Patch to allow semanage to set boolean values and translate booleans via policy.xml

Patch to allow semanage to set boolean values and translate booleans via policy.xml

[Daniel J Walsh]

[-- Attachment #1: Type: text/plain, Size: 1627 bytes --]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Also added translations of booleans to command line.

> /usr/sbin/semanage boolean -l  | grep nfs_export
> nfs_export_all_rw              -> off   Allow nfs to be exported read/write.
> nfs_export_all_ro              -> on    Allow nfs to be exported read only
> sh-3.2# /usr/sbin/semanage boolean -l  | grep nfs
> xen_use_nfs                    -> off   Allow xen to manage nfs files
> use_nfs_home_dirs              -> on    Support NFS home directories
> allow_ftpd_use_nfs             -> off   Allow ftp servers to use nfs used for public file transfer services.
> cdrecord_read_content          -> off   Allow cdrecord to read various content. nfs, samba, removable devices, user temp and untrusted content files
> httpd_use_nfs                  -> off   Allow httpd to read nfs files
> samba_share_nfs                -> off   Allow samba to export NFS volumes.
> mail_read_content              -> off   Allow email client to various content. nfs, samba, removable devices, user temp and untrusted content files
> allow_nfsd_anon_write          -> off   Allow nfs servers to modify public files used for public file transfer services.
> nfs_export_all_rw              -> off   Allow nfs to be exported read/write.
> nfs_export_all_ro              -> on    Allow nfs to be exported read only


This time with the patch.  :^)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFHK4F9rlYvE4MpobMRAr9eAJwNWFoe0+i7P2exSWAZRKb6ZNzUEgCgsymy
IRTVHeA8aa8boNYY9MTi/lA=
=UWlf
-----END PGP SIGNATURE-----

[-- Attachment #2: diff --]
[-- Type: text/plain, Size: 6206 bytes --]

diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/semanage policycoreutils-2.0.31/semanage/semanage
--- nsapolicycoreutils/semanage/semanage	2007-10-05 13:09:53.000000000 -0400
+++ policycoreutils-2.0.31/semanage/semanage	2007-11-02 15:50:54.000000000 -0400
@@ -1,5 +1,5 @@
 #! /usr/bin/python -E
-# Copyright (C) 2005 Red Hat 
+# Copyright (C) 2005, 2006, 2007 Red Hat 
 # see file 'COPYING' for use and warranty information
 #
 # semanage is a tool for managing SELinux configuration files
@@ -115,7 +115,7 @@
 		valid_option["translation"] = []
 		valid_option["translation"] += valid_everyone + [ '-T', '--trans' ] 
 		valid_option["boolean"] = []
-		valid_option["boolean"] += valid_everyone 
+		valid_option["boolean"] += valid_everyone + [ '--on', "--off", "-1", "-0" ] 
 		return valid_option
 
 	#
@@ -135,7 +135,7 @@
 		seuser = ""
 		prefix = ""
 		heading=1
-
+                value=0
 		add = 0
 		modify = 0
 		delete = 0
@@ -154,7 +154,7 @@
 		args = sys.argv[2:]
 
 		gopts, cmds = getopt.getopt(args,
-					    'adf:lhmnp:s:CDR:L:r:t:T:P:S:',
+					    '01adf:lhmnp:s:CDR:L:r:t:T:P:S:',
 					    ['add',
 					     'delete',
 					     'deleteall',
@@ -164,6 +164,8 @@
 					     'modify',
 					     'noheading',
 					     'localist',
+                                             'off', 
+                                             'on', 
 					     'proto=',
 					     'seuser=',
 					     'store=',
@@ -242,6 +244,11 @@
 			if o == "-T" or o == "--trans":
 				setrans = a
 
+                        if o == "--on" or o == "-1":
+                               value = 1
+                        if o == "-off" or o == "-0":
+                               value = 0
+
 		if object == "login":
 			OBJECT = seobject.loginRecords(store)
 
diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/seobject.py policycoreutils-2.0.31/semanage/seobject.py
--- nsapolicycoreutils/semanage/seobject.py	2007-10-07 21:46:43.000000000 -0400
+++ policycoreutils-2.0.31/semanage/seobject.py	2007-11-02 15:51:27.000000000 -0400
@@ -1,5 +1,5 @@
 #! /usr/bin/python -E
-# Copyright (C) 2005 Red Hat 
+# Copyright (C) 2005, 2006, 2007 Red Hat 
 # see file 'COPYING' for use and warranty information
 #
 # semanage is a tool for managing SELinux configuration files
@@ -1095,7 +1092,13 @@
 
                 return con
                
+        def validate(self, target):
+               if target == "" or target.find("\n") >= 0:
+                      raise ValueError(_("Invalid file specification"))
+                      
 	def add(self, target, type, ftype = "", serange = "", seuser = "system_u"):
+                self.validate(target)
+
 		if is_mls_enabled == 1:
                        serange = untranslate(serange)
 			
@@ -1154,6 +1157,7 @@
 	def modify(self, target, setype, ftype, serange, seuser):
 		if serange == "" and setype == "" and seuser == "":
 			raise ValueError(_("Requires setype, serange or seuser"))
+                self.validate(target)
 
 		(rc,k) = semanage_fcontext_key_create(self.sh, target, file_types[ftype])
 		if rc < 0:
@@ -1303,9 +1307,35 @@
 			else:
 				print "%-50s %-18s <<None>>" % (fcon[0], fcon[1])
 				
+import sys, os
+import re
+import xml.etree.ElementTree
+
 class booleanRecords(semanageRecords):
+
 	def __init__(self, store = ""):
 		semanageRecords.__init__(self, store)
+                self.dict={}
+
+                tree=xml.etree.ElementTree.parse("/usr/share/selinux/devel/policy.xml")
+                for l in  tree.findall("layer"):
+                       for m in  l.findall("module"):
+                              for b in  m.findall("tunable"):
+                                     desc = b.find("desc").find("p").text.strip("\n")
+                                     desc = re.sub("\n", " ", desc)
+                                     self.dict[b.get('name')] = (m.get("name"), b.get('dftval'), desc)
+                              for b in  m.findall("bool"):
+                                     desc = b.find("desc").find("p").text.strip("\n")
+                                     desc = re.sub("\n", " ", desc)
+                                     self.dict[b.get('name')] = (m.get("name"), b.get('dftval'), desc)
+                for i in  tree.findall("bool"):
+                       desc = i.find("desc").find("p").text.strip("\n")
+                       desc = re.sub("\n", " ", desc)
+                       self.dict[i.get('name')] = ("Global", i.get('dftval'), desc)
+                for i in  tree.findall("tunable"):
+                       desc = i.find("desc").find("p").text.strip("\n")
+                       desc = re.sub("\n", " ", desc)
+                       self.dict[i.get('name')] = ("Global", i.get('dftval'), desc)
 
 	def modify(self, name, value = ""):
 		if value == "":
@@ -1328,11 +1358,14 @@
 		if value != "":
 			nvalue = int(value)
 			semanage_bool_set_value(b, nvalue)
+                else:
+                       raise ValueError(_("You must specify a value"))
 
 		rc = semanage_begin_transaction(self.sh)
 		if rc < 0:
 			raise ValueError(_("Could not start semanage transaction"))
 
