[policycoreutils] - Have restorecond watch more directories in homedir
Daniel J Walsh
dwalsh at fedoraproject.org
Wed Jan 19 21:48:44 UTC 2011
commit 971f278f98b82e3646fbc2f832847231dd8bad24
Author: Dan Walsh <dwalsh at redhat.com>
Date: Wed Jan 19 16:45:53 2011 -0500
- Have restorecond watch more directories in homedir
policycoreutils-rhat.patch | 1124 --------------------------------------------
policycoreutils.spec | 5 +-
2 files changed, 4 insertions(+), 1125 deletions(-)
---
diff --git a/policycoreutils-rhat.patch b/policycoreutils-rhat.patch
index 4bbecb0..d1f0a4d 100644
--- a/policycoreutils-rhat.patch
+++ b/policycoreutils-rhat.patch
@@ -338,15 +338,6 @@ index 3f235e6..7552668 100644
relabel: install
/sbin/restorecon $(SBINDIR)/restorecond
-diff --git a/policycoreutils/restorecond/org.selinux.Restorecond.service b/policycoreutils/restorecond/org.selinux.Restorecond.service
-new file mode 100644
-index 0000000..0ef5f0b
---- /dev/null
-+++ b/policycoreutils/restorecond/org.selinux.Restorecond.service
-@@ -0,0 +1,3 @@
-+[D-BUS Service]
-+Name=org.selinux.Restorecond
-+Exec=/usr/sbin/restorecond -u
diff --git a/policycoreutils/restorecond/restorecond.8 b/policycoreutils/restorecond/restorecond.8
index b149dcb..0c14c94 100644
--- a/policycoreutils/restorecond/restorecond.8
@@ -905,19 +896,6 @@ index 3fc9376..58b723a 100644
/root/.ssh/*
-
-
-diff --git a/policycoreutils/restorecond/restorecond.desktop b/policycoreutils/restorecond/restorecond.desktop
-new file mode 100644
-index 0000000..23ff89d
---- /dev/null
-+++ b/policycoreutils/restorecond/restorecond.desktop
-@@ -0,0 +1,7 @@
-+[Desktop Entry]
-+Name=File Context maintainer
-+Exec=/usr/sbin/restorecond -u
-+Comment=Fix file context in owned by the user
-+Encoding=UTF-8
-+Type=Application
-+StartupNotify=false
diff --git a/policycoreutils/restorecond/restorecond.h b/policycoreutils/restorecond/restorecond.h
index e1666bf..8c85ef0 100644
--- a/policycoreutils/restorecond/restorecond.h
@@ -979,259 +957,6 @@ index b966db6..775c52b 100644
exit $RETVAL
-
-diff --git a/policycoreutils/restorecond/restorecond_user.conf b/policycoreutils/restorecond/restorecond_user.conf
-new file mode 100644
-index 0000000..d97bc72
---- /dev/null
-+++ b/policycoreutils/restorecond/restorecond_user.conf
-@@ -0,0 +1,2 @@
-+~/*
-+~/public_html/*
-diff --git a/policycoreutils/restorecond/user.c b/policycoreutils/restorecond/user.c
-new file mode 100644
-index 0000000..272479a
---- /dev/null
-+++ b/policycoreutils/restorecond/user.c
-@@ -0,0 +1,239 @@
-+/*
-+ * restorecond
-+ *
-+ * Copyright (C) 2006-2009 Red Hat
-+ * see file 'COPYING' for use and warranty information
-+ *
-+ * This program is free software; you can redistribute it and/or
-+ * modify it under the terms of the GNU General Public License as
-+ * published by the Free Software Foundation; either version 2 of
-+ * the License, or (at your option) any later version.
-+ *
-+ * This program is distributed in the hope that it will be useful,
-+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
-+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-+ * GNU General Public License for more details.
-+.*
-+ * You should have received a copy of the GNU General Public License
-+ * along with this program; if not, write to the Free Software
-+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
-+ * 02111-1307 USA
-+ *
-+ * Authors:
-+ * Dan Walsh <dwalsh at redhat.com>
-+ *
-+*/
-+
-+#define _GNU_SOURCE
-+#include <sys/inotify.h>
-+#include <errno.h>
-+#include <stdio.h>
-+#include <stdlib.h>
-+#include <signal.h>
-+#include <string.h>
-+#include <unistd.h>
-+#include <ctype.h>
-+#include <sys/types.h>
-+#include <sys/stat.h>
-+#include <syslog.h>
-+#include <limits.h>
-+#include <fcntl.h>
-+
-+#include "restorecond.h"
-+#include "stringslist.h"
-+#include <glib.h>
-+#ifdef HAVE_DBUS
-+#include <dbus/dbus.h>
-+#include <dbus/dbus-glib.h>
-+#include <dbus/dbus-glib-lowlevel.h>
-+
