From ecae8883a5181312f1b828bd997167ae1da41ee8 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Wed, 30 Nov 2005 13:06:22 +0000
Subject: [PATCH] *** empty log message ***

---
 .cvsignore | 1 +
 policycoreutils-rhat.patch | 1085 +++++++-----------------------------
 policycoreutils.spec | 15 +-
 sources | 2 +-
 4 files changed, 225 insertions(+), 878 deletions(-)

diff --git a/.cvsignore b/.cvsignore
index af0d16c..3871ad6 100644
--- a/.cvsignore
+++ b/.cvsignore
@@ -67,3 +67,4 @@ policycoreutils-1.27.26.tgz
 policycoreutils-1.27.27.tgz
 policycoreutils-1.27.28.tgz
 policycoreutils-1.27.29.tgz
+policycoreutils-1.27.30.tgz
diff --git a/policycoreutils-rhat.patch b/policycoreutils-rhat.patch
index ff85230..0cfdea0 100644
--- a/policycoreutils-rhat.patch
+++ b/policycoreutils-rhat.patch
@@ -1,886 +1,223 @@ -diff --exclude-from=exclude -N -u -r nsapolicycoreutils/audit2allow/audit2allow policycoreutils-1.27.29/audit2allow/audit2allow ---- nsapolicycoreutils/audit2allow/audit2allow 2005-11-28 21:47:54.000000000 -0500 -+++ policycoreutils-1.27.29/audit2allow/audit2allow 2005-11-29 00:04:31.000000000 -0500 -@@ -24,7 +24,7 @@ - # 02111-1307 USA - # - # --import commands, sys, os, pwd, string, getopt, re -+import commands, sys, os, pwd, string, getopt, re, selinux - class allow: - def __init__(self, source, target, seclass): - self.source=source -@@ -81,6 +81,11 @@ - self.roles=[] - self.load(input) - -+ def warning(self, error): -+ sys.stderr.write("%s: " % sys.argv[0]) -+ sys.stderr.write("%s\n" % error) -+ sys.stderr.flush() -+ - def load(self, input): - avc=[] - found=0 -@@ -114,43 +119,47 @@ - if "load_policy" in avc and self.last_reload: - self.allowRules={} - return -- for i in range (0, len(avc)): -- if avc[i]=="{": -- i=i+1 -- while i ] [[-m|-M] ] [-o ]\n\ - -a, --all read input from audit and message log, conflicts with -i\n\ -@@ -313,15 +328,17 @@ - if buildPP: - print ("Generating type enforcment file: %s.te" % module) - output.write(out.out(requires, module)) -+ output.flush() - if buildPP: -- print ("Compiling policy: checkmodule -M -m -o %s.mod %s.te" % (module, module)) -- rc=commands.getstatusoutput("checkmodule -M -m -o %s.mod %s.te" % (module, module)) -+ cmd="checkmodule %s -m -o %s.mod %s.te" % (get_mls_flag(), module, module) -+ print "Compiling policy: %s" % cmd -+ rc=commands.getstatusoutput(cmd) - if rc[0]==0: - print ("Building package: semodule_package -o %s.pp -m %s.mod" % (module, module)) - rc=commands.getstatusoutput("semodule_package -o %s.pp -m %s.mod" % (module, module)) - if rc[0]==0: -- print ("\n*************** IMPORTANT ***********************\n") -- print ("In order to load this newly created policy package,\nyou are required to execute \n\n\"semodule -i %s.pp\"\n\nto load the policy\n" % module) -+ print 
("\n******************** IMPORTANT ***********************\n") -+ print ("In order to load this newly created policy package into the kernel,\nyou are required to execute \n\nsemodule -i %s.pp\n\n" % module) - else: - errorExit(rc[1]) - else: -diff --exclude-from=exclude -N -u -r nsapolicycoreutils/audit2allow/audit2allow.1 policycoreutils-1.27.29/audit2allow/audit2allow.1 ---- nsapolicycoreutils/audit2allow/audit2allow.1 2005-09-12 16:33:30.000000000 -0400 -+++ policycoreutils-1.27.29/audit2allow/audit2allow.1 2005-11-29 00:04:31.000000000 -0500 -@@ -30,26 +30,38 @@ - .RI [ options "] " - .SH OPTIONS - .TP --.B "\-\-help" -+.B "\-a" | "\-\-all" -+Read input from audit and message log, conflicts with -i -+.TP -+.B "\-h" | "\-\-help" - Print a short usage message - .TP --.B "\-d" -+.B "\-d" | "\-\-dmesg" - Read input from output of - .I /bin/dmesg. - Note that audit messages are not available via dmesg when - auditd is running; use -i /var/log/audit/audit.log instead. - .TP --.B "\-v" -+.B "\-v" | "\-\-verbose" - Turn on verbose output - .TP --.B "\-l" -+.B "\-l" | "\-\-lastreload" - read input only after last policy reload - .TP --.B "\-i " -+.B "\-r" | "\-\-requires" -+Generate require output syntax for loadable modules. 
-+.TP -+.B "\-m " | "\-\-module " -+Generate module/require output -+.TP -+.B "\-M " -+Generate loadable module package, conflicts with -o -+.TP -+.B "\-i " | "\-\-input " - read input from - .I - .TP --.B "\-o " -+.B "\-o " | "\-\-output " - append output to - .I - .SH DESCRIPTION -@@ -76,18 +88,66 @@ - .PP - .SH EXAMPLE - .nf --$ cd /etc/selinux/$(SELINUXTYPE)/src/policy --$ /usr/bin/audit2allow -i < /var/log/audit/audit.log >> domains/misc/local.te -- --$ make load -+.B Traditional Syntax -+cat /var/log/audit/audit.log.1 | audit2allow -+allow cupsd_config_t unconfined_t:fifo_file { getattr ioctl }; -+ -+ -+.B Using audit2allow to generate module syntax -+ -+$ cat /var/log/audit/audit.log | audit2allow -m local -+module local 1.0; -+ -+require { -+ role system_r; -+ -+ -+ class fifo_file { getattr ioctl }; -+ -+ -+ type cupsd_config_t; -+ type unconfined_t; -+ }; -+ -+ -+allow cupsd_config_t unconfined_t:fifo_file { getattr ioctl }; -+ -+.B Building a loadable module -+ -+$ /usr/bin/audit2allow -m local -i /var/log/audit/audit.log >> local.te -+ -+# Compile the module -+$ checkmodule -M -m -o local.mod local.te -+# Create the package -+$ semodule_package -o local.pp -m local.mod -+# Load the module into the kernel -+$ semodule -i local.mod -+ -+.B Building a loadable module automatically -+$ cat /var/log/audit/audit.log | audit2allow -M local -+Generating type enforcment file: local.te -+Compiling policy: checkmodule -M -m -o local.mod local.te -+Building package: semodule_package -o local.pp -m local.mod -+ -+******************** IMPORTANT *********************** -+ -+In order to load this newly created policy package into the kernel, -+you are required to execute -+ -+semodule -i local.pp -+ - .fi - .PP - .SH AUTHOR - This manual page was written by - .I Manoj Srivastava , --for the Debian GNU/Linux system. The -+for the Debian GNU/Linux system. 
It was updated by Dan Walsh ++.SH SYNOPSIS ++.B semodule ++.br ++.SH DESCRIPTION +.PP -+The - .B audit2allow - utility has contributions from several people, including - .I Justin R. Smith - and - .I Yuichi Nakamura. -+and -+.I Dan Walsh -diff --exclude-from=exclude -N -u -r nsapolicycoreutils/Makefile policycoreutils-1.27.29/Makefile ---- nsapolicycoreutils/Makefile 2005-11-07 09:41:21.000000000 -0500 -+++ policycoreutils-1.27.29/Makefile 2005-11-29 00:04:31.000000000 -0500 -@@ -1,4 +1,4 @@ --SUBDIRS=setfiles load_policy newrole run_init restorecon audit2allow audit2why scripts sestatus semodule_package semodule semodule_link semodule_expand setsebool po -+SUBDIRS=setfiles semanage load_policy newrole run_init restorecon audit2allow audit2why scripts sestatus semodule_package semodule semodule_link semodule_expand setsebool po - - all install relabel clean: - @for subdir in $(SUBDIRS); do \ -diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semanage/Makefile policycoreutils-1.27.29/semanage/Makefile ---- nsapolicycoreutils/semanage/Makefile 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-1.27.29/semanage/Makefile 2005-11-29 00:04:31.000000000 -0500 -@@ -0,0 +1,19 @@ -+# Installation directories. -+PREFIX ?= ${DESTDIR}/usr -+SBINDIR ?= $(PREFIX)/sbin -+MANDIR = $(PREFIX)/share/man -+ -+TARGETS=semanage -+ -+all: $(TARGETS) -+ -+install: all -+ [ -d $(MANDIR)/man8 ] || mkdir -p $(MANDIR)/man8 -+ -mkdir -p $(SBINDIR) -+ install -m 755 semanage $(SBINDIR) -+ install -m 644 semanage.8 $(MANDIR)/man8 -+ -+clean: -+ rm -f semanage -+ -+relabel: -diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semanage/semanage policycoreutils-1.27.29/semanage/semanage ---- nsapolicycoreutils/semanage/semanage 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-1.27.29/semanage/semanage 2005-11-29 00:04:52.000000000 -0500 -@@ -0,0 +1,377 @@ -+#! 
/usr/bin/env python -+# Copyright (C) 2005 Red Hat -+# see file 'COPYING' for use and warranty information -+# -+# semanage is a tool for managing SELinux configuration files -+# -+# This program is free software; you can redistribute it and/or -+# modify it under the terms of the GNU General Public License as -+# published by the Free Software Foundation; either version 2 of -+# the License, or (at your option) any later version. -+# -+# This program is distributed in the hope that it will be useful, -+# but WITHOUT ANY WARRANTY; without even the implied warranty of -+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+# GNU General Public License for more details. -+# -+# You should have received a copy of the GNU General Public License -+# along with this program; if not, write to the Free Software -+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA -+# 02111-1307 USA -+# -+# -+import commands, sys, os, pwd, string, getopt, pwd -+from semanage import *; -+class loginRecords: -+ def __init__(self): -+ self.sh=semanage_handle_create() -+ self.semanaged=semanage_is_managed(self.sh) -+ if self.semanaged: -+ semanage_connect(self.sh) -+ -+ def add(self, name, sename, serange): -+ (rc,k)=semanage_seuser_key_create(self.sh, name) -+ (rc,exists)= semanage_seuser_exists(self.sh, k) -+ if exists: -+ raise ValueError("SELinux User %s mapping already defined" % name) -+ try: -+ pwd.getpwname(name) -+ except: -+ raise ValueError("Linux User %s does not exist" % name) -+ -+ (rc,u)= semanage_seuser_create(self.sh) -+ semanage_seuser_set_name(self.sh, u, name) -+ semanage_seuser_set_mlsrange(self.sh, u, serange) -+ semanage_seuser_set_sename(self.sh, u, sename) -+ semanage_begin_transaction(self.sh) -+ semanage_seuser_add(self.sh, k, u) -+ if semanage_commit(self.sh) != 0: -+ raise ValueError("Failed to add SELinux user mapping") -+ -+ def modify(self, name, sename="", serange=""): -+ (rc,k)=semanage_seuser_key_create(self.sh, name) -+ (rc,u)= 
semanage_seuser_query(self.sh, k) -+ if rc !=0 : -+ raise ValueError("SELinux user %s mapping is not defined." % name) -+ if sename == "" and serange=="": -+ raise ValueError("Requires, seuser or serange") -+ if serange != "": -+ semanage_seuser_set_mlsrange(self.sh, u, serange) -+ if sename != "": -+ semanage_seuser_set_sename(self.sh, u, sename) -+ semanage_begin_transaction(self.sh) -+ semanage_seuser_modify(self.sh, k, u) -+ if semanage_commit(self.sh) != 0: -+ raise ValueError("Failed to modify SELinux user mapping") -+ -+ -+ def delete(self, name): -+ (rc,k)=semanage_seuser_key_create(self.sh, name) -+ (rc,exists)= semanage_seuser_exists(self.sh, k) -+ if rc !=0 : -+ raise ValueError("SELinux user %s mapping is not defined." % name) -+ semanage_begin_transaction(self.sh) -+ semanage_seuser_del(self.sh, k) -+ if semanage_commit(self.sh) != 0: -+ raise ValueError("SELinux User %s mapping not defined" % name) -+ -+ def list(self): -+ print "\n%-25s %-25s %-25s\n" % ("Login Name", "SELinux User", "MLS/MCS Range") -+ (status, self.ulist, self.usize) = semanage_seuser_list(self.sh) -+ for idx in range(self.usize): -+ u=semanage_seuser_by_idx(self.ulist, idx) -+ name=semanage_seuser_get_name(u) -+ -+ print "%-25s %-25s %-25s" % (name, semanage_seuser_get_sename(u), semanage_seuser_get_mlsrange(u)) -+ -+class seluserRecords: -+ def __init__(self): -+ roles=[] -+ self.sh=semanage_handle_create() -+ self.semanaged=semanage_is_managed(self.sh) -+ if self.semanaged: -+ semanage_connect(self.sh) -+ -+ def add(self, name, roles, selevel, serange): -+ (rc,k)=semanage_user_key_create(self.sh, name) -+ (rc,exists)= semanage_user_exists(self.sh, k) -+ if exists: -+ raise ValueError("Seuser %s already defined" % name) -+ (rc,u)= semanage_user_create(self.sh) -+ semanage_user_set_name(self.sh, u, name) -+ for r in roles: -+ semanage_user_add_role(self.sh, u, r) -+ semanage_user_set_mlsrange(self.sh, u, serange) -+ semanage_user_set_mlslevel(self.sh, u, selevel) -+ (rc,key) = 
semanage_user_key_extract(self.sh,u) -+ semanage_begin_transaction(self.sh) -+ semanage_user_add_local(self.sh, k, u) -+ if semanage_commit(self.sh) != 0: -+ raise ValueError("Failed to add SELinux user") -+ -+ self.dict[name]=seluser(name, roles, selevel, serange) -+ -+ def modify(self, name, roles=[], selevel="", serange=""): -+ (rc,k)=semanage_user_key_create(self.sh, name) -+ (rc,exists)= semanage_user_exists(self.sh, k) -+ if not exists: -+ raise ValueError("user %s is not defined" % name) -+ (rc,u)= semanage_user_query(self.sh, k) -+ if rc !=0 : -+ raise ValueError("User %s is not defined." % name) -+ if len(roles) == 0 and serange=="" and selevel=="": -+ raise ValueError("Requires, roles, level or range") -+ if serange != "": -+ semanage_user_set_mlsrange(self.sh, u, serange) -+ if selevel != "": -+ semanage_user_set_mlslevel(self.sh, u, selevel) -+ if len(roles) != 0: -+ for r in roles: -+ print r -+ semanage_user_add_role(self.sh, u, r) -+ semanage_begin_transaction(self.sh) -+ semanage_user_modify_local(self.sh, k, u) -+ if semanage_commit(self.sh) != 0: -+ raise ValueError("Failed to modify SELinux user") -+ -+ -+ def delete(self, name): -+ (rc,k)=semanage_user_key_create(self.sh, name) -+ (rc,exists)= semanage_user_exists(self.sh, k) -+ if not exists: -+ raise ValueError("user %s is not defined" % name) -+ semanage_begin_transaction(self.sh) -+ semanage_user_del_local(self.sh, k) -+ if semanage_commit(self.sh) != 0: -+ raise ValueError("Login User %s not defined" % name) -+ -+ def list(self): -+ print "\n%-15s %-10s %-20s" % ("", "MLS/", "MLS/") -+ print "%-15s %-10s %-15s %-20s\n" % ("SELinux User", "MCS Level", "MCS Range", "SELinux Roles") -+ (status, self.ulist, self.usize) = semanage_user_list(self.sh) -+ for idx in range(self.usize): -+ u=semanage_user_by_idx(self.ulist, idx) -+ name=semanage_user_get_name(u) -+ (status, rlist, rlist_size) = semanage_user_get_roles(self.sh, u) -+ roles="" -+ -+ if rlist_size: -+ roles+=char_by_idx(rlist, 0) -+ for 
ridx in range (1,rlist_size): -+ roles+=" " + char_by_idx(rlist, ridx) -+ print "%-15s %-10s %-15s %s" % (semanage_user_get_name(u), semanage_user_get_mlslevel(u), semanage_user_get_mlsrange(u), roles) -+ -+class portRecords: -+ def __init__(self): -+ self.dict={} -+ self.sh=semanage_handle_create() -+ self.semanaged=semanage_is_managed(self.sh) -+ if self.semanaged: -+ semanage_connect(self.sh) -+ -+ def add(self, name, type): -+ (rc,k)=semanage_port_key_create(self.sh, name) -+ (rc,exists)= semanage_port_exists(self.sh, k) -+ if exists: -+ raise ValueError("User %s already defined" % name) -+ (rc,u)= semanage_port_create(self.sh) -+ semanage_port_set_name(self.sh, u, name) -+ semanage_port_set_mlsrange(self.sh, u, serange) -+ semanage_port_set_sename(self.sh, u, sename) -+ semanage_begin_transaction(self.sh) -+ semanage_port_add(self.sh, k, u) -+ if semanage_commit(self.sh) != 0: -+ raise ValueError("Failed to add port") -+ -+ def modify(self, name, type): -+ (rc,k)=semanage_port_key_create(self.sh, name) -+ (rc,u)= semanage_port_query(self.sh, k) -+ if rc !=0 : -+ raise ValueError("User %s is not defined." 
% name) -+ if sename == "" and serange=="": -+ raise ValueError("Requires, port or serange") -+ if serange != "": -+ semanage_port_set_mlsrange(self.sh, u, serange) -+ if sename != "": -+ semanage_port_set_sename(self.sh, u, sename) -+ semanage_begin_transaction(self.sh) -+ semanage_port_modify(self.sh, k, u) -+ if semanage_commit(self.sh) != 0: -+ raise ValueError("Failed to add port") -+ -+ def delete(self, name): -+ (rc,k)=semanage_port_key_create(self.sh, name) -+ semanage_begin_transaction(self.sh) -+ semanage_port_del(self.sh, k) -+ if semanage_commit(self.sh) != 0: -+ raise ValueError("Port %s not defined" % name) -+ -+ def list(self): -+ (status, self.plist, self.psize) = semanage_port_list(self.sh) -+ print "%-25s %s\n" % ("SELinux Port Name", "Port Number") -+ for idx in range(self.psize): -+ u=semanage_port_by_idx(self.plist, idx) -+ name=semanage_port_get_name(u) -+ print "%20s %d" % ( name, semanage_port_get_number(u)) -+ -+if __name__ == '__main__': -+ -+ def usage(message=""): -+ print '\ -+semanage user [-admsRrh] SELINUX_USER\n\ -+semanage login [-admsrh] LOGIN_NAME\n\ -+semanage port [-admth] SELINUX_PORT_NAME\n\ -+ -a, --add Add a OBJECT record NAME\n\ -+ -d, --delete Delete a OBJECT record NAME\n\ -+ -h, --help display this message\n\ -+ -l, --list List the OBJECTS\n\ -+ -m, --modify Modify a OBJECT record NAME\n\ -+ -r, --range MLS/MCS Security Range\n\ -+ -R, --roles SELinux Roles (Separate by spaces)\n\ -+ -s, --seuser SELinux user name\n\ -+ -t, --type SELinux Type for the object\n\ -+ -v, --verbose verbose output\n\ -+' -+ print message -+ sys.exit(1) -+ -+ def errorExit(error): -+ sys.stderr.write("%s: " % sys.argv[0]) -+ sys.stderr.write("%s\n" % error) -+ sys.stderr.flush() -+ sys.exit(1) -+ -+ # -+ # -+ # -+ try: -+ objectlist=("login", "user", "port") -+ input=sys.stdin -+ output=sys.stdout -+ serange="s0" -+ selevel="s0" -+ roles="" -+ seuser="" -+ type="" -+ add=0 -+ modify=0 -+ delete=0 -+ list=0 -+ if len(sys.argv) < 3: -+ 
usage("Requires 2 or more arguments") -+ -+ object=sys.argv[1] -+ if object not in objectlist: -+ usage("%s not defined" % object) -+ -+ args=sys.argv[2:] -+ gopts, cmds = getopt.getopt(args, -+ 'adlhms:R:r:t:v', -+ ['add', -+ 'delete', -+ 'help', -+ 'list', -+ 'modify', -+ 'seuser=', -+ 'range=', -+ 'roles=', -+ 'type=', -+ 'verbose' -+ ]) -+ for o,a in gopts: -+ if o == "-a" or o == "--add": -+ if modify or delete: -+ usage() -+ add=1 -+ -+ if o == "-d" or o == "--delese": -+ if modify or add: -+ usage() -+ delete=1 -+ if o == "-h" or o == "--help": -+ usage() -+ -+ if o == "-m"or o == "--modify": -+ if delete or add: -+ usage() -+ modify=1 -+ -+ if o == "-r" or o == '--range': -+ serange=a -+ -+ if o == "-R" or o == '--roles': -+ roles=a -+ -+ if o == "-t" or o == "--type": -+ type=a -+ -+ if o == "-l" or o == "--list": -+ list=1 -+ -+ if o == "-s" or o == "--seuser": -+ seuser=a -+ -+ if o == "-v" or o == "--verbose": -+ verbose=1 -+ -+ if object == "login": -+ OBJECT=loginRecords() -+ -+ if object == "user": -+ OBJECT=seluserRecords() -+ -+ if object == "port": -+ OBJECT=portRecords() -+ -+ if list: -+ OBJECT.list() -+ sys.exit(0); -+ -+ if len(cmds) != 1: -+ usage() -+ -+ name=cmds[0] -+ -+ if add: -+ if object == "login": -+ OBJECT.add(name, seuser, serange) -+ -+ if object == "user": -+ rlist=roles.split() -+ print rlist -+ OBJECT.add(name, rlist, selevel, serange) -+ -+ if object == "port": -+ OBJECT.add(name, type) -+ -+ OBJECT.list() -+ sys.exit(0); -+ -+ if modify: -+ if object == "login": -+ OBJECT.modify(name, seuser, serange) -+ -+ if object == "user": -+ rlist=roles.split() -+ print rlist -+ OBJECT.modify(name, rlist, selevel, serange) -+ -+ if object == "port": -+ OBJECT.modify(name, type) -+ sys.exit(0); -+ OBJECT.list() -+ sys.exit(0); -+ -+ if delete: -+ OBJECT.delete(name) -+ sys.exit(0); -+ usage() -+ -+ except getopt.error, error: -+ errorExit("Options Error " + error.msg) -+ except ValueError, error: -+ errorExit(error.args[0]) -+ except 
IOError, error: -+ errorExit(error.args[1]) -+ except KeyboardInterrupt, error: -+ sys.exit(0) -diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semanage/semanage.8 policycoreutils-1.27.29/semanage/semanage.8 ---- nsapolicycoreutils/semanage/semanage.8 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-1.27.29/semanage/semanage.8 2005-11-29 00:04:31.000000000 -0500 -@@ -0,0 +1,57 @@ -+.TH "semanage" "8" "2005111103" "" "" -+.SH "NAME" -+semanage \- SELinux Policy Management tool -+ -+.SH "SYNOPSIS" -+.B semanage OBJECTTYPE [\-admsrh] OBJECT -+.B semanage login [\-admsrh] login_name -+.br -+.B semanage seuser [\-admsrh] selinux_name -+.br -+.B semanage port [\-admth] port_number -+.P -+This tool is used to manage configuration of the SELinux policy -+ -+.SH "DESCRIPTION" -+This manual page describes the -+.BR semanage -+program. -+.br -+This tool is used to manage configuration of SELinux Policy. You can configure SELinux User Mappings, SELinux Port Mappings, SELinux Users. -+ ++semodule is the tool used to manage policy, it can call functions to load/replace the policy in the kernel, as well as setup load_able modules. 
+ +.SH "OPTIONS" -+.TP -+ \-a, \-\-add -+.P -+Add a OBJECT record NAME -+.B \-d, \-\-delete -+.P -+Delete a OBJECT record NAME -+.B \-h, \-\-help -+.P -+display this message -+.B \-l, \-\-list -+.P -+List the OBJECTS -+.B \-m, \-\-modify -+.P -+Modify a OBJECT record NAME -+.B \-r, \-\-range -+.P -+MLS/MCS Security Range -+.B \-s, \-\-seuser -+.P -+SELinux user name -+.B \-t, \-\-type -+.P -+SELinux Type for the object -+.B \-v, \-\-verbose -+.P -+verbose output ++.TP ++.B \-R, \-\-reload ++reload policy ++.TP ++.B \-B, \-\-build ++build and reload policy ++.TP ++.B \-i,\-\-install=MODULE_PKG ++install a new module ++.TP ++.B \-u,\-\-upgrade=MODULE_PKG ++upgrade existing module ++.TP ++.B \-b,\-\-base=MODULE_PKG ++install new base module ++.TP ++.B \-r,\-\-remove=MODULE_NAME ++remove existing module ++.TP ++.B \-l,\-\-list-modules ++display list of installed modules ++.TP ++.B \-s,\-\-store ++name of the store to operate on ++.TP ++.B \-n,\-\-noreload ++do not reload policy after commit ++.TP ++.B \-h,\-\-help ++prints help message and quit ++.TP ++.B \-v,\-\-verbose ++be verbose reset the policy boolean values to the saved policy settings. + -+.SH "AUTHOR" -+This man page was written by Daniel Walsh . ++.SH SEE ALSO ++.B load_policy(8), semodule_package(8), semodule_expand(8), semodule_link(8) ++(8), ++.SH AUTHORS ++.nf ++This manual page was written by Dan Walsh . 
++The program was written by Karl MacMillan , Joshua Brindle , Jason Tang +diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semodule_expand/Makefile policycoreutils-1.27.30/semodule_expand/Makefile +--- nsapolicycoreutils/semodule_expand/Makefile 2005-10-12 15:25:33.000000000 -0400 ++++ policycoreutils-1.27.30/semodule_expand/Makefile 2005-11-29 16:06:55.000000000 -0500 +@@ -3,6 +3,7 @@ + INCLUDEDIR ?= $(PREFIX)/include + BINDIR ?= $(PREFIX)/bin + LIBDIR ?= ${PREFIX}/lib ++MANDIR ?= $(PREFIX)/share/man + + CFLAGS ?= -Werror -Wall -W + override CFLAGS += -I$(INCLUDEDIR) +@@ -15,6 +16,8 @@ + install: all + -mkdir -p $(BINDIR) + install -m 755 semodule_expand $(BINDIR) ++ test -d $(MANDIR)/man8 || install -m 755 -d $(MANDIR)/man8 ++ install -m 644 semodule_expand.8 $(MANDIR)/man8/ + + relabel: + +diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semodule_expand/semodule_expand.8 policycoreutils-1.27.30/semodule_expand/semodule_expand.8 +--- nsapolicycoreutils/semodule_expand/semodule_expand.8 1969-12-31 19:00:00.000000000 -0500 ++++ policycoreutils-1.27.30/semodule_expand/semodule_expand.8 2005-11-29 15:58:23.000000000 -0500 +@@ -0,0 +1,26 @@ ++.TH SEMODULE_EXPAND "8" "Nov 2005" "Security Enhanced Linux" NSA ++.SH NAME ++semodule_expand \- Manage SELinux policy modules. ++ ++.SH SYNOPSIS ++.B semodule_expand [-V -c [version]] basemodpkg outputfile ++.br ++.SH DESCRIPTION ++.PP ++semodule_expand is the tool used to create a policy file from a base policy module. Tool takes to arguments: The name of the base policy package (usually base.pp) and the name of the policy output file (policy.20). ++ ++.SH "OPTIONS" ++.TP ++.B \-V ++verbose mode ++.TP ++.B \-c [version] ++policy version to create ++ ++.SH SEE ALSO ++.B load_policy(8), semodule_package(8), semodule(8), semodule_link(8) ++(8), ++.SH AUTHORS ++.nf ++This manual page was written by Dan Walsh . 
++The program was written by Karl MacMillan , Joshua Brindle +diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semodule_link/Makefile policycoreutils-1.27.30/semodule_link/Makefile +--- nsapolicycoreutils/semodule_link/Makefile 2005-10-12 15:25:33.000000000 -0400 ++++ policycoreutils-1.27.30/semodule_link/Makefile 2005-11-29 16:06:48.000000000 -0500 +@@ -2,6 +2,7 @@ + PREFIX ?= ${DESTDIR}/usr + INCLUDEDIR ?= $(PREFIX)/include + BINDIR ?= $(PREFIX)/bin ++MANDIR ?= $(PREFIX)/share/man + LIBDIR ?= ${PREFIX}/lib + + CFLAGS ?= -Werror -Wall -W +@@ -15,6 +16,8 @@ + install: all + -mkdir -p $(BINDIR) + install -m 755 semodule_link $(BINDIR) ++ test -d $(MANDIR)/man8 || install -m 755 -d $(MANDIR)/man8 ++ install -m 644 semodule_link.8 $(MANDIR)/man8/ + + relabel: + +diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semodule_link/semodule_link.8 policycoreutils-1.27.30/semodule_link/semodule_link.8 +--- nsapolicycoreutils/semodule_link/semodule_link.8 1969-12-31 19:00:00.000000000 -0500 ++++ policycoreutils-1.27.30/semodule_link/semodule_link.8 2005-11-29 16:04:14.000000000 -0500 +@@ -0,0 +1,27 @@ ++.TH SEMODULE_LINK "8" "Nov 2005" "Security Enhanced Linux" NSA ++.SH NAME ++semodule_link \- Link a group of modules together with a base module ++ ++.SH SYNOPSIS ++.B semodule_link [-V] [-o outfile] basemodpkg modpkg1 [modpkg2]... ++.br ++.SH DESCRIPTION ++.PP ++semodule_link is the tool used to create a policy file from a base policy module. and one of more loadable policy modules: The name of the base policy package (usually base.pp) and the name of the policy output file (policy.20). ++ ++.SH "OPTIONS" ++.TP ++.B \-V ++verbose mode ++.TP ++.B \-o \-\-outfile ++Loadable package Output file + + ++.SH SEE ALSO ++.B load_policy(8), semodule_package(8), semodule(8), semodule_expand(8) ++(8), ++.SH AUTHORS ++.nf ++This manual page was written by Dan Walsh . 
++The program was written by Karl MacMillan +diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semodule_package/Makefile policycoreutils-1.27.30/semodule_package/Makefile +--- nsapolicycoreutils/semodule_package/Makefile 2005-10-12 15:25:33.000000000 -0400 ++++ policycoreutils-1.27.30/semodule_package/Makefile 2005-11-29 16:06:08.000000000 -0500 +@@ -3,6 +3,7 @@ + INCLUDEDIR ?= $(PREFIX)/include + BINDIR ?= $(PREFIX)/bin + LIBDIR ?= ${PREFIX}/lib ++MANDIR ?= $(PREFIX)/share/man + + CFLAGS ?= -Werror -Wall -W + override CFLAGS += -I$(INCLUDEDIR) +@@ -15,6 +16,8 @@ + install: all + -mkdir -p $(BINDIR) + install -m 755 semodule_package $(BINDIR) ++ test -d $(MANDIR)/man8 || install -m 755 -d $(MANDIR)/man8 ++ install -m 644 semodule_package.8 $(MANDIR)/man8/ + + relabel: + +diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semodule_package/semodule_package.8 policycoreutils-1.27.30/semodule_package/semodule_package.8 +--- nsapolicycoreutils/semodule_package/semodule_package.8 1969-12-31 19:00:00.000000000 -0500 ++++ policycoreutils-1.27.30/semodule_package/semodule_package.8 2005-11-29 16:02:13.000000000 -0500 +@@ -0,0 +1,29 @@ ++.TH SEMODULE_PACKAGE "8" "Nov 2005" "Security Enhanced Linux" NSA ++.SH NAME ++semodule_package \- Create loadable policy modules. + -diff --exclude-from=exclude -N -u -r nsapolicycoreutils/sestatus/sestatus.8 policycoreutils-1.27.29/sestatus/sestatus.8 ---- nsapolicycoreutils/sestatus/sestatus.8 2005-09-12 16:33:30.000000000 -0400 -+++ policycoreutils-1.27.29/sestatus/sestatus.8 2005-11-29 00:04:31.000000000 -0500 -@@ -1,10 +1,10 @@ --.TH "sestatus" "8" "2002031409" "" "" -+.TH "sestatus" "8" "2005111103" "" "" - .SH "NAME" - sestatus \- SELinux status tool - - .SH "SYNOPSIS" - .B sestatus --.I [\-v] -+.I [\-v] [\-b] - .P - This tool is used to get the status of a system running SELinux. - -@@ -33,6 +33,10 @@ - Checks the contexts of a files , and a processes listed in the /etc/sestatus.conf file. 
It also checks the context of the target, in cases of - symlinks. - -+.B \-b -+.P -+Display the current state of booleans. ++.SH SYNOPSIS ++.B semodule_package -o -m [-f ] ++.br ++.SH DESCRIPTION ++.PP ++semodule_package is the tool used to create a policy file from a base policy module. Tool takes to arguments: The name of the base policy package (usually base.pp) and the name of the policy output file (policy.20). + - - .SH "FILES" - /etc/sestatus.conf -diff --exclude-from=exclude -N -u -r nsapolicycoreutils/sestatus/sestatus.c policycoreutils-1.27.29/sestatus/sestatus.c ---- nsapolicycoreutils/sestatus/sestatus.c 2005-09-12 16:33:30.000000000 -0400 -+++ policycoreutils-1.27.29/sestatus/sestatus.c 2005-11-29 00:04:31.000000000 -0500 -@@ -178,19 +178,33 @@ - char **bools; - int nbool; - -+ int verbose=0; -+ int show_bools=0; ++.SH "OPTIONS" ++.TP ++.B \-o \-\-outfile ++Loadable package Output file ++.TP ++.B \-m \-\-module ++Module file (te file) ++.TP ++.B \-f \-\-fc ++Policy File contexts file + -+ - /* policy */ - const char *pol_name; - char *pol_path; - -- opt=getopt(argc, argv, "v"); -- if(opt == '?') { -- /* invalid option */ -- printf("\nUsage: %s [OPTION]\n\n", basename(argv[0])); -- printf(" -v Verbose check of process and file contexts.\n"); -- printf("\nWithout options, show SELinux status.\n"); -- return -1; -+ while (1) { -+ opt=getopt(argc, argv, "vb"); -+ if (opt == -1) -+ break; -+ switch (opt) { -+ case 'v': -+ verbose=1; -+ break; -+ case 'b': -+ show_bools=1; -+ break; -+ default: -+ /* invalid option */ -+ printf("\nUsage: %s [OPTION]\n\n", basename(argv[0])); -+ printf(" -v Verbose check of process and file contexts.\n"); -+ printf("\nWithout options, show SELinux status.\n"); -+ return -1; -+ } - } -- - printf_tab("SELinux status:"); - rc=is_selinux_enabled(); - -@@ -266,32 +280,34 @@ - printf("error (%s)\n", strerror(errno)); - } - -- /* show booleans */ -- if(security_get_boolean_names(&bools,&nbool) >= 0) { -- printf("\nPolicy 
booleans:\n"); -- -- for( i=0 ; i COL) -- COL=strlen(bools[i])+1; -- } -- for( i=0 ; i= 0) { -+ printf("\nPolicy booleans:\n"); -+ -+ for( i=0 ; i COL) -+ COL=strlen(bools[i])+1; -+ } -+ for( i=0 ; i. ++The program was written by Karl MacMillan diff --git a/policycoreutils.spec b/policycoreutils.spec index 436bb66..d3e142a 100644 --- a/policycoreutils.spec +++ b/policycoreutils.spec @@ -1,8 +1,8 @@ %define libsepolver 1.9.41-1 -%define libsemanagever 1.3.59-1 +%define libsemanagever 1.3.61-1 Summary: SELinux policy core utilities. Name: policycoreutils -Version: 1.27.29 +Version: 1.27.30 Release: 1 License: GPL Group: System Environment/Base @@ -76,6 +76,10 @@ rm -rf ${RPM_BUILD_ROOT} %{_mandir}/man8/restorecon.8.gz %{_mandir}/man8/sestatus.8.gz %{_mandir}/man8/semanage.8.gz +%{_mandir}/man8/semodule.8.gz +%{_mandir}/man8/semodule_link.8.gz +%{_mandir}/man8/semodule_package.8.gz +%{_mandir}/man8/semodule_expand.8.gz %{_mandir}/man8/setfiles.8.gz %{_mandir}/man8/fixfiles.8.gz %{_mandir}/man8/load_policy.8.gz @@ -91,7 +95,12 @@ rm -rf ${RPM_BUILD_ROOT} %changelog -* Mon Nov 28 2005 Dan Walsh 1.27.29-3 +* Tue Nov 29 2005 Dan Walsh 1.27.30-1 +- Update to match NSA + * Merged sestatus, audit2allow, and semanage patch from Dan Walsh. + * Fixed semodule -v option. + +* Mon Nov 28 2005 Dan Walsh 1.27.29-1 - Update to match NSA * Merged audit2allow python script from Dan Walsh. (old script moved to audit2allow.perl, will be removed later). diff --git a/sources b/sources index 1fe3b3d..56dc8f7 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -6ab0e30653c286b06e12d36ea9203ac8 policycoreutils-1.27.29.tgz +38cdc65c904b41a6ec941b8ef9be25a6 policycoreutils-1.27.30.tgz
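Review bot: In the new semodule.8 OPTIONS list the `-v, --verbose` entry reads `be verbose reset the policy boolean values to the saved policy settings.` — the trailing clause appears to be pasted from another tool's page and, on the page for the utility that loads kernel policy, it tells an administrator that a verbosity flag mutates booleans; it should read just `be verbose`. The new semodule_package.8 has the same copy-paste problem: its DESCRIPTION is identical to semodule_expand.8's (base.pp in, policy.20 out), which contradicts its own SYNOPSIS and `-o` text (`Loadable package Output file`), and `-m` is described as a `te file` although the audit2allow examples removed by this same patch feed it the compiled module from `checkmodule ... -o local.mod` and get `local.pp` back. Suggested wording: `semodule_package combines a compiled policy module (-m, the .mod produced by checkmodule) and an optional file-contexts file (-f) into a loadable policy package (.pp) that semodule(8) can install`, and `Compiled policy module file (.mod)` for -m. Minor: `load_able modules` and the stray `(8),` line under SEE ALSO recur across the four new pages, and `Tool takes to arguments` should read `two`.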