policycoreutils/policycoreutils-rhat.patch
Daniel J Walsh 8ac1404c6b * Tue Jul 1 2008 Dan Walsh <dwalsh@redhat.com> 2.0.50-2
- Remove semodule use within semanage
2008-07-02 00:52:32 +00:00

345 lines
13 KiB
Diff

diff --exclude-from=exclude --exclude=sepolgen-1.0.12 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/Makefile policycoreutils-2.0.50/Makefile
--- nsapolicycoreutils/Makefile 2007-12-19 06:02:52.000000000 -0500
+++ policycoreutils-2.0.50/Makefile 2008-07-01 14:59:58.000000000 -0400
@@ -1,4 +1,4 @@
-SUBDIRS = setfiles semanage load_policy newrole run_init secon audit2allow audit2why scripts sestatus semodule_package semodule semodule_link semodule_expand semodule_deps setsebool po
+SUBDIRS = setfiles semanage load_policy newrole run_init secon audit2allow audit2why scripts sestatus semodule_package semodule semodule_link semodule_expand semodule_deps setsebool po gui
INOTIFYH = $(shell ls /usr/include/sys/inotify.h 2>/dev/null)
diff --exclude-from=exclude --exclude=sepolgen-1.0.12 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.c policycoreutils-2.0.50/restorecond/restorecond.c
--- nsapolicycoreutils/restorecond/restorecond.c 2007-07-16 14:20:41.000000000 -0400
+++ policycoreutils-2.0.50/restorecond/restorecond.c 2008-07-01 14:59:58.000000000 -0400
@@ -210,9 +210,10 @@
}
if (fsetfilecon(fd, scontext) < 0) {
- syslog(LOG_ERR,
- "set context %s->%s failed:'%s'\n",
- filename, scontext, strerror(errno));
+ if (errno != EOPNOTSUPP)
+ syslog(LOG_ERR,
+ "set context %s->%s failed:'%s'\n",
+ filename, scontext, strerror(errno));
if (retcontext >= 0)
free(prev_context);
free(scontext);
@@ -225,8 +226,9 @@
if (retcontext >= 0)
free(prev_context);
} else {
- syslog(LOG_ERR, "get context on %s failed: '%s'\n",
- filename, strerror(errno));
+ if (errno != EOPNOTSUPP)
+ syslog(LOG_ERR, "get context on %s failed: '%s'\n",
+ filename, strerror(errno));
}
free(scontext);
close(fd);
diff --exclude-from=exclude --exclude=sepolgen-1.0.12 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/semanage policycoreutils-2.0.50/semanage/semanage
--- nsapolicycoreutils/semanage/semanage 2008-05-06 14:33:04.000000000 -0400
+++ policycoreutils-2.0.50/semanage/semanage 2008-07-01 20:31:40.000000000 -0400
@@ -43,49 +43,52 @@
if __name__ == '__main__':
def usage(message = ""):
- print _('\
-semanage {boolean|login|user|port|interface|fcontext|translation} -{l|D} [-n] \n\
-semanage login -{a|d|m} [-sr] login_name\n\
-semanage user -{a|d|m} [-LrRP] selinux_name\n\
-semanage port -{a|d|m} [-tr] [ -p proto ] port | port_range\n\
-semanage interface -{a|d|m} [-tr] interface_spec\n\
-semanage fcontext -{a|d|m} [-frst] file_spec\n\
-semanage translation -{a|d|m} [-T] level\n\n\
-semanage boolean -{d|m} boolean\n\n\
-\
-Primary Options:\n\
-\
- -a, --add Add a OBJECT record NAME\n\
- -d, --delete Delete a OBJECT record NAME\n\
- -m, --modify Modify a OBJECT record NAME\n\
- -l, --list List the OBJECTS\n\n\
- -C, --locallist List OBJECTS local customizations\n\n\
- -D, --deleteall Remove all OBJECTS local customizations\n\
-\
- -h, --help Display this message\n\
- -n, --noheading Do not print heading when listing OBJECTS\n\
- -S, --store Select and alternate SELinux store to manage\n\n\
-Object-specific Options (see above):\n\
- -f, --ftype File Type of OBJECT \n\
- "" (all files) \n\
- -- (regular file) \n\
- -d (directory) \n\
- -c (character device) \n\
- -b (block device) \n\
- -s (socket) \n\
- -l (symbolic link) \n\
- -p (named pipe) \n\n\
-\
- -p, --proto Port protocol (tcp or udp)\n\
- -P, --prefix Prefix for home directory labeling\n\
- -L, --level Default SELinux Level (MLS/MCS Systems only)\n\
- -R, --roles SELinux Roles (ex: "sysadm_r staff_r")\n\
- -T, --trans SELinux Level Translation (MLS/MCS Systems only)\n\n\
-\
- -s, --seuser SELinux User Name\n\
