387 lines
14 KiB
Diff
387 lines
14 KiB
Diff
diff --exclude-from=exclude --exclude=sepolgen-1.0.12 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/Makefile policycoreutils-2.0.50/Makefile
|
|
--- nsapolicycoreutils/Makefile 2008-06-12 23:25:24.000000000 -0400
|
|
+++ policycoreutils-2.0.50/Makefile 2008-07-01 09:43:28.000000000 -0400
|
|
@@ -1,4 +1,4 @@
|
|
-SUBDIRS = setfiles semanage load_policy newrole run_init secon audit2allow audit2why scripts sestatus semodule_package semodule semodule_link semodule_expand semodule_deps setsebool po
|
|
+SUBDIRS = setfiles semanage load_policy newrole run_init secon audit2allow audit2why scripts sestatus semodule_package semodule semodule_link semodule_expand semodule_deps setsebool po gui
|
|
|
|
INOTIFYH = $(shell ls /usr/include/sys/inotify.h 2>/dev/null)
|
|
|
|
diff --exclude-from=exclude --exclude=sepolgen-1.0.12 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.c policycoreutils-2.0.50/restorecond/restorecond.c
|
|
--- nsapolicycoreutils/restorecond/restorecond.c 2008-06-12 23:25:21.000000000 -0400
|
|
+++ policycoreutils-2.0.50/restorecond/restorecond.c 2008-07-01 09:43:28.000000000 -0400
|
|
@@ -210,9 +210,10 @@
|
|
}
|
|
|
|
if (fsetfilecon(fd, scontext) < 0) {
|
|
- syslog(LOG_ERR,
|
|
- "set context %s->%s failed:'%s'\n",
|
|
- filename, scontext, strerror(errno));
|
|
+ if (errno != EOPNOTSUPP)
|
|
+ syslog(LOG_ERR,
|
|
+ "set context %s->%s failed:'%s'\n",
|
|
+ filename, scontext, strerror(errno));
|
|
if (retcontext >= 0)
|
|
free(prev_context);
|
|
free(scontext);
|
|
@@ -225,8 +226,9 @@
|
|
if (retcontext >= 0)
|
|
free(prev_context);
|
|
} else {
|
|
- syslog(LOG_ERR, "get context on %s failed: '%s'\n",
|
|
- filename, strerror(errno));
|
|
+ if (errno != EOPNOTSUPP)
|
|
+ syslog(LOG_ERR, "get context on %s failed: '%s'\n",
|
|
+ filename, strerror(errno));
|
|
}
|
|
free(scontext);
|
|
close(fd);
|
|
diff --exclude-from=exclude --exclude=sepolgen-1.0.12 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.init policycoreutils-2.0.50/restorecond/restorecond.init
|
|
--- nsapolicycoreutils/restorecond/restorecond.init 2008-06-12 23:25:21.000000000 -0400
|
|
+++ policycoreutils-2.0.50/restorecond/restorecond.init 2008-07-01 09:43:28.000000000 -0400
|
|
@@ -2,7 +2,7 @@
|
|
#
|
|
# restorecond: Daemon used to maintain path file context
|
|
#
|
|
-# chkconfig: 2345 12 87
|
|
+# chkconfig: - 12 87
|
|
# description: restorecond uses inotify to look for creation of new files \
|
|
# listed in the /etc/selinux/restorecond.conf file, and restores the \
|
|
# correct security context.
|
|
diff --exclude-from=exclude --exclude=sepolgen-1.0.12 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/fixfiles policycoreutils-2.0.50/scripts/fixfiles
|
|
--- nsapolicycoreutils/scripts/fixfiles 2008-06-12 23:25:21.000000000 -0400
|
|
+++ policycoreutils-2.0.50/scripts/fixfiles 2008-07-01 09:43:28.000000000 -0400
|
|
@@ -138,6 +138,9 @@
|
|
fi
|
|
LogReadOnly
|
|
${SETFILES} -q ${OUTFILES} ${SYSLOGFLAG} ${FORCEFLAG} $* ${FC} ${FILESYSTEMSRW} 2>&1 >> $LOGFILE
|
|
+rm -rf /tmp/gconfd-* /tmp/pulse-* /tmp/orbit-*
|
|
+find /tmp -context "*:file_t*" -exec chcon -t tmp_t {} \;
|
|
+find /var/tmp -context "*:file_t*" -exec chcon -t tmp_t {} \;
|
|
exit $?
