* [SEMANAGE] Rename seuser -> seuser_local
@ 2006-01-20 23:34 Ivan Gyurdiev
  2006-01-23 12:52 ` Stephen Smalley
  2006-01-27 20:52 ` Stephen Smalley
  0 siblings, 2 replies; 10+ messages in thread
From: Ivan Gyurdiev @ 2006-01-20 23:34 UTC (permalink / raw)
  To: SELinux List; +Cc: Stephen Smalley, Joshua Brindle

[-- Attachment #1: Type: text/plain, Size: 478 bytes --]

The seuser functions and dbase are misnamed, because I originally did
not expect us to have seusers.system. I must have asked about this, but
regardless, I now think that a system file will likely be necessary, so
this patch renames all seuser-related things to _local, which leaves
room for a _policy set of functions. It also updates the dependencies and
the manpages. This is an API change.

I think we should add users_extra.system and seusers.system into the 
package format.
 


[-- Attachment #2: libsemanage.local_seuser.diff --]
[-- Type: text/x-patch, Size: 39124 bytes --]

diff -Naurp --exclude-from excludes old/libsemanage/include/semanage/semanage.h new/libsemanage/include/semanage/semanage.h
--- old/libsemanage/include/semanage/semanage.h	2006-01-04 10:18:11.000000000 -0700
+++ new/libsemanage/include/semanage/semanage.h	2006-01-20 16:00:22.000000000 -0700
@@ -42,7 +42,7 @@
 #include <semanage/users_policy.h>
 #include <semanage/fcontexts_local.h>
 #include <semanage/fcontexts_policy.h>
-#include <semanage/seusers.h>
+#include <semanage/seusers_local.h>
 #include <semanage/ports_local.h>
 #include <semanage/ports_policy.h>
 #include <semanage/interfaces_local.h>
diff -Naurp --exclude-from excludes old/libsemanage/include/semanage/seusers.h new/libsemanage/include/semanage/seusers.h
--- old/libsemanage/include/semanage/seusers.h	2006-01-13 06:37:09.000000000 -0700
+++ new/libsemanage/include/semanage/seusers.h	1969-12-31 17:00:00.000000000 -0700
@@ -1,44 +0,0 @@
-/* Copyright (C) 2005 Red Hat, Inc. */
-
-#ifndef _SEMANAGE_SEUSERS_H_
-#define _SEMANAGE_SEUSERS_H_
-
-#include <semanage/seuser_record.h>
-#include <semanage/handle.h>
-
-extern int semanage_seuser_modify(
-	semanage_handle_t* handle,
-	const semanage_seuser_key_t* key,
-	const semanage_seuser_t* data);
-
-extern int semanage_seuser_del(
-	semanage_handle_t* handle,
-	const semanage_seuser_key_t* key);
-
-extern int semanage_seuser_query(
-	semanage_handle_t* handle,
-	const semanage_seuser_key_t* key,
-	semanage_seuser_t** response);
-
-extern int semanage_seuser_exists(
-	semanage_handle_t* handle,
-	const semanage_seuser_key_t* key,
-	int* response);
-
-extern int semanage_seuser_count(
-	semanage_handle_t* handle,
-	unsigned int* response);
-
-extern int semanage_seuser_iterate(
-	semanage_handle_t* handle,
-	int (*handler) (
-		const semanage_seuser_t* record,
-		void* varg),
-	void* handler_arg);
-
-extern int semanage_seuser_list(
-	semanage_handle_t* handle,
-	semanage_seuser_t*** records,
-	unsigned int* count);
-
-#endif 
diff -Naurp --exclude-from excludes old/libsemanage/include/semanage/seusers_local.h new/libsemanage/include/semanage/seusers_local.h
--- old/libsemanage/include/semanage/seusers_local.h	1969-12-31 17:00:00.000000000 -0700
+++ new/libsemanage/include/semanage/seusers_local.h	2006-01-20 16:00:08.000000000 -0700
@@ -0,0 +1,44 @@
+/* Copyright (C) 2005 Red Hat, Inc. */
+
+#ifndef _SEMANAGE_SEUSERS_H_
+#define _SEMANAGE_SEUSERS_H_
+
+#include <semanage/seuser_record.h>
+#include <semanage/handle.h>
+
+extern int semanage_seuser_modify_local(
+	semanage_handle_t* handle,
+	const semanage_seuser_key_t* key,
+	const semanage_seuser_t* data);
+
+extern int semanage_seuser_del_local(
+	semanage_handle_t* handle,
+	const semanage_seuser_key_t* key);
+
+extern int semanage_seuser_query_local(
+	semanage_handle_t* handle,
+	const semanage_seuser_key_t* key,
+	semanage_seuser_t** response);
+
+extern int semanage_seuser_exists_local(
+	semanage_handle_t* handle,
+	const semanage_seuser_key_t* key,
+	int* response);
+
+extern int semanage_seuser_count_local(
+	semanage_handle_t* handle,
+	unsigned int* response);
+
+extern int semanage_seuser_iterate_local(
+	semanage_handle_t* handle,
+	int (*handler) (
+		const semanage_seuser_t* record,
+		void* varg),
+	void* handler_arg);
+
+extern int semanage_seuser_list_local(
+	semanage_handle_t* handle,
+	semanage_seuser_t*** records,
+	unsigned int* count);
+
+#endif 
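Review bot: The include guard in the new seusers_local.h is still `_SEMANAGE_SEUSERS_H_`, the name used by the removed seusers.h, so if a later seusers.h or seusers_policy.h reuses that guard, whichever header is included second would have its declarations skipped. Rename the guard to match the file: `#ifndef _SEMANAGE_SEUSERS_LOCAL_H_` / `#define _SEMANAGE_SEUSERS_LOCAL_H_`. The seven prototypes also carry no comments; a one-line comment above each saying it operates on the local store only would keep callers from assuming these functions see every login mapping once the policy/system set that the description anticipates exists.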
diff -Naurp --exclude-from excludes old/libsemanage/man/man3/semanage_bool_del_local.3 new/libsemanage/man/man3/semanage_bool_del_local.3
--- old/libsemanage/man/man3/semanage_bool_del_local.3	1969-12-31 17:00:00.000000000 -0700
+++ new/libsemanage/man/man3/semanage_bool_del_local.3	2006-01-20 16:14:16.000000000 -0700
@@ -0,0 +1 @@
+.so man3/semanage_user_del_local.3
diff -Naurp --exclude-from excludes old/libsemanage/man/man3/semanage_fcontext_del_local.3 new/libsemanage/man/man3/semanage_fcontext_del_local.3
--- old/libsemanage/man/man3/semanage_fcontext_del_local.3	1969-12-31 17:00:00.000000000 -0700
+++ new/libsemanage/man/man3/semanage_fcontext_del_local.3	2006-01-20 16:14:35.000000000 -0700
@@ -0,0 +1 @@
+.so man3/semanage_user_del_local.3
diff -Naurp --exclude-from excludes old/libsemanage/man/man3/semanage_iface_del_local.3 new/libsemanage/man/man3/semanage_iface_del_local.3
--- old/libsemanage/man/man3/semanage_iface_del_local.3	1969-12-31 17:00:00.000000000 -0700
+++ new/libsemanage/man/man3/semanage_iface_del_local.3	2006-01-20 16:14:10.000000000 -0700
@@ -0,0 +1 @@
+.so man3/semanage_user_del_local.3
diff -Naurp --exclude-from excludes old/libsemanage/man/man3/semanage_port_del_local.3 new/libsemanage/man/man3/semanage_port_del_local.3
--- old/libsemanage/man/man3/semanage_port_del_local.3	1969-12-31 17:00:00.000000000 -0700
+++ new/libsemanage/man/man3/semanage_port_del_local.3	2006-01-20 16:14:27.000000000 -0700
@@ -0,0 +1 @@
+.so man3/semanage_user_del_local.3
diff -Naurp --exclude-from excludes old/libsemanage/man/man3/semanage_seuser_count.3 new/libsemanage/man/man3/semanage_seuser_count.3
--- old/libsemanage/man/man3/semanage_seuser_count.3	2006-01-05 06:26:19.000000000 -0700
+++ new/libsemanage/man/man3/semanage_seuser_count.3	1969-12-31 17:00:00.000000000 -0700
@@ -1 +0,0 @@
-.so man3/semanage_user_count_local.3
diff -Naurp --exclude-from excludes old/libsemanage/man/man3/semanage_seuser_count_local.3 new/libsemanage/man/man3/semanage_seuser_count_local.3
--- old/libsemanage/man/man3/semanage_seuser_count_local.3	1969-12-31 17:00:00.000000000 -0700
+++ new/libsemanage/man/man3/semanage_seuser_count_local.3	2006-01-04 17:29:50.000000000 -0700
@@ -0,0 +1 @@
+.so man3/semanage_user_count_local.3
diff -Naurp --exclude-from excludes old/libsemanage/man/man3/semanage_seuser_del_local.3 new/libsemanage/man/man3/semanage_seuser_del_local.3
--- old/libsemanage/man/man3/semanage_seuser_del_local.3	1969-12-31 17:00:00.000000000 -0700
+++ new/libsemanage/man/man3/semanage_seuser_del_local.3	2006-01-20 16:12:35.000000000 -0700
@@ -0,0 +1 @@
+.so man3/semanage_user_del_local.3
diff -Naurp --exclude-from excludes old/libsemanage/man/man3/semanage_seuser_exists.3 new/libsemanage/man/man3/semanage_seuser_exists.3
--- old/libsemanage/man/man3/semanage_seuser_exists.3	2006-01-05 06:26:19.000000000 -0700
+++ new/libsemanage/man/man3/semanage_seuser_exists.3	1969-12-31 17:00:00.000000000 -0700
@@ -1 +0,0 @@
-.so man3/semanage_user_exists_local.3
diff -Naurp --exclude-from excludes old/libsemanage/man/man3/semanage_seuser_exists_local.3 new/libsemanage/man/man3/semanage_seuser_exists_local.3
--- old/libsemanage/man/man3/semanage_seuser_exists_local.3	1969-12-31 17:00:00.000000000 -0700
+++ new/libsemanage/man/man3/semanage_seuser_exists_local.3	2006-01-04 16:30:54.000000000 -0700
@@ -0,0 +1 @@
+.so man3/semanage_user_exists_local.3
diff -Naurp --exclude-from excludes old/libsemanage/man/man3/semanage_seuser_iterate.3 new/libsemanage/man/man3/semanage_seuser_iterate.3
--- old/libsemanage/man/man3/semanage_seuser_iterate.3	2006-01-05 06:26:19.000000000 -0700
+++ new/libsemanage/man/man3/semanage_seuser_iterate.3	1969-12-31 17:00:00.000000000 -0700
@@ -1 +0,0 @@
-.so man3/semanage_user_iterate_local.3
diff -Naurp --exclude-from excludes old/libsemanage/man/man3/semanage_seuser_iterate_local.3 new/libsemanage/man/man3/semanage_seuser_iterate_local.3
--- old/libsemanage/man/man3/semanage_seuser_iterate_local.3	1969-12-31 17:00:00.000000000 -0700
+++ new/libsemanage/man/man3/semanage_seuser_iterate_local.3	2006-01-04 16:55:35.000000000 -0700
@@ -0,0 +1 @@
+.so man3/semanage_user_iterate_local.3
diff -Naurp --exclude-from excludes old/libsemanage/man/man3/semanage_seuser_list.3 new/libsemanage/man/man3/semanage_seuser_list.3
--- old/libsemanage/man/man3/semanage_seuser_list.3	2006-01-05 06:26:19.000000000 -0700
+++ new/libsemanage/man/man3/semanage_seuser_list.3	1969-12-31 17:00:00.000000000 -0700
@@ -1 +0,0 @@
-.so man3/semanage_user_list_local.3
diff -Naurp --exclude-from excludes old/libsemanage/man/man3/semanage_seuser_list_local.3 new/libsemanage/man/man3/semanage_seuser_list_local.3
--- old/libsemanage/man/man3/semanage_seuser_list_local.3	1969-12-31 17:00:00.000000000 -0700
+++ new/libsemanage/man/man3/semanage_seuser_list_local.3	2006-01-04 17:09:26.000000000 -0700
@@ -0,0 +1 @@
+.so man3/semanage_user_list_local.3
diff -Naurp --exclude-from excludes old/libsemanage/man/man3/semanage_seuser_modify.3 new/libsemanage/man/man3/semanage_seuser_modify.3
--- old/libsemanage/man/man3/semanage_seuser_modify.3	2006-01-05 06:26:19.000000000 -0700
+++ new/libsemanage/man/man3/semanage_seuser_modify.3	1969-12-31 17:00:00.000000000 -0700
@@ -1 +0,0 @@
-.so man3/semanage_user_modify_local.3
diff -Naurp --exclude-from excludes old/libsemanage/man/man3/semanage_seuser_modify_local.3 new/libsemanage/man/man3/semanage_seuser_modify_local.3
--- old/libsemanage/man/man3/semanage_seuser_modify_local.3	1969-12-31 17:00:00.000000000 -0700
+++ new/libsemanage/man/man3/semanage_seuser_modify_local.3	2006-01-04 08:42:28.000000000 -0700
@@ -0,0 +1 @@
+.so man3/semanage_user_modify_local.3
diff -Naurp --exclude-from excludes old/libsemanage/man/man3/semanage_seuser_query.3 new/libsemanage/man/man3/semanage_seuser_query.3
--- old/libsemanage/man/man3/semanage_seuser_query.3	2006-01-05 06:26:19.000000000 -0700
+++ new/libsemanage/man/man3/semanage_seuser_query.3	1969-12-31 17:00:00.000000000 -0700
@@ -1 +0,0 @@
-.so man3/semanage_user_query_local.3
diff -Naurp --exclude-from excludes old/libsemanage/man/man3/semanage_seuser_query_local.3 new/libsemanage/man/man3/semanage_seuser_query_local.3
--- old/libsemanage/man/man3/semanage_seuser_query_local.3	1969-12-31 17:00:00.000000000 -0700
+++ new/libsemanage/man/man3/semanage_seuser_query_local.3	2006-01-04 16:24:34.000000000 -0700
@@ -0,0 +1 @@
+.so man3/semanage_user_query_local.3
diff -Naurp --exclude-from excludes old/libsemanage/man/man3/semanage_user_count_local.3 new/libsemanage/man/man3/semanage_user_count_local.3
--- old/libsemanage/man/man3/semanage_user_count_local.3	2006-01-05 06:26:19.000000000 -0700
+++ new/libsemanage/man/man3/semanage_user_count_local.3	2006-01-20 16:13:05.000000000 -0700
@@ -1,4 +1,4 @@
-.TH semanage_user_count_local 3 "4 January 2006" "ivg2@cornell.edu" "Libsemanage API documentation"
+.TH semanage_user_count_local 3 "20 January 2006" "ivg2@cornell.edu" "Libsemanage API documentation"
 .SH "NAME"
 .B semanage_user_count \-
 return the number of users users in the persistent policy
@@ -33,8 +33,8 @@ return the number of context specificati
 .B semanage_fcontext_count_local \- 
 return the number of context specifications in the local store
 .br
-.B semanage_seuser_count \- 
-return the number of seusers (login mappings)
+.B semanage_seuser_count_local \- 
+return the number of seusers (login mappings) in the local store
 
 .SH "SYNOPSIS"
 .B #include <semanage/users_policy.h>
@@ -59,7 +59,7 @@ return the number of seusers (login mapp
 .br
 .B #include <semanage/fcontexts_local.h>
 .br
-.B #include <semanage/seusers.h>
+.B #include <semanage/seusers_local.h>
 .sp
 
 .B FUNCTION: 
diff -Naurp --exclude-from excludes old/libsemanage/man/man3/semanage_user_del_local.3 new/libsemanage/man/man3/semanage_user_del_local.3
--- old/libsemanage/man/man3/semanage_user_del_local.3	2006-01-06 07:36:30.000000000 -0700
+++ new/libsemanage/man/man3/semanage_user_del_local.3	2006-01-20 16:12:58.000000000 -0700
@@ -1,4 +1,4 @@
-.TH semanage_user_del_local 3 "4 January 2006" "ivg2@cornell.edu" "Libsemanage API documentation"
+.TH semanage_user_del_local 3 "20 January 2006" "ivg2@cornell.edu" "Libsemanage API documentation"
 .SH "NAME"
 .B semanage_user_del_local \- 
 delete a user from the local store
@@ -15,8 +15,8 @@ delete a network interface from the loca
 .B semanage_fcontext_del_local \- 
 delete a context specification from the local store
 .br
-.B semanage_seuser_del \- 
-delete a seuser (login mapping)
+.B semanage_seuser_del_local \- 
+delete a seuser (login mapping) from the local store
 
 .SH "SYNOPSIS"
 .B #include <semanage/users_local.h> 
@@ -29,7 +29,7 @@ delete a seuser (login mapping)
 .br
 .B #include <semanage/fcontexts_local.h>
 .br
-.B #include <semanage/seusers.h>
+.B #include <semanage/seusers_local.h>
 .sp
 
 .B FUNCTION: 
diff -Naurp --exclude-from excludes old/libsemanage/man/man3/semanage_user_exists_local.3 new/libsemanage/man/man3/semanage_user_exists_local.3
--- old/libsemanage/man/man3/semanage_user_exists_local.3	2006-01-06 07:36:30.000000000 -0700
+++ new/libsemanage/man/man3/semanage_user_exists_local.3	2006-01-20 16:13:14.000000000 -0700
@@ -1,4 +1,4 @@
-.TH semanage_user_exists_local 3 "4 January 2006" "ivg2@cornell.edu" "Libsemanage API documentation"
+.TH semanage_user_exists_local 3 "20 January 2006" "ivg2@cornell.edu" "Libsemanage API documentation"
 .SH "NAME"
 .B semanage_user_exists \-
 check if a user exists in the persistent policy
@@ -33,8 +33,8 @@ check if a context specification exists 
 .B semanage_fcontext_exists_local \- 
 check if a context specification exists in the local store
 .br
-.B semanage_seuser_exists \- 
-check if a seuser exists (login mapping)
+.B semanage_seuser_exists_local \- 
+check if a seuser (login mapping) exists in the local store
 
 .SH "SYNOPSIS"
 .B #include <semanage/users_policy.h>
@@ -59,7 +59,7 @@ check if a seuser exists (login mapping)
 .br
 .B #include <semanage/fcontexts_local.h>
 .br
-.B #include <semanage/seusers.h>
+.B #include <semanage/seusers_local.h>
 .sp
 
 .B FUNCTION: 
diff -Naurp --exclude-from excludes old/libsemanage/man/man3/semanage_user_iterate_local.3 new/libsemanage/man/man3/semanage_user_iterate_local.3
--- old/libsemanage/man/man3/semanage_user_iterate_local.3	2006-01-06 07:36:30.000000000 -0700
+++ new/libsemanage/man/man3/semanage_user_iterate_local.3	2006-01-20 16:13:32.000000000 -0700
@@ -1,4 +1,4 @@
-.TH semanage_user_iterate_local 3 "4 January 2006" "ivg2@cornell.edu" "Libsemanage API documentation"
+.TH semanage_user_iterate_local 3 "20 January 2006" "ivg2@cornell.edu" "Libsemanage API documentation"
 .SH "NAME"
 .B semanage_user_iterate \-
 execute a callback for all users users in the persistent policy
@@ -33,8 +33,8 @@ execute a callback for all context speci
 .B semanage_fcontext_iterate_local \- 
 execute a callback for all context specifications in the local store
 .br
-.B semanage_seuser_iterate \- 
-execute a callback for all seusers (login mappings)
+.B semanage_seuser_iterate_local \- 
+execute a callback for all seusers (login mappings) in the local store
 
 .SH "SYNOPSIS"
 .B #include <semanage/users_policy.h>
@@ -59,7 +59,7 @@ execute a callback for all seusers (logi
 .br
 .B #include <semanage/fcontexts_local.h>
 .br
-.B #include <semanage/seusers.h>
+.B #include <semanage/seusers_local.h>
 .sp
 
 .B FUNCTION: 
diff -Naurp --exclude-from excludes old/libsemanage/man/man3/semanage_user_list_local.3 new/libsemanage/man/man3/semanage_user_list_local.3
--- old/libsemanage/man/man3/semanage_user_list_local.3	2006-01-13 06:37:09.000000000 -0700
+++ new/libsemanage/man/man3/semanage_user_list_local.3	2006-01-20 16:13:54.000000000 -0700
@@ -1,4 +1,4 @@
-.TH semanage_user_list_local 3 "4 January 2006" "ivg2@cornell.edu" "Libsemanage API documentation"
+.TH semanage_user_list_local 3 "20 January 2006" "ivg2@cornell.edu" "Libsemanage API documentation"
 .SH "NAME"
 .B semanage_user_list \-
 list all users users in the persistent policy
@@ -33,8 +33,8 @@ list all context specifications in the p
 .B semanage_fcontext_list_local \- 
 list all context specifications in the local store
 .br
-.B semanage_seuser_list \- 
-list all seusers (login mappings)
+.B semanage_seuser_list_local \- 
+list all seusers (login mappings) in the local store
 
 .SH "SYNOPSIS"
 .B #include <semanage/users_policy.h>
@@ -59,7 +59,7 @@ list all seusers (login mappings)
 .br
 .B #include <semanage/fcontexts_local.h>
 .br
-.B #include <semanage/seusers.h>
+.B #include <semanage/seusers_local.h>
 .sp
 
 .B FUNCTION: 
diff -Naurp --exclude-from excludes old/libsemanage/man/man3/semanage_user_modify_local.3 new/libsemanage/man/man3/semanage_user_modify_local.3
--- old/libsemanage/man/man3/semanage_user_modify_local.3	2006-01-13 06:37:09.000000000 -0700
+++ new/libsemanage/man/man3/semanage_user_modify_local.3	2006-01-20 16:13:42.000000000 -0700
@@ -1,4 +1,4 @@
-.TH semanage_user_modify_local 3 "4 January 2006" "ivg2@cornell.edu" "Libsemanage API documentation"
+.TH semanage_user_modify_local 3 "20 January 2006" "ivg2@cornell.edu" "Libsemanage API documentation"
 .SH "NAME"
 .B semanage_user_modify_local \- 
 add or update a user in the local store
@@ -15,8 +15,8 @@ add or update an interface in the local 
 .B semanage_fcontext_modify_local \- 
 add or override a context specification in the local store
 .br
-.B semanage_seuser_modify \- 
-add or update a seuser (login mapping)
+.B semanage_seuser_modify_local \- 
+add or update a seuser (login mapping) in the local store
 
 .SH "SYNOPSIS"
 .B #include <semanage/users_local.h> 
@@ -29,7 +29,7 @@ add or update a seuser (login mapping)
 .br
 .B #include <semanage/fcontexts_local.h>
 .br
-.B #include <semanage/seusers.h>
+.B #include <semanage/seusers_local.h>
 .sp
 
 .B FUNCTION: 
diff -Naurp --exclude-from excludes old/libsemanage/man/man3/semanage_user_query_local.3 new/libsemanage/man/man3/semanage_user_query_local.3
--- old/libsemanage/man/man3/semanage_user_query_local.3	2006-01-06 07:36:30.000000000 -0700
+++ new/libsemanage/man/man3/semanage_user_query_local.3	2006-01-20 16:13:23.000000000 -0700
@@ -1,4 +1,4 @@
-.TH semanage_user_query_local 3 "4 January 2006" "ivg2@cornell.edu" "Libsemanage API documentation"
+.TH semanage_user_query_local 3 "20 January 2006" "ivg2@cornell.edu" "Libsemanage API documentation"
 .SH "NAME"
 .B semanage_user_query \-
 query a user in the persistent policy
@@ -33,8 +33,8 @@ query a context specification in the per
 .B semanage_fcontext_query_local \- 
 query a context specification in the local store
 .br
-.B semanage_seuser_query \- 
-query a seuser (login mapping)
+.B semanage_seuser_query_local \- 
+query a seuser (login mapping) in the local store
 
 .SH "SYNOPSIS"
 .B #include <semanage/users_policy.h>
@@ -59,7 +59,7 @@ query a seuser (login mapping)
 .br
 .B #include <semanage/fcontexts_local.h>
 .br
-.B #include <semanage/seusers.h>
+.B #include <semanage/seusers_local.h>
 .sp
 
 .B FUNCTION: 
diff -Naurp --exclude-from excludes old/libsemanage/src/direct_api.c new/libsemanage/src/direct_api.c
--- old/libsemanage/src/direct_api.c	2006-01-18 09:03:28.000000000 -0700
+++ new/libsemanage/src/direct_api.c	2006-01-20 16:04:13.000000000 -0700
@@ -139,7 +139,7 @@ int semanage_direct_connect(semanage_han
 		semanage_fcontext_dbase_local(sh)) < 0)
 		goto err;
 
-	if (seuser_file_dbase_init(sh, semanage_seuser_dbase(sh)) < 0)
+	if (seuser_file_dbase_init(sh, semanage_seuser_dbase_local(sh)) < 0)
 		goto err;
 
 	if (user_extra_file_dbase_init(sh, "users_extra.system",
@@ -208,7 +208,7 @@ static int semanage_direct_disconnect(se
 	iface_file_dbase_release(semanage_iface_dbase_local(sh));
 	bool_file_dbase_release(semanage_bool_dbase_local(sh));
 	fcontext_file_dbase_release(semanage_fcontext_dbase_local(sh));
-	seuser_file_dbase_release(semanage_seuser_dbase(sh));
+	seuser_file_dbase_release(semanage_seuser_dbase_local(sh));
 
 	user_extra_file_dbase_release(semanage_user_extra_dbase_system(sh));
 
@@ -399,7 +399,7 @@ static int semanage_direct_commit(semana
 	dbase_config_t* pifaces = semanage_iface_dbase_policy(sh);
 	dbase_config_t* fcontexts = semanage_fcontext_dbase_local(sh);
 	dbase_config_t* pfcontexts = semanage_fcontext_dbase_policy(sh);
-	dbase_config_t* seusers = semanage_seuser_dbase(sh);
+	dbase_config_t* seusers = semanage_seuser_dbase_local(sh);
 
 	/* Before we do anything else, flush the join to its component parts.
 	 * This *does not* flush to disk automatically */
@@ -503,11 +503,9 @@ static int semanage_direct_commit(semana
 			goto cleanup;
 	}
 
-	/* Validate seusers against policy
-	 * if either policy changed, or seusers changed,
-	 * or we forced a rebuild */
+	/* Validate local seusers against policy */
 	if (sh->do_rebuild || modified || seusers_modified) {
-		if (semanage_seuser_validate(sh, out) < 0) 
+		if (semanage_seuser_validate_local(sh, out) < 0) 
 			goto cleanup;
 	}
 
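Review bot: The shortened comment above `if (sh->do_rebuild || modified || seusers_modified)` no longer says why each of the three flags triggers validation, and this is the step that rejects a login mapping whose SELinux user does not exist or whose MLS range exceeds that user's range (see validate_handler in the removed seusers.c). Keep the rationale, e.g. `/* Validate local seusers against policy whenever the policy changed, the seusers changed, or a rebuild was forced */`. Once the seusers.system file that the description anticipates exists, it presumably needs the same validation at this point; a `/* TODO: validate system seusers as well */` marker would record that. semanage_direct_commit starts and ends outside this hunk.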
diff -Naurp --exclude-from excludes old/libsemanage/src/handle.h new/libsemanage/src/handle.h
--- old/libsemanage/src/handle.h	2006-01-18 09:03:28.000000000 -0700
+++ new/libsemanage/src/handle.h	2006-01-20 16:03:54.000000000 -0700
@@ -86,7 +86,7 @@ struct semanage_handle {
 #define DBASE_LOCAL_INTERFACES  4
 #define DBASE_LOCAL_BOOLEANS    5
 #define DBASE_LOCAL_FCONTEXTS	6
-#define DBASE_SEUSERS           7
+#define DBASE_LOCAL_SEUSERS     7
 
 /* Policy */
 #define DBASE_SYSTEM_USERS_EXTRA 8
@@ -141,8 +141,8 @@ dbase_config_t* semanage_fcontext_dbase_
 }
 
 static inline
-dbase_config_t* semanage_seuser_dbase(semanage_handle_t* handle) {
-	return &handle->dbase[DBASE_SEUSERS];
+dbase_config_t* semanage_seuser_dbase_local(semanage_handle_t* handle) {
+	return &handle->dbase[DBASE_LOCAL_SEUSERS];
 }
 
 static inline
diff -Naurp --exclude-from excludes old/libsemanage/src/policy_components.c new/libsemanage/src/policy_components.c
--- old/libsemanage/src/policy_components.c	2006-01-18 09:03:28.000000000 -0700
+++ new/libsemanage/src/policy_components.c	2006-01-20 16:23:16.000000000 -0700
@@ -199,7 +199,7 @@ int semanage_commit_components(
 		semanage_port_dbase_local(handle),
 		semanage_fcontext_dbase_local(handle),
 		semanage_fcontext_dbase_policy(handle),
-		semanage_seuser_dbase(handle),
+		semanage_seuser_dbase_local(handle),
 		semanage_bool_dbase_active(handle),
 	};
 	const int CCOUNT = sizeof(components)/sizeof(components[0]);
diff -Naurp --exclude-from excludes old/libsemanage/src/pywrap-test.py new/libsemanage/src/pywrap-test.py
--- old/libsemanage/src/pywrap-test.py	2006-01-18 09:03:28.000000000 -0700
+++ new/libsemanage/src/pywrap-test.py	2006-01-20 16:28:01.000000000 -0700
@@ -132,7 +132,7 @@ class Tests:
 	def test_seusers(self,sh):
 		print "Testing seusers..."
 
-		(status, slist, slist_size) = semanage.semanage_seuser_list(sh)
+		(status, slist, slist_size) = semanage.semanage_seuser_list_local(sh)
 		if status < 0:
 			raise Error("Could not list seusers")
 		print "Query status (commit number): ", status
@@ -434,13 +434,13 @@ class Tests:
 			raise Error("Could not extract SEUser key")
                 if self.verbose: print "SEUser key extracted: ", key
 	
-                (status,exists) = semanage.semanage_seuser_exists(sh,key)
+                (status,exists) = semanage.semanage_seuser_exists_local(sh,key)
 		if status < 0:
 			raise Error("Could not check if SEUser exists")
 		if self.verbose: print "Exists status (commit number): ", status
 
 		if exists:
-			(status, old_seuser) = semanage.semanage_seuser_query(sh, key)
+			(status, old_seuser) = semanage.semanage_seuser_query_local(sh, key)
 			if status < 0:
 				raise Error("Could not query old SEUser")
 			if self.verbose: print "Query status (commit number): ", status
@@ -450,7 +450,7 @@ class Tests:
 		if status < 0:
 			raise Error("Could not start semanage transaction")
 
-		status = semanage.semanage_seuser_modify(sh,key,seuser)
+		status = semanage.semanage_seuser_modify_local(sh,key,seuser)
 		if status < 0:
 			raise Error("Could not modify SEUser")
 
@@ -465,13 +465,13 @@ class Tests:
 
 		if not exists:
 			print "Removing seuser..."
-			status = semanage.semanage_seuser_del(sh, key)
+			status = semanage.semanage_seuser_del_local(sh, key)
 			if status < 0:
 				raise Error("Could not delete test SEUser")
 			if self.verbose: print "Seuser delete: ", status
 		else:
 			print "Resetting seuser..."
-			status = semanage.semanage_seuser_modify(sh, key, old_seuser)
+			status = semanage.semanage_seuser_modify_local(sh, key, old_seuser)
 			if status < 0:
 				raise Error("Could not reset test SEUser")
 			if self.verbose: print "Seuser modify: ", status
diff -Naurp --exclude-from excludes old/libsemanage/src/semanageswig.i new/libsemanage/src/semanageswig.i
--- old/libsemanage/src/semanageswig.i	2006-01-13 06:37:34.000000000 -0700
+++ new/libsemanage/src/semanageswig.i	2006-01-20 16:01:30.000000000 -0700
@@ -41,7 +41,7 @@
 	#include "semanage/fcontext_record.h"
 	#include "semanage/fcontexts_local.h"
 	#include "semanage/fcontexts_policy.h"
-	#include "semanage/seusers.h"	
+	#include "semanage/seusers_local.h"	
 	#include "semanage/semanage.h"
 %}
 
@@ -310,5 +310,5 @@
 %include "../include/semanage/fcontexts_local.h"
 %include "../include/semanage/fcontexts_policy.h"
 %include "../include/semanage/seuser_record.h"
-%include "../include/semanage/seusers.h"
+%include "../include/semanage/seusers_local.h"
 %include "../include/semanage/semanage.h"
diff -Naurp --exclude-from excludes old/libsemanage/src/seuser_internal.h new/libsemanage/src/seuser_internal.h
--- old/libsemanage/src/seuser_internal.h	2006-01-06 07:36:31.000000000 -0700
+++ new/libsemanage/src/seuser_internal.h	2006-01-20 16:02:05.000000000 -0700
@@ -2,7 +2,7 @@
 #define _SEMANAGE_SEUSER_INTERNAL_H_
 
 #include <semanage/seuser_record.h>
-#include <semanage/seusers.h>
+#include <semanage/seusers_local.h>
 #include <sepol/policydb.h>
 #include "database.h"
 #include "handle.h"
@@ -16,13 +16,13 @@ hidden_proto(semanage_seuser_free)
 hidden_proto(semanage_seuser_get_mlsrange)
 hidden_proto(semanage_seuser_get_name)
 hidden_proto(semanage_seuser_get_sename)
-hidden_proto(semanage_seuser_iterate)
 hidden_proto(semanage_seuser_key_create)
 hidden_proto(semanage_seuser_key_extract)
 hidden_proto(semanage_seuser_key_free)
 hidden_proto(semanage_seuser_set_mlsrange)
 hidden_proto(semanage_seuser_set_name)
 hidden_proto(semanage_seuser_set_sename)
+hidden_proto(semanage_seuser_iterate_local)
 
 /* SEUSER RECORD: method table */
 extern record_table_t SEMANAGE_SEUSER_RTABLE;
@@ -34,7 +34,7 @@ extern int seuser_file_dbase_init(
 extern void seuser_file_dbase_release(
 	dbase_config_t* dconfig);
 
-extern int hidden semanage_seuser_validate(
+extern int hidden semanage_seuser_validate_local(
 	semanage_handle_t* handle,
 	const sepol_policydb_t* policydb);
 
diff -Naurp --exclude-from excludes old/libsemanage/src/seusers.c new/libsemanage/src/seusers.c
--- old/libsemanage/src/seusers.c	2006-01-13 06:37:34.000000000 -0700
+++ new/libsemanage/src/seusers.c	1969-12-31 17:00:00.000000000 -0700
@@ -1,164 +0,0 @@
-/* Copyright (C) 2005 Red Hat, Inc. */
-
-struct semanage_seuser;
-struct semanage_seuser_key;
-typedef struct semanage_seuser_key record_key_t;
-typedef struct semanage_seuser record_t;
-#define DBASE_RECORD_DEFINED
-
-#include <sepol/policydb.h>
-#include <sepol/context.h>
-#include "user_internal.h"
-#include "seuser_internal.h"
-#include "handle.h"
-#include "database.h"
-#include "debug.h"
-
-int semanage_seuser_modify(
-	semanage_handle_t* handle,
-	const semanage_seuser_key_t* key,
-	const semanage_seuser_t* data) {
-
-	dbase_config_t* dconfig = semanage_seuser_dbase(handle);	
-	return dbase_modify(handle, dconfig, key, data);
-}
-
-int semanage_seuser_del(
-	semanage_handle_t* handle,
-	const semanage_seuser_key_t* key) {
-
-	dbase_config_t* dconfig = semanage_seuser_dbase(handle);
-	return dbase_del(handle, dconfig, key);
-}
-
-int semanage_seuser_query(
-	semanage_handle_t* handle,
-	const semanage_seuser_key_t* key,
-	semanage_seuser_t** response) {
-
-	dbase_config_t* dconfig = semanage_seuser_dbase(handle);
-	return dbase_query(handle, dconfig, key, response);
-}
-
-int semanage_seuser_exists(
-	semanage_handle_t* handle,
-	const semanage_seuser_key_t* key,
-	int* response) {
-
-	dbase_config_t* dconfig = semanage_seuser_dbase(handle);
-	return dbase_exists(handle, dconfig, key, response);
-}
-
-int semanage_seuser_count(
-	semanage_handle_t* handle,
-	unsigned int* response) {
-
-	dbase_config_t* dconfig = semanage_seuser_dbase(handle);
-	return dbase_count(handle, dconfig, response);
-}
-
-int semanage_seuser_iterate(
-	semanage_handle_t* handle,
-	int (*handler) (
-		const semanage_seuser_t* record,
-		void* varg),
-	void* handler_arg) {
-
-	dbase_config_t* dconfig = semanage_seuser_dbase(handle);
-	return dbase_iterate(handle, dconfig, handler, handler_arg);
-}
-hidden_def(semanage_seuser_iterate)
-
-int semanage_seuser_list(
-	semanage_handle_t* handle,
-	semanage_seuser_t*** records,
-	unsigned int* count) {
-
-	dbase_config_t* dconfig = semanage_seuser_dbase(handle);
-	return dbase_list(handle, dconfig, records, count);
-}
-
-struct validate_handler_arg {
-	semanage_handle_t* handle;
-	const sepol_policydb_t* policydb;
-};
-
-static int validate_handler(
-	const semanage_seuser_t* seuser,
-	void* varg) {
-
-	semanage_user_t* user = NULL;
-	semanage_user_key_t* key = NULL;
-	int exists, mls_ok;
-
-	/* Unpack varg */
-	struct validate_handler_arg* arg = 
-		(struct validate_handler_arg*) varg;
-	semanage_handle_t* handle = arg->handle;
-	const sepol_policydb_t* policydb = arg->policydb;
-
-	/* Unpack seuser */
-	const char* name = semanage_seuser_get_name(seuser);
-	const char* sename = semanage_seuser_get_sename(seuser);
-	const char* mls_range = semanage_seuser_get_mlsrange(seuser);
-	const char* user_mls_range;
-
-	/* Make sure the (SElinux) user exists */
-	if (semanage_user_key_create(handle, sename, &key) < 0)
-		goto err;
-	if (semanage_user_exists(handle, key, &exists) < 0)
-		goto err;
-	if (!exists) {
-		ERR(handle, "selinux user %s does not exist", sename);
-		goto invalid;
-	}
-
-	/* Verify that the mls range is valid, and that it's contained
-	 * within the (SELinux) user mls range */
-	if (mls_range) {
-
-		if (semanage_user_query(handle, key, &user) < 0)
-			goto err;
-		user_mls_range = semanage_user_get_mlsrange(user);
-
-		if (sepol_mls_check(handle->sepolh, policydb, mls_range) < 0)
-			goto invalid;
-		if (sepol_mls_contains(handle->sepolh, policydb, 
-			user_mls_range, mls_range, &mls_ok) < 0)
-			goto err;
-		if (!mls_ok) {
-			ERR(handle, "mls range %s for Unix user %s "
-				"exceeds allowed range %s for SELinux user %s",
-				mls_range, name, user_mls_range, sename);
-			goto invalid;
-		}
-	}
-
-	semanage_user_key_free(key);
-	semanage_user_free(user);
-	return 0;
-
-	err:
-	ERR(handle, "could not check if the seuser mapping "
-		"%s -> (%s, %s) is valid", name, sename, mls_range);
-	semanage_user_key_free(key);
-	semanage_user_free(user);
-	return -1;
-
-	invalid:
-	ERR(handle, "seuser mapping %s -> (%s, %s) is invalid",
-		name, sename, mls_range);
-	semanage_user_key_free(key);
-	semanage_user_free(user);
-	return -1;
-}
-
-int hidden semanage_seuser_validate(
-	semanage_handle_t* handle,	
-	const sepol_policydb_t* policydb) {
-
-	struct validate_handler_arg arg;
-	arg.handle = handle;
-	arg.policydb = policydb;
-	return semanage_seuser_iterate(handle, validate_handler, &arg);
-}
diff -Naurp --exclude-from excludes old/libsemanage/src/seusers_local.c new/libsemanage/src/seusers_local.c
--- old/libsemanage/src/seusers_local.c	1969-12-31 17:00:00.000000000 -0700
+++ new/libsemanage/src/seusers_local.c	2006-01-20 16:02:22.000000000 -0700
@@ -0,0 +1,164 @@
+/* Copyright (C) 2005 Red Hat, Inc. */
+
+struct semanage_seuser;
+struct semanage_seuser_key;
+typedef struct semanage_seuser_key record_key_t;
+typedef struct semanage_seuser record_t;
+#define DBASE_RECORD_DEFINED
+
+#include <sepol/policydb.h>
+#include <sepol/context.h>
+#include "user_internal.h"
+#include "seuser_internal.h"
+#include "handle.h"
+#include "database.h"
+#include "debug.h"
+
+int semanage_seuser_modify_local(
+	semanage_handle_t* handle,
+	const semanage_seuser_key_t* key,
+	const semanage_seuser_t* data) {
+
+	dbase_config_t* dconfig = semanage_seuser_dbase_local(handle);	
+	return dbase_modify(handle, dconfig, key, data);
+}
+
+int semanage_seuser_del_local(
+	semanage_handle_t* handle,
+	const semanage_seuser_key_t* key) {
+
+	dbase_config_t* dconfig = semanage_seuser_dbase_local(handle);
+	return dbase_del(handle, dconfig, key);
+}
+
+int semanage_seuser_query_local(
+	semanage_handle_t* handle,
+	const semanage_seuser_key_t* key,
+	semanage_seuser_t** response) {
+
+	dbase_config_t* dconfig = semanage_seuser_dbase_local(handle);
+	return dbase_query(handle, dconfig, key, response);
+}
+
+int semanage_seuser_exists_local(
+	semanage_handle_t* handle,
+	const semanage_seuser_key_t* key,
+	int* response) {
+
+	dbase_config_t* dconfig = semanage_seuser_dbase_local(handle);
+	return dbase_exists(handle, dconfig, key, response);
+}
+
+int semanage_seuser_count_local(
+	semanage_handle_t* handle,
+	unsigned int* response) {
+
+	dbase_config_t* dconfig = semanage_seuser_dbase_local(handle);
+	return dbase_count(handle, dconfig, response);
+}
+
+int semanage_seuser_iterate_local(
+	semanage_handle_t* handle,
+	int (*handler) (
+		const semanage_seuser_t* record,
+		void* varg),
+	void* handler_arg) {
+
+	dbase_config_t* dconfig = semanage_seuser_dbase_local(handle);
+	return dbase_iterate(handle, dconfig, handler, handler_arg);
+}
+hidden_def(semanage_seuser_iterate_local)
+
+int semanage_seuser_list_local(
+	semanage_handle_t* handle,
+	semanage_seuser_t*** records,
+	unsigned int* count) {
+
+	dbase_config_t* dconfig = semanage_seuser_dbase_local(handle);
+	return dbase_list(handle, dconfig, records, count);
+}
+
+struct validate_handler_arg {
+	semanage_handle_t* handle;
+	const sepol_policydb_t* policydb;
+};
+
+static int validate_handler(
+	const semanage_seuser_t* seuser,
+	void* varg) {
+
+	semanage_user_t* user = NULL;
+	semanage_user_key_t* key = NULL;
+	int exists, mls_ok;
+
+	/* Unpack varg */
+	struct validate_handler_arg* arg = 
+		(struct validate_handler_arg*) varg;
+	semanage_handle_t* handle = arg->handle;
+	const sepol_policydb_t* policydb = arg->policydb;
+
+	/* Unpack seuser */
+	const char* name = semanage_seuser_get_name(seuser);
+	const char* sename = semanage_seuser_get_sename(seuser);
+	const char* mls_range = semanage_seuser_get_mlsrange(seuser);
+	const char* user_mls_range;
+
+	/* Make sure the (SElinux) user exists */
+	if (semanage_user_key_create(handle, sename, &key) < 0)
+		goto err;
+	if (semanage_user_exists(handle, key, &exists) < 0)
+		goto err;
+	if (!exists) {
+		ERR(handle, "selinux user %s does not exist", sename);
+		goto invalid;
+	}
+
+	/* Verify that the mls range is valid, and that it's contained
+	 * within the (SELinux) user mls range */
+	if (mls_range) {
+
+		if (semanage_user_query(handle, key, &user) < 0)
+			goto err;
+		user_mls_range = semanage_user_get_mlsrange(user);
+
+		if (sepol_mls_check(handle->sepolh, policydb, mls_range) < 0)
+			goto invalid;
+		if (sepol_mls_contains(handle->sepolh, policydb, 
+			user_mls_range, mls_range, &mls_ok) < 0)
+			goto err;
+		if (!mls_ok) {
+			ERR(handle, "mls range %s for Unix user %s "
+				"exceeds allowed range %s for SELinux user %s",
+				mls_range, name, user_mls_range, sename);
+			goto invalid;
+		}
+	}
+
+	semanage_user_key_free(key);
+	semanage_user_free(user);
+	return 0;
+
+	err:
+	ERR(handle, "could not check if the seuser mapping "
+		"%s -> (%s, %s) is valid", name, sename, mls_range);
+	semanage_user_key_free(key);
+	semanage_user_free(user);
+	return -1;
+
+	invalid:
+	ERR(handle, "seuser mapping %s -> (%s, %s) is invalid",
+		name, sename, mls_range);
+	semanage_user_key_free(key);
+	semanage_user_free(user);
+	return -1;
+}
+
+int hidden semanage_seuser_validate_local(
+	semanage_handle_t* handle,	
+	const sepol_policydb_t* policydb) {
+
+	struct validate_handler_arg arg;
+	arg.handle = handle;
+	arg.policydb = policydb;
+	return semanage_seuser_iterate_local(handle, validate_handler, &arg);
+}
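Review bot: Both failure paths of validate_handler (the `err:` and `invalid:` labels) pass `mls_range` to a `%s` conversion, although the function itself treats it as optional with `if (mls_range)`. A mapping with no MLS range that fails at semanage_user_key_create or semanage_user_exists therefore hands a null pointer to the formatter. Assuming ERR forwards to a printf-style function, that is undefined behaviour (glibc prints "(null)", other C libraries may crash), and it sits on the path that reports a rejected login mapping; pass `mls_range ? mls_range : "(none)"` in both ERR calls. Separately, `user_mls_range` goes to sepol_mls_contains unchecked: if semanage_user_get_mlsrange can return NULL (its definition is not in this hunk, so confirm), fail closed with `if (!user_mls_range) goto invalid;` before the containment test.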
diff -Naurp --exclude-from excludes old/policycoreutils/scripts/genhomedircon new/policycoreutils/scripts/genhomedircon
--- old/policycoreutils/scripts/genhomedircon	2006-01-20 16:16:49.000000000 -0700
+++ new/policycoreutils/scripts/genhomedircon	2006-01-20 16:20:02.000000000 -0700
@@ -207,7 +207,7 @@ class selinuxConfig:
 	def getUsers(self):
 		udict = {}
 		if self.semanaged:
-			(status, list, lsize) = semanage_seuser_list(self.semanageHandle)
+			(status, list, lsize) = semanage_seuser_list_local(self.semanageHandle)
 			for idx in range(lsize):
 				user=[]
 				seuser = semanage_seuser_by_idx(list, idx)
diff -Naurp --exclude-from excludes old/policycoreutils/semanage/seobject.py new/policycoreutils/semanage/seobject.py
--- old/policycoreutils/semanage/seobject.py	2006-01-20 16:16:49.000000000 -0700
+++ new/policycoreutils/semanage/seobject.py	2006-01-20 16:21:04.000000000 -0700
@@ -165,7 +165,7 @@ class loginRecords(semanageRecords):
 		if rc < 0:
 			raise ValueError("Could not create a key for %s" % name)
 
-		(rc,exists) = semanage_seuser_exists(self.sh, k)
+		(rc,exists) = semanage_seuser_exists_local(self.sh, k)
 		if rc < 0:
 			raise ValueError("Could not check if login mapping for %s is defined" % name)
 		if exists:
@@ -195,7 +195,7 @@ class loginRecords(semanageRecords):
 		if rc < 0:
 			raise ValueError("Could not start semanage transaction")
 
-		rc = semanage_seuser_modify(self.sh, k, u)
+		rc = semanage_seuser_modify_local(self.sh, k, u)
 		if rc < 0:
 			raise ValueError("Could not add login mapping for %s" % name)
 
@@ -214,13 +214,13 @@ class loginRecords(semanageRecords):
 		if rc < 0:
 			raise ValueError("Could not create a key for %s" % name)
 
-		(rc,exists) = semanage_seuser_exists(self.sh, k)
+		(rc,exists) = semanage_seuser_exists_local(self.sh, k)
 		if rc < 0:
 			raise ValueError("Could not check if login mapping for %s is defined" % name)
 		if not exists:
 			raise ValueError("Login mapping for %s is not defined" % name)
 
-		(rc,u) = semanage_seuser_query(self.sh, k)
+		(rc,u) = semanage_seuser_query_local(self.sh, k)
 		if rc < 0:
 			raise ValueError("Could not query seuser for %s" % name)
 
@@ -233,7 +233,7 @@ class loginRecords(semanageRecords):
 		if rc < 0:
 			raise ValueError("Could not srart semanage transaction")
 
-		rc = semanage_seuser_modify(self.sh, k, u)
+		rc = semanage_seuser_modify_local(self.sh, k, u)
 		if rc < 0:
 			raise ValueError("Could not modify login mapping for %s" % name)
 	
@@ -249,7 +249,7 @@ class loginRecords(semanageRecords):
 		if rc < 0:
 			raise ValueError("Could not create a key for %s" % name)
 
-		(rc,exists) = semanage_seuser_exists(self.sh, k)
+		(rc,exists) = semanage_seuser_exists_local(self.sh, k)
 		if rc < 0:
 			raise ValueError("Could not check if login mapping for %s is defined" % name)
 		if not exists:
@@ -259,7 +259,8 @@ class loginRecords(semanageRecords):
 		if rc < 0:
 			raise ValueError("Could not start semanage transaction")
 
-		rc = semanage_seuser_del(self.sh, k)
+		rc = semanage_seuser_del_local(self.sh, k)
+
 		if rc < 0:
 			raise ValueError("Could not delete login mapping for %s" % name)
 
@@ -272,7 +273,7 @@ class loginRecords(semanageRecords):
 		
 	def get_all(self):
 		ddict={}
-		(rc, self.ulist, self.usize) = semanage_seuser_list(self.sh)
+		(rc, self.ulist, self.usize) = semanage_seuser_list_local(self.sh)
 		if rc < 0:
 			raise ValueError("Could not list login mappings")
 


* Re: [SEMANAGE] Rename seuser -> seuser_local
  2006-01-20 23:34 [SEMANAGE] Rename seuser -> seuser_local Ivan Gyurdiev
@ 2006-01-23 12:52 ` Stephen Smalley
  2006-01-25 16:07   ` Ivan Valeriev Gyurdiev
  2006-01-27 20:52 ` Stephen Smalley
  1 sibling, 1 reply; 10+ messages in thread
From: Stephen Smalley @ 2006-01-23 12:52 UTC (permalink / raw)
  To: Ivan Gyurdiev; +Cc: SELinux List, Joshua Brindle

On Fri, 2006-01-20 at 16:34 -0700, Ivan Gyurdiev wrote:
> Seuser functions and dbase have incorrect names, since originally I did 
> not think we'd have seusers.system. I must have asked about this, but 
> regardless, I now think that a systems file will likely be necessary, so 
> this patch renames all seuser-related things to _local, which leaves 
> space for a _policy set of functions. It updates dependencies and 
> manpages. This is an API change.
> 
> I think we should add users_extra.system and seusers.system into the 
> package format.

Sorry, what is the motivation for this change, i.e. what is the system
seusers file for?

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: [SEMANAGE] Rename seuser -> seuser_local
  2006-01-23 12:52 ` Stephen Smalley
@ 2006-01-25 16:07   ` Ivan Valeriev Gyurdiev
  2006-01-25 16:28     ` Stephen Smalley
  0 siblings, 1 reply; 10+ messages in thread
From: Ivan Valeriev Gyurdiev @ 2006-01-25 16:07 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: Ivan Gyurdiev, SELinux List, Joshua Brindle

> On Fri, 2006-01-20 at 16:34 -0700, Ivan Gyurdiev wrote:
>> Seuser functions and dbase have incorrect names, since originally I did
>> not think we'd have seusers.system. I must have asked about this, but
>> regardless, I now think that a systems file will likely be necessary, so
>> this patch renames all seuser-related things to _local, which leaves
>> space for a _policy set of functions. It updates dependencies and
>> manpages. This is an API change.
>>
>> I think we should add users_extra.system and seusers.system into the
>> package format.
>
> Sorry, what is the motivation for this change, i.e. what is the system
> seusers file for?

That will allow us to configure per-policy defaults for certain users like
root, __default__. We could also configure more restricted SELinux users
for certain "system" users like daemon users, or things like a guest
account. It seems wrong to hardcode those defaults into the libselinux
library rather than policy.

Sorry for the late reply, I'm in the middle of moving to Cornell, and
switching to a PCI-E x86_64 computer - might have limited mail access for
the next few days.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: [SEMANAGE] Rename seuser -> seuser_local
  2006-01-25 16:07   ` Ivan Valeriev Gyurdiev
@ 2006-01-25 16:28     ` Stephen Smalley
  2006-01-25 17:31       ` Ivan Valeriev Gyurdiev
  0 siblings, 1 reply; 10+ messages in thread
From: Stephen Smalley @ 2006-01-25 16:28 UTC (permalink / raw)
  To: Ivan Valeriev Gyurdiev; +Cc: Daniel J Walsh, SELinux List, Joshua Brindle

On Wed, 2006-01-25 at 11:07 -0500, Ivan Valeriev Gyurdiev wrote:
> > On Fri, 2006-01-20 at 16:34 -0700, Ivan Gyurdiev wrote:
> >> Seuser functions and dbase have incorrect names, since originally I did
> >> not think we'd have seusers.system. I must have asked about this, but
> >> regardless, I now think that a systems file will likely be necessary, so
> >> this patch renames all seuser-related things to _local, which leaves
> >> space for a _policy set of functions. It updates dependencies and
> >> manpages. This is an API change.
> >>
> >> I think we should add users_extra.system and seusers.system into the
> >> package format.
> >
> > Sorry, what is the motivation for this change, i.e. what is the system
> > seusers file for?
> 
> That will allow us to configure per-policy defaults for certain users like
> root, __default__. We could also configure more restricted SELinux users
> for certain "system" users like daemon users,or things like a guest
> account. It seems wrong to hardcode those defaults into the libselinux
> library rather than policy.

That doesn't really seem consistent with the intended usage of seusers,
IIUC.  The policy package just needs to set up the initial state for
seusers upon the initial install (which it does from %post presently,
installing a seusers file from the policy package into the store, with
separate ones for targeted, mls, and strict), and then all subsequent
changes should occur via semanage.  Do we expect updated policy packages
to ship updates to that initial state that should take precedence over
local configuration done via semanage?

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: [SEMANAGE] Rename seuser -> seuser_local
  2006-01-25 16:28     ` Stephen Smalley
@ 2006-01-25 17:31       ` Ivan Valeriev Gyurdiev
  2006-01-25 17:55         ` Daniel J Walsh
  0 siblings, 1 reply; 10+ messages in thread
From: Ivan Valeriev Gyurdiev @ 2006-01-25 17:31 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: Daniel J Walsh, SELinux List, Joshua Brindle

> On Wed, 2006-01-25 at 11:07 -0500, Ivan Valeriev Gyurdiev wrote:
>> > On Fri, 2006-01-20 at 16:34 -0700, Ivan Gyurdiev wrote:
>> >> Seuser functions and dbase have incorrect names, since originally I
>> did
>> >> not think we'd have seusers.system. I must have asked about this, but
>> >> regardless, I now think that a systems file will likely be necessary,
>> so
>> >> this patch renames all seuser-related things to _local, which leaves
>> >> space for a _policy set of functions. It updates dependencies and
>> >> manpages. This is an API change.
>> >>
>> >> I think we should add users_extra.system and seusers.system into the
>> >> package format.
>> >
>> > Sorry, what is the motivation for this change, i.e. what is the system
>> > seusers file for?
>>
>> That will allow us to configure per-policy defaults for certain users
>> like
>> root, __default__. We could also configure more restricted SELinux users
>> for certain "system" users like daemon users,or things like a guest
>> account. It seems wrong to hardcode those defaults into the libselinux
>> library rather than policy.
>
> That doesn't really seem consistent with the intended usage of seusers,
> IIUC.  The policy package just needs to set up the initial state for
> seusers upon the initial install (which it does from %post presently,
> installing a seusers file from the policy package into the store, with
> separate ones for targeted, mls, and strict), and then all subsequent
> changes should occur via semanage.  Do we expect updated policy packages
> to ship updates to that initial state that should take precedence over
> local configuration done via semanage?
>

Well, I guess Dan would be the one to ask that question.

It seems to me that this could be a desirable capability in the future.
Also, remember that this means that the user can apply non-additive
changes to the seuser file - in other words, the delete function will
clear not only local changes, but will completely remove the __default__,
or root user if requested, reverting back to libselinux defaults (not
post-script defaults). Not sure if this is a good idea...

The current naming scheme seemed inconsistent, which is why I sent a patch
for it. Whether or not a .system file is added, the rename improves
consistency with current usage - it places the seusers functions in the
_local namespace where they belong.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: [SEMANAGE] Rename seuser -> seuser_local
  2006-01-25 17:31       ` Ivan Valeriev Gyurdiev
@ 2006-01-25 17:55         ` Daniel J Walsh
  2006-01-25 18:11           ` Stephen Smalley
  2006-01-25 21:05           ` Ivan Valeriev Gyurdiev
  0 siblings, 2 replies; 10+ messages in thread
From: Daniel J Walsh @ 2006-01-25 17:55 UTC (permalink / raw)
  To: Ivan Valeriev Gyurdiev; +Cc: Stephen Smalley, SELinux List, Joshua Brindle

Ivan Valeriev Gyurdiev wrote:
>> On Wed, 2006-01-25 at 11:07 -0500, Ivan Valeriev Gyurdiev wrote:
>>     
>>>> On Fri, 2006-01-20 at 16:34 -0700, Ivan Gyurdiev wrote:
>>>>         
>>>>> Seuser functions and dbase have incorrect names, since originally I
>>>>>           
>>> did
>>>       
>>>>> not think we'd have seusers.system. I must have asked about this, but
>>>>> regardless, I now think that a systems file will likely be necessary,
>>>>>           
>>> so
>>>       
>>>>> this patch renames all seuser-related things to _local, which leaves
>>>>> space for a _policy set of functions. It updates dependencies and
>>>>> manpages. This is an API change.
>>>>>
>>>>> I think we should add users_extra.system and seusers.system into the
>>>>> package format.
>>>>>           
>>>> Sorry, what is the motivation for this change, i.e. what is the system
>>>> seusers file for?
>>>>         
>>> That will allow us to configure per-policy defaults for certain users
>>> like
>>> root, __default__. We could also configure more restricted SELinux users
>>> for certain "system" users like daemon users,or things like a guest
>>> account. It seems wrong to hardcode those defaults into the libselinux
>>> library rather than policy.
>>>       
>> That doesn't really seem consistent with the intended usage of seusers,
>> IIUC.  The policy package just needs to set up the initial state for
>> seusers upon the initial install (which it does from %post presently,
>> installing a seusers file from the policy package into the store, with
>> separate ones for targeted, mls, and strict), and then all subsequent
>> changes should occur via semanage.  Do we expect updated policy packages
>> to ship updates to that initial state that should take precedence over
>> local configuration done via semanage?
>>
>>     
>
> Well, I guess Dan would be the one to ask that question.
>   
No, and if they did we could do it via semanage.
> It seems to me that this could be a desirable capability in the future.
> Also, remember that this means that the user can apply non-additive
> changes to the seuser file - in other words, the delete function will
> clear not only local changes, but will completely remove the __default__,
> or root user if requested, reverting back to libselinux defaults (not
> post-script defaults). Not sure if this is a good idea...
>
>   
Yes this would be bad.
> The current naming scheme seemed inconsistent, which is why I sent a patch
> for it. Whether or not a .system file is added, the rename improves
> consistency with current usage - places seusers function in the _local
> namespace where they belong.
>
>   


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: [SEMANAGE] Rename seuser -> seuser_local
  2006-01-25 17:55         ` Daniel J Walsh
@ 2006-01-25 18:11           ` Stephen Smalley
  2006-01-25 20:51             ` Daniel J Walsh
  2006-01-25 21:05           ` Ivan Valeriev Gyurdiev
  1 sibling, 1 reply; 10+ messages in thread
From: Stephen Smalley @ 2006-01-25 18:11 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: Ivan Valeriev Gyurdiev, SELinux List, Joshua Brindle

On Wed, 2006-01-25 at 12:55 -0500, Daniel J Walsh wrote:
> No, and if they did we could do it via semanage.

Yes, that was my expectation.

> > It seems to me that this could be a desirable capability in the future.
> > Also, remember that this means that the user can apply non-additive
> > changes to the seuser file - in other words, the delete function will
> > clear not only local changes, but will completely remove the __default__,
> > or root user if requested, reverting back to libselinux defaults (not
> > post-script defaults). Not sure if this is a good idea...
> >
> >   
> Yes this would be bad.

It wouldn't be a good idea for them to do that, but I'm not sure we need
to introduce this additional baggage just to idiot-proof semanage.

> > The current naming scheme seemed inconsistent, which is why I sent a patch
> > for it. Whether or not a .system file is added, the rename improves
> > consistency with current usage - places seusers function in the _local
> > namespace where they belong.

I don't want API changes without adequate justification.  Yes, we still
have flexibility in this arena since we control all users of the
library, but we still don't want arbitrary changes.

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: [SEMANAGE] Rename seuser -> seuser_local
  2006-01-25 18:11           ` Stephen Smalley
@ 2006-01-25 20:51             ` Daniel J Walsh
  0 siblings, 0 replies; 10+ messages in thread
From: Daniel J Walsh @ 2006-01-25 20:51 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: Ivan Valeriev Gyurdiev, SELinux List, Joshua Brindle

Stephen Smalley wrote:
> On Wed, 2006-01-25 at 12:55 -0500, Daniel J Walsh wrote:
>   
>> No, and if they did we could do it via semanage.
>>     
>
> Yes, that was my expectation.
>
>   
>>> It seems to me that this could be a desirable capability in the future.
>>> Also, remember that this means that the user can apply non-additive
>>> changes to the seuser file - in other words, the delete function will
>>> clear not only local changes, but will completely remove the __default__,
>>> or root user if requested, reverting back to libselinux defaults (not
>>> post-script defaults). Not sure if this is a good idea...
>>>
>>>   
>>>       
>> Yes this would be bad.
>>     
>
> It wouldn't be a good idea for them to do that, but I'm not sure we need
> to introduce this additional baggage just to idiot-proof semanage.
>
>   
How about I idiotproof seobject.py?
>>> The current naming scheme seemed inconsistent, which is why I sent a patch
>>> for it. Whether or not a .system file is added, the rename improves
>>> consistency with current usage - places seusers function in the _local
>>> namespace where they belong.
>>>       
>
> I don't want API changes without adequate justification.  Yes, we still
> have flexibility in this arena since we control all users of the
> library, but we still don't want arbitrary changes.
>
>   


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: [SEMANAGE] Rename seuser -> seuser_local
  2006-01-25 17:55         ` Daniel J Walsh
  2006-01-25 18:11           ` Stephen Smalley
@ 2006-01-25 21:05           ` Ivan Valeriev Gyurdiev
  1 sibling, 0 replies; 10+ messages in thread
From: Ivan Valeriev Gyurdiev @ 2006-01-25 21:05 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: Stephen Smalley, SELinux List, Joshua Brindle


>>> That doesn't really seem consistent with the intended usage of seusers,
>>> IIUC.  The policy package just needs to set up the initial state for
>>> seusers upon the initial install (which it does from %post presently,
>>> installing a seusers file from the policy package into the store, with
>>> separate ones for targeted, mls, and strict), and then all subsequent
>>> changes should occur via semanage.  Do we expect updated policy
>>> packages
>>> to ship updates to that initial state that should take precedence over
>>> local configuration done via semanage?
>>>
>>>
>>
>> Well, I guess Dan would be the one to ask that question.
>>
> No, and if they did we could do it via semanage.

Actually, I don't think we could - we have no way of distinguishing a
"local" update, initiated by the user, from a policy package update. They
are different in that system updates should override previous
system-installed settings, but not any "local" settings. Local updates on
the other hand should override everything. This is why we have two sets of
functions (and two data sources) for everything else, and part of the
reason why I'd like seusers to work the same way.

>> It seems to me that this could be a desirable capability in the future.
>> Also, remember that this means that the user can apply non-additive
>> changes to the seuser file - in other words, the delete function will
>> clear not only local changes, but will completely remove the
>> __default__,
>> or root user if requested, reverting back to libselinux defaults (not
>> post-script defaults). Not sure if this is a good idea...
>>
>>
> Yes this would be bad.

Well, to avoid this kind of thing we could ship seusers.system. Right now
semanage will delete __default__ or root - you can try it yourself...


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: [SEMANAGE] Rename seuser -> seuser_local
  2006-01-20 23:34 [SEMANAGE] Rename seuser -> seuser_local Ivan Gyurdiev
  2006-01-23 12:52 ` Stephen Smalley
@ 2006-01-27 20:52 ` Stephen Smalley
  1 sibling, 0 replies; 10+ messages in thread
From: Stephen Smalley @ 2006-01-27 20:52 UTC (permalink / raw)
  To: Ivan Gyurdiev; +Cc: Daniel J Walsh, SELinux List, Joshua Brindle

On Fri, 2006-01-20 at 16:34 -0700, Ivan Gyurdiev wrote:
> Seuser functions and dbase have incorrect names, since originally I did 
> not think we'd have seusers.system. I must have asked about this, but 
> regardless, I now think that a systems file will likely be necessary, so 
> this patch renames all seuser-related things to _local, which leaves 
> space for a _policy set of functions. It updates dependencies and 
> manpages. This is an API change.

Merged as of libsemanage 1.5.18 and policycoreutils 1.29.14.

> I think we should add users_extra.system and seusers.system into the 
> package format.

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
