* policycoreutils latest diffs.
@ 2006-02-22 18:23 Daniel J Walsh
2006-02-23 14:02 ` Stephen Smalley
0 siblings, 1 reply; 19+ messages in thread
From: Daniel J Walsh @ 2006-02-22 18:23 UTC (permalink / raw)
To: Stephen Smalley, SE Linux
[-- Attachment #1: Type: text/plain, Size: 667 bytes --]
audit2allow -
Added (-R/--reference) to audit2allow. This basically greps through
reference policy and finds all matches for a particular
access. Then outputs them. It attempts to find the best match. This
makes updating reference policy a lot easier.
Changed load_policy to be looked at regardless of the granted flag.
Fixed some -M output so it is easier to cut and paste.
Fixed error handling output.
Handle "msg='avc:" as an AVC message also. This is output by Userspace
tools.
Add some checks to semanage and seobject.py to turn off processing on
non MLS/MCS machines.
(These are untested on a Non MLS/MCS machine, since I do not have access.)
[-- Attachment #2: policycoreutils-rhat.patch --]
[-- Type: text/x-patch, Size: 33736 bytes --]
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/audit2allow/audit2allow policycoreutils-1.29.26/audit2allow/audit2allow
--- nsapolicycoreutils/audit2allow/audit2allow 2005-12-08 12:52:44.000000000 -0500
+++ policycoreutils-1.29.26/audit2allow/audit2allow 2006-02-21 13:48:01.000000000 -0500
@@ -25,6 +25,118 @@
#
#
import commands, sys, os, pwd, string, getopt, re, selinux
+
+obj="(\{[^\}]*\}|[^ \t:]*)"
+allow_regexp="allow[ \t]+%s[ \t]*%s[ \t]*:[ \t]*%s[ \t]*%s" % (obj, obj, obj, obj)
+
+awk_script='/^[[:blank:]]*interface[[:blank:]]*\(/ {\n\
+ IFACEFILE=FILENAME\n\
+ IFACENAME = gensub("^[[:blank:]]*interface[[:blank:]]*\\\\(\`?","","g",$0);\n\
+ IFACENAME = gensub("\'?,.*$","","g",IFACENAME);\n\
+}\n\
+\n\
+/^[[:blank:]]*allow[[:blank:]]+.*;[[:blank:]]*$/ {\n\
+\n\
+ if ((length(IFACENAME) > 0) && (IFACEFILE == FILENAME)){\n\
+ ALLOW = gensub("^[[:blank:]]*","","g",$0)\n\
+ ALLOW = gensub(";[[:blank:]]*$","","g",$0)\n\
+ print FILENAME "\\t" IFACENAME "\\t" ALLOW;\n\
+ }\n\
+}\
+'
+
+class accessTrans:
+ def __init__(self):
+ self.dict={}
+ try:
+ fd=open("/usr/share/selinux/refpolicy/include/support/obj_perm_sets.spt")
+ except IOError, error:
+ raise IOError("Reference policy generation requires the policy development package.\n%s" % error)
+ records=fd.read().split("\n")
+ regexp="^define *\(`([^']*)' *, *` *\{([^}]*)}'"
+ for r in records:
+ m=re.match(regexp,r)
+ if m!=None:
+ self.dict[m.groups()[0]] = m.groups()[1].split()
+ fd.close()
+ def get(self, var):
+ l=[]
+ for v in var:
+ if v in self.dict.keys():
+ l += self.dict[v]
+ else:
+ if v not in ("{", "}"):
+ l.append(v)
+ return l
+
+class interfaces:
+ def __init__(self):
+ self.dict={}
+ trans=accessTrans()
+ (input, output) = os.popen2("awk -f - /usr/share/selinux/refpolicy/include/*/*.if 2> /dev/null")
+ input.write(awk_script)
+ input.close()
+ records=output.read().split("\n")
+ input.close()
+ if len(records) > 0:
+ regexp="([^ \t]*)[ \t]+([^ \t]*)[ \t]+%s" % allow_regexp
+ for r in records:
+ m=re.match(regexp,r)
+ if m==None:
+ continue
+ else:
+ val=m.groups()
+ file=os.path.basename(val[0]).split(".")[0]
+ iface=val[1]
+ Scon=val[2].split()
+ Tcon=val[3].split()
+ Class=val[4].split()
+ Access=trans.get(val[5].split())
+ for s in Scon:
+ for t in Tcon:
+ for c in Class:
+ if (s, t, c) not in self.dict.keys():
+ self.dict[(s, t, c)]=[]
+ self.dict[(s, t, c)].append((Access, file, iface))
+ def out(self):
+ keys=self.dict.keys()
+ keys.sort()
+ for k in keys:
+ print k
+ for i in self.dict[k]:
+ print "\t", i
+
+ def match(self, Scon, Tcon, Class, Access):
+ keys=self.dict.keys()
+ ret=[]
+ if (Scon, Tcon, Class) in keys:
+ for i in self.dict[(Scon, Tcon, Class)]:
+ if Access in i[0]:
+ if i[2].find(Access) >= 0:
+ ret.insert(0, i)
+ else:
+ ret.append(i)
+ return ret
+ if ("$1", Tcon, Class) in keys:
+ for i in self.dict[("$1", Tcon, Class)]:
+ if Access in i[0]:
+ if i[2].find(Access) >= 0:
+ ret.insert(0, i)
+ else:
+ ret.append(i)
+ return ret
+ if (Scon, "$1", Class) in keys:
+ for i in self.dict[(Scon, "$1", Class)]:
+ if Access in i[0]:
+ if i[2].find(Access) >= 0:
+ ret.insert(0, i)
+ else:
+ ret.append(i)
+ return ret
+ else:
+ return ret
+
+
class serule:
def __init__(self, type, source, target, seclass):
self.type=type
@@ -32,6 +144,8 @@
self.target=target
self.seclass=seclass
self.avcinfo={}
+ self.iface=None
+
def add(self, avc):
for a in avc[0]:
if a not in self.avcinfo.keys():
@@ -67,6 +181,33 @@
ret=ret + " : " + i
return ret
+ def gen_reference_policy(self, iface):
+ ret=""
+ Scon=self.source
+ Tcon=self.gettarget()
+ Class=self.seclass
+ Access=self.getAccess()
+ m=iface.match(Scon,Tcon,Class,Access)
+ if len(m)==0:
+ return self.out()
+ else:
+ file=m[0][1]
+ ret="\n#%s\n"% self.out()
+ ret += "optional_policy(`%s', `\n" % m[0][1]
+ first=True
+ for i in m:
+ if file != i[1]:
+ ret += "')\ngen_require(`%s', `\n" % i[1]
+ file = i[1]
+ first=True
+ if first:
+ ret += "\t%s(%s)\n" % (i[2], Scon)
+ first=False
+ else:
+ ret += "#\t%s(%s)\n" % (i[2], Scon)
+ ret += "');"
+ return ret
+
def gettarget(self):
if self.source == self.target:
return "self"
@@ -81,7 +222,12 @@
self.types=[]
self.roles=[]
self.load(input, te_ind)
-
+ self.gen_ref_policy = False
+
+ def gen_reference_policy(self):
+ self.gen_ref_policy = True
+ self.iface=interfaces()
+
def warning(self, error):
sys.stderr.write("%s: " % sys.argv[0])
sys.stderr.write("%s\n" % error)
@@ -104,7 +250,8 @@
while line:
rec=line.split()
for i in rec:
- if i=="avc:" or i=="message=avc:":
+ if i=="avc:" or i=="message=avc:" or i=="msg='avc:":
+
found=1
else:
avc.append(i)
@@ -182,9 +329,10 @@
if "security_compute_sid" in avc:
return
+ if "load_policy" in avc and self.last_reload:
+ self.seRules={}
+
if "granted" in avc:
- if "load_policy" in avc and self.last_reload:
- self.seRules={}
return
try:
for i in range (0, len(avc)):
@@ -292,7 +440,10 @@
keys=self.seRules.keys()
keys.sort()
for i in keys:
- rec += self.seRules[i].out(verbose)+"\n"
+ if self.gen_ref_policy:
+ rec += self.seRules[i].gen_reference_policy(self.iface)+"\n"
+ else:
+ rec += self.seRules[i].out(verbose)+"\n"
return rec
if __name__ == '__main__':
@@ -342,11 +493,12 @@
buildPP=0
input_ind=0
output_ind=0
+ ref_ind=False
te_ind=0
fc_file=""
gopts, cmds = getopt.getopt(sys.argv[1:],
- 'adf:hi:lm:M:o:rtv',
+ 'adf:hi:lm:M:o:rtvR',
['all',
'dmesg',
'fcfile=',
@@ -356,6 +508,7 @@
'module=',
'output=',
'requires',
+ 'reference',
'tefile',
'verbose'
])
@@ -397,6 +550,9 @@
if auditlogs:
usage()
te_ind=1
+ if o == "-R" or o == "--reference":
+ ref_ind=True
+
if o == "-o" or o == "--output":
if module != "" or a[0]=="-":
usage()
@@ -413,6 +569,10 @@
out=seruleRecords(input, last_reload, verbose, te_ind)
+
+ if ref_ind:
+ out.gen_reference_policy()
+
if auditlogs:
input=os.popen("ausearch -m avc")
out.load(input)
@@ -423,15 +583,15 @@
output.flush()
if buildPP:
cmd="checkmodule %s -m -o %s.mod %s.te" % (get_mls_flag(), module, module)
- print "Compiling policy: %s" % cmd
+ print "Compiling policy"
+ print cmd
rc=commands.getstatusoutput(cmd)
if rc[0]==0:
cmd="semodule_package -o %s.pp -m %s.mod" % (module, module)
- print cmd
if fc_file != "":
cmd = "%s -f %s" % (cmd, fc_file)
- print "Building package: %s" % cmd
+ print cmd
rc=commands.getstatusoutput(cmd)
if rc[0]==0:
print ("\n******************** IMPORTANT ***********************\n")
@@ -446,6 +606,6 @@
except ValueError, error:
errorExit(error.args[0])
except IOError, error:
- errorExit(error.args[1])
+ errorExit(error)
except KeyboardInterrupt, error:
sys.exit(0)
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/audit2allow/audit2allow.1 policycoreutils-1.29.26/audit2allow/audit2allow.1
--- nsapolicycoreutils/audit2allow/audit2allow.1 2005-12-01 10:11:27.000000000 -0500
+++ policycoreutils-1.29.26/audit2allow/audit2allow.1 2006-02-21 13:48:54.000000000 -0500
@@ -65,6 +65,9 @@
.B "\-r" | "\-\-requires"
Generate require output syntax for loadable modules.
.TP
+.B "\-R" | "\-\-reference"
+Generate reference policy using installed macros
+.TP
.B "\-t " | "\-\-tefile"
Indicates input file is a te (type enforcement) file. This can be used to translate old te format to new policy format.
.TP
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semanage/semanage policycoreutils-1.29.26/semanage/semanage
--- nsapolicycoreutils/semanage/semanage 2006-02-16 13:35:28.000000000 -0500
+++ policycoreutils-1.29.26/semanage/semanage 2006-02-21 13:57:04.000000000 -0500
@@ -22,6 +22,9 @@
#
import os, sys, getopt
import seobject
+import selinux
+
+is_mls_enabled=selinux.is_selinux_mls_enabled()
if __name__ == '__main__':
@@ -57,13 +60,13 @@
-p (named pipe) \n\n\
\
-p, --proto Port protocol (tcp or udp)\n\
- -L, --level Default SELinux Level\n\
+ -L, --level Default SELinux Level (MLS/MCS Systems only)\n\
-R, --roles SELinux Roles (ex: "sysadm_r staff_r")\n\
-T, --trans SELinux Level Translation\n\n\
\
-s, --seuser SELinux User Name\n\
-t, --type SELinux Type for the object\n\
- -r, --range MLS/MCS Security Range\n\
+ -r, --range MLS/MCS Security Range (MLS/MCS Systems only\n\
'
print message
sys.exit(1)
@@ -167,12 +170,16 @@
modify = 1
if o == "-r" or o == '--range':
+ if is_mls_enabled == 0:
+ errorExit("range not supported on Non MLS machines")
serange = a
if o == "-l" or o == "--list":
list = 1
if o == "-L" or o == '--level':
+ if is_mls_enabled == 0:
+ errorExit("range not supported on Non MLS machines")
selevel = a
if o == "-p" or o == '--proto':
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semanage/semanage.8 policycoreutils-1.29.26/semanage/semanage.8
--- nsapolicycoreutils/semanage/semanage.8 2006-01-27 01:16:33.000000000 -0500
+++ policycoreutils-1.29.26/semanage/semanage.8 2006-02-20 23:21:37.000000000 -0500
@@ -46,7 +46,7 @@
List the OBJECTS
.TP
.I \-L, \-\-level
-Default SELinux Level for SELinux use. (s0)
+Default SELinux Level for SELinux use, s0 Default. (MLS/MCS Systems only)
.TP
.I \-m, \-\-modify
Modify a OBJECT record NAME
@@ -58,7 +58,7 @@
Protocol for the specified port (tcp|udp).
.TP
.I \-r, \-\-range
-MLS/MCS Security Range
+MLS/MCS Security Range (MLS/MCS Systems only)
.TP
.I \-R, \-\-role
SELinux Roles. You must enclose multiple roles within quotes, separate by spaces. Or specify \-R multiple times.
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semanage/seobject.py policycoreutils-1.29.26/semanage/seobject.py
--- nsapolicycoreutils/semanage/seobject.py 2006-02-16 13:35:28.000000000 -0500
+++ policycoreutils-1.29.26/semanage/seobject.py 2006-02-20 23:21:42.000000000 -0500
@@ -21,9 +21,43 @@
#
#
-import pwd, string, selinux, tempfile, os, re
+import pwd, string, selinux, tempfile, os, re, sys
from semanage import *;
+is_mls_enabled=selinux.is_selinux_mls_enabled()
+import syslog
+try:
+ import audit
+ class logger:
+ def __init__(self):
+ self.audit_fd=audit.audit_open()
+
+ def log(self, success, msg, name="", sename="", serole="", serange="", old_sename="", old_serole="", old_serange=""):
+ audit.audit_log_semanage_message(self.audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],msg, name, 0, sename, serole, serange, old_sename, old_serole, old_serange, "", "", "", success);
+except:
+ class logger:
+ def log(self, success, msg, name="", sename="", serole="", serange="", old_sename="", old_serole="", old_serange=""):
+ if success == 1:
+ message = "Successful: "
+ else:
+ message = "Failed: "
+ message += " %s name=%s" % (msg,name)
+ if sename != "":
+ message += " sename=" + sename
+ if old_sename != "":
+ message += " old_sename=" + old_sename
+ if serole != "":
+ message += " role=" + serole
+ if old_serole != "":
+ message += " old_role=" + old_serole
+ if serange != "":
+ message += " MLSRange=" + serange
+ if old_serange != "":
+ message += " old_MLSRange=" + old_serange
+ syslog.syslog(message);
+
+mylog=logger()
+
def validate_level(raw):
sensitivity="s([0-9]|1[0-5])"
category="c(1?[0-9]?[0-9]|2[0-4][0-9]|25[0-5])"
@@ -143,6 +177,7 @@
def __init__(self):
self.sh = semanage_handle_create()
self.semanaged = semanage_is_managed(self.sh)
+
if not self.semanaged:
semanage_handle_destroy(self.sh)
raise ValueError("SELinux policy is not managed or store cannot be accessed.")
