diff --git a/policycoreutils/Makefile b/policycoreutils/Makefile
index 3980799..6624804 100644
--- a/policycoreutils/Makefile
+++ b/policycoreutils/Makefile
@@ -1,4 +1,4 @@
-SUBDIRS = sepolicy setfiles semanage load_policy newrole run_init sandbox secon audit2allow audit2why sestatus semodule_package semodule semodule_link semodule_expand semodule_deps sepolgen-ifgen setsebool scripts po man gui
+SUBDIRS = sepolicy setfiles semanage semanage/default_encoding load_policy newrole run_init sandbox secon audit2allow sestatus semodule_package semodule semodule_link semodule_expand semodule_deps sepolgen-ifgen setsebool scripts po man gui
INOTIFYH = $(shell ls /usr/include/sys/inotify.h 2>/dev/null)
diff --git a/policycoreutils/audit2allow/Makefile b/policycoreutils/audit2allow/Makefile
index 88635d4..fc290ea 100644
--- a/policycoreutils/audit2allow/Makefile
+++ b/policycoreutils/audit2allow/Makefile
@@ -5,14 +5,19 @@ LIBDIR ?= $(PREFIX)/lib
MANDIR ?= $(PREFIX)/share/man
LOCALEDIR ?= /usr/share/locale
-all: ;
+all: audit2why
+
+audit2why:
+ ln -sf audit2allow audit2why
install: all
-mkdir -p $(BINDIR)
install -m 755 audit2allow $(BINDIR)
+ (cd $(BINDIR); ln -sf audit2allow audit2why)
install -m 755 sepolgen-ifgen $(BINDIR)
-mkdir -p $(MANDIR)/man1
install -m 644 audit2allow.1 $(MANDIR)/man1/
+ install -m 644 audit2why.1 $(MANDIR)/man1/
clean:
rm -f *~
diff --git a/policycoreutils/audit2allow/audit2allow b/policycoreutils/audit2allow/audit2allow
index 8e0c396..d282eee 100644
--- a/policycoreutils/audit2allow/audit2allow
+++ b/policycoreutils/audit2allow/audit2allow
@@ -18,7 +18,7 @@
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#
-import sys
+import sys, os
import sepolgen.audit as audit
import sepolgen.policygen as policygen
@@ -29,6 +29,8 @@ import sepolgen.defaults as defaults
import sepolgen.module as module
from sepolgen.sepolgeni18n import _
import selinux.audit2why as audit2why
+import locale
+locale.setlocale(locale.LC_ALL, '')
class AuditToPolicy:
VERSION = "%prog .1"
@@ -80,8 +82,7 @@ class AuditToPolicy:
parser.add_option("--interface-info", dest="interface_info", help="file name of interface information")
parser.add_option("--debug", dest="debug", action="store_true", default=False,
help="leave generated modules for -M")
-
- parser.add_option("-w", "--why", dest="audit2why", action="store_true", default=False,
+ parser.add_option("-w", "--why", dest="audit2why", action="store_true", default=(os.path.basename(sys.argv[0])=="audit2why"),
help="Translates SELinux audit messages into a description of why the access was denied")
options, args = parser.parse_args()
@@ -267,12 +268,10 @@ class AuditToPolicy:
continue
if rc == audit2why.CONSTRAINT:
- print "\t\tPolicy constraint violation.\n"
- print "\t\tMay require adding a type attribute to the domain or type to satisfy the constraint.\n"
- print "\t\tConstraints are defined in the policy sources in policy/constraints (general), policy/mcs (MCS), and policy/mls (MLS).\n"
- for reason in data:
- print "\t\tNote: Possible cause is the source and target %s differ\n" % reason
- continue
+ print #!!!! This avc is a constraint violation. You would need to modify the attributes of either the source or target types to allow this access.\n"
+ print "#Constraint rule: \n\t" + data[0]
+ for reason in data[1:]:
+ print "#\tPossible cause is the source %s and target %s are different.\n\b" % reason
if rc == audit2why.RBAC:
print "\t\tMissing role allow rule.\n"
diff --git a/policycoreutils/audit2allow/audit2allow.1 b/policycoreutils/audit2allow/audit2allow.1
index a854a45..bc70938 100644
--- a/policycoreutils/audit2allow/audit2allow.1
+++ b/policycoreutils/audit2allow/audit2allow.1
@@ -171,7 +171,7 @@ $ semodule -i local.pp
.B Using audit2allow to generate and build module policy
$ cat /var/log/audit/audit.log | audit2allow -M local
-Generating type enforcment file: local.te
+Generating type enforcement file: local.te
Compiling policy: checkmodule -M -m -o local.mod local.te
Building package: semodule_package -o local.pp -m local.mod
diff --git a/policycoreutils/audit2allow/audit2why.1 b/policycoreutils/audit2allow/audit2why.1
new file mode 100644
index 0000000..a9e8893
--- /dev/null
+++ b/policycoreutils/audit2allow/audit2why.1
@@ -0,0 +1 @@
+.so man1/audit2allow.1
diff --git a/policycoreutils/audit2allow/sepolgen-ifgen b/policycoreutils/audit2allow/sepolgen-ifgen
index ef4bec3..3967ba5 100644
--- a/policycoreutils/audit2allow/sepolgen-ifgen
+++ b/policycoreutils/audit2allow/sepolgen-ifgen
@@ -62,6 +62,9 @@ def parse_options():
return options
def get_policy():
+ p = selinux.selinux_current_policy_path()
+ if os.path.exists(p):
+ return p
i = selinux.security_policyvers()
p = selinux.selinux_binary_policy_path() + "." + str(i)
while i > 0 and not os.path.exists(p):
diff --git a/policycoreutils/audit2why/Makefile b/policycoreutils/audit2why/Makefile
deleted file mode 100644
index 63eb8b3..0000000
--- a/policycoreutils/audit2why/Makefile
+++ /dev/null
@@ -1,18 +0,0 @@
-# Installation directories.
-PREFIX ?= $(DESTDIR)/usr
-BINDIR ?= $(PREFIX)/bin
-MANDIR ?= $(PREFIX)/share/man
-
-TARGETS=audit2why
-
-all: $(TARGETS)
-
-install: all
- -mkdir -p $(BINDIR)
- install -m 755 $(TARGETS) $(BINDIR)
- -mkdir -p $(MANDIR)/man1
- install -m 644 audit2why.1 $(MANDIR)/man1/
-
-clean:
-
-relabel:
diff --git a/policycoreutils/audit2why/audit2why b/policycoreutils/audit2why/audit2why
deleted file mode 100644
index 21a72aa..0000000
--- a/policycoreutils/audit2why/audit2why
+++ /dev/null
@@ -1,2 +0,0 @@
-#!/bin/sh
-/usr/bin/audit2allow -w $*
diff --git a/policycoreutils/audit2why/audit2why.1 b/policycoreutils/audit2why/audit2why.1
deleted file mode 100644
index a9e8893..0000000
--- a/policycoreutils/audit2why/audit2why.1
+++ /dev/null
@@ -1 +0,0 @@
-.so man1/audit2allow.1
diff --git a/policycoreutils/gui/Makefile b/policycoreutils/gui/Makefile
index b5abbb9..513f2c4 100644
--- a/policycoreutils/gui/Makefile
+++ b/policycoreutils/gui/Makefile
@@ -1,7 +1,9 @@
# Installation directories.
PREFIX ?= ${DESTDIR}/usr
+SYSCONFDIR ?= ${DESTDIR}/etc
BINDIR ?= $(PREFIX)/bin
SHAREDIR ?= $(PREFIX)/share/system-config-selinux
+DATADIR ?= $(PREFIX)/share
TARGETS= \
booleansPage.py \
@@ -16,6 +18,7 @@ portsPage.py \
semanagePage.py \
statusPage.py \
system-config-selinux.glade \
+system-config-selinux.png \
usersPage.py
all: $(TARGETS) system-config-selinux.py polgengui.py
@@ -23,11 +26,19 @@ all: $(TARGETS) system-config-selinux.py polgengui.py
install: all
-mkdir -p $(SHAREDIR)
-mkdir -p $(BINDIR)
+ -mkdir -p $(DATADIR)/pixmaps
+ -mkdir -p $(DATADIR)/icons/hicolor/24x24/apps
+ -mkdir -p $(SYSCONFDIR)
+ -mkdir -p $(DATADIR)/polkit-1/actions/
install -m 755 system-config-selinux.py $(SHAREDIR)
+ install -m 755 system-config-selinux $(BINDIR)
install -m 755 polgengui.py $(SHAREDIR)
- install -m 755 sepolgen $(BINDIR)
install -m 644 $(TARGETS) $(SHAREDIR)
-
+ install -m 644 system-config-selinux.png $(DATADIR)/pixmaps
+ install -m 644 system-config-selinux.png $(DATADIR)/icons/hicolor/24x24/apps
+ install -m 644 system-config-selinux.png $(DATADIR)/system-config-selinux
+ install -m 644 *.desktop $(DATADIR)/system-config-selinux
+ install -m 644 org.fedoraproject.config.selinux.policy $(DATADIR)/polkit-1/actions/
clean:
indent:
diff --git a/policycoreutils/gui/org.fedoraproject.config.selinux.policy b/policycoreutils/gui/org.fedoraproject.config.selinux.policy
new file mode 100644
index 0000000..fcfa81d
--- /dev/null
+++ b/policycoreutils/gui/org.fedoraproject.config.selinux.policy
@@ -0,0 +1,22 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE policyconfig PUBLIC
+"-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
+"http://www.freedesktop.org/standards/PolicyKit/1/policyconfig.dtd">
+<policyconfig>
+
+ <vendor>System Config SELinux</vendor>
+ <vendor_url>http://fedorahosted.org/system-config-selinux</vendor_url>
+
+ <action id="org.fedoraproject.config.selinux.pkexec.run">
+ <description>Run System Config SELinux</description>
+ <message>Authentication is required to run system-config-selinux</message>
+ <icon_name>system-selinux</icon_name>
+ <defaults>
+ <allow_any>no</allow_any>
+ <allow_inactive>no</allow_inactive>
+ <allow_active>auth_admin</allow_active>
+ </defaults>
+ <annotate key="org.freedesktop.policykit.exec.path">/usr/share/system-config-selinux/system-config-selinux.py</annotate>
+ <annotate key="org.freedesktop.policykit.exec.allow_gui">true</annotate>
+ </action>
+</policyconfig>
diff --git a/policycoreutils/gui/selinux-polgengui.desktop b/policycoreutils/gui/selinux-polgengui.desktop
new file mode 100644
index 0000000..0c2f399
--- /dev/null
+++ b/policycoreutils/gui/selinux-polgengui.desktop
@@ -0,0 +1,67 @@
+[Desktop Entry]
+Name=SELinux Policy Generation Tool
+Name[bn_IN]=SELinux Policy নির্মাণের সামগ্রী
+Name[ca]=Eina de generació de polítiques del SELinux
+Name[da]=Regelsætgenereringsværktøj til SELinux
+Name[de]=Tool zur Erstellung von SELinux-Richtlinien
+Name[es]=Generador de Políticas de SELinux
+Name[fi]=SELinux-käytäntöjen generointityökalu
+Name[fr]=Outil de génération de stratégies SELinux
+Name[gu]=SELinux પોલિસી બનાવટ સાધન
+Name[hi]=SELinux पॉलिसी जनन औजार
+Name[it]=Tool di generazione della policy di SELinux
+Name[ja]=SELinux ポリシー生成ツール
+Name[kn]=SELinux ಪಾಲಿಸಿ ಉತ್ಪಾದನಾ ಉಪಕರಣ
+Name[ko]=SELinux 정책 생성 도구
+Name[ml]=SELinux പോളിസി ഉത്പാദന പ്രയോഗം
+Name[mr]=SELinux करार निर्माण साधन
+Name[nl]=SELinux tactiek generatie gereedschap
+Name[or]=SELinux ନୀତି ସୃଷ୍ଟି ଉପକରଣ
+Name[pa]=SELinux ਪਾਲਿਸੀ ਨਿਰਮਾਣ ਜੰਤਰ
+Name[pl]=Narzędzie tworzenia polityki SELinuksa
+Name[pt]=Ferramenta de Geração de Políticas SELinux
+Name[pt_BR]=Ferramenta de criação de políticas do SELinux
+Name[ru]=Средство создания политики SELinux
+Name[sv]=Genereringsverktyg för SELinuxpolicy
+Name[ta]=SELinux பாலிசி உற்பத்தி கருவி
+Name[te]=SELinux నిర్వహణ
+Name[uk]=Утиліта генерації правил SELinux
+Name[zh_CN]=SELinux 策略生成工具
+Name[zh_TW]=SELinux 政策產生工具(SELinux Policy Generation Tool)
+Comment=Generate SELinux policy modules
+Comment[bn_IN]=SELinux নিয়মনীতির মডিউল নির্মাণ করুন
+Comment[ca]=Genera els mòduls de les polítiques de SELinux
+Comment[da]=Generér SELinux-regelsætmodul
+Comment[de]=Tool zur Erstellung von SELinux-Richtlinien
+Comment[es]=Generar módulos de política de SELinux
+Comment[fi]=Generoi SELinuxin käytäntömoduuleja
+Comment[fr]=Génére des modules de stratégie SELinux
+Comment[gu]=SELinux પોલિસી મોડ્યુલોને ઉત્પન્ન કરો
+Comment[hi]=नया पॉलिसी मॉड्यूल उत्पन्न करें
+Comment[it]=Genera moduli della politica di SELinux
+Comment[ja]=新しいポリシーモジュールの作成
+Comment[kn]=SELinux ಪಾಲಿಸಿ ಘಟಕಗಳನ್ನು ಉತ್ಪಾದಿಸು
+Comment[ko]=SELinux 정책 모듈 생성
+Comment[ml]=SELinux യ പോളിസി ഘങ്ങള് തയ്യാറാക്കുക
+Comment[mr]=SELinux करार घटके निर्माण करा
+Comment[nl]=Maak een SELinux tactiek module aan
+Comment[or]=SELinux ନୀତି ଏକକାଂଶ ସୃଷ୍ଟିକରନ୍ତୁ
+Comment[pa]=SELinux ਪਾਲਿਸੀ ਮੈਡਿਊਲ ਬਣਾਓ
+Comment[pl]=Tworzenie nowych modułów polityki SELinuksa
+Comment[pt]=Gerar módulos de políticas SELinux
+Comment[pt_BR]=Gerar módulos de política do SELinux
+Comment[ru]=Генерация модулей политики SELinux
+Comment[sv]=Generera SELinux-policymoduler
+Comment[ta]=SELinux கொள்கை தொகுதியை உருவாக்கவும்
+Comment[te]=SELinux పాలసీ మాడ్యూళ్ళను వుద్భవింపచేయుము
+Comment[uk]=Створення модулів контролю доступу SELinux
+Comment[zh_CN]=生成 SELinux 策略模块
+Comment[zh_TW]=產生 SELinux 政策模組
+StartupNotify=true
+Icon=system-config-selinux
+Exec=/usr/bin/selinux-polgengui
+Type=Application
+Terminal=false
+Categories=System;Security;
+X-Desktop-File-Install-Version=0.2
+Keywords=policy;security;selinux;avc;permission;mac;
diff --git a/policycoreutils/gui/system-config-selinux b/policycoreutils/gui/system-config-selinux
new file mode 100755
index 0000000..5be5ccd
--- /dev/null
+++ b/policycoreutils/gui/system-config-selinux
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+exec /usr/bin/pkexec /usr/share/system-config-selinux/system-config-selinux.py
diff --git a/policycoreutils/gui/system-config-selinux.desktop b/policycoreutils/gui/system-config-selinux.desktop
new file mode 100644
index 0000000..8822ce2
--- /dev/null
+++ b/policycoreutils/gui/system-config-selinux.desktop
@@ -0,0 +1,67 @@
+[Desktop Entry]
+Name=SELinux Management
+Name[bn_IN]=SELinux পরিচালনা
+Name[da]=Håndtering af SELinux
+Name[de]=SELinux-Management
+Name[ca]=Gestió de SELinux
+Name[es]=Administración de SELinux
+Name[fi]=SELinuxin ylläpito
+Name[fr]=Gestion de SELinux
+Name[gu]=SELinux સંચાલન
+Name[hi]=SELinux प्रबंधन
+Name[jp]=SELinux 管理
+Name[it]=Gestione di SELinux
+Name[kn]=SELinux ವ್ಯವಸ್ಥಾಪನೆ
+Name[ko]=SELinux 관리
+Name[ml]=SELinux മാനേജ്മെന്റ്
+Name[mr]=SELinux मॅनेजमेंट
+Name[nl]=SELinux beheer
+Name[or]=SELinux ପରିଚାଳନା
+Name[pa]=SELinux ਮੈਨੇਜਮੈਂਟ
+Name[pl]=Zarządzanie SELinuksem
+Name[pt_BR]=Gerenciamento do SELinux
+Name[pt]=Gestão de SELinux
+Name[ru]=Управление SELinux
+Name[sv]=SELinux-hantering
+Name[ta]=SELinux மேலாண்மை
+Name[te]=SELinux నిర్వహణ
+Name[uk]=Керування SELinux
+Name[zh_CN]=SELinux 管理
+Name[zh_TW]=SELinux 管理
+Comment=Configure SELinux in a graphical setting
+Comment[bn_IN]=গ্রাফিক্যাল পরিবেশে SELinux কনফিগার করুন
+Comment[ca]=Configura SELinuc an mode de preferències gràfiques
+Comment[da]=Konfigurér SELinux i et grafisk miljø
+Comment[de]=SELinux in einer grafischen Einstellung konfigurieren
+Comment[es]=Defina SELinux en una configuración de interfaz gráfica
+Comment[fi]=Tee SELinuxin asetukset graafisesti
+Comment[fr]=Configure SELinux dans un environnement graphique
+Comment[gu]=ગ્રાફિકલ સુયોજનમાં SELinux ને રૂપરેખાંકિત કરો
+Comment[hi]=SELinux को आलेखी सेटिंग में विन्यस्त करें
+Comment[it]=Configura SELinux in una impostazione grafica
+Comment[jp]=グラフィカルな設定画面で SELinux を設定する
+Comment[ko]=SELinux를 그래픽 사용자 인터페이스로 설정
+Comment[kn]=SELinux ಅನ್ನು ಒಂದು ಚಿತ್ರಾತ್ಮಕ ಸಿದ್ದತೆಯಲ್ಲಿ ಸಂರಚಿಸಿ
+Comment[ml]=ഒരു ഗ്രാഫിക്കല് സജ്ജീകരണത്തില് SELinux ക്രമീകരിയ്ക്കുക
+Comment[mr]=ग्राफिकल सेटिंगमध्ये SELinux संरचीत करा
+Comment[nl]=Configureer SELinux in een grafische omgeving
+Comment[or]=SELinux କୁ ଆଲେଖିକ ସଂରଚନାରେ ବିନ୍ୟାସ କରନ୍ତୁ
+Comment[pa]=SELinux ਨੂੰ ਗਰਾਫੀਕਲ ਸੈਟਿੰਗ ਵਿੱਚ ਸੰਰਚਿਤ ਕਰੋ
+Comment[pl]=Konfiguracja SELinuksa w trybie graficznym
+Comment[pt]=Configurar o SELinux num ambiente gráfico
+Comment[pt_BR]=Configure o SELinux em uma configuração gráfica
+Comment[ru]=Настройка SELinux в графическом режиме
+Comment[sv]=Konfigurera SELinux i en grafisk miljö
+Comment[ta]=SELinuxஐ ஒரு வரைகலை அமைவில் கட்டமைக்கவும்
+Comment[te]=SELinuxను గ్రాఫికల్ అమర్పునందు ఆకృతీకరించుము
+Comment[uk]=Засіб для налаштування SELinux з графічним інтерфейсом
+Comment[zh_CN]=在图形设置中配置 SELinux
+Comment[zh_TW]=在圖形話設定中配置 SELinux
+StartupNotify=true
+Icon=system-config-selinux
+Exec=/usr/bin/system-config-selinux
+Type=Application
+Terminal=false
+Categories=System;Security;
+X-Desktop-File-Install-Version=0.2
+Keywords=policy;security;selinux;avc;permission;mac;
diff --git a/policycoreutils/gui/system-config-selinux.png b/policycoreutils/gui/system-config-selinux.png
new file mode 100644
index 0000000..68ffcb7
Binary files /dev/null and b/policycoreutils/gui/system-config-selinux.png differ
diff --git a/policycoreutils/load_policy/load_policy.8 b/policycoreutils/load_policy/load_policy.8
index f9ca36e..a86073f 100644
--- a/policycoreutils/load_policy/load_policy.8
+++ b/policycoreutils/load_policy/load_policy.8
@@ -19,7 +19,7 @@ values in the policy file.
