565fe97388
- Updated newrole NONBlOCK patch
diff --exclude-from=exclude --exclude=sepolgen-1.0.0 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/Makefile policycoreutils-2.0.1/Makefile
|
|
--- nsapolicycoreutils/Makefile 2006-11-16 17:15:00.000000000 -0500
|
|
+++ policycoreutils-2.0.1/Makefile 2007-02-15 15:16:09.000000000 -0500
|
|
@@ -1,4 +1,4 @@
|
|
-SUBDIRS=setfiles semanage load_policy newrole run_init restorecon restorecond secon audit2allow audit2why scripts sestatus semodule_package semodule semodule_link semodule_expand semodule_deps setsebool po
|
|
+SUBDIRS=setfiles semanage load_policy newrole run_init restorecon restorecond secon audit2allow audit2why scripts sestatus semodule_package semodule semodule_link semodule_expand semodule_deps setsebool po gui
|
|
|
|
all install relabel clean indent:
|
|
@for subdir in $(SUBDIRS); do \
|
|
diff --exclude-from=exclude --exclude=sepolgen-1.0.0 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.c policycoreutils-2.0.1/restorecond/restorecond.c
|
|
--- nsapolicycoreutils/restorecond/restorecond.c 2006-11-16 17:14:28.000000000 -0500
|
|
+++ policycoreutils-2.0.1/restorecond/restorecond.c 2007-02-15 15:16:09.000000000 -0500
|
|
@@ -210,9 +210,10 @@
|
|
}
|
|
|
|
if (fsetfilecon(fd, scontext) < 0) {
|
|
- syslog(LOG_ERR,
|
|
- "set context %s->%s failed:'%s'\n",
|
|
- filename, scontext, strerror(errno));
|
|
+ if (errno != EOPNOTSUPP)
|
|
+ syslog(LOG_ERR,
|
|
+ "set context %s->%s failed:'%s'\n",
|
|
+ filename, scontext, strerror(errno));
|
|
if (retcontext >= 0)
|
|
free(prev_context);
|
|
free(scontext);
|
|
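Review bot: The new `if (errno != EOPNOTSUPP)` guard in the `fsetfilecon` failure branch removes the only record that a watched file could not be relabeled, and it is written without braces around a three-line `syslog` call. Since restorecond exists to keep labels correct, a file that lands on a filesystem without label support would now go unreported; consider keeping a low-priority trace, e.g. `else syslog(LOG_DEBUG, "%s: labeling not supported, skipped\n", filename);`. At minimum add a comment such as `/* EOPNOTSUPP: filesystem has no security labels, nothing to restore */` and brace the body. The same pattern is repeated for the get-context failure in the hunk at @@ -225; the enclosing function starts and ends outside both hunks.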
@@ -225,8 +226,9 @@
|
|
if (retcontext >= 0)
|
|
free(prev_context);
|
|
} else {
|
|
- syslog(LOG_ERR, "get context on %s failed: '%s'\n",
|
|
- filename, strerror(errno));
|
|
+ if (errno != EOPNOTSUPP)
|
|
+ syslog(LOG_ERR, "get context on %s failed: '%s'\n",
|
|
+ filename, strerror(errno));
|
|
}
|
|
free(scontext);
|
|
close(fd);
|
|
diff --exclude-from=exclude --exclude=sepolgen-1.0.0 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.conf policycoreutils-2.0.1/restorecond/restorecond.conf
|
|
--- nsapolicycoreutils/restorecond/restorecond.conf 2006-11-20 12:19:55.000000000 -0500
|
|
+++ policycoreutils-2.0.1/restorecond/restorecond.conf 2007-02-15 15:16:09.000000000 -0500
|
|
@@ -1,7 +1,9 @@
|
|
/etc/resolv.conf
|
|
+/etc/localtime
|
|
/etc/samba/secrets.tdb
|
|
/etc/mtab
|
|
/var/run/utmp
|
|
+/var/run/faillog
|
|
/var/log/wtmp
|
|
~/public_html
|
|
~/.mozilla/plugins/libflashplayer.so
|
|
diff --exclude-from=exclude --exclude=sepolgen-1.0.0 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/chcat policycoreutils-2.0.1/scripts/chcat
|
|
--- nsapolicycoreutils/scripts/chcat 2006-11-16 17:14:27.000000000 -0500
|
|
+++ policycoreutils-2.0.1/scripts/chcat 2007-02-15 15:16:09.000000000 -0500
|
|
@@ -25,11 +25,22 @@
|
|
import commands, sys, os, pwd, string, getopt, selinux
|
|
import seobject
|
|
import gettext
|
|
+import codecs
|
|
+import locale
|
|
+sys.stderr = codecs.getwriter(locale.getpreferredencoding())(sys.__stderr__, 'replace')
|
|
+sys.stdout = codecs.getwriter(locale.getpreferredencoding())(sys.__stdout__, 'replace')
|
|
|
|
try:
|
|
gettext.install('policycoreutils')
|
|
-except:
|
|
- pass
|
|
+except IOError:
|
|
+ import __builtin__
|
|
+ __builtin__.__dict__['_'] = unicode
|
|
+
|
|
+def errorExit(error):
|
|
+ sys.stderr.write("%s: " % sys.argv[0])
|
|
+ sys.stderr.write("%s\n" % error)
|
|
+ sys.stderr.flush()
|
|
+ sys.exit(1)
|
|
|
|
def verify_users(users):
|
|
for u in users:
|
|
@@ -62,12 +73,20 @@
|
|
for i in newcat[1:]:
|
|
if i not in cats:
|
|
cats.append(i)
|
|
+
|
|
new_serange = "%s-%s:%s" % (serange[0], top[0], string.join(cats, ","))
|
|
-
|
|
+ if new_serange[-1:] == ":":
|
|
+ new_serange = new_serange[:-1]
|
|
+
|
|
if add_ind:
|
|
- logins.add(u, user[0], new_serange)
|
|
+ cmd = "semanage login -a -r %s -s %s %s" % (new_serange, user[0], u)
|
|
else:
|
|
- logins.modify(u, user[0], new_serange)
|
|
+ cmd = "semanage login -m -r %s -s %s %s" % (new_serange, user[0], u)
|
|
+ rc = commands.getstatusoutput(cmd)
|
|
+ if rc[0] != 0:
|
|
+ print rc[1]
|
|
+ errors += 1
|
|
+
|
|
return errors
|
|
|
|
def chcat_add(orig, newcat, objects,login_ind):
|
|
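Review bot: The `cmd` string built with `%` in the `if add_ind:` / `else:` branches is handed to `commands.getstatusoutput`, which runs it through a shell, so any shell metacharacter or whitespace in `u`, `user[0]` or `new_serange` is interpreted by the shell instead of reaching semanage as one argument. These values appear to come from the command line and the seusers table, and chcat is normally run with administrative rights, so the arguments should be passed as a list without a shell (this needs `import subprocess` next to the existing imports). Invoking semanage by an absolute path would also remove the dependence on the caller's PATH. The identical construction is repeated in the hunks at @@ -133 and @@ -198; the enclosing function starts above this hunk.

```python
        # ... unchanged: new_serange construction and trailing ":" strip ...
        if add_ind:
            action = "-a"
        else:
            action = "-m"
        # argument list, no shell: names and ranges reach semanage verbatim
        proc = subprocess.Popen(
            ["semanage", "login", action, "-r", new_serange, "-s", user[0], u],
            stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
        output = proc.communicate()[0]
        if proc.returncode != 0:
            print output
            errors += 1
```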
@@ -133,11 +152,17 @@
|
|
cats.remove(i)
|
|
|
|
new_serange = "%s-%s:%s" % (serange[0], top[0], string.join(cats, ","))
|
|
+ if new_serange[-1:] == ":":
|
|
+ new_serange = new_serange[:-1]
|
|
|
|
if add_ind:
|
|
- logins.add(u, user[0], new_serange)
|
|
+ cmd = "semanage login -a -r %s -s %s %s" % (new_serange, user[0], u)
|
|
else:
|
|
- logins.modify(u, user[0], new_serange)
|
|
+ cmd = "semanage login -m -r %s -s %s %s" % (new_serange, user[0], u)
|
|
+ rc = commands.getstatusoutput(cmd)
|
|
+ if rc[0] != 0:
|
|
+ print rc[1]
|
|
+ errors += 1
|
|
return errors
|
|
|
|
def chcat_remove(orig, newcat, objects, login_ind):
|
|
@@ -198,11 +223,17 @@
|
|
user = seusers["__default__"]
|
|
serange = user[1].split("-")
|
|
new_serange = "%s-%s:%s" % (serange[0],newcat[0], string.join(newcat[1:], ","))
|
|
-
|
|
+ if new_serange[-1:] == ":":
|
|
+ new_serange = new_serange[:-1]
|
|
+
|
|
if add_ind:
|
|
- logins.add(u, user[0], new_serange)
|
|
+ cmd = "semanage login -a -r %s -s %s %s" % (new_serange, user[0], u)
|
|
else:
|
|
- logins.modify(u, user[0], new_serange)
|
|
+ cmd = "semanage login -m -r %s -s %s %s" % (new_serange, user[0], u)
|
|
+ rc = commands.getstatusoutput(cmd)
|
|
+ if rc[0] != 0:
|
|
+ print rc[1]
|
|
+ errors += 1
|
|
return errors
|
|
|
|
def chcat_replace(newcat, objects, login_ind):
|
|
@@ -362,6 +393,10 @@
|
|
|
|
if list_ind == 0 and len(cmds) < 1:
|
|
usage()
|
|
+
|
|
+ except getopt.error, error:
|
|
+ errorExit(_("Options Error %s ") % error.msg)
|
|
+
|
|
except ValueError, e:
|
|
usage()
|
|
|
|
diff --exclude-from=exclude --exclude=sepolgen-1.0.0 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/chcat.8 policycoreutils-2.0.1/scripts/chcat.8
|
|
--- nsapolicycoreutils/scripts/chcat.8 2007-01-17 11:11:34.000000000 -0500
|
|
+++ policycoreutils-2.0.1/scripts/chcat.8 2007-02-15 15:16:09.000000000 -0500
|
|
@@ -3,30 +3,31 @@
|
|
chcat \- change file SELinux security category
|
|
.SH SYNOPSIS
|
|
.B chcat
|
|
-\fICATEGORY FILE\fR...
|
|
+\fIcategory file\fR...
|
|
.br
|
|
.B chcat -l
|
|
-\fICATEGORY USER\fR...
|
|
+\fIcategory user\fR...
|
|
.br
|
|
.B chcat
|
|
-\fI[[+|-]CATEGORY],...] FILE\fR...
|
|
+\fI[[+|-]category...] file\fR...
|
|
.br
|
|
.B chcat -l
|
|
-\fI[[+|-]CATEGORY],...] USER\fR...
|
|
+\fI[[+|-]category...] user\fR...
|
|
.br
|
|
.B chcat
|
|
-[\fI-d\fR] \fIFILE\fR...
|
|
+[\fI-d\fR] \fIfile\fR...
|
|
.br
|
|
.B chcat -l
|
|
-[\fI-d\fR] \fIUSER\fR...
|
|
+[\fI-d\fR] \fIuser\fR...
|
|
.br
|
|
.B chcat
|
|
-\fI-L\fR [-l] [ USER ... ]
|
|
+\fI-L\fR [ -l ] [ user ... ]
|
|
.br
|
|
+.SH DESCRIPTION
|
|
.PP
|
|
-Change/Remove the security CATEGORY for each FILE/USER.
|
|
+Change/Remove the security \fIcategory\fR for each \fIfile\fR or \fIuser\fR.
|
|
.PP
|
|
-Use +/- to add/remove categories from a FILE/USER.
|
|
+Use +/- to add/remove categories from a \fIfile\fR or \fIuser\fR.
|
|
.PP
|
|
.B
|
|
Note:
|
|
diff --exclude-from=exclude --exclude=sepolgen-1.0.0 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/fixfiles.8 policycoreutils-2.0.1/scripts/fixfiles.8
|
|
--- nsapolicycoreutils/scripts/fixfiles.8 2007-01-17 11:11:34.000000000 -0500
|
|
+++ policycoreutils-2.0.1/scripts/fixfiles.8 2007-02-15 15:16:09.000000000 -0500
|
|
@@ -54,7 +54,7 @@
|
|
change any incorrect file context labels.
|
|
.TP
|
|
.B relabel
|
|
-Prompt for removal of contents of /tmp directory and then change any inccorect file context labels to match the install file_contexts file.
|
|
+Prompt for removal of contents of /tmp directory and then change any incorrect file context labels to match the install file_contexts file.
|
|
.TP
|
|
.B verify
|
|
List out files with incorrect file context labels, but do not change them.
|
|
diff --exclude-from=exclude --exclude=sepolgen-1.0.0 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/seobject.py policycoreutils-2.0.1/semanage/seobject.py
|
|
--- nsapolicycoreutils/semanage/seobject.py 2007-02-20 08:43:10.000000000 -0500
|
|
+++ policycoreutils-2.0.1/semanage/seobject.py 2007-02-15 15:16:09.000000000 -0500
|
|
@@ -139,7 +139,7 @@
|
|
translations = fd.readlines()
|
|
fd.close()
|
|
except IOError, e:
|
|
- raise ValueError(_("Unable to open %s: translations not supported on non-MLS machines") % (self.filename) )
|
|
+ raise ValueError(_("Unable to open %s: translations not supported on non-MLS machines") % (self.filename, e) )
|
|
|
|
self.ddict = {}
|
|
self.comments = []
|
|
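Review bot: The new argument tuple `(self.filename, e)` has two items while the format string still contains a single `%s`, so this `raise` would itself fail with `TypeError: not all arguments converted during string formatting` and the intended ValueError never reaches the caller. Add a second placeholder, e.g. `_("Unable to open %s: translations not supported on non-MLS machines: %s") % (self.filename, e)`, or drop `e` again. Changing the message text also changes the msgid, so the translation catalogs would need the new string. The enclosing method starts outside the hunk.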
@@ -209,7 +209,8 @@
|
|
os.write(fd, self.out())
|
|
os.close(fd)
|
|
os.rename(newfilename, self.filename)
|
|
-
|
|
+ os.system("/sbin/service mcstrans reload > /dev/null")
|
|
+
|
|
class semanageRecords:
|
|
def __init__(self):
|
|
self.sh = semanage_handle_create()
|
|
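Review bot: The exit status of the added `os.system("/sbin/service mcstrans reload > /dev/null")` is discarded, so a failed reload leaves the translation daemon serving the old table while the caller believes the new file is in effect. Only stdout is redirected, so any error text from the service script still goes to the terminal. Consider `rc = os.system("/sbin/service mcstrans reload > /dev/null 2>&1")` followed by a warning or a ValueError when `rc != 0`, and a comment saying that the reload is needed for the renamed file to be picked up. The enclosing method starts above the hunk.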
@@ -464,7 +465,8 @@
|
|
rc = semanage_user_set_mlslevel(self.sh, u, selevel)
|
|
if rc < 0:
|
|
raise ValueError(_("Could not set MLS level for %s") % name)
|
|
-
|
|
+ if selinux.security_check_context("system_u:object_r:%s_home_t:s0" % prefix) != 0:
|
|
+ raise ValueError(_("Invalid prefix %s") % prefix)
|
|
rc = semanage_user_set_prefix(self.sh, u, prefix)
|
|
if rc < 0:
|
|
raise ValueError(_("Could not add prefix %s for %s") % (r, prefix))
|
|
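Review bot: The prefix check added here validates `"system_u:object_r:%s_home_t:s0" % prefix`, while the check added in the hunk at @@ -530 validates `"system_u:object_r:%s_home_t" % prefix` with no level field, so the same prefix can pass on one path and fail on the other. Whether a context needs the `:s0` field presumably depends on whether the loaded policy has MLS enabled, so a hard-coded choice in either direction may reject every prefix on some systems. Build the test context once in a shared helper that appends the level only on MLS-enabled systems, and call it from both places. A short comment stating that `<prefix>_home_t` must exist in policy for the prefix to be valid would also help. Both enclosing methods extend outside their hunks.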
@@ -530,7 +532,9 @@
|
|
semanage_user_set_mlslevel(self.sh, u, untranslate(selevel))
|
|
|
|
if prefix != "":
|
|
- semanage_user_set_prefix(self.sh, u, prefix)
|
|
+ if selinux.security_check_context("system_u:object_r:%s_home_t" % prefix) != 0:
|
|
+ raise ValueError(_("Invalid prefix %s") % prefix)
|
|
+ semanage_user_set_prefix(self.sh, u, prefix)
|
|
|
|
if len(roles) != 0:
|
|
for r in rlist:
|
|
diff --exclude-from=exclude --exclude=sepolgen-1.0.0 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/newrole/newrole.c policycoreutils-2.0.1/newrole/newrole.c
|
|
--- nsapolicycoreutils/newrole/newrole.c 2007-01-24 10:03:59.000000000 -0500
|
|
+++ policycoreutils-2.0.1/newrole/newrole.c 2007-02-15 15:16:09.000000000 -0500
|
|
@@ -636,11 +636,12 @@ static int relabel_tty(const char *ttyn,
|
|
}
|
|
|
|
/* Re-open TTY descriptor */
|
|
- fd = open(ttyn, O_RDWR);
|
|
+ fd = open(ttyn, O_RDWR|O_NONBLOCK);
|
|
if (fd < 0) {
|
|
fprintf(stderr, _("Error! Could not open %s.\n"), ttyn);
|
|
return fd;
|
|
}
|
|
+ fcntl(fd, F_SETFL, fcntl(fd, F_GETFL, 0) & ~O_NONBLOCK);
|
|
|
|
if (fgetfilecon(fd, &tty_con) < 0) {
|
|
fprintf(stderr, _("%s! Could not get current context "
|
|
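Review bot: The added `fcntl(fd, F_SETFL, fcntl(fd, F_GETFL, 0) & ~O_NONBLOCK);` after the re-open in relabel_tty ignores both return values. If `F_GETFL` fails, -1 masked with `~O_NONBLOCK` is passed as the flag word, and if `F_SETFL` fails the descriptor silently stays non-blocking. newrole is a privileged program and should check each step, e.g. `flags = fcntl(fd, F_GETFL, 0);` then `if (flags < 0 || fcntl(fd, F_SETFL, flags & ~O_NONBLOCK) < 0) { close(fd); return -1; }`. The same unchecked call is added three times for descriptors 0, 1 and 2 in the hunk at @@ -1127, where the failure path would presumably be `goto err_close_pam;`. A one-line comment explaining that `O_NONBLOCK` is used only so that `open()` cannot hang on the tty would make the open-then-clear sequence easier to follow. relabel_tty and main both extend outside these hunks.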
@@ -1127,15 +1128,18 @@ int main(int argc, char *argv[])
|
|
fprintf(stderr, _("Could not close descriptors.\n"));
|
|
goto err_close_pam;
|
|
}
|
|
- fd = open(ttyn, O_RDONLY);
|
|
+ fd = open(ttyn, O_RDONLY|O_NONBLOCK);
|
|
if (fd != 0)
|
|
goto err_close_pam;
|
|
- fd = open(ttyn, O_RDWR);
|
|
+ fcntl(fd, F_SETFL, fcntl(fd, F_GETFL, 0) & ~O_NONBLOCK);
|
|
+ fd = open(ttyn, O_RDWR|O_NONBLOCK);
|
|
if (fd != 1)
|
|
goto err_close_pam;
|
|
- fd = open(ttyn, O_RDWR);
|
|
+ fcntl(fd, F_SETFL, fcntl(fd, F_GETFL, 0) & ~O_NONBLOCK);
|
|
+ fd = open(ttyn, O_RDWR|O_NONBLOCK);
|
|
if (fd != 2)
|
|
goto err_close_pam;
|
|
+ fcntl(fd, F_SETFL, fcntl(fd, F_GETFL, 0) & ~O_NONBLOCK);
|
|
|
|
/*
|
|
* Step 5: Execute a new shell with the new context in `new_context'.
|