-+static DBusHandlerResult signal_filter (DBusConnection *connection, DBusMessage *message, void *user_data);
-+
-+static const char *PATH="/org/selinux/Restorecond";
-+//static const char *BUSNAME="org.selinux.Restorecond";
-+static const char *INTERFACE="org.selinux.RestorecondIface";
-+static const char *RULE="type='signal',interface='org.selinux.RestorecondIface'";
-+
-+
-+static DBusHandlerResult
-+signal_filter (DBusConnection *connection __attribute__ ((__unused__)), DBusMessage *message, void *user_data)
-+{
-+ /* User data is the event loop we are running in */
-+ GMainLoop *loop = user_data;
-+
-+ /* A signal from the bus saying we are about to be disconnected */
-+ if (dbus_message_is_signal
-+ (message, INTERFACE, "Stop")) {
-+
-+ /* Tell the main loop to quit */
-+ g_main_loop_quit (loop);
-+ /* We have handled this message, don't pass it on */
-+ return DBUS_HANDLER_RESULT_HANDLED;
-+ }
-+ /* A Ping signal on the com.burtonini.dbus.Signal interface */
-+ else if (dbus_message_is_signal (message, INTERFACE, "Start")) {
-+ DBusError error;
-+ dbus_error_init (&error);
-+ g_print("Start received\n");
-+ return DBUS_HANDLER_RESULT_HANDLED;
-+ }
-+ return DBUS_HANDLER_RESULT_NOT_YET_HANDLED;
-+}
-+
-+static int dbus_server(GMainLoop *loop) {
-+ DBusConnection *bus;
-+ DBusError error;
-+ dbus_error_init (&error);
-+ bus = dbus_bus_get (DBUS_BUS_SESSION, &error);
-+ if (bus) {
-+ dbus_connection_setup_with_g_main (bus, NULL);
-+
-+ /* listening to messages from all objects as no path is specified */
-+ dbus_bus_add_match (bus, RULE, &error); // see signals from the given interfacey
-+ dbus_connection_add_filter (bus, signal_filter, loop, NULL);
-+ return 0;
-+ }
-+ return -1;
-+}
-+
-+#endif
-+#include <selinux/selinux.h>
-+#include <sys/file.h>
-+
-+/* size of the event structure, not counting name */
-+#define EVENT_SIZE (sizeof (struct inotify_event))
-+/* reasonable guess as to size of 1024 events */
-+#define BUF_LEN (1024 * (EVENT_SIZE + 16))
-+
-+static gboolean
-+io_channel_callback
-+ (GIOChannel *source,
-+ GIOCondition condition,
-+ gpointer data __attribute__((__unused__)))
-+{
-+
-+ char buffer[BUF_LEN+1];
-+ gsize bytes_read;
-+ unsigned int i = 0;
-+
-+ if (condition & G_IO_IN) {
-+ /* Data is available. */
-+ g_io_channel_read
-+ (source, buffer,
-+ sizeof (buffer),
-+ &bytes_read);
-+
-+ while (i < bytes_read) {
-+ struct inotify_event *event;
-+ event = (struct inotify_event *)&buffer[i];
-+ if (debug_mode)
-+ printf("wd=%d mask=%u cookie=%u len=%u\n",
-+ event->wd, event->mask,
-+ event->cookie, event->len);
-+ if (event->len)
-+ watch_list_find(event->wd, event->name);
-+
-+ i += EVENT_SIZE + event->len;
-+ }
-+ }
-+
-+ /* An error happened while reading
-+ the file. */
-+
-+ if (condition & G_IO_NVAL)
-+ return FALSE;
-+
-+ /* We have reached the end of the
-+ file. */
-+
-+ if (condition & G_IO_HUP) {
-+ g_io_channel_close (source);
-+ return FALSE;
-+ }
-+
-+ /* Returning TRUE will make sure
-+ the callback remains associated
-+ to the channel. */
-+
-+ return TRUE;
-+}
-+
-+int start() {
-+#ifdef HAVE_DBUS
-+ DBusConnection *bus;
-+ DBusError error;
-+ DBusMessage *message;
-+
-+ /* Get a connection to the session bus */
-+ dbus_error_init (&error);
-+ bus = dbus_bus_get (DBUS_BUS_SESSION, &error);
-+ if (!bus) {
-+ if (debug_mode)
-+ g_warning ("Failed to connect to the D-BUS daemon: %s", error.message);
-+ dbus_error_free (&error);
-+ return 1;
-+ }
-+
-+
-+ /* Create a new signal "Start" on the interface,
-+ * from the object */
-+ message = dbus_message_new_signal (PATH,
-+ INTERFACE, "Start");
-+ /* Send the signal */
-+ dbus_connection_send (bus, message, NULL);
-+ /* Free the signal now we have finished with it */
-+ dbus_message_unref (message);
-+#endif /* HAVE_DBUS */
-+ return 0;
-+}
-+
-+static int local_server() {
-+ // ! dbus, run as local service
-+ char *ptr=NULL;
-+ asprintf(&ptr, "%s/.restorecond", homedir);
-+ int fd = open(ptr, O_CREAT | O_WRONLY | O_NOFOLLOW, S_IRUSR | S_IWUSR);
-+ if (debug_mode)
