From 02097a7562d7cb5180d0c69f15848ca2a2aefdc3 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Jan 18 2006 17:43:23 +0000
Subject: * Wed Jan 18 2006 Dan Walsh 1.29.8-1 - Update to match NSA * Merged semanage fixes from Ivan Gyurdiev. * Merged semanage fixes from Russell Coker. * Merged chcat, genhomedircon, and semanage diffs from Dan Walsh.
---
diff --git a/.cvsignore b/.cvsignore
index 4244cbd..3ef788b 100644
--- a/.cvsignore
+++ b/.cvsignore
@@ -80,3 +80,4 @@ policycoreutils-1.29.3.tgz
 policycoreutils-1.29.4.tgz
 policycoreutils-1.29.5.tgz
 policycoreutils-1.29.7.tgz
+policycoreutils-1.29.8.tgz
diff --git a/policycoreutils-rhat.patch b/policycoreutils-rhat.patch
index 0be0f79..05fd662 100644
--- a/policycoreutils-rhat.patch
+++ b/policycoreutils-rhat.patch
@@ -1,1277 +1,109 @@ -diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/genhomedircon policycoreutils-1.29.7/scripts/genhomedircon ---- nsapolicycoreutils/scripts/genhomedircon 2006-01-13 09:47:40.000000000 -0500 -+++ policycoreutils-1.29.7/scripts/genhomedircon 2006-01-15 08:42:38.000000000 -0500 -@@ -327,6 +327,9 @@ - sys.stderr.write("%s: %s\n" % ( sys.argv[0], error )) - - -+if os.getuid() > 0 or os.geteuid() > 0: -+ print "You must be root to run %s." % sys.argv[0] -+ sys.exit(0) - - # - # This script will generate home dir file context -diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semanage/semanage policycoreutils-1.29.7/semanage/semanage ---- nsapolicycoreutils/semanage/semanage 2006-01-13 09:47:40.000000000 -0500 -+++ policycoreutils-1.29.7/semanage/semanage 2006-01-15 09:04:05.000000000 -0500 -@@ -20,23 +20,27 @@ - # 02111-1307 USA - # - # --import sys, getopt -+import os, sys, getopt - import seobject - - if __name__ == '__main__': -+ if os.getuid() > 0 or os.geteuid() > 0: -+ print "You must be root to run %s." 
% sys.argv[0] -+ sys.exit(0) - - def usage(message = ""): - print '\ --semanage user [-admsRrh] SELINUX_USER\n\ --semanage login [-admsrh] LOGIN_NAME\n\ --semanage port [-admth] PORT | PORTRANGE\n\ --semanage interface [-admth] INTERFACE\n\ --semanage fcontext [-admhfst] INTERFACE\n\ -+semanage user [-admLRr] SELINUX_USER\n\ -+semanage login [-admsr] LOGIN_NAME\n\ -+semanage port [-admtpr] PORT | PORTRANGE\n\ -+semanage interface [-admtr] INTERFACE\n\ -+semanage fcontext [-admhfrst] INTERFACE\n\ - -a, --add Add a OBJECT record NAME\n\ - -d, --delete Delete a OBJECT record NAME\n\ - -f, --ftype File Type of OBJECT \n\ - -h, --help display this message\n\ - -l, --list List the OBJECTS\n\ -+ -L, --level Default SELinux Level\n\ - -n, --noheading Do not print heading when listing OBJECTS\n\ - -m, --modify Modify a OBJECT record NAME\n\ - -r, --range MLS/MCS Security Range\n\ -@@ -84,7 +88,7 @@ - - args = sys.argv[2:] - gopts, cmds = getopt.getopt(args, -- 'adf:lhmnp:P:s:R:r:t:v', -+ 'adf:lhmnp:P:s:R:L:r:t:v', - ['add', - 'delete', - 'ftype=', -@@ -96,6 +100,7 @@ - 'proto=', - 'seuser=', - 'range=', -+ 'level=', - 'roles=', - 'type=', - 'verbose' -@@ -106,7 +111,7 @@ - usage() - add = 1 - -- if o == "-d" or o == "--delese": -+ if o == "-d" or o == "--delete": - if modify or add: - usage() - delete = 1 -@@ -126,21 +131,24 @@ - if o == "-r" or o == '--range': - serange = a - -+ if o == "-l" or o == "--list": -+ list = 1 -+ -+ if o == "-L" or o == '--level': -+ selevel = a -+ - if o == "-P" or o == '--proto': - proto = a - - if o == "-R" or o == '--roles': - roles = a - -- if o == "-t" or o == "--type": -- setype = a -- -- if o == "-l" or o == "--list": -- list = 1 -- - if o == "-s" or o == "--seuser": - seuser = a - -+ if o == "-t" or o == "--type": -+ setype = a -+ - if o == "-v" or o == "--verbose": - verbose = 1 - -@@ -210,8 +218,13 @@ - if delete: - if object == "port": - OBJECT.delete(target, proto) -+ -+ if object == "fcontext": -+ OBJECT.delete(target, ftype) -+ - 
else: - OBJECT.delete(target) -+ - sys.exit(0); - usage() - -diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semanage/semanage.8 policycoreutils-1.29.7/semanage/semanage.8 ---- nsapolicycoreutils/semanage/semanage.8 2005-11-29 10:55:01.000000000 -0500 -+++ policycoreutils-1.29.7/semanage/semanage.8 2006-01-15 09:04:56.000000000 -0500 -@@ -3,55 +3,71 @@ - semanage \- SELinux Policy Management tool - - .SH "SYNOPSIS" --.B semanage OBJECTTYPE [\-admsrh] OBJECT --.B semanage login [\-admsrh] login_name -+.B semanage {login|user|port|interface|fcontext} \-l - .br --.B semanage seuser [\-admsrh] selinux_name -+.B semanage login \-{a|d|m} [\-sr] login_name - .br --.B semanage port [\-admth] port_number -+.B semanage user \-{a|d|m} [\-LrR] selinux_name -+.br -+.B semanage port \-{a|d|m} [\-tp] port_number -+.br -+.B semanage interface \-{a|d|m} [\-tr] interface_spec -+.br -+.B semanage fcontext \-{a|d|m} [\-frst] file_spec - .P --This tool is used to manage configuration of the SELinux policy -+ -+This tool is used to configure SELinux policy - - .SH "DESCRIPTION" - This manual page describes the - .BR semanage - program. - .br --This tool is used to manage configuration of SELinux Policy. You can configure SELinux User Mappings, SELinux Port Mappings, SELinux Users. -- -+This tool is used to configure SELinux Policy. You can configure SELinux User Mappings, SELinux Port Mappings, SELinux Users. File Context and Network Interfaces. - - .SH "OPTIONS" --.TP -- \-a, \-\-add --.P -+.TP -+.I \-a, \-\-add - Add a OBJECT record NAME --.B \-d, \-\-delete --.P -+.TP -+.I \-d, \-\-delete - Delete a OBJECT record NAME --.B \-h, \-\-help --.P -+.TP -+.I \-h, \-\-help - display this message --.B \-l, \-\-list --.P -+.TP -+.I \-f, \-\-ftype -+File Type. This is used with fcontext. -+Requires a file type as shown in the mode field by ls, e.g. use -d to match only directories or -- to match only regular files. 