suppress warning messages.
.TP
.B \-i
-inital policy load. Only use this if this is the first time policy is being loaded since boot (usually called from initramfs).
+initial policy load. Only use this if this is the first time policy is being loaded since boot (usually called from initramfs).
.SH "EXIT STATUS"
.TP
diff --git a/policycoreutils/man/man5/selinux_config.5 b/policycoreutils/man/man5/selinux_config.5
index 4963cdc..a55dbed 100644
--- a/policycoreutils/man/man5/selinux_config.5
+++ b/policycoreutils/man/man5/selinux_config.5
@@ -92,7 +92,7 @@ The binary policy name has by convention the SELinux policy version that it supp
.RS
This entry is deprecated and should be removed or set to \fI0\fR.
.sp
-If set to \fI1\fR, then \fBselinux_mkload_policy\fR(3) will read the local customisation for booleans (see \fBbooleans\fR(5)) and users (see \fBlocal.users\fR(5)).
+If set to \fI1\fR, then \fBselinux_mkload_policy\fR(3) will read the local customization for booleans (see \fBbooleans\fR(5)) and users (see \fBlocal.users\fR(5)).
.RE
.sp
.B REQUIRESEUSERS
diff --git a/policycoreutils/newrole/newrole.c b/policycoreutils/newrole/newrole.c
index 8fbf2d0..4e59a06 100644
--- a/policycoreutils/newrole/newrole.c
+++ b/policycoreutils/newrole/newrole.c
@@ -547,9 +547,7 @@ static int drop_capabilities(int full)
if (!uid) return 0;
capng_setpid(getpid());
- capng_clear(CAPNG_SELECT_BOTH);
- if (capng_lock() < 0)
- return -1;
+ capng_clear(CAPNG_SELECT_CAPS);
/* Change uid */
if (setresuid(uid, uid, uid)) {
@@ -558,7 +556,7 @@ static int drop_capabilities(int full)
}
if (! full)
capng_update(CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED, CAP_AUDIT_WRITE);
- return capng_apply(CAPNG_SELECT_BOTH);
+ return capng_apply(CAPNG_SELECT_CAPS);
}
#elif defined(NAMESPACE_PRIV)
/**
@@ -576,20 +574,21 @@ static int drop_capabilities(int full)
*/
static int drop_capabilities(int full)
{
+ uid_t uid = getuid();
+ if (!uid) return 0;
+
capng_setpid(getpid());
- capng_clear(CAPNG_SELECT_BOTH);
- if (capng_lock() < 0)
- return -1;
+ capng_clear(CAPNG_SELECT_CAPS);
- uid_t uid = getuid();
/* Change uid */
if (setresuid(uid, uid, uid)) {
fprintf(stderr, _("Error changing uid, aborting.\n"));
return -1;
}
if (! full)
- capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED, CAP_SYS_ADMIN , CAP_FOWNER , CAP_CHOWN, CAP_DAC_OVERRIDE, CAP_SETPCAP, -1);
- return capng_apply(CAPNG_SELECT_BOTH);
+ capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED, CAP_SYS_ADMIN , CAP_FOWNER , CAP_CHOWN, CAP_DAC_OVERRIDE, CAP_AUDIT_WRITE, -1);
+
+ return capng_apply(CAPNG_SELECT_CAPS);
}
#else
@@ -680,7 +679,7 @@ static int relabel_tty(const char *ttyn, security_context_t new_context,
security_context_t * tty_context,
security_context_t * new_tty_context)
{
- int fd;
+ int fd, rc;
int enforcing = security_getenforce();
security_context_t tty_con = NULL;
security_context_t new_tty_con = NULL;
@@ -699,7 +698,13 @@ static int relabel_tty(const char *ttyn, security_context_t new_context,
fprintf(stderr, _("Error! Could not open %s.\n"), ttyn);
return fd;
}
- fcntl(fd, F_SETFL, fcntl(fd, F_GETFL, 0) & ~O_NONBLOCK);
+ /* this craziness is to make sure we cann't block on open and deadlock */
+ rc = fcntl(fd, F_SETFL, fcntl(fd, F_GETFL, 0) & ~O_NONBLOCK);
+ if (rc) {
+ fprintf(stderr, _("Error! Could not clear O_NONBLOCK on %s\n"), ttyn);
+ close(fd);
+ return rc;
+ }
if (fgetfilecon(fd, &tty_con) < 0) {
fprintf(stderr, _("%s! Could not get current context "
@@ -1010,9 +1015,9 @@ int main(int argc, char *argv[])
int fd;
pid_t childPid = 0;
char *shell_argv0 = NULL;
+ int rc;
#ifdef USE_PAM
- int rc;
int pam_status; /* pam return code */
pam_handle_t *pam_handle; /* opaque handle used by all PAM functions */
@@ -1226,15 +1231,23 @@ int main(int argc, char *argv[])
fd = open(ttyn, O_RDONLY | O_NONBLOCK);
if (fd != 0)
goto err_close_pam;
- fcntl(fd, F_SETFL, fcntl(fd, F_GETFL, 0) & ~O_NONBLOCK);
+ rc = fcntl(fd, F_SETFL, fcntl(fd, F_GETFL, 0) & ~O_NONBLOCK);
+ if (rc)
+ goto err_close_pam;
+
fd = open(ttyn, O_RDWR | O_NONBLOCK);
if (fd != 1)
goto err_close_pam;
- fcntl(fd, F_SETFL, fcntl(fd, F_GETFL, 0) & ~O_NONBLOCK);
+ rc = fcntl(fd, F_SETFL, fcntl(fd, F_GETFL, 0) & ~O_NONBLOCK);
+ if (rc)
+ goto err_close_pam;
+
fd = open(ttyn, O_RDWR | O_NONBLOCK);
if (fd != 2)
goto err_close_pam;
- fcntl(fd, F_SETFL, fcntl(fd, F_GETFL, 0) & ~O_NONBLOCK);
+ rc = fcntl(fd, F_SETFL, fcntl(fd, F_GETFL, 0) & ~O_NONBLOCK);
+ if (rc)
+ goto err_close_pam;
}
/*
@@ -1268,19 +1281,24 @@ int main(int argc, char *argv[])
}
#endif
- if (send_audit_message(1, old_context, new_context, ttyn))
+ if (send_audit_message(1, old_context, new_context, ttyn)) {
+ fprintf(stderr, _("Failed to send audit message"));
goto err_close_pam_session;
+ }
freecon(old_context); old_context=NULL;
freecon(new_context); new_context=NULL;
#ifdef NAMESPACE_PRIV
- if (transition_to_caller_uid())
+ if (transition_to_caller_uid()) {
+ fprintf(stderr, _("Failed to transition to namespace\n"));
goto err_close_pam_session;
+ }
#endif
- if (drop_capabilities(TRUE))
+ if (drop_capabilities(TRUE)) {
+ fprintf(stderr, _("Failed to drop capabilities %m\n"));
goto err_close_pam_session;
-
+ }
/* Handle environment changes */
if (restore_environment(preserve_environment, old_environ, &pw)) {
fprintf(stderr, _("Unable to restore the environment, "
diff --git a/policycoreutils/newrole/newrole.pamd b/policycoreutils/newrole/newrole.pamd
index d1b435c..de3582f 100644
--- a/policycoreutils/newrole/newrole.pamd
+++ b/policycoreutils/newrole/newrole.pamd
@@ -1,4 +1,6 @@
#%PAM-1.0
+# Uncomment the next line if you do not want to enter your passwd everytime
+# auth sufficient pam_rootok.so
auth include system-auth
account include system-auth
password include system-auth
diff --git a/policycoreutils/po/Makefile b/policycoreutils/po/Makefile
index a377996..9c1486e 100644
--- a/policycoreutils/po/Makefile
+++ b/policycoreutils/po/Makefile
@@ -81,12 +81,16 @@ POTFILES = \
../sepolicy/sepolicy/templates/var_log.py \
../sepolicy/sepolicy/templates/var_run.py \
../sepolicy/sepolicy/templates/var_spool.py \
+ booleans.py
#default:: clean
all:: $(MOFILES)
-$(POTFILE): $(POTFILES)
+booleans.py:
+ sepolicy booleans -a > booleans.py
+
+$(POTFILE): $(POTFILES) booleans.py
$(XGETTEXT) --keyword=_ --keyword=N_ $(POTFILES)
@if cmp -s $(NLSPACKAGE).po $(POTFILE); then \
rm -f $(NLSPACKAGE).po; \
@@ -95,6 +99,7 @@ $(POTFILE): $(POTFILES)
fi; \
update-po: Makefile $(POTFILE) refresh-po
+ @rm -f booleans.py
refresh-po: Makefile
for cat in $(POFILES); do \
diff --git a/policycoreutils/po/es.po b/policycoreutils/po/es.po
index e84995e..a60b20e 100644
--- a/policycoreutils/po/es.po
+++ b/policycoreutils/po/es.po
@@ -3,7 +3,9 @@
# This file is distributed under the same license as the PACKAGE package.
#
# Translators:
+# Adolfo Jayme Barrientos <fitoschido@gmail.com>, 2013.
# Domingo Becker <domingobecker@gmail.com>, 2006, 2008.
+# <ehespinosa@ya.com>, 2013.
# Gladys Guerrero <gguerrer@redhat.com>, 2010,2012.
# Héctor Daniel Cabrera <logan@fedoraproject.org>, 2010.
msgid ""
@@ -11,8 +13,8 @@ msgstr ""
"Project-Id-Version: Policycoreutils\n"
"Report-Msgid-Bugs-To: \n"
"POT-Creation-Date: 2013-01-04 12:01-0500\n"
-"PO-Revision-Date: 2013-01-04 17:02+0000\n"
-"Last-Translator: dwalsh <dwalsh@redhat.com>\n"
+"PO-Revision-Date: 2013-02-23 11:46+0000\n"
+"Last-Translator: vareli <ehespinosa@ya.com>\n"
"Language-Team: Spanish <trans-es@lists.fedoraproject.org>\n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
@@ -288,7 +290,7 @@ msgstr "Rango MLS/MCS"
#: ../semanage/seobject.py:672
msgid "Service"
-msgstr ""
+msgstr "Servicio"
#: ../semanage/seobject.py:698 ../semanage/seobject.py:729
#: ../semanage/seobject.py:796 ../semanage/seobject.py:853
@@ -425,7 +427,7 @@ msgstr "Se requiere tipo"
#: ../semanage/seobject.py:1814
#, python-format
msgid "Type %s is invalid, must be a port type"
-msgstr ""
+msgstr "Tipo %s es no válido, debe ser un tipo de puerto"
#: ../semanage/seobject.py:1000 ../semanage/seobject.py:1062
#: ../semanage/seobject.py:1117 ../semanage/seobject.py:1123
@@ -547,12 +549,12 @@ msgstr "Falta el protocolo o es desconocido"
#: ../semanage/seobject.py:1256
msgid "SELinux node type is required"
-msgstr ""
+msgstr "Se requiere tipo de nodo SELinux"
#: ../semanage/seobject.py:1259 ../semanage/seobject.py:1327
#, python-format
msgid "Type %s is invalid, must be a node type"
-msgstr ""
+msgstr "Tipo %s es no válido, debe ser un tipo nodo"
#: ../semanage/seobject.py:1263 ../semanage/seobject.py:1331
#: ../semanage/seobject.py:1367 ../semanage/seobject.py:1465
@@ -786,7 +788,7 @@ msgstr "La especificación de archivo %s choca con la regla de equivalencia '%s
#: ../semanage/seobject.py:1755
#, python-format
msgid "Type %s is invalid, must be a file or device type"
-msgstr ""
+msgstr "Tipo %s es no válido, debe ser un tipo fichero o dispositivo"
#: ../semanage/seobject.py:1763 ../semanage/seobject.py:1768
#: ../semanage/seobject.py:1824 ../semanage/seobject.py:1906
@@ -2174,11 +2176,11 @@ msgstr "La ruta en la cual se almacenarán las páginas de manual generadas "
#: ../sepolicy/sepolicy.py:207
msgid "name of the OS for man pages"
-msgstr ""
+msgstr "nombre del SO para las páginas de manual"
#: ../sepolicy/sepolicy.py:209
msgid "Generate HTML man pages structure for selected SELinux man page"
-msgstr ""
+msgstr "General páginas de manual de estructura HTML para la página de manual SELinux seleccionada"
#: ../sepolicy/sepolicy.py:213
msgid "All domains"
@@ -2226,7 +2228,7 @@ msgstr "Solicita la política de SELinux para ver la descripción de booleanos"
#: ../sepolicy/sepolicy.py:280
msgid "get all booleans descriptions"
-msgstr ""
+msgstr "obtiene todas las descripciones booleanas"
#: ../sepolicy/sepolicy.py:282
msgid "boolean to get description"
@@ -2248,11 +2250,11 @@ msgstr "Dominio de proceso de destino"
#: ../sepolicy/sepolicy.py:327
msgid "Command required for this type of policy"
-msgstr ""
+msgstr "Comando requerido para este tipo de política"
#: ../sepolicy/sepolicy.py:347
msgid "List SELinux Policy interfaces"
-msgstr ""
+msgstr "Lista las interfaces de la Política SELinux"
#: ../sepolicy/sepolicy.py:362
msgid "Generate SELinux Policy module template"
@@ -2260,15 +2262,15 @@ msgstr "Generar plantilla para módulo de política SELinux"
#: ../sepolicy/sepolicy.py:365
msgid "Enter domain type which you will be extending"
-msgstr ""
+msgstr "Introduzca el tipo de dominio que usted estaría extendiendo"
#: ../sepolicy/sepolicy.py:368
msgid "Enter SELinux user(s) which will transition to this domain"
-msgstr ""
+msgstr "Introduzca el usuario(s) SELinux que transicionará a este dominio"
#: ../sepolicy/sepolicy.py:371
msgid "Enter domain(s) that this confined admin will administrate"
-msgstr ""
+msgstr "Introduzca el dominio(s) que este administrador confinado administrará"
#: ../sepolicy/sepolicy.py:374
msgid "name of policy to generate"
@@ -2276,7 +2278,7 @@ msgstr "Nombre de política a generar"
#: ../sepolicy/sepolicy.py:378
msgid "path in which the generated policy files will be stored"
-msgstr ""
+msgstr "ruta en la que los ficheros de política generados serán almacenados"
#: ../sepolicy/sepolicy.py:380
msgid "executable to confine"
@@ -2290,7 +2292,7 @@ msgstr "Ejecutable a confinar"
#: ../sepolicy/sepolicy.py:414 ../sepolicy/sepolicy.py:417
#, python-format
msgid "Generate Policy for %s"
-msgstr ""
+msgstr "Generar Política para %s"
#: ../sepolicy/sepolicy.py:422
msgid "commands"
@@ -2298,16 +2300,16 @@ msgstr "Comandos"
#: ../sepolicy/sepolicy.py:425
msgid "Alternate SELinux policy, defaults to /sys/fs/selinux/policy"
-msgstr ""
+msgstr "Política SELinux suplente, por defecto a /sys/fs/selinux/policy"
#: ../sepolicy/sepolicy/__init__.py:48
msgid "No SELinux Policy installed"
-msgstr ""
+msgstr "No hay Política SELinux instalada"
#: ../sepolicy/sepolicy/__init__.py:54
#, python-format
msgid "Failed to read %s policy file"
-msgstr ""
+msgstr "Fallo al leer el fichero de política %s"
#: ../sepolicy/sepolicy/__init__.py:127
msgid "unknown"
@@ -2319,27 +2321,27 @@ msgstr "Demonio de los servicios de Internet"
#: ../sepolicy/sepolicy/generate.py:177
msgid "Existing Domain Type"
-msgstr ""
+msgstr "Tipo de Dominio Existente"
#: ../sepolicy/sepolicy/generate.py:178
msgid "Minimal Terminal Login User Role"
-msgstr ""
+msgstr "Rol de Acceso de Usuario de Terminal Mínimo"
#: ../sepolicy/sepolicy/generate.py:179
msgid "Minimal X Windows Login User Role"
-msgstr ""
+msgstr "Rol de Acceso de Usuario de X Windows Mínima"
#: ../sepolicy/sepolicy/generate.py:180
msgid "Desktop Login User Role"
-msgstr ""
+msgstr "Rol de Acceso de Usuario a Escritorio"
#: ../sepolicy/sepolicy/generate.py:181
msgid "Administrator Login User Role"
-msgstr ""
+msgstr "Rol de Acceso de Usuario Administrador"
#: ../sepolicy/sepolicy/generate.py:182
msgid "Confined Root Administrator Role"
-msgstr ""
+msgstr "Rol de Administrador Confinado Root"
#: ../sepolicy/sepolicy/generate.py:187
msgid "Valid Types:\n"
@@ -2352,12 +2354,12 @@ msgstr "Los puertos deben ser números o rangos de números entre 1 y %d"
#: ../sepolicy/sepolicy/generate.py:231
msgid "You must enter a valid policy type"
-msgstr ""
+msgstr "Debe introducir un tipo válido de política"
#: ../sepolicy/sepolicy/generate.py:234
#, python-format
msgid "You must enter a name for your policy module for your %s."
