policycoreutils/policycoreutils-rhat.patch
Daniel J Walsh 15119ec30a * Mon Feb 13 2006 Dan Walsh <dwalsh@redhat.com> 1.29.23-1
- Update from upstream
	* Merged newrole -V/--version support from Glauber de Oliveira Costa.
	* Merged genhomedircon prefix patch from Dan Walsh.
	* Merged optionals in base patch from Joshua Brindle.
2006-02-13 19:54:09 +00:00


diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semanage/seobject.py policycoreutils-1.29.20/semanage/seobject.py
--- nsapolicycoreutils/semanage/seobject.py 2006-02-02 12:08:04.000000000 -0500
+++ policycoreutils-1.29.20/semanage/seobject.py 2006-02-10 11:48:59.000000000 -0500
@@ -21,8 +21,11 @@
#
#
-import pwd, string, selinux, tempfile, os, re
+import pwd, string, selinux, tempfile, os, re, sys
from semanage import *;
+import audit
+
+audit_fd=audit.audit_open()
def validate_level(raw):
sensitivity="s([0-9]|1[0-5])"
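Review bot: The new module-level `audit_fd=audit.audit_open()` never checks its result; libaudit's `audit_open()` returns -1 when the audit netlink socket cannot be opened (typically a process without audit write privilege importing seobject just to list records), so every later `audit_log_semanage_message` call in this file is handed an invalid descriptor and, as far as the hunk shows, nothing reports that the change went unaudited. The descriptor is also opened as an import-time side effect and never closed. At minimum make the failure visible once: `audit_fd = audit.audit_open()` followed by `if audit_fd < 0:` and `sys.stderr.write("warning: audit socket unavailable, semanage changes will not be audited\n")` (`sys` is imported on the line above), and add a comment stating that -1 is the documented failure value so readers do not assume the log calls are guaranteed to land.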
@@ -170,119 +173,145 @@
if sename == "":
sename = "user_u"
- (rc,k) = semanage_seuser_key_create(self.sh, name)
- if rc < 0:
- raise ValueError("Could not create a key for %s" % name)
-
- (rc,exists) = semanage_seuser_exists(self.sh, k)
- if rc < 0:
- raise ValueError("Could not check if login mapping for %s is defined" % name)
- if exists:
- raise ValueError("Login mapping for %s is already defined" % name)
try:
- pwd.getpwnam(name)
- except:
- raise ValueError("Linux User %s does not exist" % name)
-
- (rc,u) = semanage_seuser_create(self.sh)
- if rc < 0:
- raise ValueError("Could not create login mapping for %s" % name)
+ (rc,k) = semanage_seuser_key_create(self.sh, name)
+ if rc < 0:
+ raise ValueError("Could not create a key for %s" % name)
- rc = semanage_seuser_set_name(self.sh, u, name)
- if rc < 0:
- raise ValueError("Could not set name for %s" % name)
+ (rc,exists) = semanage_seuser_exists(self.sh, k)
+ if rc < 0:
+ raise ValueError("Could not check if login mapping for %s is defined" % name)
+ if exists:
+ raise ValueError("Login mapping for %s is already defined" % name)
+ try:
+ pwd.getpwnam(name)
+ except:
+ raise ValueError("Linux User %s does not exist" % name)
- rc = semanage_seuser_set_mlsrange(self.sh, u, serange)
- if rc < 0:
- raise ValueError("Could not set MLS range for %s" % name)
+ (rc,u) = semanage_seuser_create(self.sh)
+ if rc < 0:
+ raise ValueError("Could not create login mapping for %s" % name)
- rc = semanage_seuser_set_sename(self.sh, u, sename)
- if rc < 0:
- raise ValueError("Could not set SELinux user for %s" % name)
+ rc = semanage_seuser_set_name(self.sh, u, name)
+ if rc < 0:
+ raise ValueError("Could not set name for %s" % name)
- rc = semanage_begin_transaction(self.sh)
- if rc < 0:
- raise ValueError("Could not start semanage transaction")
+ rc = semanage_seuser_set_mlsrange(self.sh, u, serange)
+ if rc < 0:
+ raise ValueError("Could not set MLS range for %s" % name)
- rc = semanage_seuser_modify_local(self.sh, k, u)
- if rc < 0:
- raise ValueError("Could not add login mapping for %s" % name)
+ rc = semanage_seuser_set_sename(self.sh, u, sename)
+ if rc < 0:
+ raise ValueError("Could not set SELinux user for %s" % name)
- rc = semanage_commit(self.sh)
- if rc < 0:
- raise ValueError("Could not add login mapping for %s" % name)
+ rc = semanage_begin_transaction(self.sh)
+ if rc < 0:
+ raise ValueError("Could not start semanage transaction")
+ rc = semanage_seuser_modify_local(self.sh, k, u)
+ if rc < 0:
+ raise ValueError("Could not add login mapping for %s" % name)
+
+ rc = semanage_commit(self.sh)
+ if rc < 0:
+ raise ValueError("Could not add login mapping for %s" % name)
+
+ except ValueError, error:
+ audit.audit_log_semanage_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"add SELinux user mapping", name, 0, sename, "", serange, "", "", "", "", "", "", 0);
+ raise error
+
+ audit.audit_log_semanage_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"add SELinux user mapping", name, 0, sename, "", serange, "", "", "", "", "", "", 1);
semanage_seuser_key_free(k)
semanage_seuser_free(u)
def modify(self, name, sename = "", serange = ""):
- if sename == "" and serange == "":
- raise ValueError("Requires seuser or serange")
+ oldsename=""
+ oldserange=""
+ try:
+ if sename == "" and serange == "":
+ raise ValueError("Requires seuser or serange")
- (rc,k) = semanage_seuser_key_create(self.sh, name)
- if rc < 0:
- raise ValueError("Could not create a key for %s" % name)
+ (rc,k) = semanage_seuser_key_create(self.sh, name)
+ if rc < 0:
+ raise ValueError("Could not create a key for %s" % name)
- (rc,exists) = semanage_seuser_exists(self.sh, k)
- if rc < 0:
- raise ValueError("Could not check if login mapping for %s is defined" % name)
- if not exists:
- raise ValueError("Login mapping for %s is not defined" % name)
+ (rc,exists) = semanage_seuser_exists(self.sh, k)
+ if rc < 0:
+ raise ValueError("Could not check if login mapping for %s is defined" % name)
+ if not exists:
+ raise ValueError("Login mapping for %s is not defined" % name)
- (rc,u) = semanage_seuser_query(self.sh, k)
- if rc < 0:
- raise ValueError("Could not query seuser for %s" % name)
+ (rc,u) = semanage_seuser_query(self.sh, k)
+ if rc < 0:
+ raise ValueError("Could not query seuser for %s" % name)
- if serange != "":
- semanage_seuser_set_mlsrange(self.sh, u, untranslate(serange))
- if sename != "":
- semanage_seuser_set_sename(self.sh, u, sename)
+ oldserange=semanage_seuser_get_mlsrange(u)
+ oldsename=semanage_seuser_get_sename(u)
+ if serange != "":
+ semanage_seuser_set_mlsrange(self.sh, u, untranslate(serange))
+ else:
+ serange=oldserange
+ if sename != "":
+ semanage_seuser_set_sename(self.sh, u, sename)
+ else:
+ sename=oldsename
- rc = semanage_begin_transaction(self.sh)
- if rc < 0:
- raise ValueError("Could not srart semanage transaction")
+ rc = semanage_begin_transaction(self.sh)
+ if rc < 0:
+ raise ValueError("Could not srart semanage transaction")
- rc = semanage_seuser_modify_local(self.sh, k, u)
- if rc < 0:
- raise ValueError("Could not modify login mapping for %s" % name)
-
- rc = semanage_commit(self.sh)
- if rc < 0:
- raise ValueError("Could not modify login mapping for %s" % name)
+ rc = semanage_seuser_modify_local(self.sh, k, u)
+ if rc < 0:
+ raise ValueError("Could not modify login mapping for %s" % name)
+
+ rc = semanage_commit(self.sh)
+ if rc < 0:
+ raise ValueError("Could not modify login mapping for %s" % name)
+ except ValueError, error:
+ audit.audit_log_semanage_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"modify selinux user mapping", name, 0, sename, "", serange, "", oldsename, "", oldserange, "", "", "", 0);
+ raise error
+
+ audit.audit_log_semanage_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"modify selinux user mapping", name, 0, sename, "", serange, oldsename, "", oldserange, "", 1);
semanage_seuser_key_free(k)
semanage_seuser_free(u)
def delete(self, name):
- (rc,k) = semanage_seuser_key_create(self.sh, name)
- if rc < 0:
- raise ValueError("Could not create a key for %s" % name)
+ try:
+ (rc,k) = semanage_seuser_key_create(self.sh, name)
+ if rc < 0:
+ raise ValueError("Could not create a key for %s" % name)
- (rc,exists) = semanage_seuser_exists(self.sh, k)
- if rc < 0:
- raise ValueError("Could not check if login mapping for %s is defined" % name)
- if not exists:
- raise ValueError("Login mapping for %s is not defined" % name)
+ (rc,exists) = semanage_seuser_exists(self.sh, k)
+ if rc < 0:
+ raise ValueError("Could not check if login mapping for %s is defined" % name)
+ if not exists:
+ raise ValueError("Login mapping for %s is not defined" % name)
- (rc,exists) = semanage_seuser_exists_local(self.sh, k)
- if rc < 0:
- raise ValueError("Could not check if login mapping for %s is defined" % name)
- if not exists:
- raise ValueError("Login mapping for %s is defined in policy, cannot be deleted" % name)
+ (rc,exists) = semanage_seuser_exists_local(self.sh, k)
+ if rc < 0:
+ raise ValueError("Could not check if login mapping for %s is defined" % name)
+ if not exists:
+ raise ValueError("Login mapping for %s is defined in policy, cannot be deleted" % name)
- rc = semanage_begin_transaction(self.sh)
- if rc < 0:
- raise ValueError("Could not start semanage transaction")
+ rc = semanage_begin_transaction(self.sh)
+ if rc < 0:
+ raise ValueError("Could not start semanage transaction")
- rc = semanage_seuser_del_local(self.sh, k)
+ rc = semanage_seuser_del_local(self.sh, k)
- if rc < 0:
- raise ValueError("Could not delete login mapping for %s" % name)
+ if rc < 0:
+ raise ValueError("Could not delete login mapping for %s" % name)
- rc = semanage_commit(self.sh)
- if rc < 0:
- raise ValueError("Could not delete login mapping for %s" % name)
-
+ rc = semanage_commit(self.sh)
+ if rc < 0:
+ raise ValueError("Could not delete login mapping for %s" % name)
+
+ except ValueError, error:
+ audit.audit_log_semanage_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"delete SELinux user mapping", name, 0, name, "", "", "", "", "", "", "", "", 0);
+ raise error
+
+ audit.audit_log_semanage_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"delete SELinux user mapping", name, 0, name, "", "", "", "", "", "", "", "", 1);
semanage_seuser_key_free(k)
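Review bot: The two audit calls in modify() disagree on their argument list — the failure-path call passes 17 positional arguments (an extra `""` after `serange` pushes `oldsename` and `oldserange` one slot to the right) and the success-path call passes only 14, while every add/delete call in the hunk passes 16 — so at least one of them either fails in the binding or records old-value fields under the wrong name. If the binding follows libaudit's order (new_seuser, new_role, new_range, old_seuser, old_role, old_range, host, addr, tty, result), both calls should read `name, 0, sename, "", serange, oldsename, "", oldserange, "", "", "", 0` (and `1` on the success path). Separately, only `ValueError` is caught, so any other exception raised between `semanage_begin_transaction` and `semanage_commit` escapes with no audit record at all; a defender relying on these records to reconstruct user-mapping changes would want the failure record written for every exception type, e.g. `except Exception, error:` with the same log call. The key/seuser objects are also freed only on the success path, which predates this change but is worth a `finally` now that the try block exists.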
@@ -322,127 +351,145 @@
else:
selevel = untranslate(selevel)
- (rc,k) = semanage_user_key_create(self.sh, name)
- if rc < 0:
- raise ValueError("Could not create a key for %s" % name)
-
- (rc,exists) = semanage_user_exists(self.sh, k)
- if rc < 0:
- raise ValueError("Could not check if SELinux user %s is defined" % name)
- if exists:
- raise ValueError("SELinux user %s is already defined" % name)
+ seroles=" ".join(roles)
+ try:
+ (rc,k) = semanage_user_key_create(self.sh, name)
+ if rc < 0:
+ raise ValueError("Could not create a key for %s" % name)
- (rc,u) = semanage_user_create(self.sh)
- if rc < 0:
- raise ValueError("Could not create SELinux user for %s" % name)
+ (rc,exists) = semanage_user_exists(self.sh, k)
+ if rc < 0:
+ raise ValueError("Could not check if SELinux user %s is defined" % name)
+ if exists:
+ raise ValueError("SELinux user %s is already defined" % name)
- rc = semanage_user_set_name(self.sh, u, name)
- if rc < 0:
- raise ValueError("Could not set name for %s" % name)
+ (rc,u) = semanage_user_create(self.sh)
+ if rc < 0:
+ raise ValueError("Could not create SELinux user for %s" % name)
- for r in roles:
- rc = semanage_user_add_role(self.sh, u, r)
+ rc = semanage_user_set_name(self.sh, u, name)
if rc < 0:
- raise ValueError("Could not add role %s for %s" % (r, name))
+ raise ValueError("Could not set name for %s" % name)
- rc = semanage_user_set_mlsrange(self.sh, u, serange)
- if rc < 0:
- raise ValueError("Could not set MLS range for %s" % name)
+ for r in roles:
+ rc = semanage_user_add_role(self.sh, u, r)
+ if rc < 0:
+ raise ValueError("Could not add role %s for %s" % (r, name))
- rc = semanage_user_set_mlslevel(self.sh, u, selevel)
- if rc < 0:
- raise ValueError("Could not set MLS level for %s" % name)
+ rc = semanage_user_set_mlsrange(self.sh, u, serange)
+ if rc < 0:
+ raise ValueError("Could not set MLS range for %s" % name)
- (rc,key) = semanage_user_key_extract(self.sh,u)
- if rc < 0:
- raise ValueError("Could not extract key for %s" % name)
+ rc = semanage_user_set_mlslevel(self.sh, u, selevel)
+ if rc < 0:
+ raise ValueError("Could not set MLS level for %s" % name)
- rc = semanage_begin_transaction(self.sh)
- if rc < 0:
- raise ValueError("Could not start semanage transaction")
+ (rc,key) = semanage_user_key_extract(self.sh,u)
+ if rc < 0:
+ raise ValueError("Could not extract key for %s" % name)
- rc = semanage_user_modify_local(self.sh, k, u)
- if rc < 0:
- raise ValueError("Could not add SELinux user %s" % name)
+ rc = semanage_begin_transaction(self.sh)
+ if rc < 0:
+ raise ValueError("Could not start semanage transaction")
- rc = semanage_commit(self.sh)
- if rc < 0:
- raise ValueError("Could not add SELinux user %s" % name)
+ rc = semanage_user_modify_local(self.sh, k, u)
+ if rc < 0:
+ raise ValueError("Could not add SELinux user %s" % name)
+
+ rc = semanage_commit(self.sh)
+ if rc < 0:
+ raise ValueError("Could not add SELinux user %s" % name)
+ except ValueError, error:
+ audit.audit_log_semanage_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"add SELinux user record", name, 0, name, seroles, serange, "", "", "", "", "", "", 0);
+ raise error
+
+ audit.audit_log_semanage_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"add SELinux user record", name, 0, name, seroles, serange, "", "", "", "", "", "", 1);
semanage_user_key_free(k)
semanage_user_free(u)
def modify(self, name, roles = [], selevel = "", serange = ""):
- if len(roles) == 0 and serange == "" and selevel == "":
- raise ValueError("Requires roles, level or range")
+ try:
+ if len(roles) == 0 and serange == "" and selevel == "":
+ raise ValueError("Requires roles, level or range")
- (rc,k) = semanage_user_key_create(self.sh, name)
- if rc < 0:
- raise ValueError("Could not create a key for %s" % name)
+ (rc,k) = semanage_user_key_create(self.sh, name)
+ if rc < 0:
+ raise ValueError("Could not create a key for %s" % name)
- (rc,exists) = semanage_user_exists(self.sh, k)
- if rc < 0:
- raise ValueError("Could not check if SELinux user %s is defined" % name)
- if not exists:
- raise ValueError("SELinux user %s is not defined" % name)
-
- (rc,u) = semanage_user_query(self.sh, k)
- if rc < 0:
- raise ValueError("Could not query user for %s" % name)
+ (rc,exists) = semanage_user_exists(self.sh, k)
+ if rc < 0:
+ raise ValueError("Could not check if SELinux user %s is defined" % name)
+ if not exists:
+ raise ValueError("SELinux user %s is not defined" % name)
- if serange != "":
- semanage_user_set_mlsrange(self.sh, u, untranslate(serange))
- if selevel != "":
- semanage_user_set_mlslevel(self.sh, u, untranslate(selevel))
-
- if len(roles) != 0:
- for r in roles:
- semanage_user_add_role(self.sh, u, r)
+ (rc,u) = semanage_user_query(self.sh, k)
+ if rc < 0:
+ raise ValueError("Could not query user for %s" % name)
- rc = semanage_begin_transaction(self.sh)
- if rc < 0:
- raise ValueError("Could not start semanage transaction")
+ if serange != "":
+ semanage_user_set_mlsrange(self.sh, u, untranslate(serange))
+ if selevel != "":
+ semanage_user_set_mlslevel(self.sh, u, untranslate(selevel))
+
+ if len(roles) != 0:
+ for r in roles:
+ semanage_user_add_role(self.sh, u, r)
- rc = semanage_user_modify_local(self.sh, k, u)
- if rc < 0:
- raise ValueError("Could not modify SELinux user %s" % name)
+ rc = semanage_begin_transaction(self.sh)
+ if rc < 0:
+ raise ValueError("Could not start semanage transaction")
- rc = semanage_commit(self.sh)
- if rc < 0:
- raise ValueError("Could not modify SELinux user %s" % name)
+ rc = semanage_user_modify_local(self.sh, k, u)
+ if rc < 0:
+ raise ValueError("Could not modify SELinux user %s" % name)
+
+ rc = semanage_commit(self.sh)
+ if rc < 0:
+ raise ValueError("Could not modify SELinux user %s" % name)
+
+ except ValueError, error:
+ audit.audit_log_semanage_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"modify SELinux user record", name, 0, seuser, seroles, serange, oldseuser, oldseroles, olrserange, "", 0);
+ raise error
+ audit.audit_log_semanage_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"modify SELinux user record", name, 0, seuser, seroles, serange, oldseuser, oldseroles, olrserange, "", 1);
semanage_user_key_free(k)
semanage_user_free(u)
def delete(self, name):
- (rc,k) = semanage_user_key_create(self.sh, name)
- if rc < 0:
- raise ValueError("Could not create a key for %s" % name)
-
- (rc,exists) = semanage_user_exists(self.sh, k)
- if rc < 0:
- raise ValueError("Could not check if SELinux user %s is defined" % name)
- if not exists:
- raise ValueError("SELinux user %s is not defined" % name)
+ try:
+ (rc,k) = semanage_user_key_create(self.sh, name)
+ if rc < 0:
+ raise ValueError("Could not create a key for %s" % name)
+
+ (rc,exists) = semanage_user_exists(self.sh, k)
+ if rc < 0:
+ raise ValueError("Could not check if SELinux user %s is defined" % name)
+ if not exists:
+ raise ValueError("SELinux user %s is not defined" % name)
- (rc,exists) = semanage_user_exists_local(self.sh, k)
- if rc < 0:
- raise ValueError("Could not check if SELinux user %s is defined" % name)
- if not exists:
- raise ValueError("SELinux user %s is defined in policy, cannot be deleted" % name)
+ (rc,exists) = semanage_user_exists_local(self.sh, k)
+ if rc < 0:
+ raise ValueError("Could not check if SELinux user %s is defined" % name)
+ if not exists:
+ raise ValueError("SELinux user %s is defined in policy, cannot be deleted" % name)
- rc = semanage_begin_transaction(self.sh)
- if rc < 0:
- raise ValueError("Could not start semanage transaction")
+ rc = semanage_begin_transaction(self.sh)
+ if rc < 0:
+ raise ValueError("Could not start semanage transaction")
- rc = semanage_user_del_local(self.sh, k)
- if rc < 0:
- raise ValueError("Could not delete SELinux user %s" % name)
+ rc = semanage_user_del_local(self.sh, k)
+ if rc < 0:
+ raise ValueError("Could not delete SELinux user %s" % name)
- rc = semanage_commit(self.sh)
- if rc < 0:
- raise ValueError("Could not delete SELinux user %s" % name)
+ rc = semanage_commit(self.sh)
+ if rc < 0:
+ raise ValueError("Could not delete SELinux user %s" % name)
+ except ValueError, error:
+ audit.audit_log_semanage_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"delete SELinux user record", name, 0, "", "", "", "", "", "", "", "", "", 0);
+ raise error
+ audit.audit_log_semanage_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"delete SELinux user record", name, 0, "", "", "", "", "", "", "", "", "", 1);
semanage_user_key_free(k)
def get_all(self):
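Review bot: Both audit calls in the SELinux-user modify() reference `seuser`, `seroles`, `oldseuser`, `oldseroles` and `olrserange`, none of which this method assigns (add() builds `seroles`; the seuser modify() captures old values with the `get_*` accessors; this one does neither), so the failure path raises `NameError` instead of the original `ValueError`, and the success path raises `NameError` after `semanage_commit` has already persisted the change — the caller sees an error for a modification that actually happened, and no audit record is written in either case. The calls also pass 13 arguments where every other call in the patch passes 16. The rewrite below captures the old range with `semanage_user_get_mlsrange(u)` (the user-record counterpart of the accessor the seuser hunk already uses), derives `seroles` the way add() does, and fixes the argument lists; the Python shape of the roles accessor is not visible in the hunk, so `oldseroles` is left as a marked placeholder. The delete() record on the last two audit lines also passes `""` for the new seuser field where the seuser delete passes `name`, which makes the two record types harder to correlate.
```python
def modify(self, name, roles = [], selevel = "", serange = ""):
    # Old values default to "" so the failure record can still be written
    # when the exception fires before the record was queried.
    oldserange = ""
    oldseroles = ""  # TODO: populate from the roles accessor once its binding shape is confirmed
    seroles = " ".join(roles)
    try:
        # … unchanged: argument check, key create, exists check, query …
        oldserange = semanage_user_get_mlsrange(u)
        # … unchanged: range/level setters, role loop, transaction, commit …
    except ValueError, error:
        audit.audit_log_semanage_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0], "modify SELinux user record", name, 0, name, seroles, serange, name, oldseroles, oldserange, "", "", "", 0);
        raise error
    audit.audit_log_semanage_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0], "modify SELinux user record", name, 0, name, seroles, serange, name, oldseroles, oldserange, "", "", "", 1);
    # … unchanged: key/user free …
```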