From: Daniel J Walsh <dwalsh@redhat.com>
To: SE Linux <selinux@tycho.nsa.gov>
Subject: This patch adds permissive to semanage
Date: Mon, 30 Jun 2008 12:02:05 -0400 [thread overview]
Message-ID: <4869037D.5040208@redhat.com> (raw)
[-- Attachment #1: Type: text/plain, Size: 169 bytes --]
Gives users the ability to set a domain as permissive
semanage permissive -a http_t
It created a policy module named permissive_httpd_t.pp with the
permissive call.
[-- Attachment #2: permissive.patch --]
[-- Type: text/plain, Size: 8396 bytes --]
--- nsapolicycoreutils/semanage/semanage 2008-06-12 23:25:21.000000000 -0400
+++ policycoreutils-2.0.50/semanage/semanage 2008-06-30 11:49:38.000000000 -0400
@@ -43,49 +43,52 @@
if __name__ == '__main__':
def usage(message = ""):
- print _('\
-semanage {boolean|login|user|port|interface|fcontext|translation} -{l|D} [-n] \n\
-semanage login -{a|d|m} [-sr] login_name\n\
-semanage user -{a|d|m} [-LrRP] selinux_name\n\
-semanage port -{a|d|m} [-tr] [ -p proto ] port | port_range\n\
-semanage interface -{a|d|m} [-tr] interface_spec\n\
-semanage fcontext -{a|d|m} [-frst] file_spec\n\
-semanage translation -{a|d|m} [-T] level\n\n\
-semanage boolean -{d|m} boolean\n\n\
-\
-Primary Options:\n\
-\
- -a, --add Add a OBJECT record NAME\n\
- -d, --delete Delete a OBJECT record NAME\n\
- -m, --modify Modify a OBJECT record NAME\n\
- -l, --list List the OBJECTS\n\n\
- -C, --locallist List OBJECTS local customizations\n\n\
- -D, --deleteall Remove all OBJECTS local customizations\n\
-\
- -h, --help Display this message\n\
- -n, --noheading Do not print heading when listing OBJECTS\n\
- -S, --store Select and alternate SELinux store to manage\n\n\
-Object-specific Options (see above):\n\
- -f, --ftype File Type of OBJECT \n\
- "" (all files) \n\
- -- (regular file) \n\
- -d (directory) \n\
- -c (character device) \n\
- -b (block device) \n\
- -s (socket) \n\
- -l (symbolic link) \n\
- -p (named pipe) \n\n\
-\
- -p, --proto Port protocol (tcp or udp)\n\
- -P, --prefix Prefix for home directory labeling\n\
- -L, --level Default SELinux Level (MLS/MCS Systems only)\n\
- -R, --roles SELinux Roles (ex: "sysadm_r staff_r")\n\
- -T, --trans SELinux Level Translation (MLS/MCS Systems only)\n\n\
-\
- -s, --seuser SELinux User Name\n\
- -t, --type SELinux Type for the object\n\
- -r, --range MLS/MCS Security Range (MLS/MCS Systems only)\n\
-')
+ print _("""
+semanage {boolean|login|user|port|interface|fcontext|translation} -{l|D} [-n]
+semanage login -{a|d|m} [-sr] login_name
+semanage user -{a|d|m} [-LrRP] selinux_name
+semanage port -{a|d|m} [-tr] [ -p proto ] port | port_range
+semanage interface -{a|d|m} [-tr] interface_spec
+semanage fcontext -{a|d|m} [-frst] file_spec
+semanage translation -{a|d|m} [-T] level
+semanage boolean -{d|m} boolean
+semanage permissive -{d|a} type
+
+Primary Options:
+
+ -a, --add Add a OBJECT record NAME
+ -d, --delete Delete a OBJECT record NAME
+ -m, --modify Modify a OBJECT record NAME
+ -l, --list List the OBJECTS
+ -C, --locallist List OBJECTS local customizations
+ -D, --deleteall Remove all OBJECTS local customizations
+
+ -h, --help Display this message
+ -n, --noheading Do not print heading when listing OBJECTS
+ -S, --store Select and alternate SELinux store to manage
+
+Object-specific Options (see above):
+
+ -f, --ftype File Type of OBJECT
+ "" (all files)
+ -- (regular file)
+ -d (directory)
+ -c (character device)
+ -b (block device)
+ -s (socket)
+ -l (symbolic link)
+ -p (named pipe)
+
+ -p, --proto Port protocol (tcp or udp)
+ -P, --prefix Prefix for home directory labeling
+ -L, --level Default SELinux Level (MLS/MCS Systems only)
+ -R, --roles SELinux Roles (ex: "sysadm_r staff_r")
+ -T, --trans SELinux Level Translation (MLS/MCS Systems only)
+
+ -s, --seuser SELinux User Name
+ -t, --type SELinux Type for the object
+ -r, --range MLS/MCS Security Range (MLS/MCS Systems only)
+""")
print message
sys.exit(1)
@@ -112,6 +115,8 @@
valid_option["translation"] += valid_everyone + [ '-T', '--trans' ]
valid_option["boolean"] = []
valid_option["boolean"] += valid_everyone + [ '--on', "--off", "-1", "-0" ]
+ valid_option["permissive"] = []
+ valid_option["permissive"] += [ '-a', '--add', '-d', '--delete', '-l', '--list', '-h', '--help', '-n', '--noheading', '-D', '--deleteall' ]
return valid_option
#
@@ -266,6 +271,9 @@
if object == "translation":
OBJECT = seobject.setransRecords()
+ if object == "permissive":
+ OBJECT = seobject.permissiveRecords(store)
+
if list:
OBJECT.list(heading, locallist)
sys.exit(0);
@@ -302,6 +310,9 @@
if object == "fcontext":
OBJECT.add(target, setype, ftype, serange, seuser)
+ if object == "permissive":
+ OBJECT.add(target)
+
sys.exit(0);
if modify:
--- nsapolicycoreutils/semanage/semanage.8 2008-06-12 23:25:21.000000000 -0400
+++ policycoreutils-2.0.50/semanage/semanage.8 2008-06-30 11:49:38.000000000 -0400
@@ -17,6 +17,8 @@
.br
.B semanage fcontext \-{a|d|m} [\-frst] file_spec
.br
+.B semanage permissive \-{a|d} type
+.br
.B semanage translation \-{a|d|m} [\-T] level
.P
@@ -101,10 +103,11 @@
$ semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?"