-msgstr ""
+msgstr "Debe introducir un nombre para su módulo de política para su %s."
#: ../sepolicy/sepolicy/generate.py:355
msgid ""
@@ -2396,7 +2398,7 @@ msgstr "USER Types automáticamente obtiene un tipo tmp"
#: ../sepolicy/sepolicy/generate.py:857
#, python-format
msgid "%s policy modules require existing domains"
-msgstr ""
+msgstr "%s módulo de política requieren dominios existentes"
#: ../sepolicy/sepolicy/generate.py:1059
msgid "You must enter the executable path for your confined process"
@@ -2416,7 +2418,7 @@ msgstr "Archivo de contextos de archivo"
#: ../sepolicy/sepolicy/generate.py:1324
msgid "Spec file"
-msgstr ""
+msgstr "Fichero spec"
#: ../sepolicy/sepolicy/generate.py:1325
msgid "Setup Script"
@@ -2438,11 +2440,11 @@ msgstr "Permite a amavis usar un compilador de JIT"
#: booleans.py:4
msgid "Allow antivirus programs to read non security files on a system"
-msgstr ""
+msgstr "Permitir a programas antivirus leer ficheros no asegurados sobre un sistema"
#: booleans.py:5
msgid "Allow auditadm to exec content"
-msgstr ""
+msgstr "Permitir al administrador de auditoria ejecutar contenido"
#: booleans.py:6
msgid ""
@@ -2456,11 +2458,11 @@ msgstr "Permite a usuarios iniciar sesión mediante un servidor Radius"
#: booleans.py:8
msgid "Allow users to login using a yubikey server"
-msgstr ""
+msgstr "Permite a los usuario acceder usando una servidor yubikey"
#: booleans.py:9
msgid "Allow awstats to purge Apache logs"
-msgstr ""
+msgstr "Permitir a awstats purgar los registros de Apache"
#: booleans.py:10
msgid ""
@@ -2528,11 +2530,11 @@ msgstr "Permite a todos los demonios la lectura y escritura de terminales"
#: booleans.py:25
msgid "Allow dan to manage user files"
-msgstr ""
+msgstr "Permitir a dan gestionar los archivos del usuario"
#: booleans.py:26
msgid "Allow dan to read user files"
-msgstr ""
+msgstr "Permitir a dan leer los archivos del usuario"
#: booleans.py:27
msgid "Allow dbadm to manage files in users home directories"
@@ -2599,7 +2601,7 @@ msgstr "Permite al dominio en valla ejecutar ssh."
#: booleans.py:42
msgid "Allow all domains to execute in fips_mode"
-msgstr ""
+msgstr "Permite ejecutar todos los dominios en modo fips"
#: booleans.py:43
msgid "Allow ftp to read and write files in the user home directories"
@@ -2699,7 +2701,7 @@ msgstr "Permite a GSSD leer el directorio temp. Para acceder a kerberos tgt."
#: booleans.py:64
msgid "Allow guest to exec content"
-msgstr ""
+msgstr "Permite al invitado ejecutar contenido"
#: booleans.py:65
msgid ""
@@ -2854,7 +2856,7 @@ msgstr "Permite a HTTPD acceder a puertos Openstack"
#: booleans.py:100
msgid "Allow Apache to query NS records"
-msgstr ""
+msgstr "Permite a Apache consultar registros NS"
#: booleans.py:101
msgid "Allow icecast to connect to all ports, not just sound ports."
@@ -2951,7 +2953,7 @@ msgstr "Permite a las aplicaciones confinadas usar memoria compartida NSCD "
#: booleans.py:122
msgid "Allow openshift to lockdown app"
-msgstr ""
+msgstr "Permite openshift para lockdown app"
#: booleans.py:123
msgid "Allow openvpn to read home directories"
@@ -3116,7 +3118,7 @@ msgstr "Permite a SASL leer sombra"
#: booleans.py:161
msgid "Allow secadm to exec content"
-msgstr ""
+msgstr "Permita a secadm ejecutar contenido"
#: booleans.py:162
msgid ""
@@ -3188,7 +3190,7 @@ msgstr "Permite a scripts y módulos HTTPD la conexión al puerto LDAP"
#: booleans.py:174
msgid "Allow user to use ssh chroot environment."
-msgstr ""
+msgstr "Permite al usuario usar el entorno ssh chroot"
#: booleans.py:175
msgid "Allow user music sharing"
@@ -3270,7 +3272,7 @@ msgstr "Permitir ingresos ssh como sysadm_r:sysadm_t"
#: booleans.py:191
msgid "Allow staff to exec content"
-msgstr ""
+msgstr "Permite a staff ejecutar contenido"
#: booleans.py:192
msgid "allow staff user to create and transition to svirt domains."
@@ -3278,7 +3280,7 @@ msgstr "Permite a scripts y módulos HTTPD la conexión al puerto LDAP"
#: booleans.py:193
msgid "Allow sysadm to exec content"
-msgstr ""
+msgstr "Permite a sysadm ejecutar contenido"
#: booleans.py:194
msgid ""
@@ -3297,7 +3299,7 @@ msgstr "Permite a tftp modificar los archivos públicos utilizados para servicio
#: booleans.py:197
msgid "Allow tftp to read and write files in the user home directories"
-msgstr ""
+msgstr "Permite a tftp leer y escribir archivos en los directorios home de usuario"
#: booleans.py:198
msgid "Allow tor daemon to bind tcp sockets to all unreserved ports."
@@ -3305,7 +3307,7 @@ msgstr "Permite a scripts y módulos HTTPD la conexión al puerto LDAP"
#: booleans.py:199
msgid "Allow tor to act as a relay"
-msgstr ""
+msgstr "Permite a tor actuar como relé"
#: booleans.py:200
msgid ""
@@ -3353,7 +3355,7 @@ msgstr "Soporta directorios principales de Samba"
#: booleans.py:210
msgid "Allow user to exec content"
-msgstr ""
+msgstr "Permite al usuario ejecutar contenido"
#: booleans.py:211
msgid "Allow varnishd to connect to all ports, not just HTTP."
@@ -3383,7 +3385,7 @@ msgstr "Permite a los huéspedes virtuales confinados administrar archivos NFS"
#: booleans.py:217
msgid "Allow confined virtual guests to interact with rawip sockets"
-msgstr ""
+msgstr "Permite a los invitados virtuales confinados interactuar con sockets rawip"
#: booleans.py:218
msgid "Allow confined virtual guests to manage cifs files"
@@ -3447,7 +3449,7 @@ msgstr "Permite a los usuario xguest configurar el Network Manager y conectar
#: booleans.py:232
msgid "Allow xguest to exec content"
-msgstr ""
+msgstr "Permite a xguest ejecutar contenido"
#: booleans.py:233
msgid "Allow xguest users to mount removable media"
diff --git a/policycoreutils/po/ja.po b/policycoreutils/po/ja.po
index 72ae12d..649d288 100644
--- a/policycoreutils/po/ja.po
+++ b/policycoreutils/po/ja.po
@@ -9,14 +9,14 @@
# <noriko@fedoraproject.org>, 2012.
# Noriko Mizumoto <noriko@redhat.com>, 2006, 2008, 2009.
# Takuro Nagamoto <tnagamot@redhat.com>, 2006.
-# Tomoyuki KATO <tomo@dream.daynight.jp>, 2012.
+# Tomoyuki KATO <tomo@dream.daynight.jp>, 2012-2013.
msgid ""
msgstr ""
"Project-Id-Version: Policycoreutils\n"
"Report-Msgid-Bugs-To: \n"
"POT-Creation-Date: 2013-01-04 12:01-0500\n"
-"PO-Revision-Date: 2013-01-04 17:02+0000\n"
-"Last-Translator: dwalsh <dwalsh@redhat.com>\n"
+"PO-Revision-Date: 2013-02-14 03:32+0000\n"
+"Last-Translator: Tomoyuki KATO <tomo@dream.daynight.jp>\n"
"Language-Team: Japanese <trans-ja@lists.fedoraproject.org>\n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
@@ -292,7 +292,7 @@ msgstr "MLS/MCS 範囲"
#: ../semanage/seobject.py:672
msgid "Service"
-msgstr ""
+msgstr "サービス"
#: ../semanage/seobject.py:698 ../semanage/seobject.py:729
#: ../semanage/seobject.py:796 ../semanage/seobject.py:853
@@ -429,7 +429,7 @@ msgstr "タイプが必要です"
#: ../semanage/seobject.py:1814
#, python-format
msgid "Type %s is invalid, must be a port type"
-msgstr ""
+msgstr "形式 %s が無効です、ポート形式である必要があります"
#: ../semanage/seobject.py:1000 ../semanage/seobject.py:1062
#: ../semanage/seobject.py:1117 ../semanage/seobject.py:1123
@@ -551,12 +551,12 @@ msgstr "不明又は欠如したプロトコル"
#: ../semanage/seobject.py:1256
msgid "SELinux node type is required"
-msgstr ""
+msgstr "SELinux ノード形式が必要です"
#: ../semanage/seobject.py:1259 ../semanage/seobject.py:1327
#, python-format
msgid "Type %s is invalid, must be a node type"
-msgstr ""
+msgstr "形式 %s が無効です、ノード形式である必要があります"
#: ../semanage/seobject.py:1263 ../semanage/seobject.py:1331
#: ../semanage/seobject.py:1367 ../semanage/seobject.py:1465
@@ -790,7 +790,7 @@ msgstr "ファイル仕様 %s は、等価規則 '%s %s' と競合します; 代
#: ../semanage/seobject.py:1755
#, python-format
msgid "Type %s is invalid, must be a file or device type"
-msgstr ""
+msgstr "形式 %s が無効です、ファイルまたはデバイス形式である必要があります"
#: ../semanage/seobject.py:1763 ../semanage/seobject.py:1768
#: ../semanage/seobject.py:1824 ../semanage/seobject.py:1906
@@ -2178,11 +2178,11 @@ msgstr "生成された SELinux の man ページの格納先となるパス"
#: ../sepolicy/sepolicy.py:207
msgid "name of the OS for man pages"
-msgstr ""
+msgstr "マニュアルページ向け OS 名称"
#: ../sepolicy/sepolicy.py:209
msgid "Generate HTML man pages structure for selected SELinux man page"
-msgstr ""
+msgstr "選択された SELinux マニュアルページ向けの HTML マニュアルページの構成を生成する"
#: ../sepolicy/sepolicy.py:213
msgid "All domains"
@@ -2230,7 +2230,7 @@ msgstr "SELinux に問い合わせて boolean の詳細を表示する"
#: ../sepolicy/sepolicy.py:280
msgid "get all booleans descriptions"
-msgstr ""
+msgstr "すべてのブーリアンの説明を取得する"
#: ../sepolicy/sepolicy.py:282
msgid "boolean to get description"
@@ -2252,11 +2252,11 @@ msgstr "ターゲットプロセスドメイン"
#: ../sepolicy/sepolicy.py:327
msgid "Command required for this type of policy"
-msgstr ""
+msgstr "この種類のポリシーに対して要求されるコマンド"
#: ../sepolicy/sepolicy.py:347
msgid "List SELinux Policy interfaces"
-msgstr ""
+msgstr "SELinux ポリシー・インターフェースの一覧表示"
#: ../sepolicy/sepolicy.py:362
msgid "Generate SELinux Policy module template"
@@ -2294,7 +2294,7 @@ msgstr "制限を課す実行ファイル"
#: ../sepolicy/sepolicy.py:414 ../sepolicy/sepolicy.py:417
#, python-format
msgid "Generate Policy for %s"
-msgstr ""
+msgstr "%s 向けのポリシーの生成"
#: ../sepolicy/sepolicy.py:422
msgid "commands"
@@ -2306,12 +2306,12 @@ msgstr ""
#: ../sepolicy/sepolicy/__init__.py:48
msgid "No SELinux Policy installed"
-msgstr ""
+msgstr "インストールされている SELinux ポリシーがありません"
#: ../sepolicy/sepolicy/__init__.py:54
#, python-format
msgid "Failed to read %s policy file"
-msgstr ""
+msgstr "%s ポリシーファイルの読み込みに失敗しました"
#: ../sepolicy/sepolicy/__init__.py:127
msgid "unknown"
@@ -2335,15 +2335,15 @@ msgstr ""
#: ../sepolicy/sepolicy/generate.py:180
msgid "Desktop Login User Role"
-msgstr ""
+msgstr "デスクトップログインユーザーロール"
#: ../sepolicy/sepolicy/generate.py:181
msgid "Administrator Login User Role"
-msgstr ""
+msgstr "管理者のログインユーザーロール"
#: ../sepolicy/sepolicy/generate.py:182
msgid "Confined Root Administrator Role"
-msgstr ""
+msgstr "制限された root 管理者ロール"
#: ../sepolicy/sepolicy/generate.py:187
msgid "Valid Types:\n"
@@ -2356,7 +2356,7 @@ msgstr "ポートは数字、又は 1 から %d までの数字の範囲でな
#: ../sepolicy/sepolicy/generate.py:231
msgid "You must enter a valid policy type"
-msgstr ""
+msgstr "有効なポリシー種別を入力する必要があります"
#: ../sepolicy/sepolicy/generate.py:234
#, python-format
@@ -2460,11 +2460,11 @@ msgstr "ユーザーが RADIUS サーバーを使用してログインするこ
#: booleans.py:8
msgid "Allow users to login using a yubikey server"
-msgstr ""
+msgstr "ユーザーが yubikey サーバーを使用してログインすることを許可する"
#: booleans.py:9
msgid "Allow awstats to purge Apache logs"
-msgstr ""
+msgstr "awstats が Apache のログを消去することを許可する"
#: booleans.py:10
msgid ""
@@ -2532,11 +2532,11 @@ msgstr "すべてのデーモンが端末を読み書きすることを許可し
#: booleans.py:25
msgid "Allow dan to manage user files"
-msgstr ""
+msgstr "dan がユーザーファイルを管理することを許可する"
#: booleans.py:26
msgid "Allow dan to read user files"
-msgstr ""
+msgstr "dan がユーザーファイルを読み取ることを許可する"
#: booleans.py:27
msgid "Allow dbadm to manage files in users home directories"
@@ -2603,7 +2603,7 @@ msgstr "隔離ドメインによる ssh の実行を許可します。"
#: booleans.py:42
msgid "Allow all domains to execute in fips_mode"
-msgstr ""
+msgstr "すべてのドメインが fips_mode で実行することを許可する"
#: booleans.py:43
msgid "Allow ftp to read and write files in the user home directories"
@@ -2872,7 +2872,7 @@ msgstr "あらゆるポートへの接続および予約されていないポー
#: booleans.py:103
msgid "Allow confined applications to run with kerberos."