@@ -162,127 +197,154 @@
semanageRecords.__init__(self)
def add(self, name, sename, serange):
- if serange == "":
- serange = "s0"
- else:
- serange = untranslate(serange)
+ if is_mls_enabled == 1:
+ if serange == "":
+ serange = "s0"
+ else:
+ serange = untranslate(serange)
if sename == "":
sename = "user_u"
- (rc,k) = semanage_seuser_key_create(self.sh, name)
- if rc < 0:
- raise ValueError("Could not create a key for %s" % name)
-
- (rc,exists) = semanage_seuser_exists(self.sh, k)
- if rc < 0:
- raise ValueError("Could not check if login mapping for %s is defined" % name)
- if exists:
- raise ValueError("Login mapping for %s is already defined" % name)
try:
- pwd.getpwnam(name)
- except:
- raise ValueError("Linux User %s does not exist" % name)
-
- (rc,u) = semanage_seuser_create(self.sh)
- if rc < 0:
- raise ValueError("Could not create login mapping for %s" % name)
+ (rc,k) = semanage_seuser_key_create(self.sh, name)
+ if rc < 0:
+ raise ValueError("Could not create a key for %s" % name)
- rc = semanage_seuser_set_name(self.sh, u, name)
- if rc < 0:
- raise ValueError("Could not set name for %s" % name)
+ (rc,exists) = semanage_seuser_exists(self.sh, k)
+ if rc < 0:
+ raise ValueError("Could not check if login mapping for %s is defined" % name)
+ if exists:
+ raise ValueError("Login mapping for %s is already defined" % name)
+ try:
+ pwd.getpwnam(name)
+ except:
+ raise ValueError("Linux User %s does not exist" % name)
- rc = semanage_seuser_set_mlsrange(self.sh, u, serange)
- if rc < 0:
- raise ValueError("Could not set MLS range for %s" % name)
+ (rc,u) = semanage_seuser_create(self.sh)
+ if rc < 0:
+ raise ValueError("Could not create login mapping for %s" % name)
- rc = semanage_seuser_set_sename(self.sh, u, sename)
- if rc < 0:
- raise ValueError("Could not set SELinux user for %s" % name)
+ rc = semanage_seuser_set_name(self.sh, u, name)
+ if rc < 0:
+ raise ValueError("Could not set name for %s" % name)
- rc = semanage_begin_transaction(self.sh)
- if rc < 0:
- raise ValueError("Could not start semanage transaction")
+ rc = semanage_seuser_set_mlsrange(self.sh, u, serange)
+ if rc < 0:
+ raise ValueError("Could not set MLS range for %s" % name)
- rc = semanage_seuser_modify_local(self.sh, k, u)
- if rc < 0:
- raise ValueError("Could not add login mapping for %s" % name)
+ rc = semanage_seuser_set_sename(self.sh, u, sename)
+ if rc < 0:
+ raise ValueError("Could not set SELinux user for %s" % name)
- rc = semanage_commit(self.sh)
- if rc < 0:
- raise ValueError("Could not add login mapping for %s" % name)
+ rc = semanage_begin_transaction(self.sh)
+ if rc < 0:
+ raise ValueError("Could not start semanage transaction")
+ rc = semanage_seuser_modify_local(self.sh, k, u)
+ if rc < 0:
+ raise ValueError("Could not add login mapping for %s" % name)
+
+ rc = semanage_commit(self.sh)
+ if rc < 0:
+ raise ValueError("Could not add login mapping for %s" % name)
+
+ except ValueError, error:
+ mylog.log(0, "add SELinux user mapping", name, sename, "", serange);
+ raise error
+
+ mylog.log(1, "add SELinux user mapping", name, sename, "", serange);
semanage_seuser_key_free(k)
semanage_seuser_free(u)
def modify(self, name, sename = "", serange = ""):
- if sename == "" and serange == "":
- raise ValueError("Requires seuser or serange")
+ oldsename=""
+ oldserange=""
+ try:
+ if sename == "" and serange == "":
+ raise ValueError("Requires seuser or serange")
- (rc,k) = semanage_seuser_key_create(self.sh, name)
- if rc < 0:
- raise ValueError("Could not create a key for %s" % name)
+ (rc,k) = semanage_seuser_key_create(self.sh, name)
+ if rc < 0:
+ raise ValueError("Could not create a key for %s" % name)
- (rc,exists) = semanage_seuser_exists(self.sh, k)
- if rc < 0:
- raise ValueError("Could not check if login mapping for %s is defined" % name)
- if not exists:
- raise ValueError("Login mapping for %s is not defined" % name)
+ (rc,exists) = semanage_seuser_exists(self.sh, k)
+ if rc < 0:
+ raise ValueError("Could not check if login mapping for %s is defined" % name)
+ if not exists:
+ raise ValueError("Login mapping for %s is not defined" % name)
- (rc,u) = semanage_seuser_query(self.sh, k)
- if rc < 0:
- raise ValueError("Could not query seuser for %s" % name)
+ (rc,u) = semanage_seuser_query(self.sh, k)
+ if rc < 0:
+ raise ValueError("Could not query seuser for %s" % name)
- if serange != "":
- semanage_seuser_set_mlsrange(self.sh, u, untranslate(serange))
- if sename != "":
- semanage_seuser_set_sename(self.sh, u, sename)
+ oldserange=semanage_seuser_get_mlsrange(u)
+ oldsename=semanage_seuser_get_sename(u)
+ if serange != "":
+ semanage_seuser_set_mlsrange(self.sh, u, untranslate(serange))
+ else:
+ serange=oldserange
+ if sename != "":
+ semanage_seuser_set_sename(self.sh, u, sename)
+ else:
+ sename=oldsename
- rc = semanage_begin_transaction(self.sh)
- if rc < 0:
- raise ValueError("Could not srart semanage transaction")
+ rc = semanage_begin_transaction(self.sh)
+ if rc < 0:
+ raise ValueError("Could not srart semanage transaction")
- rc = semanage_seuser_modify_local(self.sh, k, u)
- if rc < 0:
- raise ValueError("Could not modify login mapping for %s" % name)
-
- rc = semanage_commit(self.sh)
- if rc < 0:
- raise ValueError("Could not modify login mapping for %s" % name)
+ rc = semanage_seuser_modify_local(self.sh, k, u)
+ if rc < 0:
+ raise ValueError("Could not modify login mapping for %s" % name)
+
+ rc = semanage_commit(self.sh)
+ if rc < 0:
+ raise ValueError("Could not modify login mapping for %s" % name)
+ except ValueError, error:
+ mylog.log(0,"modify selinux user mapping", name, sename, "", serange, "", oldsename, "", oldserange);
+ raise error
+
+ mylog.log(1,"modify selinux user mapping", name, sename, "", serange, "", oldsename, "", oldserange);
semanage_seuser_key_free(k)
semanage_seuser_free(u)
def delete(self, name):
- (rc,k) = semanage_seuser_key_create(self.sh, name)
- if rc < 0:
- raise ValueError("Could not create a key for %s" % name)
+ try:
+ (rc,k) = semanage_seuser_key_create(self.sh, name)
+ if rc < 0:
+ raise ValueError("Could not create a key for %s" % name)
- (rc,exists) = semanage_seuser_exists(self.sh, k)
- if rc < 0:
- raise ValueError("Could not check if login mapping for %s is defined" % name)
- if not exists:
- raise ValueError("Login mapping for %s is not defined" % name)
+ (rc,exists) = semanage_seuser_exists(self.sh, k)
+ if rc < 0:
+ raise ValueError("Could not check if login mapping for %s is defined" % name)
+ if not exists:
+ raise ValueError("Login mapping for %s is not defined" % name)
- (rc,exists) = semanage_seuser_exists_local(self.sh, k)
- if rc < 0:
- raise ValueError("Could not check if login mapping for %s is defined" % name)
- if not exists:
- raise ValueError("Login mapping for %s is defined in policy, cannot be deleted" % name)
+ (rc,exists) = semanage_seuser_exists_local(self.sh, k)
+ if rc < 0:
+ raise ValueError("Could not check if login mapping for %s is defined" % name)
+ if not exists:
+ raise ValueError("Login mapping for %s is defined in policy, cannot be deleted" % name)
- rc = semanage_begin_transaction(self.sh)
- if rc < 0:
- raise ValueError("Could not start semanage transaction")
+ rc = semanage_begin_transaction(self.sh)
+ if rc < 0:
+ raise ValueError("Could not start semanage transaction")
- rc = semanage_seuser_del_local(self.sh, k)
+ rc = semanage_seuser_del_local(self.sh, k)
- if rc < 0:
- raise ValueError("Could not delete login mapping for %s" % name)
+ if rc < 0:
+ raise ValueError("Could not delete login mapping for %s" % name)
- rc = semanage_commit(self.sh)
- if rc < 0:
- raise ValueError("Could not delete login mapping for %s" % name)
-
+ rc = semanage_commit(self.sh)
+ if rc < 0:
+ raise ValueError("Could not delete login mapping for %s" % name)
+
+ except ValueError, error:
+ mylog.log(0,"delete SELinux user mapping", name);
+ raise error
+
+ mylog.log(1,"delete SELinux user mapping", name);
semanage_seuser_key_free(k)
@@ -298,150 +360,179 @@
return ddict
def list(self,heading=1):
- if heading:
- print "\n%-25s %-25s %-25s\n" % ("Login Name", "SELinux User", "MLS/MCS Range")
ddict=self.get_all()
keys=ddict.keys()
keys.sort()
- for k in keys:
- print "%-25s %-25s %-25s" % (k, ddict[k][0], translate(ddict[k][1]))
+ if is_mls_enabled == 1:
+ if heading:
+ print "\n%-25s %-25s %-25s\n" % ("Login Name", "SELinux User", "MLS/MCS Range")
+ for k in keys:
+ print "%-25s %-25s %-25s" % (k, ddict[k][0], translate(ddict[k][1]))
+ else:
+ if heading:
+ print "\n%-25s %-25s\n" % ("Login Name", "SELinux User")
+ for k in keys:
+ print "%-25s %-25s %-25s" % (k, ddict[k][0])
class seluserRecords(semanageRecords):
def __init__(self):
semanageRecords.__init__(self)
def add(self, name, roles, selevel, serange):
- if serange == "":
- serange = "s0"
- else:
- serange = untranslate(serange)
+ if is_mls_enabled == 1:
+ if serange == "":
+ serange = "s0"
+ else:
+ serange = untranslate(serange)
- if selevel == "":
- selevel = "s0"
- else:
- selevel = untranslate(selevel)
-
- (rc,k) = semanage_user_key_create(self.sh, name)
- if rc < 0:
- raise ValueError("Could not create a key for %s" % name)
-
- (rc,exists) = semanage_user_exists(self.sh, k)
- if rc < 0:
- raise ValueError("Could not check if SELinux user %s is defined" % name)
- if exists:
- raise ValueError("SELinux user %s is already defined" % name)
-
- (rc,u) = semanage_user_create(self.sh)
- if rc < 0:
- raise ValueError("Could not create SELinux user for %s" % name)
+ if selevel == "":
+ selevel = "s0"
+ else:
+ selevel = untranslate(selevel)
+
+ seroles=" ".join(roles)
+ try:
+ (rc,k) = semanage_user_key_create(self.sh, name)
+ if rc < 0:
+ raise ValueError("Could not create a key for %s" % name)
- rc = semanage_user_set_name(self.sh, u, name)
- if rc < 0:
- raise ValueError("Could not set name for %s" % name)
+ (rc,exists) = semanage_user_exists(self.sh, k)
+ if rc < 0:
+ raise ValueError("Could not check if SELinux user %s is defined" % name)
+ if exists:
+ raise ValueError("SELinux user %s is already defined" % name)
- for r in roles:
- rc = semanage_user_add_role(self.sh, u, r)
+ (rc,u) = semanage_user_create(self.sh)
if rc < 0:
- raise ValueError("Could not add role %s for %s" % (r, name))
+ raise ValueError("Could not create SELinux user for %s" % name)
- rc = semanage_user_set_mlsrange(self.sh, u, serange)
- if rc < 0:
- raise ValueError("Could not set MLS range for %s" % name)
+ rc = semanage_user_set_name(self.sh, u, name)
+ if rc < 0:
+ raise ValueError("Could not set name for %s" % name)
- rc = semanage_user_set_mlslevel(self.sh, u, selevel)
- if rc < 0:
- raise ValueError("Could not set MLS level for %s" % name)
+ for r in roles:
+ rc = semanage_user_add_role(self.sh, u, r)
+ if rc < 0:
+ raise ValueError("Could not add role %s for %s" % (r, name))
+
+ if is_mls_enabled == 1:
+ rc = semanage_user_set_mlsrange(self.sh, u, serange)
+ if rc < 0:
+ raise ValueError("Could not set MLS range for %s" % name)
+
+ rc = semanage_user_set_mlslevel(self.sh, u, selevel)
+ if rc < 0:
+ raise ValueError("Could not set MLS level for %s" % name)
- (rc,key) = semanage_user_key_extract(self.sh,u)
- if rc < 0:
- raise ValueError("Could not extract key for %s" % name)
+ (rc,key) = semanage_user_key_extract(self.sh,u)
+ if rc < 0:
+ raise ValueError("Could not extract key for %s" % name)
- rc = semanage_begin_transaction(self.sh)
- if rc < 0:
- raise ValueError("Could not start semanage transaction")
+ rc = semanage_begin_transaction(self.sh)
+ if rc < 0:
+ raise ValueError("Could not start semanage transaction")
- rc = semanage_user_modify_local(self.sh, k, u)
- if rc < 0:
- raise ValueError("Could not add SELinux user %s" % name)
+ rc = semanage_user_modify_local(self.sh, k, u)
+ if rc < 0:
+ raise ValueError("Could not add SELinux user %s" % name)
- rc = semanage_commit(self.sh)
- if rc < 0:
- raise ValueError("Could not add SELinux user %s" % name)
+ rc = semanage_commit(self.sh)
+ if rc < 0:
+ raise ValueError("Could not add SELinux user %s" % name)
+ except ValueError, error:
+ mylog.log(0,"add SELinux user record", name, name, seroles, serange)
+ raise error
+
+ mylog.log(1,"add SELinux user record", name, name, seroles, serange)
semanage_user_key_free(k)
semanage_user_free(u)
def modify(self, name, roles = [], selevel = "", serange = ""):
- if len(roles) == 0 and serange == "" and selevel == "":
- raise ValueError("Requires roles, level or range")
+ try:
+ if len(roles) == 0 and serange == "" and selevel == "":
+ if is_mls_enabled == 1:
+ raise ValueError("Requires roles, level or range")
+ else:
+ raise ValueError("Requires roles")
- (rc,k) = semanage_user_key_create(self.sh, name)
- if rc < 0:
- raise ValueError("Could not create a key for %s" % name)
+ (rc,k) = semanage_user_key_create(self.sh, name)
+ if rc < 0:
+ raise ValueError("Could not create a key for %s" % name)
- (rc,exists) = semanage_user_exists(self.sh, k)
- if rc < 0:
- raise ValueError("Could not check if SELinux user %s is defined" % name)
- if not exists:
- raise ValueError("SELinux user %s is not defined" % name)
-
- (rc,u) = semanage_user_query(self.sh, k)
- if rc < 0:
- raise ValueError("Could not query user for %s" % name)
+ (rc,exists) = semanage_user_exists(self.sh, k)
+ if rc < 0:
+ raise ValueError("Could not check if SELinux user %s is defined" % name)
+ if not exists:
+ raise ValueError("SELinux user %s is not defined" % name)
- if serange != "":
- semanage_user_set_mlsrange(self.sh, u, untranslate(serange))
- if selevel != "":