-+.TP -+.I \-l, \-\-list - List the OBJECTS --.B \-m, \-\-modify --.P -+.TP -+.I \-L, \-\-level -+Default SELinux Level for SELinux use. (s0) -+.TP -+.I \-m, \-\-modify - Modify a OBJECT record NAME --.B \-r, \-\-range --.P -+.TP -+.I \-p, \-\-proto -+Protocol for the specified port (tcp|udp). -+.TP -+.I \-R, \-\-role -+SELinux Roles (Separate by spaces) -+.TP -+.I \-r, \-\-range - MLS/MCS Security Range --.B \-s, \-\-seuser --.P -+.TP -+.I \-s, \-\-seuser - SELinux user name --.B \-t, \-\-type --.P -+.TP -+.I \-t, \-\-type - SELinux Type for the object --.B \-v, \-\-verbose --.P -+.TP -+.I \-v, \-\-verbose - verbose output - - .SH "AUTHOR" --This man page was written by Daniel Walsh . -- -- -+This man page was written by Daniel Walsh and -+Russell Coker . - +diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/chcat policycoreutils-1.29.7/scripts/chcat +--- nsapolicycoreutils/scripts/chcat 2006-01-18 11:12:43.000000000 -0500 ++++ policycoreutils-1.29.7/scripts/chcat 2006-01-18 10:31:40.000000000 -0500 +@@ -281,6 +282,7 @@ + print "Usage %s -d File ..." % sys.argv[0] + print "Usage %s -l -d user ..." % sys.argv[0] + print "Usage %s -L" % sys.argv[0] ++ print "Usage %s -L -l user" % sys.argv[0] + print "Use -- to end option list. 
For example" + print "chcat -- -CompanyConfidential /docs/businessplan.odt" + print "chcat -l +CompanyConfidential juser" +@@ -350,10 +352,17 @@ + if delete_ind: + sys.exit(chcat_replace(["s0"], ["s0"], cmds, login_ind)) + ++ if login_ind: ++ if len(cmds) >= 1: ++ for u in cmds: ++ try: ++ pwd.getpwnam(u) ++ except KeyError, e: ++ error( "User %s does not exist" % u) ++ else: ++ cmds.append(os.getlogin()) + if list_ind: + if login_ind: +- if len(cmds) < 1: +- usage() + sys.exit(listusercats(cmds)) + else: + if len(cmds) > 0: diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semanage/seobject.py policycoreutils-1.29.7/semanage/seobject.py ---- nsapolicycoreutils/semanage/seobject.py 2006-01-13 08:39:11.000000000 -0500 -+++ policycoreutils-1.29.7/semanage/seobject.py 2006-01-15 09:50:28.000000000 -0500 -@@ -21,8 +21,39 @@ - # - # - --import pwd, string -+import pwd, string, selinux - from semanage import *; -+ -+def translate(raw, prepend=1): -+ if prepend == 1: -+ context="a:b:c:%s" % raw -+ else: -+ context=raw -+ (rc, trans)=selinux.selinux_raw_to_trans_context(context) -+ if rc != 0: -+ return raw -+ if prepend: -+ trans = trans.strip("a:b:c") -+ if trans == "": -+ return raw -+ else: -+ return trans -+ -+def untranslate(trans, prepend=1): -+ if prepend == 1: -+ context="a:b:c:%s" % trans -+ else: -+ context=raw -+ (rc, raw)=selinux.selinux_trans_to_raw_context(context) -+ if rc != 0: -+ return trans -+ if prepend: -+ raw = raw.strip("a:b:c") -+ if raw == "": -+ return trans -+ else: -+ return raw -+ - class semanageRecords: - def __init__(self): - self.sh = semanage_handle_create() -@@ -37,6 +68,9 @@ - def add(self, name, sename, serange): - if serange == "": - serange = "s0" -+ else: -+ serange = untranslate(serange) -+ - if sename == "": - sename = "user_u" - -@@ -46,7 +80,7 @@ - - (rc,exists) = semanage_seuser_exists(self.sh, k) - if exists: -- raise ValueError("SELinux User %s mapping already defined" % name) -+ raise ValueError("Login mapping for %s 
is already defined" % name) - try: - pwd.getpwnam(name) - except: -@@ -54,40 +88,65 @@ - - (rc,u) = semanage_seuser_create(self.sh) - if rc < 0: -- raise ValueError("Could not create seuser for %s" % name) -+ raise ValueError("Could not create login mapping for %s" % name) - -- semanage_seuser_set_name(self.sh, u, name) -- semanage_seuser_set_mlsrange(self.sh, u, serange) -- semanage_seuser_set_sename(self.sh, u, sename) -- semanage_begin_transaction(self.sh) -- semanage_seuser_add(self.sh, k, u) -- if semanage_commit(self.sh) < 0: -- raise ValueError("Failed to add SELinux user mapping") -+ rc = semanage_seuser_set_name(self.sh, u, name) -+ if rc < 0: -+ raise ValueError("Could not set name for %s" % name) -+ -+ rc = semanage_seuser_set_mlsrange(self.sh, u, serange) -+ if rc < 0: -+ raise ValueError("Could not set MLS range for %s" % name) -+ -+ rc = semanage_seuser_set_sename(self.sh, u, sename) -+ if rc < 0: -+ raise ValueError("Could not set SELinux user for %s" % name) -+ -+ rc = semanage_begin_transaction(self.sh) -+ if rc < 0: -+ raise ValueError("Could not start semanage transaction") -+ -+ rc = semanage_seuser_modify(self.sh, k, u) -+ if rc < 0: -+ raise ValueError("Failed to add login mapping for %s" % name) -+ -+ rc = semanage_commit(self.sh) -+ if rc < 0: -+ raise ValueError("Failed to add login mapping for %s" % name) - - def modify(self, name, sename = "", serange = ""): -+ if sename == "" and serange == "": -+ raise ValueError("Requires seuser or serange") -+ - (rc,k) = semanage_seuser_key_create(self.sh, name) - if rc < 0: - raise ValueError("Could not create a key for %s" % name) - -- if sename == "" and serange == "": -- raise ValueError("Requires, seuser or serange") -- - (rc,exists) = semanage_seuser_exists(self.sh, k) -- if exists: -- (rc,u) = semanage_seuser_query(self.sh, k) -- if rc < 0: -- raise ValueError("Could not query seuser for %s" % name) -- else: -- raise ValueError("SELinux user %s mapping is not defined." 
