From: <ssm...@us...> - 2008-08-05 13:58:58
Revision: 2950
http://selinux.svn.sourceforge.net/selinux/?rev=2950&view=rev
Author: ssmalley
Date: 2008-08-05 13:58:56 +0000 (Tue, 05 Aug 2008)
Log Message:
-----------
updated libsemanage to version 2.0.27
Modified Paths:
--------------
trunk/libsemanage/ChangeLog
trunk/libsemanage/VERSION
Modified: trunk/libsemanage/ChangeLog
===================================================================
--- trunk/libsemanage/ChangeLog 2008-08-05 13:58:00 UTC (rev 2949)
+++ trunk/libsemanage/ChangeLog 2008-08-05 13:58:56 UTC (rev 2950)
@@ -1,3 +1,7 @@
+2.0.27 2008-08-05
+ * Modify genhomedircon to skip %groupname entries.
+ Ultimately we need to expand them to the list of users to support per-role homedir labeling when using the %groupname syntax.
+
2.0.26 2008-07-29
* Fix bug in genhomedircon fcontext matches logic from Dan Walsh.
Strip any trailing slash before appending /*$.
Modified: trunk/libsemanage/VERSION
===================================================================
--- trunk/libsemanage/VERSION 2008-08-05 13:58:00 UTC (rev 2949)
+++ trunk/libsemanage/VERSION 2008-08-05 13:58:56 UTC (rev 2950)
@@ -1 +1 @@
-2.0.26
+2.0.27
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site.
From: <ssm...@us...> - 2008-08-05 13:58:03
Revision: 2949
http://selinux.svn.sourceforge.net/selinux/?rev=2949&view=rev
Author: ssmalley
Date: 2008-08-05 13:58:00 +0000 (Tue, 05 Aug 2008)
Log Message:
-----------
Skip %groupname entries.
Modified Paths:
--------------
trunk/libsemanage/src/genhomedircon.c
Modified: trunk/libsemanage/src/genhomedircon.c
===================================================================
--- trunk/libsemanage/src/genhomedircon.c 2008-08-05 13:51:11 UTC (rev 2948)
+++ trunk/libsemanage/src/genhomedircon.c 2008-08-05 13:58:00 UTC (rev 2949)
@@ -762,6 +762,10 @@
if (strcmp(name, TEMPLATE_SEUSER) == 0)
continue;
+ /* %groupname syntax */
+ if (name[0] == '%')
+ continue;
+
/* find the user structure given the name */
u = bsearch(seuname, user_list, nusers, sizeof(semanage_user_t *),
(int (*)(const void *, const void *))
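Review bot: the '%' entries are skipped silently, so a login mapping such as the %clerks example added to semanage.8 in r2947 gets no home directory entries from genhomedircon, and the r2950 ChangeLog says these should eventually be expanded to the member users. Mark the skip with a TODO in the comment so the gap stays visible in the source, and consider emitting a one-line warning so an administrator can see why per-role homedir labeling is missing for group-mapped users.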
From: <ssm...@us...> - 2008-08-05 13:51:14
Revision: 2948
http://selinux.svn.sourceforge.net/selinux/?rev=2948&view=rev
Author: ssmalley
Date: 2008-08-05 13:51:11 +0000 (Tue, 05 Aug 2008)
Log Message:
-----------
updated policycoreutils to version 2.0.54
Modified Paths:
--------------
trunk/policycoreutils/ChangeLog
trunk/policycoreutils/VERSION
Modified: trunk/policycoreutils/ChangeLog
===================================================================
--- trunk/policycoreutils/ChangeLog 2008-08-05 13:48:53 UTC (rev 2947)
+++ trunk/policycoreutils/ChangeLog 2008-08-05 13:51:11 UTC (rev 2948)
@@ -1,3 +1,7 @@
+2.0.54 2008-08-05
+ * Add support for boolean files and group support for seusers from Dan Walsh.
+ * Ensure that setfiles -p output is newline terminated from Russell Coker.
+
2.0.53 2008-07-29
* Change setfiles to validate all file_contexts files when using -c from Stephen Smalley.
Modified: trunk/policycoreutils/VERSION
===================================================================
--- trunk/policycoreutils/VERSION 2008-08-05 13:48:53 UTC (rev 2947)
+++ trunk/policycoreutils/VERSION 2008-08-05 13:51:11 UTC (rev 2948)
@@ -1 +1 @@
-2.0.53
+2.0.54
From: <ssm...@us...> - 2008-08-05 13:48:57
Revision: 2947
http://selinux.svn.sourceforge.net/selinux/?rev=2947&view=rev
Author: ssmalley
Date: 2008-08-05 13:48:53 +0000 (Tue, 05 Aug 2008)
Log Message:
-----------
Author: Daniel J Walsh
Email: dw...@re...
Subject: policycoreutils patch
Date: Fri, 01 Aug 2008 07:43:28 -0400
Adds support for boolean files, name/value pairs as input and output.
Allows you to set a large amount of booleans at once.
Add support from groupname in semanage login. This will allow you to
associate groups of Linux Users with an SELinux user. Uses same syntax
as sudo. Requires patch to libselinux.
Cleanup of semanage variables. Change use of 1/0 to True/False.
Remove bad use of raise(out)
Modified Paths:
--------------
trunk/policycoreutils/restorecond/restorecond.c
trunk/policycoreutils/semanage/semanage
trunk/policycoreutils/semanage/semanage.8
trunk/policycoreutils/semanage/seobject.py
Modified: trunk/policycoreutils/restorecond/restorecond.c
===================================================================
--- trunk/policycoreutils/restorecond/restorecond.c 2008-08-05 13:29:01 UTC (rev 2946)
+++ trunk/policycoreutils/restorecond/restorecond.c 2008-08-05 13:48:53 UTC (rev 2947)
@@ -210,9 +210,10 @@
}
if (fsetfilecon(fd, scontext) < 0) {
- syslog(LOG_ERR,
- "set context %s->%s failed:'%s'\n",
- filename, scontext, strerror(errno));
+ if (errno != EOPNOTSUPP)
+ syslog(LOG_ERR,
+ "set context %s->%s failed:'%s'\n",
+ filename, scontext, strerror(errno));
if (retcontext >= 0)
free(prev_context);
free(scontext);
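Review bot: the EOPNOTSUPP case drops the message entirely rather than lowering its severity, so a file on a filesystem without xattr support fails to be relabeled with no trace in syslog. Logging it at LOG_DEBUG instead of skipping the syslog call keeps the noise out of normal operation while leaving a way to diagnose it; the second hunk in this file has the same issue.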
@@ -225,8 +226,9 @@
if (retcontext >= 0)
free(prev_context);
} else {
- syslog(LOG_ERR, "get context on %s failed: '%s'\n",
- filename, strerror(errno));
+ if (errno != EOPNOTSUPP)
+ syslog(LOG_ERR, "get context on %s failed: '%s'\n",
+ filename, strerror(errno));
}
free(scontext);
close(fd);
Modified: trunk/policycoreutils/semanage/semanage
===================================================================
--- trunk/policycoreutils/semanage/semanage 2008-08-05 13:29:01 UTC (rev 2946)
+++ trunk/policycoreutils/semanage/semanage 2008-08-05 13:48:53 UTC (rev 2947)
@@ -45,13 +45,13 @@
def usage(message = ""):
print _("""
semanage {boolean|login|user|port|interface|fcontext|translation} -{l|D} [-n]
-semanage login -{a|d|m} [-sr] login_name
+semanage login -{a|d|m} [-sr] login_name | %groupname
semanage user -{a|d|m} [-LrRP] selinux_name
semanage port -{a|d|m} [-tr] [ -p proto ] port | port_range
semanage interface -{a|d|m} [-tr] interface_spec
semanage fcontext -{a|d|m} [-frst] file_spec
semanage translation -{a|d|m} [-T] level
-semanage boolean -{d|m} boolean
+semanage boolean -{d|m} [--on|--off|-1|-0] -F boolean | boolean_file
semanage permissive -{d|a} type
Primary Options:
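Review bot: in the new synopsis "-F boolean | boolean_file" the -F reads as mandatory, but the option handling below only sets use_file when -F is given and plain "semanage boolean -m --on boolean" remains valid; write it as "[-F] boolean | boolean_file" (the semanage.8 hunk in this revision has the same wording).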
@@ -79,6 +79,7 @@
-l (symbolic link)
-p (named pipe)
+ -F, --file Treat target as an input file for command, change multiple settings
-p, --proto Port protocol (tcp or udp)
-P, --prefix Prefix for home directory labeling
-L, --level Default SELinux Level (MLS/MCS Systems only)
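Review bot: the new "-F, --file" help text says "change multiple settings" without saying that only the boolean object supports it, whereas the man page hunk adds "Currently booleans only"; the usage text should say the same so that -F is not attempted with other objects. Visible in the surrounding context but pre-existing: -p is listed twice in this block, once as named pipe and once as proto.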
@@ -114,7 +115,7 @@
valid_option["translation"] = []
valid_option["translation"] += valid_everyone + [ '-T', '--trans' ]
valid_option["boolean"] = []
- valid_option["boolean"] += valid_everyone + [ '--on', "--off", "-1", "-0" ]
+ valid_option["boolean"] += valid_everyone + [ '--on', "--off", "-1", "-0", "-F", "--file"]
valid_option["permissive"] = []
valid_option["permissive"] += [ '-a', '--add', '-d', '--delete', '-l', '--list', '-h', '--help', '-n', '--noheading', '-D', '--deleteall' ]
return valid_option
@@ -134,15 +135,16 @@
setrans = ""
roles = ""
seuser = ""
- prefix = ""
- heading=1
- value=0
- add = 0
- modify = 0
- delete = 0
- deleteall = 0
- list = 0
- locallist = 0
+ prefix = "user"
+ heading = True
+ value = None
+ add = False
+ modify = False
+ delete = False
+ deleteall = False
+ list = False
+ locallist = False
+ use_file = False
store = ""
if len(sys.argv) < 3:
usage(_("Requires 2 or more arguments"))
@@ -155,11 +157,12 @@
args = sys.argv[2:]
gopts, cmds = getopt.getopt(args,
- '01adf:lhmnp:s:CDR:L:r:t:T:P:S:',
+ '01adf:lhmnp:s:FCDR:L:r:t:T:P:S:',
['add',
'delete',
'deleteall',
'ftype=',
+ 'file',
'help',
'list',
'modify',
@@ -185,31 +188,35 @@
if o == "-a" or o == "--add":
if modify or delete:
usage()
- add = 1
+ add = True
if o == "-d" or o == "--delete":
if modify or add:
usage()
- delete = 1
+ delete = True
if o == "-D" or o == "--deleteall":
if modify:
usage()
- deleteall = 1
+ deleteall = True
if o == "-f" or o == "--ftype":
ftype=a
+
+ if o == "-F" or o == "--file":
+ use_file = True
+
if o == "-h" or o == "--help":
usage()
if o == "-n" or o == "--noheading":
- heading=0
+ heading = False
if o == "-C" or o == "--locallist":
- locallist=1
+ locallist = True
if o == "-m"or o == "--modify":
if delete or add:
usage()
- modify = 1
+ modify = True
if o == "-S" or o == '--store':
store = a
@@ -220,7 +227,7 @@
serange = a
if o == "-l" or o == "--list":
- list = 1
+ list = True
if o == "-L" or o == '--level':
if is_mls_enabled == 0:
@@ -246,9 +253,9 @@
setrans = a
if o == "--on" or o == "-1":
- value = 1
- if o == "-off" or o == "-0":
- value = 0
+ value = "on"
+ if o == "--off" or o == "-0":
+ value = "off"
if object == "login":
OBJECT = seobject.loginRecords(store)
@@ -275,7 +282,10 @@
OBJECT = seobject.permissiveRecords(store)
if list:
- OBJECT.list(heading, locallist)
+ if object == "boolean":
+ OBJECT.list(heading, locallist, use_file)
+ else:
+ OBJECT.list(heading, locallist)
sys.exit(0);
if deleteall:
@@ -295,12 +305,10 @@
OBJECT.add(target, setrans)
if object == "user":
- rlist = roles.split()
- if len(rlist) == 0:
- raise ValueError(_("You must specify a role"))
- if prefix == "":
- raise ValueError(_("You must specify a prefix"))
- OBJECT.add(target, rlist, selevel, serange, prefix)
+ rlist = []
+ if not use_file:
+ rlist = roles.split()
+ OBJECT.add(target, rlist, selevel, serange, prefix)
if object == "port":
OBJECT.add(target, proto, serange, setype)
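Review bot: the removed "You must specify a role" and "You must specify a prefix" checks were the only validation on "semanage user -a"; with prefix now defaulting to "user" (hunk at line 135) and rlist allowed to be empty, adding a user with no -R proceeds to OBJECT.add with no roles at all. Also, use_file is consulted here although -F is only wired into the boolean list/modify paths in this revision, so the "if not use_file" branch is never false for users; either drop it or keep the role check for the non-file case.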
@@ -317,7 +325,7 @@
if modify:
if object == "boolean":
- OBJECT.modify(target, value)
+ OBJECT.modify(target, value, use_file)
if object == "login":
OBJECT.modify(target, seuser, serange)
Modified: trunk/policycoreutils/semanage/semanage.8
===================================================================
--- trunk/policycoreutils/semanage/semanage.8 2008-08-05 13:29:01 UTC (rev 2946)
+++ trunk/policycoreutils/semanage/semanage.8 2008-08-05 13:48:53 UTC (rev 2947)
@@ -3,11 +3,11 @@
semanage \- SELinux Policy Management tool
.SH "SYNOPSIS"
-.B semanage {boolean|login|user|port|interface|fcontext|translation} \-{l|lC|D} [\-n]
+.B semanage {boolean|login|user|port|interface|fcontext|translation} \-{l|D} [\-n] [\-S store]
.br
-.B semanage boolean \-{d|m} [\-\-on|\-\-off|\-1|\-0] boolean
+.B semanage boolean \-{d|m} [\-\-on|\-\-off|\-1|\-0] -F boolean | boolean_file
.br
-.B semanage login \-{a|d|m} [\-sr] login_name
+.B semanage login \-{a|d|m} [\-sr] login_name | %groupname
.br
.B semanage user \-{a|d|m} [\-LrRP] selinux_name
.br
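Review bot: the synopsis line changed "\-{l|lC|D}" to "\-{l|D}", dropping the documented -lC (list local customizations) form although the script still accepts -C/--locallist (semanage hunk at line 188). The boolean line should read "[\-F] boolean | boolean_file" since -F is optional, and the bare "-F" is not escaped as "\-F" like the other options on the line.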
@@ -54,6 +54,11 @@
File Type. This is used with fcontext.
Requires a file type as shown in the mode field by ls, e.g. use -d to match only directories or -- to match only regular files.
.TP
+.I \-F, \-\-file
+Set multiple records from the input file. When used with the \-l \-\-list, it will output the current settings to stdout in the proper format.
+
+Currently booleans only.
+.TP
.I \-h, \-\-help
display this message
.TP
@@ -87,6 +92,9 @@
.I \-s, \-\-seuser
SELinux user name
.TP
+.I \-S, \-\-store
+Select and alternate SELinux store to manage
+.TP
.I \-t, \-\-type
SELinux Type for the object
.TP
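Review bot: typo in the new "\-S, \-\-store" description: "Select and alternate SELinux store to manage" should read "Select an alternate SELinux store to manage".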
@@ -99,6 +107,8 @@
$ semanage user -l
# Allow joe to login as staff_u
$ semanage login -a -s staff_u joe
+# Allow the group clerks to login as user_u
+$ semanage login -a -s user_u %clerks
# Add file-context for everything under /web (used by restorecon)
$ semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?"
# Allow Apache to listen on port 81
Modified: trunk/policycoreutils/semanage/seobject.py
===================================================================
--- trunk/policycoreutils/semanage/seobject.py 2008-08-05 13:29:01 UTC (rev 2946)
+++ trunk/policycoreutils/semanage/seobject.py 2008-08-05 13:48:53 UTC (rev 2947)
@@ -21,7 +21,7 @@
#
#
-import pwd, string, selinux, tempfile, os, re, sys
+import pwd, grp, string, selinux, tempfile, os, re, sys
from semanage import *;
PROGNAME="policycoreutils"
import sepolgen.module as module
@@ -330,20 +330,15 @@
for name in dirs:
os.rmdir(os.path.join(root, name))
- if rc != 0:
- raise ValueError(out)
-
-
def delete(self, name):
for n in name.split():
rc = semanage_module_remove(self.sh, "permissive_%s" % n)
if rc < 0:
raise ValueError(_("Could not remove permissive domain %s (remove failed)") % name)
- rc = semanage_commit(self.sh)
- if rc < 0:
- raise ValueError(_("Could not remove permissive domain %s (commit failed)") % name)
+ rc = semanage_commit(self.sh)
+ if rc < 0:
+ raise ValueError(_("Could not remove permissive domain %s (commit failed)") % name)
-
def deleteall(self):
l = self.get_all()
if len(l) > 0:
@@ -402,10 +397,16 @@
raise ValueError(_("Could not check if login mapping for %s is defined") % name)
if exists:
raise ValueError(_("Login mapping for %s is already defined") % name)
- try:
- pwd.getpwnam(name)
- except:
- raise ValueError(_("Linux User %s does not exist") % name)
+ if name[0] == '%':
+ try:
+ grp.getgrnam(name[1:])
+ except:
+ raise ValueError(_("Linux Group %s does not exist") % name[1:])
+ else:
+ try:
+ pwd.getpwnam(name)
+ except:
+ raise ValueError(_("Linux User %s does not exist") % name)
(rc,u) = semanage_seuser_create(self.sh)
if rc < 0:
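Review bot: name[0] == '%' raises IndexError for an empty login name, which the previous pwd.getpwnam(name) path reported as a ValueError; name.startswith('%') lets the empty string fall through to the user check and its "Linux User %s does not exist" message. The bare "except:" around grp.getgrnam also swallows KeyboardInterrupt and programming errors; catching KeyError is enough, since that is what getgrnam raises for an unknown group.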
@@ -1447,54 +1448,72 @@
class booleanRecords(semanageRecords):
def __init__(self, store = ""):
semanageRecords.__init__(self, store)
+ self.dict={}
+ self.dict["TRUE"] = 1
+ self.dict["FALSE"] = 0
+ self.dict["ON"] = 1
+ self.dict["OFF"] = 0
+ self.dict["1"] = 1
+ self.dict["0"] = 0
- def modify(self, name, value = ""):
- if value == "":
- raise ValueError(_("Requires value"))
+ def __mod(self, name, value):
+ (rc,k) = semanage_bool_key_create(self.sh, name)
+ if rc < 0:
+ raise ValueError(_("Could not create a key for %s") % name)
+ (rc,exists) = semanage_bool_exists(self.sh, k)
+ if rc < 0:
+ raise ValueError(_("Could not check if boolean %s is defined") % name)
+ if not exists:
+ raise ValueError(_("Boolean %s is not defined") % name)
+
+ (rc,b) = semanage_bool_query(self.sh, k)
+ if rc < 0:
+ raise ValueError(_("Could not query file context %s") % name)
- (rc,k) = semanage_bool_key_create(self.sh, name)
- if rc < 0:
- raise ValueError(_("Could not create a key for %s") % name)
-
- (rc,exists) = semanage_bool_exists(self.sh, k)
- if rc < 0:
- raise ValueError(_("Could not check if boolean %s is defined") % name)
- if not exists:
- raise ValueError(_("Boolean %s is not defined") % name)
-
- (rc,b) = semanage_bool_query(self.sh, k)
- if rc < 0:
- raise ValueError(_("Could not query file context %s") % name)
-
- if value != "":
- nvalue = int(value)
- semanage_bool_set_value(b, nvalue)
+ if value.upper() in self.dict:
+ semanage_bool_set_value(b, self.dict[value.upper()])
else:
- raise ValueError(_("You must specify a value"))
+ raise ValueError(_("You must specify one of the following values: %s") % ", ".join(self.dict.keys()) )
+
+ rc = semanage_bool_set_active(self.sh, k, b)
+ if rc < 0:
+ raise ValueError(_("Could not set active value of boolean %s") % name)
+ rc = semanage_bool_modify_local(self.sh, k, b)
+ if rc < 0:
+ raise ValueError(_("Could not modify boolean %s") % name)
+ semanage_bool_key_free(k)
+ semanage_bool_free(b)
+ def modify(self, name, value=None, use_file=False):
+
rc = semanage_begin_transaction(self.sh)
if rc < 0:
raise ValueError(_("Could not start semanage transaction"))
+ if use_file:
+ fd = open(name)
+ for b in fd.read().split("\n"):
+ b = b.strip()
+ if len(b) == 0:
+ continue
- rc = semanage_bool_set_active(self.sh, k, b)
- if rc < 0:
- raise ValueError(_("Could not set active value of boolean %s") % name)
- rc = semanage_bool_modify_local(self.sh, k, b)
- if rc < 0:
- raise ValueError(_("Could not modify boolean %s") % name)
+ try:
+ boolname, val = b.split("=")
+ except ValueError, e:
+ raise ValueError(_("Bad format %s: Record %s" % ( name, b) ))
+ self.__mod(boolname.strip(), val.strip())
+ fd.close()
+ else:
+ self.__mod(name, value)
rc = semanage_commit(self.sh)
if rc < 0:
raise ValueError(_("Could not modify boolean %s") % name)
- semanage_bool_key_free(k)
- semanage_bool_free(b)
-
def delete(self, name):
- (rc,k) = semanage_bool_key_create(self.sh, name)
- if rc < 0:
- raise ValueError(_("Could not create a key for %s") % name)
+ (rc,k) = semanage_bool_key_create(self.sh, name)
+ if rc < 0:
+ raise ValueError(_("Could not create a key for %s") % name)
(rc,exists) = semanage_bool_exists(self.sh, k)
if rc < 0:
raise ValueError(_("Could not check if boolean %s is defined") % name)
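Review bot: modify() now defaults value to None and passes it straight to __mod, where value.upper() raises AttributeError; "semanage boolean -m" with neither --on nor --off therefore ends in a traceback instead of the old "Requires value" ValueError. Check for None before calling __mod. Two smaller points in the same hunk: the message "Could not query file context %s" was copied from the fcontext code and should say "boolean", and in the file path fd is left open when __mod raises, so iterate with "for line in fd:" inside a try/finally, or close in a finally block.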
@@ -1571,8 +1590,15 @@
else:
return _("unknown")
- def list(self, heading = 1, locallist = 0):
+ def list(self, heading = True, locallist = False, use_file = False):
on_off = (_("off"),_("on"))
+ if use_file:
+ ddict = self.get_all(locallist)
+ keys = ddict.keys()
+ for k in keys:
+ if ddict[k]:
+ print "%s=%s" % (k, ddict[k][2])
+ return
if heading:
print "%-40s %s\n" % (_("SELinux boolean"), _("Description"))
ddict = self.get_all(locallist)
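Review bot: the "-F -l" output walks ddict.keys() in dictionary order, so two stores with the same settings can produce the file in different orders, which defeats diffing the output or keeping it under version control; use sorted(ddict.keys()) so the file is stable and can be fed back in with "-F -m".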
From: <ssm...@us...> - 2008-08-05 13:29:05
Revision: 2946
http://selinux.svn.sourceforge.net/selinux/?rev=2946&view=rev
Author: ssmalley
Date: 2008-08-05 13:29:01 +0000 (Tue, 05 Aug 2008)
Log Message:
-----------
Minor cleanups of Dan's code.
Modified Paths:
--------------
trunk/libselinux/src/seusers.c
Modified: trunk/libselinux/src/seusers.c
===================================================================
--- trunk/libselinux/src/seusers.c 2008-08-05 13:22:15 UTC (rev 2945)
+++ trunk/libselinux/src/seusers.c 2008-08-05 13:29:01 UTC (rev 2946)
@@ -102,7 +102,7 @@
if (rbuf == NULL) return -1;
int retval = getpwnam_r(name, &pwstorage, rbuf, rbuflen, &pwent);
- if (retval == 0 || pwent != NULL) {
+ if (retval == 0 && pwent) {
gid = pwent->pw_gid;
}
free(rbuf);
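Review bot: with "&&" the NULL dereference for an unknown user is gone, but getpwnam_r returning ERANGE takes the same path: _SC_GETPW_R_SIZE_MAX is only a suggested size, so a long passwd entry can exceed it and the function then reports (gid_t)-1 for a user that does exist, silently losing %group matching for that user. Retrying with a larger buffer on ERANGE would avoid that.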
@@ -163,7 +163,6 @@
char *defaultlevel = NULL;
gid_t gid = get_default_gid(name);
- if ( gid == (gid_t) -1 ) goto nomatch;
cfg = fopen(selinux_usersconf_path(), "r");
if (!cfg)
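Review bot: removing the goto restores the __default__ mapping for names with no passwd entry, but check_group is then still called with gid == (gid_t)-1 for every %group line, costing a getgrnam_r and two getgrouplist NSS queries per line. If a name without a passwd entry is not meant to match %group lines, skip the comparison in getseuserbyname when gid is (gid_t)-1 so the default path stays cheap.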
From: <ssm...@us...> - 2008-08-05 13:22:17
Revision: 2945
http://selinux.svn.sourceforge.net/selinux/?rev=2945&view=rev
Author: ssmalley
Date: 2008-08-05 13:22:15 +0000 (Tue, 05 Aug 2008)
Log Message:
-----------
updated libselinux to version 2.0.71
Modified Paths:
--------------
trunk/libselinux/ChangeLog
trunk/libselinux/VERSION
Modified: trunk/libselinux/ChangeLog
===================================================================
--- trunk/libselinux/ChangeLog 2008-08-05 13:18:56 UTC (rev 2944)
+++ trunk/libselinux/ChangeLog 2008-08-05 13:22:15 UTC (rev 2945)
@@ -1,3 +1,8 @@
+2.0.71 2008-08-05
+ * Add group support to seusers using %groupname syntax from Dan Walsh.
+ * Mark setrans socket close-on-exec from Stephen Smalley.
+ * Only apply nodups checking to base file contexts from Stephen Smalley.
+
2.0.70 2008-07-30
* Merge ruby bindings from Dan Walsh.
Modified: trunk/libselinux/VERSION
===================================================================
--- trunk/libselinux/VERSION 2008-08-05 13:18:56 UTC (rev 2944)
+++ trunk/libselinux/VERSION 2008-08-05 13:22:15 UTC (rev 2945)
@@ -1 +1 @@
-2.0.70
+2.0.71
From: <ssm...@us...> - 2008-08-05 13:18:59
Revision: 2944
http://selinux.svn.sourceforge.net/selinux/?rev=2944&view=rev
Author: ssmalley
Date: 2008-08-05 13:18:56 +0000 (Tue, 05 Aug 2008)
Log Message:
-----------
Author: Daniel J Walsh
Email: dw...@re...
Subject: I have added group support to libselinux
Date: Fri, 01 Aug 2008 07:02:35 -0400
If you create an seusers file using the sudo syntax %groupname,
getseuserbyname will check the user's groups for a match.
Match sequence will be:
username exists
FIRST group match
default
I will be sending a separate patch to allow semanage to add %groupname
Modified Paths:
--------------
trunk/libselinux/src/seusers.c
Modified: trunk/libselinux/src/seusers.c
===================================================================
--- trunk/libselinux/src/seusers.c 2008-08-05 13:09:18 UTC (rev 2943)
+++ trunk/libselinux/src/seusers.c 2008-08-05 13:18:56 UTC (rev 2944)
@@ -89,6 +89,62 @@
int require_seusers hidden = 0;
+#include <pwd.h>
+#include <grp.h>
+
+static gid_t get_default_gid(const char *name) {
+ struct passwd pwstorage, *pwent = NULL;
+ gid_t gid = -1;
+ /* Allocate space for the getpwnam_r buffer */
+ long rbuflen = sysconf(_SC_GETPW_R_SIZE_MAX);
+ if (rbuflen <= 0) return -1;
+ char *rbuf = malloc(rbuflen);
+ if (rbuf == NULL) return -1;
+
+ int retval = getpwnam_r(name, &pwstorage, rbuf, rbuflen, &pwent);
+ if (retval == 0 || pwent != NULL) {
+ gid = pwent->pw_gid;
+ }
+ free(rbuf);
+ return gid;
+}
+
+static int check_group(const char *group, const char *name, const gid_t gid) {
+ int match = 0;
+ int i, ng = 0;
+ gid_t *groups = NULL;
+ struct group gbuf, *grent = NULL;
+
+ long rbuflen = sysconf(_SC_GETGR_R_SIZE_MAX);
+ if (rbuflen <= 0)
+ return 0;
+ char *rbuf = malloc(rbuflen);
+ if (rbuf == NULL)
+ return 0;
+
+ if (getgrnam_r(group, &gbuf, rbuf, rbuflen,
+ &grent) != 0)
+ goto done;
+
+ if (getgrouplist(name, gid, NULL, &ng) < 0) {
+ groups = (gid_t *) malloc(sizeof (gid_t) * ng);
+ if (!groups) goto done;
+ if (getgrouplist(name, gid, groups, &ng) < 0) goto done;
+ }
+
+ for (i = 0; i < ng; i++) {
+ if (grent->gr_gid == groups[i]) {
+ match = 1;
+ goto done;
+ }
+ }
+
+ done:
+ free(groups);
+ free(rbuf);
+ return match;
+}
+
int getseuserbyname(const char *name, char **r_seuser, char **r_level)
{
FILE *cfg = NULL;
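Review bot: check_group dereferences grent->gr_gid without checking grent; getgrnam_r returns 0 and sets grent to NULL when the group does not exist, so a seusers line naming a misspelled or removed group crashes every caller of getseuserbyname once the loop runs. Make it "if (getgrnam_r(...) != 0 || !grent) goto done;". In get_default_gid, "retval == 0 || pwent != NULL" should be "&&": a nonexistent user gives retval 0 and pwent NULL, which is dereferenced on the next line (r2946 on this page corrects it). Also, the getgrouplist probe with groups == NULL relies on the call returning -1 to fill in ng; if it returns 0 with a nonzero ng, groups stays NULL and the loop dereferences it. The <pwd.h> and <grp.h> includes belong with the other includes at the top of the file.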
@@ -101,9 +157,14 @@
char *username = NULL;
char *seuser = NULL;
char *level = NULL;
+ char *groupseuser = NULL;
+ char *grouplevel = NULL;
char *defaultseuser = NULL;
char *defaultlevel = NULL;
+ gid_t gid = get_default_gid(name);
+ if ( gid == (gid_t) -1 ) goto nomatch;
+
cfg = fopen(selinux_usersconf_path(), "r");
if (!cfg)
goto nomatch;
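Review bot: "if ( gid == (gid_t) -1 ) goto nomatch;" changes existing behaviour: a login name with no passwd entry previously fell through to the __default__ mapping and now gets no mapping at all, which the stated match sequence (username exists, FIRST group match, default) does not say. Only the group comparison should be skipped for such names, not the whole lookup; r2946 on this page removes the line.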
@@ -124,31 +185,48 @@
if (!strcmp(username, name))
break;
- if (!defaultseuser && !strcmp(username, "__default__")) {
- free(username);
- defaultseuser = seuser;
- defaultlevel = level;
+ if (username[0] == '%' &&
+ !groupseuser &&
+ check_group(&username[1], name, gid)) {
+ groupseuser = seuser;
+ grouplevel = level;
} else {
- free(username);
- free(seuser);
- free(level);
+ if (!defaultseuser &&
+ !strcmp(username, "__default__")) {
+ defaultseuser = seuser;
+ defaultlevel = level;
+ } else {
+ free(seuser);
+ free(level);
+ }
}
+ free(username);
+ username = NULL;
seuser = NULL;
}
- if (buffer)
- free(buffer);
+ free(buffer);
fclose(cfg);
if (seuser) {
free(username);
free(defaultseuser);
free(defaultlevel);
+ free(groupseuser);
+ free(grouplevel);
*r_seuser = seuser;
*r_level = level;
return 0;
}
+ if (groupseuser) {
+ free(defaultseuser);
+ free(defaultlevel);
+ *r_seuser = groupseuser;
+ *r_level = grouplevel;
+ return 0;
+ }
+
if (defaultseuser) {
*r_seuser = defaultseuser;
*r_level = defaultlevel;
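Review bot: check_group runs getgrnam_r plus two getgrouplist calls for every %group line until one matches, so the user's group list is fetched from NSS once per line; resolve the list once before the loop (or lazily on the first %group line) and pass the array to check_group, which also removes the per-line malloc.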
From: <ssm...@us...> - 2008-08-05 13:09:21
Revision: 2943
http://selinux.svn.sourceforge.net/selinux/?rev=2943&view=rev
Author: ssmalley
Date: 2008-08-05 13:09:18 +0000 (Tue, 05 Aug 2008)
Log Message:
-----------
Author: Stephen Smalley
Email: sd...@ty...
Subject: Patch to make libselinux shut up when SELinux is disabled.
Date: Mon, 04 Aug 2008 13:51:03 -0400
On Mon, 2008-08-04 at 16:06 +0100, Paul Howarth wrote:
> This may present a problem for policy developers. For instance, I am
> writing new policy for spamass-milter, which currently shares spamd_t
> with spamassassin. I need spamass-milter to transition into a different
> domain, so I need to specify a new context for /usr/bin/spamass-milter
> in my policy module. This conflicts with the existing context for the
> same file (spamd_exec_t) in the main selinux-policy-targeted package and
> I get warnings like this on most rpm/selinux operations:
>
> /etc/selinux/targeted/contexts/files/file_contexts: Multiple different
> specifications for /usr/sbin/spamass-milter
> (system_u:object_r:milter_spamass_exec_t:s0 and
> system_u:object_r:spamd_exec_t:s0).
>
> For whatever reason, the context from my local module "wins" and I get
> the desired result. However, if semanage didn't allow this, I believe
> I'd need to fork the selinux-policy package for the duration of my
> development to prevent the unwanted context specification from being
> used. Or is there some other way around this?
If that is the desired behavior, then I suppose we want to move up the
nodups_specs checking. Like this:
Modified Paths:
--------------
trunk/libselinux/src/label_file.c
Modified: trunk/libselinux/src/label_file.c
===================================================================
--- trunk/libselinux/src/label_file.c 2008-08-05 13:08:39 UTC (rev 2942)
+++ trunk/libselinux/src/label_file.c 2008-08-05 13:09:18 UTC (rev 2943)
@@ -468,6 +468,11 @@
pass, ++lineno) != 0)
goto finish;
}
+ if (pass == 1) {
+ status = nodups_specs(data, path);
+ if (status)
+ goto finish;
+ }
lineno = 0;
if (homedirfp)
while (getline(&line_buf, &line_len, homedirfp) > 0
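Review bot: running nodups_specs only after pass 1 of the base file_contexts means a conflict between the base file and file_contexts.homedirs or file_contexts.local is no longer an error, but nothing here records which specification is intended to win when they conflict. A comment at this site (and in the r2945 ChangeLog entry "Only apply nodups checking to base file contexts") stating the intended precedence would save the next reader from re-deriving it from the spec ordering code further down.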
@@ -507,10 +512,6 @@
}
free(line_buf);
- status = nodups_specs(data, path);
- if (status)
- goto finish;
-
/* Move exact pathname specifications to the end. */
spec_copy = malloc(sizeof(spec_t) * data->nspec);
if (!spec_copy)
From: <ssm...@us...> - 2008-08-05 13:08:42
Revision: 2942
http://selinux.svn.sourceforge.net/selinux/?rev=2942&view=rev
Author: ssmalley
Date: 2008-08-05 13:08:39 +0000 (Tue, 05 Aug 2008)
Log Message:
-----------
Author: Stephen Smalley
Email: sd...@ty...
Subject: libselinux: make setrans socket descriptor close-on-exec
Date: Mon, 04 Aug 2008 12:59:05 -0400
Ensure that the setrans socket descriptor is marked close-on-exec.
If supported, use the new SOCK_CLOEXEC flag when the socket is created,
as per:
http://udrepper.livejournal.com/20407.html
Otherwise fall back to using fcntl after the socket has been created.
Signed-off-by: Stephen Smalley <sd...@ty...>
Modified Paths:
--------------
trunk/libselinux/src/setrans_client.c
Modified: trunk/libselinux/src/setrans_client.c
===================================================================
--- trunk/libselinux/src/setrans_client.c 2008-08-05 13:06:40 UTC (rev 2941)
+++ trunk/libselinux/src/setrans_client.c 2008-08-05 13:08:39 UTC (rev 2942)
@@ -13,7 +13,7 @@
#include <errno.h>
#include <stdlib.h>
#include <netdb.h>
-
+#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <ctype.h>
@@ -42,11 +42,17 @@
{
struct sockaddr_un addr;
int fd;
-
- fd = socket(PF_UNIX, SOCK_STREAM, 0);
- if (fd < 0) {
+#ifdef SOCK_CLOEXEC
+ fd = socket(PF_UNIX, SOCK_STREAM|SOCK_CLOEXEC, 0);
+ if (fd < 0 && errno == EINVAL)
+#endif
+ {
+ fd = socket(PF_UNIX, SOCK_STREAM, 0);
+ if (fd >= 0)
+ fcntl(fd, F_SETFD, FD_CLOEXEC);
+ }
+ if (fd < 0)
return -1;
- }
memset(&addr, 0, sizeof(addr));
addr.sun_family = AF_UNIX;
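Review bot: the fcntl(fd, F_SETFD, FD_CLOEXEC) fallback return value is not checked, so on a kernel without SOCK_CLOEXEC a failed fcntl silently leaves the descriptor inheritable across exec, which is exactly what this change is meant to prevent; treat a failure like the socket() failure (close(fd) and return -1). The fallback is triggered only on EINVAL, which is what an older kernel returns for unknown type flags, so the condition is right, but a comment saying so would help.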
From: <ssm...@us...> - 2008-08-05 13:06:45
Revision: 2941
http://selinux.svn.sourceforge.net/selinux/?rev=2941&view=rev
Author: ssmalley
Date: 2008-08-05 13:06:40 +0000 (Tue, 05 Aug 2008)
Log Message:
-----------
Author: Russell Coker
Email: ru...@co...
Subject: setfiles patch
Date: Fri, 1 Aug 2008 11:12:37 +1000
Currently "setfiles -p" doesn't print a new-line at the end, this is annoying
as the output of the next command ends up starting halfway across the
screen. Here is a patch.
Modified Paths:
--------------
trunk/policycoreutils/setfiles/setfiles.c
Modified: trunk/policycoreutils/setfiles/setfiles.c
===================================================================
--- trunk/policycoreutils/setfiles/setfiles.c 2008-08-05 13:06:08 UTC (rev 2940)
+++ trunk/policycoreutils/setfiles/setfiles.c 2008-08-05 13:06:40 UTC (rev 2941)
@@ -1017,5 +1017,7 @@
free(excludeArray[i].directory);
}
+ if (progress)
+ printf("\n");
exit(errors);
}
From: <ssm...@us...> - 2008-08-05 13:06:10
Revision: 2940
http://selinux.svn.sourceforge.net/selinux/?rev=2940&view=rev
Author: ssmalley
Date: 2008-08-05 13:06:08 +0000 (Tue, 05 Aug 2008)
Log Message:
-----------
Revert accidental commit
Modified Paths:
--------------
trunk/libselinux/src/setrans_client.c
trunk/policycoreutils/setfiles/setfiles.c
Modified: trunk/libselinux/src/setrans_client.c
===================================================================
--- trunk/libselinux/src/setrans_client.c 2008-08-05 13:04:32 UTC (rev 2939)
+++ trunk/libselinux/src/setrans_client.c 2008-08-05 13:06:08 UTC (rev 2940)
@@ -13,7 +13,7 @@
#include <errno.h>
#include <stdlib.h>
#include <netdb.h>
-#include <fcntl.h>
+
#include <stdio.h>
#include <string.h>
#include <ctype.h>
@@ -42,17 +42,11 @@
{
struct sockaddr_un addr;
int fd;
-#ifdef SOCK_CLOEXEC
- fd = socket(PF_UNIX, SOCK_STREAM|SOCK_CLOEXEC, 0);
- if (fd < 0 && errno == EINVAL)
-#endif
- {
- fd = socket(PF_UNIX, SOCK_STREAM, 0);
- if (fd >= 0)
- fcntl(fd, F_SETFD, FD_CLOEXEC);
- }
- if (fd < 0)
+
+ fd = socket(PF_UNIX, SOCK_STREAM, 0);
+ if (fd < 0) {
return -1;
+ }
memset(&addr, 0, sizeof(addr));
addr.sun_family = AF_UNIX;
Modified: trunk/policycoreutils/setfiles/setfiles.c
===================================================================
--- trunk/policycoreutils/setfiles/setfiles.c 2008-08-05 13:04:32 UTC (rev 2939)
+++ trunk/policycoreutils/setfiles/setfiles.c 2008-08-05 13:06:08 UTC (rev 2940)
@@ -1017,7 +1017,5 @@
free(excludeArray[i].directory);
}
- if (progress)
- printf("\n");
exit(errors);
}
From: <ssm...@us...> - 2008-08-05 13:04:35
Revision: 2939
http://selinux.svn.sourceforge.net/selinux/?rev=2939&view=rev
Author: ssmalley
Date: 2008-08-05 13:04:32 +0000 (Tue, 05 Aug 2008)
Log Message:
-----------
Author: Russell Coker
Email: ru...@co...
Subject: setfiles patch
Date: Fri, 1 Aug 2008 11:12:37 +1000
Currently "setfiles -p" doesn't print a new-line at the end, this is annoying
as the output of the next command ends up starting halfway across the
screen. Here is a patch.
Modified Paths:
--------------
trunk/libselinux/src/setrans_client.c
trunk/policycoreutils/setfiles/setfiles.c
Modified: trunk/libselinux/src/setrans_client.c
===================================================================
--- trunk/libselinux/src/setrans_client.c 2008-07-30 12:37:03 UTC (rev 2938)
+++ trunk/libselinux/src/setrans_client.c 2008-08-05 13:04:32 UTC (rev 2939)
@@ -13,7 +13,7 @@
#include <errno.h>
#include <stdlib.h>
#include <netdb.h>
-
+#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <ctype.h>
@@ -42,11 +42,17 @@
{
struct sockaddr_un addr;
int fd;
-
- fd = socket(PF_UNIX, SOCK_STREAM, 0);
- if (fd < 0) {
+#ifdef SOCK_CLOEXEC
+ fd = socket(PF_UNIX, SOCK_STREAM|SOCK_CLOEXEC, 0);
+ if (fd < 0 && errno == EINVAL)
+#endif
+ {
+ fd = socket(PF_UNIX, SOCK_STREAM, 0);
+ if (fd >= 0)
+ fcntl(fd, F_SETFD, FD_CLOEXEC);
+ }
+ if (fd < 0)
return -1;
- }
memset(&addr, 0, sizeof(addr));
addr.sun_family = AF_UNIX;
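Review bot: this change to `setrans_client.c` is not described by the commit message, which only covers the `setfiles -p` newline fix; an unrelated close-on-exec change belongs in its own commit with its own log entry. Within the hunk, the return value of `fcntl(fd, F_SETFD, FD_CLOEXEC)` in the fallback path is ignored, so a failure silently leaves the descriptor inheritable; check it and treat failure like a failed `socket()` (close the fd, return -1). The `#ifdef SOCK_CLOEXEC` / `EINVAL` fallback itself is the right pattern for a kernel older than the libc headers, and the braced block runs unconditionally when `SOCK_CLOEXEC` is undefined, so the control flow is correct.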
Modified: trunk/policycoreutils/setfiles/setfiles.c
===================================================================
--- trunk/policycoreutils/setfiles/setfiles.c 2008-07-30 12:37:03 UTC (rev 2938)
+++ trunk/policycoreutils/setfiles/setfiles.c 2008-08-05 13:04:32 UTC (rev 2939)
@@ -1017,5 +1017,7 @@
free(excludeArray[i].directory);
}
+ if (progress)
+ printf("\n");
exit(errors);
}
From: <ssm...@us...> - 2008-07-30 12:37:06
Revision: 2938
http://selinux.svn.sourceforge.net/selinux/?rev=2938&view=rev
Author: ssmalley
Date: 2008-07-30 12:37:03 +0000 (Wed, 30 Jul 2008)
Log Message:
-----------
updated libselinux to version 2.0.70
Modified Paths:
--------------
trunk/libselinux/ChangeLog
trunk/libselinux/VERSION
Modified: trunk/libselinux/ChangeLog
===================================================================
--- trunk/libselinux/ChangeLog 2008-07-30 12:25:26 UTC (rev 2937)
+++ trunk/libselinux/ChangeLog 2008-07-30 12:37:03 UTC (rev 2938)
@@ -1,3 +1,6 @@
+2.0.70 2008-07-30
+ * Merge ruby bindings from Dan Walsh.
+
2.0.69 2008-07-29
* Handle duplicate file context regexes as a fatal error from Stephen Smalley.
This prevents adding them via semanage.
Modified: trunk/libselinux/VERSION
===================================================================
--- trunk/libselinux/VERSION 2008-07-30 12:25:26 UTC (rev 2937)
+++ trunk/libselinux/VERSION 2008-07-30 12:37:03 UTC (rev 2938)
@@ -1 +1 @@
-2.0.69
+2.0.70
From: <ssm...@us...> - 2008-07-30 12:25:31
Revision: 2937
http://selinux.svn.sourceforge.net/selinux/?rev=2937&view=rev
Author: ssmalley
Date: 2008-07-30 12:25:26 +0000 (Wed, 30 Jul 2008)
Log Message:
-----------
Author: Daniel J Walsh
Email: dw...@re...
Subject: Ruby bindings patch for libselinux
Date: Tue, 29 Jul 2008 14:24:23 -0400
Acked-by: Stephen Smalley <sd...@ty...>
BuildRequires ruby ruby-libs ruby-devel
Modified Paths:
--------------
trunk/libselinux/Makefile
trunk/libselinux/src/Makefile
Added Paths:
-----------
trunk/libselinux/src/selinuxswig_ruby.i
Modified: trunk/libselinux/Makefile
===================================================================
--- trunk/libselinux/Makefile 2008-07-29 13:43:28 UTC (rev 2936)
+++ trunk/libselinux/Makefile 2008-07-30 12:25:26 UTC (rev 2937)
@@ -29,6 +29,9 @@
pywrap:
$(MAKE) -C src pywrap
+rubywrap:
+ $(MAKE) -C src rubywrap
+
install:
$(MAKE) -C include install
$(MAKE) -C src install
@@ -38,6 +41,9 @@
install-pywrap:
$(MAKE) -C src install-pywrap
+install-rubywrap:
+ $(MAKE) -C src install-rubywrap
+
relabel:
$(MAKE) -C src relabel
Modified: trunk/libselinux/src/Makefile
===================================================================
--- trunk/libselinux/src/Makefile 2008-07-29 13:43:28 UTC (rev 2936)
+++ trunk/libselinux/src/Makefile 2008-07-30 12:25:26 UTC (rev 2937)
@@ -7,16 +7,24 @@
PYINC ?= /usr/include/$(PYLIBVER)
PYLIB ?= /usr/lib/$(PYLIBVER)
PYTHONLIBDIR ?= $(LIBDIR)/$(PYLIBVER)
+RUBYLIBVER ?= $(shell ruby -e 'print RUBY_VERSION.split(".")[0..1].join(".")')
+RUBYPLATFORM ?= $(shell ruby -e 'print RUBY_PLATFORM')
+RUBYINC ?= $(LIBDIR)/ruby/$(RUBYLIBVER)/$(RUBYPLATFORM)
+RUBYINSTALL ?= $(LIBDIR)/ruby/site_ruby/$(RUBYLIBVER)/$(RUBYPLATFORM)
LIBVERSION = 1
LIBA=libselinux.a
TARGET=libselinux.so
SWIGIF= selinuxswig_python.i
+SWIGRUBYIF= selinuxswig_ruby.i
SWIGCOUT= selinuxswig_wrap.c
+SWIGRUBYCOUT= selinuxswig_ruby_wrap.c
SWIGLOBJ:= $(patsubst %.c,%.lo,$(SWIGCOUT))
+SWIGRUBYLOBJ:= $(patsubst %.c,%.lo,$(SWIGRUBYCOUT))
SWIGSO=_selinux.so
SWIGFILES=$(SWIGSO) selinux.py
+SWIGRUBYSO=_rubyselinux.so
LIBSO=$(TARGET).$(LIBVERSION)
AUDIT2WHYSO=audit2why.so
@@ -29,8 +37,10 @@
ifeq ($(DISABLE_RPM),y)
UNUSED_SRCS+=rpm.c
endif
-SRCS= $(filter-out $(UNUSED_SRCS), $(filter-out audit2why.c $(SWIGCOUT),$(wildcard *.c)))
+GENERATED=$(SWIGCOUT) $(SWIGRUBYCOUT)
+SRCS= $(filter-out $(UNUSED_SRCS), $(filter-out audit2why.c $(GENERATED),$(wildcard *.c)))
+
OBJS= $(patsubst %.c,%.o,$(SRCS))
LOBJS= $(patsubst %.c,%.lo,$(SRCS))
CFLAGS ?= -Werror -Wall -W -Wundef -Wshadow -Wmissing-noreturn -Wmissing-format-attribute
@@ -44,12 +54,14 @@
SWIG = swig -Wall -python -o $(SWIGCOUT) -outdir ./
-GENERATED=$(SWIGCOUT)
+SWIGRUBY = swig -Wall -ruby -o $(SWIGRUBYCOUT) -outdir ./
all: $(LIBA) $(LIBSO)
pywrap: all $(SWIGSO) $(AUDIT2WHYSO)
+rubywrap: all $(SWIGRUBYSO)
+
$(LIBA): $(OBJS)
$(AR) rcs $@ $^
$(RANLIB) $@
@@ -57,9 +69,15 @@
$(SWIGLOBJ): $(SWIGCOUT)
$(CC) $(filter-out -Werror,$(CFLAGS)) -I$(PYINC) -fPIC -DSHARED -c -o $@ $<
+$(SWIGRUBYLOBJ): $(SWIGRUBYCOUT)
+ $(CC) $(filter-out -Werror,$(CFLAGS)) -I$(RUBYINC) -fPIC -DSHARED -c -o $@ $<
+
$(SWIGSO): $(SWIGLOBJ)
$(CC) $(CFLAGS) $(LDFLAGS) -shared -o $@ $< -L. -lselinux -L$(LIBDIR) -Wl,-soname,$@
+$(SWIGRUBYSO): $(SWIGRUBYLOBJ)
+ $(CC) $(CFLAGS) $(LDFLAGS) -shared -o $@ $^ -L. -lselinux -L$(LIBDIR) -Wl,-soname,$@
+
$(LIBSO): $(LOBJS)
$(CC) $(CFLAGS) $(LDFLAGS) -shared -o $@ $^ -ldl -L$(LIBDIR) -Wl,-soname,$(LIBSO),-z,defs,-z,relro
ln -sf $@ $(TARGET)
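Review bot: `$(SWIGRUBYSO)` is linked with `-Wl,-soname,$@`, i.e. `_rubyselinux.so`, but `install-rubywrap` later installs it as `$(RUBYINSTALL)/selinux.so`. Ruby derives the extension's init function from the file name, so the installed name must match `%module selinux` in `selinuxswig_ruby.i` (it does); building the object as `selinux.so` from the start would avoid the rename and the mismatched soname.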
@@ -79,6 +97,9 @@
$(SWIGCOUT): $(SWIGIF)
$(SWIG) $^
+$(SWIGRUBYCOUT): $(SWIGRUBYIF)
+ $(SWIGRUBY) $^
+
swigify: $(SWIGIF)
$(SWIG) $^
@@ -95,6 +116,10 @@
install -m 755 $(AUDIT2WHYSO) $(PYTHONLIBDIR)/site-packages/selinux
install -m 644 selinux.py $(PYTHONLIBDIR)/site-packages/selinux/__init__.py
+install-rubywrap: rubywrap
+ test -d $(RUBYINSTALL) || install -m 755 -d $(RUBYINSTALL)
+ install -m 755 $(SWIGRUBYSO) $(RUBYINSTALL)/selinux.so
+
relabel:
/sbin/restorecon $(SHLIBDIR)/$(LIBSO)
@@ -102,7 +127,7 @@
-rm -f $(OBJS) $(LOBJS) $(LIBA) $(LIBSO) $(SWIGLOBJ) $(SWIGSO) $(TARGET) $(AUDIT2WHYSO) *.o *.lo *~
distclean: clean
- rm -f $(SWIGCOUT) $(SWIGFILES)
+ rm -f $(GENERATED) $(SWIGFILES)
indent:
../../scripts/Lindent $(filter-out $(GENERATED),$(wildcard *.[ch]))
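Review bot: `distclean` now removes both generated wrappers through `$(GENERATED)`, but the `clean` recipe on the unchanged line above still lists only `$(SWIGLOBJ)` and `$(SWIGSO)`; `$(SWIGRUBYSO)` (`_rubyselinux.so`) survives `make clean` (the `*.lo` glob happens to catch `$(SWIGRUBYLOBJ)`). Add `$(SWIGRUBYLOBJ) $(SWIGRUBYSO)` to the `clean` recipe.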
Added: trunk/libselinux/src/selinuxswig_ruby.i
===================================================================
--- trunk/libselinux/src/selinuxswig_ruby.i (rev 0)
+++ trunk/libselinux/src/selinuxswig_ruby.i 2008-07-30 12:25:26 UTC (rev 2937)
@@ -0,0 +1,52 @@
+/* Author: Dan Walsh
+ Based on selinuxswig_python.i by James Athey
+ */
+
+%module selinux
+%{
+ #include "selinux/selinux.h"
+%}
+
+/* return a sid along with the result */
+%typemap(argout) (security_id_t * sid) {
+ if (*$1) {
+ %append_output(SWIG_NewPointerObj(*$1, $descriptor(security_id_t), 0));
+ }
+}
+
+%typemap(in,numinputs=0) security_id_t *(security_id_t temp) {
+ $1 = &temp;
+}
+
+%typemap(in,noblock=1,numinputs=0) security_context_t * (security_context_t temp = 0) {
+ $1 = &temp;
+}
+%typemap(freearg,match="in") security_context_t * "";
+%typemap(argout,noblock=1) security_context_t * {
+ if (*$1) {
+ %append_output(SWIG_FromCharPtr(*$1));
+ freecon(*$1);
+ }
+}
+
+%typemap(in,noblock=1,numinputs=0) char ** (char * temp = 0) {
+ $1 = &temp;
+}
+%typemap(freearg,match="in") char ** "";
+%typemap(argout,noblock=1) char ** {
+ if (*$1) {
+ %append_output(SWIG_FromCharPtr(*$1));
+ free(*$1);
+ }
+}
+
+%typemap(freearg,match="in") char * const [] {
+ int i = 0;
+ while($1[i]) {
+ free($1[i]);
+ i++;
+ }
+ free($1);
+}
+
+%include "selinuxswig.i"
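Review bot: the `freearg` typemap for `char * const []` frees every element and then the array, but no matching `in` typemap for `char * const []` appears in this file, so unless `selinuxswig.i` supplies one for Ruby nothing ever allocates that array from a Ruby Array and functions declared with that parameter type are not usable from Ruby; either add the `in` typemap or drop the orphaned `freearg`. The `security_context_t *` and `char **` argout typemaps correctly release the C buffer with `freecon` / `free` after copying it into the Ruby string.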
From: <ssm...@us...> - 2008-07-29 13:43:30
Revision: 2936
http://selinux.svn.sourceforge.net/selinux/?rev=2936&view=rev
Author: ssmalley
Date: 2008-07-29 13:43:28 +0000 (Tue, 29 Jul 2008)
Log Message:
-----------
updated policycoreutils to version 2.0.53
Modified Paths:
--------------
trunk/policycoreutils/ChangeLog
trunk/policycoreutils/VERSION
Modified: trunk/policycoreutils/ChangeLog
===================================================================
--- trunk/policycoreutils/ChangeLog 2008-07-29 12:28:58 UTC (rev 2935)
+++ trunk/policycoreutils/ChangeLog 2008-07-29 13:43:28 UTC (rev 2936)
@@ -1,3 +1,6 @@
+2.0.53 2008-07-29
+ * Change setfiles to validate all file_contexts files when using -c from Stephen Smalley.
+
2.0.52 2008-07-02
* Add permissive domain capability to semanage from Dan Walsh.
Modified: trunk/policycoreutils/VERSION
===================================================================
--- trunk/policycoreutils/VERSION 2008-07-29 12:28:58 UTC (rev 2935)
+++ trunk/policycoreutils/VERSION 2008-07-29 13:43:28 UTC (rev 2936)
@@ -1 +1 @@
-2.0.52
+2.0.53
From: <ssm...@us...> - 2008-07-29 12:29:02
Revision: 2935
http://selinux.svn.sourceforge.net/selinux/?rev=2935&view=rev
Author: ssmalley
Date: 2008-07-29 12:28:58 +0000 (Tue, 29 Jul 2008)
Log Message:
-----------
updated libselinux to version 2.0.69
Modified Paths:
--------------
trunk/libselinux/ChangeLog
trunk/libselinux/VERSION
Modified: trunk/libselinux/ChangeLog
===================================================================
--- trunk/libselinux/ChangeLog 2008-07-29 12:26:59 UTC (rev 2934)
+++ trunk/libselinux/ChangeLog 2008-07-29 12:28:58 UTC (rev 2935)
@@ -1,3 +1,7 @@
+2.0.69 2008-07-29
+ * Handle duplicate file context regexes as a fatal error from Stephen Smalley.
+ This prevents adding them via semanage.
+
2.0.68 2008-07-18
* Fix audit2why shadowed variables from Stephen Smalley.
* Note that freecon NULL is legal in man page from Karel Zak.
Modified: trunk/libselinux/VERSION
===================================================================
--- trunk/libselinux/VERSION 2008-07-29 12:26:59 UTC (rev 2934)
+++ trunk/libselinux/VERSION 2008-07-29 12:28:58 UTC (rev 2935)
@@ -1 +1 @@
-2.0.68
+2.0.69
From: <ssm...@us...> - 2008-07-29 12:27:01
Revision: 2934
http://selinux.svn.sourceforge.net/selinux/?rev=2934&view=rev
Author: ssmalley
Date: 2008-07-29 12:26:59 +0000 (Tue, 29 Jul 2008)
Log Message:
-----------
updated sepolgen to version 1.0.13
Modified Paths:
--------------
trunk/sepolgen/ChangeLog
trunk/sepolgen/VERSION
Modified: trunk/sepolgen/ChangeLog
===================================================================
--- trunk/sepolgen/ChangeLog 2008-07-29 12:25:20 UTC (rev 2933)
+++ trunk/sepolgen/ChangeLog 2008-07-29 12:26:59 UTC (rev 2934)
@@ -1,3 +1,6 @@
+1.0.13 2008-07-29
+ * Only append s0 suffix if MLS is enabled from Karl MacMillan.
+
1.0.12 2008-06-30
* Fix generation of role-type and role allow rules from Karl MacMillan.
Modified: trunk/sepolgen/VERSION
===================================================================
--- trunk/sepolgen/VERSION 2008-07-29 12:25:20 UTC (rev 2933)
+++ trunk/sepolgen/VERSION 2008-07-29 12:26:59 UTC (rev 2934)
@@ -1 +1 @@
-1.0.12
+1.0.13
From: <ssm...@us...> - 2008-07-29 12:25:23
Revision: 2933
http://selinux.svn.sourceforge.net/selinux/?rev=2933&view=rev
Author: ssmalley
Date: 2008-07-29 12:25:20 +0000 (Tue, 29 Jul 2008)
Log Message:
-----------
updated libsemanage to version 2.0.26
Modified Paths:
--------------
trunk/libsemanage/ChangeLog
trunk/libsemanage/VERSION
Modified: trunk/libsemanage/ChangeLog
===================================================================
--- trunk/libsemanage/ChangeLog 2008-07-29 12:21:08 UTC (rev 2932)
+++ trunk/libsemanage/ChangeLog 2008-07-29 12:25:20 UTC (rev 2933)
@@ -1,3 +1,7 @@
+2.0.26 2008-07-29
+ * Fix bug in genhomedircon fcontext matches logic from Dan Walsh.
+ Strip any trailing slash before appending /*$.
+
2.0.25 2008-04-21
* Do not call genhomedircon if the policy was not rebuilt from Stephen Smalley.
Fixes semanage boolean -D seg fault (bug 441379).
Modified: trunk/libsemanage/VERSION
===================================================================
--- trunk/libsemanage/VERSION 2008-07-29 12:21:08 UTC (rev 2932)
+++ trunk/libsemanage/VERSION 2008-07-29 12:25:20 UTC (rev 2933)
@@ -1 +1 @@
-2.0.25
+2.0.26
From: <ssm...@us...> - 2008-07-29 12:21:10
Revision: 2932
http://selinux.svn.sourceforge.net/selinux/?rev=2932&view=rev
Author: ssmalley
Date: 2008-07-29 12:21:08 +0000 (Tue, 29 Jul 2008)
Log Message:
-----------
Author: Stephen Smalley
Email: sd...@ty...
Subject: libselinux: handle duplicate file context entries as a fatal error
Date: Fri, 18 Jul 2008 15:09:15 -0400
Take two. Ensure that duplicate file context entry errors are
propagated to the caller, causing setfiles -c to exit with an error
status and libsemanage to roll back the transaction. Do it for both
duplicate same entries and for duplicate conflicting entries.
Signed-off-by: Stephen Smalley <sd...@ty...>
Modified Paths:
--------------
trunk/libselinux/src/label_file.c
Modified: trunk/libselinux/src/label_file.c
===================================================================
--- trunk/libselinux/src/label_file.c 2008-07-29 12:20:45 UTC (rev 2931)
+++ trunk/libselinux/src/label_file.c 2008-07-29 12:21:08 UTC (rev 2932)
@@ -146,8 +146,9 @@
/*
* Warn about duplicate specifications.
*/
-static void nodups_specs(struct saved_data *data, const char *path)
+static int nodups_specs(struct saved_data *data, const char *path)
{
+ int rc = 0;
unsigned int ii, jj;
struct spec *curr_spec, *spec_arr = data->spec_arr;
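Review bot: the comment above the function still says "Warn about duplicate specifications" while the function now returns -1 and logs at `SELINUX_ERROR`; update it to state that duplicates are a fatal error so the header matches the new contract.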
@@ -158,24 +159,27 @@
(spec_arr[jj].regex_str, curr_spec->regex_str))
&& (!spec_arr[jj].mode || !curr_spec->mode
|| spec_arr[jj].mode == curr_spec->mode)) {
+ rc = -1;
+ errno = EINVAL;
if (strcmp
(spec_arr[jj].lr.ctx_raw,
curr_spec->lr.ctx_raw)) {
COMPAT_LOG
- (SELINUX_WARNING,
+ (SELINUX_ERROR,
"%s: Multiple different specifications for %s (%s and %s).\n",
path, curr_spec->regex_str,
spec_arr[jj].lr.ctx_raw,
curr_spec->lr.ctx_raw);
} else {
COMPAT_LOG
- (SELINUX_WARNING,
+ (SELINUX_ERROR,
"%s: Multiple same specifications for %s.\n",
path, curr_spec->regex_str);
}
}
}
}
+ return rc;
}
/* Determine if the regular expression specification has any meta characters. */
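Review bot: `errno = EINVAL` is assigned inside the loop before `COMPAT_LOG` runs, and the loop keeps scanning for further duplicates; by the time the caller reaches `finish:` and calls `fclose(fp)`, the logging callback or `fclose` may have overwritten `errno`, so the `perror(altpath)` that `setfiles` prints on a failed `selabel_open` can report the wrong reason. Set `errno` once at `return rc;` (or have the caller set it when `status` is non-zero).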
@@ -503,6 +507,10 @@
}
free(line_buf);
+ status = nodups_specs(data, path);
+ if (status)
+ goto finish;
+
/* Move exact pathname specifications to the end. */
spec_copy = malloc(sizeof(spec_t) * data->nspec);
if (!spec_copy)
@@ -519,8 +527,6 @@
free(data->spec_arr);
data->spec_arr = spec_copy;
- nodups_specs(data, path);
-
status = 0;
finish:
fclose(fp);
From: <ssm...@us...> - 2008-07-29 12:20:47
Revision: 2931
http://selinux.svn.sourceforge.net/selinux/?rev=2931&view=rev
Author: ssmalley
Date: 2008-07-29 12:20:45 +0000 (Tue, 29 Jul 2008)
Log Message:
-----------
Author: Stephen Smalley
Email: sd...@ty...
Subject: setfiles: validate all file_contexts files when using -c
Date: Fri, 18 Jul 2008 14:34:43 -0400
In ancient days of yore, setfiles could only validate the base
file_contexts configuration because the .homedirs or .local
configurations might include local users that weren't defined by the
base policy since those definitions were brought in at policy load time.
These days the policy.N file contains all of the definitions required to
validate all file_contexts files and thus setfiles can and should
validate them.
Before:
# /usr/sbin/semanage fcontext -a -t httpd_sys_content_t /tmp
(no warnings)
After:
# /usr/sbin/semanage fcontext -a -t httpd_sys_content_t /tmp
/etc/selinux/targeted/contexts/files/file_contexts: Multiple different specifications for /tmp (system_u:object_r:httpd_sys_content_t:s0 and system_u:object_r:tmp_t:s0).
If we want it to be a fatal error, then libselinux should be patched to
return an error in this case on the selabel_open() (requires making
nodups_specs return an error to the caller and propagating it up).
Signed-off-by: Stephen Smalley <sd...@ty...>
Modified Paths:
--------------
trunk/policycoreutils/setfiles/setfiles.c
Modified: trunk/policycoreutils/setfiles/setfiles.c
===================================================================
--- trunk/policycoreutils/setfiles/setfiles.c 2008-07-29 12:12:05 UTC (rev 2930)
+++ trunk/policycoreutils/setfiles/setfiles.c 2008-07-29 12:20:45 UTC (rev 2931)
@@ -72,7 +72,6 @@
static int abort_on_error; /* Abort the file tree walk upon an error. */
static int add_assoc; /* Track inode associations for conflict detection. */
static int nftw_flags; /* Flags to nftw, e.g. follow links, follow mounts */
-static int base_only; /* Don't use local file_contexts customizations */
static int ctx_validate; /* Validate contexts */
static const char *altpath; /* Alternate path to file_contexts */
@@ -748,7 +747,6 @@
char *base;
struct selinux_opt opts[] = {
{ SELABEL_OPT_VALIDATE, NULL },
- { SELABEL_OPT_BASEONLY, NULL },
{ SELABEL_OPT_PATH, NULL }
};
@@ -836,10 +834,6 @@
}
fclose(policystream);
- /* Only process the specified file_contexts file, not
- any .homedirs or .local files, and do not perform
- context translations. */
- base_only = 1;
ctx_validate = 1;
break;
@@ -972,10 +966,9 @@
/* Load the file contexts configuration and check it. */
opts[0].value = (ctx_validate ? (char*)1 : NULL);
- opts[1].value = (base_only ? (char *)1 : NULL);
- opts[2].value = altpath;
+ opts[1].value = altpath;
- hnd = selabel_open(SELABEL_CTX_FILE, opts, 3);
+ hnd = selabel_open(SELABEL_CTX_FILE, opts, 2);
if (!hnd) {
perror(altpath);
exit(1);
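Review bot: the element count passed to `selabel_open` is still a hand-maintained literal (`3` becomes `2`) that must be kept in step with the `opts[]` initializer and the `opts[0]` / `opts[1]` assignments; passing `sizeof(opts) / sizeof(opts[0])` would make the count follow the array automatically the next time an option is added or removed.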
From: <ssm...@us...> - 2008-07-29 12:12:07
Revision: 2930
http://selinux.svn.sourceforge.net/selinux/?rev=2930&view=rev
Author: ssmalley
Date: 2008-07-29 12:12:05 +0000 (Tue, 29 Jul 2008)
Log Message:
-----------
Author: "Karl MacMillan"
Email: kma...@tr...
Subject: RE: libsepol.context_from_record: MLS is disabled, but MLS context"s0" found
Date: Mon, 28 Jul 2008 14:08:50 -0400
> -----Original Message-----
> From: Vikram Ambrose [mailto:Vik...@wi...]
[...]
> >>> Right - it shouldn't do that if is_selinux_mls_enabled() <= 0.
> >>> I think this is a result of the audit2allow / audit2why integration;
> >>> previously, audit2why was directly consuming audit messages but now it
> >>> is leveraging sepolgen.
> >>
> >> Is there a temporary work around for this? audit2* is basically the only
> >> debug tools available for selinux n00bs.
> >
> > I would think that you could just change default_level="" in the
> > to_string definition in class SecurityContext in refpolicy.py. Or make
> > it dynamically determine it based on is_selinux_mls_enabled().
>
> You mean that in a non-MCS/MLS policy level=""?
> and it's fine for that function to append "" to the context (without the
> ":" added on) ?
>
Here's a patch - I'd appreciate testing on a non-MLS system as I don't
have one handy right now.
Karl
Modified Paths:
--------------
trunk/sepolgen/src/sepolgen/refpolicy.py
trunk/sepolgen/tests/test_refpolicy.py
Modified: trunk/sepolgen/src/sepolgen/refpolicy.py
===================================================================
--- trunk/sepolgen/src/sepolgen/refpolicy.py 2008-07-29 12:02:36 UTC (rev 2929)
+++ trunk/sepolgen/src/sepolgen/refpolicy.py 2008-07-29 12:12:05 UTC (rev 2930)
@@ -19,6 +19,7 @@
import string
import itertools
+import selinux
# OVERVIEW
#
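Review bot: a module-level `import selinux` makes all of `sepolgen.refpolicy` fail to import on any host without the libselinux Python bindings, even for callers that never format a level. Since the module is only consulted inside `to_string`, import it there, or wrap the import so the MLS check degrades gracefully when the binding is absent.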
@@ -265,7 +266,7 @@
self.user = ""
self.role = ""
self.type = ""
- self.level = ""
+ self.level = None
if context is not None:
self.from_string(context)
@@ -288,7 +289,7 @@
# FUTURE - normalize level fields to allow more comparisons to succeed.
self.level = string.join(fields[3:], ':')
else:
- self.level = ""
+ self.level = None
def __eq__(self, other):
"""Compare two SecurityContext objects - all fields must be exactly the
@@ -301,7 +302,7 @@
self.type == other.type and \
self.level == other.level
- def to_string(self, default_level="s0"):
+ def to_string(self, default_level=None):
"""Return a string representing this security context.
By default, the string will contiain a MCS / MLS level
@@ -317,8 +318,11 @@
'user:role:type:level'.
"""
fields = [self.user, self.role, self.type]
- if self.level == "":
- if default_level != "":
+ if self.level is None:
+ if default_level is None:
+ if selinux.is_selinux_mls_enabled() == 1:
+ fields.append("s0")
+ else:
fields.append(default_level)
else:
fields.append(self.level)
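Review bot: the `else:` that appends `default_level` must bind to `if default_level is None:` and not to the `is_selinux_mls_enabled() == 1` check; with the latter nesting, `to_string(default_level="s1")` on a non-MLS host would append `None`, and the `default_level="s1"` assertion in `test_refpolicy.py` is what pins the correct reading. Separately, `selinux.is_selinux_mls_enabled()` is now called for every context formatted, re-querying the kernel each time; caching the result once is cheaper and, kept in an overridable attribute, also lets sepolgen generate policy for a target whose MLS setting differs from the host it runs on.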
Modified: trunk/sepolgen/tests/test_refpolicy.py
===================================================================
--- trunk/sepolgen/tests/test_refpolicy.py 2008-07-29 12:02:36 UTC (rev 2929)
+++ trunk/sepolgen/tests/test_refpolicy.py 2008-07-29 12:12:05 UTC (rev 2930)
@@ -19,6 +19,7 @@
import unittest
import sepolgen.refpolicy as refpolicy
+import selinux
class TestIdSet(unittest.TestCase):
def test_set_to_str(self):
@@ -40,8 +41,11 @@
self.assertEquals(sc.user, "user_u")
self.assertEquals(sc.role, "object_r")
self.assertEquals(sc.type, "foo_t")
- self.assertEquals(sc.level, "")
- self.assertEquals(str(sc), context + ":s0")
+ self.assertEquals(sc.level, None)
+ if selinux.is_selinux_mls_enabled():
+ self.assertEquals(str(sc), context + ":s0")
+ else:
+ self.assertEquals(str(sc), context)
self.assertEquals(sc.to_string(default_level="s1"), context + ":s1")
context = "user_u:object_r:foo_t:s0-s0:c0-c255"
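Review bot: the test now branches on the host's MLS state, so the `context + ":s0"` assertion is only exercised on an MLS host and the bare `context` one only on a non-MLS host; exposing the MLS check through a module attribute that the test can override would let both branches run everywhere.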
From: <ssm...@us...> - 2008-07-29 12:02:38
Revision: 2929
http://selinux.svn.sourceforge.net/selinux/?rev=2929&view=rev
Author: ssmalley
Date: 2008-07-29 12:02:36 +0000 (Tue, 29 Jul 2008)
Log Message:
-----------
Author: Daniel J Walsh
Email: dw...@re...
Subject: Critical bug in semanage
Date: Thu, 17 Jul 2008 14:47:31 -0400
homedirs in /var and /usr/local were not being matched, causing bad
context to be added.
genhomedircon porting problem.
An extra / at the end of the regex was causing the problem.
Modified Paths:
--------------
trunk/libsemanage/src/genhomedircon.c
Modified: trunk/libsemanage/src/genhomedircon.c
===================================================================
--- trunk/libsemanage/src/genhomedircon.c 2008-07-18 19:12:55 UTC (rev 2928)
+++ trunk/libsemanage/src/genhomedircon.c 2008-07-29 12:02:36 UTC (rev 2929)
@@ -192,6 +192,11 @@
goto done;
}
+ if (ustr_cmp_suffix_cstr_eq(expr, "/")) {
+ if (!ustr_del(&expr, 1))
+ goto done;
+ }
+
/* Append pattern to eat up trailing slashes */
if (!ustr_add_cstr(&expr, "/*$"))
goto done;
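Review bot: only one trailing `/` is removed before `/*$` is appended, so a home directory recorded with a doubled trailing slash still yields a pattern ending in `//*$` that no longer matches the bare path; looping `while (ustr_cmp_suffix_cstr_eq(expr, "/"))` would strip any number of trailing slashes. The `ustr_del` failure path correctly jumps to `done`.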
From: <ssm...@us...> - 2008-07-18 19:12:57
Revision: 2928
http://selinux.svn.sourceforge.net/selinux/?rev=2928&view=rev
Author: ssmalley
Date: 2008-07-18 19:12:55 +0000 (Fri, 18 Jul 2008)
Log Message:
-----------
Fix indentation error.
Modified Paths:
--------------
trunk/policycoreutils/semanage/seobject.py
Modified: trunk/policycoreutils/semanage/seobject.py
===================================================================
--- trunk/policycoreutils/semanage/seobject.py 2008-07-18 14:40:12 UTC (rev 2927)
+++ trunk/policycoreutils/semanage/seobject.py 2008-07-18 19:12:55 UTC (rev 2928)
@@ -339,8 +339,8 @@
rc = semanage_module_remove(self.sh, "permissive_%s" % n)
if rc < 0:
raise ValueError(_("Could not remove permissive domain %s (remove failed)") % name)
- rc = semanage_commit(self.sh)
- if rc < 0:
+ rc = semanage_commit(self.sh)
+ if rc < 0:
raise ValueError(_("Could not remove permissive domain %s (commit failed)") % name)
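Review bot: the `-` and `+` lines are textually identical apart from indentation, so the commit message should state which nesting is intended: `semanage_commit(self.sh)` once after the loop over permissive modules, or once per `semanage_module_remove` iteration. A single commit after the loop is the usual pattern, and a reader of this hunk cannot confirm it from the log entry "Fix indentation error." alone.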
From: <ssm...@us...> - 2008-07-18 14:40:17
Revision: 2927
http://selinux.svn.sourceforge.net/selinux/?rev=2927&view=rev
Author: ssmalley
Date: 2008-07-18 14:40:12 +0000 (Fri, 18 Jul 2008)
Log Message:
-----------
updated libselinux to version 2.0.68
Modified Paths:
--------------
trunk/libselinux/ChangeLog
trunk/libselinux/VERSION
Modified: trunk/libselinux/ChangeLog
===================================================================
--- trunk/libselinux/ChangeLog 2008-07-18 14:02:26 UTC (rev 2926)
+++ trunk/libselinux/ChangeLog 2008-07-18 14:40:12 UTC (rev 2927)
@@ -1,3 +1,7 @@
+2.0.68 2008-07-18
+ * Fix audit2why shadowed variables from Stephen Smalley.
+ * Note that freecon NULL is legal in man page from Karel Zak.
+
2.0.67 2008-06-13
* New and revised AVC, label, and mapping man pages from Eamon Walsh.
Modified: trunk/libselinux/VERSION
===================================================================
--- trunk/libselinux/VERSION 2008-07-18 14:02:26 UTC (rev 2926)
+++ trunk/libselinux/VERSION 2008-07-18 14:40:12 UTC (rev 2927)
@@ -1 +1 @@
-2.0.67
+2.0.68
From: <ssm...@us...> - 2008-07-18 14:02:28
Revision: 2926
http://selinux.svn.sourceforge.net/selinux/?rev=2926&view=rev
Author: ssmalley
Date: 2008-07-18 14:02:26 +0000 (Fri, 18 Jul 2008)
Log Message:
-----------
Author: Stephen Smalley
Email: sd...@ty...
Subject: libselinux: eliminate shadowed variables from audit2why
Date: Wed, 09 Jul 2008 11:03:29 -0400
audit2why doesn't build with the default build options (-Werror) due to
shadowed variables. In the first case, there isn't much point in
passing an avc argument when the rest of the file uses a static global
variable for the same object; in the second case, we are dealing with a
separate object returned to the caller and should name it accordingly.
Signed-off-by: Stephen Smalley <sd...@ty...>
Modified Paths:
--------------
trunk/libselinux/src/audit2why.c
Modified: trunk/libselinux/src/audit2why.c
===================================================================
--- trunk/libselinux/src/audit2why.c 2008-07-18 14:01:08 UTC (rev 2925)
+++ trunk/libselinux/src/audit2why.c 2008-07-18 14:02:26 UTC (rev 2926)
@@ -55,7 +55,7 @@
return 0;
}
-static int check_booleans(struct avc_t *avc, struct boolean_t **bools)
+static int check_booleans(struct boolean_t **bools)
{
char errormsg[PATH_MAX];
struct sepol_av_decision avd;
@@ -376,7 +376,7 @@
avc->tsid = tsid;
avc->tclass = tclass;
avc->av = av;
- if (check_booleans(avc, &bools) == 0) {
+ if (check_booleans(&bools) == 0) {
if (av & ~avd.auditdeny) {
RETURN(DONTAUDIT)
} else {
@@ -390,15 +390,15 @@
len++; b++;
}
b = bools;
- PyObject *boollist = PyTuple_New(len);
+ PyObject *outboollist = PyTuple_New(len);
len=0;
while(b->name) {
PyObject *bool = Py_BuildValue("(si)", b->name, b->active);
- PyTuple_SetItem(boollist, len++, bool);
+ PyTuple_SetItem(outboollist, len++, bool);
b++;
}
free(bools);
- PyTuple_SetItem(result, 1, boollist);
+ PyTuple_SetItem(result, 1, outboollist);
return result;
}
}
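Review bot: renaming `boollist` to `outboollist` removes the shadowing, but the unchanged lines around it still call `PyTuple_New(len)` and `Py_BuildValue("(si)", ...)` without checking for `NULL`, so an allocation failure hands `NULL` to `PyTuple_SetItem`; check each result and return `NULL` with the Python exception already set. The local named `bool` will also shadow the C99 `bool` macro if `<stdbool.h>` is ever included; `entry` or `item` would be safer.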