* Re: policycoreutils 1.29.10
       [not found] ` <1138193526.20815.309.camel@moss-spartans.epoch.ncsc.mil>
@ 2006-01-25 16:16   ` Daniel J Walsh
  2006-01-25 16:29     ` Stephen Smalley
  2006-01-25 18:26     ` Stephen Smalley
  0 siblings, 2 replies; 5+ messages in thread
From: Daniel J Walsh @ 2006-01-25 16:16 UTC (permalink / raw)
  To: Stephen Smalley, SE Linux

[-- Attachment #1: Type: text/plain, Size: 639 bytes --]

Stephen Smalley wrote:
> On Mon, 2006-01-23 at 14:34 -0500, Stephen Smalley wrote:
>   
>> I committed policycoreutils 1.29.10 on Friday, but looks like rawhide
>> still has 1.29.9?  It has the patches from Ivan and Russell for
>> semanage, and your patches for chcat.8 and genhomedircon merged.
>>     
>
> Ping?
>
>   
I just built 1.29.11.  I was waiting for some mods to libsemanage to 
handle semanage_user_set_roles,

but I built it anyway.  Modify of users does not work until this 
swigify is fixed.

Dan

Here is my latest diff also, mainly adding translation support to 
semanage and cleaning up some of the error reporting.



[-- Attachment #2: diff --]
[-- Type: text/plain, Size: 10153 bytes --]

diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/chcat policycoreutils-1.29.10/scripts/chcat
--- nsapolicycoreutils/scripts/chcat	2006-01-19 16:00:44.000000000 -0500
+++ policycoreutils-1.29.10/scripts/chcat	2006-01-20 17:17:02.000000000 -0500
@@ -356,7 +356,7 @@
 
         if list_ind==0 and len(cmds) < 1:
             usage()
-    except:
+    except ValueError, e:
         usage()
 
     if delete_ind:
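Review bot: the new `except ValueError, e:` binds `e` but never uses it; either drop the name or pass str(e) into usage() so the caller learns which argument was malformed. Narrowing the bare `except:` is the right direction, but check what else the try block wraps (not visible in this hunk): a getopt.GetoptError is not a ValueError and would now escape as a traceback instead of reaching usage().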
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semanage/semanage policycoreutils-1.29.10/semanage/semanage
--- nsapolicycoreutils/semanage/semanage	2006-01-20 10:37:37.000000000 -0500
+++ policycoreutils-1.29.10/semanage/semanage	2006-01-20 15:17:56.000000000 -0500
@@ -30,28 +30,27 @@
 
 	def usage(message = ""):
 		print '\
-semanage {login|user|port|interface|fcontext} -l\n\
+semanage {login|user|port|interface|fcontext|translation} -l [-n] \n\
 semanage login -{a|d|m} [-sr] login_name\n\
 semanage user -{a|d|m} [-LrR] selinux_name\n\
-semanage port -{a|d|m} -p protocol [-t] port_number\n\
+semanage port -{a|d|m} [-tr] [ -p protocol ] port | port_range\n\
 semanage interface -{a|d|m} [-tr] interface_spec\n\
-semanage translation -{a|d|m} [-T] level\n\
 semanage fcontext -{a|d|m} [-frst] file_spec\n\
+semanage translation -{a|d|m} [-T] level\n\
 	-a, --add        Add a OBJECT record NAME\n\
 	-d, --delete     Delete a OBJECT record NAME\n\
 	-f, --ftype      File Type of OBJECT \n\
 	-h, --help       display this message\n\
 	-l, --list       List the OBJECTS\n\
 	-L, --level      Default SELinux Level\n\
-	-n, --noheading  Do not print heading when listing OBJECTS\n\
 	-m, --modify     Modify a OBJECT record NAME\n\
-	-P, --proto      Port protocol\n\
+	-n, --noheading  Do not print heading when listing OBJECTS\n\
+	-p, --proto      Port protocol\n\
 	-r, --range      MLS/MCS Security Range\n\
 	-R, --roles      SELinux Roles (Separate by spaces)\n\
 	-s, --seuser     SELinux user name\n\
 	-t, --type       SELinux Type for the object\n\
 	-T, --trans      SELinux Level Translation\n\
-	-v, --verbose    verbose output\n\
 '
 		print message
 		sys.exit(1)
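Review bot: `-v, --verbose` is dropped from the help text here, but the same patch keeps `v` in the getopt short-option string and the `if o == "-v" or o == "--verbose"` handler further down; remove all three together so the help text, the parser and the handler agree (the thread settles on dropping -v entirely). The help text also documents the long form as `--proto`, so the `'--protocol'` entry that get_options() registers for port objects must be spelled `--proto` to ever match.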
@@ -62,35 +61,29 @@
 		sys.stderr.flush()
 		sys.exit(1)
 
-	def unwanted_ftype():
-		if ftype != "":
-			sys.stderr.write("ftype not used\n");
-	def unwanted_selevel():
-		if selevel != "":
-			sys.stderr.write("level not used\n");
-	def unwanted_proto():
-		if proto != "":
-			sys.stderr.write("proto not used\n");
-	def unwanted_roles():
-		if roles != "":
-			sys.stderr.write("role not used\n");
-	def unwanted_serange():
-		if serange != "":
-			sys.stderr.write("range not used\n");
-	def unwanted_seuser():
-		if seuser != "":
-			sys.stderr.write("seuser not used\n");
-	def unwanted_setype():
-		if setype != "":
-			sys.stderr.write("type not used\n");
-	def unwanted_setrans():
-		if setrans != "":
-			sys.stderr.write("trans not used\n");
+	def get_options():
+		valid_option={}
+		valid_everyone=[ '-a', '--add', '-d', '--delete', '-m', '--modify', '-l', '--list', '-h', '--help', '-n', '--noheading' ]
+		valid_option["login"] = []
+		valid_option["login"] += valid_everyone + [ '-s', '--seuser', '-r', '--range']
+		valid_option["user"] = []
+		valid_option["user"] += valid_everyone + [ '-L', '--level', '-r', '--range', '-R', '--roles' ] 
+		valid_option["port"] = []
+		valid_option["port"] += valid_everyone + [ '-t', '--type', '-r', '--range'] 
+		valid_option["port"] = []
+		valid_option["port"] += valid_everyone + [ '-t', '--type', '-r', '--range', '-p', '--protocol' ] 
+		valid_option["interface"] = []
+		valid_option["interface"] += valid_everyone + [ '-t', '--type', '-r', '--range'] 
+		valid_option["fcontext"] = []
+		valid_option["fcontext"] += valid_everyone + [ '-f', '--ftype', '-s', '--seuser',  '-t', '--type', '-r', '--range'] 
+		valid_option["translation"] = []
+		valid_option["fcontext"] += valid_everyone + [ '-T', '--trans' ] 
+		return valid_option
+
 	#
 	# 
 	#
 	try:
-		objectlist = ("login", "user", "port", "interface", "fcontext", "translation")
 		input = sys.stdin
 		output = sys.stdout
 		serange = ""
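Review bot: get_options() has three table errors. `valid_option["port"]` is assigned twice, so the first definition is dead and only the second one (with `-p`) survives; the duplicate should go. `valid_option["translation"]` is initialised to [] and never filled, because the following line extends `valid_option["fcontext"]` instead, so every option, `-l` included, will be reported "not valid for translation objects" and fcontext wrongly accepts `-T`. And `'--protocol'` can never match what getopt returns, since the long option is registered as 'proto=' and comes back as '--proto'. Each `x = []` followed by `x += ...` can also be a single assignment.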
@@ -112,12 +105,14 @@
 			usage("Requires 2 or more arguments")
 			
 		object = sys.argv[1]
-		if object not in objectlist:
+		option_dict=get_options()
+		if object not in option_dict.keys():
 			usage("%s not defined" % object)
 			
 		args = sys.argv[2:]
+
 		gopts, cmds = getopt.getopt(args,
-					    'adf:lhmnp:P:s:R:L:r:t:vT:',
+					    'adf:lhmnp:s:R:L:r:t:vT:',
 					    ['add',
 					     'delete',
 					     'ftype=',
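Review bot: `if object not in option_dict.keys():` can simply be `if object not in option_dict:`. More importantly, the short-option string `'adf:lhmnp:s:R:L:r:t:vT:'` still contains `v` while this patch removes `-v` from the help text and `'verbose'` from the long options, so `-v` is accepted silently and `--verbose` now fails inside getopt with "option not recognized"; drop the `v` here as well.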
@@ -125,16 +120,18 @@
 					     'list', 
 					     'modify',
 					     'noheading',
-					     'port=',
 					     'proto=',
 					     'seuser=',
 					     'range=',
 					     'level=',
 					     'roles=',
 					     'type=',
-					     'trans=',
-					     'verbose'
+					     'trans='
 					     ])
+		for o, a in gopts:
+			if o not in option_dict[object]:
+				sys.stderr.write("%s not valid for %s objects\n" % ( o, object) );
+				
 		for o,a in gopts:
 			if o == "-a" or o == "--add":
 				if modify or delete:
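Review bot: the new validation loop only writes "%s not valid for %s objects" to stderr and then falls through to the second `for o,a in gopts:` loop, which applies the option anyway, so an unsupported option yields a warning plus a value that is either silently ignored or, for `-r`/`-t`, acted upon. Call usage() or exit after the message so invalid combinations are rejected, and consider folding the check into the loop that follows instead of iterating gopts twice.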
@@ -167,11 +164,11 @@
 			if o == "-L" or o == '--level':
 				selevel = a
 
-			if o == "-P" or o == '--proto':
+			if o == "-p" or o == '--proto':
 				proto = a
 
 			if o == "-R" or o == '--roles':
-				roles = roles + " " + a
+				roles = a
 
 			if o == "-s" or o == "--seuser":
 				seuser = a
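Review bot: `roles = a` turns a second `-R` into a silent overwrite of the first; with the previous `roles = roles + " " + a`, `-R user_r -R staff_r` and `-R "user_r staff_r"` produced the same role list. If the intent is that `-m -R` replaces the role set rather than extending it, state that in the usage text and man page; otherwise keep the aggregation.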
@@ -185,91 +182,25 @@
 			if o == "-v" or o == "--verbose":
 				verbose = 1
 
-# Note in this section I intentionally leave the unwanted_*() functions for
-# variabled which are wanted commented out and don't delete those lines.  This
-# will make it easier to modify the code when the list of wanted variables
-# changes.
 		if object == "login":
-			if not delete:
-				unwanted_ftype()
-				unwanted_selevel()
-				unwanted_proto()
-				unwanted_roles()
-#				unwanted_serange()
-#				unwanted_seuser()
-				unwanted_setype()
-				unwanted_setrans()
 			OBJECT = seobject.loginRecords()
 
 		if object == "user":
-			if not delete:
-				unwanted_ftype()
-#				unwanted_selevel()
-				unwanted_proto()
-#				unwanted_roles()
-#				unwanted_serange()
-				unwanted_seuser()
-				unwanted_setype()
-				unwanted_setrans()
 			OBJECT = seobject.seluserRecords()
 
 		if object == "port":
-			if not delete:
-				unwanted_ftype()
-				unwanted_selevel()
-#				unwanted_proto()
-				unwanted_roles()
-				unwanted_serange()
-				unwanted_seuser()
-#				unwanted_setype()
-				unwanted_setrans()
 			OBJECT = seobject.portRecords()
 		
 		if object == "interface":
-			if not delete:
-				unwanted_ftype()
-				unwanted_selevel()
-				unwanted_proto()
-				unwanted_roles()
-#				unwanted_serange()
-				unwanted_seuser()
-#				unwanted_setype()
-				unwanted_setrans()
 			OBJECT = seobject.interfaceRecords()
 		
 		if object == "fcontext":
-			if not delete:
-#				unwanted_ftype()
-				unwanted_selevel()
-				unwanted_proto()
-				unwanted_roles()
-#				unwanted_serange()
-#				unwanted_seuser()
-#				unwanted_setype()
-				unwanted_setrans()
 			OBJECT = seobject.fcontextRecords()
 		
 		if object == "translation":
-			if not delete:
-				unwanted_ftype()
-				unwanted_selevel()
-				unwanted_proto()
-				unwanted_roles()
-				unwanted_serange()
-				unwanted_seuser()
-				unwanted_setype()
-#				unwanted_setrans()
 			OBJECT = seobject.setransRecords()
 		
 		if list:
-			unwanted_ftype()
-			unwanted_selevel()
-			unwanted_proto()
-			unwanted_roles()
-			unwanted_serange()
-			unwanted_seuser()
-			unwanted_setype()
-			unwanted_setrans()
 			OBJECT.list(heading)
 			sys.exit(0);
 			
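Review bot: moving the checks from the per-object `unwanted_*()` calls into get_options() changes their semantics in two ways worth calling out. The old guards ran only when `not delete`, whereas the new table is action-independent, so a `-s` or `-r` on a delete that used to be flagged now passes, and the `if list:` checks that rejected value options on a listing are gone as well. The `-v/--verbose` handler at the top of this hunk is also still present although the option is being removed elsewhere in the patch; delete it too.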
@@ -324,16 +255,6 @@
 			sys.exit(0);
 
 		if delete:
-			if object != "fcontext":
-				unwanted_ftype()
-			unwanted_selevel()
-			if object == "port":
-				unwanted_proto()
-			unwanted_roles()
-			unwanted_serange()
-			unwanted_seuser()
-			unwanted_setype()
-			unwanted_setrans()
 			if object == "port":
 				OBJECT.delete(target, proto)
 
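Review bot: with the per-action `unwanted_proto()` check removed and the synopsis now showing `[ -p protocol ]` as optional, `OBJECT.delete(target, proto)` for port objects can be reached with `proto == ""`; either require `-p` for port add/modify/delete or make sure portRecords.delete handles an empty protocol explicitly.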
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semanage/semanage.8 policycoreutils-1.29.10/semanage/semanage.8
--- nsapolicycoreutils/semanage/semanage.8	2006-01-20 10:37:37.000000000 -0500
+++ policycoreutils-1.29.10/semanage/semanage.8	2006-01-20 15:10:15.000000000 -0500
@@ -3,19 +3,19 @@
 semanage \- SELinux Policy Management tool
 
 .SH "SYNOPSIS"
-.B semanage {login|user|port|interface|fcontext} \-l [\-n]
+.B semanage {login|user|port|interface|fcontext|translation} \-l [\-n]
 .br
 .B semanage login \-{a|d|m} [\-sr] login_name
 .br
 .B semanage user \-{a|d|m} [\-LrR] selinux_name
 .br
-.B semanage port \-{a|d|m} \-p protocol [\-t] port_number
+.B semanage port \-{a|d|m} [\-tr] [\-p protocol] port | port_range
 .br
 .B semanage interface \-{a|d|m} [\-tr] interface_spec
 .br
-.B semanage translation \-{a|d|m} [\-T] level
-.br
 .B semanage fcontext \-{a|d|m} [\-frst] file_spec
+.br
+.B semanage translation \-{a|d|m} [\-T] level
 .P
 
 This tool is used to configure SELinux policy
@@ -35,34 +35,34 @@
 .I                \-d, \-\-delete     
 Delete a OBJECT record NAME
 .TP
-.I                \-h, \-\-help       
-display this message
-.TP
 .I                \-f, \-\-ftype
 File Type.   This is used with fcontext.
 Requires a file type as shown in the mode field by ls, e.g. use -d to match only directories or -- to match only regular files.
 .TP
+.I                \-h, \-\-help       
+display this message
+.TP
 .I                \-l, \-\-list       
 List the OBJECTS
 .TP
-.I                \-n, \-\-noheading       
-Do not print heading when listing OBJECTS
-.TP
 .I                \-L, \-\-level
 Default SELinux Level for SELinux use. (s0)
 .TP
 .I                \-m, \-\-modify     
 Modify a OBJECT record NAME
 .TP
+.I                \-n, \-\-noheading  
+Do not print heading when listing OBJECTS.
+.TP
 .I                \-p, \-\-proto
 Protocol for the specified port (tcp|udp).
 .TP
-.I                \-R, \-\-role
-SELinux Roles (Separate by spaces)
-.TP
 .I                \-r, \-\-range      
 MLS/MCS Security Range
 .TP
+.I                \-R, \-\-role
+SELinux Roles.  You must inclose multiple roles within quotes, separate by spaces.
+.TP
 .I                \-s, \-\-seuser     
 SELinux user name
 .TP
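Review bot: "inclose" should be "enclose" in the `\-R` description. The man page names the option `\-\-role` while the script registers `roles=` with getopt and prints `-R, --roles` in its usage text; use `\-\-roles` here. The new wording ("within quotes, separate by spaces") also documents the non-aggregating `roles = a` behaviour that the rest of the thread questions, so the two should be settled together.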

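The per-object option table that the patch above introduces, written out as an added example for this page in Python 3; it is not the semanage code itself. It shows the design get_options() is reaching for with the points a reviewer would ask for: one entry per object, long-option names identical to the ones registered with getopt, rejection instead of a warning when an option does not apply to the object, and the aggregating -R behaviour. The object names and option letters come from the usage text in the diff; the UsageError class, the parse() return shape, table_is_consistent() and the sample command lines are constructed for the example.

```python
import getopt

# Options every object accepts (mirrors the patch's valid_everyone list).
COMMON = ['-a', '--add', '-d', '--delete', '-m', '--modify',
          '-l', '--list', '-h', '--help', '-n', '--noheading']

# Extra options per object: one entry per object, and the long names are
# exactly the strings getopt hands back (the patch listed '--protocol' but
# registered 'proto=', so that entry could never match).
OBJECT_OPTIONS = {
    'login':       ['-s', '--seuser', '-r', '--range'],
    'user':        ['-L', '--level', '-r', '--range', '-R', '--roles'],
    'port':        ['-t', '--type', '-r', '--range', '-p', '--proto'],
    'interface':   ['-t', '--type', '-r', '--range'],
    'fcontext':    ['-f', '--ftype', '-s', '--seuser', '-t', '--type', '-r', '--range'],
    'translation': ['-T', '--trans'],
}

# getopt specs with -v/--verbose dropped, as agreed in the thread.
SHORTOPTS = 'adf:lhmnp:s:R:L:r:t:T:'
LONGOPTS = ['add', 'delete', 'ftype=', 'help', 'list', 'modify', 'noheading',
            'proto=', 'seuser=', 'range=', 'level=', 'roles=', 'type=', 'trans=']

ACTIONS = {'-a': 'add', '--add': 'add', '-d': 'delete', '--delete': 'delete',
           '-m': 'modify', '--modify': 'modify', '-l': 'list', '--list': 'list'}

# Value-taking options and the setting each one fills in.
VALUE_OPTIONS = {'-f': 'ftype', '--ftype': 'ftype', '-p': 'proto', '--proto': 'proto',
                 '-s': 'seuser', '--seuser': 'seuser', '-r': 'range', '--range': 'range',
                 '-L': 'level', '--level': 'level', '-t': 'type', '--type': 'type',
                 '-T': 'trans', '--trans': 'trans'}


class UsageError(Exception):
    """Raised where the script would call usage(); carries the reason."""


def table_is_consistent():
    """Every option in COMMON/OBJECT_OPTIONS must be one getopt can return.

    Run at import or from a unit test, this catches a table entry such as
    '--protocol' that the parser can never produce.
    """
    known = {'-' + ch for ch in SHORTOPTS if ch != ':'}
    known |= {'--' + name.rstrip('=') for name in LONGOPTS}
    return all(set(opts) <= known for opts in [COMMON] + list(OBJECT_OPTIONS.values()))


def parse(argv):
    """Parse a semanage-style command line (argv[0] is the program name).

    Returns the object, the single action, the value options given, the
    aggregated role list, the heading flag and the positional targets.
    """
    if len(argv) < 2:
        raise UsageError('Requires 2 or more arguments')
    obj, args = argv[1], argv[2:]
    if obj not in OBJECT_OPTIONS:
        raise UsageError('%s not defined' % obj)
    allowed = set(COMMON) | set(OBJECT_OPTIONS[obj])

    try:
        gopts, targets = getopt.getopt(args, SHORTOPTS, LONGOPTS)
    except getopt.GetoptError as e:
        raise UsageError(str(e))

    # Reject, rather than warn about, options that do not apply to this object.
    for o, _ in gopts:
        if o not in allowed:
            raise UsageError('%s not valid for %s objects' % (o, obj))

    result = {'object': obj, 'action': None, 'options': {},
              'roles': [], 'heading': True, 'targets': targets}
    for o, a in gopts:
        if o in ACTIONS:
            if result['action'] is not None:
                raise UsageError('%s and %s are mutually exclusive'
                                 % (result['action'], ACTIONS[o]))
            result['action'] = ACTIONS[o]
        elif o in ('-R', '--roles'):
            # Aggregate: "-R user_r -R staff_r" and "-R 'user_r staff_r'" agree.
            result['roles'].extend(a.split())
        elif o in ('-n', '--noheading'):
            result['heading'] = False
        elif o in ('-h', '--help'):
            raise UsageError('help requested')
        else:
            result['options'][VALUE_OPTIONS[o]] = a

    if result['action'] is None:
        raise UsageError('one of -a, -d, -m or -l is required')
    if result['action'] != 'list' and len(targets) != 1:
        raise UsageError('%s takes exactly one %s name' % (result['action'], obj))
    return result


if __name__ == '__main__':
    # Constructed sample command lines; the last one is rejected (-R is not a login option).
    for argv in (['semanage', 'port', '-a', '-t', 'http_port_t', '-p', 'tcp', '8080'],
                 ['semanage', 'user', '-m', '-R', 'user_r', '-R', 'staff_r', 'joe'],
                 ['semanage', 'login', '-a', '-R', 'user_r', 'joe']):
        try:
            print(parse(argv))
        except UsageError as e:
            print('usage error:', e)
```

parse() raises UsageError wherever the script would call usage(), which keeps the decision about exiting in one place and makes the checks testable; table_is_consistent() is the kind of assertion that would have flagged the `--protocol` entry before the patch went out.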

* Re: policycoreutils 1.29.10
  2006-01-25 16:16   ` policycoreutils 1.29.10 Daniel J Walsh
@ 2006-01-25 16:29     ` Stephen Smalley
  2006-01-26 17:15       ` Daniel J Walsh
  2006-01-25 18:26     ` Stephen Smalley
  1 sibling, 1 reply; 5+ messages in thread
From: Stephen Smalley @ 2006-01-25 16:29 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: Ivan Gyurdiev, SELinux-dev, SE Linux

On Wed, 2006-01-25 at 11:16 -0500, Daniel J Walsh wrote:
> I just built 1.29.11.  I was waiting for some mods to libsemanage to 
> handle semanage_user_set_roles,
> 
> but I built it anyway.  Modify of users does not work until this 
> swigify is fixed.

Sorry, can you clarify what the issue is there?

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: policycoreutils 1.29.10
  2006-01-25 16:16   ` policycoreutils 1.29.10 Daniel J Walsh
  2006-01-25 16:29     ` Stephen Smalley
@ 2006-01-25 18:26     ` Stephen Smalley
  2006-01-25 20:56       ` Daniel J Walsh
  1 sibling, 1 reply; 5+ messages in thread
From: Stephen Smalley @ 2006-01-25 18:26 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: SE Linux

On Wed, 2006-01-25 at 11:16 -0500, Daniel J Walsh wrote:
> Here is my latest diff also, mainly adding translation support to 
> semanage and cleaning up some of the error reporting.

> diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semanage/semanage policycoreutils-1.29.10/semanage/semanage
> --- nsapolicycoreutils/semanage/semanage	2006-01-20 10:37:37.000000000 -0500
> +++ policycoreutils-1.29.10/semanage/semanage	2006-01-20 15:17:56.000000000 -0500
> -	-v, --verbose    verbose output\n\

The code still checks for -v and --verbose later and sets verbose = 1,
so that likely should be dropped too.

> +	def get_options():
> +		valid_option={}
> +		valid_everyone=[ '-a', '--add', '-d', '--delete', '-m', '--modify', '-l', '--list', '-h', '--help', '-n', '--noheading' ]
> +		valid_option["login"] = []
> +		valid_option["login"] += valid_everyone + [ '-s', '--seuser', '-r', '--range']
> +		valid_option["user"] = []
> +		valid_option["user"] += valid_everyone + [ '-L', '--level', '-r', '--range', '-R', '--roles' ] 
> +		valid_option["port"] = []
> +		valid_option["port"] += valid_everyone + [ '-t', '--type', '-r', '--range'] 
> +		valid_option["port"] = []
> +		valid_option["port"] += valid_everyone + [ '-t', '--type', '-r', '--range', '-p', '--protocol' ] 

Cut-and-paste error - multiple definitions for "port"

> +		valid_option["interface"] = []
> +		valid_option["interface"] += valid_everyone + [ '-t', '--type', '-r', '--range'] 
> +		valid_option["fcontext"] = []
> +		valid_option["fcontext"] += valid_everyone + [ '-f', '--ftype', '-s', '--seuser',  '-t', '--type', '-r', '--range'] 
> +		valid_option["translation"] = []
> +		valid_option["fcontext"] += valid_everyone + [ '-T', '--trans' ]

Cut-and-paste error - last one should be for "translation", right?

>  		gopts, cmds = getopt.getopt(args,
> -					    'adf:lhmnp:P:s:R:L:r:t:vT:',
> +					    'adf:lhmnp:s:R:L:r:t:vT:',

-v still listed here.


>  			if o == "-R" or o == '--roles':
> -				roles = roles + " " + a
> +				roles = a

Why?  Aggregating multiple role specs seemed nice.  Implementation
problem?

> +.I                \-R, \-\-role
> +SELinux Roles.  You must inclose multiple roles within quotes, separate by spaces.
> +.TP

Reverts Russell's change, which as he said seems more script-friendly
and user-friendly (aggregate multiple -R options together).

-- 
Stephen Smalley
National Security Agency




* Re: policycoreutils 1.29.10
  2006-01-25 18:26     ` Stephen Smalley
@ 2006-01-25 20:56       ` Daniel J Walsh
  0 siblings, 0 replies; 5+ messages in thread
From: Daniel J Walsh @ 2006-01-25 20:56 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: SE Linux

Stephen Smalley wrote:
> On Wed, 2006-01-25 at 11:16 -0500, Daniel J Walsh wrote:
>   
>> Here is my latest diff also, mainly adding translation support to 
>> semanage and cleaning up some of the error reporting.
>>     
>
>   
>> diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semanage/semanage policycoreutils-1.29.10/semanage/semanage
>> --- nsapolicycoreutils/semanage/semanage	2006-01-20 10:37:37.000000000 -0500
>> +++ policycoreutils-1.29.10/semanage/semanage	2006-01-20 15:17:56.000000000 -0500
>> -	-v, --verbose    verbose output\n\
>>     
Yes, get rid of all -v and verbose stuff.
>> +	def get_options():
>> +		valid_option={}
>> +		valid_everyone=[ '-a', '--add', '-d', '--delete', '-m', '--modify', '-l', '--list', '-h', '--help', '-n', '--noheading' ]
>> +		valid_option["login"] = []
>> +		valid_option["login"] += valid_everyone + [ '-s', '--seuser', '-r', '--range']
>> +		valid_option["user"] = []
>> +		valid_option["user"] += valid_everyone + [ '-L', '--level', '-r', '--range', '-R', '--roles' ] 
>> +		valid_option["port"] = []
>> +		valid_option["port"] += valid_everyone + [ '-t', '--type', '-r', '--range'] 
>> +		valid_option["port"] = []
>> +		valid_option["port"] += valid_everyone + [ '-t', '--type', '-r', '--range', '-p', '--protocol' ] 
>>     
>
> Cut-and-paste error - multiple definitions for "port"
>
>   
>> +		valid_option["interface"] = []
>> +		valid_option["interface"] += valid_everyone + [ '-t', '--type', '-r', '--range'] 
>> +		valid_option["fcontext"] = []
>> +		valid_option["fcontext"] += valid_everyone + [ '-f', '--ftype', '-s', '--seuser',  '-t', '--type', '-r', '--range'] 
>> +		valid_option["translation"] = []
>> +		valid_option["fcontext"] += valid_everyone + [ '-T', '--trans' ]
>>     
>
> Cut-and-paste error - last one should be for "translation", right?
>
>   
>>  		gopts, cmds = getopt.getopt(args,
>> -					    'adf:lhmnp:P:s:R:L:r:t:vT:',
>> +					    'adf:lhmnp:s:R:L:r:t:vT:',
>>     
>
> -v still listed here.
>
>
>   
>>  			if o == "-R" or o == '--roles':
>> -				roles = roles + " " + a
>> +				roles = a
>>     
>
> Why?  Aggregating multiple role specs seemed nice.  Implementation
> problem?
>   
How do I do a modify?

As a user I might be confused by the semantics.
Does
-m -R user_r
add user_r, or
replace all existing roles with user_r?

>   
>> +.I                \-R, \-\-role
>> +SELinux Roles.  You must inclose multiple roles within quotes, separate by spaces.
>> +.TP
>>     
>
> Reverts Russell's change, which as he said seems more script-friendly
> and user-friendly (aggregate multiple -R options together).
>
>   
I can be shouted down on this one.



* Re: policycoreutils 1.29.10
  2006-01-25 16:29     ` Stephen Smalley
@ 2006-01-26 17:15       ` Daniel J Walsh
  0 siblings, 0 replies; 5+ messages in thread
From: Daniel J Walsh @ 2006-01-26 17:15 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: Ivan Gyurdiev, SELinux-dev, SE Linux

Stephen Smalley wrote:
> On Wed, 2006-01-25 at 11:16 -0500, Daniel J Walsh wrote:
>   
>> I just built 1.29.11.  I was waiting for some mods to libsemanage to 
>> handle semanage_user_set_roles,
>>
>> but I built it anyway.  Modify of users does not work until this 
>> swigify is fixed.
>>     
>
> Sorry, can you clarify what the issue is there?
>
>   
Currently the semanageswig.i file is broken:

semanage_user_set_roles returns an error.