% name) -+ if not exists: -+ raise ValueError("Login mapping for %s is not defined" % name) -+ -+ (rc,u) = semanage_seuser_query(self.sh, k) -+ if rc < 0: -+ raise ValueError("Could not query seuser for %s" % name) - - if serange != "": -- semanage_seuser_set_mlsrange(self.sh, u, serange) -+ semanage_seuser_set_mlsrange(self.sh, u, untranslate(serange)) - if sename != "": - semanage_seuser_set_sename(self.sh, u, sename) -- semanage_begin_transaction(self.sh) -- semanage_seuser_modify_local(self.sh, k, u) -- if semanage_commit(self.sh) < 0: -- raise ValueError("Failed to modify SELinux user mapping") -+ -+ rc = semanage_begin_transaction(self.sh) -+ if rc < 0: -+ raise ValueError("Could not srart semanage transaction") -+ -+ rc = semanage_seuser_modify(self.sh, k, u) -+ if rc < 0: -+ raise ValueError("Failed to modify login mapping for %s" % name) -+ -+ rc = semanage_commit(self.sh) -+ if rc < 0: -+ raise ValueError("Failed to modify login mapping for %s" % name) -+ - def delete(self, name): - (rc,k) = semanage_seuser_key_create(self.sh, name) - if rc < 0: -@@ -95,15 +154,26 @@ - - (rc,exists) = semanage_seuser_exists(self.sh, k) - if not exists: -- raise ValueError("SELinux user %s mapping is not defined." 
% name) -- semanage_begin_transaction(self.sh) -- semanage_seuser_del(self.sh, k) -- if semanage_commit(self.sh) < 0: -- raise ValueError("SELinux User %s mapping not defined" % name) -+ raise ValueError("Login mapping for %s is not defined" % name) -+ -+ rc = semanage_begin_transaction(self.sh) -+ if rc < 0: -+ raise ValueError("Could not start semanage transaction") -+ -+ rc = semanage_seuser_del(self.sh, k) -+ if rc < 0: -+ raise ValueError("Failed to delete login mapping for %s" % name) -+ -+ rc = semanage_commit(self.sh) -+ if rc < 0: -+ raise ValueError("Failed to delete login mapping for %s" % name) - - def get_all(self): - dict={} -- (status, self.ulist, self.usize) = semanage_seuser_list(self.sh) -+ (rc, self.ulist, self.usize) = semanage_seuser_list(self.sh) -+ if rc < 0: -+ raise ValueError("Could not list login mappings") -+ - for idx in range(self.usize): - u = semanage_seuser_by_idx(self.ulist, idx) - name = semanage_seuser_get_name(u) -@@ -117,7 +187,7 @@ - keys=dict.keys() - keys.sort() - for k in keys: -- print "%-25s %-25s %-25s" % (k, dict[k][0], dict[k][1]) -+ print "%-25s %-25s %-25s" % (k, dict[k][0], translate(dict[k][1])) - - class seluserRecords(semanageRecords): - def __init__(self): -@@ -126,87 +196,134 @@ - def add(self, name, roles, selevel, serange): - if serange == "": - serange = "s0" -+ else: -+ serange = untranslate(serange) -+ - if selevel == "": - selevel = "s0" -+ else: -+ selevel = untranslate(selevel) - - (rc,k) = semanage_user_key_create(self.sh, name) - if rc < 0: - raise ValueError("Could not create a key for %s" % name) - - (rc,exists) = semanage_user_exists(self.sh, k) -- if not exists: -- raise ValueError("SELinux user %s is already defined." 
% name) -+ if exists: -+ raise ValueError("SELinux user %s is already defined" % name) - - (rc,u) = semanage_user_create(self.sh) - if rc < 0: -- raise ValueError("Could not create login mapping for %s" % name) -+ raise ValueError("Could not create SELinux user for %s" % name) -+ -+ rc = semanage_user_set_name(self.sh, u, name) -+ if rc < 0: -+ raise ValueError("Could not set name for %s" % name) - -- semanage_user_set_name(self.sh, u, name) - for r in roles: -- semanage_user_add_role(self.sh, u, r) -- semanage_user_set_mlsrange(self.sh, u, serange) -- semanage_user_set_mlslevel(self.sh, u, selevel) -+ rc = semanage_user_add_role(self.sh, u, r) -+ if rc < 0: -+ raise ValueError("Could not add role %s for %s" % (r, name)) -+ -+ rc = semanage_user_set_mlsrange(self.sh, u, serange) -+ if rc < 0: -+ raise ValueError("Could not set MLS range for %s" % name) -+ -+ rc = semanage_user_set_mlslevel(self.sh, u, selevel) -+ if rc < 0: -+ raise ValueError("Could not set MLS level for %s" % name) -+ - (rc,key) = semanage_user_key_extract(self.sh,u) - if rc < 0: - raise ValueError("Could not extract key for %s" % name) +--- nsapolicycoreutils/semanage/seobject.py 2006-01-18 11:12:43.000000000 -0500 ++++ policycoreutils-1.29.7/semanage/seobject.py 2006-01-18 11:12:01.000000000 -0500 +@@ -421,11 +421,11 @@ -- semanage_begin_transaction(self.sh) -- semanage_user_modify_local(self.sh, k, u) -- if semanage_commit(self.sh) < 0: -- raise ValueError("Failed to add SELinux user") -+ rc = semanage_begin_transaction(self.sh) -+ if rc < 0: -+ raise ValueError("Could not start semanage transaction") -+ -+ rc = semanage_user_modify_local(self.sh, k, u) -+ if rc < 0: -+ raise ValueError("Failed to add SELinux user %s" % name) -+ -+ rc = semanage_commit(self.sh) -+ if rc < 0: -+ raise ValueError("Failed to add SELinux user %s" % name) - - def modify(self, name, roles = [], selevel = "", serange = ""): - if len(roles) == 0 and serange == "" and selevel == "": -- raise ValueError("Requires, 
roles, level or range") -+ raise ValueError("Requires roles, level or range") - - (rc,k) = semanage_user_key_create(self.sh, name) + rc = semanage_port_modify_local(self.sh, k, p) if rc < 0: - raise ValueError("Could not create a key for %s" % name) - - (rc,exists) = semanage_user_exists(self.sh, k) -- if exists: -- (rc,u) = semanage_user_query(self.sh, k) -- else: -- raise ValueError("SELinux user %s mapping is not defined locally." % name) -+ if not exists: -+ raise ValueError("SELinux user %s is not defined" % name) -+ -+ (rc,u) = semanage_user_query(self.sh, k) - if rc < 0: - raise ValueError("Could not query user for %s" % name) - - if serange != "": -- semanage_user_set_mlsrange(self.sh, u, serange) -+ semanage_user_set_mlsrange(self.sh, u, untranslate(serange)) - if selevel != "": -- semanage_user_set_mlslevel(self.sh, u, selevel) -+ semanage_user_set_mlslevel(self.sh, u, untranslate(selevel)) -+ - if len(roles) != 0: - for r in roles: - semanage_user_add_role(self.sh, u, r) -- semanage_begin_transaction(self.sh) -- semanage_user_modify_local(self.sh, k, u) -- if semanage_commit(self.sh) < 0: -- raise ValueError("Failed to modify SELinux user") -+ -+ rc = semanage_begin_transaction(self.sh) -+ if rc < 0: -+ raise ValueError("Could not start semanage transaction") -+ -+ rc = semanage_user_modify_local(self.sh, k, u) -+ if rc < 0: -+ raise ValueError("Failed to modify SELinux user %s" % name) -+ -+ rc = semanage_commit(self.sh) -+ if rc < 0: -+ raise ValueError("Failed to modify SELinux user %s" % name) - - def delete(self, name): - (rc,k) = semanage_user_key_create(self.sh, name) - if rc < 0: -- raise ValueError("Could not crpppeate a key for %s" % name) -+ raise ValueError("Could not create a key for %s" % name) -+ - (rc,exists) = semanage_user_exists(self.sh, k) - if not exists: -- raise ValueError("user %s is not defined" % name) -- else: -- (rc,exists) = semanage_user_exists_local(self.sh, k) -- if not exists: -- raise ValueError("user %s is not defined 