-+ g_warning ("Lock file: %s", ptr);
-+
-+ free(ptr);
-+ if (fd < 0) {
-+ if (debug_mode)
-+ perror("open");
-+ return -1;
-+ }
-+ if (flock(fd, LOCK_EX | LOCK_NB) < 0) {
-+ if (debug_mode)
-+ perror("flock");
-+ return -1;
-+ }
-+ return 0;
-+}
-+
-+int server(int master_fd, const char *watch_file) {
-+ GMainLoop *loop;
-+
-+ loop = g_main_loop_new (NULL, FALSE);
-+
-+#ifdef HAVE_DBUS
-+ if (dbus_server(loop) != 0)
-+#endif /* HAVE_DBUS */
-+ if (local_server(loop) != 0)
-+ return 0;
-+
-+ read_config(master_fd, watch_file);
-+
-+ if (watch_list_isempty()) return 0;
-+
-+ set_matchpathcon_flags(MATCHPATHCON_NOTRANS);
-+
-+ GIOChannel *c = g_io_channel_unix_new(master_fd);
-+
-+ g_io_add_watch_full( c,
-+ G_PRIORITY_HIGH,
-+ G_IO_IN|G_IO_ERR|G_IO_HUP,
-+ io_channel_callback, NULL, NULL);
-+
-+ g_main_loop_run (loop);
-+ return 0;
-+}
-+
diff --git a/policycoreutils/restorecond/utmpwatcher.c b/policycoreutils/restorecond/utmpwatcher.c
index f182c22..feddb5a 100644
--- a/policycoreutils/restorecond/utmpwatcher.c
@@ -1246,282 +971,6 @@ index f182c22..feddb5a 100644
strings_list_free(prev_utmp_ptr);
}
return changed;
-diff --git a/policycoreutils/restorecond/watch.c b/policycoreutils/restorecond/watch.c
-new file mode 100644
-index 0000000..c0caab2
---- /dev/null
-+++ b/policycoreutils/restorecond/watch.c
-@@ -0,0 +1,270 @@
-+#define _GNU_SOURCE
-+#include <sys/inotify.h>
-+#include <errno.h>
-+#include <stdio.h>
-+#include <stdlib.h>
-+#include <string.h>
-+#include <unistd.h>
-+#include <ctype.h>
-+#include <sys/types.h>
-+#include <syslog.h>
-+#include "../setfiles/restore.h"
-+#include <glob.h>
-+#include <libgen.h>
-+#include <sys/stat.h>
-+#include <string.h>
-+#include <stdio.h>
-+#include <fcntl.h>
-+#include <selinux/selinux.h>
-+#include "restorecond.h"
-+#include "stringslist.h"
-+#include "utmpwatcher.h"
-+
-+/* size of the event structure, not counting name */
-+#define EVENT_SIZE (sizeof (struct inotify_event))
-+/* reasonable guess as to size of 1024 events */
-+#define BUF_LEN (1024 * (EVENT_SIZE + 16))
-+
-+
-+struct watchList {
-+ struct watchList *next;
-+ int wd;
-+ char *dir;
-+ struct stringsList *files;
-+};
-+struct watchList *firstDir = NULL;
-+
-+int watch_list_isempty() {
-+ return firstDir == NULL;
-+}
-+
-+void watch_list_add(int fd, const char *path)
-+{
-+ struct watchList *ptr = NULL;
-+ size_t i = 0;
-+ struct watchList *prev = NULL;
-+ glob_t globbuf;
-+ char *x = strdup(path);
-+ if (!x) exitApp("Out of Memory");
-+ char *file = basename(x);
-+ char *dir = dirname(x);
-+ ptr = firstDir;
-+
-+ if (exclude(path)) return;
-+
-+ globbuf.gl_offs = 1;
-+ if (glob(path,
-+ GLOB_TILDE | GLOB_PERIOD,
-+ NULL,
-+ &globbuf) >= 0) {
-+ for (i=0; i < globbuf.gl_pathc; i++) {
-+ int len = strlen(globbuf.gl_pathv[i]) -2;
-+ if (len > 0 && strcmp(&globbuf.gl_pathv[i][len--], "/.") == 0) continue;
-+ if (len > 0 && strcmp(&globbuf.gl_pathv[i][len], "/..") == 0) continue;
-+ if (process_one_realpath(globbuf.gl_pathv[i], 0) > 0)
-+ process_one_realpath(globbuf.gl_pathv[i], 1);
-+ }
-+ globfree(&globbuf);
-+ }
-+
-+ while (ptr != NULL) {
-+ if (strcmp(dir, ptr->dir) == 0) {
-+ strings_list_add(&ptr->files, file);
-+ free(x);
-+ return;
-+ }
-+ prev = ptr;
-+ ptr = ptr->next;
-+ }
-+ ptr = calloc(1, sizeof(struct watchList));
-+
-+ if (!ptr) exitApp("Out of Memory");
-+
-+ ptr->wd = inotify_add_watch(fd, dir, IN_CREATE | IN_MOVED_TO);
-+ if (ptr->wd == -1) {
-+ free(ptr);
-+ free(x);
-+ if (! run_as_user)
-+ syslog(LOG_ERR, "Unable to watch (%s) %s\n",
-+ path, strerror(errno));
-+ return;
-+ }
-+
-+ ptr->dir = strdup(dir);
-+ if (!ptr->dir)
-+ exitApp("Out of Memory");
-+
-+ strings_list_add(&ptr->files, file);
-+ if (prev)
-+ prev->next = ptr;
-+ else
-+ firstDir = ptr;
-+
-+ if (debug_mode)
-+ printf("%d: Dir=%s, File=%s\n", ptr->wd, ptr->dir, file);
-+
-+ free(x);
-+}
-+
-+/*
-+ A file was in a direcroty has been created. This function checks to
-+ see if it is one that we are watching.