+                rc = semanage_bool_set_active(self.sh, k, b)
 		rc = semanage_bool_modify_local(self.sh, k, b)
 		if rc < 0:
 			raise ValueError(_("Could not modify boolean %s") % name)
@@ -1416,11 +1449,19 @@
 
 		return ddict
 			
+        def get_desc(self, boolean):
+               if boolean in self.dict:
+                      return _(self.dict[boolean][2])
+               else:
+                      return boolean
+
 	def list(self, heading = 1, locallist = 0):
+                on_off = (_("off"),_("on")) 
 		if heading:
-			print "%-50s %7s %7s %7s\n" % (_("SELinux boolean"), _("value"), _("pending"),  _("active") )
+			print "%-40s %s\n" % (_("SELinux boolean"), _("Description"))
 		ddict = self.get_all(locallist)
 		keys = ddict.keys()
 		for k in keys:
 			if ddict[k]:
-				print "%-50s %7d %7d %7d " % (k, ddict[k][0],ddict[k][1], ddict[k][2])
+				print "%-30s -> %-5s %s" %  (k, on_off[ddict[k][2]], self.get_desc(k))
+

[-- Attachment #3: diff.sig --]
[-- Type: application/octet-stream, Size: 65 bytes --]

Re: Patch to allow semanage to set boolean values and translate booleans via policy.xml

[Stephen Smalley]

On Fri, 2007-11-02 at 15:58 -0400, Daniel J Walsh wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Also added translations of booleans to command line.
> 
> > /usr/sbin/semanage boolean -l  | grep nfs_export
> > nfs_export_all_rw              -> off   Allow nfs to be exported read/write.
> > nfs_export_all_ro              -> on    Allow nfs to be exported read only
> > sh-3.2# /usr/sbin/semanage boolean -l  | grep nfs
> > xen_use_nfs                    -> off   Allow xen to manage nfs files
> > use_nfs_home_dirs              -> on    Support NFS home directories
> > allow_ftpd_use_nfs             -> off   Allow ftp servers to use nfs used for public file transfer services.
> > cdrecord_read_content          -> off   Allow cdrecord to read various content. nfs, samba, removable devices, user temp and untrusted content files
> > httpd_use_nfs                  -> off   Allow httpd to read nfs files
> > samba_share_nfs                -> off   Allow samba to export NFS volumes.
> > mail_read_content              -> off   Allow email client to various content. nfs, samba, removable devices, user temp and untrusted content files
> > allow_nfsd_anon_write          -> off   Allow nfs servers to modify public files used for public file transfer services.
> > nfs_export_all_rw              -> off   Allow nfs to be exported read/write.
> > nfs_export_all_ro              -> on    Allow nfs to be exported read only
> 
> 
> This time with the patch.  :^)

Offhand, the only problem I see it that semanage boolean -l then fails
if /usr/share/selinux/devel/policy.xml doesn't exist, rather than just
falling back to displaying the untranslated booleans.

Also, is /usr/share/selinux/devel/policy.xml created by upstream
refpolicy or is it Fedora-specific?


> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.7 (GNU/Linux)
> Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
> 
> iD8DBQFHK4F9rlYvE4MpobMRAr9eAJwNWFoe0+i7P2exSWAZRKb6ZNzUEgCgsymy
> IRTVHeA8aa8boNYY9MTi/lA=
> =UWlf
> -----END PGP SIGNATURE-----
> plain text document attachment (diff)
> diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/semanage policycoreutils-2.0.31/semanage/semanage
> --- nsapolicycoreutils/semanage/semanage	2007-10-05 13:09:53.000000000 -0400
> +++ policycoreutils-2.0.31/semanage/semanage	2007-11-02 15:50:54.000000000 -0400
> @@ -1,5 +1,5 @@
>  #! /usr/bin/python -E
> -# Copyright (C) 2005 Red Hat 
> +# Copyright (C) 2005, 2006, 2007 Red Hat 
>  # see file 'COPYING' for use and warranty information
>  #
>  # semanage is a tool for managing SELinux configuration files
> @@ -115,7 +115,7 @@
>  		valid_option["translation"] = []
>  		valid_option["translation"] += valid_everyone + [ '-T', '--trans' ] 
>  		valid_option["boolean"] = []
> -		valid_option["boolean"] += valid_everyone 
> +		valid_option["boolean"] += valid_everyone + [ '--on', "--off", "-1", "-0" ] 
>  		return valid_option
>  
>  	#
> @@ -135,7 +135,7 @@
>  		seuser = ""
>  		prefix = ""
>  		heading=1
> -
> +                value=0
>  		add = 0
>  		modify = 0
>  		delete = 0
> @@ -154,7 +154,7 @@
>  		args = sys.argv[2:]
>  
>  		gopts, cmds = getopt.getopt(args,
> -					    'adf:lhmnp:s:CDR:L:r:t:T:P:S:',
> +					    '01adf:lhmnp:s:CDR:L:r:t:T:P:S:',
>  					    ['add',
>  					     'delete',
>  					     'deleteall',
> @@ -164,6 +164,8 @@
>  					     'modify',
>  					     'noheading',
>  					     'localist',
> +                                             'off', 
> +                                             'on', 
>  					     'proto=',
>  					     'seuser=',
>  					     'store=',
> @@ -242,6 +244,11 @@
>  			if o == "-T" or o == "--trans":
>  				setrans = a
>  
> +                        if o == "--on" or o == "-1":
> +                               value = 1
> +                        if o == "-off" or o == "-0":
> +                               value = 0
> +
>  		if object == "login":
>  			OBJECT = seobject.loginRecords(store)
>  
> diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/seobject.py policycoreutils-2.0.31/semanage/seobject.py
> --- nsapolicycoreutils/semanage/seobject.py	2007-10-07 21:46:43.000000000 -0400
> +++ policycoreutils-2.0.31/semanage/seobject.py	2007-11-02 15:51:27.000000000 -0400
> @@ -1,5 +1,5 @@
>  #! /usr/bin/python -E
> -# Copyright (C) 2005 Red Hat 
> +# Copyright (C) 2005, 2006, 2007 Red Hat 
>  # see file 'COPYING' for use and warranty information
>  #
>  # semanage is a tool for managing SELinux configuration files
> @@ -1095,7 +1092,13 @@
>  
>                  return con
>                 
> +        def validate(self, target):
> +               if target == "" or target.find("\n") >= 0:
> +                      raise ValueError(_("Invalid file specification"))
> +                      
>  	def add(self, target, type, ftype = "", serange = "", seuser = "system_u"):
> +                self.validate(target)
> +
>  		if is_mls_enabled == 1:
>                         serange = untranslate(serange)
>  			
> @@ -1154,6 +1157,7 @@
>  	def modify(self, target, setype, ftype, serange, seuser):
>  		if serange == "" and setype == "" and seuser == "":
>  			raise ValueError(_("Requires setype, serange or seuser"))
> +                self.validate(target)
>  
>  		(rc,k) = semanage_fcontext_key_create(self.sh, target, file_types[ftype])
>  		if rc < 0:
> @@ -1303,9 +1307,35 @@
>  			else:
>  				print "%-50s %-18s <<None>>" % (fcon[0], fcon[1])
>  				
> +import sys, os
> +import re
> +import xml.etree.ElementTree
> +
>  class booleanRecords(semanageRecords):
> +
>  	def __init__(self, store = ""):
>  		semanageRecords.__init__(self, store)
> +                self.dict={}
> +
> +                tree=xml.etree.ElementTree.parse("/usr/share/selinux/devel/policy.xml")
> +                for l in  tree.findall("layer"):
> +                       for m in  l.findall("module"):
> +                              for b in  m.findall("tunable"):
> +                                     desc = b.find("desc").find("p").text.strip("\n")
> +                                     desc = re.sub("\n", " ", desc)
> +                                     self.dict[b.get('name')] = (m.get("name"), b.get('dftval'), desc)
> +                              for b in  m.findall("bool"):
> +                                     desc = b.find("desc").find("p").text.strip("\n")
> +                                     desc = re.sub("\n", " ", desc)
> +                                     self.dict[b.get('name')] = (m.get("name"), b.get('dftval'), desc)
> +                for i in  tree.findall("bool"):
> +                       desc = i.find("desc").find("p").text.strip("\n")
> +                       desc = re.sub("\n", " ", desc)
> +                       self.dict[i.get('name')] = ("Global", i.get('dftval'), desc)
> +                for i in  tree.findall("tunable"):
> +                       desc = i.find("desc").find("p").text.strip("\n")
> +                       desc = re.sub("\n", " ", desc)
> +                       self.dict[i.get('name')] = ("Global", i.get('dftval'), desc)
>  
>  	def modify(self, name, value = ""):
>  		if value == "":
> @@ -1328,11 +1358,14 @@
>  		if value != "":
>  			nvalue = int(value)
>  			semanage_bool_set_value(b, nvalue)
> +                else:
> +                       raise ValueError(_("You must specify a value"))
>  
>  		rc = semanage_begin_transaction(self.sh)
>  		if rc < 0:
>  			raise ValueError(_("Could not start semanage transaction"))
>  
> +                rc = semanage_bool_set_active(self.sh, k, b)
>  		rc = semanage_bool_modify_local(self.sh, k, b)
>  		if rc < 0:
>  			raise ValueError(_("Could not modify boolean %s") % name)
> @@ -1416,11 +1449,19 @@
>  
>  		return ddict
>  			
> +        def get_desc(self, boolean):
> +               if boolean in self.dict:
> +                      return _(self.dict[boolean][2])
> +               else:
> +                      return boolean
> +
>  	def list(self, heading = 1, locallist = 0):
> +                on_off = (_("off"),_("on")) 
>  		if heading:
> -			print "%-50s %7s %7s %7s\n" % (_("SELinux boolean"), _("value"), _("pending"),  _("active") )
> +			print "%-40s %s\n" % (_("SELinux boolean"), _("Description"))
>  		ddict = self.get_all(locallist)
>  		keys = ddict.keys()
>  		for k in keys:
>  			if ddict[k]:
> -				print "%-50s %7d %7d %7d " % (k, ddict[k][0],ddict[k][1], ddict[k][2])
> +				print "%-30s -> %-5s %s" %  (k, on_off[ddict[k][2]], self.get_desc(k))
> +
-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Patch to allow semanage to set boolean values and translate booleans via policy.xml

[Daniel J Walsh]

[-- Attachment #1: Type: text/plain, Size: 2755 bytes --]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Stephen Smalley wrote:
> On Fri, 2007-11-02 at 15:58 -0400, Daniel J Walsh wrote:
> Also added translations of booleans to command line.
> 
>>>> /usr/sbin/semanage boolean -l  | grep nfs_export
>>>> nfs_export_all_rw              -> off   Allow nfs to be exported read/write.
>>>> nfs_export_all_ro              -> on    Allow nfs to be exported read only
>>>> sh-3.2# /usr/sbin/semanage boolean -l  | grep nfs
>>>> xen_use_nfs                    -> off   Allow xen to manage nfs files
>>>> use_nfs_home_dirs              -> on    Support NFS home directories
>>>> allow_ftpd_use_nfs             -> off   Allow ftp servers to use nfs used for public file transfer services.
>>>> cdrecord_read_content          -> off   Allow cdrecord to read various content. nfs, samba, removable devices, user temp and untrusted content files
>>>> httpd_use_nfs                  -> off   Allow httpd to read nfs files
>>>> samba_share_nfs                -> off   Allow samba to export NFS volumes.
>>>> mail_read_content              -> off   Allow email client to various content. nfs, samba, removable devices, user temp and untrusted content files
>>>> allow_nfsd_anon_write          -> off   Allow nfs servers to modify public files used for public file transfer services.
>>>> nfs_export_all_rw              -> off   Allow nfs to be exported read/write.
>>>> nfs_export_all_ro              -> on    Allow nfs to be exported read only
> 
> This time with the patch.  :^)
> 
>> Offhand, the only problem I see it that semanage boolean -l then fails
>> if /usr/share/selinux/devel/policy.xml doesn't exist, rather than just
>> falling back to displaying the untranslated booleans.
> 
>> Also, is /usr/share/selinux/devel/policy.xml created by upstream
>> refpolicy or is it Fedora-specific?
> 
> 
policy.xml is generated in the build procedure, so it is combined
reference polciy plus my patches.

