Multiple small fixes to policycoreutils

Multiple small fixes to policycoreutils

[Daniel J Walsh]

[-- Attachment #1: Type: text/plain, Size: 196 bytes --]

Add newrole audit message on login failure.

Add -fPIE and -pie to build of restorecond.

Add /var/log/wtmp to restorecond.conf watch list

Fix genhomedircon, semanage, semodule_expand man pages.

[-- Attachment #2: diff --]
[-- Type: text/plain, Size: 5382 bytes --]

diff --exclude-from=exclude --exclude='*.po' --exclude='*.pot' -N -u -r nsapolicycoreutils/newrole/newrole.c policycoreutils-1.33.1/newrole/newrole.c
--- nsapolicycoreutils/newrole/newrole.c	2006-11-14 09:46:12.000000000 -0500
+++ policycoreutils-1.33.1/newrole/newrole.c	2006-11-14 09:55:30.000000000 -0500
@@ -1028,6 +1028,7 @@
 	{
 		fprintf(stderr, _("newrole: incorrect password for %s\n"),
 			pw.pw_name);
+		send_audit_message(0, old_context, new_context, ttyn);
 		goto err_close_pam;
 	}
 
diff --exclude-from=exclude --exclude='*.po' --exclude='*.pot' -N -u -r nsapolicycoreutils/restorecond/Makefile policycoreutils-1.33.1/restorecond/Makefile
--- nsapolicycoreutils/restorecond/Makefile	2006-08-28 16:58:19.000000000 -0400
+++ policycoreutils-1.33.1/restorecond/Makefile	2006-11-14 09:54:05.000000000 -0500
@@ -5,8 +5,9 @@
 INITDIR = $(DESTDIR)/etc/rc.d/init.d
 SELINUXDIR = $(DESTDIR)/etc/selinux
 
-CFLAGS ?= -g -Werror -Wall -W
-override CFLAGS += -I$(PREFIX)/include -D_FILE_OFFSET_BITS=64
+LDFLAGS ?= -pie
+CFLAGS ?= -g -Werror -Wall -W 
+override CFLAGS += -I$(PREFIX)/include -D_FILE_OFFSET_BITS=64 -fPIE
 LDLIBS += -lselinux -lsepol -L$(PREFIX)/lib
 
 all: restorecond
diff --exclude-from=exclude --exclude='*.po' --exclude='*.pot' -N -u -r nsapolicycoreutils/restorecond/restorecond.conf policycoreutils-1.33.1/restorecond/restorecond.conf
--- nsapolicycoreutils/restorecond/restorecond.conf	2006-08-28 16:58:19.000000000 -0400
+++ policycoreutils-1.33.1/restorecond/restorecond.conf	2006-11-14 09:54:05.000000000 -0500
@@ -2,5 +2,6 @@
 /etc/samba/secrets.tdb
 /etc/mtab
 /var/run/utmp
+/var/log/wtmp
 ~/public_html
 ~/.mozilla/plugins/libflashplayer.so
diff --exclude-from=exclude --exclude='*.po' --exclude='*.pot' -N -u -r nsapolicycoreutils/scripts/genhomedircon.8 policycoreutils-1.33.1/scripts/genhomedircon.8
--- nsapolicycoreutils/scripts/genhomedircon.8	2006-08-28 16:58:19.000000000 -0400
+++ policycoreutils-1.33.1/scripts/genhomedircon.8	2006-11-14 09:54:05.000000000 -0500
@@ -45,35 +45,30 @@
 .SH DESCRIPTION
 .PP
 This utility is used to generate file context configuration entries for 
-user home directories based on their default roles and is run when building 
-the policy. It can also be run when ever the 
-.I /etc/selinux/<<SELINUXTYPE>>/users/local.users
-file is changed 
+user home directories based on their 
+.B prefix 
+entry in the the 
+.B semanage user record.  
+genhomedircon is run when building 
+the policy. It is also run automaticaly when ever the 
+.B semanage 
+utility modifies 
+.B user
+or
+.B login
+records.
 Specifically, we replace HOME_ROOT, HOME_DIR, and ROLE macros in the 
 .I /etc/selinux/<<SELINUXTYPE>>/contexts/files/homedir_template 
-file with generic and user-specific values.
-.I local.users
-file. If a user has more than one role in 
-.I local.users,
-.B genhomedircon
-uses the first role in the list. 
+file with generic and user-specific values.  HOME_ROOT and HOME_DIR is replaced with each distinct location where login users homedirectories are located.  Defaults to /home. ROLE is replaced based on the prefix entry in the 
+.B user
+record.
 .PP 
-If a user is not listed in 
-.I local.users,
-.B genhomedircon
-assumes that the user's home dir will be found in one of the
-HOME_ROOTs. 
-When looking for these users, 
-.B genhomedircon
-only considers real users. "Real" users (as opposed
-to system users) are those whose UID is greater than or equal 
+genhomedircon searches through all password entires for all "login" user home directories, (as opposed
+to system users).  Login users are those whose UID is greater than or equal 
 .I STARTING_UID
 (default 500) and whose login shell is not "/sbin/nologin", or
 "/bin/false". 
 .PP 
-Users who are explicitly defined in 
-.I local.users,
-are always "real" (including root, in the default configuration).
 .SH AUTHOR
 This manual page was originally written by 
 .I Manoj Srivastava <srivasta@debian.org>,
diff --exclude-from=exclude --exclude='*.po' --exclude='*.pot' -N -u -r nsapolicycoreutils/semanage/semanage.8 policycoreutils-1.33.1/semanage/semanage.8
--- nsapolicycoreutils/semanage/semanage.8	2006-09-14 08:07:24.000000000 -0400
+++ policycoreutils-1.33.1/semanage/semanage.8	2006-11-14 09:54:05.000000000 -0500
@@ -7,7 +7,7 @@
 .br
 .B semanage login \-{a|d|m} [\-sr] login_name
 .br
-.B semanage user \-{a|d|m} [\-LrR] selinux_name
+.B semanage user \-{a|d|m} [\-LrRP] selinux_name
 .br
 .B semanage port \-{a|d|m} [\-tr] [\-p protocol] port | port_range
 .br
@@ -71,6 +71,9 @@
 .I                \-R, \-\-role
 SELinux Roles.  You must enclose multiple roles within quotes, separate by spaces. Or specify \-R multiple times.
 .TP
+.I                \-P, \-\-prefix
+SELinux Prefix.  Prefix added to home_dir_t and home_t for labeling users home directories.
+.TP
 .I                \-s, \-\-seuser     
 SELinux user name
 .TP
diff --exclude-from=exclude --exclude='*.po' --exclude='*.pot' -N -u -r nsapolicycoreutils/semodule_expand/semodule_expand.8 policycoreutils-1.33.1/semodule_expand/semodule_expand.8
--- nsapolicycoreutils/semodule_expand/semodule_expand.8	2006-08-28 16:58:20.000000000 -0400
+++ policycoreutils-1.33.1/semodule_expand/semodule_expand.8	2006-11-14 09:54:05.000000000 -0500
@@ -18,7 +18,7 @@
 .SH "OPTIONS"
 .TP
 .B \-V
-verbose mode
+show version
 .TP
 .B \-c [version]
 policy version to create

Re: Multiple small fixes to policycoreutils

[Christopher J. PeBenito]

On Tue, 2006-11-14 at 10:06 -0500, Daniel J Walsh wrote:
> Add -fPIE and -pie to build of restorecond.

> -CFLAGS ?= -g -Werror -Wall -W
> -override CFLAGS += -I$(PREFIX)/include -D_FILE_OFFSET_BITS=64
> +LDFLAGS ?= -pie
> +CFLAGS ?= -g -Werror -Wall -W 
> +override CFLAGS += -I$(PREFIX)/include -D_FILE_OFFSET_BITS=64 -fPIE

I would say that this shouldn't be added in general, especially not to
the override.  The default flags should be pretty basic, IMO.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Multiple small fixes to policycoreutils

[Daniel J Walsh]

Christopher J. PeBenito wrote:
> On Tue, 2006-11-14 at 10:06 -0500, Daniel J Walsh wrote:
>   
>> Add -fPIE and -pie to build of restorecond.
>>     
>
>   
>> -CFLAGS ?= -g -Werror -Wall -W
>> -override CFLAGS += -I$(PREFIX)/include -D_FILE_OFFSET_BITS=64
>> +LDFLAGS ?= -pie
>> +CFLAGS ?= -g -Werror -Wall -W 
>> +override CFLAGS += -I$(PREFIX)/include -D_FILE_OFFSET_BITS=64 -fPIE
>>     
>
> I would say that this shouldn't be added in general, especially not to
> the override.  The default flags should be pretty basic, IMO.
>
>   
How about if we change
LDFLAGS ?= ?= $(RANDLDFLAG)
override CFLAGS += -I$(PREFIX)/include -D_FILE_OFFSET_BITS=64 $(RANDCFLAG)

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Multiple small fixes to policycoreutils

[Christopher J. PeBenito]

On Tue, 2006-11-14 at 11:18 -0500, Daniel J Walsh wrote:
> Christopher J. PeBenito wrote:
> > On Tue, 2006-11-14 at 10:06 -0500, Daniel J Walsh wrote:
> >   
> >> Add -fPIE and -pie to build of restorecond.
> >>     
> >
> >   
> >> -CFLAGS ?= -g -Werror -Wall -W
> >> -override CFLAGS += -I$(PREFIX)/include -D_FILE_OFFSET_BITS=64
> >> +LDFLAGS ?= -pie
> >> +CFLAGS ?= -g -Werror -Wall -W 
> >> +override CFLAGS += -I$(PREFIX)/include -D_FILE_OFFSET_BITS=64 -fPIE
> >>     
> >
> > I would say that this shouldn't be added in general, especially not to
> > the override.  The default flags should be pretty basic, IMO.
> >
> >   
> How about if we change
> LDFLAGS ?= ?= $(RANDLDFLAG)
> override CFLAGS += -I$(PREFIX)/include -D_FILE_OFFSET_BITS=64 $(RANDCFLAG)

Why does this need to be special?  "?=" means if the variable isn't
already set (setting CFLAGS to "" counts as set), then its set with the
right side.  This assignment won't happen if CFLAGS is set:

CFLAGS ?= -g -Werror -Wall -W

So in your spec file you just change your make command to `make
CFLAGS="-fPIE" LDFLAGS="-pie"`, then you'll get the behavior of the
patch above.  Keeping the makefile as is will keep the defaults safe,
and then distros can set things whichever way they want with CFLAGS and
LDFLAGS and not have extra compile/linking flags pop up.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Multiple small fixes to policycoreutils

[Daniel J Walsh]

Christopher J. PeBenito wrote:
> On Tue, 2006-11-14 at 11:18 -0500, Daniel J Walsh wrote:
>   
>> Christopher J. PeBenito wrote:
>>     
>>> On Tue, 2006-11-14 at 10:06 -0500, Daniel J Walsh wrote:
>>>   
>>>       
>>>> Add -fPIE and -pie to build of restorecond.
>>>>     
>>>>         
>>>   
>>>       
>>>> -CFLAGS ?= -g -Werror -Wall -W
>>>> -override CFLAGS += -I$(PREFIX)/include -D_FILE_OFFSET_BITS=64
>>>> +LDFLAGS ?= -pie
>>>> +CFLAGS ?= -g -Werror -Wall -W 
>>>> +override CFLAGS += -I$(PREFIX)/include -D_FILE_OFFSET_BITS=64 -fPIE
>>>>     
>>>>         
>>> I would say that this shouldn't be added in general, especially not to
>>> the override.  The default flags should be pretty basic, IMO.
>>>
>>>   
>>>       
>> How about if we change
>> LDFLAGS ?= ?= $(RANDLDFLAG)
>> override CFLAGS += -I$(PREFIX)/include -D_FILE_OFFSET_BITS=64 $(RANDCFLAG)
>>     
>
> Why does this need to be special?  "?=" means if the variable isn't
> already set (setting CFLAGS to "" counts as set), then its set with the
> right side.  This assignment won't happen if CFLAGS is set:
>
> CFLAGS ?= -g -Werror -Wall -W
>
> So in your spec file you just change your make command to `make
> CFLAGS="-fPIE" LDFLAGS="-pie"`, then you'll get the behavior of the
> patch above.  Keeping the makefile as is will keep the defaults safe,
> and then distros can set things whichever way they want with CFLAGS and
> LDFLAGS and not have extra compile/linking flags pop up.
>
>   
No because this will effect all the Makefiles, not just the daemon 
ones.  I do not want to build restorecon/setfiles etc with -fPIE.




