diff --exclude-from=exclude -N -u -r nsapolicycoreutils/audit2allow/audit2allow policycoreutils-1.27.29/audit2allow/audit2allow --- nsapolicycoreutils/audit2allow/audit2allow 2005-11-28 21:47:54.000000000 -0500 +++ policycoreutils-1.27.29/audit2allow/audit2allow 2005-11-29 00:04:31.000000000 -0500 @@ -24,7 +24,7 @@ # 02111-1307 USA # # -import commands, sys, os, pwd, string, getopt, re +import commands, sys, os, pwd, string, getopt, re, selinux class allow: def __init__(self, source, target, seclass): self.source=source @@ -81,6 +81,11 @@ self.roles=[] self.load(input) + def warning(self, error): + sys.stderr.write("%s: " % sys.argv[0]) + sys.stderr.write("%s\n" % error) + sys.stderr.flush() + def load(self, input): avc=[] found=0 @@ -114,43 +119,47 @@ if "load_policy" in avc and self.last_reload: self.allowRules={} return - for i in range (0, len(avc)): - if avc[i]=="{": - i=i+1 - while i ] [[-m|-M] ] [-o ]\n\ -a, --all read input from audit and message log, conflicts with -i\n\ 
@@ -313,15 +328,17 @@ if buildPP: print ("Generating type enforcment file: %s.te" % module) output.write(out.out(requires, module)) + output.flush() if buildPP: - print ("Compiling policy: checkmodule -M -m -o %s.mod %s.te" % (module, module)) - rc=commands.getstatusoutput("checkmodule -M -m -o %s.mod %s.te" % (module, module)) + cmd="checkmodule %s -m -o %s.mod %s.te" % (get_mls_flag(), module, module) + print "Compiling policy: %s" % cmd + rc=commands.getstatusoutput(cmd) if rc[0]==0: print ("Building package: semodule_package -o %s.pp -m %s.mod" % (module, module)) rc=commands.getstatusoutput("semodule_package -o %s.pp -m %s.mod" % (module, module)) if rc[0]==0: - print ("\n*************** IMPORTANT ***********************\n") - print ("In order to load this newly created policy package,\nyou are required to execute \n\n\"semodule -i %s.pp\"\n\nto load the policy\n" % module) + print ("\n******************** IMPORTANT ***********************\n") + print ("In order to load this newly created policy package into the kernel,\nyou are required to execute \n\nsemodule -i %s.pp\n\n" % module) else: errorExit(rc[1]) else: diff --exclude-from=exclude -N -u -r nsapolicycoreutils/audit2allow/audit2allow.1 policycoreutils-1.27.29/audit2allow/audit2allow.1 --- nsapolicycoreutils/audit2allow/audit2allow.1 2005-09-12 16:33:30.000000000 -0400 +++ policycoreutils-1.27.29/audit2allow/audit2allow.1 2005-11-29 00:04:31.000000000 -0500 
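Review bot: The new `cmd=` line builds the checkmodule invocation as a shell string from `module`, a value taken from the command line, and hands it to `commands.getstatusoutput`, which runs it through the shell; the unchanged `semodule_package` line a few lines below does the same. A module name containing whitespace or shell metacharacters therefore runs something other than the command that is printed, so validate the name once before `cmd=` is built, e.g. `if not re.match(r'^[A-Za-z0-9_.-]+$', module): errorExit("invalid module name: %s" % module)` (`re` is already imported by this file). `get_mls_flag()` is not defined in this hunk, and the enclosing block continues on both sides of it.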
@@ -30,26 +30,38 @@ .RI [ options "] " .SH OPTIONS .TP -.B "\-\-help" +.B "\-a" | "\-\-all" +Read input from audit and message log, conflicts with -i +.TP +.B "\-h" | "\-\-help" Print a short usage message .TP -.B "\-d" +.B "\-d" | "\-\-dmesg" Read input from output of .I /bin/dmesg. Note that audit messages are not available via dmesg when auditd is running; use -i /var/log/audit/audit.log instead. .TP -.B "\-v" +.B "\-v" | "\-\-verbose" Turn on verbose output .TP -.B "\-l" +.B "\-l" | "\-\-lastreload" read input only after last policy reload .TP -.B "\-i " +.B "\-r" | "\-\-requires" +Generate require output syntax for loadable modules. +.TP +.B "\-m " | "\-\-module " +Generate module/require output +.TP +.B "\-M " +Generate loadable module package, conflicts with -o +.TP +.B "\-i " | "\-\-input " read input from .I .TP -.B "\-o " +.B "\-o " | "\-\-output " append output to .I .SH DESCRIPTION 
@@ -76,18 +88,66 @@ .PP .SH EXAMPLE .nf -$ cd /etc/selinux/$(SELINUXTYPE)/src/policy -$ /usr/bin/audit2allow -i < /var/log/audit/audit.log >> domains/misc/local.te - -$ make load +.B Traditional Syntax +cat /var/log/audit/audit.log.1 | audit2allow +allow cupsd_config_t unconfined_t:fifo_file { getattr ioctl }; + + +.B Using audit2allow to generate module syntax + +$ cat /var/log/audit/audit.log | audit2allow -m local +module local 1.0; + +require { + role system_r; + + + class fifo_file { getattr ioctl }; + + + type cupsd_config_t; + type unconfined_t; + }; + + +allow cupsd_config_t unconfined_t:fifo_file { getattr ioctl }; + +.B Building a loadable module + +$ /usr/bin/audit2allow -m local -i /var/log/audit/audit.log >> local.te + +# Compile the module +$ checkmodule -M -m -o local.mod local.te +# Create the package +$ semodule_package -o local.pp -m local.mod +# Load the module into the kernel +$ semodule -i local.mod + +.B Building a loadable module automatically +$ cat /var/log/audit/audit.log | audit2allow -M local +Generating type enforcment file: local.te +Compiling policy: checkmodule -M -m -o local.mod local.te +Building package: semodule_package -o local.pp -m local.mod + +******************** IMPORTANT *********************** + +In order to load this newly created policy package into the kernel, +you are required to execute + +semodule -i local.pp + .fi .PP .SH AUTHOR This manual page was written by .I Manoj Srivastava , -for the Debian GNU/Linux system. The +for the Debian GNU/Linux system. It was updated by Dan Walsh +.PP +The .B audit2allow utility has contributions from several people, including .I Justin R. Smith and .I Yuichi Nakamura. +and +.I Dan Walsh diff --exclude-from=exclude -N -u -r nsapolicycoreutils/Makefile policycoreutils-1.27.29/Makefile --- nsapolicycoreutils/Makefile 2005-11-07 09:41:21.000000000 -0500 +++ policycoreutils-1.27.29/Makefile 2005-11-29 00:04:31.000000000 -0500 
@@ -1,4 +1,4 @@
-SUBDIRS=setfiles load_policy newrole run_init restorecon audit2allow audit2why scripts sestatus semodule_package semodule semodule_link semodule_expand setsebool po
+SUBDIRS=setfiles semanage load_policy newrole run_init restorecon audit2allow audit2why scripts sestatus semodule_package semodule semodule_link semodule_expand setsebool po
 
 all install relabel clean:
 @for subdir in $(SUBDIRS); do \
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semanage/Makefile policycoreutils-1.27.29/semanage/Makefile
--- nsapolicycoreutils/semanage/Makefile 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-1.27.29/semanage/Makefile 2005-11-29 00:04:31.000000000 -0500
@@ -0,0 +1,19 @@
+# Installation directories.
+PREFIX ?= ${DESTDIR}/usr
+SBINDIR ?= $(PREFIX)/sbin
+MANDIR = $(PREFIX)/share/man
+
+TARGETS=semanage
+
+all: $(TARGETS)
+
+install: all
+ [ -d $(MANDIR)/man8 ] || mkdir -p $(MANDIR)/man8
+ -mkdir -p $(SBINDIR)
+ install -m 755 semanage $(SBINDIR)
+ install -m 644 semanage.8 $(MANDIR)/man8
+
+clean:
+ rm -f semanage
+
+relabel:
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semanage/semanage policycoreutils-1.27.29/semanage/semanage
--- nsapolicycoreutils/semanage/semanage 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-1.27.29/semanage/semanage 2005-11-29 00:04:52.000000000 -0500
@@ -0,0 +1,377 @@ +#! /usr/bin/env python +# Copyright (C) 2005 Red Hat +# see file 'COPYING' for use and warranty information +# +# semanage is a tool for managing SELinux configuration files +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License as +# published by the Free Software Foundation; either version 2 of +# the License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA +# 02111-1307 USA +# +# +import commands, sys, os, pwd, string, getopt, pwd +from semanage import *; +class loginRecords: + def __init__(self): + self.sh=semanage_handle_create() + self.semanaged=semanage_is_managed(self.sh) + if self.semanaged: + semanage_connect(self.sh) + + def add(self, name, sename, serange): + (rc,k)=semanage_seuser_key_create(self.sh, name) + (rc,exists)= semanage_seuser_exists(self.sh, k) + if exists: + raise ValueError("SELinux User %s mapping already defined" % name) + try: + pwd.getpwname(name) + except: + raise ValueError("Linux User %s does not exist" % name) + + (rc,u)= semanage_seuser_create(self.sh) + semanage_seuser_set_name(self.sh, u, name) + semanage_seuser_set_mlsrange(self.sh, u, serange) + semanage_seuser_set_sename(self.sh, u, sename) + semanage_begin_transaction(self.sh) + semanage_seuser_add(self.sh, k, u) + if semanage_commit(self.sh) != 0: + raise ValueError("Failed to add SELinux user mapping") + + def modify(self, name, sename="", serange=""): + (rc,k)=semanage_seuser_key_create(self.sh, name) + (rc,u)= semanage_seuser_query(self.sh, k) + if rc 
!=0 : + raise ValueError("SELinux user %s mapping is not defined." % name) + if sename == "" and serange=="": + raise ValueError("Requires, seuser or serange") + if serange != "": + semanage_seuser_set_mlsrange(self.sh, u, serange) + if sename != "": + semanage_seuser_set_sename(self.sh, u, sename) + semanage_begin_transaction(self.sh) + semanage_seuser_modify(self.sh, k, u) + if semanage_commit(self.sh) != 0: + raise ValueError("Failed to modify SELinux user mapping") + + + def delete(self, name): + (rc,k)=semanage_seuser_key_create(self.sh, name) + (rc,exists)= semanage_seuser_exists(self.sh, k) + if rc !=0 : + raise ValueError("SELinux user %s mapping is not defined." % name) + semanage_begin_transaction(self.sh) + semanage_seuser_del(self.sh, k) + if semanage_commit(self.sh) != 0: + raise ValueError("SELinux User %s mapping not defined" % name) + + def list(self): + print "\n%-25s %-25s %-25s\n" % ("Login Name", "SELinux User", "MLS/MCS Range") + (status, self.ulist, self.usize) = semanage_seuser_list(self.sh) + for idx in range(self.usize): + u=semanage_seuser_by_idx(self.ulist, idx) + name=semanage_seuser_get_name(u) + + print "%-25s %-25s %-25s" % (name, semanage_seuser_get_sename(u), semanage_seuser_get_mlsrange(u)) + +class seluserRecords: + def __init__(self): + roles=[] + self.sh=semanage_handle_create() + self.semanaged=semanage_is_managed(self.sh) + if self.semanaged: + semanage_connect(self.sh) + + def add(self, name, roles, selevel, serange): + (rc,k)=semanage_user_key_create(self.sh, name) + (rc,exists)= semanage_user_exists(self.sh, k) + if exists: + raise ValueError("Seuser %s already defined" % name) + (rc,u)= semanage_user_create(self.sh) + semanage_user_set_name(self.sh, u, name) + for r in roles: + semanage_user_add_role(self.sh, u, r) + semanage_user_set_mlsrange(self.sh, u, serange) + semanage_user_set_mlslevel(self.sh, u, selevel) + (rc,key) = semanage_user_key_extract(self.sh,u) + semanage_begin_transaction(self.sh) + 
semanage_user_add_local(self.sh, k, u) + if semanage_commit(self.sh) != 0: + raise ValueError("Failed to add SELinux user") + + self.dict[name]=seluser(name, roles, selevel, serange) + + def modify(self, name, roles=[], selevel="", serange=""): + (rc,k)=semanage_user_key_create(self.sh, name) + (rc,exists)= semanage_user_exists(self.sh, k) + if not exists: + raise ValueError("user %s is not defined" % name) + (rc,u)= semanage_user_query(self.sh, k) + if rc !=0 : + raise ValueError("User %s is not defined." % name) + if len(roles) == 0 and serange=="" and selevel=="": + raise ValueError("Requires, roles, level or range") + if serange != "": + semanage_user_set_mlsrange(self.sh, u, serange) + if selevel != "": + semanage_user_set_mlslevel(self.sh, u, selevel) + if len(roles) != 0: + for r in roles: + print r + semanage_user_add_role(self.sh, u, r) + semanage_begin_transaction(self.sh) + semanage_user_modify_local(self.sh, k, u) + if semanage_commit(self.sh) != 0: + raise ValueError("Failed to modify SELinux user") + + + def delete(self, name): + (rc,k)=semanage_user_key_create(self.sh, name) + (rc,exists)= semanage_user_exists(self.sh, k) + if not exists: + raise ValueError("user %s is not defined" % name) + semanage_begin_transaction(self.sh) + semanage_user_del_local(self.sh, k) + if semanage_commit(self.sh) != 0: + raise ValueError("Login User %s not defined" % name) + + def list(self): + print "\n%-15s %-10s %-20s" % ("", "MLS/", "MLS/") + print "%-15s %-10s %-15s %-20s\n" % ("SELinux User", "MCS Level", "MCS Range", "SELinux Roles") + (status, self.ulist, self.usize) = semanage_user_list(self.sh) + for idx in range(self.usize): + u=semanage_user_by_idx(self.ulist, idx) + name=semanage_user_get_name(u) + (status, rlist, rlist_size) = semanage_user_get_roles(self.sh, u) + roles="" + + if rlist_size: + roles+=char_by_idx(rlist, 0) + for ridx in range (1,rlist_size): + roles+=" " + char_by_idx(rlist, ridx) + print "%-15s %-10s %-15s %s" % (semanage_user_get_name(u), 
semanage_user_get_mlslevel(u), semanage_user_get_mlsrange(u), roles) + +class portRecords: + def __init__(self): + self.dict={} + self.sh=semanage_handle_create() + self.semanaged=semanage_is_managed(self.sh) + if self.semanaged: + semanage_connect(self.sh) + + def add(self, name, type): + (rc,k)=semanage_port_key_create(self.sh, name) + (rc,exists)= semanage_port_exists(self.sh, k) + if exists: + raise ValueError("User %s already defined" % name) + (rc,u)= semanage_port_create(self.sh) + semanage_port_set_name(self.sh, u, name) + semanage_port_set_mlsrange(self.sh, u, serange) + semanage_port_set_sename(self.sh, u, sename) + semanage_begin_transaction(self.sh) + semanage_port_add(self.sh, k, u) + if semanage_commit(self.sh) != 0: + raise ValueError("Failed to add port") + + def modify(self, name, type): + (rc,k)=semanage_port_key_create(self.sh, name) + (rc,u)= semanage_port_query(self.sh, k) + if rc !=0 : + raise ValueError("User %s is not defined." % name) + if sename == "" and serange=="": + raise ValueError("Requires, port or serange") + if serange != "": + semanage_port_set_mlsrange(self.sh, u, serange) + if sename != "": + semanage_port_set_sename(self.sh, u, sename) + semanage_begin_transaction(self.sh) + semanage_port_modify(self.sh, k, u) + if semanage_commit(self.sh) != 0: + raise ValueError("Failed to add port") + + def delete(self, name): + (rc,k)=semanage_port_key_create(self.sh, name) + semanage_begin_transaction(self.sh) + semanage_port_del(self.sh, k) + if semanage_commit(self.sh) != 0: + raise ValueError("Port %s not defined" % name) + + def list(self): + (status, self.plist, self.psize) = semanage_port_list(self.sh) + print "%-25s %s\n" % ("SELinux Port Name", "Port Number") + for idx in range(self.psize): + u=semanage_port_by_idx(self.plist, idx) + name=semanage_port_get_name(u) + print "%20s %d" % ( name, semanage_port_get_number(u)) + +if __name__ == '__main__': + + def usage(message=""): + print '\ +semanage user [-admsRrh] SELINUX_USER\n\ 
+semanage login [-admsrh] LOGIN_NAME\n\ +semanage port [-admth] SELINUX_PORT_NAME\n\ + -a, --add Add a OBJECT record NAME\n\ + -d, --delete Delete a OBJECT record NAME\n\ + -h, --help display this message\n\ + -l, --list List the OBJECTS\n\ + -m, --modify Modify a OBJECT record NAME\n\ + -r, --range MLS/MCS Security Range\n\ + -R, --roles SELinux Roles (Separate by spaces)\n\ + -s, --seuser SELinux user name\n\ + -t, --type SELinux Type for the object\n\ + -v, --verbose verbose output\n\ +' + print message + sys.exit(1) + + def errorExit(error): + sys.stderr.write("%s: " % sys.argv[0]) + sys.stderr.write("%s\n" % error) + sys.stderr.flush() + sys.exit(1) + + # + # + # + try: + objectlist=("login", "user", "port") + input=sys.stdin + output=sys.stdout + serange="s0" + selevel="s0" + roles="" + seuser="" + type="" + add=0 + modify=0 + delete=0 + list=0 + if len(sys.argv) < 3: + usage("Requires 2 or more arguments") + + object=sys.argv[1] + if object not in objectlist: + usage("%s not defined" % object) + + args=sys.argv[2:] + gopts, cmds = getopt.getopt(args, + 'adlhms:R:r:t:v', + ['add', + 'delete', + 'help', + 'list', + 'modify', + 'seuser=', + 'range=', + 'roles=', + 'type=', + 'verbose' + ]) + for o,a in gopts: + if o == "-a" or o == "--add": + if modify or delete: + usage() + add=1 + + if o == "-d" or o == "--delese": + if modify or add: + usage() + delete=1 + if o == "-h" or o == "--help": + usage() + + if o == "-m"or o == "--modify": + if delete or add: + usage() + modify=1 + + if o == "-r" or o == '--range': + serange=a + + if o == "-R" or o == '--roles': + roles=a + + if o == "-t" or o == "--type": + type=a + + if o == "-l" or o == "--list": + list=1 + + if o == "-s" or o == "--seuser": + seuser=a + + if o == "-v" or o == "--verbose": + verbose=1 + + if object == "login": + OBJECT=loginRecords() + + if object == "user": + OBJECT=seluserRecords() + + if object == "port": + OBJECT=portRecords() + + if list: + OBJECT.list() + sys.exit(0); + + if len(cmds) != 1: 
+ usage() + + name=cmds[0] + + if add: + if object == "login": + OBJECT.add(name, seuser, serange) + + if object == "user": + rlist=roles.split() + print rlist + OBJECT.add(name, rlist, selevel, serange) + + if object == "port": + OBJECT.add(name, type) + + OBJECT.list() + sys.exit(0); + + if modify: + if object == "login": + OBJECT.modify(name, seuser, serange) + + if object == "user": + rlist=roles.split() + print rlist + OBJECT.modify(name, rlist, selevel, serange) + + if object == "port": + OBJECT.modify(name, type) + sys.exit(0); + OBJECT.list() + sys.exit(0); + + if delete: + OBJECT.delete(name) + sys.exit(0); + usage() + + except getopt.error, error: + errorExit("Options Error " + error.msg) + except ValueError, error: + errorExit(error.args[0]) + except IOError, error: + errorExit(error.args[1]) + except KeyboardInterrupt, error: + sys.exit(0) diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semanage/semanage.8 policycoreutils-1.27.29/semanage/semanage.8 --- nsapolicycoreutils/semanage/semanage.8 1969-12-31 19:00:00.000000000 -0500 +++ policycoreutils-1.27.29/semanage/semanage.8 2005-11-29 00:04:31.000000000 -0500 
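Review bot: `pwd.getpwname(name)` in loginRecords.add is not a function of the pwd module (the lookup is `pwd.getpwnam`), and the bare `except:` around it hides the resulting AttributeError, so every `semanage login -a` ends with "Linux User … does not exist"; narrow it to `try: pwd.getpwnam(name)` / `except KeyError: raise ValueError("Linux User %s does not exist" % name)`. portRecords.add and portRecords.modify reference `serange` and `sename`, which are not defined in that scope, and call seuser-style setters on a port object, so the port subcommand cannot work as written. In the option loop `o == "--delese"` never matches the `--delete` long option that getopt accepts, so `--delete` falls through to `usage()`. The return codes of `semanage_connect`, `semanage_begin_transaction` and the setter calls are never checked, so a failure there is noticed, if at all, only at `semanage_commit`; and `self.dict[name]=seluser(...)` in seluserRecords.add refers to a `seluser` class and a `self.dict` attribute that this file never defines, so a successful add still ends in a NameError.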
@@ -0,0 +1,57 @@
+.TH "semanage" "8" "2005111103" "" ""
+.SH "NAME"
+semanage \- SELinux Policy Management tool
+
+.SH "SYNOPSIS"
+.B semanage OBJECTTYPE [\-admsrh] OBJECT
+.B semanage login [\-admsrh] login_name
+.br
+.B semanage seuser [\-admsrh] selinux_name
+.br
+.B semanage port [\-admth] port_number
+.P
+This tool is used to manage configuration of the SELinux policy
+
+.SH "DESCRIPTION"
+This manual page describes the
+.BR semanage
+program.
+.br
+This tool is used to manage configuration of SELinux Policy. You can configure SELinux User Mappings, SELinux Port Mappings, SELinux Users.
+
+
+.SH "OPTIONS"
+.TP
+ \-a, \-\-add
+.P
+Add a OBJECT record NAME
+.B \-d, \-\-delete
+.P
+Delete a OBJECT record NAME
+.B \-h, \-\-help
+.P
+display this message
+.B \-l, \-\-list
+.P
+List the OBJECTS
+.B \-m, \-\-modify
+.P
+Modify a OBJECT record NAME
+.B \-r, \-\-range
+.P
+MLS/MCS Security Range
+.B \-s, \-\-seuser
+.P
+SELinux user name
+.B \-t, \-\-type
+.P
+SELinux Type for the object
+.B \-v, \-\-verbose
+.P
+verbose output
+
+.SH "AUTHOR"
+This man page was written by Daniel Walsh .
+
+
+
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/sestatus/sestatus.8 policycoreutils-1.27.29/sestatus/sestatus.8
--- nsapolicycoreutils/sestatus/sestatus.8 2005-09-12 16:33:30.000000000 -0400
+++ policycoreutils-1.27.29/sestatus/sestatus.8 2005-11-29 00:04:31.000000000 -0500
@@ -1,10 +1,10 @@
-.TH "sestatus" "8" "2002031409" "" ""
+.TH "sestatus" "8" "2005111103" "" ""
 .SH "NAME" sestatus \- SELinux status tool .SH "SYNOPSIS" .B sestatus
-.I [\-v]
+.I [\-v] [\-b]
 .P This tool is used to get the status of a system running SELinux. 
@@ -33,6 +33,10 @@ Checks the contexts of a files , and a processes listed in the /etc/sestatus.conf file. It also checks the context of the target, in cases of symlinks. +.B \-b +.P +Display the current state of booleans. + .SH "FILES" /etc/sestatus.conf diff --exclude-from=exclude -N -u -r nsapolicycoreutils/sestatus/sestatus.c policycoreutils-1.27.29/sestatus/sestatus.c --- nsapolicycoreutils/sestatus/sestatus.c 2005-09-12 16:33:30.000000000 -0400 +++ policycoreutils-1.27.29/sestatus/sestatus.c 2005-11-29 00:04:31.000000000 -0500 @@ -178,19 +178,33 @@ char **bools; int nbool; + int verbose=0; + int show_bools=0; + + /* policy */ const char *pol_name; char *pol_path; - opt=getopt(argc, argv, "v"); - if(opt == '?') { - /* invalid option */ - printf("\nUsage: %s [OPTION]\n\n", basename(argv[0])); - printf(" -v Verbose check of process and file contexts.\n"); - printf("\nWithout options, show SELinux status.\n"); - return -1; + while (1) { + opt=getopt(argc, argv, "vb"); + if (opt == -1) + break; + switch (opt) { + case 'v': + verbose=1; + break; + case 'b': + show_bools=1; + break; + default: + /* invalid option */ + printf("\nUsage: %s [OPTION]\n\n", basename(argv[0])); + printf(" -v Verbose check of process and file contexts.\n"); + printf("\nWithout options, show SELinux status.\n"); + return -1; + } } - printf_tab("SELinux status:"); rc=is_selinux_enabled(); @@ -266,32 +280,34 @@ printf("error (%s)\n", strerror(errno)); } - /* show booleans */ - if(security_get_boolean_names(&bools,&nbool) >= 0) { - printf("\nPolicy booleans:\n"); - - for( i=0 ; i COL) - COL=strlen(bools[i])+1; - } - for( i=0 ; i= 0) { + printf("\nPolicy booleans:\n"); + + for( i=0 ; i COL) + COL=strlen(bools[i])+1; + } + for( i=0 ; i
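Review bot: The usage text in the new `default:` case still lists only `-v`, although the optstring on the `getopt(argc, argv, "vb")` line now accepts `-b` and the sestatus.8 change documents it; add `printf(" -b Display the current state of booleans.\n");` after the `-v` line. Since the loop now consumes every option, any later test of `opt == 'v'` that the old single getopt() call relied on would have to read `verbose` instead; that code, like the start and end of the enclosing function, is outside this hunk. The second hunk of this file is cut off here, so it is not reviewed.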