diff --exclude-from=exclude -N -u -r nsapolicycoreutils/audit2allow/audit2allow policycoreutils-1.27.29/audit2allow/audit2allow
0d00568
--- nsapolicycoreutils/audit2allow/audit2allow	2005-11-28 21:47:54.000000000 -0500
0d00568
+++ policycoreutils-1.27.29/audit2allow/audit2allow	2005-11-29 00:04:31.000000000 -0500
0d00568
@@ -24,7 +24,7 @@
0d00568
 #                                        02111-1307  USA
0d00568
 #
0d00568
 #  
0d00568
-import commands, sys, os, pwd, string, getopt, re
0d00568
+import commands, sys, os, pwd, string, getopt, re, selinux
0d00568
 class allow:
0d00568
 	def __init__(self, source, target, seclass):
0d00568
 		self.source=source
0d00568
@@ -81,6 +81,11 @@
0d00568
 		self.roles=[]
0d00568
 		self.load(input)
0d00568
 		
0d00568
+	def warning(self, error):
0d00568
+		sys.stderr.write("%s: " % sys.argv[0])
0d00568
+		sys.stderr.write("%s\n" % error)
0d00568
+		sys.stderr.flush()
0d00568
+
0d00568
 	def load(self, input):
0d00568
 		avc=[]
0d00568
 		found=0
0d00568
@@ -114,43 +119,47 @@
0d00568
 			if "load_policy" in avc and self.last_reload:
0d00568
 				self.allowRules={}
0d00568
 			return
0d00568
-		for i in range (0, len(avc)):
0d00568
-			if avc[i]=="{":
0d00568
-				i=i+1
0d00568
-				while i
0d00568
-					access.append(avc[i])
0d00568
+		try:
0d00568
+			for i in range (0, len(avc)):
0d00568
+				if avc[i]=="{":
0d00568
 					i=i+1
0d00568
-				continue
0d00568
+					while i
0d00568
+						access.append(avc[i])
0d00568
+						i=i+1
0d00568
+					continue
0d00568
 			
0d00568
-			t=avc[i].split('=')
0d00568
-			if len(t) < 2:
0d00568
-				continue
0d00568
-			if t[0]=="scontext":
0d00568
-				context=t[1].split(":")
0d00568
-				scon=context[2]
0d00568
-				srole=context[1]
0d00568
-				continue
0d00568
-			if t[0]=="tcontext":
0d00568
-				context=t[1].split(":")
0d00568
-				tcon=context[2]
0d00568
-				trole=context[1]
0d00568
-				continue
0d00568
-			if t[0]=="tclass":
0d00568
-				seclass=t[1]
0d00568
-				continue
0d00568
-			if t[0]=="comm":
0d00568
-				comm=t[1]
0d00568
-				continue
0d00568
-			if t[0]=="name":
0d00568
-				name=t[1]
0d00568
-				continue
0d00568
-			if t[0]=="msg":
0d00568
-				msg=t[1]
0d00568
-				continue
0d00568
-
0d00568
-		if scon=="" or tcon =="" or seclass=="":
0d00568
+				t=avc[i].split('=')
0d00568
+				if len(t) < 2:
0d00568
+					continue
0d00568
+				if t[0]=="scontext":
0d00568
+					context=t[1].split(":")
0d00568
+					scon=context[2]
0d00568
+					srole=context[1]
0d00568
+					continue
0d00568
+				if t[0]=="tcontext":
0d00568
+					context=t[1].split(":")
0d00568
+					tcon=context[2]
0d00568
+					trole=context[1]
0d00568
+					continue
0d00568
+				if t[0]=="tclass":
0d00568
+					seclass=t[1]
0d00568
+					continue
0d00568
+				if t[0]=="comm":
0d00568
+					comm=t[1]
0d00568
+					continue
0d00568
+				if t[0]=="name":
0d00568
+					name=t[1]
0d00568
+					continue
0d00568
+				if t[0]=="msg":
0d00568
+					msg=t[1]
0d00568
+					continue
0d00568
+
0d00568
+			if scon=="" or tcon =="" or seclass=="":
0d00568
+				return
0d00568
+		except IndexError, e:
0d00568
+			self.warning("Bad AVC Line: %s" % avc)
0d00568
 			return
54ecf23
-
0d00568
+			
0d00568
 		self.add_seclass(seclass, access)
0d00568
 		self.add_type(tcon)
0d00568
 		self.add_type(scon)
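Review bot: The new `except IndexError, e:` binds `e` but never uses it, so the only diagnostic a user gets is the raw token list, with no hint of which field (the `{ ... }` scan, `context[2]` on a short scontext/tcontext, or `t[1]`) was out of range; either drop the name or include it, e.g. `self.warning("Bad AVC Line: %s (%s)" % (avc, e))`. The two `while i` lines inside the try look truncated in this rendering (the comparison after `i` is missing), so the loop condition could not be reviewed here. Note also that `for i in range (0, len(avc))` rebinds `i` on every iteration, so the `i=i+1` advances made while collecting the `{ ... }` access list do not skip those tokens — they are revisited and only dropped because `len(t) < 2`; a permission token containing `=` would be misparsed as a field. The enclosing `load` method begins before this hunk.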
0d00568
@@ -220,6 +229,12 @@
0d00568
 
0d00568
 if __name__ == '__main__':
0d00568
 
0d00568
+	def get_mls_flag():
0d00568
+		if selinux.is_selinux_mls_enabled():
0d00568
+			return "-M"
0d00568
+		else:
0d00568
+			return ""
0d00568
+
0d00568
 	def usage():
0d00568
 		print 'audit2allow [-adhilrv] [-i <inputfile> ] [[-m|-M] <modulename> ] [-o <outputfile>]\n\
0d00568
 		-a, --all        read input from audit and message log, conflicts with -i\n\
0d00568
@@ -313,15 +328,17 @@
0d00568
 		if buildPP:
0d00568
 			print ("Generating type enforcment file: %s.te" % module)
0d00568
 		output.write(out.out(requires, module))
0d00568
+		output.flush()
0d00568
 		if buildPP:
0d00568
-			print ("Compiling policy: checkmodule -M -m -o %s.mod %s.te" % (module, module))
0d00568
-			rc=commands.getstatusoutput("checkmodule -M -m -o %s.mod %s.te" % (module, module))
0d00568
+			cmd="checkmodule %s -m -o %s.mod %s.te" % (get_mls_flag(), module, module)
0d00568
+			print "Compiling policy: %s" % cmd
0d00568
+			rc=commands.getstatusoutput(cmd)
0d00568
 			if rc[0]==0:
0d00568
 				print ("Building package: semodule_package -o %s.pp -m %s.mod" % (module, module))
0d00568
 				rc=commands.getstatusoutput("semodule_package -o %s.pp -m %s.mod" % (module, module))
0d00568
 				if rc[0]==0:
0d00568
-					print ("\n*************** IMPORTANT ***********************\n")
0d00568
-					print ("In order to load this newly created policy package,\nyou are required to execute \n\n\"semodule -i %s.pp\"\n\nto load the policy\n" % module)
0d00568
+					print ("\n******************** IMPORTANT ***********************\n")
0d00568
+					print ("In order to load this newly created policy package into the kernel,\nyou are required to execute \n\nsemodule -i %s.pp\n\n" % module)
0d00568
 				else:
0d00568
 					errorExit(rc[1])
0d00568
 			else:
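Review bot: `cmd` is built by string interpolation of `module` and handed to `commands.getstatusoutput`, which runs it through `/bin/sh`, so a module name containing whitespace or shell metacharacters (it comes straight from the `-m`/`-M` argument) breaks the checkmodule invocation; the unchanged `semodule_package` line two lines below has the same shape. Since `re` is already imported, the cheapest guard is to validate the name before any command is built: `if not re.match(r'^[A-Za-z0-9_.-]+$', module): errorExit("Invalid module name: %s" % module)`. Adding `output.flush()` before invoking checkmodule is the right fix for the compile reading a partially written `.te` file. The enclosing `if buildPP:` block and its surrounding `main` code begin before this hunk.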
0d00568
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/audit2allow/audit2allow.1 policycoreutils-1.27.29/audit2allow/audit2allow.1
0d00568
--- nsapolicycoreutils/audit2allow/audit2allow.1	2005-09-12 16:33:30.000000000 -0400
0d00568
+++ policycoreutils-1.27.29/audit2allow/audit2allow.1	2005-11-29 00:04:31.000000000 -0500
0d00568
@@ -30,26 +30,38 @@
0d00568
 .RI [ options "] "
0d00568
 .SH OPTIONS
0d00568
 .TP
0d00568
-.B "\-\-help"
0d00568
+.B "\-a" | "\-\-all"
0d00568
+Read input from audit and message log, conflicts with -i
0d00568
+.TP
0d00568
+.B "\-h" | "\-\-help"
0d00568
 Print a short usage message
0d00568
 .TP
0d00568
-.B "\-d"
0d00568
+.B "\-d" | "\-\-dmesg"
0d00568
 Read input from output of 
0d00568
 .I /bin/dmesg.
0d00568
 Note that audit messages are not available via dmesg when
0d00568
 auditd is running; use -i /var/log/audit/audit.log instead.
0d00568
 .TP
0d00568
-.B "\-v"
0d00568
+.B "\-v" | "\-\-verbose"
0d00568
 Turn on verbose output
0d00568
 .TP
0d00568
-.B "\-l"
0d00568
+.B "\-l" | "\-\-lastreload"
0d00568
 read input only after last policy reload
0d00568
 .TP
0d00568
-.B "\-i <inputfile>"
0d00568
+.B "\-r" | "\-\-requires"
0d00568
+Generate require output syntax for loadable modules.
0d00568
+.TP
0d00568
+.B "\-m <modulename>" | "\-\-module <modulename>"
0d00568
+Generate module/require output <modulename>
0d00568
+.TP
0d00568
+.B "\-M <modulename>" 
0d00568
+Generate loadable module package, conflicts with -o
0d00568
+.TP
0d00568
+.B "\-i  <inputfile>" | "\-\-input <inputfile>"
0d00568
 read input from 
0d00568
 .I <inputfile>
0d00568
 .TP
0d00568
-.B "\-o <outputfile>"
0d00568
+.B "\-o <outputfile>"  | "\-\-output <outputfile>"
0d00568
 append output to 
0d00568
 .I <outputfile>
0d00568
 .SH DESCRIPTION
0d00568
@@ -76,18 +88,66 @@
0d00568
 .PP
0d00568
 .SH EXAMPLE
0d00568
 .nf
0d00568
-$ cd /etc/selinux/$(SELINUXTYPE)/src/policy
0d00568
-$ /usr/bin/audit2allow -i < /var/log/audit/audit.log >> domains/misc/local.te
0d00568
-<review domains/misc/local.te and customize as desired>
0d00568
-$ make load
0d00568
+.B Traditional Syntax
0d00568
+cat /var/log/audit/audit.log.1 | audit2allow
0d00568
+allow cupsd_config_t unconfined_t:fifo_file { getattr ioctl };
0d00568
+
0d00568
+
0d00568
+.B Using audit2allow to generate module syntax
0d00568
+
0d00568
+$ cat /var/log/audit/audit.log | audit2allow -m local
0d00568
+module local 1.0;
0d00568
+
0d00568
+require {
0d00568
+        role system_r;
0d00568
+
0d00568
+
0d00568
+        class fifo_file {  getattr ioctl };
0d00568
+
0d00568
+
0d00568
+        type cupsd_config_t;
0d00568
+        type unconfined_t;
0d00568
+ };
0d00568
+
0d00568
+
0d00568
+allow cupsd_config_t unconfined_t:fifo_file { getattr ioctl };
0d00568
+
0d00568
+.B Building a loadable module
0d00568
+
0d00568
+$ /usr/bin/audit2allow -m local -i /var/log/audit/audit.log >> local.te
0d00568
+<review local.te and customize as desired>
0d00568
+# Compile the module
0d00568
+$ checkmodule -M -m -o local.mod local.te
0d00568
+# Create the package 
0d00568
+$ semodule_package -o local.pp -m local.mod
0d00568
+# Load the module into the kernel
0d00568
+$ semodule -i local.mod
0d00568
+
0d00568
+.B Building a loadable module automatically
0d00568
+$ cat /var/log/audit/audit.log | audit2allow -M local
0d00568
+Generating type enforcment file: local.te
0d00568
+Compiling policy: checkmodule -M -m -o local.mod local.te
0d00568
+Building package: semodule_package -o local.pp -m local.mod
0d00568
+
0d00568
+******************** IMPORTANT ***********************
0d00568
+
0d00568
+In order to load this newly created policy package into the kernel,
0d00568
+you are required to execute
0d00568
+
0d00568
+semodule -i local.pp
0d00568
+
0d00568
 .fi
0d00568
 .PP
0d00568
 .SH AUTHOR
0d00568
 This manual page was written by 
0d00568
 .I Manoj Srivastava <srivasta@debian.org>,
0d00568
-for the Debian GNU/Linux system. The 
0d00568
+for the Debian GNU/Linux system. It was updated by Dan Walsh <dwalsh@redhat.com>
0d00568
+.PP
0d00568
+The 
0d00568
 .B audit2allow
0d00568
 utility has contributions from several people, including 
0d00568
 .I Justin R. Smith 
0d00568
 and 
0d00568
 .I Yuichi Nakamura.
0d00568
+and 
0d00568
+.I Dan Walsh
0d00568
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/Makefile policycoreutils-1.27.29/Makefile
0d00568
--- nsapolicycoreutils/Makefile	2005-11-07 09:41:21.000000000 -0500
0d00568
+++ policycoreutils-1.27.29/Makefile	2005-11-29 00:04:31.000000000 -0500
0d00568
@@ -1,4 +1,4 @@
0d00568
-SUBDIRS=setfiles load_policy newrole run_init restorecon audit2allow audit2why scripts sestatus semodule_package semodule semodule_link semodule_expand setsebool po
0d00568
+SUBDIRS=setfiles semanage load_policy newrole run_init restorecon audit2allow audit2why scripts sestatus semodule_package semodule semodule_link semodule_expand setsebool po
0d00568
 
0d00568
 all install relabel clean: 
0d00568
 	@for subdir in $(SUBDIRS); do \
0d00568
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semanage/Makefile policycoreutils-1.27.29/semanage/Makefile
0d00568
--- nsapolicycoreutils/semanage/Makefile	1969-12-31 19:00:00.000000000 -0500
0d00568
+++ policycoreutils-1.27.29/semanage/Makefile	2005-11-29 00:04:31.000000000 -0500
0d00568
@@ -0,0 +1,19 @@
0d00568
+# Installation directories.
0d00568
+PREFIX ?= ${DESTDIR}/usr
0d00568
+SBINDIR ?= $(PREFIX)/sbin
0d00568
+MANDIR = $(PREFIX)/share/man
0d00568
+
0d00568
+TARGETS=semanage
0d00568
+
0d00568
+all: $(TARGETS)
0d00568
+
0d00568
+install: all
0d00568
+	[ -d $(MANDIR)/man8 ] || mkdir -p $(MANDIR)/man8
0d00568
+	-mkdir -p $(SBINDIR)
0d00568
+	install -m 755 semanage $(SBINDIR)
0d00568
+	install -m 644 semanage.8 $(MANDIR)/man8
0d00568
+
0d00568
+clean:
0d00568
+	rm -f semanage
0d00568
+
0d00568
+relabel:
0d00568
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semanage/semanage policycoreutils-1.27.29/semanage/semanage
0d00568
--- nsapolicycoreutils/semanage/semanage	1969-12-31 19:00:00.000000000 -0500
0d00568
+++ policycoreutils-1.27.29/semanage/semanage	2005-11-29 00:04:52.000000000 -0500
0d00568
@@ -0,0 +1,377 @@
15d8551
+#! /usr/bin/env python
15d8551
+# Copyright (C) 2005 Red Hat 
15d8551
+# see file 'COPYING' for use and warranty information
15d8551
+#
0d00568
+# semanage is a tool for managing SELinux configuration files
15d8551
+#
0d00568
+#    This program is free software; you can redistribute it and/or
0d00568
+#    modify it under the terms of the GNU General Public License as
0d00568
+#    published by the Free Software Foundation; either version 2 of
0d00568
+#    the License, or (at your option) any later version.
0d00568
+#
0d00568
+#    This program is distributed in the hope that it will be useful,
0d00568
+#    but WITHOUT ANY WARRANTY; without even the implied warranty of
0d00568
+#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
0d00568
+#    GNU General Public License for more details.
0d00568
+#
0d00568
+#    You should have received a copy of the GNU General Public License
0d00568
+#    along with this program; if not, write to the Free Software
0d00568
+#    Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA     
0d00568
+#                                        02111-1307  USA
15d8551
+#
15d8551
+#  
0d00568
+import commands, sys, os, pwd, string, getopt, pwd
0d00568
+from semanage import *;
0d00568
+class loginRecords:
0d00568
+	def __init__(self):
0d00568
+		self.sh=semanage_handle_create()
0d00568
+		self.semanaged=semanage_is_managed(self.sh)
0d00568
+		if self.semanaged:
0d00568
+			semanage_connect(self.sh)
0d00568
+
0d00568
+	def add(self, name, sename, serange):
0d00568
+		(rc,k)=semanage_seuser_key_create(self.sh, name)
0d00568
+		(rc,exists)= semanage_seuser_exists(self.sh, k)
0d00568
+		if exists:
0d00568
+			raise ValueError("SELinux User %s mapping already defined" % name)
0d00568
+		try:
0d00568
+			pwd.getpwname(name)
0d00568
+		except:
0d00568
+			raise ValueError("Linux User %s does not exist" % name)
0d00568
+			
0d00568
+		(rc,u)= semanage_seuser_create(self.sh)
0d00568
+		semanage_seuser_set_name(self.sh, u, name)
0d00568
+		semanage_seuser_set_mlsrange(self.sh, u, serange)
0d00568
+		semanage_seuser_set_sename(self.sh, u, sename)
0d00568
+		semanage_begin_transaction(self.sh)
0d00568
+		semanage_seuser_add(self.sh, k, u)
0d00568
+		if semanage_commit(self.sh) != 0:
0d00568
+			raise ValueError("Failed to add SELinux user mapping")
0d00568
+
0d00568
+	def modify(self, name, sename="", serange=""):
0d00568
+		(rc,k)=semanage_seuser_key_create(self.sh, name)
0d00568
+		(rc,u)= semanage_seuser_query(self.sh, k)
0d00568
+		if rc !=0 :
0d00568
+			raise ValueError("SELinux user %s mapping is not defined." % name)
0d00568
+		if sename == "" and serange=="":
0d00568
+			raise ValueError("Requires, seuser or serange")
0d00568
+		if serange != "":
0d00568
+			semanage_seuser_set_mlsrange(self.sh, u, serange)
0d00568
+		if sename != "":
0d00568
+			semanage_seuser_set_sename(self.sh, u, sename)
0d00568
+		semanage_begin_transaction(self.sh)
0d00568
+		semanage_seuser_modify(self.sh, k, u)
0d00568
+		if semanage_commit(self.sh) != 0:
0d00568
+			raise ValueError("Failed to modify SELinux user mapping")
0d00568
+
c264106
+		
0d00568
+	def delete(self, name):
0d00568
+		(rc,k)=semanage_seuser_key_create(self.sh, name)
0d00568
+		(rc,exists)= semanage_seuser_exists(self.sh, k)
0d00568
+		if rc !=0 :
0d00568
+			raise ValueError("SELinux user %s mapping is not defined." % name)
0d00568
+		semanage_begin_transaction(self.sh)
0d00568
+		semanage_seuser_del(self.sh, k)
0d00568
+		if semanage_commit(self.sh) != 0:
0d00568
+			raise ValueError("SELinux User %s mapping not defined" % name)
c264106
+		
0d00568
+	def list(self):
0d00568
+		print "\n%-25s %-25s %-25s\n" % ("Login Name", "SELinux User", "MLS/MCS Range")
0d00568
+		(status, self.ulist, self.usize) = semanage_seuser_list(self.sh)
0d00568
+		for idx in range(self.usize):
0d00568
+			u=semanage_seuser_by_idx(self.ulist, idx)
0d00568
+			name=semanage_seuser_get_name(u)
0d00568
+			
0d00568
+			print "%-25s %-25s %-25s" % (name, semanage_seuser_get_sename(u), semanage_seuser_get_mlsrange(u))
0d00568
+
0d00568
+class seluserRecords:
0d00568
+	def __init__(self):
0d00568
+		roles=[]
0d00568
+		self.sh=semanage_handle_create()
0d00568
+		self.semanaged=semanage_is_managed(self.sh)
0d00568
+		if self.semanaged:
0d00568
+			semanage_connect(self.sh)
0d00568
+
0d00568
+	def add(self, name, roles, selevel, serange):
0d00568
+		(rc,k)=semanage_user_key_create(self.sh, name)
0d00568
+		(rc,exists)= semanage_user_exists(self.sh, k)
0d00568
+		if exists:
0d00568
+			raise ValueError("Seuser %s already defined" % name)
0d00568
+		(rc,u)= semanage_user_create(self.sh)
0d00568
+		semanage_user_set_name(self.sh, u, name)
0d00568
+		for r in roles:
0d00568
+			semanage_user_add_role(self.sh, u, r)
0d00568
+		semanage_user_set_mlsrange(self.sh, u, serange)
0d00568
+		semanage_user_set_mlslevel(self.sh, u, selevel)
0d00568
+		(rc,key) = semanage_user_key_extract(self.sh,u)
0d00568
+		semanage_begin_transaction(self.sh)
0d00568
+		semanage_user_add_local(self.sh, k, u)
0d00568
+		if semanage_commit(self.sh) != 0:
0d00568
+			raise ValueError("Failed to add SELinux user")
c264106
+
0d00568
+		self.dict[name]=seluser(name, roles, selevel, serange)
15d8551
+		
0d00568
+	def modify(self, name, roles=[], selevel="", serange=""):
0d00568
+		(rc,k)=semanage_user_key_create(self.sh, name)
0d00568
+		(rc,exists)= semanage_user_exists(self.sh, k)
0d00568
+		if not exists:
0d00568
+			raise ValueError("user %s is not defined" % name)
0d00568
+		(rc,u)= semanage_user_query(self.sh, k)
0d00568
+		if rc !=0 :
0d00568
+			raise ValueError("User %s is not defined." % name)
0d00568
+		if len(roles) == 0  and serange=="" and selevel=="":
0d00568
+			raise ValueError("Requires, roles, level  or range")
0d00568
+		if serange != "":
0d00568
+			semanage_user_set_mlsrange(self.sh, u, serange)
0d00568
+		if selevel != "":
0d00568
+			semanage_user_set_mlslevel(self.sh, u, selevel)
0d00568
+		if len(roles) != 0:
0d00568
+			for r in roles:
0d00568
+				print r
0d00568
+				semanage_user_add_role(self.sh, u, r)
0d00568
+		semanage_begin_transaction(self.sh)
0d00568
+		semanage_user_modify_local(self.sh, k, u)
0d00568
+		if semanage_commit(self.sh) != 0:
0d00568
+			raise ValueError("Failed to modify SELinux user")
0d00568
+
15d8551
+		
0d00568
+	def delete(self, name):
0d00568
+		(rc,k)=semanage_user_key_create(self.sh, name)
0d00568
+		(rc,exists)= semanage_user_exists(self.sh, k)
0d00568
+		if not exists:
0d00568
+			raise ValueError("user %s is not defined" % name)
0d00568
+		semanage_begin_transaction(self.sh)
0d00568
+		semanage_user_del_local(self.sh, k)
0d00568
+		if semanage_commit(self.sh) != 0:
0d00568
+			raise ValueError("Login User %s not defined" % name)
0d00568
+		
0d00568
+	def list(self):
0d00568
+		print "\n%-15s %-10s %-20s" % ("", "MLS/", "MLS/")
0d00568
+		print "%-15s %-10s %-15s %-20s\n" % ("SELinux User", "MCS Level", "MCS Range", "SELinux Roles")
0d00568
+		(status, self.ulist, self.usize) = semanage_user_list(self.sh)
0d00568
+		for idx in range(self.usize):
0d00568
+			u=semanage_user_by_idx(self.ulist, idx)
0d00568
+			name=semanage_user_get_name(u)
0d00568
+			(status, rlist, rlist_size) = semanage_user_get_roles(self.sh, u)
0d00568
+			roles=""
0d00568
+
0d00568
+			if rlist_size:
0d00568
+				roles+=char_by_idx(rlist, 0)
0d00568
+				for ridx in range (1,rlist_size):
0d00568
+					roles+=" " + char_by_idx(rlist, ridx)
0d00568
+			print "%-15s %-10s %-15s %s" % (semanage_user_get_name(u), semanage_user_get_mlslevel(u), semanage_user_get_mlsrange(u), roles)
6c7ca7b
+
0d00568
+class portRecords:
0d00568
+	def __init__(self):
0d00568
+		self.dict={}
0d00568
+		self.sh=semanage_handle_create()
0d00568
+		self.semanaged=semanage_is_managed(self.sh)
0d00568
+		if self.semanaged:
0d00568
+			semanage_connect(self.sh)
0d00568
+
0d00568
+	def add(self, name, type):
0d00568
+		(rc,k)=semanage_port_key_create(self.sh, name)
0d00568
+		(rc,exists)= semanage_port_exists(self.sh, k)
0d00568
+		if exists:
0d00568
+			raise ValueError("User %s already defined" % name)
0d00568
+		(rc,u)= semanage_port_create(self.sh)
0d00568
+		semanage_port_set_name(self.sh, u, name)
0d00568
+		semanage_port_set_mlsrange(self.sh, u, serange)
0d00568
+		semanage_port_set_sename(self.sh, u, sename)
0d00568
+		semanage_begin_transaction(self.sh)
0d00568
+		semanage_port_add(self.sh, k, u)
0d00568
+		if semanage_commit(self.sh) != 0:
0d00568
+			raise ValueError("Failed to add port")
0d00568
+
0d00568
+	def modify(self, name, type):
0d00568
+		(rc,k)=semanage_port_key_create(self.sh, name)
0d00568
+		(rc,u)= semanage_port_query(self.sh, k)
0d00568
+		if rc !=0 :
0d00568
+			raise ValueError("User %s is not defined." % name)
0d00568
+		if sename == "" and serange=="":
0d00568
+			raise ValueError("Requires, port or serange")
0d00568
+		if serange != "":
0d00568
+			semanage_port_set_mlsrange(self.sh, u, serange)
0d00568
+		if sename != "":
0d00568
+			semanage_port_set_sename(self.sh, u, sename)
0d00568
+		semanage_begin_transaction(self.sh)
0d00568
+		semanage_port_modify(self.sh, k, u)
0d00568
+		if semanage_commit(self.sh) != 0:
0d00568
+			raise ValueError("Failed to add port")
0d00568
+		
0d00568
+	def delete(self, name):
0d00568
+		(rc,k)=semanage_port_key_create(self.sh, name)
0d00568
+		semanage_begin_transaction(self.sh)
0d00568
+		semanage_port_del(self.sh, k)
0d00568
+		if semanage_commit(self.sh) != 0:
0d00568
+			raise ValueError("Port %s not defined" % name)
0d00568
+		
0d00568
+	def list(self):
0d00568
+		(status, self.plist, self.psize) = semanage_port_list(self.sh)
0d00568
+		print "%-25s %s\n" % ("SELinux Port Name", "Port Number")
0d00568
+		for idx in range(self.psize):
0d00568
+			u=semanage_port_by_idx(self.plist, idx)
0d00568
+			name=semanage_port_get_name(u)
0d00568
+			print "%20s %d" % ( name, semanage_port_get_number(u))
0d00568
+			
a770942
+if __name__ == '__main__':
c264106
+
0d00568
+	def usage(message=""):
0d00568
+		print '\
0d00568
+semanage user [-admsRrh] SELINUX_USER\n\
0d00568
+semanage login [-admsrh] LOGIN_NAME\n\
0d00568
+semanage port [-admth] SELINUX_PORT_NAME\n\
0d00568
+	-a, --add        Add a OBJECT record NAME\n\
0d00568
+	-d, --delete     Delete a OBJECT record NAME\n\
0d00568
+	-h, --help       display this message\n\
0d00568
+	-l, --list       List the OBJECTS\n\
0d00568
+	-m, --modify     Modify a OBJECT record NAME\n\
0d00568
+	-r, --range      MLS/MCS Security Range\n\
0d00568
+	-R, --roles      SELinux Roles (Separate by spaces)\n\
0d00568
+	-s, --seuser     SELinux user name\n\
0d00568
+	-t, --type       SELinux Type for the object\n\
0d00568
+	-v, --verbose    verbose output\n\
0d00568
+'
0d00568
+		print message
a770942
+		sys.exit(1)
a770942
+		
a770942
+	def errorExit(error):
a770942
+		sys.stderr.write("%s: " % sys.argv[0])
a770942
+		sys.stderr.write("%s\n" % error)
a770942
+		sys.stderr.flush()
a770942
+		sys.exit(1)
a770942
+
a770942
+	#
a770942
+	# 
a770942
+	#
a770942
+	try:
0d00568
+		objectlist=("login", "user", "port")
a770942
+		input=sys.stdin
a770942
+		output=sys.stdout
0d00568
+		serange="s0"
0d00568
+		selevel="s0"
0d00568
+		roles=""
0d00568
+		seuser=""
0d00568
+		type=""
0d00568
+		add=0
0d00568
+		modify=0
0d00568
+		delete=0
0d00568
+		list=0
0d00568
+		if len(sys.argv) < 3:
0d00568
+			usage("Requires 2 or more arguments")
0d00568
+			
0d00568
+		object=sys.argv[1]
0d00568
+		if object not in objectlist:
0d00568
+			usage("%s not defined" % object)
0d00568
+			
0d00568
+		args=sys.argv[2:]
0d00568
+		gopts, cmds = getopt.getopt(args,
0d00568
+					    'adlhms:R:r:t:v',
0d00568
+					    ['add',
0d00568
+					     'delete',
a770942
+					     'help',
0d00568
+					     'list', 
0d00568
+					     'modify',
0d00568
+					     'seuser=',
0d00568
+					     'range=',
0d00568
+					     'roles=',
0d00568
+					     'type=',
a770942
+					     'verbose'
a770942
+					     ])
a770942
+		for o,a in gopts:
0d00568
+			if o == "-a" or o == "--add":
0d00568
+				if modify or delete:
a770942
+					usage()
0d00568
+				add=1
0d00568
+				
0d00568
+			if o == "-d"  or o == "--delese":
0d00568
+				if modify or add:
0d00568
+					usage()
0d00568
+				delete=1
a770942
+			if o == "-h" or o == "--help":
c264106
+				usage()
0d00568
+
0d00568
+			if o == "-m"or o == "--modify":
0d00568
+				if delete or add:
a770942
+					usage()
0d00568
+				modify=1
0d00568
+				
0d00568
+			if o == "-r" or o == '--range':
0d00568
+				serange=a
0d00568
+
0d00568
+			if o == "-R" or o == '--roles':
0d00568
+				roles=a
0d00568
+
0d00568
+			if o == "-t" or o == "--type":
0d00568
+				type=a
0d00568
+
0d00568
+			if o == "-l" or o == "--list":
0d00568
+				list=1
0d00568
+
0d00568
+			if o == "-s" or o == "--seuser":
0d00568
+				seuser=a
0d00568
+
a770942
+			if o == "-v" or o == "--verbose":
a770942
+				verbose=1
15d8551
+
0d00568
+		if object == "login":
0d00568
+			OBJECT=loginRecords()
0d00568
+
0d00568
+		if object == "user":
0d00568
+			OBJECT=seluserRecords()
0d00568
+
0d00568
+		if object == "port":
0d00568
+			OBJECT=portRecords()
0d00568
+		
0d00568
+		if list:
0d00568
+			OBJECT.list()
0d00568
+			sys.exit(0);
0d00568
+			
0d00568
+		if len(cmds) != 1:
0d00568
+			usage()
0d00568
+
0d00568
+		name=cmds[0]
0d00568
+
0d00568
+		if add:
0d00568
+			if object == "login":
0d00568
+				OBJECT.add(name, seuser, serange)
0d00568
+
0d00568
+			if object == "user":
0d00568
+				rlist=roles.split()
0d00568
+				print rlist
0d00568
+				OBJECT.add(name, rlist, selevel, serange)
0d00568
+
0d00568
+			if object == "port":
0d00568
+				OBJECT.add(name, type)
0d00568
+
0d00568
+			OBJECT.list()
0d00568
+			sys.exit(0);
0d00568
+			
0d00568
+		if modify:
0d00568
+			if object == "login":
0d00568
+				OBJECT.modify(name, seuser, serange)
0d00568
+
0d00568
+			if object == "user":
0d00568
+				rlist=roles.split()
0d00568
+				print rlist
0d00568
+				OBJECT.modify(name, rlist, selevel, serange)
0d00568
+
0d00568
+			if object == "port":
0d00568
+				OBJECT.modify(name, type)
0d00568
+				sys.exit(0);
0d00568
+			OBJECT.list()
0d00568
+			sys.exit(0);
0d00568
+
0d00568
+		if delete:
0d00568
+			OBJECT.delete(name)
0d00568
+			sys.exit(0);
0d00568
+		usage()
0d00568
+			
a770942
+	except getopt.error, error:
a770942
+		errorExit("Options Error " + error.msg)
a770942
+	except ValueError, error:
a770942
+		errorExit(error.args[0])
a770942
+	except IOError, error:
a770942
+		errorExit(error.args[1])
a770942
+	except KeyboardInterrupt, error:
a770942
+		sys.exit(0)
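Review bot: `loginRecords.add` calls `pwd.getpwname(name)`, which does not exist in the `pwd` module (the function is `pwd.getpwnam`), and the bare `except:` around it swallows the resulting AttributeError, so every add is rejected with "Linux User %s does not exist"; the fix is `pwd.getpwnam(name)` with `except KeyError:` so that only a genuinely unknown login is reported. Several other paths in this file appear to raise NameError at runtime: `seluserRecords.add` ends with `self.dict[name]=seluser(...)` although neither `self.dict` nor `seluser` is defined in that class, and `portRecords.add`/`modify` reference `serange` and `sename` that are never bound in those methods. In the option loop the long form is spelled `"--delese"`, so `--delete` is accepted by getopt but never sets `delete=1`, and the script falls through to `usage()`. `loginRecords.delete` tests `rc` rather than `exists` after `semanage_seuser_exists`, so deleting an unknown mapping is not caught until `semanage_commit` fails.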
0d00568
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semanage/semanage.8 policycoreutils-1.27.29/semanage/semanage.8
0d00568
--- nsapolicycoreutils/semanage/semanage.8	1969-12-31 19:00:00.000000000 -0500
0d00568
+++ policycoreutils-1.27.29/semanage/semanage.8	2005-11-29 00:04:31.000000000 -0500
0d00568
@@ -0,0 +1,57 @@
0d00568
+.TH "semanage" "8" "2005111103" "" ""
0d00568
+.SH "NAME"
0d00568
+semanage \- SELinux Policy Management tool
0d00568
+
0d00568
+.SH "SYNOPSIS"
0d00568
+.B semanage OBJECTTYPE [\-admsrh] OBJECT
0d00568
+.B semanage login [\-admsrh] login_name
0d00568
+.br
0d00568
+.B semanage seuser [\-admsrh] selinux_name
0d00568
+.br
0d00568
+.B semanage port [\-admth] port_number
0d00568
+.P
0d00568
+This tool is used to manage configuration of the SELinux policy
0d00568
+
0d00568
+.SH "DESCRIPTION"
0d00568
+This manual page describes the
0d00568
+.BR semanage
0d00568
+program.
0d00568
+.br
0d00568
+This tool is used to manage configuration of SELinux Policy.  You can configure SELinux User Mappings, SELinux Port Mappings, SELinux Users.
0d00568
+
0d00568
+
0d00568
+.SH "OPTIONS"
0d00568
+.TP 
0d00568
+                \-a, \-\-add        
0d00568
+.P
0d00568
+Add a OBJECT record NAME
0d00568
+.B                \-d, \-\-delete     
0d00568
+.P
0d00568
+Delete a OBJECT record NAME
0d00568
+.B                \-h, \-\-help       
0d00568
+.P
0d00568
+display this message
0d00568
+.B                \-l, \-\-list       
0d00568
+.P
0d00568
+List the OBJECTS
0d00568
+.B                \-m, \-\-modify     
0d00568
+.P
0d00568
+Modify a OBJECT record NAME
0d00568
+.B                \-r, \-\-range      
0d00568
+.P
0d00568
+MLS/MCS Security Range
0d00568
+.B                \-s, \-\-seuser     
0d00568
+.P
0d00568
+SELinux user name
0d00568
+.B                \-t, \-\-type       
0d00568
+.P
0d00568
+SELinux Type for the object
0d00568
+.B                \-v, \-\-verbose    
0d00568
+.P
0d00568
+verbose output
0d00568
+
0d00568
+.SH "AUTHOR"
0d00568
+This man page was written by Daniel Walsh <dwalsh@redhat.com>.
0d00568
+
0d00568
+
0d00568
+
0d00568
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/sestatus/sestatus.8 policycoreutils-1.27.29/sestatus/sestatus.8
0d00568
--- nsapolicycoreutils/sestatus/sestatus.8	2005-09-12 16:33:30.000000000 -0400
0d00568
+++ policycoreutils-1.27.29/sestatus/sestatus.8	2005-11-29 00:04:31.000000000 -0500
0d00568
@@ -1,10 +1,10 @@
0d00568
-.TH "sestatus" "8" "2002031409" "" ""
0d00568
+.TH "sestatus" "8" "2005111103" "" ""
0d00568
 .SH "NAME"
0d00568
 sestatus \- SELinux status tool
0d00568
 
0d00568
 .SH "SYNOPSIS"
0d00568
 .B sestatus
0d00568
-.I [\-v]  
0d00568
+.I [\-v] [\-b]  
0d00568
 .P
0d00568
 This tool is used to get the status of a system running SELinux.
0d00568
 
0d00568
@@ -33,6 +33,10 @@
0d00568
  Checks the contexts of a files , and a processes listed in the /etc/sestatus.conf file.  It also checks the context of the target, in cases of
0d00568
 symlinks.
0bfa56b
 
0d00568
+.B \-b
0d00568
+.P
0d00568
+Display the current state of booleans.
0d00568
+
54ecf23
 
0d00568
 .SH "FILES"
0d00568
 /etc/sestatus.conf
0d00568
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/sestatus/sestatus.c policycoreutils-1.27.29/sestatus/sestatus.c
0d00568
--- nsapolicycoreutils/sestatus/sestatus.c	2005-09-12 16:33:30.000000000 -0400
0d00568
+++ policycoreutils-1.27.29/sestatus/sestatus.c	2005-11-29 00:04:31.000000000 -0500
0d00568
@@ -178,19 +178,33 @@
0d00568
 	char **bools;
0d00568
 	int nbool;
70ccd99
 
0d00568
+	int verbose=0;
0d00568
+	int show_bools=0;
0d00568
+
0d00568
+
0d00568
 	/* policy */
0d00568
 	const char *pol_name;
0d00568
 	char *pol_path;
0d00568
 
0d00568
-	opt=getopt(argc, argv, "v");
0d00568
-	if(opt == '?') {
0d00568
-		/* invalid option */
0d00568
-		printf("\nUsage: %s [OPTION]\n\n", basename(argv[0]));
0d00568
-		printf("  -v  Verbose check of process and file contexts.\n");
0d00568
-		printf("\nWithout options, show SELinux status.\n");
0d00568
-		return -1;
0d00568
+	while (1) {
0d00568
+		opt=getopt(argc, argv, "vb");
0d00568
+		if (opt == -1)
0d00568
+			break;
0d00568
+		switch (opt) {
0d00568
+		case 'v':
0d00568
+			verbose=1;
0d00568
+			break;
0d00568
+		case 'b':
0d00568
+			show_bools=1;
0d00568
+			break;
0d00568
+		default:
0d00568
+			/* invalid option */
0d00568
+			printf("\nUsage: %s [OPTION]\n\n", basename(argv[0]));
0d00568
+			printf("  -v  Verbose check of process and file contexts.\n");
0d00568
+			printf("\nWithout options, show SELinux status.\n");
0d00568
+			return -1;
0d00568
+		}
0d00568
 	}
0d00568
-
0d00568
 	printf_tab("SELinux status:");
0d00568
 	rc=is_selinux_enabled();
0d00568
 
0d00568
@@ -266,32 +280,34 @@
0d00568
 		printf("error (%s)\n", strerror(errno));
0d00568
 	}
0d00568
 
0d00568
-	/* show booleans */
0d00568
-	if(security_get_boolean_names(&bools,&nbool) >= 0) {
0d00568
-		printf("\nPolicy booleans:\n");
0d00568
-
0d00568
-		for( i=0 ; i
0d00568
-			if (strlen(bools[i]) + 1 > COL) 
0d00568
-			    COL=strlen(bools[i])+1;
0d00568
-		}
0d00568
-		for( i=0 ; i
0d00568
-			printf_tab(bools[i]);
0d00568
 
0d00568
-			rc=security_get_boolean_active(bools[i]);
0d00568
-			switch(rc) {
0d00568
+	if (show_bools) {
0d00568
+		/* show booleans */
0d00568
+		if(security_get_boolean_names(&bools,&nbool) >= 0) {
0d00568
+			printf("\nPolicy booleans:\n");
0d00568
+			
0d00568
+			for( i=0 ; i
0d00568
+				if (strlen(bools[i]) + 1 > COL) 
0d00568
+					COL=strlen(bools[i])+1;
0d00568
+			}
0d00568
+			for( i=0 ; i
0d00568
+				printf_tab(bools[i]);
0d00568
+				
0d00568
+				rc=security_get_boolean_active(bools[i]);
0d00568
+				switch(rc) {
0d00568
 				case 1:
0d00568
-					printf("active");
0d00568
+					printf("on");
0d00568
 					break;
0d00568
 				case 0:
0d00568
-					printf("inactive");
0d00568
+					printf("off");
0d00568
 					break;
0d00568
 				default:
0d00568
 					printf("unknown (%s)",strerror(errno));
0d00568
 					break;
0d00568
-			}
0d00568
-			c=security_get_boolean_pending(bools[i]);
0d00568
-			if(c != rc)
0d00568
-				switch(c) {
0d00568
+				}
0d00568
+				c=security_get_boolean_pending(bools[i]);
0d00568
+				if(c != rc)
0d00568
+					switch(c) {
0d00568
 					case 1:
0d00568
 						printf(" (activate pending)");
0d00568
 						break;
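Review bot: When `-b` is given and `security_get_boolean_names` fails, the new `if (show_bools)` block prints nothing at all, so the user cannot distinguish "no booleans" from "could not read booleans"; the rest of this program reports such failures (see `printf("error (%s)\n", strerror(errno))` at the top of the hunk), and an `else printf("\nPolicy booleans: error (%s)\n", strerror(errno));` on the inner `if` would keep that convention. The `for( i=0 ; i` lines appear truncated in this rendering, so the loop bounds could not be checked here. The enclosing `main` begins before this hunk and the boolean block's closing braces are in the next hunk.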
0d00568
@@ -301,17 +317,17 @@
0d00568
 					default:
0d00568
 						printf(" (pending error: %s)",strerror(errno));
0d00568
 						break;
0d00568
-				}
0d00568
-			printf("\n");
0d00568
-
0d00568
-			/* free up the booleans */
0d00568
-			free(bools[i]);
0d00568
+					}
0d00568
+				printf("\n");
0d00568
+				
0d00568
+				/* free up the booleans */
0d00568
+				free(bools[i]);
0d00568
+			}
0d00568
+			free(bools);
0d00568
 		}
0d00568
-		free(bools);
0d00568
 	}
0d00568
-
0d00568
 	/* only show contexts if -v is given */
0d00568
-	if(opt != 'v') return 0;
0d00568
+	if(!verbose) return 0;
70ccd99
 
0d00568
 	load_checks(pc,&npc,fc,&nfc;;
70ccd99