Updated patch to do a fallback.

Two problems with policy.xml right now.

1.  Third parties have no way of updating it.
     semodule should automatically generate the XML and edit policy.xml
2.  Generated booleans within an interface do not get xml

semanage boolean -l | grep xguest
browser_write_xguest_data      -> off   browser_write_xguest_data
allow_xguest_exec_content      -> off   allow_xguest_exec_content
browser_confine_xguest         -> on    browser_confine_xguest

    We need to change a way to add documentation to booleans created
within an interface.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFHNJNSrlYvE4MpobMRAqiyAJ9Mm/TKM393yIGp+vSNSKKYk+JZCgCdF+Bi
dxKEDLRVlIKlXvy10+QysUQ=
=UVHb
-----END PGP SIGNATURE-----

[-- Attachment #2: diff --]
[-- Type: text/plain, Size: 6241 bytes --]

diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/semanage policycoreutils-2.0.31/semanage/semanage
--- nsapolicycoreutils/semanage/semanage	2007-10-05 13:09:53.000000000 -0400
+++ policycoreutils-2.0.31/semanage/semanage	2007-11-02 15:54:42.000000000 -0400
@@ -1,5 +1,5 @@
 #! /usr/bin/python -E
-# Copyright (C) 2005 Red Hat 
+# Copyright (C) 2005, 2006, 2007 Red Hat 
 # see file 'COPYING' for use and warranty information
 #
 # semanage is a tool for managing SELinux configuration files
@@ -115,7 +115,7 @@
 		valid_option["translation"] = []
 		valid_option["translation"] += valid_everyone + [ '-T', '--trans' ] 
 		valid_option["boolean"] = []
-		valid_option["boolean"] += valid_everyone 
+		valid_option["boolean"] += valid_everyone + [ '--on', "--off", "-1", "-0" ] 
 		return valid_option
 
 	#
@@ -135,7 +135,7 @@
 		seuser = ""
 		prefix = ""
 		heading=1
-
+                value=0
 		add = 0
 		modify = 0
 		delete = 0
@@ -154,7 +154,7 @@
 		args = sys.argv[2:]
 
 		gopts, cmds = getopt.getopt(args,
-					    'adf:lhmnp:s:CDR:L:r:t:T:P:S:',
+					    '01adf:lhmnp:s:CDR:L:r:t:T:P:S:',
 					    ['add',
 					     'delete',
 					     'deleteall',
@@ -164,6 +164,8 @@
 					     'modify',
 					     'noheading',
 					     'localist',
+                                             'off', 
+                                             'on', 
 					     'proto=',
 					     'seuser=',
 					     'store=',
@@ -242,6 +244,11 @@
 			if o == "-T" or o == "--trans":
 				setrans = a
 
+                        if o == "--on" or o == "-1":
+                               value = 1
+                        if o == "-off" or o == "-0":
+                               value = 0
+
 		if object == "login":
 			OBJECT = seobject.loginRecords(store)
 
diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/seobject.py policycoreutils-2.0.31/semanage/seobject.py
--- nsapolicycoreutils/semanage/seobject.py	2007-10-07 21:46:43.000000000 -0400
+++ policycoreutils-2.0.31/semanage/seobject.py	2007-11-09 12:00:35.000000000 -0500
@@ -1,5 +1,5 @@
 #! /usr/bin/python -E
-# Copyright (C) 2005 Red Hat 
+# Copyright (C) 2005, 2006, 2007 Red Hat 
 # see file 'COPYING' for use and warranty information
 #
 # semanage is a tool for managing SELinux configuration files
@@ -88,6 +88,35 @@
 			
 mylog = logger()		
 
+import sys, os
+import re
+import xml.etree.ElementTree
+
+booleans_dict={}
+try:
+       tree=xml.etree.ElementTree.parse("/usr/share/selinux/devel/policy.xml")
+       for l in  tree.findall("layer"):
+              for m in  l.findall("module"):
+                     for b in  m.findall("tunable"):
+                            desc = b.find("desc").find("p").text.strip("\n")
+                            desc = re.sub("\n", " ", desc)
+                            booleans_dict[b.get('name')] = (m.get("name"), b.get('dftval'), desc)
+                     for b in  m.findall("bool"):
+                            desc = b.find("desc").find("p").text.strip("\n")
+                            desc = re.sub("\n", " ", desc)
+                            booleans_dict[b.get('name')] = (m.get("name"), b.get('dftval'), desc)
+              for i in  tree.findall("bool"):
+                     desc = i.find("desc").find("p").text.strip("\n")
+                     desc = re.sub("\n", " ", desc)
+                     booleans_dict[i.get('name')] = (_("global"), i.get('dftval'), desc)
+       for i in  tree.findall("tunable"):
+              desc = i.find("desc").find("p").text.strip("\n")
+              desc = re.sub("\n", " ", desc)
+              booleans_dict[i.get('name')] = (_("global"), i.get('dftval'), desc)
+except IOError, e:
+       print _("Failed to translate booleans.\n%s") % e
+       pass
+
 def validate_level(raw):
 	sensitivity = "s[0-9]*"
 	category = "c[0-9]*"
@@ -1095,7 +1121,13 @@
 
                 return con
                
+        def validate(self, target):
+               if target == "" or target.find("\n") >= 0:
+                      raise ValueError(_("Invalid file specification"))
+                      
 	def add(self, target, type, ftype = "", serange = "", seuser = "system_u"):
+                self.validate(target)
+
 		if is_mls_enabled == 1:
                        serange = untranslate(serange)
 			
@@ -1154,6 +1186,7 @@
 	def modify(self, target, setype, ftype, serange, seuser):
 		if serange == "" and setype == "" and seuser == "":
 			raise ValueError(_("Requires setype, serange or seuser"))
+                self.validate(target)
 