- semanage_user_set_mlslevel(self.sh, u, untranslate(selevel))
-
- if len(roles) != 0:
- for r in roles:
- semanage_user_add_role(self.sh, u, r)
+ (rc,u) = semanage_user_query(self.sh, k)
+ if rc < 0:
+ raise ValueError("Could not query user for %s" % name)
- rc = semanage_begin_transaction(self.sh)
- if rc < 0:
- raise ValueError("Could not start semanage transaction")
+ if serange != "":
+ semanage_user_set_mlsrange(self.sh, u, untranslate(serange))
+ if selevel != "":
+ semanage_user_set_mlslevel(self.sh, u, untranslate(selevel))
+
+ if len(roles) != 0:
+ for r in roles:
+ semanage_user_add_role(self.sh, u, r)
- rc = semanage_user_modify_local(self.sh, k, u)
- if rc < 0:
- raise ValueError("Could not modify SELinux user %s" % name)
+ rc = semanage_begin_transaction(self.sh)
+ if rc < 0:
+ raise ValueError("Could not start semanage transaction")
- rc = semanage_commit(self.sh)
- if rc < 0:
- raise ValueError("Could not modify SELinux user %s" % name)
+ rc = semanage_user_modify_local(self.sh, k, u)
+ if rc < 0:
+ raise ValueError("Could not modify SELinux user %s" % name)
+
+ rc = semanage_commit(self.sh)
+ if rc < 0:
+ raise ValueError("Could not modify SELinux user %s" % name)
+
+ except ValueError, error:
+ mylog.log(0,"modify SELinux user record", name, seuser, seroles, serange, oldseuser, oldseroles, olrserange)
+ raise error
+ mylog.log(1,"modify SELinux user record", name, seuser, seroles, serange, oldseuser, oldseroles, olrserange)
semanage_user_key_free(k)
semanage_user_free(u)
def delete(self, name):
- (rc,k) = semanage_user_key_create(self.sh, name)
- if rc < 0:
- raise ValueError("Could not create a key for %s" % name)
-
- (rc,exists) = semanage_user_exists(self.sh, k)
- if rc < 0:
- raise ValueError("Could not check if SELinux user %s is defined" % name)
- if not exists:
- raise ValueError("SELinux user %s is not defined" % name)
+ try:
+ (rc,k) = semanage_user_key_create(self.sh, name)
+ if rc < 0:
+ raise ValueError("Could not create a key for %s" % name)
+
+ (rc,exists) = semanage_user_exists(self.sh, k)
+ if rc < 0:
+ raise ValueError("Could not check if SELinux user %s is defined" % name)
+ if not exists:
+ raise ValueError("SELinux user %s is not defined" % name)
- (rc,exists) = semanage_user_exists_local(self.sh, k)
- if rc < 0:
- raise ValueError("Could not check if SELinux user %s is defined" % name)
- if not exists:
- raise ValueError("SELinux user %s is defined in policy, cannot be deleted" % name)
+ (rc,exists) = semanage_user_exists_local(self.sh, k)
+ if rc < 0:
+ raise ValueError("Could not check if SELinux user %s is defined" % name)
+ if not exists:
+ raise ValueError("SELinux user %s is defined in policy, cannot be deleted" % name)
- rc = semanage_begin_transaction(self.sh)
- if rc < 0:
- raise ValueError("Could not start semanage transaction")
+ rc = semanage_begin_transaction(self.sh)
+ if rc < 0:
+ raise ValueError("Could not start semanage transaction")
- rc = semanage_user_del_local(self.sh, k)
- if rc < 0:
- raise ValueError("Could not delete SELinux user %s" % name)
+ rc = semanage_user_del_local(self.sh, k)
+ if rc < 0:
+ raise ValueError("Could not delete SELinux user %s" % name)
- rc = semanage_commit(self.sh)
- if rc < 0:
- raise ValueError("Could not delete SELinux user %s" % name)
+ rc = semanage_commit(self.sh)
+ if rc < 0:
+ raise ValueError("Could not delete SELinux user %s" % name)
+ except ValueError, error:
+ mylog.log(0,"delete SELinux user record", name)
+ raise error
+ mylog.log(1,"delete SELinux user record", name)
semanage_user_key_free(k)
def get_all(self):
@@ -462,14 +553,20 @@
return ddict
def list(self, heading=1):
- if heading:
- print "\n%-15s %-10s %-30s" % ("", "MLS/", "MLS/")
- print "%-15s %-10s %-30s %s\n" % ("SELinux User", "MCS Level", "MCS Range", "SELinux Roles")
ddict=self.get_all()
keys=ddict.keys()
keys.sort()
- for k in keys:
- print "%-15s %-10s %-30s %s" % (k, translate(ddict[k][0]), translate(ddict[k][1]), ddict[k][2])
+ if is_mls_enabled == 1:
+ if heading:
+ print "\n%-15s %-10s %-30s" % ("", "MLS/", "MLS/")
+ print "%-15s %-10s %-30s %s\n" % ("SELinux User", "MCS Level", "MCS Range", "SELinux Roles")
+ for k in keys:
+ print "%-15s %-10s %-30s %s" % (k, translate(ddict[k][0]), translate(ddict[k][1]), ddict[k][2])
+ else:
+ if heading:
+ print "%-15s %s\n" % ("SELinux User", "SELinux Roles")
+ for k in keys:
+ print "%-15s %s" % (k, ddict[k][2])
class portRecords(semanageRecords):
def __init__(self):
@@ -500,10 +597,11 @@
return ( k, proto_d, low, high )
def add(self, port, proto, serange, type):
- if serange == "":
- serange="s0"
- else:
- serange=untranslate(serange)
+ if is_mls_enabled == 1:
+ if serange == "":
+ serange="s0"
+ else:
+ serange=untranslate(serange)
if type == "":
raise ValueError("Type is required")
@@ -564,7 +662,10 @@
def modify(self, port, proto, serange, setype):
if serange == "" and setype == "":
- raise ValueError("Requires setype or serange")
+ if is_mls_enabled == 1:
+ raise ValueError("Requires setype or serange")
+ else:
+ raise ValueError("Requires setype")
( k, proto_d, low, high ) = self.__genkey(port, proto)
@@ -688,10 +789,11 @@
semanageRecords.__init__(self)
def add(self, interface, serange, ctype):
- if serange == "":
- serange="s0"
- else:
- serange=untranslate(serange)
+ if is_mls_enabled == 1:
+ if serange == "":
+ serange="s0"
+ else:
+ serange=untranslate(serange)
if ctype == "":
raise ValueError("SELinux Type is required")
@@ -869,14 +971,14 @@
self.file_types["named pipe"] = SEMANAGE_FCONTEXT_PIPE;
- def add(self, target, type, ftype="", serange="s0", seuser="system_u"):
+ def add(self, target, type, ftype="", serange="", seuser="system_u"):
if seuser == "":
seuser="system_u"
-
- if serange == "":
- serange="s0"
- else:
- serange=untranslate(serange)
+ if is_mls_enabled == 1:
+ if serange == "":
+ serange="s0"
+ else:
+ serange=untranslate(serange)
if type == "":
raise ValueError("SELinux Type is required")
^ permalink raw reply [flat|nested] 19+ messages in thread* Re: policycoreutils latest diffs.
2006-02-22 18:23 policycoreutils latest diffs Daniel J Walsh
@ 2006-02-23 14:02 ` Stephen Smalley
2006-03-08 17:29 ` Stephen Smalley
0 siblings, 1 reply; 19+ messages in thread
From: Stephen Smalley @ 2006-02-23 14:02 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: Ivan Gyurdiev, Joshua Brindle, SE Linux
On Wed, 2006-02-22 at 13:23 -0500, Daniel J Walsh wrote:
> audit2allow -
>
> Added (-R/--reference) to audit2allow. This basically greps through
> reference policy and finds all matches for a particular
> access. Then outputs them. It attempts to find the best match. This
> makes updating reference policy a lot easier.
>
> Changed load_policy to be looked at regardless of the granted flag.
Is this to catch reloads that occur in permissive mode?
Going forward, you should be able to key off the new audit messages
added by Steve Grubb for policy reloads, as they will indicate when a
reload actually occurred (vs. just a permission check for them).
> Add some checks to semanage and seobject.py to turn off processing on
> non MLS/MCS machines.
> (These are untested on a Non MLS/MCS machine, since I do not have access.)
Doesn't quite work yet.
# semanage login -l
Login Name SELinux User
Traceback (most recent call last):
File "/usr/sbin/semanage", line 219, in ?
OBJECT.list(heading)
File "/usr/lib/python2.4/site-packages/seobject.py", line 375, in list
print "%-25s %-25s %-25s" % (k, ddict[k][0])
TypeError: not enough arguments for format string
That one is easy to fix:
--- seobject.py.0 2006-02-23 08:54:12.000000000 -0500
+++ seobject.py 2006-02-23 08:54:16.000000000 -0500
@@ -372,7 +372,7 @@ class loginRecords(semanageRecords):
if heading:
print "\n%-25s %-25s\n" % ("Login Name", "SELinux User")
for k in keys:
- print "%-25s %-25s %-25s" % (k, ddict[k][0])
+ print "%-25s %-25s" % (k, ddict[k][0])
class seluserRecords(semanageRecords):
def __init__(self):
Then login -l works, but:
# semanage login -a sds
libsemanage.validate_handler: MLS is disabled, but MLS range was found for Unix user sds
libsemanage.validate_handler: seuser mapping [sds -> (user_u, )] is invalid
libsemanage.dbase_llist_iterate: could not iterate over records
/usr/sbin/semanage: Could not add login mapping for sds
So it looks like semanage (util) is passing libsemanage an empty string
rather than a NULL?
--
Stephen Smalley
National Security Agency
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 19+ messages in thread* Re: policycoreutils latest diffs.
2006-02-23 14:02 ` Stephen Smalley
@ 2006-03-08 17:29 ` Stephen Smalley
0 siblings, 0 replies; 19+ messages in thread
From: Stephen Smalley @ 2006-03-08 17:29 UTC (permalink / raw)
To: Daniel J Walsh
Cc: Christopher J. PeBenito, Ivan Gyurdiev, Joshua Brindle, SE Linux
On Thu, 2006-02-23 at 09:02 -0500, Stephen Smalley wrote:
> On Wed, 2006-02-22 at 13:23 -0500, Daniel J Walsh wrote:
> > audit2allow -
> >
> > Added (-R/--reference) to audit2allow. This basically greps through
> > reference policy and finds all matches for a particular
> > access. Then outputs them. It attempts to find the best match. This
> > makes updating reference policy a lot easier.
> >
> > Changed load_policy to be looked at regardless of the granted flag.
>
> Is this to catch reloads that occur in permissive mode?
> Going forward, you should be able to key off the new audit messages
> added by Steve Grubb for policy reloads, as they will indicate when a
> reload actually occurred (vs. just a permission check for them).
>
> > Add some checks to semanage and seobject.py to turn off processing on
> > non MLS/MCS machines.
> > (These are untested on a Non MLS/MCS machine, since I do not have access.)
>
> Doesn't quite work yet.
>
> # semanage login -l
> Login Name SELinux User
>
> Traceback (most recent call last):
> File "/usr/sbin/semanage", line 219, in ?
> OBJECT.list(heading)
> File "/usr/lib/python2.4/site-packages/seobject.py", line 375, in list
> print "%-25s %-25s %-25s" % (k, ddict[k][0])
> TypeError: not enough arguments for format string
>
> That one is easy to fix:
> --- seobject.py.0 2006-02-23 08:54:12.000000000 -0500
> +++ seobject.py 2006-02-23 08:54:16.000000000 -0500
> @@ -372,7 +372,7 @@ class loginRecords(semanageRecords):
> if heading:
> print "\n%-25s %-25s\n" % ("Login Name", "SELinux User")
> for k in keys:
> - print "%-25s %-25s %-25s" % (k, ddict[k][0])
> + print "%-25s %-25s" % (k, ddict[k][0])
>
> class seluserRecords(semanageRecords):
> def __init__(self):
>
> Then login -l works, but:
> # semanage login -a sds
> libsemanage.validate_handler: MLS is disabled, but MLS range was found for Unix user sds
> libsemanage.validate_handler: seuser mapping [sds -> (user_u, )] is invalid
> libsemanage.dbase_llist_iterate: could not iterate over records
> /usr/sbin/semanage: Could not add login mapping for sds
>
> So it looks like semanage (util) is passing libsemanage an empty string
> rather than a NULL?
I updated to the latest version of this patch from Fedora CVS, worked
around the two issues for MLS-disabled, and committed. Dropped the
fixfiles diff as it seems to be broken (try fixfiles check /boot).
I think that the audit2allow -R code will need further generalization
(e.g. location of policy devel files is presently hardcoded into the
script) for other distributions.
I verified that semanage login -l and semanage login -a sds worked on a
FC4 system (non-MLS, no python audit bindings), and it appeared to work
and syslog'd the audit message (but the record appears from "python:"
rather than "semanage").
--
Stephen Smalley
National Security Agency
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 19+ messages in thread
* Policycoreutils latest diffs.
@ 2006-01-03 18:39 Daniel J Walsh
2006-01-03 17:22 ` Ivan Gyurdiev
` (2 more replies)
0 siblings, 3 replies; 19+ messages in thread
From: Daniel J Walsh @ 2006-01-03 18:39 UTC (permalink / raw)
To: Stephen Smalley, SE Linux
[-- Attachment #1: Type: text/plain, Size: 819 bytes --]
Fixes to restorecon to handle user_only_changed even in the -vv case.
Many fixes to chcat to get it working in the hundreds of different ways
it can be used...
Changed fixfiles to sort before doing the diff. New way of handling
file_context seems to change the file_context sort order on every update
causing fixfiles to falsely think things have changed. This might not
be ideal since ordering could cause problems.
genhomedircon fixes to make it work within anaconda. Eliminated all
calls to getstatusoutput.
Added test files to be run to make sure there are no regressions on
updates. Probably should get these to run automatically some how.
semanage modified to handle ports. Currenly does not work because of
some of Ivan's changes to libsepol, libsemanage and libselinux have not
been added.
[-- Attachment #2: policycoreutils-rhat.patch --]
[-- Type: text/x-patch, Size: 48909 bytes --]
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/restorecon/restorecon.8 policycoreutils-1.29.2/restorecon/restorecon.8
--- nsapolicycoreutils/restorecon/restorecon.8 2005-12-08 12:59:25.000000000 -0500
+++ policycoreutils-1.29.2/restorecon/restorecon.8 2006-01-02 14:35:46.000000000 -0500
@@ -45,7 +45,7 @@
show changes in file labels, if type, role, or user are changing.
.TP
.B \-F
-Force reset of context to match file_context for customizable files
+Force reset of context to match file_context for customizable files, or the user section, if it has changed.
.TP
.SH "ARGUMENTS"
.B pathname...