-+*/
-+
-+int watch_list_find(int wd, const char *file)
-+{
-+ struct watchList *ptr = NULL;
-+ ptr = firstDir;
-+ if (debug_mode)
-+ printf("%d: File=%s\n", wd, file);
-+ while (ptr != NULL) {
-+ if (ptr->wd == wd) {
-+ int exact=0;
-+ if (strings_list_find(ptr->files, file, &exact) == 0) {
-+ char *path = NULL;
-+ if (asprintf(&path, "%s/%s", ptr->dir, file) <
-+ 0)
-+ exitApp("Error allocating memory.");
-+
-+ process_one_realpath(path, 0);
-+ free(path);
-+ return 0;
-+ }
-+ if (debug_mode)
-+ strings_list_print(ptr->files);
-+
-+ /* Not found in this directory */
-+ return -1;
-+ }
-+ ptr = ptr->next;
-+ }
-+ /* Did not find a directory */
-+ return -1;
-+}
-+
-+void watch_list_free(int fd)
-+{
-+ struct watchList *ptr = NULL;
-+ struct watchList *prev = NULL;
-+ ptr = firstDir;
-+
-+ while (ptr != NULL) {
-+ inotify_rm_watch(fd, ptr->wd);
-+ strings_list_free(ptr->files);
-+ free(ptr->dir);
-+ prev = ptr;
-+ ptr = ptr->next;
-+ free(prev);
-+ }
-+ firstDir = NULL;
-+}
-+
-+/*
-+ Inotify watch loop
-+*/
-+int watch(int fd, const char *watch_file)
-+{
-+ char buf[BUF_LEN];
-+ int len, i = 0;
-+ if (firstDir == NULL) return 0;
-+
-+ len = read(fd, buf, BUF_LEN);
-+ if (len < 0) {
-+ if (terminate == 0) {
-+ syslog(LOG_ERR, "Read error (%s)", strerror(errno));
-+ return 0;
-+ }
-+ syslog(LOG_ERR, "terminated");
-+ return -1;
-+ } else if (!len)
-+ /* BUF_LEN too small? */
-+ return -1;
-+ while (i < len) {
-+ struct inotify_event *event;
-+ event = (struct inotify_event *)&buf[i];
-+ if (debug_mode)
-+ printf("wd=%d mask=%u cookie=%u len=%u\n",
-+ event->wd, event->mask,
-+ event->cookie, event->len);
-+ if (event->wd == master_wd)
-+ read_config(fd, watch_file);
-+ else {
-+ switch (utmpwatcher_handle(fd, event->wd)) {
-+ case -1: /* Message was not for utmpwatcher */
-+ if (event->len)
-+ watch_list_find(event->wd, event->name);
-+ break;
-+ case 1: /* utmp has changed need to reload */
-+ read_config(fd, watch_file);
-+ break;
-+
-+ default: /* No users logged in or out */
-+ break;
-+ }
-+ }
-+
-+ i += EVENT_SIZE + event->len;
-+ }
-+ return 0;
-+}
-+
-+static void process_config(int fd, FILE * cfg)
-+{
-+ char *line_buf = NULL;
-+ size_t len = 0;
-+
-+ while (getline(&line_buf, &len, cfg) > 0) {
-+ char *buffer = line_buf;
-+ while (isspace(*buffer))
-+ buffer++;
-+ if (buffer[0] == '#')
-+ continue;
-+ int l = strlen(buffer) - 1;
-+ if (l <= 0)
-+ continue;
-+ buffer[l] = 0;
-+ if (buffer[0] == '~') {
-+ if (run_as_user) {
-+ char *ptr=NULL;
-+ asprintf(&ptr, "%s%s", homedir, &buffer[1]);
-+ watch_list_add(fd, ptr);
-+ free(ptr);
-+ } else {
-+ utmpwatcher_add(fd, &buffer[1]);
-+ }
-+ } else {
-+ watch_list_add(fd, buffer);
-+ }
-+ }
-+ free(line_buf);
-+}
-+
-+/*
-+ Read config file ignoring Comment lines
-+ Files specified one per line. Files with "~" will be expanded to the logged in users
-+ homedirs.
-+*/
-+
-+void read_config(int fd, const char *watch_file_path)
-+{
-+
-+ FILE *cfg = NULL;
-+ if (debug_mode)
-+ printf("Read Config\n");
-+
-+ watch_list_free(fd);
-+
-+ cfg = fopen(watch_file_path, "r");
-+ if (!cfg){
-+ perror(watch_file_path);
-+ exitApp("Error reading config file");
-+ }
-+ process_config(fd, cfg);
-+ fclose(cfg);
-+
-+ inotify_rm_watch(fd, master_wd);
-+ master_wd =
-+ inotify_add_watch(fd, watch_file_path, IN_MOVED_FROM | IN_MODIFY);
-+ if (master_wd == -1)
-+ exitApp("Error watching config file.");
-+}
diff --git a/policycoreutils/sandbox/Makefile b/policycoreutils/sandbox/Makefile
index ff0ee7c..0c8a085 100644
--- a/policycoreutils/sandbox/Makefile
@@ -1854,65 +1303,6 @@ index 1479364..73d33b3 100644
+.I Dan Walsh <dwalsh at redhat.com>
+and
+.I Thomas Liu <tliu at fedoraproject.org>
-diff --git a/policycoreutils/sandbox/sandbox.conf b/policycoreutils/sandbox/sandbox.conf
-new file mode 100644
-index 0000000..7c35808
---- /dev/null
-+++ b/policycoreutils/sandbox/sandbox.conf
-@@ -0,0 +1,7 @@
-+# Space separate list of homedirs
-+HOMEDIRS="/home"
-+# Control group configuration
-+NAME=sandbox
-+CPUAFFINITY=ALL
-+MEMUSAGE=80%
-+CPUUSAGE=80%
-diff --git a/policycoreutils/sandbox/sandbox.conf.5 b/policycoreutils/sandbox/sandbox.conf.5
-new file mode 100644
-index 0000000..ee97e10
---- /dev/null
-+++ b/policycoreutils/sandbox/sandbox.conf.5
-@@ -0,0 +1,40 @@
-+.TH sandbox.conf "5" "June 2010" "sandbox.conf" "Linux System Administration"
-+.SH NAME
-+sandbox.conf \- user config file for the SELinux sandbox
-+.SH DESCRIPTION
-+.PP
-+When running sandbox with the -C argument, it will be confined using control groups and a system administrator can specify how the sandbox is confined.
-+
-+.PP
-+Everything after "#" is ignored, as are empty lines. All arguments should be separated by and equals sign ("=").
-+
-+.PP
-+These keywords are allowed.
-+
-+.RS
-+.TP
-+.B NAME
-+The name of the sandbox control group. Default is "sandbox".
-+
-+.TP
-+.B CPUAFFINITY
-+Which cpus to assign sandbox to. The default is ALL, but users can specify a comma-separated list with dashes ("-") to represent ranges. Ex: 0-2,5
-+
-+.TP
-+.B MEMUSAGE
-+How much memory to allow sandbox to use. The default is 80%. Users can specify either a percentage or a value in the form of a number followed by one of the suffixes K, M, G to denote kilobytes, megabytes or gigabytes respectively. Ex: 50% or 100M
-+
-+.TP
-+.B CPUUSAGE
-+Percentage of cpu sandbox should be allowed to use. The default is 80%. Specify a value followed by a percent sign ("%"). Ex: 50%
-+
-+
-+
-+.SH "SEE ALSO"
-+.TP
-+sandbox(8)
-+.PP
-+
-+.SH AUTHOR
-+This manual page was written by
-+.I Thomas Liu <tliu at fedoraproject.org>
diff --git a/policycoreutils/sandbox/sandbox.init b/policycoreutils/sandbox/sandbox.init
index ff8b3ef..8508647 100644
--- a/policycoreutils/sandbox/sandbox.init
@@ -1966,49 +1356,6 @@ index 8338203..e501b03 100644
export EXITCODE=$?
kill -HUP 0
break
-diff --git a/policycoreutils/sandbox/seunshare.8 b/policycoreutils/sandbox/seunshare.8
-new file mode 100644
-index 0000000..e7b8991
---- /dev/null
-+++ b/policycoreutils/sandbox/seunshare.8
-@@ -0,0 +1,37 @@
-+.TH SEUNSHARE "8" "May 2010" "seunshare" "User Commands"
-+.SH NAME
-+seunshare \- Run cmd with alternate homedir, tmpdir and/or SELinux context
-+.SH SYNOPSIS
-+.B seunshare
-+[ -v ] [ -t tmpdir ] [ -h homedir ] [ -Z context ] -- executable [args]
-+.br
-+.SH DESCRIPTION
-+.PP
-+Run the
-+.I executable
-+within the specified context, using the alternate home directory and /tmp directory. The seunshare command unshares from the default namespace, then mounts the specified homedir and tmpdir over the default homedir and /tmp. Finally it tells the kernel to execute the application under the specified SELinux context.
-+
-+.TP
-+\fB\-h homedir\fR
-+Alternate homedir to be used by the application. Homedir must be owned by the user.
-+.TP
-+\fB\-t\ tmpdir
-+Use alternate tempory directory to mount on /tmp. tmpdir must be owned by the user.
-+.TP
-+\fB\-c cgroups\fR
-+Use cgroups to control this copy of seunshare. Specify parameters in /etc/sysconfig/sandbox. Max memory usage and cpu usage are to be specified in percent. You can specify which CPUs to use by numbering them 0,1,2... etc.
-+.TP
-+\fB\-Z\ context
-+Use alternate SELinux context while runing the executable.
-+.TP
-+\fB\-v\fR
-+Verbose output
-+.SH "SEE ALSO"
-+.TP
-+runcon(1), sandbox(8), selinux(8)
-+.PP
-+.SH AUTHOR
-+This manual page was written by
-+.I Dan Walsh <dwalsh at redhat.com>
-+and
-+.I Thomas Liu <tliu at fedoraproject.org>
diff --git a/policycoreutils/sandbox/seunshare.c b/policycoreutils/sandbox/seunshare.c
index ec692e7..de694ad 100644
--- a/policycoreutils/sandbox/seunshare.c
@@ -2463,21 +1810,6 @@ index ec692e7..de694ad 100644
-
return status;
}
-diff --git a/policycoreutils/sandbox/start b/policycoreutils/sandbox/start
-new file mode 100755
-index 0000000..52950d7
---- /dev/null
-+++ b/policycoreutils/sandbox/start
-@@ -0,0 +1,9 @@
-+#! /usr/bin/python -Es
-+import gtk, commands, sys
-+rc = [-1,'']
-+try:
-+ rc=commands.getstatusoutput(sys.argv[1])
-+except:
-+ pass
-+if rc[0] == 0:
-+ print rc[1]
diff --git a/policycoreutils/scripts/Makefile b/policycoreutils/scripts/Makefile
index 53b65b6..cc75a96 100644
--- a/policycoreutils/scripts/Makefile
@@ -2603,195 +1935,6 @@ index ae519fc..0890811 100755
restore
}
-diff --git a/policycoreutils/scripts/genhomedircon.8 b/policycoreutils/scripts/genhomedircon.8
-new file mode 100644
-index 0000000..6331660
---- /dev/null
-+++ b/policycoreutils/scripts/genhomedircon.8
-@@ -0,0 +1,37 @@
-+.\" Hey, Emacs! This is an -*- nroff -*- source file.
-+.\" Copyright (c) 2010 Dan Walsh <dwalsh at redhat.com>
-+.\"
-+.\" This is free documentation; you can redistribute it and/or
-+.\" modify it under the terms of the GNU General Public License as
-+.\" published by the Free Software Foundation; either version 2 of
-+.\" the License, or (at your option) any later version.
-+.\"
-+.\" The GNU General Public License's references to "object code"
-+.\" and "executables" are to be interpreted as the output of any
-+.\" document formatting or typesetting system, including
-+.\" intermediate and printed output.
-+.\"
-+.\" This manual is distributed in the hope that it will be useful,
-+.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
-+.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-+.\" GNU General Public License for more details.
-+.\"
-+.\" You should have received a copy of the GNU General Public
-+.\" License along with this manual; if not, write to the Free
-+.\" Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139,
-+.\" USA.