-msgstr ""
+msgstr "制限されたアプリケーションが Kerberos とともに動作することを許可する"
#: booleans.py:104
msgid "Allow syslogd daemon to send mail"
@@ -2880,11 +2880,11 @@ msgstr "syslogd デーモンがメールを送信することを許可します
#: booleans.py:105
msgid "Allow syslogd the ability to read/write terminals"
-msgstr ""
+msgstr "syslogd が端末を読み書きすることを許可する"
#: booleans.py:106
msgid "Allow logging in and using the system from /dev/console."
-msgstr ""
+msgstr "/dev/console からログインしてシステムを使用することを許可する"
#: booleans.py:107
msgid ""
@@ -2947,7 +2947,7 @@ msgstr ""
#: booleans.py:120
msgid "Allow system to run with NIS"
-msgstr ""
+msgstr "システムが NIS を使用することを許可する"
#: booleans.py:121
msgid "Allow confined applications to use nscd shared memory."
@@ -3361,7 +3361,7 @@ msgstr ""
#: booleans.py:211
msgid "Allow varnishd to connect to all ports, not just HTTP."
-msgstr ""
+msgstr "varnishd が HTTP 以外のすべてのポートに接続することを許可する"
#: booleans.py:212
msgid "Ignore vbetool mmap_zero errors."
@@ -3370,20 +3370,20 @@ msgstr "vbetool mmap_zero エラーを無視します。"
#: booleans.py:213
msgid ""
"Allow confined virtual guests to use serial/parallel communication ports"
-msgstr ""
+msgstr "制限された仮想マシンがシリアル/パラレル通信ポートを使用することを許可する"
#: booleans.py:214
msgid ""
"Allow confined virtual guests to use executable memory and executable stack"
-msgstr ""
+msgstr "制限された仮想マシンが実行可能なメモリおよび実行可能なスタックを使用することを許可する"
#: booleans.py:215
msgid "Allow confined virtual guests to read fuse files"
-msgstr ""
+msgstr "制限された仮想マシンが FUSE ファイルを読み込むことを許可する"
#: booleans.py:216
msgid "Allow confined virtual guests to manage nfs files"
-msgstr ""
+msgstr "制限された仮想マシンが NFS ファイルを管理することを許可する"
#: booleans.py:217
msgid "Allow confined virtual guests to interact with rawip sockets"
@@ -3391,15 +3391,15 @@ msgstr ""
#: booleans.py:218
msgid "Allow confined virtual guests to manage cifs files"
-msgstr ""
+msgstr "制限された仮想マシンが CIFS ファイルを管理することを許可する"
#: booleans.py:219
msgid "Allow confined virtual guests to interact with the sanlock"
-msgstr ""
+msgstr "制限された仮想マシンが sanlock と通信することを許可する"
#: booleans.py:220
msgid "Allow confined virtual guests to manage device configuration, (pci)"
-msgstr ""
+msgstr "制限された仮想マシンがデバイス設定 (pci) を管理することを許可する"
#: booleans.py:221
msgid "Allow confined virtual guests to use usb devices"
@@ -3438,11 +3438,11 @@ msgstr "Xen が NFS ファイルを管理することを許可する"
msgid ""
"Allow xend to run blktapctrl/tapdisk. Not required if using dedicated "
"logical volumes for disk images."
-msgstr ""
+msgstr "xend が blktapctrl/tapdisk を実行することを許可する。ディスクイメージ用の専用論理ボリュームを使用していなければ、必要ありません。"
#: booleans.py:230
msgid "Allow xend to run qemu-dm. Not required if using paravirt and no vfb."
-msgstr ""
+msgstr "xend が qemu-dm を実行することを許可する。準仮想化を使用していて、vfb がなければ、必要ありません。"
#: booleans.py:231
msgid ""
@@ -3455,11 +3455,11 @@ msgstr ""
#: booleans.py:233
msgid "Allow xguest users to mount removable media"
-msgstr ""
+msgstr "xguest ユーザーがリムーバブルメディアをマウントすることを許可する"
#: booleans.py:234
msgid "Allow xguest to use blue tooth devices"
-msgstr ""
+msgstr "xguest が Bluetooth デバイスを使用することを許可する"
#: booleans.py:235
msgid "Allows clients to write to the X server shared memory segments."
diff --git a/policycoreutils/restorecond/Makefile b/policycoreutils/restorecond/Makefile
index 3074542..3b704d8 100644
--- a/policycoreutils/restorecond/Makefile
+++ b/policycoreutils/restorecond/Makefile
@@ -5,6 +5,7 @@ LIBDIR ?= $(PREFIX)/lib
MANDIR = $(PREFIX)/share/man
AUTOSTARTDIR = $(DESTDIR)/etc/xdg/autostart
DBUSSERVICEDIR = $(DESTDIR)/usr/share/dbus-1/services
+SYSTEMDDIR ?= $(DESTDIR)/usr/lib/systemd
autostart_DATA = sealertauto.desktop
INITDIR = $(DESTDIR)/etc/rc.d/init.d
@@ -39,7 +40,8 @@ install: all
install -m 644 restorecond.desktop $(AUTOSTARTDIR)/restorecond.desktop
-mkdir -p $(DBUSSERVICEDIR)
install -m 600 org.selinux.Restorecond.service $(DBUSSERVICEDIR)/org.selinux.Restorecond.service
-
+ -mkdir -p $(SYSTEMDDIR)/system
+ install -m 644 restorecond.service $(SYSTEMDDIR)/system/
relabel: install
/sbin/restorecon $(SBINDIR)/restorecond
diff --git a/policycoreutils/restorecond/restorecond.service b/policycoreutils/restorecond/restorecond.service
new file mode 100644
index 0000000..11f4ffd
--- /dev/null
+++ b/policycoreutils/restorecond/restorecond.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=Restorecon maintaining path file context
+After=syslog.target
+ConditionPathExists=/etc/selinux/restorecond.conf
+
+[Service]
+Type=oneshot
+ExecStart=/usr/sbin/restorecond
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
diff --git a/policycoreutils/restorecond/user.c b/policycoreutils/restorecond/user.c
index 00a646f..2c28676 100644
--- a/policycoreutils/restorecond/user.c
+++ b/policycoreutils/restorecond/user.c
@@ -54,6 +54,7 @@ static const char *PATH="/org/selinux/Restorecond";
static const char *INTERFACE="org.selinux.RestorecondIface";
static const char *RULE="type='signal',interface='org.selinux.RestorecondIface'";
+static int local_lock_fd = -1;
static DBusHandlerResult
signal_filter (DBusConnection *connection __attribute__ ((__unused__)), DBusMessage *message, void *user_data)
@@ -201,17 +202,18 @@ static int local_server() {
perror("asprintf");
return -1;
}
- int fd = open(ptr, O_CREAT | O_WRONLY | O_NOFOLLOW | O_CLOEXEC, S_IRUSR | S_IWUSR);
+ local_lock_fd = open(ptr, O_CREAT | O_WRONLY | O_NOFOLLOW | O_CLOEXEC, S_IRUSR | S_IWUSR);
if (debug_mode)
g_warning ("Lock file: %s", ptr);
free(ptr);
- if (fd < 0) {
+ if (local_lock_fd < 0) {
if (debug_mode)
perror("open");
return -1;
}
- if (flock(fd, LOCK_EX | LOCK_NB) < 0) {
+ if (flock(local_lock_fd, LOCK_EX | LOCK_NB) < 0) {
+ close(local_lock_fd);
if (debug_mode)
perror("flock");
return -1;
@@ -226,6 +228,12 @@ static int local_server() {
return 0;
}
+static void end_local_server(void) {
+ if (local_lock_fd >= 0)
+ close(local_lock_fd);
+ local_lock_fd = -1;
+}
+
int server(int master_fd, const char *watch_file) {
GMainLoop *loop;
@@ -253,6 +261,7 @@ int server(int master_fd, const char *watch_file) {
g_main_loop_run (loop);
end:
+ end_local_server();
g_main_loop_unref (loop);
return 0;
}
diff --git a/policycoreutils/run_init/run_init.pamd b/policycoreutils/run_init/run_init.pamd
index d1b435c..1c323d2 100644
--- a/policycoreutils/run_init/run_init.pamd
+++ b/policycoreutils/run_init/run_init.pamd
@@ -1,4 +1,6 @@
#%PAM-1.0
+# Uncomment the next line if you do not want to enter your passwd everytime
+#auth sufficient pam_rootok.so
auth include system-auth
account include system-auth
password include system-auth
diff --git a/policycoreutils/sandbox/sandbox b/policycoreutils/sandbox/sandbox
index b629006..6631c2d 100644
--- a/policycoreutils/sandbox/sandbox
+++ b/policycoreutils/sandbox/sandbox
@@ -243,7 +243,7 @@ class Sandbox:
copyfile(f, "/tmp", self.__tmpdir)
copyfile(f, "/var/tmp", self.__tmpdir)
- def __setup_sandboxrc(self, wm = "/usr/bin/matchbox-window-manager -use_titlebar no"):
+ def __setup_sandboxrc(self, wm = "/usr/bin/openbox"):
execfile =self.__homedir + "/.sandboxrc"
fd = open(execfile, "w+")
if self.__options.session:
@@ -333,7 +333,7 @@ sandbox [-h] [-c] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile
parser.add_option("-W", "--windowmanager", dest="wm",
type="string",
- default="/usr/bin/matchbox-window-manager -use_titlebar no",
+ default="/usr/bin/openbox",
help=_("alternate window manager"))
parser.add_option("-l", "--level", dest="level",
diff --git a/policycoreutils/sandbox/sandbox.8 b/policycoreutils/sandbox/sandbox.8
index 521afcd..ef90ce6 100644
--- a/policycoreutils/sandbox/sandbox.8
+++ b/policycoreutils/sandbox/sandbox.8
@@ -59,7 +59,7 @@ sandbox_net_t - All network ports
.TP
\fB\-T\ tmpdir
-Use alternate tempory directory to mount on /tmp. Defaults to tmpfs. Requires -X or -M.
+Use alternate temporary directory to mount on /tmp. Defaults to tmpfs. Requires -X or -M.
.TP
\fB\-S
Run a full desktop session, Requires level, and home and tmpdir.
@@ -70,14 +70,14 @@ Specifies the windowsize when creating an X based Sandbox. The default windowsiz
\fB\-W windowmanager\fR
Select alternative window manager to run within
.B sandbox -X.
-Default to /usr/bin/matchbox-window-manager.
+Default to /usr/bin/openbox.
.TP
\fB\-X\fR
Create an X based Sandbox for gui apps, temporary files for
$HOME and /tmp, secondary Xserver, defaults to sandbox_x_t
.TP
\fB\-d\fR
-Set the DPI value for the sanbox X Server. Defaults to the current X Sever DPI.
+Set the DPI value for the sandbox X Server. Defaults to the current X Sever DPI.
.TP
\fB\-c\fR
Use control groups to control this copy of sandbox. Specify parameters in /etc/sysconfig/sandbox. Max memory usage and cpu usage are to be specified in percent. You can specify which CPUs to use by numbering them 0,1,2... etc.
diff --git a/policycoreutils/sandbox/sandboxX.sh b/policycoreutils/sandbox/sandboxX.sh
index 23de6f6..171bb05 100644
--- a/policycoreutils/sandbox/sandboxX.sh
+++ b/policycoreutils/sandbox/sandboxX.sh
@@ -6,6 +6,20 @@ export TITLE="Sandbox $context -- `grep ^#TITLE: ~/.sandboxrc | /usr/bin/cut -b8
[ -z $2 ] && export DPI="96" || export DPI="$2"
trap "exit 0" HUP
+mkdir -p ~/.config/openbox
+cat > ~/.config/openbox/rc.xml << EOF
+<openbox_config xmlns="http://openbox.org/3.4/rc"
+ xmlns:xi="http://www.w3.org/2001/XInclude">
+<applications>
+ <application class="*">
+ <decor>no</decor>
+ <desktop>all</desktop>
+ <maximized>yes</maximized>
+ </application>
+</applications>
+</openbox_config>
+EOF
+
(/usr/bin/Xephyr -title "$TITLE" -terminate -screen $SCREENSIZE -dpi $DPI -nolisten tcp -displayfd 5 5>&1 2>/dev/null) | while read D; do
export DISPLAY=:$D
cat > ~/seremote << __EOF
diff --git a/policycoreutils/sandbox/seunshare.c b/policycoreutils/sandbox/seunshare.c
index dbd5977..68a80c7 100644
--- a/policycoreutils/sandbox/seunshare.c
+++ b/policycoreutils/sandbox/seunshare.c
@@ -961,8 +961,9 @@ int main(int argc, char **argv) {
char *display = NULL;
char *LANG = NULL;
int rc = -1;
+ char *resolved_path = NULL;
- if (unshare(CLONE_NEWNS) < 0) {
+ if (unshare(CLONE_NEWNS | CLONE_NEWIPC) < 0) {
perror(_("Failed to unshare"));
goto childerr;
}
@@ -977,8 +978,10 @@ int main(int argc, char **argv) {
/* assume fsuid==ruid after this point */
if ((uid_t)setfsuid(uid) != 0) goto childerr;
+ resolved_path = realpath(pwd->pw_dir,NULL);
+ if (! resolved_path) goto childerr;
/* mount homedir and tmpdir, in this order */
- if (homedir_s && seunshare_mount(homedir_s, pwd->pw_dir,
+ if (homedir_s && seunshare_mount(homedir_s, resolved_path,
&st_homedir) != 0) goto childerr;
if (tmpdir_s && seunshare_mount(tmpdir_r, "/tmp",
&st_tmpdir_r) != 0) goto childerr;
@@ -1033,6 +1036,7 @@ int main(int argc, char **argv) {
execv(argv[optind], argv + optind);
fprintf(stderr, _("Failed to execute command %s: %s\n"), argv[optind], strerror(errno));
childerr:
+ free(resolved_path);
free(display);
free(LANG);
exit(-1);
diff --git a/policycoreutils/scripts/Makefile b/policycoreutils/scripts/Makefile
index 201a988..f5d6e9d 100644
--- a/policycoreutils/scripts/Makefile
+++ b/policycoreutils/scripts/Makefile
@@ -9,23 +9,12 @@ LOCALEDIR ?= $(PREFIX)/share/locale
.PHONY: all genhomedircon
all: fixfiles genhomedircon chcat
-genhomedircon:
- @echo "#!/bin/sh" > genhomedircon
- @echo >> genhomedircon
- @if [ -z "${SEMODULE_PATH}" ]; then \
- echo "${USRSBINDIR}/semodule -Bn" >> genhomedircon; \
- else \
- echo "${SEMODULE_PATH}/semodule -Bn" >> genhomedircon; \
- fi
-
install: all
-mkdir -p $(BINDIR)
install -m 755 chcat $(BINDIR)
install -m 755 fixfiles $(SBINDIR)
- install -m 755 genhomedircon $(USRSBINDIR)
-mkdir -p $(MANDIR)/man8
install -m 644 fixfiles.8 $(MANDIR)/man8/
- install -m 644 genhomedircon.8 $(MANDIR)/man8/
install -m 644 chcat.8 $(MANDIR)/man8/
clean:
diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles
index 6901e4d..5acb111 100755
--- a/policycoreutils/scripts/fixfiles
+++ b/policycoreutils/scripts/fixfiles
@@ -3,7 +3,7 @@
#
# Script to restore labels on a SELinux box
#
-# Copyright (C) 2004-2011 Red Hat, Inc.
+# Copyright (C) 2004-2013 Red Hat, Inc.
