[policycoreutils/f14/master] - Fix sandbox to work on nfs homedirs - Fix error message to print out complete information in sandb
Daniel J Walsh
dwalsh at fedoraproject.org
Wed Feb 2 18:42:36 UTC 2011
commit e2fab69723022907e96a31e7998c88fd27789b52
Author: Dan Walsh <dwalsh at redhat.com>
Date: Wed Feb 2 13:42:30 2011 -0500
- Fix sandbox to work on nfs homedirs
- Fix error message to print out complete information in sandbox
policycoreutils-rhat.patch | 1227 +++++++++++++++++++++++++++++++++++++++-----
policycoreutils.spec | 6 +-
2 files changed, 1112 insertions(+), 121 deletions(-)
---
diff --git a/policycoreutils-rhat.patch b/policycoreutils-rhat.patch
index cf3d06a..c02e295 100644
--- a/policycoreutils-rhat.patch
+++ b/policycoreutils-rhat.patch
@@ -1,6 +1,6 @@
diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/audit2allow/audit2allow policycoreutils-2.0.83/audit2allow/audit2allow
--- nsapolicycoreutils/audit2allow/audit2allow 2010-06-16 08:04:13.000000000 -0400
-+++ policycoreutils-2.0.83/audit2allow/audit2allow 2011-01-04 17:17:10.000000000 -0500
++++ policycoreutils-2.0.83/audit2allow/audit2allow 2011-01-21 09:11:18.000000000 -0500
@@ -1,4 +1,4 @@
-#! /usr/bin/python -E
+#! /usr/bin/python -Es
@@ -121,7 +121,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
app = AuditToPolicy()
diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/audit2allow/audit2allow.1 policycoreutils-2.0.83/audit2allow/audit2allow.1
--- nsapolicycoreutils/audit2allow/audit2allow.1 2010-06-16 08:04:13.000000000 -0400
-+++ policycoreutils-2.0.83/audit2allow/audit2allow.1 2011-01-04 17:17:10.000000000 -0500
++++ policycoreutils-2.0.83/audit2allow/audit2allow.1 2011-01-21 09:11:18.000000000 -0500
@@ -1,5 +1,6 @@
.\" Hey, Emacs! This is an -*- nroff -*- source file.
.\" Copyright (c) 2005 Manoj Srivastava <srivasta at debian.org>
@@ -225,7 +225,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
.SH AUTHOR
diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/audit2allow/sepolgen-ifgen policycoreutils-2.0.83/audit2allow/sepolgen-ifgen
--- nsapolicycoreutils/audit2allow/sepolgen-ifgen 2010-06-16 08:04:13.000000000 -0400
-+++ policycoreutils-2.0.83/audit2allow/sepolgen-ifgen 2011-01-04 17:17:10.000000000 -0500
++++ policycoreutils-2.0.83/audit2allow/sepolgen-ifgen 2011-01-21 09:11:18.000000000 -0500
@@ -1,4 +1,4 @@
-#! /usr/bin/python -E
+#! /usr/bin/python -Es
@@ -321,7 +321,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/load_policy/load_policy.c policycoreutils-2.0.83/load_policy/load_policy.c
--- nsapolicycoreutils/load_policy/load_policy.c 2010-06-16 08:04:12.000000000 -0400
-+++ policycoreutils-2.0.83/load_policy/load_policy.c 2011-01-04 17:17:10.000000000 -0500
++++ policycoreutils-2.0.83/load_policy/load_policy.c 2011-01-21 09:11:18.000000000 -0500
@@ -23,6 +23,14 @@
exit(1);
}
@@ -369,7 +369,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
}
diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/load_policy/load_policy.c.disable policycoreutils-2.0.83/load_policy/load_policy.c.disable
--- nsapolicycoreutils/load_policy/load_policy.c.disable 1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.83/load_policy/load_policy.c.disable 2011-01-04 17:17:10.000000000 -0500
++++ policycoreutils-2.0.83/load_policy/load_policy.c.disable 2011-01-21 09:11:18.000000000 -0500
@@ -0,0 +1,106 @@
+#include <unistd.h>
+#include <stdlib.h>
@@ -479,7 +479,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
+}
diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/Makefile policycoreutils-2.0.83/Makefile
--- nsapolicycoreutils/Makefile 2010-06-16 08:04:11.000000000 -0400
-+++ policycoreutils-2.0.83/Makefile 2011-01-04 17:17:10.000000000 -0500
++++ policycoreutils-2.0.83/Makefile 2011-01-21 09:11:18.000000000 -0500
@@ -1,4 +1,4 @@
-SUBDIRS = setfiles semanage load_policy newrole run_init sandbox secon audit2allow audit2why scripts sestatus semodule_package semodule semodule_link semodule_expand semodule_deps setsebool po
+SUBDIRS = setfiles semanage semanage/default_encoding load_policy newrole run_init sandbox secon audit2allow audit2why scripts sestatus semodule_package semodule semodule_link semodule_expand semodule_deps sepolgen-ifgen setsebool po gui
@@ -488,7 +488,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/newrole/Makefile policycoreutils-2.0.83/newrole/Makefile
--- nsapolicycoreutils/newrole/Makefile 2010-06-16 08:04:12.000000000 -0400
-+++ policycoreutils-2.0.83/newrole/Makefile 2011-01-04 17:17:10.000000000 -0500
++++ policycoreutils-2.0.83/newrole/Makefile 2011-01-21 09:11:18.000000000 -0500
@@ -50,7 +50,7 @@
endif
ifeq (${IS_SUID},y)
@@ -500,7 +500,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
endif
diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/newrole/newrole.c policycoreutils-2.0.83/newrole/newrole.c
--- nsapolicycoreutils/newrole/newrole.c 2010-06-16 08:04:12.000000000 -0400
-+++ policycoreutils-2.0.83/newrole/newrole.c 2011-01-04 17:17:10.000000000 -0500
++++ policycoreutils-2.0.83/newrole/newrole.c 2011-01-21 09:11:18.000000000 -0500
@@ -77,7 +77,7 @@
#endif
#if defined(AUDIT_LOG_PRIV) || (NAMESPACE_PRIV)
@@ -690,7 +690,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
fprintf(stderr, _("Unable to restore the environment, "
diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/Makefile policycoreutils-2.0.83/restorecond/Makefile
--- nsapolicycoreutils/restorecond/Makefile 2010-06-16 08:04:13.000000000 -0400
-+++ policycoreutils-2.0.83/restorecond/Makefile 2011-01-04 17:17:10.000000000 -0500
++++ policycoreutils-2.0.83/restorecond/Makefile 2011-01-21 09:11:18.000000000 -0500
@@ -1,17 +1,28 @@
# Installation directories.
PREFIX ?= ${DESTDIR}/usr
@@ -739,14 +739,14 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
/sbin/restorecon $(SBINDIR)/restorecond
diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/org.selinux.Restorecond.service policycoreutils-2.0.83/restorecond/org.selinux.Restorecond.service
--- nsapolicycoreutils/restorecond/org.selinux.Restorecond.service 1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.83/restorecond/org.selinux.Restorecond.service 2011-01-04 17:17:10.000000000 -0500
++++ policycoreutils-2.0.83/restorecond/org.selinux.Restorecond.service 2011-01-21 09:11:18.000000000 -0500
@@ -0,0 +1,3 @@
+[D-BUS Service]
+Name=org.selinux.Restorecond
+Exec=/usr/sbin/restorecond -u
diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.8 policycoreutils-2.0.83/restorecond/restorecond.8
--- nsapolicycoreutils/restorecond/restorecond.8 2010-06-16 08:04:13.000000000 -0400
-+++ policycoreutils-2.0.83/restorecond/restorecond.8 2011-01-04 17:17:10.000000000 -0500
++++ policycoreutils-2.0.83/restorecond/restorecond.8 2011-01-21 09:11:18.000000000 -0500
@@ -3,7 +3,7 @@
restorecond \- daemon that watches for file creation and then sets the default SELinux file context
@@ -783,7 +783,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
.BR restorecon (8),
diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.c policycoreutils-2.0.83/restorecond/restorecond.c
--- nsapolicycoreutils/restorecond/restorecond.c 2010-06-16 08:04:13.000000000 -0400
-+++ policycoreutils-2.0.83/restorecond/restorecond.c 2011-01-04 17:19:23.000000000 -0500
++++ policycoreutils-2.0.83/restorecond/restorecond.c 2011-01-21 09:11:18.000000000 -0500
@@ -30,9 +30,11 @@
* and makes sure that there security context matches the systems defaults
*
@@ -1288,7 +1288,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.conf policycoreutils-2.0.83/restorecond/restorecond.conf
--- nsapolicycoreutils/restorecond/restorecond.conf 2010-06-16 08:04:13.000000000 -0400
-+++ policycoreutils-2.0.83/restorecond/restorecond.conf 2011-01-04 17:17:10.000000000 -0500
++++ policycoreutils-2.0.83/restorecond/restorecond.conf 2011-01-21 09:11:18.000000000 -0500
@@ -4,8 +4,5 @@
/etc/mtab
/var/run/utmp
@@ -1301,7 +1301,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
-
diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.desktop policycoreutils-2.0.83/restorecond/restorecond.desktop
--- nsapolicycoreutils/restorecond/restorecond.desktop 1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.83/restorecond/restorecond.desktop 2011-01-04 17:17:10.000000000 -0500
++++ policycoreutils-2.0.83/restorecond/restorecond.desktop 2011-01-21 09:11:18.000000000 -0500
@@ -0,0 +1,7 @@
+[Desktop Entry]
+Name=File Context maintainer
@@ -1312,7 +1312,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
+StartupNotify=false
diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.h policycoreutils-2.0.83/restorecond/restorecond.h
--- nsapolicycoreutils/restorecond/restorecond.h 2010-06-16 08:04:13.000000000 -0400
-+++ policycoreutils-2.0.83/restorecond/restorecond.h 2011-01-04 17:17:10.000000000 -0500
++++ policycoreutils-2.0.83/restorecond/restorecond.h 2011-01-21 09:11:18.000000000 -0500
@@ -24,7 +24,22 @@
#ifndef RESTORED_CONFIG_H
#define RESTORED_CONFIG_H
@@ -1340,7 +1340,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
#endif
diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.init policycoreutils-2.0.83/restorecond/restorecond.init
--- nsapolicycoreutils/restorecond/restorecond.init 2010-06-16 08:04:13.000000000 -0400
-+++ policycoreutils-2.0.83/restorecond/restorecond.init 2011-01-04 17:17:10.000000000 -0500
++++ policycoreutils-2.0.83/restorecond/restorecond.init 2011-01-21 09:11:18.000000000 -0500
@@ -26,7 +26,7 @@
# Source function library.
. /etc/rc.d/init.d/functions
@@ -1371,13 +1371,13 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
-
diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond_user.conf policycoreutils-2.0.83/restorecond/restorecond_user.conf
--- nsapolicycoreutils/restorecond/restorecond_user.conf 1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.83/restorecond/restorecond_user.conf 2011-01-04 17:17:10.000000000 -0500
++++ policycoreutils-2.0.83/restorecond/restorecond_user.conf 2011-01-21 09:11:18.000000000 -0500
@@ -0,0 +1,2 @@
+~/*
+~/public_html/*
diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/user.c policycoreutils-2.0.83/restorecond/user.c
--- nsapolicycoreutils/restorecond/user.c 1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.83/restorecond/user.c 2011-01-04 17:17:10.000000000 -0500
++++ policycoreutils-2.0.83/restorecond/user.c 2011-01-21 09:11:18.000000000 -0500
@@ -0,0 +1,239 @@
+/*
+ * restorecond
@@ -1620,7 +1620,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
+
diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/utmpwatcher.c policycoreutils-2.0.83/restorecond/utmpwatcher.c
--- nsapolicycoreutils/restorecond/utmpwatcher.c 2010-06-16 08:04:13.000000000 -0400
-+++ policycoreutils-2.0.83/restorecond/utmpwatcher.c 2011-01-04 17:17:10.000000000 -0500
++++ policycoreutils-2.0.83/restorecond/utmpwatcher.c 2011-01-21 09:11:18.000000000 -0500
@@ -72,8 +72,8 @@
if (utmp_wd == -1)
exitApp("Error watching utmp file.");
@@ -1633,7 +1633,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
return changed;
diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/watch.c policycoreutils-2.0.83/restorecond/watch.c
--- nsapolicycoreutils/restorecond/watch.c 1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.83/restorecond/watch.c 2011-01-04 17:17:10.000000000 -0500
++++ policycoreutils-2.0.83/restorecond/watch.c 2011-01-21 09:11:18.000000000 -0500
@@ -0,0 +1,260 @@
+#define _GNU_SOURCE
+#include <sys/inotify.h>
@@ -1897,7 +1897,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
+}
diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/deliverables/basicwrapper policycoreutils-2.0.83/sandbox/deliverables/basicwrapper
--- nsapolicycoreutils/sandbox/deliverables/basicwrapper 1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.83/sandbox/deliverables/basicwrapper 2011-01-04 17:17:10.000000000 -0500
++++ policycoreutils-2.0.83/sandbox/deliverables/basicwrapper 2011-01-21 09:11:18.000000000 -0500
@@ -0,0 +1,4 @@
+import os, sys
+SANDBOX_ARGS = ['-f%s' % os.environ['_CONDOR_SCRATCH_DIR']]
@@ -1905,7 +1905,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
+os.execv('/usr/bin/sandbox',SANDBOX_ARGS)
diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/deliverables/README policycoreutils-2.0.83/sandbox/deliverables/README
--- nsapolicycoreutils/sandbox/deliverables/README 1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.83/sandbox/deliverables/README 2011-01-04 17:17:10.000000000 -0500
++++ policycoreutils-2.0.83/sandbox/deliverables/README 2011-01-21 09:11:18.000000000 -0500
@@ -0,0 +1,32 @@
+Files:
+run-in-sandbox.py:
@@ -1941,7 +1941,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
+Chris Pardy
diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/deliverables/run-in-sandbox.py policycoreutils-2.0.83/sandbox/deliverables/run-in-sandbox.py
--- nsapolicycoreutils/sandbox/deliverables/run-in-sandbox.py 1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.83/sandbox/deliverables/run-in-sandbox.py 2011-01-04 17:17:10.000000000 -0500
++++ policycoreutils-2.0.83/sandbox/deliverables/run-in-sandbox.py 2011-01-21 09:11:18.000000000 -0500
@@ -0,0 +1,49 @@
+import os
+import os.path
@@ -1994,8 +1994,8 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
+
diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/Makefile policycoreutils-2.0.83/sandbox/Makefile
--- nsapolicycoreutils/sandbox/Makefile 2010-06-16 08:04:12.000000000 -0400
-+++ policycoreutils-2.0.83/sandbox/Makefile 2011-01-04 17:17:10.000000000 -0500
-@@ -7,8 +7,8 @@
++++ policycoreutils-2.0.83/sandbox/Makefile 2011-02-02 13:37:18.000000000 -0500
+@@ -7,10 +7,10 @@
MANDIR ?= $(PREFIX)/share/man
LOCALEDIR ?= /usr/share/locale
SHAREDIR ?= $(PREFIX)/share/sandbox
@@ -2004,9 +2004,12 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
+override CFLAGS += $(LDFLAGS) -I$(PREFIX)/include -DPACKAGE="\"policycoreutils\"" -Wall -Werror -Wextra
+LDLIBS += -lcgroup -lselinux -lcap-ng
- all: sandbox seunshare sandboxX.sh
+-all: sandbox seunshare sandboxX.sh
++all: sandbox seunshare sandboxX.sh start
-@@ -20,6 +20,9 @@
+ seunshare: seunshare.o $(EXTRA_OBJS)
+ $(CC) $(LDFLAGS) -o $@ $^ $(LDLIBS)
+@@ -20,14 +20,18 @@
install -m 755 sandbox $(BINDIR)
-mkdir -p $(MANDIR)/man8
install -m 644 sandbox.8 $(MANDIR)/man8/
@@ -2016,7 +2019,8 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
-mkdir -p $(SBINDIR)
install -m 4755 seunshare $(SBINDIR)/
-mkdir -p $(SHAREDIR)
-@@ -27,7 +30,7 @@
+ install -m 755 sandboxX.sh $(SHAREDIR)
++ install -m 755 start $(SHAREDIR)
-mkdir -p $(INITDIR)
install -m 755 sandbox.init $(INITDIR)/sandbox
-mkdir -p $(SYSCONFDIR)
@@ -2027,7 +2031,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
@python test_sandbox.py -v
diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/sandbox policycoreutils-2.0.83/sandbox/sandbox
--- nsapolicycoreutils/sandbox/sandbox 2010-06-16 08:04:12.000000000 -0400
-+++ policycoreutils-2.0.83/sandbox/sandbox 2011-01-04 17:17:10.000000000 -0500
++++ policycoreutils-2.0.83/sandbox/sandbox 2011-02-02 13:37:08.000000000 -0500
@@ -1,5 +1,6 @@
-#! /usr/bin/python -E
+#! /usr/bin/python -Es
@@ -2265,9 +2269,18 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
selinux.setexeccon(self.__execcon)
rc = subprocess.Popen(self.__cmds).wait()
+@@ -404,7 +447,7 @@
+ sandbox = Sandbox()
+ rc = sandbox.main()
+ except OSError, error:
+- error_exit(error.args[1])
++ error_exit(error)
+ except ValueError, error:
+ error_exit(error.args[0])
+ except KeyError, error:
diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/sandbox.8 policycoreutils-2.0.83/sandbox/sandbox.8
--- nsapolicycoreutils/sandbox/sandbox.8 2010-06-16 08:04:12.000000000 -0400
-+++ policycoreutils-2.0.83/sandbox/sandbox.8 2011-01-04 17:17:10.000000000 -0500
++++ policycoreutils-2.0.83/sandbox/sandbox.8 2011-01-21 09:11:18.000000000 -0500
@@ -1,10 +1,13 @@
-.TH SANDBOX "8" "May 2009" "chcat" "User Commands"
+.TH SANDBOX "8" "May 2010" "sandbox" "User Commands"
@@ -2319,7 +2332,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
+.I Thomas Liu <tliu at fedoraproject.org>
diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/sandbox.conf policycoreutils-2.0.83/sandbox/sandbox.conf
--- nsapolicycoreutils/sandbox/sandbox.conf 1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.83/sandbox/sandbox.conf 2011-01-04 17:17:10.000000000 -0500
++++ policycoreutils-2.0.83/sandbox/sandbox.conf 2011-01-21 09:11:18.000000000 -0500
@@ -0,0 +1,7 @@
+# Space separate list of homedirs
+HOMEDIRS="/home"
@@ -2330,7 +2343,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
+CPUUSAGE=80%
diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/sandbox.conf.5 policycoreutils-2.0.83/sandbox/sandbox.conf.5
--- nsapolicycoreutils/sandbox/sandbox.conf.5 1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.83/sandbox/sandbox.conf.5 2011-01-04 17:17:10.000000000 -0500
++++ policycoreutils-2.0.83/sandbox/sandbox.conf.5 2011-01-21 09:11:18.000000000 -0500
@@ -0,0 +1,40 @@
+.TH sandbox.conf "5" "June 2010" "sandbox.conf" "Linux System Administration"
+.SH NAME
@@ -2374,7 +2387,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
+.I Thomas Liu <tliu at fedoraproject.org>
diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/sandbox.init policycoreutils-2.0.83/sandbox/sandbox.init
--- nsapolicycoreutils/sandbox/sandbox.init 2010-06-16 08:04:12.000000000 -0400
-+++ policycoreutils-2.0.83/sandbox/sandbox.init 2011-01-04 17:17:10.000000000 -0500
++++ policycoreutils-2.0.83/sandbox/sandbox.init 2011-01-21 09:11:18.000000000 -0500
@@ -10,17 +10,12 @@
#
# chkconfig: 345 1 99
@@ -2401,8 +2414,8 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
# Source function library.
diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/sandboxX.sh policycoreutils-2.0.83/sandbox/sandboxX.sh
--- nsapolicycoreutils/sandbox/sandboxX.sh 2010-06-16 08:04:12.000000000 -0400
-+++ policycoreutils-2.0.83/sandbox/sandboxX.sh 2011-01-04 17:17:10.000000000 -0500
-@@ -1,13 +1,26 @@
++++ policycoreutils-2.0.83/sandbox/sandboxX.sh 2011-02-02 13:36:54.000000000 -0500
+@@ -1,13 +1,17 @@
#!/bin/bash
context=`id -Z | secon -t -l -P`
export TITLE="Sandbox $context -- `grep ^#TITLE: ~/.sandboxrc | /usr/bin/cut -b8-80`"
@@ -2418,23 +2431,14 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
+#!/bin/sh
+DISPLAY=$DISPLAY "\$@"
+__EOF
-+chmod +x ~/seremote
-+ python << __EOF
-+import gtk, os, commands
-+rc = [-1,'']
-+try:
-+ rc=commands.getstatusoutput("%s/.sandboxrc" % os.environ["HOME"])
-+except:
-+ pass
-+if rc[0] == 0:
-+ print rc[1]
-+__EOF
++ chmod +x ~/seremote
++ /usr/share/sandbox/start $HOME/.sandboxrc
export EXITCODE=$?
kill -HUP 0
break
diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/seunshare.8 policycoreutils-2.0.83/sandbox/seunshare.8
--- nsapolicycoreutils/sandbox/seunshare.8 1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.83/sandbox/seunshare.8 2011-01-04 17:17:10.000000000 -0500
++++ policycoreutils-2.0.83/sandbox/seunshare.8 2011-02-02 13:36:29.000000000 -0500
@@ -0,0 +1,37 @@
+.TH SEUNSHARE "8" "May 2010" "seunshare" "User Commands"
+.SH NAME
@@ -2454,7 +2458,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
+Alternate homedir to be used by the application. Homedir must be owned by the user.
+.TP
+\fB\-t\ tmpdir
-+Use alternate tempory directory to mount on /tmp. tmpdir must be owned by the user.
++Use alternate temporary directory to mount on /tmp. tmpdir must be owned by the user.
+.TP
+\fB\-c cgroups\fR
+Use cgroups to control this copy of seunshare. Specify parameters in /etc/sysconfig/sandbox. Max memory usage and cpu usage are to be specified in percent. You can specify which CPUs to use by numbering them 0,1,2... etc.
@@ -2475,8 +2479,8 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
+.I Thomas Liu <tliu at fedoraproject.org>
diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/seunshare.c policycoreutils-2.0.83/sandbox/seunshare.c
--- nsapolicycoreutils/sandbox/seunshare.c 2010-06-16 08:04:12.000000000 -0400
-+++ policycoreutils-2.0.83/sandbox/seunshare.c 2011-01-04 17:17:10.000000000 -0500
-@@ -1,13 +1,21 @@
++++ policycoreutils-2.0.83/sandbox/seunshare.c 2011-02-02 13:36:09.000000000 -0500
+@@ -1,28 +1,34 @@
+/*
+ * Authors: Dan Walsh <dwalsh at redhat.com>
+ * Authors: Thomas Liu <tliu at fedoraproject.org>
@@ -2497,9 +2501,10 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
#include <stdio.h>
+#include <regex.h>
#include <unistd.h>
++#include <sys/fsuid.h>
#include <stdlib.h>
#include <cap-ng.h>
-@@ -15,14 +23,11 @@
+ #include <getopt.h> /* for getopt_long() form of getopt() */
#include <limits.h>
#include <stdlib.h>
#include <errno.h>
@@ -2515,7 +2520,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
#ifdef USE_NLS
#include <locale.h> /* for setlocale() */
#include <libintl.h> /* for gettext() */
-@@ -39,6 +44,12 @@
+@@ -39,6 +45,12 @@
#define MS_PRIVATE 1<<18
#endif
@@ -2528,7 +2533,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
/**
* This function will drop all capabilities
* Returns zero on success, non-zero otherwise
-@@ -46,9 +57,9 @@
+@@ -46,9 +58,9 @@
static int drop_capabilities(uid_t uid)
{
capng_clear(CAPNG_SELECT_BOTH);
@@ -2539,7 +2544,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
/* Change uid */
if (setresuid(uid, uid, uid)) {
fprintf(stderr, _("Error changing uid, aborting.\n"));
-@@ -134,42 +145,98 @@
+@@ -134,42 +146,98 @@
static int seunshare_mount(const char *src, const char *dst, struct passwd *pwd) {
if (verbose)
printf("Mount %s on %s\n", src, dst);
@@ -2643,10 +2648,15 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
{NULL, 0, 0, 0}
};
-@@ -180,6 +247,12 @@
+@@ -180,6 +248,17 @@
return -1;
}
++ if (setfsuid(uid) < 0) {
++ fprintf(stderr, _("setfsuid failed. %s"), strerror(errno));
++ return -1;
++ }
++
+#ifdef USE_NLS
+ setlocale(LC_ALL, "");
+ bindtextdomain(PACKAGE, LOCALEDIR);
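Review bot: The new `if (setfsuid(uid) < 0)` check cannot detect a failed switch: setfsuid() has no error return and yields the previous filesystem UID on success and failure alike, so the condition is never true, `strerror(errno)` reports a stale errno, and the later homedir/tmpdir checks would silently run with the old fsuid. The documented way to verify is a second call whose return must equal the requested value: `setfsuid(uid); if ((uid_t)setfsuid(uid) != uid) { fprintf(stderr, _("setfsuid failed.\n")); return -1; }` — note the original message also lacks its trailing newline. Switching the fsuid before argument parsing is a reasonable fix for the NFS root_squash case the commit targets, but seunshare is installed setuid root (mode 4755 in the sandbox Makefile), so the check should actually fire when it matters. The enclosing main() and the point where `uid` is assigned are outside this hunk.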
@@ -2656,7 +2666,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
struct passwd *pwd=getpwuid(uid);
if (!pwd) {
perror(_("getpwduid failed"));
-@@ -192,30 +265,30 @@
+@@ -192,30 +271,30 @@
}
while (1) {
@@ -2696,7 +2706,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
default:
fprintf(stderr, "%s\n", USAGE_STRING);
return -1;
-@@ -223,21 +296,179 @@
+@@ -223,21 +302,179 @@
}
if (! homedir_s && ! tmpdir_s) {
@@ -2882,7 +2892,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
if (unshare(CLONE_NEWNS) < 0) {
perror(_("Failed to unshare"));
-@@ -286,11 +517,13 @@
+@@ -286,11 +523,13 @@
exit(-1);
}
@@ -2901,7 +2911,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
}
if (display)
-@@ -305,17 +538,14 @@
+@@ -305,17 +544,14 @@
perror(_("Failed to change dir to homedir"));
exit(-1);
}
@@ -2920,9 +2930,22 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
-
return status;
}
+diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/start policycoreutils-2.0.83/sandbox/start
+--- nsapolicycoreutils/sandbox/start 1969-12-31 19:00:00.000000000 -0500
++++ policycoreutils-2.0.83/sandbox/start 2011-02-02 13:38:12.000000000 -0500
+@@ -0,0 +1,9 @@
++#! /usr/bin/python -Es
++import gtk, commands, sys
++rc = [-1,'']
++try:
++ rc=commands.getstatusoutput(sys.argv[1])
++except:
++ pass
++if rc[0] == 0:
++ print rc[1]
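Review bot: The new `start` script never propagates the result of the command it runs: `rc` is only consulted to decide whether to print, so the script exits 0 even when `~/.sandboxrc` fails or when `sys.argv[1]` is missing (that IndexError is swallowed by the bare `except`), and the `EXITCODE=$?` sandboxX.sh takes from this call is therefore always 0. Ending the script with `sys.exit(0 if rc[0] == 0 else 1)` keeps the current output behaviour while reporting failure, and narrowing the bare except to the errors commands.getstatusoutput can raise would let a missing argument surface instead of being hidden. `gtk` is imported but never referenced; if the import is there for a side effect, a one-line comment such as `# imported for its side effect on the sandbox display — do not remove` would stop the next reader from deleting it. Note also that commands.getstatusoutput hands its argument to a shell, so argv[1] is executed as a shell command line, not as a bare path.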
diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/chcat policycoreutils-2.0.83/scripts/chcat
--- nsapolicycoreutils/scripts/chcat 2010-06-16 08:04:12.000000000 -0400
-+++ policycoreutils-2.0.83/scripts/chcat 2011-01-04 17:17:10.000000000 -0500
++++ policycoreutils-2.0.83/scripts/chcat 2011-01-21 09:11:18.000000000 -0500
@@ -1,4 +1,4 @@
-#! /usr/bin/python -E
+#! /usr/bin/python -Es
@@ -2931,7 +2954,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
#
diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/fixfiles policycoreutils-2.0.83/scripts/fixfiles
--- nsapolicycoreutils/scripts/fixfiles 2010-06-16 08:04:12.000000000 -0400
-+++ policycoreutils-2.0.83/scripts/fixfiles 2011-01-04 17:19:36.000000000 -0500
++++ policycoreutils-2.0.83/scripts/fixfiles 2011-01-21 09:11:18.000000000 -0500
@@ -21,6 +21,25 @@
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
@@ -3033,7 +3056,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/genhomedircon.8 policycoreutils-2.0.83/scripts/genhomedircon.8
--- nsapolicycoreutils/scripts/genhomedircon.8 1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.83/scripts/genhomedircon.8 2011-01-04 17:17:10.000000000 -0500
++++ policycoreutils-2.0.83/scripts/genhomedircon.8 2011-01-21 09:11:18.000000000 -0500
@@ -0,0 +1,37 @@
+.\" Hey, Emacs! This is an -*- nroff -*- source file.
+.\" Copyright (c) 2010 Dan Walsh <dwalsh at redhat.com>
@@ -3074,7 +3097,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
+.I Dan Walsh <dwalsh at redhat.com>
diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/Makefile policycoreutils-2.0.83/scripts/Makefile
--- nsapolicycoreutils/scripts/Makefile 2010-06-16 08:04:12.000000000 -0400
-+++ policycoreutils-2.0.83/scripts/Makefile 2011-01-04 17:17:10.000000000 -0500
++++ policycoreutils-2.0.83/scripts/Makefile 2011-01-21 09:11:18.000000000 -0500
@@ -14,6 +14,7 @@
install -m 755 genhomedircon $(SBINDIR)
-mkdir -p $(MANDIR)/man8
@@ -3085,7 +3108,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
clean:
diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/severify.py policycoreutils-2.0.83/scripts/severify.py
--- nsapolicycoreutils/scripts/severify.py 1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.83/scripts/severify.py 2011-01-04 17:17:10.000000000 -0500
++++ policycoreutils-2.0.83/scripts/severify.py 2011-01-21 09:11:18.000000000 -0500
@@ -0,0 +1,21 @@
+#! /usr/bin/python -Es
+import seobject
@@ -3110,7 +3133,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
+
diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/default_encoding/default_encoding.c policycoreutils-2.0.83/semanage/default_encoding/default_encoding.c
--- nsapolicycoreutils/semanage/default_encoding/default_encoding.c 1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.83/semanage/default_encoding/default_encoding.c 2011-01-04 17:17:10.000000000 -0500
++++ policycoreutils-2.0.83/semanage/default_encoding/default_encoding.c 2011-01-21 09:11:18.000000000 -0500
@@ -0,0 +1,59 @@
+/*
+ * Authors:
@@ -3173,7 +3196,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
+}
diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/default_encoding/Makefile policycoreutils-2.0.83/semanage/default_encoding/Makefile
--- nsapolicycoreutils/semanage/default_encoding/Makefile 1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.83/semanage/default_encoding/Makefile 2011-01-04 17:17:10.000000000 -0500
++++ policycoreutils-2.0.83/semanage/default_encoding/Makefile 2011-01-21 09:11:18.000000000 -0500
@@ -0,0 +1,8 @@
+all:
+ LDFLAGS="" python setup.py build
@@ -3185,7 +3208,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
+ rm -rf build *~
diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/default_encoding/policycoreutils/__init__.py policycoreutils-2.0.83/semanage/default_encoding/policycoreutils/__init__.py
--- nsapolicycoreutils/semanage/default_encoding/policycoreutils/__init__.py 1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.83/semanage/default_encoding/policycoreutils/__init__.py 2011-01-04 17:17:10.000000000 -0500
++++ policycoreutils-2.0.83/semanage/default_encoding/policycoreutils/__init__.py 2011-01-21 09:11:18.000000000 -0500
@@ -0,0 +1,17 @@
+#
+# Copyright (C) 2006,2007,2008, 2009 Red Hat, Inc.
@@ -3206,7 +3229,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
+#
diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/default_encoding/setup.py policycoreutils-2.0.83/semanage/default_encoding/setup.py
--- nsapolicycoreutils/semanage/default_encoding/setup.py 1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.83/semanage/default_encoding/setup.py 2011-01-04 17:17:10.000000000 -0500
++++ policycoreutils-2.0.83/semanage/default_encoding/setup.py 2011-01-21 09:11:18.000000000 -0500
@@ -0,0 +1,38 @@
+# Authors:
+# John Dennis <jdennis at redhat.com>
@@ -3248,7 +3271,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
+)
diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/semanage policycoreutils-2.0.83/semanage/semanage
--- nsapolicycoreutils/semanage/semanage 2010-06-16 08:04:12.000000000 -0400
-+++ policycoreutils-2.0.83/semanage/semanage 2011-01-04 17:18:01.000000000 -0500
++++ policycoreutils-2.0.83/semanage/semanage 2011-01-21 09:11:19.000000000 -0500
@@ -1,4 +1,4 @@
-#! /usr/bin/python -E
+#! /usr/bin/python -Es
@@ -3396,23 +3419,70 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
object = argv[0]
option_dict=get_options()
if object not in option_dict.keys():
-@@ -197,10 +222,14 @@
+@@ -196,58 +221,84 @@
+
args = argv[1:]
- gopts, cmds = getopt.getopt(args,
+- gopts, cmds = getopt.getopt(args,
- '01adf:i:lhmnp:s:FCDR:L:r:t:P:S:M:',
-+ '01adEe:f:i:lhmnp:s:FCDR:L:r:t:P:S:M:',
- ['add',
- 'delete',
- 'deleteall',
-+ 'equal=',
-+ 'enable',
-+ 'extract',
-+ 'disable',
- 'ftype=',
- 'file',
- 'help',
-@@ -225,29 +254,47 @@
+- ['add',
+- 'delete',
+- 'deleteall',
+- 'ftype=',
+- 'file',
+- 'help',
+- 'input=',
+- 'list',
+- 'modify',
+- 'noheading',
+- 'localist',
+- 'off',
+- 'on',
+- 'proto=',
+- 'seuser=',
+- 'store=',
+- 'range=',
+- 'locallist=',
+- 'level=',
+- 'roles=',
+- 'type=',
+- 'prefix=',
+- 'mask='
+- ])
++ try:
++ gopts, cmds = getopt.getopt(args,
++ '01adEe:f:i:lhmnp:s:FCDR:L:r:t:P:S:M:',
++ ['add',
++ 'delete',
++ 'deleteall',
++ 'equal=',
++ 'enable',
++ 'extract',
++ 'disable',
++ 'ftype=',
++ 'file',
++ 'help',
++ 'input=',
++ 'list',
++ 'modify',
++ 'noheading',
++ 'localist',
++ 'off',
++ 'on',
++ 'proto=',
++ 'seuser=',
++ 'store=',
++ 'range=',
++ 'locallist=',
++ 'level=',
++ 'roles=',
++ 'type=',
++ 'prefix=',
++ 'mask='
++ ])
++ except getopt.error, error:
++ usage(_("Options Error %s ") % error.msg)
++
for o, a in gopts:
if o not in option_dict[object]:
sys.stderr.write(_("%s not valid for %s objects\n") % ( o, object) );
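Review bot: The new `try`/`except getopt.error` around the `getopt.getopt` call in process_args is repeated verbatim, handler included, around the top-level `getopt.getopt` call later in this patch, while the single outer `except getopt.error` that previously covered both is dropped in the `@@ -3670,7 +3773,15 @@` hunk. If the motivation is that process_args is also reached per line from the `-i` input loop and the error should identify the offending line, the local handler should say which line failed, e.g. `usage(_("Options Error %s ") % error.msg + " ".join(argv))`; otherwise a single shared handler is less to keep in sync. process_args starts outside this hunk.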
@@ -3467,7 +3537,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
if o == "-n" or o == "--noheading":
heading = False
-@@ -256,8 +303,7 @@
+@@ -256,8 +307,7 @@
locallist = True
if o == "-m"or o == "--modify":
@@ -3477,7 +3547,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
modify = True
if o == "-S" or o == '--store':
-@@ -292,8 +338,10 @@
+@@ -292,8 +342,10 @@
if o == "--on" or o == "-1":
value = "on"
@@ -3488,7 +3558,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
if object == "login":
OBJECT = seobject.loginRecords(store)
-@@ -315,6 +363,11 @@
+@@ -315,6 +367,11 @@
if object == "boolean":
OBJECT = seobject.booleanRecords(store)
@@ -3500,7 +3570,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
if object == "permissive":
OBJECT = seobject.permissiveRecords(store)
-@@ -330,65 +383,97 @@
+@@ -330,65 +387,97 @@
OBJECT.deleteall()
return
@@ -3610,7 +3680,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
if delete:
if object == "port":
OBJECT.delete(target, proto)
-@@ -401,15 +486,14 @@
+@@ -401,50 +490,65 @@
else:
OBJECT.delete(target)
@@ -3628,32 +3698,65 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
input = None
store = ""
-@@ -417,7 +501,7 @@
+ if len(sys.argv) < 3:
usage(_("Requires 2 or more arguments"))
- gopts, cmds = getopt.getopt(sys.argv[1:],
+- gopts, cmds = getopt.getopt(sys.argv[1:],
- '01adf:i:lhmnp:s:FCDR:L:r:t:T:P:S:',
-+ '01adf:i:lhmno:p:s:FCDR:L:r:t:T:P:S:',
- ['add',
- 'delete',
- 'deleteall',
-@@ -431,6 +515,7 @@
- 'localist',
- 'off',
- 'on',
-+ 'output=',
- 'proto=',
- 'seuser=',
- 'store=',
-@@ -438,6 +523,7 @@
- 'level=',
- 'roles=',
- 'type=',
-+ 'trans=',
- 'prefix='
- ])
+- ['add',
+- 'delete',
+- 'deleteall',
+- 'ftype=',
+- 'file',
+- 'help',
+- 'input=',
+- 'list',
+- 'modify',
+- 'noheading',
+- 'localist',
+- 'off',
+- 'on',
+- 'proto=',
+- 'seuser=',
+- 'store=',
+- 'range=',
+- 'level=',
+- 'roles=',
+- 'type=',
+- 'prefix='
+- ])
++ try:
++ gopts, cmds = getopt.getopt(sys.argv[1:],
++ '01adf:i:lhmno:p:s:FCDR:L:r:t:T:P:S:',
++ ['add',
++ 'delete',
++ 'deleteall',
++ 'ftype=',
++ 'file',
++ 'help',
++ 'input=',
++ 'list',
++ 'modify',
++ 'noheading',
++ 'localist',
++ 'off',
++ 'on',
++ 'output=',
++ 'proto=',
++ 'seuser=',
++ 'store=',
++ 'range=',
++ 'level=',
++ 'roles=',
++ 'type=',
++ 'trans=',
++ 'prefix='
++ ])
++ except getopt.error, error:
++ usage(_("Options Error %s ") % error.msg)
++
for o, a in gopts:
-@@ -445,6 +531,16 @@
+ if o == "-S" or o == '--store':
store = a
if o == "-i" or o == '--input':
input = a
@@ -3670,7 +3773,15 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
if input != None:
if input == "-":
-@@ -467,3 +563,5 @@
+@@ -459,11 +563,11 @@
+ else:
+ process_args(sys.argv[1:])
+
+- except getopt.error, error:
+- usage(_("Options Error %s ") % error.msg)
+ except ValueError, error:
+ errorExit(error.args[0])
+ except KeyError, error:
errorExit(_("Invalid value %s") % error.args[0])
except IOError, error:
errorExit(error.args[1])
@@ -3678,7 +3789,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
+ errorExit(error.args[1])
diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/semanage.8 policycoreutils-2.0.83/semanage/semanage.8
--- nsapolicycoreutils/semanage/semanage.8 2010-06-16 08:04:12.000000000 -0400
-+++ policycoreutils-2.0.83/semanage/semanage.8 2011-01-04 17:17:10.000000000 -0500
++++ policycoreutils-2.0.83/semanage/semanage.8 2011-01-21 09:11:18.000000000 -0500
@@ -1,29 +1,69 @@
-.TH "semanage" "8" "2005111103" "" ""
+.TH "semanage" "8" "20100223" "" ""
@@ -3885,9 +3996,580 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
+and Russell Coker <rcoker at redhat.com>.
+.br
Examples by Thomas Bleher <ThomasBleher at gmx.de>.
+diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/semanage.f15 policycoreutils-2.0.83/semanage/semanage.f15
+--- nsapolicycoreutils/semanage/semanage.f15 1969-12-31 19:00:00.000000000 -0500
++++ policycoreutils-2.0.83/semanage/semanage.f15 2011-01-21 09:11:18.000000000 -0500
+@@ -0,0 +1,567 @@
++#! /usr/bin/python -Es
++# Copyright (C) 2005, 2006, 2007 Red Hat
++# see file 'COPYING' for use and warranty information
++#
++# semanage is a tool for managing SELinux configuration files
++#
++# This program is free software; you can redistribute it and/or
++# modify it under the terms of the GNU General Public License as
++# published by the Free Software Foundation; either version 2 of
++# the License, or (at your option) any later version.
++#
++# This program is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++# GNU General Public License for more details.
++#
++# You should have received a copy of the GNU General Public License
++# along with this program; if not, write to the Free Software
++# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
++# 02111-1307 USA
++#
++#
++import policycoreutils.default_encoding_utf8
++import sys, getopt, re
++import seobject
++import selinux
++PROGNAME="policycoreutils"
++
++import gettext
++gettext.bindtextdomain(PROGNAME, "/usr/share/locale")
++gettext.textdomain(PROGNAME)
++
++try:
++ gettext.install(PROGNAME,
++ localedir="/usr/share/locale",
++ unicode=True,
++ codeset = 'utf-8')
++except IOError:
++ import __builtin__
++ __builtin__.__dict__['_'] = unicode
++
++if __name__ == '__main__':
++ action = False
++ manageditems=[ "boolean", "login", "user", "port", "interface", "node", "fcontext"]
++ def set_action(option):
++ global action
++ if action:
++ raise ValueError(_("%s bad option") % option)
++ action = True
++
++ def usage(message = ""):
++ text = _("""
++semanage [ -S store ] -i [ input_file | - ]
++semanage [ -S store ] -o [ output_file | - ]
++
++semanage login -{a|d|m|l|D|E} [-nrs] login_name | %groupname
++semanage user -{a|d|m|l|D|E} [-LnrRP] selinux_name
++semanage port -{a|d|m|l|D|E} [-nrt] [ -p proto ] port | port_range
++semanage interface -{a|d|m|l|D|E} [-nrt] interface_spec
++semanage module -{a|d|m} [--enable|--disable] module
++semanage node -{a|d|m|l|D|E} [-nrt] [ -p protocol ] [-M netmask] addr
++semanage fcontext -{a|d|m|l|D|E} [-efnrst] file_spec
++semanage boolean -{d|m} [--on|--off|-1|-0] -F boolean | boolean_file
++semanage permissive -{d|a|l} [-n] type
++semanage dontaudit [ on | off ]
++
++Primary Options:
++
++ -a, --add Add a OBJECT record NAME
++ -d, --delete Delete a OBJECT record NAME
++ -m, --modify Modify a OBJECT record NAME
++ -i, --input Input multiple semange commands in a transaction
++ -o, --output Output current customizations as semange commands
++ -l, --list List the OBJECTS
++ -E, --extract extract customizable commands
++ -C, --locallist List OBJECTS local customizations
++ -D, --deleteall Remove all OBJECTS local customizations
++
++ -h, --help Display this message
++ -n, --noheading Do not print heading when listing OBJECTS
++ -S, --store Select and alternate SELinux store to manage
++
++Object-specific Options (see above):
++
++ -f, --ftype File Type of OBJECT
++ "" (all files)
++ -- (regular file)
++ -d (directory)
++ -c (character device)
++ -b (block device)
++ -s (socket)
++ -l (symbolic link)
++ -p (named pipe)
++
++ -F, --file Treat target as an input file for command, change multiple settings
++ -p, --proto Port protocol (tcp or udp) or internet protocol version of node (ipv4 or ipv6)
++ -M, --mask Netmask
++ -e, --equal Substitue source path for dest path when labeling
++ -P, --prefix Prefix for home directory labeling
++ -L, --level Default SELinux Level (MLS/MCS Systems only)
++ -R, --roles SELinux Roles (ex: "sysadm_r staff_r")
++ -s, --seuser SELinux User Name
++ -t, --type SELinux Type for the object
++ -r, --range MLS/MCS Security Range (MLS/MCS Systems only)
++ --enable Enable a module
++ --disable Disable a module
++""")
++ raise ValueError("%s\n%s" % (text, message))
++
++ def errorExit(error):
++ sys.stderr.write("%s: " % sys.argv[0])
++ sys.stderr.write("%s\n" % error)
++ sys.stderr.flush()
++ sys.exit(1)
++
++ def get_options():
++ valid_option={}
++ valid_everyone=[ '-a', '--add', '-d', '--delete', '-m', '--modify', '-l', '--list', '-h', '--help', '-n', '--noheading', '-S', '--store' ]
++ valid_local=[ '-E', '--extract', '-C', '--locallist', '-D', '--deleteall']
++ valid_option["login"] = []
++ valid_option["login"] += valid_everyone + valid_local + [ '-s', '--seuser', '-r', '--range']
++ valid_option["user"] = []
++ valid_option["user"] += valid_everyone + valid_local + [ '-L', '--level', '-r', '--range', '-R', '--roles', '-P', '--prefix' ]
++ valid_option["port"] = []
++ valid_option["port"] += valid_everyone + valid_local + [ '-t', '--type', '-r', '--range', '-p', '--proto' ]
++ valid_option["interface"] = []
++ valid_option["interface"] += valid_everyone + valid_local + [ '-t', '--type', '-r', '--range']
++ valid_option["node"] = []
++ valid_option["node"] += valid_everyone + valid_local + [ '-M', '--mask', '-t', '--type', '-r', '--range', '-p', '--protocol']
++ valid_option["module"] = []
++ valid_option["module"] += valid_everyone + [ '--enable', '--disable']
++ valid_option["fcontext"] = []
++ valid_option["fcontext"] += valid_everyone + valid_local + [ '-e', '--equal', '-f', '--ftype', '-s', '--seuser', '-t', '--type', '-r', '--range']
++ valid_option["dontaudit"] = [ '-S', '--store' ]
++ valid_option["boolean"] = []
++ valid_option["boolean"] += valid_everyone + valid_local + [ '--on', "--off", "-1", "-0", "-F", "--file"]
++ valid_option["permissive"] = []
++ valid_option["permissive"] += [ '-a', '--add', '-d', '--delete', '-l', '--list', '-h', '--help', '-n', '--noheading', '-D', '--deleteall' ]
++ return valid_option
++
++ def mkargv(line):
++ dquote = "\""
++ squote = "\'"
++ l = line.split()
++ ret = []
++ i = 0
++ while i < len(l):
++ cnt = len(re.findall(dquote, l[i]))
++ if cnt > 1:
++ ret.append(l[i].strip(dquote))
++ i = i + 1
++ continue
++ if cnt == 1:
++ quote = [ l[i].strip(dquote) ]
++ i = i + 1
++
++ while i < len(l) and dquote not in l[i]:
++ quote.append(l[i])
++ i = i + 1
++ quote.append(l[i].strip(dquote))
++ ret.append(" ".join(quote))
++ i = i + 1
++ continue
++
++ cnt = len(re.findall(squote, l[i]))
++ if cnt > 1:
++ ret.append(l[i].strip(squote))
++ i = i + 1
++ continue
++ if cnt == 1:
++ quote = [ l[i].strip(squote) ]
++ i = i + 1
++ while i < len(l) and squote not in l[i]:
++ quote.append(l[i])
++ i = i + 1
++
++ quote.append(l[i].strip(squote))
++ ret.append(" ".join(quote))
++ i = i + 1
++ continue
++
++ ret.append(l[i])
++ i = i + 1
++
++ return ret
++
++ def process_args(argv):
++ global action
++ action = False
++ serange = ""
++ port = ""
++ proto = ""
++ mask = ""
++ selevel = ""
++ setype = ""
++ ftype = ""
++ roles = ""
++ seuser = ""
++ prefix = "user"
++ heading = True
++ value = None
++ add = False
++ modify = False
++ delete = False
++ deleteall = False
++ enable = False
++ extract = False
++ disable = False
++ list = False
++ locallist = False
++ use_file = False
++ store = ""
++ equal=""
++
++ if len(argv) == 0:
++ return
++ object = argv[0]
++ option_dict=get_options()
++ if object not in option_dict.keys():
++ usage(_("Invalid parameter %s not defined") % object)
++
++ args = argv[1:]
++
++ gopts, cmds = getopt.getopt(args,
++ '01adEe:f:i:lhmnp:s:FCDR:L:r:t:P:S:M:',
++ ['add',
++ 'delete',
++ 'deleteall',
++ 'equal=',
++ 'enable',
++ 'extract',
++ 'disable',
++ 'ftype=',
++ 'file',
++ 'help',
++ 'input=',
++ 'list',
++ 'modify',
++ 'noheading',
++ 'localist',
++ 'off',
++ 'on',
++ 'proto=',
++ 'seuser=',
++ 'store=',
++ 'range=',
++ 'locallist=',
++ 'level=',
++ 'roles=',
++ 'type=',
++ 'prefix=',
++ 'mask='
++ ])
++ for o, a in gopts:
++ if o not in option_dict[object]:
++ sys.stderr.write(_("%s not valid for %s objects\n") % ( o, object) );
++
++ return
++
++ for o,a in gopts:
++ if o == "-a" or o == "--add":
++ set_action(o)
++ add = True
++
++ if o == "-d" or o == "--delete":
++ set_action(o)
++ delete = True
++
++ if o == "-D" or o == "--deleteall":
++ set_action(o)
++ deleteall = True
++
++ if o == "-E" or o == "--extract":
++ set_action(o)
++ extract = True
++ if o == "-f" or o == "--ftype":
++ ftype=a
++
++ if o == "-e" or o == "--equal":
++ equal = a
++
++ if o == "--enable":
++ if disable:
++ raise ValueError(_("You can't disable and enable at the same time"))
++
++ enable = True
++
++ if o == "--disable":
++ if enable:
++ raise ValueError(_("You can't disable and enable at the same time"))
++ disable = True
++
++ if o == "-F" or o == "--file":
++ use_file = True
++
++ if o == "-h" or o == "--help":
++ raise usage()
++
++ if o == "-n" or o == "--noheading":
++ heading = False
++
++ if o == "-C" or o == "--locallist":
++ locallist = True
++
++ if o == "-m"or o == "--modify":
++ set_action(o)
++ modify = True
++
++ if o == "-S" or o == '--store':
++ store = a
++
++ if o == "-r" or o == '--range':
++ serange = a
++
++ if o == "-l" or o == "--list":
++ list = True
++
++ if o == "-L" or o == '--level':
++ selevel = a
++
++ if o == "-p" or o == '--proto':
++ proto = a
++
++ if o == "-P" or o == '--prefix':
++ prefix = a
++
++ if o == "-R" or o == '--roles':
++ roles = roles + " " + a
++
++ if o == "-s" or o == "--seuser":
++ seuser = a
++
++ if o == "-M" or o == '--mask':
++ mask = a
++
++ if o == "-t" or o == "--type":
++ setype = a
++
++ if o == "--on" or o == "-1":
++ value = "on"
++ modify = True
++ if o == "--off" or o == "-0":
++ value = "off"
++ modify = True
++
++ if object == "login":
++ OBJECT = seobject.loginRecords(store)
++
++ if object == "user":
++ OBJECT = seobject.seluserRecords(store)
++
++ if object == "port":
++ OBJECT = seobject.portRecords(store)
++
++ if object == "interface":
++ OBJECT = seobject.interfaceRecords(store)
++
++ if object == "node":
++ OBJECT = seobject.nodeRecords(store)
++
++ if object == "fcontext":
++ OBJECT = seobject.fcontextRecords(store)
++
++ if object == "boolean":
++ OBJECT = seobject.booleanRecords(store)
++ if use_file:
++ modify=True
++
++ if object == "module":
++ OBJECT = seobject.moduleRecords(store)
++
++ if object == "permissive":
++ OBJECT = seobject.permissiveRecords(store)
++
++ if list:
++ if object == "boolean":
++ OBJECT.list(heading, locallist, use_file)
++ else:
++ OBJECT.list(heading, locallist)
++ return
++
++ if deleteall:
++ OBJECT.deleteall()
++ return
++
++ if extract:
++ for i in OBJECT.customized():
++ print "%s %s" % (object, str(i))
++ return
++
++ if len(cmds) != 1:
++ raise ValueError(_("bad option"))
++
++ target = cmds[0]
++
++ if object == "dontaudit":
++ OBJECT = seobject.dontauditClass(store)
++ OBJECT.toggle(target)
++ return
++
++ if add:
++ if object == "login":
++ OBJECT.add(target, seuser, serange)
++ return
++
++ if object == "user":
++ OBJECT.add(target, roles.split(), selevel, serange, prefix)
++ return
++
++ if object == "port":
++ OBJECT.add(target, proto, serange, setype)
++ return
++
++ if object == "interface":
++ OBJECT.add(target, serange, setype)
++ return
++
++ if object == "module":
++ OBJECT.add(target)
++ return
++
++ if object == "node":
++ OBJECT.add(target, mask, proto, serange, setype)
++ return
++
++ if object == "fcontext":
++ if equal == "":
++ OBJECT.add(target, setype, ftype, serange, seuser)
++ else:
++ OBJECT.add_equal(target, equal)
++ return
++ if object == "permissive":
++ OBJECT.add(target)
++ return
++
++ if modify:
++ if object == "boolean":
++ OBJECT.modify(target, value, use_file)
++ return
++
++ if object == "login":
++ OBJECT.modify(target, seuser, serange)
++ return
++
++ if object == "user":
++ rlist = roles.split()
++ OBJECT.modify(target, rlist, selevel, serange, prefix)
++ return
++
++ if object == "module":
++ if enable:
++ OBJECT.enable(target)
++ elif disable:
++ OBJECT.disable(target)
++ else:
++ OBJECT.modify(target)
++ return
++
++ if object == "port":
++ OBJECT.modify(target, proto, serange, setype)
++ return
++
++ if object == "interface":
++ OBJECT.modify(target, serange, setype)
++ return
++
++ if object == "node":
++ OBJECT.modify(target, mask, proto, serange, setype)
++ return
++
++ if object == "fcontext":
++ if equal == "":
++ OBJECT.modify(target, setype, ftype, serange, seuser)
++ else:
++ OBJECT.modify_equal(target, equal)
++ return
++ if delete:
++ if object == "port":
++ OBJECT.delete(target, proto)
++
++ elif object == "fcontext":
++ OBJECT.delete(target, ftype)
++
++ elif object == "node":
++ OBJECT.delete(target, mask, proto)
++
++ else:
++ OBJECT.delete(target)
++ return
++ raise ValueError(_("Invalid command: semanage %s") % " ".join(argv))
++
++ #
++ #
++ #
++ try:
++ output = None
++ input = None
++ store = ""
++
++ if len(sys.argv) < 3:
++ usage(_("Requires 2 or more arguments"))
++
++ gopts, cmds = getopt.getopt(sys.argv[1:],
++ '01adf:i:lhmno:p:s:FCDR:L:r:t:T:P:S:',
++ ['add',
++ 'delete',
++ 'deleteall',
++ 'ftype=',
++ 'file',
++ 'help',
++ 'input=',
++ 'list',
++ 'modify',
++ 'noheading',
++ 'localist',
++ 'off',
++ 'on',
++ 'output=',
++ 'proto=',
++ 'seuser=',
++ 'store=',
++ 'range=',
++ 'level=',
++ 'roles=',
++ 'type=',
++ 'trans=',
++ 'prefix='
++ ])
++ for o, a in gopts:
++ if o == "-S" or o == '--store':
++ store = a
++ if o == "-i" or o == '--input':
++ input = a
++ if o == "-o" or o == '--output':
++ output = a
++
++ if output != None:
++ if output != "-":
++ sys.stdout = open(output, 'w')
++ for i in manageditems:
++ print "%s -D" % i
++ process_args([i, "-E"])
++ sys.exit(0)
++
++ if input != None:
++ if input == "-":
++ fd = sys.stdin
++ else:
++ fd = open(input, 'r')
++ trans = seobject.semanageRecords(store)
++ trans.start()
++ for l in fd.readlines():
++ process_args(mkargv(l))
++ trans.finish()
++ else:
++ process_args(sys.argv[1:])
++
++ except getopt.error, error:
++ usage(_("Options Error %s ") % error.msg)
++ except ValueError, error:
++ errorExit(error.args[0])
++ except KeyError, error:
++ errorExit(_("Invalid value %s") % error.args[0])
++ except IOError, error:
++ errorExit(error.args[1])
++ except OSError, error:
++ errorExit(error.args[1])
diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/seobject.py policycoreutils-2.0.83/semanage/seobject.py
--- nsapolicycoreutils/semanage/seobject.py 2010-06-16 08:04:12.000000000 -0400
-+++ policycoreutils-2.0.83/semanage/seobject.py 2011-01-04 17:17:10.000000000 -0500
++++ policycoreutils-2.0.83/semanage/seobject.py 2011-01-21 09:11:18.000000000 -0500
@@ -29,47 +29,12 @@
import gettext
gettext.bindtextdomain(PROGNAME, "/usr/share/locale")
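Review bot: In the added semanage.f15, the option-validation loop in process_args (`if o not in option_dict[object]: sys.stderr.write(...)`) is followed by a bare `return`, so a rejected option still produces exit status 0, and in `-i` transaction mode the remaining input lines are processed and committed by `trans.finish()` as if nothing had failed; `raise ValueError(_("%s not valid for %s objects") % (o, object))` routes it through the existing errorExit path instead. Separately, both quote-joining branches of `mkargv` index `l[i]` right after an inner `while i < len(l) and ... not in l[i]` loop, so an input line with an unterminated quote raises IndexError, which none of the `except` clauses at the bottom of the file catch. `raise usage()` under `-h` is also misleading, since `usage()` itself raises; `usage()` alone reads correctly.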
@@ -4643,7 +5325,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
if use_file:
diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sepolgen-ifgen/Makefile policycoreutils-2.0.83/sepolgen-ifgen/Makefile
--- nsapolicycoreutils/sepolgen-ifgen/Makefile 1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.83/sepolgen-ifgen/Makefile 2011-01-04 17:17:10.000000000 -0500
++++ policycoreutils-2.0.83/sepolgen-ifgen/Makefile 2011-01-21 09:11:18.000000000 -0500
@@ -0,0 +1,25 @@
+# Installation directories.
+PREFIX ?= ${DESTDIR}/usr
@@ -4672,7 +5354,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
+relabel: ;
diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sepolgen-ifgen/sepolgen-ifgen-attr-helper.c policycoreutils-2.0.83/sepolgen-ifgen/sepolgen-ifgen-attr-helper.c
--- nsapolicycoreutils/sepolgen-ifgen/sepolgen-ifgen-attr-helper.c 1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.83/sepolgen-ifgen/sepolgen-ifgen-attr-helper.c 2011-01-04 17:17:10.000000000 -0500
++++ policycoreutils-2.0.83/sepolgen-ifgen/sepolgen-ifgen-attr-helper.c 2011-01-21 09:11:18.000000000 -0500
@@ -0,0 +1,230 @@
+/* Authors: Frank Mayer <mayerf at tresys.com>
+ * and Karl MacMillan <kmacmillan at tresys.com>
@@ -4906,7 +5588,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
+}
diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/setfiles/restore.c policycoreutils-2.0.83/setfiles/restore.c
--- nsapolicycoreutils/setfiles/restore.c 2010-06-16 08:04:12.000000000 -0400
-+++ policycoreutils-2.0.83/setfiles/restore.c 2011-01-04 17:17:10.000000000 -0500
++++ policycoreutils-2.0.83/setfiles/restore.c 2011-01-21 09:11:18.000000000 -0500
@@ -1,4 +1,5 @@
#include "restore.h"
+#include <glob.h>
@@ -5090,7 +5772,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/setfiles/restorecon.8 policycoreutils-2.0.83/setfiles/restorecon.8
--- nsapolicycoreutils/setfiles/restorecon.8 2010-06-16 08:04:12.000000000 -0400
-+++ policycoreutils-2.0.83/setfiles/restorecon.8 2011-01-04 17:17:10.000000000 -0500
++++ policycoreutils-2.0.83/setfiles/restorecon.8 2011-01-21 09:11:18.000000000 -0500
@@ -4,10 +4,10 @@
.SH "SYNOPSIS"
@@ -5116,7 +5798,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
show changes in file labels.
diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/setfiles/restore.h policycoreutils-2.0.83/setfiles/restore.h
--- nsapolicycoreutils/setfiles/restore.h 2010-06-16 08:04:12.000000000 -0400
-+++ policycoreutils-2.0.83/setfiles/restore.h 2011-01-04 17:17:10.000000000 -0500
++++ policycoreutils-2.0.83/setfiles/restore.h 2011-01-21 09:11:18.000000000 -0500
@@ -27,6 +27,7 @@
int hard_links;
int verbose;
@@ -5138,7 +5820,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
#endif
diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/setfiles/setfiles.8 policycoreutils-2.0.83/setfiles/setfiles.8
--- nsapolicycoreutils/setfiles/setfiles.8 2010-06-16 08:04:12.000000000 -0400
-+++ policycoreutils-2.0.83/setfiles/setfiles.8 2011-01-04 17:17:10.000000000 -0500
++++ policycoreutils-2.0.83/setfiles/setfiles.8 2011-01-21 09:11:18.000000000 -0500
@@ -31,6 +31,9 @@
.TP
.B \-n
@@ -5151,7 +5833,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
suppress non-error output.
diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/setfiles/setfiles.c policycoreutils-2.0.83/setfiles/setfiles.c
--- nsapolicycoreutils/setfiles/setfiles.c 2010-06-16 08:04:12.000000000 -0400
-+++ policycoreutils-2.0.83/setfiles/setfiles.c 2011-01-04 17:17:10.000000000 -0500
++++ policycoreutils-2.0.83/setfiles/setfiles.c 2011-01-21 09:11:18.000000000 -0500
@@ -5,7 +5,6 @@
#include <ctype.h>
#include <regex.h>
@@ -5291,3 +5973,308 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
}
}
+diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/setsebool/setsebool.c policycoreutils-2.0.83/setsebool/setsebool.c
+--- nsapolicycoreutils/setsebool/setsebool.c 2010-06-16 08:04:13.000000000 -0400
++++ policycoreutils-2.0.83/setsebool/setsebool.c 2011-01-21 09:11:19.000000000 -0500
+@@ -82,8 +82,13 @@
+ if (errno == ENOENT)
+ fprintf(stderr, "Could not change active booleans: "
+ "Invalid boolean\n");
+- else if (errno)
+- perror("Could not change active booleans");
++ else if (errno) {
++ if (getuid() == 0) {
++ perror("Could not change active booleans");
++ } else {
++ perror("Could not change active booleans. Please try as root");
++ }
++ }
+
+ return -1;
+ }
+@@ -115,8 +120,13 @@
+ goto err;
+
+ } else if (managed == 0) {
+- fprintf(stderr,
+- "Cannot set persistent booleans without managed policy.\n");
++ if (getuid() == 0) {
++ fprintf(stderr,
++ "Cannot set persistent booleans without managed policy.\n");
++ } else {
++ fprintf(stderr,
++ "Cannot set persistent booleans, please try as root.\n");
++ }
+ goto err;
+ }
+
+diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/setsebool/setsebool.c.f15 policycoreutils-2.0.83/setsebool/setsebool.c.f15
+--- nsapolicycoreutils/setsebool/setsebool.c.f15 1969-12-31 19:00:00.000000000 -0500
++++ policycoreutils-2.0.83/setsebool/setsebool.c.f15 2010-06-16 08:04:13.000000000 -0400
+@@ -0,0 +1,266 @@
++#include <unistd.h>
++#include <stdlib.h>
++#include <stdio.h>
++#include <string.h>
++#include <sys/stat.h>
++#include <fcntl.h>
++#include <errno.h>
++#include <syslog.h>
++#include <pwd.h>
++#include <selinux/selinux.h>
++#include <semanage/handle.h>
++#include <semanage/booleans_local.h>
++#include <semanage/booleans_active.h>
++#include <semanage/boolean_record.h>
++#include <errno.h>
++
++int permanent = 0;
++
++int setbool(char **list, size_t start, size_t end);
++
++void usage(void)
++{
++ fputs
++ ("\nUsage: setsebool [ -P ] boolean value | bool1=val1 bool2=val2...\n\n",
++ stderr);
++ exit(1);
++}
++
++int main(int argc, char **argv)
++{
++ size_t rc, start;
++
++ if (argc < 2)
++ usage();
++
++ if (is_selinux_enabled() <= 0) {
++ fputs("setsebool: SELinux is disabled.\n", stderr);
++ return 1;
++ }
++
++ if (strcmp(argv[1], "-P") == 0) {
++ permanent = 1;
++ if (argc < 3)
++ usage();
++ start = 2;
++ } else
++ start = 1;
++
++ /* Check to see which way we are being called. If a '=' is passed,
++ we'll enforce the list syntax. If not we'll enforce the original
++ syntax for backward compatibility. */
++ if (strchr(argv[start], '=') == 0) {
++ int len;
++ char *bool_list[1];
++
++ if ((argc - start) != 2)
++ usage();
++
++ /* Add 1 for the '=' */
++ len = strlen(argv[start]) + strlen(argv[start + 1]) + 2;
++ bool_list[0] = (char *)malloc(len);
++ if (bool_list[0] == 0) {
++ fputs("Out of memory - aborting\n", stderr);
++ return 1;
++ }
++ snprintf(bool_list[0], len, "%s=%s", argv[start],
++ argv[start + 1]);
++ rc = setbool(bool_list, 0, 1);
++ free(bool_list[0]);
++ } else
++ rc = setbool(argv, start, argc);
++
++ return rc;
++}
++
++/* Apply temporal boolean changes to policy via libselinux */
++static int selinux_set_boolean_list(size_t boolcnt,
++ SELboolean * boollist)
++{
++
++ if (security_set_boolean_list(boolcnt, boollist, 0)) {
++ if (errno == ENOENT)
++ fprintf(stderr, "Could not change active booleans: "
++ "Invalid boolean\n");
++ else if (errno)
++ perror("Could not change active booleans");
++
++ return -1;
++ }
++
++ return 0;
++}
++
++/* Apply permanent boolean changes to policy via libsemanage */
++static int semanage_set_boolean_list(size_t boolcnt,
++ SELboolean * boollist)
++{
++
++ size_t j;
++ semanage_handle_t *handle = NULL;
++ semanage_bool_t *boolean = NULL;
++ semanage_bool_key_t *bool_key = NULL;
++ int managed;
++
++ handle = semanage_handle_create();
++ if (handle == NULL) {
++ fprintf(stderr, "Could not create semanage library handle\n");
++ goto err;
++ }
++
++ managed = semanage_is_managed(handle);
++ if (managed < 0) {
++ fprintf(stderr,
++ "Error when checking whether policy is managed\n");
++ goto err;
++
++ } else if (managed == 0) {
++ fprintf(stderr,
++ "Cannot set persistent booleans without managed policy.\n");
++ goto err;
++ }
++
++ if (semanage_connect(handle) < 0)
++ goto err;
++
++ if (semanage_begin_transaction(handle) < 0)
++ goto err;
++
++ for (j = 0; j < boolcnt; j++) {
++
++ if (semanage_bool_create(handle, &boolean) < 0)
++ goto err;
++
++ if (semanage_bool_set_name(handle, boolean, boollist[j].name) <
++ 0)
++ goto err;
++
++ semanage_bool_set_value(boolean, boollist[j].value);
++
++ if (semanage_bool_key_extract(handle, boolean, &bool_key) < 0)
++ goto err;
++
++ if (semanage_bool_modify_local(handle, bool_key,
++ boolean) < 0)
++ goto err;
++
++ if (semanage_bool_set_active(handle, bool_key, boolean) < 0) {
++ fprintf(stderr, "Could not change boolean %s\n",
++ boollist[j].name);
++ goto err;
++ }
++ semanage_bool_key_free(bool_key);
++ semanage_bool_free(boolean);
++ bool_key = NULL;
++ boolean = NULL;
++ }
++
++ semanage_set_reload(handle, 0);
++ if (semanage_commit(handle) < 0)
++ goto err;
++
++ semanage_disconnect(handle);
++ semanage_handle_destroy(handle);
++ return 0;
++
++ err:
++ semanage_bool_key_free(bool_key);
++ semanage_bool_free(boolean);
++ semanage_handle_destroy(handle);
++ fprintf(stderr, "Could not change policy booleans\n");
++ return -1;
++}
++
++/* Given an array of strings in the form "boolname=value", a start index,
++ and a finish index...walk the list and set the bool. */
++int setbool(char **list, size_t start, size_t end)
++{
++ char *name, *value_ptr;
++ int j = 0, value;
++ size_t i = start;
++ size_t boolcnt = end - start;
++ struct passwd *pwd;
++ SELboolean *vallist = calloc(boolcnt, sizeof(SELboolean));
++ if (!vallist)
++ goto omem;
++
++ while (i < end) {
++ name = list[i];
++ value_ptr = strchr(list[i], '=');
++ if (value_ptr == 0) {
++ fprintf(stderr,
++ "setsebool: '=' not found in boolean expression %s\n",
++ list[i]);
++ goto err;
++ }
++ *value_ptr = 0;
++ value_ptr++;
++ if (strcmp(value_ptr, "1") == 0 ||
++ strcasecmp(value_ptr, "true") == 0 ||
++ strcasecmp(value_ptr, "on") == 0)
++ value = 1;
++ else if (strcmp(value_ptr, "0") == 0 ||
++ strcasecmp(value_ptr, "false") == 0 ||
++ strcasecmp(value_ptr, "off") == 0)
++ value = 0;
++ else {
++ fprintf(stderr, "setsebool: illegal value "
++ "%s for boolean %s\n", value_ptr, name);
++ goto err;
++ }
++
++ vallist[j].value = value;
++ vallist[j].name = strdup(name);
++ if (!vallist[j].name)
++ goto omem;
++ i++;
++ j++;
++
++ /* Now put it back */
++ value_ptr--;
++ *value_ptr = '=';
++ }
++
++ if (permanent) {
++ if (semanage_set_boolean_list(boolcnt, vallist) < 0)
++ goto err;
++ } else {
++ if (selinux_set_boolean_list(boolcnt, vallist) < 0)
++ goto err;
++ }
++
++ /* Now log what was done */
++ pwd = getpwuid(getuid());
++ i = start;
++ while (i < end) {
++ name = list[i];
++ value_ptr = strchr(name, '=');
++ *value_ptr = 0;
++ value_ptr++;
++ if (pwd && pwd->pw_name)
++ syslog(LOG_NOTICE,
++ "The %s policy boolean was changed to %s by %s",
++ name, value_ptr, pwd->pw_name);
++ else
++ syslog(LOG_NOTICE,
++ "The %s policy boolean was changed to %s by uid:%d",
++ name, value_ptr, getuid());
++ i++;
++ }
++
++ for (i = 0; i < boolcnt; i++)
++ free(vallist[i].name);
++ free(vallist);
++ return 0;
++
++ omem:
++ fprintf(stderr, "setsebool: out of memory");
++
++ err:
++ if (vallist) {
++ for (i = 0; i < boolcnt; i++)
++ free(vallist[i].name);
++ free(vallist);
++ }
++ return -1;
++}
diff --git a/policycoreutils.spec b/policycoreutils.spec
index 7598e35..1d0aa88 100644
--- a/policycoreutils.spec
+++ b/policycoreutils.spec
@@ -7,7 +7,7 @@
Summary: SELinux policy core utilities
Name: policycoreutils
Version: 2.0.83
-Release: 33.10%{?dist}
+Release: 33.11%{?dist}
License: GPLv2
Group: System Environment/Base
Source: http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz
@@ -317,6 +317,10 @@ fi
exit 0
%changelog
+* Wed Feb 2 2011 Dan Walsh <dwalsh at redhat.com> 2.0.83-33.11
+- Fix sandbox to work on nfs homedirs
+- Fix error message to print out complete information in sandbox
+
* Fri Jan 14 2011 Dan Walsh <dwalsh at redhat.com> 2.0.83-33.10
- Add sandbox to sepolgen and selinux-polgengui