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/restorecon/restorecon.c policycoreutils-1.29.2/restorecon/restorecon.c
--- nsapolicycoreutils/restorecon/restorecon.c 2005-12-08 12:59:25.000000000 -0500
+++ policycoreutils-1.29.2/restorecon/restorecon.c 2006-01-02 14:33:52.000000000 -0500
@@ -112,18 +112,16 @@
void usage(const char * const name)
{
fprintf(stderr,
- "usage: %s [-rRnv] [-e excludedir ] [-o filename ] [-f filename | pathname... ]\n", name);
+ "usage: %s [-FnrRv] [-e excludedir ] [-o filename ] [-f filename | pathname... ]\n", name);
exit(1);
}
int restore(char *filename) {
int retcontext=0;
- int retval=0;
security_context_t scontext=NULL;
security_context_t prev_context=NULL;
int len=strlen(filename);
struct stat st;
char path[PATH_MAX+1];
- int user_only_changed=0;
/*
Eliminate trailing /
*/
@@ -175,8 +173,7 @@
if (excludeCtr > 0 && exclude(filename)) {
return 0;
}
- retval = matchpathcon(filename, st.st_mode, &scontext);
- if (retval < 0) {
+ if (matchpathcon(filename, st.st_mode, &scontext) < 0) {
if (errno == ENOENT)
return 0;
fprintf(stderr,"matchpathcon(%s) failed %s\n", filename,strerror(errno));
@@ -194,27 +191,24 @@
if (retcontext < 0 || force ||
(strcmp(prev_context,scontext) != 0 &&
!(customizable=is_context_customizable(prev_context) > 0))) {
- if (outfile) {
- fprintf(outfile, "%s\n", filename);
- }
- user_only_changed = only_changed_user(scontext, prev_context);
- if (change && !user_only_changed) {
- retval=lsetfilecon(filename,scontext);
- }
- if (retval<0) {
- fprintf(stderr,"%s set context %s->%s failed:'%s'\n",
- progname, filename, scontext, strerror(errno));
- if (retcontext >= 0)
- freecon(prev_context);
- freecon(scontext);
- return 1;
- } else
- if (verbose &&
- (verbose > 1 || !user_only_changed))
+ if (only_changed_user(scontext, prev_context) == 0) {
+ if (outfile) fprintf(outfile, "%s\n", filename);
+ if (change) {
+ if (lsetfilecon(filename,scontext) < 0) {
+ fprintf(stderr,"%s set context %s->%s failed:'%s'\n",
+ progname, filename, scontext, strerror(errno));
+ if (retcontext >= 0)
+ freecon(prev_context);
+ freecon(scontext);
+ return 1;
+ }
+ }
+ if (verbose)
printf("%s reset %s context %s->%s\n",
- progname, filename, (retcontext >= 0 ? prev_context : ""), scontext);
+ progname, filename, (retcontext >= 0 ? prev_context : ""), scontext);
+ }
}
- if (verbose > 1 && customizable>0) {
+ if (verbose > 1 && ! force && customizable>0) {
printf("%s: %s not reset customized by admin to %s\n",
progname, filename, prev_context);
}
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/chcat policycoreutils-1.29.2/scripts/chcat
--- nsapolicycoreutils/scripts/chcat 2005-12-14 14:16:50.000000000 -0500
+++ policycoreutils-1.29.2/scripts/chcat 2006-01-02 14:33:44.000000000 -0500
@@ -39,11 +39,11 @@
print("Can not modify sensitivity levels using '+' on %s" % f)
if len(clist) > 1:
- cats=clist[1].split(",")
- if cat in cats:
+ if cat in clist[1:]:
print "%s is already in %s" % (f, orig)
continue
- cats.append(cat)
+ clist.append(cat)
+ cats=clist[1:]
cats.sort()
cat_string=cats[0]
for c in cats[1:]:
@@ -73,14 +73,13 @@
continue
if len(clist) > 1:
- cats=clist[1].split(",")
- if cat not in cats:
+ if cat not in clist[1:]:
print "%s is not in %s" % (f, orig)
continue
- cats.remove(cat)
- if len(cats) > 0:
- cat=cats[0]
- for c in cats[1:]:
+ clist.remove(cat)
+ if len(clist) > 1:
+ cat=clist[1]
+ for c in clist[2:]:
cat="%s,%s" % (cat, c)
else:
cat=""
@@ -91,7 +90,7 @@
if len(cat) == 0:
cmd='chcon -l %s %s' % (sensitivity, f)
else:
- cmd='chcon -l %s:%s %s' % (sensitivity, cat, f)
+ cmd='chcon -l %s:%s %s' % (sensitivity,cat, f)
rc=commands.getstatusoutput(cmd)
if rc[0] != 0:
print rc[1]
@@ -101,18 +100,17 @@
def chcat_replace(orig, newcat, files):
errors=0
if len(newcat) == 1:
- if newcat[0][0] == "s" and newcat[0][1:].isdigit() and int(newcat[0][1:]) in range(0,16):
- sensitivity=newcat[0]
- cmd='chcon -l %s ' % newcat[0]
- else:
- cmd='chcon -l s0:%s ' % newcat[0]
+ sensitivity=newcat[0]
+ cmd='chcon -l %s ' % newcat[0]
else:
sensitivity=newcat[0]
- cat=newcat[1]
- cmd='chcon -l %s:%s ' % (sensitivity, cat)
+ cmd='chcon -l %s:%s' % (sensitivity, newcat[1])
+ for cat in newcat[2:]:
+ cmd='%s,%s' % (cmd, cat)
for f in files:
cmd = "%s %s" % (cmd, f)
+
rc=commands.getstatusoutput(cmd)
if rc[0] != 0:
print rc[1]
@@ -134,44 +132,73 @@
raise ValueError("Can not combine +/- with other types of categories")
return replace_ind
+def isSensitivity(sensitivity):
+ if sensitivity[0] == "s" and sensitivity[1:].isdigit() and int(sensitivity[1:]) in range(0,16):
+ return 1
+ else:
+ return 0
+
+def expandCats(cats):
+ newcats=[]
+ for c in cats:
+ if c.find(".") != -1:
+ c=c.split(".")
+ for i in range(int(c[0][1:]), int(c[1][1:])+1):
+ x=("c%d" % i)
+ if x not in newcats:
+ newcats.append("c%d" % i)
+ else:
+ for i in c.split(","):
+ if i not in newcats:
+ newcats.append(i)
+ return newcats
+
def translate(cats):
newcat=[]
+ if len(cats) == 0:
+ newcat.append("s0")
+ return newcat
for c in cats:
(rc, raw) = selinux.selinux_trans_to_raw_context("a:b:c:%s" % c)
rlist=raw.split(":")[3:]
- if len(rlist) > 1:
- if len(newcat) == 0:
- newcat.append(rlist[0])
- else:
- if newcat[0] != rlist[0]:
- raise ValueError("Can not have multiple sensitivities")
- newcat.append(rlist[1])
- else:
- if rlist[0][0] == "s" and rlist[0][1:].isdigit() and int(rlist[0][1:]) in range(0,16):
-
- if len(newcat) == 0:
- newcat.append(rlist[0])
- else:
- if newcat[0] != rlist[0]:
- raise ValueError("Can not have multiple sensitivities")
- else:
- if len(newcat) == 0:
- newcat.append("s0")
- else:
- if newcat[0] != "s0":
- raise ValueError("Can not have multiple sensitivities")
- newcat.append(rlist[0])
-
+ tlist=[]
+ if isSensitivity(rlist[0])==0:
+ tlist.append("s0")
+ for i in expandCats(rlist):
+ tlist.append(i)
+ else:
+ tlist.append(rlist[0])
+ for i in expandCats(rlist[1:]):
+ tlist.append(i)
+ if len(newcat) == 0:
+ newcat.append(tlist[0])
+ else:
+ if newcat[0] != tlist[0]:
+ raise ValueError("Can not have multiple sensitivities")
+ for i in tlist[1:]:
+ newcat.append(i)
return newcat
def usage():
print "Usage %s CATEGORY File ..." % sys.argv[0]
print "Usage %s [[+|-]CATEGORY],...]q File ..." % sys.argv[0]
print "Usage %s -d File ..." % sys.argv[0]
+ print "Usage %s -l" % sys.argv[0]
print "Use -- to end option list. For example"
print "chcat -- -CompanyConfidential /docs/businessplan.odt."
sys.exit(1)
+def listcats():
+ fd = open(selinux.selinux_translations_path())
+ for l in fd.read().split("\n"):
+ if l.startswith("#"):
+ continue
+ if l.find("=")!=-1:
+ rec=l.split("=")
+ print "%-30s %s" % tuple(rec)
+ fd.close()
+ return 0
+
def error(msg):
print "%s: %s" % (sys.argv[0], msg)
sys.exit(1)
@@ -184,10 +211,12 @@
error("Requires an SELinux enabled system")
delete_ind=0
+ list_ind=0
try:
gopts, cmds = getopt.getopt(sys.argv[1:],
- 'dh',
- ['help',
+ 'dhl',
+ ['list',
+ 'help',
'delete'])
for o,a in gopts:
@@ -195,8 +224,10 @@
usage()
if o == "-d" or o == "--delete":
delete_ind=1
+ if o == "-l" or o == "--list":
+ list_ind=1
- if len(cmds) < 1:
+ if list_ind==0 and len(cmds) < 1:
usage()
except:
usage()
@@ -204,6 +235,8 @@
if delete_ind:
sys.exit(chcat_replace(["s0"], ["s0"], cmds))
+ if list_ind:
+ sys.exit(listcats())
if len(cmds) < 2:
usage()
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/chcat.8 policycoreutils-1.29.2/scripts/chcat.8
--- nsapolicycoreutils/scripts/chcat.8 2005-12-08 12:52:47.000000000 -0500
+++ policycoreutils-1.29.2/scripts/chcat.8 2006-01-02 14:33:44.000000000 -0500
@@ -11,6 +11,9 @@
.B chcat
[\fI-d\fR] \fIFILE\fR...
.br
+.B chcat
+[\fI-l\fR]
+.br
.PP
Change/Remove the security CATEGORY for each FILE.
.PP
@@ -18,6 +21,9 @@
.TP
\fB\-d\fR
delete the category from each file.
+.TP
+\fB\-l\fR
+list available categories.
.SH "SEE ALSO"
.TP
chcon(1), selinux(8)
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/fixfiles policycoreutils-1.29.2/scripts/fixfiles
--- nsapolicycoreutils/scripts/fixfiles 2005-10-13 13:51:22.000000000 -0400
+++ policycoreutils-1.29.2/scripts/fixfiles 2006-01-02 14:33:44.000000000 -0500
@@ -62,8 +62,8 @@
TEMPFILE=`mktemp ${FC}.XXXXXXXXXX`
test -z "$TEMPFILE" && exit
PREFCTEMPFILE=`mktemp ${PREFC}.XXXXXXXXXX`
- sed -r -e 's,:s0, ,g' $PREFC > ${PREFCTEMPFILE}
- sed -r -e 's,:s0, ,g' $FC | \
+ sed -r -e 's,:s0, ,g' $PREFC | sort -u > ${PREFCTEMPFILE}
+ sed -r -e 's,:s0, ,g' $FC | sort -u | \
/usr/bin/diff -b ${PREFCTEMPFILE} - | \
grep '^[<>]'|cut -c3-| grep ^/ | \
egrep -v '(^/home|^/root|^/tmp|^/dev)' |\
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/genhomedircon policycoreutils-1.29.2/scripts/genhomedircon
--- nsapolicycoreutils/scripts/genhomedircon 2005-12-07 07:28:00.000000000 -0500
+++ policycoreutils-1.29.2/scripts/genhomedircon 2006-01-02 14:33:44.000000000 -0500
@@ -1,4 +1,4 @@
-#! /usr/bin/env python
+#! /usr/bin/python
# Copyright (C) 2004 Tresys Technology, LLC
# see file 'COPYING' for use and warranty information
#
@@ -26,64 +26,73 @@
#
#
-import commands, sys, os, pwd, string, getopt, re
+import sys, os, pwd, string, getopt, re
from semanage import *;
-fd=open("/etc/shells", 'r')
-VALID_SHELLS=fd.read().split('\n')
-fd.close()
-if "/sbin/nologin" in VALID_SHELLS:
- VALID_SHELLS.remove("/sbin/nologin")
+try:
+ fd=open("/etc/shells", 'r')
+ VALID_SHELLS=fd.read().split('\n')
+ fd.close()
+ if "/sbin/nologin" in VALID_SHELLS:
+ VALID_SHELLS.remove("/sbin/nologin")
+except:
+ VALID_SHELLS = ['/bin/sh', '/bin/bash', '/bin/ash', '/bin/bsh', '/bin/ksh', '/usr/bin/ksh', '/usr/bin/pdksh', '/bin/tcsh', '/bin/csh', '/bin/zsh']
+
+def findval(file, var, delim=""):
+ val=""
+ try:
+ fd=open(file, 'r')
+ for i in fd.read().split('\n'):
+ if i.startswith(var) == 1:
+ if delim == "":
+ val = i.split()[1]
+ else:
+ val = i.split(delim)[1]
+ val = val.split("#")[0]
+ val = val.strip()
+ fd.close()
+ except:
+ val=""
+ return val
def getStartingUID():
starting_uid = sys.maxint
- rc=commands.getstatusoutput("grep -h '^UID_MIN' /etc/login.defs")
- if rc[0] == 0:
- uid_min = re.sub("^UID_MIN[^0-9]*", "", rc[1])
- #stip any comment from the end of the line
+ uid_min= findval("/etc/login.defs", "UID_MIN")
+ if uid_min != "":
uid_min = uid_min.split("#")[0]
uid_min = uid_min.strip()
if int(uid_min) < starting_uid:
starting_uid = int(uid_min)
- rc=commands.getstatusoutput("grep -h '^LU_UIDNUMBER' /etc/libuser.conf")
- if rc[0] == 0:
- lu_uidnumber = re.sub("^LU_UIDNUMBER[^0-9]*", "", rc[1])
- #stip any comment from the end of the line
- lu_uidnumber = re.sub("[ \t].*", "", lu_uidnumber)
- lu_uidnumber = lu_uidnumber.split("#")[0]
- lu_uidnumber = lu_uidnumber.strip()
- if int(lu_uidnumber) < starting_uid:
- starting_uid = int(lu_uidnumber)
+
+ uid_min= findval("/etc/libuser.conf", "LU_UIDNUMBER", "=")
+ if uid_min != "":
+ uid_min = uid_min.split("#")[0]
+ uid_min = uid_min.strip()
+ if int(uid_min) < starting_uid:
+ starting_uid = int(uid_min)
+
if starting_uid == sys.maxint:
starting_uid = 500
return starting_uid
def getDefaultHomeDir():
ret = []
- rc=commands.getstatusoutput("grep -h '^HOME' /etc/default/useradd")
- if rc[0] == 0:
- homedir = rc[1].split("=")[1]
- homedir = homedir.split("#")[0]
- homedir = homedir.strip()
- if not homedir in ret:
- ret.append(homedir)
-
- rc=commands.getstatusoutput("grep -h '^LU_HOMEDIRECTORY' /etc/libuser.conf")
- if rc[0] == 0:
- homedir = rc[1].split("=")[1]
- homedir = homedir.split("#")[0]
- homedir = homedir.strip()
- if not homedir in ret:
- ret.append(homedir)
-
+ homedir=findval("/etc/default/useradd", "HOME", "=")
+ if homedir != "" and not homedir in ret:
+ ret.append(homedir)
+
+ homedir=findval("/etc/libuser.conf", "LU_HOMEDIRECTORY", "=")
+ if homedir != "" and not homedir in ret:
+ ret.append(homedir)
+
if ret == []:
ret.append("/home")
return ret
def getSELinuxType(directory):
- rc=commands.getstatusoutput("grep ^SELINUXTYPE= %s/config" % directory)
- if rc[0]==0:
- return rc[1].split("=")[-1].strip()
+ val=findval(directory+"/config", "SELINUXTYPE", "=")
+ if val != "":
+ return val
return "targeted"
def usage(error = ""):
@@ -129,11 +138,17 @@
return self.getFileContextDir()+"/homedir_template"
def getHomeRootContext(self, homedir):
- rc=commands.getstatusoutput("grep HOME_ROOT %s | sed -e \"s|^HOME_ROOT|%s|\"" % ( self.getHomeDirTemplate(), homedir))
- if rc[0] == 0:
- return rc[1]+"\n"
- else:
- errorExit("sed error %s" % rc[1])
+ ret=""
+ fd=open(self.getHomeDirTemplate(), 'r')
+
+ for i in fd.read().split('\n'):
+ if i.find("HOME_ROOT") == 0:
+ i=i.replace("HOME_ROOT", homedir)
+ ret = i+"\n"
+ fd.close()
+ if ret=="":
+ errorExit("No Home Root Context Found")
+ return ret
def heading(self):
ret = "\n#\n#\n# User-specific file contexts, generated via %s\n" % sys.argv[0]
@@ -152,32 +167,40 @@
return "user_r"
return name
def getOldRole(self, role):
- rc = commands.getstatusoutput('grep "^user %s" %s' % (role, self.selinuxdir+self.type+"/users/system.users"))
- if rc[0] != 0:
- rc = commands.getstatusoutput('grep "^user %s" %s' % (role, self.selinuxdir+self.type+"/users/local.users"))
- if rc[0] == 0:
- user=rc[1].split()
+ rc=findval(self.selinuxdir+self.type+"/users/system.users", 'grep "^user %s"' % role, "=")
+ if rc == "":
+ rc=findval(self.selinuxdir+self.type+"/users/local.users", 'grep "^user %s"' % role, "=")
+ if rc != "":
+ user=rc.split()
role = user[3]
if role == "{":
role = user[4]
return role
def adduser(self, udict, user, seuser, role):
+ if seuser == "user_u" or user == "__default__":
+ return
+ # !!! chooses first role in the list to use in the file context !!!