- -t, --type SELinux Type for the object\n\
- -r, --range MLS/MCS Security Range (MLS/MCS Systems only)\n\
-')
+ print _("""
+semanage {boolean|login|user|port|interface|fcontext|translation} -{l|D} [-n]
+semanage login -{a|d|m} [-sr] login_name
+semanage user -{a|d|m} [-LrRP] selinux_name
+semanage port -{a|d|m} [-tr] [ -p proto ] port | port_range
+semanage interface -{a|d|m} [-tr] interface_spec
+semanage fcontext -{a|d|m} [-frst] file_spec
+semanage translation -{a|d|m} [-T] level
+semanage boolean -{d|m} boolean
+semanage permissive -{d|a} type
+
+Primary Options:
+
+ -a, --add Add a OBJECT record NAME
+ -d, --delete Delete a OBJECT record NAME
+ -m, --modify Modify a OBJECT record NAME
+ -l, --list List the OBJECTS
+ -C, --locallist List OBJECTS local customizations
+ -D, --deleteall Remove all OBJECTS local customizations
+
+ -h, --help Display this message
+ -n, --noheading Do not print heading when listing OBJECTS
+ -S, --store Select and alternate SELinux store to manage
+
+Object-specific Options (see above):
+
+ -f, --ftype File Type of OBJECT
+ "" (all files)
+ -- (regular file)
+ -d (directory)
+ -c (character device)
+ -b (block device)
+ -s (socket)
+ -l (symbolic link)
+ -p (named pipe)
+
+ -p, --proto Port protocol (tcp or udp)
+ -P, --prefix Prefix for home directory labeling
+ -L, --level Default SELinux Level (MLS/MCS Systems only)
+ -R, --roles SELinux Roles (ex: "sysadm_r staff_r")
+ -T, --trans SELinux Level Translation (MLS/MCS Systems only)
+
+ -s, --seuser SELinux User Name
+ -t, --type SELinux Type for the object
+ -r, --range MLS/MCS Security Range (MLS/MCS Systems only)
+""")
print message
sys.exit(1)
@@ -112,6 +115,8 @@
valid_option["translation"] += valid_everyone + [ '-T', '--trans' ]
valid_option["boolean"] = []
valid_option["boolean"] += valid_everyone + [ '--on', "--off", "-1", "-0" ]
+ valid_option["permissive"] = []
+ valid_option["permissive"] += [ '-a', '--add', '-d', '--delete', '-l', '--list', '-h', '--help', '-n', '--noheading', '-D', '--deleteall' ]
return valid_option
#
@@ -266,6 +271,9 @@
if object == "translation":
OBJECT = seobject.setransRecords()
+ if object == "permissive":
+ OBJECT = seobject.permissiveRecords(store)
+
if list:
OBJECT.list(heading, locallist)
sys.exit(0);
@@ -302,6 +310,9 @@
if object == "fcontext":
OBJECT.add(target, setype, ftype, serange, seuser)
+ if object == "permissive":
+ OBJECT.add(target)
+
sys.exit(0);
if modify:
diff --exclude-from=exclude --exclude=sepolgen-1.0.12 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/semanage.8 policycoreutils-2.0.50/semanage/semanage.8
--- nsapolicycoreutils/semanage/semanage.8 2008-05-06 14:33:04.000000000 -0400
+++ policycoreutils-2.0.50/semanage/semanage.8 2008-07-01 20:33:48.000000000 -0400
@@ -3,7 +3,7 @@
semanage \- SELinux Policy Management tool
.SH "SYNOPSIS"
-.B semanage {boolean|login|user|port|interface|fcontext|translation} \-{l|lC|D} [\-n]
+.B semanage {boolean|login|user|port|interface|fcontext|translation} \-{l|D} [\-n] [\-S store]
.br
.B semanage boolean \-{d|m} [\-\-on|\-\-off|\-1|\-0] boolean
.br
@@ -17,6 +17,8 @@
.br
.B semanage fcontext \-{a|d|m} [\-frst] file_spec
.br
+.B semanage permissive \-{a|d} type
+.br
.B semanage translation \-{a|d|m} [\-T] level
.P
@@ -85,6 +87,9 @@
.I \-s, \-\-seuser
SELinux user name
.TP
+.I \-S, \-\-store
+Select and alternate SELinux store to manage
+.TP
.I \-t, \-\-type
SELinux Type for the object
.TP
@@ -101,10 +106,11 @@
$ semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?"
# Allow Apache to listen on port 81
$ semanage port -a -t http_port_t -p tcp 81
+# Change apache to a permissive domain
+$ semanage permissive -a http_t
.fi
.SH "AUTHOR"
This man page was written by Daniel Walsh <dwalsh@redhat.com> and
Russell Coker <rcoker@redhat.com>.