--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Multiple small fixes to policycoreutils

[Joshua Brindle]

Daniel J Walsh wrote:
> Add newrole audit message on login failure.
>
> Add -fPIE and -pie to build of restorecond.
>
> Add /var/log/wtmp to restorecond.conf watch list
>
> Fix genhomedircon, semanage, semodule_expand man pages.
> ------------------------------------------------------------------------
>
> diff --exclude-from=exclude --exclude='*.po' --exclude='*.pot' -N -u -r nsapolicycoreutils/newrole/newrole.c policycoreutils-1.33.1/newrole/newrole.c
> --- nsapolicycoreutils/newrole/newrole.c	2006-11-14 09:46:12.000000000 -0500
> +++ policycoreutils-1.33.1/newrole/newrole.c	2006-11-14 09:55:30.000000000 -0500
> @@ -1028,6 +1028,7 @@
>  	{
>  		fprintf(stderr, _("newrole: incorrect password for %s\n"),
>  			pw.pw_name);
> +		send_audit_message(0, old_context, new_context, ttyn);
>  		goto err_close_pam;
>  	}
>  
> diff --exclude-from=exclude --exclude='*.po' --exclude='*.pot' -N -u -r nsapolicycoreutils/restorecond/Makefile policycoreutils-1.33.1/restorecond/Makefile
> --- nsapolicycoreutils/restorecond/Makefile	2006-08-28 16:58:19.000000000 -0400
> +++ policycoreutils-1.33.1/restorecond/Makefile	2006-11-14 09:54:05.000000000 -0500
> @@ -5,8 +5,9 @@
>  INITDIR = $(DESTDIR)/etc/rc.d/init.d
>  SELINUXDIR = $(DESTDIR)/etc/selinux
>  
> -CFLAGS ?= -g -Werror -Wall -W
> -override CFLAGS += -I$(PREFIX)/include -D_FILE_OFFSET_BITS=64
> +LDFLAGS ?= -pie
> +CFLAGS ?= -g -Werror -Wall -W 
> +override CFLAGS += -I$(PREFIX)/include -D_FILE_OFFSET_BITS=64 -fPIE
>  LDLIBS += -lselinux -lsepol -L$(PREFIX)/lib
>  
>  all: restorecond
> diff --exclude-from=exclude --exclude='*.po' --exclude='*.pot' -N -u -r nsapolicycoreutils/restorecond/restorecond.conf policycoreutils-1.33.1/restorecond/restorecond.conf
> --- nsapolicycoreutils/restorecond/restorecond.conf	2006-08-28 16:58:19.000000000 -0400
> +++ policycoreutils-1.33.1/restorecond/restorecond.conf	2006-11-14 09:54:05.000000000 -0500
> @@ -2,5 +2,6 @@
>  /etc/samba/secrets.tdb
>  /etc/mtab
>  /var/run/utmp
> +/var/log/wtmp
>  ~/public_html
>  ~/.mozilla/plugins/libflashplayer.so
> diff --exclude-from=exclude --exclude='*.po' --exclude='*.pot' -N -u -r nsapolicycoreutils/scripts/genhomedircon.8 policycoreutils-1.33.1/scripts/genhomedircon.8
> --- nsapolicycoreutils/scripts/genhomedircon.8	2006-08-28 16:58:19.000000000 -0400
> +++ policycoreutils-1.33.1/scripts/genhomedircon.8	2006-11-14 09:54:05.000000000 -0500
> @@ -45,35 +45,30 @@
>  .SH DESCRIPTION
>  .PP
>  This utility is used to generate file context configuration entries for 
> -user home directories based on their default roles and is run when building 
> -the policy. It can also be run when ever the 
> -.I /etc/selinux/<<SELINUXTYPE>>/users/local.users
> -file is changed 
> +user home directories based on their 
> +.B prefix 
> +entry in the the 
> +.B semanage user record.  
> +genhomedircon is run when building 
> +the policy. It is also run automaticaly when ever the 
> +.B semanage 
> +utility modifies 
> +.B user
> +or
> +.B login
> +records.
>  Specifically, we replace HOME_ROOT, HOME_DIR, and ROLE macros in the 
>  .I /etc/selinux/<<SELINUXTYPE>>/contexts/files/homedir_template 
> -file with generic and user-specific values.
> -.I local.users
> -file. If a user has more than one role in 
> -.I local.users,
> -.B genhomedircon
> -uses the first role in the list. 
> +file with generic and user-specific values.  HOME_ROOT and HOME_DIR is replaced with each distinct location where login users homedirectories are located.  Defaults to /home. ROLE is replaced based on the prefix entry in the 
> +.B user
> +record.
>  .PP 
> -If a user is not listed in 
> -.I local.users,
> -.B genhomedircon
> -assumes that the user's home dir will be found in one of the
> -HOME_ROOTs. 
> -When looking for these users, 
> -.B genhomedircon
> -only considers real users. "Real" users (as opposed
> -to system users) are those whose UID is greater than or equal 
> +genhomedircon searches through all password entires for all "login" user home directories, (as opposed
> +to system users).  Login users are those whose UID is greater than or equal 
>  .I STARTING_UID
>  (default 500) and whose login shell is not "/sbin/nologin", or
>  "/bin/false". 
>  .PP 
> -Users who are explicitly defined in 
> -.I local.users,
> -are always "real" (including root, in the default configuration).
>  .SH AUTHOR
>  This manual page was originally written by 
>  .I Manoj Srivastava <srivasta@debian.org>,
> diff --exclude-from=exclude --exclude='*.po' --exclude='*.pot' -N -u -r nsapolicycoreutils/semanage/semanage.8 policycoreutils-1.33.1/semanage/semanage.8
> --- nsapolicycoreutils/semanage/semanage.8	2006-09-14 08:07:24.000000000 -0400
> +++ policycoreutils-1.33.1/semanage/semanage.8	2006-11-14 09:54:05.000000000 -0500
> @@ -7,7 +7,7 @@
>  .br
>  .B semanage login \-{a|d|m} [\-sr] login_name
>  .br
> -.B semanage user \-{a|d|m} [\-LrR] selinux_name
> +.B semanage user \-{a|d|m} [\-LrRP] selinux_name
>  .br
>  .B semanage port \-{a|d|m} [\-tr] [\-p protocol] port | port_range
>  .br
> @@ -71,6 +71,9 @@
>  .I                \-R, \-\-role
>  SELinux Roles.  You must enclose multiple roles within quotes, separate by spaces. Or specify \-R multiple times.
>  .TP
> +.I                \-P, \-\-prefix
> +SELinux Prefix.  Prefix added to home_dir_t and home_t for labeling users home directories.
> +.TP
>  .I                \-s, \-\-seuser     
>  SELinux user name
>  .TP
> diff --exclude-from=exclude --exclude='*.po' --exclude='*.pot' -N -u -r nsapolicycoreutils/semodule_expand/semodule_expand.8 policycoreutils-1.33.1/semodule_expand/semodule_expand.8
> --- nsapolicycoreutils/semodule_expand/semodule_expand.8	2006-08-28 16:58:20.000000000 -0400
> +++ policycoreutils-1.33.1/semodule_expand/semodule_expand.8	2006-11-14 09:54:05.000000000 -0500
> @@ -18,7 +18,7 @@
>  .SH "OPTIONS"
>  .TP
>  .B \-V
> -verbose mode
> +show version
>  .TP
>  .B \-c [version]
>  policy version to create
>   
Everything acked except the Makefile changes

Acked-By: Joshua Brindle <jbrindle@tresys.com>

I think our CFLAGS are inappropriate as is, the default (non-debug) 
build should not add -g and should likely have -O2, whether not to build 
with PIE is a distro choice I think.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Multiple small fixes to policycoreutils

[Karl MacMillan]

Daniel J Walsh wrote:
> Christopher J. PeBenito wrote:
>> On Tue, 2006-11-14 at 11:18 -0500, Daniel J Walsh wrote:
>>  
>>> Christopher J. PeBenito wrote:
>>>    
>>>> On Tue, 2006-11-14 at 10:06 -0500, Daniel J Walsh wrote:
>>>>        
>>>>> Add -fPIE and -pie to build of restorecond.
>>>>>             
>>>>        
>>>>> -CFLAGS ?= -g -Werror -Wall -W
>>>>> -override CFLAGS += -I$(PREFIX)/include -D_FILE_OFFSET_BITS=64
>>>>> +LDFLAGS ?= -pie
>>>>> +CFLAGS ?= -g -Werror -Wall -W +override CFLAGS += 
>>>>> -I$(PREFIX)/include -D_FILE_OFFSET_BITS=64 -fPIE
>>>>>             
>>>> I would say that this shouldn't be added in general, especially not to
>>>> the override.  The default flags should be pretty basic, IMO.
>>>>
>>>>         
>>> How about if we change
>>> LDFLAGS ?= ?= $(RANDLDFLAG)
>>> override CFLAGS += -I$(PREFIX)/include -D_FILE_OFFSET_BITS=64 
>>> $(RANDCFLAG)
>>>     
>>
>> Why does this need to be special?  "?=" means if the variable isn't
>> already set (setting CFLAGS to "" counts as set), then its set with the
>> right side.  This assignment won't happen if CFLAGS is set:
>>
>> CFLAGS ?= -g -Werror -Wall -W
>>
>> So in your spec file you just change your make command to `make
>> CFLAGS="-fPIE" LDFLAGS="-pie"`, then you'll get the behavior of the
>> patch above.  Keeping the makefile as is will keep the defaults safe,
>> and then distros can set things whichever way they want with CFLAGS and
>> LDFLAGS and not have extra compile/linking flags pop up.
>>
>>   
> No because this will effect all the Makefiles, not just the daemon 
> ones.  I do not want to build restorecon/setfiles etc with -fPIE.
> 

What about a top-level USE_PIE makefile variable that directs all 
sub-Makefiles to set PIE flags if appropriate for that module? By 
default it would be off. This gets the behavior you want without having 
to carry a patch and keeps the current behavior.

Karl

> 
> 
> 
> -- 
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov 
> with
> the words "unsubscribe selinux" without quotes as the message.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Multiple small fixes to policycoreutils

[Joshua Brindle]

Karl MacMillan wrote:
> Daniel J Walsh wrote:
>> Christopher J. PeBenito wrote:
>>> On Tue, 2006-11-14 at 11:18 -0500, Daniel J Walsh wrote:
>>>  
>>>> Christopher J. PeBenito wrote:
>>>>   
>>>>> On Tue, 2006-11-14 at 10:06 -0500, Daniel J Walsh wrote:
>>>>>       
>>>>>> Add -fPIE and -pie to build of restorecond.
>>>>>>             
>>>>>       
>>>>>> -CFLAGS ?= -g -Werror -Wall -W
>>>>>> -override CFLAGS += -I$(PREFIX)/include -D_FILE_OFFSET_BITS=64
>>>>>> +LDFLAGS ?= -pie
>>>>>> +CFLAGS ?= -g -Werror -Wall -W +override CFLAGS += 
>>>>>> -I$(PREFIX)/include -D_FILE_OFFSET_BITS=64 -fPIE
>>>>>>             
>>>>> I would say that this shouldn't be added in general, especially not to
>>>>> the override.  The default flags should be pretty basic, IMO.
>>>>>
>>>>>         
>>>> How about if we change
>>>> LDFLAGS ?= ?= $(RANDLDFLAG)
>>>> override CFLAGS += -I$(PREFIX)/include -D_FILE_OFFSET_BITS=64 
>>>> $(RANDCFLAG)
>>>>     
>>>
>>> Why does this need to be special?  "?=" means if the variable isn't
>>> already set (setting CFLAGS to "" counts as set), then its set with the
>>> right side.  This assignment won't happen if CFLAGS is set:
>>>
>>> CFLAGS ?= -g -Werror -Wall -W
>>>
>>> So in your spec file you just change your make command to `make
>>> CFLAGS="-fPIE" LDFLAGS="-pie"`, then you'll get the behavior of the
>>> patch above.  Keeping the makefile as is will keep the defaults safe,
>>> and then distros can set things whichever way they want with CFLAGS and
>>> LDFLAGS and not have extra compile/linking flags pop up.
>>>
>>>   
>> No because this will effect all the Makefiles, not just the daemon 
>> ones.  I do not want to build restorecon/setfiles etc with -fPIE.
>>
> 
> What about a top-level USE_PIE makefile variable that directs all 
> sub-Makefiles to set PIE flags if appropriate for that module? By 
> default it would be off. This gets the behavior you want without having 
> to carry a patch and keeps the current behavior.
> 

No patch necessary, like Chris said make CFLAGS="-fPIE -02 -Werror 
-Wall" LDFLAGS="-pie"

done and done.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Multiple small fixes to policycoreutils

[Daniel J Walsh]

Joshua Brindle wrote:
> Karl MacMillan wrote:
>> Daniel J Walsh wrote:
>>> Christopher J. PeBenito wrote:
>>>> On Tue, 2006-11-14 at 11:18 -0500, Daniel J Walsh wrote:
>>>>  
>>>>> Christopher J. PeBenito wrote:
>>>>>  
>>>>>> On Tue, 2006-11-14 at 10:06 -0500, Daniel J Walsh wrote:
>>>>>>      
>>>>>>> Add -fPIE and -pie to build of restorecond.
>>>>>>>             
>>>>>>      
>>>>>>> -CFLAGS ?= -g -Werror -Wall -W
>>>>>>> -override CFLAGS += -I$(PREFIX)/include -D_FILE_OFFSET_BITS=64
>>>>>>> +LDFLAGS ?= -pie
>>>>>>> +CFLAGS ?= -g -Werror -Wall -W +override CFLAGS += 
>>>>>>> -I$(PREFIX)/include -D_FILE_OFFSET_BITS=64 -fPIE
>>>>>>>             
>>>>>> I would say that this shouldn't be added in general, especially 
>>>>>> not to
>>>>>> the override.  The default flags should be pretty basic, IMO.
>>>>>>
>>>>>>         
>>>>> How about if we change
>>>>> LDFLAGS ?= ?= $(RANDLDFLAG)
>>>>> override CFLAGS += -I$(PREFIX)/include -D_FILE_OFFSET_BITS=64 
>>>>> $(RANDCFLAG)
>>>>>     
>>>>
>>>> Why does this need to be special?  "?=" means if the variable isn't
>>>> already set (setting CFLAGS to "" counts as set), then its set with 
>>>> the
>>>> right side.  This assignment won't happen if CFLAGS is set:
>>>>
>>>> CFLAGS ?= -g -Werror -Wall -W
>>>>
>>>> So in your spec file you just change your make command to `make
>>>> CFLAGS="-fPIE" LDFLAGS="-pie"`, then you'll get the behavior of the
>>>> patch above.  Keeping the makefile as is will keep the defaults safe,
>>>> and then distros can set things whichever way they want with CFLAGS 
>>>> and
>>>> LDFLAGS and not have extra compile/linking flags pop up.
>>>>
>>>>   
>>> No because this will effect all the Makefiles, not just the daemon 
>>> ones.  I do not want to build restorecon/setfiles etc with -fPIE.
>>>
>>
>> What about a top-level USE_PIE makefile variable that directs all 
>> sub-Makefiles to set PIE flags if appropriate for that module? By 
>> default it would be off. This gets the behavior you want without 
>> having to carry a patch and keeps the current behavior.
>>
>
> No patch necessary, like Chris said make CFLAGS="-fPIE -02 -Werror 
> -Wall" LDFLAGS="-pie"
>
> done and done.
>
No, because then all compiled apps become -pie.  We only want this on 
the daemons.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

RE: Multiple small fixes to policycoreutils

[Joshua Brindle]

