[policycoreutils/f14/master: 2/3] Merge branch 'f14/master' of ssh://pkgs.fedoraproject.org/policycoreutils into f14/master

Daniel J Walsh dwalsh at fedoraproject.org
Fri Feb 4 19:59:54 UTC 2011


commit 419030ab27b1618f611878e16686e1299c51f231
Merge: 720ea81 9f6e28a
Author: Dan Walsh <dwalsh at redhat.com>
Date:   Fri Feb 4 14:57:37 2011 -0500

    Merge branch 'f14/master' of ssh://pkgs.fedoraproject.org/policycoreutils into f14/master
    
    Conflicts:
    	policycoreutils-rhat.patch

 policycoreutils-rhat.patch | 2633 +++++++++++++++++++++++++++++++-------------
 1 files changed, 1874 insertions(+), 759 deletions(-)
---
diff --cc policycoreutils-rhat.patch
index 2695756,3f2f161..677cafc
--- a/policycoreutils-rhat.patch
+++ b/policycoreutils-rhat.patch
@@@ -319,386 -288,38 +288,794 @@@ index 03f95a1..5986b23 10064
       if_set.to_file(f)
       f.close()
   
++<<<<<<< HEAD
 +diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/load_policy/load_policy.c policycoreutils-2.0.83/load_policy/load_policy.c
 +--- nsapolicycoreutils/load_policy/load_policy.c	2010-06-16 08:04:12.000000000 -0400
 ++++ policycoreutils-2.0.83/load_policy/load_policy.c	2011-01-21 09:11:18.000000000 -0500
 +@@ -23,6 +23,14 @@
 + 	exit(1);
 + }
 + 
 ++char *policy_path(void) {
 ++	char *path=NULL;
 ++	if (asprintf(&path, "%s.%d", selinux_binary_policy_path(), security_policyvers()) < 0) {
 ++		return NULL;
 ++	}
 ++	return path;
 ++}
 ++
 + int main(int argc, char **argv)
 + {
 + 	int ret, opt, quiet = 0, nargs, init=0, enforce=0;
 +@@ -64,6 +72,7 @@
 + 			"%s:  Warning!  Boolean file argument (%s) is no longer supported, installed booleans file is always used.  Continuing...\n",
 + 			argv[0], argv[optind++]);
 + 	}
 ++	errno = 0;
 + 	if (init) {
 + 		if (is_selinux_enabled() == 1) {
 + 			/* SELinux is already enabled, we should not do an initial load again */
 +@@ -73,12 +82,18 @@
 + 			exit(2);
 + 		}
 + 		ret = selinux_init_load_policy(&enforce);
 +-		if (ret != 0 ) {
 ++		/* selinux_init_load_policy returns -1 if it did not load_policy
 ++		 * On SELinux disabled system it will always return -1
 ++		 * So check errno to see if anything went wrong
 ++		 */
 ++		if (ret < 0 && errno != 0) {
 + 			if (enforce > 0) {
 + 				/* SELinux in enforcing mode but load_policy failed */
 ++				char *path=policy_path();
 + 				fprintf(stderr,
 +-						_("%s:  Can't load policy and enforcing mode requested:  %s\n"),
 +-						argv[0], strerror(errno));
 ++						_("%s:  Can't load policy file %s and enforcing mode requested: %s\n"),
 ++					argv[0], path, strerror(errno));
 ++				free(path);
 + 				exit(3);
 + 			}
 + 		}
 +diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/load_policy/load_policy.c.disable policycoreutils-2.0.83/load_policy/load_policy.c.disable
 +--- nsapolicycoreutils/load_policy/load_policy.c.disable	1969-12-31 19:00:00.000000000 -0500
 ++++ policycoreutils-2.0.83/load_policy/load_policy.c.disable	2011-01-21 09:11:18.000000000 -0500
 +@@ -0,0 +1,106 @@
 ++#include <unistd.h>
 ++#include <stdlib.h>
 ++#include <stdio.h>
 ++#include <errno.h>
 ++#include <getopt.h>
 ++#include <string.h>
 ++#include <selinux/selinux.h>
 ++#include <sepol/sepol.h>
 ++#ifdef USE_NLS
 ++#include <locale.h>		/* for setlocale() */
 ++#include <libintl.h>		/* for gettext() */
 ++#define _(msgid) gettext (msgid)
 ++#else
 ++#define _(msgid) (msgid)
 ++#endif
 ++#ifndef PACKAGE
 ++#define PACKAGE "policycoreutils"	/* the name of this package lang translation */
 ++#endif
 ++
 ++
 ++void usage(char *progname)
 ++{
 ++	fprintf(stderr, _("usage:  %s [-qi]\n"), progname);
 ++	exit(1);
 ++}
 ++
 ++char *policy_path(void) {
 ++	char *path=NULL;
 ++	if (asprintf(&path, "%s.%d", selinux_binary_policy_path(), security_policyvers()) < 0) {
 ++		return NULL;
 ++	}
 ++	return path;
 ++}
 ++
 ++int main(int argc, char **argv)
 ++{
 ++	int ret, opt, quiet = 0, nargs, init=0, enforce=0;
 ++
 ++#ifdef USE_NLS
 ++	setlocale(LC_ALL, "");
 ++	bindtextdomain(PACKAGE, LOCALEDIR);
 ++	textdomain(PACKAGE);
 ++#endif
 ++
 ++	while ((opt = getopt(argc, argv, "bqi")) > 0) {
 ++		switch (opt) {
 ++		case 'b':
 ++			fprintf(stderr, "%s:  Warning! The -b option is no longer supported, booleans are always preserved across reloads.  Continuing...\n",
 ++				argv[0]);
 ++			break;
 ++		case 'q':
 ++			quiet = 1;
 ++			sepol_debug(0);
 ++			break;
 ++		case 'i':
 ++			init = 1;
 ++			break;
 ++		default:
 ++			usage(argv[0]);
 ++		}
 ++	}
 ++
 ++	nargs = argc - optind;
 ++	if (nargs > 2)
 ++		usage(argv[0]);
 ++	if (nargs >= 1 && !quiet) {
 ++			fprintf(stderr,
 ++				"%s:  Warning!  Policy file argument (%s) is no longer supported, installed policy is always loaded.  Continuing...\n",
 ++				argv[0], argv[optind++]);
 ++	}
 ++	if (nargs == 2 && ! quiet) {
 ++		fprintf(stderr,
 ++			"%s:  Warning!  Boolean file argument (%s) is no longer supported, installed booleans file is always used.  Continuing...\n",
 ++			argv[0], argv[optind++]);
 ++	}
 ++	if (init) {
 ++		if (is_selinux_enabled() == 1) {
 ++			/* SELinux is already enabled, we should not do an initial load again */
 ++			fprintf(stderr,
 ++					_("%s:  Policy is already loaded and initial load requested\n"),
 ++					argv[0]);
 ++			exit(2);
 ++		}
 ++		ret = selinux_init_load_policy(&enforce);
 ++		if (ret != 0 ) {
 ++			if (enforce > 0) {
 ++				/* SELinux in enforcing mode but load_policy failed */
 ++				char *path=policy_path();
 ++				fprintf(stderr,
 ++						_("%s:  Can't load policy file %s and enforcing mode requested: %s\n"),
 ++					argv[0], path, strerror(errno));
 ++				free(path);
 ++				exit(3);
 ++			}
 ++		}
 ++	}
 ++	else {
 ++		ret = selinux_mkload_policy(1);
 ++	}
 ++	if (ret < 0) {
 ++		fprintf(stderr, _("%s:  Can't load policy:  %s\n"),
 ++			argv[0], strerror(errno));
 ++		exit(2);
 ++	}
 ++	exit(0);
 ++}
 +diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/Makefile policycoreutils-2.0.83/Makefile
 +--- nsapolicycoreutils/Makefile	2010-06-16 08:04:11.000000000 -0400
 ++++ policycoreutils-2.0.83/Makefile	2011-01-21 09:11:18.000000000 -0500
 +@@ -1,4 +1,4 @@
 +-SUBDIRS = setfiles semanage load_policy newrole run_init sandbox secon audit2allow audit2why scripts sestatus semodule_package semodule semodule_link semodule_expand semodule_deps setsebool po
 ++SUBDIRS = setfiles semanage semanage/default_encoding load_policy newrole run_init sandbox secon audit2allow audit2why scripts sestatus semodule_package semodule semodule_link semodule_expand semodule_deps sepolgen-ifgen setsebool po gui
 + 
 + INOTIFYH = $(shell ls /usr/include/sys/inotify.h 2>/dev/null)
 + 
 +diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/newrole/Makefile policycoreutils-2.0.83/newrole/Makefile
 +--- nsapolicycoreutils/newrole/Makefile	2010-06-16 08:04:12.000000000 -0400
 ++++ policycoreutils-2.0.83/newrole/Makefile	2011-01-21 09:11:18.000000000 -0500
 +@@ -50,7 +50,7 @@
 + endif
 + ifeq (${IS_SUID},y)
 + 	MODE := 4555
 +-	LDLIBS += -lcap
 ++	LDLIBS += -lcap-ng
 + else
 + 	MODE := 0555
 + endif
 +diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/newrole/newrole.c policycoreutils-2.0.83/newrole/newrole.c
 +--- nsapolicycoreutils/newrole/newrole.c	2010-06-16 08:04:12.000000000 -0400
 ++++ policycoreutils-2.0.83/newrole/newrole.c	2011-02-04 14:53:44.000000000 -0500
 +@@ -77,7 +77,7 @@
 + #endif
 + #if defined(AUDIT_LOG_PRIV) || (NAMESPACE_PRIV)
 + #include <sys/prctl.h>
 +-#include <sys/capability.h>
 ++#include <cap-ng.h>
 + #endif
 + #ifdef USE_NLS
 + #include <locale.h>		/* for setlocale() */
 +@@ -90,6 +90,9 @@
 + #define PACKAGE "policycoreutils"	/* the name of this package lang translation */
 + #endif
 + 
 ++#define TRUE 1
 ++#define FALSE 0
 ++
 + /* USAGE_STRING describes the command-line args of this program. */
 + #define USAGE_STRING "USAGE: newrole [ -r role ] [ -t type ] [ -l level ] [ -p ] [ -V ] [ -- args ]"
 + 
 +@@ -538,69 +541,23 @@
 +  * Returns zero on success, non-zero otherwise
 +  */
 + #if defined(AUDIT_LOG_PRIV) && !defined(NAMESPACE_PRIV)
 +-static int drop_capabilities(void)
 ++static int drop_capabilities(int full)
 + {
 +-	int rc = 0;
 +-	cap_t new_caps, tmp_caps;
 +-	cap_value_t cap_list[] = { CAP_AUDIT_WRITE };
 +-	cap_value_t tmp_cap_list[] = { CAP_AUDIT_WRITE, CAP_SETUID };
 +-	uid_t uid = getuid();
 +-
 +-	if (!uid)
 +-		return 0;
 +-
 +-	/* Non-root caller, suid root path */
 +-	new_caps = cap_init();
 +-	tmp_caps = cap_init();
 +-	if (!new_caps || !tmp_caps) {
 +-		fprintf(stderr, _("Error initializing capabilities, aborting.\n"));
 ++	capng_clear(CAPNG_SELECT_BOTH);
 ++	if (capng_lock() < 0) 
 + 		return -1;
 +-	}
 +-	rc |= cap_set_flag(new_caps, CAP_PERMITTED, 1, cap_list, CAP_SET);
 +-	rc |= cap_set_flag(new_caps, CAP_EFFECTIVE, 1, cap_list, CAP_SET);
 +-	rc |= cap_set_flag(tmp_caps, CAP_PERMITTED, 2, tmp_cap_list, CAP_SET);
 +-	rc |= cap_set_flag(tmp_caps, CAP_EFFECTIVE, 2, tmp_cap_list, CAP_SET);
 +-	if (rc) {
 +-		fprintf(stderr, _("Error setting capabilities, aborting\n"));
 +-		goto out;
 +-	}
 + 
 +-	/* Keep capabilities across uid change */
 +-	if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0)) {
 +-		fprintf(stderr, _("Error setting KEEPCAPS, aborting\n"));
 +-		rc = -1;
 +-		goto out;
 +-	}
 +-
 +-	/* Does this temporary change really buy us much? */
 +-	/* We should still have root's caps, so drop most capabilities now */
 +-	if ((rc = cap_set_proc(tmp_caps))) {
 +-		fprintf(stderr, _("Error dropping capabilities, aborting\n"));
 +-		goto out;
 +-	}
 ++	uid_t uid = getuid();
 ++	if (!uid) return 0;
 + 
 + 	/* Change uid */
 +-	if ((rc = setresuid(uid, uid, uid))) {
 ++	if (setresuid(uid, uid, uid)) {
 + 		fprintf(stderr, _("Error changing uid, aborting.\n"));
 +-		goto out;
 +-	}
 +-
 +-	/* Now get rid of this ability */
 +-	if ((rc = prctl(PR_SET_KEEPCAPS, 0, 0, 0, 0) < 0)) {
 +-		fprintf(stderr, _("Error resetting KEEPCAPS, aborting\n"));
 +-		goto out;
 +-	}
 +-
 +-	/* Finish dropping capabilities. */
 +-	if ((rc = cap_set_proc(new_caps))) {
 +-		fprintf(stderr,
 +-			_("Error dropping SETUID capability, aborting\n"));
 +-		goto out;
 ++		return -1;
 + 	}
 +-      out:
 +-	if (cap_free(tmp_caps) || cap_free(new_caps))
 +-		fprintf(stderr, _("Error freeing caps\n"));
 +-	return rc;
 ++	if (! full) 
 ++		capng_update(CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED, CAP_AUDIT_WRITE);
 ++	return capng_apply(CAPNG_SELECT_BOTH);
 + }
 + #elif defined(NAMESPACE_PRIV)
 + /**
 +@@ -616,50 +573,25 @@
 +  *
 +  * Returns zero on success, non-zero otherwise
 +  */
 +-static int drop_capabilities(void)
 ++static int drop_capabilities(int full)
 + {
 +-	int rc = 0;
 +-	cap_t new_caps;
 +-	cap_value_t cap_list[] = { CAP_AUDIT_WRITE, CAP_SETUID,
 +-		CAP_SYS_ADMIN, CAP_FOWNER, CAP_CHOWN,
 +-		CAP_DAC_OVERRIDE
 +-	};
 +-
 +-	if (!getuid())
 +-		return 0;
 +-
 +-	/* Non-root caller, suid root path */
 +-	new_caps = cap_init();
 +-	if (!new_caps) {
 +-		fprintf(stderr, _("Error initializing capabilities, aborting.\n"));
 ++	capng_clear(CAPNG_SELECT_BOTH);
 ++	if (capng_lock() < 0) 
++||||||| merged common ancestors
++diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/load_policy/load_policy.c policycoreutils-2.0.83/load_policy/load_policy.c
++--- nsapolicycoreutils/load_policy/load_policy.c	2010-06-16 08:04:12.000000000 -0400
+++++ policycoreutils-2.0.83/load_policy/load_policy.c	2011-01-21 09:11:18.000000000 -0500
++@@ -23,6 +23,14 @@
++ 	exit(1);
++ }
++ 
+++char *policy_path(void) {
+++	char *path=NULL;
+++	if (asprintf(&path, "%s.%d", selinux_binary_policy_path(), security_policyvers()) < 0) {
+++		return NULL;
+++	}
+++	return path;
+++}
+++
++ int main(int argc, char **argv)
++ {
++ 	int ret, opt, quiet = 0, nargs, init=0, enforce=0;
++@@ -64,6 +72,7 @@
++ 			"%s:  Warning!  Boolean file argument (%s) is no longer supported, installed booleans file is always used.  Continuing...\n",
++ 			argv[0], argv[optind++]);
++ 	}
+++	errno = 0;
++ 	if (init) {
++ 		if (is_selinux_enabled() == 1) {
++ 			/* SELinux is already enabled, we should not do an initial load again */
++@@ -73,12 +82,18 @@
++ 			exit(2);
++ 		}
++ 		ret = selinux_init_load_policy(&enforce);
++-		if (ret != 0 ) {
+++		/* selinux_init_load_policy returns -1 if it did not load_policy
+++		 * On SELinux disabled system it will always return -1
+++		 * So check errno to see if anything went wrong
+++		 */
+++		if (ret < 0 && errno != 0) {
++ 			if (enforce > 0) {
++ 				/* SELinux in enforcing mode but load_policy failed */
+++				char *path=policy_path();
++ 				fprintf(stderr,
++-						_("%s:  Can't load policy and enforcing mode requested:  %s\n"),
++-						argv[0], strerror(errno));
+++						_("%s:  Can't load policy file %s and enforcing mode requested: %s\n"),
+++					argv[0], path, strerror(errno));
+++				free(path);
++ 				exit(3);
++ 			}
++ 		}
++diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/load_policy/load_policy.c.disable policycoreutils-2.0.83/load_policy/load_policy.c.disable
++--- nsapolicycoreutils/load_policy/load_policy.c.disable	1969-12-31 19:00:00.000000000 -0500
+++++ policycoreutils-2.0.83/load_policy/load_policy.c.disable	2011-01-21 09:11:18.000000000 -0500
++@@ -0,0 +1,106 @@
+++#include <unistd.h>
+++#include <stdlib.h>
+++#include <stdio.h>
+++#include <errno.h>
+++#include <getopt.h>
+++#include <string.h>
+++#include <selinux/selinux.h>
+++#include <sepol/sepol.h>
+++#ifdef USE_NLS
+++#include <locale.h>		/* for setlocale() */
+++#include <libintl.h>		/* for gettext() */
+++#define _(msgid) gettext (msgid)
+++#else
+++#define _(msgid) (msgid)
+++#endif
+++#ifndef PACKAGE
+++#define PACKAGE "policycoreutils"	/* the name of this package lang translation */
+++#endif
+++
+++
+++void usage(char *progname)
+++{
+++	fprintf(stderr, _("usage:  %s [-qi]\n"), progname);
+++	exit(1);
+++}
+++
+++char *policy_path(void) {
+++	char *path=NULL;
+++	if (asprintf(&path, "%s.%d", selinux_binary_policy_path(), security_policyvers()) < 0) {
+++		return NULL;
+++	}
+++	return path;
+++}
+++
+++int main(int argc, char **argv)
+++{
+++	int ret, opt, quiet = 0, nargs, init=0, enforce=0;
+++
+++#ifdef USE_NLS
+++	setlocale(LC_ALL, "");
+++	bindtextdomain(PACKAGE, LOCALEDIR);
+++	textdomain(PACKAGE);
+++#endif
+++
+++	while ((opt = getopt(argc, argv, "bqi")) > 0) {
+++		switch (opt) {
+++		case 'b':
+++			fprintf(stderr, "%s:  Warning! The -b option is no longer supported, booleans are always preserved across reloads.  Continuing...\n",
+++				argv[0]);
+++			break;
+++		case 'q':
+++			quiet = 1;
+++			sepol_debug(0);
+++			break;
+++		case 'i':
+++			init = 1;
+++			break;
+++		default:
+++			usage(argv[0]);
+++		}
+++	}
+++
+++	nargs = argc - optind;
+++	if (nargs > 2)
+++		usage(argv[0]);
+++	if (nargs >= 1 && !quiet) {
+++			fprintf(stderr,
+++				"%s:  Warning!  Policy file argument (%s) is no longer supported, installed policy is always loaded.  Continuing...\n",
+++				argv[0], argv[optind++]);
+++	}
+++	if (nargs == 2 && ! quiet) {
+++		fprintf(stderr,
+++			"%s:  Warning!  Boolean file argument (%s) is no longer supported, installed booleans file is always used.  Continuing...\n",
+++			argv[0], argv[optind++]);
+++	}
+++	if (init) {
+++		if (is_selinux_enabled() == 1) {
+++			/* SELinux is already enabled, we should not do an initial load again */
+++			fprintf(stderr,
+++					_("%s:  Policy is already loaded and initial load requested\n"),
+++					argv[0]);
+++			exit(2);
+++		}
+++		ret = selinux_init_load_policy(&enforce);
+++		if (ret != 0 ) {
+++			if (enforce > 0) {
+++				/* SELinux in enforcing mode but load_policy failed */
+++				char *path=policy_path();
+++				fprintf(stderr,
+++						_("%s:  Can't load policy file %s and enforcing mode requested: %s\n"),
+++					argv[0], path, strerror(errno));
+++				free(path);
+++				exit(3);
+++			}
+++		}
+++	}
+++	else {
+++		ret = selinux_mkload_policy(1);
+++	}
+++	if (ret < 0) {
+++		fprintf(stderr, _("%s:  Can't load policy:  %s\n"),
+++			argv[0], strerror(errno));
+++		exit(2);
+++	}
+++	exit(0);
+++}
++diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/Makefile policycoreutils-2.0.83/Makefile
++--- nsapolicycoreutils/Makefile	2010-06-16 08:04:11.000000000 -0400
+++++ policycoreutils-2.0.83/Makefile	2011-01-21 09:11:18.000000000 -0500
++@@ -1,4 +1,4 @@
++-SUBDIRS = setfiles semanage load_policy newrole run_init sandbox secon audit2allow audit2why scripts sestatus semodule_package semodule semodule_link semodule_expand semodule_deps setsebool po
+++SUBDIRS = setfiles semanage semanage/default_encoding load_policy newrole run_init sandbox secon audit2allow audit2why scripts sestatus semodule_package semodule semodule_link semodule_expand semodule_deps sepolgen-ifgen setsebool po gui
++ 
++ INOTIFYH = $(shell ls /usr/include/sys/inotify.h 2>/dev/null)
++ 
++diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/newrole/Makefile policycoreutils-2.0.83/newrole/Makefile
++--- nsapolicycoreutils/newrole/Makefile	2010-06-16 08:04:12.000000000 -0400
+++++ policycoreutils-2.0.83/newrole/Makefile	2011-01-21 09:11:18.000000000 -0500
++@@ -50,7 +50,7 @@
++ endif
++ ifeq (${IS_SUID},y)
++ 	MODE := 4555
++-	LDLIBS += -lcap
+++	LDLIBS += -lcap-ng
++ else
++ 	MODE := 0555
++ endif
++diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/newrole/newrole.c policycoreutils-2.0.83/newrole/newrole.c
++--- nsapolicycoreutils/newrole/newrole.c	2010-06-16 08:04:12.000000000 -0400
+++++ policycoreutils-2.0.83/newrole/newrole.c	2011-01-21 09:11:18.000000000 -0500
++@@ -77,7 +77,7 @@
++ #endif
++ #if defined(AUDIT_LOG_PRIV) || (NAMESPACE_PRIV)
++ #include <sys/prctl.h>
++-#include <sys/capability.h>
+++#include <cap-ng.h>
++ #endif
++ #ifdef USE_NLS
++ #include <locale.h>		/* for setlocale() */
++@@ -90,6 +90,9 @@
++ #define PACKAGE "policycoreutils"	/* the name of this package lang translation */
++ #endif
++ 
+++# define TRUE 1
+++# define FALSE 0
+++
++ /* USAGE_STRING describes the command-line args of this program. */
++ #define USAGE_STRING "USAGE: newrole [ -r role ] [ -t type ] [ -l level ] [ -p ] [ -V ] [ -- args ]"
++ 
++@@ -538,69 +541,23 @@
++  * Returns zero on success, non-zero otherwise
++  */
++ #if defined(AUDIT_LOG_PRIV) && !defined(NAMESPACE_PRIV)
++-static int drop_capabilities(void)
+++static int drop_capabilities(int full)
++ {
++-	int rc = 0;
++-	cap_t new_caps, tmp_caps;
++-	cap_value_t cap_list[] = { CAP_AUDIT_WRITE };
++-	cap_value_t tmp_cap_list[] = { CAP_AUDIT_WRITE, CAP_SETUID };
++-	uid_t uid = getuid();
++-
++-	if (!uid)
++-		return 0;
++-
++-	/* Non-root caller, suid root path */
++-	new_caps = cap_init();
++-	tmp_caps = cap_init();
++-	if (!new_caps || !tmp_caps) {
++-		fprintf(stderr, _("Error initializing capabilities, aborting.\n"));
+++	capng_clear(CAPNG_SELECT_BOTH);
+++	if (capng_lock() < 0) 
 + 		return -1;
 +-	}
- -	rc |= cap_set_flag(new_caps, CAP_PERMITTED, 6, cap_list, CAP_SET);
- -	rc |= cap_set_flag(new_caps, CAP_EFFECTIVE, 6, cap_list, CAP_SET);
++-	rc |= cap_set_flag(new_caps, CAP_PERMITTED, 1, cap_list, CAP_SET);
++-	rc |= cap_set_flag(new_caps, CAP_EFFECTIVE, 1, cap_list, CAP_SET);
++-	rc |= cap_set_flag(tmp_caps, CAP_PERMITTED, 2, tmp_cap_list, CAP_SET);
++-	rc |= cap_set_flag(tmp_caps, CAP_EFFECTIVE, 2, tmp_cap_list, CAP_SET);
 +-	if (rc) {
 +-		fprintf(stderr, _("Error setting capabilities, aborting\n"));
 +-		goto out;
 +-	}
 +-
- -	/* Ensure that caps are dropped after setuid call */
- -	if ((rc = prctl(PR_SET_KEEPCAPS, 0, 0, 0, 0) < 0)) {
- -		fprintf(stderr, _("Error resetting KEEPCAPS, aborting\n"));
++-	/* Keep capabilities across uid change */
++-	if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0)) {
++-		fprintf(stderr, _("Error setting KEEPCAPS, aborting\n"));
++-		rc = -1;
 +-		goto out;
 +-	}
 + 
++-	/* Does this temporary change really buy us much? */
 +-	/* We should still have root's caps, so drop most capabilities now */
- -	if ((rc = cap_set_proc(new_caps))) {
++-	if ((rc = cap_set_proc(tmp_caps))) {
 +-		fprintf(stderr, _("Error dropping capabilities, aborting\n"));
 +-		goto out;
++-	}
 ++	uid_t uid = getuid();
- +	/* Change uid */
+++	if (!uid) return 0;
++ 
++ 	/* Change uid */
++-	if ((rc = setresuid(uid, uid, uid))) {
 ++	if (setresuid(uid, uid, uid)) {
- +		fprintf(stderr, _("Error changing uid, aborting.\n"));
- +		return -1;
-  	}
- -      out:
- -	if (cap_free(new_caps))
- -		fprintf(stderr, _("Error freeing caps\n"));
++ 		fprintf(stderr, _("Error changing uid, aborting.\n"));
++-		goto out;
++-	}
++-
++-	/* Now get rid of this ability */
++-	if ((rc = prctl(PR_SET_KEEPCAPS, 0, 0, 0, 0) < 0)) {
++-		fprintf(stderr, _("Error resetting KEEPCAPS, aborting\n"));
++-		goto out;
++-	}
++-
++-	/* Finish dropping capabilities. */
++-	if ((rc = cap_set_proc(new_caps))) {
++-		fprintf(stderr,
++-			_("Error dropping SETUID capability, aborting\n"));
++-		goto out;
+++		return -1;
++ 	}
++-      out:
++-	if (cap_free(tmp_caps) || cap_free(new_caps))
++-		fprintf(stderr, _("Error freeing caps\n"));
++-	return rc;
+++	if (! full) 
+++		capng_update(CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED, CAP_AUDIT_WRITE);
+++	return capng_apply(CAPNG_SELECT_BOTH);
++ }
++ #elif defined(NAMESPACE_PRIV)
++ /**
++@@ -616,50 +573,25 @@
++  *
++  * Returns zero on success, non-zero otherwise
++  */
++-static int drop_capabilities(void)
+++static int drop_capabilities(int full)
++ {
++-	int rc = 0;
++-	cap_t new_caps;
++-	cap_value_t cap_list[] = { CAP_AUDIT_WRITE, CAP_SETUID,
++-		CAP_SYS_ADMIN, CAP_FOWNER, CAP_CHOWN,
++-		CAP_DAC_OVERRIDE
++-	};
++-
++-	if (!getuid())
++-		return 0;
++-
++-	/* Non-root caller, suid root path */
++-	new_caps = cap_init();
++-	if (!new_caps) {
++-		fprintf(stderr, _("Error initializing capabilities, aborting.\n"));
+++	capng_clear(CAPNG_SELECT_BOTH);
+++	if (capng_lock() < 0) 
++=======
+ diff --git a/policycoreutils/newrole/newrole.c b/policycoreutils/newrole/newrole.c
+ index 2d31d64..e985289 100644
+ --- a/policycoreutils/newrole/newrole.c
+ +++ b/policycoreutils/newrole/newrole.c
+ @@ -586,7 +586,7 @@ static int drop_capabilities(int full)
++>>>>>>> 9f6e28ab9319bcc4c92883293f0c91b9bbd697a8
+  		return -1;
++<<<<<<< HEAD
++-	}
++-	rc |= cap_set_flag(new_caps, CAP_PERMITTED, 6, cap_list, CAP_SET);
++-	rc |= cap_set_flag(new_caps, CAP_EFFECTIVE, 6, cap_list, CAP_SET);
++-	if (rc) {
++-		fprintf(stderr, _("Error setting capabilities, aborting\n"));
++-		goto out;
++-	}
++-
++-	/* Ensure that caps are dropped after setuid call */
++-	if ((rc = prctl(PR_SET_KEEPCAPS, 0, 0, 0, 0) < 0)) {
++-		fprintf(stderr, _("Error resetting KEEPCAPS, aborting\n"));
++-		goto out;
++-	}
++ 
++-	/* We should still have root's caps, so drop most capabilities now */
++-	if ((rc = cap_set_proc(new_caps))) {
++-		fprintf(stderr, _("Error dropping capabilities, aborting\n"));
++-		goto out;
+++	uid_t uid = getuid();
+++	/* Change uid */
+++	if (setresuid(uid, uid, uid)) {
+++		fprintf(stderr, _("Error changing uid, aborting.\n"));
+++		return -1;
++||||||| merged common ancestors
++-	}
++-	rc |= cap_set_flag(new_caps, CAP_PERMITTED, 6, cap_list, CAP_SET);
++-	rc |= cap_set_flag(new_caps, CAP_EFFECTIVE, 6, cap_list, CAP_SET);
++-	if (rc) {
++-		fprintf(stderr, _("Error setting capabilities, aborting\n"));
++-		goto out;
++-	}
++ 
++-	/* Ensure that caps are dropped after setuid call */
++-	if ((rc = prctl(PR_SET_KEEPCAPS, 0, 0, 0, 0) < 0)) {
++-		fprintf(stderr, _("Error resetting KEEPCAPS, aborting\n"));
++-		goto out;
++-	}
++-
++-	/* We should still have root's caps, so drop most capabilities now */
++-	if ((rc = cap_set_proc(new_caps))) {
++-		fprintf(stderr, _("Error dropping capabilities, aborting\n"));
++-		goto out;
+++	uid_t uid = getuid();
+++	/* Change uid */
+++	if (setresuid(uid, uid, uid)) {
+++		fprintf(stderr, _("Error changing uid, aborting.\n"));
+++		return -1;
++=======
++>>>>>>> 9f6e28ab9319bcc4c92883293f0c91b9bbd697a8
+  	}
++<<<<<<< HEAD
++-      out:
++-	if (cap_free(new_caps))
++-		fprintf(stderr, _("Error freeing caps\n"));
 +-	return rc;
 ++	if (! full) 
 ++		capng_update(CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED, CAP_SYS_ADMIN | CAP_FOWNER | CAP_CHOWN | CAP_DAC_OVERRIDE | CAP_SETPCAP );
 ++	return capng_apply(CAPNG_SELECT_BOTH);
++||||||| merged common ancestors
++-      out:
++-	if (cap_free(new_caps))
++-		fprintf(stderr, _("Error freeing caps\n"));
++-	return rc;
+++	if (! full) 
+++		capng_update(CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED, CAP_SYS_ADMIN | CAP_FOWNER | CAP_CHOWN | CAP_DAC_OVERRIDE);
+++	return capng_apply(CAPNG_SELECT_BOTH);
++=======
+  	if (! full) 
+ -		capng_update(CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED, CAP_SYS_ADMIN | CAP_FOWNER | CAP_CHOWN | CAP_DAC_OVERRIDE);
+ +		capng_update(CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED, CAP_SYS_ADMIN | CAP_FOWNER | CAP_CHOWN | CAP_DAC_OVERRIDE | CAP_SETPCAP );
+  	return capng_apply(CAPNG_SELECT_BOTH);
++>>>>>>> 9f6e28ab9319bcc4c92883293f0c91b9bbd697a8
   }
   
++<<<<<<< HEAD
 + #else
 +-static inline int drop_capabilities(void)
 ++static inline int drop_capabilities(__attribute__ ((__unused__)) int full)
 + {
 + 	return 0;
 + }
 +@@ -1098,8 +1030,13 @@
++||||||| merged common ancestors
++ #else
++-static inline int drop_capabilities(void)
+++static inline int drop_capabilities(__attribute__ ((__unused__)) int full)
++ {
++ 	return 0;
++ }
++@@ -1098,7 +1030,7 @@
++=======
+ @@ -1030,8 +1030,13 @@ int main(int argc, char *argv[])
++>>>>>>> 9f6e28ab9319bcc4c92883293f0c91b9bbd697a8
   	 * if it makes sense to continue to run newrole, and setting up
   	 * a scrubbed environment.
   	 */
++<<<<<<< HEAD
++-	if (drop_capabilities())
+++
+++/*	if (drop_capabilities(FALSE)) {
+++		fprintf(stderr, _("Sorry, newrole failed to drop capabilities\n"));
+++		perror("");
++||||||| merged common ancestors
 +-	if (drop_capabilities())
+++	if (drop_capabilities(FALSE))
++=======
+ -	if (drop_capabilities(FALSE))
  +
  +/*	if (drop_capabilities(FALSE)) {
  +		fprintf(stderr, _("Sorry, newrole failed to drop capabilities\n"));
  +		perror("");
++>>>>>>> 9f6e28ab9319bcc4c92883293f0c91b9bbd697a8
   		return -1;
  +	}
  +*/
   	if (set_signal_handles())
   		return -1;
++<<<<<<< HEAD
 + 
 +@@ -1334,11 +1271,17 @@
++||||||| merged common ancestors
++@@ -1334,11 +1266,15 @@
++=======
++>>>>>>> 9f6e28ab9319bcc4c92883293f0c91b9bbd697a8
 + 
++<<<<<<< HEAD
 + 	if (send_audit_message(1, old_context, new_context, ttyn))
 + 		goto err_close_pam_session;
 ++	freecon(old_context); old_context=NULL;
 ++	freecon(new_context); new_context=NULL;
 ++
 + #ifdef NAMESPACE_PRIV
 + 	if (transition_to_caller_uid())
 + 		goto err_close_pam_session;
 + #endif
   
 ++	if (drop_capabilities(TRUE))
 ++		goto err_close_pam_session;
 ++
 + 	/* Handle environment changes */
 + 	if (restore_environment(preserve_environment, old_environ, &pw)) {
 + 		fprintf(stderr, _("Unable to restore the environment, "
 +diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/Makefile policycoreutils-2.0.83/restorecond/Makefile
 +--- nsapolicycoreutils/restorecond/Makefile	2010-06-16 08:04:13.000000000 -0400
 ++++ policycoreutils-2.0.83/restorecond/Makefile	2011-01-21 09:11:18.000000000 -0500
++||||||| merged common ancestors
++ 	if (send_audit_message(1, old_context, new_context, ttyn))
++ 		goto err_close_pam_session;
+++	freecon(old_context); old_context=NULL;
+++	freecon(new_context); new_context=NULL;
+++
++ #ifdef NAMESPACE_PRIV
++ 	if (transition_to_caller_uid())
++ 		goto err_close_pam_session;
++ #endif
++ 
+++	drop_capabilities(TRUE);
++ 	/* Handle environment changes */
++ 	if (restore_environment(preserve_environment, old_environ, &pw)) {
++ 		fprintf(stderr, _("Unable to restore the environment, "
++diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/Makefile policycoreutils-2.0.83/restorecond/Makefile
++--- nsapolicycoreutils/restorecond/Makefile	2010-06-16 08:04:13.000000000 -0400
+++++ policycoreutils-2.0.83/restorecond/Makefile	2011-01-21 09:11:18.000000000 -0500
++=======
+ diff --git a/policycoreutils/restorecond/Makefile b/policycoreutils/restorecond/Makefile
+ index 3f235e6..7552668 100644
+ --- a/policycoreutils/restorecond/Makefile
+ +++ b/policycoreutils/restorecond/Makefile
++>>>>>>> 9f6e28ab9319bcc4c92883293f0c91b9bbd697a8
  @@ -1,17 +1,28 @@
   # Installation directories.
   PREFIX ?= ${DESTDIR}/usr
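Review bot: The merged policycoreutils-rhat.patch still carries unresolved conflict markers (`<<<<<<< HEAD`, `||||||| merged common ancestors`, `=======`, `>>>>>>>`), from the load_policy.c section through the newrole.c and restorecond/Makefile sections, so the file now holds up to three copies of the same nested hunks and is unlikely to apply as a patch. It should be resolved to a single side before it is built; the open_init_pty.8 hunk that follows has the same leftover `<<<<<<< HEAD` line. Whichever side is kept, the NAMESPACE_PRIV `drop_capabilities` hands `CAP_SYS_ADMIN | CAP_FOWNER | CAP_CHOWN | CAP_DAC_OVERRIDE | CAP_SETPCAP` to `capng_update`, which takes one capability number rather than a mask, so the OR'd value is read as a single capability and not the five intended; `capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED, CAP_SYS_ADMIN, CAP_FOWNER, CAP_CHOWN, CAP_DAC_OVERRIDE, CAP_SETPCAP, -1)` with its return value checked would keep the intended set. The early `drop_capabilities(FALSE)` call in newrole's main is also left inside a `/* ... */` block, which appears to leave the setuid binary holding its full capability set until the later `drop_capabilities(TRUE)`; that needs either re-enabling or a comment stating why the early drop is disabled. Only part of main is visible in the nested hunks, so the code between the two calls could not be checked here.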
@@@ -1903,9 -1555,10 +2311,10 @@@ index 0000000..c0caab
  +	if (master_wd == -1)
  +		exitApp("Error watching config file.");
  +}
 -diff --git a/policycoreutils/run_init/open_init_pty.8 b/policycoreutils/run_init/open_init_pty.8
 -index 540860a..10175dd 100644
 ---- a/policycoreutils/run_init/open_init_pty.8
 -+++ b/policycoreutils/run_init/open_init_pty.8
++<<<<<<< HEAD
 +diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/run_init/open_init_pty.8 policycoreutils-2.0.83/run_init/open_init_pty.8
 +--- nsapolicycoreutils/run_init/open_init_pty.8	2010-06-16 08:04:12.000000000 -0400
 ++++ policycoreutils-2.0.83/run_init/open_init_pty.8	2011-02-04 14:54:44.000000000 -0500
  @@ -24,18 +24,18 @@
   .\"
   .TH OPEN_INIT_PTY "8" "January 2005" "Security Enhanced Linux" NSA
@@@ -1929,208 -1582,113 +2338,345 @@@
   connects the physical terminal it was invoked upon with the pseudo
   terminal, passing keyboard input into to the child process, and passing the
   output of the child process to the physical terminal.
 -diff --git a/policycoreutils/sandbox/Makefile b/policycoreutils/sandbox/Makefile
 -index ff0ee7c..0c8a085 100644
 ---- a/policycoreutils/sandbox/Makefile
 -+++ b/policycoreutils/sandbox/Makefile
 -@@ -7,10 +7,10 @@ SBINDIR ?= $(PREFIX)/sbin
 - MANDIR ?= $(PREFIX)/share/man
 - LOCALEDIR ?= /usr/share/locale
 - SHAREDIR ?= $(PREFIX)/share/sandbox
 --override CFLAGS += $(LDFLAGS) -I$(PREFIX)/include -DPACKAGE="\"policycoreutils\""
 --LDLIBS += -lselinux -lcap-ng 
 -+override CFLAGS += $(LDFLAGS) -I$(PREFIX)/include -DPACKAGE="\"policycoreutils\"" -Wall -Werror -Wextra
 -+LDLIBS += -lcgroup -lselinux -lcap-ng 
 - 
 --all: sandbox seunshare sandboxX.sh 
 -+all: sandbox seunshare sandboxX.sh start
 - 
 - seunshare: seunshare.o $(EXTRA_OBJS)
 - 	$(CC) $(LDFLAGS) -o $@ $^ $(LDLIBS)
 -@@ -20,14 +20,18 @@ install: all
 - 	install -m 755 sandbox $(BINDIR)
 - 	-mkdir -p $(MANDIR)/man8
 - 	install -m 644 sandbox.8 $(MANDIR)/man8/
 -+	install -m 644 seunshare.8 $(MANDIR)/man8/
 -+	-mkdir -p $(MANDIR)/man5
 -+	install -m 644 sandbox.conf.5 $(MANDIR)/man5/
 - 	-mkdir -p $(SBINDIR)
 - 	install -m 4755 seunshare $(SBINDIR)/
 - 	-mkdir -p $(SHAREDIR)
 - 	install -m 755 sandboxX.sh $(SHAREDIR)
 -+	install -m 755 start $(SHAREDIR)
 +diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/deliverables/basicwrapper policycoreutils-2.0.83/sandbox/deliverables/basicwrapper
 +--- nsapolicycoreutils/sandbox/deliverables/basicwrapper	1969-12-31 19:00:00.000000000 -0500
 ++++ policycoreutils-2.0.83/sandbox/deliverables/basicwrapper	2011-01-21 09:11:18.000000000 -0500
 +@@ -0,0 +1,4 @@
 ++import os, sys
 ++SANDBOX_ARGS = ['-f%s' % os.environ['_CONDOR_SCRATCH_DIR']]
 ++SANDBOX_ARGS.extend(sys.argv[1::])
 ++os.execv('/usr/bin/sandbox',SANDBOX_ARGS)
 +diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/deliverables/README policycoreutils-2.0.83/sandbox/deliverables/README
 +--- nsapolicycoreutils/sandbox/deliverables/README	1969-12-31 19:00:00.000000000 -0500
 ++++ policycoreutils-2.0.83/sandbox/deliverables/README	2011-01-21 09:11:18.000000000 -0500
 +@@ -0,0 +1,32 @@
 ++Files:
 ++run-in-sandbox.py:
 ++   adds the run in sandbox extension to nautilus
 ++   copy to .nautilus/python-extensions
 ++   yum install nautilus-python
 ++
 ++sandbox:
 ++   adds support for file checking, This was working I don't know why it didn't at that presentation
 ++   adds support for file relabeling, This is/was also working.
 ++
 ++basicwrapper:
 ++   This is pretty much the most basic condor wrapper you can create, it requires the -f option in sandbox. Also I can't make this work, maybe the grid team will have more luck.
 ++
 ++Other:
 ++Xguest Live cd:
 ++   There's a tutorial on live cds here: http://www.ibm.com/developerworks/library/l-fedora-livecd/index.html?ca=dgr-lnxw16FedoraLiveCD
 ++   It looks like David Zeuthen is head guy in the live cd department, he might be worth talking to.
 ++
 ++System-config-selinux:
 ++   wiki: fedorahosted.org/system-config-selinux
 ++   realeases: fedorahosted.org/releases/s/y/system-config-selinux/ includes a spec,srpm, and tarball of current version
 ++   The project is technically owned by Roman Rakus (rrakus at redhat.com) I've sent him an email asking him to make you a git contributor.
 ++   I'll continue making updates to this and make sure it gets into the repos.
 ++
 ++Assuming I don't get to keep my RedHat email you can contact me:
 ++email: chris.pardy at gmail.com
 ++phone: 1-207-838-7119
 ++
 ++I'll probably continue to be on the #fedora-selinux and #selinux irc channels
 ++
 ++Thanks for a great summer.
 ++Chris Pardy
 +diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/deliverables/run-in-sandbox.py policycoreutils-2.0.83/sandbox/deliverables/run-in-sandbox.py
 +--- nsapolicycoreutils/sandbox/deliverables/run-in-sandbox.py	1969-12-31 19:00:00.000000000 -0500
 ++++ policycoreutils-2.0.83/sandbox/deliverables/run-in-sandbox.py	2011-01-21 09:11:18.000000000 -0500
 +@@ -0,0 +1,49 @@
 ++import os
 ++import os.path
 ++import urllib
 ++
 ++import nautilus
 ++import gtk
 ++import gconf
 ++
 ++class RunInSandboxExtension(nautilus.MenuProvider):
 ++    def __init__(self):
 ++        self.client = gconf.client_get_default()
 ++
 ++    def sandbox_init(self,file,path):
 ++        if os.path.basename(path).endswith('.desktop'):
 ++            import re
 ++            f = open(path,'r')
 ++            for i in f.readlines():
 ++                m = re.match(r'Exec=(?P<name>\S+)',i)
 ++                if m:
 ++                    path = m.group('name')
 ++                    f.close()
 ++                    break
 ++        os.system('/usr/bin/sandbox -X %s &' % path)
 ++
 ++    def get_file_items(self, window, files):
 ++        if len(files) != 1:
 ++            return
 ++        
 ++        file = files[0]
 ++        
 ++        if file.is_directory():
 ++            return
 ++        
 ++        if file.get_uri_scheme() != 'file':
 ++            return
 ++
 ++        path = file.get_uri().replace('file://','',1)
 ++        if not os.access(path,os.X_OK):
 ++            return
 ++        
 ++        path = os.path.realpath(path)
 ++
 ++        item = nautilus.MenuItem('NautilusPython::openterminal_file_items','Run In Sandbox','Run %s in Sandbox' % file.get_name())
 ++        item.connect('activate',self.sandbox_init,path)
 ++        return item,
 ++
 ++    def get_background_items(self, window, file):
 ++        return
 ++
 +diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/Makefile policycoreutils-2.0.83/sandbox/Makefile
 +--- nsapolicycoreutils/sandbox/Makefile	2010-06-16 08:04:12.000000000 -0400
 ++++ policycoreutils-2.0.83/sandbox/Makefile	2011-02-02 13:37:18.000000000 -0500
 +@@ -7,10 +7,10 @@
-  MANDIR ?= $(PREFIX)/share/man
-  LOCALEDIR ?= /usr/share/locale
-  SHAREDIR ?= $(PREFIX)/share/sandbox
- -override CFLAGS += $(LDFLAGS) -I$(PREFIX)/include -DPACKAGE="\"policycoreutils\""
- -LDLIBS += -lselinux -lcap-ng 
- +override CFLAGS += $(LDFLAGS) -I$(PREFIX)/include -DPACKAGE="\"policycoreutils\"" -Wall -Werror -Wextra
- +LDLIBS += -lcgroup -lselinux -lcap-ng 
-  
- -all: sandbox seunshare sandboxX.sh 
- +all: sandbox seunshare sandboxX.sh start
-  
-  seunshare: seunshare.o $(EXTRA_OBJS)
-  	$(CC) $(LDFLAGS) -o $@ $^ $(LDLIBS)
- @@ -20,14 +20,18 @@
-  	install -m 755 sandbox $(BINDIR)
-  	-mkdir -p $(MANDIR)/man8
-  	install -m 644 sandbox.8 $(MANDIR)/man8/
- +	install -m 644 seunshare.8 $(MANDIR)/man8/
- +	-mkdir -p $(MANDIR)/man5
- +	install -m 644 sandbox.conf.5 $(MANDIR)/man5/
-  	-mkdir -p $(SBINDIR)
-  	install -m 4755 seunshare $(SBINDIR)/
-  	-mkdir -p $(SHAREDIR)
-  	install -m 755 sandboxX.sh $(SHAREDIR)
- +	install -m 755 start $(SHAREDIR)
-  	-mkdir -p $(INITDIR)
-  	install -m 755 sandbox.init $(INITDIR)/sandbox
-  	-mkdir -p $(SYSCONFDIR)
- -	install -m 644 sandbox.config $(SYSCONFDIR)/sandbox
- +	install -m 644 sandbox.conf $(SYSCONFDIR)/sandbox
-  
-  test:
-  	@python test_sandbox.py -v
- diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/sandbox policycoreutils-2.0.83/sandbox/sandbox
- --- nsapolicycoreutils/sandbox/sandbox	2010-06-16 08:04:12.000000000 -0400
- +++ policycoreutils-2.0.83/sandbox/sandbox	2011-02-02 13:37:08.000000000 -0500
- @@ -1,5 +1,6 @@
- -#! /usr/bin/python -E
- +#! /usr/bin/python -Es
-  # Authors: Dan Walsh <dwalsh at redhat.com>
- +# Authors: Thomas Liu <tliu at fedoraproject.org>
-  # Authors: Josh Cogliati
-  #
-  # Copyright (C) 2009,2010  Red Hat
- @@ -19,15 +20,18 @@
-  # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
-  #
-  
- -import os, sys, socket, random, fcntl, shutil, re, subprocess
- +import os, stat, sys, socket, random, fcntl, shutil, re, subprocess
-  import selinux
-  import signal
-  from tempfile import mkdtemp
-  import pwd
- +import commands 
- +import setools
-  
-  PROGNAME = "policycoreutils"
-  HOMEDIR=pwd.getpwuid(os.getuid()).pw_dir
- -
- +SEUNSHARE = "/usr/sbin/seunshare"
- +SANDBOXSH = "/usr/share/sandbox/sandboxX.sh"
-  import gettext
-  gettext.bindtextdomain(PROGNAME, "/usr/share/locale")
-  gettext.textdomain(PROGNAME)
- @@ -41,6 +45,7 @@
-         import __builtin__
-         __builtin__.__dict__['_'] = unicode
-  
- +DEFAULT_WINDOWSIZE = "1000x700"
-  DEFAULT_TYPE = "sandbox_t"
-  DEFAULT_X_TYPE = "sandbox_x_t"
-  SAVE_FILES = {}
- @@ -63,15 +68,15 @@
-      sys.stderr.flush()
-      sys.exit(1)
-  
- -def copyfile(file, dir, dest):
- +def copyfile(file, srcdir, dest):
-         import re
- -       if file.startswith(dir):
- +       if file.startswith(srcdir):
-                dname = os.path.dirname(file)
-                bname = os.path.basename(file)
- -              if dname == dir:
- +              if dname == srcdir:
-                       dest = dest + "/" + bname
-                else:
- -                     newdir = re.sub(dir, dest, dname)
- +                     newdir = re.sub(srcdir, dest, dname)
-                       if not os.path.exists(newdir):
-                              os.makedirs(newdir)
-                       dest = newdir + "/" + bname
- @@ -81,9 +86,10 @@
-                              shutil.copytree(file, dest)
-                       else:
-                              shutil.copy2(file, dest)
- +
-                except shutil.Error, elist:
- -                     for e in elist:
- -                            sys.stderr.write(e[1])
++||||||| merged common ancestors
++diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/deliverables/basicwrapper policycoreutils-2.0.83/sandbox/deliverables/basicwrapper
++--- nsapolicycoreutils/sandbox/deliverables/basicwrapper	1969-12-31 19:00:00.000000000 -0500
+++++ policycoreutils-2.0.83/sandbox/deliverables/basicwrapper	2011-01-21 09:11:18.000000000 -0500
++@@ -0,0 +1,4 @@
+++import os, sys
+++SANDBOX_ARGS = ['-f%s' % os.environ['_CONDOR_SCRATCH_DIR']]
+++SANDBOX_ARGS.extend(sys.argv[1::])
+++os.execv('/usr/bin/sandbox',SANDBOX_ARGS)
++diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/deliverables/README policycoreutils-2.0.83/sandbox/deliverables/README
++--- nsapolicycoreutils/sandbox/deliverables/README	1969-12-31 19:00:00.000000000 -0500
+++++ policycoreutils-2.0.83/sandbox/deliverables/README	2011-01-21 09:11:18.000000000 -0500
++@@ -0,0 +1,32 @@
+++Files:
+++run-in-sandbox.py:
+++   adds the run in sandbox extension to nautilus
+++   copy to .nautilus/python-extensions
+++   yum install nautilus-python
+++
+++sandbox:
+++   adds support for file checking, This was working I don't know why it didn't at that presentation
+++   adds support for file relabeling, This is/was also working.
+++
+++basicwrapper:
+++   This is pretty much the most basic condor wrapper you can create, it requires the -f option in sandbox. Also I can't make this work, maybe the grid team will have more luck.
+++
+++Other:
+++Xguest Live cd:
+++   There's a tutorial on live cds here: http://www.ibm.com/developerworks/library/l-fedora-livecd/index.html?ca=dgr-lnxw16FedoraLiveCD
+++   It looks like David Zeuthen is head guy in the live cd department, he might be worth talking to.
+++
+++System-config-selinux:
+++   wiki: fedorahosted.org/system-config-selinux
+++   realeases: fedorahosted.org/releases/s/y/system-config-selinux/ includes a spec,srpm, and tarball of current version
+++   The project is technically owned by Roman Rakus (rrakus at redhat.com) I've sent him an email asking him to make you a git contributor.
+++   I'll continue making updates to this and make sure it gets into the repos.
+++
+++Assuming I don't get to keep my RedHat email you can contact me:
+++email: chris.pardy at gmail.com
+++phone: 1-207-838-7119
+++
+++I'll probably continue to be on the #fedora-selinux and #selinux irc channels
+++
+++Thanks for a great summer.
+++Chris Pardy
++diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/deliverables/run-in-sandbox.py policycoreutils-2.0.83/sandbox/deliverables/run-in-sandbox.py
++--- nsapolicycoreutils/sandbox/deliverables/run-in-sandbox.py	1969-12-31 19:00:00.000000000 -0500
+++++ policycoreutils-2.0.83/sandbox/deliverables/run-in-sandbox.py	2011-01-21 09:11:18.000000000 -0500
++@@ -0,0 +1,49 @@
+++import os
+++import os.path
+++import urllib
+++
+++import nautilus
+++import gtk
+++import gconf
+++
+++class RunInSandboxExtension(nautilus.MenuProvider):
+++    def __init__(self):
+++        self.client = gconf.client_get_default()
+++
+++    def sandbox_init(self,file,path):
+++        if os.path.basename(path).endswith('.desktop'):
+++            import re
+++            f = open(path,'r')
+++            for i in f.readlines():
+++                m = re.match(r'Exec=(?P<name>\S+)',i)
+++                if m:
+++                    path = m.group('name')
+++                    f.close()
+++                    break
+++        os.system('/usr/bin/sandbox -X %s &' % path)
+++
+++    def get_file_items(self, window, files):
+++        if len(files) != 1:
+++            return
+++        
+++        file = files[0]
+++        
+++        if file.is_directory():
+++            return
+++        
+++        if file.get_uri_scheme() != 'file':
+++            return
+++
+++        path = file.get_uri().replace('file://','',1)
+++        if not os.access(path,os.X_OK):
+++            return
+++        
+++        path = os.path.realpath(path)
+++
+++        item = nautilus.MenuItem('NautilusPython::openterminal_file_items','Run In Sandbox','Run %s in Sandbox' % file.get_name())
+++        item.connect('activate',self.sandbox_init,path)
+++        return item,
+++
+++    def get_background_items(self, window, file):
+++        return
+++
++diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/Makefile policycoreutils-2.0.83/sandbox/Makefile
++--- nsapolicycoreutils/sandbox/Makefile	2010-06-16 08:04:12.000000000 -0400
+++++ policycoreutils-2.0.83/sandbox/Makefile	2011-02-02 13:37:18.000000000 -0500
++@@ -7,10 +7,10 @@
++=======
++diff --git a/policycoreutils/run_init/open_init_pty.8 b/policycoreutils/run_init/open_init_pty.8
++index 540860a..10175dd 100644
++--- a/policycoreutils/run_init/open_init_pty.8
+++++ b/policycoreutils/run_init/open_init_pty.8
++@@ -24,18 +24,18 @@
++ .\"
++ .TH OPEN_INIT_PTY "8" "January 2005" "Security Enhanced Linux" NSA
++ .SH NAME
++-open_init_pty \- run an program under a psuedo terminal
+++open_init_pty \- run an program under a pseudo terminal
++ .SH SYNOPSIS
++ .B open_init_pty
++ \fISCRIPT\fR [[\fIARGS\fR]...] 
++ .br
++ .SH DESCRIPTION
++ .PP
++-Run a program under a psuedo terminal. This is used by 
+++Run a program under a pseudo terminal. This is used by 
++ .B run_init
++ to run actually run the program after setting up the proper
++-context. This program acquires a new Psuedo terminal, forks a child
++-process that binds to the psueado terminal, and then sits around and
+++context. This program acquires a new Pseudo terminal, forks a child
+++process that binds to the pseudo terminal, and then sits around and
++ connects the physical terminal it was invoked upon with the pseudo
++ terminal, passing keyboard input into to the child process, and passing the
++ output of the child process to the physical terminal.
++diff --git a/policycoreutils/sandbox/Makefile b/policycoreutils/sandbox/Makefile
++index ff0ee7c..0c8a085 100644
++--- a/policycoreutils/sandbox/Makefile
+++++ b/policycoreutils/sandbox/Makefile
++@@ -7,10 +7,10 @@ SBINDIR ?= $(PREFIX)/sbin
++>>>>>>> 9f6e28ab9319bcc4c92883293f0c91b9bbd697a8
++ MANDIR ?= $(PREFIX)/share/man
++ LOCALEDIR ?= /usr/share/locale
++ SHAREDIR ?= $(PREFIX)/share/sandbox
++-override CFLAGS += $(LDFLAGS) -I$(PREFIX)/include -DPACKAGE="\"policycoreutils\""
++-LDLIBS += -lselinux -lcap-ng 
+++override CFLAGS += $(LDFLAGS) -I$(PREFIX)/include -DPACKAGE="\"policycoreutils\"" -Wall -Werror -Wextra
+++LDLIBS += -lcgroup -lselinux -lcap-ng 
++ 
++-all: sandbox seunshare sandboxX.sh 
+++all: sandbox seunshare sandboxX.sh start
++ 
++ seunshare: seunshare.o $(EXTRA_OBJS)
++ 	$(CC) $(LDFLAGS) -o $@ $^ $(LDLIBS)
++@@ -20,14 +20,18 @@ install: all
++ 	install -m 755 sandbox $(BINDIR)
++ 	-mkdir -p $(MANDIR)/man8
++ 	install -m 644 sandbox.8 $(MANDIR)/man8/
+++	install -m 644 seunshare.8 $(MANDIR)/man8/
+++	-mkdir -p $(MANDIR)/man5
+++	install -m 644 sandbox.conf.5 $(MANDIR)/man5/
++ 	-mkdir -p $(SBINDIR)
++ 	install -m 4755 seunshare $(SBINDIR)/
++ 	-mkdir -p $(SHAREDIR)
++ 	install -m 755 sandboxX.sh $(SHAREDIR)
+++	install -m 755 start $(SHAREDIR)
+  	-mkdir -p $(INITDIR)
+  	install -m 755 sandbox.init $(INITDIR)/sandbox
+  	-mkdir -p $(SYSCONFDIR)
+ -	install -m 644 sandbox.config $(SYSCONFDIR)/sandbox
+ +	install -m 644 sandbox.conf $(SYSCONFDIR)/sandbox
+  
+  test:
+  	@python test_sandbox.py -v
+ diff --git a/policycoreutils/sandbox/sandbox b/policycoreutils/sandbox/sandbox
+ index 48a26c2..d1037bd 100644
+ --- a/policycoreutils/sandbox/sandbox
+ +++ b/policycoreutils/sandbox/sandbox
+ @@ -1,5 +1,6 @@
+ -#! /usr/bin/python -E
+ +#! /usr/bin/python -Es
+  # Authors: Dan Walsh <dwalsh at redhat.com>
+ +# Authors: Thomas Liu <tliu at fedoraproject.org>
+  # Authors: Josh Cogliati
+  #
+  # Copyright (C) 2009,2010  Red Hat
+ @@ -19,15 +20,18 @@
+  # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+  #
+  
+ -import os, sys, socket, random, fcntl, shutil, re, subprocess
+ +import os, stat, sys, socket, random, fcntl, shutil, re, subprocess
+  import selinux
+  import signal
+  from tempfile import mkdtemp
+  import pwd
+ +import commands 
+ +import setools
+  
+  PROGNAME = "policycoreutils"
+  HOMEDIR=pwd.getpwuid(os.getuid()).pw_dir
+ -
+ +SEUNSHARE = "/usr/sbin/seunshare"
+ +SANDBOXSH = "/usr/share/sandbox/sandboxX.sh"
+  import gettext
+  gettext.bindtextdomain(PROGNAME, "/usr/share/locale")
+  gettext.textdomain(PROGNAME)
+ @@ -41,6 +45,7 @@ except IOError:
+         import __builtin__
+         __builtin__.__dict__['_'] = unicode
+  
+ +DEFAULT_WINDOWSIZE = "1000x700"
+  DEFAULT_TYPE = "sandbox_t"
+  DEFAULT_X_TYPE = "sandbox_x_t"
+  SAVE_FILES = {}
+ @@ -63,15 +68,15 @@ def error_exit(msg):
+      sys.stderr.flush()
+      sys.exit(1)
+  
+ -def copyfile(file, dir, dest):
+ +def copyfile(file, srcdir, dest):
+         import re
+ -       if file.startswith(dir):
+ +       if file.startswith(srcdir):
+                dname = os.path.dirname(file)
+                bname = os.path.basename(file)
+ -              if dname == dir:
+ +              if dname == srcdir:
+                       dest = dest + "/" + bname
+                else:
+ -                     newdir = re.sub(dir, dest, dname)
+ +                     newdir = re.sub(srcdir, dest, dname)
+                       if not os.path.exists(newdir):
+                              os.makedirs(newdir)
+                       dest = newdir + "/" + bname
+ @@ -81,9 +86,10 @@ def copyfile(file, dir, dest):
+                              shutil.copytree(file, dest)
+                       else:
+                              shutil.copy2(file, dest)
+ +
+                except shutil.Error, elist:
+ -                     for e in elist:
+ -                            sys.stderr.write(e[1])
  +                     for e in elist.message:
  +                            sys.stderr.write(e[2])
                        
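Review bot: In the added `run-in-sandbox.py`, `sandbox_init` runs `os.system('/usr/bin/sandbox -X %s &' % path)`, which puts an unquoted path into a shell command line, so shell metacharacters in it are interpreted by the user's own shell, outside the sandbox. The value comes from the selected file's URI with `file://` stripped, or from the first `Exec=` match in a `.desktop` file, and neither is validated or quoted in the lines shown. Pass an argument vector instead, e.g. `subprocess.Popen(['/usr/bin/sandbox', '-X', path])` with `import subprocess` at the top of the file, which also removes the need for the trailing `&`. The section appears a second time in this hunk, after `||||||| merged common ancestors`, so both copies need the change once the conflict is resolved.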
@@@ -2986,19 -2569,21 +3557,41 @@@ index 4038a99..9efcb22 10075
   # Copyright (C) 2005 Red Hat 
   # see file 'COPYING' for use and warranty information
   #
++<<<<<<< HEAD
 +diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/chcat.8 policycoreutils-2.0.83/scripts/chcat.8
 +--- nsapolicycoreutils/scripts/chcat.8	2010-06-16 08:04:12.000000000 -0400
 ++++ policycoreutils-2.0.83/scripts/chcat.8	2011-02-04 14:52:22.000000000 -0500
 +@@ -51,5 +51,5 @@
 + .SH "FILES"
 + /etc/selinux/{SELINUXTYPE}/setrans.conf 
 + .br
 +-/etc/selinux/{SELINUXTYPE}/seuser
 ++/etc/selinux/{SELINUXTYPE}/seusers
 + 
 +diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/fixfiles policycoreutils-2.0.83/scripts/fixfiles
 +--- nsapolicycoreutils/scripts/fixfiles	2010-06-16 08:04:12.000000000 -0400
 ++++ policycoreutils-2.0.83/scripts/fixfiles	2011-01-21 09:11:18.000000000 -0500
++||||||| merged common ancestors
++diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/fixfiles policycoreutils-2.0.83/scripts/fixfiles
++--- nsapolicycoreutils/scripts/fixfiles	2010-06-16 08:04:12.000000000 -0400
+++++ policycoreutils-2.0.83/scripts/fixfiles	2011-01-21 09:11:18.000000000 -0500
++=======
+ diff --git a/policycoreutils/scripts/chcat.8 b/policycoreutils/scripts/chcat.8
+ index 3f9efba..7c6d75a 100644
+ --- a/policycoreutils/scripts/chcat.8
+ +++ b/policycoreutils/scripts/chcat.8
+ @@ -51,5 +51,5 @@ When operating on files this script wraps the chcon command.
+  .SH "FILES"
+  /etc/selinux/{SELINUXTYPE}/setrans.conf 
+  .br
+ -/etc/selinux/{SELINUXTYPE}/seuser
+ +/etc/selinux/{SELINUXTYPE}/seusers
+  
+ diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles
+ index ae519fc..0890811 100755
+ --- a/policycoreutils/scripts/fixfiles
+ +++ b/policycoreutils/scripts/fixfiles
++>>>>>>> 9f6e28ab9319bcc4c92883293f0c91b9bbd697a8
  @@ -21,6 +21,25 @@
   # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
   
@@@ -4007,614 -3569,44 +4577,1198 @@@ index 70d1a20..fb6a79b 10064
  +# semanage fcontext -a -e /home /disk6/home 
  +# restorecon -R -v /disk6
  +
- +.B Port contexts
- +Allow Apache to listen on tcp port 81
- +# semanage port -a -t http_port_t -p tcp 81
+ +.B Port contexts
+ +Allow Apache to listen on tcp port 81
+ +# semanage port -a -t http_port_t -p tcp 81
+ +
+ +.B Change apache to a permissive domain
+ +# semanage permissive -a httpd_t
+ +
+ +.B Turn off dontaudit rules
+ +# semanage dontaudit off
+ +
+ +.B Managing multiple machines
+ +Multiple machines that need the same customizations.  
+ +Extract customizations off first machine, copy them 
+ +to second and import them.
+ +
+ +# semanage -o /tmp/local.selinux
+ +# scp /tmp/local.selinux secondmachine:/tmp
+ +# ssh secondmachine
+ +# semanage -i /tmp/local.selinux
+ +
+ +If these customizations include file context, you need to apply the 
+ +context using restorecon.
+ +
+  .fi
+  
+  .SH "AUTHOR"
+ -This man page was written by Daniel Walsh <dwalsh at redhat.com> and
+ -Russell Coker <rcoker at redhat.com>.
+ +This man page was written by Daniel Walsh <dwalsh at redhat.com> 
+ +.br
+ +and Russell Coker <rcoker at redhat.com>.
+ +.br
+  Examples by Thomas Bleher <ThomasBleher at gmx.de>.
++<<<<<<< HEAD
++diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/semanage.f15 policycoreutils-2.0.83/semanage/semanage.f15
++--- nsapolicycoreutils/semanage/semanage.f15	1969-12-31 19:00:00.000000000 -0500
+++++ policycoreutils-2.0.83/semanage/semanage.f15	2011-01-21 09:11:18.000000000 -0500
++@@ -0,0 +1,567 @@
+++#! /usr/bin/python -Es
+++# Copyright (C) 2005, 2006, 2007 Red Hat 
+++# see file 'COPYING' for use and warranty information
+++#
+++# semanage is a tool for managing SELinux configuration files
+++#
+++#    This program is free software; you can redistribute it and/or
+++#    modify it under the terms of the GNU General Public License as
+++#    published by the Free Software Foundation; either version 2 of
+++#    the License, or (at your option) any later version.
+++#
+++#    This program is distributed in the hope that it will be useful,
+++#    but WITHOUT ANY WARRANTY; without even the implied warranty of
+++#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+++#    GNU General Public License for more details.
+++#
+++#    You should have received a copy of the GNU General Public License
+++#    along with this program; if not, write to the Free Software
+++#    Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA     
+++#                                        02111-1307  USA
+++#
+++#  
+++import policycoreutils.default_encoding_utf8
+++import sys, getopt, re
+++import seobject
+++import selinux
+++PROGNAME="policycoreutils"
+++
+++import gettext
+++gettext.bindtextdomain(PROGNAME, "/usr/share/locale")
+++gettext.textdomain(PROGNAME)
+++
+++try:
+++       gettext.install(PROGNAME,
+++                       localedir="/usr/share/locale",
+++                       unicode=True,
+++                       codeset = 'utf-8')
+++except IOError:
+++       import __builtin__
+++       __builtin__.__dict__['_'] = unicode
+++
+++if __name__ == '__main__':
+++        action  = False
+++        manageditems=[ "boolean", "login", "user", "port", "interface", "node", "fcontext"]
+++        def set_action(option):
+++               global action
+++               if action:
+++                      raise ValueError(_("%s bad option") % option)
+++               action = True
+++                      
+++	def usage(message = ""):
+++               text = _("""
+++semanage [ -S store ] -i [ input_file | - ]
+++semanage [ -S store ] -o [ output_file | - ]
+++
+++semanage login -{a|d|m|l|D|E} [-nrs] login_name | %groupname
+++semanage user -{a|d|m|l|D|E} [-LnrRP] selinux_name
+++semanage port -{a|d|m|l|D|E} [-nrt] [ -p proto ] port | port_range
+++semanage interface -{a|d|m|l|D|E} [-nrt] interface_spec
+++semanage module -{a|d|m} [--enable|--disable] module
+++semanage node -{a|d|m|l|D|E} [-nrt] [ -p protocol ] [-M netmask] addr
+++semanage fcontext -{a|d|m|l|D|E} [-efnrst] file_spec
+++semanage boolean -{d|m} [--on|--off|-1|-0] -F boolean | boolean_file
+++semanage permissive -{d|a|l} [-n] type 
+++semanage dontaudit [ on | off ]
+++
+++Primary Options:
+++
+++	-a, --add        Add a OBJECT record NAME
+++	-d, --delete     Delete a OBJECT record NAME
+++	-m, --modify     Modify a OBJECT record NAME
+++        -i, --input      Input multiple semange commands in a transaction 
+++        -o, --output     Output current customizations as semange commands 
+++	-l, --list       List the OBJECTS
+++	-E, --extract    extract customizable commands
+++	-C, --locallist  List OBJECTS local customizations
+++	-D, --deleteall  Remove all OBJECTS local customizations
+++
+++	-h, --help       Display this message
+++	-n, --noheading  Do not print heading when listing OBJECTS
+++        -S, --store      Select and alternate SELinux store to manage
+++
+++Object-specific Options (see above):
+++
+++	-f, --ftype      File Type of OBJECT 
+++		"" (all files) 
+++		-- (regular file) 
+++		-d (directory) 
+++		-c (character device) 
+++		-b (block device) 
+++		-s (socket) 
+++		-l (symbolic link) 
+++		-p (named pipe) 
+++
+++        -F, --file       Treat target as an input file for command, change multiple settings
+++	-p, --proto      Port protocol (tcp or udp) or internet protocol version of node (ipv4 or ipv6)
+++	-M, --mask       Netmask
+++        -e, --equal      Substitue source path for dest path when labeling
+++	-P, --prefix     Prefix for home directory labeling
+++	-L, --level      Default SELinux Level (MLS/MCS Systems only)
+++	-R, --roles      SELinux Roles (ex: "sysadm_r staff_r")
+++	-s, --seuser     SELinux User Name
+++	-t, --type       SELinux Type for the object
+++	-r, --range      MLS/MCS Security Range (MLS/MCS Systems only)
+++        --enable         Enable a module
+++        --disable        Disable a module
+++""")
+++               raise ValueError("%s\n%s" % (text, message))
+++		
+++	def errorExit(error):
+++		sys.stderr.write("%s: " % sys.argv[0])
+++		sys.stderr.write("%s\n" % error)
+++		sys.stderr.flush()
+++		sys.exit(1)
+++
+++	def get_options():
+++		valid_option={}
+++		valid_everyone=[ '-a', '--add', '-d', '--delete', '-m', '--modify', '-l', '--list', '-h', '--help', '-n', '--noheading', '-S', '--store' ]
+++		valid_local=[ '-E', '--extract', '-C', '--locallist', '-D', '--deleteall']
+++		valid_option["login"] = []
+++		valid_option["login"] += valid_everyone + valid_local + [ '-s', '--seuser', '-r', '--range']
+++		valid_option["user"] = []
+++		valid_option["user"] += valid_everyone + valid_local + [ '-L', '--level', '-r', '--range', '-R', '--roles', '-P', '--prefix' ] 
+++		valid_option["port"] = []
+++		valid_option["port"] += valid_everyone + valid_local + [ '-t', '--type', '-r', '--range', '-p', '--proto' ]
+++		valid_option["interface"] = []
+++		valid_option["interface"] += valid_everyone + valid_local + [ '-t', '--type', '-r', '--range']
+++		valid_option["node"] = []
+++		valid_option["node"] += valid_everyone + valid_local + [ '-M', '--mask', '-t', '--type', '-r', '--range', '-p', '--protocol']
+++		valid_option["module"] = []
+++		valid_option["module"] += valid_everyone + [ '--enable', '--disable']
+++		valid_option["fcontext"] = []
+++		valid_option["fcontext"] += valid_everyone + valid_local + [ '-e', '--equal', '-f', '--ftype', '-s', '--seuser',  '-t', '--type', '-r', '--range'] 
+++		valid_option["dontaudit"] = [ '-S', '--store' ]
+++		valid_option["boolean"] = []
+++		valid_option["boolean"] += valid_everyone + valid_local + [ '--on', "--off", "-1", "-0", "-F", "--file"] 
+++		valid_option["permissive"] = []
+++		valid_option["permissive"] += [ '-a', '--add', '-d', '--delete', '-l', '--list', '-h', '--help', '-n', '--noheading', '-D', '--deleteall' ]
+++		return valid_option
+++
+++        def mkargv(line):
+++               dquote = "\""
+++               squote = "\'"
+++               l = line.split()
+++               ret = []
+++               i = 0
+++               while i < len(l):
+++                      cnt = len(re.findall(dquote, l[i]))
+++                      if cnt > 1:
+++                             ret.append(l[i].strip(dquote))
+++                             i = i + 1
+++                             continue
+++                      if cnt == 1:
+++                             quote = [ l[i].strip(dquote) ]
+++                             i = i + 1
+++                             
+++                             while i < len(l) and  dquote not in l[i]:
+++                                    quote.append(l[i])
+++                                    i = i + 1
+++                             quote.append(l[i].strip(dquote))
+++                             ret.append(" ".join(quote))
+++                             i = i + 1
+++                             continue
+++
+++                      cnt = len(re.findall(squote, l[i]))
+++                      if cnt > 1:
+++                             ret.append(l[i].strip(squote))
+++                             i = i + 1
+++                             continue
+++                      if cnt == 1:
+++                             quote = [ l[i].strip(squote) ]
+++                             i = i + 1
+++                             while i < len(l) and  squote not in l[i]:
+++                                    quote.append(l[i])
+++                                    i = i + 1
+++
+++                             quote.append(l[i].strip(squote))
+++                             ret.append(" ".join(quote))
+++                             i = i + 1
+++                             continue
+++
+++                      ret.append(l[i])
+++                      i = i + 1
+++
+++               return ret
+++
+++        def process_args(argv):
+++                global action
+++                action = False
+++		serange = ""
+++		port = ""
+++		proto = ""
+++		mask = ""
+++		selevel = ""
+++		setype = ""
+++		ftype = ""
+++		roles = ""
+++		seuser = ""
+++		prefix = "user"
+++		heading = True
+++		value = None
+++		add = False
+++		modify = False
+++		delete = False
+++		deleteall = False
+++		enable = False
+++		extract = False
+++		disable = False
+++		list = False
+++		locallist = False
+++		use_file = False
+++                store = ""
+++                equal=""
+++			
+++                if len(argv) == 0:
+++                       return
+++		object = argv[0]
+++		option_dict=get_options()
+++		if object not in option_dict.keys():
+++			usage(_("Invalid parameter %s not defined") % object)
+++			
+++		args = argv[1:]
+++
+++		gopts, cmds = getopt.getopt(args,
+++					    '01adEe:f:i:lhmnp:s:FCDR:L:r:t:P:S:M:',
+++					    ['add',
+++					     'delete',
+++					     'deleteall',
+++					     'equal=',
+++					     'enable',
+++					     'extract',
+++					     'disable',
+++					     'ftype=',
+++					     'file',
+++					     'help',
+++                                             'input=',
+++					     'list', 
+++					     'modify',
+++					     'noheading',
+++					     'localist',
+++                                             'off', 
+++                                             'on', 
+++					     'proto=',
+++					     'seuser=',
+++					     'store=',
+++					     'range=',
+++					     'locallist=',
+++					     'level=',
+++					     'roles=',
+++					     'type=',
+++					     'prefix=',
+++                                             'mask='
+++					     ])
+++		for o, a in gopts:
+++			if o not in option_dict[object]:
+++				sys.stderr.write(_("%s not valid for %s objects\n") % ( o, object) );
+++
+++                                return
+++				
+++		for o,a in gopts:
+++			if o == "-a" or o == "--add":
+++                                set_action(o)
+++				add = True
+++				
+++			if o == "-d"  or o == "--delete":
+++                                set_action(o)
+++				delete = True
+++
+++			if o == "-D"  or o == "--deleteall":
+++                                set_action(o)
+++				deleteall = True
+++
+++			if o == "-E"  or o == "--extract":
+++                                set_action(o)
+++				extract = True
+++			if o == "-f"  or o == "--ftype":
+++				ftype=a
+++
+++			if o == "-e"  or o == "--equal":
+++				equal = a
+++
+++			if o == "--enable":
+++                                if disable:
+++                                       raise ValueError(_("You can't disable and enable at the same time"))
+++
+++				enable = True
+++
+++			if o == "--disable":
+++                                if enable:
+++                                       raise ValueError(_("You can't disable and enable at the same time"))
+++				disable = True
+++
+++			if o == "-F"  or o == "--file":
+++				use_file = True
+++
+++			if o == "-h" or o == "--help":
+++                               raise usage()
+++
+++			if o == "-n" or o == "--noheading":
+++				heading = False
+++
+++			if o == "-C" or o == "--locallist":
+++				locallist = True
+++
+++			if o == "-m"or o == "--modify":
+++                                set_action(o)
+++				modify = True
+++				
+++			if o == "-S" or o == '--store':
+++				store = a
+++
+++			if o == "-r" or o == '--range':
+++				serange = a
+++
+++			if o == "-l" or o == "--list":
+++				list = True
+++
+++			if o == "-L" or o == '--level':
+++				selevel = a
+++
+++			if o == "-p" or o == '--proto':
+++				proto = a
+++
+++			if o == "-P" or o == '--prefix':
+++				prefix = a
+++
+++			if o == "-R" or o == '--roles':
+++				roles = roles + " " + a
+++
+++			if o == "-s" or o == "--seuser":
+++				seuser = a
+++
+++			if o == "-M" or o == '--mask':
+++				mask = a
+++
+++			if o == "-t" or o == "--type":
+++				setype = a
+++
+++                        if o == "--on" or o == "-1":
+++                               value = "on"
+++                               modify = True
+++                        if o == "--off" or o == "-0":
+++                               value = "off"
+++                               modify = True
+++
+++		if object == "login":
+++			OBJECT = seobject.loginRecords(store)
+++
+++		if object == "user":
+++			OBJECT = seobject.seluserRecords(store)
+++
+++		if object == "port":
+++			OBJECT = seobject.portRecords(store)
+++		
+++		if object == "interface":
+++			OBJECT = seobject.interfaceRecords(store)
+++
+++		if object == "node":
+++			OBJECT = seobject.nodeRecords(store)
+++
+++		if object == "fcontext":
+++			OBJECT = seobject.fcontextRecords(store)
+++		
+++		if object == "boolean":
+++			OBJECT = seobject.booleanRecords(store)
+++                        if use_file:
+++                               modify=True
+++
+++		if object == "module":
+++			OBJECT = seobject.moduleRecords(store)
+++		
+++		if object == "permissive":
+++			OBJECT = seobject.permissiveRecords(store)
+++		
+++		if list:
+++			if object == "boolean":
+++                               OBJECT.list(heading, locallist, use_file)
+++			else:
+++                               OBJECT.list(heading, locallist)
+++                        return
+++			
+++		if deleteall:
+++			OBJECT.deleteall()
+++                        return
+++			
+++		if extract:
+++                        for i in OBJECT.customized():
+++                               print "%s %s" % (object, str(i))
+++                        return
+++			
+++		if len(cmds) != 1:
+++                       raise ValueError(_("bad option"))
+++                        
+++                target = cmds[0]
+++
+++		if object == "dontaudit":
+++                       OBJECT = seobject.dontauditClass(store)
+++                       OBJECT.toggle(target)
+++                       return
+++                              
+++		if add:
+++			if object == "login":
+++				OBJECT.add(target, seuser, serange)
+++                                return
+++
+++			if object == "user":
+++				OBJECT.add(target, roles.split(), selevel, serange, prefix)
+++                                return
+++
+++			if object == "port":
+++				OBJECT.add(target, proto, serange, setype)
+++                                return
+++
+++			if object == "interface":
+++				OBJECT.add(target, serange, setype)
+++                                return
+++
+++			if object == "module":
+++				OBJECT.add(target)
+++                                return
+++
+++			if object == "node":
+++				OBJECT.add(target, mask, proto, serange, setype)
+++                                return
+++
+++			if object == "fcontext":
+++                                if equal == "":
+++                                       OBJECT.add(target, setype, ftype, serange, seuser)
+++                                else:
+++                                       OBJECT.add_equal(target, equal)
+++                                return
+++			if object == "permissive":
+++				OBJECT.add(target)
+++                                return
+++
+++		if modify:
+++			if object == "boolean":
+++                               OBJECT.modify(target, value, use_file)
+++                               return
+++
+++			if object == "login":
+++				OBJECT.modify(target, seuser, serange)
+++                                return
+++
+++			if object == "user":
+++				rlist = roles.split()
+++				OBJECT.modify(target, rlist, selevel, serange, prefix)
+++                                return
+++
+++			if object == "module":
+++                                if enable:
+++                                       OBJECT.enable(target)
+++                                elif disable:
+++                                       OBJECT.disable(target)
+++                                else:
+++                                       OBJECT.modify(target)
+++                                return
+++
+++			if object == "port":
+++				OBJECT.modify(target, proto, serange, setype)
+++                                return
+++
+++			if object == "interface":
+++				OBJECT.modify(target, serange, setype)
+++                                return
+++
+++			if object == "node":
+++				OBJECT.modify(target, mask, proto, serange, setype)
+++                                return
+++
+++			if object == "fcontext":
+++                                if equal == "":
+++                                       OBJECT.modify(target, setype, ftype, serange, seuser)
+++                                else:
+++                                       OBJECT.modify_equal(target, equal)
+++                                return
+++		if delete:
+++			if object == "port":
+++				OBJECT.delete(target, proto)
+++
+++			elif object == "fcontext":
+++				OBJECT.delete(target, ftype)
 ++
- +.B Change apache to a permissive domain
- +# semanage permissive -a httpd_t
+++			elif object == "node":
+++				OBJECT.delete(target, mask, proto)
 ++
- +.B Turn off dontaudit rules
- +# semanage dontaudit off
+++			else:
+++				OBJECT.delete(target)
+++                        return
+++                raise ValueError(_("Invalid command: semanage %s") % " ".join(argv))
 ++
- +.B Managing multiple machines
- +Multiple machines that need the same customizations.  
- +Extract customizations off first machine, copy them 
- +to second and import them.
+++	#
+++	# 
+++	#
+++	try:
+++               output = None
+++               input = None
+++               store = ""
 ++
- +# semanage -o /tmp/local.selinux
- +# scp /tmp/local.selinux secondmachine:/tmp
- +# ssh secondmachine
- +# semanage -i /tmp/local.selinux
+++               if len(sys.argv) < 3:
+++                      usage(_("Requires 2 or more arguments"))
+++                
+++               gopts, cmds = getopt.getopt(sys.argv[1:],
+++                                           '01adf:i:lhmno:p:s:FCDR:L:r:t:T:P:S:',
+++                                           ['add',
+++                                            'delete',
+++                                            'deleteall',
+++                                            'ftype=',
+++                                            'file',
+++                                            'help',
+++                                            'input=',
+++                                            'list', 
+++                                            'modify',
+++                                            'noheading',
+++                                            'localist',
+++                                            'off', 
+++                                            'on', 
+++                                            'output=',
+++                                            'proto=',
+++                                            'seuser=',
+++                                            'store=',
+++                                            'range=',
+++                                            'level=',
+++                                            'roles=',
+++                                            'type=',
+++                                            'trans=',
+++                                            'prefix='
+++                                            ])
+++               for o, a in gopts:
+++                      if o == "-S" or o == '--store':
+++                             store = a
+++                      if o == "-i" or o == '--input':
+++                             input = a
+++                      if o == "-o" or o == '--output':
+++                             output = a
 ++
- +If these customizations include file context, you need to apply the 
- +context using restorecon.
+++               if output != None:
+++                      if output != "-":
+++                             sys.stdout = open(output, 'w')
+++                      for i in manageditems:
+++                             print "%s -D" % i
+++                             process_args([i, "-E"])
+++                      sys.exit(0)
 ++
-  .fi
-  
-  .SH "AUTHOR"
- -This man page was written by Daniel Walsh <dwalsh at redhat.com> and
- -Russell Coker <rcoker at redhat.com>.
- +This man page was written by Daniel Walsh <dwalsh at redhat.com> 
- +.br
- +and Russell Coker <rcoker at redhat.com>.
- +.br
-  Examples by Thomas Bleher <ThomasBleher at gmx.de>.
+++               if input != None:
+++                      if input == "-":
+++                             fd = sys.stdin
+++                      else:
+++                             fd = open(input, 'r')
+++                      trans = seobject.semanageRecords(store)
+++                      trans.start()
+++                      for l in fd.readlines():
+++                             process_args(mkargv(l))
+++                      trans.finish()
+++               else:
+++                      process_args(sys.argv[1:])
+++			
+++	except getopt.error, error:
+++		usage(_("Options Error %s ") % error.msg)
+++	except ValueError, error:
+++		errorExit(error.args[0])
+++	except KeyError, error:
+++		errorExit(_("Invalid value %s") % error.args[0])
+++	except IOError, error:
+++		errorExit(error.args[1])
+++	except OSError, error:
+++		errorExit(error.args[1])
++diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/seobject.py policycoreutils-2.0.83/semanage/seobject.py
++--- nsapolicycoreutils/semanage/seobject.py	2010-06-16 08:04:12.000000000 -0400
+++++ policycoreutils-2.0.83/semanage/seobject.py	2011-02-04 14:54:18.000000000 -0500
++@@ -29,47 +29,12 @@
++||||||| merged common ancestors
 +diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/semanage.f15 policycoreutils-2.0.83/semanage/semanage.f15
 +--- nsapolicycoreutils/semanage/semanage.f15	1969-12-31 19:00:00.000000000 -0500
 ++++ policycoreutils-2.0.83/semanage/semanage.f15	2011-01-21 09:11:18.000000000 -0500
 +@@ -0,0 +1,567 @@
 ++#! /usr/bin/python -Es
 ++# Copyright (C) 2005, 2006, 2007 Red Hat 
 ++# see file 'COPYING' for use and warranty information
 ++#
 ++# semanage is a tool for managing SELinux configuration files
 ++#
 ++#    This program is free software; you can redistribute it and/or
 ++#    modify it under the terms of the GNU General Public License as
 ++#    published by the Free Software Foundation; either version 2 of
 ++#    the License, or (at your option) any later version.
 ++#
 ++#    This program is distributed in the hope that it will be useful,
 ++#    but WITHOUT ANY WARRANTY; without even the implied warranty of
 ++#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 ++#    GNU General Public License for more details.
 ++#
 ++#    You should have received a copy of the GNU General Public License
 ++#    along with this program; if not, write to the Free Software
 ++#    Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA     
 ++#                                        02111-1307  USA
 ++#
 ++#  
 ++import policycoreutils.default_encoding_utf8
 ++import sys, getopt, re
 ++import seobject
 ++import selinux
 ++PROGNAME="policycoreutils"
 ++
 ++import gettext
 ++gettext.bindtextdomain(PROGNAME, "/usr/share/locale")
 ++gettext.textdomain(PROGNAME)
 ++
 ++try:
 ++       gettext.install(PROGNAME,
 ++                       localedir="/usr/share/locale",
 ++                       unicode=True,
 ++                       codeset = 'utf-8')
 ++except IOError:
 ++       import __builtin__
 ++       __builtin__.__dict__['_'] = unicode
 ++
 ++if __name__ == '__main__':
 ++        action  = False
 ++        manageditems=[ "boolean", "login", "user", "port", "interface", "node", "fcontext"]
 ++        def set_action(option):
 ++               global action
 ++               if action:
 ++                      raise ValueError(_("%s bad option") % option)
 ++               action = True
 ++                      
 ++	def usage(message = ""):
 ++               text = _("""
 ++semanage [ -S store ] -i [ input_file | - ]
 ++semanage [ -S store ] -o [ output_file | - ]
 ++
 ++semanage login -{a|d|m|l|D|E} [-nrs] login_name | %groupname
 ++semanage user -{a|d|m|l|D|E} [-LnrRP] selinux_name
 ++semanage port -{a|d|m|l|D|E} [-nrt] [ -p proto ] port | port_range
 ++semanage interface -{a|d|m|l|D|E} [-nrt] interface_spec
 ++semanage module -{a|d|m} [--enable|--disable] module
 ++semanage node -{a|d|m|l|D|E} [-nrt] [ -p protocol ] [-M netmask] addr
 ++semanage fcontext -{a|d|m|l|D|E} [-efnrst] file_spec
 ++semanage boolean -{d|m} [--on|--off|-1|-0] -F boolean | boolean_file
 ++semanage permissive -{d|a|l} [-n] type 
 ++semanage dontaudit [ on | off ]
 ++
 ++Primary Options:
 ++
 ++	-a, --add        Add a OBJECT record NAME
 ++	-d, --delete     Delete a OBJECT record NAME
 ++	-m, --modify     Modify a OBJECT record NAME
 ++        -i, --input      Input multiple semange commands in a transaction 
 ++        -o, --output     Output current customizations as semange commands 
 ++	-l, --list       List the OBJECTS
 ++	-E, --extract    extract customizable commands
 ++	-C, --locallist  List OBJECTS local customizations
 ++	-D, --deleteall  Remove all OBJECTS local customizations
 ++
 ++	-h, --help       Display this message
 ++	-n, --noheading  Do not print heading when listing OBJECTS
 ++        -S, --store      Select and alternate SELinux store to manage
 ++
 ++Object-specific Options (see above):
 ++
 ++	-f, --ftype      File Type of OBJECT 
 ++		"" (all files) 
 ++		-- (regular file) 
 ++		-d (directory) 
 ++		-c (character device) 
 ++		-b (block device) 
 ++		-s (socket) 
 ++		-l (symbolic link) 
 ++		-p (named pipe) 
 ++
 ++        -F, --file       Treat target as an input file for command, change multiple settings
 ++	-p, --proto      Port protocol (tcp or udp) or internet protocol version of node (ipv4 or ipv6)
 ++	-M, --mask       Netmask
 ++        -e, --equal      Substitue source path for dest path when labeling
 ++	-P, --prefix     Prefix for home directory labeling
 ++	-L, --level      Default SELinux Level (MLS/MCS Systems only)
 ++	-R, --roles      SELinux Roles (ex: "sysadm_r staff_r")
 ++	-s, --seuser     SELinux User Name
 ++	-t, --type       SELinux Type for the object
 ++	-r, --range      MLS/MCS Security Range (MLS/MCS Systems only)
 ++        --enable         Enable a module
 ++        --disable        Disable a module
 ++""")
 ++               raise ValueError("%s\n%s" % (text, message))
 ++		
 ++	def errorExit(error):
 ++		sys.stderr.write("%s: " % sys.argv[0])
 ++		sys.stderr.write("%s\n" % error)
 ++		sys.stderr.flush()
 ++		sys.exit(1)
 ++
 ++	def get_options():
 ++		valid_option={}
 ++		valid_everyone=[ '-a', '--add', '-d', '--delete', '-m', '--modify', '-l', '--list', '-h', '--help', '-n', '--noheading', '-S', '--store' ]
 ++		valid_local=[ '-E', '--extract', '-C', '--locallist', '-D', '--deleteall']
 ++		valid_option["login"] = []
 ++		valid_option["login"] += valid_everyone + valid_local + [ '-s', '--seuser', '-r', '--range']
 ++		valid_option["user"] = []
 ++		valid_option["user"] += valid_everyone + valid_local + [ '-L', '--level', '-r', '--range', '-R', '--roles', '-P', '--prefix' ] 
 ++		valid_option["port"] = []
 ++		valid_option["port"] += valid_everyone + valid_local + [ '-t', '--type', '-r', '--range', '-p', '--proto' ]
 ++		valid_option["interface"] = []
 ++		valid_option["interface"] += valid_everyone + valid_local + [ '-t', '--type', '-r', '--range']
 ++		valid_option["node"] = []
 ++		valid_option["node"] += valid_everyone + valid_local + [ '-M', '--mask', '-t', '--type', '-r', '--range', '-p', '--protocol']
 ++		valid_option["module"] = []
 ++		valid_option["module"] += valid_everyone + [ '--enable', '--disable']
 ++		valid_option["fcontext"] = []
 ++		valid_option["fcontext"] += valid_everyone + valid_local + [ '-e', '--equal', '-f', '--ftype', '-s', '--seuser',  '-t', '--type', '-r', '--range'] 
 ++		valid_option["dontaudit"] = [ '-S', '--store' ]
 ++		valid_option["boolean"] = []
 ++		valid_option["boolean"] += valid_everyone + valid_local + [ '--on', "--off", "-1", "-0", "-F", "--file"] 
 ++		valid_option["permissive"] = []
 ++		valid_option["permissive"] += [ '-a', '--add', '-d', '--delete', '-l', '--list', '-h', '--help', '-n', '--noheading', '-D', '--deleteall' ]
 ++		return valid_option
 ++
 ++        def mkargv(line):
 ++               dquote = "\""
 ++               squote = "\'"
 ++               l = line.split()
 ++               ret = []
 ++               i = 0
 ++               while i < len(l):
 ++                      cnt = len(re.findall(dquote, l[i]))
 ++                      if cnt > 1:
 ++                             ret.append(l[i].strip(dquote))
 ++                             i = i + 1
 ++                             continue
 ++                      if cnt == 1:
 ++                             quote = [ l[i].strip(dquote) ]
 ++                             i = i + 1
 ++                             
 ++                             while i < len(l) and  dquote not in l[i]:
 ++                                    quote.append(l[i])
 ++                                    i = i + 1
 ++                             quote.append(l[i].strip(dquote))
 ++                             ret.append(" ".join(quote))
 ++                             i = i + 1
 ++                             continue
 ++
 ++                      cnt = len(re.findall(squote, l[i]))
 ++                      if cnt > 1:
 ++                             ret.append(l[i].strip(squote))
 ++                             i = i + 1
 ++                             continue
 ++                      if cnt == 1:
 ++                             quote = [ l[i].strip(squote) ]
 ++                             i = i + 1
 ++                             while i < len(l) and  squote not in l[i]:
 ++                                    quote.append(l[i])
 ++                                    i = i + 1
 ++
 ++                             quote.append(l[i].strip(squote))
 ++                             ret.append(" ".join(quote))
 ++                             i = i + 1
 ++                             continue
 ++
 ++                      ret.append(l[i])
 ++                      i = i + 1
 ++
 ++               return ret
 ++
 ++        def process_args(argv):
 ++                global action
 ++                action = False
 ++		serange = ""
 ++		port = ""
 ++		proto = ""
 ++		mask = ""
 ++		selevel = ""
 ++		setype = ""
 ++		ftype = ""
 ++		roles = ""
 ++		seuser = ""
 ++		prefix = "user"
 ++		heading = True
 ++		value = None
 ++		add = False
 ++		modify = False
 ++		delete = False
 ++		deleteall = False
 ++		enable = False
 ++		extract = False
 ++		disable = False
 ++		list = False
 ++		locallist = False
 ++		use_file = False
 ++                store = ""
 ++                equal=""
 ++			
 ++                if len(argv) == 0:
 ++                       return
 ++		object = argv[0]
 ++		option_dict=get_options()
 ++		if object not in option_dict.keys():
 ++			usage(_("Invalid parameter %s not defined") % object)
 ++			
 ++		args = argv[1:]
 ++
 ++		gopts, cmds = getopt.getopt(args,
 ++					    '01adEe:f:i:lhmnp:s:FCDR:L:r:t:P:S:M:',
 ++					    ['add',
 ++					     'delete',
 ++					     'deleteall',
 ++					     'equal=',
 ++					     'enable',
 ++					     'extract',
 ++					     'disable',
 ++					     'ftype=',
 ++					     'file',
 ++					     'help',
 ++                                             'input=',
 ++					     'list', 
 ++					     'modify',
 ++					     'noheading',
 ++					     'localist',
 ++                                             'off', 
 ++                                             'on', 
 ++					     'proto=',
 ++					     'seuser=',
 ++					     'store=',
 ++					     'range=',
 ++					     'locallist=',
 ++					     'level=',
 ++					     'roles=',
 ++					     'type=',
 ++					     'prefix=',
 ++                                             'mask='
 ++					     ])
 ++		for o, a in gopts:
 ++			if o not in option_dict[object]:
 ++				sys.stderr.write(_("%s not valid for %s objects\n") % ( o, object) );
 ++
 ++                                return
 ++				
 ++		for o,a in gopts:
 ++			if o == "-a" or o == "--add":
 ++                                set_action(o)
 ++				add = True
 ++				
 ++			if o == "-d"  or o == "--delete":
 ++                                set_action(o)
 ++				delete = True
 ++
 ++			if o == "-D"  or o == "--deleteall":
 ++                                set_action(o)
 ++				deleteall = True
 ++
 ++			if o == "-E"  or o == "--extract":
 ++                                set_action(o)
 ++				extract = True
 ++			if o == "-f"  or o == "--ftype":
 ++				ftype=a
 ++
 ++			if o == "-e"  or o == "--equal":
 ++				equal = a
 ++
 ++			if o == "--enable":
 ++                                if disable:
 ++                                       raise ValueError(_("You can't disable and enable at the same time"))
 ++
 ++				enable = True
 ++
 ++			if o == "--disable":
 ++                                if enable:
 ++                                       raise ValueError(_("You can't disable and enable at the same time"))
 ++				disable = True
 ++
 ++			if o == "-F"  or o == "--file":
 ++				use_file = True
 ++
 ++			if o == "-h" or o == "--help":
 ++                               raise usage()
 ++
 ++			if o == "-n" or o == "--noheading":
 ++				heading = False
 ++
 ++			if o == "-C" or o == "--locallist":
 ++				locallist = True
 ++
 ++			if o == "-m"or o == "--modify":
 ++                                set_action(o)
 ++				modify = True
 ++				
 ++			if o == "-S" or o == '--store':
 ++				store = a
 ++
 ++			if o == "-r" or o == '--range':
 ++				serange = a
 ++
 ++			if o == "-l" or o == "--list":
 ++				list = True
 ++
 ++			if o == "-L" or o == '--level':
 ++				selevel = a
 ++
 ++			if o == "-p" or o == '--proto':
 ++				proto = a
 ++
 ++			if o == "-P" or o == '--prefix':
 ++				prefix = a
 ++
 ++			if o == "-R" or o == '--roles':
 ++				roles = roles + " " + a
 ++
 ++			if o == "-s" or o == "--seuser":
 ++				seuser = a
 ++
 ++			if o == "-M" or o == '--mask':
 ++				mask = a
 ++
 ++			if o == "-t" or o == "--type":
 ++				setype = a
 ++
 ++                        if o == "--on" or o == "-1":
 ++                               value = "on"
 ++                               modify = True
 ++                        if o == "--off" or o == "-0":
 ++                               value = "off"
 ++                               modify = True
 ++
 ++		if object == "login":
 ++			OBJECT = seobject.loginRecords(store)
 ++
 ++		if object == "user":
 ++			OBJECT = seobject.seluserRecords(store)
 ++
 ++		if object == "port":
 ++			OBJECT = seobject.portRecords(store)
 ++		
 ++		if object == "interface":
 ++			OBJECT = seobject.interfaceRecords(store)
 ++
 ++		if object == "node":
 ++			OBJECT = seobject.nodeRecords(store)
 ++
 ++		if object == "fcontext":
 ++			OBJECT = seobject.fcontextRecords(store)
 ++		
 ++		if object == "boolean":
 ++			OBJECT = seobject.booleanRecords(store)
 ++                        if use_file:
 ++                               modify=True
 ++
 ++		if object == "module":
 ++			OBJECT = seobject.moduleRecords(store)
 ++		
 ++		if object == "permissive":
 ++			OBJECT = seobject.permissiveRecords(store)
 ++		
 ++		if list:
 ++			if object == "boolean":
 ++                               OBJECT.list(heading, locallist, use_file)
 ++			else:
 ++                               OBJECT.list(heading, locallist)
 ++                        return
 ++			
 ++		if deleteall:
 ++			OBJECT.deleteall()
 ++                        return
 ++			
 ++		if extract:
 ++                        for i in OBJECT.customized():
 ++                               print "%s %s" % (object, str(i))
 ++                        return
 ++			
 ++		if len(cmds) != 1:
 ++                       raise ValueError(_("bad option"))
 ++                        
 ++                target = cmds[0]
 ++
 ++		if object == "dontaudit":
 ++                       OBJECT = seobject.dontauditClass(store)
 ++                       OBJECT.toggle(target)
 ++                       return
 ++                              
 ++		if add:
 ++			if object == "login":
 ++				OBJECT.add(target, seuser, serange)
 ++                                return
 ++
 ++			if object == "user":
 ++				OBJECT.add(target, roles.split(), selevel, serange, prefix)
 ++                                return
 ++
 ++			if object == "port":
 ++				OBJECT.add(target, proto, serange, setype)
 ++                                return
 ++
 ++			if object == "interface":
 ++				OBJECT.add(target, serange, setype)
 ++                                return
 ++
 ++			if object == "module":
 ++				OBJECT.add(target)
 ++                                return
 ++
 ++			if object == "node":
 ++				OBJECT.add(target, mask, proto, serange, setype)
 ++                                return
 ++
 ++			if object == "fcontext":
 ++                                if equal == "":
 ++                                       OBJECT.add(target, setype, ftype, serange, seuser)
 ++                                else:
 ++                                       OBJECT.add_equal(target, equal)
 ++                                return
 ++			if object == "permissive":
 ++				OBJECT.add(target)
 ++                                return
 ++
 ++		if modify:
 ++			if object == "boolean":
 ++                               OBJECT.modify(target, value, use_file)
 ++                               return
 ++
 ++			if object == "login":
 ++				OBJECT.modify(target, seuser, serange)
 ++                                return
 ++
 ++			if object == "user":
 ++				rlist = roles.split()
 ++				OBJECT.modify(target, rlist, selevel, serange, prefix)
 ++                                return
 ++
 ++			if object == "module":
 ++                                if enable:
 ++                                       OBJECT.enable(target)
 ++                                elif disable:
 ++                                       OBJECT.disable(target)
 ++                                else:
 ++                                       OBJECT.modify(target)
 ++                                return
 ++
 ++			if object == "port":
 ++				OBJECT.modify(target, proto, serange, setype)
 ++                                return
 ++
 ++			if object == "interface":
 ++				OBJECT.modify(target, serange, setype)
 ++                                return
 ++
 ++			if object == "node":
 ++				OBJECT.modify(target, mask, proto, serange, setype)
 ++                                return
 ++
 ++			if object == "fcontext":
 ++                                if equal == "":
 ++                                       OBJECT.modify(target, setype, ftype, serange, seuser)
 ++                                else:
 ++                                       OBJECT.modify_equal(target, equal)
 ++                                return
 ++		if delete:
 ++			if object == "port":
 ++				OBJECT.delete(target, proto)
 ++
 ++			elif object == "fcontext":
 ++				OBJECT.delete(target, ftype)
 ++
 ++			elif object == "node":
 ++				OBJECT.delete(target, mask, proto)
 ++
 ++			else:
 ++				OBJECT.delete(target)
 ++                        return
 ++                raise ValueError(_("Invalid command: semanage %s") % " ".join(argv))
 ++
 ++	#
 ++	# 
 ++	#
 ++	try:
 ++               output = None
 ++               input = None
 ++               store = ""
 ++
 ++               if len(sys.argv) < 3:
 ++                      usage(_("Requires 2 or more arguments"))
 ++                
 ++               gopts, cmds = getopt.getopt(sys.argv[1:],
 ++                                           '01adf:i:lhmno:p:s:FCDR:L:r:t:T:P:S:',
 ++                                           ['add',
 ++                                            'delete',
 ++                                            'deleteall',
 ++                                            'ftype=',
 ++                                            'file',
 ++                                            'help',
 ++                                            'input=',
 ++                                            'list', 
 ++                                            'modify',
 ++                                            'noheading',
 ++                                            'localist',
 ++                                            'off', 
 ++                                            'on', 
 ++                                            'output=',
 ++                                            'proto=',
 ++                                            'seuser=',
 ++                                            'store=',
 ++                                            'range=',
 ++                                            'level=',
 ++                                            'roles=',
 ++                                            'type=',
 ++                                            'trans=',
 ++                                            'prefix='
 ++                                            ])
 ++               for o, a in gopts:
 ++                      if o == "-S" or o == '--store':
 ++                             store = a
 ++                      if o == "-i" or o == '--input':
 ++                             input = a
 ++                      if o == "-o" or o == '--output':
 ++                             output = a
 ++
 ++               if output != None:
 ++                      if output != "-":
 ++                             sys.stdout = open(output, 'w')
 ++                      for i in manageditems:
 ++                             print "%s -D" % i
 ++                             process_args([i, "-E"])
 ++                      sys.exit(0)
 ++
 ++               if input != None:
 ++                      if input == "-":
 ++                             fd = sys.stdin
 ++                      else:
 ++                             fd = open(input, 'r')
 ++                      trans = seobject.semanageRecords(store)
 ++                      trans.start()
 ++                      for l in fd.readlines():
 ++                             process_args(mkargv(l))
 ++                      trans.finish()
 ++               else:
 ++                      process_args(sys.argv[1:])
 ++			
 ++	except getopt.error, error:
 ++		usage(_("Options Error %s ") % error.msg)
 ++	except ValueError, error:
 ++		errorExit(error.args[0])
 ++	except KeyError, error:
 ++		errorExit(_("Invalid value %s") % error.args[0])
 ++	except IOError, error:
 ++		errorExit(error.args[1])
 ++	except OSError, error:
 ++		errorExit(error.args[1])
 +diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/seobject.py policycoreutils-2.0.83/semanage/seobject.py
 +--- nsapolicycoreutils/semanage/seobject.py	2010-06-16 08:04:12.000000000 -0400
- +++ policycoreutils-2.0.83/semanage/seobject.py	2011-02-04 14:54:18.000000000 -0500
+++++ policycoreutils-2.0.83/semanage/seobject.py	2011-01-21 09:11:18.000000000 -0500
 +@@ -29,47 +29,12 @@
++=======
+ diff --git a/policycoreutils/semanage/seobject.py b/policycoreutils/semanage/seobject.py
+ index b7d257b..735c1ba 100644
+ --- a/policycoreutils/semanage/seobject.py
+ +++ b/policycoreutils/semanage/seobject.py
+ @@ -29,47 +29,12 @@ import sepolgen.module as module
++>>>>>>> 9f6e28ab9319bcc4c92883293f0c91b9bbd697a8
   import gettext
   gettext.bindtextdomain(PROGNAME, "/usr/share/locale")
   gettext.textdomain(PROGNAME)
@@@ -4666,7 -3658,7 +5820,13 @@@
   
   file_types = {}
   file_types[""] = SEMANAGE_FCONTEXT_ALL;
++<<<<<<< HEAD
 +@@ -194,45 +159,148 @@
++||||||| merged common ancestors
++@@ -194,44 +159,153 @@
++=======
+ @@ -194,45 +159,148 @@ def untranslate(trans, prepend = 1):
++>>>>>>> 9f6e28ab9319bcc4c92883293f0c91b9bbd697a8
   		return trans
   	else:
   		return raw
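Review bot: The lines this hunk adds, `<<<<<<< HEAD`, `||||||| merged common ancestors`, `=======` and `>>>>>>> 9f6e28ab9319bcc4c92883293f0c91b9bbd697a8`, are unresolved merge-conflict markers, committed into policycoreutils-rhat.patch together with three competing copies of the `@@ -194,...` hunk header. The same pattern repeats in every following hunk up to the last one (`@@@ -5345,7 -4337,7 +6692,13 @@@`), so the conflict named in the commit message appears to have been recorded rather than resolved. In this hunk the HEAD and incoming headers differ only in the trailing `def untranslate(trans, prepend = 1):` context, which suggests that keeping a single side would be enough. A patch file in this state will most likely fail to apply, or apply only partly, at build time; since it carries the semanage/seobject.py changes for the SELinux management tooling, a partial result should not reach a build. Reduce each region to one hunk header, then confirm that `grep -nE '^(<<<<<<<|=======|>>>>>>>)' policycoreutils-rhat.patch` prints nothing and that the patch applies cleanly.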
@@@ -4828,8 -3820,8 +5988,15 @@@
  +			
   class dontauditClass(semanageRecords):
   	def __init__(self, store):
++<<<<<<< HEAD
 +                semanageRecords.__init__(self, store)
 +@@ -259,14 +327,23 @@
++||||||| merged common ancestors
++@@ -259,14 +333,23 @@
++=======
+                 semanageRecords.__init__(self, store)
+ @@ -259,14 +327,23 @@ class permissiveRecords(semanageRecords):
++>>>>>>> 9f6e28ab9319bcc4c92883293f0c91b9bbd697a8
                         name = semanage_module_get_name(mod)
                         if name and name.startswith("permissive_"):
                                l.append(name.split("permissive_")[1])
@@@ -4857,7 -3849,7 +6024,13 @@@
   
   	def add(self, type):
                  import glob
++<<<<<<< HEAD
 +@@ -343,7 +420,9 @@
++||||||| merged common ancestors
++@@ -343,7 +426,9 @@
++=======
+ @@ -343,7 +420,9 @@ class loginRecords(semanageRecords):
++>>>>>>> 9f6e28ab9319bcc4c92883293f0c91b9bbd697a8
   		if rc < 0:
   			raise ValueError(_("Could not check if login mapping for %s is defined") % name)
   		if exists:
@@@ -4868,7 -3860,7 +6041,13 @@@
                   if name[0] == '%':
                          try:
                                 grp.getgrnam(name[1:])
++<<<<<<< HEAD
 +@@ -475,6 +554,16 @@
++||||||| merged common ancestors
++@@ -475,6 +560,16 @@
++=======
+ @@ -475,6 +554,16 @@ class loginRecords(semanageRecords):
++>>>>>>> 9f6e28ab9319bcc4c92883293f0c91b9bbd697a8
   		
   		mylog.log(1, "delete SELinux user mapping", name);
   
@@@ -4885,7 -3877,7 +6064,13 @@@
   	def get_all(self, locallist = 0):
   		ddict = {}
                   if locallist:
++<<<<<<< HEAD
 +@@ -489,6 +578,15 @@
++||||||| merged common ancestors
++@@ -489,6 +584,15 @@
++=======
+ @@ -489,6 +578,15 @@ class loginRecords(semanageRecords):
++>>>>>>> 9f6e28ab9319bcc4c92883293f0c91b9bbd697a8
   			ddict[name] = (semanage_seuser_get_sename(u), semanage_seuser_get_mlsrange(u))
   		return ddict
   
@@@ -4901,7 -3893,7 +6086,13 @@@
   	def list(self,heading = 1, locallist = 0):
   		ddict = self.get_all(locallist)
   		keys = ddict.keys()
++<<<<<<< HEAD
 +@@ -531,7 +629,8 @@
++||||||| merged common ancestors
++@@ -531,7 +635,8 @@
++=======
+ @@ -531,7 +629,8 @@ class seluserRecords(semanageRecords):
++>>>>>>> 9f6e28ab9319bcc4c92883293f0c91b9bbd697a8
                   if rc < 0:
                          raise ValueError(_("Could not check if SELinux user %s is defined") % name)
                   if exists:
@@@ -4911,7 -3903,7 +6102,13 @@@
   
                   (rc, u) = semanage_user_create(self.sh)
                   if rc < 0:
++<<<<<<< HEAD
 +@@ -682,6 +781,16 @@
++||||||| merged common ancestors
++@@ -682,6 +787,16 @@
++=======
+ @@ -682,6 +781,16 @@ class seluserRecords(semanageRecords):
++>>>>>>> 9f6e28ab9319bcc4c92883293f0c91b9bbd697a8
   		
   		mylog.log(1,"delete SELinux user record", name)
   
@@@ -4928,7 -3920,7 +6125,13 @@@
   	def get_all(self, locallist = 0):
   		ddict = {}
                   if locallist:
++<<<<<<< HEAD
 +@@ -702,6 +811,15 @@
++||||||| merged common ancestors
++@@ -702,6 +817,15 @@
++=======
+ @@ -702,6 +811,15 @@ class seluserRecords(semanageRecords):
++>>>>>>> 9f6e28ab9319bcc4c92883293f0c91b9bbd697a8
   
   		return ddict
   
@@@ -4944,7 -3936,7 +6147,13 @@@
   	def list(self, heading = 1, locallist = 0):
   		ddict = self.get_all(locallist)
   		keys = ddict.keys()
++<<<<<<< HEAD
 +@@ -740,12 +858,16 @@
++||||||| merged common ancestors
++@@ -740,12 +864,16 @@
++=======
+ @@ -740,12 +858,16 @@ class portRecords(semanageRecords):
++>>>>>>> 9f6e28ab9319bcc4c92883293f0c91b9bbd697a8
   			low = int(ports[0])
   			high = int(ports[1])
   
@@@ -4961,7 -3953,7 +6170,13 @@@
   		if is_mls_enabled == 1:
   			if serange == "":
   				serange = "s0"
++<<<<<<< HEAD
 +@@ -808,6 +930,7 @@
++||||||| merged common ancestors
++@@ -808,6 +936,7 @@
++=======
+ @@ -808,6 +930,7 @@ class portRecords(semanageRecords):
++>>>>>>> 9f6e28ab9319bcc4c92883293f0c91b9bbd697a8
                   self.commit()
   
   	def __modify(self, port, proto, serange, setype):
@@@ -4969,7 -3961,7 +6184,13 @@@
   		if serange == "" and setype == "":
   			if is_mls_enabled == 1:
   				raise ValueError(_("Requires setype or serange"))
++<<<<<<< HEAD
 +@@ -942,6 +1065,18 @@
++||||||| merged common ancestors
++@@ -942,6 +1071,18 @@
++=======
+ @@ -942,6 +1065,18 @@ class portRecords(semanageRecords):
++>>>>>>> 9f6e28ab9319bcc4c92883293f0c91b9bbd697a8
   				ddict[(ctype,proto_str)].append("%d-%d" % (low, high))
   		return ddict
   
@@@ -4988,7 -3980,7 +6209,13 @@@
   	def list(self, heading = 1, locallist = 0):
   		if heading:
   			print "%-30s %-8s %s\n" % (_("SELinux Port Type"), _("Proto"), _("Port Number"))
++<<<<<<< HEAD
 +@@ -958,7 +1093,8 @@
++||||||| merged common ancestors
++@@ -958,7 +1099,8 @@
++=======
+ @@ -958,7 +1093,8 @@ class portRecords(semanageRecords):
++>>>>>>> 9f6e28ab9319bcc4c92883293f0c91b9bbd697a8
   class nodeRecords(semanageRecords):
          def __init__(self, store = ""):
                  semanageRecords.__init__(self,store)
@@@ -4998,7 -3990,7 +6225,13 @@@
          def __add(self, addr, mask, proto, serange, ctype):
                  if addr == "":
                          raise ValueError(_("Node Address is required"))
++<<<<<<< HEAD
 +@@ -966,14 +1102,11 @@
++||||||| merged common ancestors
++@@ -966,14 +1108,11 @@
++=======
+ @@ -966,14 +1102,11 @@ class nodeRecords(semanageRecords):
++>>>>>>> 9f6e28ab9319bcc4c92883293f0c91b9bbd697a8
                  if mask == "":
                          raise ValueError(_("Node Netmask is required"))
   
@@@ -5016,7 -4008,7 +6249,13 @@@
                  if is_mls_enabled == 1:
                          if serange == "":
                                  serange = "s0"
++<<<<<<< HEAD
 +@@ -991,11 +1124,13 @@
++||||||| merged common ancestors
++@@ -991,11 +1130,13 @@
++=======
+ @@ -991,11 +1124,13 @@ class nodeRecords(semanageRecords):
++>>>>>>> 9f6e28ab9319bcc4c92883293f0c91b9bbd697a8
   
                  (rc, exists) = semanage_node_exists(self.sh, k)
                  if exists:
@@@ -5031,7 -4023,7 +6270,13 @@@
   
                  rc = semanage_node_set_addr(self.sh, node, proto, addr)
                  (rc, con) = semanage_context_create(self.sh)
++<<<<<<< HEAD
 +@@ -1005,8 +1140,7 @@
++||||||| merged common ancestors
++@@ -1005,8 +1146,7 @@
++=======
+ @@ -1005,8 +1140,7 @@ class nodeRecords(semanageRecords):
++>>>>>>> 9f6e28ab9319bcc4c92883293f0c91b9bbd697a8
                  rc = semanage_node_set_mask(self.sh, node, proto, mask)
                  if rc < 0:
                          raise ValueError(_("Could not set mask for %s") % addr)
@@@ -5041,7 -4033,7 +6286,13 @@@
                  rc = semanage_context_set_user(self.sh, con, "system_u")
                  if rc < 0:
                          raise ValueError(_("Could not set user in addr context for %s") % addr)
++<<<<<<< HEAD
 +@@ -1047,13 +1181,10 @@
++||||||| merged common ancestors
++@@ -1047,13 +1187,10 @@
++=======
+ @@ -1047,13 +1181,10 @@ class nodeRecords(semanageRecords):
++>>>>>>> 9f6e28ab9319bcc4c92883293f0c91b9bbd697a8
   
                  if mask == "":
                          raise ValueError(_("Node Netmask is required"))
@@@ -5059,7 -4051,7 +6310,13 @@@
   
                  if serange == "" and setype == "":
                          raise ValueError(_("Requires setype or serange"))
++<<<<<<< HEAD
 +@@ -1068,12 +1199,11 @@
++||||||| merged common ancestors
++@@ -1068,12 +1205,11 @@
++=======
+ @@ -1068,12 +1199,11 @@ class nodeRecords(semanageRecords):
++>>>>>>> 9f6e28ab9319bcc4c92883293f0c91b9bbd697a8
                  if not exists:
                          raise ValueError(_("Addr %s is not defined") % addr)
   
@@@ -5073,7 -4065,7 +6330,13 @@@
                  if serange != "":
                          semanage_context_set_mls(self.sh, con, untranslate(serange))
                  if setype != "":
++<<<<<<< HEAD
 +@@ -1098,11 +1228,9 @@
++||||||| merged common ancestors
++@@ -1098,11 +1234,9 @@
++=======
+ @@ -1098,11 +1228,9 @@ class nodeRecords(semanageRecords):
++>>>>>>> 9f6e28ab9319bcc4c92883293f0c91b9bbd697a8
                  if mask == "":
                          raise ValueError(_("Node Netmask is required"))
   
@@@ -5088,7 -4080,7 +6351,13 @@@
                         raise ValueError(_("Unknown or missing protocol"))
   
                  (rc, k) = semanage_node_key_create(self.sh, addr, mask, proto)
++<<<<<<< HEAD
 +@@ -1132,6 +1260,16 @@
++||||||| merged common ancestors
++@@ -1132,6 +1266,16 @@
++=======
+ @@ -1132,6 +1260,16 @@ class nodeRecords(semanageRecords):
++>>>>>>> 9f6e28ab9319bcc4c92883293f0c91b9bbd697a8
                 self.__delete(addr, mask, proto)
                 self.commit()
   		
@@@ -5105,7 -4097,7 +6374,13 @@@
          def get_all(self, locallist = 0):
                  ddict = {}
   	       if locallist :
++<<<<<<< HEAD
 +@@ -1145,15 +1283,20 @@
++||||||| merged common ancestors
++@@ -1145,15 +1289,20 @@
++=======
+ @@ -1145,15 +1283,20 @@ class nodeRecords(semanageRecords):
++>>>>>>> 9f6e28ab9319bcc4c92883293f0c91b9bbd697a8
                          con = semanage_node_get_con(node)
                          addr = semanage_node_get_addr(self.sh, node)
                          mask = semanage_node_get_mask(self.sh, node)
@@@ -5131,7 -4123,7 +6406,13 @@@
          def list(self, heading = 1, locallist = 0):
                  if heading:
                          print "%-18s %-18s %-5s %-5s\n" % ("IP Address", "Netmask", "Protocol", "Context")
++<<<<<<< HEAD
 +@@ -1193,7 +1336,8 @@
++||||||| merged common ancestors
++@@ -1193,7 +1342,8 @@
++=======
+ @@ -1193,7 +1336,8 @@ class interfaceRecords(semanageRecords):
++>>>>>>> 9f6e28ab9319bcc4c92883293f0c91b9bbd697a8
   		if rc < 0:
   			raise ValueError(_("Could not check if interface %s is defined") % interface)
   		if exists:
@@@ -5141,7 -4133,7 +6422,13 @@@
   
   		(rc, iface) = semanage_iface_create(self.sh)
   		if rc < 0:
++<<<<<<< HEAD
 +@@ -1307,6 +1451,16 @@
++||||||| merged common ancestors
++@@ -1307,6 +1457,16 @@
++=======
+ @@ -1307,6 +1451,16 @@ class interfaceRecords(semanageRecords):
++>>>>>>> 9f6e28ab9319bcc4c92883293f0c91b9bbd697a8
                   self.__delete(interface)
                   self.commit()
   		
@@@ -5158,7 -4150,7 +6445,13 @@@
   	def get_all(self, locallist = 0):
   		ddict = {}
                   if locallist:
++<<<<<<< HEAD
 +@@ -1322,6 +1476,15 @@
++||||||| merged common ancestors
++@@ -1322,6 +1482,15 @@
++=======
+ @@ -1322,6 +1476,15 @@ class interfaceRecords(semanageRecords):
++>>>>>>> 9f6e28ab9319bcc4c92883293f0c91b9bbd697a8
   
   		return ddict
   			
@@@ -5174,7 -4166,7 +6467,13 @@@
   	def list(self, heading = 1, locallist = 0):
   		if heading:
   			print "%-30s %s\n" % (_("SELinux Interface"), _("Context"))
++<<<<<<< HEAD
 +@@ -1338,6 +1501,48 @@
++||||||| merged common ancestors
++@@ -1338,6 +1507,48 @@
++=======
+ @@ -1338,6 +1501,48 @@ class interfaceRecords(semanageRecords):
++>>>>>>> 9f6e28ab9319bcc4c92883293f0c91b9bbd697a8
   class fcontextRecords(semanageRecords):
   	def __init__(self, store = ""):
   		semanageRecords.__init__(self, store)
@@@ -5223,7 -4215,7 +6522,13 @@@
   
           def createcon(self, target, seuser = "system_u"):
                   (rc, con) = semanage_context_create(self.sh)
++<<<<<<< HEAD
 +@@ -1364,6 +1569,8 @@
++||||||| merged common ancestors
++@@ -1364,6 +1575,8 @@
++=======
+ @@ -1364,6 +1569,8 @@ class fcontextRecords(semanageRecords):
++>>>>>>> 9f6e28ab9319bcc4c92883293f0c91b9bbd697a8
           def validate(self, target):
                  if target == "" or target.find("\n") >= 0:
                         raise ValueError(_("Invalid file specification"))
@@@ -5232,7 -4224,7 +6537,13 @@@
                         
   	def __add(self, target, type, ftype = "", serange = "", seuser = "system_u"):
                   self.validate(target)
++<<<<<<< HEAD
 +@@ -1388,7 +1595,8 @@
++||||||| merged common ancestors
++@@ -1388,7 +1601,8 @@
++=======
+ @@ -1388,7 +1595,8 @@ class fcontextRecords(semanageRecords):
++>>>>>>> 9f6e28ab9319bcc4c92883293f0c91b9bbd697a8
                                 raise ValueError(_("Could not check if file context for %s is defined") % target)
   
                   if exists:
@@@ -5242,7 -4234,7 +6553,13 @@@
   
   		(rc, fcontext) = semanage_fcontext_create(self.sh)
   		if rc < 0:
++<<<<<<< HEAD
 +@@ -1504,9 +1712,16 @@
++||||||| merged common ancestors
++@@ -1504,9 +1718,16 @@
++=======
+ @@ -1504,9 +1712,16 @@ class fcontextRecords(semanageRecords):
++>>>>>>> 9f6e28ab9319bcc4c92883293f0c91b9bbd697a8
                                 raise ValueError(_("Could not delete the file context %s") % target)
                          semanage_fcontext_key_free(k)
   	
@@@ -5259,7 -4251,7 +6576,13 @@@
   		(rc,k) = semanage_fcontext_key_create(self.sh, target, file_types[ftype])
   		if rc < 0:
   			raise ValueError(_("Could not create a key for %s") % target)
++<<<<<<< HEAD
 +@@ -1561,12 +1776,22 @@
++||||||| merged common ancestors
++@@ -1561,12 +1782,22 @@
++=======
+ @@ -1561,12 +1776,22 @@ class fcontextRecords(semanageRecords):
++>>>>>>> 9f6e28ab9319bcc4c92883293f0c91b9bbd697a8
   
   		return ddict
   			
@@@ -5284,7 -4276,7 +6607,13 @@@
   		for k in keys:
   			if fcon_dict[k]:
   				if is_mls_enabled:
++<<<<<<< HEAD
 +@@ -1575,6 +1800,12 @@
++||||||| merged common ancestors
++@@ -1575,6 +1806,12 @@
++=======
+ @@ -1575,6 +1800,12 @@ class fcontextRecords(semanageRecords):
++>>>>>>> 9f6e28ab9319bcc4c92883293f0c91b9bbd697a8
   					print "%-50s %-18s %s:%s:%s " % (k[0], k[1], fcon_dict[k][0], fcon_dict[k][1],fcon_dict[k][2])
   			else:
   				print "%-50s %-18s <<None>>" % (k[0], k[1])
@@@ -5297,7 -4289,7 +6626,13 @@@
   				
   class booleanRecords(semanageRecords):
   	def __init__(self, store = ""):
++<<<<<<< HEAD
 +@@ -1587,6 +1818,18 @@
++||||||| merged common ancestors
++@@ -1587,6 +1824,18 @@
++=======
+ @@ -1587,6 +1818,18 @@ class booleanRecords(semanageRecords):
++>>>>>>> 9f6e28ab9319bcc4c92883293f0c91b9bbd697a8
                   self.dict["1"] = 1
                   self.dict["0"] = 0
   
@@@ -5316,7 -4308,7 +6651,13 @@@
   	def __mod(self, name, value):
                   (rc, k) = semanage_bool_key_create(self.sh, name)
                   if rc < 0:
++<<<<<<< HEAD
 +@@ -1606,9 +1849,10 @@
++||||||| merged common ancestors
++@@ -1606,9 +1855,10 @@
++=======
+ @@ -1606,9 +1849,10 @@ class booleanRecords(semanageRecords):
++>>>>>>> 9f6e28ab9319bcc4c92883293f0c91b9bbd697a8
                   else:
                          raise ValueError(_("You must specify one of the following values: %s") % ", ".join(self.dict.keys()) )
                   
@@@ -5330,7 -4322,7 +6671,13 @@@
                   rc = semanage_bool_modify_local(self.sh, k, b)
                   if rc < 0:
                          raise ValueError(_("Could not modify boolean %s") % name)
++<<<<<<< HEAD
 +@@ -1691,8 +1935,12 @@
++||||||| merged common ancestors
++@@ -1691,8 +1941,12 @@
++=======
+ @@ -1691,8 +1935,12 @@ class booleanRecords(semanageRecords):
++>>>>>>> 9f6e28ab9319bcc4c92883293f0c91b9bbd697a8
                          value = []
                          name = semanage_bool_get_name(boolean)
                          value.append(semanage_bool_get_value(boolean))
@@@ -5345,7 -4337,7 +6692,13 @@@
                          ddict[name] = value
   
   		return ddict
++<<<<<<< HEAD
 +@@ -1706,6 +1954,16 @@
++||||||| merged common ancestors
++@@ -1706,6 +1960,16 @@
++=======
+ @@ -1706,6 +1954,16 @@ class booleanRecords(semanageRecords):
++>>>>>>> 9f6e28ab9319bcc4c92883293f0c91b9bbd697a8
                  else:
                         return _("unknown")
   