 		(rc,k) = semanage_fcontext_key_create(self.sh, target, file_types[ftype])
 		if rc < 0:
@@ -1328,11 +1362,14 @@
 		if value != "":
 			nvalue = int(value)
 			semanage_bool_set_value(b, nvalue)
+                else:
+                       raise ValueError(_("You must specify a value"))
 
 		rc = semanage_begin_transaction(self.sh)
 		if rc < 0:
 			raise ValueError(_("Could not start semanage transaction"))
 
+                rc = semanage_bool_set_active(self.sh, k, b)
 		rc = semanage_bool_modify_local(self.sh, k, b)
 		if rc < 0:
 			raise ValueError(_("Could not modify boolean %s") % name)
@@ -1416,11 +1453,25 @@
 
 		return ddict
 			
+        def get_desc(self, boolean):
+               if boolean in booleans_dict:
+                      return _(booleans_dict[boolean][2])
+               else:
+                      return boolean
+
+        def get_category(self, boolean):
+               if boolean in booleans_dict:
+                      return _(booleans_dict[boolean][0])
+               else:
+                      return _("unknown")
+
 	def list(self, heading = 1, locallist = 0):
+                on_off = (_("off"),_("on")) 
 		if heading:
-			print "%-50s %7s %7s %7s\n" % (_("SELinux boolean"), _("value"), _("pending"),  _("active") )
+			print "%-40s %s\n" % (_("SELinux boolean"), _("Description"))
 		ddict = self.get_all(locallist)
 		keys = ddict.keys()
 		for k in keys:
 			if ddict[k]:
-				print "%-50s %7d %7d %7d " % (k, ddict[k][0],ddict[k][1], ddict[k][2])
+				print "%-30s -> %-5s %s" %  (k, on_off[ddict[k][2]], self.get_desc(k))
+

[-- Attachment #3: diff.sig --]
[-- Type: application/octet-stream, Size: 65 bytes --]

Effect of changing SELinux package versions...

[Hasan Rezaul-CHR010]

Hi All,

The current customized version of Linux that I have comes with certain
versions of the SELinux libs/packages  (shown on the left column below).

Lets just say I am being forced to move to a newer version of Linux,
which will force me to move to the SELinux libs/packages shown below (on
the right column). 


1.  audit 1.0.14-1            audit 1.5.3
2.  libselinux 1.34.7         libselinux 2.0.13
3.  libsemanage 1.6.17-1      libsemanage 2.0.1
4.  libsepol 1.16.1           libsepol 2.0.3
5.  libsetrans 0.1.18         libsetrans 0.1.18
6.  mcstrans N/A              mcstrans 0.2.5
7.  policycoreutils 1.34.6    policycoreutils 2.0.16
8.  setools 3.0-2             setools 3.2-0


With the libs/package versions that I have on the left column, I am
moderately happy  :-)  Everything generally works the way I need them to
in "Permissive" mode.  The only problematic behavior I have seen is with
the Enforcing mode, where my Linux Card just resets after ~5 minutes for
no reason !

I was trying to evaluate any risks/surprises of upgrading to the
versions shown on the right. 

Would anyone be able to give me a risk/benefit/concern  assessment for
upgrading each of the libs/packages shown above. I am trying to
anticipate any problems I might have by going to the newer versions.

Thanks in advance,

- Rezaul.





--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Effect of changing SELinux package versions...

[Stephen Smalley]

On Fri, 2007-11-09 at 13:59 -0500, Hasan Rezaul-CHR010 wrote:
> Hi All,
> 
> The current customized version of Linux that I have comes with certain
> versions of the SELinux libs/packages  (shown on the left column below).
> 
> Lets just say I am being forced to move to a newer version of Linux,
> which will force me to move to the SELinux libs/packages shown below (on
> the right column). 
 
By "newer version of Linux", do you just mean a newer kernel or a newer
distribution?  If the former, why do you think you need to move to newer
SELinux userland?  Are these just the versions of the packages that
happened to ship in a given distribution release and you're moving from
e.g. FC6 to F7?

> 
> 1.  audit 1.0.14-1            audit 1.5.3
> 2.  libselinux 1.34.7         libselinux 2.0.13
> 3.  libsemanage 1.6.17-1      libsemanage 2.0.1
> 4.  libsepol 1.16.1           libsepol 2.0.3
> 5.  libsetrans 0.1.18         libsetrans 0.1.18
> 6.  mcstrans N/A              mcstrans 0.2.5
> 7.  policycoreutils 1.34.6    policycoreutils 2.0.16
> 8.  setools 3.0-2             setools 3.2-0
> 
> 
> With the libs/package versions that I have on the left column, I am
> moderately happy  :-)  Everything generally works the way I need them to
> in "Permissive" mode.  The only problematic behavior I have seen is with
> the Enforcing mode, where my Linux Card just resets after ~5 minutes for
> no reason !

Hmm...well, it would be nice to know more about that.

> I was trying to evaluate any risks/surprises of upgrading to the
> versions shown on the right. 
> 
> Would anyone be able to give me a risk/benefit/concern  assessment for
> upgrading each of the libs/packages shown above. I am trying to
> anticipate any problems I might have by going to the newer versions.

Offhand I don't see any cause for concern there, but am wondering
whether there is any particular reason for the specific versions above
(vs. the latest).  The only real issue is ensuring that you update to a
consistent snapshot of all the packages at once, as they can have
interdependencies (e.g. newer policycoreutils will often depend on new
interfaces introduced in the newer libsemanage or libselinux).

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

RE: Effect of changing SELinux package versions...

[Hasan Rezaul-CHR010]

Yes, by "newer version of Linux", I meant a newer Linux distribution
that has newer versions of the SELinux packages in it.

Is it safe to say that the latest STABLE versions of the core userland
SELinux packages are:

libsepol-1.16.6
checkpolicy-1.34.3
libselinux-1.34.13
libsemanage-1.10.5
policycoreutils-1.34.11

Regarding the "Enforcing" mode problems, I will dig into it a bit more
and then will give you more accurate details...

Thanks,

- Rezaul. 


-----Original Message-----
From: Stephen Smalley [mailto:sds@tycho.nsa.gov] 
Sent: Friday, November 09, 2007 1:40 PM
To: Hasan Rezaul-CHR010
Cc: Daniel J Walsh; SE Linux; Christopher J. PeBenito; Karl MacMillan;
Steve Grubb
Subject: Re: Effect of changing SELinux package versions...

