diff --git a/.cvsignore b/.cvsignore
index 72cc3cc..76a3521 100644
--- a/.cvsignore
+++ b/.cvsignore
@@ -91,3 +91,4 @@ policycoreutils-1.29.18.tgz
 policycoreutils-1.29.19.tgz
 policycoreutils-1.29.20.tgz
 policycoreutils-1.29.23.tgz
+policycoreutils-1.29.26.tgz
diff --git a/policycoreutils-rhat.patch b/policycoreutils-rhat.patch
index 47211b3..7f41d19 100644
--- a/policycoreutils-rhat.patch
+++ b/policycoreutils-rhat.patch
@@ -1,20 +1,437 @@ -diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semanage/seobject.py policycoreutils-1.29.20/semanage/seobject.py ---- nsapolicycoreutils/semanage/seobject.py 2006-02-02 12:08:04.000000000 -0500 -+++ policycoreutils-1.29.20/semanage/seobject.py 2006-02-10 11:48:59.000000000 -0500 -@@ -21,8 +21,11 @@ +diff --exclude-from=exclude -N -u -r nsapolicycoreutils/audit2allow/audit2allow policycoreutils-1.29.26/audit2allow/audit2allow +--- nsapolicycoreutils/audit2allow/audit2allow 2005-12-08 12:52:44.000000000 -0500 ++++ policycoreutils-1.29.26/audit2allow/audit2allow 2006-02-21 13:48:01.000000000 -0500 +@@ -25,6 +25,118 @@ + # + # + import commands, sys, os, pwd, string, getopt, re, selinux ++ ++obj="(\{[^\}]*\}|[^ \t:]*)" ++allow_regexp="allow[ \t]+%s[ \t]*%s[ \t]*:[ \t]*%s[ \t]*%s" % (obj, obj, obj, obj) ++ ++awk_script='/^[[:blank:]]*interface[[:blank:]]*\(/ {\n\ ++ IFACEFILE=FILENAME\n\ ++ IFACENAME = gensub("^[[:blank:]]*interface[[:blank:]]*\\\\(\`?","","g",$0);\n\ ++ IFACENAME = gensub("\'?,.*$","","g",IFACENAME);\n\ ++}\n\ ++\n\ ++/^[[:blank:]]*allow[[:blank:]]+.*;[[:blank:]]*$/ {\n\ ++\n\ ++ if ((length(IFACENAME) > 0) && (IFACEFILE == FILENAME)){\n\ ++ ALLOW = gensub("^[[:blank:]]*","","g",$0)\n\ ++ ALLOW = gensub(";[[:blank:]]*$","","g",$0)\n\ ++ print FILENAME "\\t" IFACENAME "\\t" ALLOW;\n\ ++ }\n\ ++}\ ++' ++ ++class accessTrans: ++ def __init__(self): ++ self.dict={} ++ try: ++ fd=open("/usr/share/selinux/refpolicy/include/support/obj_perm_sets.spt") ++ except IOError, error: ++ raise IOError("Reference policy generation requires the policy development package.\n%s" % error) ++ records=fd.read().split("\n") ++ regexp="^define *\(`([^']*)' *, *` *\{([^}]*)}'" ++ for r in records: ++ m=re.match(regexp,r) ++ if m!=None: ++ self.dict[m.groups()[0]] = m.groups()[1].split() ++ fd.close() ++ def get(self, var): ++ l=[] ++ for v in var: ++ if v in self.dict.keys(): ++ l += self.dict[v] ++ else: ++ if v not in ("{", "}"): ++ l.append(v) 
++ return l ++ ++class interfaces: ++ def __init__(self): ++ self.dict={} ++ trans=accessTrans() ++ (input, output) = os.popen2("awk -f - /usr/share/selinux/refpolicy/include/*/*.if 2> /dev/null") ++ input.write(awk_script) ++ input.close() ++ records=output.read().split("\n") ++ input.close() ++ if len(records) > 0: ++ regexp="([^ \t]*)[ \t]+([^ \t]*)[ \t]+%s" % allow_regexp ++ for r in records: ++ m=re.match(regexp,r) ++ if m==None: ++ continue ++ else: ++ val=m.groups() ++ file=os.path.basename(val[0]).split(".")[0] ++ iface=val[1] ++ Scon=val[2].split() ++ Tcon=val[3].split() ++ Class=val[4].split() ++ Access=trans.get(val[5].split()) ++ for s in Scon: ++ for t in Tcon: ++ for c in Class: ++ if (s, t, c) not in self.dict.keys(): ++ self.dict[(s, t, c)]=[] ++ self.dict[(s, t, c)].append((Access, file, iface)) ++ def out(self): ++ keys=self.dict.keys() ++ keys.sort() ++ for k in keys: ++ print k ++ for i in self.dict[k]: ++ print "\t", i ++ ++ def match(self, Scon, Tcon, Class, Access): ++ keys=self.dict.keys() ++ ret=[] ++ if (Scon, Tcon, Class) in keys: ++ for i in self.dict[(Scon, Tcon, Class)]: ++ if Access in i[0]: ++ if i[2].find(Access) >= 0: ++ ret.insert(0, i) ++ else: ++ ret.append(i) ++ return ret ++ if ("$1", Tcon, Class) in keys: ++ for i in self.dict[("$1", Tcon, Class)]: ++ if Access in i[0]: ++ if i[2].find(Access) >= 0: ++ ret.insert(0, i) ++ else: ++ ret.append(i) ++ return ret ++ if (Scon, "$1", Class) in keys: ++ for i in self.dict[(Scon, "$1", Class)]: ++ if Access in i[0]: ++ if i[2].find(Access) >= 0: ++ ret.insert(0, i) ++ else: ++ ret.append(i) ++ return ret ++ else: ++ return ret ++ ++ + class serule: + def __init__(self, type, source, target, seclass): + self.type=type +@@ -32,6 +144,8 @@ + self.target=target + self.seclass=seclass + self.avcinfo={} ++ self.iface=None ++ + def add(self, avc): + for a in avc[0]: + if a not in self.avcinfo.keys(): +@@ -67,6 +181,33 @@ + ret=ret + " : " + i + return ret + ++ def gen_reference_policy(self, 
iface): ++ ret="" ++ Scon=self.source ++ Tcon=self.gettarget() ++ Class=self.seclass ++ Access=self.getAccess() ++ m=iface.match(Scon,Tcon,Class,Access) ++ if len(m)==0: ++ return self.out() ++ else: ++ file=m[0][1] ++ ret="\n#%s\n"% self.out() ++ ret += "optional_policy(`%s', `\n" % m[0][1] ++ first=True ++ for i in m: ++ if file != i[1]: ++ ret += "')\ngen_require(`%s', `\n" % i[1] ++ file = i[1] ++ first=True ++ if first: ++ ret += "\t%s(%s)\n" % (i[2], Scon) ++ first=False ++ else: ++ ret += "#\t%s(%s)\n" % (i[2], Scon) ++ ret += "');" ++ return ret ++ + def gettarget(self): + if self.source == self.target: + return "self" +@@ -81,7 +222,12 @@ + self.types=[] + self.roles=[] + self.load(input, te_ind) +- ++ self.gen_ref_policy = False ++ ++ def gen_reference_policy(self): ++ self.gen_ref_policy = True ++ self.iface=interfaces() ++ + def warning(self, error): + sys.stderr.write("%s: " % sys.argv[0]) + sys.stderr.write("%s\n" % error) +@@ -104,7 +250,8 @@ + while line: + rec=line.split() + for i in rec: +- if i=="avc:" or i=="message=avc:": ++ if i=="avc:" or i=="message=avc:" or i=="msg='avc:": ++ + found=1 + else: + avc.append(i) +@@ -182,9 +329,10 @@ + if "security_compute_sid" in avc: + return + ++ if "load_policy" in avc and self.last_reload: ++ self.seRules={} ++ + if "granted" in avc: +- if "load_policy" in avc and self.last_reload: +- self.seRules={} + return + try: + for i in range (0, len(avc)): +@@ -292,7 +440,10 @@ + keys=self.seRules.keys() + keys.sort() + for i in keys: +- rec += self.seRules[i].out(verbose)+"\n" ++ if self.gen_ref_policy: ++ rec += self.seRules[i].gen_reference_policy(self.iface)+"\n" ++ else: ++ rec += self.seRules[i].out(verbose)+"\n" + return rec + + if __name__ == '__main__': +@@ -342,11 +493,12 @@ + buildPP=0 + input_ind=0 + output_ind=0 ++ ref_ind=False + te_ind=0 + + fc_file="" + gopts, cmds = getopt.getopt(sys.argv[1:], +- 'adf:hi:lm:M:o:rtv', ++ 'adf:hi:lm:M:o:rtvR', + ['all', + 'dmesg', + 'fcfile=', +@@ -356,6 +508,7 @@ + 
'module=', + 'output=', + 'requires', ++ 'reference', + 'tefile', + 'verbose' + ]) +@@ -397,6 +550,9 @@ + if auditlogs: + usage() + te_ind=1 ++ if o == "-R" or o == "--reference": ++ ref_ind=True ++ + if o == "-o" or o == "--output": + if module != "" or a[0]=="-": + usage() +@@ -413,6 +569,10 @@ + + out=seruleRecords(input, last_reload, verbose, te_ind) + ++ ++ if ref_ind: ++ out.gen_reference_policy() ++ + if auditlogs: + input=os.popen("ausearch -m avc") + out.load(input) +@@ -423,15 +583,15 @@ + output.flush() + if buildPP: + cmd="checkmodule %s -m -o %s.mod %s.te" % (get_mls_flag(), module, module) +- print "Compiling policy: %s" % cmd ++ print "Compiling policy" ++ print cmd + rc=commands.getstatusoutput(cmd) + if rc[0]==0: + cmd="semodule_package -o %s.pp -m %s.mod" % (module, module) +- print cmd + if fc_file != "": + cmd = "%s -f %s" % (cmd, fc_file) + +- print "Building package: %s" % cmd ++ print cmd + rc=commands.getstatusoutput(cmd) + if rc[0]==0: + print ("\n******************** IMPORTANT ***********************\n") +@@ -446,6 +606,6 @@ + except ValueError, error: + errorExit(error.args[0]) + except IOError, error: +- errorExit(error.args[1]) ++ errorExit(error) + except KeyboardInterrupt, error: + sys.exit(0) +diff --exclude-from=exclude -N -u -r nsapolicycoreutils/audit2allow/audit2allow.1 policycoreutils-1.29.26/audit2allow/audit2allow.1 +--- nsapolicycoreutils/audit2allow/audit2allow.1 2005-12-01 10:11:27.000000000 -0500 ++++ policycoreutils-1.29.26/audit2allow/audit2allow.1 2006-02-21 13:48:54.000000000 -0500 +@@ -65,6 +65,9 @@ + .B "\-r" | "\-\-requires" + Generate require output syntax for loadable modules. + .TP ++.B "\-R" | "\-\-reference" ++Generate reference policy using installed macros ++.TP + .B "\-t " | "\-\-tefile" + Indicates input file is a te (type enforcement) file. This can be used to translate old te format to new policy format. 
+ .TP +diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semanage/semanage policycoreutils-1.29.26/semanage/semanage +--- nsapolicycoreutils/semanage/semanage 2006-02-16 13:35:28.000000000 -0500 ++++ policycoreutils-1.29.26/semanage/semanage 2006-02-21 13:57:04.000000000 -0500 +@@ -22,6 +22,9 @@ + # + import os, sys, getopt + import seobject ++import selinux ++ ++is_mls_enabled=selinux.is_selinux_mls_enabled() + + if __name__ == '__main__': + +@@ -57,13 +60,13 @@ + -p (named pipe) \n\n\ + \ + -p, --proto Port protocol (tcp or udp)\n\ +- -L, --level Default SELinux Level\n\ ++ -L, --level Default SELinux Level (MLS/MCS Systems only)\n\ + -R, --roles SELinux Roles (ex: "sysadm_r staff_r")\n\ + -T, --trans SELinux Level Translation\n\n\ + \ + -s, --seuser SELinux User Name\n\ + -t, --type SELinux Type for the object\n\ +- -r, --range MLS/MCS Security Range\n\ ++ -r, --range MLS/MCS Security Range (MLS/MCS Systems only\n\ + ' + print message + sys.exit(1) +@@ -167,12 +170,16 @@ + modify = 1 + + if o == "-r" or o == '--range': ++ if is_mls_enabled == 0: ++ errorExit("range not supported on Non MLS machines") + serange = a + + if o == "-l" or o == "--list": + list = 1 + + if o == "-L" or o == '--level': ++ if is_mls_enabled == 0: ++ errorExit("range not supported on Non MLS machines") + selevel = a + + if o == "-p" or o == '--proto': +diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semanage/semanage.8 policycoreutils-1.29.26/semanage/semanage.8 +--- nsapolicycoreutils/semanage/semanage.8 2006-01-27 01:16:33.000000000 -0500 ++++ policycoreutils-1.29.26/semanage/semanage.8 2006-02-20 23:21:37.000000000 -0500 +@@ -46,7 +46,7 @@ + List the OBJECTS + .TP + .I \-L, \-\-level +-Default SELinux Level for SELinux use. (s0) ++Default SELinux Level for SELinux use, s0 Default. (MLS/MCS Systems only) + .TP + .I \-m, \-\-modify + Modify a OBJECT record NAME +@@ -58,7 +58,7 @@ + Protocol for the specified port (tcp|udp). 
+ .TP + .I \-r, \-\-range +-MLS/MCS Security Range ++MLS/MCS Security Range (MLS/MCS Systems only) + .TP + .I \-R, \-\-role + SELinux Roles. You must enclose multiple roles within quotes, separate by spaces. Or specify \-R multiple times. +diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semanage/seobject.py policycoreutils-1.29.26/semanage/seobject.py +--- nsapolicycoreutils/semanage/seobject.py 2006-02-16 13:35:28.000000000 -0500 ++++ policycoreutils-1.29.26/semanage/seobject.py 2006-02-20 23:21:42.000000000 -0500 +@@ -21,9 +21,43 @@ # # -import pwd, string, selinux, tempfile, os, re +import pwd, string, selinux, tempfile, os, re, sys from semanage import *; -+import audit -+ -+audit_fd=audit.audit_open() ++is_mls_enabled=selinux.is_selinux_mls_enabled() ++import syslog ++try: ++ import audit ++ class logger: ++ def __init__(self): ++ self.audit_fd=audit.audit_open() ++ ++ def log(self, success, msg, name="", sename="", serole="", serange="", old_sename="", old_serole="", old_serange=""): ++ audit.audit_log_semanage_message(self.audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],msg, name, 0, sename, serole, serange, old_sename, old_serole, old_serange, "", "", "", success); ++except: ++ class logger: ++ def log(self, success, msg, name="", sename="", serole="", serange="", old_sename="", old_serole="", old_serange=""): ++ if success == 1: ++ message = "Successful: " ++ else: ++ message = "Failed: " ++ message += " %s name=%s" % (msg,name) ++ if sename != "": ++ message += " sename=" + sename ++ if old_sename != "": ++ message += " old_sename=" + old_sename ++ if serole != "": ++ message += " role=" + serole ++ if old_serole != "": ++ message += " old_role=" + old_serole ++ if serange != "": ++ message += " MLSRange=" + serange ++ if old_serange != "": ++ message += " old_MLSRange=" + old_serange ++ syslog.syslog(message); ++ ++mylog=logger() ++ def validate_level(raw): sensitivity="s([0-9]|1[0-5])" -@@ -170,119 +173,145 @@ + 
category="c(1?[0-9]?[0-9]|2[0-4][0-9]|25[0-5])" +@@ -143,6 +177,7 @@ + def __init__(self): + self.sh = semanage_handle_create() + self.semanaged = semanage_is_managed(self.sh) ++ + if not self.semanaged: + semanage_handle_destroy(self.sh) + raise ValueError("SELinux policy is not managed or store cannot be accessed.") +@@ -162,127 +197,154 @@ + semanageRecords.__init__(self) + + def add(self, name, sename, serange): +- if serange == "": +- serange = "s0" +- else: +- serange = untranslate(serange) ++ if is_mls_enabled == 1: ++ if serange == "": ++ serange = "s0" ++ else: ++ serange = untranslate(serange) + if sename == "": sename = "user_u" @@ -96,10 +513,10 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semanage/seobject.py pol + raise ValueError("Could not add login mapping for %s" % name) + + except ValueError, error: -+ audit.audit_log_semanage_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"add SELinux user mapping", name, 0, sename, "", serange, "", "", "", "", "", "", 0); ++ mylog.log(0, "add SELinux user mapping", name, sename, "", serange); + raise error + -+ audit.audit_log_semanage_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"add SELinux user mapping", name, 0, sename, "", serange, "", "", "", "", "", "", 1); ++ mylog.log(1, "add SELinux user mapping", name, sename, "", serange); semanage_seuser_key_free(k) semanage_seuser_free(u) 
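Review bot: The `logger` fallback added to seobject.py wraps `import audit` in a bare `except:`, so any failure at import time, not only a missing module, silently downgrades the audit-subsystem records for SELinux user and role changes to syslog, and the audit-backed `log` discards the status that `audit.audit_log_semanage_message` returns, so a rejected audit write leaves no record anywhere. Narrow the handler to `except ImportError:` and keep the status, e.g. `rc = audit.audit_log_semanage_message(...)` followed by `if rc < 0: syslog.syslog("audit record not written: " + msg)`, so the fallback is explicit rather than accidental. In the semanage hunk of the same patch, the new `-L/--level` guard reuses the range wording; it should read `errorExit("level not supported on Non MLS machines")`. In audit2allow, `interfaces.__init__` discards awk's stderr, never closes `output` and calls `input.close()` twice, so a missing refpolicy include tree silently yields an empty table and plain `out()` output, whereas `accessTrans` raises an explicit IOError for the same missing package.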
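Review bot: The `except ValueError, error:` handler in this hunk ends with `raise error`, which in Python 2 re-raises the instance with a fresh traceback pointing at the handler instead of at the libsemanage call that failed; a bare `raise` after the `mylog.log(0, ...)` call preserves the original traceback. The same pattern appears in the hunks at `@@ -175,10 +592,10 @@`, `@@ -237,17 +654,55 @@`, `@@ -257,87 +712,94 @@`, `@@ -413,10 +878,10 @@` and `@@ -473,10 +938,101 @@`. The enclosing `add` method and its `try` statement begin outside the hunk.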
@@ -175,10 +592,10 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semanage/seobject.py pol + raise ValueError("Could not modify login mapping for %s" % name) + except ValueError, error: -+ audit.audit_log_semanage_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"modify selinux user mapping", name, 0, sename, "", serange, "", oldsename, "", oldserange, "", "", "", 0); ++ mylog.log(0,"modify selinux user mapping", name, sename, "", serange, "", oldsename, "", oldserange); + raise error + -+ audit.audit_log_semanage_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"modify selinux user mapping", name, 0, sename, "", serange, oldsename, "", oldserange, "", 1); ++ mylog.log(1,"modify selinux user mapping", name, sename, "", serange, "", oldsename, "", oldserange); semanage_seuser_key_free(k) semanage_seuser_free(u) 
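Review bot: Both `mylog.log` calls in this hunk pass ten positional arguments, but `logger.log` takes nine after `self` (success, msg, name, sename, serole, serange, old_sename, old_serole, old_serange), so modifying a login mapping raises TypeError: in the failure path it fires inside the `except ValueError` clause and replaces the original error, and in the success path it fires after the commit. Each call has one extra `""` between `serange` and `oldsename`: `mylog.log(0,"modify selinux user mapping", name, sename, "", serange, oldsename, "", oldserange)`, and the same shape with `1` for the success call. The enclosing `modify` method begins outside the hunk.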
@@ -237,17 +654,55 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semanage/seobject.py pol + raise ValueError("Could not delete login mapping for %s" % name) + + except ValueError, error: -+ audit.audit_log_semanage_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"delete SELinux user mapping", name, 0, name, "", "", "", "", "", "", "", "", 0); ++ mylog.log(0,"delete SELinux user mapping", name); + raise error + -+ audit.audit_log_semanage_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"delete SELinux user mapping", name, 0, name, "", "", "", "", "", "", "", "", 1); ++ mylog.log(1,"delete SELinux user mapping", name); semanage_seuser_key_free(k) -@@ -322,127 +351,145 @@ - else: - selevel = untranslate(selevel) +@@ -298,150 +360,179 @@ + return ddict + + def list(self,heading=1): +- if heading: +- print "\n%-25s %-25s %-25s\n" % ("Login Name", "SELinux User", "MLS/MCS Range") + ddict=self.get_all() + keys=ddict.keys() + keys.sort() +- for k in keys: +- print "%-25s %-25s %-25s" % (k, ddict[k][0], translate(ddict[k][1])) ++ if is_mls_enabled == 1: ++ if heading: ++ print "\n%-25s %-25s %-25s\n" % ("Login Name", "SELinux User", "MLS/MCS Range") ++ for k in keys: ++ print "%-25s %-25s %-25s" % (k, ddict[k][0], translate(ddict[k][1])) ++ else: ++ if heading: ++ print "\n%-25s %-25s\n" % ("Login Name", "SELinux User") ++ for k in keys: ++ print "%-25s %-25s %-25s" % (k, ddict[k][0]) + + class seluserRecords(semanageRecords): + def __init__(self): + semanageRecords.__init__(self) + def add(self, name, roles, selevel, serange): +- if serange == "": +- serange = "s0" +- else: +- serange = untranslate(serange) ++ if is_mls_enabled == 1: ++ if serange == "": ++ serange = "s0" ++ else: ++ serange = untranslate(serange) + +- if selevel == "": +- selevel = "s0" +- else: +- selevel = untranslate(selevel) +- - (rc,k) = semanage_user_key_create(self.sh, name) - if rc < 0: - raise ValueError("Could not create a key for %s" % name) 
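Review bot: In the non-MLS branch of the login-mapping `list` method in this hunk, the added line `print "%-25s %-25s %-25s" % (k, ddict[k][0])` supplies two values for three `%s` conversions, so listing login mappings on a non-MLS system raises `TypeError: not enough arguments for format string` right after the two-column heading is printed. It should match the heading: `print "%-25s %-25s" % (k, ddict[k][0])`. The delete handler at the top of the hunk belongs to a method that begins outside it.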
@@ -257,87 +712,94 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semanage/seobject.py pol - raise ValueError("Could not check if SELinux user %s is defined" % name) - if exists: - raise ValueError("SELinux user %s is already defined" % name) +- +- (rc,u) = semanage_user_create(self.sh) +- if rc < 0: +- raise ValueError("Could not create SELinux user for %s" % name) ++ if selevel == "": ++ selevel = "s0" ++ else: ++ selevel = untranslate(selevel) ++ + seroles=" ".join(roles) + try: + (rc,k) = semanage_user_key_create(self.sh, name) + if rc < 0: + raise ValueError("Could not create a key for %s" % name) -- (rc,u) = semanage_user_create(self.sh) +- rc = semanage_user_set_name(self.sh, u, name) - if rc < 0: -- raise ValueError("Could not create SELinux user for %s" % name) +- raise ValueError("Could not set name for %s" % name) + (rc,exists) = semanage_user_exists(self.sh, k) + if rc < 0: + raise ValueError("Could not check if SELinux user %s is defined" % name) + if exists: + raise ValueError("SELinux user %s is already defined" % name) -- rc = semanage_user_set_name(self.sh, u, name) -- if rc < 0: -- raise ValueError("Could not set name for %s" % name) -+ (rc,u) = semanage_user_create(self.sh) -+ if rc < 0: -+ raise ValueError("Could not create SELinux user for %s" % name) - - for r in roles: - rc = semanage_user_add_role(self.sh, u, r) -+ rc = semanage_user_set_name(self.sh, u, name) ++ (rc,u) = semanage_user_create(self.sh) if rc < 0: - raise ValueError("Could not add role %s for %s" % (r, name)) -+ raise ValueError("Could not set name for %s" % name) ++ raise ValueError("Could not create SELinux user for %s" % name) - rc = semanage_user_set_mlsrange(self.sh, u, serange) - if rc < 0: - raise ValueError("Could not set MLS range for %s" % name) -+ for r in roles: -+ rc = semanage_user_add_role(self.sh, u, r) -+ if rc < 0: -+ raise ValueError("Could not add role %s for %s" % (r, name)) ++ rc = semanage_user_set_name(self.sh, u, name) ++ if rc < 0: ++ 
raise ValueError("Could not set name for %s" % name) - rc = semanage_user_set_mlslevel(self.sh, u, selevel) - if rc < 0: - raise ValueError("Could not set MLS level for %s" % name) -+ rc = semanage_user_set_mlsrange(self.sh, u, serange) -+ if rc < 0: -+ raise ValueError("Could not set MLS range for %s" % name) ++ for r in roles: ++ rc = semanage_user_add_role(self.sh, u, r) ++ if rc < 0: ++ raise ValueError("Could not add role %s for %s" % (r, name)) ++ ++ if is_mls_enabled == 1: ++ rc = semanage_user_set_mlsrange(self.sh, u, serange) ++ if rc < 0: ++ raise ValueError("Could not set MLS range for %s" % name) ++ ++ rc = semanage_user_set_mlslevel(self.sh, u, selevel) ++ if rc < 0: ++ raise ValueError("Could not set MLS level for %s" % name) - (rc,key) = semanage_user_key_extract(self.sh,u) - if rc < 0: - raise ValueError("Could not extract key for %s" % name) -+ rc = semanage_user_set_mlslevel(self.sh, u, selevel) ++ (rc,key) = semanage_user_key_extract(self.sh,u) + if rc < 0: -+ raise ValueError("Could not set MLS level for %s" % name) ++ raise ValueError("Could not extract key for %s" % name) - rc = semanage_begin_transaction(self.sh) - if rc < 0: - raise ValueError("Could not start semanage transaction") -+ (rc,key) = semanage_user_key_extract(self.sh,u) ++ rc = semanage_begin_transaction(self.sh) + if rc < 0: -+ raise ValueError("Could not extract key for %s" % name) ++ raise ValueError("Could not start semanage transaction") - rc = semanage_user_modify_local(self.sh, k, u) - if rc < 0: - raise ValueError("Could not add SELinux user %s" % name) -+ rc = semanage_begin_transaction(self.sh) ++ rc = semanage_user_modify_local(self.sh, k, u) + if rc < 0: -+ raise ValueError("Could not start semanage transaction") ++ raise ValueError("Could not add SELinux user %s" % name) - rc = semanage_commit(self.sh) - if rc < 0: - raise ValueError("Could not add SELinux user %s" % name) -+ rc = semanage_user_modify_local(self.sh, k, u) -+ if rc < 0: -+ raise ValueError("Could not 
add SELinux user %s" % name) -+ + rc = semanage_commit(self.sh) + if rc < 0: + raise ValueError("Could not add SELinux user %s" % name) + except ValueError, error: -+ audit.audit_log_semanage_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"add SELinux user record", name, 0, name, seroles, serange, "", "", "", "", "", "", 0); ++ mylog.log(0,"add SELinux user record", name, name, seroles, serange) + raise error + -+ audit.audit_log_semanage_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"add SELinux user record", name, 0, name, seroles, serange, "", "", "", "", "", "", 1); ++ mylog.log(1,"add SELinux user record", name, name, seroles, serange) semanage_user_key_free(k) semanage_user_free(u) @@ -346,7 +808,10 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semanage/seobject.py pol - raise ValueError("Requires roles, level or range") + try: + if len(roles) == 0 and serange == "" and selevel == "": -+ raise ValueError("Requires roles, level or range") ++ if is_mls_enabled == 1: ++ raise ValueError("Requires roles, level or range") ++ else: ++ raise ValueError("Requires roles") - (rc,k) = semanage_user_key_create(self.sh, name) - if rc < 0: 
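Review bot: In the reordered `seluserRecords.add` in this hunk, `serange` is normalized only when `is_mls_enabled == 1`, but the moved `selevel` block still defaults to `"s0"` and calls `untranslate` unconditionally even though `semanage_user_set_mlslevel` is now inside the MLS-only branch; placing the `selevel` block under the same `if is_mls_enabled == 1:` guard keeps the two inputs consistent and presumably avoids running `untranslate` where no translation applies. This is a consistency point only, since the unused value is harmless once computed. The `add` method begins outside the hunk.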
@@ -413,10 +878,10 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semanage/seobject.py pol + raise ValueError("Could not modify SELinux user %s" % name) + + except ValueError, error: -+ audit.audit_log_semanage_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"modify SELinux user record", name, 0, seuser, seroles, serange, oldseuser, oldseroles, olrserange, "", 0); ++ mylog.log(0,"modify SELinux user record", name, seuser, seroles, serange, oldseuser, oldseroles, olrserange) + raise error -+ audit.audit_log_semanage_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"modify SELinux user record", name, 0, seuser, seroles, serange, oldseuser, oldseroles, olrserange, "", 1); ++ mylog.log(1,"modify SELinux user record", name, seuser, seroles, serange, oldseuser, oldseroles, olrserange) semanage_user_key_free(k) semanage_user_free(u) 
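Review bot: The two `mylog.log` calls in this hunk pass `olrserange` as the old range, which reads like a misspelling of `oldserange`; the name also appears on the removed lines, so it is pre-existing, but if the variable is bound under the other spelling in the part of `modify` outside this hunk, the failure handler raises NameError inside the `except ValueError` clause and hides the original error. Worth confirming the binding and, if it is a typo, renaming both uses to `oldserange`.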
@@ -473,10 +938,101 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semanage/seobject.py pol + if rc < 0: + raise ValueError("Could not delete SELinux user %s" % name) + except ValueError, error: -+ audit.audit_log_semanage_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"delete SELinux user record", name, 0, "", "", "", "", "", "", "", "", "", 0); ++ mylog.log(0,"delete SELinux user record", name) + raise error -+ audit.audit_log_semanage_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"delete SELinux user record", name, 0, "", "", "", "", "", "", "", "", "", 1); ++ mylog.log(1,"delete SELinux user record", name) semanage_user_key_free(k) def get_all(self): +@@ -462,14 +553,20 @@ + return ddict + + def list(self, heading=1): +- if heading: +- print "\n%-15s %-10s %-30s" % ("", "MLS/", "MLS/") +- print "%-15s %-10s %-30s %s\n" % ("SELinux User", "MCS Level", "MCS Range", "SELinux Roles") + ddict=self.get_all() + keys=ddict.keys() + keys.sort() +- for k in keys: +- print "%-15s %-10s %-30s %s" % (k, translate(ddict[k][0]), translate(ddict[k][1]), ddict[k][2]) ++ if is_mls_enabled == 1: ++ if heading: ++ print "\n%-15s %-10s %-30s" % ("", "MLS/", "MLS/") ++ print "%-15s %-10s %-30s %s\n" % ("SELinux User", "MCS Level", "MCS Range", "SELinux Roles") ++ for k in keys: ++ print "%-15s %-10s %-30s %s" % (k, translate(ddict[k][0]), translate(ddict[k][1]), ddict[k][2]) ++ else: ++ if heading: ++ print "%-15s %s\n" % ("SELinux User", "SELinux Roles") ++ for k in keys: ++ print "%-15s %s" % (k, ddict[k][2]) + + class portRecords(semanageRecords): + def __init__(self): +@@ -500,10 +597,11 @@ + return ( k, proto_d, low, high ) + + def add(self, port, proto, serange, type): +- if serange == "": +- serange="s0" +- else: +- serange=untranslate(serange) ++ if is_mls_enabled == 1: ++ if serange == "": ++ serange="s0" ++ else: ++ serange=untranslate(serange) + + if type == "": + raise ValueError("Type is required") +@@ -564,7 +662,10 @@ + + def 
modify(self, port, proto, serange, setype): + if serange == "" and setype == "": +- raise ValueError("Requires setype or serange") ++ if is_mls_enabled == 1: ++ raise ValueError("Requires setype or serange") ++ else: ++ raise ValueError("Requires setype") + + ( k, proto_d, low, high ) = self.__genkey(port, proto) +
+@@ -688,10 +789,11 @@ + semanageRecords.__init__(self) + + def add(self, interface, serange, ctype): +- if serange == "": +- serange="s0" +- else: +- serange=untranslate(serange) ++ if is_mls_enabled == 1: ++ if serange == "": ++ serange="s0" ++ else: ++ serange=untranslate(serange) + + if ctype == "": + raise ValueError("SELinux Type is required")
+@@ -869,14 +971,14 @@ + self.file_types["named pipe"] = SEMANAGE_FCONTEXT_PIPE; + + +- def add(self, target, type, ftype="", serange="s0", seuser="system_u"): ++ def add(self, target, type, ftype="", serange="", seuser="system_u"): + if seuser == "": + seuser="system_u" +- +- if serange == "": +- serange="s0" +- else: +- serange=untranslate(serange) ++ if is_mls_enabled == 1: ++ if serange == "": ++ serange="s0" ++ else: ++ serange=untranslate(serange) + + if type == "": + raise ValueError("SELinux Type is required")
diff --git a/policycoreutils.spec b/policycoreutils.spec
index e265426..5ce40f9 100644
--- a/policycoreutils.spec
+++ b/policycoreutils.spec
@@ -1,10 +1,10 @@
 %define libauditver 1.1.4-3
-%define libsepolver 1.11.14-1
-%define libsemanagever 1.5.23-1
+%define libsepolver 1.11.18-1
+%define libsemanagever 1.5.28-1
 %define libselinuxver 1.29.7-1
 Summary: SELinux policy core utilities.
 Name: policycoreutils
-Version: 1.29.23
+Version: 1.29.26
 Release: 1
 License: GPL
 Group: System Environment/Base
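Review bot: In `portRecords.add`, the interface `add` and the file-context `add` in this hunk, `serange` is no longer normalized when `is_mls_enabled` is not 1, so on non-MLS systems an empty or caller-supplied range now reaches whatever follows the hunk unchanged instead of being forced to `"s0"`; if the `semanage_*_set_mlsrange` calls later in those methods still run unconditionally (they are outside the hunk), the library is handed `""` where it previously received `"s0"`, and nothing visible shows that this is accepted. Either guard those calls with the same `is_mls_enabled == 1` check, as the `seluserRecords.add` hunk does for `semanage_user_set_mlsrange`, or add a comment on each `add` stating that libsemanage tolerates an empty range on non-MLS stores. The changed `add` methods continue past the end of the hunk.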
@@ -98,6 +98,13 @@ rm -rf ${RPM_BUILD_ROOT}
 %{_libdir}/python2.4/site-packages/seobject.py*
 
 %changelog
+* Mon Feb 13 2006 Dan Walsh 1.29.26-1
+- Update from upstream
+ * Merged semanage bug fix patch from Ivan Gyurdiev.
+ * Merged improve bindings patch from Ivan Gyurdiev.
+ * Merged semanage usage patch from Ivan Gyurdiev.
+ * Merged use PyList patch from Ivan Gyurdiev.
+
 * Mon Feb 13 2006 Dan Walsh 1.29.23-1
 - Update from upstream
  * Merged newrole -V/--version support from Glauber de Oliveira Costa.
diff --git a/sources b/sources
index 85b22f7..c7edd97 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-b57167cc3ee8d8d49cbb848ebe5628d5 policycoreutils-1.29.23.tgz
+58fe44013f3515957fc626d0c11baf7c policycoreutils-1.29.26.tgz