> From: Daniel J Walsh [mailto:dwalsh@redhat.com] 
> 
> Joshua Brindle wrote:
> > Karl MacMillan wrote:
> >> Daniel J Walsh wrote:
> >>> Christopher J. PeBenito wrote:
> >>>> On Tue, 2006-11-14 at 11:18 -0500, Daniel J Walsh wrote:
> >>>>  
> >>>>> Christopher J. PeBenito wrote:
> >>>>>  
> >>>>>> On Tue, 2006-11-14 at 10:06 -0500, Daniel J Walsh wrote:
> >>>>>>      
> >>>>>>> Add -fPIE and -pie to build of restorecond.
> >>>>>>>             
> >>>>>>      
> >>>>>>> -CFLAGS ?= -g -Werror -Wall -W
> >>>>>>> -override CFLAGS += -I$(PREFIX)/include -D_FILE_OFFSET_BITS=64
> >>>>>>> +LDFLAGS ?= -pie
> >>>>>>> +CFLAGS ?= -g -Werror -Wall -W +override CFLAGS +=
> >>>>>>> -I$(PREFIX)/include -D_FILE_OFFSET_BITS=64 -fPIE
> >>>>>>>             
> >>>>>> I would say that this shouldn't be added in general, 
> especially 
> >>>>>> not to the override.  The default flags should be 
> pretty basic, 
> >>>>>> IMO.
> >>>>>>
> >>>>>>         
> >>>>> How about if we change
> >>>>> LDFLAGS ?= ?= $(RANDLDFLAG)
> >>>>> override CFLAGS += -I$(PREFIX)/include -D_FILE_OFFSET_BITS=64
> >>>>> $(RANDCFLAG)
> >>>>>     
> >>>>
> >>>> Why does this need to be special?  "?=" means if the 
> variable isn't 
> >>>> already set (setting CFLAGS to "" counts as set), then 
> its set with 
> >>>> the right side.  This assignment won't happen if CFLAGS is set:
> >>>>
> >>>> CFLAGS ?= -g -Werror -Wall -W
> >>>>
> >>>> So in your spec file you just change your make command to `make 
> >>>> CFLAGS="-fPIE" LDFLAGS="-pie"`, then you'll get the 
> behavior of the 
> >>>> patch above.  Keeping the makefile as is will keep the defaults 
> >>>> safe, and then distros can set things whichever way they 
> want with 
> >>>> CFLAGS and LDFLAGS and not have extra compile/linking 
> flags pop up.
> >>>>
> >>>>   
> >>> No because this will effect all the Makefiles, not just 
> the daemon 
> >>> ones.  I do not want to build restorecon/setfiles etc with -fPIE.
> >>>
> >>
> >> What about a top-level USE_PIE makefile variable that directs all 
> >> sub-Makefiles to set PIE flags if appropriate for that module? By 
> >> default it would be off. This gets the behavior you want without 
> >> having to carry a patch and keeps the current behavior.
> >>
> >
> > No patch necessary, like Chris said make CFLAGS="-fPIE -02 -Werror 
> > -Wall" LDFLAGS="-pie"
> >
> > done and done.
> >
> No, because then all compiled apps become -pie.  We only want 
> this on the daemons.
> 

Why does it matter?


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Multiple small fixes to policycoreutils

[Karl MacMillan]

Daniel J Walsh wrote:
> Joshua Brindle wrote:
>> Karl MacMillan wrote:

<snip>

>>>
>>> What about a top-level USE_PIE makefile variable that directs all 
>>> sub-Makefiles to set PIE flags if appropriate for that module? By 
>>> default it would be off. This gets the behavior you want without 
>>> having to carry a patch and keeps the current behavior.
>>>
>>
>> No patch necessary, like Chris said make CFLAGS="-fPIE -02 -Werror 
>> -Wall" LDFLAGS="-pie"
>>
>> done and done.
>>
> No, because then all compiled apps become -pie.  We only want this on 
> the daemons.
> 

What about this instead?

diff -r fdaf7172a43e Makefile
--- a/Makefile	Wed Nov 15 15:49:31 2006 -0500
+++ b/Makefile	Wed Nov 15 16:49:07 2006 -0500
@@ -1,10 +1,15 @@ SUBDIRS=libsepol libselinux libsemanage
  SUBDIRS=libsepol libselinux libsemanage checkpolicy policycoreutils # 
policy
  PYSUBDIRS=libselinux libsemanage
+
+# Turn on PIE for programs / daemons that support it. Default
+# is off (0).
+export USE_PIE=0

  ifeq ($(DEBUG),1)
  	export CFLAGS = -g3 -O0 -gdwarf-2 -fno-strict-aliasing -Wall -Wshadow
  	export LDFLAGS = -g
  endif
+

  install relabel:
  	@for subdir in $(SUBDIRS); do \
diff -r fdaf7172a43e policycoreutils/newrole/newrole.c
--- a/policycoreutils/newrole/newrole.c	Wed Nov 15 15:49:31 2006 -0500
+++ b/policycoreutils/newrole/newrole.c	Wed Nov 15 15:52:26 2006 -0500
@@ -1028,6 +1028,7 @@ int main(int argc, char *argv[])
  	{
  		fprintf(stderr, _("newrole: incorrect password for %s\n"),
  			pw.pw_name);
+		send_audit_message(0, old_context, new_context, ttyn);
  		goto err_close_pam;
  	}

diff -r fdaf7172a43e policycoreutils/restorecond/Makefile
--- a/policycoreutils/restorecond/Makefile	Wed Nov 15 15:49:31 2006 -0500
+++ b/policycoreutils/restorecond/Makefile	Wed Nov 15 16:45:24 2006 -0500
@@ -5,9 +5,15 @@ INITDIR = $(DESTDIR)/etc/rc.d/init.d
  INITDIR = $(DESTDIR)/etc/rc.d/init.d
  SELINUXDIR = $(DESTDIR)/etc/selinux

-CFLAGS ?= -g -Werror -Wall -W
-override CFLAGS += -I$(PREFIX)/include -D_FILE_OFFSET_BITS=64
+CFLAGS ?= -Werror -Wall -W
  LDLIBS += -lselinux -lsepol -L$(PREFIX)/lib
+
+ifeq ($(USE_PIE),1)
+	override LDFLAGS += -pie
+	override CFLAGS += -I$(PREFIX)/include -D_FILE_OFFSET_BITS=64 -fPIE
+else
+	override CFLAGS += -I$(PREFIX)/include -D_FILE_OFFSET_BITS=64
+endif

  all: restorecond

diff -r fdaf7172a43e policycoreutils/restorecond/restorecond.conf
--- a/policycoreutils/restorecond/restorecond.conf	Wed Nov 15 15:49:31 
2006 -0500
+++ b/policycoreutils/restorecond/restorecond.conf	Wed Nov 15 15:52:26 
2006 -0500
@@ -2,5 +2,6 @@
  /etc/samba/secrets.tdb
  /etc/mtab
  /var/run/utmp
+/var/log/wtmp
  ~/public_html
  ~/.mozilla/plugins/libflashplayer.so
diff -r fdaf7172a43e policycoreutils/scripts/genhomedircon.8
--- a/policycoreutils/scripts/genhomedircon.8	Wed Nov 15 15:49:31 2006 -0500
+++ b/policycoreutils/scripts/genhomedircon.8	Wed Nov 15 15:52:26 2006 -0500
@@ -45,35 +45,30 @@ Indicates the selinux type of this insta
  .SH DESCRIPTION
  .PP
  This utility is used to generate file context configuration entries for
-user home directories based on their default roles and is run when 
building
-the policy. It can also be run when ever the
-.I /etc/selinux/<<SELINUXTYPE>>/users/local.users
-file is changed
+user home directories based on their
+.B prefix
+entry in the the
+.B semanage user record.
+genhomedircon is run when building
+the policy. It is also run automaticaly when ever the
+.B semanage
+utility modifies
+.B user
+or
+.B login
+records.
  Specifically, we replace HOME_ROOT, HOME_DIR, and ROLE macros in the
  .I /etc/selinux/<<SELINUXTYPE>>/contexts/files/homedir_template
-file with generic and user-specific values.
-.I local.users
-file. If a user has more than one role in
-.I local.users,
-.B genhomedircon
-uses the first role in the list.
+file with generic and user-specific values.  HOME_ROOT and HOME_DIR is 
replaced with each distinct location where login users homedirectories 
are located.  Defaults to /home. ROLE is replaced based on the prefix 
entry in the
+.B user
+record.
  .PP
-If a user is not listed in
-.I local.users,
-.B genhomedircon
-assumes that the user's home dir will be found in one of the
-HOME_ROOTs.
-When looking for these users,
-.B genhomedircon
-only considers real users. "Real" users (as opposed
-to system users) are those whose UID is greater than or equal
+genhomedircon searches through all password entires for all "login" 
user home directories, (as opposed
+to system users).  Login users are those whose UID is greater than or 
equal
  .I STARTING_UID
  (default 500) and whose login shell is not "/sbin/nologin", or
  "/bin/false".
  .PP
-Users who are explicitly defined in
-.I local.users,
-are always "real" (including root, in the default configuration).
  .SH AUTHOR
  This manual page was originally written by
  .I Manoj Srivastava <srivasta@debian.org>,
diff -r fdaf7172a43e policycoreutils/semanage/semanage.8
--- a/policycoreutils/semanage/semanage.8	Wed Nov 15 15:49:31 2006 -0500
+++ b/policycoreutils/semanage/semanage.8	Wed Nov 15 15:52:26 2006 -0500
@@ -7,7 +7,7 @@ semanage \- SELinux Policy Management to
  .br
  .B semanage login \-{a|d|m} [\-sr] login_name
  .br
-.B semanage user \-{a|d|m} [\-LrR] selinux_name
+.B semanage user \-{a|d|m} [\-LrRP] selinux_name
  .br
  .B semanage port \-{a|d|m} [\-tr] [\-p protocol] port | port_range
  .br
@@ -71,6 +71,9 @@ MLS/MCS Security Range (MLS/MCS Systems
  .I                \-R, \-\-role
  SELinux Roles.  You must enclose multiple roles within quotes, 
separate by spaces. Or specify \-R multiple times.
  .TP
+.I                \-P, \-\-prefix
+SELinux Prefix.  Prefix added to home_dir_t and home_t for labeling 
users home directories.
+.TP
  .I                \-s, \-\-seuser
  SELinux user name
  .TP
diff -r fdaf7172a43e policycoreutils/semodule_expand/semodule_expand.8
--- a/policycoreutils/semodule_expand/semodule_expand.8	Wed Nov 15 
15:49:31 2006 -0500
+++ b/policycoreutils/semodule_expand/semodule_expand.8	Wed Nov 15 
15:52:26 2006 -0500
@@ -18,7 +18,7 @@ together a set of packages into a single
  .SH "OPTIONS"
  .TP
  .B \-V
-verbose mode
+show version
  .TP
  .B \-c [version]
  policy version to create



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

RE: Multiple small fixes to policycoreutils

[Joshua Brindle]

> From: Karl MacMillan [mailto:kmacmillan@mentalrootkit.com] 
> 
> Daniel J Walsh wrote:
> > Joshua Brindle wrote:
> >> Karl MacMillan wrote:
> 
> <snip>
> 
> >>>
> >>> What about a top-level USE_PIE makefile variable that directs all 
> >>> sub-Makefiles to set PIE flags if appropriate for that module? By 
> >>> default it would be off. This gets the behavior you want without 
> >>> having to carry a patch and keeps the current behavior.
> >>>
> >>
> >> No patch necessary, like Chris said make CFLAGS="-fPIE -02 -Werror 
> >> -Wall" LDFLAGS="-pie"
> >>
> >> done and done.
> >>
> > No, because then all compiled apps become -pie.  We only 
> want this on 
> > the daemons.
> > 
> 
> What about this instead?

Why doesn't make CFLAGS="-fPIE -02 -Werror -Wall" LDFLAGS="-pie" work? 
Why does it matter if everything is built pie?

This is distro specific (gentoo completely overrides the CFLAGS and
LDFLAGS, I'm not sure what debian does). I don't think whether or not to
override the user CFLAGS with non-critical things (e.g., things
necessary to build the app like -I($PREFIX)/include) is appropriate for
the upstream makefiles.

For that matter, anyone know why -D_FILE_OFFSET_BITS=64 is in the
override?


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Multiple small fixes to policycoreutils

[Karl MacMillan]

Joshua Brindle wrote:
>> From: Karl MacMillan [mailto:kmacmillan@mentalrootkit.com] 
>>
>> Daniel J Walsh wrote:
>>> Joshua Brindle wrote:
>>>> Karl MacMillan wrote:
>> <snip>
>>
>>>>> What about a top-level USE_PIE makefile variable that directs all 
>>>>> sub-Makefiles to set PIE flags if appropriate for that module? By 
>>>>> default it would be off. This gets the behavior you want without 
>>>>> having to carry a patch and keeps the current behavior.
>>>>>
>>>> No patch necessary, like Chris said make CFLAGS="-fPIE -02 -Werror 
>>>> -Wall" LDFLAGS="-pie"
>>>>
>>>> done and done.
>>>>
>>> No, because then all compiled apps become -pie.  We only 
>> want this on 
>>> the daemons.
>>>
>> What about this instead?
> 
> Why doesn't make CFLAGS="-fPIE -02 -Werror -Wall" LDFLAGS="-pie" work? 
> Why does it matter if everything is built pie?
> 

There are performance costs associated with pie, particularly at 
startup. Talking to Dan though, he doesn't think it is enough to not 
just build everything as pie.

Resend below that I will apply unless there are other objections.

> This is distro specific (gentoo completely overrides the CFLAGS and
> LDFLAGS, I'm not sure what debian does). I don't think whether or not to
> override the user CFLAGS with non-critical things (e.g., things
> necessary to build the app like -I($PREFIX)/include) is appropriate for
> the upstream makefiles.
> 
> For that matter, anyone know why -D_FILE_OFFSET_BITS=64 is in the
> override?
> 

I wondered that as well - Dan?

