From f6b16765a368655483a8ca09ec8f9477294e72be Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Fri, 31 Aug 2007 19:10:10 +0000 Subject: [PATCH] * Fri Aug 31 2007 Dan Walsh 2.0.25-7 - Lots of fixes for role templates --- policycoreutils-gui.patch | 1343 ++++++++++++++++++++++++------------- policycoreutils.spec | 5 +- 2 files changed, 880 insertions(+), 468 deletions(-) diff --git a/policycoreutils-gui.patch b/policycoreutils-gui.patch index 6dcec47..bbc1ec6 100644 --- a/policycoreutils-gui.patch +++ b/policycoreutils-gui.patch @@ -914,8 +914,8 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/modulesPage.py polic + diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.glade policycoreutils-2.0.25/gui/polgen.glade --- nsapolicycoreutils/gui/polgen.glade 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.25/gui/polgen.glade 2007-08-28 10:01:36.000000000 -0400 -@@ -0,0 +1,2261 @@ ++++ policycoreutils-2.0.25/gui/polgen.glade 2007-08-31 15:06:49.000000000 -0400 +@@ -0,0 +1,2313 @@ + + + @@ -1028,7 +1028,8 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.glade policyc + + + True -+ False ++ True ++ True + True + GTK_POS_TOP + False @@ -1039,12 +1040,12 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.glade policyc + True + GNOME_EDGE_START + SELinux Policy Generation Druid -+ This tool can be used to generate a policy framework, to confine an application or users using SELinux. ++ This tool can be used to generate a policy framework, to confine applications or users using SELinux. + +The tool generates: -+Type Enforcement File (te) ++Type enforcement file (te) +Interface file (if) -+File Context File (fc) ++File context file (fc) +Shell script (sh) - used to compile and install the policy. + + 
@@ -1079,7 +1080,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.glade policyc + + + True -+ Select what you want to confine. ++ Select application or user type that you want to confine. + + + 
@@ -1090,47 +1091,272 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.glade policyc + 6 + + -+ ++ + True + False + 0 + + -+ ++ + True -+ True -+ Confine an application -+ True -+ GTK_RELIEF_NORMAL -+ True -+ True -+ False -+ True ++ 0 ++ 0.5 ++ GTK_SHADOW_NONE ++ ++ ++ ++ True ++ 0.5 ++ 0.5 ++ 1 ++ 1 ++ 0 ++ 0 ++ 12 ++ 0 ++ ++ ++ ++ True ++ False ++ 0 ++ ++ ++ ++ True ++ Standard Init Daemon are daemons started on boot via init scripts. Usually requires a script in /etc/init.d ++ True ++ Standard Init Daemon ++ True ++ GTK_RELIEF_NORMAL ++ True ++ False ++ False ++ True ++ ++ ++ 0 ++ False ++ False ++ ++ ++ ++ ++ ++ True ++ Internet Services Daemon are daemons started by xinetd ++ True ++ Internet Services Daemon (inetd) ++ True ++ GTK_RELIEF_NORMAL ++ True ++ False ++ False ++ True ++ init_radiobutton ++ ++ ++ 0 ++ False ++ False ++ ++ ++ ++ ++ ++ True ++ Web Applications/Script (CGI) CGI scripts started by the web server (apache) ++ True ++ Web Application/Script (CGI) ++ True ++ GTK_RELIEF_NORMAL ++ True ++ False ++ False ++ True ++ init_radiobutton ++ ++ ++ 0 ++ False ++ False ++ ++ ++ ++ ++ ++ True ++ User Application are any application that you would like to confine that is started by a user ++ True ++ User Application ++ True ++ GTK_RELIEF_NORMAL ++ True ++ False ++ False ++ True ++ init_radiobutton ++ ++ ++ 0 ++ False ++ False ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ True ++ <b>Applications</b> ++ False ++ True ++ GTK_JUSTIFY_LEFT ++ False ++ False ++ 0.5 ++ 0.5 ++ 0 ++ 0 ++ PANGO_ELLIPSIZE_NONE ++ -1 ++ False ++ 0 ++ ++ ++ label_item ++ ++ + + + 0 -+ False -+ False ++ True ++ True + + + + -+ ++ + True -+ True -+ Confine a user -+ True -+ GTK_RELIEF_NORMAL -+ True -+ False -+ False -+ True -+ confine_application_radiobutton ++ 0 ++ 0.5 ++ GTK_SHADOW_NONE ++ ++ ++ ++ True ++ 0.5 ++ 0.5 ++ 1 ++ 1 ++ 0 ++ 0 ++ 12 ++ 0 ++ ++ ++ ++ True ++ False ++ 0 ++ ++ ++ ++ True ++ Select XWindows login user, if this is a user who will login to a machine via X 
++ True ++ XWindows Login User ++ True ++ GTK_RELIEF_NORMAL ++ True ++ False ++ False ++ True ++ init_radiobutton ++ ++ ++ 0 ++ False ++ False ++ ++ ++ ++ ++ ++ True ++ Select Terminal Login User, if this user will login to a machine only via a terminal or remote login ++ True ++ Terminal Login User ++ True ++ GTK_RELIEF_NORMAL ++ True ++ False ++ False ++ True ++ init_radiobutton ++ ++ ++ 0 ++ False ++ False ++ ++ ++ ++ ++ ++ True ++ Select Root User, if this user will be used to administer the machine while running as root. This user will not be able to login to the system directly. ++ True ++ Root User ++ True ++ GTK_RELIEF_NORMAL ++ True ++ False ++ False ++ True ++ init_radiobutton ++ ++ ++ 0 ++ False ++ False ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ True ++ <b>Users</b> ++ False ++ True ++ GTK_JUSTIFY_LEFT ++ False ++ False ++ 0.5 ++ 0.5 ++ 0 ++ 0 ++ PANGO_ELLIPSIZE_NONE ++ -1 ++ False ++ 0 ++ ++ ++ label_item ++ ++ + + + 0 -+ False -+ False ++ True ++ True + + + 
@@ -1173,193 +1399,6 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.glade policyc + + + -+ -+ True -+ Name and Type of user to confine. -+ -+ -+ -+ 16 -+ True -+ False -+ 6 -+ -+ -+ -+ True -+ False -+ 0 -+ -+ -+ -+ True -+ False -+ 0 -+ -+ -+ -+ True -+ Select login user, if this is a user who will login to a machine directly -+ True -+ XWindows Login User -+ True -+ GTK_RELIEF_NORMAL -+ True -+ False -+ False -+ True -+ -+ -+ 0 -+ False -+ False -+ -+ -+ -+ -+ -+ True -+ Select login user, if this is a user who will login to a machine directly -+ True -+ Terminal Login User -+ True -+ GTK_RELIEF_NORMAL -+ True -+ False -+ False -+ True -+ xwindows_login_user_radiobutton -+ -+ -+ 10 -+ False -+ False -+ -+ -+ -+ -+ -+ True -+ True -+ Root User -+ True -+ GTK_RELIEF_NORMAL -+ True -+ False -+ False -+ True -+ xwindows_login_user_radiobutton -+ -+ -+ 10 -+ False -+ False -+ -+ -+ -+ -+ 0 -+ False -+ False -+ -+ -+ -+ -+ -+ True -+ False -+ 0 -+ -+ -+ -+ True -+ Name -+ False -+ False -+ GTK_JUSTIFY_LEFT -+ False -+ False -+ 0 -+ 0.5 -+ 0 -+ 0 -+ PANGO_ELLIPSIZE_NONE -+ -1 -+ False -+ 0 -+ -+ -+ 5 -+ False -+ False -+ -+ -+ -+ -+ -+ True -+ True -+ True -+ True -+ 0 -+ -+ True -+ -+ False -+ -+ -+ 0 -+ True -+ True -+ -+ -+ -+ -+ 0 -+ False -+ True -+ -+ -+ -+ -+ 0 -+ True -+ True -+ -+ -+ -+ -+ -+ -+ False -+ True -+ -+ -+ -+ -+ -+ True -+ label27 -+ False -+ False -+ GTK_JUSTIFY_LEFT -+ False -+ False -+ 0.5 -+ 0.5 -+ 0 -+ 0 -+ PANGO_ELLIPSIZE_NONE -+ -1 -+ False -+ 0 -+ -+ -+ tab -+ -+ -+ -+ + + True + Name of application to be confined @@ -1374,7 +1413,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.glade policyc + + + True -+ 2 ++ 3 + 3 + False + 0 @@ -1411,7 +1450,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.glade policyc + + + True -+ Enter path to executable to be confined. ++ Enter complete path for executable to be confined. + True + True + True 
@@ -1431,7 +1470,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.glade policyc + + + -+ ++ + True + True + ... @@ -1453,7 +1492,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.glade policyc + + + True -+ Enter unique policy type name for confined application. ++ Enter unique type name for the confined user or application. + True + True + True @@ -1499,6 +1538,76 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.glade policyc + + + ++ ++ ++ ++ True ++ Init script ++ False ++ False ++ GTK_JUSTIFY_LEFT ++ False ++ False ++ 0 ++ 0.5 ++ 0 ++ 0 ++ PANGO_ELLIPSIZE_NONE ++ -1 ++ False ++ 0 ++ ++ ++ 0 ++ 1 ++ 2 ++ 3 ++ fill ++ ++ ++ ++ ++ ++ ++ True ++ Enter complete path to init script used to start the confined application. ++ True ++ True ++ True ++ 0 ++ ++ True ++ ++ False ++ ++ ++ 1 ++ 2 ++ 2 ++ 3 ++ ++ ++ ++ ++ ++ ++ True ++ True ++ ... ++ True ++ GTK_RELIEF_NORMAL ++ True ++ ++ ++ ++ 2 ++ 3 ++ 2 ++ 3 ++ fill ++ ++ ++ + + + 0 @@ -1541,15 +1650,15 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.glade policyc + + + True -+ Select Application Transitions for this domain -+ ++ Select additional user domain(s) for transition ++ + + + 16 + True + False + 6 -+ ++ + + + True @@ -1558,11 +1667,11 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.glade policyc + GTK_POLICY_ALWAYS + GTK_SHADOW_IN + GTK_CORNER_TOP_LEFT -+ ++ + + + True -+ Select the applications that you would like this domain to transition to. ++ Select the applications domains that you would like this user to transition to. + True + False + False @@ -1583,6 +1692,10 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.glade policyc + + + ++ ++ False ++ True ++ + + + 
@@ -1609,100 +1722,39 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.glade policyc + + + -+ ++ + True -+ Application Type ++ Select the domain(s) that this user will administer + + -+ ++ + 16 + True + False + 6 + + -+ ++ + True -+ False -+ 0 ++ True ++ GTK_POLICY_ALWAYS ++ GTK_POLICY_ALWAYS ++ GTK_SHADOW_IN ++ GTK_CORNER_TOP_LEFT + + -+ ++ + True ++ Select the domains that you would like this user administer. + True -+ Standard Init Daemon -+ True -+ GTK_RELIEF_NORMAL -+ True -+ False -+ False -+ True ++ False ++ False ++ False ++ True ++ False ++ False ++ False + -+ -+ 0 -+ False -+ False -+ -+ -+ -+ -+ -+ True -+ True -+ Internet Services Daemon (inetd) -+ True -+ GTK_RELIEF_NORMAL -+ True -+ False -+ False -+ True -+ init_radiobutton -+ -+ -+ 0 -+ False -+ False -+ -+ -+ -+ -+ -+ True -+ True -+ Web Application/Script (CGI) -+ True -+ GTK_RELIEF_NORMAL -+ True -+ False -+ False -+ True -+ init_radiobutton -+ -+ -+ 0 -+ False -+ False -+ -+ -+ -+ -+ -+ True -+ True -+ User Application -+ True -+ GTK_RELIEF_NORMAL -+ True -+ False -+ False -+ True -+ init_radiobutton -+ -+ -+ 0 -+ False -+ False -+ + + + @@ -1721,9 +1773,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.glade policyc + + + -+ ++ + True -+ label29 ++ label30 + False + False + GTK_JUSTIFY_LEFT @@ -1789,7 +1841,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.glade policyc + + + True -+ Allows confined application to bind to any port ++ Allows confined application/user to bind to any tcp port + True + All + True @@ -1829,7 +1881,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.glade policyc + + + True -+ Any non defined ports > 1024 ++ Allow application/user to bind to any tcp ports > 1024 + True + Unreserved Ports (> 1024) + True 
@@ -1979,7 +2031,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.glade policyc + + + True -+ Allows confined application to bind to any port ++ Allows confined application/user to bind to any udp port + True + All + True @@ -1999,7 +2051,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.glade policyc + + + True -+ Use this checkbutton if your app calls bindresvport with 0. ++ Allow application/user to call bindresvport with 0. Binding to port 600-1024 + True + 600-1024 + True @@ -2019,7 +2071,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.glade policyc + + + True -+ Any non defined ports > 1024 ++ Allows application/user to bind to any udp ports > 1024 + True + Unreserved Ports (>1024) + True @@ -2144,9 +2196,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.glade policyc + + + -+ ++ + True -+ label30 ++ label31 + False + False + GTK_JUSTIFY_LEFT @@ -2268,7 +2320,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.glade policyc + + + True -+ Enter a comma separated list of udp ports that this application connects to. ++ Enter a comma separated list of udp ports that this application/user connects to. + True + True + True @@ -2400,7 +2452,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.glade policyc + + + True -+ Enter a comma separated list of udp ports that this application connects to. ++ Enter a comma separated list of udp ports that this application/user connects to. + True + True + True @@ -2460,9 +2512,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.glade policyc + + + -+ ++ + True -+ label31 ++ label32 + False + False + GTK_JUSTIFY_LEFT @@ -2592,9 +2644,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.glade policyc + + + -+ ++ + True -+ label32 ++ label33 + False + False + GTK_JUSTIFY_LEFT 
@@ -2922,9 +2974,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.glade policyc + + + -+ ++ + True -+ label33 ++ label34 + False + False + GTK_JUSTIFY_LEFT @@ -3038,9 +3090,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.glade policyc + + + -+ ++ + True -+ label34 ++ label35 + False + False + GTK_JUSTIFY_LEFT @@ -3078,9 +3130,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.glade policyc + + + -+ ++ + True -+ label35 ++ + False + False + GTK_JUSTIFY_LEFT @@ -3179,8 +3231,8 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.glade policyc + diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgengui.py policycoreutils-2.0.25/gui/polgengui.py --- nsapolicycoreutils/gui/polgengui.py 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.25/gui/polgengui.py 2007-08-28 15:23:13.000000000 -0400 -@@ -0,0 +1,407 @@ ++++ policycoreutils-2.0.25/gui/polgengui.py 2007-08-31 15:06:45.000000000 -0400 +@@ -0,0 +1,444 @@ +#!/usr/bin/python +# +# system-config-selinux.py - GUI for SELinux Config tool in system-config-selinux 
@@ -3262,24 +3314,25 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgengui.py policyc + +FILE = 1 +DIR = 2 ++ +class childWindow: + START_PAGE = 0 + SELECT_TYPE_PAGE = 1 -+ USER_PAGE = 2 -+ APP_PAGE = 3 -+ TRANSITION_PAGE = 4 -+ APP_TYPE_PAGE = 5 -+ IN_NET_PAGE = 6 -+ OUT_NET_PAGE = 7 -+ COMMON_APPS_PAGE = 8 -+ FILES_PAGE = 9 -+ GEN_POLCIY_PAGE = 10 -+ FINISH_PAGE = 11 ++ APP_PAGE = 2 ++ TRANSITION_PAGE = 3 ++ ADMIN_PAGE = 4 ++ IN_NET_PAGE = 5 ++ OUT_NET_PAGE = 6 ++ COMMON_APPS_PAGE = 7 ++ FILES_PAGE = 8 ++ GEN_POLICY_PAGE = 9 ++ FINISH_PAGE = 10 + + def __init__(self): + self.xml = xml + xml.signal_connect("on_delete_clicked", self.delete) + xml.signal_connect("on_exec_select_clicked", self.exec_select) ++ xml.signal_connect("on_init_script_select_clicked", self.init_script_select) + xml.signal_connect("on_add_clicked", self.add) + xml.signal_connect("on_add_dir_clicked", self.add_dir) + xml.signal_connect("on_about_clicked", self.on_about_clicked) 
@@ -3289,13 +3342,14 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgengui.py policyc + self.back_button = xml.get_widget ("back_button") + self.back_button.connect("clicked",self.back) + -+ self.confine_application = xml.get_widget ("confine_application_radiobutton") -+ + self.notebook = xml.get_widget ("notebook1") + self.pages={} -+ self.pages[0] = [ self.START_PAGE, self.SELECT_TYPE_PAGE, self.USER_PAGE, self.TRANSITION_PAGE, self.IN_NET_PAGE, self.OUT_NET_PAGE, self.GEN_POLCIY_PAGE, self.FINISH_PAGE] -+ -+ self.pages[1] = [ self.START_PAGE, self.SELECT_TYPE_PAGE, self.APP_PAGE, self.APP_TYPE_PAGE, self.IN_NET_PAGE, self.OUT_NET_PAGE, self.COMMON_APPS_PAGE, self.FILES_PAGE,self.GEN_POLCIY_PAGE, self.FINISH_PAGE ] ++ for i in polgen.USERS: ++ self.pages[i] = [ self.START_PAGE, self.SELECT_TYPE_PAGE, self.APP_PAGE, self.TRANSITION_PAGE, self.IN_NET_PAGE, self.OUT_NET_PAGE, self.GEN_POLICY_PAGE, self.FINISH_PAGE] ++ self.pages[polgen.RUSER] = [ self.START_PAGE, self.SELECT_TYPE_PAGE, self.APP_PAGE, self.ADMIN_PAGE, self.IN_NET_PAGE, self.OUT_NET_PAGE, self.GEN_POLICY_PAGE, self.FINISH_PAGE] ++ for i in polgen.APPLICATIONS: ++ self.pages[i] = [ self.START_PAGE, self.SELECT_TYPE_PAGE, self.APP_PAGE, self.IN_NET_PAGE, self.OUT_NET_PAGE, self.COMMON_APPS_PAGE, self.FILES_PAGE,self.GEN_POLICY_PAGE, self.FINISH_PAGE ] ++ + self.current_page = 0 + self.back_button.set_sensitive(0) + 
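Review bot: The `for i in polgen.USERS` loop assigns a page list to polgen.RUSER that the very next statement overwrites, so the loop reads as if root users were meant to get the TRANSITION_PAGE flow. Iterating only the login users, `for i in (polgen.XUSER, polgen.TUSER):`, or moving the RUSER line first with a comment such as `# root user picks domains to administer instead of transition targets` makes the intent explicit. __init__ continues outside the hunk.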
@@ -3336,29 +3390,49 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgengui.py policyc + self.transition_store.set_sort_column_id(0, gtk.SORT_ASCENDING) + col = gtk.TreeViewColumn(_("Application"), gtk.CellRendererText(), text = 0) + self.transition_treeview.append_column(col) ++ ++ ++ self.admin_treeview = self.xml.get_widget("admin_treeview") ++ self.admin_store = gtk.ListStore(gobject.TYPE_STRING) ++ self.admin_treeview.set_model(self.admin_store) ++ self.admin_treeview.get_selection().set_mode(gtk.SELECTION_MULTIPLE) ++ self.admin_store.set_sort_column_id(0, gtk.SORT_ASCENDING) ++ col = gtk.TreeViewColumn(_("Application"), gtk.CellRendererText(), text = 0) ++ self.admin_treeview.append_column(col) ++ + # List of per_role_template interfaces + ifs = interfaces.InterfaceSet() + ifs.from_file(fd) + fd.close() + for i in ifs.interfaces.keys(): -+ m = re.findall("(.*)_per_role_template", i) ++ m = re.findall("(.*)%s" % polgen.USER_TRANSITION_INTERFACE, i) + if len(m) > 0: + iter = self.transition_store.append() + self.transition_store.set_value(iter, 0, m[0]) ++ continue ++ ++ m = re.findall("(.*)%s" % polgen.ADMIN_TRANSITION_INTERFACE, i) ++ if len(m) > 0: ++ iter = self.admin_store.append() ++ self.admin_store.set_value(iter, 0, m[0]) ++ continue ++ ++ def confine_application(self): ++ return self.get_type() in polgen.APPLICATIONS + + def forward(self, arg): -+ type = self.confine_application.get_active() ++ type = self.get_type() + if self.current_page == self.START_PAGE: + self.back_button.set_sensitive(1) + ++ if self.pages[type][self.current_page] == self.SELECT_TYPE_PAGE: ++ if self.on_select_type_page_next(): ++ return ++ + if self.pages[type][self.current_page] == self.APP_PAGE: + if self.on_name_page_next(): + return + -+ if self.pages[type][self.current_page] == self.USER_PAGE: -+ if self.on_user_page_next(): -+ return -+ + if self.pages[type][self.current_page] == self.FINISH_PAGE: + self.generate_policy() + else: 
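Review bot: The new admin_treeview reuses the column title `_("Application")` copied from the transition treeview, although the glade tooltip added in this same patch says it lists the domains the root user will administer; `col = gtk.TreeViewColumn(_("Domain"), gtk.CellRendererText(), text = 0)` describes the content and avoids two identically labelled lists. The interface-scanning loop below it also deserves a one-line comment, e.g. `# interfaces ending in _per_role_template feed the transition list, those ending in _admin the admin list`, since the suffixes are hidden behind the polgen constants. __init__ and forward() both extend past the hunk.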
@@ -3368,7 +3442,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgengui.py policyc + self.forward_button.set_label(gtk.STOCK_APPLY) + + def back(self,arg): -+ type = self.confine_application.get_active() ++ type = self.confine_application() + if self.pages[type][self.current_page] == self.FINISH_PAGE: + self.forward_button.set_label(gtk.STOCK_GO_FORWARD) + @@ -3412,28 +3486,23 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgengui.py policyc + dlg.destroy() + + def get_name(self): -+ if self.confine_application.get_active(): -+ return self.name_entry.get_text() -+ else: -+ return self.user_entry.get_text() ++ return self.name_entry.get_text() + + def get_type(self): -+ if self.confine_application.get_active(): -+ if self.cgi_radiobutton.get_active(): -+ return polgen.policy.CGI -+ if self.user_radiobutton.get_active(): -+ return polgen.policy.USER -+ if self.init_radiobutton.get_active(): -+ return polgen.policy.DAEMON -+ if self.inetd_radiobutton.get_active(): -+ return polgen.policy.INETD -+ else: -+ if self.xwindows_login_user_radiobutton.get_active(): -+ return polgen.policy.XUSER -+ if self.terminal_login_user_radiobutton.get_active(): -+ return polgen.policy.TUSER -+ if self.root_user_radiobutton.get_active(): -+ return polgen.policy.RUSER ++ if self.cgi_radiobutton.get_active(): ++ return polgen.CGI ++ if self.user_radiobutton.get_active(): ++ return polgen.USER ++ if self.init_radiobutton.get_active(): ++ return polgen.DAEMON ++ if self.inetd_radiobutton.get_active(): ++ return polgen.INETD ++ if self.xwindows_login_user_radiobutton.get_active(): ++ return polgen.XUSER ++ if self.terminal_login_user_radiobutton.get_active(): ++ return polgen.TUSER ++ if self.root_user_radiobutton.get_active(): ++ return polgen.RUSER + + def generate_policy(self, *args): + try: 
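Review bot: back() now keys self.pages with `type = self.confine_application()`, which is a bool, whereas forward() and the pages dict built in __init__ use the integer type from get_type(); True and False resolve to the INETD and DAEMON page lists, so stepping back in a user-confinement flow (which has TRANSITION_PAGE or ADMIN_PAGE instead of COMMON_APPS_PAGE/FILES_PAGE) follows the wrong sequence and skips or repeats pages. Use the same key as forward(): `type = self.get_type()`. The body of back() continues outside the hunk.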
@@ -3442,17 +3511,22 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgengui.py policyc + my_policy.set_in_udp(self.in_udp_all_checkbutton.get_active(), self.in_udp_reserved_checkbutton.get_active(), self.in_udp_unreserved_checkbutton.get_active(), self.in_udp_entry.get_text()) + my_policy.set_out_tcp(self.out_tcp_all_checkbutton.get_active(), self.out_tcp_entry.get_text()) + my_policy.set_out_udp(self.out_udp_all_checkbutton.get_active(), self.out_udp_entry.get_text()) -+ if self.get_type() in my_policy.APPLICATIONS: ++ if self.get_type() in polgen.APPLICATIONS: + my_policy.set_program(self.exec_entry.get_text()) + my_policy.set_use_syslog(self.syslog_checkbutton.get_active() == 1) + my_policy.set_use_tmp(self.tmp_checkbutton.get_active() == 1) + my_policy.set_use_uid(self.uid_checkbutton.get_active() == 1) + my_policy.set_use_pam(self.pam_checkbutton.get_active() == 1) ++ my_policy.set_init_script(self.exec_entry.get_text()) + else: -+ selected = [] -+ self.transition_treeview.get_selection().selected_foreach(foreach, selected) -+ my_policy.set_transition_apps(selected) -+ ++ if self.get_type() == polgen.RUSER: ++ selected = [] ++ self.admin_treeview.get_selection().selected_foreach(foreach, selected) ++ my_policy.set_admin_domains(selected) ++ else: ++ selected = [] ++ self.transition_treeview.get_selection().selected_foreach(foreach, selected) ++ my_policy.set_transition_domains(selected) + + iter= self.store.get_iter_first() + while(iter): 
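Review bot: generate_policy takes the init script from the wrong widget and sets it for every application type: `my_policy.set_init_script(self.exec_entry.get_text())` passes the executable path, and set_init_script in polgen.py (also in this patch) raises ValueError for any type other than DAEMON, so generating an INETD, USER or CGI policy will now fail, while a DAEMON policy would emit its executable a second time under the init-script file context. Read the dedicated entry and gate on the type: `if self.get_type() == polgen.DAEMON:` / `    my_policy.set_init_script(self.init_script_entry.get_text())`. The try block enclosing these calls begins outside the hunk.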
@@ -3487,12 +3561,24 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgengui.py policyc + self.file_dialog.set_select_multiple(0) + self.file_dialog.set_title(_("Select executable file to be confined.")) + self.file_dialog.set_action(gtk.FILE_CHOOSER_ACTION_SAVE) ++ self.file_dialog.set_current_folder("/usr/sbin") + rc = self.file_dialog.run() + self.file_dialog.hide() + if rc == gtk.RESPONSE_CANCEL: + return + self.exec_entry.set_text(self.file_dialog.get_filename()) + ++ def init_script_select(self, args): ++ self.file_dialog.set_select_multiple(0) ++ self.file_dialog.set_title(_("Select init script file to be confined.")) ++ self.file_dialog.set_action(gtk.FILE_CHOOSER_ACTION_SAVE) ++ self.file_dialog.set_current_folder("/etc/init.d") ++ rc = self.file_dialog.run() ++ self.file_dialog.hide() ++ if rc == gtk.RESPONSE_CANCEL: ++ return ++ self.init_script_entry.set_text(self.file_dialog.get_filename()) ++ + def add(self, args): + self.file_dialog.set_title(_("Select file(s) that confined application creates or writes")) + self.file_dialog.set_select_multiple(1) @@ -3518,9 +3604,11 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgengui.py policyc + self.mainWindow = self.xml.get_widget("main_window") + self.druid = self.xml.get_widget("druid") + self.type = 0 -+ self.user_entry = self.xml.get_widget("user_entry") + self.name_entry = self.xml.get_widget("name_entry") + self.exec_entry = self.xml.get_widget("exec_entry") ++ self.exec_button = self.xml.get_widget("exec_button") ++ self.init_script_entry = self.xml.get_widget("init_script_entry") ++ self.init_script_button = self.xml.get_widget("init_script_button") + self.output_entry = self.xml.get_widget("output_entry") + self.output_entry.set_text(os.getcwd()) + self.xml.get_widget("output_button").connect("clicked",self.output_button_clicked) 
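Review bot: init_script_select, like exec_select just above it, configures the chooser with `gtk.FILE_CHOOSER_ACTION_SAVE` even though its job is to pick an existing file: a SAVE chooser lets the user type a name that does not exist and asks about overwriting, which is misleading for a path that is only going to be written into a file-context spec. `self.file_dialog.set_action(gtk.FILE_CHOOSER_ACTION_OPEN)` in both helpers matches the intent. The title `_("Select init script file to be confined.")` is also slightly off, since the script is labelled rather than confined; `_("Select init script used to start the confined application.")` would be clearer.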
@@ -3557,23 +3645,24 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgengui.py policyc + return + self.output_entry.set_text(self.file_dialog.get_filename()) + ++ def on_select_type_page_next(self, *args): ++ self.exec_entry.set_sensitive(self.confine_application()) ++ self.exec_button.set_sensitive(self.confine_application()) ++ self.init_script_entry.set_sensitive(self.init_radiobutton.get_active()) ++ self.init_script_button.set_sensitive(self.init_radiobutton.get_active()) ++ + def on_name_page_next(self, *args): + name=self.name_entry.get_text() + if name == "": + self.error(_("You must enter a name")) + return True + -+ exe = self.exec_entry.get_text() -+ if exe == "": -+ self.error(_("You must enter a executable")) -+ return True -+ -+ def on_user_page_next(self, *args): -+ name=self.user_entry.get_text() -+ if name == "": -+ self.error(_("You must enter a name")) -+ return True -+ ++ if self.confine_application(): ++ exe = self.exec_entry.get_text() ++ if exe == "": ++ self.error(_("You must enter a executable")) ++ return True ++ + def stand_alone(self): + desktopName = _("Configue SELinux") + @@ -3590,8 +3679,8 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgengui.py policyc + app.stand_alone() diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.py policycoreutils-2.0.25/gui/polgen.py --- nsapolicycoreutils/gui/polgen.py 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.25/gui/polgen.py 2007-08-28 10:01:32.000000000 -0400 -@@ -0,0 +1,560 @@ ++++ policycoreutils-2.0.25/gui/polgen.py 2007-08-31 15:06:41.000000000 -0400 +@@ -0,0 +1,656 @@ +# Copyright (C) 2007 Red Hat +# see file 'COPYING' for use and warranty information +# 
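Review bot: on_name_page_next only rejects an empty executable, yet the value is copied verbatim into the .fc spec as a path, so a relative path or one with stray whitespace passes the page and silently produces a spec that never labels the binary; for daemons the init-script entry is not validated at all. After the empty check add `if not os.path.isabs(exe): self.error(_("Enter the complete path to the executable")); return True` (os is already used by this file, see os.getcwd() in the widget setup), and apply the same test to `self.init_script_entry.get_text()` when the init radio button is active and the entry is non-empty. The hunk ends inside stand_alone(), which continues past it.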
@@ -3648,17 +3737,20 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.py policycore +RESERVED = 1 +UNRESERVED = 2 +PORTS = 3 ++ADMIN_TRANSITION_INTERFACE = "_admin$" ++USER_TRANSITION_INTERFACE = "_per_role_template$" ++ ++DAEMON = 0 ++INETD = 1 ++USER = 2 ++CGI = 3 ++XUSER = 4 ++TUSER = 5 ++RUSER = 6 ++APPLICATIONS = [ DAEMON, INETD, USER, CGI ] ++USERS = [ XUSER, TUSER, RUSER ] + +class policy: -+ DAEMON = 0 -+ INETD = 1 -+ USER = 2 -+ CGI = 3 -+ XUSER = 4 -+ TUSER = 5 -+ RUSER = 6 -+ APPLICATIONS = [ DAEMON, INETD, USER, CGI ] -+ USERS = [ XUSER, TUSER, RUSER ] + + def __init__(self, name, type): + ports = seobject.portRecords() @@ -3675,13 +3767,14 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.py policycore + self.DEFAULT_TYPES = (( self.generate_daemon_types, self.generate_daemon_rules), ( self.generate_inetd_types, self.generate_inetd_rules), ( self.generate_userapp_types, self.generate_userapp_rules), ( self.generate_cgi_types, self.generate_cgi_rules), ( self.generate_x_login_user_types, self.generate_x_login_user_rules), ( self.generate_login_user_types, self.generate_login_user_rules), ( self.generate_root_user_types, self.generate_root_user_rules)) + if name == "": + raise ValueError(_("You must enter a name for your confined process")) -+ if type == self.CGI: ++ if type == CGI: + self.name = "httpd_%s_script" % name + else: + self.name = name + self.file_name = name + + self.type = type ++ self.initscript = "" + self.program = "" + self.in_tcp = [False, False, False, []] + self.in_udp = [False, False, False, []] 
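Review bot: policy.__init__ still validates the name only against the empty string, but the name is substituted into every te/if/fc template via re.sub (where a backslash is parsed as a replacement escape) and, through file_name, into the output paths built as `"%s/%s.fc" % (out_dir, self.file_name)` later in this patch; a name containing spaces, regex metacharacters, a slash or `..` therefore yields unparseable policy or files written outside out_dir. Next to the existing check add `if not re.match(r"^[A-Za-z][A-Za-z0-9_]*$", name): raise ValueError(_("Name must consist of letters, digits and underscores"))` — re is already imported by polgen.py. __init__ continues beyond the hunk.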
@@ -3697,13 +3790,17 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.py policycore + self.found_udp_ports=[] + self.need_tcp_type=False + self.need_udp_type=False -+ self.transitions = [] ++ self.admin_domains = [] ++ self.transition_domains = [] + + def __isnetset(self, l): + return l[ALL] or l[RESERVED] or l[UNRESERVED] or len(l[PORTS]) > 0 + -+ def set_transition_apps(self, transitions): -+ self.transitions = transitions ++ def set_admin_domains(self, admin_domains): ++ self.admin_domains = admin_domains ++ ++ def set_transition_domains(self, transition_domains): ++ self.transition_domains = transition_domains + + def use_in_udp(self): + return self.__isnetset(self.in_udp) @@ -3748,11 +3845,17 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.py policycore + raise ValueError(_("Ports must be be numbers from 1 to %d " % max_port )) + + def set_program(self, program): -+ if self.type in self.APPLICATIONS: ++ if self.type not in APPLICATIONS: + raise ValueError(_("USER Types are not allowed executables")) + + self.program = program + ++ def set_init_script(self, initscript): ++ if self.type != DAEMON: ++ raise ValueError(_("Only DAEMON apps can use an init script")) ++ ++ self.initscript = initscript ++ + def set_in_tcp(self, all, reserved, unreserved, ports): + self.in_tcp = [ all, reserved, unreserved, self.__verify_ports(ports)] + 
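Review bot: set_init_script (and set_program above it) accepts any string, although the value is later emitted verbatim as the path field of the .fc spec, so a relative path silently yields a context that never matches; the GUI is not the only caller, since the __main__ block in this patch calls these setters directly. A library-level guard keeps every caller honest: `if initscript != "" and not os.path.isabs(initscript): raise ValueError(_("Init script path must be absolute"))`, with the same check in set_program; os is already imported by this module (os.path.exists is used in generate_if).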
@@ -3772,29 +3875,19 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.py policycore + self.use_syslog = val + + def set_use_pam(self, val): -+ if val != True and val != False: -+ raise ValueError(_("use_pam must be a boolean value ")) -+ -+ self.use_pam = val ++ self.use_pam = val == True + + def set_use_tmp(self, val): -+ if self.type in self.APPLICATIONS: ++ if self.type not in APPLICATIONS: + raise ValueError(_("USER Types autoomatically get a tmp type")) + -+ if val == True: ++ if val: + self.DEFAULT_DIRS["tmp"][1].append("/tmp"); -+ return -+ if val == False: ++ else: + self.DEFAULT_DIRS["tmp"][1]=[] -+ return -+ raise ValueError(_("use_tmp must be a boolean value ")) -+ + + def set_use_uid(self, val): -+ if val != True and val != False: -+ raise ValueError(_("use_uid must be a boolean value ")) -+ -+ self.use_uid = val ++ self.use_uid = val == True + + def generate_uid_rules(self): + if self.use_uid: 
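Review bot: set_use_tmp appends "/tmp" to DEFAULT_DIRS["tmp"][1] on every True call, so calling it twice leaves duplicate entries that are then iterated by the fc/if generators; assigning makes it idempotent: `self.DEFAULT_DIRS["tmp"][1] = ["/tmp"] if val else []`. Nothing in this hunk updates self.use_tmp either, while generate_tmp_types (context in a later hunk) branches on `if self.use_tmp:` — if __init__ is the only place that assigns it, the tmp type rules are never emitted, which is worth confirming and, if so, fixing with `self.use_tmp = bool(val)` here. The relaxed `val == True` in set_use_pam and set_use_uid also silently turns a non-boolean such as "yes" into False, which the removed ValueError used to flag; `bool(val)` or keeping the check would be more predictable.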
@@ -3922,10 +4015,33 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.py policycore + + def generate_transition_rules(self): + newte = "" -+ for app in self.transitions: ++ for app in self.transition_domains: + tmp = re.sub("TEMPLATETYPE", self.name, user.te_transition_rules) + newte += re.sub("APPLICATION", app, tmp) + return newte ++ ++ def generate_admin_rules(self): ++ newte = "" ++ for app in self.admin_domains: ++ tmp = re.sub("TEMPLATETYPE", self.name, user.te_admin_rules) ++ newte += re.sub("APPLICATION", app, tmp) ++ return newte ++ ++ def generate_admin_if(self): ++ newif = "" ++ if self.initscript != "": ++ newif += re.sub("TEMPLATETYPE", self.name, executable.if_initscript_admin) ++ for d in self.DEFAULT_DIRS: ++ if len(self.DEFAULT_DIRS[d][1]) > 0: ++ newif += re.sub("TEMPLATETYPE", self.name, self.DEFAULT_DIRS[d][2].if_admin_rules) ++ ++ if newif != "": ++ ret = re.sub("TEMPLATETYPE", self.name, executable.if_begin_admin) ++ ret += newif ++ ret += re.sub("TEMPLATETYPE", self.name, executable.if_end_admin) ++ return ret ++ ++ return "" + + def generate_cgi_types(self): + return re.sub("TEMPLATETYPE", self.file_name, executable.te_cgi_types) @@ -3946,7 +4062,10 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.py policycore + return re.sub("TEMPLATETYPE", self.name, user.te_root_user_types) + + def generate_daemon_types(self): -+ return re.sub("TEMPLATETYPE", self.name, executable.te_daemon_types) ++ newte = re.sub("TEMPLATETYPE", self.name, executable.te_daemon_types) ++ if self.initscript != "": ++ newte += re.sub("TEMPLATETYPE", self.name, executable.te_initscript_types) ++ return newte + + def generate_tmp_types(self): + if self.use_tmp: 
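Review bot: generate_admin_if has no docstring, and the contract it implements is easy to miss: it emits an admin interface only when an init script or at least one DEFAULT_DIRS entry exists, and its output is what polgengui's admin_treeview later discovers by matching interface names against ADMIN_TRANSITION_INTERFACE ("_admin$"), so the if_begin_admin template presumably has to produce a name with that suffix. A short docstring saying so — "Return the TEMPLATETYPE_admin interface (init script and per-directory admin rules), or an empty string when there is nothing to administer; the interface name must end in _admin for the GUI to list it" — would keep the two sides from drifting. generate_daemon_types deserves a similar one-liner, since it now silently depends on set_init_script having been called before generate().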
@@ -3958,7 +4077,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.py policycore + return re.sub("TEMPLATETYPE", self.name, executable.te_cgi_types) + + def generate_daemon_rules(self): -+ return re.sub("TEMPLATETYPE", self.name, executable.te_daemon_rules) ++ newif = re.sub("TEMPLATETYPE", self.name, executable.te_daemon_rules) ++ ++ return newif + + def generate_login_user_rules(self): + return re.sub("TEMPLATETYPE", self.name, user.te_login_user_rules) @@ -3988,7 +4109,11 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.py policycore + return newte + + def generate_if(self): -+ newif = re.sub("TEMPLATETYPE", self.name, executable.if_rules) ++ newif = "" ++ if self.program: ++ newif += re.sub("TEMPLATETYPE", self.name, executable.if_program_rules) ++ if self.initscript: ++ newif += re.sub("TEMPLATETYPE", self.name, executable.if_initscript_rules) + + for d in self.DEFAULT_DIRS: + if len(self.DEFAULT_DIRS[d][1]) > 0: @@ -3997,6 +4122,8 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.py policycore + if os.path.exists(i) and stat.S_ISSOCK(os.stat(i)[stat.ST_MODE]): + newif += re.sub("TEMPLATETYPE", self.name, self.DEFAULT_DIRS[d][2].if_stream_rules) + break ++ newif += self.generate_admin_if() ++ + return newif + + def generate_default_types(self): @@ -4010,7 +4137,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.py policycore + for d in self.DEFAULT_DIRS: + if len(self.DEFAULT_DIRS[d][1]) > 0: + # CGI scripts already have a rw_t -+ if self.type != self.CGI or d != "rw": ++ if self.type != CGI or d != "rw": + newte += re.sub("TEMPLATETYPE", self.name, self.DEFAULT_DIRS[d][2].te_types) + + newte += self.generate_network_types() 
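Review bot: generate_daemon_rules now stores the result in a local named `newif` although it returns type-enforcement rules, and the temporary adds nothing since no further text is appended; `return re.sub("TEMPLATETYPE", self.name, executable.te_daemon_rules)` as before, or `newte` if a local is wanted to match the sibling generate_*_rules methods, keeps the naming consistent. In generate_if the `if self.program:` / `if self.initscript:` tests are a good place for a why-comment such as `# user templates have no executable; only daemons may carry an init script`, since the empty-string defaults are set in __init__ and not obvious here.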
@@ -4031,14 +4158,21 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.py policycore + newte += self.generate_syslog_rules() + newte += self.generate_pam_rules() + newte += self.generate_transition_rules() -+ ++ newte += self.generate_admin_rules() + return newte + + def generate_fc(self): + newfc = "" -+ t1 = re.sub("EXECUTABLE", self.program, executable.fc_file) ++ if self.program == "": ++ raise ValueError(_("You must enter the executable path for your confined process")) ++ ++ t1 = re.sub("EXECUTABLE", self.program, executable.fc_program) + newfc += re.sub("TEMPLATETYPE", self.name, t1) + ++ if self.initscript != "": ++ t1 = re.sub("EXECUTABLE", self.initscript, executable.fc_initscript) ++ newfc += re.sub("TEMPLATETYPE", self.name, t1) ++ + for i in self.files.keys(): + if os.path.exists(i) and stat.S_ISSOCK(os.stat(i)[stat.ST_MODE]): + t1 = re.sub("TEMPLATETYPE", self.name, self.files[i][2].fc_sock_file) @@ -4100,16 +4234,13 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.py policycore + + def write_fc(self,out_dir): + fcfile = "%s/%s.fc" % (out_dir, self.file_name) -+ if self.type in self.APPLICATIONS: ++ if self.type in APPLICATIONS: + fd = open(fcfile, "w") + fd.write(self.generate_fc()) + fd.close() + return fcfile + + def generate(self, out_dir = "."): -+ if self.type in self.APPLICATIONS and self.program == "": -+ raise ValueError(_("You must enter the executable path for your confined process")) -+ + out = "Created the following files:\n" + out += "%-25s %s\n" % (_("Type Enforcment file"), self.write_te(out_dir)) + out += "%-25s %s\n" % (_("Interface file"), self.write_if(out_dir)) 
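Review bot: `generate_fc` drops `self.program` and `self.initscript` into the `.fc` templates through `re.sub`, whose replacement argument is not literal: a backslash in a user-entered path is read as a group reference, and the resulting `fc` line's path field is itself a regular expression, so `.`, `+` or `(` in the path silently widen or break what gets labelled. Use a callable replacement or `str.replace("EXECUTABLE", self.program)` for the substitution, and escape regex metacharacters in the path before it is written, e.g. `path = re.escape(self.program)` (or at least `self.program.replace(".", "\\.")` to match the `\.` style of hand-written fc files). The `generate_te` head is outside the hunk.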
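Review bot: `write_fc` returns `fcfile` even when `self.type` is not in `APPLICATIONS` and no file was opened, so `generate`, which reports each written path, will presumably list a `.fc` file that does not exist; return `None` on that branch and have `generate` skip the line. Inside the `if`, `fd.write(self.generate_fc())` evaluates `generate_fc` after `open(fcfile, "w")`, so the new `ValueError` for an empty program leaves the descriptor open and an empty, truncated `.fc` behind; compute `fc = self.generate_fc()` before opening, and wrap the write in `try/finally: fd.close()`. The tail of `generate` is cut off by the hunk.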
@@ -4125,11 +4256,47 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.py policycore + + +if __name__ == '__main__': -+ mypolicy = policy("cgi", policy.XUSER) ++ mypolicy = policy("mycgi", CGI) + mypolicy.set_program("/var/www/cgi-bin/cgi") + mypolicy.set_in_tcp(1, 0, 0, "513") + mypolicy.set_in_udp(1, 0, 0, "1513") + mypolicy.set_use_uid(True) ++ mypolicy.set_use_tmp(False) ++ mypolicy.set_use_syslog(True) ++ mypolicy.set_use_pam(True) ++ mypolicy.set_out_tcp(0,"8000") ++ print mypolicy.generate("/tmp") ++ ++ mypolicy = policy("myuser", USER) ++ mypolicy.set_program("/usr/bin/myuser") ++ mypolicy.set_in_tcp(1, 0, 0, "513") ++ mypolicy.set_in_udp(1, 0, 0, "1513") ++ mypolicy.set_use_uid(True) ++ mypolicy.set_use_tmp(True) ++ mypolicy.set_use_syslog(True) ++ mypolicy.set_use_pam(True) ++ mypolicy.add_file("/var/lib/myuser/myuser.sock") ++ mypolicy.set_out_tcp(0,"8000") ++ print mypolicy.generate("/tmp") ++ ++ ++ mypolicy = policy("myrwho", DAEMON) ++ mypolicy.set_program("/usr/sbin/myrwhod") ++ mypolicy.set_init_script("/etc/init.d/myrwhod") ++ mypolicy.set_in_tcp(1, 0, 0, "513") ++ mypolicy.set_use_uid(True) ++ mypolicy.set_use_tmp(True) ++ mypolicy.set_use_syslog(True) ++ mypolicy.set_use_pam(True) ++ mypolicy.add_dir("/var/run/myrwho") ++ mypolicy.add_dir("/var/lib/myrwho") ++ print mypolicy.generate("/tmp") ++ ++ mypolicy = policy("myinetd", INETD) ++ mypolicy.set_program("/usr/bin/mytest") ++ mypolicy.set_in_tcp(1, 0, 0, "513") ++ mypolicy.set_in_udp(1, 0, 0, "1513") ++ mypolicy.set_use_uid(True) + mypolicy.set_use_tmp(True) + mypolicy.set_use_syslog(True) + mypolicy.set_use_pam(True) 
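Review bot: The self-test calls `generate("/tmp")` for every sample policy, and `write_fc` (presumably `write_te`/`write_if` too) builds `"%s/%s.fc" % (out_dir, self.file_name)` and opens it with `"w"`, so running the module as a script writes predictable names such as `/tmp/mycgi.fc` into a world-writable directory and follows any symlink an unprivileged user pre-placed there; when run as root that is a classic overwrite vector. Create a private directory once at the top of the `__main__` block, `out_dir = tempfile.mkdtemp()` (with `import tempfile`), and pass `out_dir` to each `generate` call. The `__main__` block continues past the end of the hunk.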
@@ -4141,14 +4308,32 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.py policycore + mypolicy.add_dir("/etc/daemon") + mypolicy.add_dir("/etc/daemon/special") + mypolicy.set_out_tcp(0,"8000") -+ mypolicy.set_transition_apps(["mozilla", "ssh"]) -+ print mypolicy.generate() -+# mypolicy = policy("inetd", "/usr/sbin/inetd", 1) -+# mypolicy.generate() -+# mypolicy = policy("userapp", "/usr/sbin/userapp", 2) -+# mypolicy.generate() -+# mypolicy = policy("cgi", "cgi", 3) -+# mypolicy.generate() ++ print mypolicy.generate("/tmp") ++ ++ mypolicy = policy("mytuser", TUSER) ++ mypolicy.set_in_tcp(1, 0, 0, "513") ++ mypolicy.set_in_udp(1, 0, 0, "1513") ++ mypolicy.set_use_uid(True) ++ mypolicy.set_use_syslog(True) ++ mypolicy.set_use_pam(True) ++ mypolicy.set_transition_domains(["mozilla", "ssh"]) ++ print mypolicy.generate("/tmp") ++ ++ mypolicy = policy("myxuser", XUSER) ++ mypolicy.set_in_tcp(1, 1, 1, "") ++ mypolicy.set_in_udp(0, 0, 1, "1513") ++ mypolicy.set_use_uid(True) ++ mypolicy.set_use_syslog(True) ++ mypolicy.set_use_pam(True) ++ mypolicy.set_transition_domains(["mozilla"]) ++ print mypolicy.generate("/tmp") ++ ++ mypolicy = policy("myruser", RUSER) ++ mypolicy.set_in_tcp(1, 0, 0, "513") ++ mypolicy.set_in_udp(1, 0, 0, "1513") ++ mypolicy.set_admin_domains(["postgresql", "mysql", "apache"]) ++ print mypolicy.generate("/tmp") ++ + sys.exit(0) + + 
@@ -8577,8 +8762,8 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/system-config-selinu + app.stand_alone() diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/executable.py policycoreutils-2.0.25/gui/templates/executable.py --- nsapolicycoreutils/gui/templates/executable.py 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.25/gui/templates/executable.py 2007-08-28 09:22:17.000000000 -0400 -@@ -0,0 +1,153 @@ ++++ policycoreutils-2.0.25/gui/templates/executable.py 2007-08-31 15:07:36.000000000 -0400 +@@ -0,0 +1,222 @@ +# Copyright (C) 2007 Red Hat +# see file 'COPYING' for use and warranty information +# @@ -8615,6 +8800,11 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/executable +init_daemon_domain(TEMPLATETYPE_t, TEMPLATETYPE_exec_t) +""" + ++te_initscript_types=""" ++type TEMPLATETYPE_script_exec_t; ++init_script_type(TEMPLATETYPE_script_exec_t) ++""" ++ +te_inetd_types="""\ +policy_module(TEMPLATETYPE,1.0.0) + @@ -8636,8 +8826,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/executable +# Declarations +# + ++type TEMPLATETYPE_t; +type TEMPLATETYPE_exec_t; -+corecmd_executable_file(TEMPLATETYPE_exec_t) ++application_domain(TEMPLATETYPE_t, TEMPLATETYPE_exec_t) +""" + +te_cgi_types="""\ @@ -8700,7 +8891,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/executable +""" + +########################### Interface File ############################# -+if_rules=""" ++if_program_rules=""" +## policy for TEMPLATETYPE + +######################################## 
@@ -8724,17 +8915,80 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/executable + allow TEMPLATETYPE_t $1:fifo_file rw_file_perms; + allow TEMPLATETYPE_t $1:process sigchld; +') ++ ++""" ++ ++if_initscript_rules=""" ++######################################## ++## ++## Execute TEMPLATETYPE server in the TEMPLATETYPE domain. ++## ++## ++## ++## The type of the process performing this action. ++## ++## ++# ++interface(`TEMPLATETYPE_script_domtrans',` ++ gen_require(` ++ type TEMPLATETYPE_script_exec_t; ++ ') ++ ++ init_script_domtrans_spec($1,TEMPLATETYPE_script_exec_t) ++') ++""" ++ ++if_begin_admin=""" ++######################################## ++## ++## All of the rules required to administrate an TEMPLATETYPE environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The role to be allowed to manage the TEMPLATETYPE domain. ++## ++## ++## ++## ++## The type of the terminal allow the dmidecode domain to use. ++## ++## ++## ++# ++interface(`TEMPLATETYPE_admin',` ++""" ++ ++if_initscript_admin=""" ++ # Allow $2 to restart the apache service ++ TEMPLATETYPE_script_domtrans($2) ++ domain_role_change_exemption($2) ++ domain_obj_id_change_exemption($2) ++ role_transition $1_r TEMPLATETYPE_script_exec_t system_r; ++ allow $1_r system_r; ++""" ++ ++if_end_admin=""" ++') +""" + +########################### File Context ################################## -+fc_file="""\ ++fc_program="""\ + -+EXECUTABLE -- gen_context(system_u:object_r:TEMPLATETYPE_exec_t,s0) ++EXECUTABLE -- gen_context(system_u:object_r:TEMPLATETYPE_exec_t,s0) ++""" ++fc_initscript="""\ ++ ++EXECUTABLE -- gen_context(system_u:object_r:TEMPLATETYPE_script_exec_t,s0) +""" + diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/__init__.py policycoreutils-2.0.25/gui/templates/__init__.py --- nsapolicycoreutils/gui/templates/__init__.py 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.25/gui/templates/__init__.py 2007-08-28 
09:22:17.000000000 -0400 ++++ policycoreutils-2.0.25/gui/templates/__init__.py 2007-08-31 15:07:36.000000000 -0400 @@ -0,0 +1,18 @@ +# +# Copyright (C) 2007 Red Hat, Inc. @@ -8756,7 +9010,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/__init__.p + diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/network.py policycoreutils-2.0.25/gui/templates/network.py --- nsapolicycoreutils/gui/templates/network.py 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.25/gui/templates/network.py 2007-08-28 10:02:33.000000000 -0400 ++++ policycoreutils-2.0.25/gui/templates/network.py 2007-08-31 15:07:36.000000000 -0400 @@ -0,0 +1,80 @@ +te_port_types=""" +type TEMPLATETYPE_port_t; @@ -8840,8 +9094,8 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/network.py + diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/rw.py policycoreutils-2.0.25/gui/templates/rw.py --- nsapolicycoreutils/gui/templates/rw.py 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.25/gui/templates/rw.py 2007-08-28 09:22:17.000000000 -0400 -@@ -0,0 +1,104 @@ ++++ policycoreutils-2.0.25/gui/templates/rw.py 2007-08-31 15:07:36.000000000 -0400 +@@ -0,0 +1,128 @@ +# Copyright (C) 2007 Red Hat +# see file 'COPYING' for use and warranty information +# @@ -8873,7 +9127,6 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/rw.py poli +te_rules=""" +allow TEMPLATETYPE_t TEMPLATETYPE_rw_t:file manage_file_perms; +allow TEMPLATETYPE_t TEMPLATETYPE_rw_t:dir create_dir_perms; -+files_pid_filetrans(TEMPLATETYPE_t,TEMPLATETYPE_rw_t, { file dir }) +""" + +########################### Interface File ############################# 
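Review bot: `if_initscript_admin` has its interface arguments crossed: `if_begin_admin` documents `$1` as the domain and `$2` as the role (and `user.te_admin_rules` calls `APPLICATION_admin(TEMPLATETYPE_t,TEMPLATETYPE_r, …)` in that order), yet the body hands the role to `TEMPLATETYPE_script_domtrans($2)` and both `domain_*_exemption` calls, and spells the role as `$1_r`, which expands to a nonexistent role such as `myruser_t_r` in `role_transition $1_r …` and `allow $1_r system_r`. The domain-taking calls should receive `$1` and the role statements `$2`. The comment `# Allow $2 to restart the apache service` and the `$3` description `allow the dmidecode domain to use` are copy-paste leftovers and should name TEMPLATETYPE. Corrected template below; the rest of executable.py is unchanged.
```python
if_initscript_admin="""
	# Allow $1 to restart the TEMPLATETYPE service
	TEMPLATETYPE_script_domtrans($1)
	domain_role_change_exemption($1)
	domain_obj_id_change_exemption($1)
	role_transition $2 TEMPLATETYPE_script_exec_t system_r;
	allow $2 system_r;
"""
```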
@@ -8936,6 +9189,31 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/rw.py poli + allow $1 TEMPLATETYPE_rw_t:file manage_file_perms; + allow $1 TEMPLATETYPE_rw_t:dir rw_dir_perms; +') ++ ++######################################## ++## ++## Manage TEMPLATETYPE rw files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`TEMPLATETYPE_manage_rw',` ++ gen_require(` ++ type TEMPLATETYPE_rw_t; ++ ') ++ ++ manage_dir_perms($1,TEMPLATETYPE_rw_t,TEMPLATETYPE_rw_t) ++ manage_file_perms($1,TEMPLATETYPE_rw_t,TEMPLATETYPE_rw_t) ++ manage_lnk_file_perms($1,TEMPLATETYPE_rw_t,TEMPLATETYPE_rw_t) ++') ++ ++""" ++ ++if_admin_rules=""" ++ TEMPLATETYPE_manage_rw($1) +""" + +########################### File Context ################################## @@ -8948,7 +9226,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/rw.py poli +""" diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/script.py policycoreutils-2.0.25/gui/templates/script.py --- nsapolicycoreutils/gui/templates/script.py 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.25/gui/templates/script.py 2007-08-28 09:22:17.000000000 -0400 ++++ policycoreutils-2.0.25/gui/templates/script.py 2007-08-31 15:07:36.000000000 -0400 @@ -0,0 +1,42 @@ +# Copyright (C) 2007 Red Hat +# see file 'COPYING' for use and warranty information @@ -8994,7 +9272,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/script.py + diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/semodule.py policycoreutils-2.0.25/gui/templates/semodule.py --- nsapolicycoreutils/gui/templates/semodule.py 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.25/gui/templates/semodule.py 2007-08-28 09:22:17.000000000 -0400 ++++ policycoreutils-2.0.25/gui/templates/semodule.py 2007-08-31 15:07:36.000000000 -0400 @@ -0,0 +1,41 @@ +# Copyright (C) 2007 Red Hat +# see file 'COPYING' for use and warranty information 
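Review bot: The new `TEMPLATETYPE_manage_rw` interface calls `manage_dir_perms`, `manage_file_perms` and `manage_lnk_file_perms` as three-argument interfaces, but in this same file they are permission sets (`allow $1 TEMPLATETYPE_rw_t:file manage_file_perms;` appears as context a few lines above), so m4 expands each call to a bare `{ … }` permission list and the generated module will not compile. The three-argument helpers in reference policy are the pattern macros: `manage_dirs_pattern($1, TEMPLATETYPE_rw_t, TEMPLATETYPE_rw_t)`, `manage_files_pattern($1, TEMPLATETYPE_rw_t, TEMPLATETYPE_rw_t)`, `manage_lnk_files_pattern($1, TEMPLATETYPE_rw_t, TEMPLATETYPE_rw_t)`. The same construct is repeated in every `_manage_*` interface this patch adds to the other directory templates.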
@@ -9039,8 +9317,8 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/semodule.p + diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/tmp.py policycoreutils-2.0.25/gui/templates/tmp.py --- nsapolicycoreutils/gui/templates/tmp.py 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.25/gui/templates/tmp.py 2007-08-28 09:22:17.000000000 -0400 -@@ -0,0 +1,72 @@ ++++ policycoreutils-2.0.25/gui/templates/tmp.py 2007-08-31 15:07:36.000000000 -0400 +@@ -0,0 +1,97 @@ +# Copyright (C) 2007 Red Hat +# see file 'COPYING' for use and warranty information +# @@ -9072,7 +9350,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/tmp.py pol +te_rules=""" +allow TEMPLATETYPE_t TEMPLATETYPE_tmp_t:file manage_file_perms; +allow TEMPLATETYPE_t TEMPLATETYPE_tmp_t:dir create_dir_perms; -+files_pid_filetrans(TEMPLATETYPE_t,TEMPLATETYPE_tmp_t, { file dir }) ++files_tmp_filetrans(TEMPLATETYPE_t,TEMPLATETYPE_tmp_t, { file dir }) +""" + +if_rules=""" 
@@ -9110,13 +9388,38 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/tmp.py pol + type TEMPLATETYPE_tmp_t; + ') + -+ dontaudit $1 TEMPLATETYPE_tmp_t:file r_file_perms; ++ allow $1 TEMPLATETYPE_tmp_t:file r_file_perms; ++') ++ ++######################################## ++## ++## Allow domain to manage TEMPLATETYPE tmp files ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`TEMPLATETYPE_manage_tmp',` ++ gen_require(` ++ type TEMPLATETYPE_tmp_t; ++ ') ++ ++ manage_dir_perms($1,TEMPLATETYPE_tmp_t,TEMPLATETYPE_tmp_t) ++ manage_file_perms($1,TEMPLATETYPE_tmp_t,TEMPLATETYPE_tmp_t) ++ manage_lnk_file_perms($1,TEMPLATETYPE_tmp_t,TEMPLATETYPE_tmp_t) +') +""" ++ ++if_admin_rules=""" ++ TEMPLATETYPE_manage_tmp($1) ++""" ++ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/user.py policycoreutils-2.0.25/gui/templates/user.py --- nsapolicycoreutils/gui/templates/user.py 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.25/gui/templates/user.py 2007-08-28 10:02:19.000000000 -0400 -@@ -0,0 +1,89 @@ ++++ policycoreutils-2.0.25/gui/templates/user.py 2007-08-31 15:07:36.000000000 -0400 +@@ -0,0 +1,97 @@ +# Copyright (C) 2007 Red Hat +# see file 'COPYING' for use and warranty information +# @@ -9139,6 +9442,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/user.py po +# +# +########################### Type Enforcement File ############################# ++ +te_login_user_types="""\ +policy_module(TEMPLATETYPE,1.0.0) + 
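Review bot: Turning `dontaudit $1 TEMPLATETYPE_tmp_t:file r_file_perms;` into `allow` changes that interface from silencing denials to granting read access; its name and summary are above the hunk, so if it is still a `TEMPLATETYPE_dontaudit_*` interface documented as "Domain to not audit." callers will be given access they only asked to have unaudited — rename and redocument it, or add a separate `TEMPLATETYPE_read_tmp` and restore the dontaudit. The new `TEMPLATETYPE_manage_tmp` copies that "Domain to not audit." parameter text although it grants full management; use `Domain allowed access.` as `TEMPLATETYPE_manage_rw` does. Its `manage_dir_perms($1,TEMPLATETYPE_tmp_t,TEMPLATETYPE_tmp_t)` lines (and the file/lnk_file ones) invoke permission-set names as if they were interfaces; the three-argument forms are `manage_dirs_pattern`, `manage_files_pattern` and `manage_lnk_files_pattern`.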
@@ -9206,10 +9510,17 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/user.py po +') +""" + ++te_admin_rules=""" ++optional_policy(` ++ APPLICATION_admin(TEMPLATETYPE_t,TEMPLATETYPE_r, { TEMPLATETYPE_tty_device_t TEMPLATETYPE_devpts_t }) ++') ++""" ++ ++ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/var_lib.py policycoreutils-2.0.25/gui/templates/var_lib.py --- nsapolicycoreutils/gui/templates/var_lib.py 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.25/gui/templates/var_lib.py 2007-08-28 09:22:17.000000000 -0400 -@@ -0,0 +1,137 @@ ++++ policycoreutils-2.0.25/gui/templates/var_lib.py 2007-08-31 15:07:36.000000000 -0400 +@@ -0,0 +1,162 @@ +# Copyright (C) 2007 Red Hat +# see file 'COPYING' for use and warranty information +# @@ -9246,7 +9557,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/var_lib.py + +te_stream_rules="""\ +allow TEMPLATETYPE_t TEMPLATETYPE_var_lib_t:sock_file manage_file_perms; -+files_pid_filetrans(TEMPLATETYPE_t,TEMPLATETYPE_var_lib_t, sock_file) ++files_var_lib_filetrans(TEMPLATETYPE_t,TEMPLATETYPE_var_lib_t, sock_file) +""" + + @@ -9311,6 +9622,27 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/var_lib.py + allow $1 TEMPLATETYPE_var_lib_t:dir rw_dir_perms; + files_search_var_lib($1) +') ++ ++######################################## ++## ++## Manage TEMPLATETYPE var_lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`TEMPLATETYPE_manage_var_lib',` ++ gen_require(` ++ type TEMPLATETYPE_var_lib_t; ++ ') ++ ++ manage_dir_perms($1,TEMPLATETYPE_var_lib_t,TEMPLATETYPE_var_lib_t) ++ manage_file_perms($1,TEMPLATETYPE_var_lib_t,TEMPLATETYPE_var_lib_t) ++ manage_lnk_file_perms($1,TEMPLATETYPE_var_lib_t,TEMPLATETYPE_var_lib_t) ++') ++ +""" + +if_stream_rules=""" 
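Review bot: `TEMPLATETYPE_manage_var_lib` uses `manage_dir_perms`, `manage_file_perms` and `manage_lnk_file_perms` with three arguments, but these are permission sets (the context line `allow $1 TEMPLATETYPE_var_lib_t:dir rw_dir_perms;` shows the same family used as perms in this file), so the expansion yields a bare permission list rather than an allow rule. Replace the body with `manage_dirs_pattern($1, TEMPLATETYPE_var_lib_t, TEMPLATETYPE_var_lib_t)`, `manage_files_pattern($1, TEMPLATETYPE_var_lib_t, TEMPLATETYPE_var_lib_t)` and `manage_lnk_files_pattern($1, TEMPLATETYPE_var_lib_t, TEMPLATETYPE_var_lib_t)`. A `files_search_var_lib($1)` as the existing rw interface above it has is probably wanted as well so the admin domain can reach the directory.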
@@ -9335,6 +9667,10 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/var_lib.py +') +""" + ++if_admin_rules=""" ++ TEMPLATETYPE_manage_var_lib($1) ++""" ++ +########################### File Context ################################## +fc_file="""\ +FILENAME -- gen_context(system_u:object_r:TEMPLATETYPE_var_lib_t,s0) @@ -9349,8 +9685,8 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/var_lib.py +""" diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/var_log.py policycoreutils-2.0.25/gui/templates/var_log.py --- nsapolicycoreutils/gui/templates/var_log.py 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.25/gui/templates/var_log.py 2007-08-28 09:22:17.000000000 -0400 -@@ -0,0 +1,89 @@ ++++ policycoreutils-2.0.25/gui/templates/var_log.py 2007-08-31 15:07:36.000000000 -0400 +@@ -0,0 +1,112 @@ +# Copyright (C) 2007 Red Hat +# see file 'COPYING' for use and warranty information +# @@ -9430,6 +9766,29 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/var_log.py + allow $1 TEMPLATETYPE_log_t:file { getattr append }; +') + ++######################################## ++## ++## Allow domain to manage TEMPLATETYPE log files ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`TEMPLATETYPE_manage_log',` ++ gen_require(` ++ type TEMPLATETYPE_log_t; ++ ') ++ ++ manage_dir_perms($1,TEMPLATETYPE_log_t,TEMPLATETYPE_log_t) ++ manage_file_perms($1,TEMPLATETYPE_log_t,TEMPLATETYPE_log_t) ++ manage_lnk_file_perms($1,TEMPLATETYPE_log_t,TEMPLATETYPE_log_t) ++') ++""" ++ ++if_admin_rules=""" ++ TEMPLATETYPE_manage_log($1) +""" + +########################### File Context ################################## 
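Review bot: `TEMPLATETYPE_manage_log` documents its argument as "Domain to not audit." while it grants create/write/unlink on `TEMPLATETYPE_log_t`, which is misleading for anyone reading the generated interface; use `Domain allowed access.` as the other manage interfaces in this patch do. Its `manage_dir_perms($1,TEMPLATETYPE_log_t,TEMPLATETYPE_log_t)` calls (and the file and lnk_file variants) treat permission-set macros as three-argument interfaces; the forms that take a source domain and a type pair are `manage_dirs_pattern`, `manage_files_pattern` and `manage_lnk_files_pattern`.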
@@ -9442,8 +9801,8 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/var_log.py +""" diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/var_run.py policycoreutils-2.0.25/gui/templates/var_run.py --- nsapolicycoreutils/gui/templates/var_run.py 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.25/gui/templates/var_run.py 2007-08-28 09:22:17.000000000 -0400 -@@ -0,0 +1,95 @@ ++++ policycoreutils-2.0.25/gui/templates/var_run.py 2007-08-31 15:07:36.000000000 -0400 +@@ -0,0 +1,119 @@ +# Copyright (C) 2007 Red Hat +# see file 'COPYING' for use and warranty information +# @@ -9503,6 +9862,26 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/var_run.py + allow $1 TEMPLATETYPE_var_run_t:file r_file_perms; +') + ++######################################## ++## ++## Manage TEMPLATETYPE var_run files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`TEMPLATETYPE_manage_var_run',` ++ gen_require(` ++ type TEMPLATETYPE_var_run_t; ++ ') ++ ++ manage_dir_perms($1,TEMPLATETYPE_var_run_t,TEMPLATETYPE_var_run_t) ++ manage_file_perms($1,TEMPLATETYPE_var_run_t,TEMPLATETYPE_var_run_t) ++ manage_lnk_file_perms($1,TEMPLATETYPE_var_run_t,TEMPLATETYPE_var_run_t) ++') ++ +""" + +if_stream_rules="""\ @@ -9527,6 +9906,10 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/var_run.py +') +""" + ++if_admin_rules=""" ++ TEMPLATETYPE_manage_var_run($1) ++""" ++ +fc_file="""\ +FILENAME -- gen_context(system_u:object_r:TEMPLATETYPE_var_run_t,s0) +""" 
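Review bot: In `TEMPLATETYPE_manage_var_run` the lines `manage_dir_perms($1,TEMPLATETYPE_var_run_t,TEMPLATETYPE_var_run_t)` and the file/lnk_file counterparts call permission sets as interfaces; the context line `allow $1 TEMPLATETYPE_var_run_t:file r_file_perms;` above shows how this file otherwise uses that macro family. Use `manage_dirs_pattern($1, TEMPLATETYPE_var_run_t, TEMPLATETYPE_var_run_t)`, `manage_files_pattern(...)` and `manage_lnk_files_pattern(...)` so the generated module compiles.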
@@ -9541,8 +9924,8 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/var_run.py + diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/var_spool.py policycoreutils-2.0.25/gui/templates/var_spool.py --- nsapolicycoreutils/gui/templates/var_spool.py 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.25/gui/templates/var_spool.py 2007-08-28 09:22:17.000000000 -0400 -@@ -0,0 +1,105 @@ ++++ policycoreutils-2.0.25/gui/templates/var_spool.py 2007-08-31 15:07:36.000000000 -0400 +@@ -0,0 +1,131 @@ +# Copyright (C) 2007 Red Hat +# see file 'COPYING' for use and warranty information +# @@ -9639,7 +10022,33 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/var_spool. + allow $1 TEMPLATETYPE_spool_t:dir rw_dir_perms; + files_search_spool($1) +') ++ ++######################################## ++## ++## Allow domain to manage TEMPLATETYPE spool files ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`TEMPLATETYPE_manage_spool',` ++ gen_require(` ++ type TEMPLATETYPE_spool_t; ++ ') ++ ++ manage_dir_perms($1,TEMPLATETYPE_spool_t,TEMPLATETYPE_spool_t) ++ manage_file_perms($1,TEMPLATETYPE_spool_t,TEMPLATETYPE_spool_t) ++ manage_lnk_file_perms($1,TEMPLATETYPE_spool_t,TEMPLATETYPE_spool_t) ++') ++ +""" ++ ++if_admin_rules=""" ++ TEMPLATETYPE_manage_spool($1) ++""" ++ +########################### File Context ################################## +fc_file="""\ +FILENAME -- gen_context(system_u:object_r:TEMPLATETYPE_spool_t,s0) diff --git a/policycoreutils.spec b/policycoreutils.spec index b8c9de1..1d5d68b 100644 --- a/policycoreutils.spec +++ b/policycoreutils.spec @@ -6,7 +6,7 @@ Summary: SELinux policy core utilities Name: policycoreutils Version: 2.0.25 -Release: 6%{?dist} +Release: 7%{?dist} License: GPLv2+ Group: System Environment/Base Source: http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz 
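Review bot: `TEMPLATETYPE_manage_spool` describes its parameter as "Domain to not audit." although it grants full management of `TEMPLATETYPE_spool_t`; change it to `Domain allowed access.`. The three `manage_*_perms($1,TEMPLATETYPE_spool_t,TEMPLATETYPE_spool_t)` lines invoke permission-set macros as interfaces (compare `allow $1 TEMPLATETYPE_spool_t:dir rw_dir_perms;` in the context above); the three-argument forms are `manage_dirs_pattern`, `manage_files_pattern` and `manage_lnk_files_pattern`, and a `files_search_spool($1)` like the neighbouring rw interface has is likely needed too.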
@@ -200,6 +200,9 @@ if [ "$1" -ge "1" ]; then fi %changelog +* Fri Aug 31 2007 Dan Walsh 2.0.25-7 +- Lots of fixes for role templates + * Tue Aug 28 2007 Dan Walsh 2.0.25-6 - Add more role_templates