+ if role[-2:] == "_r" or role[-2:] == "_u":
+ role = role[:-2]
try:
- if seuser == "user_u" or user == "__default__":
- return
- # !!! chooses first role in the list to use in the file context !!!
- if role[-2:] == "_r" or role[-2:] == "_u":
- role = role[:-2]
home = pwd.getpwnam(user)[5]
if home == "/":
- return
- prefs = {}
- prefs["role"] = role
- prefs["home"] = home
- udict[seuser] = prefs
+ # Probably install so hard code to /root
+ if user == "root":
+ home="/root"
+ else:
+ return
except KeyError:
- sys.stderr.write("The user \"%s\" is not present in the passwd file, skipping...\n" % user)
+ if user == "root":
+ home = "/root"
+ else:
+ sys.stderr.write("The user \"%s\" is not present in the passwd file, skipping...\n" % user)
+ return
+ prefs = {}
+ prefs["role"] = role
+ prefs["home"] = home
+ udict[seuser] = prefs
def getUsers(self):
udict = {}
@@ -190,30 +213,50 @@
self.adduser(udict, semanage_seuser_get_name(seuser), seusername, self.defaultrole(seusername))
else:
- rc = commands.getstatusoutput("grep -v '^ *#' %s" % self.selinuxdir+self.type+"/seusers")
- if rc[0] == 0 and rc[1] != "":
- ulist = rc[1].split("\n")
- for u in ulist:
- if len(u)==0:
+ try:
+ fd =open(self.selinuxdir+self.type+"/seusers")
+ for u in fd.read().split('\n'):
+ u=u.strip()
+ if len(u)==0 or u[0]=="#":
continue
user = u.split(":")
if len(user) < 3:
continue
role=self.getOldRole(user[1])
self.adduser(udict, user[0], user[1], role)
+ fd.close()
+ except IOError, error:
+ # Must be install so force add of root
+ self.adduser(udict, "root", "root", "root")
+
return udict
def getHomeDirContext(self, user, home, role):
ret="\n\n#\n# Home Context for user %s\n#\n\n" % user
- rc=commands.getstatusoutput("grep '^HOME_DIR' %s | sed -e 's|HOME_DIR|%s|' -e 's/ROLE/%s/' -e 's/system_u/%s/'" % (self.getHomeDirTemplate(), home, role, user))
- return ret + rc[1] + "\n"
+ fd=open(self.getHomeDirTemplate(), 'r')
+ for i in fd.read().split('\n'):
+ if i.startswith("HOME_DIR") == 1:
+ i=i.replace("HOME_DIR", home)
+ i=i.replace("ROLE", role)
+ i=i.replace("system_u", user)
+ ret = ret+i+"\n"
+ fd.close()
+ return ret
def getUserContext(self, user, sel_user, role):
- rc=commands.getstatusoutput("grep 'USER' %s | sed -e 's/USER/%s/' -e 's/ROLE/%s/' -e 's/system_u/%s/'" % (self.getHomeDirTemplate(), user, role, sel_user))
- return rc[1] + "\n"
+ ret=""
+ fd=open(self.getHomeDirTemplate(), 'r')
+ for i in fd.read().split('\n'):
+ if i.find("USER") == 1:
+ i=i.replace("USER", user)
+ i=i.replace("ROLE", role)
+ i=i.replace("system_u", sel_user)
+ ret=ret+i+"\n"
+ fd.close()
+ return ret
def genHomeDirContext(self):
- if commands.getstatusoutput("grep -q 'ROLE' %s" % self.getHomeDirTemplate())[0] == 0 and self.semanaged:
+ if self.semanaged and findval(self.getHomeDirTemplate(), "ROLE", "=") != "":
warning("genhomedircon: Warning! No support yet for expanding ROLE macros in the %s file when using libsemanage." % self.getHomeDirTemplate());
warning("genhomedircon: You must manually update file_contexts.homedirs for any non-user_r users (including root).");
users = self.getUsers()
@@ -225,40 +268,23 @@
return ret+"\n"
def checkExists(self, home):
- if commands.getstatusoutput("grep -E '^%s[^[:alnum:]_-]' %s" % (home, self.getFileContextFile()))[0] == 0:
- return 0
- #this works by grepping the file_contexts for
- # 1. ^/ makes sure this is not a comment
- # 2. prints only the regex in the first column first cut on \t then on space
- rc=commands.getstatusoutput("grep \"^/\" %s | cut -f 1 | cut -f 1 -d \" \" " % self.getFileContextFile() )
- if rc[0] == 0:
- prefix_regex = rc[1].split("\n")
- else:
- warning("%s\nYou do not have access to read %s\n" % (rc[1], self.getFileContextFile()))
-
- exists=1
- for regex in prefix_regex:
- #match a trailing (/*)? which is actually a bug in rpc_pipefs
- regex = re.sub("\(/\*\)\?$", "", regex)
- #match a trailing .+
- regex = re.sub("\.+$", "", regex)
- #match a trailing .*
- regex = re.sub("\.\*$", "", regex)
- #strip a (/.*)? which matches anything trailing to a /*$ which matches trailing /'s
- regex = re.sub("\(\/\.\*\)\?", "", regex)
- regex = regex + "/*$"
- if re.search(regex, home, 0):
- exists = 0
- break
- if exists == 1:
- return 1
- else:
- return 0
-
+ fd=open(self.getFileContextFile())
+ for i in fd.read().split('\n'):
+ if len(i)==0:
+ return
+ regex=i.split()[0]
+ #match a trailing .+
+ regex = re.sub("\.+$", "", regex)
+ regex = re.sub("\.\*$", "", regex)
+ #strip a (/.*)? which matches anything trailing to a /*$ which matches trailing /'s
+ regex = re.sub("\(\/\.\*\)\?", "", regex)
+ regex = regex + "/*$"
+ if re.search(home, regex, 0):
+ return 1
+ return 0
def getHomeDirs(self):
- homedirs = []
- homedirs = homedirs + getDefaultHomeDir()
+ homedirs = getDefaultHomeDir()
starting_uid=getStartingUID()
if self.usepwd==0:
return homedirs
@@ -270,8 +296,8 @@
string.count(u[5], "/") > 1:
homedir = u[5][:string.rfind(u[5], "/")]
if not homedir in homedirs:
- if self.checkExists(homedir)==0:
- warning("%s homedir %s or its parent directoy conflicts with a\ndefined context in %s,\n%s will not create a new context." % (u[0], u[5], self.getFileContextFile(), sys.argv[0]))
+ if self.checkExists(homedir)==1:
+ warning("%s homedir %s or its parent directory conflicts with a\ndefined context in %s,\n%s will not create a new context." % (u[0], u[5], self.getFileContextFile(), sys.argv[0]))
else:
homedirs.append(homedir)
@@ -333,7 +359,3 @@
except getopt.error, error:
errorExit("Options Error %s " % error)
-except ValueError, error:
- errorExit("ValueError %s" % error)
-except IndexError, error:
- errorExit("IndexError")
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/selisteners policycoreutils-1.29.2/scripts/selisteners
--- nsapolicycoreutils/scripts/selisteners 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-1.29.2/scripts/selisteners 2006-01-02 14:33:44.000000000 -0500
@@ -0,0 +1,37 @@
+#! /usr/bin/env python
+# Copyright (C) 2005 Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# listeners - this script finds all processes listening on a TCP or UDP Port
+# configuration entries for user home directories based on their
+# default roles and is run when building the policy. Specifically, we
+# replace HOME_ROOT, HOME_DIR, and ROLE macros in .fc files with
+# generic and user-specific values.
+#
+# Based off original script by Dan Walsh, <dwalsh@redhat.com>
+#
+# ASSUMPTIONS:
+#
+# The file CONTEXTDIR/files/homedir_template exists. This file is used to
+# set up the home directory context for each real user.
+#
+# If a user has more than one role, genhomedircon uses the first role in the list.
+#
+# If a user is not listed in CONTEXTDIR/seusers, he will default to user_u, role user
+#
+# "Real" users (as opposed to system users) are those whose UID is greater than
+# or equal STARTING_UID (usually 500) and whose login is not a member of
+# EXCLUDE_LOGINS. Users who are explicitly defined in CONTEXTDIR/seusers
+# are always "real" (including root, in the default configuration).
+#
+#
+import commands, string
+import selinux
+rc=commands.getstatusoutput("netstat -aptul")
+out=rc[1].split("\n")
+for i in out:
+ x=i.split()
+ y=x[-1].split("/")
+ if len(y)==2:
+ pid=string.atoi(y[0])
+ print "%s %-40s %-10s\t%-20s\t%s" % (x[0], x[3], pid,y[1],selinux.getpidcon(pid)[1])
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/tests/chcat_test policycoreutils-1.29.2/scripts/tests/chcat_test
--- nsapolicycoreutils/scripts/tests/chcat_test 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-1.29.2/scripts/tests/chcat_test 2006-01-02 14:33:44.000000000 -0500
@@ -0,0 +1,43 @@
+#!/bin/sh -x
+#
+# You must copy the setrans.conf file in place before testing
+#
+chcat -l
+rm -f /tmp/chcat_test
+touch /tmp/chcat_test
+chcat -d /tmp/chcat_test
+chcat -d /tmp/chcat_test
+chcat -- -Payroll /tmp/chcat_test
+ls -lZ /tmp/chcat_test
+chcat -- +Payroll /tmp/chcat_test
+ls -lZ /tmp/chcat_test
+chcat -- -Payroll /tmp/chcat_test
+ls -lZ /tmp/chcat_test
+chcat Payroll,Marketing /tmp/chcat_test
+ls -lZ /tmp/chcat_test
+chcat -- +Payroll /tmp/chcat_test
+ls -lZ /tmp/chcat_test
+chcat -- Payroll /tmp/chcat_test
+ls -lZ /tmp/chcat_test
+chcat -- -Payroll,+Marketing /tmp/chcat_test
+ls -lZ /tmp/chcat_test
+chcat -- +Payroll,-Marketing /tmp/chcat_test
+ls -lZ /tmp/chcat_test
+chcat -- -Payroll,+Marketing,+NDA_Yoyodyne /tmp/chcat_test
+ls -lZ /tmp/chcat_test
+chcat -- -Marketing,-NDA_Yoyodyne /tmp/chcat_test
+ls -lZ /tmp/chcat_test
+chcat -- -s0 /tmp/chcat_test
+ls -lZ /tmp/chcat_test
+chcat -- s0 /tmp/chcat_test
+ls -lZ /tmp/chcat_test
+chcat -- s0:c1 /tmp/chcat_test
+ls -lZ /tmp/chcat_test
+chcat -- s0:c1,c2 /tmp/chcat_test
+ls -lZ /tmp/chcat_test
+chcat -- s0:c1.c3 /tmp/chcat_test
+ls -lZ /tmp/chcat_test
+chcat -- -s0:c3 /tmp/chcat_test
+ls -lZ /tmp/chcat_test
+chcat -- -s0:c2,+c3 /tmp/chcat_test
+ls -lZ /tmp/chcat_test
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/tests/setrans.conf policycoreutils-1.29.2/scripts/tests/setrans.conf
--- nsapolicycoreutils/scripts/tests/setrans.conf 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-1.29.2/scripts/tests/setrans.conf 2006-01-02 14:33:44.000000000 -0500
@@ -0,0 +1,23 @@
+#
+# Multi-Category Security translation table for SELinux
+#
+# Uncomment the following to disable translation libary
+# disable=1
+#
+# Objects can be categorized with 0-256 categories defined by the admin.
+# Objects can be in more than one category at a time.
+# Categories are stored in the system as c0-c255. Users can use this
+# table to translate the categories into a more meaningful output.