Karl

diff -r fdaf7172a43e policycoreutils/newrole/newrole.c
--- a/policycoreutils/newrole/newrole.c	Wed Nov 15 15:49:31 2006 -0500
+++ b/policycoreutils/newrole/newrole.c	Thu Nov 16 17:03:40 2006 -0500
@@ -1028,6 +1028,7 @@ int main(int argc, char *argv[])
  	{
  		fprintf(stderr, _("newrole: incorrect password for %s\n"),
  			pw.pw_name);
+		send_audit_message(0, old_context, new_context, ttyn);
  		goto err_close_pam;
  	}

diff -r fdaf7172a43e policycoreutils/restorecond/restorecond.conf
--- a/policycoreutils/restorecond/restorecond.conf	Wed Nov 15 15:49:31 
2006 -0500
+++ b/policycoreutils/restorecond/restorecond.conf	Thu Nov 16 17:03:40 
2006 -0500
@@ -2,5 +2,6 @@
  /etc/samba/secrets.tdb
  /etc/mtab
  /var/run/utmp
+/var/log/wtmp
  ~/public_html
  ~/.mozilla/plugins/libflashplayer.so
diff -r fdaf7172a43e policycoreutils/scripts/genhomedircon.8
--- a/policycoreutils/scripts/genhomedircon.8	Wed Nov 15 15:49:31 2006 -0500
+++ b/policycoreutils/scripts/genhomedircon.8	Thu Nov 16 17:03:40 2006 -0500
@@ -45,35 +45,30 @@ Indicates the selinux type of this insta
  .SH DESCRIPTION
  .PP
  This utility is used to generate file context configuration entries for
-user home directories based on their default roles and is run when 
building
-the policy. It can also be run when ever the
-.I /etc/selinux/<<SELINUXTYPE>>/users/local.users
-file is changed
+user home directories based on their
+.B prefix
+entry in the the
+.B semanage user record.
+genhomedircon is run when building
+the policy. It is also run automaticaly when ever the
+.B semanage
+utility modifies
+.B user
+or
+.B login
+records.
  Specifically, we replace HOME_ROOT, HOME_DIR, and ROLE macros in the
  .I /etc/selinux/<<SELINUXTYPE>>/contexts/files/homedir_template
-file with generic and user-specific values.
-.I local.users
-file. If a user has more than one role in
-.I local.users,
-.B genhomedircon
-uses the first role in the list.
+file with generic and user-specific values.  HOME_ROOT and HOME_DIR is 
replaced with each distinct location where login users homedirectories 
are located.  Defaults to /home. ROLE is replaced based on the prefix 
entry in the
+.B user
+record.
  .PP
-If a user is not listed in
-.I local.users,
-.B genhomedircon
-assumes that the user's home dir will be found in one of the
-HOME_ROOTs.
-When looking for these users,
-.B genhomedircon
-only considers real users. "Real" users (as opposed
-to system users) are those whose UID is greater than or equal
+genhomedircon searches through all password entires for all "login" 
user home directories, (as opposed
+to system users).  Login users are those whose UID is greater than or 
equal
  .I STARTING_UID
  (default 500) and whose login shell is not "/sbin/nologin", or
  "/bin/false".
  .PP
-Users who are explicitly defined in
-.I local.users,
-are always "real" (including root, in the default configuration).
  .SH AUTHOR
  This manual page was originally written by
  .I Manoj Srivastava <srivasta@debian.org>,
diff -r fdaf7172a43e policycoreutils/semanage/semanage.8
--- a/policycoreutils/semanage/semanage.8	Wed Nov 15 15:49:31 2006 -0500
+++ b/policycoreutils/semanage/semanage.8	Thu Nov 16 17:03:40 2006 -0500
@@ -7,7 +7,7 @@ semanage \- SELinux Policy Management to
  .br
  .B semanage login \-{a|d|m} [\-sr] login_name
  .br
-.B semanage user \-{a|d|m} [\-LrR] selinux_name
+.B semanage user \-{a|d|m} [\-LrRP] selinux_name
  .br
  .B semanage port \-{a|d|m} [\-tr] [\-p protocol] port | port_range
  .br
@@ -71,6 +71,9 @@ MLS/MCS Security Range (MLS/MCS Systems
  .I                \-R, \-\-role
  SELinux Roles.  You must enclose multiple roles within quotes, 
separate by spaces. Or specify \-R multiple times.
  .TP
+.I                \-P, \-\-prefix
+SELinux Prefix.  Prefix added to home_dir_t and home_t for labeling 
users home directories.
+.TP
  .I                \-s, \-\-seuser
  SELinux user name
  .TP
diff -r fdaf7172a43e policycoreutils/semodule_expand/semodule_expand.8
--- a/policycoreutils/semodule_expand/semodule_expand.8	Wed Nov 15 
15:49:31 2006 -0500
+++ b/policycoreutils/semodule_expand/semodule_expand.8	Thu Nov 16 
17:03:40 2006 -0500
@@ -18,7 +18,7 @@ together a set of packages into a single
  .SH "OPTIONS"
  .TP
  .B \-V
-verbose mode
+show version
  .TP
  .B \-c [version]
  policy version to create

Signed-off by: Karl MacMillan <kmacmillan@mentalrootkit.com>



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

RE: Multiple small fixes to policycoreutils

[Joshua Brindle]

> From: Karl MacMillan [mailto:kmacmillan@mentalrootkit.com] 
> 
> Joshua Brindle wrote:
> >> From: Karl MacMillan [mailto:kmacmillan@mentalrootkit.com]
> >>
> >> Daniel J Walsh wrote:
> >>> Joshua Brindle wrote:
> >>>> Karl MacMillan wrote:
> >> <snip>
> >>
> >>>>> What about a top-level USE_PIE makefile variable that 
> directs all 
> >>>>> sub-Makefiles to set PIE flags if appropriate for that 
> module? By 
> >>>>> default it would be off. This gets the behavior you 
> want without 
> >>>>> having to carry a patch and keeps the current behavior.
> >>>>>
> >>>> No patch necessary, like Chris said make CFLAGS="-fPIE 
> -02 -Werror 
> >>>> -Wall" LDFLAGS="-pie"
> >>>>
> >>>> done and done.
> >>>>
> >>> No, because then all compiled apps become -pie.  We only
> >> want this on
> >>> the daemons.
> >>>
> >> What about this instead?
> > 
> > Why doesn't make CFLAGS="-fPIE -02 -Werror -Wall" 
> LDFLAGS="-pie" work? 
> > Why does it matter if everything is built pie?
> > 
> 
> There are performance costs associated with pie, particularly 
> at startup. Talking to Dan though, he doesn't think it is 
> enough to not just build everything as pie.
> 

Yea, I don't think startup costs on checkpolicy, semodule, setfiles and
so on are a big deal, not worth adding extra distro dependant logic into
the make system. The actual issue though is that prelinking doesn't do
anything on pie binaries, which is no big deal here, prelinking won't do
much anyway.

> Resend below that I will apply unless there are other objections.
> 

It's the same patch sans the make stuff right? Looks fine to me

> > This is distro specific (gentoo completely overrides the CFLAGS and 
> > LDFLAGS, I'm not sure what debian does). I don't think 
> whether or not 
> > to override the user CFLAGS with non-critical things (e.g., things 
> > necessary to build the app like -I($PREFIX)/include) is appropriate 
> > for the upstream makefiles.
> > 
> > For that matter, anyone know why -D_FILE_OFFSET_BITS=64 is in the 
> > override?
> > 
> 
> I wondered that as well - Dan?
> 



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Multiple small fixes to policycoreutils

[Daniel J Walsh]

Karl MacMillan wrote:
> Joshua Brindle wrote:
>>> From: Karl MacMillan [mailto:kmacmillan@mentalrootkit.com]
>>> Daniel J Walsh wrote:
>>>> Joshua Brindle wrote:
>>>>> Karl MacMillan wrote:
>>> <snip>
>>>
>>>>>> What about a top-level USE_PIE makefile variable that directs all 
>>>>>> sub-Makefiles to set PIE flags if appropriate for that module? By 
>>>>>> default it would be off. This gets the behavior you want without 
>>>>>> having to carry a patch and keeps the current behavior.
>>>>>>
>>>>> No patch necessary, like Chris said make CFLAGS="-fPIE -02 -Werror 
>>>>> -Wall" LDFLAGS="-pie"
>>>>>
>>>>> done and done.
>>>>>
>>>> No, because then all compiled apps become -pie.  We only 
>>> want this on
>>>> the daemons.
>>>>
>>> What about this instead?
>>
>> Why doesn't make CFLAGS="-fPIE -02 -Werror -Wall" LDFLAGS="-pie" 
>> work? Why does itmatter if everything is built pie?
>>
>
> There are performance costs associated with pie, particularly at 
> startup. Talking to Dan though, he doesn't think it is enough to not 
> just build everything as pie.
>
> Resend below that I will apply unless there are other objections.
>
Agreed.
>> This is distro specific (gentoo completely overrides the CFLAGS and
>> LDFLAGS, I'm not sure what debian does). I don't think whether or not to
>> override the user CFLAGS with non-critical things (e.g., things
>> necessary to build the app like -I($PREFIX)/include) is appropriate for
>> the upstream makefiles.
>>
>> For that matter, anyone know why -D_FILE_OFFSET_BITS=64 is in the
>> override?
>>
>
> I wondered that as well - Dan?
>
> Karl
>
>
That was not my doing.
> diff -r fdaf7172a43e policycoreutils/newrole/newrole.c
> --- a/policycoreutils/newrole/newrole.c    Wed Nov 15 15:49:31 2006 -0500
> +++ b/policycoreutils/newrole/newrole.c    Thu Nov 16 17:03:40 2006 -0500
> @@ -1028,6 +1028,7 @@ int main(int argc, char *argv[])
>      {
>          fprintf(stderr, _("newrole: incorrect password for %s\n"),
>              pw.pw_name);
> +        send_audit_message(0, old_context, new_context, ttyn);
>          goto err_close_pam;
>      }
>
> diff -r fdaf7172a43e policycoreutils/restorecond/restorecond.conf
> --- a/policycoreutils/restorecond/restorecond.conf    Wed Nov 15 
> 15:49:31 2006 -0500
> +++ b/policycoreutils/restorecond/restorecond.conf    Thu Nov 16 
> 17:03:40 2006 -0500
> @@ -2,5 +2,6 @@
>  /etc/samba/secrets.tdb
>  /etc/mtab
>  /var/run/utmp
> +/var/log/wtmp
>  ~/public_html
>  ~/.mozilla/plugins/libflashplayer.so
> diff -r fdaf7172a43e policycoreutils/scripts/genhomedircon.8
> --- a/policycoreutils/scripts/genhomedircon.8    Wed Nov 15 15:49:31 
> 2006 -0500
> +++ b/policycoreutils/scripts/genhomedircon.8    Thu Nov 16 17:03:40 
> 2006 -0500
> @@ -45,35 +45,30 @@ Indicates the selinux type of this insta
>  .SH DESCRIPTION
>  .PP
>  This utility is used to generate file context configuration entries for
> -user home directories based on their default roles and is run when 
> building
> -the policy. It can also be run when ever the
> -.I /etc/selinux/<<SELINUXTYPE>>/users/local.users
> -file is changed
> +user home directories based on their
> +.B prefix
> +entry in the the
> +.B semanage user record.
> +genhomedircon is run when building
> +the policy. It is also run automaticaly when ever the
> +.B semanage
> +utility modifies
> +.B user
> +or
> +.B login
> +records.
>  Specifically, we replace HOME_ROOT, HOME_DIR, and ROLE macros in the
>  .I /etc/selinux/<<SELINUXTYPE>>/contexts/files/homedir_template
> -file with generic and user-specific values.
> -.I local.users
> -file. If a user has more than one role in
> -.I local.users,
> -.B genhomedircon
> -uses the first role in the list.
> +file with generic and user-specific values.  HOME_ROOT and HOME_DIR 
> is replaced with each distinct location where login users 
> homedirectories are located.  Defaults to /home. ROLE is replaced 
> based on the prefix entry in the
> +.B user
> +record.
>  .PP
> -If a user is not listed in
> -.I local.users,
> -.B genhomedircon
> -assumes that the user's home dir will be found in one of the
> -HOME_ROOTs.
> -When looking for these users,
> -.B genhomedircon
> -only considers real users. "Real" users (as opposed
> -to system users) are those whose UID is greater than or equal
> +genhomedircon searches through all password entires for all "login" 
> user home directories, (as opposed
> +to system users).  Login users are those whose UID is greater than or 
> equal
>  .I STARTING_UID
>  (default 500) and whose login shell is not "/sbin/nologin", or
>  "/bin/false".
>  .PP
> -Users who are explicitly defined in
> -.I local.users,
> -are always "real" (including root, in the default configuration).
>  .SH AUTHOR
>  This manual page was originally written by
>  .I Manoj Srivastava <srivasta@debian.org>,
> diff -r fdaf7172a43e policycoreutils/semanage/semanage.8
> --- a/policycoreutils/semanage/semanage.8    Wed Nov 15 15:49:31 2006 
> -0500
> +++ b/policycoreutils/semanage/semanage.8    Thu Nov 16 17:03:40 2006 
> -0500
> @@ -7,7 +7,7 @@ semanage \- SELinux Policy Management to
>  .br
>  .B semanage login \-{a|d|m} [\-sr] login_name
>  .br
> -.B semanage user \-{a|d|m} [\-LrR] selinux_name
> +.B semanage user \-{a|d|m} [\-LrRP] selinux_name
>  .br
>  .B semanage port \-{a|d|m} [\-tr] [\-p protocol] port | port_range
>  .br
> @@ -71,6 +71,9 @@ MLS/MCS Security Range (MLS/MCS Systems
>  .I                \-R, \-\-role
>  SELinux Roles.  You must enclose multiple roles within quotes, 
> separate by spaces. Or specify \-R multiple times.
>  .TP
> +.I                \-P, \-\-prefix
> +SELinux Prefix.  Prefix added to home_dir_t and home_t for labeling 
> users home directories.
> +.TP
>  .I                \-s, \-\-seuser
>  SELinux user name
>  .TP
> diff -r fdaf7172a43e policycoreutils/semodule_expand/semodule_expand.8
> --- a/policycoreutils/semodule_expand/semodule_expand.8    Wed Nov 15 
> 15:49:31 2006 -0500
> +++ b/policycoreutils/semodule_expand/semodule_expand.8    Thu Nov 16 
> 17:03:40 2006 -0500
> @@ -18,7 +18,7 @@ together a set of packages into a single
>  .SH "OPTIONS"
>  .TP
>  .B \-V
> -verbose mode
> +show version
>  .TP
>  .B \-c [version]
>  policy version to create
>
> Signed-off by: Karl MacMillan <kmacmillan@mentalrootkit.com>
>
>


