775d48fd41
* genhomedircon: manual page improvements * setfiles/restorecon minor improvements * run_init: If open_init_pty is not available then just use exec * newrole: do not drop capabilities when newrole is run as * restorecon: only update type by default * scripts: Don't syslog setfiles changes on a fixfiles restore * setfiles: do not syslog if no changes * Disable user restorecond by default * Make restorecon return 0 when a file has changed context * setfiles: Fix process_glob error handling * semanage: allow enable/disable under -m * add .tx to gitignore * translations: commit translations from Fedora community * po: silence build process * gui: Checking in policy to support polgengui and sepolgen. * gui: polgen: search for systemd subpackage when generating policy * gui: for exploring booleans * gui: system-config-selinux gui * Add Makefiles to support new gui code * gui: remove lockdown wizard * return equivalency records in fcontext customized * semanage: option to not load new policy into kernel after * sandbox: manpage update to describe standard types * setsebool: -N should not reload policy on changes * semodule: Add -N qualifier to no reload kernel policy * gui: polgen: sort selinux types of user controls * gui: polgen: follow symlinks and get the real path to * gui: Fix missing error function * setfiles: return errors when bad paths are given * fixfiles: tell restorecon to ignore missing paths * setsebool: error when setting multiple options * semanage: use boolean subs. * sandbox: Make sure Xephyr never listens on tcp ports * sepolgen: return and output constraint violation information * semanage: skip comments while reading external configuration files * restorecond: relabel all mount runtime files in the restorecond example * genhomedircon: dynamically create genhomedircon * Allow returning of bastard matches * sepolgen: return and output constraint violation information * audit2allow: one role/type pair per line
1094 lines
52 KiB
diff --git a/policycoreutils/Makefile b/policycoreutils/Makefile
|
|
index 77d8c80..eca632b 100644
|
|
--- a/policycoreutils/Makefile
|
|
+++ b/policycoreutils/Makefile
|
|
@@ -1,4 +1,4 @@
|
|
-SUBDIRS = setfiles semanage load_policy newrole run_init sandbox secon audit2allow audit2why sestatus semodule_package semodule semodule_link semodule_expand semodule_deps sepolgen-ifgen setsebool scripts po man gui
|
|
+SUBDIRS = setfiles semanage semanage/default_encoding load_policy newrole run_init sandbox secon audit2allow audit2why sestatus semodule_package semodule semodule_link semodule_expand semodule_deps sepolgen-ifgen setsebool scripts po man gui
|
|
|
|
INOTIFYH = $(shell ls /usr/include/sys/inotify.h 2>/dev/null)
|
|
|
|
diff --git a/policycoreutils/audit2allow/sepolgen-ifgen b/policycoreutils/audit2allow/sepolgen-ifgen
|
|
index ef4bec3..9b313ec 100644
|
|
--- a/policycoreutils/audit2allow/sepolgen-ifgen
|
|
+++ b/policycoreutils/audit2allow/sepolgen-ifgen
|
|
@@ -61,20 +61,10 @@ def parse_options():
|
|
|
|
return options
|
|
|
|
-def get_policy():
|
|
- i = selinux.security_policyvers()
|
|
- p = selinux.selinux_binary_policy_path() + "." + str(i)
|
|
- while i > 0 and not os.path.exists(p):
|
|
- i = i - 1
|
|
- p = selinux.selinux_binary_policy_path() + "." + str(i)
|
|
- if i > 0:
|
|
- return p
|
|
- return None
|
|
-
|
|
def get_attrs(policy_path):
|
|
try:
|
|
if not policy_path:
|
|
- policy_path = get_policy()
|
|
+ policy_path = selinux.selinux_current_policy_path()
|
|
if not policy_path:
|
|
sys.stderr.write("No installed policy to check\n")
|
|
return None
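Review bot: `selinux_current_policy_path()` does not resolve the same file the removed `get_policy()` did — the old helper only ever walked the on-disk `selinux_binary_policy_path()` versions, whereas the libselinux replacement, as far as I recall, prefers the kernel's currently loaded policy from selinuxfs when it is mounted and only falls back to the binary policy file otherwise. That is arguably the right source when checking a live system, but nothing at the call site says so; I would put `# Prefer the kernel's loaded policy (selinuxfs), falling back to the on-disk binary policy; None if neither is found` above the new assignment so the `if not policy_path` check that follows reads as intended. If `os` was imported only for the removed `os.path.exists` loop, that import can go as well (not visible in this hunk). get_attrs's body continues past the end of the hunk.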
|
|
diff --git a/policycoreutils/gui/Makefile b/policycoreutils/gui/Makefile
|
|
index 1464971..153da2d 100644
|
|
--- a/policycoreutils/gui/Makefile
|
|
+++ b/policycoreutils/gui/Makefile
|
|
@@ -16,7 +16,8 @@ portsPage.py \
|
|
semanagePage.py \
|
|
statusPage.py \
|
|
system-config-selinux.glade \
|
|
-usersPage.py
|
|
+usersPage.py \
|
|
+selinux.tbl
|
|
|
|
all: $(TARGETS) system-config-selinux.py polgengui.py templates polgen.py
|
|
|
|
diff --git a/policycoreutils/gui/selinux.tbl b/policycoreutils/gui/selinux.tbl
|
|
new file mode 100644
|
|
index 0000000..07ccf6e
|
|
--- /dev/null
|
|
+++ b/policycoreutils/gui/selinux.tbl
|
|
@@ -0,0 +1,233 @@
|
|
+acct_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for acct daemon")
|
|
+allow_daemons_dump_core _("Admin") _("Allow all daemons to write corefiles to /")
|
|
+allow_daemons_use_tty _("Admin") _("Allow all daemons the ability to use unallocated ttys")
|
|
+allow_gadmin_exec_content _("User Privs") _("Allow gadmin SELinux user account to execute files in home directory or /tmp")
|
|
+allow_guest_exec_content _("User Privs") _("Allow guest SELinux user account to execute files in home directory or /tmp")
|
|
+allow_java_execstack _("Memory Protection") _("Allow java executable stack")
|
|
+allow_mount_anyfile _("Mount") _("Allow mount to mount any file")
|
|
+allow_mounton_anydir _("Mount") _("Allow mount to mount any directory")
|
|
+allow_mplayer_execstack _("Memory Protection") _("Allow mplayer executable stack")
|
|
+allow_ssh_keysign _("SSH") _("Allow ssh to run ssh-keysign")
|
|
+allow_staff_exec_content _("User Privs") _("Allow staff SELinux user account to execute files in home directory or /tmp")
|
|
+allow_sysadm_exec_content _("User Privs") _("Allow sysadm SELinux user account to execute files in home directory or /tmp")
|
|
+allow_unconfined_exec_content _("User Privs") _("Allow unconfined SELinux user account to execute files in home directory or /tmp")
|
|
+allow_unlabeled_packets _("Network Configuration") _("Allow unlabeled packets to flow on the network")
|
|
+allow_user_exec_content _("User Privs") _("Allow user SELinux user account to execute files in home directory or /tmp")
|
|
+allow_unconfined_execmem_dyntrans _("Memory Protection") _("Allow unconfined to dyntrans to unconfined_execmem")
|
|
+allow_user_mysql_connect _("Databases") _("Allow user to connect to mysql socket")
|
|
+allow_user_postgresql_connect _("Databases") _("Allow user to connect to postgres socket")
|
|
+allow_write_xshm _("XServer") _("Allow clients to write to X shared memory")
|
|
+allow_xguest_exec_content _("User Privs") _("Allow xguest SELinux user account to execute files in home directory or /tmp")
|
|
+allow_ypbind _("NIS") _("Allow daemons to run with NIS")
|
|
+browser_confine_staff _("Web Applications") _("Transition staff SELinux user to Web Browser Domain")
|
|
+browser_confine_sysadm _("Web Applications") _("Transition sysadm SELinux user to Web Browser Domain")
|
|
+browser_confine_user _("Web Applications") _("Transition user SELinux user to Web Browser Domain")
|
|
+browser_confine_xguest _("Web Applications") _("Transition xguest SELinux user to Web Browser Domain")
|
|
+browser_write_staff_data _("Web Applications") _("Allow staff Web Browsers to write to home directories")
|
|
+browser_write_sysadm_data _("Web Applications") _("Allow staff Web Browsers to write to home directories")
|
|
+browser_write_user_data _("Web Applications") _("Allow staff Web Browsers to write to home directories")
|
|
+browser_write_xguest_data _("Web Applications") _("Allow staff Web Browsers to write to home directories")
|
|
+amanda_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for amanda")
|
|
+amavis_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for amavis")
|
|
+apmd_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for apmd daemon")
|
|
+arpwatch_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for arpwatch daemon")
|
|
+auditd_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for auditd daemon")
|
|
+automount_disable_trans _("Mount") _("Disable SELinux protection for automount daemon")
|
|
+avahi_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for avahi")
|
|
+bluetooth_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for bluetooth daemon")
|
|
+canna_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for canna daemon")
|
|
+cardmgr_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for cardmgr daemon")
|
|
+ccs_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for Cluster Server")
|
|
+cdrecord_read_content _("User Privs") _("Allow cdrecord to read various content. nfs, samba, removable devices, user temp and untrusted content files")
|
|
+ciped_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for ciped daemon")
|
|
+clamd_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for clamd daemon")
|
|
+clamscan_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for clamscan")
|
|
+clvmd_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for clvmd")
|
|
+comsat_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for comsat daemon")
|
|
+courier_authdaemon_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for courier daemon")
|
|
+courier_pcp_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for courier daemon")
|
|
+courier_pop_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for courier daemon")
|
|
+courier_sqwebmail_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for courier daemon")
|
|
+courier_tcpd_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for courier daemon")
|
|
+cpucontrol_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for cpucontrol daemon")
|
|
+cpuspeed_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for cpuspeed daemon")
|
|
+crond_disable_trans _("Cron") _("Disable SELinux protection for crond daemon")
|
|
+cupsd_config_disable_trans _("Printing") _("Disable SELinux protection for cupsd back end server")
|
|
+cupsd_disable_trans _("Printing") _("Disable SELinux protection for cupsd daemon")
|
|
+cupsd_lpd_disable_trans _("Printing") _("Disable SELinux protection for cupsd_lpd")
|
|
+cvs_disable_trans _("CVS") _("Disable SELinux protection for cvs daemon")
|
|
+cyrus_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for cyrus daemon")
|
|
+dbskkd_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for dbskkd daemon")
|
|
+dbusd_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for dbusd daemon")
|
|
+dccd_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for dccd")
|
|
+dccifd_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for dccifd")
|
|
+dccm_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for dccm")
|
|
+ddt_client_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for ddt daemon")
|
|
+devfsd_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for devfsd daemon")
|
|
+dhcpc_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for dhcpc daemon")
|
|
+dhcpd_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for dhcpd daemon")
|
|
+dictd_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for dictd daemon")
|
|
+direct_sysadm_daemon _("Admin") _("Allow sysadm_t to directly start daemons")
|
|
+disable_evolution_trans _("Web Applications") _("Disable SELinux protection for Evolution")
|
|
+disable_games_trans _("Games") _("Disable SELinux protection for games")
|
|
+disable_mozilla_trans _("Web Applications") _("Disable SELinux protection for the web browsers")
|
|
+disable_thunderbird_trans _("Web Applications") _("Disable SELinux protection for Thunderbird")
|
|
+distccd_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for distccd daemon")
|
|
+dmesg_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for dmesg daemon")
|
|
+dnsmasq_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for dnsmasq daemon")
|
|
+dovecot_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for dovecot daemon")
|
|
+entropyd_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for entropyd daemon")
|
|
+fetchmail_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for fetchmail")
|
|
+fingerd_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for fingerd daemon")
|
|
+freshclam_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for freshclam daemon")
|
|
+fsdaemon_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for fsdaemon daemon")
|
|
+gpm_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for gpm daemon")
|
|
+gssd_disable_trans _("NFS") _("Disable SELinux protection for gss daemon")
|
|
+hald_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for Hal daemon")
|
|
+hide_broken_symptoms _("Compatibility") _("Do not audit things that we know to be broken but which are not security risks")
|
|
+hostname_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for hostname daemon")
|
|
+hotplug_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for hotplug daemon")
|
|
+howl_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for howl daemon")
|
|
+hplip_disable_trans _("Printing") _("Disable SELinux protection for cups hplip daemon")
|
|
+httpd_rotatelogs_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for httpd rotatelogs")
|
|
+httpd_suexec_disable_trans _("HTTPD Service") _("Disable SELinux protection for http suexec")
|
|
+hwclock_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for hwclock daemon")
|
|
+i18n_input_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for i18n daemon")
|
|
+imazesrv_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for imazesrv daemon")
|
|
+inetd_child_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for inetd child daemons")
|
|
+inetd_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for inetd daemon")
|
|
+innd_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for innd daemon")
|
|
+iptables_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for iptables daemon")
|
|
+ircd_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for ircd daemon")
|
|
+irqbalance_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for irqbalance daemon")
|
|
+iscsid_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for iscsi daemon")
|
|
+jabberd_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for jabberd daemon")
|
|
+kadmind_disable_trans _("Kerberos") _("Disable SELinux protection for kadmind daemon")
|
|
+klogd_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for klogd daemon")
|
|
+krb5kdc_disable_trans _("Kerberos") _("Disable SELinux protection for krb5kdc daemon")
|
|
+ktalkd_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for ktalk daemons")
|
|
+kudzu_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for kudzu daemon")
|
|
+locate_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for locate daemon")
|
|
+lpd_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for lpd daemon")
|
|
+lrrd_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for lrrd daemon")
|
|
+lvm_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for lvm daemon")
|
|
+mailman_mail_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for mailman")
|
|
+mail_read_content _("Web Applications") _("Allow evolution and thunderbird to read user files")
|
|
+mdadm_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for mdadm daemon")
|
|
+monopd_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for monopd daemon")
|
|
+mozilla_read_content _("Web Applications") _("Allow the mozilla browser to read user files")
|
|
+mrtg_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for mrtg daemon")
|
|
+mysqld_disable_trans _("Databases") _("Disable SELinux protection for mysqld daemon")
|
|
+nagios_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for nagios daemon")
|
|
+named_disable_trans _("Name Service") _("Disable SELinux protection for named daemon")
|
|
+nessusd_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for nessusd daemon")
|
|
+NetworkManager_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for NetworkManager")
|
|
+nfsd_disable_trans _("NFS") _("Disable SELinux protection for nfsd daemon")
|
|
+nmbd_disable_trans _("Samba") _("Disable SELinux protection for nmbd daemon")
|
|
+nrpe_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for nrpe daemon")
|
|
+nscd_disable_trans _("Name Service") _("Disable SELinux protection for nscd daemon")
|
|
+nsd_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for nsd daemon")
|
|
+ntpd_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for ntpd daemon")
|
|
+oddjob_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for oddjob")
|
|
+oddjob_mkhomedir_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for oddjob_mkhomedir")
|
|
+openvpn_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for openvpn daemon")
|
|
+pam_console_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for pam daemon")
|
|
+pegasus_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for pegasus")
|
|
+perdition_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for perdition daemon")
|
|
+portmap_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for portmap daemon")
|
|
+portslave_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for portslave daemon")
|
|
+postfix_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for postfix")
|
|
+postgresql_disable_trans _("Databases") _("Disable SELinux protection for postgresql daemon")
|
|
+pppd_for_user _("pppd") _("Allow pppd to be run for a regular user")
|
|
+pptp_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for pptp")
|
|
+prelink_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for prelink daemon")
|
|
+privoxy_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for privoxy daemon")
|
|
+ptal_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for ptal daemon")
|
|
+pxe_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for pxe daemon")
|
|
+pyzord_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for pyzord")
|
|
+quota_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for quota daemon")
|
|
+radiusd_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for radiusd daemon")
|
|
+radvd_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for radvd daemon")
|
|
+rdisc_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for rdisc")
|
|
+readahead_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for readahead")
|
|
+read_default_t _("Admin") _("Allow programs to read files in non-standard locations (default_t)")
|
|
+restorecond_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for restorecond")
|
|
+rhgb_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for rhgb daemon")
|
|
+ricci_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for ricci")
|
|
+ricci_modclusterd_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for ricci_modclusterd")
|
|
+rlogind_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for rlogind daemon")
|
|
+rpcd_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for rpcd daemon")
|
|
+rshd_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for rshd")
|
|
+rsync_disable_trans _("rsync") _("Disable SELinux protection for rsync daemon")
|
|
+run_ssh_inetd _("SSH") _("Allow ssh to run from inetd instead of as a daemon")
|
|
+samba_share_nfs _("Samba") _("Allow Samba to share nfs directories")
|
|
+allow_saslauthd_read_shadow _("SASL authentication server") _("Allow sasl authentication server to read /etc/shadow")
|
|
+allow_xserver_execmem _("XServer") _("Allow X-Windows server to map a memory region as both executable and writable")
|
|
+saslauthd_disable_trans _("SASL authentication server") _("Disable SELinux protection for saslauthd daemon")
|
|
+scannerdaemon_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for scannerdaemon daemon")
|
|
+secure_mode _("Admin") _("Do not allow transition to sysadm_t, sudo and su effected")
|
|
+secure_mode_insmod _("Admin") _("Do not allow any processes to load kernel modules")
|
|
+secure_mode_policyload _("Admin") _("Do not allow any processes to modify kernel SELinux policy")
|
|
+sendmail_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for sendmail daemon")
|
|
+setrans_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for setrans")
|
|
+setroubleshootd_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for setroubleshoot daemon")
|
|
+slapd_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for slapd daemon")
|
|
+slrnpull_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for slrnpull daemon")
|
|
+smbd_disable_trans _("Samba") _("Disable SELinux protection for smbd daemon")
|
|
+snmpd_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for snmpd daemon")
|
|
+snort_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for snort daemon")
|
|
+soundd_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for soundd daemon")
|
|
+sound_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for sound daemon")
|
|
+spamd_disable_trans _("Spam Protection") _("Disable SELinux protection for spamd daemon")
|
|
+spamd_enable_home_dirs _("Spam Protection") _("Allow spamd to access home directories")
|
|
+spamassassin_can_network _("Spam Protection") _("Allow Spam Assassin daemon network access")
|
|
+speedmgmt_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for speedmgmt daemon")
|
|
+squid_connect_any _("Squid") _("Allow squid daemon to connect to the network")
|
|
+squid_disable_trans _("Squid") _("Disable SELinux protection for squid daemon")
|
|
+ssh_keygen_disable_trans _("SSH") _("Disable SELinux protection for ssh daemon")
|
|
+ssh_sysadm_login _("SSH") _("Allow ssh logins as sysadm_r:sysadm_t")
|
|
+staff_read_sysadm_file _("Admin") _("Allow staff_r users to search the sysadm home dir and read files (such as ~/.bashrc)")
|
|
+stunnel_disable_trans _("Universal SSL tunnel") _("Disable SELinux protection for stunnel daemon")
|
|
+stunnel_is_daemon _("Universal SSL tunnel") _("Allow stunnel daemon to run as standalone, outside of xinetd")
|
|
+swat_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for swat daemon")
|
|
+sxid_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for sxid daemon")
|
|
+syslogd_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for syslogd daemon")
|
|
+system_crond_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for system cron jobs")
|
|
+tcpd_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for tcp daemon")
|
|
+telnetd_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for telnet daemon")
|
|
+tftpd_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for tftpd daemon")
|
|
+transproxy_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for transproxy daemon")
|
|
+udev_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for udev daemon")
|
|
+uml_switch_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for uml daemon")
|
|
+unlimitedInetd _("Admin") _("Allow xinetd to run unconfined, including any services it starts that do not have a domain transition explicitly defined")
|
|
+unlimitedRC _("Admin") _("Allow rc scripts to run unconfined, including any daemon started by an rc script that does not have a domain transition explicitly defined")
|
|
+unlimitedRPM _("Admin") _("Allow rpm to run unconfined")
|
|
+unlimitedUtils _("Admin") _("Allow privileged utilities like hotplug and insmod to run unconfined")
|
|
+updfstab_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for updfstab daemon")
|
|
+uptimed_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for uptimed daemon")
|
|
+user_canbe_sysadm _("User Privs") _("Allow user_r to reach sysadm_r via su, sudo, or userhelper. Otherwise, only staff_r can do so")
|
|
+user_can_mount _("Mount") _("Allow users to execute the mount command")
|
|
+user_direct_mouse _("User Privs") _("Allow regular users direct mouse access (only allow the X server)")
|
|
+user_dmesg _("User Privs") _("Allow users to run the dmesg command")
|
|
+user_net_control _("User Privs") _("Allow users to control network interfaces (also needs USERCTL=true)")
|
|
+user_ping _("User Privs") _("Allow normal user to execute ping")
|
|
+user_rw_noexattrfile _("User Privs") _("Allow user to r/w noextattrfile (FAT, CDROM, FLOPPY)")
|
|
+user_rw_usb _("User Privs") _("Allow users to rw usb devices")
|
|
+user_tcp_server _("User Privs") _("Allow users to run TCP servers (bind to ports and accept connection from the same domain and outside users) disabling this forces FTP passive mode and may change other protocols")
|
|
+user_ttyfile_stat _("User Privs") _("Allow user to stat ttyfiles")
|
|
+uucpd_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for uucpd daemon")
|
|
+vmware_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for vmware daemon")
|
|
+watchdog_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for watchdog daemon")
|
|
+winbind_disable_trans _("Samba") _("Disable SELinux protection for winbind daemon")
|
|
+xdm_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for xdm daemon")
|
|
+xdm_sysadm_login _("XServer") _("Allow xdm logins as sysadm_r:sysadm_t")
|
|
+xend_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for xen daemon")
|
|
+xen_use_raw_disk _("XEN") _("Allow xen to read/write physical disk devices")
|
|
+xfs_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for xfs daemon")
|
|
+xm_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for xen control")
|
|
+ypbind_disable_trans _("NIS") _("Disable SELinux protection for ypbind daemon")
|
|
+yppasswdd_disable_trans _("NIS") _("Disable SELinux protection for NIS Password Daemon")
|
|
+ypserv_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for ypserv daemon")
|
|
+ypxfr_disable_trans _("NIS") _("Disable SELinux protection for NIS Transfer Daemon")
|
|
+webadm_manage_user_files _("HTTPD Service") _("Allow SELinux webadm user to manage unprivileged users home directories")
|
|
+webadm_read_user_files _("HTTPD Service") _("Allow SELinux webadm user to read unprivileged users home directories")
|
|
diff --git a/policycoreutils/gui/templates/etc_rw.py b/policycoreutils/gui/templates/etc_rw.py
|
|
index 0d3dbfe..dcf445e 100644
|
|
--- a/policycoreutils/gui/templates/etc_rw.py
|
|
+++ b/policycoreutils/gui/templates/etc_rw.py
|
|
@@ -29,7 +29,13 @@ files_type(TEMPLATETYPE_etc_rw_t)
|
|
te_rules="""
|
|
manage_dirs_pattern(TEMPLATETYPE_t, TEMPLATETYPE_etc_rw_t, TEMPLATETYPE_etc_rw_t)
|
|
manage_files_pattern(TEMPLATETYPE_t, TEMPLATETYPE_etc_rw_t, TEMPLATETYPE_etc_rw_t)
|
|
-files_etc_filetrans(TEMPLATETYPE_t, TEMPLATETYPE_etc_rw_t, { dir file })
|
|
+manage_lnk_files_pattern(TEMPLATETYPE_t, TEMPLATETYPE_etc_rw_t, TEMPLATETYPE_etc_rw_t)
|
|
+files_etc_filetrans(TEMPLATETYPE_t, TEMPLATETYPE_etc_rw_t, { dir file lnk_file })
|
|
+"""
|
|
+
|
|
+te_stream_rules="""
|
|
+manage_sock_files_pattern(TEMPLATETYPE_t, TEMPLATETYPE_etc_rw_t, TEMPLATETYPE_etc_rw_t)
|
|
+files_etc_filetrans(TEMPLATETYPE_t, TEMPLATETYPE_etc_rw_t, sock_file)
|
|
"""
|
|
|
|
########################### Interface File #############################
|
|
@@ -68,8 +74,8 @@ interface(`TEMPLATETYPE_read_conf_files',`
|
|
type TEMPLATETYPE_etc_rw_t;
|
|
')
|
|
|
|
- allow $1 TEMPLATETYPE_etc_rw_t:file read_file_perms;
|
|
allow $1 TEMPLATETYPE_etc_rw_t:dir list_dir_perms;
|
|
+ read_files_pattern($1, TEMPLATETYPE_etc_rw_t, TEMPLATETYPE_etc_rw_t)
|
|
files_search_etc($1)
|
|
')
|
|
|
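Review bot: Now that the TE rules let the domain create symlinks in `TEMPLATETYPE_etc_rw_t` (the `manage_lnk_files_pattern` and `lnk_file` filetrans added earlier in this file), a client granted `TEMPLATETYPE_read_conf_files` still receives no `lnk_file` read permission here, so a configuration file reached through one of those symlinks would be denied. Add `read_lnk_files_pattern($1, TEMPLATETYPE_etc_rw_t, TEMPLATETYPE_etc_rw_t)` next to the new `read_files_pattern` call. The `TEMPLATETYPE_read_conf_files` interface opens before this hunk.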
|
@@ -94,6 +100,27 @@ interface(`TEMPLATETYPE_manage_conf_files',`
|
|
|
|
"""
|
|
|
|
+if_stream_rules="""\
|
|
+########################################
|
|
+## <summary>
|
|
+## Connect to TEMPLATETYPE over a unix stream socket.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`TEMPLATETYPE_stream_connect',`
|
|
+ gen_require(`
|
|
+ type TEMPLATETYPE_t, TEMPLATETYPE_etc_rw_t;
|
|
+ ')
|
|
+
|
|
+ files_search_etc($1)
|
|
+ stream_connect_pattern($1, TEMPLATETYPE_etc_rw_t, TEMPLATETYPE_etc_rw_t, TEMPLATETYPE_t)
|
|
+')
|
|
+"""
|
|
+
|
|
if_admin_types="""
|
|
type TEMPLATETYPE_etc_rw_t;"""
|
|
|
|
diff --git a/policycoreutils/gui/templates/executable.py b/policycoreutils/gui/templates/executable.py
|
|
index 5b39d77..824fddd 100644
|
|
--- a/policycoreutils/gui/templates/executable.py
|
|
+++ b/policycoreutils/gui/templates/executable.py
|
|
@@ -50,7 +50,9 @@ policy_module(TEMPLATETYPE, 1.0.0)
|
|
|
|
type TEMPLATETYPE_t;
|
|
type TEMPLATETYPE_exec_t;
|
|
-dbus_system_domain(TEMPLATETYPE_t, TEMPLATETYPE_exec_t)
|
|
+domain_type(TEMPLATETYPE_t)
|
|
+domain_entry_file(TEMPLATETYPE_t, TEMPLATETYPE_exec_t)
|
|
+role system_r types TEMPLATETYPE_t;
|
|
|
|
permissive TEMPLATETYPE_t;
|
|
"""
|
|
@@ -123,6 +125,9 @@ te_inetd_rules="""
|
|
"""
|
|
|
|
te_dbusd_rules="""
|
|
+optional_policy(`
|
|
+ dbus_system_domain(TEMPLATETYPE_t, TEMPLATETYPE_exec_t)
|
|
+')
|
|
"""
|
|
|
|
te_userapp_rules="""
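Review bot: As far as I recall, refpolicy's `dbus_system_domain()` itself performs `domain_type()`, `domain_entry_file()` and `role system_r types` on its arguments, so when the dbus template is selected the generated module now carries those three declarations twice — once unconditionally in the module header from the earlier hunk and once via this `optional_policy` block. The policy compiler accepts duplicate attribute and role assignments, so this is redundancy rather than a break, but a reader will wonder whether the header lines are needed; a comment such as `# dbus_system_domain() re-declares the domain and entry file; the unconditional copies in the header keep the module valid when dbus policy is absent` above the `optional_policy` would make the intent explicit. Please confirm against the installed dbus.if before relying on this.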
|
|
@@ -281,7 +286,7 @@ interface(`TEMPLATETYPE_role',`
|
|
TEMPLATETYPE_domtrans($2)
|
|
|
|
ps_process_pattern($2, TEMPLATETYPE_t)
|
|
- allow $2 TEMPLATETYPE_t:process signal;
|
|
+ allow $2 TEMPLATETYPE_t:process { signull signal sigkill };
|
|
')
|
|
"""
|
|
|
|
diff --git a/policycoreutils/gui/templates/rw.py b/policycoreutils/gui/templates/rw.py
|
|
index 5dfc42f..143f56a 100644
|
|
--- a/policycoreutils/gui/templates/rw.py
|
|
+++ b/policycoreutils/gui/templates/rw.py
|
|
@@ -29,6 +29,7 @@ files_type(TEMPLATETYPE_rw_t)
|
|
te_rules="""
|
|
manage_dirs_pattern(TEMPLATETYPE_t, TEMPLATETYPE_rw_t, TEMPLATETYPE_rw_t)
|
|
manage_files_pattern(TEMPLATETYPE_t, TEMPLATETYPE_rw_t, TEMPLATETYPE_rw_t)
|
|
+manage_lnk_files_pattern(TEMPLATETYPE_t, TEMPLATETYPE_rw_t, TEMPLATETYPE_rw_t)
|
|
"""
|
|
|
|
########################### Interface File #############################
|
|
@@ -67,7 +68,7 @@ interface(`TEMPLATETYPE_read_rw_files',`
|
|
type TEMPLATETYPE_rw_t;
|
|
')
|
|
|
|
- allow $1 TEMPLATETYPE_rw_t:file read_file_perms;
|
|
+ read_files_pattern($1, TEMPLATETYPE_rw_t, TEMPLATETYPE_rw_t)
|
|
allow $1 TEMPLATETYPE_rw_t:dir list_dir_perms;
|
|
files_search_rw($1)
|
|
')
|
|
@@ -111,6 +112,30 @@ interface(`TEMPLATETYPE_manage_rw_dirs',`
|
|
|
|
"""
|
|
|
|
+te_stream_rules="""
|
|
+manage_sock_files_pattern(TEMPLATETYPE_t, TEMPLATETYPE_rw_t, TEMPLATETYPE_rw_t)
|
|
+"""
|
|
+
|
|
+if_stream_rules="""\
|
|
+########################################
|
|
+## <summary>
|
|
+## Connect to TEMPLATETYPE over a unix stream socket.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`TEMPLATETYPE_stream_connect',`
|
|
+ gen_require(`
|
|
+ type TEMPLATETYPE_t, TEMPLATETYPE_rw_t;
|
|
+ ')
|
|
+
|
|
+ stream_connect_pattern($1, TEMPLATETYPE_rw_t, TEMPLATETYPE_rw_t, TEMPLATETYPE_t)
|
|
+')
|
|
+"""
|
|
+
|
|
if_admin_types="""
|
|
type TEMPLATETYPE_rw_t;"""
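Review bot: The new `TEMPLATETYPE_stream_connect` interface in this template grants `stream_connect_pattern` without a directory search permission on the parent, unlike `TEMPLATETYPE_read_rw_files` in the same file (which calls `files_search_rw($1)`) and the etc_rw variant of this interface (`files_search_etc($1)`). A client domain that only gets this interface may be unable to reach the socket path at all. I would add `files_search_rw($1)` on the line before `stream_connect_pattern($1, TEMPLATETYPE_rw_t, TEMPLATETYPE_rw_t, TEMPLATETYPE_t)` so the three stream_connect templates agree.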
|
|
|
|
diff --git a/policycoreutils/gui/templates/tmp.py b/policycoreutils/gui/templates/tmp.py
|
|
index d2adaa4..c000a75 100644
|
|
--- a/policycoreutils/gui/templates/tmp.py
|
|
+++ b/policycoreutils/gui/templates/tmp.py
|
|
@@ -29,7 +29,13 @@ files_tmp_file(TEMPLATETYPE_tmp_t)
|
|
te_rules="""
|
|
manage_dirs_pattern(TEMPLATETYPE_t, TEMPLATETYPE_tmp_t, TEMPLATETYPE_tmp_t)
|
|
manage_files_pattern(TEMPLATETYPE_t, TEMPLATETYPE_tmp_t, TEMPLATETYPE_tmp_t)
|
|
-files_tmp_filetrans(TEMPLATETYPE_t, TEMPLATETYPE_tmp_t, { dir file })
|
|
+manage_lnk_files_pattern(TEMPLATETYPE_t, TEMPLATETYPE_tmp_t, TEMPLATETYPE_tmp_t)
|
|
+files_tmp_filetrans(TEMPLATETYPE_t, TEMPLATETYPE_tmp_t, { dir file lnk_file })
|
|
+"""
|
|
+
|
|
+te_stream_rules="""
|
|
+manage_sock_files_pattern(TEMPLATETYPE_t, TEMPLATETYPE_tmp_t, TEMPLATETYPE_tmp_t)
|
|
+files_tmp_filetrans(TEMPLATETYPE_t, TEMPLATETYPE_tmp_t, sock_file)
|
|
"""
|
|
|
|
if_rules="""
|
|
@@ -68,7 +74,7 @@ interface(`TEMPLATETYPE_read_tmp_files',`
|
|
')
|
|
|
|
files_search_tmp($1)
|
|
- allow $1 TEMPLATETYPE_tmp_t:file read_file_perms;
|
|
+ read_files_pattern($1, TEMPLATETYPE_tmp_t, TEMPLATETYPE_tmp_t)
|
|
')
|
|
|
|
########################################
|
|
@@ -93,6 +99,27 @@ interface(`TEMPLATETYPE_manage_tmp',`
|
|
')
|
|
"""
|
|
|
|
+if_stream_rules="""\
|
|
+########################################
|
|
+## <summary>
|
|
+## Connect to TEMPLATETYPE over a unix stream socket.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`TEMPLATETYPE_stream_connect',`
|
|
+ gen_require(`
|
|
+ type TEMPLATETYPE_t, TEMPLATETYPE_tmp_t;
|
|
+ ')
|
|
+
|
|
+ files_search_pids($1)
|
|
+ stream_connect_pattern($1, TEMPLATETYPE_tmp_t, TEMPLATETYPE_tmp_t, TEMPLATETYPE_t)
|
|
+')
|
|
+"""
|
|
+
|
|
if_admin_types="""
|
|
type TEMPLATETYPE_tmp_t;"""
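Review bot: `files_search_pids($1)` inside the tmp template's `TEMPLATETYPE_stream_connect` grants search on the pid directory, not on the tmp directory where `TEMPLATETYPE_tmp_t` sockets live; it looks copied from the var_run template. The read interface in this same file uses `files_search_tmp($1)`, and the stream interface should match it: `files_search_tmp($1)`.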
|
|
|
|
diff --git a/policycoreutils/gui/templates/var_cache.py b/policycoreutils/gui/templates/var_cache.py
|
|
index 8efc1d9..3789723 100644
|
|
--- a/policycoreutils/gui/templates/var_cache.py
|
|
+++ b/policycoreutils/gui/templates/var_cache.py
|
|
@@ -30,7 +30,12 @@ te_rules="""
|
|
manage_dirs_pattern(TEMPLATETYPE_t, TEMPLATETYPE_cache_t, TEMPLATETYPE_cache_t)
|
|
manage_files_pattern(TEMPLATETYPE_t, TEMPLATETYPE_cache_t, TEMPLATETYPE_cache_t)
|
|
manage_lnk_files_pattern(TEMPLATETYPE_t, TEMPLATETYPE_cache_t, TEMPLATETYPE_cache_t)
|
|
-files_var_filetrans(TEMPLATETYPE_t, TEMPLATETYPE_cache_t, { dir file })
|
|
+files_var_filetrans(TEMPLATETYPE_t, TEMPLATETYPE_cache_t, { dir file lnk_file })
|
|
+"""
|
|
+
|
|
+te_stream_rules="""\
|
|
+manage_sock_files_pattern(TEMPLATETYPE_t, TEMPLATETYPE_cache_t, TEMPLATETYPE_cache_t)
|
|
+files_var_filetrans(TEMPLATETYPE_t, TEMPLATETYPE_cache_t, sock_file)
|
|
"""
|
|
|
|
########################### Interface File #############################
|
|
@@ -114,6 +119,26 @@ interface(`TEMPLATETYPE_manage_cache_dirs',`
|
|
|
|
"""
|
|
|
|
+if_stream_rules="""
|
|
+########################################
|
|
+## <summary>
|
|
+## Connect to TEMPLATETYPE over a unix stream socket.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`TEMPLATETYPE_stream_connect',`
|
|
+ gen_require(`
|
|
+ type TEMPLATETYPE_t, TEMPLATETYPE_cache_t;
|
|
+ ')
|
|
+
|
|
+ stream_connect_pattern($1, TEMPLATETYPE_cache_t, TEMPLATETYPE_cache_t)
|
|
+')
|
|
+"""
|
|
+
|
|
if_admin_types="""
|
|
type TEMPLATETYPE_cache_t;"""
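Review bot: `stream_connect_pattern($1, TEMPLATETYPE_cache_t, TEMPLATETYPE_cache_t)` is missing the fourth argument; every other stream_connect interface added in this commit passes the server domain as well (`stream_connect_pattern($1, TEMPLATETYPE_rw_t, TEMPLATETYPE_rw_t, TEMPLATETYPE_t)`), and without it the generated interface will not grant `connectto` on `TEMPLATETYPE_t`, so clients still get denied. The same three-argument call appears in the var_spool template's `TEMPLATETYPE_stream_connect`. The fix in both is `stream_connect_pattern($1, TEMPLATETYPE_cache_t, TEMPLATETYPE_cache_t, TEMPLATETYPE_t)` (and the spool equivalent).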
|
|
|
|
diff --git a/policycoreutils/gui/templates/var_lib.py b/policycoreutils/gui/templates/var_lib.py
|
|
index 8bde8c6..148c13e 100644
|
|
--- a/policycoreutils/gui/templates/var_lib.py
|
|
+++ b/policycoreutils/gui/templates/var_lib.py
|
|
@@ -29,11 +29,12 @@ files_type(TEMPLATETYPE_var_lib_t)
|
|
te_rules="""
|
|
manage_dirs_pattern(TEMPLATETYPE_t, TEMPLATETYPE_var_lib_t, TEMPLATETYPE_var_lib_t)
|
|
manage_files_pattern(TEMPLATETYPE_t, TEMPLATETYPE_var_lib_t, TEMPLATETYPE_var_lib_t)
|
|
-files_var_lib_filetrans(TEMPLATETYPE_t, TEMPLATETYPE_var_lib_t, { dir file })
|
|
+manage_lnk_files_pattern(TEMPLATETYPE_t, TEMPLATETYPE_var_lib_t, TEMPLATETYPE_var_lib_t)
|
|
+files_var_lib_filetrans(TEMPLATETYPE_t, TEMPLATETYPE_var_lib_t, { dir file lnk_file })
|
|
"""
|
|
|
|
te_stream_rules="""\
|
|
-allow TEMPLATETYPE_t TEMPLATETYPE_var_lib_t:sock_file manage_sock_file_perms;
|
|
+manage_sock_files_pattern(TEMPLATETYPE_t, TEMPLATETYPE_var_lib_t, TEMPLATETYPE_var_lib_t)
|
|
files_var_lib_filetrans(TEMPLATETYPE_t, TEMPLATETYPE_var_lib_t, sock_file)
|
|
"""
|
|
|
|
diff --git a/policycoreutils/gui/templates/var_log.py b/policycoreutils/gui/templates/var_log.py
|
|
index b57b93d..371dd7e 100644
|
|
--- a/policycoreutils/gui/templates/var_log.py
|
|
+++ b/policycoreutils/gui/templates/var_log.py
|
|
@@ -30,7 +30,8 @@ logging_log_file(TEMPLATETYPE_log_t)
|
|
te_rules="""
|
|
manage_dirs_pattern(TEMPLATETYPE_t, TEMPLATETYPE_log_t, TEMPLATETYPE_log_t)
|
|
manage_files_pattern(TEMPLATETYPE_t, TEMPLATETYPE_log_t, TEMPLATETYPE_log_t)
|
|
-logging_log_filetrans(TEMPLATETYPE_t, TEMPLATETYPE_log_t, { dir file })
|
|
+manage_lnk_files_pattern(TEMPLATETYPE_t, TEMPLATETYPE_log_t, TEMPLATETYPE_log_t)
|
|
+logging_log_filetrans(TEMPLATETYPE_t, TEMPLATETYPE_log_t, { dir file lnk_file })
|
|
"""
|
|
|
|
########################### Interface File #############################
|
|
diff --git a/policycoreutils/gui/templates/var_run.py b/policycoreutils/gui/templates/var_run.py
|
|
index 916f44c..563eebb 100644
|
|
--- a/policycoreutils/gui/templates/var_run.py
|
|
+++ b/policycoreutils/gui/templates/var_run.py
|
|
@@ -29,11 +29,12 @@ files_pid_file(TEMPLATETYPE_var_run_t)
|
|
te_rules="""
|
|
manage_dirs_pattern(TEMPLATETYPE_t, TEMPLATETYPE_var_run_t, TEMPLATETYPE_var_run_t)
|
|
manage_files_pattern(TEMPLATETYPE_t, TEMPLATETYPE_var_run_t, TEMPLATETYPE_var_run_t)
|
|
-files_pid_filetrans(TEMPLATETYPE_t, TEMPLATETYPE_var_run_t, { dir file })
|
|
+manage_lnk_files_pattern(TEMPLATETYPE_t, TEMPLATETYPE_var_run_t, TEMPLATETYPE_var_run_t)
|
|
+files_pid_filetrans(TEMPLATETYPE_t, TEMPLATETYPE_var_run_t, { dir file lnk_file })
|
|
"""
|
|
|
|
te_stream_rules="""
|
|
-allow TEMPLATETYPE_t TEMPLATETYPE_var_run_t:sock_file manage_sock_file_perms;
|
|
+manage_files_pattern(TEMPLATETYPE_t, TEMPLATETYPE_var_run_t, TEMPLATETYPE_var_run_t)
|
|
files_pid_filetrans(TEMPLATETYPE_t, TEMPLATETYPE_var_run_t, sock_file)
|
|
"""
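Review bot: In `te_stream_rules` the removed `allow TEMPLATETYPE_t TEMPLATETYPE_var_run_t:sock_file manage_sock_file_perms;` is replaced by `manage_files_pattern(...)`, which grants regular-file permissions (already present in `te_rules` two lines up) and nothing on `sock_file`, so a daemon generated from this template loses the ability to create or unlink its socket under /var/run. The var_lib template in this same commit makes the corresponding change correctly; this line should read `manage_sock_files_pattern(TEMPLATETYPE_t, TEMPLATETYPE_var_run_t, TEMPLATETYPE_var_run_t)`.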
|
|
|
|
@@ -54,7 +55,7 @@ interface(`TEMPLATETYPE_read_pid_files',`
|
|
')
|
|
|
|
files_search_pids($1)
|
|
- allow $1 TEMPLATETYPE_var_run_t:file read_file_perms;
|
|
+ read_files_pattern($1, TEMPLATETYPE_var_run_t, TEMPLATETYPE_var_run_t)
|
|
')
|
|
|
|
"""
|
|
diff --git a/policycoreutils/gui/templates/var_spool.py b/policycoreutils/gui/templates/var_spool.py
|
|
index 8055a9e..dccb5f1 100644
|
|
--- a/policycoreutils/gui/templates/var_spool.py
|
|
+++ b/policycoreutils/gui/templates/var_spool.py
|
|
@@ -30,7 +30,12 @@ te_rules="""
|
|
manage_dirs_pattern(TEMPLATETYPE_t, TEMPLATETYPE_spool_t, TEMPLATETYPE_spool_t)
|
|
manage_files_pattern(TEMPLATETYPE_t, TEMPLATETYPE_spool_t, TEMPLATETYPE_spool_t)
|
|
manage_lnk_files_pattern(TEMPLATETYPE_t, TEMPLATETYPE_spool_t, TEMPLATETYPE_spool_t)
|
|
-files_spool_filetrans(TEMPLATETYPE_t, TEMPLATETYPE_spool_t, { dir file })
|
|
+files_spool_filetrans(TEMPLATETYPE_t, TEMPLATETYPE_spool_t, { dir file lnk_file })
|
|
+"""
|
|
+
|
|
+te_stream_rules="""\
|
|
+manage_sock_files_pattern(TEMPLATETYPE_t, TEMPLATETYPE_spool_t, TEMPLATETYPE_spool_t)
|
|
+files_spool_filetrans(TEMPLATETYPE_t, TEMPLATETYPE_spool_t, sock_file)
|
|
"""
|
|
|
|
########################### Interface File #############################
|
|
@@ -113,6 +118,26 @@ interface(`TEMPLATETYPE_manage_spool_dirs',`
|
|
|
|
"""
|
|
|
|
+if_stream_rules="""
|
|
+########################################
|
|
+## <summary>
|
|
+## Connect to TEMPLATETYPE over a unix stream socket.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`TEMPLATETYPE_stream_connect',`
|
|
+ gen_require(`
|
|
+ type TEMPLATETYPE_t, TEMPLATETYPE_spool_t;
|
|
+ ')
|
|
+
|
|
+ stream_connect_pattern($1, TEMPLATETYPE_spool_t, TEMPLATETYPE_spool_t)
|
|
+')
|
|
+"""
|
|
+
|
|
if_admin_types="""
|
|
type TEMPLATETYPE_spool_t;"""
|
|
|
|
diff --git a/policycoreutils/load_policy/Makefile b/policycoreutils/load_policy/Makefile
|
|
index 5da2e0d..161abfc 100644
|
|
--- a/policycoreutils/load_policy/Makefile
|
|
+++ b/policycoreutils/load_policy/Makefile
|
|
@@ -19,7 +19,7 @@ install: all
|
|
test -d $(MANDIR)/man8 || install -m 755 -d $(MANDIR)/man8
|
|
install -m 644 load_policy.8 $(MANDIR)/man8/
|
|
-mkdir -p $(USRSBINDIR)
|
|
- -ln -sf /sbin/load_policy $(USRSBINDIR)/load_policy
|
|
+ -ln -s /sbin/load_policy $(USRSBINDIR)/load_policy 2> /dev/null
|
|
|
|
clean:
|
|
-rm -f $(TARGETS) *.o
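Review bot: Dropping `-f` from the `ln` call and discarding stderr means an existing `$(USRSBINDIR)/load_policy` that points somewhere else (a stale or relocated link) is silently left in place, whereas the old `-sf` replaced it. If the goal is only to quiet the "File exists" message, `-ln -sf /sbin/load_policy $(USRSBINDIR)/load_policy` keeps the replace semantics without the noise; if keeping an existing file is intended, a short comment saying so would help the next reader.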
|
|
diff --git a/policycoreutils/scripts/genhomedircon b/policycoreutils/scripts/genhomedircon
|
|
new file mode 100644
|
|
index 0000000..58b19cd
|
|
--- /dev/null
|
|
+++ b/policycoreutils/scripts/genhomedircon
|
|
@@ -0,0 +1,3 @@
|
|
+#!/bin/sh
|
|
+
|
|
+/usr/sbin/semodule -Bn
|
|
diff --git a/policycoreutils/semanage/default_encoding/Makefile b/policycoreutils/semanage/default_encoding/Makefile
|
|
new file mode 100644
|
|
index 0000000..e15a877
|
|
--- /dev/null
|
|
+++ b/policycoreutils/semanage/default_encoding/Makefile
|
|
@@ -0,0 +1,8 @@
|
|
+all:
|
|
+ LDFLAGS="" python setup.py build
|
|
+
|
|
+install: all
|
|
+ LDFLAGS="" python setup.py install --root=$(DESTDIR)/
|
|
+
|
|
+clean:
|
|
+ rm -rf build *~
|
|
diff --git a/policycoreutils/semanage/default_encoding/default_encoding.c b/policycoreutils/semanage/default_encoding/default_encoding.c
|
|
new file mode 100644
|
|
index 0000000..023b8f4
|
|
--- /dev/null
|
|
+++ b/policycoreutils/semanage/default_encoding/default_encoding.c
|
|
@@ -0,0 +1,57 @@
|
|
+/*
|
|
+ * Authors:
|
|
+ * John Dennis <jdennis@redhat.com>
|
|
+ *
|
|
+ * Copyright (C) 2009 Red Hat
|
|
+ * see file 'COPYING' for use and warranty information
|
|
+ *
|
|
+ * This program is free software; you can redistribute it and/or
|
|
+ * modify it under the terms of the GNU General Public License as
|
|
+ * published by the Free Software Foundation.
|
|
+ *
|
|
+ * This program is distributed in the hope that it will be useful,
|
|
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
+ * GNU General Public License for more details.
|
|
+ *
|
|
+ * You should have received a copy of the GNU General Public License
|
|
+ * along with this program; if not, write to the Free Software
|
|
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
|
|
+ */
|
|
+
|
|
+#include <Python.h>
|
|
+
|
|
+PyDoc_STRVAR(setdefaultencoding_doc,
|
|
+"setdefaultencoding(encoding='utf-8')\n\
|
|
+\n\
|
|
+Set the current default string encoding used by the Unicode implementation.\n\
|
|
+Defaults to utf-8."
|
|
+);
|
|
+
|
|
+static PyObject *
|
|
+setdefaultencoding(PyObject *self, PyObject *args, PyObject *kwds)
|
|
+{
|
|
+ static char *kwlist[] = {"utf-8", NULL};
|
|
+ char *encoding;
|
|
+
|
|
+ if (!PyArg_ParseTupleAndKeywords(args, kwds, "s:setdefaultencoding", kwlist, &encoding))
|
|
+ return NULL;
|
|
+
|
|
+ if (PyUnicode_SetDefaultEncoding(encoding))
|
|
+ return NULL;
|
|
+
|
|
+ Py_RETURN_NONE;
|
|
+}
|
|
+
|
|
+static PyMethodDef methods[] = {
|
|
+ {"setdefaultencoding", (PyCFunction)setdefaultencoding, METH_VARARGS|METH_KEYWORDS, setdefaultencoding_doc},
|
|
+ {NULL, NULL} /* sentinel */
|
|
+};
|
|
+
|
|
+
|
|
+PyMODINIT_FUNC
|
|
+initdefault_encoding_utf8(void)
|
|
+{
|
|
+ PyUnicode_SetDefaultEncoding("utf-8");
|
|
+ Py_InitModule3("default_encoding_utf8", methods, "Forces the default encoding to utf-8");
|
|
+}
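Review bot: `kwlist` names the keyword argument `"utf-8"`, not `encoding`, so the call `setdefaultencoding(encoding='utf-8')` shown in the docstring raises TypeError (unexpected keyword), and with the `"s:"` format the argument is mandatory, so the documented default of utf-8 is never applied. I would change the three lines to `static char *kwlist[] = {"encoding", NULL};`, `char *encoding = "utf-8";` and the format to `"|s:setdefaultencoding"`. Separately, `initdefault_encoding_utf8` ignores the return value of `PyUnicode_SetDefaultEncoding("utf-8")`, so a failure there is invisible to the importer; checking it and leaving the exception set (or at least a comment that failure is tolerated) would make the module's behaviour explicit.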
|
|
diff --git a/policycoreutils/semanage/default_encoding/policycoreutils/__init__.py b/policycoreutils/semanage/default_encoding/policycoreutils/__init__.py
|
|
new file mode 100644
|
|
index 0000000..ccb6b8b
|
|
--- /dev/null
|
|
+++ b/policycoreutils/semanage/default_encoding/policycoreutils/__init__.py
|
|
@@ -0,0 +1,17 @@
|
|
+#
|
|
+# Copyright (C) 2006,2007,2008, 2009 Red Hat, Inc.
|
|
+#
|
|
+# This program is free software; you can redistribute it and/or modify
|
|
+# it under the terms of the GNU General Public License as published by
|
|
+# the Free Software Foundation; either version 2 of the License, or
|
|
+# (at your option) any later version.
|
|
+#
|
|
+# This program is distributed in the hope that it will be useful,
|
|
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
+# GNU General Public License for more details.
|
|
+#
|
|
+# You should have received a copy of the GNU General Public License
|
|
+# along with this program; if not, write to the Free Software
|
|
+# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
|
|
+#
|
|
diff --git a/policycoreutils/semanage/default_encoding/setup.py b/policycoreutils/semanage/default_encoding/setup.py
|
|
new file mode 100644
|
|
index 0000000..e2befdb
|
|
--- /dev/null
|
|
+++ b/policycoreutils/semanage/default_encoding/setup.py
|
|
@@ -0,0 +1,38 @@
|
|
+# Authors:
|
|
+# John Dennis <jdennis@redhat.com>
|
|
+#
|
|
+# Copyright (C) 2009 Red Hat
|
|
+# see file 'COPYING' for use and warranty information
|
|
+#
|
|
+# This program is free software; you can redistribute it and/or
|
|
+# modify it under the terms of the GNU General Public License as
|
|
+# published by the Free Software Foundation.
|
|
+#
|
|
+# This program is distributed in the hope that it will be useful,
|
|
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
+# GNU General Public License for more details.
|
|
+#
|
|
+# You should have received a copy of the GNU General Public License
|
|
+# along with this program; if not, write to the Free Software
|
|
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
|
|
+
|
|
+from distutils.core import setup, Extension
|
|
+
|
|
+default_encoding_utf8 = Extension('policycoreutils.default_encoding_utf8', ['default_encoding.c'])
|
|
+
|
|
+setup(name = 'policycoreutils-default-encoding',
|
|
+ version = '0.1',
|
|
+ description = 'Forces the default encoding in Python to be utf-8',
|
|
+ long_description = 'Forces the default encoding in Python to be utf-8',
|
|
+ author = 'John Dennis',
|
|
+ author_email = 'jdennis@redhat.com',
|
|
+ maintainer = 'John Dennis',
|
|
+ maintainer_email = 'jdennis@redhat.com',
|
|
+ license = 'GPLv3+',
|
|
+ platforms = 'posix',
|
|
+ url = '',
|
|
+ download_url = '',
|
|
+ ext_modules = [default_encoding_utf8],
|
|
+ packages=["policycoreutils"],
|
|
+)
|
|
diff --git a/policycoreutils/semanage/semanage b/policycoreutils/semanage/semanage
|
|
index f4602a9..61d455c 100644
|
|
--- a/policycoreutils/semanage/semanage
|
|
+++ b/policycoreutils/semanage/semanage
|
|
@@ -20,6 +20,7 @@
|
|
# 02111-1307 USA
|
|
#
|
|
#
|
|
+import policycoreutils.default_encoding_utf8
|
|
import sys, getopt, re
|
|
import seobject
|
|
import selinux
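Review bot: `import policycoreutils.default_encoding_utf8` is unconditional, so if the new C extension from this commit is not built or not installed (it lives in its own package directory with its own setup.py) semanage fails at startup with ImportError rather than degrading to the previous encoding behaviour. Since the extension only changes the default encoding, wrapping it as `try: import policycoreutils.default_encoding_utf8` / `except ImportError: pass` keeps the tool usable where the extension is absent; a one-line comment stating that the import is for side effects only would also help, as the name is never referenced afterwards.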
|
|
@@ -32,7 +33,7 @@ gettext.textdomain(PROGNAME)
|
|
try:
|
|
gettext.install(PROGNAME,
|
|
localedir="/usr/share/locale",
|
|
- unicode=False,
|
|
+ unicode=True,
|
|
codeset = 'utf-8')
|
|
except IOError:
|
|
import __builtin__
|
|
diff --git a/policycoreutils/semanage/seobject.py b/policycoreutils/semanage/seobject.py
|
|
index ad7dc8c..22eac14 100644
|
|
--- a/policycoreutils/semanage/seobject.py
|
|
+++ b/policycoreutils/semanage/seobject.py
|
|
@@ -30,11 +30,10 @@ from IPy import IP
|
|
import gettext
|
|
gettext.bindtextdomain(PROGNAME, "/usr/share/locale")
|
|
gettext.textdomain(PROGNAME)
|
|
-try:
|
|
- gettext.install(PROGNAME, localedir = "/usr/share/locale", unicode = 1)
|
|
-except IOError:
|
|
- import __builtin__
|
|
- __builtin__.__dict__['_'] = unicode
|
|
+
|
|
+import gettext
|
|
+translation=gettext.translation(PROGNAME, localedir = "/usr/share/locale", fallback=True)
|
|
+_=translation.ugettext
|
|
|
|
import syslog
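Review bot: The added `import gettext` duplicates the one already in scope four lines earlier (`import gettext` followed by `gettext.bindtextdomain(...)`), so the new line is redundant and can be dropped. A short comment above `translation=gettext.translation(...)` explaining why `fallback=True` replaces the old try/except IOError (the fallback NullTranslations makes the IOError path unnecessary) would document the intent of the change for the next maintainer.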
|
|
|
|
@@ -493,7 +492,9 @@ class loginRecords(semanageRecords):
|
|
if rc < 0:
|
|
raise ValueError(_("Could not check if login mapping for %s is defined") % name)
|
|
if exists:
|
|
- raise ValueError(_("Login mapping for %s is already defined") % name)
|
|
+ semanage_seuser_key_free(k)
|
|
+ return self.__modify(name, sename, serange)
|
|
+
|
|
if name[0] == '%':
|
|
try:
|
|
grp.getgrnam(name[1:])
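Review bot: `add` no longer raises when the login mapping already exists and instead falls through to `self.__modify(name, sename, serange)`, which is a behaviour change for callers that relied on the ValueError to detect duplicates; nothing in the hunk records this, so the method's docstring (or the `-a` help text) should state that adding an existing record updates it. The same add-becomes-modify change is made in the seluserRecords, nodeRecords, interfaceRecords and fcontextRecords hunks below. One thing to confirm outside the hunk: the freed key `k` must not be used again on the modify path, which from the visible lines appears to hold since `__modify` takes the raw arguments.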
|
|
@@ -738,7 +739,8 @@ class seluserRecords(semanageRecords):
|
|
if rc < 0:
|
|
raise ValueError(_("Could not check if SELinux user %s is defined") % name)
|
|
if exists:
|
|
- raise ValueError(_("SELinux user %s is already defined") % name)
|
|
+ semanage_user_key_free(k)
|
|
+ return self.__modify(name, roles, selevel, serange, prefix)
|
|
|
|
(rc, u) = semanage_user_create(self.sh)
|
|
if rc < 0:
|
|
@@ -1262,7 +1264,8 @@ class nodeRecords(semanageRecords):
|
|
|
|
(rc, exists) = semanage_node_exists(self.sh, k)
|
|
if exists:
|
|
- raise ValueError(_("Addr %s already defined") % addr)
|
|
+ semanage_node_key_free(k)
|
|
+ return self.__modify(addr, mask, self.protocol[proto], serange, ctype)
|
|
|
|
(rc, node) = semanage_node_create(self.sh)
|
|
if rc < 0:
|
|
@@ -1460,7 +1463,8 @@ class interfaceRecords(semanageRecords):
|
|
if rc < 0:
|
|
raise ValueError(_("Could not check if interface %s is defined") % interface)
|
|
if exists:
|
|
- raise ValueError(_("Interface %s already defined") % interface)
|
|
+ semanage_iface_key_free(k)
|
|
+ return self.__modify(interface, serange, ctype)
|
|
|
|
(rc, iface) = semanage_iface_create(self.sh)
|
|
if rc < 0:
|
|
@@ -1753,7 +1757,8 @@ class fcontextRecords(semanageRecords):
|
|
raise ValueError(_("Could not check if file context for %s is defined") % target)
|
|
|
|
if exists:
|
|
- raise ValueError(_("File context for %s already defined") % target)
|
|
+ semanage_fcontext_key_free(k)
|
|
+ return self.__modify(target, type, ftype, serange, seuser)
|
|
|
|
(rc, fcontext) = semanage_fcontext_create(self.sh)
|
|
if rc < 0:
|
|
diff --git a/policycoreutils/setfiles/restore.c b/policycoreutils/setfiles/restore.c
|
|
index 4c62b41..01fc818 100644
|
|
--- a/policycoreutils/setfiles/restore.c
|
|
+++ b/policycoreutils/setfiles/restore.c
|
|
@@ -105,6 +105,7 @@ static int restore(FTSENT *ftsent)
|
|
char *my_file = strdupa(ftsent->fts_path);
|
|
int ret = -1;
|
|
security_context_t curcon = NULL, newcon = NULL;
|
|
+ float progress;
|
|
|
|
if (match(my_file, ftsent->fts_statp, &newcon) < 0)
|
|
/* Check for no matching specification. */
|
|
@@ -113,7 +114,14 @@ static int restore(FTSENT *ftsent)
|
|
if (r_opts->progress) {
|
|
r_opts->count++;
|
|
if (r_opts->count % STAR_COUNT == 0) {
|
|
- fprintf(stdout, "*");
|
|
+ if (r_opts->progress == 1) {
|
|
+ fprintf(stdout, "*");
|
|
+ } else {
|
|
+ if (r_opts->nfile > 0) {
|
|
+ progress = (r_opts->count < r_opts->nfile) ? (100.0 * r_opts->count / r_opts->nfile) : 100;
|
|
+ fprintf(stdout, "\r%-.1f%%", progress);
|
|
+ }
|
|
+ }
|
|
fflush(stdout);
|
|
}
|
|
}
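Review bot: When `r_opts->progress` is greater than 1 but `r_opts->nfile` is 0 (every early-return path in `exclude_non_seclabel_mounts` yields 0, e.g. an older kernel or SELinux disabled), the new branch prints nothing at all, so the user asked for progress and gets silence; the old code always printed a star. Adding an `else` to the `nfile > 0` check that falls back to `fprintf(stdout, "*");` keeps the visible feedback. The `restore` function whose body this hunk modifies begins outside the hunk.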
|
|
@@ -283,6 +291,8 @@ static int apply_spec(FTSENT *ftsent)
|
|
return rc;
|
|
}
|
|
|
|
+#include <sys/statvfs.h>
|
|
+
|
|
static int process_one(char *name, int recurse_this_path)
|
|
{
|
|
int rc = 0;
|
|
@@ -332,6 +342,7 @@ static int process_one(char *name, int recurse_this_path)
|
|
continue;
|
|
}
|
|
}
|
|
+
|
|
rc = apply_spec(ftsent);
|
|
if (rc == SKIP)
|
|
fts_set(fts_handle, ftsent, FTS_SKIP);
|
|
@@ -611,12 +622,22 @@ static int filespec_add(ino_t ino, const security_context_t con, const char *fil
|
|
}
|
|
|
|
#include <sys/utsname.h>
|
|
+int file_system_count(char *name) {
|
|
+ struct statvfs statvfs_buf;
|
|
+ int nfile = 0;
|
|
+ memset(&statvfs_buf, 0, sizeof(statvfs_buf));
|
|
+ if (!statvfs(name, &statvfs_buf)) {
|
|
+ nfile = statvfs_buf.f_files - statvfs_buf.f_ffree;
|
|
+ }
|
|
+ return nfile;
|
|
+}
|
|
+
|
|
/*
|
|
Search /proc/mounts for all file systems that do not support extended
|
|
attributes and add them to the exclude directory table. File systems
|
|
- that support security labels have the seclabel option.
|
|
+ that support security labels have the seclabel option, return total file count
|
|
*/
|
|
-void exclude_non_seclabel_mounts()
|
|
+int exclude_non_seclabel_mounts()
|
|
{
|
|
struct utsname uts;
|
|
FILE *fp;
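Review bot: `file_system_count` narrows the `fsfilcnt_t` difference `f_files - f_ffree` into an `int`, and `exclude_non_seclabel_mounts` then returns that sum as `int` after `return nfile * 1.05;` (last hunk of this file) silently converts int to double and back, while the consumer `r_opts.nfile` declared in restore.h is `uint64_t`; for a large filesystem the count can wrap negative and, assigned to the unsigned field, produce a huge estimate. The function is also not `static` and has no prototype in restore.h, and both `int exclude_non_seclabel_mounts()` here and its declaration in the restore.h hunk should use `(void)` so the prototype actually declares the parameter list. I would keep the width end to end and do the 5% bump in integer arithmetic, as below, with the header changed to `uint64_t exclude_non_seclabel_mounts(void);`.
```c
static uint64_t file_system_count(const char *name)
{
	struct statvfs statvfs_buf;

	memset(&statvfs_buf, 0, sizeof(statvfs_buf));
	if (statvfs(name, &statvfs_buf) != 0)
		return 0;
	/* inodes in use; f_files/f_ffree are fsfilcnt_t, keep their width */
	return (uint64_t)(statvfs_buf.f_files - statvfs_buf.f_ffree);
}

/* … unchanged: seclabel mount scan in exclude_non_seclabel_mounts … */
	/* estimated #files + 5% for directories and hard links, integer math */
	return nfile + nfile / 20;
```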
|
|
@@ -625,16 +646,16 @@ void exclude_non_seclabel_mounts()
|
|
int index = 0, found = 0;
|
|
char *mount_info[4];
|
|
char *buf = NULL, *item;
|
|
-
|
|
+ int nfile = 0;
|
|
/* Check to see if the kernel supports seclabel */
|
|
if (uname(&uts) == 0 && strverscmp(uts.release, "2.6.30") < 0)
|
|
- return;
|
|
+ return 0;
|
|
if (is_selinux_enabled() <= 0)
|
|
- return;
|
|
+ return 0;
|
|
|
|
fp = fopen("/proc/mounts", "r");
|
|
if (!fp)
|
|
- return;
|
|
+ return 0;
|
|
|
|
while ((num = getline(&buf, &len, fp)) != -1) {
|
|
found = 0;
|
|
@@ -661,6 +682,7 @@ void exclude_non_seclabel_mounts()
|
|
while (item != NULL) {
|
|
if (strcmp(item, "seclabel") == 0) {
|
|
found = 1;
|
|
+ nfile += file_system_count(mount_info[1]);
|
|
break;
|
|
}
|
|
item = strtok(NULL, ",");
|
|
@@ -673,5 +695,7 @@ void exclude_non_seclabel_mounts()
|
|
|
|
free(buf);
|
|
fclose(fp);
|
|
+ /* return estimated #Files + 5% for directories and hard links */
|
|
+ return nfile * 1.05;
|
|
}
|
|
|
|
diff --git a/policycoreutils/setfiles/restore.h b/policycoreutils/setfiles/restore.h
|
|
index ac27222..57ae46a 100644
|
|
--- a/policycoreutils/setfiles/restore.h
|
|
+++ b/policycoreutils/setfiles/restore.h
|
|
@@ -14,6 +14,7 @@
|
|
#include <selinux/label.h>
|
|
#include <stdlib.h>
|
|
#include <limits.h>
|
|
+#include <stdint.h>
|
|
|
|
#define STAR_COUNT 1000
|
|
|
|
@@ -21,7 +22,8 @@
|
|
struct restore_opts {
|
|
int add_assoc; /* Track inode associations for conflict detection. */
|
|
int progress;
|
|
- unsigned long long count;
|
|
+ uint64_t count; /* Number of files processed so far */
|
|
+ uint64_t nfile; /* Estimated total number of files */
|
|
int debug;
|
|
int change;
|
|
int hard_links;
|
|
@@ -49,6 +51,6 @@ int exclude(const char *path);
|
|
void remove_exclude(const char *directory);
|
|
int process_one_realpath(char *name, int recurse);
|
|
int process_glob(char *name, int recurse);
|
|
-void exclude_non_seclabel_mounts();
|
|
+int exclude_non_seclabel_mounts();
|
|
|
|
#endif
|
|
diff --git a/policycoreutils/setfiles/setfiles.c b/policycoreutils/setfiles/setfiles.c
|
|
index ca24003..b11e49f 100644
|
|
--- a/policycoreutils/setfiles/setfiles.c
|
|
+++ b/policycoreutils/setfiles/setfiles.c
|
|
@@ -159,6 +159,7 @@ int main(int argc, char **argv)
|
|
/* Initialize variables */
|
|
r_opts.progress = 0;
|
|
r_opts.count = 0;
|
|
+ r_opts.nfile = 0;
|
|
r_opts.debug = 0;
|
|
r_opts.change = 1;
|
|
r_opts.verbose = 0;
|
|
@@ -222,7 +223,7 @@ int main(int argc, char **argv)
|
|
}
|
|
|
|
/* This must happen before getopt. */
|
|
- exclude_non_seclabel_mounts();
|
|
+ r_opts.nfile = exclude_non_seclabel_mounts();
|
|
|
|
/* Process any options. */
|
|
while ((opt = getopt(argc, argv, "c:de:f:hilno:pqrsvFRW0")) > 0) {
|
|
@@ -346,7 +347,7 @@ int main(int argc, char **argv)
|
|
"Progress and Verbose mutually exclusive\n");
|
|
usage(argv[0]);
|
|
}
|
|
- r_opts.progress = 1;
|
|
+ r_opts.progress++;
|
|
break;
|
|
case 'W':
|
|
warn_no_match = 1;
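Review bot: `r_opts.progress++` makes repeated `-p` flags select the percentage mode (`progress == 2` in restore.c) on their own, independent of the "/" check that the next hunk adds, and since `r_opts.nfile` is a filesystem-wide inode estimate a `-p -p` relabel of a subtree would display a meaningless percentage. Keeping `r_opts.progress = 1;` here and letting only the mass-relabel loop bump it to 2 preserves the intended coupling; if multiple `-p` is meant to be an explicit opt-in, a comment on this line saying so would avoid the question.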
|
|
@@ -360,6 +361,14 @@ int main(int argc, char **argv)
|
|
}
|
|
}
|
|
|
|
+ for (i = optind; i < argc; i++) {
|
|
+ if (!strcmp(argv[i], "/")) {
|
|
+ mass_relabel = 1;
|
|
+ if (r_opts.progress)
|
|
+ r_opts.progress++;
|
|
+ }
|
|
+ }
|
|
+
|
|
if (!iamrestorecon) {
|
|
if (policyfile) {
|
|
if (optind != (argc - 1))
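Review bot: The mass_relabel scan now runs before the `!iamrestorecon`/`policyfile`/input-file branching, whereas the removed loop in the last hunk of this file only ran in the `else` branch (no `-f input_filename`), so in input-file mode any "/" left among the remaining arguments now sets `mass_relabel` and bumps the progress mode even though those arguments are not the paths being relabeled. If that is intended, a comment such as `/* "/" anywhere on the command line means a full relabel */` would make it explicit; otherwise the loop should be guarded so it applies only when paths come from argv, presumably by checking the input-file variable the later hunk tests with `strcmp(input_filename, "-")`. The enclosing `main` continues outside this hunk.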
|
|
@@ -426,12 +435,8 @@ int main(int argc, char **argv)
|
|
if (strcmp(input_filename, "-") != 0)
|
|
fclose(f);
|
|
} else {
|
|
- for (i = optind; i < argc; i++) {
|
|
- if (!strcmp(argv[i], "/"))
|
|
- mass_relabel = 1;
|
|
-
|
|
+ for (i = optind; i < argc; i++)
|
|
errors |= process_glob(argv[i], recurse) < 0;
|
|
- }
|
|
}
|
|
|
|
maybe_audit_mass_relabel(mass_relabel, errors);
|