From cdca00d223e0b3d5e28fb38be7ccb445df6f2637 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Thu, 5 Jan 2006 21:39:11 +0000 Subject: [PATCH] * Thu Jan 5 2006 Dan Walsh 1.29.4-1 - Update to match NSA * Merged genhomedircon and semanage patch from Dan Walsh. * Changed semodule error reporting to include argv[0]. --- .cvsignore | 2 + policycoreutils-rhat.patch | 518 ++++++++++++++++++++++++------------- policycoreutils.spec | 11 +- sources | 2 +- 4 files changed, 345 insertions(+), 188 deletions(-) diff --git a/.cvsignore b/.cvsignore index 2e402af..ef9543e 100644 --- a/.cvsignore +++ b/.cvsignore @@ -77,3 +77,5 @@ policycoreutils-1.28.tgz policycoreutils-1.29.1.tgz policycoreutils-1.29.2.tgz policycoreutils-1.29.3.tgz +policycoreutils-1.29.4.tgz +policycoreutils-1.29.5.tgz diff --git a/policycoreutils-rhat.patch b/policycoreutils-rhat.patch index 7a1153a..a2510d7 100644 --- a/policycoreutils-rhat.patch +++ b/policycoreutils-rhat.patch 
@@ -1,225 +1,375 @@ -diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/genhomedircon policycoreutils-1.29.3/scripts/genhomedircon ---- nsapolicycoreutils/scripts/genhomedircon 2006-01-04 13:07:46.000000000 -0500 -+++ policycoreutils-1.29.3/scripts/genhomedircon 2006-01-04 13:17:35.000000000 -0500 -@@ -220,8 +220,9 @@ - if len(u)==0 or u[0]=="#": - continue - user = u.split(":") -- if len(user) < 3: -+ if len(user) < 2: - continue -+ - role=self.getOldRole(user[1]) - self.adduser(udict, user[0], user[1], role) - fd.close() -diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semanage/semanage policycoreutils-1.29.3/semanage/semanage ---- nsapolicycoreutils/semanage/semanage 2006-01-04 13:07:46.000000000 -0500 -+++ policycoreutils-1.29.3/semanage/semanage 2006-01-04 13:17:35.000000000 -0500 -@@ -36,7 +36,7 @@ - sename = "user_u" - - (rc,k) = semanage_seuser_key_create(self.sh, name) -- if rc != 0: -+ if rc < 0: - raise ValueError("Could not create a key for %s" % name) +diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semanage/semanage policycoreutils-1.29.4/semanage/semanage +--- nsapolicycoreutils/semanage/semanage 2006-01-05 10:35:49.000000000 -0500 ++++ policycoreutils-1.29.4/semanage/semanage 2006-01-05 16:27:42.000000000 -0500 +@@ -20,15 +20,20 @@ + # 02111-1307 USA + # + # ++ + import commands, sys, os, pwd, string, getopt, pwd + from semanage import *; +-class loginRecords: ++class semanageRecords: + def __init__(self): + self.sh = semanage_handle_create() + self.semanaged = semanage_is_managed(self.sh) + if self.semanaged: + semanage_connect(self.sh) - (rc,exists) = semanage_seuser_exists(self.sh, k) -@@ -48,7 +48,7 @@ - raise ValueError("Linux User %s does not exist" % name) - - (rc,u) = semanage_seuser_create(self.sh) -- if rc != 0: -+ if rc < 0: - raise ValueError("Could not create seuser for %s" % name) - - semanage_seuser_set_name(self.sh, u, name) -@@ -56,12 +56,12 @@ - semanage_seuser_set_sename(self.sh, u, sename) - 
semanage_begin_transaction(self.sh) - semanage_seuser_add(self.sh, k, u) -- if semanage_commit(self.sh) != 0: -+ if semanage_commit(self.sh) < 0: - raise ValueError("Failed to add SELinux user mapping") - - def modify(self, name, sename = "", serange = ""): - (rc,k) = semanage_seuser_key_create(self.sh, name) -- if rc != 0: -+ if rc < 0: - raise ValueError("Could not create a key for %s" % name) - - if sename == "" and serange == "": -@@ -70,7 +70,7 @@ - (rc,exists) = semanage_seuser_exists(self.sh, k) - if exists: - (rc,u) = semanage_seuser_query(self.sh, k) -- if rc != 0: -+ if rc < 0: - raise ValueError("Could not query seuser for %s" % name) - else: - raise ValueError("SELinux user %s mapping is not defined." % name) -@@ -81,13 +81,13 @@ ++class loginRecords(semanageRecords): ++ def __init__(self): ++ semanageRecords.__init__(self) ++ + def add(self, name, sename, serange): + if serange == "": + serange = "s0" +@@ -80,7 +85,7 @@ + if sename != "": semanage_seuser_set_sename(self.sh, u, sename) semanage_begin_transaction(self.sh) - semanage_seuser_modify(self.sh, k, u) -- if semanage_commit(self.sh) != 0: -+ if semanage_commit(self.sh) < 0: +- semanage_seuser_modify(self.sh, k, u) ++ semanage_seuser_modify_local(self.sh, k, u) + if semanage_commit(self.sh) < 0: raise ValueError("Failed to modify SELinux user mapping") - - def delete(self, name): - (rc,k) = semanage_seuser_key_create(self.sh, name) -- if rc != 0: -+ if rc < 0: +@@ -107,13 +112,9 @@ + name = semanage_seuser_get_name(u) + print "%-25s %-25s %-25s" % (name, semanage_seuser_get_sename(u), semanage_seuser_get_mlsrange(u)) + +-class seluserRecords: ++class seluserRecords(semanageRecords): + def __init__(self): +- roles = [] +- self.sh = semanage_handle_create() +- self.semanaged = semanage_is_managed(self.sh) +- if self.semanaged: +- semanage_connect(self.sh) ++ semanageRecords.__init__(self) + + def add(self, name, roles, selevel, serange): + if serange == "": +@@ -125,11 +126,9 @@ + if rc < 0: raise 
ValueError("Could not create a key for %s" % name) - (rc,exists) = semanage_seuser_exists(self.sh, k) -@@ -95,7 +95,7 @@ - raise ValueError("SELinux user %s mapping is not defined." % name) - semanage_begin_transaction(self.sh) - semanage_seuser_del(self.sh, k) -- if semanage_commit(self.sh) != 0: -+ if semanage_commit(self.sh) < 0: - raise ValueError("SELinux User %s mapping not defined" % name) - - def list(self,heading=1): -@@ -122,7 +122,7 @@ - selevel = "s0" - - (rc,k) = semanage_user_key_create(self.sh, name) -- if rc != 0: -+ if rc < 0: - raise ValueError("Could not create a key for %s" % name) - - (rc,exists) = semanage_user_exists_local(self.sh, k) -@@ -132,7 +132,7 @@ - raise ValueError("SELinux user %s is already defined." % name) +- (rc,exists) = semanage_user_exists_local(self.sh, k) ++ (rc,exists) = semanage_user_exists(self.sh, k) + if not exists: +- (rc,exists) = semanage_user_exists(self.sh, k) +- if not exists: +- raise ValueError("SELinux user %s is already defined." % name) ++ raise ValueError("SELinux user %s is already defined." 
% name) (rc,u) = semanage_user_create(self.sh) -- if rc != 0: -+ if rc < 0: - raise ValueError("Could not create login mapping for %s" % name) - - semanage_user_set_name(self.sh, u, name) -@@ -141,12 +141,12 @@ - semanage_user_set_mlsrange(self.sh, u, serange) - semanage_user_set_mlslevel(self.sh, u, selevel) - (rc,key) = semanage_user_key_extract(self.sh,u) -- if rc != 0: -+ if rc < 0: - raise ValueError("Could not extract key for %s" % name) - - semanage_begin_transaction(self.sh) - semanage_user_add_local(self.sh, k, u) -- if semanage_commit(self.sh) != 0: -+ if semanage_commit(self.sh) < 0: - raise ValueError("Failed to add SELinux user") - - def modify(self, name, roles = [], selevel = "", serange = ""): -@@ -154,7 +154,7 @@ - raise ValueError("Requires, roles, level or range") - - (rc,k) = semanage_user_key_create(self.sh, name) -- if rc != 0: -+ if rc < 0: + if rc < 0: +@@ -157,15 +156,11 @@ + if rc < 0: raise ValueError("Could not create a key for %s" % name) - (rc,exists) = semanage_user_exists_local(self.sh, k) -@@ -166,24 +166,24 @@ - (rc,u) = semanage_user_query(self.sh, k) - else: - raise ValueError("SELinux user %s mapping is not defined." % name) -- if rc != 0: -+ if rc < 0: +- (rc,exists) = semanage_user_exists_local(self.sh, k) ++ (rc,exists) = semanage_user_exists(self.sh, k) + if exists: +- (rc,u) = semanage_user_query_local(self.sh, k) ++ (rc,u) = semanage_user_query(self.sh, k) + else: +- (rc,exists) = semanage_user_exists(self.sh, k) +- if exists: +- (rc,u) = semanage_user_query(self.sh, k) +- else: +- raise ValueError("SELinux user %s mapping is not defined." % name) ++ raise ValueError("SELinux user %s mapping is not defined locally." 
% name) + if rc < 0: raise ValueError("Could not query user for %s" % name) - if serange != "": - semanage_user_set_mlsrange(self.sh, u, serange) - if selevel != "": - semanage_user_set_mlslevel(self.sh, u, selevel) -- if len(roles) != 0: -+ if len(roles) < 0: - for r in roles: - semanage_user_add_role(self.sh, u, r) - semanage_begin_transaction(self.sh) - semanage_user_modify_local(self.sh, k, u) -- if semanage_commit(self.sh) != 0: -+ if semanage_commit(self.sh) < 0: - raise ValueError("Failed to modify SELinux user") - - def delete(self, name): +@@ -185,10 +180,14 @@ (rc,k) = semanage_user_key_create(self.sh, name) -- if rc != 0: -+ if rc < 0: + if rc < 0: raise ValueError("Could not crpppeate a key for %s" % name) - - (rc,exists) = semanage_user_exists_local(self.sh, k) -@@ -191,7 +191,7 @@ +- +- (rc,exists) = semanage_user_exists_local(self.sh, k) ++ (rc,exists) = semanage_user_exists(self.sh, k) + if not exists: raise ValueError("user %s is not defined" % name) ++ else: ++ (rc,exists) = semanage_user_exists_local(self.sh, k) ++ if not exists: ++ raise ValueError("user %s is not defined locally, can not delete " % name) ++ semanage_begin_transaction(self.sh) semanage_user_del_local(self.sh, k) -- if semanage_commit(self.sh) != 0: -+ if semanage_commit(self.sh) < 0: - raise ValueError("Login User %s not defined" % name) - - def list(self, heading=1): -@@ -238,7 +238,7 @@ + if semanage_commit(self.sh) < 0: +@@ -211,12 +210,9 @@ + roles += " " + char_by_idx(rlist, ridx) + print "%-15s %-10s %-15s %s" % (semanage_user_get_name(u), semanage_user_get_mlslevel(u), semanage_user_get_mlsrange(u), roles) + +-class portRecords: ++class portRecords(semanageRecords): + def __init__(self): +- self.sh = semanage_handle_create() +- self.semanaged = semanage_is_managed(self.sh) +- if self.semanaged: +- semanage_connect(self.sh) ++ semanageRecords.__init__(self) + + def __genkey(self, port, proto): + if proto == "tcp": +@@ -236,7 +232,7 @@ + else: + low=string.atoi(ports[0]) 
high=string.atoi(ports[1]) - +- ++ (rc,k) = semanage_port_key_create(self.sh, low, high, proto_d) -- if rc != 0: -+ if rc < 0: + if rc < 0: raise ValueError("Could not create a key for %s/%s" % (proto, port)) - return ( k, proto_d, low, high ) - -@@ -260,13 +260,13 @@ - raise ValueError("Port %s/%s already defined locally" % (proto, port)) +@@ -255,10 +251,6 @@ + if exists: + raise ValueError("Port %s/%s already defined" % (proto, port)) +- (rc,exists) = semanage_port_exists_local(self.sh, k) +- if exists: +- raise ValueError("Port %s/%s already defined locally" % (proto, port)) +- (rc,p) = semanage_port_create(self.sh) -- if rc != 0: -+ if rc < 0: + if rc < 0: raise ValueError("Could not create port for %s/%s" % (proto, port)) - - semanage_port_set_proto(p, proto_d) - semanage_port_set_range(p, low, high) - (rc, con) = semanage_context_create(self.sh) -- if rc != 0: -+ if rc < 0: - raise ValueError("Could not create context for %s/%s" % (proto, port)) - - semanage_context_set_user(self.sh, con, "system_u") -@@ -276,7 +276,7 @@ - semanage_port_set_con(p, con) +@@ -273,8 +265,8 @@ + semanage_context_set_role(self.sh, con, "object_r") + semanage_context_set_type(self.sh, con, type) + semanage_context_set_mls(self.sh, con, serange) +- semanage_port_set_con(p, con) semanage_begin_transaction(self.sh) ++ semanage_port_set_con(p, con) semanage_port_add_local(self.sh, k, p) -- if semanage_commit(self.sh) != 0: -+ if semanage_commit(self.sh) < 0: + if semanage_commit(self.sh) < 0: raise ValueError("Failed to add port") +@@ -285,25 +277,23 @@ - def modify(self, port, proto, serange, setype): -@@ -294,7 +294,7 @@ - else: - raise ValueError("port %s/%s is not defined." 
% (proto,port)) + ( k, proto_d, low, high ) = self.__genkey(port, proto) -- if rc != 0: -+ if rc < 0: +- (rc,exists) = semanage_port_exists_local(self.sh, k) ++ (rc,exists) = semanage_port_exists(self.sh, k) + if exists: +- (rc,p) = semanage_port_query_local(self.sh, k) +- (rc,exists) = semanage_port_exists(self.sh, k) +- if exists: +- (rc,p) = semanage_port_query(self.sh, k) +- else: +- raise ValueError("port %s/%s is not defined." % (proto,port)) ++ (rc,p) = semanage_port_query(self.sh, k) ++ else: ++ raise ValueError("port %s/%s is not defined." % (proto,port)) + + if rc < 0: raise ValueError("Could not query port for %s/%s" % (proto, port)) con = semanage_port_get_con(p) -@@ -306,7 +306,7 @@ - semanage_port_set_con(p, con) +- semanage_context_set_mls(self.sh, con, serange) ++ if rc < 0: ++ raise ValueError("Could not get port context for %s/%s" % (proto, port)) ++ + if serange != "": + semanage_context_set_mls(self.sh, con, serange) + if setype != "": + semanage_context_set_type(self.sh, con, setype) +- semanage_port_set_con(p, con) semanage_begin_transaction(self.sh) semanage_port_modify_local(self.sh, k, p) -- if semanage_commit(self.sh) != 0: -+ if semanage_commit(self.sh) < 0: - raise ValueError("Failed to add port") + if semanage_commit(self.sh) < 0: +@@ -311,9 +301,13 @@ def delete(self, port, proto): -@@ -317,7 +317,7 @@ + ( k, proto_d, low, high ) = self.__genkey(port, proto) +- (rc,exists) = semanage_port_exists_local(self.sh, k) ++ (rc,exists) = semanage_port_exists(self.sh, k) + if not exists: +- raise ValueError("port %s/%s is not defined localy." % (proto,port)) ++ raise ValueError("port %s/%s is not defined." % (proto,port)) ++ else: ++ (rc,exists) = semanage_port_exists_local(self.sh, k) ++ if not exists: ++ raise ValueError("port %s/%s is not defined localy, can not be deleted." 
% (proto,port)) semanage_begin_transaction(self.sh) semanage_port_del_local(self.sh, k) -- if semanage_commit(self.sh) != 0: +@@ -338,27 +332,116 @@ + dict[(name,proto)].append("%d" % low) + else: + dict[(name,proto)].append("%d-%d" % (low, high)) +- (status, self.plist, self.psize) = semanage_port_list_local(self.sh) +- for idx in range(self.psize): +- u = semanage_port_by_idx(self.plist, idx) +- con = semanage_port_get_con(u) +- name = semanage_context_get_type(con) +- proto=semanage_port_get_proto_str(u) +- low=semanage_port_get_low(u) +- high = semanage_port_get_high(u) +- if (name, proto) not in dict.keys(): +- dict[(name,proto)]=[] +- if low == high: +- dict[(name,proto)].append("%d" % low) +- else: +- dict[(name,proto)].append("%d-%d" % (low, high)) +- for i in dict.keys(): ++ keys=dict.keys() ++ keys.sort() ++ for i in keys: + rec = "%-30s %-8s " % i + rec += "%s" % dict[i][0] + for p in dict[i][1:]: + rec += ", %s" % p + print rec + ++class interfaceRecords(semanageRecords): ++ def __init__(self): ++ semanageRecords.__init__(self) ++ ++ def add(self, interface, serange, type): ++ if serange == "": ++ serange="s0" ++ ++ if type == "": ++ raise ValueError("Type is required") ++ ++ (rc,k) = semanage_iface_key_create(self.sh, interface) ++ if rc < 0: ++ raise ValueError("Can't create key for %s" % interface) ++ (rc,exists) = semanage_iface_exists(self.sh, k) ++ if exists: ++ raise ValueError("Interface %s already defined" % interface) ++ ++ (rc,iface) = semanage_iface_create(self.sh) ++ if rc < 0: ++ raise ValueError("Could not create interface for %s" % (interface)) ++ ++ rc = semanage_iface_set_name(self.sh, iface, interface) ++ (rc, con) = semanage_context_create(self.sh) ++ if rc < 0: ++ raise ValueError("Could not create context for %s" % interface) ++ ++ semanage_context_set_user(self.sh, con, "system_u") ++ semanage_context_set_role(self.sh, con, "object_r") ++ semanage_context_set_type(self.sh, con, type) ++ semanage_context_set_mls(self.sh, con, 
serange) ++ semanage_begin_transaction(self.sh) ++ semanage_iface_set_ifcon(iface, con) ++ semanage_iface_set_msgcon(iface, con) ++ semanage_iface_add_local(self.sh, k, iface) + if semanage_commit(self.sh) < 0: - raise ValueError("Port %s/%s not defined" % (proto,port)) ++ raise ValueError("Failed to add interface") ++ ++ def modify(self, interface, serange, setype): ++ if serange == "" and setype == "": ++ raise ValueError("Requires, setype or serange") ++ ++ (rc,k) = semanage_iface_key_create(self.sh, interface) ++ if rc < 0: ++ raise ValueError("Can't creater key for %s" % interface) ++ (rc,exists) = semanage_iface_exists(self.sh, k) ++ if exists: ++ (rc,p) = semanage_iface_query(self.sh, k) ++ else: ++ raise ValueError("interface %s is not defined." % interface) ++ ++ if rc < 0: ++ raise ValueError("Could not query interface for %s" % interface) ++ ++ con = semanage_iface_get_ifcon(p) ++ if rc < 0: ++ raise ValueError("Could not get interface context for %s" % interface) ++ ++ if serange != "": ++ semanage_context_set_mls(self.sh, con, serange) ++ if setype != "": ++ semanage_context_set_type(self.sh, con, setype) ++ ++ semanage_begin_transaction(self.sh) ++ semanage_iface_modify_local(self.sh, k, p) ++ if semanage_commit(self.sh) < 0: ++ raise ValueError("Failed to add interface") ++ ++ def delete(self, interface): ++ (rc,k) = semanage_iface_key_create(self.sh, interface) ++ if rc < 0: ++ raise ValueError("Can't create key for %s" % interface) ++ (rc,exists) = semanage_iface_exists(self.sh, k) ++ if not exists: ++ raise ValueError("interface %s is not defined." % interface) ++ else: ++ (rc,exists) = semanage_iface_exists_local(self.sh, k) ++ if not exists: ++ raise ValueError("interface %s is not defined localy, can not be deleted." 
% interface) ++ ++ semanage_begin_transaction(self.sh) ++ semanage_iface_del_local(self.sh, k) ++ if semanage_commit(self.sh) < 0: ++ raise ValueError("Interface %s not defined" % interface) ++ ++ def list(self, heading=1): ++ (status, self.plist, self.psize) = semanage_iface_list(self.sh) ++ if status < 0: ++ raise ValueError("Unable to list interfaces") ++ ++ if heading: ++ print "%-30s %s\n" % ("SELinux Interface", "Context") ++ dict={} ++ for idx in range(self.psize): ++ iface = semanage_iface_by_idx(self.plist, idx) ++ name = semanage_iface_get_name(iface) ++ con = semanage_iface_get_ifcon(iface) ++ ++ ++ print "%-30s %s:%s:%s:%s " % (name,semanage_context_get_user(con), semanage_context_get_role(con), semanage_context_get_type(con), semanage_context_get_mls(con)) ++ + if __name__ == '__main__': + + def usage(message = ""): +@@ -366,6 +449,7 @@ + semanage user [-admsRrh] SELINUX_USER\n\ + semanage login [-admsrh] LOGIN_NAME\n\ + semanage port [-admth] PORT | PORTRANGE\n\ ++semanage interface [-admth] INTERFACE\n\ + -a, --add Add a OBJECT record NAME\n\ + -d, --delete Delete a OBJECT record NAME\n\ + -h, --help display this message\n\ +@@ -391,7 +475,7 @@ + # + # + try: +- objectlist = ("login", "user", "port") ++ objectlist = ("login", "user", "port", "interface") + input = sys.stdin + output = sys.stdout + serange = "" +@@ -482,6 +566,9 @@ + if object == "port": + OBJECT = portRecords() - def list(self, heading=1): ++ if object == "interface": ++ OBJECT = interfaceRecords() ++ + if list: + OBJECT.list(heading) + sys.exit(0); +@@ -504,6 +591,9 @@ + if object == "port": + OBJECT.add(target, proto, serange, setype) + ++ if object == "interface": ++ OBJECT.add(target, serange, setype) ++ + sys.exit(0); + + if modify: +@@ -516,7 +606,10 @@ + + if object == "port": + OBJECT.modify(target, proto, serange, setype) +- sys.exit(0); ++ ++ if object == "interface": ++ OBJECT.modify(target, serange, setype) ++ + sys.exit(0); + + if delete: 
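Review bot: In the new `interfaceRecords.add`, the status from `rc = semanage_iface_set_name(self.sh, iface, interface)` is never tested — the very next statement `(rc, con) = semanage_context_create(self.sh)` overwrites it, so a failed set_name still flows into `semanage_iface_add_local` and `semanage_commit`; replace the bare assignment with `if semanage_iface_set_name(self.sh, iface, interface) < 0:` / `raise ValueError("Could not set name for %s" % interface)`. The same stale-rc pattern appears in `interfaceRecords.modify`, where the `if rc < 0:` after `con = semanage_iface_get_ifcon(p)` re-tests the earlier `semanage_iface_query` result rather than the context lookup, and in the newly added check after `con = semanage_port_get_con(p)` in `portRecords.modify`; either test what the binding actually returns for the context (whether that is a status or a possibly-null handle is not visible here) or drop the dead checks so they do not read as error coverage. The commit-failure messages in the new class are copy-pasted: `modify` raises "Failed to add interface" and `delete` raises "Interface %s not defined", both of which will mislead whoever debugs a failed transaction — "Failed to modify interface" and "Failed to delete interface %s" describe what happened. "Can't creater key" in `modify` is a typo.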
diff --git a/policycoreutils.spec b/policycoreutils.spec index f6cfb63..6ddbf7e 100644 --- a/policycoreutils.spec +++ b/policycoreutils.spec @@ -1,9 +1,9 @@ -%define libsepolver 1.11.2-2 -%define libsemanagever 1.5.4-3 +%define libsepolver 1.11.5-1 +%define libsemanagever 1.5.8-1 %define libselinuxver 1.29.3-2 Summary: SELinux policy core utilities. Name: policycoreutils -Version: 1.29.3 +Version: 1.29.4 Release: 1 License: GPL Group: System Environment/Base @@ -96,6 +96,11 @@ rm -rf ${RPM_BUILD_ROOT} %config(noreplace) %{_sysconfdir}/sestatus.conf %changelog +* Thu Jan 5 2006 Dan Walsh 1.29.4-1 +- Update to match NSA + * Merged genhomedircon and semanage patch from Dan Walsh. + * Changed semodule error reporting to include argv[0]. + * Wed Jan 4 2006 Dan Walsh 1.29.3-1 - Update to match NSA * Merged semanage getpwnam bug fix from Serge Hallyn (IBM). diff --git a/sources b/sources index 318db39..af83855 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -cc6c24f4661760764c33ec8786f3efee policycoreutils-1.29.3.tgz +da2c70fed32e21137b61f23da7a459f5 policycoreutils-1.29.5.tgz
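Review bot: The spec bumps `Version: 1.29.4` and the changelog entry says 1.29.4-1, but the `sources` hunk in the same commit replaces the checksum line with `policycoreutils-1.29.5.tgz`, and `.cvsignore` adds both tarball names. Unless the Source line is spelled independently of `%{version}` (not visible here), the build will look for a 1.29.4 tarball that `sources` no longer provides, or the package will be built from a 1.29.5 tarball while labelled 1.29.4. Either `sources` should carry the checksum for `policycoreutils-1.29.4.tgz` to match the spec, or the spec should move to 1.29.5 with a matching changelog line.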