From: <kma...@us...> - 2006-11-27 19:04:35
Revision: 2101
http://svn.sourceforge.net/selinux/?rev=2101&view=rev
Author: kmacmillan
Date: 2006-11-27 11:04:31 -0800 (Mon, 27 Nov 2006)

Log Message:
-----------
Author: Manoj Srivastava
Email: man...@st...
Subject: Compiling libsepol with -fPIC instead of -fpic
Date: Wed, 15 Nov 2006 00:45:25 -0600

Hi,

I've had reports of packages failing to compile on SPARC hardware when linked with libsepol1 which was compiled with -fpic. We seem to be hitting the global offset table size limit;

,----[ GCC manual ]
| `-fpic'
|      Generate position-independent code (PIC) suitable for use in a
|      shared library, if supported for the target machine. Such code
|      accesses all constant addresses through a global offset table
|      (GOT). The dynamic loader resolves the GOT entries when the
|      program starts (the dynamic loader is not part of GCC; it is part
|      of the operating system). If the GOT size for the linked
|      executable exceeds a machine-specific maximum size, you get an
|      error message from the linker indicating that `-fpic' does not
|      work; in that case, recompile with `-fPIC' instead. (These
|      maximums are 8k on the SPARC and 32k on the m68k and RS/6000. The
|      386 has no such limit.)
`----

Simply recompiling with -fPIC corrects the problem.

manoj

Acked-by: Stephen Smalley <sd...@ty...>
Acked-by: Karl MacMillan <kma...@me...>

Modified Paths:
--------------
trunk/libselinux/ChangeLog
trunk/libselinux/src/Makefile
trunk/libsemanage/ChangeLog
trunk/libsemanage/src/Makefile
trunk/libsepol/ChangeLog
trunk/libsepol/src/Makefile

Modified: trunk/libselinux/ChangeLog =================================================================== --- trunk/libselinux/ChangeLog 2006-11-21 21:20:44 UTC (rev 2100) +++ trunk/libselinux/ChangeLog 2006-11-27 19:04:31 UTC (rev 2101) 
@@ -1,3 +1,8 @@ +1.33.2 2006-11-27 + * Merged patch to compile wit -fPIC instead of -fpic from + Manoj Srivastava to prevent hitting the global offest table + limit. Patch changed to include libselinux and libsemanage in + addition to libselinux. 1.33.1 2006-10-19 * Merged updated flask definitions from Darrel Goeddel. This adds the context security class, and also adds Modified: trunk/libselinux/src/Makefile =================================================================== --- trunk/libselinux/src/Makefile 2006-11-21 21:20:44 UTC (rev 2100) +++ trunk/libselinux/src/Makefile 2006-11-27 19:04:31 UTC (rev 2101) @@ -42,7 +42,7 @@ $(RANLIB) $@ $(SWIGLOBJ): $(SWIGCOUT) - $(CC) $(CFLAGS) -I$(PYINC) -fpic -DSHARED -c -o $@ $< + $(CC) $(CFLAGS) -I$(PYINC) -fPIC -DSHARED -c -o $@ $< $(SWIGSO): $(SWIGLOBJ) $(CC) $(LDFLAGS) -shared -o $@ $< -L. -lselinux -L$(LIBDIR) -Wl,-soname,$@ @@ -55,7 +55,7 @@ $(CC) $(CFLAGS) $(TLSFLAGS) -c -o $@ $< %.lo: %.c policy.h - $(CC) $(CFLAGS) -fpic -DSHARED -c -o $@ $< + $(CC) $(CFLAGS) -fPIC -DSHARED -c -o $@ $< $(SWIGCOUT): $(SWIGIF) $(SWIG) $^ Modified: trunk/libsemanage/ChangeLog =================================================================== --- trunk/libsemanage/ChangeLog 2006-11-21 21:20:44 UTC (rev 2100) +++ trunk/libsemanage/ChangeLog 2006-11-27 19:04:31 UTC (rev 2101) @@ -1,3 +1,8 @@ +1.8.1 2006-11-27 + * Merged patch to compile wit -fPIC instead of -fpic from + Manoj Srivastava to prevent hitting the global offest table + limit. Patch changed to include libselinux and libsemanage in + addition to libselinux. 1.8 2006-10-17 * Updated version for release. Modified: trunk/libsemanage/src/Makefile =================================================================== --- trunk/libsemanage/src/Makefile 2006-11-21 21:20:44 UTC (rev 2100) +++ trunk/libsemanage/src/Makefile 2006-11-27 19:04:31 UTC (rev 2101) 
@@ -44,7 +44,7 @@ pywrap: all $(SWIGLOBJ) $(SWIGSO) $(SWIGLOBJ): $(SWIGCOUT) - $(CC) $(CFLAGS) -I$(PYINC) -fpic -DSHARED -c -o $@ $< + $(CC) $(CFLAGS) -I$(PYINC) -fPIC -DSHARED -c -o $@ $< $(SWIGSO): $(SWIGLOBJ) $(CC) $(LDFLAGS) -shared -o $@ $< -L. -lsemanage -l$(PYLIBVER) -L$(LIBDIR) -Wl,-soname,$@,-z,defs @@ -69,7 +69,7 @@ $(CC) $(CFLAGS) -c -o $@ $< %.lo: %.c - $(CC) $(CFLAGS) -fpic -DSHARED -c -o $@ $< + $(CC) $(CFLAGS) -fPIC -DSHARED -c -o $@ $< $(SWIGCOUT): $(SWIGIF) $(SWIG) $^ Modified: trunk/libsepol/ChangeLog =================================================================== --- trunk/libsepol/ChangeLog 2006-11-21 21:20:44 UTC (rev 2100) +++ trunk/libsepol/ChangeLog 2006-11-27 19:04:31 UTC (rev 2101) @@ -1,3 +1,8 @@ +1.15.3 2006-11-27 + * Merged patch to compile wit -fPIC instead of -fpic from + Manoj Srivastava to prevent hitting the global offest table + limit. Patch changed to include libselinux and libsemanage in + addition to libselinux. 1.15.2 2006-10-31 * Merged fix from Karl MacMillan for a segfault when linking non-MLS modules with users in them. Modified: trunk/libsepol/src/Makefile =================================================================== --- trunk/libsepol/src/Makefile 2006-11-21 21:20:44 UTC (rev 2100) +++ trunk/libsepol/src/Makefile 2006-11-27 19:04:31 UTC (rev 2101) @@ -24,10 +24,10 @@ ln -sf $@ $(TARGET) %.o: %.c - $(CC) $(CFLAGS) -fpic -c -o $@ $< + $(CC) $(CFLAGS) -fPIC -c -o $@ $< %.lo: %.c - $(CC) $(CFLAGS) -fpic -DSHARED -c -o $@ $< + $(CC) $(CFLAGS) -fPIC -DSHARED -c -o $@ $< install: all test -d $(LIBDIR) || install -m 755 -d $(LIBDIR) This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
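Review bot: The three new ChangeLog entries (libselinux 1.33.2, libsemanage 1.8.1, libsepol 1.15.3) share one text whose last sentence reads "include libselinux and libsemanage in addition to libselinux", naming libselinux twice. The submission's subject line is "Compiling libsepol with -fPIC instead of -fpic", so the sentence should end "in addition to libsepol"; as written, none of the three entries records that libsepol was the library the SPARC report was about. The same text also has "wit" for "with" and "offest" for "offset", which makes the entries harder to find by searching for "offset table".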
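Review bot: -fPIC is now written out literally in six compile rules across the three src/Makefile files (the $(SWIGLOBJ) and %.lo rules in libselinux and libsemanage, and the %.o and %.lo rules in libsepol), so any later change to the PIC model has to touch all six again, which is how this patch grew from one library to three. A single variable per Makefile used in each rule (for example a PICFLAGS variable defaulting to -fPIC; the name is a suggestion, not something in the tree) would let a packager override it in one place. The $(SWIGSO) link rules visible as context pass -shared without any PIC option; GCC's documentation for -shared advises giving the same -fpic or -fPIC option at link time as at compile time, so the same variable belongs on those lines too.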
From: <ssm...@us...> - 2006-11-21 21:20:47
Revision: 2100
http://svn.sourceforge.net/selinux/?rev=2100&view=rev
Author: ssmalley
Date: 2006-11-21 13:20:44 -0800 (Tue, 21 Nov 2006)

Log Message:
-----------
New as.po file from Dan Walsh.

Modified Paths:
--------------
trunk/policycoreutils/po/ru.po

Added Paths:
-----------
trunk/policycoreutils/po/as.po

Added: trunk/policycoreutils/po/as.po =================================================================== --- trunk/policycoreutils/po/as.po (rev 0) +++ trunk/policycoreutils/po/as.po 2006-11-21 21:20:44 UTC (rev 2100) 
@@ -0,0 +1,973 @@ +# translation of as.po to Assamese +# This file is distributed under the same license as the PACKAGE package. +# Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER. +# Amitakhya Phukan <ami...@gm...>, 2006. +# +msgid "" +msgstr "" +"Project-Id-Version: as\n" +"Report-Msgid-Bugs-To: \n" +"POT-Creation-Date: 2006-10-20 09:14-0400\n" +"PO-Revision-Date: 2006-09-29 12:44+0530\n" +"Last-Translator: Amitakhya Phukan <ami...@gm...>\n" +"Language-Team: Assamese\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"X-Generator: KBabel 1.9.1\n" + +#: ../load_policy/load_policy.c:22 +#, c-format +msgid "usage: %s [-bq]\n" +msgstr "" + +#: ../load_policy/load_policy.c:66 +#, c-format +msgid "%s: Can't load policy: %s\n" +msgstr "" + +#: ../newrole/newrole.c:98 +#, c-format +msgid "Out of memory!\n" +msgstr "" + +#: ../newrole/newrole.c:200 ../run_init/run_init.c:126 +#, c-format +msgid "failed to initialize PAM\n" +msgstr "" + +#: ../newrole/newrole.c:211 +#, c-format +msgid "failed to set PAM_TTY\n" +msgstr "" + +#: ../newrole/newrole.c:247 ../run_init/run_init.c:154 +msgid "Password:" +msgstr "" + +#: ../newrole/newrole.c:282 ../run_init/run_init.c:189 +#, c-format +msgid "Cannot find your entry in the shadow passwd file.\n" +msgstr "" + +#: ../newrole/newrole.c:288 ../run_init/run_init.c:195 +#, c-format +msgid "getpass cannot open /dev/tty\n" +msgstr "" + +#: ../newrole/newrole.c:355 +#, c-format +msgid "Error initing capabilities, aborting.\n" +msgstr "" + +#: ../newrole/newrole.c:369 +#, c-format +msgid "Error dropping capabilities, aborting\n" +msgstr "" + +#: ../newrole/newrole.c:376 +#, c-format +msgid "Error changing uid, aborting.\n" +msgstr "" + +#: ../newrole/newrole.c:383 +#, c-format +msgid "Error resetting KEEPCAPS, aborting\n" +msgstr "" + +#: ../newrole/newrole.c:391 +#, c-format +msgid "Error dropping SETUID capability, aborting\n" +msgstr "" + +#: ../newrole/newrole.c:410 +#, c-format 
+msgid "Error connecting to audit system.\n" +msgstr "" + +#: ../newrole/newrole.c:416 +#, c-format +msgid "Error allocating memory.\n" +msgstr "" + +#: ../newrole/newrole.c:423 +#, c-format +msgid "Error sending audit message.\n" +msgstr "" + +#: ../newrole/newrole.c:511 +#, c-format +msgid "Sorry, newrole may be used only on a SELinux kernel.\n" +msgstr "" + +#: ../newrole/newrole.c:516 +#, c-format +msgid "Could not determine enforcing mode.\n" +msgstr "" + +#: ../newrole/newrole.c:536 +#, c-format +msgid "Error: multiple roles specified\n" +msgstr "" + +#: ../newrole/newrole.c:546 +#, c-format +msgid "Error: multiple types specified\n" +msgstr "" + +#: ../newrole/newrole.c:556 +#, c-format +msgid "Sorry, -l may be used with SELinux MLS support.\n" +msgstr "" + +#: ../newrole/newrole.c:563 +#, c-format +msgid "Error: multiple levels specified\n" +msgstr "" + +#: ../newrole/newrole.c:585 +#, c-format +msgid "Couldn't get default type.\n" +msgstr "" + +#: ../newrole/newrole.c:608 +#, c-format +msgid "failed to get old_context.\n" +msgstr "" + +#: ../newrole/newrole.c:621 +#, c-format +msgid "failed to get new context.\n" +msgstr "" + +#: ../newrole/newrole.c:645 +#, c-format +msgid "cannot find your entry in the passwd file.\n" +msgstr "" + +#: ../newrole/newrole.c:655 +#, c-format +msgid "Error! Shell is not valid.\n" +msgstr "" + +#: ../newrole/newrole.c:663 +#, c-format +msgid "Error! 
Could not retrieve tty information.\n" +msgstr "" + +#: ../newrole/newrole.c:667 +#, c-format +msgid "Authenticating %s.\n" +msgstr "" + +#: ../newrole/newrole.c:681 +#, c-format +msgid "newrole: incorrect password for %s\n" +msgstr "" + +#: ../newrole/newrole.c:707 +#, c-format +msgid "failed to set new role %s\n" +msgstr "" + +#: ../newrole/newrole.c:721 +#, c-format +msgid "failed to set new type %s\n" +msgstr "" + +#: ../newrole/newrole.c:738 +#, c-format +msgid "failed to build new range with level %s\n" +msgstr "" + +#: ../newrole/newrole.c:743 +#, c-format +msgid "failed to set new range %s\n" +msgstr "" + +#: ../newrole/newrole.c:758 +#, c-format +msgid "failed to convert new context to string\n" +msgstr "" + +#: ../newrole/newrole.c:766 +#, c-format +msgid "%s is not a valid context\n" +msgstr "" + +#: ../newrole/newrole.c:780 +#, c-format +msgid "Error! Could not open %s.\n" +msgstr "" + +#: ../newrole/newrole.c:788 +#, c-format +msgid "%s! Could not get current context for %s, not relabeling tty.\n" +msgstr "" + +#: ../newrole/newrole.c:807 +#, c-format +msgid "%s! Could not get new context for %s, not relabeling tty.\n" +msgstr "" + +#: ../newrole/newrole.c:821 +#, c-format +msgid "%s! Could not set new context for %s\n" +msgstr "" + +#: ../newrole/newrole.c:834 +#, c-format +msgid "newrole: failure forking: %s" +msgstr "" + +#: ../newrole/newrole.c:839 +#, c-format +msgid "Warning! 
Could not restore context for %s\n" +msgstr "" + +#: ../newrole/newrole.c:860 +#, c-format +msgid "%s changed labels.\n" +msgstr "" + +#: ../newrole/newrole.c:884 +#, c-format +msgid "Could not close descriptors.\n" +msgstr "" + +#: ../newrole/newrole.c:909 +#, c-format +msgid "Error allocating shell.\n" +msgstr "" + +#: ../newrole/newrole.c:922 ../run_init/run_init.c:397 +#, c-format +msgid "Could not set exec context to %s.\n" +msgstr "" + +#: ../newrole/newrole.c:932 +msgid "failed to exec shell\n" +msgstr "" + +#: ../run_init/run_init.c:67 +msgid "" +"USAGE: run_init <script> <args ...>\n" +" where: <script> is the name of the init script to run,\n" +" <args ...> are the arguments to that script." +msgstr "" + +#: ../run_init/run_init.c:267 +#, c-format +msgid "run_init: incorrect password for %s\n" +msgstr "" + +#: ../run_init/run_init.c:301 +#, c-format +msgid "Could not open file %s\n" +msgstr "" + +#: ../run_init/run_init.c:328 +#, c-format +msgid "No context in file %s\n" +msgstr "" + +#: ../run_init/run_init.c:353 +#, c-format +msgid "Sorry, run_init may be used only on a SELinux kernel.\n" +msgstr "" + +#: ../run_init/run_init.c:372 +#, c-format +msgid "authentication failed.\n" +msgstr "" + +#: ../scripts/chcat:75 ../scripts/chcat:145 +msgid "Requires at least one category" +msgstr "" + +#: ../scripts/chcat:89 ../scripts/chcat:159 +#, c-format +msgid "Can not modify sensitivity levels using '+' on %s" +msgstr "" + +#: ../scripts/chcat:93 +#, c-format +msgid "%s is already in %s" +msgstr "" + +#: ../scripts/chcat:164 ../scripts/chcat:174 +#, c-format +msgid "%s is not in %s" +msgstr "" + +#: ../scripts/chcat:237 ../scripts/chcat:242 +msgid "Can not combine +/- with other types of categories" +msgstr "" + +#: ../scripts/chcat:287 +msgid "Can not have multiple sensitivities" +msgstr "" + +#: ../scripts/chcat:293 +#, c-format +msgid "Usage %s CATEGORY File ..." +msgstr "" + +#: ../scripts/chcat:294 +#, c-format +msgid "Usage %s -l CATEGORY user ..." 
+msgstr "" + +#: ../scripts/chcat:295 +#, c-format +msgid "Usage %s [[+|-]CATEGORY],...]q File ..." +msgstr "" + +#: ../scripts/chcat:296 +#, c-format +msgid "Usage %s -l [[+|-]CATEGORY],...]q user ..." +msgstr "" + +#: ../scripts/chcat:297 +#, c-format +msgid "Usage %s -d File ..." +msgstr "" + +#: ../scripts/chcat:298 +#, c-format +msgid "Usage %s -l -d user ..." +msgstr "" + +#: ../scripts/chcat:299 +#, c-format +msgid "Usage %s -L" +msgstr "" + +#: ../scripts/chcat:300 +#, c-format +msgid "Usage %s -L -l user" +msgstr "" + +#: ../scripts/chcat:301 +msgid "Use -- to end option list. For example" +msgstr "" + +#: ../scripts/chcat:302 +msgid "chcat -- -CompanyConfidential /docs/businessplan.odt" +msgstr "" + +#: ../scripts/chcat:303 +msgid "chcat -l +CompanyConfidential juser" +msgstr "" + +#: ../semanage/semanage:127 +msgid "Requires 2 or more arguments" +msgstr "" + +#: ../semanage/semanage:132 +#, c-format +msgid "%s not defined" +msgstr "" + +#: ../semanage/semanage:156 +#, c-format +msgid "%s not valid for %s objects\n" +msgstr "" + +#: ../semanage/semanage:183 ../semanage/semanage:191 +msgid "range not supported on Non MLS machines" +msgstr "" + +#: ../semanage/semanage:249 +msgid "You must specify a role" +msgstr "" + +#: ../semanage/semanage:251 +msgid "You must specify a prefix" +msgstr "" + +#: ../semanage/semanage:300 +#, c-format +msgid "Options Error %s " +msgstr "" + +#: ../semanage/semanage:304 +#, c-format +msgid "Invalid value %s" +msgstr "" + +#: ../semanage/seobject.py:130 +msgid "translations not supported on non-MLS machines" +msgstr "" + +#: ../semanage/seobject.py:137 +#, python-format +msgid "Unable to open %s: translations not supported on non-MLS machines" +msgstr "" + +#: ../semanage/seobject.py:177 ../semanage/seobject.py:191 +#, python-format +msgid "Translations can not contain spaces '%s' " +msgstr "" + +#: ../semanage/seobject.py:180 +#, python-format +msgid "Invalid Level '%s' " +msgstr "" + +#: ../semanage/seobject.py:183 +#, 
python-format +msgid "%s already defined in translations" +msgstr "" + +#: ../semanage/seobject.py:195 +#, python-format +msgid "%s not defined in translations" +msgstr "" + +#: ../semanage/seobject.py:215 +msgid "SELinux policy is not managed or store cannot be accessed." +msgstr "" + +#: ../semanage/seobject.py:220 +msgid "Cannot read policy store." +msgstr "" + +#: ../semanage/seobject.py:225 +msgid "Could not establish semanage connection" +msgstr "" + +#: ../semanage/seobject.py:244 ../semanage/seobject.py:302 +#: ../semanage/seobject.py:349 ../semanage/seobject.py:430 +#: ../semanage/seobject.py:501 ../semanage/seobject.py:559 +#: ../semanage/seobject.py:1090 ../semanage/seobject.py:1129 +#: ../semanage/seobject.py:1204 ../semanage/seobject.py:1238 +#, python-format +msgid "Could not create a key for %s" +msgstr "" + +#: ../semanage/seobject.py:248 ../semanage/seobject.py:306 +#: ../semanage/seobject.py:353 ../semanage/seobject.py:359 +#, python-format +msgid "Could not check if login mapping for %s is defined" +msgstr "" + +#: ../semanage/seobject.py:250 +#, python-format +msgid "Login mapping for %s is already defined" +msgstr "" + +#: ../semanage/seobject.py:254 +#, python-format +msgid "Linux User %s does not exist" +msgstr "" + +#: ../semanage/seobject.py:258 +#, python-format +msgid "Could not create login mapping for %s" +msgstr "" + +#: ../semanage/seobject.py:262 ../semanage/seobject.py:444 +#, python-format +msgid "Could not set name for %s" +msgstr "" + +#: ../semanage/seobject.py:267 ../semanage/seobject.py:454 +#, python-format +msgid "Could not set MLS range for %s" +msgstr "" + +#: ../semanage/seobject.py:271 +#, python-format +msgid "Could not set SELinux user for %s" +msgstr "" + +#: ../semanage/seobject.py:275 ../semanage/seobject.py:327 +#: ../semanage/seobject.py:365 ../semanage/seobject.py:470 +#: ../semanage/seobject.py:536 ../semanage/seobject.py:575 +#: ../semanage/seobject.py:702 ../semanage/seobject.py:744 +#: 
../semanage/seobject.py:773 ../semanage/seobject.py:900 +#: ../semanage/seobject.py:941 ../semanage/seobject.py:973 +#: ../semanage/seobject.py:1070 ../semanage/seobject.py:1113 +#: ../semanage/seobject.py:1145 ../semanage/seobject.py:1222 +#: ../semanage/seobject.py:1254 +msgid "Could not start semanage transaction" +msgstr "" + +#: ../semanage/seobject.py:279 ../semanage/seobject.py:283 +#, python-format +msgid "Could not add login mapping for %s" +msgstr "" + +#: ../semanage/seobject.py:298 +msgid "Requires seuser or serange" +msgstr "" + +#: ../semanage/seobject.py:308 ../semanage/seobject.py:355 +#, python-format +msgid "Login mapping for %s is not defined" +msgstr "" + +#: ../semanage/seobject.py:312 +#, python-format +msgid "Could not query seuser for %s" +msgstr "" + +#: ../semanage/seobject.py:331 ../semanage/seobject.py:335 +#, python-format +msgid "Could not modify login mapping for %s" +msgstr "" + +#: ../semanage/seobject.py:361 +#, python-format +msgid "Login mapping for %s is defined in policy, cannot be deleted" +msgstr "" + +#: ../semanage/seobject.py:370 ../semanage/seobject.py:374 +#, python-format +msgid "Could not delete login mapping for %s" +msgstr "" + +#: ../semanage/seobject.py:388 +msgid "Could not list login mappings" +msgstr "" + +#: ../semanage/seobject.py:434 ../semanage/seobject.py:505 +#: ../semanage/seobject.py:563 ../semanage/seobject.py:569 +#, python-format +msgid "Could not check if SELinux user %s is defined" +msgstr "" + +#: ../semanage/seobject.py:436 +#, python-format +msgid "SELinux user %s is already defined" +msgstr "" + +#: ../semanage/seobject.py:440 +#, python-format +msgid "Could not create SELinux user for %s" +msgstr "" + +#: ../semanage/seobject.py:449 +#, python-format +msgid "Could not add role %s for %s" +msgstr "" + +#: ../semanage/seobject.py:458 +#, python-format +msgid "Could not set MLS level for %s" +msgstr "" + +#: ../semanage/seobject.py:460 ../semanage/seobject.py:527 +#, python-format +msgid "Invalid 
prefix %s" +msgstr "" + +#: ../semanage/seobject.py:463 +#, python-format +msgid "Could not add prefix %s for %s" +msgstr "" + +#: ../semanage/seobject.py:466 +#, python-format +msgid "Could not extract key for %s" +msgstr "" + +#: ../semanage/seobject.py:474 ../semanage/seobject.py:478 +#, python-format +msgid "Could not add SELinux user %s" +msgstr "" + +#: ../semanage/seobject.py:495 +msgid "Requires prefix, roles, level or range" +msgstr "" + +#: ../semanage/seobject.py:497 +msgid "Requires prefix or roles" +msgstr "" + +#: ../semanage/seobject.py:507 ../semanage/seobject.py:565 +#, python-format +msgid "SELinux user %s is not defined" +msgstr "" + +#: ../semanage/seobject.py:511 +#, python-format +msgid "Could not query user for %s" +msgstr "" + +#: ../semanage/seobject.py:540 ../semanage/seobject.py:544 +#, python-format +msgid "Could not modify SELinux user %s" +msgstr "" + +#: ../semanage/seobject.py:571 +#, python-format +msgid "SELinux user %s is defined in policy, cannot be deleted" +msgstr "" + +#: ../semanage/seobject.py:579 ../semanage/seobject.py:583 +#, python-format +msgid "Could not delete SELinux user %s" +msgstr "" + +#: ../semanage/seobject.py:595 +msgid "Could not list SELinux users" +msgstr "" + +#: ../semanage/seobject.py:601 +#, python-format +msgid "Could not list roles for user %s" +msgstr "" + +#: ../semanage/seobject.py:635 +msgid "Protocol udp or tcp is required" +msgstr "" + +#: ../semanage/seobject.py:637 +msgid "Port is required" +msgstr "" + +#: ../semanage/seobject.py:648 +#, python-format +msgid "Could not create a key for %s/%s" +msgstr "" + +#: ../semanage/seobject.py:659 +msgid "Type is required" +msgstr "" + +#: ../semanage/seobject.py:665 ../semanage/seobject.py:727 +#: ../semanage/seobject.py:761 ../semanage/seobject.py:767 +#, python-format +msgid "Could not check if port %s/%s is defined" +msgstr "" + +#: ../semanage/seobject.py:667 +#, python-format +msgid "Port %s/%s already defined" +msgstr "" + +#: 
../semanage/seobject.py:671 +#, python-format +msgid "Could not create port for %s/%s" +msgstr "" + +#: ../semanage/seobject.py:677 +#, python-format +msgid "Could not create context for %s/%s" +msgstr "" + +#: ../semanage/seobject.py:681 +#, python-format +msgid "Could not set user in port context for %s/%s" +msgstr "" + +#: ../semanage/seobject.py:685 +#, python-format +msgid "Could not set role in port context for %s/%s" +msgstr "" + +#: ../semanage/seobject.py:689 +#, python-format +msgid "Could not set type in port context for %s/%s" +msgstr "" + +#: ../semanage/seobject.py:694 +#, python-format +msgid "Could not set mls fields in port context for %s/%s" +msgstr "" + +#: ../semanage/seobject.py:698 +#, python-format +msgid "Could not set port context for %s/%s" +msgstr "" + +#: ../semanage/seobject.py:706 ../semanage/seobject.py:710 +#, python-format +msgid "Could not add port %s/%s" +msgstr "" + +#: ../semanage/seobject.py:719 ../semanage/seobject.py:916 +msgid "Requires setype or serange" +msgstr "" + +#: ../semanage/seobject.py:721 +msgid "Requires setype" +msgstr "" + +#: ../semanage/seobject.py:729 ../semanage/seobject.py:763 +#, python-format +msgid "Port %s/%s is not defined" +msgstr "" + +#: ../semanage/seobject.py:733 +#, python-format +msgid "Could not query port %s/%s" +msgstr "" + +#: ../semanage/seobject.py:748 ../semanage/seobject.py:752 +#, python-format +msgid "Could not modify port %s/%s" +msgstr "" + +#: ../semanage/seobject.py:769 +#, python-format +msgid "Port %s/%s is defined in policy, cannot be deleted" +msgstr "" + +#: ../semanage/seobject.py:777 ../semanage/seobject.py:781 +#, python-format +msgid "Could not delete port %s/%s" +msgstr "" + +#: ../semanage/seobject.py:789 ../semanage/seobject.py:808 +msgid "Could not list ports" +msgstr "" + +#: ../semanage/seobject.py:852 ../semanage/seobject.py:1024 +msgid "SELinux Type is required" +msgstr "" + +#: ../semanage/seobject.py:856 ../semanage/seobject.py:920 +#: 
../semanage/seobject.py:957 ../semanage/seobject.py:1028 +#, python-format +msgid "Could not create key for %s" +msgstr "" + +#: ../semanage/seobject.py:860 ../semanage/seobject.py:924 +#: ../semanage/seobject.py:961 ../semanage/seobject.py:967 +#, python-format +msgid "Could not check if interface %s is defined" +msgstr "" + +#: ../semanage/seobject.py:862 +#, python-format +msgid "Interface %s already defined" +msgstr "" + +#: ../semanage/seobject.py:866 +#, python-format +msgid "Could not create interface for %s" +msgstr "" + +#: ../semanage/seobject.py:871 ../semanage/seobject.py:1043 +#, python-format +msgid "Could not create context for %s" +msgstr "" + +#: ../semanage/seobject.py:875 +#, python-format +msgid "Could not set user in interface context for %s" +msgstr "" + +#: ../semanage/seobject.py:879 +#, python-format +msgid "Could not set role in interface context for %s" +msgstr "" + +#: ../semanage/seobject.py:883 +#, python-format +msgid "Could not set type in interface context for %s" +msgstr "" + +#: ../semanage/seobject.py:888 +#, python-format +msgid "Could not set mls fields in interface context for %s" +msgstr "" + +#: ../semanage/seobject.py:892 +#, python-format +msgid "Could not set interface context for %s" +msgstr "" + +#: ../semanage/seobject.py:896 +#, python-format +msgid "Could not set message context for %s" +msgstr "" + +#: ../semanage/seobject.py:904 ../semanage/seobject.py:908 +#, python-format +msgid "Could not add interface %s" +msgstr "" + +#: ../semanage/seobject.py:926 ../semanage/seobject.py:963 +#, python-format +msgid "Interface %s is not defined" +msgstr "" + +#: ../semanage/seobject.py:930 +#, python-format +msgid "Could not query interface %s" +msgstr "" + +#: ../semanage/seobject.py:945 ../semanage/seobject.py:949 +#, python-format +msgid "Could not modify interface %s" +msgstr "" + +#: ../semanage/seobject.py:969 +#, python-format +msgid "Interface %s is defined in policy, cannot be deleted" +msgstr "" + +#: 
../semanage/seobject.py:977 ../semanage/seobject.py:981 +#, python-format +msgid "Could not delete interface %s" +msgstr "" + +#: ../semanage/seobject.py:989 +msgid "Could not list interfaces" +msgstr "" + +#: ../semanage/seobject.py:1032 ../semanage/seobject.py:1094 +#: ../semanage/seobject.py:1133 ../semanage/seobject.py:1137 +#, python-format +msgid "Could not check if file context for %s is defined" +msgstr "" + +#: ../semanage/seobject.py:1034 +#, python-format +msgid "File context for %s already defined" +msgstr "" + +#: ../semanage/seobject.py:1038 +#, python-format +msgid "Could not create file context for %s" +msgstr "" + +#: ../semanage/seobject.py:1047 +#, python-format +msgid "Could not set user in file context for %s" +msgstr "" + +#: ../semanage/seobject.py:1051 +#, python-format +msgid "Could not set role in file context for %s" +msgstr "" + +#: ../semanage/seobject.py:1055 +#, python-format +msgid "Could not set type in file context for %s" +msgstr "" + +#: ../semanage/seobject.py:1060 +#, python-format +msgid "Could not set mls fields in file context for %s" +msgstr "" + +#: ../semanage/seobject.py:1066 +#, python-format +msgid "Could not set file context for %s" +msgstr "" + +#: ../semanage/seobject.py:1074 ../semanage/seobject.py:1078 +#, python-format +msgid "Could not add file context for %s" +msgstr "" + +#: ../semanage/seobject.py:1086 +msgid "Requires setype, serange or seuser" +msgstr "" + +#: ../semanage/seobject.py:1096 ../semanage/seobject.py:1141 +#, python-format +msgid "File context for %s is not defined" +msgstr "" + +#: ../semanage/seobject.py:1100 +#, python-format +msgid "Could not query file context for %s" +msgstr "" + +#: ../semanage/seobject.py:1117 ../semanage/seobject.py:1121 +#, python-format +msgid "Could not modify file context for %s" +msgstr "" + +#: ../semanage/seobject.py:1139 +#, python-format +msgid "File context for %s is defined in policy, cannot be deleted" +msgstr "" + +#: ../semanage/seobject.py:1149 
../semanage/seobject.py:1153 +#, python-format +msgid "Could not delete file context for %s" +msgstr "" + +#: ../semanage/seobject.py:1161 +msgid "Could not list file contexts" +msgstr "" + +#: ../semanage/seobject.py:1165 +msgid "Could not list local file contexts" +msgstr "" + +#: ../semanage/seobject.py:1200 +msgid "Requires value" +msgstr "" + +#: ../semanage/seobject.py:1208 ../semanage/seobject.py:1242 +#: ../semanage/seobject.py:1248 +#, python-format +msgid "Could not check if boolean %s is defined" +msgstr "" + +#: ../semanage/seobject.py:1210 ../semanage/seobject.py:1244 +#, python-format +msgid "Boolean %s is not defined" +msgstr "" + +#: ../semanage/seobject.py:1214 +#, python-format +msgid "Could not query file context %s" +msgstr "" + +#: ../semanage/seobject.py:1226 ../semanage/seobject.py:1230 +#, python-format +msgid "Could not modify boolean %s" +msgstr "" + +#: ../semanage/seobject.py:1250 +#, python-format +msgid "Boolean %s is defined in policy, cannot be deleted" +msgstr "" + +#: ../semanage/seobject.py:1258 ../semanage/seobject.py:1262 +#, python-format +msgid "Could not delete boolean %s" +msgstr "" + +#: ../semanage/seobject.py:1270 +msgid "Could not list booleans" +msgstr "" + +#: ../audit2allow/audit2allow:183 +#, c-format +msgid "Generating type enforcment file: %s.te" +msgstr "" + +#: ../audit2allow/audit2allow:188 +msgid "Compiling policy" +msgstr "" + +#: ../audit2allow/audit2allow:199 +msgid "" +"\n" +"******************** IMPORTANT ***********************\n" +msgstr "" + +#: ../audit2allow/audit2allow:200 +#, c-format +msgid "" +"In order to load this newly created policy package into the kernel,\n" +"you are required to execute \n" +"\n" +"semodule -i %s.pp\n" +"\n" +msgstr "" + +#: ../audit2allow/audit2allow:207 +#, c-format +msgid "Options Error: %s " +msgstr "" Modified: trunk/policycoreutils/po/ru.po =================================================================== --- trunk/policycoreutils/po/ru.po 2006-11-21 21:12:54 UTC 
(rev 2099) +++ trunk/policycoreutils/po/ru.po 2006-11-21 21:20:44 UTC (rev 2100) @@ -5,7 +5,7 @@ msgstr "" "Project-Id-Version: ru\n" "Report-Msgid-Bugs-To: \n" -"POT-Creation-Date: 2006-06-29 15:53-0400\n" +"POT-Creation-Date: 2006-10-20 09:14-0400\n" "PO-Revision-Date: 2006-11-07 22:36+0300\n" "Last-Translator: Gregory R. Sapunkov <sap...@ya...>\n" "Language-Team: Russian <fed...@re...>\n" 
@@ -24,226 +24,228 @@ msgid "%s: Can't load policy: %s\n" msgstr "%s: Невозможно загрузить пол\xD0\xB8тику: %s\n" -#: ../newrole/newrole.c:97 +#: ../newrole/newrole.c:98 #, c-format msgid "Out of memory!\n" msgstr "Недостаточно памяти!\n" -#: ../newrole/newrole.c:199 -#: ../run_init/run_init.c:126 +#: ../newrole/newrole.c:200 ../run_init/run_init.c:126 #, c-format msgid "failed to initialize PAM\n" msgstr "сбой инициализации PAM\n" -#: ../newrole/newrole.c:210 +#: ../newrole/newrole.c:211 #, c-format msgid "failed to set PAM_TTY\n" msgstr "сбой установки PAM_TTY\n" -#: ../newrole/newrole.c:246 -#: ../run_init/run_init.c:154 +#: ../newrole/newrole.c:247 ../run_init/run_init.c:154 msgid "Password:" msgstr "Пароль:" -#: ../newrole/newrole.c:281 -#: ../run_init/run_init.c:189 +#: ../newrole/newrole.c:282 ../run_init/run_init.c:189 #, c-format msgid "Cannot find your entry in the shadow passwd file.\n" msgstr "Невозможно найти вашу запись в теневом файле паролей.\n" -#: ../newrole/newrole.c:287 -#: ../run_init/run_init.c:195 +#: ../newrole/newrole.c:288 ../run_init/run_init.c:195 #, c-format msgid "getpass cannot open /dev/tty\n" msgstr "getpass не может открыть /dev/tty\n" -#: ../newrole/newrole.c:354 +#: ../newrole/newrole.c:355 #, fuzzy, c-format msgid "Error initing capabilities, aborting.\n" msgstr "Ошибка смены uid, аварийное завершение.\n" -#: ../newrole/newrole.c:368 +#: ../newrole/newrole.c:369 #, fuzzy, c-format msgid "Error dropping capabilities, aborting\n" msgstr "Ошибка сброса capabilities, аварийное завершение.\n" -#: ../newrole/newrole.c:375 +#: ../newrole/newrole.c:376 #, c-format msgid "Error changing uid, aborting.\n" msgstr "Ошибка смены uid, аварийное завершение.\n" -#: ../newrole/newrole.c:382 +#: ../newrole/newrole.c:383 #, c-format msgid "Error resetting KEEPCAPS, aborting\n" msgstr "Ошибка сброса KEEPCAPS, аварийное завершение.\n" -#: ../newrole/newrole.c:390 +#: ../newrole/newrole.c:391 #, fuzzy, c-format msgid "Error dropping SETUID 
capability, aborting\n" msgstr "Ошибка сброса SETUID capability, аварийное завершение.\n" -#: ../newrole/newrole.c:463 +#: ../newrole/newrole.c:410 #, c-format +msgid "Error connecting to audit system.\n" +msgstr "Ошибка соединения с системой аудита.\n" + +#: ../newrole/newrole.c:416 +#, c-format +msgid "Error allocating memory.\n" +msgstr "Ошибка выделения памяти.\n" + +#: ../newrole/newrole.c:423 +#, c-format +msgid "Error sending audit message.\n" +msgstr "Ошибка отправки сообщения аудита.\n" + +#: ../newrole/newrole.c:511 +#, c-format msgid "Sorry, newrole may be used only on a SELinux kernel.\n" msgstr "Извините. newrole может быть использована только для ядра с SELinux.\n" -#: ../newrole/newrole.c:468 +#: ../newrole/newrole.c:516 #, c-format msgid "Could not determine enforcing mode.\n" msgstr "Невозможно определить режим блокировок (enforcing).\n" -#: ../newrole/newrole.c:488 +#: ../newrole/newrole.c:536 #, c-format msgid "Error: multiple roles specified\n" msgstr "Ошибка: указано несколько ролей\n" -#: ../newrole/newrole.c:498 +#: ../newrole/newrole.c:546 #, c-format msgid "Error: multiple types specified\n" msgstr "Ошибка: указано несколько типов\n" -#: ../newrole/newrole.c:508 +#: ../newrole/newrole.c:556 #, c-format msgid "Sorry, -l may be used with SELinux MLS support.\n" msgstr "Извините, -l может быть использована с поддержкой SELinux MLS.\n" -#: ../newrole/newrole.c:515 +#: ../newrole/newrole.c:563 #, c-format msgid "Error: multiple levels specified\n" msgstr "Ошибка: указано несколько уровней\n" -#: ../newrole/newrole.c:537 +#: ../newrole/newrole.c:585 #, c-format msgid "Couldn't get default type.\n" msgstr "Невозможно получить тип по умолчанию.\n" -#: ../newrole/newrole.c:559 +#: ../newrole/newrole.c:608 #, c-format msgid "failed to get old_context.\n" msgstr "сбой получения старого_контекста.\n" -#: ../newrole/newrole.c:572 +#: ../newrole/newrole.c:621 #, c-format msgid "failed to get new context.\n" msgstr "сбой получения нового контекста.\n" -#: 
../newrole/newrole.c:596 +#: ../newrole/newrole.c:645 #, c-format msgid "cannot find your entry in the passwd file.\n" msgstr "невозможно найти вашу запись в файле passwd.\n" -#: ../newrole/newrole.c:606 +#: ../newrole/newrole.c:655 #, c-format msgid "Error! Shell is not valid.\n" msgstr "Ошибка! Оболочка не верна.\n" -#: ../newrole/newrole.c:614 +#: ../newrole/newrole.c:663 #, c-format msgid "Error! Could not retrieve tty information.\n" msgstr "Ошибка! Невозможно получить информацию о tty.\n" -#: ../newrole/newrole.c:618 +#: ../newrole/newrole.c:667 #, c-format msgid "Authenticating %s.\n" msgstr "Проверка подлинности %s.\n" -#: ../newrole/newrole.c:632 +#: ../newrole/newrole.c:681 #, c-format msgid "newrole: incorrect password for %s\n" msgstr "newrole: неверный пароль %s\n" -#: ../newrole/newrole.c:657 +#: ../newrole/newrole.c:707 #, c-format msgid "failed to set new role %s\n" msgstr "сбой задания новой роли %s\n" -#: ../newrole/newrole.c:671 +#: ../newrole/newrole.c:721 #, c-format msgid "failed to set new type %s\n" msgstr "сбой задания нового типа %s\n" -#: ../newrole/newrole.c:688 +#: ../newrole/newrole.c:738 #, c-format msgid "failed to build new range with level %s\n" msgstr "сбой построения нового диапазона с уровнем %s\n" -#: ../newrole/newrole.c:693 +#: ../newrole/newrole.c:743 #, c-format msgid "failed to set new range %s\n" msgstr "сбой задания нового диапазона %s\n" -#: ../newrole/newrole.c:708 +#: ../newrole/newrole.c:758 #, c-format msgid "failed to convert new context to string\n" msgstr "сбой преобразования нового контекста в строку\n" -#: ../newrole/newrole.c:717 +#: ../newrole/newrole.c:766 #, c-format msgid "%s is not a valid context\n" msgstr "%s не является верным контекстом\n" -#: ../newrole/newrole.c:730 +#: ../newrole/newrole.c:780 #, c-format msgid "Error! Could not open %s.\n" msgstr "Ошибка! Невозможно открыть %s.\n" -#: ../newrole/newrole.c:738 +#: ../newrole/newrole.c:788 #, c-format msgid "%s! 
Could not get current context for %s, not relabeling tty.\n" -msgstr "%s! Невозможно получить текущий контекст для %s, метка tty не изменяет\xD1\x81я.\n" +msgstr "" +"%s! Невозможно получить текущий контекст для %s, метка tty не изменяется.\n" -#: ../newrole/newrole.c:757 +#: ../newrole/newrole.c:807 #, c-format msgid "%s! Could not get new context for %s, not relabeling tty.\n" -msgstr "%s! Невозможно получить новый контекст для %s, метка tty не изменяется.\n" +msgstr "" +"%s! Невозможно получить новый контекст для %s, метка tty не изменяется.\n" -#: ../newrole/newrole.c:771 +#: ../newrole/newrole.c:821 #, c-format msgid "%s! Could not set new context for %s\n" msgstr "%s! Невозможно задать новый контекст для %s\n" -#: ../newrole/newrole.c:784 +#: ../newrole/newrole.c:834 #, c-format msgid "newrole: failure forking: %s" msgstr "newrole: сбой выполнения fork: %s" -#: ../newrole/newrole.c:789 +#: ../newrole/newrole.c:839 #, c-format msgid "Warning! Could not restore context for %s\n" msgstr "Предупреждение! 
Невозможно восстановить контекст для %s\n" -#: ../newrole/newrole.c:810 +#: ../newrole/newrole.c:860 #, fuzzy, c-format msgid "%s changed labels.\n" msgstr "%s изменило метки.\n" -#: ../newrole/newrole.c:834 +#: ../newrole/newrole.c:884 #, c-format msgid "Could not close descriptors.\n" msgstr "Невозможно закрыть дескрипторы.\n" -#: ../newrole/newrole.c:869 -#: ../run_init/run_init.c:397 +#: ../newrole/newrole.c:909 +#, fuzzy, c-format +msgid "Error allocating shell.\n" +msgstr "Ошибка выделения памяти.\n" + +#: ../newrole/newrole.c:922 ../run_init/run_init.c:397 #, c-format msgid "Could not set exec context to %s.\n" msgstr "Невозможно задать контекст исполнения для %s.\n" -#: ../newrole/newrole.c:881 -#, c-format -msgid "Error connecting to audit system.\n" -msgstr "Ошибка соединения с системой аудита.\n" - -#: ../newrole/newrole.c:886 -#, c-format -msgid "Error allocating memory.\n" -msgstr "Ошибка выделения памяти.\n" - -#: ../newrole/newrole.c:892 -#, c-format -msgid "Error sending audit message.\n" -msgstr "Ошибка отправки сообщения аудита.\n" - -#: ../newrole/newrole.c:903 +#: ../newrole/newrole.c:932 msgid "failed to exec shell\n" msgstr "сбой запуска оболочки\n" 
@@ -275,740 +277,691 @@ #: ../run_init/run_init.c:353 #, c-format msgid "Sorry, run_init may be used only on a SELinux kernel.\n" -msgstr "Извините, run_init может быть использовано только для ядра с SELinux.\n" +msgstr "" +"Извините, run_init может быть использовано только для ядра с SELinux.\n" #: ../run_init/run_init.c:372 #, c-format msgid "authentication failed.\n" msgstr "сбой проверки подл\xD0\xB8нности.\n" -#: ../scripts/chcat:70 -#: ../scripts/chcat:140 +#: ../scripts/chcat:75 ../scripts/chcat:145 msgid "Requires at least one category" msgstr "Требуется как минимум одна категория" -#: ../scripts/chcat:84 -#: ../scripts/chcat:154 +#: ../scripts/chcat:89 ../scripts/chcat:159 #, c-format msgid "Can not modify sensitivity levels using '+' on %s" msgstr "Нельзя изменить уровень чувствительности используя '+' на %s" -#: ../scripts/chcat:88 +#: ../scripts/chcat:93 #, c-format msgid "%s is already in %s" msgstr "%s уже в %s" -#: ../scripts/chcat:159 -#: ../scripts/chcat:169 +#: ../scripts/chcat:164 ../scripts/chcat:174 #, c-format msgid "%s is not in %s" msgstr "%s не в %s" -#: ../scripts/chcat:232 -#: ../scripts/chcat:237 +#: ../scripts/chcat:237 ../scripts/chcat:242 msgid "Can not combine +/- with other types of categories" msgstr "Невозможно объединить +/- с друг\xD0\xB8ми типами категорий" -#: ../scripts/chcat:282 +#: ../scripts/chcat:287 #, fuzzy msgid "Can not have multiple sensitivities" msgstr "Нельзя иметь несколько уровней чувствительности" -#: ../scripts/chcat:288 +#: ../scripts/chcat:293 #, c-format msgid "Usage %s CATEGORY File ..." msgstr "Использование %s КАТЕГОРИЯ Файл ..." -#: ../scripts/chcat:289 +#: ../scripts/chcat:294 #, c-format msgid "Usage %s -l CATEGORY user ..." msgstr "Использование %s -l КАТЕГОРИЯ пользователь ..." -#: ../scripts/chcat:290 +#: ../scripts/chcat:295 #, c-format msgid "Usage %s [[+|-]CATEGORY],...]q File ..." msgstr "Использование %s [[+|-]КАТЕГОРИЯ],...]q Файл ..." 
-#: ../scripts/chcat:291 +#: ../scripts/chcat:296 #, c-format msgid "Usage %s -l [[+|-]CATEGORY],...]q user ..." msgstr "Использование %s -l [[+|-]КАТЕГОРИЯ],...]q пользоват\xD0\xB5ль ..." -#: ../scripts/chcat:292 +#: ../scripts/chcat:297 #, c-format msgid "Usage %s -d File ..." msgstr "Использование %s -d Файл ..." -#: ../scripts/chcat:293 +#: ../scripts/chcat:298 #, c-format msgid "Usage %s -l -d user ..." msgstr "Использование %s -l -d пользователь ..." -#: ../scripts/chcat:294 +#: ../scripts/chcat:299 #, c-format msgid "Usage %s -L" msgstr "Использование %s -L" -#: ../scripts/chcat:295 +#: ../scripts/chcat:300 #, c-format msgid "Usage %s -L -l user" msgstr "Использование %s -L -l пользователь" -#: ../scripts/chcat:296 +#: ../scripts/chcat:301 msgid "Use -- to end option list. For example" msgstr "Используйте -- чтобы указать завершение списка параметров. На пример" -#: ../scripts/chcat:297 +#: ../scripts/chcat:302 msgid "chcat -- -CompanyConfidential /docs/businessplan.odt" msgstr "chcat -- -CompanyConfidential /docs/businessplan.odt" -#: ../scripts/chcat:298 +#: ../scripts/chcat:303 msgid "chcat -l +CompanyConfidential juser" msgstr "chcat -l +CompanyConfidential juser" -#: ../semanage/semanage:122 +#: ../semanage/semanage:127 msgid "Requires 2 or more arguments" msgstr "Требуетсе 2 или более аргумента" -#: ../semanage/semanage:127 +#: ../semanage/semanage:132 #, c-format msgid "%s not defined" msgstr "%s не определен" -#: ../semanage/semanage:151 +#: ../semanage/semanage:156 #, fuzzy, c-format msgid "%s not valid for %s objects\n" msgstr "%s не является допустимой для объектов %s\n" -#: ../semanage/semanage:178 -#: ../semanage/semanage:186 +#: ../semanage/semanage:183 ../semanage/semanage:191 msgid "range not supported on Non MLS machines" msgstr "диапазоны не поддерживаются на машинах без MLS" -#: ../semanage/semanage:244 +#: ../semanage/semanage:249 msgid "You must specify a role" msgstr "Необходимо указать роль" -#: ../semanage/semanage:246 +#: 
../semanage/semanage:251 msgid "You must specify a prefix" msgstr "Необходимо указать префикс" -#: ../semanage/semanage:295 +#: ../semanage/semanage:300 #, c-format msgid "Options Error %s " msgstr "Ошибка параметров %s " -#: ../semanage/semanage:299 +#: ../semanage/semanage:304 #, c-format msgid "Invalid value %s" msgstr "Недопустимое значение %s" -#: ../semanage/seobject.py:124 +#: ../semanage/seobject.py:130 #, fuzzy msgid "translations not supported on non-MLS machines" msgstr "переводы не поддерживаются для машин без MLS" -#: ../semanage/seobject.py:131 +#: ../semanage/seobject.py:137 #, fuzzy, python-format msgid "Unable to open %s: translations not supported on non-MLS machines" msgstr "Невозможно открыть %s: переводы не поддерживаются на машинах без MLS" -#: ../semanage/seobject.py:171 -#: ../semanage/seobject.py:185 +#: ../semanage/seobject.py:177 ../semanage/seobject.py:191 #, fuzzy, python-format msgid "Translations can not contain spaces '%s' " msgstr "Переводы не могут включать пробелы '%s' " -#: ../semanage/seobject.py:174 +#: ../semanage/seobject.py:180 #, python-format msgid "Invalid Level '%s' " msgstr "Недопустимый уровень '%s' " -#: ../semanage/seobject.py:177 +#: ../semanage/seobject.py:183 #, fuzzy, python-format msgid "%s already defined in translations" msgstr "%s уже определен в переводе" -#: ../semanage/seobject.py:189 +#: ../semanage/seobject.py:195 #, fuzzy, python-format msgid "%s not defined in translations" msgstr "%s не определено в переводе" -#: ../semanage/seobject.py:209 +#: ../semanage/seobject.py:215 #, fuzzy msgid "SELinux policy is not managed or store cannot be accessed." msgstr "Политика SELinux не поддерживает управление или хранилище недоступно." -#: ../semanage/seobject.py:214 +#: ../semanage/seobject.py:220 msgid "Cannot read policy store." msgstr "Невозможно прочитать хранилище политики." 
-#: ../semanage/seobject.py:219 +#: ../semanage/seobject.py:225 #, fuzzy msgid "Could not establish semanage connection" msgstr "Невозможно установить semanage соединение" -#: ../semanage/seobject.py:238 -#: ../semanage/seobject.py:296 -#: ../semanage/seobject.py:343 -#: ../semanage/seobject.py:424 -#: ../semanage/seobject.py:493 -#: ../semanage/seobject.py:549 -#: ../semanage/seobject.py:1080 -#: ../semanage/seobject.py:1119 -#: ../semanage/seobject.py:1188 -#: ../semanage/seobject.py:1222 +#: ../semanage/seobject.py:244 ../semanage/seobject.py:302 +#: ../semanage/seobject.py:349 ../semanage/seobject.py:430 +#: ../semanage/seobject.py:501 ../semanage/seobject.py:559 +#: ../semanage/seobject.py:1090 ../semanage/seobject.py:1129 +#: ../semanage/seobject.py:1204 ../semanage/seobject.py:1238 #, python-format msgid "Could not create a key for %s" msgstr "Невозможно создать ключ для %s" -#: ../semanage/seobject.py:242 -#: ../semanage/seobject.py:300 -#: ../semanage/seobject.py:347 -#: ../semanage/seobject.py:353 +#: ../semanage/seobject.py:248 ../semanage/seobject.py:306 +#: ../semanage/seobject.py:353 ../semanage/seobject.py:359 #, python-format msgid "Could not check if login mapping for %s is defined" msgstr "Невозможно проверить, определено ли сопоставление входа для %s" -#: ../semanage/seobject.py:244 +#: ../semanage/seobject.py:250 #, python-format msgid "Login mapping for %s is already defined" msgstr "Сопоставление входа для %s уже определено" -#: ../semanage/seobject.py:248 +#: ../semanage/seobject.py:254 #, python-format msgid "Linux User %s does not exist" msgstr "Linux \xD0\xBFользователь %s не существует" -#: ../semanage/seobject.py:252 +#: ../semanage/seobject.py:258 #, python-format msgid "Could not create login mapping for %s" msgstr "Невозможно создать сопоставление входа для %s" -#: ../semanage/seobject.py:256 -#: ../semanage/seobject.py:438 +#: ../semanage/seobject.py:262 ../semanage/seobject.py:444 #, python-format msgid "Could not set name for %s" 
msgstr "Невозможно задать имя для %s" -#: ../semanage/seobject.py:261 -#: ../semanage/seobject.py:448 +#: ../semanage/seobject.py:267 ../semanage/seobject.py:454 #, python-format msgid "Could not set MLS range for %s" msgstr "Невозможно задать диапазон MLS для %s" -#: ../semanage/seobject.py:265 +#: ../semanage/seobject.py:271 #, python-format msgid "Could not set SELinux user for %s" msgstr "Невозможно задать пользователя SELinux для %s" -#: ../semanage/seobject.py:269 -#: ../semanage/seobject.py:321 -#: ../semanage/seobject.py:359 -#: ../semanage/seobject.py:463 -#: ../semanage/seobject.py:526 -#: ../semanage/seobject.py:565 -#: ../semanage/seobject.py:692 -#: ../semanage/seobject.py:734 -#: ../semanage/seobject.py:763 -#: ../semanage/seobject.py:890 -#: ../semanage/seobject.py:931 -#: ../semanage/seobject.py:963 -#: ../semanage/seobject.py:1060 -#: ../semanage/seobject.py:1103 -#: ../semanage/seobject.py:1135 -#: ../semanage/seobject.py:1206 -#: ../semanage/seobject.py:1238 +#: ../semanage/seobject.py:275 ../semanage/seobject.py:327 +#: ../semanage/seobject.py:365 ../semanage/seobject.py:470 +#: ../semanage/seobject.py:536 ../semanage/seobject.py:575 +#: ../semanage/seobject.py:702 ../semanage/seobject.py:744 +#: ../semanage/seobject.py:773 ../semanage/seobject.py:900 +#: ../semanage/seobject.py:941 ../semanage/seobject.py:973 +#: ../semanage/seobject.py:1070 ../semanage/seobject.py:1113 +#: ../semanage/seobject.py:1145 ../semanage/seobject.py:1222 +#: ../semanage/seobject.py:1254 msgid "Could not start semanage transaction" msgstr "Невозможно начать semanage транзакцию" -#: ../semanage/seobject.py:273 -#: ../semanage/seobject.py:277 +#: ../semanage/seobject.py:279 ../semanage/seobject.py:283 #, python-format msgid "Could not add login mapping for %s" msgstr "Невозможно добавить сопоставление входа для %s" -#: ../semanage/seobject.py:292 +#: ../semanage/seobject.py:298 msgid "Requires seuser or serange" msgstr "Необходим seuser или serange" -#: 
../semanage/seobject.py:302 -#: ../semanage/seobject.py:349 +#: ../semanage/seobject.py:308 ../semanage/seobject.py:355 #, python-format msgid "Login mapping for %s is not defined" msgstr "Сопоставление входа для %s не определено" -#: ../semanage/seobject.py:306 +#: ../semanage/seobject.py:312 #, python-format msgid "Could not query seuser for %s" msgstr "Невозможно запросить seuser д\xD0\xBBя %s" -#: ../semanage/seobject.py:325 -#: ../semanage/seobject.py:329 +#: ../semanage/seobject.py:331 ../semanage/seobject.py:335 #, python-format msgid "Could not modify login mapping for %s" msgstr "Невозможно изменить сопоставление входа для %s" -#: ../semanage/seobject.py:355 +#: ../semanage/seobject.py:361 #, python-format msgid "Login mapping for %s is defined in policy, cannot be deleted" -msgstr "Сопоставление входа для %s определено в политике и не может быть удалено" +msgstr "" +"Сопоставление входа для %s определено в политике и не может быть удалено" -#: ../semanage/seobject.py:364 -#: ../semanage/seobject.py:368 +#: ../semanage/seobject.py:370 ../semanage/seobject.py:374 #, python-format msgid "Could not delete login mapping for %s" msgstr "Невозможно удалить сопоставление входа для %s" -#: ../semanage/seobject.py:382 +#: ../semanage/seobject.py:388 msgid "Could not list login mappings" msgstr "Невозможно выполнить перечисление сопоставлений входа" -#: ../semanage/seobject.py:428 -#: ../semanage/seobject.py:497 -#: ../semanage/seobject.py:553 -#: ../semanage/seobject.py:559 +#: ../semanage/seobject.py:434 ../semanage/seobject.py:505 +#: ../semanage/seobject.py:563 ../semanage/seobject.py:569 #, python-format msgid "Could not check if SELinux user %s is defined" msgstr "Невозможно проверить, определен ли пользователь SELinux %s" -#: ../semanage/seobject.py:430 +#: ../semanage/seobject.py:436 #, python-format msgid "SELinux user %s is already defined" msgstr "SELinux пользователь %s уже определен" -#: ../semanage/seobject.py:434 +#: ../semanage/seobject.py:440 #, 
python-format msgid "Could not create SELinux user for %s" msgstr "Невозможно создать пользователя SELinux для %s" -#: ../semanage/seobject.py:443 +#: ../semanage/seobject.py:449 #, python-format msgid "Could not add role %s for %s" msgstr "Невозможно добавить роль %s для %s" -#: ../semanage/seobject.py:452 +#: ../semanage/seobject.py:458 #, python-format msgid "Could not set MLS level for %s" msgstr "Невозможно задать уровень MLS для %s" -#: ../semanage/seobject.py:456 +#: ../semanage/seobject.py:460 ../semanage/seobject.py:527 +#, fuzzy, python-format +msgid "Invalid prefix %s" +msgstr "Недопустимое значение %s" + +#: ../semanage/seobject.py:463 #, python-format msgid "Could not add prefix %s for %s" msgstr "Невозможно добавить префикс %s для %s" -#: ../semanage/seobject.py:459 +#: ../semanage/seobject.py:466 #, python-format msgid "Could not extract key for %s" msgstr "Невозможно извлечь ключ для %s" -#: ../semanage/seobject.py:467 -#: ../semanage/seobject.py:471 +#: ../semanage/seobject.py:474 ../semanage/seobject.py:478 #, python-format msgid "Could not add SELinux user %s" msgstr "Невозможно добавить пользователя SELinux %s" -#: ../semanage/seobject.py:487 +#: ../semanage/seobject.py:495 msgid "Requires prefix, roles, level or range" msgstr "Необходим префикс, роль, уровень или диапазон" -#: ../semanage/seobject.py:489 +#: ../semanage/seobject.py:497 msgid "Requires prefix or roles" msgstr "Необходим префикс или роль" -#: ../semanage/seobject.py:499 -#: ../semanage/seobject.py:555 +#: ../semanage/seobject.py:507 ../semanage/seobject.py:565 #, python-format msgid "SELinux user %s is not defined" msgstr "SELinux пользователь %s не определен" -#: ../semanage/seobject.py:503 +#: ../semanage/seobject.py:511 #, python-format msgid "Could not query user for %s" msgstr "Невозможно запросить пользователя %s" -#: ../semanage/seobject.py:530 -#: ../semanage/seobject.py:534 +#: ../semanage/seobject.py:540 ../semanage/seobject.py:544 #, python-format msgid "Could not 
modify SELinux user %s" msgstr "Невозможно изменить SELinux пользователя %s" -#: ../semanage/seobject.py:561 +#: ../semanage/seobject.py:571 #, python-format msgid "SELinux user %s is defined in policy, cannot be deleted" msgstr "SELinux пользователь %s определен в политике и не может быть удален" -#: ../semanage/seobject.py:569 -#: ../semanage/seobject.py:573 +#: ../semanage/seobject.py:579 ../semanage/seobject.py:583 #, python-format msgid "Could not delete SELinux user %s" msgstr "Невозможно удалить пользователя SELinux %s" -#: ../semanage/seobject.py:585 +#: ../semanage/seobject.py:595 msgid "Could not list SELinux users" msgstr "Невозможно выполнить перечисление п\xD0\xBEльзователей SELinux" -#: ../semanage/seobject.py:591 +#: ../semanage/seobject.py:601 #, python-format msgid "Could not list roles for user %s" msgstr "Невозможно выполнить перечисление ролей пользователя %s" -#: ../semanage/seobject.py:625 +#: ../semanage/seobject.py:635 msgid "Protocol udp or tcp is required" msgstr "Необходимо задание tcp или udp протокола" -#: ../semanage/seobject.py:627 +#: ../semanage/seobject.py:637 msgid "Port is required" msgstr "Необходимо значение порта" -#: ../semanage/seobject.py:638 +#: ../semanage/seobject.py:648 #, python-format msgid "Could not create a key for %s/%s" msgstr "Невозможно создать ключ для %s/%s" -#: ../semanage/seobject.py:649 +#: ../semanage/seobject.py:659 msgid "Type is required" msgstr "Требуется задание типа" -#: ../semanage/seobject.py:655 -#: ../semanage/seobject.py:717 -#: ../semanage/seobject.py:751 -#: ../semanage/seobject.py:757 +#: ../semanage/seobject.py:665 ../semanage/seobject.py:727 +#: ../semanage/seobject.py:761 ../semanage/seobject.py:767 #, python-format msgid "Could not check if port %s/%s is defined" msgstr "Невозможно проверить, определен ли порт %s/%s" -#: ../semanage/seobject.py:657 +#: ../semanage/seobject.py:667 #, python-format msgid "Port %s/%s already defined" msgstr "Порт %s/%s уже определен" -#: 
../semanage/seobject.py:661 +#: ../semanage/seobject.py:671 #, python-format msgid "Could not create port for %s/%s" msgstr "Невозможно создать порт для %s/%s" -#: ../semanage/seobject.py:667 +#: ../semanage/seobject.py:677 #, python-format msgid "Could not create context for %s/%s" msgstr "Невозможно создать контекст %s/%s" -#: ../semanage/seobject.py:671 +#: ../semanage/seobject.py:681 #, fuzzy, python-format msgid "Could not set user in port context for %s/%s" msgstr "Невозможно задать пользователя в контексте порта для %s" -#: ../semanage/seobject.py:675 +#: ../semanage/seobject.py:685 #, python-format msgid "Could not set role in port context for %s/%s" msgstr "Невозможно задать роль в контексте порта для %s/%s" -#: ../semanage/seobject.py:679 +#: ../semanage/seobject.py:689 #, python-format msgid "Could not set type in port context for %s/%s" msgstr "Невозможно задать тип в контексте порта для %s/%s" -#: ../semanage/seobject.py:684 +#: ../semanage/seobject.py:694 #, fuzzy, python-format msgid "Could not set mls fields in port context for %s/%s" msgstr "Невозможно задать поля mls в контексте порта для %s" -#: ../semanage/seobject.py:688 +#: ../semanage/seobject.py:698 #, python-format msgid "Could not set port context for %s/%s" msgstr "Невозможно задать контекст порта для %s/%s" -#: ../semanage/seobject.py:696 -#: ../semanage/seobject.py:700 +#: ../semanage/seobject.py:706 ../semanage/seobject.py:710 #, python-format msgid "Could not add port %s/%s" msgstr "Невозможно добавить порт %s/%s" -#: ../semanage/seobject.py:709 -#: ../semanage/seobject.py:906 +#: ../semanage/seobject.py:719 ../semanage/seobject.py:916 msgid "Requires setype or serange" msgstr "Необходим setype или serange" -#: ../semanage/seobject.py:711 +#: ../semanage/seobject.py:721 msgid "Requires setype" msgstr "Необходим setype" -#: ../semanage/seobject.py:719 -#: ../semanage/seobject.py:753 +#: ../semanage/seobject.py:729 ../semanage/seobject.py:763 #, python-format msgid "Port %s/%s is not 
defined" msgstr "Порт %s/%s не определен" -#: ../semanage/seobject.py:723 +#: ../semanage/seobject.py:733 #, python-format msgid "Could not query port %s/%s" msgstr "Невозможно запросить порт %s/%s" -#: ../semanage/seobject.py:738 -#: ../semanage/seobject.py:742 +#: ../semanage/seobject.py:748 ../semanage/seobject.py:752 #, python-format msgid "Could not modify port %s/%s" msgstr "Невозможно изменить порт %s/%s" -#: ../semanage/seobject.py:759 +#: ../semanage/seobject.py:769 #, python-format msgid "Port %s/%s is defined in policy, cannot be deleted" msgstr "Порт %s/%s определен в политике и не может быть удален" -#: ../semanage/seobject.py:767 -#: ../semanage/seobject.py:771 +#: ../semanage/seobject.py:777 ../semanage/seobject.py:781 #, fuzzy, python-format msgid "Could not delete port %s/%s" msgstr "Невозможно удалить порт %s" -#: ../semanage/seobject.py:779 -#: ../semanage/seobject.py:798 +#: ../semanage/seobject.py:789 ../semanage/seobject.py:808 msgid "Could not list ports" msgstr "Невозможно выполнить перечисление портов" -#: ../semanage/seobject.py:842 -#: ../semanage/seobject.py:1014 +#: ../semanage/seobject.py:852 ../semanage/seobject.py:1024 msgid "SELinux Type is required" msgstr "Требуется SELinux Type" -#: ../semanage/seobject.py:846 -#: ../semanage/seobject.py:910 -#: ../semanage/seobject.py:947 -#: ../semanage/seobject.py:1018 +#: ../semanage/seobject.py:856 ../semanage/seobject.py:920 +#: ../semanage/seobject.py:957 ../semanage/seobject.py:1028 #, python-format msgid "Could not create key for %s" msgstr "Невозможно создать ключ для %s" -#: ../semanage/seobject.py:850 -#: ../semanage/seobject.py:914 -#: ../semanage/seobject.py:951 -#: ../semanage/seobject.py:957 +#: ../semanage/seobject.py:860 ../semanage/seobject.py:924 +#: ../semanage/seobject.py:961 ../semanage/seobject.py:967 #, python-format msgid "Could not check if interface %s is defined" msgstr "Невозможно проверить, определен ли интерфейс %s" -#: ../semanage/seobject.py:852 +#: 
../semanage/seobject.py:862 #, python-format msgid "Interface %s already defined" msgstr "Интерфейс %s уже определен" -#: ../semanage/seobject.py:856 +#: ../semanage/seobject.py:866 #, python-format msgid "Could not create interface for %s" msgstr "Невозможно создать интерфес для %s" -#: ../semanage/seobject.py:861 -#: ../semanage/seobject.py:1033 +#: ../semanage/seobject.py:871 ../semanage/seobject.py:1043 #, python-format msgid "Could not create context for %s" msgstr "Невозможно создать контекст для %s" -#: ../semanage/seobject.py:865 +#: ../semanage/seobject.py:875 #, python-format msgid "Could not set user in interface context for %s" msgstr "Невозможно задать пользователя в контексте интерфейса для %s" -#: ../semanage/seobject.py:869 +#: ../semanage/seobject.py:879 #, python-format msgid "Could not set role in interface context for %s" msgstr "Невозможно задать роль в контексте интерфейса для %s" -#: ../semanage/seobject.py:873 +#: ../semanage/seobject.py:883 #, python-format msgid "Could not set type in interface context for %s" msgstr "Невозможно задать тип в контексте интерфейса для %s." 
-#: ../semanage/seobject.py:878 +#: ../semanage/seobject.py:888 #, python-format msgid "Could not set mls fields in interface context for %s" msgstr "Невозможно задать поля mls в контексте интерфейса для %s" -#: ../semanage/seobject.py:882 +#: ../semanage/seobject.py:892 #, python-format msgid "Could not set interface context for %s" msgstr "Невозможно задать контекст интерфейса для %s" -#: ../semanage/seobject.py:886 +#: ../semanage/seobject.py:896 #, python-format msgid "Could not set message context for %s" msgstr "Невозможно задать контекст сообщения для %s" -#: ../semanage/seobject.py:894 -#: ../semanage/seobject.py:898 +#: ../semanage/seobject.py:904 ../semanage/seobject.py:908 #, python-format msgid "Could not add interface %s" msgstr "Невозможно добавить интерфейс %s" -#: ../semanage/seobject.py:916 -#: ../semanage/seobject.py:953 +#: ../semanage/seobject.py:926 ../semanage/seobject.py:963 #, python-format msgid "Interface %s is not defined" msgstr "Интерфейс %s yt определен" -#: ../semanage/seobject.py:920 +#: ../semanage/seobject.py:930 #, python-format msgid "Could not query interface %s" msgstr "Невозможно запросить интерфейс %s" -#: ../semanage/seobject.py:935 -#: ../semanage/seobject.py:939 +#: ../semanage/seobject.py:945 ../semanage/seobject.py:949 #, python-format msgid "Could not modify interface %s" msgstr "Невозможно изменить интерфейс %s" -#: ../semanage/seobject.py:959 +#: ../semanage/seobject.py:969 #, python-format msgid "Interface %s is defined in policy, cannot be deleted" msgstr "Интерфейс %s определен в политике и не может быть удален" -#: ../semanage/seobject.py:967 -#: ../semanage/seobject.py:971 +#: ../semanage/seobject.py:977 ../semanage/seobject.py:981 #, python-format msgid "Could not delete interface %s" msgstr "Невозможно удалить интерфейс %s" -#: ../semanage/seobject.py:979 +#: ../semanage/seobject.py:989 msgid "Could not list interfaces" msgstr "Невозможно выполнить перечисление интерфейсов" -#: ../semanage/seobject.py:1022 -#: 
../semanage/seobject.py:1084 -#: ../semanage/seobject.py:1123 -#: ../semanage/seobject.py:1129 +#: ../semanage/seobject.py:1032 ../semanage/seobject.py:1094 +#: ../semanage/seobject.py:1133 ../semanage/seobject.py:1137 #, python-format msgid "Could not check if file context for %s is defined" msgstr "Невозможно проверить, определен ли контекст файла для %s" -#: ../semanage/seobject.py:1024 +#: ../semanage/seobject.py:1034 #, python-format msgid "File context for %s already defined" msgstr "Контекст файла для %s уже определен" -#: ../semanage/seobject.py:1028 +#: ../semanage/seobject.py:1038 #, python-format msgid "Could not create file context for %s" msgstr "Невозможно создать контекст файла для %s" -#: ../semanage/seobject.py:1037 +#: ../semanage/seobject.py:1047 #, python-format msgid "Could not set user in file context for %s" msgstr "Невозможно задать пользователя в контексте файла для %s" -#: ../semanage/seobject.py:1041 +#: ../semanage/seobject.py:1051 #, python-format msgid "Could not set role in file context for %s" msgstr "Невозможно задать роль в контексте файла для %s" -#: ../semanage/seobject.py:1045 +#: ../semanage/seobject.py:1055 #, python-format msgid "Could not set type in file context for %s" msgstr "Невозможно задать тип в контексте файла для %s" -#: ../semanage/seobject.py:1050 +#: ../semanage/seobject.py:1060 #, python-format msgid "Could not set mls fields in file context for %s" msgstr "Невозможно задать поля msl в контексте файла для %s" -#: ../semanage/seobject.py:1056 +#: ../semanage/seobject.py:1066 #, python-format msgid "Could not set file context for %s" msgstr "Невозможно задать контекст файла для %s" -#: ../semanage/seobject.py:1064 -#: ../semanage/seobject.py:1068 +#: ../semanage/seobject.py:1074 ../semanage/seobject.py:1078 #, python-format msgid "Could not add file context for %s" msgstr "Невозможно добавить контекст файла для %s" -#: ../semanage/seobject.py:1076 +#: ../semanage/seobject.py:1086 msgid "Requires setype, serange or 
seuser" msgstr "Необходим setyp, serange и\xD0\xBBи seuser" -#: ../semanage/seobject.py:1086 -#: ../semanage/seobject.py:1125 +#: ../semanage/seobject.py:1096 ../semanage/seobject.py:1141 #, python-format msgid "File context for %s is not defined" msgstr "Контекст файла для %s не определен" -#: ../semanage/seobject.py:1090 +#: ../semanage/seobject.py:1100 #, python-format msgid "Could not query file context for %s" msgstr "Невозможно запросить контекст файла для %s" -#: ../semanage/seobject.py:1107 -#: ../semanage/seobject.py:1111 +#: ../semanage/seobject.py:1117 ../semanage/seobject.py:1121 #, python-format msgid "Could not modify file context for %s" msgstr "Невозможно изменить контекст файла для %s" -#: ../semanage/seobject.py:1131 +#: ../semanage/seobject.py:1139 #, python-format msgid "File context for %s is defined in policy, cannot be deleted" msgstr "Контекст файла для %s определен в политике и не может быть удален" -#: ../semanage/seobject.py:1139 -#: ../semanage/seobject.py:1143 +#: ../semanage/seobject.py:1149 ../semanage/seobject.py:1153 #, python-format msgid "Could not delete file context for %s" msgstr "Невозможно удалить контекст файла для %s" -#: ../semanage/seobject.py:1151 +#: ../semanage/seobject.py:1161 msgid "Could not list file contexts" msgstr "Невозможно выполнить перечисление контекстов файлов" -#: ../semanage/seobject.py:1184 +#: ../semanage/seobject.py:1165 +#, fuzzy +msgid "Could not list local file contexts" +msgstr "Невозможно выполнить перечисление контекстов файлов" + +#: ../semanage/seobject.py:1200 msgid "Requires value" msgstr "Требуется значение" -#: ../semanage/seobject.py:1192 -#: ../semanage/seobject.py:1226 -#: ../semanage/seobject.py:1232 +#: ../semanage/seobject.py:1208 ../semanage/seobject.py:1242 +#: ../semanage/seobject.py:1248 #, python-format msgid "Could not check if boolean %s is defined" msgstr "Невозможно проверить, определен ли переключатель %s" -#: ../semanage/seobject.py:1194 -#: ../semanage/seobject.py:1228 
+#: ../semanage/seobject.py:1210 ../semanage/seobject.py:1244 #, python-format msgid "Boolean %s is not defined" msgstr "Переключатель %s не определен" -#: ../semanage/seobject.py:1198 +#: ../semanage/seobject.py:1214 #, python-format msgid "Could not query file context %s" msgstr "Невозможно запросить контекст файла %s" -#: ../semanage/seobject.py:1210 -#: ../semanage/seobject.py:1214 +#: ../semanage/seobject.py:1226 ../semanage/seobject.py:1230 #, python-format msgid "Could not modify boolean %s" msgstr "Невозможно изменить переключатель %s" -#: ../semanage/seobject.py:1234 +#: ../semanage/seobject.py:1250 #, python-format msgid "Boolean %s is defined in policy, cannot be deleted" msgstr "Переключатель %s не определен в политике и не может быть удален" -#: ../semanage/seobject.py:1242 -#: ../semanage/seobject.py:1246 +#: ../semanage/seobject.py:1258 ../semanage/seobject.py:1262 #, python-format msgid "Could not delete boolean %s" msgstr "Невозможно удалить переключатель %s" -#: ../semanage/seobject.py:1254 +#: ../semanage/seobject.py:1270 msgid "Could not list... [truncated message content] |
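Review bot: in the newrole.c entries, the new `msgid "Error allocating shell.\n"` (newrole.c:909) is merged in as fuzzy with `msgstr "Ошибка выделения памяти.\n"`, which is the translation of "Error allocating memory.\n" from a few entries earlier, so it needs a real translation before the fuzzy flag is removed. msgfmt skips fuzzy entries unless --use-fuzzy is given, so until then users see the English string rather than the wrong one. The same applies to "%s changed labels.\n", which is still marked fuzzy after this update.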
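Review bot: in the `@@ -275,740 +277,691 @@` hunk, two unchanged, non-fuzzy entries ship translations that misstate the error to the administrator and should be fixed while the file is being touched: `msgid "Boolean %s is defined in policy, cannot be deleted"` has a msgstr containing "не определен" (is not defined), which inverts the meaning, and `msgid "Interface %s is not defined"` has "yt" where "не" was intended. The newly added fuzzy entries "Invalid prefix %s" and "Could not list local file contexts" carry the msgstr of "Invalid value %s" and "Could not list file contexts" and need a translator pass. The fuzzy port entries whose msgid ends in "%s/%s" but whose msgstr ends in a single "%s" need the second conversion added before the fuzzy flag is dropped, since msgfmt -c checks python-format argument counts.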
From: <ssm...@us...> - 2006-11-21 21:12:55
|
Revision: 2099 http://svn.sourceforge.net/selinux/?rev=2099&view=rev Author: ssmalley Date: 2006-11-21 13:12:54 -0800 (Tue, 21 Nov 2006) Log Message: ----------- po file updates from Dan Walsh Modified Paths: -------------- trunk/policycoreutils/ChangeLog trunk/policycoreutils/VERSION trunk/policycoreutils/po/af.po trunk/policycoreutils/po/am.po trunk/policycoreutils/po/ar.po trunk/policycoreutils/po/be.po trunk/policycoreutils/po/bg.po trunk/policycoreutils/po/bn.po trunk/policycoreutils/po/bn_IN.po trunk/policycoreutils/po/ca.po trunk/policycoreutils/po/cs.po trunk/policycoreutils/po/cy.po trunk/policycoreutils/po/da.po trunk/policycoreutils/po/de.po trunk/policycoreutils/po/el.po trunk/policycoreutils/po/en_GB.po trunk/policycoreutils/po/es.po trunk/policycoreutils/po/et.po trunk/policycoreutils/po/eu_ES.po trunk/policycoreutils/po/fa.po trunk/policycoreutils/po/fi.po trunk/policycoreutils/po/fr.po trunk/policycoreutils/po/gl.po trunk/policycoreutils/po/gu.po trunk/policycoreutils/po/he.po trunk/policycoreutils/po/hi.po trunk/policycoreutils/po/hr.po trunk/policycoreutils/po/hu.po trunk/policycoreutils/po/hy.po trunk/policycoreutils/po/id.po trunk/policycoreutils/po/is.po trunk/policycoreutils/po/it.po trunk/policycoreutils/po/ja.po trunk/policycoreutils/po/ka.po trunk/policycoreutils/po/kn.po trunk/policycoreutils/po/ko.po trunk/policycoreutils/po/ku.po trunk/policycoreutils/po/lo.po trunk/policycoreutils/po/lt.po trunk/policycoreutils/po/lv.po trunk/policycoreutils/po/mk.po trunk/policycoreutils/po/ml.po trunk/policycoreutils/po/mr.po trunk/policycoreutils/po/ms.po trunk/policycoreutils/po/my.po trunk/policycoreutils/po/nb.po trunk/policycoreutils/po/nl.po trunk/policycoreutils/po/nn.po trunk/policycoreutils/po/no.po trunk/policycoreutils/po/nso.po trunk/policycoreutils/po/or.po trunk/policycoreutils/po/pa.po trunk/policycoreutils/po/pl.po trunk/policycoreutils/po/policycoreutils.pot trunk/policycoreutils/po/pt.po trunk/policycoreutils/po/pt_BR.po 
trunk/policycoreutils/po/ro.po trunk/policycoreutils/po/ru.po trunk/policycoreutils/po/si.po trunk/policycoreutils/po/sk.po trunk/policycoreutils/po/sl.po trunk/policycoreutils/po/sq.po trunk/policycoreutils/po/sr.po trunk/policycoreutils/po/sr@Latn.po trunk/policycoreutils/po/sv.po trunk/policycoreutils/po/ta.po trunk/policycoreutils/po/te.po trunk/policycoreutils/po/th.po trunk/policycoreutils/po/tr.po trunk/policycoreutils/po/uk.po trunk/policycoreutils/po/ur.po trunk/policycoreutils/po/vi.po trunk/policycoreutils/po/zh_CN.po trunk/policycoreutils/po/zh_TW.po trunk/policycoreutils/po/zu.po Modified: trunk/policycoreutils/ChangeLog =================================================================== --- trunk/policycoreutils/ChangeLog 2006-11-21 20:58:12 UTC (rev 2098) +++ trunk/policycoreutils/ChangeLog 2006-11-21 21:12:54 UTC (rev 2099) @@ -1,3 +1,6 @@ +1.33.4 2006-11-21 + * Merged po file updates from Dan Walsh. + 1.33.3 2006-11-21 * Merged setsebool patch from Karl MacMillan. This fixes a bug reported by Yuichi Nakamura with Modified: trunk/policycoreutils/VERSION =================================================================== --- trunk/policycoreutils/VERSION 2006-11-21 20:58:12 UTC (rev 2098) +++ trunk/policycoreutils/VERSION 2006-11-21 21:12:54 UTC (rev 2099) @@ -1 +1 @@ -1.33.3 +1.33.4 Modified: trunk/policycoreutils/po/af.po =================================================================== --- trunk/policycoreutils/po/af.po 2006-11-21 20:58:12 UTC (rev 2098) +++ trunk/policycoreutils/po/af.po 2006-11-21 21:12:54 UTC (rev 2099) @@ -8,7 +8,7 @@ msgstr "" "Project-Id-Version: PACKAGE VERSION\n" "Report-Msgid-Bugs-To: \n" -"POT-Creation-Date: 2006-06-29 15:53-0400\n" +"POT-Creation-Date: 2006-10-20 09:14-0400\n" "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n" "Language-Team: LANGUAGE <LL...@li...>\n" 
@@ -26,221 +26,226 @@ msgid "%s: Can't load policy: %s\n" msgstr "" -#: ../newrole/newrole.c:97 +#: ../newrole/newrole.c:98 #, c-format msgid "Out of memory!\n" msgstr "" -#: ../newrole/newrole.c:199 ../run_init/run_init.c:126 +#: ../newrole/newrole.c:200 ../run_init/run_init.c:126 #, c-format msgid "failed to initialize PAM\n" msgstr "" -#: ../newrole/newrole.c:210 +#: ../newrole/newrole.c:211 #, c-format msgid "failed to set PAM_TTY\n" msgstr "" -#: ../newrole/newrole.c:246 ../run_init/run_init.c:154 +#: ../newrole/newrole.c:247 ../run_init/run_init.c:154 msgid "Password:" msgstr "" -#: ../newrole/newrole.c:281 ../run_init/run_init.c:189 +#: ../newrole/newrole.c:282 ../run_init/run_init.c:189 #, c-format msgid "Cannot find your entry in the shadow passwd file.\n" msgstr "" -#: ../newrole/newrole.c:287 ../run_init/run_init.c:195 +#: ../newrole/newrole.c:288 ../run_init/run_init.c:195 #, c-format msgid "getpass cannot open /dev/tty\n" msgstr "" -#: ../newrole/newrole.c:354 +#: ../newrole/newrole.c:355 #, c-format msgid "Error initing capabilities, aborting.\n" msgstr "" -#: ../newrole/newrole.c:368 +#: ../newrole/newrole.c:369 #, c-format msgid "Error dropping capabilities, aborting\n" msgstr "" -#: ../newrole/newrole.c:375 +#: ../newrole/newrole.c:376 #, c-format msgid "Error changing uid, aborting.\n" msgstr "" -#: ../newrole/newrole.c:382 +#: ../newrole/newrole.c:383 #, c-format msgid "Error resetting KEEPCAPS, aborting\n" msgstr "" -#: ../newrole/newrole.c:390 +#: ../newrole/newrole.c:391 #, c-format msgid "Error dropping SETUID capability, aborting\n" msgstr "" -#: ../newrole/newrole.c:463 +#: ../newrole/newrole.c:410 #, c-format +msgid "Error connecting to audit system.\n" +msgstr "" + +#: ../newrole/newrole.c:416 +#, c-format +msgid "Error allocating memory.\n" +msgstr "" + +#: ../newrole/newrole.c:423 +#, c-format +msgid "Error sending audit message.\n" +msgstr "" + +#: ../newrole/newrole.c:511 +#, c-format msgid "Sorry, newrole may be used only on a 
SELinux kernel.\n" msgstr "" -#: ../newrole/newrole.c:468 +#: ../newrole/newrole.c:516 #, c-format msgid "Could not determine enforcing mode.\n" msgstr "" -#: ../newrole/newrole.c:488 +#: ../newrole/newrole.c:536 #, c-format msgid "Error: multiple roles specified\n" msgstr "" -#: ../newrole/newrole.c:498 +#: ../newrole/newrole.c:546 #, c-format msgid "Error: multiple types specified\n" msgstr "" -#: ../newrole/newrole.c:508 +#: ../newrole/newrole.c:556 #, c-format msgid "Sorry, -l may be used with SELinux MLS support.\n" msgstr "" -#: ../newrole/newrole.c:515 +#: ../newrole/newrole.c:563 #, c-format msgid "Error: multiple levels specified\n" msgstr "" -#: ../newrole/newrole.c:537 +#: ../newrole/newrole.c:585 #, c-format msgid "Couldn't get default type.\n" msgstr "" -#: ../newrole/newrole.c:559 +#: ../newrole/newrole.c:608 #, c-format msgid "failed to get old_context.\n" msgstr "" -#: ../newrole/newrole.c:572 +#: ../newrole/newrole.c:621 #, c-format msgid "failed to get new context.\n" msgstr "" -#: ../newrole/newrole.c:596 +#: ../newrole/newrole.c:645 #, c-format msgid "cannot find your entry in the passwd file.\n" msgstr "" -#: ../newrole/newrole.c:606 +#: ../newrole/newrole.c:655 #, c-format msgid "Error! Shell is not valid.\n" msgstr "" -#: ../newrole/newrole.c:614 +#: ../newrole/newrole.c:663 #, c-format msgid "Error! 
Could not retrieve tty information.\n" msgstr "" -#: ../newrole/newrole.c:618 +#: ../newrole/newrole.c:667 #, c-format msgid "Authenticating %s.\n" msgstr "" -#: ../newrole/newrole.c:632 +#: ../newrole/newrole.c:681 #, c-format msgid "newrole: incorrect password for %s\n" msgstr "" -#: ../newrole/newrole.c:657 +#: ../newrole/newrole.c:707 #, c-format msgid "failed to set new role %s\n" msgstr "" -#: ../newrole/newrole.c:671 +#: ../newrole/newrole.c:721 #, c-format msgid "failed to set new type %s\n" msgstr "" -#: ../newrole/newrole.c:688 +#: ../newrole/newrole.c:738 #, c-format msgid "failed to build new range with level %s\n" msgstr "" -#: ../newrole/newrole.c:693 +#: ../newrole/newrole.c:743 #, c-format msgid "failed to set new range %s\n" msgstr "" -#: ../newrole/newrole.c:708 +#: ../newrole/newrole.c:758 #, c-format msgid "failed to convert new context to string\n" msgstr "" -#: ../newrole/newrole.c:717 +#: ../newrole/newrole.c:766 #, c-format msgid "%s is not a valid context\n" msgstr "" -#: ../newrole/newrole.c:730 +#: ../newrole/newrole.c:780 #, c-format msgid "Error! Could not open %s.\n" msgstr "" -#: ../newrole/newrole.c:738 +#: ../newrole/newrole.c:788 #, c-format msgid "%s! Could not get current context for %s, not relabeling tty.\n" msgstr "" -#: ../newrole/newrole.c:757 +#: ../newrole/newrole.c:807 #, c-format msgid "%s! Could not get new context for %s, not relabeling tty.\n" msgstr "" -#: ../newrole/newrole.c:771 +#: ../newrole/newrole.c:821 #, c-format msgid "%s! Could not set new context for %s\n" msgstr "" -#: ../newrole/newrole.c:784 +#: ../newrole/newrole.c:834 #, c-format msgid "newrole: failure forking: %s" msgstr "" -#: ../newrole/newrole.c:789 +#: ../newrole/newrole.c:839 #, c-format msgid "Warning! 
Could not restore context for %s\n" msgstr "" -#: ../newrole/newrole.c:810 +#: ../newrole/newrole.c:860 #, c-format msgid "%s changed labels.\n" msgstr "" -#: ../newrole/newrole.c:834 +#: ../newrole/newrole.c:884 #, c-format msgid "Could not close descriptors.\n" msgstr "" -#: ../newrole/newrole.c:869 ../run_init/run_init.c:397 +#: ../newrole/newrole.c:909 #, c-format -msgid "Could not set exec context to %s.\n" +msgid "Error allocating shell.\n" msgstr "" -#: ../newrole/newrole.c:881 +#: ../newrole/newrole.c:922 ../run_init/run_init.c:397 #, c-format -msgid "Error connecting to audit system.\n" +msgid "Could not set exec context to %s.\n" msgstr "" -#: ../newrole/newrole.c:886 -#, c-format -msgid "Error allocating memory.\n" -msgstr "" - -#: ../newrole/newrole.c:892 -#, c-format -msgid "Error sending audit message.\n" -msgstr "" - -#: ../newrole/newrole.c:903 +#: ../newrole/newrole.c:932 msgid "failed to exec shell\n" msgstr "" 
@@ -276,674 +281,683 @@ msgid "authentication failed.\n" msgstr "" -#: ../scripts/chcat:70 ../scripts/chcat:140 +#: ../scripts/chcat:75 ../scripts/chcat:145 msgid "Requires at least one category" msgstr "" -#: ../scripts/chcat:84 ../scripts/chcat:154 +#: ../scripts/chcat:89 ../scripts/chcat:159 #, c-format msgid "Can not modify sensitivity levels using '+' on %s" msgstr "" -#: ../scripts/chcat:88 +#: ../scripts/chcat:93 #, c-format msgid "%s is already in %s" msgstr "" -#: ../scripts/chcat:159 ../scripts/chcat:169 +#: ../scripts/chcat:164 ../scripts/chcat:174 #, c-format msgid "%s is not in %s" msgstr "" -#: ../scripts/chcat:232 ../scripts/chcat:237 +#: ../scripts/chcat:237 ../scripts/chcat:242 msgid "Can not combine +/- with other types of categories" msgstr "" -#: ../scripts/chcat:282 +#: ../scripts/chcat:287 msgid "Can not have multiple sensitivities" msgstr "" -#: ../scripts/chcat:288 +#: ../scripts/chcat:293 #, c-format msgid "Usage %s CATEGORY File ..." msgstr "" -#: ../scripts/chcat:289 +#: ../scripts/chcat:294 #, c-format msgid "Usage %s -l CATEGORY user ..." msgstr "" -#: ../scripts/chcat:290 +#: ../scripts/chcat:295 #, c-format msgid "Usage %s [[+|-]CATEGORY],...]q File ..." msgstr "" -#: ../scripts/chcat:291 +#: ../scripts/chcat:296 #, c-format msgid "Usage %s -l [[+|-]CATEGORY],...]q user ..." msgstr "" -#: ../scripts/chcat:292 +#: ../scripts/chcat:297 #, c-format msgid "Usage %s -d File ..." msgstr "" -#: ../scripts/chcat:293 +#: ../scripts/chcat:298 #, c-format msgid "Usage %s -l -d user ..." msgstr "" -#: ../scripts/chcat:294 +#: ../scripts/chcat:299 #, c-format msgid "Usage %s -L" msgstr "" -#: ../scripts/chcat:295 +#: ../scripts/chcat:300 #, c-format msgid "Usage %s -L -l user" msgstr "" -#: ../scripts/chcat:296 +#: ../scripts/chcat:301 msgid "Use -- to end option list. 
For example" msgstr "" -#: ../scripts/chcat:297 +#: ../scripts/chcat:302 msgid "chcat -- -CompanyConfidential /docs/businessplan.odt" msgstr "" -#: ../scripts/chcat:298 +#: ../scripts/chcat:303 msgid "chcat -l +CompanyConfidential juser" msgstr "" -#: ../semanage/semanage:122 +#: ../semanage/semanage:127 msgid "Requires 2 or more arguments" msgstr "" -#: ../semanage/semanage:127 +#: ../semanage/semanage:132 #, c-format msgid "%s not defined" msgstr "" -#: ../semanage/semanage:151 +#: ../semanage/semanage:156 #, c-format msgid "%s not valid for %s objects\n" msgstr "" -#: ../semanage/semanage:178 ../semanage/semanage:186 +#: ../semanage/semanage:183 ../semanage/semanage:191 msgid "range not supported on Non MLS machines" msgstr "" -#: ../semanage/semanage:244 +#: ../semanage/semanage:249 msgid "You must specify a role" msgstr "" -#: ../semanage/semanage:246 +#: ../semanage/semanage:251 msgid "You must specify a prefix" msgstr "" -#: ../semanage/semanage:295 +#: ../semanage/semanage:300 #, c-format msgid "Options Error %s " msgstr "" -#: ../semanage/semanage:299 +#: ../semanage/semanage:304 #, c-format msgid "Invalid value %s" msgstr "" -#: ../semanage/seobject.py:124 +#: ../semanage/seobject.py:130 msgid "translations not supported on non-MLS machines" msgstr "" -#: ../semanage/seobject.py:131 +#: ../semanage/seobject.py:137 #, python-format msgid "Unable to open %s: translations not supported on non-MLS machines" msgstr "" -#: ../semanage/seobject.py:171 ../semanage/seobject.py:185 +#: ../semanage/seobject.py:177 ../semanage/seobject.py:191 #, python-format msgid "Translations can not contain spaces '%s' " msgstr "" -#: ../semanage/seobject.py:174 +#: ../semanage/seobject.py:180 #, python-format msgid "Invalid Level '%s' " msgstr "" -#: ../semanage/seobject.py:177 +#: ../semanage/seobject.py:183 #, python-format msgid "%s already defined in translations" msgstr "" -#: ../semanage/seobject.py:189 +#: ../semanage/seobject.py:195 #, python-format msgid "%s not defined 
in translations" msgstr "" -#: ../semanage/seobject.py:209 +#: ../semanage/seobject.py:215 msgid "SELinux policy is not managed or store cannot be accessed." msgstr "" -#: ../semanage/seobject.py:214 +#: ../semanage/seobject.py:220 msgid "Cannot read policy store." msgstr "" -#: ../semanage/seobject.py:219 +#: ../semanage/seobject.py:225 msgid "Could not establish semanage connection" msgstr "" -#: ../semanage/seobject.py:238 ../semanage/seobject.py:296 -#: ../semanage/seobject.py:343 ../semanage/seobject.py:424 -#: ../semanage/seobject.py:493 ../semanage/seobject.py:549 -#: ../semanage/seobject.py:1080 ../semanage/seobject.py:1119 -#: ../semanage/seobject.py:1188 ../semanage/seobject.py:1222 +#: ../semanage/seobject.py:244 ../semanage/seobject.py:302 +#: ../semanage/seobject.py:349 ../semanage/seobject.py:430 +#: ../semanage/seobject.py:501 ../semanage/seobject.py:559 +#: ../semanage/seobject.py:1090 ../semanage/seobject.py:1129 +#: ../semanage/seobject.py:1204 ../semanage/seobject.py:1238 #, python-format msgid "Could not create a key for %s" msgstr "" -#: ../semanage/seobject.py:242 ../semanage/seobject.py:300 -#: ../semanage/seobject.py:347 ../semanage/seobject.py:353 +#: ../semanage/seobject.py:248 ../semanage/seobject.py:306 +#: ../semanage/seobject.py:353 ../semanage/seobject.py:359 #, python-format msgid "Could not check if login mapping for %s is defined" msgstr "" -#: ../semanage/seobject.py:244 +#: ../semanage/seobject.py:250 #, python-format msgid "Login mapping for %s is already defined" msgstr "" -#: ../semanage/seobject.py:248 +#: ../semanage/seobject.py:254 #, python-format msgid "Linux User %s does not exist" msgstr "" -#: ../semanage/seobject.py:252 +#: ../semanage/seobject.py:258 #, python-format msgid "Could not create login mapping for %s" msgstr "" -#: ../semanage/seobject.py:256 ../semanage/seobject.py:438 +#: ../semanage/seobject.py:262 ../semanage/seobject.py:444 #, python-format msgid "Could not set name for %s" msgstr "" -#: 
../semanage/seobject.py:261 ../semanage/seobject.py:448 +#: ../semanage/seobject.py:267 ../semanage/seobject.py:454 #, python-format msgid "Could not set MLS range for %s" msgstr "" -#: ../semanage/seobject.py:265 +#: ../semanage/seobject.py:271 #, python-format msgid "Could not set SELinux user for %s" msgstr "" -#: ../semanage/seobject.py:269 ../semanage/seobject.py:321 -#: ../semanage/seobject.py:359 ../semanage/seobject.py:463 -#: ../semanage/seobject.py:526 ../semanage/seobject.py:565 -#: ../semanage/seobject.py:692 ../semanage/seobject.py:734 -#: ../semanage/seobject.py:763 ../semanage/seobject.py:890 -#: ../semanage/seobject.py:931 ../semanage/seobject.py:963 -#: ../semanage/seobject.py:1060 ../semanage/seobject.py:1103 -#: ../semanage/seobject.py:1135 ../semanage/seobject.py:1206 -#: ../semanage/seobject.py:1238 +#: ../semanage/seobject.py:275 ../semanage/seobject.py:327 +#: ../semanage/seobject.py:365 ../semanage/seobject.py:470 +#: ../semanage/seobject.py:536 ../semanage/seobject.py:575 +#: ../semanage/seobject.py:702 ../semanage/seobject.py:744 +#: ../semanage/seobject.py:773 ../semanage/seobject.py:900 +#: ../semanage/seobject.py:941 ../semanage/seobject.py:973 +#: ../semanage/seobject.py:1070 ../semanage/seobject.py:1113 +#: ../semanage/seobject.py:1145 ../semanage/seobject.py:1222 +#: ../semanage/seobject.py:1254 msgid "Could not start semanage transaction" msgstr "" -#: ../semanage/seobject.py:273 ../semanage/seobject.py:277 +#: ../semanage/seobject.py:279 ../semanage/seobject.py:283 #, python-format msgid "Could not add login mapping for %s" msgstr "" -#: ../semanage/seobject.py:292 +#: ../semanage/seobject.py:298 msgid "Requires seuser or serange" msgstr "" -#: ../semanage/seobject.py:302 ../semanage/seobject.py:349 +#: ../semanage/seobject.py:308 ../semanage/seobject.py:355 #, python-format msgid "Login mapping for %s is not defined" msgstr "" -#: ../semanage/seobject.py:306 +#: ../semanage/seobject.py:312 #, python-format msgid "Could not query 
seuser for %s" msgstr "" -#: ../semanage/seobject.py:325 ../semanage/seobject.py:329 +#: ../semanage/seobject.py:331 ../semanage/seobject.py:335 #, python-format msgid "Could not modify login mapping for %s" msgstr "" -#: ../semanage/seobject.py:355 +#: ../semanage/seobject.py:361 #, python-format msgid "Login mapping for %s is defined in policy, cannot be deleted" msgstr "" -#: ../semanage/seobject.py:364 ../semanage/seobject.py:368 +#: ../semanage/seobject.py:370 ../semanage/seobject.py:374 #, python-format msgid "Could not delete login mapping for %s" msgstr "" -#: ../semanage/seobject.py:382 +#: ../semanage/seobject.py:388 msgid "Could not list login mappings" msgstr "" -#: ../semanage/seobject.py:428 ../semanage/seobject.py:497 -#: ../semanage/seobject.py:553 ../semanage/seobject.py:559 +#: ../semanage/seobject.py:434 ../semanage/seobject.py:505 +#: ../semanage/seobject.py:563 ../semanage/seobject.py:569 #, python-format msgid "Could not check if SELinux user %s is defined" msgstr "" -#: ../semanage/seobject.py:430 +#: ../semanage/seobject.py:436 #, python-format msgid "SELinux user %s is already defined" msgstr "" -#: ../semanage/seobject.py:434 +#: ../semanage/seobject.py:440 #, python-format msgid "Could not create SELinux user for %s" msgstr "" -#: ../semanage/seobject.py:443 +#: ../semanage/seobject.py:449 #, python-format msgid "Could not add role %s for %s" msgstr "" -#: ../semanage/seobject.py:452 +#: ../semanage/seobject.py:458 #, python-format msgid "Could not set MLS level for %s" msgstr "" -#: ../semanage/seobject.py:456 +#: ../semanage/seobject.py:460 ../semanage/seobject.py:527 #, python-format +msgid "Invalid prefix %s" +msgstr "" + +#: ../semanage/seobject.py:463 +#, python-format msgid "Could not add prefix %s for %s" msgstr "" -#: ../semanage/seobject.py:459 +#: ../semanage/seobject.py:466 #, python-format msgid "Could not extract key for %s" msgstr "" -#: ../semanage/seobject.py:467 ../semanage/seobject.py:471 +#: ../semanage/seobject.py:474 
../semanage/seobject.py:478 #, python-format msgid "Could not add SELinux user %s" msgstr "" -#: ../semanage/seobject.py:487 +#: ../semanage/seobject.py:495 msgid "Requires prefix, roles, level or range" msgstr "" -#: ../semanage/seobject.py:489 +#: ../semanage/seobject.py:497 msgid "Requires prefix or roles" msgstr "" -#: ../semanage/seobject.py:499 ../semanage/seobject.py:555 +#: ../semanage/seobject.py:507 ../semanage/seobject.py:565 #, python-format msgid "SELinux user %s is not defined" msgstr "" -#: ../semanage/seobject.py:503 +#: ../semanage/seobject.py:511 #, python-format msgid "Could not query user for %s" msgstr "" -#: ../semanage/seobject.py:530 ../semanage/seobject.py:534 +#: ../semanage/seobject.py:540 ../semanage/seobject.py:544 #, python-format msgid "Could not modify SELinux user %s" msgstr "" -#: ../semanage/seobject.py:561 +#: ../semanage/seobject.py:571 #, python-format msgid "SELinux user %s is defined in policy, cannot be deleted" msgstr "" -#: ../semanage/seobject.py:569 ../semanage/seobject.py:573 +#: ../semanage/seobject.py:579 ../semanage/seobject.py:583 #, python-format msgid "Could not delete SELinux user %s" msgstr "" -#: ../semanage/seobject.py:585 +#: ../semanage/seobject.py:595 msgid "Could not list SELinux users" msgstr "" -#: ../semanage/seobject.py:591 +#: ../semanage/seobject.py:601 #, python-format msgid "Could not list roles for user %s" msgstr "" -#: ../semanage/seobject.py:625 +#: ../semanage/seobject.py:635 msgid "Protocol udp or tcp is required" msgstr "" -#: ../semanage/seobject.py:627 +#: ../semanage/seobject.py:637 msgid "Port is required" msgstr "" -#: ../semanage/seobject.py:638 +#: ../semanage/seobject.py:648 #, python-format msgid "Could not create a key for %s/%s" msgstr "" -#: ../semanage/seobject.py:649 +#: ../semanage/seobject.py:659 msgid "Type is required" msgstr "" -#: ../semanage/seobject.py:655 ../semanage/seobject.py:717 -#: ../semanage/seobject.py:751 ../semanage/seobject.py:757 +#: 
../semanage/seobject.py:665 ../semanage/seobject.py:727 +#: ../semanage/seobject.py:761 ../semanage/seobject.py:767 #, python-format msgid "Could not check if port %s/%s is defined" msgstr "" -#: ../semanage/seobject.py:657 +#: ../semanage/seobject.py:667 #, python-format msgid "Port %s/%s already defined" msgstr "" -#: ../semanage/seobject.py:661 +#: ../semanage/seobject.py:671 #, python-format msgid "Could not create port for %s/%s" msgstr "" -#: ../semanage/seobject.py:667 +#: ../semanage/seobject.py:677 #, python-format msgid "Could not create context for %s/%s" msgstr "" -#: ../semanage/seobject.py:671 +#: ../semanage/seobject.py:681 #, python-format msgid "Could not set user in port context for %s/%s" msgstr "" -#: ../semanage/seobject.py:675 +#: ../semanage/seobject.py:685 #, python-format msgid "Could not set role in port context for %s/%s" msgstr "" -#: ../semanage/seobject.py:679 +#: ../semanage/seobject.py:689 #, python-format msgid "Could not set type in port context for %s/%s" msgstr "" -#: ../semanage/seobject.py:684 +#: ../semanage/seobject.py:694 #, python-format msgid "Could not set mls fields in port context for %s/%s" msgstr "" -#: ../semanage/seobject.py:688 +#: ../semanage/seobject.py:698 #, python-format msgid "Could not set port context for %s/%s" msgstr "" -#: ../semanage/seobject.py:696 ../semanage/seobject.py:700 +#: ../semanage/seobject.py:706 ../semanage/seobject.py:710 #, python-format msgid "Could not add port %s/%s" msgstr "" -#: ../semanage/seobject.py:709 ../semanage/seobject.py:906 +#: ../semanage/seobject.py:719 ../semanage/seobject.py:916 msgid "Requires setype or serange" msgstr "" -#: ../semanage/seobject.py:711 +#: ../semanage/seobject.py:721 msgid "Requires setype" msgstr "" -#: ../semanage/seobject.py:719 ../semanage/seobject.py:753 +#: ../semanage/seobject.py:729 ../semanage/seobject.py:763 #, python-format msgid "Port %s/%s is not defined" msgstr "" -#: ../semanage/seobject.py:723 +#: ../semanage/seobject.py:733 #, 
python-format msgid "Could not query port %s/%s" msgstr "" -#: ../semanage/seobject.py:738 ../semanage/seobject.py:742 +#: ../semanage/seobject.py:748 ../semanage/seobject.py:752 #, python-format msgid "Could not modify port %s/%s" msgstr "" -#: ../semanage/seobject.py:759 +#: ../semanage/seobject.py:769 #, python-format msgid "Port %s/%s is defined in policy, cannot be deleted" msgstr "" -#: ../semanage/seobject.py:767 ../semanage/seobject.py:771 +#: ../semanage/seobject.py:777 ../semanage/seobject.py:781 #, python-format msgid "Could not delete port %s/%s" msgstr "" -#: ../semanage/seobject.py:779 ../semanage/seobject.py:798 +#: ../semanage/seobject.py:789 ../semanage/seobject.py:808 msgid "Could not list ports" msgstr "" -#: ../semanage/seobject.py:842 ../semanage/seobject.py:1014 +#: ../semanage/seobject.py:852 ../semanage/seobject.py:1024 msgid "SELinux Type is required" msgstr "" -#: ../semanage/seobject.py:846 ../semanage/seobject.py:910 -#: ../semanage/seobject.py:947 ../semanage/seobject.py:1018 +#: ../semanage/seobject.py:856 ../semanage/seobject.py:920 +#: ../semanage/seobject.py:957 ../semanage/seobject.py:1028 #, python-format msgid "Could not create key for %s" msgstr "" -#: ../semanage/seobject.py:850 ../semanage/seobject.py:914 -#: ../semanage/seobject.py:951 ../semanage/seobject.py:957 +#: ../semanage/seobject.py:860 ../semanage/seobject.py:924 +#: ../semanage/seobject.py:961 ../semanage/seobject.py:967 #, python-format msgid "Could not check if interface %s is defined" msgstr "" -#: ../semanage/seobject.py:852 +#: ../semanage/seobject.py:862 #, python-format msgid "Interface %s already defined" msgstr "" -#: ../semanage/seobject.py:856 +#: ../semanage/seobject.py:866 #, python-format msgid "Could not create interface for %s" msgstr "" -#: ../semanage/seobject.py:861 ../semanage/seobject.py:1033 +#: ../semanage/seobject.py:871 ../semanage/seobject.py:1043 #, python-format msgid "Could not create context for %s" msgstr "" -#: 
../semanage/seobject.py:865 +#: ../semanage/seobject.py:875 #, python-format msgid "Could not set user in interface context for %s" msgstr "" -#: ../semanage/seobject.py:869 +#: ../semanage/seobject.py:879 #, python-format msgid "Could not set role in interface context for %s" msgstr "" -#: ../semanage/seobject.py:873 +#: ../semanage/seobject.py:883 #, python-format msgid "Could not set type in interface context for %s" msgstr "" -#: ../semanage/seobject.py:878 +#: ../semanage/seobject.py:888 #, python-format msgid "Could not set mls fields in interface context for %s" msgstr "" -#: ../semanage/seobject.py:882 +#: ../semanage/seobject.py:892 #, python-format msgid "Could not set interface context for %s" msgstr "" -#: ../semanage/seobject.py:886 +#: ../semanage/seobject.py:896 #, python-format msgid "Could not set message context for %s" msgstr "" -#: ../semanage/seobject.py:894 ../semanage/seobject.py:898 +#: ../semanage/seobject.py:904 ../semanage/seobject.py:908 #, python-format msgid "Could not add interface %s" msgstr "" -#: ../semanage/seobject.py:916 ../semanage/seobject.py:953 +#: ../semanage/seobject.py:926 ../semanage/seobject.py:963 #, python-format msgid "Interface %s is not defined" msgstr "" -#: ../semanage/seobject.py:920 +#: ../semanage/seobject.py:930 #, python-format msgid "Could not query interface %s" msgstr "" -#: ../semanage/seobject.py:935 ../semanage/seobject.py:939 +#: ../semanage/seobject.py:945 ../semanage/seobject.py:949 #, python-format msgid "Could not modify interface %s" msgstr "" -#: ../semanage/seobject.py:959 +#: ../semanage/seobject.py:969 #, python-format msgid "Interface %s is defined in policy, cannot be deleted" msgstr "" -#: ../semanage/seobject.py:967 ../semanage/seobject.py:971 +#: ../semanage/seobject.py:977 ../semanage/seobject.py:981 #, python-format msgid "Could not delete interface %s" msgstr "" -#: ../semanage/seobject.py:979 +#: ../semanage/seobject.py:989 msgid "Could not list interfaces" msgstr "" -#: 
../semanage/seobject.py:1022 ../semanage/seobject.py:1084 -#: ../semanage/seobject.py:1123 ../semanage/seobject.py:1129 +#: ../semanage/seobject.py:1032 ../semanage/seobject.py:1094 +#: ../semanage/seobject.py:1133 ../semanage/seobject.py:1137 #, python-format msgid "Could not check if file context for %s is defined" msgstr "" -#: ../semanage/seobject.py:1024 +#: ../semanage/seobject.py:1034 #, python-format msgid "File context for %s already defined" msgstr "" -#: ../semanage/seobject.py:1028 +#: ../semanage/seobject.py:1038 #, python-format msgid "Could not create file context for %s" msgstr "" -#: ../semanage/seobject.py:1037 +#: ../semanage/seobject.py:1047 #, python-format msgid "Could not set user in file context for %s" msgstr "" -#: ../semanage/seobject.py:1041 +#: ../semanage/seobject.py:1051 #, python-format msgid "Could not set role in file context for %s" msgstr "" -#: ../semanage/seobject.py:1045 +#: ../semanage/seobject.py:1055 #, python-format msgid "Could not set type in file context for %s" msgstr "" -#: ../semanage/seobject.py:1050 +#: ../semanage/seobject.py:1060 #, python-format msgid "Could not set mls fields in file context for %s" msgstr "" -#: ../semanage/seobject.py:1056 +#: ../semanage/seobject.py:1066 #, python-format msgid "Could not set file context for %s" msgstr "" -#: ../semanage/seobject.py:1064 ../semanage/seobject.py:1068 +#: ../semanage/seobject.py:1074 ../semanage/seobject.py:1078 #, python-format msgid "Could not add file context for %s" msgstr "" -#: ../semanage/seobject.py:1076 +#: ../semanage/seobject.py:1086 msgid "Requires setype, serange or seuser" msgstr "" -#: ../semanage/seobject.py:1086 ../semanage/seobject.py:1125 +#: ../semanage/seobject.py:1096 ../semanage/seobject.py:1141 #, python-format msgid "File context for %s is not defined" msgstr "" -#: ../semanage/seobject.py:1090 +#: ../semanage/seobject.py:1100 #, python-format msgid "Could not query file context for %s" msgstr "" -#: ../semanage/seobject.py:1107 
../semanage/seobject.py:1111 +#: ../semanage/seobject.py:1117 ../semanage/seobject.py:1121 #, python-format msgid "Could not modify file context for %s" msgstr "" -#: ../semanage/seobject.py:1131 +#: ../semanage/seobject.py:1139 #, python-format msgid "File context for %s is defined in policy, cannot be deleted" msgstr "" -#: ../semanage/seobject.py:1139 ../semanage/seobject.py:1143 +#: ../semanage/seobject.py:1149 ../semanage/seobject.py:1153 #, python-format msgid "Could not delete file context for %s" msgstr "" -#: ../semanage/seobject.py:1151 +#: ../semanage/seobject.py:1161 msgid "Could not list file contexts" msgstr "" -#: ../semanage/seobject.py:1184 +#: ../semanage/seobject.py:1165 +msgid "Could not list local file contexts" +msgstr "" + +#: ../semanage/seobject.py:1200 msgid "Requires value" msgstr "" -#: ../semanage/seobject.py:1192 ../semanage/seobject.py:1226 -#: ../semanage/seobject.py:1232 +#: ../semanage/seobject.py:1208 ../semanage/seobject.py:1242 +#: ../semanage/seobject.py:1248 #, python-format msgid "Could not check if boolean %s is defined" msgstr "" -#: ../semanage/seobject.py:1194 ../semanage/seobject.py:1228 +#: ../semanage/seobject.py:1210 ../semanage/seobject.py:1244 #, python-format msgid "Boolean %s is not defined" msgstr "" -#: ../semanage/seobject.py:1198 +#: ../semanage/seobject.py:1214 #, python-format msgid "Could not query file context %s" msgstr "" -#: ../semanage/seobject.py:1210 ../semanage/seobject.py:1214 +#: ../semanage/seobject.py:1226 ../semanage/seobject.py:1230 #, python-format msgid "Could not modify boolean %s" msgstr "" -#: ../semanage/seobject.py:1234 +#: ../semanage/seobject.py:1250 #, python-format msgid "Boolean %s is defined in policy, cannot be deleted" msgstr "" -#: ../semanage/seobject.py:1242 ../semanage/seobject.py:1246 +#: ../semanage/seobject.py:1258 ../semanage/seobject.py:1262 #, python-format msgid "Could not delete boolean %s" msgstr "" -#: ../semanage/seobject.py:1254 +#: ../semanage/seobject.py:1270 
msgid "Could not list booleans" msgstr "" -#: ../audit2allow/audit2allow:179 +#: ../audit2allow/audit2allow:183 #, c-format msgid "Generating type enforcment file: %s.te" msgstr "" -#: ../audit2allow/audit2allow:184 +#: ../audit2allow/audit2allow:188 msgid "Compiling policy" msgstr "" -#: ../audit2allow/audit2allow:195 +#: ../audit2allow/audit2allow:199 msgid "" "\n" "******************** IMPORTANT ***********************\n" msgstr "" -#: ../audit2allow/audit2allow:196 +#: ../audit2allow/audit2allow:200 #, c-format msgid "" "In order to load this newly created policy package into the kernel,\n" @@ -953,7 +967,7 @@ "\n" msgstr "" -#: ../audit2allow/audit2allow:203 +#: ../audit2allow/audit2allow:207 #, c-format msgid "Options Error: %s " msgstr "" Modified: trunk/policycoreutils/po/am.po =================================================================== --- trunk/policycoreutils/po/am.po 2006-11-21 20:58:12 UTC (rev 2098) +++ trunk/policycoreutils/po/am.po 2006-11-21 21:12:54 UTC (rev 2099) @@ -8,7 +8,7 @@ msgstr "" "Project-Id-Version: PACKAGE VERSION\n" "Report-Msgid-Bugs-To: \n" -"POT-Creation-Date: 2006-06-29 15:53-0400\n" +"POT-Creation-Date: 2006-10-20 09:14-0400\n" "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n" "Language-Team: LANGUAGE <LL...@li...>\n" 
@@ -26,221 +26,226 @@ msgid "%s: Can't load policy: %s\n" msgstr "" -#: ../newrole/newrole.c:97 +#: ../newrole/newrole.c:98 #, c-format msgid "Out of memory!\n" msgstr "" -#: ../newrole/newrole.c:199 ../run_init/run_init.c:126 +#: ../newrole/newrole.c:200 ../run_init/run_init.c:126 #, c-format msgid "failed to initialize PAM\n" msgstr "" -#: ../newrole/newrole.c:210 +#: ../newrole/newrole.c:211 #, c-format msgid "failed to set PAM_TTY\n" msgstr "" -#: ../newrole/newrole.c:246 ../run_init/run_init.c:154 +#: ../newrole/newrole.c:247 ../run_init/run_init.c:154 msgid "Password:" msgstr "" -#: ../newrole/newrole.c:281 ../run_init/run_init.c:189 +#: ../newrole/newrole.c:282 ../run_init/run_init.c:189 #, c-format msgid "Cannot find your entry in the shadow passwd file.\n" msgstr "" -#: ../newrole/newrole.c:287 ../run_init/run_init.c:195 +#: ../newrole/newrole.c:288 ../run_init/run_init.c:195 #, c-format msgid "getpass cannot open /dev/tty\n" msgstr "" -#: ../newrole/newrole.c:354 +#: ../newrole/newrole.c:355 #, c-format msgid "Error initing capabilities, aborting.\n" msgstr "" -#: ../newrole/newrole.c:368 +#: ../newrole/newrole.c:369 #, c-format msgid "Error dropping capabilities, aborting\n" msgstr "" -#: ../newrole/newrole.c:375 +#: ../newrole/newrole.c:376 #, c-format msgid "Error changing uid, aborting.\n" msgstr "" -#: ../newrole/newrole.c:382 +#: ../newrole/newrole.c:383 #, c-format msgid "Error resetting KEEPCAPS, aborting\n" msgstr "" -#: ../newrole/newrole.c:390 +#: ../newrole/newrole.c:391 #, c-format msgid "Error dropping SETUID capability, aborting\n" msgstr "" -#: ../newrole/newrole.c:463 +#: ../newrole/newrole.c:410 #, c-format +msgid "Error connecting to audit system.\n" +msgstr "" + +#: ../newrole/newrole.c:416 +#, c-format +msgid "Error allocating memory.\n" +msgstr "" + +#: ../newrole/newrole.c:423 +#, c-format +msgid "Error sending audit message.\n" +msgstr "" + +#: ../newrole/newrole.c:511 +#, c-format msgid "Sorry, newrole may be used only on a 
SELinux kernel.\n" msgstr "" -#: ../newrole/newrole.c:468 +#: ../newrole/newrole.c:516 #, c-format msgid "Could not determine enforcing mode.\n" msgstr "" -#: ../newrole/newrole.c:488 +#: ../newrole/newrole.c:536 #, c-format msgid "Error: multiple roles specified\n" msgstr "" -#: ../newrole/newrole.c:498 +#: ../newrole/newrole.c:546 #, c-format msgid "Error: multiple types specified\n" msgstr "" -#: ../newrole/newrole.c:508 +#: ../newrole/newrole.c:556 #, c-format msgid "Sorry, -l may be used with SELinux MLS support.\n" msgstr "" -#: ../newrole/newrole.c:515 +#: ../newrole/newrole.c:563 #, c-format msgid "Error: multiple levels specified\n" msgstr "" -#: ../newrole/newrole.c:537 +#: ../newrole/newrole.c:585 #, c-format msgid "Couldn't get default type.\n" msgstr "" -#: ../newrole/newrole.c:559 +#: ../newrole/newrole.c:608 #, c-format msgid "failed to get old_context.\n" msgstr "" -#: ../newrole/newrole.c:572 +#: ../newrole/newrole.c:621 #, c-format msgid "failed to get new context.\n" msgstr "" -#: ../newrole/newrole.c:596 +#: ../newrole/newrole.c:645 #, c-format msgid "cannot find your entry in the passwd file.\n" msgstr "" -#: ../newrole/newrole.c:606 +#: ../newrole/newrole.c:655 #, c-format msgid "Error! Shell is not valid.\n" msgstr "" -#: ../newrole/newrole.c:614 +#: ../newrole/newrole.c:663 #, c-format msgid "Error! 
Could not retrieve tty information.\n" msgstr "" -#: ../newrole/newrole.c:618 +#: ../newrole/newrole.c:667 #, c-format msgid "Authenticating %s.\n" msgstr "" -#: ../newrole/newrole.c:632 +#: ../newrole/newrole.c:681 #, c-format msgid "newrole: incorrect password for %s\n" msgstr "" -#: ../newrole/newrole.c:657 +#: ../newrole/newrole.c:707 #, c-format msgid "failed to set new role %s\n" msgstr "" -#: ../newrole/newrole.c:671 +#: ../newrole/newrole.c:721 #, c-format msgid "failed to set new type %s\n" msgstr "" -#: ../newrole/newrole.c:688 +#: ../newrole/newrole.c:738 #, c-format msgid "failed to build new range with level %s\n" msgstr "" -#: ../newrole/newrole.c:693 +#: ../newrole/newrole.c:743 #, c-format msgid "failed to set new range %s\n" msgstr "" -#: ../newrole/newrole.c:708 +#: ../newrole/newrole.c:758 #, c-format msgid "failed to convert new context to string\n" msgstr "" -#: ../newrole/newrole.c:717 +#: ../newrole/newrole.c:766 #, c-format msgid "%s is not a valid context\n" msgstr "" -#: ../newrole/newrole.c:730 +#: ../newrole/newrole.c:780 #, c-format msgid "Error! Could not open %s.\n" msgstr "" -#: ../newrole/newrole.c:738 +#: ../newrole/newrole.c:788 #, c-format msgid "%s! Could not get current context for %s, not relabeling tty.\n" msgstr "" -#: ../newrole/newrole.c:757 +#: ../newrole/newrole.c:807 #, c-format msgid "%s! Could not get new context for %s, not relabeling tty.\n" msgstr "" -#: ../newrole/newrole.c:771 +#: ../newrole/newrole.c:821 #, c-format msgid "%s! Could not set new context for %s\n" msgstr "" -#: ../newrole/newrole.c:784 +#: ../newrole/newrole.c:834 #, c-format msgid "newrole: failure forking: %s" msgstr "" -#: ../newrole/newrole.c:789 +#: ../newrole/newrole.c:839 #, c-format msgid "Warning! 
Could not restore context for %s\n" msgstr "" -#: ../newrole/newrole.c:810 +#: ../newrole/newrole.c:860 #, c-format msgid "%s changed labels.\n" msgstr "" -#: ../newrole/newrole.c:834 +#: ../newrole/newrole.c:884 #, c-format msgid "Could not close descriptors.\n" msgstr "" -#: ../newrole/newrole.c:869 ../run_init/run_init.c:397 +#: ../newrole/newrole.c:909 #, c-format -msgid "Could not set exec context to %s.\n" +msgid "Error allocating shell.\n" msgstr "" -#: ../newrole/newrole.c:881 +#: ../newrole/newrole.c:922 ../run_init/run_init.c:397 #, c-format -msgid "Error connecting to audit system.\n" +msgid "Could not set exec context to %s.\n" msgstr "" -#: ../newrole/newrole.c:886 -#, c-format -msgid "Error allocating memory.\n" -msgstr "" - -#: ../newrole/newrole.c:892 -#, c-format -msgid "Error sending audit message.\n" -msgstr "" - -#: ../newrole/newrole.c:903 +#: ../newrole/newrole.c:932 msgid "failed to exec shell\n" msgstr "" 
@@ -276,674 +281,683 @@ msgid "authentication failed.\n" msgstr "" -#: ../scripts/chcat:70 ../scripts/chcat:140 +#: ../scripts/chcat:75 ../scripts/chcat:145 msgid "Requires at least one category" msgstr "" -#: ../scripts/chcat:84 ../scripts/chcat:154 +#: ../scripts/chcat:89 ../scripts/chcat:159 #, c-format msgid "Can not modify sensitivity levels using '+' on %s" msgstr "" -#: ../scripts/chcat:88 +#: ../scripts/chcat:93 #, c-format msgid "%s is already in %s" msgstr "" -#: ../scripts/chcat:159 ../scripts/chcat:169 +#: ../scripts/chcat:164 ../scripts/chcat:174 #, c-format msgid "%s is not in %s" msgstr "" -#: ../scripts/chcat:232 ../scripts/chcat:237 +#: ../scripts/chcat:237 ../scripts/chcat:242 msgid "Can not combine +/- with other types of categories" msgstr "" -#: ../scripts/chcat:282 +#: ../scripts/chcat:287 msgid "Can not have multiple sensitivities" msgstr "" -#: ../scripts/chcat:288 +#: ../scripts/chcat:293 #, c-format msgid "Usage %s CATEGORY File ..." msgstr "" -#: ../scripts/chcat:289 +#: ../scripts/chcat:294 #, c-format msgid "Usage %s -l CATEGORY user ..." msgstr "" -#: ../scripts/chcat:290 +#: ../scripts/chcat:295 #, c-format msgid "Usage %s [[+|-]CATEGORY],...]q File ..." msgstr "" -#: ../scripts/chcat:291 +#: ../scripts/chcat:296 #, c-format msgid "Usage %s -l [[+|-]CATEGORY],...]q user ..." msgstr "" -#: ../scripts/chcat:292 +#: ../scripts/chcat:297 #, c-format msgid "Usage %s -d File ..." msgstr "" -#: ../scripts/chcat:293 +#: ../scripts/chcat:298 #, c-format msgid "Usage %s -l -d user ..." msgstr "" -#: ../scripts/chcat:294 +#: ../scripts/chcat:299 #, c-format msgid "Usage %s -L" msgstr "" -#: ../scripts/chcat:295 +#: ../scripts/chcat:300 #, c-format msgid "Usage %s -L -l user" msgstr "" -#: ../scripts/chcat:296 +#: ../scripts/chcat:301 msgid "Use -- to end option list. 
For example" msgstr "" -#: ../scripts/chcat:297 +#: ../scripts/chcat:302 msgid "chcat -- -CompanyConfidential /docs/businessplan.odt" msgstr "" -#: ../scripts/chcat:298 +#: ../scripts/chcat:303 msgid "chcat -l +CompanyConfidential juser" msgstr "" -#: ../semanage/semanage:122 +#: ../semanage/semanage:127 msgid "Requires 2 or more arguments" msgstr "" -#: ../semanage/semanage:127 +#: ../semanage/semanage:132 #, c-format msgid "%s not defined" msgstr "" -#: ../semanage/semanage:151 +#: ../semanage/semanage:156 #, c-format msgid "%s not valid for %s objects\n" msgstr "" -#: ../semanage/semanage:178 ../semanage/semanage:186 +#: ../semanage/semanage:183 ../semanage/semanage:191 msgid "range not supported on Non MLS machines" msgstr "" -#: ../semanage/semanage:244 +#: ../semanage/semanage:249 msgid "You must specify a role" msgstr "" -#: ../semanage/semanage:246 +#: ../semanage/semanage:251 msgid "You must specify a prefix" msgstr "" -#: ../semanage/semanage:295 +#: ../semanage/semanage:300 #, c-format msgid "Options Error %s " msgstr "" -#: ../semanage/semanage:299 +#: ../semanage/semanage:304 #, c-format msgid "Invalid value %s" msgstr "" -#: ../semanage/seobject.py:124 +#: ../semanage/seobject.py:130 msgid "translations not supported on non-MLS machines" msgstr "" -#: ../semanage/seobject.py:131 +#: ../semanage/seobject.py:137 #, python-format msgid "Unable to open %s: translations not supported on non-MLS machines" msgstr "" -#: ../semanage/seobject.py:171 ../semanage/seobject.py:185 +#: ../semanage/seobject.py:177 ../semanage/seobject.py:191 #, python-format msgid "Translations can not contain spaces '%s' " msgstr "" -#: ../semanage/seobject.py:174 +#: ../semanage/seobject.py:180 #, python-format msgid "Invalid Level '%s' " msgstr "" -#: ../semanage/seobject.py:177 +#: ../semanage/seobject.py:183 #, python-format msgid "%s already defined in translations" msgstr "" -#: ../semanage/seobject.py:189 +#: ../semanage/seobject.py:195 #, python-format msgid "%s not defined 
in translations" msgstr "" -#: ../semanage/seobject.py:209 +#: ../semanage/seobject.py:215 msgid "SELinux policy is not managed or store cannot be accessed." msgstr "" -#: ../semanage/seobject.py:214 +#: ../semanage/seobject.py:220 msgid "Cannot read policy store." msgstr "" -#: ../semanage/seobject.py:219 +#: ../semanage/seobject.py:225 msgid "Could not establish semanage connection" msgstr "" -#: ../semanage/seobject.py:238 ../semanage/seobject.py:296 -#: ../semanage/seobject.py:343 ../semanage/seobject.py:424 -#: ../semanage/seobject.py:493 ../semanage/seobject.py:549 -#: ../semanage/seobject.py:1080 ../semanage/seobject.py:1119 -#: ../semanage/seobject.py:1188 ../semanage/seobject.py:1222 +#: ../semanage/seobject.py:244 ../semanage/seobject.py:302 +#: ../semanage/seobject.py:349 ../semanage/seobject.py:430 +#: ../semanage/seobject.py:501 ../semanage/seobject.py:559 +#: ../semanage/seobject.py:1090 ../semanage/seobject.py:1129 +#: ../semanage/seobject.py:1204 ../semanage/seobject.py:1238 #, python-format msgid "Could not create a key for %s" msgstr "" -#: ../semanage/seobject.py:242 ../semanage/seobject.py:300 -#: ../semanage/seobject.py:347 ../semanage/seobject.py:353 +#: ../semanage/seobject.py:248 ../semanage/seobject.py:306 +#: ../semanage/seobject.py:353 ../semanage/seobject.py:359 #, python-format msgid "Could not check if login mapping for %s is defined" msgstr "" -#: ../semanage/seobject.py:244 +#: ../semanage/seobject.py:250 #, python-format msgid "Login mapping for %s is already defined" msgstr "" -#: ../semanage/seobject.py:248 +#: ../semanage/seobject.py:254 #, python-format msgid "Linux User %s does not exist" msgstr "" -#: ../semanage/seobject.py:252 +#: ../semanage/seobject.py:258 #, python-format msgid "Could not create login mapping for %s" msgstr "" -#: ../semanage/seobject.py:256 ../semanage/seobject.py:438 +#: ../semanage/seobject.py:262 ../semanage/seobject.py:444 #, python-format msgid "Could not set name for %s" msgstr "" -#: 
../semanage/seobject.py:261 ../semanage/seobject.py:448 +#: ../semanage/seobject.py:267 ../semanage/seobject.py:454 #, python-format msgid "Could not set MLS range for %s" msgstr "" -#: ../semanage/seobject.py:265 +#: ../semanage/seobject.py:271 #, python-format msgid "Could not set SELinux user for %s" msgstr "" -#: ../semanage/seobject.py:269 ../semanage/seobject.py:321 -#: ../semanage/seobject.py:359 ../semanage/seobject.py:463 -#: ../semanage/seobject.py:526 ../semanage/seobject.py:565 -#: ../semanage/seobject.py:692 ../semanage/seobject.py:734 -#: ../semanage/seobject.py:763 ../semanage/seobject.py:890 -#: ../semanage/seobject.py:931 ../semanage/seobject.py:963 -#: ../semanage/seobject.py:1060 ../semanage/seobject.py:1103 -#: ../semanage/seobject.py:1135 ../semanage/seobject.py:1206 -#: ../semanage/seobject.py:1238 +#: ../semanage/seobject.py:275 ../semanage/seobject.py:327 +#: ../semanage/seobject.py:365 ../semanage/seobject.py:470 +#: ../semanage/seobject.py:536 ../semanage/seobject.py:575 +#: ../semanage/seobject.py:702 ../semanage/seobject.py:744 +#: ../semanage/seobject.py:773 ../semanage/seobject.py:900 +#: ../semanage/seobject.py:941 ../semanage/seobject.py:973 +#: ../semanage/seobject.py:1070 ../semanage/seobject.py:1113 +#: ../semanage/seobject.py:1145 ../semanage/seobject.py:1222 +#: ../semanage/seobject.py:1254 msgid "Could not start semanage transaction" msgstr "" -#: ../semanage/seobject.py:273 ../semanage/seobject.py:277 +#: ../semanage/seobject.py:279 ../semanage/seobject.py:283 #, python-format msgid "Could not add login mapping for %s" msgstr "" -#: ../semanage/seobject.py:292 +#: ../semanage/seobject.py:298 msgid "Requires seuser or serange" msgstr "" -#: ../semanage/seobject.py:302 ../semanage/seobject.py:349 +#: ../semanage/seobject.py:308 ../semanage/seobject.py:355 #, python-format msgid "Login mapping for %s is not defined" msgstr "" -#: ../semanage/seobject.py:306 +#: ../semanage/seobject.py:312 #, python-format msgid "Could not query 
seuser for %s" msgstr "" -#: ../semanage/seobject.py:325 ../semanage/seobject.py:329 +#: ../semanage/seobject.py:331 ../semanage/seobject.py:335 #, python-format msgid "Could not modify login mapping for %s" msgstr "" -#: ../semanage/seobject.py:355 +#: ../semanage/seobject.py:361 #, python-format msgid "Login mapping for %s is defined in policy, cannot be deleted" msgstr "" -#: ../semanage/seobject.py:364 ../semanage/seobject.py:368 +#: ../semanage/seobject.py:370 ../semanage/seobject.py:374 #, python-format msgid "Could not delete login mapping for %s" msgstr "" -#: ../semanage/seobject.py:382 +#: ../semanage/seobject.py:388 msgid "Could not list login mappings" msgstr "" -#: ../semanage/seobject.py:428 ../semanage/seobject.py:497 -#: ../semanage/seobject.py:553 ../semanage/seobject.py:559 +#: ../semanage/seobject.py:434 ../semanage/seobject.py:505 +#: ../semanage/seobject.py:563 ../semanage/seobject.py:569 #, python-format msgid "Could not check if SELinux user %s is defined" msgstr "" -#: ../semanage/seobject.py:430 +#: ../semanage/seobject.py:436 #, python-format msgid "SELinux user %s is already defined" msgstr "" -#: ../semanage/seobject.py:434 +#: ../semanage/seobject.py:440 #, python-format msgid "Could not create SELinux user for %s" msgstr "" -#: ../semanage/seobject.py:443 +#: ../semanage/seobject.py:449 #, python-format msgid "Could not add role %s for %s" msgstr "" -#: ../semanage/seobject.py:452 +#: ../semanage/seobject.py:458 #, python-format msgid "Could not set MLS level for %s" msgstr "" -#: ../semanage/seobject.py:456 +#: ../semanage/seobject.py:460 ../semanage/seobject.py:527 #, python-format +msgid "Invalid prefix %s" +msgstr "" + +#: ../semanage/seobject.py:463 +#, python-format msgid "Could not add prefix %s for %s" msgstr "" -#: ../semanage/seobject.py:459 +#: ../semanage/seobject.py:466 #, python-format msgid "Could not extract key for %s" msgstr "" -#: ../semanage/seobject.py:467 ../semanage/seobject.py:471 +#: ../semanage/seobject.py:474 
../semanage/seobject.py:478 #, python-format msgid "Could not add SELinux user %s" msgstr "" -#: ../semanage/seobject.py:487 +#: ../semanage/seobject.py:495 msgid "Requires prefix, roles, level or range" msgstr "" -#: ../semanage/seobject.py:489 +#: ../semanage/seobject.py:497 msgid "Requires prefix or roles" msgstr "" -#: ../semanage/seobject.py:499 ../semanage/seobject.py:555 +#: ../semanage/seobject.py:507 ../semanage/seobject.py:565 #, python-format msgid "SELinux user %s is not defined" msgstr "" -#: ../semanage/seobject.py:503 +#: ../semanage/seobject.py:511 #, python-format msgid "Could not query user for %s" msgstr "" -#: ../semanage/seobject.py:530 ../semanage/seobject.py:534 +#: ../semanage/seobject.py:540 ../semanage/seobject.py:544 #, python-format msgid "Could not modify SELinux user %s" msgstr "" -#: ../semanage/seobject.py:561 +#: ../semanage/seobject.py:571 #, python-format msgid "SELinux user %s is defined in policy, cannot be deleted" msgstr "" -#: ../semanage/seobject.py:569 ../semanage/seobject.py:573 +#: ../semanage/seobject.py:579 ../semanage/seobject.py:583 #, python-format msgid "Could not delete SELinux user %s" msgstr "" -#: ../semanage/seobject.py:585 +#: ../semanage/seobject.py:595 msgid "Could not list SELinux users" msgstr "" -#: ../semanage/seobject.py:591 +#: ../semanage/seobject.py:601 #, python-format msgid "Could not list roles for user %s" msgstr "" -#: ../semanage/seobject.py:625 +#: ../semanage/seobject.py:635 msgid "Protocol udp or tcp is required" msgstr "" -#: ../semanage/seobject.py:627 +#: ../semanage/seobject.py:637 msgid "Port is required" msgstr "" -#: ../semanage/seobject.py:638 +#: ../semanage/seobject.py:648 #, python-format msgid "Could not create a key for %s/%s" msgstr "" -#: ../semanage/seobject.py:649 +#: ../semanage/seobject.py:659 msgid "Type is required" msgstr "" -#: ../semanage/seobject.py:655 ../semanage/seobject.py:717 -#: ../semanage/seobject.py:751 ../semanage/seobject.py:757 +#: 
../semanage/seobject.py:665 ../semanage/seobject.py:727 +#: ../semanage/seobject.py:761 ../semanage/seobject.py:767 #, python-format msgid "Could not check if port %s/%s is defined" msgstr "" -#: ../semanage/seobject.py:657 +#: ../semanage/seobject.py:667 #, python-format msgid "Port %s/%s already defined" msgstr "" -#: ../semanage/seobject.py:661 +#: ../semanage/seobject.py:671 #, python-format msgid "Could not create port for %s/%s" msgstr "" -#: ../semanage/seobject.py:667 +#: ../semanage/seobject.py:677 #, python-format msgid "Could not create context for %s/%s" msgstr "" -#: ../semanage/seobject.py:671 +#: ../semanage/seobject.py:681 #, python-format msgid "Could not set user in port context for %s/%s" msgstr "" -#: ../semanage/seobject.py:675 +#: ../semanage/seobject.py:685 #, python-format msgid "Could not set role in port context for %s/%s" msgstr "" -#: ../semanage/seobject.py:679 +#: ../semanage/seobject.py:689 #, python-format msgid "Could not set type in port context for %s/%s" msgstr "" -#: ../semanage/seobject.py:684 +#: ../semanage/seobject.py:694 #, python-format msgid "Could not set mls fields in port context for %s/%s" msgstr "" -#: ../semanage/seobject.py:688 +#: ../semanage/seobject.py:698 #, python-format msgid "Could not set port context for %s/%s" msgstr "" -#: ../semanage/seobject.py:696 ../semanage/seobject.py:700 +#: ../semanage/seobject.py:706 ../semanage/seobject.py:710 #, python-format msgid "Could not add port %s/%s" msgstr "" -#: ../semanage/seobject.py:709 ../semanage/seobject.py:906 +#: ../semanage/seobject.py:719 ../semanage/seobject.py:916 msgid "Requires setype or serange" msgstr "" -#: ../semanage/seobject.py:711 +#: ../semanage/seobject.py:721 msgid "Requires setype" msgstr "" -#: ../semanage/seobject.py:719 ../semanage/seobject.py:753 +#: ../semanage/seobject.py:729 ../semanage/seobject.py:763 #, python-format msgid "Port %s/%s is not defined" msgstr "" -#: ../semanage/seobject.py:723 +#: ../semanage/seobject.py:733 #, 
python-format msgid "Could not query port %s/%s" msgstr "" -#: ../semanage/seobject.py:738 ../semanage/seobject.py:742 +#: ../semanage/seobject.py:748 ../semanage/seobject.py:752 #, python-format msgid "Could not modify port %s/%s" msgstr "" -#: ../semanage/seobject.py:759 +#: ../semanage/seobject.py:769 #, python-format msgid "Port %s/%s is defined in policy, cannot be deleted" msgstr "" -#: ../semanage/seobject.py:767 ../semanage/seobject.py:771 +#: ../semanage/seobject.py:777 ../semanage/seobject.py:781 #, python-format msgid "Could not delete port %s/%s" msgstr "" -#: ../semanage/seobject.py:779 ../semanage/seobject.py:798 +#: ../semanage/seobject.py:789 ../semanage/seobject.py:808 msgid "Could not list ports" msgstr "" -#: ../semanage/seobject.py:842 ../semanage/seobject.py:1014 +#: ../semanage/seobject.py:852 ../semanage/seobject.py:1024 msgid "SELinux Type is required" msgstr "" -#: ../semanage/seobject.py:846 ../semanage/seobject.py:910 -#: ../semanage/seobject.py:947 ../semanage/seobject.py:1018 +#: ../semanage/seobject.py:856 ../semanage/seobject.py:920 +#: ../semanage/seobject.py:957 ../semanage/seobject.py:1028 #, python-format msgid "Could not create key for %s" msgstr "" -#: ../semanage/seobject.py:850 ../semanage/seobject.py:914 -#: ../semanage/seobject.py:951 ../semanage/seobject.py:957 +#: ../semanage/seobject.py:860 ../semanage/seobject.py:924 +#: ../semanage/seobject.py:961 ../semanage/seobject.py:967 #, python-format msgid "Could not check if interface %s is defined" msgstr "" -#: ../semanage/seobject.py:852 +#: ../semanage/seobject.py:862 #, python-format msgid "Interface %s already defined" msgstr "" -#: ../semanage/seobject.py:856 +#: ../semanage/seobject.py:866 #, python-format msgid "Could not create interface for %s" msgstr "" -#: ../semanage/seobject.py:861 ../semanage/seobject.py:1033 +#: ../semanage/seobject.py:871 ../semanage/seobject.py:1043 #, python-format msgid "Could not create context for %s" msgstr "" -#: 
../semanage/seobject.py:865 +#: ../semanage/seobject.py:875 #, python-format msgid "Could not set user in interface context for %s" msgstr "" -#: ../semanage/seobject.py:869 +#: ../semanage/seobject.py:879 #, python-format msgid "Could not set role in interface context for %s" msgstr "" -#: ../semanage/seobject.py:873 +#: ../semanage/seobject.py:883 #, python-format msgid "Could not set type in interface context for %s" msgstr "" -#: ../semanage/seobject.py:878 +#: ../semanage/seobject.py:888 #, python-format msgid "Could not set mls fields in interface context for %s" msgstr "" -#: ../semanage/seobject.py:882 +#: ../semanage/seobject.py:892 #, python-format msgid "Could not set interface context for %s" msgstr "" -#: ../semanage/seobject.py:886 +#: ../semanage/seobject.py:896 #, python-format msgid "Could not set message context for %s" msgstr "" -#: ../semanage/seobject.py:894 ../semanage/seobject.py:898 +#: ../semanage/seobject.py:904 ../semanage/seobject.py:908 #, python-format msgid "Could not add interface %s" msgstr "" -#: ../semanage/seobject.py:916 ../semanage/seobject.py:953 +#: ../semanage/seobject.py:926 ../semanage/seobject.py:963 #, python-format msgid "Interface %s is not defined" msgstr "" -#: ../semanage/seobject.py:920 +#: ../semanage/seobject.py:930 #, python-format msgid "Could not query interface %s" msgstr "" -#: ../semanage/seobject.py:935 ../semanage/seobject.py:939 +#: ../semanage/seobject.py:945 ../semanage/seobject.py:949 #, python-format msgid "Could not modify interface %s" msgstr "" -#: ../semanage/seobject.py:959 +#: ../semanage/seobject.py:969 #, python-format msgid "Interface %s is defined in policy, cannot be deleted" msgstr "" -#: ../semanage/seobject.py:967 ../semanage/seobject.py:971 +#: ../semanage/seobject.py:977 ../semanage/seobject.py:981 #, python-format msgid "Could not delete interface %s" msgstr "" -#: ../semanage/seobject.py:979 +#: ../semanage/seobject.py:989 msgid "Could not list interfaces" msgstr "" -#: 
../semanage/seobject.py:1022 ../semanage/seobject.py:1084 -#: ../semanage/seobject.py:1123 ../semanage/seobject.py:1129 +#: ../semanage/seobject.py:1032 ../semanage/seobject.py:1094 +#: ../semanage/seobject.py:1133 ../semanage/seobject.py:1137 #, python-format msgid "Could not check if file context for %s is defined" msgstr "" -#: ../semanage/seobject.py:1024 +#: ../semanage/seobject.py:1034 #, python-format msgid "File context for %s already defined" msgstr "" -#: ../semanage/seobject.py:1028 +#: ../semanage/seobject.py:1038 #, python-format msgid "Could not create file context for %s" msgstr "" -#: ../semanage/seobject.py:1037 +#: ../semanage/seobject.py:1047 #, python-format msgid "Could not set user in file context for %s" msgstr "" -#: ../semanage/seobject.py:1041 +#: ../semanage/seobject.py:1051 #, python-format msgid "Could not set role in file context for %s" msgstr "" -#: ../semanage/seobject.py:1045 +#: ../semanage/seobject.py:1055 #, python-format msgid "Could not set type in file context for %s" msgstr "" -#: ../semanage/seobject.py:1050 +#: ../semanage/seobject.py:1060 #, python-format msgid "Could not set mls fields in file context for %s" msgstr "" -#: ../semanage/seobject.py:1056 +#: ../semanage/seobject.py:1066 #, python-format msgid "Could not set file context for %s" msgstr "" -#: ../semanage/seobject.py:1064 ../semanage/seobject.py:1068 +#: ../semanage/seobject.py:1074 ../semanage/seobject.py:1078 #, python-format msgid "Could not add file context for %s" msgstr "" -#: ../semanage/seobject.py:1076 +#: ../semanage/seobject.py:1086 msgid "Requires setype, serange or seuser" msgstr "" -#: ../semanage/seobject.py:1086 ../semanage/seobject.py:1125 +#: ../semanage/seobject.py:1096 ../semanage/seobject.py:1141 #, python-format msgid "File context for %s is not defined" msgstr "" -#: ../semanage/seobject.py:1090 +#: ../semanage/seobject.py:1100 #, python-format msgid "Could not query file context for %s" msgstr "" -#: ../semanage/... 
[truncated message content] |
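Review bot: most of this catalog diff is source line-reference churn, but the unchanged context lines show msgids that should be corrected at the source before more translations are built on them. "Generating type enforcment file: %s.te" (../audit2allow/audit2allow) misspells "enforcement", and the chcat usage strings "Usage %s [[+|-]CATEGORY],...]q File ..." and "Usage %s -l [[+|-]CATEGORY],...]q user ..." (../scripts/chcat) carry what looks like a stray "q" and unbalanced brackets. Fix the strings in audit2allow and scripts/chcat and regenerate the catalogs, rather than editing the .po files by hand.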
From: <ssm...@us...> - 2006-11-21 20:58:14
|
Revision: 2098 http://svn.sourceforge.net/selinux/?rev=2098&view=rev Author: ssmalley Date: 2006-11-21 12:58:12 -0800 (Tue, 21 Nov 2006) Log Message: ----------- Tag for policycoreutils 1.33.3 Added Paths: ----------- tags/policycoreutils_1_33_3/policycoreutils/ Copied: tags/policycoreutils_1_33_3/policycoreutils (from rev 2097, trunk/policycoreutils) This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
From: <ssm...@us...> - 2006-11-21 20:57:07
|
Revision: 2097 http://svn.sourceforge.net/selinux/?rev=2097&view=rev Author: ssmalley Date: 2006-11-21 12:57:02 -0800 (Tue, 21 Nov 2006) Log Message: ----------- Tag for policycoreutils 1.33.3 Added Paths: ----------- tags/policycoreutils_1_33_3/ |
From: <ssm...@us...> - 2006-11-21 20:53:19
|
Revision: 2096 http://svn.sourceforge.net/selinux/?rev=2096&view=rev
Author: ssmalley
Date: 2006-11-21 12:52:25 -0800 (Tue, 21 Nov 2006)

Log Message:
-----------
Author: Karl MacMillan
Email: kma...@me...
Subject: Question about setsebool.c
Date: Mon, 20 Nov 2006 15:04:10 -0500

Joshua Brindle wrote:
> Karl MacMillan wrote:
>> Yuichi Nakamura wrote:
>>> Hi, I looked at the latest policycoreutils code.
>>> (policycoreutils-1.33.1-9.fc7.src.rpm)
>>>
>>> And found strange code, in setsebool.c.
>>>
>>> /* Apply (permanent) boolean changes to policy via libsemanage */
>>> static int semanage_set_boolean_list(size_t boolcnt,
>>>                                      SELboolean * boollist, int perm)
>>> {
>>> <snip>
>>>         } else if (managed == 0) {
>>>                 if (selinux_set_boolean_list(boolcnt, boollist, 1) < 0)
>>>                         goto err;
>>>                 goto out;
>>>         }
>>>
>>> Why 3rd arg for selinux_set_boolean_list is "1"?
>>> Should it be "perm"?
>>>
>>
>> Looks that way to me. Additionally, is it even possible to make
>> non-permanent change to a boolean via semanage? If not, then this code
>> path should check for that. Josh?
>>
> libsemanage is only responsible for the persistent changes,

That is not how the current setsebool.c code works - see:

        if (perm
            && semanage_bool_modify_local(handle, bool_key, boolean) < 0)
                goto err;

Testing confirms that this allows setting non-persistent booleans via semanage using setsebool.

> setsebool
> sets the non-persistent directly, in fact demonstrated by the code
> snippet above. This does look like a bug and if someone uses setsebool
> to set a non-persistent boolean on an unmanaged system it appears that
> it will indeed make it permanent.
> What about this: Modified Paths: -------------- trunk/policycoreutils/ChangeLog trunk/policycoreutils/VERSION trunk/policycoreutils/setsebool/setsebool.c Modified: trunk/policycoreutils/ChangeLog =================================================================== --- trunk/policycoreutils/ChangeLog 2006-11-20 17:09:13 UTC (rev 2095) +++ trunk/policycoreutils/ChangeLog 2006-11-21 20:52:25 UTC (rev 2096) @@ -1,3 +1,8 @@ +1.33.3 2006-11-21 + * Merged setsebool patch from Karl MacMillan. + This fixes a bug reported by Yuichi Nakamura with + always setting booleans persistently on an unmanaged system. + 1.33.2 2006-11-20 * Merged patch from Dan Walsh (via Karl MacMillan): * Added newrole audit message on login failure Modified: trunk/policycoreutils/VERSION =================================================================== --- trunk/policycoreutils/VERSION 2006-11-20 17:09:13 UTC (rev 2095) +++ trunk/policycoreutils/VERSION 2006-11-21 20:52:25 UTC (rev 2096) @@ -1 +1 @@ -1.33.2 +1.33.3 Modified: trunk/policycoreutils/setsebool/setsebool.c =================================================================== --- trunk/policycoreutils/setsebool/setsebool.c 2006-11-20 17:09:13 UTC (rev 2095) +++ trunk/policycoreutils/setsebool/setsebool.c 2006-11-21 20:52:25 UTC (rev 2096) @@ -115,7 +115,7 @@ goto err; } else if (managed == 0) { - if (selinux_set_boolean_list(boolcnt, boollist, 1) < 0) + if (selinux_set_boolean_list(boolcnt, boollist, perm) < 0) goto err; goto out; } This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
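Review bot: in the setsebool.c hunk, the `managed == 0` branch of semanage_set_boolean_list() now forwards `perm` instead of the literal 1, which matches the report, but the function's header comment quoted in the thread still reads "Apply (permanent) boolean changes to policy via libsemanage". After this change the function also applies non-permanent settings, and on the unmanaged path it does so through selinux_set_boolean_list() rather than libsemanage, so the comment should be updated in the same commit. The thread also leaves open whether the managed path is meant to accept perm == 0: the `if (perm && semanage_bool_modify_local(...) < 0)` guard shown there only skips the local modification, so a short comment on that branch stating the intended behaviour would settle it for the next reader.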
From: <kma...@us...> - 2006-11-20 17:09:18
|
Revision: 2095 http://svn.sourceforge.net/selinux/?rev=2095&view=rev Author: kmacmillan Date: 2006-11-20 09:09:13 -0800 (Mon, 20 Nov 2006) Log Message: ----------- Tag for policycoreutils 1.33.2 Added Paths: ----------- tags/policycoreutils_1_33_2/ Copied: tags/policycoreutils_1_33_2 (from rev 2094, trunk/policycoreutils) |
From: <kma...@us...> - 2006-11-20 17:07:17
|
Revision: 2094 http://svn.sourceforge.net/selinux/?rev=2094&view=rev Author: kmacmillan Date: 2006-11-20 09:07:13 -0800 (Mon, 20 Nov 2006) Log Message: ----------- policycoreutils 1.33.2 Modified Paths: -------------- trunk/policycoreutils/VERSION Modified: trunk/policycoreutils/VERSION =================================================================== --- trunk/policycoreutils/VERSION 2006-11-20 17:05:57 UTC (rev 2093) +++ trunk/policycoreutils/VERSION 2006-11-20 17:07:13 UTC (rev 2094) @@ -1 +1 @@ -1.33.1 +1.33.2 This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
From: <kma...@us...> - 2006-11-20 17:06:21
|
Revision: 2093 http://svn.sourceforge.net/selinux/?rev=2093&view=rev
Author: kmacmillan
Date: 2006-11-20 09:05:57 -0800 (Mon, 20 Nov 2006)

Log Message:
-----------
Author: Karl MacMillan
Email: kma...@me...
Subject: Multiple small fixes to policycoreutils
Date: Thu, 16 Nov 2006 17:15:15 -0500

Joshua Brindle wrote:
>> From: Karl MacMillan [mailto:kma...@me...]
>>
>> Daniel J Walsh wrote:
>>> Joshua Brindle wrote:
>>>> Karl MacMillan wrote:
>> <snip>
>>
>>>>> What about a top-level USE_PIE makefile variable that directs all
>>>>> sub-Makefiles to set PIE flags if appropriate for that module? By
>>>>> default it would be off. This gets the behavior you want without
>>>>> having to carry a patch and keeps the current behavior.
>>>>>
>>>> No patch necessary, like Chris said make CFLAGS="-fPIE -O2 -Werror
>>>> -Wall" LDFLAGS="-pie"
>>>>
>>>> done and done.
>>>>
>>> No, because then all compiled apps become -pie. We only want this on
>>> the daemons.
>>>
>> What about this instead?
>
> Why doesn't make CFLAGS="-fPIE -O2 -Werror -Wall" LDFLAGS="-pie" work?
> Why does it matter if everything is built pie?
>

There are performance costs associated with pie, particularly at startup. Talking to Dan though, he doesn't think it is enough to not just build everything as pie. Resend below that I will apply unless there are other objections.

> This is distro specific (gentoo completely overrides the CFLAGS and
> LDFLAGS, I'm not sure what debian does). I don't think whether or not to
> override the user CFLAGS with non-critical things (e.g., things
> necessary to build the app like -I($PREFIX)/include) is appropriate for
> the upstream makefiles.
>
> For that matter, anyone know why -D_FILE_OFFSET_BITS=64 is in the
> override?
>

I wondered that as well - Dan?
Karl Signed-off by: Karl MacMillan <kma...@me...> Modified Paths: -------------- trunk/policycoreutils/ChangeLog trunk/policycoreutils/newrole/newrole.c trunk/policycoreutils/restorecond/restorecond.conf trunk/policycoreutils/scripts/genhomedircon.8 trunk/policycoreutils/semanage/semanage.8 trunk/policycoreutils/semodule_expand/semodule_expand.8 Modified: trunk/policycoreutils/ChangeLog =================================================================== --- trunk/policycoreutils/ChangeLog 2006-11-14 00:25:28 UTC (rev 2092) +++ trunk/policycoreutils/ChangeLog 2006-11-20 17:05:57 UTC (rev 2093) @@ -1,3 +1,9 @@ +1.33.2 2006-11-20 + * Merged patch from Dan Walsh (via Karl MacMillan): + * Added newrole audit message on login failure + * Add /var/log/wtmp to restorecond.conf watch list + * Fix genhomedircon, semanage, semodule_expand man pages. + 1.33.1 2006-11-13 * Merged newrole patch set from Michael Thompson. Modified: trunk/policycoreutils/newrole/newrole.c =================================================================== --- trunk/policycoreutils/newrole/newrole.c 2006-11-14 00:25:28 UTC (rev 2092) +++ trunk/policycoreutils/newrole/newrole.c 2006-11-20 17:05:57 UTC (rev 2093) @@ -1028,6 +1028,7 @@ { fprintf(stderr, _("newrole: incorrect password for %s\n"), pw.pw_name); + send_audit_message(0, old_context, new_context, ttyn); goto err_close_pam; } Modified: trunk/policycoreutils/restorecond/restorecond.conf =================================================================== --- trunk/policycoreutils/restorecond/restorecond.conf 2006-11-14 00:25:28 UTC (rev 2092) +++ trunk/policycoreutils/restorecond/restorecond.conf 2006-11-20 17:05:57 UTC (rev 2093) 
@@ -2,5 +2,6 @@ /etc/samba/secrets.tdb /etc/mtab /var/run/utmp +/var/log/wtmp ~/public_html ~/.mozilla/plugins/libflashplayer.so Modified: trunk/policycoreutils/scripts/genhomedircon.8 =================================================================== --- trunk/policycoreutils/scripts/genhomedircon.8 2006-11-14 00:25:28 UTC (rev 2092) +++ trunk/policycoreutils/scripts/genhomedircon.8 2006-11-20 17:05:57 UTC (rev 2093) 
@@ -45,35 +45,30 @@ .SH DESCRIPTION .PP This utility is used to generate file context configuration entries for -user home directories based on their default roles and is run when building -the policy. It can also be run when ever the -.I /etc/selinux/<<SELINUXTYPE>>/users/local.users -file is changed +user home directories based on their +.B prefix +entry in the the +.B semanage user record. +genhomedircon is run when building +the policy. It is also run automaticaly when ever the +.B semanage +utility modifies +.B user +or +.B login +records. Specifically, we replace HOME_ROOT, HOME_DIR, and ROLE macros in the .I /etc/selinux/<<SELINUXTYPE>>/contexts/files/homedir_template -file with generic and user-specific values. -.I local.users -file. If a user has more than one role in -.I local.users, -.B genhomedircon -uses the first role in the list. +file with generic and user-specific values. HOME_ROOT and HOME_DIR is replaced with each distinct location where login users homedirectories are located. Defaults to /home. ROLE is replaced based on the prefix entry in the +.B user +record. .PP -If a user is not listed in -.I local.users, -.B genhomedircon -assumes that the user's home dir will be found in one of the -HOME_ROOTs. -When looking for these users, -.B genhomedircon -only considers real users. "Real" users (as opposed -to system users) are those whose UID is greater than or equal +genhomedircon searches through all password entires for all "login" user home directories, (as opposed +to system users). Login users are those whose UID is greater than or equal .I STARTING_UID (default 500) and whose login shell is not "/sbin/nologin", or "/bin/false". .PP -Users who are explicitly defined in -.I local.users, -are always "real" (including root, in the default configuration). 
.SH AUTHOR This manual page was originally written by .I Manoj Srivastava <sri...@de...>, Modified: trunk/policycoreutils/semanage/semanage.8 =================================================================== --- trunk/policycoreutils/semanage/semanage.8 2006-11-14 00:25:28 UTC (rev 2092) +++ trunk/policycoreutils/semanage/semanage.8 2006-11-20 17:05:57 UTC (rev 2093) @@ -7,7 +7,7 @@ .br .B semanage login \-{a|d|m} [\-sr] login_name .br -.B semanage user \-{a|d|m} [\-LrR] selinux_name +.B semanage user \-{a|d|m} [\-LrRP] selinux_name .br .B semanage port \-{a|d|m} [\-tr] [\-p protocol] port | port_range .br @@ -71,6 +71,9 @@ .I \-R, \-\-role SELinux Roles. You must enclose multiple roles within quotes, separate by spaces. Or specify \-R multiple times. .TP +.I \-P, \-\-prefix +SELinux Prefix. Prefix added to home_dir_t and home_t for labeling users home directories. +.TP .I \-s, \-\-seuser SELinux user name .TP Modified: trunk/policycoreutils/semodule_expand/semodule_expand.8 =================================================================== --- trunk/policycoreutils/semodule_expand/semodule_expand.8 2006-11-14 00:25:28 UTC (rev 2092) +++ trunk/policycoreutils/semodule_expand/semodule_expand.8 2006-11-20 17:05:57 UTC (rev 2093) @@ -18,7 +18,7 @@ .SH "OPTIONS" .TP .B \-V -verbose mode +show version .TP .B \-c [version] policy version to create This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
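Review bot: in the newrole.c hunk, at the incorrect-password branch, the return value of the added send_audit_message(0, old_context, new_context, ttyn) is discarded, so a failure to write the audit record for a failed authentication goes unnoticed. The branch already leaves through err_close_pam, so checking the call and printing a message to stderr before the goto would cost nothing and would make a missing audit record visible.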
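Review bot: the rewritten DESCRIPTION in genhomedircon.8 adds several typos that will show up in the rendered page: "in the the", "automaticaly", "password entires", "homedirectories", and "HOME_ROOT and HOME_DIR is replaced". The sentence "greater than or equal STARTING_UID" is also still missing "to". Since the ChangeLog entry advertises this as a man page fix, these are worth correcting in the same commit.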
From: <ssm...@us...> - 2006-11-14 00:25:33
|
Revision: 2092 http://svn.sourceforge.net/selinux/?rev=2092&view=rev Author: ssmalley Date: 2006-11-13 16:25:28 -0800 (Mon, 13 Nov 2006) Log Message: ----------- Tag for 1.33.1 Added Paths: ----------- tags/checkpolicy_1_33_1/checkpolicy/ Copied: tags/checkpolicy_1_33_1/checkpolicy (from rev 2091, trunk/checkpolicy) This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
From: <ssm...@us...> - 2006-11-14 00:25:22
|
Revision: 2091 http://svn.sourceforge.net/selinux/?rev=2091&view=rev Author: ssmalley Date: 2006-11-13 16:25:21 -0800 (Mon, 13 Nov 2006) Log Message: ----------- Tag for 1.33.1 Added Paths: ----------- tags/checkpolicy_1_33_1/ This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
From: <ssm...@us...> - 2006-11-14 00:24:08
|
Revision: 2090 http://svn.sourceforge.net/selinux/?rev=2090&view=rev Author: ssmalley Date: 2006-11-13 16:24:06 -0800 (Mon, 13 Nov 2006) Log Message: ----------- checkpolicy 1.33.1 Modified Paths: -------------- trunk/checkpolicy/ChangeLog trunk/checkpolicy/VERSION Modified: trunk/checkpolicy/ChangeLog =================================================================== --- trunk/checkpolicy/ChangeLog 2006-11-14 00:22:12 UTC (rev 2089) +++ trunk/checkpolicy/ChangeLog 2006-11-14 00:24:06 UTC (rev 2090) @@ -1,3 +1,6 @@ +1.33.1 2006-11-13 + * Collapse user identifiers and identifiers together. + 1.32 2006-10-17 * Updated version for release. Modified: trunk/checkpolicy/VERSION =================================================================== --- trunk/checkpolicy/VERSION 2006-11-14 00:22:12 UTC (rev 2089) +++ trunk/checkpolicy/VERSION 2006-11-14 00:24:06 UTC (rev 2090) @@ -1 +1 @@ -1.32 +1.33.1 This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
From: <ssm...@us...> - 2006-11-14 00:22:13
|
Revision: 2089 http://svn.sourceforge.net/selinux/?rev=2089&view=rev Author: ssmalley Date: 2006-11-13 16:22:12 -0800 (Mon, 13 Nov 2006) Log Message: ----------- Author: Stephen Smalley Email: sd...@ty... Subject: RE: How should I run genfscon in my module? Date: Wed, 01 Nov 2006 13:18:58 -0500 On Wed, 2006-11-01 at 11:09 -0500, Karl MacMillan wrote: > On Wed, 2006-11-01 at 10:27 -0500, Joshua Brindle wrote: > > > From: Karl MacMillan [mailto:kma...@me...] > > > > > > > > I looked at fixing this by changing genfscon to use > > > user_identifier > > > > > instead of identifier (they are the same except user_identifier > > > > > includes "-"). This made checkpolicy generate a syntax > > > error for all > > > > > genfscon statements - haven't tracked down what the > > > problem is. The > > > > > grammer still seems to be unambiguous. > > > > > > > > Use "user_id" instead. Otherwise, you'll get a syntax > > > error when the > > > > token is classified as an IDENTIFIER (first match) and the grammar > > > > says that it must be a USER_IDENTIFIER. > > > > > > Right as usual. > > > > > > > Maybe make user_id more generic as it is no longer only used for users.. > > Just making generic would make the user related parts of the grammar > harder to read. What about this: > > Index: trunk/checkpolicy/policy_parse.y > =================================================================== > --- trunk/checkpolicy/policy_parse.y (revision 2076) > +++ trunk/checkpolicy/policy_parse.y (working copy) > @@ -605,6 +605,8 @@ > ; > user_id : identifier > | user_identifier > + ; > +dash_id : user_id > ; > user_def : USER user_id ROLES names opt_mls_user ';' > {if (define_user()) return -1;} 
> @@ -679,11 +681,11 @@ > genfs_contexts : genfs_context_def > | genfs_contexts genfs_context_def > ; > -genfs_context_def : GENFSCON identifier path '-' identifier security_context_def > +genfs_context_def : GENFSCON dash_id path '-' identifier security_context_def > {if (define_genfs_context(1)) return -1;} > - | GENFSCON identifier path '-' '-' {insert_id("-", 0);} security_context_def > + | GENFSCON dash_id path '-' '-' {insert_id("-", 0);} security_context_def > {if (define_genfs_context(1)) return -1;} > - | GENFSCON identifier path security_context_def > + | GENFSCON dash_id path security_context_def > {if (define_genfs_context(0)) return -1;} > ; > ipv4_addr_def : number '.' number '.' number '.' number > > > Signed-off by: Karl MacMillan <kma...@me...> Why not just fold USER_IDENTIFIER back into IDENTIFIER? As in: Revision Links: -------------- http://svn.sourceforge.net/selinux/?rev=2076&view=rev Modified Paths: -------------- trunk/checkpolicy/policy_parse.y trunk/checkpolicy/policy_scan.l Modified: trunk/checkpolicy/policy_parse.y =================================================================== --- trunk/checkpolicy/policy_parse.y 2006-11-14 00:16:07 UTC (rev 2088) +++ trunk/checkpolicy/policy_parse.y 2006-11-14 00:22:12 UTC (rev 2089) @@ -190,7 +190,6 @@ %token NOT AND OR XOR %token CTRUE CFALSE %token IDENTIFIER -%token USER_IDENTIFIER %token NUMBER %token EQUALS %token NOTEQUAL 
@@ -522,13 +521,13 @@ | T1 op T2 { $$ = define_cexpr(CEXPR_ATTR, CEXPR_TYPE, $2); if ($$ == 0) return -1; } - | U1 op { if (insert_separator(1)) return -1; } user_names_push + | U1 op { if (insert_separator(1)) return -1; } names_push { $$ = define_cexpr(CEXPR_NAMES, CEXPR_USER, $2); if ($$ == 0) return -1; } - | U2 op { if (insert_separator(1)) return -1; } user_names_push + | U2 op { if (insert_separator(1)) return -1; } names_push { $$ = define_cexpr(CEXPR_NAMES, (CEXPR_USER | CEXPR_TARGET), $2); if ($$ == 0) return -1; } - | U3 op { if (insert_separator(1)) return -1; } user_names_push + | U3 op { if (insert_separator(1)) return -1; } names_push { $$ = define_cexpr(CEXPR_NAMES, (CEXPR_USER | CEXPR_XTARGET), $2); if ($$ == 0) return -1; } | R1 op { if (insert_separator(1)) return -1; } names_push @@ -603,10 +602,7 @@ users : user_def | users user_def ; -user_id : identifier - | user_identifier - ; -user_def : USER user_id ROLES names opt_mls_user ';' +user_def : USER identifier ROLES names opt_mls_user ';' {if (define_user()) return -1;} ; opt_mls_user : LEVEL mls_level_def RANGE mls_range_def @@ -698,7 +694,7 @@ $$ = addr; } ; -security_context_def : user_id ':' identifier ':' identifier opt_mls_range_def +security_context_def : identifier ':' identifier ':' identifier opt_mls_range_def ; opt_mls_range_def : ':' mls_range_def | 
@@ -766,23 +762,6 @@ identifier : IDENTIFIER { if (insert_id(yytext,0)) return -1; } ; -user_identifier : USER_IDENTIFIER - { if (insert_id(yytext,0)) return -1; } - ; -user_identifier_push : USER_IDENTIFIER - { if (insert_id(yytext, 1)) return -1; } - ; -user_identifier_list_push : user_identifier_push - | identifier_list_push user_identifier_push - | user_identifier_list_push identifier_push - | user_identifier_list_push user_identifier_push - ; -user_names_push : names_push - | user_identifier_push - | '{' user_identifier_list_push '}' - | tilde_push user_identifier_push - | tilde_push '{' user_identifier_list_push '}' - ; path : PATH { if (insert_id(yytext,0)) return -1; } ; Modified: trunk/checkpolicy/policy_scan.l =================================================================== --- trunk/checkpolicy/policy_scan.l 2006-11-14 00:16:07 UTC (rev 2088) +++ trunk/checkpolicy/policy_scan.l 2006-11-14 00:22:12 UTC (rev 2089) @@ -200,12 +200,11 @@ h2 | H2 { return(H2); } "/"({letter}|{digit}|_|"."|"-"|"/")* { return(PATH); } -{letter}({letter}|{digit}|_|".")* { if (is_valid_identifier(yytext)) +{letter}({letter}|{digit}|_|"."|"-")* { if (is_valid_identifier(yytext)) return(IDENTIFIER); else REJECT; } -{letter}({letter}|{digit}|_|"."|"-")* { return(USER_IDENTIFIER); } {digit}{digit}* { return(NUMBER); } {hexval}{0,4}":"{hexval}{0,4}":"({hexval}|":"|".")* { return(IPV6_ADDR); } {version}/([ \t\f]*;) { return(VERSION_IDENTIFIER); } This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
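Review bot: in the policy_scan.l hunk, adding "-" to the IDENTIFIER pattern applies to every identifier, not only user names, and the scanner takes the longest match, so input that uses '-' as an operator without surrounding whitespace (the grammar in the quoted patch has `'-' identifier` in genfs_context_def) can now be consumed as part of a single identifier. The only guard is is_valid_identifier(yytext) with REJECT, and its rules are not part of this diff. Please confirm that it covers this case, or document that '-' must be whitespace-separated, and add a test policy with a dashed user name and a dashed genfscon filesystem name.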
From: <ssm...@us...> - 2006-11-14 00:16:08
|
Revision: 2088 http://svn.sourceforge.net/selinux/?rev=2088&view=rev Author: ssmalley Date: 2006-11-13 16:16:07 -0800 (Mon, 13 Nov 2006) Log Message: ----------- Merge context contains diff from James Antill (attachment). Modified Paths: -------------- trunk/libselinux/include/selinux/av_permissions.h trunk/libselinux/src/av_perm_to_string.h Modified: trunk/libselinux/include/selinux/av_permissions.h =================================================================== --- trunk/libselinux/include/selinux/av_permissions.h 2006-11-14 00:09:55 UTC (rev 2087) +++ trunk/libselinux/include/selinux/av_permissions.h 2006-11-14 00:16:07 UTC (rev 2088) @@ -896,3 +896,4 @@ #define KEY__SETATTR 0x00000020UL #define KEY__CREATE 0x00000040UL #define CONTEXT__TRANSLATE 0x00000001UL +#define CONTEXT__CONTAINS 0x00000002UL Modified: trunk/libselinux/src/av_perm_to_string.h =================================================================== --- trunk/libselinux/src/av_perm_to_string.h 2006-11-14 00:09:55 UTC (rev 2087) +++ trunk/libselinux/src/av_perm_to_string.h 2006-11-14 00:16:07 UTC (rev 2088) @@ -266,3 +266,4 @@ S_(SECCLASS_KEY, KEY__SETATTR, "setattr") S_(SECCLASS_KEY, KEY__CREATE, "create") S_(SECCLASS_CONTEXT, CONTEXT__TRANSLATE, "translate") + S_(SECCLASS_CONTEXT, CONTEXT__CONTAINS, "contains") This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
From: <ssm...@us...> - 2006-11-14 00:09:56
|
Revision: 2087 http://svn.sourceforge.net/selinux/?rev=2087&view=rev Author: ssmalley Date: 2006-11-13 16:09:55 -0800 (Mon, 13 Nov 2006) Log Message: ----------- Tag for 1.33.1 Added Paths: ----------- tags/policycoreutils_1_33_1/policycoreutils/ Copied: tags/policycoreutils_1_33_1/policycoreutils (from rev 2086, trunk/policycoreutils) This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
From: <ssm...@us...> - 2006-11-14 00:09:49
|
Revision: 2086 http://svn.sourceforge.net/selinux/?rev=2086&view=rev Author: ssmalley Date: 2006-11-13 16:09:47 -0800 (Mon, 13 Nov 2006) Log Message: ----------- Tag for 1.33.1 Added Paths: ----------- tags/policycoreutils_1_33_1/ This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
From: <ssm...@us...> - 2006-11-14 00:08:41
|
Revision: 2085 http://svn.sourceforge.net/selinux/?rev=2085&view=rev Author: ssmalley Date: 2006-11-13 16:08:39 -0800 (Mon, 13 Nov 2006) Log Message: ----------- policycoreutils 1.33.1 Modified Paths: -------------- trunk/policycoreutils/ChangeLog trunk/policycoreutils/VERSION Modified: trunk/policycoreutils/ChangeLog =================================================================== --- trunk/policycoreutils/ChangeLog 2006-11-13 23:59:04 UTC (rev 2084) +++ trunk/policycoreutils/ChangeLog 2006-11-14 00:08:39 UTC (rev 2085) @@ -1,3 +1,6 @@ +1.33.1 2006-11-13 + * Merged newrole patch set from Michael Thompson. + 1.32 2006-10-17 * Updated version for release. Modified: trunk/policycoreutils/VERSION =================================================================== --- trunk/policycoreutils/VERSION 2006-11-13 23:59:04 UTC (rev 2084) +++ trunk/policycoreutils/VERSION 2006-11-14 00:08:39 UTC (rev 2085) @@ -1 +1 @@ -1.32 +1.33.1 This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
From: <ssm...@us...> - 2006-11-13 23:59:06
|
Revision: 2084 http://svn.sourceforge.net/selinux/?rev=2084&view=rev Author: ssmalley Date: 2006-11-13 15:59:04 -0800 (Mon, 13 Nov 2006) Log Message: ----------- Author: Michael C Thompson Email: tho...@us... Subject: make newrole suid (take 3) Date: Thu, 02 Nov 2006 19:07:27 -0600 Michael C Thompson wrote: > The 8 patches are as follows: > 1) Modifications to Makefile to support future patch needs > Add newrole-lspp.pamd > 2) New extract_pw_data function and use in main() > 3) Add signal handler function > 4) Update drop_capabilities() and use in main() > 5) Update the authentication functions and use in main() > Add cleanup since pam_start is now left till program end > 6) Move relabeling tty actions into functions > 7) Move command-line argument parsing into a function > Clear the environment during execution > Add support for preserving the environment (-p) > 8) Shift to using new defines in the Makefile and in newrole.c > Add support for namespaces > Remove unused code, cleanup and documentation This is the 8th of 8 patches. This patch applies against policycoreutils-1.30.30-1. This function finalizes all of the changes made by the previous 7 patches and introduces the namespace support. Changes: * Introduces namespace support and transition_to_caller_uid() - New functionality, for polyinstantitation * Various bits of cleanup remaining from previous patches Signed-off-by: Michael Thompson <tho...@us...> Modified Paths: -------------- trunk/policycoreutils/newrole/Makefile trunk/policycoreutils/newrole/newrole.c Modified: trunk/policycoreutils/newrole/Makefile =================================================================== --- trunk/policycoreutils/newrole/Makefile 2006-11-13 23:56:30 UTC (rev 2083) +++ trunk/policycoreutils/newrole/Makefile 2006-11-13 23:59:04 UTC (rev 2084) 
@@ -6,11 +6,6 @@ LOCALEDIR = /usr/share/locale PAMH = $(shell ls /usr/include/security/pam_appl.h 2>/dev/null) AUDITH = $(shell ls /usr/include/libaudit.h 2>/dev/null) -# If LOG_AUDIT_PRIV is y, then newrole will be made into setuid root program. -# This is so that we have the CAP_AUDIT_WRITE capability. newrole will -# shed all privileges and change to the user's uid. -LOG_AUDIT_PRIV ?= n - # Enable capabilities to permit newrole to generate audit records. # This will make newrole a setuid root program. # The capabilities used are: CAP_AUDIT_WRITE. @@ -39,7 +34,6 @@ override CFLAGS += -DUSE_AUDIT LDLIBS += -laudit endif - ifeq (${LSPP_PRIV},y) override AUDIT_LOG_PRIV=y override NAMESPACE_PRIV=y @@ -59,14 +53,6 @@ MODE := 0555 endif -ifeq (${LOG_AUDIT_PRIV},y) - override CFLAGS += -DLOG_AUDIT_PRIV - LDLIBS += -lcap - MODE := 4555 -else - MODE := 555 -endif - TARGETS=$(patsubst %.c,%,$(wildcard *.c)) all: $(TARGETS) Modified: trunk/policycoreutils/newrole/newrole.c =================================================================== --- trunk/policycoreutils/newrole/newrole.c 2006-11-13 23:56:30 UTC (rev 2083) +++ trunk/policycoreutils/newrole/newrole.c 2006-11-13 23:59:04 UTC (rev 2084) @@ -36,11 +36,6 @@ * setuid root, so that it can read the shadow passwd file. * * - * option CANTSPELLGDB: - * - * If you set CANTSPELLGDB you will turn on some debugging printfs. - * - * * Authors: Tim Fraser , * Anthony Colatrella <am...@ep...> * Various bug fixes by Stephen Smalley <sd...@ep...> @@ -48,6 +43,14 @@ *************************************************************************/ #define _GNU_SOURCE + +#if defined(AUDIT_LOG_PRIV) && !defined(USE_AUDIT) +#error AUDIT_LOG_PRIV needs the USE_AUDIT option +#endif +#if defined(NAMESPACE_PRIV) && !defined(USE_PAM) +#error NAMESPACE_PRIV needs the USE_PAM option +#endif + #include <stdio.h> #include <stdlib.h> /* for malloc(), realloc(), free() */ #include <pwd.h> /* for getpwuid() */ 
@@ -63,13 +66,11 @@ #include <selinux/get_default_type.h> #include <selinux/get_context_list.h> /* for SELINUX_DEFAULTUSER */ #include <signal.h> +#include <unistd.h> /* for getuid(), exit(), getopt() */ #ifdef USE_AUDIT #include <libaudit.h> #endif -#ifdef LOG_AUDIT_PRIV -#ifndef USE_AUDIT -#error LOG_AUDIT_PRIV needs the USE_AUDIT option -#endif +#if defined(AUDIT_LOG_PRIV) || (NAMESPACE_PRIV) #include <sys/prctl.h> #include <sys/capability.h> #endif @@ -92,18 +93,17 @@ extern char **environ; -char *xstrdup(const char *s) -{ - char *s2; - - s2 = strdup(s); - if (!s2) { - fprintf(stderr, _("Out of memory!\n")); - exit(1); - } - return s2; -} - +/** + * Construct from the current range and specified desired level a resulting + * range. If the specified level is a range, return that. If it is not, then + * construct a range with level as the sensitivity and clearance of the current + * context. + * + * newlevel - the level specified on the command line + * range - the range in the current context + * + * Returns malloc'd memory + */ static char *build_new_range(char *newlevel, const char *range) { char *newrangep = NULL; @@ -120,9 +120,8 @@ return newrangep; } - /* look for MLS range */ + /* look for MLS range in current context */ tmpptr = strchr(range, '-'); - if (tmpptr) { /* we are inserting into a ranged MLS context */ len = strlen(newlevel) + 1 + strlen(tmpptr + 1) + 1; @@ -260,7 +259,7 @@ } #endif /* if/else USE_PAM */ -/* +/** * This function checks to see if the shell is known in /etc/shells. * If so, it returns 1. On error or illegal shell, it returns 0. */ @@ -269,7 +268,7 @@ int found = 0; const char *buf; - if (!shell_name) + if (! (shell_name && shell_name[0])) return found; while ((buf = getusershell()) != NULL) { 
@@ -545,7 +544,29 @@ } #endif -#ifdef LOG_AUDIT_PRIV +#ifdef NAMESPACE_PRIV +/** + * This function will set the uid values to be that of caller's uid, and + * will drop any privilages which maybe have been raised. + */ +static int transition_to_caller_uid() +{ + uid_t uid = getuid(); + + if (prctl(PR_SET_KEEPCAPS, 0, 0, 0, 0) < 0) { + fprintf(stderr, _("Error resetting KEEPCAPS, aborting\n")); + return -1; + } + + if (setresuid(uid, uid, uid)) { + fprintf(stderr, _("Error changing uid, aborting.\n")); + return -1; + } + return 0; +} +#endif + +#ifdef AUDIT_LOG_PRIV /* Send audit message */ static int send_audit_message(int success, security_context_t old_context, 
@@ -1085,62 +1106,67 @@ } /* CHILD */ - - close(fd); - - /* Close and reopen descriptors 0 through 2 */ - if (close(0) || close(1) || close(2)) { + /* Close the tty and reopen descriptors 0 through 2 */ + if (close(fd) || close(0) || close(1) || close(2)) { fprintf(stderr, _("Could not close descriptors.\n")); - exit(-1); + goto err_close_pam; } fd = open(ttyn, O_RDONLY); - if (fd != 0) { - exit(-1); - } + if (fd != 0) + goto err_close_pam; fd = open(ttyn, O_WRONLY); - if (fd != 1) { - exit(-1); - } + if (fd != 1) + goto err_close_pam; fd = open(ttyn, O_WRONLY); - if (fd != 2) { - exit(-1); - } + if (fd != 2) + goto err_close_pam; /* - * * Step 5: Execute a new shell with the new context in `new_context'. * + * Establish context, namesapce and any options for the new shell */ - if (optind < 1) optind = 1; - if (asprintf(&argv[optind - 1], "-%s", pw.pw_shell) < 0) { - fprintf(stderr, _("Error allocating shell.\n")); - exit(-1); + + /* This is ugly, but use newrole's argv for the exec'd shells argv */ + if (asprintf(&shell_argv0, "-%s", pw.pw_shell) < 0) { + fprintf(stderr, _("Error allocating shell's argv0.\n")); + shell_argv0 = NULL; + goto err_close_pam; } -#ifdef CANTSPELLGDB - { - int i; - printf("Executing "); - for (i = optind - 1; i < argc; i++) - printf("%s ", argv[i]); - printf("with context %s\n", new_context); - } -#endif - if (setexeccon(new_context) < 0) { + argv[optind-1] = shell_argv0; + + if (setexeccon(new_context)) { fprintf(stderr, _("Could not set exec context to %s.\n"), new_context); - exit(-1); + goto err_close_pam; } + +#ifdef NAMESPACE_PRIV + /* Ask PAM to setup session for user running this program */ + pam_status = pam_open_session(pam_handle,0); + if (pam_status != PAM_SUCCESS) { + fprintf(stderr, "pam_open_session failed with %s\n", + pam_strerror(pam_handle, pam_status)); + goto err_close_pam; + } +#endif + if (send_audit_message(1, old_context, new_context, ttyn)) - exit(-1); + goto err_close_pam_session; +#ifdef NAMESPACE_PRIV + if 
(transition_to_caller_uid()) + goto err_close_pam_session; +#endif freecon(old_context); + freecon(new_context); /* Handle environment changes */ if (restore_environment(preserve_environment, old_environ, &pw)) { fprintf(stderr, _("Unable to restore the environment, " "aborting\n")); - goto err_close_pam; + goto err_close_pam_session; } execv(pw.pw_shell, argv + optind - 1); @@ -1150,6 +1176,13 @@ * If we reach here, then we failed to exec the new shell. */ perror(_("failed to exec shell\n")); +err_close_pam_session: +#ifdef NAMESPACE_PRIV + pam_status = pam_close_session(pam_handle,0); + if(pam_status != PAM_SUCCESS) + fprintf(stderr, "pam_close_session failed with %s\n", + pam_strerror(pam_handle, pam_status)); +#endif err_close_pam: #ifdef USE_PAM rc = pam_end(pam_handle, pam_status); This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
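Review bot: the Makefile hunks delete LOG_AUDIT_PRIV and its ifeq block without leaving any trace of the old name, so an existing build that passes LOG_AUDIT_PRIV=y now has the variable silently ignored and gets neither -DLOG_AUDIT_PRIV, -lcap nor MODE 4555 from it. Consider failing with $(error ...) when LOG_AUDIT_PRIV is set, or recording the rename to AUDIT_LOG_PRIV in the ChangeLog.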
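Review bot: in the include hunk of newrole.c, `#if defined(AUDIT_LOG_PRIV) || (NAMESPACE_PRIV)` tests the value of NAMESPACE_PRIV instead of whether it is defined, unlike the `defined(NAMESPACE_PRIV)` check this patch adds at the top of the file. A build that defines the macro with an empty value fails to preprocess at this line, and one that defines it as 0 skips <sys/prctl.h> and <sys/capability.h> while the `#ifdef NAMESPACE_PRIV` code that calls prctl() is still compiled. Use `defined(NAMESPACE_PRIV)` here as well.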
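Review bot: in the new transition_to_caller_uid(), the comment promises that any raised privileges are dropped, but the body only resets PR_SET_KEEPCAPS and calls setresuid(uid, uid, uid), so nothing changes when the caller's uid is 0 and group ids are never touched. The comment should say that the function relies on the kernel clearing capabilities when all uids leave 0 and that a root caller keeps them. Also declare it as transition_to_caller_uid(void) and fix "privilages which maybe have been raised".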
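Review bot: in the main() hunk, the err_close_pam_session label is reached from the restore_environment() failure and from a failed execv(), both of which come after transition_to_caller_uid() has already done setresuid(uid, uid, uid), so pam_close_session() runs as the unprivileged caller and its failure is only printed. If the session modules need privilege to tear down what pam_open_session() set up, this cleanup cannot work; either do the work that can fail before the uid transition or document why an unprivileged close is acceptable. The two pam_*_session error strings are also not wrapped in _() like the other messages in this hunk, and the comment has "namesapce".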
From: <ssm...@us...> - 2006-11-13 23:56:31
|
Revision: 2083 http://svn.sourceforge.net/selinux/?rev=2083&view=rev Author: ssmalley Date: 2006-11-13 15:56:30 -0800 (Mon, 13 Nov 2006) Log Message: ----------- Author: Michael C Thompson Email: tho...@us... Subject: make newrole suid (take 3) Date: Thu, 02 Nov 2006 19:06:49 -0600 Michael C Thompson wrote: > The 8 patches are as follows: > 1) Modifications to Makefile to support future patch needs > Add newrole-lspp.pamd > 2) New extract_pw_data function and use in main() > 3) Add signal handler function > 4) Update drop_capabilities() and use in main() > 5) Update the authentication functions and use in main() > Add cleanup since pam_start is now left till program end > 6) Move relabeling tty actions into functions > 7) Move command-line argument parsing into a function > Clear the environment during execution > Add support for preserving the environment (-p) This is the 7th of 8 patches. This patch applies against policycoreutils-1.30.30-1. This function introduces a sanitized environment during the life-time of newrole's execution, and sets the environment to either the preserved environment or a minimal environment before shell execution. Changes: * Introduces restore_environment() - New functionality, for preserving the environment or sanitizing it * Introduces parse_command_line_arguments() - Move functionality from main() into parse_command_line_arguments * Uses the above new functions in main() Signed-off-by: Michael Thompson <tho...@us...> Modified Paths: -------------- trunk/policycoreutils/newrole/newrole.c Modified: trunk/policycoreutils/newrole/newrole.c =================================================================== --- trunk/policycoreutils/newrole/newrole.c 2006-11-13 23:53:42 UTC (rev 2082) +++ trunk/policycoreutils/newrole/newrole.c 2006-11-13 23:56:30 UTC (rev 2083) 
@@ -85,10 +85,13 @@ #endif /* USAGE_STRING describes the command-line args of this program. */ -#define USAGE_STRING "USAGE: newrole [ -r role ] [ -t type ] [ -l level ] [ -V ] [ -- args ]" +#define USAGE_STRING "USAGE: newrole [ -r role ] [ -t type ] [ -l level ] [ -p ] [ -V ] [ -- args ]" +#define DEFAULT_PATH "/usr/bin:/bin" #define DEFAULT_CONTEXT_SIZE 255 /* first guess at context size */ +extern char **environ; + char *xstrdup(const char *s) { char *s2; 
@@ -340,6 +343,74 @@ } /** + * Either restore the original environment, or set up a minimal one. + * + * The minimal environment contains: + * TERM, DISPLAY and XAUTHORITY - if they are set, preserve values + * HOME, SHELL, USER and LOGNAME - set to contents of /etc/passwd + * PATH - set to default value DEFAULT_PATH + * + * Returns zero on success, non-zero otherwise + */ +static int restore_environment(int preserve_environment, + char **old_environ, const struct passwd *pw) +{ + char const *term_env; + char const *display_env; + char const *xauthority_env; + char *term = NULL; /* temporary container */ + char *display = NULL; /* temporary container */ + char *xauthority = NULL; /* temporary container */ + int rc; + + environ = old_environ; + + if (preserve_environment) + return 0; + + term_env = getenv("TERM"); + display_env = getenv("DISPLAY"); + xauthority_env = getenv("XAUTHORITY"); + + /* Save the variable values we want */ + if (term_env) + term = strdup(term_env); + if (display_env) + display = strdup(display_env); + if (xauthority_env) + xauthority = strdup(xauthority_env); + if ((term_env && !term) || (display_env && !display) || + (xauthority_env && !xauthority)) { + rc = -1; + goto out; + } + + /* Construct a new environment */ + if ((rc = clearenv())) { + fprintf(stderr, _("Unable to clear environment\n")); + goto out; + } + + /* Restore that which we saved */ + if (term) + rc |= setenv("TERM", term, 1); + if (display) + rc |= setenv("DISPLAY", display, 1); + if (xauthority) + rc |= setenv("XAUTHORITY", xauthority, 1); + rc |= setenv("HOME", pw->pw_dir, 1); + rc |= setenv("SHELL", pw->pw_shell, 1); + rc |= setenv("USER", pw->pw_name, 1); + rc |= setenv("LOGNAME", pw->pw_name, 1); + rc |= setenv("PATH", DEFAULT_PATH, 1); +out: + free(term); + free(display); + free(xauthority); + return rc; +} + +/** * This function will drop the capabilities so that we are left * only with access to the audit system. 
If the user is root, we leave * the capabilities alone since they already should have access to the 
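Review bot: in restore_environment(), the `if (preserve_environment) return 0;` path hands the caller's saved environment back untouched right after `environ = old_environ;`, and the minimal path still copies TERM, DISPLAY and XAUTHORITY from the caller without any checking. The doc comment should state what must already be true for this to be safe (privileges dropped before the exec) and why these three variables are trusted. Minor: the strdup failure path returns -1 without printing anything, while the clearenv() failure prints a message.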
@@ -627,7 +698,173 @@ return rc; } +/** + * Parses and validates the provided command line options and + * constructs a new context based on our old context and the + * arguments specified on the command line. On success + * new_context will be set to valid values, otherwise its value + * is left unchanged. + * + * Returns zero on success, non-zero otherwise. + */ +static int parse_command_line_arguments(int argc, char **argv, char *ttyn, + security_context_t old_context, + security_context_t *new_context, + int *preserve_environment) +{ + int flag_index; /* flag index in argv[] */ + int clflag; /* holds codes for command line flags */ + char *role_s = NULL; /* role spec'd by user in argv[] */ + char *type_s = NULL; /* type spec'd by user in argv[] */ + char *type_ptr = NULL; /* stores malloc'd data from get_default_type */ + char *level_s = NULL; /* level spec'd by user in argv[] */ + char *range_ptr = NULL; + security_context_t new_con = NULL; + context_t context = NULL; /* manipulatable form of new_context */ + const struct option long_options[] = { + {"role", 1, 0, 'r'}, + {"type", 1, 0, 't'}, + {"level", 1, 0, 'l'}, + {"preserve-environment", 0, 0, 'p'}, + {"version", 0, 0, 'V'}, + {NULL, 0, 0, 0} + }; + *preserve_environment = 0; + while (1) { + clflag = getopt_long(argc, argv, "r:t:l:pV", long_options, + &flag_index); + if (clflag == -1) + break; + + switch (clflag) { + case 'V': + printf("newrole: %s version %s\n", PACKAGE, VERSION); + exit(0); + break; + case 'p': + *preserve_environment = 1; + break; + case 'r': + if (role_s) { + fprintf(stderr, + _("Error: multiple roles specified\n")); + return -1; + } + role_s = optarg; + break; + case 't': + if (type_s) { + fprintf(stderr, + _("Error: multiple types specified\n")); + return -1; + } + type_s = optarg; + break; + case 'l': + if (!is_selinux_mls_enabled()) { + fprintf(stderr, _("Sorry, -l may be used with " + "SELinux MLS support.\n")); + return -1; + } + if (level_s) { + fprintf(stderr, _("Error: 
multiple levels " + "specified\n")); + return -1; + } + level_s = optarg; + break; + default: + fprintf(stderr, "%s\n", USAGE_STRING); + return -1; + } + } + + /* Verify that the combination of command-line arguments are viable */ + if (!(role_s || type_s || level_s)) { + fprintf(stderr, "%s\n", USAGE_STRING); + return -1; + } + + /* Fill in a default type if one hasn't been specified. */ + if (role_s && !type_s) { + /* get_default_type() returns malloc'd memory */ + if (get_default_type(role_s, &type_ptr)) { + fprintf(stderr, _("Couldn't get default type.\n")); + send_audit_message(0, old_context, new_con, ttyn); + return -1; + } + type_s = type_ptr; + } + + /* Create a temporary new context structure we extract and modify */ + context = context_new(old_context); + if (!context) { + fprintf(stderr, _("failed to get new context.\n")); + goto err_free; + } + + /* Modify the temporary new context */ + if (role_s) + if (context_role_set(context, role_s)) { + fprintf(stderr, _("failed to set new role %s\n"), + role_s); + goto err_free; + } + + if (type_s) + if (context_type_set(context, type_s)) { + fprintf(stderr, _("failed to set new type %s\n"), + type_s); + goto err_free; + } + + if (level_s) { + range_ptr = build_new_range(level_s,context_range_get(context)); + if (!range_ptr) { + fprintf(stderr, + _("failed to build new range with level %s\n"), + level_s); + goto err_free; + } + if (context_range_set(context, range_ptr)) { + fprintf(stderr, _("failed to set new range %s\n"), + range_ptr); + goto err_free; + } + } + + /* Construct the final new context */ + if (!(new_con = context_str(context))) { + fprintf(stderr, _("failed to convert new context to string\n")); + goto err_free; + } + + if (security_check_context(new_con) < 0) { + fprintf(stderr, _("%s is not a valid context\n"), new_con); + send_audit_message(0, old_context, new_con, ttyn); + goto err_free; + } + + *new_context = strdup(new_con); + if (!*new_context) { + fprintf(stderr, _("Unable to allocate 
memory for new_context")); + goto err_free; + } + + free(type_ptr); + free(range_ptr); + context_free(context); + return 0; + +err_free: + free(type_ptr); + free(range_ptr); + /* Don't free new_con, context_free(context) handles this */ + context_free(context); + return -1; +} + /** * Take care of any signal setup */ @@ -660,32 +897,20 @@ int main(int argc, char *argv[]) { + security_context_t new_context = NULL; /* target security context */ + security_context_t old_context = NULL; /* original securiy context */ + security_context_t tty_context = NULL; /* current context of tty */ + security_context_t new_tty_context = NULL; /* new context of tty */ - security_context_t new_context = NULL; /* our target security context */ - security_context_t old_context = NULL; /* our original securiy context */ - security_context_t tty_context = NULL; /* The current context of tty file */ - security_context_t new_tty_context = NULL; /* The new context of tty file */ + struct passwd pw; /* struct derived from passwd file line */ + char *ttyn = NULL; /* tty path */ - context_t context; /* manipulatable form of new_context */ + char **old_environ; + int preserve_environment; - struct passwd pw; /* struct derived from passwd file line */ - - int clflag; /* holds codes for command line flags */ - int flag_index; /* flag index in argv[] */ - const struct option long_options[] = { /* long option flags for getopt() */ - {"role", 1, 0, 'r'}, - {"type", 1, 0, 't'}, - {"level", 1, 0, 'l'}, - {"version", 0, 0, 'V'}, - {NULL, 0, 0, 0} - }; - char *role_s = NULL; /* role spec'd by user in argv[] */ - char *type_s = NULL; /* type spec'd by user in argv[] */ - char *level_s = NULL; /* level spec'd by user in argv[] */ - char *ttyn = NULL; /* tty path */ + int fd; + int rc; pid_t childPid = 0; - int fd, rc; - int enforcing; char *shell_argv0 = NULL; #ifdef USE_PAM 
@@ -719,139 +944,40 @@ textdomain(PACKAGE); #endif - /* - * - * Step 1: Handle command-line arguments. - * - */ + old_environ = environ; + environ = NULL; if (!is_selinux_enabled()) { - fprintf(stderr, - _ - ("Sorry, newrole may be used only on a SELinux kernel.\n")); - exit(-1); + fprintf(stderr, _("Sorry, newrole may be used only on " + "a SELinux kernel.\n")); + return -1; } - enforcing = security_getenforce(); - if (enforcing < 0) { + + if (security_getenforce() < 0) { fprintf(stderr, _("Could not determine enforcing mode.\n")); - exit(-1); + return -1; } - while (1) { - clflag = - getopt_long(argc, argv, "r:t:l:V", long_options, - &flag_index); - if (clflag == -1) - break; - - switch (clflag) { - case 'V': - printf("newrole: %s version %s\n", PACKAGE, VERSION); - exit(0); - break; - case 'r': - /* If role_s is already set, the user spec'd multiple roles - bad. */ - if (role_s) { - fprintf(stderr, - _("Error: multiple roles specified\n")); - exit(-1); - } - role_s = optarg; /* save the role string spec'd by user */ - break; - - case 't': - /* If type_s is already set, the user spec'd multiple types - bad. */ - if (type_s) { - fprintf(stderr, - _("Error: multiple types specified\n")); - exit(-1); - } - type_s = optarg; /* save the type string spec'd by user */ - break; - - case 'l': - if (!is_selinux_mls_enabled()) { - fprintf(stderr, - _ - ("Sorry, -l may be used with SELinux MLS support.\n")); - exit(-1); - } - /* If level_s is already set, the user spec'd multiple levels - bad. */ - if (level_s) { - fprintf(stderr, - _ - ("Error: multiple levels specified\n")); - exit(-1); - } - level_s = optarg; /* save the level string spec'd by user */ - break; - - default: - fprintf(stderr, "%s\n", USAGE_STRING); - exit(-1); - } /* switch( clflag ) */ - } /* while command-line flags remain for newrole */ - - /* Verify that the combination of command-line arguments we were * - * given is a viable one. 
*/ - if (!(role_s || type_s || level_s)) { - fprintf(stderr, "%s\n", USAGE_STRING); - exit(-1); - } - - /* Fill in a default type if one hasn't been specified */ - if (role_s && !type_s) { - if (get_default_type(role_s, &type_s)) { - fprintf(stderr, _("Couldn't get default type.\n")); - send_audit_message(0, old_context, new_context, ttyn); - exit(-1); - } -#ifdef CANTSPELLGDB - printf("Your type will be %s.\n", type_s); -#endif - } - /* + * Step 1: Parse command line and valid arguments * - * Step 2: Authenticate the user. - * + * old_context and ttyn are required for audit logging, + * context validation and pam */ - - /* - * Get the context of the caller, and extract - * the username from the context. Don't rely on the Linux - * uid information - it isn't trustworthy. - */ - - /* Put the caller's context into `old_context'. */ - if (0 != (getprevcon(&old_context))) { + if (getprevcon(&old_context)) { fprintf(stderr, _("failed to get old_context.\n")); - exit(-1); + return -1; } -#ifdef CANTSPELLGDB - printf("Your old context was %s\n", old_context); -#endif - /* - * Create a context structure so that we extract and modify - * components easily. - */ - context = context_new(old_context); - if (context == 0) { - fprintf(stderr, _("failed to get new context.\n")); - exit(-1); - } - - /* Get the tty name. Pam will need it. */ ttyn = ttyname(0); if (!ttyn || *ttyn == '\0') { fprintf(stderr, _("Error! Could not retrieve tty information.\n")); - exit(-1); + return -1; } - /* Get the passwd info for the Linux user identity. */ - if (extract_pw_data(&pw)) + if (parse_command_line_arguments(argc, argv, ttyn, old_context, + &new_context, &preserve_environment)) return -1; /* 
@@ -862,6 +988,9 @@ * malicious software), not to authorize the operation (which is covered * by policy). Trusted path mechanism would be preferred. */ + if (extract_pw_data(&pw)) + goto err_free; + printf(_("Authenticating %s.\n"), pw.pw_name); #ifdef USE_PAM pam_status = pam_start(SERVICE_NAME, pw.pw_name, &pam_conversation, 
@@ -882,86 +1011,6 @@ } /* - * - * Step 3: Construct a new context based on our old context and the - * arguments specified on the command line. - * - */ - - /* The first step in constructing a new context for the new shell we * - * plan to exec is to take our old context in `context' as a * - * starting point, and modify it according to the options the user * - * specified on the command line. */ - - /* If the user specified a new role on the command line (if `role_s' * - * is set), then replace the old role in `context' with this new role. */ - if (role_s) { - if (context_role_set(context, role_s)) { - fprintf(stderr, _("failed to set new role %s\n"), - role_s); - exit(-1); - } -#ifdef CANTSPELLGDB - printf("Your new role is %s\n", context_role_get(context)); -#endif - } - - /* if user specified new role */ - /* If the user specified a new type on the command line (if `type_s' * - * is set), then replace the old type in `context' with this new type. */ - if (type_s) { - if (context_type_set(context, type_s)) { - fprintf(stderr, _("failed to set new type %s\n"), - type_s); - exit(-1); - } -#ifdef CANTSPELLGDB - printf("Your new type is %s\n", context_type_get(context)); -#endif - } - - /* if user specified new type */ - /* If the user specified a new level on the command line (if `level_s' * - * is set), then replace the old level in `context' with this new level. 
*/ - if (level_s) { - char *range_s = - build_new_range(level_s, context_range_get(context)); - if (!range_s) { - fprintf(stderr, - _("failed to build new range with level %s\n"), - level_s); - exit(-1); - } - if (context_range_set(context, range_s)) { - fprintf(stderr, _("failed to set new range %s\n"), - range_s); - free(range_s); - exit(-1); - } - free(range_s); -#ifdef CANTSPELLGDB - printf("Your new range is %s\n", context_range_get(context)); -#endif - } - - /* if user specified new level */ - /* The second step in creating the new context is to convert our modified * - * `context' structure back to a context string and then to a Context. */ - if (!(new_context = context_str(context))) { - fprintf(stderr, _("failed to convert new context to string\n")); - exit(-1); - } -#ifdef CANTSPELLGDB - printf("Your new context is %s\n", new_context); -#endif - - if (security_check_context(new_context) < 0) { - fprintf(stderr, _("%s is not a valid context\n"), new_context); - send_audit_message(0, old_context, new_context, ttyn); - exit(-1); - } - - /* * Step 3: Handle relabeling of the tty. * * Once we authenticate the user, we know that we want to proceed with @@ -1086,6 +1135,13 @@ if (send_audit_message(1, old_context, new_context, ttyn)) exit(-1); freecon(old_context); + + /* Handle environment changes */ + if (restore_environment(preserve_environment, old_environ, &pw)) { + fprintf(stderr, _("Unable to restore the environment, " + "aborting\n")); + goto err_close_pam; + } execv(pw.pw_shell, argv + optind - 1); /* This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
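Review bot: In parse_command_line_arguments() the strdup() failure message "Unable to allocate memory for new_context" has no trailing \n, unlike every other fprintf() in the function. In the get_default_type() failure path, send_audit_message(0, old_context, new_con, ttyn) is called while new_con is still NULL; pass NULL explicitly or add a comment so it is clear that no target context exists yet at that point.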
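Review bot: In the last hunk (@@ -1086,6 +1135,13 @@) the new "goto err_close_pam" runs after the freecon(old_context) on the context line directly above it, and the err_free cleanup introduced in r2081 calls freecon(old_context) again, so a restore_environment() failure frees old_context twice. Set old_context = NULL right after the first freecon(), or move that freecon() into the shared cleanup so it happens in one place only.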
From: <ssm...@us...> - 2006-11-13 23:53:43
Revision: 2082
          http://svn.sourceforge.net/selinux/?rev=2082&view=rev
Author:   ssmalley
Date:     2006-11-13 15:53:42 -0800 (Mon, 13 Nov 2006)

Log Message:
-----------
Author: Michael C Thompson
Email: tho...@us...
Subject: make newrole suid (take 3)
Date: Thu, 02 Nov 2006 19:06:16 -0600

Michael C Thompson wrote:
> The 8 patches are as follows:
> 1) Modifications to Makefile to support future patch needs
>    Add newrole-lspp.pamd
> 2) New extract_pw_data function and use in main()
> 3) Add signal handler function
> 4) Update drop_capabilities() and use in main()
> 5) Update the authentication functions and use in main()
>    Add cleanup since pam_start is now left till program end
> 6) Move relabeling tty actions into functions

This is the 6th of 8 patches.

This patch applies against policycoreutils-1.30.30-1.

This patch moves the tty relabeling actions into their own functions
and adds better cleanup to main on error paths.

Changes:
* Introduces relabel_tty() and restore_tty_label()
  - Move functionality from main() into functions
* Uses the above new functions in main()
* Updates the parent process to have better cleanup

Signed-off-by: Michael Thompson <tho...@us...>

Modified Paths:
--------------
    trunk/policycoreutils/newrole/newrole.c

Modified: trunk/policycoreutils/newrole/newrole.c =================================================================== --- trunk/policycoreutils/newrole/newrole.c 2006-11-13 23:51:59 UTC (rev 2081) +++ trunk/policycoreutils/newrole/newrole.c 2006-11-13 23:53:42 UTC (rev 2082) 
@@ -522,6 +522,113 @@ #endif /** + * This function attempts to relabel the tty. If this function fails, then + * the fd is closed, the contexts are free'd and -1 is returned. On success, + * a valid fd is returned and tty_context and new_tty_context are set. + * + * This function will not fail if it can not relabel the tty when selinux is + * in permissive mode. + */ +static int relabel_tty(const char *ttyn, security_context_t new_context, + security_context_t *tty_context, + security_context_t *new_tty_context) +{ + int fd; + int enforcing = security_getenforce(); + security_context_t tty_con = NULL; + security_context_t new_tty_con = NULL; + + if (enforcing < 0) { + fprintf(stderr, _("Could not determine enforcing mode.\n")); + return -1; + } + + /* Re-open TTY descriptor */ + fd = open(ttyn, O_RDWR); + if (fd < 0) { + fprintf(stderr, _("Error! Could not open %s.\n"), ttyn); + return fd; + } + + if (fgetfilecon(fd, &tty_con) < 0) { + fprintf(stderr, _("%s! Could not get current context " + "for %s, not relabeling tty.\n"), + enforcing ? "Error" : "Warning", ttyn); + if (enforcing) + goto close_fd; + } + + if (tty_con && + (security_compute_relabel(new_context, tty_con, + SECCLASS_CHR_FILE, &new_tty_con) < 0)) { + fprintf(stderr, _("%s! Could not get new context for %s, " + "not relabeling tty.\n"), + enforcing ? "Error" : "Warning", ttyn); + if (enforcing) + goto close_fd; + } + + if (new_tty_con) + if (fsetfilecon(fd, new_tty_con) < 0) { + fprintf(stderr, + _("%s! Could not set new context for %s\n"), + enforcing ? "Error" : "Warning", ttyn); + freecon(new_tty_con); + new_tty_con = NULL; + if (enforcing) + goto close_fd; + } + + *tty_context = tty_con; + *new_tty_context = new_tty_con; + return fd; + +close_fd: + freecon(tty_con); + close(fd); + return -1; +} + +/** + * This function attempts to revert the relabeling done to the tty. 
+ * fd - referencing the opened ttyn + * ttyn - name of tty to restore + * tty_context - original context of the tty + * new_tty_context - context tty was relabeled to + * + * Returns zero on success, non-zero otherwise + */ +static int restore_tty_label(int fd, const char *ttyn, + security_context_t tty_context, + security_context_t new_tty_context) +{ + int rc = 0; + security_context_t chk_tty_context = NULL; + + if (!new_tty_context) + goto skip_relabel; + + /* Verify that the tty still has the context set by newrole. */ + if ((rc = fgetfilecon(fd, &chk_tty_context)) < 0) { + fprintf(stderr, "Could not fgetfilecon %s.\n", ttyn); + goto skip_relabel; + } + + if ((rc = strcmp(chk_tty_context, new_tty_context))) { + fprintf(stderr, _("%s changed labels.\n"), ttyn); + goto skip_relabel; + } + + if ((rc = fsetfilecon(fd, tty_context)) < 0) + fprintf(stderr, + _("Warning! Could not restore context for %s\n"), ttyn); +skip_relabel: + freecon(chk_tty_context); + return rc; +} + + +/** * Take care of any signal setup */ static int set_signal_handles() @@ -558,7 +665,6 @@ security_context_t old_context = NULL; /* our original securiy context */ security_context_t tty_context = NULL; /* The current context of tty file */ security_context_t new_tty_context = NULL; /* The new context of tty file */ - security_context_t chk_tty_context = NULL; context_t context; /* manipulatable form of new_context */ @@ -580,6 +686,7 @@ pid_t childPid = 0; int fd, rc; int enforcing; + char *shell_argv0 = NULL; #ifdef USE_PAM int pam_status; /* pam return code */ 
@@ -855,110 +962,77 @@ } /* + * Step 3: Handle relabeling of the tty. * - * Step 4: Handle relabeling of the tty. + * Once we authenticate the user, we know that we want to proceed with + * the action. Prior to this point, no changes are made the to system. + */ + fd = relabel_tty(ttyn, new_context, &tty_context, &new_tty_context); + if (fd < 0) + goto err_close_pam; + + /* + * Step 4: Fork * + * Fork, allowing parent to clean up after shell has executed. + * Child: reopen stdin, stdout, stderr and exec shell + * Parnet: wait for child to die and restore tty's context */ - - /* Re-open TTY descriptor */ - fd = open(ttyn, O_RDWR); - if (fd < 0) { - fprintf(stderr, _("Error! Could not open %s.\n"), ttyn); - exit(-1); - } - - tty_context = NULL; - if (fgetfilecon(fd, &tty_context) < 0) { - fprintf(stderr, - _ - ("%s! Could not get current context for %s, not relabeling tty.\n"), - enforcing ? "Error" : "Warning", ttyn); - if (enforcing) - exit(-1); - } -#ifdef CANTSPELLGDB - if (tty_context) - printf("Your tty %s was labeled with context %s\n", ttyn, - tty_context); -#endif - - new_tty_context = NULL; - if (tty_context - && - (security_compute_relabel - (new_context, tty_context, SECCLASS_CHR_FILE, - &new_tty_context) < 0)) { - fprintf(stderr, - _ - ("%s! Could not get new context for %s, not relabeling tty.\n"), - enforcing ? "Error" : "Warning", ttyn); - if (enforcing) - exit(-1); - } -#ifdef CANTSPELLGDB - if (new_tty_context) - printf("Relabeling tty %s to context %s\n", ttyn, - new_tty_context); -#endif - - if (new_tty_context) { - if (fsetfilecon(fd, new_tty_context) < 0) { - fprintf(stderr, - _("%s! Could not set new context for %s\n"), - enforcing ? 
"Error" : "Warning", ttyn); - freecon(new_tty_context); - new_tty_context = NULL; - if (enforcing) - exit(-1); - } - } - - /* Fork, allowing parent to clean up after shell has executed */ childPid = fork(); if (childPid < 0) { + /* fork failed, no child to worry about */ int errsv = errno; fprintf(stderr, _("newrole: failure forking: %s"), strerror(errsv)); - if (fsetfilecon(fd, tty_context) < 0) - fprintf(stderr, - _ - ("Warning! Could not restore context for %s\n"), - ttyn); - freecon(tty_context); - exit(-1); + if (restore_tty_label(fd, ttyn, tty_context, new_tty_context)) + fprintf(stderr, _("Unable to restore tty label...\n")); + if (close(fd)) + fprintf(stderr, _("Failed to close tty properly\n")); + goto err_close_pam; } else if (childPid) { - /* PARENT */ + /* PARENT + * It doesn't make senes to exit early on errors at this point, + * since we are doing cleanup which needs to be done. + * We can exit with a bad rc though + */ int rc; + int exit_code = 0; + do { rc = wait(NULL); } while (rc < 0 && errno == EINTR); - if (!new_tty_context || !tty_context) - exit(0); - - /* Verify that the tty still has the context set by newrole. 
*/ - if (fgetfilecon(fd, &chk_tty_context) < 0) { - fprintf(stderr, "Could not fgetfilecon %s.\n", ttyn); - exit(-1); + if (restore_tty_label(fd, ttyn, tty_context, new_tty_context)) { + fprintf(stderr, _("Unable to restore tty label...\n")); + exit_code = -1; } - - if (strcmp(chk_tty_context, new_tty_context)) { - fprintf(stderr, _("%s changed labels.\n"), ttyn); - exit(-1); + freecon(tty_context); + freecon(new_tty_context); + if (close(fd)) { + fprintf(stderr, _("Failed to close tty properly\n")); + exit_code = -1; } - - freecon(new_tty_context); - -#ifdef CANTSPELLGDB - printf("Restoring tty %s back to context %s\n", ttyn, - tty_context); +#ifdef USE_PAM +#ifdef NAMESPACE_PRIV + pam_status = pam_close_session(pam_handle,0); + if (pam_status != PAM_SUCCESS) { + fprintf(stderr, "pam_close_session failed with %s\n", + pam_strerror(pam_handle, pam_status)); + exit_code = -1; + } #endif - - fsetfilecon(fd, tty_context); - freecon(tty_context); - - /* Done! */ - exit(0); + rc = pam_end(pam_handle, pam_status); + if (rc != PAM_SUCCESS) { + fprintf(stderr, "pam_end failed with %s\n", + pam_strerror(pam_handle, rc)); + exit_code = -1; + } +#endif + free(pw.pw_name); + free(pw.pw_dir); + free(pw.pw_shell); + free(shell_argv0); + return exit_code; } /* CHILD */ @@ -1035,5 +1109,6 @@ free(pw.pw_name); free(pw.pw_dir); free(pw.pw_shell); + free(shell_argv0); return -1; } /* main() */ This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
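Review bot: relabel_tty() reopens the terminal by name with open(ttyn, O_RDWR) and then relabels whatever that descriptor refers to, without checking that it is a character device or the same device as fd 0, which is what ttyname(0) resolved in main(). Since this series prepares newrole to run suid, add an fstat() comparison against fd 0 (or at least an isatty(fd) check) before fsetfilecon(). Minor: "Could not fgetfilecon %s.\n" in restore_tty_label() is the only message in the two new functions that is not wrapped in _().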
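Review bot: In the parent branch of the fork hunk (@@ -855,110 +962,77 @@) the context line "int rc;" shadows the function-scope rc declared by "int fd, rc;", and the added pam_end() call stores its result in the inner one; drop the inner declaration. The parent's return path frees tty_context, new_tty_context and the pw fields but not old_context or new_context, which the err_free label releases, so either share that cleanup or say why they are skipped. Comment typos in the same hunk: "Parnet", "senes", "made the to system".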
From: <ssm...@us...> - 2006-11-13 23:52:01
Revision: 2081
          http://svn.sourceforge.net/selinux/?rev=2081&view=rev
Author:   ssmalley
Date:     2006-11-13 15:51:59 -0800 (Mon, 13 Nov 2006)

Log Message:
-----------
Author: Michael C Thompson
Email: tho...@us...
Subject: make newrole suid (take 3)
Date: Thu, 02 Nov 2006 19:05:37 -0600

Michael C Thompson wrote:
> The 8 patches are as follows:
> 1) Modifications to Makefile to support future patch needs
>    Add newrole-lspp.pamd
> 2) New extract_pw_data function and use in main()
> 3) Add signal handler function
> 4) Update drop_capabilities() and use in main()
> 5) Update the authentication functions and use in main()
>    Add cleanup since pam_start is now left till program end

This is the 5th of 8 patches.

This patch applies against policycoreutils-1.30.30-1.

This patch updates the authentication functions so that they are cleaner,
and moves pam_start() into main() in prep for namespace support.

Changes:
* Updates the authentication functions
  - Notably, pam_start is now done in main()
  - Removed a lot of very obvious comments and clutter
* Adds pam variables to main()
* Adds pam_start() to main()
* Adds cleanup gotos to main() for pam_end() and missing frees

Signed-off-by: Michael Thompson <tho...@us...>

Modified Paths:
--------------
    trunk/policycoreutils/newrole/newrole.c

Modified: trunk/policycoreutils/newrole/newrole.c =================================================================== --- trunk/policycoreutils/newrole/newrole.c 2006-11-13 23:50:09 UTC (rev 2080) +++ trunk/policycoreutils/newrole/newrole.c 2006-11-13 23:51:59 UTC (rev 2081) 
@@ -150,16 +150,11 @@ * All PAM code goes in this section. * ************************************************************************/ - -#include <unistd.h> /* for getuid(), exit(), getopt() */ - #include <security/pam_appl.h> /* for PAM functions */ #include <security/pam_misc.h> /* for misc_conv PAM utility function */ #define SERVICE_NAME "newrole" /* the name of this program for PAM */ -int authenticate_via_pam(const struct passwd *, const char *); - /* authenticate_via_pam() * * in: pw - struct containing data from our user's line in 
@@ -173,63 +168,39 @@ * This function uses PAM to authenticate the user running this * program. This is the only function in this program that makes PAM * calls. - * */ - -int authenticate_via_pam(const struct passwd *pw, const char *ttyn) +int authenticate_via_pam(const char *ttyn, pam_handle_t *pam_handle) { - int result = 0; /* our result, set to 0 (not authenticated) by default */ - int rc; /* pam return code */ - pam_handle_t *pam_handle; /* opaque handle used by all PAM functions */ + int result = 0; /* set to 0 (not authenticated) by default */ + int pam_rc; /* pam return code */ const char *tty_name; - /* This is a jump table of functions for PAM to use when it wants to * - * communicate with the user. We'll be using misc_conv(), which is * - * provided for us via pam_misc.h. */ - struct pam_conv pam_conversation = { - misc_conv, - NULL - }; - - /* Make `p_pam_handle' a valid PAM handle so we can use it when * - * calling PAM functions. */ - rc = pam_start(SERVICE_NAME, - pw->pw_name, &pam_conversation, &pam_handle); - if (rc != PAM_SUCCESS) { - fprintf(stderr, _("failed to initialize PAM\n")); - exit(-1); - } - if (strncmp(ttyn, "/dev/", 5) == 0) tty_name = ttyn + 5; else tty_name = ttyn; - rc = pam_set_item(pam_handle, PAM_TTY, tty_name); - if (rc != PAM_SUCCESS) { + pam_rc = pam_set_item(pam_handle, PAM_TTY, tty_name); + if (pam_rc != PAM_SUCCESS) { fprintf(stderr, _("failed to set PAM_TTY\n")); goto out; } /* Ask PAM to authenticate the user running this program */ - rc = pam_authenticate(pam_handle, 0); - if (rc != PAM_SUCCESS) { + pam_rc = pam_authenticate(pam_handle, 0); + if (pam_rc != PAM_SUCCESS) { goto out; } /* Ask PAM to verify acct_mgmt */ - rc = pam_acct_mgmt(pam_handle, 0); - if (rc == PAM_SUCCESS) { + pam_rc = pam_acct_mgmt(pam_handle, 0); + if (pam_rc == PAM_SUCCESS) { result = 1; /* user authenticated OK! */ } - /* We're done with PAM. Free `pam_handle'. 
*/ out: - pam_end(pam_handle, rc); - - return (result); - + return result; } /* authenticate_via_pam() */ #else /* else !USE_PAM */ @@ -239,19 +210,14 @@ * All shadow passwd code goes in this section. * ************************************************************************/ - -#include <unistd.h> /* for getuid(), exit(), crypt() */ #include <shadow.h> /* for shadow passwd functions */ #include <string.h> /* for strlen(), memset() */ #define PASSWORD_PROMPT _("Password:") /* prompt for getpass() */ -int authenticate_via_shadow_passwd(const struct passwd *); - /* authenticate_via_shadow_passwd() * - * in: pw - struct containing data from our user's line in - * the passwd file. + * in: uname - the calling user's user name * out: nothing * return: value condition * ----- --------- 
@@ -261,48 +227,34 @@ * * This function uses the shadow passwd file to thenticate the user running * this program. - * */ - -int authenticate_via_shadow_passwd(const struct passwd *pw) +int authenticate_via_shadow_passwd(const char *uname) { + struct spwd *p_shadow_line; + char *unencrypted_password_s; + char *encrypted_password_s; - struct spwd *p_shadow_line; /* struct derived from shadow passwd file line */ - char *unencrypted_password_s; /* unencrypted password input by user */ - char *encrypted_password_s; /* user's password input after being crypt()ed */ - - /* Make `p_shadow_line' point to the data from the current user's * - * line in the shadow passwd file. */ - setspent(); /* Begin access to the shadow passwd file. */ - p_shadow_line = getspnam(pw->pw_name); - endspent(); /* End access to the shadow passwd file. */ + setspent(); + p_shadow_line = getspnam(uname); + endspent(); if (!(p_shadow_line)) { - fprintf(stderr, - _ - ("Cannot find your entry in the shadow passwd file.\n")); - exit(-1); + fprintf(stderr, _("Cannot find your entry in the shadow " + "passwd file.\n")); + return 0; } /* Ask user to input unencrypted password */ if (!(unencrypted_password_s = getpass(PASSWORD_PROMPT))) { fprintf(stderr, _("getpass cannot open /dev/tty\n")); - exit(-1); + return 0; } - /* Use crypt() to encrypt user's input password. Clear the * - * unencrypted password as soon as we're done, so it is not * - * visible to memory snoopers. */ + /* Use crypt() to encrypt user's input password. */ encrypted_password_s = crypt(unencrypted_password_s, p_shadow_line->sp_pwdp); memset(unencrypted_password_s, 0, strlen(unencrypted_password_s)); - - /* Return 1 (authenticated) iff the encrypted version of the user's * - * input password matches the encrypted password stored in the * - * shadow password file. */ return (!strcmp(encrypted_password_s, p_shadow_line->sp_pwdp)); - -} /* authenticate_via_shadow_passwd() */ - +} #endif /* if/else USE_PAM */ /* 
@@ -626,10 +578,22 @@ char *level_s = NULL; /* level spec'd by user in argv[] */ char *ttyn = NULL; /* tty path */ pid_t childPid = 0; - uid_t uid; - int fd; + int fd, rc; int enforcing; +#ifdef USE_PAM + int pam_status; /* pam return code */ + pam_handle_t *pam_handle; /* opaque handle used by all PAM functions */ + + /* This is a jump table of functions for PAM to use when it wants to * + * communicate with the user. We'll be using misc_conv(), which is * + * provided for us via pam_misc.h. */ + struct pam_conv pam_conversation = { + misc_conv, + NULL + }; +#endif + /* * Step 0: Setup * @@ -771,26 +735,6 @@ exit(-1); } - /* - * Determine the Linux user identity to re-authenticate. - * If supported and set, use the login uid, as this should be more stable. - * Otherwise, use the real uid. - * The SELinux user identity is no longer used, as Linux users are now - * mapped to SELinux users via seusers and the SELinux user identity space - * is separate. - */ -#ifdef USE_AUDIT - uid = audit_getloginuid(); - if (uid == (uid_t) - 1) - uid = getuid(); -#else - uid = getuid(); -#endif - - /* Get the passwd info for the Linux user identity. */ - if (extract_pw_data(&pw)) - return -1; - /* Get the tty name. Pam will need it. */ ttyn = ttyname(0); if (!ttyn || *ttyn == '\0') { 
@@ -799,28 +743,36 @@ exit(-1); } - printf(_("Authenticating %s.\n"), pw.pw_name); + /* Get the passwd info for the Linux user identity. */ + if (extract_pw_data(&pw)) + return -1; - /* + /* + * Step 2: Authenticate the user. + * * Re-authenticate the user running this program. * This is just to help confirm user intent (vs. invocation by * malicious software), not to authorize the operation (which is covered * by policy). Trusted path mechanism would be preferred. */ + printf(_("Authenticating %s.\n"), pw.pw_name); #ifdef USE_PAM - if (!authenticate_via_pam(&pw, ttyn)) -#else /* !USE_PAM */ - if (!authenticate_via_shadow_passwd(&pw)) -#endif /* if/else USE_PAM */ + pam_status = pam_start(SERVICE_NAME, pw.pw_name, &pam_conversation, + &pam_handle); + if (pam_status != PAM_SUCCESS) { + fprintf(stderr, _("failed to initialize PAM\n")); + goto err_free; + } + + if (!authenticate_via_pam(ttyn, pam_handle)) +#else + if (!authenticate_via_shadow_passwd(pw.pw_name)) +#endif { fprintf(stderr, _("newrole: incorrect password for %s\n"), pw.pw_name); - return (-1); + goto err_close_pam; } - /* If we reach here, then we have authenticated the user. */ -#ifdef CANTSPELLGDB - printf("You are authenticated!\n"); -#endif /* * 
@@ -1062,7 +1014,26 @@ freecon(old_context); execv(pw.pw_shell, argv + optind - 1); - /* If we reach here, then we failed to exec the new shell. */ + /* + * Error path cleanup + * + * If we reach here, then we failed to exec the new shell. + */ perror(_("failed to exec shell\n")); - return (-1); +err_close_pam: +#ifdef USE_PAM + rc = pam_end(pam_handle, pam_status); + if (rc != PAM_SUCCESS) + fprintf(stderr, "pam_end failed with %s\n", + pam_strerror(pam_handle, rc)); +#endif +err_free: + freecon(tty_context); + freecon(new_tty_context); + freecon(old_context); + freecon(new_context); + free(pw.pw_name); + free(pw.pw_dir); + free(pw.pw_shell); + return -1; } /* main() */ This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
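Review bot: authenticate_via_shadow_passwd() passes the crypt() result straight to strcmp(); crypt() returns NULL on failure, so check encrypted_password_s before the comparison and return 0 (not authenticated) in that case. The hunk also removes the comment explaining why the cleartext buffer is cleared with memset(); keep a one-line note there, since that is the one line whose purpose is not obvious from the code.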
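Review bot: err_close_pam calls pam_end(pam_handle, pam_status), but pam_status only ever holds the pam_start() result now that authenticate_via_pam() keeps its return codes in the local pam_rc and returns just 0 or 1. After a failed pam_authenticate() or pam_acct_mgmt(), pam_end() is therefore told PAM_SUCCESS. Have authenticate_via_pam() hand back the last PAM code (for example through an int * out-parameter) and pass that to pam_end().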
From: <ssm...@us...> - 2006-11-13 23:50:11
Revision: 2080
          http://svn.sourceforge.net/selinux/?rev=2080&view=rev
Author:   ssmalley
Date:     2006-11-13 15:50:09 -0800 (Mon, 13 Nov 2006)

Log Message:
-----------
Author: Michael C Thompson
Email: tho...@us...
Subject: make newrole suid (take 3)
Date: Thu, 02 Nov 2006 19:05:00 -0600

Michael C Thompson wrote:
> The 8 patches are as follows:
> 1) Modifications to Makefile to support future patch needs
>    Add newrole-lspp.pamd
> 2) New extract_pw_data function and use in main()
> 3) Add signal handler function
> 4) Update drop_capabilities() and use in main()

This is the 4th of 8 patches.

This patch applies against policycoreutils-1.30.30-1.

This patch expands the drop_capabilities functionality to support
various compile-time options (with audit, with namespace, or neither).

Changes:
* Splits drop_capabilities into three versions (compile time option):
  - 'No-cap' version, returns true
  - 'audit-only' version, retains only CAP_AUDIT_WRITE
    Enable with AUDIT_LOG_PRIV=y
  - 'namespace+' version, retains CAP_AUDIT_WRITE, CAP_SYS_ADMIN and
    more to allow namespace actions
    Enable with NAMESPACE_PRIV = y
* main() calls drop_capabilities unconditionally

Signed-off-by: Michael Thompson <tho...@us...>

Modified Paths:
--------------
    trunk/policycoreutils/newrole/newrole.c

Modified: trunk/policycoreutils/newrole/newrole.c =================================================================== --- trunk/policycoreutils/newrole/newrole.c 2006-11-13 23:48:36 UTC (rev 2079) +++ trunk/policycoreutils/newrole/newrole.c 2006-11-13 23:50:09 UTC (rev 2080) 
@@ -387,68 +387,139 @@ return -1; } -/* +/** * This function will drop the capabilities so that we are left * only with access to the audit system. If the user is root, we leave * the capabilities alone since they already should have access to the * audit netlink socket. + * + * Returns zero on success, non-zero otherwise */ -#ifdef LOG_AUDIT_PRIV -static void drop_capabilities(void) +#if defined(AUDIT_LOG_PRIV) && !defined(NAMESPACE_PRIV) +static int drop_capabilities(void) { + int rc = 0; + cap_t new_caps, tmp_caps; + cap_value_t cap_list[] = { CAP_AUDIT_WRITE }; + cap_value_t tmp_cap_list[] = { CAP_AUDIT_WRITE, CAP_SETUID }; uid_t uid = getuid(); - if (uid) { /* Non-root path */ - cap_t new_caps, tmp_caps; - cap_value_t cap_list[] = { CAP_AUDIT_WRITE }; - cap_value_t tmp_cap_list[] = { CAP_AUDIT_WRITE, CAP_SETUID }; + if (!uid) + return 0; - new_caps = cap_init(); - tmp_caps = cap_init(); - if (!new_caps || !tmp_caps) { - fprintf(stderr, - _("Error initing capabilities, aborting.\n")); - exit(-1); - } - cap_set_flag(new_caps, CAP_PERMITTED, 1, cap_list, CAP_SET); - cap_set_flag(new_caps, CAP_EFFECTIVE, 1, cap_list, CAP_SET); - cap_set_flag(tmp_caps, CAP_PERMITTED, 2, tmp_cap_list, CAP_SET); - cap_set_flag(tmp_caps, CAP_EFFECTIVE, 2, tmp_cap_list, CAP_SET); + /* Non-root caller, suid root path */ + new_caps = cap_init(); + tmp_caps = cap_init(); + if (!new_caps || !tmp_caps) { + fprintf(stderr, _("Error initing capabilities, aborting.\n")); + return -1; + } + rc |= cap_set_flag(new_caps, CAP_PERMITTED, 1, cap_list, CAP_SET); + rc |= cap_set_flag(new_caps, CAP_EFFECTIVE, 1, cap_list, CAP_SET); + rc |= cap_set_flag(tmp_caps, CAP_PERMITTED, 2, tmp_cap_list, CAP_SET); + rc |= cap_set_flag(tmp_caps, CAP_EFFECTIVE, 2, tmp_cap_list, CAP_SET); + if (rc) { + fprintf(stderr, _("Error setting capabilities, aborting\n")); + goto out; + } - /* Keep capabilities across uid change */ - prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0); + /* Keep capabilities across uid change */ + if 
(prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0)) { + fprintf(stderr, _("Error setting KEEPCAPS, aborting\n")); + rc = -1; + goto out; + } - /* We should still have root's caps, so drop most capabilities now */ - if (cap_set_proc(tmp_caps)) { - fprintf(stderr, - _("Error dropping capabilities, aborting\n")); - exit(-1); - } - cap_free(tmp_caps); + /* Does this temporary change really buy us much? */ + /* We should still have root's caps, so drop most capabilities now */ + if ((rc = cap_set_proc(tmp_caps))) { + fprintf(stderr, _("Error dropping capabilities, aborting\n")); + goto out; + } - /* Change uid */ - if (setresuid(uid, uid, uid)) { - fprintf(stderr, _("Error changing uid, aborting.\n")); - exit(-1); - } + /* Change uid */ + if ((rc = setresuid(uid, uid, uid))) { + fprintf(stderr, _("Error changing uid, aborting.\n")); + goto out; + } - /* Now get rid of this ability */ - if (prctl(PR_SET_KEEPCAPS, 0, 0, 0, 0) < 0) { - fprintf(stderr, - _("Error resetting KEEPCAPS, aborting\n")); - exit(-1); - } + /* Now get rid of this ability */ + if ((rc = prctl(PR_SET_KEEPCAPS, 0, 0, 0, 0) < 0)) { + fprintf(stderr, _("Error resetting KEEPCAPS, aborting\n")); + goto out; + } - /* Finish dropping capabilities. */ - if (cap_set_proc(new_caps)) { - fprintf(stderr, - _ - ("Error dropping SETUID capability, aborting\n")); - exit(-1); - } - cap_free(new_caps); + /* Finish dropping capabilities. */ + if ((rc = cap_set_proc(new_caps))) { + fprintf(stderr, + _("Error dropping SETUID capability, aborting\n")); + goto out; } +out: + if (cap_free(tmp_caps) || cap_free(new_caps)) + fprintf(stderr, _("Error freeing caps\n")); + return rc; } +#elif defined(NAMESPACE_PRIV) +/** + * This function will drop the capabilities so that we are left + * only with access to the audit system and the ability to raise + * CAP_SYS_ADMIN, CAP_DAC_OVERRIDE, CAP_FOWNER and CAP_CHOWN, + * before invoking pam_namespace. 
These capabilities are needed + * for performing bind mounts/unmounts and to create potential new + * instance directories with appropriate DAC attributes. If the + * user is root, we leave the capabilities alone since they already + * should have access to the audit netlink socket and should have + * the ability to create/mount/unmount instance directories. + * + * Returns zero on success, non-zero otherwise + */ +static int drop_capabilities(void) +{ + int rc = 0; + cap_t new_caps; + cap_value_t cap_list[] = { CAP_AUDIT_WRITE, CAP_SETUID, + CAP_SYS_ADMIN, CAP_FOWNER, CAP_CHOWN, + CAP_DAC_OVERRIDE }; + + if (!getuid()) + return 0; + + /* Non-root caller, suid root path */ + new_caps = cap_init(); + if (!new_caps) { + fprintf(stderr, _("Error initing capabilities, aborting.\n")); + return -1; + } + rc |= cap_set_flag(new_caps, CAP_PERMITTED, 6, cap_list, CAP_SET); + rc |= cap_set_flag(new_caps, CAP_EFFECTIVE, 6, cap_list, CAP_SET); + if (rc) { + fprintf(stderr, _("Error setting capabilities, aborting\n")); + goto out; + } + + /* Ensure that caps are dropped after setuid call */ + if ((rc = prctl(PR_SET_KEEPCAPS, 0, 0, 0, 0) < 0)) { + fprintf(stderr, _("Error resetting KEEPCAPS, aborting\n")); + goto out; + } + + /* We should still have root's caps, so drop most capabilities now */ + if ((rc = cap_set_proc(new_caps))) { + fprintf(stderr, _("Error dropping capabilities, aborting\n")); + goto out; + } +out: + if (cap_free(new_caps)) + fprintf(stderr, _("Error freeing caps\n")); + return rc; +} + +#else +static inline int drop_capabilities(void) +{ + return 0; +} #endif #ifdef LOG_AUDIT_PRIV 
@@ -559,10 +630,15 @@ int fd; int enforcing; -#ifdef LOG_AUDIT_PRIV - drop_capabilities(); -#endif - + /* + * Step 0: Setup + * + * Do some intial setup, including dropping capabilities, checking + * if it makes sense to continue to run newrole, and setting up + * a scrubbed environment. + */ + if (drop_capabilities()) + return -1; if (set_signal_handles()) return -1; This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
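Review bot: In the @@ -387,68 +387,139 @@ hunk, both KEEPCAPS reset checks are written as "if ((rc = prctl(PR_SET_KEEPCAPS, 0, 0, 0, 0) < 0))", so rc receives the result of the comparison (0 or 1) rather than prctl()'s return value, because < binds tighter than =. The failure is still reported as non-zero, but it reads as a misplaced parenthesis and differs from the other checks; "if ((rc = prctl(PR_SET_KEEPCAPS, 0, 0, 0, 0)) < 0)" or the "rc = -1" form used for the first prctl() call would be clearer. Two smaller points in the same hunk: at the out: label "cap_free(tmp_caps) || cap_free(new_caps)" skips the second free when the first one fails, and the early "return -1" after cap_init() does not free whichever set was allocated. The NAMESPACE_PRIV comment lists CAP_SYS_ADMIN, CAP_DAC_OVERRIDE, CAP_FOWNER and CAP_CHOWN while cap_list also keeps CAP_SETUID and the function makes no setresuid() call, so the comment should say where the uid change and the final drop are expected to happen.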
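Review bot: In the @@ -559,10 +630,15 @@ hunk, main() now calls drop_capabilities() without the LOG_AUDIT_PRIV guard, but the first hunk only provides a real implementation under AUDIT_LOG_PRIV or NAMESPACE_PRIV, so a build that still defines only LOG_AUDIT_PRIV gets the inline stub that returns 0 and drops nothing. The context line after the first hunk's #endif still shows "#ifdef LOG_AUDIT_PRIV", so the old name is still present in the file; either treat LOG_AUDIT_PRIV as an alias for AUDIT_LOG_PRIV or fail the build when only the old macro is set. The new Step 0 comment also mentions checking whether it makes sense to continue and setting up a scrubbed environment, neither of which appears in this hunk, and "intial" should read "initial".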
From: <ssm...@us...> - 2006-11-13 23:48:37
|
Revision: 2079 http://svn.sourceforge.net/selinux/?rev=2079&view=rev Author: ssmalley Date: 2006-11-13 15:48:36 -0800 (Mon, 13 Nov 2006) Log Message: ----------- Author: Michael C Thompson Email: tho...@us... Subject: make newrole suid (take 3) Date: Thu, 02 Nov 2006 19:04:20 -0600 Michael C Thompson wrote: > The 8 patches are as follows: > 1) Modifications to Makefile to support future patch needs > Add newrole-lspp.pamd > 2) New extract_pw_data function and use in main() > 3) Add signal handler function This is the 3rd of 8 patches. This patch applies against policycoreutils-1.30.30-1. This patch moves the signal handler setup from main() into a new function. Changes: * Adds set_signal_handles() and uses it in main() Signed-off-by: Michael Thompson <tho...@us...> Modified Paths: -------------- trunk/policycoreutils/newrole/newrole.c Modified: trunk/policycoreutils/newrole/newrole.c =================================================================== --- trunk/policycoreutils/newrole/newrole.c 2006-11-13 23:47:17 UTC (rev 2078) +++ trunk/policycoreutils/newrole/newrole.c 2006-11-13 23:48:36 UTC (rev 2079) @@ -498,6 +498,30 @@ } #endif +/** + * Take care of any signal setup + */ +static int set_signal_handles() +{ + sigset_t empty; + + /* Empty the signal mask in case someone is blocking a signal */ + if (sigemptyset(&empty)) { + fprintf(stderr, _("Unable to obtain empty signal set\n")); + return -1; + } + + (void)sigprocmask(SIG_SETMASK, &empty, NULL); + + /* Terminate on SIGHUP. */ + if (signal(SIGHUP, SIG_DFL) == SIG_ERR) { + fprintf(stderr, _("Unable to set SIGHUP handler\n")); + return -1; + } + + return 0; +} + /************************************************************************ * * All code used for both PAM and shadow passwd goes in this section. 
@@ -534,19 +558,14 @@ uid_t uid; int fd; int enforcing; - sigset_t empty; #ifdef LOG_AUDIT_PRIV drop_capabilities(); #endif - /* Empty the signal mask in case someone is blocking a signal */ - sigemptyset(&empty); - (void)sigprocmask(SIG_SETMASK, &empty, NULL); + if (set_signal_handles()) + return -1; - /* Terminate on SIGHUP. */ - signal(SIGHUP, SIG_DFL); - #ifdef USE_NLS setlocale(LC_ALL, ""); bindtextdomain(PACKAGE, LOCALEDIR); This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
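Review bot: In the @@ -498,6 +498,30 @@ hunk, set_signal_handles() reports failures from sigemptyset() and signal() but still discards the result of "(void)sigprocmask(SIG_SETMASK, &empty, NULL);", which is the call that actually clears the inherited mask. Since the function now has an error return, check sigprocmask() as well and return -1 with a message on failure. The definition should also be written as "static int set_signal_handles(void)"; with empty parentheses it is not a prototype in C.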
From: <ssm...@us...> - 2006-11-13 23:47:22
|
Revision: 2078 http://svn.sourceforge.net/selinux/?rev=2078&view=rev Author: ssmalley Date: 2006-11-13 15:47:17 -0800 (Mon, 13 Nov 2006) Log Message: ----------- Author: Michael C Thompson Email: tho...@us... Subject: make newrole suid (take 3) Date: Thu, 02 Nov 2006 19:03:34 -0600 Michael C Thompson wrote: > The 8 patches are as follows: > 1) Modifications to Makefile to support future patch needs > Add newrole-lspp.pamd > 2) New extract_pw_data function and use in main() This is the 2nd of 8 patches. This patch applies against policycoreutils-1.30.30-1. This patch moves the parse /etc/passwd functionality from main() into a separate function. Changes: * Introduces the extract_pw_data() function and uses it in main() Signed-off-by: Michael Thompson <tho...@us...> Modified Paths: -------------- trunk/policycoreutils/newrole/newrole.c Modified: trunk/policycoreutils/newrole/newrole.c =================================================================== --- trunk/policycoreutils/newrole/newrole.c 2006-11-13 23:45:08 UTC (rev 2077) +++ trunk/policycoreutils/newrole/newrole.c 2006-11-13 23:47:17 UTC (rev 2078) 
@@ -332,6 +332,61 @@ return found; } +/** + * Determine the Linux user identity to re-authenticate. + * If supported and set, use the login uid, as this should be more stable. + * Otherwise, use the real uid. + * + * This function assigns malloc'd memory into the pw_copy struct. + * Returns zero on success, non-zero otherwise + */ +int extract_pw_data(struct passwd *pw_copy) +{ + uid_t uid; + struct passwd *pw; + +#ifdef USE_AUDIT + uid = audit_getloginuid(); + if (uid == (uid_t) - 1) + uid = getuid(); +#else + uid = getuid(); +#endif + + setpwent(); + pw = getpwuid(uid); + endpwent(); + if (!(pw && pw->pw_name && pw->pw_name[0] && pw->pw_shell + && pw->pw_shell[0] && pw->pw_dir && pw->pw_dir[0])) { + fprintf(stderr, + _("cannot find valid entry in the passwd file.\n")); + return -1; + } + + *pw_copy = *pw; + pw = pw_copy; + pw->pw_name = strdup(pw->pw_name); + pw->pw_dir = strdup(pw->pw_dir); + pw->pw_shell = strdup(pw->pw_shell); + + if (! (pw->pw_name && pw->pw_dir && pw->pw_shell)) { + fprintf(stderr, _("Out of memory!\n")); + goto out_free; + } + + if (verify_shell(pw->pw_shell) == 0) { + fprintf(stderr, _("Error! Shell is not valid.\n")); + goto out_free; + } + return 0; + +out_free: + free(pw->pw_name); + free(pw->pw_dir); + free(pw->pw_shell); + return -1; +} + /* * This function will drop the capabilities so that we are left * only with access to the audit system. If the user is root, we leave @@ -460,8 +515,7 @@ context_t context; /* manipulatable form of new_context */ - struct passwd *pw; /* struct derived from passwd file line */ - struct passwd pw_copy; + struct passwd pw; /* struct derived from passwd file line */ int clflag; /* holds codes for command line flags */ int flag_index; /* flag index in argv[] */ 
@@ -639,23 +693,9 @@ #endif /* Get the passwd info for the Linux user identity. */ - pw = getpwuid(uid); - if (!pw) { - fprintf(stderr, - _("cannot find your entry in the passwd file.\n")); - exit(-1); - } - pw_copy = *pw; - pw = &pw_copy; - pw->pw_name = xstrdup(pw->pw_name); - pw->pw_dir = xstrdup(pw->pw_dir); - pw->pw_shell = xstrdup(pw->pw_shell); + if (extract_pw_data(&pw)) + return -1; - if (verify_shell(pw->pw_shell) == 0) { - fprintf(stderr, _("Error! Shell is not valid.\n")); - exit(-1); - } - /* Get the tty name. Pam will need it. */ ttyn = ttyname(0); if (!ttyn || *ttyn == '\0') { @@ -664,7 +704,7 @@ exit(-1); } - printf(_("Authenticating %s.\n"), pw->pw_name); + printf(_("Authenticating %s.\n"), pw.pw_name); /* * Re-authenticate the user running this program. @@ -673,13 +713,13 @@ * by policy). Trusted path mechanism would be preferred. */ #ifdef USE_PAM - if (!authenticate_via_pam(pw, ttyn)) + if (!authenticate_via_pam(&pw, ttyn)) #else /* !USE_PAM */ - if (!authenticate_via_shadow_passwd(pw)) + if (!authenticate_via_shadow_passwd(&pw)) #endif /* if/else USE_PAM */ { fprintf(stderr, _("newrole: incorrect password for %s\n"), - pw->pw_name); + pw.pw_name); return (-1); } /* If we reach here, then we have authenticated the user. */ @@ -904,7 +944,7 @@ if (optind < 1) optind = 1; - if (asprintf(&argv[optind - 1], "-%s", pw->pw_shell) < 0) { + if (asprintf(&argv[optind - 1], "-%s", pw.pw_shell) < 0) { fprintf(stderr, _("Error allocating shell.\n")); exit(-1); } @@ -925,7 +965,7 @@ if (send_audit_message(1, old_context, new_context, ttyn)) exit(-1); freecon(old_context); - execv(pw->pw_shell, argv + optind - 1); + execv(pw.pw_shell, argv + optind - 1); /* If we reach here, then we failed to exec the new shell. */ perror(_("failed to exec shell\n")); This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
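Review bot: In the @@ -332,6 +332,61 @@ hunk, "*pw_copy = *pw;" copies every pointer in the struct, but only pw_name, pw_dir and pw_shell are replaced with strdup() copies, so pw_passwd and pw_gecos in the caller's struct keep pointing into getpwuid()'s static storage, which later getpw* calls may overwrite. Either duplicate those two fields as well or set them to NULL if nothing downstream reads them, and state in the function comment which fields the caller owns and must free. The function is also declared without static, unlike drop_capabilities(); "static int extract_pw_data(struct passwd *pw_copy)" would keep it file-local.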
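Review bot: In the @@ -639,23 +693,9 @@ hunk, the removed lookup was "pw = getpwuid(uid);" using main()'s own uid, while extract_pw_data() now works out the uid itself (login uid under USE_AUDIT, otherwise getuid()), so the identity may be determined in two places. If main() still computes uid before this point, either pass it in as a parameter or remove the duplicate so the two cannot disagree. The failure path here is "return -1" while the surrounding context lines still call exit(-1); pick one convention for main().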
From: <ssm...@us...> - 2006-11-13 23:45:12
|
Revision: 2077 http://svn.sourceforge.net/selinux/?rev=2077&view=rev Author: ssmalley Date: 2006-11-13 15:45:08 -0800 (Mon, 13 Nov 2006) Log Message: ----------- Author: Michael C Thompson Email: tho...@us... Subject: make newrole suid (take 3) Date: Thu, 02 Nov 2006 19:02:31 -0600 Michael C Thompson wrote: > The 8 patches are as follows: > 1) Modifications to Makefile to support future patch needs > Add newrole-lspp.pamd This is the 1st of 8 patches. This patch applies against policycoreutils-1.30.30-1. This patch adds the new lspp pam.d support file for namespaces, and includes new compile-time options to the Makefile. Changes: * Makefile now has AUDIT_LOG_PRIV and NAMESPACE_PRIV, as well as LSPP_PRIV (causes both previous to be on) * Adds newrole-lspp.pamd Signed-off-by: Michael Thompson <tho...@us...> Modified Paths: -------------- trunk/policycoreutils/newrole/Makefile Added Paths: ----------- trunk/policycoreutils/newrole/newrole-lspp.pamd Modified: trunk/policycoreutils/newrole/Makefile =================================================================== --- trunk/policycoreutils/newrole/Makefile 2006-10-31 18:39:13 UTC (rev 2076) +++ trunk/policycoreutils/newrole/Makefile 2006-11-13 23:45:08 UTC (rev 2077) 
@@ -10,6 +10,19 @@ # This is so that we have the CAP_AUDIT_WRITE capability. newrole will # shed all privileges and change to the user's uid. LOG_AUDIT_PRIV ?= n + +# Enable capabilities to permit newrole to generate audit records. +# This will make newrole a setuid root program. +# The capabilities used are: CAP_AUDIT_WRITE. +AUDIT_LOG_PRIV ?= n +# Enable capabilities to permit newrole to utilitize the pam_namespace module. +# This will make newrole a setuid root program. +# The capabilities used are: CAP_SYS_ADMIN, CAP_CHOWN, CAP_FOWNER and +# CAP_DAC_OVERRIDE. +NAMESPACE_PRIV ?= n +# If LSPP_PRIV is y, then newrole will be made into setuid root program. +# Enabling this option will force AUDIT_LOG_PRIV and NAMESPACE_PRIV to be y. +LSPP_PRIV ?= n VERSION = $(shell cat ../VERSION) CFLAGS ?= -Werror -Wall -W @@ -26,6 +39,26 @@ override CFLAGS += -DUSE_AUDIT LDLIBS += -laudit endif + +ifeq (${LSPP_PRIV},y) + override AUDIT_LOG_PRIV=y + override NAMESPACE_PRIV=y +endif +ifeq (${AUDIT_LOG_PRIV},y) + override CFLAGS += -DAUDIT_LOG_PRIV + IS_SUID=y +endif +ifeq (${NAMESPACE_PRIV},y) + override CFLAGS += -DNAMESPACE_PRIV + IS_SUID=y +endif +ifeq (${IS_SUID},y) + MODE := 4555 + LDLIBS += -lcap +else + MODE := 0555 +endif + ifeq (${LOG_AUDIT_PRIV},y) override CFLAGS += -DLOG_AUDIT_PRIV LDLIBS += -lcap @@ -46,8 +79,12 @@ install -m 644 newrole.1 $(MANDIR)/man1/ ifeq (${PAMH}, /usr/include/security/pam_appl.h) test -d $(ETCDIR)/pam.d || install -m 755 -d $(ETCDIR)/pam.d +ifeq (${LSPP_PRIV},y) + install -m 644 newrole-lspp.pamd $(ETCDIR)/pam.d/newrole +else install -m 644 newrole.pamd $(ETCDIR)/pam.d/newrole endif +endif clean: rm -f $(TARGETS) *.o Added: trunk/policycoreutils/newrole/newrole-lspp.pamd =================================================================== --- trunk/policycoreutils/newrole/newrole-lspp.pamd (rev 0) +++ trunk/policycoreutils/newrole/newrole-lspp.pamd 2006-11-13 23:45:08 UTC (rev 2077) 
@@ -0,0 +1,5 @@ +#%PAM-1.0 +auth include system-auth +account include system-auth +password include system-auth +session required pam_namespace.so unmnt_remnt no_unmount_on_close This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
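Review bot: In the @@ -10,6 +10,19 @@ Makefile hunk, AUDIT_LOG_PRIV is added directly under the existing LOG_AUDIT_PRIV with almost the same description, and nothing says how the two differ or which one a packager should set. Add a line marking LOG_AUDIT_PRIV as the legacy option (or remove it) so the transposed names are not mistaken for each other. The NAMESPACE_PRIV comment has "utilitize" for "utilize".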
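Review bot: In the @@ -26,6 +39,26 @@ Makefile hunk, IS_SUID is only assigned inside the two ifeq blocks and never given a default, so a value of y inherited from the environment selects MODE := 4555 and -lcap even when neither -DAUDIT_LOG_PRIV nor -DNAMESPACE_PRIV is passed. Initialise it before the conditionals, for example "IS_SUID := n", so the setuid mode can only follow from the two options. None of the hunks shown uses $(MODE); confirm the install rule for the binary picks it up.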
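Review bot: In the @@ -46,8 +79,12 @@ Makefile hunk, newrole-lspp.pamd is installed only when LSPP_PRIV is y, so a build with NAMESPACE_PRIV=y alone gets -DNAMESPACE_PRIV and mode 4555 but the stock newrole.pamd rather than the file carrying the pam_namespace.so session line. Key the choice on NAMESPACE_PRIV instead (LSPP_PRIV already forces it to y), or document that NAMESPACE_PRIV on its own is not a supported configuration.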