-+.\"
-+.\"
-+.TH GENHOMEDIRCON "8" "May 2010" "Security Enhanced Linux" "SELinux"
-+.SH NAME
-+genhomedircon \- generate SELinux file context configuration entries for user home directories
-+.SH SYNOPSIS
-+.B genhomedircon
-+is a script that executes semodule to rebuild policy and create the
-+labels for HOMEDIRS based on home directories returned by the getpw calls.
-+
-+This functionality is enabled via the usepasswd flag in /etc/selinux/semanage.conf.
-+
-+.SH AUTHOR
-+This manual page was written by
-+.I Dan Walsh <dwalsh at redhat.com>
-diff --git a/policycoreutils/semanage/default_encoding/Makefile b/policycoreutils/semanage/default_encoding/Makefile
-new file mode 100644
-index 0000000..176b11f
---- /dev/null
-+++ b/policycoreutils/semanage/default_encoding/Makefile
-@@ -0,0 +1,8 @@
-+all:
-+ LDFLAGS="" python setup.py build
-+
-+install: all
-+ LDFLAGS="" python setup.py install --root=$(DESTDIR)/
-+
-+clean:
-+ rm -rf build *~
-diff --git a/policycoreutils/semanage/default_encoding/default_encoding.c b/policycoreutils/semanage/default_encoding/default_encoding.c
-new file mode 100644
-index 0000000..c3cdd4e
---- /dev/null
-+++ b/policycoreutils/semanage/default_encoding/default_encoding.c
-@@ -0,0 +1,59 @@
-+/*
-+ * Authors:
-+ * John Dennis <jdennis at redhat.com>
-+ *
-+ * Copyright (C) 2009 Red Hat
-+ * see file 'COPYING' for use and warranty information
-+ *
-+ * This program is free software; you can redistribute it and/or
-+ * modify it under the terms of the GNU General Public License as
-+ * published by the Free Software Foundation.
-+ *
-+ * This program is distributed in the hope that it will be useful,
-+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
-+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-+ * GNU General Public License for more details.
-+ *
-+ * You should have received a copy of the GNU General Public License
-+ * along with this program; if not, write to the Free Software
-+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
-+ */
-+
-+#include <Python.h>
-+
-+PyDoc_STRVAR(setdefaultencoding_doc,
-+"setdefaultencoding(encoding='utf-8')\n\
-+\n\
-+Set the current default string encoding used by the Unicode implementation.\n\
-+Defaults to utf-8."
-+);
-+
-+static PyObject *
-+setdefaultencoding(PyObject *self, PyObject *args, PyObject *kwds)
-+{
-+ static char *kwlist[] = {"utf-8", NULL};
-+ char *encoding;
-+
-+ if (!PyArg_ParseTupleAndKeywords(args, kwds, "s:setdefaultencoding", kwlist, &encoding))
-+ return NULL;
-+
-+ if (PyUnicode_SetDefaultEncoding(encoding))
-+ return NULL;
-+
-+ Py_RETURN_NONE;
-+}
-+
-+static PyMethodDef methods[] = {
-+ {"setdefaultencoding", (PyCFunction)setdefaultencoding, METH_VARARGS|METH_KEYWORDS, setdefaultencoding_doc},
-+ {NULL, NULL} /* sentinel */
-+};
-+
-+
-+PyMODINIT_FUNC
-+initdefault_encoding_utf8(void)
-+{
-+ PyObject* m;
-+
-+ PyUnicode_SetDefaultEncoding("utf-8");
-+ m = Py_InitModule3("default_encoding_utf8", methods, "Forces the default encoding to utf-8");
-+}
-diff --git a/policycoreutils/semanage/default_encoding/policycoreutils/__init__.py b/policycoreutils/semanage/default_encoding/policycoreutils/__init__.py
-new file mode 100644
-index 0000000..ccb6b8b
---- /dev/null
-+++ b/policycoreutils/semanage/default_encoding/policycoreutils/__init__.py
-@@ -0,0 +1,17 @@
-+#
-+# Copyright (C) 2006,2007,2008, 2009 Red Hat, Inc.
-+#
-+# This program is free software; you can redistribute it and/or modify
-+# it under the terms of the GNU General Public License as published by
-+# the Free Software Foundation; either version 2 of the License, or
-+# (at your option) any later version.
-+#
-+# This program is distributed in the hope that it will be useful,
-+# but WITHOUT ANY WARRANTY; without even the implied warranty of
-+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-+# GNU General Public License for more details.
-+#
-+# You should have received a copy of the GNU General Public License
-+# along with this program; if not, write to the Free Software
-+# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
-+#
-diff --git a/policycoreutils/semanage/default_encoding/setup.py b/policycoreutils/semanage/default_encoding/setup.py
-new file mode 100644
-index 0000000..e2befdb
---- /dev/null
-+++ b/policycoreutils/semanage/default_encoding/setup.py
-@@ -0,0 +1,38 @@
-+# Authors:
-+# John Dennis <jdennis at redhat.com>
-+#
-+# Copyright (C) 2009 Red Hat
-+# see file 'COPYING' for use and warranty information
-+#
-+# This program is free software; you can redistribute it and/or
-+# modify it under the terms of the GNU General Public License as
-+# published by the Free Software Foundation.
-+#
-+# This program is distributed in the hope that it will be useful,
-+# but WITHOUT ANY WARRANTY; without even the implied warranty of
-+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-+# GNU General Public License for more details.