locally, can not delete " % name) -- -- semanage_begin_transaction(self.sh) -- semanage_user_del_local(self.sh, k) -- if semanage_commit(self.sh) < 0: -- raise ValueError("Login User %s not defined" % name) -+ raise ValueError("SELinux user %s is not defined" % name) -+ -+ (rc,exists) = semanage_user_exists_local(self.sh, k) -+ if not exists: -+ raise ValueError("SELinux user %s is defined in policy, cannot be deleted" % name) -+ -+ rc = semanage_begin_transaction(self.sh) -+ if rc < 0: -+ raise ValueError("Could not start semanage transaction") -+ -+ rc = semanage_user_del_local(self.sh, k) -+ if rc < 0: -+ raise ValueError("Failed to delete SELinux user %s" % name) -+ -+ rc = semanage_commit(self.sh) -+ if rc < 0: -+ raise ValueError("Failed to delete SELinux user %s" % name) - - def get_all(self): - dict={} -- (status, self.ulist, self.usize) = semanage_user_list(self.sh) -+ (rc, self.ulist, self.usize) = semanage_user_list(self.sh) -+ if rc < 0: -+ raise ValueError("Could not list SELinux users") -+ - for idx in range(self.usize): - u = semanage_user_by_idx(self.ulist, idx) - name = semanage_user_get_name(u) -- (status, rlist, rlist_size) = semanage_user_get_roles(self.sh, u) -+ (rc, rlist, rlist_size) = semanage_user_get_roles(self.sh, u) -+ if rc < 0: -+ raise ValueError("Could not list roles for user %s" % name) -+ - roles = "" - - if rlist_size: -@@ -219,13 +336,13 @@ - - def list(self, heading=1): - if heading: -- print "\n%-15s %-10s %-20s" % ("", "MLS/", "MLS/") -- print "%-15s %-10s %-15s %-20s\n" % ("SELinux User", "MCS Level", "MCS Range", "SELinux Roles") -+ print "\n%-15s %-10s %-30s" % ("", "MLS/", "MLS/") -+ print "%-15s %-10s %-30s %s\n" % ("SELinux User", "MCS Level", "MCS Range", "SELinux Roles") - dict=self.get_all() - keys=dict.keys() - keys.sort() - for k in keys: -- print "%-15s %-10s %-15s %s" % (k, dict[k][0], dict[k][1], dict[k][2]) -+ print "%-15s %-10s %-30s %s" % (k, translate(dict[k][0]), translate(dict[k][1]), dict[k][2]) - - class 
portRecords(semanageRecords): - def __init__(self): -@@ -258,6 +375,8 @@ - def add(self, port, proto, serange, type): - if serange == "": - serange="s0" -+ else: -+ serange=untranslate(serange) - - if type == "": - raise ValueError("Type is required") -@@ -278,62 +397,97 @@ +- raise ValueError("Failed to add port %s/%s" % (proto, port)) ++ raise ValueError("Failed to modify port %s/%s" % (proto, port)) + + rc = semanage_commit(self.sh) if rc < 0: - raise ValueError("Could not create context for %s/%s" % (proto, port)) - -- semanage_context_set_user(self.sh, con, "system_u") -- semanage_context_set_role(self.sh, con, "object_r") -- semanage_context_set_type(self.sh, con, type) -- semanage_context_set_mls(self.sh, con, serange) -- semanage_begin_transaction(self.sh) -+ rc = semanage_context_set_user(self.sh, con, "system_u") -+ if rc < 0: -+ raise ValueError("Could not set user in port context for %s/%s" % (proto, port)) -+ -+ rc = semanage_context_set_role(self.sh, con, "object_r") -+ if rc < 0: -+ raise ValueError("Could not set role in port context for %s/%s" % (proto, port)) -+ -+ rc = semanage_context_set_type(self.sh, con, type) -+ if rc < 0: -+ raise ValueError("Could not set type in port context for %s/%s" % (proto, port)) -+ -+ rc = semanage_context_set_mls(self.sh, con, serange) -+ if rc < 0: -+ raise ValueError("Could not set mls fields in port context for %s/%s" % (proto, port)) -+ - semanage_port_set_con(p, con) -- semanage_port_modify_local(self.sh, k, p) -- if semanage_commit(self.sh) < 0: -- raise ValueError("Failed to add port") -+ -+ rc = semanage_begin_transaction(self.sh) -+ if rc < 0: -+ raise ValueError("Could not start semanage transaction") -+ -+ rc = semanage_port_modify_local(self.sh, k, p) -+ if rc < 0: -+ raise ValueError("Failed to add port %s/%s" % (proto, port)) -+ -+ rc = semanage_commit(self.sh) -+ if rc < 0: -+ raise ValueError("Failed to add port %s/%s" % (proto, port)) +- raise ValueError("Failed to add port %s/%s" % (proto, port)) 
++ raise ValueError("Failed to modify port %s/%s" % (proto, port)) def modify(self, port, proto, serange, setype): if serange == "" and setype == "": -- raise ValueError("Requires, setype or serange") -+ raise ValueError("Requires setype or serange") +@@ -458,7 +458,7 @@ - ( k, proto_d, low, high ) = self.__genkey(port, proto) - - (rc,exists) = semanage_port_exists(self.sh, k) -- if exists: -- (rc,p) = semanage_port_query(self.sh, k) -- else: -- raise ValueError("port %s/%s is not defined." % (proto,port)) -- -+ if not exists: -+ raise ValueError("Port %s/%s is not defined" % (proto,port)) -+ -+ (rc,p) = semanage_port_query(self.sh, k) + rc = semanage_commit(self.sh) if rc < 0: -- raise ValueError("Could not query port for %s/%s" % (proto, port)) -+ raise ValueError("Could not query port %s/%s" % (proto, port)) - - con = semanage_port_get_con(p) -- if rc < 0: -- raise ValueError("Could not get port context for %s/%s" % (proto, port)) - - if serange != "": -- semanage_context_set_mls(self.sh, con, serange) -+ semanage_context_set_mls(self.sh, con, untranslate(serange)) - if setype != "": - semanage_context_set_type(self.sh, con, setype) -- semanage_begin_transaction(self.sh) -- semanage_port_modify_local(self.sh, k, p) -- if semanage_commit(self.sh) < 0: -- raise ValueError("Failed to add port") -+ -+ rc = semanage_begin_transaction(self.sh) -+ if rc < 0: -+ raise ValueError("Could not start semanage transaction") -+ -+ rc = semanage_port_modify_local(self.sh, k, p) -+ if rc < 0: +- raise ValueError("Failed to add port %s/%s" % (proto, port)) + raise ValueError("Failed to modify port %s/%s" % (proto, port)) -+ -+ rc = semanage_commit(self.sh) -+ if rc < 0: -+ raise ValueError("Failed to add port %s/%s" % (proto, port)) def delete(self, port, proto): ( k, proto_d, low, high ) = self.__genkey(port, proto) - (rc,exists) = semanage_port_exists(self.sh, k) - if not exists: -- raise ValueError("port %s/%s is not defined." 
% (proto,port)) -- else: -- (rc,exists) = semanage_port_exists_local(self.sh, k) -- if not exists: -- raise ValueError("port %s/%s is not defined localy, can not be deleted." % (proto,port)) -- -- semanage_begin_transaction(self.sh) -- semanage_port_del_local(self.sh, k) -- if semanage_commit(self.sh) < 0: -- raise ValueError("Port %s/%s not defined" % (proto,port)) -+ raise ValueError("Port %s/%s is not defined" % (proto, port)) -+ -+ (rc,exists) = semanage_port_exists_local(self.sh, k) -+ if not exists: -+ raise ValueError("Port %s/%s is defined in policy, cannot be deleted" % (proto, port)) -+ -+ rc = semanage_begin_transaction(self.sh) -+ if rc < 0: -+ raise ValueError("Could not start semanage transaction") -+ -+ rc = semanage_port_del_local(self.sh, k) -+ if rc < 0: -+ raise ValueError("Could not delete port %s/%s" % (proto, port)) -+ -+ rc = semanage_commit(self.sh) -+ if rc < 0: -+ raise ValueError("Could not delete port %s/%s" % (proto, port)) - - def get_all(self): - dict={} -- (status, self.plist, self.psize) = semanage_port_list(self.sh) -+ (rc, self.plist, self.psize) = semanage_port_list(self.sh) -+ if rc < 0: -+ raise ValueError("Could not list ports") -+ +@@ -491,22 +491,44 @@ for idx in range(self.psize): u = semanage_port_by_idx(self.plist, idx) con = semanage_port_get_con(u) -@@ -369,89 +523,130 @@ - def add(self, interface, serange, type): - if serange == "": - serange="s0" -+ else: -+ serange=untranslate(serange) - - if type == "": - raise ValueError("SELinux Type is required") - - (rc,k) = semanage_iface_key_create(self.sh, interface) - if rc < 0: -- raise ValueError("Can't create key for %s" % interface) -+ raise ValueError("Could not create key for %s" % interface) -+ - (rc,exists) = semanage_iface_exists(self.sh, k) - if exists: - raise ValueError("Interface %s already defined" % interface) - - (rc,iface) = semanage_iface_create(self.sh) - if rc < 0: -- raise ValueError("Could not create interface for %s" % (interface)) -+ raise 
ValueError("Could not create interface for %s" % interface) - - rc = semanage_iface_set_name(self.sh, iface, interface) - (rc, con) = semanage_context_create(self.sh) - if rc < 0: - raise ValueError("Could not create context for %s" % interface) - -- semanage_context_set_user(self.sh, con, "system_u") -- semanage_context_set_role(self.sh, con, "object_r") -- semanage_context_set_type(self.sh, con, type) -- semanage_context_set_mls(self.sh, con, serange) -- semanage_begin_transaction(self.sh) -+ rc = semanage_context_set_user(self.sh, con, "system_u") -+ if rc < 0: -+ raise ValueError("Could not set user in interface context for %s" % interface) -+ -+ rc = semanage_context_set_role(self.sh, con, "object_r") -+ if rc < 0: -+ raise ValueError("Could not set role in interface context for %s" % interface) -+ -+ rc = semanage_context_set_type(self.sh, con, type) -+ if rc < 0: -+ raise ValueError("Could not set type in interface context for %s" % interface) -+ -+ rc = semanage_context_set_mls(self.sh, con, serange) -+ if rc < 0: -+ raise ValueError("Could not set mls fields in interface context for %s" % interface) -+ -+ (rc, con2) = semanage_context_clone(self.sh, con) -+ if rc < 0: -+ raise ValueError("Could not clone interface context for %s" % interface) -+ - semanage_iface_set_ifcon(iface, con) -- semanage_iface_set_msgcon(iface, con) -- semanage_iface_add_local(self.sh, k, iface) -- if semanage_commit(self.sh) < 0: -- raise ValueError("Failed to add interface") -+ semanage_iface_set_msgcon(iface, con2) -+ -+ rc = semanage_begin_transaction(self.sh) -+ if rc < 0: -+ raise ValueError("Could not start semanage transaction") -+ -+ rc = semanage_iface_modify_local(self.sh, k, iface) -+ if rc < 0: -+ raise ValueError("Failed to add interface %s" % interface) -+ -+ rc = semanage_commit(self.sh) -+ if rc < 0: -+ raise ValueError("Failed to add interface %s" % interface) - - def modify(self, interface, serange, setype): - if serange == "" and setype == "": -- raise 
ValueError("Requires, setype or serange") -+ raise ValueError("Requires setype or serange") - - (rc,k) = semanage_iface_key_create(self.sh, interface) - if rc < 0: -- raise ValueError("Can't creater key for %s" % interface) -- (rc,exists) = semanage_iface_exists(self.sh, k) -- if exists: -- (rc,p) = semanage_iface_query(self.sh, k) -- else: -- raise ValueError("interface %s is not defined." % interface) -+ raise ValueError("Could not create key for %s" % interface) - -+ (rc,exists) = semanage_iface_exists(self.sh, k) -+ if not exists: -+ raise ValueError("Interface %s is not defined" % interface) -+ -+ (rc,p) = semanage_iface_query(self.sh, k) - if rc < 0: -- raise ValueError("Could not query interface for %s" % interface) -+ raise ValueError("Could not query interface %s" % interface) - - con = semanage_iface_get_ifcon(p) -- if rc < 0: -- raise ValueError("Could not get interface context for %s" % interface) - - if serange != "": -- semanage_context_set_mls(self.sh, con, serange) -+ semanage_context_set_mls(self.sh, con, untranslate(serange)) - if setype != "": - semanage_context_set_type(self.sh, con, setype) - -- semanage_begin_transaction(self.sh) -- semanage_iface_modify_local(self.sh, k, p) -- if semanage_commit(self.sh) < 0: -- raise ValueError("Failed to add interface") -+ rc = semanage_begin_transaction(self.sh) -+ if rc < 0: -+ raise ValueError("Could not start semanage transaction") -+ -+ rc = semanage_iface_modify_local(self.sh, k, p) -+ if rc < 0: -+ raise ValueError("Failed to modify interface %s" % interface) - -+ rc = semanage_commit(self.sh) -+ if rc < 0: -+ raise ValueError("Failed to add interface %s" % interface) -+ - def delete(self, interface): - (rc,k) = semanage_iface_key_create(self.sh, interface) - if rc < 0: -- raise ValueError("Can't create key for %s" % interface) -+ raise ValueError("Could not create key for %s" % interface) -+ - (rc,exists) = semanage_iface_exists(self.sh, k) - if not exists: -- raise ValueError("interface %s is not 