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Multiple small fixes to policycoreutils

[Karl MacMillan]

Daniel J Walsh wrote:
> Karl MacMillan wrote:
>> Joshua Brindle wrote:
>>>> From: Karl MacMillan [mailto:kmacmillan@mentalrootkit.com]
>>>> Daniel J Walsh wrote:
>>>>> Joshua Brindle wrote:
>>>>>> Karl MacMillan wrote:
>>>> <snip>
>>>>
>>>>>>> What about a top-level USE_PIE makefile variable that directs all 
>>>>>>> sub-Makefiles to set PIE flags if appropriate for that module? By 
>>>>>>> default it would be off. This gets the behavior you want without 
>>>>>>> having to carry a patch and keeps the current behavior.
>>>>>>>
>>>>>> No patch necessary, like Chris said make CFLAGS="-fPIE -02 -Werror 
>>>>>> -Wall" LDFLAGS="-pie"
>>>>>>
>>>>>> done and done.
>>>>>>
>>>>> No, because then all compiled apps become -pie.  We only 
>>>> want this on
>>>>> the daemons.
>>>>>
>>>> What about this instead?
>>>
>>> Why doesn't make CFLAGS="-fPIE -02 -Werror -Wall" LDFLAGS="-pie" 
>>> work? Why does itmatter if everything is built pie?
>>>
>>
>> There are performance costs associated with pie, particularly at 
>> startup. Talking to Dan though, he doesn't think it is enough to not 
>> just build everything as pie.
>>
>> Resend below that I will apply unless there are other objections.
>>

Committed as policycoreutils 1.33.2.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

More small fixes to policycoreutils

[Daniel J Walsh]

[-- Attachment #1: Type: text/plain, Size: 910 bytes --]

audit2allow was not generating reference policy correctly.  This patches 
fixes this and uses /usr/share/sleinux/devel/Makefile to create policy 
packages.


newrole has Amy Griffiths patch to make newrole return the status code 
of the shell it execs.


run_init needs to call pam_acct_mgmt, so that pam_tally will work correctly.

semanage does not have -v option, so man page should be fixed.

There is a bug in the translation code in seobject.py  Which ended up 
blowing up semanage, the strip command was being used in correctly.

Also after modifying translations the mcstrans needs to be signaled.

(I think it is time we break the mcstrans code out into a separate 
script, maybe executed by semanage, which would allow us to write 
tighter policy around this object and semanage.)


Lastly are you going to merge the translations? 

http://people.redhat.com/dwalsh/SELinux/pocicycoreutils-po.patch



[-- Attachment #2: diff --]
[-- Type: text/plain, Size: 5492 bytes --]

diff --exclude-from=exclude --exclude='*.po' --exclude='*.pot' -N -u -r nsapolicycoreutils/audit2allow/audit2allow policycoreutils-1.33.1/audit2allow/audit2allow
--- nsapolicycoreutils/audit2allow/audit2allow	2006-11-16 17:14:29.000000000 -0500
+++ policycoreutils-1.33.1/audit2allow/audit2allow	2006-11-15 16:29:10.000000000 -0500
@@ -184,22 +184,26 @@
 		output.write(serules.out(requires, module))
 		output.flush()
 		if buildPP:
-			cmd = "checkmodule %s -m -o %s.mod %s.te" % (get_mls_flag(), module, module)
-			print _("Compiling policy")
-			print cmd
-			rc = commands.getstatusoutput(cmd)
-			if rc[0] == 0:
-				cmd = "semodule_package -o %s.pp -m %s.mod" % (module, module)
-				if fc_file != "":
-					cmd = "%s -f %s" % (cmd, fc_file)
-					
+			if ref_ind:
+				cmd = "make -f /usr/share/selinux/devel/Makefile %s.pp" % module
+				print _("Compiling policy")
+				print cmd
+				rc = commands.getstatusoutput(cmd)
+			else:
+				cmd = "checkmodule %s -m -o %s.mod %s.te" % (get_mls_flag(), module, module)
+				print _("Compiling policy")
 				print cmd
 				rc = commands.getstatusoutput(cmd)
 				if rc[0] == 0:
-					print _("\n******************** IMPORTANT ***********************\n")
-					print (_("In order to load this newly created policy package into the kernel,\nyou are required to execute \n\nsemodule -i %s.pp\n\n") % module)
-				else:
-					errorExit(rc[1])
+					cmd = "semodule_package -o %s.pp -m %s.mod" % (module, module)
+					if fc_file != "":
+						cmd = "%s -f %s" % (cmd, fc_file)
+					
+					print cmd
+					rc = commands.getstatusoutput(cmd)
+			if rc[0] == 0:
+				print _("\n******************** IMPORTANT ***********************\n")
+				print (_("In order to load this newly created policy package into the kernel,\nyou are required to execute \n\nsemodule -i %s.pp\n\n") % module)
 			else:
 				errorExit(rc[1])
 
diff --exclude-from=exclude --exclude='*.po' --exclude='*.pot' -N -u -r nsapolicycoreutils/newrole/newrole.c policycoreutils-1.33.1/newrole/newrole.c
--- nsapolicycoreutils/newrole/newrole.c	2006-11-20 12:19:55.000000000 -0500
+++ policycoreutils-1.33.1/newrole/newrole.c	2006-11-17 11:55:39.000000000 -0500
@@ -1068,11 +1068,16 @@
 		 */
 		int rc;
 		int exit_code = 0;
+		int status;
 
 		do {
-			rc = wait(NULL);
+			rc = wait(&status);
 		} while (rc < 0 && errno == EINTR);
 
+		/* Preserve child exit status, unless there is another error. */
+		if (WIFEXITED(status))
+			exit_code = WEXITSTATUS(status);
+
 		if (restore_tty_label(fd, ttyn, tty_context, new_tty_context)) {
 			fprintf(stderr, _("Unable to restore tty label...\n"));
 			exit_code = -1;
diff --exclude-from=exclude --exclude='*.po' --exclude='*.pot' -N -u -r nsapolicycoreutils/run_init/run_init.c policycoreutils-1.33.1/run_init/run_init.c
--- nsapolicycoreutils/run_init/run_init.c	2006-11-16 17:14:27.000000000 -0500
+++ policycoreutils-1.33.1/run_init/run_init.c	2006-11-16 09:37:03.000000000 -0500
@@ -132,6 +132,14 @@
 		result = 1;	/* user authenticated OK! */
 	}
 
+	/* If we were successful, call pam_acct_mgmt() to reset the
+         * pam_tally failcount.
+         */
+	if (result && (PAM_SUCCESS != pam_acct_mgmt(pam_handle, 0)) ) {
+		fprintf(stderr, _("failed to get account information\n"));
+		exit(-1);
+	}	
+
 	/* We're done with PAM.  Free `pam_handle'. */
 	pam_end(pam_handle, PAM_SUCCESS);
 
diff --exclude-from=exclude --exclude='*.po' --exclude='*.pot' -N -u -r nsapolicycoreutils/semanage/semanage.8 policycoreutils-1.33.1/semanage/semanage.8
--- nsapolicycoreutils/semanage/semanage.8	2006-11-20 12:19:55.000000000 -0500
+++ policycoreutils-1.33.1/semanage/semanage.8	2006-11-17 09:57:31.000000000 -0500
@@ -82,9 +82,6 @@
 .TP
 .I                \-T, \-\-trans
 SELinux Translation
-.TP
-.I                \-v, \-\-verbose    
-verbose output
 
 .SH EXAMPLE
 .nf
diff --exclude-from=exclude --exclude='*.po' --exclude='*.pot' -N -u -r nsapolicycoreutils/semanage/seobject.py policycoreutils-1.33.1/semanage/seobject.py
--- nsapolicycoreutils/semanage/seobject.py	2006-11-16 17:14:26.000000000 -0500
+++ policycoreutils-1.33.1/semanage/seobject.py	2006-11-15 18:20:53.000000000 -0500
@@ -94,23 +94,25 @@
 	return re.search("^" + reg +"$",raw)
 
 def translate(raw, prepend = 1):
-	if prepend == 1:
-		context = "a:b:c:%s" % raw
+        filler="a:b:c:"
+        if prepend == 1:
+		context = "%s%s" % (filler,raw)
 	else:
 		context = raw
-	(rc, trans) = selinux.selinux_raw_to_trans_context(context)
+ 	(rc, trans) = selinux.selinux_raw_to_trans_context(context)
 	if rc != 0:
 		return raw
 	if prepend:
-		trans = trans.strip("a:b:c")
+		trans = trans[len(filler):]
 	if trans == "":
 		return raw
 	else:
 		return trans
 	
 def untranslate(trans, prepend = 1):
+        filler="a:b:c:"
  	if prepend == 1:
-		context = "a:b:c:%s" % trans
+		context = "%s%s" % (filler,trans)
 	else:
 		context = trans
 
@@ -118,7 +120,7 @@
 	if rc != 0:
 		return trans
 	if prepend:
-		raw = raw.strip("a:b:c")	
+		raw = raw[len(filler):]
 	if raw == "":
 		return trans
 	else:
@@ -157,7 +159,7 @@
 	def out(self):
 		rec = ""
 		for c in self.comments:
-			rec += c +"\n"
+			rec += c
 		keys = self.ddict.keys()
 		keys.sort()
 		for k in keys:
@@ -204,7 +206,8 @@
 		os.write(fd, self.out())
 		os.close(fd)
 		os.rename(newfilename, self.filename)
-
+                os.system("/sbin/service mcstrans reload > /dev/null")
+                
 class semanageRecords:
 	def __init__(self):
 		self.sh = semanage_handle_create()

Re: More small fixes to policycoreutils

[Joshua Brindle]

Daniel J Walsh wrote:
> audit2allow was not generating reference policy correctly.  This patches 
> fixes this and uses /usr/share/sleinux/devel/Makefile to create policy 
> packages.
> 

This is distro specific, audit2allow should be using /etc/selinux/config 
to find the interface directory to use. Further, why is this needed at all?

 > run_init needs to call pam_acct_mgmt, so that pam_tally will work
 > correctly.
 >

What is pam_tally and what does the call to pam_acct_mgmt do, and how 
does it affect run_init?

 > Also after modifying translations the mcstrans needs to be signaled.
 >
 > (I think it is time we break the mcstrans code out into a separate
 > script, maybe executed by semanage, which would allow us to write
 > tighter policy around this object and semanage.)

Its interesting that semanage manages something that is redhat specific 
and not part of the upstream utilities at all.. IMO this should never 
have been merged in the first place, semanage manages libsemanage 
abstractions, if translations were a part of libsemanage it'd be a 
different story.

> Lastly are you going to merge the translations?
> http://people.redhat.com/dwalsh/SELinux/pocicycoreutils-po.patch
> 
> 

It can be merged when a revised patchset does.

p.s. please please inline patches and make them apply from the top of 
the tree with -p1 or -p0 :)

> @@ -204,7 +206,8 @@
>  		os.write(fd, self.out())
>  		os.close(fd)
>  		os.rename(newfilename, self.filename)
> -
> +                os.system("/sbin/service mcstrans reload > /dev/null")
> +                

This is very distro specific and totally inappropriate IMO.




--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: More small fixes to policycoreutils

[Karl MacMillan]

Joshua Brindle wrote:
> Daniel J Walsh wrote:
>> audit2allow was not generating reference policy correctly.  This 
>> patches fixes this and uses /usr/share/sleinux/devel/Makefile to 
>> create policy packages.
>>
> 
> This is distro specific, audit2allow should be using /etc/selinux/config 
> to find the interface directory to use. Further, why is this needed at all?
> 

Not certain that /usr/share/selinux/targeted/include is any more general 
in reality. There is nothing stopping a distro from installing headers 
in different locations.

>  > run_init needs to call pam_acct_mgmt, so that pam_tally will work
>  > correctly.
>  >
> 
> What is pam_tally and what does the call to pam_acct_mgmt do, and how 
> does it affect run_init?
> 
>  > Also after modifying translations the mcstrans needs to be signaled.
>  >
>  > (I think it is time we break the mcstrans code out into a separate
>  > script, maybe executed by semanage, which would allow us to write
>  > tighter policy around this object and semanage.)
> 
> Its interesting that semanage manages something that is redhat specific 
> and not part of the upstream utilities at all.. IMO this should never 
> have been merged in the first place, semanage manages libsemanage 
> abstractions, if translations were a part of libsemanage it'd be a 
> different story.
> 

Why isn't setrans upstream?

>> Lastly are you going to merge the translations?
>> http://people.redhat.com/dwalsh/SELinux/pocicycoreutils-po.patch
>>
>>
> 
> It can be merged when a revised patchset does.
> 
> p.s. please please inline patches and make them apply from the top of 
> the tree with -p1 or -p0 :)
> 
>> @@ -204,7 +206,8 @@
>>          os.write(fd, self.out())
>>          os.close(fd)
>>          os.rename(newfilename, self.filename)
>> -
>> +                os.system("/sbin/service mcstrans reload > /dev/null")
>> +                
> 
> This is very distro specific and totally inappropriate IMO.
> 

Agreed - what is the solution, though?

Karl


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: More small fixes to policycoreutils

[Stephen Smalley]

On Mon, 2006-11-20 at 15:14 -0500, Karl MacMillan wrote:
> Joshua Brindle wrote:
> > Its interesting that semanage manages something that is redhat specific 
> > and not part of the upstream utilities at all.. IMO this should never 
> > have been merged in the first place, semanage manages libsemanage 
> > abstractions, if translations were a part of libsemanage it'd be a 
> > different story.
> > 
> 
> Why isn't setrans upstream?

It wasn't clear that there was any demand for it outside of Fedora /
RHEL, and it was always optional.  If other distros are going to use it
(e.g. Debian?), then I agree it should likely be added (after code
review and cleanup, of course).

> >> @@ -204,7 +206,8 @@
> >>          os.write(fd, self.out())
> >>          os.close(fd)
> >>          os.rename(newfilename, self.filename)
> >> -
> >> +                os.system("/sbin/service mcstrans reload > /dev/null")
> >> +                
> > 
> > This is very distro specific and totally inappropriate IMO.
> > 
> 
> Agreed - what is the solution, though?

