* Patch to allow semanage to set boolean values and translate booleans via policy.xml
@ 2007-11-02 19:57 Daniel J Walsh
0 siblings, 0 replies; 9+ messages in thread
From: Daniel J Walsh @ 2007-11-02 19:57 UTC (permalink / raw)
To: Stephen Smalley; +Cc: SE Linux
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Also added translations of booleans to command line.
> /usr/sbin/semanage boolean -l | grep nfs_export
> nfs_export_all_rw -> off Allow nfs to be exported read/write.
> nfs_export_all_ro -> on Allow nfs to be exported read only
> sh-3.2# /usr/sbin/semanage boolean -l | grep nfs
> xen_use_nfs -> off Allow xen to manage nfs files
> use_nfs_home_dirs -> on Support NFS home directories
> allow_ftpd_use_nfs -> off Allow ftp servers to use nfs used for public file transfer services.
> cdrecord_read_content -> off Allow cdrecord to read various content. nfs, samba, removable devices, user temp and untrusted content files
> httpd_use_nfs -> off Allow httpd to read nfs files
> samba_share_nfs -> off Allow samba to export NFS volumes.
> mail_read_content -> off Allow email client to various content. nfs, samba, removable devices, user temp and untrusted content files
> allow_nfsd_anon_write -> off Allow nfs servers to modify public files used for public file transfer services.
> nfs_export_all_rw -> off Allow nfs to be exported read/write.
> nfs_export_all_ro -> on Allow nfs to be exported read only
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iD8DBQFHK4FGrlYvE4MpobMRAuCvAJ0e8yxBp8vXHBAVgOBhF4uINPKHsQCfQ7pU
q9Oau5klonoR9aUMYQw3A7k=
=DKZN
-----END PGP SIGNATURE-----
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Patch to allow semanage to set boolean values and translate booleans via policy.xml
@ 2007-11-02 19:58 Daniel J Walsh
2007-11-09 16:25 ` Stephen Smalley
0 siblings, 1 reply; 9+ messages in thread
From: Daniel J Walsh @ 2007-11-02 19:58 UTC (permalink / raw)
To: Stephen Smalley; +Cc: SE Linux
[-- Attachment #1: Type: text/plain, Size: 1627 bytes --]
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Also added translations of booleans to command line.
> /usr/sbin/semanage boolean -l | grep nfs_export
> nfs_export_all_rw -> off Allow nfs to be exported read/write.
> nfs_export_all_ro -> on Allow nfs to be exported read only
> sh-3.2# /usr/sbin/semanage boolean -l | grep nfs
> xen_use_nfs -> off Allow xen to manage nfs files
> use_nfs_home_dirs -> on Support NFS home directories
> allow_ftpd_use_nfs -> off Allow ftp servers to use nfs used for public file transfer services.
> cdrecord_read_content -> off Allow cdrecord to read various content. nfs, samba, removable devices, user temp and untrusted content files
> httpd_use_nfs -> off Allow httpd to read nfs files
> samba_share_nfs -> off Allow samba to export NFS volumes.
> mail_read_content -> off Allow email client to various content. nfs, samba, removable devices, user temp and untrusted content files
> allow_nfsd_anon_write -> off Allow nfs servers to modify public files used for public file transfer services.
> nfs_export_all_rw -> off Allow nfs to be exported read/write.
> nfs_export_all_ro -> on Allow nfs to be exported read only
This time with the patch. :^)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iD8DBQFHK4F9rlYvE4MpobMRAr9eAJwNWFoe0+i7P2exSWAZRKb6ZNzUEgCgsymy
IRTVHeA8aa8boNYY9MTi/lA=
=UWlf
-----END PGP SIGNATURE-----
[-- Attachment #2: diff --]
[-- Type: text/plain, Size: 6206 bytes --]
diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/semanage policycoreutils-2.0.31/semanage/semanage
--- nsapolicycoreutils/semanage/semanage 2007-10-05 13:09:53.000000000 -0400
+++ policycoreutils-2.0.31/semanage/semanage 2007-11-02 15:50:54.000000000 -0400
@@ -1,5 +1,5 @@
#! /usr/bin/python -E
-# Copyright (C) 2005 Red Hat
+# Copyright (C) 2005, 2006, 2007 Red Hat
# see file 'COPYING' for use and warranty information
#
# semanage is a tool for managing SELinux configuration files
@@ -115,7 +115,7 @@
valid_option["translation"] = []
valid_option["translation"] += valid_everyone + [ '-T', '--trans' ]
valid_option["boolean"] = []
- valid_option["boolean"] += valid_everyone
+ valid_option["boolean"] += valid_everyone + [ '--on', "--off", "-1", "-0" ]
return valid_option
#
@@ -135,7 +135,7 @@
seuser = ""
prefix = ""
heading=1
-
+ value=0
add = 0
modify = 0
delete = 0
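Review bot: `value=0` makes the boolean value default to the integer 0, so a modify request that names neither `--on` nor `--off` is treated as an explicit request to turn the boolean off rather than as a missing value; the `You must specify a value` guard added in seobject.py compares against `""` and never fires for 0. Initialise with `value = ""` (or `None`) and let the CLI reject a modify that carries no value.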
@@ -154,7 +154,7 @@
args = sys.argv[2:]
gopts, cmds = getopt.getopt(args,
- 'adf:lhmnp:s:CDR:L:r:t:T:P:S:',
+ '01adf:lhmnp:s:CDR:L:r:t:T:P:S:',
['add',
'delete',
'deleteall',
@@ -164,6 +164,8 @@
'modify',
'noheading',
'localist',
+ 'off',
+ 'on',
'proto=',
'seuser=',
'store=',
@@ -242,6 +244,11 @@
if o == "-T" or o == "--trans":
setrans = a
+ if o == "--on" or o == "-1":
+ value = 1
+ if o == "-off" or o == "-0":
+ value = 0
+
if object == "login":
OBJECT = seobject.loginRecords(store)
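Review bot: the second test, `if o == "-off" or o == "-0":`, has a single-dash typo; getopt hands back the long option as `--off`, so this branch never matches and `--off` only appears to work because `value` already defaults to 0. Change it to `o == "--off"`. Also, no hunk in this file passes `value` to the boolean object's `modify()`; if the existing call site already forwards it, fine, otherwise the new options are parsed and then discarded.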
diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/seobject.py policycoreutils-2.0.31/semanage/seobject.py
--- nsapolicycoreutils/semanage/seobject.py 2007-10-07 21:46:43.000000000 -0400
+++ policycoreutils-2.0.31/semanage/seobject.py 2007-11-02 15:51:27.000000000 -0400
@@ -1,5 +1,5 @@
#! /usr/bin/python -E
-# Copyright (C) 2005 Red Hat
+# Copyright (C) 2005, 2006, 2007 Red Hat
# see file 'COPYING' for use and warranty information
#
# semanage is a tool for managing SELinux configuration files
@@ -1095,7 +1092,13 @@
return con
+ def validate(self, target):
+ if target == "" or target.find("\n") >= 0:
+ raise ValueError(_("Invalid file specification"))
+
def add(self, target, type, ftype = "", serange = "", seuser = "system_u"):
+ self.validate(target)
+
if is_mls_enabled == 1:
serange = untranslate(serange)
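Review bot: `validate()` rejects an empty target and an embedded newline, which is the right check for a value that ends up as one line of file_contexts.local, but that file is whitespace-separated (regex, optional file type, context), so a target containing a space or tab would still be written out and then be read back as a different record. Consider rejecting any whitespace, e.g. `if target == "" or re.search(r"\s", target):`, and include the rejected value in the error message.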
@@ -1154,6 +1157,7 @@
def modify(self, target, setype, ftype, serange, seuser):
if serange == "" and setype == "" and seuser == "":
raise ValueError(_("Requires setype, serange or seuser"))
+ self.validate(target)
(rc,k) = semanage_fcontext_key_create(self.sh, target, file_types[ftype])
if rc < 0:
@@ -1303,9 +1307,35 @@
else:
print "%-50s %-18s <<None>>" % (fcon[0], fcon[1])
+import sys, os
+import re
+import xml.etree.ElementTree
+
class booleanRecords(semanageRecords):
+
def __init__(self, store = ""):
semanageRecords.__init__(self, store)
+ self.dict={}
+
+ tree=xml.etree.ElementTree.parse("/usr/share/selinux/devel/policy.xml")
+ for l in tree.findall("layer"):
+ for m in l.findall("module"):
+ for b in m.findall("tunable"):
+ desc = b.find("desc").find("p").text.strip("\n")
+ desc = re.sub("\n", " ", desc)
+ self.dict[b.get('name')] = (m.get("name"), b.get('dftval'), desc)
+ for b in m.findall("bool"):
+ desc = b.find("desc").find("p").text.strip("\n")
+ desc = re.sub("\n", " ", desc)
+ self.dict[b.get('name')] = (m.get("name"), b.get('dftval'), desc)
+ for i in tree.findall("bool"):
+ desc = i.find("desc").find("p").text.strip("\n")
+ desc = re.sub("\n", " ", desc)
+ self.dict[i.get('name')] = ("Global", i.get('dftval'), desc)
+ for i in tree.findall("tunable"):
+ desc = i.find("desc").find("p").text.strip("\n")
+ desc = re.sub("\n", " ", desc)
+ self.dict[i.get('name')] = ("Global", i.get('dftval'), desc)
def modify(self, name, value = ""):
if value == "":
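Review bot: the parse at `tree=xml.etree.ElementTree.parse("/usr/share/selinux/devel/policy.xml")` is unconditional, so every construction of `booleanRecords` (listing, but also modify and delete) dies with an IOError on a system without that file instead of falling back to untranslated names; treat a missing or unparsable file as an empty dictionary. `b.find("desc").find("p").text` also raises AttributeError for a bool or tunable without a `<desc>` or `<p>`, which aborts the whole listing for one undocumented entry. The four loops differ only in the element searched and the category stored, so a helper taking (parent, category) would remove the repetition; and the `import sys, os`, `import re` and `import xml.etree.ElementTree` lines belong at the top of the module rather than before the class, with `sys` and `os` unused by the added code.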
@@ -1328,11 +1358,14 @@
if value != "":
nvalue = int(value)
semanage_bool_set_value(b, nvalue)
+ else:
+ raise ValueError(_("You must specify a value"))
rc = semanage_begin_transaction(self.sh)
if rc < 0:
raise ValueError(_("Could not start semanage transaction"))
+ rc = semanage_bool_set_active(self.sh, k, b)
rc = semanage_bool_modify_local(self.sh, k, b)
if rc < 0:
raise ValueError(_("Could not modify boolean %s") % name)
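Review bot: the return value of `rc = semanage_bool_set_active(self.sh, k, b)` is overwritten on the next line before it is checked, so a failure to change the running value is silently lost while the local store is still modified; test `rc < 0` after the call and raise, as the code already does for `semanage_bool_modify_local`. The new `else: raise ValueError(_("You must specify a value"))` hangs off the `if value != "":` test that follows the `if value == "":` check at the top of `modify()`, so confirm the earlier check does not already raise; and `int(value)` on a non-numeric value raises a bare ValueError with Python's own message rather than a translated one.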
@@ -1416,11 +1449,19 @@
return ddict
+ def get_desc(self, boolean):
+ if boolean in self.dict:
+ return _(self.dict[boolean][2])
+ else:
+ return boolean
+
def list(self, heading = 1, locallist = 0):
+ on_off = (_("off"),_("on"))
if heading:
- print "%-50s %7s %7s %7s\n" % (_("SELinux boolean"), _("value"), _("pending"), _("active") )
+ print "%-40s %s\n" % (_("SELinux boolean"), _("Description"))
ddict = self.get_all(locallist)
keys = ddict.keys()
for k in keys:
if ddict[k]:
- print "%-50s %7d %7d %7d " % (k, ddict[k][0],ddict[k][1], ddict[k][2])
+ print "%-30s -> %-5s %s" % (k, on_off[ddict[k][2]], self.get_desc(k))
+
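Review bot: the heading is formatted with `%-40s` while each row uses `%-30s -> %-5s`, so the `Description` heading does not line up with the descriptions, and the heading has no column for the on/off value that every row prints. The `get_desc()` fallback returns the boolean name itself, so an undocumented boolean is printed as `name -> off name`; returning an empty string reads better. Dropping the `value`/`pending`/`active` columns also removes the only place a user could see that a `-m` change is still pending in the store, since `on_off[ddict[k][2]]` shows only the active value.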
[-- Attachment #3: diff.sig --]
[-- Type: application/octet-stream, Size: 65 bytes --]
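The `validate()` check in the seobject.py hunk above keeps a target from spanning two lines of file_contexts.local. The following is an added example, not code from policycoreutils or from this patch: it renders records in the layout that file uses (a simplified stand-in for libsemanage's writer, which is an assumption), shows what an unchecked newline does when the file is read back, and applies a stricter form of the check that also rejects other whitespace. The function names, the sample target and the context string are constructed for illustration.

```python
# Added example, not from policycoreutils: what the fcontext validate() check
# in the patch protects, and a stricter variant of it.
import re


# file_contexts records are whitespace-separated:
#   <regex> [<file type flag>] <security context>
# Simplified stand-in for the libsemanage writer (assumption).
def fcontext_line(target, ftype, context):
    if ftype:
        return "%s %s %s" % (target, ftype, context)
    return "%s %s" % (target, context)


def render_unchecked(entries):
    """Write records exactly as given, the way code without validate() would."""
    return "".join(fcontext_line(*e) + "\n" for e in entries)


def validate_target(target):
    """The patch rejects "" and an embedded newline; this also rejects any other
    whitespace, because a space or tab splits the record into extra fields
    when it is read back."""
    if not target or re.search(r"\s", target):
        raise ValueError("Invalid file specification: %r" % target)
    return target


def render_checked(entries):
    lines = []
    for target, ftype, context in entries:
        validate_target(target)
        lines.append(fcontext_line(target, ftype, context))
    return "".join(line + "\n" for line in lines)


def parse_file_contexts(text):
    """Read records back the way a file_contexts reader would: one per line,
    two or three whitespace-separated fields."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) == 3:
            records.append((fields[0], fields[1], fields[2]))
        elif len(fields) == 2:
            records.append((fields[0], "", fields[1]))
        else:
            raise ValueError("malformed record: %r" % line)
    return records


CTX = "system_u:object_r:httpd_sys_content_t:s0"
# Constructed input: a caller forwards a "path" that smuggles a second record.
INJECTED_TARGET = "/srv/www(/.*)? " + CTX + "\n/etc/shadow"


def injected_records():
    """Without the check, one request becomes two records, the second of which
    labels /etc/shadow with the web content type."""
    return parse_file_contexts(render_unchecked([(INJECTED_TARGET, "", CTX)]))


def checked_or_error(entries):
    """Return the rendered text, or the ValueError message if rejected."""
    try:
        return render_checked(entries)
    except ValueError as e:
        return str(e)
```

`semanage` itself runs as root, so the concern is a front end or script that passes user-supplied paths through to `seobject`; the check costs nothing and closes the door.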
* Re: Patch to allow semanage to set boolean values and translate booleans via policy.xml
2007-11-02 19:58 Daniel J Walsh
@ 2007-11-09 16:25 ` Stephen Smalley
2007-11-09 17:05 ` Daniel J Walsh
2007-11-09 18:38 ` Christopher J. PeBenito
0 siblings, 2 replies; 9+ messages in thread
From: Stephen Smalley @ 2007-11-09 16:25 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: SE Linux, Christopher J. PeBenito, Karl MacMillan
On Fri, 2007-11-02 at 15:58 -0400, Daniel J Walsh wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Also added translations of booleans to command line.
>
> > /usr/sbin/semanage boolean -l | grep nfs_export
> > nfs_export_all_rw -> off Allow nfs to be exported read/write.
> > nfs_export_all_ro -> on Allow nfs to be exported read only
> > sh-3.2# /usr/sbin/semanage boolean -l | grep nfs
> > xen_use_nfs -> off Allow xen to manage nfs files
> > use_nfs_home_dirs -> on Support NFS home directories
> > allow_ftpd_use_nfs -> off Allow ftp servers to use nfs used for public file transfer services.
> > cdrecord_read_content -> off Allow cdrecord to read various content. nfs, samba, removable devices, user temp and untrusted content files
> > httpd_use_nfs -> off Allow httpd to read nfs files
> > samba_share_nfs -> off Allow samba to export NFS volumes.
> > mail_read_content -> off Allow email client to various content. nfs, samba, removable devices, user temp and untrusted content files
> > allow_nfsd_anon_write -> off Allow nfs servers to modify public files used for public file transfer services.
> > nfs_export_all_rw -> off Allow nfs to be exported read/write.
> > nfs_export_all_ro -> on Allow nfs to be exported read only
>
>
> This time with the patch. :^)
Offhand, the only problem I see is that semanage boolean -l then fails
if /usr/share/selinux/devel/policy.xml doesn't exist, rather than just
falling back to displaying the untranslated booleans.
Also, is /usr/share/selinux/devel/policy.xml created by upstream
refpolicy or is it Fedora-specific?
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.7 (GNU/Linux)
> Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
>
> iD8DBQFHK4F9rlYvE4MpobMRAr9eAJwNWFoe0+i7P2exSWAZRKb6ZNzUEgCgsymy
> IRTVHeA8aa8boNYY9MTi/lA=
> =UWlf
> -----END PGP SIGNATURE-----
> plain text document attachment (diff)
> diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/semanage policycoreutils-2.0.31/semanage/semanage
> --- nsapolicycoreutils/semanage/semanage 2007-10-05 13:09:53.000000000 -0400
> +++ policycoreutils-2.0.31/semanage/semanage 2007-11-02 15:50:54.000000000 -0400
> @@ -1,5 +1,5 @@
> #! /usr/bin/python -E
> -# Copyright (C) 2005 Red Hat
> +# Copyright (C) 2005, 2006, 2007 Red Hat
> # see file 'COPYING' for use and warranty information
> #
> # semanage is a tool for managing SELinux configuration files
> @@ -115,7 +115,7 @@
> valid_option["translation"] = []
> valid_option["translation"] += valid_everyone + [ '-T', '--trans' ]
> valid_option["boolean"] = []
> - valid_option["boolean"] += valid_everyone
> + valid_option["boolean"] += valid_everyone + [ '--on', "--off", "-1", "-0" ]
> return valid_option
>
> #
> @@ -135,7 +135,7 @@
> seuser = ""
> prefix = ""
> heading=1
> -
> + value=0
> add = 0
> modify = 0
> delete = 0
> @@ -154,7 +154,7 @@
> args = sys.argv[2:]
>
> gopts, cmds = getopt.getopt(args,
> - 'adf:lhmnp:s:CDR:L:r:t:T:P:S:',
> + '01adf:lhmnp:s:CDR:L:r:t:T:P:S:',
> ['add',
> 'delete',
> 'deleteall',
> @@ -164,6 +164,8 @@
> 'modify',
> 'noheading',
> 'localist',
> + 'off',
> + 'on',
> 'proto=',
> 'seuser=',
> 'store=',
> @@ -242,6 +244,11 @@
> if o == "-T" or o == "--trans":
> setrans = a
>
> + if o == "--on" or o == "-1":
> + value = 1
> + if o == "-off" or o == "-0":
> + value = 0
> +
> if object == "login":
> OBJECT = seobject.loginRecords(store)
>
> diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/seobject.py policycoreutils-2.0.31/semanage/seobject.py
> --- nsapolicycoreutils/semanage/seobject.py 2007-10-07 21:46:43.000000000 -0400
> +++ policycoreutils-2.0.31/semanage/seobject.py 2007-11-02 15:51:27.000000000 -0400
> @@ -1,5 +1,5 @@
> #! /usr/bin/python -E
> -# Copyright (C) 2005 Red Hat
> +# Copyright (C) 2005, 2006, 2007 Red Hat
> # see file 'COPYING' for use and warranty information
> #
> # semanage is a tool for managing SELinux configuration files
> @@ -1095,7 +1092,13 @@
>
> return con
>
> + def validate(self, target):
> + if target == "" or target.find("\n") >= 0:
> + raise ValueError(_("Invalid file specification"))
> +
> def add(self, target, type, ftype = "", serange = "", seuser = "system_u"):
> + self.validate(target)
> +
> if is_mls_enabled == 1:
> serange = untranslate(serange)
>
> @@ -1154,6 +1157,7 @@
> def modify(self, target, setype, ftype, serange, seuser):
> if serange == "" and setype == "" and seuser == "":
> raise ValueError(_("Requires setype, serange or seuser"))
> + self.validate(target)
>
> (rc,k) = semanage_fcontext_key_create(self.sh, target, file_types[ftype])
> if rc < 0:
> @@ -1303,9 +1307,35 @@
> else:
> print "%-50s %-18s <<None>>" % (fcon[0], fcon[1])
>
> +import sys, os
> +import re
> +import xml.etree.ElementTree
> +
> class booleanRecords(semanageRecords):
> +
> def __init__(self, store = ""):
> semanageRecords.__init__(self, store)
> + self.dict={}
> +
> + tree=xml.etree.ElementTree.parse("/usr/share/selinux/devel/policy.xml")
> + for l in tree.findall("layer"):
> + for m in l.findall("module"):
> + for b in m.findall("tunable"):
> + desc = b.find("desc").find("p").text.strip("\n")
> + desc = re.sub("\n", " ", desc)
> + self.dict[b.get('name')] = (m.get("name"), b.get('dftval'), desc)
> + for b in m.findall("bool"):
> + desc = b.find("desc").find("p").text.strip("\n")
> + desc = re.sub("\n", " ", desc)
> + self.dict[b.get('name')] = (m.get("name"), b.get('dftval'), desc)
> + for i in tree.findall("bool"):
> + desc = i.find("desc").find("p").text.strip("\n")
> + desc = re.sub("\n", " ", desc)
> + self.dict[i.get('name')] = ("Global", i.get('dftval'), desc)
> + for i in tree.findall("tunable"):
> + desc = i.find("desc").find("p").text.strip("\n")
> + desc = re.sub("\n", " ", desc)
> + self.dict[i.get('name')] = ("Global", i.get('dftval'), desc)
>
> def modify(self, name, value = ""):
> if value == "":
> @@ -1328,11 +1358,14 @@
> if value != "":
> nvalue = int(value)
> semanage_bool_set_value(b, nvalue)
> + else:
> + raise ValueError(_("You must specify a value"))
>
> rc = semanage_begin_transaction(self.sh)
> if rc < 0:
> raise ValueError(_("Could not start semanage transaction"))
>
> + rc = semanage_bool_set_active(self.sh, k, b)
> rc = semanage_bool_modify_local(self.sh, k, b)
> if rc < 0:
> raise ValueError(_("Could not modify boolean %s") % name)
> @@ -1416,11 +1449,19 @@
>
> return ddict
>
> + def get_desc(self, boolean):
> + if boolean in self.dict:
> + return _(self.dict[boolean][2])
> + else:
> + return boolean
> +
> def list(self, heading = 1, locallist = 0):
> + on_off = (_("off"),_("on"))
> if heading:
> - print "%-50s %7s %7s %7s\n" % (_("SELinux boolean"), _("value"), _("pending"), _("active") )
> + print "%-40s %s\n" % (_("SELinux boolean"), _("Description"))
> ddict = self.get_all(locallist)
> keys = ddict.keys()
> for k in keys:
> if ddict[k]:
> - print "%-50s %7d %7d %7d " % (k, ddict[k][0],ddict[k][1], ddict[k][2])
> + print "%-30s -> %-5s %s" % (k, on_off[ddict[k][2]], self.get_desc(k))
> +
--
Stephen Smalley
National Security Agency
* Re: Patch to allow semanage to set boolean values and translate booleans via policy.xml
2007-11-09 16:25 ` Stephen Smalley
@ 2007-11-09 17:05 ` Daniel J Walsh
2007-11-09 18:38 ` Christopher J. PeBenito
1 sibling, 0 replies; 9+ messages in thread
From: Daniel J Walsh @ 2007-11-09 17:05 UTC (permalink / raw)
To: Stephen Smalley; +Cc: SE Linux, Christopher J. PeBenito, Karl MacMillan
[-- Attachment #1: Type: text/plain, Size: 2755 bytes --]
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Stephen Smalley wrote:
> On Fri, 2007-11-02 at 15:58 -0400, Daniel J Walsh wrote:
> Also added translations of booleans to command line.
>
>>>> /usr/sbin/semanage boolean -l | grep nfs_export
>>>> nfs_export_all_rw -> off Allow nfs to be exported read/write.
>>>> nfs_export_all_ro -> on Allow nfs to be exported read only
>>>> sh-3.2# /usr/sbin/semanage boolean -l | grep nfs
>>>> xen_use_nfs -> off Allow xen to manage nfs files
>>>> use_nfs_home_dirs -> on Support NFS home directories
>>>> allow_ftpd_use_nfs -> off Allow ftp servers to use nfs used for public file transfer services.
>>>> cdrecord_read_content -> off Allow cdrecord to read various content. nfs, samba, removable devices, user temp and untrusted content files
>>>> httpd_use_nfs -> off Allow httpd to read nfs files
>>>> samba_share_nfs -> off Allow samba to export NFS volumes.
>>>> mail_read_content -> off Allow email client to various content. nfs, samba, removable devices, user temp and untrusted content files
>>>> allow_nfsd_anon_write -> off Allow nfs servers to modify public files used for public file transfer services.
>>>> nfs_export_all_rw -> off Allow nfs to be exported read/write.
>>>> nfs_export_all_ro -> on Allow nfs to be exported read only
>
> This time with the patch. :^)
>
>> Offhand, the only problem I see is that semanage boolean -l then fails
>> if /usr/share/selinux/devel/policy.xml doesn't exist, rather than just
>> falling back to displaying the untranslated booleans.
>
>> Also, is /usr/share/selinux/devel/policy.xml created by upstream
>> refpolicy or is it Fedora-specific?
>
>
policy.xml is generated in the build procedure, so it is combined
reference policy plus my patches.
Updated patch to do a fallback.
Two problems with policy.xml right now.
1. Third parties have no way of updating it.
semodule should automatically generate the XML and edit policy.xml
2. Generated booleans within an interface do not get xml
semanage boolean -l | grep xguest
browser_write_xguest_data -> off browser_write_xguest_data
allow_xguest_exec_content -> off allow_xguest_exec_content
browser_confine_xguest -> on browser_confine_xguest
We need to change a way to add documentation to booleans created
within an interface.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iD8DBQFHNJNSrlYvE4MpobMRAqiyAJ9Mm/TKM393yIGp+vSNSKKYk+JZCgCdF+Bi
dxKEDLRVlIKlXvy10+QysUQ=
=UVHb
-----END PGP SIGNATURE-----
[-- Attachment #2: diff --]
[-- Type: text/plain, Size: 6241 bytes --]
diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/semanage policycoreutils-2.0.31/semanage/semanage
--- nsapolicycoreutils/semanage/semanage 2007-10-05 13:09:53.000000000 -0400
+++ policycoreutils-2.0.31/semanage/semanage 2007-11-02 15:54:42.000000000 -0400
@@ -1,5 +1,5 @@
#! /usr/bin/python -E
-# Copyright (C) 2005 Red Hat
+# Copyright (C) 2005, 2006, 2007 Red Hat
# see file 'COPYING' for use and warranty information
#
# semanage is a tool for managing SELinux configuration files
@@ -115,7 +115,7 @@
valid_option["translation"] = []
valid_option["translation"] += valid_everyone + [ '-T', '--trans' ]
valid_option["boolean"] = []
- valid_option["boolean"] += valid_everyone
+ valid_option["boolean"] += valid_everyone + [ '--on', "--off", "-1", "-0" ]
return valid_option
#
@@ -135,7 +135,7 @@
seuser = ""
prefix = ""
heading=1
-
+ value=0
add = 0
modify = 0
delete = 0
@@ -154,7 +154,7 @@
args = sys.argv[2:]
gopts, cmds = getopt.getopt(args,
- 'adf:lhmnp:s:CDR:L:r:t:T:P:S:',
+ '01adf:lhmnp:s:CDR:L:r:t:T:P:S:',
['add',
'delete',
'deleteall',
@@ -164,6 +164,8 @@
'modify',
'noheading',
'localist',
+ 'off',
+ 'on',
'proto=',
'seuser=',
'store=',
@@ -242,6 +244,11 @@
if o == "-T" or o == "--trans":
setrans = a
+ if o == "--on" or o == "-1":
+ value = 1
+ if o == "-off" or o == "-0":
+ value = 0
+
if object == "login":
OBJECT = seobject.loginRecords(store)
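Review bot: the `if o == "-off" or o == "-0":` typo is still here; getopt returns `--off`, so this branch never matches and `--off` only works because `value=0` is the default set earlier in this file, which in turn means `-m` with neither `--on` nor `--off` silently switches a boolean off. Fix the option string to `"--off"` and default `value` to `""`.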
diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/seobject.py policycoreutils-2.0.31/semanage/seobject.py
--- nsapolicycoreutils/semanage/seobject.py 2007-10-07 21:46:43.000000000 -0400
+++ policycoreutils-2.0.31/semanage/seobject.py 2007-11-09 12:00:35.000000000 -0500
@@ -1,5 +1,5 @@
#! /usr/bin/python -E
-# Copyright (C) 2005 Red Hat
+# Copyright (C) 2005, 2006, 2007 Red Hat
# see file 'COPYING' for use and warranty information
#
# semanage is a tool for managing SELinux configuration files
@@ -88,6 +88,35 @@
mylog = logger()
+import sys, os
+import re
+import xml.etree.ElementTree
+
+booleans_dict={}
+try:
+ tree=xml.etree.ElementTree.parse("/usr/share/selinux/devel/policy.xml")
+ for l in tree.findall("layer"):
+ for m in l.findall("module"):
+ for b in m.findall("tunable"):
+ desc = b.find("desc").find("p").text.strip("\n")
+ desc = re.sub("\n", " ", desc)
+ booleans_dict[b.get('name')] = (m.get("name"), b.get('dftval'), desc)
+ for b in m.findall("bool"):
+ desc = b.find("desc").find("p").text.strip("\n")
+ desc = re.sub("\n", " ", desc)
+ booleans_dict[b.get('name')] = (m.get("name"), b.get('dftval'), desc)
+ for i in tree.findall("bool"):
+ desc = i.find("desc").find("p").text.strip("\n")
+ desc = re.sub("\n", " ", desc)
+ booleans_dict[i.get('name')] = (_("global"), i.get('dftval'), desc)
+ for i in tree.findall("tunable"):
+ desc = i.find("desc").find("p").text.strip("\n")
+ desc = re.sub("\n", " ", desc)
+ booleans_dict[i.get('name')] = (_("global"), i.get('dftval'), desc)
+except IOError, e:
+ print _("Failed to translate booleans.\n%s") % e
+ pass
+
def validate_level(raw):
sensitivity = "s[0-9]*"
category = "c[0-9]*"
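Review bot: `except IOError, e:` only covers a missing or unreadable file; a malformed policy.xml (the parser's ExpatError) or an entry without `<desc><p>` (AttributeError at `.find("p").text`) still propagates, and because this block now runs at import time it breaks every `semanage` invocation, not just the boolean ones. It also prints `Failed to translate booleans.` on stdout for every `semanage` command on a system without that file, which is not the quiet fallback that was asked for. Suggest loading lazily from `booleanRecords.__init__`, catching `Exception` around the parse, and staying silent (or writing to stderr) when the file is absent; the `pass` after the print is redundant.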
@@ -1095,7 +1121,13 @@
return con
+ def validate(self, target):
+ if target == "" or target.find("\n") >= 0:
+ raise ValueError(_("Invalid file specification"))
+
def add(self, target, type, ftype = "", serange = "", seuser = "system_u"):
+ self.validate(target)
+
if is_mls_enabled == 1:
serange = untranslate(serange)
@@ -1154,6 +1186,7 @@
def modify(self, target, setype, ftype, serange, seuser):
if serange == "" and setype == "" and seuser == "":
raise ValueError(_("Requires setype, serange or seuser"))
+ self.validate(target)
(rc,k) = semanage_fcontext_key_create(self.sh, target, file_types[ftype])
if rc < 0:
@@ -1328,11 +1362,14 @@
if value != "":
nvalue = int(value)
semanage_bool_set_value(b, nvalue)
+ else:
+ raise ValueError(_("You must specify a value"))
rc = semanage_begin_transaction(self.sh)
if rc < 0:
raise ValueError(_("Could not start semanage transaction"))
+ rc = semanage_bool_set_active(self.sh, k, b)
rc = semanage_bool_modify_local(self.sh, k, b)
if rc < 0:
raise ValueError(_("Could not modify boolean %s") % name)
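Review bot: `rc = semanage_bool_set_active(self.sh, k, b)` is still unchecked and overwritten by the `semanage_bool_modify_local` result on the next line; test it and raise on failure so a change that was persisted but not activated is reported rather than lost.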
@@ -1416,11 +1453,25 @@
return ddict
+ def get_desc(self, boolean):
+ if boolean in booleans_dict:
+ return _(booleans_dict[boolean][2])
+ else:
+ return boolean
+
+ def get_category(self, boolean):
+ if boolean in booleans_dict:
+ return _(booleans_dict[boolean][0])
+ else:
+ return _("unknown")
+
def list(self, heading = 1, locallist = 0):
+ on_off = (_("off"),_("on"))
if heading:
- print "%-50s %7s %7s %7s\n" % (_("SELinux boolean"), _("value"), _("pending"), _("active") )
+ print "%-40s %s\n" % (_("SELinux boolean"), _("Description"))
ddict = self.get_all(locallist)
keys = ddict.keys()
for k in keys:
if ddict[k]:
- print "%-50s %7d %7d %7d " % (k, ddict[k][0],ddict[k][1], ddict[k][2])
+ print "%-30s -> %-5s %s" % (k, on_off[ddict[k][2]], self.get_desc(k))
+
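Review bot: `get_category()` is added but nothing in `list()` calls it, so the module name collected from policy.xml is never shown; either print it as a column or drop the method. The `%-40s` heading versus `%-30s -> %-5s` row widths and the `get_desc()` fallback that echoes the boolean name as its own description are unchanged from the previous version.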
[-- Attachment #3: diff.sig --]
[-- Type: application/octet-stream, Size: 65 bytes --]
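As an added example (not code from the patch or from policycoreutils), here is one way to do the boolean description lookup so that a missing, malformed or partially documented policy.xml degrades to untranslated names instead of aborting, which is the fallback asked for above. The XML fragment is constructed to mirror the element layout the patch walks (layer/module/bool|tunable and global bool|tunable, each with desc/p); the path constant matches the one in the patch, and the function names are assumptions.

```python
# Added example, not from the patch or policycoreutils: a tolerant loader for
# the boolean descriptions that semanage reads from policy.xml.
import re
import xml.etree.ElementTree as ET

DEFAULT_POLICY_XML = "/usr/share/selinux/devel/policy.xml"  # path used by the patch

# Constructed sample in the layout the patch walks: layers hold modules, modules
# hold <bool>/<tunable>, and global <bool>/<tunable> sit directly under the root.
SAMPLE_POLICY_XML = """<?xml version="1.0"?>
<policy>
  <layer name="services">
    <module name="apache">
      <tunable name="httpd_use_nfs" dftval="false">
        <desc><p>Allow httpd to read
        nfs files</p></desc>
      </tunable>
      <bool name="httpd_undocumented" dftval="false"/>
    </module>
  </layer>
  <bool name="secure_mode" dftval="false">
    <desc><p>Enable secure mode.</p></desc>
  </bool>
</policy>
"""


def _desc_text(elem):
    """First <desc><p> paragraph collapsed to one line, or None if absent."""
    desc = elem.find("desc")
    p = desc.find("p") if desc is not None else None
    if p is None or p.text is None:
        return None
    return re.sub(r"\s+", " ", p.text).strip()


def _collect(parent, category, out):
    """Record every <bool> and <tunable> directly under parent."""
    for tag in ("bool", "tunable"):
        for elem in parent.findall(tag):
            name = elem.get("name")
            if name:
                out[name] = (category, elem.get("dftval"), _desc_text(elem))


def parse_policy_xml(text):
    """name -> (module name or "global", default value, description or None)."""
    out = {}
    root = ET.fromstring(text)
    for layer in root.findall("layer"):
        for module in layer.findall("module"):
            _collect(module, module.get("name", "unknown"), out)
    _collect(root, "global", out)
    return out


def parse_policy_xml_or_empty(text):
    """Malformed XML yields no translations rather than an exception."""
    try:
        return parse_policy_xml(text)
    except ET.ParseError:
        return {}


def load_boolean_docs(path=DEFAULT_POLICY_XML):
    """A missing or unreadable file also yields no translations, so listing still works."""
    try:
        with open(path) as f:
            text = f.read()
    except (IOError, OSError):
        return {}
    return parse_policy_xml_or_empty(text)


def describe(docs, name):
    """Description for the listing; empty (not the name again) when unknown."""
    entry = docs.get(name)
    return entry[2] if entry and entry[2] else ""


def format_listing(docs, active_values):
    """Rows in the patch's layout; active_values maps name -> 0/1 (active value)."""
    on_off = ("off", "on")
    return ["%-30s -> %-5s %s" % (n, on_off[active_values[n]], describe(docs, n))
            for n in sorted(active_values)]
```

Keeping the parse inside a function called from the boolean listing, rather than at module import, also means `semanage login`, `semanage fcontext` and the rest never touch policy.xml at all.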
* Re: Patch to allow semanage to set boolean values and translate booleans via policy.xml
2007-11-09 16:25 ` Stephen Smalley
2007-11-09 17:05 ` Daniel J Walsh
@ 2007-11-09 18:38 ` Christopher J. PeBenito
2007-11-09 19:47 ` Daniel J Walsh
1 sibling, 1 reply; 9+ messages in thread
From: Christopher J. PeBenito @ 2007-11-09 18:38 UTC (permalink / raw)
To: Stephen Smalley; +Cc: Daniel J Walsh, SE Linux, Karl MacMillan
On Fri, 2007-11-09 at 11:25 -0500, Stephen Smalley wrote:
> On Fri, 2007-11-02 at 15:58 -0400, Daniel J Walsh wrote:
> > Also added translations of booleans to command line.
> >
> > > /usr/sbin/semanage boolean -l | grep nfs_export
> > > nfs_export_all_rw -> off Allow nfs to be exported read/write.
> > > nfs_export_all_ro -> on Allow nfs to be exported read only
> > > sh-3.2# /usr/sbin/semanage boolean -l | grep nfs
> > > xen_use_nfs -> off Allow xen to manage nfs files
[...]
> > > nfs_export_all_ro -> on Allow nfs to be exported read only
> >
> >
> > This time with the patch. :^)
>
> Offhand, the only problem I see is that semanage boolean -l then fails
> if /usr/share/selinux/devel/policy.xml doesn't exist, rather than just
> falling back to displaying the untranslated booleans.
>
> Also, is /usr/share/selinux/devel/policy.xml created by upstream
> refpolicy or is it Fedora-specific?
The infrastructure for building a policy.xml from the headers is
installed by upstream, but the policy.xml from refpolicy is not
installed. This allows 3rd parties to add their headers and then a
policy.xml can be built to include their module. Installing a
policy.xml there is a fedora-specific thing.
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
* Re: Patch to allow semanage to set boolean values and translate booleans via policy.xml
2007-11-09 18:38 ` Christopher J. PeBenito
@ 2007-11-09 19:47 ` Daniel J Walsh
2007-11-12 15:45 ` Christopher J. PeBenito
0 siblings, 1 reply; 9+ messages in thread
From: Daniel J Walsh @ 2007-11-09 19:47 UTC (permalink / raw)
To: Christopher J. PeBenito; +Cc: Stephen Smalley, SE Linux, Karl MacMillan
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Christopher J. PeBenito wrote:
> On Fri, 2007-11-09 at 11:25 -0500, Stephen Smalley wrote:
>> On Fri, 2007-11-02 at 15:58 -0400, Daniel J Walsh wrote:
>>> Also added translations of booleans to command line.
>>>
>>>> /usr/sbin/semanage boolean -l | grep nfs_export
>>>> nfs_export_all_rw -> off Allow nfs to be exported read/write.
>>>> nfs_export_all_ro -> on Allow nfs to be exported read only
>>>> sh-3.2# /usr/sbin/semanage boolean -l | grep nfs
>>>> xen_use_nfs -> off Allow xen to manage nfs files
> [...]
>>>> nfs_export_all_ro -> on Allow nfs to be exported read only
>>>
>>> This time with the patch. :^)
>> Offhand, the only problem I see is that semanage boolean -l then fails
>> if /usr/share/selinux/devel/policy.xml doesn't exist, rather than just
>> falling back to displaying the untranslated booleans.
>>
>> Also, is /usr/share/selinux/devel/policy.xml created by upstream
>> refpolicy or is it Fedora-specific?
>
> The infrastructure for building a policy.xml from the headers is
> installed by upstream, but the policy.xml from refpolicy is not
> installed. This allows 3rd parties to add their headers and then a
> policy.xml can be built to include their module. Installing a
> policy.xml there is a fedora-specific thing.
>
If I want to rebuild it after an interface file gets installed or want
to add my own xml to it, what do I need to do?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iD8DBQFHNLlNrlYvE4MpobMRAn/RAJ4y28V9+rWAyMGHHPrfMxB4wJkZBwCfb4FE
k6KJbDFjCm/b4scaLCmxTwE=
=HzOo
-----END PGP SIGNATURE-----
* Re: Patch to allow semanage to set boolean values and translate booleans via policy.xml
2007-11-09 19:47 ` Daniel J Walsh
@ 2007-11-12 15:45 ` Christopher J. PeBenito
2007-11-14 18:57 ` Daniel J Walsh
0 siblings, 1 reply; 9+ messages in thread
From: Christopher J. PeBenito @ 2007-11-12 15:45 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: Stephen Smalley, SE Linux, Karl MacMillan
On Fri, 2007-11-09 at 14:47 -0500, Daniel J Walsh wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Christopher J. PeBenito wrote:
> > On Fri, 2007-11-09 at 11:25 -0500, Stephen Smalley wrote:
> >> On Fri, 2007-11-02 at 15:58 -0400, Daniel J Walsh wrote:
> >>> Also added translations of booleans to command line.
> >>>
> >>>> /usr/sbin/semanage boolean -l | grep nfs_export
> >>>> nfs_export_all_rw -> off Allow nfs to be exported read/write.
> >>>> nfs_export_all_ro -> on Allow nfs to be exported read only
> >>>> sh-3.2# /usr/sbin/semanage boolean -l | grep nfs
> >>>> xen_use_nfs -> off Allow xen to manage nfs files
> > [...]
> >>>> nfs_export_all_ro -> on Allow nfs to be exported read only
> >>>
> >>> This time with the patch. :^)
> >> Offhand, the only problem I see is that semanage boolean -l then fails
> >> if /usr/share/selinux/devel/policy.xml doesn't exist, rather than just
> >> falling back to displaying the untranslated booleans.
> >>
> >> Also, is /usr/share/selinux/devel/policy.xml created by upstream
> >> refpolicy or is it Fedora-specific?
> >
> > The infrastructure for building a policy.xml from the headers is
> > installed by upstream, but the policy.xml from refpolicy is not
> > installed. This allows 3rd parties to add their headers and then a
> > policy.xml can be built to include their module. Installing a
> > policy.xml there is a fedora-specific thing.
> >
> If I want to rebuild it after an interface file gets installed or want
> to add my own xml to it, what do I need to do?
The 'xml' target from the headers makefile will build one. It uses the
xml in header if files, plus global_(booleans|tunables).xml which are
pre generated from the global_(booleans|tunables) in the source policy.
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
* Re: Patch to allow semanage to set boolean values and translate booleans via policy.xml
2007-11-12 15:45 ` Christopher J. PeBenito
@ 2007-11-14 18:57 ` Daniel J Walsh
2007-11-14 20:14 ` Christopher J. PeBenito
0 siblings, 1 reply; 9+ messages in thread
From: Daniel J Walsh @ 2007-11-14 18:57 UTC (permalink / raw)
To: Christopher J. PeBenito; +Cc: Stephen Smalley, SE Linux, Karl MacMillan
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Christopher J. PeBenito wrote:
> On Fri, 2007-11-09 at 14:47 -0500, Daniel J Walsh wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Christopher J. PeBenito wrote:
>>> On Fri, 2007-11-09 at 11:25 -0500, Stephen Smalley wrote:
>>>> On Fri, 2007-11-02 at 15:58 -0400, Daniel J Walsh wrote:
>>>>> Also added translations of booleans to command line.
>>>>>
>>>>>> /usr/sbin/semanage boolean -l | grep nfs_export
>>>>>> nfs_export_all_rw -> off Allow nfs to be exported read/write.
>>>>>> nfs_export_all_ro -> on Allow nfs to be exported read only
>>>>>> sh-3.2# /usr/sbin/semanage boolean -l | grep nfs
>>>>>> xen_use_nfs -> off Allow xen to manage nfs files
>>> [...]
>>>>>> nfs_export_all_ro -> on Allow nfs to be exported read only
>>>>> This time with the patch. :^)
>>>> Offhand, the only problem I see is that semanage boolean -l then fails
>>>> if /usr/share/selinux/devel/policy.xml doesn't exist, rather than just
>>>> falling back to displaying the untranslated booleans.
>>>>
>>>> Also, is /usr/share/selinux/devel/policy.xml created by upstream
>>>> refpolicy or is it Fedora-specific?
>>> The infrastructure for building a policy.xml from the headers is
>>> installed by upstream, but the policy.xml from refpolicy is not
>>> installed. This allows 3rd parties to add their headers and then a
>>> policy.xml can be built to include their module. Installing a
>>> policy.xml there is a fedora-specific thing.
>>>
>> If I want to rebuild it after an interface file gets installed or want
>> to add my own xml to it, what do I need to do?
>
> The 'xml' target from the headers makefile will build one. It uses the
> xml in header if files, plus global_(booleans|tunables).xml which are
> pre-generated from the global_(booleans|tunables) in the source policy.
>
I am not sure how you intend this to work.
Currently we ship policy.xml and the xml files for each *.if file. We do
not ship the xml files for each directory: admin.xml, apps.xml, services.xml.
I would have thought the third party would ship their own xml and if
file say myapp.if and myapp.xml. Install them in
/usr/share/selinux/devel/include/services.
Then they would execute make -f /usr/share/selinux/devel/Makefile xml
And it would rebuild the policy.xml including their changes.
Is this what you are thinking?
Dan
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iD8DBQFHO0UdrlYvE4MpobMRAlYJAJ99NXipSygr5iNhSQdJWVlBKTi6pwCfeoIm
XdUxyvk9nHynq/UVDpXMKAg=
=yXWp
-----END PGP SIGNATURE-----
* Re: Patch to allow semanage to set boolean values and translate booleans via policy.xml
2007-11-14 18:57 ` Daniel J Walsh
@ 2007-11-14 20:14 ` Christopher J. PeBenito
0 siblings, 0 replies; 9+ messages in thread
From: Christopher J. PeBenito @ 2007-11-14 20:14 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: Stephen Smalley, SE Linux, Karl MacMillan
On Wed, 2007-11-14 at 13:57 -0500, Daniel J Walsh wrote:
> Christopher J. PeBenito wrote:
> > On Fri, 2007-11-09 at 14:47 -0500, Daniel J Walsh wrote:
> >> Christopher J. PeBenito wrote:
> >>> On Fri, 2007-11-09 at 11:25 -0500, Stephen Smalley wrote:
> >>>> On Fri, 2007-11-02 at 15:58 -0400, Daniel J Walsh wrote:
> >>>>> Also added translations of booleans to command line.
> >>>>>
> >>>>>> /usr/sbin/semanage boolean -l | grep nfs_export
> >>>>>> nfs_export_all_rw -> off Allow nfs to be exported read/write.
> >>>>>> nfs_export_all_ro -> on Allow nfs to be exported read only
> >>>>>> sh-3.2# /usr/sbin/semanage boolean -l | grep nfs
> >>>>>> xen_use_nfs -> off Allow xen to manage nfs files
> >>> [...]
> >>>>>> nfs_export_all_ro -> on Allow nfs to be exported read only
> >>>>> This time with the patch. :^)
> >>>> Offhand, the only problem I see is that semanage boolean -l then fails
> >>>> if /usr/share/selinux/devel/policy.xml doesn't exist, rather than just
> >>>> falling back to displaying the untranslated booleans.
> >>>>
> >>>> Also, is /usr/share/selinux/devel/policy.xml created by upstream
> >>>> refpolicy or is it Fedora-specific?
> >>> The infrastructure for building a policy.xml from the headers is
> >>> installed by upstream, but the policy.xml from refpolicy is not
> >>> installed. This allows 3rd parties to add their headers and then a
> >>> policy.xml can be built to include their module. Installing a
> >>> policy.xml there is a fedora-specific thing.
> >>>
> >> If I want to rebuild it after an interface file gets installed or want
> >> to add my own xml to it, what do I need to do?
> >
> > The 'xml' target from the headers makefile will build one. It uses the
> > xml in header if files, plus global_(booleans|tunables).xml which are
> > pre-generated from the global_(booleans|tunables) in the source policy.
> >
> I am not sure how you intend this to work.
>
> Currently we ship policy.xml and the xml files for each *.if file. We do
> not ship the xml files for each directory: admin.xml, apps.xml, services.xml.
>
> I would have thought the third party would ship their own xml and if
> file say myapp.if and myapp.xml. Install them in
> /usr/share/selinux/devel/include/services.
Sorry, yes it uses the xml for each module, since it includes any
booleans/tunables that are declared in the te file, which isn't
installed in the headers. So a 3rd party putting their .xml for their
module in there should get included.
> Then they would execute make -f /usr/share/selinux/devel/Makefile xml
>
> And it would rebuild the policy.xml including their changes.
>
> Is this what you are thinking?
Something like that.
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
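The thread settles on a workflow: a third party drops its own module .xml next to its .if under /usr/share/selinux/devel/include, runs `make -f /usr/share/selinux/devel/Makefile xml` to rebuild policy.xml, and semanage then translates boolean names into descriptions from that file. Stephen Smalley's review point is the failure mode: if policy.xml is absent the listing must fall back to untranslated names rather than fail. The block below is an added example written for this page; it is not semanage's own code nor anything from refpolicy or Fedora. It assumes the policy.xml layout is layer > module > bool/tunable elements carrying a `<desc><p>` description (my recollection of the refpolicy format, labelled as an assumption), the sample document and the boolean values are constructed, and `load_descriptions` / `list_booleans` are hypothetical names.

```python
"""Translate SELinux boolean names via a policy.xml, falling back to raw names.

Added example, not semanage's implementation. The XML layout is an assumption
about refpolicy's policy.xml; the sample document below is constructed.
"""
import os
import tempfile
import xml.etree.ElementTree as ET

# Path the thread discusses; used only as a default here.
DEFAULT_POLICY_XML = "/usr/share/selinux/devel/policy.xml"

# Constructed sample in the assumed layout (layer > module > bool/tunable).
SAMPLE_POLICY_XML = """<?xml version="1.0"?>
<policy>
  <layer name="services">
    <module name="nfs">
      <tunable name="nfs_export_all_rw" dftval="false">
        <desc><p>Allow nfs to be exported read/write.</p></desc>
      </tunable>
      <tunable name="nfs_export_all_ro" dftval="true">
        <desc><p>Allow nfs to be exported read only</p></desc>
      </tunable>
    </module>
  </layer>
  <layer name="system">
    <module name="xen">
      <bool name="xen_use_nfs" dftval="false">
        <desc><p>Allow xen to manage nfs files</p></desc>
      </bool>
    </module>
  </layer>
</policy>
"""

# Constructed stand-in for the current boolean states semanage would read
# from the kernel; httpd_use_nfs deliberately has no entry in the sample XML.
SAMPLE_BOOLEANS = {
    "nfs_export_all_rw": 0,
    "nfs_export_all_ro": 1,
    "xen_use_nfs": 0,
    "httpd_use_nfs": 0,
}


def write_sample_policy():
    """Write the constructed sample to a temporary file and return its path."""
    fd, path = tempfile.mkstemp(prefix="policy-", suffix=".xml")
    with os.fdopen(fd, "w") as fh:
        fh.write(SAMPLE_POLICY_XML)
    return path


def load_descriptions(path=DEFAULT_POLICY_XML):
    """Return {boolean_name: description} parsed from policy.xml.

    A missing or malformed file yields an empty mapping so that callers can
    still list booleans untranslated, which is the fallback the review asked for.
    """
    try:
        tree = ET.parse(path)
    except (OSError, ET.ParseError):
        return {}
    descs = {}
    for module in tree.getroot().iter("module"):
        # Both declared booleans (<bool>) and tunables (<tunable>) carry a name
        # attribute and a <desc><p> paragraph in the assumed layout.
        for node in list(module.iter("bool")) + list(module.iter("tunable")):
            name = node.get("name")
            para = node.find("desc/p")
            if name and para is not None and para.text:
                descs[name] = " ".join(para.text.split())
    return descs


def list_booleans(values, descs):
    """Render 'name -> on|off description' lines as the thread's output shows.

    Names absent from descs are printed untranslated (no trailing text).
    """
    lines = []
    for name in sorted(values):
        state = "on" if values[name] else "off"
        lines.append(f"{name} -> {state} {descs.get(name, '')}".rstrip())
    return lines


if __name__ == "__main__":
    sample = write_sample_policy()
    for line in list_booleans(SAMPLE_BOOLEANS, load_descriptions(sample)):
        print(line)
    # Same listing when policy.xml is missing: names still appear, untranslated.
    for line in list_booleans(SAMPLE_BOOLEANS, load_descriptions("/nonexistent/policy.xml")):
        print(line)
```

The point of the two calls at the bottom is the second one: with no policy.xml present, `load_descriptions` returns an empty map and every boolean is still listed, so an operator on a system without the Fedora-specific file loses descriptions, not the listing.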
Thread overview: 9+ messages
2007-11-02 19:57 Patch to allow semanage to set boolean values and translate booleans via policy.xml Daniel J Walsh
2007-11-02 19:58 Daniel J Walsh
2007-11-09 16:25 ` Stephen Smalley
2007-11-09 17:05 ` Daniel J Walsh
2007-11-09 18:38 ` Christopher J. PeBenito
2007-11-09 19:47 ` Daniel J Walsh
2007-11-12 15:45 ` Christopher J. PeBenito
2007-11-14 18:57 ` Daniel J Walsh
2007-11-14 20:14 ` Christopher J. PeBenito