On Fri, 2007-11-09 at 13:59 -0500, Hasan Rezaul-CHR010 wrote:
> Hi All,
> 
> The current customized version of Linux that I have comes with certain
> versions of the SELinux libs/packages  (shown on the left column
below).
> 
> Lets just say I am being forced to move to a newer version of Linux,
> which will force me to move to the SELinux libs/packages shown below
(on
> the right column). 
 
By "newer version of Linux", do you just mean a newer kernel or a newer
distribution?  If the former, why do you think you need to move to newer
SELinux userland?  Are these just the versions of the packages that
happened to ship in a given distribution release and you're moving from
e.g. FC6 to F7?

> 
> 1.  audit 1.0.14-1            audit 1.5.3
> 2.  libselinux 1.34.7         libselinux 2.0.13
> 3.  libsemanage 1.6.17-1      libsemanage 2.0.1
> 4.  libsepol 1.16.1           libsepol 2.0.3
> 5.  libsetrans 0.1.18         libsetrans 0.1.18
> 6.  mcstrans N/A              mcstrans 0.2.5
> 7.  policycoreutils 1.34.6    policycoreutils 2.0.16
> 8.  setools 3.0-2             setools 3.2-0
> 
> 
> With the libs/package versions that I have on the left column, I am
> moderately happy  :-)  Everything generally works the way I need them
to
> in "Permissive" mode.  The only problematic behavior I have seen is
with
> the Enforcing mode, where my Linux Card just resets after ~5 minutes
for
> no reason !

Hmm...well, it would be nice to know more about that.

> I was trying to evaluate any risks/surprises of upgrading to the
> versions shown on the right. 
> 
> Would anyone be able to give me a risk/benefit/concern  assessment for
> upgrading each of the libs/packages shown above. I am trying to
> anticipate any problems I might have by going to the newer versions.

Offhand I don't see any cause for concern there, but am wondering
whether there is any particular reason for the specific versions above
(vs. the latest).  The only real issue is ensuring that you update to a
consistent snapshot of all the packages at once, as they can have
interdependencies (e.g. newer policycoreutils will often depend on new
interfaces introduced in the newer libsemanage or libselinux).

-- 
Stephen Smalley
National Security Agency



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

RE: Effect of changing SELinux package versions...

[Hasan Rezaul-CHR010]

Hi Stephen,

So turns out that the core SELinux packages shown below are the versions
in Fedora Core 7.

Are these versions known to be stable versions that will work well
together ?  If not, where can I find the latest set of stable core
SELinux packages ?

> 1.  audit 1.5.3
> 2.  libselinux 2.0.13
> 3.  libsemanage 2.0.1
> 4.  libsepol 2.0.3
> 5.  libsetrans 0.1.18
> 6.  mcstrans 0.2.5
> 7.  policycoreutils 2.0.16
> 8.  setools 3.2-0

Thanks,

- Rezaul.
 

-----Original Message-----
From: Stephen Smalley [mailto:sds@tycho.nsa.gov] 
Sent: Friday, November 09, 2007 1:40 PM
To: Hasan Rezaul-CHR010
Cc: Daniel J Walsh; SE Linux; Christopher J. PeBenito; Karl MacMillan;
Steve Grubb
Subject: Re: Effect of changing SELinux package versions...

On Fri, 2007-11-09 at 13:59 -0500, Hasan Rezaul-CHR010 wrote:
> Hi All,
> 
> The current customized version of Linux that I have comes with certain
> versions of the SELinux libs/packages  (shown on the left column
below).
> 
> Lets just say I am being forced to move to a newer version of Linux,
> which will force me to move to the SELinux libs/packages shown below
(on
> the right column). 
 
By "newer version of Linux", do you just mean a newer kernel or a newer
distribution?  If the former, why do you think you need to move to newer
SELinux userland?  Are these just the versions of the packages that
happened to ship in a given distribution release and you're moving from
e.g. FC6 to F7?

> 
> 1.  audit 1.0.14-1            audit 1.5.3
> 2.  libselinux 1.34.7         libselinux 2.0.13
> 3.  libsemanage 1.6.17-1      libsemanage 2.0.1
> 4.  libsepol 1.16.1           libsepol 2.0.3
> 5.  libsetrans 0.1.18         libsetrans 0.1.18
> 6.  mcstrans N/A              mcstrans 0.2.5
> 7.  policycoreutils 1.34.6    policycoreutils 2.0.16
> 8.  setools 3.0-2             setools 3.2-0
> 
> 
> With the libs/package versions that I have on the left column, I am
> moderately happy  :-)  Everything generally works the way I need them
to
> in "Permissive" mode.  The only problematic behavior I have seen is
with
> the Enforcing mode, where my Linux Card just resets after ~5 minutes
for
> no reason !

Hmm...well, it would be nice to know more about that.

> I was trying to evaluate any risks/surprises of upgrading to the
> versions shown on the right. 
> 
> Would anyone be able to give me a risk/benefit/concern  assessment for
> upgrading each of the libs/packages shown above. I am trying to
> anticipate any problems I might have by going to the newer versions.

Offhand I don't see any cause for concern there, but am wondering
whether there is any particular reason for the specific versions above
(vs. the latest).  The only real issue is ensuring that you update to a
consistent snapshot of all the packages at once, as they can have
interdependencies (e.g. newer policycoreutils will often depend on new
interfaces introduced in the newer libsemanage or libselinux).

-- 
Stephen Smalley
National Security Agency



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

RE: Effect of changing SELinux package versions...

[Stephen Smalley]

On Wed, 2007-12-05 at 13:00 -0500, Hasan Rezaul-CHR010 wrote:
> Hi Stephen,
> 
> So turns out that the core SELinux packages shown below are the versions
> in Fedora Core 7.
> 
> Are these versions known to be stable versions that will work well
> together ?  If not, where can I find the latest set of stable core
> SELinux packages ?
> 
> > 1.  audit 1.5.3
> > 2.  libselinux 2.0.13
> > 3.  libsemanage 2.0.1
> > 4.  libsepol 2.0.3
> > 5.  libsetrans 0.1.18
> > 6.  mcstrans 0.2.5
> > 7.  policycoreutils 2.0.16
> > 8.  setools 3.2-0

If they shipped together in a given Fedora release, then they should
work well together.  The only reason to move to a newer upstream version
would be if you needed some feature that didn't yet exist when that
Fedora release was made.

