diff --git a/policycoreutils-rhat.patch b/policycoreutils-rhat.patch index 4fe274f..62b0a42 100644 --- a/policycoreutils-rhat.patch +++ b/policycoreutils-rhat.patch 
@@ -1,13 +1,117 @@ -diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/audit2allow/audit2allow policycoreutils-2.0.84/audit2allow/audit2allow ---- nsapolicycoreutils/audit2allow/audit2allow 2010-05-19 14:45:51.000000000 -0400 -+++ policycoreutils-2.0.84/audit2allow/audit2allow 2010-11-29 10:07:47.000000000 -0500 +diff -up policycoreutils-2.0.83/audit2allow/audit2allow.1.rhat policycoreutils-2.0.83/audit2allow/audit2allow.1 +--- policycoreutils-2.0.83/audit2allow/audit2allow.1.rhat 2010-06-16 08:04:13.000000000 -0400 ++++ policycoreutils-2.0.83/audit2allow/audit2allow.1 2010-12-07 09:23:49.000000000 -0500 +@@ -1,5 +1,6 @@ + .\" Hey, Emacs! This is an -*- nroff -*- source file. + .\" Copyright (c) 2005 Manoj Srivastava ++.\" Copyright (c) 2010 Dan Walsh + .\" + .\" This is free documentation; you can redistribute it and/or + .\" modify it under the terms of the GNU General Public License as +@@ -22,7 +23,7 @@ + .\" USA. + .\" + .\" +-.TH AUDIT2ALLOW "1" "January 2005" "Security Enhanced Linux" NSA ++.TH AUDIT2ALLOW "1" "October 2010" "Security Enhanced Linux" NSA + .SH NAME + .BR audit2allow + \- generate SELinux policy allow/dontaudit rules from logs of denied operations +@@ -66,6 +67,9 @@ Generate module/require output " + Generate loadable module package, conflicts with -o + .TP ++.B "\-p " | "\-\-policy " ++Policy file to use for analysis ++.TP + .B "\-o " | "\-\-output " + append output to + .I +@@ -117,14 +121,6 @@ an 'allow' rule. + .B Please substitute /var/log/messages for /var/log/audit/audit.log in the + .B examples. 
+ .PP +-.B Using audit2allow to generate monolithic (non-module) policy +-$ cd /etc/selinux/$SELINUXTYPE/src/policy +-$ cat /var/log/audit/audit.log | audit2allow >> domains/misc/local.te +-$ cat domains/misc/local.te +-allow cupsd_config_t unconfined_t:fifo_file { getattr ioctl }; +- +-$ make load +- + .B Using audit2allow to generate module policy + + $ cat /var/log/audit/audit.log | audit2allow -m local > local.te +@@ -132,20 +128,38 @@ $ cat local.te + module local 1.0; + + require { +- role system_r; ++ class file { getattr open read }; + + +- class fifo_file { getattr ioctl }; ++ type myapp_t; ++ type etc_t; ++ }; + + +- type cupsd_config_t; +- type unconfined_t; +- }; ++allow myapp_t etc_t:file { getattr open read }; ++ + ++.B Using audit2allow to generate module policy using reference policy + +-allow cupsd_config_t unconfined_t:fifo_file { getattr ioctl }; ++$ cat /var/log/audit/audit.log | audit2allow -R -m local > local.te ++$ cat local.te ++policy_module(local, 1.0) ++ ++gen_require(` ++ type myapp_t; ++ type etc_t; ++ }; ++ ++files_read_etc_files(myapp_t) + + ++.B Building module policy using Makefile ++ ++# SELinux provides a policy devel environment under /usr/share/selinux/devel ++# You can create a te file and compile it by executing ++$ make -f /usr/share/selinux/devel/Makefile ++$ semodule -i local.pp ++ + .B Building module policy manually + + # Compile the module +@@ -168,6 +182,14 @@ you are required to execute + + semodule -i local.pp + ++.B Using audit2allow to generate monolithic (non-module) policy ++$ cd /etc/selinux/$SELINUXTYPE/src/policy ++$ cat /var/log/audit/audit.log | audit2allow >> domains/misc/local.te ++$ cat domains/misc/local.te ++allow cupsd_config_t unconfined_t:fifo_file { getattr ioctl }; ++ ++$ make load ++ + .fi + .PP + .SH AUTHOR +diff -up policycoreutils-2.0.83/audit2allow/audit2allow.rhat policycoreutils-2.0.83/audit2allow/audit2allow +--- policycoreutils-2.0.83/audit2allow/audit2allow.rhat 2010-06-16 
08:04:13.000000000 -0400 ++++ policycoreutils-2.0.83/audit2allow/audit2allow 2010-12-07 09:23:49.000000000 -0500 @@ -1,4 +1,4 @@ -#! /usr/bin/python -E +#! /usr/bin/python -Es # Authors: Karl MacMillan # # Copyright (C) 2006-2007 Red Hat -@@ -28,6 +28,7 @@ +@@ -28,6 +28,7 @@ import sepolgen.objectmodel as objectmod import sepolgen.defaults as defaults import sepolgen.module as module from sepolgen.sepolgeni18n import _ @@ -15,7 +119,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po class AuditToPolicy: VERSION = "%prog .1" -@@ -46,6 +47,7 @@ +@@ -46,6 +47,7 @@ class AuditToPolicy: help="audit messages since last boot conflicts with -i") parser.add_option("-a", "--all", action="store_true", dest="audit", default=False, help="read input from audit log - conflicts with -i") @@ -23,7 +127,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po parser.add_option("-d", "--dmesg", action="store_true", dest="dmesg", default=False, help="read input from dmesg - conflicts with --all and --input") parser.add_option("-i", "--input", dest="input", -@@ -231,63 +233,44 @@ +@@ -231,63 +233,44 @@ class AuditToPolicy: def __output_audit2why(self): import selinux @@ -99,7 +203,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po print "\t\tMissing role allow rule.\n" print "\t\tAdd an allow rule for the role pair.\n" continue -@@ -350,11 +333,19 @@ +@@ -350,11 +333,19 @@ class AuditToPolicy: def main(self): try: self.__parse_options() 
@@ -119,113 +223,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po if __name__ == "__main__": app = AuditToPolicy() -diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/audit2allow/audit2allow.1 policycoreutils-2.0.84/audit2allow/audit2allow.1 ---- nsapolicycoreutils/audit2allow/audit2allow.1 2010-05-19 14:45:51.000000000 -0400 -+++ policycoreutils-2.0.84/audit2allow/audit2allow.1 2010-11-29 10:07:47.000000000 -0500 -@@ -1,5 +1,6 @@ - .\" Hey, Emacs! This is an -*- nroff -*- source file. - .\" Copyright (c) 2005 Manoj Srivastava -+.\" Copyright (c) 2010 Dan Walsh - .\" - .\" This is free documentation; you can redistribute it and/or - .\" modify it under the terms of the GNU General Public License as -@@ -22,7 +23,7 @@ - .\" USA. - .\" - .\" --.TH AUDIT2ALLOW "1" "January 2005" "Security Enhanced Linux" NSA -+.TH AUDIT2ALLOW "1" "October 2010" "Security Enhanced Linux" NSA - .SH NAME - .BR audit2allow - \- generate SELinux policy allow/dontaudit rules from logs of denied operations -@@ -66,6 +67,9 @@ - .B "\-M " - Generate loadable module package, conflicts with -o - .TP -+.B "\-p " | "\-\-policy " -+Policy file to use for analysis -+.TP - .B "\-o " | "\-\-output " - append output to - .I -@@ -117,14 +121,6 @@ - .B Please substitute /var/log/messages for /var/log/audit/audit.log in the - .B examples. 
- .PP --.B Using audit2allow to generate monolithic (non-module) policy --$ cd /etc/selinux/$SELINUXTYPE/src/policy --$ cat /var/log/audit/audit.log | audit2allow >> domains/misc/local.te --$ cat domains/misc/local.te --allow cupsd_config_t unconfined_t:fifo_file { getattr ioctl }; -- --$ make load -- - .B Using audit2allow to generate module policy - - $ cat /var/log/audit/audit.log | audit2allow -m local > local.te -@@ -132,20 +128,38 @@ - module local 1.0; - - require { -- role system_r; -+ class file { getattr open read }; - - -- class fifo_file { getattr ioctl }; -+ type myapp_t; -+ type etc_t; -+ }; - - -- type cupsd_config_t; -- type unconfined_t; -- }; -+allow myapp_t etc_t:file { getattr open read }; -+ - -+.B Using audit2allow to generate module policy using reference policy - --allow cupsd_config_t unconfined_t:fifo_file { getattr ioctl }; -+$ cat /var/log/audit/audit.log | audit2allow -R -m local > local.te -+$ cat local.te -+policy_module(local, 1.0) -+ -+gen_require(` -+ type myapp_t; -+ type etc_t; -+ }; -+ -+files_read_etc_files(myapp_t) - - -+.B Building module policy using Makefile -+ -+# SELinux provides a policy devel environment under /usr/share/selinux/devel -+# You can create a te file and compile it by executing -+$ make -f /usr/share/selinux/devel/Makefile -+$ semodule -i local.pp -+ - .B Building module policy manually - - # Compile the module -@@ -168,6 +182,14 @@ - - semodule -i local.pp - -+.B Using audit2allow to generate monolithic (non-module) policy -+$ cd /etc/selinux/$SELINUXTYPE/src/policy -+$ cat /var/log/audit/audit.log | audit2allow >> domains/misc/local.te -+$ cat domains/misc/local.te -+allow cupsd_config_t unconfined_t:fifo_file { getattr ioctl }; -+ -+$ make load -+ - .fi - .PP - .SH AUTHOR -diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/audit2allow/sepolgen-ifgen policycoreutils-2.0.84/audit2allow/sepolgen-ifgen ---- 
nsapolicycoreutils/audit2allow/sepolgen-ifgen 2010-05-19 14:45:51.000000000 -0400 -+++ policycoreutils-2.0.84/audit2allow/sepolgen-ifgen 2010-11-29 10:07:47.000000000 -0500 +diff -up policycoreutils-2.0.83/audit2allow/sepolgen-ifgen.rhat policycoreutils-2.0.83/audit2allow/sepolgen-ifgen +--- policycoreutils-2.0.83/audit2allow/sepolgen-ifgen.rhat 2010-06-16 08:04:13.000000000 -0400 ++++ policycoreutils-2.0.83/audit2allow/sepolgen-ifgen 2010-12-07 09:23:49.000000000 -0500 @@ -1,4 +1,4 @@ -#! /usr/bin/python -E +#! /usr/bin/python -Es @@ -243,7 +243,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po import sepolgen.refparser as refparser import sepolgen.defaults as defaults -@@ -35,6 +39,7 @@ +@@ -35,6 +39,7 @@ import sepolgen.interfaces as interfaces VERSION = "%prog .1" @@ -251,7 +251,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po def parse_options(): from optparse import OptionParser -@@ -44,14 +49,43 @@ +@@ -44,14 +49,43 @@ def parse_options(): help="filename to store output") parser.add_option("-i", "--interfaces", dest="headers", default=defaults.headers(), help="location of the interface header files") @@ -295,7 +295,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po def main(): options = parse_options() -@@ -68,6 +102,14 @@ +@@ -68,6 +102,14 @@ def main(): else: log = None @@ -310,7 +310,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po try: headers = refparser.parse_headers(options.headers, output=log, debug=options.debug) except ValueError, e: -@@ -76,7 +118,7 @@ +@@ -76,7 +118,7 @@ def main(): return 1 if_set = interfaces.InterfaceSet(output=log) 
@@ -319,57 +319,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po if_set.to_file(f) f.close() -diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/load_policy/load_policy.c policycoreutils-2.0.84/load_policy/load_policy.c ---- nsapolicycoreutils/load_policy/load_policy.c 2010-05-19 14:45:51.000000000 -0400 -+++ policycoreutils-2.0.84/load_policy/load_policy.c 2010-11-29 10:13:07.000000000 -0500 -@@ -23,6 +23,14 @@ - exit(1); - } - -+char *policy_path(void) { -+ char *path=NULL; -+ if (asprintf(&path, "%s.%d", selinux_binary_policy_path(), security_policyvers()) < 0) { -+ return NULL; -+ } -+ return path; -+} -+ - int main(int argc, char **argv) - { - int ret, opt, quiet = 0, nargs, init=0, enforce=0; -@@ -64,6 +72,7 @@ - "%s: Warning! Boolean file argument (%s) is no longer supported, installed booleans file is always used. Continuing...\n", - argv[0], argv[optind++]); - } -+ errno = 0; - if (init) { - if (is_selinux_enabled() == 1) { - /* SELinux is already enabled, we should not do an initial load again */ -@@ -73,12 +82,18 @@ - exit(2); - } - ret = selinux_init_load_policy(&enforce); -- if (ret != 0 ) { -+ /* selinux_init_load_policy returns -1 if it did not load_policy -+ * On SELinux disabled system it will always return -1 -+ * So check errno to see if anything went wrong -+ */ -+ if (ret < 0 && errno != 0) { - if (enforce > 0) { - /* SELinux in enforcing mode but load_policy failed */ -+ char *path=policy_path(); - fprintf(stderr, -- _("%s: Can't load policy and enforcing mode requested: %s\n"), -- argv[0], strerror(errno)); -+ _("%s: Can't load policy file %s and enforcing mode requested: %s\n"), -+ argv[0], path, strerror(errno)); -+ free(path); - exit(3); - } - } -diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/load_policy/load_policy.c.disable policycoreutils-2.0.84/load_policy/load_policy.c.disable 
---- nsapolicycoreutils/load_policy/load_policy.c.disable 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.84/load_policy/load_policy.c.disable 2010-11-29 10:07:47.000000000 -0500 +diff -up policycoreutils-2.0.83/load_policy/load_policy.c.disable.rhat policycoreutils-2.0.83/load_policy/load_policy.c.disable +--- policycoreutils-2.0.83/load_policy/load_policy.c.disable.rhat 2010-12-07 09:23:49.000000000 -0500 ++++ policycoreutils-2.0.83/load_policy/load_policy.c.disable 2010-12-07 09:23:49.000000000 -0500 @@ -0,0 +1,106 @@ +#include +#include 
@@ -477,19 +429,67 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po + } + exit(0); +} -diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/Makefile policycoreutils-2.0.84/Makefile ---- nsapolicycoreutils/Makefile 2010-06-16 08:03:38.000000000 -0400 -+++ policycoreutils-2.0.84/Makefile 2010-11-29 10:07:47.000000000 -0500 +diff -up policycoreutils-2.0.83/load_policy/load_policy.c.rhat policycoreutils-2.0.83/load_policy/load_policy.c +--- policycoreutils-2.0.83/load_policy/load_policy.c.rhat 2010-06-16 08:04:12.000000000 -0400 ++++ policycoreutils-2.0.83/load_policy/load_policy.c 2010-12-07 09:23:49.000000000 -0500 +@@ -23,6 +23,14 @@ void usage(char *progname) + exit(1); + } + ++char *policy_path(void) { ++ char *path=NULL; ++ if (asprintf(&path, "%s.%d", selinux_binary_policy_path(), security_policyvers()) < 0) { ++ return NULL; ++ } ++ return path; ++} ++ + int main(int argc, char **argv) + { + int ret, opt, quiet = 0, nargs, init=0, enforce=0; +@@ -64,6 +72,7 @@ int main(int argc, char **argv) + "%s: Warning! Boolean file argument (%s) is no longer supported, installed booleans file is always used. 
Continuing...\n", + argv[0], argv[optind++]); + } ++ errno = 0; + if (init) { + if (is_selinux_enabled() == 1) { + /* SELinux is already enabled, we should not do an initial load again */ +@@ -73,12 +82,18 @@ int main(int argc, char **argv) + exit(2); + } + ret = selinux_init_load_policy(&enforce); +- if (ret != 0 ) { ++ /* selinux_init_load_policy returns -1 if it did not load_policy ++ * On SELinux disabled system it will always return -1 ++ * So check errno to see if anything went wrong ++ */ ++ if (ret < 0 && errno != 0) { + if (enforce > 0) { + /* SELinux in enforcing mode but load_policy failed */ ++ char *path=policy_path(); + fprintf(stderr, +- _("%s: Can't load policy and enforcing mode requested: %s\n"), +- argv[0], strerror(errno)); ++ _("%s: Can't load policy file %s and enforcing mode requested: %s\n"), ++ argv[0], path, strerror(errno)); ++ free(path); + exit(3); + } + } +diff -up policycoreutils-2.0.83/Makefile.rhat policycoreutils-2.0.83/Makefile +--- policycoreutils-2.0.83/Makefile.rhat 2010-06-16 08:04:11.000000000 -0400 ++++ policycoreutils-2.0.83/Makefile 2010-12-07 09:23:49.000000000 -0500 
@@ -1,4 +1,4 @@ -SUBDIRS = setfiles semanage load_policy newrole run_init sandbox secon audit2allow audit2why scripts sestatus semodule_package semodule semodule_link semodule_expand semodule_deps setsebool po +SUBDIRS = setfiles semanage semanage/default_encoding load_policy newrole run_init sandbox secon audit2allow audit2why scripts sestatus semodule_package semodule semodule_link semodule_expand semodule_deps sepolgen-ifgen setsebool po gui INOTIFYH = $(shell ls /usr/include/sys/inotify.h 2>/dev/null) -diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/newrole/Makefile policycoreutils-2.0.84/newrole/Makefile ---- nsapolicycoreutils/newrole/Makefile 2010-05-19 14:45:51.000000000 -0400 -+++ policycoreutils-2.0.84/newrole/Makefile 2010-11-29 10:07:47.000000000 -0500 -@@ -50,7 +50,7 @@ +diff -up policycoreutils-2.0.83/newrole/Makefile.rhat policycoreutils-2.0.83/newrole/Makefile +--- policycoreutils-2.0.83/newrole/Makefile.rhat 2010-06-16 08:04:12.000000000 -0400 ++++ policycoreutils-2.0.83/newrole/Makefile 2010-12-07 09:23:49.000000000 -0500 +@@ -50,7 +50,7 @@ ifeq (${NAMESPACE_PRIV},y) endif ifeq (${IS_SUID},y) MODE := 4555 @@ -498,9 +498,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po else MODE := 0555 endif -diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/newrole/newrole.c policycoreutils-2.0.84/newrole/newrole.c ---- nsapolicycoreutils/newrole/newrole.c 2010-05-19 14:45:51.000000000 -0400 -+++ policycoreutils-2.0.84/newrole/newrole.c 2010-11-29 10:07:47.000000000 -0500 +diff -up policycoreutils-2.0.83/newrole/newrole.c.rhat policycoreutils-2.0.83/newrole/newrole.c +--- policycoreutils-2.0.83/newrole/newrole.c.rhat 2010-06-16 08:04:12.000000000 -0400 ++++ policycoreutils-2.0.83/newrole/newrole.c 2010-12-07 09:23:49.000000000 -0500 @@ -77,7 +77,7 @@ #endif #if defined(AUDIT_LOG_PRIV) || (NAMESPACE_PRIV) 
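Review bot: In the new enforcing-mode failure branch of load_policy.c, `strerror(errno)` is evaluated only after `policy_path()` has run, and that helper calls `selinux_binary_policy_path()`, `security_policyvers()` and `asprintf()`, any of which may overwrite errno, so the diagnostic can name the wrong reason for the failed `selinux_init_load_policy()`. Save errno into a local before building the path, and guard the `%s` argument against the NULL that `policy_path()` returns when `asprintf` fails. A weaker point: `errno = 0` is reset before `is_selinux_enabled()` rather than immediately before `selinux_init_load_policy()`, so a stray errno left by that probe could satisfy `ret < 0 && errno != 0` on a system where the -1 return only means there was nothing to load (this depends on libselinux internals not visible here); moving the reset next to the call avoids the question. main() starts and ends outside the hunk.
```c
	/* … unchanged: boolean-file warning … */
	if (init) {
		/* … unchanged: already-enabled check … */
		errno = 0;	/* reset right before the call whose errno we interpret */
		ret = selinux_init_load_policy(&enforce);
		if (ret < 0 && errno != 0) {
			if (enforce > 0) {
				/* SELinux in enforcing mode but load_policy failed */
				int saved_errno = errno;	/* policy_path() may clobber errno */
				char *path = policy_path();
				fprintf(stderr,
					_("%s: Can't load policy file %s and enforcing mode requested: %s\n"),
					argv[0], path ? path : "(unknown)", strerror(saved_errno));
				free(path);
				exit(3);
			}
		}
```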
@@ -520,7 +520,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po /* USAGE_STRING describes the command-line args of this program. */ #define USAGE_STRING "USAGE: newrole [ -r role ] [ -t type ] [ -l level ] [ -p ] [ -V ] [ -- args ]" -@@ -538,69 +541,23 @@ +@@ -538,69 +541,23 @@ static int restore_environment(int prese * Returns zero on success, non-zero otherwise */ #if defined(AUDIT_LOG_PRIV) && !defined(NAMESPACE_PRIV) @@ -600,7 +600,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po } #elif defined(NAMESPACE_PRIV) /** -@@ -616,50 +573,25 @@ +@@ -616,50 +573,25 @@ static int drop_capabilities(void) * * Returns zero on success, non-zero otherwise */ @@ -663,7 +663,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po { return 0; } -@@ -1098,7 +1030,7 @@ +@@ -1098,7 +1030,7 @@ int main(int argc, char *argv[]) * if it makes sense to continue to run newrole, and setting up * a scrubbed environment. */ @@ -672,7 +672,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po return -1; if (set_signal_handles()) return -1; -@@ -1334,11 +1266,15 @@ +@@ -1334,11 +1266,15 @@ int main(int argc, char *argv[]) if (send_audit_message(1, old_context, new_context, ttyn)) goto err_close_pam_session; 
@@ -688,9 +688,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po /* Handle environment changes */ if (restore_environment(preserve_environment, old_environ, &pw)) { fprintf(stderr, _("Unable to restore the environment, " -diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/Makefile policycoreutils-2.0.84/restorecond/Makefile ---- nsapolicycoreutils/restorecond/Makefile 2010-05-19 14:45:51.000000000 -0400 -+++ policycoreutils-2.0.84/restorecond/Makefile 2010-11-29 10:07:47.000000000 -0500 +diff -up policycoreutils-2.0.83/restorecond/Makefile.rhat policycoreutils-2.0.83/restorecond/Makefile +--- policycoreutils-2.0.83/restorecond/Makefile.rhat 2010-06-16 08:04:13.000000000 -0400 ++++ policycoreutils-2.0.83/restorecond/Makefile 2010-12-07 09:23:49.000000000 -0500 @@ -1,17 +1,28 @@ # Installation directories. PREFIX ?= ${DESTDIR}/usr @@ -723,7 +723,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po $(CC) $(LDFLAGS) -o $@ $^ $(LDLIBS) install: all -@@ -22,7 +33,12 @@ +@@ -22,7 +33,12 @@ install: all -mkdir -p $(INITDIR) install -m 755 restorecond.init $(INITDIR)/restorecond -mkdir -p $(SELINUXDIR) 
@@ -737,16 +737,16 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po relabel: install /sbin/restorecon $(SBINDIR)/restorecond -diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/org.selinux.Restorecond.service policycoreutils-2.0.84/restorecond/org.selinux.Restorecond.service ---- nsapolicycoreutils/restorecond/org.selinux.Restorecond.service 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.84/restorecond/org.selinux.Restorecond.service 2010-11-29 10:07:47.000000000 -0500 +diff -up policycoreutils-2.0.83/restorecond/org.selinux.Restorecond.service.rhat policycoreutils-2.0.83/restorecond/org.selinux.Restorecond.service +--- policycoreutils-2.0.83/restorecond/org.selinux.Restorecond.service.rhat 2010-12-07 09:23:49.000000000 -0500 ++++ policycoreutils-2.0.83/restorecond/org.selinux.Restorecond.service 2010-12-07 09:23:49.000000000 -0500 @@ -0,0 +1,3 @@ +[D-BUS Service] +Name=org.selinux.Restorecond +Exec=/usr/sbin/restorecond -u -diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.8 policycoreutils-2.0.84/restorecond/restorecond.8 ---- nsapolicycoreutils/restorecond/restorecond.8 2010-05-19 14:45:51.000000000 -0400 -+++ policycoreutils-2.0.84/restorecond/restorecond.8 2010-11-29 10:07:47.000000000 -0500 +diff -up policycoreutils-2.0.83/restorecond/restorecond.8.rhat policycoreutils-2.0.83/restorecond/restorecond.8 +--- policycoreutils-2.0.83/restorecond/restorecond.8.rhat 2010-06-16 08:04:13.000000000 -0400 ++++ policycoreutils-2.0.83/restorecond/restorecond.8 2010-12-07 09:23:49.000000000 -0500 @@ -3,7 +3,7 @@ restorecond \- daemon that watches for file creation and then sets the default SELinux file context 
@@ -756,7 +756,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po .P .SH "DESCRIPTION" -@@ -19,13 +19,22 @@ +@@ -19,13 +19,22 @@ the correct file context associated with .B \-d Turns on debugging mode. Application will stay in the foreground and lots of debugs messages start printing. @@ -781,9 +781,22 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po .SH "SEE ALSO" .BR restorecon (8), -diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.c policycoreutils-2.0.84/restorecond/restorecond.c ---- nsapolicycoreutils/restorecond/restorecond.c 2010-05-19 14:45:51.000000000 -0400 -+++ policycoreutils-2.0.84/restorecond/restorecond.c 2010-11-29 10:07:47.000000000 -0500 +diff -up policycoreutils-2.0.83/restorecond/restorecond.conf.rhat policycoreutils-2.0.83/restorecond/restorecond.conf +--- policycoreutils-2.0.83/restorecond/restorecond.conf.rhat 2010-06-16 08:04:13.000000000 -0400 ++++ policycoreutils-2.0.83/restorecond/restorecond.conf 2010-12-07 09:23:49.000000000 -0500 +@@ -4,8 +4,5 @@ + /etc/mtab + /var/run/utmp + /var/log/wtmp +-~/* +-/root/.ssh ++/root/* + /root/.ssh/* +- +- +diff -up policycoreutils-2.0.83/restorecond/restorecond.c.rhat policycoreutils-2.0.83/restorecond/restorecond.c +--- policycoreutils-2.0.83/restorecond/restorecond.c.rhat 2010-06-16 08:04:13.000000000 -0400 ++++ policycoreutils-2.0.83/restorecond/restorecond.c 2010-12-07 09:23:49.000000000 -0500 @@ -30,9 +30,11 @@ * and makes sure that there security context matches the systems defaults * @@ -1112,7 +1125,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po } static const char *pidfile = "/var/run/restorecond.pid"; -@@ -374,7 +120,7 @@ +@@ -374,7 +120,7 @@ static void term_handler() static void usage(char *program) { 
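Review bot: The regenerated restorecond.conf drops `~/*` from the system-wide watch list and keeps only `/root/*` and `/root/.ssh/*`, so the system daemon no longer relabels files created in non-root home directories; on this page that watch reappears only in the new restorecond_user.conf, which is consumed by the per-session `restorecond -u` instance started through the org.selinux.Restorecond D-Bus service. That presumably leaves users who log in without a D-Bus session (ssh, console) with no automatic relabeling of files they create in their home directory, which is a security-relevant change in coverage that is stated nowhere in the patch. Record it next to the list, e.g. `# Per-user home directories are watched by the session instance (restorecond -u, restorecond_user.conf), not by this daemon` if the config parser tolerates comments, or in the restorecond.8 text for -u otherwise.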
@@ -1121,7 +1134,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po exit(0); } -@@ -390,74 +136,35 @@ +@@ -390,74 +136,35 @@ void exitApp(const char *msg) to see if it is one that we are watching. */ @@ -1220,7 +1233,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po /* Register sighandlers */ sa.sa_flags = 0; -@@ -467,36 +174,56 @@ +@@ -467,36 +174,56 @@ int main(int argc, char **argv) set_matchpathcon_flags(MATCHPATHCON_NOTRANS); @@ -1286,22 +1299,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po if (pidfile) unlink(pidfile); -diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.conf policycoreutils-2.0.84/restorecond/restorecond.conf ---- nsapolicycoreutils/restorecond/restorecond.conf 2010-05-19 14:45:51.000000000 -0400 -+++ policycoreutils-2.0.84/restorecond/restorecond.conf 2010-11-29 10:07:47.000000000 -0500 -@@ -4,8 +4,5 @@ - /etc/mtab - /var/run/utmp - /var/log/wtmp --~/* --/root/.ssh -+/root/* - /root/.ssh/* -- -- -diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.desktop policycoreutils-2.0.84/restorecond/restorecond.desktop ---- nsapolicycoreutils/restorecond/restorecond.desktop 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.84/restorecond/restorecond.desktop 2010-11-29 10:07:47.000000000 -0500 +diff -up policycoreutils-2.0.83/restorecond/restorecond.desktop.rhat policycoreutils-2.0.83/restorecond/restorecond.desktop +--- policycoreutils-2.0.83/restorecond/restorecond.desktop.rhat 2010-12-07 09:23:49.000000000 -0500 ++++ policycoreutils-2.0.83/restorecond/restorecond.desktop 2010-12-07 09:23:49.000000000 -0500 @@ -0,0 +1,7 @@ +[Desktop Entry] +Name=File Context maintainer 
@@ -1310,9 +1310,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po +Encoding=UTF-8 +Type=Application +StartupNotify=false -diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.h policycoreutils-2.0.84/restorecond/restorecond.h ---- nsapolicycoreutils/restorecond/restorecond.h 2010-05-19 14:45:51.000000000 -0400 -+++ policycoreutils-2.0.84/restorecond/restorecond.h 2010-11-29 10:07:47.000000000 -0500 +diff -up policycoreutils-2.0.83/restorecond/restorecond.h.rhat policycoreutils-2.0.83/restorecond/restorecond.h +--- policycoreutils-2.0.83/restorecond/restorecond.h.rhat 2010-06-16 08:04:13.000000000 -0400 ++++ policycoreutils-2.0.83/restorecond/restorecond.h 2010-12-07 09:23:49.000000000 -0500 @@ -24,7 +24,22 @@ #ifndef RESTORED_CONFIG_H #define RESTORED_CONFIG_H @@ -1338,10 +1338,10 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po +extern int watch_list_isempty(); #endif -diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.init policycoreutils-2.0.84/restorecond/restorecond.init ---- nsapolicycoreutils/restorecond/restorecond.init 2010-05-19 14:45:51.000000000 -0400 -+++ policycoreutils-2.0.84/restorecond/restorecond.init 2010-11-29 10:07:47.000000000 -0500 -@@ -26,7 +26,7 @@ +diff -up policycoreutils-2.0.83/restorecond/restorecond.init.rhat policycoreutils-2.0.83/restorecond/restorecond.init +--- policycoreutils-2.0.83/restorecond/restorecond.init.rhat 2010-06-16 08:04:13.000000000 -0400 ++++ policycoreutils-2.0.83/restorecond/restorecond.init 2010-12-07 09:23:49.000000000 -0500 +@@ -26,7 +26,7 @@ PATH=/sbin:/bin:/usr/bin:/usr/sbin # Source function library. . /etc/rc.d/init.d/functions 
@@ -1350,7 +1350,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po # Check that we are root ... so non-root users stop here test $EUID = 0 || exit 4 -@@ -75,16 +75,15 @@ +@@ -75,16 +75,15 @@ case "$1" in status restorecond RETVAL=$? ;; @@ -1369,15 +1369,15 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po exit $RETVAL - -diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond_user.conf policycoreutils-2.0.84/restorecond/restorecond_user.conf ---- nsapolicycoreutils/restorecond/restorecond_user.conf 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.84/restorecond/restorecond_user.conf 2010-11-29 10:07:47.000000000 -0500 +diff -up policycoreutils-2.0.83/restorecond/restorecond_user.conf.rhat policycoreutils-2.0.83/restorecond/restorecond_user.conf +--- policycoreutils-2.0.83/restorecond/restorecond_user.conf.rhat 2010-12-07 09:23:49.000000000 -0500 ++++ policycoreutils-2.0.83/restorecond/restorecond_user.conf 2010-12-07 09:23:49.000000000 -0500 @@ -0,0 +1,2 @@ +~/* +~/public_html/* -diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/user.c policycoreutils-2.0.84/restorecond/user.c ---- nsapolicycoreutils/restorecond/user.c 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.84/restorecond/user.c 2010-11-29 10:07:47.000000000 -0500 +diff -up policycoreutils-2.0.83/restorecond/user.c.rhat policycoreutils-2.0.83/restorecond/user.c +--- policycoreutils-2.0.83/restorecond/user.c.rhat 2010-12-07 09:23:49.000000000 -0500 ++++ policycoreutils-2.0.83/restorecond/user.c 2010-12-07 09:23:49.000000000 -0500 @@ -0,0 +1,239 @@ +/* + * restorecond 
@@ -1618,10 +1618,10 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po + return 0; +} + -diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/utmpwatcher.c policycoreutils-2.0.84/restorecond/utmpwatcher.c ---- nsapolicycoreutils/restorecond/utmpwatcher.c 2010-05-19 14:45:51.000000000 -0400 -+++ policycoreutils-2.0.84/restorecond/utmpwatcher.c 2010-11-29 10:07:47.000000000 -0500 -@@ -72,8 +72,8 @@ +diff -up policycoreutils-2.0.83/restorecond/utmpwatcher.c.rhat policycoreutils-2.0.83/restorecond/utmpwatcher.c +--- policycoreutils-2.0.83/restorecond/utmpwatcher.c.rhat 2010-06-16 08:04:13.000000000 -0400 ++++ policycoreutils-2.0.83/restorecond/utmpwatcher.c 2010-12-07 09:23:49.000000000 -0500 +@@ -72,8 +72,8 @@ unsigned int utmpwatcher_handle(int inot if (utmp_wd == -1) exitApp("Error watching utmp file."); @@ -1631,9 +1631,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po strings_list_free(prev_utmp_ptr); } return changed; -diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/watch.c policycoreutils-2.0.84/restorecond/watch.c ---- nsapolicycoreutils/restorecond/watch.c 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.84/restorecond/watch.c 2010-11-29 10:07:47.000000000 -0500 +diff -up policycoreutils-2.0.83/restorecond/watch.c.rhat policycoreutils-2.0.83/restorecond/watch.c +--- policycoreutils-2.0.83/restorecond/watch.c.rhat 2010-12-07 09:23:49.000000000 -0500 ++++ policycoreutils-2.0.83/restorecond/watch.c 2010-12-07 09:23:49.000000000 -0500 @@ -0,0 +1,260 @@ +#define _GNU_SOURCE +#include 
@@ -1895,17 +1895,17 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po + if (master_wd == -1) + exitApp("Error watching config file."); +} -diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/deliverables/basicwrapper policycoreutils-2.0.84/sandbox/deliverables/basicwrapper ---- nsapolicycoreutils/sandbox/deliverables/basicwrapper 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.84/sandbox/deliverables/basicwrapper 2010-11-29 10:07:47.000000000 -0500 +diff -up policycoreutils-2.0.83/sandbox/deliverables/basicwrapper.rhat policycoreutils-2.0.83/sandbox/deliverables/basicwrapper +--- policycoreutils-2.0.83/sandbox/deliverables/basicwrapper.rhat 2010-12-07 09:23:49.000000000 -0500 ++++ policycoreutils-2.0.83/sandbox/deliverables/basicwrapper 2010-12-07 09:23:49.000000000 -0500 @@ -0,0 +1,4 @@ +import os, sys +SANDBOX_ARGS = ['-f%s' % os.environ['_CONDOR_SCRATCH_DIR']] +SANDBOX_ARGS.extend(sys.argv[1::]) +os.execv('/usr/bin/sandbox',SANDBOX_ARGS) -diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/deliverables/README policycoreutils-2.0.84/sandbox/deliverables/README ---- nsapolicycoreutils/sandbox/deliverables/README 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.84/sandbox/deliverables/README 2010-11-29 10:07:47.000000000 -0500 +diff -up policycoreutils-2.0.83/sandbox/deliverables/README.rhat policycoreutils-2.0.83/sandbox/deliverables/README +--- policycoreutils-2.0.83/sandbox/deliverables/README.rhat 2010-12-07 09:23:49.000000000 -0500 ++++ policycoreutils-2.0.83/sandbox/deliverables/README 2010-12-07 09:23:49.000000000 -0500 @@ -0,0 +1,32 @@ +Files: +run-in-sandbox.py: 
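Review bot: basicwrapper builds `SANDBOX_ARGS` with the `-f<scratch>` option as its first element and then calls `os.execv('/usr/bin/sandbox', SANDBOX_ARGS)`, but execv's list is the complete argv including argv[0], so sandbox sees `-f…` as its program name; option parsers such as Python's getopt/optparse skip argv[0], which would silently drop the scratch-directory option while the remaining arguments are still passed through. Prepend a program name: `SANDBOX_ARGS = ['sandbox', '-f%s' % os.environ['_CONDOR_SCRATCH_DIR']]`. The `os.environ[...]` lookup also raises a bare KeyError when `_CONDOR_SCRATCH_DIR` is unset; `os.environ.get` plus an explicit error message would make that failure mode obvious to the batch system invoking the wrapper. The four-line file also ships without a shebang, so it has to be run through an interpreter explicitly, which the README next to it should state if that is intended.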
@@ -1939,9 +1939,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po + +Thanks for a great summer. +Chris Pardy -diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/deliverables/run-in-sandbox.py policycoreutils-2.0.84/sandbox/deliverables/run-in-sandbox.py ---- nsapolicycoreutils/sandbox/deliverables/run-in-sandbox.py 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.84/sandbox/deliverables/run-in-sandbox.py 2010-11-29 10:07:47.000000000 -0500 +diff -up policycoreutils-2.0.83/sandbox/deliverables/run-in-sandbox.py.rhat policycoreutils-2.0.83/sandbox/deliverables/run-in-sandbox.py +--- policycoreutils-2.0.83/sandbox/deliverables/run-in-sandbox.py.rhat 2010-12-07 09:23:49.000000000 -0500 ++++ policycoreutils-2.0.83/sandbox/deliverables/run-in-sandbox.py 2010-12-07 09:23:49.000000000 -0500 @@ -0,0 +1,49 @@ +import os +import os.path @@ -1992,10 +1992,10 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po + def get_background_items(self, window, file): + return + -diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/Makefile policycoreutils-2.0.84/sandbox/Makefile ---- nsapolicycoreutils/sandbox/Makefile 2010-06-16 08:03:38.000000000 -0400 -+++ policycoreutils-2.0.84/sandbox/Makefile 2010-11-29 10:07:47.000000000 -0500 -@@ -7,8 +7,8 @@ +diff -up policycoreutils-2.0.83/sandbox/Makefile.rhat policycoreutils-2.0.83/sandbox/Makefile +--- policycoreutils-2.0.83/sandbox/Makefile.rhat 2010-06-16 08:04:12.000000000 -0400 ++++ policycoreutils-2.0.83/sandbox/Makefile 2010-12-07 09:23:49.000000000 -0500 +@@ -7,8 +7,8 @@ SBINDIR ?= $(PREFIX)/sbin MANDIR ?= $(PREFIX)/share/man LOCALEDIR ?= /usr/share/locale SHAREDIR ?= $(PREFIX)/share/sandbox 
@@ -2006,7 +2006,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po all: sandbox seunshare sandboxX.sh -@@ -20,6 +20,9 @@ +@@ -20,6 +20,9 @@ install: all install -m 755 sandbox $(BINDIR) -mkdir -p $(MANDIR)/man8 install -m 644 sandbox.8 $(MANDIR)/man8/ @@ -2016,7 +2016,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -mkdir -p $(SBINDIR) install -m 4755 seunshare $(SBINDIR)/ -mkdir -p $(SHAREDIR) -@@ -27,7 +30,7 @@ +@@ -27,7 +30,7 @@ install: all -mkdir -p $(INITDIR) install -m 755 sandbox.init $(INITDIR)/sandbox -mkdir -p $(SYSCONFDIR) 
@@ -2025,9 +2025,144 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po test: @python test_sandbox.py -v -diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/sandbox policycoreutils-2.0.84/sandbox/sandbox ---- nsapolicycoreutils/sandbox/sandbox 2010-06-16 08:03:38.000000000 -0400 -+++ policycoreutils-2.0.84/sandbox/sandbox 2010-11-29 10:07:47.000000000 -0500 +diff -up policycoreutils-2.0.83/sandbox/sandbox.8.rhat policycoreutils-2.0.83/sandbox/sandbox.8 +--- policycoreutils-2.0.83/sandbox/sandbox.8.rhat 2010-06-16 08:04:12.000000000 -0400 ++++ policycoreutils-2.0.83/sandbox/sandbox.8 2010-12-07 09:23:49.000000000 -0500 +@@ -1,10 +1,13 @@ +-.TH SANDBOX "8" "May 2009" "chcat" "User Commands" ++.TH SANDBOX "8" "May 2010" "sandbox" "User Commands" + .SH NAME + sandbox \- Run cmd under an SELinux sandbox + .SH SYNOPSIS + .B sandbox +-[-l level ] [[-M | -X] -H homedir -T tempdir ] [-I includefile ] [ -W windowmanager ] [[-i file ]...] [ -t type ] cmd +-[-l level ] [[-M | -X] -H homedir -T tempdir ] [-I includefile ] [ -W windowmanager ] [[-i file ]...] [ -t type ] -S ++[-l level ] [[-M | -X] -H homedir -T tempdir ] [-I includefile ] [ -W windowmanager ] [ -w windowsize ] [[-i file ]...] [ -t type ] cmd ++ ++.br ++.B sandbox ++[-l level ] [[-M | -X] -H homedir -T tempdir ] [-I includefile ] [ -W windowmanager ] [ -w windowsize ] [[-i file ]...] [ -t type ] -S + .br + .SH DESCRIPTION + .PP +@@ -42,6 +45,12 @@ Use alternate sandbox type, defaults to + \fB\-T\ tmpdir + Use alternate tempory directory to mount on /tmp. Defaults to tmpfs. Requires -X or -M. + .TP ++\fB\-S ++Run a full desktop session, Requires level, and home and tmpdir. ++.TP ++\fB\-w windowsize\fR ++Specifies the windowsize when creating an X based Sandbox. The default windowsize is 1000x700. ++.TP + \fB\-W windowmanager\fR + Select alternative window manager to run within + .B sandbox -X. 
+@@ -50,8 +59,17 @@ Default to /usr/bin/matchbox-window-mana + \fB\-X\fR + Create an X based Sandbox for gui apps, temporary files for + $HOME and /tmp, secondary Xserver, defaults to sandbox_x_t ++.TP ++\fB\-C\fR ++Use control groups to control this copy of sandbox. Specify parameters in /etc/sysconfig/sandbox. Max memory usage and cpu usage are to be specified in percent. You can specify which CPUs to use by numbering them 0,1,2... etc. + .PP + .SH "SEE ALSO" + .TP +-runcon(1) ++runcon(1), seunshare(8), selinux(8) + .PP ++ ++.SH AUTHOR ++This manual page was written by ++.I Dan Walsh ++and ++.I Thomas Liu +diff -up policycoreutils-2.0.83/sandbox/sandbox.conf.5.rhat policycoreutils-2.0.83/sandbox/sandbox.conf.5 +--- policycoreutils-2.0.83/sandbox/sandbox.conf.5.rhat 2010-12-07 09:23:49.000000000 -0500 ++++ policycoreutils-2.0.83/sandbox/sandbox.conf.5 2010-12-07 09:23:49.000000000 -0500 +@@ -0,0 +1,40 @@ ++.TH sandbox.conf "5" "June 2010" "sandbox.conf" "Linux System Administration" ++.SH NAME ++sandbox.conf \- user config file for the SELinux sandbox ++.SH DESCRIPTION ++.PP ++When running sandbox with the -C argument, it will be confined using control groups and a system administrator can specify how the sandbox is confined. ++ ++.PP ++Everything after "#" is ignored, as are empty lines. All arguments should be separated by and equals sign ("="). ++ ++.PP ++These keywords are allowed. ++ ++.RS ++.TP ++.B NAME ++The name of the sandbox control group. Default is "sandbox". ++ ++.TP ++.B CPUAFFINITY ++Which cpus to assign sandbox to. The default is ALL, but users can specify a comma-separated list with dashes ("-") to represent ranges. Ex: 0-2,5 ++ ++.TP ++.B MEMUSAGE ++How much memory to allow sandbox to use. The default is 80%. Users can specify either a percentage or a value in the form of a number followed by one of the suffixes K, M, G to denote kilobytes, megabytes or gigabytes respectively. 
Ex: 50% or 100M ++ ++.TP ++.B CPUUSAGE ++Percentage of cpu sandbox should be allowed to use. The default is 80%. Specify a value followed by a percent sign ("%"). Ex: 50% ++ ++ ++ ++.SH "SEE ALSO" ++.TP ++sandbox(8) ++.PP ++ ++.SH AUTHOR ++This manual page was written by ++.I Thomas Liu +diff -up policycoreutils-2.0.83/sandbox/sandbox.config.rhat policycoreutils-2.0.83/sandbox/sandbox.config +diff -up policycoreutils-2.0.83/sandbox/sandbox.conf.rhat policycoreutils-2.0.83/sandbox/sandbox.conf +--- policycoreutils-2.0.83/sandbox/sandbox.conf.rhat 2010-12-07 09:23:49.000000000 -0500 ++++ policycoreutils-2.0.83/sandbox/sandbox.conf 2010-12-07 09:23:49.000000000 -0500 +@@ -0,0 +1,7 @@ ++# Space separate list of homedirs ++HOMEDIRS="/home" ++# Control group configuration ++NAME=sandbox ++CPUAFFINITY=ALL ++MEMUSAGE=80% ++CPUUSAGE=80% +diff -up policycoreutils-2.0.83/sandbox/sandbox.init.rhat policycoreutils-2.0.83/sandbox/sandbox.init +--- policycoreutils-2.0.83/sandbox/sandbox.init.rhat 2010-06-16 08:04:12.000000000 -0400 ++++ policycoreutils-2.0.83/sandbox/sandbox.init 2010-12-07 09:23:49.000000000 -0500 +@@ -10,17 +10,12 @@ + # + # chkconfig: 345 1 99 + # +-# Description: sandbox and other apps that want to use pam_namespace +-# on /var/tmp, /tmp and home directories, requires this script +-# to be run at boot time. +-# This script sets up the / mount point and all of its +-# subdirectories as shared. The script sets up +-# /tmp, /var/tmp, /home and any homedirs listed in +-# /etc/sysconfig/sandbox and all of their subdirectories +-# as unshared. +-# All processes that use pam_namespace will see +-# modifications to the global mountspace, except for the +-# unshared directories. ++# description: sandbox, xguest and other apps that want to use pam_namespace \ ++# require this script be run at boot. 
This service script does \ ++# not actually run any service but sets up: \ ++# /var/tmp, /tmp and home directories to be used by these tools.\ ++# If you do not use sandbox, xguest or pam_namespace you can turn \ ++# this service off.\ + # + + # Source function library. +diff -up policycoreutils-2.0.83/sandbox/sandbox.rhat policycoreutils-2.0.83/sandbox/sandbox +--- policycoreutils-2.0.83/sandbox/sandbox.rhat 2010-06-16 08:04:12.000000000 -0400 ++++ policycoreutils-2.0.83/sandbox/sandbox 2010-12-07 09:23:49.000000000 -0500 @@ -1,5 +1,6 @@ -#! /usr/bin/python -E +#! /usr/bin/python -Es @@ -2057,7 +2192,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po import gettext gettext.bindtextdomain(PROGNAME, "/usr/share/locale") gettext.textdomain(PROGNAME) -@@ -41,6 +45,7 @@ +@@ -41,6 +45,7 @@ except IOError: import __builtin__ __builtin__.__dict__['_'] = unicode @@ -2065,7 +2200,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po DEFAULT_TYPE = "sandbox_t" DEFAULT_X_TYPE = "sandbox_x_t" SAVE_FILES = {} -@@ -63,15 +68,15 @@ +@@ -63,15 +68,15 @@ def error_exit(msg): sys.stderr.flush() sys.exit(1) @@ -2085,7 +2220,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po if not os.path.exists(newdir): os.makedirs(newdir) dest = newdir + "/" + bname -@@ -81,9 +86,10 @@ +@@ -81,9 +86,10 @@ def copyfile(file, dir, dest): shutil.copytree(file, dest) else: shutil.copy2(file, dest) @@ -2098,7 +2233,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po SAVE_FILES[file] = (dest, os.path.getmtime(dest)) -@@ -161,10 +167,10 @@ +@@ -161,10 +167,10 @@ class Sandbox: if not self.__options.homedir or not self.__options.tmpdir: self.usage(_("Homedir and tempdir required for level mounts")) 
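Review bot: The rebuilt sandbox section carries a bare `diff -up policycoreutils-2.0.83/sandbox/sandbox.config.rhat policycoreutils-2.0.83/sandbox/sandbox.config` header with no `---`/`+++` lines or hunk behind it, which looks like what a gendiff run emits for a file it found unchanged. The previous revision of this patch deleted sandbox.config outright (the `@@ -1,2 +0,0 @@` hunk removing `HOMEDIRS="/home"`, dropped in hunk `@@ -2220,189 +2355,49 @@`), and the new sandbox.conf added here carries the same `HOMEDIRS` setting, so sandbox.conf appears intended to replace sandbox.config. If so, the deletion needs to come back or the packaging has to remove the stale file, since a system reading the old location would otherwise keep its own copy of the homedir list; if shipping both is intended, the hunk-less header is still dead weight in the patch and should go.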
@@ -2112,7 +2247,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po def __mount_callback(self, option, opt, value, parser): self.__mount = True -@@ -172,6 +178,15 @@ +@@ -172,6 +178,15 @@ class Sandbox: def __x_callback(self, option, opt, value, parser): self.__mount = True setattr(parser.values, option.dest, True) @@ -2128,7 +2263,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po def __validdir(self, option, opt, value, parser): if not os.path.isdir(value): -@@ -194,6 +209,8 @@ +@@ -194,6 +209,8 @@ class Sandbox: self.__include(option, opt, i[:-1], parser) except IOError, e: sys.stderr.write(str(e)) @@ -2137,7 +2272,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po fd.close() def __copyfiles(self): -@@ -212,13 +229,15 @@ +@@ -212,13 +229,15 @@ class Sandbox: /etc/gdm/Xsession """) else: @@ -2155,7 +2290,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po kill -TERM $WM_PID 2> /dev/null """ % (command, wm, command)) fd.close() -@@ -226,14 +245,20 @@ +@@ -226,14 +245,20 @@ kill -TERM $WM_PID 2> /dev/null def usage(self, message = ""): error_exit("%s\n%s" % (self.__parser.usage, message)) @@ -2180,7 +2315,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po parser = OptionParser(version=self.VERSION, usage=usage) parser.disable_interspersed_args() -@@ -268,6 +293,10 @@ +@@ -268,6 +293,10 @@ sandbox [-h] [-[X|M] [-l level ] [-H hom action="callback", callback=self.__validdir, help=_("alternate /tmp directory to use for mounting")) 
@@ -2191,7 +2326,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po parser.add_option("-W", "--windowmanager", dest="wm", type="string", default="/usr/bin/matchbox-window-manager -use_titlebar no", -@@ -276,13 +305,17 @@ +@@ -276,13 +305,17 @@ sandbox [-h] [-[X|M] [-l level ] [-H hom parser.add_option("-l", "--level", dest="level", help=_("MCS/MLS level for the sandbox")) @@ -2210,7 +2345,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po if self.__options.setype: self.setype = self.__options.setype -@@ -299,6 +332,9 @@ +@@ -299,6 +332,9 @@ sandbox [-h] [-[X|M] [-l level ] [-H hom self.__options.X_ind = True self.__homedir = self.__options.homedir self.__tmpdir = self.__options.tmpdir 
@@ -2220,189 +2355,49 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po else: if len(cmds) == 0: self.usage(_("Command required")) -@@ -351,22 +387,24 @@ - - def __execute(self): - try: -- if self.__options.X_ind: -- xmodmapfile = self.__homedir + "/.xmodmap" -- xd = open(xmodmapfile,"w") -- subprocess.Popen(["/usr/bin/xmodmap","-pke"],stdout=xd).wait() -- xd.close() -- -- self.__setup_sandboxrc(self.__options.wm) -- -- cmds = [ '/usr/sbin/seunshare', "-t", self.__tmpdir, "-h", self.__homedir, "--", self.__execcon, "/usr/share/sandbox/sandboxX.sh" ] -- rc = subprocess.Popen(cmds).wait() -- return rc -- -+ cmds = [ SEUNSHARE, "-Z", self.__execcon ] -+ if self.__options.usecgroup == True: -+ cmds.append('-c') - if self.__mount: -- cmds = [ '/usr/sbin/seunshare', "-t", self.__tmpdir, "-h", self.__homedir, "--", self.__execcon ] + self.__paths -- rc = subprocess.Popen(cmds).wait() -- return rc -+ cmds += [ "-t", self.__tmpdir, "-h", self.__homedir ] -+ -+ if self.__options.X_ind: -+ xmodmapfile = self.__homedir + "/.xmodmap" -+ xd = open(xmodmapfile,"w") -+ subprocess.Popen(["/usr/bin/xmodmap","-pke"],stdout=xd).wait() -+ xd.close() -+ -+ self.__setup_sandboxrc(self.__options.wm) -+ -+ cmds += [ "--", SANDBOXSH, self.__options.windowsize ] -+ else: -+ cmds += [ "--" ] + self.__paths -+ return subprocess.Popen(cmds).wait() +@@ -351,22 +387,24 @@ sandbox [-h] [-[X|M] [-l level ] [-H hom - selinux.setexeccon(self.__execcon) - rc = subprocess.Popen(self.__cmds).wait() -diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/sandbox.8 policycoreutils-2.0.84/sandbox/sandbox.8 ---- nsapolicycoreutils/sandbox/sandbox.8 2010-06-16 08:03:38.000000000 -0400 -+++ policycoreutils-2.0.84/sandbox/sandbox.8 2010-11-29 10:07:47.000000000 -0500 -@@ -1,10 +1,13 @@ --.TH SANDBOX "8" "May 2009" "chcat" "User Commands" -+.TH SANDBOX "8" "May 2010" "sandbox" "User Commands" - .SH NAME - sandbox \- 
Run cmd under an SELinux sandbox - .SH SYNOPSIS - .B sandbox --[-l level ] [[-M | -X] -H homedir -T tempdir ] [-I includefile ] [ -W windowmanager ] [[-i file ]...] [ -t type ] cmd --[-l level ] [[-M | -X] -H homedir -T tempdir ] [-I includefile ] [ -W windowmanager ] [[-i file ]...] [ -t type ] -S -+[-l level ] [[-M | -X] -H homedir -T tempdir ] [-I includefile ] [ -W windowmanager ] [ -w windowsize ] [[-i file ]...] [ -t type ] cmd -+ -+.br -+.B sandbox -+[-l level ] [[-M | -X] -H homedir -T tempdir ] [-I includefile ] [ -W windowmanager ] [ -w windowsize ] [[-i file ]...] [ -t type ] -S - .br - .SH DESCRIPTION - .PP -@@ -42,6 +45,12 @@ - \fB\-T\ tmpdir - Use alternate tempory directory to mount on /tmp. Defaults to tmpfs. Requires -X or -M. - .TP -+\fB\-S -+Run a full desktop session, Requires level, and home and tmpdir. -+.TP -+\fB\-w windowsize\fR -+Specifies the windowsize when creating an X based Sandbox. The default windowsize is 1000x700. -+.TP - \fB\-W windowmanager\fR - Select alternative window manager to run within - .B sandbox -X. -@@ -50,8 +59,17 @@ - \fB\-X\fR - Create an X based Sandbox for gui apps, temporary files for - $HOME and /tmp, secondary Xserver, defaults to sandbox_x_t -+.TP -+\fB\-C\fR -+Use control groups to control this copy of sandbox. Specify parameters in /etc/sysconfig/sandbox. Max memory usage and cpu usage are to be specified in percent. You can specify which CPUs to use by numbering them 0,1,2... etc. 
- .PP - .SH "SEE ALSO" - .TP --runcon(1) -+runcon(1), seunshare(8), selinux(8) - .PP -+ -+.SH AUTHOR -+This manual page was written by -+.I Dan Walsh -+and -+.I Thomas Liu -diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/sandbox.conf policycoreutils-2.0.84/sandbox/sandbox.conf ---- nsapolicycoreutils/sandbox/sandbox.conf 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.84/sandbox/sandbox.conf 2010-11-29 10:07:47.000000000 -0500 -@@ -0,0 +1,7 @@ -+# Space separate list of homedirs -+HOMEDIRS="/home" -+# Control group configuration -+NAME=sandbox -+CPUAFFINITY=ALL -+MEMUSAGE=80% -+CPUUSAGE=80% -diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/sandbox.conf.5 policycoreutils-2.0.84/sandbox/sandbox.conf.5 ---- nsapolicycoreutils/sandbox/sandbox.conf.5 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.84/sandbox/sandbox.conf.5 2010-11-29 10:07:47.000000000 -0500 -@@ -0,0 +1,40 @@ -+.TH sandbox.conf "5" "June 2010" "sandbox.conf" "Linux System Administration" -+.SH NAME -+sandbox.conf \- user config file for the SELinux sandbox -+.SH DESCRIPTION -+.PP -+When running sandbox with the -C argument, it will be confined using control groups and a system administrator can specify how the sandbox is confined. -+ -+.PP -+Everything after "#" is ignored, as are empty lines. All arguments should be separated by and equals sign ("="). -+ -+.PP -+These keywords are allowed. -+ -+.RS -+.TP -+.B NAME -+The name of the sandbox control group. Default is "sandbox". -+ -+.TP -+.B CPUAFFINITY -+Which cpus to assign sandbox to. The default is ALL, but users can specify a comma-separated list with dashes ("-") to represent ranges. Ex: 0-2,5 -+ -+.TP -+.B MEMUSAGE -+How much memory to allow sandbox to use. The default is 80%. 
Users can specify either a percentage or a value in the form of a number followed by one of the suffixes K, M, G to denote kilobytes, megabytes or gigabytes respectively. Ex: 50% or 100M -+ -+.TP -+.B CPUUSAGE -+Percentage of cpu sandbox should be allowed to use. The default is 80%. Specify a value followed by a percent sign ("%"). Ex: 50% -+ + def __execute(self): + try: +- if self.__options.X_ind: +- xmodmapfile = self.__homedir + "/.xmodmap" +- xd = open(xmodmapfile,"w") +- subprocess.Popen(["/usr/bin/xmodmap","-pke"],stdout=xd).wait() +- xd.close() +- +- self.__setup_sandboxrc(self.__options.wm) +- +- cmds = [ '/usr/sbin/seunshare', "-t", self.__tmpdir, "-h", self.__homedir, "--", self.__execcon, "/usr/share/sandbox/sandboxX.sh" ] +- rc = subprocess.Popen(cmds).wait() +- return rc +- ++ cmds = [ SEUNSHARE, "-Z", self.__execcon ] ++ if self.__options.usecgroup == True: ++ cmds.append('-c') + if self.__mount: +- cmds = [ '/usr/sbin/seunshare', "-t", self.__tmpdir, "-h", self.__homedir, "--", self.__execcon ] + self.__paths +- rc = subprocess.Popen(cmds).wait() +- return rc ++ cmds += [ "-t", self.__tmpdir, "-h", self.__homedir ] + ++ if self.__options.X_ind: ++ xmodmapfile = self.__homedir + "/.xmodmap" ++ xd = open(xmodmapfile,"w") ++ subprocess.Popen(["/usr/bin/xmodmap","-pke"],stdout=xd).wait() ++ xd.close() + -+.SH "SEE ALSO" -+.TP -+sandbox(8) -+.PP ++ self.__setup_sandboxrc(self.__options.wm) + -+.SH AUTHOR -+This manual page was written by -+.I Thomas Liu -diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/sandbox.config policycoreutils-2.0.84/sandbox/sandbox.config ---- nsapolicycoreutils/sandbox/sandbox.config 2010-06-16 08:03:38.000000000 -0400 -+++ policycoreutils-2.0.84/sandbox/sandbox.config 1969-12-31 19:00:00.000000000 -0500 -@@ -1,2 +0,0 @@ --# Space separate list of homedirs --HOMEDIRS="/home" -diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u 
-r nsapolicycoreutils/sandbox/sandbox.init policycoreutils-2.0.84/sandbox/sandbox.init ---- nsapolicycoreutils/sandbox/sandbox.init 2010-06-16 08:03:38.000000000 -0400 -+++ policycoreutils-2.0.84/sandbox/sandbox.init 2010-11-29 10:07:47.000000000 -0500 -@@ -10,17 +10,12 @@ - # - # chkconfig: 345 1 99 - # --# Description: sandbox and other apps that want to use pam_namespace --# on /var/tmp, /tmp and home directories, requires this script --# to be run at boot time. --# This script sets up the / mount point and all of its --# subdirectories as shared. The script sets up --# /tmp, /var/tmp, /home and any homedirs listed in --# /etc/sysconfig/sandbox and all of their subdirectories --# as unshared. --# All processes that use pam_namespace will see --# modifications to the global mountspace, except for the --# unshared directories. -+# description: sandbox, xguest and other apps that want to use pam_namespace \ -+# require this script be run at boot. This service script does \ -+# not actually run any service but sets up: \ -+# /var/tmp, /tmp and home directories to be used by these tools.\ -+# If you do not use sandbox, xguest or pam_namespace you can turn \ -+# this service off.\ - # ++ cmds += [ "--", SANDBOXSH, self.__options.windowsize ] ++ else: ++ cmds += [ "--" ] + self.__paths ++ return subprocess.Popen(cmds).wait() - # Source function library. 
-diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/sandboxX.sh policycoreutils-2.0.84/sandbox/sandboxX.sh ---- nsapolicycoreutils/sandbox/sandboxX.sh 2010-06-16 08:03:38.000000000 -0400 -+++ policycoreutils-2.0.84/sandbox/sandboxX.sh 2010-11-29 10:07:47.000000000 -0500 + selinux.setexeccon(self.__execcon) + rc = subprocess.Popen(self.__cmds).wait() +diff -up policycoreutils-2.0.83/sandbox/sandboxX.sh.rhat policycoreutils-2.0.83/sandbox/sandboxX.sh +--- policycoreutils-2.0.83/sandbox/sandboxX.sh.rhat 2010-06-16 08:04:12.000000000 -0400 ++++ policycoreutils-2.0.83/sandbox/sandboxX.sh 2010-12-07 09:23:49.000000000 -0500 @@ -1,13 +1,26 @@ #!/bin/bash context=`id -Z | secon -t -l -P` @@ -2433,9 +2428,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po export EXITCODE=$? kill -HUP 0 break -diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/seunshare.8 policycoreutils-2.0.84/sandbox/seunshare.8 ---- nsapolicycoreutils/sandbox/seunshare.8 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.84/sandbox/seunshare.8 2010-11-29 10:07:47.000000000 -0500 +diff -up policycoreutils-2.0.83/sandbox/seunshare.8.rhat policycoreutils-2.0.83/sandbox/seunshare.8 +--- policycoreutils-2.0.83/sandbox/seunshare.8.rhat 2010-12-07 09:23:49.000000000 -0500 ++++ policycoreutils-2.0.83/sandbox/seunshare.8 2010-12-07 09:23:49.000000000 -0500 @@ -0,0 +1,37 @@ +.TH SEUNSHARE "8" "May 2010" "seunshare" "User Commands" +.SH NAME 
@@ -2474,9 +2469,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po +.I Dan Walsh +and +.I Thomas Liu -diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/seunshare.c policycoreutils-2.0.84/sandbox/seunshare.c ---- nsapolicycoreutils/sandbox/seunshare.c 2010-06-16 08:03:38.000000000 -0400 -+++ policycoreutils-2.0.84/sandbox/seunshare.c 2010-11-29 10:07:47.000000000 -0500 +diff -up policycoreutils-2.0.83/sandbox/seunshare.c.rhat policycoreutils-2.0.83/sandbox/seunshare.c +--- policycoreutils-2.0.83/sandbox/seunshare.c.rhat 2010-06-16 08:04:12.000000000 -0400 ++++ policycoreutils-2.0.83/sandbox/seunshare.c 2010-12-07 09:23:49.000000000 -0500 @@ -1,13 +1,21 @@ +/* + * Authors: Dan Walsh @@ -2540,7 +2535,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po /* Change uid */ if (setresuid(uid, uid, uid)) { fprintf(stderr, _("Error changing uid, aborting.\n")); -@@ -134,42 +145,98 @@ +@@ -134,42 +145,98 @@ static int verify_shell(const char *shel static int seunshare_mount(const char *src, const char *dst, struct passwd *pwd) { if (verbose) printf("Mount %s on %s\n", src, dst); @@ -2644,7 +2639,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po {NULL, 0, 0, 0} }; -@@ -180,6 +247,12 @@ +@@ -180,6 +247,12 @@ int main(int argc, char **argv) { return -1; } @@ -2657,7 +2652,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po struct passwd *pwd=getpwuid(uid); if (!pwd) { perror(_("getpwduid failed")); -@@ -192,30 +265,30 @@ +@@ -192,30 +265,30 @@ int main(int argc, char **argv) { } while (1) { @@ -2697,7 +2692,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po default: fprintf(stderr, "%s\n", USAGE_STRING); return -1; -@@ -223,21 +296,179 @@ +@@ -223,21 +296,179 @@ int main(int argc, char **argv) { } if (! homedir_s && ! tmpdir_s) { 
@@ -2883,7 +2878,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po if (unshare(CLONE_NEWNS) < 0) { perror(_("Failed to unshare")); -@@ -286,11 +517,13 @@ +@@ -286,11 +517,13 @@ int main(int argc, char **argv) { exit(-1); } @@ -2902,7 +2897,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po } if (display) -@@ -305,17 +538,14 @@ +@@ -305,17 +538,14 @@ int main(int argc, char **argv) { perror(_("Failed to change dir to homedir")); exit(-1); } @@ -2921,19 +2916,19 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po - return status; } -diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/chcat policycoreutils-2.0.84/scripts/chcat ---- nsapolicycoreutils/scripts/chcat 2010-05-19 14:45:51.000000000 -0400 -+++ policycoreutils-2.0.84/scripts/chcat 2010-11-29 10:07:47.000000000 -0500 +diff -up policycoreutils-2.0.83/scripts/chcat.rhat policycoreutils-2.0.83/scripts/chcat +--- policycoreutils-2.0.83/scripts/chcat.rhat 2010-06-16 08:04:12.000000000 -0400 ++++ policycoreutils-2.0.83/scripts/chcat 2010-12-07 09:23:49.000000000 -0500 
@@ -1,4 +1,4 @@ -#! /usr/bin/python -E +#! /usr/bin/python -Es # Copyright (C) 2005 Red Hat # see file 'COPYING' for use and warranty information # -diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/fixfiles policycoreutils-2.0.84/scripts/fixfiles ---- nsapolicycoreutils/scripts/fixfiles 2010-05-19 14:45:51.000000000 -0400 -+++ policycoreutils-2.0.84/scripts/fixfiles 2010-11-29 10:07:47.000000000 -0500 -@@ -21,6 +21,25 @@ +diff -up policycoreutils-2.0.83/scripts/fixfiles.rhat policycoreutils-2.0.83/scripts/fixfiles +--- policycoreutils-2.0.83/scripts/fixfiles.rhat 2010-06-16 08:04:12.000000000 -0400 ++++ policycoreutils-2.0.83/scripts/fixfiles 2010-12-07 09:24:13.000000000 -0500 +@@ -21,6 +21,17 @@ # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA # @@ -2947,19 +2942,11 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po +done +} + -+exclude_dirs() { -+ exclude= -+ for i in /var/lib/BackupPC /home /tmp /dev; do -+ [ -e $i ] && exclude="$exclude -e $i"; -+ done -+ echo "$exclude" -+} -+ +# # Set global Variables # fullFlag=0 -@@ -35,9 +54,7 @@ +@@ -35,9 +46,7 @@ SYSLOGFLAG="-l" LOGGER=/usr/sbin/logger SETFILES=/sbin/setfiles RESTORECON=/sbin/restorecon @@ -2970,7 +2957,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po SELINUXTYPE="targeted" if [ -e /etc/selinux/config ]; then . /etc/selinux/config -@@ -87,23 +104,10 @@ +@@ -87,23 +96,10 @@ if [ -f ${PREFC} -a -x /usr/bin/diff ]; esac; \ fi; \ done | \ 
@@ -2979,7 +2966,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po - \( -wholename /home -o -wholename /root -o -wholename /tmp -wholename /dev \) -prune -o -print0"; \ - done 2> /dev/null | \ - ${RESTORECON} $* -0 -f - -+ ${RESTORECON} -f - -R -p `exclude_dirs`; \ ++ ${RESTORECON} -f - -R -p -e /var/lib/BackupPC -e /home -e /tmp -r /dev; \ rm -f ${TEMPFILE} ${PREFCTEMPFILE} fi } @@ -2995,7 +2982,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po rpmlist() { rpm -q --qf '[%{FILESTATES} %{FILENAMES}\n]' "$1" | grep '^0 ' | cut -f2- -d ' ' -@@ -121,23 +125,16 @@ +@@ -121,23 +117,16 @@ if [ ! -z "$PREFC" ]; then fi if [ ! -z "$RPMFILES" ]; then for i in `echo "$RPMFILES" | sed 's/,/ /g'`; do @@ -3022,7 +3009,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po rm -rf /tmp/gconfd-* /tmp/pulse-* /tmp/orbit-* find /tmp \( -context "*:file_t*" -o -context "*:unlabeled_t*" \) -exec chcon -t tmp_t {} \; find /var/tmp \( -context "*:file_t*" -o -context "*:unlabeled_t*" \) -exec chcon -t tmp_t {} \; -@@ -146,8 +143,7 @@ +@@ -146,8 +135,7 @@ exit $? fullrelabel() { logit "Cleaning out /tmp" @@ -3032,9 +3019,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po restore } -diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/genhomedircon.8 policycoreutils-2.0.84/scripts/genhomedircon.8 ---- nsapolicycoreutils/scripts/genhomedircon.8 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.84/scripts/genhomedircon.8 2010-11-29 10:07:47.000000000 -0500 +diff -up policycoreutils-2.0.83/scripts/genhomedircon.8.rhat policycoreutils-2.0.83/scripts/genhomedircon.8 +--- policycoreutils-2.0.83/scripts/genhomedircon.8.rhat 2010-12-07 09:23:49.000000000 -0500 ++++ policycoreutils-2.0.83/scripts/genhomedircon.8 2010-12-07 09:23:49.000000000 -0500 
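Review bot: The last exclusion on the new restorecon line is passed as `-r /dev` while its three siblings use `-e`; restorecon treats `-r` as a synonym for `-R` (recursive), so `/dev` becomes a positional path to relabel instead of an excluded one. The `exclude_dirs` helper this revision removes (hunk `@@ -2947,19 +2942,11 @@`) emitted `-e` for every entry, which makes this look like a typo: `${RESTORECON} -f - -R -p -e /var/lib/BackupPC -e /home -e /tmp -e /dev; \`. That helper also only listed paths that exist on the host; whether restorecon tolerates a missing `-e` path or aborts the whole relabel is worth confirming before relying on the hard-coded list. The enclosing shell function starts outside the hunk.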
@@ -0,0 +1,37 @@ +.\" Hey, Emacs! This is an -*- nroff -*- source file. +.\" Copyright (c) 2010 Dan Walsh @@ -3073,10 +3060,10 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po +.SH AUTHOR +This manual page was written by +.I Dan Walsh -diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/Makefile policycoreutils-2.0.84/scripts/Makefile ---- nsapolicycoreutils/scripts/Makefile 2010-05-19 14:45:51.000000000 -0400 -+++ policycoreutils-2.0.84/scripts/Makefile 2010-11-29 10:07:47.000000000 -0500 -@@ -14,6 +14,7 @@ +diff -up policycoreutils-2.0.83/scripts/Makefile.rhat policycoreutils-2.0.83/scripts/Makefile +--- policycoreutils-2.0.83/scripts/Makefile.rhat 2010-06-16 08:04:12.000000000 -0400 ++++ policycoreutils-2.0.83/scripts/Makefile 2010-12-07 09:23:49.000000000 -0500 +@@ -14,6 +14,7 @@ install: all install -m 755 genhomedircon $(SBINDIR) -mkdir -p $(MANDIR)/man8 install -m 644 fixfiles.8 $(MANDIR)/man8/ @@ -3084,9 +3071,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po install -m 644 chcat.8 $(MANDIR)/man8/ clean: -diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/severify.py policycoreutils-2.0.84/scripts/severify.py ---- nsapolicycoreutils/scripts/severify.py 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.84/scripts/severify.py 2010-11-29 10:07:47.000000000 -0500 +diff -up policycoreutils-2.0.83/scripts/severify.py.rhat policycoreutils-2.0.83/scripts/severify.py +--- policycoreutils-2.0.83/scripts/severify.py.rhat 2010-12-07 09:23:49.000000000 -0500 ++++ policycoreutils-2.0.83/scripts/severify.py 2010-12-07 09:23:49.000000000 -0500 @@ -0,0 +1,21 @@ +#! /usr/bin/python -Es +import seobject 
@@ -3109,9 +3096,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po +#setools.sesearch([ setools.ALLOW ], { setools.SCONTEXT:"rwho_t", setools.TCONTEXT:"rwho_spool_t" } ) +#mod.enable("zebra") + -diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/default_encoding/default_encoding.c policycoreutils-2.0.84/semanage/default_encoding/default_encoding.c ---- nsapolicycoreutils/semanage/default_encoding/default_encoding.c 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.84/semanage/default_encoding/default_encoding.c 2010-11-29 10:07:47.000000000 -0500 +diff -up policycoreutils-2.0.83/semanage/default_encoding/default_encoding.c.rhat policycoreutils-2.0.83/semanage/default_encoding/default_encoding.c +--- policycoreutils-2.0.83/semanage/default_encoding/default_encoding.c.rhat 2010-12-07 09:23:49.000000000 -0500 ++++ policycoreutils-2.0.83/semanage/default_encoding/default_encoding.c 2010-12-07 09:23:49.000000000 -0500 @@ -0,0 +1,59 @@ +/* + * Authors: 
@@ -3172,9 +3159,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 + PyUnicode_SetDefaultEncoding("utf-8");
 + m = Py_InitModule3("default_encoding_utf8", methods, "Forces the default encoding to utf-8");
 +}
-diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/default_encoding/Makefile policycoreutils-2.0.84/semanage/default_encoding/Makefile
---- nsapolicycoreutils/semanage/default_encoding/Makefile 1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.84/semanage/default_encoding/Makefile 2010-11-29 10:07:47.000000000 -0500
+diff -up policycoreutils-2.0.83/semanage/default_encoding/Makefile.rhat policycoreutils-2.0.83/semanage/default_encoding/Makefile
+--- policycoreutils-2.0.83/semanage/default_encoding/Makefile.rhat 2010-12-07 09:23:49.000000000 -0500
++++ policycoreutils-2.0.83/semanage/default_encoding/Makefile 2010-12-07 09:23:49.000000000 -0500
 @@ -0,0 +1,8 @@
 +all:
 + LDFLAGS="" python setup.py build
@@ -3184,9 +3171,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 +
 +clean:
 + rm -rf build *~
-diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/default_encoding/policycoreutils/__init__.py policycoreutils-2.0.84/semanage/default_encoding/policycoreutils/__init__.py
---- nsapolicycoreutils/semanage/default_encoding/policycoreutils/__init__.py 1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.84/semanage/default_encoding/policycoreutils/__init__.py 2010-11-29 10:07:47.000000000 -0500
+diff -up policycoreutils-2.0.83/semanage/default_encoding/policycoreutils/__init__.py.rhat policycoreutils-2.0.83/semanage/default_encoding/policycoreutils/__init__.py
+--- policycoreutils-2.0.83/semanage/default_encoding/policycoreutils/__init__.py.rhat 2010-12-07 09:23:49.000000000 -0500
++++ policycoreutils-2.0.83/semanage/default_encoding/policycoreutils/__init__.py 2010-12-07 09:23:49.000000000 -0500
 @@ -0,0 +1,17 @@
 +#
 +# Copyright (C) 2006,2007,2008, 2009 Red Hat, Inc.
@@ -3205,9 +3192,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 +# along with this program; if not, write to the Free Software
 +# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
 +#
-diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/default_encoding/setup.py policycoreutils-2.0.84/semanage/default_encoding/setup.py
---- nsapolicycoreutils/semanage/default_encoding/setup.py 1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.84/semanage/default_encoding/setup.py 2010-11-29 10:07:47.000000000 -0500
+diff -up policycoreutils-2.0.83/semanage/default_encoding/setup.py.rhat policycoreutils-2.0.83/semanage/default_encoding/setup.py
+--- policycoreutils-2.0.83/semanage/default_encoding/setup.py.rhat 2010-12-07 09:23:49.000000000 -0500
++++ policycoreutils-2.0.83/semanage/default_encoding/setup.py 2010-12-07 09:23:49.000000000 -0500
 @@ -0,0 +1,38 @@
 +# Authors:
 +# John Dennis
@@ -3247,9 +3234,218 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po + ext_modules = [default_encoding_utf8], + packages=["policycoreutils"], +) -diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/semanage policycoreutils-2.0.84/semanage/semanage ---- nsapolicycoreutils/semanage/semanage 2010-05-19 14:45:51.000000000 -0400 -+++ policycoreutils-2.0.84/semanage/semanage 2010-11-29 10:07:47.000000000 -0500 +diff -up policycoreutils-2.0.83/semanage/semanage.8.rhat policycoreutils-2.0.83/semanage/semanage.8 +--- policycoreutils-2.0.83/semanage/semanage.8.rhat 2010-06-16 08:04:12.000000000 -0400 ++++ policycoreutils-2.0.83/semanage/semanage.8 2010-12-07 09:23:49.000000000 -0500 +@@ -1,29 +1,69 @@ +-.TH "semanage" "8" "2005111103" "" "" ++.TH "semanage" "8" "20100223" "" "" + .SH "NAME" + semanage \- SELinux Policy Management tool + + .SH "SYNOPSIS" +-.B semanage {boolean|login|user|port|interface|node|fcontext} \-{l|D} [\-n] [\-S store] ++Output local customizations + .br +-.B semanage boolean \-{d|m} [\-\-on|\-\-off|\-1|\-0] -F boolean | boolean_file ++.B semanage [ -S store ] -o [ output_file | - ] ++ ++Input local customizations + .br +-.B semanage login \-{a|d|m} [\-sr] login_name | %groupname ++.B semanage [ -S store ] -i [ input_file | - ] ++ ++Manage booleans. Booleans allow the administrator to modify the confinement of ++processes based on his configuration. + .br +-.B semanage user \-{a|d|m} [\-LrRP] selinux_name ++.B semanage boolean [\-S store] \-{d|m|l|n|D} \-[\-on|\-off|\1|0] -F boolean | boolean_file ++ ++Manage SELinux confined users (Roles and levels for an SELinux user) ++.br ++.B semanage user [\-S store] \-{a|d|m|l|n|D} [\-LrRP] selinux_name ++ ++Manage login mappings between linux users and SELinux confined users. ++.br ++.B semanage login [\-S store] \-{a|d|m|l|n|D} [\-sr] login_name | %groupname ++ ++Manage policy modules. 
++.br ++.B semanage module [\-S store] \-{a|d|l} [-m [--enable | --disable] ] module_name ++ ++Manage network port type definitions ++.br ++.B semanage port [\-S store] \-{a|d|m|l|n|D} [\-tr] [\-p proto] port | port_range ++.br ++ ++Manage network interface type definitions ++.br ++.B semanage interface [\-S store] \-{a|d|m|l|n|D} [\-tr] interface_spec ++ ++Manage network node type definitions ++.br ++.B semanage node [\-S store] -{a|d|m|l|n|D} [-tr] [ -p protocol ] [-M netmask] address ++.br ++ ++Manage file context mapping definitions + .br +-.B semanage port \-{a|d|m} [\-tr] [\-p proto] port | port_range ++.B semanage fcontext [\-S store] \-{a|d|m|l|n|D} [\-frst] file_spec + .br +-.B semanage interface \-{a|d|m} [\-tr] interface_spec ++.B semanage fcontext [\-S store] \-{a|d|m|l|n|D} \-e replacement target + .br +-.B semanage node -{a|d|m} [-tr] [ -p protocol ] [-M netmask] address ++ ++Manage processes type enforcement mode + .br +-.B semanage fcontext \-{a|d|m} [\-frst] file_spec ++.B semanage permissive [\-S store] \-{a|d|l|n|D} type + .br +-.B semanage permissive \-{a|d} type ++ ++Disable/Enable dontaudit rules in policy + .br +-.B semanage dontaudit [ on | off ] ++.B semanage dontaudit [\-S store] [ on | off ] + .P + ++Execute multiple commands within a single transaction. ++.br ++.B semanage [\-S store] \-i command-file ++.br ++ + .SH "DESCRIPTION" + semanage is used to configure certain elements of + SELinux policy without requiring modification to or recompilation +@@ -52,6 +92,22 @@ Delete a OBJECT record NAME + .I \-D, \-\-deleteall + Remove all OBJECTS local customizations + .TP ++.I \-\-disable ++Disable a policy module, requires -m option ++ ++Currently modules only. ++.TP ++.I \-\-enable ++Enable a disabled policy module, requires -m option ++ ++Currently modules only. ++.TP ++.I \-e, \-\-equal ++Substitute target path with sourcepath when generating default label. This is used with ++fcontext. Requires source and target path arguments. 
The context ++labeling for the target subtree is made equivalent to that ++defined for the source. ++.TP + .I \-f, \-\-ftype + File Type. This is used with fcontext. + Requires a file type as shown in the mode field by ls, e.g. use -d to match only directories or -- to match only regular files. +@@ -60,6 +116,7 @@ Requires a file type as shown in the mod + Set multiple records from the input file. When used with the \-l \-\-list, it will output the current settings to stdout in the proper format. + + Currently booleans only. ++ + .TP + .I \-h, \-\-help + display this message +@@ -76,6 +133,9 @@ Default SELinux Level for SELinux use, s + .I \-m, \-\-modify + Modify a OBJECT record NAME + .TP ++.I \-M, \-\-mask ++Network Mask ++.TP + .I \-n, \-\-noheading + Do not print heading when listing OBJECTS. + .TP +@@ -99,26 +159,67 @@ Select and alternate SELinux store to ma + .TP + .I \-t, \-\-type + SELinux Type for the object ++.TP ++.I \-i, \-\-input ++Take a set of commands from a specified file and load them in a single ++transaction. + + .SH EXAMPLE + .nf +-# View SELinux user mappings +-$ semanage user -l +-# Allow joe to login as staff_u +-$ semanage login -a -s staff_u joe +-# Allow the group clerks to login as user_u +-$ semanage login -a -s user_u %clerks +-# Add file-context for everything under /web (used by restorecon) +-$ semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?" 
+-# Allow Apache to listen on port 81 +-$ semanage port -a -t http_port_t -p tcp 81 +-# Change apache to a permissive domain +-$ semanage permissive -a httpd_t +-# Turn off dontaudit rules +-$ semanage dontaudit off ++.B SELinux user ++List SELinux users ++# semanage user -l ++ ++.B SELinux login ++Change joe to login as staff_u ++# semanage login -a -s staff_u joe ++Change the group clerks to login as user_u ++# semanage login -a -s user_u %clerks ++ ++.B File contexts ++.i remember to run restorecon after you set the file context ++Add file-context for everything under /web ++# semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?" ++# restorecon -R -v /web ++ ++Substitute /home1 with /home when setting file context ++# semanage fcontext -a -e /home /home1 ++# restorecon -R -v /home1 ++ ++For home directories under top level directory, for example /disk6/home, ++execute the following commands. ++# semanage fcontext -a -t home_root_t "/disk6" ++# semanage fcontext -a -e /home /disk6/home ++# restorecon -R -v /disk6 ++ ++.B Port contexts ++Allow Apache to listen on tcp port 81 ++# semanage port -a -t http_port_t -p tcp 81 ++ ++.B Change apache to a permissive domain ++# semanage permissive -a httpd_t ++ ++.B Turn off dontaudit rules ++# semanage dontaudit off ++ ++.B Managing multiple machines ++Multiple machines that need the same customizations. ++Extract customizations off first machine, copy them ++to second and import them. ++ ++# semanage -o /tmp/local.selinux ++# scp /tmp/local.selinux secondmachine:/tmp ++# ssh secondmachine ++# semanage -i /tmp/local.selinux ++ ++If these customizations include file context, you need to apply the ++context using restorecon. ++ + .fi + + .SH "AUTHOR" +-This man page was written by Daniel Walsh and +-Russell Coker . ++This man page was written by Daniel Walsh ++.br ++and Russell Coker . ++.br + Examples by Thomas Bleher . 
+diff -up policycoreutils-2.0.83/semanage/semanage.rhat policycoreutils-2.0.83/semanage/semanage +--- policycoreutils-2.0.83/semanage/semanage.rhat 2010-06-16 08:04:12.000000000 -0400 ++++ policycoreutils-2.0.83/semanage/semanage 2010-12-07 09:23:49.000000000 -0500 @@ -1,4 +1,4 @@ -#! /usr/bin/python -E +#! /usr/bin/python -Es @@ -3264,7 +3460,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po import sys, getopt, re import seobject import selinux -@@ -32,27 +33,36 @@ +@@ -32,27 +33,36 @@ gettext.textdomain(PROGNAME) try: gettext.install(PROGNAME, localedir="/usr/share/locale", @@ -3306,7 +3502,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po semanage dontaudit [ on | off ] Primary Options: -@@ -61,7 +71,9 @@ +@@ -61,7 +71,9 @@ Primary Options: -d, --delete Delete a OBJECT record NAME -m, --modify Modify a OBJECT record NAME -i, --input Input multiple semange commands in a transaction @@ -3316,7 +3512,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -C, --locallist List OBJECTS local customizations -D, --deleteall Remove all OBJECTS local customizations -@@ -84,12 +96,15 @@ +@@ -84,12 +96,15 @@ Object-specific Options (see above): -F, --file Treat target as an input file for command, change multiple settings -p, --proto Port protocol (tcp or udp) or internet protocol version of node (ipv4 or ipv6) -M, --mask Netmask @@ -3332,7 +3528,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po """) raise ValueError("%s\n%s" % (text, message)) -@@ -101,7 +116,7 @@ +@@ -101,7 +116,7 @@ Object-specific Options (see above): def get_options(): valid_option={} 
@@ -3341,7 +3537,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po valid_option["login"] = [] valid_option["login"] += valid_everyone + [ '-s', '--seuser', '-r', '--range'] valid_option["user"] = [] -@@ -112,8 +127,10 @@ +@@ -112,8 +127,10 @@ Object-specific Options (see above): valid_option["interface"] += valid_everyone + [ '-t', '--type', '-r', '--range'] valid_option["node"] = [] valid_option["node"] += valid_everyone + [ '-M', '--mask', '-t', '--type', '-r', '--range', '-p', '--protocol'] @@ -3353,7 +3549,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po valid_option["dontaudit"] = [ '-S', '--store' ] valid_option["boolean"] = [] valid_option["boolean"] += valid_everyone + [ '--on', "--off", "-1", "-0", "-F", "--file"] -@@ -168,6 +185,8 @@ +@@ -168,6 +185,8 @@ Object-specific Options (see above): return ret def process_args(argv): @@ -3362,7 +3558,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po serange = "" port = "" proto = "" -@@ -184,11 +203,17 @@ +@@ -184,11 +203,17 @@ Object-specific Options (see above): modify = False delete = False deleteall = False @@ -3380,7 +3576,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po object = argv[0] option_dict=get_options() if object not in option_dict.keys(): -@@ -197,10 +222,14 @@ +@@ -197,10 +222,14 @@ Object-specific Options (see above): args = argv[1:] gopts, cmds = getopt.getopt(args, @@ -3396,7 +3592,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po 'ftype=', 'file', 'help', -@@ -225,29 +254,47 @@ +@@ -225,29 +254,47 @@ Object-specific Options (see above): for o, a in gopts: if o not in option_dict[object]: sys.stderr.write(_("%s not valid for %s objects\n") % ( o, object) ); 
@@ -3451,7 +3647,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po if o == "-n" or o == "--noheading": heading = False -@@ -256,8 +303,7 @@ +@@ -256,8 +303,7 @@ Object-specific Options (see above): locallist = True if o == "-m"or o == "--modify": @@ -3461,7 +3657,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po modify = True if o == "-S" or o == '--store': -@@ -292,8 +338,10 @@ +@@ -292,8 +338,10 @@ Object-specific Options (see above): if o == "--on" or o == "-1": value = "on" @@ -3472,7 +3668,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po if object == "login": OBJECT = seobject.loginRecords(store) -@@ -315,6 +363,11 @@ +@@ -315,6 +363,11 @@ Object-specific Options (see above): if object == "boolean": OBJECT = seobject.booleanRecords(store) @@ -3484,7 +3680,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po if object == "permissive": OBJECT = seobject.permissiveRecords(store) -@@ -330,65 +383,97 @@ +@@ -330,65 +383,97 @@ Object-specific Options (see above): OBJECT.deleteall() return @@ -3594,7 +3790,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po if delete: if object == "port": OBJECT.delete(target, proto) -@@ -401,15 +486,14 @@ +@@ -401,15 +486,14 @@ Object-specific Options (see above): else: OBJECT.delete(target) @@ -3612,7 +3808,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po input = None store = "" -@@ -417,7 +501,7 @@ +@@ -417,7 +501,7 @@ Object-specific Options (see above): usage(_("Requires 2 or more arguments")) gopts, cmds = getopt.getopt(sys.argv[1:], @@ -3621,7 +3817,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po ['add', 'delete', 'deleteall', -@@ -431,6 +515,7 @@ +@@ -431,6 +515,7 @@ Object-specific Options (see above): 'localist', 'off', 'on', 
@@ -3629,7 +3825,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po 'proto=', 'seuser=', 'store=', -@@ -438,6 +523,7 @@ +@@ -438,6 +523,7 @@ Object-specific Options (see above): 'level=', 'roles=', 'type=', @@ -3637,7 +3833,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po 'prefix=' ]) for o, a in gopts: -@@ -445,6 +531,16 @@ +@@ -445,6 +531,16 @@ Object-specific Options (see above): store = a if o == "-i" or o == '--input': input = a 
@@ -3654,225 +3850,16 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po if input != None: if input == "-": -@@ -467,3 +563,5 @@ +@@ -467,3 +563,5 @@ Object-specific Options (see above): errorExit(_("Invalid value %s") % error.args[0]) except IOError, error: errorExit(error.args[1]) + except OSError, error: + errorExit(error.args[1]) -diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/semanage.8 policycoreutils-2.0.84/semanage/semanage.8 ---- nsapolicycoreutils/semanage/semanage.8 2010-05-19 14:45:51.000000000 -0400 -+++ policycoreutils-2.0.84/semanage/semanage.8 2010-11-29 10:07:47.000000000 -0500 -@@ -1,29 +1,69 @@ --.TH "semanage" "8" "2005111103" "" "" -+.TH "semanage" "8" "20100223" "" "" - .SH "NAME" - semanage \- SELinux Policy Management tool - - .SH "SYNOPSIS" --.B semanage {boolean|login|user|port|interface|node|fcontext} \-{l|D} [\-n] [\-S store] -+Output local customizations - .br --.B semanage boolean \-{d|m} [\-\-on|\-\-off|\-1|\-0] -F boolean | boolean_file -+.B semanage [ -S store ] -o [ output_file | - ] -+ -+Input local customizations - .br --.B semanage login \-{a|d|m} [\-sr] login_name | %groupname -+.B semanage [ -S store ] -i [ input_file | - ] -+ -+Manage booleans. Booleans allow the administrator to modify the confinement of -+processes based on his configuration. - .br --.B semanage user \-{a|d|m} [\-LrRP] selinux_name -+.B semanage boolean [\-S store] \-{d|m|l|n|D} \-[\-on|\-off|\1|0] -F boolean | boolean_file -+ -+Manage SELinux confined users (Roles and levels for an SELinux user) -+.br -+.B semanage user [\-S store] \-{a|d|m|l|n|D} [\-LrRP] selinux_name -+ -+Manage login mappings between linux users and SELinux confined users. -+.br -+.B semanage login [\-S store] \-{a|d|m|l|n|D} [\-sr] login_name | %groupname -+ -+Manage policy modules. 
-+.br -+.B semanage module [\-S store] \-{a|d|l} [-m [--enable | --disable] ] module_name -+ -+Manage network port type definitions -+.br -+.B semanage port [\-S store] \-{a|d|m|l|n|D} [\-tr] [\-p proto] port | port_range -+.br -+ -+Manage network interface type definitions -+.br -+.B semanage interface [\-S store] \-{a|d|m|l|n|D} [\-tr] interface_spec -+ -+Manage network node type definitions -+.br -+.B semanage node [\-S store] -{a|d|m|l|n|D} [-tr] [ -p protocol ] [-M netmask] address -+.br -+ -+Manage file context mapping definitions - .br --.B semanage port \-{a|d|m} [\-tr] [\-p proto] port | port_range -+.B semanage fcontext [\-S store] \-{a|d|m|l|n|D} [\-frst] file_spec - .br --.B semanage interface \-{a|d|m} [\-tr] interface_spec -+.B semanage fcontext [\-S store] \-{a|d|m|l|n|D} \-e replacement target - .br --.B semanage node -{a|d|m} [-tr] [ -p protocol ] [-M netmask] address -+ -+Manage processes type enforcement mode - .br --.B semanage fcontext \-{a|d|m} [\-frst] file_spec -+.B semanage permissive [\-S store] \-{a|d|l|n|D} type - .br --.B semanage permissive \-{a|d} type -+ -+Disable/Enable dontaudit rules in policy - .br --.B semanage dontaudit [ on | off ] -+.B semanage dontaudit [\-S store] [ on | off ] - .P - -+Execute multiple commands within a single transaction. -+.br -+.B semanage [\-S store] \-i command-file -+.br -+ - .SH "DESCRIPTION" - semanage is used to configure certain elements of - SELinux policy without requiring modification to or recompilation -@@ -52,6 +92,22 @@ - .I \-D, \-\-deleteall - Remove all OBJECTS local customizations - .TP -+.I \-\-disable -+Disable a policy module, requires -m option -+ -+Currently modules only. -+.TP -+.I \-\-enable -+Enable a disabled policy module, requires -m option -+ -+Currently modules only. -+.TP -+.I \-e, \-\-equal -+Substitute target path with sourcepath when generating default label. This is used with -+fcontext. Requires source and target path arguments. 
The context -+labeling for the target subtree is made equivalent to that -+defined for the source. -+.TP - .I \-f, \-\-ftype - File Type. This is used with fcontext. - Requires a file type as shown in the mode field by ls, e.g. use -d to match only directories or -- to match only regular files. -@@ -60,6 +116,7 @@ - Set multiple records from the input file. When used with the \-l \-\-list, it will output the current settings to stdout in the proper format. - - Currently booleans only. -+ - .TP - .I \-h, \-\-help - display this message -@@ -76,6 +133,9 @@ - .I \-m, \-\-modify - Modify a OBJECT record NAME - .TP -+.I \-M, \-\-mask -+Network Mask -+.TP - .I \-n, \-\-noheading - Do not print heading when listing OBJECTS. - .TP -@@ -99,26 +159,67 @@ - .TP - .I \-t, \-\-type - SELinux Type for the object -+.TP -+.I \-i, \-\-input -+Take a set of commands from a specified file and load them in a single -+transaction. - - .SH EXAMPLE - .nf --# View SELinux user mappings --$ semanage user -l --# Allow joe to login as staff_u --$ semanage login -a -s staff_u joe --# Allow the group clerks to login as user_u --$ semanage login -a -s user_u %clerks --# Add file-context for everything under /web (used by restorecon) --$ semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?" --# Allow Apache to listen on port 81 --$ semanage port -a -t http_port_t -p tcp 81 --# Change apache to a permissive domain --$ semanage permissive -a httpd_t --# Turn off dontaudit rules --$ semanage dontaudit off -+.B SELinux user -+List SELinux users -+# semanage user -l -+ -+.B SELinux login -+Change joe to login as staff_u -+# semanage login -a -s staff_u joe -+Change the group clerks to login as user_u -+# semanage login -a -s user_u %clerks -+ -+.B File contexts -+.i remember to run restorecon after you set the file context -+Add file-context for everything under /web -+# semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?" 
-+# restorecon -R -v /web -+ -+Substitute /home1 with /home when setting file context -+# semanage fcontext -a -e /home /home1 -+# restorecon -R -v /home1 -+ -+For home directories under top level directory, for example /disk6/home, -+execute the following commands. -+# semanage fcontext -a -t home_root_t "/disk6" -+# semanage fcontext -a -e /home /disk6/home -+# restorecon -R -v /disk6 -+ -+.B Port contexts -+Allow Apache to listen on tcp port 81 -+# semanage port -a -t http_port_t -p tcp 81 -+ -+.B Change apache to a permissive domain -+# semanage permissive -a httpd_t -+ -+.B Turn off dontaudit rules -+# semanage dontaudit off -+ -+.B Managing multiple machines -+Multiple machines that need the same customizations. -+Extract customizations off first machine, copy them -+to second and import them. -+ -+# semanage -o /tmp/local.selinux -+# scp /tmp/local.selinux secondmachine:/tmp -+# ssh secondmachine -+# semanage -i /tmp/local.selinux -+ -+If these customizations include file context, you need to apply the -+context using restorecon. -+ - .fi - - .SH "AUTHOR" --This man page was written by Daniel Walsh and --Russell Coker . -+This man page was written by Daniel Walsh -+.br -+and Russell Coker . -+.br - Examples by Thomas Bleher . 
-diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/seobject.py policycoreutils-2.0.84/semanage/seobject.py ---- nsapolicycoreutils/semanage/seobject.py 2010-05-19 14:45:51.000000000 -0400 -+++ policycoreutils-2.0.84/semanage/seobject.py 2010-11-29 10:07:47.000000000 -0500 -@@ -29,47 +29,12 @@ +diff -up policycoreutils-2.0.83/semanage/seobject.py.rhat policycoreutils-2.0.83/semanage/seobject.py +--- policycoreutils-2.0.83/semanage/seobject.py.rhat 2010-06-16 08:04:12.000000000 -0400 ++++ policycoreutils-2.0.83/semanage/seobject.py 2010-12-07 09:23:49.000000000 -0500 +@@ -29,47 +29,12 @@ import sepolgen.module as module import gettext gettext.bindtextdomain(PROGNAME, "/usr/share/locale") gettext.textdomain(PROGNAME) @@ -3924,7 +3911,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po file_types = {} file_types[""] = SEMANAGE_FCONTEXT_ALL; -@@ -194,44 +159,153 @@ +@@ -194,44 +159,153 @@ def untranslate(trans, prepend = 1): return trans else: return raw @@ -4092,7 +4079,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po class dontauditClass(semanageRecords): def __init__(self, store): -@@ -259,14 +333,23 @@ +@@ -259,14 +333,23 @@ class permissiveRecords(semanageRecords) name = semanage_module_get_name(mod) if name and name.startswith("permissive_"): l.append(name.split("permissive_")[1]) @@ -4120,7 +4107,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po def add(self, type): import glob -@@ -343,7 +426,9 @@ +@@ -343,7 +426,9 @@ class loginRecords(semanageRecords): if rc < 0: raise ValueError(_("Could not check if login mapping for %s is defined") % name) if exists: 
@@ -4131,7 +4118,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po if name[0] == '%': try: grp.getgrnam(name[1:]) -@@ -475,6 +560,16 @@ +@@ -475,6 +560,16 @@ class loginRecords(semanageRecords): mylog.log(1, "delete SELinux user mapping", name); @@ -4148,7 +4135,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po def get_all(self, locallist = 0): ddict = {} if locallist: -@@ -489,6 +584,15 @@ +@@ -489,6 +584,15 @@ class loginRecords(semanageRecords): ddict[name] = (semanage_seuser_get_sename(u), semanage_seuser_get_mlsrange(u)) return ddict @@ -4164,7 +4151,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po def list(self,heading = 1, locallist = 0): ddict = self.get_all(locallist) keys = ddict.keys() -@@ -531,7 +635,8 @@ +@@ -531,7 +635,8 @@ class seluserRecords(semanageRecords): if rc < 0: raise ValueError(_("Could not check if SELinux user %s is defined") % name) if exists: @@ -4174,7 +4161,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po (rc, u) = semanage_user_create(self.sh) if rc < 0: -@@ -682,6 +787,16 @@ +@@ -682,6 +787,16 @@ class seluserRecords(semanageRecords): mylog.log(1,"delete SELinux user record", name) @@ -4191,7 +4178,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po def get_all(self, locallist = 0): ddict = {} if locallist: -@@ -702,6 +817,15 @@ +@@ -702,6 +817,15 @@ class seluserRecords(semanageRecords): return ddict @@ -4207,7 +4194,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po def list(self, heading = 1, locallist = 0): ddict = self.get_all(locallist) keys = ddict.keys() -@@ -740,12 +864,16 @@ +@@ -740,12 +864,16 @@ class portRecords(semanageRecords): low = int(ports[0]) high = int(ports[1]) 
@@ -4224,7 +4211,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po if is_mls_enabled == 1: if serange == "": serange = "s0" -@@ -808,6 +936,7 @@ +@@ -808,6 +936,7 @@ class portRecords(semanageRecords): self.commit() def __modify(self, port, proto, serange, setype): @@ -4232,7 +4219,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po if serange == "" and setype == "": if is_mls_enabled == 1: raise ValueError(_("Requires setype or serange")) -@@ -942,6 +1071,18 @@ +@@ -942,6 +1071,18 @@ class portRecords(semanageRecords): ddict[(ctype,proto_str)].append("%d-%d" % (low, high)) return ddict @@ -4251,7 +4238,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po def list(self, heading = 1, locallist = 0): if heading: print "%-30s %-8s %s\n" % (_("SELinux Port Type"), _("Proto"), _("Port Number")) -@@ -958,7 +1099,8 @@ +@@ -958,7 +1099,8 @@ class portRecords(semanageRecords): class nodeRecords(semanageRecords): def __init__(self, store = ""): semanageRecords.__init__(self,store) @@ -4261,7 +4248,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po def __add(self, addr, mask, proto, serange, ctype): if addr == "": raise ValueError(_("Node Address is required")) -@@ -966,14 +1108,11 @@ +@@ -966,14 +1108,11 @@ class nodeRecords(semanageRecords): if mask == "": raise ValueError(_("Node Netmask is required")) @@ -4279,7 +4266,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po if is_mls_enabled == 1: if serange == "": serange = "s0" -@@ -991,11 +1130,13 @@ +@@ -991,11 +1130,13 @@ class nodeRecords(semanageRecords): (rc, exists) = semanage_node_exists(self.sh, k) if exists: 
@@ -4294,7 +4281,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po rc = semanage_node_set_addr(self.sh, node, proto, addr) (rc, con) = semanage_context_create(self.sh) -@@ -1005,8 +1146,7 @@ +@@ -1005,8 +1146,7 @@ class nodeRecords(semanageRecords): rc = semanage_node_set_mask(self.sh, node, proto, mask) if rc < 0: raise ValueError(_("Could not set mask for %s") % addr) @@ -4304,7 +4291,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po rc = semanage_context_set_user(self.sh, con, "system_u") if rc < 0: raise ValueError(_("Could not set user in addr context for %s") % addr) -@@ -1047,13 +1187,10 @@ +@@ -1047,13 +1187,10 @@ class nodeRecords(semanageRecords): if mask == "": raise ValueError(_("Node Netmask is required")) @@ -4322,7 +4309,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po if serange == "" and setype == "": raise ValueError(_("Requires setype or serange")) -@@ -1068,12 +1205,11 @@ +@@ -1068,12 +1205,11 @@ class nodeRecords(semanageRecords): if not exists: raise ValueError(_("Addr %s is not defined") % addr) @@ -4336,7 +4323,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po if serange != "": semanage_context_set_mls(self.sh, con, untranslate(serange)) if setype != "": -@@ -1098,11 +1234,9 @@ +@@ -1098,11 +1234,9 @@ class nodeRecords(semanageRecords): if mask == "": raise ValueError(_("Node Netmask is required")) @@ -4351,7 +4338,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po raise ValueError(_("Unknown or missing protocol")) (rc, k) = semanage_node_key_create(self.sh, addr, mask, proto) -@@ -1132,6 +1266,16 @@ +@@ -1132,6 +1266,16 @@ class nodeRecords(semanageRecords): self.__delete(addr, mask, proto) self.commit() 
@@ -4368,7 +4355,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po def get_all(self, locallist = 0): ddict = {} if locallist : -@@ -1145,15 +1289,20 @@ +@@ -1145,15 +1289,20 @@ class nodeRecords(semanageRecords): con = semanage_node_get_con(node) addr = semanage_node_get_addr(self.sh, node) mask = semanage_node_get_mask(self.sh, node) @@ -4394,7 +4381,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po def list(self, heading = 1, locallist = 0): if heading: print "%-18s %-18s %-5s %-5s\n" % ("IP Address", "Netmask", "Protocol", "Context") -@@ -1193,7 +1342,8 @@ +@@ -1193,7 +1342,8 @@ class interfaceRecords(semanageRecords): if rc < 0: raise ValueError(_("Could not check if interface %s is defined") % interface) if exists: @@ -4404,7 +4391,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po (rc, iface) = semanage_iface_create(self.sh) if rc < 0: -@@ -1307,6 +1457,16 @@ +@@ -1307,6 +1457,16 @@ class interfaceRecords(semanageRecords): self.__delete(interface) self.commit() @@ -4421,7 +4408,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po def get_all(self, locallist = 0): ddict = {} if locallist: -@@ -1322,6 +1482,15 @@ +@@ -1322,6 +1482,15 @@ class interfaceRecords(semanageRecords): return ddict @@ -4437,7 +4424,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po def list(self, heading = 1, locallist = 0): if heading: print "%-30s %s\n" % (_("SELinux Interface"), _("Context")) -@@ -1338,6 +1507,48 @@ +@@ -1338,6 +1507,48 @@ class interfaceRecords(semanageRecords): class fcontextRecords(semanageRecords): def __init__(self, store = ""): semanageRecords.__init__(self, store) 
@@ -4486,7 +4473,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 def createcon(self, target, seuser = "system_u"):
 (rc, con) = semanage_context_create(self.sh)
-@@ -1364,6 +1575,8 @@
+@@ -1364,6 +1575,8 @@ class fcontextRecords(semanageRecords):
 def validate(self, target):
 if target == "" or target.find("\n") >= 0:
 raise ValueError(_("Invalid file specification"))
@@ -4495,7 +4482,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 def __add(self, target, type, ftype = "", serange = "", seuser = "system_u"):
 self.validate(target)
-@@ -1388,7 +1601,8 @@
+@@ -1388,7 +1601,8 @@ class fcontextRecords(semanageRecords):
 raise ValueError(_("Could not check if file context for %s is defined") % target)
 if exists:
@@ -4505,7 +4492,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 (rc, fcontext) = semanage_fcontext_create(self.sh)
 if rc < 0:
-@@ -1504,9 +1718,16 @@
+@@ -1504,9 +1718,16 @@ class fcontextRecords(semanageRecords):
 raise ValueError(_("Could not delete the file context %s") % target)
 semanage_fcontext_key_free(k)
@@ -4522,7 +4509,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 (rc,k) = semanage_fcontext_key_create(self.sh, target, file_types[ftype])
 if rc < 0:
 raise ValueError(_("Could not create a key for %s") % target)
-@@ -1561,12 +1782,22 @@
+@@ -1561,12 +1782,22 @@ class fcontextRecords(semanageRecords):
 return ddict
@@ -4547,7 +4534,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 for k in keys:
 if fcon_dict[k]:
 if is_mls_enabled:
-@@ -1575,6 +1806,12 @@
+@@ -1575,6 +1806,12 @@ class fcontextRecords(semanageRecords):
 print "%-50s %-18s %s:%s:%s " % (k[0], k[1], fcon_dict[k][0], fcon_dict[k][1],fcon_dict[k][2])
 else:
 print "%-50s %-18s <>" % (k[0], k[1])
@@ -4560,7 +4547,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 class booleanRecords(semanageRecords):
 def __init__(self, store = ""):
-@@ -1587,6 +1824,18 @@
+@@ -1587,6 +1824,18 @@ class booleanRecords(semanageRecords):
 self.dict["1"] = 1
 self.dict["0"] = 0
@@ -4579,7 +4566,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 def __mod(self, name, value):
 (rc, k) = semanage_bool_key_create(self.sh, name)
 if rc < 0:
-@@ -1606,9 +1855,10 @@
+@@ -1606,9 +1855,10 @@ class booleanRecords(semanageRecords):
 else:
 raise ValueError(_("You must specify one of the following values: %s") % ", ".join(self.dict.keys()) )
@@ -4593,7 +4580,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 rc = semanage_bool_modify_local(self.sh, k, b)
 if rc < 0:
 raise ValueError(_("Could not modify boolean %s") % name)
-@@ -1691,8 +1941,12 @@
+@@ -1691,8 +1941,12 @@ class booleanRecords(semanageRecords):
 value = []
 name = semanage_bool_get_name(boolean)
 value.append(semanage_bool_get_value(boolean))
@@ -4608,7 +4595,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 ddict[name] = value
 return ddict
-@@ -1706,6 +1960,16 @@
+@@ -1706,6 +1960,16 @@ class booleanRecords(semanageRecords):
 else:
 return _("unknown")
@@ -4625,9 +4612,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 def list(self, heading = True, locallist = False, use_file = False):
 on_off = (_("off"), _("on"))
 if use_file:
-diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sepolgen-ifgen/Makefile policycoreutils-2.0.84/sepolgen-ifgen/Makefile
---- nsapolicycoreutils/sepolgen-ifgen/Makefile 1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.84/sepolgen-ifgen/Makefile 2010-11-29 10:07:47.000000000 -0500
+diff -up policycoreutils-2.0.83/sepolgen-ifgen/Makefile.rhat policycoreutils-2.0.83/sepolgen-ifgen/Makefile
+--- policycoreutils-2.0.83/sepolgen-ifgen/Makefile.rhat 2010-12-07 09:23:49.000000000 -0500
++++ policycoreutils-2.0.83/sepolgen-ifgen/Makefile 2010-12-07 09:23:49.000000000 -0500
 @@ -0,0 +1,25 @@
 +# Installation directories.
 +PREFIX ?= ${DESTDIR}/usr
@@ -4654,9 +4641,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 + ../../scripts/Lindent $(wildcard *.[ch])
 +
 +relabel: ;
-diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sepolgen-ifgen/sepolgen-ifgen-attr-helper.c policycoreutils-2.0.84/sepolgen-ifgen/sepolgen-ifgen-attr-helper.c
---- nsapolicycoreutils/sepolgen-ifgen/sepolgen-ifgen-attr-helper.c 1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.84/sepolgen-ifgen/sepolgen-ifgen-attr-helper.c 2010-11-29 10:07:47.000000000 -0500
+diff -up policycoreutils-2.0.83/sepolgen-ifgen/sepolgen-ifgen-attr-helper.c.rhat policycoreutils-2.0.83/sepolgen-ifgen/sepolgen-ifgen-attr-helper.c
+--- policycoreutils-2.0.83/sepolgen-ifgen/sepolgen-ifgen-attr-helper.c.rhat 2010-12-07 09:23:49.000000000 -0500
++++ policycoreutils-2.0.83/sepolgen-ifgen/sepolgen-ifgen-attr-helper.c 2010-12-07 09:23:49.000000000 -0500
 @@ -0,0 +1,230 @@
 +/* Authors: Frank Mayer
 + * and Karl MacMillan
@@ -4888,16 +4875,42 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 +
 + return 0;
 +}
-diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/setfiles/restore.c policycoreutils-2.0.84/setfiles/restore.c
---- nsapolicycoreutils/setfiles/restore.c 2010-05-19 14:45:51.000000000 -0400
-+++ policycoreutils-2.0.84/setfiles/restore.c 2010-11-29 10:07:47.000000000 -0500
+diff -up policycoreutils-2.0.83/setfiles/restorecon.8.rhat policycoreutils-2.0.83/setfiles/restorecon.8
+--- policycoreutils-2.0.83/setfiles/restorecon.8.rhat 2010-06-16 08:04:12.000000000 -0400
++++ policycoreutils-2.0.83/setfiles/restorecon.8 2010-12-07 09:23:49.000000000 -0500
+@@ -4,10 +4,10 @@ restorecon \- restore file(s) default SE
+
+ .SH "SYNOPSIS"
+ .B restorecon
+-.I [\-o outfilename ] [\-R] [\-n] [\-v] [\-e directory ] pathname...
++.I [\-o outfilename ] [\-R] [\-n] [\-p] [\-v] [\-e directory ] pathname...
+ .P
+ .B restorecon
+-.I \-f infilename [\-o outfilename ] [\-e directory ] [\-R] [\-n] [\-v] [\-F]
++.I \-f infilename [\-o outfilename ] [\-e directory ] [\-R] [\-n] [\-p] [\-v] [\-F]
+
+ .SH "DESCRIPTION"
+ This manual page describes the
+@@ -40,6 +40,9 @@ don't change any file labels.
+ .TP
+ .B \-o outfilename
+ save list of files with incorrect context in outfilename.
++.TP
++.B \-p
++show progress by printing * every 1000 files.
+ .TP
+ .B \-v
+ show changes in file labels.
+diff -up policycoreutils-2.0.83/setfiles/restore.c.rhat policycoreutils-2.0.83/setfiles/restore.c
+--- policycoreutils-2.0.83/setfiles/restore.c.rhat 2010-06-16 08:04:12.000000000 -0400
++++ policycoreutils-2.0.83/setfiles/restore.c 2010-12-07 09:23:49.000000000 -0500
 @@ -1,4 +1,5 @@
 #include "restore.h"
 +#include
 #define SKIP -2
 #define ERR -1
-@@ -31,7 +32,6 @@
+@@ -31,7 +32,6 @@ struct edir {
 static file_spec_t *fl_head;
@@ -4905,7 +4918,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 static int filespec_add(ino_t ino, const security_context_t con, const char *file);
 static int only_changed_user(const char *a, const char *b);
 struct restore_opts *r_opts = NULL;
-@@ -53,7 +53,6 @@
+@@ -53,7 +53,6 @@ void remove_exclude(const char *director
 }
 }
 return;
@@ -4913,7 +4926,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 }
 void restore_init(struct restore_opts *opts)
-@@ -300,8 +299,14 @@
+@@ -300,8 +299,14 @@ static int process_one(char *name, int r
 int rc = 0;
 const char *namelist[2] = {name, NULL};
 dev_t dev_num = 0;
@@ -4930,7 +4943,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 fts_handle = fts_open((char **)namelist, r_opts->fts_flags, NULL);
 if (fts_handle == NULL) {
-@@ -357,11 +362,34 @@
+@@ -357,11 +362,34 @@ err:
 goto out;
 }
@@ -4966,7 +4979,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 if (r_opts == NULL){
 fprintf(stderr,
-@@ -372,8 +400,9 @@
+@@ -372,8 +400,9 @@ int process_one_realpath(char *name, int
 if (!r_opts->expand_realpath) {
 return process_one(name, recurse);
 } else {
@@ -4977,7 +4990,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 fprintf(stderr, "%s: lstat(%s) failed: %s\n", r_opts->progname, name, strerror(errno));
 return -1;
-@@ -409,7 +438,7 @@
+@@ -409,7 +438,7 @@ int process_one_realpath(char *name, int
 }
 }
@@ -4986,7 +4999,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 {
 int i = 0;
 for (i = 0; i < excludeCtr; i++) {
-@@ -537,7 +566,7 @@
+@@ -537,7 +566,7 @@ static int filespec_add(ino_t ino, const
 {
 file_spec_t *prevfl, *fl;
 int h, ret;
@@ -4995,7 +5008,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 if (!fl_head) {
 fl_head = malloc(sizeof(file_spec_t) * HASH_BUCKETS);
-@@ -550,7 +579,7 @@
+@@ -550,7 +579,7 @@ static int filespec_add(ino_t ino, const
 for (prevfl = &fl_head[h], fl = fl_head[h].next; fl; prevfl = fl, fl = fl->next) {
 if (ino == fl->ino) {
@@ -5004,7 +5017,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 if (ret < 0 || sb.st_ino != ino) {
 freecon(fl->con);
 free(fl->file);
-@@ -602,5 +631,67 @@
+@@ -602,5 +631,67 @@ static int filespec_add(ino_t ino, const
 return -1;
 }
@@ -5072,36 +5085,10 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 + free(buf);
 +}
-diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/setfiles/restorecon.8 policycoreutils-2.0.84/setfiles/restorecon.8
---- nsapolicycoreutils/setfiles/restorecon.8 2010-05-19 14:45:51.000000000 -0400
-+++ policycoreutils-2.0.84/setfiles/restorecon.8 2010-11-29 10:07:47.000000000 -0500
-@@ -4,10 +4,10 @@
-
- .SH "SYNOPSIS"
- .B restorecon
--.I [\-o outfilename ] [\-R] [\-n] [\-v] [\-e directory ] pathname...
-+.I [\-o outfilename ] [\-R] [\-n] [\-p] [\-v] [\-e directory ] pathname...
- .P
- .B restorecon
--.I \-f infilename [\-o outfilename ] [\-e directory ] [\-R] [\-n] [\-v] [\-F]
-+.I \-f infilename [\-o outfilename ] [\-e directory ] [\-R] [\-n] [\-p] [\-v] [\-F]
-
- .SH "DESCRIPTION"
- This manual page describes the
-@@ -40,6 +40,9 @@
- .TP
- .B \-o outfilename
- save list of files with incorrect context in outfilename.
-+.TP
-+.B \-p
-+show progress by printing * every 1000 files.
- .TP
- .B \-v
- show changes in file labels.
-diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/setfiles/restore.h policycoreutils-2.0.84/setfiles/restore.h
---- nsapolicycoreutils/setfiles/restore.h 2010-05-19 14:45:51.000000000 -0400
-+++ policycoreutils-2.0.84/setfiles/restore.h 2010-11-29 10:07:47.000000000 -0500
-@@ -27,6 +27,7 @@
+diff -up policycoreutils-2.0.83/setfiles/restore.h.rhat policycoreutils-2.0.83/setfiles/restore.h
+--- policycoreutils-2.0.83/setfiles/restore.h.rhat 2010-06-16 08:04:12.000000000 -0400
++++ policycoreutils-2.0.83/setfiles/restore.h 2010-12-07 09:23:49.000000000 -0500
+@@ -27,6 +27,7 @@ struct restore_opts {
 int hard_links;
 int verbose;
 int logging;
@@ -5109,7 +5096,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 char *rootpath;
 int rootpathlen;
 char *progname;
-@@ -44,7 +45,10 @@
+@@ -44,7 +45,10 @@ struct restore_opts {
 void restore_init(struct restore_opts *opts);
 void restore_finish();
 int add_exclude(const char *directory);
@@ -5120,10 +5107,10 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 +void exclude_non_seclabel_mounts();
 #endif
-diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/setfiles/setfiles.8 policycoreutils-2.0.84/setfiles/setfiles.8
---- nsapolicycoreutils/setfiles/setfiles.8 2010-05-19 14:45:51.000000000 -0400
-+++ policycoreutils-2.0.84/setfiles/setfiles.8 2010-11-29 10:07:47.000000000 -0500
-@@ -31,6 +31,9 @@
+diff -up policycoreutils-2.0.83/setfiles/setfiles.8.rhat policycoreutils-2.0.83/setfiles/setfiles.8
+--- policycoreutils-2.0.83/setfiles/setfiles.8.rhat 2010-06-16 08:04:12.000000000 -0400
++++ policycoreutils-2.0.83/setfiles/setfiles.8 2010-12-07 09:23:49.000000000 -0500
+@@ -31,6 +31,9 @@ log changes in file labels to syslog.
 .TP
 .B \-n
 don't change any file labels.
@@ -5133,9 +5120,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 .TP
 .B \-q
 suppress non-error output.
-diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/setfiles/setfiles.c policycoreutils-2.0.84/setfiles/setfiles.c
---- nsapolicycoreutils/setfiles/setfiles.c 2010-05-19 14:45:51.000000000 -0400
-+++ policycoreutils-2.0.84/setfiles/setfiles.c 2010-11-29 10:07:47.000000000 -0500
+diff -up policycoreutils-2.0.83/setfiles/setfiles.c.rhat policycoreutils-2.0.83/setfiles/setfiles.c
+--- policycoreutils-2.0.83/setfiles/setfiles.c.rhat 2010-06-16 08:04:12.000000000 -0400
++++ policycoreutils-2.0.83/setfiles/setfiles.c 2010-12-07 09:23:49.000000000 -0500
 @@ -5,7 +5,6 @@
 #include
 #include
@@ -5144,7 +5131,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 #define __USE_XOPEN_EXTENDED 1 /* nftw */
 #include
 #ifdef USE_AUDIT
-@@ -25,7 +24,6 @@
+@@ -25,7 +24,6 @@ static char *policyfile = NULL;
 static int warn_no_match = 0;
 static int null_terminated = 0;
 static int errors;
@@ -5152,7 +5139,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 static struct restore_opts r_opts;
 #define STAT_BLOCK_SIZE 1
-@@ -44,13 +42,13 @@
+@@ -44,13 +42,13 @@ void usage(const char *const name)
 {
 if (iamrestorecon) {
 fprintf(stderr,
@@ -5168,7 +5155,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 name);
 }
 exit(1);
-@@ -138,69 +136,6 @@
+@@ -138,69 +136,6 @@ static void maybe_audit_mass_relabel(voi
 #endif
 }
@@ -5238,7 +5225,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 int main(int argc, char **argv)
 {
 struct stat sb;
-@@ -335,7 +270,7 @@
+@@ -335,7 +270,7 @@ int main(int argc, char **argv)
 r_opts.debug = 1;
 break;
 case 'i':
@@ -5247,7 +5234,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 break;
 case 'l':
 r_opts.logging = 1;
-@@ -371,7 +306,7 @@
+@@ -371,7 +306,7 @@ int main(int argc, char **argv)
 break;
 }
 if (optind + 1 >= argc) {
@@ -5256,7 +5243,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 argv[0]);
 exit(1);
 }
-@@ -475,7 +410,7 @@
+@@ -475,7 +410,7 @@ int main(int argc, char **argv)
 buf[len - 1] = 0;
 if (!strcmp(buf, "/"))
 mass_relabel = 1;
@@ -5265,7 +5252,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 }
 if (strcmp(input_filename, "-") != 0)
 fclose(f);
-@@ -483,7 +418,8 @@
+@@ -483,7 +418,8 @@ int main(int argc, char **argv)
 for (i = optind; i < argc; i++) {
 if (!strcmp(argv[i], "/"))
 mass_relabel = 1;
diff --git a/policycoreutils.spec b/policycoreutils.spec
index ef6caa7..a9077b1 100644
--- a/policycoreutils.spec
+++ b/policycoreutils.spec
@@ -7,7 +7,7 @@ Summary: SELinux policy core utilities
 Name: policycoreutils
 Version: 2.0.83
-Release: 33.3%{?dist}
+Release: 33.4%{?dist}
 License: GPLv2
 Group: System Environment/Base
 Source: http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz
@@ -315,6 +315,9 @@ fi
 exit 0
 %changelog
+* Tue Dec 7 2010 Dan Walsh 2.0.83-33.4
+- Fix fixfiles to not complain on missing directories.
+
 * Mon Nov 22 2010 Dan Walsh 2.0.83-33.3
 - Fix fixfiles to not complain on missing directories.