From: Daniel J Walsh <dwalsh@redhat.com>
To: Stephen Smalley <sds@tycho.nsa.gov>
Cc: SE Linux <selinux@tycho.nsa.gov>,
	"Christopher J. PeBenito" <cpebenito@tresys.com>,
	Karl MacMillan <kmacmillan@mentalrootkit.com>
Subject: Re: Patch to allow semanage to set boolean values and translate booleans via policy.xml
Date: Fri, 09 Nov 2007 12:05:23 -0500
Message-ID: <47349353.7080203@redhat.com>
In-Reply-To: <1194625539.624.57.camel@moss-spartans.epoch.ncsc.mil>


Stephen Smalley wrote:
> On Fri, 2007-11-02 at 15:58 -0400, Daniel J Walsh wrote:
> Also added translations of booleans to command line.
> 
>>>> /usr/sbin/semanage boolean -l  | grep nfs_export
>>>> nfs_export_all_rw              -> off   Allow nfs to be exported read/write.
>>>> nfs_export_all_ro              -> on    Allow nfs to be exported read only
>>>> sh-3.2# /usr/sbin/semanage boolean -l  | grep nfs
>>>> xen_use_nfs                    -> off   Allow xen to manage nfs files
>>>> use_nfs_home_dirs              -> on    Support NFS home directories
>>>> allow_ftpd_use_nfs             -> off   Allow ftp servers to use nfs used for public file transfer services.
>>>> cdrecord_read_content          -> off   Allow cdrecord to read various content. nfs, samba, removable devices, user temp and untrusted content files
>>>> httpd_use_nfs                  -> off   Allow httpd to read nfs files
>>>> samba_share_nfs                -> off   Allow samba to export NFS volumes.
>>>> mail_read_content              -> off   Allow email client to various content. nfs, samba, removable devices, user temp and untrusted content files
>>>> allow_nfsd_anon_write          -> off   Allow nfs servers to modify public files used for public file transfer services.
>>>> nfs_export_all_rw              -> off   Allow nfs to be exported read/write.
>>>> nfs_export_all_ro              -> on    Allow nfs to be exported read only
> 
> This time with the patch.  :^)
> 
>> Offhand, the only problem I see it that semanage boolean -l then fails
>> if /usr/share/selinux/devel/policy.xml doesn't exist, rather than just
>> falling back to displaying the untranslated booleans.
> 
>> Also, is /usr/share/selinux/devel/policy.xml created by upstream
>> refpolicy or is it Fedora-specific?
> 
> 
policy.xml is generated in the build procedure, so it is combined
reference policy plus my patches.

Updated patch to do a fallback.

Two problems with policy.xml right now.

1.  Third parties have no way of updating it.
     semodule should automatically generate the XML and edit policy.xml
2.  Generated booleans within an interface do not get xml

semanage boolean -l | grep xguest
browser_write_xguest_data      -> off   browser_write_xguest_data
allow_xguest_exec_content      -> off   allow_xguest_exec_content
browser_confine_xguest         -> on    browser_confine_xguest

    We need to change a way to add documentation to booleans created
within an interface.



diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/semanage policycoreutils-2.0.31/semanage/semanage
--- nsapolicycoreutils/semanage/semanage	2007-10-05 13:09:53.000000000 -0400
+++ policycoreutils-2.0.31/semanage/semanage	2007-11-02 15:54:42.000000000 -0400
@@ -1,5 +1,5 @@
 #! /usr/bin/python -E
-# Copyright (C) 2005 Red Hat 
+# Copyright (C) 2005, 2006, 2007 Red Hat 
 # see file 'COPYING' for use and warranty information
 #
 # semanage is a tool for managing SELinux configuration files
@@ -115,7 +115,7 @@
 		valid_option["translation"] = []
 		valid_option["translation"] += valid_everyone + [ '-T', '--trans' ] 
 		valid_option["boolean"] = []
-		valid_option["boolean"] += valid_everyone 
+		valid_option["boolean"] += valid_everyone + [ '--on', "--off", "-1", "-0" ] 
 		return valid_option
 
 	#
@@ -135,7 +135,7 @@
 		seuser = ""
 		prefix = ""
 		heading=1
-
+                value=0
 		add = 0
 		modify = 0
 		delete = 0
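Review bot: `value=0` is indented with spaces inside a block that is otherwise tab-indented (the same applies to the other lines this patch adds to this file); it only lines up because 16 spaces happen to equal two 8-column tabs, so use tabs to match the surrounding code.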
@@ -154,7 +154,7 @@
 		args = sys.argv[2:]
 
 		gopts, cmds = getopt.getopt(args,
-					    'adf:lhmnp:s:CDR:L:r:t:T:P:S:',
+					    '01adf:lhmnp:s:CDR:L:r:t:T:P:S:',
 					    ['add',
 					     'delete',
 					     'deleteall',
@@ -164,6 +164,8 @@
 					     'modify',
 					     'noheading',
 					     'localist',
+                                             'off', 
+                                             'on', 
 					     'proto=',
 					     'seuser=',
 					     'store=',
@@ -242,6 +244,11 @@
 			if o == "-T" or o == "--trans":
 				setrans = a
 
+                        if o == "--on" or o == "-1":
+                               value = 1
+                        if o == "-off" or o == "-0":
+                               value = 0
+
 		if object == "login":
 			OBJECT = seobject.loginRecords(store)
 
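Review bot: the second test reads `o == "-off"` with a single dash, but the option registered in getopt's long list and in `valid_option["boolean"]` is `--off`, so `--off` never matches and the boolean stays at 0 only because `value` was initialised to 0 earlier. Change it to `o == "--off"` to mirror `o == "--on"`. These lines are also space-indented inside a tab-indented block.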
diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/seobject.py policycoreutils-2.0.31/semanage/seobject.py
--- nsapolicycoreutils/semanage/seobject.py	2007-10-07 21:46:43.000000000 -0400
+++ policycoreutils-2.0.31/semanage/seobject.py	2007-11-09 12:00:35.000000000 -0500
@@ -1,5 +1,5 @@
 #! /usr/bin/python -E
-# Copyright (C) 2005 Red Hat 
+# Copyright (C) 2005, 2006, 2007 Red Hat 
 # see file 'COPYING' for use and warranty information
 #
 # semanage is a tool for managing SELinux configuration files
@@ -88,6 +88,35 @@
 			
 mylog = logger()		
 
+import sys, os
+import re
+import xml.etree.ElementTree
+
+booleans_dict={}
+try:
+       tree=xml.etree.ElementTree.parse("/usr/share/selinux/devel/policy.xml")
+       for l in  tree.findall("layer"):
+              for m in  l.findall("module"):
+                     for b in  m.findall("tunable"):
+                            desc = b.find("desc").find("p").text.strip("\n")
+                            desc = re.sub("\n", " ", desc)
+                            booleans_dict[b.get('name')] = (m.get("name"), b.get('dftval'), desc)
+                     for b in  m.findall("bool"):
+                            desc = b.find("desc").find("p").text.strip("\n")
+                            desc = re.sub("\n", " ", desc)
+                            booleans_dict[b.get('name')] = (m.get("name"), b.get('dftval'), desc)
+              for i in  tree.findall("bool"):
+                     desc = i.find("desc").find("p").text.strip("\n")
+                     desc = re.sub("\n", " ", desc)
+                     booleans_dict[i.get('name')] = (_("global"), i.get('dftval'), desc)
+       for i in  tree.findall("tunable"):
+              desc = i.find("desc").find("p").text.strip("\n")
+              desc = re.sub("\n", " ", desc)
+              booleans_dict[i.get('name')] = (_("global"), i.get('dftval'), desc)
+except IOError, e:
+       print _("Failed to translate booleans.\n%s") % e
+       pass
+
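Review bot: only `IOError` is caught, so the fallback is incomplete: a malformed policy.xml raises ElementTree's parse error, and an entry without `<desc>` or `<p>` makes `find()` return None and raises `AttributeError`, either of which still aborts import of seobject.py for every semanage command, not just `boolean -l`. Catch those cases too and leave `booleans_dict` empty. Separately, the `for i in tree.findall("bool"):` loop is nested inside `for l in tree.findall("layer"):`, so the top-level bools are re-read once per layer; dedent it to the same level as the `tree.findall("tunable")` loop below. Consider also making the failure message quiet (mylog or stderr) rather than printing on every import.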
 def validate_level(raw):
 	sensitivity = "s[0-9]*"
 	category = "c[0-9]*"
@@ -1095,7 +1121,13 @@
 
                 return con
                
+        def validate(self, target):
+               if target == "" or target.find("\n") >= 0:
+                      raise ValueError(_("Invalid file specification"))
+                      
 	def add(self, target, type, ftype = "", serange = "", seuser = "system_u"):
+                self.validate(target)
+
 		if is_mls_enabled == 1:
                        serange = untranslate(serange)
 			
@@ -1154,6 +1186,7 @@
 	def modify(self, target, setype, ftype, serange, seuser):
 		if serange == "" and setype == "" and seuser == "":
 			raise ValueError(_("Requires setype, serange or seuser"))
+                self.validate(target)
 
 		(rc,k) = semanage_fcontext_key_create(self.sh, target, file_types[ftype])
 		if rc < 0:
@@ -1328,11 +1362,14 @@
 		if value != "":
 			nvalue = int(value)
 			semanage_bool_set_value(b, nvalue)
+                else:
+                       raise ValueError(_("You must specify a value"))
 
 		rc = semanage_begin_transaction(self.sh)
 		if rc < 0:
 			raise ValueError(_("Could not start semanage transaction"))
 
+                rc = semanage_bool_set_active(self.sh, k, b)
 		rc = semanage_bool_modify_local(self.sh, k, b)
 		if rc < 0:
 			raise ValueError(_("Could not modify boolean %s") % name)
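Review bot: the return code of `semanage_bool_set_active(self.sh, k, b)` is never checked, since `rc` is immediately overwritten by the `semanage_bool_modify_local` call on the next line; test it and raise `ValueError` as the surrounding calls do, otherwise a failed activation is silently reported as success.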
@@ -1416,11 +1453,25 @@
 
 		return ddict
 			
+        def get_desc(self, boolean):
+               if boolean in booleans_dict:
+                      return _(booleans_dict[boolean][2])
+               else:
+                      return boolean
+
+        def get_category(self, boolean):
+               if boolean in booleans_dict:
+                      return _(booleans_dict[boolean][0])
+               else:
+                      return _("unknown")
+
 	def list(self, heading = 1, locallist = 0):
+                on_off = (_("off"),_("on")) 
 		if heading:
-			print "%-50s %7s %7s %7s\n" % (_("SELinux boolean"), _("value"), _("pending"),  _("active") )
+			print "%-40s %s\n" % (_("SELinux boolean"), _("Description"))
 		ddict = self.get_all(locallist)
 		keys = ddict.keys()
 		for k in keys:
 			if ddict[k]:
-				print "%-50s %7d %7d %7d " % (k, ddict[k][0],ddict[k][1], ddict[k][2])
+				print "%-30s -> %-5s %s" %  (k, on_off[ddict[k][2]], self.get_desc(k))
+
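Review bot: the new heading uses `%-40s` while the rows use `%-30s -> %-5s`, so the `Description` header will not sit over the description column; use the same width in both. The row now prints only `ddict[k][2]` (the active value) and drops the local and pending columns the old format showed, so a change that is set but not yet active is no longer visible in the listing; consider keeping a pending indicator. `get_category` is added but nothing in `list()` uses it.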

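As an added example (not part of Dan Walsh's patch or of policycoreutils), here is a Python 3 version of the policy.xml walk with the fallback Stephen asked for: a missing or malformed file, or an entry without a `<desc><p>`, yields the untranslated boolean name instead of an exception. The sample XML and the file path are constructed.

```python
import xml.etree.ElementTree as ET
# Constructed sample in the layer/module/tunable|bool/desc/p shape the patch walks;
# browser_confine_xguest has no <desc>, like the interface-generated booleans above.
SAMPLE_POLICY_XML = """<policy>
<layer name="services">
 <module name="nfs">
  <tunable name="nfs_export_all_rw" dftval="false">
   <desc><p>Allow nfs to be exported
read/write.</p></desc>
  </tunable>
 </module>
</layer>
<bool name="secure_mode" dftval="false"><desc><p>Enable secure mode.</p></desc></bool>
<tunable name="browser_confine_xguest" dftval="true"/>
</policy>"""


def _desc(elem):
    # Description with newlines collapsed, or None when <desc><p> is absent.
    p = elem.find("desc/p")
    if p is None or p.text is None:
        return None
    return " ".join(p.text.split())


def load_booleans(xml_text):
    """Return {name: (module, dftval, desc)}; {} means 'list untranslated'."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:  # malformed policy.xml: fall back instead of aborting
        return {}
    booleans = {}
    for module in root.findall("layer/module"):
        for b in module.findall("tunable") + module.findall("bool"):
            booleans[b.get("name")] = (module.get("name"), b.get("dftval"), _desc(b))
    for b in root.findall("tunable") + root.findall("bool"):  # top-level entries
        booleans[b.get("name")] = ("global", b.get("dftval"), _desc(b))
    return booleans


def load_booleans_file(path):
    # A missing or unreadable file (OSError, which includes IOError) also gives {}.
    try:
        with open(path, encoding="utf-8") as f:
            return load_booleans(f.read())
    except OSError:
        return {}


def format_row(name, active, booleans):
    # One 'semanage boolean -l' row; unknown booleans show their bare name.
    entry = booleans.get(name)
    desc = entry[2] if entry and entry[2] else name
    return "%-30s -> %-5s %s" % (name, ("off", "on")[active], desc)
```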