|
|
}
|
|
|
|
@@ -180,6 +183,10 @@
|
|
check) restore -n -v;;
|
|
verify) restore -n -o -;;
|
|
relabel) relabel;;
|
|
+ onboot)
|
|
+ touch /.autorelabel
|
|
+ echo "System will relabel on next boot"
|
|
+ ;;
|
|
*)
|
|
usage
|
|
exit 1
|
|
@@ -189,6 +196,7 @@
|
|
echo $"Usage: $0 [-l logfile ] [-o outputfile ] { check | restore|[-F] relabel } [[dir] ... ] "
|
|
echo or
|
|
echo $"Usage: $0 -R rpmpackage[,rpmpackage...] -C PREVIOUS_FILECONTEXT [-l logfile ] [-o outputfile ] { check | restore }"
|
|
+ echo $"Usage: $0 onboot"
|
|
}
|
|
|
|
if [ $# = 0 ]; then
|
|
diff --exclude-from=exclude --exclude=sepolgen-1.0.12 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/fixfiles.8 policycoreutils-2.0.50/scripts/fixfiles.8
|
|
--- nsapolicycoreutils/scripts/fixfiles.8 2008-06-12 23:25:21.000000000 -0400
|
|
+++ policycoreutils-2.0.50/scripts/fixfiles.8 2008-07-01 09:43:28.000000000 -0400
|
|
@@ -7,6 +7,8 @@
|
|
|
|
.B fixfiles [-F] [-l logfile ] [-o outputfile ] { check | restore|[-f] relabel | verify } [[dir/file] ... ]
|
|
|
|
+.B fixfiles onboot
|
|
+
|
|
.SH "DESCRIPTION"
|
|
This manual page describes the
|
|
.BR fixfiles
|
|
@@ -20,6 +22,9 @@
|
|
as you expect. By default it will relabel all mounted ext2, ext3, xfs and
|
|
jfs file systems as long as they do not have a security context mount
|
|
option. You can use the -R flag to use rpmpackages as an alternative.
|
|
+.P
|
|
+.B fixfiles onboot
|
|
+will setup the machine to relabel on the next reboot.
|
|
|
|
.SH "OPTIONS"
|
|
.TP
|
|
diff --exclude-from=exclude --exclude=sepolgen-1.0.12 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/semanage policycoreutils-2.0.50/semanage/semanage
|
|
--- nsapolicycoreutils/semanage/semanage 2008-06-12 23:25:21.000000000 -0400
|
|
+++ policycoreutils-2.0.50/semanage/semanage 2008-07-01 09:43:28.000000000 -0400
|
|
@@ -43,49 +43,52 @@
|
|
if __name__ == '__main__':
|
|
|
|
def usage(message = ""):
|
|
- print _('\
|
|
-semanage {boolean|login|user|port|interface|fcontext|translation} -{l|D} [-n] \n\
|
|
-semanage login -{a|d|m} [-sr] login_name\n\
|
|
-semanage user -{a|d|m} [-LrRP] selinux_name\n\
|
|
-semanage port -{a|d|m} [-tr] [ -p proto ] port | port_range\n\
|
|
-semanage interface -{a|d|m} [-tr] interface_spec\n\
|
|
-semanage fcontext -{a|d|m} [-frst] file_spec\n\
|
|
-semanage translation -{a|d|m} [-T] level\n\n\
|
|
-semanage boolean -{d|m} boolean\n\n\
|
|
-\
|
|
-Primary Options:\n\
|
|
-\
|
|
- -a, --add Add a OBJECT record NAME\n\
|
|
- -d, --delete Delete a OBJECT record NAME\n\
|
|
- -m, --modify Modify a OBJECT record NAME\n\
|
|
- -l, --list List the OBJECTS\n\n\
|
|
- -C, --locallist List OBJECTS local customizations\n\n\
|
|
- -D, --deleteall Remove all OBJECTS local customizations\n\
|
|
-\
|
|
- -h, --help Display this message\n\
|
|
- -n, --noheading Do not print heading when listing OBJECTS\n\
|
|
- -S, --store Select and alternate SELinux store to manage\n\n\
|
|
-Object-specific Options (see above):\n\
|
|
