* Fri Oct 22 2004 Dan Walsh <dwalsh@redhat.com> 1.17.7-2

- Patch audit2allow to return self and no brackets if only one rule
This commit is contained in:
Daniel J Walsh 2004-10-28 14:39:53 +00:00
parent 2d79300263
commit d6dffe8d2b
2 changed files with 26 additions and 393 deletions

View File

@ -1,393 +1,26 @@
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/restorecon/restorecon.8 policycoreutils-1.17.6/restorecon/restorecon.8 diff --exclude-from=exclude -N -u -r nsapolicycoreutils/audit2allow/audit2allow policycoreutils-1.17.7/audit2allow/audit2allow
--- nsapolicycoreutils/restorecon/restorecon.8 2004-10-06 09:47:27.000000000 -0400 --- nsapolicycoreutils/audit2allow/audit2allow 2004-09-10 11:25:57.000000000 -0400
+++ policycoreutils-1.17.6/restorecon/restorecon.8 2004-10-22 15:32:09.757994544 -0400 +++ policycoreutils-1.17.7/audit2allow/audit2allow 2004-10-28 10:34:33.476265420 -0400
@@ -7,7 +7,7 @@ @@ -124,13 +124,19 @@
.I [\-o outfilename ] [\-R] [\-n] [\-v] pathname... foreach $k (sort keys %rules)
.P
.B restorecon
-.I \-f infilename [\-o outfilename ] [\-R] [\-n] [\-v]
+.I \-f infilename [\-o outfilename ] [\-F] [\-R] [\-n] [\-v]
.SH "DESCRIPTION"
This manual page describes the
@@ -26,6 +26,9 @@
.B \-f infilename
infilename contains a list of files to be processed by application. Use \- for stdin.
.TP
+.B \-F
+restore file context even if admin customized file context.
+.TP
.B \-R
change files and directories file labels recursively
.TP
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/restorecon/restorecon.c policycoreutils-1.17.6/restorecon/restorecon.c
--- nsapolicycoreutils/restorecon/restorecon.c 2004-10-06 09:47:28.000000000 -0400
+++ policycoreutils-1.17.6/restorecon/restorecon.c 2004-10-22 15:35:25.200282800 -0400
@@ -8,11 +8,14 @@
* to match the specification returned by matchpathcon.
*
* USAGE:
- * restorecon [-Rnv] pathname...
+ * restorecon [-FRnv] [-f inputfile ] [ -o outputfile ] pathname...
*
+ * -R recurse
* -n Do not change any file labels.
* -v Show changes in file labels.
- * -o filename save list of files with incorrect context
+ * -o filename save list of files with incorrect context
+ * -F Restore file context even if the customize flag is set
+ * -f filename to read from for changing filecontext
*
* pathname... The file(s) to label
*
@@ -42,11 +45,12 @@
static char *progname;
static int errors=0;
static int recurse;
+static int force=0;
void usage(const char * const name)
{ {
fprintf(stderr, my ($a,$scontext,$tcontext,$tclass) = split /\|/, $k;
- "usage: %s [-Rnv] [-f filename | pathname... ]\n", name); - print OUT "allow $scontext $tcontext:$tclass {";
+ "usage: %s [-FRnv] [-f filename | pathname... ]\n", name); + if ($scontext eq $tcontext) {
exit(1); + $tcontext = 'self';
} + }
int restore(char *filename) { + print OUT "allow $scontext $tcontext:$tclass";
@@ -54,6 +58,8 @@
int retval=0; my $access_types = $rules{$k};
security_context_t scontext; + $len=(keys %$access_types);
security_context_t prev_context; + if ($len gt 2 ) { print OUT " {"; }
+ unsigned int customized=0; foreach $t (sort keys %$access_types) {
+ unsigned int flag=0; - print OUT "$t ";
int len=strlen(filename); + if ($t ne "") {print OUT " $t";}