# Authors: Dan Walsh <dwalsh@redhat.com>
#
# This program is free software; you can redistribute it and/or modify
@@ -26,11 +26,11 @@
# number if the current is less than 2.6.30 and 0 if they are the same.
#
function useseclabel {
- VER=`uname -r`
- SUP=2.6.30
- expr '(' "$VER" : '\([^.]*\)' ')' '-' '(' "$SUP" : '\([^.]*\)' ')' '|' \
- '(' "$VER.0" : '[^.]*[.]\([^.]*\)' ')' '-' '(' "$SUP.0" : '[^.]*[.]\([^.]*\)' ')' '|' \
- '(' "$VER.0.0" : '[^.]*[.][^.]*[.]\([^.]*\)' ')' '-' '(' "$SUP.0.0" : '[^.]*[.][^.]*[.]\([^.]*\)' ')'
+ VER=`uname -r`
+ SUP=2.6.30
+ expr '(' "$VER" : '\([^.]*\)' ')' '-' '(' "$SUP" : '\([^.]*\)' ')' '|' \
+ '(' "$VER.0" : '[^.]*[.]\([^.]*\)' ')' '-' '(' "$SUP.0" : '[^.]*[.]\([^.]*\)' ')' '|' \
+ '(' "$VER.0.0" : '[^.]*[.][^.]*[.]\([^.]*\)' ')' '-' '(' "$SUP.0.0" : '[^.]*[.][^.]*[.]\([^.]*\)' ')'
}
#
@@ -65,7 +65,7 @@ done
}
#
-# Get the default label returned from the kernel for a file with a lable the
+# Get the default label returned from the kernel for a file with a lable the
# kernel does not understand
#
get_undefined_type() {
@@ -78,25 +78,25 @@ get_undefined_type() {
#
get_unlabeled_type() {
SELINUXMNT=`grep selinuxfs /proc/self/mountinfo | head -1 | awk '{ print $5 }'`
- cat $SELINUXMNT/initial_contexts/file | secon -t
+ cat $SELINUXMNT/initial_contexts/file | secon -t
}
exclude_dirs_from_relabelling() {
exclude_from_relabelling=
if [ -e /etc/selinux/fixfiles_exclude_dirs ]
then
- while read i
- do
- # skip blank line and comment
- # skip not absolute path
- # skip not directory
- [ -z "${i}" ] && continue
- [[ "${i}" =~ "^[[:blank:]]*#" ]] && continue
- [[ ! "${i}" =~ ^/.* ]] && continue
- [[ ! -d "${i}" ]] && continue
- exclude_from_relabelling="$exclude_from_relabelling -e $i"
- logit "skipping the directory $i from relabelling"
- done < /etc/selinux/fixfiles_exclude_dirs
+ while read i
+ do
+ # skip blank line and comment
+ # skip not absolute path
+ # skip not directory
+ [ -z "${i}" ] && continue
+ [[ "${i}" =~ "^[[:blank:]]*#" ]] && continue
+ [[ ! "${i}" =~ ^/.* ]] && continue
+ [[ ! -d "${i}" ]] && continue
+ exclude_from_relabelling="$exclude_from_relabelling -e $i"
+ logit "skipping the directory $i from relabelling"
+ done < /etc/selinux/fixfiles_exclude_dirs
fi
echo "$exclude_from_relabelling"
}
@@ -104,7 +104,7 @@ exclude_dirs_from_relabelling() {
exclude_dirs() {
exclude=
for i in /sys /proc /dev /run /mnt /var/tmp /var/lib/BackupPC /home /tmp /dev; do
- [ -e $i ] && exclude="$exclude -e $i";
+ [ -e $i ] && exclude="$exclude -e $i";
done
exclude="$exclude `exclude_dirs_from_relabelling`"
echo "$exclude"
@@ -133,7 +133,7 @@ FILESYSTEMS="$FILESYSTEMSRW $FILESYSTEMSRO"
SELINUXTYPE="targeted"
if [ -e /etc/selinux/config ]; then
. /etc/selinux/config
- FC=/etc/selinux/${SELINUXTYPE}/contexts/files/file_contexts
+ FC=/etc/selinux/${SELINUXTYPE}/contexts/files/file_contexts
else
FC=/etc/security/selinux/file_contexts
fi
@@ -158,7 +158,7 @@ newer() {
}
#
-# Compare PREVious File Context to currently installed File Context and
+# Compare PREVious File Context to currently installed File Context and
# run restorecon on all files affected by the differences.
#
diff_filecontext() {
@@ -172,30 +172,31 @@ if [ -f ${PREFC} -a -x /usr/bin/diff ]; then
grep '^[<>]'|cut -c3-| grep ^/ | \
egrep -v '(^/home|^/root|^/tmp|^/dev)' |\
sed -r -e 's,[[:blank:]].*,,g' \
- -e 's|\(([/[:alnum:]]+)\)\?|{\1,}|g' \
+ -e 's|\(([/[:alnum:]]+)\)\?|{\1,}|g' \
-e 's|([/[:alnum:]])\?|{\1,}|g' \
- -e 's|\?.*|*|g' \
+ -e 's|\?.*|*|g' \
+ -e 's|\{.*|*|g' \
-e 's|\(.*|*|g' \
-e 's|\[.*|*|g' \
- -e 's|\.\*.*|*|g' \
- -e 's|\.\+.*|*|g' | \
+ -e 's|\.\*.*|*|g' \
+ -e 's|\.\+.*|*|g' | \
# These two sorts need to be separate commands \
sort -u | \
sort -d | \
- while read pattern ; \
+ while read pattern ; \
do if ! echo "$pattern" | grep -q -f ${TEMPFILE} 2>/dev/null; then \
- echo "$pattern"; \
- case "$pattern" in *"*") \
- echo "$pattern" | sed -e 's,^,^,' -e 's,\*$,,g' >> ${TEMPFILE};;
- esac; \
- fi; \
- done | \
+ echo "$pattern"; \
+ case "$pattern" in *"*") \
+ echo "$pattern" | sed -e 's,^,^,' -e 's,\*$,,g' >> ${TEMPFILE};;
+ esac; \
+ fi; \
+ done | \
${RESTORECON} ${VERBOSE} -i -f - -R `exclude_dirs`; \
rm -f ${TEMPFILE} ${PREFCTEMPFILE}
fi
}
#
-# Log all Read Only file systems
+# Log all Read Only file systems
#
LogReadOnly() {
if [ ! -z "$FILESYSTEMSRO" ]; then
@@ -209,7 +210,7 @@ rpm -q --qf '[%{FILESTATES} %{FILENAMES}\n]' "$1" | grep '^0 ' | cut -f2- -d ' '
[ ${PIPESTATUS[0]} != 0 ] && echo "$1 not found" >/dev/stderr
}
-#
+#
# restore
# if called with -n will only check file context
#
@@ -241,8 +242,8 @@ then
TEMPFCFILE=`mktemp ${FC}.XXXXXXXXXX`
test -z "$TEMPFCFILE" && exit
/bin/cp -p ${FC} ${TEMPFCFILE} &>/dev/null || exit
- exclude_dirs=${exclude_dirs//-e/}
- for p in ${exclude_dirs}
+ tmpdirs=${tempdirs//-e/}
+ for p in ${tmpdirs}
do
p="${p%/}"
p1="${p}(/.*)? -- <<none>>"
@@ -253,7 +254,7 @@ FC=$TEMPFCFILE
fi
if [ -n "${FILESYSTEMSRW}" ]; then
echo "Relabeling `echo ${FILESYSTEMSRW}`"
- ${SETFILES} ${VERBOSE} -q ${FORCEFLAG} $* ${FC} ${FILESYSTEMSRW} 2>&1 | cat >> $LOGFILE
+ ${SETFILES} ${VERBOSE} $exclude_dirs -q ${FORCEFLAG} $* ${FC} ${FILESYSTEMSRW} 2>&1 | cat >> $LOGFILE
else
echo >&2 "fixfiles: No suitable file systems found"
fi
@@ -278,7 +279,7 @@ fullrelabel() {
relabel() {
if [ ! -z "$RPMFILES" ]; then
- restore
+ restore
fi
if [ $fullFlag == 1 ]; then
@@ -286,13 +287,13 @@ relabel() {
fi
echo -n "
- Files in the /tmp directory may be labeled incorrectly, this command
- can remove all files in /tmp. If you choose to remove files from /tmp,
+ Files in the /tmp directory may be labeled incorrectly, this command
+ can remove all files in /tmp. If you choose to remove files from /tmp,
a reboot will be required after completion.
-
+
Do you wish to clean out the /tmp directory [N]? "
read answer
- if [ "$answer" = y -o "$answer" = Y ]; then
+ if [ "$answer" = y -o "$answer" = Y ]; then
fullrelabel
else
restore
@@ -322,8 +323,8 @@ case "$1" in
esac
}
usage() {
- echo $"""
-Usage: $0 [-F] [-l logfile ] { check | restore| [-f] relabel | verify } [[dir/file] ... ]
+ echo $"""
+Usage: $0 [-F] [-l logfile ] { check | restore| [-f] relabel | verify } [[dir/file] ... ]
or
Usage: $0 [-F] -R rpmpackage[,rpmpackage...] [-l logfile ] { check | restore | verify }
or
@@ -351,13 +352,13 @@ while getopts "N:BC:FfR:l:v" i; do
v)
VERBOSE="-v"
;;
- R)
+ R)
RPMFILES=$OPTARG
;;
- l)
+ l)
LOGFILE=$OPTARG
;;
- C)
+ C)
PREFC=$OPTARG
;;
F)
@@ -397,11 +398,11 @@ else
if [ -z "$1" ]; then
process $command
else
- while [ -n "$1" ]; do
+ while [ -n "$1" ]; do
FILEPATH=$1
- process $command
+ process $command
shift
- done
+ done
fi
fi
exit $?
diff --git a/policycoreutils/scripts/fixfiles.8 b/policycoreutils/scripts/fixfiles.8
index 9ab7334..f263805 100644
--- a/policycoreutils/scripts/fixfiles.8
+++ b/policycoreutils/scripts/fixfiles.8
@@ -30,7 +30,7 @@ as you expect. By default it will relabel all mounted ext2, ext3, xfs and
jfs file systems as long as they do not have a security context mount
option. You can use the -R flag to use rpmpackages as an alternative.
The file /etc/selinux/fixfiles_exclude_dirs can contain a list of directories
-excluded from relabelling.
+excluded from relabeling.
.P
.B fixfiles onboot
will setup the machine to relabel on the next reboot.
@@ -56,7 +56,7 @@ Run a diff on the PREVIOUS_FILECONTEXT file to the currently installed one, and
.TP
.B -v
-Modify verbosity from progess to verbose. (Run restorecon with -v instead of -p)
+Modify verbosity from progress to verbose. (Run restorecon with -v instead of -p)
.SH "ARGUMENTS"
One of:
diff --git a/policycoreutils/scripts/genhomedircon.8 b/policycoreutils/scripts/genhomedircon.8
deleted file mode 100644
index 8ec509c..0000000
--- a/policycoreutils/scripts/genhomedircon.8
+++ /dev/null
@@ -1,24 +0,0 @@
-.TH GENHOMEDIRCON "12" "Sep 2011" "Security Enhanced Linux" "SELinux"
-.SH NAME
-genhomedircon \- generate SELinux file context configuration entries for user home directories
-.SH SYNOPSIS
-.B genhomedircon
-is a script that executes
-.B semodule
-to rebuild the currently active SELinux policy (without reloading it) and to create the
-labels for each user home directory based on directory paths returned by calls to getpwent().
-
-The latter functionality depends on the "usepasswd" parameter being set to "true" (default)
-in /etc/selinux/semanage.conf.
-
-This script is usually executed by
-.B semanage
-although this default behavior can be optionally modified by setting to "true" the
-"disable-genhomedircon" in /etc/selinux/semanage.conf.
-
-.SH AUTHOR
-This manual page was written by
-.I Dan Walsh <dwalsh@redhat.com>
-
-.SH "SEE ALSO"
-semanage.conf(5), semodule(8), semanage(8), getpwent(3), getpwent_r(3)
diff --git a/policycoreutils/secon/secon.1 b/policycoreutils/secon/secon.1
index 6c30734..5e7f885 100644
--- a/policycoreutils/secon/secon.1
+++ b/policycoreutils/secon/secon.1
@@ -96,7 +96,7 @@ If that argument is
.I -
then the context will be read from stdin.
.br
-If there is no arugment,
+If there is no argument,
.B secon
will try reading a context from stdin, if that is not a tty, otherwise
.B secon
diff --git a/policycoreutils/semanage/Makefile b/policycoreutils/semanage/Makefile
index 24d6a21..b797d83 100644
--- a/policycoreutils/semanage/Makefile
+++ b/policycoreutils/semanage/Makefile
@@ -5,7 +5,7 @@ SBINDIR ?= $(PREFIX)/sbin
MANDIR = $(PREFIX)/share/man
PYLIBVER ?= $(shell python -c 'import sys;print "python%d.%d" % sys.version_info[0:2]')
PYTHONLIBDIR ?= $(LIBDIR)/$(PYLIBVER)
-BASHCOMPLETIONDIR ?= $(DESTDIR)/etc/bash_completion.d/
+BASHCOMPLETIONDIR ?= $(DESTDIR)/usr/share/bash-completion/completions
TARGETS=semanage
@@ -21,7 +21,7 @@ install: all
test -d $(PYTHONLIBDIR)/site-packages || install -m 755 -d $(PYTHONLIBDIR)/site-packages
install -m 755 seobject.py $(PYTHONLIBDIR)/site-packages
-mkdir -p $(BASHCOMPLETIONDIR)
- install -m 644 $(BASHCOMPLETIONS) $(BASHCOMPLETIONDIR)
+ install -m 644 $(BASHCOMPLETIONS) $(BASHCOMPLETIONDIR)/semanage
clean:
diff --git a/policycoreutils/semanage/default_encoding/Makefile b/policycoreutils/semanage/default_encoding/Makefile
new file mode 100644
index 0000000..e15a877
--- /dev/null
+++ b/policycoreutils/semanage/default_encoding/Makefile
@@ -0,0 +1,8 @@
+all:
+ LDFLAGS="" python setup.py build
+
+install: all
+ LDFLAGS="" python setup.py install --root=$(DESTDIR)/
+
+clean:
+ rm -rf build *~
diff --git a/policycoreutils/semanage/default_encoding/default_encoding.c b/policycoreutils/semanage/default_encoding/default_encoding.c
new file mode 100644
index 0000000..023b8f4
--- /dev/null
+++ b/policycoreutils/semanage/default_encoding/default_encoding.c
@@ -0,0 +1,57 @@
+/*
+ * Authors:
+ * John Dennis <jdennis@redhat.com>
+ *
+ * Copyright (C) 2009 Red Hat
+ * see file 'COPYING' for use and warranty information
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ */
+
+#include <Python.h>
+
+PyDoc_STRVAR(setdefaultencoding_doc,
+"setdefaultencoding(encoding='utf-8')\n\
+\n\
+Set the current default string encoding used by the Unicode implementation.\n\
+Defaults to utf-8."
+);
+
+static PyObject *
+setdefaultencoding(PyObject *self, PyObject *args, PyObject *kwds)
+{
+ static char *kwlist[] = {"utf-8", NULL};
+ char *encoding;
+
+ if (!PyArg_ParseTupleAndKeywords(args, kwds, "s:setdefaultencoding", kwlist, &encoding))
+ return NULL;
+
+ if (PyUnicode_SetDefaultEncoding(encoding))
+ return NULL;
+
+ Py_RETURN_NONE;
+}
+
+static PyMethodDef methods[] = {
+ {"setdefaultencoding", (PyCFunction)setdefaultencoding, METH_VARARGS|METH_KEYWORDS, setdefaultencoding_doc},
+ {NULL, NULL} /* sentinel */
+};
+
+
+PyMODINIT_FUNC
+initdefault_encoding_utf8(void)
+{
+ PyUnicode_SetDefaultEncoding("utf-8");
+ Py_InitModule3("default_encoding_utf8", methods, "Forces the default encoding to utf-8");
+}
diff --git a/policycoreutils/semanage/default_encoding/policycoreutils/__init__.py b/policycoreutils/semanage/default_encoding/policycoreutils/__init__.py
new file mode 100644
index 0000000..ccb6b8b
--- /dev/null
+++ b/policycoreutils/semanage/default_encoding/policycoreutils/__init__.py
@@ -0,0 +1,17 @@
+#
+# Copyright (C) 2006,2007,2008, 2009 Red Hat, Inc.