+# Examples:
+# s0:c0=CompanyConfidential
+# s0:c1=PatientRecord
+# s0:c2=Unclassified
+# s0:c3=TopSecret
+# s0:c1,c3=CompanyConfidentialRedHat
+s0=
+s0-s0:c0.c255=SystemLow-SystemHigh
+s0:c0.c255=SystemHigh
+s0:c0=Company_Confidential
+s0:c1=Marketing
+s0:c2=Payroll
+s0:c3=NDA_Yoyodyne
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semanage/semanage policycoreutils-1.29.2/semanage/semanage
--- nsapolicycoreutils/semanage/semanage 2005-11-29 10:55:01.000000000 -0500
+++ policycoreutils-1.29.2/semanage/semanage 2006-01-02 14:33:44.000000000 -0500
@@ -24,22 +24,33 @@
from semanage import *;
class loginRecords:
def __init__(self):
- self.sh=semanage_handle_create()
- self.semanaged=semanage_is_managed(self.sh)
+ self.sh = semanage_handle_create()
+ self.semanaged = semanage_is_managed(self.sh)
if self.semanaged:
semanage_connect(self.sh)
def add(self, name, sename, serange):
- (rc,k)=semanage_seuser_key_create(self.sh, name)
- (rc,exists)= semanage_seuser_exists(self.sh, k)
+ if serange == "":
+ serange = "s0"
+ if sename == "":
+ sename = "user_u"
+
+ (rc,k) = semanage_seuser_key_create(self.sh, name)
+ if rc != 0:
+ raise ValueError("Could not create a key for %s" % name)
+
+ (rc,exists) = semanage_seuser_exists(self.sh, k)
if exists:
raise ValueError("SELinux User %s mapping already defined" % name)
try:
- pwd.getpwname(name)
+ pwd.getpwnam(name)
except:
raise ValueError("Linux User %s does not exist" % name)
- (rc,u)= semanage_seuser_create(self.sh)
+ (rc,u) = semanage_seuser_create(self.sh)
+ if rc != 0:
+ raise ValueError("Could not create seuser for %s" % name)
+
semanage_seuser_set_name(self.sh, u, name)
semanage_seuser_set_mlsrange(self.sh, u, serange)
semanage_seuser_set_sename(self.sh, u, sename)
@@ -48,13 +59,22 @@
if semanage_commit(self.sh) != 0:
raise ValueError("Failed to add SELinux user mapping")
- def modify(self, name, sename="", serange=""):
- (rc,k)=semanage_seuser_key_create(self.sh, name)
- (rc,u)= semanage_seuser_query(self.sh, k)
- if rc !=0 :
- raise ValueError("SELinux user %s mapping is not defined." % name)
- if sename == "" and serange=="":
+ def modify(self, name, sename = "", serange = ""):
+ (rc,k) = semanage_seuser_key_create(self.sh, name)
+ if rc != 0:
+ raise ValueError("Could not create a key for %s" % name)
+
+ if sename == "" and serange == "":
raise ValueError("Requires, seuser or serange")
+
+ (rc,exists) = semanage_seuser_exists(self.sh, k)
+ if exists:
+ (rc,u) = semanage_seuser_query(self.sh, k)
+ if rc != 0:
+ raise ValueError("Could not query seuser for %s" % name)
+ else:
+ raise ValueError("SELinux user %s mapping is not defined." % name)
+
if serange != "":
semanage_seuser_set_mlsrange(self.sh, u, serange)
if sename != "":
@@ -66,78 +86,107 @@
def delete(self, name):
- (rc,k)=semanage_seuser_key_create(self.sh, name)
- (rc,exists)= semanage_seuser_exists(self.sh, k)
- if rc !=0 :
+ (rc,k) = semanage_seuser_key_create(self.sh, name)
+ if rc != 0:
+ raise ValueError("Could not create a key for %s" % name)
+
+ (rc,exists) = semanage_seuser_exists(self.sh, k)
+ if not exists:
raise ValueError("SELinux user %s mapping is not defined." % name)
semanage_begin_transaction(self.sh)
semanage_seuser_del(self.sh, k)
if semanage_commit(self.sh) != 0:
raise ValueError("SELinux User %s mapping not defined" % name)
- def list(self):
- print "\n%-25s %-25s %-25s\n" % ("Login Name", "SELinux User", "MLS/MCS Range")
+ def list(self,heading=1):
+ if heading:
+ print "\n%-25s %-25s %-25s\n" % ("Login Name", "SELinux User", "MLS/MCS Range")
(status, self.ulist, self.usize) = semanage_seuser_list(self.sh)
for idx in range(self.usize):
- u=semanage_seuser_by_idx(self.ulist, idx)
- name=semanage_seuser_get_name(u)
-
+ u = semanage_seuser_by_idx(self.ulist, idx)
+ name = semanage_seuser_get_name(u)
print "%-25s %-25s %-25s" % (name, semanage_seuser_get_sename(u), semanage_seuser_get_mlsrange(u))
class seluserRecords:
def __init__(self):
- roles=[]
- self.sh=semanage_handle_create()
- self.semanaged=semanage_is_managed(self.sh)
+ roles = []
+ self.sh = semanage_handle_create()
+ self.semanaged = semanage_is_managed(self.sh)
if self.semanaged:
semanage_connect(self.sh)
def add(self, name, roles, selevel, serange):
- (rc,k)=semanage_user_key_create(self.sh, name)
- (rc,exists)= semanage_user_exists(self.sh, k)
- if exists:
- raise ValueError("Seuser %s already defined" % name)
- (rc,u)= semanage_user_create(self.sh)
+ if serange == "":
+ serange = "s0"
+ if selevel == "":
+ selevel = "s0"
+
+ (rc,k) = semanage_user_key_create(self.sh, name)
+ if rc != 0:
+ raise ValueError("Could not create a key for %s" % name)
+
+ (rc,exists) = semanage_user_exists_local(self.sh, k)
+ if not exists:
+ (rc,exists) = semanage_user_exists(self.sh, k)
+ if not exists:
+ raise ValueError("SELinux user %s is already defined." % name)
+
+ (rc,u) = semanage_user_create(self.sh)
+ if rc != 0:
+ raise ValueError("Could not create login mapping for %s" % name)
+
semanage_user_set_name(self.sh, u, name)
for r in roles:
semanage_user_add_role(self.sh, u, r)
semanage_user_set_mlsrange(self.sh, u, serange)
semanage_user_set_mlslevel(self.sh, u, selevel)
(rc,key) = semanage_user_key_extract(self.sh,u)
+ if rc != 0:
+ raise ValueError("Could not extract key for %s" % name)
+
semanage_begin_transaction(self.sh)
semanage_user_add_local(self.sh, k, u)
if semanage_commit(self.sh) != 0:
raise ValueError("Failed to add SELinux user")
- self.dict[name]=seluser(name, roles, selevel, serange)
-
- def modify(self, name, roles=[], selevel="", serange=""):
- (rc,k)=semanage_user_key_create(self.sh, name)
- (rc,exists)= semanage_user_exists(self.sh, k)
- if not exists:
- raise ValueError("user %s is not defined" % name)
- (rc,u)= semanage_user_query(self.sh, k)
- if rc !=0 :
- raise ValueError("User %s is not defined." % name)
- if len(roles) == 0 and serange=="" and selevel=="":
+ def modify(self, name, roles = [], selevel = "", serange = ""):
+ if len(roles) == 0 and serange == "" and selevel == "":
raise ValueError("Requires, roles, level or range")
+
+ (rc,k) = semanage_user_key_create(self.sh, name)
+ if rc != 0:
+ raise ValueError("Could not create a key for %s" % name)
+
+ (rc,exists) = semanage_user_exists_local(self.sh, k)
+ if exists:
+ (rc,u) = semanage_user_query_local(self.sh, k)
+ else:
+ (rc,exists) = semanage_user_exists(self.sh, k)
+ if exists:
+ (rc,u) = semanage_user_query(self.sh, k)
+ else:
+ raise ValueError("SELinux user %s mapping is not defined." % name)
+ if rc != 0:
+ raise ValueError("Could not query user for %s" % name)
+
if serange != "":
semanage_user_set_mlsrange(self.sh, u, serange)
if selevel != "":
semanage_user_set_mlslevel(self.sh, u, selevel)
if len(roles) != 0:
for r in roles:
- print r
semanage_user_add_role(self.sh, u, r)
semanage_begin_transaction(self.sh)
semanage_user_modify_local(self.sh, k, u)
if semanage_commit(self.sh) != 0:
raise ValueError("Failed to modify SELinux user")
-
def delete(self, name):
- (rc,k)=semanage_user_key_create(self.sh, name)
- (rc,exists)= semanage_user_exists(self.sh, k)
+ (rc,k) = semanage_user_key_create(self.sh, name)
+ if rc != 0:
+ raise ValueError("Could not crpppeate a key for %s" % name)
+
+ (rc,exists) = semanage_user_exists_local(self.sh, k)
if not exists:
raise ValueError("user %s is not defined" % name)
semanage_begin_transaction(self.sh)
@@ -145,86 +194,183 @@
if semanage_commit(self.sh) != 0:
raise ValueError("Login User %s not defined" % name)
- def list(self):
- print "\n%-15s %-10s %-20s" % ("", "MLS/", "MLS/")
- print "%-15s %-10s %-15s %-20s\n" % ("SELinux User", "MCS Level", "MCS Range", "SELinux Roles")
+ def list(self, heading=1):
+ if heading:
+ print "\n%-15s %-10s %-20s" % ("", "MLS/", "MLS/")
+ print "%-15s %-10s %-15s %-20s\n" % ("SELinux User", "MCS Level", "MCS Range", "SELinux Roles")
(status, self.ulist, self.usize) = semanage_user_list(self.sh)
for idx in range(self.usize):
- u=semanage_user_by_idx(self.ulist, idx)
- name=semanage_user_get_name(u)
+ u = semanage_user_by_idx(self.ulist, idx)
+ name = semanage_user_get_name(u)
(status, rlist, rlist_size) = semanage_user_get_roles(self.sh, u)
- roles=""
+ roles = ""
if rlist_size:
- roles+=char_by_idx(rlist, 0)
+ roles += char_by_idx(rlist, 0)
for ridx in range (1,rlist_size):
- roles+=" " + char_by_idx(rlist, ridx)
+ roles += " " + char_by_idx(rlist, ridx)
print "%-15s %-10s %-15s %s" % (semanage_user_get_name(u), semanage_user_get_mlslevel(u), semanage_user_get_mlsrange(u), roles)
class portRecords:
def __init__(self):
- self.dict={}
- self.sh=semanage_handle_create()
- self.semanaged=semanage_is_managed(self.sh)
+ self.sh = semanage_handle_create()
+ self.semanaged = semanage_is_managed(self.sh)
if self.semanaged:
semanage_connect(self.sh)
- def add(self, name, type):
- (rc,k)=semanage_port_key_create(self.sh, name)
- (rc,exists)= semanage_port_exists(self.sh, k)
+ def __genkey(self, port, proto):
+ if proto == "tcp":
+ proto_d=SEMANAGE_PROTO_TCP
+ else:
+ if proto == "udp":
+ proto_d=SEMANAGE_PROTO_UDP
+ else:
+ raise ValueError("Protocol udp or tcp is required")
+ if port == "":
+ raise ValueError("Port is required")
+
+ ports=port.split("-")
+ if len(ports) == 1:
+ low=string.atoi(ports[0])
+ high=string.atoi(ports[0])
+ else:
+ low=string.atoi(ports[0])
+ high=string.atoi(ports[1])
+
+ (rc,k) = semanage_port_key_create(self.sh, low, high, proto_d)
+ if rc != 0:
+ raise ValueError("Could not create a key for %s/%s" % (proto, port))
+ return ( k, proto_d, low, high )
+
+ def add(self, port, proto, serange, type):
+ if serange == "":
+ serange="s0"
+
+ if type == "":
+ raise ValueError("Type is required")
+
+ ( k, proto_d, low, high ) = self.__genkey(port, proto)
+
+ (rc,exists) = semanage_port_exists(self.sh, k)
+ if exists:
+ raise ValueError("Port %s/%s already defined" % (proto, port))
+
+ (rc,exists) = semanage_port_exists_local(self.sh, k)
if exists:
- raise ValueError("User %s already defined" % name)
- (rc,u)= semanage_port_create(self.sh)
- semanage_port_set_name(self.sh, u, name)
- semanage_port_set_mlsrange(self.sh, u, serange)
- semanage_port_set_sename(self.sh, u, sename)
+ raise ValueError("Port %s/%s already defined locally" % (proto, port))
+
+ (rc,p) = semanage_port_create(self.sh)
+ if rc != 0:
+ raise ValueError("Could not create port for %s/%s" % (proto, port))
+
+ semanage_port_set_proto(p, proto_d)
+ semanage_port_set_range(p, low, high)
+ (rc, con) = semanage_context_create(self.sh)
+ if rc != 0:
+ raise ValueError("Could not create context for %s/%s" % (proto, port))
+
+ semanage_context_set_user(self.sh, con, "system_u")
+ semanage_context_set_role(self.sh, con, "object_r")
+ semanage_context_set_type(self.sh, con, type)
+ semanage_context_set_mls(self.sh, con, serange)
+ semanage_port_set_con(p, con)
semanage_begin_transaction(self.sh)
- semanage_port_add(self.sh, k, u)
+ semanage_port_add_local(self.sh, k, p)
if semanage_commit(self.sh) != 0:
raise ValueError("Failed to add port")
- def modify(self, name, type):
- (rc,k)=semanage_port_key_create(self.sh, name)
- (rc,u)= semanage_port_query(self.sh, k)
- if rc !=0 :
- raise ValueError("User %s is not defined." % name)
- if sename == "" and serange=="":
- raise ValueError("Requires, port or serange")
+ def modify(self, port, proto, serange, setype):
+ if serange == "" and setype == "":
+ raise ValueError("Requires, setype or serange")
+
+ ( k, proto_d, low, high ) = self.__genkey(port, proto)
+
+ (rc,exists) = semanage_port_exists_local(self.sh, k)
+ if exists:
+ (rc,p) = semanage_port_query_local(self.sh, k)
+ (rc,exists) = semanage_port_exists(self.sh, k)
+ if exists:
+ (rc,p) = semanage_port_query(self.sh, k)
+ else:
+ raise ValueError("port %s/%s is not defined." % (proto,port))
+
+ if rc != 0:
+ raise ValueError("Could not query port for %s/%s" % (proto, port))
+
+ con = semanage_port_get_con(p)
+ semanage_context_set_mls(self.sh, con, serange)
if serange != "":
- semanage_port_set_mlsrange(self.sh, u, serange)
- if sename != "":
- semanage_port_set_sename(self.sh, u, sename)
+ semanage_context_set_mls(self.sh, con, serange)
+ if setype != "":
+ semanage_context_set_type(self.sh, con, setype)
+ semanage_port_set_con(p, con)
semanage_begin_transaction(self.sh)
- semanage_port_modify(self.sh, k, u)
+ semanage_port_modify_local(self.sh, k, p)
if semanage_commit(self.sh) != 0:
raise ValueError("Failed to add port")
- def delete(self, name):
- (rc,k)=semanage_port_key_create(self.sh, name)
+ def delete(self, port, proto):
+ ( k, proto_d, low, high ) = self.__genkey(port, proto)
+ (rc,exists) = semanage_port_exists_local(self.sh, k)
+ if not exists:
+ raise ValueError("port %s/%s is not defined localy." % (proto,port))
+
semanage_begin_transaction(self.sh)
- semanage_port_del(self.sh, k)
+ semanage_port_del_local(self.sh, k)
if semanage_commit(self.sh) != 0:
- raise ValueError("Port %s not defined" % name)
+ raise ValueError("Port %s/%s not defined" % (proto,port))
- def list(self):
+ def list(self, heading=1):
(status, self.plist, self.psize) = semanage_port_list(self.sh)
- print "%-25s %s\n" % ("SELinux Port Name", "Port Number")
+ if heading:
+ print "%-30s %-8s %s\n" % ("SELinux Port Name", "Proto", "Port Number")
+ dict={}
+ for idx in range(self.psize):
+ u = semanage_port_by_idx(self.plist, idx)
+ con = semanage_port_get_con(u)
+ name = semanage_context_get_type(con)
+ proto=semanage_port_get_proto_str(u)
+ low=semanage_port_get_low(u)
+ high = semanage_port_get_high(u)
+ if (name, proto) not in dict.keys():
+ dict[(name,proto)]=[]
+ if low == high:
+ dict[(name,proto)].append("%d" % low)
+ else:
+ dict[(name,proto)].append("%d-%d" % (low, high))
+ (status, self.plist, self.psize) = semanage_port_list_local(self.sh)
for idx in range(self.psize):
- u=semanage_port_by_idx(self.plist, idx)
- name=semanage_port_get_name(u)
- print "%20s %d" % ( name, semanage_port_get_number(u))
+ u = semanage_port_by_idx(self.plist, idx)
+ con = semanage_port_get_con(u)