struct stat st;
char path[PATH_MAX+1];
@@ -109,14 +115,27 @@
return 0;
}
retcontext=lgetfilecon(filename,&prev_context);
-
+
if (retcontext >= 0 || errno == ENODATA) {
if (retcontext < 0 || strcmp(prev_context,scontext) != 0) {
- if (outfile) {
- fprintf(outfile, "%s\n", filename);
- }
+ lgetfileconflag(filename, &flag);
+ customized=flag & SELINUX_CUSTOMIZE;
+ if (outfile && (!customized || force))
+ fprintf(outfile, "%s\n", filename);
if (change) {
- retval=lsetfilecon(filename,scontext);
+ if (customized) {
+ if (force) {
+ retval=lsetfilecon(filename,scontext);
+ if (retval >= 0)
+ lsetfileconflag(filename, flag & !SELINUX_CUSTOMIZE);
+ } else {
+ if (verbose)
+ fprintf(stderr,"%s did not reset context for %s, marked flaganent\n",
+ progname, filename);
+ }
+ } else {
+ retval=lsetfilecon(filename,scontext);
+ }
}
if (retval<0) {
fprintf(stderr,"%s set context %s->%s failed:'%s'\n",
@@ -126,7 +145,7 @@
freecon(scontext);
return 1;
} else
- if (verbose)
+ if (verbose && (!customized || force))
fprintf(stderr,"%s reset context %s->%s\n",
progname, filename, scontext);
} }
@@ -179,7 +198,7 @@ - print OUT "};\n";
+ if ($len gt 2 ) { print OUT " }"; }
memset(buf,0, sizeof(buf)); + print OUT ";\n";
$occur{$k} =~ s/\\(.)/$1/g; # de-escape string
- while ((opt = getopt(argc, argv, "Rnvf:o:")) > 0) { print OUT "$occur{$k}\n" if ($verbose);
+ while ((opt = getopt(argc, argv, "FRnvf:o:")) > 0) {
switch (opt) {
case 'n':
change = 0;
@@ -187,6 +206,9 @@
case 'R':
recurse = 1;
break;
+ case 'F':
+ force = 1;
+ break;
case 'o':
outfile = fopen(optarg,"w");
if (!outfile) {
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/fixfiles policycoreutils-1.17.6/scripts/fixfiles
--- nsapolicycoreutils/scripts/fixfiles 2004-10-06 09:47:28.000000000 -0400
+++ policycoreutils-1.17.6/scripts/fixfiles 2004-10-22 15:32:09.759994240 -0400
@@ -31,6 +31,8 @@
outfileFlag=0
OUTFILES=""
logfileFlag=0
+LOGFILE=/dev/null
+SYSLOGFLAG="-l"
SETFILES=/usr/sbin/setfiles
FILESYSTEMSRW=`mount | grep -v "context=" | egrep -v '\((|.*,)bind(,.*|)\)' | awk '/(ext[23]| xfs | reiserfs ).*\(rw/{print $3}';`
FILESYSTEMSRO=`mount | grep -v "context=" | egrep -v '\((|.*,)bind(,.*|)\)' | awk '/(ext[23]| xfs | reiserfs ).*\(ro/{print $3}';`
@@ -44,50 +46,54 @@
FC=/etc/security/selinux/file_contexts
fi
+logit () {
+if [ $logfileFlag = 0 ]; then
+ logger -i $1
+else
+ echo $1 >> $LOGFILE
+fi
+}
checkLabels () {
-echo "logging to $LOGFILE"
if [ ! -z "$1" ]; then
for i in `echo $1 | sed 's/,/ /g'`; do
- rpm -q -l $i | restorecon ${OUTFILES} -n -v -f - 2>&1 > $LOGFILE
+ rpm -q -l $i | restorecon ${OUTFILES} -n -v -f - 2>&1 >> $LOGFILE
done
else
if [ ! -z "$FILESYSTEMSRO" ]; then
- echo "Warning: Skipping the following R/O filesystems:"
- echo "$FILESYSTEMSRO"
+ logit "Warning: Skipping the following R/O filesystems:"
+ logit "$FILESYSTEMSRO"
fi
- ${SETFILES} ${OUTFILES} -n -v ${FC} ${FILESYSTEMSRW} 2>&1 > $LOGFILE
+ ${SETFILES} ${OUTFILES} ${SYSLOGFLAG} -n -v ${FC} ${FILESYSTEMSRW} 2>&1 >> $LOGFILE
fi
} }
restoreLabels () {
-echo "logging to $LOGFILE"
if [ ! -z "$1" ]; then
for i in `echo $1 | sed 's/,/ /g'`; do
- rpm -q -l $i | restorecon ${OUTFILES} -v -f - 2>&1 > $LOGFILE