Configurable pre and post scriptlets, defined externally and optional?

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: More small fixes to policycoreutils

[Daniel J Walsh]

Joshua Brindle wrote:
> Daniel J Walsh wrote:
>> audit2allow was not generating reference policy correctly.  This 
>> patches fixes this and uses /usr/share/sleinux/devel/Makefile to 
>> create policy packages.
>>
>
> This is distro specific, audit2allow should be using 
> /etc/selinux/config to find the interface directory to use. Further, 
> why is this needed at all?
>
audit2allow -R -M local -i /var/log/audit/audit.log 

Attempts to match interfaces against devel package, and build potential 
policies.  Without this change
audit2allow blows up.

Not sure what you want to extrace out of /etc/selinux/config?  The type 
of the policy? And then go to /usr/share/selinux/TYPE/include/Makefile?
> > run_init needs to call pam_acct_mgmt, so that pam_tally will work
> > correctly.
> >
>
> What is pam_tally and what does the call to pam_acct_mgmt do, and how 
> does it affect run_init?
>
I believe pam_tally increments a counter for failed logins in 
pam_authenticate and decrements it when it gets to pam_account 
management.  If it never gets there, the counter continues to increment.
> > Also after modifying translations the mcstrans needs to be signaled.
> >
> > (I think it is time we break the mcstrans code out into a separate
> > script, maybe executed by semanage, which would allow us to write
> > tighter policy around this object and semanage.)
>
> Its interesting that semanage manages something that is redhat 
> specific and not part of the upstream utilities at all.. IMO this 
> should never have been merged in the first place, semanage manages 
> libsemanage abstractions, if translations were a part of libsemanage 
> it'd be a different story.
>
Agreed, I think we should break it out and maybe allow semanage to have 
a plugin type interface, so the administrator still uses the same 
command to manage other parts of "SELinux" that do not come from upstream.
>> Lastly are you going to merge the translations?
>> http://people.redhat.com/dwalsh/SELinux/pocicycoreutils-po.patch
>>
>>
>
> It can be merged when a revised patchset does.
>
> p.s. please please inline patches and make them apply from the top of 
> the tree with -p1 or -p0 :)
>
We are applying these patches with a -p1? 
>> @@ -204,7 +206,8 @@
>>          os.write(fd, self.out())
>>          os.close(fd)
>>          os.rename(newfilename, self.filename)
>> -
>> +                os.system("/sbin/service mcstrans reload > /dev/null")
>> +                
>
> This is very distro specific and totally inappropriate IMO.
>
>
>


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: More small fixes to policycoreutils

[Joshua Brindle]

Stephen Smalley wrote:
> On Mon, 2006-11-20 at 15:14 -0500, Karl MacMillan wrote:
>> Joshua Brindle wrote:
>>> Its interesting that semanage manages something that is redhat specific 
>>> and not part of the upstream utilities at all.. IMO this should never 
>>> have been merged in the first place, semanage manages libsemanage 
>>> abstractions, if translations were a part of libsemanage it'd be a 
>>> different story.
>>>
>> Why isn't setrans upstream?
> 
> It wasn't clear that there was any demand for it outside of Fedora /
> RHEL, and it was always optional.  If other distros are going to use it
> (e.g. Debian?), then I agree it should likely be added (after code
> review and cleanup, of course).
> 

Also, is this server only for mcs? Does MLS/LSPP config use a different 
server? It seems like this needs to be more general that mcs, since that 
doesn't really mean anything anyway.

>>>> @@ -204,7 +206,8 @@
>>>>          os.write(fd, self.out())
>>>>          os.close(fd)
>>>>          os.rename(newfilename, self.filename)
>>>> -
>>>> +                os.system("/sbin/service mcstrans reload > /dev/null")
>>>> +                
>>> This is very distro specific and totally inappropriate IMO.
>>>
>> Agreed - what is the solution, though?
> 
> Configurable pre and post scriptlets, defined externally and optional?
> 

Same question as above, does semanage management of translations break 
down on MLS configs? If so I'd vote for all this code to be ripped out 
of semanage altogether and put into another tool that is specific to the 
  mcstrans server, since the translation file is server specific anyway.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: More small fixes to policycoreutils

[Stephen Smalley]

On Mon, 2006-11-20 at 16:58 -0500, Daniel J Walsh wrote:
> > What is pam_tally and what does the call to pam_acct_mgmt do, and how 
> > does it affect run_init?
> >
> I believe pam_tally increments a counter for failed logins in 
> pam_authenticate and decrements it when it gets to pam_account 
> management.  If it never gets there, the counter continues to increment.

I thought I saw that pam_tally was being moved from the generic system
auth config to specific program configs, and was thus no longer an issue
for run_init.  No?

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: More small fixes to policycoreutils

[Karl MacMillan]

Joshua Brindle wrote:
> Stephen Smalley wrote:
>> On Mon, 2006-11-20 at 15:14 -0500, Karl MacMillan wrote:
>>> Joshua Brindle wrote:
>>>> Its interesting that semanage manages something that is redhat 
>>>> specific and not part of the upstream utilities at all.. IMO this 
>>>> should never have been merged in the first place, semanage manages 
>>>> libsemanage abstractions, if translations were a part of libsemanage 
>>>> it'd be a different story.
>>>>
>>> Why isn't setrans upstream?
>>
>> It wasn't clear that there was any demand for it outside of Fedora /
>> RHEL, and it was always optional.  If other distros are going to use it
>> (e.g. Debian?), then I agree it should likely be added (after code
>> review and cleanup, of course).
>>
> 
> Also, is this server only for mcs? Does MLS/LSPP config use a different 
> server? 

No - this will work for MLS, though real MLS deployments may replace it 
with a more complex translation server.

It seems like this needs to be more general that mcs, since that
> doesn't really mean anything anyway.
> 

No idea what you mean here, but it seems worth having a component 
upstream even if it is only optionally used. Any distro that wants to 
use MLS/MCS will likely want a translation server.

>>>>> @@ -204,7 +206,8 @@
>>>>>          os.write(fd, self.out())
>>>>>          os.close(fd)
>>>>>          os.rename(newfilename, self.filename)
>>>>> -
>>>>> +                os.system("/sbin/service mcstrans reload > 
>>>>> /dev/null")
>>>>> +                
>>>> This is very distro specific and totally inappropriate IMO.
>>>>
>>> Agreed - what is the solution, though?
>>
>> Configurable pre and post scriptlets, defined externally and optional?
>>
> 
> Same question as above, does semanage management of translations break 
> down on MLS configs?

I don't think so.

  If so I'd vote for all this code to be ripped out
> of semanage altogether and put into another tool that is specific to the 
>  mcstrans server, since the translation file is server specific anyway.
> 

We are having a lot of success by pointing people towards semanage when 
they need to configure SELinux. Adding separate tools at this point 
seems counterproductive to me.

Karl


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: More small fixes to policycoreutils

[Karl MacMillan]

Stephen Smalley wrote:
> On Mon, 2006-11-20 at 15:14 -0500, Karl MacMillan wrote:
>> Joshua Brindle wrote:
>>> Its interesting that semanage manages something that is redhat specific 
>>> and not part of the upstream utilities at all.. IMO this should never 
>>> have been merged in the first place, semanage manages libsemanage 
>>> abstractions, if translations were a part of libsemanage it'd be a 
>>> different story.
>>>
>> Why isn't setrans upstream?
> 
> It wasn't clear that there was any demand for it outside of Fedora /
> RHEL, and it was always optional.  If other distros are going to use it
> (e.g. Debian?), then I agree it should likely be added (after code
> review and cleanup, of course).
> 
>>>> @@ -204,7 +206,8 @@
>>>>          os.write(fd, self.out())
>>>>          os.close(fd)
>>>>          os.rename(newfilename, self.filename)
>>>> -
>>>> +                os.system("/sbin/service mcstrans reload > /dev/null")
>>>> +                
>>> This is very distro specific and totally inappropriate IMO.
>>>
>> Agreed - what is the solution, though?
> 
> Configurable pre and post scriptlets, defined externally and optional?
> 

Maybe - though I am already concerned about the amount of work that 
semanage does that is unnecessarily (e.g., changing a user results in a 
full link / expand). So I would want to allow these scripts to only run 
when something they are interested in changes.

Would these scripts be run by libsemanage or only semanage? I assume the 
former.

Karl

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: More small fixes to policycoreutils

[Stephen Smalley]

On Mon, 2006-11-20 at 12:36 -0500, Daniel J Walsh wrote:
> Lastly are you going to merge the translations? 
> 
> http://people.redhat.com/dwalsh/SELinux/pocicycoreutils-po.patch

I merged this set of po file updates, but I'm hoping that there is some
better way to deal with them.  For example, after applying this patch
and merging it, running make in policycoreutils immediately regenerates
the files yet again with another round of changes (POT-Creation-Date
headers and line numbers in the comment annotations).  So should I
commit that as well?  I don't know how the po files are typically
maintained in other projects.

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: More small fixes to policycoreutils

[Daniel J Walsh]

Stephen Smalley wrote:
> On Mon, 2006-11-20 at 16:58 -0500, Daniel J Walsh wrote:
>   
>>> What is pam_tally and what does the call to pam_acct_mgmt do, and how 
>>> does it affect run_init?
>>>
>>>       
>> I believe pam_tally increments a counter for failed logins in 
>> pam_authenticate and decrements it when it gets to pam_account 
>> management.  If it never gets there, the counter continues to increment.
>>     
>
> I thought I saw that pam_tally was being moved from the generic system
> auth config to specific program configs, and was thus no longer an issue
> for run_init.  No?
>
>   
That might be, but after talking to Nalin, he heavily recommends that we 
use pam_acct_mgmt with a pam_permit.  He says that is the recommended 
way, and would admins to add customizations on when and how you can run 
the command.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

RE: More small fixes to policycoreutils

[Joshua Brindle]

> From: Daniel J Walsh [mailto:dwalsh@redhat.com] 
> 
> Stephen Smalley wrote:
> > On Mon, 2006-11-20 at 16:58 -0500, Daniel J Walsh wrote:
> >   
> >>> What is pam_tally and what does the call to pam_acct_mgmt do, and 
> >>> how does it affect run_init?
> >>>
> >>>       
> >> I believe pam_tally increments a counter for failed logins in 
> >> pam_authenticate and decrements it when it gets to pam_account 
> >> management.  If it never gets there, the counter continues 
> to increment.
> >>     
> >
> > I thought I saw that pam_tally was being moved from the 
> generic system 
> > auth config to specific program configs, and was thus no longer an 
> > issue for run_init.  No?
> >
> >   
> That might be, but after talking to Nalin, he heavily 
> recommends that we use pam_acct_mgmt with a pam_permit.  He 
> says that is the recommended way, and would admins to add 
> customizations on when and how you can run the command.
> 

So what does this mean as far as the patch that you sent goes? Will you
be sending out a revised one soon?


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: More small fixes to policycoreutils

[Daniel J Walsh]

[-- Attachment #1: Type: text/plain, Size: 115 bytes --]

Fixes to make sure module name is all alphabet charaters.

Fixes to generate Reference Policy modules correctly.



[-- Attachment #2: audit2allow.diff --]
[-- Type: text/x-patch, Size: 2620 bytes --]

diff --exclude-from=exclude --exclude='*.po' --exclude='*.pot' -N -u -r nsapolicycoreutils/audit2allow/audit2allow policycoreutils-1.33.4/audit2allow/audit2allow
--- nsapolicycoreutils/audit2allow/audit2allow	2006-11-16 17:14:29.000000000 -0500
+++ policycoreutils-1.33.4/audit2allow/audit2allow	2006-11-22 14:51:29.000000000 -0500
@@ -25,6 +25,7 @@
 #
 #  
 from avc import *
+import re
 
 if __name__ == '__main__':
 	import commands, sys, os, getopt, selinux
@@ -59,6 +60,11 @@
 			print msg
 		sys.exit(1)
 		
+	def verify_module(module):
+		m = re.findall("[^a-zA-Z]", module)
+		if len(m) != 0:
+			usage(_("Alphabetic Charaters Only"))
+		
 	def errorExit(error):
 		sys.stderr.write("%s: " % sys.argv[0])
 		sys.stderr.write("%s\n" % error)
@@ -125,10 +131,12 @@
 				if module != "" or a[0] == "-":
 					usage()
 				module = a
+				verify_module(module)
 			if o == "-M":
 				if module != "" or output_ind  or a[0] == "-":
 					usage()
 				module = a
+				verify_module(module)
 				outfile = a+".te"
 				buildPP = 1
 				if not os.path.exists("/usr/bin/checkmodule"):
@@ -184,22 +192,26 @@
 		output.write(serules.out(requires, module))
 		output.flush()
 		if buildPP:
-			cmd = "checkmodule %s -m -o %s.mod %s.te" % (get_mls_flag(), module, module)
-			print _("Compiling policy")
-			print cmd
-			rc = commands.getstatusoutput(cmd)
-			if rc[0] == 0:
-				cmd = "semodule_package -o %s.pp -m %s.mod" % (module, module)
-				if fc_file != "":
-					cmd = "%s -f %s" % (cmd, fc_file)
-					
+			if ref_ind:
+				cmd = "make -f /usr/share/selinux/devel/Makefile %s.pp" % module
+				print _("Compiling policy")
+				print cmd
+				rc = commands.getstatusoutput(cmd)
+			else:
+				cmd = "checkmodule %s -m -o %s.mod %s.te" % (get_mls_flag(), module, module)
+				print _("Compiling policy")
 				print cmd
 				rc = commands.getstatusoutput(cmd)
 				if rc[0] == 0:
-					print _("\n******************** IMPORTANT ***********************\n")
-					print (_("In order to load this newly created policy package into the kernel,\nyou are required to execute \n\nsemodule -i %s.pp\n\n") % module)
-				else:
-					errorExit(rc[1])
+					cmd = "semodule_package -o %s.pp -m %s.mod" % (module, module)
+					if fc_file != "":
+						cmd = "%s -f %s" % (cmd, fc_file)
+					
+					print cmd
+					rc = commands.getstatusoutput(cmd)
+			if rc[0] == 0:
+				print _("\n******************** IMPORTANT ***********************\n")
+				print (_("In order to load this newly created policy package into the kernel,\nyou are required to execute \n\nsemodule -i %s.pp\n\n") % module)
 			else:
 				errorExit(rc[1])
 

Re: More small fixes to policycoreutils

[Daniel J Walsh]

[-- Attachment #1: Type: text/plain, Size: 118 bytes --]

Fix handling of translations in python correctly.

