From: <mad...@us...> - 2007-08-16 19:19:31
Revision: 2518
http://selinux.svn.sourceforge.net/selinux/?rev=2518&view=rev
Author: madmethod
Date: 2007-08-16 12:19:24 -0700 (Thu, 16 Aug 2007)
Log Message:
-----------
Disable dontaudits via semodule -D
Signed-off-by: Joshua Brindle <me...@ma...
Acked-by: Stephen Smalley <sd...@ty...>
Modified Paths:
--------------
trunk/libsemanage/ChangeLog
trunk/libsemanage/VERSION
trunk/libsemanage/include/semanage/handle.h
trunk/libsemanage/src/handle.c
trunk/libsemanage/src/libsemanage.map
trunk/libsepol/ChangeLog
trunk/libsepol/VERSION
trunk/libsepol/include/sepol/handle.h
trunk/libsepol/src/expand.c
trunk/libsepol/src/handle.c
trunk/libsepol/src/handle.h
trunk/libsepol/src/libsepol.map
trunk/policycoreutils/ChangeLog
trunk/policycoreutils/VERSION
trunk/policycoreutils/semodule/semodule.c
Modified: trunk/libsemanage/ChangeLog
===================================================================
--- trunk/libsemanage/ChangeLog 2007-08-12 20:26:56 UTC (rev 2517)
+++ trunk/libsemanage/ChangeLog 2007-08-16 19:19:24 UTC (rev 2518)
@@ -1,3 +1,7 @@
+2.0.4 2007-08-16
+ * Allow dontaudits to be turned off via semanage interface when
+ updating policy
+
2.0.3 2007-04-25
* Fix to libsemanage man patches so whatis will work better from Dan Walsh
Modified: trunk/libsemanage/VERSION
===================================================================
--- trunk/libsemanage/VERSION 2007-08-12 20:26:56 UTC (rev 2517)
+++ trunk/libsemanage/VERSION 2007-08-16 19:19:24 UTC (rev 2518)
@@ -1 +1 @@
-2.0.3
+2.0.4
Modified: trunk/libsemanage/include/semanage/handle.h
===================================================================
--- trunk/libsemanage/include/semanage/handle.h 2007-08-12 20:26:56 UTC (rev 2517)
+++ trunk/libsemanage/include/semanage/handle.h 2007-08-16 19:19:24 UTC (rev 2518)
@@ -69,6 +69,9 @@
* 1 for yes, 0 for no (default) */
void semanage_set_create_store(semanage_handle_t * handle, int create_store);
+/* Set whether or not to disable dontaudits upon commit */
+void semanage_set_disable_dontaudit(semanage_handle_t * handle, int disable_dontaudit);
+
/* Check whether policy is managed via libsemanage on this system.
* Must be called prior to trying to connect.
* Return 1 if policy is managed via libsemanage on this system,
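Review bot: The new comment on `semanage_set_disable_dontaudit` does not say which values the `disable_dontaudit` argument accepts, unlike the `semanage_set_create_store` comment just above it (`1 for yes, 0 for no (default)`), nor what "disable" means for the resulting policy. Suggest `/* Set whether dontaudit rules are dropped from the policy built on the next commit: 1 for yes, 0 for no (default). With dontaudits dropped, the denials those rules would have silenced are audited. */`. Whether the setting stays in force for later commits on the same handle is not visible from this hunk and is worth stating here once confirmed.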
Modified: trunk/libsemanage/src/handle.c
===================================================================
--- trunk/libsemanage/src/handle.c 2007-08-12 20:26:56 UTC (rev 2517)
+++ trunk/libsemanage/src/handle.c 2007-08-16 19:19:24 UTC (rev 2518)
@@ -109,6 +109,14 @@
return;
}
+void semanage_set_disable_dontaudit(semanage_handle_t * sh, int disable_dontaudit)
+{
+ assert(sh != NULL);
+
+ sepol_set_disable_dontaudit(sh->sepolh, disable_dontaudit);
+ return;
+}
+
int semanage_is_connected(semanage_handle_t * sh)
{
assert(sh != NULL);
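Review bot: The flag forwarded by `semanage_set_disable_dontaudit` is set on the sepol handle and, as far as this hunk shows, never cleared, while the public header describes the effect as happening "upon commit"; a long-lived handle that commits again without calling the setter will keep dropping dontaudit rules unless the commit path resets it, which is not visible here. Either reset it after `semanage_commit` or document in handle.h that the setting is sticky for the life of the handle. The call also dereferences `sh->sepolh` without a check; confirm that `semanage_handle_create` always allocates it before this setter can be reached, otherwise guard with `if (sh->sepolh != NULL)`.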
Modified: trunk/libsemanage/src/libsemanage.map
===================================================================
--- trunk/libsemanage/src/libsemanage.map 2007-08-12 20:26:56 UTC (rev 2517)
+++ trunk/libsemanage/src/libsemanage.map 2007-08-16 19:19:24 UTC (rev 2518)
@@ -13,6 +13,6 @@
semanage_iface_*; semanage_port_*; semanage_context_*;
semanage_node_*;
semanage_fcontext_*; semanage_access_check; semanage_set_create_store;
- semanage_is_connected;
+ semanage_is_connected; semanage_set_disable_dontaudit;
local: *;
};
Modified: trunk/libsepol/ChangeLog
===================================================================
--- trunk/libsepol/ChangeLog 2007-08-12 20:26:56 UTC (rev 2517)
+++ trunk/libsepol/ChangeLog 2007-08-16 19:19:24 UTC (rev 2518)
@@ -1,3 +1,6 @@
+2.0.6 2007-08-16
+ * Allow dontaudits to be turned off during policy expansion
+
2.0.5 2007-08-01
* Fix sepol_context_clone to handle a NULL context correctly.
This happens for e.g. semanage_fcontext_set_con(sh, fcontext, NULL)
Modified: trunk/libsepol/VERSION
===================================================================
--- trunk/libsepol/VERSION 2007-08-12 20:26:56 UTC (rev 2517)
+++ trunk/libsepol/VERSION 2007-08-16 19:19:24 UTC (rev 2518)
@@ -1 +1 @@
-2.0.5
+2.0.6
Modified: trunk/libsepol/include/sepol/handle.h
===================================================================
--- trunk/libsepol/include/sepol/handle.h 2007-08-12 20:26:56 UTC (rev 2517)
+++ trunk/libsepol/include/sepol/handle.h 2007-08-16 19:19:24 UTC (rev 2518)
@@ -7,6 +7,10 @@
/* Create and return a sepol handle. */
sepol_handle_t *sepol_handle_create(void);
+/* Set whether or not to disable dontaudits, 0 is default and does
+ * not disable dontaudits, 1 disables them */
+void sepol_set_disable_dontaudit(sepol_handle_t * sh, int disable_dontaudit);
+
/* Destroy a sepol handle. */
void sepol_handle_destroy(sepol_handle_t *);
Modified: trunk/libsepol/src/expand.c
===================================================================
--- trunk/libsepol/src/expand.c 2007-08-12 20:26:56 UTC (rev 2517)
+++ trunk/libsepol/src/expand.c 2007-08-16 19:19:24 UTC (rev 2518)
@@ -1367,6 +1367,8 @@
} else if (specified & AVRULE_AUDITDENY) {
spec = AVTAB_AUDITDENY;
} else if (specified & AVRULE_DONTAUDIT) {
+ if (handle->disable_dontaudit)
+ return EXPAND_RULE_SUCCESS;
spec = AVTAB_AUDITDENY;
} else if (specified & AVRULE_NEVERALLOW) {
spec = AVTAB_NEVERALLOW;
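Review bot: `handle->disable_dontaudit` is dereferenced with no NULL check, and libsepol's expansion entry points are, by convention elsewhere in the library, callable with a NULL handle (the `ERR(handle, ...)` style tolerates it); if that holds for this function, the new DONTAUDIT branch crashes where the other branches did not. The function's signature is outside this hunk, so confirm whether `handle` may be NULL here and, if it can, change the test to `if (handle && handle->disable_dontaudit)`. A one-line comment would also help, since returning `EXPAND_RULE_SUCCESS` silently drops the rule rather than skipping an error: `/* dontaudit disabled: omit the rule so the kernel audits these denials */`. The enclosing function starts and ends outside the hunk.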
Modified: trunk/libsepol/src/handle.c
===================================================================
--- trunk/libsepol/src/handle.c 2007-08-12 20:26:56 UTC (rev 2517)
+++ trunk/libsepol/src/handle.c 2007-08-16 19:19:24 UTC (rev 2518)
@@ -1,4 +1,5 @@
#include <stdlib.h>
+#include <assert.h>
#include "handle.h"
#include "debug.h"
@@ -13,9 +14,18 @@
sh->msg_callback = sepol_msg_default_handler;
sh->msg_callback_arg = NULL;
+ /* by default do not disable dontaudits */
+ sh->disable_dontaudit = 0;
+
return sh;
}
+void sepol_set_disable_dontaudit(sepol_handle_t * sh, int disable_dontaudit)
+{
+ assert(sh !=NULL);
+ sh->disable_dontaudit = disable_dontaudit;
+}
+
void sepol_handle_destroy(sepol_handle_t * sh)
{
free(sh);
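Review bot: The NULL check in `sepol_set_disable_dontaudit` is an `assert`, which is compiled out under NDEBUG, so a release build of the library dereferences a NULL handle instead of failing loudly, while the neighbouring `sepol_handle_destroy` tolerates NULL via `free`. Prefer an explicit guard that behaves the same in every build, `if (sh == NULL) return;`, keeping the assert as well if the maintainers want the debug-time diagnostic. Minor style: `sh !=NULL` should be `sh != NULL` to match the rest of the file. The opening lines of `sepol_handle_create` are outside the hunk.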
Modified: trunk/libsepol/src/handle.h
===================================================================
--- trunk/libsepol/src/handle.h 2007-08-12 20:26:56 UTC (rev 2517)
+++ trunk/libsepol/src/handle.h 2007-08-16 19:19:24 UTC (rev 2518)
@@ -14,6 +14,9 @@
void (*msg_callback) (void *varg,
sepol_handle_t * handle, const char *fmt, ...);
void *msg_callback_arg;
+
+ int disable_dontaudit;
+
};
#endif
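Review bot: The new `disable_dontaudit` member of the handle struct has no comment, so nothing in this header says what a non-zero value means or which code consumes it. Suggest `/* nonzero: drop dontaudit rules when expanding a policy (see expand.c) */` directly above the field. The struct's opening line is outside the hunk.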
Modified: trunk/libsepol/src/libsepol.map
===================================================================
--- trunk/libsepol/src/libsepol.map 2007-08-12 20:26:56 UTC (rev 2517)
+++ trunk/libsepol/src/libsepol.map 2007-08-16 19:19:24 UTC (rev 2518)
@@ -12,5 +12,6 @@
sepol_policydb_*; sepol_set_policydb_from_file;
sepol_policy_kern_*;
sepol_policy_file_*;
+ sepol_set_disable_dontaudit;
local: *;
};
Modified: trunk/policycoreutils/ChangeLog
===================================================================
--- trunk/policycoreutils/ChangeLog 2007-08-12 20:26:56 UTC (rev 2517)
+++ trunk/policycoreutils/ChangeLog 2007-08-16 19:19:24 UTC (rev 2518)
@@ -1,3 +1,6 @@
+2.0.23 2007-08-16
+ * Disable dontaudits via semodule -D
+
2.0.22 2007-06-20
* Rebase setfiles to use new labeling interface.
Modified: trunk/policycoreutils/VERSION
===================================================================
--- trunk/policycoreutils/VERSION 2007-08-12 20:26:56 UTC (rev 2517)
+++ trunk/policycoreutils/VERSION 2007-08-16 19:19:24 UTC (rev 2518)
@@ -1 +1 @@
-2.0.22
+2.0.23
Modified: trunk/policycoreutils/semodule/semodule.c
===================================================================
--- trunk/policycoreutils/semodule/semodule.c 2007-08-12 20:26:56 UTC (rev 2517)
+++ trunk/policycoreutils/semodule/semodule.c 2007-08-16 19:19:24 UTC (rev 2518)
@@ -44,6 +44,7 @@
static int no_reload;
static int create_store;
static int build;
+static int disable_dontaudit;
static semanage_handle_t *sh = NULL;
static char *store;
@@ -131,6 +132,7 @@
printf(" -n,--noreload do not reload policy after commit\n");
printf(" -h,--help print this message and quit\n");
printf(" -v,--verbose be verbose\n");
+ printf(" -D,--disable_dontaudit Remove dontaudits from policy\n");
}
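Review bot: The help text for `-D` says only `Remove dontaudits from policy` and does not tell the administrator the consequence, namely that every denial those rules were silencing will start reaching the audit log, which can be very noisy, nor that it applies to the policy built by this invocation. Suggest `printf("  -D,--disable_dontaudit  drop dontaudit rules from the built policy so the denials they silence are audited\n");`. Style: the long option `disable_dontaudit` uses an underscore while the other long options in the table (`noreload`, `build`) are single words; GNU convention is a hyphen, `--disable-dontaudit`, and since this commit introduces the option there is no compatibility reason to keep the underscore form.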
/* Sets the global mode variable to new_mode, but only if no other
@@ -173,6 +175,7 @@
{"reload", 0, NULL, 'R'},
{"noreload", 0, NULL, 'n'},
{"build", 0, NULL, 'B'},
+ {"disable_dontaudit", 0, NULL, 'D'},
{NULL, 0, NULL, 0}
};
int i;
@@ -181,7 +184,7 @@
no_reload = 0;
create_store = 0;
while ((i =
- getopt_long(argc, argv, "s:b:hi:lvqr:u:RnB", opts,
+ getopt_long(argc, argv, "s:b:hi:lvqr:u:RnBD", opts,
NULL)) != -1) {
switch (i) {
case 'b':
@@ -218,6 +221,9 @@
case 'B':
build = 1;
break;
+ case 'D':
+ disable_dontaudit = 1;
+ break;
case '?':
default:{
usage(argv[0]);
@@ -441,6 +447,8 @@
semanage_set_reload(sh, 0);
if (build)
semanage_set_rebuild(sh, 1);
+ if (disable_dontaudit)
+ semanage_set_disable_dontaudit(sh, 1);
result = semanage_commit(sh);
}
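Review bot: `-D` only takes effect if `semanage_commit` actually re-expands the policy in this run, and unlike `-B` it does not request a rebuild; if the commit path skips expansion when no module changed (that code is not visible here), `semodule -D` on its own is a silent no-op and the administrator still sees none of the denials they were trying to surface. Consider `if (disable_dontaudit) { semanage_set_disable_dontaudit(sh, 1); semanage_set_rebuild(sh, 1); }`, or at minimum document that -D must be combined with -B. Conversely, any later commit that rebuilds without -D will restore the dontaudit rules, which is presumably the intended temporary behaviour but should be stated in the usage text. The enclosing block starts outside the hunk.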