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+#
diff --git a/policycoreutils/semanage/default_encoding/setup.py b/policycoreutils/semanage/default_encoding/setup.py
new file mode 100644
index 0000000..e2befdb
--- /dev/null
+++ b/policycoreutils/semanage/default_encoding/setup.py
@@ -0,0 +1,38 @@
+# Authors:
+# John Dennis <jdennis@redhat.com>
+#
+# Copyright (C) 2009 Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+
+from distutils.core import setup, Extension
+
+default_encoding_utf8 = Extension('policycoreutils.default_encoding_utf8', ['default_encoding.c'])
+
+setup(name = 'policycoreutils-default-encoding',
+ version = '0.1',
+ description = 'Forces the default encoding in Python to be utf-8',
+ long_description = 'Forces the default encoding in Python to be utf-8',
+ author = 'John Dennis',
+ author_email = 'jdennis@redhat.com',
+ maintainer = 'John Dennis',
+ maintainer_email = 'jdennis@redhat.com',
+ license = 'GPLv3+',
+ platforms = 'posix',
+ url = '',
+ download_url = '',
+ ext_modules = [default_encoding_utf8],
+ packages=["policycoreutils"],
+)
diff --git a/policycoreutils/semanage/semanage b/policycoreutils/semanage/semanage
index 6e33c85..89b8b24 100644
--- a/policycoreutils/semanage/semanage
+++ b/policycoreutils/semanage/semanage
@@ -20,6 +20,7 @@
# 02111-1307 USA
#
#
+import policycoreutils.default_encoding_utf8
import sys, getopt, re
import seobject
import selinux
@@ -32,7 +33,7 @@ gettext.textdomain(PROGNAME)
try:
gettext.install(PROGNAME,
localedir="/usr/share/locale",
- unicode=False,
+ unicode=True,
codeset = 'utf-8')
except IOError:
import __builtin__
@@ -60,7 +61,7 @@ semanage interface -{a|d|m|l|D|E} [-Nntr] interface_spec
semanage module -{a|d|m} [--enable|--disable] [-N] module
semanage node -{a|d|m|l|D|E} [-Nntr] [ -p protocol ] [-M netmask] addr
semanage fcontext -{a|d|m|l|D|E} [-Nefnrst] file_spec
-semanage boolean -{d|m} [--on|--off|-1|-0] [-N] -F boolean | boolean_file
+semanage boolean -{d|m} {--on|--off|-1|-0} [-N] -F boolean | boolean_file
semanage permissive -{d|a|l} [-Nn] type
semanage dontaudit [ on | off ] [-N]
@@ -444,6 +445,8 @@ Object-specific Options (see above):
if modify:
if object == "boolean":
+ if not value:
+ raise ValueError(_("Value Required [ --on | --off ]"))
OBJECT.modify(target, value, use_file)
return
diff --git a/policycoreutils/semanage/seobject.py b/policycoreutils/semanage/seobject.py
index 85bc37f..f703aed 100644
--- a/policycoreutils/semanage/seobject.py
+++ b/policycoreutils/semanage/seobject.py
@@ -32,11 +32,10 @@ from IPy import IP
import gettext
gettext.bindtextdomain(PROGNAME, "/usr/share/locale")
gettext.textdomain(PROGNAME)
-try:
- gettext.install(PROGNAME, localedir = "/usr/share/locale", unicode = 1)
-except IOError:
- import __builtin__
- __builtin__.__dict__['_'] = unicode
+
+import gettext
+translation=gettext.translation(PROGNAME, localedir = "/usr/share/locale", fallback=True)
+_=translation.ugettext
import syslog
@@ -461,7 +460,9 @@ class loginRecords(semanageRecords):
if rc < 0:
raise ValueError(_("Could not check if login mapping for %s is defined") % name)
if exists:
- raise ValueError(_("Login mapping for %s is already defined") % name)
+ semanage_seuser_key_free(k)
+ return self.__modify(name, sename, serange)
+
if name[0] == '%':
try:
grp.getgrnam(name[1:])
@@ -731,7 +732,8 @@ class seluserRecords(semanageRecords):
if rc < 0:
raise ValueError(_("Could not check if SELinux user %s is defined") % name)
if exists:
- raise ValueError(_("SELinux user %s is already defined") % name)
+ semanage_user_key_free(k)
+ return self.__modify(name, roles, selevel, serange, prefix)
(rc, u) = semanage_user_create(self.sh)
if rc < 0:
@@ -1274,7 +1276,8 @@ class nodeRecords(semanageRecords):
(rc, exists) = semanage_node_exists(self.sh, k)
if exists:
- raise ValueError(_("Addr %s already defined") % addr)
+ semanage_node_key_free(k)
+ return self.__modify(addr, mask, self.protocol[proto], serange, ctype)
(rc, node) = semanage_node_create(self.sh)
if rc < 0:
@@ -1475,7 +1478,8 @@ class interfaceRecords(semanageRecords):
if rc < 0:
raise ValueError(_("Could not check if interface %s is defined") % interface)
if exists:
- raise ValueError(_("Interface %s already defined") % interface)
+ semanage_iface_key_free(k)
+ return self.__modify(interface, serange, ctype)
(rc, iface) = semanage_iface_create(self.sh)
if rc < 0:
@@ -1777,7 +1781,8 @@ class fcontextRecords(semanageRecords):
raise ValueError(_("Could not check if file context for %s is defined") % target)
if exists:
- raise ValueError(_("File context for %s already defined") % target)
+ semanage_fcontext_key_free(k)
+ return self.__modify(target, type, ftype, serange, seuser)
(rc, fcontext) = semanage_fcontext_create(self.sh)
if rc < 0:
@@ -2026,6 +2031,9 @@ class booleanRecords(semanageRecords):
self.modify_local = False
def __mod(self, name, value):
+ if not value:
+ raise ValueError(_("Value Required for %s") % name)
+
name = selinux.selinux_boolean_sub(name)
(rc, k) = semanage_bool_key_create(self.sh, name)
diff --git a/policycoreutils/semodule/Makefile b/policycoreutils/semodule/Makefile
index 4c5243a..036c418 100644
--- a/policycoreutils/semodule/Makefile
+++ b/policycoreutils/semodule/Makefile
@@ -11,7 +11,7 @@ LDLIBS = -lsepol -lselinux -lsemanage -L$(LIBDIR)
SEMODULE_OBJS = semodule.o
.PHONY: all semodule_path
-all: semodule semodule_path
+all: semodule semodule_path genhomedircon
semodule_path:
@echo -n $(SBINDIR) > ../scripts/semodule_path
@@ -19,11 +19,16 @@ semodule_path:
semodule: $(SEMODULE_OBJS)
$(CC) $(LDFLAGS) -o $@ $^ $(LDLIBS)
+genhomedircon:
+ ln -sf semodule genhomedircon
+
install: all
-mkdir -p $(SBINDIR)
install -m 755 semodule $(SBINDIR)
+ (cd $(SBINDIR); ln -sf semodule genhomedircon)
test -d $(MANDIR)/man8 || install -m 755 -d $(MANDIR)/man8
install -m 644 semodule.8 $(MANDIR)/man8/
+ install -m 644 genhomedircon.8 $(MANDIR)/man8/
relabel:
diff --git a/policycoreutils/semodule/genhomedircon.8 b/policycoreutils/semodule/genhomedircon.8
new file mode 100644
index 0000000..8ec509c
--- /dev/null
+++ b/policycoreutils/semodule/genhomedircon.8
@@ -0,0 +1,24 @@
+.TH GENHOMEDIRCON "12" "Sep 2011" "Security Enhanced Linux" "SELinux"
+.SH NAME
+genhomedircon \- generate SELinux file context configuration entries for user home directories
+.SH SYNOPSIS
+.B genhomedircon
+is a script that executes
+.B semodule
+to rebuild the currently active SELinux policy (without reloading it) and to create the
+labels for each user home directory based on directory paths returned by calls to getpwent().
+
+The latter functionality depends on the "usepasswd" parameter being set to "true" (default)
+in /etc/selinux/semanage.conf.
+
+This script is usually executed by
+.B semanage
+although this default behavior can be optionally modified by setting to "true" the
+"disable-genhomedircon" in /etc/selinux/semanage.conf.
+
+.SH AUTHOR
+This manual page was written by
+.I Dan Walsh <dwalsh@redhat.com>
+
+.SH "SEE ALSO"
+semanage.conf(5), semodule(8), semanage(8), getpwent(3), getpwent_r(3)
diff --git a/policycoreutils/semodule/semodule.c b/policycoreutils/semodule/semodule.c
index 17b4fa5..6947b37 100644
--- a/policycoreutils/semodule/semodule.c
+++ b/policycoreutils/semodule/semodule.c
@@ -19,6 +19,7 @@
#include <sys/mman.h>
#include <sys/stat.h>
#include <sys/types.h>
+#include <libgen.h>
#include <semanage/modules.h>
@@ -284,8 +285,12 @@ int main(int argc, char *argv[])
int i, commit = 0;
int result;
int status = EXIT_FAILURE;
-
+ char *genhomedirconargv[] = { "genhomedircon", "-B", "-n" };
create_signal_handlers();
+ if (strcmp(basename(argv[0]), "genhomedircon") == 0) {
+ argc = 3;
+ argv=genhomedirconargv;
+ }
parse_command_line(argc, argv);
if (build)
diff --git a/policycoreutils/semodule_package/semodule_unpackage.8 b/policycoreutils/semodule_package/semodule_unpackage.8
index 62dd53e..d6e1be0 100644
--- a/policycoreutils/semodule_package/semodule_unpackage.8
+++ b/policycoreutils/semodule_package/semodule_unpackage.8
@@ -1,6 +1,6 @@
.TH SEMODULE_PACKAGE "8" "Nov 2005" "Security Enhanced Linux" NSA
.SH NAME
-semodule_unpackage \- Extract polciy module and file context file from an SELinux policy module unpackage.
+semodule_unpackage \- Extract policy module and file context file from an SELinux policy module unpackage.
.SH SYNOPSIS
.B semodule_unpackage <module> [<file contexts>]
diff --git a/policycoreutils/sepolicy/Makefile b/policycoreutils/sepolicy/Makefile
index 11b534f..ae064c4 100644
--- a/policycoreutils/sepolicy/Makefile
+++ b/policycoreutils/sepolicy/Makefile
@@ -7,7 +7,7 @@ SBINDIR ?= $(PREFIX)/sbin
MANDIR ?= $(PREFIX)/share/man
LOCALEDIR ?= /usr/share/locale
PYTHON ?= /usr/bin/python
-BASHCOMPLETIONDIR ?= $(DESTDIR)/etc/bash_completion.d/
+BASHCOMPLETIONDIR ?= $(DESTDIR)/usr/share/bash-completion/completions
SHAREDIR ?= $(PREFIX)/share/sandbox
override CFLAGS = $(LDFLAGS) -I$(PREFIX)/include -DPACKAGE="policycoreutils" -Wall -Werror -Wextra -W -DSHARED -shared
@@ -22,11 +22,15 @@ clean:
$(PYTHON) setup.py clean
-rm -rf build *~ \#* *pyc .#*
+sepolgen:
+ ln -sf sepolicy sepolgen
+
install:
$(PYTHON) setup.py install `test -n "$(DESTDIR)" && echo --root $(DESTDIR)`
[ -d $(BINDIR) ] || mkdir -p $(BINDIR)
install -m 755 sepolicy.py $(BINDIR)/sepolicy
+ (cd $(BINDIR); ln -sf sepolicy sepolgen)
-mkdir -p $(MANDIR)/man8
install -m 644 *.8 $(MANDIR)/man8
-mkdir -p $(BASHCOMPLETIONDIR)
- install -m 644 $(BASHCOMPLETIONS) $(BASHCOMPLETIONDIR)
+ install -m 644 $(BASHCOMPLETIONS) $(BASHCOMPLETIONDIR)/sepolicy
diff --git a/policycoreutils/sepolicy/policy.c b/policycoreutils/sepolicy/policy.c
index 4eca22d..eeee0ab 100644
--- a/policycoreutils/sepolicy/policy.c
+++ b/policycoreutils/sepolicy/policy.c
@@ -66,7 +66,6 @@ PyObject *wrap_policy(PyObject *UNUSED(self), PyObject *args){
}
apol_vector_destroy(&mod_paths);
- policy_load_options |= QPOL_POLICY_OPTION_MATCH_SYSTEM;
policy = apol_policy_create_from_policy_path(pol_path, policy_load_options, NULL, NULL);
apol_policy_path_destroy(&pol_path);
if (!policy) {
diff --git a/policycoreutils/sepolicy/sepolgen.8 b/policycoreutils/sepolicy/sepolgen.8
new file mode 100644
index 0000000..3ecf3eb
--- /dev/null
+++ b/policycoreutils/sepolicy/sepolgen.8
@@ -0,0 +1 @@
+.so man8/sepolicy-generate.8
diff --git a/policycoreutils/sepolicy/sepolicy-bash-completion.sh b/policycoreutils/sepolicy/sepolicy-bash-completion.sh
index 82fea52..29f9428 100644
--- a/policycoreutils/sepolicy/sepolicy-bash-completion.sh
+++ b/policycoreutils/sepolicy/sepolicy-bash-completion.sh
@@ -81,7 +81,7 @@ _sepolicy () {
[communicate]='-h --help -s --source -t --target -c --class -S --sourceaccess -T --targetaccess'
[generate]='-a --admin --admin_user --application --cgi --confined_admin --customize -d --domain --dbus --desktop_user -h --help --inetd --init -n --name --newtype -p --path --sandbox -T --test --term_user -u --user -w --writepath --x_user'
[interface]='-h --help -a --list_admin" -u --list_user -l --list'
- [manpage]='-h --help -p --path -a -all -o --os -d --domain -w --web'
+ [manpage]='-h --help -p --path -a -all -o --os -d --domain -w --web -r --root'
[network]='-h --help -d --domain -l --list -p --port -t --type '
[transition]='-h --help -s --source -t --target'
)
@@ -156,6 +156,10 @@ _sepolicy () {
if [ "$prev" = "-d" -o "$prev" = "--domain" ]; then
COMPREPLY=( $(compgen -W "$( __get_all_domains ) " -- "$cur") )
return 0
+ elif test "$prev" = "-r" || test "$prev" = "--root" ; then
+ COMPREPLY=( $( compgen -d -- "$cur") )
+ compopt -o filenames
+ return 0
elif [ "$prev" = "-o" -o "$prev" = "--os" ]; then
return 0
elif test "$prev" = "-p" || test "$prev" = "--path" ; then
diff --git a/policycoreutils/sepolicy/sepolicy-generate.8 b/policycoreutils/sepolicy/sepolicy-generate.8
index fb84af6..c2fa601 100644
--- a/policycoreutils/sepolicy/sepolicy-generate.8
+++ b/policycoreutils/sepolicy/sepolicy-generate.8
@@ -8,12 +8,18 @@ sepolicy-generate \- Generate an initial SELinux policy module template.
.B sepolicy generate [\-h] [\-d DOMAIN] [\-u USER] [\-w WRITE_PATH ] [\-a ADMIN_DOMAIN] [\-n NAME] [\-p PATH] [\-\-admin_user | \-\-application | \-\-cgi | \-\-confined_admin | \-\-customize | \-\-dbus | \-\-desktop_user | \-\-inetd | \-\-newtype | \-\-init | \-\-sandbox | \-\-term_user | \-\-x_user]
.SH "DESCRIPTION"
-Use sepolicy generate to generate an SELinux policy Module. sepolicy generate will generate 4 files.
+Use \fBsepolicy generate\fP to generate an SELinux policy Module. \fBsepolicy generate\fP will create 5 files.
+
+If you specify a binary path, \fBsepolicy generate\fP will use the rpm payload of the binary along with \fBnm -D BINARY\fP to discover types and policy rules to generate these template files.
+
.B Type Enforcing File NAME.te
.br
This file can be used to define all the types rules for a particular domain.
+.I Note:
+Policy generated by \fBsepolicy generate\fP will automatically add a permissive DOMAIN to your te file. When you are satisfied that your policy works, you need to remove the permissive line from the te file to run your domain in enforcing mode.
+
.B Interface File NAME.if
.br
This file defines the interfaces for the types generated in the te file, which can be used by other policy domains.
@@ -25,7 +31,7 @@ file paths to the types. Tools like restorecon and RPM will use these paths to
.B RPM Spec File NAME_selinux.spec
.br
-This file is an RPM SPEC file that can be used to install the SELinux policy on to machines and setup the labeling. The spec file also installs the interface file and a man page describing the policy. You can use sepolicy manpage -d NAME to generate the man page.
+This file is an RPM SPEC file that can be used to install the SELinux policy on to machines and setup the labeling. The spec file also installs the interface file and a man page describing the policy. You can use \fBsepolicy manpage -d NAME\fP to generate the man page.
.B Shell File NAME.sh
.br
diff --git a/policycoreutils/sepolicy/sepolicy-manpage.8 b/policycoreutils/sepolicy/sepolicy-manpage.8
index b6abdf5..c05c943 100644
--- a/policycoreutils/sepolicy/sepolicy-manpage.8
+++ b/policycoreutils/sepolicy/sepolicy-manpage.8
@@ -5,7 +5,7 @@ sepolicy-manpage \- Generate a man page based on the installed SELinux Policy
.SH "SYNOPSIS"
.br
-.B sepolicy manpage [\-w] [\-h] [\-p PATH ] [\-a | \-d ]
+.B sepolicy manpage [\-w] [\-h] [\-p PATH ] [\-r ROOTDIR ] [\-a | \-d ]
.SH "DESCRIPTION"
Use sepolicy manpage to generate manpages based on SELinux Policy.
@@ -24,6 +24,9 @@ Display help message
.I \-p, \-\-path
Specify the directory to store the created man pages. (Default to /tmp)
.TP
+.I \-r, \-\-root
+Specify alternate root directory to generate man pages from. (Default to /)
+.TP
.I \-w, \-\-web
Generate an additional HTML man pages for the specified domain(s).