+ name = semanage_context_get_type(con)
+ proto=semanage_port_get_proto_str(u)
+ low=semanage_port_get_low(u)
+ high = semanage_port_get_high(u)
+ if (name, proto) not in dict.keys():
+ dict[(name,proto)]=[]
+ if low == high:
+ dict[(name,proto)].append("%d" % low)
+ else:
+ dict[(name,proto)].append("%d-%d" % (low, high))
+ for i in dict.keys():
+ rec = "%-30s %-8s " % i
+ rec += "%s" % dict[i][0]
+ for p in dict[i][1:]:
+ rec += ", %s" % p
+ print rec
if __name__ == '__main__':
- def usage(message=""):
+ def usage(message = ""):
print '\
semanage user [-admsRrh] SELINUX_USER\n\
semanage login [-admsrh] LOGIN_NAME\n\
-semanage port [-admth] SELINUX_PORT_NAME\n\
+semanage port [-admth] PORT | PORTRANGE\n\
-a, --add Add a OBJECT record NAME\n\
-d, --delete Delete a OBJECT record NAME\n\
-h, --help display this message\n\
-l, --list List the OBJECTS\n\
+ -n, --noheading Do not print heading when listing OBJECTS\n\
-m, --modify Modify a OBJECT record NAME\n\
-r, --range MLS/MCS Security Range\n\
-R, --roles SELinux Roles (Separate by spaces)\n\
@@ -245,33 +391,40 @@
#
#
try:
- objectlist=("login", "user", "port")
- input=sys.stdin
- output=sys.stdout
- serange="s0"
- selevel="s0"
- roles=""
- seuser=""
- type=""
- add=0
- modify=0
- delete=0
- list=0
+ objectlist = ("login", "user", "port")
+ input = sys.stdin
+ output = sys.stdout
+ serange = ""
+ port = ""
+ proto = ""
+ selevel = ""
+ setype = ""
+ roles = ""
+ seuser = ""
+ heading=1
+
+ add = 0
+ modify = 0
+ delete = 0
+ list = 0
if len(sys.argv) < 3:
usage("Requires 2 or more arguments")
- object=sys.argv[1]
+ object = sys.argv[1]
if object not in objectlist:
usage("%s not defined" % object)
- args=sys.argv[2:]
+ args = sys.argv[2:]
gopts, cmds = getopt.getopt(args,
- 'adlhms:R:r:t:v',
+ 'adlhmnp:P:s:R:r:t:v',
['add',
'delete',
'help',
'list',
'modify',
+ 'noheading',
+ 'port=',
+ 'proto=',
'seuser=',
'range=',
'roles=',
@@ -282,88 +435,95 @@
if o == "-a" or o == "--add":
if modify or delete:
usage()
- add=1
+ add = 1
if o == "-d" or o == "--delese":
if modify or add:
usage()
- delete=1
+ delete = 1
if o == "-h" or o == "--help":
usage()
+ if o == "-n" or o == "--nohead":
+ heading=0
+
if o == "-m"or o == "--modify":
if delete or add:
usage()
- modify=1
+ modify = 1
if o == "-r" or o == '--range':
- serange=a
+ serange = a
+
+ if o == "-P" or o == '--proto':
+ proto = a
if o == "-R" or o == '--roles':
- roles=a
+ roles = a
if o == "-t" or o == "--type":
- type=a
+ setype = a
if o == "-l" or o == "--list":
- list=1
+ list = 1
if o == "-s" or o == "--seuser":
- seuser=a
+ seuser = a
if o == "-v" or o == "--verbose":
- verbose=1
+ verbose = 1
if object == "login":
- OBJECT=loginRecords()
+ OBJECT = loginRecords()
if object == "user":
- OBJECT=seluserRecords()
+ OBJECT = seluserRecords()
if object == "port":
- OBJECT=portRecords()
+ OBJECT = portRecords()
if list:
- OBJECT.list()
+ OBJECT.list(heading)
sys.exit(0);
if len(cmds) != 1:
usage()
- name=cmds[0]
+ target = cmds[0]
if add:
if object == "login":
- OBJECT.add(name, seuser, serange)
+ OBJECT.add(target, seuser, serange)
if object == "user":
- rlist=roles.split()
- print rlist
- OBJECT.add(name, rlist, selevel, serange)
+ rlist = roles.split()
+ if len(rlist) == 0:
+ raise ValueError("You must specify a role")
+ OBJECT.add(target, rlist, selevel, serange)
if object == "port":
- OBJECT.add(name, type)
+ OBJECT.add(target, proto, serange, setype)
- OBJECT.list()
sys.exit(0);
if modify:
if object == "login":
- OBJECT.modify(name, seuser, serange)
+ OBJECT.modify(target, seuser, serange)
if object == "user":
- rlist=roles.split()
- print rlist
- OBJECT.modify(name, rlist, selevel, serange)
+ rlist = roles.split()
+ OBJECT.modify(target, rlist, selevel, serange)
if object == "port":
- OBJECT.modify(name, type)
+ OBJECT.modify(target, proto, serange, setype)
sys.exit(0);
- OBJECT.list()
sys.exit(0);
if delete:
- OBJECT.delete(name)
+ if object == "port":
+ OBJECT.delete(target, proto)
+ else:
+ OBJECT.delete(target)
sys.exit(0);
usage()
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semanage/tests/semanage_test policycoreutils-1.29.2/semanage/tests/semanage_test
--- nsapolicycoreutils/semanage/tests/semanage_test 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-1.29.2/semanage/tests/semanage_test 2006-01-02 14:33:44.000000000 -0500
@@ -0,0 +1,67 @@
+#!/bin/sh -x
+#
+# This is a test script for the semanage command
+#
+echo "
+
+******************** semanage List Failue test ************************
+"
+semanage -l
+echo "
+
+******************** semanage Mapping test ************************
+"
+echo " * Mapping List test"
+semanage login -l
+echo " * Add mapping exist test"
+semanage login -a root
+echo " * Add new test"
+echo " * Add selinux login to selinux user mapping, username wrong"
+semanage login -a semanage_test1
+userdel -r semanage_test1 2> /dev/null
+useradd semanage_test1
+echo " * Add selinux login to selinux user mapping, Bad SELinux User"
+semanage login -a -s BadUser semanage_test1
+echo " * Add selinux login to selinux user mapping, username correct"
+semanage login -a semanage_test1
+semanage login -l
+userdel -r semanage_test1
+echo " * remove selinux login to selinux user mapping, username wrong"
+semanage login -d semanage_test2
+echo " * remove selinux login to selinux user mapping, username correct"
+semanage login -d semanage_test1
+semanage login -l
+
+echo "
+
+******************** semanage SELinux User test ************************
+"
+echo " * SELinux User List test"
+semanage user -l
+echo " * Add SELinux User exist test: Fail because root exist"
+semanage user -a -R user_r root
+echo " * Add SELinux User exist test: Fail because no role specified"
+semanage user -a -r s0 semanage_test1
+echo " * Add selinux user semanage_test1: Success"
+semanage user -a -R user_r -r s0 semanage_test1
+semanage user -l
+echo " * Modify selinux user semanage_test1 Failue bad range"
+semanage user -m -r BadRange semanage_test1
+echo " * Modify selinux user semanage_test1 Failue bad role"
+semanage user -m -R BadRole semanage_test1
+echo " * Modify selinux user semanage_test1"
+semanage user -m -r s0:c1,c5 semanage_test1
+semanage user -l
+echo " * Delete selinux user semanage_test2: Fail does not exist"
+semanage user -d semanage_test2
+echo " * Delete selinux user semanage_test1"
+semanage user -d semanage_test1
+semanage user -l
+
+#echo "
+#
+#******************** semanage SELinux ports test ************************
+#"
+semanage port -l
+semanage port -a -P tcp 123456
+semanage port -d -P tcp 123456
^ permalink raw reply [flat|nested] 19+ messages in thread* Re: Policycoreutils latest diffs.
2006-01-03 18:39 Policycoreutils " Daniel J Walsh
@ 2006-01-03 17:22 ` Ivan Gyurdiev
2006-01-04 16:33 ` Ivan Gyurdiev
2006-01-03 18:04 ` Ivan Gyurdiev
2006-01-04 17:36 ` Stephen Smalley
2 siblings, 1 reply; 19+ messages in thread
From: Ivan Gyurdiev @ 2006-01-03 17:22 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: Stephen Smalley, SE Linux
Please use < 0 to check for error everywhere.
This is correct behavior, even though the only error code I currently
use is -1.
Once commit numbers are included (commit numbers are positive integers),
some
of those calls might fail if you check with != 0.
I already fixed a few earlier - not sure this patch is affected, but < 0
should be used in general.
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: Policycoreutils latest diffs.
2006-01-03 17:22 ` Ivan Gyurdiev
@ 2006-01-04 16:33 ` Ivan Gyurdiev
2006-01-04 16:40 ` Ivan Gyurdiev
0 siblings, 1 reply; 19+ messages in thread
From: Ivan Gyurdiev @ 2006-01-04 16:33 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: Stephen Smalley, SE Linux
> Please use < 0 to check for error everywhere.
Another issue is that I'm rather confused by some of the current
semanage code w' respect to local vs in-policy, so I'll try to explain
again . All functions ending in _local (and the seusers one) act with
respect to the local store. All functions not ending in _local act with
respect to the final result (which includes local modifications stacked
on top of policy). They do not act on policy alone.
Let's look at two cases of code that I don't understand:
This is from port.modify. The libsemanage meaning of modify includes
adding things if they don't exist, but I understand this is not the case
in the tool, so that explains all the exists checks... However:
(rc,exists) = semanage_port_exists_local(self.sh, k)
if exists:
(rc,p) = semanage_port_query_local(self.sh, k)
(rc,exists) = semanage_port_exists(self.sh, k)
if exists:
(rc,p) = semanage_port_query(self.sh, k)
else:
raise ValueError("port %s/%s is not
defined." % (proto,port))
if rc != 0:
raise ValueError("Could not query port for
%s/%s" % (proto, port))
This doesn't make sense, because of something exists locally, and your
query succeeded, it will always exists in the final result, and the
second query will return the exact same thing, so you already know the
result to both of those function calls.
This is from the port add function:
(rc,exists) = semanage_port_exists(self.sh, k)
if exists:
raise ValueError("Port %s/%s already defined" %
(proto, port))
(rc,exists) = semanage_port_exists_local(self.sh, k)
if exists:
raise ValueError("Port %s/%s already defined
locally" % (proto, port))
Here, the second exception will never occur, because if the port exists
locally, then it exists in-policy as well, and the first value error
will be thrown.
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 19+ messages in thread* Re: Policycoreutils latest diffs.
2006-01-04 16:33 ` Ivan Gyurdiev
@ 2006-01-04 16:40 ` Ivan Gyurdiev
2006-01-04 19:15 ` Daniel J Walsh
0 siblings, 1 reply; 19+ messages in thread
From: Ivan Gyurdiev @ 2006-01-04 16:40 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: Stephen Smalley, SE Linux
>
> Let's look at two cases of code that I don't understand:
Here's another one from the user add:
(rc,exists) = semanage_user_exists_local(self.sh, k)
if not exists:
(rc,exists) = semanage_user_exists(self.sh, k)
if not exists:
raise ValueError("SELinux user %s is
already defined." % name)
This doesn't make sense, because you take the same action regardless of
whether the exist test fails locally, or on the final result (which
combines policy with local modifications). Hence, you might as well skip
the first one and go straight to the second one (which will include the
first one).
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 19+ messages in thread* Re: Policycoreutils latest diffs.
2006-01-04 16:40 ` Ivan Gyurdiev
@ 2006-01-04 19:15 ` Daniel J Walsh
2006-01-04 17:31 ` Ivan Gyurdiev
0 siblings, 1 reply; 19+ messages in thread
From: Daniel J Walsh @ 2006-01-04 19:15 UTC (permalink / raw)
To: Ivan Gyurdiev; +Cc: Stephen Smalley, SE Linux
Ivan Gyurdiev wrote:
>
>>
>> Let's look at two cases of code that I don't understand:
> Here's another one from the user add:
>
> (rc,exists) = semanage_user_exists_local(self.sh, k)
> if not exists:
> (rc,exists) = semanage_user_exists(self.sh, k)
> if not exists:
> raise ValueError("SELinux user %s is
> already defined." % name)
>
> This doesn't make sense, because you take the same action regardless
> of whether the exist test fails locally, or on the final result (which
> combines policy with local modifications). Hence, you might as well
> skip the first one and go straight to the second one (which will
> include the first one).
>
>
>
>
>
Ok, I might have misunderstood the symantics. But Should the following
checks be in place
delete
if does not exist local; error since you can not delete an object from
the server?
Prevent the user from deleting SELinux User "root"
Add
if does exist: error
Modify:
If does not exist local; you are not allowed to modify, see above.
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 19+ messages in thread* Re: Policycoreutils latest diffs.
2006-01-04 19:15 ` Daniel J Walsh
@ 2006-01-04 17:31 ` Ivan Gyurdiev
2006-01-04 17:37 ` Ivan Gyurdiev
` (2 more replies)
0 siblings, 3 replies; 19+ messages in thread
From: Ivan Gyurdiev @ 2006-01-04 17:31 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: Stephen Smalley, SE Linux, Joshua Brindle
> delete
> if does not exist local; error since you can not delete an object from
> the server?
> Prevent the user from deleting SELinux User "root"
Right.. I would two tests, and then if exists fails say: object does not
exist
if exists_local fails say: object is built into policy and can't be deleted.
There's still the issue of how the user would know that at all, since
list does not indicate
what's local and what isn't, but it's a good point to start at.
>
> Add
> if does exist: error
yes, that should be sufficient.
>
> Modify:
> If does not exist local; you are not allowed to modify, see above.
That's tricky. That depends on what you want modify to do.
The libsemanage modify_local function is with respect to the local
store, but
anything you write in the store at all will modify policy, so you can go
either way
with your higher level modify. The question is what you're modifying,
and does
the user understand that.
I think to be consistent with add(), you should modify with respect to
policy, and not do any checks here.
====
Btw, if there's interest in writing an API that works on policy alone,
minus local modifications, that can be done - it just requires writing
down another policy after expand, and before any local things are
written down.
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 19+ messages in thread* Re: Policycoreutils latest diffs.
2006-01-04 17:31 ` Ivan Gyurdiev
@ 2006-01-04 17:37 ` Ivan Gyurdiev
2006-01-04 19:35 ` Joshua Brindle
2006-01-04 19:39 ` Daniel J Walsh
2 siblings, 0 replies; 19+ messages in thread
From: Ivan Gyurdiev @ 2006-01-04 17:37 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: Stephen Smalley, SE Linux, Joshua Brindle
> That's tricky. That depends on what you want modify to do.