+ rpm -q -l $i | restorecon ${OUTFILES} -v -f - 2>&1 >> $LOGFILE
done
else
if [ ! -z "$FILESYSTEMSRO" ]; then
- echo "Warning: Skipping the following R/O filesystems:"
- echo "$FILESYSTEMSRO"
+ logit "Warning: Skipping the following R/O filesystems:"
+ logit "$FILESYSTEMSRO"
fi
- ${SETFILES} ${OUTFILES} -v ${FC} ${FILESYSTEMS} 2>&1 > $LOGFILE
+ ${SETFILES} ${OUTFILES} ${SYSLOGFLAG} -v ${FC} ${FILESYSTEMS} 2>&1 >> $LOGFILE
fi
}
relabel() {
-echo "logging to $LOGFILE"
-echo "Cleaning out /tmp"
+logit "Cleaning out /tmp"
rm -rf /tmp/.??* /tmp/*
if [ ! -z "$1" ]; then
for i in `echo $1 | sed 's/,/ /g'`; do
- rpm -q -l $i | restorecon ${OUTFILES} -v -f - 2>&1 > $LOGFILE
+ rpm -q -l $i | restorecon ${OUTFILES} -v -f - 2>&1 >> $LOGFILE
done
else
if [ ! -z "$FILESYSTEMSRO" ]; then
- echo "Warning: Skipping the following R/O filesystems:"
- echo "$FILESYSTEMSRO"
+ logit "Warning: Skipping the following R/O filesystems:"
+ logit "$FILESYSTEMSRO"
fi
- ${SETFILES} ${OUTFILES} -v ${FC} ${FILESYSTEMS} 2>&1 > $LOGFILE
+ ${SETFILES} ${OUTFILES} ${SYSLOGFLAG} -v ${FC} ${FILESYSTEMS} 2>&1 >> $LOGFILE
fi
}
relabelCheck() {
@@ -129,6 +135,8 @@
fi
if [ $logfileFlag = 2 ]; then
LOGFILE="$i"
+ echo > $LOGFILE
+ SYSLOGFLAG=""
logfileFlag=1
continue
fi
@@ -165,13 +173,6 @@
exit 1
fi
-if [ $logfileFlag = 0 ]; then
- LOGFILE=`mktemp /var/tmp/fixfiles.log.XXXXXXXXXX`
- if [ ! -w $LOGFILE ] ; then
- exit 1
- fi
-fi
-
if [ $checkFlag = 1 ]; then
checkLabels $rpmFiles
fi
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/fixfiles.cron policycoreutils-1.17.6/scripts/fixfiles.cron
--- nsapolicycoreutils/scripts/fixfiles.cron 2004-09-10 11:25:57.000000000 -0400
+++ policycoreutils-1.17.6/scripts/fixfiles.cron 2004-10-22 15:32:09.760994088 -0400
@@ -21,7 +21,8 @@
mail ${CRONMAILTO} -s "Invalid File Contexts" < $OUTFILE
rm -f $OUTFILE
else
- mail ${CRONMAILTO} -s "Invalid File Contexts listed in $OUTFILE" < /dev/null
+ MESSAGE="Invalid File Contexts listed in $OUTFILE"
+ mail ${CRONMAILTO} -s "Invalid File Contexts" <<< $MESSAGE
fi
else
rm -f $OUTFILE
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/Makefile policycoreutils-1.17.6/scripts/Makefile
--- nsapolicycoreutils/scripts/Makefile 2004-09-10 11:25:57.000000000 -0400
+++ policycoreutils-1.17.6/scripts/Makefile 2004-10-22 15:32:09.761993936 -0400
@@ -12,7 +12,7 @@
-mkdir -p $(BINDIR)
install -m 755 $(TARGETS) $(BINDIR)
install -m 755 fixfiles $(DESTDIR)/sbin
- install -D -m 755 fixfiles.cron $(DESTDIR)/etc/cron.daily/fixfiles.cron
+ install -D -m 755 fixfiles.cron $(DESTDIR)/etc/cron.weekly/fixfiles.cron
-mkdir -p $(MANDIR)/man8
install -m 644 fixfiles.8.gz $(MANDIR)/man8/
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/setfiles/setfiles.8 policycoreutils-1.17.6/setfiles/setfiles.8
--- nsapolicycoreutils/setfiles/setfiles.8 2004-10-06 09:47:28.000000000 -0400
+++ policycoreutils-1.17.6/setfiles/setfiles.8 2004-10-22 15:32:09.761993936 -0400
@@ -4,7 +4,7 @@
.SH "SYNOPSIS"
.B setfiles
-.I [\-d] [\-l] [\-n] [\-e directory ] [\-o filename ] [\-q] [\-s] [\-v] [\-vv] [\-W] spec_file pathname...
+.I [\-d] [\-l] [\-n] [\-e directory ] [\-o filename ] [\-q] [\-s] [\-v] [\-vv] [\-F] [\-W] spec_file pathname...
