|
|
4bf679b |
diff --exclude-from=exclude --exclude=sepolgen-1.0.8 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/Makefile policycoreutils-2.0.23/Makefile
|
|
|
e0e7eda |
--- nsapolicycoreutils/Makefile 2007-07-16 14:20:43.000000000 -0400
|
|
|
4bf679b |
+++ policycoreutils-2.0.23/Makefile 2007-08-22 16:29:22.000000000 -0400
|
|
|
e568e7a |
@@ -1,4 +1,4 @@
|
|
|
6f8d769 |
-SUBDIRS=setfiles semanage load_policy newrole run_init restorecond secon audit2allow audit2why scripts sestatus semodule_package semodule semodule_link semodule_expand semodule_deps setsebool po
|
|
|
6f8d769 |
+SUBDIRS=setfiles semanage load_policy newrole run_init restorecond secon audit2allow audit2why scripts sestatus semodule_package semodule semodule_link semodule_expand semodule_deps setsebool po gui
|
|
|
e568e7a |
|
|
|
e568e7a |
all install relabel clean indent:
|
|
|
e568e7a |
@for subdir in $(SUBDIRS); do \
|
|
|
4bf679b |
diff --exclude-from=exclude --exclude=sepolgen-1.0.8 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.c policycoreutils-2.0.23/restorecond/restorecond.c
|
|
|
e0e7eda |
--- nsapolicycoreutils/restorecond/restorecond.c 2007-07-16 14:20:41.000000000 -0400
|
|
|
4bf679b |
+++ policycoreutils-2.0.23/restorecond/restorecond.c 2007-08-22 16:29:22.000000000 -0400
|
|
|
9ac2144 |
@@ -210,9 +210,10 @@
|
|
|
9ac2144 |
}
|
|
|
9ac2144 |
|
|
|
9ac2144 |
if (fsetfilecon(fd, scontext) < 0) {
|
|
|
9ac2144 |
- syslog(LOG_ERR,
|
|
|
9ac2144 |
- "set context %s->%s failed:'%s'\n",
|
|
|
9ac2144 |
- filename, scontext, strerror(errno));
|
|
|
9ac2144 |
+ if (errno != EOPNOTSUPP)
|
|
|
9ac2144 |
+ syslog(LOG_ERR,
|
|
|
9ac2144 |
+ "set context %s->%s failed:'%s'\n",
|
|
|
9ac2144 |
+ filename, scontext, strerror(errno));
|
|
|
9ac2144 |
if (retcontext >= 0)
|
|
|
9ac2144 |
free(prev_context);
|
|
|
9ac2144 |
free(scontext);
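Review bot: Dropping the syslog entirely when errno is EOPNOTSUPP (the new guard before the fsetfilecon() message here, and the identical guard before the getfilecon() message in the next hunk) means a watched path that lives on a filesystem without xattr support silently never gets relabelled, which makes a misplaced restorecond watch entry hard to diagnose. Downgrading instead of suppressing keeps the event visible to anyone debugging, e.g. `syslog(errno == EOPNOTSUPP ? LOG_DEBUG : LOG_ERR, "set context %s->%s failed:'%s'\n", filename, scontext, strerror(errno));`. A brace-less `if` wrapping a three-line call is also easy to misread when a statement is later added under it; braces would make the intent explicit. The enclosing function begins before this hunk.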
|
|
|
9ac2144 |
@@ -225,8 +226,9 @@
|
|
|
9ac2144 |
if (retcontext >= 0)
|
|
|
9ac2144 |
free(prev_context);
|
|
|
9ac2144 |
} else {
|
|
|
9ac2144 |
- syslog(LOG_ERR, "get context on %s failed: '%s'\n",
|
|
|
9ac2144 |
- filename, strerror(errno));
|
|
|
9ac2144 |
+ if (errno != EOPNOTSUPP)
|
|
|
9ac2144 |
+ syslog(LOG_ERR, "get context on %s failed: '%s'\n",
|
|
|
9ac2144 |
+ filename, strerror(errno));
|
|
|
9ac2144 |
}
|
|
|
9ac2144 |
free(scontext);
|
|
|
9ac2144 |
close(fd);
|
|
|
4bf679b |
diff --exclude-from=exclude --exclude=sepolgen-1.0.8 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/genhomedircon policycoreutils-2.0.23/scripts/genhomedircon
|
|
|
32455f3 |
--- nsapolicycoreutils/scripts/genhomedircon 1969-12-31 19:00:00.000000000 -0500
|
|
|
4bf679b |
+++ policycoreutils-2.0.23/scripts/genhomedircon 2007-08-23 10:08:04.000000000 -0400
|
|
|
32455f3 |
@@ -0,0 +1,404 @@
|
|
|
32455f3 |
+#! /usr/bin/python -E
|
|
|
32455f3 |
+# Copyright (C) 2004 Tresys Technology, LLC
|
|
|
32455f3 |
+# see file 'COPYING' for use and warranty information
|
|
|
32455f3 |
+#
|
|
|
32455f3 |
+# genhomedircon - this script is used to generate file context
|
|
|
32455f3 |
+# configuration entries for user home directories based on their
|
|
|
32455f3 |
+# default prefixes and is run when building the policy. Specifically, we
|
|
|
32455f3 |
+# replace HOME_ROOT, HOME_DIR, and ROLE macros in .fc files with
|
|
|
32455f3 |
+# generic and user-specific values.
|
|
|
32455f3 |
+#
|
|
|
32455f3 |
+# Based off original script by Dan Walsh, <dwalsh@redhat.com>
|
|
|
32455f3 |
+#
|
|
|
32455f3 |
+# ASSUMPTIONS:
|
|
|
32455f3 |
+#
|
|
|
32455f3 |
+# The file CONTEXTDIR/files/homedir_template exists. This file is used to
|
|
|
32455f3 |
+# set up the home directory context for each real user.
|
|
|
32455f3 |
+#
|
|
|
32455f3 |
+# If a user is not listed in CONTEXTDIR/seusers, he will default to user_u, prefix user
|
|
|
32455f3 |
+#
|
|
|
32455f3 |
+# "Real" users (as opposed to system users) are those whose UID is greater than
|
|
|
32455f3 |
+# or equal STARTING_UID (usually 500) and whose login is not a member of
|
|
|
32455f3 |
+# EXCLUDE_LOGINS. Users who are explicitly defined in CONTEXTDIR/seusers
|
|
|
32455f3 |
+# are always "real" (including root, in the default configuration).
|
|
|
32455f3 |
+#
|
|
|
32455f3 |
+#
|
|
|
32455f3 |
+
|
|
|
32455f3 |
+import sys, os, pwd, string, getopt, re
|
|
|
32455f3 |
+from semanage import *;
|
|
|
32455f3 |
+import selinux
|
|
|
32455f3 |
+import gettext
|
|
|
32455f3 |
+gettext.install('policycoreutils')
|
|
|
32455f3 |
+
|
|
|
32455f3 |
+def grep(file, var):
|
|
|
32455f3 |
+ ret = ""
|
|
|
32455f3 |
+ fd = open(file, 'r')
|
|
|
32455f3 |
+
|
|
|
32455f3 |
+ for i in fd.readlines():
|
|
|
32455f3 |
+ if re.search(var, i, 0) != None:
|
|
|
32455f3 |
+ ret = i
|
|
|
32455f3 |
+ break
|
|
|
32455f3 |
+ fd.close()
|
|
|
32455f3 |
+ return ret
|
|
|
32455f3 |
+
|
|
|
32455f3 |
+def findval(file, var, delim = ""):
|
|
|
32455f3 |
+ val = ""
|
|
|
32455f3 |
+ try:
|
|
|
32455f3 |
+ fd = open(file, 'r')
|
|
|
32455f3 |
+ for i in fd.readlines():
|
|
|
32455f3 |
+ if i.startswith(var) == 1:
|
|
|
32455f3 |
+ if delim == "":
|
|
|
32455f3 |
+ val = i.split()[1]
|
|
|
32455f3 |
+ else:
|
|
|
32455f3 |
+ val = i.split(delim)[1]
|
|
|
32455f3 |
+ val = val.split("#")[0]
|
|
|
32455f3 |
+ val = val.strip()
|
|
|
32455f3 |
+ fd.close()
|
|
|
32455f3 |
+ except:
|
|
|
32455f3 |
+ val = ""
|
|
|
32455f3 |
+ return val
|
|
|
32455f3 |
+
|
|
|
32455f3 |
+def getStartingUID():
|
|
|
32455f3 |
+ starting_uid = sys.maxint
|
|
|
32455f3 |
+ uid_min = findval("/etc/login.defs", "UID_MIN")
|
|
|
32455f3 |
+ if uid_min != "":
|
|
|
32455f3 |
+ uid_min = uid_min.split("#")[0]
|
|
|
32455f3 |
+ uid_min = uid_min.strip()
|
|
|
32455f3 |
+ if int(uid_min) < starting_uid:
|
|
|
32455f3 |
+ starting_uid = int(uid_min)
|
|
|
32455f3 |
+
|
|
|
32455f3 |
+ uid_min = findval("/etc/libuser.conf", "LU_UIDNUMBER", "=")
|
|
|
32455f3 |
+ if uid_min != "":
|
|
|
32455f3 |
+ uid_min = uid_min.split("#")[0]
|
|
|
32455f3 |
+ uid_min = uid_min.strip()
|
|
|
32455f3 |
+ if int(uid_min) < starting_uid:
|
|
|
32455f3 |
+ starting_uid = int(uid_min)
|
|
|
32455f3 |
+
|
|
|
32455f3 |
+ if starting_uid == sys.maxint:
|
|
|
32455f3 |
+ starting_uid = 500
|
|
|
32455f3 |
+ return starting_uid
|
|
|
32455f3 |
+
|
|
|
32455f3 |
+def getDefaultHomeDir():
|
|
|
32455f3 |
+ ret = []
|
|
|
32455f3 |
+ homedir = findval("/etc/default/useradd", "HOME", "=")
|
|
|
32455f3 |
+ if homedir != "" and not homedir in ret:
|
|
|
32455f3 |
+ ret.append(homedir)
|
|
|
32455f3 |
+
|
|
|
32455f3 |
+ homedir = findval("/etc/libuser.conf", "LU_HOMEDIRECTORY", "=")
|
|
|
32455f3 |
+ if homedir != "" and not homedir in ret:
|
|
|
32455f3 |
+ ret.append(homedir)
|
|
|
32455f3 |
+
|
|
|
32455f3 |
+ if ret == []:
|
|
|
32455f3 |
+ ret.append("/home")
|
|
|
32455f3 |
+
|
|
|
32455f3 |
+ # Add /export/home if it exists
|
|
|
32455f3 |
+ # Some customers use this for automounted homedirs
|
|
|
32455f3 |
+ if os.path.exists("/export/home"):
|
|
|
32455f3 |
+ ret.append("/export/home")
|
|
|
32455f3 |
+
|
|
|
32455f3 |
+ return ret
|
|
|
32455f3 |
+
|
|
|
32455f3 |
+def getSELinuxType(directory):
|
|
|
32455f3 |
+ val = findval(directory+"/config", "SELINUXTYPE", "=")
|
|
|
32455f3 |
+ if val != "":
|
|
|
32455f3 |
+ return val
|
|
|
32455f3 |
+ return "targeted"
|
|
|
32455f3 |
+
|
|
|
32455f3 |
+def usage(rc=0, error = ""):
|
|
|
32455f3 |
+ if error != "":
|
|
|
32455f3 |
+ sys.stderr.write("%s\n" % error)
|
|
|
32455f3 |
+ rc = 1
|
|
|
32455f3 |
+ sys.stderr.write("Usage: %s [ -d selinuxdir ] [-n | --nopasswd] [-t selinuxtype ]\n" % sys.argv[0])
|
|
|
32455f3 |
+ sys.stderr.flush()
|
|
|
32455f3 |
+ sys.exit(rc)
|
|
|
32455f3 |
+
|
|
|
32455f3 |
+def warning(warning = ""):
|
|
|
32455f3 |
+ sys.stderr.write("%s\n" % warning)
|
|
|
32455f3 |
+ sys.stderr.flush()
|
|
|
32455f3 |
+
|
|
|
32455f3 |
+def errorExit(error):
|
|
|
32455f3 |
+ sys.stderr.write("%s exiting for: " % sys.argv[0])
|
|
|
32455f3 |
+ sys.stderr.write("%s\n" % error)
|
|
|
32455f3 |
+ sys.stderr.flush()
|
|
|
32455f3 |
+ sys.exit(1)
|
|
|
32455f3 |
+
|
|
|
32455f3 |
+class selinuxConfig:
|
|
|
32455f3 |
+ def __init__(self, selinuxdir = "/etc/selinux", type = "targeted", usepwd = 1):
|
|
|
32455f3 |
+ self.semanageHandle = semanage_handle_create()
|
|
|
32455f3 |
+ self.semanaged = semanage_is_managed(self.semanageHandle)
|
|
|
32455f3 |
+ if self.semanaged:
|
|
|
32455f3 |
+ rc = semanage_connect(self.semanageHandle)
|
|
|
32455f3 |
+ if rc:
|
|
|
32455f3 |
+ errorExit("Unable to connect to semanage")
|
|
|
32455f3 |
+ (status, self.ulist) = semanage_user_list(self.semanageHandle)
|
|
|
32455f3 |
+ self.type = type
|
|
|
32455f3 |
+ self.selinuxdir = selinuxdir +"/"
|
|
|
32455f3 |
+ self.contextdir = "/contexts"
|
|
|
32455f3 |
+ self.filecontextdir = self.contextdir+"/files"
|
|
|
32455f3 |
+ self.usepwd = usepwd
|
|
|
32455f3 |
+ self.default_user = "user_u"
|
|
|
32455f3 |
+ self.default_prefix = "user"
|
|
|
32455f3 |
+ self.users = self.getUsers()
|
|
|
4ecb32d |
+ fd = open(self.getFileContextFile())
|
|
|
4ecb32d |
+ self.fclines=[]
|
|
|
4ecb32d |
+ for i in fd.readlines():
|
|
|
4ecb32d |
+ try:
|
|
|
4ecb32d |
+ regex = i.split()[0]
|
|
|
4ecb32d |
+ #match a trailing .+
|
|
|
4ecb32d |
+ regex = re.sub("\.+$", "", regex)
|
|
|
4ecb32d |
+ regex = re.sub("\.\*$", "", regex)
|
|
|
4ecb32d |
+ regex = re.sub("\(\/\.\*\)\?", "", regex)
|
|
|
4ecb32d |
+ regex = regex + "/*$"
|
|
|
4ecb32d |
+ self.fclines.append(re.compile(regex))
|
|
|
4ecb32d |
+ except:
|
|
|
4ecb32d |
+ continue
|
|
|
32455f3 |
+
|
|
|
4ecb32d |
+ fd.close()
|
|
|
4ecb32d |
+
|
|
|
32455f3 |
+ def getFileContextDir(self):
|
|
|
32455f3 |
+ return self.selinuxdir+self.type+self.filecontextdir
|
|
|
32455f3 |
+
|
|
|
32455f3 |
+ def getFileContextFile(self):
|
|
|
32455f3 |
+ return self.getFileContextDir()+"/file_contexts"
|
|
|
32455f3 |
+
|
|
|
32455f3 |
+ def getContextDir(self):
|
|
|
32455f3 |
+ return self.selinuxdir+self.type+self.contextdir
|
|
|
32455f3 |
+
|
|
|
32455f3 |
+ def getHomeDirTemplate(self):
|
|
|
32455f3 |
+ return self.getFileContextDir()+"/homedir_template"
|
|
|
32455f3 |
+
|
|
|
32455f3 |
+ def getHomeRootContext(self, homedir):
|
|
|
32455f3 |
+ ret = ""
|
|
|
32455f3 |
+ fd = open(self.getHomeDirTemplate(), 'r')
|
|
|
32455f3 |
+
|
|
|
32455f3 |
+ for i in fd.readlines():
|
|
|
32455f3 |
+ if i.find("HOME_ROOT") == 0:
|
|
|
32455f3 |
+ i = i.replace("HOME_ROOT", homedir)
|
|
|
32455f3 |
+ ret += i
|
|
|
32455f3 |
+ fd.close()
|
|
|
32455f3 |
+ if ret == "":
|
|
|
32455f3 |
+ errorExit("No Home Root Context Found")
|
|
|
32455f3 |
+ return ret
|
|
|
32455f3 |
+
|
|
|
32455f3 |
+ def heading(self):
|
|
|
32455f3 |
+ ret = "\n#\n#\n# User-specific file contexts, generated via %s\n" % sys.argv[0]
|
|
|
32455f3 |
+ if self.semanaged:
|
|
|
32455f3 |
+ ret += "# use semanage command to manage system users in order to change the file_context\n#\n#\n"
|
|
|
32455f3 |
+ else:
|
|
|
32455f3 |
+ ret += "# edit %s to change file_context\n#\n#\n" % (self.selinuxdir+self.type+"/seusers")
|
|
|
32455f3 |
+ return ret
|
|
|
32455f3 |
+
|
|
|
32455f3 |
+ def get_default_prefix(self, name):
|
|
|
32455f3 |
+ for user in self.ulist:
|
|
|
32455f3 |
+ if semanage_user_get_name(user) == name:
|
|
|
32455f3 |
+ return semanage_user_get_prefix(user)
|
|
|
32455f3 |
+ return name
|
|
|
32455f3 |
+
|
|
|
32455f3 |
+ def get_old_prefix(self, user):
|
|
|
32455f3 |
+ rc = grep(self.selinuxdir+self.type+"/users/system.users", "^user %s" % user)
|
|
|
32455f3 |
+ if rc == "":
|
|
|
32455f3 |
+ rc = grep(self.selinuxdir+self.type+"/users/local.users", "^user %s" % user)
|
|
|
32455f3 |
+ if rc != "":
|
|
|
32455f3 |
+ user = rc.split()
|
|
|
32455f3 |
+ prefix = user[3]
|
|
|
32455f3 |
+ if prefix == "{":
|
|
|
32455f3 |
+ prefix = user[4]
|
|
|
32455f3 |
+ if len(prefix) > 2 and (prefix[-2:] == "_r" or prefix[-2:] == "_u"):
|
|
|
32455f3 |
+ prefix = prefix[:-2]
|
|
|
32455f3 |
+ return prefix
|
|
|
32455f3 |
+
|
|
|
32455f3 |
+ def adduser(self, udict, user, seuser, prefix):
|
|
|
32455f3 |
+ if seuser == self.default_user or user == "__default__" or user == "system_u":
|
|
|
32455f3 |
+ return
|
|
|
32455f3 |
+ # !!! chooses first prefix in the list to use in the file context !!!
|
|
|
32455f3 |
+ try:
|
|
|
32455f3 |
+ home = pwd.getpwnam(user)[5]
|
|
|
32455f3 |
+ if home == "/":
|
|
|
32455f3 |
+ # Probably install so hard code to /root
|
|
|
32455f3 |
+ if user == "root":
|
|
|
32455f3 |
+ home = "/root"
|
|
|
32455f3 |
+ else:
|
|
|
32455f3 |
+ return
|
|
|
32455f3 |
+ except KeyError:
|
|
|
32455f3 |
+ if user == "root":
|
|
|
32455f3 |
+ home = "/root"
|
|
|
32455f3 |
+ else:
|
|
|
32455f3 |
+ sys.stderr.write("The user \"%s\" is not present in the passwd file, skipping...\n" % user)
|
|
|
32455f3 |
+ return
|
|
|
32455f3 |
+ prefs = {}
|
|
|
32455f3 |
+ prefs["seuser"] = seuser
|
|
|
32455f3 |
+ prefs["prefix"] = prefix
|
|
|
32455f3 |
+ prefs["home"] = home
|
|
|
32455f3 |
+ udict[user] = prefs
|
|
|
32455f3 |
+
|
|
|
32455f3 |
+ def setDefaultUser(self, user, prefix):
|
|
|
32455f3 |
+ self.default_user = user
|
|
|
32455f3 |
+ self.default_prefix = prefix
|
|
|
32455f3 |
+
|
|
|
32455f3 |
+ def getUsers(self):
|
|
|
32455f3 |
+ udict = {}
|
|
|
32455f3 |
+ if self.semanaged:
|
|
|
32455f3 |
+ (status, list) = semanage_seuser_list(self.semanageHandle)
|
|
|
32455f3 |
+ for seuser in list:
|
|
|
32455f3 |
+ user = []
|
|
|
32455f3 |
+ seusername = semanage_seuser_get_sename(seuser)
|
|
|
32455f3 |
+ prefix = self.get_default_prefix(seusername)
|
|
|
32455f3 |
+ if semanage_seuser_get_name(seuser) == "__default__":
|
|
|
32455f3 |
+ self.setDefaultUser(seusername, prefix)
|
|
|
32455f3 |
+
|
|
|
32455f3 |
+ self.adduser(udict, semanage_seuser_get_name(seuser), seusername, prefix)
|
|
|
32455f3 |
+
|
|
|
32455f3 |
+ else:
|
|
|
32455f3 |
+ try:
|
|
|
32455f3 |
+ fd = open(self.selinuxdir+self.type+"/seusers")
|
|
|
32455f3 |
+ for u in fd.readlines():
|
|
|
32455f3 |
+ u = u.strip()
|
|
|
32455f3 |
+ if len(u) == 0 or u[0] == "#":
|
|
|
32455f3 |
+ continue
|
|
|
32455f3 |
+ user = u.split(":")
|
|
|
32455f3 |
+ if len(user) < 2:
|
|
|
32455f3 |
+ continue
|
|
|
32455f3 |
+
|
|
|
32455f3 |
+ prefix = self.get_old_prefix(user[1])
|
|
|
32455f3 |
+ self.adduser(udict, user[0], user[1], prefix)
|
|
|
32455f3 |
+ fd.close()
|
|
|
32455f3 |
+ except IOError, error:
|
|
|
32455f3 |
+ # Must be install so force add of root
|
|
|
32455f3 |
+ self.adduser(udict, "root", "root", "root")
|
|
|
32455f3 |
+
|
|
|
32455f3 |
+ return udict
|
|
|
32455f3 |
+
|
|
|
32455f3 |
+ def getHomeDirContext(self, user, seuser, home, prefix):
|
|
|
32455f3 |
+ ret = "\n\n#\n# Home Context for user %s\n#\n\n" % user
|
|
|
32455f3 |
+ fd = open(self.getHomeDirTemplate(), 'r')
|
|
|
32455f3 |
+ for i in fd.readlines():
|
|
|
32455f3 |
+ if i.startswith("HOME_DIR") == 1:
|
|
|
32455f3 |
+ i = i.replace("HOME_DIR", home)
|
|
|
32455f3 |
+ i = i.replace("ROLE", prefix)
|
|
|
32455f3 |
+ i = i.replace("system_u", seuser)
|
|
|
32455f3 |
+ # Validate if the generated context exists. Some user types may not exist
|
|
|
32455f3 |
+ scon = i.split()[-1]
|
|
|
32455f3 |
+ if selinux.is_selinux_enabled() < 1 or selinux.security_check_context(scon) == 0:
|
|
|
32455f3 |
+ ret = ret+i
|
|
|
32455f3 |
+ fd.close()
|
|
|
32455f3 |
+ return ret
|
|
|
32455f3 |
+
|
|
|
32455f3 |
+ def getUserContext(self, user, sel_user, prefix):
|
|
|
32455f3 |
+ ret = ""
|
|
|
32455f3 |
+ fd = open(self.getHomeDirTemplate(), 'r')
|
|
|
32455f3 |
+ for i in fd.readlines():
|
|
|
4bf679b |
+ if i.find("USER") > 0:
|
|
|
32455f3 |
+ i = i.replace("USER", user)
|
|
|
32455f3 |
+ i = i.replace("ROLE", prefix)
|
|
|
32455f3 |
+ i = i.replace("system_u", sel_user)
|
|
|
32455f3 |
+ ret = ret+i
|
|
|
32455f3 |
+ fd.close()
|
|
|
32455f3 |
+ return ret
|
|
|
32455f3 |
+
|
|
|
32455f3 |
+ def genHomeDirContext(self):
|
|
|
32455f3 |
+ ret = ""
|
|
|
32455f3 |
+ # Fill in HOME and prefix for users that are defined
|
|
|
32455f3 |
+ for u in self.users.keys():
|
|
|
32455f3 |
+ ret += self.getHomeDirContext (u, self.users[u]["seuser"], self.users[u]["home"], self.users[u]["prefix"])
|
|
|
32455f3 |
+ ret += self.getUserContext (u, self.users[u]["seuser"], self.users[u]["prefix"])
|
|
|
32455f3 |
+ return ret+"\n"
|
|
|
32455f3 |
+
|
|
|
32455f3 |
+ def checkExists(self, home):
|
|
|
4ecb32d |
+ for i in self.fclines:
|
|
|
32455f3 |
+ try:
|
|
|
4ecb32d |
+ if i.match(home):
|
|
|
32455f3 |
+ return 1
|
|
|
32455f3 |
+ except:
|
|
|
32455f3 |
+ continue
|
|
|
32455f3 |
+ return 0
|
|
|
32455f3 |
+
|
|
|
32455f3 |
+ def getHomeDirs(self):
|
|
|
32455f3 |
+ homedirs = getDefaultHomeDir()
|
|
|
32455f3 |
+ starting_uid = getStartingUID()
|
|
|
32455f3 |
+ if self.usepwd == 0:
|
|
|
32455f3 |
+ return homedirs
|
|
|
32455f3 |
+ ulist = pwd.getpwall()
|
|
|
32455f3 |
+ for u in ulist:
|
|
|
32455f3 |
+ if u[2] >= starting_uid and \
|
|
|
32455f3 |
+ u[6] in VALID_SHELLS and \
|
|
|
32455f3 |
+ u[5] != "/" and \
|
|
|
32455f3 |
+ string.count(u[5], "/") > 1:
|
|
|
32455f3 |
+ homedir = u[5][:string.rfind(u[5], "/")]
|
|
|
32455f3 |
+ if not homedir in homedirs:
|
|
|
32455f3 |
+ if self.checkExists(homedir) == 1:
|
|
|
32455f3 |
+ warning("%s homedir %s or its parent directory conflicts with a\ndefined context in %s,\n%s will not create a new context. This usually indicates an incorrectly defined system account. If it is a system account please make sure its login shell is /sbin/nologin." % (u[0], u[5], self.getFileContextFile(), sys.argv[0]))
|
|
|
32455f3 |
+ else:
|
|
|
32455f3 |
+ homedirs.append(homedir)
|
|
|
32455f3 |
+
|
|
|
32455f3 |
+ homedirs.sort()
|
|
|
32455f3 |
+ return homedirs
|
|
|
32455f3 |
+
|
|
|
32455f3 |
+ def genoutput(self):
|
|
|
32455f3 |
+ ret = self.heading()
|
|
|
32455f3 |
+ for h in self.getHomeDirs():
|
|
|
32455f3 |
+ ret += self.getHomeDirContext (self.default_user, self.default_user, h+'/[^/]*', self.default_prefix)
|
|
|
32455f3 |
+ ret += self.getHomeRootContext(h)
|
|
|
32455f3 |
+ ret += self.getUserContext(".*", self.default_user, self.default_prefix) + "\n"
|
|
|
32455f3 |
+ ret += self.genHomeDirContext()
|
|
|
32455f3 |
+ return ret
|
|
|
32455f3 |
+
|
|
|
32455f3 |
+ def printout(self):
|
|
|
32455f3 |
+ print self.genoutput()
|
|
|
32455f3 |
+
|
|
|
32455f3 |
+ def write(self):
|
|
|
32455f3 |
+ fd = open(self.getFileContextDir()+"/file_contexts.homedirs", "w")
|
|
|
32455f3 |
+ fd.write(self.genoutput())
|
|
|
32455f3 |
+ fd.close()
|
|
|
32455f3 |
+
|
|
|
32455f3 |
+if os.getuid() > 0 or os.geteuid() > 0:
|
|
|
32455f3 |
+ print _("You must be root to run %s.") % sys.argv[0]
|
|
|
32455f3 |
+ sys.exit(1)
|
|
|
32455f3 |
+
|
|
|
32455f3 |
+try:
|
|
|
32455f3 |
+ fd = open("/etc/shells", 'r')
|
|
|
32455f3 |
+ VALID_SHELLS = fd.read().split("\n")
|
|
|
32455f3 |
+ fd.close()
|
|
|
32455f3 |
+ if "/sbin/nologin" in VALID_SHELLS:
|
|
|
32455f3 |
+ VALID_SHELLS.remove("/sbin/nologin")
|
|
|
32455f3 |
+ if "" in VALID_SHELLS:
|
|
|
32455f3 |
+ VALID_SHELLS.remove("")
|
|
|
32455f3 |
+except:
|
|
|
32455f3 |
+ VALID_SHELLS = ['/bin/sh', '/bin/bash', '/bin/ash', '/bin/bsh', '/bin/ksh', '/usr/bin/ksh', '/usr/bin/pdksh', '/bin/tcsh', '/bin/csh', '/bin/zsh']
|
|
|
32455f3 |
+
|
|
|
32455f3 |
+#
|
|
|
32455f3 |
+# This script will generate home dir file context
|
|
|
32455f3 |
+# based off the homedir_template file, entries in the password file, and
|
|
|
32455f3 |
+#
|
|
|
32455f3 |
+try:
|
|
|
32455f3 |
+ usepwd = 1
|
|
|
32455f3 |
+ directory = "/etc/selinux"
|
|
|
32455f3 |
+ type = None
|
|
|
32455f3 |
+ gopts, cmds = getopt.getopt(sys.argv[1:], 'hnd:t:', ['help',
|
|
|
32455f3 |
+ 'type=',
|
|
|
32455f3 |
+ 'nopasswd',
|
|
|
32455f3 |
+ 'dir='])
|
|
|
32455f3 |
+ for o,a in gopts:
|
|
|
32455f3 |
+ if o == '--type' or o == "-t":
|
|
|
32455f3 |
+ type = a
|
|
|
32455f3 |
+ if o == '--nopasswd' or o == "-n":
|
|
|
32455f3 |
+ usepwd = 0
|
|
|
32455f3 |
+ if o == '--dir' or o == "-d":
|
|
|
32455f3 |
+ directory = a
|
|
|
32455f3 |
+ if o == '--help' or o == "-h":
|
|
|
32455f3 |
+ usage()
|
|
|
32455f3 |
+except getopt.error, error:
|
|
|
32455f3 |
+ errorExit(_("Options Error %s ") % error)
|
|
|
32455f3 |
+
|
|
|
32455f3 |
+if type == None:
|
|
|
32455f3 |
+ type = getSELinuxType(directory)
|
|
|
32455f3 |
+
|
|
|
32455f3 |
+if len(cmds) != 0:
|
|
|
32455f3 |
+ usage(1)
|
|
|
32455f3 |
+
|
|
|
32455f3 |
+selconf = selinuxConfig(directory, type, usepwd)
|
|
|
32455f3 |
+try:
|
|
|
32455f3 |
+ selconf.write()
|
|
|
32455f3 |
+except IOError, error:
|
|
|
32455f3 |
+ sys.stderr.write("%s: %s\n" % ( sys.argv[0], error ))
|
|
|
32455f3 |
+ sys.exit(1)
|
|
|
32455f3 |
+
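Review bot: `write()` opens file_contexts.homedirs with mode "w" and then streams `genoutput()` into it, so an exception raised while generating (it reads the template and several config files) or a crash mid-write leaves a truncated labelling file in place; generate first, write to a temporary file in the same directory and `os.rename()` it over the destination, as the writer in seobject.py in this same patch already does. The bare `except:` clauses in findval(), in the file_contexts regex loop of selinuxConfig.__init__() and in checkExists() swallow every error including KeyboardInterrupt, so an unreadable or malformed config silently yields defaults; `except (IOError, IndexError):` and `except re.error:` respectively keep the best-effort behaviour without hiding real failures. A home directory taken from the passwd database is substituted for HOME_DIR verbatim and becomes part of a file-context regex, so a path containing regex metacharacters yields a malformed or over-broad pattern; checking that the path consists of plain path characters before it is accepted in adduser() would avoid that.
```python
    def write(self):
        # Generate first, then write beside the destination and rename into
        # place, so a failure never leaves a truncated file_contexts.homedirs.
        output = self.genoutput()
        dest = self.getFileContextDir()+"/file_contexts.homedirs"
        tmp = dest + ".tmp"
        fd = open(tmp, "w")
        try:
            fd.write(output)
        finally:
            fd.close()
        os.rename(tmp, dest)
```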
|
|
|
32455f3 |
diff --exclude-from=exclude --exclude=sepolgen-1.0.8 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/genhomedircon.8 policycoreutils-2.0.23/scripts/genhomedircon.8
|
|
|
32455f3 |
--- nsapolicycoreutils/scripts/genhomedircon.8 1969-12-31 19:00:00.000000000 -0500
|
|
|
32455f3 |
+++ policycoreutils-2.0.23/scripts/genhomedircon.8 2007-08-20 19:16:35.000000000 -0400
|
|
|
32455f3 |
@@ -0,0 +1,82 @@
|
|
|
32455f3 |
+.\" Hey, Emacs! This is an -*- nroff -*- source file.
|
|
|
32455f3 |
+.\" Copyright (c) 2005 Manoj Srivastava <srivasta@debian.org>
|
|
|
32455f3 |
+.\"
|
|
|
32455f3 |
+.\" This is free documentation; you can redistribute it and/or
|
|
|
32455f3 |
+.\" modify it under the terms of the GNU General Public License as
|
|
|
32455f3 |
+.\" published by the Free Software Foundation; either version 2 of
|
|
|
32455f3 |
+.\" the License, or (at your option) any later version.
|
|
|
32455f3 |
+.\"
|
|
|
32455f3 |
+.\" The GNU General Public License's references to "object code"
|
|
|
32455f3 |
+.\" and "executables" are to be interpreted as the output of any
|
|
|
32455f3 |
+.\" document formatting or typesetting system, including
|
|
|
32455f3 |
+.\" intermediate and printed output.
|
|
|
32455f3 |
+.\"
|
|
|
32455f3 |
+.\" This manual is distributed in the hope that it will be useful,
|
|
|
32455f3 |
+.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
32455f3 |
+.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
32455f3 |
+.\" GNU General Public License for more details.
|
|
|
32455f3 |
+.\"
|
|
|
32455f3 |
+.\" You should have received a copy of the GNU General Public
|
|
|
32455f3 |
+.\" License along with this manual; if not, write to the Free
|
|
|
32455f3 |
+.\" Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139,
|
|
|
32455f3 |
+.\" USA.
|
|
|
32455f3 |
+.\"
|
|
|
32455f3 |
+.\"
|
|
|
32455f3 |
+.TH GENHOMEDIRCON "8" "January 2005" "Security Enhanced Linux" ""
|
|
|
32455f3 |
+.SH NAME
|
|
|
32455f3 |
+genhomedircon \- generate SELinux file context configuration entries for user home directories
|
|
|
32455f3 |
+.SH SYNOPSIS
|
|
|
32455f3 |
+.B genhomedircon [ -d selinuxdir ] [-n | --nopasswd] [-t selinuxtype ] [-h]
|
|
|
32455f3 |
+
|
|
|
32455f3 |
+.SH OPTIONS
|
|
|
32455f3 |
+.TP
|
|
|
32455f3 |
+.B "\-h"
|
|
|
32455f3 |
+Print a short usage message
|
|
|
32455f3 |
+.TP
|
|
|
32455f3 |
+.B "\-d selinuxdir (\-\-directory)"
|
|
|
32455f3 |
+Directory where selinux files are installed defaults to /etc/selinux
|
|
|
32455f3 |
+.TP
|
|
|
32455f3 |
+.B
|
|
|
32455f3 |
+\-n \-\-nopasswd
|
|
|
32455f3 |
+Indicates to the utility not to read homedirectories out of the password database.
|
|
|
32455f3 |
+.TP
|
|
|
32455f3 |
+\-t selinuxtype (\-\-type)
|
|
|
32455f3 |
+Indicates the selinux type of this install. Defaults to "targeted".
|
|
|
32455f3 |
+.SH DESCRIPTION
|
|
|
32455f3 |
+.PP
|
|
|
32455f3 |
+This utility is used to generate file context configuration entries for
|
|
|
32455f3 |
+user home directories based on their
|
|
|
32455f3 |
+.B prefix
|
|
|
32455f3 |
+entry in the the
|
|
|
32455f3 |
+.B semanage user record.
|
|
|
32455f3 |
+genhomedircon is run when building
|
|
|
32455f3 |
+the policy. It is also run automaticaly when ever the
|
|
|
32455f3 |
+.B semanage
|
|
|
32455f3 |
+utility modifies
|
|
|
32455f3 |
+.B user
|
|
|
32455f3 |
+or
|
|
|
32455f3 |
+.B login
|
|
|
32455f3 |
+records.
|
|
|
32455f3 |
+Specifically, we replace HOME_ROOT, HOME_DIR, and ROLE macros in the
|
|
|
32455f3 |
+.I /etc/selinux/<<SELINUXTYPE>>/contexts/files/homedir_template
|
|
|
32455f3 |
+file with generic and user-specific values. HOME_ROOT and HOME_DIR is replaced with each distinct location where login users homedirectories are located. Defaults to /home. ROLE is replaced based on the prefix entry in the
|
|
|
32455f3 |
+.B user
|
|
|
32455f3 |
+record.
|
|
|
32455f3 |
+.PP
|
|
|
32455f3 |
+genhomedircon searches through all password entires for all "login" user home directories, (as opposed
|
|
|
32455f3 |
+to system users). Login users are those whose UID is greater than or equal
|
|
|
32455f3 |
+.I STARTING_UID
|
|
|
32455f3 |
+(default 500) and whose login shell is not "/sbin/nologin", or
|
|
|
32455f3 |
+"/bin/false".
|
|
|
32455f3 |
+.PP
|
|
|
32455f3 |
+.SH AUTHOR
|
|
|
32455f3 |
+This manual page was originally written by
|
|
|
32455f3 |
+.I Manoj Srivastava <srivasta@debian.org>,
|
|
|
32455f3 |
+for the Debian GNU/Linux system, based on the comments and the code
|
|
|
32455f3 |
+in the utility, and then updated by Dan Walsh of Red Hat. The
|
|
|
32455f3 |
+.B genhomedircon
|
|
|
32455f3 |
+utility was originally written by
|
|
|
32455f3 |
+.I Dan Walsh of Red Hat
|
|
|
32455f3 |
+with some modifications by
|
|
|
32455f3 |
+.I Tresys Technology, LLC.
|
|
|
32455f3 |
+
|
|
|
32455f3 |
diff --exclude-from=exclude --exclude=sepolgen-1.0.8 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/Makefile policycoreutils-2.0.23/scripts/Makefile
|
|
|
32455f3 |
--- nsapolicycoreutils/scripts/Makefile 2007-08-23 16:52:26.000000000 -0400
|
|
|
32455f3 |
+++ policycoreutils-2.0.23/scripts/Makefile 2007-08-20 19:16:35.000000000 -0400
|
|
|
32455f3 |
@@ -5,14 +5,18 @@
|
|
|
32455f3 |
MANDIR ?= $(PREFIX)/share/man
|
|
|
32455f3 |
LOCALEDIR ?= /usr/share/locale
|
|
|
32455f3 |
|
|
|
32455f3 |
-all: fixfiles
|
|
|
32455f3 |
+TARGETS=genhomedircon
|
|
|
32455f3 |
+
|
|
|
32455f3 |
+all: $(TARGETS) fixfiles
|
|
|
32455f3 |
|
|
|
32455f3 |
install: all
|
|
|
32455f3 |
-mkdir -p $(BINDIR)
|
|
|
32455f3 |
+ install -m 755 $(TARGETS) $(SBINDIR)
|
|
|
32455f3 |
install -m 755 chcat $(BINDIR)
|
|
|
32455f3 |
install -m 755 fixfiles $(DESTDIR)/sbin
|
|
|
32455f3 |
-mkdir -p $(MANDIR)/man8
|
|
|
32455f3 |
install -m 644 fixfiles.8 $(MANDIR)/man8/
|
|
|
32455f3 |
+ install -m 644 genhomedircon.8 $(MANDIR)/man8/
|
|
|
32455f3 |
install -m 644 chcat.8 $(MANDIR)/man8/
|
|
|
4efe23c |
|
|
|
32455f3 |
clean:
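Review bot: The new `install -m 755 $(TARGETS) $(SBINDIR)` line has no matching directory creation the way BINDIR and MANDIR get `-mkdir -p` a few lines around it, so a fresh DESTDIR install fails when the directory does not yet exist; add `-mkdir -p $(SBINDIR)` before it. SBINDIR is also not defined in the visible part of this Makefile (MANDIR and LOCALEDIR are), and if it is not set elsewhere the install lands in the current directory, so it is worth confirming and adding a `?=` default next to the other ones. Note that fixfiles is installed to `$(DESTDIR)/sbin` two lines later, so the hunk now uses two different spellings for the same location.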
|
|
|
4bf679b |
diff --exclude-from=exclude --exclude=sepolgen-1.0.8 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/seobject.py policycoreutils-2.0.23/semanage/seobject.py
|
|
|
e0e7eda |
--- nsapolicycoreutils/semanage/seobject.py 2007-07-16 14:20:41.000000000 -0400
|
|
|
4bf679b |
+++ policycoreutils-2.0.23/semanage/seobject.py 2007-08-22 16:29:22.000000000 -0400
|
|
|
64fb16a |
@@ -210,6 +210,7 @@
|
|
|
73f3144 |
os.write(fd, self.out())
|
|
|
73f3144 |
os.close(fd)
|
|
|
73f3144 |
os.rename(newfilename, self.filename)
|
|
|
73f3144 |
+ os.system("/sbin/service mcstrans reload > /dev/null")
|
|
|
1e9f6c8 |
|
|
|
73f3144 |
class semanageRecords:
|
|
|
73f3144 |
def __init__(self):
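Review bot: The status of `os.system("/sbin/service mcstrans reload > /dev/null")` is discarded, so when the reload fails the translation file has already been renamed into place but the daemon keeps running with the old configuration and nothing is reported; keep the return code and at least warn on non-zero, e.g. `rc = os.system("/sbin/service mcstrans reload > /dev/null")` followed by a stderr message when `rc != 0`. Only stdout is redirected, so the service script's stderr still leaks into whatever called semanage. Since the command is fixed, going through a shell buys nothing; if the module's minimum Python includes the subprocess module, `subprocess.call(["/sbin/service", "mcstrans", "reload"], stdout=devnull)` avoids the shell and returns the status directly. The enclosing method begins before this hunk.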
|
|
|
b9cac61 |
@@ -1024,14 +1025,31 @@
|
|
|
85e2ce7 |
def __init__(self):
|
|
|
85e2ce7 |
semanageRecords.__init__(self)
|
|
|
85e2ce7 |
|
|
|
b9cac61 |
- def add(self, target, type, ftype = "", serange = "", seuser = "system_u"):
|
|
|
b9cac61 |
+ def createcon(self, target, seuser = "system_u"):
|
|
|
85e2ce7 |
+ (rc, con) = semanage_context_create(self.sh)
|
|
|
85e2ce7 |
+ if rc < 0:
|
|
|
85e2ce7 |
+ raise ValueError(_("Could not create context for %s") % target)
|
|
|
b9cac61 |
if seuser == "":
|
|
|
b9cac61 |
seuser = "system_u"
|
|
|
b9cac61 |
+
|
|
|
b9cac61 |
+ rc = semanage_context_set_user(self.sh, con, seuser)
|
|
|
85e2ce7 |
+ if rc < 0:
|
|
|
85e2ce7 |
+ raise ValueError(_("Could not set user in file context for %s") % target)
|
|
|
85e2ce7 |
+
|
|
|
85e2ce7 |
+ rc = semanage_context_set_role(self.sh, con, "object_r")
|
|
|
85e2ce7 |
+ if rc < 0:
|
|
|
85e2ce7 |
+ raise ValueError(_("Could not set role in file context for %s") % target)
|
|
|
85e2ce7 |
+
|
|
|
b9cac61 |
if is_mls_enabled == 1:
|
|
|
b9cac61 |
- if serange == "":
|
|
|
b9cac61 |
- serange = "s0"
|
|
|
b9cac61 |
- else:
|
|
|
b9cac61 |
- serange = untranslate(serange)
|
|
|
85e2ce7 |
+ rc = semanage_context_set_mls(self.sh, con, "s0")
|
|
|
85e2ce7 |
+ if rc < 0:
|
|
|
85e2ce7 |
+ raise ValueError(_("Could not set mls fields in file context for %s") % target)
|
|
|
85e2ce7 |
+
|
|
|
85e2ce7 |
+ return con
|
|
|
85e2ce7 |
+
|
|
|
b9cac61 |
+ def add(self, target, type, ftype = "", serange = "", seuser = "system_u"):
|
|
|
b9cac61 |
+ if is_mls_enabled == 1:
|
|
|
b9cac61 |
+ serange = untranslate(serange)
|
|
|
b9cac61 |
|
|
|
b9cac61 |
if type == "":
|
|
|
b9cac61 |
raise ValueError(_("SELinux Type is required"))
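Review bot: In add(), `serange = untranslate(serange)` now runs for every MLS call including an empty serange, whereas the removed lines mapped "" to "s0" and only passed non-empty values through untranslate(); if untranslate("") does not return "" unchanged, the later `if serange != ""` test in the following hunk will never see the empty case and createcon()'s "s0" default gets overwritten with whatever untranslate produced. Guarding it as `if is_mls_enabled == 1 and serange != "":` preserves the old behaviour. createcon() itself reads well, though the comment a reader needs is why "s0" is hard-coded there (a placeholder that add() overrides when a range is supplied); a one-line note above the `semanage_context_set_mls` call would save the next maintainer from reading both methods together.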
|
|
|
b9cac61 |
@@ -1051,33 +1069,23 @@
|
|
|
2701345 |
raise ValueError(_("Could not create file context for %s") % target)
|
|
|
2701345 |
|
|
|
2701345 |
rc = semanage_fcontext_set_expr(self.sh, fcontext, target)
|
|
|
2701345 |
- (rc, con) = semanage_context_create(self.sh)
|
|
|
2701345 |
- if rc < 0:
|
|
|
2701345 |
- raise ValueError(_("Could not create context for %s") % target)
|
|
|
2701345 |
-
|
|
|
2701345 |
- rc = semanage_context_set_user(self.sh, con, seuser)
|
|
|
2701345 |
- if rc < 0:
|
|
|
2701345 |
- raise ValueError(_("Could not set user in file context for %s") % target)
|
|
|
2701345 |
-
|
|
|
2701345 |
- rc = semanage_context_set_role(self.sh, con, "object_r")
|
|
|
2701345 |
- if rc < 0:
|
|
|
2701345 |
- raise ValueError(_("Could not set role in file context for %s") % target)
|
|
|
2701345 |
-
|
|
|
2701345 |
- rc = semanage_context_set_type(self.sh, con, type)
|
|
|
2701345 |
- if rc < 0:
|
|
|
2701345 |
- raise ValueError(_("Could not set type in file context for %s") % target)
|
|
|
b9cac61 |
+ if type != "<<none>>":
|
|
|
b9cac61 |
+ con = self.createcon(target, seuser)
|
|
|
b9cac61 |
|
|
|
2701345 |
- if serange != "":
|
|
|
2701345 |
- rc = semanage_context_set_mls(self.sh, con, serange)
|
|
|
2701345 |
- if rc < 0:
|
|
|
2701345 |
- raise ValueError(_("Could not set mls fields in file context for %s") % target)
|
|
|
2701345 |
+ rc = semanage_context_set_type(self.sh, con, type)
|
|
|
2701345 |
+ if rc < 0:
|
|
|
2701345 |
+ raise ValueError(_("Could not set type in file context for %s") % target)
|
|
|
2701345 |
+
|
|
|
2701345 |
+ if serange != "":
|
|
|
2701345 |
+ rc = semanage_context_set_mls(self.sh, con, serange)
|
|
|
2701345 |
+ if rc < 0:
|
|
|
2701345 |
+ raise ValueError(_("Could not set mls fields in file context for %s") % target)
|
|
|
85e2ce7 |
+ rc = semanage_fcontext_set_con(self.sh, fcontext, con)
|
|
|
85e2ce7 |
+ if rc < 0:
|
|
|
85e2ce7 |
+ raise ValueError(_("Could not set file context for %s") % target)
|
|
|
2701345 |
|
|
|
2701345 |
semanage_fcontext_set_type(fcontext, file_types[ftype])
|
|
|
2701345 |
|
|
|
85e2ce7 |
- rc = semanage_fcontext_set_con(self.sh, fcontext, con)
|
|
|
85e2ce7 |
- if rc < 0:
|
|
|
85e2ce7 |
- raise ValueError(_("Could not set file context for %s") % target)
|
|
|
85e2ce7 |
-
|
|
|
85e2ce7 |
rc = semanage_begin_transaction(self.sh)
|
|
|
85e2ce7 |
if rc < 0:
|
|
|
85e2ce7 |
raise ValueError(_("Could not start semanage transaction"))
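Review bot: `con` is only bound inside `if type != "<<none>>":`, so the `semanage_context_set_type`, `semanage_context_set_mls` and `semanage_fcontext_set_con` lines that follow must all sit inside that block or the `<<none>>` path raises NameError; the flattened rendering here loses the indentation, so this is worth confirming against the actual file. In the `<<none>>` case add() never calls `semanage_fcontext_set_con(self.sh, fcontext, None)` while modify() in a later hunk does so explicitly; if a freshly created fcontext already carries no context this is fine, but a short comment saying so (or the explicit call, for symmetry with modify()) would make the intent clear.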
|
|
|
b9cac61 |
@@ -1090,7 +1098,8 @@
|
|
|
85e2ce7 |
if rc < 0:
|
|
|
85e2ce7 |
raise ValueError(_("Could not add file context for %s") % target)
|
|
|
85e2ce7 |
|
|
|
85e2ce7 |
- semanage_context_free(con)
|
|
|
85e2ce7 |
+ if type != "<<none>>":
|
|
|
85e2ce7 |
+ semanage_context_free(con)
|
|
|
85e2ce7 |
semanage_fcontext_key_free(k)
|
|
|
85e2ce7 |
semanage_fcontext_free(fcontext)
|
|
|
85e2ce7 |
|
|
|
b9cac61 |
@@ -1112,16 +1121,29 @@
|
|
|
85e2ce7 |
if rc < 0:
|
|
|
85e2ce7 |
raise ValueError(_("Could not query file context for %s") % target)
|
|
|
85e2ce7 |
|
|
|
85e2ce7 |
- con = semanage_fcontext_get_con(fcontext)
|
|
|
85e2ce7 |
+ if setype != "<<none>>":
|
|
|
85e2ce7 |
+ con = semanage_fcontext_get_con(fcontext)
|
|
|
85e2ce7 |
|
|
|
85e2ce7 |
- if serange != "":
|
|
|
85e2ce7 |
- semanage_context_set_mls(self.sh, con, untranslate(serange))
|
|
|
85e2ce7 |
- if seuser != "":
|
|
|
85e2ce7 |
- semanage_context_set_user(self.sh, con, seuser)
|
|
|
85e2ce7 |
- if setype != "":
|
|
|
85e2ce7 |
- semanage_context_set_type(self.sh, con, setype)
|
|
|
85e2ce7 |
-
|
|
|
85e2ce7 |
- rc = semanage_begin_transaction(self.sh)
|
|
|
85e2ce7 |
+ if con == None:
|
|
|
b9cac61 |
+ con = self.createcon(target)
|
|
|
85e2ce7 |
+
|
|
|
85e2ce7 |
+ if serange != "":
|
|
|
85e2ce7 |
+ semanage_context_set_mls(self.sh, con, untranslate(serange))
|
|
|
85e2ce7 |
+ if seuser != "":
|
|
|
b9cac61 |
+ semanage_context_set_user(self.sh, con, seuser)
|
|
|
b9cac61 |
+
|
|
|
85e2ce7 |
+ if setype != "":
|
|
|
85e2ce7 |
+ semanage_context_set_type(self.sh, con, setype)
|
|
|
85e2ce7 |
+
|
|
|
85e2ce7 |
+ rc = semanage_fcontext_set_con(self.sh, fcontext, con)
|
|
|
85e2ce7 |
+ if rc < 0:
|
|
|
85e2ce7 |
+ raise ValueError(_("Could not set file context for %s") % target)
|
|
|
85e2ce7 |
+ else:
|
|
|
85e2ce7 |
+ rc = semanage_fcontext_set_con(self.sh, fcontext, None)
|
|
|
85e2ce7 |
+ if rc < 0:
|
|
|
85e2ce7 |
+ raise ValueError(_("Could not set file context for %s") % target)
|
|
|
85e2ce7 |
+
|
|
|
85e2ce7 |
+ rc = semanage_begin_transaction(self.sh)
|
|
|
85e2ce7 |
if rc < 0:
|
|
|
85e2ce7 |
raise ValueError(_("Could not start semanage transaction"))
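Review bot: When the existing fcontext has no context (`con == None`) and the caller passes an empty setype, `self.createcon(target)` returns a context with user, role and range but no type, and that incomplete context is installed via `semanage_fcontext_set_con` with no check; the branch should reject it up front with `if setype == "": raise ValueError(_("SELinux Type is required"))`, the same message add() uses. The context created by createcon() in this path is also never released, whereas add() calls `semanage_context_free(con)` after its transaction — if set_con copies the context as add() assumes, this one leaks on every such modify(). Enclosing method begins before this hunk.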
|
|
|
85e2ce7 |
|
|
|
b9cac61 |
@@ -1283,9 +1305,12 @@
|
|
|
7e97034 |
raise ValueError(_("Could not list booleans"))
|
|
|
7e97034 |
|
|
|
7e97034 |
for boolean in self.blist:
|
|
|
7e97034 |
- name = semanage_bool_get_name(boolean)
|
|
|
7e97034 |
- value = semanage_bool_get_value(boolean)
|
|
|
7e97034 |
- ddict[name] = value
|
|
|
7e97034 |
+ value = []
|
|
|
7e97034 |
+ name = semanage_bool_get_name(boolean)
|
|
|
7e97034 |
+ value[0] = semanage_bool_get_value(boolean)
|
|
|
7e97034 |
+ value[1] = selinux.security_get_boolean_pending(boolean)
|
|
|
7e97034 |
+ value[2] = selinux.security_get_boolean_active(boolean)
|
|
|
7e97034 |
+ ddict[name] = value
|
|
|
7e97034 |
|
|
|
7e97034 |
return ddict
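Review bot: `value = []` followed by `value[0] = ...` raises IndexError on the very first boolean, since assigning to an index of an empty list does not extend it, so this method now fails outright. Build the list in one expression: `value = [semanage_bool_get_value(boolean), selinux.security_get_boolean_pending(name), selinux.security_get_boolean_active(name)]`. The two libselinux calls are also handed the semanage boolean record rather than its name; security_get_boolean_pending/active take the boolean's name string, so `name` is the argument they should receive, as in the quoted fix.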
|
|
|
7e97034 |
|
|
|
4bf679b |
diff --exclude-from=exclude --exclude=sepolgen-1.0.8 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semodule/semodule.8 policycoreutils-2.0.23/semodule/semodule.8
|
|
|
4bf679b |
--- nsapolicycoreutils/semodule/semodule.8 2007-07-16 14:20:42.000000000 -0400
|
|
|
4bf679b |
+++ policycoreutils-2.0.23/semodule/semodule.8 2007-08-23 10:18:35.000000000 -0400
|
|
|
4bf679b |
@@ -23,6 +23,9 @@
|
|
|
4bf679b |
.B \-B, \-\-build
|
|
|
4bf679b |
force a rebuild of policy (also reloads unless -n is used)
|
|
|
4bf679b |
.TP
|
|
|
4bf679b |
+.B \-D, \-\-disable_dontaudit
|
|
|
4bf679b |
+Temporarily remove dontaudits from policy. Reverts whenever policy is rebuilt
|
|
|
4bf679b |
+.TP
|
|
|
4bf679b |
.B \-i,\-\-install=MODULE_PKG
|
|
|
4bf679b |
install/replace a module package
|
|
|
4bf679b |
.TP
|
|
|
4bf679b |
@@ -58,6 +61,10 @@
|
|
|
4bf679b |
$ semodule -i httpd.pp
|
|
|
4bf679b |
# List non-base modules.
|
|
|
4bf679b |
$ semodule -l
|
|
|
4bf679b |
+# Turn on all AVC Messages for which SELinux currently is "dontaudit"ing.
|
|
|
4bf679b |
+$ semodule -DB
|
|
|
4bf679b |
+# Turn "dontaudit" rules back on.
|
|
|
4bf679b |
+$ semodule -B
|
|
|
4bf679b |
# Install or replace all non-base modules in the current directory.
|
|
|
4bf679b |
$ semodule -i *.pp
|
|
|
4bf679b |
# Install or replace all modules in the current directory.
|