[policycoreutils] Update to upstream 2.1.4 2011-08-17 * run_init: clarification of the usage in the * semanage: fix
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Aug 18 11:24:17 UTC 2011
commit 831d6fd46cb259d689a4488ba4247c1daeccda9a
Author: Dan Walsh <dwalsh at redhat.com>
Date: Thu Aug 18 07:23:59 2011 -0400
Update to upstream
2.1.4 2011-08-17
* run_init: clarification of the usage in the
* semanage: fix usage header around booleans
* semanage: remove useless empty lines
* semanage: update man page with new examples
* semanage: update usage text
* semanage: introduce file context equivalencies
* semanage: enable and disable modules
* semanage: output all local modifications
* semanage: introduce extraction of local configuration
* semanage: cleanup error on invalid operation
* semanage: handle being called with no arguments
* semanage: return sooner to save CPU time
* semanage: surround getopt with try/except
* semanage: use define/raise instead of lots of
* semanage: some options are only valid for
* semanage: introduce better deleteall support
* semanage: do not allow spaces in file
* semanage: distinguish between builtin and local permissive
* semanage: centralized ip node handling
* setfiles: make the restore function exclude() non-static
* setfiles: use glob to handle ~ and
* fixfiles: do not hard code types
* fixfiles: stop trying to be smart about
* fixfiles: use new kernel seclabel option
* fixfiles: pipe everything to cat before sending
* fixfiles: introduce /etc/selinux/fixfiles_exclude_dirs
* semodule: support for alternative root paths
.gitignore | 1 +
policycoreutils-gui.patch | 158 ++--
policycoreutils-rhat.patch | 2696 +++++++++-----------------------------------
policycoreutils.spec | 89 ++-
sources | 2 +-
5 files changed, 721 insertions(+), 2225 deletions(-)
---
diff --git a/.gitignore b/.gitignore
index 1eb6044..5fae7f7 100644
--- a/.gitignore
+++ b/.gitignore
@@ -224,3 +224,4 @@ policycoreutils-2.0.83.tgz
/policycoreutils-2.0.84.tgz
/policycoreutils-2.0.85.tgz
/policycoreutils-2.0.86.tgz
+/policycoreutils-2.1.4.tgz
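Review bot: the tarball list in .gitignore grows by one literal entry per release (this hunk alone shows 2.0.84, 2.0.85, 2.0.86 and now 2.1.4); a single pattern such as `/policycoreutils-*.tgz` would cover every upstream tarball and end the per-release churn. Style point only; the entry as added is correct.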
diff --git a/policycoreutils-gui.patch b/policycoreutils-gui.patch
index 06085d7..415d192 100644
--- a/policycoreutils-gui.patch
+++ b/policycoreutils-gui.patch
@@ -1,6 +1,6 @@
diff -up policycoreutils-2.0.86/gui/booleansPage.py.gui policycoreutils-2.0.86/gui/booleansPage.py
---- policycoreutils-2.0.86/gui/booleansPage.py.gui 2011-04-12 10:52:07.463643555 -0400
-+++ policycoreutils-2.0.86/gui/booleansPage.py 2011-04-12 10:52:07.463643555 -0400
+--- policycoreutils-2.0.86/gui/booleansPage.py.gui 2011-06-13 13:35:38.766854582 -0400
++++ policycoreutils-2.0.86/gui/booleansPage.py 2011-06-13 13:35:38.766854582 -0400
@@ -0,0 +1,247 @@
+#
+# booleansPage.py - GUI for Booleans page in system-config-securitylevel
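Review bot: nearly every hunk in policycoreutils-gui.patch is a timestamp change in the nested `---`/`+++` headers (2011-04-12 becoming 2011-06-13) with no content change, which buries the only real edits in this file (the polgen.py `-n` option hunks further down). Regenerating the patch with `git diff` or `git format-patch`, or stripping the timestamps from the nested headers, would keep future refreshes reviewable.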
@@ -250,8 +250,8 @@ diff -up policycoreutils-2.0.86/gui/booleansPage.py.gui policycoreutils-2.0.86/g
+ return True
+
diff -up policycoreutils-2.0.86/gui/domainsPage.py.gui policycoreutils-2.0.86/gui/domainsPage.py
---- policycoreutils-2.0.86/gui/domainsPage.py.gui 2011-04-12 10:52:07.464643571 -0400
-+++ policycoreutils-2.0.86/gui/domainsPage.py 2011-04-12 10:52:07.464643571 -0400
+--- policycoreutils-2.0.86/gui/domainsPage.py.gui 2011-06-13 13:35:38.767854591 -0400
++++ policycoreutils-2.0.86/gui/domainsPage.py 2011-06-13 13:35:38.767854591 -0400
@@ -0,0 +1,154 @@
+## domainsPage.py - show selinux domains
+## Copyright (C) 2009 Red Hat, Inc.
@@ -408,8 +408,8 @@ diff -up policycoreutils-2.0.86/gui/domainsPage.py.gui policycoreutils-2.0.86/gu
+ except ValueError, e:
+ self.error(e.args[0])
diff -up policycoreutils-2.0.86/gui/fcontextPage.py.gui policycoreutils-2.0.86/gui/fcontextPage.py
---- policycoreutils-2.0.86/gui/fcontextPage.py.gui 2011-04-12 10:52:07.468643633 -0400
-+++ policycoreutils-2.0.86/gui/fcontextPage.py 2011-04-12 10:52:07.468643633 -0400
+--- policycoreutils-2.0.86/gui/fcontextPage.py.gui 2011-06-13 13:35:38.768854600 -0400
++++ policycoreutils-2.0.86/gui/fcontextPage.py 2011-06-13 13:35:38.768854600 -0400
@@ -0,0 +1,223 @@
+## fcontextPage.py - show selinux mappings
+## Copyright (C) 2006 Red Hat, Inc.
@@ -635,8 +635,8 @@ diff -up policycoreutils-2.0.86/gui/fcontextPage.py.gui policycoreutils-2.0.86/g
+ self.store.set_value(iter, FTYPE_COL, ftype)
+ self.store.set_value(iter, TYPE_COL, "%s:%s" % (type, mls))
diff -up policycoreutils-2.0.86/gui/html_util.py.gui policycoreutils-2.0.86/gui/html_util.py
---- policycoreutils-2.0.86/gui/html_util.py.gui 2011-04-12 10:52:07.469643648 -0400
-+++ policycoreutils-2.0.86/gui/html_util.py 2011-04-12 10:52:07.470643663 -0400
+--- policycoreutils-2.0.86/gui/html_util.py.gui 2011-06-13 13:35:38.768854600 -0400
++++ policycoreutils-2.0.86/gui/html_util.py 2011-06-13 13:35:38.769854608 -0400
@@ -0,0 +1,164 @@
+# Authors: John Dennis <jdennis at redhat.com>
+#
@@ -803,8 +803,8 @@ diff -up policycoreutils-2.0.86/gui/html_util.py.gui policycoreutils-2.0.86/gui/
+ return doc
+
diff -up policycoreutils-2.0.86/gui/lockdown.glade.gui policycoreutils-2.0.86/gui/lockdown.glade
---- policycoreutils-2.0.86/gui/lockdown.glade.gui 2011-04-12 10:52:07.471643678 -0400
-+++ policycoreutils-2.0.86/gui/lockdown.glade 2011-04-12 10:52:07.477643771 -0400
+--- policycoreutils-2.0.86/gui/lockdown.glade.gui 2011-06-13 13:35:38.770854616 -0400
++++ policycoreutils-2.0.86/gui/lockdown.glade 2011-06-13 13:35:38.770854616 -0400
@@ -0,0 +1,771 @@
+<?xml version="1.0" standalone="no"?> <!--*- mode: xml -*-->
+<!DOCTYPE glade-interface SYSTEM "http://glade.gnome.org/glade-2.0.dtd">
@@ -1578,8 +1578,8 @@ diff -up policycoreutils-2.0.86/gui/lockdown.glade.gui policycoreutils-2.0.86/gu
+
+</glade-interface>
diff -up policycoreutils-2.0.86/gui/lockdown.gladep.gui policycoreutils-2.0.86/gui/lockdown.gladep
---- policycoreutils-2.0.86/gui/lockdown.gladep.gui 2011-04-12 10:52:07.482643847 -0400
-+++ policycoreutils-2.0.86/gui/lockdown.gladep 2011-04-12 10:52:07.483643863 -0400
+--- policycoreutils-2.0.86/gui/lockdown.gladep.gui 2011-06-13 13:35:38.770854616 -0400
++++ policycoreutils-2.0.86/gui/lockdown.gladep 2011-06-13 13:35:38.771854624 -0400
@@ -0,0 +1,7 @@
+<?xml version="1.0" standalone="no"?> <!--*- mode: xml -*-->
+<!DOCTYPE glade-project SYSTEM "http://glade.gnome.org/glade-project-2.0.dtd">
@@ -1589,8 +1589,8 @@ diff -up policycoreutils-2.0.86/gui/lockdown.gladep.gui policycoreutils-2.0.86/g
+ <program_name></program_name>
+</glade-project>
diff -up policycoreutils-2.0.86/gui/lockdown.py.gui policycoreutils-2.0.86/gui/lockdown.py
---- policycoreutils-2.0.86/gui/lockdown.py.gui 2011-04-12 10:52:07.484643879 -0400
-+++ policycoreutils-2.0.86/gui/lockdown.py 2011-04-12 10:52:07.484643879 -0400
+--- policycoreutils-2.0.86/gui/lockdown.py.gui 2011-06-13 13:35:38.773854641 -0400
++++ policycoreutils-2.0.86/gui/lockdown.py 2011-06-13 13:35:38.773854641 -0400
@@ -0,0 +1,382 @@
+#!/usr/bin/python -Es
+#
@@ -1975,8 +1975,8 @@ diff -up policycoreutils-2.0.86/gui/lockdown.py.gui policycoreutils-2.0.86/gui/l
+ app = booleanWindow()
+ app.stand_alone()
diff -up policycoreutils-2.0.86/gui/loginsPage.py.gui policycoreutils-2.0.86/gui/loginsPage.py
---- policycoreutils-2.0.86/gui/loginsPage.py.gui 2011-04-12 10:52:07.485643894 -0400
-+++ policycoreutils-2.0.86/gui/loginsPage.py 2011-04-12 10:52:07.486643909 -0400
+--- policycoreutils-2.0.86/gui/loginsPage.py.gui 2011-06-13 13:35:38.775854659 -0400
++++ policycoreutils-2.0.86/gui/loginsPage.py 2011-06-13 13:35:38.775854659 -0400
@@ -0,0 +1,185 @@
+## loginsPage.py - show selinux mappings
+## Copyright (C) 2006 Red Hat, Inc.
@@ -2164,8 +2164,8 @@ diff -up policycoreutils-2.0.86/gui/loginsPage.py.gui policycoreutils-2.0.86/gui
+ self.store.set_value(iter, 2, seobject.translate(serange))
+
diff -up policycoreutils-2.0.86/gui/Makefile.gui policycoreutils-2.0.86/gui/Makefile
---- policycoreutils-2.0.86/gui/Makefile.gui 2011-04-12 10:52:07.486643909 -0400
-+++ policycoreutils-2.0.86/gui/Makefile 2011-04-12 10:52:07.487643924 -0400
+--- policycoreutils-2.0.86/gui/Makefile.gui 2011-06-13 13:35:38.776854668 -0400
++++ policycoreutils-2.0.86/gui/Makefile 2011-06-13 13:35:38.776854668 -0400
@@ -0,0 +1,40 @@
+# Installation directories.
+PREFIX ?= ${DESTDIR}/usr
@@ -2208,8 +2208,8 @@ diff -up policycoreutils-2.0.86/gui/Makefile.gui policycoreutils-2.0.86/gui/Make
+
+relabel:
diff -up policycoreutils-2.0.86/gui/mappingsPage.py.gui policycoreutils-2.0.86/gui/mappingsPage.py
---- policycoreutils-2.0.86/gui/mappingsPage.py.gui 2011-04-12 10:52:07.487643924 -0400
-+++ policycoreutils-2.0.86/gui/mappingsPage.py 2011-04-12 10:52:07.492644000 -0400
+--- policycoreutils-2.0.86/gui/mappingsPage.py.gui 2011-06-13 13:35:38.776854668 -0400
++++ policycoreutils-2.0.86/gui/mappingsPage.py 2011-06-13 13:35:38.777854677 -0400
@@ -0,0 +1,56 @@
+## mappingsPage.py - show selinux mappings
+## Copyright (C) 2006 Red Hat, Inc.
@@ -2268,8 +2268,8 @@ diff -up policycoreutils-2.0.86/gui/mappingsPage.py.gui policycoreutils-2.0.86/g
+ print "%-25s %-25s %-25s" % (k, dict[k][0], translate(dict[k][1]))
+
diff -up policycoreutils-2.0.86/gui/modulesPage.py.gui policycoreutils-2.0.86/gui/modulesPage.py
---- policycoreutils-2.0.86/gui/modulesPage.py.gui 2011-04-12 10:52:07.493644016 -0400
-+++ policycoreutils-2.0.86/gui/modulesPage.py 2011-04-12 10:52:07.493644016 -0400
+--- policycoreutils-2.0.86/gui/modulesPage.py.gui 2011-06-13 13:35:38.778854686 -0400
++++ policycoreutils-2.0.86/gui/modulesPage.py 2011-06-13 13:35:38.778854686 -0400
@@ -0,0 +1,190 @@
+## modulesPage.py - show selinux mappings
+## Copyright (C) 2006-2009 Red Hat, Inc.
@@ -2462,8 +2462,8 @@ diff -up policycoreutils-2.0.86/gui/modulesPage.py.gui policycoreutils-2.0.86/gu
+ except ValueError, e:
+ self.error(e.args[0])
diff -up policycoreutils-2.0.86/gui/polgen.glade.gui policycoreutils-2.0.86/gui/polgen.glade
---- policycoreutils-2.0.86/gui/polgen.glade.gui 2011-04-12 10:52:07.505644201 -0400
-+++ policycoreutils-2.0.86/gui/polgen.glade 2011-04-12 10:52:07.507644232 -0400
+--- policycoreutils-2.0.86/gui/polgen.glade.gui 2011-06-13 13:35:38.782854720 -0400
++++ policycoreutils-2.0.86/gui/polgen.glade 2011-06-13 13:35:38.783854728 -0400
@@ -0,0 +1,3432 @@
+<?xml version="1.0" standalone="no"?> <!--*- mode: xml -*-->
+<!DOCTYPE glade-interface SYSTEM "http://glade.gnome.org/glade-2.0.dtd">
@@ -5898,8 +5898,8 @@ diff -up policycoreutils-2.0.86/gui/polgen.glade.gui policycoreutils-2.0.86/gui/
+
+</glade-interface>
diff -up policycoreutils-2.0.86/gui/polgen.gladep.gui policycoreutils-2.0.86/gui/polgen.gladep
---- policycoreutils-2.0.86/gui/polgen.gladep.gui 2011-04-12 10:52:07.508644247 -0400
-+++ policycoreutils-2.0.86/gui/polgen.gladep 2011-04-12 10:52:07.508644247 -0400
+--- policycoreutils-2.0.86/gui/polgen.gladep.gui 2011-06-13 13:35:38.784854736 -0400
++++ policycoreutils-2.0.86/gui/polgen.gladep 2011-06-13 13:35:38.784854736 -0400
@@ -0,0 +1,7 @@
+<?xml version="1.0" standalone="no"?> <!--*- mode: xml -*-->
+<!DOCTYPE glade-project SYSTEM "http://glade.gnome.org/glade-project-2.0.dtd">
@@ -5909,8 +5909,8 @@ diff -up policycoreutils-2.0.86/gui/polgen.gladep.gui policycoreutils-2.0.86/gui
+ <program_name></program_name>
+</glade-project>
diff -up policycoreutils-2.0.86/gui/polgengui.py.gui policycoreutils-2.0.86/gui/polgengui.py
---- policycoreutils-2.0.86/gui/polgengui.py.gui 2011-04-12 10:52:07.513644322 -0400
-+++ policycoreutils-2.0.86/gui/polgengui.py 2011-05-23 17:04:16.377786536 -0400
+--- policycoreutils-2.0.86/gui/polgengui.py.gui 2011-06-13 13:35:38.786854754 -0400
++++ policycoreutils-2.0.86/gui/polgengui.py 2011-06-13 13:35:38.786854754 -0400
@@ -0,0 +1,750 @@
+#!/usr/bin/python -Es
+#
@@ -6663,8 +6663,8 @@ diff -up policycoreutils-2.0.86/gui/polgengui.py.gui policycoreutils-2.0.86/gui/
+ app = childWindow()
+ app.stand_alone()
diff -up policycoreutils-2.0.86/gui/polgen.py.gui policycoreutils-2.0.86/gui/polgen.py
---- policycoreutils-2.0.86/gui/polgen.py.gui 2011-04-12 10:52:07.516644368 -0400
-+++ policycoreutils-2.0.86/gui/polgen.py 2011-05-23 17:04:04.539689964 -0400
+--- policycoreutils-2.0.86/gui/polgen.py.gui 2011-06-13 13:35:38.789854781 -0400
++++ policycoreutils-2.0.86/gui/polgen.py 2011-07-26 10:08:47.330188867 -0400
@@ -0,0 +1,1346 @@
+#!/usr/bin/python -Es
+#
@@ -6982,7 +6982,7 @@ diff -up policycoreutils-2.0.86/gui/polgen.py.gui policycoreutils-2.0.86/gui/pol
+ if name == "":
+ raise ValueError(_("You must enter a name for your confined process/user"))
+ if not name.isalnum():
-+ raise ValueError(_("Name must be alpha numberic with no spaces."))
++ raise ValueError(_("Name must be alpha numberic with no spaces. Consider using option \"-n MODULENAME\""))
+
+ if type == CGI:
+ self.name = "httpd_%s_script" % name
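Review bot: the new message string still carries the typo "alpha numberic" (should be "alphanumeric"); since the line changes anyway and is a translatable `_()` string that translators will have to redo, fix the spelling in the same edit: `raise ValueError(_("Name must be alphanumeric with no spaces. Consider using option \"-n MODULENAME\""))`.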
@@ -7950,7 +7950,7 @@ diff -up policycoreutils-2.0.86/gui/polgen.py.gui policycoreutils-2.0.86/gui/pol
+ print _("""
+%s
+
-+sepolgen [ -m ] [ -t type ] [ executable | Name ]
++sepolgen [ -n moduleName ] [ -m ] [ -t type ] [ executable | Name ]
+valid Types:
+""") % msg
+ keys=poltype.keys()
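Review bot: the usage text now advertises `-n moduleName`, but nothing in this diff touches the sepolgen man page, so the option is documented only in the `--help` output; add the corresponding man page entry with this change. Minor: the placeholder is spelled `moduleName` here and `MODULENAME` in the error message two hunks up; pick one.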
@@ -7966,7 +7966,7 @@ diff -up policycoreutils-2.0.86/gui/polgen.py.gui policycoreutils-2.0.86/gui/pol
+ ["type=",
+ "mount",
+ "test",
-+ "name",
++ "name=",
+ "help"])
+ for o, a in gopts:
+ if o == "-t" or o == "--type":
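Review bot: changing the long option from "name" to "name=" is the necessary fix: without the trailing `=`, getopt treats `--name` as a flag and the module name falls through as a positional argument. Two things are not visible in this hunk and should be confirmed: that the short-option string contains `n:` (the usage text documents `-n`), and that the value taken from `-n`/`--name` goes through the same `isalnum()` check as the derived name, since the error message in the earlier hunk points users at `-n` precisely when the derived name fails that check and the module name ends up in the generated policy file names.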
@@ -8013,8 +8013,8 @@ diff -up policycoreutils-2.0.86/gui/polgen.py.gui policycoreutils-2.0.86/gui/pol
+ except ValueError, e:
+ usage(e)
diff -up policycoreutils-2.0.86/gui/portsPage.py.gui policycoreutils-2.0.86/gui/portsPage.py
---- policycoreutils-2.0.86/gui/portsPage.py.gui 2011-04-12 10:52:07.518644400 -0400
-+++ policycoreutils-2.0.86/gui/portsPage.py 2011-04-12 10:52:07.521644446 -0400
+--- policycoreutils-2.0.86/gui/portsPage.py.gui 2011-06-13 13:35:38.790854790 -0400
++++ policycoreutils-2.0.86/gui/portsPage.py 2011-06-13 13:35:38.791854799 -0400
@@ -0,0 +1,259 @@
+## portsPage.py - show selinux mappings
+## Copyright (C) 2006 Red Hat, Inc.
@@ -8276,8 +8276,8 @@ diff -up policycoreutils-2.0.86/gui/portsPage.py.gui policycoreutils-2.0.86/gui/
+ return True
+
diff -up policycoreutils-2.0.86/gui/selinux.tbl.gui policycoreutils-2.0.86/gui/selinux.tbl
---- policycoreutils-2.0.86/gui/selinux.tbl.gui 2011-04-12 10:52:07.522644461 -0400
-+++ policycoreutils-2.0.86/gui/selinux.tbl 2011-04-12 10:52:07.522644461 -0400
+--- policycoreutils-2.0.86/gui/selinux.tbl.gui 2011-06-13 13:35:38.792854808 -0400
++++ policycoreutils-2.0.86/gui/selinux.tbl 2011-06-13 13:35:38.793854816 -0400
@@ -0,0 +1,234 @@
+acct_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for acct daemon")
+allow_daemons_dump_core _("Admin") _("Allow all daemons to write corefiles to /")
@@ -8514,8 +8514,8 @@ diff -up policycoreutils-2.0.86/gui/selinux.tbl.gui policycoreutils-2.0.86/gui/s
+webadm_read_user_files _("HTTPD Service") _("Allow SELinux webadm user to read unprivileged users home directories")
+
diff -up policycoreutils-2.0.86/gui/semanagePage.py.gui policycoreutils-2.0.86/gui/semanagePage.py
---- policycoreutils-2.0.86/gui/semanagePage.py.gui 2011-04-12 10:52:07.523644476 -0400
-+++ policycoreutils-2.0.86/gui/semanagePage.py 2011-04-12 10:52:07.524644491 -0400
+--- policycoreutils-2.0.86/gui/semanagePage.py.gui 2011-06-13 13:35:38.794854824 -0400
++++ policycoreutils-2.0.86/gui/semanagePage.py 2011-06-13 13:35:38.794854824 -0400
@@ -0,0 +1,168 @@
+## semanagePage.py - show selinux mappings
+## Copyright (C) 2006 Red Hat, Inc.
@@ -8686,8 +8686,8 @@ diff -up policycoreutils-2.0.86/gui/semanagePage.py.gui policycoreutils-2.0.86/g
+ return True
+
diff -up policycoreutils-2.0.86/gui/statusPage.py.gui policycoreutils-2.0.86/gui/statusPage.py
---- policycoreutils-2.0.86/gui/statusPage.py.gui 2011-04-12 10:52:07.530644584 -0400
-+++ policycoreutils-2.0.86/gui/statusPage.py 2011-04-12 10:52:07.530644584 -0400
+--- policycoreutils-2.0.86/gui/statusPage.py.gui 2011-06-13 13:35:38.795854832 -0400
++++ policycoreutils-2.0.86/gui/statusPage.py 2011-06-13 13:35:38.795854832 -0400
@@ -0,0 +1,190 @@
+# statusPage.py - show selinux status
+## Copyright (C) 2006-2009 Red Hat, Inc.
@@ -8880,8 +8880,8 @@ diff -up policycoreutils-2.0.86/gui/statusPage.py.gui policycoreutils-2.0.86/gui
+
+
diff -up policycoreutils-2.0.86/gui/system-config-selinux.glade.gui policycoreutils-2.0.86/gui/system-config-selinux.glade
---- policycoreutils-2.0.86/gui/system-config-selinux.glade.gui 2011-04-12 10:52:07.534644645 -0400
-+++ policycoreutils-2.0.86/gui/system-config-selinux.glade 2011-04-12 10:52:07.539644720 -0400
+--- policycoreutils-2.0.86/gui/system-config-selinux.glade.gui 2011-06-13 13:35:38.799854868 -0400
++++ policycoreutils-2.0.86/gui/system-config-selinux.glade 2011-06-13 13:35:38.800854877 -0400
@@ -0,0 +1,3024 @@
+<?xml version="1.0" standalone="no"?> <!--*- mode: xml -*-->
+<!DOCTYPE glade-interface SYSTEM "http://glade.gnome.org/glade-2.0.dtd">
@@ -11908,8 +11908,8 @@ diff -up policycoreutils-2.0.86/gui/system-config-selinux.glade.gui policycoreut
+
+</glade-interface>
diff -up policycoreutils-2.0.86/gui/system-config-selinux.gladep.gui policycoreutils-2.0.86/gui/system-config-selinux.gladep
---- policycoreutils-2.0.86/gui/system-config-selinux.gladep.gui 2011-04-12 10:52:07.540644736 -0400
-+++ policycoreutils-2.0.86/gui/system-config-selinux.gladep 2011-04-12 10:52:07.541644752 -0400
+--- policycoreutils-2.0.86/gui/system-config-selinux.gladep.gui 2011-06-13 13:35:38.801854886 -0400
++++ policycoreutils-2.0.86/gui/system-config-selinux.gladep 2011-06-13 13:35:38.801854886 -0400
@@ -0,0 +1,7 @@
+<?xml version="1.0" standalone="no"?> <!--*- mode: xml -*-->
+<!DOCTYPE glade-project SYSTEM "http://glade.gnome.org/glade-project-2.0.dtd">
@@ -11919,8 +11919,8 @@ diff -up policycoreutils-2.0.86/gui/system-config-selinux.gladep.gui policycoreu
+ <program_name></program_name>
+</glade-project>
diff -up policycoreutils-2.0.86/gui/system-config-selinux.py.gui policycoreutils-2.0.86/gui/system-config-selinux.py
---- policycoreutils-2.0.86/gui/system-config-selinux.py.gui 2011-04-12 10:52:07.542644768 -0400
-+++ policycoreutils-2.0.86/gui/system-config-selinux.py 2011-04-12 10:52:07.542644768 -0400
+--- policycoreutils-2.0.86/gui/system-config-selinux.py.gui 2011-06-13 13:35:38.802854894 -0400
++++ policycoreutils-2.0.86/gui/system-config-selinux.py 2011-06-13 13:35:38.802854894 -0400
@@ -0,0 +1,187 @@
+#!/usr/bin/python -Es
+#
@@ -12110,8 +12110,8 @@ diff -up policycoreutils-2.0.86/gui/system-config-selinux.py.gui policycoreutils
+ app = childWindow()
+ app.stand_alone()
diff -up policycoreutils-2.0.86/gui/templates/boolean.py.gui policycoreutils-2.0.86/gui/templates/boolean.py
---- policycoreutils-2.0.86/gui/templates/boolean.py.gui 2011-04-12 10:52:07.543644784 -0400
-+++ policycoreutils-2.0.86/gui/templates/boolean.py 2011-05-23 16:59:42.369598714 -0400
+--- policycoreutils-2.0.86/gui/templates/boolean.py.gui 2011-06-13 13:35:38.804854910 -0400
++++ policycoreutils-2.0.86/gui/templates/boolean.py 2011-06-13 13:35:38.804854910 -0400
@@ -0,0 +1,40 @@
+# Copyright (C) 2007-2011 Red Hat
+# see file 'COPYING' for use and warranty information
@@ -12154,8 +12154,8 @@ diff -up policycoreutils-2.0.86/gui/templates/boolean.py.gui policycoreutils-2.0
+"""
+
diff -up policycoreutils-2.0.86/gui/templates/etc_rw.py.gui policycoreutils-2.0.86/gui/templates/etc_rw.py
---- policycoreutils-2.0.86/gui/templates/etc_rw.py.gui 2011-04-12 10:52:07.546644829 -0400
-+++ policycoreutils-2.0.86/gui/templates/etc_rw.py 2011-05-23 16:59:53.369684469 -0400
+--- policycoreutils-2.0.86/gui/templates/etc_rw.py.gui 2011-06-13 13:35:38.805854919 -0400
++++ policycoreutils-2.0.86/gui/templates/etc_rw.py 2011-06-13 13:35:38.806854928 -0400
@@ -0,0 +1,112 @@
+# Copyright (C) 2007-2011 Red Hat
+# see file 'COPYING' for use and warranty information
@@ -12270,8 +12270,8 @@ diff -up policycoreutils-2.0.86/gui/templates/etc_rw.py.gui policycoreutils-2.0.
+FILENAME(/.*)? gen_context(system_u:object_r:TEMPLATETYPE_etc_rw_t,s0)
+"""
diff -up policycoreutils-2.0.86/gui/templates/executable.py.gui policycoreutils-2.0.86/gui/templates/executable.py
---- policycoreutils-2.0.86/gui/templates/executable.py.gui 2011-04-12 10:52:07.548644859 -0400
-+++ policycoreutils-2.0.86/gui/templates/executable.py 2011-05-23 17:03:10.575251921 -0400
+--- policycoreutils-2.0.86/gui/templates/executable.py.gui 2011-06-13 13:35:38.807854937 -0400
++++ policycoreutils-2.0.86/gui/templates/executable.py 2011-06-13 13:35:38.807854937 -0400
@@ -0,0 +1,451 @@
+# Copyright (C) 2007-2011 Red Hat
+# see file 'COPYING' for use and warranty information
@@ -12725,8 +12725,8 @@ diff -up policycoreutils-2.0.86/gui/templates/executable.py.gui policycoreutils-
+EXECUTABLE -- gen_context(system_u:object_r:TEMPLATETYPE_initrc_exec_t,s0)
+"""
diff -up policycoreutils-2.0.86/gui/templates/__init__.py.gui policycoreutils-2.0.86/gui/templates/__init__.py
---- policycoreutils-2.0.86/gui/templates/__init__.py.gui 2011-04-12 10:52:07.549644874 -0400
-+++ policycoreutils-2.0.86/gui/templates/__init__.py 2011-05-23 17:02:40.424008790 -0400
+--- policycoreutils-2.0.86/gui/templates/__init__.py.gui 2011-06-13 13:35:38.808854946 -0400
++++ policycoreutils-2.0.86/gui/templates/__init__.py 2011-06-13 13:35:38.808854946 -0400
@@ -0,0 +1,18 @@
+#
+# Copyright (C) 2007-2011 Red Hat
@@ -12747,8 +12747,8 @@ diff -up policycoreutils-2.0.86/gui/templates/__init__.py.gui policycoreutils-2.
+#
+
diff -up policycoreutils-2.0.86/gui/templates/network.py.gui policycoreutils-2.0.86/gui/templates/network.py
---- policycoreutils-2.0.86/gui/templates/network.py.gui 2011-04-12 10:52:07.556644982 -0400
-+++ policycoreutils-2.0.86/gui/templates/network.py 2011-05-23 17:03:09.237241107 -0400
+--- policycoreutils-2.0.86/gui/templates/network.py.gui 2011-06-13 13:35:38.809854955 -0400
++++ policycoreutils-2.0.86/gui/templates/network.py 2011-06-13 13:35:38.810854964 -0400
@@ -0,0 +1,102 @@
+# Copyright (C) 2007-2011 Red Hat
+# see file 'COPYING' for use and warranty information
@@ -12853,8 +12853,8 @@ diff -up policycoreutils-2.0.86/gui/templates/network.py.gui policycoreutils-2.0
+"""
+
diff -up policycoreutils-2.0.86/gui/templates/rw.py.gui policycoreutils-2.0.86/gui/templates/rw.py
---- policycoreutils-2.0.86/gui/templates/rw.py.gui 2011-04-12 10:52:07.557644997 -0400
-+++ policycoreutils-2.0.86/gui/templates/rw.py 2011-05-23 16:59:48.308644991 -0400
+--- policycoreutils-2.0.86/gui/templates/rw.py.gui 2011-06-13 13:35:38.811854972 -0400
++++ policycoreutils-2.0.86/gui/templates/rw.py 2011-06-13 13:35:38.811854972 -0400
@@ -0,0 +1,129 @@
+# Copyright (C) 2007-2011 Red Hat
+# see file 'COPYING' for use and warranty information
@@ -12986,8 +12986,8 @@ diff -up policycoreutils-2.0.86/gui/templates/rw.py.gui policycoreutils-2.0.86/g
+FILENAME(/.*)? gen_context(system_u:object_r:TEMPLATETYPE_rw_t,s0)
+"""
diff -up policycoreutils-2.0.86/gui/templates/script.py.gui policycoreutils-2.0.86/gui/templates/script.py
---- policycoreutils-2.0.86/gui/templates/script.py.gui 2011-04-12 10:52:07.558645012 -0400
-+++ policycoreutils-2.0.86/gui/templates/script.py 2011-05-23 17:02:13.796795073 -0400
+--- policycoreutils-2.0.86/gui/templates/script.py.gui 2011-06-13 13:35:38.812854980 -0400
++++ policycoreutils-2.0.86/gui/templates/script.py 2011-06-13 13:35:38.813854988 -0400
@@ -0,0 +1,126 @@
+# Copyright (C) 2007-2011 Red Hat
+# see file 'COPYING' for use and warranty information
@@ -13116,8 +13116,8 @@ diff -up policycoreutils-2.0.86/gui/templates/script.py.gui policycoreutils-2.0.
+fi
+"""
diff -up policycoreutils-2.0.86/gui/templates/semodule.py.gui policycoreutils-2.0.86/gui/templates/semodule.py
---- policycoreutils-2.0.86/gui/templates/semodule.py.gui 2011-04-12 10:52:07.560645042 -0400
-+++ policycoreutils-2.0.86/gui/templates/semodule.py 2011-05-23 17:02:07.466744404 -0400
+--- policycoreutils-2.0.86/gui/templates/semodule.py.gui 2011-06-13 13:35:38.814854997 -0400
++++ policycoreutils-2.0.86/gui/templates/semodule.py 2011-06-13 13:35:38.814854997 -0400
@@ -0,0 +1,41 @@
+# Copyright (C) 2007-2011 Red Hat
+# see file 'COPYING' for use and warranty information
@@ -13161,8 +13161,8 @@ diff -up policycoreutils-2.0.86/gui/templates/semodule.py.gui policycoreutils-2.
+"""
+
diff -up policycoreutils-2.0.86/gui/templates/tmp.py.gui policycoreutils-2.0.86/gui/templates/tmp.py
---- policycoreutils-2.0.86/gui/templates/tmp.py.gui 2011-04-12 10:52:07.561645058 -0400
-+++ policycoreutils-2.0.86/gui/templates/tmp.py 2011-05-23 17:01:55.736650663 -0400
+--- policycoreutils-2.0.86/gui/templates/tmp.py.gui 2011-06-13 13:35:38.815855006 -0400
++++ policycoreutils-2.0.86/gui/templates/tmp.py 2011-06-13 13:35:38.815855006 -0400
@@ -0,0 +1,102 @@
+# Copyright (C) 2007-2011 Red Hat
+# see file 'COPYING' for use and warranty information
@@ -13267,8 +13267,8 @@ diff -up policycoreutils-2.0.86/gui/templates/tmp.py.gui policycoreutils-2.0.86/
+ admin_pattern($1, TEMPLATETYPE_tmp_t)
+"""
diff -up policycoreutils-2.0.86/gui/templates/user.py.gui policycoreutils-2.0.86/gui/templates/user.py
---- policycoreutils-2.0.86/gui/templates/user.py.gui 2011-04-12 10:52:07.562645074 -0400
-+++ policycoreutils-2.0.86/gui/templates/user.py 2011-05-23 17:01:46.816579501 -0400
+--- policycoreutils-2.0.86/gui/templates/user.py.gui 2011-06-13 13:35:38.816855015 -0400
++++ policycoreutils-2.0.86/gui/templates/user.py 2011-06-13 13:35:38.817855024 -0400
@@ -0,0 +1,204 @@
+# Copyright (C) 2007-2011 Red Hat
+# see file 'COPYING' for use and warranty information
@@ -13475,8 +13475,8 @@ diff -up policycoreutils-2.0.86/gui/templates/user.py.gui policycoreutils-2.0.86
+seutil_run_newrole(TEMPLATETYPE_t, TEMPLATETYPE_r)
+"""
diff -up policycoreutils-2.0.86/gui/templates/var_cache.py.gui policycoreutils-2.0.86/gui/templates/var_cache.py
---- policycoreutils-2.0.86/gui/templates/var_cache.py.gui 2011-04-12 10:52:07.566645136 -0400
-+++ policycoreutils-2.0.86/gui/templates/var_cache.py 2011-05-23 17:01:38.793515591 -0400
+--- policycoreutils-2.0.86/gui/templates/var_cache.py.gui 2011-06-13 13:35:38.818855033 -0400
++++ policycoreutils-2.0.86/gui/templates/var_cache.py 2011-06-13 13:35:38.818855033 -0400
@@ -0,0 +1,132 @@
+# Copyright (C) 2007-2011 Red Hat
+# see file 'COPYING' for use and warranty information
@@ -13611,8 +13611,8 @@ diff -up policycoreutils-2.0.86/gui/templates/var_cache.py.gui policycoreutils-2
+FILENAME(/.*)? gen_context(system_u:object_r:TEMPLATETYPE_cache_t,s0)
+"""
diff -up policycoreutils-2.0.86/gui/templates/var_lib.py.gui policycoreutils-2.0.86/gui/templates/var_lib.py
---- policycoreutils-2.0.86/gui/templates/var_lib.py.gui 2011-04-12 10:52:07.567645151 -0400
-+++ policycoreutils-2.0.86/gui/templates/var_lib.py 2011-05-23 17:01:31.516457701 -0400
+--- policycoreutils-2.0.86/gui/templates/var_lib.py.gui 2011-06-13 13:35:38.819855042 -0400
++++ policycoreutils-2.0.86/gui/templates/var_lib.py 2011-06-13 13:35:38.819855042 -0400
@@ -0,0 +1,160 @@
+# Copyright (C) 2007-2011 Red Hat
+# see file 'COPYING' for use and warranty information
@@ -13775,8 +13775,8 @@ diff -up policycoreutils-2.0.86/gui/templates/var_lib.py.gui policycoreutils-2.0
+FILENAME(/.*)? gen_context(system_u:object_r:TEMPLATETYPE_var_lib_t,s0)
+"""
diff -up policycoreutils-2.0.86/gui/templates/var_log.py.gui policycoreutils-2.0.86/gui/templates/var_log.py
---- policycoreutils-2.0.86/gui/templates/var_log.py.gui 2011-04-12 10:52:07.568645166 -0400
-+++ policycoreutils-2.0.86/gui/templates/var_log.py 2011-05-23 17:01:22.948389639 -0400
+--- policycoreutils-2.0.86/gui/templates/var_log.py.gui 2011-06-13 13:35:38.821855059 -0400
++++ policycoreutils-2.0.86/gui/templates/var_log.py 2011-06-13 13:35:38.821855059 -0400
@@ -0,0 +1,114 @@
+# Copyright (C) 2007-2011 Red Hat
+# see file 'COPYING' for use and warranty information
@@ -13893,8 +13893,8 @@ diff -up policycoreutils-2.0.86/gui/templates/var_log.py.gui policycoreutils-2.0
+FILENAME(/.*)? gen_context(system_u:object_r:TEMPLATETYPE_log_t,s0)
+"""
diff -up policycoreutils-2.0.86/gui/templates/var_run.py.gui policycoreutils-2.0.86/gui/templates/var_run.py
---- policycoreutils-2.0.86/gui/templates/var_run.py.gui 2011-04-12 10:52:07.569645181 -0400
-+++ policycoreutils-2.0.86/gui/templates/var_run.py 2011-05-23 17:01:11.639299961 -0400
+--- policycoreutils-2.0.86/gui/templates/var_run.py.gui 2011-06-13 13:35:38.822855067 -0400
++++ policycoreutils-2.0.86/gui/templates/var_run.py 2011-06-13 13:35:38.822855067 -0400
@@ -0,0 +1,101 @@
+# Copyright (C) 2007-2011 Red Hat
+# see file 'COPYING' for use and warranty information
@@ -13998,8 +13998,8 @@ diff -up policycoreutils-2.0.86/gui/templates/var_run.py.gui policycoreutils-2.0
+FILENAME(/.*)? gen_context(system_u:object_r:TEMPLATETYPE_var_run_t,s0)
+"""
diff -up policycoreutils-2.0.86/gui/templates/var_spool.py.gui policycoreutils-2.0.86/gui/templates/var_spool.py
---- policycoreutils-2.0.86/gui/templates/var_spool.py.gui 2011-04-12 10:52:07.573645242 -0400
-+++ policycoreutils-2.0.86/gui/templates/var_spool.py 2011-05-25 16:09:23.350352658 -0400
+--- policycoreutils-2.0.86/gui/templates/var_spool.py.gui 2011-06-13 13:35:38.823855075 -0400
++++ policycoreutils-2.0.86/gui/templates/var_spool.py 2011-06-13 13:35:38.824855083 -0400
@@ -0,0 +1,131 @@
+# Copyright (C) 2007-2011 Red Hat
+# see file 'COPYING' for use and warranty information
@@ -14133,8 +14133,8 @@ diff -up policycoreutils-2.0.86/gui/templates/var_spool.py.gui policycoreutils-2
+FILENAME(/.*)? gen_context(system_u:object_r:TEMPLATETYPE_spool_t,s0)
+"""
diff -up policycoreutils-2.0.86/gui/usersPage.py.gui policycoreutils-2.0.86/gui/usersPage.py
---- policycoreutils-2.0.86/gui/usersPage.py.gui 2011-04-12 10:52:07.578645320 -0400
-+++ policycoreutils-2.0.86/gui/usersPage.py 2011-04-12 10:52:07.578645320 -0400
+--- policycoreutils-2.0.86/gui/usersPage.py.gui 2011-06-13 13:35:38.825855092 -0400
++++ policycoreutils-2.0.86/gui/usersPage.py 2011-06-13 13:35:38.825855092 -0400
@@ -0,0 +1,150 @@
+## usersPage.py - show selinux mappings
+## Copyright (C) 2006,2007,2008 Red Hat, Inc.
diff --git a/policycoreutils-rhat.patch b/policycoreutils-rhat.patch
index 0cbf513..b73beec 100644
--- a/policycoreutils-rhat.patch
+++ b/policycoreutils-rhat.patch
@@ -1,10 +1,10 @@
diff --git a/policycoreutils/Makefile b/policycoreutils/Makefile
-index 86ed03f..67d0ee8 100644
+index 86ed03f..3e95698 100644
--- a/policycoreutils/Makefile
+++ b/policycoreutils/Makefile
@@ -1,4 +1,4 @@
-SUBDIRS = setfiles semanage load_policy newrole run_init sandbox secon audit2allow audit2why scripts sestatus semodule_package semodule semodule_link semodule_expand semodule_deps setsebool po
-+SUBDIRS = setfiles semanage semanage/default_encoding load_policy newrole run_init sandbox secon audit2allow audit2why scripts sestatus semodule_package semodule semodule_link semodule_expand semodule_deps sepolgen-ifgen setsebool po gui
++SUBDIRS = setfiles semanage semanage/default_encoding load_policy newrole run_init sandbox secon audit2allow audit2why scripts sestatus semodule_package semodule semodule_link semodule_expand semodule_deps sepolgen-ifgen setsebool po
INOTIFYH = $(shell ls /usr/include/sys/inotify.h 2>/dev/null)
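Review bot: `gui` is dropped from SUBDIRS here and the commit message does not say why, while the `sepolgen-ifgen` and `semanage/default_encoding` additions stay. If the GUI is now built from policycoreutils.spec (changed in the diffstat but not shown here) or by a separate make invocation, say so in the commit message; otherwise the files carried in policycoreutils-gui.patch are no longer built or installed by the top-level Makefile.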
@@ -87,26 +87,10 @@ index 5435e9d..c60490b 100644
if __name__ == "__main__":
app = AuditToPolicy()
diff --git a/policycoreutils/audit2allow/audit2allow.1 b/policycoreutils/audit2allow/audit2allow.1
-index 6178cc8..b6f386d 100644
+index fd9eb88..a854a45 100644
--- a/policycoreutils/audit2allow/audit2allow.1
+++ b/policycoreutils/audit2allow/audit2allow.1
-@@ -1,5 +1,6 @@
- .\" Hey, Emacs! This is an -*- nroff -*- source file.
- .\" Copyright (c) 2005 Manoj Srivastava <srivasta at debian.org>
-+.\" Copyright (c) 2010 Dan Walsh <dwalsh at redhat.com>
- .\"
- .\" This is free documentation; you can redistribute it and/or
- .\" modify it under the terms of the GNU General Public License as
-@@ -22,7 +23,7 @@
- .\" USA.
- .\"
- .\"
--.TH AUDIT2ALLOW "1" "January 2005" "Security Enhanced Linux" NSA
-+.TH AUDIT2ALLOW "1" "October 2010" "Security Enhanced Linux" NSA
- .SH NAME
- .BR audit2allow
- \- generate SELinux policy allow/dontaudit rules from logs of denied operations
-@@ -66,6 +67,9 @@ Generate module/require output <modulename>
+@@ -67,6 +67,9 @@ Generate module/require output <modulename>
.B "\-M <modulename>"
Generate loadable module package, conflicts with -o
.TP
@@ -116,91 +100,10 @@ index 6178cc8..b6f386d 100644
.B "\-o <outputfile>" | "\-\-output <outputfile>"
append output to
.I <outputfile>
-@@ -117,14 +121,6 @@ an 'allow' rule.
- .B Please substitute /var/log/messages for /var/log/audit/audit.log in the
- .B examples.
- .PP
--.B Using audit2allow to generate monolithic (non-module) policy
--$ cd /etc/selinux/$SELINUXTYPE/src/policy
--$ cat /var/log/audit/audit.log | audit2allow >> domains/misc/local.te
--$ cat domains/misc/local.te
--allow cupsd_config_t unconfined_t:fifo_file { getattr ioctl };
--<review domains/misc/local.te and customize as desired>
--$ make load
--
- .B Using audit2allow to generate module policy
-
- $ cat /var/log/audit/audit.log | audit2allow -m local > local.te
-@@ -132,20 +128,38 @@ $ cat local.te
- module local 1.0;
-
- require {
-- role system_r;
-+ class file { getattr open read };
-
-
-- class fifo_file { getattr ioctl };
-+ type myapp_t;
-+ type etc_t;
-+ };
-
-
-- type cupsd_config_t;
-- type unconfined_t;
-- };
-+allow myapp_t etc_t:file { getattr open read };
-+<review local.te and customize as desired>
-
-+.B Using audit2allow to generate module policy using reference policy
-
--allow cupsd_config_t unconfined_t:fifo_file { getattr ioctl };
-+$ cat /var/log/audit/audit.log | audit2allow -R -m local > local.te
-+$ cat local.te
-+policy_module(local, 1.0)
-+
-+gen_require(`
-+ type myapp_t;
-+ type etc_t;
-+ };
-+
-+files_read_etc_files(myapp_t)
- <review local.te and customize as desired>
-
-+.B Building module policy using Makefile
-+
-+# SELinux provides a policy devel environment under /usr/share/selinux/devel
-+# You can create a te file and compile it by executing
-+$ make -f /usr/share/selinux/devel/Makefile
-+$ semodule -i local.pp
-+
- .B Building module policy manually
-
- # Compile the module
-@@ -168,6 +182,14 @@ you are required to execute
-
- semodule -i local.pp
-
-+.B Using audit2allow to generate monolithic (non-module) policy
-+$ cd /etc/selinux/$SELINUXTYPE/src/policy
-+$ cat /var/log/audit/audit.log | audit2allow >> domains/misc/local.te
-+$ cat domains/misc/local.te
-+allow cupsd_config_t unconfined_t:fifo_file { getattr ioctl };
-+<review domains/misc/local.te and customize as desired>
-+$ make load
-+
- .fi
- .PP
- .SH AUTHOR
diff --git a/policycoreutils/audit2allow/sepolgen-ifgen b/policycoreutils/audit2allow/sepolgen-ifgen
-index 03f95a1..dad2009 100644
+index 0acbf7e..ef4bec3 100644
--- a/policycoreutils/audit2allow/sepolgen-ifgen
+++ b/policycoreutils/audit2allow/sepolgen-ifgen
-@@ -1,4 +1,4 @@
--#! /usr/bin/python -E
-+#! /usr/bin/python -Es
- #
- # Authors: Karl MacMillan <kmacmillan at mentalrootkit.com>
- #
@@ -28,6 +28,10 @@
import sys
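Review bot: the dropped hunk that changed the sepolgen-ifgen shebang from `#! /usr/bin/python -E` to `#! /usr/bin/python -Es` is only safe to drop if the upstream file now carries `-Es` itself (the sandbox script's context line further down in this patch does read `#! /usr/bin/python -Es`); confirm the same for sepolgen-ifgen before merging, or the `-s` (no user site-packages on sys.path) hardening regresses for that tool.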
@@ -289,7 +192,7 @@ index 03f95a1..dad2009 100644
+ attrs = get_attrs(options.policy_path)
+ if attrs is None:
+ return 1
-+
++
+ # Parse the headers
try:
headers = refparser.parse_headers(options.headers, output=log, debug=options.debug)
@@ -304,35 +207,24 @@ index 03f95a1..dad2009 100644
f.close()
diff --git a/policycoreutils/newrole/newrole.c b/policycoreutils/newrole/newrole.c
-index 2d31d64..e985289 100644
+index 99d0ed7..3f08d37 100644
--- a/policycoreutils/newrole/newrole.c
+++ b/policycoreutils/newrole/newrole.c
-@@ -586,7 +586,7 @@ static int drop_capabilities(int full)
- return -1;
- }
- if (! full)
-- capng_update(CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED, CAP_SYS_ADMIN | CAP_FOWNER | CAP_CHOWN | CAP_DAC_OVERRIDE);
-+ capng_update(CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED, CAP_SYS_ADMIN | CAP_FOWNER | CAP_CHOWN | CAP_DAC_OVERRIDE | CAP_SETPCAP );
- return capng_apply(CAPNG_SELECT_BOTH);
- }
-
-@@ -1030,8 +1030,13 @@ int main(int argc, char *argv[])
+@@ -1030,10 +1030,11 @@ int main(int argc, char *argv[])
* if it makes sense to continue to run newrole, and setting up
* a scrubbed environment.
*/
-- if (drop_capabilities(FALSE))
-+
+- if (drop_capabilities(FALSE)) {
+/* if (drop_capabilities(FALSE)) {
-+ fprintf(stderr, _("Sorry, newrole failed to drop capabilities\n"));
-+ perror("");
+ perror(_("Sorry, newrole failed to drop capabilities\n"));
return -1;
-+ }
+ }
+*/
if (set_signal_handles())
return -1;
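Review bot: wrapping `if (drop_capabilities(FALSE)) {` through the closing `}` in a `/* ... */` comment removes the capability drop from newrole's main() in a setuid program instead of fixing whatever made the call fail; if it is broken on this build, fix it or guard it with a compile-time conditional plus a comment saying why, and call the change out in the changelog, which currently does not mention newrole at all.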
diff --git a/policycoreutils/restorecond/Makefile b/policycoreutils/restorecond/Makefile
-index 3f235e6..7552668 100644
+index 3f235e6..03a4544 100644
--- a/policycoreutils/restorecond/Makefile
+++ b/policycoreutils/restorecond/Makefile
@@ -1,17 +1,28 @@
@@ -348,7 +240,7 @@ index 3f235e6..7552668 100644
INITDIR = $(DESTDIR)/etc/rc.d/init.d
SELINUXDIR = $(DESTDIR)/etc/selinux
-+DBUSFLAGS = -DHAVE_DBUS -I/usr/include/dbus-1.0 -I/usr/lib64/dbus-1.0/include -I/usr/lib/dbus-1.0/include
++DBUSFLAGS = -DHAVE_DBUS -I/usr/include/dbus-1.0 -I/usr/lib64/dbus-1.0/include -I/usr/lib/dbus-1.0/include
+DBUSLIB = -ldbus-glib-1 -ldbus-1
+
CFLAGS ?= -g -Werror -Wall -W
@@ -361,7 +253,7 @@ index 3f235e6..7552668 100644
all: restorecond
-restorecond: restorecond.o utmpwatcher.o stringslist.o
-+restorecond.o utmpwatcher.o stringslist.o user.o watch.o: restorecond.h
++restorecond.o utmpwatcher.o stringslist.o user.o watch.o: restorecond.h
+
+restorecond: ../setfiles/restore.o restorecond.o utmpwatcher.o stringslist.o user.o watch.o
$(CC) $(LDFLAGS) -o $@ $^ $(LDLIBS)
@@ -391,7 +283,7 @@ index 0000000..0ef5f0b
+Name=org.selinux.Restorecond
+Exec=/usr/sbin/restorecond -u
diff --git a/policycoreutils/restorecond/restorecond.8 b/policycoreutils/restorecond/restorecond.8
-index b149dcb..0c14c94 100644
+index b149dcb..4622d2b 100644
--- a/policycoreutils/restorecond/restorecond.8
+++ b/policycoreutils/restorecond/restorecond.8
@@ -3,7 +3,7 @@
@@ -407,13 +299,13 @@ index b149dcb..0c14c94 100644
.B \-d
Turns on debugging mode. Application will stay in the foreground and lots of
debugs messages start printing.
-+.TP
++.TP
+.B \-f restorecond_file
+Use alternative restorecond.conf file.
-+.TP
++.TP
+.B \-u
+Turns on user mode. Runs restorecond in the user session and reads /etc/selinux/restorecond_user.conf. Uses dbus to make sure only one restorecond is running per user session.
-+.TP
++.TP
+.B \-v
+Turns on verbose debugging. (Report missing files)
@@ -429,7 +321,7 @@ index b149dcb..0c14c94 100644
.SH "SEE ALSO"
.BR restorecon (8),
diff --git a/policycoreutils/restorecond/restorecond.c b/policycoreutils/restorecond/restorecond.c
-index 58774e6..a588e5e 100644
+index 4952632..89f5d97 100644
--- a/policycoreutils/restorecond/restorecond.c
+++ b/policycoreutils/restorecond/restorecond.c
@@ -30,9 +30,11 @@
@@ -440,12 +332,12 @@ index 58774e6..a588e5e 100644
+ * restorecond [-d] [-u] [-v] [-f restorecond_file ]
*
* -d Run in debug mode
-+ * -f Use alternative restorecond_file
++ * -f Use alternative restorecond_file
+ * -u Run in user mode
* -v Run in verbose mode (Report missing files)
*
* EXAMPLE USAGE:
-@@ -48,294 +50,38 @@
+@@ -48,297 +50,38 @@
#include <signal.h>
#include <string.h>
#include <unistd.h>
@@ -478,7 +370,7 @@ index 58774e6..a588e5e 100644
-#define EVENT_SIZE (sizeof (struct inotify_event))
-/* reasonable guess as to size of 1024 events */
-#define BUF_LEN (1024 * (EVENT_SIZE + 16))
--
+
-static int debug_mode = 0;
-static int verbose_mode = 0;
-
@@ -505,7 +397,11 @@ index 58774e6..a588e5e 100644
- return 0;
- return (strcmp(rest_a, rest_b) == 0);
-}
--
++static char *server_watch_file = "/etc/selinux/restorecond.conf";
++static char *user_watch_file = "/etc/selinux/restorecond_user.conf";
++static char *watch_file;
++static struct restore_opts r_opts;
+
-/*
- A file was in a direcroty has been created. This function checks to
- see if it is one that we are watching.
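Review bot: `static char *server_watch_file = "/etc/selinux/restorecond.conf";` and the `user_watch_file` and `watch_file` lines after it bind string literals to non-const pointers; declare them `static const char *` so an accidental write through them is a compile error rather than a fault on the read-only literal at run time.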
@@ -667,7 +563,7 @@ index 58774e6..a588e5e 100644
- }
- free(line_buf);
-}
-
+-
-/*
- Read config file ignoring Comment lines
- Files specified one per line. Files with "~" will be expanded to the logged in users
@@ -722,26 +618,25 @@ index 58774e6..a588e5e 100644
- printf("wd=%d mask=%u cookie=%u len=%u\n",
- event->wd, event->mask,
- event->cookie, event->len);
-- if (event->wd == master_wd)
-- read_config(fd);
-- else {
-- switch (utmpwatcher_handle(fd, event->wd)) {
-- case -1: /* Message was not for utmpwatcher */
-- if (event->len)
-- watch_list_find(event->wd, event->name);
-- break;
-+static char *server_watch_file = "/etc/selinux/restorecond.conf";
-+static char *user_watch_file = "/etc/selinux/restorecond_user.conf";
-+static char *watch_file;
-+static struct restore_opts r_opts;
-
-- case 1: /* utmp has changed need to reload */
+-
+- if (event->mask & ~IN_IGNORED) {
+- if (event->wd == master_wd)
- read_config(fd);
-- break;
+- else {
+- switch (utmpwatcher_handle(fd, event->wd)) {
+- case -1: /* Message was not for utmpwatcher */
+- if (event->len)
+- watch_list_find(event->wd, event->name);
+- break;
+-
+- case 1: /* utmp has changed need to reload */
+- read_config(fd);
+- break;
+#include <selinux/selinux.h>
-- default: /* No users logged in or out */
-- break;
+- default: /* No users logged in or out */
+- break;
+- }
- }
- }
+int debug_mode = 0;
@@ -760,7 +655,7 @@ index 58774e6..a588e5e 100644
}
static const char *pidfile = "/var/run/restorecond.pid";
-@@ -374,7 +120,7 @@ static void term_handler()
+@@ -377,7 +120,7 @@ static void term_handler()
static void usage(char *program)
{
@@ -769,7 +664,7 @@ index 58774e6..a588e5e 100644
exit(0);
}
-@@ -390,74 +136,35 @@ void exitApp(const char *msg)
+@@ -393,74 +136,35 @@ void exitApp(const char *msg)
to see if it is one that we are watching.
*/
@@ -868,7 +763,7 @@ index 58774e6..a588e5e 100644
/* Register sighandlers */
sa.sa_flags = 0;
-@@ -467,36 +174,59 @@ int main(int argc, char **argv)
+@@ -470,36 +174,59 @@ int main(int argc, char **argv)
set_matchpathcon_flags(MATCHPATHCON_NOTRANS);
@@ -906,14 +801,14 @@ index 58774e6..a588e5e 100644
+
+ uid_t uid = getuid();
+ struct passwd *pwd = getpwuid(uid);
-+ if (!pwd)
++ if (!pwd)
+ exitApp("getpwuid");
+
+ homedir = pwd->pw_dir;
+ if (uid != 0) {
+ if (run_as_user)
+ return server(master_fd, user_watch_file);
-+ if (start() != 0)
++ if (start() != 0)
+ return server(master_fd, user_watch_file);
+ return 0;
+ }
@@ -1040,32 +935,32 @@ index 0000000..e0c2871
+~/.config/*
diff --git a/policycoreutils/restorecond/user.c b/policycoreutils/restorecond/user.c
new file mode 100644
-index 0000000..8cf2f20
+index 0000000..ade3fb8
--- /dev/null
+++ b/policycoreutils/restorecond/user.c
-@@ -0,0 +1,242 @@
+@@ -0,0 +1,246 @@
+/*
+ * restorecond
+ *
-+ * Copyright (C) 2006-2009 Red Hat
++ * Copyright (C) 2006-2009 Red Hat
+ * see file 'COPYING' for use and warranty information
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation; either version 2 of
+ * the License, or (at your option) any later version.
-+ *
++ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
-+.*
++.*
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
-+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
++ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
+ * 02111-1307 USA
+ *
-+ * Authors:
++ * Authors:
+ * Dan Walsh <dwalsh at redhat.com>
+ *
+*/
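Review bot: the comment line that reads `.*` (between the warranty paragraph and the "You should have received" paragraph of the licence block) is a typo for ` *`; since this hunk already touches trailing whitespace on the neighbouring lines, fix it here as well.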
@@ -1108,9 +1003,9 @@ index 0000000..8cf2f20
+ GMainLoop *loop = user_data;
+
+ /* A signal from the bus saying we are about to be disconnected */
-+ if (dbus_message_is_signal
++ if (dbus_message_is_signal
+ (message, INTERFACE, "Stop")) {
-+
++
+ /* Tell the main loop to quit */
+ g_main_loop_quit (loop);
+ /* We have handled this message, don't pass it on */
@@ -1133,12 +1028,12 @@ index 0000000..8cf2f20
+ bus = dbus_bus_get (DBUS_BUS_SESSION, &error);
+ if (bus) {
+ dbus_connection_setup_with_g_main (bus, NULL);
-+
++
+ /* listening to messages from all objects as no path is specified */
+ dbus_bus_add_match (bus, RULE, &error); // see signals from the given interfacey
+ dbus_connection_add_filter (bus, signal_filter, loop, NULL);
+ return 0;
-+ }
++ }
+ return -1;
+}
+
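Review bot: `dbus_bus_add_match (bus, RULE, &error);` never checks `error`; if the bus rejects the match rule, `signal_filter` never sees the `Stop` signal and the "only one restorecond per user session" guarantee the man page promises silently stops working. Test `dbus_error_is_set(&error)` after the call, free the error, and return -1 as the `!bus` path below does.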
@@ -1178,7 +1073,7 @@ index 0000000..8cf2f20
+ event->cookie, event->len);
+ if (event->len)
+ watch_list_find(event->wd, event->name);
-+
++
+ i += EVENT_SIZE + event->len;
+ }
+ }
@@ -1209,7 +1104,7 @@ index 0000000..8cf2f20
+ DBusConnection *bus;
+ DBusError error;
+ DBusMessage *message;
-+
++
+ /* Get a connection to the session bus */
+ dbus_error_init (&error);
+ bus = dbus_bus_get (DBUS_BUS_SESSION, &error);
@@ -1219,7 +1114,7 @@ index 0000000..8cf2f20
+ dbus_error_free (&error);
+ return 1;
+ }
-+
++
+
+ /* Create a new signal "Start" on the interface,
+ * from the object */
@@ -1236,11 +1131,15 @@ index 0000000..8cf2f20
+static int local_server() {
+ // ! dbus, run as local service
+ char *ptr=NULL;
-+ asprintf(&ptr, "%s/.restorecond", homedir);
++ if (asprintf(&ptr, "%s/.restorecond", homedir) < 0) {
++ if (debug_mode)
++ perror("asprintf");
++ return -1;
++ }
+ int fd = open(ptr, O_CREAT | O_WRONLY | O_NOFOLLOW, S_IRUSR | S_IWUSR);
+ if (debug_mode)
+ g_warning ("Lock file: %s", ptr);
-+
++
+ free(ptr);
+ if (fd < 0) {
+ if (debug_mode)
@@ -1259,26 +1158,26 @@ index 0000000..8cf2f20
+ GMainLoop *loop;
+
+ loop = g_main_loop_new (NULL, FALSE);
-+
++
+#ifdef HAVE_DBUS
-+ if (dbus_server(loop) != 0)
++ if (dbus_server(loop) != 0)
+#endif /* HAVE_DBUS */
-+ if (local_server(loop))
++ if (local_server(loop))
+ goto end;
+
+ read_config(master_fd, watch_file);
-+
++
+ if (watch_list_isempty()) goto end;
+
+ set_matchpathcon_flags(MATCHPATHCON_NOTRANS);
-+
++
+ GIOChannel *c = g_io_channel_unix_new(master_fd);
-+
++
+ g_io_add_watch_full( c,
+ G_PRIORITY_HIGH,
+ G_IO_IN|G_IO_ERR|G_IO_HUP,
+ io_channel_callback, NULL, NULL);
-+
++
+ g_main_loop_run (loop);
+
+end:
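Review bot: `local_server` is defined above as `static int local_server() {` (empty, unprototyped parameter list) but is called here as `local_server(loop)`; give it an explicit prototype, either `static int local_server(void)` with the argument dropped or one taking `GMainLoop *`, so the compiler checks the call. The `#ifdef HAVE_DBUS` around `if (dbus_server(loop) != 0)` also leaves a dangling `if` whose body is the following `if (local_server(loop))` line; it works, but it reads wrong, so set an `int need_local = 1;` inside the `#ifdef` block and test that instead.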
@@ -1286,26 +1185,12 @@ index 0000000..8cf2f20
+ return 0;
+}
+
-diff --git a/policycoreutils/restorecond/utmpwatcher.c b/policycoreutils/restorecond/utmpwatcher.c
-index f182c22..feddb5a 100644
---- a/policycoreutils/restorecond/utmpwatcher.c
-+++ b/policycoreutils/restorecond/utmpwatcher.c
-@@ -72,8 +72,8 @@ unsigned int utmpwatcher_handle(int inotify_fd, int wd)
- if (utmp_wd == -1)
- exitApp("Error watching utmp file.");
-
-+ changed = strings_list_diff(prev_utmp_ptr, utmp_ptr);
- if (prev_utmp_ptr) {
-- changed = strings_list_diff(prev_utmp_ptr, utmp_ptr);
- strings_list_free(prev_utmp_ptr);
- }
- return changed;
diff --git a/policycoreutils/restorecond/watch.c b/policycoreutils/restorecond/watch.c
new file mode 100644
-index 0000000..20a861f
+index 0000000..6a833c3
--- /dev/null
+++ b/policycoreutils/restorecond/watch.c
-@@ -0,0 +1,270 @@
+@@ -0,0 +1,272 @@
+#define _GNU_SOURCE
+#include <sys/inotify.h>
+#include <errno.h>
@@ -1361,7 +1246,7 @@ index 0000000..20a861f
+ if (exclude(path)) goto end;
+
+ globbuf.gl_offs = 1;
-+ if (glob(path,
++ if (glob(path,
+ GLOB_TILDE | GLOB_PERIOD,
+ NULL,
+ &globbuf) >= 0) {
@@ -1390,7 +1275,7 @@ index 0000000..20a861f
+ ptr->wd = inotify_add_watch(fd, dir, IN_CREATE | IN_MOVED_TO);
+ if (ptr->wd == -1) {
+ free(ptr);
-+ if (! run_as_user)
++ if (! run_as_user)
+ syslog(LOG_ERR, "Unable to watch (%s) %s\n",
+ path, strerror(errno));
+ goto end;
@@ -1414,8 +1299,8 @@ index 0000000..20a861f
+ return;
+}
+
-+/*
-+ A file was in a direcroty has been created. This function checks to
++/*
++ A file was in a direcroty has been created. This function checks to
+ see if it is one that we are watching.
+*/
+
@@ -1433,7 +1318,7 @@ index 0000000..20a861f
+ if (asprintf(&path, "%s/%s", ptr->dir, file) <
+ 0)
+ exitApp("Error allocating memory.");
-+
++
+ process_one_realpath(path, 0);
+ free(path);
+ return 0;
@@ -1467,8 +1352,8 @@ index 0000000..20a861f
+ firstDir = NULL;
+}
+
-+/*
-+ Inotify watch loop
++/*
++ Inotify watch loop
+*/
+int watch(int fd, const char *watch_file)
+{
@@ -1505,7 +1390,7 @@ index 0000000..20a861f
+ case 1: /* utmp has changed need to reload */
+ read_config(fd, watch_file);
+ break;
-+
++
+ default: /* No users logged in or out */
+ break;
+ }
@@ -1534,7 +1419,9 @@ index 0000000..20a861f
+ if (buffer[0] == '~') {
+ if (run_as_user) {
+ char *ptr=NULL;
-+ asprintf(&ptr, "%s%s", homedir, &buffer[1]);
++ if (asprintf(&ptr, "%s%s", homedir, &buffer[1]) < 0)
++ exitApp("Error allocating memory.");
++
+ watch_list_add(fd, ptr);
+ free(ptr);
+ } else {
@@ -1547,8 +1434,8 @@ index 0000000..20a861f
+ free(line_buf);
+}
+
-+/*
-+ Read config file ignoring Comment lines
++/*
++ Read config file ignoring Comment lines
+ Files specified one per line. Files with "~" will be expanded to the logged in users
+ homedirs.
+*/
@@ -1576,33 +1463,6 @@ index 0000000..20a861f
+ if (master_wd == -1)
+ exitApp("Error watching config file.");
+}
-diff --git a/policycoreutils/run_init/open_init_pty.8 b/policycoreutils/run_init/open_init_pty.8
-index 540860a..10175dd 100644
---- a/policycoreutils/run_init/open_init_pty.8
-+++ b/policycoreutils/run_init/open_init_pty.8
-@@ -24,18 +24,18 @@
- .\"
- .TH OPEN_INIT_PTY "8" "January 2005" "Security Enhanced Linux" NSA
- .SH NAME
--open_init_pty \- run an program under a psuedo terminal
-+open_init_pty \- run an program under a pseudo terminal
- .SH SYNOPSIS
- .B open_init_pty
- \fISCRIPT\fR [[\fIARGS\fR]...]
- .br
- .SH DESCRIPTION
- .PP
--Run a program under a psuedo terminal. This is used by
-+Run a program under a pseudo terminal. This is used by
- .B run_init
- to run actually run the program after setting up the proper
--context. This program acquires a new Psuedo terminal, forks a child
--process that binds to the psueado terminal, and then sits around and
-+context. This program acquires a new Pseudo terminal, forks a child
-+process that binds to the pseudo terminal, and then sits around and
- connects the physical terminal it was invoked upon with the pseudo
- terminal, passing keyboard input into to the child process, and passing the
- output of the child process to the physical terminal.
diff --git a/policycoreutils/run_init/run_init.c b/policycoreutils/run_init/run_init.c
index 9db766c..068e24c 100644
--- a/policycoreutils/run_init/run_init.c
@@ -1626,7 +1486,7 @@ index 9db766c..068e24c 100644
} /* main() */
diff --git a/policycoreutils/sandbox/Makefile b/policycoreutils/sandbox/Makefile
-index ff0ee7c..0c8a085 100644
+index ff0ee7c..924999d 100644
--- a/policycoreutils/sandbox/Makefile
+++ b/policycoreutils/sandbox/Makefile
@@ -7,10 +7,10 @@ SBINDIR ?= $(PREFIX)/sbin
@@ -1636,7 +1496,7 @@ index ff0ee7c..0c8a085 100644
-override CFLAGS += $(LDFLAGS) -I$(PREFIX)/include -DPACKAGE="\"policycoreutils\""
-LDLIBS += -lselinux -lcap-ng
+override CFLAGS += $(LDFLAGS) -I$(PREFIX)/include -DPACKAGE="\"policycoreutils\"" -Wall -Werror -Wextra
-+LDLIBS += -lcgroup -lselinux -lcap-ng
++LDLIBS += -lcgroup -lselinux -lcap-ng
-all: sandbox seunshare sandboxX.sh
+all: sandbox seunshare sandboxX.sh start
@@ -1649,7 +1509,7 @@ index ff0ee7c..0c8a085 100644
install -m 644 sandbox.8 $(MANDIR)/man8/
+ install -m 644 seunshare.8 $(MANDIR)/man8/
+ -mkdir -p $(MANDIR)/man5
-+ install -m 644 sandbox.conf.5 $(MANDIR)/man5/
++ install -m 644 sandbox.conf.5 $(MANDIR)/man5/sandbox.5
-mkdir -p $(SBINDIR)
install -m 4755 seunshare $(SBINDIR)/
-mkdir -p $(SHAREDIR)
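Review bot: `install -m 644 sandbox.conf.5 $(MANDIR)/man5/sandbox.5` installs the page under a name that does not match its `.TH sandbox.conf "5"` header, so `man 5 sandbox.conf` finds nothing while `man 5 sandbox` does; install it as `$(MANDIR)/man5/sandbox.conf.5` or rename the .TH to match.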
@@ -1664,12 +1524,11 @@ index ff0ee7c..0c8a085 100644
test:
@python test_sandbox.py -v
diff --git a/policycoreutils/sandbox/sandbox b/policycoreutils/sandbox/sandbox
-index 48a26c2..4d17385 100644
+index 0b89e9a..481034c 100644
--- a/policycoreutils/sandbox/sandbox
+++ b/policycoreutils/sandbox/sandbox
@@ -1,5 +1,6 @@
--#! /usr/bin/python -E
-+#! /usr/bin/python -Es
+ #! /usr/bin/python -Es
# Authors: Dan Walsh <dwalsh at redhat.com>
+# Authors: Thomas Liu <tliu at fedoraproject.org>
# Authors: Josh Cogliati
@@ -1685,7 +1544,7 @@ index 48a26c2..4d17385 100644
import signal
from tempfile import mkdtemp
import pwd
-+import commands
++import commands
+import setools
PROGNAME = "policycoreutils"
@@ -1746,7 +1605,7 @@ index 48a26c2..4d17385 100644
raise ValueError(_("""
-/usr/sbin/seunshare is required for the action you want to perform.
-"""))
-+%s is required for the action you want to perform.
++%s is required for the action you want to perform.
+""") % SEUNSHARE)
def __mount_callback(self, option, opt, value, parser):
@@ -1757,12 +1616,12 @@ index 48a26c2..4d17385 100644
setattr(parser.values, option.dest, True)
+ if not os.path.exists(SEUNSHARE):
+ raise ValueError(_("""
-+%s is required for the action you want to perform.
++%s is required for the action you want to perform.
+""") % SEUNSHARE)
+
+ if not os.path.exists(SANDBOXSH):
+ raise ValueError(_("""
-+%s is required for the action you want to perform.
++%s is required for the action you want to perform.
+""") % SANDBOXSH)
def __validdir(self, option, opt, value, parser):
@@ -1794,18 +1653,14 @@ index 48a26c2..4d17385 100644
kill -TERM $WM_PID 2> /dev/null
""" % (command, wm, command))
fd.close()
-@@ -226,14 +244,25 @@ kill -TERM $WM_PID 2> /dev/null
+@@ -229,11 +247,22 @@ kill -TERM $WM_PID 2> /dev/null
- def usage(self, message = ""):
- error_exit("%s\n%s" % (self.__parser.usage, message))
--
-+
def __parse_options(self):
from optparse import OptionParser
+ types = ""
+ try:
+ types = _("""
-+Policy defines the following types for use with the -t:
++Policy defines the following types for use with the -t:
+\t%s
+""") % "\n\t".join(setools.seinfo(setools.ATTRIBUTE, "sandbox_type")[0]['types'])
+ except RuntimeError:
@@ -1813,9 +1668,9 @@ index 48a26c2..4d17385 100644
+
usage = _("""
-sandbox [-h] [-[X|M] [-l level ] [-H homedir] [-T tempdir]] [-I includefile ] [-W windowmanager ] [[-i file ] ...] [ -t type ] command
-+sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [-W windowmanager ] [ -w windowsize ] [[-i file ] ...] [ -t type ] command
++sandbox [-h] [-c] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [-W windowmanager ] [ -w windowsize ] [[-i file ] ...] [ -t type ] command
+
-+sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [-W windowmanager ] [ -w windowsize ] [[-i file ] ...] [ -t type ] -S
++sandbox [-h] [-c] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [-W windowmanager ] [ -w windowsize ] [[-i file ] ...] [ -t type ] -S
+%s
+""") % types
@@ -1824,13 +1679,23 @@ index 48a26c2..4d17385 100644
parser = OptionParser(version=self.VERSION, usage=usage)
parser.disable_interspersed_args()
-@@ -268,6 +297,10 @@ sandbox [-h] [-[X|M] [-l level ] [-H homedir] [-T tempdir]] [-I includefile ] [-
+@@ -260,14 +289,18 @@ sandbox [-h] [-[X|M] [-l level ] [-H homedir] [-T tempdir]] [-I includefile ] [-
+ parser.add_option("-H", "--homedir",
+ action="callback", callback=self.__validdir,
+ type="string",
+- dest="homedir",
++ dest="homedir",
+ help=_("alternate home directory to use for mounting"))
+
+- parser.add_option("-T", "--tmpdir", dest="tmpdir",
++ parser.add_option("-T", "--tmpdir", dest="tmpdir",
+ type="string",
action="callback", callback=self.__validdir,
help=_("alternate /tmp directory to use for mounting"))
+ parser.add_option("-w", "--windowsize", dest="windowsize",
+ type="string", default=DEFAULT_WINDOWSIZE,
-+ help="size of the sandbox window")
++ help="size of the sandbox window")
+
parser.add_option("-W", "--windowmanager", dest="wm",
type="string",
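Review bot: `help="size of the sandbox window"` for `-w/--windowsize` is the only option help in this block not wrapped in `_()`, so it will never be translated; the `--cgroups` help in the next hunk is being corrected in exactly this way, so do the same here.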
@@ -1840,8 +1705,8 @@ index 48a26c2..4d17385 100644
help=_("MCS/MLS level for the sandbox"))
+ parser.add_option("-c", "--cgroups",
-+ action="store_true", dest="usecgroup", default=False,
-+ help="Use cgroups to limit this sandbox.")
++ action="store_true", dest="usecgroup", default=False,
++ help=_("Use cgroups to limit this sandbox."))
+
+ parser.add_option("-C", "--capabilities",
+ action="store_true", dest="usecaps", default=False,
@@ -1869,7 +1734,15 @@ index 48a26c2..4d17385 100644
if len(cmds) == 0:
self.usage(_("Command required"))
cmds[0] = fullpath(cmds[0])
-@@ -329,44 +374,47 @@ sandbox [-h] [-[X|M] [-l level ] [-H homedir] [-T tempdir]] [-I includefile ] [-
+@@ -323,50 +368,51 @@ sandbox [-h] [-[X|M] [-l level ] [-H homedir] [-T tempdir]] [-I includefile ] [-
+
+ con = selinux.getcon()[1].split(":")
+ self.__execcon = "%s:%s:%s:%s" % (con[0], con[1], self.setype, level)
+- self.__filecon = "%s:%s:%s:%s" % (con[0], "object_r",
+- "%s_file_t" % self.setype[:-2],
++ self.__filecon = "%s:%s:%s:%s" % (con[0], "object_r",
++ "%s_file_t" % self.setype[:-2],
+ level)
def __setup_dir(self):
if self.__options.level or self.__options.session:
return
@@ -1914,8 +1787,6 @@ index 48a26c2..4d17385 100644
+ cmds.append('-c')
+ if self.__options.usecaps:
+ cmds.append('-C')
-+ if not self.__options.level:
-+ cmds.append('-k')
if self.__mount:
- cmds = [ '/usr/sbin/seunshare', "-t", self.__tmpdir, "-h", self.__homedir, "--", self.__execcon ] + self.__paths
- rc = subprocess.Popen(cmds).wait()
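Review bot: the two deleted lines `if not self.__options.level:` / `cmds.append('-k')` change what seunshare is invoked with when sandbox allocates the MCS level itself (it is no longer passed `-k` in that case); that is a functional change, not the whitespace and cleanup the surrounding lines are, and nothing in the commit message covers it, so either state the reason or keep the flag.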
@@ -1937,7 +1808,7 @@ index 48a26c2..4d17385 100644
selinux.setexeccon(self.__execcon)
rc = subprocess.Popen(self.__cmds).wait()
-@@ -404,7 +452,7 @@ if __name__ == '__main__':
+@@ -404,7 +450,7 @@ if __name__ == '__main__':
sandbox = Sandbox()
rc = sandbox.main()
except OSError, error:
@@ -1947,7 +1818,7 @@ index 48a26c2..4d17385 100644
error_exit(error.args[0])
except KeyError, error:
diff --git a/policycoreutils/sandbox/sandbox.8 b/policycoreutils/sandbox/sandbox.8
-index 1479364..3deb4b2 100644
+index 1479364..2b37e63 100644
--- a/policycoreutils/sandbox/sandbox.8
+++ b/policycoreutils/sandbox/sandbox.8
@@ -1,10 +1,13 @@
@@ -1975,7 +1846,7 @@ index 1479364..3deb4b2 100644
+Run a full desktop session, Requires level, and home and tmpdir.
+.TP
+\fB\-w windowsize\fR
-+Specifies the windowsize when creating an X based Sandbox. The default windowsize is 1000x700.
++Specifies the windowsize when creating an X based Sandbox. The default windowsize is 1000x700.
+.TP
\fB\-W windowmanager\fR
Select alternative window manager to run within
@@ -1998,7 +1869,7 @@ index 1479364..3deb4b2 100644
.PP
+
+.SH AUTHOR
-+This manual page was written by
++This manual page was written by
+.I Dan Walsh <dwalsh at redhat.com>
+and
+.I Thomas Liu <tliu at fedoraproject.org>
@@ -2017,13 +1888,13 @@ index 0000000..7c35808
+CPUUSAGE=80%
diff --git a/policycoreutils/sandbox/sandbox.conf.5 b/policycoreutils/sandbox/sandbox.conf.5
new file mode 100644
-index 0000000..ee97e10
+index 0000000..b3ee67d
--- /dev/null
+++ b/policycoreutils/sandbox/sandbox.conf.5
@@ -0,0 +1,40 @@
+.TH sandbox.conf "5" "June 2010" "sandbox.conf" "Linux System Administration"
+.SH NAME
-+sandbox.conf \- user config file for the SELinux sandbox
++sandbox.conf \- user config file for the SELinux sandbox
+.SH DESCRIPTION
+.PP
+When running sandbox with the -C argument, it will be confined using control groups and a system administrator can specify how the sandbox is confined.
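Review bot: this sentence says `-C` selects control-group confinement, but the option parser in the sandbox hunk above defines `parser.add_option("-c", "--cgroups", ...)` for cgroups and `parser.add_option("-C", "--capabilities", ...)` for capabilities, and the seunshare(8) synopsis lists `-c` and `-C` as distinct flags; change this to `-c`.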
@@ -2059,7 +1930,7 @@ index 0000000..ee97e10
+.PP
+
+.SH AUTHOR
-+This manual page was written by
++This manual page was written by
+.I Thomas Liu <tliu at fedoraproject.org>
diff --git a/policycoreutils/sandbox/sandbox.init b/policycoreutils/sandbox/sandbox.init
index ff8b3ef..66aadfd 100644
@@ -2106,22 +1977,23 @@ index ff8b3ef..66aadfd 100644
}
diff --git a/policycoreutils/sandbox/sandboxX.sh b/policycoreutils/sandbox/sandboxX.sh
-index 8338203..0b0239c 100644
+index 8338203..88ebfee 100644
--- a/policycoreutils/sandbox/sandboxX.sh
+++ b/policycoreutils/sandbox/sandboxX.sh
@@ -1,15 +1,21 @@
- #!/bin/bash
+-#!/bin/bash
++#!/bin/bash
+trap "" TERM
context=`id -Z | secon -t -l -P`
export TITLE="Sandbox $context -- `grep ^#TITLE: ~/.sandboxrc | /usr/bin/cut -b8-80`"
-export SCREENSIZE="1000x700"
-#export SCREENSIZE=`xdpyinfo | awk '/dimensions/ { print $2 }'`
-+[ -z $1 ] && export SCREENSIZE="1000x700" || export SCREENSIZE="$1"
-+[ -z $2 ] && export DPI="96" || export DPI="$2"
++[ -z $1 ] && export SCREENSIZE="1000x700" || export SCREENSIZE="$1"
++[ -z $2 ] && export DPI="96" || export DPI="$2"
trap "exit 0" HUP
-(/usr/bin/Xephyr -title "$TITLE" -terminate -screen $SCREENSIZE -displayfd 5 5>&1 2>/dev/null) | while read D; do
-+(/usr/bin/Xephyr -title "$TITLE" -terminate -screen $SCREENSIZE -dpi $DPI -displayfd 5 5>&1 2>/dev/null) | while read D; do
++(/usr/bin/Xephyr -title "$TITLE" -terminate -screen $SCREENSIZE -dpi $DPI -displayfd 5 5>&1 2>/dev/null) | while read D; do
export DISPLAY=:$D
- python -c 'import gtk, os, commands; commands.getstatusoutput("%s/.sandboxrc" % os.environ["HOME"])'
+ cat > ~/seremote << __EOF
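Review bot: `[ -z $1 ] && export SCREENSIZE="1000x700" || export SCREENSIZE="$1"` leaves `$1` unquoted inside `[ ]`, so an argument containing whitespace or a glob character breaks the test (same for `$2`/DPI), and `-screen $SCREENSIZE -dpi $DPI` are unquoted on the Xephyr line; these values arrive from the new `-w windowsize` option of the sandbox script, so quote them: `[ -z "$1" ]`, `[ -z "$2" ]`, and `-screen "$SCREENSIZE" -dpi "$DPI"`.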
@@ -2138,7 +2010,7 @@ index 8338203..0b0239c 100644
exit 0
diff --git a/policycoreutils/sandbox/seunshare.8 b/policycoreutils/sandbox/seunshare.8
new file mode 100644
-index 0000000..c69ceda
+index 0000000..06610c0
--- /dev/null
+++ b/policycoreutils/sandbox/seunshare.8
@@ -0,0 +1,43 @@
@@ -2147,11 +2019,11 @@ index 0000000..c69ceda
+seunshare \- Run cmd with alternate homedir, tmpdir and/or SELinux context
+.SH SYNOPSIS
+.B seunshare
-+[-v] [-c] [-C] [-k] [ -t tmpdir ] [ -h homedir ] [ -Z context ] -- executable [args]
++[ -v ] [ -c ] [ -C ] [ -k ] [ -t tmpdir ] [ -h homedir ] [ -Z context ] -- executable [args]
+.br
+.SH DESCRIPTION
+.PP
-+Run the
++Run the
+.I executable
+within the specified context, using the alternate home directory and /tmp directory. The seunshare command unshares from the default namespace, then mounts the specified homedir and tmpdir over the default homedir and /tmp. Finally it tells the kernel to execute the application under the specified SELinux context.
+
@@ -2178,15 +2050,15 @@ index 0000000..c69ceda
+Verbose output
+.SH "SEE ALSO"
+.TP
-+runcon(1), sandbox(8), selinux(8)
++runcon(1), sandbox(8), selinux(8)
+.PP
+.SH AUTHOR
-+This manual page was written by
++This manual page was written by
+.I Dan Walsh <dwalsh at redhat.com>
+and
+.I Thomas Liu <tliu at fedoraproject.org>
diff --git a/policycoreutils/sandbox/seunshare.c b/policycoreutils/sandbox/seunshare.c
-index ec692e7..2718a68 100644
+index e713b74..1a0a488 100644
--- a/policycoreutils/sandbox/seunshare.c
+++ b/policycoreutils/sandbox/seunshare.c
@@ -1,27 +1,35 @@
@@ -2195,7 +2067,7 @@ index ec692e7..2718a68 100644
+ * Authors: Thomas Liu <tliu at fedoraproject.org>
+ */
+
-+#define _GNU_SOURCE
+ #define _GNU_SOURCE
#include <signal.h>
#include <sys/types.h>
+#include <sys/stat.h>
@@ -2204,7 +2076,6 @@ index ec692e7..2718a68 100644
#include <sys/mount.h>
+#include <glob.h>
#include <pwd.h>
--#define _GNU_SOURCE
#include <sched.h>
+#include <libcgroup.h>
#include <string.h>
@@ -2230,7 +2101,7 @@ index ec692e7..2718a68 100644
#ifdef USE_NLS
#include <locale.h> /* for setlocale() */
-@@ -39,29 +47,56 @@
+@@ -39,29 +47,55 @@
#define MS_PRIVATE 1<<18
#endif
@@ -2240,8 +2111,7 @@ index ec692e7..2718a68 100644
+
+#define BUF_SIZE 1024
+#define DEFAULT_PATH "/usr/bin:/bin"
-+
-+#define USAGE_STRING _("USAGE: seunshare [ -v ] [ -c ] -C -t tmpdir -h homedir [-Z context] -- executable [args]")
++#define USAGE_STRING _("USAGE: seunshare [ -v ] [ -c ] [ -k ] [ -C ] [ -t tmpdir] [ -h homedir ] [ -Z context ] -- executable [args]")
+
+static int verbose = 0;
+static int child = 0;
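Review bot: `[ -t tmpdir]` in the new USAGE_STRING is missing the space before `]` that every other option in the string and the seunshare(8) synopsis (`[ -t tmpdir ]`) use; make the spacing consistent.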
@@ -2300,7 +2170,7 @@ index ec692e7..2718a68 100644
*/
static int set_signal_handles(void)
{
-@@ -75,32 +110,117 @@ static int set_signal_handles(void)
+@@ -75,32 +109,117 @@ static int set_signal_handles(void)
(void)sigprocmask(SIG_SETMASK, &empty, NULL);
@@ -2312,7 +2182,7 @@ index ec692e7..2718a68 100644
}
+ if (signal(SIGINT, handler) == SIG_ERR) {
-+ perror("Unable to set SIGHUP handler");
++ perror("Unable to set SIGINT handler");
+ return -1;
+ }
+
@@ -2408,7 +2278,7 @@ index ec692e7..2718a68 100644
- fprintf(stderr, _("Invalid mount point %s: %s\n"), mntdir, strerror(errno));
+
+ if (st_out == NULL) st_out = &sb;
-+
++
+ if (lstat(dir, st_out) == -1) {
+ fprintf(stderr, _("Failed to stat %s: %s\n"), dir, strerror(errno));
+ return -1;
@@ -2429,7 +2299,7 @@ index ec692e7..2718a68 100644
return 0;
}
-@@ -123,7 +243,7 @@ static int verify_shell(const char *shell_name)
+@@ -123,7 +242,7 @@ static int verify_shell(const char *shell_name)
/* check the shell skipping newline char */
if (!strcmp(shell_name, buf)) {
@@ -2438,7 +2308,7 @@ index ec692e7..2718a68 100644
break;
}
}
-@@ -131,45 +251,594 @@ static int verify_shell(const char *shell_name)
+@@ -131,54 +250,618 @@ static int verify_shell(const char *shell_name)
return rc;
}
@@ -2522,12 +2392,12 @@ index ec692e7..2718a68 100644
+static int match(const char *string, char *pattern)
+{
+ int status;
-+ regex_t re;
++ regex_t re;
+ if (regcomp(&re, pattern, REG_EXTENDED|REG_NOSUB) != 0) {
+ return 0;
+ }
+ status = regexec(&re, string, (size_t)0, NULL, 0);
-+ regfree(&re);
++ regfree(&re);
+ if (status != 0) {
+ return 0;
+ }
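Review bot: match() hides regcomp() failures by returning 0, so a malformed pattern is indistinguishable from a non-match and the caller can only report a generic "Error parsing config file."; print the regerror() text (or at least return a distinct value) when compilation fails. `pattern` is never modified, so declare it `const char *pattern`.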
@@ -2549,8 +2419,8 @@ index ec692e7..2718a68 100644
+ char *tok = NULL;
+ int rc = -1;
+ char *str = NULL;
-+ const char* fname = "/etc/sysconfig/sandbox";
-+
++ const char* fname = "/etc/sysconfig/sandbox";
++
+ if ((fp = fopen(fname, "rt")) == NULL) {
+ fprintf(stderr, "Error opening sandbox config file.");
+ return rc;
@@ -2558,13 +2428,15 @@ index ec692e7..2718a68 100644
+ while(fgets(buf, BUF_SIZE, fp) != NULL) {
+ /* Skip comments */
+ if (buf[0] == '#') continue;
-+
++
+ /* Copy the string, ignoring whitespace */
+ int len = strlen(buf);
+ free(str);
+ str = malloc((len + 1) * sizeof(char));
-+
-+ int ind = 0;
++ if (!str)
++ goto err;
++
++ int ind = 0;
+ int i;
+ for (i = 0; i < len; i++) {
+ char cur = buf[i];
@@ -2574,7 +2446,7 @@ index ec692e7..2718a68 100644
+ }
+ }
+ str[ind] = '\0';
-+
++
+ tok = strtok(str, "=\n");
+ if (tok != NULL) {
+ if (!strcmp(tok, "CPUAFFINITY")) {
@@ -2598,7 +2470,7 @@ index ec692e7..2718a68 100644
+ fprintf(stderr, "Error parsing config file.");
+ goto err;
+ }
-+
++
+ } else if (!strcmp(tok, "CPUUSAGE")) {
+ tok = strtok(NULL, "=\n");
+ if (match(tok, "^[0-9]+\%")) {
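Review bot: the pattern `"^[0-9]+\%"` uses `\%`, which is not a valid C escape sequence (compilers warn and substitute a bare `%`) and is an undefined escape in a POSIX extended regular expression; write `"^[0-9]+%"`, since `%` has no special meaning. Also `tok = strtok(NULL, "=\n")` returns NULL for a line such as `CPUUSAGE=` with nothing after the `=`, and match() would then hand NULL to regexec(); test `tok != NULL` before matching.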
@@ -2616,14 +2488,14 @@ index ec692e7..2718a68 100644
+ continue;
+ }
+ }
-+
++
+ }
+ if (mem == NULL) {
+ long phypz = sysconf(_SC_PHYS_PAGES);
+ long psize = sysconf(_SC_PAGE_SIZE);
+ memusage = phypz * psize * (float) memusage / 100.0;
+ }
-+
++
+ cgroup_init();
+
+ int64_t current_runtime = 0;
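Review bot: `memusage = phypz * psize * (float) memusage / 100.0;` evaluates `phypz * psize` in `long` first, which overflows on 32-bit builds once physical memory exceeds 2 GiB, and then pushes the byte count through single-precision float, which cannot represent values above 16 MiB exactly; do the arithmetic in `uint64_t` (or `double`) and divide last. The return value of `cgroup_init()` on the following line is also discarded; it reports whether the cgroup mount could be located, and a failure there should abort before the cgroup_* calls that follow.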
@@ -2639,8 +2511,8 @@ index ec692e7..2718a68 100644
+ cgroup_get_cgroup(curr);
+ cgroup_get_value_int64(cgroup_get_controller(curr, "cpu"), "cpu.rt_runtime_us", ¤t_runtime);
+ cgroup_get_value_int64(cgroup_get_controller(curr, "cpu"), "cpu.rt_period_us", ¤t_period);
-+ }
-+
++ }
++
+ ret = cgroup_get_current_controller_path(getpid(), "memory", &curr_mem_path);
+ if (ret) {
+ sandbox_error("Error while trying to get current controller path.\n");
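Review bot: the cgroup_get_cgroup() and cgroup_get_value_int64() calls here ignore their return codes, so if the `cpu` controller or the `cpu.rt_runtime_us`/`cpu.rt_period_us` keys are absent, `current_runtime` and `current_period` silently keep their initial 0 and the later ratio check divides by zero; check each return and treat failure as an error. Separately, `¤t_runtime` and `¤t_period` on these lines are `&current_runtime` and `&current_period` with the `&curren` prefix decoded as an HTML entity by the archive renderer, not the actual source text.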
@@ -2648,33 +2520,33 @@ index ec692e7..2718a68 100644
+ struct cgroup *curr = cgroup_new_cgroup(curr_mem_path);
+ cgroup_get_cgroup(curr);
+ cgroup_get_value_int64(cgroup_get_controller(curr, "memory"), "memory.limit_in_bytes", ¤t_mem);
-+ }
-+
++ }
++
+ if (((float) cpupercentage) / 100.0> (float)current_runtime / (float) current_period) {
+ sandbox_error("CPU usage restricted!\n");
+ goto err;
-+ }
-+
-+ if (mem == NULL) {
++ }
++
++ if (mem == NULL) {
+ if (memusage > current_mem) {
+ sandbox_error("Attempting to use more memory than allowed!");
+ goto err;
+ }
+ }
-+
++
+ long nprocs = sysconf(_SC_NPROCESSORS_ONLN);
-+
-+ struct sched_param sp;
++
++ struct sched_param sp;
+ sp.sched_priority = sched_get_priority_min(SCHED_FIFO);
+ sched_setscheduler(getpid(), SCHED_FIFO, &sp);
+ struct cgroup *sandbox_group = cgroup_new_cgroup(cgroupname);
+ cgroup_add_controller(sandbox_group, "memory");
+ cgroup_add_controller(sandbox_group, "cpu");
-+
++
+ if (mem == NULL) {
+ if (memusage > 0) {
+ cgroup_set_value_uint64(cgroup_get_controller(sandbox_group, "memory"), "memory.limit_in_bytes", memusage);
-+ }
++ }
+ } else {
+ cgroup_set_value_string(cgroup_get_controller(sandbox_group, "memory"), "memory.limit_in_bytes", mem);
+ }
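Review bot: `((float) cpupercentage) / 100.0> (float)current_runtime / (float) current_period` divides by `current_period`, which is still 0 whenever the controller lookup above failed; the quotient is then inf or NaN, the comparison is always false, and the "CPU usage restricted!" check never fires, so guard it with `current_period > 0`. `sched_setscheduler(getpid(), SCHED_FIFO, &sp)` also discards its return value; it needs CAP_SYS_NICE and fails silently otherwise, and a privileged helper that expects to be in a real-time class should at least log when the switch does not take effect.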
@@ -2686,13 +2558,13 @@ index ec692e7..2718a68 100644
+ if (cpus != NULL) {
+ cgroup_set_value_string(cgroup_get_controller(sandbox_group, "cpu"), "cgroup.procs",cpus);
+ }
-+
++
+ uint64_t allocated_mem;
+ if (cgroup_get_value_uint64(cgroup_get_controller(sandbox_group, "memory"), "memory.limit_in_bytes", &allocated_mem) > current_mem) {
+ sandbox_error("Attempting to use more memory than allowed!\n");
+ goto err;
+ }
-+
++
+ rc = cgroup_create_cgroup(sandbox_group, 1);
+ if (rc != 0) {
+ sandbox_error("Failed to create group. Ensure that cgconfig service is running. \n");
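Review bot: `if (cgroup_get_value_uint64(..., &allocated_mem) > current_mem)` compares the function's integer status code with `current_mem` instead of the value stored in `allocated_mem`, so on success the test is `0 > current_mem` and the limit check never triggers; check the return for an error, then compare `allocated_mem > current_mem`. Please also confirm `cgroup.procs` is the intended key for `cpus`: that file holds member pids, whereas a CPU list parsed from CPUAFFINITY would normally be written to a `cpuset.cpus`-style key on a cpuset controller.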
@@ -2711,7 +2583,7 @@ index ec692e7..2718a68 100644
+ return rc;
+}
+
-+/*
++/*
+ If path is empy or ends with "/." or "/.. return -1 else return 0;
+ */
+static int bad_path(const char *path) {
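Review bot: typo in the bad_path() comment, `empy` should be `empty`, and the closing quote after `"/..` is missing; suggest `If path is empty or ends with "/." or "/.." return -1, else return 0.`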
@@ -2733,7 +2605,7 @@ index ec692e7..2718a68 100644
+ return 0;
+}
+
-+static int rsynccmd(const char * src, const char *dst, char **cmdbuf)
++static int rsynccmd(const char * src, const char *dst, char **cmdbuf)
+{
+ char *buf = NULL;
+ char *newbuf = NULL;
@@ -2777,7 +2649,7 @@ index ec692e7..2718a68 100644
+ newbuf = NULL;
+ }
+
-+ if (buf) {
++ if (buf) {
+ if (asprintf(&newbuf, "/usr/bin/rsync -trlHDq %s '%s'", buf, dst) == -1) {
+ fprintf(stderr, "Out of memory\n");
+ goto err;
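Review bot: `asprintf(&newbuf, "/usr/bin/rsync -trlHDq %s '%s'", buf, dst)` builds a shell command line by interpolating paths, so a `dst` (or an element already in `buf`) that contains a single quote escapes the quoting and the rest of the string is interpreted by the shell; since this helper later runs with fsuid 0, either reject quote characters and whitespace in paths up front (bad_path() is the natural place) or run rsync via fork()/execv() with an argv array instead of a command string.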
@@ -2892,8 +2764,12 @@ index ec692e7..2718a68 100644
+ if (verify_directory(tmpdir, NULL, out_st) < 0) {
+ goto err;
+ }
-+ if (check_owner_uid(0, tmpdir, out_st) < 0) goto err;
-+ if (check_owner_gid(getgid(), tmpdir, out_st) < 0) goto err;
++
++ if (check_owner_uid(0, tmpdir, out_st) < 0)
++ goto err;
++
++ if (check_owner_gid(getgid(), tmpdir, out_st) < 0)
++ goto err;
+
+ /* change permissions of the temporary directory */
+ if ((fd_t = open(tmpdir, O_RDONLY)) < 0) {
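Review bot: verify_directory(), check_owner_uid() and check_owner_gid() inspect `tmpdir` by path and the directory is then reopened with `open(tmpdir, O_RDONLY)`, which leaves a window in which the path can be replaced between the check and the open; after the open, fstat() the descriptor and compare st_dev/st_ino with `*out_st` (and open with O_DIRECTORY|O_NOFOLLOW), so that the fd-based operations that follow, such as fsetfilecon(fd_t, ...), act on the directory that was actually verified.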
@@ -2920,7 +2796,7 @@ index ec692e7..2718a68 100644
+
+ /* copy selinux context */
+ if (execcon) {
-+ if (fsetfilecon(fd_t, con) == -1) {
++ if (fsetfilecon(fd_t, con) == -1) {
+ fprintf(stderr, _("Failed to set context of the directory %s: %s\n"), tmpdir, strerror(errno));
+ goto err;
+ }
@@ -2972,6 +2848,7 @@ index ec692e7..2718a68 100644
+ max_pids = 256;
+ pid_table = malloc(max_pids * sizeof (pid_t));
+ if (!pid_table) {
++ (void)closedir(dir);
+ return -1;
+ }
+ pids = 0;
@@ -2985,6 +2862,7 @@ index ec692e7..2718a68 100644
+
+ if (pids == max_pids) {
+ if (!(pid_table = realloc(pid_table, 2*pids*sizeof(pid_t)))) {
++ (void)closedir(dir);
+ return -1;
+ }
+ max_pids *= 2;
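Review bot: adding closedir() on the realloc failure path is right, but `pid_table = realloc(pid_table, 2*pids*sizeof(pid_t))` assigns the result straight back, so when realloc returns NULL the original buffer is unreachable and leaks before `return -1`; realloc into a temporary and free `pid_table` on failure.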
@@ -2998,7 +2876,7 @@ index ec692e7..2718a68 100644
+ pid_t id = pid_table[i];
+
+ if (getpidcon(id, &scon) == 0) {
-+
++
+ context_t pidcon = context_new(scon);
+ /* Attempt to kill remaining processes */
+ if (strcmp(context_range_get(pidcon), mcs) == 0)
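Review bot: context_range_get(pidcon) can return NULL for a context without a range component (a non-MLS/MCS policy), and strcmp() would then dereference NULL; check the range before comparing. Also make sure `scon` from getpidcon() and `pidcon` from context_new() are released with freecon()/context_free() on every loop iteration; the visible lines do not show it.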
@@ -3047,20 +2925,24 @@ index ec692e7..2718a68 100644
{NULL, 0, 0, 0}
};
-@@ -180,6 +849,12 @@ int main(int argc, char **argv) {
+ uid_t uid = getuid();
+-
++/*
+ if (!uid) {
+ fprintf(stderr, _("Must not be root"));
return -1;
}
-
++*/
++
+#ifdef USE_NLS
+ setlocale(LC_ALL, "");
+ bindtextdomain(PACKAGE, LOCALEDIR);
+ textdomain(PACKAGE);
+#endif
-+
+
struct passwd *pwd=getpwuid(uid);
if (!pwd) {
- perror(_("getpwduid failed"));
-@@ -187,34 +862,36 @@ int main(int argc, char **argv) {
+@@ -187,34 +870,36 @@ int main(int argc, char **argv) {
}
if (verify_shell(pwd->pw_shell) < 0) {
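Review bot: the `if (!uid) { fprintf(stderr, _("Must not be root")); return -1; }` guard is disabled by wrapping it in `/* ... */` rather than removed, with no explanation; since seunshare raises privilege with setfsuid(0) later in main(), refusing to run when invoked as root was a deliberate invariant, so either record why root invocation is now acceptable or delete the dead block instead of leaving commented-out code.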
@@ -3112,7 +2994,7 @@ index ec692e7..2718a68 100644
break;
default:
fprintf(stderr, "%s\n", USAGE_STRING);
-@@ -223,76 +900,84 @@ int main(int argc, char **argv) {
+@@ -223,99 +908,131 @@ int main(int argc, char **argv) {
}
if (! homedir_s && ! tmpdir_s) {
@@ -3133,14 +3015,16 @@ index ec692e7..2718a68 100644
- scontext = argv[optind++];
-
- if (set_signal_handles())
-- return -1;
--
-- if (unshare(CLONE_NEWNS) < 0) {
-- perror(_("Failed to unshare"));
+ if (execcon && is_selinux_enabled() != 1) {
+ fprintf(stderr, _("Error: execution context specified, but SELinux is not enabled\n"));
return -1;
- }
++ }
+
+- if (unshare(CLONE_NEWNS) < 0) {
+- perror(_("Failed to unshare"));
++ if (set_signal_handles())
+ return -1;
+- }
- if (homedir_s && tmpdir_s && (strncmp(pwd->pw_dir, tmpdir_s, strlen(pwd->pw_dir)) == 0)) {
- if (seunshare_mount(tmpdir_s, "/tmp", pwd) < 0)
@@ -3154,16 +3038,17 @@ index ec692e7..2718a68 100644
- if (tmpdir_s && seunshare_mount(tmpdir_s, "/tmp", pwd) < 0)
- return -1;
- }
-+ if (set_signal_handles()) return -1;
-+
-+ if (usecgroups && setup_cgroups() < 0) return -1;
++ if (usecgroups && setup_cgroups() < 0)
++ return -1;
+
+ /* set fsuid to ruid */
+ /* Changing fsuid is usually required when user-specified directory is
+ * on an NFS mount. It's also desired to avoid leaking info about
+ * existence of the files not accessible to the user. */
+ setfsuid(uid);
-+
+
+- if (drop_capabilities(uid)) {
+- perror(_("Failed to drop all capabilities"));
+ /* verify homedir and tmpdir */
+ if (homedir_s && (
+ verify_directory(homedir_s, NULL, &st_homedir) < 0 ||
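Review bot: `setfsuid(uid);` is not checked, and setfsuid() does not report refusal through errno or its return value (it returns the previous fsuid either way), so the only way to confirm the switch took effect is a second call, e.g. `if (setfsuid(uid) != (int)uid) return -1;`, before relying on the verify_directory() calls that follow to run with the user's filesystem identity. The same applies to the `setfsuid(0)` that restores it in the next hunk.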
@@ -3172,9 +3057,7 @@ index ec692e7..2718a68 100644
+ verify_directory(tmpdir_s, NULL, &st_tmpdir_s) < 0 ||
+ check_owner_uid(uid, tmpdir_s, &st_tmpdir_s))) return -1;
+ setfsuid(0);
-
-- if (drop_capabilities(uid)) {
-- perror(_("Failed to drop all capabilities"));
++
+ /* create runtime tmpdir */
+ if (tmpdir_s && (tmpdir_r = create_tmpdir(tmpdir_s, &st_tmpdir_s,
+ &st_tmpdir_r, pwd, execcon)) == NULL) {
@@ -3243,18 +3126,20 @@ index ec692e7..2718a68 100644
+ goto childerr;
}
-
- if (display)
+- if (display)
++ if (display)
rc |= setenv("DISPLAY", display, 1);
rc |= setenv("HOME", pwd->pw_dir, 1);
-@@ -300,22 +985,47 @@ int main(int argc, char **argv) {
+ rc |= setenv("SHELL", pwd->pw_shell, 1);
rc |= setenv("USER", pwd->pw_name, 1);
rc |= setenv("LOGNAME", pwd->pw_name, 1);
rc |= setenv("PATH", DEFAULT_PATH, 1);
+-
+ if (rc != 0) {
+ fprintf(stderr, _("Failed to construct environment\n"));
+ goto childerr;
+ }
-
++
+ /* selinux context */
+ if (execcon && setexeccon(execcon) != 0) {
+ fprintf(stderr, _("Could not set exec context to %s.\n"), execcon);
@@ -3266,9 +3151,7 @@ index ec692e7..2718a68 100644
- exit(-1);
+ goto childerr;
}
-+
setsid();
-+
execv(argv[optind], argv + optind);
+ fprintf(stderr, _("Failed to execute command %s: %s\n"), argv[optind], strerror(errno));
+childerr:
@@ -3286,7 +3169,7 @@ index ec692e7..2718a68 100644
+ /* parent waits for child exit to do the cleanup */
+ waitpid(child, &status, 0);
+ status_to_retval(status, status);
-
++
+ /* Make sure all child processes exit */
+ kill(-child,SIGTERM);
+
@@ -3294,12 +3177,11 @@ index ec692e7..2718a68 100644
+ killall(execcon);
+
+ if (tmpdir_r) cleanup_tmpdir(tmpdir_r, tmpdir_s, pwd, 1);
-+
+
+err:
+ free(tmpdir_r);
return status;
}
-+
diff --git a/policycoreutils/sandbox/start b/policycoreutils/sandbox/start
new file mode 100644
index 0000000..52950d7
@@ -3315,246 +3197,26 @@ index 0000000..52950d7
+ pass
+if rc[0] == 0:
+ print rc[1]
-diff --git a/policycoreutils/scripts/Makefile b/policycoreutils/scripts/Makefile
-index 53b65b6..cc75a96 100644
---- a/policycoreutils/scripts/Makefile
-+++ b/policycoreutils/scripts/Makefile
-@@ -14,6 +14,7 @@ install: all
- install -m 755 genhomedircon $(SBINDIR)
- -mkdir -p $(MANDIR)/man8
- install -m 644 fixfiles.8 $(MANDIR)/man8/
-+ install -m 644 genhomedircon.8 $(MANDIR)/man8/
- install -m 644 chcat.8 $(MANDIR)/man8/
-
- clean:
-diff --git a/policycoreutils/scripts/chcat b/policycoreutils/scripts/chcat
-index 4038a99..9efcb22 100755
---- a/policycoreutils/scripts/chcat
-+++ b/policycoreutils/scripts/chcat
-@@ -1,4 +1,4 @@
--#! /usr/bin/python -E
-+#! /usr/bin/python -Es
- # Copyright (C) 2005 Red Hat
- # see file 'COPYING' for use and warranty information
- #
-diff --git a/policycoreutils/scripts/chcat.8 b/policycoreutils/scripts/chcat.8
-index 3f9efba..7c6d75a 100644
---- a/policycoreutils/scripts/chcat.8
-+++ b/policycoreutils/scripts/chcat.8
-@@ -51,5 +51,5 @@ When operating on files this script wraps the chcon command.
- .SH "FILES"
- /etc/selinux/{SELINUXTYPE}/setrans.conf
- .br
--/etc/selinux/{SELINUXTYPE}/seuser
-+/etc/selinux/{SELINUXTYPE}/seusers
-
diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles
-index ae519fc..8e47d94 100755
+index e4e5f0d..27dcccf 100755
--- a/policycoreutils/scripts/fixfiles
+++ b/policycoreutils/scripts/fixfiles
-@@ -21,6 +21,44 @@
- # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+@@ -103,7 +103,7 @@ exclude_dirs_from_relabelling() {
- #
-+# Get all mounted rw file systems that support seclabel
-+#
-+get_labeled_mounts() {
-+# /dev is not listed in the mountab
-+FS="`mount | egrep -v '\((|.*,)bind(,.*|)\)' | awk '/\(rw/{print $3}';` /dev"
-+for i in $FS; do
-+ grep --silent "$i ".*seclabel /proc/self/mounts && echo $i
-+done
-+}
-+exclude_dirs_from_relabelling() {
-+ exclude_from_relabelling=
-+ if [ -e /etc/selinux/fixfiles_exclude_dirs ]
-+ then
-+ while read i
-+ do
-+ # skip blank line and comment
-+ # skip not absolute path
-+ # skip not directory
-+ [ -z "${i}" ] && continue
-+ [[ "${i}" =~ "^[[:blank:]]*#" ]] && continue
-+ [[ ! "${i}" =~ ^/.* ]] && continue
-+ [[ ! -d "${i}" ]] && continue
-+ exclude_from_relabelling="$exclude_from_relabelling -e $i"
-+ logit "skipping the directory $i from relabelling"
-+ done < /etc/selinux/fixfiles_exclude_dirs
-+ fi
-+ echo "$exclude_from_relabelling"
-+}
-+exclude_dirs() {
-+ exclude=
-+ for i in /var/lib/BackupPC /home /tmp /dev; do
-+ [ -e $i ] && exclude="$exclude -e $i";
-+ done
-+ exclude="$exclude `exclude_dirs_from_relabelling`"
-+ echo "$exclude"
-+}
-+
-+#
- # Set global Variables
- #
- fullFlag=0
-@@ -35,9 +73,7 @@ SYSLOGFLAG="-l"
- LOGGER=/usr/sbin/logger
- SETFILES=/sbin/setfiles
- RESTORECON=/sbin/restorecon
--FILESYSTEMSRW=`mount | grep -v "context=" | egrep -v '\((|.*,)bind(,.*|)\)' | awk '/(ext[234]| ext4dev | gfs2 | xfs | jfs | btrfs ).*\(rw/{print $3}';`
--FILESYSTEMSRO=`mount | grep -v "context=" | egrep -v '\((|.*,)bind(,.*|)\)' | awk '/(ext[234]| ext4dev | gfs2 | xfs | jfs | btrfs ).*\(ro/{print $3}';`
--FILESYSTEMS="$FILESYSTEMSRW $FILESYSTEMSRO"
-+FILESYSTEMS=`get_labeled_mounts`
- SELINUXTYPE="targeted"
- if [ -e /etc/selinux/config ]; then
- . /etc/selinux/config
-@@ -87,23 +123,10 @@ if [ -f ${PREFC} -a -x /usr/bin/diff ]; then
- esac; \
- fi; \
- done | \
-- while read pattern ; do sh -c "find $pattern \
-- ! \( -fstype ext2 -o -fstype ext3 -o -fstype ext4 -o -fstype ext4dev -o -fstype gfs2 -o -fstype jfs -o -fstype xfs -o -fstype btrfs \) -prune -o \
-- \( -wholename /home -o -wholename /root -o -wholename /tmp -wholename /dev \) -prune -o -print0"; \
-- done 2> /dev/null | \
-- ${RESTORECON} $* -0 -f -
-+ ${RESTORECON} -f - -R -p `exclude_dirs`; \
- rm -f ${TEMPFILE} ${PREFCTEMPFILE}
- fi
- }
--#
--# Log all Read Only file systems
--#
--LogReadOnly() {
--if [ ! -z "$FILESYSTEMSRO" ]; then
-- logit "Warning: Skipping the following R/O filesystems:"
-- logit "$FILESYSTEMSRO"
--fi
--}
-
- rpmlist() {
- rpm -q --qf '[%{FILESTATES} %{FILENAMES}\n]' "$1" | grep '^0 ' | cut -f2- -d ' '
-@@ -121,33 +144,45 @@ if [ ! -z "$PREFC" ]; then
- fi
- if [ ! -z "$RPMFILES" ]; then
- for i in `echo "$RPMFILES" | sed 's/,/ /g'`; do
-- rpmlist $i | ${RESTORECON} ${FORCEFLAG} $* -R -i -f - 2>&1 >> $LOGFILE
-+ rpmlist $i | ${RESTORECON} ${FORCEFLAG} $* -R -i -f - 2>&1 | cat >> $LOGFILE
+ exclude_dirs() {
+ exclude=
+- for i in /home /root /tmp /dev; do
++ for i in /var/lib/BackupPC /home /tmp /dev; do
+ [ -e $i ] && exclude="$exclude -e $i";
done
- exit $?
- fi
- if [ ! -z "$FILEPATH" ]; then
-- if [ -x /usr/bin/find ]; then
-- /usr/bin/find "$FILEPATH" \
-- ! \( -fstype ext2 -o -fstype ext3 -o -fstype ext4 -o -fstype ext4dev -o -fstype gfs2 -o -fstype jfs -o -fstype xfs -o -fstype btrfs \) -prune -o -print0 | \
-- ${RESTORECON} ${FORCEFLAG} $* -0 -f - 2>&1 >> $LOGFILE
-- else
-- ${RESTORECON} ${FORCEFLAG} -R $* $FILEPATH 2>&1 >> $LOGFILE
-- fi
-+ ${RESTORECON} ${FORCEFLAG} -R $* $FILEPATH 2>&1 | cat >> $LOGFILE
- return
- fi
- [ -x /usr/sbin/genhomedircon ] && /usr/sbin/genhomedircon
--LogReadOnly
--${SETFILES} -q ${SYSLOGFLAG} ${FORCEFLAG} $* ${FC} ${FILESYSTEMSRW} 2>&1 >> $LOGFILE
--rm -rf /tmp/gconfd-* /tmp/pulse-* /tmp/orbit-*
-+#
-+exclude_dirs="`exclude_dirs_from_relabelling`"
-+if [ -n "${exclude_dirs}" ]
-+then
-+ TEMPFCFILE=`mktemp ${FC}.XXXXXXXXXX`
-+ test -z "$TEMPFCFILE" && exit
-+ /bin/cp -p ${FC} ${TEMPFCFILE} &>/dev/null || exit
-+ exclude_dirs=${exclude_dirs//-e/}
-+ for p in ${exclude_dirs}
-+ do
-+ p="${p%/}"
-+ p1="${p}(/.*)? -- <<none>>"
-+ echo "${p1}" >> $TEMPFCFILE
-+ logit "skipping the directory ${p} from relabelling"
-+ done
-+FC=$TEMPFCFILE
-+fi
-+${SETFILES} -q ${SYSLOGFLAG} ${FORCEFLAG} $* ${FC} ${FILESYSTEMS} 2>&1 | cat >> $LOGFILE
-+rm -rf /tmp/gconfd-* /tmp/pulse-* /tmp/orbit-* $TEMPFCFILE
-+find /tmp \( -context "*:file_t*" -o -context "*:unlabeled_t*" \) \( -type s -o -type p \) -delete
- find /tmp \( -context "*:file_t*" -o -context "*:unlabeled_t*" \) -exec chcon -t tmp_t {} \;
- find /var/tmp \( -context "*:file_t*" -o -context "*:unlabeled_t*" \) -exec chcon -t tmp_t {} \;
-+find /var/run \( -context "*:file_t*" -o -context "*:unlabeled_t*" \) -exec chcon -t var_run_t {} \;
-+[ -e /var/lib/debug ] && find /var/lib/debug \( -context "*:file_t*" -o -context "*:unlabeled_t*" \) -exec chcon -t lib_t {} \;
- exit $?
- }
-
- fullrelabel() {
- logit "Cleaning out /tmp"
-- find /tmp/ -mindepth 1 -print0 | xargs -0 /bin/rm -f
-- LogReadOnly
-+ find /tmp/ -mindepth 1 -delete
- restore
- }
-
-diff --git a/policycoreutils/scripts/fixfiles.8 b/policycoreutils/scripts/fixfiles.8
-index dfe8aa9..0b4cbaa 100644
---- a/policycoreutils/scripts/fixfiles.8
-+++ b/policycoreutils/scripts/fixfiles.8
-@@ -29,6 +29,8 @@ new policy, or just check whether the file contexts are all
- as you expect. By default it will relabel all mounted ext2, ext3, xfs and
- jfs file systems as long as they do not have a security context mount
- option. You can use the -R flag to use rpmpackages as an alternative.
-+The file /etc/selinux/fixfiles_exclude_dirs can contain a list of directories
-+excluded from relabelling.
- .P
- .B fixfiles onboot
- will setup the machine to relabel on the next reboot.
-diff --git a/policycoreutils/scripts/genhomedircon.8 b/policycoreutils/scripts/genhomedircon.8
-new file mode 100644
-index 0000000..6331660
---- /dev/null
-+++ b/policycoreutils/scripts/genhomedircon.8
-@@ -0,0 +1,37 @@
-+.\" Hey, Emacs! This is an -*- nroff -*- source file.
-+.\" Copyright (c) 2010 Dan Walsh <dwalsh at redhat.com>
-+.\"
-+.\" This is free documentation; you can redistribute it and/or
-+.\" modify it under the terms of the GNU General Public License as
-+.\" published by the Free Software Foundation; either version 2 of
-+.\" the License, or (at your option) any later version.
-+.\"
-+.\" The GNU General Public License's references to "object code"
-+.\" and "executables" are to be interpreted as the output of any
-+.\" document formatting or typesetting system, including
-+.\" intermediate and printed output.
-+.\"
-+.\" This manual is distributed in the hope that it will be useful,
-+.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
-+.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-+.\" GNU General Public License for more details.
-+.\"
-+.\" You should have received a copy of the GNU General Public
-+.\" License along with this manual; if not, write to the Free
-+.\" Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139,
-+.\" USA.
-+.\"
-+.\"
-+.TH GENHOMEDIRCON "8" "May 2010" "Security Enhanced Linux" "SELinux"
-+.SH NAME
-+genhomedircon \- generate SELinux file context configuration entries for user home directories
-+.SH SYNOPSIS
-+.B genhomedircon
-+is a script that executes semodule to rebuild policy and create the
-+labels for HOMEDIRS based on home directories returned by the getpw calls.
-+
-+This functionality is enabled via the usepasswd flag in /etc/selinux/semanage.conf.
-+
-+.SH AUTHOR
-+This manual page was written by
-+.I Dan Walsh <dwalsh at redhat.com>
+ exclude="$exclude `exclude_dirs_from_relabelling`"
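Review bot: the exclude_dirs() default list changes from `/home /root /tmp /dev` to `/var/lib/BackupPC /home /tmp /dev`, which silently drops `/root` from the directories skipped during relabelling while adding the BackupPC store; if dropping /root is intended, say so, otherwise keep it. The large removed blocks (scripts/Makefile, the chcat shebang, the fixfiles get_labeled_mounts()/exclude_dirs_from_relabelling() functions, fixfiles.8 and genhomedircon.8) are consistent with that code now living in the base file, as the inner header `@@ -103,7 +103,7 @@ exclude_dirs_from_relabelling()` shows, leaving only this small delta to carry downstream.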
diff --git a/policycoreutils/semanage/default_encoding/Makefile b/policycoreutils/semanage/default_encoding/Makefile
new file mode 100644
-index 0000000..176b11f
+index 0000000..e15a877
--- /dev/null
+++ b/policycoreutils/semanage/default_encoding/Makefile
@@ -0,0 +1,8 @@
-+all:
++all:
+ LDFLAGS="" python setup.py build
+
+install: all
@@ -3564,7 +3226,7 @@ index 0000000..176b11f
+ rm -rf build *~
diff --git a/policycoreutils/semanage/default_encoding/default_encoding.c b/policycoreutils/semanage/default_encoding/default_encoding.c
new file mode 100644
-index 0000000..c3cdd4e
+index 0000000..2ba4870
--- /dev/null
+++ b/policycoreutils/semanage/default_encoding/default_encoding.c
@@ -0,0 +1,59 @@
@@ -3620,7 +3282,7 @@ index 0000000..c3cdd4e
+
+
+PyMODINIT_FUNC
-+initdefault_encoding_utf8(void)
++initdefault_encoding_utf8(void)
+{
+ PyObject* m;
+
@@ -3695,15 +3357,9 @@ index 0000000..e2befdb
+ packages=["policycoreutils"],
+)
diff --git a/policycoreutils/semanage/semanage b/policycoreutils/semanage/semanage
-index ffaca5b..bc989bf 100644
+index 0140cd2..656a028 100644
--- a/policycoreutils/semanage/semanage
+++ b/policycoreutils/semanage/semanage
-@@ -1,4 +1,4 @@
--#! /usr/bin/python -E
-+#! /usr/bin/python -Es
- # Copyright (C) 2005, 2006, 2007 Red Hat
- # see file 'COPYING' for use and warranty information
- #
@@ -20,6 +20,7 @@
# 02111-1307 USA
#
@@ -3712,7 +3368,7 @@ index ffaca5b..bc989bf 100644
import sys, getopt, re
import seobject
import selinux
-@@ -32,27 +33,35 @@ gettext.textdomain(PROGNAME)
+@@ -32,7 +33,7 @@ gettext.textdomain(PROGNAME)
try:
gettext.install(PROGNAME,
localedir="/usr/share/locale",
@@ -3721,415 +3377,50 @@ index ffaca5b..bc989bf 100644
codeset = 'utf-8')
except IOError:
import __builtin__
- __builtin__.__dict__['_'] = unicode
+@@ -283,11 +284,14 @@ Object-specific Options (see above):
+ equal = a
- if __name__ == '__main__':
--
-+ action = False
-+ manageditems=[ "boolean", "login", "user", "port", "interface", "node", "fcontext"]
-+ def set_action(option):
-+ global action
-+ if action:
-+ raise ValueError(_("%s bad option") % option)
-+ action = True
-+
- def usage(message = ""):
- text = _("""
- semanage [ -S store ] -i [ input_file | - ]
--
--semanage {boolean|login|user|port|interface|node|fcontext} -{l|D} [-n]
--semanage login -{a|d|m} [-sr] login_name | %groupname
--semanage user -{a|d|m} [-LrRP] selinux_name
--semanage port -{a|d|m} [-tr] [ -p proto ] port | port_range
--semanage interface -{a|d|m} [-tr] interface_spec
--semanage node -{a|d|m} [-tr] [ -p protocol ] [-M netmask] addr
--semanage fcontext -{a|d|m} [-frst] file_spec
-+semanage [ -S store ] -o [ output_file | - ]
-+
-+semanage login -{a|d|m|l|D|E} [-nrs] login_name | %groupname
-+semanage user -{a|d|m|l|D|E} [-LnrRP] selinux_name
-+semanage port -{a|d|m|l|D|E} [-nrt] [ -p proto ] port | port_range
-+semanage interface -{a|d|m|l|D|E} [-nrt] interface_spec
-+semanage module -{a|d|m} [--enable|--disable] module
-+semanage node -{a|d|m|l|D|E} [-nrt] [ -p protocol ] [-M netmask] addr
-+semanage fcontext -{a|d|m|l|D|E} [-efnrst] file_spec
- semanage boolean -{d|m} [--on|--off|-1|-0] -F boolean | boolean_file
--semanage permissive -{d|a} type
-+semanage permissive -{d|a|l} [-n] type
- semanage dontaudit [ on | off ]
-
- Primary Options:
-@@ -61,7 +70,9 @@ Primary Options:
- -d, --delete Delete a OBJECT record NAME
- -m, --modify Modify a OBJECT record NAME
- -i, --input Input multiple semange commands in a transaction
-+ -o, --output Output current customizations as semange commands
- -l, --list List the OBJECTS
-+ -E, --extract extract customizable commands
- -C, --locallist List OBJECTS local customizations
- -D, --deleteall Remove all OBJECTS local customizations
-
-@@ -84,12 +95,15 @@ Object-specific Options (see above):
- -F, --file Treat target as an input file for command, change multiple settings
- -p, --proto Port protocol (tcp or udp) or internet protocol version of node (ipv4 or ipv6)
- -M, --mask Netmask
-+ -e, --equal Substitue source path for dest path when labeling
- -P, --prefix Prefix for home directory labeling
- -L, --level Default SELinux Level (MLS/MCS Systems only)
- -R, --roles SELinux Roles (ex: "sysadm_r staff_r")
- -s, --seuser SELinux User Name
- -t, --type SELinux Type for the object
- -r, --range MLS/MCS Security Range (MLS/MCS Systems only)
-+ --enable Enable a module
-+ --disable Disable a module
- """)
- raise ValueError("%s\n%s" % (text, message))
-
-@@ -101,22 +115,25 @@ Object-specific Options (see above):
-
- def get_options():
- valid_option={}
-- valid_everyone=[ '-a', '--add', '-d', '--delete', '-m', '--modify', '-l', '--list', '-h', '--help', '-n', '--noheading', '-C', '--locallist', '-D', '--deleteall', '-S', '--store' ]
-+ valid_everyone=[ '-a', '--add', '-d', '--delete', '-m', '--modify', '-l', '--list', '-h', '--help', '-n', '--noheading', '-S', '--store' ]
-+ valid_local=[ '-E', '--extract', '-C', '--locallist', '-D', '--deleteall']
- valid_option["login"] = []
-- valid_option["login"] += valid_everyone + [ '-s', '--seuser', '-r', '--range']
-+ valid_option["login"] += valid_everyone + valid_local + [ '-s', '--seuser', '-r', '--range']
- valid_option["user"] = []
-- valid_option["user"] += valid_everyone + [ '-L', '--level', '-r', '--range', '-R', '--roles', '-P', '--prefix' ]
-+ valid_option["user"] += valid_everyone + valid_local + [ '-L', '--level', '-r', '--range', '-R', '--roles', '-P', '--prefix' ]
- valid_option["port"] = []
-- valid_option["port"] += valid_everyone + [ '-t', '--type', '-r', '--range', '-p', '--proto' ]
-+ valid_option["port"] += valid_everyone + valid_local + [ '-t', '--type', '-r', '--range', '-p', '--proto' ]
- valid_option["interface"] = []
-- valid_option["interface"] += valid_everyone + [ '-t', '--type', '-r', '--range']
-+ valid_option["interface"] += valid_everyone + valid_local + [ '-t', '--type', '-r', '--range']
- valid_option["node"] = []
-- valid_option["node"] += valid_everyone + [ '-M', '--mask', '-t', '--type', '-r', '--range', '-p', '--protocol']
-+ valid_option["node"] += valid_everyone + valid_local + [ '-M', '--mask', '-t', '--type', '-r', '--range', '-p', '--protocol']
-+ valid_option["module"] = []
-+ valid_option["module"] += valid_everyone + [ '--enable', '--disable']
- valid_option["fcontext"] = []
-- valid_option["fcontext"] += valid_everyone + [ '-f', '--ftype', '-s', '--seuser', '-t', '--type', '-r', '--range']
-+ valid_option["fcontext"] += valid_everyone + valid_local + [ '-e', '--equal', '-f', '--ftype', '-s', '--seuser', '-t', '--type', '-r', '--range']
- valid_option["dontaudit"] = [ '-S', '--store' ]
- valid_option["boolean"] = []
-- valid_option["boolean"] += valid_everyone + [ '--on', "--off", "-1", "-0", "-F", "--file"]
-+ valid_option["boolean"] += valid_everyone + valid_local + [ '--on', "--off", "-1", "-0", "-F", "--file"]
- valid_option["permissive"] = []
- valid_option["permissive"] += [ '-a', '--add', '-d', '--delete', '-l', '--list', '-h', '--help', '-n', '--noheading', '-D', '--deleteall' ]
- return valid_option
-@@ -168,6 +185,8 @@ Object-specific Options (see above):
- return ret
-
- def process_args(argv):
-+ global action
-+ action = False
- serange = ""
- port = ""
- proto = ""
-@@ -184,11 +203,17 @@ Object-specific Options (see above):
- modify = False
- delete = False
- deleteall = False
-+ enable = False
-+ extract = False
-+ disable = False
- list = False
- locallist = False
- use_file = False
- store = ""
-+ equal=""
-
-+ if len(argv) == 0:
-+ return
- object = argv[0]
- option_dict=get_options()
- if object not in option_dict.keys():
-@@ -196,58 +221,84 @@ Object-specific Options (see above):
-
- args = argv[1:]
-
-- gopts, cmds = getopt.getopt(args,
-- '01adf:i:lhmnp:s:FCDR:L:r:t:P:S:M:',
-- ['add',
-- 'delete',
-- 'deleteall',
-- 'ftype=',
-- 'file',
-- 'help',
-- 'input=',
-- 'list',
-- 'modify',
-- 'noheading',
-- 'localist',
-- 'off',
-- 'on',
-- 'proto=',
-- 'seuser=',
-- 'store=',
-- 'range=',
-- 'locallist=',
-- 'level=',
-- 'roles=',
-- 'type=',
-- 'prefix=',
-- 'mask='
-- ])
-+ try:
-+ gopts, cmds = getopt.getopt(args,
-+ '01adEe:f:i:lhmnp:s:FCDR:L:r:t:P:S:M:',
-+ ['add',
-+ 'delete',
-+ 'deleteall',
-+ 'equal=',
-+ 'enable',
-+ 'extract',
-+ 'disable',
-+ 'ftype=',
-+ 'file',
-+ 'help',
-+ 'input=',
-+ 'list',
-+ 'modify',
-+ 'noheading',
-+ 'localist',
-+ 'off',
-+ 'on',
-+ 'proto=',
-+ 'seuser=',
-+ 'store=',
-+ 'range=',
-+ 'locallist=',
-+ 'level=',
-+ 'roles=',
-+ 'type=',
-+ 'prefix=',
-+ 'mask='
-+ ])
-+ except getopt.error, error:
-+ usage(_("Options Error %s ") % error.msg)
-+
- for o, a in gopts:
- if o not in option_dict[object]:
- sys.stderr.write(_("%s not valid for %s objects\n") % ( o, object) );
-+
-+ return
-
- for o,a in gopts:
- if o == "-a" or o == "--add":
-- if modify or delete:
-- raise ValueError(_("%s bad option") % o)
-+ set_action(o)
- add = True
-
- if o == "-d" or o == "--delete":
-- if modify or add:
-- raise ValueError(_("%s bad option") % o)
-+ set_action(o)
- delete = True
-+
- if o == "-D" or o == "--deleteall":
-- if modify:
-- raise ValueError(_("%s bad option") % o)
-+ set_action(o)
- deleteall = True
-+
-+ if o == "-E" or o == "--extract":
-+ set_action(o)
-+ extract = True
- if o == "-f" or o == "--ftype":
- ftype=a
-
-+ if o == "-e" or o == "--equal":
-+ equal = a
-+
-+ if o == "--enable":
-+ if disable:
-+ raise ValueError(_("You can't disable and enable at the same time"))
-+
-+ enable = True
-+
-+ if o == "--disable":
-+ if enable:
-+ raise ValueError(_("You can't disable and enable at the same time"))
-+ disable = True
+ if o == "--enable":
+- set_action(o)
++ if disable:
++ raise ValueError(_("You can't disable and enable at the same time"))
+
+ enable = True
+
+ if o == "--disable":
+- set_action(o)
++ if enable:
++ raise ValueError(_("You can't disable and enable at the same time"))
+ disable = True
+
if o == "-F" or o == "--file":
- use_file = True
-
- if o == "-h" or o == "--help":
-- raise ValueError(_("%s bad option") % o)
-+ raise usage()
-
- if o == "-n" or o == "--noheading":
- heading = False
-@@ -256,8 +307,7 @@ Object-specific Options (see above):
- locallist = True
-
- if o == "-m"or o == "--modify":
-- if delete or add:
-- raise ValueError(_("%s bad option") % o)
-+ set_action(o)
- modify = True
-
- if o == "-S" or o == '--store':
-@@ -292,8 +342,10 @@ Object-specific Options (see above):
-
- if o == "--on" or o == "-1":
- value = "on"
-+ modify = True
- if o == "--off" or o == "-0":
- value = "off"
-+ modify = True
+@@ -338,9 +342,11 @@ Object-specific Options (see above):
+
+ if o == "--on" or o == "-1":
+ value = "on"
++ modify = True
+
+ if o == "--off" or o == "-0":
+ value = "off"
++ modify = True
if object == "login":
OBJECT = seobject.loginRecords(store)
-@@ -315,6 +367,11 @@ Object-specific Options (see above):
+@@ -362,6 +368,8 @@ Object-specific Options (see above):
if object == "boolean":
OBJECT = seobject.booleanRecords(store)
-+ if use_file:
-+ modify=True
-+
-+ if object == "module":
-+ OBJECT = seobject.moduleRecords(store)
-
- if object == "permissive":
- OBJECT = seobject.permissiveRecords(store)
-@@ -330,65 +387,97 @@ Object-specific Options (see above):
- OBJECT.deleteall()
- return
-
-+ if extract:
-+ for i in OBJECT.customized():
-+ print "%s %s" % (object, str(i))
-+ return
-+
- if len(cmds) != 1:
-- raise ValueError(_("%s bad option") % o)
-+ raise ValueError(_("bad option"))
-
- target = cmds[0]
-
--
- if object == "dontaudit":
-- OBJECT = seobject.dontauditClass(store)
-- OBJECT.toggle(target)
-- return
-+ OBJECT = seobject.dontauditClass(store)
-+ OBJECT.toggle(target)
-+ return
-
- if add:
- if object == "login":
- OBJECT.add(target, seuser, serange)
-+ return
-
- if object == "user":
- OBJECT.add(target, roles.split(), selevel, serange, prefix)
-+ return
-
- if object == "port":
- OBJECT.add(target, proto, serange, setype)
-+ return
-
- if object == "interface":
- OBJECT.add(target, serange, setype)
-+ return
-+
-+ if object == "module":
-+ OBJECT.add(target)
-+ return
-
- if object == "node":
- OBJECT.add(target, mask, proto, serange, setype)
-+ return
-
- if object == "fcontext":
-- OBJECT.add(target, setype, ftype, serange, seuser)
-+ if equal == "":
-+ OBJECT.add(target, setype, ftype, serange, seuser)
-+ else:
-+ OBJECT.add_equal(target, equal)
-+ return
- if object == "permissive":
- OBJECT.add(target)
-+ return
-
-- return
--
- if modify:
- if object == "boolean":
- OBJECT.modify(target, value, use_file)
-+ return
-
- if object == "login":
- OBJECT.modify(target, seuser, serange)
-+ return
-
- if object == "user":
- rlist = roles.split()
- OBJECT.modify(target, rlist, selevel, serange, prefix)
-+ return
-+
-+ if object == "module":
-+ if enable:
-+ OBJECT.enable(target)
-+ elif disable:
-+ OBJECT.disable(target)
-+ else:
-+ OBJECT.modify(target)
-+ return
-
- if object == "port":
- OBJECT.modify(target, proto, serange, setype)
-+ return
-
- if object == "interface":
- OBJECT.modify(target, serange, setype)
-+ return
-
- if object == "node":
- OBJECT.modify(target, mask, proto, serange, setype)
-+ return
-
- if object == "fcontext":
-- OBJECT.modify(target, setype, ftype, serange, seuser)
--
-- return
--
-+ if equal == "":
-+ OBJECT.modify(target, setype, ftype, serange, seuser)
-+ else:
-+ OBJECT.modify_equal(target, equal)
-+ return
- if delete:
- if object == "port":
- OBJECT.delete(target, proto)
-@@ -401,50 +490,65 @@ Object-specific Options (see above):
-
- else:
- OBJECT.delete(target)
--
- return
--
-- raise ValueError(_("Invalid command") % " ".join(argv))
-+ raise ValueError(_("Invalid command: semanage %s") % " ".join(argv))
-
- #
- #
- #
- try:
-+ output = None
- input = None
- store = ""
++ if use_file:
++ modify = True
+ if object == "module":
+ OBJECT = seobject.moduleRecords(store)
+@@ -500,31 +508,36 @@ Object-specific Options (see above):
if len(sys.argv) < 3:
usage(_("Requires 2 or more arguments"))
- gopts, cmds = getopt.getopt(sys.argv[1:],
-- '01adf:i:lhmnp:s:FCDR:L:r:t:T:P:S:',
+- '01adf:i:lhmno:p:s:FCDR:L:r:t:T:P:S:',
- ['add',
- 'delete',
- 'deleteall',
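Review bot: the boolean `use_file` block is the one piece of this region still carried downstream (`++ if use_file:` / `++ modify = True`) while the `module` branch directly below it has become plain context; the patch header or spec changelog should say why that block is retained, because setting `modify = True` from `-F` means `semanage boolean -F file` modifies booleans without an explicit `-m`, and a later rebase that does not know the intent will either drop it or duplicate it.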
@@ -4143,6 +3434,7 @@ index ffaca5b..bc989bf 100644
- 'localist',
- 'off',
- 'on',
+- 'output=',
- 'proto=',
- 'seuser=',
- 'store=',
@@ -4162,12 +3454,12 @@ index ffaca5b..bc989bf 100644
+ 'file',
+ 'help',
+ 'input=',
-+ 'list',
++ 'list',
+ 'modify',
+ 'noheading',
+ 'localist',
-+ 'off',
-+ 'on',
++ 'off',
++ 'on',
+ 'output=',
+ 'proto=',
+ 'seuser=',
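Review bot: the changes to the `'list'`, `'off'` and `'on'` entries (`-+ 'list',` becoming `++ 'list',`) are whitespace-only, and leading whitespace is invisible in this rendering; a one-line remark in the commit message that this is indentation alignment inside the long-option list (harmless in a Python list literal) would stop reviewers from hunting for a content change here.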
@@ -4185,22 +3477,7 @@ index ffaca5b..bc989bf 100644
for o, a in gopts:
if o == "-S" or o == '--store':
store = a
- if o == "-i" or o == '--input':
- input = a
-+ if o == "-o" or o == '--output':
-+ output = a
-+
-+ if output != None:
-+ if output != "-":
-+ sys.stdout = open(output, 'w')
-+ for i in manageditems:
-+ print "%s -D" % i
-+ process_args([i, "-E"])
-+ sys.exit(0)
-
- if input != None:
- if input == "-":
-@@ -459,11 +563,11 @@ Object-specific Options (see above):
+@@ -554,8 +567,6 @@ Object-specific Options (see above):
else:
process_args(sys.argv[1:])
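Review bot: the removed `--output` handler printed `"%s -D" % i` ahead of each object's `-E` extraction, so every exported file starts each section with a deleteall, and an `-i` import on the second machine replaces, rather than merges, that machine's local port, fcontext, login and other customizations. Whatever implementation replaces this downstream code should keep or drop that semantics deliberately, and the "Managing multiple machines" man page example should state it, since an operator importing a file from another host will otherwise lose locally added rules without warning.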
@@ -4209,231 +3486,11 @@ index ffaca5b..bc989bf 100644
except ValueError, error:
errorExit(error.args[0])
except KeyError, error:
- errorExit(_("Invalid value %s") % error.args[0])
- except IOError, error:
- errorExit(error.args[1])
-+ except OSError, error:
-+ errorExit(error.args[1])
-diff --git a/policycoreutils/semanage/semanage.8 b/policycoreutils/semanage/semanage.8
-index 70d1a20..fb6a79b 100644
---- a/policycoreutils/semanage/semanage.8
-+++ b/policycoreutils/semanage/semanage.8
-@@ -1,29 +1,69 @@
--.TH "semanage" "8" "2005111103" "" ""
-+.TH "semanage" "8" "20100223" "" ""
- .SH "NAME"
- semanage \- SELinux Policy Management tool
-
- .SH "SYNOPSIS"
--.B semanage {boolean|login|user|port|interface|node|fcontext} \-{l|D} [\-n] [\-S store]
-+Output local customizations
- .br
--.B semanage boolean \-{d|m} [\-\-on|\-\-off|\-1|\-0] -F boolean | boolean_file
-+.B semanage [ -S store ] -o [ output_file | - ]
-+
-+Input local customizations
-+.br
-+.B semanage [ -S store ] -i [ input_file | - ]
-+
-+Manage booleans. Booleans allow the administrator to modify the confinement of
-+processes based on his configuration.
-+.br
-+.B semanage boolean [\-S store] \-{d|m|l|n|D} \-[\-on|\-off|\1|0] -F boolean | boolean_file
-+
-+Manage SELinux confined users (Roles and levels for an SELinux user)
-+.br
-+.B semanage user [\-S store] \-{a|d|m|l|n|D} [\-LrRP] selinux_name
-+
-+Manage login mappings between linux users and SELinux confined users.
-+.br
-+.B semanage login [\-S store] \-{a|d|m|l|n|D} [\-sr] login_name | %groupname
-+
-+Manage policy modules.
-+.br
-+.B semanage module [\-S store] \-{a|d|l} [-m [--enable | --disable] ] module_name
-+
-+Manage network port type definitions
- .br
--.B semanage login \-{a|d|m} [\-sr] login_name | %groupname
-+.B semanage port [\-S store] \-{a|d|m|l|n|D} [\-tr] [\-p proto] port | port_range
- .br
--.B semanage user \-{a|d|m} [\-LrRP] selinux_name
-+
-+Manage network interface type definitions
-+.br
-+.B semanage interface [\-S store] \-{a|d|m|l|n|D} [\-tr] interface_spec
-+
-+Manage network node type definitions
- .br
--.B semanage port \-{a|d|m} [\-tr] [\-p proto] port | port_range
-+.B semanage node [\-S store] -{a|d|m|l|n|D} [-tr] [ -p protocol ] [-M netmask] address
- .br
--.B semanage interface \-{a|d|m} [\-tr] interface_spec
-+
-+Manage file context mapping definitions
-+.br
-+.B semanage fcontext [\-S store] \-{a|d|m|l|n|D} [\-frst] file_spec
- .br
--.B semanage node -{a|d|m} [-tr] [ -p protocol ] [-M netmask] address
-+.B semanage fcontext [\-S store] \-{a|d|m|l|n|D} \-e replacement target
- .br
--.B semanage fcontext \-{a|d|m} [\-frst] file_spec
-+
-+Manage processes type enforcement mode
- .br
--.B semanage permissive \-{a|d} type
-+.B semanage permissive [\-S store] \-{a|d|l|n|D} type
- .br
--.B semanage dontaudit [ on | off ]
-+
-+Disable/Enable dontaudit rules in policy
-+.br
-+.B semanage dontaudit [\-S store] [ on | off ]
- .P
-
-+Execute multiple commands within a single transaction.
-+.br
-+.B semanage [\-S store] \-i command-file
-+.br
-+
- .SH "DESCRIPTION"
- semanage is used to configure certain elements of
- SELinux policy without requiring modification to or recompilation
-@@ -52,6 +92,22 @@ Delete a OBJECT record NAME
- .I \-D, \-\-deleteall
- Remove all OBJECTS local customizations
- .TP
-+.I \-\-disable
-+Disable a policy module, requires -m option
-+
-+Currently modules only.
-+.TP
-+.I \-\-enable
-+Enable a disabled policy module, requires -m option
-+
-+Currently modules only.
-+.TP
-+.I \-e, \-\-equal
-+Substitute target path with sourcepath when generating default label. This is used with
-+fcontext. Requires source and target path arguments. The context
-+labeling for the target subtree is made equivalent to that
-+defined for the source.
-+.TP
- .I \-f, \-\-ftype
- File Type. This is used with fcontext.
- Requires a file type as shown in the mode field by ls, e.g. use -d to match only directories or -- to match only regular files.
-@@ -60,6 +116,7 @@ Requires a file type as shown in the mode field by ls, e.g. use -d to match only
- Set multiple records from the input file. When used with the \-l \-\-list, it will output the current settings to stdout in the proper format.
-
- Currently booleans only.
-+
- .TP
- .I \-h, \-\-help
- display this message
-@@ -76,6 +133,9 @@ Default SELinux Level for SELinux use, s0 Default. (MLS/MCS Systems only)
- .I \-m, \-\-modify
- Modify a OBJECT record NAME
- .TP
-+.I \-M, \-\-mask
-+Network Mask
-+.TP
- .I \-n, \-\-noheading
- Do not print heading when listing OBJECTS.
- .TP
-@@ -99,26 +159,67 @@ Select and alternate SELinux store to manage
- .TP
- .I \-t, \-\-type
- SELinux Type for the object
-+.TP
-+.I \-i, \-\-input
-+Take a set of commands from a specified file and load them in a single
-+transaction.
-
- .SH EXAMPLE
- .nf
--# View SELinux user mappings
--$ semanage user -l
--# Allow joe to login as staff_u
--$ semanage login -a -s staff_u joe
--# Allow the group clerks to login as user_u
--$ semanage login -a -s user_u %clerks
--# Add file-context for everything under /web (used by restorecon)
--$ semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?"
--# Allow Apache to listen on port 81
--$ semanage port -a -t http_port_t -p tcp 81
--# Change apache to a permissive domain
--$ semanage permissive -a httpd_t
--# Turn off dontaudit rules
--$ semanage dontaudit off
-+.B SELinux user
-+List SELinux users
-+# semanage user -l
-+
-+.B SELinux login
-+Change joe to login as staff_u
-+# semanage login -a -s staff_u joe
-+Change the group clerks to login as user_u
-+# semanage login -a -s user_u %clerks
-+
-+.B File contexts
-+.i remember to run restorecon after you set the file context
-+Add file-context for everything under /web
-+# semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?"
-+# restorecon -R -v /web
-+
-+Substitute /home1 with /home when setting file context
-+# semanage fcontext -a -e /home /home1
-+# restorecon -R -v /home1
-+
-+For home directories under top level directory, for example /disk6/home,
-+execute the following commands.
-+# semanage fcontext -a -t home_root_t "/disk6"
-+# semanage fcontext -a -e /home /disk6/home
-+# restorecon -R -v /disk6
-+
-+.B Port contexts
-+Allow Apache to listen on tcp port 81
-+# semanage port -a -t http_port_t -p tcp 81
-+
-+.B Change apache to a permissive domain
-+# semanage permissive -a httpd_t
-+
-+.B Turn off dontaudit rules
-+# semanage dontaudit off
-+
-+.B Managing multiple machines
-+Multiple machines that need the same customizations.
-+Extract customizations off first machine, copy them
-+to second and import them.
-+
-+# semanage -o /tmp/local.selinux
-+# scp /tmp/local.selinux secondmachine:/tmp
-+# ssh secondmachine
-+# semanage -i /tmp/local.selinux
-+
-+If these customizations include file context, you need to apply the
-+context using restorecon.
-+
- .fi
-
- .SH "AUTHOR"
--This man page was written by Daniel Walsh <dwalsh at redhat.com> and
--Russell Coker <rcoker at redhat.com>.
-+This man page was written by Daniel Walsh <dwalsh at redhat.com>
-+.br
-+and Russell Coker <rcoker at redhat.com>.
-+.br
- Examples by Thomas Bleher <ThomasBleher at gmx.de>.
diff --git a/policycoreutils/semanage/seobject.py b/policycoreutils/semanage/seobject.py
-index b7d257b..4462c9e 100644
+index 6842b07..6742fe9 100644
--- a/policycoreutils/semanage/seobject.py
+++ b/policycoreutils/semanage/seobject.py
-@@ -25,51 +25,17 @@ import pwd, grp, string, selinux, tempfile, os, re, sys, stat
- from semanage import *;
- PROGNAME = "policycoreutils"
- import sepolgen.module as module
-+from IPy import IP
-
+@@ -30,11 +30,10 @@ from IPy import IP
import gettext
gettext.bindtextdomain(PROGNAME, "/usr/share/locale")
gettext.textdomain(PROGNAME)
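Review bot: the dropped handler change at `- except IOError, error:` / `+ except OSError, error:` swapped one exception type for the other, but in Python 2 IOError and OSError are separate hierarchies: a failed `open(input)` raises IOError while `os.rename` and `os.chmod` raise OSError, so semanage needs to catch both or a file error becomes a traceback, and `error.args[1]` is only safe when the exception carries an (errno, strerror) pair. The dropped semanage.8 text also has two troff slips worth carrying to wherever it now lives: `.i remember to run restorecon` should be `.I`, and `\-[\-on|\-off|\1|0]` should read `[\-\-on|\-\-off|\-1|\-0]`.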
@@ -4442,213 +3499,37 @@ index b7d257b..4462c9e 100644
-except IOError:
- import __builtin__
- __builtin__.__dict__['_'] = unicode
--
--import syslog
-
--handle = None
--
--def get_handle(store):
-- global handle
-- global is_mls_enabled
--
-- handle = semanage_handle_create()
-- if not handle:
-- raise ValueError(_("Could not create semanage handle"))
--
-- if store != "":
-- semanage_select_store(handle, store, SEMANAGE_CON_DIRECT);
--
-- if not semanage_is_managed(handle):
-- semanage_handle_destroy(handle)
-- raise ValueError(_("SELinux policy is not managed or store cannot be accessed."))
--
-- rc = semanage_access_check(handle)
-- if rc < SEMANAGE_CAN_READ:
-- semanage_handle_destroy(handle)
-- raise ValueError(_("Cannot read policy store."))
--
-- rc = semanage_connect(handle)
-- if rc < 0:
-- semanage_handle_destroy(handle)
-- raise ValueError(_("Could not establish semanage connection"))
--
-- is_mls_enabled = semanage_mls_enabled(handle)
-- if is_mls_enabled < 0:
-- semanage_handle_destroy(handle)
-- raise ValueError(_("Could not test MLS enabled status"))
++
+import gettext
+translation=gettext.translation(PROGNAME, localedir = "/usr/share/locale", fallback=True)
+_=translation.ugettext
-- return handle
-+import syslog
+ import syslog
- file_types = {}
- file_types[""] = SEMANAGE_FCONTEXT_ALL;
-@@ -194,45 +160,148 @@ def untranslate(trans, prepend = 1):
+@@ -161,10 +160,12 @@ def untranslate(trans, prepend = 1):
return trans
else:
return raw
-
+
class semanageRecords:
-- def __init__(self, store):
-+ transaction = False
-+ handle = None
-+ store = None
+ transaction = False
+ handle = None
++ store = None
+
-+ def __init__(self, store):
+ def __init__(self, store):
global handle
-- if handle != None:
-- self.sh = handle
-- else:
-- self.sh = get_handle(store)
-- self.transaction = False
-+ self.sh = self.get_handle(store)
-+
-+ def get_handle(self, store):
-+ global is_mls_enabled
-+
-+ if semanageRecords.handle:
-+ return semanageRecords.handle
-+
-+ handle = semanage_handle_create()
-+ if not handle:
-+ raise ValueError(_("Could not create semanage handle"))
-+
-+ if not semanageRecords.transaction and store != "":
-+ semanage_select_store(handle, store, SEMANAGE_CON_DIRECT);
-+ semanageRecords.store = store
-+
-+ if not semanage_is_managed(handle):
-+ semanage_handle_destroy(handle)
-+ raise ValueError(_("SELinux policy is not managed or store cannot be accessed."))
-+
-+ rc = semanage_access_check(handle)
-+ if rc < SEMANAGE_CAN_READ:
-+ semanage_handle_destroy(handle)
-+ raise ValueError(_("Cannot read policy store."))
-+
-+ rc = semanage_connect(handle)
-+ if rc < 0:
-+ semanage_handle_destroy(handle)
-+ raise ValueError(_("Could not establish semanage connection"))
-+
-+ is_mls_enabled = semanage_mls_enabled(handle)
-+ if is_mls_enabled < 0:
-+ semanage_handle_destroy(handle)
-+ raise ValueError(_("Could not test MLS enabled status"))
-+
-+ semanageRecords.handle = handle
-+ return semanageRecords.handle
-
- def deleteall(self):
- raise ValueError(_("Not yet implemented"))
-
- def start(self):
-- if self.transaction:
-+ if semanageRecords.transaction:
- raise ValueError(_("Semanage transaction already in progress"))
- self.begin()
-- self.transaction = True
--
-+ semanageRecords.transaction = True
- def begin(self):
-- if self.transaction:
-+ if semanageRecords.transaction:
- return
- rc = semanage_begin_transaction(self.sh)
- if rc < 0:
- raise ValueError(_("Could not start semanage transaction"))
-+ def customized(self):
-+ raise ValueError(_("Not yet implemented"))
-+
- def commit(self):
-- if self.transaction:
-+ if semanageRecords.transaction:
- return
- rc = semanage_commit(self.sh)
- if rc < 0:
- raise ValueError(_("Could not commit semanage transaction"))
-
- def finish(self):
-- if not self.transaction:
-+ if not semanageRecords.transaction:
- raise ValueError(_("Semanage transaction not in progress"))
-- self.transaction = False
-+ semanageRecords.transaction = False
- self.commit()
-
-+class moduleRecords(semanageRecords):
-+ def __init__(self, store):
-+ semanageRecords.__init__(self, store)
-+
-+ def get_all(self):
-+ l = []
-+ (rc, mlist, number) = semanage_module_list(self.sh)
-+ if rc < 0:
-+ raise ValueError(_("Could not list SELinux modules"))
-+
-+ for i in range(number):
-+ mod = semanage_module_list_nth(mlist, i)
-+ l.append((semanage_module_get_name(mod), semanage_module_get_version(mod), semanage_module_get_enabled(mod)))
-+ return l
-+
-+ def list(self, heading = 1, locallist = 0):
-+ if heading:
-+ print "\n%-25s%-10s\n" % (_("Modules Name"), _("Version"))
-+ for t in self.get_all():
-+ if t[2] == 0:
-+ disabled = _("Disabled")
-+ else:
-+ disabled = ""
-+ print "%-25s%-10s%s" % (t[0], t[1], disabled)
-+
-+ def add(self, file):
-+ rc = semanage_module_install_file(self.sh, file);
-+ if rc >= 0:
-+ self.commit()
-+
-+ def disable(self, module):
-+ need_commit = False
-+ for m in module.split():
-+ rc = semanage_module_disable(self.sh, m)
-+ if rc < 0 and rc != -3:
-+ raise ValueError(_("Could not disable module %s (remove failed)") % m)
-+ if rc != -3:
-+ need_commit = True
-+ if need_commit:
-+ self.commit()
-+
-+ def enable(self, module):
-+ need_commit = False
-+ for m in module.split():
-+ rc = semanage_module_enable(self.sh, m)
-+ if rc < 0 and rc != -3:
-+ raise ValueError(_("Could not enable module %s (remove failed)") % m)
-+ if rc != -3:
-+ need_commit = True
-+ if need_commit:
-+ self.commit()
-+
-+ def modify(self, file):
-+ rc = semanage_module_update_file(self.sh, file);
-+ if rc >= 0:
-+ self.commit()
-+
-+ def delete(self, module):
-+ for m in module.split():
-+ rc = semanage_module_remove(self.sh, m)
-+ if rc < 0 and rc != -2:
-+ raise ValueError(_("Could not remove module %s (remove failed)") % m)
-+
-+ self.commit()
-+
- class dontauditClass(semanageRecords):
- def __init__(self, store):
- semanageRecords.__init__(self, store)
-@@ -259,14 +328,23 @@ class permissiveRecords(semanageRecords):
+@@ -182,7 +183,7 @@ class semanageRecords:
+
+ if not semanageRecords.transaction and store != "":
+ semanage_select_store(handle, store, SEMANAGE_CON_DIRECT);
+- semanageRecords.store = store
++ semanageRecords.store = store
+
+ if not semanage_is_managed(handle):
+ semanage_handle_destroy(handle)
+@@ -328,6 +329,7 @@ class permissiveRecords(semanageRecords):
name = semanage_module_get_name(mod)
if name and name.startswith("permissive_"):
l.append(name.split("permissive_")[1])
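Review bot: the only downstream change left in this region is the class attribute `++ store = None` and the re-indentation of `semanageRecords.store = store` under `if not semanageRecords.transaction and store != "":`; because this rendering strips leading whitespace, the commit message should state whether the assignment now sits inside that `if` (store recorded only when an alternate store was selected) or after it, since in Python that indentation is the behaviour. Minor, on the removed moduleRecords code: the `enable` and `disable` error strings both say "(remove failed)", copied from `delete`.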
@@ -4656,27 +3537,7 @@ index b7d257b..4462c9e 100644
return l
def list(self, heading = 1, locallist = 0):
-- if heading:
-- print "\n%-25s\n" % (_("Permissive Types"))
-- for t in self.get_all():
-- print t
-+ import setools
-+ all = map(lambda y: y["name"], filter(lambda x: x["permissive"], setools.seinfo(setools.TYPE)))
-
-+ if heading:
-+ print "\n%-25s\n" % (_("Builtin Permissive Types"))
-+ customized = self.get_all()
-+ for t in all:
-+ if t not in customized:
-+ print t
-+ if heading:
-+ print "\n%-25s\n" % (_("Customized Permissive Types"))
-+ for t in customized:
-+ print t
-
- def add(self, type):
- import glob
-@@ -343,7 +421,9 @@ class loginRecords(semanageRecords):
+@@ -420,7 +422,9 @@ class loginRecords(semanageRecords):
if rc < 0:
raise ValueError(_("Could not check if login mapping for %s is defined") % name)
if exists:
@@ -4687,40 +3548,7 @@ index b7d257b..4462c9e 100644
if name[0] == '%':
try:
grp.getgrnam(name[1:])
-@@ -475,6 +555,16 @@ class loginRecords(semanageRecords):
-
- mylog.log(1, "delete SELinux user mapping", name);
-
-+ def deleteall(self):
-+ (rc, ulist) = semanage_seuser_list_local(self.sh)
-+ if rc < 0:
-+ raise ValueError(_("Could not list login mappings"))
-+
-+ self.begin()
-+ for u in ulist:
-+ self.__delete(semanage_seuser_get_name(u))
-+ self.commit()
-+
- def get_all(self, locallist = 0):
- ddict = {}
- if locallist:
-@@ -489,6 +579,15 @@ class loginRecords(semanageRecords):
- ddict[name] = (semanage_seuser_get_sename(u), semanage_seuser_get_mlsrange(u))
- return ddict
-
-+ def customized(self):
-+ l = []
-+ ddict = self.get_all(True)
-+ keys = ddict.keys()
-+ keys.sort()
-+ for k in keys:
-+ l.append("-a -s %s -r '%s' %s" % (ddict[k][0], ddict[k][1], k))
-+ return l
-+
- def list(self,heading = 1, locallist = 0):
- ddict = self.get_all(locallist)
- keys = ddict.keys()
-@@ -531,7 +630,8 @@ class seluserRecords(semanageRecords):
+@@ -627,7 +631,8 @@ class seluserRecords(semanageRecords):
if rc < 0:
raise ValueError(_("Could not check if SELinux user %s is defined") % name)
if exists:
@@ -4730,49 +3558,7 @@ index b7d257b..4462c9e 100644
(rc, u) = semanage_user_create(self.sh)
if rc < 0:
-@@ -682,6 +782,16 @@ class seluserRecords(semanageRecords):
-
- mylog.log(1,"delete SELinux user record", name)
-
-+ def deleteall(self):
-+ (rc, ulist) = semanage_user_list_local(self.sh)
-+ if rc < 0:
-+ raise ValueError(_("Could not list login mappings"))
-+
-+ self.begin()
-+ for u in ulist:
-+ self.__delete(semanage_user_get_name(u))
-+ self.commit()
-+
- def get_all(self, locallist = 0):
- ddict = {}
- if locallist:
-@@ -702,6 +812,15 @@ class seluserRecords(semanageRecords):
-
- return ddict
-
-+ def customized(self):
-+ l = []
-+ ddict = self.get_all(True)
-+ keys = ddict.keys()
-+ keys.sort()
-+ for k in keys:
-+ l.append("-a -r %s -R '%s' %s" % (ddict[k][2], ddict[k][3], k))
-+ return l
-+
- def list(self, heading = 1, locallist = 0):
- ddict = self.get_all(locallist)
- keys = ddict.keys()
-@@ -740,12 +859,16 @@ class portRecords(semanageRecords):
- low = int(ports[0])
- high = int(ports[1])
-
-+ if high > 65536:
-+ raise ValueError(_("Invalid Port"))
-+
- (rc, k) = semanage_port_key_create(self.sh, low, high, proto_d)
- if rc < 0:
- raise ValueError(_("Could not create a key for %s/%s") % (proto, port))
+@@ -864,6 +869,7 @@ class portRecords(semanageRecords):
return ( k, proto_d, low, high )
def __add(self, port, proto, serange, type):
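Review bot: the removed check `if high > 65536:` is off by one (65535 is the largest valid port) and never validates `low` (negative, or greater than `high`); whichever range check now replaces it should use `> 65535` and reject `low > high`, otherwise a bad range reaches `semanage_port_key_create` unchecked. The removed `seluserRecords.deleteall` also reuses the loginRecords message "Could not list login mappings" for a failed `semanage_user_list_local`.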
@@ -4780,7 +3566,7 @@ index b7d257b..4462c9e 100644
if is_mls_enabled == 1:
if serange == "":
serange = "s0"
-@@ -808,6 +931,7 @@ class portRecords(semanageRecords):
+@@ -926,6 +932,7 @@ class portRecords(semanageRecords):
self.commit()
def __modify(self, port, proto, serange, setype):
@@ -4788,72 +3574,7 @@ index b7d257b..4462c9e 100644
if serange == "" and setype == "":
if is_mls_enabled == 1:
raise ValueError(_("Requires setype or serange"))
-@@ -942,6 +1066,18 @@ class portRecords(semanageRecords):
- ddict[(ctype,proto_str)].append("%d-%d" % (low, high))
- return ddict
-
-+ def customized(self):
-+ l = []
-+ ddict = self.get_all(True)
-+ keys = ddict.keys()
-+ keys.sort()
-+ for k in keys:
-+ if k[0] == k[1]:
-+ l.append("-a -t %s -p %s %s" % (ddict[k][0], k[2], k[0]))
-+ else:
-+ l.append("-a -t %s -p %s %s-%s" % (ddict[k][0], k[2], k[0], k[1]))
-+ return l
-+
- def list(self, heading = 1, locallist = 0):
- if heading:
- print "%-30s %-8s %s\n" % (_("SELinux Port Type"), _("Proto"), _("Port Number"))
-@@ -958,21 +1094,36 @@ class portRecords(semanageRecords):
- class nodeRecords(semanageRecords):
- def __init__(self, store = ""):
- semanageRecords.__init__(self,store)
-+ self.protocol = ["ipv4", "ipv6"]
-+
-+ def validate(self, addr, mask, protocol):
-+ newaddr=addr
-+ newmask=mask
-+ newprotocol=""
-
-- def __add(self, addr, mask, proto, serange, ctype):
- if addr == "":
- raise ValueError(_("Node Address is required"))
-
-- if mask == "":
-- raise ValueError(_("Node Netmask is required"))
--
-- if proto == "ipv4":
-- proto = 0
-- elif proto == "ipv6":
-- proto = 1
-- else:
-+ # verify valid comination
-+ if len(mask) == 0 or mask[0] == "/":
-+ i = IP(addr + mask)
-+ newaddr = i.strNormal(0)
-+ newmask = str(i.netmask())
-+ if newmask == "0.0.0.0" and i.version() == 6:
-+ newmask = "::"
-+
-+ protocol = "ipv%d" % i.version()
-+
-+ try:
-+ newprotocol = self.protocol.index(protocol)
-+ except:
- raise ValueError(_("Unknown or missing protocol"))
-
-+ return newaddr, newmask, newprotocol
-+
-+ def __add(self, addr, mask, proto, serange, ctype):
-+
-+ addr, mask, proto = self.validate(addr, mask, proto)
-
- if is_mls_enabled == 1:
- if serange == "":
-@@ -991,11 +1142,13 @@ class nodeRecords(semanageRecords):
+@@ -1136,7 +1143,8 @@ class nodeRecords(semanageRecords):
(rc, exists) = semanage_node_exists(self.sh, k)
if exists:
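Review bot: in the removed `nodeRecords.validate`, the bare `except:` around `self.protocol.index(protocol)` should be `except ValueError:` so that KeyboardInterrupt and programming errors are not reported as "Unknown or missing protocol", and the `IP(addr + mask)` call sits outside the try, so a malformed address or prefix surfaces as IPy's own ValueError text rather than a semanage message; the comment also reads "comination". These points apply to wherever that validation lives now that it is no longer carried downstream.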
@@ -4863,42 +3584,15 @@ index b7d257b..4462c9e 100644
(rc, node) = semanage_node_create(self.sh)
if rc < 0:
- raise ValueError(_("Could not create addr for %s") % addr)
-+ semanage_node_set_proto(node, proto)
-
- rc = semanage_node_set_addr(self.sh, node, proto, addr)
- (rc, con) = semanage_context_create(self.sh)
-@@ -1005,8 +1158,7 @@ class nodeRecords(semanageRecords):
- rc = semanage_node_set_mask(self.sh, node, proto, mask)
+@@ -1152,7 +1160,6 @@ class nodeRecords(semanageRecords):
if rc < 0:
raise ValueError(_("Could not set mask for %s") % addr)
+
-
--
-+
rc = semanage_context_set_user(self.sh, con, "system_u")
if rc < 0:
raise ValueError(_("Could not set user in addr context for %s") % addr)
-@@ -1042,18 +1194,8 @@ class nodeRecords(semanageRecords):
- self.commit()
-
- def __modify(self, addr, mask, proto, serange, setype):
-- if addr == "":
-- raise ValueError(_("Node Address is required"))
--
-- if mask == "":
-- raise ValueError(_("Node Netmask is required"))
-- if proto == "ipv4":
-- proto = 0
-- elif proto == "ipv6":
-- proto = 1
-- else:
-- raise ValueError(_("Unknown or missing protocol"))
-
-+ addr, mask, proto = self.validate(addr, mask, proto)
-
- if serange == "" and setype == "":
- raise ValueError(_("Requires setype or serange"))
-@@ -1068,12 +1210,11 @@ class nodeRecords(semanageRecords):
+@@ -1204,12 +1211,11 @@ class nodeRecords(semanageRecords):
if not exists:
raise ValueError(_("Addr %s is not defined") % addr)
@@ -4912,70 +3606,7 @@ index b7d257b..4462c9e 100644
if serange != "":
semanage_context_set_mls(self.sh, con, untranslate(serange))
if setype != "":
-@@ -1092,18 +1233,8 @@ class nodeRecords(semanageRecords):
- self.commit()
-
- def __delete(self, addr, mask, proto):
-- if addr == "":
-- raise ValueError(_("Node Address is required"))
--
-- if mask == "":
-- raise ValueError(_("Node Netmask is required"))
-
-- if proto == "ipv4":
-- proto = 0
-- elif proto == "ipv6":
-- proto = 1
-- else:
-- raise ValueError(_("Unknown or missing protocol"))
-+ addr, mask, proto = self.validate(addr, mask, proto)
-
- (rc, k) = semanage_node_key_create(self.sh, addr, mask, proto)
- if rc < 0:
-@@ -1132,6 +1263,16 @@ class nodeRecords(semanageRecords):
- self.__delete(addr, mask, proto)
- self.commit()
-
-+ def deleteall(self):
-+ (rc, nlist) = semanage_node_list_local(self.sh)
-+ if rc < 0:
-+ raise ValueError(_("Could not deleteall node mappings"))
-+
-+ self.begin()
-+ for node in nlist:
-+ self.__delete(semanage_node_get_addr(self.sh, node)[1], semanage_node_get_mask(self.sh, node)[1], self.protocol[semanage_node_get_proto(node)])
-+ self.commit()
-+
- def get_all(self, locallist = 0):
- ddict = {}
- if locallist :
-@@ -1145,15 +1286,20 @@ class nodeRecords(semanageRecords):
- con = semanage_node_get_con(node)
- addr = semanage_node_get_addr(self.sh, node)
- mask = semanage_node_get_mask(self.sh, node)
-- proto = semanage_node_get_proto(node)
-- if proto == 0:
-- proto = "ipv4"
-- elif proto == 1:
-- proto = "ipv6"
-+ proto = self.protocol[semanage_node_get_proto(node)]
- ddict[(addr[1], mask[1], proto)] = (semanage_context_get_user(con), semanage_context_get_role(con), semanage_context_get_type(con), semanage_context_get_mls(con))
-
- return ddict
-
-+ def customized(self):
-+ l = []
-+ ddict = self.get_all(True)
-+ keys = ddict.keys()
-+ keys.sort()
-+ for k in keys:
-+ l.append("-a -M %s -p %s -t %s %s" % (k[1], k[2],ddict[k][2], k[0]))
-+ return l
-+
- def list(self, heading = 1, locallist = 0):
- if heading:
- print "%-18s %-18s %-5s %-5s\n" % ("IP Address", "Netmask", "Protocol", "Context")
-@@ -1193,7 +1339,8 @@ class interfaceRecords(semanageRecords):
+@@ -1334,7 +1340,8 @@ class interfaceRecords(semanageRecords):
if rc < 0:
raise ValueError(_("Could not check if interface %s is defined") % interface)
if exists:
@@ -4985,98 +3616,7 @@ index b7d257b..4462c9e 100644
(rc, iface) = semanage_iface_create(self.sh)
if rc < 0:
-@@ -1307,6 +1454,16 @@ class interfaceRecords(semanageRecords):
- self.__delete(interface)
- self.commit()
-
-+ def deleteall(self):
-+ (rc, ulist) = semanage_iface_list_local(self.sh)
-+ if rc < 0:
-+ raise ValueError(_("Could not delete all interface mappings"))
-+
-+ self.begin()
-+ for i in ulist:
-+ self.__delete(semanage_iface_get_name(i))
-+ self.commit()
-+
- def get_all(self, locallist = 0):
- ddict = {}
- if locallist:
-@@ -1322,6 +1479,15 @@ class interfaceRecords(semanageRecords):
-
- return ddict
-
-+ def customized(self):
-+ l = []
-+ ddict = self.get_all(True)
-+ keys = ddict.keys()
-+ keys.sort()
-+ for k in keys:
-+ l.append("-a -t %s %s" % (ddict[k][2], k))
-+ return l
-+
- def list(self, heading = 1, locallist = 0):
- if heading:
- print "%-30s %s\n" % (_("SELinux Interface"), _("Context"))
-@@ -1338,6 +1504,48 @@ class interfaceRecords(semanageRecords):
- class fcontextRecords(semanageRecords):
- def __init__(self, store = ""):
- semanageRecords.__init__(self, store)
-+ self.equiv = {}
-+ self.equal_ind = False
-+ try:
-+ fd = open(selinux.selinux_file_context_subs_path(), "r")
-+ for i in fd.readlines():
-+ src, dst = i.split()
-+ self.equiv[src] = dst
-+ fd.close()
-+ except IOError:
-+ pass
-+
-+ def commit(self):
-+ if self.equal_ind:
-+ subs_file = selinux.selinux_file_context_subs_path()
-+ tmpfile = "%s.tmp" % subs_file
-+ fd = open(tmpfile, "w")
-+ for src in self.equiv.keys():
-+ fd.write("%s %s\n" % (src, self.equiv[src]))
-+ fd.close()
-+ try:
-+ os.chmod(tmpfile, os.stat(subs_file)[stat.ST_MODE])
-+ except:
-+ pass
-+ os.rename(tmpfile,subs_file)
-+ self.equal_ind = False
-+ semanageRecords.commit(self)
-+
-+ def add_equal(self, src, dst):
-+ self.begin()
-+ if src in self.equiv.keys():
-+ raise ValueError(_("Equivalence class for %s already exists") % src)
-+ self.equiv[src] = dst
-+ self.equal_ind = True
-+ self.commit()
-+
-+ def modify_equal(self, src, dst):
-+ self.begin()
-+ if src not in self.equiv.keys():
-+ raise ValueError(_("Equivalence class for %s does not exists") % src)
-+ self.equiv[src] = dst
-+ self.equal_ind = True
-+ self.commit()
-
- def createcon(self, target, seuser = "system_u"):
- (rc, con) = semanage_context_create(self.sh)
-@@ -1364,6 +1572,8 @@ class fcontextRecords(semanageRecords):
- def validate(self, target):
- if target == "" or target.find("\n") >= 0:
- raise ValueError(_("Invalid file specification"))
-+ if target.find(" ") != -1:
-+ raise ValueError(_("File specification can not include spaces"))
-
- def __add(self, target, type, ftype = "", serange = "", seuser = "system_u"):
- self.validate(target)
-@@ -1388,7 +1598,8 @@ class fcontextRecords(semanageRecords):
+@@ -1592,7 +1599,8 @@ class fcontextRecords(semanageRecords):
raise ValueError(_("Could not check if file context for %s is defined") % target)
if exists:
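Review bot: in the removed fcontext equivalence code, `add_equal` and `modify_equal` never run `validate()` on `src` or `dst`, while the loader does `src, dst = i.split()` per line; a path containing whitespace or a newline would be written out by `commit()` and break parsing of the whole subs file on the next load (the space check added to `validate()` at `if target.find(" ") != -1:` only covers the `-t` path). `commit()` also wraps `os.chmod(tmpfile, ...)` in a bare `try/except: pass`, so if copying the mode fails the renamed subs file silently keeps whatever the umask produced; since libselinux reads this file when computing labels, that failure should at least be reported.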
@@ -5086,62 +3626,21 @@ index b7d257b..4462c9e 100644
(rc, fcontext) = semanage_fcontext_create(self.sh)
if rc < 0:
-@@ -1504,9 +1715,16 @@ class fcontextRecords(semanageRecords):
- raise ValueError(_("Could not delete the file context %s") % target)
- semanage_fcontext_key_free(k)
-
-+ self.equiv = {}
-+ self.equal_ind = True
- self.commit()
-
- def __delete(self, target, ftype):
-+ if target in self.equiv.keys():
-+ self.equiv.pop(target)
-+ self.equal_ind = True
-+ return
-+
- (rc,k) = semanage_fcontext_key_create(self.sh, target, file_types[ftype])
- if rc < 0:
- raise ValueError(_("Could not create a key for %s") % target)
-@@ -1561,12 +1779,22 @@ class fcontextRecords(semanageRecords):
+@@ -1783,11 +1791,11 @@ class fcontextRecords(semanageRecords):
+ return l
- return ddict
-
-+ def customized(self):
-+ l = []
-+ fcon_dict = self.get_all(True)
-+ keys = fcon_dict.keys()
-+ keys.sort()
-+ for k in keys:
-+ if fcon_dict[k]:
-+ l.append("-a -f '%s' -t %s '%s'" % (k[1], fcon_dict[k][2], k[0]))
-+ return l
-+
def list(self, heading = 1, locallist = 0 ):
- if heading:
- print "%-50s %-18s %s\n" % (_("SELinux fcontext"), _("type"), _("Context"))
fcon_dict = self.get_all(locallist)
keys = fcon_dict.keys()
keys.sort()
-+ if len(keys) > 0 and heading:
++ if len(keys) > 0 and heading:
+ print "%-50s %-18s %s\n" % (_("SELinux fcontext"), _("type"), _("Context"))
for k in keys:
if fcon_dict[k]:
if is_mls_enabled:
-@@ -1575,6 +1803,12 @@ class fcontextRecords(semanageRecords):
- print "%-50s %-18s %s:%s:%s " % (k[0], k[1], fcon_dict[k][0], fcon_dict[k][1],fcon_dict[k][2])
- else:
- print "%-50s %-18s <<None>>" % (k[0], k[1])
-+ if len(self.equiv.keys()) > 0:
-+ if heading:
-+ print _("\nSELinux fcontext Equivalence \n")
-+
-+ for src in self.equiv.keys():
-+ print "%s = %s" % (src, self.equiv[src])
-
- class booleanRecords(semanageRecords):
- def __init__(self, store = ""):
-@@ -1587,6 +1821,18 @@ class booleanRecords(semanageRecords):
+@@ -1814,6 +1822,18 @@ class booleanRecords(semanageRecords):
self.dict["1"] = 1
self.dict["0"] = 0
@@ -5160,7 +3659,7 @@ index b7d257b..4462c9e 100644
def __mod(self, name, value):
(rc, k) = semanage_bool_key_create(self.sh, name)
if rc < 0:
-@@ -1606,9 +1852,10 @@ class booleanRecords(semanageRecords):
+@@ -1833,9 +1853,10 @@ class booleanRecords(semanageRecords):
else:
raise ValueError(_("You must specify one of the following values: %s") % ", ".join(self.dict.keys()) )
@@ -5174,7 +3673,7 @@ index b7d257b..4462c9e 100644
rc = semanage_bool_modify_local(self.sh, k, b)
if rc < 0:
raise ValueError(_("Could not modify boolean %s") % name)
-@@ -1691,8 +1938,12 @@ class booleanRecords(semanageRecords):
+@@ -1918,8 +1939,12 @@ class booleanRecords(semanageRecords):
value = []
name = semanage_bool_get_name(boolean)
value.append(semanage_bool_get_value(boolean))
@@ -5189,92 +3688,191 @@ index b7d257b..4462c9e 100644
ddict[name] = value
return ddict
-@@ -1706,6 +1957,16 @@ class booleanRecords(semanageRecords):
- else:
- return _("unknown")
-
-+ def customized(self):
-+ l = []
-+ ddict = self.get_all(True)
-+ keys = ddict.keys()
-+ keys.sort()
-+ for k in keys:
-+ if ddict[k]:
-+ l.append("-%s %s" % (ddict[k][2], k))
-+ return l
-+
- def list(self, heading = True, locallist = False, use_file = False):
- on_off = (_("off"), _("on"))
- if use_file:
-diff --git a/policycoreutils/semodule/semodule.c b/policycoreutils/semodule/semodule.c
-index 059f629..81d6a3c 100644
---- a/policycoreutils/semodule/semodule.c
-+++ b/policycoreutils/semodule/semodule.c
-@@ -162,6 +162,7 @@ static void parse_command_line(int argc, char **argv)
- {"noreload", 0, NULL, 'n'},
- {"build", 0, NULL, 'B'},
- {"disable_dontaudit", 0, NULL, 'D'},
-+ {"path", required_argument, NULL, 'p'},
- {NULL, 0, NULL, 0}
- };
- int i;
-@@ -170,7 +171,7 @@ static void parse_command_line(int argc, char **argv)
- no_reload = 0;
- create_store = 0;
- while ((i =
-- getopt_long(argc, argv, "s:b:hi:lvqe:d:r:u:RnBD", opts,
-+ getopt_long(argc, argv, "p:s:b:hi:lvqe:d:r:u:RnBD", opts,
- NULL)) != -1) {
- switch (i) {
- case 'b':
-@@ -198,6 +199,9 @@ static void parse_command_line(int argc, char **argv)
- case 'r':
- set_mode(REMOVE_M, optarg);
- break;
-+ case 'p':
-+ semanage_set_root(optarg);
-+ break;
- case 'u':
- set_mode(UPGRADE_M, optarg);
- break;
-diff --git a/policycoreutils/semodule_expand/semodule_expand.8 b/policycoreutils/semodule_expand/semodule_expand.8
-index 22ad3be..35df2ed 100644
---- a/policycoreutils/semodule_expand/semodule_expand.8
-+++ b/policycoreutils/semodule_expand/semodule_expand.8
-@@ -3,7 +3,7 @@
- semodule_expand \- Expand a SELinux policy module package.
+diff --git a/policycoreutils/semodule_package/Makefile b/policycoreutils/semodule_package/Makefile
+index 0a4a3a6..f84cd7e 100644
+--- a/policycoreutils/semodule_package/Makefile
++++ b/policycoreutils/semodule_package/Makefile
+@@ -9,15 +9,17 @@ CFLAGS ?= -Werror -Wall -W
+ override CFLAGS += -I$(INCLUDEDIR)
+ LDLIBS = -lsepol -lselinux -L$(LIBDIR)
- .SH SYNOPSIS
--.B semodule_expand [-V -c [version]] basemodpkg outputfile
-+.B semodule_expand [-V ] [ -a ] [ -c [version]] basemodpkg outputfile
- .br
- .SH DESCRIPTION
- .PP
-@@ -22,6 +22,9 @@ show version
- .TP
- .B \-c [version]
- policy version to create
-+.TP
-+.B \-a
-+Check assertions. This will cause the policy to check all neverallow rules.
+-all: semodule_package
++all: semodule_package semodule_unpackage
+
+ semodule_package: semodule_package.o
+
+ install: all
+ -mkdir -p $(BINDIR)
+ install -m 755 semodule_package $(BINDIR)
++ install -m 755 semodule_unpackage $(BINDIR)
+ test -d $(MANDIR)/man8 || install -m 755 -d $(MANDIR)/man8
+ install -m 644 semodule_package.8 $(MANDIR)/man8/
++ install -m 644 semodule_unpackage.8 $(MANDIR)/man8/
+
+ relabel:
- .SH SEE ALSO
- .B checkmodule(8), semodule_package(8), semodule(8), semodule_link(8)
diff --git a/policycoreutils/semodule_package/semodule_package.8 b/policycoreutils/semodule_package/semodule_package.8
-index fb41480..29c9eb2 100644
+index 29c9eb2..ddad2d2 100644
--- a/policycoreutils/semodule_package/semodule_package.8
+++ b/policycoreutils/semodule_package/semodule_package.8
-@@ -45,7 +45,6 @@ netfilter context file to be included in the package.
+@@ -44,7 +44,7 @@ File contexts file for the module (optional).
+ netfilter context file to be included in the package.
.SH SEE ALSO
- .B checkmodule(8), semodule(8)
--(8),
+-.B checkmodule(8), semodule(8)
++.B checkmodule(8), semodule(8), semodule_unpackage(8)
.SH AUTHORS
.nf
This manual page was written by Dan Walsh <dwalsh at redhat.com>.
+diff --git a/policycoreutils/semodule_package/semodule_unpackage.8 b/policycoreutils/semodule_package/semodule_unpackage.8
+new file mode 100644
+index 0000000..62dd53e
+--- /dev/null
++++ b/policycoreutils/semodule_package/semodule_unpackage.8
+@@ -0,0 +1,24 @@
++.TH SEMODULE_PACKAGE "8" "Nov 2005" "Security Enhanced Linux" NSA
++.SH NAME
++semodule_unpackage \- Extract polciy module and file context file from an SELinux policy module unpackage.
++
++.SH SYNOPSIS
++.B semodule_unpackage <module> [<file contexts>]
++.br
++.SH DESCRIPTION
++.PP
++semodule_unpackage is the tool used to extract the SELinux policy module
++ and file context file from an SELinux Policy Package.
++
++.SH EXAMPLE
++.nf
++# Extract the httpd module file from httpd policy package.
++$ semodule_unpackage httpd.pp httpd.mod httpd.fc
++.fi
++
++.SH SEE ALSO
++.B semodule_package(8)
++.SH AUTHORS
++.nf
++This manual page was written by Dan Walsh <dwalsh at redhat.com>.
++The program was written by Stephen Smalley <sds at tycho.nsa.gov>
+diff --git a/policycoreutils/semodule_package/semodule_unpackage.c b/policycoreutils/semodule_package/semodule_unpackage.c
+new file mode 100644
+index 0000000..0120ee4
+--- /dev/null
++++ b/policycoreutils/semodule_package/semodule_unpackage.c
+@@ -0,0 +1,103 @@
++#include <sepol/module.h>
++#include <getopt.h>
++#include <fcntl.h>
++#include <stdio.h>
++#include <stdlib.h>
++#include <string.h>
++#include <unistd.h>
++#include <sys/types.h>
++#include <sys/stat.h>
++#include <sys/mman.h>
++#include <fcntl.h>
++#include <errno.h>
++
++char *progname = NULL;
++extern char *optarg;
++
++static void usage(char *progname)
++{
++ printf("usage: %s ppfile modfile [fcfile]\n", progname);
++ exit(1);
++}
++
++static int file_to_policy_file(char *filename, struct sepol_policy_file **pf, char *mode)
++{
++ FILE *f;
++
++ if (sepol_policy_file_create(pf)) {
++ fprintf(stderr, "%s: Out of memory\n", progname);
++ return -1;
++ }
++
++ f = fopen(filename, mode);
++ if (!f) {
++ fprintf(stderr, "%s: Could not open file %s: %s\n", progname, strerror(errno), filename);
++ return -1;
++ }
++ sepol_policy_file_set_fp(*pf, f);
++ return 0;
++}
++
++int main(int argc, char **argv)
++{
++ struct sepol_module_package *pkg;
++ struct sepol_policy_file *in, *out;
++ FILE *fp;
++ size_t len;
++ char *ppfile, *modfile, *fcfile = NULL, *fcdata;
++
++ progname = argv[0];
++
++ if (argc < 3) {
++ usage(progname);
++ exit(1);
++ }
++
++ ppfile = argv[1];
++ modfile = argv[2];
++ if (argc >= 3)
++ fcfile = argv[3];
++
++ if (file_to_policy_file(ppfile, &in, "r"))
++ exit(1);
++
++ if (sepol_module_package_create(&pkg)) {
++ fprintf(stderr, "%s: Out of memory\n", progname);
++ exit(1);
++ }
++
++ if (sepol_module_package_read(pkg, in, 0) == -1) {
++ fprintf(stderr, "%s: Error while reading policy module from %s\n",
++ progname, ppfile);
++ exit(1);
++ }
++
++ if (file_to_policy_file(modfile, &out, "w"))
++ exit(1);
++
++ if (sepol_policydb_write(sepol_module_package_get_policy(pkg), out)) {
++ fprintf(stderr, "%s: Error while writing module to %s\n", progname, modfile);
++ exit(1);
++ }
++
++ sepol_policy_file_free(in);
++ sepol_policy_file_free(out);
++
++ len = sepol_module_package_get_file_contexts_len(pkg);
++ if (fcfile && len) {
++ fp = fopen(fcfile, "w");
++ if (!fp) {
++ fprintf(stderr, "%s: Could not open file %s: %s\n", progname, strerror(errno), fcfile);
++ exit(1);
++ }
++ fcdata = sepol_module_package_get_file_contexts(pkg);
++ if (fwrite(fcdata, 1, len, fp) != len) {
++ fprintf(stderr, "%s: Could not write file %s: %s\n", progname, strerror(errno), fcfile);
++ exit(1);
++ }
++ fclose(fp);
++ }
++
++ sepol_module_package_free(pkg);
++ exit(0);
++}
+diff --git a/policycoreutils/sepolgen-ifgen/.gitignore b/policycoreutils/sepolgen-ifgen/.gitignore
+new file mode 100644
+index 0000000..3816d2e
+--- /dev/null
++++ b/policycoreutils/sepolgen-ifgen/.gitignore
+@@ -0,0 +1 @@
++sepolgen-ifgen-attr-helper
diff --git a/policycoreutils/sepolgen-ifgen/Makefile b/policycoreutils/sepolgen-ifgen/Makefile
new file mode 100644
-index 0000000..211580d
+index 0000000..99f8fd0
--- /dev/null
+++ b/policycoreutils/sepolgen-ifgen/Makefile
@@ -0,0 +1,25 @@
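Review bot: in the new semodule_unpackage.c the error messages in file_to_policy_file() and in the fcfile branch of main() pass `strerror(errno)` before the file name, so a format of "Could not open file %s: %s" prints the errno text where the path belongs and the path where the errno text belongs; swap the two arguments in all three fprintf calls. The optional third argument is read with `if (argc >= 3) fcfile = argv[3];`, which only avoids an out-of-bounds read because argv[argc] is NULL; the intended test is `argc > 3`. Smaller points in the same file: `<fcntl.h>` is included twice, `<getopt.h>` and `extern char *optarg` are unused, and `usage()` already calls exit(1) so the `exit(1)` that follows it in main() is dead code. In semodule_unpackage.8 the `.TH` title still reads SEMODULE_PACKAGE, "polciy" should be "policy", and "module unpackage" in the NAME line should be "module package".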
@@ -5284,7 +3882,7 @@ index 0000000..211580d
+LIBDIR ?= ${PREFIX}/lib
+INCLUDEDIR ?= $(PREFIX)/include
+
-+CFLAGS ?= -Wall -W
++CFLAGS ?= -Werror -Wall -W
+override CFLAGS += -I$(INCLUDEDIR)
+LDLIBS = $(LIBDIR)/libsepol.a
+
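Review bot: `CFLAGS ?= -Werror -Wall -W` means the sepolgen-ifgen helper build fails on any warning a newer compiler introduces; the default matches the semodule_package Makefile elsewhere in this patch and stays overridable because of `?=`, so confirm the spec passes its own CFLAGS to make if that breakage is not wanted for the package build.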
@@ -5305,15 +3903,15 @@ index 0000000..211580d
+relabel: ;
diff --git a/policycoreutils/sepolgen-ifgen/sepolgen-ifgen-attr-helper.c b/policycoreutils/sepolgen-ifgen/sepolgen-ifgen-attr-helper.c
new file mode 100644
-index 0000000..8f5c8e0
+index 0000000..1ce37b0
--- /dev/null
+++ b/policycoreutils/sepolgen-ifgen/sepolgen-ifgen-attr-helper.c
-@@ -0,0 +1,233 @@
+@@ -0,0 +1,232 @@
+/* Authors: Frank Mayer <mayerf at tresys.com>
+ * and Karl MacMillan <kmacmillan at tresys.com>
+ *
+ * Copyright (C) 2003,2010 Tresys Technology, LLC
-+ *
++ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation, version 2.
@@ -5492,7 +4090,7 @@ index 0000000..8f5c8e0
+ }
+
+ fclose(fp);
-+
++
+ return policydb;
+
+}
@@ -5515,9 +4113,8 @@ index 0000000..8f5c8e0
+
+ /* Open the policy. */
+ p = load_policy(argv[1]);
-+ if (p == NULL) {
++ if (p == NULL)
+ return -1;
-+ }
+
+ /* Open the output policy. */
+ fp = fopen(argv[2], "w");
@@ -5543,76 +4140,30 @@ index 0000000..8f5c8e0
+ return 0;
+}
diff --git a/policycoreutils/setfiles/restore.c b/policycoreutils/setfiles/restore.c
-index b649d8f..38416d8 100644
+index e05761a..66cb950 100644
--- a/policycoreutils/setfiles/restore.c
+++ b/policycoreutils/setfiles/restore.c
-@@ -1,4 +1,5 @@
- #include "restore.h"
-+#include <glob.h>
+@@ -318,11 +318,16 @@ static int process_one(char *name, int recurse_this_path)
- #define SKIP -2
- #define ERR -1
-@@ -31,7 +32,6 @@ struct edir {
-
- static file_spec_t *fl_head;
--static int exclude(const char *file);
- static int filespec_add(ino_t ino, const security_context_t con, const char *file);
- static int only_changed_user(const char *a, const char *b);
- struct restore_opts *r_opts = NULL;
-@@ -53,7 +53,6 @@ void remove_exclude(const char *directory)
- }
- }
- return;
--
- }
-
- void restore_init(struct restore_opts *opts)
-@@ -300,8 +299,14 @@ static int process_one(char *name, int recurse_this_path)
- int rc = 0;
- const char *namelist[2] = {name, NULL};
- dev_t dev_num = 0;
-- FTS *fts_handle;
-- FTSENT *ftsent;
-+ FTS *fts_handle = NULL;
-+ FTSENT *ftsent = NULL;
-+
-+ if (r_opts == NULL){
+ ftsent = fts_read(fts_handle);
+- if (ftsent != NULL) {
+- /* Keep the inode of the first one. */
+- dev_num = ftsent->fts_statp->st_dev;
++ if (ftsent == NULL) {
+ fprintf(stderr,
-+ "Must call initialize first!");
++ "%s: error while labeling %s: %s\n",
++ r_opts->progname, namelist[0], strerror(errno));
+ goto err;
-+ }
-
- fts_handle = fts_open((char **)namelist, r_opts->fts_flags, NULL);
- if (fts_handle == NULL) {
-@@ -357,11 +362,34 @@ err:
- goto out;
- }
+ }
-+int process_glob(char *name, int recurse) {
-+ glob_t globbuf;
-+ size_t i = 0;
-+ int errors = 0;
-+ memset(&globbuf, 0, sizeof(globbuf));
-+ globbuf.gl_offs = 0;
-+ if (glob(name,
-+ GLOB_TILDE | GLOB_PERIOD,
-+ NULL,
-+ &globbuf) >= 0) {
-+ for (i = 0; i < globbuf.gl_pathc; i++) {
-+ int len = strlen(globbuf.gl_pathv[i]) -2;
-+ if (len > 0 && strcmp(&globbuf.gl_pathv[i][len--], "/.") == 0) continue;
-+ if (len > 0 && strcmp(&globbuf.gl_pathv[i][len], "/..") == 0) continue;
-+ errors |= process_one_realpath(globbuf.gl_pathv[i], recurse) < 0;
-+ }
-+ globfree(&globbuf);
-+ }
-+ else
-+ errors |= process_one_realpath(name, recurse) < 0;
-+ return errors;
-+}
++ /* Keep the inode of the first one. */
++ dev_num = ftsent->fts_statp->st_dev;
+
- int process_one_realpath(char *name, int recurse)
+ do {
+ rc = 0;
+ /* Skip the post order nodes. */
+@@ -388,7 +393,7 @@ int process_one_realpath(char *name, int recurse)
{
int rc = 0;
char *p;
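Review bot: the new `if (ftsent == NULL)` check in process_one() closes the path where a failed first fts_read() fell through with a NULL ftsent into the loop that follows, which is a real fix; the message relies on errno having been set by fts_read(), which holds for failures but not for an end-of-hierarchy return (errno 0), acceptable here because namelist carries a single root. Check that the `err:` label this jumps to closes fts_handle, since the handle is already open at this point.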
@@ -5621,27 +4172,16 @@ index b649d8f..38416d8 100644
if (r_opts == NULL){
fprintf(stderr,
-@@ -372,8 +400,9 @@ int process_one_realpath(char *name, int recurse)
+@@ -399,7 +404,7 @@ int process_one_realpath(char *name, int recurse)
if (!r_opts->expand_realpath) {
return process_one(name, recurse);
} else {
- rc = lstat(name, &sb);
+ rc = lstat64(name, &sb);
if (rc < 0) {
-+ if (r_opts->ignore_enoent && errno == ENOENT) return 0;
- fprintf(stderr, "%s: lstat(%s) failed: %s\n",
- r_opts->progname, name, strerror(errno));
- return -1;
-@@ -409,7 +438,7 @@ int process_one_realpath(char *name, int recurse)
- }
- }
-
--static int exclude(const char *file)
-+int exclude(const char *file)
- {
- int i = 0;
- for (i = 0; i < excludeCtr; i++) {
-@@ -537,7 +566,7 @@ static int filespec_add(ino_t ino, const security_context_t con, const char *fil
+ if (r_opts->ignore_enoent && errno == ENOENT)
+ return 0;
+@@ -566,7 +571,7 @@ static int filespec_add(ino_t ino, const security_context_t con, const char *fil
{
file_spec_t *prevfl, *fl;
int h, ret;
@@ -5650,7 +4190,7 @@ index b649d8f..38416d8 100644
if (!fl_head) {
fl_head = malloc(sizeof(file_spec_t) * HASH_BUCKETS);
-@@ -550,7 +579,7 @@ static int filespec_add(ino_t ino, const security_context_t con, const char *fil
+@@ -579,7 +584,7 @@ static int filespec_add(ino_t ino, const security_context_t con, const char *fil
for (prevfl = &fl_head[h], fl = fl_head[h].next; fl;
prevfl = fl, fl = fl->next) {
if (ino == fl->ino) {
@@ -5659,7 +4199,7 @@ index b649d8f..38416d8 100644
if (ret < 0 || sb.st_ino != ino) {
freecon(fl->con);
free(fl->file);
-@@ -602,5 +631,67 @@ static int filespec_add(ino_t ino, const security_context_t con, const char *fil
+@@ -631,5 +636,67 @@ static int filespec_add(ino_t ino, const security_context_t con, const char *fil
return -1;
}
@@ -5688,7 +4228,7 @@ index b649d8f..38416d8 100644
+ fp = fopen("/proc/mounts", "r");
+ if (!fp)
+ return;
-+
+
+ while ((num = getline(&buf, &len, fp)) != -1) {
+ found = 0;
+ index = 0;
@@ -5706,7 +4246,7 @@ index b649d8f..38416d8 100644
+ buf);
+ continue;
+ }
-
++
+ /* remove pre-existing entry */
+ remove_exclude(mount_info[1]);
+
@@ -5728,80 +4268,18 @@ index b649d8f..38416d8 100644
+}
diff --git a/policycoreutils/setfiles/restore.h b/policycoreutils/setfiles/restore.h
-index 03b82e8..8b50ff8 100644
+index 7e988d5..ac27222 100644
--- a/policycoreutils/setfiles/restore.h
+++ b/policycoreutils/setfiles/restore.h
-@@ -27,6 +27,7 @@ struct restore_opts {
- int hard_links;
- int verbose;
- int logging;
-+ int ignore_enoent;
- char *rootpath;
- int rootpathlen;
- char *progname;
-@@ -44,7 +45,10 @@ struct restore_opts {
- void restore_init(struct restore_opts *opts);
- void restore_finish();
- int add_exclude(const char *directory);
-+int exclude(const char *path);
+@@ -49,5 +49,6 @@ int exclude(const char *path);
void remove_exclude(const char *directory);
int process_one_realpath(char *name, int recurse);
-+int process_glob(char *name, int recurse);
-
+ int process_glob(char *name, int recurse);
+void exclude_non_seclabel_mounts();
- #endif
-diff --git a/policycoreutils/setfiles/restorecon.8 b/policycoreutils/setfiles/restorecon.8
-index 1eb6a43..c8ea4bb 100644
---- a/policycoreutils/setfiles/restorecon.8
-+++ b/policycoreutils/setfiles/restorecon.8
-@@ -4,10 +4,10 @@ restorecon \- restore file(s) default SELinux security contexts.
- .SH "SYNOPSIS"
- .B restorecon
--.I [\-o outfilename ] [\-R] [\-n] [\-v] [\-e directory ] pathname...
-+.I [\-o outfilename ] [\-R] [\-n] [\-p] [\-v] [\-e directory ] pathname...
- .P
- .B restorecon
--.I \-f infilename [\-o outfilename ] [\-e directory ] [\-R] [\-n] [\-v] [\-F]
-+.I \-f infilename [\-o outfilename ] [\-e directory ] [\-R] [\-n] [\-p] [\-v] [\-F]
-
- .SH "DESCRIPTION"
- This manual page describes the
-@@ -40,6 +40,9 @@ don't change any file labels.
- .TP
- .B \-o outfilename
- save list of files with incorrect context in outfilename.
-+.TP
-+.B \-p
-+show progress by printing * every 1000 files.
- .TP
- .B \-v
- show changes in file labels.
-diff --git a/policycoreutils/setfiles/setfiles.8 b/policycoreutils/setfiles/setfiles.8
-index ac68b94..7f700ca 100644
---- a/policycoreutils/setfiles/setfiles.8
-+++ b/policycoreutils/setfiles/setfiles.8
-@@ -10,7 +10,7 @@ This manual page describes the
- .BR setfiles
- program.
- .P
--This program is primarily used to initialise the security context
-+This program is primarily used to initialize the security context
- database (extended attributes) on one or more filesystems. This
- program is initially run as part of the SE Linux installation process.
- .P
-@@ -31,6 +31,9 @@ log changes in file labels to syslog.
- .TP
- .B \-n
- don't change any file labels.
-+.TP
-+.B \-p
-+show progress by printing * every 1000 files.
- .TP
- .B \-q
- suppress non-error output.
+ #endif
diff --git a/policycoreutils/setfiles/setfiles.c b/policycoreutils/setfiles/setfiles.c
-index 8f4f663..b0a7e09 100644
+index d320e9f..fa0cd6a 100644
--- a/policycoreutils/setfiles/setfiles.c
+++ b/policycoreutils/setfiles/setfiles.c
@@ -5,7 +5,6 @@
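Review bot: the prototype added to restore.h, `void exclude_non_seclabel_mounts();`, is an old-style declaration with an unspecified parameter list; declare it as `void exclude_non_seclabel_mounts(void);` so the compiler can diagnose calls with arguments and so the header is consistent with the `(void)` style expected under `-Wall -W`.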
@@ -5812,31 +4290,38 @@ index 8f4f663..b0a7e09 100644
#define __USE_XOPEN_EXTENDED 1 /* nftw */
#include <libgen.h>
#ifdef USE_AUDIT
-@@ -25,7 +24,6 @@ static char *policyfile = NULL;
+@@ -15,8 +14,6 @@
+ #define AUDIT_FS_RELABEL 2309
+ #endif
+ #endif
+-static int mass_relabel;
+-static int mass_relabel_errs;
+
+
+ /* cmdline opts*/
+@@ -24,7 +21,6 @@ static int mass_relabel_errs;
+ static char *policyfile = NULL;
static int warn_no_match = 0;
static int null_terminated = 0;
- static int errors;
--static int ignore_enoent;
+-static int errors;
static struct restore_opts r_opts;
#define STAT_BLOCK_SIZE 1
-@@ -44,13 +42,13 @@ void usage(const char *const name)
+@@ -108,10 +104,11 @@ int canoncon(char **contextp)
+ }
+
+ #ifndef USE_AUDIT
+-static void maybe_audit_mass_relabel(void)
++static void maybe_audit_mass_relabel(int mass_relabel __attribute__((unused)),
++ int mass_relabel_errs __attribute__((unused)))
{
- if (iamrestorecon) {
- fprintf(stderr,
-- "usage: %s [-iFnrRv0] [-e excludedir ] [-o filename ] [-f filename | pathname... ]\n",
-+ "usage: %s [-iFnprRv0] [-e excludedir ] [-o filename ] [-f filename | pathname... ]\n",
- name);
- } else {
- fprintf(stderr,
- "usage: %s [-dnpqvW] [-o filename] [-r alt_root_path ] spec_file pathname...\n"
- "usage: %s -c policyfile spec_file\n"
-- "usage: %s -s [-dnqvW] [-o filename ] spec_file\n", name, name,
-+ "usage: %s -s [-dnpqvW] [-o filename ] spec_file\n", name, name,
- name);
- }
- exit(1);
-@@ -138,69 +136,6 @@ static void maybe_audit_mass_relabel(void)
+ #else
+-static void maybe_audit_mass_relabel(void)
++static void maybe_audit_mass_relabel(int mass_relabel, int mass_relabel_errs)
+ {
+ int audit_fd = -1;
+ int rc = 0;
+@@ -137,69 +134,6 @@ static void maybe_audit_mass_relabel(void)
#endif
}
@@ -5906,89 +4391,22 @@ index 8f4f663..b0a7e09 100644
int main(int argc, char **argv)
{
struct stat sb;
-@@ -335,7 +270,7 @@ int main(int argc, char **argv)
- r_opts.debug = 1;
- break;
- case 'i':
-- ignore_enoent = 1;
-+ r_opts.ignore_enoent = 1;
- break;
- case 'l':
- r_opts.logging = 1;
-@@ -371,7 +306,7 @@ int main(int argc, char **argv)
- break;
- }
- if (optind + 1 >= argc) {
-- fprintf(stderr, "usage: %s -r r_opts.rootpath\n",
-+ fprintf(stderr, "usage: %s -r rootpath\n",
- argv[0]);
- exit(1);
- }
-@@ -475,7 +410,7 @@ int main(int argc, char **argv)
- buf[len - 1] = 0;
- if (!strcmp(buf, "/"))
- mass_relabel = 1;
-- errors |= process_one_realpath(buf, recurse) < 0;
-+ errors |= process_glob(buf, recurse) < 0;
- }
- if (strcmp(input_filename, "-") != 0)
- fclose(f);
-@@ -483,7 +418,8 @@ int main(int argc, char **argv)
- for (i = optind; i < argc; i++) {
- if (!strcmp(argv[i], "/"))
- mass_relabel = 1;
-- errors |= process_one_realpath(argv[i], recurse) < 0;
-+
-+ errors |= process_glob(argv[i], recurse) < 0;
- }
- }
+@@ -210,6 +144,7 @@ int main(int argc, char **argv)
+ size_t buf_len;
+ int recurse; /* Recursive descent. */
+ char *base;
++ int mass_relabel = 0, errors = 0;
-diff --git a/policycoreutils/setsebool/setsebool.8 b/policycoreutils/setsebool/setsebool.8
-index 4b13387..2b66bad 100644
---- a/policycoreutils/setsebool/setsebool.8
-+++ b/policycoreutils/setsebool/setsebool.8
-@@ -16,7 +16,7 @@ affected; the boot-time default settings
- are not changed.
-
- If the -P option is given, all pending values are written to
--the policy file on disk. So they will be persistant across reboots.
-+the policy file on disk. So they will be persistent across reboots.
-
- .SH AUTHOR
- This manual page was written by Dan Walsh <dwalsh at redhat.com>.
-diff --git a/policycoreutils/setsebool/setsebool.c b/policycoreutils/setsebool/setsebool.c
-index dc037dd..d6c041b 100644
---- a/policycoreutils/setsebool/setsebool.c
-+++ b/policycoreutils/setsebool/setsebool.c
-@@ -82,8 +82,13 @@ static int selinux_set_boolean_list(size_t boolcnt,
- if (errno == ENOENT)
- fprintf(stderr, "Could not change active booleans: "
- "Invalid boolean\n");
-- else if (errno)
-- perror("Could not change active booleans");
-+ else if (errno) {
-+ if (getuid() == 0) {
-+ perror("Could not change active booleans");
-+ } else {
-+ perror("Could not change active booleans. Please try as root");
-+ }
-+ }
+ memset(&r_opts, 0, sizeof(r_opts));
- return -1;
- }
-@@ -115,8 +120,13 @@ static int semanage_set_boolean_list(size_t boolcnt,
- goto err;
-
- } else if (managed == 0) {
-- fprintf(stderr,
-- "Cannot set persistent booleans without managed policy.\n");
-+ if (getuid() == 0) {
-+ fprintf(stderr,
-+ "Cannot set persistent booleans without managed policy.\n");
-+ } else {
-+ fprintf(stderr,
-+ "Cannot set persistent booleans, please try as root.\n");
-+ }
- goto err;
+@@ -487,9 +422,7 @@ int main(int argc, char **argv)
+ }
}
+
+- if (mass_relabel)
+- mass_relabel_errs = errors;
+- maybe_audit_mass_relabel();
++ maybe_audit_mass_relabel(mass_relabel, errors);
+ if (warn_no_match)
+ selabel_stats(r_opts.hnd);
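Review bot: with `static int errors` and `static int mass_relabel` removed in the earlier setfiles.c hunk and redeclared as locals in main() via `int mass_relabel = 0, errors = 0;`, any other function in setfiles.c that still references either symbol will no longer compile; grep the file for both names before merging. The replacement call `maybe_audit_mass_relabel(mass_relabel, errors);` also passes the error count unconditionally, whereas the removed code only copied it into mass_relabel_errs when mass_relabel was set, so the callee must gate on its first parameter before reporting the count in the audit record.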
diff --git a/policycoreutils.spec b/policycoreutils.spec
index 7eb97f1..1d33fc4 100644
--- a/policycoreutils.spec
+++ b/policycoreutils.spec
@@ -1,13 +1,13 @@
%define libauditver 1.4.2-1
-%define libsepolver 2.0.44-2
-%define libsemanagever 2.0.46-6
-%define libselinuxver 2.0.90-3
+%define libsepolver 2.1.0-1
+%define libsemanagever 2.1.0-0
+%define libselinuxver 2.1.0-1
%define sepolgenver 1.0.23
Summary: SELinux policy core utilities
Name: policycoreutils
-Version: 2.0.86
-Release: 18%{?dist}
+Version: 2.1.4
+Release: 1%{?dist}
License: GPLv2
Group: System Environment/Base
# Based on git repository with tag 20101221
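Review bot: the comment `# Based on git repository with tag 20101221` is left unchanged while Version moves from 2.0.86 to 2.1.4 (the 2011-08-17 upstream tarball), so it now describes a stale snapshot; update or drop it together with the version bump.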
@@ -184,7 +184,7 @@ The policycoreutils-sandbox package contains the scripts to create graphical san
%{_datadir}/sandbox/start
%attr(0755,root,root) %caps(cap_setpcap,cap_setuid,cap_fowner,cap_dac_override,cap_sys_admin,cap_sys_nice=pe) %{_sbindir}/seunshare
%{_mandir}/man8/seunshare.8*
-%{_mandir}/man5/sandbox.conf.5*
+%{_mandir}/man5/sandbox.5*
%triggerin python -- selinux-policy
selinuxenabled && [ -f /usr/share/selinux/devel/include/build.conf ] && /usr/bin/sepolgen-ifgen 2>/dev/null
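Review bot: renaming the %files entry from `sandbox.conf.5*` to `sandbox.5*` only succeeds if the 2.1.4 `make install` actually installs the man page under that name; an unmatched %files glob fails the rpmbuild, so verify the installed file name against the new tarball.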
@@ -349,6 +349,83 @@ fi
/bin/systemctl try-restart restorecond.service >/dev/null 2>&1 || :
%changelog
+* Thu Aug 18 2011 Dan Walsh <dwalsh at redhat.com> - 2.1.4-1
+-Update to upstream
+2.1.4 2011-08-17
+ * run_init: clarification of the usage in the
+ * semanage: fix usage header around booleans
+ * semanage: remove useless empty lines
+ * semanage: update man page with new examples
+ * semanage: update usage text
+ * semanage: introduce file context equivalencies
+ * semanage: enable and disable modules
+ * semanage: output all local modifications
+ * semanage: introduce extraction of local configuration
+ * semanage: cleanup error on invalid operation
+ * semanage: handle being called with no arguments
+ * semanage: return sooner to save CPU time
+ * semanage: surround getopt with try/except
+ * semanage: use define/raise instead of lots of
+ * semanage: some options are only valid for
+ * semanage: introduce better deleteall support
+ * semanage: do not allow spaces in file
+ * semanage: distinguish between builtin and local permissive
+ * semanage: centralized ip node handling
+ * setfiles: make the restore function exclude() non-static
+ * setfiles: use glob to handle ~ and
+ * fixfiles: do not hard code types
+ * fixfiles: stop trying to be smart about
+ * fixfiles: use new kernel seclabel option
+ * fixfiles: pipe everything to cat before sending
+ * fixfiles: introduce /etc/selinux/fixfiles_exclude_dirs
+ * semodule: support for alternative root paths
+
+2.1.3 2011-08-03
+ * semanage: fix indention
+ * semodule_package: fix man page typo
+ * semodule_expand: update man page with -a
+ * semanage: handle os errors
+ * semanage: fix traceback with bad options
+ * semanage: show usage on -h or --help
+ * semanage: introduce more deleteall options
+ * semanage: verify ports < 65536
+ * transaction into semanageRecords
+ * make get_handle a method of semanageRecords
+ * remove a needless blank line
+ * make process_one error if not initialized correctly
+ * fixfiles: correct usage for r_opts.rootpath
+ * put -p in help for restorecon and
+ * fixfiles: do not try to only label
+ * fixfiles clean up /var/run and /var/lib/debug
+ * fixfiles delete tmp sockets and pipes rather
+ * fixfile use find -delete instead of pipe
+ * chcat man page typo
+ * add man page for genhomedircon
+ * setfiles fix typo
+ * setsebool should inform users they need to
+ * setsebool typos
+ * open_init_tty man page typos
+ * Don't add user site directory to sys.path
+ * newrole retain CAP_SETPCAP
+
+2.1.2 2011-08-02
+ * seunshare: define _GNU_SOURCE earlier
+ * make ignore_enoent do something
+ * restorecond: first user logged in is not noticed
+ * Repo: update .gitignore
+
+2.1.1 2011-08-01
+ * Man page updates
+ * restorecon fix for bad inotify assumptions
+
+2.1.0 2011-07-27
+ * Release, minor version bump
+
+* Tue Jul 26 2011 Dan Walsh <dwalsh at redhat.com> 2.0.86-20
+- Fix sepolgen usage statement
+- Stop using -k insandbox
+- Fix seunshare usage statement
+
* Thu Jul 7 2011 Dan Walsh <dwalsh at redhat.com> 2.0.86-18
- Change seunshare to send kill signals to the childs session.
- Also add signal handler to catch sigint, so if user enters ctrl-C sandbox will shutdown.
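Review bot: several of the copied upstream changelog lines are cut off mid-sentence ("clarification of the usage in the", "use define/raise instead of lots of", "use glob to handle ~ and", "stop trying to be smart about", "do not try to only label"); complete them from the upstream ChangeLog or trim them to the subject of each commit. Style points: `+-Update to upstream` lacks the space after the dash that every other changelog entry uses, and the inserted `2.0.86-20` entry appears with no corresponding `-19` entry, so the release history jumps from 18 to 20 to 2.1.4-1.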
diff --git a/sources b/sources
index c65b198..53b109d 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,3 @@
49faa2e5f343317bcfcf34d7286f6037 sepolgen-1.0.23.tgz
59d33101d57378ce69889cc078addf90 policycoreutils_man_ru2.tar.bz2
-13d864a8a6f8a933ef7aee7baf4a9662 policycoreutils-2.0.86.tgz
+7e1e18c09798ffb44913bce3d60c667d policycoreutils-2.1.4.tgz