* Latest policycoreutils patch
@ 2006-01-17 20:34 Daniel J Walsh
  2006-01-18  1:36 ` Joshua Brindle
                   ` (2 more replies)
  0 siblings, 3 replies; 34+ messages in thread
From: Daniel J Walsh @ 2006-01-17 20:34 UTC (permalink / raw)
  To: Stephen Smalley, SE Linux

[-- Attachment #1: Type: text/plain, Size: 144 bytes --]

Includes Ivan and Russells changes

Now checks to make sure it is run as root.

Also chcat can now manipulate categories of users as well as files.



[-- Attachment #2: policycoreutils-rhat.patch --]
[-- Type: text/x-patch, Size: 52081 bytes --]

diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/chcat policycoreutils-1.29.7/scripts/chcat
--- nsapolicycoreutils/scripts/chcat	2006-01-04 13:07:46.000000000 -0500
+++ policycoreutils-1.29.7/scripts/chcat	2006-01-17 12:44:55.000000000 -0500
@@ -23,15 +23,51 @@
 #
 #  
 import commands, sys, os, pwd, string, getopt, re, selinux
+import seobject
 
-def chcat_add(orig, newcat, files):
+def chcat_user_add(orig, newcat, users):
+    errors=0
+    logins = seobject.loginRecords()
+    seusers=logins.get_all()
+    add_ind=0
+    for u in users:
+        if u in seusers.keys():
+            user=seusers[u]
+        else:
+            add_ind=1
+            user=seusers["__default__"]
+        range=user[1].split("-")
+        cats=[]
+        top=["s0"]
+        if len(range) > 1:
+            top=range[1].split(":")
+            if len(top) > 1:
+                cats.append(top[1])
+                cats = expandCats(cats)
+
+        for i in newcat[1:]:
+            if i not in cats:
+                cats.append(i)
+        new_range="%s-%s:%s" % (range[0], top[0], string.join(cats, ","))
+        
+        if add_ind:
+            logins.add(u, user[0], new_range)
+        else:
+            logins.modify(u, user[0], new_range)
+    return errors
+        
+def chcat_add(orig, newcat, objects,login_ind):
     if len(newcat) == 1:
         raise ValueError("Requires at least one category")
+
+    if login_ind == 1:
+        return chcat_user_add(orig, newcat, objects)
+    
     errors=0
     sensitivity=newcat[0]
     cat=newcat[1]
     cmd='chcon -l %s' % sensitivity
-    for f in files:
+    for f in objects:
         (rc, c) = selinux.getfilecon(f)
         con=c.split(":")[3:]
         clist = translate(con)
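Review bot: `add_ind` in chcat_user_add is set once outside the loop and never reset, so after the first user missing from the login mappings every later user — including ones that do exist — goes through `logins.add` instead of `logins.modify` and will fail with the "already defined" error; chcat_user_remove and chcat_user_replace repeat the same pattern. Computing it per iteration, `add_ind = u not in seusers`, as the first line of the loop body fixes all three. `errors` is also never incremented in these functions, so they return 0 whatever happened, and a ValueError from add/modify aborts the whole run at the first failing user instead of being counted. `range` shadows the builtin inside the loop.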
@@ -57,14 +93,50 @@
             errors+=1
     return errors
 
-def chcat_remove(orig, newcat, files):
+def chcat_user_remove(orig, newcat, users):
+    errors=0
+    logins = seobject.loginRecords()
+    seusers=logins.get_all()
+    add_ind=0
+    for u in users:
+        if u in seusers.keys():
+            user=seusers[u]
+        else:
+            add_ind=1
+            user=seusers["__default__"]
+        range=user[1].split("-")
+        cats=[]
+        top=["s0"]
+        if len(range) > 1:
+            top=range[1].split(":")
+            if len(top) > 1:
+                cats.append(top[1])
+                cats = expandCats(cats)
+
+        for i in newcat[1:]:
+            if i in cats:
+                cats.remove(i)
+
+        new_range="%s-%s:%s" % (range[0], top[0], string.join(cats, ","))
+        
+        if add_ind:
+            logins.add(u, user[0], new_range)
+        else:
+            logins.modify(u, user[0], new_range)
+    return errors
+        
+def chcat_remove(orig, newcat, objects, login_ind):
     if len(newcat) == 1:
         raise ValueError("Requires at least one category")
+
+    if login_ind == 1:
+        return chcat_user_remove(orig, newcat, objects)
+
     errors=0
     sensitivity=newcat[0]
     cat=newcat[1]
 
-    for f in files:
+    for f in objects:
         (rc, c) = selinux.getfilecon(f)
         con=c.split(":")[3:]
         clist = translate(con)
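Review bot: When the removal empties `cats`, chcat_user_remove builds `new_range` as `"s0-s0:"` with a dangling colon, because the `"%s-%s:%s"` format always emits the separator; chcat_user_replace produces the same string on the `-l -d user` path, where `newcat[1:]` is empty. Whether untranslate or libsemanage rejects or stores that verbatim is not visible here, but the clean form adds the category list only when present: `new_range="%s-%s" % (range[0], top[0])` followed by `if cats: new_range += ":" + string.join(cats, ",")`.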
@@ -97,7 +169,29 @@
             errors+=1
     return errors
 
-def chcat_replace(orig, newcat, files):
+def chcat_user_replace(orig, newcat, users):
+    errors=0
+    logins = seobject.loginRecords()
+    seusers=logins.get_all()
+    add_ind=0
+    for u in users:
+        if u in seusers.keys():
+            user=seusers[u]
+        else:
+            add_ind=1
+            user=seusers["__default__"]
+        range=user[1].split("-")
+        new_range="%s-%s:%s" % (range[0],newcat[0], string.join(newcat[1:], ","))
+        
+        if add_ind:
+            logins.add(u, user[0], new_range)
+        else:
+            logins.modify(u, user[0], new_range)
+    return errors
+    
+def chcat_replace(orig, newcat, objects, login_ind):
+    if login_ind == 1:
+        return chcat_user_replace(orig, newcat, objects)
     errors=0
     if len(newcat) == 1:
         sensitivity=newcat[0]
@@ -108,7 +202,7 @@
         for cat in newcat[2:]:
             cmd='%s,%s' % (cmd, cat)
         
-    for f in files:
+    for f in objects:
         cmd = "%s %s" % (cmd, f)
 
     rc=commands.getstatusoutput(cmd)
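Review bot: The loop over `objects` still interpolates each name into a shell string, `cmd = "%s %s" % (cmd, f)`, which `commands.getstatusoutput` hands to the shell, so a file name containing whitespace or shell metacharacters is split or interpreted rather than passed to chcon as one argument. Quoting at the point of interpolation, `cmd = "%s %s" % (cmd, pipes.quote(f))`, or building an argv list for `subprocess` keeps each name a single argument. chcat_replace starts before this hunk.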
@@ -181,11 +275,15 @@
     
 def usage():
 	print "Usage %s CATEGORY File ..." % sys.argv[0]
+	print "Usage %s -l CATEGORY user ..." % sys.argv[0]
 	print "Usage %s [[+|-]CATEGORY],...]q File ..." % sys.argv[0]
+	print "Usage %s -l [[+|-]CATEGORY],...]q user ..." % sys.argv[0]
 	print "Usage %s -d File ..." % sys.argv[0]
-	print "Usage %s -l" % sys.argv[0]
+	print "Usage %s -l -d user ..." % sys.argv[0]
+	print "Usage %s -L" % sys.argv[0]
         print "Use -- to end option list.  For example"
-        print "chcat -- -CompanyConfidential /docs/businessplan.odt."
+        print "chcat -- -CompanyConfidential /docs/businessplan.odt"
+        print "chcat -l +CompanyConfidential juser"
 	sys.exit(1)
 
 def listcats():
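Review bot: The two new `print` lines holding the `--` examples are indented with eight spaces while the other new lines in usage() use a tab, extending a mixed-indentation body that Python 2 accepts but `python -tt` rejects; indent those two lines with a tab like the rest of the function. The new `-L` usage line now matches the getopt change further down.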
@@ -199,6 +297,19 @@
     fd.close()
     return 0
     
+def listusercats(users):
+    seusers = seobject.loginRecords().get_all()
+    for u in users:
+        if u in seusers.keys():
+            cats=seobject.translate(seusers[u][1])
+        else:
+            cats=seobject.translate(seusers["__default__"][1])
+        cats=cats.split("-")
+        if len(cats) > 1 and cats[1] != "s0":
+            print "%s: %s" % (u, cats[1])
+        else:
+            print "%s:" % u
+            
 def error(msg):
     print "%s: %s" % (sys.argv[0], msg)
     sys.exit(1)
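Review bot: listusercats returns None, so `sys.exit(listusercats(cmds))` in main always exits 0 even when a user had to fall back to `__default__`; end it with `return 0` as listcats does, or count the fallbacks and return that. The `seusers["__default__"]` lookup raises KeyError when no default mapping is defined, and nothing visible here catches it. `cats.split("-")` also assumes the translated range contains no hyphen other than the sensitivity separator — translated category names are site-defined, so that is worth confirming.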
@@ -212,10 +323,12 @@
         
     delete_ind=0
     list_ind=0
+    login_ind=0
     try:
         gopts, cmds = getopt.getopt(sys.argv[1:],
-                                    'dhl',
+                                    'dhlL',
                                     ['list',
+                                     'login',
                                      'help',
                                      'delete'])
 
@@ -224,8 +337,10 @@
                 usage()
             if o == "-d" or o == "--delete":
                 delete_ind=1
-            if o == "-l" or o == "--list":
+            if o == "-L" or o == "--list":
                 list_ind=1
+            if o == "-l" or o == "--login":
+                login_ind=1
 
         if list_ind==0 and len(cmds) < 1:
             usage()
@@ -233,10 +348,17 @@
         usage()
 
     if delete_ind:
-        sys.exit(chcat_replace(["s0"], ["s0"], cmds))
+        sys.exit(chcat_replace(["s0"], ["s0"], cmds, login_ind))
 
     if list_ind:
-        sys.exit(listcats())
+        if login_ind:
+            if len(cmds) < 1:
+                usage()
+            sys.exit(listusercats(cmds))
+        else:
+            if len(cmds) > 0:
+                usage()
+            sys.exit(listcats())
 
     if len(cmds) < 2:
         usage()
@@ -245,19 +367,19 @@
     cats=cmds[0].split(",")
     mod_ind=0
     errors=0
-    files=cmds[1:]
+    objects=cmds[1:]
     try:
         if check_replace(cats):
-            errors=chcat_replace(cats,translate(cats), files)
+            errors=chcat_replace(cats,translate(cats), objects, login_ind)
         else:
             for c in cats:
                 l=[]
                 l.append(c[1:])
                 if len(c) > 0 and c[0] == "+":
-                    errors += chcat_add(c[1:],translate(l), files)
+                    errors += chcat_add(c[1:],translate(l), objects, login_ind)
                     continue
                 if len(c) > 0 and c[0] == "-":
-                    errors += chcat_remove(c[1:],translate(l), files)
+                    errors += chcat_remove(c[1:],translate(l), objects, login_ind)
                     continue
     except ValueError, e:
         error(e)
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/chcat.8 policycoreutils-1.29.7/scripts/chcat.8
--- nsapolicycoreutils/scripts/chcat.8	2006-01-04 13:07:46.000000000 -0500
+++ policycoreutils-1.29.7/scripts/chcat.8	2006-01-17 12:49:34.000000000 -0500
@@ -5,31 +5,45 @@
 .B chcat
 \fICATEGORY FILE\fR...
 .br
+.B chcat -l 
+\fICATEGORY USER\fR...
+.br
 .B chcat
 \fI[[+|-]CATEGORY],...]  FILE\fR...
 .br
+.B chcat -l 
+\fI[[+|-]CATEGORY],...]  USER\fR...
+.br
 .B chcat
 [\fI-d\fR] \fIFILE\fR...
 .br
+.B chcat -l 
+[\fI-d\fR] \fIUSER\fR...
+.br
 .B chcat
-[\fI-l\fR] 
+\fI-L\fR [-l] [ USER ... ] 
 .br
 .PP
-Change/Remove the security CATEGORY for each FILE.
+Change/Remove the security CATEGORY for each FILE/USER.
 .PP
-Use +/- to add/remove categories from a FILE.
+Use +/- to add/remove categories from a FILE/USER.
 .TP
 \fB\-d\fR
-delete the category from each file.
+delete the category from each FILE/USER.
 .TP
-\fB\-l\fR
+\fB\-L\fR
 list available categories.
+.TP
+\fB\-l\fR
+Tells chcat to operate on users instead of files.
 .SH "SEE ALSO"
 .TP
-chcon(1), selinux(8)
+chcon(1), selinux(8), semanage(8)
 .PP
 .br
-This script wraps the chcon command.
+When operating on files this script wraps the chcon command.
 .SH "FILES"
 /etc/selinux/{SELINUXTYPE}/setrans.conf 
+.br
+/etc/selinux/{SELINUXTYPE}/seuser
 
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/genhomedircon policycoreutils-1.29.7/scripts/genhomedircon
--- nsapolicycoreutils/scripts/genhomedircon	2006-01-13 09:47:40.000000000 -0500
+++ policycoreutils-1.29.7/scripts/genhomedircon	2006-01-15 08:42:38.000000000 -0500
@@ -327,6 +327,9 @@
 			sys.stderr.write("%s: %s\n" % ( sys.argv[0], error ))
 
 
+if os.getuid() > 0 or os.geteuid() > 0:
+	print "You must be root to run %s." % sys.argv[0]
+	sys.exit(0)
 
 #
 # This script will generate home dir file context
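Review bot: The root check refuses to run but calls `sys.exit(0)`, reporting success to any caller, and prints the refusal to stdout; use `sys.stderr.write("You must be root to run %s.\n" % sys.argv[0])` followed by `sys.exit(1)`. The identical block added to semanage in this patch has the same problem. `os.getuid() > 0 or os.geteuid() > 0` reads more naturally as `!= 0`, though that is cosmetic.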
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semanage/semanage policycoreutils-1.29.7/semanage/semanage
--- nsapolicycoreutils/semanage/semanage	2006-01-13 09:47:40.000000000 -0500
+++ policycoreutils-1.29.7/semanage/semanage	2006-01-15 09:04:05.000000000 -0500
@@ -20,23 +20,27 @@
 #                                        02111-1307  USA
 #
 #  
-import sys, getopt
+import os, sys, getopt
 import seobject
 
 if __name__ == '__main__':
+	if os.getuid() > 0 or os.geteuid() > 0:
+		print "You must be root to run %s." % sys.argv[0]
+		sys.exit(0)
 
 	def usage(message = ""):
 		print '\
-semanage user [-admsRrh] SELINUX_USER\n\
-semanage login [-admsrh] LOGIN_NAME\n\
-semanage port [-admth] PORT | PORTRANGE\n\
-semanage interface [-admth] INTERFACE\n\
-semanage fcontext [-admhfst] INTERFACE\n\
+semanage user [-admLRr] SELINUX_USER\n\
+semanage login [-admsr] LOGIN_NAME\n\
+semanage port [-admtpr] PORT | PORTRANGE\n\
+semanage interface [-admtr] INTERFACE\n\
+semanage fcontext [-admhfrst] INTERFACE\n\
 	-a, --add        Add a OBJECT record NAME\n\
 	-d, --delete     Delete a OBJECT record NAME\n\
 	-f, --ftype      File Type of OBJECT \n\
 	-h, --help       display this message\n\
 	-l, --list       List the OBJECTS\n\
+	-L, --level      Default SELinux Level\n\
 	-n, --noheading  Do not print heading when listing OBJECTS\n\
 	-m, --modify     Modify a OBJECT record NAME\n\
 	-r, --range      MLS/MCS Security Range\n\
@@ -84,7 +88,7 @@
 			
 		args = sys.argv[2:]
 		gopts, cmds = getopt.getopt(args,
-					    'adf:lhmnp:P:s:R:r:t:v',
+					    'adf:lhmnp:P:s:R:L:r:t:v',
 					    ['add',
 					     'delete',
 					     'ftype=',
@@ -96,6 +100,7 @@
 					     'proto=',
 					     'seuser=',
 					     'range=',
+					     'level=',
 					     'roles=',
 					     'type=',
 					     'verbose'
@@ -106,7 +111,7 @@
 					usage()
 				add = 1
 				
-			if o == "-d"  or o == "--delese":
+			if o == "-d"  or o == "--delete":
 				if modify or add:
 					usage()
 				delete = 1
@@ -126,21 +131,24 @@
 			if o == "-r" or o == '--range':
 				serange = a
 
+			if o == "-l" or o == "--list":
+				list = 1
+
+			if o == "-L" or o == '--level':
+				selevel = a
+
 			if o == "-P" or o == '--proto':
 				proto = a
 
 			if o == "-R" or o == '--roles':
 				roles = a
 
-			if o == "-t" or o == "--type":
-				setype = a
-
-			if o == "-l" or o == "--list":
-				list = 1
-
 			if o == "-s" or o == "--seuser":
 				seuser = a
 
+			if o == "-t" or o == "--type":
+				setype = a
+
 			if o == "-v" or o == "--verbose":
 				verbose = 1
 
@@ -210,8 +218,13 @@
 		if delete:
 			if object == "port":
 				OBJECT.delete(target, proto)
+
+			if object == "fcontext":
+				OBJECT.delete(target, ftype)
+
 			else:
 				OBJECT.delete(target)
+
 			sys.exit(0);
 		usage()
 			
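Review bot: The `else:` in the delete branch now pairs only with the new `if object == "fcontext":`, so for `object == "port"` both `OBJECT.delete(target, proto)` and then `OBJECT.delete(target)` execute; the second call lacks the proto argument portRecords.delete requires and fails after the port has already been removed. Change the second test to `elif object == "fcontext":` so the three cases are exclusive.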
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semanage/semanage.8 policycoreutils-1.29.7/semanage/semanage.8
--- nsapolicycoreutils/semanage/semanage.8	2005-11-29 10:55:01.000000000 -0500
+++ policycoreutils-1.29.7/semanage/semanage.8	2006-01-15 09:04:56.000000000 -0500
@@ -3,55 +3,71 @@
 semanage \- SELinux Policy Management tool
 
 .SH "SYNOPSIS"
-.B semanage OBJECTTYPE [\-admsrh] OBJECT
-.B semanage login [\-admsrh] login_name
+.B semanage {login|user|port|interface|fcontext} \-l
 .br
-.B semanage seuser [\-admsrh] selinux_name
+.B semanage login \-{a|d|m} [\-sr] login_name
 .br
-.B semanage port [\-admth] port_number
+.B semanage user \-{a|d|m} [\-LrR] selinux_name
+.br
+.B semanage port \-{a|d|m} [\-tp] port_number
+.br
+.B semanage interface \-{a|d|m} [\-tr] interface_spec
+.br
+.B semanage fcontext \-{a|d|m} [\-frst] file_spec
 .P
-This tool is used to manage configuration of the SELinux policy
+
+This tool is used to configure SELinux policy
 
 .SH "DESCRIPTION"
 This manual page describes the
 .BR semanage
 program.
 .br
-This tool is used to manage configuration of SELinux Policy.  You can configure SELinux User Mappings, SELinux Port Mappings, SELinux Users.
-
+This tool is used to configure SELinux Policy.  You can configure SELinux User Mappings, SELinux Port Mappings, SELinux Users. File Context and Network Interfaces.
 
 .SH "OPTIONS"
-.TP 
-                \-a, \-\-add        
-.P
+.TP
+.I                \-a, \-\-add        
 Add a OBJECT record NAME
-.B                \-d, \-\-delete     
-.P
+.TP
+.I                \-d, \-\-delete     
 Delete a OBJECT record NAME
-.B                \-h, \-\-help       
-.P
+.TP
+.I                \-h, \-\-help       
 display this message
-.B                \-l, \-\-list       
-.P
+.TP
+.I                \-f, \-\-ftype
+File Type.   This is used with fcontext.
+Requires a file type as shown in the mode field by ls, e.g. use -d to match only directories or -- to match only regular files.
+.TP
+.I                \-l, \-\-list       
 List the OBJECTS
-.B                \-m, \-\-modify     
-.P
+.TP
+.I                \-L, \-\-level
+Default SELinux Level for SELinux use. (s0)
+.TP
+.I                \-m, \-\-modify     
 Modify a OBJECT record NAME
-.B                \-r, \-\-range      
-.P
+.TP
+.I                \-p, \-\-proto
+Protocol for the specified port (tcp|udp).
+.TP
+.I                \-R, \-\-role
+SELinux Roles (Separate by spaces)
+.TP
+.I                \-r, \-\-range      
 MLS/MCS Security Range
-.B                \-s, \-\-seuser     
-.P
+.TP
+.I                \-s, \-\-seuser     
 SELinux user name
-.B                \-t, \-\-type       
-.P
+.TP
+.I                \-t, \-\-type       
 SELinux Type for the object
-.B                \-v, \-\-verbose    
-.P
+.TP
+.I                \-v, \-\-verbose    
 verbose output
 
 .SH "AUTHOR"
-This man page was written by Daniel Walsh <dwalsh@redhat.com>.
-
-
+This man page was written by Daniel Walsh <dwalsh@redhat.com> and
+Russell Coker <rcoker@redhat.com>.
 
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semanage/seobject.py policycoreutils-1.29.7/semanage/seobject.py
--- nsapolicycoreutils/semanage/seobject.py	2006-01-13 08:39:11.000000000 -0500
+++ policycoreutils-1.29.7/semanage/seobject.py	2006-01-15 09:50:28.000000000 -0500
@@ -21,8 +21,39 @@
 #
 #  
 
-import pwd, string
+import pwd, string, selinux
 from semanage import *;
+
+def translate(raw, prepend=1):
+	if prepend == 1:
+		context="a:b:c:%s" % raw
+	else:
+		context=raw
+	(rc, trans)=selinux.selinux_raw_to_trans_context(context)
+	if rc != 0:
+		return raw
+	if prepend:
+		trans = trans.strip("a:b:c")
+	if trans == "":
+		return raw
+	else:
+		return trans
+	
+def untranslate(trans, prepend=1):
+ 	if prepend == 1:
+		context="a:b:c:%s" % trans
+	else:
+		context=raw
+	(rc, raw)=selinux.selinux_trans_to_raw_context(context)
+	if rc != 0:
+		return trans
+	if prepend:
+		raw = raw.strip("a:b:c")	
+	if raw == "":
+		return trans
+	else:
+		return raw
+	
 class semanageRecords:
 	def __init__(self):
 		self.sh = semanage_handle_create()
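Review bot: In untranslate the `else:` branch assigns `context=raw`, but `raw` is not bound at that point, so any call with `prepend != 1` raises NameError; it should be `context=trans`. Both helpers also use `strip("a:b:c")`, which removes any run of the characters `a`, `b`, `c` and `:` from both ends rather than the `a:b:c:` prefix, so a result whose MLS field begins or ends with one of those characters (a category name ending in `c`, for instance) is truncated. Remove the prefix explicitly: `if trans.startswith("a:b:c:"): trans = trans[len("a:b:c:"):]`, and likewise for `raw` in untranslate.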
@@ -37,6 +68,9 @@
 	def add(self, name, sename, serange):
 		if serange == "":
 			serange = "s0"
+		else:
+			serange = untranslate(serange)
+			
 		if sename == "":
 			sename = "user_u"
 			
@@ -46,7 +80,7 @@
 
 		(rc,exists) = semanage_seuser_exists(self.sh, k)
 		if exists:
-			raise ValueError("SELinux User %s mapping already defined" % name)
+			raise ValueError("Login mapping for %s is already defined" % name)
 		try:
 			pwd.getpwnam(name)
 		except:
@@ -54,40 +88,65 @@
 			
 		(rc,u) = semanage_seuser_create(self.sh)
 		if rc < 0:
-			raise ValueError("Could not create seuser for %s" % name)
+			raise ValueError("Could not create login mapping for %s" % name)
 
-		semanage_seuser_set_name(self.sh, u, name)
-		semanage_seuser_set_mlsrange(self.sh, u, serange)
-		semanage_seuser_set_sename(self.sh, u, sename)
-		semanage_begin_transaction(self.sh)
-		semanage_seuser_add(self.sh, k, u)
-		if semanage_commit(self.sh) < 0:
-			raise ValueError("Failed to add SELinux user mapping")
+		rc = semanage_seuser_set_name(self.sh, u, name)
+		if rc < 0:
+			raise ValueError("Could not set name for %s" % name)
+
+		rc = semanage_seuser_set_mlsrange(self.sh, u, serange)
+		if rc < 0:
+			raise ValueError("Could not set MLS range for %s" % name)
+
+		rc = semanage_seuser_set_sename(self.sh, u, sename)
+		if rc < 0:
+			raise ValueError("Could not set SELinux user for %s" % name)
+
+		rc = semanage_begin_transaction(self.sh)
+		if rc < 0:
+			raise ValueError("Could not start semanage transaction")
+
+		rc = semanage_seuser_modify(self.sh, k, u)
+		if rc < 0:
+			raise ValueError("Failed to add login mapping for %s" % name)
+
+		rc = semanage_commit(self.sh) 
+		if rc < 0:
+			raise ValueError("Failed to add login mapping for %s" % name)
 
 	def modify(self, name, sename = "", serange = ""):
+		if sename == "" and serange == "":
+			raise ValueError("Requires seuser or serange")
+
 		(rc,k) = semanage_seuser_key_create(self.sh, name)
 		if rc < 0:
 			raise ValueError("Could not create a key for %s" % name)
 
-		if sename == "" and serange == "":
-			raise ValueError("Requires, seuser or serange")
-
 		(rc,exists) = semanage_seuser_exists(self.sh, k)
-		if exists:
-			(rc,u) = semanage_seuser_query(self.sh, k)
-			if rc < 0:
-				raise ValueError("Could not query seuser for %s" % name)
-		else:
-			raise ValueError("SELinux user %s mapping is not defined." % name)
+		if not exists:
+			raise ValueError("Login mapping for %s is not defined" % name)
+
+		(rc,u) = semanage_seuser_query(self.sh, k)
+		if rc < 0:
+			raise ValueError("Could not query seuser for %s" % name)
 
 		if serange != "":
-			semanage_seuser_set_mlsrange(self.sh, u, serange)
+			semanage_seuser_set_mlsrange(self.sh, u, untranslate(serange))
 		if sename != "":
 			semanage_seuser_set_sename(self.sh, u, sename)
-		semanage_begin_transaction(self.sh)
-		semanage_seuser_modify_local(self.sh, k, u)
-		if semanage_commit(self.sh) < 0:
-			raise ValueError("Failed to modify SELinux user mapping")
+
+		rc = semanage_begin_transaction(self.sh)
+		if rc < 0:
+			raise ValueError("Could not srart semanage transaction")
+
+		rc = semanage_seuser_modify(self.sh, k, u)
+		if rc < 0:
+			raise ValueError("Failed to modify login mapping for %s" % name)
+	
+		rc = semanage_commit(self.sh)
+		if rc < 0:
+			raise ValueError("Failed to modify login mapping for %s" % name)
+
 	def delete(self, name):
 		(rc,k) = semanage_seuser_key_create(self.sh, name)
 		if rc < 0:
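Review bot: loginRecords.modify still calls `semanage_seuser_set_mlsrange` and `semanage_seuser_set_sename` without checking their return codes, while add now checks every call; the same gap remains in seluserRecords.modify (set_mlsrange, set_mlslevel, add_role) and portRecords.modify (context_set_mls, context_set_type). Assign and test `rc` as add does, e.g. `rc = semanage_seuser_set_mlsrange(self.sh, u, untranslate(serange))` followed by `if rc < 0: raise ValueError("Could not set MLS range for %s" % name)`. The transaction-start message in modify reads "Could not srart semanage transaction". Raising after `semanage_begin_transaction` leaves the transaction open on the handle; whether libsemanage needs an explicit abort here is not visible in this hunk and worth confirming.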
@@ -95,15 +154,26 @@
 
 		(rc,exists) = semanage_seuser_exists(self.sh, k)
 		if not exists:
-			raise ValueError("SELinux user %s mapping is not defined." % name)
-		semanage_begin_transaction(self.sh)
-		semanage_seuser_del(self.sh, k)
-		if semanage_commit(self.sh) < 0:
-			raise ValueError("SELinux User %s mapping not defined" % name)
+			raise ValueError("Login mapping for %s is not defined" % name)
+
+		rc = semanage_begin_transaction(self.sh)
+		if rc < 0:
+			raise ValueError("Could not start semanage transaction")
+
+		rc = semanage_seuser_del(self.sh, k)
+		if rc < 0:
+			raise ValueError("Failed to delete login mapping for %s" % name)
+
+		rc = semanage_commit(self.sh)
+		if rc < 0:
+			raise ValueError("Failed to delete login mapping for %s" % name)
 		
 	def get_all(self):
 		dict={}
-		(status, self.ulist, self.usize) = semanage_seuser_list(self.sh)
+		(rc, self.ulist, self.usize) = semanage_seuser_list(self.sh)
+		if rc < 0:
+			raise ValueError("Could not list login mappings")
+
 		for idx in range(self.usize):
 			u = semanage_seuser_by_idx(self.ulist, idx)
 			name = semanage_seuser_get_name(u)
@@ -117,7 +187,7 @@
 		keys=dict.keys()
 		keys.sort()
 		for k in keys:
-			print "%-25s %-25s %-25s" % (k, dict[k][0], dict[k][1])
+			print "%-25s %-25s %-25s" % (k, dict[k][0], translate(dict[k][1]))
 
 class seluserRecords(semanageRecords):
 	def __init__(self):
@@ -126,87 +196,134 @@
 	def add(self, name, roles, selevel, serange):
 		if serange == "":
 			serange = "s0"
+		else:
+			serange = untranslate(serange)
+			
 		if selevel == "":
 			selevel = "s0"
+		else:
+			selevel = untranslate(selevel)
 
 		(rc,k) = semanage_user_key_create(self.sh, name)
 		if rc < 0:
 			raise ValueError("Could not create a key for %s" % name)
 
 		(rc,exists) = semanage_user_exists(self.sh, k)
-		if not exists:
-			raise ValueError("SELinux user %s is already defined." % name)
+		if exists:
+			raise ValueError("SELinux user %s is already defined" % name)
 
 		(rc,u) = semanage_user_create(self.sh)
 		if rc < 0:
-			raise ValueError("Could not create login mapping for %s" % name)
+			raise ValueError("Could not create SELinux user for %s" % name)
+
+		rc = semanage_user_set_name(self.sh, u, name)
+		if rc < 0:
+			raise ValueError("Could not set name for %s" % name)
 
-		semanage_user_set_name(self.sh, u, name)
 		for r in roles:
-			semanage_user_add_role(self.sh, u, r)
-		semanage_user_set_mlsrange(self.sh, u, serange)
-		semanage_user_set_mlslevel(self.sh, u, selevel)
+			rc = semanage_user_add_role(self.sh, u, r)
+			if rc < 0:
+				raise ValueError("Could not add role %s for %s" % (r, name))
+
+		rc = semanage_user_set_mlsrange(self.sh, u, serange)
+		if rc < 0:
+			raise ValueError("Could not set MLS range for %s" % name)
+
+		rc = semanage_user_set_mlslevel(self.sh, u, selevel)
+		if rc < 0:
+			raise ValueError("Could not set MLS level for %s" % name)
+
 		(rc,key) = semanage_user_key_extract(self.sh,u)
 		if rc < 0:
 			raise ValueError("Could not extract key for %s" % name)
 
-		semanage_begin_transaction(self.sh)
-		semanage_user_modify_local(self.sh, k, u)
-		if semanage_commit(self.sh) < 0:
-			raise ValueError("Failed to add SELinux user")
+		rc = semanage_begin_transaction(self.sh)
+		if rc < 0:
+			raise ValueError("Could not start semanage transaction")
+
+		rc = semanage_user_modify_local(self.sh, k, u)
+		if rc < 0:
+			raise ValueError("Failed to add SELinux user %s" % name)
+
+		rc = semanage_commit(self.sh)
+		if rc < 0:
+			raise ValueError("Failed to add SELinux user %s" % name)
 
 	def modify(self, name, roles = [], selevel = "", serange = ""):
 		if len(roles) == 0  and serange == "" and selevel == "":
-			raise ValueError("Requires, roles, level  or range")
+			raise ValueError("Requires roles, level or range")
 
 		(rc,k) = semanage_user_key_create(self.sh, name)
 		if rc < 0:
 			raise ValueError("Could not create a key for %s" % name)
 
 		(rc,exists) = semanage_user_exists(self.sh, k)
-		if exists:
-			(rc,u) = semanage_user_query(self.sh, k)
-		else:
-			raise ValueError("SELinux user %s mapping is not defined locally." % name)
+		if not exists:
+			raise ValueError("SELinux user %s is not defined" % name)
+		
+		(rc,u) = semanage_user_query(self.sh, k)
 		if rc < 0:
 			raise ValueError("Could not query user for %s" % name)
 
 		if serange != "":
-			semanage_user_set_mlsrange(self.sh, u, serange)
+			semanage_user_set_mlsrange(self.sh, u, untranslate(serange))
 		if selevel != "":
-			semanage_user_set_mlslevel(self.sh, u, selevel)
+			semanage_user_set_mlslevel(self.sh, u, untranslate(selevel))
+			
 		if len(roles) != 0:
 			for r in roles:
 				semanage_user_add_role(self.sh, u, r)
-		semanage_begin_transaction(self.sh)
-		semanage_user_modify_local(self.sh, k, u)
-		if semanage_commit(self.sh) < 0:
-			raise ValueError("Failed to modify SELinux user")
+
+		rc = semanage_begin_transaction(self.sh)
+		if rc < 0:
+			raise ValueError("Could not start semanage transaction")
+
+		rc = semanage_user_modify_local(self.sh, k, u)
+		if rc < 0:
+			raise ValueError("Failed to modify SELinux user %s" % name)
+
+		rc = semanage_commit(self.sh)
+		if rc < 0:
+			raise ValueError("Failed to modify SELinux user %s" % name)
 		
 	def delete(self, name):
 		(rc,k) = semanage_user_key_create(self.sh, name)
 		if rc < 0:
-			raise ValueError("Could not crpppeate a key for %s" % name)
+			raise ValueError("Could not create a key for %s" % name)
+
 		(rc,exists) = semanage_user_exists(self.sh, k)
 		if not exists:
-			raise ValueError("user %s is not defined" % name)
-		else:
-			(rc,exists) = semanage_user_exists_local(self.sh, k)
-			if not exists:
-				raise ValueError("user %s is not defined locally, can not delete " % name)
-			
-		semanage_begin_transaction(self.sh)
-		semanage_user_del_local(self.sh, k)
-		if semanage_commit(self.sh) < 0:
-			raise ValueError("Login User %s not defined" % name)
+			raise ValueError("SELinux user %s is not defined" % name)
+
+		(rc,exists) = semanage_user_exists_local(self.sh, k)
+		if not exists:
+			raise ValueError("SELinux user %s is defined in policy, cannot be deleted" % name)
+			
+		rc = semanage_begin_transaction(self.sh)
+		if rc < 0:
+			raise ValueError("Could not start semanage transaction")
+
+		rc = semanage_user_del_local(self.sh, k)
+		if rc < 0:
+			raise ValueError("Failed to delete SELinux user %s" % name)
+
+		rc = semanage_commit(self.sh)
+		if rc < 0:
+			raise ValueError("Failed to delete SELinux user %s" % name)
 		
 	def get_all(self):
 		dict={}
-		(status, self.ulist, self.usize) = semanage_user_list(self.sh)
+		(rc, self.ulist, self.usize) = semanage_user_list(self.sh)
+		if rc < 0:
+			raise ValueError("Could not list SELinux users")
+
 		for idx in range(self.usize):
 			u = semanage_user_by_idx(self.ulist, idx)
 			name = semanage_user_get_name(u)
-			(status, rlist, rlist_size) = semanage_user_get_roles(self.sh, u)
+			(rc, rlist, rlist_size) = semanage_user_get_roles(self.sh, u)
+			if rc < 0:
+				raise ValueError("Could not list roles for user %s" % name)
+
 			roles = ""
 
 			if rlist_size:
@@ -219,13 +336,13 @@
 
 	def list(self, heading=1):
 		if heading:
-			print "\n%-15s %-10s %-20s" % ("", "MLS/", "MLS/")
-			print "%-15s %-10s %-15s %-20s\n" % ("SELinux User", "MCS Level", "MCS Range", "SELinux Roles")
+			print "\n%-15s %-10s %-30s" % ("", "MLS/", "MLS/")
+			print "%-15s %-10s %-30s %s\n" % ("SELinux User", "MCS Level", "MCS Range", "SELinux Roles")
 		dict=self.get_all()
 		keys=dict.keys()
 		keys.sort()
 		for k in keys:
-			print "%-15s %-10s %-15s %s" % (k, dict[k][0], dict[k][1], dict[k][2])
+			print "%-15s %-10s %-30s %s" % (k, translate(dict[k][0]), translate(dict[k][1]), dict[k][2])
 
 class portRecords(semanageRecords):
 	def __init__(self):
@@ -258,6 +375,8 @@
 	def add(self, port, proto, serange, type):
 		if serange == "":
 			serange="s0"
+		else:
+			serange=untranslate(serange)
 			
 		if type == "":
 			raise ValueError("Type is required")
@@ -278,62 +397,97 @@
 		if rc < 0:
 			raise ValueError("Could not create context for %s/%s" % (proto, port))
 
-		semanage_context_set_user(self.sh, con, "system_u")
-		semanage_context_set_role(self.sh, con, "object_r")
-		semanage_context_set_type(self.sh, con, type)
-		semanage_context_set_mls(self.sh, con, serange)
-		semanage_begin_transaction(self.sh)
+		rc = semanage_context_set_user(self.sh, con, "system_u")
+		if rc < 0:
+			raise ValueError("Could not set user in port context for %s/%s" % (proto, port))
+
+		rc = semanage_context_set_role(self.sh, con, "object_r")
+		if rc < 0:
+			raise ValueError("Could not set role in port context for %s/%s" % (proto, port))
+
+		rc = semanage_context_set_type(self.sh, con, type)
+		if rc < 0:
+			raise ValueError("Could not set type in port context for %s/%s" % (proto, port))
+
+		rc = semanage_context_set_mls(self.sh, con, serange)
+		if rc < 0:
+			raise ValueError("Could not set mls fields in port context for %s/%s" % (proto, port))
+
 		semanage_port_set_con(p, con)
-		semanage_port_modify_local(self.sh, k, p)
-		if semanage_commit(self.sh) < 0:
-			raise ValueError("Failed to add port")
+
+		rc = semanage_begin_transaction(self.sh)
+		if rc < 0:
+			raise ValueError("Could not start semanage transaction")
+
+		rc = semanage_port_modify_local(self.sh, k, p)
+		if rc < 0:
+			raise ValueError("Failed to add port %s/%s" % (proto, port))
+	
+		rc = semanage_commit(self.sh)
+		if rc < 0:
+			raise ValueError("Failed to add port %s/%s" % (proto, port))
 
 	def modify(self, port, proto, serange, setype):
 		if serange == "" and setype == "":
-			raise ValueError("Requires, setype or serange")
+			raise ValueError("Requires setype or serange")
 
 		( k, proto_d, low, high ) = self.__genkey(port, proto)
 
 		(rc,exists) = semanage_port_exists(self.sh, k)
-		if exists:
-			(rc,p) = semanage_port_query(self.sh, k)
-		else:
-			raise ValueError("port %s/%s is not defined." % (proto,port))
-
+		if not exists:
+			raise ValueError("Port %s/%s is not defined" % (proto,port))
+	
+		(rc,p) = semanage_port_query(self.sh, k)
 		if rc < 0:
-			raise ValueError("Could not query port for %s/%s" % (proto, port))
+			raise ValueError("Could not query port %s/%s" % (proto, port))
 
 		con = semanage_port_get_con(p)
-		if rc < 0:
-			raise ValueError("Could not get port context for %s/%s" % (proto, port))
 			
 		if serange != "":
-			semanage_context_set_mls(self.sh, con, serange)	
+			semanage_context_set_mls(self.sh, con, untranslate(serange))
 		if setype != "":
 			semanage_context_set_type(self.sh, con, setype)
-		semanage_begin_transaction(self.sh)
-		semanage_port_modify_local(self.sh, k, p)
-		if semanage_commit(self.sh) < 0:
-			raise ValueError("Failed to add port")
+
+		rc = semanage_begin_transaction(self.sh)
+		if rc < 0:
+			raise ValueError("Could not start semanage transaction")
+
+		rc = semanage_port_modify_local(self.sh, k, p)
+		if rc < 0:
+			raise ValueError("Failed to modify port %s/%s" % (proto, port))
+
+		rc = semanage_commit(self.sh)
+		if rc < 0:
+			raise ValueError("Failed to add port %s/%s" % (proto, port))
 		
 	def delete(self, port, proto):
 		( k, proto_d, low, high ) = self.__genkey(port, proto)
 		(rc,exists) = semanage_port_exists(self.sh, k)
 		if not exists:
-			raise ValueError("port %s/%s is not defined." % (proto,port))
-		else:
-			(rc,exists) = semanage_port_exists_local(self.sh, k)
-			if not exists:
-				raise ValueError("port %s/%s is not defined localy, can not be deleted." % (proto,port))
-
-		semanage_begin_transaction(self.sh)
-		semanage_port_del_local(self.sh, k)
-		if semanage_commit(self.sh) < 0:
-			raise ValueError("Port %s/%s not defined" % (proto,port))
+			raise ValueError("Port %s/%s is not defined" % (proto, port))
+		
+		(rc,exists) = semanage_port_exists_local(self.sh, k)
+		if not exists:
+			raise ValueError("Port %s/%s is defined in policy, cannot be deleted" % (proto, port))
+
+		rc = semanage_begin_transaction(self.sh)
+		if rc < 0:
+			raise ValueError("Could not start semanage transaction")
+
+		rc = semanage_port_del_local(self.sh, k)
+		if rc < 0:
+			raise ValueError("Could not delete port %s/%s" % (proto, port))
+
+		rc = semanage_commit(self.sh)
+		if rc < 0:
+			raise ValueError("Could not delete port %s/%s" % (proto, port))
 		
 	def get_all(self):
 		dict={}
-		(status, self.plist, self.psize) = semanage_port_list(self.sh)
+		(rc, self.plist, self.psize) = semanage_port_list(self.sh)
+		if rc < 0:
+			raise ValueError("Could not list ports")
+
 		for idx in range(self.psize):
 			u = semanage_port_by_idx(self.plist, idx)
 			con = semanage_port_get_con(u)
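Review bot: portRecords.modify reports a failed commit as "Failed to add port %s/%s", copied from add; the modify path should say `"Failed to modify port %s/%s" % (proto, port)` as its modify_local error already does. `semanage_port_set_con(p, con)` in add is the one call in that sequence whose return value is not checked; wrap it like its neighbours. Dropping the old `rc < 0` test after `semanage_port_get_con` in modify is correct, since that `rc` came from the preceding query.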
@@ -369,89 +523,130 @@
 	def add(self, interface, serange, type):
 		if serange == "":
 			serange="s0"
+		else:
+			serange=untranslate(serange)
 			
 		if type == "":
 			raise ValueError("SELinux Type is required")
 
 		(rc,k) = semanage_iface_key_create(self.sh, interface)
 		if rc < 0:
-			raise ValueError("Can't create key for %s" % interface)
+			raise ValueError("Could not create key for %s" % interface)
+
 		(rc,exists) = semanage_iface_exists(self.sh, k)
 		if exists:
 			raise ValueError("Interface %s already defined" % interface)
 
 		(rc,iface) = semanage_iface_create(self.sh)
 		if rc < 0:
-			raise ValueError("Could not create interface for %s" % (interface))
+			raise ValueError("Could not create interface for %s" % interface)
 		
 		rc = semanage_iface_set_name(self.sh, iface, interface)
 		(rc, con) = semanage_context_create(self.sh)
 		if rc < 0:
 			raise ValueError("Could not create context for %s" % interface)
 
-		semanage_context_set_user(self.sh, con, "system_u")
-		semanage_context_set_role(self.sh, con, "object_r")
-		semanage_context_set_type(self.sh, con, type)
-		semanage_context_set_mls(self.sh, con, serange)
-		semanage_begin_transaction(self.sh)
+		rc = semanage_context_set_user(self.sh, con, "system_u")
+		if rc < 0:
+			raise ValueError("Could not set user in interface context for %s" % interface)
+
+		rc = semanage_context_set_role(self.sh, con, "object_r")
+		if rc < 0:
+			raise ValueError("Could not set role in interface context for %s" % interface)
+
+		rc = semanage_context_set_type(self.sh, con, type)
+		if rc < 0:
+			raise ValueError("Could not set type in interface context for %s" % interface)
+
+		rc = semanage_context_set_mls(self.sh, con, serange)
+		if rc < 0:
+			raise ValueError("Could not set mls fields in interface context for %s" % interface)
+
+		(rc, con2) = semanage_context_clone(self.sh, con)
+		if rc < 0:
+			raise ValueError("Could not clone interface context for %s" % interface)
+
 		semanage_iface_set_ifcon(iface, con)
-		semanage_iface_set_msgcon(iface, con)
-		semanage_iface_add_local(self.sh, k, iface)
-		if semanage_commit(self.sh) < 0:
-			raise ValueError("Failed to add interface")
+		semanage_iface_set_msgcon(iface, con2)
+
+		rc = semanage_begin_transaction(self.sh)
+		if rc < 0:
+			raise ValueError("Could not start semanage transaction")
+
+		rc = semanage_iface_modify_local(self.sh, k, iface)
+		if rc < 0:
+			raise ValueError("Failed to add interface %s" % interface)
+
+		rc = semanage_commit(self.sh)
+		if rc < 0:
+			raise ValueError("Failed to add interface %s" % interface)
 
 	def modify(self, interface, serange, setype):
 		if serange == "" and setype == "":
-			raise ValueError("Requires, setype or serange")
+			raise ValueError("Requires setype or serange")
 
 		(rc,k) = semanage_iface_key_create(self.sh, interface)
 		if rc < 0:
-			raise ValueError("Can't creater key for %s" % interface)
-		(rc,exists) = semanage_iface_exists(self.sh, k)
-		if exists:
-			(rc,p) = semanage_iface_query(self.sh, k)
-		else:
-			raise ValueError("interface %s is not defined." % interface)
+			raise ValueError("Could not create key for %s" % interface)
 
+		(rc,exists) = semanage_iface_exists(self.sh, k)
+		if not exists:
+			raise ValueError("Interface %s is not defined" % interface)
+	
+		(rc,p) = semanage_iface_query(self.sh, k)
 		if rc < 0:
-			raise ValueError("Could not query interface for %s" % interface)
+			raise ValueError("Could not query interface %s" % interface)
 
 		con = semanage_iface_get_ifcon(p)
-		if rc < 0:
-			raise ValueError("Could not get interface context for %s" % interface)
 			
 		if serange != "":
-			semanage_context_set_mls(self.sh, con, serange)	
+			semanage_context_set_mls(self.sh, con, untranslate(serange))
 		if setype != "":
 			semanage_context_set_type(self.sh, con, setype)
 
-		semanage_begin_transaction(self.sh)
-		semanage_iface_modify_local(self.sh, k, p)
-		if semanage_commit(self.sh) < 0:
-			raise ValueError("Failed to add interface")
+		rc = semanage_begin_transaction(self.sh)
+		if rc < 0:
+			raise ValueError("Could not start semanage transaction")
+
+		rc = semanage_iface_modify_local(self.sh, k, p)
+		if rc < 0:
+			raise ValueError("Failed to modify interface %s" % interface)
 		
+		rc = semanage_commit(self.sh)
+		if rc < 0:
+			raise ValueError("Failed to add interface %s" % interface)
+
 	def delete(self, interface):
 		(rc,k) = semanage_iface_key_create(self.sh, interface)
 		if rc < 0:
-			raise ValueError("Can't create key for %s" % interface)
+			raise ValueError("Could not create key for %s" % interface)
+
 		(rc,exists) = semanage_iface_exists(self.sh, k)
 		if not exists:
-			raise ValueError("interface %s is not defined." % interface)
-		else:
-			(rc,exists) = semanage_iface_exists_local(self.sh, k)
-			if not exists:
-				raise ValueError("interface %s is not defined localy, can not be deleted." % interface)
-
-		semanage_begin_transaction(self.sh)
-		semanage_iface_del_local(self.sh, k)
-		if semanage_commit(self.sh) < 0:
-			raise ValueError("Interface %s not defined" % interface)
+			raise ValueError("Interface %s is not defined" % interface)
+
+		(rc,exists) = semanage_iface_exists_local(self.sh, k)
+		if not exists:
+			raise ValueError("Interface %s is defined in policy, cannot be deleted" % interface)
+
+		rc = semanage_begin_transaction(self.sh)
+		if rc < 0:
+			raise ValueError("Could not start semanage transaction")
+
+		rc = semanage_iface_del_local(self.sh, k)
+		if rc < 0:
+			raise ValueError("Failed to delete interface %s" % interface)
+
+		rc = semanage_commit(self.sh)
+		if rc < 0:
+			raise ValueError("Failed to delete interface %s" % interface)
 		
 	def get_all(self):
 		dict={}
-		(status, self.plist, self.psize) = semanage_iface_list(self.sh)
-		if status < 0:
-			raise ValueError("Unable to list interfaces")
+		(rc, self.plist, self.psize) = semanage_iface_list(self.sh)
+		if rc < 0:
+			raise ValueError("Could not list interfaces")
+
 		for idx in range(self.psize):
 			interface = semanage_iface_by_idx(self.plist, idx)
 			con = semanage_iface_get_ifcon(interface)
@@ -466,7 +661,7 @@
 		keys=dict.keys()
 		keys.sort()
 		for k in keys:
-			print "%-30s %s:%s:%s:%s " % (k,dict[k][0], dict[k][1],dict[k][2], dict[k][3])
+			print "%-30s %s:%s:%s:%s " % (k,dict[k][0], dict[k][1],dict[k][2], translate(dict[k][3], False))
 			
 class fcontextRecords(semanageRecords):
 	def __init__(self):
@@ -495,89 +690,127 @@
 			
 		if serange == "":
 			serange="s0"
+		else:
+			serange=untranslate(serange)
 			
 		if type == "":
 			raise ValueError("SELinux Type is required")
 
 		(rc,k) = semanage_fcontext_key_create(self.sh, target, self.file_types[ftype])
 		if rc < 0:
-			raise ValueError("Can't create key for %s" % target)
+			raise ValueError("Could not create key for %s" % target)
+
 		(rc,exists) = semanage_fcontext_exists(self.sh, k)
-		print (rc, exists, target)
 		if exists:
-			raise ValueError("fcontext %s already defined" % target)
+			raise ValueError("File context for %s already defined" % target)
+
 		(rc,fcontext) = semanage_fcontext_create(self.sh)
 		if rc < 0:
-			raise ValueError("Could not create fcontext for %s" % target)
+			raise ValueError("Could not create file context for %s" % target)
 		
 		rc = semanage_fcontext_set_expr(self.sh, fcontext, target)
 		(rc, con) = semanage_context_create(self.sh)
 		if rc < 0:
 			raise ValueError("Could not create context for %s" % target)
 
-		semanage_context_set_user(self.sh, con, seuser)
-		semanage_context_set_role(self.sh, con, "object_r")
-		semanage_context_set_type(self.sh, con, type)
-		semanage_context_set_mls(self.sh, con, serange)
+		rc = semanage_context_set_user(self.sh, con, seuser)
+		if rc < 0:
+			raise ValueError("Could not set user in file context for %s" % target)
+		
+		rc = semanage_context_set_role(self.sh, con, "object_r")
+		if rc < 0:
+			raise ValueError("Could not set role in file context for %s" % target)
+
+		rc = semanage_context_set_type(self.sh, con, type)
+		if rc < 0:
+			raise ValueError("Could not set type in file context for %s" % target)
+
+		rc = semanage_context_set_mls(self.sh, con, serange)
+		if rc < 0:
+			raise ValueError("Could not set mls fields in file context for %s" % target)
+
 		semanage_fcontext_set_type(fcontext, self.file_types[ftype])
-		semanage_begin_transaction(self.sh)
 		semanage_fcontext_set_con(fcontext, con)
-		semanage_fcontext_add_local(self.sh, k, fcontext)
-		if semanage_commit(self.sh) < 0:
-			raise ValueError("Failed to add fcontext")
+
+		rc = semanage_begin_transaction(self.sh)
+		if rc < 0:
+			raise ValueError("Could not start semanage transaction")
+
+		rc = semanage_fcontext_modify_local(self.sh, k, fcontext)
+		if rc < 0:
+			raise ValueError("Failed to add file context for %s" % target)
+
+		rc = semanage_commit(self.sh)
+		if rc < 0:
+			raise ValueError("Failed to add file context for %s" % target)
 
 	def modify(self, target, setype, ftype, serange, seuser):
 		if serange == "" and setype == "" and seuser == "":
-			raise ValueError("Requires, setype, serange or seuser")
+			raise ValueError("Requires setype, serange or seuser")
 
 		(rc,k) = semanage_fcontext_key_create(self.sh, target, self.file_types[ftype])
 		if rc < 0:
-			raise ValueError("Can't creater key for %s" % target)
+			raise ValueError("Could not create a key for %s" % target)
+
 		(rc,exists) = semanage_fcontext_exists(self.sh, k)
-		if exists:
-			(rc,p) = semanage_fcontext_query(self.sh, k)
-		else:
-			raise ValueError("fcontext %s is not defined." % target)
+		if not exists:
+			raise ValueError("File context for %s is not defined" % target)
+		
+		(rc,p) = semanage_fcontext_query(self.sh, k)
 		if rc < 0:
-			raise ValueError("Could not query fcontext for %s" % target)
+			raise ValueError("Could not query file context for %s" % target)
+
 		con = semanage_fcontext_get_con(p)
-		if rc < 0:
-			raise ValueError("Could not get fcontext context for %s" % target)
 			
 		if serange != "":
-			semanage_context_set_mls(self.sh, con, serange)	
+			semanage_context_set_mls(self.sh, con, untranslate(serange))
 		if seuser != "":
 			semanage_context_set_user(self.sh, con, seuser)	
 		if setype != "":
 			semanage_context_set_type(self.sh, con, setype)
 
-		semanage_begin_transaction(self.sh)
-		semanage_fcontext_modify_local(self.sh, k, p)
-		if semanage_commit(self.sh) < 0:
-			raise ValueError("Failed to add fcontext")
+		rc = semanage_begin_transaction(self.sh)
+		if rc < 0:
+			raise ValueError("Could not start semanage transaction")
+
+		rc = semanage_fcontext_modify_local(self.sh, k, p)
+		if rc < 0:
+			raise ValueError("Failed to modify file context for %s" % target)
+
+		rc = semanage_commit(self.sh)
+		if rc < 0:
+			raise ValueError("Failed to add file context for %s" % target)
 		
-	def delete(self, target):
+	def delete(self, target, ftype):
 		(rc,k) = semanage_fcontext_key_create(self.sh, target, self.file_types[ftype])
 		if rc < 0:
-			raise ValueError("Can't create key for %s" % target)
+			raise ValueError("Could not create a key for %s" % target)
+
 		(rc,exists) = semanage_fcontext_exists(self.sh, k)
 		if not exists:
-			raise ValueError("fcontext %s is not defined." % target)
-		else:
-			(rc,exists) = semanage_fcontext_exists_local(self.sh, k)
-			if not exists:
-				raise ValueError("fcontext %s is not defined localy, can not be deleted." % target)
-
-		semanage_begin_transaction(self.sh)
-		semanage_fcontext_del_local(self.sh, k)
-		if semanage_commit(self.sh) < 0:
-			raise ValueError("fcontext %s not defined" % target)
+			raise ValueError("File context for %s is not defined" % target)
+		
+		(rc,exists) = semanage_fcontext_exists_local(self.sh, k)
+		if not exists:
+			raise ValueError("File context for %s is defined in policy, cannot be deleted" % target)
+
+		rc = semanage_begin_transaction(self.sh)
+		if rc < 0:
+			raise ValueError("Could not start semanage transaction")
+
+		rc = semanage_fcontext_del_local(self.sh, k)
+		if rc < 0:
+			raise ValueError("Failed to delete file context for %s" % target)
+
+		rc = semanage_commit(self.sh)
+		if rc < 0:
+			raise ValueError("Failed to delete file context for %s" % target)
 		
 	def get_all(self):
 		dict={}
-		(status, self.plist, self.psize) = semanage_fcontext_list(self.sh)
-		if status < 0:
-			raise ValueError("Unable to list fcontexts")
+		(rc, self.plist, self.psize) = semanage_fcontext_list(self.sh)
+		if rc < 0:
+			raise ValueError("Could not list file contexts")
 
 		for idx in range(self.psize):
 			fcontext = semanage_fcontext_by_idx(self.plist, idx)
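Review bot: `modify` sets the MLS range, user and type on the queried context without testing the return values, while `add` in the same hunk now raises on each of those `semanage_context_set_*` calls; either check them the same way or record why a failure there is acceptable before `semanage_fcontext_modify_local` writes the record. `self.file_types[ftype]` in `add`, `modify` and the new `delete(self, target, ftype)` (presumably a dict built in `__init__`, which is outside this hunk) raises a bare `KeyError` for an unrecognised `ftype` rather than the `ValueError` every other failure in this class uses; `if ftype not in self.file_types: raise ValueError("Unknown file type %s" % ftype)` at the top of each would keep callers on one exception type. The commit-failure message at the end of `modify` reads "Failed to add file context" for a modify.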
@@ -598,7 +831,7 @@
 		keys=dict.keys()
 		for k in keys:
 			if dict[k]:
-				print "%-50s %-18s %s:%s:%s:%s " % (k[0], k[1], dict[k][0], dict[k][1],dict[k][2], dict[k][3])
+				print "%-50s %-18s %s:%s:%s:%s " % (k[0], k[1], dict[k][0], dict[k][1],dict[k][2], translate(dict[k][3],False))
 			else:
 				print "%-50s %-18s <<None>>" % (k[0], k[1])
 				
@@ -606,117 +839,82 @@
 	def __init__(self):
 		semanageRecords.__init__(self)
 		
-	def add(self, target, type, ftype="", serange="s0", seuser="system_u"):
-		if seuser == "":
-			seuser="system_u"
-			
-		if serange == "":
-			serange="s0"
-			
-		if type == "":
-			raise ValueError("SELinux Type is required")
+	def modify(self, name, value = ""):
+		if value == "":
+			raise ValueError("Requires value")
 
-		(rc,k) = semanage_fcontext_key_create(self.sh, target, self.file_types[ftype])
-		if rc < 0:
-			raise ValueError("Can't create key for %s" % target)
-		(rc,exists) = semanage_fcontext_exists(self.sh, k)
-		print (rc, exists, target)
-		if exists:
-			raise ValueError("fcontext %s already defined" % target)
-		(rc,fcontext) = semanage_fcontext_create(self.sh)
-		if rc < 0:
-			raise ValueError("Could not create fcontext for %s" % target)
-		
-		rc = semanage_fcontext_set_expr(self.sh, fcontext, target)
-		(rc, con) = semanage_context_create(self.sh)
+		(rc,k) = semanage_bool_key_create(self.sh, name)
 		if rc < 0:
-			raise ValueError("Could not create context for %s" % target)
-
-		semanage_context_set_user(self.sh, con, seuser)
-		semanage_context_set_role(self.sh, con, "object_r")
-		semanage_context_set_type(self.sh, con, type)
-		semanage_context_set_mls(self.sh, con, serange)
-		semanage_fcontext_set_type(fcontext, self.file_types[ftype])
-		semanage_begin_transaction(self.sh)
-		semanage_fcontext_set_con(fcontext, con)
-		semanage_fcontext_add_local(self.sh, k, fcontext)
-		if semanage_commit(self.sh) < 0:
-			raise ValueError("Failed to add fcontext")
+			raise ValueError("Could not create a key for %s" % name)
 
-	def modify(self, target, setype, ftype, serange, seuser):
-		if serange == "" and setype == "" and seuser == "":
-			raise ValueError("Requires, setype, serange or seuser")
+		(rc,exists) = semanage_bool_exists(self.sh, k)
+		if not exists:
+			raise ValueError("Boolean %s is not defined" % name)	
 
-		(rc,k) = semanage_fcontext_key_create(self.sh, target, self.file_types[ftype])
+		(rc,b) = semanage_bool_query(self.sh, k)
 		if rc < 0:
-			raise ValueError("Can't creater key for %s" % target)
-		(rc,exists) = semanage_fcontext_exists(self.sh, k)
-		if exists:
-			(rc,p) = semanage_fcontext_query(self.sh, k)
-		else:
-			raise ValueError("fcontext %s is not defined." % target)
+			raise ValueError("Could not query file context %s" % name)
+
+		if value != "":
+			nvalue = string.atoi(value)
+			semanage_bool_set_value(b, nvalue)
+
+		rc = semanage_begin_transaction(self.sh)
 		if rc < 0:
-			raise ValueError("Could not query fcontext for %s" % target)
-		con = semanage_fcontext_get_con(p)
+			raise ValueError("Could not start semanage transaction")
+
+		rc = semanage_bool_modify_local(self.sh, k, b)
 		if rc < 0:
-			raise ValueError("Could not get fcontext context for %s" % target)
-			
-		if serange != "":
-			semanage_context_set_mls(self.sh, con, serange)	
-		if seuser != "":
-			semanage_context_set_user(self.sh, con, seuser)	
-		if setype != "":
-			semanage_context_set_type(self.sh, con, setype)
+			raise ValueError("Failed to modify boolean %s" % name)
 
-		semanage_begin_transaction(self.sh)
-		semanage_fcontext_modify_local(self.sh, k, p)
-		if semanage_commit(self.sh) < 0:
-			raise ValueError("Failed to add fcontext")
+		rc = semanage_commit(self.sh)
+		if rc < 0:
+			raise ValueError("Failed to modify boolean %s" % name)
 		
-	def delete(self, target):
-		(rc,k) = semanage_fcontext_key_create(self.sh, target, self.file_types[ftype])
+	def delete(self, name):
+		(rc,k) = semanage_bool_key_create(self.sh, name)
 		if rc < 0:
-			raise ValueError("Can't create key for %s" % target)
-		(rc,exists) = semanage_fcontext_exists(self.sh, k)
+			raise ValueError("Could not create a key for %s" % name)
+
+		(rc,exists) = semanage_bool_exists(self.sh, k)
 		if not exists:
-			raise ValueError("fcontext %s is not defined." % target)
-		else:
-			(rc,exists) = semanage_fcontext_exists_local(self.sh, k)
-			if not exists:
-				raise ValueError("fcontext %s is not defined localy, can not be deleted." % target)
-
-		semanage_begin_transaction(self.sh)
-		semanage_fcontext_del_local(self.sh, k)
-		if semanage_commit(self.sh) < 0:
-			raise ValueError("fcontext %s not defined" % target)
+			raise ValueError("Boolean %s is not defined" % name)
+	
+		(rc,exists) = semanage_bool_exists_local(self.sh, k)
+		if not exists:
+			raise ValueError("Boolean %s is defined in policy, cannot be deleted" % name)
+
+		rc = semanage_begin_transaction(self.sh)
+		if rc < 0:
+			raise ValueError("Could not start semanage transaction")
+
+		rc = semanage_fcontext_del_local(self.sh, k)
+		if rc < 0:
+			raise ValueError("Failed to delete boolean %s" % name)
+	
+		rc = semanage_commit(self.sh)
+		if rc < 0:
+			raise ValueError("Failed to delete boolean %s" % name)
 		
 	def get_all(self):
 		dict={}
-		(status, self.plist, self.psize) = semanage_fcontext_list(self.sh)
-		if status < 0:
-			raise ValueError("Unable to list fcontexts")
+		(rc, self.blist, self.bsize) = semanage_bool_list(self.sh)
+		if rc < 0:
+			raise ValueError("Could not list booleans")
 
-		for idx in range(self.psize):
-			fcontext = semanage_fcontext_by_idx(self.plist, idx)
-			expr=semanage_fcontext_get_expr(fcontext)
-			ftype=semanage_fcontext_get_type_str(fcontext)
-			con = semanage_fcontext_get_con(fcontext)
-			if con:
-				dict[expr, ftype]=(semanage_context_get_user(con), semanage_context_get_role(con), semanage_context_get_type(con), semanage_context_get_mls(con))
-			else:
-				dict[expr, ftype]=con
+		for idx in range(self.bsize):
+			boolean = semanage_bool_by_idx(self.blist, idx)
+			name = semanage_bool_get_name(boolean)
+			value = semanage_bool_get_value(boolean)
+			dict[name] = value
 
 		return dict
 			
 	def list(self, heading=1):
 		if heading:
-			print "%-50s %-18s %s\n" % ("SELinux fcontext", "type", "Context")
+			print "%-50s %-18s\n" % ("SELinux boolean", "value")
 		dict=self.get_all()
 		keys=dict.keys()
 		for k in keys:
 			if dict[k]:
-				print "%-50s %-18s %s:%s:%s:%s " % (k[0], k[1], dict[k][0], dict[k][1],dict[k][2], dict[k][3])
-			else:
-				print "%-50s %-18s <<None>>" % (k[0], k[1])
-				
-			
+				print "%-50s %-18s " % (k[0], dict[k][0])
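Review bot: `delete` in the boolean class calls `semanage_fcontext_del_local(self.sh, k)` with a key created by `semanage_bool_key_create`, so removing a local boolean override is sent to the wrong libsemanage table; it should be `rc = semanage_bool_del_local(self.sh, k)`. In `modify`, the query failure reports "Could not query file context %s" for a boolean, the `if value != "":` guard is dead because the empty case already raised above it, and `string.atoi(value)` accepts any integer and lets a non-numeric value escape as a bare Python ValueError — checking `if value not in ("0", "1"): raise ValueError("Boolean value must be 0 or 1")` before `semanage_bool_set_value` keeps the error path consistent with the rest of the class. `list` indexes `k[0]` and `dict[k][0]` although `get_all` stores a plain name-to-integer mapping, so it prints only the first character of each name and fails on the integer value, and the `if dict[k]:` test hides every boolean whose value is 0; the loop body should be just `print "%-50s %-18s " % (k, dict[k])`. The class header for this record type sits above the hunk.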
Binary files nsapolicycoreutils/semanage/seobject.pyc and policycoreutils-1.29.7/semanage/seobject.pyc differ


* Re: Latest policycoreutils patch
  2006-01-17 20:34 Daniel J Walsh
@ 2006-01-18  1:36 ` Joshua Brindle
  2006-01-18  1:37 ` Joshua Brindle
  2006-01-18 16:13 ` Stephen Smalley
  2 siblings, 0 replies; 34+ messages in thread
From: Joshua Brindle @ 2006-01-18  1:36 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: Stephen Smalley, SE Linux

Daniel J Walsh wrote:
> Includes Ivan and Russells changes
> 
> Now checks to make sure run as root.

while it's probably true that most 'direct' libsemanage sessions need 
root that is not true for policy server so I don't think there should be 
a hard coded root check (aren't we trying to rely on MAC here?)
> 
> Also chcat can now manipulate categories of users as well as files.
> 

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: Latest policycoreutils patch
  2006-01-17 20:34 Daniel J Walsh
  2006-01-18  1:36 ` Joshua Brindle
@ 2006-01-18  1:37 ` Joshua Brindle
  2006-01-18  3:40   ` Daniel J Walsh
  2006-01-18 16:13 ` Stephen Smalley
  2 siblings, 1 reply; 34+ messages in thread
From: Joshua Brindle @ 2006-01-18  1:37 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: Stephen Smalley, SE Linux

Daniel J Walsh wrote:
> Includes Ivan and Russells changes
> 
> Now checks to make sure run as root.

while it's probably true that most 'direct' libsemanage sessions need 
root that is not necessarily true for policy server so I don't think 
there should be a hard coded root check in semanage (aren't we trying to 
rely on MAC here anyway?)
> 
> Also chcat can now manipulate categories of users as well as files.
> 

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: Latest policycoreutils patch
  2006-01-18  1:37 ` Joshua Brindle
@ 2006-01-18  3:40   ` Daniel J Walsh
  2006-01-18  3:41     ` Joshua Brindle
  0 siblings, 1 reply; 34+ messages in thread
From: Daniel J Walsh @ 2006-01-18  3:40 UTC (permalink / raw)
  To: Joshua Brindle; +Cc: Stephen Smalley, SE Linux

Joshua Brindle wrote:
> Daniel J Walsh wrote:
>> Includes Ivan and Russells changes
>>
>> Now checks to make sure run as root.
>
> while it's probably true that most 'direct' libsemanage sessions need 
> root that is not necessarily true for policy server so I don't think 
> there should be a hard coded root check in semanage (aren't we trying 
> to rely on MAC here anyway?)
The checks are for genhomedircon and semanage both of which will be 
prevented from running because of DAC control.
>>
>> Also chcat can now manipulate categories of users as well as files.
>>


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: Latest policycoreutils patch
  2006-01-18  3:40   ` Daniel J Walsh
@ 2006-01-18  3:41     ` Joshua Brindle
  2006-01-18  3:48       ` Daniel J Walsh
  0 siblings, 1 reply; 34+ messages in thread
From: Joshua Brindle @ 2006-01-18  3:41 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: Stephen Smalley, SE Linux

Daniel J Walsh wrote:
> Joshua Brindle wrote:
> 
>> Daniel J Walsh wrote:
>>
>>> Includes Ivan and Russells changes
>>>
>>> Now checks to make sure run as root.
>>
>>
>> while it's probably true that most 'direct' libsemanage sessions need 
>> root that is not necessarily true for policy server so I don't think 
>> there should be a hard coded root check in semanage (aren't we trying 
>> to rely on MAC here anyway?)
> 
> The checks are for genhomedircon and semanage both of which will be 
> prevented from running because of DAC control.
>

why not correctly handle the permission failure instead of hardcoding a 
root check? semanage going through the policy server will not be 
affected by DAC(uid) aside from the permissions on the sock file.

>>>
>>> Also chcat can now manipulate categories of users as well as files.
>>>
> 
> 


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: Latest policycoreutils patch
  2006-01-18  3:41     ` Joshua Brindle
@ 2006-01-18  3:48       ` Daniel J Walsh
  2006-01-18  3:51         ` Joshua Brindle
  0 siblings, 1 reply; 34+ messages in thread
From: Daniel J Walsh @ 2006-01-18  3:48 UTC (permalink / raw)
  To: Joshua Brindle; +Cc: Stephen Smalley, SE Linux

Joshua Brindle wrote:
> Daniel J Walsh wrote:
>> Joshua Brindle wrote:
>>
>>> Daniel J Walsh wrote:
>>>
>>>> Includes Ivan and Russells changes
>>>>
>>>> Now checks to make sure run as root.
>>>
>>>
>>> while it's probably true that most 'direct' libsemanage sessions 
>>> need root that is not necessarily true for policy server so I don't 
>>> think there should be a hard coded root check in semanage (aren't we 
>>> trying to rely on MAC here anyway?)
>>
>> The checks are for genhomedircon and semanage both of which will be 
>> prevented from running because of DAC control.
>>
>
> why not correctly handle the permission failure instead of hardcoding 
> a root check? semanage going through the policy server will not be 
> affected by DAC(uid) aside from the permissions on the sock file.
>
So we have nasty failures until the policy server shows up?
>>>>
>>>> Also chcat can now manipulate categories of users as well as files.
>>>>
>>
>>
>


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: Latest policycoreutils patch
  2006-01-18  3:48       ` Daniel J Walsh
@ 2006-01-18  3:51         ` Joshua Brindle
  2006-01-18  7:02           ` Ivan Gyurdiev
  0 siblings, 1 reply; 34+ messages in thread
From: Joshua Brindle @ 2006-01-18  3:51 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: Stephen Smalley, SE Linux

Daniel J Walsh wrote:
> Joshua Brindle wrote:
> 
>> Daniel J Walsh wrote:
>>
>>> Joshua Brindle wrote:
>>>
>>>> Daniel J Walsh wrote:
>>>>
>>>>> Includes Ivan and Russells changes
>>>>>
>>>>> Now checks to make sure run as root.
>>>>
>>>>
>>>>
>>>> while it's probably true that most 'direct' libsemanage sessions 
>>>> need root that is not necessarily true for policy server so I don't 
>>>> think there should be a hard coded root check in semanage (aren't we 
>>>> trying to rely on MAC here anyway?)
>>>
>>>
>>> The checks are for genhomedircon and semanage both of which will be 
>>> prevented from running because of DAC control.
>>>
>>
>> why not correctly handle the permission failure instead of hardcoding 
>> a root check? semanage going through the policy server will not be 
>> affected by DAC(uid) aside from the permissions on the sock file.
>>
> So we have nasty failures until the policy server shows up?

sounds like the direct_api in libsemanage needs to return an error if it 
doesn't think it'll be able to write to the policy store (at transaction 
start time, or maybe on request) , and semanage can handle it 
gracefully. That way only direct connections are affected and semanage 
won't show users any nasty failures.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: Latest policycoreutils patch
  2006-01-18  3:51         ` Joshua Brindle
@ 2006-01-18  7:02           ` Ivan Gyurdiev
  2006-01-18 15:44             ` Daniel J Walsh
  0 siblings, 1 reply; 34+ messages in thread
From: Ivan Gyurdiev @ 2006-01-18  7:02 UTC (permalink / raw)
  To: Joshua Brindle; +Cc: Daniel J Walsh, Stephen Smalley, SE Linux


>
> sounds like the direct_api in libsemanage needs to return an error if 
> it doesn't think it'll be able to write to the policy store (at 
> transaction start time, or maybe on request) , and semanage can handle 
> it gracefully. That way only direct connections are affected and 
> semanage won't show users any nasty failures.
It does return a failure... you mean a more specific one?
Current failure could be for many reasons, and it also writes to the ERR 
stream complaining about it..


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: Latest policycoreutils patch
  2006-01-18  7:02           ` Ivan Gyurdiev
@ 2006-01-18 15:44             ` Daniel J Walsh
  2006-01-18 18:00               ` Ivan Gyurdiev
  0 siblings, 1 reply; 34+ messages in thread
From: Daniel J Walsh @ 2006-01-18 15:44 UTC (permalink / raw)
  To: Ivan Gyurdiev; +Cc: Joshua Brindle, Stephen Smalley, SE Linux

Ivan Gyurdiev wrote:
>
>>
>> sounds like the direct_api in libsemanage needs to return an error if 
>> it doesn't think it'll be able to write to the policy store (at 
>> transaction start time, or maybe on request) , and semanage can 
>> handle it gracefully. That way only direct connections are affected 
>> and semanage won't show users any nasty failures.
> It does return a failure... you mean a more specific one?
> Current failure could be for many reasons, and it also writes to the 
> ERR stream complaining about it..
>
Nasty errors when trying to run as a normal user are not pretty.

 python chcat -L -l dwalsh
libsemanage.semanage_create_store: Could not access module store at 
/etc/selinux/targeted/modules, or it is not a directory.
libsemanage.assert_init: A direct or server connection is needed to use 
this function - please call the corresponding connect() method
libsemanage.enter_ro: could not enter read-only section
Traceback (most recent call last):
  File "chcat", line 366, in ?
    sys.exit(listusercats(cmds))
  File "chcat", line 303, in listusercats
    seusers = seobject.loginRecords().get_all()
  File "/usr/lib/python2.4/site-packages/seobject.py", line 175, in get_all
    raise ValueError("Could not list login mappings")
ValueError: Could not list login mappings


This needs to be legal.  What is happening to cause this problem?  Or do 
I need to code around this by reading the seusers file?

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: Latest policycoreutils patch
  2006-01-17 20:34 Daniel J Walsh
  2006-01-18  1:36 ` Joshua Brindle
  2006-01-18  1:37 ` Joshua Brindle
@ 2006-01-18 16:13 ` Stephen Smalley
  2 siblings, 0 replies; 34+ messages in thread
From: Stephen Smalley @ 2006-01-18 16:13 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: SE Linux

On Tue, 2006-01-17 at 15:34 -0500, Daniel J Walsh wrote:
> Includes Ivan and Russells changes
> 
> Now checks to make sure run as root.
> 
> Also chcat can now manipulate categories of users as well as files.

Merged as of policycoreutils 1.29.8.

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: Latest policycoreutils patch
  2006-01-18 15:44             ` Daniel J Walsh
@ 2006-01-18 18:00               ` Ivan Gyurdiev
  2006-01-18 18:12                 ` Ivan Gyurdiev
  0 siblings, 1 reply; 34+ messages in thread
From: Ivan Gyurdiev @ 2006-01-18 18:00 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: Joshua Brindle, Stephen Smalley, SE Linux


> python chcat -L -l dwalsh
> libsemanage.semanage_create_store: Could not access module store at 
> /etc/selinux/targeted/modules, or it is not a directory.
> libsemanage.assert_init: A direct or server connection is needed to 
> use this function - please call the corresponding connect() method
> libsemanage.enter_ro: could not enter read-only section
> Traceback (most recent call last):
>  File "chcat", line 366, in ?
>    sys.exit(listusercats(cmds))
>  File "chcat", line 303, in listusercats
>    seusers = seobject.loginRecords().get_all()
>  File "/usr/lib/python2.4/site-packages/seobject.py", line 175, in 
> get_all
>    raise ValueError("Could not list login mappings")
> ValueError: Could not list login mappings
>
>
> This needs to be legal.  What is happening to cause this problem?  Or 
> do I need to code around this by reading the seusers file?
It's a permissions problem - you have to be root to create the store, 
because you're writing to /etc/selinux/targeted/modules (or reading from 
it, it doesn't really matter), and at least on my machine all folders 
and files under that folder are owned by root, and not writable/readable 
by anyone else. Of course, it should fail on connect  and stop there, 
but you're still not checking rc values where necessary.

Btw, it seems that handle_create can also fail in a variety of ways, 
while that is undocumented in the headers - should change the headers. 
It returns NULL on failure.




--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: Latest policycoreutils patch
  2006-01-18 18:00               ` Ivan Gyurdiev
@ 2006-01-18 18:12                 ` Ivan Gyurdiev
  2006-01-18 18:30                   ` Stephen Smalley
  0 siblings, 1 reply; 34+ messages in thread
From: Ivan Gyurdiev @ 2006-01-18 18:12 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: Joshua Brindle, Stephen Smalley, SE Linux


>> python chcat -L -l dwalsh
>> libsemanage.semanage_create_store: Could not access module store at 
>> /etc/selinux/targeted/modules, or it is not a directory.
>> libsemanage.assert_init: A direct or server connection is needed to 
>> use this function - please call the corresponding connect() method
>> libsemanage.enter_ro: could not enter read-only section
>> Traceback (most recent call last):
>>  File "chcat", line 366, in ?
>>    sys.exit(listusercats(cmds))
>>  File "chcat", line 303, in listusercats
>>    seusers = seobject.loginRecords().get_all()
>>  File "/usr/lib/python2.4/site-packages/seobject.py", line 175, in 
>> get_all
>>    raise ValueError("Could not list login mappings")
>> ValueError: Could not list login mappings
>>
>>
>> This needs to be legal.  What is happening to cause this problem?  Or 
>> do I need to code around this by reading the seusers file?
> It's a permissions problem - you have to be root to create the store, 
> because you're writing to /etc/selinux/targeted/modules (or reading 
> from it, it doesn't really matter), and at least on my machine all 
> folders and files under that folder are owned by root, and not 
> writable/readable by anyone else. Of course, it should fail on 
> connect  and stop there, but you're still not checking rc values where 
> necessary.
>
> Btw, it seems that handle_create can also fail in a variety of ways, 
> while that is undocumented in the headers - should change the headers. 
> It returns NULL on failure.
Apparently it needs rwx on /etc/selinux/targeted/modules, and it doesn't have 
write as non-root.
I think it will need to write lock files in there to do anything at all.

int mode_mask = R_OK | W_OK | X_OK;

Then it has no permissions under /active as non-root, and therefore 
won't be able to read any information out of there.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: Latest policycoreutils patch
  2006-01-18 18:12                 ` Ivan Gyurdiev
@ 2006-01-18 18:30                   ` Stephen Smalley
  2006-01-18 18:36                     ` Ivan Gyurdiev
  0 siblings, 1 reply; 34+ messages in thread
From: Stephen Smalley @ 2006-01-18 18:30 UTC (permalink / raw)
  To: Ivan Gyurdiev; +Cc: Daniel J Walsh, Joshua Brindle, SE Linux

On Wed, 2006-01-18 at 11:12 -0700, Ivan Gyurdiev wrote:
> >> python chcat -L -l dwalsh
> >> libsemanage.semanage_create_store: Could not access module store at 
> >> /etc/selinux/targeted/modules, or it is not a directory.
> >> libsemanage.assert_init: A direct or server connection is needed to 
> >> use this function - please call the corresponding connect() method
> >> libsemanage.enter_ro: could not enter read-only section
> >> Traceback (most recent call last):
> >>  File "chcat", line 366, in ?
> >>    sys.exit(listusercats(cmds))
> >>  File "chcat", line 303, in listusercats
> >>    seusers = seobject.loginRecords().get_all()
> >>  File "/usr/lib/python2.4/site-packages/seobject.py", line 175, in 
> >> get_all
> >>    raise ValueError("Could not list login mappings")
> >> ValueError: Could not list login mappings
> >>
> >>
> >> This needs to be legal.  What is happening to cause this problem?  Or 
> >> do I need to code around this by reading the seusers file?
> > It's a permissions problem - you have to be root to create the store, 
> > because you're writing to /etc/selinux/targeted/modules (or reading 
> > from it, it doesn't really matter), and at least on my machine all 
> > folders and files under that folder are owned by root, and not 
> > writable/readable by anyone else. Of course, it should fail on 
> > connect  and stop there, but you're still not checking rc values where 
> > necessary.
> >
> > Btw, it seems that handle_create can also fail in a variety of ways, 
> > while that is undocumented in the headers - should change the headers. 
> > It returns NULL on failure.
> Apparently it needs rwx on /etc/targeted/modules, and it doesn't have 
> write as non-root.
> I think it will need to write lock files in there to do anything at all.
> 
> int mode_mask = R_OK | W_OK | X_OK;
> 
> Then it has no permissions under /active as non-root, and therefore 
> won't be able to read any information out of there.

If you want this to be useable by ordinary users (subject only to policy
restrictions), then you likely want it to act on the installed seusers
file instead of the libsemanage-managed one.

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: Latest policycoreutils patch
  2006-01-18 18:30                   ` Stephen Smalley
@ 2006-01-18 18:36                     ` Ivan Gyurdiev
  2006-01-18 18:52                       ` Stephen Smalley
  0 siblings, 1 reply; 34+ messages in thread
From: Ivan Gyurdiev @ 2006-01-18 18:36 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: Daniel J Walsh, Joshua Brindle, SE Linux

Stephen Smalley wrote:
> On Wed, 2006-01-18 at 11:12 -0700, Ivan Gyurdiev wrote:
>   
>>>> python chcat -L -l dwalsh
>>>> libsemanage.semanage_create_store: Could not access module store at 
>>>> /etc/selinux/targeted/modules, or it is not a directory.
>>>> libsemanage.assert_init: A direct or server connection is needed to 
>>>> use this function - please call the corresponding connect() method
>>>> libsemanage.enter_ro: could not enter read-only section
>>>> Traceback (most recent call last):
>>>>  File "chcat", line 366, in ?
>>>>    sys.exit(listusercats(cmds))
>>>>  File "chcat", line 303, in listusercats
>>>>    seusers = seobject.loginRecords().get_all()
>>>>  File "/usr/lib/python2.4/site-packages/seobject.py", line 175, in 
>>>> get_all
>>>>    raise ValueError("Could not list login mappings")
>>>> ValueError: Could not list login mappings
>>>>
>>>>
>>>> This needs to be legal.  What is happening to cause this problem?  Or 
>>>> do I need to code around this by reading the seusers file?
>>>>         
>>> It's a permissions problem - you have to be root to create the store, 
>>> because you're writing to /etc/selinux/targeted/modules (or reading 
>>> from it, it doesn't really matter), and at least on my machine all 
>>> folders and files under that folder are owned by root, and not 
>>> writable/readable by anyone else. Of course, it should fail on 
>>> connect  and stop there, but you're still not checking rc values where 
>>> necessary.
>>>
>>> Btw, it seems that handle_create can also fail in a variety of ways, 
>>> while that is undocumented in the headers - should change the headers. 
>>> It returns NULL on failure.
>>>       
>> Apparently it needs rwx on /etc/targeted/modules, and it doesn't have 
>> write as non-root.
>> I think it will need to write lock files in there to do anything at all.
>>
>> int mode_mask = R_OK | W_OK | X_OK;
>>
>> Then it has no permissions under /active as non-root, and therefore 
>> won't be able to read any information out of there.
>>     
>
> If you want this to be useable by ordinary users (subject only to policy
> restrictions), then you likely want it to act on the installed seusers
> file instead of the libsemanage-managed one.
>   
Shouldn't the policy server improve this situation when it's merged?

(By the way, now that you've merged my patches, there's no more 
dependency on semanage_store.c in database.c, which means there's no 
further known obstacles to implementing a pserver backend to the 
database, if the server is merged, and line protocol is decided upon).


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: Latest policycoreutils patch
  2006-01-18 18:36                     ` Ivan Gyurdiev
@ 2006-01-18 18:52                       ` Stephen Smalley
  2006-01-18 19:04                         ` Ivan Gyurdiev
  2006-01-18 19:07                         ` Daniel J Walsh
  0 siblings, 2 replies; 34+ messages in thread
From: Stephen Smalley @ 2006-01-18 18:52 UTC (permalink / raw)
  To: Ivan Gyurdiev; +Cc: Daniel J Walsh, Joshua Brindle, SE Linux

On Wed, 2006-01-18 at 11:36 -0700, Ivan Gyurdiev wrote:
> Stephen Smalley wrote:
> > If you want this to be useable by ordinary users (subject only to policy
> > restrictions), then you likely want it to act on the installed seusers
> > file instead of the libsemanage-managed one.
> >   
> Shouldn't the policy server improve this situation when it's merged?

Policy server avoids the need for the client program to pass DAC checks
on the module store, but a) some kind of checking will certainly be
applied by the policy server on client requests, and b) use of policy
server will not be mandatory at least in the short term (even after it
is merged).

Also, the current usage pattern for file_contexts and seusers is that
libselinux reads the installed files for runtime operation rather than
getting the information from libsemanage, so I'm not sure why chcat -L
-l wouldn't just read the installed seusers file too (preferably via
libselinux function).  The installed files already have DAC modes that
allow user read access, subject only to policy restrictions.

> (By the way, now that you've merged my patches, there's no more 
> dependency on semanage_store.c in database.c, which means there's no 
> further known obstacles to implementing a pserver backend to the 
> database, if the server is merged, and line protocol is decided upon).

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: Latest policycoreutils patch
  2006-01-18 18:52                       ` Stephen Smalley
@ 2006-01-18 19:04                         ` Ivan Gyurdiev
  2006-01-18 19:32                           ` Stephen Smalley
  2006-01-18 19:07                         ` Daniel J Walsh
  1 sibling, 1 reply; 34+ messages in thread
From: Ivan Gyurdiev @ 2006-01-18 19:04 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: Daniel J Walsh, Joshua Brindle, SE Linux


> Policy server avoids the need for the client program to pass DAC checks
> on the module store, but a) some kind of checking will certainly be
> applied by the policy server on client requests, and b) use of policy
> server will not be mandatory at least in the short term (even after it
> is merged).
>   
Is there a problem with making some of those store files world-readable, 
and making changes to allow lock files to be written by ordinary users 
somehow. I don't understand why the selinux copy of the data is 
readable, but the semanage copy is not, if they contain the same thing.
> Also, the current usage pattern for file_contexts and seusers is that
> libselinux reads the installed files for runtime operation rather than
> getting the information from libsemanage, so I'm not sure why chcat -L
> -l wouldn't just read the installed seusers file too (preferably via
> libselinux function).  The installed files already have DAC modes that
> allow user read access, subject only to policy restrictions.
>   
Libsemanage has an interface for that kind of thing already - why can't 
that be used? I'm starting to get confused about the difference between 
all those libraries again. If libselinux is to be used on runtime, and 
libsemanage on persistent policy, then how do you explain the need for 
active booleans backend in libsemanage?


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: Latest policycoreutils patch
  2006-01-18 18:52                       ` Stephen Smalley
  2006-01-18 19:04                         ` Ivan Gyurdiev
@ 2006-01-18 19:07                         ` Daniel J Walsh
  2006-01-18 19:15                           ` Ivan Gyurdiev
  1 sibling, 1 reply; 34+ messages in thread
From: Daniel J Walsh @ 2006-01-18 19:07 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: Ivan Gyurdiev, Joshua Brindle, SE Linux

[-- Attachment #1: Type: text/plain, Size: 270 bytes --]

chcat -L -l  now uses getseuserbyname.

chcat verifies all users exist

cut and paste errors in error messages in seobject.py

Fixes to seobject.py to return ports in two different formats for use 
with system-config-selinux ...

Better error reporting with setsebool



[-- Attachment #2: policycoreutils-rhat.patch --]
[-- Type: text/x-patch, Size: 5417 bytes --]

diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/chcat policycoreutils-1.29.8/scripts/chcat
--- nsapolicycoreutils/scripts/chcat	2006-01-18 11:12:43.000000000 -0500
+++ policycoreutils-1.29.8/scripts/chcat	2006-01-18 13:52:39.000000000 -0500
@@ -281,6 +281,7 @@
 	print "Usage %s -d File ..." % sys.argv[0]
 	print "Usage %s -l -d user ..." % sys.argv[0]
 	print "Usage %s -L" % sys.argv[0]
+	print "Usage %s -L -l user" % sys.argv[0]
         print "Use -- to end option list.  For example"
         print "chcat -- -CompanyConfidential /docs/businessplan.odt"
         print "chcat -l +CompanyConfidential juser"
@@ -298,12 +299,8 @@
     return 0
     
 def listusercats(users):
-    seusers = seobject.loginRecords().get_all()
     for u in users:
-        if u in seusers.keys():
-            cats=seobject.translate(seusers[u][1])
-        else:
-            cats=seobject.translate(seusers["__default__"][1])
+        cats=seobject.translate(selinux.getseuserbyname(u)[2])
         cats=cats.split("-")
         if len(cats) > 1 and cats[1] != "s0":
             print "%s: %s" % (u, cats[1])
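Review bot: The new `listusercats` body discards the status element of the tuple returned by `selinux.getseuserbyname(u)` and indexes `[2]` unconditionally, so a lookup that fails (user not in the installed seusers file with no usable default, or a library error) no longer gets the explicit `__default__` fallback the removed lines had and likely surfaces as an exception from the index or from `seobject.translate` rather than a clear message. Unpacking and checking the status first keeps the failure local: `rc, seuser, level = selinux.getseuserbyname(u)`, `if rc < 0: error("Could not look up SELinux user for %s" % u)`, then `cats = seobject.translate(level)`. This assumes the binding returns `(rc, seuser, level)`, which the `[2]` index implies; confirm against the libselinux Python wrapper. `listusercats` continues past the end of the hunk.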
@@ -350,10 +347,17 @@
     if delete_ind:
         sys.exit(chcat_replace(["s0"], ["s0"], cmds, login_ind))
 
+    if login_ind:
+        if len(cmds) >= 1:
+            for u in cmds:
+                try:
+                    pwd.getpwnam(u)
+                except KeyError, e:
+                    error( "User %s does not exist" % u)
+        else:
+            cmds.append(os.getlogin())
     if list_ind:
         if login_ind:
-            if len(cmds) < 1:
-                usage()
             sys.exit(listusercats(cmds))
         else:
             if len(cmds) > 0:
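Review bot: `cmds.append(os.getlogin())` in the new `login_ind` block derives the default user from the controlling terminal's login record, which raises OSError when the script has no controlling tty (cron, ssh command mode, pipelines) and, after `su`, typically names the original login rather than the effective user, which is the wrong identity for a tool the thread says must run as root. `pwd.getpwuid(os.getuid()).pw_name` is the deterministic choice and `pwd` is already imported by this script (the `pwd.getpwnam` call a few lines above). Note also that the new validation sits after the `delete_ind` early exit, so `-l -d` with a non-existent user bypasses the `pwd.getpwnam` check unless `chcat_replace` validates on its own, which is outside the hunk. The enclosing top-level option handling starts and ends outside the hunk.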
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semanage/seobject.py policycoreutils-1.29.8/semanage/seobject.py
--- nsapolicycoreutils/semanage/seobject.py	2006-01-18 11:12:43.000000000 -0500
+++ policycoreutils-1.29.8/semanage/seobject.py	2006-01-18 13:26:43.000000000 -0500
@@ -421,11 +421,11 @@
 
 		rc = semanage_port_modify_local(self.sh, k, p)
 		if rc < 0:
-			raise ValueError("Failed to add port %s/%s" % (proto, port))
+			raise ValueError("Failed to modify port %s/%s" % (proto, port))
 	
 		rc = semanage_commit(self.sh)
 		if rc < 0:
-			raise ValueError("Failed to add port %s/%s" % (proto, port))
+			raise ValueError("Failed to modify port %s/%s" % (proto, port))
 
 	def modify(self, port, proto, serange, setype):
 		if serange == "" and setype == "":
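Review bot: After this change the `semanage_port_modify_local` failure and the `semanage_commit` failure in `add()` raise identical text, so an operator cannot tell whether the local store update or the commit, the step that actually persists the policy, is what failed. Naming the stage in the second message, `raise ValueError("Failed to commit port %s/%s" % (proto, port))`, keeps the two distinguishable without changing what callers catch; the same applies to the `modify()` hunk below. `add()` begins outside the hunk.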
@@ -458,7 +458,7 @@
 
 		rc = semanage_commit(self.sh)
 		if rc < 0:
-			raise ValueError("Failed to add port %s/%s" % (proto, port))
+			raise ValueError("Failed to modify port %s/%s" % (proto, port))
 		
 	def delete(self, port, proto):
 		( k, proto_d, low, high ) = self.__genkey(port, proto)
@@ -491,22 +491,44 @@
 		for idx in range(self.psize):
 			u = semanage_port_by_idx(self.plist, idx)
 			con = semanage_port_get_con(u)
-			name = semanage_context_get_type(con)
+			type = semanage_context_get_type(con)
+			if type == "reserved_port_t":
+				continue
+			level = semanage_context_get_mls(con)
 			proto=semanage_port_get_proto_str(u)
 			low=semanage_port_get_low(u)
 			high = semanage_port_get_high(u)
-			if (name, proto) not in dict.keys():
-				dict[(name,proto)]=[]
+			dict[(low, high)]=(type, proto, level)
+		return dict
+
+	def get_all_by_type(self):
+		dict={}
+		(rc, self.plist, self.psize) = semanage_port_list(self.sh)
+		if rc < 0:
+			raise ValueError("Could not list ports")
+
+		for idx in range(self.psize):
+			u = semanage_port_by_idx(self.plist, idx)
+			con = semanage_port_get_con(u)
+			type = semanage_context_get_type(con)
+			if type == "reserved_port_t":
+				continue
+			level = semanage_context_get_mls(con)
+			proto=semanage_port_get_proto_str(u)
+			low=semanage_port_get_low(u)
+			high = semanage_port_get_high(u)
+			if (type, proto) not in dict.keys():
+				dict[(type,proto)]=[]
 			if low == high:
-				dict[(name,proto)].append("%d" % low)
+				dict[(type,proto)].append("%d" % low)
 			else:
-				dict[(name,proto)].append("%d-%d" % (low, high))
+				dict[(type,proto)].append("%d-%d" % (low, high))
 		return dict
 
 	def list(self, heading=1):
 		if heading:
-			print "%-30s %-8s %s\n" % ("SELinux Port Name", "Proto", "Port Number")
-		dict=self.get_all()
+			print "%-30s %-8s %s\n" % ("SELinux Port Type", "Proto", "Port Number")
+		dict=self.get_all_by_type()
 		keys=dict.keys()
 		keys.sort()
 		for i in keys:
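Review bot: The rewritten `get_all` keys its result by `(low, high)` only while `proto` is moved into the value, so a port range defined for both tcp and udp with the same bounds collides and the later entry silently overwrites the earlier one; the tcp/udp distinction is visible two lines up where `proto` is read. If the consumer named in the cover note (system-config-selinux) can take it, include the protocol in the key, `dict[(low, high, proto)] = (type, level)`; otherwise the method at least needs a comment stating that one protocol wins and which. The two methods also duplicate the entire list/skip/field-read loop, which a private generator yielding `(type, proto, low, high, level)` would remove, and `type`/`dict` shadow builtins. `get_all` begins and `list` ends outside the hunk.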
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/setsebool/setsebool.c policycoreutils-1.29.8/setsebool/setsebool.c
--- nsapolicycoreutils/setsebool/setsebool.c	2006-01-04 13:07:46.000000000 -0500
+++ policycoreutils-1.29.8/setsebool/setsebool.c	2006-01-18 13:27:42.000000000 -0500
@@ -130,7 +130,7 @@
 
 	for (j = 0; j < boolcnt; j++) {
 		
-		if (semanage_bool_create(handle, &boolean) < 0)
+		if (semanage_bool_create(handle, &boolean) < 0) 
 			goto err;
 
 		if (semanage_bool_set_name(handle, boolean, boollist[j].name) < 0)
@@ -144,9 +144,10 @@
 		if (permanent && semanage_bool_modify_local(handle, bool_key, boolean) < 0)
 			goto err;
 
-		if (semanage_bool_set_active(handle, bool_key, boolean) < 0)
+		if (semanage_bool_set_active(handle, bool_key, boolean) < 0) {
+			fprintf(stderr, "Could not change boolean %s\n", boollist[j].name);
 			goto err;
-
+		}
 		semanage_bool_key_free(bool_key);
 		semanage_bool_free(boolean);
 		bool_key = NULL;
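Review bot: The new `fprintf` names the boolean only for the `semanage_bool_set_active` failure; the `semanage_bool_modify_local` call a few lines above (taken when `permanent` is set) still does a bare `goto err`, so a multi-boolean invocation that fails on the persistent update gives no indication of which boolean was rejected. Mirroring the message there, `fprintf(stderr, "Could not change boolean %s permanently\n", boollist[j].name);` before that `goto err`, keeps reporting consistent; whether the `err:` label prints anything itself is outside the hunk. The enclosing loop and function start and end outside the hunk.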


* Re: Latest policycoreutils patch
  2006-01-18 19:07                         ` Daniel J Walsh
@ 2006-01-18 19:15                           ` Ivan Gyurdiev
  2006-01-18 19:19                             ` Daniel J Walsh
  0 siblings, 1 reply; 34+ messages in thread
From: Ivan Gyurdiev @ 2006-01-18 19:15 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: Stephen Smalley, Joshua Brindle, SE Linux


>
> cut and paste errors in error messages in seobject.py
Those were not cut and paste errors, they were intentional. The message 
corresponds to the semanage/tool function being used. The libsemanage 
function is always modify_local, so that would make all such error 
messages say "failed to modify" for all objects.



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: Latest policycoreutils patch
  2006-01-18 19:15                           ` Ivan Gyurdiev
@ 2006-01-18 19:19                             ` Daniel J Walsh
  2006-01-18 19:59                               ` Stephen Smalley
  0 siblings, 1 reply; 34+ messages in thread
From: Daniel J Walsh @ 2006-01-18 19:19 UTC (permalink / raw)
  To: Ivan Gyurdiev; +Cc: Stephen Smalley, Joshua Brindle, SE Linux

Ivan Gyurdiev wrote:
>
>>
>> cut and paste errors in error messages in seobject.py
> Those were not cut and paste errors, they were intentional. The 
> message corresponds to the semanage/tool function being used. The 
> libsemanage function is always modify_local, so that would make all 
> such error messages say "failed to modify" for all objects.
>
>
When a user tries to add and he gets a failed to modify error, he will 
suspect a problem.  The writers of the code can figure out that they 
both call the same function.

Dan

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: Latest policycoreutils patch
  2006-01-18 19:04                         ` Ivan Gyurdiev
@ 2006-01-18 19:32                           ` Stephen Smalley
  0 siblings, 0 replies; 34+ messages in thread
From: Stephen Smalley @ 2006-01-18 19:32 UTC (permalink / raw)
  To: Ivan Gyurdiev
  Cc: Christopher J. PeBenito, Daniel J Walsh, Joshua Brindle, SE Linux

On Wed, 2006-01-18 at 12:04 -0700, Ivan Gyurdiev wrote:
> Is there a problem with making some of those store files world-readable, 
> and making changes to allow lock files to be written by ordinary users 
> somehow. I don't understand why the selinux copy if the data is 
> readable, but the semanage copy is not, if they contain the same thing.

I view libsemanage as the management interface only, and thus naturally
restricted to privileged entities.  Certain files are then exported
outside of the module store for use by a variety of programs that only
want read access and nothing more.  We _could_ make some of the store
files readable, but I doubt we want to allow lock file creation.

In general, the protection of the module store needs more thought, at
least in terms of the security contexts on its files, as it contains
multiple files that ultimately end up with different SELinux security
contexts when they are installed (e.g. policy ends up as
policy_config_t, file_contexts as file_context_t, seusers as
selinux_config_t) and may have different protection requirements.
Easiest approach is to just label the entire module store with a type
that is at least as restrictive as the most restrictive type on any
installed file.  policy_config_t has typically been the most restrictive
type (under strict policy), as the fewest number of programs need to
read it and it contains the policy state.  file contexts is more widely
accessed, although it can still be viewed as potentially sensitive.  I'm
not sure that leaving seusers in selinux_config_t (the default due to
directory inheritance at creation) is a good idea, as that could also be
sensitive (identifying what users are authorized for admin roles).

> Libsemanage has an interface for that kind of thing already - why can't 
> that be used? I'm starting to get confused about the difference between 
> all those libraries again. If libselinux is to be used on runtime, and 
> libsemanage on persistent policy, then how do you explain the need for 
> active booleans backend in libsemanage?

For management purposes, it makes sense.  And in general, viewing and
modifying booleans both seem like management functions rather than
ordinary user functions.

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: Latest policycoreutils patch
  2006-01-18 19:19                             ` Daniel J Walsh
@ 2006-01-18 19:59                               ` Stephen Smalley
  2006-01-18 20:01                                 ` Ivan Gyurdiev
  0 siblings, 1 reply; 34+ messages in thread
From: Stephen Smalley @ 2006-01-18 19:59 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: Ivan Gyurdiev, Joshua Brindle, SE Linux

On Wed, 2006-01-18 at 14:19 -0500, Daniel J Walsh wrote:
> Ivan Gyurdiev wrote:
> >
> >>
> >> cut and paste errors in error messages in seobject.py
> > Those were not cut and paste errors, they were intentional. The 
> > message corresponds to the semanage/tool function being used. The 
> > libsemanage function is always modify_local, so that would make all 
> > such error messages say "failed to modify" for all objects.
> >
> >
> When a user tries to add and he gets a failed to modify error, he will 
> suspect a problem.  The writers of the code can figure out that they 
> both call the same function.

Not sure I follow; the patch changes some occurrences of "Failed to add
port" to "Failed to modify port" in the add() method.

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: Latest policycoreutils patch
  2006-01-18 19:59                               ` Stephen Smalley
@ 2006-01-18 20:01                                 ` Ivan Gyurdiev
  2006-01-19 14:27                                   ` Daniel J Walsh
  0 siblings, 1 reply; 34+ messages in thread
From: Ivan Gyurdiev @ 2006-01-18 20:01 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: Daniel J Walsh, Joshua Brindle, SE Linux


> Not sure I follow; the patch changes some occurrences of "Failed to add
> port" to "Failed to modify port" in the add() method.
>   
...which is wrong, imho, it should still say "Failed to add port".
The second part of it is right, I think (I assume it's changing 
modify(), hard to tell without the -p flag).
There's a bug in modify that says "failed to add" currently.

I agree with what Dan is saying, I just think the first place he's 
changing is wrong.

There's another wrong message btw, see interfaces.modify().


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: Latest policycoreutils patch
  2006-01-18 20:01                                 ` Ivan Gyurdiev
@ 2006-01-19 14:27                                   ` Daniel J Walsh
  0 siblings, 0 replies; 34+ messages in thread
From: Daniel J Walsh @ 2006-01-19 14:27 UTC (permalink / raw)
  To: Ivan Gyurdiev; +Cc: Stephen Smalley, Joshua Brindle, SE Linux

Ivan Gyurdiev wrote:
>
>> Not sure I follow; the patch changes some occurrences of "Failed to add
>> port" to "Failed to modify port" in the add() method.
>>   
> ...which is wrong, imho, it should still say "Failed to add port".
> The second part of it is right, I think (I assume it's changing 
> modify(), hard to tell without the -p flag).
> There's a bug in modify that says "failed to add" currently.
>
> I agree with what Dan is saying, I just think the first place he's 
> changing is wrong.
>
Yes the first part of the patch is wrong.  The message under the add 
section should stay add.  I was changing the "add" to "modify" under the 
modify section and got carried away...
> There's another wrong message btw, see interfaces.modify().
>


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Latest policycoreutils patch
@ 2006-09-07 13:31 Daniel J Walsh
  2006-09-08 14:00 ` Karl MacMillan
                   ` (2 more replies)
  0 siblings, 3 replies; 34+ messages in thread
From: Daniel J Walsh @ 2006-09-07 13:31 UTC (permalink / raw)
  To: Stephen Smalley, SE Linux

[-- Attachment #1: Type: text/plain, Size: 606 bytes --]

For some reason this did not go out last week.

More translations.

Change all python to use /usr/bin/python -E, to make it a little bit 
harder to muck with (-E makes the interpreter ignore PYTHON* environment 
variables such as PYTHONPATH and PYTHONHOME, so a caller's environment 
cannot redirect where these root-only scripts load their modules from).

Have newrole ignore sigpipe so it gives correct error message when 
flooded with 4000 character security context.

Add -i qualifier to restorecon to tell it to ignore files that do not 
exist.  This fixes a problem in
fixfiles -R rpmlint restore


Which could hand restorecon files that do not exist and restorecon 
prints ugly warnings.

restorecond init script description needs line continuation marks to 
make system-config-services happy.


[-- Attachment #2: policycoreutils-rhat.patch.bz2 --]
[-- Type: application/x-bzip, Size: 17772 bytes --]


* Re: Latest policycoreutils patch
  2006-09-07 13:31 Latest policycoreutils patch Daniel J Walsh
@ 2006-09-08 14:00 ` Karl MacMillan
  2006-09-08 14:33 ` Joshua Brindle
  2006-09-08 14:35 ` Stephen Smalley
  2 siblings, 0 replies; 34+ messages in thread
From: Karl MacMillan @ 2006-09-08 14:00 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: Stephen Smalley, SE Linux

On Thu, 2006-09-07 at 09:31 -0400, Daniel J Walsh wrote:
> For some reason this did not go out last week.
> 
> More translations.
> 

Can you send these as separate patches in the future - it would make the
review easier.

> Change all python to use /usr/bin/python -E, to make it a little bit 
> harder to muck with.
> 
> Have newrole ignore sigpipe so it gives correct error message when 
> flooded with 4000 character security context.
> 
> Add -i qualifier to restorecon to tell it to ignore files that do not 
> exist.  This fixes a problem in
> fixfiles -R rpmlint restore
> 
> 
> Which could hand restorecon files that do not exists and restorecon 
> prints ugly warnings.
> 
> restorecond init script description needs line continuation marks to 
> make system-config-services happy.
> 

Acked-by Karl MacMillan <kmacmillan@mentalrootkit.com>


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: Latest policycoreutils patch
  2006-09-07 13:31 Latest policycoreutils patch Daniel J Walsh
  2006-09-08 14:00 ` Karl MacMillan
@ 2006-09-08 14:33 ` Joshua Brindle
  2006-09-08 14:55   ` Karl MacMillan
  2006-09-08 14:35 ` Stephen Smalley
  2 siblings, 1 reply; 34+ messages in thread
From: Joshua Brindle @ 2006-09-08 14:33 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: Stephen Smalley, SE Linux

Daniel J Walsh wrote:
> For some reason this did not go out last week.
>
> More translations.
>
> Change all python to use /usr/bin/python -E, to make it a little bit 
> harder to muck with.
>
> Have newrole ignore sigpipe so it gives correct error message when 
> flooded with 4000 character security context.
>
> Add -i qualifier to restorecon to tell it to ignore files that do not 
> exist.  This fixes a problem in
> fixfiles -R rpmlint restore
>
I'm not sure about this. Most other commands don't have a feature like 
this (if they do, it's generally -f anyway, like rm -f) and it seems like 
fixfiles should be interpreting the error correctly instead of ripping 
the error passing out of restorecon.
> Which could hand restorecon files that do not exists and restorecon 
> prints ugly warnings.
>
why not a -q then? I think it should still return a proper error code 
but it doesn't have to spam the console

> restorecond init script description needs line continuation marks to 
> make system-config-services happy.
>


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: Latest policycoreutils patch
  2006-09-07 13:31 Latest policycoreutils patch Daniel J Walsh
  2006-09-08 14:00 ` Karl MacMillan
  2006-09-08 14:33 ` Joshua Brindle
@ 2006-09-08 14:35 ` Stephen Smalley
  2006-09-08 16:37   ` Daniel J Walsh
  2 siblings, 1 reply; 34+ messages in thread
From: Stephen Smalley @ 2006-09-08 14:35 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: Darrel Goeddel, Joshua Brindle, Karl MacMillan, SE Linux

On Thu, 2006-09-07 at 09:31 -0400, Daniel J Walsh wrote:
> Have newrole ignore sigpipe so it gives correct error message when 
> flooded with 4000 character security context.

I'm a little unclear on this one, although I did find a bug report about
it (which would be helpful to identify in the patch posting in the
future when it applies for easy reference), at
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=203801

If I read that one correctly, the SIGPIPE is actually happening when
libselinux tries to write the context to the setrans socket, because the
daemon is dropping the connection immediately upon getting the header
with such a large length (more generally, any failure in the daemon
before reading the entire request could lead to this).  So that could
affect any user of libselinux, not just newrole, right?

Looking around a bit, I see that if we changed the use of writev() in
libselinux to instead use sendmsg() with an explicit MSG_NOSIGNAL flag,
we could avoid having such failures generate SIGPIPE altogether.  Then
we would just get an error return and have the usual fallback handling.

> Add -i qualifier to restorecon to tell it to ignore files that do not 
> exist.  This fixes a problem in
> fixfiles -R rpmlint restore
> 
> 
> Which could hand restorecon files that do not exists and restorecon 
> prints ugly warnings.
> 
> restorecond init script description needs line continuation marks to 
> make system-config-services happy.
> 
-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: Latest policycoreutils patch
  2006-09-08 14:33 ` Joshua Brindle
@ 2006-09-08 14:55   ` Karl MacMillan
  0 siblings, 0 replies; 34+ messages in thread
From: Karl MacMillan @ 2006-09-08 14:55 UTC (permalink / raw)
  To: Joshua Brindle; +Cc: Daniel J Walsh, Stephen Smalley, SE Linux

On Fri, 2006-09-08 at 10:33 -0400, Joshua Brindle wrote:
> Daniel J Walsh wrote:
> > For some reason this did not go out last week.
> >
> > More translations.
> >
> > Change all python to use /usr/bin/python -E, to make it a little bit 
> > harder to muck with.
> >
> > Have newrole ignore sigpipe so it gives correct error message when 
> > flooded with 4000 character security context.
> >
> > Add -i qualifier to restorecon to tell it to ignore files that do not 
> > exist.  This fixes a problem in
> > fixfiles -R rpmlint restore
> >
> I'm not sure about this. Most other commands don't have a feature like 
> this (if they do its generally -f anyway, like rm -f ) and it seems like 
> fixfiles should be interpreting the error correctly instead of ripping 
> the error passing out of restorecon.

I don't think the feature is objectionable. It is directly analogous to
'rm -f' though (both continue without the flag but change the error
reporting), so changing the flag to -f is fine with me.

> > Which could hand restorecon files that do not exists and restorecon 
> > prints ugly warnings.
> >
> why not a -q then? I think it should still return a proper error code 
> but it doesn't have to spam the 

I think that the meaning of the flag is to change whether or not a
nonexistent file is an error - which is a valid semantic that makes
scripting easier. So not returning an error code or printing a warning
makes sense (which also matches the 'rm -f' behavior).

Karl




--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: Latest policycoreutils patch
  2006-09-08 14:35 ` Stephen Smalley
@ 2006-09-08 16:37   ` Daniel J Walsh
  2006-09-08 20:25     ` Stephen Smalley
  0 siblings, 1 reply; 34+ messages in thread
From: Daniel J Walsh @ 2006-09-08 16:37 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: Darrel Goeddel, Joshua Brindle, Karl MacMillan, SE Linux

Stephen Smalley wrote:
> On Thu, 2006-09-07 at 09:31 -0400, Daniel J Walsh wrote:
>   
>> Have newrole ignore sigpipe so it gives correct error message when 
>> flooded with 4000 character security context.
>>     
>
> I'm a little unclear on this one, although I did find a bug report about
> it (which would be helpful to identify in the patch posting in the
> future when it applies for easy reference), at
> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=203801
>
> If I read that one correctly, the SIGPIPE is actually happening when
> libselinux tries to write the context to the setrans socket, because the
> daemon is dropping the connection immediately upon getting the header
> with such a large length (more generally, any failure in the daemon
> before reading the entire request could lead to this).  So that could
> affect any user of libselinux, not just newrole, right?
>
> Looking around a bit, I see that if we changed the use of writev() in
> libselinux to instead use sendmsg() with an explicit MSG_NOSIGNAL flag,
> we could avoid having such failures generate SIGPIPE altogether.  Then
> we would just get an error return and have the usual fallback handling.
>   
That sounds like a better solution.
>   
>> Add -i qualifier to restorecon to tell it to ignore files that do not 
>> exist.  This fixes a problem in
>> fixfiles -R rpmlint restore
>>
>>
>> Which could hand restorecon files that do not exists and restorecon 
>> prints ugly warnings.
>>
>> restorecond init script description needs line continuation marks to 
>> make system-config-services happy.
>>
>>     


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: Latest policycoreutils patch
  2006-09-08 16:37   ` Daniel J Walsh
@ 2006-09-08 20:25     ` Stephen Smalley
  2006-09-11 12:25       ` Joshua Brindle
  2006-09-13 15:14       ` Joshua Brindle
  0 siblings, 2 replies; 34+ messages in thread
From: Stephen Smalley @ 2006-09-08 20:25 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: Darrel Goeddel, Joshua Brindle, Karl MacMillan, SE Linux

On Fri, 2006-09-08 at 12:37 -0400, Daniel J Walsh wrote:
> Stephen Smalley wrote:
> > On Thu, 2006-09-07 at 09:31 -0400, Daniel J Walsh wrote:
> >   
> >> Have newrole ignore sigpipe so it gives correct error message when 
> >> flooded with 4000 character security context.
> >>     
> >
> > I'm a little unclear on this one, although I did find a bug report about
> > it (which would be helpful to identify in the patch posting in the
> > future when it applies for easy reference), at
> > https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=203801
> >
> > If I read that one correctly, the SIGPIPE is actually happening when
> > libselinux tries to write the context to the setrans socket, because the
> > daemon is dropping the connection immediately upon getting the header
> > with such a large length (more generally, any failure in the daemon
> > before reading the entire request could lead to this).  So that could
> > affect any user of libselinux, not just newrole, right?
> >
> > Looking around a bit, I see that if we changed the use of writev() in
> > libselinux to instead use sendmsg() with an explicit MSG_NOSIGNAL flag,
> > we could avoid having such failures generate SIGPIPE altogether.  Then
> > we would just get an error return and have the usual fallback handling.
> >   
> That sounds like a better solution.

Possible patch below.  Changes:
1) Collect up the entire request into a single msg and send it once.
2) Use sendmsg with MSG_NOSIGNAL rather than writev.

Can anyone explain what data2 is for?  It is always NULL at present
AFAICS.

Index: libselinux/src/setrans_client.c
===================================================================
RCS file: /nfshome/pal/CVS/selinux-usr/libselinux/src/setrans_client.c,v
retrieving revision 1.8
diff -u -p -r1.8 setrans_client.c
--- libselinux/src/setrans_client.c	29 Jun 2006 18:21:05 -0000	1.8
+++ libselinux/src/setrans_client.c	8 Sep 2006 20:18:07 -0000
@@ -58,11 +58,12 @@ static int setransd_open(void)
 static int
 send_request(int fd, uint32_t function, const char *data1, const char *data2)
 {
-	struct iovec req_hdr[3];
+	struct msghdr msgh;
+	struct iovec iov[5];
 	uint32_t data1_size;
 	uint32_t data2_size;
-	struct iovec req_data[2];
-	ssize_t count;
+	ssize_t count, expected;
+	unsigned int i;
 
 	if (fd < 0)
 		return -1;
@@ -75,28 +76,27 @@ send_request(int fd, uint32_t function, 
 	data1_size = strlen(data1) + 1;
 	data2_size = strlen(data2) + 1;
 
-	req_hdr[0].iov_base = &function;
-	req_hdr[0].iov_len = sizeof(function);
-	req_hdr[1].iov_base = &data1_size;
-	req_hdr[1].iov_len = sizeof(data1_size);
-	req_hdr[2].iov_base = &data2_size;
-	req_hdr[2].iov_len = sizeof(data2_size);
-
-	while (((count = writev(fd, req_hdr, 3)) < 0) && (errno == EINTR)) ;
-	if (count != (sizeof(function) + sizeof(data1_size) +
-		      sizeof(data2_size))) {
-		return -1;
-	}
+	iov[0].iov_base = &function;
+	iov[0].iov_len = sizeof(function);
+	iov[1].iov_base = &data1_size;
+	iov[1].iov_len = sizeof(data1_size);
+	iov[2].iov_base = &data2_size;
+	iov[2].iov_len = sizeof(data2_size);
+	iov[3].iov_base = (char *)data1;
+	iov[3].iov_len = data1_size;
+	iov[4].iov_base = (char *)data2;
+	iov[4].iov_len = data2_size;
+	memset(&msgh, 0, sizeof(msgh));
+	msgh.msg_iov = iov;
+	msgh.msg_iovlen = sizeof(iov)/sizeof(iov[0]);
+
+	expected = 0;
+	for (i = 0; i < sizeof(iov)/sizeof(iov[0]); i++)
+		expected += iov[i].iov_len;
 
-	req_data[0].iov_base = (char *)data1;
-	req_data[0].iov_len = data1_size;
-	req_data[1].iov_base = (char *)data2;
-	req_data[1].iov_len = data2_size;
-
-	while (((count = writev(fd, req_data, 2)) < 0) && (errno == EINTR)) ;
-	if (count < 0 || (uint32_t) count != (data1_size + data2_size)) {
+	while (((count = sendmsg(fd, &msgh, MSG_NOSIGNAL)) < 0) && (errno == EINTR)) ;
+	if (count < 0 || count != expected)
 		return -1;
-	}
 
 	return 0;
 }
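Review bot: The final check `if (count < 0 || count != expected)` still treats a partial transfer like a hard failure: on a blocking stream socket sendmsg() can return a short count when a signal arrives after some bytes have been copied, and the function then returns -1 with part of the request already on the wire. That behaviour is carried over from the writev() version rather than introduced here, but since the point of this change is to turn daemon-side failures into clean error returns, it is worth either retrying from the unsent offset until `expected` is reached or documenting that the caller must close the socket after a -1 (the caller is outside the hunk, so I cannot tell which it does). `send_request` is opened in the first hunk, and the lines between the two hunks — presumably where a NULL data1/data2 is substituted before the strlen() calls at the top of this hunk, given the cover note says data2 is always NULL — are not shown. A loop that advances the iovec over what was already sent is sketched below.
```c
	/* … unchanged: iov[] / msgh setup and the expected total … */
	while (expected > 0) {
		while (((count = sendmsg(fd, &msgh, MSG_NOSIGNAL)) < 0) && (errno == EINTR)) ;
		if (count <= 0)
			return -1;	/* hard error or no progress: caller must drop the fd */
		expected -= count;
		/* drop the iovec entries that went out in full, trim the first partial one */
		while (count > 0 && (size_t)count >= msgh.msg_iov[0].iov_len) {
			count -= msgh.msg_iov[0].iov_len;
			msgh.msg_iov++;
			msgh.msg_iovlen--;
		}
		if (count > 0) {
			msgh.msg_iov[0].iov_base = (char *)msgh.msg_iov[0].iov_base + count;
			msgh.msg_iov[0].iov_len -= count;
		}
	}

	return 0;
```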


-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* RE: Latest policycoreutils patch
  2006-09-08 20:25     ` Stephen Smalley
@ 2006-09-11 12:25       ` Joshua Brindle
  2006-09-12 12:45         ` Karl MacMillan
  2006-09-13 15:14       ` Joshua Brindle
  1 sibling, 1 reply; 34+ messages in thread
From: Joshua Brindle @ 2006-09-11 12:25 UTC (permalink / raw)
  To: Stephen Smalley, Daniel J Walsh; +Cc: Darrel Goeddel, Karl MacMillan, SE Linux

> From: Stephen Smalley [mailto:sds@tycho.nsa.gov] 
> 
> On Fri, 2006-09-08 at 12:37 -0400, Daniel J Walsh wrote:
> > Stephen Smalley wrote:
> > > On Thu, 2006-09-07 at 09:31 -0400, Daniel J Walsh wrote:
> > >   
> > >> Have newrole ignore sigpipe so it gives correct error 
> message when 
> > >> flooded with 4000 character security context.
> > >>     
> > >
> > > I'm a little unclear on this one, although I did find a 
> bug report 
> > > about it (which would be helpful to identify in the patch 
> posting in 
> > > the future when it applies for easy reference), at
> > > https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=203801
> > >
> > > If I read that one correctly, the SIGPIPE is actually 
> happening when 
> > > libselinux tries to write the context to the setrans 
> socket, because 
> > > the daemon is dropping the connection immediately upon 
> getting the 
> > > header with such a large length (more generally, any 
> failure in the 
> > > daemon before reading the entire request could lead to this).  So 
> > > that could affect any user of libselinux, not just newrole, right?
> > >
> > > Looking around a bit, I see that if we changed the use of 
> writev() 
> > > in libselinux to instead use sendmsg() with an explicit 
> MSG_NOSIGNAL 
> > > flag, we could avoid having such failures generate SIGPIPE 
> > > altogether.  Then we would just get an error return and 
> have the usual fallback handling.
> > >   
> > That sounds like a better solution.
> 
> Possible patch below.  Changes:
> 1) Collect up the entire request into a single msg and send it once.
> 2) Use sendmsg with MSG_NOSIGNAL rather than writev.
> 
> Can anyone explain what data2 is for?  It is always NULL at 
> present AFAICS.
> 
> Index: libselinux/src/setrans_client.c
> ===================================================================
> RCS file: 
> /nfshome/pal/CVS/selinux-usr/libselinux/src/setrans_client.c,v
> retrieving revision 1.8
> diff -u -p -r1.8 setrans_client.c
> --- libselinux/src/setrans_client.c	29 Jun 2006 18:21:05 
> -0000	1.8
> +++ libselinux/src/setrans_client.c	8 Sep 2006 20:18:07 -0000
> @@ -58,11 +58,12 @@ static int setransd_open(void)  static 
> int  send_request(int fd, uint32_t function, const char 
> *data1, const char *data2)  {
> -	struct iovec req_hdr[3];
> +	struct msghdr msgh;
> +	struct iovec iov[5];
>  	uint32_t data1_size;
>  	uint32_t data2_size;
> -	struct iovec req_data[2];
> -	ssize_t count;
> +	ssize_t count, expected;
> +	unsigned int i;
>  
>  	if (fd < 0)
>  		return -1;
> @@ -75,28 +76,27 @@ send_request(int fd, uint32_t function, 
>  	data1_size = strlen(data1) + 1;
>  	data2_size = strlen(data2) + 1;
>  
> -	req_hdr[0].iov_base = &function;
> -	req_hdr[0].iov_len = sizeof(function);
> -	req_hdr[1].iov_base = &data1_size;
> -	req_hdr[1].iov_len = sizeof(data1_size);
> -	req_hdr[2].iov_base = &data2_size;
> -	req_hdr[2].iov_len = sizeof(data2_size);
> -
> -	while (((count = writev(fd, req_hdr, 3)) < 0) && (errno 
> == EINTR)) ;
> -	if (count != (sizeof(function) + sizeof(data1_size) +
> -		      sizeof(data2_size))) {
> -		return -1;
> -	}
> +	iov[0].iov_base = &function;
> +	iov[0].iov_len = sizeof(function);
> +	iov[1].iov_base = &data1_size;
> +	iov[1].iov_len = sizeof(data1_size);
> +	iov[2].iov_base = &data2_size;
> +	iov[2].iov_len = sizeof(data2_size);
> +	iov[3].iov_base = (char *)data1;
> +	iov[3].iov_len = data1_size;
> +	iov[4].iov_base = (char *)data2;
> +	iov[4].iov_len = data2_size;
> +	memset(&msgh, 0, sizeof(msgh));
> +	msgh.msg_iov = iov;
> +	msgh.msg_iovlen = sizeof(iov)/sizeof(iov[0]);
> +
> +	expected = 0;
> +	for (i = 0; i < sizeof(iov)/sizeof(iov[0]); i++)
> +		expected += iov[i].iov_len;
>  
> -	req_data[0].iov_base = (char *)data1;
> -	req_data[0].iov_len = data1_size;
> -	req_data[1].iov_base = (char *)data2;
> -	req_data[1].iov_len = data2_size;
> -
> -	while (((count = writev(fd, req_data, 2)) < 0) && 
> (errno == EINTR)) ;
> -	if (count < 0 || (uint32_t) count != (data1_size + 
> data2_size)) {
> +	while (((count = sendmsg(fd, &msgh, MSG_NOSIGNAL)) < 0) 
> && (errno == EINTR)) ;
> +	if (count < 0 || count != expected)
>  		return -1;
> -	}
>  
>  	return 0;
>  }
> 

Acked-By: Joshua Brindle <jbrindle@tresys.com>


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* RE: Latest policycoreutils patch
  2006-09-11 12:25       ` Joshua Brindle
@ 2006-09-12 12:45         ` Karl MacMillan
  0 siblings, 0 replies; 34+ messages in thread
From: Karl MacMillan @ 2006-09-12 12:45 UTC (permalink / raw)
  To: Joshua Brindle; +Cc: Stephen Smalley, Daniel J Walsh, Darrel Goeddel, SE Linux

On Mon, 2006-09-11 at 08:25 -0400, Joshua Brindle wrote:
> > From: Stephen Smalley [mailto:sds@tycho.nsa.gov] 
> > 
> > On Fri, 2006-09-08 at 12:37 -0400, Daniel J Walsh wrote:
> > > Stephen Smalley wrote:
> > > > On Thu, 2006-09-07 at 09:31 -0400, Daniel J Walsh wrote:
> > > >   
> > > >> Have newrole ignore sigpipe so it gives correct error 
> > message when 
> > > >> flooded with 4000 character security context.
> > > >>     
> > > >
> > > > I'm a little unclear on this one, although I did find a 
> > bug report 
> > > > about it (which would be helpful to identify in the patch 
> > posting in 
> > > > the future when it applies for easy reference), at
> > > > https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=203801
> > > >
> > > > If I read that one correctly, the SIGPIPE is actually 
> > happening when 
> > > > libselinux tries to write the context to the setrans 
> > socket, because 
> > > > the daemon is dropping the connection immediately upon 
> > getting the 
> > > > header with such a large length (more generally, any 
> > failure in the 
> > > > daemon before reading the entire request could lead to this).  So 
> > > > that could affect any user of libselinux, not just newrole, right?
> > > >
> > > > Looking around a bit, I see that if we changed the use of 
> > writev() 
> > > > in libselinux to instead use sendmsg() with an explicit 
> > MSG_NOSIGNAL 
> > > > flag, we could avoid having such failures generate SIGPIPE 
> > > > altogether.  Then we would just get an error return and 
> > have the usual fallback handling.
> > > >   
> > > That sounds like a better solution.
> > 
> > Possible patch below.  Changes:
> > 1) Collect up the entire request into a single msg and send it once.
> > 2) Use sendmsg with MSG_NOSIGNAL rather than writev.
> > 
> > Can anyone explain what data2 is for?  It is always NULL at 
> > present AFAICS.
> > 
> > Index: libselinux/src/setrans_client.c
> > ===================================================================
> > RCS file: 
> > /nfshome/pal/CVS/selinux-usr/libselinux/src/setrans_client.c,v
> > retrieving revision 1.8
> > diff -u -p -r1.8 setrans_client.c
> > --- libselinux/src/setrans_client.c	29 Jun 2006 18:21:05 
> > -0000	1.8
> > +++ libselinux/src/setrans_client.c	8 Sep 2006 20:18:07 -0000
> > @@ -58,11 +58,12 @@ static int setransd_open(void)  static 
> > int  send_request(int fd, uint32_t function, const char 
> > *data1, const char *data2)  {
> > -	struct iovec req_hdr[3];
> > +	struct msghdr msgh;
> > +	struct iovec iov[5];
> >  	uint32_t data1_size;
> >  	uint32_t data2_size;
> > -	struct iovec req_data[2];
> > -	ssize_t count;
> > +	ssize_t count, expected;
> > +	unsigned int i;
> >  
> >  	if (fd < 0)
> >  		return -1;
> > @@ -75,28 +76,27 @@ send_request(int fd, uint32_t function, 
> >  	data1_size = strlen(data1) + 1;
> >  	data2_size = strlen(data2) + 1;
> >  
> > -	req_hdr[0].iov_base = &function;
> > -	req_hdr[0].iov_len = sizeof(function);
> > -	req_hdr[1].iov_base = &data1_size;
> > -	req_hdr[1].iov_len = sizeof(data1_size);
> > -	req_hdr[2].iov_base = &data2_size;
> > -	req_hdr[2].iov_len = sizeof(data2_size);
> > -
> > -	while (((count = writev(fd, req_hdr, 3)) < 0) && (errno 
> > == EINTR)) ;
> > -	if (count != (sizeof(function) + sizeof(data1_size) +
> > -		      sizeof(data2_size))) {
> > -		return -1;
> > -	}
> > +	iov[0].iov_base = &function;
> > +	iov[0].iov_len = sizeof(function);
> > +	iov[1].iov_base = &data1_size;
> > +	iov[1].iov_len = sizeof(data1_size);
> > +	iov[2].iov_base = &data2_size;
> > +	iov[2].iov_len = sizeof(data2_size);
> > +	iov[3].iov_base = (char *)data1;
> > +	iov[3].iov_len = data1_size;
> > +	iov[4].iov_base = (char *)data2;
> > +	iov[4].iov_len = data2_size;
> > +	memset(&msgh, 0, sizeof(msgh));
> > +	msgh.msg_iov = iov;
> > +	msgh.msg_iovlen = sizeof(iov)/sizeof(iov[0]);
> > +
> > +	expected = 0;
> > +	for (i = 0; i < sizeof(iov)/sizeof(iov[0]); i++)
> > +		expected += iov[i].iov_len;
> >  
> > -	req_data[0].iov_base = (char *)data1;
> > -	req_data[0].iov_len = data1_size;
> > -	req_data[1].iov_base = (char *)data2;
> > -	req_data[1].iov_len = data2_size;
> > -
> > -	while (((count = writev(fd, req_data, 2)) < 0) && 
> > (errno == EINTR)) ;
> > -	if (count < 0 || (uint32_t) count != (data1_size + 
> > data2_size)) {
> > +	while (((count = sendmsg(fd, &msgh, MSG_NOSIGNAL)) < 0) 
> > && (errno == EINTR)) ;
> > +	if (count < 0 || count != expected)
> >  		return -1;
> > -	}
> >  
> >  	return 0;
> >  }
> > 
> 
> Acked-By: Joshua Brindle <jbrindle@tresys.com>

Acked-By: Karl MacMillan <kmacmillan@mentalrootkit.com>

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: Latest policycoreutils patch
  2006-09-08 20:25     ` Stephen Smalley
  2006-09-11 12:25       ` Joshua Brindle
@ 2006-09-13 15:14       ` Joshua Brindle
  1 sibling, 0 replies; 34+ messages in thread
From: Joshua Brindle @ 2006-09-13 15:14 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: Daniel J Walsh, Darrel Goeddel, Karl MacMillan, SE Linux

Stephen Smalley wrote:
> On Fri, 2006-09-08 at 12:37 -0400, Daniel J Walsh wrote:
>> Stephen Smalley wrote:
>>> On Thu, 2006-09-07 at 09:31 -0400, Daniel J Walsh wrote:
>>>   
>>>> Have newrole ignore sigpipe so it gives correct error message when 
>>>> flooded with 4000 character security context.
>>>>     
>>> I'm a little unclear on this one, although I did find a bug report about
>>> it (which would be helpful to identify in the patch posting in the
>>> future when it applies for easy reference), at
>>> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=203801
>>>
>>> If I read that one correctly, the SIGPIPE is actually happening when
>>> libselinux tries to write the context to the setrans socket, because the
>>> daemon is dropping the connection immediately upon getting the header
>>> with such a large length (more generally, any failure in the daemon
>>> before reading the entire request could lead to this).  So that could
>>> affect any user of libselinux, not just newrole, right?
>>>
>>> Looking around a bit, I see that if we changed the use of writev() in
>>> libselinux to instead use sendmsg() with an explicit MSG_NOSIGNAL flag,
>>> we could avoid having such failures generate SIGPIPE altogether.  Then
>>> we would just get an error return and have the usual fallback handling.
>>>   
>> That sounds like a better solution.
> 
> Possible patch below.  Changes:
> 1) Collect up the entire request into a single msg and send it once.
> 2) Use sendmsg with MSG_NOSIGNAL rather than writev.
> 
> Can anyone explain what data2 is for?  It is always NULL at present
> AFAICS.
> 
> Index: libselinux/src/setrans_client.c
> ===================================================================
> RCS file: /nfshome/pal/CVS/selinux-usr/libselinux/src/setrans_client.c,v
> retrieving revision 1.8
> diff -u -p -r1.8 setrans_client.c
> --- libselinux/src/setrans_client.c	29 Jun 2006 18:21:05 -0000	1.8
> +++ libselinux/src/setrans_client.c	8 Sep 2006 20:18:07 -0000
> @@ -58,11 +58,12 @@ static int setransd_open(void)
>  static int
>  send_request(int fd, uint32_t function, const char *data1, const char *data2)
>  {
> -	struct iovec req_hdr[3];
> +	struct msghdr msgh;
> +	struct iovec iov[5];
>  	uint32_t data1_size;
>  	uint32_t data2_size;
> -	struct iovec req_data[2];
> -	ssize_t count;
> +	ssize_t count, expected;
> +	unsigned int i;
>  
>  	if (fd < 0)
>  		return -1;
> @@ -75,28 +76,27 @@ send_request(int fd, uint32_t function, 
>  	data1_size = strlen(data1) + 1;
>  	data2_size = strlen(data2) + 1;
>  
> -	req_hdr[0].iov_base = &function;
> -	req_hdr[0].iov_len = sizeof(function);
> -	req_hdr[1].iov_base = &data1_size;
> -	req_hdr[1].iov_len = sizeof(data1_size);
> -	req_hdr[2].iov_base = &data2_size;
> -	req_hdr[2].iov_len = sizeof(data2_size);
> -
> -	while (((count = writev(fd, req_hdr, 3)) < 0) && (errno == EINTR)) ;
> -	if (count != (sizeof(function) + sizeof(data1_size) +
> -		      sizeof(data2_size))) {
> -		return -1;
> -	}
> +	iov[0].iov_base = &function;
> +	iov[0].iov_len = sizeof(function);
> +	iov[1].iov_base = &data1_size;
> +	iov[1].iov_len = sizeof(data1_size);
> +	iov[2].iov_base = &data2_size;
> +	iov[2].iov_len = sizeof(data2_size);
> +	iov[3].iov_base = (char *)data1;
> +	iov[3].iov_len = data1_size;
> +	iov[4].iov_base = (char *)data2;
> +	iov[4].iov_len = data2_size;
> +	memset(&msgh, 0, sizeof(msgh));
> +	msgh.msg_iov = iov;
> +	msgh.msg_iovlen = sizeof(iov)/sizeof(iov[0]);
> +
> +	expected = 0;
> +	for (i = 0; i < sizeof(iov)/sizeof(iov[0]); i++)
> +		expected += iov[i].iov_len;
>  
> -	req_data[0].iov_base = (char *)data1;
> -	req_data[0].iov_len = data1_size;
> -	req_data[1].iov_base = (char *)data2;
> -	req_data[1].iov_len = data2_size;
> -
> -	while (((count = writev(fd, req_data, 2)) < 0) && (errno == EINTR)) ;
> -	if (count < 0 || (uint32_t) count != (data1_size + data2_size)) {
> +	while (((count = sendmsg(fd, &msgh, MSG_NOSIGNAL)) < 0) && (errno == EINTR)) ;
> +	if (count < 0 || count != expected)
>  		return -1;
> -	}
>  
>  	return 0;
>  }
> 
> 

Thanks, merged.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Latest policycoreutils patch
@ 2006-11-06 15:25 Daniel J Walsh
  0 siblings, 0 replies; 34+ messages in thread
From: Daniel J Walsh @ 2006-11-06 15:25 UTC (permalink / raw)
  To: Stephen Smalley, SE Linux

New audit message in newrole on failure

-fPIE on restorecond

/var/run/wtmp added to restorecond

Fixes for genhomedircon man page

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

