diff -up libselinux-2.0.14/src/selinuxswig.i.rhat libselinux-2.0.14/src/selinuxswig.i
--- libselinux-2.0.14/src/selinuxswig.i.rhat 2007-04-24 10:36:21.000000000 -0400
+++ libselinux-2.0.14/src/selinuxswig.i 2007-09-07 09:21:26.000000000 -0400
@@ -21,6 +21,7 @@
 %module selinux
 %{
 #include "selinux/selinux.h"
+ #include "selinux/get_context_list.h"
 %}
 %apply int *OUTPUT { int * };
 %apply int *OUTPUT { size_t * };
@@ -42,8 +43,12 @@
 %typedef unsigned mode_t;
+%include "../include/selinux/get_context_list.h"
+
 extern int is_selinux_enabled(void);
 extern int is_selinux_mls_enabled(void);
+extern void freecon(security_context_t con);
+extern void freeconary(security_context_t * con);
 extern int getcon(security_context_t *con);
 extern int setcon(security_context_t con);
 extern int getpidcon(int pid, security_context_t *con);
@@ -90,6 +95,11 @@ extern int matchpathcon(const char *path
 mode_t mode, security_context_t *con);
+extern int matchpathcon_init_prefix(const char *path,
+ const char *prefix);
+extern void matchpathcon_fini(void);
+
+
 extern int matchmediacon(const char *media, security_context_t *con);
@@ -106,6 +116,7 @@ extern const char *selinux_file_context_
 extern const char *selinux_homedir_context_path(void);
 extern const char *selinux_media_context_path(void);
 extern const char *selinux_contexts_path(void);
+extern const char *selinux_securetty_types_path(void);
 extern const char *selinux_booleans_path(void);
 extern const char *selinux_customizable_types_path(void);
 extern const char *selinux_users_path(void);
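Review bot: Exporting `freecon` and `freeconary` to Python in hunk `@@ -42,8 +43,12 @@` hands scripts a raw free() over memory they do not own: the `security_context_t` argument arrives through SWIG's `char *` in-typemap, which presumably points into the Python string object or a temporary the wrapper releases itself, so `selinux.freecon(ctx)` would free Python-owned memory, or double-free if the `security_context_t *` out-typemap already frees the C buffer after copying it. If the out-typemaps copy contexts into Python strings and release the C side themselves (confirm against the typemaps outside this hunk), there is nothing for Python callers to free and these two bindings should be dropped, or kept as documented no-ops: `/* freecon/freeconary: contexts handed to Python are already released by the out-typemap; exported only for API completeness */`.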
@@ -113,11 +124,15 @@ extern const char *selinux_usersconf_pat
 extern const char *selinux_translations_path(void);
 extern const char *selinux_netfilter_context_path(void);
 extern const char *selinux_path(void);
-extern int selinux_check_passwd_access(access_vector_t requested);
-extern int checkPasswdAccess(access_vector_t requested);
+#extern int selinux_check_passwd_access(access_vector_t requested);
+#extern int checkPasswdAccess(access_vector_t requested);
+
+extern int selinux_check_securetty_context(security_context_t tty_context);
+void set_selinuxmnt(char *mnt);
+#ifdef SWIGpython
 // This tells SWIG to treat char ** as a special case
-%typemap(python,in) char ** {
+%typemap(in) char ** {
 /* Check if is a list */
 if (PyList_Check($input)) {
 int size = PyList_Size($input);
@@ -143,10 +158,48 @@ extern int checkPasswdAccess(access_vect
 return NULL;
 }
 }
+#endif
-extern int rpm_execcon(unsigned int verified,
- const char *filename,
- char **, char **);
+%typemap(in) char * const [] {
+ int i, size;
+ PyObject * s;
+
+ if (!PySequence_Check($input)) {
+ PyErr_SetString(PyExc_ValueError, "Expected a sequence");
+ return NULL;
+ }
+
+ size = PySequence_Size($input);
+
+ $1 = (char**) malloc(size + 1);
+
+ for(i = 0; i < size; i++) {
+ if (!PyString_Check(PySequence_GetItem($input, i))) {
+ PyErr_SetString(PyExc_ValueError, "Sequence must contain only strings");
+ return NULL;
+ }
+ }
+
+ for(i = 0; i < size; i++) {
+ s = PySequence_GetItem($input, i);
+ $1[i] = (char*) malloc(PyString_Size(s) + 1);
+ strcpy($1[i], PyString_AsString(s));
+ }
+ $1[size] = NULL;
+}
+
+%typemap(freearg,match="in") char * const [] {
+ int i = 0;
+ while($1[i]) {
+ free($1[i]);
+ i++;
+ }
+ free($1);
+}
+
+extern int rpm_execcon(unsigned int verified,
+ const char *filename,
+ char *const argv[], char *const envp[]);
 extern int is_context_customizable (security_context_t scontext);
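Review bot: `void set_selinuxmnt(char *mnt);` in hunk `@@ -113,11 +124,15 @@` binds a setter that, as far as this diff shows, receives the buffer SWIG derives from a Python string; if libselinux's set_selinuxmnt() stores that pointer instead of copying it, the library keeps a reference into a Python object that is freed when the string is collected, and every later selinuxfs lookup reads freed memory — confirm against the implementation, and if it does not copy, give the binding an in-typemap that strdup()s the argument. The two `#extern int selinux_check_passwd_access ...` lines depend on SWIG's preprocessor tolerating an unrecognised `#` directive; deleting them or using `//` is unambiguous. The `%typemap(in) char **` body that this hunk opens continues outside the hunk.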
@@ -164,3 +217,7 @@ extern int selinux_raw_to_trans_context(
 }
 extern int selinux_getpolicytype(char **enforce);
 extern int getseuserbyname(const char *linuxuser, char **seuser, char **level);
+
+int selinux_file_context_cmp(const security_context_t a, const security_context_t b);
+int selinux_file_context_verify(const char *path, mode_t mode);
+int selinux_lsetfilecon_default(const char *path);
diff -up libselinux-2.0.14/src/selinux.py.rhat libselinux-2.0.14/src/selinux.py
--- libselinux-2.0.14/src/selinux.py.rhat 2007-04-24 10:36:20.000000000 -0400
+++ libselinux-2.0.14/src/selinux.py 2007-09-07 09:17:52.000000000 -0400
@@ -48,8 +48,19 @@ except AttributeError:
 del types
+SELINUX_DEFAULTUSER = _selinux.SELINUX_DEFAULTUSER
+get_ordered_context_list = _selinux.get_ordered_context_list
+get_ordered_context_list_with_level = _selinux.get_ordered_context_list_with_level
+get_default_context = _selinux.get_default_context
+get_default_context_with_level = _selinux.get_default_context_with_level
+get_default_context_with_role = _selinux.get_default_context_with_role
+get_default_context_with_rolelevel = _selinux.get_default_context_with_rolelevel
+query_user_context = _selinux.query_user_context
+manual_user_enter_context = _selinux.manual_user_enter_context
 is_selinux_enabled = _selinux.is_selinux_enabled
 is_selinux_mls_enabled = _selinux.is_selinux_mls_enabled
+freecon = _selinux.freecon
+freeconary = _selinux.freeconary
 getcon = _selinux.getcon
 setcon = _selinux.setcon
 getpidcon = _selinux.getpidcon
@@ -88,6 +99,8 @@ MATCHPATHCON_NOTRANS = _selinux.MATCHPAT
 set_matchpathcon_flags = _selinux.set_matchpathcon_flags
 matchpathcon_init = _selinux.matchpathcon_init
 matchpathcon = _selinux.matchpathcon
+matchpathcon_init_prefix = _selinux.matchpathcon_init_prefix
+matchpathcon_fini = _selinux.matchpathcon_fini
 matchmediacon = _selinux.matchmediacon
 selinux_getenforcemode = _selinux.selinux_getenforcemode
 selinux_policy_root = _selinux.selinux_policy_root
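Review bot: The three prototypes added at the end of hunk `@@ -164,3 +217,7 @@` (`selinux_file_context_cmp`, `selinux_file_context_verify`, `selinux_lsetfilecon_default`) omit the `extern` that every other declaration in this interface file carries; SWIG wraps them either way, but the inconsistency reads as an accident rather than a choice. `extern int selinux_file_context_cmp(const security_context_t a, const security_context_t b);` and the two lines after it keep the file uniform.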
@@ -102,6 +115,7 @@ selinux_file_context_local_path = _selin
 selinux_homedir_context_path = _selinux.selinux_homedir_context_path
 selinux_media_context_path = _selinux.selinux_media_context_path
 selinux_contexts_path = _selinux.selinux_contexts_path
+selinux_securetty_types_path = _selinux.selinux_securetty_types_path
 selinux_booleans_path = _selinux.selinux_booleans_path
 selinux_customizable_types_path = _selinux.selinux_customizable_types_path
 selinux_users_path = _selinux.selinux_users_path
@@ -109,13 +123,16 @@ selinux_usersconf_path = _selinu
 selinux_translations_path = _selinux.selinux_translations_path
 selinux_netfilter_context_path = _selinux.selinux_netfilter_context_path
 selinux_path = _selinux.selinux_path
-selinux_check_passwd_access = _selinux.selinux_check_passwd_access
-checkPasswdAccess = _selinux.checkPasswdAccess
+selinux_check_securetty_context = _selinux.selinux_check_securetty_context
+set_selinuxmnt = _selinux.set_selinuxmnt
 rpm_execcon = _selinux.rpm_execcon
 is_context_customizable = _selinux.is_context_customizable
 selinux_trans_to_raw_context = _selinux.selinux_trans_to_raw_context
 selinux_raw_to_trans_context = _selinux.selinux_raw_to_trans_context
 selinux_getpolicytype = _selinux.selinux_getpolicytype
 getseuserbyname = _selinux.getseuserbyname
+selinux_file_context_cmp = _selinux.selinux_file_context_cmp
+selinux_file_context_verify = _selinux.selinux_file_context_verify
+selinux_lsetfilecon_default = _selinux.selinux_lsetfilecon_default
diff -up libselinux-2.0.14/include/selinux/flask.h.rhat libselinux-2.0.14/include/selinux/flask.h
--- libselinux-2.0.14/include/selinux/flask.h.rhat 2007-04-24 10:36:21.000000000 -0400
+++ libselinux-2.0.14/include/selinux/flask.h 2007-09-07 09:17:52.000000000 -0400
@@ -64,6 +64,8 @@
 #define SECCLASS_PACKET 57
 #define SECCLASS_KEY 58
 #define SECCLASS_CONTEXT 59
+#define SECCLASS_DCCP_SOCKET 60
+#define SECCLASS_MEMPROTECT 61
 /*
 * Security identifier indices for initial entities
diff -up libselinux-2.0.14/include/selinux/av_permissions.h.rhat libselinux-2.0.14/include/selinux/av_permissions.h
--- libselinux-2.0.14/include/selinux/av_permissions.h.rhat 2007-04-24 10:36:21.000000000 -0400
+++ libselinux-2.0.14/include/selinux/av_permissions.h 2007-09-07 09:17:52.000000000 -0400
@@ -290,12 +290,16 @@
 #define NODE__RAWIP_RECV 0x00000010UL
 #define NODE__RAWIP_SEND 0x00000020UL
 #define NODE__ENFORCE_DEST 0x00000040UL
+#define NODE__DCCP_RECV 0x00000080UL
+#define NODE__DCCP_SEND 0x00000100UL
 #define NETIF__TCP_RECV 0x00000001UL
 #define NETIF__TCP_SEND 0x00000002UL
 #define NETIF__UDP_RECV 0x00000004UL
 #define NETIF__UDP_SEND 0x00000008UL
 #define NETIF__RAWIP_RECV 0x00000010UL
 #define NETIF__RAWIP_SEND 0x00000020UL
+#define NETIF__DCCP_RECV 0x00000040UL
+#define NETIF__DCCP_SEND 0x00000080UL
 #define NETLINK_SOCKET__IOCTL 0x00000001UL
 #define NETLINK_SOCKET__READ 0x00000002UL
 #define NETLINK_SOCKET__WRITE 0x00000004UL
@@ -837,6 +841,8 @@
 #define NSCD__SHMEMPWD 0x00000020UL
 #define NSCD__SHMEMGRP 0x00000040UL
 #define NSCD__SHMEMHOST 0x00000080UL
+#define NSCD__GETSERV 0x00000100UL
+#define NSCD__SHMEMSERV 0x00000200UL
 #define ASSOCIATION__SENDTO 0x00000001UL
 #define ASSOCIATION__RECVFROM 0x00000002UL
 #define ASSOCIATION__SETCONTEXT 0x00000004UL
@@ -897,3 +903,28 @@
 #define KEY__CREATE 0x00000040UL
 #define CONTEXT__TRANSLATE 0x00000001UL
 #define CONTEXT__CONTAINS 0x00000002UL
+#define DCCP_SOCKET__IOCTL 0x00000001UL
+#define DCCP_SOCKET__READ 0x00000002UL
+#define DCCP_SOCKET__WRITE 0x00000004UL
+#define DCCP_SOCKET__CREATE 0x00000008UL
+#define DCCP_SOCKET__GETATTR 0x00000010UL
+#define DCCP_SOCKET__SETATTR 0x00000020UL
+#define DCCP_SOCKET__LOCK 0x00000040UL
+#define DCCP_SOCKET__RELABELFROM 0x00000080UL
+#define DCCP_SOCKET__RELABELTO 0x00000100UL
+#define DCCP_SOCKET__APPEND 0x00000200UL
+#define DCCP_SOCKET__BIND 0x00000400UL
+#define DCCP_SOCKET__CONNECT 0x00000800UL
+#define DCCP_SOCKET__LISTEN 0x00001000UL
+#define DCCP_SOCKET__ACCEPT 0x00002000UL
+#define DCCP_SOCKET__GETOPT 0x00004000UL
+#define DCCP_SOCKET__SETOPT 0x00008000UL
+#define DCCP_SOCKET__SHUTDOWN 0x00010000UL
+#define DCCP_SOCKET__RECVFROM 0x00020000UL
+#define DCCP_SOCKET__SENDTO 0x00040000UL
+#define DCCP_SOCKET__RECV_MSG 0x00080000UL
+#define DCCP_SOCKET__SEND_MSG 0x00100000UL
+#define DCCP_SOCKET__NAME_BIND 0x00200000UL
+#define DCCP_SOCKET__NODE_BIND 0x00400000UL
+#define DCCP_SOCKET__NAME_CONNECT 0x00800000UL
+#define MEMPROTECT__MMAP_ZERO 0x00000001UL
diff -up libselinux-2.0.14/man/man8/selinux.8.rhat libselinux-2.0.14/man/man8/selinux.8
--- libselinux-2.0.14/man/man8/selinux.8.rhat 2007-04-24 10:36:21.000000000 -0400
+++ libselinux-2.0.14/man/man8/selinux.8 2007-09-07 09:17:52.000000000 -0400
@@ -62,14 +62,13 @@ compile-time tunable options and a set o .B system-config-securitylevel allows customization of these booleans and tunables. -.br Many domains that are protected by SELinux also include selinux man pages explainging how to customize their policy. .SH FILE LABELING All files, directories, devices ... have a security context/label associated with them. These context are stored in the extended attributes of the file system. Problems with SELinux often arise from the file system being mislabeled. This can be caused by booting the machine with a non selinux kernel. If you see an error message containing file_t, that is usually a good indicator that you have a serious problem with file system labeling. -.br + The best way to relabel the file system is to create the flag file /.autorelabel and reboot. system-config-securitylevel, also has this capability. The restorcon/fixfiles commands are also available for relabeling files. .SH AUTHOR diff -up libselinux-2.0.14/man/man8/matchpathcon.8.rhat libselinux-2.0.14/man/man8/matchpathcon.8 --- libselinux-2.0.14/man/man8/matchpathcon.8.rhat 2007-04-24 10:36:21.000000000 -0400 +++ libselinux-2.0.14/man/man8/matchpathcon.8 2007-09-07 09:17:52.000000000 -0400 @@ -10,16 +10,16 @@ Prints the file path and the default sec .SH OPTIONS .B \-n Do not display path. -.br + .B \-N Do not use translations. -.br + .B \-f file_context_file Use alternate file_context file -.br + .B \-p prefix Use prefix to speed translations -.br + .B \-V Verify file context on disk matches defaults diff -up libselinux-2.0.14/man/man3/avc_compute_create.3.rhat libselinux-2.0.14/man/man3/avc_compute_create.3 --- libselinux-2.0.14/man/man3/avc_compute_create.3.rhat 2007-04-24 10:36:21.000000000 -0400 +++ libselinux-2.0.14/man/man3/avc_compute_create.3 2007-09-07 09:17:52.000000000 -0400 
@@ -6,7 +6,7 @@ avc_compute_create \- obtain SELinux label for new object. .SH "SYNOPSIS" .B #include -.br + .B #include .sp .BI "int avc_compute_create(security_id_t " ssid ", security_id_t " tsid , diff -up libselinux-2.0.14/man/man3/getexeccon.3.rhat libselinux-2.0.14/man/man3/getexeccon.3 --- libselinux-2.0.14/man/man3/getexeccon.3.rhat 2007-04-24 10:36:21.000000000 -0400 +++ libselinux-2.0.14/man/man3/getexeccon.3 2007-09-07 09:17:52.000000000 -0400 @@ -1,16 +1,16 @@ .TH "getexeccon" "3" "1 January 2004" "russell@coker.com.au" "SE Linux API documentation" .SH "NAME" getexeccon, setexeccon \- get or set the SELinux security context used for executing a new process. -.br + rpm_execcon \- run a helper for rpm in an appropriate security context .SH "SYNOPSIS" .B #include .sp .BI "int getexeccon(security_context_t *" context ); -.br + .BI "int setexeccon(security_context_t "context ); -.br + .BI "int rpm_execcon(unsigned int " verified ", const char *" filename ", char *const " argv "[] , char *const " envp "[]); .SH "DESCRIPTION" @@ -26,16 +26,16 @@ NULL can be passed to setexeccon to reset to the default policy behavior. The exec context is automatically reset after the next execve, so a program doesn't need to explicitly sanitize it upon startup. -.br + setexeccon can be applied prior to library functions that internally perform an execve, e.g. execl*, execv*, popen, in order to set an exec context for that operation. -.br + Note: Signal handlers that perform an execve must take care to save, reset, and restore the exec context to avoid unexpected behaviors. -.br + .B rpm_execcon runs a helper for rpm in an appropriate security context. The diff -up libselinux-2.0.14/man/man3/getfilecon.3.rhat libselinux-2.0.14/man/man3/getfilecon.3 --- libselinux-2.0.14/man/man3/getfilecon.3.rhat 2007-04-24 10:36:21.000000000 -0400 +++ libselinux-2.0.14/man/man3/getfilecon.3 2007-09-07 09:17:52.000000000 -0400 
@@ -5,9 +5,9 @@ getfilecon, fgetfilecon, lgetfilecon \- .B #include .sp .BI "int getfilecon(const char *" path ", security_context_t *" con ); -.br + .BI "int lgetfilecon(const char *" path ", security_context_t *" con ); -.br + .BI "int fgetfilecon(int "fd ", security_context_t *" con ); .SH "DESCRIPTION" .B getfilecon @@ -22,7 +22,6 @@ link itself is interrogated, not the fil is identical to getfilecon, only the open file pointed to by filedes (as returned by open(2)) is interrogated in place of path. -.br The returned context should be freed with freecon if non-NULL. .SH "RETURN VALUE" diff -up libselinux-2.0.14/man/man3/selinux_binary_policy_path.3.rhat libselinux-2.0.14/man/man3/selinux_binary_policy_path.3 --- libselinux-2.0.14/man/man3/selinux_binary_policy_path.3.rhat 2007-04-24 10:36:21.000000000 -0400 +++ libselinux-2.0.14/man/man3/selinux_binary_policy_path.3 2007-09-07 09:17:52.000000000 -0400 @@ -10,27 +10,27 @@ directories and files. .SH "SYNOPSIS" .B #include .sp -.br + extern const char *selinux_policy_root(void); -.br + extern const char *selinux_binary_policy_path(void); -.br + extern const char *selinux_failsafe_context_path(void); -.br + extern const char *selinux_removable_context_path(void); -.br + extern const char *selinux_default_context_path(void); -.br + extern const char *selinux_user_contexts_path(void); -.br + extern const char *selinux_file_context_path(void); -.br + extern const char *selinux_media_context_path(void); -.br + extern const char *selinux_securetty_types_path(void); -.br + extern const char *selinux_contexts_path(void); -.br + extern const char *selinux_booleans_path(void); diff -up libselinux-2.0.14/man/man3/security_class_to_string.3.rhat libselinux-2.0.14/man/man3/security_class_to_string.3 --- libselinux-2.0.14/man/man3/security_class_to_string.3.rhat 2007-04-24 10:36:21.000000000 -0400 +++ libselinux-2.0.14/man/man3/security_class_to_string.3 2007-09-07 09:17:52.000000000 -0400 
@@ -8,7 +8,7 @@ between SELinux class and permission val .SH "SYNOPSIS" .B #include -.br + .B #include .sp .BI "const char * security_class_to_string(security_class_t " tclass ");" diff -up libselinux-2.0.14/man/man3/getfscreatecon.3.rhat libselinux-2.0.14/man/man3/getfscreatecon.3 --- libselinux-2.0.14/man/man3/getfscreatecon.3.rhat 2007-04-24 10:36:21.000000000 -0400 +++ libselinux-2.0.14/man/man3/getfscreatecon.3 2007-09-07 09:17:52.000000000 -0400 @@ -6,7 +6,7 @@ getfscreatecon, setfscreatecon \- get or .B #include .sp .BI "int getfscreatecon(security_context_t *" con ); -.br + .BI "int setfscreatecon(security_context_t "context ); .SH "DESCRIPTION" @@ -22,11 +22,11 @@ NULL can be passed to setfscreatecon to reset to the default policy behavior. The fscreate context is automatically reset after the next execve, so a program doesn't need to explicitly sanitize it upon startup. -.br + setfscreatecon can be applied prior to library functions that internally perform an file creation, in order to set an file context on the objects. -.br + Note: Signal handlers that perform an setfscreate must take care to save, reset, and restore the fscreate context to avoid unexpected behaviors. diff -up libselinux-2.0.14/man/man3/freecon.3.rhat libselinux-2.0.14/man/man3/freecon.3 --- libselinux-2.0.14/man/man3/freecon.3.rhat 2007-04-24 10:36:21.000000000 -0400 +++ libselinux-2.0.14/man/man3/freecon.3 2007-09-07 09:17:52.000000000 -0400 @@ -5,7 +5,7 @@ freecon, freeconary \- free memory assoc .B #include .sp .BI "void freecon(security_context_t "con ); -.br + .BI "void freeconary(security_context_t *" con ); .SH "DESCRIPTION" diff -up libselinux-2.0.14/man/man3/security_getenforce.3.rhat libselinux-2.0.14/man/man3/security_getenforce.3 --- libselinux-2.0.14/man/man3/security_getenforce.3.rhat 2007-04-24 10:36:21.000000000 -0400 +++ libselinux-2.0.14/man/man3/security_getenforce.3 2007-09-07 09:17:52.000000000 -0400 
@@ -5,7 +5,7 @@ security_getenforce, security_setenforce .B #include .sp .B int security_getenforce(); -.br + .BI "int security_setenforce(int "value ); .SH "DESCRIPTION" diff -up libselinux-2.0.14/man/man3/selinux_getenforcemode.3.rhat libselinux-2.0.14/man/man3/selinux_getenforcemode.3 --- libselinux-2.0.14/man/man3/selinux_getenforcemode.3.rhat 2007-04-24 10:36:21.000000000 -0400 +++ libselinux-2.0.14/man/man3/selinux_getenforcemode.3 2007-09-07 09:17:52.000000000 -0400 @@ -5,13 +5,13 @@ selinux_getenforcemode \- get the enforc .B #include .sp .B int selinux_getenforcemode(int *enforce); -.br + .SH "DESCRIPTION" .B selinux_getenforcemode Reads the contents of the /etc/selinux/config file to determine how the system was setup to run SELinux. -.br + Sets the value of enforce to 1 if SELinux should be run in enforcing mode. Sets the value of enforce to 0 if SELinux should be run in permissive mode. Sets the value of enforce to -1 if SELinux should be disabled. diff -up libselinux-2.0.14/man/man3/matchmediacon.3.rhat libselinux-2.0.14/man/man3/matchmediacon.3 --- libselinux-2.0.14/man/man3/matchmediacon.3.rhat 2007-04-24 10:36:21.000000000 -0400 +++ libselinux-2.0.14/man/man3/matchmediacon.3 2007-09-07 09:17:52.000000000 -0400 @@ -6,14 +6,14 @@ matchmediacon \- get the default SELinux .B #include .sp .BI "int matchmediacon(const char *" media ", security_context_t *" con);" -.br + .SH "DESCRIPTION" -.br + .B matchmediacon matches the specified media type with the media contexts configuration and sets the security context "con" to refer to the resulting context. .sp -.br + .B Note: Caller must free returned security context "con" using freecon. .SH "RETURN VALUE" diff -up libselinux-2.0.14/man/man3/getseuserbyname.3.rhat libselinux-2.0.14/man/man3/getseuserbyname.3 --- libselinux-2.0.14/man/man3/getseuserbyname.3.rhat 2007-04-24 10:36:21.000000000 -0400 +++ libselinux-2.0.14/man/man3/getseuserbyname.3 2007-09-07 09:17:52.000000000 -0400 
@@ -12,7 +12,7 @@ a given Linux username. The SELinux use then be passed to other libselinux functions such as get_ordered_context_list_with_level and get_default_context_with_level. -.br + The returned SELinux username and level should be freed by the caller using free. diff -up libselinux-2.0.14/man/man3/is_context_customizable.3.rhat libselinux-2.0.14/man/man3/is_context_customizable.3 --- libselinux-2.0.14/man/man3/is_context_customizable.3.rhat 2007-04-24 10:36:21.000000000 -0400 +++ libselinux-2.0.14/man/man3/is_context_customizable.3 2007-09-07 09:17:52.000000000 -0400 @@ -8,7 +8,7 @@ is_context_customizable \- check whether .SH "DESCRIPTION" .B is_context_customizable -.br + This function checks whether the type of scon is in the /etc/selinux/SELINUXTYPE/context/customizable_types file. A customizable type is a file context type that administrators set on files, usually to allow certain domains to share the file content. restorecon and setfiles, by default, leave these context in place. diff -up libselinux-2.0.14/man/man3/security_compute_av.3.rhat libselinux-2.0.14/man/man3/security_compute_av.3 --- libselinux-2.0.14/man/man3/security_compute_av.3.rhat 2007-04-24 10:36:21.000000000 -0400 +++ libselinux-2.0.14/man/man3/security_compute_av.3 2007-09-07 09:17:52.000000000 -0400 @@ -6,7 +6,7 @@ the SELinux policy database in the kerne .SH "SYNOPSIS" .B #include -.br + .B #include .sp .BI "int security_compute_av(security_context_t "scon ", security_context_t "tcon ", security_class_t "tclass ", access_vector_t "requested ", struct av_decision *" avd ); diff -up libselinux-2.0.14/man/man3/setfilecon.3.rhat libselinux-2.0.14/man/man3/setfilecon.3 --- libselinux-2.0.14/man/man3/setfilecon.3.rhat 2007-04-24 10:36:21.000000000 -0400 +++ libselinux-2.0.14/man/man3/setfilecon.3 2007-09-07 09:17:52.000000000 -0400 
@@ -6,9 +6,9 @@ setfilecon, fsetfilecon, lsetfilecon \- .B #include .sp .BI "int setfilecon(const char *" path ", security_context_t "con ); -.br + .BI "int lsetfilecon(const char *" path ", security_context_t "con ); -.br + .BI "int fsetfilecon(int "fd ", security_context_t "con ); .SH "DESCRIPTION" diff -up libselinux-2.0.14/man/man3/matchpathcon.3.rhat libselinux-2.0.14/man/man3/matchpathcon.3 --- libselinux-2.0.14/man/man3/matchpathcon.3.rhat 2007-04-24 10:36:21.000000000 -0400 +++ libselinux-2.0.14/man/man3/matchpathcon.3 2007-09-07 09:17:52.000000000 -0400 @@ -6,18 +6,18 @@ matchpathcon \- get the default SELinux .B #include .sp .BI "int matchpathcon_init(const char *" path ");" -.br + .BI "int matchpathcon_fini(void);" -.br + .BI "int matchpathcon(const char *" path ", mode_t " mode ", security_context_t *" con); .sp -.br + .BI "void set_matchpathcon_printf(void (*" f ")(const char *" fmt ", ...));" -.br + .BI "void set_matchpathcon_invalidcon(int (*" f ")(const char *"path ", unsigned " lineno ", char * " context "));" -.br + .BI "void set_matchpathcon_flags(unsigned int " flags ");" -.br + .SH "DESCRIPTION" .B matchpathcon_init loads the file contexts configuration specified by @@ -40,7 +40,7 @@ and suffix are also looked up and loaded if present. These files provide dynamically generated entries for user home directories and for local customizations. -.br + .sp .B matchpathcon_fini frees the memory allocated by a prior call to @@ -49,7 +49,7 @@ This function can be used to free and re .B matchpathcon_init calls, or to free memory when finished using .B matchpathcon. -.br + .sp .B matchpathcon matches the specified pathname and mode against the file contexts 
@@ -72,14 +72,14 @@ its first invocation with a NULL .I path, defaulting to the active file contexts configuration. .sp -.br + .B set_matchpathcon_printf sets the function used by .B matchpathcon_init when displaying errors about the file contexts configuration. If not set, then this defaults to fprintf(stderr, fmt, ...). This can be set to redirect error reporting to a different destination. -.br + .sp .B set_matchpathcon_invalidcon sets the function used by @@ -100,7 +100,7 @@ may include the and .I lineno in such error messages. -.br + .sp .B set_matchpathcon_flags sets flags controlling the operation of @@ -111,7 +111,7 @@ If the .B MATCHPATHCON_BASEONLY flag is set, then only the base file contexts configuration file will be processed, not any dynamically generated entries or local customizations. -.br + .sp .SH "RETURN VALUE" Returns 0 on success or -1 otherwise. diff -up libselinux-2.0.14/man/man3/avc_init.3.rhat libselinux-2.0.14/man/man3/avc_init.3 --- libselinux-2.0.14/man/man3/avc_init.3.rhat 2007-04-24 10:36:21.000000000 -0400 +++ libselinux-2.0.14/man/man3/avc_init.3 2007-09-07 09:17:52.000000000 -0400 @@ -6,17 +6,17 @@ avc_init, avc_destroy, avc_reset, avc_cleanup \- userspace SELinux AVC setup and teardown. .SH "SYNOPSIS" .B #include -.br + .B #include .sp .BI "int avc_init(const char *" msgprefix , .in +\w'int avc_init('u .BI "const struct avc_memory_callback *" mem_callbacks , -.br + .BI "const struct avc_log_callback *" log_callbacks , -.br + .BI "const struct avc_thread_callback *" thread_callbacks , -.br + .BI "const struct avc_lock_callback *" lock_callbacks ");" .in .sp diff -up libselinux-2.0.14/man/man3/security_load_booleans.3.rhat libselinux-2.0.14/man/man3/security_load_booleans.3 --- libselinux-2.0.14/man/man3/security_load_booleans.3.rhat 2007-04-24 10:36:21.000000000 -0400 +++ libselinux-2.0.14/man/man3/security_load_booleans.3 2007-09-07 09:17:52.000000000 -0400 
@@ -7,15 +7,15 @@ security_get_boolean_pending \- routines .B #include .sp extern int security_load_booleans(char *path); -.br + extern int security_get_boolean_names(char ***names, int *len); -.br + extern int security_get_boolean_pending(const char *name); -.br + extern int security_get_boolean_active(const char *name); -.br + extern int security_set_boolean(const char *name, int value); -.br + extern int security_commit_booleans(void); @@ -29,27 +29,27 @@ policy without having to load a new poli The SELinux API allows for a transaction based update. So you can set several boolean values and the commit them all at once. security_load_booleans -.br + Load policy boolean settings. Path may be NULL, in which case the booleans are loaded from the active policy boolean configuration file. security_get_boolean_names -.br + Returns a list of boolean names, currently supported by the loaded policy. security_set_boolean -.br + Sets the pending value for boolean security_get_boolean_pending -.br + Return pending value for boolean security_get_boolean_active -.br + Return active value for boolean security_commit_booleans -.br + Commit all pending values for the booleans. .SH AUTHOR diff -up libselinux-2.0.14/man/man3/avc_add_callback.3.rhat libselinux-2.0.14/man/man3/avc_add_callback.3 --- libselinux-2.0.14/man/man3/avc_add_callback.3.rhat 2007-04-24 10:36:21.000000000 -0400 +++ libselinux-2.0.14/man/man3/avc_add_callback.3 2007-09-07 09:17:52.000000000 -0400 
@@ -6,26 +6,26 @@ avc_add_callback \- additional event notification for SELinux userspace object managers. .SH "SYNOPSIS" .B #include -.br + .B #include .sp .BI "int avc_add_callback(int (*" callback ")(uint32_t " event , .in +\w'int avc_add_callback(int (*callback)('u .BI "security_id_t " ssid , -.br + .BI "security_id_t " tsid , -.br + .BI "security_class_t " tclass , -.br + .BI "access_vector_t " perms , -.br + .BI "access_vector_t *" out_retained ")," .in .in +\w'int avc_add_callback('u .BI "uint32_t " events ", security_id_t " ssid , -.br + .BI "security_id_t " tsid ", security_class_t " tclass , -.br + .BI "access_vector_t " perms ");" .in .SH "DESCRIPTION" diff -up libselinux-2.0.14/man/man3/avc_has_perm.3.rhat libselinux-2.0.14/man/man3/avc_has_perm.3 --- libselinux-2.0.14/man/man3/avc_has_perm.3.rhat 2007-04-24 10:36:21.000000000 -0400 +++ libselinux-2.0.14/man/man3/avc_has_perm.3 2007-09-07 09:17:52.000000000 -0400 @@ -6,7 +6,7 @@ avc_has_perm, avc_has_perm_noaudit, avc_audit, avc_entry_ref_init \- obtain and audit SELinux access decisions. .SH "SYNOPSIS" .B #include -.br + .B #include .sp .BI "void avc_entry_ref_init(struct avc_entry_ref *" aeref ");" 
@@ -14,21 +14,21 @@ avc_has_perm, avc_has_perm_noaudit, avc_ .BI "int avc_has_perm(security_id_t " ssid ", security_id_t " tsid , .in +\w'int avc_has_perm('u .BI "security_class_t " tclass ", access_vector_t " requested , -.br + .BI "struct avc_entry_ref *" aeref ", void *" auditdata ");" .in .sp .BI "int avc_has_perm_noaudit(security_id_t " ssid ", security_id_t " tsid , .in +\w'int avc_has_perm('u .BI "security_class_t " tclass ", access_vector_t " requested , -.br + .BI "struct avc_entry_ref *" aeref ", struct av_decision *" avd ");" .in .sp .BI "void avc_audit(security_id_t " ssid ", security_id_t " tsid , .in +\w'void avc_audit('u .BI "security_class_t " tclass ", access_vector_t " requested , -.br + .BI "struct av_decision *" avd ", int " result ", void *" auditdata ");" .in .SH "DESCRIPTION" diff -up libselinux-2.0.14/man/man3/get_ordered_context_list.3.rhat libselinux-2.0.14/man/man3/get_ordered_context_list.3 --- libselinux-2.0.14/man/man3/get_ordered_context_list.3.rhat 2007-04-24 10:36:21.000000000 -0400 +++ libselinux-2.0.14/man/man3/get_ordered_context_list.3 2007-09-07 09:17:52.000000000 -0400 @@ -4,7 +4,7 @@ get_ordered_context_list, get_ordered_co .SH "SYNOPSIS" .B #include -.br + .B #include .sp .BI "int get_ordered_context_list(const char *" user ", security_context_t "fromcon ", security_context_t **" list ); diff -up libselinux-2.0.14/man/man3/getcon.3.rhat libselinux-2.0.14/man/man3/getcon.3 --- libselinux-2.0.14/man/man3/getcon.3.rhat 2007-04-24 10:36:21.000000000 -0400 +++ libselinux-2.0.14/man/man3/getcon.3 2007-09-07 09:17:52.000000000 -0400 
@@ -1,21 +1,21 @@ .TH "getcon" "3" "1 January 2004" "russell@coker.com.au" "SE Linux API documentation" .SH "NAME" getcon, getprevcon, getpidcon \- get SELinux security context of a process. -.br + getpeercon - get security context of a peer socket. -.br + setcon - set current security context of a process. .SH "SYNOPSIS" .B #include .sp .BI "int getcon(security_context_t *" context ); -.br + .BI "int getprevcon(security_context_t *" context ); -.br + .BI "int getpidcon(pid_t " pid ", security_context_t *" context ); -.br + .BI "int getpeercon(int " fd ", security_context_t *" context); -.br + .BI "int setcon(security_context_t " context); .SH "DESCRIPTION" diff -up libselinux-2.0.14/man/man3/avc_cache_stats.3.rhat libselinux-2.0.14/man/man3/avc_cache_stats.3 --- libselinux-2.0.14/man/man3/avc_cache_stats.3.rhat 2007-04-24 10:36:21.000000000 -0400 +++ libselinux-2.0.14/man/man3/avc_cache_stats.3 2007-09-07 09:17:52.000000000 -0400 @@ -6,7 +6,7 @@ avc_cache_stats, avc_av_stats, avc_sid_stats \- obtain userspace SELinux AVC statistics. .SH "SYNOPSIS" .B #include -.br + .B #include .sp .BI "void avc_av_stats(void);" diff -up libselinux-2.0.14/man/man3/avc_context_to_sid.3.rhat libselinux-2.0.14/man/man3/avc_context_to_sid.3 --- libselinux-2.0.14/man/man3/avc_context_to_sid.3.rhat 2007-04-24 10:36:21.000000000 -0400 +++ libselinux-2.0.14/man/man3/avc_context_to_sid.3 2007-09-07 09:17:52.000000000 -0400 @@ -6,7 +6,7 @@ avc_context_to_sid, avc_sid_to_context, sidput, sidget, avc_get_initial_sid \- obtain and manipulate SELinux security ID's. .SH "SYNOPSIS" .B #include -.br + .B #include .sp .BI "int avc_context_to_sid(security_context_t " ctx ", security_id_t *" sid ");" diff -up libselinux-2.0.14/man/man3/selinux_policy_root.3.rhat libselinux-2.0.14/man/man3/selinux_policy_root.3 --- libselinux-2.0.14/man/man3/selinux_policy_root.3.rhat 2007-04-24 10:36:21.000000000 -0400 +++ libselinux-2.0.14/man/man3/selinux_policy_root.3 2007-09-07 09:17:52.000000000 -0400 
@@ -5,7 +5,7 @@ selinux_policy_root \- return the path o .B #include .sp .B char *selinux_policy_root(); -.br + .SH "DESCRIPTION" .B selinux_policy_root diff -up libselinux-2.0.14/man/man3/context_new.3.rhat libselinux-2.0.14/man/man3/context_new.3 --- libselinux-2.0.14/man/man3/context_new.3.rhat 2007-04-24 10:36:21.000000000 -0400 +++ libselinux-2.0.14/man/man3/context_new.3 2007-09-07 09:17:52.000000000 -0400 @@ -4,27 +4,27 @@ context_new, context_str, context_free, .SH "SYNOPSIS" .B #include -.br + .B "context_t context_new(const char *" context_str ); -.br + .B "const char * context_str(context_t " con ); -.br + .B "void context_free(context_t " con ); -.br + .B "const char * context_type_get(context_t " con ); -.br + .B "const char * context_range_get(context_t " con ); -.br + .B "const char * context_role_get(context_t " con ); -.br + .B "const char * context_user_get(context_t " con ); -.br + .B "const char * context_type_set(context_t " con ", const char* " type); -.br + .B "const char * context_range_set(context_t " con ", const char* " range); -.br + .B "const char * context_role_set(context_t " con ", const char* " role ); -.br + .B "const char * context_user_set(context_t " con ", const char* " user ); .SH "DESCRIPTION" diff -up libselinux-2.0.14/Makefile.rhat libselinux-2.0.14/Makefile --- libselinux-2.0.14/Makefile.rhat 2007-04-24 10:36:19.000000000 -0400 +++ libselinux-2.0.14/Makefile 2007-09-07 09:17:52.000000000 -0400 @@ -2,6 +2,9 @@ all: $(MAKE) -C src $(MAKE) -C utils +swigify: + $(MAKE) -C src swigify + pywrap: $(MAKE) -C src pywrap