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Patch to allow semanage to set boolean values and translate booleans via policy.xml

[Christopher J. PeBenito]

On Fri, 2007-11-09 at 11:25 -0500, Stephen Smalley wrote:
> On Fri, 2007-11-02 at 15:58 -0400, Daniel J Walsh wrote:
> > Also added translations of booleans to command line.
> > 
> > > /usr/sbin/semanage boolean -l  | grep nfs_export
> > > nfs_export_all_rw              -> off   Allow nfs to be exported read/write.
> > > nfs_export_all_ro              -> on    Allow nfs to be exported read only
> > > sh-3.2# /usr/sbin/semanage boolean -l  | grep nfs
> > > xen_use_nfs                    -> off   Allow xen to manage nfs files
[...]
> > > nfs_export_all_ro              -> on    Allow nfs to be exported read only
> > 
> > 
> > This time with the patch.  :^)
> 
> Offhand, the only problem I see it that semanage boolean -l then fails
> if /usr/share/selinux/devel/policy.xml doesn't exist, rather than just
> falling back to displaying the untranslated booleans.
> 
> Also, is /usr/share/selinux/devel/policy.xml created by upstream
> refpolicy or is it Fedora-specific?

The infrastructure for building a policy.xml from the headers is
installed by upstream, but the policy.xml from refpolicy is not
installed.  This allows 3rd parties to add their headers and then a
policy.xml can be built to include their module.  Installing a
policy.xml there is a fedora-specific thing.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Patch to allow semanage to set boolean values and translate booleans via policy.xml

[Daniel J Walsh]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Christopher J. PeBenito wrote:
> On Fri, 2007-11-09 at 11:25 -0500, Stephen Smalley wrote:
>> On Fri, 2007-11-02 at 15:58 -0400, Daniel J Walsh wrote:
>>> Also added translations of booleans to command line.
>>>
>>>> /usr/sbin/semanage boolean -l  | grep nfs_export
>>>> nfs_export_all_rw              -> off   Allow nfs to be exported read/write.
>>>> nfs_export_all_ro              -> on    Allow nfs to be exported read only
>>>> sh-3.2# /usr/sbin/semanage boolean -l  | grep nfs
>>>> xen_use_nfs                    -> off   Allow xen to manage nfs files
> [...]
>>>> nfs_export_all_ro              -> on    Allow nfs to be exported read only
>>>
>>> This time with the patch.  :^)
>> Offhand, the only problem I see it that semanage boolean -l then fails
>> if /usr/share/selinux/devel/policy.xml doesn't exist, rather than just
>> falling back to displaying the untranslated booleans.
>>
>> Also, is /usr/share/selinux/devel/policy.xml created by upstream
>> refpolicy or is it Fedora-specific?
> 
> The infrastructure for building a policy.xml from the headers is
> installed by upstream, but the policy.xml from refpolicy is not
> installed.  This allows 3rd parties to add their headers and then a
> policy.xml can be built to include their module.  Installing a
> policy.xml there is a fedora-specific thing.
> 
If I want to rebuild it after an interface file gets installed or want
to add my own xml to it, what do I need to do?

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFHNLlNrlYvE4MpobMRAn/RAJ4y28V9+rWAyMGHHPrfMxB4wJkZBwCfb4FE
k6KJbDFjCm/b4scaLCmxTwE=
=HzOo
-----END PGP SIGNATURE-----

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Patch to allow semanage to set boolean values and translate booleans via policy.xml

[Christopher J. PeBenito]

On Fri, 2007-11-09 at 14:47 -0500, Daniel J Walsh wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Christopher J. PeBenito wrote:
> > On Fri, 2007-11-09 at 11:25 -0500, Stephen Smalley wrote:
> >> On Fri, 2007-11-02 at 15:58 -0400, Daniel J Walsh wrote:
> >>> Also added translations of booleans to command line.
> >>>
> >>>> /usr/sbin/semanage boolean -l  | grep nfs_export
> >>>> nfs_export_all_rw              -> off   Allow nfs to be exported read/write.
> >>>> nfs_export_all_ro              -> on    Allow nfs to be exported read only
> >>>> sh-3.2# /usr/sbin/semanage boolean -l  | grep nfs
> >>>> xen_use_nfs                    -> off   Allow xen to manage nfs files
> > [...]
> >>>> nfs_export_all_ro              -> on    Allow nfs to be exported read only
> >>>
> >>> This time with the patch.  :^)
> >> Offhand, the only problem I see it that semanage boolean -l then fails
> >> if /usr/share/selinux/devel/policy.xml doesn't exist, rather than just
> >> falling back to displaying the untranslated booleans.
> >>
> >> Also, is /usr/share/selinux/devel/policy.xml created by upstream
> >> refpolicy or is it Fedora-specific?
> > 
> > The infrastructure for building a policy.xml from the headers is
> > installed by upstream, but the policy.xml from refpolicy is not
> > installed.  This allows 3rd parties to add their headers and then a
> > policy.xml can be built to include their module.  Installing a
> > policy.xml there is a fedora-specific thing.
> > 
> If I want to rebuild it after an interface file gets installed or want
> to add my own xml to it, what do I need to do?

The 'xml' target from the headers makefile will build one.  It uses the
xml in header if files, plus global_(booleans|tunables).xml which are
pre generated from the global_(booleans|tunables) in the source policy.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Patch to allow semanage to set boolean values and translate booleans via policy.xml

