[policycoreutils/f20] Add Miroslav Grepl setsebool patch to give better error message on bad boolean names

Daniel J Walsh dwalsh at fedoraproject.org
Wed Sep 4 21:14:03 UTC 2013


commit 07948c9d820e674d0a23aec5c35126f3f0b4830e
Author: Dan Walsh <dwalsh at redhat.com>
Date:   Wed Sep 4 17:13:48 2013 -0400

    Add Miroslav Grepl setsebool patch to give better error message on bad boolean names
    
    - Additional help screens for sepolicy gui

 policycoreutils-rhat.patch |  181 ++++++++++++++++++++++++++++++++++++++++---
 policycoreutils.spec       |    6 +-
 2 files changed, 173 insertions(+), 14 deletions(-)
---
diff --git a/policycoreutils-rhat.patch b/policycoreutils-rhat.patch
index 8c3d7ec..e2c8e36 100644
--- a/policycoreutils-rhat.patch
+++ b/policycoreutils-rhat.patch
@@ -513618,6 +513618,22 @@ index 4eca22d..2a9e1c7 100644
  PyObject *m;
  m = Py_InitModule("_policy", methods);
  init_info(m);
+diff --git a/policycoreutils/sepolicy/selinux_client.py b/policycoreutils/sepolicy/selinux_client.py
+new file mode 100644
+index 0000000..afd3f31
+--- /dev/null
++++ b/policycoreutils/sepolicy/selinux_client.py
+@@ -0,0 +1,10 @@
++import dbus
++import dbus.service
++from sepolicy.sedbus import SELinuxDBus
++if __name__ == "__main__": 
++    try:
++        dbus_proxy = SELinuxDBus()
++        resp = dbus_proxy.customized()
++        print (resp)
++    except dbus.DBusException, e:
++        print e
 diff --git a/policycoreutils/sepolicy/selinux_server.py b/policycoreutils/sepolicy/selinux_server.py
 new file mode 100644
 index 0000000..dfefb65
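Review bot: The handler in the new selinux_client.py uses the Python 2-only form `except dbus.DBusException, e:` and mixes `print (resp)` with `print e`. Writing `except dbus.DBusException as e:` and `print(e)` behaves the same on Python 2.6+ and keeps the file parseable by Python 3. `import dbus.service` is not referenced anywhere in the ten added lines and could be dropped.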
@@ -515901,7 +515917,7 @@ index 26f8390..ba959ae 100644
              return out
 diff --git a/policycoreutils/sepolicy/sepolicy/gui.py b/policycoreutils/sepolicy/sepolicy/gui.py
 new file mode 100644
-index 0000000..5455378
+index 0000000..745e7b9
 --- /dev/null
 +++ b/policycoreutils/sepolicy/sepolicy/gui.py
 @@ -0,0 +1,2797 @@
@@ -516550,7 +516566,7 @@ index 0000000..5455378
 +            fd.close()
 +        except IOError:
 +            buf = ""
-+        self.help_text.set_label(buf)
++        self.help_text.set_label(buf % { "APP": self.application } )
 +        self.help_image.set_from_file("%shelp/%s.png" % (self.code_path, self.help_list[self.help_page]))
 +        self.help_window.show()
 +
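Review bot: `buf % { "APP": self.application }` sits outside the `try`/`except IOError` above it, so a help file with a literal `%` that is not part of `%(APP)s`, or with a misspelled key, raises ValueError or KeyError and the help window is never shown. The help texts are free-form and likely to be edited or translated, so either document that `%` must be written as `%%`, or substitute only the one placeholder with `buf.replace("%(APP)s", self.application)`. The new help files also carry `<b>` tags, so if this label renders markup the substituted value should probably be markup-escaped first (g_markup_escape_text or its Python binding); this needs confirming against the widget definition. The enclosing method starts above this hunk.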
@@ -516600,7 +516616,7 @@ index 0000000..5455378
 +            ipage = self.inner_notebook_transitions.get_current_page()
 +            if ipage == 0:
 +                self.help_window.set_title(_("Help: Transition from application Page"))
-+                self.help_list = [ "transition_from" ]
++                self.help_list = [ "transition_from", "transition_from_boolean", "transition_from_boolean_1", "transition_from_boolean_2"]
 +                return self.help_show_page()
 +            if ipage == 1:
 +                self.help_window.set_title(_("Help: Transition into application Page"))
@@ -518706,6 +518722,59 @@ diff --git a/policycoreutils/sepolicy/sepolicy/help/booleans.png b/policycoreuti
 new file mode 100644
 index 0000000..a7b4206
 Binary files /dev/null and b/policycoreutils/sepolicy/sepolicy/help/booleans.png differ
+diff --git a/policycoreutils/sepolicy/sepolicy/help/booleans.txt b/policycoreutils/sepolicy/sepolicy/help/booleans.txt
+new file mode 100644
+index 0000000..d2924f8
+--- /dev/null
++++ b/policycoreutils/sepolicy/sepolicy/help/booleans.txt
+@@ -0,0 +1,5 @@
++You are viewing the booleans page for the application domain.  
++
++SELinux Policy writers have written booleans, if-than-else rules, into the policy.  This allows the adminstrator to change the way SELinux enforces policy on an application.  The administrator can tighten or loosen the SELinux policy based on his needs.
++
++You can use the "Filter Text Entry" to search for approprate booleans.  The Show Modified Only toggle, will show the booleans that your system has customized.
+diff --git a/policycoreutils/sepolicy/sepolicy/help/booleans_more.png b/policycoreutils/sepolicy/sepolicy/help/booleans_more.png
+new file mode 100644
+index 0000000..1323d1a
+Binary files /dev/null and b/policycoreutils/sepolicy/sepolicy/help/booleans_more.png differ
+diff --git a/policycoreutils/sepolicy/sepolicy/help/booleans_more.txt b/policycoreutils/sepolicy/sepolicy/help/booleans_more.txt
+new file mode 100644
+index 0000000..b58f104
+--- /dev/null
++++ b/policycoreutils/sepolicy/sepolicy/help/booleans_more.txt
+@@ -0,0 +1,4 @@
++You are viewing the booleans page for the application domain.  
++
++Selecting the "More..." button will open a dialog containing the SELinux allow rules that are turned on by the selected boolean.
++
+diff --git a/policycoreutils/sepolicy/sepolicy/help/booleans_more_show.png b/policycoreutils/sepolicy/sepolicy/help/booleans_more_show.png
+new file mode 100644
+index 0000000..885704b
+Binary files /dev/null and b/policycoreutils/sepolicy/sepolicy/help/booleans_more_show.png differ
+diff --git a/policycoreutils/sepolicy/sepolicy/help/booleans_more_show.txt b/policycoreutils/sepolicy/sepolicy/help/booleans_more_show.txt
+new file mode 100644
+index 0000000..e0804d2
+--- /dev/null
++++ b/policycoreutils/sepolicy/sepolicy/help/booleans_more_show.txt
+@@ -0,0 +1,4 @@
++You are viewing the booleans page for the application domain.  
++
++
++
+diff --git a/policycoreutils/sepolicy/sepolicy/help/booleans_toggled.png b/policycoreutils/sepolicy/sepolicy/help/booleans_toggled.png
+new file mode 100644
+index 0000000..7a36510
+Binary files /dev/null and b/policycoreutils/sepolicy/sepolicy/help/booleans_toggled.png differ
+diff --git a/policycoreutils/sepolicy/sepolicy/help/booleans_toggled.txt b/policycoreutils/sepolicy/sepolicy/help/booleans_toggled.txt
+new file mode 100644
+index 0000000..2ba4ab9
+--- /dev/null
++++ b/policycoreutils/sepolicy/sepolicy/help/booleans_toggled.txt
+@@ -0,0 +1,4 @@
++You are viewing the booleans page for the application domain.  
++
++Toggle the button to turn on or off the boolean.  This will not happen immediately.  All changes on the application screen are bundled up into a single transacton.  you need to select the update button to apply all of your changes to the system.
++
 diff --git a/policycoreutils/sepolicy/sepolicy/help/files_apps.png b/policycoreutils/sepolicy/sepolicy/help/files_apps.png
 new file mode 100644
 index 0000000..04dddf2
@@ -518738,6 +518807,65 @@ diff --git a/policycoreutils/sepolicy/sepolicy/help/transition_from.png b/policy
 new file mode 100644
 index 0000000..26a6d43
 Binary files /dev/null and b/policycoreutils/sepolicy/sepolicy/help/transition_from.png differ
+diff --git a/policycoreutils/sepolicy/sepolicy/help/transition_from.txt b/policycoreutils/sepolicy/sepolicy/help/transition_from.txt
+new file mode 100644
+index 0000000..9547af7
+--- /dev/null
++++ b/policycoreutils/sepolicy/sepolicy/help/transition_from.txt
+@@ -0,0 +1,9 @@
++This screen shows <b>Executable File Paths</b> that will transition from processes running with the <b>%(APP)s</b> type.
++
++Under SELinux, when a process running with a "type" attempts to execute an executable, one of three things can happen.  
++
++1.  The process can be prevented from running the executable.
++2.  The executable executes with the same label as parent.
++3.  The executable <b>transitions</b> to a new "type" based on policy.
++
++This screen shows the executables that transition to another domain when <b>%(APP)s</b> executes them, and the <b>SELinux Application Type</b> of the newly created process.
+diff --git a/policycoreutils/sepolicy/sepolicy/help/transition_from_boolean.png b/policycoreutils/sepolicy/sepolicy/help/transition_from_boolean.png
+new file mode 100644
+index 0000000..f3d2642
+Binary files /dev/null and b/policycoreutils/sepolicy/sepolicy/help/transition_from_boolean.png differ
+diff --git a/policycoreutils/sepolicy/sepolicy/help/transition_from_boolean.txt b/policycoreutils/sepolicy/sepolicy/help/transition_from_boolean.txt
+new file mode 100644
+index 0000000..bd8539a
+--- /dev/null
++++ b/policycoreutils/sepolicy/sepolicy/help/transition_from_boolean.txt
+@@ -0,0 +1,8 @@
++Transitions can be controlled by SELinux Booleans.
++
++SELinux Booleans are If-then-else rules in policy, that allow the admistrator
++to modify the access control on a process type.
++
++Transition rules are either always allowed or can be turned on and off based on the boolean settings.   If the <b>Boolean Enabled</b> column has an arrow on it, this indicates the transition is controlled by a boolean.  
++
++Go to the next screen to see the effect of clicking on the arrow.
+diff --git a/policycoreutils/sepolicy/sepolicy/help/transition_from_boolean_1.png b/policycoreutils/sepolicy/sepolicy/help/transition_from_boolean_1.png
+new file mode 100644
+index 0000000..9e660f8
+Binary files /dev/null and b/policycoreutils/sepolicy/sepolicy/help/transition_from_boolean_1.png differ
+diff --git a/policycoreutils/sepolicy/sepolicy/help/transition_from_boolean_1.txt b/policycoreutils/sepolicy/sepolicy/help/transition_from_boolean_1.txt
+new file mode 100644
+index 0000000..f120f5f
+--- /dev/null
++++ b/policycoreutils/sepolicy/sepolicy/help/transition_from_boolean_1.txt
+@@ -0,0 +1,3 @@
++After selecting the arrow under Boolean Enabled column, the line will exband
++to show a link which you can click.  This will take you to the booleans page 
++and allow you to enable the boolean which will enable or disable the transition.
+diff --git a/policycoreutils/sepolicy/sepolicy/help/transition_from_boolean_2.png b/policycoreutils/sepolicy/sepolicy/help/transition_from_boolean_2.png
+new file mode 100644
+index 0000000..98f4f4d
+Binary files /dev/null and b/policycoreutils/sepolicy/sepolicy/help/transition_from_boolean_2.png differ
+diff --git a/policycoreutils/sepolicy/sepolicy/help/transition_from_boolean_2.txt b/policycoreutils/sepolicy/sepolicy/help/transition_from_boolean_2.txt
+new file mode 100644
+index 0000000..4d3f3f1
+--- /dev/null
++++ b/policycoreutils/sepolicy/sepolicy/help/transition_from_boolean_2.txt
+@@ -0,0 +1,3 @@
++This screen shows you the boolean page with the boolean selected.
++
++Enable or disable the boolean to turn on or off the transition.
 diff --git a/policycoreutils/sepolicy/sepolicy/help/transition_to.png b/policycoreutils/sepolicy/sepolicy/help/transition_to.png
 new file mode 100644
 index 0000000..49558d9
@@ -519574,7 +519702,7 @@ index 0000000..7ad2af7
 +        print e
 diff --git a/policycoreutils/sepolicy/sepolicy/sepolicy.glade b/policycoreutils/sepolicy/sepolicy/sepolicy.glade
 new file mode 100644
-index 0000000..1b7a2f0
+index 0000000..f01159e
 --- /dev/null
 +++ b/policycoreutils/sepolicy/sepolicy/sepolicy.glade
 @@ -0,0 +1,4326 @@
@@ -520136,8 +520264,8 @@ index 0000000..1b7a2f0
 +		    <property name="can_focus">False</property>
 +		    <property name="xalign">0</property>
 +		    <property name="xpad">10</property>
-+		    <property name="label" translatable="yes">&lt;operation&gt; File Labeling for &lt;selected domain&gt;. File labels will be created when update is applied.</property>
 +		    <property name="justify">fill</property>
++                    <property name="use_markup">True</property>
 +		    <property name="wrap">True</property>
 +		  </object>
 +		  <packing>
@@ -524708,18 +524836,19 @@ index 38abeb8..916a58c 100644
 -getsebool(8), booleans(8), togglesebool(8)
 +getsebool(8), booleans(8), togglesebool(8), semanage(8)
 diff --git a/policycoreutils/setsebool/setsebool.c b/policycoreutils/setsebool/setsebool.c
-index 86578f7..219e088 100644
+index 86578f7..3ef37a0 100644
 --- a/policycoreutils/setsebool/setsebool.c
 +++ b/policycoreutils/setsebool/setsebool.c
-@@ -10,6 +10,7 @@
+@@ -10,6 +10,8 @@
  #include <pwd.h>
  #include <selinux/selinux.h>
  #include <semanage/handle.h>
 +#include <semanage/debug.h>
++#include <semanage/booleans_policy.h>
  #include <semanage/booleans_local.h>
  #include <semanage/booleans_active.h>
  #include <semanage/boolean_record.h>
-@@ -17,13 +18,14 @@
+@@ -17,13 +19,14 @@
  
  int permanent = 0;
  int reload = 1;
@@ -524735,7 +524864,7 @@ index 86578f7..219e088 100644
  	     stderr);
  	exit(1);
  }
-@@ -41,7 +43,7 @@ int main(int argc, char **argv)
+@@ -41,7 +44,7 @@ int main(int argc, char **argv)
  	}
  
  	while (1) {
@@ -524744,7 +524873,7 @@ index 86578f7..219e088 100644
  		if (clflag == -1)
  			break;
  
-@@ -52,6 +54,9 @@ int main(int argc, char **argv)
+@@ -52,6 +55,9 @@ int main(int argc, char **argv)
  		case 'N':
  		        reload = 0;
  			break;
@@ -524754,7 +524883,15 @@ index 86578f7..219e088 100644
  		default:
  			usage();
  			break;
-@@ -130,6 +135,10 @@ static int semanage_set_boolean_list(size_t boolcnt,
+@@ -123,6 +129,7 @@ static int semanage_set_boolean_list(size_t boolcnt,
+ 	semanage_bool_t *boolean = NULL;
+ 	semanage_bool_key_t *bool_key = NULL;
+ 	int managed;
++	int result;
+ 
+ 	handle = semanage_handle_create();
+ 	if (handle == NULL) {
+@@ -130,6 +137,10 @@ static int semanage_set_boolean_list(size_t boolcnt,
  		goto err;
  	}
  
@@ -524765,7 +524902,25 @@ index 86578f7..219e088 100644
  	managed = semanage_is_managed(handle);
  	if (managed < 0) {
  		fprintf(stderr,
-@@ -172,7 +181,7 @@ static int semanage_set_boolean_list(size_t boolcnt,
+@@ -166,13 +177,25 @@ static int semanage_set_boolean_list(size_t boolcnt,
+ 
+ 		if (semanage_bool_key_extract(handle, boolean, &bool_key) < 0)
+ 			goto err;
++        
++		semanage_bool_exists(handle, bool_key, &result);
++		if ( !result ) {
++			fprintf(stderr, "Boolean %s is not defined\n", boollist[j].name);
++ 			goto err;
++		}
++
++		semanage_bool_exists_local(handle, bool_key, &result);
++		if ( !result ) {
++			fprintf(stderr, "Boolean %s is not defined\n", boollist[j].name);
++ 			goto err;
++		}
+ 
+ 		if (semanage_bool_modify_local(handle, bool_key,
+ 						  boolean) < 0)
  			goto err;
  
  		if (semanage_bool_set_active(handle, bool_key, boolean) < 0) {
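Review bot: The two added existence checks ignore the return values of `semanage_bool_exists()` and `semanage_bool_exists_local()`, and `result` is declared without an initializer (the `int result;` added in the earlier setsebool.c hunk), so if either query fails the following `if ( !result )` tests an indeterminate value. The checks are also sequential rather than nested: as written, a boolean that is defined in policy but has no local modification yet appears to be rejected with "is not defined", which would block the first persistent change of any boolean; please confirm this is not intended. The shape below fails on a query error and reports an undefined boolean only when it is in neither the policy nor the local store. `semanage_set_boolean_list()` starts and ends outside this hunk.

```c
		/* … unchanged: semanage_bool_key_extract() call … */

		if (semanage_bool_exists(handle, bool_key, &result) < 0)
			goto err;
		if (!result) {
			/* Not in the policy store: accept it only if a local record exists. */
			if (semanage_bool_exists_local(handle, bool_key, &result) < 0)
				goto err;
			if (!result) {
				fprintf(stderr, "Boolean %s is not defined\n", boollist[j].name);
				goto err;
			}
		}

		/* … unchanged: semanage_bool_modify_local() and semanage_bool_set_active() … */
```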
@@ -524774,7 +524929,7 @@ index 86578f7..219e088 100644
  				boollist[j].name);
  			goto err;
  		}
-@@ -194,7 +203,6 @@ static int semanage_set_boolean_list(size_t boolcnt,
+@@ -194,7 +217,6 @@ static int semanage_set_boolean_list(size_t boolcnt,
  	semanage_bool_key_free(bool_key);
  	semanage_bool_free(boolean);
  	semanage_handle_destroy(handle);
diff --git a/policycoreutils.spec b/policycoreutils.spec
index 1511bd3..085bf11 100644
--- a/policycoreutils.spec
+++ b/policycoreutils.spec
@@ -7,7 +7,7 @@
 Summary: SELinux policy core utilities
 Name:	 policycoreutils
 Version: 2.1.14
-Release: 78%{?dist}
+Release: 79%{?dist}
 License: GPLv2
 Group:	 System Environment/Base
 # Based on git repository with tag 20101221
@@ -336,6 +336,10 @@ The policycoreutils-restorecond package contains the restorecond service.
 %systemd_postun_with_restart restorecond.service
 
 %changelog
+* Wed Sep 4 2013 Dan Walsh <dwalsh at redhat.com> - 2.1.14-79
+- Add Miroslav Grepl setsebool patch to give better error message on bad boolean names
+- Additional help screens for sepolicy gui
+
 * Tue Sep 3 2013 Dan Walsh <dwalsh at redhat.com> - 2.1.14-78
 - Random fixes for sepolicy gui
 - Update Translations

