() != 'file': -+ return -+ -+ path = file.get_uri().replace('file://','',1) -+ if not os.access(path,os.X_OK): -+ return -+ -+ path = os.path.realpath(path) -+ -+ item = 
nautilus.MenuItem('NautilusPython::openterminal_file_items','Run In Sandbox','Run %s in Sandbox' % file.get_name()) -+ item.connect('activate',self.sandbox_init,path) -+ return item, -+ -+ def get_background_items(self, window, file): -+ return -+ -diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/Makefile policycoreutils-2.0.84/sandbox/Makefile ---- nsapolicycoreutils/sandbox/Makefile 2010-06-16 08:03:38.000000000 -0400 -+++ policycoreutils-2.0.84/sandbox/Makefile 2010-11-30 11:57:21.000000000 -0500 -@@ -7,8 +7,8 @@ +diff --git a/policycoreutils/sandbox/Makefile b/policycoreutils/sandbox/Makefile +index ff0ee7c..0c8a085 100644 +--- a/policycoreutils/sandbox/Makefile ++++ b/policycoreutils/sandbox/Makefile +@@ -7,10 +7,10 @@ SBINDIR ?= $(PREFIX)/sbin MANDIR ?= $(PREFIX)/share/man LOCALEDIR ?= /usr/share/locale SHAREDIR ?= $(PREFIX)/share/sandbox @@ -1918,9 +1839,12 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po +override CFLAGS += $(LDFLAGS) -I$(PREFIX)/include -DPACKAGE="\"policycoreutils\"" -Wall -Werror -Wextra +LDLIBS += -lcgroup -lselinux -lcap-ng - all: sandbox seunshare sandboxX.sh +-all: sandbox seunshare sandboxX.sh ++all: sandbox seunshare sandboxX.sh start -@@ -20,6 +20,9 @@ + seunshare: seunshare.o $(EXTRA_OBJS) + $(CC) $(LDFLAGS) -o $@ $^ $(LDLIBS) +@@ -20,14 +20,18 @@ install: all install -m 755 sandbox $(BINDIR) -mkdir -p $(MANDIR)/man8 install -m 644 sandbox.8 $(MANDIR)/man8/ @@ -1930,7 +1854,8 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -mkdir -p $(SBINDIR) install -m 4755 seunshare $(SBINDIR)/ -mkdir -p $(SHAREDIR) -@@ -27,7 +30,7 @@ + install -m 755 sandboxX.sh $(SHAREDIR) ++ install -m 755 start $(SHAREDIR) -mkdir -p $(INITDIR) install -m 755 sandbox.init $(INITDIR)/sandbox -mkdir -p $(SYSCONFDIR) 
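Review bot: `start` is added to the `all:` prerequisites and installed with `install -m 755 start $(SHAREDIR)`, yet no rule builds it and no `diff --git .../sandbox/start` section appears in the visible part of the patch; if the file is not added elsewhere in the patch, `make all` stops with no rule to make target `start`. Since it is installed executable into `$(SHAREDIR)` next to `sandboxX.sh`, it is presumably a script that needs no build step, in which case listing it under `all:` is unnecessary and `all: sandbox seunshare sandboxX.sh` can stay as it was while the install line remains. If it is generated, the missing rule is the defect to fix.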
@@ -1939,9 +1864,10 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po test: @python test_sandbox.py -v -diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/sandbox policycoreutils-2.0.84/sandbox/sandbox ---- nsapolicycoreutils/sandbox/sandbox 2010-06-16 08:03:38.000000000 -0400 -+++ policycoreutils-2.0.84/sandbox/sandbox 2010-11-30 12:08:16.000000000 -0500 +diff --git a/policycoreutils/sandbox/sandbox b/policycoreutils/sandbox/sandbox +index 48a26c2..224b9d1 100644 +--- a/policycoreutils/sandbox/sandbox ++++ b/policycoreutils/sandbox/sandbox @@ -1,5 +1,6 @@ -#! /usr/bin/python -E +#! /usr/bin/python -Es @@ -1971,7 +1897,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po import gettext gettext.bindtextdomain(PROGNAME, "/usr/share/locale") gettext.textdomain(PROGNAME) -@@ -41,6 +45,7 @@ +@@ -41,6 +45,7 @@ except IOError: import __builtin__ __builtin__.__dict__['_'] = unicode @@ -1979,7 +1905,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po DEFAULT_TYPE = "sandbox_t" DEFAULT_X_TYPE = "sandbox_x_t" SAVE_FILES = {} -@@ -63,15 +68,15 @@ +@@ -63,15 +68,15 @@ def error_exit(msg): sys.stderr.flush() sys.exit(1) @@ -1999,7 +1925,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po if not os.path.exists(newdir): os.makedirs(newdir) dest = newdir + "/" + bname -@@ -81,9 +86,10 @@ +@@ -81,9 +86,10 @@ def copyfile(file, dir, dest): shutil.copytree(file, dest) else: shutil.copy2(file, dest) @@ -2012,7 +1938,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po SAVE_FILES[file] = (dest, os.path.getmtime(dest)) -@@ -161,10 +167,10 @@ +@@ -161,10 +167,10 @@ class Sandbox: if not self.__options.homedir or not self.__options.tmpdir: self.usage(_("Homedir and tempdir required for level mounts")) 
@@ -2026,7 +1952,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po def __mount_callback(self, option, opt, value, parser): self.__mount = True -@@ -172,6 +178,15 @@ +@@ -172,6 +178,15 @@ class Sandbox: def __x_callback(self, option, opt, value, parser): self.__mount = True setattr(parser.values, option.dest, True) @@ -2042,7 +1968,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po def __validdir(self, option, opt, value, parser): if not os.path.isdir(value): -@@ -194,6 +209,8 @@ +@@ -194,6 +209,8 @@ class Sandbox: self.__include(option, opt, i[:-1], parser) except IOError, e: sys.stderr.write(str(e)) @@ -2051,7 +1977,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po fd.close() def __copyfiles(self): -@@ -212,13 +229,15 @@ +@@ -212,13 +229,15 @@ class Sandbox: /etc/gdm/Xsession """) else: @@ -2069,7 +1995,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po kill -TERM $WM_PID 2> /dev/null """ % (command, wm, command)) fd.close() -@@ -226,14 +245,25 @@ +@@ -226,14 +245,25 @@ kill -TERM $WM_PID 2> /dev/null def usage(self, message = ""): error_exit("%s\n%s" % (self.__parser.usage, message)) @@ -2099,7 +2025,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po parser = OptionParser(version=self.VERSION, usage=usage) parser.disable_interspersed_args() -@@ -268,6 +298,10 @@ +@@ -268,6 +298,10 @@ sandbox [-h] [-[X|M] [-l level ] [-H homedir] [-T tempdir]] [-I includefile ] [- action="callback", callback=self.__validdir, help=_("alternate /tmp directory to use for mounting")) 
@@ -2110,7 +2036,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po parser.add_option("-W", "--windowmanager", dest="wm", type="string", default="/usr/bin/matchbox-window-manager -use_titlebar no", -@@ -276,13 +310,17 @@ +@@ -276,13 +310,17 @@ sandbox [-h] [-[X|M] [-l level ] [-H homedir] [-T tempdir]] [-I includefile ] [- parser.add_option("-l", "--level", dest="level", help=_("MCS/MLS level for the sandbox")) @@ -2129,7 +2055,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po if self.__options.setype: self.setype = self.__options.setype -@@ -299,6 +337,9 @@ +@@ -299,6 +337,9 @@ sandbox [-h] [-[X|M] [-l level ] [-H homedir] [-T tempdir]] [-I includefile ] [- self.__options.X_ind = True self.__homedir = self.__options.homedir self.__tmpdir = self.__options.tmpdir @@ -2139,7 +2065,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po else: if len(cmds) == 0: self.usage(_("Command required")) -@@ -351,22 +392,24 @@ +@@ -351,22 +392,24 @@ sandbox [-h] [-[X|M] [-l level ] [-H homedir] [-T tempdir]] [-I includefile ] [- def __execute(self): try: @@ -2179,9 +2105,10 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po selinux.setexeccon(self.__execcon) rc = subprocess.Popen(self.__cmds).wait() -diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/sandbox.8 policycoreutils-2.0.84/sandbox/sandbox.8 ---- nsapolicycoreutils/sandbox/sandbox.8 2010-06-16 08:03:38.000000000 -0400 -+++ policycoreutils-2.0.84/sandbox/sandbox.8 2010-11-30 11:57:21.000000000 -0500 +diff --git a/policycoreutils/sandbox/sandbox.8 b/policycoreutils/sandbox/sandbox.8 +index 1479364..73d33b3 100644 +--- a/policycoreutils/sandbox/sandbox.8 ++++ b/policycoreutils/sandbox/sandbox.8 @@ -1,10 +1,13 @@ -.TH SANDBOX "8" "May 2009" "chcat" "User Commands" +.TH SANDBOX "8" "May 2010" "sandbox" "User Commands" 
@@ -2199,7 +2126,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po .br .SH DESCRIPTION .PP -@@ -42,6 +45,12 @@ +@@ -42,6 +45,12 @@ Use alternate sandbox type, defaults to sandbox_t or sandbox_x_t for -X. \fB\-T\ tmpdir Use alternate tempory directory to mount on /tmp. Defaults to tmpfs. Requires -X or -M. .TP @@ -2212,7 +2139,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po \fB\-W windowmanager\fR Select alternative window manager to run within .B sandbox -X. -@@ -50,8 +59,17 @@ +@@ -50,8 +59,17 @@ Default to /usr/bin/matchbox-window-manager. \fB\-X\fR Create an X based Sandbox for gui apps, temporary files for $HOME and /tmp, secondary Xserver, defaults to sandbox_x_t @@ -2231,9 +2158,11 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po +.I Dan Walsh +and +.I Thomas Liu -diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/sandbox.conf policycoreutils-2.0.84/sandbox/sandbox.conf ---- nsapolicycoreutils/sandbox/sandbox.conf 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.84/sandbox/sandbox.conf 2010-11-30 11:57:21.000000000 -0500 +diff --git a/policycoreutils/sandbox/sandbox.conf b/policycoreutils/sandbox/sandbox.conf +new file mode 100644 +index 0000000..7c35808 +--- /dev/null ++++ b/policycoreutils/sandbox/sandbox.conf @@ -0,0 +1,7 @@ +# Space separate list of homedirs +HOMEDIRS="/home" 
@@ -2242,9 +2171,11 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po +CPUAFFINITY=ALL +MEMUSAGE=80% +CPUUSAGE=80% -diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/sandbox.conf.5 policycoreutils-2.0.84/sandbox/sandbox.conf.5 ---- nsapolicycoreutils/sandbox/sandbox.conf.5 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.84/sandbox/sandbox.conf.5 2010-11-30 11:57:21.000000000 -0500 +diff --git a/policycoreutils/sandbox/sandbox.conf.5 b/policycoreutils/sandbox/sandbox.conf.5 +new file mode 100644 +index 0000000..ee97e10 +--- /dev/null ++++ b/policycoreutils/sandbox/sandbox.conf.5 @@ -0,0 +1,40 @@ +.TH sandbox.conf "5" "June 2010" "sandbox.conf" "Linux System Administration" +.SH NAME @@ -2286,9 +2217,10 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po +.SH AUTHOR +This manual page was written by +.I Thomas Liu -diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/sandbox.init policycoreutils-2.0.84/sandbox/sandbox.init ---- nsapolicycoreutils/sandbox/sandbox.init 2010-06-16 08:03:38.000000000 -0400 -+++ policycoreutils-2.0.84/sandbox/sandbox.init 2010-11-30 11:57:21.000000000 -0500 +diff --git a/policycoreutils/sandbox/sandbox.init b/policycoreutils/sandbox/sandbox.init +index ff8b3ef..8508647 100644 +--- a/policycoreutils/sandbox/sandbox.init ++++ b/policycoreutils/sandbox/sandbox.init @@ -10,17 +10,12 @@ # # chkconfig: 345 1 99 
@@ -2313,10 +2245,11 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po # # Source function library. -diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/sandboxX.sh policycoreutils-2.0.84/sandbox/sandboxX.sh ---- nsapolicycoreutils/sandbox/sandboxX.sh 2010-06-16 08:03:38.000000000 -0400 -+++ policycoreutils-2.0.84/sandbox/sandboxX.sh 2010-11-30 11:57:21.000000000 -0500 -@@ -1,13 +1,26 @@ +diff --git a/policycoreutils/sandbox/sandboxX.sh b/policycoreutils/sandbox/sandboxX.sh +index 8338203..e501b03 100644 +--- a/policycoreutils/sandbox/sandboxX.sh ++++ b/policycoreutils/sandbox/sandboxX.sh +@@ -1,13 +1,17 @@ #!/bin/bash context=`id -Z | secon -t -l -P` export TITLE="Sandbox $context -- `grep ^#TITLE: ~/.sandboxrc | /usr/bin/cut -b8-80`" @@ -2332,23 +2265,16 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po +#!/bin/sh +DISPLAY=$DISPLAY "\$@" +__EOF -+chmod +x ~/seremote -+ python << __EOF -+import gtk, os, commands -+rc = [-1,''] -+try: -+ rc=commands.getstatusoutput("%s/.sandboxrc" % os.environ["HOME"]) -+except: -+ pass -+if rc[0] == 0: -+ print rc[1] -+__EOF ++ chmod +x ~/seremote ++ /usr/share/sandbox/start $HOME/.sandboxrc export EXITCODE=$? kill -HUP 0 break -diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/seunshare.8 policycoreutils-2.0.84/sandbox/seunshare.8 ---- nsapolicycoreutils/sandbox/seunshare.8 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.84/sandbox/seunshare.8 2010-11-30 11:57:21.000000000 -0500 +diff --git a/policycoreutils/sandbox/seunshare.8 b/policycoreutils/sandbox/seunshare.8 +new file mode 100644 +index 0000000..e7b8991 +--- /dev/null ++++ b/policycoreutils/sandbox/seunshare.8 @@ -0,0 +1,37 @@ +.TH SEUNSHARE "8" "May 2010" "seunshare" "User Commands" +.SH NAME 
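Review bot: The new launcher line `+ /usr/share/sandbox/start $HOME/.sandboxrc` leaves the path unquoted, so a home directory containing whitespace or glob characters is word-split and expanded before `start` ever receives it; it should read `/usr/share/sandbox/start "$HOME/.sandboxrc"`. Quoting here only protects the bash side: the `start` helper added later in this diff (policycoreutils/sandbox/start) hands its argv[1] to `commands.getstatusoutput`, which re-parses it through `/bin/sh -c`, so the two ends need fixing together. The `seremote` heredoc itself is fine, since `"\$@"` is written literally into the generated script.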
@@ -2387,10 +2313,11 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po +.I Dan Walsh +and +.I Thomas Liu -diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/seunshare.c policycoreutils-2.0.84/sandbox/seunshare.c ---- nsapolicycoreutils/sandbox/seunshare.c 2010-06-16 08:03:38.000000000 -0400 -+++ policycoreutils-2.0.84/sandbox/seunshare.c 2010-11-30 11:57:21.000000000 -0500 -@@ -1,13 +1,21 @@ +diff --git a/policycoreutils/sandbox/seunshare.c b/policycoreutils/sandbox/seunshare.c +index ec692e7..de694ad 100644 +--- a/policycoreutils/sandbox/seunshare.c ++++ b/policycoreutils/sandbox/seunshare.c +@@ -1,28 +1,34 @@ +/* + * Authors: Dan Walsh + * Authors: Thomas Liu @@ -2411,9 +2338,10 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po #include +#include #include ++#include #include #include -@@ -15,14 +23,11 @@ + #include /* for getopt_long() form of getopt() */ #include #include #include @@ -2429,7 +2357,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po #ifdef USE_NLS #include /* for setlocale() */ #include /* for gettext() */ -@@ -39,6 +44,12 @@ +@@ -39,6 +45,12 @@ #define MS_PRIVATE 1<<18 #endif @@ -2442,7 +2370,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po /** * This function will drop all capabilities * Returns zero on success, non-zero otherwise -@@ -46,9 +57,9 @@ +@@ -46,9 +58,9 @@ static int drop_capabilities(uid_t uid) { capng_clear(CAPNG_SELECT_BOTH); 
@@ -2453,7 +2381,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po /* Change uid */ if (setresuid(uid, uid, uid)) { fprintf(stderr, _("Error changing uid, aborting.\n")); -@@ -134,42 +145,98 @@ +@@ -134,42 +146,98 @@ static int verify_shell(const char *shell_name) static int seunshare_mount(const char *src, const char *dst, struct passwd *pwd) { if (verbose) printf("Mount %s on %s\n", src, dst); @@ -2512,8 +2440,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po + syslog(LOG_AUTHPRIV | LOG_ALERT, string); + exit(-1); + -+} -+ + } + +-#define USAGE_STRING _("USAGE: seunshare [ -v ] [ -t tmpdir ] [ -h homedir ] -- CONTEXT executable [args] ") + +int match(const char *string, char *pattern) { + int status; @@ -2527,9 +2456,8 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po + return 0; + } + return 1; - } - --#define USAGE_STRING _("USAGE: seunshare [ -v ] [ -t tmpdir ] [ -h homedir ] -- CONTEXT executable [args] ") ++} ++ +void config_error() { + fprintf(stderr, "Error parsing config file."); + exit(-1); @@ -2557,10 +2485,15 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po {NULL, 0, 0, 0} }; -@@ -180,6 +247,12 @@ +@@ -180,6 +248,17 @@ int main(int argc, char **argv) { return -1; } ++ if (setfsuid(uid) < 0) { ++ fprintf(stderr, _("setfsuid failed. %s"), strerror(errno)); ++ return -1; ++ } ++ +#ifdef USE_NLS + setlocale(LC_ALL, ""); + bindtextdomain(PACKAGE, LOCALEDIR); @@ -2570,7 +2503,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po struct passwd *pwd=getpwuid(uid); if (!pwd) { perror(_("getpwduid failed")); -@@ -192,30 +265,30 @@ +@@ -192,30 +271,30 @@ int main(int argc, char **argv) { } while (1) { 
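Review bot: `syslog(LOG_AUTHPRIV | LOG_ALERT, string);` passes a runtime-built buffer as the format argument, so any `%` sequence in it is interpreted as a conversion specifier; it should be `syslog(LOG_AUTHPRIV | LOG_ALERT, "%s", string);`. The line is context in this hunk rather than something the commit changes, and the function it belongs to starts outside the hunk, so how `string` is assembled is not visible here; if it can carry caller-supplied text (a path or argument), this is a format-string exposure in a binary the sandbox Makefile installs with mode 4755.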
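Review bot: The added `if (setfsuid(uid) < 0)` guard cannot fire: setfsuid() returns the previous filesystem uid on both success and failure and sets no error indication, so a refused change goes unnoticed and the program continues with the privileged fsuid. The documented way to verify it is a second call, `setfsuid(uid);` followed by `if ((uid_t) setfsuid(-1) != uid) {` leading into the existing error path; since errno is not set by setfsuid(), the `strerror(errno)` text in the message is meaningless and can be dropped. main() continues outside this hunk.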
@@ -2610,7 +2543,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po default: fprintf(stderr, "%s\n", USAGE_STRING); return -1; -@@ -223,21 +296,179 @@ +@@ -223,21 +302,179 @@ int main(int argc, char **argv) { } if (! homedir_s && ! tmpdir_s) { @@ -2796,7 +2729,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po if (unshare(CLONE_NEWNS) < 0) { perror(_("Failed to unshare")); -@@ -286,11 +517,13 @@ +@@ -286,11 +523,13 @@ int main(int argc, char **argv) { exit(-1); } @@ -2815,7 +2748,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po } if (display) -@@ -305,17 +538,14 @@ +@@ -305,17 +544,14 @@ int main(int argc, char **argv) { perror(_("Failed to change dir to homedir")); exit(-1); } 
@@ -2834,19 +2767,48 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po - return status; } -diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/chcat policycoreutils-2.0.84/scripts/chcat ---- nsapolicycoreutils/scripts/chcat 2010-05-19 14:45:51.000000000 -0400 -+++ policycoreutils-2.0.84/scripts/chcat 2010-11-30 11:57:21.000000000 -0500 +diff --git a/policycoreutils/sandbox/start b/policycoreutils/sandbox/start +new file mode 100755 +index 0000000..52950d7 +--- /dev/null ++++ b/policycoreutils/sandbox/start +@@ -0,0 +1,9 @@ ++#! /usr/bin/python -Es ++import gtk, commands, sys ++rc = [-1,''] ++try: ++ rc=commands.getstatusoutput(sys.argv[1]) ++except: ++ pass ++if rc[0] == 0: ++ print rc[1] +diff --git a/policycoreutils/scripts/Makefile b/policycoreutils/scripts/Makefile +index 53b65b6..cc75a96 100644 +--- a/policycoreutils/scripts/Makefile ++++ b/policycoreutils/scripts/Makefile +@@ -14,6 +14,7 @@ install: all + install -m 755 genhomedircon $(SBINDIR) + -mkdir -p $(MANDIR)/man8 + install -m 644 fixfiles.8 $(MANDIR)/man8/ ++ install -m 644 genhomedircon.8 $(MANDIR)/man8/ + install -m 644 chcat.8 $(MANDIR)/man8/ + + clean: +diff --git a/policycoreutils/scripts/chcat b/policycoreutils/scripts/chcat +index 4038a99..9efcb22 100755 +--- a/policycoreutils/scripts/chcat ++++ b/policycoreutils/scripts/chcat 
@@ -1,4 +1,4 @@ -#! /usr/bin/python -E +#! /usr/bin/python -Es # Copyright (C) 2005 Red Hat # see file 'COPYING' for use and warranty information # -diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/fixfiles policycoreutils-2.0.84/scripts/fixfiles ---- nsapolicycoreutils/scripts/fixfiles 2010-05-19 14:45:51.000000000 -0400 -+++ policycoreutils-2.0.84/scripts/fixfiles 2010-11-30 11:57:21.000000000 -0500 -@@ -21,6 +21,17 @@ +diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles +index ae519fc..0890811 100755 +--- a/policycoreutils/scripts/fixfiles ++++ b/policycoreutils/scripts/fixfiles +@@ -21,6 +21,25 @@ # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA # @@ -2860,11 +2822,19 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po +done +} + ++exclude_dirs() { ++ exclude= ++ for i in /var/lib/BackupPC /home /tmp /dev; do ++ [ -e $i ] && exclude="$exclude -e $i"; ++ done ++ echo "$exclude" ++} ++ +# # Set global Variables # fullFlag=0 -@@ -35,9 +46,7 @@ +@@ -35,9 +54,7 @@ SYSLOGFLAG="-l" LOGGER=/usr/sbin/logger SETFILES=/sbin/setfiles RESTORECON=/sbin/restorecon @@ -2875,7 +2845,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po SELINUXTYPE="targeted" if [ -e /etc/selinux/config ]; then . /etc/selinux/config -@@ -87,23 +96,10 @@ +@@ -87,23 +104,10 @@ if [ -f ${PREFC} -a -x /usr/bin/diff ]; then esac; \ fi; \ done | \ @@ -2884,7 +2854,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po - \( -wholename /home -o -wholename /root -o -wholename /tmp -wholename /dev \) -prune -o -print0"; \ - done 2> /dev/null | \ - ${RESTORECON} $* -0 -f - -+ ${RESTORECON} -f - -R -p -e /var/lib/BackupPC -e /home -e /tmp -r /dev; \ ++ ${RESTORECON} -f - -R -p `exclude_dirs`; \ rm -f ${TEMPFILE} ${PREFCTEMPFILE} fi } 
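Review bot: The new `start` script runs `commands.getstatusoutput(sys.argv[1])`, which splices its argument into a `/bin/sh -c` command line, so the path passed by sandboxX.sh (`$HOME/.sandboxrc`) is re-parsed by a shell and whitespace or metacharacters in the home directory name change what gets executed; `subprocess.Popen([sys.argv[1]], ...)` runs the file directly without a shell. The script also dereferences `sys.argv[1]` without checking the argument count, uses a bare `except:` that hides every error including the resulting IndexError, and imports `gtk` without using it — if that import is deliberate (e.g. to preload the toolkit), a comment should say so. The rewrite below keeps the observable behaviour: print the captured stdout+stderr only when the command exits 0, otherwise stay silent.

```python
#! /usr/bin/python -Es
import subprocess, sys

if len(sys.argv) > 1:
    out = None
    try:
        # Execute the file directly so no shell re-parses the path.
        proc = subprocess.Popen([sys.argv[1]], stdout=subprocess.PIPE,
                                stderr=subprocess.STDOUT)
        out = proc.communicate()[0]
    except OSError:
        pass
    if out is not None and proc.returncode == 0:
        sys.stdout.write(out)
```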
@@ -2900,7 +2870,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po rpmlist() { rpm -q --qf '[%{FILESTATES} %{FILENAMES}\n]' "$1" | grep '^0 ' | cut -f2- -d ' ' -@@ -121,23 +117,16 @@ +@@ -121,23 +125,16 @@ if [ ! -z "$PREFC" ]; then fi if [ ! -z "$RPMFILES" ]; then for i in `echo "$RPMFILES" | sed 's/,/ /g'`; do @@ -2927,7 +2897,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po rm -rf /tmp/gconfd-* /tmp/pulse-* /tmp/orbit-* find /tmp \( -context "*:file_t*" -o -context "*:unlabeled_t*" \) -exec chcon -t tmp_t {} \; find /var/tmp \( -context "*:file_t*" -o -context "*:unlabeled_t*" \) -exec chcon -t tmp_t {} \; -@@ -146,8 +135,7 @@ +@@ -146,8 +143,7 @@ exit $? fullrelabel() { logit "Cleaning out /tmp" @@ -2937,9 +2907,11 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po restore } -diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/genhomedircon.8 policycoreutils-2.0.84/scripts/genhomedircon.8 ---- nsapolicycoreutils/scripts/genhomedircon.8 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.84/scripts/genhomedircon.8 2010-11-30 11:57:21.000000000 -0500 +diff --git a/policycoreutils/scripts/genhomedircon.8 b/policycoreutils/scripts/genhomedircon.8 +new file mode 100644 +index 0000000..6331660 +--- /dev/null ++++ b/policycoreutils/scripts/genhomedircon.8 @@ -0,0 +1,37 @@ +.\" Hey, Emacs! This is an -*- nroff -*- source file. +.\" Copyright (c) 2010 Dan Walsh 
@@ -2978,45 +2950,25 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po +.SH AUTHOR +This manual page was written by +.I Dan Walsh -diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/Makefile policycoreutils-2.0.84/scripts/Makefile ---- nsapolicycoreutils/scripts/Makefile 2010-05-19 14:45:51.000000000 -0400 -+++ policycoreutils-2.0.84/scripts/Makefile 2010-11-30 11:57:21.000000000 -0500 -@@ -14,6 +14,7 @@ - install -m 755 genhomedircon $(SBINDIR) - -mkdir -p $(MANDIR)/man8 - install -m 644 fixfiles.8 $(MANDIR)/man8/ -+ install -m 644 genhomedircon.8 $(MANDIR)/man8/ - install -m 644 chcat.8 $(MANDIR)/man8/ - - clean: -diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/severify.py policycoreutils-2.0.84/scripts/severify.py ---- nsapolicycoreutils/scripts/severify.py 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.84/scripts/severify.py 2010-11-30 11:57:21.000000000 -0500 -@@ -0,0 +1,21 @@ -+#! 
/usr/bin/python -Es -+import seobject -+import selinux -+import setools -+import sys -+#store = selinux.selinux_getpolicytype()[1] -+#mod=seobject.moduleRecords(store = store, reload=False) -+#mod.disable("zebra") -+fd = open(sys.argv[1], "r") -+lines = fd.readlines() -+#fd.close() -+#for i in lines: -+# j = i.split() -+# if len(j) == 0 or ( j[0] != "allow" and j[0] != "dontaudit"): -+# continue -+# allow = j[0] -+# print j[1] -+#sys.exit() -+#setools.sesearch([ setools.ALLOW ], { setools.SCONTEXT:"rwho_t", setools.TCONTEXT:"rwho_spool_t" } ) -+#mod.enable("zebra") +diff --git a/policycoreutils/semanage/default_encoding/Makefile b/policycoreutils/semanage/default_encoding/Makefile +new file mode 100644 +index 0000000..176b11f +--- /dev/null ++++ b/policycoreutils/semanage/default_encoding/Makefile +@@ -0,0 +1,8 @@ ++all: ++ LDFLAGS="" python setup.py build + -diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/default_encoding/default_encoding.c policycoreutils-2.0.84/semanage/default_encoding/default_encoding.c ---- nsapolicycoreutils/semanage/default_encoding/default_encoding.c 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.84/semanage/default_encoding/default_encoding.c 2010-11-30 11:57:21.000000000 -0500 ++install: all ++ LDFLAGS="" python setup.py install --root=$(DESTDIR)/ ++ ++clean: ++ rm -rf build *~ +diff --git a/policycoreutils/semanage/default_encoding/default_encoding.c b/policycoreutils/semanage/default_encoding/default_encoding.c +new file mode 100644 +index 0000000..c3cdd4e +--- /dev/null ++++ b/policycoreutils/semanage/default_encoding/default_encoding.c @@ -0,0 +1,59 @@ +/* + * Authors: 
@@ -3077,21 +3029,11 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po + PyUnicode_SetDefaultEncoding("utf-8"); + m = Py_InitModule3("default_encoding_utf8", methods, "Forces the default encoding to utf-8"); +} -diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/default_encoding/Makefile policycoreutils-2.0.84/semanage/default_encoding/Makefile ---- nsapolicycoreutils/semanage/default_encoding/Makefile 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.84/semanage/default_encoding/Makefile 2010-11-30 11:57:21.000000000 -0500 -@@ -0,0 +1,8 @@ -+all: -+ LDFLAGS="" python setup.py build -+ -+install: all -+ LDFLAGS="" python setup.py install --root=$(DESTDIR)/ -+ -+clean: -+ rm -rf build *~ -diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/default_encoding/policycoreutils/__init__.py policycoreutils-2.0.84/semanage/default_encoding/policycoreutils/__init__.py ---- nsapolicycoreutils/semanage/default_encoding/policycoreutils/__init__.py 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.84/semanage/default_encoding/policycoreutils/__init__.py 2010-11-30 11:57:21.000000000 -0500 +diff --git a/policycoreutils/semanage/default_encoding/policycoreutils/__init__.py b/policycoreutils/semanage/default_encoding/policycoreutils/__init__.py +new file mode 100644 +index 0000000..ccb6b8b +--- /dev/null ++++ b/policycoreutils/semanage/default_encoding/policycoreutils/__init__.py @@ -0,0 +1,17 @@ +# +# Copyright (C) 2006,2007,2008, 2009 Red Hat, Inc. 
@@ -3110,9 +3052,11 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po +# along with this program; if not, write to the Free Software +# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +# -diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/default_encoding/setup.py policycoreutils-2.0.84/semanage/default_encoding/setup.py ---- nsapolicycoreutils/semanage/default_encoding/setup.py 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.84/semanage/default_encoding/setup.py 2010-11-30 11:57:21.000000000 -0500 +diff --git a/policycoreutils/semanage/default_encoding/setup.py b/policycoreutils/semanage/default_encoding/setup.py +new file mode 100644 +index 0000000..e2befdb +--- /dev/null ++++ b/policycoreutils/semanage/default_encoding/setup.py @@ -0,0 +1,38 @@ +# Authors: +# John Dennis @@ -3152,9 +3096,10 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po + ext_modules = [default_encoding_utf8], + packages=["policycoreutils"], +) -diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/semanage policycoreutils-2.0.84/semanage/semanage ---- nsapolicycoreutils/semanage/semanage 2010-05-19 14:45:51.000000000 -0400 -+++ policycoreutils-2.0.84/semanage/semanage 2010-11-30 11:57:21.000000000 -0500 +diff --git a/policycoreutils/semanage/semanage b/policycoreutils/semanage/semanage +index ffaca5b..75b53e8 100644 +--- a/policycoreutils/semanage/semanage ++++ b/policycoreutils/semanage/semanage @@ -1,4 +1,4 @@ -#! /usr/bin/python -E +#! /usr/bin/python -Es @@ -3169,7 +3114,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po import sys, getopt, re import seobject import selinux -@@ -32,27 +33,36 @@ +@@ -32,27 +33,36 @@ gettext.textdomain(PROGNAME) try: gettext.install(PROGNAME, localedir="/usr/share/locale", 
@@ -3211,7 +3156,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po semanage dontaudit [ on | off ] Primary Options: -@@ -61,7 +71,9 @@ +@@ -61,7 +71,9 @@ Primary Options: -d, --delete Delete a OBJECT record NAME -m, --modify Modify a OBJECT record NAME -i, --input Input multiple semange commands in a transaction @@ -3221,7 +3166,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -C, --locallist List OBJECTS local customizations -D, --deleteall Remove all OBJECTS local customizations -@@ -84,12 +96,15 @@ +@@ -84,12 +96,15 @@ Object-specific Options (see above): -F, --file Treat target as an input file for command, change multiple settings -p, --proto Port protocol (tcp or udp) or internet protocol version of node (ipv4 or ipv6) -M, --mask Netmask @@ -3237,7 +3182,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po """) raise ValueError("%s\n%s" % (text, message)) -@@ -101,7 +116,7 @@ +@@ -101,7 +116,7 @@ Object-specific Options (see above): def get_options(): valid_option={} @@ -3246,7 +3191,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po valid_option["login"] = [] valid_option["login"] += valid_everyone + [ '-s', '--seuser', '-r', '--range'] valid_option["user"] = [] -@@ -112,8 +127,10 @@ +@@ -112,8 +127,10 @@ Object-specific Options (see above): valid_option["interface"] += valid_everyone + [ '-t', '--type', '-r', '--range'] valid_option["node"] = [] valid_option["node"] += valid_everyone + [ '-M', '--mask', '-t', '--type', '-r', '--range', '-p', '--protocol'] 
@@ -3258,7 +3203,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po valid_option["dontaudit"] = [ '-S', '--store' ] valid_option["boolean"] = [] valid_option["boolean"] += valid_everyone + [ '--on', "--off", "-1", "-0", "-F", "--file"] -@@ -168,6 +185,8 @@ +@@ -168,6 +185,8 @@ Object-specific Options (see above): return ret def process_args(argv): @@ -3267,7 +3212,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po serange = "" port = "" proto = "" -@@ -184,11 +203,17 @@ +@@ -184,11 +203,17 @@ Object-specific Options (see above): modify = False delete = False deleteall = False @@ -3285,7 +3230,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po object = argv[0] option_dict=get_options() if object not in option_dict.keys(): -@@ -197,10 +222,14 @@ +@@ -197,10 +222,14 @@ Object-specific Options (see above): args = argv[1:] gopts, cmds = getopt.getopt(args, @@ -3301,7 +3246,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po 'ftype=', 'file', 'help', -@@ -225,29 +254,47 @@ +@@ -225,29 +254,47 @@ Object-specific Options (see above): for o, a in gopts: if o not in option_dict[object]: sys.stderr.write(_("%s not valid for %s objects\n") % ( o, object) ); @@ -3356,7 +3301,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po if o == "-n" or o == "--noheading": heading = False -@@ -256,8 +303,7 @@ +@@ -256,8 +303,7 @@ Object-specific Options (see above): locallist = True if o == "-m"or o == "--modify": @@ -3366,7 +3311,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po modify = True if o == "-S" or o == '--store': -@@ -292,8 +338,10 @@ +@@ -292,8 +338,10 @@ Object-specific Options (see above): if o == "--on" or o == "-1": value = "on" 
@@ -3377,7 +3322,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po if object == "login": OBJECT = seobject.loginRecords(store) -@@ -315,6 +363,11 @@ +@@ -315,6 +363,11 @@ Object-specific Options (see above): if object == "boolean": OBJECT = seobject.booleanRecords(store) @@ -3389,7 +3334,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po if object == "permissive": OBJECT = seobject.permissiveRecords(store) -@@ -330,65 +383,97 @@ +@@ -330,65 +383,97 @@ Object-specific Options (see above): OBJECT.deleteall() return @@ -3499,7 +3444,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po if delete: if object == "port": OBJECT.delete(target, proto) -@@ -401,15 +486,14 @@ +@@ -401,15 +486,14 @@ Object-specific Options (see above): else: OBJECT.delete(target) @@ -3517,7 +3462,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po input = None store = "" -@@ -417,7 +501,7 @@ +@@ -417,7 +501,7 @@ Object-specific Options (see above): usage(_("Requires 2 or more arguments")) gopts, cmds = getopt.getopt(sys.argv[1:], @@ -3526,7 +3471,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po ['add', 'delete', 'deleteall', -@@ -431,6 +515,7 @@ +@@ -431,6 +515,7 @@ Object-specific Options (see above): 'localist', 'off', 'on', @@ -3534,7 +3479,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po 'proto=', 'seuser=', 'store=', -@@ -438,6 +523,7 @@ +@@ -438,6 +523,7 @@ Object-specific Options (see above): 'level=', 'roles=', 'type=', @@ -3542,7 +3487,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po 'prefix=' ]) for o, a in gopts: -@@ -445,6 +531,16 @@ +@@ -445,6 +531,16 @@ Object-specific Options (see above): store = a if o == "-i" or o == '--input': input = a 
@@ -3559,15 +3504,16 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po if input != None: if input == "-": -@@ -467,3 +563,5 @@ +@@ -467,3 +563,5 @@ Object-specific Options (see above): errorExit(_("Invalid value %s") % error.args[0]) except IOError, error: errorExit(error.args[1]) + except OSError, error: + errorExit(error.args[1]) -diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/semanage.8 policycoreutils-2.0.84/semanage/semanage.8 ---- nsapolicycoreutils/semanage/semanage.8 2010-05-19 14:45:51.000000000 -0400 -+++ policycoreutils-2.0.84/semanage/semanage.8 2010-11-30 11:57:21.000000000 -0500 +diff --git a/policycoreutils/semanage/semanage.8 b/policycoreutils/semanage/semanage.8 +index 70d1a20..fb6a79b 100644 +--- a/policycoreutils/semanage/semanage.8 ++++ b/policycoreutils/semanage/semanage.8 @@ -1,29 +1,69 @@ -.TH "semanage" "8" "2005111103" "" "" +.TH "semanage" "8" "20100223" "" "" @@ -3582,14 +3528,12 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po +.B semanage [ -S store ] -o [ output_file | - ] + +Input local customizations - .br --.B semanage login \-{a|d|m} [\-sr] login_name | %groupname ++.br +.B semanage [ -S store ] -i [ input_file | - ] + +Manage booleans. Booleans allow the administrator to modify the confinement of +processes based on his configuration. - .br --.B semanage user \-{a|d|m} [\-LrRP] selinux_name ++.br +.B semanage boolean [\-S store] \-{d|m|l|n|D} \-[\-on|\-off|\1|0] -F boolean | boolean_file + +Manage SELinux confined users (Roles and levels for an SELinux user) 
@@ -3605,39 +3549,41 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po +.B semanage module [\-S store] \-{a|d|l} [-m [--enable | --disable] ] module_name + +Manage network port type definitions -+.br + .br +-.B semanage login \-{a|d|m} [\-sr] login_name | %groupname +.B semanage port [\-S store] \-{a|d|m|l|n|D} [\-tr] [\-p proto] port | port_range -+.br + .br +-.B semanage user \-{a|d|m} [\-LrRP] selinux_name + +Manage network interface type definitions +.br +.B semanage interface [\-S store] \-{a|d|m|l|n|D} [\-tr] interface_spec + +Manage network node type definitions -+.br -+.B semanage node [\-S store] -{a|d|m|l|n|D} [-tr] [ -p protocol ] [-M netmask] address -+.br -+ -+Manage file context mapping definitions .br -.B semanage port \-{a|d|m} [\-tr] [\-p proto] port | port_range -+.B semanage fcontext [\-S store] \-{a|d|m|l|n|D} [\-frst] file_spec ++.B semanage node [\-S store] -{a|d|m|l|n|D} [-tr] [ -p protocol ] [-M netmask] address .br -.B semanage interface \-{a|d|m} [\-tr] interface_spec -+.B semanage fcontext [\-S store] \-{a|d|m|l|n|D} \-e replacement target ++ ++Manage file context mapping definitions ++.br ++.B semanage fcontext [\-S store] \-{a|d|m|l|n|D} [\-frst] file_spec .br -.B semanage node -{a|d|m} [-tr] [ -p protocol ] [-M netmask] address ++.B semanage fcontext [\-S store] \-{a|d|m|l|n|D} \-e replacement target + .br +-.B semanage fcontext \-{a|d|m} [\-frst] file_spec + +Manage processes type enforcement mode .br --.B semanage fcontext \-{a|d|m} [\-frst] file_spec +-.B semanage permissive \-{a|d} type +.B semanage permissive [\-S store] \-{a|d|l|n|D} type .br --.B semanage permissive \-{a|d} type +-.B semanage dontaudit [ on | off ] + +Disable/Enable dontaudit rules in policy - .br --.B semanage dontaudit [ on | off ] ++.br +.B semanage dontaudit [\-S store] [ on | off ] .P 
@@ -3649,7 +3595,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po .SH "DESCRIPTION" semanage is used to configure certain elements of SELinux policy without requiring modification to or recompilation -@@ -52,6 +92,22 @@ +@@ -52,6 +92,22 @@ Delete a OBJECT record NAME .I \-D, \-\-deleteall Remove all OBJECTS local customizations .TP @@ -3672,7 +3618,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po .I \-f, \-\-ftype File Type. This is used with fcontext. Requires a file type as shown in the mode field by ls, e.g. use -d to match only directories or -- to match only regular files. -@@ -60,6 +116,7 @@ +@@ -60,6 +116,7 @@ Requires a file type as shown in the mode field by ls, e.g. use -d to match only Set multiple records from the input file. When used with the \-l \-\-list, it will output the current settings to stdout in the proper format. Currently booleans only. @@ -3680,7 +3626,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po .TP .I \-h, \-\-help display this message -@@ -76,6 +133,9 @@ +@@ -76,6 +133,9 @@ Default SELinux Level for SELinux use, s0 Default. (MLS/MCS Systems only) .I \-m, \-\-modify Modify a OBJECT record NAME .TP @@ -3690,7 +3636,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po .I \-n, \-\-noheading Do not print heading when listing OBJECTS. .TP -@@ -99,26 +159,67 @@ +@@ -99,26 +159,67 @@ Select and alternate SELinux store to manage .TP .I \-t, \-\-type SELinux Type for the object 
@@ -3774,10 +3720,11 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po +and Russell Coker . +.br Examples by Thomas Bleher . -diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/seobject.py policycoreutils-2.0.84/semanage/seobject.py ---- nsapolicycoreutils/semanage/seobject.py 2010-05-19 14:45:51.000000000 -0400 -+++ policycoreutils-2.0.84/semanage/seobject.py 2010-11-30 11:57:21.000000000 -0500 -@@ -29,47 +29,12 @@ +diff --git a/policycoreutils/semanage/seobject.py b/policycoreutils/semanage/seobject.py +index b7d257b..40e57e9 100644 +--- a/policycoreutils/semanage/seobject.py ++++ b/policycoreutils/semanage/seobject.py +@@ -29,47 +29,12 @@ import sepolgen.module as module import gettext gettext.bindtextdomain(PROGNAME, "/usr/share/locale") gettext.textdomain(PROGNAME) @@ -3801,7 +3748,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po - - if store != "": - semanage_select_store(handle, store, SEMANAGE_CON_DIRECT); - +- - if not semanage_is_managed(handle): - semanage_handle_destroy(handle) - raise ValueError(_("SELinux policy is not managed or store cannot be accessed.")) @@ -3815,7 +3762,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po - if rc < 0: - semanage_handle_destroy(handle) - raise ValueError(_("Could not establish semanage connection")) -- + - is_mls_enabled = semanage_mls_enabled(handle) - if is_mls_enabled < 0: - semanage_handle_destroy(handle) @@ -3829,7 +3776,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po file_types = {} file_types[""] = SEMANAGE_FCONTEXT_ALL; -@@ -194,44 +159,153 @@ +@@ -194,45 +159,154 @@ def untranslate(trans, prepend = 1): return trans else: return raw 
@@ -3922,8 +3869,8 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po raise ValueError(_("Semanage transaction not in progress")) - self.transaction = False + semanageRecords.transaction = False -+ self.commit() -+ + self.commit() + +class moduleRecords(semanageRecords): + def __init__(self, store): + semanageRecords.__init__(self, store) @@ -3987,17 +3934,18 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po + if rc < 0 and rc != -2: + raise ValueError(_("Could not remove module %s (remove failed)") % m) + - self.commit() ++ self.commit() + + def deleteall(self): + l = self.get_all() + if len(l) > 0: + all = " ".join(l[0]) + self.delete(all) - ++ class dontauditClass(semanageRecords): def __init__(self, store): -@@ -259,14 +333,23 @@ + semanageRecords.__init__(self, store) +@@ -259,14 +333,23 @@ class permissiveRecords(semanageRecords): name = semanage_module_get_name(mod) if name and name.startswith("permissive_"): l.append(name.split("permissive_")[1]) @@ -4025,7 +3973,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po def add(self, type): import glob -@@ -343,7 +426,9 @@ +@@ -343,7 +426,9 @@ class loginRecords(semanageRecords): if rc < 0: raise ValueError(_("Could not check if login mapping for %s is defined") % name) if exists: @@ -4036,7 +3984,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po if name[0] == '%': try: grp.getgrnam(name[1:]) -@@ -475,6 +560,16 @@ +@@ -475,6 +560,16 @@ class loginRecords(semanageRecords): mylog.log(1, "delete SELinux user mapping", name); @@ -4053,7 +4001,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po def get_all(self, locallist = 0): ddict = {} if locallist: -@@ -489,6 +584,15 @@ +@@ -489,6 +584,15 @@ class loginRecords(semanageRecords): ddict[name] = (semanage_seuser_get_sename(u), semanage_seuser_get_mlsrange(u)) return ddict 
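Review bot: In `deleteall`, `all = " ".join(l[0])` joins the fields of the first entry returned by `get_all()` rather than collecting one name per module, so if `get_all()` yields a (name, ...) tuple per module the string handed to `delete` contains at most one module name mixed with its other fields, and the join fails outright if any field is not a string. The loop in `delete` (`for m in ...`) expects a space-separated list of names, which `names = " ".join(m[0] for m in l)` would supply. `all` also shadows a builtin; `names` avoids that. `get_all` lies outside the hunk, so the return shape is inferred from how the join is used.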
@@ -4069,7 +4017,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po def list(self,heading = 1, locallist = 0): ddict = self.get_all(locallist) keys = ddict.keys() -@@ -531,7 +635,8 @@ +@@ -531,7 +635,8 @@ class seluserRecords(semanageRecords): if rc < 0: raise ValueError(_("Could not check if SELinux user %s is defined") % name) if exists: @@ -4079,7 +4027,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po (rc, u) = semanage_user_create(self.sh) if rc < 0: -@@ -682,6 +787,16 @@ +@@ -682,6 +787,16 @@ class seluserRecords(semanageRecords): mylog.log(1,"delete SELinux user record", name) @@ -4096,7 +4044,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po def get_all(self, locallist = 0): ddict = {} if locallist: -@@ -702,6 +817,15 @@ +@@ -702,6 +817,15 @@ class seluserRecords(semanageRecords): return ddict @@ -4112,7 +4060,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po def list(self, heading = 1, locallist = 0): ddict = self.get_all(locallist) keys = ddict.keys() -@@ -740,12 +864,16 @@ +@@ -740,12 +864,16 @@ class portRecords(semanageRecords): low = int(ports[0]) high = int(ports[1]) @@ -4129,7 +4077,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po if is_mls_enabled == 1: if serange == "": serange = "s0" -@@ -808,6 +936,7 @@ +@@ -808,6 +936,7 @@ class portRecords(semanageRecords): self.commit() def __modify(self, port, proto, serange, setype): @@ -4137,7 +4085,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po if serange == "" and setype == "": if is_mls_enabled == 1: raise ValueError(_("Requires setype or serange")) -@@ -942,6 +1071,18 @@ +@@ -942,6 +1071,18 @@ class portRecords(semanageRecords): ddict[(ctype,proto_str)].append("%d-%d" % (low, high)) return ddict 
@@ -4156,7 +4104,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po def list(self, heading = 1, locallist = 0): if heading: print "%-30s %-8s %s\n" % (_("SELinux Port Type"), _("Proto"), _("Port Number")) -@@ -958,7 +1099,8 @@ +@@ -958,7 +1099,8 @@ class portRecords(semanageRecords): class nodeRecords(semanageRecords): def __init__(self, store = ""): semanageRecords.__init__(self,store) @@ -4166,7 +4114,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po def __add(self, addr, mask, proto, serange, ctype): if addr == "": raise ValueError(_("Node Address is required")) -@@ -966,14 +1108,11 @@ +@@ -966,14 +1108,11 @@ class nodeRecords(semanageRecords): if mask == "": raise ValueError(_("Node Netmask is required")) @@ -4184,7 +4132,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po if is_mls_enabled == 1: if serange == "": serange = "s0" -@@ -991,11 +1130,13 @@ +@@ -991,11 +1130,13 @@ class nodeRecords(semanageRecords): (rc, exists) = semanage_node_exists(self.sh, k) if exists: @@ -4199,7 +4147,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po rc = semanage_node_set_addr(self.sh, node, proto, addr) (rc, con) = semanage_context_create(self.sh) -@@ -1005,8 +1146,7 @@ +@@ -1005,8 +1146,7 @@ class nodeRecords(semanageRecords): rc = semanage_node_set_mask(self.sh, node, proto, mask) if rc < 0: raise ValueError(_("Could not set mask for %s") % addr) @@ -4209,7 +4157,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po rc = semanage_context_set_user(self.sh, con, "system_u") if rc < 0: raise ValueError(_("Could not set user in addr context for %s") % addr) -@@ -1047,13 +1187,10 @@ +@@ -1047,13 +1187,10 @@ class nodeRecords(semanageRecords): if mask == "": raise ValueError(_("Node Netmask is required")) 
@@ -4227,7 +4175,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po if serange == "" and setype == "": raise ValueError(_("Requires setype or serange")) -@@ -1068,12 +1205,11 @@ +@@ -1068,12 +1205,11 @@ class nodeRecords(semanageRecords): if not exists: raise ValueError(_("Addr %s is not defined") % addr) @@ -4241,7 +4189,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po if serange != "": semanage_context_set_mls(self.sh, con, untranslate(serange)) if setype != "": -@@ -1098,11 +1234,9 @@ +@@ -1098,11 +1234,9 @@ class nodeRecords(semanageRecords): if mask == "": raise ValueError(_("Node Netmask is required")) @@ -4256,7 +4204,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po raise ValueError(_("Unknown or missing protocol")) (rc, k) = semanage_node_key_create(self.sh, addr, mask, proto) -@@ -1132,6 +1266,16 @@ +@@ -1132,6 +1266,16 @@ class nodeRecords(semanageRecords): self.__delete(addr, mask, proto) self.commit() @@ -4273,7 +4221,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po def get_all(self, locallist = 0): ddict = {} if locallist : -@@ -1145,15 +1289,20 @@ +@@ -1145,15 +1289,20 @@ class nodeRecords(semanageRecords): con = semanage_node_get_con(node) addr = semanage_node_get_addr(self.sh, node) mask = semanage_node_get_mask(self.sh, node) @@ -4299,7 +4247,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po def list(self, heading = 1, locallist = 0): if heading: print "%-18s %-18s %-5s %-5s\n" % ("IP Address", "Netmask", "Protocol", "Context") -@@ -1193,7 +1342,8 @@ +@@ -1193,7 +1342,8 @@ class interfaceRecords(semanageRecords): if rc < 0: raise ValueError(_("Could not check if interface %s is defined") % interface) if exists: 
@@ -4309,7 +4257,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po (rc, iface) = semanage_iface_create(self.sh) if rc < 0: -@@ -1307,6 +1457,16 @@ +@@ -1307,6 +1457,16 @@ class interfaceRecords(semanageRecords): self.__delete(interface) self.commit() @@ -4326,7 +4274,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po def get_all(self, locallist = 0): ddict = {} if locallist: -@@ -1322,6 +1482,15 @@ +@@ -1322,6 +1482,15 @@ class interfaceRecords(semanageRecords): return ddict @@ -4342,7 +4290,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po def list(self, heading = 1, locallist = 0): if heading: print "%-30s %s\n" % (_("SELinux Interface"), _("Context")) -@@ -1338,6 +1507,48 @@ +@@ -1338,6 +1507,48 @@ class interfaceRecords(semanageRecords): class fcontextRecords(semanageRecords): def __init__(self, store = ""): semanageRecords.__init__(self, store) @@ -4391,7 +4339,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po def createcon(self, target, seuser = "system_u"): (rc, con) = semanage_context_create(self.sh) -@@ -1364,6 +1575,8 @@ +@@ -1364,6 +1575,8 @@ class fcontextRecords(semanageRecords): def validate(self, target): if target == "" or target.find("\n") >= 0: raise ValueError(_("Invalid file specification")) @@ -4400,7 +4348,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po def __add(self, target, type, ftype = "", serange = "", seuser = "system_u"): self.validate(target) -@@ -1388,7 +1601,8 @@ +@@ -1388,7 +1601,8 @@ class fcontextRecords(semanageRecords): raise ValueError(_("Could not check if file context for %s is defined") % target) if exists: 
@@ -4410,7 +4358,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po (rc, fcontext) = semanage_fcontext_create(self.sh) if rc < 0: -@@ -1504,9 +1718,16 @@ +@@ -1504,9 +1718,16 @@ class fcontextRecords(semanageRecords): raise ValueError(_("Could not delete the file context %s") % target) semanage_fcontext_key_free(k) @@ -4427,7 +4375,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po (rc,k) = semanage_fcontext_key_create(self.sh, target, file_types[ftype]) if rc < 0: raise ValueError(_("Could not create a key for %s") % target) -@@ -1561,12 +1782,22 @@ +@@ -1561,12 +1782,22 @@ class fcontextRecords(semanageRecords): return ddict @@ -4452,7 +4400,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po for k in keys: if fcon_dict[k]: if is_mls_enabled: -@@ -1575,6 +1806,12 @@ +@@ -1575,6 +1806,12 @@ class fcontextRecords(semanageRecords): print "%-50s %-18s %s:%s:%s " % (k[0], k[1], fcon_dict[k][0], fcon_dict[k][1],fcon_dict[k][2]) else: print "%-50s %-18s <>" % (k[0], k[1]) @@ -4465,7 +4413,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po class booleanRecords(semanageRecords): def __init__(self, store = ""): -@@ -1587,6 +1824,18 @@ +@@ -1587,6 +1824,18 @@ class booleanRecords(semanageRecords): self.dict["1"] = 1 self.dict["0"] = 0 @@ -4484,7 +4432,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po def __mod(self, name, value): (rc, k) = semanage_bool_key_create(self.sh, name) if rc < 0: -@@ -1606,9 +1855,10 @@ +@@ -1606,9 +1855,10 @@ class booleanRecords(semanageRecords): else: raise ValueError(_("You must specify one of the following values: %s") % ", ".join(self.dict.keys()) ) 
@@ -4498,7 +4446,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po rc = semanage_bool_modify_local(self.sh, k, b) if rc < 0: raise ValueError(_("Could not modify boolean %s") % name) -@@ -1691,8 +1941,12 @@ +@@ -1691,8 +1941,12 @@ class booleanRecords(semanageRecords): value = [] name = semanage_bool_get_name(boolean) value.append(semanage_bool_get_value(boolean)) @@ -4513,7 +4461,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po ddict[name] = value return ddict -@@ -1706,6 +1960,16 @@ +@@ -1706,6 +1960,16 @@ class booleanRecords(semanageRecords): else: return _("unknown") @@ -4530,9 +4478,11 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po def list(self, heading = True, locallist = False, use_file = False): on_off = (_("off"), _("on")) if use_file: -diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sepolgen-ifgen/Makefile policycoreutils-2.0.84/sepolgen-ifgen/Makefile ---- nsapolicycoreutils/sepolgen-ifgen/Makefile 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.84/sepolgen-ifgen/Makefile 2010-11-30 11:57:21.000000000 -0500 +diff --git a/policycoreutils/sepolgen-ifgen/Makefile b/policycoreutils/sepolgen-ifgen/Makefile +new file mode 100644 +index 0000000..211580d +--- /dev/null ++++ b/policycoreutils/sepolgen-ifgen/Makefile @@ -0,0 +1,25 @@ +# Installation directories. +PREFIX ?= ${DESTDIR}/usr 
@@ -4559,9 +4509,11 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po + ../../scripts/Lindent $(wildcard *.[ch]) + +relabel: ; -diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sepolgen-ifgen/sepolgen-ifgen-attr-helper.c policycoreutils-2.0.84/sepolgen-ifgen/sepolgen-ifgen-attr-helper.c ---- nsapolicycoreutils/sepolgen-ifgen/sepolgen-ifgen-attr-helper.c 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.84/sepolgen-ifgen/sepolgen-ifgen-attr-helper.c 2010-11-30 11:57:21.000000000 -0500 +diff --git a/policycoreutils/sepolgen-ifgen/sepolgen-ifgen-attr-helper.c b/policycoreutils/sepolgen-ifgen/sepolgen-ifgen-attr-helper.c +new file mode 100644 +index 0000000..995b270 +--- /dev/null ++++ b/policycoreutils/sepolgen-ifgen/sepolgen-ifgen-attr-helper.c @@ -0,0 +1,230 @@ +/* Authors: Frank Mayer + * and Karl MacMillan @@ -4793,16 +4745,17 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po + + return 0; +} -diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/setfiles/restore.c policycoreutils-2.0.84/setfiles/restore.c ---- nsapolicycoreutils/setfiles/restore.c 2010-05-19 14:45:51.000000000 -0400 -+++ policycoreutils-2.0.84/setfiles/restore.c 2010-11-30 11:57:21.000000000 -0500 +diff --git a/policycoreutils/setfiles/restore.c b/policycoreutils/setfiles/restore.c +index b649d8f..38416d8 100644 +--- a/policycoreutils/setfiles/restore.c ++++ b/policycoreutils/setfiles/restore.c @@ -1,4 +1,5 @@ #include "restore.h" +#include #define SKIP -2 #define ERR -1 -@@ -31,7 +32,6 @@ +@@ -31,7 +32,6 @@ struct edir { static file_spec_t *fl_head; 
@@ -4810,7 +4763,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po static int filespec_add(ino_t ino, const security_context_t con, const char *file); static int only_changed_user(const char *a, const char *b); struct restore_opts *r_opts = NULL; -@@ -53,7 +53,6 @@ +@@ -53,7 +53,6 @@ void remove_exclude(const char *directory) } } return; @@ -4818,7 +4771,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po } void restore_init(struct restore_opts *opts) -@@ -300,8 +299,14 @@ +@@ -300,8 +299,14 @@ static int process_one(char *name, int recurse_this_path) int rc = 0; const char *namelist[2] = {name, NULL}; dev_t dev_num = 0; @@ -4835,7 +4788,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po fts_handle = fts_open((char **)namelist, r_opts->fts_flags, NULL); if (fts_handle == NULL) { -@@ -357,11 +362,34 @@ +@@ -357,11 +362,34 @@ err: goto out; } @@ -4871,7 +4824,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po if (r_opts == NULL){ fprintf(stderr, -@@ -372,8 +400,9 @@ +@@ -372,8 +400,9 @@ int process_one_realpath(char *name, int recurse) if (!r_opts->expand_realpath) { return process_one(name, recurse); } else { @@ -4882,7 +4835,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po fprintf(stderr, "%s: lstat(%s) failed: %s\n", r_opts->progname, name, strerror(errno)); return -1; -@@ -409,7 +438,7 @@ +@@ -409,7 +438,7 @@ int process_one_realpath(char *name, int recurse) } } @@ -4891,7 +4844,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po { int i = 0; for (i = 0; i < excludeCtr; i++) { -@@ -537,7 +566,7 @@ +@@ -537,7 +566,7 @@ static int filespec_add(ino_t ino, const security_context_t con, const char *fil { file_spec_t *prevfl, *fl; int h, ret; 
@@ -4900,7 +4853,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po if (!fl_head) { fl_head = malloc(sizeof(file_spec_t) * HASH_BUCKETS); -@@ -550,7 +579,7 @@ +@@ -550,7 +579,7 @@ static int filespec_add(ino_t ino, const security_context_t con, const char *fil for (prevfl = &fl_head[h], fl = fl_head[h].next; fl; prevfl = fl, fl = fl->next) { if (ino == fl->ino) { @@ -4909,7 +4862,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po if (ret < 0 || sb.st_ino != ino) { freecon(fl->con); free(fl->file); -@@ -602,5 +631,67 @@ +@@ -602,5 +631,67 @@ static int filespec_add(ino_t ino, const security_context_t con, const char *fil return -1; } 
@@ -4977,10 +4930,34 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po + free(buf); +} -diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/setfiles/restorecon.8 policycoreutils-2.0.84/setfiles/restorecon.8 ---- nsapolicycoreutils/setfiles/restorecon.8 2010-05-19 14:45:51.000000000 -0400 -+++ policycoreutils-2.0.84/setfiles/restorecon.8 2010-11-30 11:57:21.000000000 -0500 -@@ -4,10 +4,10 @@ +diff --git a/policycoreutils/setfiles/restore.h b/policycoreutils/setfiles/restore.h +index 03b82e8..8b50ff8 100644 +--- a/policycoreutils/setfiles/restore.h ++++ b/policycoreutils/setfiles/restore.h +@@ -27,6 +27,7 @@ struct restore_opts { + int hard_links; + int verbose; + int logging; ++ int ignore_enoent; + char *rootpath; + int rootpathlen; + char *progname; +@@ -44,7 +45,10 @@ struct restore_opts { + void restore_init(struct restore_opts *opts); + void restore_finish(); + int add_exclude(const char *directory); ++int exclude(const char *path); + void remove_exclude(const char *directory); + int process_one_realpath(char *name, int recurse); ++int process_glob(char *name, int recurse); + ++void exclude_non_seclabel_mounts(); + #endif +diff --git a/policycoreutils/setfiles/restorecon.8 b/policycoreutils/setfiles/restorecon.8 +index 1eb6a43..c8ea4bb 100644 +--- a/policycoreutils/setfiles/restorecon.8 ++++ b/policycoreutils/setfiles/restorecon.8 +@@ -4,10 +4,10 @@ restorecon \- restore file(s) default SELinux security contexts. .SH "SYNOPSIS" .B restorecon @@ -4993,7 +4970,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po .SH "DESCRIPTION" This manual page describes the -@@ -40,6 +40,9 @@ +@@ -40,6 +40,9 @@ don't change any file labels. .TP .B \-o outfilename save list of files with incorrect context in outfilename. 
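Review bot: The new declaration `void exclude_non_seclabel_mounts();` in restore.h has an empty parameter list, which in C declares the function without a prototype, so a call passing arguments would compile silently; write `void exclude_non_seclabel_mounts(void);` (the pre-existing `void restore_finish();` has the same weakness). The new `int ignore_enoent;` field and the newly exported `int exclude(const char *path);` and `int process_glob(char *name, int recurse);` carry no comment, so a reader of the header cannot tell which error the flag suppresses or what `exclude` returns for an excluded path; a one-line comment on each, stating what restore.c actually does, would document the interface the other files now depend on. The definitions live in restore.c, outside this hunk, so those comments should be written against that code.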
@@ -5003,32 +4980,11 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po .TP .B \-v show changes in file labels. -diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/setfiles/restore.h policycoreutils-2.0.84/setfiles/restore.h ---- nsapolicycoreutils/setfiles/restore.h 2010-05-19 14:45:51.000000000 -0400 -+++ policycoreutils-2.0.84/setfiles/restore.h 2010-11-30 11:57:21.000000000 -0500 -@@ -27,6 +27,7 @@ - int hard_links; - int verbose; - int logging; -+ int ignore_enoent; - char *rootpath; - int rootpathlen; - char *progname; -@@ -44,7 +45,10 @@ - void restore_init(struct restore_opts *opts); - void restore_finish(); - int add_exclude(const char *directory); -+int exclude(const char *path); - void remove_exclude(const char *directory); - int process_one_realpath(char *name, int recurse); -+int process_glob(char *name, int recurse); - -+void exclude_non_seclabel_mounts(); - #endif -diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/setfiles/setfiles.8 policycoreutils-2.0.84/setfiles/setfiles.8 ---- nsapolicycoreutils/setfiles/setfiles.8 2010-05-19 14:45:51.000000000 -0400 -+++ policycoreutils-2.0.84/setfiles/setfiles.8 2010-11-30 11:57:21.000000000 -0500 -@@ -31,6 +31,9 @@ +diff --git a/policycoreutils/setfiles/setfiles.8 b/policycoreutils/setfiles/setfiles.8 +index ac68b94..28f99d9 100644 +--- a/policycoreutils/setfiles/setfiles.8 ++++ b/policycoreutils/setfiles/setfiles.8 +@@ -31,6 +31,9 @@ log changes in file labels to syslog. .TP .B \-n don't change any file labels. 
@@ -5038,9 +4994,10 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po .TP .B \-q suppress non-error output. -diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/setfiles/setfiles.c policycoreutils-2.0.84/setfiles/setfiles.c ---- nsapolicycoreutils/setfiles/setfiles.c 2010-05-19 14:45:51.000000000 -0400 -+++ policycoreutils-2.0.84/setfiles/setfiles.c 2010-11-30 11:57:21.000000000 -0500 +diff --git a/policycoreutils/setfiles/setfiles.c b/policycoreutils/setfiles/setfiles.c +index 8f4f663..b0a7e09 100644 +--- a/policycoreutils/setfiles/setfiles.c ++++ b/policycoreutils/setfiles/setfiles.c @@ -5,7 +5,6 @@ #include #include @@ -5049,7 +5006,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po #define __USE_XOPEN_EXTENDED 1 /* nftw */ #include #ifdef USE_AUDIT -@@ -25,7 +24,6 @@ +@@ -25,7 +24,6 @@ static char *policyfile = NULL; static int warn_no_match = 0; static int null_terminated = 0; static int errors; @@ -5057,7 +5014,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po static struct restore_opts r_opts; #define STAT_BLOCK_SIZE 1 -@@ -44,13 +42,13 @@ +@@ -44,13 +42,13 @@ void usage(const char *const name) { if (iamrestorecon) { fprintf(stderr, @@ -5073,7 +5030,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po name); } exit(1); -@@ -138,69 +136,6 @@ +@@ -138,69 +136,6 @@ static void maybe_audit_mass_relabel(void) #endif } @@ -5143,7 +5100,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po int main(int argc, char **argv) { struct stat sb; -@@ -335,7 +270,7 @@ +@@ -335,7 +270,7 @@ int main(int argc, char **argv) r_opts.debug = 1; break; case 'i': 
@@ -5152,7 +5109,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po break; case 'l': r_opts.logging = 1; -@@ -371,7 +306,7 @@ +@@ -371,7 +306,7 @@ int main(int argc, char **argv) break; } if (optind + 1 >= argc) { @@ -5161,7 +5118,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po argv[0]); exit(1); } -@@ -475,7 +410,7 @@ +@@ -475,7 +410,7 @@ int main(int argc, char **argv) buf[len - 1] = 0; if (!strcmp(buf, "/")) mass_relabel = 1; @@ -5170,7 +5127,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po } if (strcmp(input_filename, "-") != 0) fclose(f); -@@ -483,7 +418,8 @@ +@@ -483,7 +418,8 @@ int main(int argc, char **argv) for (i = optind; i < argc; i++) { if (!strcmp(argv[i], "/")) mass_relabel = 1; diff --git a/policycoreutils.spec b/policycoreutils.spec index f70fe16..bebfaee 100644 --- a/policycoreutils.spec +++ b/policycoreutils.spec @@ -7,7 +7,7 @@ Summary: SELinux policy core utilities Name: policycoreutils Version: 2.0.84 -Release: 4%{?dist} +Release: 5%{?dist} License: GPLv2 Group: System Environment/Base Source: http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz @@ -58,7 +58,7 @@ context. %prep %setup -q -a 1 -%patch -p1 -b .rhat +%patch -p2 -b .rhat %patch1 -p1 -b .rhatpo %patch3 -p1 -b .gui %patch4 -p1 -b .sepolgen @@ -166,6 +166,7 @@ The policycoreutils-python package contains the scripts to create graphical sand %files sandbox %defattr(-,root,root,-) %{_datadir}/sandbox/sandboxX.sh +%{_datadir}/sandbox/start %attr(0755,root,root) %caps(cap_setpcap,cap_fowner,cap_dac_override,cap_sys_admin,cap_sys_nice=pe) %{_sbindir}/seunshare %{_mandir}/man8/seunshare.8* %{_mandir}/man5/sandbox.conf.5* @@ -327,6 +328,9 @@ fi exit 0 %changelog +* Thu Dec 16 2010 Dan Walsh 2.0.84-5 +- Change to allow sandbox to run on nfs homedirs, add start python script + * Wed Dec 15 2010 Dan Walsh 2.0.84-4 - Move seunshare to sandbox package
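Review bot: `%{_datadir}/sandbox/start` is added to `%files sandbox` without an `%attr`, so it inherits `%defattr(-,root,root,-)` and keeps whatever mode the install step gave it; if this is the start script the changelog names, either make sure the install rule marks it executable or list it as `%attr(0755,root,root) %{_datadir}/sandbox/start`. None of the hunks visible in this chunk add that file to the rhat patch, so where it is installed from could not be confirmed here. The `%patch -p2` change is consistent with the new `a/policycoreutils/...` path prefix in the regenerated patch.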