.SH "DESCRIPTION"
This manual page describes the
.BR setfiles
@@ -47,6 +47,9 @@
.B \-vv
show changes in file labels, if type, role, or user are changing.
.TP
+.B \-F
+set file context even if admin customized file context.
+.TP
.B \-W
display warnings about entries that had no matching files.
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/setfiles/setfiles.c policycoreutils-1.17.6/setfiles/setfiles.c
--- nsapolicycoreutils/setfiles/setfiles.c 2004-10-06 09:47:28.000000000 -0400
+++ policycoreutils-1.17.6/setfiles/setfiles.c 2004-10-22 15:36:18.282213120 -0400
@@ -12,7 +12,7 @@
* the user. The program does not cross file system boundaries.
*
* USAGE:
- * setfiles [-dnpqsvW] [-e directory ] [-c policy] [-o filename ] spec_file pathname...
+ * setfiles [-FdnpqsvW] [-e directory ] [-c policy] [-o filename ] spec_file pathname...
*
* -e Specify directory to exclude
* -c Verify the specification file using a binary policy
@@ -24,6 +24,7 @@
* -s Use stdin for a list of files instead of searching a partition.
* -v Show changes in file labels.
* -W Warn about entries that have no matching file.
+ * -F reset file context even if the customize flag is set
* -o filename write out file names with wrong context.
*
* spec_file The specification file.
@@ -96,6 +97,7 @@
static int use_stdin = 0;
static int verbose = 0;
static int log = 0;
+static int force = 0;
static int warn_no_match = 0;
static char *rootpath = NULL;
static int rootpathlen = 0;
@@ -515,9 +517,9 @@
void usage(const char * const name)
{
fprintf(stderr,
- "usage: %s [-dnqvW] [-o filename] spec_file pathname...\n"
+ "usage: %s [-FdnqvW] [-o filename] spec_file pathname...\n"
"usage: %s [-c policyfile] spec_file\n"
- "usage: %s -s [-dnqvW] [-o filename ] spec_file\n", name, name, name);
+ "usage: %s -s [-FdnqvW] [-o filename ] spec_file\n", name, name, name);
exit(1);
}
@@ -603,6 +605,8 @@
struct stat my_sb;
int i, ret;
char *context;
+ unsigned int customize=0;
+ unsigned int fileconflag=0;
/* Skip the extra slash at the beginning, if present. */
if (file[0] == '/' && file[1] == '/')
@@ -675,7 +679,9 @@
return 0;
}
- if (verbose) {
+ lgetfileconflag(my_file, &fileconflag);
+ customize=fileconflag & SELINUX_CUSTOMIZE;
+ if (verbose && (!customize || force)) {
/* If we're just doing "-v", trim out any relabels where
* the user has changed but the role and type are the
* same. For "-vv", emit everything. */
@@ -686,22 +692,22 @@
}
}
- if (log &&
+ if (log && (!customize || force) &&
!only_changed_user(context, spec_arr[i].context)) {
syslog(LOG_INFO, "relabeling %s from %s to %s\n",
my_file, context, spec_arr[i].context);
}
- if (outfile &&
+ if (outfile && (!customize || force) &&
!only_changed_user(context, spec_arr[i].context))
fprintf(outfile, "%s\n", my_file);
freecon(context);
/*
- * Do not relabel the file if -n was used.
+ * Do not relabel the file if -n was used or if customized.
*/
- if (!change)
+ if (!change || (customize && !force))
return 0;
/*
@@ -714,6 +720,7 @@
progname, my_file, spec_arr[i].context);
return 0;
}
+ lsetfileconflag(my_file, fileconflag & !SELINUX_CUSTOMIZE);
return 0;
}
@@ -775,7 +782,7 @@
memset(excludeArray,0, sizeof(excludeArray));
/* Process any options. */
- while ((opt = getopt(argc, argv, "c:dlnqrsvWe:o:")) > 0) {
+ while ((opt = getopt(argc, argv, "Fc:dlnqrsvWe:o:")) > 0) {
switch (opt) {
case 'c':
{
@@ -837,6 +844,9 @@
case 'l':
log = 1;
break;
+ case 'F':
+ force = 1;
+ break;
case 'n':
change = 0;
break;

View File

@ -1,7 +1,7 @@
Summary: SELinux policy core utilities. Summary: SELinux policy core utilities.
Name: policycoreutils Name: policycoreutils
Version: 1.17.7 Version: 1.17.7
Release: 1 Release: 2
License: GPL License: GPL
Group: System Environment/Base Group: System Environment/Base
Source: http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz Source: http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz