From 9852e61813014fb86801561e42f0fbc67d898c91 Mon Sep 17 00:00:00 2001 From: Dan Walsh Date: Mon, 25 Oct 2010 17:25:34 -0400 Subject: [PATCH] - Remove setuid flag and replace with file capabilities - Fix sandbox handling of files with spaces in them --- policycoreutils-rhat.patch | 1621 +++++++++++++++++++----------------- policycoreutils.spec | 14 +- 2 files changed, 857 insertions(+), 778 deletions(-) diff --git a/policycoreutils-rhat.patch b/policycoreutils-rhat.patch index d4db5bc..dbdf4d8 100644 --- a/policycoreutils-rhat.patch +++ b/policycoreutils-rhat.patch 
@@ -1,13 +1,101 @@ -diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/audit2allow/audit2allow policycoreutils-2.0.83/audit2allow/audit2allow ---- nsapolicycoreutils/audit2allow/audit2allow 2010-05-19 14:45:51.000000000 -0400 -+++ policycoreutils-2.0.83/audit2allow/audit2allow 2010-07-30 13:50:40.000000000 -0400 +diff -up policycoreutils-2.0.83/audit2allow/audit2allow.1.rhat policycoreutils-2.0.83/audit2allow/audit2allow.1 +--- policycoreutils-2.0.83/audit2allow/audit2allow.1.rhat 2010-06-16 08:04:13.000000000 -0400 ++++ policycoreutils-2.0.83/audit2allow/audit2allow.1 2010-10-25 17:11:18.000000000 -0400 +@@ -66,6 +66,9 @@ Generate module/require output " + Generate loadable module package, conflicts with -o + .TP ++.B "\-p " | "\-\-policy " ++Policy file to use for analysis ++.TP + .B "\-o " | "\-\-output " + append output to + .I +@@ -117,14 +120,6 @@ an 'allow' rule. + .B Please substitute /var/log/messages for /var/log/audit/audit.log in the + .B examples. 
+ .PP +-.B Using audit2allow to generate monolithic (non-module) policy +-$ cd /etc/selinux/$SELINUXTYPE/src/policy +-$ cat /var/log/audit/audit.log | audit2allow >> domains/misc/local.te +-$ cat domains/misc/local.te +-allow cupsd_config_t unconfined_t:fifo_file { getattr ioctl }; +- +-$ make load +- + .B Using audit2allow to generate module policy + + $ cat /var/log/audit/audit.log | audit2allow -m local > local.te +@@ -132,20 +127,38 @@ $ cat local.te + module local 1.0; + + require { +- role system_r; ++ class file { getattr open read }; + + +- class fifo_file { getattr ioctl }; ++ type myapp_t; ++ type etc_t; ++ }; + + +- type cupsd_config_t; +- type unconfined_t; +- }; ++allow myapp_t etc_t:file { getattr open read }; ++ + ++.B Using audit2allow to generate module policy using reference policy + +-allow cupsd_config_t unconfined_t:fifo_file { getattr ioctl }; ++$ cat /var/log/audit/audit.log | audit2allow -R -m local > local.te ++$ cat local.te ++policy_module(local, 1.0) ++ ++gen_require(` ++ type myapp_t; ++ type etc_t; ++ }; ++ ++files_read_etc_files(myapp_t) + + ++.B Building module policy using Makefile ++ ++# SELinux provides a policy devel environment under /usr/share/selinux/devel ++# You can create a te file and compile it by executing ++$ make -f /usr/share/selinux/devel/Makefile ++$ semodule -i local.pp ++ + .B Building module policy manually + + # Compile the module +@@ -168,6 +181,14 @@ you are required to execute + + semodule -i local.pp + ++.B Using audit2allow to generate monolithic (non-module) policy ++$ cd /etc/selinux/$SELINUXTYPE/src/policy ++$ cat /var/log/audit/audit.log | audit2allow >> domains/misc/local.te ++$ cat domains/misc/local.te ++allow cupsd_config_t unconfined_t:fifo_file { getattr ioctl }; ++ ++$ make load ++ + .fi + .PP + .SH AUTHOR +diff -up policycoreutils-2.0.83/audit2allow/audit2allow.rhat policycoreutils-2.0.83/audit2allow/audit2allow +--- policycoreutils-2.0.83/audit2allow/audit2allow.rhat 2010-06-16 
08:04:13.000000000 -0400 ++++ policycoreutils-2.0.83/audit2allow/audit2allow 2010-10-25 17:11:18.000000000 -0400 @@ -1,4 +1,4 @@ -#! /usr/bin/python -E +#! /usr/bin/python -Es # Authors: Karl MacMillan # # Copyright (C) 2006-2007 Red Hat -@@ -28,6 +28,7 @@ +@@ -28,6 +28,7 @@ import sepolgen.objectmodel as objectmod import sepolgen.defaults as defaults import sepolgen.module as module from sepolgen.sepolgeni18n import _ @@ -15,7 +103,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po class AuditToPolicy: VERSION = "%prog .1" -@@ -46,6 +47,7 @@ +@@ -46,6 +47,7 @@ class AuditToPolicy: help="audit messages since last boot conflicts with -i") parser.add_option("-a", "--all", action="store_true", dest="audit", default=False, help="read input from audit log - conflicts with -i") @@ -23,7 +111,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po parser.add_option("-d", "--dmesg", action="store_true", dest="dmesg", default=False, help="read input from dmesg - conflicts with --all and --input") parser.add_option("-i", "--input", dest="input", -@@ -231,63 +233,44 @@ +@@ -231,63 +233,44 @@ class AuditToPolicy: def __output_audit2why(self): import selinux @@ -99,7 +187,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po print "\t\tMissing role allow rule.\n" print "\t\tAdd an allow rule for the role pair.\n" continue -@@ -350,11 +333,19 @@ +@@ -350,11 +333,19 @@ class AuditToPolicy: def main(self): try: self.__parse_options() 
@@ -119,97 +207,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po if __name__ == "__main__": app = AuditToPolicy() -diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/audit2allow/audit2allow.1 policycoreutils-2.0.83/audit2allow/audit2allow.1 ---- nsapolicycoreutils/audit2allow/audit2allow.1 2010-05-19 14:45:51.000000000 -0400 -+++ policycoreutils-2.0.83/audit2allow/audit2allow.1 2010-09-17 15:14:35.000000000 -0400 -@@ -66,6 +66,9 @@ - .B "\-M " - Generate loadable module package, conflicts with -o - .TP -+.B "\-p " | "\-\-policy " -+Policy file to use for analysis -+.TP - .B "\-o " | "\-\-output " - append output to - .I -@@ -117,14 +120,6 @@ - .B Please substitute /var/log/messages for /var/log/audit/audit.log in the - .B examples. - .PP --.B Using audit2allow to generate monolithic (non-module) policy --$ cd /etc/selinux/$SELINUXTYPE/src/policy --$ cat /var/log/audit/audit.log | audit2allow >> domains/misc/local.te --$ cat domains/misc/local.te --allow cupsd_config_t unconfined_t:fifo_file { getattr ioctl }; -- --$ make load -- - .B Using audit2allow to generate module policy - - $ cat /var/log/audit/audit.log | audit2allow -m local > local.te -@@ -132,20 +127,38 @@ - module local 1.0; - - require { -- role system_r; -+ class file { getattr open read }; - - -- class fifo_file { getattr ioctl }; -+ type myapp_t; -+ type etc_t; -+ }; - - -- type cupsd_config_t; -- type unconfined_t; -- }; -+allow myapp_t etc_t:file { getattr open read }; -+ - -+.B Using audit2allow to generate module policy using reference policy - --allow cupsd_config_t unconfined_t:fifo_file { getattr ioctl }; -+$ cat /var/log/audit/audit.log | audit2allow -R -m local > local.te -+$ cat local.te -+policy_module(local, 1.0) -+ -+gen_require(` -+ type myapp_t; -+ type etc_t; -+ }; -+ -+files_read_etc_files(myapp_t) - - -+.B Building module policy using Makefile -+ -+# SELinux provides a policy devel 
environment under /usr/share/selinux/devel -+# You can create a te file and compile it by executing -+$ make -f /usr/share/selinux/devel/Makefile -+$ semodule -i local.pp -+ - .B Building module policy manually - - # Compile the module -@@ -168,6 +181,14 @@ - - semodule -i local.pp - -+.B Using audit2allow to generate monolithic (non-module) policy -+$ cd /etc/selinux/$SELINUXTYPE/src/policy -+$ cat /var/log/audit/audit.log | audit2allow >> domains/misc/local.te -+$ cat domains/misc/local.te -+allow cupsd_config_t unconfined_t:fifo_file { getattr ioctl }; -+ -+$ make load -+ - .fi - .PP - .SH AUTHOR -diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/audit2allow/sepolgen-ifgen policycoreutils-2.0.83/audit2allow/sepolgen-ifgen ---- nsapolicycoreutils/audit2allow/sepolgen-ifgen 2010-05-19 14:45:51.000000000 -0400 -+++ policycoreutils-2.0.83/audit2allow/sepolgen-ifgen 2010-07-30 13:50:40.000000000 -0400 +diff -up policycoreutils-2.0.83/audit2allow/sepolgen-ifgen.rhat policycoreutils-2.0.83/audit2allow/sepolgen-ifgen +--- policycoreutils-2.0.83/audit2allow/sepolgen-ifgen.rhat 2010-06-16 08:04:13.000000000 -0400 ++++ policycoreutils-2.0.83/audit2allow/sepolgen-ifgen 2010-10-25 17:11:18.000000000 -0400 @@ -1,4 +1,4 @@ -#! /usr/bin/python -E +#! /usr/bin/python -Es @@ -227,7 +227,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po import sepolgen.refparser as refparser import sepolgen.defaults as defaults -@@ -35,6 +39,7 @@ +@@ -35,6 +39,7 @@ import sepolgen.interfaces as interfaces VERSION = "%prog .1" @@ -235,7 +235,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po def parse_options(): from optparse import OptionParser -@@ -44,14 +49,43 @@ +@@ -44,14 +49,43 @@ def parse_options(): help="filename to store output") parser.add_option("-i", "--interfaces", dest="headers", default=defaults.headers(), help="location of the interface header files") 
@@ -279,7 +279,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po def main(): options = parse_options() -@@ -68,6 +102,14 @@ +@@ -68,6 +102,14 @@ def main(): else: log = None @@ -294,7 +294,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po try: headers = refparser.parse_headers(options.headers, output=log, debug=options.debug) except ValueError, e: -@@ -76,7 +118,7 @@ +@@ -76,7 +118,7 @@ def main(): return 1 if_set = interfaces.InterfaceSet(output=log) @@ -303,10 +303,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po if_set.to_file(f) f.close() -Binary files nsapolicycoreutils/load_policy/load_policy and policycoreutils-2.0.83/load_policy/load_policy differ -diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/load_policy/load_policy.c policycoreutils-2.0.83/load_policy/load_policy.c ---- nsapolicycoreutils/load_policy/load_policy.c 2010-05-19 14:45:51.000000000 -0400 -+++ policycoreutils-2.0.83/load_policy/load_policy.c 2010-08-23 10:48:26.000000000 -0400 +diff -up policycoreutils-2.0.83/load_policy/load_policy.c.rhat policycoreutils-2.0.83/load_policy/load_policy.c +--- policycoreutils-2.0.83/load_policy/load_policy.c.rhat 2010-06-16 08:04:12.000000000 -0400 ++++ policycoreutils-2.0.83/load_policy/load_policy.c 2010-10-25 17:11:18.000000000 -0400 @@ -1,3 +1,4 @@ +#define _GNU_SOURCE #include @@ -334,7 +333,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po int main(int argc, char **argv) { int ret, opt, quiet = 0, nargs, init=0, enforce=0; -@@ -76,9 +86,11 @@ +@@ -76,9 +86,11 @@ int main(int argc, char **argv) if (ret != 0 ) { if (enforce > 0) { /* SELinux in enforcing mode but load_policy failed */ 
@@ -348,7 +347,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po exit(3); } } -@@ -87,8 +99,10 @@ +@@ -87,8 +99,10 @@ int main(int argc, char **argv) ret = selinux_mkload_policy(1); } if (ret < 0) { @@ -361,19 +360,37 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po exit(2); } exit(0); -diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/Makefile policycoreutils-2.0.83/Makefile ---- nsapolicycoreutils/Makefile 2010-06-16 08:03:38.000000000 -0400 -+++ policycoreutils-2.0.83/Makefile 2010-07-30 13:50:40.000000000 -0400 +diff -up policycoreutils-2.0.83/Makefile.rhat policycoreutils-2.0.83/Makefile +--- policycoreutils-2.0.83/Makefile.rhat 2010-06-16 08:04:11.000000000 -0400 ++++ policycoreutils-2.0.83/Makefile 2010-10-25 17:11:18.000000000 -0400 
@@ -1,4 +1,4 @@ -SUBDIRS = setfiles semanage load_policy newrole run_init sandbox secon audit2allow audit2why scripts sestatus semodule_package semodule semodule_link semodule_expand semodule_deps setsebool po +SUBDIRS = setfiles semanage semanage/default_encoding load_policy newrole run_init sandbox secon audit2allow audit2why scripts sestatus semodule_package semodule semodule_link semodule_expand semodule_deps sepolgen-ifgen setsebool po gui INOTIFYH = $(shell ls /usr/include/sys/inotify.h 2>/dev/null) -diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/newrole/newrole.c policycoreutils-2.0.83/newrole/newrole.c ---- nsapolicycoreutils/newrole/newrole.c 2010-05-19 14:45:51.000000000 -0400 -+++ policycoreutils-2.0.83/newrole/newrole.c 2010-07-30 13:50:40.000000000 -0400 -@@ -1334,6 +1334,9 @@ +diff -up policycoreutils-2.0.83/newrole/newrole.c.rhat policycoreutils-2.0.83/newrole/newrole.c +--- policycoreutils-2.0.83/newrole/newrole.c.rhat 2010-06-16 08:04:12.000000000 -0400 ++++ policycoreutils-2.0.83/newrole/newrole.c 2010-10-25 17:14:24.000000000 -0400 +@@ -537,7 +537,7 @@ static int restore_environment(int prese + * + * Returns zero on success, non-zero otherwise + */ +-#if defined(AUDIT_LOG_PRIV) && !defined(NAMESPACE_PRIV) ++#if defined(AUDIT_LOG_PRIV) && !defined(NAMESPACE_PRIV) && !defined(USE_FILECAP) + static int drop_capabilities(void) + { + int rc = 0; +@@ -602,7 +602,7 @@ static int drop_capabilities(void) + fprintf(stderr, _("Error freeing caps\n")); + return rc; + } +-#elif defined(NAMESPACE_PRIV) ++#elif defined(NAMESPACE_PRIV) && !defined(USE_FILECAP) + /** + * This function will drop the capabilities so that we are left + * only with access to the audit system and the ability to raise +@@ -1334,6 +1334,9 @@ int main(int argc, char *argv[]) if (send_audit_message(1, old_context, new_context, ttyn)) goto err_close_pam_session; 
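Review bot: Both new `!defined(USE_FILECAP)` guards compile drop_capabilities() out entirely for a file-capabilities build, yet nothing in the hunk replaces the step the surviving comment describes ("drop the capabilities so that we are left only with access to the audit system and the ability to raise ..."), so under USE_FILECAP the capability set newrole starts with is carried through main() unless something outside this hunk narrows it. The call sites of drop_capabilities() and the policycoreutils.spec change that presumably sets the file capabilities are listed in the diffstat but not in view, so I cannot confirm that the USE_FILECAP build still links or which capabilities it is granted; both are worth checking before the setuid bit is removed. At minimum, record the assumption above the first guard: `/* USE_FILECAP: installed with file capabilities instead of setuid, so the binary's xattr bounds the capability set and no explicit drop is compiled here; keep in sync with the spec. */`. The drop_capabilities() definitions and main() all continue outside the hunk.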
@@ -383,9 +400,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po #ifdef NAMESPACE_PRIV if (transition_to_caller_uid()) goto err_close_pam_session; -diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/Makefile policycoreutils-2.0.83/restorecond/Makefile ---- nsapolicycoreutils/restorecond/Makefile 2010-05-19 14:45:51.000000000 -0400 -+++ policycoreutils-2.0.83/restorecond/Makefile 2010-07-30 13:50:40.000000000 -0400 +diff -up policycoreutils-2.0.83/restorecond/Makefile.rhat policycoreutils-2.0.83/restorecond/Makefile +--- policycoreutils-2.0.83/restorecond/Makefile.rhat 2010-06-16 08:04:13.000000000 -0400 ++++ policycoreutils-2.0.83/restorecond/Makefile 2010-10-25 17:11:18.000000000 -0400 @@ -1,17 +1,28 @@ # Installation directories. PREFIX ?= ${DESTDIR}/usr @@ -418,7 +435,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po $(CC) $(LDFLAGS) -o $@ $^ $(LDLIBS) install: all -@@ -22,7 +33,12 @@ +@@ -22,7 +33,12 @@ install: all -mkdir -p $(INITDIR) install -m 755 restorecond.init $(INITDIR)/restorecond -mkdir -p $(SELINUXDIR) 
@@ -432,16 +449,16 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po relabel: install /sbin/restorecon $(SBINDIR)/restorecond -diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/org.selinux.Restorecond.service policycoreutils-2.0.83/restorecond/org.selinux.Restorecond.service ---- nsapolicycoreutils/restorecond/org.selinux.Restorecond.service 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.83/restorecond/org.selinux.Restorecond.service 2010-07-30 13:50:40.000000000 -0400 +diff -up policycoreutils-2.0.83/restorecond/org.selinux.Restorecond.service.rhat policycoreutils-2.0.83/restorecond/org.selinux.Restorecond.service +--- policycoreutils-2.0.83/restorecond/org.selinux.Restorecond.service.rhat 2010-10-25 17:11:18.000000000 -0400 ++++ policycoreutils-2.0.83/restorecond/org.selinux.Restorecond.service 2010-10-25 17:11:18.000000000 -0400 @@ -0,0 +1,3 @@ +[D-BUS Service] +Name=org.selinux.Restorecond +Exec=/usr/sbin/restorecond -u -diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.8 policycoreutils-2.0.83/restorecond/restorecond.8 ---- nsapolicycoreutils/restorecond/restorecond.8 2010-05-19 14:45:51.000000000 -0400 -+++ policycoreutils-2.0.83/restorecond/restorecond.8 2010-07-30 13:50:40.000000000 -0400 +diff -up policycoreutils-2.0.83/restorecond/restorecond.8.rhat policycoreutils-2.0.83/restorecond/restorecond.8 +--- policycoreutils-2.0.83/restorecond/restorecond.8.rhat 2010-06-16 08:04:13.000000000 -0400 ++++ policycoreutils-2.0.83/restorecond/restorecond.8 2010-10-25 17:11:18.000000000 -0400 @@ -3,7 +3,7 @@ restorecond \- daemon that watches for file creation and then sets the default SELinux file context 
@@ -451,7 +468,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po .P .SH "DESCRIPTION" -@@ -19,13 +19,22 @@ +@@ -19,13 +19,22 @@ the correct file context associated with .B \-d Turns on debugging mode. Application will stay in the foreground and lots of debugs messages start printing. @@ -476,9 +493,22 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po .SH "SEE ALSO" .BR restorecon (8), -diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.c policycoreutils-2.0.83/restorecond/restorecond.c ---- nsapolicycoreutils/restorecond/restorecond.c 2010-05-19 14:45:51.000000000 -0400 -+++ policycoreutils-2.0.83/restorecond/restorecond.c 2010-07-30 13:50:40.000000000 -0400 +diff -up policycoreutils-2.0.83/restorecond/restorecond.conf.rhat policycoreutils-2.0.83/restorecond/restorecond.conf +--- policycoreutils-2.0.83/restorecond/restorecond.conf.rhat 2010-06-16 08:04:13.000000000 -0400 ++++ policycoreutils-2.0.83/restorecond/restorecond.conf 2010-10-25 17:11:18.000000000 -0400 +@@ -4,8 +4,5 @@ + /etc/mtab + /var/run/utmp + /var/log/wtmp +-~/* +-/root/.ssh ++/root/* + /root/.ssh/* +- +- +diff -up policycoreutils-2.0.83/restorecond/restorecond.c.rhat policycoreutils-2.0.83/restorecond/restorecond.c +--- policycoreutils-2.0.83/restorecond/restorecond.c.rhat 2010-06-16 08:04:13.000000000 -0400 ++++ policycoreutils-2.0.83/restorecond/restorecond.c 2010-10-25 17:11:18.000000000 -0400 @@ -30,9 +30,11 @@ * and makes sure that there security context matches the systems defaults * @@ -807,7 +837,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po } static const char *pidfile = "/var/run/restorecond.pid"; -@@ -374,7 +120,7 @@ +@@ -374,7 +120,7 @@ static void term_handler() static void usage(char *program) { 
@@ -816,7 +846,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po exit(0); } -@@ -390,74 +136,35 @@ +@@ -390,74 +136,35 @@ void exitApp(const char *msg) to see if it is one that we are watching. */ @@ -915,7 +945,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po /* Register sighandlers */ sa.sa_flags = 0; -@@ -467,36 +174,56 @@ +@@ -467,36 +174,56 @@ int main(int argc, char **argv) set_matchpathcon_flags(MATCHPATHCON_NOTRANS); @@ -981,22 +1011,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po if (pidfile) unlink(pidfile); -diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.conf policycoreutils-2.0.83/restorecond/restorecond.conf ---- nsapolicycoreutils/restorecond/restorecond.conf 2010-05-19 14:45:51.000000000 -0400 -+++ policycoreutils-2.0.83/restorecond/restorecond.conf 2010-07-30 13:50:40.000000000 -0400 -@@ -4,8 +4,5 @@ - /etc/mtab - /var/run/utmp - /var/log/wtmp --~/* --/root/.ssh -+/root/* - /root/.ssh/* -- -- -diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.desktop policycoreutils-2.0.83/restorecond/restorecond.desktop ---- nsapolicycoreutils/restorecond/restorecond.desktop 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.83/restorecond/restorecond.desktop 2010-07-30 13:50:40.000000000 -0400 +diff -up policycoreutils-2.0.83/restorecond/restorecond.desktop.rhat policycoreutils-2.0.83/restorecond/restorecond.desktop +--- policycoreutils-2.0.83/restorecond/restorecond.desktop.rhat 2010-10-25 17:11:18.000000000 -0400 ++++ policycoreutils-2.0.83/restorecond/restorecond.desktop 2010-10-25 17:11:18.000000000 -0400 @@ -0,0 +1,7 @@ +[Desktop Entry] +Name=File Context maintainer 
@@ -1005,9 +1022,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po +Encoding=UTF-8 +Type=Application +StartupNotify=false -diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.h policycoreutils-2.0.83/restorecond/restorecond.h ---- nsapolicycoreutils/restorecond/restorecond.h 2010-05-19 14:45:51.000000000 -0400 -+++ policycoreutils-2.0.83/restorecond/restorecond.h 2010-07-30 13:50:40.000000000 -0400 +diff -up policycoreutils-2.0.83/restorecond/restorecond.h.rhat policycoreutils-2.0.83/restorecond/restorecond.h +--- policycoreutils-2.0.83/restorecond/restorecond.h.rhat 2010-06-16 08:04:13.000000000 -0400 ++++ policycoreutils-2.0.83/restorecond/restorecond.h 2010-10-25 17:11:18.000000000 -0400 @@ -24,7 +24,22 @@ #ifndef RESTORED_CONFIG_H #define RESTORED_CONFIG_H @@ -1033,10 +1050,10 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po +extern int watch_list_isempty(); #endif -diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.init policycoreutils-2.0.83/restorecond/restorecond.init ---- nsapolicycoreutils/restorecond/restorecond.init 2010-05-19 14:45:51.000000000 -0400 -+++ policycoreutils-2.0.83/restorecond/restorecond.init 2010-07-30 13:50:40.000000000 -0400 -@@ -26,7 +26,7 @@ +diff -up policycoreutils-2.0.83/restorecond/restorecond.init.rhat policycoreutils-2.0.83/restorecond/restorecond.init +--- policycoreutils-2.0.83/restorecond/restorecond.init.rhat 2010-06-16 08:04:13.000000000 -0400 ++++ policycoreutils-2.0.83/restorecond/restorecond.init 2010-10-25 17:11:18.000000000 -0400 +@@ -26,7 +26,7 @@ PATH=/sbin:/bin:/usr/bin:/usr/sbin # Source function library. . /etc/rc.d/init.d/functions 
@@ -1045,7 +1062,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po # Check that we are root ... so non-root users stop here test $EUID = 0 || exit 4 -@@ -75,16 +75,15 @@ +@@ -75,16 +75,15 @@ case "$1" in status restorecond RETVAL=$? ;; @@ -1064,15 +1081,15 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po exit $RETVAL - -diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond_user.conf policycoreutils-2.0.83/restorecond/restorecond_user.conf ---- nsapolicycoreutils/restorecond/restorecond_user.conf 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.83/restorecond/restorecond_user.conf 2010-07-30 13:50:40.000000000 -0400 +diff -up policycoreutils-2.0.83/restorecond/restorecond_user.conf.rhat policycoreutils-2.0.83/restorecond/restorecond_user.conf +--- policycoreutils-2.0.83/restorecond/restorecond_user.conf.rhat 2010-10-25 17:11:18.000000000 -0400 ++++ policycoreutils-2.0.83/restorecond/restorecond_user.conf 2010-10-25 17:11:18.000000000 -0400 @@ -0,0 +1,2 @@ +~/* +~/public_html/* -diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/user.c policycoreutils-2.0.83/restorecond/user.c ---- nsapolicycoreutils/restorecond/user.c 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.83/restorecond/user.c 2010-07-30 13:50:40.000000000 -0400 +diff -up policycoreutils-2.0.83/restorecond/user.c.rhat policycoreutils-2.0.83/restorecond/user.c +--- policycoreutils-2.0.83/restorecond/user.c.rhat 2010-10-25 17:11:18.000000000 -0400 ++++ policycoreutils-2.0.83/restorecond/user.c 2010-10-25 17:11:18.000000000 -0400 @@ -0,0 +1,239 @@ +/* + * restorecond 
@@ -1313,10 +1330,10 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po + return 0; +} + -diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/utmpwatcher.c policycoreutils-2.0.83/restorecond/utmpwatcher.c ---- nsapolicycoreutils/restorecond/utmpwatcher.c 2010-05-19 14:45:51.000000000 -0400 -+++ policycoreutils-2.0.83/restorecond/utmpwatcher.c 2010-08-13 10:00:27.000000000 -0400 -@@ -72,8 +72,8 @@ +diff -up policycoreutils-2.0.83/restorecond/utmpwatcher.c.rhat policycoreutils-2.0.83/restorecond/utmpwatcher.c +--- policycoreutils-2.0.83/restorecond/utmpwatcher.c.rhat 2010-06-16 08:04:13.000000000 -0400 ++++ policycoreutils-2.0.83/restorecond/utmpwatcher.c 2010-10-25 17:11:18.000000000 -0400 +@@ -72,8 +72,8 @@ unsigned int utmpwatcher_handle(int inot if (utmp_wd == -1) exitApp("Error watching utmp file."); @@ -1326,9 +1343,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po strings_list_free(prev_utmp_ptr); } return changed; -diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/watch.c policycoreutils-2.0.83/restorecond/watch.c ---- nsapolicycoreutils/restorecond/watch.c 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.83/restorecond/watch.c 2010-07-30 13:50:40.000000000 -0400 +diff -up policycoreutils-2.0.83/restorecond/watch.c.rhat policycoreutils-2.0.83/restorecond/watch.c +--- policycoreutils-2.0.83/restorecond/watch.c.rhat 2010-10-25 17:11:18.000000000 -0400 ++++ policycoreutils-2.0.83/restorecond/watch.c 2010-10-25 17:11:18.000000000 -0400 @@ -0,0 +1,260 @@ +#define _GNU_SOURCE +#include 
@@ -1590,17 +1607,17 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po + if (master_wd == -1) + exitApp("Error watching config file."); +} -diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/deliverables/basicwrapper policycoreutils-2.0.83/sandbox/deliverables/basicwrapper ---- nsapolicycoreutils/sandbox/deliverables/basicwrapper 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.83/sandbox/deliverables/basicwrapper 2010-07-30 13:50:40.000000000 -0400 +diff -up policycoreutils-2.0.83/sandbox/deliverables/basicwrapper.rhat policycoreutils-2.0.83/sandbox/deliverables/basicwrapper +--- policycoreutils-2.0.83/sandbox/deliverables/basicwrapper.rhat 2010-10-25 17:11:18.000000000 -0400 ++++ policycoreutils-2.0.83/sandbox/deliverables/basicwrapper 2010-10-25 17:11:18.000000000 -0400 @@ -0,0 +1,4 @@ +import os, sys +SANDBOX_ARGS = ['-f%s' % os.environ['_CONDOR_SCRATCH_DIR']] +SANDBOX_ARGS.extend(sys.argv[1::]) +os.execv('/usr/bin/sandbox',SANDBOX_ARGS) -diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/deliverables/README policycoreutils-2.0.83/sandbox/deliverables/README ---- nsapolicycoreutils/sandbox/deliverables/README 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.83/sandbox/deliverables/README 2010-07-30 13:50:40.000000000 -0400 +diff -up policycoreutils-2.0.83/sandbox/deliverables/README.rhat policycoreutils-2.0.83/sandbox/deliverables/README +--- policycoreutils-2.0.83/sandbox/deliverables/README.rhat 2010-10-25 17:11:18.000000000 -0400 ++++ policycoreutils-2.0.83/sandbox/deliverables/README 2010-10-25 17:11:18.000000000 -0400 @@ -0,0 +1,32 @@ +Files: +run-in-sandbox.py: 
@@ -1634,9 +1651,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po + +Thanks for a great summer. +Chris Pardy -diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/deliverables/run-in-sandbox.py policycoreutils-2.0.83/sandbox/deliverables/run-in-sandbox.py ---- nsapolicycoreutils/sandbox/deliverables/run-in-sandbox.py 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.83/sandbox/deliverables/run-in-sandbox.py 2010-07-30 13:50:40.000000000 -0400 +diff -up policycoreutils-2.0.83/sandbox/deliverables/run-in-sandbox.py.rhat policycoreutils-2.0.83/sandbox/deliverables/run-in-sandbox.py +--- policycoreutils-2.0.83/sandbox/deliverables/run-in-sandbox.py.rhat 2010-10-25 17:11:18.000000000 -0400 ++++ policycoreutils-2.0.83/sandbox/deliverables/run-in-sandbox.py 2010-10-25 17:11:18.000000000 -0400 @@ -0,0 +1,49 @@ +import os +import os.path @@ -1687,10 +1704,10 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po + def get_background_items(self, window, file): + return + -diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/Makefile policycoreutils-2.0.83/sandbox/Makefile ---- nsapolicycoreutils/sandbox/Makefile 2010-06-16 08:03:38.000000000 -0400 -+++ policycoreutils-2.0.83/sandbox/Makefile 2010-07-30 13:50:40.000000000 -0400 -@@ -7,8 +7,8 @@ +diff -up policycoreutils-2.0.83/sandbox/Makefile.rhat policycoreutils-2.0.83/sandbox/Makefile +--- policycoreutils-2.0.83/sandbox/Makefile.rhat 2010-06-16 08:04:12.000000000 -0400 ++++ policycoreutils-2.0.83/sandbox/Makefile 2010-10-25 17:11:18.000000000 -0400 +@@ -7,8 +7,8 @@ SBINDIR ?= $(PREFIX)/sbin MANDIR ?= $(PREFIX)/share/man LOCALEDIR ?= /usr/share/locale SHAREDIR ?= $(PREFIX)/share/sandbox 
@@ -1701,7 +1718,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po all: sandbox seunshare sandboxX.sh -@@ -20,6 +20,9 @@ +@@ -20,6 +20,9 @@ install: all install -m 755 sandbox $(BINDIR) -mkdir -p $(MANDIR)/man8 install -m 644 sandbox.8 $(MANDIR)/man8/ @@ -1711,7 +1728,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -mkdir -p $(SBINDIR) install -m 4755 seunshare $(SBINDIR)/ -mkdir -p $(SHAREDIR) -@@ -27,7 +30,7 @@ +@@ -27,7 +30,7 @@ install: all -mkdir -p $(INITDIR) install -m 755 sandbox.init $(INITDIR)/sandbox -mkdir -p $(SYSCONFDIR) 
@@ -1720,212 +1737,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po test: @python test_sandbox.py -v -diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/sandbox policycoreutils-2.0.83/sandbox/sandbox ---- nsapolicycoreutils/sandbox/sandbox 2010-06-16 08:03:38.000000000 -0400 -+++ policycoreutils-2.0.83/sandbox/sandbox 2010-09-13 11:40:20.000000000 -0400 -@@ -1,5 +1,6 @@ --#! /usr/bin/python -E -+#! /usr/bin/python -Es - # Authors: Dan Walsh -+# Authors: Thomas Liu - # Authors: Josh Cogliati - # - # Copyright (C) 2009,2010 Red Hat -@@ -19,15 +20,17 @@ - # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA - # - --import os, sys, socket, random, fcntl, shutil, re, subprocess -+import os, stat, sys, socket, random, fcntl, shutil, re, subprocess - import selinux - import signal - from tempfile import mkdtemp - import pwd -+import commands - - PROGNAME = "policycoreutils" - HOMEDIR=pwd.getpwuid(os.getuid()).pw_dir -- -+SEUNSHARE = "/usr/sbin/seunshare" -+SANDBOXSH = "/usr/share/sandbox/sandboxX.sh" - import gettext - gettext.bindtextdomain(PROGNAME, "/usr/share/locale") - gettext.textdomain(PROGNAME) -@@ -41,6 +44,7 @@ - import __builtin__ - __builtin__.__dict__['_'] = unicode - -+DEFAULT_WINDOWSIZE = "1000x700" - DEFAULT_TYPE = "sandbox_t" - DEFAULT_X_TYPE = "sandbox_x_t" - SAVE_FILES = {} -@@ -63,15 +67,15 @@ - sys.stderr.flush() - sys.exit(1) - --def copyfile(file, dir, dest): -+def copyfile(file, srcdir, dest): - import re -- if file.startswith(dir): -+ if file.startswith(srcdir): - dname = os.path.dirname(file) - bname = os.path.basename(file) -- if dname == dir: -+ if dname == srcdir: - dest = dest + "/" + bname - else: -- newdir = re.sub(dir, dest, dname) -+ newdir = re.sub(srcdir, dest, dname) - if not os.path.exists(newdir): - os.makedirs(newdir) - dest = newdir + "/" + bname -@@ -81,9 +85,10 @@ - shutil.copytree(file, dest) - else: - 
shutil.copy2(file, dest) -+ - except shutil.Error, elist: -- for e in elist: -- sys.stderr.write(e[1]) -+ for e in elist.message: -+ sys.stderr.write(e[2]) - - SAVE_FILES[file] = (dest, os.path.getmtime(dest)) - -@@ -161,10 +166,10 @@ - if not self.__options.homedir or not self.__options.tmpdir: - self.usage(_("Homedir and tempdir required for level mounts")) - -- if not os.path.exists("/usr/sbin/seunshare"): -+ if not os.path.exists(SEUNSHARE): - raise ValueError(_(""" --/usr/sbin/seunshare is required for the action you want to perform. --""")) -+%s is required for the action you want to perform. -+""") % SEUNSHARE) - - def __mount_callback(self, option, opt, value, parser): - self.__mount = True -@@ -172,6 +177,15 @@ - def __x_callback(self, option, opt, value, parser): - self.__mount = True - setattr(parser.values, option.dest, True) -+ if not os.path.exists(SEUNSHARE): -+ raise ValueError(_(""" -+%s is required for the action you want to perform. -+""") % SEUNSHARE) -+ -+ if not os.path.exists(SANDBOXSH): -+ raise ValueError(_(""" -+%s is required for the action you want to perform. -+""") % SANDBOXSH) - - def __validdir(self, option, opt, value, parser): - if not os.path.isdir(value): -@@ -218,7 +232,7 @@ - /usr/bin/test -r ~/.xmodmap && /usr/bin/xmodmap ~/.xmodmap - %s & - WM_PID=$! --%s -+dbus-launch --exit-with-session %s - kill -TERM $WM_PID 2> /dev/null - """ % (command, wm, command)) - fd.close() -@@ -230,9 +244,9 @@ - def __parse_options(self): - from optparse import OptionParser - usage = _(""" --sandbox [-h] [-[X|M] [-l level ] [-H homedir] [-T tempdir]] [-I includefile ] [-W windowmanager ] [[-i file ] ...] [ -t type ] command -+sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [-W windowmanager ] [ -w windowsize ] [[-i file ] ...] [ -t type ] command - --sandbox [-h] [-[X|M] [-l level ] [-H homedir] [-T tempdir]] [-I includefile ] [-W windowmanager ] [[-i file ] ...] 
[ -t type ] -S -+sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [-W windowmanager ] [ -w windowsize ] [[-i file ] ...] [ -t type ] -S - """) - - parser = OptionParser(version=self.VERSION, usage=usage) -@@ -268,6 +282,10 @@ - action="callback", callback=self.__validdir, - help=_("alternate /tmp directory to use for mounting")) - -+ parser.add_option("-w", "--windowsize", dest="windowsize", -+ type="string", default=DEFAULT_WINDOWSIZE, -+ help="size of the sandbox window") -+ - parser.add_option("-W", "--windowmanager", dest="wm", - type="string", - default="/usr/bin/matchbox-window-manager -use_titlebar no", -@@ -276,13 +294,17 @@ - parser.add_option("-l", "--level", dest="level", - help=_("MCS/MLS level for the sandbox")) - -+ parser.add_option("-C", "--cgroups", -+ action="store_true", dest="usecgroup", default=False, -+ help="Use cgroups to limit this sandbox.") -+ - self.__parser=parser - - self.__options, cmds = parser.parse_args() - - if self.__options.X_ind: - self.setype = DEFAULT_X_TYPE -- -+ - if self.__options.setype: - self.setype = self.__options.setype - -@@ -299,6 +321,9 @@ - self.__options.X_ind = True - self.__homedir = self.__options.homedir - self.__tmpdir = self.__options.tmpdir -+ elif self.__options.level: -+ self.__homedir = self.__options.homedir -+ self.__tmpdir = self.__options.tmpdir - else: - if len(cmds) == 0: - self.usage(_("Command required")) -@@ -351,22 +376,24 @@ - - def __execute(self): - try: -- if self.__options.X_ind: -- xmodmapfile = self.__homedir + "/.xmodmap" -- xd = open(xmodmapfile,"w") -- subprocess.Popen(["/usr/bin/xmodmap","-pke"],stdout=xd).wait() -- xd.close() -- -- self.__setup_sandboxrc(self.__options.wm) -- -- cmds = [ '/usr/sbin/seunshare', "-t", self.__tmpdir, "-h", self.__homedir, "--", self.__execcon, "/usr/share/sandbox/sandboxX.sh" ] -- rc = subprocess.Popen(cmds).wait() -- return rc -- -+ cmds = [ SEUNSHARE, "-Z", self.__execcon ] -+ if self.__options.usecgroup == True: -+ 
cmds.append('-c') - if self.__mount: -- cmds = [ '/usr/sbin/seunshare', "-t", self.__tmpdir, "-h", self.__homedir, "--", self.__execcon ] + self.__paths -- rc = subprocess.Popen(cmds).wait() -- return rc -+ cmds += [ "-t", self.__tmpdir, "-h", self.__homedir ] -+ -+ if self.__options.X_ind: -+ xmodmapfile = self.__homedir + "/.xmodmap" -+ xd = open(xmodmapfile,"w") -+ subprocess.Popen(["/usr/bin/xmodmap","-pke"],stdout=xd).wait() -+ xd.close() -+ -+ self.__setup_sandboxrc(self.__options.wm) -+ -+ cmds += [ "--", SANDBOXSH, self.__options.windowsize ] -+ else: -+ cmds += [ "--" ] + self.__paths -+ return subprocess.Popen(cmds).wait() - - selinux.setexeccon(self.__execcon) - rc = subprocess.Popen(self.__cmds).wait() -diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/sandbox.8 policycoreutils-2.0.83/sandbox/sandbox.8 ---- nsapolicycoreutils/sandbox/sandbox.8 2010-06-16 08:03:38.000000000 -0400 -+++ policycoreutils-2.0.83/sandbox/sandbox.8 2010-09-07 11:15:04.000000000 -0400 +diff -up policycoreutils-2.0.83/sandbox/sandbox.8.rhat policycoreutils-2.0.83/sandbox/sandbox.8 +--- policycoreutils-2.0.83/sandbox/sandbox.8.rhat 2010-06-16 08:04:12.000000000 -0400 ++++ policycoreutils-2.0.83/sandbox/sandbox.8 2010-10-25 17:11:18.000000000 -0400 @@ -1,10 +1,13 @@ -.TH SANDBOX "8" "May 2009" "chcat" "User Commands" +.TH SANDBOX "8" "May 2010" "sandbox" "User Commands" @@ -1943,7 +1757,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po .br .SH DESCRIPTION .PP -@@ -42,6 +45,12 @@ +@@ -42,6 +45,12 @@ Use alternate sandbox type, defaults to \fB\-T\ tmpdir Use alternate tempory directory to mount on /tmp. Defaults to tmpfs. Requires -X or -M. .TP 
@@ -1956,7 +1770,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po \fB\-W windowmanager\fR Select alternative window manager to run within .B sandbox -X. -@@ -50,8 +59,17 @@ +@@ -50,8 +59,17 @@ Default to /usr/bin/matchbox-window-mana \fB\-X\fR Create an X based Sandbox for gui apps, temporary files for $HOME and /tmp, secondary Xserver, defaults to sandbox_x_t @@ -1975,20 +1789,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po +.I Dan Walsh +and +.I Thomas Liu -diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/sandbox.conf policycoreutils-2.0.83/sandbox/sandbox.conf ---- nsapolicycoreutils/sandbox/sandbox.conf 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.83/sandbox/sandbox.conf 2010-07-30 13:50:40.000000000 -0400 -@@ -0,0 +1,7 @@ -+# Space separate list of homedirs -+HOMEDIRS="/home" -+# Control group configuration -+NAME=sandbox -+CPUAFFINITY=ALL -+MEMUSAGE=80% -+CPUUSAGE=80% -diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/sandbox.conf.5 policycoreutils-2.0.83/sandbox/sandbox.conf.5 ---- nsapolicycoreutils/sandbox/sandbox.conf.5 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.83/sandbox/sandbox.conf.5 2010-07-30 13:50:40.000000000 -0400 +diff -up policycoreutils-2.0.83/sandbox/sandbox.conf.5.rhat policycoreutils-2.0.83/sandbox/sandbox.conf.5 +--- policycoreutils-2.0.83/sandbox/sandbox.conf.5.rhat 2010-10-25 17:11:18.000000000 -0400 ++++ policycoreutils-2.0.83/sandbox/sandbox.conf.5 2010-10-25 17:11:18.000000000 -0400 @@ -0,0 +1,40 @@ +.TH sandbox.conf "5" "June 2010" "sandbox.conf" "Linux System Administration" +.SH NAME 
@@ -2030,15 +1833,21 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po +.SH AUTHOR +This manual page was written by +.I Thomas Liu -diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/sandbox.config policycoreutils-2.0.83/sandbox/sandbox.config ---- nsapolicycoreutils/sandbox/sandbox.config 2010-06-16 08:03:38.000000000 -0400 -+++ policycoreutils-2.0.83/sandbox/sandbox.config 1969-12-31 19:00:00.000000000 -0500 -@@ -1,2 +0,0 @@ --# Space separate list of homedirs --HOMEDIRS="/home" -diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/sandbox.init policycoreutils-2.0.83/sandbox/sandbox.init ---- nsapolicycoreutils/sandbox/sandbox.init 2010-06-16 08:03:38.000000000 -0400 -+++ policycoreutils-2.0.83/sandbox/sandbox.init 2010-07-30 13:50:40.000000000 -0400 +diff -up policycoreutils-2.0.83/sandbox/sandbox.config.rhat policycoreutils-2.0.83/sandbox/sandbox.config +diff -up policycoreutils-2.0.83/sandbox/sandbox.conf.rhat policycoreutils-2.0.83/sandbox/sandbox.conf +--- policycoreutils-2.0.83/sandbox/sandbox.conf.rhat 2010-10-25 17:11:18.000000000 -0400 ++++ policycoreutils-2.0.83/sandbox/sandbox.conf 2010-10-25 17:11:18.000000000 -0400 +@@ -0,0 +1,7 @@ ++# Space separate list of homedirs ++HOMEDIRS="/home" ++# Control group configuration ++NAME=sandbox ++CPUAFFINITY=ALL ++MEMUSAGE=80% ++CPUUSAGE=80% +diff -up policycoreutils-2.0.83/sandbox/sandbox.init.rhat policycoreutils-2.0.83/sandbox/sandbox.init +--- policycoreutils-2.0.83/sandbox/sandbox.init.rhat 2010-06-16 08:04:12.000000000 -0400 ++++ policycoreutils-2.0.83/sandbox/sandbox.init 2010-10-25 17:11:18.000000000 -0400 @@ -10,17 +10,12 @@ # # chkconfig: 345 1 99 
@@ -2063,9 +1872,230 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po # # Source function library. -diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/sandboxX.sh policycoreutils-2.0.83/sandbox/sandboxX.sh ---- nsapolicycoreutils/sandbox/sandboxX.sh 2010-06-16 08:03:38.000000000 -0400 -+++ policycoreutils-2.0.83/sandbox/sandboxX.sh 2010-09-13 17:00:38.000000000 -0400 +diff -up policycoreutils-2.0.83/sandbox/sandbox.rhat policycoreutils-2.0.83/sandbox/sandbox +--- policycoreutils-2.0.83/sandbox/sandbox.rhat 2010-06-16 08:04:12.000000000 -0400 ++++ policycoreutils-2.0.83/sandbox/sandbox 2010-10-25 17:11:18.000000000 -0400 +@@ -1,5 +1,6 @@ +-#! /usr/bin/python -E ++#! /usr/bin/python -Es + # Authors: Dan Walsh ++# Authors: Thomas Liu + # Authors: Josh Cogliati + # + # Copyright (C) 2009,2010 Red Hat +@@ -19,15 +20,17 @@ + # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + # + +-import os, sys, socket, random, fcntl, shutil, re, subprocess ++import os, stat, sys, socket, random, fcntl, shutil, re, subprocess + import selinux + import signal + from tempfile import mkdtemp + import pwd ++import commands + + PROGNAME = "policycoreutils" + HOMEDIR=pwd.getpwuid(os.getuid()).pw_dir +- ++SEUNSHARE = "/usr/sbin/seunshare" ++SANDBOXSH = "/usr/share/sandbox/sandboxX.sh" + import gettext + gettext.bindtextdomain(PROGNAME, "/usr/share/locale") + gettext.textdomain(PROGNAME) +@@ -41,6 +44,7 @@ except IOError: + import __builtin__ + __builtin__.__dict__['_'] = unicode + ++DEFAULT_WINDOWSIZE = "1000x700" + DEFAULT_TYPE = "sandbox_t" + DEFAULT_X_TYPE = "sandbox_x_t" + SAVE_FILES = {} +@@ -63,15 +67,15 @@ def error_exit(msg): + sys.stderr.flush() + sys.exit(1) + +-def copyfile(file, dir, dest): ++def copyfile(file, srcdir, dest): + import re +- if file.startswith(dir): ++ if file.startswith(srcdir): + dname = os.path.dirname(file) + bname = 
os.path.basename(file) +- if dname == dir: ++ if dname == srcdir: + dest = dest + "/" + bname + else: +- newdir = re.sub(dir, dest, dname) ++ newdir = re.sub(srcdir, dest, dname) + if not os.path.exists(newdir): + os.makedirs(newdir) + dest = newdir + "/" + bname +@@ -81,9 +85,10 @@ def copyfile(file, dir, dest): + shutil.copytree(file, dest) + else: + shutil.copy2(file, dest) ++ + except shutil.Error, elist: +- for e in elist: +- sys.stderr.write(e[1]) ++ for e in elist.message: ++ sys.stderr.write(e[2]) + + SAVE_FILES[file] = (dest, os.path.getmtime(dest)) + +@@ -161,10 +166,10 @@ class Sandbox: + if not self.__options.homedir or not self.__options.tmpdir: + self.usage(_("Homedir and tempdir required for level mounts")) + +- if not os.path.exists("/usr/sbin/seunshare"): ++ if not os.path.exists(SEUNSHARE): + raise ValueError(_(""" +-/usr/sbin/seunshare is required for the action you want to perform. +-""")) ++%s is required for the action you want to perform. ++""") % SEUNSHARE) + + def __mount_callback(self, option, opt, value, parser): + self.__mount = True +@@ -172,6 +177,15 @@ class Sandbox: + def __x_callback(self, option, opt, value, parser): + self.__mount = True + setattr(parser.values, option.dest, True) ++ if not os.path.exists(SEUNSHARE): ++ raise ValueError(_(""" ++%s is required for the action you want to perform. ++""") % SEUNSHARE) ++ ++ if not os.path.exists(SANDBOXSH): ++ raise ValueError(_(""" ++%s is required for the action you want to perform. 
++""") % SANDBOXSH) + + def __validdir(self, option, opt, value, parser): + if not os.path.isdir(value): +@@ -194,6 +208,8 @@ class Sandbox: + self.__include(option, opt, i[:-1], parser) + except IOError, e: + sys.stderr.write(str(e)) ++ except TypeError, e: ++ sys.stderr.write(str(e)) + fd.close() + + def __copyfiles(self): +@@ -212,13 +228,15 @@ class Sandbox: + /etc/gdm/Xsession + """) + else: +- command = " ".join(self.__paths) ++ command = self.__paths[0] + " " ++ for p in self.__paths[1:]: ++ command += "'%s' " % p + fd.write("""#! /bin/sh + #TITLE: %s + /usr/bin/test -r ~/.xmodmap && /usr/bin/xmodmap ~/.xmodmap + %s & + WM_PID=$! +-%s ++dbus-launch --exit-with-session %s + kill -TERM $WM_PID 2> /dev/null + """ % (command, wm, command)) + fd.close() +@@ -230,9 +248,9 @@ kill -TERM $WM_PID 2> /dev/null + def __parse_options(self): + from optparse import OptionParser + usage = _(""" +-sandbox [-h] [-[X|M] [-l level ] [-H homedir] [-T tempdir]] [-I includefile ] [-W windowmanager ] [[-i file ] ...] [ -t type ] command ++sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [-W windowmanager ] [ -w windowsize ] [[-i file ] ...] [ -t type ] command + +-sandbox [-h] [-[X|M] [-l level ] [-H homedir] [-T tempdir]] [-I includefile ] [-W windowmanager ] [[-i file ] ...] [ -t type ] -S ++sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [-W windowmanager ] [ -w windowsize ] [[-i file ] ...] 
[ -t type ] -S + """) + + parser = OptionParser(version=self.VERSION, usage=usage) +@@ -268,6 +286,10 @@ sandbox [-h] [-[X|M] [-l level ] [-H hom + action="callback", callback=self.__validdir, + help=_("alternate /tmp directory to use for mounting")) + ++ parser.add_option("-w", "--windowsize", dest="windowsize", ++ type="string", default=DEFAULT_WINDOWSIZE, ++ help="size of the sandbox window") ++ + parser.add_option("-W", "--windowmanager", dest="wm", + type="string", + default="/usr/bin/matchbox-window-manager -use_titlebar no", +@@ -276,13 +298,17 @@ sandbox [-h] [-[X|M] [-l level ] [-H hom + parser.add_option("-l", "--level", dest="level", + help=_("MCS/MLS level for the sandbox")) + ++ parser.add_option("-C", "--cgroups", ++ action="store_true", dest="usecgroup", default=False, ++ help="Use cgroups to limit this sandbox.") ++ + self.__parser=parser + + self.__options, cmds = parser.parse_args() + + if self.__options.X_ind: + self.setype = DEFAULT_X_TYPE +- ++ + if self.__options.setype: + self.setype = self.__options.setype + +@@ -299,6 +325,9 @@ sandbox [-h] [-[X|M] [-l level ] [-H hom + self.__options.X_ind = True + self.__homedir = self.__options.homedir + self.__tmpdir = self.__options.tmpdir ++ elif self.__options.level: ++ self.__homedir = self.__options.homedir ++ self.__tmpdir = self.__options.tmpdir + else: + if len(cmds) == 0: + self.usage(_("Command required")) +@@ -351,22 +380,24 @@ sandbox [-h] [-[X|M] [-l level ] [-H hom + + def __execute(self): + try: +- if self.__options.X_ind: +- xmodmapfile = self.__homedir + "/.xmodmap" +- xd = open(xmodmapfile,"w") +- subprocess.Popen(["/usr/bin/xmodmap","-pke"],stdout=xd).wait() +- xd.close() +- +- self.__setup_sandboxrc(self.__options.wm) +- +- cmds = [ '/usr/sbin/seunshare', "-t", self.__tmpdir, "-h", self.__homedir, "--", self.__execcon, "/usr/share/sandbox/sandboxX.sh" ] +- rc = subprocess.Popen(cmds).wait() +- return rc +- ++ cmds = [ SEUNSHARE, "-Z", self.__execcon ] ++ if self.__options.usecgroup 
== True: ++ cmds.append('-c') + if self.__mount: +- cmds = [ '/usr/sbin/seunshare', "-t", self.__tmpdir, "-h", self.__homedir, "--", self.__execcon ] + self.__paths +- rc = subprocess.Popen(cmds).wait() +- return rc ++ cmds += [ "-t", self.__tmpdir, "-h", self.__homedir ] ++ ++ if self.__options.X_ind: ++ xmodmapfile = self.__homedir + "/.xmodmap" ++ xd = open(xmodmapfile,"w") ++ subprocess.Popen(["/usr/bin/xmodmap","-pke"],stdout=xd).wait() ++ xd.close() ++ ++ self.__setup_sandboxrc(self.__options.wm) ++ ++ cmds += [ "--", SANDBOXSH, self.__options.windowsize ] ++ else: ++ cmds += [ "--" ] + self.__paths ++ return subprocess.Popen(cmds).wait() + + selinux.setexeccon(self.__execcon) + rc = subprocess.Popen(self.__cmds).wait() +diff -up policycoreutils-2.0.83/sandbox/sandboxX.sh.rhat policycoreutils-2.0.83/sandbox/sandboxX.sh +--- policycoreutils-2.0.83/sandbox/sandboxX.sh.rhat 2010-06-16 08:04:12.000000000 -0400 ++++ policycoreutils-2.0.83/sandbox/sandboxX.sh 2010-10-25 17:11:18.000000000 -0400 @@ -1,13 +1,26 @@ #!/bin/bash context=`id -Z | secon -t -l -P` @@ -2096,10 +2126,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po export EXITCODE=$? kill -HUP 0 break -Binary files nsapolicycoreutils/sandbox/seunshare and policycoreutils-2.0.83/sandbox/seunshare differ -diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/seunshare.8 policycoreutils-2.0.83/sandbox/seunshare.8 ---- nsapolicycoreutils/sandbox/seunshare.8 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.83/sandbox/seunshare.8 2010-07-30 13:50:40.000000000 -0400 +diff -up policycoreutils-2.0.83/sandbox/seunshare.8.rhat policycoreutils-2.0.83/sandbox/seunshare.8 +--- policycoreutils-2.0.83/sandbox/seunshare.8.rhat 2010-10-25 17:11:18.000000000 -0400 ++++ policycoreutils-2.0.83/sandbox/seunshare.8 2010-10-25 17:11:18.000000000 -0400 
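Review bot: The new `.sandboxrc` quoting in `__setup_sandboxrc` wraps each argument after the command in single quotes, `command += "'%s' " % p`, which handles spaces but not a file name containing a single quote: the quote closes the string and whatever follows is parsed by `/bin/sh` as shell syntax, and the command itself, `self.__paths[0]`, is still written unquoted, so a command path with a space remains broken. Because this is a shell script generated from user-chosen paths, every element should go through the standard library's shell quoting — `import pipes` next to the other imports and `command = " ".join(pipes.quote(p) for p in self.__paths)`. The same unescaped `command` is also interpolated into the `#TITLE: %s` comment line, which stays a comment only as long as no argument contains a newline. The `def __setup_sandboxrc` header is not part of this hunk, and the hunk also covers the `__execute` rewrite whose tail continues outside it.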
@@ -0,0 +1,37 @@ +.TH SEUNSHARE "8" "May 2010" "seunshare" "User Commands" +.SH NAME @@ -2138,9 +2167,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po +.I Dan Walsh +and +.I Thomas Liu -diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/seunshare.c policycoreutils-2.0.83/sandbox/seunshare.c ---- nsapolicycoreutils/sandbox/seunshare.c 2010-06-16 08:03:38.000000000 -0400 -+++ policycoreutils-2.0.83/sandbox/seunshare.c 2010-08-24 22:49:42.000000000 -0400 +diff -up policycoreutils-2.0.83/sandbox/seunshare.c.rhat policycoreutils-2.0.83/sandbox/seunshare.c +--- policycoreutils-2.0.83/sandbox/seunshare.c.rhat 2010-06-16 08:04:12.000000000 -0400 ++++ policycoreutils-2.0.83/sandbox/seunshare.c 2010-10-25 17:11:18.000000000 -0400 @@ -1,13 +1,21 @@ +/* + * Authors: Dan Walsh @@ -2193,7 +2222,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po /** * This function will drop all capabilities * Returns zero on success, non-zero otherwise -@@ -134,42 +145,98 @@ +@@ -134,42 +145,98 @@ static int verify_shell(const char *shel static int seunshare_mount(const char *src, const char *dst, struct passwd *pwd) { if (verbose) printf("Mount %s on %s\n", src, dst); @@ -2297,7 +2326,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po {NULL, 0, 0, 0} }; -@@ -180,6 +247,12 @@ +@@ -180,6 +247,12 @@ int main(int argc, char **argv) { return -1; } @@ -2310,7 +2339,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po struct passwd *pwd=getpwuid(uid); if (!pwd) { perror(_("getpwduid failed")); -@@ -192,30 +265,30 @@ +@@ -192,30 +265,30 @@ int main(int argc, char **argv) { } while (1) { 
@@ -2350,7 +2379,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po default: fprintf(stderr, "%s\n", USAGE_STRING); return -1; -@@ -223,21 +296,179 @@ +@@ -223,21 +296,179 @@ int main(int argc, char **argv) { } if (! homedir_s && ! tmpdir_s) { @@ -2536,7 +2565,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po if (unshare(CLONE_NEWNS) < 0) { perror(_("Failed to unshare")); -@@ -286,11 +517,13 @@ +@@ -286,11 +517,13 @@ int main(int argc, char **argv) { exit(-1); } @@ -2555,7 +2584,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po } if (display) -@@ -305,17 +538,14 @@ +@@ -305,17 +538,14 @@ int main(int argc, char **argv) { perror(_("Failed to change dir to homedir")); exit(-1); } @@ -2574,19 +2603,18 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po - return status; } -Binary files nsapolicycoreutils/sandbox/seunshare.o and policycoreutils-2.0.83/sandbox/seunshare.o differ -diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/chcat policycoreutils-2.0.83/scripts/chcat ---- nsapolicycoreutils/scripts/chcat 2010-05-19 14:45:51.000000000 -0400 -+++ policycoreutils-2.0.83/scripts/chcat 2010-07-30 13:50:40.000000000 -0400 +diff -up policycoreutils-2.0.83/scripts/chcat.rhat policycoreutils-2.0.83/scripts/chcat +--- policycoreutils-2.0.83/scripts/chcat.rhat 2010-06-16 08:04:12.000000000 -0400 ++++ policycoreutils-2.0.83/scripts/chcat 2010-10-25 17:11:18.000000000 -0400 
@@ -1,4 +1,4 @@ -#! /usr/bin/python -E +#! /usr/bin/python -Es # Copyright (C) 2005 Red Hat # see file 'COPYING' for use and warranty information # -diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/fixfiles policycoreutils-2.0.83/scripts/fixfiles ---- nsapolicycoreutils/scripts/fixfiles 2010-05-19 14:45:51.000000000 -0400 -+++ policycoreutils-2.0.83/scripts/fixfiles 2010-07-30 13:50:40.000000000 -0400 +diff -up policycoreutils-2.0.83/scripts/fixfiles.rhat policycoreutils-2.0.83/scripts/fixfiles +--- policycoreutils-2.0.83/scripts/fixfiles.rhat 2010-06-16 08:04:12.000000000 -0400 ++++ policycoreutils-2.0.83/scripts/fixfiles 2010-10-25 17:11:18.000000000 -0400 @@ -21,6 +21,17 @@ # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA @@ -2605,7 +2633,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po # Set global Variables # fullFlag=0 -@@ -35,9 +46,7 @@ +@@ -35,9 +46,7 @@ SYSLOGFLAG="-l" LOGGER=/usr/sbin/logger SETFILES=/sbin/setfiles RESTORECON=/sbin/restorecon @@ -2616,7 +2644,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po SELINUXTYPE="targeted" if [ -e /etc/selinux/config ]; then . /etc/selinux/config -@@ -87,23 +96,10 @@ +@@ -87,23 +96,10 @@ if [ -f ${PREFC} -a -x /usr/bin/diff ]; esac; \ fi; \ done | \ @@ -2641,7 +2669,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po rpmlist() { rpm -q --qf '[%{FILESTATES} %{FILENAMES}\n]' "$1" | grep '^0 ' | cut -f2- -d ' ' -@@ -121,23 +117,16 @@ +@@ -121,23 +117,16 @@ if [ ! -z "$PREFC" ]; then fi if [ ! -z "$RPMFILES" ]; then for i in `echo "$RPMFILES" | sed 's/,/ /g'`; do 
@@ -2668,7 +2696,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po rm -rf /tmp/gconfd-* /tmp/pulse-* /tmp/orbit-* find /tmp \( -context "*:file_t*" -o -context "*:unlabeled_t*" \) -exec chcon -t tmp_t {} \; find /var/tmp \( -context "*:file_t*" -o -context "*:unlabeled_t*" \) -exec chcon -t tmp_t {} \; -@@ -146,8 +135,7 @@ +@@ -146,8 +135,7 @@ exit $? fullrelabel() { logit "Cleaning out /tmp" @@ -2678,9 +2706,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po restore } -diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/genhomedircon.8 policycoreutils-2.0.83/scripts/genhomedircon.8 ---- nsapolicycoreutils/scripts/genhomedircon.8 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.83/scripts/genhomedircon.8 2010-07-30 13:50:40.000000000 -0400 +diff -up policycoreutils-2.0.83/scripts/genhomedircon.8.rhat policycoreutils-2.0.83/scripts/genhomedircon.8 +--- policycoreutils-2.0.83/scripts/genhomedircon.8.rhat 2010-10-25 17:11:18.000000000 -0400 ++++ policycoreutils-2.0.83/scripts/genhomedircon.8 2010-10-25 17:11:18.000000000 -0400 @@ -0,0 +1,37 @@ +.\" Hey, Emacs! This is an -*- nroff -*- source file. +.\" Copyright (c) 2010 Dan Walsh 
@@ -2719,10 +2747,10 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po +.SH AUTHOR +This manual page was written by +.I Dan Walsh -diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/Makefile policycoreutils-2.0.83/scripts/Makefile ---- nsapolicycoreutils/scripts/Makefile 2010-05-19 14:45:51.000000000 -0400 -+++ policycoreutils-2.0.83/scripts/Makefile 2010-07-30 13:50:40.000000000 -0400 -@@ -14,6 +14,7 @@ +diff -up policycoreutils-2.0.83/scripts/Makefile.rhat policycoreutils-2.0.83/scripts/Makefile +--- policycoreutils-2.0.83/scripts/Makefile.rhat 2010-06-16 08:04:12.000000000 -0400 ++++ policycoreutils-2.0.83/scripts/Makefile 2010-10-25 17:11:18.000000000 -0400 +@@ -14,6 +14,7 @@ install: all install -m 755 genhomedircon $(SBINDIR) -mkdir -p $(MANDIR)/man8 install -m 644 fixfiles.8 $(MANDIR)/man8/ 
@@ -2730,9 +2758,34 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po install -m 644 chcat.8 $(MANDIR)/man8/ clean: -diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/default_encoding/default_encoding.c policycoreutils-2.0.83/semanage/default_encoding/default_encoding.c ---- nsapolicycoreutils/semanage/default_encoding/default_encoding.c 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.83/semanage/default_encoding/default_encoding.c 2010-07-30 13:50:40.000000000 -0400 +diff -up policycoreutils-2.0.83/scripts/severify.py.rhat policycoreutils-2.0.83/scripts/severify.py +--- policycoreutils-2.0.83/scripts/severify.py.rhat 2010-10-25 17:11:18.000000000 -0400 ++++ policycoreutils-2.0.83/scripts/severify.py 2010-10-25 17:11:18.000000000 -0400 +@@ -0,0 +1,21 @@ ++#! /usr/bin/python -Es ++import seobject ++import selinux ++import setools ++import sys ++#store = selinux.selinux_getpolicytype()[1] ++#mod=seobject.moduleRecords(store = store, reload=False) ++#mod.disable("zebra") ++fd = open(sys.argv[1], "r") ++lines = fd.readlines() ++#fd.close() ++#for i in lines: ++# j = i.split() ++# if len(j) == 0 or ( j[0] != "allow" and j[0] != "dontaudit"): ++# continue ++# allow = j[0] ++# print j[1] ++#sys.exit() ++#setools.sesearch([ setools.ALLOW ], { setools.SCONTEXT:"rwho_t", setools.TCONTEXT:"rwho_spool_t" } ) ++#mod.enable("zebra") ++ +diff -up policycoreutils-2.0.83/semanage/default_encoding/default_encoding.c.rhat policycoreutils-2.0.83/semanage/default_encoding/default_encoding.c +--- policycoreutils-2.0.83/semanage/default_encoding/default_encoding.c.rhat 2010-10-25 17:11:18.000000000 -0400 ++++ policycoreutils-2.0.83/semanage/default_encoding/default_encoding.c 2010-10-25 17:11:18.000000000 -0400 @@ -0,0 +1,59 @@ +/* + * Authors: 
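Review bot: `scripts/severify.py` is added as a 21-line file of which 16 lines are commented-out experiments; the live code imports `seobject`, `selinux` and `setools` without using them, opens `sys.argv[1]` with no argument check and never closes the descriptor (the `#fd.close()` is itself commented out), and the `lines` it reads are never consumed. The visible scripts/Makefile install lines do not reference it, so it looks like a debugging scratch that was swept into the patch by accident; drop it from the patch, or if it is meant to stay, reduce it to what it actually does and guard the input: check `len(sys.argv)` first and read with `with open(sys.argv[1]) as fd: lines = fd.readlines()`.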
@@ -2793,9 +2846,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po + PyUnicode_SetDefaultEncoding("utf-8"); + m = Py_InitModule3("default_encoding_utf8", methods, "Forces the default encoding to utf-8"); +} -diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/default_encoding/Makefile policycoreutils-2.0.83/semanage/default_encoding/Makefile ---- nsapolicycoreutils/semanage/default_encoding/Makefile 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.83/semanage/default_encoding/Makefile 2010-07-30 13:50:40.000000000 -0400 +diff -up policycoreutils-2.0.83/semanage/default_encoding/Makefile.rhat policycoreutils-2.0.83/semanage/default_encoding/Makefile +--- policycoreutils-2.0.83/semanage/default_encoding/Makefile.rhat 2010-10-25 17:11:18.000000000 -0400 ++++ policycoreutils-2.0.83/semanage/default_encoding/Makefile 2010-10-25 17:11:18.000000000 -0400 @@ -0,0 +1,8 @@ +all: + LDFLAGS="" python setup.py build 
@@ -2805,9 +2858,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po + +clean: + rm -rf build *~ -diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/default_encoding/policycoreutils/__init__.py policycoreutils-2.0.83/semanage/default_encoding/policycoreutils/__init__.py ---- nsapolicycoreutils/semanage/default_encoding/policycoreutils/__init__.py 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.83/semanage/default_encoding/policycoreutils/__init__.py 2010-07-30 13:50:40.000000000 -0400 +diff -up policycoreutils-2.0.83/semanage/default_encoding/policycoreutils/__init__.py.rhat policycoreutils-2.0.83/semanage/default_encoding/policycoreutils/__init__.py +--- policycoreutils-2.0.83/semanage/default_encoding/policycoreutils/__init__.py.rhat 2010-10-25 17:11:18.000000000 -0400 ++++ policycoreutils-2.0.83/semanage/default_encoding/policycoreutils/__init__.py 2010-10-25 17:11:18.000000000 -0400 @@ -0,0 +1,17 @@ +# +# Copyright (C) 2006,2007,2008, 2009 Red Hat, Inc. 
@@ -2826,9 +2879,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po +# along with this program; if not, write to the Free Software +# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +# -diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/default_encoding/setup.py policycoreutils-2.0.83/semanage/default_encoding/setup.py ---- nsapolicycoreutils/semanage/default_encoding/setup.py 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.83/semanage/default_encoding/setup.py 2010-07-30 13:50:40.000000000 -0400 +diff -up policycoreutils-2.0.83/semanage/default_encoding/setup.py.rhat policycoreutils-2.0.83/semanage/default_encoding/setup.py +--- policycoreutils-2.0.83/semanage/default_encoding/setup.py.rhat 2010-10-25 17:11:18.000000000 -0400 ++++ policycoreutils-2.0.83/semanage/default_encoding/setup.py 2010-10-25 17:11:18.000000000 -0400 @@ -0,0 +1,38 @@ +# Authors: +# John Dennis 
@@ -2868,9 +2921,218 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po + ext_modules = [default_encoding_utf8], + packages=["policycoreutils"], +) -diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/semanage policycoreutils-2.0.83/semanage/semanage ---- nsapolicycoreutils/semanage/semanage 2010-05-19 14:45:51.000000000 -0400 -+++ policycoreutils-2.0.83/semanage/semanage 2010-08-13 15:13:19.000000000 -0400 +diff -up policycoreutils-2.0.83/semanage/semanage.8.rhat policycoreutils-2.0.83/semanage/semanage.8 +--- policycoreutils-2.0.83/semanage/semanage.8.rhat 2010-06-16 08:04:12.000000000 -0400 ++++ policycoreutils-2.0.83/semanage/semanage.8 2010-10-25 17:11:18.000000000 -0400 +@@ -1,29 +1,69 @@ +-.TH "semanage" "8" "2005111103" "" "" ++.TH "semanage" "8" "20100223" "" "" + .SH "NAME" + semanage \- SELinux Policy Management tool + + .SH "SYNOPSIS" +-.B semanage {boolean|login|user|port|interface|node|fcontext} \-{l|D} [\-n] [\-S store] ++Output local customizations + .br +-.B semanage boolean \-{d|m} [\-\-on|\-\-off|\-1|\-0] -F boolean | boolean_file ++.B semanage [ -S store ] -o [ output_file | - ] ++ ++Input local customizations + .br +-.B semanage login \-{a|d|m} [\-sr] login_name | %groupname ++.B semanage [ -S store ] -i [ input_file | - ] ++ ++Manage booleans. Booleans allow the administrator to modify the confinement of ++processes based on his configuration. + .br +-.B semanage user \-{a|d|m} [\-LrRP] selinux_name ++.B semanage boolean [\-S store] \-{d|m|l|n|D} \-[\-on|\-off|\1|0] -F boolean | boolean_file ++ ++Manage SELinux confined users (Roles and levels for an SELinux user) ++.br ++.B semanage user [\-S store] \-{a|d|m|l|n|D} [\-LrRP] selinux_name ++ ++Manage login mappings between linux users and SELinux confined users. ++.br ++.B semanage login [\-S store] \-{a|d|m|l|n|D} [\-sr] login_name | %groupname ++ ++Manage policy modules. 
++.br ++.B semanage module [\-S store] \-{a|d|l} [-m [--enable | --disable] ] module_name ++ ++Manage network port type definitions ++.br ++.B semanage port [\-S store] \-{a|d|m|l|n|D} [\-tr] [\-p proto] port | port_range ++.br ++ ++Manage network interface type definitions ++.br ++.B semanage interface [\-S store] \-{a|d|m|l|n|D} [\-tr] interface_spec ++ ++Manage network node type definitions ++.br ++.B semanage node [\-S store] -{a|d|m|l|n|D} [-tr] [ -p protocol ] [-M netmask] address ++.br ++ ++Manage file context mapping definitions + .br +-.B semanage port \-{a|d|m} [\-tr] [\-p proto] port | port_range ++.B semanage fcontext [\-S store] \-{a|d|m|l|n|D} [\-frst] file_spec + .br +-.B semanage interface \-{a|d|m} [\-tr] interface_spec ++.B semanage fcontext [\-S store] \-{a|d|m|l|n|D} \-e replacement target + .br +-.B semanage node -{a|d|m} [-tr] [ -p protocol ] [-M netmask] address ++ ++Manage processes type enforcement mode + .br +-.B semanage fcontext \-{a|d|m} [\-frst] file_spec ++.B semanage permissive [\-S store] \-{a|d|l|n|D} type + .br +-.B semanage permissive \-{a|d} type ++ ++Disable/Enable dontaudit rules in policy + .br +-.B semanage dontaudit [ on | off ] ++.B semanage dontaudit [\-S store] [ on | off ] + .P + ++Execute multiple commands within a single transaction. ++.br ++.B semanage [\-S store] \-i command-file ++.br ++ + .SH "DESCRIPTION" + semanage is used to configure certain elements of + SELinux policy without requiring modification to or recompilation +@@ -52,6 +92,22 @@ Delete a OBJECT record NAME + .I \-D, \-\-deleteall + Remove all OBJECTS local customizations + .TP ++.I \-\-disable ++Disable a policy module, requires -m option ++ ++Currently modules only. ++.TP ++.I \-\-enable ++Enable a disabled policy module, requires -m option ++ ++Currently modules only. ++.TP ++.I \-e, \-\-equal ++Substitute target path with sourcepath when generating default label. This is used with ++fcontext. Requires source and target path arguments. 
The context ++labeling for the target subtree is made equivalent to that ++defined for the source. ++.TP + .I \-f, \-\-ftype + File Type. This is used with fcontext. + Requires a file type as shown in the mode field by ls, e.g. use -d to match only directories or -- to match only regular files. +@@ -60,6 +116,7 @@ Requires a file type as shown in the mod + Set multiple records from the input file. When used with the \-l \-\-list, it will output the current settings to stdout in the proper format. + + Currently booleans only. ++ + .TP + .I \-h, \-\-help + display this message +@@ -76,6 +133,9 @@ Default SELinux Level for SELinux use, s + .I \-m, \-\-modify + Modify a OBJECT record NAME + .TP ++.I \-M, \-\-mask ++Network Mask ++.TP + .I \-n, \-\-noheading + Do not print heading when listing OBJECTS. + .TP +@@ -99,26 +159,67 @@ Select and alternate SELinux store to ma + .TP + .I \-t, \-\-type + SELinux Type for the object ++.TP ++.I \-i, \-\-input ++Take a set of commands from a specified file and load them in a single ++transaction. + + .SH EXAMPLE + .nf +-# View SELinux user mappings +-$ semanage user -l +-# Allow joe to login as staff_u +-$ semanage login -a -s staff_u joe +-# Allow the group clerks to login as user_u +-$ semanage login -a -s user_u %clerks +-# Add file-context for everything under /web (used by restorecon) +-$ semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?" 
+-# Allow Apache to listen on port 81 +-$ semanage port -a -t http_port_t -p tcp 81 +-# Change apache to a permissive domain +-$ semanage permissive -a httpd_t +-# Turn off dontaudit rules +-$ semanage dontaudit off ++.B SELinux user ++List SELinux users ++# semanage user -l ++ ++.B SELinux login ++Change joe to login as staff_u ++# semanage login -a -s staff_u joe ++Change the group clerks to login as user_u ++# semanage login -a -s user_u %clerks ++ ++.B File contexts ++.i remember to run restorecon after you set the file context ++Add file-context for everything under /web ++# semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?" ++# restorecon -R -v /web ++ ++Substitute /home1 with /home when setting file context ++# semanage fcontext -a -e /home /home1 ++# restorecon -R -v /home1 ++ ++For home directories under top level directory, for example /disk6/home, ++execute the following commands. ++# semanage fcontext -a -t home_root_t "/disk6" ++# semanage fcontext -a -e /home /disk6/home ++# restorecon -R -v /disk6 ++ ++.B Port contexts ++Allow Apache to listen on tcp port 81 ++# semanage port -a -t http_port_t -p tcp 81 ++ ++.B Change apache to a permissive domain ++# semanage permissive -a httpd_t ++ ++.B Turn off dontaudit rules ++# semanage dontaudit off ++ ++.B Managing multiple machines ++Multiple machines that need the same customizations. ++Extract customizations off first machine, copy them ++to second and import them. ++ ++# semanage -o /tmp/local.selinux ++# scp /tmp/local.selinux secondmachine:/tmp ++# ssh secondmachine ++# semanage -i /tmp/local.selinux ++ ++If these customizations include file context, you need to apply the ++context using restorecon. ++ + .fi + + .SH "AUTHOR" +-This man page was written by Daniel Walsh and +-Russell Coker . ++This man page was written by Daniel Walsh ++.br ++and Russell Coker . ++.br + Examples by Thomas Bleher . 
+diff -up policycoreutils-2.0.83/semanage/semanage.rhat policycoreutils-2.0.83/semanage/semanage +--- policycoreutils-2.0.83/semanage/semanage.rhat 2010-06-16 08:04:12.000000000 -0400 ++++ policycoreutils-2.0.83/semanage/semanage 2010-10-25 17:11:18.000000000 -0400 @@ -1,4 +1,4 @@ -#! /usr/bin/python -E +#! /usr/bin/python -Es @@ -2885,7 +3147,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po import sys, getopt, re import seobject import selinux -@@ -32,27 +33,36 @@ +@@ -32,27 +33,36 @@ gettext.textdomain(PROGNAME) try: gettext.install(PROGNAME, localedir="/usr/share/locale", @@ -2927,7 +3189,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po semanage dontaudit [ on | off ] Primary Options: -@@ -61,7 +71,9 @@ +@@ -61,7 +71,9 @@ Primary Options: -d, --delete Delete a OBJECT record NAME -m, --modify Modify a OBJECT record NAME -i, --input Input multiple semange commands in a transaction @@ -2937,7 +3199,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -C, --locallist List OBJECTS local customizations -D, --deleteall Remove all OBJECTS local customizations -@@ -84,12 +96,15 @@ +@@ -84,12 +96,15 @@ Object-specific Options (see above): -F, --file Treat target as an input file for command, change multiple settings -p, --proto Port protocol (tcp or udp) or internet protocol version of node (ipv4 or ipv6) -M, --mask Netmask @@ -2953,7 +3215,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po """) raise ValueError("%s\n%s" % (text, message)) -@@ -101,7 +116,7 @@ +@@ -101,7 +116,7 @@ Object-specific Options (see above): def get_options(): valid_option={} 
@@ -2962,7 +3224,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po valid_option["login"] = [] valid_option["login"] += valid_everyone + [ '-s', '--seuser', '-r', '--range'] valid_option["user"] = [] -@@ -112,8 +127,10 @@ +@@ -112,8 +127,10 @@ Object-specific Options (see above): valid_option["interface"] += valid_everyone + [ '-t', '--type', '-r', '--range'] valid_option["node"] = [] valid_option["node"] += valid_everyone + [ '-M', '--mask', '-t', '--type', '-r', '--range', '-p', '--protocol'] @@ -2974,7 +3236,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po valid_option["dontaudit"] = [ '-S', '--store' ] valid_option["boolean"] = [] valid_option["boolean"] += valid_everyone + [ '--on', "--off", "-1", "-0", "-F", "--file"] -@@ -168,6 +185,8 @@ +@@ -168,6 +185,8 @@ Object-specific Options (see above): return ret def process_args(argv): @@ -2983,7 +3245,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po serange = "" port = "" proto = "" -@@ -184,11 +203,17 @@ +@@ -184,11 +203,17 @@ Object-specific Options (see above): modify = False delete = False deleteall = False @@ -3001,7 +3263,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po object = argv[0] option_dict=get_options() if object not in option_dict.keys(): -@@ -197,10 +222,14 @@ +@@ -197,10 +222,14 @@ Object-specific Options (see above): args = argv[1:] gopts, cmds = getopt.getopt(args, @@ -3017,7 +3279,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po 'ftype=', 'file', 'help', -@@ -225,29 +254,47 @@ +@@ -225,29 +254,47 @@ Object-specific Options (see above): for o, a in gopts: if o not in option_dict[object]: sys.stderr.write(_("%s not valid for %s objects\n") % ( o, object) ); 
@@ -3072,7 +3334,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po if o == "-n" or o == "--noheading": heading = False -@@ -256,8 +303,7 @@ +@@ -256,8 +303,7 @@ Object-specific Options (see above): locallist = True if o == "-m"or o == "--modify": @@ -3082,7 +3344,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po modify = True if o == "-S" or o == '--store': -@@ -292,8 +338,10 @@ +@@ -292,8 +338,10 @@ Object-specific Options (see above): if o == "--on" or o == "-1": value = "on" @@ -3093,7 +3355,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po if object == "login": OBJECT = seobject.loginRecords(store) -@@ -315,6 +363,11 @@ +@@ -315,6 +363,11 @@ Object-specific Options (see above): if object == "boolean": OBJECT = seobject.booleanRecords(store) @@ -3105,7 +3367,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po if object == "permissive": OBJECT = seobject.permissiveRecords(store) -@@ -330,65 +383,97 @@ +@@ -330,65 +383,97 @@ Object-specific Options (see above): OBJECT.deleteall() return @@ -3215,7 +3477,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po if delete: if object == "port": OBJECT.delete(target, proto) -@@ -401,15 +486,14 @@ +@@ -401,15 +486,14 @@ Object-specific Options (see above): else: OBJECT.delete(target) @@ -3233,7 +3495,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po input = None store = "" -@@ -417,7 +501,7 @@ +@@ -417,7 +501,7 @@ Object-specific Options (see above): usage(_("Requires 2 or more arguments")) gopts, cmds = getopt.getopt(sys.argv[1:], @@ -3242,7 +3504,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po ['add', 'delete', 'deleteall', -@@ -431,6 +515,7 @@ +@@ -431,6 +515,7 @@ Object-specific Options (see above): 'localist', 'off', 'on', 
@@ -3250,7 +3512,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po 'proto=', 'seuser=', 'store=', -@@ -438,6 +523,7 @@ +@@ -438,6 +523,7 @@ Object-specific Options (see above): 'level=', 'roles=', 'type=', @@ -3258,7 +3520,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po 'prefix=' ]) for o, a in gopts: -@@ -445,6 +531,16 @@ +@@ -445,6 +531,16 @@ Object-specific Options (see above): store = a if o == "-i" or o == '--input': input = a 
@@ -3275,203 +3537,16 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po if input != None: if input == "-": -@@ -467,3 +563,5 @@ +@@ -467,3 +563,5 @@ Object-specific Options (see above): errorExit(_("Invalid value %s") % error.args[0]) except IOError, error: errorExit(error.args[1]) + except OSError, error: + errorExit(error.args[1]) -diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/semanage.8 policycoreutils-2.0.83/semanage/semanage.8 ---- nsapolicycoreutils/semanage/semanage.8 2010-05-19 14:45:51.000000000 -0400 -+++ policycoreutils-2.0.83/semanage/semanage.8 2010-09-23 15:43:58.000000000 -0400 -@@ -1,29 +1,65 @@ --.TH "semanage" "8" "2005111103" "" "" -+.TH "semanage" "8" "20100223" "" "" - .SH "NAME" - semanage \- SELinux Policy Management tool - - .SH "SYNOPSIS" --.B semanage {boolean|login|user|port|interface|node|fcontext} \-{l|D} [\-n] [\-S store] -+Output local customizations - .br --.B semanage boolean \-{d|m} [\-\-on|\-\-off|\-1|\-0] -F boolean | boolean_file -+.B semanage [ -S store ] -o [ output_file | - ] -+ -+Input local customizations -+.br -+.B semanage [ -S store ] -i [ input_file | - ] -+ -+Manage booleans. Booleans allow the administrator to modify the confinement of -+processes based on his configuration. -+.br -+.B semanage boolean [\-S store] \-{d|m|l|n|D} \-[\-on|\-off|\1|0] -F boolean | boolean_file -+ -+Manage SELinux confined users (Roles and levels for an SELinux user) -+.br -+.B semanage user [\-S store] \-{a|d|m|l|n|D} [\-LrRP] selinux_name -+ -+Manage login mappings between linux users and SELinux confined users. 
- .br --.B semanage login \-{a|d|m} [\-sr] login_name | %groupname -+.B semanage login [\-S store] \-{a|d|m|l|n|D} [\-sr] login_name | %groupname -+ -+Manage network port type definitions - .br --.B semanage user \-{a|d|m} [\-LrRP] selinux_name -+.B semanage port [\-S store] \-{a|d|m|l|n|D} [\-tr] [\-p proto] port | port_range - .br --.B semanage port \-{a|d|m} [\-tr] [\-p proto] port | port_range -+ -+Manage network interface type definitions - .br --.B semanage interface \-{a|d|m} [\-tr] interface_spec -+.B semanage interface [\-S store] \-{a|d|m|l|n|D} [\-tr] interface_spec -+ -+Manage network node type definitions - .br --.B semanage node -{a|d|m} [-tr] [ -p protocol ] [-M netmask] address -+.B semanage node [\-S store] -{a|d|m|l|n|D} [-tr] [ -p protocol ] [-M netmask] address - .br --.B semanage fcontext \-{a|d|m} [\-frst] file_spec -+ -+Manage file context mapping definitions - .br --.B semanage permissive \-{a|d} type -+.B semanage fcontext [\-S store] \-{a|d|m|l|n|D} [\-frst] file_spec -+.br -+.B semanage fcontext [\-S store] \-{a|d|m|l|n|D} \-e replacement target -+.br -+ -+Manage processes type enforcement mode - .br --.B semanage dontaudit [ on | off ] -+.B semanage permissive [\-S store] \-{a|d|l|n|D} type -+.br -+ -+Disable/Enable dontaudit rules in policy -+.br -+.B semanage dontaudit [\-S store] [ on | off ] - .P - -+Execute multiple commands within a single transaction. -+.br -+.B semanage [\-S store] \-i command-file -+.br -+ - .SH "DESCRIPTION" - semanage is used to configure certain elements of - SELinux policy without requiring modification to or recompilation -@@ -52,6 +88,12 @@ - .I \-D, \-\-deleteall - Remove all OBJECTS local customizations - .TP -+.I \-e, \-\-equal -+Substitute target path with sourcepath when generating default label. This is used with -+fcontext. Requires source and target path arguments. The context -+labeling for the target subtree is made equivalent to that -+defined for the source. 
-+.TP - .I \-f, \-\-ftype - File Type. This is used with fcontext. - Requires a file type as shown in the mode field by ls, e.g. use -d to match only directories or -- to match only regular files. -@@ -76,6 +118,9 @@ - .I \-m, \-\-modify - Modify a OBJECT record NAME - .TP -+.I \-M, \-\-mask -+Network Mask -+.TP - .I \-n, \-\-noheading - Do not print heading when listing OBJECTS. - .TP -@@ -99,26 +144,67 @@ - .TP - .I \-t, \-\-type - SELinux Type for the object -+.TP -+.I \-i, \-\-input -+Take a set of commands from a specified file and load them in a single -+transaction. - - .SH EXAMPLE - .nf --# View SELinux user mappings --$ semanage user -l --# Allow joe to login as staff_u --$ semanage login -a -s staff_u joe --# Allow the group clerks to login as user_u --$ semanage login -a -s user_u %clerks --# Add file-context for everything under /web (used by restorecon) --$ semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?" --# Allow Apache to listen on port 81 --$ semanage port -a -t http_port_t -p tcp 81 --# Change apache to a permissive domain --$ semanage permissive -a httpd_t --# Turn off dontaudit rules --$ semanage dontaudit off -+.B SELinux user -+List SELinux users -+# semanage user -l -+ -+.B SELinux login -+Change joe to login as staff_u -+# semanage login -a -s staff_u joe -+Change the group clerks to login as user_u -+# semanage login -a -s user_u %clerks -+ -+.B File contexts -+.i remember to run restorecon after you set the file context -+Add file-context for everything under /web -+# semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?" -+# restorecon -R -v /web -+ -+Substitute /home1 with /home when setting file context -+# semanage fcontext -a -e /home /home1 -+# restorecon -R -v /home1 -+ -+For home directories under top level directory, for example /disk6/home, -+execute the following commands. 
-+# semanage fcontext -a -t home_root_t "/disk6" -+# semanage fcontext -a -e /home /disk6/home -+# restorecon -R -v /disk6 -+ -+.B Port contexts -+Allow Apache to listen on tcp port 81 -+# semanage port -a -t http_port_t -p tcp 81 -+ -+.B Change apache to a permissive domain -+# semanage permissive -a httpd_t -+ -+.B Turn off dontaudit rules -+# semanage dontaudit off -+ -+.B Managing multiple machines -+Multiple machines that need the same customizations. -+Extract customizations off first machine, copy them -+to second and import them. -+ -+# semanage -o /tmp/local.selinux -+# scp /tmp/local.selinux secondmachine:/tmp -+# ssh secondmachine -+# semanage -i /tmp/local.selinux -+ -+If these customizations include file context, you need to apply the -+context using restorecon. -+ - .fi - - .SH "AUTHOR" --This man page was written by Daniel Walsh and --Russell Coker . -+This man page was written by Daniel Walsh -+.br -+and Russell Coker . -+.br - Examples by Thomas Bleher . -diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/seobject.py policycoreutils-2.0.83/semanage/seobject.py ---- nsapolicycoreutils/semanage/seobject.py 2010-05-19 14:45:51.000000000 -0400 -+++ policycoreutils-2.0.83/semanage/seobject.py 2010-07-30 13:50:40.000000000 -0400 -@@ -29,47 +29,12 @@ +diff -up policycoreutils-2.0.83/semanage/seobject.py.rhat policycoreutils-2.0.83/semanage/seobject.py +--- policycoreutils-2.0.83/semanage/seobject.py.rhat 2010-06-16 08:04:12.000000000 -0400 ++++ policycoreutils-2.0.83/semanage/seobject.py 2010-10-25 17:11:18.000000000 -0400 +@@ -29,47 +29,12 @@ import sepolgen.module as module import gettext gettext.bindtextdomain(PROGNAME, "/usr/share/locale") gettext.textdomain(PROGNAME) 
@@ -3523,7 +3598,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po file_types = {} file_types[""] = SEMANAGE_FCONTEXT_ALL; -@@ -194,44 +159,153 @@ +@@ -194,44 +159,153 @@ def untranslate(trans, prepend = 1): return trans else: return raw @@ -3691,7 +3766,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po class dontauditClass(semanageRecords): def __init__(self, store): -@@ -259,14 +333,23 @@ +@@ -259,14 +333,23 @@ class permissiveRecords(semanageRecords) name = semanage_module_get_name(mod) if name and name.startswith("permissive_"): l.append(name.split("permissive_")[1]) @@ -3719,7 +3794,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po def add(self, type): import glob -@@ -343,7 +426,9 @@ +@@ -343,7 +426,9 @@ class loginRecords(semanageRecords): if rc < 0: raise ValueError(_("Could not check if login mapping for %s is defined") % name) if exists: @@ -3730,7 +3805,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po if name[0] == '%': try: grp.getgrnam(name[1:]) -@@ -475,6 +560,16 @@ +@@ -475,6 +560,16 @@ class loginRecords(semanageRecords): mylog.log(1, "delete SELinux user mapping", name); @@ -3747,7 +3822,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po def get_all(self, locallist = 0): ddict = {} if locallist: -@@ -489,6 +584,15 @@ +@@ -489,6 +584,15 @@ class loginRecords(semanageRecords): ddict[name] = (semanage_seuser_get_sename(u), semanage_seuser_get_mlsrange(u)) return ddict @@ -3763,7 +3838,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po def list(self,heading = 1, locallist = 0): ddict = self.get_all(locallist) keys = ddict.keys() -@@ -531,7 +635,8 @@ +@@ -531,7 +635,8 @@ class seluserRecords(semanageRecords): if rc < 0: raise ValueError(_("Could not check if SELinux user %s is defined") % name) if exists: 
@@ -3773,7 +3848,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po (rc, u) = semanage_user_create(self.sh) if rc < 0: -@@ -682,6 +787,16 @@ +@@ -682,6 +787,16 @@ class seluserRecords(semanageRecords): mylog.log(1,"delete SELinux user record", name) @@ -3790,7 +3865,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po def get_all(self, locallist = 0): ddict = {} if locallist: -@@ -702,6 +817,15 @@ +@@ -702,6 +817,15 @@ class seluserRecords(semanageRecords): return ddict @@ -3806,7 +3881,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po def list(self, heading = 1, locallist = 0): ddict = self.get_all(locallist) keys = ddict.keys() -@@ -740,12 +864,16 @@ +@@ -740,12 +864,16 @@ class portRecords(semanageRecords): low = int(ports[0]) high = int(ports[1]) @@ -3823,7 +3898,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po if is_mls_enabled == 1: if serange == "": serange = "s0" -@@ -808,6 +936,7 @@ +@@ -808,6 +936,7 @@ class portRecords(semanageRecords): self.commit() def __modify(self, port, proto, serange, setype): @@ -3831,7 +3906,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po if serange == "" and setype == "": if is_mls_enabled == 1: raise ValueError(_("Requires setype or serange")) -@@ -942,6 +1071,18 @@ +@@ -942,6 +1071,18 @@ class portRecords(semanageRecords): ddict[(ctype,proto_str)].append("%d-%d" % (low, high)) return ddict @@ -3850,7 +3925,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po def list(self, heading = 1, locallist = 0): if heading: print "%-30s %-8s %s\n" % (_("SELinux Port Type"), _("Proto"), _("Port Number")) -@@ -958,7 +1099,8 @@ +@@ -958,7 +1099,8 @@ class portRecords(semanageRecords): class nodeRecords(semanageRecords): def __init__(self, store = ""): semanageRecords.__init__(self,store) 
@@ -3860,7 +3935,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po def __add(self, addr, mask, proto, serange, ctype): if addr == "": raise ValueError(_("Node Address is required")) -@@ -966,14 +1108,11 @@ +@@ -966,14 +1108,11 @@ class nodeRecords(semanageRecords): if mask == "": raise ValueError(_("Node Netmask is required")) @@ -3878,7 +3953,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po if is_mls_enabled == 1: if serange == "": serange = "s0" -@@ -991,11 +1130,13 @@ +@@ -991,11 +1130,13 @@ class nodeRecords(semanageRecords): (rc, exists) = semanage_node_exists(self.sh, k) if exists: @@ -3893,7 +3968,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po rc = semanage_node_set_addr(self.sh, node, proto, addr) (rc, con) = semanage_context_create(self.sh) -@@ -1005,8 +1146,7 @@ +@@ -1005,8 +1146,7 @@ class nodeRecords(semanageRecords): rc = semanage_node_set_mask(self.sh, node, proto, mask) if rc < 0: raise ValueError(_("Could not set mask for %s") % addr) @@ -3903,7 +3978,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po rc = semanage_context_set_user(self.sh, con, "system_u") if rc < 0: raise ValueError(_("Could not set user in addr context for %s") % addr) -@@ -1047,13 +1187,10 @@ +@@ -1047,13 +1187,10 @@ class nodeRecords(semanageRecords): if mask == "": raise ValueError(_("Node Netmask is required")) @@ -3921,7 +3996,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po if serange == "" and setype == "": raise ValueError(_("Requires setype or serange")) -@@ -1068,12 +1205,11 @@ +@@ -1068,12 +1205,11 @@ class nodeRecords(semanageRecords): if not exists: raise ValueError(_("Addr %s is not defined") % addr) 
@@ -3935,7 +4010,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po if serange != "": semanage_context_set_mls(self.sh, con, untranslate(serange)) if setype != "": -@@ -1098,11 +1234,9 @@ +@@ -1098,11 +1234,9 @@ class nodeRecords(semanageRecords): if mask == "": raise ValueError(_("Node Netmask is required")) @@ -3950,7 +4025,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po raise ValueError(_("Unknown or missing protocol")) (rc, k) = semanage_node_key_create(self.sh, addr, mask, proto) -@@ -1132,6 +1266,16 @@ +@@ -1132,6 +1266,16 @@ class nodeRecords(semanageRecords): self.__delete(addr, mask, proto) self.commit() @@ -3967,7 +4042,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po def get_all(self, locallist = 0): ddict = {} if locallist : -@@ -1145,15 +1289,20 @@ +@@ -1145,15 +1289,20 @@ class nodeRecords(semanageRecords): con = semanage_node_get_con(node) addr = semanage_node_get_addr(self.sh, node) mask = semanage_node_get_mask(self.sh, node) @@ -3993,7 +4068,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po def list(self, heading = 1, locallist = 0): if heading: print "%-18s %-18s %-5s %-5s\n" % ("IP Address", "Netmask", "Protocol", "Context") -@@ -1193,7 +1342,8 @@ +@@ -1193,7 +1342,8 @@ class interfaceRecords(semanageRecords): if rc < 0: raise ValueError(_("Could not check if interface %s is defined") % interface) if exists: @@ -4003,7 +4078,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po (rc, iface) = semanage_iface_create(self.sh) if rc < 0: -@@ -1307,6 +1457,16 @@ +@@ -1307,6 +1457,16 @@ class interfaceRecords(semanageRecords): self.__delete(interface) self.commit() 
@@ -4020,7 +4095,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po def get_all(self, locallist = 0): ddict = {} if locallist: -@@ -1322,6 +1482,15 @@ +@@ -1322,6 +1482,15 @@ class interfaceRecords(semanageRecords): return ddict @@ -4036,7 +4111,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po def list(self, heading = 1, locallist = 0): if heading: print "%-30s %s\n" % (_("SELinux Interface"), _("Context")) -@@ -1338,6 +1507,48 @@ +@@ -1338,6 +1507,48 @@ class interfaceRecords(semanageRecords): class fcontextRecords(semanageRecords): def __init__(self, store = ""): semanageRecords.__init__(self, store) @@ -4085,7 +4160,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po def createcon(self, target, seuser = "system_u"): (rc, con) = semanage_context_create(self.sh) -@@ -1364,6 +1575,8 @@ +@@ -1364,6 +1575,8 @@ class fcontextRecords(semanageRecords): def validate(self, target): if target == "" or target.find("\n") >= 0: raise ValueError(_("Invalid file specification")) @@ -4094,7 +4169,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po def __add(self, target, type, ftype = "", serange = "", seuser = "system_u"): self.validate(target) -@@ -1388,7 +1601,8 @@ +@@ -1388,7 +1601,8 @@ class fcontextRecords(semanageRecords): raise ValueError(_("Could not check if file context for %s is defined") % target) if exists: @@ -4104,7 +4179,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po (rc, fcontext) = semanage_fcontext_create(self.sh) if rc < 0: -@@ -1504,9 +1718,16 @@ +@@ -1504,9 +1718,16 @@ class fcontextRecords(semanageRecords): raise ValueError(_("Could not delete the file context %s") % target) semanage_fcontext_key_free(k) 
@@ -4121,7 +4196,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po (rc,k) = semanage_fcontext_key_create(self.sh, target, file_types[ftype]) if rc < 0: raise ValueError(_("Could not create a key for %s") % target) -@@ -1561,12 +1782,22 @@ +@@ -1561,12 +1782,22 @@ class fcontextRecords(semanageRecords): return ddict @@ -4146,7 +4221,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po for k in keys: if fcon_dict[k]: if is_mls_enabled: -@@ -1575,6 +1806,12 @@ +@@ -1575,6 +1806,12 @@ class fcontextRecords(semanageRecords): print "%-50s %-18s %s:%s:%s " % (k[0], k[1], fcon_dict[k][0], fcon_dict[k][1],fcon_dict[k][2]) else: print "%-50s %-18s <>" % (k[0], k[1]) @@ -4159,7 +4234,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po class booleanRecords(semanageRecords): def __init__(self, store = ""): -@@ -1587,6 +1824,18 @@ +@@ -1587,6 +1824,18 @@ class booleanRecords(semanageRecords): self.dict["1"] = 1 self.dict["0"] = 0 @@ -4178,7 +4253,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po def __mod(self, name, value): (rc, k) = semanage_bool_key_create(self.sh, name) if rc < 0: -@@ -1606,9 +1855,10 @@ +@@ -1606,9 +1855,10 @@ class booleanRecords(semanageRecords): else: raise ValueError(_("You must specify one of the following values: %s") % ", ".join(self.dict.keys()) ) @@ -4192,7 +4267,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po rc = semanage_bool_modify_local(self.sh, k, b) if rc < 0: raise ValueError(_("Could not modify boolean %s") % name) -@@ -1691,8 +1941,12 @@ +@@ -1691,8 +1941,12 @@ class booleanRecords(semanageRecords): value = [] name = semanage_bool_get_name(boolean) value.append(semanage_bool_get_value(boolean)) 
@@ -4207,7 +4282,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po ddict[name] = value return ddict -@@ -1706,6 +1960,16 @@ +@@ -1706,6 +1960,16 @@ class booleanRecords(semanageRecords): else: return _("unknown") @@ -4224,9 +4299,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po def list(self, heading = True, locallist = False, use_file = False): on_off = (_("off"), _("on")) if use_file: -diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sepolgen-ifgen/Makefile policycoreutils-2.0.83/sepolgen-ifgen/Makefile ---- nsapolicycoreutils/sepolgen-ifgen/Makefile 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.83/sepolgen-ifgen/Makefile 2010-07-30 13:50:40.000000000 -0400 +diff -up policycoreutils-2.0.83/sepolgen-ifgen/Makefile.rhat policycoreutils-2.0.83/sepolgen-ifgen/Makefile +--- policycoreutils-2.0.83/sepolgen-ifgen/Makefile.rhat 2010-10-25 17:11:18.000000000 -0400 ++++ policycoreutils-2.0.83/sepolgen-ifgen/Makefile 2010-10-25 17:11:18.000000000 -0400 @@ -0,0 +1,25 @@ +# Installation directories. +PREFIX ?= ${DESTDIR}/usr 
@@ -4253,9 +4328,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po + ../../scripts/Lindent $(wildcard *.[ch]) + +relabel: ; -diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sepolgen-ifgen/sepolgen-ifgen-attr-helper.c policycoreutils-2.0.83/sepolgen-ifgen/sepolgen-ifgen-attr-helper.c ---- nsapolicycoreutils/sepolgen-ifgen/sepolgen-ifgen-attr-helper.c 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.83/sepolgen-ifgen/sepolgen-ifgen-attr-helper.c 2010-07-30 13:50:40.000000000 -0400 +diff -up policycoreutils-2.0.83/sepolgen-ifgen/sepolgen-ifgen-attr-helper.c.rhat policycoreutils-2.0.83/sepolgen-ifgen/sepolgen-ifgen-attr-helper.c +--- policycoreutils-2.0.83/sepolgen-ifgen/sepolgen-ifgen-attr-helper.c.rhat 2010-10-25 17:11:18.000000000 -0400 ++++ policycoreutils-2.0.83/sepolgen-ifgen/sepolgen-ifgen-attr-helper.c 2010-10-25 17:11:18.000000000 -0400 @@ -0,0 +1,230 @@ +/* Authors: Frank Mayer + * and Karl MacMillan 
@@ -4487,16 +4562,42 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po + + return 0; +} -diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/setfiles/restore.c policycoreutils-2.0.83/setfiles/restore.c ---- nsapolicycoreutils/setfiles/restore.c 2010-05-19 14:45:51.000000000 -0400 -+++ policycoreutils-2.0.83/setfiles/restore.c 2010-07-30 13:50:40.000000000 -0400 +diff -up policycoreutils-2.0.83/setfiles/restorecon.8.rhat policycoreutils-2.0.83/setfiles/restorecon.8 +--- policycoreutils-2.0.83/setfiles/restorecon.8.rhat 2010-06-16 08:04:12.000000000 -0400 ++++ policycoreutils-2.0.83/setfiles/restorecon.8 2010-10-25 17:11:18.000000000 -0400 +@@ -4,10 +4,10 @@ restorecon \- restore file(s) default SE + + .SH "SYNOPSIS" + .B restorecon +-.I [\-o outfilename ] [\-R] [\-n] [\-v] [\-e directory ] pathname... ++.I [\-o outfilename ] [\-R] [\-n] [\-p] [\-v] [\-e directory ] pathname... + .P + .B restorecon +-.I \-f infilename [\-o outfilename ] [\-e directory ] [\-R] [\-n] [\-v] [\-F] ++.I \-f infilename [\-o outfilename ] [\-e directory ] [\-R] [\-n] [\-p] [\-v] [\-F] + + .SH "DESCRIPTION" + This manual page describes the +@@ -40,6 +40,9 @@ don't change any file labels. + .TP + .B \-o outfilename + save list of files with incorrect context in outfilename. ++.TP ++.B \-p ++show progress by printing * every 1000 files. + .TP + .B \-v + show changes in file labels. +diff -up policycoreutils-2.0.83/setfiles/restore.c.rhat policycoreutils-2.0.83/setfiles/restore.c +--- policycoreutils-2.0.83/setfiles/restore.c.rhat 2010-06-16 08:04:12.000000000 -0400 ++++ policycoreutils-2.0.83/setfiles/restore.c 2010-10-25 17:11:18.000000000 -0400 @@ -1,4 +1,5 @@ #include "restore.h" +#include #define SKIP -2 #define ERR -1 -@@ -31,7 +32,6 @@ +@@ -31,7 +32,6 @@ struct edir { static file_spec_t *fl_head; 
@@ -4504,7 +4605,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po static int filespec_add(ino_t ino, const security_context_t con, const char *file); static int only_changed_user(const char *a, const char *b); struct restore_opts *r_opts = NULL; -@@ -53,7 +53,6 @@ +@@ -53,7 +53,6 @@ void remove_exclude(const char *director } } return; @@ -4512,7 +4613,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po } void restore_init(struct restore_opts *opts) -@@ -300,8 +299,14 @@ +@@ -300,8 +299,14 @@ static int process_one(char *name, int r int rc = 0; const char *namelist[2] = {name, NULL}; dev_t dev_num = 0; @@ -4529,7 +4630,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po fts_handle = fts_open((char **)namelist, r_opts->fts_flags, NULL); if (fts_handle == NULL) { -@@ -357,11 +362,34 @@ +@@ -357,11 +362,34 @@ err: goto out; } @@ -4565,7 +4666,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po if (r_opts == NULL){ fprintf(stderr, -@@ -372,8 +400,9 @@ +@@ -372,8 +400,9 @@ int process_one_realpath(char *name, int if (!r_opts->expand_realpath) { return process_one(name, recurse); } else { @@ -4576,7 +4677,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po fprintf(stderr, "%s: lstat(%s) failed: %s\n", r_opts->progname, name, strerror(errno)); return -1; -@@ -409,7 +438,7 @@ +@@ -409,7 +438,7 @@ int process_one_realpath(char *name, int } } @@ -4585,7 +4686,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po { int i = 0; for (i = 0; i < excludeCtr; i++) { -@@ -537,7 +566,7 @@ +@@ -537,7 +566,7 @@ static int filespec_add(ino_t ino, const { file_spec_t *prevfl, *fl; int h, ret; 
@@ -4594,7 +4695,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po if (!fl_head) { fl_head = malloc(sizeof(file_spec_t) * HASH_BUCKETS); -@@ -550,7 +579,7 @@ +@@ -550,7 +579,7 @@ static int filespec_add(ino_t ino, const for (prevfl = &fl_head[h], fl = fl_head[h].next; fl; prevfl = fl, fl = fl->next) { if (ino == fl->ino) { @@ -4603,7 +4704,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po if (ret < 0 || sb.st_ino != ino) { freecon(fl->con); free(fl->file); -@@ -602,5 +631,67 @@ +@@ -602,5 +631,67 @@ static int filespec_add(ino_t ino, const return -1; } 
@@ -4671,36 +4772,10 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po + free(buf); +} -diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/setfiles/restorecon.8 policycoreutils-2.0.83/setfiles/restorecon.8 ---- nsapolicycoreutils/setfiles/restorecon.8 2010-05-19 14:45:51.000000000 -0400 -+++ policycoreutils-2.0.83/setfiles/restorecon.8 2010-07-30 13:50:40.000000000 -0400 -@@ -4,10 +4,10 @@ - - .SH "SYNOPSIS" - .B restorecon --.I [\-o outfilename ] [\-R] [\-n] [\-v] [\-e directory ] pathname... -+.I [\-o outfilename ] [\-R] [\-n] [\-p] [\-v] [\-e directory ] pathname... - .P - .B restorecon --.I \-f infilename [\-o outfilename ] [\-e directory ] [\-R] [\-n] [\-v] [\-F] -+.I \-f infilename [\-o outfilename ] [\-e directory ] [\-R] [\-n] [\-p] [\-v] [\-F] - - .SH "DESCRIPTION" - This manual page describes the -@@ -40,6 +40,9 @@ - .TP - .B \-o outfilename - save list of files with incorrect context in outfilename. -+.TP -+.B \-p -+show progress by printing * every 1000 files. - .TP - .B \-v - show changes in file labels. -diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/setfiles/restore.h policycoreutils-2.0.83/setfiles/restore.h ---- nsapolicycoreutils/setfiles/restore.h 2010-05-19 14:45:51.000000000 -0400 -+++ policycoreutils-2.0.83/setfiles/restore.h 2010-07-30 13:50:40.000000000 -0400 -@@ -27,6 +27,7 @@ +diff -up policycoreutils-2.0.83/setfiles/restore.h.rhat policycoreutils-2.0.83/setfiles/restore.h +--- policycoreutils-2.0.83/setfiles/restore.h.rhat 2010-06-16 08:04:12.000000000 -0400 ++++ policycoreutils-2.0.83/setfiles/restore.h 2010-10-25 17:11:18.000000000 -0400 +@@ -27,6 +27,7 @@ struct restore_opts { int hard_links; int verbose; int logging; 
@@ -4708,7 +4783,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po char *rootpath; int rootpathlen; char *progname; -@@ -44,7 +45,10 @@ +@@ -44,7 +45,10 @@ struct restore_opts { void restore_init(struct restore_opts *opts); void restore_finish(); int add_exclude(const char *directory); @@ -4719,10 +4794,10 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po +void exclude_non_seclabel_mounts(); #endif -diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/setfiles/setfiles.8 policycoreutils-2.0.83/setfiles/setfiles.8 ---- nsapolicycoreutils/setfiles/setfiles.8 2010-05-19 14:45:51.000000000 -0400 -+++ policycoreutils-2.0.83/setfiles/setfiles.8 2010-07-30 13:50:40.000000000 -0400 -@@ -31,6 +31,9 @@ +diff -up policycoreutils-2.0.83/setfiles/setfiles.8.rhat policycoreutils-2.0.83/setfiles/setfiles.8 +--- policycoreutils-2.0.83/setfiles/setfiles.8.rhat 2010-06-16 08:04:12.000000000 -0400 ++++ policycoreutils-2.0.83/setfiles/setfiles.8 2010-10-25 17:11:18.000000000 -0400 +@@ -31,6 +31,9 @@ log changes in file labels to syslog. .TP .B \-n don't change any file labels. @@ -4732,9 +4807,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po .TP .B \-q suppress non-error output. -diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/setfiles/setfiles.c policycoreutils-2.0.83/setfiles/setfiles.c ---- nsapolicycoreutils/setfiles/setfiles.c 2010-05-19 14:45:51.000000000 -0400 -+++ policycoreutils-2.0.83/setfiles/setfiles.c 2010-07-30 13:50:40.000000000 -0400 +diff -up policycoreutils-2.0.83/setfiles/setfiles.c.rhat policycoreutils-2.0.83/setfiles/setfiles.c +--- policycoreutils-2.0.83/setfiles/setfiles.c.rhat 2010-06-16 08:04:12.000000000 -0400 ++++ policycoreutils-2.0.83/setfiles/setfiles.c 2010-10-25 17:11:18.000000000 -0400 @@ -5,7 +5,6 @@ #include #include 
@@ -4743,7 +4818,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po #define __USE_XOPEN_EXTENDED 1 /* nftw */ #include #ifdef USE_AUDIT -@@ -25,7 +24,6 @@ +@@ -25,7 +24,6 @@ static char *policyfile = NULL; static int warn_no_match = 0; static int null_terminated = 0; static int errors; @@ -4751,7 +4826,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po static struct restore_opts r_opts; #define STAT_BLOCK_SIZE 1 -@@ -44,13 +42,13 @@ +@@ -44,13 +42,13 @@ void usage(const char *const name) { if (iamrestorecon) { fprintf(stderr, @@ -4767,7 +4842,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po name); } exit(1); -@@ -138,69 +136,6 @@ +@@ -138,69 +136,6 @@ static void maybe_audit_mass_relabel(voi #endif } @@ -4837,7 +4912,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po int main(int argc, char **argv) { struct stat sb; -@@ -335,7 +270,7 @@ +@@ -335,7 +270,7 @@ int main(int argc, char **argv) r_opts.debug = 1; break; case 'i': @@ -4846,7 +4921,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po break; case 'l': r_opts.logging = 1; -@@ -371,7 +306,7 @@ +@@ -371,7 +306,7 @@ int main(int argc, char **argv) break; } if (optind + 1 >= argc) { @@ -4855,7 +4930,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po argv[0]); exit(1); } -@@ -475,7 +410,7 @@ +@@ -475,7 +410,7 @@ int main(int argc, char **argv) buf[len - 1] = 0; if (!strcmp(buf, "/")) mass_relabel = 1; @@ -4864,7 +4939,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po } if (strcmp(input_filename, "-") != 0) fclose(f); -@@ -483,7 +418,8 @@ +@@ -483,7 +418,8 @@ int main(int argc, char **argv) for (i = optind; i < argc; i++) { if (!strcmp(argv[i], "/")) mass_relabel = 1; 
@@ -4874,9 +4949,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po } } -diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/VERSION policycoreutils-2.0.83/VERSION ---- nsapolicycoreutils/VERSION 2010-06-16 08:03:38.000000000 -0400 -+++ policycoreutils-2.0.83/VERSION 2010-07-30 13:50:40.000000000 -0400 +diff -up policycoreutils-2.0.83/VERSION.rhat policycoreutils-2.0.83/VERSION +--- policycoreutils-2.0.83/VERSION.rhat 2010-06-16 08:04:12.000000000 -0400 ++++ policycoreutils-2.0.83/VERSION 2010-10-25 17:11:18.000000000 -0400 @@ -1 +1 @@ -2.0.83 +2.0.82 diff --git a/policycoreutils.spec b/policycoreutils.spec index 2eb8156..3d754bd 100644 --- a/policycoreutils.spec +++ b/policycoreutils.spec @@ -7,11 +7,11 @@ Summary: SELinux policy core utilities Name: policycoreutils Version: 2.0.83 -Release: 31%{?dist} +Release: 32%{?dist} License: GPLv2 Group: System Environment/Base Source: http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz -Source1: http://www.nsa.gov/selinux/archives/sepolgen-%{sepolgenver}.tgz +Source1: git://oss.tresys.com/git/selinux/sepolgen-%{sepolgenver}.tgz URL: http://www.selinuxproject.org Source2: system-config-selinux.png Source3: system-config-selinux.desktop @@ -64,7 +64,7 @@ context. %patch4 -p1 -b .sepolgen %build -make LSPP_PRIV=y LIBDIR="%{_libdir}" CFLAGS="%{optflags} -fPIE" LDFLAGS="-pie -Wl,-z,relro" all +make LSPP_PRIV=y LIBDIR="%{_libdir}" CFLAGS="%{optflags} -fPIE -DUSE_FILECAP" LDFLAGS="-pie -Wl,-z,relro" all make -C sepolgen-%{sepolgenver} LSPP_PRIV=y LIBDIR="%{_libdir}" CFLAGS="%{optflags} -fPIE" LDFLAGS="-pie -Wl,-z,relro" all %install @@ -192,7 +192,7 @@ or level of a logged in user. %files newrole %defattr(-,root,root) -%attr(4755,root,root) %{_bindir}/newrole +%attr(0755,root,root) %caps(cap_audit_write=pe) %{_bindir}/newrole %{_mandir}/man1/newrole.1.gz %package gui 
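Review bot: The new `Source1:` line points at `git://oss.tresys.com/git/selinux/sepolgen-%{sepolgenver}.tgz`, but the git protocol serves repositories, not individual files, so this URL is not fetchable as written (e.g. by `spectool -g`) and, being an unauthenticated transport, it gives a downstream packager no way to check where the sepolgen tarball actually came from. The build lines visible on this page only run `make -C sepolgen-%{sepolgenver}` against an already-unpacked tree, so nothing breaks at build time; the loss is provenance. Either point `Source1:` at an https URL for the tarball or add a comment above it naming the exact tag or commit the tarball was exported from, e.g. `# sepolgen-%{sepolgenver}.tgz is a snapshot of oss.tresys.com selinux.git; record the tag/commit here when updating`.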
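Review bot: Replacing `%attr(4755,root,root)` with `%attr(0755,root,root) %caps(cap_audit_write=pe)` means newrole now runs as the invoking user with only CAP_AUDIT_WRITE, so any code path in newrole that still assumes euid 0 will fail closed rather than escalate — the right direction, but the spec does not say why this set is sufficient, and the newrole changes themselves live in policycoreutils-rhat.patch hunks that are not on this page. Suggest a comment above the `%attr` line such as `# not setuid: newrole only needs CAP_AUDIT_WRITE to emit audit records (built with -DUSE_FILECAP, see %build)` so the next maintainer does not re-add 4755 when something fails. Worth a second comment that `%caps` is stored in the security.capability xattr and is silently lost if the binary is copied without xattrs or lands on a filesystem without xattr support — in that case newrole degrades to an unprivileged binary, which is why the capability, not the mode bits, is the thing to check when debugging.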
@@ -238,7 +238,7 @@ rm -rf %{buildroot} /sbin/fixfiles /sbin/setfiles /sbin/load_policy -%{_sbindir}/seunshare +%attr(0755,root,root) %caps(cap_setpcap,cap_fowner,cap_setuid,cap_dac_override,cap_sys_admin,cap_sys_nice=pe) %{_sbindir}/seunshare %{_sbindir}/genhomedircon %{_sbindir}/load_policy %{_sbindir}/setsebool @@ -326,6 +326,10 @@ fi exit 0 %changelog +* Mon Oct 25 2010 Dan Walsh 2.0.83-32 +- Remove setuid flag and replace with file capabilities +- Fix sandbox handling of files with spaces in them + * Wed Sep 29 2010 jkeating - 2.0.83-31 - Rebuilt for gcc bug 634757
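Review bot: The capability set granted to seunshare on the new `%attr` line — `cap_setpcap,cap_fowner,cap_setuid,cap_dac_override,cap_sys_admin,cap_sys_nice=pe` — is root-equivalent in practice: CAP_SYS_ADMIN alone covers mount and namespace setup and CAP_SETUID lets the process become uid 0, so dropping the setuid bit only reduces exposure if seunshare drops these capabilities itself once the sandbox is set up, and this spec cannot show whether it does (that code is in the rhat patch, not on this page). Add a comment at the `%attr` line stating what each capability is needed for, e.g. `# seunshare: SYS_ADMIN for unshare/mount, SETUID to switch to the caller, DAC_OVERRIDE/FOWNER for sandbox dir setup, SETPCAP to shed caps afterwards, SYS_NICE for priority — trim when a need goes away`, with the reasons confirmed against seunshare.c rather than taken from this note. `=pe` with no inheritable flag is the right choice here: a child that seunshare execs gets nothing from this file's capabilities unless the child binary carries its own.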