diff --git a/policycoreutils-rhat.patch b/policycoreutils-rhat.patch index 3506b80..d82bc96 100644 --- a/policycoreutils-rhat.patch +++ b/policycoreutils-rhat.patch @@ -7431,7 +7431,7 @@ index 51fb8d7..0000000 - except ValueError, e: - usage(e) diff --git a/policycoreutils/gui/polgengui.py b/policycoreutils/gui/polgengui.py -index 0460a33..c5d80b7 100644 +index 0460a33..1c16f7b 100644 --- a/policycoreutils/gui/polgengui.py +++ b/policycoreutils/gui/polgengui.py @@ -4,7 +4,7 @@ @@ -7443,12 +7443,13 @@ index 0460a33..c5d80b7 100644 # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by -@@ -28,9 +28,24 @@ import os +@@ -28,9 +28,25 @@ import os import gobject import gnome import sys -import polgen +from sepolicy import generate ++import sepolicy.interface +import commands + import re @@ -7469,7 +7470,7 @@ index 0460a33..c5d80b7 100644 ## ## I18N -@@ -169,10 +184,10 @@ class childWindow: +@@ -169,10 +185,10 @@ class childWindow: self.tooltip_dict[label] = label.get_tooltip_text() try: @@ -7484,7 +7485,7 @@ index 0460a33..c5d80b7 100644 except RuntimeError, e: self.all_types = [] self.all_modules = [] -@@ -200,16 +215,16 @@ class childWindow: +@@ -200,16 +216,16 @@ class childWindow: self.boolean_description_entry = xml.get_widget ("boolean_description_entry") self.pages={} 
@@ -7508,26 +7509,30 @@ index 0460a33..c5d80b7 100644 self.current_page = 0 self.back_button.set_sensitive(0) -@@ -304,22 +319,22 @@ class childWindow: +@@ -304,22 +320,17 @@ class childWindow: col = gtk.TreeViewColumn(_("Application"), gtk.CellRendererText(), text = 0) self.admin_treeview.append_column(col) - for i in polgen.methods: - m = re.findall("(.*)%s" % polgen.USER_TRANSITION_INTERFACE, i) -+ for i in generate.methods: -+ m = re.findall("(.*)%s" % generate.USER_TRANSITION_INTERFACE, i) - if len(m) > 0: - if "%s_exec_t" % m[0] in self.all_types: - iter = self.transition_store.append() - self.transition_store.set_value(iter, 0, m[0]) - continue +- if len(m) > 0: +- if "%s_exec_t" % m[0] in self.all_types: +- iter = self.transition_store.append() +- self.transition_store.set_value(iter, 0, m[0]) +- continue - m = re.findall("(.*)%s" % polgen.ADMIN_TRANSITION_INTERFACE, i) -+ m = re.findall("(.*)%s" % generate.ADMIN_TRANSITION_INTERFACE, i) - if len(m) > 0: - iter = self.admin_store.append() - self.admin_store.set_value(iter, 0, m[0]) - continue +- if len(m) > 0: +- iter = self.admin_store.append() +- self.admin_store.set_value(iter, 0, m[0]) +- continue ++ for u in sepolicy.interface.get_user(): ++ iter = self.transition_store.append() ++ self.transition_store.set_value(iter, 0, u) ++ ++ for a in sepolicy.interface.get_admin(): ++ iter = self.admin_store.append() ++ self.admin_store.set_value(iter, 0, a) def confine_application(self): - return self.get_type() in polgen.APPLICATIONS @@ -7535,7 +7540,7 @@ index 0460a33..c5d80b7 100644 def forward(self, arg): type = self.get_type() -@@ -416,41 +431,41 @@ class childWindow: +@@ -416,41 +427,41 @@ class childWindow: def get_type(self): if self.sandbox_radiobutton.get_active(): 
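Review bot: The new `for u in sepolicy.interface.get_user()` loop drops the check the removed code made before filling `transition_store`, namely that `"%s_exec_t" % m[0]` exists in `self.all_types`, so the transition list now offers every user interface whether or not the loaded policy defines the matching executable type; unless `get_user()` already applies that filter, keep `if "%s_exec_t" % u in self.all_types:` around the append. Both new loops bind `iter`, shadowing the builtin — `row = self.transition_store.append()` avoids that. With both `re.findall` calls gone, the `import re` kept in the earlier polgengui.py hunk may no longer be used in this file; worth checking before the next cleanup. The enclosing method starts above this hunk.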
@@ -7591,7 +7596,7 @@ index 0460a33..c5d80b7 100644 my_policy.set_program(self.exec_entry.get_text()) my_policy.gen_symbols() -@@ -463,14 +478,14 @@ class childWindow: +@@ -463,14 +474,14 @@ class childWindow: my_policy.set_use_audit(self.audit_checkbutton.get_active() == 1) my_policy.set_use_terminal(self.terminal_checkbutton.get_active() == 1) my_policy.set_use_mail(self.mail_checkbutton.get_active() == 1) @@ -7609,7 +7614,7 @@ index 0460a33..c5d80b7 100644 selected = [] self.admin_treeview.get_selection().selected_foreach(foreach, selected) my_policy.set_admin_domains(selected) -@@ -667,16 +682,16 @@ class childWindow: +@@ -667,16 +678,16 @@ class childWindow: def on_in_net_page_next(self, *args): try: @@ -7630,7 +7635,7 @@ index 0460a33..c5d80b7 100644 except ValueError, e: self.error(e.message) return True -@@ -712,7 +727,7 @@ class childWindow: +@@ -712,7 +723,7 @@ class childWindow: if exe == "": self.error(_("You must enter a executable")) return True @@ -161172,7 +161177,7 @@ index 9787182..097a210 100644 +"services." msgstr "" diff --git a/policycoreutils/po/ja.po b/policycoreutils/po/ja.po -index ffeaef5..83523dc 100644 +index ffeaef5..dc764d1 100644 --- a/policycoreutils/po/ja.po +++ b/policycoreutils/po/ja.po @@ -1,38 +1,37 @@ @@ -161198,7 +161203,7 @@ index ffeaef5..83523dc 100644 -"PO-Revision-Date: 2012-04-02 20:30+0000\n" -"Last-Translator: dwalsh \n" +"POT-Creation-Date: 2012-10-08 10:31-0400\n" -+"PO-Revision-Date: 2012-12-19 22:40+0000\n" ++"PO-Revision-Date: 2012-12-21 03:31+0000\n" +"Last-Translator: Tomoyuki KATO \n" "Language-Team: Japanese \n" -"Language: ja\n" 
@@ -163423,33 +163428,44 @@ index ffeaef5..83523dc 100644 -#: ../gui/selinux.tbl:226 ../gui/selinux.tbl:227 ../gui/selinux.tbl:230 -msgid "SELinux Service Protection" -msgstr "" -- ++#: ../gui/semanagePage.py:126 ++#, python-format ++msgid "Are you sure you want to delete %s '%s'?" ++msgstr "本当に %s '%s' を削除しますか?" + -#: ../gui/selinux.tbl:1 -msgid "Disable SELinux protection for acct daemon" -msgstr "" -- ++#: ../gui/semanagePage.py:126 ++#, python-format ++msgid "Delete %s" ++msgstr "%s の削除" + -#: ../gui/selinux.tbl:2 ../gui/selinux.tbl:3 ../gui/selinux.tbl:70 -#: ../gui/selinux.tbl:153 ../gui/selinux.tbl:168 ../gui/selinux.tbl:169 -#: ../gui/selinux.tbl:170 ../gui/selinux.tbl:189 ../gui/selinux.tbl:202 -#: ../gui/selinux.tbl:203 ../gui/selinux.tbl:204 ../gui/selinux.tbl:205 -msgid "Admin" -msgstr "" -- ++#: ../gui/semanagePage.py:134 ++#, python-format ++msgid "Add %s" ++msgstr "%s の追加" + -#: ../gui/selinux.tbl:2 -msgid "Allow all daemons to write corefiles to /" -msgstr "" -+#: ../gui/semanagePage.py:126 ++#: ../gui/semanagePage.py:148 +#, python-format -+msgid "Are you sure you want to delete %s '%s'?" -+msgstr "本当に %s '%s' を削除しますか?" ++msgid "Modify %s" ++msgstr "%s の修正" -#: ../gui/selinux.tbl:3 -msgid "Allow all daemons the ability to use unallocated ttys" -msgstr "" -+#: ../gui/semanagePage.py:126 -+#, python-format -+msgid "Delete %s" -+msgstr "%s の削除" ++#: ../gui/statusPage.py:69 ../gui/system-config-selinux.glade:2819 ++msgid "Permissive" ++msgstr "容認" -#: ../gui/selinux.tbl:4 ../gui/selinux.tbl:5 ../gui/selinux.tbl:11 -#: ../gui/selinux.tbl:12 ../gui/selinux.tbl:13 ../gui/selinux.tbl:15 
@@ -163459,25 +163475,11 @@ index ffeaef5..83523dc 100644 -#: ../gui/selinux.tbl:216 ../gui/selinux.tbl:217 -msgid "User Privs" -msgstr "" -+#: ../gui/semanagePage.py:134 -+#, python-format -+msgid "Add %s" -+msgstr "%s の追加" -+ -+#: ../gui/semanagePage.py:148 -+#, python-format -+msgid "Modify %s" -+msgstr "%s の修正" - --#: ../gui/selinux.tbl:4 -+#: ../gui/statusPage.py:69 ../gui/system-config-selinux.glade:2819 -+msgid "Permissive" -+msgstr "容認" -+ +#: ../gui/statusPage.py:70 ../gui/system-config-selinux.glade:2837 +msgid "Enforcing" +msgstr "強制" -+ + +-#: ../gui/selinux.tbl:4 +#: ../gui/statusPage.py:94 +msgid "Status" +msgstr "状態" @@ -165216,12 +165218,12 @@ index ffeaef5..83523dc 100644 +#: booleans.py:140 +msgid "Allow racoon to read shadow" +msgstr "racoon がシャドウを読み込むことを許可します。" - --#: ../gui/selinux.tbl:216 ++ +#: booleans.py:141 +msgid "Allow rgmanager domain to connect to the network using TCP." +msgstr "rgmanager ドメインに対して TCP を使用するネットワークへの接続を許可します。" -+ + +-#: ../gui/selinux.tbl:216 +#: booleans.py:142 msgid "" -"Allow users to run TCP servers (bind to ports and accept connection from the " @@ -165542,9 +165544,10 @@ index ffeaef5..83523dc 100644 -#: ../gui/system-config-selinux.glade:837 -msgid "Add SELinux User" +-msgstr "" +#: booleans.py:181 +msgid "Allow user spamassassin clients to use the network." - msgstr "" ++msgstr "ユーザー spamassassin クライアントがネットワークを使用することを許可します。" -#: ../gui/system-config-selinux.glade:1079 -msgid "SELinux Administration" @@ -165555,10 +165558,11 @@ index ffeaef5..83523dc 100644 -#: ../gui/system-config-selinux.glade:1122 -msgid "Add" +-msgstr "" +#: booleans.py:183 +msgid "" +"Allow squid to connect to all ports, not just HTTP, FTP, and Gopher ports." - msgstr "" ++msgstr "Squid が HTTP, FTP, および Gopher ポートを含め、すべてのポートに接続することを許可します。" -#: ../gui/system-config-selinux.glade:1144 -msgid "_Properties" 
@@ -165577,9 +165581,10 @@ index ffeaef5..83523dc 100644 -#: ../gui/system-config-selinux.glade:1256 -msgid "Select Management Object" +-msgstr "" +#: booleans.py:186 +msgid "allow host key based authentication" - msgstr "" ++msgstr "ホスト鍵による認証を許可する" -#: ../gui/system-config-selinux.glade:1273 -msgid "Select:" @@ -333811,10 +333816,10 @@ index 0000000..378eac2 +build diff --git a/policycoreutils/sepolicy/Makefile b/policycoreutils/sepolicy/Makefile new file mode 100644 -index 0000000..af8cb8a +index 0000000..b1bfc5d --- /dev/null +++ b/policycoreutils/sepolicy/Makefile -@@ -0,0 +1,31 @@ +@@ -0,0 +1,32 @@ +# Installation directories. +PREFIX ?= $(DESTDIR)/usr +SYSCONFDIR ?= $(DESTDIR)/etc/sysconfig @@ -333842,6 +333847,7 @@ index 0000000..af8cb8a +install: + [ -d $(MANDIR)/man8 ] || mkdir -p $(MANDIR)/man8 + $(PYTHON) setup.py install `test -n "$(DESTDIR)" && echo --root $(DESTDIR)` ++ [ -d $(BINDIR) ] || mkdir -p $(BINDIR) + install -m 755 sepolicy.py $(BINDIR)/sepolicy + -mkdir -p $(BASHCOMPLETIONDIR) + install -m 644 $(BASHCOMPLETIONS) $(BASHCOMPLETIONDIR) @@ -336030,13 +336036,13 @@ index 0000000..c1d9411 +} diff --git a/policycoreutils/sepolicy/sepolicy-bash-completion.sh b/policycoreutils/sepolicy/sepolicy-bash-completion.sh new file mode 100644 -index 0000000..d4ea0e7 +index 0000000..01ac68a --- /dev/null +++ b/policycoreutils/sepolicy/sepolicy-bash-completion.sh -@@ -0,0 +1,151 @@ +@@ -0,0 +1,186 @@ +# This file is part of systemd. +# -+# Copyright 2011 Dan Walsh ++# Copyright 2012 Dan Walsh +# +# systemd is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by 
@@ -336063,26 +336069,38 @@ index 0000000..d4ea0e7 +__get_all_ftypes () { + echo '-- -d -c -b -s -l -p' +} -+__get_all_networks () { -+ seinfo -u 2> /dev/null | tail -n +3 ++__get_all_networks () { ++ seinfo -u 2> /dev/null | tail -n +3 +} -+__get_all_types () { -+ seinfo -t 2> /dev/null | tail -n +3 ++__get_all_booleans () { ++ getsebool -a 2> /dev/null +} -+__get_all_classes () { -+ seinfo -c 2> /dev/null | tail -n +3 ++__get_all_types () { ++ seinfo -t 2> /dev/null | tail -n +3 +} -+__get_all_port_types () { -+ seinfo -aport_type -x 2> /dev/null | tail -n +3 ++__get_all_admin_interaces () { ++ awk '/InterfaceVector.*_admin /{ print $2 }' /var/lib/sepolgen/interface_info | awk -F '_admin' '{ print $1 }' +} -+__get_all_domain_types () { -+ seinfo -adomain -x 2> /dev/null | tail -n +3 ++__get_all_user_role_interaces () { ++ awk '/InterfaceVector.*_role /{ print $2 }' /var/lib/sepolgen/interface_info | awk -F '_role' '{ print $1 }' +} -+__get_all_domains () { ++__get_all_user_domains () { ++ seinfo -auserdomain -x 2> /dev/null | tail -n +2 ++} ++__get_all_classes () { ++ seinfo -c 2> /dev/null | tail -n +2 ++} ++__get_all_port_types () { ++ seinfo -aport_type -x 2> /dev/null | tail -n +2 ++} ++__get_all_domain_types () { ++ seinfo -adomain -x 2> /dev/null | tail -n +2 ++} ++__get_all_domains () { + seinfo -adomain -x 2>/dev/null | sed 's/_t$//g' +} -+__get_all_generate_types () { -+ seinfo -agenerate_type -x 2>/dev/null | tail -n +2 ++__get_all_generate_types () { ++ seinfo -agenerate_type -x 2>/dev/null | tail -n +2 +} +_sepolicy () { + local command=${COMP_WORDS[1]} 
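Review bot: `__get_all_admin_interaces` and `__get_all_user_role_interaces` read `/var/lib/sepolgen/interface_info` without the `2> /dev/null` every other helper in this hunk applies, so on a host where that file is absent awk's error lands in the user's terminal mid-completion; `awk '/InterfaceVector.*_admin /{ print $2 }' /var/lib/sepolgen/interface_info 2> /dev/null | awk -F '_admin' '{ print $1 }'` matches the seinfo helpers. Both names also misspell "interfaces" as `interaces`, and the later completion hunk repeats the typo at the call sites, so renaming is a two-place change. The header skip is inconsistent: `__get_all_networks` and `__get_all_types` use `tail -n +3` while the newly added seinfo helpers use `tail -n +2`, so one group either drops a real entry or leaves a header line in the completion list — confirm against seinfo's actual output. Most other lines in this hunk are whitespace-only re-indentation. `_sepolicy ()` begins at the end of the hunk and continues below it.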
@@ -336090,20 +336108,24 @@ index 0000000..d4ea0e7 + local verb comps + + local -A VERBS=( -+ [MANPAGE]='manpage' -+ [NETWORK]='network' -+ [COMMUNICATE]='communicate' -+ [TRANSITION]='transition' -+ [GENERATE]='generate' ++ [BOOLEANS]='booleans' ++ [COMMUNICATE]='communicate' ++ [GENERATE]='generate' ++ [INTERFACE]='interface' ++ [MANPAGE]='manpage' ++ [NETWORK]='network' ++ [TRANSITION]='transition' + ) + -+ COMMONOPTS='-P --policy -h --help' ++ COMMONOPTS='-P --policy -h --help' + local -A OPTS=( -+ [manpage]='-h --help -p --path -a -all -o --os -d --domain -w --web' -+ [network]='-h --help -d --domain -l --list -p --port -t --type ' -+ [communicate]='-h --help -s --source -t --target -c --class -S --sourceaccess -T --targetaccess' -+ [transition]='-h --help -s --source -t --target' -+ [generate]='-h --help -p --path -t --type -n --name -T --test' ++ [booleans]='-h --help -p --path -a -all -b --boolean' ++ [communicate]='-h --help -s --source -t --target -c --class -S --sourceaccess -T --targetaccess' ++ [generate]='-a --admin --admin_user --application --cgi --confined_admin --customize -d --domain --dbus --desktop_user -h --help --inetd --init -n --name -p --path --sandbox -T --test --term_user -u --user --x_user' ++ [interface]='-h --help -a --list_admin" -u --list_user -l --list' ++ [manpage]='-h --help -p --path -a -all -o --os -d --domain -w --web' ++ [network]='-h --help -d --domain -l --list -p --port -t --type ' ++ [transition]='-h --help -s --source -t --target' + ) + + for ((i=0; $i <= $COMP_CWORD; i++)); do 
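Review bot: The `[interface]` entry of OPTS contains a stray double quote after `--list_admin`, so completion offers a literal `--list_admin"` token; it should read `[interface]='-h --help -a --list_admin -u --list_user -l --list'`. The `[booleans]` and `[manpage]` entries list `-a -all`, a single-dash long option that no other entry in the table uses; if the Python parser spells it `--all`, `-all` will never be accepted and should be corrected here. `_sepolicy` starts above this hunk and continues below it.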
@@ -336115,71 +336137,90 @@ index 0000000..d4ea0e7 + done + + if [[ -z $verb ]]; then -+ if [ "$prev" = "-P" -o "$prev" = "--policy" ]; then -+ COMPREPLY=( $( compgen -f -- "$cur") ) -+ compopt -o filenames -+ return 0 -+ else ++ if [ "$prev" = "-P" -o "$prev" = "--policy" ]; then ++ COMPREPLY=( $( compgen -f -- "$cur") ) ++ compopt -o filenames ++ return 0 ++ else + comps="${VERBS[*]} ${COMMONOPTS}" -+ fi -+ elif [ "$verb" = "manpage" ]; then -+ if [ "$prev" = "-d" -o "$prev" = "--domain" ]; then -+ COMPREPLY=( $(compgen -W "$( __get_all_domains ) " -- "$cur") ) -+ return 0 -+ elif [ "$prev" = "-o" -o "$prev" = "--os" ]; then -+ return 0 -+ elif test "$prev" = "-p" || test "$prev" = "--path" ; then -+ COMPREPLY=( $( compgen -d -- "$cur") ) -+ compopt -o filenames -+ return 0 -+ fi ++ fi ++ elif [ "$verb" = "booleans" ]; then ++ if [ "$prev" = "-b" -o "$prev" = "--boolean" ]; then ++ COMPREPLY=( $(compgen -W "$( __get_all_booleans ) " -- "$cur") ) ++ return 0 ++ fi + COMPREPLY=( $(compgen -W '${OPTS[$verb]}' -- "$cur") ) -+ return 0 -+ elif [ "$verb" = "network" ]; then -+ if [ "$prev" = "-t" -o "$prev" = "--type" ]; then -+ COMPREPLY=( $(compgen -W "$( __get_all_port_types ) " -- "$cur") ) -+ return 0 -+ fi -+ if [ "$prev" = "-d" -o "$prev" = "--domain" ]; then -+ COMPREPLY=( $(compgen -W "$( __get_all_domain_types ) " -- "$cur") ) -+ return 0 -+ fi ++ return 0 ++ elif [ "$verb" = "communicate" ]; then ++ if [ "$prev" = "-s" -o "$prev" = "--source" -o "$prev" = "-t" -o "$prev" = "--target" ]; then ++ COMPREPLY=( $(compgen -W "$( __get_all_domain_types ) " -- "$cur") ) ++ return 0 ++ elif [ "$prev" = "-c" -o "$prev" = "--class" ]; then ++ COMPREPLY=( $(compgen -W "$( __get_all_classes ) " -- "$cur") ) ++ return 0 ++ fi + COMPREPLY=( $(compgen -W '${OPTS[$verb]}' -- "$cur") ) -+ return 0 -+ elif [ "$verb" = "communicate" ]; then -+ if [ "$prev" = "-s" -o "$prev" = "--source" -o "$prev" = "-t" -o "$prev" = "--target" ]; then -+ COMPREPLY=( $(compgen -W "$( 
__get_all_domain_types ) " -- "$cur") ) -+ return 0 -+ elif [ "$prev" = "-c" -o "$prev" = "--class" ]; then -+ COMPREPLY=( $(compgen -W "$( __get_all_classes ) " -- "$cur") ) -+ return 0 -+ fi ++ return 0 ++ elif [ "$verb" = "generate" ]; then ++ if [ "$prev" = "--name" -o "$prev" = "-n" ]; then ++ return 0 ++ elif test "$prev" = "-p" || test "$prev" = "--path" ; then ++ COMPREPLY=( $( compgen -d -- "$cur") ) ++ compopt -o filenames ++ return 0 ++ elif [ "$prev" = "--type" -o "$prev" = "-t" ]; then ++ COMPREPLY=( $(compgen -W '0 1 2 3 4 5 6 7 8 9 10 11' -- "$cur") ) ++ return 0 ++ elif [ "$prev" = "--domain" -o "$prev" = "-d" ]; then ++ COMPREPLY=( $(compgen -W "$( __get_all_domain_types ) " -- "$cur") ) ++ return 0 ++ elif [ "$prev" = "--admin" -o "$prev" = "-a" ]; then ++ COMPREPLY=( $(compgen -W "$( __get_all_admin_interaces ) " -- "$cur") ) ++ return 0 ++ elif [ "$prev" = "--user" -o "$prev" = "-u" ]; then ++ COMPREPLY=( $(compgen -W "$( __get_all_user_domains ) " -- "$cur") ) ++ return 0 ++ elif [[ "$cur" == "$verb" || "$cur" == "" || "$cur" == -* ]]; then ++ COMPREPLY=( $(compgen -W '${OPTS[$verb]}' -- "$cur") ) ++ return 0 ++ fi ++ COMPREPLY=( $( compgen -f -- "$cur") ) ++ compopt -o filenames ++ return 0 ++ elif [ "$verb" = "interface" ]; then + COMPREPLY=( $(compgen -W '${OPTS[$verb]}' -- "$cur") ) -+ return 0 -+ elif [ "$verb" = "transition" ]; then -+ if [ "$prev" = "-s" -o "$prev" = "--source" -o "$prev" = "-t" -o "$prev" = "--target" ]; then -+ COMPREPLY=( $(compgen -W "$( __get_all_domain_types ) " -- "$cur") ) -+ return 0 -+ fi ++ return 0 ++ elif [ "$verb" = "manpage" ]; then ++ if [ "$prev" = "-d" -o "$prev" = "--domain" ]; then ++ COMPREPLY=( $(compgen -W "$( __get_all_domains ) " -- "$cur") ) ++ return 0 ++ elif [ "$prev" = "-o" -o "$prev" = "--os" ]; then ++ return 0 ++ elif test "$prev" = "-p" || test "$prev" = "--path" ; then ++ COMPREPLY=( $( compgen -d -- "$cur") ) ++ compopt -o filenames ++ return 0 ++ fi + COMPREPLY=( $(compgen -W 
'${OPTS[$verb]}' -- "$cur") ) -+ return 0 -+ elif [ "$verb" = "generate" ]; then -+ if [ "$prev" = "--name" -o "$prev" = "-n" ]; then -+ return 0 -+ elif test "$prev" = "-p" || test "$prev" = "--path" ; then -+ COMPREPLY=( $( compgen -d -- "$cur") ) -+ compopt -o filenames -+ return 0 -+ elif [ "$prev" = "--type" -o "$prev" = "-t" ]; then -+ COMPREPLY=( $(compgen -W '0 1 2 3 4 5 6 7 8 9 10' -- "$cur") ) -+ return 0 -+ elif [[ "$cur" == "$verb" || "$cur" == "" || "$cur" == -* ]]; then -+ COMPREPLY=( $(compgen -W '${OPTS[$verb]}' -- "$cur") ) -+ return 0 -+ fi -+ COMPREPLY=( $( compgen -f -- "$cur") ) -+ compopt -o filenames -+ return 0 ++ return 0 ++ elif [ "$verb" = "network" ]; then ++ if [ "$prev" = "-t" -o "$prev" = "--type" ]; then ++ COMPREPLY=( $(compgen -W "$( __get_all_port_types ) " -- "$cur") ) ++ return 0 ++ fi ++ if [ "$prev" = "-d" -o "$prev" = "--domain" ]; then ++ COMPREPLY=( $(compgen -W "$( __get_all_domain_types ) " -- "$cur") ) ++ return 0 ++ fi ++ COMPREPLY=( $(compgen -W '${OPTS[$verb]}' -- "$cur") ) ++ return 0 ++ elif [ "$verb" = "transition" ]; then ++ if [ "$prev" = "-s" -o "$prev" = "--source" -o "$prev" = "-t" -o "$prev" = "--target" ]; then ++ COMPREPLY=( $(compgen -W "$( __get_all_domain_types ) " -- "$cur") ) ++ return 0 ++ fi ++ COMPREPLY=( $(compgen -W '${OPTS[$verb]}' -- "$cur") ) ++ return 0 + fi + COMPREPLY=( $(compgen -W "$comps" -- "$cur") ) + return 0 @@ -336267,10 +336308,10 @@ index 0000000..764fd35 + diff --git a/policycoreutils/sepolicy/sepolicy-generate.8 b/policycoreutils/sepolicy/sepolicy-generate.8 new file mode 100644 -index 0000000..19aa99d +index 0000000..7d9c86b --- /dev/null +++ b/policycoreutils/sepolicy/sepolicy-generate.8 -@@ -0,0 +1,109 @@ +@@ -0,0 +1,108 @@ +.TH "sepolicy-generate" "8" "20121005" "" "" +.SH "NAME" +sepolicy-generate \- Generate an initial SELinux policy module template. 
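Review bot: The `generate` branch still completes `--type`/`-t` with `'0 1 2 3 4 5 6 7 8 9 10 11'`, yet the rewritten `OPTS[generate]` in the previous hunk no longer lists `-t --type` and the sepolicy-generate.8 hunk removes the numeric type table in favour of `--init`, `--dbus` and the other flags, so this branch is either dead or advertises values the parser may no longer accept — either delete it or put `-t --type` back into OPTS. `--user`/`-u` is completed from `__get_all_user_domains` (seinfo `userdomain` types), while the `CheckUser` action added to sepolicy.py validates against `get_all_users()` and reports "must be an SELinux user"; if those are SELinux users rather than domain types, every value offered here is rejected, so confirm which the parser expects. The `_sepolicy` function starts above this hunk.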
@@ -336278,7 +336319,7 @@ index 0000000..19aa99d
 +.SH "SYNOPSIS"
 +
 +.br
-+.B sepolicy generate [\-h] [\-t TYPE] [\-n NAME] [\-p PATH ] [\-T TEST] [ command | confineduser ]
++.B sepolicy generate [\-h] [\-d DOMAIN] [\-u USER] [\-a ADMIN_DOMAIN] [\-n NAME] [\-p PATH] [\-\-admin_user | \-\-application | \-\-cgi | \-\-confined_admin | \-\-customize | \-\-dbus | \-\-desktop_user | \-\-inetd | \-\-init | \-\-sandbox | \-\-term_user | \-\-x_user]
 +
 +.SH "DESCRIPTION"
 +Use sepolicy generate to generate an SELinux policy Module. sepolicy generate will generate 4 files.
@@ -336312,49 +336353,48 @@ index 0000000..19aa99d
 +.I \-h, \-\-help
 +Display help message
 +.TP
-+.I \-t, \-\-type
-+Specify the type of policy you want to create.
-+.br
-+Valid Options:
-+.br
-+.B 0
-+: Standard Init Daemon (Default)
-+.br
-+.B 1
-+: DBUS System Daemon
-+.br
-+.B 2
-+: Internet Services Daemon
-+.br
-+.B 3
-+: Web Application/Script (CGI)
-+.br
-+.B 4
-+: User Application
-+.br
-+.B 5
-+: Sandbox
-+.br
-+.B 6
-+: Minimal Terminal User Role
-+.br
-+.B 7
-+: Minimal X Windows User Role
-+.br
-+.B 8
-+: User Role
-+.br
-+.B 9
-+: Admin User Role
-+.br
-+.B 10
-+: Root Admin User Role
-+.TP
 +.I \-n, \-\-name
 +Specify alternate name of policy. The policy will default to the executable or name specified.
 +.TP
 +.I \-p, \-\-path
 +Specify the directory to store the created policy files. (Default to current working directory )
++optional arguments:
++.TP
++.I \-\-admin_user
++Generate Policy for Administrator Login User Role
++.TP
++.I \-\-application
++Generate Policy for User Application
++.TP
++.I \-\-cgi
++Generate Policy for Web Application/Script (CGI)
++.TP
++.I \-\-confined_admin
++Generate Policy for Confined Root Administrator Role
++.TP
++.I \-\-customize
++Generate Policy for Existing Domain Type
++.TP
++.I \-\-dbus
++Generate Policy for DBUS System Daemon
++.TP
++.I \-\-desktop_user
++Generate Policy for Desktop Login User Role
++.TP
++.I \-\-inetd
++Generate Policy for Internet Services Daemon
++.TP
++.I \-\-init
++Generate Policy for Standard Init Daemon (Default)
++.TP
++.I \-\-sandbox
++Generate Policy for Sandbox
++.TP
++.I \-\-term_user
++Generate Policy for Minimal Terminal Login User Role
++.TP
++.I \-\-x_user
++Generate Policy for Minimal X Windows Login User Role
 +
 +.SH "EXAMPLE"
 +.B > sepolicy generate /usr/sbin/rwhod
@@ -336380,6 +336420,43 @@ index 0000000..19aa99d
 +
 +.SH "SEE ALSO"
 +sepolicy(8), selinux(8)
+diff --git a/policycoreutils/sepolicy/sepolicy-interface.8 b/policycoreutils/sepolicy/sepolicy-interface.8
+new file mode 100644
+index 0000000..4fc9792
+--- /dev/null
++++ b/policycoreutils/sepolicy/sepolicy-interface.8
+@@ -0,0 +1,31 @@
++.TH "sepolicy-interface" "8" "20121222" "" ""
++.SH "NAME"
++sepolicy-interface \- Print interface information based on the installed SELinux Policy
++
++.SH "SYNOPSIS"
++
++.br
++.B sepolicy interface [\-h] [\-a | \-u | \-l ]
++
++.SH "DESCRIPTION"
++Use sepolicy interface to print interfaces information based on SELinux Policy.
++
++.SH "OPTIONS"
++.TP
++.I \-a, \-\-list_admin
++List all domains with admin interface
++.TP
++.I \-h, \-\-help
++Display help message
++.TP
++.I \-l, \-\-list
++List all interfaces
++.TP
++.I \-u, \-\-list_user
++List all domains with SELinux user role interface
++
++.SH "AUTHOR"
++This man page was written by Daniel Walsh
++
++.SH "SEE ALSO"
++sepolicy(8), selinux(8)
 diff --git a/policycoreutils/sepolicy/sepolicy-manpage.8 b/policycoreutils/sepolicy/sepolicy-manpage.8
 new file mode 100644
 index 0000000..b6abdf5
@@ -336503,16 +336580,16 @@ index 0000000..897f0c4
 +sepolicy(8), selinux(8)
 diff --git a/policycoreutils/sepolicy/sepolicy.8 b/policycoreutils/sepolicy/sepolicy.8
 new file mode 100644
-index 0000000..a40f37d
+index 0000000..0748ca9
 --- /dev/null
 +++ b/policycoreutils/sepolicy/sepolicy.8
-@@ -0,0 +1,64 @@
+@@ -0,0 +1,71 @@
 +.TH "sepolicy" "8" "20121005" "" ""
 +.SH "NAME"
 +sepolicy \- SELinux Policy Inspection tool
 +
 +.SH "SYNOPSIS"
-+.B sepolicy [-h] [-P policy_path ] {booleans,communicate,generate,manpage,network,transition} OPTIONS
++.B sepolicy [-h] [-P policy_path ] {booleans,communicate,generate,interface,manpage,network,transition} OPTIONS
 +
 +.br
 +Arguments:
@@ -336537,6 +336614,13 @@ index 0000000..a40f37d +.B sepolicy-generate(8) +.br + ++.B interface ++.br ++.br ++Print SELinux Policy interface information ++.B sepolicy-interface(8) ++.br ++ +.B manpage +.br +Generate SELinux man pages @@ -336570,13 +336654,13 @@ index 0000000..a40f37d +This man page was written by Daniel Walsh + +.SH "SEE ALSO" -+selinux(8), sepolicy-generate(8), sepolicy-communicate(8), sepolicy-generate(8), sepolicy-network(8), sepolicy-transition(8) ++selinux(8), sepolicy-booleans(8), sepolicy-communicate(8), sepolicy-generate(8), sepolicy-interface(8), sepolicy-network(8), sepolicy-manpage(8), sepolicy-transition(8) diff --git a/policycoreutils/sepolicy/sepolicy.py b/policycoreutils/sepolicy/sepolicy.py new file mode 100755 -index 0000000..2f562b0 +index 0000000..06663ed --- /dev/null +++ b/policycoreutils/sepolicy/sepolicy.py -@@ -0,0 +1,338 @@ +@@ -0,0 +1,442 @@ +#! /usr/bin/python -Es +# Copyright (C) 2012 Red Hat +# AUTHOR: Dan Walsh @@ -336600,7 +336684,8 @@ index 0000000..2f562b0 +# 02111-1307 USA +# +# -+import sepolicy ++import os, sys ++from sepolicy import get_os_version +import argparse +import gettext +PROGNAME="policycoreutils" 
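Review bot: `import os, sys` puts two modules on one import statement; PEP 8 asks for one per line (`import os` then `import sys`), and the stdlib group would conventionally precede `from sepolicy import get_os_version` with a blank line between the groups. Since `get_os_version()` is only needed when the manpage sub-parser's default is built, importing it there would also match the lazy per-Action `import sepolicy` style the rest of this file adopts, though a module-level import is acceptable if the sepolicy package has no costly import-time side effects — not visible from here.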
@@ -336614,7 +336699,103 @@ index 0000000..2f562b0 +except IOError: + import __builtin__ + __builtin__.__dict__['_'] = unicode -+import os, sys ++ ++class CheckPath(argparse.Action): ++ def __call__(self, parser, namespace, values, option_string=None): ++ if not os.path.exists(values): ++ raise ValueError("%s does not exist" % values) ++ setattr(namespace, self.dest, values) ++ ++class CheckDomain(argparse.Action): ++ def __call__(self, parser, namespace, values, option_string=None): ++ from sepolicy.network import domains ++ ++ if isinstance(values,str): ++ if values not in domains: ++ raise ValueError("%s must be an SELinux process domain" % values) ++ setattr(namespace, self.dest, values) ++ else: ++ newval = getattr(namespace, self.dest) ++ if not newval: ++ newval = [] ++ ++ for v in values: ++ if v not in domains: ++ raise ValueError("%s must be an SELinux process domain" % values) ++ newval.append(v) ++ setattr(namespace, self.dest, newval) ++ ++all_classes = None ++class CheckClass(argparse.Action): ++ def __call__(self, parser, namespace, values, option_string=None): ++ import sepolicy ++ global all_classes ++ if not all_classes: ++ all_classes = map(lambda x: x['name'], sepolicy.info(sepolicy.TCLASS)) ++ if values not in all_classes: ++ raise ValueError("%s must be an SELinux process domain" % values) ++ setattr(namespace, self.dest, values) ++ ++class CheckAdmin(argparse.Action): ++ def __call__(self, parser, namespace, values, option_string=None): ++ from sepolicy.interface import get_admin ++ newval = getattr(namespace, self.dest) ++ if not newval: ++ newval = [] ++ admins = get_admin() ++ if values not in admins: ++ raise ValueError("%s must be an SELinux admin domain" % values) ++ newval.append(values) ++ setattr(namespace, self.dest, newval) ++ ++class CheckPort(argparse.Action): ++ def __call__(self, parser, namespace, values, option_string=None): ++ newval = getattr(namespace, self.dest) ++ if not newval: ++ newval = [] ++ for v in values: ++ if v 
< 1 or v > 65536: ++ raise ValueError("%s must be an integer between 1 and 65536" % v) ++ newval.append(v) ++ setattr(namespace, self.dest, newval) ++ ++class CheckPortType(argparse.Action): ++ def __call__(self, parser, namespace, values, option_string=None): ++ from sepolicy.network import port_types ++ newval = getattr(namespace, self.dest) ++ if not newval: ++ newval = [] ++ for v in values: ++ if v not in port_types: ++ raise ValueError("%s must be an SELinux port type" % values) ++ newval.append(v) ++ setattr(namespace, self.dest, values) ++ ++class LoadPolicy(argparse.Action): ++ def __call__(self, parser, namespace, values, option_string=None): ++ import sepolicy ++ sepolicy.policy(values) ++ setattr(namespace, self.dest, values) ++ ++class CheckPolicyType(argparse.Action): ++ def __call__(self, parser, namespace, values, option_string=None): ++ from sepolicy.generate import get_poltype_desc, poltype ++ if values not in poltype.keys(): ++ raise ValueError("%s invalid SELinux policy type\n%s" % (values, get_poltype_desc())) ++ newval.append(v) ++ setattr(namespace, self.dest, values) ++ ++class CheckUser(argparse.Action): ++ def __call__(self, parser, namespace, value, option_string=None): ++ from sepolicy.generate import get_all_users ++ newval = getattr(namespace, self.dest) ++ if not newval: ++ newval = [] ++ users = get_all_users() ++ if value not in users: ++ raise ValueError("%s must be an SELinux user" % value) ++ newval.append(value) ++ setattr(namespace, self.dest, newval) + +def _print_net(src, protocol, perm): + from sepolicy.network import get_network_connect @@ -336624,6 +336805,7 @@ index 0000000..2f562b0 + for p in portdict: + for recs in portdict[p]: + print "\t" + recs ++ +def network(args): + from sepolicy.network import portrecsbynum, portrecs, get_network_connect + if args.list_ports: 
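Review bot: `CheckPortType.__call__` validates each `v` into `newval` but then runs `setattr(namespace, self.dest, values)`, discarding the accumulated list so repeated `-t` behaves unlike `CheckPort`, which stores `newval`; the last line should be `setattr(namespace, self.dest, newval)`, and its message (like the list branch of `CheckDomain`) should name `v` rather than the whole `values` list. `CheckPolicyType` still executes `newval.append(v)` with neither name defined in that scope, so any value that passes the check raises NameError — delete that line. `CheckPort` accepts 65536 (`if v < 1 or v > 65536`), one past the highest TCP/UDP port; use `if v < 1 or v > 65535:` and update the message to match. `CheckClass` reports "must be an SELinux process domain" for a bad object class, and all these Actions raise `ValueError`, which argparse does not translate into a usage message — `parser.error(...)` or `raise argparse.ArgumentError(self, ...)` would, unless the entry point already wraps the call. These bodies are moved rather than newly written, but the commit does not fix them; `_print_net` at the end of the hunk continues below it.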
@@ -336678,71 +336860,13 @@ index 0000000..2f562b0 + if args.web: + HTMLManPages(manpage_roles, manpage_domains, path, args.os) + -+class CheckPath(argparse.Action): -+ def __call__(self, parser, namespace, values, option_string=None): -+ if not os.path.exists(values): -+ raise ValueError("%s does not exist" % values) -+ setattr(namespace, self.dest, values) -+ -+class CheckDomain(argparse.Action): -+ def __call__(self, parser, namespace, values, option_string=None): -+ from sepolicy.network import domains -+ -+ if isinstance(values,str): -+ if values not in domains: -+ raise ValueError("%s must be an SELinux process domain" % values) -+ setattr(namespace, self.dest, values) -+ else: -+ newval = getattr(namespace, self.dest) -+ if not newval: -+ newval = [] -+ -+ for v in values: -+ if v not in domains: -+ raise ValueError("%s must be an SELinux process domain" % values) -+ newval.append(v) -+ setattr(namespace, self.dest, newval) -+ -+all_classes = None -+class CheckClass(argparse.Action): -+ def __call__(self, parser, namespace, values, option_string=None): -+ global all_classes -+ if not all_classes: -+ all_classes = map(lambda x: x['name'], sepolicy.info(sepolicy.TCLASS)) -+ if values not in all_classes: -+ raise ValueError("%s must be an SELinux process domain" % values) -+ setattr(namespace, self.dest, values) -+ -+class CheckPort(argparse.Action): -+ def __call__(self, parser, namespace, values, option_string=None): -+ newval = getattr(namespace, self.dest) -+ if not newval: -+ newval = [] -+ for v in values: -+ if v < 1 or v > 65536: -+ raise ValueError("%s must be an integer between 1 and 65536" % v) -+ newval.append(v) -+ setattr(namespace, self.dest, newval) -+ -+class CheckPortType(argparse.Action): -+ def __call__(self, parser, namespace, values, option_string=None): -+ from sepolicy.network import port_types -+ newval = getattr(namespace, self.dest) -+ if not newval: -+ newval = [] -+ for v in values: -+ if v not in port_types: -+ raise ValueError("%s 
must be an SELinux port type" % values) -+ newval.append(v) -+ setattr(namespace, self.dest, values) -+ +def gen_manpage_args(parser): + man = parser.add_parser("manpage", + help=_('Generate SELinux man pages')) + + man.add_argument("-p", "--path", dest="path", default="/tmp", + help=_("path in which the generated SELinux man pages will be stored")) -+ man.add_argument("-o", "--os", dest="os", default=sepolicy.get_os_version(), ++ man.add_argument("-o", "--os", dest="os", default=get_os_version(), + help=_("name of the OS for man pages")) + man.add_argument("-w", "--web", dest="web", default=False, action="store_true", + help=_("Generate HTML man pages structure for selected SELinux man page")) @@ -336755,19 +336879,6 @@ index 0000000..2f562b0 + help=_("Domain name(s) of man pages to be created")) + man.set_defaults(func=manpage) + -+class LoadPolicy(argparse.Action): -+ def __call__(self, parser, namespace, values, option_string=None): -+ sepolicy.policy(values) -+ setattr(namespace, self.dest, values) -+ -+class CheckPolicyType(argparse.Action): -+ def __call__(self, parser, namespace, values, option_string=None): -+ from sepolicy.generate import get_poltype_desc, poltype -+ if values not in poltype.keys(): -+ raise ValueError("%s invalid SELinux policy type\n%s" % (values, get_poltype_desc())) -+ newval.append(v) -+ setattr(namespace, self.dest, values) -+ +def gen_network_args(parser): + net = parser.add_parser("network", + help=_('Query SELinux policy network information')) @@ -336783,7 +336894,7 @@ index 0000000..2f562b0 + action=CheckPortType,nargs="+", + help=_("Show ports defined for this SELinux type")) + group.add_argument("-d", "--domain", dest="domain", default=None, -+ action=CheckDomain, nargs="+", ++ action=CheckDomain, nargs="+", + help=_("show ports to which this domain can bind and/or connect")) + net.set_defaults(func=network) + 
@@ -336806,8 +336917,8 @@ index 0000000..2f562b0 + comm.add_argument("-t", "--target", dest="target", + action=CheckDomain, required=True, + help=_("Target Domain")) -+ comm.add_argument("-c", "--class", required=False, dest="tclass", -+ action=CheckClass, ++ comm.add_argument("-c", "--class", required=False, dest="tclass", ++ action=CheckClass, + default="file", help="class to use for communications, Default 'file'") + comm.add_argument("-S", "--sourceaccess", required=False, dest="sourceaccess", default="open,write", help="comma separate list of permissions for the source type to use, Default 'open,write'") + comm.add_argument("-T", "--targetaccess", required=False, dest="targetaccess", default="open,read", help="comma separated list of permissions for the target type to use, Default 'open,read'") 
@@ -336852,56 +336963,133 @@ index 0000000..2f562b0 + trans = parser.add_parser("transition", + help=_('query SELinux Policy to see how a source process domain can transition to the target process domain')) + trans.add_argument("-s", "--source", dest="source", -+ action=CheckDomain, required=True, ++ action=CheckDomain, required=True, + help=_("source process domain")) + trans.add_argument("-t", "--target", dest="target", + action=CheckDomain, + help=_("target process domain")) + trans.set_defaults(func=transition) + ++def interface(args): ++ from sepolicy.interface import get_admin, get, get_user ++ if args.list_admin: ++ for a in get_admin(): ++ print a ++ if args.list_user: ++ for a in get_user(): ++ print a ++ if args.list: ++ for m in get(): ++ print m ++ +def generate(args): + from sepolicy.generate import policy, USERS, SANDBOX, APPLICATIONS -+ cmd = os.path.realpath(args.command) -+ if not args.name: -+ args.name = os.path.basename(cmd).replace("-","_") -+ -+ print("Generating Policy for %s named %s" % (cmd, args.name)) -+ mypolicy = policy(args.name, args.type) ++ cmd = None + if args.type not in USERS + [ SANDBOX ]: ++ if not args.command: ++ raise ValueError(_("Command required for this type of policy")) ++ cmd = os.path.realpath(args.command) ++ if not args.name: ++ args.name = os.path.basename(cmd).replace("-","_") ++ ++ mypolicy = policy(args.name, args.type) ++ if cmd: + mypolicy.set_program(cmd) + ++ mypolicy.set_transition_users(args.user) ++ mypolicy.set_admin_domains(args.admin_domain) ++ mypolicy.set_existing_domains(args.domain) ++ + if args.type in APPLICATIONS: + mypolicy.gen_writeable() + mypolicy.gen_symbols() + print mypolicy.generate(args.path) + ++def gen_interface_args(parser): ++ itf = parser.add_parser("interface", ++ help=_('List SELinux Policy interfaces')) ++ group = itf.add_mutually_exclusive_group(required=True) ++ group.add_argument("-a", "--list_admin", dest="list_admin",action="store_true", default=False, ++ help="List all 
domains with admin interface") ++ group.add_argument("-u", "--list_user", dest="list_user",action="store_true", ++ default=False, ++ help="List all domains with SELinux user role interface") ++ group.add_argument("-l", "--list", dest="list",action="store_true", ++ default=False, ++ help="List all interfaces") ++ itf.set_defaults(func=interface) ++ +def gen_generate_args(parser): -+ from sepolicy.generate import DAEMON, get_poltype_desc ++ from sepolicy.generate import DAEMON, get_poltype_desc, poltype, DAEMON, DBUS, INETD, CGI, SANDBOX, USER, EUSER, TUSER, XUSER, LUSER, AUSER, RUSER + pol = parser.add_parser("generate", + help=_('Generate SELinux Policy module template')) -+ pol.add_argument("-t", "--type", dest="type", -+ action=CheckPolicyType, default=DAEMON, type=int, -+ help=get_poltype_desc()) ++ pol.add_argument("-d", "--domain", dest="domain", ++ action=CheckDomain, default=None, ++ help=_("Enter domain type which you will be extending")) ++ pol.add_argument("-u", "--user", dest="user", ++ action=CheckUser, ++ help=_("Enter SELinux user(s) which will transition to this domain")) ++ pol.add_argument("-a", "--admin", dest="admin_domain", ++ action=CheckAdmin, ++ help=_("Enter domain(s) that this confined admin will administrate")) + pol.add_argument("-n", "--name", dest="name", + default=None, + help=_("name of policy to generate")) -+ pol.add_argument("command", -+ help=_("executable to confine")) + pol.add_argument("-T", "--test", dest="test", default=False, action="store_true", + help=argparse.SUPPRESS) + pol.add_argument("-p", "--path", dest="path", default=os.getcwd(), + help=_("path in which the generated policy files will be stored")) ++ pol.add_argument("command",nargs="?", default=None, ++ help=_("executable to confine")) ++ group = pol.add_mutually_exclusive_group(required=False) ++ group.add_argument("--admin_user", dest="type", const=AUSER, ++ action="store_const", ++ help=_("Generate Policy for %s") % poltype[AUSER]) ++ 
group.add_argument("--application", dest="type", const=USER, ++ action="store_const", ++ help=_("Generate Policy for %s") % poltype[USER]) ++ group.add_argument("--cgi", dest="type", const=CGI, ++ action="store_const", ++ help=_("Generate Policy for %s") % poltype[CGI]) ++ group.add_argument("--confined_admin", dest="type", const=RUSER, ++ action="store_const", ++ help=_("Generate Policy for %s") % poltype[RUSER]) ++ group.add_argument("--customize", dest="type", const=EUSER, ++ action="store_const", ++ help=_("Generate Policy for %s") % poltype[EUSER]) ++ group.add_argument("--dbus", dest="type", const=DBUS, ++ action="store_const", ++ help=_("Generate Policy for %s") % poltype[DBUS]) ++ group.add_argument("--desktop_user", dest="type", const=LUSER, ++ action="store_const", ++ help=_("Generate Policy for %s") % poltype[LUSER]) ++ group.add_argument("--inetd", dest="type", const=INETD, ++ action="store_const", ++ help=_("Generate Policy for %s") % poltype[INETD]) ++ group.add_argument("--init", dest="type", const=DAEMON, ++ action="store_const", default=DAEMON, ++ help=_("Generate Policy for %s") % poltype[DAEMON]) ++ group.add_argument("--sandbox", dest="type", const=SANDBOX, ++ action="store_const", ++ help=_("Generate Policy for %s") % poltype[SANDBOX]) ++ group.add_argument("--term_user", dest="type", const=TUSER, ++ action="store_const", ++ help=_("Generate Policy for %s") % poltype[TUSER]) ++ group.add_argument("--x_user", dest="type", const=XUSER, ++ action="store_const", ++ help=_("Generate Policy for %s") % poltype[XUSER]) + pol.set_defaults(func=generate) + +if __name__ == '__main__': + parser = argparse.ArgumentParser(description='SELinux Policy Inspection Tool') + subparsers = parser.add_subparsers(help=_("commands")) + parser.add_argument("-P", "--policy", dest="policy", -+ action=LoadPolicy, ++ action=LoadPolicy, + default=None, help=_("Alternate SELinux policy, defaults to /sys/fs/selinux/policy")) + gen_booleans_args(subparsers) + 
gen_communicate_args(subparsers) + gen_generate_args(subparsers) ++ gen_interface_args(subparsers) + gen_manpage_args(subparsers) + gen_network_args(subparsers) + gen_transition_args(subparsers) @@ -336914,10 +337102,10 @@ index 0000000..2f562b0 + sys.stderr.write("%s: %s\n" % (e.__class__.__name__, str(e))) + sys.exit(1) + except KeyboardInterrupt: -+ sys.exit(0) ++ sys.exit(0) diff --git a/policycoreutils/sepolicy/sepolicy/__init__.py b/policycoreutils/sepolicy/sepolicy/__init__.py new file mode 100644 -index 0000000..fd0848e +index 0000000..17b8582 --- /dev/null +++ b/policycoreutils/sepolicy/sepolicy/__init__.py @@ -0,0 +1,154 @@ @@ -336974,7 +337162,7 @@ index 0000000..fd0848e + try: + _policy.policy(policy_file) + except: -+ raise ValueError(_("Failed to read % policy file") % policy_file) ++ raise ValueError(_("Failed to read %s policy file") % policy_file) + + +policy_file = selinux.selinux_current_policy_path() @@ -337180,10 +337368,10 @@ index 0000000..a179d95 + diff --git a/policycoreutils/sepolicy/sepolicy/generate.py b/policycoreutils/sepolicy/sepolicy/generate.py new file mode 100644 -index 0000000..7fd6dd6 +index 0000000..c5ff610 --- /dev/null +++ b/policycoreutils/sepolicy/sepolicy/generate.py -@@ -0,0 +1,1302 @@ +@@ -0,0 +1,1326 @@ +#!/usr/bin/python -Es +# +# Copyright (C) 2007-2012 Red Hat @@ -337248,6 +337436,7 @@ index 0000000..7fd6dd6 + import __builtin__ + __builtin__.__dict__['_'] = unicode + ++user_types = sepolicy.info(sepolicy.ATTRIBUTE,"userdomain")[0]["types"] +methods = [] +fn = defaults.interface_info() +try: 
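Review bot: In the rewritten `generate(args)` the new `mypolicy.set_transition_users(args.user)`, `set_admin_domains(args.admin_domain)` and `set_existing_domains(args.domain)` calls pass `None` whenever the option is omitted (none of the three options declares a non-`None` default), and the generate.py hunks in this same patch iterate or `len()` those attributes, so an omitted `-u`/`-a`/`-d` ends in a bare `TypeError` rather than the intended `ValueError`; pass `args.user or []` (and likewise for the other two) or have `policy` keep its `[]` when handed `None`. `-d/--domain` is also declared without `nargs`, so if the relocated `CheckDomain` still stores a single string for a single value as the removed definition did, `for d in self.existing_domains` walks characters instead of domains — `nargs="+"` as on the other subcommands looks intended. The `--init` argument's `default=DAEMON` is shadowed as well: argparse seeds each `dest` from the first action declaring it, and `--admin_user` (declared first, default `None`) wins, so `args.type` is `None` when no type flag is given; `pol.set_defaults(type=DAEMON)` restores the documented default. The import line `from sepolicy.generate import DAEMON, get_poltype_desc, poltype, DAEMON, ...` lists `DAEMON` twice and `get_poltype_desc` is no longer used in this function.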
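Review bot: The module-level `user_types = sepolicy.info(sepolicy.ATTRIBUTE,"userdomain")[0]["types"]` queries the loaded policy at import time and indexes `[0]` unguarded, so a policy without a `userdomain` attribute (or a policy that failed to load) turns every `import sepolicy.generate` — which the new `sepolicy.interface` module and polgengui both perform — into an `IndexError` with no message. Either make it lazy behind a small accessor or guard it: `_ud = sepolicy.info(sepolicy.ATTRIBUTE, "userdomain")` / `user_types = _ud[0]["types"] if _ud else []`. I do not see `user_types` consumed in the hunks shown, so its user may be outside this view.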
@@ -337343,27 +337532,28 @@ index 0000000..7fd6dd6 +DBUS = 1 +INETD = 2 +CGI = 3 -+USER = 4 -+SANDBOX = 5 -+TUSER = 6 -+XUSER = 7 -+LUSER = 8 -+AUSER = 9 -+RUSER = 10 -+EUSER = 11 ++SANDBOX = 4 ++USER = 5 ++EUSER = 6 ++TUSER = 7 ++XUSER = 8 ++LUSER = 9 ++AUSER = 10 ++RUSER = 11 + +poltype={} +poltype[DAEMON] = _("Standard Init Daemon") +poltype[DBUS] = _("DBUS System Daemon") +poltype[INETD] = _("Internet Services Daemon") +poltype[CGI] = _("Web Application/Script (CGI)") -+poltype[USER] = _("User Application") +poltype[SANDBOX] = _("Sandbox") -+poltype[TUSER] = _("Minimal Terminal User Role") -+poltype[XUSER] = _("Minimal X Windows User Role") -+poltype[LUSER] = _("User Role") -+poltype[AUSER] = _("Admin User Role") -+poltype[RUSER] = _("Root Admin User Role") ++poltype[USER] = _("User Application") ++poltype[EUSER] = _("Existing Domain Type") ++poltype[TUSER] = _("Minimal Terminal Login User Role") ++poltype[XUSER] = _("Minimal X Windows Login User Role") ++poltype[LUSER] = _("Desktop Login User Role") ++poltype[AUSER] = _("Administrator Login User Role") ++poltype[RUSER] = _("Confined Root Administrator Role") + +def get_poltype_desc(): + keys = poltype.keys() @@ -337409,6 +337599,13 @@ index 0000000..7fd6dd6 + def __init__(self, name, type): + self.rpms = [] + self.ports = [] ++ self.all_roles = get_all_roles() ++ ++ if type not in poltype: ++ raise ValueError(_("You must enter a valid policy type")) ++ ++ if not name: ++ raise ValueError(_("You must enter a name for your policy module for your %s.") % poltype[type]) + try: + self.ports = get_all_ports() + except ValueError, e: 
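Review bot: `self.all_roles = get_all_roles()` in `policy.__init__` is now unconditional, whereas the code removed at the later hunk `@@ -337944` wrapped the same call in `except ValueError` / `except RuntimeError` with a "must be root for this information" fallback; an unprivileged caller (the GUI included) now gets an uncaught exception while merely constructing a `policy`. Keep the fallback, e.g. `try: self.all_roles = get_all_roles()` / `except (ValueError, RuntimeError): self.all_roles = []`, which also matches how `get_all_ports()` is already guarded a few lines below. The new `type not in poltype` and empty-`name` checks would be better placed before that policy query so bad arguments fail fast without touching the policy at all. `policy.__init__` continues past the end of this hunk.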
@@ -337528,8 +337725,6 @@ index 0000000..7fd6dd6 +( self.generate_login_user_types, self.generate_login_user_rules), \ +( self.generate_admin_user_types, self.generate_login_user_rules), \ +( self.generate_root_user_types, self.generate_root_user_rules)) -+ if name == "": -+ raise ValueError(_("You must enter a name for your confined process/user")) + if not re.match(r"^[a-zA-Z0-9-_]+$", name): + raise ValueError(_("Name must be alpha numberic with no spaces. Consider using option \"-n MODULENAME\"")) + @@ -337558,9 +337753,9 @@ index 0000000..7fd6dd6 + self.use_pam = False + self.use_dbus = False + self.use_audit = False -+ self.use_etc = True -+ self.use_localization = True -+ self.use_fd = True ++ self.use_etc = self.type != EUSER ++ self.use_localization = self.type != EUSER ++ self.use_fd = self.type != EUSER + self.use_terminal = False + self.use_mail = False + self.booleans = {} @@ -337571,6 +337766,7 @@ index 0000000..7fd6dd6 + self.need_tcp_type=False + self.need_udp_type=False + self.admin_domains = [] ++ self.existing_domains = [] + self.transition_domains = [] + self.transition_users = [] + self.roles = [] @@ -337581,6 +337777,9 @@ index 0000000..7fd6dd6 + def set_admin_domains(self, admin_domains): + self.admin_domains = admin_domains + ++ def set_existing_domains(self, existing_domains): ++ self.existing_domains = existing_domains ++ + def set_admin_roles(self, roles): + self.roles = roles + @@ -337937,6 +338136,20 @@ index 0000000..7fd6dd6 + + def generate_admin_rules(self): + newte = "" ++ if self.type == EUSER: ++ for d in self.existing_domains: ++ name = d.split("_t")[0] ++ role = name + "_r" ++ for app in self.admin_domains: ++ tmp = re.sub("TEMPLATETYPE", name, user.te_admin_domain_rules) ++ if role not in self.all_roles: ++ tmp = re.sub(role, "system_r", tmp) ++ ++ ++ newte += re.sub("APPLICATION", app, tmp) ++ ++ return newte ++ + if self.type == RUSER: + newte += re.sub("TEMPLATETYPE", self.name, user.te_admin_rules) + 
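Review bot: `name = d.split("_t")[0]` in the new `EUSER` branch of `generate_admin_rules` cuts the domain name at the first `_t`, not at the `_t` suffix, so any domain whose base name itself contains `_t` yields a truncated name and therefore a wrong `_r` role (the same derivation appears in `generate_existing_user_types` at hunk `@@ -338022`); use `name = re.sub(r"_t$", "", d)` (or `d[:-2] if d.endswith("_t") else d`) in both places. `re.sub(role, "system_r", tmp)` also treats `role` as a regular expression where a literal replacement is meant; `tmp.replace(role, "system_r")` is the clearer form. The two blank lines before `newte += re.sub("APPLICATION", app, tmp)` look unintentional.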
@@ -337944,18 +338157,10 @@ index 0000000..7fd6dd6 + tmp = re.sub("TEMPLATETYPE", self.name, user.te_admin_domain_rules) + newte += re.sub("APPLICATION", app, tmp) + -+ all_roles = [] -+ try: -+ all_roles = get_all_roles() -+ except ValueError, e: -+ print "Can not get all roles, must be root for this information" -+ except RuntimeError, e: -+ print "Can not get all roles", e -+ + for u in self.transition_users: + role = u.split("_u")[0] + -+ if (role + "_r") in all_roles: ++ if (role + "_r") in self.all_roles: + tmp = re.sub("TEMPLATETYPE", self.name, user.te_admin_trans_rules) + newte += re.sub("USER", role, tmp) + @@ -338022,7 +338227,22 @@ index 0000000..7fd6dd6 + return re.sub("TEMPLATETYPE", self.name, user.te_admin_user_types) + + def generate_existing_user_types(self): -+ return re.sub("TEMPLATETYPE", self.name, user.te_existing_user_types) ++ if len(self.existing_domains) == 0: ++ raise ValueError(_("%s policy modules require existing domains") % poltype[self.type]) ++ newte = re.sub("TEMPLATETYPE", self.name, user.te_existing_user_types) ++ newte += """gen_require(`""" ++ ++ for d in self.existing_domains: ++ newte += """ ++ type %s;""" % d ++ role = d.split("_t")[0] + "_r" ++ if role in self.all_roles: ++ newte += """ ++ role %s;""" % role ++ newte += """ ++') ++""" ++ return newte; + + def generate_x_login_user_types(self): + return re.sub("TEMPLATETYPE", self.name, user.te_x_login_user_types) @@ -338070,7 +338290,8 @@ index 0000000..7fd6dd6 + return re.sub("TEMPLATETYPE", self.name, user.te_login_user_rules) + + def generate_existing_user_rules(self): -+ return re.sub("TEMPLATETYPE", self.name, user.te_existing_user_rules) ++ nerules = re.sub("TEMPLATETYPE", self.name, user.te_existing_user_rules) ++ return nerules + + def generate_x_login_user_rules(self): + return re.sub("TEMPLATETYPE", self.name, user.te_x_login_user_rules) 
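Review bot: `return newte;` at the end of the new `generate_existing_user_types` carries a stray C-style semicolon; `return newte`. The `gen_require` block is assembled from several triple-quoted fragments concatenated across loop iterations, which hides the indentation actually emitted into the `.te`; collecting the `type %s;` / `role %s;` lines in a list and joining them once, or using a single template with `%s` slots, would make the output shape visible. The `d.split("_t")[0] + "_r"` role derivation here has the same first-`_t` truncation as the `EUSER` branch of `generate_admin_rules` above.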
@@ -338161,12 +338382,12 @@ index 0000000..7fd6dd6 + if self.type != CGI or d != "rw": + newte += re.sub("TEMPLATETYPE", self.name, self.DEFAULT_DIRS[d][2].te_types) + -+ newte +=""" ++ if self.type != EUSER: ++ newte +=""" +######################################## +# +# %s local policy -+# -+""" % self.name ++#""" % self.name + newte += self.generate_capabilities() + newte += self.generate_process() + newte += self.generate_network_types() @@ -338267,7 +338488,7 @@ index 0000000..7fd6dd6 + def generate_sh(self): + temp = re.sub("TEMPLATETYPE", self.file_name, script.compile) + if self.type == EUSER: -+ newsh = re.sub("TEMPLATEFILE", "my%s" % self.file_name, temp) ++ newsh = re.sub("TEMPLATEFILE", "%s" % self.file_name, temp) + else: + newsh = re.sub("TEMPLATEFILE", self.file_name, temp) + if self.program != "": @@ -338301,8 +338522,8 @@ index 0000000..7fd6dd6 + selinux_policyver = get_rpm_nvr_list("selinux-policy")[1] + POLICYCOREUTILSVER = get_rpm_nvr_list("checkpolicy")[1] + ++ newspec += spec.header_comment_section + if self.type in APPLICATIONS: -+ newspec += spec.header_comment_section + newspec += spec.define_relabel_files_begin + if self.program != "": + newspec += re.sub("FILENAME", self.program, spec.define_relabel_files_end) 
@@ -338313,13 +338534,16 @@ index 0000000..7fd6dd6 + for i in self.dirs.keys(): + newspec += re.sub("FILENAME", i, spec.define_relabel_files_end) + -+ newspec += re.sub("VERSION", selinux_policyver, spec.base_section) -+ newspec = re.sub("MODULENAME", self.name, newspec) -+ if len(self.rpms) > 0: -+ newspec += "Requires(post): %s\n" % ", ".join(self.rpms) -+ newspec += re.sub("MODULENAME", self.name, spec.mid_section) -+ newspec = re.sub("TODAYSDATE", time.strftime("%a %b %e %Y"), newspec) ++ newspec += re.sub("VERSION", selinux_policyver, spec.base_section) ++ newspec = re.sub("MODULENAME", self.name, newspec) ++ if len(self.rpms) > 0: ++ newspec += "Requires(post): %s\n" % ", ".join(self.rpms) ++ newspec += re.sub("MODULENAME", self.name, spec.mid_section) ++ newspec = re.sub("TODAYSDATE", time.strftime("%a %b %e %Y"), newspec) + ++ if self.type not in APPLICATIONS: ++ newspec = re.sub("%relabel_files", "", newspec) ++ + return newspec + + def write_spec(self, out_dir): @@ -338331,20 +338555,14 @@ index 0000000..7fd6dd6 + return specfile + + def write_te(self, out_dir): -+ if self.type == EUSER: -+ tefile = "%s/my%s.te" % (out_dir, self.file_name) -+ else: -+ tefile = "%s/%s.te" % (out_dir, self.file_name) ++ tefile = "%s/%s.te" % (out_dir, self.file_name) + fd = open(tefile, "w") + fd.write(self.generate_te()) + fd.close() + return tefile + + def write_sh(self, out_dir): -+ if self.type == EUSER: -+ shfile = "%s/my%s.sh" % (out_dir, self.file_name) -+ else: -+ shfile = "%s/%s.sh" % (out_dir, self.file_name) ++ shfile = "%s/%s.sh" % (out_dir, self.file_name) + fd = open(shfile, "w") + fd.write(self.generate_sh()) + fd.close() 
@@ -338352,20 +338570,14 @@ index 0000000..7fd6dd6 + return shfile + + def write_if(self, out_dir): -+ if self.type == EUSER: -+ iffile = "%s/my%s.if" % (out_dir, self.file_name) -+ else: -+ iffile = "%s/%s.if" % (out_dir, self.file_name) ++ iffile = "%s/%s.if" % (out_dir, self.file_name) + fd = open(iffile, "w") + fd.write(self.generate_if()) + fd.close() + return iffile + + def write_fc(self,out_dir): -+ if self.type == EUSER: -+ fcfile = "%s/my%s.fc" % (out_dir, self.file_name) -+ else: -+ fcfile = "%s/%s.fc" % (out_dir, self.file_name) ++ fcfile = "%s/%s.fc" % (out_dir, self.file_name) + fd = open(fcfile, "w") + fd.write(self.generate_fc()) + fd.close() 
@@ -338486,12 +338698,100 @@ index 0000000..7fd6dd6 + out += "%s # %s\n" % (self.write_spec(out_dir), _("Spec file")) + out += "%s # %s\n" % (self.write_sh(out_dir), _("Setup Script")) + return out +diff --git a/policycoreutils/sepolicy/sepolicy/interface.py b/policycoreutils/sepolicy/sepolicy/interface.py +new file mode 100644 +index 0000000..e0dec87 +--- /dev/null ++++ b/policycoreutils/sepolicy/sepolicy/interface.py +@@ -0,0 +1,82 @@ ++#!/usr/bin/python -Es ++# ++# Copyright (C) 2012 Red Hat ++# see file 'COPYING' for use and warranty information ++# ++# policygentool is a tool for the initial generation of SELinux policy ++# ++# This program is free software; you can redistribute it and/or ++# modify it under the terms of the GNU General Public License as ++# published by the Free Software Foundation; either version 2 of ++# the License, or (at your option) any later version. ++# ++# This program is distributed in the hope that it will be useful, ++# but WITHOUT ANY WARRANTY; without even the implied warranty of ++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++# GNU General Public License for more details. 
++# ++# You should have received a copy of the GNU General Public License ++# along with this program; if not, write to the Free Software ++# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA ++# 02111-1307 USA ++# ++# ++import re ++ ++import sepolgen.interfaces as interfaces ++import sepolgen.defaults as defaults ++ADMIN_TRANSITION_INTERFACE = "_admin$" ++USER_TRANSITION_INTERFACE = "_role$" ++from sepolicy.generate import get_all_types ++ ++__all__ = [ 'get', 'get_admin', 'get_user' ] ++ ++## ++## I18N ++## ++PROGNAME="policycoreutils" ++ ++import gettext ++gettext.bindtextdomain(PROGNAME, "/usr/share/locale") ++gettext.textdomain(PROGNAME) ++try: ++ gettext.install(PROGNAME, ++ localedir="/usr/share/locale", ++ unicode=False, ++ codeset = 'utf-8') ++except IOError: ++ import __builtin__ ++ __builtin__.__dict__['_'] = unicode ++ ++def get(): ++ """ Get all Methods """ ++ fn = defaults.interface_info() ++ try: ++ fd = open(fn) ++ ifs = interfaces.InterfaceSet() ++ ifs.from_file(fd) ++ methods = ifs.interfaces.keys() ++ fd.close() ++ except: ++ raise ValueError(_("could not open interface info [%s]\n") % fn) ++ ++ return methods ++ ++def get_admin(): ++ """ Get all domains with an admin interface""" ++ admin_list = [] ++ for i in get(): ++ m = re.findall("(.*)%s" % ADMIN_TRANSITION_INTERFACE, i) ++ if len(m) > 0: ++ admin_list.append(m[0]) ++ return admin_list ++ ++def get_user(): ++ """ Get all domains with SELinux user role interface""" ++ trans_list = [] ++ for i in get(): ++ m = re.findall("(.*)%s" % USER_TRANSITION_INTERFACE, i) ++ if len(m) > 0: ++ if "%s_exec_t" % m[0] in get_all_types(): ++ trans_list.append(m[0]) ++ return trans_list diff --git a/policycoreutils/sepolicy/sepolicy/manpage.py b/policycoreutils/sepolicy/sepolicy/manpage.py new file mode 100755 -index 0000000..a50ba21 +index 0000000..49d62b0 --- /dev/null 
+++ b/policycoreutils/sepolicy/sepolicy/manpage.py -@@ -0,0 +1,1363 @@ +@@ -0,0 +1,1421 @@ +#! /usr/bin/python -Es +# Copyright (C) 2012 Red Hat +# AUTHOR: Dan Walsh @@ -338529,6 +338829,7 @@ index 0000000..a50ba21 + +equiv_dict={ "smbd" : [ "samba" ], "httpd" : [ "apache" ], "virtd" : [ "virt", "libvirt" ], "named" : [ "bind" ] } + ++equiv_dirs=[ "/var" ] +modules_dict = None +def gen_modules_dict(path = "/usr/share/selinux/devel/policy.xml"): + global modules_dict @@ -338714,8 +339015,6 @@ index 0000000..a50ba21 + port_types.sort() + return port_types + -+files_dict = {} -+ +bools = None +def get_all_bools(): + global bools @@ -338757,7 +339056,7 @@ index 0000000..a50ba21 + +class HTMLManPages: + """ -+ Generate a HHTML Manpages on an given SELinux domains ++ Generate a HTML Manpages on an given SELinux domains + """ + + def __init__(self, manpage_roles, manpage_domains, path, os_version): @@ -339097,11 +339396,11 @@ index 0000000..a50ba21 + self._entrypoints() + self._process_types() + self._booleans() -+ self._public_content() -+ self._file_context() ++ self._nsswitch_domain() + self._port_types() + self._writes() -+ self._nsswitch_domain() ++ self._file_context() ++ self._public_content() + self._footer() + + def _get_ptypes(self): @@ -339141,7 +339440,7 @@ index 0000000..a50ba21 + + def _explain(self, f): + if f.endswith("_var_run_t"): -+ return "store the %s files under the /run directory." % prettyprint(f, "_var_run_t") ++ return "store the %s files under the /run or /var/run directory." % prettyprint(f, "_var_run_t") + if f.endswith("_pid_t"): + return "store the %s files under the /run directory." % prettyprint(f, "_pid_t") + if f.endswith("_var_lib_t"): 
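Review bot: `get()` in the new interface.py opens `fn` but only closes it on the success path, and its bare `except:` turns every failure — including parse errors raised by `InterfaceSet.from_file` and `KeyboardInterrupt` — into "could not open interface info", hiding the real cause; a `with` block closes the handle on every path and `except IOError` limits the rewrapping to the open failure. `get_user()` also calls `get_all_types()` once per interface inside its loop, re-querying the policy for every candidate; bind it once before the loop (`types = get_all_types()`) and test membership against that. Both `get_admin()` and `get_user()` re-read and re-parse the interface file on every call, and polgengui (earlier in this patch) calls them back to back, so caching the parsed method list at module level would avoid the duplicate parse.
```python
def get():
    """ Get all Methods """
    fn = defaults.interface_info()
    try:
        with open(fn) as fd:
            ifs = interfaces.InterfaceSet()
            ifs.from_file(fd)
            methods = ifs.interfaces.keys()
    except IOError:
        raise ValueError(_("could not open interface info [%s]\n") % fn)

    return methods
```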
@@ -339380,6 +339679,33 @@ index 0000000..a50ba21 +.EE""" % (prot, ",".join(self.portrecs[(p,prot)]))) + + def _file_context(self): ++ flist=[] ++ mpaths=[] ++ for f in self.all_file_types: ++ if f.startswith(self.domainname): ++ flist.append(f) ++ if f in self.fcdict: ++ mpaths = mpaths + self.fcdict[f] ++ mpaths.sort() ++ mdirs={} ++ for mp in mpaths: ++ found = False ++ for md in mdirs: ++ if mp.startswith(md): ++ mdirs[md].append(mp) ++ found = True ++ break ++ if not found: ++ for e in equiv_dirs: ++ if mp.startswith(e) and mp.endswith('(/.*)?'): ++ mdirs[mp[:-6]] = [] ++ break ++ ++ equiv = [] ++ for m in mdirs: ++ if len(mdirs[m]) > 0: ++ equiv.append(m) ++ + self.fd.write(r""" +.SH FILE CONTEXTS +SELinux requires files to have an extended attribute to define the file type. 
@@ -339389,10 +339715,42 @@ index 0000000..a50ba21 +Policy governs the access confined processes have to these files. +SELinux %(domainname)s policy is very flexible allowing users to setup their %(domainname)s processes in as secure a method as possible. +.PP -+The following file types are defined for %(domainname)s: +""" % {'domainname':self.domainname}) -+ for f in self.all_file_types: -+ if f.startswith(self.domainname): ++ ++ if len(equiv) > 0: ++ self.fd.write(r""" ++.PP ++.B EQUIVALENCE DIRECTORIES ++""") ++ for e in equiv: ++ self.fd.write(r""" ++.PP ++%(domainname)s policy stores data with multiple different file context types under the %(equiv)s directory. If you would like to store the data in a different directory you can use the semanage command to create an equivalence mapping. If you wanted to store this data under the /srv directory you would execute the following command: ++.PP ++.B semanage fcontext -a -e %(equiv)s /srv/%(alt)s ++.br ++.B restorecon -R -v /srv/%(alt)s ++.PP ++""" % {'domainname':self.domainname, 'equiv': e, 'alt': e.split('/')[-1] }) ++ ++ self.fd.write(r""" ++.PP ++.B STANDARD FILE CONTEXT ++ ++SELinux defines the file context types for the %(domainname)s, if you wanted to ++store files with these types in a different paths, you need to execute the semanage command to specify alternate labeling and then use restorecon to put the labels on disk. ++ ++.B semanage fcontext -a -t %(type)s '/srv/%(domainname)s/content(/.*)?' ++.br ++.B restorecon -R -v /srv/my%(domainname)s_content ++ ++Note: SELinux often uses regular expressions to specify labels that match multiple files. ++""" % {'domainname':self.domainname, "type":flist[0] }) ++ ++ self.fd.write(r""" ++.I The following file types are defined for %(domainname)s: ++""" % {'domainname':self.domainname}) ++ for f in flist: + self.fd.write(""" + +.EX 
@@ -339403,17 +339761,17 @@ index 0000000..a50ba21 +- Set files with the %s type, if you want to %s +""" % (f, f, self._explain(f))) + -+ if f in files_dict: ++ if f in self.fcdict: + plural = "" -+ if len(files_dict[f]) > 1: ++ if len(self.fcdict[f]) > 1: + plural = "s" + self.fd.write(""" +.br +.TP 5 +Path%s: -+%s""" % (plural, files_dict[f][0][0])) -+ for x in files_dict[f][1:]: -+ self.fd.write(", %s" % x[0]) ++%s""" % (plural, self.fcdict[f][0])) ++ for x in self.fcdict[f][1:]: ++ self.fd.write(", %s" % x) + + self.fd.write(""" + @@ -340895,7 +341253,7 @@ index 0000000..46dd367 +""" diff --git a/policycoreutils/sepolicy/sepolicy/templates/script.py b/policycoreutils/sepolicy/sepolicy/templates/script.py new file mode 100644 -index 0000000..2fe917a +index 0000000..82f90bb --- /dev/null +++ b/policycoreutils/sepolicy/sepolicy/templates/script.py @@ -0,0 +1,134 @@ @@ -340968,7 +341326,7 @@ index 0000000..2fe917a +/usr/sbin/semodule -i TEMPLATEFILE.pp + +# Generate a man page off the installed module -+sepolicy manpage -p . -d TEMPLATETYPE ++sepolicy manpage -p . -d TEMPLATETYPE_t + +# Generate a rpm package for the newly generated policy + @@ -341377,10 +341735,10 @@ index 0000000..60e5844 +""" diff --git a/policycoreutils/sepolicy/sepolicy/templates/user.py b/policycoreutils/sepolicy/sepolicy/templates/user.py new file mode 100644 -index 0000000..398c6f2 +index 0000000..79f3997 --- /dev/null +++ b/policycoreutils/sepolicy/sepolicy/templates/user.py -@@ -0,0 +1,204 @@ +@@ -0,0 +1,191 @@ +# Copyright (C) 2007-2012 Red Hat +# see file 'COPYING' for use and warranty information +# @@ -341411,7 +341769,6 @@ index 0000000..398c6f2 +# +# Declarations +# -+ +userdom_unpriv_user_template(TEMPLATETYPE) +""" + @@ -341422,7 +341779,6 @@ index 0000000..398c6f2 +# +# Declarations +# -+ +userdom_admin_user_template(TEMPLATETYPE) +""" + 
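Review bot: `"type":flist[0]` in the new `STANDARD FILE CONTEXT` section raises `IndexError` when no entry of `self.all_file_types` starts with `self.domainname` (`flist` is built in the preceding hunk and can be empty), aborting man-page generation for such domains; guard the section with `if flist:` or drop the example when the list is empty. The generated example is also internally inconsistent: `semanage fcontext -a -t %(type)s '/srv/%(domainname)s/content(/.*)?'` labels `/srv/<domain>/content`, but the following `restorecon -R -v /srv/my%(domainname)s_content` relabels a different path, so a reader who copies both commands relabels nothing. In the same paragraph, "in a different paths" should read "in different paths". `_file_context` begins in the preceding hunk and continues after this one.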
@@ -341449,12 +341805,7 @@ index 0000000..398c6f2 +""" + +te_existing_user_types="""\ -+policy_module(myTEMPLATETYPE, 1.0.0) -+ -+gen_require(` -+ type TEMPLATETYPE_t, TEMPLATETYPE_devpts_t; -+ role TEMPLATETYPE_r; -+') ++policy_module(TEMPLATETYPE, 1.0.0) + +""" + @@ -341466,16 +341817,24 @@ index 0000000..398c6f2 +# Declarations +# + ++## ++##

++## Allow TEMPLATETYPE to read files in the user home directory ++##

++##
++gen_tunable(TEMPLATETYPE_read_user_files, false) ++ ++## ++##

++## Allow TEMPLATETYPE to manage files in the user home directory ++##

++##
++gen_tunable(TEMPLATETYPE_manage_user_files, false) ++ +userdom_base_user_template(TEMPLATETYPE) +""" + +te_login_user_rules="""\ -+ -+######################################## -+# -+# TEMPLATETYPE local policy -+# -+ +""" + +te_existing_user_rules="""\ @@ -341484,38 +341843,28 @@ index 0000000..398c6f2 +# +# TEMPLATETYPE customized policy +# -+ +""" + +te_x_login_user_rules="""\ -+ -+######################################## -+# -+# TEMPLATETYPE local policy -+# +""" + +te_root_user_rules="""\ + -+######################################## -+# -+# TEMPLATETYPE local policy -+# +""" + +te_transition_rules=""" +optional_policy(` -+ APPLICATION_role(TEMPLATETYPE_r, TEMPLATETYPE_t) ++ APPLICATION_role(TEMPLATETYPE_r, TEMPLATETYPE_t) +') +""" + +te_user_trans_rules=""" +optional_policy(` -+ gen_require(` -+ role USER_r; -+ ') ++ gen_require(` ++ role USER_r; ++ ') + -+ TEMPLATETYPE_role_change(USER_r) ++ TEMPLATETYPE_role_change(USER_r) +') +""" + @@ -341537,24 +341886,20 @@ index 0000000..398c6f2 +userdom_dontaudit_search_admin_dir(TEMPLATETYPE_t) +userdom_dontaudit_search_user_home_dirs(TEMPLATETYPE_t) + -+bool TEMPLATETYPE_read_user_files false; -+bool TEMPLATETYPE_manage_user_files false; -+ -+if (TEMPLATETYPE_read_user_files) { -+ userdom_read_user_home_content_files(TEMPLATETYPE_t) -+ userdom_read_user_tmp_files(TEMPLATETYPE_t) -+} -+ -+if (TEMPLATETYPE_manage_user_files) { -+ userdom_manage_user_home_content(TEMPLATETYPE_t) -+ userdom_manage_user_tmp_files(TEMPLATETYPE_t) -+} ++tunable_policy(`TEMPLATETYPE_read_user_files',` ++ userdom_read_user_home_content_files(TEMPLATETYPE_t) ++ userdom_read_user_tmp_files(TEMPLATETYPE_t) ++') + ++tunable_policy(`TEMPLATETYPE_manage_user_files',` ++ userdom_manage_user_home_content(TEMPLATETYPE_t) ++ userdom_manage_user_tmp_files(TEMPLATETYPE_t) ++') +""" + +te_admin_trans_rules=""" +gen_require(` -+ role USER_r; ++ role USER_r; +') + +allow USER_r TEMPLATETYPE_r; 
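Review bot: `te_admin_rules` now references `TEMPLATETYPE_read_user_files` and `TEMPLATETYPE_manage_user_files` through `tunable_policy` but no longer declares them, while the `gen_tunable` declarations this patch adds go into `te_login_user_types`. In generate.py (hunk `@@ -337937`) `te_admin_rules` is emitted for `RUSER`, and the type/rule pairing visible there appears to give `RUSER` its declarations from `generate_root_user_types`, not from the login-user template; if `te_root_user_types` (outside the hunks shown) does not declare the same two tunables, the generated module references undeclared booleans. Either place the two `gen_tunable` blocks in the template that is paired with `te_admin_rules`, or declare them in every types template whose rules template uses them.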
@@ -341562,23 +341907,23 @@ index 0000000..398c6f2 + +te_admin_domain_rules=""" +optional_policy(` -+ APPLICATION_admin(TEMPLATETYPE_t, TEMPLATETYPE_r) ++ APPLICATION_admin(TEMPLATETYPE_t, TEMPLATETYPE_r) +') +""" + +te_roles_rules=""" +optional_policy(` -+ gen_require(` -+ role ROLE_r; -+ ') ++ gen_require(` ++ role ROLE_r; ++ ') + -+ allow TEMPLATETYPE_r ROLE_r; ++ allow TEMPLATETYPE_r ROLE_r; +') +""" + +te_sudo_rules=""" +optional_policy(` -+ sudo_role_template(TEMPLATETYPE, TEMPLATETYPE_r, TEMPLATETYPE_t) ++ sudo_role_template(TEMPLATETYPE, TEMPLATETYPE_r, TEMPLATETYPE_t) +') +""" + diff --git a/policycoreutils.spec b/policycoreutils.spec index aa4b629..5cedcc2 100644 --- a/policycoreutils.spec +++ b/policycoreutils.spec @@ -7,7 +7,7 @@ Summary: SELinux policy core utilities Name: policycoreutils Version: 2.1.13 -Release: 49%{?dist} +Release: 50%{?dist} License: GPLv2 Group: System Environment/Base # Based on git repository with tag 20101221 @@ -338,6 +338,12 @@ The policycoreutils-restorecond package contains the restorecond service. %{_bindir}/systemctl try-restart restorecond.service >/dev/null 2>&1 || : %changelog +* Thu Jan 3 2013 Dan Walsh - 2.1.12-50 +- Update translations +- update sepolicy manpage to generate fcontext equivalence data and to list +default file context paths. +- Add ability to generate policy for confined admins and domains like puppet. + * Thu Dec 19 2012 Dan Walsh - 2.1.12-49 - Fix semanage permissive , this time with the patch. - Update translations