# Allow Apache to listen on port 81
$ semanage port -a -t http_port_t -p tcp 81
+# Change apache to a permissive domain
+$ semanage permissive -a http_t
.fi
.SH "AUTHOR"
This man page was written by Daniel Walsh <dwalsh@redhat.com> and
Russell Coker <rcoker@redhat.com>.
Examples by Thomas Bleher <ThomasBleher@gmx.de>.
-
--- nsapolicycoreutils/semanage/seobject.py 2008-06-12 23:25:21.000000000 -0400
+++ policycoreutils-2.0.50/semanage/seobject.py 2008-06-30 11:49:38.000000000 -0400
@@ -1,5 +1,5 @@
#! /usr/bin/python -E
-# Copyright (C) 2005, 2006, 2007 Red Hat
+# Copyright (C) 2005, 2006, 2007, 2008 Red Hat
# see file 'COPYING' for use and warranty information
#
# semanage is a tool for managing SELinux configuration files
@@ -24,7 +24,9 @@
import pwd, string, selinux, tempfile, os, re, sys
from semanage import *;
PROGNAME="policycoreutils"
+import sepolgen.module as module
+import commands
import gettext
gettext.bindtextdomain(PROGNAME, "/usr/share/locale")
gettext.textdomain(PROGNAME)
@@ -246,7 +248,67 @@
os.close(fd)
os.rename(newfilename, self.filename)
os.system("/sbin/service mcstrans reload > /dev/null")
-
+
+class permissiveRecords:
+ def __init__(self, store):
+ self.store = store
+
+ def get_all(self):
+ rc, out = commands.getstatusoutput("semodule -l | grep ^permissive");
+ l = []
+ for i in out.split():
+ if i.startswith("permissive_"):
+ l.append(i.split("permissive_")[1])
+ return l
+
+ def list(self,heading = 1, locallist = 0):
+ if heading:
+ print "\n%-25s\n" % (_("Permissive Types"))
+ for t in self.get_all():
+ print t
+
+
+ def add(self, type):
+ name = "permissive_%s" % type
+ dirname = "/var/lib/selinux"
+ os.chdir(dirname)
+ filename = "%s.te" % name
+ modtxt = """
+module %s 1.0;
+
+require {
+ type %s;
+}
+
+permissive %s;
+""" % (name, type, type)
+ fd = open(filename,'w')
+ fd.write(modtxt)
+ fd.close()
+ mc = module.ModuleCompiler()
+ mc.create_module_package(filename, 1)
+ rc, out = commands.getstatusoutput("semodule -i permissive_%s.pp" % type);
+ for root, dirs, files in os.walk("top", topdown=False):
+ for name in files:
+ os.remove(os.path.join(root, name))
+ for name in dirs:
+ os.rmdir(os.path.join(root, name))
+
+ if rc != 0:
+ raise ValueError(out)
+
+
+ def delete(self, name):
+ rc, out = commands.getstatusoutput("semodule -r permissive_%s" % name );
+ if rc != 0:
+ raise ValueError(out)
+
+ def deleteall(self):
+ l = self.get_all()
+ if len(l) > 0:
+ all = " permissive_".join(l)
+ self.delete(all)
+
class semanageRecords:
def __init__(self, store):
self.sh = semanage_handle_create()
@@ -464,7 +526,7 @@
def __init__(self, store = ""):
semanageRecords.__init__(self, store)
- def add(self, name, roles, selevel, serange, prefix):
+ def add(self, name, roles, selevel, serange, prefix = "user"):
if is_mls_enabled == 1:
if serange == "":
serange = "s0"
next reply other threads:[~2008-06-30 16:03 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-06-30 16:02 Daniel J Walsh [this message]
2008-06-30 17:58 ` This patch adds permissive to semanage Joshua Brindle
2008-07-02 0:50 ` Daniel J Walsh
2008-07-02 12:00 ` Stephen Smalley
2008-07-02 13:09 ` Joshua Brindle
2008-07-02 13:17 ` Stephen Smalley
2008-07-02 13:37 ` Joshua Brindle
2008-07-02 14:29 ` Stephen Smalley
2008-07-02 18:09 ` Daniel J Walsh
2008-07-02 19:06 ` Joshua Brindle
2008-07-02 19:13 ` Stephen Smalley
2008-07-02 19:22 ` Joshua Brindle
2008-07-02 19:25 ` Stephen Smalley
2008-07-02 19:54 ` Joshua Brindle
2008-07-02 18:07 ` Daniel J Walsh
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4869037D.5040208@redhat.com \
--to=dwalsh@redhat.com \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.