diff --git a/policycoreutils/sepolicy/sepolicy.py b/policycoreutils/sepolicy/sepolicy.py
index b25d3b2..6e71f00 100755
--- a/policycoreutils/sepolicy/sepolicy.py
+++ b/policycoreutils/sepolicy/sepolicy.py
@@ -22,6 +22,8 @@
#
#
import os, sys
+import selinux
+import sepolicy
from sepolicy import get_os_version
import argparse
import gettext
@@ -45,7 +47,7 @@ class CheckPath(argparse.Action):
class CheckType(argparse.Action):
def __call__(self, parser, namespace, values, option_string=None):
- from sepolicy.network import domains
+ domains = sepolicy.get_all_domains()
if isinstance(values,str):
setattr(namespace, self.dest, values)
@@ -58,9 +60,30 @@ class CheckType(argparse.Action):
newval.append(v)
setattr(namespace, self.dest, newval)
+class CheckBoolean(argparse.Action):
+ def __call__(self, parser, namespace, values, option_string=None):
+ booleans = sepolicy.get_all_booleans()
+ newval = getattr(namespace, self.dest)
+ if not newval:
+ newval = []
+
+ if isinstance(values,str):
+ v = selinux.selinux_boolean_sub(values)
+ if v not in booleans:
+ raise ValueError("%s must be an SELinux process domain:\nValid domains: %s" % (v, ", ".join(booleans)))
+ newval.append(v)
+ setattr(namespace, self.dest, newval)
+ else:
+ for value in values:
+ v = selinux.selinux_boolean_sub(value)
+ if v not in booleans:
+ raise ValueError("%s must be an SELinux boolean:\nValid boolean: %s" % (v, ", ".join(booleans)))
+ newval.append(v)
+ setattr(namespace, self.dest, newval)
+
class CheckDomain(argparse.Action):
def __call__(self, parser, namespace, values, option_string=None):
- from sepolicy.network import domains
+ domains = sepolicy.get_all_domains()
if isinstance(values,str):
if values not in domains:
@@ -80,7 +103,6 @@ class CheckDomain(argparse.Action):
all_classes = None
class CheckClass(argparse.Action):
def __call__(self, parser, namespace, values, option_string=None):
- import sepolicy
global all_classes
if not all_classes:
all_classes = map(lambda x: x['name'], sepolicy.info(sepolicy.TCLASS))
@@ -114,7 +136,7 @@ class CheckPort(argparse.Action):
class CheckPortType(argparse.Action):
def __call__(self, parser, namespace, values, option_string=None):
- from sepolicy.network import port_types
+ port_types = sepolicy.get_all_port_types()
newval = getattr(namespace, self.dest)
if not newval:
newval = []
@@ -140,19 +162,18 @@ class CheckPolicyType(argparse.Action):
class CheckUser(argparse.Action):
def __call__(self, parser, namespace, value, option_string=None):
- from sepolicy import get_all_users
newval = getattr(namespace, self.dest)
if not newval:
newval = []
- users = get_all_users()
+ users = sepolicy.get_all_users()
if value not in users:
raise ValueError("%s must be an SELinux user:\nValid users: %s" % (value, ", ".join(users)))
newval.append(value)
setattr(namespace, self.dest, newval)
def _print_net(src, protocol, perm):
- from sepolicy.network import get_network_connect
- portdict = get_network_connect(src, protocol, perm)
+ import sepolicy.network
+ portdict = sepolicy.network.get_network_connect(src, protocol, perm)
if len(portdict) > 0:
print "%s: %s %s" % (src, protocol, perm)
for p in portdict:
@@ -160,7 +181,7 @@ def _print_net(src, protocol, perm):
print "\t" + recs
def network(args):
- from sepolicy.network import portrecsbynum, portrecs, get_network_connect
+ portrecs, portrecsbynum = sepolicy.gen_port_dict()
if args.list_ports:
all_ports = []
for i in portrecs:
@@ -201,41 +222,41 @@ def manpage(args):
from sepolicy.manpage import ManPage, HTMLManPages, manpage_domains, manpage_roles, gen_domains
path = args.path
- if args.policy:
- for f in ( "policy.xml", "file_context", "file_context.homedirs"):
- if not os.path.exists(path + f):
- raise ValueError("manpage creation with alternate policy requires the %s file exist" % (path + f))
-
+ if not args.policy and args.root != "/":
+ sepolicy.policy(sepolicy.get_installed_policy(args.root))
+
if args.all:
test_domains = gen_domains()
else:
test_domains = args.domain
for domain in test_domains:
- m = ManPage(domain, path, args.web)
+ m = ManPage(domain, path, args.root, args.web)
print m.get_man_page_path()
if args.web:
HTMLManPages(manpage_roles, manpage_domains, path, args.os)
def gen_manpage_args(parser):
- man = parser.add_parser("manpage",
- help=_('Generate SELinux man pages'))
-
- man.add_argument("-p", "--path", dest="path", default="/tmp",
- help=_("path in which the generated SELinux man pages will be stored"))
- man.add_argument("-o", "--os", dest="os", default=get_os_version(),
- help=_("name of the OS for man pages"))
- man.add_argument("-w", "--web", dest="web", default=False, action="store_true",
- help=_("Generate HTML man pages structure for selected SELinux man page"))
- group = man.add_mutually_exclusive_group(required=True)
- group.add_argument("-a", "--all", dest="all", default=False,
- action="store_true",
- help=_("All domains"))
- group.add_argument("-d", "--domain", nargs="+",
- action=CheckDomain,
- help=_("Domain name(s) of man pages to be created"))
- man.set_defaults(func=manpage)
+ man = parser.add_parser("manpage",
+ help=_('Generate SELinux man pages'))
+
+ man.add_argument("-p", "--path", dest="path", default="/tmp",
+ help=_("path in which the generated SELinux man pages will be stored"))
+ man.add_argument("-o", "--os", dest="os", default=get_os_version(),
+ help=_("name of the OS for man pages"))
+ man.add_argument("-w", "--web", dest="web", default=False, action="store_true",
+ help=_("Generate HTML man pages structure for selected SELinux man page"))
+ man.add_argument("-r", "--root", dest="root", default="/",
+ help=_("Alternate root directory, defaults to /"))
+ group = man.add_mutually_exclusive_group(required=True)
+ group.add_argument("-a", "--all", dest="all", default=False,
+ action="store_true",
+ help=_("All domains"))
+ group.add_argument("-d", "--domain", nargs="+",
+ action=CheckDomain,
+ help=_("Domain name(s) of man pages to be created"))
+ man.set_defaults(func=manpage)
def gen_network_args(parser):
net = parser.add_parser("network",
@@ -283,7 +304,6 @@ def gen_communicate_args(parser):
comm.set_defaults(func=communicate)
def booleans(args):
- import selinux
from sepolicy import boolean_desc
if args.all:
rc, args.booleans = selinux.security_get_boolean_names()
@@ -300,6 +320,7 @@ def gen_booleans_args(parser):
action="store_true",
help=_("get all booleans descriptions"))
group.add_argument("-b", "--boolean", dest="booleans", nargs="+",
+ action=CheckBoolean, required=False,
help=_("boolean to get description"))
bools.set_defaults(func=booleans)
@@ -320,7 +341,7 @@ def gen_transition_args(parser):
trans.set_defaults(func=transition)
def interface(args):
- from sepolicy.interface import get_admin, get, get_user
+ from sepolicy.interface import get_admin, get_user
if args.list_admin:
for a in get_admin():
print a
@@ -328,7 +349,7 @@ def interface(args):
for a in get_user():
print a
if args.list:
- for m in get():
+ for m in sepolicy.get_methods():
print m
def generate(args):
@@ -368,10 +389,10 @@ def gen_interface_args(parser):
help=_('List SELinux Policy interfaces'))
group = itf.add_mutually_exclusive_group(required=True)
group.add_argument("-a", "--list_admin", dest="list_admin",action="store_true", default=False,
- help="List all domains with admin interface")
+ help="List all domains with admin interface - DOMAIN_admin()")
group.add_argument("-u", "--list_user", dest="list_user",action="store_true",
default=False,
- help="List all domains with SELinux user role interface")
+ help="List all domains with SELinux user role interface - DOMAIN_role()")
group.add_argument("-l", "--list", dest="list",action="store_true",
default=False,
help="List all interfaces")
@@ -461,7 +482,10 @@ if __name__ == '__main__':
gen_transition_args(subparsers)
try:
- args = parser.parse_args()
+ if os.path.basename(sys.argv[0]) == "sepolgen":
+ args = parser.parse_args([ "generate" ] + sys.argv[1:])
+ else:
+ args = parser.parse_args()
args.func(args)
sys.exit(0)
except ValueError,e:
diff --git a/policycoreutils/sepolicy/sepolicy/__init__.py b/policycoreutils/sepolicy/sepolicy/__init__.py
index 5e7415c..5267ed9 100644
--- a/policycoreutils/sepolicy/sepolicy/__init__.py
+++ b/policycoreutils/sepolicy/sepolicy/__init__.py
@@ -7,6 +7,9 @@ import _policy
import selinux, glob
PROGNAME="policycoreutils"
import gettext
+import sepolgen.defaults as defaults
+import sepolgen.interfaces as interfaces
+import sys
gettext.bindtextdomain(PROGNAME, "/usr/share/locale")
gettext.textdomain(PROGNAME)
try:
@@ -37,9 +40,30 @@ CLASS = 'class'
TRANSITION = 'transition'
ROLE_ALLOW = 'role_allow'
-def __get_installed_policy():
+def info(setype, name=None):
+ dict_list = _policy.info(setype, name)
+ return dict_list
+
+def search(types, info = {} ):
+ valid_types = [ALLOW, AUDITALLOW, NEVERALLOW, DONTAUDIT, TRANSITION, ROLE_ALLOW]
+ for type in types:
+ if type not in valid_types:
+ raise ValueError("Type has to be in %s" % valid_types)
+ info[type] = True
+
+ perms = []
+ if PERMS in info:
+ perms = info[PERMS]
+ info[PERMS] = ",".join(info[PERMS])
+
+ dict_list = _policy.search(info)
+ if dict_list and len(perms) != 0:
+ dict_list = filter(lambda x: _dict_has_perms(x, perms), dict_list)
+ return dict_list
+
+def get_installed_policy(root = "/"):
try:
- path = selinux.selinux_binary_policy_path()
+ path = root + selinux.selinux_binary_policy_path()
policies = glob.glob ("%s.*" % path )
policies.sort()
return policies[-1]
@@ -47,6 +71,26 @@ def __get_installed_policy():
pass
raise ValueError(_("No SELinux Policy installed"))
+methods = []
+def get_methods():
+ global methods
+ if len(methods) > 0:
+ return methods
+ fn = defaults.interface_info()
+ try:
+ fd = open(fn)
+ # List of per_role_template interfaces
+ ifs = interfaces.InterfaceSet()
+ ifs.from_file(fd)
+ methods = ifs.interfaces.keys()
+ fd.close()
+ except:
+ sys.stderr.write("could not open interface info [%s]\n" % fn)
+ sys.exit(1)
+
+ methods.sort()
+ return methods
+
all_types = None
def get_all_types():
global all_types
@@ -54,6 +98,13 @@ def get_all_types():
all_types = map(lambda x: x['name'], info(TYPE))
return all_types
+user_types = None
+def get_user_types():
+ global user_types
+ if user_types == None:
+ user_types = info(ATTRIBUTE,"userdomain")[0]["types"]
+ return user_types
+
role_allows = None
def get_all_role_allows():
global role_allows
@@ -71,6 +122,7 @@ def get_all_role_allows():
return role_allows
def get_all_entrypoint_domains():
+ import re
all_domains = []
types=get_all_types()
types.sort()
@@ -81,11 +133,35 @@ def get_all_entrypoint_domains():
all_domains.append(m[0])
return all_domains
+portrecs = None
+portrecsbynum = None
+
+def gen_port_dict():
+ global portrecs
+ global portrecsbynum
+ if portrecs:
+ return ( portrecs, portrecsbynum )
+ portrecsbynum = {}
+ portrecs = {}
+ for i in info(PORT):
+ if i['low'] == i['high']:
+ port = str(i['low'])
+ else:
+ port = "%s-%s" % (str(i['low']), str(i['high']))
+
+ if (i['type'], i['protocol']) in portrecs:
+ portrecs [(i['type'], i['protocol'])].append(port)
+ else:
+ portrecs [(i['type'], i['protocol'])] = [port]
+
+ portrecsbynum[(i['low'], i['high'],i['protocol'])] = (i['type'], i['range'])
+ return ( portrecs, portrecsbynum )
+
all_domains = None
def get_all_domains():
global all_domains
if not all_domains:
- all_domains = info(ATTRIBUTE,"domain")[0]["types"]
+ all_domains = info(ATTRIBUTE,"domain")[0]["types"]
return all_domains
roles = None
@@ -139,48 +215,48 @@ def get_all_attributes():
return all_attributes
def policy(policy_file):
+ global all_domains
+ global all_attributes
+ global bools
+ global all_types
+ global role_allows
+ global users
+ global roles
+ global file_types
+ global port_types
+ all_domains = None
+ all_attributes = None
+ bools = None
+ all_types = None
+ role_allows = None
+ users = None
+ roles = None
+ file_types = None
+ port_types = None
try:
_policy.policy(policy_file)
except:
raise ValueError(_("Failed to read %s policy file") % policy_file)
-
-policy_file = selinux.selinux_current_policy_path()
-if not policy_file:
- policy_file = __get_installed_policy()
-
try:
+ policy_file = get_installed_policy()
policy(policy_file)
except ValueError, e:
if selinux.is_selinux_enabled() == 1:
raise e
-def search(types, info = {} ):
- valid_types = [ALLOW, AUDITALLOW, NEVERALLOW, DONTAUDIT, TRANSITION, ROLE_ALLOW]
- for type in types:
- if type not in valid_types:
- raise ValueError("Type has to be in %s" % valid_types)
- info[type] = True
-
- perms = []
- if PERMS in info:
- perms = info[PERMS]
- info[PERMS] = ",".join(info[PERMS])
-
- dict_list = _policy.search(info)
- if dict_list and len(perms) != 0:
- dict_list = filter(lambda x: _dict_has_perms(x, perms), dict_list)
- return dict_list
-
def _dict_has_perms(dict, perms):
for perm in perms:
if perm not in dict[PERMS]:
return False
return True
-def info(setype, name=None):
- dict_list = _policy.info(setype, name)
- return dict_list
+booleans = None
+def get_all_booleans():
+ global booleans
+ if not booleans:
+ booleans = selinux.security_get_boolean_names()[1]
+ return booleans
booleans_dict = None
def gen_bool_dict(path="/usr/share/selinux/devel/policy.xml"):
diff --git a/policycoreutils/sepolicy/sepolicy/generate.py b/policycoreutils/sepolicy/sepolicy/generate.py
index 26f8390..898ec43 100644
--- a/policycoreutils/sepolicy/sepolicy/generate.py
+++ b/policycoreutils/sepolicy/sepolicy/generate.py
@@ -63,20 +63,6 @@ except IOError:
import __builtin__
__builtin__.__dict__['_'] = unicode
-user_types = sepolicy.info(sepolicy.ATTRIBUTE,"userdomain")[0]["types"]
-methods = []
-fn = defaults.interface_info()
-try:
- fd = open(fn)
- # List of per_role_template interfaces
- ifs = interfaces.InterfaceSet()
- ifs.from_file(fd)
- methods = ifs.interfaces.keys()
- fd.close()
-except:
- sys.stderr.write("could not open interface info [%s]\n" % fn)
- sys.exit(1)
-
def get_rpm_nvr_from_header(hdr):
'Given an RPM header return the package NVR as a string'
name = hdr['name']
@@ -587,7 +573,7 @@ class policy:
def generate_network_action(self, protocol, action, port_name):
line = ""
method = "corenet_%s_%s_%s" % (protocol, action, port_name)
- if method in methods:
+ if method in sepolicy.get_methods():
line = "%s(%s_t)\n" % (method, self.name)
else:
line = """
@@ -1037,7 +1023,8 @@ allow %s_t %s_t:%s_socket name_%s;
########################################
#
# %s local policy
-#""" % self.name
+#
+""" % self.name
newte += self.generate_capabilities()
newte += self.generate_process()
newte += self.generate_network_types()
diff --git a/policycoreutils/sepolicy/sepolicy/interface.py b/policycoreutils/sepolicy/sepolicy/interface.py
index 8b063ca..c9036c3 100644
--- a/policycoreutils/sepolicy/sepolicy/interface.py
+++ b/policycoreutils/sepolicy/sepolicy/interface.py
@@ -22,14 +22,12 @@
#
#
import re
-
-import sepolgen.interfaces as interfaces
-import sepolgen.defaults as defaults
+import sepolicy
ADMIN_TRANSITION_INTERFACE = "_admin$"
USER_TRANSITION_INTERFACE = "_role$"
-from sepolicy.generate import get_all_types
+import selinux
-__all__ = [ 'get', 'get_admin', 'get_user' ]
+__all__ = [ 'get_admin', 'get_user' ]
##
## I18N
@@ -48,24 +46,10 @@ except IOError:
import __builtin__
__builtin__.__dict__['_'] = unicode
-def get():
- """ Get all Methods """
- fn = defaults.interface_info()
- try:
- fd = open(fn)
- ifs = interfaces.InterfaceSet()
- ifs.from_file(fd)
- methods = ifs.interfaces.keys()
- fd.close()
- except:
- raise ValueError(_("could not open interface info [%s]\n") % fn)
-
- return methods
-
def get_admin():
""" Get all domains with an admin interface"""
admin_list = []
- for i in get():
+ for i in sepolicy.get_methods():
if i.endswith("_admin"):
admin_list.append(i.split("_admin")[0])
return admin_list
@@ -73,9 +57,9 @@ def get_admin():
def get_user():
""" Get all domains with SELinux user role interface"""
trans_list = []
- for i in get():
+ for i in sepolicy.get_methods():
m = re.findall("(.*)%s" % USER_TRANSITION_INTERFACE, i)
if len(m) > 0:
- if "%s_exec_t" % m[0] in get_all_types():
+ if "%s_exec_t" % m[0] in sepolicy.get_all_types():
trans_list.append(m[0])
return trans_list
diff --git a/policycoreutils/sepolicy/sepolicy/manpage.py b/policycoreutils/sepolicy/sepolicy/manpage.py
index 25062da..f184b0c 100755
--- a/policycoreutils/sepolicy/sepolicy/manpage.py
+++ b/policycoreutils/sepolicy/sepolicy/manpage.py
@@ -28,12 +28,12 @@ import string
import argparse
import selinux
import sepolicy
-from sepolicy import network, gen_bool_dict, get_all_file_types, get_all_domains, get_all_roles, get_all_users, get_all_port_types, get_all_bools, get_all_attributes, get_all_role_allows
+from sepolicy import *
import commands
import sys, os, re, time
-equiv_dict={ "smbd" : [ "samba" ], "httpd" : [ "apache" ], "virtd" : [ "virt", "libvirt" ], "named" : [ "bind" ], "fsdaemon" : [ "smartmon" ], "mdadm" : [ "raid" ] }
+equiv_dict={ "smbd" : [ "samba" ], "httpd" : [ "apache" ], "virtd" : [ "virt", "libvirt", "svirt", "svirt_tcg", "svirt_lxc_t", "svirt_lxc_net_t" ], "named" : [ "bind" ], "fsdaemon" : [ "smartmon" ], "mdadm" : [ "raid" ] }
equiv_dirs=[ "/var" ]
modules_dict = None
@@ -184,14 +184,12 @@ def get_alphabet_manpages(manpage_list):
return alphabet_manpages
def convert_manpage_to_html(html_manpage,manpage):
- fd = open(html_manpage,'w')
- rc, output = commands.getstatusoutput("man2html -r %s" % manpage)
+ rc, output = commands.getstatusoutput("/usr/bin/groff -man -Thtml %s 2>/dev/null" % manpage)
if rc == 0:
+ print html_manpage, " has been created"
+ fd = open(html_manpage,'w')
fd.write(output)
- else:
- fd.write("Man page does not exist")
-
- fd.close()
+ fd.close()
class HTMLManPages:
"""
@@ -416,40 +414,33 @@ class ManPage:
"""
Generate a Manpage on an SELinux domain in the specified path
"""
- all_attributes = get_all_attributes()
- all_domains = get_all_domains()
- all_bools = get_all_bools()
- all_port_types = get_all_port_types()
- all_roles = get_all_roles()
- all_users = get_all_users_info()[0]
- all_users_range = get_all_users_info()[1]
- all_file_types = get_all_file_types()
- types = _gen_types()
modules_dict = None
- domains = gen_domains()
- role_allows = get_all_role_allows()
enabled_str = ["Disabled", "Enabled"]
- def __init__(self, domainname, path = "/tmp", html = False):
+ def __init__(self, domainname, path = "/tmp", root="/", html = False):
self.html = html
- self.portrecs = network.portrecs
-
- fcpath = path + "/file_contexts"
- if os.path.exists(fcpath):
- self.fcpath = fcpath
- else:
- self.fcpath = selinux.selinux_file_context_path()
+ self.root = root
+ self.portrecs = gen_port_dict()[0]
+ self.domains = gen_domains()
+ self.all_domains = get_all_domains()
+ self.all_attributes = get_all_attributes()
+ self.all_bools = get_all_bools()
+ self.all_port_types = get_all_port_types()
+ self.all_roles = get_all_roles()
+ self.all_users = get_all_users_info()[0]
+ self.all_users_range = get_all_users_info()[1]
+ self.all_file_types = get_all_file_types()
+ self.role_allows = get_all_role_allows()
+ self.types = _gen_types()
+
+ self.fcpath = self.root + selinux.selinux_file_context_path()
self.fcdict = _gen_fcdict(self.fcpath)
if not os.path.exists(path):
os.makedirs(path)
- self.path = path
- xmlpath = path + "/policy.xml"
- if os.path.exists(xmlpath):
- self.xmlpath = xmlpath
- else:
- self.xmlpath = "/usr/share/selinux/devel/policy.xml"
+ self.path = path
+ self.xmlpath = self.root + "/usr/share/selinux/devel/policy.xml"
self.booleans_dict = gen_bool_dict(self.xmlpath)
if domainname.endswith("_t"):
@@ -459,7 +450,10 @@ class ManPage:
if self.domainname + "_t" not in self.all_domains:
raise ValueError("domain %s_t does not exist" % self.domainname)
- self.short_name = self.domainname
+ if self.domainname[-1]=='d':
+ self.short_name = self.domainname[:-1] + "_"
+ else:
+ self.short_name = self.domainname + "_"
self.type = self.domainname + "_t"
self._gen_bools()
@@ -483,16 +477,23 @@ class ManPage:
def _gen_bools(self):
self.bools=[]
self.domainbools=[]
- for i in map(lambda x: x['boolean'], filter(lambda x: 'boolean' in x, sepolicy.search([sepolicy.ALLOW],{'source' : self.type }))):
- for b in i:
- if not isinstance(b,tuple):
- continue
- if b[0].startswith(self.short_name):
- if b not in self.domainbools and (b[0], not b[1]) not in self.domainbools:
- self.domainbools.append(b)
- else:
- if b not in self.bools and (b[0], not b[1]) not in self.bools:
- self.bools.append(b)
+ types = [self.type]
+ if self.domainname in equiv_dict:
+ for t in equiv_dict[self.domainname]:
+ if t + "_t" in self.all_domains:
+ types.append(t+"_t")
+
+ for t in types:
+ for i in map(lambda x: x['boolean'], filter(lambda x: 'boolean' in x, sepolicy.search([sepolicy.ALLOW],{'source' : t }))):
+ for b in i:
+ if not isinstance(b,tuple):
+ continue
+ if b[0].startswith(self.short_name) or b[0].startswith(self.domainname):
+ if b not in self.domainbools and (b[0], not b[1]) not in self.domainbools:
+ self.domainbools.append(b)
+ else:
+ if b not in self.bools and (b[0], not b[1]) not in self.bools:
+ self.bools.append(b)
self.bools.sort()
self.domainbools.sort()
@@ -538,9 +539,6 @@ class ManPage:
print path
def __gen_man_page(self):
- if self.domainname[-1]=='d':
- self.short_name = self.domainname[:-1]
-
self.anon_list = []
self.attributes = {}
@@ -563,19 +561,8 @@ class ManPage:
def _get_ptypes(self):
for f in self.all_domains:
- if f.startswith(self.short_name):
- self.ptypes.append(f)
-
- def __whoami(self):
- import pwd
- fd = open("/proc/self/loginuid", "r")
- uid = int(fd.read())
- fd.close()
- pw = pwd.getpwuid(uid)
- if len(pw.pw_gecos) > 0:
- return pw.pw_gecos
- else:
- return pw.pw_name
+ if f.startswith(self.short_name) or f.startswith(self.domainname):
+ self.ptypes.append(f)
def _header(self):
self.fd.write('.TH "%(domainname)s_selinux" "8" "%(date)s" "%(domainname)s" "SELinux Policy documentation for %(domainname)s"'
@@ -774,7 +761,7 @@ can be used to make the process type %(domainname)s_t permissive. SELinux does n
def _port_types(self):
self.ports = []
for f in self.all_port_types:
- if f.startswith(self.short_name):
+ if f.startswith(self.short_name) or f.startswith(self.domainname):
self.ports.append(f)
if len(self.ports) == 0:
@@ -923,13 +910,12 @@ to apply the labels.