-+#
-+# You should have received a copy of the GNU General Public License
-+# along with this program; if not, write to the Free Software
-+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
-+
-+from distutils.core import setup, Extension
-+
-+default_encoding_utf8 = Extension('policycoreutils.default_encoding_utf8', ['default_encoding.c'])
-+
-+setup(name = 'policycoreutils-default-encoding',
-+ version = '0.1',
-+ description = 'Forces the default encoding in Python to be utf-8',
-+ long_description = 'Forces the default encoding in Python to be utf-8',
-+ author = 'John Dennis',
-+ author_email = 'jdennis at redhat.com',
-+ maintainer = 'John Dennis',
-+ maintainer_email = 'jdennis at redhat.com',
-+ license = 'GPLv3+',
-+ platforms = 'posix',
-+ url = '',
-+ download_url = '',
-+ ext_modules = [default_encoding_utf8],
-+ packages=["policycoreutils"],
-+)
diff --git a/policycoreutils/semanage/semanage b/policycoreutils/semanage/semanage
index ffaca5b..bc989bf 100644
--- a/policycoreutils/semanage/semanage
@@ -4274,273 +3417,6 @@ index b7d257b..735c1ba 100644
def list(self, heading = True, locallist = False, use_file = False):
on_off = (_("off"), _("on"))
if use_file:
-diff --git a/policycoreutils/sepolgen-ifgen/Makefile b/policycoreutils/sepolgen-ifgen/Makefile
-new file mode 100644
-index 0000000..211580d
---- /dev/null
-+++ b/policycoreutils/sepolgen-ifgen/Makefile
-@@ -0,0 +1,25 @@
-+# Installation directories.
-+PREFIX ?= ${DESTDIR}/usr
-+BINDIR ?= $(PREFIX)/bin
-+LIBDIR ?= ${PREFIX}/lib
-+INCLUDEDIR ?= $(PREFIX)/include
-+
-+CFLAGS ?= -Wall -W
-+override CFLAGS += -I$(INCLUDEDIR)
-+LDLIBS = $(LIBDIR)/libsepol.a
-+
-+all: sepolgen-ifgen-attr-helper
-+
-+sepolgen-ifgen-attr-helper: sepolgen-ifgen-attr-helper.o
-+
-+install: all
-+ -mkdir -p $(BINDIR)
-+ install -m 755 sepolgen-ifgen-attr-helper $(BINDIR)
-+
-+clean:
-+ rm -f *~ *.o sepolgen-ifgen-attr-helper
-+
-+indent:
-+ ../../scripts/Lindent $(wildcard *.[ch])
-+
-+relabel: ;
-diff --git a/policycoreutils/sepolgen-ifgen/sepolgen-ifgen-attr-helper.c b/policycoreutils/sepolgen-ifgen/sepolgen-ifgen-attr-helper.c
-new file mode 100644
-index 0000000..995b270
---- /dev/null
-+++ b/policycoreutils/sepolgen-ifgen/sepolgen-ifgen-attr-helper.c
-@@ -0,0 +1,230 @@
-+/* Authors: Frank Mayer <mayerf at tresys.com>
-+ * and Karl MacMillan <kmacmillan at tresys.com>
-+ *
-+ * Copyright (C) 2003,2010 Tresys Technology, LLC
-+ *
-+ * This program is free software; you can redistribute it and/or
-+ * modify it under the terms of the GNU General Public License as
-+ * published by the Free Software Foundation, version 2.
-+ *
-+ * Adapted from dispol.c.
-+ *
-+ * This program is used by sepolgen-ifgen to get the access for all of
-+ * the attributes in the policy so that it can resolve the
-+ * typeattribute statements in the interfaces.
-+ *
-+ * It outputs the attribute access in a similar format to what sepolgen
-+ * uses to store interface vectors:
-+ * [Attribute sandbox_x_domain]
-+ * sandbox_x_domain,samba_var_t,file,ioctl,read,getattr,lock,open
-+ * sandbox_x_domain,samba_var_t,dir,getattr,search,open
-+ * sandbox_x_domain,initrc_var_run_t,file,ioctl,read,getattr,lock,open
-+ *
-+ */
-+
-+#include <sepol/policydb/policydb.h>
-+#include <sepol/policydb/avtab.h>
-+#include <sepol/policydb/util.h>
-+
-+#include <stdio.h>
-+#include <sys/types.h>
-+#include <sys/stat.h>
-+#include <fcntl.h>
-+#include <sys/mman.h>
-+#include <unistd.h>
-+
-+struct val_to_name {
-+ unsigned int val;
-+ char *name;
-+};
-+
-+static int perm_name(hashtab_key_t key, hashtab_datum_t datum, void *data)
-+{
-+ struct val_to_name *v = data;
-+ perm_datum_t *perdatum;
-+
-+ perdatum = (perm_datum_t *) datum;
-+
-+ if (v->val == perdatum->s.value) {
-+ v->name = key;
-+ return 1;
-+ }
-+
-+ return 0;
-+}
-+
-+int render_access_mask(uint32_t av, avtab_key_t *key, policydb_t *policydbp,
-+ FILE *fp)
-+{
-+ struct val_to_name v;
-+ class_datum_t *cladatum;
-+ char *perm = NULL;
-+ unsigned int i;
-+ int rc;
-+ uint32_t tclass = key->target_class;
-+
-+ cladatum = policydbp->class_val_to_struct[tclass - 1];
-+ for (i = 0; i < cladatum->permissions.nprim; i++) {
-+ if (av & (1 << i)) {
-+ v.val = i + 1;
-+ rc = hashtab_map(cladatum->permissions.table,