- -f, --ftype File Type of OBJECT \n\
|
|
- "" (all files) \n\
|
|
- -- (regular file) \n\
|
|
- -d (directory) \n\
|
|
- -c (character device) \n\
|
|
- -b (block device) \n\
|
|
- -s (socket) \n\
|
|
- -l (symbolic link) \n\
|
|
- -p (named pipe) \n\n\
|
|
-\
|
|
- -p, --proto Port protocol (tcp or udp)\n\
|
|
- -P, --prefix Prefix for home directory labeling\n\
|
|
- -L, --level Default SELinux Level (MLS/MCS Systems only)\n\
|
|
- -R, --roles SELinux Roles (ex: "sysadm_r staff_r")\n\
|
|
- -T, --trans SELinux Level Translation (MLS/MCS Systems only)\n\n\
|
|
-\
|
|
- -s, --seuser SELinux User Name\n\
|
|
- -t, --type SELinux Type for the object\n\
|
|
- -r, --range MLS/MCS Security Range (MLS/MCS Systems only)\n\
|
|
-')
|
|
+ print _("""
|
|
+semanage {boolean|login|user|port|interface|fcontext|translation} -{l|D} [-n]
|
|
+semanage login -{a|d|m} [-sr] login_name
|
|
+semanage user -{a|d|m} [-LrRP] selinux_name
|
|
+semanage port -{a|d|m} [-tr] [ -p proto ] port | port_range
|
|
+semanage interface -{a|d|m} [-tr] interface_spec
|
|
+semanage fcontext -{a|d|m} [-frst] file_spec
|
|
+semanage translation -{a|d|m} [-T] level
|
|
+semanage boolean -{d|m} boolean
|
|
+semanage permissive -{d|a} type
|
|
+
|
|
+Primary Options:
|
|
+
|
|
+ -a, --add Add a OBJECT record NAME
|
|
+ -d, --delete Delete a OBJECT record NAME
|
|
+ -m, --modify Modify a OBJECT record NAME
|
|
+ -l, --list List the OBJECTS
|
|
+ -C, --locallist List OBJECTS local customizations
|
|
+ -D, --deleteall Remove all OBJECTS local customizations
|
|
+
|
|
+ -h, --help Display this message
|
|
+ -n, --noheading Do not print heading when listing OBJECTS
|
|
+ -S, --store Select and alternate SELinux store to manage
|
|
+
|
|
+Object-specific Options (see above):
|
|
+
|
|
+ -f, --ftype File Type of OBJECT
|
|
+ "" (all files)
|
|
+ -- (regular file)
|
|
+ -d (directory)
|
|
+ -c (character device)
|
|
+ -b (block device)
|
|
+ -s (socket)
|
|
+ -l (symbolic link)
|
|
+ -p (named pipe)
|
|
+
|
|
+ -p, --proto Port protocol (tcp or udp)
|
|
+ -P, --prefix Prefix for home directory labeling
|
|
+ -L, --level Default SELinux Level (MLS/MCS Systems only)
|
|
+ -R, --roles SELinux Roles (ex: "sysadm_r staff_r")
|
|
+ -T, --trans SELinux Level Translation (MLS/MCS Systems only)
|
|
+
|
|
+ -s, --seuser SELinux User Name
|
|
+ -t, --type SELinux Type for the object
|
|
+ -r, --range MLS/MCS Security Range (MLS/MCS Systems only)
|
|
+""")
|
|
print message
|
|
sys.exit(1)
|
|
|
|
@@ -112,6 +115,8 @@
|
|
valid_option["translation"] += valid_everyone + [ '-T', '--trans' ]
|
|
valid_option["boolean"] = []
|
|
valid_option["boolean"] += valid_everyone + [ '--on', "--off", "-1", "-0" ]
|
|
+ valid_option["permissive"] = []
|
|
+ valid_option["permissive"] += [ '-a', '--add', '-d', '--delete', '-l', '--list', '-h', '--help', '-n', '--noheading', '-D', '--deleteall' ]
|
|
return valid_option
|
|
|
|
#
|
|
@@ -266,6 +271,9 @@
|
|
if object == "translation":
|
|
OBJECT = seobject.setransRecords()