def _see_also(self):
ret = ""
- prefix = self.short_name.split("_")[0]
for d in self.domains:
if d == self.domainname:
continue
- if d.startswith(prefix):
+ if d.startswith(self.short_name):
ret += ", %s_selinux(8)" % d
- if self.domainname.startswith(d):
+ if d.startswith(self.domainname + "_"):
ret += ", %s_selinux(8)" % d
self.fd.write(ret)
@@ -947,13 +933,14 @@ semanage fcontext -a -t public_content_t "/var/%(domainname)s(/.*)?"
.B restorecon -F -R -v /var/%(domainname)s
.pp
.TP
-Allow %(domainname)s servers to read and write /var/tmp/incoming by adding the public_content_rw_t type to the directory and by restoring the file type. This also requires the allow_%(domainname)sd_anon_write boolean to be set.
+Allow %(domainname)s servers to read and write /var/%(domainname)s/incoming by adding the public_content_rw_t type to the directory and by restoring the file type. You also need to turn on the %(domainname)s_anon_write boolean.
.PP
.B
semanage fcontext -a -t public_content_rw_t "/var/%(domainname)s/incoming(/.*)?"
.br
.B restorecon -F -R -v /var/%(domainname)s/incoming
-
+.br
+.B setsebool -P %(domainname)s_anon_write 1
""" % {'domainname':self.domainname})
for b in self.anon_list:
desc = self.booleans_dict[b][2][0].lower() + self.booleans_dict[b][2][1:]
@@ -998,12 +985,11 @@ is a GUI tool available to customize SELinux policy settings.
.SH AUTHOR
This manual page was auto-generated using
-.B "sepolicy manpage"
-by %s.
+.B "sepolicy manpage".
.SH "SEE ALSO"
selinux(8), %s(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-""" % (self.__whoami(), self.domainname))
+""" % (self.domainname))
if self.booltext != "":
self.fd.write(", setsebool(8)")
@@ -1230,6 +1216,7 @@ The SELinux user %s_u is not able to terminal login.
""" % self.domainname)
def _network(self):
+ from sepolicy import network
self.fd.write("""
.SH NETWORK
""")
diff --git a/policycoreutils/sepolicy/sepolicy/network.py b/policycoreutils/sepolicy/sepolicy/network.py
index 66efe26..a446d68 100755
--- a/policycoreutils/sepolicy/sepolicy/network.py
+++ b/policycoreutils/sepolicy/sepolicy/network.py
@@ -25,27 +25,6 @@ import sepolicy
search=sepolicy.search
info=sepolicy.info
-def _gen_port_dict():
- portrecsbynum = {}
- portrecs = {}
- for i in info(sepolicy.PORT):
- if i['low'] == i['high']:
- port = str(i['low'])
- else:
- port = "%s-%s" % (str(i['low']), str(i['high']))
-
- if (i['type'], i['protocol']) in portrecs:
- portrecs [(i['type'], i['protocol'])].append(port)
- else:
- portrecs [(i['type'], i['protocol'])] = [port]
-
- portrecsbynum[(i['low'], i['high'],i['protocol'])] = (i['type'], i['range'])
- return ( portrecs, portrecsbynum )
-portrecs, portrecsbynum = _gen_port_dict()
-
-port_types = sepolicy.info(sepolicy.ATTRIBUTE,"port_type")[0]["types"]
-domains = sepolicy.info(sepolicy.ATTRIBUTE,"domain")[0]["types"]
-
def get_types(src, tclass, perm):
allows=search([sepolicy.ALLOW],{sepolicy.SOURCE:src,sepolicy.CLASS:tclass, sepolicy.PERMS:perm})
nlist=[]
@@ -57,6 +36,7 @@ def get_types(src, tclass, perm):
def get_network_connect(src, protocol, perm):
+ portrecs, portrecsbynum = sepolicy.gen_port_dict()
d={}
tlist = get_types(src, "%s_socket" % protocol, [perm])
if len(tlist) > 0:
diff --git a/policycoreutils/setfiles/restorecon.8 b/policycoreutils/setfiles/restorecon.8
index 80b6d6e..07c5ee2 100644
--- a/policycoreutils/setfiles/restorecon.8
+++ b/policycoreutils/setfiles/restorecon.8
@@ -4,10 +4,10 @@ restorecon \- restore file(s) default SELinux security contexts.
.SH "SYNOPSIS"
.B restorecon
-.I [\-o outfilename] [\-R] [\-n] [\-p] [\-v] [\-e directory] pathname...
+.I [\-R] [\-n] [\-p] [\-v] [\-e directory] pathname...
.P
.B restorecon
-.I \-f infilename [\-o outfilename] [\-e directory] [\-R] [\-n] [\-p] [\-v] [\-F]
+.I \-f infilename [\-e directory] [\-R] [\-n] [\-p] [\-v] [\-F]
.SH "DESCRIPTION"
This manual page describes the
@@ -49,7 +49,7 @@ ignore files that do not exist.
don't change any file labels (passive check).
.TP
.B \-o outfilename
-save list of files with incorrect context in outfilename.
+Deprecated, SELinux policy will probably block this access. Use shell redirection to save list of files with incorrect context in filename.
.TP
.B \-p
show progress by printing * every STAR_COUNT files. (If you relabel the entire OS, this will show you the percentage complete.)
diff --git a/policycoreutils/setfiles/setfiles.8 b/policycoreutils/setfiles/setfiles.8
index 89d2a49..12bca43 100644
--- a/policycoreutils/setfiles/setfiles.8
+++ b/policycoreutils/setfiles/setfiles.8
@@ -4,7 +4,7 @@ setfiles \- set SELinux file security contexts.
.SH "SYNOPSIS"
.B setfiles
-.I [\-c policy] [\-d] [\-l] [\-n] [\-e directory] [\-o filename] [\-q] [\-s] [\-v] [\-W] [\-F] spec_file pathname...
+.I [\-c policy] [\-d] [\-l] [\-n] [\-e directory] [\-q] [\-s] [\-v] [\-W] [\-F] spec_file pathname...
.SH "DESCRIPTION"
This manual page describes the
.BR setfiles
@@ -57,7 +57,7 @@ log changes in file labels to syslog.
don't change any file labels (passive check).
.TP
.B \-o filename
-save list of files with incorrect context in filename.
+Deprecated, SELinux policy will probably block this access. Use shell redirection to save list of files with incorrect context in filename.
.TP
.B \-p
show progress by printing * every STAR_COUNT files. (If you relabel the entire OS, this will show you the percentage complete.)
diff --git a/policycoreutils/setfiles/setfiles.c b/policycoreutils/setfiles/setfiles.c
index b11e49f..ac1c39a 100644
--- a/policycoreutils/setfiles/setfiles.c
+++ b/policycoreutils/setfiles/setfiles.c
@@ -45,18 +45,18 @@ void usage(const char *const name)
{
if (iamrestorecon) {
fprintf(stderr,
- "usage: %s [-iFnprRv0] [-e excludedir] [-o filename] pathname...\n"
- "usage: %s [-iFnprRv0] [-e excludedir] [-o filename] -f filename\n",
+ "usage: %s [-iFnprRv0] [-e excludedir] pathname...\n"
+ "usage: %s [-iFnprRv0] [-e excludedir] -f filename\n",
name, name);
} else {
fprintf(stderr,
- "usage: %s [-dilnpqvFW] [-e excludedir] [-o filename] [-r alt_root_path] spec_file pathname...\n"
- "usage: %s [-dilnpqvFW] [-e excludedir] [-o filename] [-r alt_root_path] spec_file -f filename\n"
- "usage: %s -s [-dilnpqvFW] [-o filename] spec_file\n"
+ "usage: %s [-dilnpqvFW] [-e excludedir] [-r alt_root_path] spec_file pathname...\n"
+ "usage: %s [-dilnpqvFW] [-e excludedir] [-r alt_root_path] spec_file -f filename\n"
+ "usage: %s -s [-dilnpqvFW] spec_file\n"
"usage: %s -c policyfile spec_file\n",
name, name, name, name);
}
- exit(1);
+ exit(-1);
}
static int nerr = 0;
@@ -66,7 +66,7 @@ void inc_err()
nerr++;
if (nerr > ABORT_ON_ERRORS - 1 && !r_opts.debug) {
fprintf(stderr, "Exiting after %d errors.\n", ABORT_ON_ERRORS);
- exit(1);
+ exit(-1);
}
}
@@ -80,7 +80,7 @@ void set_rootpath(const char *arg)
if (NULL == r_opts.rootpath) {
fprintf(stderr, "%s: insufficient memory for r_opts.rootpath\n",
r_opts.progname);
- exit(1);
+ exit(-1);
}
/* trim trailing /, if present */
@@ -98,7 +98,7 @@ int canoncon(char **contextp)
if (policyfile) {
if (sepol_check_context(context) < 0) {
fprintf(stderr, "invalid context %s\n", context);
- exit(1);
+ exit(-1);
}
} else if (security_canonicalize_context_raw(context, &tmpcon) == 0) {
free(context);
@@ -175,7 +175,7 @@ int main(int argc, char **argv)
r_opts.progname = strdup(argv[0]);
if (!r_opts.progname) {
fprintf(stderr, "%s: Out of memory!\n", argv[0]);
- exit(1);
+ exit(-1);
}
base = basename(r_opts.progname);
@@ -242,7 +242,7 @@ int main(int argc, char **argv)
fprintf(stderr,
"Error opening %s: %s\n",
policyfile, strerror(errno));
- exit(1);
+ exit(-1);
}
__fsetlocking(policystream,
FSETLOCKING_BYCALLER);
@@ -252,7 +252,7 @@ int main(int argc, char **argv)
fprintf(stderr,
"Error reading policy %s: %s\n",
policyfile, strerror(errno));
- exit(1);
+ exit(-1);
}
fclose(policystream);
@@ -268,7 +268,7 @@ int main(int argc, char **argv)
break;
}
if (add_exclude(optarg))
- exit(1);
+ exit(-1);
break;
case 'f':
use_input_file = 1;
@@ -318,13 +318,13 @@ int main(int argc, char **argv)
if (optind + 1 >= argc) {
fprintf(stderr, "usage: %s -r rootpath\n",
argv[0]);
- exit(1);
+ exit(-1);
}
if (NULL != r_opts.rootpath) {
fprintf(stderr,
"%s: only one -r can be specified\n",
argv[0]);
- exit(1);
+ exit(-1);
}
set_rootpath(argv[optind++]);
break;
@@ -337,7 +337,7 @@ int main(int argc, char **argv)
if (r_opts.progress) {
fprintf(stderr,
"Progress and Verbose mutually exclusive\n");
- exit(1);
+ exit(-1);
}
r_opts.verbose++;
break;
@@ -391,12 +391,12 @@ int main(int argc, char **argv)
if (stat(argv[optind], &sb) < 0) {
perror(argv[optind]);
- exit(1);
+ exit(-1);
}
if (!S_ISREG(sb.st_mode)) {
fprintf(stderr, "%s: spec file %s is not a regular file.\n",
argv[0], argv[optind]);
- exit(1);
+ exit(-1);
}
altpath = argv[optind];
@@ -409,7 +409,7 @@ int main(int argc, char **argv)
r_opts.selabel_opt_path = altpath;
if (nerr)
- exit(1);
+ exit(-1);
restore_init(&r_opts);
if (use_input_file) {
@@ -452,5 +452,5 @@ int main(int argc, char **argv)
if (r_opts.progress && r_opts.count >= STAR_COUNT)
printf("\n");
- exit(errors);
+ exit(errors ? -1: 0);
}
diff --git a/policycoreutils/setsebool/Makefile b/policycoreutils/setsebool/Makefile
index a6addc5..45d6538 100644
--- a/policycoreutils/setsebool/Makefile
+++ b/policycoreutils/setsebool/Makefile
@@ -4,7 +4,7 @@ INCLUDEDIR ?= $(PREFIX)/include
SBINDIR ?= $(PREFIX)/sbin
MANDIR = $(PREFIX)/share/man
LIBDIR ?= $(PREFIX)/lib
-BASHCOMPLETIONDIR ?= $(DESTDIR)/etc/bash_completion.d/
+BASHCOMPLETIONDIR ?= $(DESTDIR)/usr/share/bash-completion/completions
CFLAGS ?= -Werror -Wall -W
override CFLAGS += -I$(INCLUDEDIR)
@@ -23,7 +23,7 @@ install: all
-mkdir -p $(MANDIR)/man8
install -m 644 setsebool.8 $(MANDIR)/man8/
-mkdir -p $(BASHCOMPLETIONDIR)
- install -m 644 $(BASHCOMPLETIONS) $(BASHCOMPLETIONDIR)
+ install -m 644 $(BASHCOMPLETIONS) $(BASHCOMPLETIONDIR)/setsebool
relabel: