From 3646f657ebb11f9e7cd1be7171caa23e61f7d4a2 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Dec 20 2005 22:42:38 +0000 Subject: * Tue Dec 20 2005 Dan Walsh 1.29.2-5 - More fixes for chcat --- diff --git a/policycoreutils-rhat.patch b/policycoreutils-rhat.patch index 6a27307..8ad4619 100644 --- a/policycoreutils-rhat.patch +++ b/policycoreutils-rhat.patch 
@@ -1,6 +1,234 @@ +diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/chcat policycoreutils-1.29.2/scripts/chcat +--- nsapolicycoreutils/scripts/chcat 2005-12-14 14:16:50.000000000 -0500 ++++ policycoreutils-1.29.2/scripts/chcat 2005-12-20 17:12:59.000000000 -0500 +@@ -39,11 +39,11 @@ + print("Can not modify sensitivity levels using '+' on %s" % f) + + if len(clist) > 1: +- cats=clist[1].split(",") +- if cat in cats: ++ if cat in clist[1:]: + print "%s is already in %s" % (f, orig) + continue +- cats.append(cat) ++ clist.append(cat) ++ cats=clist[1:] + cats.sort() + cat_string=cats[0] + for c in cats[1:]: +@@ -73,14 +73,13 @@ + continue + + if len(clist) > 1: +- cats=clist[1].split(",") +- if cat not in cats: ++ if cat not in clist[1:]: + print "%s is not in %s" % (f, orig) + continue +- cats.remove(cat) +- if len(cats) > 0: +- cat=cats[0] +- for c in cats[1:]: ++ clist.remove(cat) ++ if len(clist) > 1: ++ cat=clist[1] ++ for c in clist[2:]: + cat="%s,%s" % (cat, c) + else: + cat="" +@@ -91,7 +90,7 @@ + if len(cat) == 0: + cmd='chcon -l %s %s' % (sensitivity, f) + else: +- cmd='chcon -l %s:%s %s' % (sensitivity, cat, f) ++ cmd='chcon -l %s:%s %s' % (sensitivity,cat, f) + rc=commands.getstatusoutput(cmd) + if rc[0] != 0: + print rc[1] +@@ -101,18 +100,17 @@ + def chcat_replace(orig, newcat, files): + errors=0 + if len(newcat) == 1: +- if newcat[0][0] == "s" and newcat[0][1:].isdigit() and int(newcat[0][1:]) in range(0,16): +- sensitivity=newcat[0] +- cmd='chcon -l %s ' % newcat[0] +- else: +- cmd='chcon -l s0:%s ' % newcat[0] ++ sensitivity=newcat[0] ++ cmd='chcon -l %s ' % newcat[0] + else: + sensitivity=newcat[0] +- cat=newcat[1] +- cmd='chcon -l %s:%s ' % (sensitivity, cat) ++ cmd='chcon -l %s:%s' % (sensitivity, newcat[1]) ++ for cat in newcat[2:]: ++ cmd='%s,%s' % (cmd, cat) + + for f in files: + cmd = "%s %s" % (cmd, f) ++ + rc=commands.getstatusoutput(cmd) + if rc[0] != 0: + print rc[1] +@@ -134,44 +132,73 @@ + raise ValueError("Can not combine 
+/- with other types of categories") + return replace_ind + ++def isSensitivity(sensitivity): ++ if sensitivity[0] == "s" and sensitivity[1:].isdigit() and int(sensitivity[1:]) in range(0,16): ++ return 1 ++ else: ++ return 0 ++ ++def expandCats(cats): ++ newcats=[] ++ for c in cats: ++ if c.find(".") != -1: ++ c=c.split(".") ++ for i in range(int(c[0][1:]), int(c[1][1:])+1): ++ x=("c%d" % i) ++ if x not in newcats: ++ newcats.append("c%d" % i) ++ else: ++ for i in c.split(","): ++ if i not in newcats: ++ newcats.append(i) ++ return newcats ++ + def translate(cats): + newcat=[] ++ if len(cats) == 0: ++ newcat.append("s0") ++ return newcat + for c in cats: + (rc, raw) = selinux.selinux_trans_to_raw_context("a:b:c:%s" % c) + rlist=raw.split(":")[3:] +- if len(rlist) > 1: +- if len(newcat) == 0: +- newcat.append(rlist[0]) +- else: +- if newcat[0] != rlist[0]: +- raise ValueError("Can not have multiple sensitivities") +- newcat.append(rlist[1]) +- else: +- if rlist[0][0] == "s" and rlist[0][1:].isdigit() and int(rlist[0][1:]) in range(0,16): +- +- if len(newcat) == 0: +- newcat.append(rlist[0]) +- else: +- if newcat[0] != rlist[0]: +- raise ValueError("Can not have multiple sensitivities") +- else: +- if len(newcat) == 0: +- newcat.append("s0") +- else: +- if newcat[0] != "s0": +- raise ValueError("Can not have multiple sensitivities") +- newcat.append(rlist[0]) +- ++ tlist=[] ++ if isSensitivity(rlist[0])==0: ++ tlist.append("s0") ++ for i in expandCats(rlist): ++ tlist.append(i) ++ else: ++ tlist.append(rlist[0]) ++ for i in expandCats(rlist[1:]): ++ tlist.append(i) ++ if len(newcat) == 0: ++ newcat.append(tlist[0]) ++ else: ++ if newcat[0] != tlist[0]: ++ raise ValueError("Can not have multiple sensitivities") ++ for i in tlist[1:]: ++ newcat.append(i) + return newcat + + def usage(): + print "Usage %s CATEGORY File ..." % sys.argv[0] + print "Usage %s [[+|-]CATEGORY],...]q File ..." % sys.argv[0] + print "Usage %s -d File ..." 
% sys.argv[0] ++ print "Usage %s -l" % sys.argv[0] + print "Use -- to end option list. For example" + print "chcat -- -CompanyConfidential /docs/businessplan.odt." + sys.exit(1) + ++def listcats(): ++ fd = open(selinux.selinux_translations_path()) ++ for l in fd.read().split("\n"): ++ if l.startswith("#"): ++ continue ++ if l.find("=")!=-1: ++ rec=l.split("=") ++ print "%-30s %s" % tuple(rec) ++ fd.close() ++ return 0 ++ + def error(msg): + print "%s: %s" % (sys.argv[0], msg) + sys.exit(1) +@@ -184,10 +211,12 @@ + error("Requires an SELinux enabled system") + + delete_ind=0 ++ list_ind=0 + try: + gopts, cmds = getopt.getopt(sys.argv[1:], +- 'dh', +- ['help', ++ 'dhl', ++ ['list', ++ 'help', + 'delete']) + + for o,a in gopts: +@@ -195,8 +224,10 @@ + usage() + if o == "-d" or o == "--delete": + delete_ind=1 ++ if o == "-l" or o == "--list": ++ list_ind=1 + +- if len(cmds) < 1: ++ if list_ind==0 and len(cmds) < 1: + usage() + except: + usage() +@@ -204,6 +235,8 @@ + if delete_ind: + sys.exit(chcat_replace(["s0"], ["s0"], cmds)) + ++ if list_ind: ++ sys.exit(listcats()) + + if len(cmds) < 2: + usage() +diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/chcat.8 policycoreutils-1.29.2/scripts/chcat.8 +--- nsapolicycoreutils/scripts/chcat.8 2005-12-08 12:52:47.000000000 -0500 ++++ policycoreutils-1.29.2/scripts/chcat.8 2005-12-20 13:42:21.000000000 -0500 +@@ -11,6 +11,9 @@ + .B chcat + [\fI-d\fR] \fIFILE\fR... + .br ++.B chcat ++[\fI-l\fR] ++.br + .PP + Change/Remove the security CATEGORY for each FILE. + .PP +@@ -18,6 +21,9 @@ + .TP + \fB\-d\fR + delete the category from each file. ++.TP ++\fB\-l\fR ++list available categories. 
+ .SH "SEE ALSO" + .TP + chcon(1), selinux(8) diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/genhomedircon policycoreutils-1.29.2/scripts/genhomedircon --- nsapolicycoreutils/scripts/genhomedircon 2005-12-07 07:28:00.000000000 -0500 -+++ policycoreutils-1.29.2/scripts/genhomedircon 2005-12-20 06:32:04.000000000 -0500 ++++ policycoreutils-1.29.2/scripts/genhomedircon 2005-12-20 17:41:53.000000000 -0500 @@ -26,64 +26,73 @@ # # @@ -145,9 +373,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/genhomedircon po - rc = commands.getstatusoutput('grep "^user %s" %s' % (role, self.selinuxdir+self.type+"/users/local.users")) - if rc[0] == 0: - user=rc[1].split() -+ rc=findval(self.selinuxdir+self.type+"/users/system.users", 'grep "^user %s" %s' % role, "=") ++ rc=findval(self.selinuxdir+self.type+"/users/system.users", 'grep "^user %s"' % role, "=") + if rc == "": -+ rc=findval(self.selinuxdir+self.type+"/users/local.users", 'grep "^user %s" %s' % role, "=") ++ rc=findval(self.selinuxdir+self.type+"/users/local.users", 'grep "^user %s"' % role, "=") + if rc != "": + user=rc.split() role = user[3] 
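Review bot: expandCats() in this hunk splits on "." before it splits on ",", so a raw category list that mixes a range with single categories, e.g. `c1,c3.c5` (from a user typing `chcat s0:c1,c3.c5 FILE` or a setrans.conf entry of that form), takes the "." branch and dies with `ValueError` on `int("1,3")` instead of expanding to c1,c3,c4,c5. The comma split has to happen first and the range check applied per item; translate() is the only caller shown and would need no change. Separately, chcat_replace() still builds the chcon command by string concatenation and runs it through `commands.getstatusoutput`, so a filename containing whitespace or shell metacharacters is split or interpreted by /bin/sh and the wrong path gets relabelled; passing an argv list to subprocess/os.spawnvp would avoid that.
```python
def expandCats(cats):
    newcats=[]
    for c in cats:
        # split on "," first so a mixed list such as "c1,c3.c5" is handled
        for item in c.split(","):
            if item.find(".") != -1:
                (lo, hi) = item.split(".")
                for n in range(int(lo[1:]), int(hi[1:])+1):
                    x = "c%d" % n
                    if x not in newcats:
                        newcats.append(x)
            elif item not in newcats:
                newcats.append(item)
    return newcats
```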
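Review bot: The grep pattern passed to both findval() calls, `"^user %s"`, is only a prefix match, so a lookup for `staff_u` would also accept a `user staff_u2 roles ...` line if one were present in system.users or local.users; terminating the name, e.g. `'grep "^user %s[[:space:]]"' % role`, pins it to the exact identifier. findval's body is outside this hunk, so I am assuming from the removed lines that it still runs the pattern through a shell-invoked grep; if so, a role value containing regex or shell metacharacters would also change the command, although these names come from policy files rather than untrusted input. The enclosing method starts and ends outside the hunk.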
@@ -326,3 +554,118 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/genhomedircon po except IndexError, error: - errorExit("IndexError") + errorExit("IndexError %s" % error) +diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/selisteners policycoreutils-1.29.2/scripts/selisteners +--- nsapolicycoreutils/scripts/selisteners 1969-12-31 19:00:00.000000000 -0500 ++++ policycoreutils-1.29.2/scripts/selisteners 2005-12-20 09:54:52.000000000 -0500 +@@ -0,0 +1,37 @@ ++#! /usr/bin/env python ++# Copyright (C) 2005 Red Hat ++# see file 'COPYING' for use and warranty information ++# ++# listeners - this script finds all processes listening on a TCP or UDP Port ++# configuration entries for user home directories based on their ++# default roles and is run when building the policy. Specifically, we ++# replace HOME_ROOT, HOME_DIR, and ROLE macros in .fc files with ++# generic and user-specific values. ++# ++# Based off original script by Dan Walsh, ++# ++# ASSUMPTIONS: ++# ++# The file CONTEXTDIR/files/homedir_template exists. This file is used to ++# set up the home directory context for each real user. ++# ++# If a user has more than one role, genhomedircon uses the first role in the list. ++# ++# If a user is not listed in CONTEXTDIR/seusers, he will default to user_u, role user ++# ++# "Real" users (as opposed to system users) are those whose UID is greater than ++# or equal STARTING_UID (usually 500) and whose login is not a member of ++# EXCLUDE_LOGINS. Users who are explicitly defined in CONTEXTDIR/seusers ++# are always "real" (including root, in the default configuration). 
++# ++# ++import commands, string ++import selinux ++rc=commands.getstatusoutput("netstat -aptul") ++out=rc[1].split("\n") ++for i in out: ++ x=i.split() ++ y=x[-1].split("/") ++ if len(y)==2: ++ pid=string.atoi(y[0]) ++ print "%s %-40s %-10s\t%-20s\t%s" % (x[0], x[3], pid,y[1],selinux.getpidcon(pid)[1]) +diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/tests/chcat_test policycoreutils-1.29.2/scripts/tests/chcat_test +--- nsapolicycoreutils/scripts/tests/chcat_test 1969-12-31 19:00:00.000000000 -0500 ++++ policycoreutils-1.29.2/scripts/tests/chcat_test 2005-12-20 17:12:23.000000000 -0500 +@@ -0,0 +1,43 @@ ++#!/bin/sh -x ++# ++# You must copy the setrans.conf file in place before testing ++# ++chcat -l ++rm -f /tmp/chcat_test ++touch /tmp/chcat_test ++chcat -d /tmp/chcat_test ++chcat -d /tmp/chcat_test ++chcat -- -Payroll /tmp/chcat_test ++ls -lZ /tmp/chcat_test ++chcat -- +Payroll /tmp/chcat_test ++ls -lZ /tmp/chcat_test ++chcat -- -Payroll /tmp/chcat_test ++ls -lZ /tmp/chcat_test ++chcat Payroll,Marketing /tmp/chcat_test ++ls -lZ /tmp/chcat_test ++chcat -- +Payroll /tmp/chcat_test ++ls -lZ /tmp/chcat_test ++chcat -- Payroll /tmp/chcat_test ++ls -lZ /tmp/chcat_test ++chcat -- -Payroll,+Marketing /tmp/chcat_test ++ls -lZ /tmp/chcat_test ++chcat -- +Payroll,-Marketing /tmp/chcat_test ++ls -lZ /tmp/chcat_test ++chcat -- -Payroll,+Marketing,+NDA_Yoyodyne /tmp/chcat_test ++ls -lZ /tmp/chcat_test ++chcat -- -Marketing,-NDA_Yoyodyne /tmp/chcat_test ++ls -lZ /tmp/chcat_test ++chcat -- -s0 /tmp/chcat_test ++ls -lZ /tmp/chcat_test ++chcat -- s0 /tmp/chcat_test ++ls -lZ /tmp/chcat_test ++chcat -- s0:c1 /tmp/chcat_test ++ls -lZ /tmp/chcat_test ++chcat -- s0:c1,c2 /tmp/chcat_test ++ls -lZ /tmp/chcat_test ++chcat -- s0:c1.c3 /tmp/chcat_test ++ls -lZ /tmp/chcat_test ++chcat -- -s0:c3 /tmp/chcat_test ++ls -lZ /tmp/chcat_test ++chcat -- -s0:c2,+c3 /tmp/chcat_test ++ls -lZ /tmp/chcat_test +diff --exclude-from=exclude -N -u -r 
nsapolicycoreutils/scripts/tests/setrans.conf policycoreutils-1.29.2/scripts/tests/setrans.conf +--- nsapolicycoreutils/scripts/tests/setrans.conf 1969-12-31 19:00:00.000000000 -0500 ++++ policycoreutils-1.29.2/scripts/tests/setrans.conf 2005-12-20 17:05:16.000000000 -0500 +@@ -0,0 +1,23 @@ ++# ++# Multi-Category Security translation table for SELinux ++# ++# Uncomment the following to disable translation libary ++# disable=1 ++# ++# Objects can be categorized with 0-256 categories defined by the admin. ++# Objects can be in more than one category at a time. ++# Categories are stored in the system as c0-c255. Users can use this ++# table to translate the categories into a more meaningful output. ++# Examples: ++# s0:c0=CompanyConfidential ++# s0:c1=PatientRecord ++# s0:c2=Unclassified ++# s0:c3=TopSecret ++# s0:c1,c3=CompanyConfidentialRedHat ++s0= ++s0-s0:c0.c255=SystemLow-SystemHigh ++s0:c0.c255=SystemHigh ++s0:c0=Company_Confidential ++s0:c1=Marketing ++s0:c2=Payroll ++s0:c3=NDA_Yoyodyne diff --git a/policycoreutils.spec b/policycoreutils.spec index 41f3a88..299a5f0 100644 --- a/policycoreutils.spec +++ b/policycoreutils.spec @@ -1,10 +1,10 @@ %define libsepolver 1.11.1-1 %define libsemanagever 1.5.3-1 -%define libselinuxver 1.29.2-1 +%define libselinuxver 1.29.2-3 Summary: SELinux policy core utilities. Name: policycoreutils Version: 1.29.2 -Release: 4 +Release: 5 License: GPL Group: System Environment/Base Source: http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz @@ -96,6 +96,9 @@ rm -rf ${RPM_BUILD_ROOT} %config(noreplace) %{_sysconfdir}/sestatus.conf %changelog +* Tue Dec 20 2005 Dan Walsh 1.29.2-5 +- More fixes for chcat + * Tue Dec 20 2005 Dan Walsh 1.29.2-4 - Add try catch for files that may not exists
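Review bot: The new selisteners script never checks `rc[0]` after `commands.getstatusoutput("netstat -aptul")`, so if netstat is absent or fails its error text is parsed as though it were socket lines and the script silently prints nothing; add `if rc[0] != 0: raise SystemExit(rc[1])` directly after the call (sys is not imported, so SystemExit is the cheapest exit). The header comment is copied from genhomedircon and its ASSUMPTIONS block (homedir_template, seusers, STARTING_UID, EXCLUDE_LOGINS) describes that script, not this one; replace it with a short statement that the script lists each process holding a TCP/UDP socket with its SELinux context, and that netstat -p presumably only reports PIDs the caller is allowed to inspect, so a full listing needs root. The `selinux.getpidcon(pid)[1]` value is printed without looking at the status element, so a process that exits between the netstat run and the lookup would presumably show as `None`; a one-line check or comment there would make that explicit. `string.atoi(y[0])` can be `int(y[0])`, which is what the string module's function is deprecated in favour of.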