defined." % interface) -- else: -- (rc,exists) = semanage_iface_exists_local(self.sh, k) -- if not exists: -- raise ValueError("interface %s is not defined localy, can not be deleted." % interface) -- -- semanage_begin_transaction(self.sh) -- semanage_iface_del_local(self.sh, k) -- if semanage_commit(self.sh) < 0: -- raise ValueError("Interface %s not defined" % interface) -+ raise ValueError("Interface %s is not defined" % interface) -+ -+ (rc,exists) = semanage_iface_exists_local(self.sh, k) -+ if not exists: -+ raise ValueError("Interface %s is defined in policy, cannot be deleted" % interface) -+ -+ rc = semanage_begin_transaction(self.sh) -+ if rc < 0: -+ raise ValueError("Could not start semanage transaction") -+ -+ rc = semanage_iface_del_local(self.sh, k) -+ if rc < 0: -+ raise ValueError("Failed to delete interface %s" % interface) -+ -+ rc = semanage_commit(self.sh) -+ if rc < 0: -+ raise ValueError("Failed to delete interface %s" % interface) - - def get_all(self): - dict={} -- (status, self.plist, self.psize) = semanage_iface_list(self.sh) -- if status < 0: -- raise ValueError("Unable to list interfaces") -+ (rc, self.plist, self.psize) = semanage_iface_list(self.sh) -+ if rc < 0: -+ raise ValueError("Could not list interfaces") -+ - for idx in range(self.psize): - interface = semanage_iface_by_idx(self.plist, idx) - con = semanage_iface_get_ifcon(interface) -@@ -466,7 +661,7 @@ - keys=dict.keys() - keys.sort() - for k in keys: -- print "%-30s %s:%s:%s:%s " % (k,dict[k][0], dict[k][1],dict[k][2], dict[k][3]) -+ print "%-30s %s:%s:%s:%s " % (k,dict[k][0], dict[k][1],dict[k][2], translate(dict[k][3], False)) - - class fcontextRecords(semanageRecords): - def __init__(self): -@@ -495,89 +690,127 @@ - - if serange == "": - serange="s0" -+ else: -+ serange=untranslate(serange) - - if type == "": - raise ValueError("SELinux Type is required") - - (rc,k) = semanage_fcontext_key_create(self.sh, target, self.file_types[ftype]) - if rc < 0: -- raise 
ValueError("Can't create key for %s" % target) -+ raise ValueError("Could not create key for %s" % target) -+ - (rc,exists) = semanage_fcontext_exists(self.sh, k) -- print (rc, exists, target) - if exists: -- raise ValueError("fcontext %s already defined" % target) -+ raise ValueError("File context for %s already defined" % target) -+ - (rc,fcontext) = semanage_fcontext_create(self.sh) - if rc < 0: -- raise ValueError("Could not create fcontext for %s" % target) -+ raise ValueError("Could not create file context for %s" % target) - - rc = semanage_fcontext_set_expr(self.sh, fcontext, target) - (rc, con) = semanage_context_create(self.sh) - if rc < 0: - raise ValueError("Could not create context for %s" % target) - -- semanage_context_set_user(self.sh, con, seuser) -- semanage_context_set_role(self.sh, con, "object_r") -- semanage_context_set_type(self.sh, con, type) -- semanage_context_set_mls(self.sh, con, serange) -+ rc = semanage_context_set_user(self.sh, con, seuser) -+ if rc < 0: -+ raise ValueError("Could not set user in file context for %s" % target) -+ -+ rc = semanage_context_set_role(self.sh, con, "object_r") -+ if rc < 0: -+ raise ValueError("Could not set role in file context for %s" % target) -+ -+ rc = semanage_context_set_type(self.sh, con, type) -+ if rc < 0: -+ raise ValueError("Could not set type in file context for %s" % target) -+ -+ rc = semanage_context_set_mls(self.sh, con, serange) -+ if rc < 0: -+ raise ValueError("Could not set mls fields in file context for %s" % target) -+ - semanage_fcontext_set_type(fcontext, self.file_types[ftype]) -- semanage_begin_transaction(self.sh) - semanage_fcontext_set_con(fcontext, con) -- semanage_fcontext_add_local(self.sh, k, fcontext) -- if semanage_commit(self.sh) < 0: -- raise ValueError("Failed to add fcontext") -+ -+ rc = semanage_begin_transaction(self.sh) -+ if rc < 0: -+ raise ValueError("Could not start semanage transaction") -+ -+ rc = semanage_fcontext_modify_local(self.sh, k, fcontext) -+ if rc 
< 0: -+ raise ValueError("Failed to add file context for %s" % target) -+ -+ rc = semanage_commit(self.sh) -+ if rc < 0: -+ raise ValueError("Failed to add file context for %s" % target) - - def modify(self, target, setype, ftype, serange, seuser): - if serange == "" and setype == "" and seuser == "": -- raise ValueError("Requires, setype, serange or seuser") -+ raise ValueError("Requires setype, serange or seuser") - - (rc,k) = semanage_fcontext_key_create(self.sh, target, self.file_types[ftype]) - if rc < 0: -- raise ValueError("Can't creater key for %s" % target) -+ raise ValueError("Could not create a key for %s" % target) -+ - (rc,exists) = semanage_fcontext_exists(self.sh, k) -- if exists: -- (rc,p) = semanage_fcontext_query(self.sh, k) -- else: -- raise ValueError("fcontext %s is not defined." % target) -+ if not exists: -+ raise ValueError("File context for %s is not defined" % target) -+ -+ (rc,p) = semanage_fcontext_query(self.sh, k) - if rc < 0: -- raise ValueError("Could not query fcontext for %s" % target) -+ raise ValueError("Could not query file context for %s" % target) -+ - con = semanage_fcontext_get_con(p) -- if rc < 0: -- raise ValueError("Could not get fcontext context for %s" % target) - - if serange != "": -- semanage_context_set_mls(self.sh, con, serange) -+ semanage_context_set_mls(self.sh, con, untranslate(serange)) - if seuser != "": - semanage_context_set_user(self.sh, con, seuser) - if setype != "": - semanage_context_set_type(self.sh, con, setype) - -- semanage_begin_transaction(self.sh) -- semanage_fcontext_modify_local(self.sh, k, p) -- if semanage_commit(self.sh) < 0: -- raise ValueError("Failed to add fcontext") -+ rc = semanage_begin_transaction(self.sh) -+ if rc < 0: -+ raise ValueError("Could not start semanage transaction") -+ -+ rc = semanage_fcontext_modify_local(self.sh, k, p) -+ if rc < 0: -+ raise ValueError("Failed to modify file context for %s" % target) -+ -+ rc = semanage_commit(self.sh) -+ if rc < 0: -+ raise 