|
|
|
|
+ if object == "permissive":
|
|
+ OBJECT = seobject.permissiveRecords(store)
|
|
+
|
|
if list:
|
|
OBJECT.list(heading, locallist)
|
|
sys.exit(0);
|
|
@@ -302,6 +310,9 @@
|
|
|
|
if object == "fcontext":
|
|
OBJECT.add(target, setype, ftype, serange, seuser)
|
|
+ if object == "permissive":
|
|
+ OBJECT.add(target)
|
|
+
|
|
sys.exit(0);
|
|
|
|
if modify:
|
|
diff --exclude-from=exclude --exclude=sepolgen-1.0.12 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/semanage.8 policycoreutils-2.0.50/semanage/semanage.8
|
|
--- nsapolicycoreutils/semanage/semanage.8 2008-06-12 23:25:21.000000000 -0400
|
|
+++ policycoreutils-2.0.50/semanage/semanage.8 2008-07-01 09:43:28.000000000 -0400
|
|
@@ -17,6 +17,8 @@
|
|
.br
|
|
.B semanage fcontext \-{a|d|m} [\-frst] file_spec
|
|
.br
|
|
+.B semanage permissive \-{a|d} type
|
|
+.br
|
|
.B semanage translation \-{a|d|m} [\-T] level
|
|
.P
|
|
|
|
@@ -101,10 +103,11 @@
|
|
$ semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?"
|
|
# Allow Apache to listen on port 81
|
|
$ semanage port -a -t http_port_t -p tcp 81
|
|
+# Change apache to a permissive domain
|
|
+$ semanage permissive -a http_t
|
|
.fi
|
|
|
|
.SH "AUTHOR"
|
|
This man page was written by Daniel Walsh <dwalsh@redhat.com> and
|
|
Russell Coker <rcoker@redhat.com>.
|
|
Examples by Thomas Bleher <ThomasBleher@gmx.de>.
|
|
-
|
|
diff --exclude-from=exclude --exclude=sepolgen-1.0.12 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/seobject.py policycoreutils-2.0.50/semanage/seobject.py
|
|
--- nsapolicycoreutils/semanage/seobject.py 2008-06-12 23:25:21.000000000 -0400
|
|
+++ policycoreutils-2.0.50/semanage/seobject.py 2008-07-01 09:43:52.000000000 -0400
|
|
@@ -1,5 +1,5 @@
|
|
#! /usr/bin/python -E
|
|
-# Copyright (C) 2005, 2006, 2007 Red Hat
|
|
+# Copyright (C) 2005, 2006, 2007, 2008 Red Hat
|
|
# see file 'COPYING' for use and warranty information
|
|
#
|
|
# semanage is a tool for managing SELinux configuration files
|
|
@@ -24,7 +24,9 @@
|
|
import pwd, string, selinux, tempfile, os, re, sys
|
|
from semanage import *;
|
|
PROGNAME="policycoreutils"
|
|
+import sepolgen.module as module
|
|
|
|
+import commands
|
|
import gettext
|
|
gettext.bindtextdomain(PROGNAME, "/usr/share/locale")
|
|
gettext.textdomain(PROGNAME)
|
|
@@ -246,7 +248,98 @@
|
|
os.close(fd)
|
|
os.rename(newfilename, self.filename)
|
|
os.system("/sbin/service mcstrans reload > /dev/null")
|
|
-
|
|
+
|
|
+class permissiveRecords:
|
|
+ def __init__(self, store):
|
|
+ self.store = store
|
|
+ self.sh = semanage_handle_create()
|
|
+ if not self.sh:
|
|
+ raise ValueError(_("Could not create semanage handle"))
|
|
+
|
|
+ if store != "":
|
|
+ semanage_select_store(self.sh, store, SEMANAGE_CON_DIRECT);
|
|
+
|
|
+ self.semanaged = semanage_is_managed(self.sh)
|
|
+
|
|
+ if not self.semanaged:
|
|
+ semanage_handle_destroy(self.sh)
|
|
+ raise ValueError(_("SELinux policy is not managed or store cannot be accessed."))
