diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/booleansPage.py policycoreutils-2.0.25/gui/booleansPage.py --- nsapolicycoreutils/gui/booleansPage.py 1969-12-31 19:00:00.000000000 -0500 +++ policycoreutils-2.0.25/gui/booleansPage.py 2007-08-28 09:22:17.000000000 -0400 
@@ -0,0 +1,227 @@ +# +# booleansPage.py - GUI for Booleans page in system-config-securitylevel +# +# Brent Fox +# Dan Walsh +# +# Copyright 2006 Red Hat, Inc. +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +# +import string +import gtk +import gtk.glade +import os +import libxml2 +import gobject +import sys +import tempfile + +INSTALLPATH='/usr/share/system-config-selinux' +sys.path.append(INSTALLPATH) + +import commands +ENFORCING=0 +PERMISSIVE=1 +DISABLED=2 + +## +## I18N +## +PROGNAME="system-config-selinux" + +import gettext +gettext.bindtextdomain(PROGNAME, "/usr/share/locale") +gettext.textdomain(PROGNAME) +try: + gettext.install(PROGNAME, + localedir="/usr/share/locale", + unicode=False, + codeset = 'utf-8') +except IOError: + import __builtin__ + __builtin__.__dict__['_'] = unicode + +from glob import fnmatch + +class Translation: + def __init__(self): + self.translation={} + fd=open(INSTALLPATH + "/selinux.tbl","r") + lines=fd.readlines() + fd.close() + for i in lines: + try: + line=i.strip().split("_(\"") + key=line[0].strip() + category=line[1].split("\"")[0] + value=line[2].split("\"")[0] + self.translation[key]=(category,value) + except: + continue + + def match(self,key, filter=""): + try: + f=filter.lower() + val=self.get_value(key).lower() + k=key.lower() + return val.find(f) >= 0 or k.find(f) >= 0 + except: + return False + + def get_category(self,key): + try: + return 
_(self.translation[key][0]) + except: + return _("Other") + + def get_value(self,key): + try: + return _(self.translation[key][1]) + except: + return key + +class Modifier: + def __init__(self,name, on, save): + self.on=on + self.name=name + self.save=save + + def set(self,value): + self.on=value + self.save=True + + def isOn(self): + return self.on + +class Boolean(Modifier): + def __init__(self,name, val, save=False): + Modifier.__init__(self,name, val, save) + +class Modifiers: + def __init__(self,store): + self.modifiers={} + self.translation=Translation() + self.store=store + self.store.clear() + + def add(self,name,val): + if name == "targeted_policy": + return + category=self.translation.get_category(name) + if not self.modifiers.has_key(category): + self.modifiers[category]={} + iter=self.store.append(None) + self.modifiers[category]["iter"] = iter + self.store.set_value(iter, 1, category) + self.store.set_value(iter, 3, False) + + self.modifiers[category][name]=val; + iter=self.store.append(self.modifiers[category]["iter"]) + self.store.set_value(iter, 0, val.isOn()) + self.store.set_value(iter, 1, self.translation.get_value(name)) + self.store.set_value(iter, 2, name) + self.store.set_value(iter, 3, True) + + def set(self,name,val): + category=self.translation.get_category(name) + self.modifiers[category][name].set(val) + + def isBoolean(self,name): + c=self.translation.get_category(name) + return isinstance(self.modifiers[c][name], Boolean) + + def get_booleans(self): + booleans={} + for c in self.modifiers.keys(): + for n in self.modifiers[c].keys(): + if isinstance(self.modifiers[c][n], Boolean): + booleans[n]=self.modifiers[c][n] + return booleans + +class booleansPage: + def __init__(self, xml, doDebug=None): + self.xml = xml + self.types=[] + self.selinuxsupport = True + self.translation = Translation() + self.typechanged = False + self.doDebug = doDebug + + # Bring in widgets from glade file. 
+ self.typeHBox = xml.get_widget("typeHBox") + self.booleanSW = xml.get_widget("booleanSW") + self.booleansFilter = xml.get_widget("booleansFilter") + self.booleansFilter.connect("focus_out_event", self.filter_changed) + self.booleansFilter.connect("activate", self.filter_changed) + + self.booleansView = xml.get_widget("booleansView") + self.typeLabel = xml.get_widget("typeLabel") + self.modifySeparator = xml.get_widget("modifySeparator") + + listStore = gtk.ListStore(gobject.TYPE_STRING) + cell = gtk.CellRendererText() + + self.booleansStore = gtk.TreeStore(gobject.TYPE_BOOLEAN, gobject.TYPE_STRING, gobject.TYPE_PYOBJECT, gobject.TYPE_BOOLEAN) + self.booleansStore.set_sort_column_id(1, gtk.SORT_ASCENDING) + self.booleansView.set_model(self.booleansStore) + + checkbox = gtk.CellRendererToggle() + checkbox.connect("toggled", self.boolean_toggled) + col = gtk.TreeViewColumn('', checkbox, active = 0,visible=3) + col.set_fixed_width(20) + col.set_clickable(True) + self.booleansView.append_column(col) + + col = gtk.TreeViewColumn("", gtk.CellRendererText(), text=1) + self.booleansView.append_column(col) + self.filter="" + self.refreshBooleans(self.filter) + + def filter_changed(self, *arg): + filter = arg[0].get_text() + if filter != self.filter: + self.refreshBooleans(filter) + self.filter=filter + + def use_menus(self): + return False + + def get_description(self): + return _("Boolean") + + def refreshBooleans(self, filter=None): + self.modifiers=Modifiers(self.booleansStore) + booleansList=commands.getoutput("/usr/sbin/getsebool -a").split("\n") + for i in booleansList: + rec=i.split() + name=rec[0] + if self.translation.match(name, filter): + if rec[2]=="on" or rec[2]=="active": + on=1 + else: + on=0 + self.modifiers.add(name,Boolean(name,on)) + + def boolean_toggled(self, widget, row): + if len(row) == 1: + return + iter = self.booleansStore.get_iter(row) + val = self.booleansStore.get_value(iter, 0) + key = self.booleansStore.get_value(iter, 2) + 
self.booleansStore.set_value(iter, 0 , not val) + self.modifiers.set(key, not val) + + setsebool="/usr/sbin/setsebool -P %s=%d" % (key, not val) + commands.getstatusoutput(setsebool) diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/fcontextPage.py policycoreutils-2.0.25/gui/fcontextPage.py --- nsapolicycoreutils/gui/fcontextPage.py 1969-12-31 19:00:00.000000000 -0500 +++ policycoreutils-2.0.25/gui/fcontextPage.py 2007-08-28 09:22:17.000000000 -0400 
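Review bot: In boolean_toggled the exit status of setsebool is thrown away — `commands.getstatusoutput(setsebool)` returns (status, output) but neither is examined — while the tree store and the Modifier were already flipped two lines earlier, so a failed `setsebool -P` (read-only policy store, permission denied) leaves the GUI showing a state the kernel does not have. Capture the status and undo the local change when it is non-zero, `rc, out = commands.getstatusoutput(setsebool)` followed by `if rc != 0: self.booleansStore.set_value(iter, 0, val)`, and surface `out` to the user. The command is also built as a shell string from the boolean name; an argument list, `subprocess.call(["/usr/sbin/setsebool", "-P", "%s=%d" % (key, not val)])`, keeps the shell out of the path, and the same shell-string pattern appears in the fcontextPage, loginsPage and modulesPage hunks below. Separately, refreshBooleans indexes `rec[0]` and `rec[2]` on every output line of `getsebool -a`, so an empty trailing line or an error message printed by getsebool raises IndexError instead of producing an empty list.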
@@ -0,0 +1,210 @@ +## fcontextPage.py - show selinux mappings +## Copyright (C) 2006 Red Hat, Inc. + +## This program is free software; you can redistribute it and/or modify +## it under the terms of the GNU General Public License as published by +## the Free Software Foundation; either version 2 of the License, or +## (at your option) any later version. + +## This program is distributed in the hope that it will be useful, +## but WITHOUT ANY WARRANTY; without even the implied warranty of +## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +## GNU General Public License for more details. + +## You should have received a copy of the GNU General Public License +## along with this program; if not, write to the Free Software +## Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. + +## Author: Dan Walsh +import gtk +import gtk.glade +import os +import libxml2 +import gobject +import seobject +import commands +from semanagePage import *; + +SPEC_COL = 0 +TYPE_COL = 1 +FTYPE_COL = 2 + +class context: + def __init__(self, scontext): + self.scontext = scontext + con=scontext.split(":") + self.user = con[0] + self.role = con[1] + self.type = con[2] + if len(con) > 3: + self.mls = con[3] + else: + self.mls = "s0" + + def __str__(self): + return self.scontext + +## +## I18N +## +PROGNAME="system-config-selinux" + +import gettext +gettext.bindtextdomain(PROGNAME, "/usr/share/locale") +gettext.textdomain(PROGNAME) +try: + gettext.install(PROGNAME, + localedir="/usr/share/locale", + unicode=False, + codeset = 'utf-8') +except IOError: + import __builtin__ + __builtin__.__dict__['_'] = unicode + +class fcontextPage(semanagePage): + def __init__(self, xml): + semanagePage.__init__(self, xml, "fcontext", _("File Labeling")) + self.fcontextFilter = xml.get_widget("fcontextFilterEntry") + self.fcontextFilter.connect("focus_out_event", self.filter_changed) + self.fcontextFilter.connect("activate", self.filter_changed) + self.view = xml.get_widget("fcontextView") + 
self.store = gtk.ListStore(gobject.TYPE_STRING, gobject.TYPE_STRING, gobject.TYPE_STRING) + self.view.set_model(self.store) +# self.store.set_sort_column_id(0, gtk.SORT_ASCENDING) + + col = gtk.TreeViewColumn(_("File\nSpecification"), gtk.CellRendererText(), text=SPEC_COL) + col.set_sizing(gtk.TREE_VIEW_COLUMN_FIXED) + col.set_fixed_width(250) + + col.set_sort_column_id(SPEC_COL) + col.set_resizable(True) + self.view.append_column(col) + col = gtk.TreeViewColumn(_("Selinux\nFile Context"), gtk.CellRendererText(), text=TYPE_COL) + + col.set_sizing(gtk.TREE_VIEW_COLUMN_FIXED) + col.set_fixed_width(250) + col.set_sort_column_id(TYPE_COL) + col.set_resizable(True) + self.view.append_column(col) + col = gtk.TreeViewColumn(_("File\nType"), gtk.CellRendererText(), text=2) + col.set_sort_column_id(FTYPE_COL) + col.set_resizable(True) + self.view.append_column(col) + self.load() + self.fcontextEntry = xml.get_widget("fcontextEntry") + self.fcontextFileTypeCombo = xml.get_widget("fcontextFileTypeCombo") + liststore=self.fcontextFileTypeCombo.get_model() + for k in seobject.file_types: + if len(k) > 0 and k[0] != '-': + iter=liststore.append() + liststore.set_value(iter, 0, k) + iter = liststore.get_iter_first() + self.fcontextFileTypeCombo.set_active_iter(iter) + self.fcontextTypeEntry = xml.get_widget("fcontextTypeEntry") + self.fcontextMLSEntry = xml.get_widget("fcontextMLSEntry") + + def match(self, fcon, filter): + try: + f=filter.lower() + for con in fcon: + k=con.lower() + if k.find(f) >= 0: + return True + except: + pass + return False + + def load(self, filter=""): + self.filter=filter + self.fcontext=seobject.fcontextRecords() + fcon_list=self.fcontext.get_all() + self.store.clear() + for fcon in fcon_list: + if not self.match(fcon, filter): + continue + iter=self.store.append() + self.store.set_value(iter, SPEC_COL, fcon[0]) + self.store.set_value(iter, FTYPE_COL, fcon[1]) + if len(fcon) > 3: + rec="%s:%s:%s:%s " % (fcon[2], fcon[3],fcon[4], 
seobject.translate(fcon[5],False)) + else: + rec="<>" + self.store.set_value(iter, 1, rec) + self.view.get_selection().select_path ((0,)) + + def filter_changed(self, *arg): + filter = arg[0].get_text() + if filter != self.filter: + self.load(filter) + + def dialogInit(self): + store, iter = self.view.get_selection().get_selected() + self.fcontextEntry.set_text(store.get_value(iter, SPEC_COL)) + self.fcontextEntry.set_sensitive(False) + scontext = store.get_value(iter, TYPE_COL) + scon=context(scontext) + self.fcontextTypeEntry.set_text(scon.type) + self.fcontextMLSEntry.set_text(scon.mls) + type=store.get_value(iter, FTYPE_COL) + liststore=self.fcontextFileTypeCombo.get_model() + iter = liststore.get_iter_first() + while iter != None and liststore.get_value(iter,0) != type: + iter = liststore.iter_next(iter) + if iter != None: + self.fcontextFileTypeCombo.set_active_iter(iter) + self.fcontextFileTypeCombo.set_sensitive(False) + + def dialogClear(self): + self.fcontextEntry.set_text("") + self.fcontextEntry.set_sensitive(True) + self.fcontextFileTypeCombo.set_sensitive(True) + self.fcontextTypeEntry.set_text("") + self.fcontextMLSEntry.set_text("s0") + + def delete(self): + store, iter = self.view.get_selection().get_selected() + try: + fspec=store.get_value(iter, SPEC_COL) + ftype=store.get_value(iter, FTYPE_COL) + (rc, out) = commands.getstatusoutput("semanage fcontext -d -f '%s' %s" % (ftype, fspec)) + + if rc != 0: + return self.error(out) + store.remove(iter) + self.view.get_selection().select_path ((0,)) + except ValueError, e: + self.error(e.args[0]) + + def add(self): + fspec=self.fcontextEntry.get_text().strip() + type=self.fcontextTypeEntry.get_text().strip() + mls=self.fcontextMLSEntry.get_text().strip() + list_model=self.fcontextFileTypeCombo.get_model() + iter = self.fcontextFileTypeCombo.get_active_iter() + ftype=list_model.get_value(iter,0) + (rc, out) = commands.getstatusoutput("semanage fcontext -a -t %s -r %s -f '%s' %s" % (type, mls, ftype, 
fspec)) + if rc != 0: + self.error(out) + return False + + iter=self.store.append() + self.store.set_value(iter, SPEC_COL, fspec) + self.store.set_value(iter, FTYPE_COL, ftype) + self.store.set_value(iter, TYPE_COL, "system_u:object_r:%s:%s" % (type, mls)) + + def modify(self): + fspec=self.fcontextEntry.get_text().strip() + type=self.fcontextTypeEntry.get_text().strip() + mls=self.fcontextMLSEntry.get_text().strip() + list_model=self.fcontextFileTypeCombo.get_model() + iter = self.fcontextFileTypeCombo.get_active_iter() + ftype=list_model.get_value(iter,0) + (rc, out) = commands.getstatusoutput("semanage fcontext -m -t %s -r %s -f '%s' %s" % (type, mls, ftype, fspec)) + if rc != 0: + self.error(out) + return False + + store, iter = self.view.get_selection().get_selected() + self.store.set_value(iter, SPEC_COL, fspec) + self.store.set_value(iter, FTYPE_COL, ftype) + self.store.set_value(iter, TYPE_COL, "system_u:object_r:%s:%s" % (type, mls)) diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/loginsPage.py policycoreutils-2.0.25/gui/loginsPage.py --- nsapolicycoreutils/gui/loginsPage.py 1969-12-31 19:00:00.000000000 -0500 +++ policycoreutils-2.0.25/gui/loginsPage.py 2007-08-28 09:22:17.000000000 -0400 
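Review bot: add, modify and delete interpolate the raw entry text into a shell command — `"semanage fcontext -a -t %s -r %s -f '%s' %s" % (type, mls, ftype, fspec)` — and fspec is not quoted at all, so a file specification with a space or shell syntax (typical specs such as `/srv/www(/.*)?` contain parentheses, which are a syntax error to sh when unquoted) is re-tokenised or rejected before semanage sees it, and an empty type or fspec silently yields a different command. Build an argument list and read the output instead: `p = subprocess.Popen(["semanage", "fcontext", "-a", "-t", type, "-r", mls, "-f", ftype, fspec], stdout=subprocess.PIPE, stderr=subprocess.STDOUT)`, `out = p.communicate()[0]`, `rc = p.returncode`, and reject empty type/fspec before running anything. In load, `rec` reads `fcon[5]` after only checking `len(fcon) > 3`; whether fcontextRecords().get_all() can return shorter records cannot be told from this hunk, so either the guard or a comment stating the record layout is needed. The `except ValueError` in delete wraps code that raises no ValueError and will not catch a failed store access.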
@@ -0,0 +1,180 @@ +## loginsPage.py - show selinux mappings +## Copyright (C) 2006 Red Hat, Inc. + +## This program is free software; you can redistribute it and/or modify +## it under the terms of the GNU General Public License as published by +## the Free Software Foundation; either version 2 of the License, or +## (at your option) any later version. + +## This program is distributed in the hope that it will be useful, +## but WITHOUT ANY WARRANTY; without even the implied warranty of +## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +## GNU General Public License for more details. + +## You should have received a copy of the GNU General Public License +## along with this program; if not, write to the Free Software +## Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. + +## Author: Dan Walsh +import string +import gtk +import gtk.glade +import os +import libxml2 +import gobject +import sys +import commands +import seobject +from semanagePage import *; + +## +## I18N +## +PROGNAME="policycoreutils" +import gettext +gettext.bindtextdomain(PROGNAME, "/usr/share/locale") +gettext.textdomain(PROGNAME) +try: + gettext.install(PROGNAME, + localedir="/usr/share/locale", + unicode=False, + codeset = 'utf-8') +except IOError: + import __builtin__ + __builtin__.__dict__['_'] = unicode + +class loginsPage(semanagePage): + def __init__(self, xml): + self.firstTime = False + semanagePage.__init__(self, xml, "logins", _("User Mapping")) + self.store = gtk.ListStore(gobject.TYPE_STRING, gobject.TYPE_STRING, gobject.TYPE_STRING) + self.view.set_model(self.store) + self.store.set_sort_column_id(0, gtk.SORT_ASCENDING) + col = gtk.TreeViewColumn(_("Login\nName"), gtk.CellRendererText(), text = 0) + col.set_sort_column_id(0) + col.set_resizable(True) + self.view.append_column(col) + col = gtk.TreeViewColumn(_("SELinux\nUser"), gtk.CellRendererText(), text = 1) + col.set_resizable(True) + self.view.append_column(col) + col = gtk.TreeViewColumn(_("MLS/\nMCS 
Range"), gtk.CellRendererText(), text = 2) + col.set_resizable(True) + self.view.append_column(col) + self.load() + self.loginsNameEntry = xml.get_widget("loginsNameEntry") + self.loginsSelinuxUserCombo = xml.get_widget("loginsSelinuxUserCombo") + self.loginsMLSEntry = xml.get_widget("loginsMLSEntry") + + def load(self, filter = ""): + self.filter=filter + self.login = seobject.loginRecords() + dict = self.login.get_all() + keys = dict.keys() + keys.sort() + self.store.clear() + for k in keys: + range = seobject.translate(dict[k][1]) + if not (self.match(k, filter) or self.match(dict[k][0], filter) or self.match(range, filter)): + continue + iter = self.store.append() + self.store.set_value(iter, 0, k) + self.store.set_value(iter, 1, dict[k][0]) + self.store.set_value(iter, 2, range) + self.view.get_selection().select_path ((0,)) + + def __dialogSetup(self): + if self.firstTime == True: + return + self.firstTime = True + liststore = gtk.ListStore(gobject.TYPE_STRING) + self.loginsSelinuxUserCombo.set_model(liststore) + cell = gtk.CellRendererText() + self.loginsSelinuxUserCombo.pack_start(cell, True) + self.loginsSelinuxUserCombo.add_attribute(cell, 'text', 0) + + selusers = seobject.seluserRecords().get_all() + keys = selusers.keys() + keys.sort() + for k in keys: + if k != "system_u": + self.loginsSelinuxUserCombo.append_text(k) + + iter = liststore.get_iter_first() + while liststore.get_value(iter,0) != "user_u": + iter = liststore.iter_next(iter) + self.loginsSelinuxUserCombo.set_active_iter(iter) + + def dialogInit(self): + self.__dialogSetup() + store, iter = self.view.get_selection().get_selected() + self.loginsNameEntry.set_text(store.get_value(iter, 0)) + self.loginsNameEntry.set_sensitive(False) + + self.loginsMLSEntry.set_text(store.get_value(iter, 2)) + seuser = store.get_value(iter, 1) + liststore = self.loginsSelinuxUserCombo.get_model() + iter = liststore.get_iter_first() + while iter != None and liststore.get_value(iter,0) != seuser: + iter = 
liststore.iter_next(iter) + if iter != None: + self.loginsSelinuxUserCombo.set_active_iter(iter) + + + def dialogClear(self): + self.__dialogSetup() + self.loginsNameEntry.set_text("") + self.loginsNameEntry.set_sensitive(True) + self.loginsMLSEntry.set_text("s0") + + def delete(self): + store, iter = self.view.get_selection().get_selected() + try: + login=store.get_value(iter, 0) + if login == "root" or login == "__default__": + raise ValueError(_("Login '%s' is required") % login) + + (rc, out) = commands.getstatusoutput("semanage login -d %s" % login) + if rc != 0: + self.error(out) + return False + store.remove(iter) + self.view.get_selection().select_path ((0,)) + except ValueError, e: + self.error(e.args[0]) + + def add(self): + target=self.loginsNameEntry.get_text().strip() + serange=self.loginsMLSEntry.get_text().strip() + if serange == "": + serange="s0" + list_model=self.loginsSelinuxUserCombo.get_model() + iter = self.loginsSelinuxUserCombo.get_active_iter() + seuser = list_model.get_value(iter,0) + (rc, out) = commands.getstatusoutput("semanage login -a -s %s -r %s %s" % (seuser, serange, target)) + if rc != 0: + self.error(out) + return False + + iter = self.store.append() + self.store.set_value(iter, 0, target) + self.store.set_value(iter, 1, seuser) + self.store.set_value(iter, 2, seobject.translate(serange)) + + def modify(self): + target=self.loginsNameEntry.get_text().strip() + serange=self.loginsMLSEntry.get_text().strip() + if serange == "": + serange = "s0" + list_model = self.loginsSelinuxUserCombo.get_model() + iter = self.loginsSelinuxUserCombo.get_active_iter() + seuser=list_model.get_value(iter,0) + (rc, out) = commands.getstatusoutput("semanage login -m -s %s -r %s %s" % (seuser, serange, target)) + if rc != 0: + self.error(out) + return False + + store, iter = self.view.get_selection().get_selected() + self.store.set_value(iter, 0, target) + self.store.set_value(iter, 1, seuser) + self.store.set_value(iter, 2, 
seobject.translate(serange)) + diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/Makefile policycoreutils-2.0.25/gui/Makefile --- nsapolicycoreutils/gui/Makefile 1969-12-31 19:00:00.000000000 -0500 +++ policycoreutils-2.0.25/gui/Makefile 2007-08-28 09:22:17.000000000 -0400 @@ -0,0 +1,34 @@ +# Installation directories. +PREFIX ?= ${DESTDIR}/usr +SHAREDIR ?= $(PREFIX)/share/system-config-selinux + +TARGETS= \ +booleansPage.py \ +fcontextPage.py \ +loginsPage.py \ +mappingsPage.py \ +modulesPage.py \ +polgen.py \ +polgen.glade \ +portsPage.py \ +semanagePage.py \ +statusPage.py \ +system-config-selinux.glade \ +translationsPage.py \ +usersPage.py \ +selinux.tbl + +all: $(TARGETS) system-config-selinux.py polgengui.py templates + +install: all + -mkdir -p $(SHAREDIR)/templates + install -m 755 system-config-selinux.py $(SHAREDIR) + install -m 755 polgengui.py $(SHAREDIR) + install -m 644 $(TARGETS) $(SHAREDIR) + install -m 644 templates/*.py $(SHAREDIR)/templates/ + +clean: + +indent: + +relabel: diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/mappingsPage.py policycoreutils-2.0.25/gui/mappingsPage.py --- nsapolicycoreutils/gui/mappingsPage.py 1969-12-31 19:00:00.000000000 -0500 +++ policycoreutils-2.0.25/gui/mappingsPage.py 2007-08-28 09:22:17.000000000 -0400 
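Review bot: In __dialogSetup the loop `while liststore.get_value(iter,0) != "user_u":` has no None guard, unlike the equivalent loop in dialogInit; if no SELinux user named user_u is present (the combo is filled from seluserRecords().get_all() minus system_u, which nothing in this hunk guarantees contains user_u), iter_next returns None and the next get_value raises instead of opening the dialog. Mirror dialogInit with `while iter != None and liststore.get_value(iter,0) != "user_u":` and `if iter != None: self.loginsSelinuxUserCombo.set_active_iter(iter)`. The root/__default__ guard in delete is a good safeguard; add and modify, however, run `"semanage login -a -s %s -r %s %s" % (seuser, serange, target)` through the shell with an unquoted login name taken straight from the entry, the same pattern noted on the booleansPage hunk. `dict` and `range` in load shadow builtins and would read better as `logins` and `serange`.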
@@ -0,0 +1,57 @@ +## mappingsPage.py - show selinux mappings +## Copyright (C) 2006 Red Hat, Inc. + +## This program is free software; you can redistribute it and/or modify +## it under the terms of the GNU General Public License as published by +## the Free Software Foundation; either version 2 of the License, or +## (at your option) any later version. + +## This program is distributed in the hope that it will be useful, +## but WITHOUT ANY WARRANTY; without even the implied warranty of +## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +## GNU General Public License for more details. + +## You should have received a copy of the GNU General Public License +## along with this program; if not, write to the Free Software +## Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. + +## Author: Dan Walsh +import string +import gtk +import gtk.glade +import os +import libxml2 +import gobject +import sys +import seobject + +## +## I18N +## +PROGNAME="policycoreutils" +import gettext +gettext.bindtextdomain(PROGNAME, "/usr/share/locale") +gettext.textdomain(PROGNAME) +try: + gettext.install(PROGNAME, + localedir="/usr/share/locale", + unicode=False, + codeset = 'utf-8') +except IOError: + import __builtin__ + __builtin__.__dict__['_'] = unicode + +class loginsPage: + def __init__(self, xml): + self.xml = xml + self.view = xml.get_widget("mappingsView") + self.store = gtk.ListStore(gobject.TYPE_STRING, gobject.TYPE_STRING, gobject.TYPE_STRING) + self.store.set_sort_column_id(0, gtk.SORT_ASCENDING) + self.view.set_model(self.store) + self.login = loginRecords() + dict = self.login.get_all() + keys = dict.keys() + keys.sort() + for k in keys: + print "%-25s %-25s %-25s" % (k, dict[k][0], translate(dict[k][1])) + diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/modulesPage.py policycoreutils-2.0.25/gui/modulesPage.py --- nsapolicycoreutils/gui/modulesPage.py 1969-12-31 19:00:00.000000000 -0500 +++ policycoreutils-2.0.25/gui/modulesPage.py 
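Review bot: __init__ calls `loginRecords()` and `translate(...)` unqualified, but the module only does `import seobject` with no star import, so constructing this page raises NameError at `self.login = loginRecords()`; qualify both, `self.login = seobject.loginRecords()` and `seobject.translate(dict[k][1])`, or import the names explicitly. The class is also named loginsPage although it lives in mappingsPage.py, which collides with the loginsPage class defined in loginsPage.py for any module that star-imports both. The loop prints each record to stdout rather than appending it to self.store, which is created and bound to the view but never filled — this reads like a debugging leftover, so confirm the intended behaviour.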
2007-08-28 09:22:17.000000000 -0400 
@@ -0,0 +1,182 @@ +## modulesPage.py - show selinux mappings +## Copyright (C) 2006 Red Hat, Inc. + +## This program is free software; you can redistribute it and/or modify +## it under the terms of the GNU General Public License as published by +## the Free Software Foundation; either version 2 of the License, or +## (at your option) any later version. + +## This program is distributed in the hope that it will be useful, +## but WITHOUT ANY WARRANTY; without even the implied warranty of +## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +## GNU General Public License for more details. + +## You should have received a copy of the GNU General Public License +## along with this program; if not, write to the Free Software +## Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. + +## Author: Dan Walsh +import string +import gtk +import gtk.glade +import os +import commands +import libxml2 +import gobject +import sys +import seobject +import selinux +from semanagePage import *; + +## +## I18N +## +PROGNAME="policycoreutils" +import gettext +gettext.bindtextdomain(PROGNAME, "/usr/share/locale") +gettext.textdomain(PROGNAME) +try: + gettext.install(PROGNAME, + localedir="/usr/share/locale", + unicode=False, + codeset = 'utf-8') +except IOError: + import __builtin__ + __builtin__.__dict__['_'] = unicode + +class modulesPage(semanagePage): + def __init__(self, xml): + semanagePage.__init__(self, xml, "modules", _("Policy Module")) + self.module_filter = xml.get_widget("modulesFilterEntry") + self.module_filter.connect("focus_out_event", self.filter_changed) + self.module_filter.connect("activate", self.filter_changed) + + self.store = gtk.ListStore(gobject.TYPE_STRING, gobject.TYPE_STRING) + self.view.set_model(self.store) + self.store.set_sort_column_id(0, gtk.SORT_ASCENDING) + col = gtk.TreeViewColumn(_("Module Name"), gtk.CellRendererText(), text = 0) + col.set_sort_column_id(0) + col.set_resizable(True) + self.view.append_column(col) + 
self.store.set_sort_column_id(0, gtk.SORT_ASCENDING) + col = gtk.TreeViewColumn(_("Version"), gtk.CellRendererText(), text = 1) + self.enable_audit_button = xml.get_widget("enableAuditButton") + self.enable_audit_button.connect("clicked", self.enable_audit) + self.disable_audit_button = xml.get_widget("disableAuditButton") + self.disable_audit_button.connect("clicked", self.disable_audit) + self.new_button = xml.get_widget("newModuleButton") + self.new_button.connect("clicked", self.new_module) + col.set_sort_column_id(1) + col.set_resizable(True) + self.view.append_column(col) + self.store.set_sort_func(1,self.sort_int, "") + status, self.policy_type = selinux.selinux_getpolicytype() + + self.load() + + def sort_int(self, treemodel, iter1, iter2, user_data): + try: + p1 = int(treemodel.get_value(iter1,1)) + p2 = int(treemodel.get_value(iter1,1)) + if p1 > p2: + return 1 + if p1 == p2: + return 0 + return -1 + except: + return 0 + + def load(self, filter=""): + self.filter=filter + self.store.clear() + try: + fd=os.popen("semodule -l") + l = fd.readlines() + fd.close() + for i in l: + module, ver = i.split('\t') + if not (self.match(module, filter) or self.match(ver, filter)): + continue + iter = self.store.append() + self.store.set_value(iter, 0, module.strip()) + self.store.set_value(iter, 1, ver.strip()) + except: + pass + self.view.get_selection().select_path ((0,)) + + + def new_module(self, args): + try: + os.spawnl(os.P_NOWAIT, "/usr/share/system-config-selinux/polgengui.py") + except ValueError, e: + self.error(e.args[0]) + + def delete(self): + store, iter = self.view.get_selection().get_selected() + module = store.get_value(iter, 0) + try: + status, output = commands.getstatusoutput("semodule -r %s" % module) + if status != 0: + self.error(output) + else: + store.remove(iter) + self.view.get_selection().select_path ((0,)) + + except ValueError, e: + self.error(e.args[0]) + + def enable_audit(self, button): + try: + status, output 
=commands.getstatusoutput("semodule -b /usr/share/selinux/%s/enableaudit.pp" % self.policy_type) + if status != 0: + self.error(output) + + except ValueError, e: + self.error(e.args[0]) + + def disable_audit(self, button): + try: + status, output =commands.getstatusoutput("semodule -b /usr/share/selinux/%s/base.pp" % self.policy_type) + if status != 0: + self.error(output) + + except ValueError, e: + self.error(e.args[0]) + + def propertiesDialog(self): + # Do nothing + return + + def addDialog(self): + dialog = gtk.FileChooserDialog(_("Load Policy Module"), + None, + gtk.FILE_CHOOSER_ACTION_OPEN, + (gtk.STOCK_CANCEL, gtk.RESPONSE_CANCEL, + gtk.STOCK_OPEN, gtk.RESPONSE_OK)) + dialog.set_default_response(gtk.RESPONSE_OK) + + filter = gtk.FileFilter() + filter.set_name("Policy Files") + filter.add_pattern("*.pp") + dialog.add_filter(filter) + + response = dialog.run() + if response == gtk.RESPONSE_OK: + self.add(dialog.get_filename()) + dialog.destroy() + + def add(self, file): + try: + status, output =commands.getstatusoutput("semodule -i %s" % file) + if status != 0: + self.error(output) + else: + self.load() + + except ValueError, e: + self.error(e.args[0]) + + + + + diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.glade policycoreutils-2.0.25/gui/polgen.glade --- nsapolicycoreutils/gui/polgen.glade 1969-12-31 19:00:00.000000000 -0500 +++ policycoreutils-2.0.25/gui/polgen.glade 2007-08-28 10:01:36.000000000 -0400 
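Review bot: sort_int compares the version column against itself — `p2 = int(treemodel.get_value(iter1,1))` reads iter1 a second time — so the comparison always returns 0 and the set_sort_func registered for column 1 never orders rows; it should be `p2 = int(treemodel.get_value(iter2,1))`. If versions are dotted strings, int() raises and the bare `except:` reports them as equal, which deserves a comment or a narrower handler. In add, `"semodule -i %s" % file` passes the path chosen in the file dialog through the shell unquoted, so a path containing a space or shell metacharacters is split or expanded before semodule runs; presumably this runs with the privileges semodule needs, so an argument list such as `subprocess.Popen(["semodule", "-i", file], stdout=subprocess.PIPE, stderr=subprocess.STDOUT)` is the safer form (same pattern as on the booleansPage hunk). load swallows every exception with `except: pass`, which turns a malformed `semodule -l` line (the `module, ver = i.split('\t')` unpack) into a silently empty module list; narrow it to the expected exceptions and report them.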
@@ -0,0 +1,2261 @@ + + + + + + + + 5 + GTK_FILE_CHOOSER_ACTION_OPEN + True + True + True + False + GTK_WINDOW_TOPLEVEL + GTK_WIN_POS_MOUSE + False + True + False + True + False + False + GDK_WINDOW_TYPE_HINT_DIALOG + GDK_GRAVITY_NORTH_WEST + True + False + + + + True + False + 24 + + + + True + GTK_BUTTONBOX_END + + + + True + True + True + gtk-cancel + True + GTK_RELIEF_NORMAL + True + -6 + + + + + + True + True + True + True + gtk-add + True + GTK_RELIEF_NORMAL + True + -5 + + + + + 0 + False + True + GTK_PACK_END + + + + + + + + 5 + False + Polgen + Red Hat 2007 + GPL + False + www.redhat.com + Daniel Walsh <dwalsh@redhat.com> + translator-credits + + + + True + SELinux Policy Generation Tool + GTK_WINDOW_TOPLEVEL + GTK_WIN_POS_NONE + False + True + False + True + False + False + GDK_WINDOW_TYPE_HINT_NORMAL + GDK_GRAVITY_NORTH_WEST + True + False + + + + True + False + 0 + + + + True + False + True + GTK_POS_TOP + False + False + + + + True + GNOME_EDGE_START + SELinux Policy Generation Druid + This tool can be used to generate a policy framework, to confine an application or users using SELinux. + +The tool generates: +Type Enforcement File (te) +Interface file (if) +File Context File (fc) +Shell script (sh) - used to compile and install the policy. + + + False + True + + + + + + True + label25 + False + False + GTK_JUSTIFY_LEFT + False + False + 0.5 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + tab + + + + + + True + Select what you want to confine. 
+ + + + + 16 + True + False + 6 + + + + True + False + 0 + + + + True + True + Confine an application + True + GTK_RELIEF_NORMAL + True + True + False + True + + + 0 + False + False + + + + + + True + True + Confine a user + True + GTK_RELIEF_NORMAL + True + False + False + True + confine_application_radiobutton + + + 0 + False + False + + + + + 0 + True + True + + + + + + + False + True + + + + + + True + label26 + False + False + GTK_JUSTIFY_LEFT + False + False + 0.5 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + tab + + + + + + True + Name and Type of user to confine. + + + + 16 + True + False + 6 + + + + True + False + 0 + + + + True + False + 0 + + + + True + Select login user, if this is a user who will login to a machine directly + True + XWindows Login User + True + GTK_RELIEF_NORMAL + True + False + False + True + + + 0 + False + False + + + + + + True + Select login user, if this is a user who will login to a machine directly + True + Terminal Login User + True + GTK_RELIEF_NORMAL + True + False + False + True + xwindows_login_user_radiobutton + + + 10 + False + False + + + + + + True + True + Root User + True + GTK_RELIEF_NORMAL + True + False + False + True + xwindows_login_user_radiobutton + + + 10 + False + False + + + + + 0 + False + False + + + + + + True + False + 0 + + + + True + Name + False + False + GTK_JUSTIFY_LEFT + False + False + 0 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + 5 + False + False + + + + + + True + True + True + True + 0 + + True + + False + + + 0 + True + True + + + + + 0 + False + True + + + + + 0 + True + True + + + + + + + False + True + + + + + + True + label27 + False + False + GTK_JUSTIFY_LEFT + False + False + 0.5 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + tab + + + + + + True + Name of application to be confined + + + + 16 + True + False + 6 + + + + True + 2 + 3 + False + 0 + 5 + + + + True + Name + False + False + GTK_JUSTIFY_LEFT + False + False + 0 + 0.5 + 0 + 0 + 
PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + 0 + 1 + 0 + 1 + fill + + + + + + + True + Enter path to executable to be confined. + True + True + True + 0 + + True + + False + + + 1 + 2 + 1 + 2 + + + + + + + True + True + ... + True + GTK_RELIEF_NORMAL + True + + + + 2 + 3 + 1 + 2 + fill + + + + + + + True + Enter unique policy type name for confined application. + True + True + True + 0 + + True + + False + + + 1 + 3 + 0 + 1 + + + + + + + True + Executable + False + False + GTK_JUSTIFY_LEFT + False + False + 0 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + 0 + 1 + 1 + 2 + fill + + + + + + 0 + True + True + + + + + + + False + True + + + + + + True + label28 + False + False + GTK_JUSTIFY_LEFT + False + False + 0.5 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + tab + + + + + + True + Select Application Transitions for this domain + + + + 16 + True + False + 6 + + + + True + True + GTK_POLICY_ALWAYS + GTK_POLICY_ALWAYS + GTK_SHADOW_IN + GTK_CORNER_TOP_LEFT + + + + True + Select the applications that you would like this domain to transition to. 
+ True + False + False + False + True + False + False + False + + + + + 0 + True + True + + + + + + + + + + True + label28 + False + False + GTK_JUSTIFY_LEFT + False + False + 0.5 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + tab + + + + + + True + Application Type + + + + 16 + True + False + 6 + + + + True + False + 0 + + + + True + True + Standard Init Daemon + True + GTK_RELIEF_NORMAL + True + False + False + True + + + 0 + False + False + + + + + + True + True + Internet Services Daemon (inetd) + True + GTK_RELIEF_NORMAL + True + False + False + True + init_radiobutton + + + 0 + False + False + + + + + + True + True + Web Application/Script (CGI) + True + GTK_RELIEF_NORMAL + True + False + False + True + init_radiobutton + + + 0 + False + False + + + + + + True + True + User Application + True + GTK_RELIEF_NORMAL + True + False + False + True + init_radiobutton + + + 0 + False + False + + + + + 0 + True + True + + + + + + + False + True + + + + + + True + label29 + False + False + GTK_JUSTIFY_LEFT + False + False + 0.5 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + tab + + + + + + True + Incoming Network Port Connections + + + + 16 + True + False + 6 + + + + True + 0 + 0.5 + GTK_SHADOW_NONE + + + + True + 0.5 + 0.5 + 1 + 1 + 0 + 0 + 12 + 0 + + + + True + False + 0 + + + + True + False + 0 + + + + True + Allows confined application to bind to any port + True + All + True + GTK_RELIEF_NORMAL + True + False + False + True + + + 10 + False + False + + + + + + True + Use this checkbutton if your app calls bindresvport with 0. 
+ True + 600-1024 + True + GTK_RELIEF_NORMAL + True + False + False + True + + + 10 + False + False + + + + + + True + Any non defined ports > 1024 + True + Unreserved Ports (> 1024) + True + GTK_RELIEF_NORMAL + True + False + False + True + + + 10 + False + False + + + + + 0 + True + True + + + + + + True + False + 0 + + + + True + Select Ports + False + False + GTK_JUSTIFY_LEFT + False + False + 0 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + 5 + False + False + + + + + + True + Enter a comma separated list of tcp ports that this application binds to. + True + True + True + 0 + + True + + False + + + 0 + True + True + + + + + 0 + True + True + + + + + + + + + + True + <b>TCP Ports</b> + False + True + GTK_JUSTIFY_LEFT + False + False + 0.5 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + label_item + + + + + 0 + True + True + + + + + + True + 0 + 0.5 + GTK_SHADOW_NONE + + + + True + 0.5 + 0.5 + 1 + 1 + 0 + 0 + 12 + 0 + + + + True + False + 0 + + + + True + False + 0 + + + + True + Allows confined application to bind to any port + True + All + True + GTK_RELIEF_NORMAL + True + False + False + True + + + 10 + False + False + + + + + + True + Use this checkbutton if your app calls bindresvport with 0. + True + 600-1024 + True + GTK_RELIEF_NORMAL + True + False + False + True + + + 10 + False + False + + + + + + True + Any non defined ports > 1024 + True + Unreserved Ports (>1024) + True + GTK_RELIEF_NORMAL + True + False + False + True + + + 10 + False + False + + + + + 0 + True + True + + + + + + True + False + 0 + + + + True + Select Ports + False + False + GTK_JUSTIFY_LEFT + False + False + 0 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + 5 + False + False + + + + + + True + Enter a comma separated list of tcp ports that this application binds to. 
+ True + True + True + 0 + + True + + False + + + 0 + True + True + + + + + 0 + True + True + + + + + + + + + + True + <b>UDP Ports</b> + False + True + GTK_JUSTIFY_LEFT + False + False + 0.5 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + label_item + + + + + 0 + True + True + + + + + + + False + True + + + + + + True + label30 + False + False + GTK_JUSTIFY_LEFT + False + False + 0.5 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + tab + + + + + + True + Outgoing Network Port Connections + + + + 16 + True + False + 6 + + + + True + 0 + 0.5 + GTK_SHADOW_NONE + + + + True + 0.5 + 0.5 + 1 + 1 + 0 + 0 + 12 + 0 + + + + True + False + 0 + + + + True + 0.5 + 0.5 + 1 + 1 + 0 + 0 + 12 + 0 + + + + True + False + 0 + + + + True + True + All + True + GTK_RELIEF_NORMAL + True + False + False + True + + + 10 + False + False + + + + + + True + Select Ports + False + False + GTK_JUSTIFY_LEFT + False + False + 0 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + 5 + False + False + + + + + + True + Enter a comma separated list of udp ports that this application connects to. + True + True + True + 0 + + True + + False + + + 0 + True + True + + + + + + + 0 + True + True + + + + + + + + + + True + <b>TCP Ports</b> + False + True + GTK_JUSTIFY_LEFT + False + False + 0.5 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + label_item + + + + + 0 + True + True + + + + + + True + 0 + 0.5 + GTK_SHADOW_NONE + + + + True + 0.5 + 0.5 + 1 + 1 + 0 + 0 + 12 + 0 + + + + True + False + 0 + + + + True + True + All + True + GTK_RELIEF_NORMAL + True + False + False + True + + + 10 + False + False + + + + + + True + Select Ports + False + False + GTK_JUSTIFY_LEFT + False + False + 0 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + 5 + False + False + + + + + + True + Enter a comma separated list of udp ports that this application connects to. 
+ True + True + True + 0 + + True + + False + + + 0 + True + True + + + + + + + + + + True + <b>UDP Ports</b> + False + True + GTK_JUSTIFY_LEFT + False + False + 0.5 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + label_item + + + + + 0 + True + True + + + + + + + False + True + + + + + + True + label31 + False + False + GTK_JUSTIFY_LEFT + False + False + 0.5 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + tab + + + + + + True + Common Application Traits + + + + 16 + True + False + 6 + + + + True + False + 0 + + + + True + True + Application uses syslog to log messages + True + GTK_RELIEF_NORMAL + True + False + False + True + + + 0 + False + False + + + + + + True + True + Application uses /tmp to Create/Manipulate temporary files + True + GTK_RELIEF_NORMAL + True + False + False + True + + + 0 + False + False + + + + + + True + True + Application uses Pam for authentication + True + GTK_RELIEF_NORMAL + True + False + False + True + + + 0 + False + False + + + + + + True + True + Application uses nsswitch or translates UID's (daemons that run as non root) + True + GTK_RELIEF_NORMAL + True + False + False + True + + + 0 + False + False + + + + + 0 + True + True + + + + + + + False + True + + + + + + True + label32 + False + False + GTK_JUSTIFY_LEFT + False + False + 0.5 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + tab + + + + + + True + Files and Directories + + + + 16 + True + False + 6 + + + + True + 0 + 0.5 + GTK_SHADOW_NONE + + + + True + 0.5 + 0.5 + 1 + 1 + 0 + 0 + 12 + 0 + + + + True + False + 0 + + + + True + False + 0 + + + + True + True + GTK_RELIEF_NORMAL + True + + + + + True + 0.5 + 0.5 + 0 + 0 + 0 + 0 + 0 + 0 + + + + True + False + 2 + + + + True + gtk-add + 4 + 0.5 + 0.5 + 0 + 0 + + + 0 + False + False + + + + + + True + Add File + True + False + GTK_JUSTIFY_LEFT + False + False + 0.5 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + 0 + False + False + + + + + + + + + 0 + False + False + + + + + + True 
+ True + GTK_RELIEF_NORMAL + True + + + + + True + 0.5 + 0.5 + 0 + 0 + 0 + 0 + 0 + 0 + + + + True + False + 2 + + + + True + gtk-add + 4 + 0.5 + 0.5 + 0 + 0 + + + 0 + False + False + + + + + + True + Add Directory + True + False + GTK_JUSTIFY_LEFT + False + False + 0.5 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + 0 + False + False + + + + + + + + + 0 + False + False + + + + + + True + True + gtk-delete + True + GTK_RELIEF_NORMAL + True + + + + + 0 + False + False + + + + + 4 + False + True + + + + + + True + True + GTK_POLICY_NEVER + GTK_POLICY_NEVER + GTK_SHADOW_IN + GTK_CORNER_TOP_LEFT + + + + True + GTK_SHADOW_IN + + + + True + False + 0 + + + + True + True + GTK_POLICY_ALWAYS + GTK_POLICY_ALWAYS + GTK_SHADOW_IN + GTK_CORNER_TOP_LEFT + + + + True + Add Files/Directories that this application will need to "Write" to. Pid Files, Log Files, /var/lib Files ... + True + False + False + False + True + False + False + False + + + + + 0 + True + True + + + + + + + + + 0 + True + True + + + + + + + + + 0 + True + True + + + + + + + False + True + + + + + + True + label33 + False + False + GTK_JUSTIFY_LEFT + False + False + 0.5 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + tab + + + + + + True + Generate policy in this directory + + + + 16 + True + False + 5 + + + + True + False + 0 + + + + True + Policy Directory + False + False + GTK_JUSTIFY_LEFT + False + False + 0.5 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + 5 + False + False + + + + + + True + True + True + True + 0 + + True + + False + + + 0 + True + True + + + + + + True + True + ... 
+ True + GTK_RELIEF_NORMAL + True + + + 0 + False + False + + + + + 0 + False + True + + + + + + + False + True + + + + + + True + label34 + False + False + GTK_JUSTIFY_LEFT + False + False + 0.5 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + tab + + + + + + True + GNOME_EDGE_FINISH + Generated Policy Files + This tool will generate the following: Type Enforcment(te), File Context(fc), Interface(if), Shell Script(sh). +Execute shell script to compile/install and relabel files/directories. Now you can put the machine in permissive mode (setenforce 0). +Run/restart the application to generate avc messages. +Use audit2allow -R to generate additional rules for the te file. + + + + False + True + + + + + + True + label35 + False + False + GTK_JUSTIFY_LEFT + False + False + 0.5 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + tab + + + + + 0 + True + True + + + + + + True + 0.5 + 0.5 + 1 + 1 + 0 + 0 + 0 + 0 + + + + True + GTK_BUTTONBOX_END + 0 + + + + True + True + True + gtk-cancel + True + GTK_RELIEF_NORMAL + True + + + + + + + True + True + True + gtk-go-back + True + GTK_RELIEF_NORMAL + True + + + + + + + True + True + True + gtk-go-forward + True + GTK_RELIEF_NORMAL + True + + + + + + + + 0 + True + True + + + + + + + diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgengui.py policycoreutils-2.0.25/gui/polgengui.py --- nsapolicycoreutils/gui/polgengui.py 1969-12-31 19:00:00.000000000 -0500 +++ policycoreutils-2.0.25/gui/polgengui.py 2007-08-28 15:23:13.000000000 -0400 
@@ -0,0 +1,407 @@ +#!/usr/bin/python +# +# system-config-selinux.py - GUI for SELinux Config tool in system-config-selinux +# +# Dan Walsh +# +# Copyright 2007 Red Hat, Inc. +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +# +import signal +import string +import gtk +import gtk.glade +import os +import libxml2 +import gobject +import gnome +import sys +import polgen +import sepolgen.interfaces as interfaces +import sepolgen.defaults as defaults +import re + +## +## I18N +## +PROGNAME="system-config-selinux" + +import gettext +gettext.bindtextdomain(PROGNAME, "/usr/share/locale") +gettext.textdomain(PROGNAME) +try: + gettext.install(PROGNAME, + localedir="/usr/share/locale", + unicode=False, + codeset = 'utf-8') +except IOError: + import __builtin__ + __builtin__.__dict__['_'] = unicode + +gnome.program_init("SELinux Poligy Generation Tool", "5") + +version = "1.0" + +sys.path.append('/usr/share/system-config-selinux') +sys.path.append('.') + +# From John Hunter http://www.daa.com.au/pipermail/pygtk/2003-February/004454.html +def foreach(model, path, iter, selected): + selected.append(model.get_value(iter, 0)) + +## +## Pull in the Glade file +## +if os.access("polgen.glade", os.F_OK): + xml = gtk.glade.XML ("polgen.glade", domain=PROGNAME) +else: + xml = gtk.glade.XML ("/usr/share/system-config-selinux/polgen.glade", 
domain=PROGNAME) + +fn = defaults.interface_info() +try: + fd = open(fn) +except: + sys.stderr.write("could not open interface info [%s]\n" % fn) + sys.exit(1) + +FILE = 1 +DIR = 2 +class childWindow: + START_PAGE = 0 + SELECT_TYPE_PAGE = 1 + USER_PAGE = 2 + APP_PAGE = 3 + TRANSITION_PAGE = 4 + APP_TYPE_PAGE = 5 + IN_NET_PAGE = 6 + OUT_NET_PAGE = 7 + COMMON_APPS_PAGE = 8 + FILES_PAGE = 9 + GEN_POLCIY_PAGE = 10 + FINISH_PAGE = 11 + + def __init__(self): + self.xml = xml + xml.signal_connect("on_delete_clicked", self.delete) + xml.signal_connect("on_exec_select_clicked", self.exec_select) + xml.signal_connect("on_add_clicked", self.add) + xml.signal_connect("on_add_dir_clicked", self.add_dir) + xml.signal_connect("on_about_clicked", self.on_about_clicked) + xml.get_widget ("cancel_button").connect("clicked",self.quit) + self.forward_button = xml.get_widget ("forward_button") + self.forward_button.connect("clicked",self.forward) + self.back_button = xml.get_widget ("back_button") + self.back_button.connect("clicked",self.back) + + self.confine_application = xml.get_widget ("confine_application_radiobutton") + + self.notebook = xml.get_widget ("notebook1") + self.pages={} + self.pages[0] = [ self.START_PAGE, self.SELECT_TYPE_PAGE, self.USER_PAGE, self.TRANSITION_PAGE, self.IN_NET_PAGE, self.OUT_NET_PAGE, self.GEN_POLCIY_PAGE, self.FINISH_PAGE] + + self.pages[1] = [ self.START_PAGE, self.SELECT_TYPE_PAGE, self.APP_PAGE, self.APP_TYPE_PAGE, self.IN_NET_PAGE, self.OUT_NET_PAGE, self.COMMON_APPS_PAGE, self.FILES_PAGE,self.GEN_POLCIY_PAGE, self.FINISH_PAGE ] + self.current_page = 0 + self.back_button.set_sensitive(0) + + self.network_buttons = {} + + self.in_tcp_all_checkbutton = xml.get_widget ("in_tcp_all_checkbutton") + self.in_tcp_reserved_checkbutton = xml.get_widget ("in_tcp_reserved_checkbutton") + self.in_tcp_unreserved_checkbutton = xml.get_widget ("in_tcp_unreserved_checkbutton") + self.in_tcp_entry = self.xml.get_widget("in_tcp_entry") + 
self.network_buttons[self.in_tcp_all_checkbutton] = [ self.in_tcp_reserved_checkbutton, self.in_tcp_unreserved_checkbutton, self.in_tcp_entry ] + + + self.out_tcp_all_checkbutton = xml.get_widget ("out_tcp_all_checkbutton") + self.out_tcp_reserved_checkbutton = xml.get_widget ("out_tcp_reserved_checkbutton") + self.out_tcp_unreserved_checkbutton = xml.get_widget ("out_tcp_unreserved_checkbutton") + self.out_tcp_entry = self.xml.get_widget("out_tcp_entry") + + self.network_buttons[self.out_tcp_all_checkbutton] = [ self.out_tcp_entry ] + + self.in_udp_all_checkbutton = xml.get_widget ("in_udp_all_checkbutton") + self.in_udp_reserved_checkbutton = xml.get_widget ("in_udp_reserved_checkbutton") + self.in_udp_unreserved_checkbutton = xml.get_widget ("in_udp_unreserved_checkbutton") + self.in_udp_entry = self.xml.get_widget("in_udp_entry") + + self.network_buttons[self.in_udp_all_checkbutton] = [ self.in_udp_reserved_checkbutton, self.in_udp_unreserved_checkbutton, self.in_udp_entry ] + + self.out_udp_all_checkbutton = xml.get_widget ("out_udp_all_checkbutton") + self.out_udp_entry = self.xml.get_widget("out_udp_entry") + self.network_buttons[self.out_udp_all_checkbutton] = [ self.out_udp_entry ] + + for b in self.network_buttons.keys(): + b.connect("clicked",self.network_all_clicked) + + self.transition_treeview = self.xml.get_widget("transition_treeview") + self.transition_store = gtk.ListStore(gobject.TYPE_STRING) + self.transition_treeview.set_model(self.transition_store) + self.transition_treeview.get_selection().set_mode(gtk.SELECTION_MULTIPLE) + self.transition_store.set_sort_column_id(0, gtk.SORT_ASCENDING) + col = gtk.TreeViewColumn(_("Application"), gtk.CellRendererText(), text = 0) + self.transition_treeview.append_column(col) + # List of per_role_template interfaces + ifs = interfaces.InterfaceSet() + ifs.from_file(fd) + fd.close() + for i in ifs.interfaces.keys(): + m = re.findall("(.*)_per_role_template", i) + if len(m) > 0: + iter = 
self.transition_store.append() + self.transition_store.set_value(iter, 0, m[0]) + + def forward(self, arg): + type = self.confine_application.get_active() + if self.current_page == self.START_PAGE: + self.back_button.set_sensitive(1) + + if self.pages[type][self.current_page] == self.APP_PAGE: + if self.on_name_page_next(): + return + + if self.pages[type][self.current_page] == self.USER_PAGE: + if self.on_user_page_next(): + return + + if self.pages[type][self.current_page] == self.FINISH_PAGE: + self.generate_policy() + else: + self.current_page = self.current_page + 1 + self.notebook.set_current_page(self.pages[type][self.current_page]) + if self.pages[type][self.current_page] == self.FINISH_PAGE: + self.forward_button.set_label(gtk.STOCK_APPLY) + + def back(self,arg): + type = self.confine_application.get_active() + if self.pages[type][self.current_page] == self.FINISH_PAGE: + self.forward_button.set_label(gtk.STOCK_GO_FORWARD) + + self.current_page = self.current_page - 1 + self.notebook.set_current_page(self.pages[type][self.current_page]) + if self.current_page == 0: + self.back_button.set_sensitive(0) + + def network_all_clicked(self, button): + active = button.get_active() + for b in self.network_buttons[button]: + b.set_sensitive(not active) + + def verify(self, message, title="" ): + dlg = gtk.MessageDialog(None, 0, gtk.MESSAGE_INFO, + gtk.BUTTONS_YES_NO, + message) + dlg.set_title(title) + dlg.set_position(gtk.WIN_POS_MOUSE) + dlg.show_all() + rc = dlg.run() + dlg.destroy() + return rc + + def info(self, message): + dlg = gtk.MessageDialog(None, 0, gtk.MESSAGE_INFO, + gtk.BUTTONS_OK, + message) + dlg.set_position(gtk.WIN_POS_MOUSE) + dlg.show_all() + dlg.run() + dlg.destroy() + + def error(self, message): + dlg = gtk.MessageDialog(None, 0, gtk.MESSAGE_ERROR, + gtk.BUTTONS_CLOSE, + message) + dlg.set_position(gtk.WIN_POS_MOUSE) + dlg.show_all() + dlg.run() + dlg.destroy() + + def get_name(self): + if self.confine_application.get_active(): + return 
self.name_entry.get_text() + else: + return self.user_entry.get_text() + + def get_type(self): + if self.confine_application.get_active(): + if self.cgi_radiobutton.get_active(): + return polgen.policy.CGI + if self.user_radiobutton.get_active(): + return polgen.policy.USER + if self.init_radiobutton.get_active(): + return polgen.policy.DAEMON + if self.inetd_radiobutton.get_active(): + return polgen.policy.INETD + else: + if self.xwindows_login_user_radiobutton.get_active(): + return polgen.policy.XUSER + if self.terminal_login_user_radiobutton.get_active(): + return polgen.policy.TUSER + if self.root_user_radiobutton.get_active(): + return polgen.policy.RUSER + + def generate_policy(self, *args): + try: + my_policy=polgen.policy(self.get_name(), self.get_type()) + my_policy.set_in_tcp(self.in_tcp_all_checkbutton.get_active(), self.in_tcp_reserved_checkbutton.get_active(), self.in_tcp_unreserved_checkbutton.get_active(), self.in_tcp_entry.get_text()) + my_policy.set_in_udp(self.in_udp_all_checkbutton.get_active(), self.in_udp_reserved_checkbutton.get_active(), self.in_udp_unreserved_checkbutton.get_active(), self.in_udp_entry.get_text()) + my_policy.set_out_tcp(self.out_tcp_all_checkbutton.get_active(), self.out_tcp_entry.get_text()) + my_policy.set_out_udp(self.out_udp_all_checkbutton.get_active(), self.out_udp_entry.get_text()) + if self.get_type() in my_policy.APPLICATIONS: + my_policy.set_program(self.exec_entry.get_text()) + my_policy.set_use_syslog(self.syslog_checkbutton.get_active() == 1) + my_policy.set_use_tmp(self.tmp_checkbutton.get_active() == 1) + my_policy.set_use_uid(self.uid_checkbutton.get_active() == 1) + my_policy.set_use_pam(self.pam_checkbutton.get_active() == 1) + else: + selected = [] + self.transition_treeview.get_selection().selected_foreach(foreach, selected) + my_policy.set_transition_apps(selected) + + + iter= self.store.get_iter_first() + while(iter): + if self.store.get_value(iter, 1) == FILE: + 
my_policy.add_file(self.store.get_value(iter, 0)) + else: + my_policy.add_dir(self.store.get_value(iter, 0)) + iter= self.store.iter_next(iter) + + self.info(my_policy.generate(self.output_entry.get_text())) + return False + except ValueError, e: + self.error(e.message) + + def delete(self, args): + store, iter = self.view.get_selection().get_selected() + if iter != None: + store.remove(iter) + self.view.get_selection().select_path ((0,)) + + def __add(self,type): + rc = self.file_dialog.run() + self.file_dialog.hide() + if rc == gtk.RESPONSE_CANCEL: + return + for i in self.file_dialog.get_filenames(): + iter = self.store.append() + self.store.set_value(iter, 0, i) + self.store.set_value(iter, 1, type) + + def exec_select(self, args): + self.file_dialog.set_select_multiple(0) + self.file_dialog.set_title(_("Select executable file to be confined.")) + self.file_dialog.set_action(gtk.FILE_CHOOSER_ACTION_SAVE) + rc = self.file_dialog.run() + self.file_dialog.hide() + if rc == gtk.RESPONSE_CANCEL: + return + self.exec_entry.set_text(self.file_dialog.get_filename()) + + def add(self, args): + self.file_dialog.set_title(_("Select file(s) that confined application creates or writes")) + self.file_dialog.set_select_multiple(1) + self.file_dialog.set_action(gtk.FILE_CHOOSER_ACTION_OPEN) + self.__add(FILE) + + def add_dir(self, args): + self.file_dialog.set_title(_("Select directory(s) that the confined application owns and writes into")) + self.file_dialog.set_select_multiple(0) + self.file_dialog.set_action(gtk.FILE_CHOOSER_ACTION_CREATE_FOLDER) + self.__add(DIR) + + def on_about_clicked(self, args): + dlg = xml.get_widget ("about_dialog") + dlg.run () + dlg.hide () + + def quit(self, args): + gtk.main_quit() + + def setupScreen(self): + # Bring in widgets from glade file. 
+ self.mainWindow = self.xml.get_widget("main_window") + self.druid = self.xml.get_widget("druid") + self.type = 0 + self.user_entry = self.xml.get_widget("user_entry") + self.name_entry = self.xml.get_widget("name_entry") + self.exec_entry = self.xml.get_widget("exec_entry") + self.output_entry = self.xml.get_widget("output_entry") + self.output_entry.set_text(os.getcwd()) + self.xml.get_widget("output_button").connect("clicked",self.output_button_clicked) + + self.xwindows_login_user_radiobutton = self.xml.get_widget("xwindows_login_user_radiobutton") + self.terminal_login_user_radiobutton = self.xml.get_widget("terminal_login_user_radiobutton") + self.root_user_radiobutton = self.xml.get_widget("root_user_radiobutton") + + self.user_radiobutton = self.xml.get_widget("user_radiobutton") + self.init_radiobutton = self.xml.get_widget("init_radiobutton") + self.inetd_radiobutton = self.xml.get_widget("inetd_radiobutton") + self.cgi_radiobutton = self.xml.get_widget("cgi_radiobutton") + self.tmp_checkbutton = self.xml.get_widget("tmp_checkbutton") + self.uid_checkbutton = self.xml.get_widget("uid_checkbutton") + self.pam_checkbutton = self.xml.get_widget("pam_checkbutton") + self.syslog_checkbutton = self.xml.get_widget("syslog_checkbutton") + self.view = self.xml.get_widget("write_treeview") + self.file_dialog = self.xml.get_widget("filechooserdialog") + + self.store = gtk.ListStore(gobject.TYPE_STRING, gobject.TYPE_INT) + self.view.set_model(self.store) + col = gtk.TreeViewColumn("", gtk.CellRendererText(), text = 0) + col.set_resizable(True) + self.view.append_column(col) + self.view.get_selection().select_path ((0,)) + + def output_button_clicked(self, *args): + self.file_dialog.set_title(_("Select directory to generate policy files in")) + self.file_dialog.set_action(gtk.FILE_CHOOSER_ACTION_SELECT_FOLDER) + self.file_dialog.set_select_multiple(0) + rc = self.file_dialog.run() + self.file_dialog.hide() + if rc == gtk.RESPONSE_CANCEL: + return + 
self.output_entry.set_text(self.file_dialog.get_filename()) + + def on_name_page_next(self, *args): + name=self.name_entry.get_text() + if name == "": + self.error(_("You must enter a name")) + return True + + exe = self.exec_entry.get_text() + if exe == "": + self.error(_("You must enter a executable")) + return True + + def on_user_page_next(self, *args): + name=self.user_entry.get_text() + if name == "": + self.error(_("You must enter a name")) + return True + + def stand_alone(self): + desktopName = _("Configue SELinux") + + self.setupScreen() + self.mainWindow.connect("destroy", self.quit) + + self.mainWindow.show_all() + gtk.main() + +if __name__ == "__main__": + signal.signal (signal.SIGINT, signal.SIG_DFL) + + app = childWindow() + app.stand_alone() diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.py policycoreutils-2.0.25/gui/polgen.py --- nsapolicycoreutils/gui/polgen.py 1969-12-31 19:00:00.000000000 -0500 +++ policycoreutils-2.0.25/gui/polgen.py 2007-08-28 10:01:32.000000000 -0400 
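Review bot: The module-level glade lookup near the top of the hunk prefers a `polgen.glade` in the current working directory over the installed copy (`if os.access("polgen.glade", os.F_OK): xml = gtk.glade.XML("polgen.glade", ...)`), and `sys.path.append('.')` widens the import path in the same way; since this script is spawned from the module management page and so presumably runs with the same root privileges as the rest of the GUI, the UI definition and any module not found earlier on the path then depend on whichever directory the tool happened to be launched from. Unless the checkout-relative lookup is needed for development, load only the installed file, `xml = gtk.glade.XML("/usr/share/system-config-selinux/polgen.glade", domain=PROGNAME)`, and drop `sys.path.append('.')`; if the development case matters, gate it on an explicit opt-in rather than on the file merely existing. Separately, `exec_select` runs the chooser with `gtk.FILE_CHOOSER_ACTION_SAVE`, which accepts a path that does not exist for the executable, and `on_name_page_next` only rejects the empty string; using `gtk.FILE_CHOOSER_ACTION_OPEN` there and adding a check such as `if not os.path.isfile(exe): self.error(_("You must enter an existing executable")); return True` would catch a mistyped path before policy is generated for it.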
@@ -0,0 +1,560 @@ +# Copyright (C) 2007 Red Hat +# see file 'COPYING' for use and warranty information +# +# policygentool is a tool for the initial generation of SELinux policy +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License as +# published by the Free Software Foundation; either version 2 of +# the License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA +# 02111-1307 USA +# +# +import os, sys, stat +import re +from templates import executable +from templates import var_spool +from templates import var_lib +from templates import var_log +from templates import var_run +from templates import tmp +from templates import rw +from templates import network +from templates import script +from templates import user +import seobject + +## +## I18N +## +PROGNAME="system-config-selinux" + +import gettext +gettext.bindtextdomain(PROGNAME, "/usr/share/locale") +gettext.textdomain(PROGNAME) +try: + gettext.install(PROGNAME, + localedir="/usr/share/locale", + unicode=False, + codeset = 'utf-8') +except IOError: + import __builtin__ + __builtin__.__dict__['_'] = unicode + +ALL = 0 +RESERVED = 1 +UNRESERVED = 2 +PORTS = 3 + +class policy: + DAEMON = 0 + INETD = 1 + USER = 2 + CGI = 3 + XUSER = 4 + TUSER = 5 + RUSER = 6 + APPLICATIONS = [ DAEMON, INETD, USER, CGI ] + USERS = [ XUSER, TUSER, RUSER ] + + def __init__(self, name, type): + ports = seobject.portRecords() + self.dict = ports.get_all() + + self.DEFAULT_DIRS = {} + self.DEFAULT_DIRS["rw"] = ["rw", [], rw]; + 
self.DEFAULT_DIRS["tmp"] = ["tmp", [], tmp]; + self.DEFAULT_DIRS["/var/spool"] = ["var_spool", [], var_spool]; + self.DEFAULT_DIRS["/var/lib"] = ["var_lib", [], var_lib]; + self.DEFAULT_DIRS["/var/log"] = ["var_log", [], var_log]; + self.DEFAULT_DIRS["/var/run"] = ["var_run", [], var_run]; + + self.DEFAULT_TYPES = (( self.generate_daemon_types, self.generate_daemon_rules), ( self.generate_inetd_types, self.generate_inetd_rules), ( self.generate_userapp_types, self.generate_userapp_rules), ( self.generate_cgi_types, self.generate_cgi_rules), ( self.generate_x_login_user_types, self.generate_x_login_user_rules), ( self.generate_login_user_types, self.generate_login_user_rules), ( self.generate_root_user_types, self.generate_root_user_rules)) + if name == "": + raise ValueError(_("You must enter a name for your confined process")) + if type == self.CGI: + self.name = "httpd_%s_script" % name + else: + self.name = name + self.file_name = name + + self.type = type + self.program = "" + self.in_tcp = [False, False, False, []] + self.in_udp = [False, False, False, []] + self.out_tcp = [False, False, False, []] + self.out_udp = [False, False, False, []] + self.use_tmp = False + self.use_uid = False + self.use_pam = False + self.use_syslog = False + self.files = {} + self.dirs = {} + self.found_tcp_ports=[] + self.found_udp_ports=[] + self.need_tcp_type=False + self.need_udp_type=False + self.transitions = [] + + def __isnetset(self, l): + return l[ALL] or l[RESERVED] or l[UNRESERVED] or len(l[PORTS]) > 0 + + def set_transition_apps(self, transitions): + self.transitions = transitions + + def use_in_udp(self): + return self.__isnetset(self.in_udp) + + def use_out_udp(self): + return self.__isnetset(self.out_udp) + + def use_udp(self): + return self.use_in_udp() or self.use_out_udp() + + def use_in_tcp(self): + return self.__isnetset(self.in_tcp) + + def use_out_tcp(self): + return self.__isnetset(self.out_tcp) + + def use_tcp(self): + return self.use_in_tcp() or 
self.use_out_tcp() + + def use_network(self): + return self.use_tcp() or self.use_udp() + + def find_port(self, port): + for begin,end in self.dict.keys(): + if port >= begin and port <= end: + return self.dict[begin,end] + return None + + def __verify_ports(self, ports): + if ports == "": + return [] + max_port=2**16 + try: + temp = [] + for p in ports.split(","): + i = int(p.strip()) + if i < 1 or i > max_port: + raise ValueError() + temp.append(i) + return temp + except ValueError: + raise ValueError(_("Ports must be be numbers from 1 to %d " % max_port )) + + def set_program(self, program): + if self.type in self.APPLICATIONS: + raise ValueError(_("USER Types are not allowed executables")) + + self.program = program + + def set_in_tcp(self, all, reserved, unreserved, ports): + self.in_tcp = [ all, reserved, unreserved, self.__verify_ports(ports)] + + def set_in_udp(self, all, reserved, unreserved, ports): + self.in_udp = [ all, reserved, unreserved, self.__verify_ports(ports)] + + def set_out_tcp(self, all, ports): + self.out_tcp = [ all , False, False, self.__verify_ports(ports) ] + + def set_out_udp(self, all, ports): + self.out_udp = [ all , False, False, self.__verify_ports(ports) ] + + def set_use_syslog(self, val): + if val != True and val != False: + raise ValueError(_("use_syslog must be a boolean value ")) + + self.use_syslog = val + + def set_use_pam(self, val): + if val != True and val != False: + raise ValueError(_("use_pam must be a boolean value ")) + + self.use_pam = val + + def set_use_tmp(self, val): + if self.type in self.APPLICATIONS: + raise ValueError(_("USER Types autoomatically get a tmp type")) + + if val == True: + self.DEFAULT_DIRS["tmp"][1].append("/tmp"); + return + if val == False: + self.DEFAULT_DIRS["tmp"][1]=[] + return + raise ValueError(_("use_tmp must be a boolean value ")) + + + def set_use_uid(self, val): + if val != True and val != False: + raise ValueError(_("use_uid must be a boolean value ")) + + self.use_uid = val + + 
def generate_uid_rules(self): + if self.use_uid: + return re.sub("TEMPLATETYPE", self.name, executable.te_uid_rules) + else: + return "" + + def generate_syslog_rules(self): + if self.use_syslog: + return re.sub("TEMPLATETYPE", self.name, executable.te_syslog_rules) + else: + return "" + + def generate_pam_rules(self): + newte ="" + if self.use_pam: + newte = re.sub("TEMPLATETYPE", self.name, executable.te_pam_rules) + return newte + + def generate_network_types(self): + for i in self.in_tcp[PORTS]: + rec = self.find_port(int(i)) + if rec == None: + self.need_tcp_type = True; + else: + port_name = rec[0][:-2] + line = "corenet_tcp_bind_%s(%s_t)\n" % (port_name, self.name) + if line not in self.found_tcp_ports: + self.found_tcp_ports.append(line) + + for i in self.out_tcp[PORTS]: + rec = self.find_port(int(i)) + if rec == None: + self.need_tcp_type = True; + else: + port_name = rec[0][:-2] + line = "corenet_tcp_connect_%s(%s_t)\n" % (port_name, self.name) + if line not in self.found_tcp_ports: + self.found_tcp_ports.append(line) + + for i in self.in_udp[PORTS]: + rec = self.find_port(int(i)) + if rec == None: + self.need_udp_type = True; + else: + port_name = rec[0][:-2] + line = "corenet_udp_bind_%s(%s_t)\n" % (port_name, self.name) + if line not in self.found_udp_ports: + self.found_udp_ports.append(line) + + if self.need_udp_type == True or self.need_tcp_type == True: + return re.sub("TEMPLATETYPE", self.name, network.te_port_types) + return "" + + def __find_path(self, file): + for d in self.DEFAULT_DIRS: + if file.find(d) == 0: + self.DEFAULT_DIRS[d][1].append(file) + return self.DEFAULT_DIRS[d] + self.DEFAULT_DIRS["rw"][1].append(file) + return self.DEFAULT_DIRS["rw"] + + def add_file(self, file): + self.files[file] = self.__find_path(file) + + def add_dir(self, file): + self.dirs[file] = self.__find_path(file) + + def generate_network_rules(self): + newte = "" + if self.use_network(): + newte = "\n" + + newte += re.sub("TEMPLATETYPE", self.name, 
network.te_network) + + if self.use_tcp(): + newte += "\n" + newte += re.sub("TEMPLATETYPE", self.name, network.te_tcp) + + if self.use_in_tcp(): + newte += re.sub("TEMPLATETYPE", self.name, network.te_in_tcp) + + if self.need_tcp_type and len(self.in_tcp[PORTS]) > 0: + newte += re.sub("TEMPLATETYPE", self.name, network.te_in_need_port_tcp) + + if self.need_tcp_type and len(self.out_tcp[PORTS]) > 0: + newte += re.sub("TEMPLATETYPE", self.name, network.te_out_need_port_tcp) + + + if self.in_tcp[ALL]: + newte += re.sub("TEMPLATETYPE", self.name, network.te_in_all_ports_tcp) + if self.in_tcp[RESERVED]: + newte += re.sub("TEMPLATETYPE", self.name, network.te_in_reserved_ports_tcp) + if self.in_tcp[UNRESERVED]: + newte += re.sub("TEMPLATETYPE", self.name, network.te_in_unreserved_ports_tcp) + + if self.out_tcp[ALL]: + newte += re.sub("TEMPLATETYPE", self.name, network.te_out_all_ports_tcp) + if self.out_tcp[RESERVED]: + newte += re.sub("TEMPLATETYPE", self.name, network.te_out_reserved_ports_tcp) + if self.out_tcp[UNRESERVED]: + newte += re.sub("TEMPLATETYPE", self.name, network.te_out_unreserved_ports_tcp) + + for i in self.found_tcp_ports: + newte += i + + if self.use_udp(): + newte += "\n" + newte += re.sub("TEMPLATETYPE", self.name, network.te_udp) + + if self.need_udp_type: + newte += re.sub("TEMPLATETYPE", self.name, network.te_in_need_port_udp) + if self.use_in_udp(): + newte += re.sub("TEMPLATETYPE", self.name, network.te_in_udp) + if self.in_udp[ALL]: + newte += re.sub("TEMPLATETYPE", self.name, network.te_in_all_ports_udp) + if self.in_udp[RESERVED]: + newte += re.sub("TEMPLATETYPE", self.name, network.te_in_reserved_ports_udp) + if self.in_udp[UNRESERVED]: + newte += re.sub("TEMPLATETYPE", self.name, network.te_in_unreserved_ports_udp) + + for i in self.found_udp_ports: + newte += i + return newte + + def generate_transition_rules(self): + newte = "" + for app in self.transitions: + tmp = re.sub("TEMPLATETYPE", self.name, user.te_transition_rules) + newte += 
re.sub("APPLICATION", app, tmp) + return newte + + def generate_cgi_types(self): + return re.sub("TEMPLATETYPE", self.file_name, executable.te_cgi_types) + + def generate_userapp_types(self): + return re.sub("TEMPLATETYPE", self.name, executable.te_userapp_types) + + def generate_inetd_types(self): + return re.sub("TEMPLATETYPE", self.name, executable.te_inetd_types) + + def generate_login_user_types(self): + return re.sub("TEMPLATETYPE", self.name, user.te_login_user_types) + + def generate_x_login_user_types(self): + return re.sub("TEMPLATETYPE", self.name, user.te_x_login_user_types) + + def generate_root_user_types(self): + return re.sub("TEMPLATETYPE", self.name, user.te_root_user_types) + + def generate_daemon_types(self): + return re.sub("TEMPLATETYPE", self.name, executable.te_daemon_types) + + def generate_tmp_types(self): + if self.use_tmp: + return re.sub("TEMPLATETYPE", self.name, tmp.te_types) + else: + return "" + + def generate_cgi_te(self): + return re.sub("TEMPLATETYPE", self.name, executable.te_cgi_types) + + def generate_daemon_rules(self): + return re.sub("TEMPLATETYPE", self.name, executable.te_daemon_rules) + + def generate_login_user_rules(self): + return re.sub("TEMPLATETYPE", self.name, user.te_login_user_rules) + + def generate_x_login_user_rules(self): + return re.sub("TEMPLATETYPE", self.name, user.te_x_login_user_rules) + + def generate_root_user_rules(self): + newte =re.sub("TEMPLATETYPE", self.name, user.te_root_user_rules) + return newte + + def generate_userapp_rules(self): + return re.sub("TEMPLATETYPE", self.name, executable.te_userapp_rules) + + def generate_inetd_rules(self): + return re.sub("TEMPLATETYPE", self.name, executable.te_inetd_rules) + + def generate_tmp_rules(self): + if self.use_tmp: + return re.sub("TEMPLATETYPE", self.name, tmp.te_rules) + else: + return "" + + def generate_cgi_rules(self): + newte = "" + newte += re.sub("TEMPLATETYPE", self.name, executable.te_cgi_rules) + return newte + + def generate_if(self): 
+ newif = re.sub("TEMPLATETYPE", self.name, executable.if_rules) + + for d in self.DEFAULT_DIRS: + if len(self.DEFAULT_DIRS[d][1]) > 0: + newif += re.sub("TEMPLATETYPE", self.name, self.DEFAULT_DIRS[d][2].if_rules) + for i in self.DEFAULT_DIRS[d][1]: + if os.path.exists(i) and stat.S_ISSOCK(os.stat(i)[stat.ST_MODE]): + newif += re.sub("TEMPLATETYPE", self.name, self.DEFAULT_DIRS[d][2].if_stream_rules) + break + return newif + + def generate_default_types(self): + return self.DEFAULT_TYPES[self.type][0]() + + def generate_default_rules(self): + return self.DEFAULT_TYPES[self.type][1]() + + def generate_te(self): + newte = self.generate_default_types() + for d in self.DEFAULT_DIRS: + if len(self.DEFAULT_DIRS[d][1]) > 0: + # CGI scripts already have a rw_t + if self.type != self.CGI or d != "rw": + newte += re.sub("TEMPLATETYPE", self.name, self.DEFAULT_DIRS[d][2].te_types) + + newte += self.generate_network_types() + newte += self.generate_tmp_types() + newte += self.generate_default_rules() + + for d in self.DEFAULT_DIRS: + if len(self.DEFAULT_DIRS[d][1]) > 0: + newte += re.sub("TEMPLATETYPE", self.name, self.DEFAULT_DIRS[d][2].te_rules) + for i in self.DEFAULT_DIRS[d][1]: + if os.path.exists(i) and stat.S_ISSOCK(os.stat(i)[stat.ST_MODE]): + newte += re.sub("TEMPLATETYPE", self.name, self.DEFAULT_DIRS[d][2].te_stream_rules) + break + + newte += self.generate_network_rules() + newte += self.generate_tmp_rules() + newte += self.generate_uid_rules() + newte += self.generate_syslog_rules() + newte += self.generate_pam_rules() + newte += self.generate_transition_rules() + + return newte + + def generate_fc(self): + newfc = "" + t1 = re.sub("EXECUTABLE", self.program, executable.fc_file) + newfc += re.sub("TEMPLATETYPE", self.name, t1) + + for i in self.files.keys(): + if os.path.exists(i) and stat.S_ISSOCK(os.stat(i)[stat.ST_MODE]): + t1 = re.sub("TEMPLATETYPE", self.name, self.files[i][2].fc_sock_file) + else: + t1 = re.sub("TEMPLATETYPE", self.name, 
self.files[i][2].fc_file) + t2 = re.sub("FILENAME", i, t1) + newfc += re.sub("FILETYPE", self.files[i][0], t2) + + for i in self.dirs.keys(): + t1 = re.sub("TEMPLATETYPE", self.name, self.dirs[i][2].fc_dir) + t2 = re.sub("FILENAME", i, t1) + newfc += re.sub("FILETYPE", self.dirs[i][0], t2) + + return newfc + + def generate_sh(self): + newsh = re.sub("TEMPLATETYPE", self.name, script.compile) + newsh = re.sub("PACKAGEFILENAME", self.file_name, newsh) + newsh += re.sub("FILENAME", self.program, script.restorecon) + + for i in self.files.keys(): + newsh += re.sub("FILENAME", i, script.restorecon) + + for i in self.dirs.keys(): + newsh += re.sub("FILENAME", i, script.restorecon) + + for i in self.in_tcp[PORTS] + self.out_tcp[PORTS]: + if self.find_port(i) == None: + t1 = re.sub("PORTNUM", "%d" % i, script.tcp_ports) + newsh += re.sub("TEMPLATETYPE", self.name, t1) + + for i in self.in_udp[PORTS] + self.out_udp[PORTS]: + if self.find_port(i) == None: + t1 = re.sub("PORTNUM", "%d" % i, script.udp_ports) + newsh += re.sub("TEMPLATETYPE", self.name, t1) + + return newsh + + def write_te(self, out_dir): + tefile = "%s/%s.te" % (out_dir, self.file_name) + fd = open(tefile, "w") + fd.write(self.generate_te()) + fd.close() + return tefile + + def write_sh(self, out_dir): + shfile = "%s/%s.sh" % (out_dir, self.file_name) + fd = open(shfile, "w") + fd.write(self.generate_sh()) + fd.close() + return shfile + + def write_if(self, out_dir): + iffile = "%s/%s.if" % (out_dir, self.file_name) + fd = open(iffile, "w") + fd.write(self.generate_if()) + fd.close() + return iffile + + def write_fc(self,out_dir): + fcfile = "%s/%s.fc" % (out_dir, self.file_name) + if self.type in self.APPLICATIONS: + fd = open(fcfile, "w") + fd.write(self.generate_fc()) + fd.close() + return fcfile + + def generate(self, out_dir = "."): + if self.type in self.APPLICATIONS and self.program == "": + raise ValueError(_("You must enter the executable path for your confined process")) + + out = "Created the 
following files:\n" + out += "%-25s %s\n" % (_("Type Enforcment file"), self.write_te(out_dir)) + out += "%-25s %s\n" % (_("Interface file"), self.write_if(out_dir)) + out += "%-25s %s\n" % (_("File Contexts file"), self.write_fc(out_dir)) + out += "%-25s %s\n" % (_("Setup Script"),self.write_sh(out_dir)) + return out + +def errorExit(error): + sys.stderr.write("%s: " % sys.argv[0]) + sys.stderr.write("%s\n" % error) + sys.stderr.flush() + sys.exit(1) + + +if __name__ == '__main__': + mypolicy = policy("cgi", policy.XUSER) + mypolicy.set_program("/var/www/cgi-bin/cgi") + mypolicy.set_in_tcp(1, 0, 0, "513") + mypolicy.set_in_udp(1, 0, 0, "1513") + mypolicy.set_use_uid(True) + mypolicy.set_use_tmp(True) + mypolicy.set_use_syslog(True) + mypolicy.set_use_pam(True) + mypolicy.add_file("/var/lib/mysql/mysql.sock") + mypolicy.add_file("/var/run/rpcbind.sock") + mypolicy.add_file("/var/run/daemon.pub") + mypolicy.add_file("/var/log/daemon.log") + mypolicy.add_dir("/var/lib/daemon") + mypolicy.add_dir("/etc/daemon") + mypolicy.add_dir("/etc/daemon/special") + mypolicy.set_out_tcp(0,"8000") + mypolicy.set_transition_apps(["mozilla", "ssh"]) + print mypolicy.generate() +# mypolicy = policy("inetd", "/usr/sbin/inetd", 1) +# mypolicy.generate() +# mypolicy = policy("userapp", "/usr/sbin/userapp", 2) +# mypolicy.generate() +# mypolicy = policy("cgi", "cgi", 3) +# mypolicy.generate() + sys.exit(0) + + diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/portsPage.py policycoreutils-2.0.25/gui/portsPage.py --- nsapolicycoreutils/gui/portsPage.py 1969-12-31 19:00:00.000000000 -0500 +++ policycoreutils-2.0.25/gui/portsPage.py 2007-08-28 09:22:17.000000000 -0400 
@@ -0,0 +1,248 @@
+## portsPage.py - show selinux mappings
+## Copyright (C) 2006 Red Hat, Inc.
+
+## This program is free software; you can redistribute it and/or modify
+## it under the terms of the GNU General Public License as published by
+## the Free Software Foundation; either version 2 of the License, or
+## (at your option) any later version.
+
+## This program is distributed in the hope that it will be useful,
+## but WITHOUT ANY WARRANTY; without even the implied warranty of
+## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+## GNU General Public License for more details.
+
+## You should have received a copy of the GNU General Public License
+## along with this program; if not, write to the Free Software
+## Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+
+## Author: Dan Walsh
+import string
+import gtk
+import gtk.glade
+import os
+import libxml2
+import gobject
+import sys
+import seobject
+import commands
+from semanagePage import *;
+
+##
+## I18N
+##
+PROGNAME = "policycoreutils"
+import gettext
+gettext.bindtextdomain(PROGNAME, "/usr/share/locale")
+gettext.textdomain(PROGNAME)
+TYPE_COL = 0
+PROTOCOL_COL = 1
+MLS_COL = 2
+PORT_COL = 3
+try:
+ gettext.install(PROGNAME,
+ localedir="/usr/share/locale",
+ unicode=False,
+ codeset = 'utf-8')
+except IOError:
+ import __builtin__
+ __builtin__.__dict__['_'] = unicode
+
+class portsPage(semanagePage):
+ def __init__(self, xml):
+ semanagePage.__init__(self, xml, "ports", "Network Port")
+ self.ports_filter = xml.get_widget("portsFilterEntry")
+ self.ports_filter.connect("focus_out_event", self.filter_changed)
+ self.ports_filter.connect("activate", self.filter_changed)
+ self.ports_name_entry = xml.get_widget("portsNameEntry")
+ self.ports_protocol_combo = xml.get_widget("portsProtocolCombo")
+ self.ports_number_entry = xml.get_widget("portsNumberEntry")
+ self.ports_mls_entry = xml.get_widget("portsMLSEntry")
+ self.ports_add_button = xml.get_widget("portsAddButton")
+ self.ports_properties_button = xml.get_widget("portsPropertiesButton")
+ self.ports_delete_button = xml.get_widget("portsDeleteButton")
+ self.ports_group_togglebutton = xml.get_widget("portsGroupTogglebutton")
+ self.ports_group_togglebutton.connect("toggled", self.group_toggle)
+ liststore = self.ports_protocol_combo.get_model()
+ iter = liststore.get_iter_first()
+ self.ports_protocol_combo.set_active_iter(iter)
+ self.init_store()
+ self.edit = True
+ self.load()
+
+ def filter_changed(self, *arg):
+ filter = arg[0].get_text()
+ if filter != self.filter:
+ if self.edit:
+ self.load(filter)
+ else:
+ self.group_load(filter)
+
+ def init_store(self):
+ self.store = gtk.ListStore(gobject.TYPE_STRING, gobject.TYPE_STRING, gobject.TYPE_STRING , gobject.TYPE_STRING)
+ self.view.set_model(self.store)
+ self.store.set_sort_column_id(0, gtk.SORT_ASCENDING)
+
+ col = gtk.TreeViewColumn(_("SELinux Port\nType"), gtk.CellRendererText(), text = TYPE_COL)
+ col.set_sort_column_id(TYPE_COL)
+ col.set_resizable(True)
+ self.view.append_column(col)
+ self.store.set_sort_column_id(TYPE_COL, gtk.SORT_ASCENDING)
+
+ col = gtk.TreeViewColumn(_("Protocol"), gtk.CellRendererText(), text = PROTOCOL_COL)
+ col.set_sort_column_id(PROTOCOL_COL)
+ col.set_resizable(True)
+ self.view.append_column(col)
+
+ self.mls_col = gtk.TreeViewColumn(_("MLS/MCS\nLevel"), gtk.CellRendererText(), text = MLS_COL)
+ self.mls_col.set_resizable(True)
+ self.mls_col.set_sort_column_id(MLS_COL)
+ self.view.append_column(self.mls_col)
+
+ col = gtk.TreeViewColumn(_("Port"), gtk.CellRendererText(), text = PORT_COL)
+ col.set_sort_column_id(PORT_COL)
+ col.set_resizable(True)
+ self.view.append_column(col)
+ self.store.set_sort_func(PORT_COL,self.sort_int, "")
+
+ def group_toggle(self, button):
+ self.edit = not button.get_active()
+ self.ports_add_button.set_sensitive(self.edit)
+ self.ports_properties_button.set_sensitive(self.edit)
+ self.ports_delete_button.set_sensitive(self.edit)
+ self.mls_col.set_visible(self.edit)
+ if self.edit:
+ self.load(self.filter)
+ else:
+ self.group_load(self.filter)
+
+ def sort_int(self, treemodel, iter1, iter2, user_data):
+ try:
+ p1 = int(treemodel.get_value(iter1,2))
+ p2 = int(treemodel.get_value(iter2,2))
+ if p1 > p2:
+ return 1
+ if p1 == p2:
+ return 0
+ return -1
+ except:
+ return 0
+
+ def load(self,filter = ""):
+ self.filter=filter
+ self.port = seobject.portRecords()
+ dict = self.port.get_all()
+ keys = dict.keys()
+ keys.sort()
+ self.store.clear()
+ for k in keys:
+ if not (self.match(str(k[0]), filter) or self.match(dict[k][0], filter) or self.match(dict[k][1], filter) or self.match(dict[k][2], filter)):
+ continue
+ iter = self.store.append()
+ if k[0] == k[1]:
+ self.store.set_value(iter, PORT_COL, k[0])
+ else:
+ rec = "%s-%s" % k
+ self.store.set_value(iter, PORT_COL, rec)
+ self.store.set_value(iter, TYPE_COL, dict[k][0])
+ self.store.set_value(iter, PROTOCOL_COL, dict[k][1])
+ self.store.set_value(iter, MLS_COL, dict[k][2])
+ self.view.get_selection().select_path ((0,))
+
+ def group_load(self, filter = ""):
+ self.filter=filter
+ self.port = seobject.portRecords()
+ dict = self.port.get_all_by_type()
+ keys = dict.keys()
+ keys.sort()
+ self.store.clear()
+ for k in keys:
+ ports_string = ", ".join(dict[k])
+ if not (self.match(ports_string, filter) or self.match(k[0], filter) or self.match(k[1], filter) ):
+ continue
+ iter = self.store.append()
+ self.store.set_value(iter, TYPE_COL, k[0])
+ self.store.set_value(iter, PROTOCOL_COL, k[1])
+ self.store.set_value(iter, PORT_COL, ports_string)
+ self.store.set_value(iter, MLS_COL, "")
+ self.view.get_selection().select_path ((0,))
+
+ def propertiesDialog(self):
+ if self.edit:
+ semanagePage.propertiesDialog(self)
+
+ def dialogInit(self):
+ store, iter = self.view.get_selection().get_selected()
+ self.ports_number_entry.set_text(store.get_value(iter, PORT_COL))
+ self.ports_number_entry.set_sensitive(False)
+ self.ports_protocol_combo.set_sensitive(False)
+ self.ports_name_entry.set_text(store.get_value(iter, TYPE_COL))
+ self.ports_mls_entry.set_text(store.get_value(iter, MLS_COL))
+ protocol = store.get_value(iter, PROTOCOL_COL)
+ liststore = self.ports_protocol_combo.get_model()
+ iter = liststore.get_iter_first()
+ while iter != None and liststore.get_value(iter,0) != protocol:
+ iter = liststore.iter_next(iter)
+ if iter != None:
+ self.ports_protocol_combo.set_active_iter(iter)
+
+ def dialogClear(self):
+ self.ports_number_entry.set_text("")
+ self.ports_number_entry.set_sensitive(True)
+ self.ports_protocol_combo.set_sensitive(True)
+ self.ports_name_entry.set_text("")
+ self.ports_mls_entry.set_text("s0")
+
+ def delete(self):
+ store, iter = self.view.get_selection().get_selected()
+ port = store.get_value(iter, PORT_COL)
+ protocol = store.get_value(iter, 1)
+ try:
+ (rc, out) = commands.getstatusoutput("semanage port -d -p %s %s" % (protocol, port))
+ if rc != 0:
+ return self.error(out)
+ store.remove(iter)
+ self.view.get_selection().select_path ((0,))
+ except ValueError, e:
+ self.error(e.args[0])
+
+ def add(self):
+ target = self.ports_name_entry.get_text().strip()
+ mls = self.ports_mls_entry.get_text().strip()
+ port_number = self.ports_number_entry.get_text().strip()
+ if port_number == "":
+ port_number = "1"
+ if not port_number.isdigit():
+ self.error(_("Port number \"%s\" is not valid. 0 < PORT_NUMBER < 65536 ") % port_number )
+ return False
+ list_model = self.ports_protocol_combo.get_model()
+ iter = self.ports_protocol_combo.get_active_iter()
+ protocol = list_model.get_value(iter,0)
+ (rc, out) = commands.getstatusoutput("semanage port -a -p %s -r %s -t %s %s" % (protocol, mls, target, port_number))
+ if rc != 0:
+ self.error(out)
+ return False
+ iter = self.store.append()
+
+ self.store.set_value(iter, TYPE_COL, target)
+ self.store.set_value(iter, PORT_COL, port_number)
+ self.store.set_value(iter, PROTOCOL_COL, protocol)
+ self.store.set_value(iter, MLS_COL, mls)
+
+ def modify(self):
+ target = self.ports_name_entry.get_text().strip()
+ mls = self.ports_mls_entry.get_text().strip()
+ port_number = self.ports_number_entry.get_text().strip()
+ list_model = self.ports_protocol_combo.get_model()
+ iter = self.ports_protocol_combo.get_active_iter()
+ protocol = list_model.get_value(iter,0)
+ (rc, out) = commands.getstatusoutput("semanage port -m -p %s -r %s -t %s %s" % (protocol, mls, target, port_number))
+ if rc != 0:
+ self.error(out)
+ return False
+ store, iter = self.view.get_selection().get_selected()
+ self.store.set_value(iter, TYPE_COL, target)
+ self.store.set_value(iter, PORT_COL, port_number)
+ self.store.set_value(iter, PROTOCOL_COL, protocol)
+ self.store.set_value(iter, MLS_COL, mls)
+
+
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/selinux.tbl policycoreutils-2.0.25/gui/selinux.tbl
--- nsapolicycoreutils/gui/selinux.tbl 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-2.0.25/gui/selinux.tbl 2007-08-28 09:22:17.000000000 -0400
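Review bot: `add`, `modify` and `delete` interpolate the untouched text of `portsNameEntry` and `portsMLSEntry` into `commands.getstatusoutput("semanage port -a -p %s -r %s -t %s %s" % (protocol, mls, target, port_number))`, which goes through a shell, so any shell metacharacter typed into the type or MLS field is interpreted by the shell rather than handed to semanage (which this page necessarily runs with semanage's privileges). Running the command as an argument list via the stdlib `subprocess` module avoids the shell entirely, and the value check in `add` should also enforce the range its own error message promises, since `isdigit()` accepts `0` and `99999`; a small helper shared by the three call sites keeps the existing rc/out handling. Separately, `sort_int` reads column 2 (MLS_COL) although it is installed with `set_sort_func(PORT_COL, ...)`, so the port column never sorts numerically; it should read `PORT_COL` and tolerate `a-b` range strings instead of swallowing the failure with a bare `except:`. The `portsPage` class and all three methods sit entirely inside this hunk; `subprocess` would need adding to the import block at the top of the file.
```python
    def _semanage_port(self, args):
        # Argument list, no shell: entry text reaches semanage verbatim.
        proc = subprocess.Popen(["semanage", "port"] + list(args),
                                stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
        out = proc.communicate()[0]
        return (proc.returncode, out)

    # … in add(): replace the isdigit() check and the getstatusoutput call …
        if not port_number.isdigit() or not (0 < int(port_number) < 65536):
            self.error(_("Port number \"%s\" is not valid. 0 < PORT_NUMBER < 65536 ") % port_number )
            return False
        # … unchanged: protocol lookup …
        (rc, out) = self._semanage_port(["-a", "-p", protocol, "-r", mls, "-t", target, port_number])
    # … modify() and delete() call the helper the same way with "-m" / "-d" …
```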
@@ -0,0 +1,296 @@ +allow_console_login _("Login") _("Allow direct login to the console device. Requiered for System 390") +acct_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for acct daemon") +allow_cvs_read_shadow _("CVS") _("Allow cvs daemon to read shadow") +allow_daemons_dump_core _("Admin") _("Allow all daemons to write corefiles to /") +allow_daemons_use_tty _("Admin") _("Allow all daemons the ability to use unallocated ttys") +allow_execheap _("Memory Protection") _("Allow unconfined executables to make their heap memory executable. Doing this is a really bad idea. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla") +allow_execmem _("Memory Protection") _("Allow unconfined executables to map a memory region as both executable and writable, this is dangerous and the executable should be reported in bugzilla") +allow_execmod _("Memory Protection") _("Allow all unconfined executables to use libraries requiring text relocation that are not labeled textrel_shlib_t") +allow_execstack _("Memory Protection") _("Allow unconfined executables to make their stack executable. This should never, ever be neessary. Probably indicates a badly coded executable, but could indicate an attack. 
This executable should be reported in bugzilla") +allow_ftpd_full_access _("FTP") _("Allow ftpd to full access to the system") +allow_ftpd_anon_write _("FTP") _("Allow ftpd to upload files to directories labeled public_content_rw_t") +allow_ftpd_use_cifs _("FTP") _("Allow ftp servers to use cifs used for public file transfer services") +allow_ftpd_use_nfs _("FTP") _("Allow ftp servers to use nfs used for public file transfer services") +allow_gpg_execstack _("Memory Protection") _("Allow gpg executable stack") +allow_gadmin_exec_content _("User Privs") _("Allow gadmin SELinux user accounts to execute files in his home directory or /tmp") +allow_gssd_read_tmp _("NFS") _("Allow gssd to read temp directory") +allow_guest_exec_content _("User Privs") _("Allow guest SELinux user accounts to execute files in his home directory or /tmp") +allow_httpd_anon_write _("HTTPD Service") _("Allow httpd daemon to write files in directories labeled public_content_rw_t") +allow_httpd_dbus_avahi _("HTTPD Service") _("Allow Apache to communicate with avahi service") +allow_httpd_mod_auth_pam _("HTTPD Service") _("Allow Apache to use mod_auth_pam") +allow_httpd_sys_script_anon_write _("HTTPD Service") _("Allow httpd scripts to write files in directories labeled public_content_rw_t") +allow_java_execstack _("Memory Protection") _("Allow java executable stack") +allow_kerberos _("Kerberos") _("Allow daemons to use kerberos files") +allow_mount_anyfile _("Mount") _("Allow mount to mount any file") +allow_mounton_anydir _("Mount") _("Allow mount to mount any directory") +allow_mplayer_execstack _("Memory Protection") _("Allow mplayer executable stack") +allow_nfsd_anon_write _("NFS") _("Allow nfs servers to modify public files used for public file transfer services") +allow_polyinstantiation _("Polyinstatiation") _("Enable polyinstantiated directory support") +allow_ptrace _("Compatibility") _("Allow sysadm_t to debug or ptrace applications") +allow_rsync_anon_write _("rsync") _("Allow 
rsync to write files in directories labeled public_content_rw_t") +allow_smbd_anon_write _("Samba") _("Allow Samba to write files in directories labeled public_content_rw_t") +allow_ssh_keysign _("SSH") _("Allow ssh to run ssh-keysign") +allow_staff_exec_content _("User Privs") _("Allow staff SELinux user accounts to execute files in his home directory or /tmp") +allow_sysadm_exec_content _("User Privs") _("Allow sysadm SELinux user accounts to execute files in his home directory or /tmp") +allow_unconfined_exec_content _("User Privs") _("Allow unconfined SELinux user accounts to execute files in his home directory or /tmp") +allow_unlabeled_packets _("Network Configuration") _("Allow unlabeled packets to flow on the network") +allow_user_exec_content _("User Privs") _("Allow user SELinux user accounts to execute files in his home directory or /tmp") +allow_unconfined_execmem_dyntrans _("Memory Protection") _("Allow unconfined to dyntrans to unconfined_execmem") +allow_user_mysql_connect _("Databases") _("Allow user to connect to mysql socket") +allow_user_postgresql_connect _("Databases") _("Allow user to connect to postgres socket") +allow_write_xshm _("XServer") _("Allow clients to write to X shared memory") +allow_xguest_exec_content _("User Privs") _("Allow xguest SELinux user accounts to execute files in his home directory or /tmp") +allow_ypbind _("NIS") _("Allow daemons to run with NIS") +allow_zebra_write_config _("Zebra") _("Allow zebra daemon to write it configuration files") +browser_confine_staff _("Web Applications") _("Transition staff SELinux user to Web Browser Domain") +browser_confine_sysadm _("Web Applications") _("Transition sysadm SELinux user to Web Browser Domain") +browser_confine_user _("Web Applications") _("Transition user SELinux user to Web Browser Domain") +browser_confine_xguest _("Web Applications") _("Transition xguest SELinux user to Web Browser Domain") +browser_write_staff_data _("Web Applications") _("Allow staff Web Browsers 
to write to home directories") +browser_write_sysadm_data _("Web Applications") _("Allow staff Web Browsers to write to home directories") +browser_write_user_data _("Web Applications") _("Allow staff Web Browsers to write to home directories") +browser_write_xguest_data _("Web Applications") _("Allow staff Web Browsers to write to home directories") +amanda_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for amanda") +amavis_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for amavis") +apmd_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for apmd daemon") +arpwatch_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for arpwatch daemon") +auditd_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for auditd daemon") +automount_disable_trans _("Mount") _("Disable SELinux protection for automount daemon") +avahi_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for avahi") +bluetooth_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for bluetooth daemon") +canna_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for canna daemon") +cardmgr_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for cardmgr daemon") +ccs_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for Cluster Server") +cdrecord_read_content _("User Privs") _("Allow cdrecord to read various content. 
nfs, samba, removable devices, user temp and untrusted content files") +ciped_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for ciped daemon") +clamd_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for clamd daemon") +clamscan_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for clamscan") +clvmd_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for clvmd") +comsat_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for comsat daemon") +courier_authdaemon_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for courier daemon") +courier_pcp_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for courier daemon") +courier_pop_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for courier daemon") +courier_sqwebmail_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for courier daemon") +courier_tcpd_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for courier daemon") +cpucontrol_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for cpucontrol daemon") +cpuspeed_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for cpuspeed daemon") +cron_can_relabel _("Cron") _("Allow system cron jobs to relabel filesystem for restoring file contexts") +crond_disable_trans _("Cron") _("Disable SELinux protection for crond daemon") +cupsd_config_disable_trans _("Printing") _("Disable SELinux protection for cupsd backend server") +cupsd_disable_trans _("Printing") _("Disable SELinux protection for cupsd daemon") +cupsd_lpd_disable_trans _("Printing") _("Disable SELinux protection for cupsd_lpd") +cvs_disable_trans _("CVS") _("Disable SELinux protection for cvs daemon") +cyrus_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for cyrus daemon") 
+dbskkd_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for dbskkd daemon") +dbusd_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for dbusd daemon") +dccd_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for dccd") +dccifd_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for dccifd") +dccm_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for dccm") +ddt_client_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for ddt daemon") +devfsd_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for devfsd daemon") +dhcpc_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for dhcpc daemon") +dhcpd_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for dhcpd daemon") +dictd_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for dictd daemon") +direct_sysadm_daemon _("Admin") _("Allow sysadm_t to directly start daemons") +disable_evolution_trans _("Web Applications") _("Disable SELinux protection for Evolution") +disable_games_trans _("Games") _("Disable SELinux protection for games") +disable_mozilla_trans _("Web Applications") _("Disable SELinux protection for the web browsers") +disable_thunderbird_trans _("Web Applications") _("Disable SELinux protection for Thunderbird") +distccd_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for distccd daemon") +dmesg_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for dmesg daemon") +dnsmasq_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for dnsmasq daemon") +dovecot_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for dovecot daemon") +entropyd_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for entropyd daemon") +fcron_crond _("Cron") 
_("Enable extra rules in the cron domain to support fcron") +fetchmail_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for fetchmail") +fingerd_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for fingerd daemon") +freshclam_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for freshclam daemon") +fsdaemon_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for fsdaemon daemon") +ftpd_disable_trans _("FTP") _("Disable SELinux protection for ftpd daemon") +ftpd_is_daemon _("FTP") _("Allow ftpd to run directly without inetd") +ftp_home_dir _("FTP") _("Allow ftp to read/write files in the user home directories") +global_ssp _("Admin") _("This should be enabled when all programs are compiled with ProPolice/SSP stack smashing protection. All domains will be allowed to read from /dev/urandom") +gpm_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for gpm daemon") +gssd_disable_trans _("NFS") _("Disable SELinux protection for gss daemon") +hald_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for hal daemon") +hide_broken_symptoms _("Compatibility") _("Do not audit things that we know to be broken but which are not security risks") +hostname_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for hostname daemon") +hotplug_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for hotplug daemon") +howl_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for howl daemon") +hplip_disable_trans _("Printing") _("Disable SELinux protection for cups hplip daemon") +httpd_builtin_scripting _("HTTPD Service") _("Allow HTTPD to support built-in scripting") +httpd_can_sendmail _("HTTPD Service") _("Allow HTTPD to send mail") +httpd_can_network_connect_db _("HTTPD Service") _("Allow HTTPD scripts and modules to network connect to databases") 
+httpd_can_network_connect _("HTTPD Service") _("Allow HTTPD scripts and modules to connect to the network") +httpd_can_network_relay _("HTTPD Service") _("Allow httpd to act as a relay") +httpd_disable_trans _("HTTPD Service") _("Disable SELinux protection for httpd daemon") +httpd_enable_cgi _("HTTPD Service") _("Allow HTTPD cgi support") +httpd_enable_ftp_server _("HTTPD Service") _("Allow HTTPD to run as a ftp server") +httpd_enable_homedirs _("HTTPD Service") _("Allow HTTPD to read home directories") +httpd_rotatelogs_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for httpd rotatelogs") +httpd_ssi_exec _("HTTPD Service") _("Allow HTTPD to run SSI executables in the same domain as system CGI scripts") +httpd_suexec_disable_trans _("HTTPD Service") _("Disable SELinux protection for http suexec") +httpd_tty_comm _("HTTPD Service") _("Unify HTTPD to communicate with the terminal. Needed for handling certificates") +httpd_unified _("HTTPD Service") _("Unify HTTPD handling of all content files") +hwclock_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for hwclock daemon") +i18n_input_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for i18n daemon") +imazesrv_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for imazesrv daemon") +inetd_child_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for inetd child daemons") +inetd_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for inetd daemon") +innd_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for innd daemon") +iptables_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for iptables daemon") +ircd_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for ircd daemon") +irqbalance_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for irqbalance daemon") 
+iscsid_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for iscsi daemon") +jabberd_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for jabberd daemon") +kadmind_disable_trans _("Kerberos") _("Disable SELinux protection for kadmind daemon") +klogd_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for klogd daemon") +krb5kdc_disable_trans _("Kerberos") _("Disable SELinux protection for krb5kdc daemon") +ktalkd_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for ktalk daemons") +kudzu_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for kudzu daemon") +locate_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for locate daemon") +lpd_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for lpd daemon") +lrrd_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for lrrd daemon") +lvm_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for lvm daemon") +mailman_mail_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for mailman") +mail_read_content _("Web Applications") _("Allow evolution and thunderbird to read user files") +mdadm_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for mdadm daemon") +monopd_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for monopd daemon") +mozilla_read_content _("Web Applications") _("Allow the mozilla browser to read user files") +mrtg_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for mrtg daemon") +mysqld_disable_trans _("Databases") _("Disable SELinux protection for mysqld daemon") +nagios_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for nagios daemon") +named_disable_trans _("Name Service") _("Disable SELinux protection for named daemon") +named_write_master_zones 
_("Name Service") _("Allow named to overwrite master zone files") +nessusd_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for nessusd daemon") +NetworkManager_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for NetworkManager") +nfsd_disable_trans _("NFS") _("Disable SELinux protection for nfsd daemon") +nfs_export_all_ro _("NFS") _("Allow NFS to share any file/directory read only") +nfs_export_all_rw _("NFS") _("Allow NFS to share any file/directory read/write") +nmbd_disable_trans _("Samba") _("Disable SELinux protection for nmbd daemon") +nrpe_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for nrpe daemon") +nscd_disable_trans _("Name Service") _("Disable SELinux protection for nscd daemon") +nsd_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for nsd daemon") +ntpd_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for ntpd daemon") +oddjob_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for oddjob") +oddjob_mkhomedir_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for oddjob_mkhomedir") +openvpn_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for openvpn daemon") +pam_console_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for pam daemon") +pegasus_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for pegasus") +perdition_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for perdition daemon") +portmap_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for portmap daemon") +portslave_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for portslave daemon") +postfix_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for postfix") +postgresql_disable_trans _("Databases") _("Disable SELinux 
protection for postgresql daemon") +openvpn_enable_homedirs _("Network Configuration") _("Allow openvpn service access to users home directories") +pppd_can_insmod _("pppd") _("Allow pppd daemon to insert modules into the kernel") +pppd_disable_trans _("pppd") _("Disable SELinux protection for pppd daemon") +pppd_disable_trans _("pppd") _("Disable SELinux protection for the mozilla ppp daemon") +pppd_for_user _("pppd") _("Allow pppd to be run for a regular user") +pptp_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for pptp") +prelink_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for prelink daemon") +privoxy_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for privoxy daemon") +ptal_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for ptal daemon") +pxe_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for pxe daemon") +pyzord_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for pyzord") +quota_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for quota daemon") +radiusd_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for radiusd daemon") +radvd_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for radvd daemon") +rdisc_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for rdisc") +readahead_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for readahead") +read_default_t _("Admin") _("Allow programs to read files in non-standard locations (default_t)") +read_untrusted_content _("Web Applications") _("Allow programs to read untrusted content without relabel") +restorecond_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for restorecond") +rhgb_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for rhgb daemon") 
+ricci_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for ricci") +ricci_modclusterd_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for ricci_modclusterd") +rlogind_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for rlogind daemon") +rpcd_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for rpcd daemon") +rshd_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for rshd") +rsync_disable_trans _("rsync") _("Disable SELinux protection for rsync daemon") +run_ssh_inetd _("SSH") _("Allow ssh to run from inetd instead of as a daemon") +samba_enable_home_dirs _("Samba") _("Allow Samba to share users home directories") +samba_share_nfs _("Samba") _("Allow Samba to share nfs directories") +allow_saslauthd_read_shadow _("SASL authentication server") _("Allow sasl authentication server to read /etc/shadow") +allow_xserver_execmem _("XServer") _("Allow X-Windows server to map a memory region as both executable and writable") +saslauthd_disable_trans _("SASL authentication server") _("Disable SELinux protection for saslauthd daemon") +scannerdaemon_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for scannerdaemon daemon") +secure_mode _("Admin") _("Do not allow transition to sysadm_t, sudo and su effected") +secure_mode_insmod _("Admin") _("Do not allow any processes to load kernel modules") +secure_mode_policyload _("Admin") _("Do not allow any processes to modify kernel SELinux policy") +sendmail_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for sendmail daemon") +setrans_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for setrans") +setroubleshootd_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for setroublesoot daemon") +slapd_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for slapd daemon") 
+slrnpull_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for slrnpull daemon") +smbd_disable_trans _("Samba") _("Disable SELinux protection for smbd daemon") +snmpd_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for snmpd daemon") +snort_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for snort daemon") +soundd_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for soundd daemon") +sound_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for sound daemon") +spamassassin_can_network _("Spam Assassin") _("Allow Spam Assasin daemon network access") +spamd_disable_trans _("spam Protection") _("Disable SELinux protection for spamd daemon") +spamd_enable_home_dirs _("spam Protection") _("Allow spamd to access home directories") +spammassasin_can_network _("spam Protection") _("Allow spammassasin to access the network") +speedmgmt_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for speedmgmt daemon") +squid_connect_any _("Squid") _("Allow squid daemon to connect to the network") +squid_disable_trans _("Squid") _("Disable SELinux protection for squid daemon") +ssh_keygen_disable_trans _("SSH") _("Disable SELinux protection for ssh daemon") +ssh_sysadm_login _("SSH") _("Allow ssh logins as sysadm_r:sysadm_t") +staff_read_sysadm_file _("Admin") _("Allow staff_r users to search the sysadm home dir and read files (such as ~/.bashrc)") +stunnel_disable_trans _("Universal SSL tunnel") _("Disable SELinux protection for stunnel daemon") +stunnel_is_daemon _("Universal SSL tunnel") _("Allow stunnel daemon to run as standalone, outside of xinetd") +swat_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for swat daemon") +sxid_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for sxid daemon") +syslogd_disable_trans _("SELinux Service Protection") _("Disable SELinux 
protection for syslogd daemon") +system_crond_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for system cron jobs") +tcpd_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for tcp daemon") +telnetd_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for telnet daemon") +tftpd_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for tftpd daemon") +transproxy_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for transproxy daemon") +udev_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for udev daemon") +uml_switch_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for uml daemon") +unlimitedInetd _("Admin") _("Allow xinetd to run unconfined, including any services it starts that do not have a domain transition explicitly defined") +unlimitedRC _("Admin") _("Allow rc scripts to run unconfined, including any daemon started by an rc script that does not have a domain transition explicitly defined") +unlimitedRPM _("Admin") _("Allow rpm to run unconfined") +unlimitedUtils _("Admin") _("Allow privileged utilities like hotplug and insmod to run unconfined") +updfstab_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for updfstab daemon") +uptimed_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for uptimed daemon") +use_lpd_server _("Printing") _("Use lpd server instead of cups") +use_nfs_home_dirs _("NFS") _("Support NFS home directories") +user_canbe_sysadm _("User Privs") _("Allow user_r to reach sysadm_r via su, sudo, or userhelper. 
Otherwise, only staff_r can do so") +user_can_mount _("Mount") _("Allow users to execute the mount command") +user_direct_mouse _("User Privs") _("Allow regular users direct mouse access (only allow the X server)") +user_dmesg _("User Privs") _("Allow users to run the dmesg command") +user_net_control _("User Privs") _("Allow users to control network interfaces (also needs USERCTL=true)") +user_ping _("User Privs") _("Allow normal user to execute ping") +user_rw_noexattrfile _("User Privs") _("Allow user to r/w noextattrfile (FAT, CDROM, FLOPPY)") +user_rw_usb _("User Privs") _("Allow users to rw usb devices") +user_tcp_server _("User Privs") _("Allow users to run TCP servers (bind to ports and accept connection from the same domain and outside users) disabling this forces FTP passive mode and may change other protocols") +user_ttyfile_stat _("User Privs") _("Allow user to stat ttyfiles") +use_samba_home_dirs _("Samba") _("Allow users to login with CIFS home directories") +uucpd_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for uucpd daemon") +vmware_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for vmware daemon") +watchdog_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for watchdog daemon") +winbind_disable_trans _("Samba") _("Disable SELinux protection for winbind daemon") +write_untrusted_content _("Web Applications") _("Allow web applications to write untrusted content to disk (implies read)") +xdm_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for xdm daemon") +xdm_sysadm_login _("XServer") _("Allow xdm logins as sysadm_r:sysadm_t") +xend_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for xen daemon") +xen_use_raw_disk _("XEN") _("Allow xen to read/write physical disk devices") +xfs_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for xfs daemon") +xm_disable_trans _("SELinux Service 
Protection") _("Disable SELinux protection for xen constrol") +ypbind_disable_trans _("NIS") _("Disable SELinux protection for ypbind daemon") +yppasswdd_disable_trans _("NIS") _("Disable SELinux protection for NIS Password Daemon") +ypserv_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for ypserv daemon") +ypxfr_disable_trans _("NIS") _("Disable SELinux protection for NIS Transfer Daemon") +zebra_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for zebra daemon") +httpd_use_cifs _("HTTPD Service") _("Allow httpd to access samba/cifs file systems") +httpd_use_nfs _("HTTPD Service") _("Allow httpd to access nfs file systems") +samba_domain_controller _("Samba") _("Allow samba to act as the domain controller, add users, groups and change passwords") +samba_export_all_ro _("Samba") _("Allow Samba to share any file/directory read only") +samba_export_all_rw _("Samba") _("Allow Samba to share any file/directory read/write") +samba_run_unconfined _("Samba") _("Allow Samba to run unconfined scripts in /var/lib/samba/scripts directory") +webadm_manage_user_files _("HTTPD Service") _("Allow SELinux webadm user to manage unprivledged users home directories") +webadm_read_user_files _("HTTPD Service") _("Allow SELinux webadm user to read unprivledged users home directories") + diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/semanagePage.py policycoreutils-2.0.25/gui/semanagePage.py --- nsapolicycoreutils/gui/semanagePage.py 1969-12-31 19:00:00.000000000 -0500 +++ policycoreutils-2.0.25/gui/semanagePage.py 2007-08-28 09:22:17.000000000 -0400 
@@ -0,0 +1,137 @@
+## semanagePage.py - show selinux mappings
+## Copyright (C) 2006 Red Hat, Inc.
+
+## This program is free software; you can redistribute it and/or modify
+## it under the terms of the GNU General Public License as published by
+## the Free Software Foundation; either version 2 of the License, or
+## (at your option) any later version.
+
+## This program is distributed in the hope that it will be useful,
+## but WITHOUT ANY WARRANTY; without even the implied warranty of
+## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+## GNU General Public License for more details.
+
+## You should have received a copy of the GNU General Public License
+## along with this program; if not, write to the Free Software
+## Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+
+## Author: Dan Walsh
+import string
+import gtk
+import gtk.glade
+import os
+import libxml2
+import gobject
+import sys
+import seobject
+
+##
+## I18N
+##
+PROGNAME="policycoreutils"
+import gettext
+gettext.bindtextdomain(PROGNAME, "/usr/share/locale")
+gettext.textdomain(PROGNAME)
+try:
+ gettext.install(PROGNAME,
+ localedir="/usr/share/locale",
+ unicode=False,
+ codeset = 'utf-8')
+except IOError:
+ import __builtin__
+ __builtin__.__dict__['_'] = unicode
+
+class semanagePage:
+ def __init__(self, xml, name, description):
+ self.xml = xml
+ self.view = xml.get_widget("%sView" % name)
+ self.dialog = xml.get_widget("%sDialog" % name)
+ self.filter_entry = xml.get_widget("%sFilterEntry" % name )
+ self.filter_entry.connect("focus_out_event", self.filter_changed)
+ self.filter_entry.connect("activate", self.filter_changed)
+
+ self.view.connect("row_activated", self.rowActivated)
+ self.view.get_selection().connect("changed", self.itemSelected)
+ self.description = description;
+
+ def get_description(self):
+ return self.description
+
+ def itemSelected(self, args):
+ return
+
+ def filter_changed(self, *arg):
+ filter = arg[0].get_text()
+ if filter != self.filter:
+ self.load(filter)
+
+ def match(self, target, filter):
+ try:
+ f=filter.lower()
+ t=target.lower()
+ if t.find(f) >= 0:
+ return True
+ except:
+ pass
+ return False
+
+ def rowActivated(self, view, row, Column):
+ self.propertiesDialog()
+
+ def verify(self, message, title="" ):
+ dlg = gtk.MessageDialog(None, 0, gtk.MESSAGE_INFO,
+ gtk.BUTTONS_YES_NO,
+ message)
+ dlg.set_title(title)
+ dlg.set_position(gtk.WIN_POS_MOUSE)
+ dlg.show_all()
+ rc = dlg.run()
+ dlg.destroy()
+ return rc
+
+ def error(self, message):
+ dlg = gtk.MessageDialog(None, 0, gtk.MESSAGE_ERROR,
+ gtk.BUTTONS_CLOSE,
+ message)
+ dlg.set_position(gtk.WIN_POS_MOUSE)
+ dlg.show_all()
+ dlg.run()
+ dlg.destroy()
+
+ def deleteDialog(self):
+ store, iter = self.view.get_selection().get_selected()
+ if self.verify(_("Are you sure you want to delete %s '%s'?" % (self.description, store.get_value(iter, 0))), _("Delete %s" % self.description)) == gtk.RESPONSE_YES:
+ self.delete()
+
+ def use_menus(self):
+ return True
+
+ def addDialog(self):
+ self.dialogClear()
+ self.dialog.set_title(_("Add %s" % self.description))
+ self.dialog.set_position(gtk.WIN_POS_MOUSE)
+
+ while self.dialog.run() == gtk.RESPONSE_OK:
+ try:
+ if self.add() == False:
+ continue
+ break;
+ except ValueError, e:
+ self.error(e.args[0])
+ print
+ self.dialog.hide()
+
+ def propertiesDialog(self):
+ self.dialogInit()
+ self.dialog.set_title(_("Modify %s" % self.description))
+ self.dialog.set_position(gtk.WIN_POS_MOUSE)
+ while self.dialog.run() == gtk.RESPONSE_OK:
+ try:
+ if self.modify() == False:
+ continue
+ break;
+ except ValueError, e:
+ self.error(e.args[0])
+ self.dialog.hide()
+
+
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/statusPage.py policycoreutils-2.0.25/gui/statusPage.py
--- nsapolicycoreutils/gui/statusPage.py 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-2.0.25/gui/statusPage.py 2007-08-28 09:22:17.000000000 -0400
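Review bot: The confirmation and title strings in deleteDialog, addDialog and propertiesDialog interpolate before translating — `_("Delete %s" % self.description)` looks up the already-formatted text, so the catalog msgid never matches and the prompt is shown untranslated; it should be `_("Delete %s") % self.description`, and likewise for the other three `_( ... % ...)` calls in those methods. deleteDialog also unpacks `store, iter = self.view.get_selection().get_selected()` and passes `iter` straight into `store.get_value`, which raises when nothing is selected; a guard `if iter is None: return` before the prompt is enough. filter_changed compares against `self.filter`, which `__init__` never initialises in this class, so the first focus-out raises unless a subclass's `load` sets it first — setting `self.filter = ""` in `__init__` removes that dependency. The bare `except:` in match swallows everything including KeyboardInterrupt; `except AttributeError:` covers the non-string target case it appears to be guarding.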
@@ -0,0 +1,220 @@
+## statusPage.py - show selinux status
+## Copyright (C) 2006 Red Hat, Inc.
+
+## This program is free software; you can redistribute it and/or modify
+## it under the terms of the GNU General Public License as published by
+## the Free Software Foundation; either version 2 of the License, or
+## (at your option) any later version.
+
+## This program is distributed in the hope that it will be useful,
+## but WITHOUT ANY WARRANTY; without even the implied warranty of
+## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+## GNU General Public License for more details.
+
+## You should have received a copy of the GNU General Public License
+## along with this program; if not, write to the Free Software
+## Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+
+## Author: Dan Walsh
+import string
+import gtk
+import gtk.glade
+import os
+import libxml2
+import gobject
+import sys
+import tempfile
+
+INSTALLPATH = '/usr/share/system-config-selinux'
+sys.path.append(INSTALLPATH)
+
+rhplPath = "/usr/lib/python%d.%d/site-packages/rhpl" % (sys.version_info[0], sys.version_info[1])
+if not rhplPath in sys.path:
+ sys.path.append(rhplPath)
+
+rhplPath = "/usr/lib64/python%d.%d/site-packages/rhpl" % (sys.version_info[0], sys.version_info[1])
+if not rhplPath in sys.path:
+ sys.path.append(rhplPath)
+
+from Conf import *
+import commands
+ENFORCING = 0
+PERMISSIVE = 1
+DISABLED = 2
+modearray = ( "enforcing", "permissive", "disabled" )
+
+SELINUXDIR = "/etc/selinux/"
+RELABELFILE = "/.autorelabel"
+
+##
+## I18N
+##
+PROGNAME="policycoreutils"
+import gettext
+gettext.bindtextdomain(PROGNAME, "/usr/share/locale")
+gettext.textdomain(PROGNAME)
+import selinux
+try:
+ gettext.install(PROGNAME, localedir="/usr/share/locale", unicode=1)
+except IOError:
+ import __builtin__
+ __builtin__.__dict__['_'] = unicode
+
+class statusPage:
+ def __init__(self, xml):
+ self.xml = xml
+ self.needRelabel = False
+
+ self.type = selinux.selinux_getpolicytype()
+ # Bring in widgets from glade file.
+ self.typeHBox = xml.get_widget("typeHBox")
+ self.selinuxTypeOptionMenu = xml.get_widget("selinuxTypeOptionMenu")
+ self.typeLabel = xml.get_widget("typeLabel")
+ self.enabledOptionMenu = xml.get_widget("enabledOptionMenu")
+ self.currentOptionMenu = xml.get_widget("currentOptionMenu")
+ self.relabel_checkbutton = xml.get_widget("relabelCheckbutton")
+ self.relabel_checkbutton.set_active(self.is_relabel())
+ self.relabel_checkbutton.connect("toggled", self.on_relabel_toggle)
+ if self.get_current_mode() == ENFORCING or self.get_current_mode() == PERMISSIVE:
+ self.currentOptionMenu.append_text(_("Enforcing"))
+ self.currentOptionMenu.append_text(_("Permissive"))
+ self.currentOptionMenu.set_active(self.get_current_mode())
+ self.currentOptionMenu.connect("changed", self.set_current_mode)
+ self.currentOptionMenu.set_sensitive(True)
+ else:
+ self.currentOptionMenu.append_text(_("Disabled"))
+ self.currentOptionMenu.set_active(0)
+ self.currentOptionMenu.set_sensitive(False)
+
+
+ if self.read_selinux_config() == None:
+ self.selinuxsupport = False
+ else:
+ self.enabledOptionMenu.connect("changed", self.enabled_changed)
+ #
+ # This line must come after read_selinux_config
+ #
+ self.selinuxTypeOptionMenu.connect("changed", self.typemenu_changed)
+
+ self.typeLabel.set_mnemonic_widget(self.selinuxTypeOptionMenu)
+
+ def use_menus(self):
+ return False
+
+ def get_description(self):
+ return _("Status")
+
+ def get_current_mode(self):
+ if selinux.is_selinux_enabled():
+ if selinux.security_getenforce() > 0:
+ return ENFORCING
+ else:
+ return PERMISSIVE
+ else:
+ return DISABLED
+
+ def set_current_mode(self,menu):
+ selinux.security_setenforce(menu.get_active() == 0)
+
+ def is_relabel(self):
+ return os.access(RELABELFILE, os.F_OK) != 0
+
+ def on_relabel_toggle(self,button):
+ if button.get_active():
+ fd = open(RELABELFILE,"w")
+ fd.close()
+ else:
+ if os.access(RELABELFILE, os.F_OK) != 0:
+ os.unlink(RELABELFILE)
+
+ def verify(self, message):
+ dlg = gtk.MessageDialog(None, 0, gtk.MESSAGE_INFO,
+ gtk.BUTTONS_YES_NO,
+ message)
+ dlg.set_position(gtk.WIN_POS_MOUSE)
+ dlg.show_all()
+ rc = dlg.run()
+ dlg.destroy()
+ return rc
+
+ def typemenu_changed(self, menu):
+ type = self.get_type()
+ enabled = self.enabledOptionMenu.get_active()
+ if self.initialtype != type:
+ if self.verify(_("Changing the policy type will cause a relabel of the entire file system on the next boot. Relabeling takes a long time depending on the size of the file system. Do you wish to continue?")) == gtk.RESPONSE_NO:
+ menu.set_active(self.typeHistory)
+ return None
+
+ self.relabel_checkbutton.set_active(True)
+ self.conf["SELINUX"] = modearray[enabled]
+ self.conf["SELINUXTYPE"]=type
+ self.conf.write()
+ self.typeHistory = menu.get_active()
+
+ def enabled_changed(self, combo):
+ enabled = combo.get_active()
+ type = self.get_type()
+
+ if self.initEnabled == DISABLED and enabled < 2:
+ if self.verify(_("Changing to SELinux enabled will cause a relabel of the entire file system on the next boot. Relabeling takes a long time depending on the size of the file system. Do you wish to continue?")) == gtk.RESPONSE_NO:
+ return None
+ self.relabel_checkbutton.set_active(True)
+
+ if self.initEnabled != DISABLED and enabled == DISABLED:
+ if self.verify(_("Changing to SELinux disabled requires a reboot. It is not recommended. If you later decide to turn SELinux back on, the system will be required to relabel. If you just want to see if SELinux is causing a problem on your system, you can go to permissive mode which will only log errors and not enforce SELinux policy. Permissive mode does not require a reboot Do you wish to continue?")) == gtk.RESPONSE_NO:
+ return None
+
+ self.conf["SELINUX"] = modearray[enabled]
+ self.conf["SELINUXTYPE"]=type
+ self.conf.write()
+
+ def read_selinux_config(self):
+ self.initialtype = "targeted"
+ self.initEnabled = DISABLED
+ self.types = []
+ if os.access(SELINUXDIR, os.F_OK) == 0:
+ #File doesn't exist. return
+ return None
+
+ self.conf = ConfShellVar(SELINUXDIR+"config")
+ self.conf.rcs = 1
+ if self.conf.has_key("SELINUX"):
+ value = self.conf.vars["SELINUX"].upper().strip()
+ else:
+ value = "ENFORCING"
+ self.conf.vars["SELINUX"] = value
+
+ if value == "ENFORCING":
+ self.initEnabled = ENFORCING
+ self.enabledOptionMenu.set_active(ENFORCING)
+ elif value == "PERMISSIVE":
+ self.initEnabled = PERMISSIVE
+ self.enabledOptionMenu.set_active(PERMISSIVE)
+ elif value == "DISABLED":
+ self.initEnabled = DISABLED
+ self.enabledOptionMenu.set_active(DISABLED)
+
+ if self.conf.has_key("SELINUXTYPE"):
+ self.initialtype = self.conf.vars["SELINUXTYPE"].strip()
+ else:
+ self.conf.vars["SELINUXTYPE"] = self.initialtype
+
+ n = 0
+ current = n
+
+ for i in os.listdir(SELINUXDIR):
+ if os.path.isdir(SELINUXDIR+i) and os.path.isdir(SELINUXDIR+i+"/policy"):
+ self.types.append(i)
+ self.selinuxTypeOptionMenu.append_text(i)
+ if i == self.initialtype:
+ current = n
+ n = n+1
+ self.selinuxTypeOptionMenu.set_active(current)
+ self.typeHistory = current
+
+ return 0
+
+ def get_type(self):
+ return self.types[self.selinuxTypeOptionMenu.get_active()]
+
+
+
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/system-config-selinux.glade policycoreutils-2.0.25/gui/system-config-selinux.glade
--- nsapolicycoreutils/gui/system-config-selinux.glade 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-2.0.25/gui/system-config-selinux.glade 2007-08-28 09:22:17.000000000 -0400
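Review bot: set_current_mode discards the return value of `selinux.security_setenforce`, which reports failure with a non-zero return rather than an exception, so when the call is refused (for instance by an unprivileged caller) the combo box keeps showing the mode the user picked while the kernel stays in the old one — the display of a security control should never disagree with the actual state. Check the result and resync the widget, e.g. `if selinux.security_setenforce(menu.get_active() == 0) != 0:` followed by `menu.set_active(self.get_current_mode())`, which re-reads the kernel state and terminates because GTK does not re-emit "changed" for an unchanged index. on_relabel_toggle has the same shape — `open(RELABELFILE,"w")` and `os.unlink` raise IOError/OSError when the process lacks permission and nothing catches them — as do the `self.conf.write()` calls in typemenu_changed and enabled_changed, so a failed persist leaves the UI claiming a change that was never written. In read_selinux_config an unrecognised SELINUX= value falls through all three branches and leaves initEnabled at DISABLED with the menu untouched, so a later enabled_changed silently rewrites the config from whatever index the widget happens to have; treating unknown values as ENFORCING, the default the else branch already uses, keeps the fallback on the restrictive side.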
@@ -0,0 +1,3326 @@ + + + + + + + + + 5 + False + system-config-selinux + Copyright (c)2006 Red Hat, Inc. +Copyright (c) 2006 Dan Walsh <dwalsh@redhat.com> + False + Daniel Walsh <dwalsh@redhat.com> + + translator-credits + system-config-selinux.png + + + + Add SELinux Login Mapping + GTK_WINDOW_TOPLEVEL + GTK_WIN_POS_NONE + False + True + False + True + False + False + GDK_WINDOW_TYPE_HINT_DIALOG + GDK_GRAVITY_NORTH_WEST + True + False + True + + + + True + False + 0 + + + + True + GTK_BUTTONBOX_END + + + + True + True + True + gtk-cancel + True + GTK_RELIEF_NORMAL + True + -6 + + + + + + True + True + True + gtk-ok + True + GTK_RELIEF_NORMAL + True + -5 + + + + + 0 + False + True + GTK_PACK_END + + + + + + True + False + 0 + + + + True + 3 + 2 + False + 4 + 6 + + + + True + Login Name + False + False + GTK_JUSTIFY_LEFT + False + False + 0 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + 0 + 1 + 0 + 1 + fill + + + + + + + True + SELinux User + False + False + GTK_JUSTIFY_LEFT + False + False + 0 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + 0 + 1 + 1 + 2 + fill + + + + + + + True + MLS/MCS Range + False + False + GTK_JUSTIFY_LEFT + False + False + 0 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + 0 + 1 + 2 + 3 + fill + + + + + + + True + True + True + True + 0 + + True + * + False + + + 1 + 2 + 0 + 1 + + + + + + + True + False + True + + + 1 + 2 + 1 + 2 + fill + fill + + + + + + True + True + True + True + 0 + + True + * + False + + + 1 + 2 + 2 + 3 + + + + + + 5 + True + True + + + + + 0 + True + True + + + + + + + + Add SELinux Network Ports + GTK_WINDOW_TOPLEVEL + GTK_WIN_POS_NONE + False + True + False + True + False + False + GDK_WINDOW_TYPE_HINT_DIALOG + GDK_GRAVITY_NORTH_WEST + True + False + True + + + + True + False + 0 + + + + True + GTK_BUTTONBOX_END + + + + True + True + True + gtk-cancel + True + GTK_RELIEF_NORMAL + True + -6 + + + + + + True + True + True + gtk-ok + True + GTK_RELIEF_NORMAL + True + -5 + + + + + 0 + 
False + True + GTK_PACK_END + + + + + + True + False + 0 + + + + True + 4 + 2 + False + 4 + 6 + + + + True + Port Number + False + False + GTK_JUSTIFY_LEFT + False + False + 0 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + 0 + 1 + 0 + 1 + fill + + + + + + + True + Protocol + False + False + GTK_JUSTIFY_LEFT + False + False + 0 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + 0 + 1 + 1 + 2 + fill + + + + + + + True + SELinux Type + False + False + GTK_JUSTIFY_LEFT + False + False + 0 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + 0 + 1 + 2 + 3 + fill + + + + + + + True + True + True + True + 0 + + True + * + False + + + 1 + 2 + 0 + 1 + + + + + + + True + tcp +udp + False + True + + + 1 + 2 + 1 + 2 + fill + fill + + + + + + True + True + True + True + 0 + + True + * + False + + + 1 + 2 + 2 + 3 + + + + + + + True + MLS/MCS +Level + False + False + GTK_JUSTIFY_LEFT + False + False + 0 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + 0 + 1 + 3 + 4 + fill + + + + + + + True + True + True + True + 0 + + True + * + False + + + 1 + 2 + 3 + 4 + + + + + + 5 + True + True + + + + + 0 + True + True + + + + + + + + Add SELinux Login Mapping + GTK_WINDOW_TOPLEVEL + GTK_WIN_POS_NONE + False + True + False + True + False + False + GDK_WINDOW_TYPE_HINT_DIALOG + GDK_GRAVITY_NORTH_WEST + True + False + True + + + + True + False + 0 + + + + True + GTK_BUTTONBOX_END + + + + True + True + True + gtk-cancel + True + GTK_RELIEF_NORMAL + True + -6 + + + + + + True + True + True + gtk-ok + True + GTK_RELIEF_NORMAL + True + -5 + + + + + 0 + False + True + GTK_PACK_END + + + + + + True + False + 0 + + + + True + 2 + 2 + False + 4 + 6 + + + + True + SELinux MLS/MCS +Level + False + False + GTK_JUSTIFY_LEFT + False + False + 0 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + 0 + 1 + 0 + 1 + fill + + + + + + + True + Translation + False + False + GTK_JUSTIFY_LEFT + False + False + 0 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + 
+ + 0 + 1 + 1 + 2 + fill + + + + + + + True + True + True + True + 0 + + True + * + False + + + 1 + 2 + 0 + 1 + + + + + + + True + True + True + True + 0 + + True + * + False + + + 1 + 2 + 1 + 2 + + + + + + 5 + True + True + + + + + 0 + True + True + + + + + + + + Add SELinux Login Mapping + GTK_WINDOW_TOPLEVEL + GTK_WIN_POS_NONE + False + True + False + True + False + False + GDK_WINDOW_TYPE_HINT_DIALOG + GDK_GRAVITY_NORTH_WEST + True + False + True + + + + True + False + 0 + + + + True + GTK_BUTTONBOX_END + + + + True + True + True + gtk-cancel + True + GTK_RELIEF_NORMAL + True + -6 + + + + + + True + True + True + gtk-ok + True + GTK_RELIEF_NORMAL + True + -5 + + + + + 0 + False + True + GTK_PACK_END + + + + + + True + False + 0 + + + + True + 4 + 2 + False + 4 + 6 + + + + True + File Specification + False + False + GTK_JUSTIFY_LEFT + False + False + 0 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + 0 + 1 + 0 + 1 + fill + + + + + + + True + File Type + False + False + GTK_JUSTIFY_LEFT + False + False + 0 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + 0 + 1 + 1 + 2 + fill + + + + + + + True + SELinux Type + False + False + GTK_JUSTIFY_LEFT + False + False + 0 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + 0 + 1 + 2 + 3 + fill + + + + + + + True + True + True + True + 0 + + True + * + False + + + 1 + 2 + 0 + 1 + + + + + + + True + all files +regular file +directory +character device +block device +socket +symbolic link +named pipe + + False + True + + + 1 + 2 + 1 + 2 + fill + fill + + + + + + True + True + True + True + 0 + + True + * + False + + + 1 + 2 + 2 + 3 + + + + + + + True + MLS + False + False + GTK_JUSTIFY_LEFT + False + False + 0 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + 0 + 1 + 3 + 4 + fill + + + + + + + True + True + True + True + 0 + + True + * + False + + + 1 + 2 + 3 + 4 + + + + + + 5 + True + True + + + + + 0 + True + True + + + + + + + + Add SELinux User + GTK_WINDOW_TOPLEVEL + 
GTK_WIN_POS_NONE + False + True + False + True + False + False + GDK_WINDOW_TYPE_HINT_DIALOG + GDK_GRAVITY_NORTH_WEST + True + False + True + + + + True + False + 0 + + + + True + GTK_BUTTONBOX_END + + + + True + True + True + gtk-cancel + True + GTK_RELIEF_NORMAL + True + -6 + + + + + + True + True + True + gtk-ok + True + GTK_RELIEF_NORMAL + True + -5 + + + + + 0 + False + True + GTK_PACK_END + + + + + + True + False + 0 + + + + True + 5 + 2 + False + 4 + 6 + + + + True + SELinux User + False + False + GTK_JUSTIFY_LEFT + False + False + 0 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + 0 + 1 + 0 + 1 + fill + + + + + + + True + Label Prefix + False + False + GTK_JUSTIFY_LEFT + False + False + 0 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + 0 + 1 + 1 + 2 + fill + + + + + + + True + MLS/MCS Range + False + False + GTK_JUSTIFY_LEFT + False + False + 0 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + 0 + 1 + 3 + 4 + fill + + + + + + + True + True + True + True + 0 + + True + * + False + + + 1 + 2 + 3 + 4 + + + + + + + True + MLS/MCS Level + False + False + GTK_JUSTIFY_LEFT + False + False + 0 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + 0 + 1 + 2 + 3 + fill + + + + + + + True + True + True + True + 0 + + True + * + False + + + 1 + 2 + 2 + 3 + + + + + + + True + SELinux Roles + False + False + GTK_JUSTIFY_LEFT + False + False + 0 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + 0 + 1 + 4 + 5 + fill + + + + + + + True + True + True + True + 0 + + True + * + False + + + 1 + 2 + 4 + 5 + + + + + + + True + True + True + True + 0 + + True + * + False + + + 1 + 2 + 0 + 1 + + + + + + + True + True + True + True + 0 + + True + * + False + + + 1 + 2 + 1 + 2 + + + + + + 5 + True + True + + + + + 0 + True + True + + + + + + + + 800 + 500 + SELinux Administration + GTK_WINDOW_TOPLEVEL + GTK_WIN_POS_NONE + False + True + False + system-config-selinux.png + True + False + False + GDK_WINDOW_TYPE_HINT_NORMAL + 
GDK_GRAVITY_NORTH_WEST + True + False + True + + + + True + True + + + + True + GTK_SHADOW_NONE + + + + True + GTK_PACK_DIRECTION_LTR + GTK_PACK_DIRECTION_LTR + + + + True + GNOMEUIINFO_MENU_FILE_TREE + + + + + + + True + Add + True + + + + + + True + gtk-add + 1 + 0.5 + 0.5 + 0 + 0 + + + + + + + + True + _Properties + True + + + + + + True + gtk-properties + 1 + 0.5 + 0.5 + 0 + 0 + + + + + + + + True + _Delete + True + + + + + + True + gtk-delete + 1 + 0.5 + 0.5 + 0 + 0 + + + + + + + + True + GNOMEUIINFO_MENU_EXIT_ITEM + + + + + + + + + + + True + GNOMEUIINFO_MENU_HELP_TREE + + + + + + + True + GNOMEUIINFO_MENU_ABOUT_ITEM + + + + + + + + + + + + BONOBO_DOCK_TOP + 0 + 0 + 0 + BONOBO_DOCK_ITEM_BEH_EXCLUSIVE|BONOBO_DOCK_ITEM_BEH_NEVER_VERTICAL|BONOBO_DOCK_ITEM_BEH_LOCKED + + + + + + True + True + 0 + + + + 5 + True + 0 + 0.5 + GTK_SHADOW_NONE + + + + True + 0.5 + 0.5 + 1 + 1 + 0 + 0 + 12 + 0 + + + + True + Select Management Object + True + False + False + False + True + False + False + False + + + + + + + + True + <b>Select:</b> + False + True + GTK_JUSTIFY_LEFT + False + False + 0.5 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + label_item + + + + + False + True + + + + + + True + False + True + GTK_POS_TOP + False + False + + + + True + False + 0 + + + + True + 4 + 2 + False + 5 + 5 + + + + True + System Default Enforcing Mode + False + False + GTK_JUSTIFY_LEFT + False + False + 0.5 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + 0 + 1 + 0 + 1 + fill + + + + + + + True + Enforcing +Permissive +Disabled + + False + True + + + 1 + 2 + 0 + 1 + fill + + + + + + True + Current Enforcing Mode + False + False + GTK_JUSTIFY_LEFT + False + False + 0.5 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + 0 + 1 + 1 + 2 + fill + + + + + + + True + + False + True + + + 1 + 2 + 1 + 2 + fill + fill + + + + + + True + System Default Policy Type: + False + False + GTK_JUSTIFY_LEFT + False + False + 0.5 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + 
False + 0 + + + 0 + 1 + 2 + 3 + fill + + + + + + + True + + False + True + + + 1 + 2 + 2 + 3 + fill + fill + + + + + + True + Select if you wish to relabel then entire file system on next reboot. Relabeling can take a very long time, depending on the size of the system. If you are changing policy types or going from disabled to enforcing, a relabel is required. + True + GTK_RELIEF_NORMAL + True + False + False + True + + + + True + 0.5 + 0.5 + 0 + 0 + 0 + 0 + 0 + 0 + + + + True + False + 2 + + + + True + gtk-refresh + 4 + 0.5 + 0.5 + 0 + 0 + + + 0 + False + False + + + + + + True + Relabel on next reboot. + True + False + GTK_JUSTIFY_LEFT + False + False + 0.5 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + 0 + False + False + + + + + + + + + 0 + 2 + 3 + 4 + fill + fill + + + + + 0 + True + True + + + + + False + True + + + + + + True + label37 + False + False + GTK_JUSTIFY_LEFT + False + False + 0.5 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + tab + + + + + + True + False + 0 + + + + True + False + 0 + + + + True + Filter + False + False + GTK_JUSTIFY_LEFT + False + False + 0.5 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + 10 + False + False + + + + + + True + True + True + True + 0 + + True + + False + + + + 0 + True + True + + + + + 10 + False + True + + + + + + True + True + GTK_POLICY_ALWAYS + GTK_POLICY_ALWAYS + GTK_SHADOW_NONE + GTK_CORNER_TOP_LEFT + + + + True + True + False + False + False + True + False + False + False + + + + + 0 + True + True + + + + + False + True + + + + + + True + label50 + False + False + GTK_JUSTIFY_LEFT + False + False + 0.5 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + tab + + + + + + True + False + 0 + + + + True + GTK_ORIENTATION_HORIZONTAL + GTK_TOOLBAR_BOTH + True + True + + + + True + Add File Context + gtk-add + True + True + False + + + + False + True + + + + + + True + Modify File Context + gtk-properties + True + True + False + + + + False + True + + + + + + True + 
Delete File Context + gtk-delete + True + True + False + + + + False + True + + + + + 0 + False + False + + + + + + True + True + GTK_POLICY_ALWAYS + GTK_POLICY_ALWAYS + GTK_SHADOW_NONE + GTK_CORNER_TOP_LEFT + + + + True + GTK_SHADOW_IN + + + + True + False + 0 + + + + True + False + 0 + + + + True + Filter + False + False + GTK_JUSTIFY_LEFT + False + False + 0.5 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + 10 + False + False + + + + + + True + True + True + True + 0 + + True + + False + + + + 0 + True + True + + + + + 5 + False + True + + + + + + True + True + True + False + False + True + False + False + False + + + 0 + True + True + + + + + + + + + 0 + True + True + + + + + False + True + + + + + + True + label38 + False + False + GTK_JUSTIFY_LEFT + False + False + 0.5 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + tab + + + + + + True + False + 0 + + + + True + GTK_ORIENTATION_HORIZONTAL + GTK_TOOLBAR_BOTH + True + True + + + + True + Add SELinux User Mapping + gtk-add + True + True + False + + + + False + True + + + + + + True + Modify SELinux User Mapping + gtk-properties + True + True + False + + + + False + True + + + + + + True + Delete SELinux User Mapping + gtk-delete + True + True + False + + + + False + True + + + + + 0 + False + False + + + + + + True + False + 0 + + + + True + Filter + False + False + GTK_JUSTIFY_LEFT + False + False + 0.5 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + 10 + False + False + + + + + + True + True + True + True + 0 + + True + + False + + + + 0 + True + True + + + + + 5 + False + True + + + + + + True + True + GTK_POLICY_ALWAYS + GTK_POLICY_ALWAYS + GTK_SHADOW_NONE + GTK_CORNER_TOP_LEFT + + + + True + True + True + False + False + True + False + False + False + + + + + 0 + True + True + + + + + False + True + + + + + + True + label39 + False + False + GTK_JUSTIFY_LEFT + False + False + 0.5 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + tab + + + + + + True + False + 0 
+ + + + True + GTK_ORIENTATION_HORIZONTAL + GTK_TOOLBAR_BOTH + True + True + + + + True + Add Translation + gtk-add + True + True + False + + + + False + True + + + + + + True + Modify Translation + gtk-properties + True + True + False + + + + False + True + + + + + + True + Delete Translation + gtk-delete + True + True + False + + + + False + True + + + + + 0 + False + False + + + + + + True + False + 0 + + + + True + Filter + False + False + GTK_JUSTIFY_LEFT + False + False + 0.5 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + 10 + False + False + + + + + + True + True + True + True + 0 + + True + + False + + + + 0 + True + True + + + + + 5 + False + True + + + + + + True + True + GTK_POLICY_ALWAYS + GTK_POLICY_ALWAYS + GTK_SHADOW_NONE + GTK_CORNER_TOP_LEFT + + + + True + True + True + False + False + True + False + False + False + + + + + 0 + True + True + + + + + False + True + + + + + + True + label41 + False + False + GTK_JUSTIFY_LEFT + False + False + 0.5 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + tab + + + + + + True + False + 0 + + + + True + GTK_ORIENTATION_HORIZONTAL + GTK_TOOLBAR_BOTH + True + True + + + + True + Add SELinux User + gtk-add + True + True + False + + + + False + True + + + + + + True + Modify SELinux User + gtk-properties + True + True + False + + + + False + True + + + + + + True + Add SELinux User + gtk-delete + True + True + False + + + + False + True + + + + + 0 + False + False + + + + + + True + False + 0 + + + + True + Filter + False + False + GTK_JUSTIFY_LEFT + False + False + 0.5 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + 10 + False + False + + + + + + True + True + True + True + 0 + + True + + False + + + + 0 + True + True + + + + + 5 + False + True + + + + + + True + True + GTK_POLICY_ALWAYS + GTK_POLICY_ALWAYS + GTK_SHADOW_NONE + GTK_CORNER_TOP_LEFT + + + + True + True + True + False + False + True + False + False + False + + + + + 0 + True + True + + + + + False + True + + + + + + 
True + label40 + False + False + GTK_JUSTIFY_LEFT + False + False + 0.5 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + tab + + + + + + True + False + 0 + + + + True + GTK_ORIENTATION_HORIZONTAL + GTK_TOOLBAR_BOTH + False + True + + + + True + Add Network Port + gtk-add + True + True + False + + + + False + True + + + + + + True + Edit Network Port + gtk-properties + True + True + False + + + + False + True + + + + + + True + Delete Network Port + gtk-delete + True + True + False + + + + False + True + + + + + + True + True + True + False + + + + 32 + True + + + + + False + False + + + + + + True + True + True + False + + + + True + Group/ungroup network ports by SELinux type. + True + GTK_RELIEF_NORMAL + True + False + False + + + + + True + 0.5 + 0.5 + 0 + 0 + 0 + 0 + 0 + 0 + + + + True + False + 2 + + + + True + gtk-indent + 4 + 0.5 + 0.5 + 0 + 0 + + + 0 + False + False + + + + + + True + Group View + True + False + GTK_JUSTIFY_LEFT + False + False + 0.5 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + 0 + False + False + + + + + + + + + + + False + False + + + + + 0 + False + False + + + + + + True + False + 0 + + + + True + Filter + False + False + GTK_JUSTIFY_LEFT + False + False + 0.5 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + 10 + False + False + + + + + + True + True + True + True + 0 + + True + + False + + + + 0 + True + True + + + + + 5 + False + True + + + + + + True + True + GTK_POLICY_ALWAYS + GTK_POLICY_ALWAYS + GTK_SHADOW_NONE + GTK_CORNER_TOP_LEFT + + + + True + True + True + False + False + True + False + False + False + + + + + 0 + True + True + + + + + False + True + + + + + + True + label42 + False + False + GTK_JUSTIFY_LEFT + False + False + 0.5 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + tab + + + + + + True + False + 0 + + + + True + GTK_ORIENTATION_HORIZONTAL + GTK_TOOLBAR_BOTH + True + True + + + + True + Generate new policy module + gtk-new + True + True + False + + + + False + True 
+ + + + + + True + Load policy module + gtk-add + True + True + False + + + + False + True + + + + + + True + Remove loadable policy module + gtk-remove + True + True + False + + + + False + True + + + + + + True + True + True + False + + + + 10 + True + + + + + False + False + + + + + + True + Enable additional audit rules, that are normally not reported in the log files. + Enable Audit + True + gtk-zoom-in + True + True + False + + + + False + True + + + + + + True + Disable additional audit rules, that are normally not reported in the log files. + Disable Audit + True + gtk-zoom-out + True + True + False + + + + False + True + + + + + 0 + False + False + + + + + + True + False + 0 + + + + True + Filter + False + False + GTK_JUSTIFY_LEFT + False + False + 0.5 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + 10 + False + False + + + + + + True + True + True + True + 0 + + True + + False + + + + 0 + True + True + + + + + 5 + False + True + + + + + + True + True + GTK_POLICY_ALWAYS + GTK_POLICY_ALWAYS + GTK_SHADOW_NONE + GTK_CORNER_TOP_LEFT + + + + True + True + True + False + False + True + False + False + False + + + + + 0 + True + True + + + + + False + True + + + + + + True + label44 + False + False + GTK_JUSTIFY_LEFT + False + False + 0.5 + 0.5 + 0 + 0 + PANGO_ELLIPSIZE_NONE + -1 + False + 0 + + + tab + + + + + True + True + + + + + + + 0 + True + True + + + + + + True + True + True + + + 0 + True + True + + + + + diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/system-config-selinux.py policycoreutils-2.0.25/gui/system-config-selinux.py --- nsapolicycoreutils/gui/system-config-selinux.py 1969-12-31 19:00:00.000000000 -0500 +++ policycoreutils-2.0.25/gui/system-config-selinux.py 2007-08-28 09:22:17.000000000 -0400 
@@ -0,0 +1,172 @@
+#!/usr/bin/python
+#
+# system-config-selinux.py - GUI for SELinux Config tool in system-config-selinux
+#
+# Dan Walsh
+#
+# Copyright 2006 Red Hat, Inc.
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+#
+import signal
+import string
+import gtk
+import gtk.glade
+import os
+import libxml2
+import gobject
+import gnome
+import sys
+import statusPage
+import booleansPage
+import loginsPage
+import usersPage
+import portsPage
+import modulesPage
+import fcontextPage
+import translationsPage
+import selinux
+##
+## I18N
+##
+PROGNAME="system-config-selinux"
+
+import gettext
+gettext.bindtextdomain(PROGNAME, "/usr/share/locale")
+gettext.textdomain(PROGNAME)
+try:
+ gettext.install(PROGNAME,
+ localedir="/usr/share/locale",
+ unicode=False,
+ codeset = 'utf-8')
+except IOError:
+ import __builtin__
+ __builtin__.__dict__['_'] = unicode
+
+gnome.program_init("SELinux Management Tool", "5")
+
+version = "1.0"
+
+sys.path.append('/usr/share/system-config-selinux')
+
+
+
+##
+## Pull in the Glade file
+##
+if os.access("system-config-selinux.glade", os.F_OK):
+ xml = gtk.glade.XML ("system-config-selinux.glade", domain=PROGNAME)
+else:
+ xml = gtk.glade.XML ("/usr/share/system-config-selinux/system-config-selinux.glade", domain=PROGNAME)
+
+class childWindow:
+ def __init__(self):
+ self.tabs=[]
+ self.xml = xml
+ xml.signal_connect("on_quit_activate", self.destroy)
+ xml.signal_connect("on_delete_clicked", self.delete)
+ xml.signal_connect("on_add_clicked", self.add)
+ xml.signal_connect("on_properties_clicked", self.properties)
+ self.add_page(statusPage.statusPage(xml))
+ if selinux.is_selinux_enabled() > 0:
+ self.add_page(booleansPage.booleansPage(xml))
+ self.add_page(fcontextPage.fcontextPage(xml))
+ self.add_page(loginsPage.loginsPage(xml))
+ self.add_page(usersPage.usersPage(xml))
+ self.add_page(translationsPage.translationsPage(xml))
+ self.add_page(portsPage.portsPage(xml))
+ self.add_page(modulesPage.modulesPage(xml)) # modules
+
+ xml.signal_connect("on_quit_activate", self.destroy)
+ xml.signal_connect("on_policy_activate", self.policy)
+ xml.signal_connect("on_logging_activate", self.logging)
+ xml.signal_connect("on_about_activate", self.on_about_activate)
+
+ self.add_menu = xml.get_widget("add_menu_item")
+ self.properties_menu = xml.get_widget("properties_menu_item")
+ self.delete_menu = xml.get_widget("delete_menu_item")
+
+ def add_page(self, page):
+ self.tabs.append(page)
+
+ def policy(self, args):
+ os.spawnl(os.P_NOWAIT, "/usr/share/system-config-selinux/semanagegui.py")
+ def logging(self, args):
+ os.spawnl(os.P_NOWAIT, "/usr/bin/seaudit")
+
+ def delete(self, args):
+ self.tabs[self.notebook.get_current_page()].deleteDialog()
+
+ def add(self, args):
+ self.tabs[self.notebook.get_current_page()].addDialog()
+
+ def properties(self, args):
+ self.tabs[self.notebook.get_current_page()].propertiesDialog()
+
+ def on_about_activate(self, args):
+ dlg = xml.get_widget ("aboutWindow")
+ dlg.run ()
+ dlg.hide ()
+
+ def destroy(self, args):
+ gtk.main_quit()
+
+ def use_menus(self, use_menus):
+ self.add_menu.set_sensitive(use_menus)
+ self.properties_menu.set_sensitive(use_menus)
+ self.delete_menu.set_sensitive(use_menus)
+
+ def itemSelected(self, selection):
+ store, rows = selection.get_selected_rows()
+ if store != None and len(rows) > 0:
+ self.notebook.set_current_page(rows[0][0])
+ self.use_menus(self.tabs[rows[0][0]].use_menus())
+ else:
+ self.notebook.set_current_page(0)
+ self.use_menus(self.tabs[0].use_menus())
+
+
+ def setupScreen(self):
+ # Bring in widgets from glade file.
+ self.mainWindow = self.xml.get_widget("mainWindow")
+ self.notebook = self.xml.get_widget("notebook")
+ self.view = self.xml.get_widget("selectView")
+ self.view.get_selection().connect("changed", self.itemSelected)
+ self.store = gtk.ListStore(gobject.TYPE_STRING)
+ self.view.set_model(self.store)
+ col = gtk.TreeViewColumn("", gtk.CellRendererText(), text = 0)
+ col.set_resizable(True)
+ self.view.append_column(col)
+
+ for page in self.tabs:
+ iter = self.store.append()
+ self.store.set_value(iter, 0, page.get_description())
+ self.view.get_selection().select_path ((0,))
+
+ def stand_alone(self):
+ desktopName = _("Configue SELinux")
+
+ self.setupScreen()
+
+ self.mainWindow.connect("destroy", self.destroy)
+
+ self.mainWindow.show_all()
+ gtk.main()
+
+if __name__ == "__main__":
+ signal.signal (signal.SIGINT, signal.SIG_DFL)
+
+ app = childWindow()
+ app.stand_alone()
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/executable.py policycoreutils-2.0.25/gui/templates/executable.py
--- nsapolicycoreutils/gui/templates/executable.py 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-2.0.25/gui/templates/executable.py 2007-08-28 09:22:17.000000000 -0400
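Review bot: The `os.spawnl` calls in `policy` and `logging` pass nothing after the path, so the child is started with an empty argv; on CPython 2 `execv` rejects an empty argument list, the forked child exits 127, and neither program appears while no error reaches the user. The conventional form supplies the program name as argv[0]: `os.spawnl(os.P_NOWAIT, "/usr/share/system-config-selinux/semanagegui.py", "semanagegui.py")` and `os.spawnl(os.P_NOWAIT, "/usr/bin/seaudit", "seaudit")`. The module-level glade lookup prefers a `system-config-selinux.glade` in the current working directory over the installed copy, so an administration tool that is normally run with privilege takes its UI definition, signal-handler bindings included, from whatever directory it happens to be launched in; resolving the development path against `os.path.dirname(__file__)` keeps the convenience without depending on the cwd. `on_quit_activate` is connected to `destroy` twice in `__init__`, and `desktopName` in `stand_alone` (with the typo "Configue") is assigned but never used.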
@@ -0,0 +1,153 @@
+# Copyright (C) 2007 Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# policygentool is a tool for the initial generation of SELinux policy
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation; either version 2 of
+# the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
+# 02111-1307 USA
+#
+#
+########################### Type Enforcement File #############################
+te_daemon_types="""\
+policy_module(TEMPLATETYPE,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type TEMPLATETYPE_t;
+type TEMPLATETYPE_exec_t;
+domain_type(TEMPLATETYPE_t)
+init_daemon_domain(TEMPLATETYPE_t, TEMPLATETYPE_exec_t)
+"""
+
+te_inetd_types="""\
+policy_module(TEMPLATETYPE,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type TEMPLATETYPE_t;
+type TEMPLATETYPE_exec_t;
+inetd_service_domain(TEMPLATETYPE_t, TEMPLATETYPE_exec_t)
+"""
+
+te_userapp_types="""\
+policy_module(TEMPLATETYPE,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type TEMPLATETYPE_exec_t;
+corecmd_executable_file(TEMPLATETYPE_exec_t)
+"""
+
+te_cgi_types="""\
+policy_module(TEMPLATETYPE,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+apache_content_template(TEMPLATETYPE)
+"""
+
+te_daemon_rules="""
+########################################
+#
+# TEMPLATETYPE local policy
+#
+
+# Init script handling
+domain_use_interactive_fds(TEMPLATETYPE_t)
+
+## internal communication is often done using fifo and unix sockets.
+allow TEMPLATETYPE_t self:fifo_file rw_file_perms;
+allow TEMPLATETYPE_t self:unix_stream_socket create_stream_socket_perms;
+
+files_read_etc_files(TEMPLATETYPE_t)
+
+libs_use_ld_so(TEMPLATETYPE_t)
+libs_use_shared_libs(TEMPLATETYPE_t)
+
+miscfiles_read_localization(TEMPLATETYPE_t)
+
+ifdef(`targeted_policy',`
+ term_dontaudit_use_unallocated_ttys(TEMPLATETYPE_t)
+ term_dontaudit_use_generic_ptys(TEMPLATETYPE_t)
+')
+
+"""
+
+te_inetd_rules="""
+"""
+
+te_userapp_rules="""
+"""
+
+te_cgi_rules="""
+"""
+
+te_uid_rules="""
+auth_use_nsswitch(TEMPLATETYPE_t)
+"""
+
+te_syslog_rules="""
+logging_send_syslog_msg(TEMPLATETYPE_t)
+"""
+
+te_pam_rules="""
+auth_domtrans_chk_passwd(TEMPLATETYPE_t)
+"""
+
+########################### Interface File #############################
+if_rules="""
+## policy for TEMPLATETYPE
+
+########################################
+##
+## Execute a domain transition to run TEMPLATETYPE.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`TEMPLATETYPE_domtrans',`
+ gen_require(`
+ type TEMPLATETYPE_t, TEMPLATETYPE_exec_t;
+ ')
+
+ domain_auto_trans($1,TEMPLATETYPE_exec_t,TEMPLATETYPE_t)
+
+ allow TEMPLATETYPE_t $1:fd use;
+ allow TEMPLATETYPE_t $1:fifo_file rw_file_perms;
+ allow TEMPLATETYPE_t $1:process sigchld;
+')
+"""
+
+########################### File Context ##################################
+fc_file="""\
+
+EXECUTABLE -- gen_context(system_u:object_r:TEMPLATETYPE_exec_t,s0)
+"""
+
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/__init__.py policycoreutils-2.0.25/gui/templates/__init__.py
--- nsapolicycoreutils/gui/templates/__init__.py 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-2.0.25/gui/templates/__init__.py 2007-08-28 09:22:17.000000000 -0400
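Review bot: `fc_file` drops `EXECUTABLE` straight into a file_contexts entry, and file_contexts paths are matched as regular expressions, so a path containing `.`, `+` or similar metacharacters labels more files as `TEMPLATETYPE_exec_t` than the author intended; nothing in this module says whether the substituting code (outside this hunk) escapes the value. A module docstring stating the substitution contract would make that explicit, e.g. `# TEMPLATETYPE is replaced by the module name; EXECUTABLE is inserted verbatim into a file_contexts regex, so the caller must escape regex metacharacters in the path.` Separately, `te_userapp_types` declares only `TEMPLATETYPE_exec_t`, whereas `te_daemon_rules`, `te_uid_rules`, `te_syslog_rules` and `te_pam_rules` all reference `TEMPLATETYPE_t`; if the generator can pair the userapp type template with any of those rule templates, the emitted policy references an undeclared type, so either declare it there or document which combinations are valid. The refpolicy XML doc tags in the `if_rules` interface header also appear to be missing, though that may be an artifact of how this diff was rendered.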
@@ -0,0 +1,18 @@
+#
+# Copyright (C) 2007 Red Hat, Inc.
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+#
+
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/network.py policycoreutils-2.0.25/gui/templates/network.py
--- nsapolicycoreutils/gui/templates/network.py 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-2.0.25/gui/templates/network.py 2007-08-28 10:02:33.000000000 -0400
@@ -0,0 +1,80 @@
+te_port_types="""
+type TEMPLATETYPE_port_t;
+corenet_port(TEMPLATETYPE_port_t)
+"""
+
+te_network="""\
+sysnet_dns_name_resolve(TEMPLATETYPE_t)
+corenet_all_recvfrom_unlabeled(TEMPLATETYPE_t)
+"""
+
+te_tcp="""\
+allow TEMPLATETYPE_t self:tcp_socket create_stream_socket_perms;
+corenet_tcp_sendrecv_all_if(TEMPLATETYPE_t)
+corenet_tcp_sendrecv_all_nodes(TEMPLATETYPE_t)
+corenet_tcp_sendrecv_all_ports(TEMPLATETYPE_t)
+"""
+
+te_in_tcp="""\
+corenet_tcp_bind_all_nodes(TEMPLATETYPE_t)
+"""
+
+te_in_need_port_tcp="""\
+allow TEMPLATETYPE_t TEMPLATETYPE_port_t:tcp_socket name_bind;
+"""
+
+te_out_need_port_tcp="""\
+allow TEMPLATETYPE_t TEMPLATETYPE_port_t:tcp_socket name_connect;
+"""
+
+te_udp="""\
+allow TEMPLATETYPE_t self:udp_socket { create_socket_perms listen };
+corenet_udp_sendrecv_all_if(TEMPLATETYPE_t)
+corenet_udp_sendrecv_all_nodes(TEMPLATETYPE_t)
+corenet_udp_sendrecv_all_ports(TEMPLATETYPE_t)
+"""
+
+te_in_udp="""\
+corenet_udp_bind_all_nodes(TEMPLATETYPE_t)
+"""
+
+te_in_need_port_udp="""\
+allow TEMPLATETYPE_t TEMPLATETYPE_port_t:udp_socket name_bind;
+"""
+
+te_out_all_ports_tcp="""\
+corenet_tcp_connect_all_ports(TEMPLATETYPE_t)
+"""
+
+te_out_reserved_ports_tcp="""\
+corenet_tcp_connect_all_rpc_ports(TEMPLATETYPE_t)
+"""
+
+te_out_unreserved_ports_tcp="""\
+corenet_tcp_connect_all_unreserved_ports(TEMPLATETYPE_t)
+"""
+
+te_in_all_ports_tcp="""\
+corenet_tcp_bind_all_ports(TEMPLATETYPE_t)
+"""
+
+te_in_reserved_ports_tcp="""\
+corenet_tcp_bind_all_rpc_ports(TEMPLATETYPE_t)
+"""
+
+te_in_unreserved_ports_tcp="""\
+corenet_tcp_bind_all_unreserved_ports(TEMPLATETYPE_t)
+"""
+
+te_in_all_ports_udp="""\
+corenet_udp_bind_all_ports(TEMPLATETYPE_t)
+"""
+
+te_in_reserved_ports_udp="""\
+corenet_udp_bind_all_rpc_ports(TEMPLATETYPE_t)
+"""
+
+te_in_unreserved_ports_udp="""\
+corenet_udp_bind_all_unreserved_ports(TEMPLATETYPE_t)
+"""
+
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/rw.py
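Review bot: The three "reserved ports" fragments (`te_out_reserved_ports_tcp`, `te_in_reserved_ports_tcp`, `te_in_reserved_ports_udp`) expand to the `corenet_*_all_rpc_ports` interfaces, so what the GUI presents as the privileged port range is really the reference policy's rpc_port_type set; if that attribute covers only part of 1-1023 (as I recall it does), the generated policy is narrower than the fragment name advertises and the daemon's bind or connect is denied with no hint why. Please confirm against the installed corenetwork.if and either switch to the reserved-port interfaces or rename the fragments `*_rpc_ports_*` so the .te reads as what it grants. Separately, `te_tcp` and `te_udp` always grant sendrecv on all interfaces, nodes and ports, so the `*_need_port_*` fragments only constrain name_bind/name_connect; a comment above `te_tcp` such as `# sendrecv on every port is always granted; the *_need_port_* fragments only restrict bind/connect` would stop a maintainer from reading them as alternatives.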
policycoreutils-2.0.25/gui/templates/rw.py
--- nsapolicycoreutils/gui/templates/rw.py 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-2.0.25/gui/templates/rw.py 2007-08-28 09:22:17.000000000 -0400
@@ -0,0 +1,104 @@ +# Copyright (C) 2007 Red Hat +# see file 'COPYING' for use and warranty information +# +# policygentool is a tool for the initial generation of SELinux policy +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License as +# published by the Free Software Foundation; either version 2 of +# the License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA +# 02111-1307 USA +# +# + +########################### tmp Template File ############################# +te_types=""" +type TEMPLATETYPE_rw_t; +files_type(TEMPLATETYPE_rw_t) +""" + +te_rules=""" +allow TEMPLATETYPE_t TEMPLATETYPE_rw_t:file manage_file_perms; +allow TEMPLATETYPE_t TEMPLATETYPE_rw_t:dir create_dir_perms; +files_pid_filetrans(TEMPLATETYPE_t,TEMPLATETYPE_rw_t, { file dir }) +""" + +########################### Interface File ############################# +if_rules=""" +######################################## +## +## Search TEMPLATETYPE rw directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`TEMPLATETYPE_search_rw_dir',` + gen_require(` + type TEMPLATETYPE_rw_t; + ') + + allow $1 TEMPLATETYPE_rw_t:dir search_dir_perms; + files_search_rw($1) +') + +######################################## +## +## Read TEMPLATETYPE rw files. +## +## +## +## Domain allowed access. 
+## +## +# +interface(`TEMPLATETYPE_read_rw_files',` + gen_require(` + type TEMPLATETYPE_rw_t; + ') + + allow $1 TEMPLATETYPE_rw_t:file r_file_perms; + allow $1 TEMPLATETYPE_rw_t:dir list_dir_perms; + files_search_rw($1) +') + +######################################## +## +## Create, read, write, and delete +## TEMPLATETYPE rw files. +## +## +## +## Domain allowed access. +## +## +# +interface(`TEMPLATETYPE_manage_rw_files',` + gen_require(` + type TEMPLATETYPE_rw_t; + ') + + allow $1 TEMPLATETYPE_rw_t:file manage_file_perms; + allow $1 TEMPLATETYPE_rw_t:dir rw_dir_perms; +') +""" + +########################### File Context ################################## +fc_file=""" +FILENAME -- gen_context(system_u:object_r:TEMPLATETYPE_rw_t,s0) +""" + +fc_dir=""" +FILENAME(/.*)? gen_context(system_u:object_r:TEMPLATETYPE_rw_t,s0) +""" diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/script.py policycoreutils-2.0.25/gui/templates/script.py --- nsapolicycoreutils/gui/templates/script.py 1969-12-31 19:00:00.000000000 -0500 +++ policycoreutils-2.0.25/gui/templates/script.py 2007-08-28 09:22:17.000000000 -0400 
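Review bot: `files_pid_filetrans(TEMPLATETYPE_t,TEMPLATETYPE_rw_t, { file dir })` in `te_rules` looks carried over from the var_run template: it makes every file or directory the domain creates directly in a var_run_t directory come out labelled TEMPLATETYPE_rw_t, which is not what a generic read/write location needs and also takes the label away from the domain's real pid files. For an arbitrary rw path the parent type is unknown to the template, so either drop the filetrans and rely on the `fc_file`/`fc_dir` contexts plus restorecon, or make the parent type a template parameter. I also could not find a `files_search_rw` interface in the reference policy's files module (called from `TEMPLATETYPE_search_rw_dir` and `TEMPLATETYPE_read_rw_files`); if it does not exist the generated .if fails at module build, so please confirm, and `TEMPLATETYPE_manage_rw_files` is the only one of the three without that search call. The `tmp Template File` banner is a leftover from tmp.py and should read `rw Template File`.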
@@ -0,0 +1,42 @@
+# Copyright (C) 2007 Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# policygentool is a tool for the initial generation of SELinux policy
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation; either version 2 of
+# the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
+# 02111-1307 USA
+#
+#
+
+########################### tmp Template File #############################
+compile="""
+#!/bin/sh
+make -f /usr/share/selinux/devel/Makefile
+/usr/sbin/semodule -i PACKAGEFILENAME.pp
+
+"""
+
+restorecon="""\
+/sbin/restorecon -F -R -v FILENAME
+"""
+
+tcp_ports="""\
+/usr/sbin/semanage port -a -t TEMPLATETYPE_port_t -p tcp PORTNUM
+"""
+
+udp_ports="""\
+/usr/sbin/semanage port -a -t TEMPLATETYPE_port_t -p udp PORTNUM
+"""
+
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/script.py policycoreutils-2.0.25/gui/templates/semodule.py
--- nsapolicycoreutils/gui/templates/semodule.py 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-2.0.25/gui/templates/semodule.py 2007-08-28 09:22:17.000000000 -0400
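Review bot: The generated install script in `compile` has no error handling between the two steps: `make -f /usr/share/selinux/devel/Makefile` is followed unconditionally by `/usr/sbin/semodule -i PACKAGEFILENAME.pp`, so when the build fails a stale .pp from an earlier run (possibly a different, more permissive policy) is loaded into the kernel and nothing reports it. Add `set -e` right after the shebang, or join the two lines with `&&`. The string also opens with `compile="""` and a newline (unlike `restorecon="""\` below it), so `#!/bin/sh` lands on line 2 of the emitted file and is not honoured as an interpreter line; use `"""\` here as well. Finally `FILENAME` and `PORTNUM` are substituted unquoted into shell command lines; at least the `restorecon -F -R -v` target should be emitted as `"FILENAME"` so a path containing whitespace is not split into several arguments for a recursive, forced relabel.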
@@ -0,0 +1,41 @@
+# Copyright (C) 2007 Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# policygentool is a tool for the initial generation of SELinux policy
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation; either version 2 of
+# the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
+# 02111-1307 USA
+#
+#
+
+########################### tmp Template File #############################
+compile="""
+#!/bin/sh
+make -f /usr/share/selinux/devel/Makefile
+semodule -i TEMPLATETYPE.pp
+"""
+
+restorecon="""
+restorecon -R -v FILENAME
+"""
+
+tcp_ports="""
+semanage ports -a -t TEMPLATETYPE_port_t -p tcp PORTNUM
+"""
+
+udp_ports="""
+semanage ports -a -t TEMPLATETYPE_port_t -p udp PORTNUM
+"""
+
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/tmp.py policycoreutils-2.0.25/gui/templates/tmp.py
--- nsapolicycoreutils/gui/templates/tmp.py 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-2.0.25/gui/templates/tmp.py 2007-08-28 09:22:17.000000000 -0400
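Review bot: `semanage ports -a -t TEMPLATETYPE_port_t -p tcp PORTNUM` (and the udp twin) uses an object name that, as far as I can tell, the semanage tool does not accept; script.py in this same patch spells it `semanage port -a ...`, and the two files are otherwise near-duplicates with this one relying on PATH where script.py uses absolute paths. If semodule.py is still imported anywhere, its port-labelling step fails at run time, the TEMPLATETYPE_port_t type declared in the policy is never attached to a port, and the daemon's name_bind on its chosen port is denied. Either delete this module or bring its four commands in line with script.py. Its `compile` string has the same defects as script.py's: `compile="""` puts a blank line ahead of `#!/bin/sh`, and nothing stops `semodule -i TEMPLATETYPE.pp` from loading a stale module when `make` fails, so add `set -e` (or `&&`) there too.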
@@ -0,0 +1,72 @@ +# Copyright (C) 2007 Red Hat +# see file 'COPYING' for use and warranty information +# +# policygentool is a tool for the initial generation of SELinux policy +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License as +# published by the Free Software Foundation; either version 2 of +# the License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA +# 02111-1307 USA +# +# +########################### tmp Template File ############################# + +te_types=""" +type TEMPLATETYPE_tmp_t; +files_tmp_file(TEMPLATETYPE_tmp_t) +""" + +te_rules=""" +allow TEMPLATETYPE_t TEMPLATETYPE_tmp_t:file manage_file_perms; +allow TEMPLATETYPE_t TEMPLATETYPE_tmp_t:dir create_dir_perms; +files_pid_filetrans(TEMPLATETYPE_t,TEMPLATETYPE_tmp_t, { file dir }) +""" + +if_rules=""" +######################################## +## +## Do not audit attempts to read, +## TEMPLATETYPE tmp files +## +## +## +## Domain to not audit. +## +## +# +interface(`TEMPLATETYPE_dontaudit_read_tmp_files',` + gen_require(` + type TEMPLATETYPE_tmp_t; + ') + + dontaudit $1 TEMPLATETYPE_tmp_t:file r_file_perms; +') + +######################################## +## +## Allow domain to read, TEMPLATETYPE tmp files +## +## +## +## Domain to not audit. 
+## +## +# +interface(`TEMPLATETYPE_read_tmp_files',` + gen_require(` + type TEMPLATETYPE_tmp_t; + ') + + dontaudit $1 TEMPLATETYPE_tmp_t:file r_file_perms; +') +""" diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/user.py policycoreutils-2.0.25/gui/templates/user.py --- nsapolicycoreutils/gui/templates/user.py 1969-12-31 19:00:00.000000000 -0500 +++ policycoreutils-2.0.25/gui/templates/user.py 2007-08-28 10:02:19.000000000 -0400 
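Review bot: `TEMPLATETYPE_read_tmp_files` emits `dontaudit $1 TEMPLATETYPE_tmp_t:file r_file_perms;`, the same rule as the dontaudit interface directly above it, so a caller expecting read access is granted nothing and the resulting denials are also hidden from the audit log, which is the hardest combination to diagnose. The body should be `allow $1 TEMPLATETYPE_tmp_t:file r_file_perms;` and the parameter text `## Domain allowed access.` rather than `Domain to not audit`. In `te_rules`, `files_pid_filetrans(TEMPLATETYPE_t,TEMPLATETYPE_tmp_t, { file dir })` transitions objects created in var_run_t directories, not in /tmp; for a type declared with `files_tmp_file` it should be `files_tmp_filetrans(TEMPLATETYPE_t,TEMPLATETYPE_tmp_t, { file dir })`, otherwise what the daemon creates in /tmp stays tmp_t and none of the TEMPLATETYPE_tmp_t rules ever apply.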
@@ -0,0 +1,89 @@ +# Copyright (C) 2007 Red Hat +# see file 'COPYING' for use and warranty information +# +# policygentool is a tool for the initial generation of SELinux policy +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License as +# published by the Free Software Foundation; either version 2 of +# the License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA +# 02111-1307 USA +# +# +########################### Type Enforcement File ############################# +te_login_user_types="""\ +policy_module(TEMPLATETYPE,1.0.0) + +######################################## +# +# Declarations +# + +userdom_unpriv_login_user(TEMPLATETYPE) +""" + +te_x_login_user_types="""\ +policy_module(TEMPLATETYPE,1.0.0) + +######################################## +# +# Declarations +# + +userdom_unpriv_xwindows_login_user(TEMPLATETYPE) +""" + +te_root_user_types="""\ + +policy_module(TEMPLATETYPE,1.0.0) + +######################################## +# +# Declarations +# + +userdom_base_user_template(TEMPLATETYPE) +""" + +te_login_user_rules="""\ + +######################################## +# +# TEMPLATETYPE local policy +# + +""" + +te_x_login_user_rules="""\ + +######################################## +# +# TEMPLATETYPE local policy +# + +""" + +te_root_user_rules="""\ + +######################################## +# +# TEMPLATETYPE local policy +# + +""" + +te_transition_rules=""" +optional_policy(` + APPLICATION_per_role_template(TEMPLATETYPE,TEMPLATETYPE_t,TEMPLATETYPE_r) +') +""" + 
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/var_lib.py policycoreutils-2.0.25/gui/templates/var_lib.py
--- nsapolicycoreutils/gui/templates/var_lib.py 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-2.0.25/gui/templates/var_lib.py 2007-08-28 09:22:17.000000000 -0400
@@ -0,0 +1,137 @@ +# Copyright (C) 2007 Red Hat +# see file 'COPYING' for use and warranty information +# +# policygentool is a tool for the initial generation of SELinux policy +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License as +# published by the Free Software Foundation; either version 2 of +# the License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA +# 02111-1307 USA +# +# +########################### var_lib Template File ############################# + +########################### Type Enforcement File ############################# +te_types=""" +type TEMPLATETYPE_var_lib_t; +files_type(TEMPLATETYPE_var_lib_t) +""" +te_rules=""" +allow TEMPLATETYPE_t TEMPLATETYPE_var_lib_t:file manage_file_perms; +allow TEMPLATETYPE_t TEMPLATETYPE_var_lib_t:dir manage_dir_perms; +files_var_lib_filetrans(TEMPLATETYPE_t,TEMPLATETYPE_var_lib_t, { file dir }) +""" + +te_stream_rules="""\ +allow TEMPLATETYPE_t TEMPLATETYPE_var_lib_t:sock_file manage_file_perms; +files_pid_filetrans(TEMPLATETYPE_t,TEMPLATETYPE_var_lib_t, sock_file) +""" + + +########################### Interface File ############################# +if_rules=""" +######################################## +## +## Search TEMPLATETYPE lib directories. +## +## +## +## Domain allowed access. 
+## +## +# +interface(`TEMPLATETYPE_search_lib',` + gen_require(` + type TEMPLATETYPE_var_lib_t; + ') + + allow $1 TEMPLATETYPE_var_lib_t:dir search_dir_perms; + files_search_var_lib($1) +') + +######################################## +## +## Read TEMPLATETYPE lib files. +## +## +## +## Domain allowed access. +## +## +# +interface(`TEMPLATETYPE_read_lib_files',` + gen_require(` + type TEMPLATETYPE_var_lib_t; + ') + + allow $1 TEMPLATETYPE_var_lib_t:file r_file_perms; + allow $1 TEMPLATETYPE_var_lib_t:dir list_dir_perms; + files_search_var_lib($1) +') + +######################################## +## +## Create, read, write, and delete +## TEMPLATETYPE lib files. +## +## +## +## Domain allowed access. +## +## +# +interface(`TEMPLATETYPE_manage_lib_files',` + gen_require(` + type TEMPLATETYPE_var_lib_t; + ') + + allow $1 TEMPLATETYPE_var_lib_t:file manage_file_perms; + allow $1 TEMPLATETYPE_var_lib_t:dir rw_dir_perms; + files_search_var_lib($1) +') +""" + +if_stream_rules=""" +######################################## +## +## Connect to TEMPLATETYPE over an unix stream socket. +## +## +## +## Domain allowed access. +## +## +# +interface(`TEMPLATETYPE_stream_connect',` + gen_require(` + type TEMPLATETYPE_t, TEMPLATETYPE_var_lib_t; + ') + + files_search_pids($1) + allow $1 TEMPLATETYPE_var_lib_t:sock_file write; + allow $1 TEMPLATETYPE_t:unix_stream_socket connectto; +') +""" + +########################### File Context ################################## +fc_file="""\ +FILENAME -- gen_context(system_u:object_r:TEMPLATETYPE_var_lib_t,s0) +""" + +fc_sock_file="""\ +FILENAME -s gen_context(system_u:object_r:TEMPLATETYPE_var_lib_t,s0) +""" + +fc_dir="""\ +FILENAME(/.*)? 
gen_context(system_u:object_r:TEMPLATETYPE_var_lib_t,s0) +""" diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/var_log.py policycoreutils-2.0.25/gui/templates/var_log.py --- nsapolicycoreutils/gui/templates/var_log.py 1969-12-31 19:00:00.000000000 -0500 +++ policycoreutils-2.0.25/gui/templates/var_log.py 2007-08-28 09:22:17.000000000 -0400 
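Review bot: `TEMPLATETYPE_stream_connect` in `if_stream_rules` calls `files_search_pids($1)` and `te_stream_rules` uses `files_pid_filetrans(TEMPLATETYPE_t,TEMPLATETYPE_var_lib_t, sock_file)`, both evidently copied from the var_run template, while the socket in this template is labelled TEMPLATETYPE_var_lib_t under /var/lib: the client is given search on /var/run, which does not get it to /var/lib, and a socket the daemon creates under var_lib_t is not transitioned to the var_lib type at all. Change them to `files_search_var_lib($1)` and `files_var_lib_filetrans(TEMPLATETYPE_t,TEMPLATETYPE_var_lib_t, sock_file)`, consistent with `te_rules` above. If the socket lives in a dedicated directory labelled by `fc_dir`, the interface also needs `allow $1 TEMPLATETYPE_var_lib_t:dir search_dir_perms;`, otherwise the connect is denied at directory traversal before the sock_file write is ever checked.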
@@ -0,0 +1,89 @@ +# Copyright (C) 2007 Red Hat +# see file 'COPYING' for use and warranty information +# +# policygentool is a tool for the initial generation of SELinux policy +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License as +# published by the Free Software Foundation; either version 2 of +# the License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA +# 02111-1307 USA +# +# +########################### var_log Template File ############################# + +########################### Type Enforcement File ############################# +te_types=""" +type TEMPLATETYPE_log_t; +logging_log_file(TEMPLATETYPE_log_t) +""" + +te_rules=""" +allow TEMPLATETYPE_t TEMPLATETYPE_log_t:file manage_file_perms; +allow TEMPLATETYPE_t TEMPLATETYPE_log_t:dir { rw_dir_perms setattr }; +logging_log_filetrans(TEMPLATETYPE_t,TEMPLATETYPE_log_t,{ file dir }) +""" + +########################### Interface File ############################# +if_rules=""" +######################################## +## +## Allow the specified domain to read TEMPLATETYPE's log files. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`TEMPLATETYPE_read_log',` + gen_require(` + type TEMPLATETYPE_log_t; + ') + + logging_search_logs($1) + allow $1 TEMPLATETYPE_log_t:dir r_dir_perms; + allow $1 TEMPLATETYPE_log_t:file { read getattr lock }; +') + +######################################## +## +## Allow the specified domain to append +## TEMPLATETYPE log files. 
+## +## +## +## Domain allowed to transition. +## +## +# +interface(`TEMPLATETYPE_append_log',` + gen_require(` + type var_log_t, TEMPLATETYPE_log_t; + ') + + logging_search_logs($1) + allow $1 TEMPLATETYPE_log_t:dir r_dir_perms; + allow $1 TEMPLATETYPE_log_t:file { getattr append }; +') + +""" + +########################### File Context ################################## +fc_file="""\ +FILENAME -- gen_context(system_u:object_r:TEMPLATETYPE_log_t,s0) +""" + +fc_dir="""\ +FILENAME(/.*)? gen_context(system_u:object_r:TEMPLATETYPE_log_t,s0) +""" diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/var_run.py policycoreutils-2.0.25/gui/templates/var_run.py --- nsapolicycoreutils/gui/templates/var_run.py 1969-12-31 19:00:00.000000000 -0500 +++ policycoreutils-2.0.25/gui/templates/var_run.py 2007-08-28 09:22:17.000000000 -0400 
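Review bot: `TEMPLATETYPE_append_log` requires `type var_log_t` in its `gen_require` but never references it, and its parameter is documented as `Domain allowed to transition.` although nothing transitions; both read as copy-paste, so drop `var_log_t` from the require (the `logging_search_logs($1)` call already handles /var/log traversal) and change the description to `Domain allowed access.`. A smaller consistency point: `TEMPLATETYPE_read_log` hand-writes `file { read getattr lock }` where the sibling read interfaces in rw.py, var_lib.py and var_spool.py use `r_file_perms`; using the macro here keeps the generated interfaces uniform and picks up whatever the target reference policy puts in the read set.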
@@ -0,0 +1,95 @@ +# Copyright (C) 2007 Red Hat +# see file 'COPYING' for use and warranty information +# +# policygentool is a tool for the initial generation of SELinux policy +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License as +# published by the Free Software Foundation; either version 2 of +# the License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA +# 02111-1307 USA +# +# +########################### var_run Template File ############################# + +te_types=""" +type TEMPLATETYPE_var_run_t; +files_pid_file(TEMPLATETYPE_var_run_t) +""" + +te_rules=""" +allow TEMPLATETYPE_t TEMPLATETYPE_var_run_t:file manage_file_perms; +allow TEMPLATETYPE_t TEMPLATETYPE_var_run_t:dir manage_dir_perms; +files_pid_filetrans(TEMPLATETYPE_t,TEMPLATETYPE_var_run_t, { file dir }) +""" + +te_stream_rules=""" +allow TEMPLATETYPE_t TEMPLATETYPE_var_run_t:sock_file manage_file_perms; +files_pid_filetrans(TEMPLATETYPE_t,TEMPLATETYPE_var_run_t, sock_file) +""" + +if_rules=""" +######################################## +## +## Read TEMPLATETYPE PID files. +## +## +## +## Domain allowed access. +## +## +# +interface(`TEMPLATETYPE_read_pid_files',` + gen_require(` + type TEMPLATETYPE_var_run_t; + ') + + files_search_pids($1) + allow $1 TEMPLATETYPE_var_run_t:file r_file_perms; +') + +""" + +if_stream_rules="""\ +######################################## +## +## Connect to TEMPLATETYPE over an unix stream socket. +## +## +## +## Domain allowed access. 
+## +## +# +interface(`TEMPLATETYPE_stream_connect',` + gen_require(` + type TEMPLATETYPE_t, TEMPLATETYPE_var_run_t; + ') + + files_search_pids($1) + allow $1 TEMPLATETYPE_var_run_t:sock_file write; + allow $1 TEMPLATETYPE_t:unix_stream_socket connectto; +') +""" + +fc_file="""\ +FILENAME -- gen_context(system_u:object_r:TEMPLATETYPE_var_run_t,s0) +""" + +fc_sock_file="""\ +FILENAME -s gen_context(system_u:object_r:TEMPLATETYPE_var_run_t,s0) +""" + +fc_dir="""\ +FILENAME(/.*)? gen_context(system_u:object_r:TEMPLATETYPE_var_run_t,s0) +""" + diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/var_spool.py policycoreutils-2.0.25/gui/templates/var_spool.py --- nsapolicycoreutils/gui/templates/var_spool.py 1969-12-31 19:00:00.000000000 -0500 +++ policycoreutils-2.0.25/gui/templates/var_spool.py 2007-08-28 09:22:17.000000000 -0400 
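Review bot: `TEMPLATETYPE_read_pid_files` grants `r_file_perms` on the pid file but nothing on TEMPLATETYPE_var_run_t directories, whereas the parallel `TEMPLATETYPE_read_lib_files` in var_lib.py also grants `dir list_dir_perms`; since `fc_dir` in this template labels a whole directory with the same type, a pid file kept in /var/run/<app>/ cannot be reached through this interface because search on the subdirectory is denied. Add `allow $1 TEMPLATETYPE_var_run_t:dir search_dir_perms;` ahead of the file rule, and the same line in `TEMPLATETYPE_stream_connect` for a socket placed in that directory. The interface docstring could say explicitly that it covers both the bare /var/run/<app>.pid layout and the per-application subdirectory layout once that rule is in.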
@@ -0,0 +1,105 @@ +# Copyright (C) 2007 Red Hat +# see file 'COPYING' for use and warranty information +# +# policygentool is a tool for the initial generation of SELinux policy +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License as +# published by the Free Software Foundation; either version 2 of +# the License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA +# 02111-1307 USA +# +# +########################### var_spool Template File ############################# + +########################### Type Enforcement File ############################# +te_types=""" +type TEMPLATETYPE_spool_t; +files_type(TEMPLATETYPE_spool_t) +""" +te_rules=""" +allow TEMPLATETYPE_t TEMPLATETYPE_spool_t:dir manage_dir_perms; +allow TEMPLATETYPE_t TEMPLATETYPE_spool_t:file manage_file_perms; +allow TEMPLATETYPE_t TEMPLATETYPE_spool_t:sock_file create_file_perms; +files_spool_filetrans(TEMPLATETYPE_t,TEMPLATETYPE_spool_t, { file dir sock_file }) +""" + +########################### Interface File ############################# +if_rules=""" +######################################## +## +## Search TEMPLATETYPE spool directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`TEMPLATETYPE_search_spool',` + gen_require(` + type TEMPLATETYPE_spool_t; + ') + + allow $1 TEMPLATETYPE_spool_t:dir search_dir_perms; + files_search_spool($1) +') + +######################################## +## +## Read TEMPLATETYPE spool files. +## +## +## +## Domain allowed access. 
+## +## +# +interface(`TEMPLATETYPE_read_spool_files',` + gen_require(` + type TEMPLATETYPE_spool_t; + ') + + allow $1 TEMPLATETYPE_spool_t:file r_file_perms; + allow $1 TEMPLATETYPE_spool_t:dir list_dir_perms; + files_search_spool($1) +') + +######################################## +## +## Create, read, write, and delete +## TEMPLATETYPE spool files. +## +## +## +## Domain allowed access. +## +## +# +interface(`TEMPLATETYPE_manage_spool_files',` + gen_require(` + type TEMPLATETYPE_spool_t; + ') + + allow $1 TEMPLATETYPE_spool_t:file manage_file_perms; + allow $1 TEMPLATETYPE_spool_t:dir rw_dir_perms; + files_search_spool($1) +') +""" +########################### File Context ################################## +fc_file="""\ +FILENAME -- gen_context(system_u:object_r:TEMPLATETYPE_spool_t,s0) +""" + +fc_dir="""\ +FILENAME(/.*)? gen_context(system_u:object_r:TEMPLATETYPE_spool_t,s0) +""" diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/translationsPage.py policycoreutils-2.0.25/gui/translationsPage.py --- nsapolicycoreutils/gui/translationsPage.py 1969-12-31 19:00:00.000000000 -0500 +++ policycoreutils-2.0.25/gui/translationsPage.py 2007-08-28 09:22:17.000000000 -0400 
@@ -0,0 +1,119 @@ +## translationsPage.py - show selinux translations +## Copyright (C) 2006 Red Hat, Inc. + +## This program is free software; you can redistribute it and/or modify +## it under the terms of the GNU General Public License as published by +## the Free Software Foundation; either version 2 of the License, or +## (at your option) any later version. + +## This program is distributed in the hope that it will be useful, +## but WITHOUT ANY WARRANTY; without even the implied warranty of +## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +## GNU General Public License for more details. + +## You should have received a copy of the GNU General Public License +## along with this program; if not, write to the Free Software +## Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. + +## Author: Dan Walsh +import string +import gtk +import gtk.glade +import os +import libxml2 +import gobject +import sys +import seobject +from semanagePage import *; + +## +## I18N +## +PROGNAME="policycoreutils" +import gettext +gettext.bindtextdomain(PROGNAME, "/usr/share/locale") +gettext.textdomain(PROGNAME) +try: + gettext.install(PROGNAME, localedir="/usr/share/locale", unicode=1) +except IOError: + import __builtin__ + __builtin__.__dict__['_'] = unicode + +class translationsPage(semanagePage): + def __init__(self, xml): + semanagePage.__init__(self, xml, "translations", _("Translation")) + self.firstTime = False + + self.translation_filter = xml.get_widget("translationsFilterEntry") + self.translation_filter.connect("focus_out_event", self.filter_changed) + self.translation_filter.connect("activate", self.filter_changed) + + self.store = gtk.ListStore(gobject.TYPE_STRING, gobject.TYPE_STRING) + self.view.set_model(self.store) + self.store.set_sort_column_id(0, gtk.SORT_ASCENDING) + col = gtk.TreeViewColumn(_("Sensitvity Level"), gtk.CellRendererText(), text = 0) + col.set_sort_column_id(0) + col.set_sizing(gtk.TREE_VIEW_COLUMN_FIXED) + 
col.set_resizable(True) + col.set_fixed_width(250) + self.view.append_column(col) + col = gtk.TreeViewColumn(_("Translation"), gtk.CellRendererText(), text = 1) + col.set_sort_column_id(1) + col.set_resizable(True) + self.view.append_column(col) + + self.load() + self.translationsLevelEntry = xml.get_widget("translationsLevelEntry") + self.translationsEntry = xml.get_widget("translationsEntry") + + def load(self, filter = ""): + self.filter = filter + self.translation = seobject.setransRecords() + dict = self.translation.get_all() + keys = dict.keys() + keys.sort() + self.store.clear() + for k in keys: + if not (self.match(k, filter) or self.match(dict[k], filter)): + continue + iter = self.store.append() + self.store.set_value(iter, 0, k) + self.store.set_value(iter, 1, dict[k]) + self.view.get_selection().select_path ((0,)) + + def dialogInit(self): + store, iter = self.view.get_selection().get_selected() + self.translationsLevelEntry.set_text(store.get_value(iter, 0)) + self.translationsLevelEntry.set_sensitive(False) + self.translationsEntry.set_text(store.get_value(iter, 1)) + + def dialogClear(self): + self.translationsLevelEntry.set_text("") + self.translationsLevelEntry.set_sensitive(True) + self.translationsEntry.set_text("") + + def delete(self): + store, iter = self.view.get_selection().get_selected() + try: + level = store.get_value(iter, 0) + self.translation.delete(level) + store.remove(iter) + self.view.get_selection().select_path ((0,)) + except ValueError, e: + self.error(e.args[0]) + + def add(self): + level = self.translationsLevelEntry.get_text().strip() + translation = self.translationsEntry.get_text().strip() + self.translation.add(level, translation) + iter = self.store.append() + self.store.set_value(iter, 0, level) + self.store.set_value(iter, 1, translation) + + def modify(self): + level = self.translationsLevelEntry.get_text().strip() + translation = self.translationsEntry.get_text().strip() + self.translation.modify(level, translation) + 
store, iter = self.view.get_selection().get_selected() + self.store.set_value(iter, 0, level) + self.store.set_value(iter, 1, translation) diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/usersPage.py policycoreutils-2.0.25/gui/usersPage.py --- nsapolicycoreutils/gui/usersPage.py 1969-12-31 19:00:00.000000000 -0500 +++ policycoreutils-2.0.25/gui/usersPage.py 2007-08-28 09:22:17.000000000 -0400 
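Review bot: `add` and `modify` pass whatever the two entries contain (possibly empty strings after `strip()`) straight to `self.translation.add(...)`/`.modify(...)` with no `try`/`except`, while `delete` in the same class wraps its seobject call in `except ValueError, e: self.error(e.args[0])`; unless semanagePage's dialog code catches it (not visible here), a rejected level or translation surfaces as an unhandled exception in the GTK main loop instead of an error dialog. Wrap both calls the way `delete` does and return before touching `self.store` on failure, so the list never shows a translation that was not actually written to the setrans configuration. Minor cleanups in the same class: `self.firstTime = False` in `__init__` is never read, and the `dict` local in `load` shadows the builtin.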
@@ -0,0 +1,173 @@ +## usersPage.py - show selinux mappings +## Copyright (C) 2006 Red Hat, Inc. + +## This program is free software; you can redistribute it and/or modify +## it under the terms of the GNU General Public License as published by +## the Free Software Foundation; either version 2 of the License, or +## (at your option) any later version. + +## This program is distributed in the hope that it will be useful, +## but WITHOUT ANY WARRANTY; without even the implied warranty of +## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +## GNU General Public License for more details. + +## You should have received a copy of the GNU General Public License +## along with this program; if not, write to the Free Software +## Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. + +## Author: Dan Walsh +import string +import gtk +import gtk.glade +import os +import libxml2 +import gobject +import sys +import commands +import seobject +from semanagePage import *; + +## +## I18N +## +PROGNAME="policycoreutils" +import gettext +gettext.bindtextdomain(PROGNAME, "/usr/share/locale") +gettext.textdomain(PROGNAME) +try: + gettext.install(PROGNAME, localedir="/usr/share/locale", unicode=1) +except IOError: + import __builtin__ + __builtin__.__dict__['_'] = unicode + +class usersPage(semanagePage): + def __init__(self, xml): + semanagePage.__init__(self, xml, "users", "SELinux User") + + self.store = gtk.ListStore(gobject.TYPE_STRING, gobject.TYPE_STRING, gobject.TYPE_STRING, gobject.TYPE_STRING, gobject.TYPE_STRING) + self.view.set_model(self.store) + self.store.set_sort_column_id(0, gtk.SORT_ASCENDING) + + col = gtk.TreeViewColumn(_("SELinux\nUser"), gtk.CellRendererText(), text = 0) + col.set_sort_column_id(0) + col.set_resizable(True) + self.view.append_column(col) + + col = gtk.TreeViewColumn(_("Labeling\nPrefix"), gtk.CellRendererText(), text = 1) + col.set_resizable(True) + self.view.append_column(col) + col = gtk.TreeViewColumn(_("MLS/\nMCS Level"), 
gtk.CellRendererText(), text = 2) + col.set_resizable(True) + self.view.append_column(col) + col = gtk.TreeViewColumn(_("MLS/\nMCS Range"), gtk.CellRendererText(), text = 3) + col.set_resizable(True) + self.view.append_column(col) + + col = gtk.TreeViewColumn(_("SELinux Roles"), gtk.CellRendererText(), text = 4) + col.set_resizable(True) + self.view.append_column(col) + + self.load() + self.selinuxUserEntry = xml.get_widget("selinuxUserEntry") + self.labelPrefixEntry = xml.get_widget("labelPrefixEntry") + self.mlsLevelEntry = xml.get_widget("mlsLevelEntry") + self.mlsRangeEntry = xml.get_widget("mlsRangeEntry") + self.selinuxRolesEntry = xml.get_widget("selinuxRolesEntry") + + def load(self, filter = ""): + self.filter=filter + self.user = seobject.seluserRecords() + dict = self.user.get_all() + keys = dict.keys() + keys.sort() + self.store.clear() + for k in keys: + level = seobject.translate(dict[k][1]) + range = seobject.translate(dict[k][2]) + if not (self.match(k, filter) or self.match(dict[k][0], filter) or self.match(level, filter) or self.match(range, filter) or self.match(dict[k][3], filter)): + continue + + iter = self.store.append() + self.store.set_value(iter, 0, k) + self.store.set_value(iter, 1, dict[k][0]) + self.store.set_value(iter, 2, level) + self.store.set_value(iter, 3, range) + self.store.set_value(iter, 4, dict[k][3]) + self.view.get_selection().select_path ((0,)) + + def delete(self): + if semanagePage.delete(self) == gtk.RESPONSE_NO: + return None + + def dialogInit(self): + store, iter = self.view.get_selection().get_selected() + self.selinuxUserEntry.set_text(store.get_value(iter, 0)) + self.selinuxUserEntry.set_sensitive(False) + self.labelPrefixEntry.set_text(store.get_value(iter, 1)) + self.mlsLevelEntry.set_text(store.get_value(iter, 2)) + self.mlsRangeEntry.set_text(store.get_value(iter, 3)) + self.selinuxRolesEntry.set_text(store.get_value(iter, 4)) + protocol=store.get_value(iter, 2) + + def dialogClear(self): + 
self.selinuxUserEntry.set_text("") + self.selinuxUserEntry.set_sensitive(True) + self.labelPrefixEntry.set_text("") + self.mlsLevelEntry.set_text("s0") + self.mlsRangeEntry.set_text("s0") + self.selinuxRolesEntry.set_text("") + + def add(self): + user = self.selinuxUserEntry.get_text() + prefix = self.labelPrefixEntry.get_text() + level = self.mlsLevelEntry.get_text() + range = self.mlsRangeEntry.get_text() + roles = self.selinuxRolesEntry.get_text() + + (rc, out) = commands.getstatusoutput("semanage user -a -R '%s' -r %s-%s -P %s %s" % (roles, level, range, prefix, user)) + if rc != 0: + self.error(out) + return False + iter = self.store.append() + self.store.set_value(iter, 0, user) + self.store.set_value(iter, 1, prefix) + self.store.set_value(iter, 2, level) + self.store.set_value(iter, 3, range) + self.store.set_value(iter, 4, roles) + + def modify(self): + user = self.selinuxUserEntry.get_text() + prefix = self.labelPrefixEntry.get_text() + level = self.mlsLevelEntry.get_text() + range = self.mlsRangeEntry.get_text() + roles = self.selinuxRolesEntry.get_text() + + (rc, out) = commands.getstatusoutput("semanage user -m -R '%s' -r %s-%s -P %s %s" % (roles, level, range, prefix, user)) + + if rc != 0: + self.error(out) + return False + store, iter = self.view.get_selection().get_selected() + iter = self.store.append() + self.store.set_value(iter, 0, user) + self.store.set_value(iter, 1, prefix) + self.store.set_value(iter, 2, level) + self.store.set_value(iter, 3, range) + self.store.set_value(iter, 4, roles) + + def delete(self): + store, iter = self.view.get_selection().get_selected() + try: + user=store.get_value(iter, 0) + if user == "root" or user == "user_u": + raise ValueError(_("SELinux user '%s' is required") % user) + + (rc, out) = commands.getstatusoutput("semanage user -d %s" % user) + if rc != 0: + self.error(out) + return False + store.remove(iter) + self.view.get_selection().select_path ((0,)) + except ValueError, e: + self.error(e.args[0]) +
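Review bot: The `semanage user -a ...` / `semanage user -m ...` / `semanage user -d ...` commands in add(), modify() and delete() are built by %-formatting raw Gtk entry text into a shell string for commands.getstatusoutput(), so a quote, `;`, `$(...)` or backtick in the roles, level, range, prefix or user field is interpreted by `sh -c` instead of being passed to semanage (only roles is single-quoted, and a `'` in it defeats that; the other fields are not quoted at all). The tool runs as root and the values come from the local administrator, so the exposure is limited, but an argv list through subprocess is the safe form and also stops legitimately unusual values from breaking the command; `import subprocess` would go beside `import commands` at the top of the file, and since the page already holds `self.user = seobject.seluserRecords()`, calling its add/modify/delete methods directly — as translationsPage does with setransRecords — may be the cleaner route if that API exposes them (not visible here). Separately, delete() is defined twice in this class and the second definition wins, so the confirmation in the first (`if semanagePage.delete(self) == gtk.RESPONSE_NO: return None`) is never shown, and modify() calls `self.store.append()` after get_selected(), adding a duplicate row instead of updating the selected one. The subprocess form of add() is below; modify() and delete() get the same change with `-m` and `-d`.

```python
    def add(self):
        # … unchanged: read user/prefix/level/range/roles from the entries …
        # argv list: no shell, so entry text can never be parsed as shell syntax
        argv = ["semanage", "user", "-a", "-R", roles, "-r", "%s-%s" % (level, range), "-P", prefix, user]
        p = subprocess.Popen(argv, stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
        out = p.communicate()[0]   # stderr merged, as getstatusoutput did
        if p.returncode != 0:
            self.error(out)
            return False
        # … unchanged: append the new row to self.store …
```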