* Patch to semanage
@ 2009-07-09 20:11 Daniel J Walsh
From: Daniel J Walsh @ 2009-07-09 20:11 UTC (permalink / raw)
To: SE Linux
[-- Attachment #1: Type: text/plain, Size: 129 bytes --]
Allows semanage to use equivalence.
Also adds better support for booleans and modules, and adds support for setting dontaudit rules.
[-- Attachment #2: policycoreutils-semanage.patch --]
[-- Type: text/plain, Size: 6401 bytes --]
--- nsapolicycoreutils/semanage/semanage 2009-05-18 13:53:14.000000000 -0400
+++ policycoreutils-2.0.67/semanage/semanage 2009-07-07 16:47:35.000000000 -0400
@@ -44,16 +44,17 @@
text = _("""
semanage [ -S store ] -i [ input_file | - ]
-semanage {boolean|login|user|port|interface|node|fcontext|translation} -{l|D} [-n]
+semanage {module,boolean|login|user|port|interface|node|fcontext|translation} -{l|D} [-n]
semanage login -{a|d|m} [-sr] login_name | %groupname
semanage user -{a|d|m} [-LrRP] selinux_name
semanage port -{a|d|m} [-tr] [ -p proto ] port | port_range
semanage interface -{a|d|m} [-tr] interface_spec
semanage node -{a|d|m} [-tr] [ -p protocol ] [-M netmask] addr
-semanage fcontext -{a|d|m} [-frst] file_spec
+semanage fcontext -{a|d|m} [-frst] [-e path ] file_spec
semanage translation -{a|d|m} [-T] level
semanage boolean -{d|m} [--on|--off|-1|-0] -F boolean | boolean_file
-semanage permissive -{d|a} type
+semanage permissive -{a|d} type
+semanage module -{a|d|} module
Primary Options:
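Review bot: The new usage text mixes separators: `{module,boolean|login|...}` uses a comma where the rest of the alternation uses `|`, and `semanage module -{a|d|} module` ends in a stray `|` that reads like a missing third letter. Since this is what `-h` prints, suggest `semanage {module|boolean|login|user|port|interface|node|fcontext|translation} -{l|D} [-n]` and `semanage module -{a|d} module`. The same text is carried unchanged into the resubmitted patch later in the thread.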
@@ -68,6 +69,7 @@
-h, --help Display this message
-n, --noheading Do not print heading when listing OBJECTS
-S, --store Select and alternate SELinux store to manage
+ --dontaudit Turn on or off dontaudit rules
Object-specific Options (see above):
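Review bot: The help line for `--dontaudit` does not show that the option takes a value, although the getopt spec below registers it as `'dontaudit='` and the parser applies `int(a)` to it. Reading the parser together with `moduleRecords.dontaudit` in the resubmitted seobject.py patch, `1` appears to mean "dontaudit rules on" and `0` "off", so ` --dontaudit {0|1} Turn on (1) or off (0) dontaudit rules` would tell the user what to pass. The man page hunk in the resubmission does not mention the option at all.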
@@ -84,6 +86,7 @@
-F, --file Treat target as an input file for command, change multiple settings
-p, --proto Port protocol (tcp or udp) or internet protocol version of node (ipv4 or ipv6)
-M, --mask Netmask
+ -e, --equil Make target equil to this paths labeling
-P, --prefix Prefix for home directory labeling
-L, --level Default SELinux Level (MLS/MCS Systems only)
-R, --roles SELinux Roles (ex: "sysadm_r staff_r")
@@ -115,11 +118,14 @@
valid_option["node"] = []
valid_option["node"] += valid_everyone + [ '-M', '--mask', '-t', '--type', '-r', '--range', '-p', '--protocol']
valid_option["fcontext"] = []
- valid_option["fcontext"] += valid_everyone + [ '-f', '--ftype', '-s', '--seuser', '-t', '--type', '-r', '--range']
+ valid_option["fcontext"] += valid_everyone + [ '-e', '--equil', '-f', '--ftype', '-s', '--seuser', '-t', '--type', '-r', '--range']
valid_option["translation"] = []
valid_option["translation"] += valid_everyone + [ '-T', '--trans' ]
valid_option["boolean"] = []
valid_option["boolean"] += valid_everyone + [ '--on', "--off", "-1", "-0", "-F", "--file"]
+ valid_option["module"] = []
+ valid_option["module"] += [ '-a', '--add', '-d', '--delete', '-l', '--list', '-h', '--help', '-n', '--noheading', '--dontaudit']
+
valid_option["permissive"] = []
valid_option["permissive"] += [ '-a', '--add', '-d', '--delete', '-l', '--list', '-h', '--help', '-n', '--noheading', '-D', '--deleteall' ]
return valid_option
@@ -192,7 +198,10 @@
locallist = False
use_file = False
store = ""
+ equil=""
+ dontaudit = ""
+
object = argv[0]
option_dict=get_options()
if object not in option_dict.keys():
@@ -201,10 +210,12 @@
args = argv[1:]
gopts, cmds = getopt.getopt(args,
- '01adf:i:lhmnp:s:FCDR:L:r:t:T:P:S:M:',
+ '01ade:f:i:lhmnp:s:FCDR:L:r:t:T:P:S:M:',
['add',
'delete',
'deleteall',
+ 'dontaudit=',
+ 'equil=',
'ftype=',
'file',
'help',
@@ -241,16 +252,24 @@
if modify or add:
raise ValueError(_("%s bad option") % o)
delete = True
+
if o == "-D" or o == "--deleteall":
if modify:
raise ValueError(_("%s bad option") % o)
deleteall = True
+
if o == "-f" or o == "--ftype":
- ftype=a
+ ftype = a
+
+ if o == "-e" or o == "--equil":
+ equil = a
if o == "-F" or o == "--file":
use_file = True
+ if o == "--dontaudit":
+ dontaudit = not int(a)
+
if o == "-h" or o == "--help":
raise ValueError(_("%s bad option") % o)
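Review bot: `dontaudit = not int(a)` accepts any integer string and collapses it with `not`, so `--dontaudit 2` silently means "on", while `--dontaudit on` fails inside `int()` with a message that never names the option. A stricter parse keeps the rest of the flow unchanged: `if a not in ("0", "1"): raise ValueError(_("%s bad option") % o)` followed by `dontaudit = (a == "0")`, which yields the same bool as the current expression for the two valid inputs. The enclosing option loop starts outside this hunk, and the same lines reappear in the resubmitted patch later in the thread.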
@@ -323,6 +342,9 @@
if object == "boolean":
OBJECT = seobject.booleanRecords(store)
+
+ if object == "module":
+ OBJECT = seobject.moduleRecords(store)
if object == "translation":
OBJECT = seobject.setransRecords()
@@ -341,6 +363,13 @@
OBJECT.deleteall()
return
+ if dontaudit != "":
+ if object == "module":
+ OBJECT.dontaudit(dontaudit)
+ else:
+ raise ValueError(_("%s bad option") % o)
+ return
+
if len(cmds) != 1:
raise ValueError(_("%s bad option") % o)
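Review bot: In the new `else` branch the error is formatted with `o`, which at this point is whatever option getopt processed last, not `--dontaudit`, so the message can blame an unrelated flag; a literal is clearer: `raise ValueError(_("%s bad option") % "--dontaudit")`. The `return` after `OBJECT.dontaudit(dontaudit)` also bypasses the `len(cmds) != 1` check that follows, so a stray positional argument given with `--dontaudit` is ignored without a diagnostic — if that is intended, a one-line comment saying so would help. The enclosing function continues outside this hunk.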
@@ -362,11 +391,17 @@
if object == "interface":
OBJECT.add(target, serange, setype)
+ if object == "module":
+ OBJECT.add(target)
+
if object == "node":
OBJECT.add(target, mask, proto, serange, setype)
if object == "fcontext":
- OBJECT.add(target, setype, ftype, serange, seuser)
+ if equil == "":
+ OBJECT.add(target, setype, ftype, serange, seuser)
+ else:
+ OBJECT.add_equil(target, equil)
if object == "permissive":
OBJECT.add(target)
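Review bot: When `-e` is given, `OBJECT.add_equil(target, equil)` runs and any `-t`, `-f`, `-s` or `-r` the user also passed is discarded without a word, because those values are only consumed by the other branch. If their defaults are the empty string as elsewhere in this file, a guard such as `if setype != "" or seuser != "" or serange != "": raise ValueError(_("%s bad option") % "-e")` before the call would reject the contradictory combination instead of silently picking one interpretation. The modify hunk below (`@@ -396,7 +434,10 @@`) has the same silent-drop behaviour, as does the resubmitted patch.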
@@ -386,6 +421,9 @@
rlist = roles.split()
OBJECT.modify(target, rlist, selevel, serange, prefix)
+ if object == "module":
+ OBJECT.modify(target)
+
if object == "port":
OBJECT.modify(target, proto, serange, setype)
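Review bot: `OBJECT.modify(target)` for `module` has no implementation to reach: the `moduleRecords` class added in the resubmitted seobject.py patch later in this thread defines get_all, dontaudit, list, add and delete but no modify, so `semanage module -m foo` would end in an AttributeError rather than a clean error. `valid_option["module"]` in the hunk above also omits `-m`/`--modify`, so if the option validator (not visible here) rejects unlisted options this branch is unreachable anyway; either drop the branch or add the method and the option together. The enclosing function continues outside this hunk.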
@@ -396,7 +434,10 @@
OBJECT.modify(target, mask, proto, serange, setype)
if object == "fcontext":
- OBJECT.modify(target, setype, ftype, serange, seuser)
+ if equil == "":
+ OBJECT.modify(target, setype, ftype, serange, seuser)
+ else:
+ OBJECT.modify_equil(target, equil)
return
@@ -405,7 +446,7 @@
OBJECT.delete(target, proto)
elif object == "fcontext":
- OBJECT.delete(target, ftype)
+ OBJECT.delete(target, ftype)
elif object == "node":
OBJECT.delete(target, mask, proto)
^ permalink raw reply [flat|nested] 17+ messages in thread* Re: Patch to semanage 2009-07-09 20:11 Patch to semanage Daniel J Walsh @ 2009-07-16 17:57 ` Chad Sellers 2009-07-17 10:10 ` Daniel J Walsh 0 siblings, 1 reply; 17+ messages in thread From: Chad Sellers @ 2009-07-16 17:57 UTC (permalink / raw) To: Daniel J Walsh, SE Linux On 7/9/09 4:11 PM, "Daniel J Walsh" <dwalsh@redhat.com> wrote: > Allows semanage to use equivalence. > > Also adds better support for booleans and modules, add support for setting > dontaudit rules. > --- nsapolicycoreutils/semanage/semanage 2009-05-18 13:53:14.000000000 > -0400 > +++ policycoreutils-2.0.67/semanage/semanage 2009-07-07 16:47:35.000000000 > -0400 > @@ -44,16 +44,17 @@ > text = _(""" > semanage [ -S store ] -i [ input_file | - ] > > -semanage {boolean|login|user|port|interface|node|fcontext|translation} -{l|D} > [-n] > +semanage {module,boolean|login|user|port|interface|node|fcontext|translation} > -{l|D} [-n] > semanage login -{a|d|m} [-sr] login_name | %groupname > semanage user -{a|d|m} [-LrRP] selinux_name > semanage port -{a|d|m} [-tr] [ -p proto ] port | port_range > semanage interface -{a|d|m} [-tr] interface_spec > semanage node -{a|d|m} [-tr] [ -p protocol ] [-M netmask] addr > -semanage fcontext -{a|d|m} [-frst] file_spec > +semanage fcontext -{a|d|m} [-frst] [-e path ] file_spec > semanage translation -{a|d|m} [-T] level > semanage boolean -{d|m} [--on|--off|-1|-0] -F boolean | boolean_file > -semanage permissive -{d|a} type > +semanage permissive -{a|d} type > +semanage module -{a|d|} module > So, you're adding module support to semanage, duplicating what semodule already does? Are you proposing that we deprecate semodule or is there a reason we need duplicate functionality? Or am I missing something? > Primary Options: 
> > @@ -68,6 +69,7 @@ > -h, --help Display this message > -n, --noheading Do not print heading when listing OBJECTS > -S, --store Select and alternate SELinux store to manage > + --dontaudit Turn on or off dontaudit rules > > Object-specific Options (see above): > > @@ -84,6 +86,7 @@ > -F, --file Treat target as an input file for command, change > multiple settings > -p, --proto Port protocol (tcp or udp) or internet protocol version > of node (ipv4 or ipv6) > -M, --mask Netmask > + -e, --equil Make target equil to this paths labeling Did you mean for this to be "equal" instead of "equil?" Perhaps I'm missing something, but dictionary.com turned up no results for equil. That said, I like the idea as this seems to be a nice convenience feature. <snip> > @@ -323,6 +342,9 @@ > > if object == "boolean": > OBJECT = seobject.booleanRecords(store) > + > + if object == "module": > + OBJECT = seobject.moduleRecords(store) > The moduleRecords() method does not seem to exist anywhere that I can find it. I'm guessing there is a corresponding patch to seobject.py? > if object == "translation": > OBJECT = seobject.setransRecords() > @@ -341,6 +363,13 @@ > OBJECT.deleteall() > return > > + if dontaudit != "": > + if object == "module": > + OBJECT.dontaudit(dontaudit) > + else: > + raise ValueError(_("%s bad option") % o) > + return > + > if len(cmds) != 1: > raise ValueError(_("%s bad option") % o) 
> > @@ -362,11 +391,17 @@ > if object == "interface": > OBJECT.add(target, serange, setype) > > + if object == "module": > + OBJECT.add(target) > + > if object == "node": > OBJECT.add(target, mask, proto, serange, setype) > > if object == "fcontext": > - OBJECT.add(target, setype, ftype, serange, seuser) > + if equil == "": > + OBJECT.add(target, setype, ftype, > serange, seuser) > + else: > + OBJECT.add_equil(target, equil) The add_equil() method does not seem to exist either. I'm guessing there are more missing methods as well. Thanks, Chad -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: Patch to semanage 2009-07-16 17:57 ` Chad Sellers @ 2009-07-17 10:10 ` Daniel J Walsh 2009-08-12 20:14 ` Chad Sellers ` (2 more replies) 0 siblings, 3 replies; 17+ messages in thread From: Daniel J Walsh @ 2009-07-17 10:10 UTC (permalink / raw) To: Chad Sellers; +Cc: SE Linux [-- Attachment #1: Type: text/plain, Size: 247 bytes --] Ok lets try the patch again. Added equal patch (spelled correctly.) Beginning to add modules support to consolidate on one management command. Eventually replace semodule/setsebool with semanage command. Some white space fixing in seobject.py [-- Attachment #2: semanage.patch --] [-- Type: text/plain, Size: 38654 bytes --] --- nsapolicycoreutils/semanage/semanage 2009-05-18 13:53:14.000000000 -0400 +++ policycoreutils-2.0.67/semanage/semanage 2009-07-17 05:59:41.000000000 -0400 @@ -44,16 +44,17 @@ text = _(""" semanage [ -S store ] -i [ input_file | - ] -semanage {boolean|login|user|port|interface|node|fcontext|translation} -{l|D} [-n] +semanage {module,boolean|login|user|port|interface|node|fcontext|translation} -{l|D} [-n] semanage login -{a|d|m} [-sr] login_name | %groupname semanage user -{a|d|m} [-LrRP] selinux_name semanage port -{a|d|m} [-tr] [ -p proto ] port | port_range semanage interface -{a|d|m} [-tr] interface_spec semanage node -{a|d|m} [-tr] [ -p protocol ] [-M netmask] addr -semanage fcontext -{a|d|m} [-frst] file_spec +semanage fcontext -{a|d|m} [-frst] [-e path ] file_spec semanage translation -{a|d|m} [-T] level semanage boolean -{d|m} [--on|--off|-1|-0] -F boolean | boolean_file -semanage permissive -{d|a} type +semanage permissive -{a|d} type +semanage module -{a|d|} module Primary Options: @@ -68,6 +69,7 @@ -h, --help Display this message -n, --noheading Do not print heading when listing OBJECTS -S, --store Select and alternate SELinux store to manage + --dontaudit Turn on or off dontaudit rules Object-specific Options (see above): 
@@ -84,6 +86,7 @@ -F, --file Treat target as an input file for command, change multiple settings -p, --proto Port protocol (tcp or udp) or internet protocol version of node (ipv4 or ipv6) -M, --mask Netmask + -e, --equal Make target equal to this paths labeling -P, --prefix Prefix for home directory labeling -L, --level Default SELinux Level (MLS/MCS Systems only) -R, --roles SELinux Roles (ex: "sysadm_r staff_r") @@ -115,11 +118,14 @@ valid_option["node"] = [] valid_option["node"] += valid_everyone + [ '-M', '--mask', '-t', '--type', '-r', '--range', '-p', '--protocol'] valid_option["fcontext"] = [] - valid_option["fcontext"] += valid_everyone + [ '-f', '--ftype', '-s', '--seuser', '-t', '--type', '-r', '--range'] + valid_option["fcontext"] += valid_everyone + [ '-e', '--equal', '-f', '--ftype', '-s', '--seuser', '-t', '--type', '-r', '--range'] valid_option["translation"] = [] valid_option["translation"] += valid_everyone + [ '-T', '--trans' ] valid_option["boolean"] = [] valid_option["boolean"] += valid_everyone + [ '--on', "--off", "-1", "-0", "-F", "--file"] + valid_option["module"] = [] + valid_option["module"] += [ '-a', '--add', '-d', '--delete', '-l', '--list', '-h', '--help', '-n', '--noheading', '--dontaudit'] + valid_option["permissive"] = [] valid_option["permissive"] += [ '-a', '--add', '-d', '--delete', '-l', '--list', '-h', '--help', '-n', '--noheading', '-D', '--deleteall' ] return valid_option @@ -192,7 +198,10 @@ locallist = False use_file = False store = "" + equal="" + dontaudit = "" + object = argv[0] option_dict=get_options() if object not in option_dict.keys(): @@ -201,10 +210,12 @@ args = argv[1:] gopts, cmds = getopt.getopt(args, - '01adf:i:lhmnp:s:FCDR:L:r:t:T:P:S:M:', + '01ade:f:i:lhmnp:s:FCDR:L:r:t:T:P:S:M:', ['add', 'delete', 'deleteall', + 'dontaudit=', + 'equal=', 'ftype=', 'file', 'help', 
@@ -241,16 +252,24 @@ if modify or add: raise ValueError(_("%s bad option") % o) delete = True + if o == "-D" or o == "--deleteall": if modify: raise ValueError(_("%s bad option") % o) deleteall = True + if o == "-f" or o == "--ftype": - ftype=a + ftype = a + + if o == "-e" or o == "--equal": + equal = a if o == "-F" or o == "--file": use_file = True + if o == "--dontaudit": + dontaudit = not int(a) + if o == "-h" or o == "--help": raise ValueError(_("%s bad option") % o) @@ -323,6 +342,9 @@ if object == "boolean": OBJECT = seobject.booleanRecords(store) + + if object == "module": + OBJECT = seobject.moduleRecords(store) if object == "translation": OBJECT = seobject.setransRecords() @@ -341,6 +363,13 @@ OBJECT.deleteall() return + if dontaudit != "": + if object == "module": + OBJECT.dontaudit(dontaudit) + else: + raise ValueError(_("%s bad option") % o) + return + if len(cmds) != 1: raise ValueError(_("%s bad option") % o) @@ -362,11 +391,17 @@ if object == "interface": OBJECT.add(target, serange, setype) + if object == "module": + OBJECT.add(target) + if object == "node": OBJECT.add(target, mask, proto, serange, setype) if object == "fcontext": - OBJECT.add(target, setype, ftype, serange, seuser) + if equal == "": + OBJECT.add(target, setype, ftype, serange, seuser) + else: + OBJECT.add_equal(target, equal) if object == "permissive": OBJECT.add(target) @@ -386,6 +421,9 @@ rlist = roles.split() OBJECT.modify(target, rlist, selevel, serange, prefix) + if object == "module": + OBJECT.modify(target) + if object == "port": OBJECT.modify(target, proto, serange, setype) @@ -396,7 +434,10 @@ OBJECT.modify(target, mask, proto, serange, setype) if object == "fcontext": - OBJECT.modify(target, setype, ftype, serange, seuser) + if equal == "": + OBJECT.modify(target, setype, ftype, serange, seuser) + else: + OBJECT.modify_equal(target, equal) return 
@@ -405,7 +446,7 @@ OBJECT.delete(target, proto) elif object == "fcontext": - OBJECT.delete(target, ftype) + OBJECT.delete(target, ftype) elif object == "node": OBJECT.delete(target, mask, proto) --- nsapolicycoreutils/semanage/semanage.8 2008-08-28 09:34:24.000000000 -0400 +++ policycoreutils-2.0.67/semanage/semanage.8 2009-07-07 16:47:35.000000000 -0400 @@ -21,6 +21,8 @@ .br .B semanage permissive \-{a|d} type .br +.B semanage module \-{a|d} policy_package +.br .B semanage translation \-{a|d|m} [\-T] level .P --- nsapolicycoreutils/semanage/seobject.py 2009-05-18 13:53:14.000000000 -0400 +++ policycoreutils-2.0.67/semanage/seobject.py 2009-07-17 05:59:45.000000000 -0400 @@ -1,5 +1,5 @@ #! /usr/bin/python -E -# Copyright (C) 2005, 2006, 2007, 2008 Red Hat +# Copyright (C) 2005, 2006, 2007, 2008, 2009 Red Hat # see file 'COPYING' for use and warranty information # # semanage is a tool for managing SELinux configuration files @@ -21,16 +21,16 @@ # # -import pwd, grp, string, selinux, tempfile, os, re, sys +import pwd, grp, string, selinux, tempfile, os, re, sys, stat from semanage import *; -PROGNAME="policycoreutils" +PROGNAME = "policycoreutils" import sepolgen.module as module import gettext gettext.bindtextdomain(PROGNAME, "/usr/share/locale") gettext.textdomain(PROGNAME) try: - gettext.install(PROGNAME, localedir="/usr/share/locale", unicode=1) + gettext.install(PROGNAME, localedir = "/usr/share/locale", unicode = 1) except IOError: import __builtin__ __builtin__.__dict__['_'] = unicode 
@@ -96,7 +96,7 @@ self.audit_fd = audit.audit_open() def log(self, success, msg, name = "", sename = "", serole = "", serange = "", old_sename = "", old_serole = "", old_serange = ""): - audit.audit_log_semanage_message(self.audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],str(msg), name, 0, sename, serole, serange, old_sename, old_serole, old_serange, "", "", "", success); + audit.audit_log_semanage_message(self.audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0], str(msg), name, 0, sename, serole, serange, old_sename, old_serole, old_serange, "", "", "", success); except: class logger: def log(self, success, msg, name = "", sename = "", serole = "", serange = "", old_sename = "", old_serole = "", old_serange = ""): @@ -104,7 +104,7 @@ message = "Successful: " else: message = "Failed: " - message += " %s name=%s" % (msg,name) + message += " %s name=%s" % (msg, name) if sename != "": message += " sename=" + sename if old_sename != "": @@ -123,9 +123,9 @@ import xml.etree.ElementTree -booleans_dict={} +booleans_dict = {} try: - tree=xml.etree.ElementTree.parse("/usr/share/selinux/devel/policy.xml") + tree = xml.etree.ElementTree.parse("/usr/share/selinux/devel/policy.xml") for l in tree.findall("layer"): for m in l.findall("module"): for b in m.findall("tunable"): @@ -160,12 +160,12 @@ cat_range = category + "(\." + category +")?" categories = cat_range + "(\," + cat_range + ")*" reg = sensitivity + "(-" + sensitivity + ")?" + "(:" + categories + ")?" - return re.search("^" + reg +"$",raw) + return re.search("^" + reg +"$", raw) def translate(raw, prepend = 1): - filler="a:b:c:" + filler = "a:b:c:" if prepend == 1: - context = "%s%s" % (filler,raw) + context = "%s%s" % (filler, raw) else: context = raw (rc, trans) = selinux.selinux_raw_to_trans_context(context) 
@@ -179,9 +179,9 @@ return trans def untranslate(trans, prepend = 1): - filler="a:b:c:" + filler = "a:b:c:" if prepend == 1: - context = "%s%s" % (filler,trans) + context = "%s%s" % (filler, trans) else: context = trans @@ -234,7 +234,7 @@ rec += "%s=%s\n" % (k, self.ddict[k]) return rec - def list(self,heading = 1, locallist = 0): + def list(self, heading = 1, locallist = 0): if heading: print "\n%-25s %s\n" % (_("Level"), _("Translation")) keys = self.ddict.keys() @@ -273,6 +273,7 @@ (fd, newfilename) = tempfile.mkstemp('', self.filename) os.write(fd, self.out()) os.close(fd) + os.chmod(newfilename, os.stat(self.filename)[stat.ST_MODE]) os.rename(newfilename, self.filename) os.system("/sbin/service mcstrans reload > /dev/null") @@ -283,7 +284,7 @@ if handle != None: self.sh = handle else: - self.sh=get_handle(store) + self.sh = get_handle(store) self.transaction = False def deleteall(self): 
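Review bot: The added `os.chmod(newfilename, os.stat(self.filename)[stat.ST_MODE])` in the `@@ -273,6 +273,7 @@` hunk stats the destination only after the mkstemp file has been written and closed, so if `self.filename` does not exist yet the OSError propagates and the temporary file is left behind next to it. Taking the mode before `tempfile.mkstemp` (or catching `OSError` and falling back to an explicit mode) avoids the leak; note that on that path the new file would otherwise keep mkstemp's restrictive default mode, which may not be readable by the mcstrans service the next line reloads. The enclosing method starts outside the hunk.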
@@ -314,6 +315,49 @@ self.transaction = False self.commit() +class moduleRecords(semanageRecords): + def __init__(self, store): + semanageRecords.__init__(self, store) + + def get_all(self): + l = [] + (rc, mlist, number) = semanage_module_list(self.sh) + if rc < 0: + raise ValueError(_("Could not list SELinux modules")) + + for i in range(number): + mod = semanage_module_list_nth(mlist, i) + name = semanage_module_get_name(mod) + l.append(name) + return l + + def dontaudit(self, dontaudit = 0): + self.begin() + rc = semanage_set_disable_dontaudit(self.sh, dontaudit) + self.commit() + rc = semanage_reload_policy(self.sh) + + def list(self, heading = 1, locallist = 0): + if heading: + print "\n%-25s\n" % (_("Modules")) + for t in self.get_all(): + print t + + def add(self, modules): + import glob + for m in modules.split(): + rc = semanage_module_install_file(self.sh, m); + if rc >= 0: + self.commit() + + def delete(self, modules): + for m in modules.split(): + rc = semanage_module_remove(self.sh, m) + if rc < 0: + raise ValueError(_("Could not remove module %s (remove failed)") % name) + + self.commit() + class permissiveRecords(semanageRecords): def __init__(self, store): semanageRecords.__init__(self, store) @@ -331,7 +375,7 @@ l.append(name.split("permissive_")[1]) return l - def list(self,heading = 1, locallist = 0): + def list(self, heading = 1, locallist = 0): if heading: print "\n%-25s\n" % (_("Permissive Types")) for t in self.get_all(): @@ -353,7 +397,7 @@ permissive %s; """ % (name, type, type) - fd = open(filename,'w') + fd = open(filename, 'w') fd.write(modtxt) fd.close() mc = module.ModuleCompiler() @@ -366,7 +410,7 @@ if rc >= 0: self.commit() - for root, dirs, files in os.walk("tmp", topdown=False): + for root, dirs, files in os.walk("tmp", topdown = False): for name in files: os.remove(os.path.join(root, name)) for name in dirs: 
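Review bot: In `moduleRecords.delete`, the failure path formats the message with `name`, which is not defined in that scope (the loop variable is `m`), so a failed `semanage_module_remove` surfaces as a NameError instead of the intended ValueError: `raise ValueError(_("Could not remove module %s (remove failed)") % m)`. `add` has the opposite problem: a negative rc from `semanage_module_install_file` is dropped silently and the command appears to succeed; add `if rc < 0: raise ValueError(_("Could not install module %s") % m)` before the commit. The `import glob` in `add` is unused, and `dontaudit` ignores the return codes of both `semanage_set_disable_dontaudit` and `semanage_reload_policy`, so a failed policy reload goes unreported.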
@@ -405,11 +449,11 @@ if sename == "": sename = "user_u" - (rc,k) = semanage_seuser_key_create(self.sh, name) + (rc, k) = semanage_seuser_key_create(self.sh, name) if rc < 0: raise ValueError(_("Could not create a key for %s") % name) - (rc,exists) = semanage_seuser_exists(self.sh, k) + (rc, exists) = semanage_seuser_exists(self.sh, k) if rc < 0: raise ValueError(_("Could not check if login mapping for %s is defined") % name) if exists: @@ -425,7 +469,7 @@ except: raise ValueError(_("Linux User %s does not exist") % name) - (rc,u) = semanage_seuser_create(self.sh) + (rc, u) = semanage_seuser_create(self.sh) if rc < 0: raise ValueError(_("Could not create login mapping for %s") % name) @@ -465,17 +509,17 @@ if sename == "" and serange == "": raise ValueError(_("Requires seuser or serange")) - (rc,k) = semanage_seuser_key_create(self.sh, name) + (rc, k) = semanage_seuser_key_create(self.sh, name) if rc < 0: raise ValueError(_("Could not create a key for %s") % name) - (rc,exists) = semanage_seuser_exists(self.sh, k) + (rc, exists) = semanage_seuser_exists(self.sh, k) if rc < 0: raise ValueError(_("Could not check if login mapping for %s is defined") % name) if not exists: raise ValueError(_("Login mapping for %s is not defined") % name) - (rc,u) = semanage_seuser_query(self.sh, k) + (rc, u) = semanage_seuser_query(self.sh, k) if rc < 0: raise ValueError(_("Could not query seuser for %s") % name) @@ -498,7 +542,7 @@ semanage_seuser_key_free(k) semanage_seuser_free(u) - mylog.log(1,"modify selinux user mapping", name, sename, "", serange, oldsename, "", oldserange); + mylog.log(1, "modify selinux user mapping", name, sename, "", serange, oldsename, "", oldserange); def modify(self, name, sename = "", serange = ""): try: 
@@ -507,21 +551,21 @@ self.commit() except ValueError, error: - mylog.log(0,"modify selinux user mapping", name, sename,"", serange, "", "", ""); + mylog.log(0, "modify selinux user mapping", name, sename, "", serange, "", "", ""); raise error def __delete(self, name): - (rc,k) = semanage_seuser_key_create(self.sh, name) + (rc, k) = semanage_seuser_key_create(self.sh, name) if rc < 0: raise ValueError(_("Could not create a key for %s") % name) - (rc,exists) = semanage_seuser_exists(self.sh, k) + (rc, exists) = semanage_seuser_exists(self.sh, k) if rc < 0: raise ValueError(_("Could not check if login mapping for %s is defined") % name) if not exists: raise ValueError(_("Login mapping for %s is not defined") % name) - (rc,exists) = semanage_seuser_exists_local(self.sh, k) + (rc, exists) = semanage_seuser_exists_local(self.sh, k) if rc < 0: raise ValueError(_("Could not check if login mapping for %s is defined") % name) if not exists: @@ -540,10 +584,10 @@ self.commit() except ValueError, error: - mylog.log(0,"delete SELinux user mapping", name); + mylog.log(0, "delete SELinux user mapping", name); raise error - mylog.log(1,"delete SELinux user mapping", name); + mylog.log(1, "delete SELinux user mapping", name); def get_all(self, locallist = 0): ddict = {} @@ -593,17 +637,17 @@ if len(roles) < 1: raise ValueError(_("You must add at least one role for %s") % name) - (rc,k) = semanage_user_key_create(self.sh, name) + (rc, k) = semanage_user_key_create(self.sh, name) if rc < 0: raise ValueError(_("Could not create a key for %s") % name) - (rc,exists) = semanage_user_exists(self.sh, k) + (rc, exists) = semanage_user_exists(self.sh, k) if rc < 0: raise ValueError(_("Could not check if SELinux user %s is defined") % name) if exists: raise ValueError(_("SELinux user %s is already defined") % name) - (rc,u) = semanage_user_create(self.sh) + (rc, u) = semanage_user_create(self.sh) if rc < 0: raise ValueError(_("Could not create SELinux user for %s") % name) 
@@ -627,7 +671,7 @@ rc = semanage_user_set_prefix(self.sh, u, prefix) if rc < 0: raise ValueError(_("Could not add prefix %s for %s") % (r, prefix)) - (rc,key) = semanage_user_key_extract(self.sh,u) + (rc, key) = semanage_user_key_extract(self.sh,u) if rc < 0: raise ValueError(_("Could not extract key for %s") % name) @@ -660,17 +704,17 @@ else: raise ValueError(_("Requires prefix or roles")) - (rc,k) = semanage_user_key_create(self.sh, name) + (rc, k) = semanage_user_key_create(self.sh, name) if rc < 0: raise ValueError(_("Could not create a key for %s") % name) - (rc,exists) = semanage_user_exists(self.sh, k) + (rc, exists) = semanage_user_exists(self.sh, k) if rc < 0: raise ValueError(_("Could not check if SELinux user %s is defined") % name) if not exists: raise ValueError(_("SELinux user %s is not defined") % name) - (rc,u) = semanage_user_query(self.sh, k) + (rc, u) = semanage_user_query(self.sh, k) if rc < 0: raise ValueError(_("Could not query user for %s") % name) @@ -718,17 +762,17 @@ raise error def __delete(self, name): - (rc,k) = semanage_user_key_create(self.sh, name) + (rc, k) = semanage_user_key_create(self.sh, name) if rc < 0: raise ValueError(_("Could not create a key for %s") % name) - (rc,exists) = semanage_user_exists(self.sh, k) + (rc, exists) = semanage_user_exists(self.sh, k) if rc < 0: raise ValueError(_("Could not check if SELinux user %s is defined") % name) if not exists: raise ValueError(_("SELinux user %s is not defined") % name) - (rc,exists) = semanage_user_exists_local(self.sh, k) + (rc, exists) = semanage_user_exists_local(self.sh, k) if rc < 0: raise ValueError(_("Could not check if SELinux user %s is defined") % name) if not exists: 
@@ -810,7 +854,7 @@ low = int(ports[0]) high = int(ports[1]) - (rc,k) = semanage_port_key_create(self.sh, low, high, proto_d) + (rc, k) = semanage_port_key_create(self.sh, low, high, proto_d) if rc < 0: raise ValueError(_("Could not create a key for %s/%s") % (proto, port)) return ( k, proto_d, low, high ) @@ -827,13 +871,13 @@ ( k, proto_d, low, high ) = self.__genkey(port, proto) - (rc,exists) = semanage_port_exists(self.sh, k) + (rc, exists) = semanage_port_exists(self.sh, k) if rc < 0: raise ValueError(_("Could not check if port %s/%s is defined") % (proto, port)) if exists: raise ValueError(_("Port %s/%s already defined") % (proto, port)) - (rc,p) = semanage_port_create(self.sh) + (rc, p) = semanage_port_create(self.sh) if rc < 0: raise ValueError(_("Could not create port for %s/%s") % (proto, port)) @@ -886,13 +930,13 @@ ( k, proto_d, low, high ) = self.__genkey(port, proto) - (rc,exists) = semanage_port_exists(self.sh, k) + (rc, exists) = semanage_port_exists(self.sh, k) if rc < 0: raise ValueError(_("Could not check if port %s/%s is defined") % (proto, port)) if not exists: raise ValueError(_("Port %s/%s is not defined") % (proto,port)) - (rc,p) = semanage_port_query(self.sh, k) + (rc, p) = semanage_port_query(self.sh, k) if rc < 0: raise ValueError(_("Could not query port %s/%s") % (proto, port)) @@ -941,13 +985,13 @@ def __delete(self, port, proto): ( k, proto_d, low, high ) = self.__genkey(port, proto) - (rc,exists) = semanage_port_exists(self.sh, k) + (rc, exists) = semanage_port_exists(self.sh, k) if rc < 0: raise ValueError(_("Could not check if port %s/%s is defined") % (proto, port)) if not exists: raise ValueError(_("Port %s/%s is not defined") % (proto, port)) - (rc,exists) = semanage_port_exists_local(self.sh, k) + (rc, exists) = semanage_port_exists_local(self.sh, k) if rc < 0: raise ValueError(_("Could not check if port %s/%s is defined") % (proto, port)) if not exists: 
@@ -983,7 +1027,7 @@ proto_str = semanage_port_get_proto_str(proto) low = semanage_port_get_low(port) high = semanage_port_get_high(port) - ddict[(low, high)] = (ctype, proto_str, level) + ddict[(low, high, proto_str)] = (ctype, level) return ddict def get_all_by_type(self, locallist = 0): @@ -1053,17 +1097,17 @@ if ctype == "": raise ValueError(_("SELinux Type is required")) - (rc,k) = semanage_node_key_create(self.sh, addr, mask, proto) + (rc, k) = semanage_node_key_create(self.sh, addr, mask, proto) if rc < 0: raise ValueError(_("Could not create key for %s") % addr) if rc < 0: raise ValueError(_("Could not check if addr %s is defined") % addr) - (rc,exists) = semanage_node_exists(self.sh, k) + (rc, exists) = semanage_node_exists(self.sh, k) if exists: raise ValueError(_("Addr %s already defined") % addr) - (rc,node) = semanage_node_create(self.sh) + (rc, node) = semanage_node_create(self.sh) if rc < 0: raise ValueError(_("Could not create addr for %s") % addr) @@ -1128,17 +1172,17 @@ if serange == "" and setype == "": raise ValueError(_("Requires setype or serange")) - (rc,k) = semanage_node_key_create(self.sh, addr, mask, proto) + (rc, k) = semanage_node_key_create(self.sh, addr, mask, proto) if rc < 0: raise ValueError(_("Could not create key for %s") % addr) - (rc,exists) = semanage_node_exists(self.sh, k) + (rc, exists) = semanage_node_exists(self.sh, k) if rc < 0: raise ValueError(_("Could not check if addr %s is defined") % addr) if not exists: raise ValueError(_("Addr %s is not defined") % addr) - (rc,node) = semanage_node_query(self.sh, k) + (rc, node) = semanage_node_query(self.sh, k) if rc < 0: raise ValueError(_("Could not query addr %s") % addr) 
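Review bot: `ddict[(low, high, proto_str)] = (ctype, level)` changes both the key and the value shape of `portRecords.get_all`, but this is the only hunk in the patch that touches it; `get_all_by_type` (whose signature is visible right below) and the port `list` method presumably unpack the old `(ctype, proto_str, level)` value and would need the matching change, which the patch does not show. If they are updated elsewhere, a comment on the dict stating the new shape, `# (low, high, proto) -> (type, level)`, saves the next reader the lookup. Separately, in the `@@ -1053,17 +1097,17 @@` hunk on this line the `if rc < 0` check for `semanage_node_exists` sits before the call it is meant to guard (pre-existing; only whitespace changes there), so a failed lookup is never reported.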
@@ -1175,17 +1219,17 @@ else: raise ValueError(_("Unknown or missing protocol")) - (rc,k) = semanage_node_key_create(self.sh, addr, mask, proto) + (rc, k) = semanage_node_key_create(self.sh, addr, mask, proto) if rc < 0: raise ValueError(_("Could not create key for %s") % addr) - (rc,exists) = semanage_node_exists(self.sh, k) + (rc, exists) = semanage_node_exists(self.sh, k) if rc < 0: raise ValueError(_("Could not check if addr %s is defined") % addr) if not exists: raise ValueError(_("Addr %s is not defined") % addr) - (rc,exists) = semanage_node_exists_local(self.sh, k) + (rc, exists) = semanage_node_exists_local(self.sh, k) if rc < 0: raise ValueError(_("Could not check if addr %s is defined") % addr) if not exists: @@ -1255,17 +1299,17 @@ if ctype == "": raise ValueError(_("SELinux Type is required")) - (rc,k) = semanage_iface_key_create(self.sh, interface) + (rc, k) = semanage_iface_key_create(self.sh, interface) if rc < 0: raise ValueError(_("Could not create key for %s") % interface) - (rc,exists) = semanage_iface_exists(self.sh, k) + (rc, exists) = semanage_iface_exists(self.sh, k) if rc < 0: raise ValueError(_("Could not check if interface %s is defined") % interface) if exists: raise ValueError(_("Interface %s already defined") % interface) - (rc,iface) = semanage_iface_create(self.sh) + (rc, iface) = semanage_iface_create(self.sh) if rc < 0: raise ValueError(_("Could not create interface for %s") % interface) 
@@ -1316,17 +1360,17 @@ if serange == "" and setype == "": raise ValueError(_("Requires setype or serange")) - (rc,k) = semanage_iface_key_create(self.sh, interface) + (rc, k) = semanage_iface_key_create(self.sh, interface) if rc < 0: raise ValueError(_("Could not create key for %s") % interface) - (rc,exists) = semanage_iface_exists(self.sh, k) + (rc, exists) = semanage_iface_exists(self.sh, k) if rc < 0: raise ValueError(_("Could not check if interface %s is defined") % interface) if not exists: raise ValueError(_("Interface %s is not defined") % interface) - (rc,iface) = semanage_iface_query(self.sh, k) + (rc, iface) = semanage_iface_query(self.sh, k) if rc < 0: raise ValueError(_("Could not query interface %s") % interface) @@ -1350,17 +1394,17 @@ self.commit() def __delete(self, interface): - (rc,k) = semanage_iface_key_create(self.sh, interface) + (rc, k) = semanage_iface_key_create(self.sh, interface) if rc < 0: raise ValueError(_("Could not create key for %s") % interface) - (rc,exists) = semanage_iface_exists(self.sh, k) + (rc, exists) = semanage_iface_exists(self.sh, k) if rc < 0: raise ValueError(_("Could not check if interface %s is defined") % interface) if not exists: raise ValueError(_("Interface %s is not defined") % interface) - (rc,exists) = semanage_iface_exists_local(self.sh, k) + (rc, exists) = semanage_iface_exists_local(self.sh, k) if rc < 0: raise ValueError(_("Could not check if interface %s is defined") % interface) if not exists: 
@@ -1408,6 +1452,48 @@ class fcontextRecords(semanageRecords): def __init__(self, store = ""): semanageRecords.__init__(self, store) + self.equiv = {} + self.equal_ind = False + try: + fd = open(selinux.selinux_file_context_subs_path(), "r") + for i in fd.readlines(): + src, dst = i.split() + self.equiv[src] = dst + fd.close() + except IOError: + pass + + def commit(self): + if self.equal_ind: + subs_file = selinux.selinux_file_context_subs_path() + tmpfile = "%s.tmp" % subs_file + fd = open(tmpfile, "w") + for src in self.equiv.keys(): + fd.write("%s %s\n" % (src, self.equiv[src])) + fd.close() + try: + os.chmod(tmpfile, os.stat(subs_file)[stat.ST_MODE]) + except: + pass + os.rename(tmpfile,subs_file) + self.equal_ind = False + semanageRecords.commit(self) + + def add_equal(self, src, dst): + self.begin() + if src in self.equiv.keys(): + raise ValueError(_("Equivalence class for %s already exists") % src) + self.equiv[src] = dst + self.equal_ind = True + self.commit() + + def modify_equal(self, src, dst): + self.begin() + if src not in self.equiv.keys(): + raise ValueError(_("Equivalence class for %s does not exists") % src) + self.equiv[src] = dst + self.equal_ind = True + self.commit() def createcon(self, target, seuser = "system_u"): (rc, con) = semanage_context_create(self.sh) 
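Review bot: The bare `except: pass` around the chmod in the new `commit` hides every failure, including a missing subs file, and the write loop has no `try/finally`, so a failed write leaves `tmpfile` open and lying next to the live subs file; narrow it to `except OSError:` and close `fd` in a `finally`. `add_equal` and `modify_equal` accept any string, but the file is written as `"%s %s\n"` and read back with `src, dst = i.split()`, so a `src` or `dst` containing whitespace (or a blank line already present in the file) makes the next `__init__` raise an unhandled ValueError, which the `except IOError` does not cover, and every later fcontext command fails at construction. Reject entries that contain whitespace before they are stored, and make the loader tolerant: `fields = i.split()`, `if len(fields) != 2: continue`, `self.equiv[fields[0]] = fields[1]`.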
@@ -1444,23 +1530,23 @@ if type == "": raise ValueError(_("SELinux Type is required")) - (rc,k) = semanage_fcontext_key_create(self.sh, target, file_types[ftype]) + (rc, k) = semanage_fcontext_key_create(self.sh, target, file_types[ftype]) if rc < 0: raise ValueError(_("Could not create key for %s") % target) - (rc,exists) = semanage_fcontext_exists(self.sh, k) + (rc, exists) = semanage_fcontext_exists(self.sh, k) if rc < 0: raise ValueError(_("Could not check if file context for %s is defined") % target) if not exists: - (rc,exists) = semanage_fcontext_exists_local(self.sh, k) + (rc, exists) = semanage_fcontext_exists_local(self.sh, k) if rc < 0: raise ValueError(_("Could not check if file context for %s is defined") % target) if exists: raise ValueError(_("File context for %s already defined") % target) - (rc,fcontext) = semanage_fcontext_create(self.sh) + (rc, fcontext) = semanage_fcontext_create(self.sh) if rc < 0: raise ValueError(_("Could not create file context for %s") % target) 
@@ -1501,21 +1587,21 @@ raise ValueError(_("Requires setype, serange or seuser")) self.validate(target) - (rc,k) = semanage_fcontext_key_create(self.sh, target, file_types[ftype]) + (rc, k) = semanage_fcontext_key_create(self.sh, target, file_types[ftype]) if rc < 0: raise ValueError(_("Could not create a key for %s") % target) - (rc,exists) = semanage_fcontext_exists(self.sh, k) + (rc, exists) = semanage_fcontext_exists(self.sh, k) if rc < 0: raise ValueError(_("Could not check if file context for %s is defined") % target) if not exists: - (rc,exists) = semanage_fcontext_exists_local(self.sh, k) + (rc, exists) = semanage_fcontext_exists_local(self.sh, k) if not exists: raise ValueError(_("File context for %s is not defined") % target) - (rc,fcontext) = semanage_fcontext_query_local(self.sh, k) + (rc, fcontext) = semanage_fcontext_query_local(self.sh, k) if rc < 0: - (rc,fcontext) = semanage_fcontext_query(self.sh, k) + (rc, fcontext) = semanage_fcontext_query(self.sh, k) if rc < 0: raise ValueError(_("Could not query file context for %s") % target) @@ -1565,7 +1651,7 @@ target = semanage_fcontext_get_expr(fcontext) ftype = semanage_fcontext_get_type(fcontext) ftype_str = semanage_fcontext_get_type_str(ftype) - (rc,k) = semanage_fcontext_key_create(self.sh, target, file_types[ftype_str]) + (rc, k) = semanage_fcontext_key_create(self.sh, target, file_types[ftype_str]) if rc < 0: raise ValueError(_("Could not create a key for %s") % target) 
@@ -1573,19 +1659,26 @@ if rc < 0: raise ValueError(_("Could not delete the file context %s") % target) semanage_fcontext_key_free(k) - + + self.equiv = {} + self.equal_ind = True self.commit() def __delete(self, target, ftype): - (rc,k) = semanage_fcontext_key_create(self.sh, target, file_types[ftype]) + if target in self.equiv.keys(): + self.equiv.pop(target) + self.equal_ind = True + return + + (rc, k) = semanage_fcontext_key_create(self.sh, target, file_types[ftype]) if rc < 0: raise ValueError(_("Could not create a key for %s") % target) - (rc,exists) = semanage_fcontext_exists_local(self.sh, k) + (rc, exists) = semanage_fcontext_exists_local(self.sh, k) if rc < 0: raise ValueError(_("Could not check if file context for %s is defined") % target) if not exists: - (rc,exists) = semanage_fcontext_exists(self.sh, k) + (rc, exists) = semanage_fcontext_exists(self.sh, k) if rc < 0: raise ValueError(_("Could not check if file context for %s is defined") % target) if exists: @@ -1632,11 +1725,11 @@ return ddict def list(self, heading = 1, locallist = 0 ): - if heading: - print "%-50s %-18s %s\n" % (_("SELinux fcontext"), _("type"), _("Context")) fcon_dict = self.get_all(locallist) keys = fcon_dict.keys() keys.sort() + if len(keys) > 0 and heading: + print "%-50s %-18s %s\n" % (_("SELinux fcontext"), _("type"), _("Context")) for k in keys: if fcon_dict[k]: if is_mls_enabled: @@ -1645,11 +1738,17 @@ print "%-50s %-18s %s:%s:%s " % (k[0], k[1], fcon_dict[k][0], fcon_dict[k][1],fcon_dict[k][2]) else: print "%-50s %-18s <<None>>" % (k[0], k[1]) + if len(self.equiv.keys()) > 0: + if heading: + print _("\nSELinux fcontext Equivalence \n") + + for src in self.equiv.keys(): + print "%s == %s" % (src, self.equiv[src]) class booleanRecords(semanageRecords): def __init__(self, store = ""): semanageRecords.__init__(self, store) - self.dict={} + self.dict = {} self.dict["TRUE"] = 1 self.dict["FALSE"] = 0 self.dict["ON"] = 1 
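Review bot: In `__delete`, the equivalence lookup runs before the fcontext key path, so `semanage fcontext -d` on a target that is both an equivalence source and a real file-context rule silently drops the equivalence and returns without touching the rule; the equivalence branch should only be taken when the caller asked for one (the `-e` form), or the method should at least report which kind of entry it removed. In the `@@ -1573` hunk, `deleteall` sets `self.equiv = {}`, which empties the whole subs file on commit, including entries that were shipped with the policy rather than added locally, because `self.equiv` is loaded straight from `selinux_file_context_subs_path()` with no local/policy distinction. Both `deleteall` and `__delete` are cut off at the hunk edges, so the surrounding begin/commit handling is not visible here.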
@@ -1658,16 +1757,16 @@ self.dict["0"] = 0 def __mod(self, name, value): - (rc,k) = semanage_bool_key_create(self.sh, name) + (rc, k) = semanage_bool_key_create(self.sh, name) if rc < 0: raise ValueError(_("Could not create a key for %s") % name) - (rc,exists) = semanage_bool_exists(self.sh, k) + (rc, exists) = semanage_bool_exists(self.sh, k) if rc < 0: raise ValueError(_("Could not check if boolean %s is defined") % name) if not exists: raise ValueError(_("Boolean %s is not defined") % name) - (rc,b) = semanage_bool_query(self.sh, k) + (rc, b) = semanage_bool_query(self.sh, k) if rc < 0: raise ValueError(_("Could not query file context %s") % name) @@ -1685,7 +1784,7 @@ semanage_bool_key_free(k) semanage_bool_free(b) - def modify(self, name, value=None, use_file=False): + def modify(self, name, value = None, use_file = False): self.begin() @@ -1709,16 +1808,16 @@ def __delete(self, name): - (rc,k) = semanage_bool_key_create(self.sh, name) + (rc, k) = semanage_bool_key_create(self.sh, name) if rc < 0: raise ValueError(_("Could not create a key for %s") % name) - (rc,exists) = semanage_bool_exists(self.sh, k) + (rc, exists) = semanage_bool_exists(self.sh, k) if rc < 0: raise ValueError(_("Could not check if boolean %s is defined") % name) if not exists: raise ValueError(_("Boolean %s is not defined") % name) - (rc,exists) = semanage_bool_exists_local(self.sh, k) + (rc, exists) = semanage_bool_exists_local(self.sh, k) if rc < 0: raise ValueError(_("Could not check if boolean %s is defined") % name) if not exists: @@ -1777,7 +1876,7 @@ return _("unknown") def list(self, heading = True, locallist = False, use_file = False): - on_off = (_("off"),_("on")) + on_off = (_("off"), _("on")) if use_file: ddict = self.get_all(locallist) keys = ddict.keys() ^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: Patch to semanage 2009-07-17 10:10 ` Daniel J Walsh @ 2009-08-12 20:14 ` Chad Sellers 2009-08-12 20:26 ` Daniel J Walsh 2009-08-12 21:09 ` Chad Sellers 2009-08-17 21:45 ` Chad Sellers 2 siblings, 1 reply; 17+ messages in thread From: Chad Sellers @ 2009-08-12 20:14 UTC (permalink / raw) To: Daniel J Walsh; +Cc: SE Linux On 7/17/09 6:10 AM, "Daniel J Walsh" <dwalsh@redhat.com> wrote: > Ok lets try the patch again. > > Added equal patch (spelled correctly.) > Beginning to add modules support to consolidate on one management command. > Eventually replace semodule/setsebool with semanage command. > Some white space fixing in seobject.py I'm looking at this patch now. There are a couple of changes that I believe are not part of the rest, but I wonder if you could verify this (and maybe tell me why they're here). > diff --git a/policycoreutils/semanage/seobject.py > b/policycoreutils/semanage/seobject.py > index 94bdf7f..5b94a0f 100644 > --- a/policycoreutils/semanage/seobject.py > +++ b/policycoreutils/semanage/seobject.py > @@ -21,7 +21,7 @@ > # > # > > -import pwd, grp, string, selinux, tempfile, os, re, sys > +import pwd, grp, string, selinux, tempfile, os, re, sys, stat > from semanage import *; > PROGNAME = "policycoreutils" > import sepolgen.module as module > @@ -273,6 +273,7 @@ class setransRecords: > (fd, newfilename) = tempfile.mkstemp('', self.filename) > os.write(fd, self.out()) > os.close(fd) > + os.chmod(newfilename, os.stat(self.filename)[stat.ST_MODE]) > os.rename(newfilename, self.filename) > os.system("/sbin/service mcstrans reload > /dev/null") > I'm guessing there was some problem with the permissions on setrans files? 
> @@ -983,7 +1027,7 @@ class portRecords(semanageRecords): > proto_str = semanage_port_get_proto_str(proto) > low = semanage_port_get_low(port) > high = semanage_port_get_high(port) > - ddict[(low, high)] = (ctype, proto_str, level) > + ddict[(low, high, proto_str)] = (ctype, level) > return ddict > > def get_all_by_type(self, locallist = 0): Was this just plain wrong before? I'm not familiar with this. Was there not a user before (and presumably there is one now)? Everything else seems to fall into one of your 3 categories above. Thanks, Chad -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: Patch to semanage 2009-08-12 20:14 ` Chad Sellers @ 2009-08-12 20:26 ` Daniel J Walsh 0 siblings, 0 replies; 17+ messages in thread From: Daniel J Walsh @ 2009-08-12 20:26 UTC (permalink / raw) To: Chad Sellers; +Cc: SE Linux On 08/12/2009 04:14 PM, Chad Sellers wrote: > On 7/17/09 6:10 AM, "Daniel J Walsh" <dwalsh@redhat.com> wrote: > >> Ok lets try the patch again. >> >> Added equal patch (spelled correctly.) >> Beginning to add modules support to consolidate on one management command. >> Eventually replace semodule/setsebool with semanage command. >> Some white space fixing in seobject.py > > I'm looking at this patch now. There are a couple of changes that I believe > are not part of the rest, but I wonder if you could verify this (and maybe > tell me why they're here). > >> diff --git a/policycoreutils/semanage/seobject.py >> b/policycoreutils/semanage/seobject.py >> index 94bdf7f..5b94a0f 100644 >> --- a/policycoreutils/semanage/seobject.py >> +++ b/policycoreutils/semanage/seobject.py >> @@ -21,7 +21,7 @@ >> # >> # >> >> -import pwd, grp, string, selinux, tempfile, os, re, sys >> +import pwd, grp, string, selinux, tempfile, os, re, sys, stat >> from semanage import *; >> PROGNAME = "policycoreutils" >> import sepolgen.module as module >> @@ -273,6 +273,7 @@ class setransRecords: >> (fd, newfilename) = tempfile.mkstemp('', self.filename) >> os.write(fd, self.out()) >> os.close(fd) >> + os.chmod(newfilename, os.stat(self.filename)[stat.ST_MODE]) >> os.rename(newfilename, self.filename) >> os.system("/sbin/service mcstrans reload > /dev/null") >> > I'm guessing there was some problem with the permissions on setrans files? Well the tool was not maintainng the permissions, But I believe we should just remove all handling of setrans records, since this stuff will not work with the latest code. semanage should no longer manage the translatetions. 
> >> @@ -983,7 +1027,7 @@ class portRecords(semanageRecords): >> proto_str = semanage_port_get_proto_str(proto) >> low = semanage_port_get_low(port) >> high = semanage_port_get_high(port) >> - ddict[(low, high)] = (ctype, proto_str, level) >> + ddict[(low, high, proto_str)] = (ctype, level) >> return ddict >> >> def get_all_by_type(self, locallist = 0): > > Was this just plain wrong before? I'm not familiar with this. Was there not > a user before (and presumably there is one now)? > > Everything else seems to fall into one of your 3 categories above. > > Thanks, > Chad > Yes this was a bug. -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: Patch to semanage 2009-07-17 10:10 ` Daniel J Walsh 2009-08-12 20:14 ` Chad Sellers @ 2009-08-12 21:09 ` Chad Sellers 2009-08-17 21:45 ` Chad Sellers 2 siblings, 0 replies; 17+ messages in thread From: Chad Sellers @ 2009-08-12 21:09 UTC (permalink / raw) To: Daniel J Walsh; +Cc: SE Linux On 7/17/09 6:10 AM, "Daniel J Walsh" <dwalsh@redhat.com> wrote: > Ok lets try the patch again. > > Added equal patch (spelled correctly.) > Beginning to add modules support to consolidate on one management command. > Eventually replace semodule/setsebool with semanage command. > Some white space fixing in seobject.py I've split this patch into the 3 separate patches (whitespace, equal, modules) for review purposes, as it was too difficult to get through with the 3 different patches interspersed. Please try to split up functional patches in the future. This message will apply to the equal patch only. > diff --git a/policycoreutils/semanage/seobject.py > b/policycoreutils/semanage/seobject.py > index d3e0c40..94bdf7f 100644 > --- a/policycoreutils/semanage/seobject.py > +++ b/policycoreutils/semanage/seobject.py 
> @@ -1408,6 +1408,48 @@ class interfaceRecords(semanageRecords): > class fcontextRecords(semanageRecords): > def __init__(self, store = ""): > semanageRecords.__init__(self, store) > + self.equiv = {} > + self.equal_ind = False > + try: > + fd = open(selinux.selinux_file_context_subs_path(), "r") > + for i in fd.readlines(): > + src, dst = i.split() > + self.equiv[src] = dst > + fd.close() > + except IOError: > + pass > + > + def commit(self): > + if self.equal_ind: > + subs_file = selinux.selinux_file_context_subs_path() > + tmpfile = "%s.tmp" % subs_file > + fd = open(tmpfile, "w") > + for src in self.equiv.keys(): > + fd.write("%s %s\n" % (src, self.equiv[src])) > + fd.close() > + try: > + os.chmod(tmpfile, os.stat(subs_file)[stat.ST_MODE]) > + except: > + pass > + os.rename(tmpfile,subs_file) > + self.equal_ind = False > + semanageRecords.commit(self) > + Using subs in this manner has interesting side-effects, as all subs does is string substitution before looking up the context. This can result in weirdness when the string is passed to the regex matcher, such as: 1. Regular files will not match directory entries (/foo is a regular file): [root@f10 selinux]# semanage fcontext -a -e /usr /foo [root@f10 selinux]# restorecon -nv /foo restorecon reset /foo context unconfined_u:object_r:user_home_t:s0->system_u:object_r:etc_runtime_t:s0 2. Regular expression matching can cause matches to depend on whether a / is appended: [root@f10 selinux]# semanage fcontext -a -e /usr/ /foo [root@f10 selinux]# restorecon -nv /foo restorecon reset /foo context unconfined_u:object_r:user_home_t:s0->system_u:object_r:usr_t:s0 <snip> Unfortunately, I don't see an easy fix to these problems. We could augment the subs functionality to allow the user to specify the kind of file they want to match, but that would just make things more complex in trying to work around the problem. 
Or, we could just decide to live with the peculiarities (and at least document them for people who get confused). Thanks, Chad -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: Patch to semanage 2009-07-17 10:10 ` Daniel J Walsh 2009-08-12 20:14 ` Chad Sellers 2009-08-12 21:09 ` Chad Sellers @ 2009-08-17 21:45 ` Chad Sellers 2009-08-18 21:35 ` Daniel J Walsh 2 siblings, 1 reply; 17+ messages in thread From: Chad Sellers @ 2009-08-17 21:45 UTC (permalink / raw) To: Daniel J Walsh; +Cc: SE Linux On 7/17/09 6:10 AM, "Daniel J Walsh" <dwalsh@redhat.com> wrote: > Ok lets try the patch again. > > Added equal patch (spelled correctly.) > Beginning to add modules support to consolidate on one management command. > Eventually replace semodule/setsebool with semanage command. > Some white space fixing in seobject.py As I said previously, I've split this patch into the 3 separate patches (whitespace, equal, modules) for review purposes, as it was too difficult to get through with the 3 different patches interspersed. Please try to split up functional patches in the future. This message will apply to the modules patch only. > diff --git a/policycoreutils/semanage/semanage > b/policycoreutils/semanage/semanage > index 1688d85..072453d 100644 > --- a/policycoreutils/semanage/semanage > +++ b/policycoreutils/semanage/semanage > @@ -44,7 +44,7 @@ if __name__ == '__main__': > text = _(""" > semanage [ -S store ] -i [ input_file | - ] > > -semanage {boolean|login|user|port|interface|node|fcontext|translation} -{l|D} > [-n] > +semanage {module,boolean|login|user|port|interface|node|fcontext|translation} > -{l|D} [-n] > semanage login -{a|d|m} [-sr] login_name | %groupname > semanage user -{a|d|m} [-LrRP] selinux_name > semanage port -{a|d|m} [-tr] [ -p proto ] port | port_range 
> @@ -53,7 +53,8 @@ semanage node -{a|d|m} [-tr] [ -p protocol ] [-M netmask] > addr > semanage fcontext -{a|d|m} [-frst] [-e path ] file_spec > semanage translation -{a|d|m} [-T] level > semanage boolean -{d|m} [--on|--off|-1|-0] -F boolean | boolean_file > -semanage permissive -{d|a} type > +semanage permissive -{a|d} type > +semanage module -{a|d|} module > > Primary Options: > > @@ -68,6 +69,7 @@ Primary Options: > -h, --help Display this message > -n, --noheading Do not print heading when listing OBJECTS > -S, --store Select and alternate SELinux store to manage > + --dontaudit Turn on or off dontaudit rules > Need to specify that this takes an integer argument (1 or 0) here. Also, need to specify which command this is valid for, which appears to be the module command. Why is this an option for the module command? It doesn't seem to have anything to do with a particular module. Should this just be its own command? > Object-specific Options (see above): > > @@ -121,6 +123,8 @@ Object-specific Options (see above): > valid_option["translation"] += valid_everyone + [ '-T', '--trans' ] > valid_option["boolean"] = [] > valid_option["boolean"] += valid_everyone + [ '--on', "--off", "-1", > "-0", "-F", "--file"] > + valid_option["module"] = [] > + valid_option["module"] += [ '-a', '--add', '-d', '--delete', '-l', > '--list', '-h', '--help', '-n', '--noheading', '--dontaudit'] > valid_option["permissive"] = [] > valid_option["permissive"] += [ '-a', '--add', '-d', '--delete', > '-l', '--list', '-h', '--help', '-n', '--noheading', '-D', '--deleteall' ] > return valid_option > @@ -194,6 +198,7 @@ Object-specific Options (see above): > use_file = False > store = "" > equal = "" > + dontaudit = "" > > object = argv[0] > option_dict=get_options() > @@ -207,6 +212,7 @@ Object-specific Options (see above): > ['add', > 'delete', > 'deleteall', > + 'dontaudit=', > 'equal=', > 'ftype=', > 'file', 
> @@ -259,6 +265,9 @@ Object-specific Options (see above): > if o == "-F" or o == "--file": > use_file = True > > + if o == "--dontaudit": > + dontaudit = not int(a) > + > if o == "-h" or o == "--help": > raise ValueError(_("%s bad option") % o) > > @@ -331,6 +340,9 @@ Object-specific Options (see above): > > if object == "boolean": > OBJECT = seobject.booleanRecords(store) > + > + if object == "module": > + OBJECT = seobject.moduleRecords(store) > > if object == "translation": > OBJECT = seobject.setransRecords() > @@ -349,6 +361,13 @@ Object-specific Options (see above): > OBJECT.deleteall() > return > > + if dontaudit != "": > + if object == "module": > + OBJECT.dontaudit(dontaudit) > + else: > + raise ValueError(_("%s bad option") % o) > + return > + > if len(cmds) != 1: > raise ValueError(_("%s bad option") % o) > > @@ -370,6 +389,9 @@ Object-specific Options (see above): > if object == "interface": > OBJECT.add(target, serange, setype) > > + if object == "module": > + OBJECT.add(target) > + > if object == "node": > OBJECT.add(target, mask, proto, serange, setype) > > @@ -397,6 +419,9 @@ Object-specific Options (see above): > rlist = roles.split() > OBJECT.modify(target, rlist, selevel, serange, prefix) > > + if object == "module": > + OBJECT.modify(target) > + > if object == "port": > OBJECT.modify(target, proto, serange, setype) > > diff --git a/policycoreutils/semanage/semanage.8 > b/policycoreutils/semanage/semanage.8 > index 31e98c7..56208d8 100644 > --- a/policycoreutils/semanage/semanage.8 > +++ b/policycoreutils/semanage/semanage.8 > @@ -21,6 +21,8 @@ semanage \- SELinux Policy Management tool > .br > .B semanage permissive \-{a|d} type > .br > +.B semanage module \-{a|d} policy_package > +.br > .B semanage translation \-{a|d|m} [\-T] level > .P > > diff --git a/policycoreutils/semanage/seobject.py > b/policycoreutils/semanage/seobject.py > index 94bdf7f..7f911a9 100644 > --- a/policycoreutils/semanage/seobject.py 
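Review bot: The `@@ -397` hunk dispatches `semanage module -m` to `OBJECT.modify(target)`, but the `moduleRecords` class added in the seobject.py hunk of this same mail defines no `modify`, so unless `semanageRecords` supplies one (not visible here) the command ends in an AttributeError rather than the usual bad-option error; either drop the branch or add the method. In the `@@ -259` hunk, `dontaudit = not int(a)` accepts any integer (`--dontaudit 2` silently enables dontaudit rules) and surfaces a raw Python ValueError for non-numeric input; validate first, e.g. `if a not in ("0", "1"): raise ValueError(_("%s bad option") % o)`. The `@@ -349` hunk's `raise ValueError(_("%s bad option") % o)` reports `o`, the last option parsed, which is not necessarily `--dontaudit`, so the message can name the wrong flag.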
> +++ b/policycoreutils/semanage/seobject.py 
> @@ -314,6 +314,49 @@ class semanageRecords: > self.transaction = False > self.commit() > > +class moduleRecords(semanageRecords): > + def __init__(self, store): > + semanageRecords.__init__(self, store) > + > + def get_all(self): > + l = [] > + (rc, mlist, number) = semanage_module_list(self.sh) > + if rc < 0: > + raise ValueError(_("Could not list SELinux modules")) > + > + for i in range(number): > + mod = semanage_module_list_nth(mlist, i) > + name = semanage_module_get_name(mod) > + l.append(name) > + return l > + > + def dontaudit(self, dontaudit = 0): > + self.begin() > + rc = semanage_set_disable_dontaudit(self.sh, dontaudit) > + self.commit() > + rc = semanage_reload_policy(self.sh) > + > + def list(self, heading = 1, locallist = 0): > + if heading: > + print "\n%-25s\n" % (_("Modules")) > + for t in self.get_all(): > + print t > + > + def add(self, modules): > + import glob > + for m in modules.split(): > + rc = semanage_module_install_file(self.sh, m); > + if rc >= 0: > + self.commit() > + Why import glob here? It doesn't look like you use it. > + def delete(self, modules): > + for m in modules.split(): > + rc = semanage_module_remove(self.sh, m) > + if rc < 0: > + raise ValueError(_("Could not remove module %s > (remove failed)") % name) > + > + self.commit() > + > class permissiveRecords(semanageRecords): > def __init__(self, store): > semanageRecords.__init__(self, store) Other than that, I have no problem with the code in the patch. The bigger problem with this is that it's still incomplete at this point. There's still no support for: - base modules - build (without changing anything) - reload (without changing anything) - module version number in listing - install/upgrade distinction (though I'm perfectly fine with ditching this) I'm not comfortable merging this before at least base modules are supported. Having an additional tool that doesn't meet the basic requirements for users will just lead to confusion. 
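Review bot: `delete` in the new `moduleRecords` formats its error with `name`, which is not defined in that method, so a failed `semanage_module_remove` raises NameError instead of the intended message; use the loop variable, `raise ValueError(_("Could not remove module %s (remove failed)") % m)`. `add` has the opposite problem: when `semanage_module_install_file` returns a negative rc it skips the commit and says nothing, so a bad or unreadable policy package is reported as success; raise there too, `if rc < 0: raise ValueError(_("Could not install module %s") % m)`. `dontaudit` likewise discards the rc of both `semanage_set_disable_dontaudit` and `semanage_reload_policy`, so a failed policy reload after toggling dontaudit goes unreported.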
Thanks, Chad -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: Patch to semanage 2009-08-17 21:45 ` Chad Sellers @ 2009-08-18 21:35 ` Daniel J Walsh 2009-08-18 21:41 ` Chad Sellers 0 siblings, 1 reply; 17+ messages in thread From: Daniel J Walsh @ 2009-08-18 21:35 UTC (permalink / raw) To: Chad Sellers; +Cc: SE Linux On 08/17/2009 05:45 PM, Chad Sellers wrote: > On 7/17/09 6:10 AM, "Daniel J Walsh" <dwalsh@redhat.com> wrote: > >> Ok lets try the patch again. >> >> Added equal patch (spelled correctly.) >> Beginning to add modules support to consolidate on one management command. >> Eventually replace semodule/setsebool with semanage command. >> Some white space fixing in seobject.py > > As I said previously, I've split this patch into the 3 separate patches > (whitespace, equal, modules) for review purposes, as it was too difficult to > get through with the 3 different patches interspersed. Please try to split > up functional patches in the future. > > This message will apply to the modules patch only. > >> diff --git a/policycoreutils/semanage/semanage >> b/policycoreutils/semanage/semanage >> index 1688d85..072453d 100644 >> --- a/policycoreutils/semanage/semanage >> +++ b/policycoreutils/semanage/semanage >> @@ -44,7 +44,7 @@ if __name__ == '__main__': >> text = _(""" >> semanage [ -S store ] -i [ input_file | - ] >> >> -semanage {boolean|login|user|port|interface|node|fcontext|translation} -{l|D} >> [-n] >> +semanage {module,boolean|login|user|port|interface|node|fcontext|translation} >> -{l|D} [-n] >> semanage login -{a|d|m} [-sr] login_name | %groupname >> semanage user -{a|d|m} [-LrRP] selinux_name >> semanage port -{a|d|m} [-tr] [ -p proto ] port | port_range 
>> @@ -53,7 +53,8 @@ semanage node -{a|d|m} [-tr] [ -p protocol ] [-M netmask] >> addr >> semanage fcontext -{a|d|m} [-frst] [-e path ] file_spec >> semanage translation -{a|d|m} [-T] level >> semanage boolean -{d|m} [--on|--off|-1|-0] -F boolean | boolean_file >> -semanage permissive -{d|a} type >> +semanage permissive -{a|d} type >> +semanage module -{a|d|} module >> >> Primary Options: >> >> @@ -68,6 +69,7 @@ Primary Options: >> -h, --help Display this message >> -n, --noheading Do not print heading when listing OBJECTS >> -S, --store Select and alternate SELinux store to manage >> + --dontaudit Turn on or off dontaudit rules >> > Need to specify that this takes an integer argument (1 or 0) here. Also, > need to specify which command this is valid for, which appears to be the > module command. Why is this an option for the module command? It doesn't > seem to have anything to do with a particular module. Should this just be > its own command? > I think it should be just for the modules command. >> Object-specific Options (see above): >> >> @@ -121,6 +123,8 @@ Object-specific Options (see above): >> valid_option["translation"] += valid_everyone + [ '-T', '--trans' ] >> valid_option["boolean"] = [] >> valid_option["boolean"] += valid_everyone + [ '--on', "--off", "-1", >> "-0", "-F", "--file"] >> + valid_option["module"] = [] >> + valid_option["module"] += [ '-a', '--add', '-d', '--delete', '-l', >> '--list', '-h', '--help', '-n', '--noheading', '--dontaudit'] >> valid_option["permissive"] = [] >> valid_option["permissive"] += [ '-a', '--add', '-d', '--delete', >> '-l', '--list', '-h', '--help', '-n', '--noheading', '-D', '--deleteall' ] >> return valid_option >> @@ -194,6 +198,7 @@ Object-specific Options (see above): >> use_file = False >> store = "" >> equal = "" >> + dontaudit = "" >> >> object = argv[0] >> option_dict=get_options() 
>> @@ -207,6 +212,7 @@ Object-specific Options (see above): >> ['add', >> 'delete', >> 'deleteall', >> + 'dontaudit=', >> 'equal=', >> 'ftype=', >> 'file', >> @@ -259,6 +265,9 @@ Object-specific Options (see above): >> if o == "-F" or o == "--file": >> use_file = True >> >> + if o == "--dontaudit": >> + dontaudit = not int(a) >> + >> if o == "-h" or o == "--help": >> raise ValueError(_("%s bad option") % o) >> >> @@ -331,6 +340,9 @@ Object-specific Options (see above): >> >> if object == "boolean": >> OBJECT = seobject.booleanRecords(store) >> + >> + if object == "module": >> + OBJECT = seobject.moduleRecords(store) >> >> if object == "translation": >> OBJECT = seobject.setransRecords() >> @@ -349,6 +361,13 @@ Object-specific Options (see above): >> OBJECT.deleteall() >> return >> >> + if dontaudit != "": >> + if object == "module": >> + OBJECT.dontaudit(dontaudit) >> + else: >> + raise ValueError(_("%s bad option") % o) >> + return >> + >> if len(cmds) != 1: >> raise ValueError(_("%s bad option") % o) >> >> @@ -370,6 +389,9 @@ Object-specific Options (see above): >> if object == "interface": >> OBJECT.add(target, serange, setype) >> >> + if object == "module": >> + OBJECT.add(target) >> + >> if object == "node": >> OBJECT.add(target, mask, proto, serange, setype) >> >> @@ -397,6 +419,9 @@ Object-specific Options (see above): >> rlist = roles.split() >> OBJECT.modify(target, rlist, selevel, serange, prefix) >> >> + if object == "module": >> + OBJECT.modify(target) >> + >> if object == "port": >> OBJECT.modify(target, proto, serange, setype) >> >> diff --git a/policycoreutils/semanage/semanage.8 >> b/policycoreutils/semanage/semanage.8 >> index 31e98c7..56208d8 100644 >> --- a/policycoreutils/semanage/semanage.8 >> +++ b/policycoreutils/semanage/semanage.8 
>> @@ -21,6 +21,8 @@ semanage \- SELinux Policy Management tool >> .br >> .B semanage permissive \-{a|d} type >> .br >> +.B semanage module \-{a|d} policy_package >> +.br >> .B semanage translation \-{a|d|m} [\-T] level >> .P >> >> diff --git a/policycoreutils/semanage/seobject.py >> b/policycoreutils/semanage/seobject.py >> index 94bdf7f..7f911a9 100644 >> --- a/policycoreutils/semanage/seobject.py >> +++ b/policycoreutils/semanage/seobject.py 
>> @@ -314,6 +314,49 @@ class semanageRecords: >> self.transaction = False >> self.commit() >> >> +class moduleRecords(semanageRecords): >> + def __init__(self, store): >> + semanageRecords.__init__(self, store) >> + >> + def get_all(self): >> + l = [] >> + (rc, mlist, number) = semanage_module_list(self.sh) >> + if rc < 0: >> + raise ValueError(_("Could not list SELinux modules")) >> + >> + for i in range(number): >> + mod = semanage_module_list_nth(mlist, i) >> + name = semanage_module_get_name(mod) >> + l.append(name) >> + return l >> + >> + def dontaudit(self, dontaudit = 0): >> + self.begin() >> + rc = semanage_set_disable_dontaudit(self.sh, dontaudit) >> + self.commit() >> + rc = semanage_reload_policy(self.sh) >> + >> + def list(self, heading = 1, locallist = 0): >> + if heading: >> + print "\n%-25s\n" % (_("Modules")) >> + for t in self.get_all(): >> + print t >> + >> + def add(self, modules): >> + import glob >> + for m in modules.split(): >> + rc = semanage_module_install_file(self.sh, m); >> + if rc >= 0: >> + self.commit() >> + > Why import glob here? It doesn't look like you use it. > >> + def delete(self, modules): >> + for m in modules.split(): >> + rc = semanage_module_remove(self.sh, m) >> + if rc < 0: >> + raise ValueError(_("Could not remove module %s >> (remove failed)") % name) >> + >> + self.commit() >> + >> class permissiveRecords(semanageRecords): >> def __init__(self, store): >> semanageRecords.__init__(self, store) > > Other than that, I have no problem with the code in the patch. The bigger > problem with this is that it's still incomplete at this point. There's still > no support for: > - base modules > - build (without changing anything) > - reload (without changing anything) > - module version number in listing > - install/upgrade distinction (though I'm perfectly fine with ditching this) > > I'm not comfortable merging this before at least base modules are supported. 
> Having an additional tool that doesn't meet the basic requirements for users > will just lead to confusion. > > Thanks, > Chad > > > > -- > This message was distributed to subscribers of the selinux mailing list. > If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with > the words "unsubscribe selinux" without quotes as the message. > > Yes dontaudit should only be for the modules command. -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: Patch to semanage 2009-08-18 21:35 ` Daniel J Walsh @ 2009-08-18 21:41 ` Chad Sellers 2009-08-18 22:09 ` Daniel J Walsh 0 siblings, 1 reply; 17+ messages in thread From: Chad Sellers @ 2009-08-18 21:41 UTC (permalink / raw) To: Daniel J Walsh; +Cc: SE Linux On 8/18/09 5:35 PM, "Daniel J Walsh" <dwalsh@redhat.com> wrote: > On 08/17/2009 05:45 PM, Chad Sellers wrote: >> On 7/17/09 6:10 AM, "Daniel J Walsh" <dwalsh@redhat.com> wrote: >> >>> Ok lets try the patch again. >>> >>> Added equal patch (spelled correctly.) >>> Beginning to add modules support to consolidate on one management command. >>> Eventually replace semodule/setsebool with semanage command. >>> Some white space fixing in seobject.py >> >> As I said previously, I've split this patch into the 3 separate patches >> (whitespace, equal, modules) for review purposes, as it was too difficult to >> get through with the 3 different patches interspersed. Please try to split >> up functional patches in the future. >> >> This message will apply to the modules patch only. >> >>> diff --git a/policycoreutils/semanage/semanage >>> b/policycoreutils/semanage/semanage >>> index 1688d85..072453d 100644 >>> --- a/policycoreutils/semanage/semanage >>> +++ b/policycoreutils/semanage/semanage >>> @@ -44,7 +44,7 @@ if __name__ == '__main__': >>> text = _(""" >>> semanage [ -S store ] -i [ input_file | - ] >>> >>> -semanage {boolean|login|user|port|interface|node|fcontext|translation} >>> -{l|D} >>> [-n] >>> +semanage >>> {module,boolean|login|user|port|interface|node|fcontext|translation} >>> -{l|D} [-n] >>> semanage login -{a|d|m} [-sr] login_name | %groupname >>> semanage user -{a|d|m} [-LrRP] selinux_name >>> semanage port -{a|d|m} [-tr] [ -p proto ] port | port_range 
>>> @@ -53,7 +53,8 @@ semanage node -{a|d|m} [-tr] [ -p protocol ] [-M netmask] >>> addr >>> semanage fcontext -{a|d|m} [-frst] [-e path ] file_spec >>> semanage translation -{a|d|m} [-T] level >>> semanage boolean -{d|m} [--on|--off|-1|-0] -F boolean | boolean_file >>> -semanage permissive -{d|a} type >>> +semanage permissive -{a|d} type >>> +semanage module -{a|d|} module >>> >>> Primary Options: >>> >>> @@ -68,6 +69,7 @@ Primary Options: >>> -h, --help Display this message >>> -n, --noheading Do not print heading when listing OBJECTS >>> -S, --store Select and alternate SELinux store to manage >>> + --dontaudit Turn on or off dontaudit rules >>> >> Need to specify that this takes an integer argument (1 or 0) here. Also, >> need to specify which command this is valid for, which appears to be the >> module command. Why is this an option for the module command? It doesn't >> seem to have anything to do with a particular module. Should this just be >> its own command? >> > I think it should be just for the modules command. Care to explain why? As your usage above shows, the module command is for adding or deleting modules. This functionality has nothing to do with that. --dontaudit is for specifying globally that dontaudit's should be turned on/off. It's not an option that modifies the behavior of adding or deleting a module, it's a completely separate thing. Thanks, Chad -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: Patch to semanage 2009-08-18 21:41 ` Chad Sellers @ 2009-08-18 22:09 ` Daniel J Walsh 2009-08-19 13:53 ` Joshua Brindle 0 siblings, 1 reply; 17+ messages in thread From: Daniel J Walsh @ 2009-08-18 22:09 UTC (permalink / raw) To: Chad Sellers; +Cc: SE Linux On 08/18/2009 05:41 PM, Chad Sellers wrote: > On 8/18/09 5:35 PM, "Daniel J Walsh" <dwalsh@redhat.com> wrote: > >> On 08/17/2009 05:45 PM, Chad Sellers wrote: >>> On 7/17/09 6:10 AM, "Daniel J Walsh" <dwalsh@redhat.com> wrote: >>> >>>> Ok lets try the patch again. >>>> >>>> Added equal patch (spelled correctly.) >>>> Beginning to add modules support to consolidate on one management command. >>>> Eventually replace semodule/setsebool with semanage command. >>>> Some white space fixing in seobject.py >>> >>> As I said previously, I've split this patch into the 3 separate patches >>> (whitespace, equal, modules) for review purposes, as it was too difficult to >>> get through with the 3 different patches interspersed. Please try to split >>> up functional patches in the future. >>> >>> This message will apply to the modules patch only. >>> >>>> diff --git a/policycoreutils/semanage/semanage >>>> b/policycoreutils/semanage/semanage >>>> index 1688d85..072453d 100644 >>>> --- a/policycoreutils/semanage/semanage >>>> +++ b/policycoreutils/semanage/semanage >>>> @@ -44,7 +44,7 @@ if __name__ == '__main__': >>>> text = _(""" >>>> semanage [ -S store ] -i [ input_file | - ] >>>> >>>> -semanage {boolean|login|user|port|interface|node|fcontext|translation} >>>> -{l|D} >>>> [-n] >>>> +semanage >>>> {module,boolean|login|user|port|interface|node|fcontext|translation} >>>> -{l|D} [-n] >>>> semanage login -{a|d|m} [-sr] login_name | %groupname >>>> semanage user -{a|d|m} [-LrRP] selinux_name >>>> semanage port -{a|d|m} [-tr] [ -p proto ] port | port_range 
>>>> @@ -53,7 +53,8 @@ semanage node -{a|d|m} [-tr] [ -p protocol ] [-M netmask] >>>> addr >>>> semanage fcontext -{a|d|m} [-frst] [-e path ] file_spec >>>> semanage translation -{a|d|m} [-T] level >>>> semanage boolean -{d|m} [--on|--off|-1|-0] -F boolean | boolean_file >>>> -semanage permissive -{d|a} type >>>> +semanage permissive -{a|d} type >>>> +semanage module -{a|d|} module >>>> >>>> Primary Options: 
>>>> >>>> @@ -68,6 +69,7 @@ Primary Options: >>>> -h, --help Display this message >>>> -n, --noheading Do not print heading when listing OBJECTS >>>> -S, --store Select and alternate SELinux store to manage >>>> + --dontaudit Turn on or off dontaudit rules >>>> >>> Need to specify that this takes an integer argument (1 or 0) here. Also, >>> need to specify which command this is valid for, which appears to be the >>> module command. Why is this an option for the module command? It doesn't >>> seem to have anything to do with a particular module. Should this just be >>> its own command? >>> >> I think it should be just for the modules command. > > Care to explain why? As your usage above shows, the module command is for > adding or deleting modules. This functionality has nothing to do with that. > --dontaudit is for specifying globally that dontaudit's should be turned > on/off. It's not an option that modifies the behavior of adding or deleting > a module, it's a completely separate thing. > No I don't care to explain why, now that you shot down my idea. :^) I guess it should be a separate command What do you think of. semanage dontaudit -a semanage dontaudit -d > Thanks, > Chad > > > -- > This message was distributed to subscribers of the selinux mailing list. > If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with > the words "unsubscribe selinux" without quotes as the message. > > -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: Patch to semanage 2009-08-18 22:09 ` Daniel J Walsh @ 2009-08-19 13:53 ` Joshua Brindle 2009-08-19 19:20 ` Daniel J Walsh 0 siblings, 1 reply; 17+ messages in thread From: Joshua Brindle @ 2009-08-19 13:53 UTC (permalink / raw) To: Daniel J Walsh; +Cc: Chad Sellers, SE Linux Daniel J Walsh wrote: > On 08/18/2009 05:41 PM, Chad Sellers wrote: >> On 8/18/09 5:35 PM, "Daniel J Walsh"<dwalsh@redhat.com> wrote: >> >>> On 08/17/2009 05:45 PM, Chad Sellers wrote: >>>> On 7/17/09 6:10 AM, "Daniel J Walsh"<dwalsh@redhat.com> wrote: >>>> >>>>> Ok lets try the patch again. >>>>> >>>>> Added equal patch (spelled correctly.) >>>>> Beginning to add modules support to consolidate on one management command. >>>>> Eventually replace semodule/setsebool with semanage command. >>>>> Some white space fixing in seobject.py >>>> As I said previously, I've split this patch into the 3 separate patches >>>> (whitespace, equal, modules) for review purposes, as it was too difficult to >>>> get through with the 3 different patches interspersed. Please try to split >>>> up functional patches in the future. >>>> >>>> This message will apply to the modules patch only. >>>> >>>>> diff --git a/policycoreutils/semanage/semanage >>>>> b/policycoreutils/semanage/semanage >>>>> index 1688d85..072453d 100644 >>>>> --- a/policycoreutils/semanage/semanage >>>>> +++ b/policycoreutils/semanage/semanage >>>>> @@ -44,7 +44,7 @@ if __name__ == '__main__': >>>>> text = _(""" >>>>> semanage [ -S store ] -i [ input_file | - ] >>>>> >>>>> -semanage {boolean|login|user|port|interface|node|fcontext|translation} >>>>> -{l|D} >>>>> [-n] >>>>> +semanage >>>>> {module,boolean|login|user|port|interface|node|fcontext|translation} >>>>> -{l|D} [-n] >>>>> semanage login -{a|d|m} [-sr] login_name | %groupname >>>>> semanage user -{a|d|m} [-LrRP] selinux_name >>>>> semanage port -{a|d|m} [-tr] [ -p proto ] port | port_range 
>>>>> @@ -53,7 +53,8 @@ semanage node -{a|d|m} [-tr] [ -p protocol ] [-M netmask] >>>>> addr >>>>> semanage fcontext -{a|d|m} [-frst] [-e path ] file_spec >>>>> semanage translation -{a|d|m} [-T] level >>>>> semanage boolean -{d|m} [--on|--off|-1|-0] -F boolean | boolean_file >>>>> -semanage permissive -{d|a} type >>>>> +semanage permissive -{a|d} type >>>>> +semanage module -{a|d|} module >>>>> >>>>> Primary Options: 
>>>>> >>>>> @@ -68,6 +69,7 @@ Primary Options: >>>>> -h, --help Display this message >>>>> -n, --noheading Do not print heading when listing OBJECTS >>>>> -S, --store Select and alternate SELinux store to manage >>>>> + --dontaudit Turn on or off dontaudit rules >>>>> >>>> Need to specify that this takes an integer argument (1 or 0) here. Also, >>>> need to specify which command this is valid for, which appears to be the >>>> module command. Why is this an option for the module command? It doesn't >>>> seem to have anything to do with a particular module. Should this just be >>>> its own command? >>>> >>> I think it should be just for the modules command. >> Care to explain why? As your usage above shows, the module command is for >> adding or deleting modules. This functionality has nothing to do with that. >> --dontaudit is for specifying globally that dontaudit's should be turned >> on/off. It's not an option that modifies the behavior of adding or deleting >> a module, it's a completely separate thing. >> > No I don't care to explain why, now that you shot down my idea. :^) > > I guess it should be a separate command > > What do you think of. > > semanage dontaudit -a > semanage dontaudit -d > I like it being a separate command since it really is a global thing but the syntax above seems very confusing. Can we depart from the add/remove paradigm for this one and use something more appropriate, like on/off, enable/disable, audit/dontaudit, or something similar? -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: Patch to semanage 2009-08-19 13:53 ` Joshua Brindle @ 2009-08-19 19:20 ` Daniel J Walsh 2009-08-19 19:35 ` Chad Sellers 0 siblings, 1 reply; 17+ messages in thread From: Daniel J Walsh @ 2009-08-19 19:20 UTC (permalink / raw) To: Joshua Brindle; +Cc: Chad Sellers, SE Linux On 08/19/2009 09:53 AM, Joshua Brindle wrote: > Daniel J Walsh wrote: >> On 08/18/2009 05:41 PM, Chad Sellers wrote: >>> On 8/18/09 5:35 PM, "Daniel J Walsh"<dwalsh@redhat.com> wrote: >>> >>>> On 08/17/2009 05:45 PM, Chad Sellers wrote: >>>>> On 7/17/09 6:10 AM, "Daniel J Walsh"<dwalsh@redhat.com> wrote: >>>>> >>>>>> Ok lets try the patch again. >>>>>> >>>>>> Added equal patch (spelled correctly.) >>>>>> Beginning to add modules support to consolidate on one management >>>>>> command. >>>>>> Eventually replace semodule/setsebool with semanage command. >>>>>> Some white space fixing in seobject.py >>>>> As I said previously, I've split this patch into the 3 separate >>>>> patches >>>>> (whitespace, equal, modules) for review purposes, as it was too >>>>> difficult to >>>>> get through with the 3 different patches interspersed. Please try >>>>> to split >>>>> up functional patches in the future. >>>>> >>>>> This message will apply to the modules patch only. >>>>> >>>>>> diff --git a/policycoreutils/semanage/semanage >>>>>> b/policycoreutils/semanage/semanage >>>>>> index 1688d85..072453d 100644 >>>>>> --- a/policycoreutils/semanage/semanage >>>>>> +++ b/policycoreutils/semanage/semanage 
>>>>>> @@ -44,7 +44,7 @@ if __name__ == '__main__': >>>>>> text = _(""" >>>>>> semanage [ -S store ] -i [ input_file | - ] >>>>>> >>>>>> -semanage >>>>>> {boolean|login|user|port|interface|node|fcontext|translation} >>>>>> -{l|D} >>>>>> [-n] >>>>>> +semanage >>>>>> {module,boolean|login|user|port|interface|node|fcontext|translation} >>>>>> -{l|D} [-n] >>>>>> semanage login -{a|d|m} [-sr] login_name | %groupname >>>>>> semanage user -{a|d|m} [-LrRP] selinux_name >>>>>> semanage port -{a|d|m} [-tr] [ -p proto ] port | port_range >>>>>> @@ -53,7 +53,8 @@ semanage node -{a|d|m} [-tr] [ -p protocol ] [-M >>>>>> netmask] >>>>>> addr >>>>>> semanage fcontext -{a|d|m} [-frst] [-e path ] file_spec >>>>>> semanage translation -{a|d|m} [-T] level >>>>>> semanage boolean -{d|m} [--on|--off|-1|-0] -F boolean | >>>>>> boolean_file >>>>>> -semanage permissive -{d|a} type >>>>>> +semanage permissive -{a|d} type >>>>>> +semanage module -{a|d|} module >>>>>> >>>>>> Primary Options: >>>>>> 
>>>>>> @@ -68,6 +69,7 @@ Primary Options: >>>>>> -h, --help Display this message >>>>>> -n, --noheading Do not print heading when listing OBJECTS >>>>>> -S, --store Select and alternate SELinux store to >>>>>> manage >>>>>> + --dontaudit Turn on or off dontaudit rules >>>>>> >>>>> Need to specify that this takes an integer argument (1 or 0) here. >>>>> Also, >>>>> need to specify which command this is valid for, which appears to >>>>> be the >>>>> module command. Why is this an option for the module command? It >>>>> doesn't >>>>> seem to have anything to do with a particular module. Should this >>>>> just be >>>>> its own command? >>>>> >>>> I think it should be just for the modules command. >>> Care to explain why? As your usage above shows, the module command is >>> for >>> adding or deleting modules. This functionality has nothing to do with >>> that. >>> --dontaudit is for specifying globally that dontaudit's should be turned >>> on/off. It's not an option that modifies the behavior of adding or >>> deleting >>> a module, it's a completely separate thing. >>> >> No I don't care to explain why, now that you shot down my idea. :^) >> >> I guess it should be a separate command >> >> What do you think of. >> >> semanage dontaudit -a >> semanage dontaudit -d >> > > I like it being a separate command since it really is a global thing but > the syntax above seems very confusing. Can we depart from the add/remove > paradigm for this one and use something more appropriate, like on/off, > enable/disable, audit/dontaudit, or something similar? > > > -- > This message was distributed to subscribers of the selinux mailing list. > If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov > with > the words "unsubscribe selinux" without quotes as the message. > > semanage dontaudit on semanage dontaudit off -- This message was distributed to subscribers of the selinux mailing list. 
* Re: Patch to semanage 2009-08-19 19:20 ` Daniel J Walsh @ 2009-08-19 19:35 ` Chad Sellers 2009-08-19 20:21 ` Daniel J Walsh 0 siblings, 1 reply; 17+ messages in thread From: Chad Sellers @ 2009-08-19 19:35 UTC (permalink / raw) To: Daniel J Walsh, Joshua Brindle; +Cc: SE Linux On 8/19/09 3:20 PM, "Daniel J Walsh" <dwalsh@redhat.com> wrote: > On 08/19/2009 09:53 AM, Joshua Brindle wrote: >> Daniel J Walsh wrote: >>> On 08/18/2009 05:41 PM, Chad Sellers wrote: >>>> On 8/18/09 5:35 PM, "Daniel J Walsh"<dwalsh@redhat.com> wrote: >>>> >>>>> On 08/17/2009 05:45 PM, Chad Sellers wrote: >>>>>> On 7/17/09 6:10 AM, "Daniel J Walsh"<dwalsh@redhat.com> wrote: >>>>>> >>>>>>> Ok lets try the patch again. >>>>>>> >>>>>>> Added equal patch (spelled correctly.) >>>>>>> Beginning to add modules support to consolidate on one management >>>>>>> command. >>>>>>> Eventually replace semodule/setsebool with semanage command. >>>>>>> Some white space fixing in seobject.py >>>>>> As I said previously, I've split this patch into the 3 separate >>>>>> patches >>>>>> (whitespace, equal, modules) for review purposes, as it was too >>>>>> difficult to >>>>>> get through with the 3 different patches interspersed. Please try >>>>>> to split >>>>>> up functional patches in the future. >>>>>> >>>>>> This message will apply to the modules patch only. >>>>>> >>>>>>> diff --git a/policycoreutils/semanage/semanage >>>>>>> b/policycoreutils/semanage/semanage >>>>>>> index 1688d85..072453d 100644 >>>>>>> --- a/policycoreutils/semanage/semanage >>>>>>> +++ b/policycoreutils/semanage/semanage 
>>>>>>> @@ -44,7 +44,7 @@ if __name__ == '__main__': >>>>>>> text = _(""" >>>>>>> semanage [ -S store ] -i [ input_file | - ] >>>>>>> >>>>>>> -semanage >>>>>>> {boolean|login|user|port|interface|node|fcontext|translation} >>>>>>> -{l|D} >>>>>>> [-n] >>>>>>> +semanage >>>>>>> {module,boolean|login|user|port|interface|node|fcontext|translation} >>>>>>> -{l|D} [-n] >>>>>>> semanage login -{a|d|m} [-sr] login_name | %groupname >>>>>>> semanage user -{a|d|m} [-LrRP] selinux_name >>>>>>> semanage port -{a|d|m} [-tr] [ -p proto ] port | port_range >>>>>>> @@ -53,7 +53,8 @@ semanage node -{a|d|m} [-tr] [ -p protocol ] [-M >>>>>>> netmask] >>>>>>> addr >>>>>>> semanage fcontext -{a|d|m} [-frst] [-e path ] file_spec >>>>>>> semanage translation -{a|d|m} [-T] level >>>>>>> semanage boolean -{d|m} [--on|--off|-1|-0] -F boolean | >>>>>>> boolean_file >>>>>>> -semanage permissive -{d|a} type >>>>>>> +semanage permissive -{a|d} type >>>>>>> +semanage module -{a|d|} module >>>>>>> >>>>>>> Primary Options: >>>>>>> 
>>>>>>> @@ -68,6 +69,7 @@ Primary Options: >>>>>>> -h, --help Display this message >>>>>>> -n, --noheading Do not print heading when listing OBJECTS >>>>>>> -S, --store Select and alternate SELinux store to >>>>>>> manage >>>>>>> + --dontaudit Turn on or off dontaudit rules >>>>>>> >>>>>> Need to specify that this takes an integer argument (1 or 0) here. >>>>>> Also, >>>>>> need to specify which command this is valid for, which appears to >>>>>> be the >>>>>> module command. Why is this an option for the module command? It >>>>>> doesn't >>>>>> seem to have anything to do with a particular module. Should this >>>>>> just be >>>>>> its own command? >>>>>> >>>>> I think it should be just for the modules command. >>>> Care to explain why? As your usage above shows, the module command is >>>> for >>>> adding or deleting modules. This functionality has nothing to do with >>>> that. >>>> --dontaudit is for specifying globally that dontaudit's should be turned >>>> on/off. It's not an option that modifies the behavior of adding or >>>> deleting >>>> a module, it's a completely separate thing. >>>> >>> No I don't care to explain why, now that you shot down my idea. :^) >>> >>> I guess it should be a separate command >>> >>> What do you think of. >>> >>> semanage dontaudit -a >>> semanage dontaudit -d >>> >> >> I like it being a separate command since it really is a global thing but >> the syntax above seems very confusing. Can we depart from the add/remove >> paradigm for this one and use something more appropriate, like on/off, >> enable/disable, audit/dontaudit, or something similar? >> >> >> -- >> This message was distributed to subscribers of the selinux mailing list. >> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov >> with >> the words "unsubscribe selinux" without quotes as the message. >> >> > > semanage dontaudit on > semanage dontaudit off Sounds great to me. 
Chad -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: Patch to semanage 2009-08-19 19:35 ` Chad Sellers @ 2009-08-19 20:21 ` Daniel J Walsh 2009-08-27 20:48 ` Chad Sellers 0 siblings, 1 reply; 17+ messages in thread From: Daniel J Walsh @ 2009-08-19 20:21 UTC (permalink / raw) To: Chad Sellers; +Cc: Joshua Brindle, SE Linux [-- Attachment #1: Type: text/plain, Size: 4513 bytes --] On 08/19/2009 03:35 PM, Chad Sellers wrote: > On 8/19/09 3:20 PM, "Daniel J Walsh" <dwalsh@redhat.com> wrote: > >> On 08/19/2009 09:53 AM, Joshua Brindle wrote: >>> Daniel J Walsh wrote: >>>> On 08/18/2009 05:41 PM, Chad Sellers wrote: >>>>> On 8/18/09 5:35 PM, "Daniel J Walsh"<dwalsh@redhat.com> wrote: >>>>> >>>>>> On 08/17/2009 05:45 PM, Chad Sellers wrote: >>>>>>> On 7/17/09 6:10 AM, "Daniel J Walsh"<dwalsh@redhat.com> wrote: >>>>>>> >>>>>>>> Ok lets try the patch again. >>>>>>>> >>>>>>>> Added equal patch (spelled correctly.) >>>>>>>> Beginning to add modules support to consolidate on one management >>>>>>>> command. >>>>>>>> Eventually replace semodule/setsebool with semanage command. >>>>>>>> Some white space fixing in seobject.py >>>>>>> As I said previously, I've split this patch into the 3 separate >>>>>>> patches >>>>>>> (whitespace, equal, modules) for review purposes, as it was too >>>>>>> difficult to >>>>>>> get through with the 3 different patches interspersed. Please try >>>>>>> to split >>>>>>> up functional patches in the future. >>>>>>> >>>>>>> This message will apply to the modules patch only. >>>>>>> >>>>>>>> diff --git a/policycoreutils/semanage/semanage >>>>>>>> b/policycoreutils/semanage/semanage >>>>>>>> index 1688d85..072453d 100644 >>>>>>>> --- a/policycoreutils/semanage/semanage >>>>>>>> +++ b/policycoreutils/semanage/semanage 
>>>>>>>> @@ -44,7 +44,7 @@ if __name__ == '__main__': >>>>>>>> text = _(""" >>>>>>>> semanage [ -S store ] -i [ input_file | - ] >>>>>>>> >>>>>>>> -semanage >>>>>>>> {boolean|login|user|port|interface|node|fcontext|translation} >>>>>>>> -{l|D} >>>>>>>> [-n] >>>>>>>> +semanage >>>>>>>> {module,boolean|login|user|port|interface|node|fcontext|translation} >>>>>>>> -{l|D} [-n] >>>>>>>> semanage login -{a|d|m} [-sr] login_name | %groupname >>>>>>>> semanage user -{a|d|m} [-LrRP] selinux_name >>>>>>>> semanage port -{a|d|m} [-tr] [ -p proto ] port | port_range >>>>>>>> @@ -53,7 +53,8 @@ semanage node -{a|d|m} [-tr] [ -p protocol ] [-M >>>>>>>> netmask] >>>>>>>> addr >>>>>>>> semanage fcontext -{a|d|m} [-frst] [-e path ] file_spec >>>>>>>> semanage translation -{a|d|m} [-T] level >>>>>>>> semanage boolean -{d|m} [--on|--off|-1|-0] -F boolean | >>>>>>>> boolean_file >>>>>>>> -semanage permissive -{d|a} type >>>>>>>> +semanage permissive -{a|d} type >>>>>>>> +semanage module -{a|d|} module >>>>>>>> >>>>>>>> Primary Options: >>>>>>>> 
>>>>>>>> @@ -68,6 +69,7 @@ Primary Options: >>>>>>>> -h, --help Display this message >>>>>>>> -n, --noheading Do not print heading when listing OBJECTS >>>>>>>> -S, --store Select and alternate SELinux store to >>>>>>>> manage >>>>>>>> + --dontaudit Turn on or off dontaudit rules >>>>>>>> >>>>>>> Need to specify that this takes an integer argument (1 or 0) here. >>>>>>> Also, >>>>>>> need to specify which command this is valid for, which appears to >>>>>>> be the >>>>>>> module command. Why is this an option for the module command? It >>>>>>> doesn't >>>>>>> seem to have anything to do with a particular module. Should this >>>>>>> just be >>>>>>> its own command? >>>>>>> >>>>>> I think it should be just for the modules command. >>>>> Care to explain why? As your usage above shows, the module command is >>>>> for >>>>> adding or deleting modules. This functionality has nothing to do with >>>>> that. >>>>> --dontaudit is for specifying globally that dontaudit's should be turned >>>>> on/off. It's not an option that modifies the behavior of adding or >>>>> deleting >>>>> a module, it's a completely separate thing. >>>>> >>>> No I don't care to explain why, now that you shot down my idea. :^) >>>> >>>> I guess it should be a separate command >>>> >>>> What do you think of. >>>> >>>> semanage dontaudit -a >>>> semanage dontaudit -d >>>> >>> >>> I like it being a separate command since it really is a global thing but >>> the syntax above seems very confusing. Can we depart from the add/remove >>> paradigm for this one and use something more appropriate, like on/off, >>> enable/disable, audit/dontaudit, or something similar? >>> >>> >>> -- >>> This message was distributed to subscribers of the selinux mailing list. >>> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov >>> with >>> the words "unsubscribe selinux" without quotes as the message. >>> >>> >> >> semanage dontaudit on >> semanage dontaudit off > > Sounds great to me. 
> > Chad > How about this patch. [-- Attachment #2: policycoreutils-dontaudit.patch --] [-- Type: text/plain, Size: 2984 bytes --] diff --git a/policycoreutils/semanage/semanage b/policycoreutils/semanage/semanage index c4c957c..2285489 100644 --- a/policycoreutils/semanage/semanage +++ b/policycoreutils/semanage/semanage @@ -54,6 +54,7 @@ semanage fcontext -{a|d|m} [-frst] file_spec semanage translation -{a|d|m} [-T] level semanage boolean -{d|m} [--on|--off|-1|-0] -F boolean | boolean_file semanage permissive -{d|a} type +semanage dontaudit [ on | off ] Primary Options: @@ -116,6 +117,7 @@ Object-specific Options (see above): valid_option["node"] += valid_everyone + [ '-M', '--mask', '-t', '--type', '-r', '--range', '-p', '--protocol'] valid_option["fcontext"] = [] valid_option["fcontext"] += valid_everyone + [ '-f', '--ftype', '-s', '--seuser', '-t', '--type', '-r', '--range'] + valid_option["dontaudit"] = [ '-S', '--store' ] valid_option["translation"] = [] valid_option["translation"] += valid_everyone + [ '-T', '--trans' ] valid_option["boolean"] = [] @@ -346,6 +348,12 @@ Object-specific Options (see above): target = cmds[0] + + if object == "dontaudit": + OBJECT = seobject.dontauditClass(store) + OBJECT.toggle(target) + return + if add: if object == "login": OBJECT.add(target, seuser, serange) diff --git a/policycoreutils/semanage/semanage.8 b/policycoreutils/semanage/semanage.8 index d0726cf..d83e94e 100644 --- a/policycoreutils/semanage/semanage.8 +++ b/policycoreutils/semanage/semanage.8 @@ -21,6 +21,8 @@ semanage \- SELinux Policy Management tool .br .B semanage permissive \-{a|d} type .br +.B semanage dontaudit [ on | off ] +.br .B semanage translation \-{a|d|m} [\-T] level .P @@ -117,6 +119,8 @@ $ semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?" $ semanage port -a -t http_port_t -p tcp 81 # Change apache to a permissive domain $ semanage permissive -a httpd_t +# Turn off dontaudit rules +$ semanage dontaudit off .fi .SH "AUTHOR" 
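Review bot: The usage line `semanage dontaudit [ on | off ]` presents the argument as optional, yet everywhere else in this text square brackets mean optional (`[-n]`, `[ -p proto ]`) and the `toggle()` method in the seobject.py part of this patch rejects anything other than `on` or `off`; it should be written `semanage dontaudit {on|off}` to match `-{a|d}` style used for the other required choices. The same bracketed form is repeated in the semanage.8 hunk and should be changed together with it.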
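Review bot: `valid_option["dontaudit"] = [ '-S', '--store' ]` is the only entry in this table that does not start from `valid_everyone`, so whatever options that list carries for every other object (presumably `-h`/`--help`, though its contents are outside the hunk) will be rejected for `dontaudit`; unless that is deliberate, `valid_option["dontaudit"] = valid_everyone + [ '-S', '--store' ]` would keep it consistent, or a comment should say why it differs.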
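Review bot: The new `if object == "dontaudit":` branch runs after `target = cmds[0]`, so when the on/off argument is omitted the command presumably dies with an IndexError on that line rather than reaching the "requires either 'on' or 'off'" ValueError that `toggle()` raises, unless the argument count is validated earlier in the function, which starts outside this hunk. Moving the dontaudit dispatch ahead of the `cmds[0]` read, or checking `len(cmds)` inside the branch and raising the usage error, would give the user a clear message. The early `return` also skips whatever follows the add/delete/modify dispatch in this function; that tail is not visible here, so it is worth confirming nothing there (e.g. a final commit or cleanup) is expected to run for every object.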
diff --git a/policycoreutils/semanage/seobject.py b/policycoreutils/semanage/seobject.py index 20bd205..9c5d2ec 100644 --- a/policycoreutils/semanage/seobject.py +++ b/policycoreutils/semanage/seobject.py @@ -314,6 +314,18 @@ class semanageRecords: self.transaction = False self.commit() +class dontauditClass(semanageRecords): + def __init__(self, store): + semanageRecords.__init__(self, store) + + def toggle(self, dontaudit): + if dontaudit not in [ "on", "off" ]: + raise ValueError(_("dontaudit requires either 'on' or 'off'")) + self.begin() + rc = semanage_set_disable_dontaudit(self.sh, dontaudit == "on") + self.commit() + rc = semanage_reload_policy(self.sh) + class permissiveRecords(semanageRecords): def __init__(self, store): semanageRecords.__init__(self, store) ^ permalink raw reply related [flat|nested] 17+ messages in thread
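Review bot: `dontauditClass` breaks the naming convention of its siblings in this file (`semanageRecords`, `permissiveRecords`, and `moduleRecords` in the earlier patch), and it inherits from `semanageRecords` only to reuse `begin()`/`commit()` for a single global flag rather than a set of records. Either name it to match (`dontauditRecords`) or give the class a docstring that states why it is different, e.g. `"""Toggle the store-wide dontaudit setting; unlike the *Records classes this manages one global flag, not a list of entries."""`. `toggle()` should also document that the change is committed to the store immediately and that it affects every module, since nothing in the signature signals a policy-wide side effect.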
* Re: Patch to semanage 2009-08-19 20:21 ` Daniel J Walsh @ 2009-08-27 20:48 ` Chad Sellers 2009-08-27 21:39 ` Daniel J Walsh 0 siblings, 1 reply; 17+ messages in thread From: Chad Sellers @ 2009-08-27 20:48 UTC (permalink / raw) To: Daniel J Walsh; +Cc: Joshua Brindle, SE Linux On 8/19/09 4:21 PM, "Daniel J Walsh" <dwalsh@redhat.com> wrote: > On 08/19/2009 03:35 PM, Chad Sellers wrote: >> On 8/19/09 3:20 PM, "Daniel J Walsh" <dwalsh@redhat.com> wrote: >> >>> On 08/19/2009 09:53 AM, Joshua Brindle wrote: >>>> Daniel J Walsh wrote: >>>>> On 08/18/2009 05:41 PM, Chad Sellers wrote: >>>>>> On 8/18/09 5:35 PM, "Daniel J Walsh"<dwalsh@redhat.com> wrote: >>>>>> >>>>>>> On 08/17/2009 05:45 PM, Chad Sellers wrote: >>>>>>>> On 7/17/09 6:10 AM, "Daniel J Walsh"<dwalsh@redhat.com> wrote: >>>>>>>> >>>>>>>>> Ok lets try the patch again. >>>>>>>>> >>>>>>>>> Added equal patch (spelled correctly.) >>>>>>>>> Beginning to add modules support to consolidate on one management >>>>>>>>> command. >>>>>>>>> Eventually replace semodule/setsebool with semanage command. >>>>>>>>> Some white space fixing in seobject.py >>>>>>>> As I said previously, I've split this patch into the 3 separate >>>>>>>> patches >>>>>>>> (whitespace, equal, modules) for review purposes, as it was too >>>>>>>> difficult to >>>>>>>> get through with the 3 different patches interspersed. Please try >>>>>>>> to split >>>>>>>> up functional patches in the future. >>>>>>>> >>>>>>>> This message will apply to the modules patch only. >>>>>>>> >>>>>>>>> diff --git a/policycoreutils/semanage/semanage >>>>>>>>> b/policycoreutils/semanage/semanage >>>>>>>>> index 1688d85..072453d 100644 >>>>>>>>> --- a/policycoreutils/semanage/semanage >>>>>>>>> +++ b/policycoreutils/semanage/semanage 
>>>>>>>>> @@ -44,7 +44,7 @@ if __name__ == '__main__': >>>>>>>>> text = _(""" >>>>>>>>> semanage [ -S store ] -i [ input_file | - ] >>>>>>>>> >>>>>>>>> -semanage >>>>>>>>> {boolean|login|user|port|interface|node|fcontext|translation} >>>>>>>>> -{l|D} >>>>>>>>> [-n] >>>>>>>>> +semanage >>>>>>>>> {module,boolean|login|user|port|interface|node|fcontext|translation} >>>>>>>>> -{l|D} [-n] >>>>>>>>> semanage login -{a|d|m} [-sr] login_name | %groupname >>>>>>>>> semanage user -{a|d|m} [-LrRP] selinux_name >>>>>>>>> semanage port -{a|d|m} [-tr] [ -p proto ] port | port_range >>>>>>>>> @@ -53,7 +53,8 @@ semanage node -{a|d|m} [-tr] [ -p protocol ] [-M >>>>>>>>> netmask] >>>>>>>>> addr >>>>>>>>> semanage fcontext -{a|d|m} [-frst] [-e path ] file_spec >>>>>>>>> semanage translation -{a|d|m} [-T] level >>>>>>>>> semanage boolean -{d|m} [--on|--off|-1|-0] -F boolean | >>>>>>>>> boolean_file >>>>>>>>> -semanage permissive -{d|a} type >>>>>>>>> +semanage permissive -{a|d} type >>>>>>>>> +semanage module -{a|d|} module >>>>>>>>> >>>>>>>>> Primary Options: >>>>>>>>> 
>>>>>>>>> @@ -68,6 +69,7 @@ Primary Options: >>>>>>>>> -h, --help Display this message >>>>>>>>> -n, --noheading Do not print heading when listing OBJECTS >>>>>>>>> -S, --store Select and alternate SELinux store to >>>>>>>>> manage >>>>>>>>> + --dontaudit Turn on or off dontaudit rules >>>>>>>>> >>>>>>>> Need to specify that this takes an integer argument (1 or 0) here. >>>>>>>> Also, >>>>>>>> need to specify which command this is valid for, which appears to >>>>>>>> be the >>>>>>>> module command. Why is this an option for the module command? It >>>>>>>> doesn't >>>>>>>> seem to have anything to do with a particular module. Should this >>>>>>>> just be >>>>>>>> its own command? >>>>>>>> >>>>>>> I think it should be just for the modules command. >>>>>> Care to explain why? As your usage above shows, the module command is >>>>>> for >>>>>> adding or deleting modules. This functionality has nothing to do with >>>>>> that. >>>>>> --dontaudit is for specifying globally that dontaudit's should be turned >>>>>> on/off. It's not an option that modifies the behavior of adding or >>>>>> deleting >>>>>> a module, it's a completely separate thing. >>>>>> >>>>> No I don't care to explain why, now that you shot down my idea. :^) >>>>> >>>>> I guess it should be a separate command >>>>> >>>>> What do you think of. >>>>> >>>>> semanage dontaudit -a >>>>> semanage dontaudit -d >>>>> >>>> >>>> I like it being a separate command since it really is a global thing but >>>> the syntax above seems very confusing. Can we depart from the add/remove >>>> paradigm for this one and use something more appropriate, like on/off, >>>> enable/disable, audit/dontaudit, or something similar? >>>> >>>> >>>> -- >>>> This message was distributed to subscribers of the selinux mailing list. >>>> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov >>>> with >>>> the words "unsubscribe selinux" without quotes as the message. 
>>>> >>>> >>> >>> semanage dontaudit on >>> semanage dontaudit off >> >> Sounds great to me. >> >> Chad >> > How about this patch. > It doesn't actually work, but that's primarily due to a problem in libsemanage, rather than here. libsemanage doesn't notice that the disable_dontaudit flag is set so it does not rebuild the policy. semodule got around this by calling semanage_set_rebuild() explicitly, but libsemanage should really notice that this has changed and rebuild appropriately. I'm sending a separate patch to fix libsemanage. There are a couple of issues with this as well, which I've highlighted below. <snip> > diff --git a/policycoreutils/semanage/semanage.8 > b/policycoreutils/semanage/semanage.8 > index d0726cf..d83e94e 100644 > --- a/policycoreutils/semanage/semanage.8 > +++ b/policycoreutils/semanage/semanage.8 > @@ -21,6 +21,8 @@ semanage \- SELinux Policy Management tool > .br > .B semanage permissive \-{a|d} type > .br > +.B semanage dontaudit [ on | off ] > +.br > .B semanage translation \-{a|d|m} [\-T] level > .P > > @@ -117,6 +119,8 @@ $ semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?" > $ semanage port -a -t http_port_t -p tcp 81 > # Change apache to a permissive domain > $ semanage permissive -a httpd_t > +# Turn off dontaudit rules > +$ semanage dontaudit off > .fi > > .SH "AUTHOR" > diff --git a/policycoreutils/semanage/seobject.py > b/policycoreutils/semanage/seobject.py > index 20bd205..9c5d2ec 100644 > --- a/policycoreutils/semanage/seobject.py > +++ b/policycoreutils/semanage/seobject.py 
> @@ -314,6 +314,18 @@ class semanageRecords: > self.transaction = False > self.commit() > > +class dontauditClass(semanageRecords): > + def __init__(self, store): > + semanageRecords.__init__(self, store) > + > + def toggle(self, dontaudit): > + if dontaudit not in [ "on", "off" ]: > + raise ValueError(_("dontaudit requires either 'on' or > 'off'")) > + self.begin() > + rc = semanage_set_disable_dontaudit(self.sh, dontaudit == > "on") This is the opposite logic of what you put in the man page. The man page says dontaudit off means disable_dontaudit. This does the opposite. I think the man page makes more sense than this. Also, there is no return code from semanage_set_disable_dontaudit(). > + self.commit() > + rc = semanage_reload_policy(self.sh) You shouldn't call semanage_reload_policy here, as semanage_commit() will do it. Thanks, Chad -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: Patch to semanage 2009-08-27 20:48 ` Chad Sellers @ 2009-08-27 21:39 ` Daniel J Walsh 2009-08-31 21:24 ` Chad Sellers 0 siblings, 1 reply; 17+ messages in thread From: Daniel J Walsh @ 2009-08-27 21:39 UTC (permalink / raw) To: Chad Sellers; +Cc: Joshua Brindle, SE Linux [-- Attachment #1: Type: text/plain, Size: 51 bytes --] Redone to match man page and remove reload_policy. [-- Attachment #2: policycoreutils-dontaudit.patch --] [-- Type: text/plain, Size: 2932 bytes --] diff --git a/policycoreutils/semanage/semanage b/policycoreutils/semanage/semanage index c4c957c..2285489 100644 --- a/policycoreutils/semanage/semanage +++ b/policycoreutils/semanage/semanage @@ -54,6 +54,7 @@ semanage fcontext -{a|d|m} [-frst] file_spec semanage translation -{a|d|m} [-T] level semanage boolean -{d|m} [--on|--off|-1|-0] -F boolean | boolean_file semanage permissive -{d|a} type +semanage dontaudit [ on | off ] Primary Options: @@ -116,6 +117,7 @@ Object-specific Options (see above): valid_option["node"] += valid_everyone + [ '-M', '--mask', '-t', '--type', '-r', '--range', '-p', '--protocol'] valid_option["fcontext"] = [] valid_option["fcontext"] += valid_everyone + [ '-f', '--ftype', '-s', '--seuser', '-t', '--type', '-r', '--range'] + valid_option["dontaudit"] = [ '-S', '--store' ] valid_option["translation"] = [] valid_option["translation"] += valid_everyone + [ '-T', '--trans' ] valid_option["boolean"] = [] @@ -346,6 +348,12 @@ Object-specific Options (see above): target = cmds[0] + + if object == "dontaudit": + OBJECT = seobject.dontauditClass(store) + OBJECT.toggle(target) + return + if add: if object == "login": OBJECT.add(target, seuser, serange) diff --git a/policycoreutils/semanage/semanage.8 b/policycoreutils/semanage/semanage.8 index d0726cf..d83e94e 100644 --- a/policycoreutils/semanage/semanage.8 +++ b/policycoreutils/semanage/semanage.8 
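Review bot: `valid_option["dontaudit"] = [ '-S', '--store' ]` in the @@ -116 hunk is the only entry in this table that is not built from `valid_everyone`; the surrounding entries (`node`, `fcontext`, `translation`) all start from `valid_everyone + [...]`. If `valid_everyone` is where the common flags from Primary Options (`-h`/`--help`, `-n`/`--noheading`) are accepted, the new command will reject them while every other object accepts them; either build it the same way or add a comment such as `# dontaudit is a global on|off switch: no -a/-d/-m, only the store selector` so the omission reads as deliberate. In the @@ -346 hunk the new branch returns before the `add`/`delete`/`modify` dispatch, so any `-a`/`-d`/`-m` the user passed is silently ignored for `dontaudit`; the same comment would cover that. The enclosing function starts and ends outside both hunks.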
@@ -21,6 +21,8 @@ semanage \- SELinux Policy Management tool .br .B semanage permissive \-{a|d} type .br +.B semanage dontaudit [ on | off ] +.br .B semanage translation \-{a|d|m} [\-T] level .P @@ -117,6 +119,8 @@ $ semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?" $ semanage port -a -t http_port_t -p tcp 81 # Change apache to a permissive domain $ semanage permissive -a httpd_t +# Turn off dontaudit rules +$ semanage dontaudit off .fi .SH "AUTHOR" diff --git a/policycoreutils/semanage/seobject.py b/policycoreutils/semanage/seobject.py index 20bd205..bc329e1 100644 --- a/policycoreutils/semanage/seobject.py +++ b/policycoreutils/semanage/seobject.py @@ -314,6 +314,17 @@ class semanageRecords: self.transaction = False self.commit() +class dontauditClass(semanageRecords): + def __init__(self, store): + semanageRecords.__init__(self, store) + + def toggle(self, dontaudit): + if dontaudit not in [ "on", "off" ]: + raise ValueError(_("dontaudit requires either 'on' or 'off'")) + self.begin() + rc = semanage_set_disable_dontaudit(self.sh, dontaudit == "off") + self.commit() + class permissiveRecords(semanageRecords): def __init__(self, store): semanageRecords.__init__(self, store) ^ permalink raw reply related [flat|nested] 17+ messages in thread
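Review bot: `toggle` in the seobject.py hunk inverts its argument — `dontaudit == "off"` becomes a `disable_dontaudit` of true — and nothing on the new side says so, which invites a later "fix" that flips the comparison back; a docstring such as `"""Turn dontaudit rules "on" or "off" for this store; "off" sets libsemanage's disable_dontaudit flag, after which denials that dontaudit rules normally silence are audited."""` would pin the contract. The usage text added to semanage and the man page both write `[ on | off ]`, whose brackets mean optional, while `toggle` raises ValueError unless exactly one of the two is given; `{ on | off }` describes the command as implemented. The new class sits between `semanageRecords` and `permissiveRecords`, whose bodies lie outside the hunk, so whether `begin()`/`commit()` here need a guard around the libsemanage call cannot be judged from this view.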
* Re: Patch to semanage 2009-08-27 21:39 ` Daniel J Walsh @ 2009-08-31 21:24 ` Chad Sellers 0 siblings, 0 replies; 17+ messages in thread From: Chad Sellers @ 2009-08-31 21:24 UTC (permalink / raw) To: Daniel J Walsh; +Cc: Joshua Brindle, SE Linux On 8/27/09 5:39 PM, "Daniel J Walsh" <dwalsh@redhat.com> wrote: > Redone to match man page and remove reload_policy. Acked-by: Chad Sellers <csellers@tresys.com> -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.