|
|
+
|
|
+ rc = semanage_access_check(self.sh)
|
|
+ if rc < SEMANAGE_CAN_READ:
|
|
+ semanage_handle_destroy(self.sh)
|
|
+ raise ValueError(_("Cannot read policy store."))
|
|
+
|
|
+ rc = semanage_connect(self.sh)
|
|
+ if rc < 0:
|
|
+ semanage_handle_destroy(self.sh)
|
|
+ raise ValueError(_("Could not establish semanage connection"))
|
|
+
|
|
+ def get_all(self):
|
|
+ rc, out = commands.getstatusoutput("semodule -l | grep ^permissive");
|
|
+ l = []
|
|
+ for i in out.split():
|
|
+ if i.startswith("permissive_"):
|
|
+ l.append(i.split("permissive_")[1])
|
|
+ return l
|
|
+
|
|
+ def list(self,heading = 1, locallist = 0):
|
|
+ if heading:
|
|
+ print "\n%-25s\n" % (_("Permissive Types"))
|
|
+ for t in self.get_all():
|
|
+ print t
|
|
+
|
|
+
|
|
+ def add(self, type):
|
|
+ name = "permissive_%s" % type
|
|
+ dirname = "/var/lib/selinux"
|
|
+ os.chdir(dirname)
|
|
+ filename = "%s.te" % name
|
|
+ modtxt = """
|
|
+module %s 1.0;
|
|
+
|
|
+require {
|
|
+ type %s;
|
|
+}
|
|
+
|
|
+permissive %s;
|
|
+""" % (name, type, type)
|
|
+ fd = open(filename,'w')
|
|
+ fd.write(modtxt)
|
|
+ fd.close()
|
|
+ mc = module.ModuleCompiler()
|
|
+ mc.create_module_package(filename, 1)
|
|
+ fd = open("permissive_%s.pp" % type)
|
|
+ data = fd.read()
|
|
+ fd.close()
|
|
+
|
|
+ rc = semanage_module_install(self.sh, data, len(data));
|
|
+ rc = semanage_commit(self.sh)
|
|
+ if rc < 0:
|
|
+ raise ValueError(_("Could not set permissive domain %s") % name)
|
|
+ for root, dirs, files in os.walk("tmp", topdown=False):
|
|
+ for name in files:
|
|
+ os.remove(os.path.join(root, name))
|
|
+ for name in dirs:
|
|
+ os.rmdir(os.path.join(root, name))
|
|
+
|
|
+ if rc != 0:
|
|
+ raise ValueError(out)
|
|
+
|
|
+
|
|
+ def delete(self, name):
|
|
+ for i in name.split
|
|
+ rc = semanage_module_remove(self.sh, "permissive_%s" % name)
|
|
+ rc = semanage_commit(self.sh)
|
|
+ if rc < 0:
|
|
+ raise ValueError(_("Could not remove permissive domain %s") % name)
|
|
+
|
|
+ def deleteall(self):
|
|
+ l = self.get_all()
|
|
+ if len(l) > 0:
|
|
+ all = " permissive_".join(l)
|
|
+ self.delete(all)
|
|
+
|
|
class semanageRecords:
|
|
def __init__(self, store):
|
|
self.sh = semanage_handle_create()
|
|
@@ -464,7 +557,7 @@
|
|
def __init__(self, store = ""):
|
|
semanageRecords.__init__(self, store)
|
|
|
|
- def add(self, name, roles, selevel, serange, prefix):
|
|
+ def add(self, name, roles, selevel, serange, prefix = "user"):
|
|
if is_mls_enabled == 1:
|
|
if serange == "":
|
|
serange = "s0"
|