Fix rewrite of the translations library not to insert extra lines.

[-- Attachment #2: seobject.diff --]
[-- Type: text/x-patch, Size: 1374 bytes --]

diff --exclude-from=exclude --exclude='*.po' --exclude='*.pot' -N -u -r nsapolicycoreutils/semanage/seobject.py policycoreutils-1.33.4/semanage/seobject.py
--- nsapolicycoreutils/semanage/seobject.py	2006-11-16 17:14:26.000000000 -0500
+++ policycoreutils-1.33.4/semanage/seobject.py	2006-11-22 14:11:25.000000000 -0500
@@ -94,23 +94,25 @@
 	return re.search("^" + reg +"$",raw)
 
 def translate(raw, prepend = 1):
-	if prepend == 1:
-		context = "a:b:c:%s" % raw
+        filler="a:b:c:"
+        if prepend == 1:
+		context = "%s%s" % (filler,raw)
 	else:
 		context = raw
-	(rc, trans) = selinux.selinux_raw_to_trans_context(context)
+ 	(rc, trans) = selinux.selinux_raw_to_trans_context(context)
 	if rc != 0:
 		return raw
 	if prepend:
-		trans = trans.strip("a:b:c")
+		trans = trans[len(filler):]
 	if trans == "":
 		return raw
 	else:
 		return trans
 	
 def untranslate(trans, prepend = 1):
+        filler="a:b:c:"
  	if prepend == 1:
-		context = "a:b:c:%s" % trans
+		context = "%s%s" % (filler,trans)
 	else:
 		context = trans
 
@@ -118,7 +120,7 @@
 	if rc != 0:
 		return trans
 	if prepend:
-		raw = raw.strip("a:b:c")	
+		raw = raw[len(filler):]
 	if raw == "":
 		return trans
 	else:
@@ -157,7 +159,7 @@
 	def out(self):
 		rec = ""
 		for c in self.comments:
-			rec += c +"\n"
+			rec += c
 		keys = self.ddict.keys()
 		keys.sort()
 		for k in keys:

Re: More small fixes to policycoreutils

[Daniel J Walsh]

[-- Attachment #1: Type: text/plain, Size: 44 bytes --]

No verbose flag for semanage, fix man page.

[-- Attachment #2: semanage.diff --]
[-- Type: text/x-patch, Size: 478 bytes --]

diff --exclude-from=exclude --exclude='*.po' --exclude='*.pot' -N -u -r nsapolicycoreutils/semanage/semanage.8 policycoreutils-1.33.4/semanage/semanage.8
--- nsapolicycoreutils/semanage/semanage.8	2006-11-20 12:19:55.000000000 -0500
+++ policycoreutils-1.33.4/semanage/semanage.8	2006-11-22 14:11:25.000000000 -0500
@@ -82,10 +82,7 @@
 .TP
 .I                \-T, \-\-trans
 SELinux Translation
-.TP
-.I                \-v, \-\-verbose    
-verbose output
 
 .SH EXAMPLE
 .nf
 

Re: More small fixes to policycoreutils

[Daniel J Walsh]

[-- Attachment #1: Type: text/plain, Size: 48 bytes --]

Amy's patch for handling exit codes in newrole.

[-- Attachment #2: newrole.diff --]
[-- Type: text/x-patch, Size: 764 bytes --]

diff --exclude-from=exclude --exclude='*.po' --exclude='*.pot' -N -u -r nsapolicycoreutils/newrole/newrole.c policycoreutils-1.33.4/newrole/newrole.c
--- nsapolicycoreutils/newrole/newrole.c	2006-11-20 12:19:55.000000000 -0500
+++ policycoreutils-1.33.4/newrole/newrole.c	2006-11-22 14:11:25.000000000 -0500
@@ -1068,11 +1068,16 @@
 		 */
 		int rc;
 		int exit_code = 0;
+		int status;
 
 		do {
-			rc = wait(NULL);
+			rc = wait(&status);
 		} while (rc < 0 && errno == EINTR);
 
+		/* Preserve child exit status, unless there is another error. */
+		if (WIFEXITED(status))
+			exit_code = WEXITSTATUS(status);
+
 		if (restore_tty_label(fd, ttyn, tty_context, new_tty_context)) {
 			fprintf(stderr, _("Unable to restore tty label...\n"));
 			exit_code = -1;

Re: More small fixes to policycoreutils

[Daniel J Walsh]

[-- Attachment #1: Type: text/plain, Size: 38 bytes --]

run_init patch for call pam_acct_mgmt

[-- Attachment #2: run_init.diff --]
[-- Type: text/x-patch, Size: 730 bytes --]

diff --exclude-from=exclude --exclude='*.po' --exclude='*.pot' -N -u -r nsapolicycoreutils/run_init/run_init.c policycoreutils-1.33.4/run_init/run_init.c
--- nsapolicycoreutils/run_init/run_init.c	2006-11-16 17:14:27.000000000 -0500
+++ policycoreutils-1.33.4/run_init/run_init.c	2006-11-22 14:11:25.000000000 -0500
@@ -132,6 +132,14 @@
 		result = 1;	/* user authenticated OK! */
 	}
 
+	/* If we were successful, call pam_acct_mgmt() to reset the
+         * pam_tally failcount.
+         */
+	if (result && (PAM_SUCCESS != pam_acct_mgmt(pam_handle, 0)) ) {
+		fprintf(stderr, _("failed to get account information\n"));
+		exit(-1);
+	}	
+
 	/* We're done with PAM.  Free `pam_handle'. */
 	pam_end(pam_handle, PAM_SUCCESS);
 

Re: More small fixes to policycoreutils

[Joshua Brindle]

Daniel J Walsh wrote:
> Fixes to make sure module name is all alphabet charaters.
> 
> Fixes to generate Reference Policy modules correctly.
> 
> 
> 
> ------------------------------------------------------------------------
> 
> diff --exclude-from=exclude --exclude='*.po' --exclude='*.pot' -N -u -r nsapolicycoreutils/audit2allow/audit2allow policycoreutils-1.33.4/audit2allow/audit2allow
> --- nsapolicycoreutils/audit2allow/audit2allow	2006-11-16 17:14:29.000000000 -0500
> +++ policycoreutils-1.33.4/audit2allow/audit2allow	2006-11-22 14:51:29.000000000 -0500
> @@ -25,6 +25,7 @@
>  #
>  #  
>  from avc import *
> +import re
>  
>  if __name__ == '__main__':
>  	import commands, sys, os, getopt, selinux
> @@ -59,6 +60,11 @@
>  			print msg
>  		sys.exit(1)
>  		
> +	def verify_module(module):
> +		m = re.findall("[^a-zA-Z]", module)
> +		if len(m) != 0:
> +			usage(_("Alphabetic Charaters Only"))
> +		

numbers are valid in module names, I use them all the time in fact.

>  	def errorExit(error):
>  		sys.stderr.write("%s: " % sys.argv[0])
>  		sys.stderr.write("%s\n" % error)
> @@ -125,10 +131,12 @@
>  				if module != "" or a[0] == "-":
>  					usage()
>  				module = a
> +				verify_module(module)
>  			if o == "-M":
>  				if module != "" or output_ind  or a[0] == "-":
>  					usage()
>  				module = a
> +				verify_module(module)
>  				outfile = a+".te"
>  				buildPP = 1
>  				if not os.path.exists("/usr/bin/checkmodule"):
> @@ -184,22 +192,26 @@
>  		output.write(serules.out(requires, module))
>  		output.flush()
>  		if buildPP:
> -			cmd = "checkmodule %s -m -o %s.mod %s.te" % (get_mls_flag(), module, module)
> -			print _("Compiling policy")
> -			print cmd
> -			rc = commands.getstatusoutput(cmd)
> -			if rc[0] == 0:
> -				cmd = "semodule_package -o %s.pp -m %s.mod" % (module, module)
> -				if fc_file != "":
> -					cmd = "%s -f %s" % (cmd, fc_file)
> -					
> +			if ref_ind:
> +				cmd = "make -f /usr/share/selinux/devel/Makefile %s.pp" % module

Still non-standard


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: More small fixes to policycoreutils

[Joshua Brindle]

Daniel J Walsh wrote:
> Fix handling of translations in python correctly.
> 
> Fix rewrite of the translations library not to insert extra lines.
> 
> 
> ------------------------------------------------------------------------
> 
> diff --exclude-from=exclude --exclude='*.po' --exclude='*.pot' -N -u -r nsapolicycoreutils/semanage/seobject.py policycoreutils-1.33.4/semanage/seobject.py
> --- nsapolicycoreutils/semanage/seobject.py	2006-11-16 17:14:26.000000000 -0500
> +++ policycoreutils-1.33.4/semanage/seobject.py	2006-11-22 14:11:25.000000000 -0500
> @@ -94,23 +94,25 @@
>  	return re.search("^" + reg +"$",raw)
>  
>  def translate(raw, prepend = 1):
> -	if prepend == 1:
> -		context = "a:b:c:%s" % raw
> +        filler="a:b:c:"
> +        if prepend == 1:
> +		context = "%s%s" % (filler,raw)

This is not good, why doesn't this python script use libsepol calls to 
get the MLS part of the context without manipulating the (opaque) 
context directly?

>  	else:
>  		context = raw
> -	(rc, trans) = selinux.selinux_raw_to_trans_context(context)
> + 	(rc, trans) = selinux.selinux_raw_to_trans_context(context)

?

>  	if rc != 0:
>  		return raw
>  	if prepend:
> -		trans = trans.strip("a:b:c")
> +		trans = trans[len(filler):]
>  	if trans == "":
>  		return raw
>  	else:
>  		return trans
>  	
>  def untranslate(trans, prepend = 1):
> +        filler="a:b:c:"
>   	if prepend == 1:
> -		context = "a:b:c:%s" % trans
> +		context = "%s%s" % (filler,trans)
>  	else:
>  		context = trans
>  
> @@ -118,7 +120,7 @@
>  	if rc != 0:
>  		return trans
>  	if prepend:
> -		raw = raw.strip("a:b:c")	
> +		raw = raw[len(filler):]
>  	if raw == "":
>  		return trans
>  	else:
> @@ -157,7 +159,7 @@
>  	def out(self):
>  		rec = ""
>  		for c in self.comments:
> -			rec += c +"\n"
> +			rec += c
>  		keys = self.ddict.keys()
>  		keys.sort()
>  		for k in keys:



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: More small fixes to policycoreutils

[Joshua Brindle]

Daniel J Walsh wrote:
> No verbose flag for semanage, fix man page.
> 
> 
> ------------------------------------------------------------------------
> 
> diff --exclude-from=exclude --exclude='*.po' --exclude='*.pot' -N -u -r nsapolicycoreutils/semanage/semanage.8 policycoreutils-1.33.4/semanage/semanage.8
> --- nsapolicycoreutils/semanage/semanage.8	2006-11-20 12:19:55.000000000 -0500
> +++ policycoreutils-1.33.4/semanage/semanage.8	2006-11-22 14:11:25.000000000 -0500
> @@ -82,10 +82,7 @@
>  .TP
>  .I                \-T, \-\-trans
>  SELinux Translation
> -.TP
> -.I                \-v, \-\-verbose    
> -verbose output
>  
>  .SH EXAMPLE
>  .nf
>  

Acked-By: Joshua Brindle <method@manicmethod.com>


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: More small fixes to policycoreutils

[Joshua Brindle]

Daniel J Walsh wrote:
> run_init patch for call pam_acct_mgmt
> 
> 
> ------------------------------------------------------------------------
> 
> diff --exclude-from=exclude --exclude='*.po' --exclude='*.pot' -N -u -r nsapolicycoreutils/run_init/run_init.c policycoreutils-1.33.4/run_init/run_init.c
> --- nsapolicycoreutils/run_init/run_init.c	2006-11-16 17:14:27.000000000 -0500
> +++ policycoreutils-1.33.4/run_init/run_init.c	2006-11-22 14:11:25.000000000 -0500
> @@ -132,6 +132,14 @@
>  		result = 1;	/* user authenticated OK! */
>  	}
>  
> +	/* If we were successful, call pam_acct_mgmt() to reset the
> +         * pam_tally failcount.
> +         */
> +	if (result && (PAM_SUCCESS != pam_acct_mgmt(pam_handle, 0)) ) {
> +		fprintf(stderr, _("failed to get account information\n"));
> +		exit(-1);
> +	}	
> +
>  	/* We're done with PAM.  Free `pam_handle'. */
>  	pam_end(pam_handle, PAM_SUCCESS);
>  

I thought the previous thread noted that this was unnecessary, or am I 
confused?


