* Policycoreutils patches
From: Daniel J Walsh @ 2007-01-03 18:05 UTC (permalink / raw)
To: Stephen Smalley, SE Linux
Bunch of patches separated so you can approve/deny them separately.
avc patch removes optional_policy name from audit2allow.
pyver patch removes hardcoding of python version from makefile. Will
use the version of the installed python.
newrole patch to use O_RDWR for terminals to fix more problems.
fixfiles patch fixes a problem where fixfiles was writing "not a tty" to
the current directory when there was no terminal.
seobject patch is somewhat more controversial, but at least parts of it
should be accepted.
- Fixes translation of portions of security context.
- Get rid of excess "\n"
- Restart mcstrans to realize file changed.
- Verify prefix is valid
- Modify roles correctly, currently role removal does not work without
this fix.
[-- Attachment #2: policycoreutils-avc.patch --]
--- nsapolicycoreutils/audit2allow/avc.py 2006-11-16 17:14:29.000000000 -0500
+++ policycoreutils-1.33.6/audit2allow/avc.py 2006-12-20 14:59:04.000000000 -0500
@@ -231,7 +231,7 @@
else:
file = m[0][1]
ret = "\n#%s\n"% self.out()
- ret += "optional_policy(`%s', `\n" % m[0][1]
+ ret += "optional_policy(`\n"
first = True
for i in m:
if file != i[1]:
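Review bot: only the opening of the optional_policy block changes here, from the two-argument `optional_policy(`%s', `` form to the single-argument `optional_policy(``; the matching close that out() emits later is outside this hunk and must now produce a plain `')` for the generated output to stay balanced. `file = m[0][1]` is still needed by the `if file != i[1]` comparison below, so keeping that assignment is correct.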
[-- Attachment #3: policycoreutils-pyver.patch --]
diff --exclude-from=exclude --exclude POTFILES.in --exclude='*.po' --exclude='*.pot' -N -u -r nsapolicycoreutils/audit2allow/Makefile policycoreutils-1.33.6/audit2allow/Makefile
--- nsapolicycoreutils/audit2allow/Makefile 2006-11-16 17:14:29.000000000 -0500
+++ policycoreutils-1.33.6/audit2allow/Makefile 2006-12-20 14:59:04.000000000 -0500
@@ -4,7 +4,7 @@
LIBDIR ?= $(PREFIX)/lib
MANDIR ?= $(PREFIX)/share/man
LOCALEDIR ?= /usr/share/locale
-PYLIBVER ?= python2.4
+PYLIBVER ?= $(shell python -c 'import sys;print "python%d.%d" % sys.version_info[0:2]')
PYTHONLIBDIR ?= $(LIBDIR)/$(PYLIBVER)
TARGETS=audit2allow
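Review bot: `$(shell python -c ...)` pins the build to whatever `python` is first on PATH and to the Python 2 print-statement syntax; a `PYTHON ?= python` variable used as `$(PYTHON) -c ...` would let packagers pick the interpreter the scripts are actually installed for. The same expression is duplicated in semanage/Makefile in the next hunk; keep the two in sync or hoist it into a shared include.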
diff --exclude-from=exclude --exclude POTFILES.in --exclude='*.po' --exclude='*.pot' -N -u -r nsapolicycoreutils/semanage/Makefile policycoreutils-1.33.6/semanage/Makefile
--- nsapolicycoreutils/semanage/Makefile 2006-11-16 17:14:26.000000000 -0500
+++ policycoreutils-1.33.6/semanage/Makefile 2006-12-20 14:59:04.000000000 -0500
@@ -3,7 +3,7 @@
LIBDIR ?= $(PREFIX)/lib
SBINDIR ?= $(PREFIX)/sbin
MANDIR = $(PREFIX)/share/man
-PYLIBVER ?= python2.4
+PYLIBVER ?= $(shell python -c 'import sys;print "python%d.%d" % sys.version_info[0:2]')
PYTHONLIBDIR ?= $(LIBDIR)/$(PYLIBVER)
TARGETS=semanage
[-- Attachment #4: policycoreutils-newrole.patch --]
--- nsapolicycoreutils/newrole/newrole.c 2006-11-29 17:11:18.000000000 -0500
+++ policycoreutils-1.33.6/newrole/newrole.c 2006-12-20 14:59:04.000000000 -0500
@@ -1120,10 +1120,10 @@
fd = open(ttyn, O_RDONLY);
if (fd != 0)
goto err_close_pam;
- fd = open(ttyn, O_WRONLY);
+ fd = open(ttyn, O_RDWR);
if (fd != 1)
goto err_close_pam;
- fd = open(ttyn, O_WRONLY);
+ fd = open(ttyn, O_RDWR);
if (fd != 2)
goto err_close_pam;
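Review bot: the `fd != 0` / `fd != 1` / `fd != 2` checks rely on descriptors 0..2 having been closed immediately before these opens so that open() hands back the lowest free descriptor; if that precondition ever fails, the branch to err_close_pam leaves the just-opened tty descriptor open. Closing `fd` before the goto whenever it is neither -1 nor the expected number would avoid the leak. O_RDWR for descriptors 1 and 2 itself is fine and matches the description.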
[-- Attachment #5: policycoreutils-fixfiles.patch --]
--- nsapolicycoreutils/scripts/fixfiles 2006-11-16 17:14:27.000000000 -0500
+++ policycoreutils-1.33.6/scripts/fixfiles 2007-01-02 10:51:58.000000000 -0500
@@ -29,6 +29,9 @@
RPMILES=""
OUTFILES=""
LOGFILE=`tty`
+if [ $1 != 0 ]; then
+ LOGFILE="/dev/null"
+fi
SYSLOGFLAG="-l"
LOGGER=/usr/sbin/logger
SETFILES=/sbin/setfiles
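Review bot: `if [ $1 != 0 ]` tests the script's first positional argument, not the exit status of the preceding `tty` command (that is `$?`), so it never detects the no-terminal case; `LOGFILE=$(tty) || LOGFILE=/dev/null` expresses the intent directly. Unquoted `$1` also turns the test into a syntax error when fixfiles is run with no arguments.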
[-- Attachment #6: policycoreutils-seobject.patch --]
--- nsapolicycoreutils/semanage/seobject.py 2006-11-16 17:14:26.000000000 -0500
+++ policycoreutils-1.33.6/semanage/seobject.py 2006-12-20 14:59:04.000000000 -0500
@@ -94,23 +94,25 @@
return re.search("^" + reg +"$",raw)
def translate(raw, prepend = 1):
- if prepend == 1:
- context = "a:b:c:%s" % raw
+ filler="a:b:c:"
+ if prepend == 1:
+ context = "%s%s" % (filler,raw)
else:
context = raw
- (rc, trans) = selinux.selinux_raw_to_trans_context(context)
+ (rc, trans) = selinux.selinux_raw_to_trans_context(context)
if rc != 0:
return raw
if prepend:
- trans = trans.strip("a:b:c")
+ trans = trans[len(filler):]
if trans == "":
return raw
else:
return trans
def untranslate(trans, prepend = 1):
+ filler="a:b:c:"
if prepend == 1:
- context = "a:b:c:%s" % trans
+ context = "%s%s" % (filler,trans)
else:
context = trans
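Review bot: replacing `strip("a:b:c")` with `trans[len(filler):]` is the right fix, since str.strip() removes any of the characters a, b, c and : from both ends rather than removing the prefix. The slice still assumes the translated string begins with the filler; an explicit `if trans.startswith(filler)` guard would avoid mangling the result if the translator ever rewrites the leading fields. `filler` is defined separately in translate() and untranslate(); one module-level constant would keep them from drifting. The untranslate() hunk that follows has the same shape and the same remarks apply.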
@@ -118,7 +120,7 @@
if rc != 0:
return trans
if prepend:
- raw = raw.strip("a:b:c")
+ raw = raw[len(filler):]
if raw == "":
return trans
else:
@@ -157,7 +159,7 @@
def out(self):
rec = ""
for c in self.comments:
- rec += c +"\n"
+ rec += c
keys = self.ddict.keys()
keys.sort()
for k in keys:
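Review bot: dropping the `"\n"` in out() assumes every entry of self.comments still carries the newline it was read with; any comment added without a trailing newline will now be joined onto the following record. Stripping on read and appending the newline here (or the reverse) keeps that invariant in one place.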
@@ -204,7 +206,8 @@
os.write(fd, self.out())
os.close(fd)
os.rename(newfilename, self.filename)
-
+ os.system("/sbin/service mcstrans reload > /dev/null")
+
class semanageRecords:
def __init__(self):
self.sh = semanage_handle_create()
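Review bot: the cover letter says mcstrans is restarted, but the hunk runs `mcstrans reload`; the description should match what the code does. The `os.system` return value is ignored and only stdout is silenced, so a failed reload is neither reported nor logged; `subprocess.call` with an argument list and a checked return code would be safer. The /sbin/service path is distribution-specific, so this belongs behind an overridable hook script rather than inline in seobject.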
@@ -456,7 +460,8 @@
rc = semanage_user_set_mlslevel(self.sh, u, selevel)
if rc < 0:
raise ValueError(_("Could not set MLS level for %s") % name)
-
+ if selinux.security_check_context("system_u:object_r:%s_home_t:s0" % prefix) != 0:
+ raise ValueError(_("Invalid prefix %s") % prefix)
rc = semanage_user_set_prefix(self.sh, u, prefix)
if rc < 0:
raise ValueError(_("Could not add prefix %s for %s") % (r, prefix))
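Review bot: the validity probe hard-codes an MLS suffix, `system_u:object_r:%s_home_t:s0`, which fails on a non-MLS policy, while the matching check in the modify hunk below omits `:s0`; the two should agree and derive the suffix from is_mls_enabled. In the context lines, `raise ValueError(_("Could not add prefix %s for %s") % (r, prefix))` formats `r`, a role loop variable, where the user name is expected; `(prefix, name)` looks intended.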
@@ -522,11 +527,17 @@
semanage_user_set_mlslevel(self.sh, u, untranslate(selevel))
if prefix != "":
- semanage_user_set_prefix(self.sh, u, prefix)
+ if selinux.security_check_context("system_u:object_r:%s_home_t" % prefix) != 0:
+ raise ValueError(_("Invalid prefix %s") % prefix)
+ semanage_user_set_prefix(self.sh, u, prefix)
if len(roles) != 0:
- for r in roles:
- semanage_user_add_role(self.sh, u, r)
+ for r in rlist:
+ if r not in roles:
+ semanage_user_del_role(u, r)
+ for r in roles:
+ if r not in rlist:
+ semanage_user_add_role(self.sh, u, r)
rc = semanage_begin_transaction(self.sh)
if rc < 0:
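Review bot: `rlist` is not defined anywhere in this hunk, so the patch assumes the caller has already loaded the user's current roles into it; that needs checking in the surrounding code. The whole block is guarded by `if len(roles) != 0`, so a modify that passes no roles leaves the existing roles untouched rather than clearing them. The prefix check here, without `:s0`, disagrees with the `:s0` form used in the add hunk above.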
From: Stephen Smalley @ 2007-01-04 16:28 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: SE Linux, Karl MacMillan
On Wed, 2007-01-03 at 13:05 -0500, Daniel J Walsh wrote:
> Bunch of patches separated so you can approve/deny them separately.
>
> avc patch removes optional_policy name from audit2allow.
>
> pyver patch removes hardcoding of python version from makefile. Will
> use the version of the installed python.
>
> newrole patch to use O_RDWR for terminals to fix more problems.
>
> fixfiles patch fixes a problem where fixfiles was writing "not a tty" to
> the current directory when there was no terminal.
>
> seobject patch is somewhat more controversial, but at least parts of it
> should be accepted.
>
> - Fixes translation of portions of security context.
> - Get rid of excess "\n"
> - Restart mcstrans to realize file changed.
> - Verify prefix is valid
> - Modify roles correctly, currently role removal does not work without
> this fix.
One patch per message is better for review and processing.
I don't think the fixfiles patch does what you think ($1 is the first
argument, not the exit status of the prior command).
newrole patch was already acked by Karl, not sure why it hasn't been
merged.
I had thought that there was some discussion of generalizing the
mcstrans restart to a generic pre/post scriptlet
facility. /sbin/service and mcstrans are fairly distro-specific, right?
At least wrap it with some script installed as part of policycoreutils,
with a default one that does nothing, and then Fedora can ship one that
does /sbin/service mcstrans restart.
prefix validity check would ideally happen in libsemanage using
libsepol; we'd like to avoid making assumptions in seobject about
particular context values.
--
Stephen Smalley
National Security Agency
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
From: Stephen Smalley @ 2007-01-04 16:49 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: SE Linux, Karl MacMillan
On Thu, 2007-01-04 at 11:28 -0500, Stephen Smalley wrote:
> On Wed, 2007-01-03 at 13:05 -0500, Daniel J Walsh wrote:
> > Bunch of patches separated so you can approve/deny them separately.
> >
> > avc patch removes optional_policy name from audit2allow.
> >
> > pyver patch removes hardcoding of python version from makefile. Will
> > use the version of the installed python.
> >
> > newrole patch to use O_RDWR for terminals to fix more problems.
> >
> > fixfiles patch fixes a problem where fixfiles was writing "not a tty" to
> > the current directory when there was no terminal.
> >
> > seobject patch is somewhat more controversial, but at least parts of it
> > should be accepted.
> >
> > - Fixes translation of portions of security context.
> > - Get rid of excess "\n"
> > - Restart mcstrans to realize file changed.
> > - Verify prefix is valid
> > - Modify roles correctly, currently role removal does not work without
> > this fix.
>
> One patch per message is better for review and processing.
>
> I don't think the fixfiles patch does what you think ($1 is the first
> argument, not the exit status of the prior command).
>
> newrole patch was already acked by Karl, not sure why it hasn't been
> merged.
>
> I had thought that there was some discussion of generalizing the
> mcstrans restart to a generic pre/post scriptlet
> facility. /sbin/service and mcstrans are fairly distro-specific, right?
> At least wrap it with some script installed as part of policycoreutils,
> with a default one that does nothing, and then Fedora can ship one that
> does /sbin/service mcstrans restart.
>
> prefix validity check would ideally happen in libsemanage using
> libsepol; we'd like to avoid making assumptions in seobject about
> particular context values.
Merged everything except for the fixfiles patch and the seobject patch.
--
Stephen Smalley
National Security Agency
From: Daniel J Walsh @ 2007-01-04 22:07 UTC (permalink / raw)
To: Stephen Smalley; +Cc: SE Linux, Karl MacMillan
Ok this part of the seobject patch should not be controversial.
This patch fixes modification of roles.
[-- Attachment #2: diff --]
diff --exclude-from=exclude --exclude POTFILES.in --exclude='*.po' --exclude='*.pot' -N -u -r nsapolicycoreutils/semanage/seobject.py policycoreutils-1.33.8/semanage/seobject.py
--- nsapolicycoreutils/semanage/seobject.py 2006-11-16 17:14:26.000000000 -0500
+++ policycoreutils-1.33.8/semanage/seobject.py 2007-01-04 17:06:25.000000000 -0500
@@ -525,8 +525,12 @@
semanage_user_set_prefix(self.sh, u, prefix)
if len(roles) != 0:
- for r in roles:
- semanage_user_add_role(self.sh, u, r)
+ for r in rlist:
+ if r not in roles:
+ semanage_user_del_role(u, r)
+ for r in roles:
+ if r not in rlist:
+ semanage_user_add_role(self.sh, u, r)
rc = semanage_begin_transaction(self.sh)
if rc < 0:
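Review bot: same logic as the earlier seobject hunk: removal only runs when `len(roles) != 0`, so an empty role list is a no-op rather than "remove all roles", and `rlist` must already hold the user's current roles at this point. The asymmetric calls (`semanage_user_del_role(u, r)` without the handle, `semanage_user_add_role(self.sh, u, r)` with it) follow the libsemanage signatures, so that difference is not a bug.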
From: Stephen Smalley @ 2007-01-05 18:16 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: SE Linux, Karl MacMillan
On Thu, 2007-01-04 at 17:07 -0500, Daniel J Walsh wrote:
> Ok this part of the seobject patch should not be controversial.
>
> This patch fixes modification of roles.
> >
>
> plain text document attachment (diff)
> diff --exclude-from=exclude --exclude POTFILES.in --exclude='*.po' --exclude='*.pot' -N -u -r nsapolicycoreutils/semanage/seobject.py policycoreutils-1.33.8/semanage/seobject.py
> --- nsapolicycoreutils/semanage/seobject.py 2006-11-16 17:14:26.000000000 -0500
> +++ policycoreutils-1.33.8/semanage/seobject.py 2007-01-04 17:06:25.000000000 -0500
> @@ -525,8 +525,12 @@
> semanage_user_set_prefix(self.sh, u, prefix)
>
> if len(roles) != 0:
> - for r in roles:
> - semanage_user_add_role(self.sh, u, r)
> + for r in rlist:
> + if r not in roles:
> + semanage_user_del_role(u, r)
> + for r in roles:
> + if r not in rlist:
> + semanage_user_add_role(self.sh, u, r)
>
> rc = semanage_begin_transaction(self.sh)
> if rc < 0:
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
--
Stephen Smalley
National Security Agency
From: Stephen Smalley @ 2007-01-05 18:55 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: SE Linux, Karl MacMillan
On Fri, 2007-01-05 at 13:16 -0500, Stephen Smalley wrote:
> On Thu, 2007-01-04 at 17:07 -0500, Daniel J Walsh wrote:
> > Ok this part of the seobject patch should not be controversial.
> >
> > This patch fixes modification of roles.
> > >
> >
> > plain text document attachment (diff)
> > diff --exclude-from=exclude --exclude POTFILES.in --exclude='*.po' --exclude='*.pot' -N -u -r nsapolicycoreutils/semanage/seobject.py policycoreutils-1.33.8/semanage/seobject.py
> > --- nsapolicycoreutils/semanage/seobject.py 2006-11-16 17:14:26.000000000 -0500
> > +++ policycoreutils-1.33.8/semanage/seobject.py 2007-01-04 17:06:25.000000000 -0500
> > @@ -525,8 +525,12 @@
> > semanage_user_set_prefix(self.sh, u, prefix)
> >
> > if len(roles) != 0:
> > - for r in roles:
> > - semanage_user_add_role(self.sh, u, r)
> > + for r in rlist:
> > + if r not in roles:
> > + semanage_user_del_role(u, r)
> > + for r in roles:
> > + if r not in rlist:
> > + semanage_user_add_role(self.sh, u, r)
> >
> > rc = semanage_begin_transaction(self.sh)
> > if rc < 0:
>
> Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Question though - what should happen if len(role) == 0? Is that even
possible?
--
Stephen Smalley
National Security Agency
From: Daniel J Walsh @ 2007-01-08 16:15 UTC (permalink / raw)
To: Stephen Smalley; +Cc: SE Linux, Karl MacMillan
Stephen Smalley wrote:
> On Fri, 2007-01-05 at 13:16 -0500, Stephen Smalley wrote:
>
>> On Thu, 2007-01-04 at 17:07 -0500, Daniel J Walsh wrote:
>>
>>> Ok this part of the seobject patch should not be controversial.
>>>
>>> This patch fixes modification of roles.
>>>
>>>>
>>>>
>>> plain text document attachment (diff)
>>> diff --exclude-from=exclude --exclude POTFILES.in --exclude='*.po' --exclude='*.pot' -N -u -r nsapolicycoreutils/semanage/seobject.py policycoreutils-1.33.8/semanage/seobject.py
>>> --- nsapolicycoreutils/semanage/seobject.py 2006-11-16 17:14:26.000000000 -0500
>>> +++ policycoreutils-1.33.8/semanage/seobject.py 2007-01-04 17:06:25.000000000 -0500
>>> @@ -525,8 +525,12 @@
>>> semanage_user_set_prefix(self.sh, u, prefix)
>>>
>>> if len(roles) != 0:
>>> - for r in roles:
>>> - semanage_user_add_role(self.sh, u, r)
>>> + for r in rlist:
>>> + if r not in roles:
>>> + semanage_user_del_role(u, r)
>>> + for r in roles:
>>> + if r not in rlist:
>>> + semanage_user_add_role(self.sh, u, r)
>>>
>>> rc = semanage_begin_transaction(self.sh)
>>> if rc < 0:
>>>
>> Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
>>
>
> Question though - what should happen if len(role) == 0? Is that even
> possible?
>
>
semanage user -m -R "" -P staff d
/usr/sbin/semanage: Requires prefix, roles, level or range
From: Daniel J Walsh @ 2007-08-02 18:46 UTC (permalink / raw)
To: Stephen Smalley, SE Linux
nsapolicycoreutils_audit2allow_Makefile - Move sepolgen-ifgen to sbindir.
nsapolicycoreutils_run_init_Makefile - Change permissions to 755 instead
of 555. Some audit scripts are reporting problems with 755 permissions.
nsapolicycoreutils_scripts_chcat - Missing : after else commands
nsapolicycoreutils_scripts_fixfiles - Certain patterns were not
expanding, so relabel was not complete; also fix error handling.
nsapolicycoreutils_scripts_genhomedircon - Speed up processing by a
factor of 10 by precompiling regex
nsapolicycoreutils_semanage_semanage - Fix handling of internationalization
nsapolicycoreutils_semanage_seobject.py - Allow users to specify <<none>>
[-- Attachment #2: nsapolicycoreutils_audit2allow_Makefile --]
--- nsapolicycoreutils/audit2allow/Makefile 2007-07-16 14:20:41.000000000 -0400
+++ policycoreutils-2.0.22/audit2allow/Makefile 2007-07-31 15:45:57.000000000 -0400
@@ -1,6 +1,7 @@
# Installation directories.
PREFIX ?= ${DESTDIR}/usr
BINDIR ?= $(PREFIX)/bin
+SBINDIR ?= $(PREFIX)/sbin
LIBDIR ?= $(PREFIX)/lib
MANDIR ?= $(PREFIX)/share/man
LOCALEDIR ?= /usr/share/locale
@@ -10,7 +11,7 @@
install: all
-mkdir -p $(BINDIR)
install -m 755 audit2allow $(BINDIR)
- install -m 755 sepolgen-ifgen $(BINDIR)
+ install -m 755 sepolgen-ifgen $(SBINDIR)
-mkdir -p $(MANDIR)/man1
install -m 644 audit2allow.1 $(MANDIR)/man1/
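Review bot: sepolgen-ifgen now installs into $(SBINDIR), but the install target only creates $(BINDIR) (`-mkdir -p $(BINDIR)`) and $(MANDIR)/man1, so a clean DESTDIR build fails unless a `-mkdir -p $(SBINDIR)` is added before the new install line. Relocating the binary also changes the path that anything invoking sepolgen-ifgen (spec files, scripts) depends on, as the reply below notes.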
[-- Attachment #3: nsapolicycoreutils_run_init_Makefile --]
--- nsapolicycoreutils/run_init/Makefile 2007-07-16 14:20:41.000000000 -0400
+++ policycoreutils-2.0.22/run_init/Makefile 2007-07-31 15:45:57.000000000 -0400
@@ -34,8 +34,8 @@
install: all
test -d $(SBINDIR) || install -m 755 -d $(SBINDIR)
test -d $(MANDIR)/man1 || install -m 755 -d $(MANDIR)/man1
- install -m 555 run_init $(SBINDIR)
- install -m 555 open_init_pty $(SBINDIR)
+ install -m 755 run_init $(SBINDIR)
+ install -m 755 open_init_pty $(SBINDIR)
install -m 644 run_init.8 $(MANDIR)/man8/
install -m 644 open_init_pty.8 $(MANDIR)/man8/
ifeq (${PAMH}, /usr/include/security/pam_appl.h)
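Review bot: 555 to 755 only adds the owner write bit on root-owned binaries, so the change is harmless, but the justification ("problems with 755 permissions") reads as if 755 were the old mode; the description should state which mode the audit tooling objects to. The context lines also show `install -m 644 run_init.8 $(MANDIR)/man8/` while only `$(MANDIR)/man1` is created by the `test -d` line above it.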
[-- Attachment #4: nsapolicycoreutils_scripts_chcat --]
--- nsapolicycoreutils/scripts/chcat 2007-07-16 14:20:41.000000000 -0400
+++ policycoreutils-2.0.22/scripts/chcat 2007-07-31 15:45:57.000000000 -0400
@@ -77,7 +77,7 @@
if len(cats) > 0:
new_serange = "%s-%s:%s" % (serange[0], top[0], ",".join(cats))
- else
+ else:
new_serange = "%s-%s" % (serange[0], top[0])
if add_ind:
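Review bot: `else` without the colon is a SyntaxError, so chcat could not have run at all since this was introduced; a `python -m py_compile` step in the Makefile (or a `make check`) would catch this class of breakage at build time. The same block is repeated verbatim at @@ -155, which is how the identical typo landed twice; factoring the range rebuilding into one helper would remove the duplication.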
@@ -155,7 +155,7 @@
if len(cats) > 0:
new_serange = "%s-%s:%s" % (serange[0], top[0], ",".join(cats))
- else
+ else:
new_serange = "%s-%s" % (serange[0], top[0])
if add_ind:
[-- Attachment #5: nsapolicycoreutils_scripts_fixfiles --]
--- nsapolicycoreutils/scripts/fixfiles 2007-07-16 14:20:41.000000000 -0400
+++ policycoreutils-2.0.22/scripts/fixfiles 2007-07-31 15:45:57.000000000 -0400
@@ -88,7 +88,7 @@
esac; \
fi; \
done | \
- while read pattern ; do find $pattern \
+ while read pattern ; do sh -c "find $pattern" \
! \( -fstype ext2 -o -fstype ext3 -o -fstype jfs -o -fstype xfs \) -prune -o \
\( -wholename /home -o -wholename /root -o -wholename /tmp -wholename /dev \) -prune -o -print; \
done 2> /dev/null | \
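Review bot: `sh -c "find $pattern"` hands the pattern to a second shell for evaluation, so any shell metacharacter in a file_contexts-derived pattern is executed rather than searched for; and because the quoted string ends right after `$pattern`, the continuation lines (`! \( -fstype ext2 ... \) -prune -o ... -print`) become positional parameters of that `sh -c` instead of arguments to find, so the filesystem-type and path pruning is silently dropped. Expanding the pattern in the current shell (`for p in $pattern; do find "$p" ...`) keeps both the pruning and the safety. Separately, the pre-existing `-wholename /tmp -wholename /dev` lacks an `-o` between the two tests.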
@@ -108,6 +108,7 @@
rpmlist() {
rpm -q --qf '[%{FILESTATES} %{FILENAMES}\n]' "$1" | grep '^0 ' | cut -f2- -d ' '
+[ ${PIPESTATUS[0]} != 0 ] && echo "$1 not found" >/dev/stderr
}
#
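Review bot: `[ ${PIPESTATUS[0]} != 0 ] && echo ...` as the last command of rpmlist() makes the function's exit status non-zero exactly when rpm succeeded (the test fails), which misleads any caller or `set -e` that inspects it; write it as an `if` block, or end with an explicit return of the rpm status. PIPESTATUS is a bashism, so the script's shebang must be bash, and `>&2` is the portable spelling of `>/dev/stderr`.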
[-- Attachment #6: nsapolicycoreutils_scripts_genhomedircon --]
--- nsapolicycoreutils/scripts/genhomedircon 2007-07-16 14:20:41.000000000 -0400
+++ policycoreutils-2.0.22/scripts/genhomedircon 2007-08-01 16:03:41.000000000 -0400
@@ -139,7 +139,22 @@
self.default_user = "user_u"
self.default_prefix = "user"
self.users = self.getUsers()
+ fd = open(self.getFileContextFile())
+ self.fclines=[]
+ for i in fd.readlines():
+ try:
+ regex = i.split()[0]
+ #match a trailing .+
+ regex = re.sub("\.+$", "", regex)
+ regex = re.sub("\.\*$", "", regex)
+ regex = re.sub("\(\/\.\*\)\?", "", regex)
+ regex = regex + "/*$"
+ self.fclines.append(re.compile(regex))
+ except:
+ continue
+ fd.close()
+
def getFileContextDir(self):
return self.selinuxdir+self.type+self.filecontextdir
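Review bot: the bare `except: continue` around the compilation swallows every error, including re.error for a malformed file_contexts entry, so a bad entry silently vanishes from the exclusion list; catching `(IndexError, re.error)` and logging the offending line keeps the speed-up without hiding corruption. The comment explaining the `(/.*)?` strip that lived in the old checkExists() body was dropped in the move and is worth carrying over.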
@@ -289,20 +304,9 @@
return ret+"\n"
def checkExists(self, home):
- fd = open(self.getFileContextFile())
- for i in fd.readlines():
- if len(i) == 0:
- continue
+ for i in self.fclines:
try:
- regex = i.split()[0]
- #match a trailing .+
- regex = re.sub("\.+$", "", regex)
- regex = re.sub("\.\*$", "", regex)
- #strip a (/.*)? which matches anything trailing to a /*$ which matches trailing /'s
-
- regex = re.sub("\(\/\.\*\)\?", "", regex)
- regex = regex + "/*$"
- if re.search(regex,home, 0):
+ if i.match(home):
return 1
except:
continue
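Review bot: the lookup changes from `re.search(regex, home, 0)` to `i.match(home)`, which anchors the pattern at the start of `home`; that agrees with setfiles treating file_contexts regexes as implicitly anchored, but it is a behaviour change that the description ("precompiling regex") does not mention, so call it out. The `try/except: continue` around a plain `.match()` call is now dead weight and can go.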
[-- Attachment #7: nsapolicycoreutils_semanage_semanage --]
--- nsapolicycoreutils/semanage/semanage 2007-07-16 14:20:41.000000000 -0400
+++ policycoreutils-2.0.22/semanage/semanage 2007-07-31 15:45:57.000000000 -0400
@@ -34,7 +34,10 @@
sys.stdout = codecs.getwriter(locale.getpreferredencoding())(sys.__stdout__, 'replace')
try:
- gettext.install(PROGNAME, localedir="/usr/share/locale", unicode=1)
+ gettext.install(PROGNAME,
+ localedir="/usr/share/locale",
+ unicode=False,
+ codeset = 'utf-8')
except IOError:
import __builtin__
__builtin__.__dict__['_'] = unicode
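Review bot: with `unicode=False` and `codeset='utf-8'`, `_()` returns UTF-8 byte strings regardless of the locale, while the context line above wraps sys.stdout in a codecs writer for locale.getpreferredencoding(); that writer expects unicode objects, and a non-ASCII byte string handed to it is implicitly decoded as ASCII and raises UnicodeDecodeError. The IOError fallback `__builtin__.__dict__['_'] = unicode` still yields unicode, so the two paths now return different types; either keep `unicode=1` or make the fallback return str as well.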
[-- Attachment #8: nsapolicycoreutils_semanage_seobject.py --]
--- nsapolicycoreutils/semanage/seobject.py 2007-07-16 14:20:41.000000000 -0400
+++ policycoreutils-2.0.22/semanage/seobject.py 2007-08-01 09:54:14.000000000 -0400
@@ -1024,14 +1025,31 @@
def __init__(self):
semanageRecords.__init__(self)
- def add(self, target, type, ftype = "", serange = "", seuser = "system_u"):
+ def createcon(self, target, seuser = "system_u"):
+ (rc, con) = semanage_context_create(self.sh)
+ if rc < 0:
+ raise ValueError(_("Could not create context for %s") % target)
if seuser == "":
seuser = "system_u"
+
+ rc = semanage_context_set_user(self.sh, con, seuser)
+ if rc < 0:
+ raise ValueError(_("Could not set user in file context for %s") % target)
+
+ rc = semanage_context_set_role(self.sh, con, "object_r")
+ if rc < 0:
+ raise ValueError(_("Could not set role in file context for %s") % target)
+
if is_mls_enabled == 1:
- if serange == "":
- serange = "s0"
- else:
- serange = untranslate(serange)
+ rc = semanage_context_set_mls(self.sh, con, "s0")
+ if rc < 0:
+ raise ValueError(_("Could not set mls fields in file context for %s") % target)
+
+ return con
+
+ def add(self, target, type, ftype = "", serange = "", seuser = "system_u"):
+ if is_mls_enabled == 1:
+ serange = untranslate(serange)
if type == "":
raise ValueError(_("SELinux Type is required"))
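Review bot: createcon() raises on any failed semanage_context_set_* call without freeing the context returned by semanage_context_create(), so every error path leaks it; a `semanage_context_free(con)` before each raise (or a try/except wrapper) closes that. The MLS field is always set to "s0" here and overridden in add() only when `serange != ""`, which preserves the old default, but add() now calls `untranslate(serange)` even for an empty serange; confirm that untranslate("") returns "" rather than the translator's rendering of the filler.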
@@ -1051,33 +1069,23 @@
raise ValueError(_("Could not create file context for %s") % target)
rc = semanage_fcontext_set_expr(self.sh, fcontext, target)
- (rc, con) = semanage_context_create(self.sh)
- if rc < 0:
- raise ValueError(_("Could not create context for %s") % target)
-
- rc = semanage_context_set_user(self.sh, con, seuser)
- if rc < 0:
- raise ValueError(_("Could not set user in file context for %s") % target)
-
- rc = semanage_context_set_role(self.sh, con, "object_r")
- if rc < 0:
- raise ValueError(_("Could not set role in file context for %s") % target)
-
- rc = semanage_context_set_type(self.sh, con, type)
- if rc < 0:
- raise ValueError(_("Could not set type in file context for %s") % target)
+ if type != "<<none>>":
+ con = self.createcon(target, seuser)
- if serange != "":
- rc = semanage_context_set_mls(self.sh, con, serange)
- if rc < 0:
- raise ValueError(_("Could not set mls fields in file context for %s") % target)
+ rc = semanage_context_set_type(self.sh, con, type)
+ if rc < 0:
+ raise ValueError(_("Could not set type in file context for %s") % target)
+
+ if serange != "":
+ rc = semanage_context_set_mls(self.sh, con, serange)
+ if rc < 0:
+ raise ValueError(_("Could not set mls fields in file context for %s") % target)
+ rc = semanage_fcontext_set_con(self.sh, fcontext, con)
+ if rc < 0:
+ raise ValueError(_("Could not set file context for %s") % target)
semanage_fcontext_set_type(fcontext, file_types[ftype])
- rc = semanage_fcontext_set_con(self.sh, fcontext, con)
- if rc < 0:
- raise ValueError(_("Could not set file context for %s") % target)
-
rc = semanage_begin_transaction(self.sh)
if rc < 0:
raise ValueError(_("Could not start semanage transaction"))
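Review bot: when `type == "<<none>>"` the name `con` is never bound in add() and the fcontext keeps the NULL context it was created with, which is presumably the intended encoding of <<none>>; every later use of `con` must therefore sit behind the same `type != "<<none>>"` test, as the free in the next hunk does. The `rc = semanage_fcontext_set_expr(...)` return value in the context lines is still never checked.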
@@ -1090,7 +1098,8 @@
if rc < 0:
raise ValueError(_("Could not add file context for %s") % target)
- semanage_context_free(con)
+ if type != "<<none>>":
+ semanage_context_free(con)
semanage_fcontext_key_free(k)
semanage_fcontext_free(fcontext)
@@ -1112,16 +1121,29 @@
if rc < 0:
raise ValueError(_("Could not query file context for %s") % target)
- con = semanage_fcontext_get_con(fcontext)
+ if setype != "<<none>>":
+ con = semanage_fcontext_get_con(fcontext)
- if serange != "":
- semanage_context_set_mls(self.sh, con, untranslate(serange))
- if seuser != "":
- semanage_context_set_user(self.sh, con, seuser)
- if setype != "":
- semanage_context_set_type(self.sh, con, setype)
-
- rc = semanage_begin_transaction(self.sh)
+ if con == None:
+ con = self.createcon(target)
+
+ if serange != "":
+ semanage_context_set_mls(self.sh, con, untranslate(serange))
+ if seuser != "":
+ semanage_context_set_user(self.sh, con, seuser)
+
+ if setype != "":
+ semanage_context_set_type(self.sh, con, setype)
+
+ rc = semanage_fcontext_set_con(self.sh, fcontext, con)
+ if rc < 0:
+ raise ValueError(_("Could not set file context for %s") % target)
+ else:
+ rc = semanage_fcontext_set_con(self.sh, fcontext, None)
+ if rc < 0:
+ raise ValueError(_("Could not set file context for %s") % target)
+
+ rc = semanage_begin_transaction(self.sh)
if rc < 0:
raise ValueError(_("Could not start semanage transaction"))
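Review bot: the new `semanage_context_set_mls` / `set_user` / `set_type` calls discard their return codes while the surrounding code checks every other libsemanage call, so an invalid seuser or setype passed to modify is silently ignored and the unchanged context is written back. When `setype == "<<none>>"` the context previously attached to the fcontext is replaced with None without being freed, and the context built by `createcon(target)` for a formerly-<<none>> entry is never freed after `semanage_fcontext_set_con` copies it, unlike the explicit free that add() performs.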
@@ -1283,9 +1305,12 @@
raise ValueError(_("Could not list booleans"))
for boolean in self.blist:
- name = semanage_bool_get_name(boolean)
- value = semanage_bool_get_value(boolean)
- ddict[name] = value
+ value = []
+ name = semanage_bool_get_name(boolean)
+ value[0] = semanage_bool_get_value(boolean)
+ value[1] = selinux.security_get_boolean_pending(boolean)
+ value[2] = selinux.security_get_boolean_active(boolean)
+ ddict[name] = value
return ddict
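Review bot: `value = []` followed by `value[0] = ...` raises IndexError, since item assignment on an empty list is not allowed; initialise with `value = [0, 0, 0]` or build it with three appends. The libselinux calls `selinux.security_get_boolean_pending` / `security_get_boolean_active` take the boolean's name, not a semanage_bool_t record, so pass `name` rather than `boolean`.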
From: Stephen Smalley @ 2007-08-16 17:21 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: SE Linux, Karl MacMillan, Joshua Brindle
On Thu, 2007-08-02 at 14:46 -0400, Daniel J Walsh wrote:
> nsapolicycoreutils_audit2allow_Makefile - Move sepolgen-ifgen to sbindir.
Karl, is moving sepolgen-ifgen fine with you?
Dan - every time we move something like this, we risk breaking existing
packages (like .spec file invocation of it), scripts, etc, so let's
minimize please.
> nsapolicycoreutils_run_init_Makefile - Change permissions to 755 instead
> of 555. Some audit scripts are reporting problems with 755 permissions.
Ok by me, but I don't quite understand why it matters.
> nsapolicycoreutils_scripts_chcat - Missing : after else commands
Hmm...so chcat has been broken for a while. Is it actually being used?
Worth retaining (upstream)?
> nsapolicycoreutils_scripts_fixfiles - Certain patterns were not
> expanding, so relabel was not complete; also fix error handling.
This seems pretty fragile.
> nsapolicycoreutils_scripts_genhomedircon - Speed up processing by a
> factor of 10 by precompiling regex
Obsoleted by the libsemanage genhomedircon support, I think, once it is
merged.
> nsapolicycoreutils_semanage_semanage - Fix handling of internationalization
> nsapolicycoreutils_semanage_seobject.py - Allow users to specify <<none>>
Is this the way we want to handle this? Layering seems broken.
>
> plain text document attachment
> (nsapolicycoreutils_audit2allow_Makefile)
> --- nsapolicycoreutils/audit2allow/Makefile 2007-07-16 14:20:41.000000000 -0400
> +++ policycoreutils-2.0.22/audit2allow/Makefile 2007-07-31 15:45:57.000000000 -0400
> @@ -1,6 +1,7 @@
> # Installation directories.
> PREFIX ?= ${DESTDIR}/usr
> BINDIR ?= $(PREFIX)/bin
> +SBINDIR ?= $(PREFIX)/sbin
> LIBDIR ?= $(PREFIX)/lib
> MANDIR ?= $(PREFIX)/share/man
> LOCALEDIR ?= /usr/share/locale
> @@ -10,7 +11,7 @@
> install: all
> -mkdir -p $(BINDIR)
> install -m 755 audit2allow $(BINDIR)
> - install -m 755 sepolgen-ifgen $(BINDIR)
> + install -m 755 sepolgen-ifgen $(SBINDIR)
> -mkdir -p $(MANDIR)/man1
> install -m 644 audit2allow.1 $(MANDIR)/man1/
>
> plain text document attachment (nsapolicycoreutils_run_init_Makefile)
> --- nsapolicycoreutils/run_init/Makefile 2007-07-16 14:20:41.000000000 -0400
> +++ policycoreutils-2.0.22/run_init/Makefile 2007-07-31 15:45:57.000000000 -0400
> @@ -34,8 +34,8 @@
> install: all
> test -d $(SBINDIR) || install -m 755 -d $(SBINDIR)
> test -d $(MANDIR)/man1 || install -m 755 -d $(MANDIR)/man1
> - install -m 555 run_init $(SBINDIR)
> - install -m 555 open_init_pty $(SBINDIR)
> + install -m 755 run_init $(SBINDIR)
> + install -m 755 open_init_pty $(SBINDIR)
> install -m 644 run_init.8 $(MANDIR)/man8/
> install -m 644 open_init_pty.8 $(MANDIR)/man8/
> ifeq (${PAMH}, /usr/include/security/pam_appl.h)
> plain text document attachment (nsapolicycoreutils_scripts_chcat)
> --- nsapolicycoreutils/scripts/chcat 2007-07-16 14:20:41.000000000 -0400
> +++ policycoreutils-2.0.22/scripts/chcat 2007-07-31 15:45:57.000000000 -0400
> @@ -77,7 +77,7 @@
>
> if len(cats) > 0:
> new_serange = "%s-%s:%s" % (serange[0], top[0], ",".join(cats))
> - else
> + else:
> new_serange = "%s-%s" % (serange[0], top[0])
>
> if add_ind:
> @@ -155,7 +155,7 @@
>
> if len(cats) > 0:
> new_serange = "%s-%s:%s" % (serange[0], top[0], ",".join(cats))
> - else
> + else:
> new_serange = "%s-%s" % (serange[0], top[0])
>
> if add_ind:
> plain text document attachment (nsapolicycoreutils_scripts_fixfiles)
> --- nsapolicycoreutils/scripts/fixfiles 2007-07-16 14:20:41.000000000 -0400
> +++ policycoreutils-2.0.22/scripts/fixfiles 2007-07-31 15:45:57.000000000 -0400
> @@ -88,7 +88,7 @@
> esac; \
> fi; \
> done | \
> - while read pattern ; do find $pattern \
> + while read pattern ; do sh -c "find $pattern" \
> ! \( -fstype ext2 -o -fstype ext3 -o -fstype jfs -o -fstype xfs \) -prune -o \
> \( -wholename /home -o -wholename /root -o -wholename /tmp -wholename /dev \) -prune -o -print; \
> done 2> /dev/null | \
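Review bot: wrapping the call as `sh -c "find $pattern"` silently discards every argument after it: `! \( -fstype ext2 ... \) -prune -o \( -wholename /home ... \) -prune -o -print` is now handed to the inner `sh -c` as its positional parameters ($0, $1, ...), not to find, so find runs with no filesystem or directory pruning and will descend into /home, /root, /tmp, /dev and non-ext2/ext3/jfs/xfs mounts. It also adds a second round of shell parsing of $pattern, which comes from file_contexts entries and can contain metacharacters such as `(`, `?`, `*` and `;`. If the goal is to tolerate patterns find cannot resolve, check find's exit status instead of re-parsing its arguments. Also visible in the context: `-wholename /tmp -wholename /dev` is missing an `-o`, so that pair is an AND that never matches and neither /tmp nor /dev is actually pruned.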
> @@ -108,6 +108,7 @@
>
> rpmlist() {
> rpm -q --qf '[%{FILESTATES} %{FILENAMES}\n]' "$1" | grep '^0 ' | cut -f2- -d ' '
> +[ ${PIPESTATUS[0]} != 0 ] && echo "$1 not found" >/dev/stderr
> }
>
> #
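Review bot: as the last statement of rpmlist, `[ ${PIPESTATUS[0]} != 0 ] && echo ...` makes the function return 1 exactly when rpm succeeded (the test fails, so the `&&` list's status is 1) and 0 when rpm failed; any caller that checks rpmlist's status sees the inverse. Put the check in an `if` or follow it with an explicit `return`. PIPESTATUS is a bash array, so this ties fixfiles to bash rather than a POSIX /bin/sh, and `>&2` is more portable than `>/dev/stderr`, which fails in a chroot without /dev populated.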
> plain text document attachment (nsapolicycoreutils_scripts_genhomedircon)
> --- nsapolicycoreutils/scripts/genhomedircon 2007-07-16 14:20:41.000000000 -0400
> +++ policycoreutils-2.0.22/scripts/genhomedircon 2007-08-01 16:03:41.000000000 -0400
> @@ -139,7 +139,22 @@
> self.default_user = "user_u"
> self.default_prefix = "user"
> self.users = self.getUsers()
> + fd = open(self.getFileContextFile())
> + self.fclines=[]
> + for i in fd.readlines():
> + try:
> + regex = i.split()[0]
> + #match a trailing .+
> + regex = re.sub("\.+$", "", regex)
> + regex = re.sub("\.\*$", "", regex)
> + regex = re.sub("\(\/\.\*\)\?", "", regex)
> + regex = regex + "/*$"
> + self.fclines.append(re.compile(regex))
> + except:
> + continue
>
> + fd.close()
> +
> def getFileContextDir(self):
> return self.selinuxdir+self.type+self.filecontextdir
>
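Review bot: the new __init__ loop reads every line of the file contexts file, comments and blank lines included, and relies on the bare `except:` to skip whatever breaks: a blank line raises IndexError on `i.split()[0]`, and a comment line compiles to a pattern like `#/*$` that is then matched against home directories. Skip empty lines and lines starting with `#` explicitly and narrow the handler to `(IndexError, re.error)` so real errors are not swallowed. The substitution patterns should be raw strings (r"\.+$" etc.); "\.+$" only works because `\.` is not a recognised Python escape.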
> @@ -289,20 +304,9 @@
> return ret+"\n"
>
> def checkExists(self, home):
> - fd = open(self.getFileContextFile())
> - for i in fd.readlines():
> - if len(i) == 0:
> - continue
> + for i in self.fclines:
> try:
> - regex = i.split()[0]
> - #match a trailing .+
> - regex = re.sub("\.+$", "", regex)
> - regex = re.sub("\.\*$", "", regex)
> - #strip a (/.*)? which matches anything trailing to a /*$ which matches trailing /'s
> -
> - regex = re.sub("\(\/\.\*\)\?", "", regex)
> - regex = regex + "/*$"
> - if re.search(regex,home, 0):
> + if i.match(home):
> return 1
> except:
> continue
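Review bot: replacing `re.search(regex, home, 0)` with the compiled `i.match(home)` is a behavioural change, not just a refactor: match anchors at the start of the string, so an entry whose regex is not a prefix of the home path no longer matches. That is arguably the right semantics for file_contexts entries, but say so in the description. The try/except around `i.match` can go; compile errors are already handled in __init__ and match() does not raise. The removed comment explaining why `(/.*)?` is stripped is worth carrying over to where the regexes are now built.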
> plain text document attachment (nsapolicycoreutils_semanage_semanage)
> --- nsapolicycoreutils/semanage/semanage 2007-07-16 14:20:41.000000000 -0400
> +++ policycoreutils-2.0.22/semanage/semanage 2007-07-31 15:45:57.000000000 -0400
> @@ -34,7 +34,10 @@
> sys.stdout = codecs.getwriter(locale.getpreferredencoding())(sys.__stdout__, 'replace')
>
> try:
> - gettext.install(PROGNAME, localedir="/usr/share/locale", unicode=1)
> + gettext.install(PROGNAME,
> + localedir="/usr/share/locale",
> + unicode=False,
> + codeset = 'utf-8')
> except IOError:
> import __builtin__
> __builtin__.__dict__['_'] = unicode
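Review bot: with `unicode=False` and `codeset='utf-8'`, `_()` now returns utf-8 encoded byte strings, while the IOError fallback two lines below still binds `_` to `unicode`, so the two paths yield different types. Worse, sys.stdout was just wrapped in a codecs writer (first context line of the hunk) that encodes what it is handed; writing a non-ASCII byte string through it triggers an implicit ASCII decode and a UnicodeDecodeError, so translated messages that printed before will now crash on non-ASCII locales. Either keep unicode=1 and fix the original problem at the writer, or decode the results before printing. Minor: `codeset = 'utf-8'` has spaces around `=` unlike the other keyword arguments.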
--
Stephen Smalley
National Security Agency
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: policycoreutils patches
2007-08-16 17:21 ` Stephen Smalley
@ 2007-08-17 13:20 ` Karl MacMillan
0 siblings, 0 replies; 10+ messages in thread
From: Karl MacMillan @ 2007-08-17 13:20 UTC (permalink / raw)
To: Stephen Smalley; +Cc: Daniel J Walsh, SE Linux, Joshua Brindle
On Thu, 2007-08-16 at 13:21 -0400, Stephen Smalley wrote:
> On Thu, 2007-08-02 at 14:46 -0400, Daniel J Walsh wrote:
> > nsapolicycoreutils_audit2allow_Makefile - Move sepolgen-ifgen to sbindir.
>
> Karl, is moving sepolgen-ifgen fine with you?
> Dan - every time we move something like this, we risk breaking existing
> packages (like .spec file invocation of it), scripts, etc, so let's
> minimize please.
>
No - I nak'd this forever ago - sepolgen-ifgen is useful for non-root so
it shouldn't be in sbin.
Karl
2007-08-02 18:46 policycoreutils patches Daniel J Walsh
2007-08-16 17:21 ` Stephen Smalley
2007-08-17 13:20 ` Karl MacMillan
2007-01-03 18:05 Policycoreutils patches Daniel J Walsh
2007-01-04 16:28 ` Stephen Smalley
2007-01-04 16:49 ` Stephen Smalley
2007-01-04 22:07 ` Daniel J Walsh
2007-01-05 18:16 ` Stephen Smalley
2007-01-05 18:55 ` Stephen Smalley
2007-01-08 16:15 ` Daniel J Walsh