Examples by Thomas Bleher <ThomasBleher@gmx.de>.
-
diff --exclude-from=exclude --exclude=sepolgen-1.0.12 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/seobject.py policycoreutils-2.0.50/semanage/seobject.py
--- nsapolicycoreutils/semanage/seobject.py 2008-05-16 10:55:38.000000000 -0400
+++ policycoreutils-2.0.50/semanage/seobject.py 2008-07-01 20:30:55.000000000 -0400
@@ -1,5 +1,5 @@
#! /usr/bin/python -E
-# Copyright (C) 2005, 2006, 2007 Red Hat
+# Copyright (C) 2005, 2006, 2007, 2008 Red Hat
# see file 'COPYING' for use and warranty information
#
# semanage is a tool for managing SELinux configuration files
@@ -24,7 +24,9 @@
import pwd, string, selinux, tempfile, os, re, sys
from semanage import *;
PROGNAME="policycoreutils"
+import sepolgen.module as module
+import commands
import gettext
gettext.bindtextdomain(PROGNAME, "/usr/share/locale")
gettext.textdomain(PROGNAME)
@@ -246,7 +248,103 @@
os.close(fd)
os.rename(newfilename, self.filename)
os.system("/sbin/service mcstrans reload > /dev/null")
-
+
+class permissiveRecords:
+ def __init__(self, store):
+ self.store = store
+ self.sh = semanage_handle_create()
+ if not self.sh:
+ raise ValueError(_("Could not create semanage handle"))
+
+ if store != "":
+ semanage_select_store(self.sh, store, SEMANAGE_CON_DIRECT);
+
+ self.semanaged = semanage_is_managed(self.sh)
+
+ if not self.semanaged:
+ semanage_handle_destroy(self.sh)
+ raise ValueError(_("SELinux policy is not managed or store cannot be accessed."))
+
+ rc = semanage_access_check(self.sh)
+ if rc < SEMANAGE_CAN_READ:
+ semanage_handle_destroy(self.sh)
+ raise ValueError(_("Cannot read policy store."))
+
+ rc = semanage_connect(self.sh)
+ if rc < 0:
+ semanage_handle_destroy(self.sh)
+ raise ValueError(_("Could not establish semanage connection"))
+
+ def get_all(self):
+ l = []
+ (rc, mlist, number) = semanage_module_list(self.sh)
+ if rc < 0:
+ raise ValueError(_("Could not list SELinux modules"))
+
+ for i in range(number):
+ mod = semanage_module_list_nth(mlist, i)
+ name = semanage_module_get_name(mod)
+ if name and name.startswith("permissive_"):
+ l.append(name.split("permissive_")[1])
+ return l
+
+ def list(self,heading = 1, locallist = 0):
+ if heading:
+ print "\n%-25s\n" % (_("Permissive Types"))
+ for t in self.get_all():
+ print t
+
+
+ def add(self, type):
+ name = "permissive_%s" % type
+ dirname = "/var/lib/selinux"
+ os.chdir(dirname)
+ filename = "%s.te" % name
+ modtxt = """
+module %s 1.0;
+
+require {
+ type %s;
+}
+
+permissive %s;
+""" % (name, type, type)
+ fd = open(filename,'w')
+ fd.write(modtxt)
+ fd.close()
+ mc = module.ModuleCompiler()
+ mc.create_module_package(filename, 1)
+ fd = open("permissive_%s.pp" % type)
+ data = fd.read()
+ fd.close()
+
+ rc = semanage_module_install(self.sh, data, len(data));
+ rc = semanage_commit(self.sh)
+ if rc < 0:
+ raise ValueError(_("Could not set permissive domain %s") % name)
+ for root, dirs, files in os.walk("tmp", topdown=False):
+ for name in files:
+ os.remove(os.path.join(root, name))
+ for name in dirs:
+ os.rmdir(os.path.join(root, name))
+
+ if rc != 0:
+ raise ValueError(out)
+
+
+ def delete(self, name):
+ for n in name.split():
+ rc = semanage_module_remove(self.sh, "permissive_%s" % n)
+ rc = semanage_commit(self.sh)
+ if rc < 0:
+ raise ValueError(_("Could not remove permissive domain %s") % name)
+
+ def deleteall(self):
+ l = self.get_all()
+ if len(l) > 0:
+ all = " ".join(l)
+ self.delete(all)
+
class semanageRecords:
def __init__(self, store):
self.sh = semanage_handle_create()
@@ -464,7 +562,7 @@
def __init__(self, store = ""):
semanageRecords.__init__(self, store)
- def add(self, name, roles, selevel, serange, prefix):
+ def add(self, name, roles, selevel, serange, prefix = "user"):
if is_mls_enabled == 1:
if serange == "":
serange = "s0"