ValueError("Failed to add file context for %s" % target) - -- def delete(self, target): -+ def delete(self, target, ftype): - (rc,k) = semanage_fcontext_key_create(self.sh, target, self.file_types[ftype]) - if rc < 0: -- raise ValueError("Can't create key for %s" % target) -+ raise ValueError("Could not create a key for %s" % target) -+ - (rc,exists) = semanage_fcontext_exists(self.sh, k) - if not exists: -- raise ValueError("fcontext %s is not defined." % target) -- else: -- (rc,exists) = semanage_fcontext_exists_local(self.sh, k) -- if not exists: -- raise ValueError("fcontext %s is not defined localy, can not be deleted." % target) -- -- semanage_begin_transaction(self.sh) -- semanage_fcontext_del_local(self.sh, k) -- if semanage_commit(self.sh) < 0: -- raise ValueError("fcontext %s not defined" % target) -+ raise ValueError("File context for %s is not defined" % target) -+ -+ (rc,exists) = semanage_fcontext_exists_local(self.sh, k) -+ if not exists: -+ raise ValueError("File context for %s is defined in policy, cannot be deleted" % target) -+ -+ rc = semanage_begin_transaction(self.sh) -+ if rc < 0: -+ raise ValueError("Could not start semanage transaction") -+ -+ rc = semanage_fcontext_del_local(self.sh, k) +- name = semanage_context_get_type(con) ++ type = semanage_context_get_type(con) ++ if type == "reserved_port_t": ++ continue ++ level = semanage_context_get_mls(con) + proto=semanage_port_get_proto_str(u) + low=semanage_port_get_low(u) + high = semanage_port_get_high(u) +- if (name, proto) not in dict.keys(): +- dict[(name,proto)]=[] ++ dict[(low, high)]=(type, proto, level) ++ return dict ++ ++ def get_all_by_type(self): ++ dict={} ++ (rc, self.plist, self.psize) = semanage_port_list(self.sh) + if rc < 0: -+ raise ValueError("Failed to delete file context for %s" % target) ++ raise ValueError("Could not list ports") + -+ rc = semanage_commit(self.sh) -+ if rc < 0: -+ raise ValueError("Failed to delete file context for %s" % target) - - def get_all(self): 
- dict={} -- (status, self.plist, self.psize) = semanage_fcontext_list(self.sh) -- if status < 0: -- raise ValueError("Unable to list fcontexts") -+ (rc, self.plist, self.psize) = semanage_fcontext_list(self.sh) -+ if rc < 0: -+ raise ValueError("Could not list file contexts") - - for idx in range(self.psize): - fcontext = semanage_fcontext_by_idx(self.plist, idx) -@@ -598,7 +831,7 @@ - keys=dict.keys() - for k in keys: - if dict[k]: -- print "%-50s %-18s %s:%s:%s:%s " % (k[0], k[1], dict[k][0], dict[k][1],dict[k][2], dict[k][3]) -+ print "%-50s %-18s %s:%s:%s:%s " % (k[0], k[1], dict[k][0], dict[k][1],dict[k][2], translate(dict[k][3],False)) ++ for idx in range(self.psize): ++ u = semanage_port_by_idx(self.plist, idx) ++ con = semanage_port_get_con(u) ++ type = semanage_context_get_type(con) ++ if type == "reserved_port_t": ++ continue ++ level = semanage_context_get_mls(con) ++ proto=semanage_port_get_proto_str(u) ++ low=semanage_port_get_low(u) ++ high = semanage_port_get_high(u) ++ if (type, proto) not in dict.keys(): ++ dict[(type,proto)]=[] + if low == high: +- dict[(name,proto)].append("%d" % low) ++ dict[(type,proto)].append("%d" % low) else: - print "%-50s %-18s <>" % (k[0], k[1]) - -@@ -606,117 +839,82 @@ - def __init__(self): - semanageRecords.__init__(self) - -- def add(self, target, type, ftype="", serange="s0", seuser="system_u"): -- if seuser == "": -- seuser="system_u" -- -- if serange == "": -- serange="s0" -- -- if type == "": -- raise ValueError("SELinux Type is required") -+ def modify(self, name, value = ""): -+ if value == "": -+ raise ValueError("Requires value") - -- (rc,k) = semanage_fcontext_key_create(self.sh, target, self.file_types[ftype]) -- if rc < 0: -- raise ValueError("Can't create key for %s" % target) -- (rc,exists) = semanage_fcontext_exists(self.sh, k) -- print (rc, exists, target) -- if exists: -- raise ValueError("fcontext %s already defined" % target) -- (rc,fcontext) = semanage_fcontext_create(self.sh) -- if rc < 0: -- 
raise ValueError("Could not create fcontext for %s" % target) -- -- rc = semanage_fcontext_set_expr(self.sh, fcontext, target) -- (rc, con) = semanage_context_create(self.sh) -+ (rc,k) = semanage_bool_key_create(self.sh, name) - if rc < 0: -- raise ValueError("Could not create context for %s" % target) -- -- semanage_context_set_user(self.sh, con, seuser) -- semanage_context_set_role(self.sh, con, "object_r") -- semanage_context_set_type(self.sh, con, type) -- semanage_context_set_mls(self.sh, con, serange) -- semanage_fcontext_set_type(fcontext, self.file_types[ftype]) -- semanage_begin_transaction(self.sh) -- semanage_fcontext_set_con(fcontext, con) -- semanage_fcontext_add_local(self.sh, k, fcontext) -- if semanage_commit(self.sh) < 0: -- raise ValueError("Failed to add fcontext") -+ raise ValueError("Could not create a key for %s" % name) - -- def modify(self, target, setype, ftype, serange, seuser): -- if serange == "" and setype == "" and seuser == "": -- raise ValueError("Requires, setype, serange or seuser") -+ (rc,exists) = semanage_bool_exists(self.sh, k) -+ if not exists: -+ raise ValueError("Boolean %s is not defined" % name) - -- (rc,k) = semanage_fcontext_key_create(self.sh, target, self.file_types[ftype]) -+ (rc,b) = semanage_bool_query(self.sh, k) - if rc < 0: -- raise ValueError("Can't creater key for %s" % target) -- (rc,exists) = semanage_fcontext_exists(self.sh, k) -- if exists: -- (rc,p) = semanage_fcontext_query(self.sh, k) -- else: -- raise ValueError("fcontext %s is not defined." 