> The libsemanage modify_local function is with respect to the local
> store, but
> anything you write in the store at all will modify policy, so you can
> go either way
> with your higher level modify. The question is what you're modifying,
> and does
> the user understand that.
In case I wasn't clear here, overrides are allowed for all object types,
which means you can modify things that are built into policy.
That's regardless of which function you use to add things to store - add
vs set vs modify. In fact, all three functions do pretty much the same
thing, and I've been meaning to get rid of some of them, but now that we
must preserve a stable API that might be a problem - modify can be used
to implement all the others. The other two are only useful if you want
the library to do an exists check for you (which you shouldn't do), or
for performance reasons, but I'm thinking that set is algorithmically
guaranteed to take the same time as modify.
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: Policycoreutils latest diffs.
2006-01-04 17:31 ` Ivan Gyurdiev
2006-01-04 17:37 ` Ivan Gyurdiev
@ 2006-01-04 19:35 ` Joshua Brindle
2006-01-04 17:38 ` Ivan Gyurdiev
2006-01-04 19:39 ` Daniel J Walsh
2 siblings, 1 reply; 19+ messages in thread
From: Joshua Brindle @ 2006-01-04 19:35 UTC (permalink / raw)
To: Ivan Gyurdiev; +Cc: Daniel J Walsh, Stephen Smalley, SE Linux
Ivan Gyurdiev wrote:
>
>> delete
>> if does not exist local; error since you can not delete an object from
>> the server?
>> Prevent the user from deleting SELinux User "root"
>
> Right.. I would two tests, and then if exists fails say: object does not
> exist
> if exists_local fails say: object is built into policy and can't be
> deleted.
>
> There's still the issue of how the user would know that at all, since
> list does not indicate
> what's local and what isn't, but it's a good point to start at.
>
>>
>> Add
>> if does exist: error
>
> yes, that should be sufficient.
>
>>
>> Modify:
>> If does not exist local; you are not allowed to modify, see above.
>
> That's tricky. That depends on what you want modify to do.
> The libsemanage modify_local function is with respect to the local
> store, but
> anything you write in the store at all will modify policy, so you can go
> either way
> with your higher level modify. The question is what you're modifying,
> and does
> the user understand that.
even if something does not exist locally a 'modify' of an existing
object would involve using local settings to override what is in the
policy. AFAIK all the current stuff should support overriding the
policydb so you can modify any policy resource whether it is local or not.
>
> I think to be consistent with add(), you should modify with respect to
> policy, and not do any checks here.
>
> ====
> Btw, if there's interest in writing an API that works on policy alone,
> minus local modifications, that can be done - it just requires writing
> down another policy after expand, and before any local things are
> written down.
>
No, I think this is a bad idea, the purpose of local files is to
override policy defaults. The base policy package should stay the same
so that upgrades via RPM do not smash changes. Using an alternate base
if it exists and the base.pp otherwise adds unnecessary complexity.
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: Policycoreutils latest diffs.
2006-01-04 19:35 ` Joshua Brindle
@ 2006-01-04 17:38 ` Ivan Gyurdiev
0 siblings, 0 replies; 19+ messages in thread
From: Ivan Gyurdiev @ 2006-01-04 17:38 UTC (permalink / raw)
To: Joshua Brindle; +Cc: Daniel J Walsh, Stephen Smalley, SE Linux
>
> No, I think this is a bad idea, the purpose of local files is to
> override policy defaults. The base policy package should stay the same
> so that upgrades via RPM do not smash changes. Using an alternate base
> if it exists and the base.pp otherwise adds unnecessary complexity.
I meant a read-only API.
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: Policycoreutils latest diffs.
2006-01-04 17:31 ` Ivan Gyurdiev
2006-01-04 17:37 ` Ivan Gyurdiev
2006-01-04 19:35 ` Joshua Brindle
@ 2006-01-04 19:39 ` Daniel J Walsh
2006-01-04 19:41 ` Joshua Brindle
2 siblings, 1 reply; 19+ messages in thread
From: Daniel J Walsh @ 2006-01-04 19:39 UTC (permalink / raw)
To: Ivan Gyurdiev; +Cc: Stephen Smalley, SE Linux, Joshua Brindle
Ivan Gyurdiev wrote:
>
>> delete
>> if does not exist local; error since you can not delete an object
>> from the server?
>> Prevent the user from deleting SELinux User "root"
> Right.. I would two tests, and then if exists fails say: object does
> not exist
> if exists_local fails say: object is built into policy and can't be
> deleted.
>
> There's still the issue of how the user would know that at all, since
> list does not indicate
> what's local and what isn't, but it's a good point to start at.
>>
>> Add
>> if does exist: error
> yes, that should be sufficient.
>>
>> Modify:
>> If does not exist local; you are not allowed to modify, see above.
> That's tricky. That depends on what you want modify to do.
> The libsemanage modify_local function is with respect to the local
> store, but
> anything you write in the store at all will modify policy, so you can
> go either way
> with your higher level modify. The question is what you're modifying,
> and does
> the user understand that.
>
But I thought we were only going to allow modifying of local stuff. Do
we want a user to be able to modify the SELinux USER Root or user_u? I
don't think so.
I think modify should be akin to delete. You can only modify if it
exists_local.
> I think to be consistent with add(), you should modify with respect to
> policy, and not do any checks here.
>
> ====
> Btw, if there's interest in writing an API that works on policy alone,
> minus local modifications, that can be done - it just requires writing
> down another policy after expand, and before any local things are
> written down.
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: Policycoreutils latest diffs.
2006-01-04 19:39 ` Daniel J Walsh
@ 2006-01-04 19:41 ` Joshua Brindle
2006-01-04 18:02 ` Ivan Gyurdiev
0 siblings, 1 reply; 19+ messages in thread
From: Joshua Brindle @ 2006-01-04 19:41 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: Ivan Gyurdiev, Stephen Smalley, SE Linux
Daniel J Walsh wrote:
> Ivan Gyurdiev wrote:
>
>>
>>> delete
>>> if does not exist local; error since you can not delete an object
>>> from the server?
>>> Prevent the user from deleting SELinux User "root"
>>
>> Right.. I would two tests, and then if exists fails say: object does
>> not exist
>> if exists_local fails say: object is built into policy and can't be
>> deleted.
>>
>> There's still the issue of how the user would know that at all, since
>> list does not indicate
>> what's local and what isn't, but it's a good point to start at.
>>
>>>
>>> Add
>>> if does exist: error
>>
>> yes, that should be sufficient.
>>
>>>
>>> Modify:
>>> If does not exist local; you are not allowed to modify, see above.
>>
>> That's tricky. That depends on what you want modify to do.
>> The libsemanage modify_local function is with respect to the local
>> store, but
>> anything you write in the store at all will modify policy, so you can
>> go either way
>> with your higher level modify. The question is what you're modifying,
>> and does
>> the user understand that.
>>
> But I thought we were only going to allow modifying of local stuff. Do
> we want a user to be able to modify the SELinux USER Root or user_u? I
> don't think so.
>
why not? that is a fairly arbitrary decision, maybe we shouldn't allow
them to modify the ssh port either?
> I think modify should be akin to delete. You can only modify if it
> exists_local.
>
>> I think to be consistent with add(), you should modify with respect to
>> policy, and not do any checks here.
>>
>> ====
>> Btw, if there's interest in writing an API that works on policy alone,
>> minus local modifications, that can be done - it just requires writing
>> down another policy after expand, and before any local things are
>> written down.
>
>
>
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: Policycoreutils latest diffs.
2006-01-04 19:41 ` Joshua Brindle
@ 2006-01-04 18:02 ` Ivan Gyurdiev
2006-01-04 20:11 ` Joshua Brindle
0 siblings, 1 reply; 19+ messages in thread
From: Ivan Gyurdiev @ 2006-01-04 18:02 UTC (permalink / raw)
To: Joshua Brindle; +Cc: Daniel J Walsh, Stephen Smalley, SE Linux
>> But I thought we were only going to allow modifying of local stuff.
>> Do we want a user to be able to modify the SELinux USER Root or
>> user_u? I don't think so.
>>
> why not? that is a fairly arbitrary decision, maybe we shouldn't allow
> them to modify the ssh port either?
Speaking of overriding things, is it currently possible to override the
entire ethereal security module, for example?
Is there a modules.local? It's always been my opinion that modules
should be just another record type, and the fs directory should be just
another backend to the database...
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: Policycoreutils latest diffs.
2006-01-04 18:02 ` Ivan Gyurdiev
@ 2006-01-04 20:11 ` Joshua Brindle
2006-01-04 19:03 ` Ivan Gyurdiev
0 siblings, 1 reply; 19+ messages in thread
From: Joshua Brindle @ 2006-01-04 20:11 UTC (permalink / raw)
To: Ivan Gyurdiev; +Cc: Daniel J Walsh, Stephen Smalley, SE Linux
Ivan Gyurdiev wrote:
>
>>> But I thought we were only going to allow modifying of local stuff.
>>> Do we want a user to be able to modify the SELinux USER Root or
>>> user_u? I don't think so.
>>>
>> why not? that is a fairly arbitrary decision, maybe we shouldn't allow
>> them to modify the ssh port either?
>
> Speaking of overriding things, is it currently possible to override the
> entire ethereal security module, for example?
> Is there a modules.local? It's always been my opinion that modules
> should be just another record type, and the fs directory should be just
> another backend to the database...
>
>
I really don't want to get into this again. Generalizing module store
for the sake of doing so would be a tremendous waste of time. The policy
server will allow transfering of the binary modules to machines over the
network (with access control) so why would they ever need to be stored
in some other medium.
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: Policycoreutils latest diffs.
2006-01-04 20:11 ` Joshua Brindle
@ 2006-01-04 19:03 ` Ivan Gyurdiev
0 siblings, 0 replies; 19+ messages in thread
From: Ivan Gyurdiev @ 2006-01-04 19:03 UTC (permalink / raw)
To: Joshua Brindle; +Cc: Daniel J Walsh, Stephen Smalley, SE Linux
>>
>> Speaking of overriding things, is it currently possible to override
>> the entire ethereal security module, for example?
>> Is there a modules.local? It's always been my opinion that modules
>> should be just another record type, and the fs directory should be
>> just another backend to the database...
>>
>>
> I really don't want to get into this again. Generalizing module store
> for the sake of doing so would be a tremendous waste of time. The
> policy server will allow transfering of the binary modules to machines
> over the network (with access control) so why would they ever need to
> be stored in some other medium.
Maybe so... I don't think it'd be that difficult, and I think there
would be benefits in terms of shared code and uniform interface.
Anyway, my point was uniform interface is a good thing - modules should
be less special and more like the other things.
My first question still stands, whether or not the store is generalized
- it seems potentially useful to have a modules.local folder. It
actually seems like a namespace conflict not to have one - what if I
write a module, put it in the modules folder, and then it gets
overwritten by policy when somebody makes another one with the same
name. What if I want a more restrictive version of mozilla? Or a more
relaxed one? Or I want to make a program that has a policy interoperate
with my secret 3rd party extension that I can't upstream.
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: Policycoreutils latest diffs.
2006-01-03 18:39 Policycoreutils " Daniel J Walsh
2006-01-03 17:22 ` Ivan Gyurdiev
@ 2006-01-03 18:04 ` Ivan Gyurdiev
2006-01-04 17:36 ` Stephen Smalley
2 siblings, 0 replies; 19+ messages in thread
From: Ivan Gyurdiev @ 2006-01-03 18:04 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: Stephen Smalley, SE Linux
> - rc = commands.getstatusoutput("grep -v '^ *#' %s" % self.selinuxdir+self.type+"/seusers")
> - if rc[0] == 0 and rc[1] != "":
> - ulist = rc[1].split("\n")
> - for u in ulist:
> - if len(u)==0:
> + try:
> + fd =open(self.selinuxdir+self.type+"/seusers")
> + for u in fd.read().split('\n'):
> + u=u.strip()
> + if len(u)==0 or u[0]=="#":
> continue
> user = u.split(":")
> if len(user) < 3:
> continue
>
Somebody pointed out that len(user) < 3 assumes the mls component of the
seusers file is required.
This is not consistent with libsemanage and libselinux, which consider
it optional.
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 19+ messages in thread* Re: Policycoreutils latest diffs.
2006-01-03 18:39 Policycoreutils " Daniel J Walsh
2006-01-03 17:22 ` Ivan Gyurdiev
2006-01-03 18:04 ` Ivan Gyurdiev
@ 2006-01-04 17:36 ` Stephen Smalley
2 siblings, 0 replies; 19+ messages in thread
From: Stephen Smalley @ 2006-01-04 17:36 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: Ivan Gyurdiev, SE Linux
On Tue, 2006-01-03 at 13:39 -0500, Daniel J Walsh wrote:
> Fixes to restorecon to handle user_only_changed even in the -vv case.
>
>
> Many fixes to chcat to get it working in the hundreds of different ways
> it can be used...
>
> Changed fixfiles to sort before doing the diff. New way of handling
> file_context seems to change the file_context sort order on every update
> causing fixfiles to falsely think things have changed. This might not
> be ideal since ordering could cause problems.
>
> genhomedircon fixes to make it work within anaconda. Eliminated all
> calls to getstatusoutput.
>
> Added test files to be run to make sure there are no regressions on
> updates. Probably should get these to run automatically some how.
>
> semanage modified to handle ports. Currenly does not work because of
> some of Ivan's changes to libsepol, libsemanage and libselinux have not
> been added.
I merged the diffs to existing files as of policycoreutils 1.29.3.
However, I didn't add the new files yet, namely selisteners and the test
files. selisteners likely needs more polishing to be generally useful.
For the test scripts, I think we need them to be in a form more amenable
to automated testing (i.e. checking the return values and/or output
themselves against expected values), and possibly they should be added
to the selinux testsuite in the ltp instead of included in
policycoreutils itself (especially since you have to install a custom
setrans.conf for your chcat tests, and semanage may be manipulating the
active policy).
--
Stephen Smalley
National Security Agency
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 19+ messages in thread
end of thread, other threads:[~2006-03-08 17:29 UTC | newest]
Thread overview: 19+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2006-02-22 18:23 policycoreutils latest diffs Daniel J Walsh
2006-02-23 14:02 ` Stephen Smalley
2006-03-08 17:29 ` Stephen Smalley
-- strict thread matches above, loose matches on Subject: below --
2006-01-03 18:39 Policycoreutils " Daniel J Walsh
2006-01-03 17:22 ` Ivan Gyurdiev
2006-01-04 16:33 ` Ivan Gyurdiev
2006-01-04 16:40 ` Ivan Gyurdiev
2006-01-04 19:15 ` Daniel J Walsh
2006-01-04 17:31 ` Ivan Gyurdiev
2006-01-04 17:37 ` Ivan Gyurdiev
2006-01-04 19:35 ` Joshua Brindle
2006-01-04 17:38 ` Ivan Gyurdiev
2006-01-04 19:39 ` Daniel J Walsh
2006-01-04 19:41 ` Joshua Brindle
2006-01-04 18:02 ` Ivan Gyurdiev
2006-01-04 20:11 ` Joshua Brindle
2006-01-04 19:03 ` Ivan Gyurdiev
2006-01-03 18:04 ` Ivan Gyurdiev
2006-01-04 17:36 ` Stephen Smalley
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.