[Daniel J Walsh]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Christopher J. PeBenito wrote:
> On Fri, 2007-11-09 at 14:47 -0500, Daniel J Walsh wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Christopher J. PeBenito wrote:
>>> On Fri, 2007-11-09 at 11:25 -0500, Stephen Smalley wrote:
>>>> On Fri, 2007-11-02 at 15:58 -0400, Daniel J Walsh wrote:
>>>>> Also added translations of booleans to command line.
>>>>>
>>>>>> /usr/sbin/semanage boolean -l  | grep nfs_export
>>>>>> nfs_export_all_rw              -> off   Allow nfs to be exported read/write.
>>>>>> nfs_export_all_ro              -> on    Allow nfs to be exported read only
>>>>>> sh-3.2# /usr/sbin/semanage boolean -l  | grep nfs
>>>>>> xen_use_nfs                    -> off   Allow xen to manage nfs files
>>> [...]
>>>>>> nfs_export_all_ro              -> on    Allow nfs to be exported read only
>>>>> This time with the patch.  :^)
>>>> Offhand, the only problem I see it that semanage boolean -l then fails
>>>> if /usr/share/selinux/devel/policy.xml doesn't exist, rather than just
>>>> falling back to displaying the untranslated booleans.
>>>>
>>>> Also, is /usr/share/selinux/devel/policy.xml created by upstream
>>>> refpolicy or is it Fedora-specific?
>>> The infrastructure for building a policy.xml from the headers is
>>> installed by upstream, but the policy.xml from refpolicy is not
>>> installed.  This allows 3rd parties to add their headers and then a
>>> policy.xml can be built to include their module.  Installing a
>>> policy.xml there is a fedora-specific thing.
>>>
>> If I want to rebuild it after an interface file gets installed or want
>> to add my own xml to it, what do I need to do?
> 
> The 'xml' target from the headers makefile will build one.  It uses the
> xml in header if files, plus global_(booleans|tunables).xml which are
> pre generated from the global_(booleans|tunables) in the source policy.
> 
I am not sure how you intend this to work.

Currently we ship policy.xml and the xml files for each *if file.  We do
not ship the xml files for each directory admin.xml, apps.xdl, services.xml

I would have thought the third party would ship there own xml and if
file say myapp.if and myapp.xml.  Install them in
/usr/share/selinux/devel/include/services.

Then they would execute make -f /usr/share/selinux/devel/Makefile xml

And it would rebuild the policy.xml including their changes.

Is this what you are thinking?

Dan
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFHO0UdrlYvE4MpobMRAlYJAJ99NXipSygr5iNhSQdJWVlBKTi6pwCfeoIm
XdUxyvk9nHynq/UVDpXMKAg=
=yXWp
-----END PGP SIGNATURE-----

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Patch to allow semanage to set boolean values and translate booleans via policy.xml

[Christopher J. PeBenito]

On Wed, 2007-11-14 at 13:57 -0500, Daniel J Walsh wrote:
> Christopher J. PeBenito wrote:
> > On Fri, 2007-11-09 at 14:47 -0500, Daniel J Walsh wrote:
> >> Christopher J. PeBenito wrote:
> >>> On Fri, 2007-11-09 at 11:25 -0500, Stephen Smalley wrote:
> >>>> On Fri, 2007-11-02 at 15:58 -0400, Daniel J Walsh wrote:
> >>>>> Also added translations of booleans to command line.
> >>>>>
> >>>>>> /usr/sbin/semanage boolean -l  | grep nfs_export
> >>>>>> nfs_export_all_rw              -> off   Allow nfs to be exported read/write.
> >>>>>> nfs_export_all_ro              -> on    Allow nfs to be exported read only
> >>>>>> sh-3.2# /usr/sbin/semanage boolean -l  | grep nfs
> >>>>>> xen_use_nfs                    -> off   Allow xen to manage nfs files
> >>> [...]
> >>>>>> nfs_export_all_ro              -> on    Allow nfs to be exported read only
> >>>>> This time with the patch.  :^)
> >>>> Offhand, the only problem I see it that semanage boolean -l then fails
> >>>> if /usr/share/selinux/devel/policy.xml doesn't exist, rather than just
> >>>> falling back to displaying the untranslated booleans.
> >>>>
> >>>> Also, is /usr/share/selinux/devel/policy.xml created by upstream
> >>>> refpolicy or is it Fedora-specific?
> >>> The infrastructure for building a policy.xml from the headers is
> >>> installed by upstream, but the policy.xml from refpolicy is not
> >>> installed.  This allows 3rd parties to add their headers and then a
> >>> policy.xml can be built to include their module.  Installing a
> >>> policy.xml there is a fedora-specific thing.
> >>>
> >> If I want to rebuild it after an interface file gets installed or want
> >> to add my own xml to it, what do I need to do?
> > 
> > The 'xml' target from the headers makefile will build one.  It uses the
> > xml in header if files, plus global_(booleans|tunables).xml which are
> > pre generated from the global_(booleans|tunables) in the source policy.
> > 
> I am not sure how you intend this to work.
> 
> Currently we ship policy.xml and the xml files for each *if file.  We do
> not ship the xml files for each directory admin.xml, apps.xdl, services.xml
> 
> I would have thought the third party would ship there own xml and if
> file say myapp.if and myapp.xml.  Install them in
> /usr/share/selinux/devel/include/services.

Sorry, yes it uses the xml for each module, since it includes any
booleans/tunables that are declared in the te file, which isn't
installed in the headers.  So a 3rd party putting their .xml for their
module in there should get included.

> Then they would execute make -f /usr/share/selinux/devel/Makefile xml
> 
> And it would rebuild the policy.xml including their changes.
> 
> Is this what you are thinking?

Something like that.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Patch to allow semanage to set boolean values and translate booleans via policy.xml

[Daniel J Walsh]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Also added translations of booleans to command line.

> /usr/sbin/semanage boolean -l  | grep nfs_export
> nfs_export_all_rw              -> off   Allow nfs to be exported read/write.
> nfs_export_all_ro              -> on    Allow nfs to be exported read only
> sh-3.2# /usr/sbin/semanage boolean -l  | grep nfs
> xen_use_nfs                    -> off   Allow xen to manage nfs files
> use_nfs_home_dirs              -> on    Support NFS home directories
> allow_ftpd_use_nfs             -> off   Allow ftp servers to use nfs used for public file transfer services.
> cdrecord_read_content          -> off   Allow cdrecord to read various content. nfs, samba, removable devices, user temp and untrusted content files
> httpd_use_nfs                  -> off   Allow httpd to read nfs files
> samba_share_nfs                -> off   Allow samba to export NFS volumes.
> mail_read_content              -> off   Allow email client to various content. nfs, samba, removable devices, user temp and untrusted content files
> allow_nfsd_anon_write          -> off   Allow nfs servers to modify public files used for public file transfer services.
> nfs_export_all_rw              -> off   Allow nfs to be exported read/write.
> nfs_export_all_ro              -> on    Allow nfs to be exported read only
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFHK4FGrlYvE4MpobMRAuCvAJ0e8yxBp8vXHBAVgOBhF4uINPKHsQCfQ7pU
q9Oau5klonoR9aUMYQw3A7k=
=DKZN
-----END PGP SIGNATURE-----

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.