From: <kma...@us...> - 2006-11-20 17:06:21
Revision: 2093
          http://svn.sourceforge.net/selinux/?rev=2093&view=rev
Author:   kmacmillan
Date:     2006-11-20 09:05:57 -0800 (Mon, 20 Nov 2006)
Log Message:
-----------
Author: Karl MacMillan
Email: kma...@me...
Subject: Multiple small fixes to policycoreutils
Date: Thu, 16 Nov 2006 17:15:15 -0500
Joshua Brindle wrote:
>> From: Karl MacMillan [mailto:kma...@me...] 
>>
>> Daniel J Walsh wrote:
>>> Joshua Brindle wrote:
>>>> Karl MacMillan wrote:
>> <snip>
>>
>>>>> What about a top-level USE_PIE makefile variable that directs all 
>>>>> sub-Makefiles to set PIE flags if appropriate for that module? By 
>>>>> default it would be off. This gets the behavior you want without 
>>>>> having to carry a patch and keeps the current behavior.
>>>>>
>>>> No patch necessary, like Chris said make CFLAGS="-fPIE -02 -Werror 
>>>> -Wall" LDFLAGS="-pie"
>>>>
>>>> done and done.
>>>>
>>> No, because then all compiled apps become -pie.  We only 
>> want this on 
>>> the daemons.
>>>
>> What about this instead?
> 
> Why doesn't make CFLAGS="-fPIE -02 -Werror -Wall" LDFLAGS="-pie" work? 
> Why does it matter if everything is built pie?
> 
There are performance costs associated with pie, particularly at 
startup. Talking to Dan though, he doesn't think it is enough to not 
just build everything as pie.
Resend below that I will apply unless there are other objections.
> This is distro specific (gentoo completely overrides the CFLAGS and
> LDFLAGS, I'm not sure what debian does). I don't think whether or not to
> override the user CFLAGS with non-critical things (e.g., things
> necessary to build the app like -I($PREFIX)/include) is appropriate for
> the upstream makefiles.
> 
> For that matter, anyone know why -D_FILE_OFFSET_BITS=64 is in the
> override?
> 
I wondered that as well - Dan?
Karl
Signed-off by: Karl MacMillan <kma...@me...> 
Modified Paths:
--------------
    trunk/policycoreutils/ChangeLog
    trunk/policycoreutils/newrole/newrole.c
    trunk/policycoreutils/restorecond/restorecond.conf
    trunk/policycoreutils/scripts/genhomedircon.8
    trunk/policycoreutils/semanage/semanage.8
    trunk/policycoreutils/semodule_expand/semodule_expand.8
Modified: trunk/policycoreutils/ChangeLog
===================================================================
--- trunk/policycoreutils/ChangeLog	2006-11-14 00:25:28 UTC (rev 2092)
+++ trunk/policycoreutils/ChangeLog	2006-11-20 17:05:57 UTC (rev 2093)
@@ -1,3 +1,9 @@
+1.33.2 2006-11-20
+	* Merged patch from Dan Walsh (via Karl MacMillan):
+	  * Added newrole audit message on login failure
+	  * Add /var/log/wtmp to restorecond.conf watch list
+	  * Fix genhomedircon, semanage, semodule_expand man pages.
+	
 1.33.1 2006-11-13
 	* Merged newrole patch set from Michael Thompson.
 
Modified: trunk/policycoreutils/newrole/newrole.c
===================================================================
--- trunk/policycoreutils/newrole/newrole.c	2006-11-14 00:25:28 UTC (rev 2092)
+++ trunk/policycoreutils/newrole/newrole.c	2006-11-20 17:05:57 UTC (rev 2093)
@@ -1028,6 +1028,7 @@
 	{
 		fprintf(stderr, _("newrole: incorrect password for %s\n"),
 			pw.pw_name);
+		send_audit_message(0, old_context, new_context, ttyn);
 		goto err_close_pam;
 	}
 
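Review bot: The result of the added send_audit_message(0, old_context, new_context, ttyn) call is discarded, so if the audit record for the incorrect-password case cannot be written, nothing reports it. If the function returns a status, check it and print a diagnostic before the goto err_close_pam. The literal 0 passed as the first argument would also be easier to audit as a named constant or with a short comment stating what it signifies.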
Modified: trunk/policycoreutils/restorecond/restorecond.conf
===================================================================
--- trunk/policycoreutils/restorecond/restorecond.conf	2006-11-14 00:25:28 UTC (rev 2092)
+++ trunk/policycoreutils/restorecond/restorecond.conf	2006-11-20 17:05:57 UTC (rev 2093)
@@ -2,5 +2,6 @@
 /etc/samba/secrets.tdb
 /etc/mtab
 /var/run/utmp
+/var/log/wtmp
 ~/public_html
 ~/.mozilla/plugins/libflashplayer.so
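Review bot: Missing rationale for the new /var/log/wtmp entry: neither the log message nor the ChangeLog says what mislabeling prompted it. Please record which program recreates the file with the wrong context, as that is what a later reader needs in order to judge whether the entry placed next to /var/run/utmp is still required.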
Modified: trunk/policycoreutils/scripts/genhomedircon.8
===================================================================
--- trunk/policycoreutils/scripts/genhomedircon.8	2006-11-14 00:25:28 UTC (rev 2092)
+++ trunk/policycoreutils/scripts/genhomedircon.8	2006-11-20 17:05:57 UTC (rev 2093)
@@ -45,35 +45,30 @@
 .SH DESCRIPTION
 .PP
 This utility is used to generate file context configuration entries for 
-user home directories based on their default roles and is run when building 
-the policy. It can also be run when ever the 
-.I /etc/selinux/<<SELINUXTYPE>>/users/local.users
-file is changed 
+user home directories based on their 
+.B prefix 
+entry in the the 
+.B semanage user record.  
+genhomedircon is run when building 
+the policy. It is also run automaticaly when ever the 
+.B semanage 
+utility modifies 
+.B user
+or
+.B login
+records.
 Specifically, we replace HOME_ROOT, HOME_DIR, and ROLE macros in the 
 .I /etc/selinux/<<SELINUXTYPE>>/contexts/files/homedir_template 
-file with generic and user-specific values.
-.I local.users
-file. If a user has more than one role in 
-.I local.users,
-.B genhomedircon
-uses the first role in the list. 
+file with generic and user-specific values.  HOME_ROOT and HOME_DIR is replaced with each distinct location where login users homedirectories are located.  Defaults to /home. ROLE is replaced based on the prefix entry in the 
+.B user
+record.
 .PP 
-If a user is not listed in 
-.I local.users,
-.B genhomedircon
-assumes that the user's home dir will be found in one of the
-HOME_ROOTs. 
-When looking for these users, 
-.B genhomedircon
-only considers real users. "Real" users (as opposed
-to system users) are those whose UID is greater than or equal 
+genhomedircon searches through all password entires for all "login" user home directories, (as opposed
+to system users).  Login users are those whose UID is greater than or equal 
 .I STARTING_UID
 (default 500) and whose login shell is not "/sbin/nologin", or
 "/bin/false". 
 .PP 
-Users who are explicitly defined in 
-.I local.users,
-are always "real" (including root, in the default configuration).
 .SH AUTHOR
 This manual page was originally written by 
 .I Manoj Srivastava <sri...@de...>,
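Review bot: The added man page text has several typos that should be fixed before this lands: "in the the", "automaticaly", "when ever" (whenever), "password entires" (entries), "homedirectories", and "HOME_ROOT and HOME_DIR is replaced" (are replaced). The sentence "Defaults to /home." has no subject; say explicitly that HOME_ROOT defaults to /home. The comma before "(as opposed" is stray, and since the sentence around STARTING_UID is being rewritten anyway, "greater than or equal" can pick up its missing "to".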
Modified: trunk/policycoreutils/semanage/semanage.8
===================================================================
--- trunk/policycoreutils/semanage/semanage.8	2006-11-14 00:25:28 UTC (rev 2092)
+++ trunk/policycoreutils/semanage/semanage.8	2006-11-20 17:05:57 UTC (rev 2093)
@@ -7,7 +7,7 @@
 .br
 .B semanage login \-{a|d|m} [\-sr] login_name
 .br
-.B semanage user \-{a|d|m} [\-LrR] selinux_name
+.B semanage user \-{a|d|m} [\-LrRP] selinux_name
 .br
 .B semanage port \-{a|d|m} [\-tr] [\-p protocol] port | port_range
 .br
@@ -71,6 +71,9 @@
 .I                \-R, \-\-role
 SELinux Roles.  You must enclose multiple roles within quotes, separate by spaces. Or specify \-R multiple times.
 .TP
+.I                \-P, \-\-prefix
+SELinux Prefix.  Prefix added to home_dir_t and home_t for labeling users home directories.
+.TP
 .I                \-s, \-\-seuser     
 SELinux user name
 .TP
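Review bot: The new \-P, \-\-prefix entry does not say which semanage object it applies to or what a valid value looks like. The synopsis hunk above adds P only to the "semanage user" line, so say that here and give one example value, so the reader can connect it to the ROLE substitution described in genhomedircon.8. "users home directories" also needs an apostrophe (users').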
Modified: trunk/policycoreutils/semodule_expand/semodule_expand.8
===================================================================
--- trunk/policycoreutils/semodule_expand/semodule_expand.8	2006-11-14 00:25:28 UTC (rev 2092)
+++ trunk/policycoreutils/semodule_expand/semodule_expand.8	2006-11-20 17:05:57 UTC (rev 2093)
@@ -18,7 +18,7 @@
 .SH "OPTIONS"
 .TP
 .B \-V
-verbose mode
+show version
 .TP
 .B \-c [version]
 policy version to create
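Review bot: The description of \-V changes from "verbose mode" to "show version", but the option handling in semodule_expand is not part of this diff, so the new wording cannot be checked from the patch alone. Please confirm it matches the code, and mention the corrected meaning in the ChangeLog entry, which currently says only that the man pages were fixed.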