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: More small fixes to policycoreutils

[Joshua Brindle]

Daniel J Walsh wrote:
> Amy's patch for handling exit codes in newrole.
> 
> 
> ------------------------------------------------------------------------
> 
> diff --exclude-from=exclude --exclude='*.po' --exclude='*.pot' -N -u -r nsapolicycoreutils/newrole/newrole.c policycoreutils-1.33.4/newrole/newrole.c
> --- nsapolicycoreutils/newrole/newrole.c	2006-11-20 12:19:55.000000000 -0500
> +++ policycoreutils-1.33.4/newrole/newrole.c	2006-11-22 14:11:25.000000000 -0500
> @@ -1068,11 +1068,16 @@
>  		 */
>  		int rc;
>  		int exit_code = 0;
> +		int status;
>  
>  		do {
> -			rc = wait(NULL);
> +			rc = wait(&status);
>  		} while (rc < 0 && errno == EINTR);
>  
> +		/* Preserve child exit status, unless there is another error. */
> +		if (WIFEXITED(status))
> +			exit_code = WEXITSTATUS(status);
> +
>  		if (restore_tty_label(fd, ttyn, tty_context, new_tty_context)) {
>  			fprintf(stderr, _("Unable to restore tty label...\n"));
>  			exit_code = -1;

Acked-By: Joshua Brindle <method@manicmethod.com>


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: More small fixes to policycoreutils

[Daniel J Walsh]

Joshua Brindle wrote:
> Daniel J Walsh wrote:
>> run_init patch for call pam_acct_mgmt
>>
>>
>> ------------------------------------------------------------------------
>>
>> diff --exclude-from=exclude --exclude='*.po' --exclude='*.pot' -N -u 
>> -r nsapolicycoreutils/run_init/run_init.c 
>> policycoreutils-1.33.4/run_init/run_init.c
>> --- nsapolicycoreutils/run_init/run_init.c    2006-11-16 
>> 17:14:27.000000000 -0500
>> +++ policycoreutils-1.33.4/run_init/run_init.c    2006-11-22 
>> 14:11:25.000000000 -0500
>> @@ -132,6 +132,14 @@
>>          result = 1;    /* user authenticated OK! */
>>      }
>>  
>> +    /* If we were successful, call pam_acct_mgmt() to reset the
>> +         * pam_tally failcount.
>> +         */
>> +    if (result && (PAM_SUCCESS != pam_acct_mgmt(pam_handle, 0)) ) {
>> +        fprintf(stderr, _("failed to get account information\n"));
>> +        exit(-1);
>> +    }   
>> +
>>      /* We're done with PAM.  Free `pam_handle'. */
>>      pam_end(pam_handle, PAM_SUCCESS);
>>  
>
> I thought the previous thread noted that this was unnecessary, or am I 
> confused?
>
The pam_tally might not be required anymore.  But best practices says 
put it in there.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: More small fixes to policycoreutils

[Daniel J Walsh]

Joshua Brindle wrote:
> Daniel J Walsh wrote:
>> Fix handling of translations in python correctly.
>>
>> Fix rewrite of the translations library not to insert extra lines.
>>
>>
>> ------------------------------------------------------------------------
>>
>> diff --exclude-from=exclude --exclude='*.po' --exclude='*.pot' -N -u 
>> -r nsapolicycoreutils/semanage/seobject.py 
>> policycoreutils-1.33.4/semanage/seobject.py
>> --- nsapolicycoreutils/semanage/seobject.py    2006-11-16 
>> 17:14:26.000000000 -0500
>> +++ policycoreutils-1.33.4/semanage/seobject.py    2006-11-22 
>> 14:11:25.000000000 -0500
>> @@ -94,23 +94,25 @@
>>      return re.search("^" + reg +"$",raw)
>>  
>>  def translate(raw, prepend = 1):
>> -    if prepend == 1:
>> -        context = "a:b:c:%s" % raw
>> +        filler="a:b:c:"
>> +        if prepend == 1:
>> +        context = "%s%s" % (filler,raw)
>
> This is not good, why doesn't this python script use libsepol calls to 
> get the MLS part of the context without manipulating the (opaque) 
> context directly?
>
Huh?  This is used to verify MLS Componants being added to users and 
levels by semanage.  There is no TYPE componant. so all we have is the 
MLS s0:15 or so-PatientRecord.
>>      else:
>>          context = raw
>> -    (rc, trans) = selinux.selinux_raw_to_trans_context(context)
>> +     (rc, trans) = selinux.selinux_raw_to_trans_context(context)
>
> ?
Ignore.
>
>>      if rc != 0:
>>          return raw
>>      if prepend:
>> -        trans = trans.strip("a:b:c")
>> +        trans = trans[len(filler):]
>>      if trans == "":
>>          return raw
>>      else:
>>          return trans
>>     
>>  def untranslate(trans, prepend = 1):
>> +        filler="a:b:c:"
>>       if prepend == 1:
>> -        context = "a:b:c:%s" % trans
>> +        context = "%s%s" % (filler,trans)
>>      else:
>>          context = trans
>>  
>> @@ -118,7 +120,7 @@
>>      if rc != 0:
>>          return trans
>>      if prepend:
>> -        raw = raw.strip("a:b:c")   
>> +        raw = raw[len(filler):]
>>      if raw == "":
>>          return trans
>>      else:
>> @@ -157,7 +159,7 @@
>>      def out(self):
>>          rec = ""
>>          for c in self.comments:
>> -            rec += c +"\n"
>> +            rec += c
>>          keys = self.ddict.keys()
>>          keys.sort()
>>          for k in keys:
>
>


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: More small fixes to policycoreutils

[Daniel J Walsh]

[-- Attachment #1: Type: text/plain, Size: 177 bytes --]

Joshua Brindle wrote:
> Daniel J Walsh wrote:
>> Fixes to make sure module name is all alphabet charaters.
>>
Added
>
> Still non-standard
>
Fine, I will go with your standard.

[-- Attachment #2: audit2allow.diff --]
[-- Type: text/x-patch, Size: 2765 bytes --]

diff --exclude-from=exclude --exclude='*.po' --exclude='*.pot' -N -u -r nsapolicycoreutils/audit2allow/audit2allow policycoreutils-1.33.4/audit2allow/audit2allow
--- nsapolicycoreutils/audit2allow/audit2allow	2006-11-16 17:14:29.000000000 -0500
+++ policycoreutils-1.33.4/audit2allow/audit2allow	2006-11-22 16:16:37.000000000 -0500
@@ -29,6 +29,7 @@
 if __name__ == '__main__':
 	import commands, sys, os, getopt, selinux
         import gettext
+	import re
         try:
                 gettext.install('policycoreutils')
         except:
@@ -59,6 +60,11 @@
 			print msg
 		sys.exit(1)
 		
+	def verify_module(module):
+		m = re.findall("[^a-zA-Z0-9]", module)
+		if len(m) != 0:
+			usage(_("Alphanumeric Charaters Only"))
+		
 	def errorExit(error):
 		sys.stderr.write("%s: " % sys.argv[0])
 		sys.stderr.write("%s\n" % error)
@@ -125,10 +131,12 @@
 				if module != "" or a[0] == "-":
 					usage()
 				module = a
+				verify_module(module)
 			if o == "-M":
 				if module != "" or output_ind  or a[0] == "-":
 					usage()
 				module = a
+				verify_module(module)
 				outfile = a+".te"
 				buildPP = 1
 				if not os.path.exists("/usr/bin/checkmodule"):
@@ -184,22 +192,27 @@
 		output.write(serules.out(requires, module))
 		output.flush()
 		if buildPP:
-			cmd = "checkmodule %s -m -o %s.mod %s.te" % (get_mls_flag(), module, module)
-			print _("Compiling policy")
-			print cmd
-			rc = commands.getstatusoutput(cmd)
-			if rc[0] == 0:
-				cmd = "semodule_package -o %s.pp -m %s.mod" % (module, module)
-				if fc_file != "":
-					cmd = "%s -f %s" % (cmd, fc_file)
-					
+			if ref_ind:
+				rc, type = selinux.selinux_getpolicytype()
+				cmd = "make -f /usr/share/selinux/%s/include/Makefile %s.pp" % (type, module)
+				print _("Compiling policy")
+				print cmd
+				rc = commands.getstatusoutput(cmd)
+			else:
+				cmd = "checkmodule %s -m -o %s.mod %s.te" % (get_mls_flag(), module, module)
+				print _("Compiling policy")
 				print cmd
 				rc = commands.getstatusoutput(cmd)
 				if rc[0] == 0:
-					print _("\n******************** IMPORTANT ***********************\n")
-					print (_("In order to load this newly created policy package into the kernel,\nyou are required to execute \n\nsemodule -i %s.pp\n\n") % module)
-				else:
-					errorExit(rc[1])
+					cmd = "semodule_package -o %s.pp -m %s.mod" % (module, module)
+					if fc_file != "":
+						cmd = "%s -f %s" % (cmd, fc_file)
+					
+					print cmd
+					rc = commands.getstatusoutput(cmd)
+			if rc[0] == 0:
+				print _("\n******************** IMPORTANT ***********************\n")
+				print (_("In order to load this newly created policy package into the kernel,\nyou are required to execute \n\nsemodule -i %s.pp\n\n") % module)
 			else:
 				errorExit(rc[1])
 

Re: More small fixes to policycoreutils

[Joshua Brindle]

Daniel J Walsh wrote:
> Joshua Brindle wrote:
>> Daniel J Walsh wrote:
>>> run_init patch for call pam_acct_mgmt
>>>
>>>
>>> ------------------------------------------------------------------------
>>>
>>> diff --exclude-from=exclude --exclude='*.po' --exclude='*.pot' -N -u 
>>> -r nsapolicycoreutils/run_init/run_init.c 
>>> policycoreutils-1.33.4/run_init/run_init.c
>>> --- nsapolicycoreutils/run_init/run_init.c    2006-11-16 
>>> 17:14:27.000000000 -0500
>>> +++ policycoreutils-1.33.4/run_init/run_init.c    2006-11-22 
>>> 14:11:25.000000000 -0500
>>> @@ -132,6 +132,14 @@
>>>          result = 1;    /* user authenticated OK! */
>>>      }
>>>  
>>> +    /* If we were successful, call pam_acct_mgmt() to reset the
>>> +         * pam_tally failcount.
>>> +         */
>>> +    if (result && (PAM_SUCCESS != pam_acct_mgmt(pam_handle, 0)) ) {
>>> +        fprintf(stderr, _("failed to get account information\n"));
>>> +        exit(-1);
>>> +    }   +
>>>      /* We're done with PAM.  Free `pam_handle'. */
>>>      pam_end(pam_handle, PAM_SUCCESS);
>>>  
>>
>> I thought the previous thread noted that this was unnecessary, or am I 
>> confused?
>>
> The pam_tally might not be required anymore.  But best practices says 
> put it in there.
> 

Ok,

Acked-By: Joshua Brindle <jbrindle@tresys.com>


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: More small fixes to policycoreutils

[Joshua Brindle]

Daniel J Walsh wrote:
> Joshua Brindle wrote:
>> Daniel J Walsh wrote:
>>> Fixes to make sure module name is all alphabet charaters.
>>>
> Added
>>
>> Still non-standard
>>
> Fine, I will go with your standard.
> 
> 
> ------------------------------------------------------------------------
> 
> diff --exclude-from=exclude --exclude='*.po' --exclude='*.pot' -N -u -r nsapolicycoreutils/audit2allow/audit2allow policycoreutils-1.33.4/audit2allow/audit2allow
> --- nsapolicycoreutils/audit2allow/audit2allow	2006-11-16 17:14:29.000000000 -0500
> +++ policycoreutils-1.33.4/audit2allow/audit2allow	2006-11-22 16:16:37.000000000 -0500
> @@ -29,6 +29,7 @@
>  if __name__ == '__main__':
>  	import commands, sys, os, getopt, selinux
>          import gettext
> +	import re
>          try:
>                  gettext.install('policycoreutils')
>          except:
> @@ -59,6 +60,11 @@
>  			print msg
>  		sys.exit(1)
>  		
> +	def verify_module(module):
> +		m = re.findall("[^a-zA-Z0-9]", module)
> +		if len(m) != 0:
> +			usage(_("Alphanumeric Charaters Only"))
> +		
>  	def errorExit(error):
>  		sys.stderr.write("%s: " % sys.argv[0])
>  		sys.stderr.write("%s\n" % error)
> @@ -125,10 +131,12 @@
>  				if module != "" or a[0] == "-":
>  					usage()
>  				module = a
> +				verify_module(module)
>  			if o == "-M":
>  				if module != "" or output_ind  or a[0] == "-":
>  					usage()
>  				module = a
> +				verify_module(module)
>  				outfile = a+".te"
>  				buildPP = 1
>  				if not os.path.exists("/usr/bin/checkmodule"):
> @@ -184,22 +192,27 @@
>  		output.write(serules.out(requires, module))
>  		output.flush()
>  		if buildPP:
> -			cmd = "checkmodule %s -m -o %s.mod %s.te" % (get_mls_flag(), module, module)
> -			print _("Compiling policy")
> -			print cmd
> -			rc = commands.getstatusoutput(cmd)
> -			if rc[0] == 0:
> -				cmd = "semodule_package -o %s.pp -m %s.mod" % (module, module)
> -				if fc_file != "":
> -					cmd = "%s -f %s" % (cmd, fc_file)
> -					
> +			if ref_ind:
> +				rc, type = selinux.selinux_getpolicytype()
> +				cmd = "make -f /usr/share/selinux/%s/include/Makefile %s.pp" % (type, module)
> +				print _("Compiling policy")
> +				print cmd
> +				rc = commands.getstatusoutput(cmd)
> +			else:
> +				cmd = "checkmodule %s -m -o %s.mod %s.te" % (get_mls_flag(), module, module)
> +				print _("Compiling policy")
>  				print cmd
>  				rc = commands.getstatusoutput(cmd)
>  				if rc[0] == 0:
> -					print _("\n******************** IMPORTANT ***********************\n")
> -					print (_("In order to load this newly created policy package into the kernel,\nyou are required to execute \n\nsemodule -i %s.pp\n\n") % module)
> -				else:
> -					errorExit(rc[1])
> +					cmd = "semodule_package -o %s.pp -m %s.mod" % (module, module)
> +					if fc_file != "":
> +						cmd = "%s -f %s" % (cmd, fc_file)
> +					
> +					print cmd
> +					rc = commands.getstatusoutput(cmd)
> +			if rc[0] == 0:
> +				print _("\n******************** IMPORTANT ***********************\n")
> +				print (_("In order to load this newly created policy package into the kernel,\nyou are required to execute \n\nsemodule -i %s.pp\n\n") % module)
>  			else:
>  				errorExit(rc[1])
>  


Acked-By: Joshua Brindle <jbrindle@tresys.com>


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

RE: More small fixes to policycoreutils

[Joshua Brindle]

> From: Daniel J Walsh [mailto:dwalsh@redhat.com] 
> 
> Joshua Brindle wrote:
> > Daniel J Walsh wrote:
> >> Fixes to make sure module name is all alphabet charaters.
> >>
> Added
> >
> > Still non-standard
> >
> Fine, I will go with your standard.
> 

Merged this, the error status patch, the verbose man page fix and
pam_acct_mgmt patches as of policycoreutils 1.33.6

Thanks.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.