From 8cf3bcfdee423f04b54f18dfb18c86879b0b2ab4 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Fri, 30 Oct 2009 21:01:42 +0000 Subject: [PATCH] * Fri Oct 30 2009 Dan Walsh 2.0.74-14 - Allow semanage -i and semanage -o to generate customization files. - semanage -o will generate a customization file that semanage -i can read and set a machines to the same selinux configuration --- policycoreutils-rhat.patch | 957 +++++++++++++++++++++++++++++++++---- policycoreutils.spec | 9 +- 2 files changed, 870 insertions(+), 96 deletions(-) diff --git a/policycoreutils-rhat.patch b/policycoreutils-rhat.patch index 58d81ef..538d14f 100644 --- a/policycoreutils-rhat.patch +++ b/policycoreutils-rhat.patch @@ -1,6 +1,6 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/audit2allow/audit2allow policycoreutils-2.0.74/audit2allow/audit2allow --- nsapolicycoreutils/audit2allow/audit2allow 2009-01-13 08:45:35.000000000 -0500 -+++ policycoreutils-2.0.74/audit2allow/audit2allow 2009-09-20 21:26:36.000000000 -0400 ++++ policycoreutils-2.0.74/audit2allow/audit2allow 2009-10-15 10:37:41.000000000 -0400 @@ -42,6 +42,8 @@ from optparse import OptionParser @@ -40,7 +40,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po f = sys.stdin diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/load_policy/Makefile policycoreutils-2.0.74/load_policy/Makefile --- nsapolicycoreutils/load_policy/Makefile 2008-08-28 09:34:24.000000000 -0400 -+++ policycoreutils-2.0.74/load_policy/Makefile 2009-09-25 15:28:19.000000000 -0400 ++++ policycoreutils-2.0.74/load_policy/Makefile 2009-10-15 10:37:41.000000000 -0400 @@ -1,6 +1,7 @@ # Installation directories. PREFIX ?= ${DESTDIR}/usr 
@@ -61,7 +61,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -rm -f $(TARGETS) *.o diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/Makefile policycoreutils-2.0.74/Makefile --- nsapolicycoreutils/Makefile 2008-08-28 09:34:24.000000000 -0400 -+++ policycoreutils-2.0.74/Makefile 2009-09-20 21:26:36.000000000 -0400 ++++ policycoreutils-2.0.74/Makefile 2009-10-15 10:37:41.000000000 -0400 @@ -1,4 +1,4 @@ -SUBDIRS = setfiles semanage load_policy newrole run_init secon audit2allow audit2why scripts sestatus semodule_package semodule semodule_link semodule_expand semodule_deps setsebool po +SUBDIRS = setfiles semanage load_policy newrole run_init sandbox secon audit2allow audit2why scripts sestatus semodule_package semodule semodule_link semodule_expand semodule_deps setsebool po gui @@ -70,7 +70,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/Makefile policycoreutils-2.0.74/restorecond/Makefile --- nsapolicycoreutils/restorecond/Makefile 2009-08-20 15:49:21.000000000 -0400 -+++ policycoreutils-2.0.74/restorecond/Makefile 2009-09-20 21:26:36.000000000 -0400 ++++ policycoreutils-2.0.74/restorecond/Makefile 2009-10-15 10:37:41.000000000 -0400 @@ -1,17 +1,28 @@ # Installation directories. PREFIX ?= ${DESTDIR}/usr 
@@ -119,16 +119,65 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po /sbin/restorecon $(SBINDIR)/restorecond diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/org.selinux.Restorecond.service policycoreutils-2.0.74/restorecond/org.selinux.Restorecond.service --- nsapolicycoreutils/restorecond/org.selinux.Restorecond.service 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.74/restorecond/org.selinux.Restorecond.service 2009-09-20 21:26:36.000000000 -0400 ++++ policycoreutils-2.0.74/restorecond/org.selinux.Restorecond.service 2009-10-15 10:37:41.000000000 -0400 
@@ -0,0 +1,3 @@ +[D-BUS Service] +Name=org.selinux.Restorecond +Exec=/usr/sbin/restorecond -u -Binary files nsapolicycoreutils/restorecond/restorecond and policycoreutils-2.0.74/restorecond/restorecond differ +diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.8 policycoreutils-2.0.74/restorecond/restorecond.8 +--- nsapolicycoreutils/restorecond/restorecond.8 2009-08-20 15:49:21.000000000 -0400 ++++ policycoreutils-2.0.74/restorecond/restorecond.8 2009-10-20 09:32:14.000000000 -0400 +@@ -3,7 +3,7 @@ + restorecond \- daemon that watches for file creation and then sets the default SELinux file context + + .SH "SYNOPSIS" +-.B restorecond [\-d] ++.B restorecond [\-d] [\-f restorecond_file ] [\-u] [\-v] + .P + + .SH "DESCRIPTION" +@@ -19,13 +19,22 @@ + .B \-d + Turns on debugging mode. Application will stay in the foreground and lots of + debugs messages start printing. ++.TP ++.B \-f restorecond_file ++Use alternative restorecond.conf file. ++.TP ++.B \-u ++Turns on user mode. Runs restorecond in the user session and reads /etc/selinux/restorecond_user.conf. Uses dbus to make sure only one restorecond is running per user session. ++.TP ++.B \-v ++Turns on verbose debugging. (Report missing files) + + .SH "AUTHOR" +-This man page was written by Dan Walsh . +-The program was written by Dan Walsh . ++This man page and program was written by Dan Walsh . 
+ + .SH "FILES" + /etc/selinux/restorecond.conf ++/etc/selinux/restorecond_user.conf + + .SH "SEE ALSO" + .BR restorecon (8), diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.c policycoreutils-2.0.74/restorecond/restorecond.c --- nsapolicycoreutils/restorecond/restorecond.c 2009-08-20 15:49:21.000000000 -0400 -+++ policycoreutils-2.0.74/restorecond/restorecond.c 2009-09-24 22:59:01.000000000 -0400 -@@ -48,294 +48,38 @@ ++++ policycoreutils-2.0.74/restorecond/restorecond.c 2009-10-20 09:29:06.000000000 -0400 +@@ -30,9 +30,11 @@ + * and makes sure that there security context matches the systems defaults + * + * USAGE: +- * restorecond [-d] [-v] ++ * restorecond [-d] [-u] [-v] [-f restorecond_file ] + * + * -d Run in debug mode ++ * -f Use alternative restorecond_file ++ * -u Run in user mode + * -v Run in verbose mode (Report missing files) + * + * EXAMPLE USAGE: +@@ -48,294 +50,38 @@ #include #include #include @@ -289,7 +338,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po - return; - } - retcontext = fgetfilecon_raw(fd, &prev_context); -- + - if (retcontext >= 0 || errno == ENODATA) { - if (retcontext < 0) - prev_context = NULL; @@ -356,15 +405,16 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po - Files specified one per line. Files with "~" will be expanded to the logged in users - homedirs. -*/ - --static void read_config(int fd) --{ -- char *watch_file_path = "/etc/selinux/restorecond.conf"; +static char *server_watch_file = "/etc/selinux/restorecond.conf"; +static char *user_watch_file = "/etc/selinux/restorecond_user.conf"; +static char *watch_file; +static struct restore_opts r_opts; +-static void read_config(int fd) +-{ +- char *watch_file_path = "/etc/selinux/restorecond.conf"; ++#include + - FILE *cfg = NULL; - if (debug_mode) - printf("Read Config\n"); 
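Review bot: The header added at the `++#include` line (its name does not survive this rendering) lands after the file-scope `static` definitions of `server_watch_file`, `user_watch_file`, `watch_file` and `r_opts` instead of with the other `#include`s that the `@@ -48,294 +50,38 @@` hunk shows at the top of restorecond.c. Moving it up keeps the include block in one place and avoids a definitions-before-include ordering that a reader will take for a deliberate dependency. The surrounding inner hunk continues outside this view, so the exact insertion point near the top is not visible here.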
@@ -383,7 +433,10 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po - if (master_wd == -1) - exitApp("Error watching config file."); -} -+#include ++int debug_mode = 0; ++int terminate = 0; ++int master_wd = -1; ++int run_as_user = 0; -/* - Inotify watch loop @@ -427,11 +480,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po - break; - } - } -+int debug_mode = 0; -+int terminate = 0; -+int master_wd = -1; -+int run_as_user = 0; - +- - i += EVENT_SIZE + event->len; - } - return 0; @@ -443,16 +492,16 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po } static const char *pidfile = "/var/run/restorecond.pid"; -@@ -374,7 +118,7 @@ +@@ -374,7 +120,7 @@ static void usage(char *program) { - printf("%s [-d] [-v] \n", program); -+ printf("%s [-d] [-s] [-f restorecond_file ] [-v] \n", program); ++ printf("%s [-d] [-f restorecond_file ] [-u] [-v] \n", program); exit(0); } -@@ -390,74 +134,33 @@ +@@ -390,74 +136,33 @@ to see if it is one that we are watching. */ @@ -549,7 +598,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po /* Register sighandlers */ sa.sa_flags = 0; -@@ -467,38 +170,59 @@ +@@ -467,38 +172,59 @@ set_matchpathcon_flags(MATCHPATHCON_NOTRANS); @@ -559,7 +608,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po - - while ((opt = getopt(argc, argv, "dv")) > 0) { + atexit( done ); -+ while ((opt = getopt(argc, argv, "uf:dv")) > 0) { ++ while ((opt = getopt(argc, argv, "df:uv")) > 0) { switch (opt) { case 'd': debug_mode = 1; 
@@ -620,7 +669,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po + diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.conf policycoreutils-2.0.74/restorecond/restorecond.conf --- nsapolicycoreutils/restorecond/restorecond.conf 2009-08-20 15:49:21.000000000 -0400 -+++ policycoreutils-2.0.74/restorecond/restorecond.conf 2009-09-20 21:26:36.000000000 -0400 ++++ policycoreutils-2.0.74/restorecond/restorecond.conf 2009-10-15 10:37:41.000000000 -0400 @@ -4,8 +4,5 @@ /etc/mtab /var/run/utmp @@ -633,7 +682,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po - diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.desktop policycoreutils-2.0.74/restorecond/restorecond.desktop --- nsapolicycoreutils/restorecond/restorecond.desktop 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.74/restorecond/restorecond.desktop 2009-09-20 21:26:36.000000000 -0400 ++++ policycoreutils-2.0.74/restorecond/restorecond.desktop 2009-10-15 10:37:41.000000000 -0400 @@ -0,0 +1,7 @@ +[Desktop Entry] +Name=File Context maintainer @@ -644,7 +693,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po +StartupNotify=false diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.h policycoreutils-2.0.74/restorecond/restorecond.h --- nsapolicycoreutils/restorecond/restorecond.h 2009-08-20 15:49:21.000000000 -0400 -+++ policycoreutils-2.0.74/restorecond/restorecond.h 2009-09-20 21:26:36.000000000 -0400 ++++ policycoreutils-2.0.74/restorecond/restorecond.h 2009-10-15 10:37:41.000000000 -0400 @@ -24,7 +24,21 @@ #ifndef RESTORED_CONFIG_H #define RESTORED_CONFIG_H 
@@ -671,7 +720,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po #endif diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.init policycoreutils-2.0.74/restorecond/restorecond.init --- nsapolicycoreutils/restorecond/restorecond.init 2009-08-20 15:49:21.000000000 -0400 -+++ policycoreutils-2.0.74/restorecond/restorecond.init 2009-09-20 21:26:36.000000000 -0400 ++++ policycoreutils-2.0.74/restorecond/restorecond.init 2009-10-15 10:37:41.000000000 -0400 @@ -75,16 +75,15 @@ status restorecond RETVAL=$? @@ -691,17 +740,15 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po exit $RETVAL - -Binary files nsapolicycoreutils/restorecond/restorecond.o and policycoreutils-2.0.74/restorecond/restorecond.o differ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond_user.conf policycoreutils-2.0.74/restorecond/restorecond_user.conf --- nsapolicycoreutils/restorecond/restorecond_user.conf 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.74/restorecond/restorecond_user.conf 2009-09-20 21:26:36.000000000 -0400 ++++ policycoreutils-2.0.74/restorecond/restorecond_user.conf 2009-10-15 10:37:41.000000000 -0400 @@ -0,0 +1,2 @@ +~/* +~/public_html/* -Binary files nsapolicycoreutils/restorecond/stringslist.o and policycoreutils-2.0.74/restorecond/stringslist.o differ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/user.c policycoreutils-2.0.74/restorecond/user.c --- nsapolicycoreutils/restorecond/user.c 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.74/restorecond/user.c 2009-09-20 21:26:36.000000000 -0400 ++++ policycoreutils-2.0.74/restorecond/user.c 2009-10-15 10:37:41.000000000 -0400 @@ -0,0 +1,237 @@ +/* + * restorecond 
@@ -940,11 +987,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po + return 0; +} + -Binary files nsapolicycoreutils/restorecond/user.o and policycoreutils-2.0.74/restorecond/user.o differ -Binary files nsapolicycoreutils/restorecond/utmpwatcher.o and policycoreutils-2.0.74/restorecond/utmpwatcher.o differ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/watch.c policycoreutils-2.0.74/restorecond/watch.c --- nsapolicycoreutils/restorecond/watch.c 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.74/restorecond/watch.c 2009-10-06 12:06:56.000000000 -0400 ++++ policycoreutils-2.0.74/restorecond/watch.c 2009-10-15 10:37:41.000000000 -0400 @@ -0,0 +1,253 @@ +#define _GNU_SOURCE +#include @@ -1199,10 +1244,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po + exitApp("Error watching config file."); +} + -Binary files nsapolicycoreutils/restorecond/watch.o and policycoreutils-2.0.74/restorecond/watch.o differ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/deliverables/basicwrapper policycoreutils-2.0.74/sandbox/deliverables/basicwrapper --- nsapolicycoreutils/sandbox/deliverables/basicwrapper 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.74/sandbox/deliverables/basicwrapper 2009-08-14 10:53:53.000000000 -0400 ++++ policycoreutils-2.0.74/sandbox/deliverables/basicwrapper 2009-10-15 10:37:41.000000000 -0400 @@ -0,0 +1,4 @@ +import os, sys +SANDBOX_ARGS = ['-f%s' % os.environ['_CONDOR_SCRATCH_DIR']] 
@@ -1210,7 +1254,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po +os.execv('/usr/bin/sandbox',SANDBOX_ARGS) diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/deliverables/README policycoreutils-2.0.74/sandbox/deliverables/README --- nsapolicycoreutils/sandbox/deliverables/README 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.74/sandbox/deliverables/README 2009-08-14 10:56:22.000000000 -0400 ++++ policycoreutils-2.0.74/sandbox/deliverables/README 2009-10-15 10:37:41.000000000 -0400 @@ -0,0 +1,32 @@ +Files: +run-in-sandbox.py: @@ -1246,7 +1290,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po +Chris Pardy diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/deliverables/run-in-sandbox.py policycoreutils-2.0.74/sandbox/deliverables/run-in-sandbox.py --- nsapolicycoreutils/sandbox/deliverables/run-in-sandbox.py 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.74/sandbox/deliverables/run-in-sandbox.py 2009-08-14 10:25:38.000000000 -0400 ++++ policycoreutils-2.0.74/sandbox/deliverables/run-in-sandbox.py 2009-10-15 10:37:41.000000000 -0400 @@ -0,0 +1,49 @@ +import os +import os.path @@ -1299,7 +1343,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po + diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/deliverables/sandbox policycoreutils-2.0.74/sandbox/deliverables/sandbox --- nsapolicycoreutils/sandbox/deliverables/sandbox 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.74/sandbox/deliverables/sandbox 2009-08-14 10:22:47.000000000 -0400 ++++ policycoreutils-2.0.74/sandbox/deliverables/sandbox 2009-10-15 10:37:41.000000000 -0400 @@ -0,0 +1,216 @@ +#!/usr/bin/python -E +import os, sys, getopt, socket, random, fcntl, shutil 
@@ -1519,7 +1563,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po + diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/Makefile policycoreutils-2.0.74/sandbox/Makefile --- nsapolicycoreutils/sandbox/Makefile 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.74/sandbox/Makefile 2009-09-20 21:26:36.000000000 -0400 ++++ policycoreutils-2.0.74/sandbox/Makefile 2009-10-15 10:37:41.000000000 -0400 @@ -0,0 +1,31 @@ +# Installation directories. +PREFIX ?= ${DESTDIR}/usr @@ -1554,7 +1598,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po +relabel: diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/sandbox policycoreutils-2.0.74/sandbox/sandbox --- nsapolicycoreutils/sandbox/sandbox 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.74/sandbox/sandbox 2009-10-06 11:48:36.000000000 -0400 ++++ policycoreutils-2.0.74/sandbox/sandbox 2009-10-15 10:37:41.000000000 -0400 @@ -0,0 +1,242 @@ +#!/usr/bin/python -E +import os, sys, getopt, socket, random, fcntl, shutil @@ -1800,7 +1844,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po + diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/sandbox.8 policycoreutils-2.0.74/sandbox/sandbox.8 --- nsapolicycoreutils/sandbox/sandbox.8 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.74/sandbox/sandbox.8 2009-09-20 21:26:36.000000000 -0400 ++++ policycoreutils-2.0.74/sandbox/sandbox.8 2009-10-15 10:37:41.000000000 -0400 @@ -0,0 +1,26 @@ +.TH SANDBOX "8" "May 2009" "chcat" "User Commands" +.SH NAME 
@@ -1830,7 +1874,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po +.PP diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/sandboxX.sh policycoreutils-2.0.74/sandbox/sandboxX.sh --- nsapolicycoreutils/sandbox/sandboxX.sh 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.74/sandbox/sandboxX.sh 2009-09-20 21:51:31.000000000 -0400 ++++ policycoreutils-2.0.74/sandbox/sandboxX.sh 2009-10-15 10:37:41.000000000 -0400 @@ -0,0 +1,16 @@ +#!/bin/bash +export TITLE="Sandbox: `/usr/bin/tail -1 ~/.sandboxrc | /usr/bin/cut -b1-70`" @@ -1850,7 +1894,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po +done diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/seunshare.c policycoreutils-2.0.74/sandbox/seunshare.c --- nsapolicycoreutils/sandbox/seunshare.c 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.74/sandbox/seunshare.c 2009-09-20 21:48:31.000000000 -0400 ++++ policycoreutils-2.0.74/sandbox/seunshare.c 2009-10-15 10:37:41.000000000 -0400 @@ -0,0 +1,265 @@ +#include +#include @@ -2119,7 +2163,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po +} diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/chcat policycoreutils-2.0.74/scripts/chcat --- nsapolicycoreutils/scripts/chcat 2009-06-23 15:36:07.000000000 -0400 -+++ policycoreutils-2.0.74/scripts/chcat 2009-09-20 21:26:36.000000000 -0400 ++++ policycoreutils-2.0.74/scripts/chcat 2009-10-15 10:37:41.000000000 -0400 @@ -435,6 +435,8 @@ continue except ValueError, e: 
@@ -2131,18 +2175,121 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/fixfiles policycoreutils-2.0.74/scripts/fixfiles --- nsapolicycoreutils/scripts/fixfiles 2009-08-05 15:10:56.000000000 -0400 -+++ policycoreutils-2.0.74/scripts/fixfiles 2009-10-14 08:51:36.000000000 -0400 -@@ -136,6 +136,7 @@ ++++ policycoreutils-2.0.74/scripts/fixfiles 2009-10-22 08:49:41.000000000 -0400 +@@ -27,7 +27,6 @@ + FORCEFLAG="" + DIRS="" + RPMILES="" +-OUTFILES="" + LOGFILE=`tty` + if [ $? != 0 ]; then + LOGFILE="/dev/null" +@@ -122,7 +121,7 @@ + fi + if [ ! -z "$RPMFILES" ]; then + for i in `echo "$RPMFILES" | sed 's/,/ /g'`; do +- rpmlist $i | ${RESTORECON} ${OUTFILES} ${FORCEFLAG} $* -R -i -f - 2>&1 >> $LOGFILE ++ rpmlist $i | ${RESTORECON} ${FORCEFLAG} $* -R -i -f - 2>&1 >> $LOGFILE + done + exit $? + fi +@@ -130,14 +129,15 @@ + if [ -x /usr/bin/find ]; then + /usr/bin/find "$FILEPATH" \ + ! 
\( -fstype ext2 -o -fstype ext3 -o -fstype ext4 -o -fstype ext4dev -o -fstype gfs2 -o -fstype jfs -o -fstype xfs -o -fstype btrfs \) -prune -o -print0 | \ +- ${RESTORECON} ${OUTFILES} ${FORCEFLAG} $* -0 -f - 2>&1 >> $LOGFILE ++ ${RESTORECON} ${FORCEFLAG} $* -0 -f - 2>&1 >> $LOGFILE + else +- ${RESTORECON} ${OUTFILES} ${FORCEFLAG} -R $* $FILEPATH 2>&1 >> $LOGFILE ++ ${RESTORECON} ${FORCEFLAG} -R $* $FILEPATH 2>&1 >> $LOGFILE fi return fi +[ -x /usr/sbin/genhomedircon ] && /usr/sbin/genhomedircon LogReadOnly - ${SETFILES} -q ${OUTFILES} ${SYSLOGFLAG} ${FORCEFLAG} $* ${FC} ${FILESYSTEMSRW} 2>&1 >> $LOGFILE +-${SETFILES} -q ${OUTFILES} ${SYSLOGFLAG} ${FORCEFLAG} $* ${FC} ${FILESYSTEMSRW} 2>&1 >> $LOGFILE ++${SETFILES} -q ${SYSLOGFLAG} ${FORCEFLAG} $* ${FC} ${FILESYSTEMSRW} 2>&1 >> $LOGFILE rm -rf /tmp/gconfd-* /tmp/pulse-* /tmp/orbit-* + find /tmp \( -context "*:file_t*" -o -context "*:unlabeled_t*" \) -exec chcon -t tmp_t {} \; + find /var/tmp \( -context "*:file_t*" -o -context "*:unlabeled_t*" \) -exec chcon -t tmp_t {} \; +@@ -193,10 +193,15 @@ + esac + } + usage() { +- echo $"Usage: $0 [-l logfile ] [-o outputfile ] { check | restore|[-F] relabel } [[dir] ... ] " +- echo or +- echo $"Usage: $0 -R rpmpackage[,rpmpackage...] -C PREVIOUS_FILECONTEXT [-l logfile ] [-o outputfile ] { check | restore }" +- echo $"Usage: $0 onboot" ++ echo $""" ++Usage: $0 [-F] [-l logfile ] { check | restore| [-f] relabel | verify } [[dir/file] ... ] ++or ++Usage: $0 [-F] -R rpmpackage[,rpmpackage...] [-l logfile ] { check | restore | verify } ++or ++Usage: $0 [-F] -C PREVIOUS_FILECONTEXT { check | restore | verify } ++or ++Usage: $0 onboot ++""" + } + + if [ $# = 0 ]; then +@@ -205,7 +210,7 @@ + fi + + # See how we were called. 
+-while getopts "C:Ffo:R:l:" i; do ++while getopts "C:FfR:l:" i; do + case "$i" in + f) + fullFlag=1 +@@ -213,9 +218,6 @@ + R) + RPMFILES=$OPTARG + ;; +- o) +- OUTFILES=$OPTARG +- ;; + l) + LOGFILE=$OPTARG + ;; +diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/fixfiles.8 policycoreutils-2.0.74/scripts/fixfiles.8 +--- nsapolicycoreutils/scripts/fixfiles.8 2008-08-28 09:34:24.000000000 -0400 ++++ policycoreutils-2.0.74/scripts/fixfiles.8 2009-10-22 08:55:09.000000000 -0400 +@@ -3,11 +3,18 @@ + fixfiles \- fix file SELinux security contexts. + + .SH "SYNOPSIS" +-.B fixfiles [-F] [ -R rpmpackagename[,rpmpackagename...] ] [ -C PREVIOUS_FILECONTEXT ] [-l logfile ] [-o outputfile ] { check | restore | [-F] relabel | verify }" + +-.B fixfiles [-F] [-l logfile ] [-o outputfile ] { check | restore|[-f] relabel | verify } [[dir/file] ... ] ++.B fixfiles ++.I [-F] [-l logfile ] { check | restore|[-f] relabel | verify } [[dir/file] ... ] + +-.B fixfiles onboot ++.B fixfiles ++.I [-F] [ -R rpmpackagename[,rpmpackagename...] ] [-l logfile ] { check | restore | verify } ++ ++.B fixfiles ++.I [ -C PREVIOUS_FILECONTEXT ] [-l logfile ] { check | restore | verify } ++ ++.B fixfiles ++.I onboot + + .SH "DESCRIPTION" + This manual page describes the +@@ -31,10 +38,6 @@ + .B -l logfile + Save the output to the specified logfile + .TP +-.B -o outputfile +-Save all files that have file_context that differs from the default, in outputfile. +- +-.TP + .B -F + Force reset of context to match file_context for customizable files + diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/Makefile policycoreutils-2.0.74/scripts/Makefile --- nsapolicycoreutils/scripts/Makefile 2008-08-28 09:34:24.000000000 -0400 -+++ policycoreutils-2.0.74/scripts/Makefile 2009-09-20 21:26:36.000000000 -0400 ++++ policycoreutils-2.0.74/scripts/Makefile 2009-10-15 10:37:41.000000000 -0400 
@@ -5,7 +5,7 @@ MANDIR ?= $(PREFIX)/share/man LOCALEDIR ?= /usr/share/locale @@ -2154,13 +2301,14 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -mkdir -p $(BINDIR) diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/semanage policycoreutils-2.0.74/semanage/semanage --- nsapolicycoreutils/semanage/semanage 2009-09-08 09:03:10.000000000 -0400 -+++ policycoreutils-2.0.74/semanage/semanage 2009-10-01 11:43:48.000000000 -0400 -@@ -39,19 +39,26 @@ ++++ policycoreutils-2.0.74/semanage/semanage 2009-10-30 16:31:40.000000000 -0400 +@@ -39,19 +39,27 @@ __builtin__.__dict__['_'] = unicode if __name__ == '__main__': +- + action = False - ++ manageditems=[ "boolean", "login", "user", "port", "interface", "node", "fcontext"] + def set_action(option): + global action + if action: @@ -2170,9 +2318,10 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po def usage(message = ""): text = _(""" semanage [ -S store ] -i [ input_file | - ] ++semanage [ -S store ] -o [ output_file | - ] -semanage {boolean|login|user|port|interface|node|fcontext|translation} -{l|D} [-n] -+semanage {boolean|login|user|port|interface|module|node|fcontext} -{l|D} [-n] ++semanage {boolean|login|user|port|interface|module|node|fcontext} -{l|D|E} [-n] semanage login -{a|d|m} [-sr] login_name | %groupname semanage user -{a|d|m} [-LrRP] selinux_name semanage port -{a|d|m} [-tr] [ -p proto ] port | port_range 
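Review bot: The rewritten `usage()` in fixfiles drops the message localization that the replaced `echo $"Usage: ..."` lines had: bash reads `echo $"""` as an empty translatable string `$""` followed by an ordinary `"`-quoted string, so the multi-line text that follows is never looked up in the locale catalog, and the closing `"""` likewise parses as `"` plus an empty `""`. Keep the text multi-line but inside a single translatable string: change `echo $"""` to `echo $"Usage: $0 [-F] [-l logfile ] { check | restore| [-f] relabel | verify } [[dir/file] ... ]` and close it on the last line as `Usage: $0 onboot"`. `usage()` is shown whole, but the option loop that calls it continues outside the hunk.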
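Review bot: `manageditems` lists `"login"` ahead of `"user"`, and that order is what `-o` writes and `-i` replays: login mappings (each naming an SELinux user through `-s/--seuser`, per `valid_option["login"]`) are deleted and re-added before `user -D` runs and the custom users they refer to are re-created. Unless libsemanage defers that referential check to the end of the transaction `-i` opens around the replay, which is not visible here, the import either fails on a mapping whose user does not exist yet or on deleting a user a mapping still references. Ordering the list by dependency sidesteps the question: `manageditems=[ "boolean", "user", "login", "port", "interface", "node", "fcontext"]`; a round-trip test with a custom user mapped to a login would confirm it.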
@@ -2184,7 +2333,17 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po semanage boolean -{d|m} [--on|--off|-1|-0] -F boolean | boolean_file semanage permissive -{d|a} type semanage dontaudit [ on | off ] -@@ -85,14 +92,15 @@ +@@ -62,7 +70,9 @@ + -d, --delete Delete a OBJECT record NAME + -m, --modify Modify a OBJECT record NAME + -i, --input Input multiple semange commands in a transaction ++ -o, --output Output current customizations as semange commands + -l, --list List the OBJECTS ++ -E, --extract extract customizable commands + -C, --locallist List OBJECTS local customizations + -D, --deleteall Remove all OBJECTS local customizations + +@@ -85,14 +95,15 @@ -F, --file Treat target as an input file for command, change multiple settings -p, --proto Port protocol (tcp or udp) or internet protocol version of node (ipv4 or ipv6) -M, --mask Netmask @@ -2202,7 +2361,16 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po """) raise ValueError("%s\n%s" % (text, message)) -@@ -115,11 +123,11 @@ +@@ -104,7 +115,7 @@ + + def get_options(): + valid_option={} +- valid_everyone=[ '-a', '--add', '-d', '--delete', '-m', '--modify', '-l', '--list', '-h', '--help', '-n', '--noheading', '-C', '--locallist', '-D', '--deleteall', '-S', '--store' ] ++ valid_everyone=[ '-a', '--add', '-d', '--delete', '-E', '--extract', '-m', '--modify', '-l', '--list', '-h', '--help', '-n', '--noheading', '-C', '--locallist', '-D', '--deleteall', '-S', '--store' ] + valid_option["login"] = [] + valid_option["login"] += valid_everyone + [ '-s', '--seuser', '-r', '--range'] + valid_option["user"] = [] +@@ -115,11 +126,11 @@ valid_option["interface"] += valid_everyone + [ '-t', '--type', '-r', '--range'] valid_option["node"] = [] valid_option["node"] += valid_everyone + [ '-M', '--mask', '-t', '--type', '-r', '--range', '-p', '--protocol'] 
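Review bot: The new `-o` help line repeats the `semange` misspelling of the `-i` line above it, and the new `-E` line is the only entry in the table that starts lower-case and says `customizable commands` where the option actually prints the existing customizations (the `OBJECT.customized()` loop added later in this file). Suggested text: `-o, --output     Output current customizations as semanage commands` and `-E, --extract    Extract current customizations as semanage commands`. The usage string continues outside the hunk.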
@@ -2217,7 +2385,16 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po valid_option["boolean"] = [] valid_option["boolean"] += valid_everyone + [ '--on', "--off", "-1", "-0", "-F", "--file"] valid_option["permissive"] = [] -@@ -180,7 +188,6 @@ +@@ -173,6 +184,8 @@ + return ret + + def process_args(argv): ++ global action ++ action = False + serange = "" + port = "" + proto = "" +@@ -180,7 +193,6 @@ selevel = "" setype = "" ftype = "" @@ -2225,11 +2402,12 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po roles = "" seuser = "" prefix = "user" -@@ -190,10 +197,13 @@ +@@ -190,10 +202,14 @@ modify = False delete = False deleteall = False + enable = False ++ extract = False + disable = False list = False locallist = False @@ -2239,22 +2417,23 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po object = argv[0] option_dict=get_options() -@@ -203,10 +213,13 @@ +@@ -203,10 +219,14 @@ args = argv[1:] gopts, cmds = getopt.getopt(args, - '01adf:i:lhmnp:s:FCDR:L:r:t:T:P:S:M:', -+ '01ade:f:i:lhmnp:s:FCDR:L:r:t:P:S:M:', ++ '01adEe:f:i:lhmnp:s:FCDR:L:r:t:P:S:M:', ['add', 'delete', 'deleteall', + 'equal=', + 'enable', ++ 'extract', + 'disable', 'ftype=', 'file', 'help', -@@ -225,7 +238,6 @@ +@@ -225,7 +245,6 @@ 'level=', 'roles=', 'type=', @@ -2262,7 +2441,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po 'prefix=', 'mask=' ]) -@@ -235,26 +247,39 @@ +@@ -235,26 +254,42 @@ for o,a in gopts: if o == "-a" or o == "--add": @@ -2283,6 +2462,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po + set_action(o) deleteall = True + ++ if o == "-E" or o == "--extract": ++ set_action(o) ++ extract = True if o == "-f" or o == "--ftype": ftype=a 
@@ -2309,7 +2491,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po if o == "-n" or o == "--noheading": heading = False -@@ -263,8 +288,7 @@ +@@ -263,8 +298,7 @@ locallist = True if o == "-m"or o == "--modify": @@ -2319,7 +2501,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po modify = True if o == "-S" or o == '--store': -@@ -297,9 +321,6 @@ +@@ -297,14 +331,12 @@ if o == "-t" or o == "--type": setype = a @@ -2329,7 +2511,13 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po if o == "--on" or o == "-1": value = "on" if o == "--off" or o == "-0": -@@ -325,9 +346,10 @@ + value = "off" + ++ + if object == "login": + OBJECT = seobject.loginRecords(store) + +@@ -325,9 +357,10 @@ if object == "boolean": OBJECT = seobject.booleanRecords(store) @@ -2342,7 +2530,22 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po if object == "permissive": OBJECT = seobject.permissiveRecords(store) -@@ -358,9 +380,6 @@ +@@ -343,8 +376,13 @@ + OBJECT.deleteall() + return + ++ if extract: ++ for i in OBJECT.customized(): ++ print "%s %s" % (object, str(i)) ++ return ++ + if len(cmds) != 1: +- raise ValueError(_("%s bad option") % o) ++ raise ValueError(_("bad option")) + + target = cmds[0] + +@@ -358,9 +396,6 @@ if object == "login": OBJECT.add(target, seuser, serange) @@ -2352,7 +2555,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po if object == "user": OBJECT.add(target, roles.split(), selevel, serange, prefix) -@@ -370,11 +389,17 @@ +@@ -370,11 +405,17 @@ if object == "interface": OBJECT.add(target, serange, setype) @@ -2371,7 +2574,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po if object == "permissive": OBJECT.add(target) -@@ -387,13 +412,18 @@ +@@ -387,13 +428,18 @@ if object == "login": OBJECT.modify(target, seuser, serange) 
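Review bot: `raise ValueError(_("bad option"))` fires when `len(cmds) != 1`, i.e. when the positional target is missing or duplicated, so the message names the wrong thing and, unlike the `% o` form it replaces, no longer tells the user what was passed; `raise ValueError(_("%s: expected exactly one target, got %d") % (object, len(cmds)))` reports both. The `extract` branch just above it calls `OBJECT.customized()` for whatever object type was named, and `-E` is accepted for every type through `valid_everyone`; whether each records class implements `customized()` is not visible in this patch, and any that does not will surface as an AttributeError traceback rather than a usage error, so either limit `-E` to the types `manageditems` covers or check `hasattr(OBJECT, "customized")` first. The body of `process_args` continues outside the hunk.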
@@ -2393,7 +2596,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po if object == "port": OBJECT.modify(target, proto, serange, setype) -@@ -404,7 +434,10 @@ +@@ -404,7 +450,10 @@ OBJECT.modify(target, mask, proto, serange, setype) if object == "fcontext": @@ -2405,7 +2608,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po return -@@ -423,7 +456,7 @@ +@@ -423,12 +472,13 @@ return 
@@ -2414,13 +2617,103 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po # # + # + try: ++ output = None + input = None + store = "" + +@@ -436,7 +486,7 @@ + usage(_("Requires 2 or more arguments")) + + gopts, cmds = getopt.getopt(sys.argv[1:], +- '01adf:i:lhmnp:s:FCDR:L:r:t:T:P:S:', ++ '01adf:i:lhmno:p:s:FCDR:L:r:t:T:P:S:', + ['add', + 'delete', + 'deleteall', +@@ -450,6 +500,7 @@ + 'localist', + 'off', + 'on', ++ 'output=', + 'proto=', + 'seuser=', + 'store=', +@@ -465,6 +516,16 @@ + store = a + if o == "-i" or o == '--input': + input = a ++ if o == "-o" or o == '--output': ++ output = a ++ ++ if output != None: ++ if output != "-": ++ sys.stdout = open(output, 'w') ++ for i in manageditems: ++ print "%s -D" % i ++ process_args([i, "-E"]) ++ sys.exit(0) + + if input != None: + if input == "-": +@@ -474,6 +535,7 @@ + trans = seobject.semanageRecords(store) + trans.start() + for l in fd.readlines(): ++ print l + process_args(mkargv(l)) + trans.finish() + else: diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/seobject.py policycoreutils-2.0.74/semanage/seobject.py --- nsapolicycoreutils/semanage/seobject.py 2009-09-08 09:03:10.000000000 -0400 -+++ policycoreutils-2.0.74/semanage/seobject.py 2009-10-01 11:34:19.000000000 -0400 -@@ -195,88 +195,6 @@ ++++ policycoreutils-2.0.74/semanage/seobject.py 2009-10-30 16:31:59.000000000 -0400 +@@ -37,40 +37,6 @@ + + import syslog + +-handle = None +- +-def get_handle(store): +- global handle +- global is_mls_enabled +- +- handle = semanage_handle_create() +- if not handle: +- raise ValueError(_("Could not create semanage handle")) +- +- if store != "": +- semanage_select_store(handle, store, SEMANAGE_CON_DIRECT); +- +- if not semanage_is_managed(handle): +- semanage_handle_destroy(handle) +- raise ValueError(_("SELinux policy is not managed or store cannot be accessed.")) +- +- rc = semanage_access_check(handle) +- if rc < 
SEMANAGE_CAN_READ: +- semanage_handle_destroy(handle) +- raise ValueError(_("Cannot read policy store.")) +- +- rc = semanage_connect(handle) +- if rc < 0: +- semanage_handle_destroy(handle) +- raise ValueError(_("Could not establish semanage connection")) +- +- is_mls_enabled = semanage_mls_enabled(handle) +- if is_mls_enabled < 0: +- semanage_handle_destroy(handle) +- raise ValueError(_("Could not test MLS enabled status")) +- +- return handle +- + file_types = {} + file_types[""] = SEMANAGE_FCONTEXT_ALL; + file_types["all files"] = SEMANAGE_FCONTEXT_ALL; +@@ -194,127 +160,152 @@ + return trans else: return raw - +- -class setransRecords: - def __init__(self): - self.filename = selinux.selinux_translations_path() @@ -2446,10 +2739,13 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po - continue - if self.ddict.has_key(i[0]) == 0: - self.ddict[i[0]] = i[1] -- + - def get_all(self): - return self.ddict -- ++class semanageRecords: ++ transaction = False ++ handle = None + - def out(self): - rec = "" - for c in self.comments: @@ -2471,7 +2767,11 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po - def add(self, raw, trans): - if trans.find(" ") >= 0: - raise ValueError(_("Translations can not contain spaces '%s' ") % trans) -- ++ def __init__(self, store): ++ global handle ++ ++ self.sh = self.get_handle(store) + - if validate_level(raw) == None: - raise ValueError(_("Invalid Level '%s' ") % raw) - @@ -2483,7 +2783,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po - - def modify(self, raw, trans): - if trans.find(" ") >= 0: -- ++ def get_handle(self, store): ++ global is_mls_enabled + - raise ValueError(_("Translations can not contain spaces '%s' ") % trans) - if self.ddict.has_key(raw): - self.ddict[raw] = trans 
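Review bot: The new `-o` branch redirects sys.stdout to `open(output, 'w')` and prints a `<object> -D` line for every entry of manageditems before calling `process_args([i, "-E"])`, so if any extract raises part-way the file is left holding deleteall commands with no re-add lines after them, and feeding that partial file back through `-i` would wipe exactly the local customizations it was meant to reproduce. Collect the lines first and write the file only after every process_args call has returned, or write to a temporary path and rename it over `output` at the end; a failed open() should also be reported as an error rather than surfacing as a traceback. The `print l` added to the `-i` loop echoes every input line to stdout and looks like leftover debugging; if it is meant as progress output it belongs behind a verbose flag. Because the generated file starts with `-D` for each object type, the usage text and man page should state that importing it deletes all existing local customizations before replaying the exported ones. manageditems is defined outside this hunk and the enclosing main-level block begins before it.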
@@ -2502,12 +2804,81 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po - os.chmod(newfilename, os.stat(self.filename)[stat.ST_MODE]) - os.rename(newfilename, self.filename) - os.system("/sbin/service mcstrans reload > /dev/null") ++ if semanageRecords.handle: ++ return semanageRecords.handle + +-class semanageRecords: +- def __init__(self, store): +- global handle ++ handle = semanage_handle_create() ++ if not handle: ++ raise ValueError(_("Could not create semanage handle")) ++ ++ if store != "": ++ semanage_select_store(handle, store, SEMANAGE_CON_DIRECT); + +- if handle != None: +- self.sh = handle +- else: +- self.sh = get_handle(store) +- self.transaction = False ++ if not semanage_is_managed(handle): ++ semanage_handle_destroy(handle) ++ raise ValueError(_("SELinux policy is not managed or store cannot be accessed.")) ++ ++ rc = semanage_access_check(handle) ++ if rc < SEMANAGE_CAN_READ: ++ semanage_handle_destroy(handle) ++ raise ValueError(_("Cannot read policy store.")) ++ ++ rc = semanage_connect(handle) ++ if rc < 0: ++ semanage_handle_destroy(handle) ++ raise ValueError(_("Could not establish semanage connection")) ++ ++ is_mls_enabled = semanage_mls_enabled(handle) ++ if is_mls_enabled < 0: ++ semanage_handle_destroy(handle) ++ raise ValueError(_("Could not test MLS enabled status")) ++ ++ semanageRecords.handle = handle ++ return semanageRecords.handle + + def deleteall(self): + raise ValueError(_("Not yet implemented")) + + def start(self): +- if self.transaction: ++ if semanageRecords.transaction: + raise ValueError(_("Semanage transaction already in progress")) + self.begin() +- self.transaction = True - - class semanageRecords: - def __init__(self, store): - global handle -@@ -315,6 +233,77 @@ - self.transaction = False ++ semanageRecords.transaction = True + def begin(self): +- if self.transaction: ++ if semanageRecords.transaction: + return + rc = semanage_begin_transaction(self.sh) + if rc < 0: + raise 
ValueError(_("Could not start semanage transaction")) ++ def customized(self): ++ raise ValueError(_("Not yet implemented")) ++ + def commit(self): +- if self.transaction: ++ if semanageRecords.transaction: + return + rc = semanage_commit(self.sh) + if rc < 0: + raise ValueError(_("Could not commit semanage transaction")) + + def finish(self): +- if not self.transaction: ++ if not semanageRecords.transaction: + raise ValueError(_("Semanage transaction not in progress")) +- self.transaction = False ++ semanageRecords.transaction = False self.commit() +class moduleRecords(semanageRecords): @@ -2584,7 +2955,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po class dontauditClass(semanageRecords): def __init__(self, store): semanageRecords.__init__(self, store) -@@ -341,6 +330,7 @@ +@@ -341,6 +332,7 @@ name = semanage_module_get_name(mod) if name and name.startswith("permissive_"): l.append(name.split("permissive_")[1]) 
@@ -2592,7 +2963,195 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po return l def list(self, heading = 1, locallist = 0): -@@ -1120,7 +1110,7 @@ +@@ -425,7 +417,9 @@ + if rc < 0: + raise ValueError(_("Could not check if login mapping for %s is defined") % name) + if exists: +- raise ValueError(_("Login mapping for %s is already defined") % name) ++ semanage_seuser_key_free(k) ++ return self.__modify(name, sename, serange) ++ + if name[0] == '%': + try: + grp.getgrnam(name[1:]) +@@ -557,6 +551,16 @@ + + mylog.log(1, "delete SELinux user mapping", name); + ++ def deleteall(self): ++ (rc, ulist) = semanage_seuser_list_local(self.sh) ++ if rc < 0: ++ raise ValueError(_("Could not list login mappings")) ++ ++ self.begin() ++ for u in ulist: ++ self.__delete(semanage_seuser_get_name(u)) ++ self.commit() ++ + def get_all(self, locallist = 0): + ddict = {} + if locallist: +@@ -571,6 +575,15 @@ + ddict[name] = (semanage_seuser_get_sename(u), semanage_seuser_get_mlsrange(u)) + return ddict + ++ def customized(self): ++ l = [] ++ ddict = self.get_all(True) ++ keys = ddict.keys() ++ keys.sort() ++ for k in keys: ++ l.append("-a -s %s -r '%s' %s" % (ddict[k][0], ddict[k][1], k)) ++ return l ++ + def list(self,heading = 1, locallist = 0): + ddict = self.get_all(locallist) + keys = ddict.keys() +@@ -613,7 +626,8 @@ + if rc < 0: + raise ValueError(_("Could not check if SELinux user %s is defined") % name) + if exists: +- raise ValueError(_("SELinux user %s is already defined") % name) ++ semanage_user_key_free(k) ++ return self.__modify(name, roles, selevel, serange, prefix) + + (rc, u) = semanage_user_create(self.sh) + if rc < 0: +@@ -764,6 +778,16 @@ + + mylog.log(1,"delete SELinux user record", name) + ++ def deleteall(self): ++ (rc, ulist) = semanage_user_list_local(self.sh) ++ if rc < 0: ++ raise ValueError(_("Could not list login mappings")) ++ ++ self.begin() ++ for u in ulist: ++ self.__delete(semanage_user_get_name(u)) ++ self.commit() 
++ + def get_all(self, locallist = 0): + ddict = {} + if locallist: +@@ -784,6 +808,15 @@ + + return ddict + ++ def customized(self): ++ l = [] ++ ddict = self.get_all(True) ++ keys = ddict.keys() ++ keys.sort() ++ for k in keys: ++ l.append("-a -r %s -R '%s' %s" % (ddict[k][2], ddict[k][3], k)) ++ return l ++ + def list(self, heading = 1, locallist = 0): + ddict = self.get_all(locallist) + keys = ddict.keys() +@@ -822,12 +855,16 @@ + low = int(ports[0]) + high = int(ports[1]) + ++ if high > 65536: ++ raise ValueError(_("Invalid Port")) ++ + (rc, k) = semanage_port_key_create(self.sh, low, high, proto_d) + if rc < 0: + raise ValueError(_("Could not create a key for %s/%s") % (proto, port)) + return ( k, proto_d, low, high ) + + def __add(self, port, proto, serange, type): ++ + if is_mls_enabled == 1: + if serange == "": + serange = "s0" +@@ -843,7 +880,8 @@ + if rc < 0: + raise ValueError(_("Could not check if port %s/%s is defined") % (proto, port)) + if exists: +- raise ValueError(_("Port %s/%s already defined") % (proto, port)) ++ semanage_port_key_free(k) ++ return self.__modify(port, proto, serange, type) + + (rc, p) = semanage_port_create(self.sh) + if rc < 0: +@@ -890,6 +928,7 @@ + self.commit() + + def __modify(self, port, proto, serange, setype): ++ + if serange == "" and setype == "": + if is_mls_enabled == 1: + raise ValueError(_("Requires setype or serange")) +@@ -1024,6 +1063,18 @@ + ddict[(ctype,proto_str)].append("%d-%d" % (low, high)) + return ddict + ++ def customized(self): ++ l = [] ++ ddict = self.get_all(True) ++ keys = ddict.keys() ++ keys.sort() ++ for k in keys: ++ if k[0] == k[1]: ++ l.append("-a -t %s -p %s %s" % (ddict[k][0], k[2], k[0])) ++ else: ++ l.append("-a -t %s -p %s %s-%s" % (ddict[k][0], k[2], k[0], k[1])) ++ return l ++ + def list(self, heading = 1, locallist = 0): + if heading: + print "%-30s %-8s %s\n" % (_("SELinux Port Type"), _("Proto"), _("Port Number")) +@@ -1040,7 +1091,8 @@ + class nodeRecords(semanageRecords): + def 
__init__(self, store = ""): + semanageRecords.__init__(self,store) +- ++ self.protocol = ["ipv4", "ipv6"] ++ + def __add(self, addr, mask, proto, serange, ctype): + if addr == "": + raise ValueError(_("Node Address is required")) +@@ -1048,14 +1100,11 @@ + if mask == "": + raise ValueError(_("Node Netmask is required")) + +- if proto == "ipv4": +- proto = 0 +- elif proto == "ipv6": +- proto = 1 +- else: ++ try: ++ proto = self.protocol.index(proto) ++ except: + raise ValueError(_("Unknown or missing protocol")) + +- + if is_mls_enabled == 1: + if serange == "": + serange = "s0" +@@ -1073,7 +1122,8 @@ + + (rc, exists) = semanage_node_exists(self.sh, k) + if exists: +- raise ValueError(_("Addr %s already defined") % addr) ++ semanage_node_key_free(k) ++ return self.__modify(addr, mask, self.protocol[proto], serange, ctype) + + (rc, node) = semanage_node_create(self.sh) + if rc < 0: +@@ -1097,7 +1147,7 @@ + if rc < 0: + raise ValueError(_("Could not set role in addr context for %s") % addr) + +- rc = semanage_context_set_type(self.sh, con, ctype) ++So rc = semanage_context_set_type(self.sh, con, ctype) + if rc < 0: + raise ValueError(_("Could not set type in addr context for %s") % addr) + +@@ -1120,7 +1170,7 @@ def add(self, addr, mask, proto, serange, ctype): self.begin() 
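Review bot: In the nodeRecords hunk at `@@ -1097,7 +1147,7 @@` the replacement line reads `So rc = semanage_context_set_type(self.sh, con, ctype)`; as it appears in this patch that is not valid Python, so seobject.py would fail to import and every semanage invocation would break, not just node handling. The line should be `rc = semanage_context_set_type(self.sh, con, ctype)`, identical to the one it replaces. The new port bound in the port-key helper, `if high > 65536:`, is also off by one and ignores the low end: 65536 passes, and negative or reversed ranges do too; `if low < 0 or high > 65535 or low > high:` before semanage_port_key_create is the check a port range needs. The bare `except:` around `self.protocol.index(proto)` in the node add/modify/delete paths should be `except ValueError:` so only an unknown protocol name is reported as "Unknown or missing protocol". All of the enclosing methods begin outside these hunks.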
@@ -2601,7 +3160,126 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po self.commit() def __modify(self, addr, mask, proto, serange, setype): -@@ -1420,6 +1410,48 @@ +@@ -1129,13 +1179,10 @@ + + if mask == "": + raise ValueError(_("Node Netmask is required")) +- if proto == "ipv4": +- proto = 0 +- elif proto == "ipv6": +- proto = 1 +- else: +- raise ValueError(_("Unknown or missing protocol")) +- ++ try: ++ proto = self.protocol.index(proto) ++ except: ++ raise ValueError(_("Unknown or missing protocol")) + + if serange == "" and setype == "": + raise ValueError(_("Requires setype or serange")) +@@ -1180,11 +1227,9 @@ + if mask == "": + raise ValueError(_("Node Netmask is required")) + +- if proto == "ipv4": +- proto = 0 +- elif proto == "ipv6": +- proto = 1 +- else: ++ try: ++ proto = self.protocol.index(proto) ++ except: + raise ValueError(_("Unknown or missing protocol")) + + (rc, k) = semanage_node_key_create(self.sh, addr, mask, proto) +@@ -1214,6 +1259,16 @@ + self.__delete(addr, mask, proto) + self.commit() + ++ def deleteall(self): ++ (rc, nlist) = semanage_node_list_local(self.sh) ++ if rc < 0: ++ raise ValueError(_("Could not deleteall node mappings")) ++ ++ self.begin() ++ for node in nlist: ++ self.__delete(semanage_node_get_addr(self.sh, node)[1], semanage_node_get_mask(self.sh, node)[1], self.protocol[semanage_node_get_proto(node)]) ++ self.commit() ++ + def get_all(self, locallist = 0): + ddict = {} + if locallist : +@@ -1227,15 +1282,20 @@ + con = semanage_node_get_con(node) + addr = semanage_node_get_addr(self.sh, node) + mask = semanage_node_get_mask(self.sh, node) +- proto = semanage_node_get_proto(node) +- if proto == 0: +- proto = "ipv4" +- elif proto == 1: +- proto = "ipv6" ++ proto = self.protocol[semanage_node_get_proto(node)] + ddict[(addr[1], mask[1], proto)] = (semanage_context_get_user(con), semanage_context_get_role(con), semanage_context_get_type(con), semanage_context_get_mls(con)) + + return ddict + 
++ def customized(self): ++ l = [] ++ ddict = self.get_all(True) ++ keys = ddict.keys() ++ keys.sort() ++ for k in keys: ++ l.append("-a -M %s -p %s -t %s %s" % (k[1], k[2],ddict[k][2], k[0])) ++ return l ++ + def list(self, heading = 1, locallist = 0): + if heading: + print "%-18s %-18s %-5s %-5s\n" % ("IP Address", "Netmask", "Protocol", "Context") +@@ -1275,7 +1335,8 @@ + if rc < 0: + raise ValueError(_("Could not check if interface %s is defined") % interface) + if exists: +- raise ValueError(_("Interface %s already defined") % interface) ++ semanage_iface_key_free(k) ++ return self.__modify(interface, serange, ctype) + + (rc, iface) = semanage_iface_create(self.sh) + if rc < 0: +@@ -1389,6 +1450,16 @@ + self.__delete(interface) + self.commit() + ++ def deleteall(self): ++ (rc, ulist) = semanage_iface_list_local(self.sh) ++ if rc < 0: ++ raise ValueError(_("Could not delete all interface mappings")) ++ ++ self.begin() ++ for i in ulist: ++ self.__delete(semanage_iface_get_name(i)) ++ self.commit() ++ + def get_all(self, locallist = 0): + ddict = {} + if locallist: +@@ -1404,6 +1475,15 @@ + + return ddict + ++ def customized(self): ++ l = [] ++ ddict = self.get_all(True) ++ keys = ddict.keys() ++ keys.sort() ++ for k in keys: ++ l.append("-a -t %s %s" % (ddict[k][2], k)) ++ return l ++ + def list(self, heading = 1, locallist = 0): + if heading: + print "%-30s %s\n" % (_("SELinux Interface"), _("Context")) +@@ -1420,6 +1500,48 @@ class fcontextRecords(semanageRecords): def __init__(self, store = ""): semanageRecords.__init__(self, store) 
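Review bot: nodeRecords.customized emits `-a -M %s -p %s -t %s %s` from `ddict[k][2]` only, so the MLS range that get_all stores at `ddict[k][3]` is dropped and a node customization that set `-r` will not survive an `-o`/`-i` round trip; `l.append("-a -M %s -p %s -t %s -r '%s' %s" % (k[1], k[2], ddict[k][2], ddict[k][3], k[0]))` carries it the way loginRecords.customized already does (skip the `-r` if the range can be empty on non-MLS stores). In nodeRecords.deleteall the `[1]` index on `semanage_node_get_addr(self.sh, node)` and `semanage_node_get_mask(self.sh, node)` discards the return code, so a failed lookup becomes an obscure TypeError instead of a clear ValueError. The user-record deleteall reports "Could not list login mappings" when semanage_user_list_local fails, which reads as a copy from the login version; "Could not list SELinux users" would match the object. A short docstring on each deleteall stating that it removes every local record of that type, and that begin()/commit() are no-ops inside an already open transaction, would help whoever wires `-D` to them.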
@@ -2650,7 +3328,17 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po def createcon(self, target, seuser = "system_u"): (rc, con) = semanage_context_create(self.sh) -@@ -1586,9 +1618,16 @@ +@@ -1470,7 +1592,8 @@ + raise ValueError(_("Could not check if file context for %s is defined") % target) + + if exists: +- raise ValueError(_("File context for %s already defined") % target) ++ semanage_fcontext_key_free(k) ++ return self.__modify(target, type, ftype, serange, seuser) + + (rc, fcontext) = semanage_fcontext_create(self.sh) + if rc < 0: +@@ -1586,9 +1709,16 @@ raise ValueError(_("Could not delete the file context %s") % target) semanage_fcontext_key_free(k) @@ -2667,9 +3355,20 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po (rc,k) = semanage_fcontext_key_create(self.sh, target, file_types[ftype]) if rc < 0: raise ValueError(_("Could not create a key for %s") % target) -@@ -1644,11 +1683,11 @@ +@@ -1643,12 +1773,22 @@ + return ddict ++ def customized(self): ++ l = [] ++ fcon_dict = self.get_all(True) ++ keys = fcon_dict.keys() ++ keys.sort() ++ for k in keys: ++ if fcon_dict[k]: ++ l.append("-a -f '%s' -t %s '%s'" % (k[1], fcon_dict[k][2], k[0])) ++ return l ++ def list(self, heading = 1, locallist = 0 ): - if heading: - print "%-50s %-18s %s\n" % (_("SELinux fcontext"), _("type"), _("Context")) 
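Review bot: fcontextRecords.customized quotes the file pattern with `'%s'`, so a local pattern containing a single quote produces a line that the `-i` side cannot parse back into the same pattern, and it skips every entry where `fcon_dict[k]` is false, which presumably drops the empty-context customizations that list() prints separately. A quoting helper that escapes embedded quotes (or a comment documenting that patterns containing `'` are not exported) and an explicit line for the empty-context entries would make the export complete; the exact spelling of the none-context marker is not visible in this hunk, so check it against the add path. A docstring on customized() stating that it returns one semanage argument string per locally customized fcontext, in sorted order, would also record the contract the `-o` loop depends on. The enclosing fcontextRecords class begins before this hunk.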
@@ -2681,9 +3380,26 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po for k in keys: if fcon_dict[k]: if is_mls_enabled: +@@ -1794,6 +1934,16 @@ + else: + return _("unknown") + ++ def customized(self): ++ l = [] ++ ddict = self.get_all(True) ++ keys = ddict.keys() ++ keys.sort() ++ for k in keys: ++ if ddict[k]: ++ l.append("-%s %s" % (ddict[k][2], k)) ++ return l ++ + def list(self, heading = True, locallist = False, use_file = False): + on_off = (_("off"), _("on")) + if use_file: diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semodule/semodule.8 policycoreutils-2.0.74/semodule/semodule.8 --- nsapolicycoreutils/semodule/semodule.8 2009-09-17 08:59:43.000000000 -0400 -+++ policycoreutils-2.0.74/semodule/semodule.8 2009-09-25 15:21:16.000000000 -0400 ++++ policycoreutils-2.0.74/semodule/semodule.8 2009-10-15 10:37:41.000000000 -0400 @@ -35,6 +35,12 @@ .B \-b,\-\-base=MODULE_PKG install/replace base module package @@ -2699,7 +3415,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po .TP diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semodule/semodule.c policycoreutils-2.0.74/semodule/semodule.c --- nsapolicycoreutils/semodule/semodule.c 2009-09-17 08:59:43.000000000 -0400 -+++ policycoreutils-2.0.74/semodule/semodule.c 2009-09-20 21:26:36.000000000 -0400 ++++ policycoreutils-2.0.74/semodule/semodule.c 2009-10-15 10:37:41.000000000 -0400 @@ -22,12 +22,12 @@ #include 
@@ -2819,7 +3535,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po } diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/setfiles/Makefile policycoreutils-2.0.74/setfiles/Makefile --- nsapolicycoreutils/setfiles/Makefile 2009-07-07 15:32:32.000000000 -0400 -+++ policycoreutils-2.0.74/setfiles/Makefile 2009-09-25 15:21:58.000000000 -0400 ++++ policycoreutils-2.0.74/setfiles/Makefile 2009-10-15 10:37:41.000000000 -0400 @@ -16,7 +16,7 @@ all: setfiles restorecon @@ -2831,7 +3547,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po ln -sf setfiles restorecon diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/setfiles/restore.c policycoreutils-2.0.74/setfiles/restore.c --- nsapolicycoreutils/setfiles/restore.c 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.74/setfiles/restore.c 2009-09-20 21:26:36.000000000 -0400 ++++ policycoreutils-2.0.74/setfiles/restore.c 2009-10-15 10:37:41.000000000 -0400 @@ -0,0 +1,519 @@ +#include "restore.h" + 
@@ -3352,9 +4068,35 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po + + + +diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/setfiles/restorecon.8 policycoreutils-2.0.74/setfiles/restorecon.8 +--- nsapolicycoreutils/setfiles/restorecon.8 2008-08-28 09:34:24.000000000 -0400 ++++ policycoreutils-2.0.74/setfiles/restorecon.8 2009-10-22 08:41:15.000000000 -0400 +@@ -4,10 +4,10 @@ + + .SH "SYNOPSIS" + .B restorecon +-.I [\-o outfilename ] [\-R] [\-n] [\-v] [\-e directory ] pathname... ++.I [\-o outfilename ] [\-R] [\-n] [\-p] [\-v] [\-e directory ] pathname... + .P + .B restorecon +-.I \-f infilename [\-o outfilename ] [\-e directory ] [\-R] [\-n] [\-v] [\-F] ++.I \-f infilename [\-o outfilename ] [\-e directory ] [\-R] [\-n] [\-p] [\-v] [\-F] + + .SH "DESCRIPTION" + This manual page describes the +@@ -40,6 +40,9 @@ + .TP + .B \-o outfilename + save list of files with incorrect context in outfilename. ++.TP ++.B \-p ++show progress by printing * every 1000 files. + .TP + .B \-v + show changes in file labels. diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/setfiles/restore.h policycoreutils-2.0.74/setfiles/restore.h --- nsapolicycoreutils/setfiles/restore.h 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.74/setfiles/restore.h 2009-09-20 21:26:36.000000000 -0400 ++++ policycoreutils-2.0.74/setfiles/restore.h 2009-10-15 10:37:41.000000000 -0400 @@ -0,0 +1,49 @@ +#ifndef RESTORE_H +#define RESTORE_H 
@@ -3405,10 +4147,22 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po +int process_one(char *name, int recurse); + +#endif -Binary files nsapolicycoreutils/setfiles/restore.o and policycoreutils-2.0.74/setfiles/restore.o differ +diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/setfiles/setfiles.8 policycoreutils-2.0.74/setfiles/setfiles.8 +--- nsapolicycoreutils/setfiles/setfiles.8 2008-08-28 09:34:24.000000000 -0400 ++++ policycoreutils-2.0.74/setfiles/setfiles.8 2009-10-22 08:37:16.000000000 -0400 +@@ -31,6 +31,9 @@ + .TP + .B \-n + don't change any file labels. ++.TP ++.B \-p ++show progress by printing * every 1000 files. + .TP + .B \-q + suppress non-error output. diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/setfiles/setfiles.c policycoreutils-2.0.74/setfiles/setfiles.c --- nsapolicycoreutils/setfiles/setfiles.c 2009-09-17 08:59:43.000000000 -0400 -+++ policycoreutils-2.0.74/setfiles/setfiles.c 2009-09-20 21:26:36.000000000 -0400 ++++ policycoreutils-2.0.74/setfiles/setfiles.c 2009-10-22 08:42:29.000000000 -0400 @@ -1,26 +1,12 @@ -#ifndef _GNU_SOURCE -#define _GNU_SOURCE @@ -3484,7 +4238,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po #define SETFILES "setfiles" #define RESTORECON "restorecon" -@@ -73,246 +41,9 @@ +@@ -73,257 +41,20 @@ /* Behavior flags determined based on setfiles vs. restorecon */ static int expand_realpath; /* Expand paths via realpath. */ 
@@ -3731,6 +4485,19 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po void usage(const char *const name) { if (iamrestorecon) { + fprintf(stderr, +- "usage: %s [-iFnrRv0] [-e excludedir ] [-o filename ] [-f filename | pathname... ]\n", ++ "usage: %s [-iFnprRv0] [-e excludedir ] [-o filename ] [-f filename | pathname... ]\n", + name); + } else { + fprintf(stderr, + "usage: %s [-dnpqvW] [-o filename] [-r alt_root_path ] spec_file pathname...\n" + "usage: %s -c policyfile spec_file\n" +- "usage: %s -s [-dnqvW] [-o filename ] spec_file\n", name, name, ++ "usage: %s -s [-dnpqvW] [-o filename ] spec_file\n", name, name, + name); + } + exit(1); @@ -334,194 +65,30 @@ void inc_err() { diff --git a/policycoreutils.spec b/policycoreutils.spec index c7a9f84..9b4068a 100644 --- a/policycoreutils.spec +++ b/policycoreutils.spec @@ -6,7 +6,7 @@ Summary: SELinux policy core utilities Name: policycoreutils Version: 2.0.74 -Release: 12%{?dist} +Release: 14%{?dist} License: GPLv2+ Group: System Environment/Base Source: http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz @@ -296,6 +296,13 @@ fi exit 0 %changelog +* Fri Oct 30 2009 Dan Walsh 2.0.74-14 +- Allow semanage -i and semanage -o to generate customization files. +- semanage -o will generate a customization file that semanage -i can read and set a machines to the same selinux configuration + +* Tue Oct 20 2009 Dan Walsh 2.0.74-13 +- Fix restorecond man page + * Mon Oct 19 2009 Dan Walsh 2.0.74-12 - Add generation of the users context file to polgengui