* Wed Apr 22 2009 Dan Walsh <dwalsh@redhat.com> 2.0.62-14

- Fix audit2allow -a to return /var/log/messages
Daniel J Walsh 2009-05-05 18:51:52 +00:00
parent 20fb912a16
commit b61040e0cd
3 changed files with 636 additions and 135 deletions


@ -1,128 +1,575 @@
diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/debugfiles.list policycoreutils-2.0.62/debugfiles.list
--- nsapolicycoreutils/debugfiles.list 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-2.0.62/debugfiles.list 2009-04-03 14:13:23.000000000 -0400
@@ -0,0 +1,64 @@
+%dir /usr/lib/debug
+%dir /usr/lib/debug/sbin
+%dir /usr/lib/debug/.build-id
+%dir /usr/lib/debug/.build-id/3d
+%dir /usr/lib/debug/.build-id/ec
+%dir /usr/lib/debug/.build-id/9d
+%dir /usr/lib/debug/.build-id/cb
+%dir /usr/lib/debug/.build-id/bc
+%dir /usr/lib/debug/.build-id/0a
+%dir /usr/lib/debug/.build-id/81
+%dir /usr/lib/debug/.build-id/ad
+%dir /usr/lib/debug/.build-id/7f
+%dir /usr/lib/debug/.build-id/f4
+%dir /usr/lib/debug/.build-id/15
+%dir /usr/lib/debug/.build-id/1d
+%dir /usr/lib/debug/.build-id/a8
+%dir /usr/lib/debug/.build-id/d3
+%dir /usr/lib/debug/usr
+%dir /usr/lib/debug/usr/sbin
+%dir /usr/lib/debug/usr/bin
+/usr/lib/debug/sbin/setfiles.debug
+/usr/lib/debug/sbin/restorecon.debug
+/usr/lib/debug/.build-id/3d/c26411dac65290297678f68c7d65c43039df70.debug
+/usr/lib/debug/.build-id/3d/c26411dac65290297678f68c7d65c43039df70
+/usr/lib/debug/.build-id/ec/2012afb3f104620e1d260c932419e6391474ab
+/usr/lib/debug/.build-id/ec/2012afb3f104620e1d260c932419e6391474ab.debug
+/usr/lib/debug/.build-id/9d/511790c5b6141b50c55b8fe8bc032d84827665.debug
+/usr/lib/debug/.build-id/9d/511790c5b6141b50c55b8fe8bc032d84827665
+/usr/lib/debug/.build-id/cb/29543b91147fcf47889d52fa8375c3a388dcce
+/usr/lib/debug/.build-id/cb/29543b91147fcf47889d52fa8375c3a388dcce.debug
+/usr/lib/debug/.build-id/bc/36b9f43fecf5bdb7cbc3780aea1de9a7192865
+/usr/lib/debug/.build-id/bc/36b9f43fecf5bdb7cbc3780aea1de9a7192865.debug
+/usr/lib/debug/.build-id/0a/2965fb8a1c2359677db2cd583f4caa9b79e082.debug
+/usr/lib/debug/.build-id/0a/2965fb8a1c2359677db2cd583f4caa9b79e082
+/usr/lib/debug/.build-id/81/4a2dc779e8dc03a30550b17393f4bf38cc3401.debug
+/usr/lib/debug/.build-id/81/4a2dc779e8dc03a30550b17393f4bf38cc3401
+/usr/lib/debug/.build-id/ad/d96fe93d52caa86fd8119e3a250b3ff1afc8be.debug
+/usr/lib/debug/.build-id/ad/d96fe93d52caa86fd8119e3a250b3ff1afc8be
+/usr/lib/debug/.build-id/7f/d8c1148b921ee7ce357dcc4827a35074d8744a.debug
+/usr/lib/debug/.build-id/7f/d8c1148b921ee7ce357dcc4827a35074d8744a
+/usr/lib/debug/.build-id/f4/3cc2016abf9b6152b720b604ffc7b05ada92b7.debug
+/usr/lib/debug/.build-id/f4/3cc2016abf9b6152b720b604ffc7b05ada92b7
+/usr/lib/debug/.build-id/15/cbead7609477306808e0d90860e7e0d69ccac8.debug
+/usr/lib/debug/.build-id/15/cbead7609477306808e0d90860e7e0d69ccac8
+/usr/lib/debug/.build-id/1d/b4d0c26d77215c7e45aa7da8d6622ec413951f.debug
+/usr/lib/debug/.build-id/1d/b4d0c26d77215c7e45aa7da8d6622ec413951f
+/usr/lib/debug/.build-id/a8/4bb87bec28cd2e948c72529f4640d56178107b
+/usr/lib/debug/.build-id/a8/4bb87bec28cd2e948c72529f4640d56178107b.debug
+/usr/lib/debug/.build-id/d3/a79f853588fb732304975cb781fe37f686e5b9
+/usr/lib/debug/.build-id/d3/a79f853588fb732304975cb781fe37f686e5b9.debug
+/usr/lib/debug/usr/sbin/load_policy.debug
+/usr/lib/debug/usr/sbin/restorecond.debug
+/usr/lib/debug/usr/sbin/semodule.debug
+/usr/lib/debug/usr/sbin/sestatus.debug
+/usr/lib/debug/usr/sbin/setsebool.debug
+/usr/lib/debug/usr/sbin/open_init_pty.debug
+/usr/lib/debug/usr/sbin/run_init.debug
+/usr/lib/debug/usr/bin/semodule_package.debug
+/usr/lib/debug/usr/bin/newrole.debug
+/usr/lib/debug/usr/bin/semodule_link.debug
+/usr/lib/debug/usr/bin/semodule_deps.debug
+/usr/lib/debug/usr/bin/semodule_expand.debug
+/usr/lib/debug/usr/bin/secon.debug
+/usr/src/debug/policycoreutils-2.0.62
diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/debuglinks.list policycoreutils-2.0.62/debuglinks.list
--- nsapolicycoreutils/debuglinks.list 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-2.0.62/debuglinks.list 2009-04-03 14:13:23.000000000 -0400
@@ -0,0 +1,29 @@
+/usr/lib/debug/.build-id/f4/3cc2016abf9b6152b720b604ffc7b05ada92b7 /sbin/setfiles
+/usr/lib/debug/.build-id/f4/3cc2016abf9b6152b720b604ffc7b05ada92b7.debug /usr/lib/debug/sbin/setfiles.debug
+/usr/lib/debug/.build-id/3d/c26411dac65290297678f68c7d65c43039df70 /usr/sbin/open_init_pty
+/usr/lib/debug/.build-id/3d/c26411dac65290297678f68c7d65c43039df70.debug /usr/lib/debug/usr/sbin/open_init_pty.debug
+/usr/lib/debug/.build-id/15/cbead7609477306808e0d90860e7e0d69ccac8 /usr/sbin/sestatus
+/usr/lib/debug/.build-id/15/cbead7609477306808e0d90860e7e0d69ccac8.debug /usr/lib/debug/usr/sbin/sestatus.debug
+/usr/lib/debug/.build-id/81/4a2dc779e8dc03a30550b17393f4bf38cc3401 /usr/sbin/semodule
+/usr/lib/debug/.build-id/81/4a2dc779e8dc03a30550b17393f4bf38cc3401.debug /usr/lib/debug/usr/sbin/semodule.debug
+/usr/lib/debug/.build-id/d3/a79f853588fb732304975cb781fe37f686e5b9 /usr/sbin/load_policy
+/usr/lib/debug/.build-id/d3/a79f853588fb732304975cb781fe37f686e5b9.debug /usr/lib/debug/usr/sbin/load_policy.debug
+/usr/lib/debug/.build-id/a8/4bb87bec28cd2e948c72529f4640d56178107b /usr/sbin/run_init
+/usr/lib/debug/.build-id/a8/4bb87bec28cd2e948c72529f4640d56178107b.debug /usr/lib/debug/usr/sbin/run_init.debug
+/usr/lib/debug/.build-id/7f/d8c1148b921ee7ce357dcc4827a35074d8744a /usr/sbin/restorecond
+/usr/lib/debug/.build-id/7f/d8c1148b921ee7ce357dcc4827a35074d8744a.debug /usr/lib/debug/usr/sbin/restorecond.debug
+/usr/lib/debug/.build-id/ec/2012afb3f104620e1d260c932419e6391474ab /usr/sbin/setsebool
+/usr/lib/debug/.build-id/ec/2012afb3f104620e1d260c932419e6391474ab.debug /usr/lib/debug/usr/sbin/setsebool.debug
+/usr/lib/debug/.build-id/bc/36b9f43fecf5bdb7cbc3780aea1de9a7192865 /usr/bin/secon
+/usr/lib/debug/.build-id/bc/36b9f43fecf5bdb7cbc3780aea1de9a7192865.debug /usr/lib/debug/usr/bin/secon.debug
+/usr/lib/debug/.build-id/1d/b4d0c26d77215c7e45aa7da8d6622ec413951f /usr/bin/newrole
+/usr/lib/debug/.build-id/1d/b4d0c26d77215c7e45aa7da8d6622ec413951f.debug /usr/lib/debug/usr/bin/newrole.debug
+/usr/lib/debug/.build-id/0a/2965fb8a1c2359677db2cd583f4caa9b79e082 /usr/bin/semodule_link
+/usr/lib/debug/.build-id/0a/2965fb8a1c2359677db2cd583f4caa9b79e082.debug /usr/lib/debug/usr/bin/semodule_link.debug
+/usr/lib/debug/.build-id/ad/d96fe93d52caa86fd8119e3a250b3ff1afc8be /usr/bin/semodule_expand
+/usr/lib/debug/.build-id/ad/d96fe93d52caa86fd8119e3a250b3ff1afc8be.debug /usr/lib/debug/usr/bin/semodule_expand.debug
+/usr/lib/debug/.build-id/cb/29543b91147fcf47889d52fa8375c3a388dcce /usr/bin/semodule_package
+/usr/lib/debug/.build-id/cb/29543b91147fcf47889d52fa8375c3a388dcce.debug /usr/lib/debug/usr/bin/semodule_package.debug
+/usr/lib/debug/.build-id/9d/511790c5b6141b50c55b8fe8bc032d84827665 /usr/bin/semodule_deps
+/usr/lib/debug/.build-id/9d/511790c5b6141b50c55b8fe8bc032d84827665.debug /usr/lib/debug/usr/bin/semodule_deps.debug
+/usr/lib/debug/sbin/restorecon.debug /usr/lib/debug/sbin/setfiles.debug
Binary files nsapolicycoreutils/debugsources.list and policycoreutils-2.0.62/debugsources.list differ
diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/audit2allow/audit2allow policycoreutils-2.0.62/audit2allow/audit2allow
--- nsapolicycoreutils/audit2allow/audit2allow 2009-01-13 08:45:35.000000000 -0500
+++ policycoreutils-2.0.62/audit2allow/audit2allow 2009-05-04 13:40:26.000000000 -0400
@@ -126,6 +126,7 @@
elif self.__options.audit:
try:
messages = audit.get_audit_msgs()
+ messages += audit.get_log_msgs()
except OSError, e:
sys.stderr.write('could not run ausearch - "%s"\n' % str(e))
sys.exit(1)
diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/Makefile policycoreutils-2.0.62/Makefile
--- nsapolicycoreutils/Makefile 2008-08-28 09:34:24.000000000 -0400
+++ policycoreutils-2.0.62/Makefile 2009-04-03 14:12:56.000000000 -0400
+++ policycoreutils-2.0.62/Makefile 2009-05-04 13:40:26.000000000 -0400
@@ -1,4 +1,4 @@
-SUBDIRS = setfiles semanage load_policy newrole run_init secon audit2allow audit2why scripts sestatus semodule_package semodule semodule_link semodule_expand semodule_deps setsebool po
+SUBDIRS = setfiles semanage load_policy newrole run_init secon audit2allow audit2why scripts sestatus semodule_package semodule semodule_link semodule_expand semodule_deps setsebool po gui
INOTIFYH = $(shell ls /usr/include/sys/inotify.h 2>/dev/null)
diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/Makefile policycoreutils-2.0.62/restorecond/Makefile
--- nsapolicycoreutils/restorecond/Makefile 2009-02-18 16:44:47.000000000 -0500
+++ policycoreutils-2.0.62/restorecond/Makefile 2009-05-04 13:40:26.000000000 -0400
@@ -2,16 +2,21 @@
PREFIX ?= ${DESTDIR}/usr
SBINDIR ?= $(PREFIX)/sbin
MANDIR = $(PREFIX)/share/man
+AUTOSTARTDIR = $(DESTDIR)/etc/xdg/autostart
+DBUSSERVICEDIR = $(DESTDIR)/usr/share/dbus-1/services
+
+autostart_DATA = sealertauto.desktop
INITDIR = $(DESTDIR)/etc/rc.d/init.d
SELINUXDIR = $(DESTDIR)/etc/selinux
CFLAGS ?= -g -Werror -Wall -W
-override CFLAGS += -I$(PREFIX)/include -D_FILE_OFFSET_BITS=64
-LDLIBS += -lselinux -L$(PREFIX)/lib
+override CFLAGS += -I$(PREFIX)/include -I/usr/include/dbus-1.0 -I/usr/lib64/dbus-1.0/include -D_FILE_OFFSET_BITS=64 -I/usr/include/glib-2.0 -I/usr/lib64/glib-2.0/include
+
+LDLIBS += -lselinux -ldbus-glib-1 -lglib-2.0 -L$(PREFIX)/lib
all: restorecond
-restorecond: restorecond.o utmpwatcher.o stringslist.o
+restorecond: restorecond.o stringslist.o user.o
$(CC) $(LDFLAGS) -o $@ $^ $(LDLIBS)
install: all
@@ -22,7 +27,12 @@
-mkdir -p $(INITDIR)
install -m 755 restorecond.init $(INITDIR)/restorecond
-mkdir -p $(SELINUXDIR)
- install -m 600 restorecond.conf $(SELINUXDIR)/restorecond.conf
+ install -m 644 restorecond.conf $(SELINUXDIR)/restorecond.conf
+ install -m 644 restorecond_user.conf $(SELINUXDIR)/restorecond_user.conf
+ -mkdir -p $(AUTOSTARTDIR)
+ install -m 600 restorecond.desktop $(AUTOSTARTDIR)/restorecond.desktop
+ -mkdir -p $(DBUSSERVICEDIR)
+ install -m 600 org.selinux.Restorecond.service $(DBUSSERVICEDIR)/org.selinux.Restorecond.service
relabel: install
/sbin/restorecon $(SBINDIR)/restorecond
diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/org.selinux.Restorecond.service policycoreutils-2.0.62/restorecond/org.selinux.Restorecond.service
--- nsapolicycoreutils/restorecond/org.selinux.Restorecond.service 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-2.0.62/restorecond/org.selinux.Restorecond.service 2009-05-04 13:40:26.000000000 -0400
@@ -0,0 +1,3 @@
+[D-BUS Service]
+Name=org.selinux.Restorecond
+Exec=/usr/sbin/restorecond -u
diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.c policycoreutils-2.0.62/restorecond/restorecond.c
--- nsapolicycoreutils/restorecond/restorecond.c 2009-02-18 16:44:47.000000000 -0500
+++ policycoreutils-2.0.62/restorecond/restorecond.c 2009-05-04 13:40:26.000000000 -0400
@@ -54,25 +54,31 @@
#include <syslog.h>
#include <limits.h>
#include <fcntl.h>
+#include <pwd.h>
+#include <glob.h>
#include "restorecond.h"
#include "stringslist.h"
-#include "utmpwatcher.h"
+extern int start(void);
+extern int server(int);
extern char *dirname(char *path);
static int master_fd = -1;
static int master_wd = -1;
static int terminate = 0;
+static char *server_watch_file = "/etc/selinux/restorecond.conf";
+static char *user_watch_file = "/etc/selinux/restorecond_user.conf";
+static char *watch_file;
+
#include <selinux/selinux.h>
-#include <utmp.h>
/* size of the event structure, not counting name */
#define EVENT_SIZE (sizeof (struct inotify_event))
/* reasonable guess as to size of 1024 events */
#define BUF_LEN (1024 * (EVENT_SIZE + 16))
-static int debug_mode = 0;
+int debug_mode = 0;
static int verbose_mode = 0;
static void restore(const char *filename, int exact);
@@ -104,7 +110,7 @@
see if it is one that we are watching.
*/
-static int watch_list_find(int wd, const char *file)
+int watch_list_find(int wd, const char *file)
{
struct watchList *ptr = NULL;
ptr = firstDir;
@@ -135,7 +141,7 @@
return -1;
}
-static void watch_list_free(int fd)
+void watch_list_free(int fd)
{
struct watchList *ptr = NULL;
struct watchList *prev = NULL;
@@ -152,6 +158,12 @@
firstDir = NULL;
}
+static void done(void) {
+ watch_list_free(master_fd);
+ close(master_fd);
+ matchpathcon_fini();
+}
+
/*
Set the file context to the default file context for this system.
Same as restorecon.
@@ -241,6 +253,8 @@
{
char *line_buf = NULL;
size_t len = 0;
+ uid_t uid = getuid();
+ struct passwd *pwd = getpwuid(uid);
while (getline(&line_buf, &len, cfg) > 0) {
char *buffer = line_buf;
@@ -252,8 +266,12 @@
if (l <= 0)
continue;
buffer[l] = 0;
- if (buffer[0] == '~')
- utmpwatcher_add(fd, &buffer[1]);
+ if (buffer[0] == '~') {
+ char *ptr=NULL;
+ asprintf(&ptr, "%s%s", pwd->pw_dir, &buffer[1]);
+ watch_list_add(fd, ptr);
+ free(ptr);
+ }
else {
watch_list_add(fd, buffer);
}
@@ -267,9 +285,8 @@
homedirs.
*/
-static void read_config(int fd)
+static void read_config(int fd, const char *watch_file_path)
{
- char *watch_file_path = "/etc/selinux/restorecond.conf";
FILE *cfg = NULL;
if (debug_mode)
@@ -278,8 +295,10 @@
watch_list_free(fd);
cfg = fopen(watch_file_path, "r");
- if (!cfg)
- exitApp("Error reading config file.");
+ if (!cfg){
+ perror(watch_file_path);
+ exitApp("Error reading config file");
+ }
process_config(fd, cfg);
fclose(cfg);
@@ -316,21 +335,10 @@
event->wd, event->mask,
event->cookie, event->len);
if (event->wd == master_wd)
- read_config(fd);
+ read_config(fd, watch_file);
else {
- switch (utmpwatcher_handle(fd, event->wd)) {
- case -1: /* Message was not for utmpwatcher */
- if (event->len)
- watch_list_find(event->wd, event->name);
- break;
-
- case 1: /* utmp has changed need to reload */
- read_config(fd);
- break;
-
- default: /* No users logged in or out */
- break;
- }
+ if (event->len)
+ watch_list_find(event->wd, event->name);
}
i += EVENT_SIZE + event->len;
@@ -374,7 +382,7 @@
static void usage(char *program)
{
- printf("%s [-d] [-v] \n", program);
+ printf("%s [-d] [-s] [-f restorecond_file ] [-v] \n", program);
exit(0);
}
@@ -393,7 +401,9 @@
void watch_list_add(int fd, const char *path)
{
struct watchList *ptr = NULL;
+ size_t i = 0;
struct watchList *prev = NULL;
+ glob_t globbuf;
char *x = strdup(path);
if (!x)
exitApp("Out of Memory");
@@ -401,7 +411,15 @@
char *file = basename(path);
ptr = firstDir;
- restore(path, 1);
+ globbuf.gl_offs = 1;
+ if (glob(path,
+ GLOB_TILDE,
+ NULL,
+ &globbuf) >= 0) {
+ for (i=0; i < globbuf.gl_pathc; i++)
+ restore(globbuf.gl_pathv[i], 1);
+ globfree(&globbuf);
+ }
while (ptr != NULL) {
if (strcmp(dir, ptr->dir) == 0) {
@@ -445,14 +463,8 @@
{
int opt;
struct sigaction sa;
+ int run_as_user = 0;
-#ifndef DEBUG
- /* Make sure we are root */
- if (getuid() != 0) {
- fprintf(stderr, "You must be root to run this program.\n");
- return 1;
- }
-#endif
/* Make sure we are root */
if (is_selinux_enabled() != 1) {
fprintf(stderr, "Daemon requires SELinux be enabled to run.\n");
@@ -471,11 +483,18 @@
if (master_fd < 0)
exitApp("inotify_init");
- while ((opt = getopt(argc, argv, "dv")) > 0) {
+ atexit( done );
+ while ((opt = getopt(argc, argv, "uf:dv")) > 0) {
switch (opt) {
case 'd':
debug_mode = 1;
break;
+ case 'f':
+ watch_file = optarg;
+ break;
+ case 'u':
+ run_as_user = 1;
+ break;
case 'v':
verbose_mode = 1;
break;
@@ -483,7 +502,18 @@
usage(argv[0]);
}
}
- read_config(master_fd);
+
+ if (getuid() != 0) {
+ watch_file = user_watch_file;
+ read_config(master_fd, watch_file);
+ if (run_as_user)
+ return server(master_fd);
+ else
+ return start();
+ }
+
+ watch_file = server_watch_file;
+ read_config(master_fd, watch_file);
if (!debug_mode)
daemon(0, 0);
@@ -496,9 +526,10 @@
watch_list_free(master_fd);
close(master_fd);
matchpathcon_fini();
- utmpwatcher_free();
if (pidfile)
unlink(pidfile);
return 0;
}
+
+
diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.conf policycoreutils-2.0.62/restorecond/restorecond.conf
--- nsapolicycoreutils/restorecond/restorecond.conf 2009-02-18 16:44:47.000000000 -0500
+++ policycoreutils-2.0.62/restorecond/restorecond.conf 2009-04-03 14:12:56.000000000 -0400
@@ -5,3 +5,7 @@
+++ policycoreutils-2.0.62/restorecond/restorecond.conf 2009-05-04 13:40:26.000000000 -0400
@@ -4,4 +4,5 @@
/etc/mtab
/var/run/utmp
/var/log/wtmp
~/*
+/root/.ssh
-~/*
+/root/*
+/root/.ssh/*
diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.desktop policycoreutils-2.0.62/restorecond/restorecond.desktop
--- nsapolicycoreutils/restorecond/restorecond.desktop 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-2.0.62/restorecond/restorecond.desktop 2009-05-04 13:40:26.000000000 -0400
@@ -0,0 +1,7 @@
+[Desktop Entry]
+Name=File Context maintainer
+Exec=/usr/sbin/restorecond
+Comment=Fix file context in owned by the user
+Encoding=UTF-8
+Type=Application
+StartupNotify=false
diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond_user.conf policycoreutils-2.0.62/restorecond/restorecond_user.conf
--- nsapolicycoreutils/restorecond/restorecond_user.conf 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-2.0.62/restorecond/restorecond_user.conf 2009-05-04 13:40:26.000000000 -0400
@@ -0,0 +1,2 @@
+~/*
+~/public_html/*
diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/user.c policycoreutils-2.0.62/restorecond/user.c
--- nsapolicycoreutils/restorecond/user.c 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-2.0.62/restorecond/user.c 2009-05-04 13:40:26.000000000 -0400
@@ -0,0 +1,223 @@
+/*
+ * restorecond
+ *
+ * Copyright (C) 2006-2009 Red Hat
+ * see file 'COPYING' for use and warranty information
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation; either version 2 of
+ * the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+.*
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
+ * 02111-1307 USA
+ *
+ * Authors:
+ * Dan Walsh <dwalsh@redhat.com>
+ *
+*/
+
+/*
+ * PURPOSE:
+ * This daemon program watches for the creation of files listed in a config file
+ * and makes sure that there security context matches the systems defaults
+ *
+ * USAGE:
+ * restorecond [-d] [-v]
+ *
+ * -d Run in debug mode
+ * -v Run in verbose mode (Report missing files)
+ *
+ * EXAMPLE USAGE:
+ * restorecond
+ *
+ */
+
+#define _GNU_SOURCE
+#include <sys/inotify.h>
+#include <errno.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <signal.h>
+#include <string.h>
+#include <unistd.h>
+#include <ctype.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <syslog.h>
+#include <limits.h>
+#include <fcntl.h>
+
+#include "restorecond.h"
+#include "stringslist.h"
+#include <glib.h>
+#include <dbus/dbus.h>
+#include <dbus/dbus-glib.h>
+#include <dbus/dbus-glib-lowlevel.h>
+
+extern int watch_list_find(int wd, const char *file);
+extern void watch_list_free(int fd);
+extern int debug_mode;
+
+static DBusHandlerResult signal_filter (DBusConnection *connection, DBusMessage *message, void *user_data);
+
+static const char *PATH="/org/selinux/Restorecond";
+//static const char *BUSNAME="org.selinux.Restorecond";
+static const char *INTERFACE="org.selinux.RestorecondIface";
+static const char *RULE="type='signal',interface='org.selinux.RestorecondIface'";
+
+#include <selinux/selinux.h>
+
+/* size of the event structure, not counting name */
+#define EVENT_SIZE (sizeof (struct inotify_event))
+/* reasonable guess as to size of 1024 events */
+#define BUF_LEN (1024 * (EVENT_SIZE + 16))
+
+static gboolean
+io_channel_callback
+ (GIOChannel *source,
+ GIOCondition condition,
+ gpointer data __attribute__((__unused__)))
+{
+
+ char buffer[BUF_LEN+1];
+ gsize bytes_read;
+ unsigned int i = 0;
+
+ if (condition & G_IO_IN) {
+ /* Data is available. */
+ g_io_channel_read
+ (source, buffer,
+ sizeof (buffer),
+ &bytes_read);
+
+ while (i < bytes_read) {
+ struct inotify_event *event;
+ event = (struct inotify_event *)&buffer[i];
+ if (debug_mode)
+ printf("wd=%d mask=%u cookie=%u len=%u\n",
+ event->wd, event->mask,
+ event->cookie, event->len);
+ if (event->len)
+ watch_list_find(event->wd, event->name);
+
+ i += EVENT_SIZE + event->len;
+ }
+ }
+
+ /* An error happened while reading
+ the file. */
+
+ if (condition & G_IO_NVAL)
+ return FALSE;
+
+ /* We have reached the end of the
+ file. */
+
+ if (condition & G_IO_HUP) {
+ g_io_channel_close (source);
+ return FALSE;
+ }
+
+ /* Returning TRUE will make sure
+ the callback remains associated
+ to the channel. */
+
+ return TRUE;
+}
+
+static DBusHandlerResult
+signal_filter (DBusConnection *connection __attribute__ ((__unused__)), DBusMessage *message, void *user_data)
+{
+ /* User data is the event loop we are running in */
+ GMainLoop *loop = user_data;
+
+ /* A signal from the bus saying we are about to be disconnected */
+ if (dbus_message_is_signal
+ (message, INTERFACE, "Stop")) {
+
+ /* Tell the main loop to quit */
+ g_main_loop_quit (loop);
+ /* We have handled this message, don't pass it on */
+ return DBUS_HANDLER_RESULT_HANDLED;
+ }
+ /* A Ping signal on the com.burtonini.dbus.Signal interface */
+ else if (dbus_message_is_signal (message, INTERFACE, "Start")) {
+ DBusError error;
+ dbus_error_init (&error);
+ g_print("Start received\n");
+ return DBUS_HANDLER_RESULT_HANDLED;
+ }
+ return DBUS_HANDLER_RESULT_NOT_YET_HANDLED;
+}
+
+
+int start() {
+ DBusConnection *bus;
+ DBusError error;
+ DBusMessage *message;
+
+ /* Get a connection to the session bus */
+ dbus_error_init (&error);
+ bus = dbus_bus_get (DBUS_BUS_SESSION, &error);
+ if (!bus) {
+ g_warning ("Failed to connect to the D-BUS daemon: %s", error.message);
+ dbus_error_free (&error);
+ return 1;
+ }
+
+
+ /* Create a new signal "Start" on the interface,
+ * from the object */
+ message = dbus_message_new_signal (PATH,
+ INTERFACE, "Start");
+ /* Send the signal */
+ dbus_connection_send (bus, message, NULL);
+ /* Free the signal now we have finished with it */
+ dbus_message_unref (message);
+ return 0;
+}
+
+int server(int master_fd) {
+ GMainLoop *loop;
+ DBusConnection *bus;
+ DBusError error;
+
+ loop = g_main_loop_new (NULL, FALSE);
+
+ dbus_error_init (&error);
+ if(getuid() == 0) {
+ bus = dbus_bus_get (DBUS_BUS_SYSTEM, &error);
+ } else {
+ bus = dbus_bus_get (DBUS_BUS_SESSION, &error);
+ }
+ if (!bus) {
+ g_warning ("Failed to connect to the D-BUS daemon: %s", error.message);
+ dbus_error_free (&error);
+ return 1;
+ }
+ dbus_connection_setup_with_g_main (bus, NULL);
+
+ /* listening to messages from all objects as no path is specified */
+ dbus_bus_add_match (bus, RULE, &error); // see signals from the given interfacey
+ dbus_connection_add_filter (bus, signal_filter, loop, NULL);
+
+ set_matchpathcon_flags(MATCHPATHCON_NOTRANS);
+
+ GIOChannel *c = g_io_channel_unix_new(master_fd);
+
+ g_io_add_watch_full( c,
+ G_PRIORITY_HIGH,
+ G_IO_IN|G_IO_ERR|G_IO_HUP,
+ io_channel_callback, NULL, NULL);
+
+ g_main_loop_run (loop);
+ return 0;
+}
diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/chcat policycoreutils-2.0.62/scripts/chcat
--- nsapolicycoreutils/scripts/chcat 2009-01-13 08:45:35.000000000 -0500
+++ policycoreutils-2.0.62/scripts/chcat 2009-04-09 12:28:34.000000000 -0400
+++ policycoreutils-2.0.62/scripts/chcat 2009-05-04 13:40:26.000000000 -0400
@@ -281,14 +281,14 @@
def expandCats(cats):
newcats = []
@ -148,8 +595,17 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po
if len(newcats) > 25:
diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/fixfiles policycoreutils-2.0.62/scripts/fixfiles
--- nsapolicycoreutils/scripts/fixfiles 2009-02-18 16:44:47.000000000 -0500
+++ policycoreutils-2.0.62/scripts/fixfiles 2009-04-03 14:12:56.000000000 -0400
@@ -122,7 +122,7 @@
+++ policycoreutils-2.0.62/scripts/fixfiles 2009-05-05 10:47:08.000000000 -0400
@@ -89,7 +89,7 @@
fi; \
done | \
while read pattern ; do sh -c "find $pattern \
- ! \( -fstype ext2 -o -fstype ext3 -o -fstype ext4 -o -fstype ext4dev -o -fstype gfs2 -o -fstype jfs -o -fstype xfs \) -prune -o \
+ ! \( -fstype ext2 -o -fstype ext3 -o -fstype ext4 -o -fstype ext4dev -o -fstype gfs2 -o -fstype jfs -o -fstype xfs -o -fstype btrfs \) -prune -o \
\( -wholename /home -o -wholename /root -o -wholename /tmp -wholename /dev \) -prune -o -print0"; \
done 2> /dev/null | \
${RESTORECON} $* -0 -f -
@@ -122,14 +122,14 @@
fi
if [ ! -z "$RPMFILES" ]; then
for i in `echo "$RPMFILES" | sed 's/,/ /g'`; do
@ -158,9 +614,17 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po
done
exit $?
fi
if [ ! -z "$FILEPATH" ]; then
if [ -x /usr/bin/find ]; then
/usr/bin/find "$FILEPATH" \
- ! \( -fstype ext2 -o -fstype ext3 -o -fstype ext4 -o -fstype ext4dev -o -fstype gfs2 -o -fstype jfs -o -fstype xfs \) -prune -o -print0 | \
+ ! \( -fstype ext2 -o -fstype ext3 -o -fstype ext4 -o -fstype ext4dev -o -fstype gfs2 -o -fstype jfs -o -fstype xfs -o fstype btrfs \) -prune -o -print0 | \
${RESTORECON} ${OUTFILES} ${FORCEFLAG} $* -0 -f - 2>&1 >> $LOGFILE
else
${RESTORECON} ${OUTFILES} ${FORCEFLAG} -R $* $FILEPATH 2>&1 >> $LOGFILE
diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/semanage policycoreutils-2.0.62/semanage/semanage
--- nsapolicycoreutils/semanage/semanage 2009-02-18 16:44:47.000000000 -0500
+++ policycoreutils-2.0.62/semanage/semanage 2009-04-16 14:46:41.000000000 -0400
+++ policycoreutils-2.0.62/semanage/semanage 2009-05-04 13:40:26.000000000 -0400
@@ -44,16 +44,17 @@
text = _("""
semanage [ -S store ] -i [ input_file | - ]
@ -260,7 +724,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po
use_file = True
+ if o == "--dontaudit":
+ dontaudit = a
+ dontaudit = not int(a)
+
if o == "-h" or o == "--help":
raise ValueError(_("%s bad option") % o)
@ -354,7 +818,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po
diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/semanage.8 policycoreutils-2.0.62/semanage/semanage.8
--- nsapolicycoreutils/semanage/semanage.8 2008-08-28 09:34:24.000000000 -0400
+++ policycoreutils-2.0.62/semanage/semanage.8 2009-04-16 13:51:38.000000000 -0400
+++ policycoreutils-2.0.62/semanage/semanage.8 2009-05-04 13:40:26.000000000 -0400
@@ -21,6 +21,8 @@
.br
.B semanage permissive \-{a|d} type
@ -366,7 +830,14 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po
diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/seobject.py policycoreutils-2.0.62/semanage/seobject.py
--- nsapolicycoreutils/semanage/seobject.py 2008-11-14 17:10:15.000000000 -0500
+++ policycoreutils-2.0.62/semanage/seobject.py 2009-04-16 14:46:58.000000000 -0400
+++ policycoreutils-2.0.62/semanage/seobject.py 2009-05-05 14:45:58.000000000 -0400
@@ -1,5 +1,5 @@
#! /usr/bin/python -E
-# Copyright (C) 2005, 2006, 2007, 2008 Red Hat
+# Copyright (C) 2005, 2006, 2007, 2008, 2009 Red Hat
# see file 'COPYING' for use and warranty information
#
# semanage is a tool for managing SELinux configuration files
@@ -21,16 +21,16 @@
#
#
@ -514,7 +985,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po
+
+ def dontaudit(self, dontaudit = 0):
+ self.begin()
+ rc = semanage_set_disable_dontaudit(self.sh, int(dontaudit))
+ rc = semanage_set_disable_dontaudit(self.sh, dontaudit)
+ self.commit()
+ rc = semanage_reload_policy(self.sh)
+
@ -940,7 +1411,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po
if rc < 0:
raise ValueError(_("Could not check if interface %s is defined") % interface)
if not exists:
@@ -1393,6 +1452,45 @@
@@ -1393,6 +1452,48 @@
class fcontextRecords(semanageRecords):
def __init__(self, store = ""):
semanageRecords.__init__(self, store)
@ -963,7 +1434,10 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po
+ for src in self.equiv.keys():
+ fd.write("%s %s\n" % (src, self.equiv[src]))
+ fd.close()
+ try:
+ os.chmod(tmpfile, os.stat(subs_file)[stat.ST_MODE])
+ except:
+ pass
+ os.rename(tmpfile,subs_file)
+ self.equil_ind = False
+ semanageRecords.commit(self)
@ -986,7 +1460,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po
def createcon(self, target, seuser = "system_u"):
(rc, con) = semanage_context_create(self.sh)
@@ -1429,23 +1527,23 @@
@@ -1429,23 +1530,23 @@
if type == "":
raise ValueError(_("SELinux Type is required"))
@ -1014,7 +1488,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po
if rc < 0:
raise ValueError(_("Could not create file context for %s") % target)
@@ -1486,21 +1584,21 @@
@@ -1486,21 +1587,21 @@
raise ValueError(_("Requires setype, serange or seuser"))
self.validate(target)
@ -1041,7 +1515,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po
if rc < 0:
raise ValueError(_("Could not query file context for %s") % target)
@@ -1550,7 +1648,7 @@
@@ -1550,7 +1651,7 @@
target = semanage_fcontext_get_expr(fcontext)
ftype = semanage_fcontext_get_type(fcontext)
ftype_str = semanage_fcontext_get_type_str(ftype)
@ -1050,7 +1524,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po
if rc < 0:
raise ValueError(_("Could not create a key for %s") % target)
@@ -1558,19 +1656,26 @@
@@ -1558,19 +1659,26 @@
if rc < 0:
raise ValueError(_("Could not delete the file context %s") % target)
semanage_fcontext_key_free(k)
@ -1081,7 +1555,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po
if rc < 0:
raise ValueError(_("Could not check if file context for %s is defined") % target)
if exists:
@@ -1617,11 +1722,11 @@
@@ -1617,11 +1725,11 @@
return ddict
def list(self, heading = 1, locallist = 0 ):
@ -1095,7 +1569,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po
for k in keys:
if fcon_dict[k]:
if is_mls_enabled:
@@ -1630,11 +1735,17 @@
@@ -1630,11 +1738,17 @@
print "%-50s %-18s %s:%s:%s " % (k[0], k[1], fcon_dict[k][0], fcon_dict[k][1],fcon_dict[k][2])
else:
print "%-50s %-18s <<None>>" % (k[0], k[1])
@ -1114,7 +1588,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po
self.dict["TRUE"] = 1
self.dict["FALSE"] = 0
self.dict["ON"] = 1
@@ -1643,16 +1754,16 @@
@@ -1643,16 +1757,16 @@
self.dict["0"] = 0
def __mod(self, name, value):
@ -1134,7 +1608,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po
if rc < 0:
raise ValueError(_("Could not query file context %s") % name)
@@ -1670,7 +1781,7 @@
@@ -1670,7 +1784,7 @@
semanage_bool_key_free(k)
semanage_bool_free(b)
@ -1143,7 +1617,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po
self.begin()
@@ -1694,16 +1805,16 @@
@@ -1694,16 +1808,16 @@
def __delete(self, name):
@ -1163,7 +1637,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po
if rc < 0:
raise ValueError(_("Could not check if boolean %s is defined") % name)
if not exists:
@@ -1762,7 +1873,7 @@
@@ -1762,7 +1876,7 @@
return _("unknown")
def list(self, heading = True, locallist = False, use_file = False):
@ -1172,11 +1646,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po
if use_file:
ddict = self.get_all(locallist)
keys = ddict.keys()
Binary files nsapolicycoreutils/setfiles/restorecon and policycoreutils-2.0.62/setfiles/restorecon differ
Binary files nsapolicycoreutils/setfiles/setfiles and policycoreutils-2.0.62/setfiles/setfiles differ
diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/setfiles/setfiles.c policycoreutils-2.0.62/setfiles/setfiles.c
--- nsapolicycoreutils/setfiles/setfiles.c 2008-08-28 09:34:24.000000000 -0400
+++ policycoreutils-2.0.62/setfiles/setfiles.c 2009-04-14 09:38:55.000000000 -0400
+++ policycoreutils-2.0.62/setfiles/setfiles.c 2009-05-04 13:40:26.000000000 -0400
@@ -29,6 +29,8 @@
static int mass_relabel;
static int mass_relabel_errs;
@ -1209,4 +1681,3 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po
printf("\n");
exit(errors);
}
Binary files nsapolicycoreutils/setfiles/setfiles.o and policycoreutils-2.0.62/setfiles/setfiles.o differ
@ -1,6 +1,6 @@
diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/access.py policycoreutils-2.0.62/sepolgen-1.0.16/src/sepolgen/access.py
--- nsasepolgen/src/sepolgen/access.py 2009-01-13 08:45:35.000000000 -0500
+++ policycoreutils-2.0.62/sepolgen-1.0.16/src/sepolgen/access.py 2009-04-01 10:03:43.000000000 -0400
+++ policycoreutils-2.0.62/sepolgen-1.0.16/src/sepolgen/access.py 2009-04-21 14:54:12.000000000 -0400
@@ -313,7 +313,7 @@
def __len__(self):
@ -10,9 +10,30 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/access.py policyco
def add(self, role, type):
if self.role_types.has_key(role):
diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/audit.py policycoreutils-2.0.62/sepolgen-1.0.16/src/sepolgen/audit.py
--- nsasepolgen/src/sepolgen/audit.py 2008-08-28 09:34:24.000000000 -0400
+++ policycoreutils-2.0.62/sepolgen-1.0.16/src/sepolgen/audit.py 2009-04-24 13:19:39.000000000 -0400
@@ -47,6 +47,17 @@
stdout=subprocess.PIPE).communicate()[0]
return output
+def get_log_msgs():
+ """Obtain all of the avc and policy load messages from /var/log/messages.
+
+ Returns:
+ string contain all of the audit messages returned by /var/log/messages.
+ """
+ import subprocess
+ output = subprocess.Popen(["/bin/grep", "avc", "/var/log/messages"],
+ stdout=subprocess.PIPE).communicate()[0]
+ return output
+
# Classes representing audit messages
class AuditMessage:
diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/refparser.py policycoreutils-2.0.62/sepolgen-1.0.16/src/sepolgen/refparser.py
--- nsasepolgen/src/sepolgen/refparser.py 2008-08-28 09:34:24.000000000 -0400
+++ policycoreutils-2.0.62/sepolgen-1.0.16/src/sepolgen/refparser.py 2009-02-18 16:52:27.000000000 -0500
+++ policycoreutils-2.0.62/sepolgen-1.0.16/src/sepolgen/refparser.py 2009-04-21 14:54:12.000000000 -0400
@@ -919,7 +919,7 @@
def list_headers(root):
modules = []
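Review bot: The new `get_log_msgs()` in the audit.py hunk discards grep's exit status, so an unreadable or absent /var/log/messages yields an empty string that is indistinguishable from "no denials", and `audit2allow -a` would then silently report nothing; keep the Popen object and check it, e.g. `p = subprocess.Popen([...], stdout=subprocess.PIPE)`, `output = p.communicate()[0]`, then `if p.returncode > 1: raise OSError("grep failed on /var/log/messages")` (grep returns 1 for no match, 2 for an error), or at least document that failures are swallowed. The docstring also promises "avc and policy load messages", but the pattern passed to grep is only the literal `avc`, so unless a caller merges load messages from elsewhere the docstring should be narrowed to `Obtain the avc messages from /var/log/messages.`; the same sentence has a typo, `string contain` should read `string containing`. Using an argv list rather than a shell string is the right call here and matches the existing `get_audit_msgs` context lines above it.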

View File

@ -6,7 +6,7 @@
Summary: SELinux policy core utilities
Name: policycoreutils
Version: 2.0.62
Release: 11%{?dist}
Release: 14%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz
@ -201,6 +201,9 @@ rm -rf %{buildroot}
%config(noreplace) %{_sysconfdir}/sestatus.conf
%attr(755,root,root) /etc/rc.d/init.d/restorecond
%config(noreplace) /etc/selinux/restorecond.conf
%config(noreplace) /etc/selinux/restorecond_user.conf
%{_sysconfdir}/xdg/autostart/restorecond.desktop
%{_datadir}/dbus-1/services/org.selinux.Restorecond.service
%preun
if [ $1 -eq 0 ]; then
@ -221,7 +224,13 @@ else
fi
%changelog
* Thu Apr 16 2009 Dan Walsh <dwalsh@redhat.com> 2.0.62-11
* Wed Apr 22 2009 Dan Walsh <dwalsh@redhat.com> 2.0.62-14
- Fix audit2allow -a to retun /var/log/messages
* Wed Apr 22 2009 Dan Walsh <dwalsh@redhat.com> 2.0.62-13
- Run restorecond as a user service
* Thu Apr 16 2009 Dan Walsh <dwalsh@redhat.com> 2.0.62-12
- Add semanage module support
* Tue Apr 14 2009 Dan Walsh <dwalsh@redhat.com> 2.0.62-10