% target) -+ raise ValueError("Could not query file context %s" % name) -+ -+ if value != "": -+ nvalue = string.atoi(value) -+ semanage_bool_set_value(b, nvalue) -+ -+ rc = semanage_begin_transaction(self.sh) - if rc < 0: -- raise ValueError("Could not query fcontext for %s" % target) -- con = semanage_fcontext_get_con(p) -+ raise ValueError("Could not start semanage transaction") -+ -+ rc = semanage_bool_modify_local(self.sh, k, b) - if rc < 0: -- raise ValueError("Could not get fcontext context for %s" % target) -- -- if serange != "": -- semanage_context_set_mls(self.sh, con, serange) -- if seuser != "": -- semanage_context_set_user(self.sh, con, seuser) -- if setype != "": -- semanage_context_set_type(self.sh, con, setype) -+ raise ValueError("Failed to modify boolean %s" % name) - -- semanage_begin_transaction(self.sh) -- semanage_fcontext_modify_local(self.sh, k, p) -- if semanage_commit(self.sh) < 0: -- raise ValueError("Failed to add fcontext") -+ rc = semanage_commit(self.sh) -+ if rc < 0: -+ raise ValueError("Failed to modify boolean %s" % name) - -- def delete(self, target): -- (rc,k) = semanage_fcontext_key_create(self.sh, target, self.file_types[ftype]) -+ def delete(self, name): -+ (rc,k) = semanage_bool_key_create(self.sh, name) - if rc < 0: -- raise ValueError("Can't create key for %s" % target) -- (rc,exists) = semanage_fcontext_exists(self.sh, k) -+ raise ValueError("Could not create a key for %s" % name) -+ -+ (rc,exists) = semanage_bool_exists(self.sh, k) - if not exists: -- raise ValueError("fcontext %s is not defined." % target) -- else: -- (rc,exists) = semanage_fcontext_exists_local(self.sh, k) -- if not exists: -- raise ValueError("fcontext %s is not defined localy, can not be deleted." 
% target) -- -- semanage_begin_transaction(self.sh) -- semanage_fcontext_del_local(self.sh, k) -- if semanage_commit(self.sh) < 0: -- raise ValueError("fcontext %s not defined" % target) -+ raise ValueError("Boolean %s is not defined" % name) -+ -+ (rc,exists) = semanage_bool_exists_local(self.sh, k) -+ if not exists: -+ raise ValueError("Boolean %s is defined in policy, cannot be deleted" % name) -+ -+ rc = semanage_begin_transaction(self.sh) -+ if rc < 0: -+ raise ValueError("Could not start semanage transaction") -+ -+ rc = semanage_fcontext_del_local(self.sh, k) -+ if rc < 0: -+ raise ValueError("Failed to delete boolean %s" % name) -+ -+ rc = semanage_commit(self.sh) -+ if rc < 0: -+ raise ValueError("Failed to delete boolean %s" % name) - - def get_all(self): - dict={} -- (status, self.plist, self.psize) = semanage_fcontext_list(self.sh) -- if status < 0: -- raise ValueError("Unable to list fcontexts") -+ (rc, self.blist, self.bsize) = semanage_bool_list(self.sh) -+ if rc < 0: -+ raise ValueError("Could not list booleans") - -- for idx in range(self.psize): -- fcontext = semanage_fcontext_by_idx(self.plist, idx) -- expr=semanage_fcontext_get_expr(fcontext) -- ftype=semanage_fcontext_get_type_str(fcontext) -- con = semanage_fcontext_get_con(fcontext) -- if con: -- dict[expr, ftype]=(semanage_context_get_user(con), semanage_context_get_role(con), semanage_context_get_type(con), semanage_context_get_mls(con)) -- else: -- dict[expr, ftype]=con -+ for idx in range(self.bsize): -+ boolean = semanage_bool_by_idx(self.blist, idx) -+ name = semanage_bool_get_name(boolean) -+ value = semanage_bool_get_value(boolean) -+ dict[name] = value - +- dict[(name,proto)].append("%d-%d" % (low, high)) ++ dict[(type,proto)].append("%d-%d" % (low, high)) return dict - + def list(self, heading=1): if heading: -- print "%-50s %-18s %s\n" % ("SELinux fcontext", "type", "Context") -+ print "%-50s %-18s\n" % ("SELinux boolean", "value") - dict=self.get_all() +- print "%-30s %-8s %s\n" % 
("SELinux Port Name", "Proto", "Port Number") +- dict=self.get_all() ++ print "%-30s %-8s %s\n" % ("SELinux Port Type", "Proto", "Port Number") ++ dict=self.get_all_by_type() keys=dict.keys() - for k in keys: - if dict[k]: -- print "%-50s %-18s %s:%s:%s:%s " % (k[0], k[1], dict[k][0], dict[k][1],dict[k][2], dict[k][3]) -- else: -- print "%-50s %-18s <>" % (k[0], k[1]) -- -- -+ print "%-50s %-18s " % (k[0], dict[k][0]) -Binary files nsapolicycoreutils/semanage/seobject.pyc and policycoreutils-1.29.7/semanage/seobject.pyc differ + keys.sort() + for i in keys: diff --git a/policycoreutils.spec b/policycoreutils.spec index 33ce6e1..643caf5 100644 --- a/policycoreutils.spec +++ b/policycoreutils.spec @@ -1,10 +1,10 @@ %define libsepolver 1.11.9-1 -%define libsemanagever 1.5.14-1 -%define libselinuxver 1.29.5-1 +%define libsemanagever 1.5.15-1 +%define libselinuxver 1.29.6-1 Summary: SELinux policy core utilities. Name: policycoreutils -Version: 1.29.7 -Release: 3 +Version: 1.29.8 +Release: 1 License: GPL Group: System Environment/Base Source: http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz @@ -97,6 +97,15 @@ rm -rf ${RPM_BUILD_ROOT} %{_libdir}/python2.4/site-packages/seobject.py* %changelog +* Wed Jan 18 2006 Dan Walsh 1.29.8-1 +- Update to match NSA + * Merged semanage fixes from Ivan Gyurdiev. + * Merged semanage fixes from Russell Coker. + * Merged chcat, genhomedircon, and semanage diffs from Dan Walsh. + +* Tue Jan 14 2006 Dan Walsh 1.29.7-4 +- Update chcat to manage user categories also + * Sat Jan 14 2006 Dan Walsh 1.29.7-3 - Add check for root for semanage, genhomedircon diff --git a/sources b/sources index 50af720..711fac9 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -4bd38ec2ccaf8cc047dfdcb30876b9fb policycoreutils-1.29.7.tgz +c40bd665ecbb503adf1a8e8730fed32a policycoreutils-1.29.8.tgz