-+ perm_name, &v);
-+ if (!rc && cladatum->comdatum) {
-+ rc = hashtab_map(cladatum->comdatum->
-+ permissions.table, perm_name,
-+ &v);
-+ }
-+ if (rc)
-+ perm = v.name;
-+ if (perm) {
-+ fprintf(fp, ",%s", perm);
-+ }
-+ }
-+ }
-+
-+ return 0;
-+}
-+
-+static int render_key(avtab_key_t *key, policydb_t *p, FILE *fp)
-+{
-+ char *stype, *ttype, *tclass;
-+ stype = p->p_type_val_to_name[key->source_type - 1];
-+ ttype = p->p_type_val_to_name[key->target_type - 1];
-+ tclass = p->p_class_val_to_name[key->target_class - 1];
-+ if (stype && ttype) {
-+ fprintf(fp, "%s,%s,%s", stype, ttype, tclass);
-+ } else {
-+ fprintf(stderr, "error rendering key\n");
-+ exit(1);
-+ }
-+
-+ return 0;
-+}
-+
-+struct callback_data
-+{
-+ uint32_t attr;
-+ policydb_t *policy;
-+ FILE *fp;
-+};
-+
-+int output_avrule(avtab_key_t *key, avtab_datum_t *datum, void *args)
-+{
-+ struct callback_data *cb_data = (struct callback_data *)args;
-+
-+ if (key->source_type != cb_data->attr)
-+ return 0;
-+
-+ if (!(key->specified & AVTAB_AV && key->specified & AVTAB_ALLOWED))
-+ return 0;
-+
-+ render_key(key, cb_data->policy, cb_data->fp);
-+ render_access_mask(datum->data, key, cb_data->policy, cb_data->fp);
-+ fprintf(cb_data->fp, "\n");
-+
-+ return 0;
-+}
-+
-+static int attribute_callback(hashtab_key_t key, hashtab_datum_t datum, void *datap)
-+{
-+ struct callback_data *cb_data = (struct callback_data *)datap;
-+ type_datum_t *t = (type_datum_t *)datum;
-+
-+ if (t->flavor == TYPE_ATTRIB) {
-+ fprintf(cb_data->fp, "[Attribute %s]\n", key);
-+ cb_data->attr = t->s.value;
-+ if (avtab_map(&cb_data->policy->te_avtab, output_avrule, cb_data) < 0)
-+ return -1;
-+ if (avtab_map(&cb_data->policy->te_cond_avtab, output_avrule, cb_data) < 0)
-+ return -1;
-+ }
-+
-+ return 0;
-+}
-+
-+static policydb_t *load_policy(const char *filename)
-+{
-+ policydb_t *policydb;
-+ struct policy_file pf;
-+ FILE *fp;
-+ int ret;
-+
-+ fp = fopen(filename, "r");
-+ if (fp == NULL) {
-+ fprintf(stderr, "Can't open '%s': %s\n",
-+ filename, strerror(errno));
-+ return NULL;
-+ }
-+
-+ policy_file_init(&pf);
-+ pf.type = PF_USE_STDIO;
-+ pf.fp = fp;
-+
-+ policydb = malloc(sizeof(policydb_t));
-+ if (policydb == NULL) {
-+ fprintf(stderr, "Out of memory!\n");
-+ return NULL;
-+ }
-+
-+ if (policydb_init(policydb)) {
-+ fprintf(stderr, "Out of memory!\n");
-+ return NULL;
-+ }
-+
-+ ret = policydb_read(policydb, &pf, 1);
-+ if (ret) {
-+ fprintf(stderr,
-+ "error(s) encountered while parsing configuration\n");
-+ return NULL;
-+ }
-+
-+ fclose(fp);
-+
-+ return policydb;
-+
-+}
-+
-+void usage(char *progname)
-+{
-+ printf("usage: %s policy_file out_file\n", progname);
-+}
-+
-+int main(int argc, char **argv)
-+{
-+ policydb_t *p;
-+ struct callback_data cb_data;
-+ FILE *fp;
-+
-+ if (argc != 3) {
-+ usage(argv[0]);
-+ exit(1);
-+ }
-+
-+ /* Open the policy. */
-+ p = load_policy(argv[1]);
-+ if (p == NULL) {
-+ exit(1);
-+ }
-+
-+ /* Open the output policy. */
-+ fp = fopen(argv[2], "w");
-+ if (fp == NULL) {
-+ fprintf(stderr, "error opening output file\n");
-+ policydb_destroy(p);
-+ free(p);
-+ }
-+
-+ /* Find all of the attributes and output their access. */
-+ cb_data.policy = p;
-+ cb_data.fp = fp;
-+
-+ if (hashtab_map(p->p_types.table, attribute_callback, &cb_data)) {
-+ printf("error finding attributes\n");
-+ }
-+
-+ policydb_destroy(p);
-+ free(p);
-+ fclose(fp);
-+
-+ return 0;
-+}
diff --git a/policycoreutils/setfiles/restore.c b/policycoreutils/setfiles/restore.c
index b649d8f..38416d8 100644
--- a/policycoreutils/setfiles/restore.c
diff --git a/policycoreutils.spec b/policycoreutils.spec
index b2b5fea..1b92535 100644
--- a/policycoreutils.spec
+++ b/policycoreutils.spec
@@ -7,7 +7,7 @@
Summary: SELinux policy core utilities
Name: policycoreutils
Version: 2.0.85
-Release: 6%{?dist}
+Release: 7%{?dist}
License: GPLv2
Group: System Environment/Base
# Based on git repository with tag 20101221
@@ -329,6 +329,9 @@ fi
exit 0
%changelog
+* Wed Jan 19 2011 Dan Walsh <dwalsh at redhat.com> 2.0.85-7
+- Have restorecond watch more directories in homedir
+
* Fri Jan 14 2011 Dan Walsh <dwalsh at redhat.com> 2.0.85-6
- Add sandbox to sepolgen
More information about the scm-commits
mailing list