diff --exclude-from=exclude --exclude=sepolgen-1.0.8 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/Makefile policycoreutils-2.0.23/Makefile --- nsapolicycoreutils/Makefile 2007-07-16 14:20:43.000000000 -0400 +++ policycoreutils-2.0.23/Makefile 2007-08-22 16:29:22.000000000 -0400 @@ -1,4 +1,4 @@ -SUBDIRS=setfiles semanage load_policy newrole run_init restorecond secon audit2allow audit2why scripts sestatus semodule_package semodule semodule_link semodule_expand semodule_deps setsebool po +SUBDIRS=setfiles semanage load_policy newrole run_init restorecond secon audit2allow audit2why scripts sestatus semodule_package semodule semodule_link semodule_expand semodule_deps setsebool po gui all install relabel clean indent: @for subdir in $(SUBDIRS); do \ diff --exclude-from=exclude --exclude=sepolgen-1.0.8 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.c policycoreutils-2.0.23/restorecond/restorecond.c --- nsapolicycoreutils/restorecond/restorecond.c 2007-07-16 14:20:41.000000000 -0400 +++ policycoreutils-2.0.23/restorecond/restorecond.c 2007-08-22 16:29:22.000000000 -0400 @@ -210,9 +210,10 @@ } if (fsetfilecon(fd, scontext) < 0) { - syslog(LOG_ERR, - "set context %s->%s failed:'%s'\n", - filename, scontext, strerror(errno)); + if (errno != EOPNOTSUPP) + syslog(LOG_ERR, + "set context %s->%s failed:'%s'\n", + filename, scontext, strerror(errno)); if (retcontext >= 0) free(prev_context); free(scontext); 
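Review bot: The new `if (errno != EOPNOTSUPP)` guard before the syslog call here, and the matching one in the next restorecond.c hunk (@@ -225), drop the error message without saying why, so a later reader cannot tell whether the silence is deliberate; add a comment above each guard such as `/* EOPNOTSUPP: filesystem has no label support, nothing to restore here -- stay quiet */`. Because the failure is now invisible for such filesystems, it is also worth stating in that comment whether the function still reports the failure to its caller, which cannot be checked here since the enclosing function starts and ends outside both hunks. The errno test itself looks safe in this hunk: nothing runs between fsetfilecon() and the check.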
@@ -225,8 +226,9 @@ if (retcontext >= 0) free(prev_context); } else { - syslog(LOG_ERR, "get context on %s failed: '%s'\n", - filename, strerror(errno)); + if (errno != EOPNOTSUPP) + syslog(LOG_ERR, "get context on %s failed: '%s'\n", + filename, strerror(errno)); } free(scontext); close(fd); diff --exclude-from=exclude --exclude=sepolgen-1.0.8 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/genhomedircon policycoreutils-2.0.23/scripts/genhomedircon --- nsapolicycoreutils/scripts/genhomedircon 1969-12-31 19:00:00.000000000 -0500 +++ policycoreutils-2.0.23/scripts/genhomedircon 2007-08-23 10:08:04.000000000 -0400 
@@ -0,0 +1,404 @@ +#! /usr/bin/python -E +# Copyright (C) 2004 Tresys Technology, LLC +# see file 'COPYING' for use and warranty information +# +# genhomedircon - this script is used to generate file context +# configuration entries for user home directories based on their +# default prefixes and is run when building the policy. Specifically, we +# replace HOME_ROOT, HOME_DIR, and ROLE macros in .fc files with +# generic and user-specific values. +# +# Based off original script by Dan Walsh, +# +# ASSUMPTIONS: +# +# The file CONTEXTDIR/files/homedir_template exists. This file is used to +# set up the home directory context for each real user. +# +# If a user is not listed in CONTEXTDIR/seusers, he will default to user_u, prefix user +# +# "Real" users (as opposed to system users) are those whose UID is greater than +# or equal STARTING_UID (usually 500) and whose login is not a member of +# EXCLUDE_LOGINS. Users who are explicitly defined in CONTEXTDIR/seusers +# are always "real" (including root, in the default configuration). 
+# +# + +import sys, os, pwd, string, getopt, re +from semanage import *; +import selinux +import gettext +gettext.install('policycoreutils') + +def grep(file, var): + ret = "" + fd = open(file, 'r') + + for i in fd.readlines(): + if re.search(var, i, 0) != None: + ret = i + break + fd.close() + return ret + +def findval(file, var, delim = ""): + val = "" + try: + fd = open(file, 'r') + for i in fd.readlines(): + if i.startswith(var) == 1: + if delim == "": + val = i.split()[1] + else: + val = i.split(delim)[1] + val = val.split("#")[0] + val = val.strip() + fd.close() + except: + val = "" + return val + +def getStartingUID(): + starting_uid = sys.maxint + uid_min = findval("/etc/login.defs", "UID_MIN") + if uid_min != "": + uid_min = uid_min.split("#")[0] + uid_min = uid_min.strip() + if int(uid_min) < starting_uid: + starting_uid = int(uid_min) + + uid_min = findval("/etc/libuser.conf", "LU_UIDNUMBER", "=") + if uid_min != "": + uid_min = uid_min.split("#")[0] + uid_min = uid_min.strip() + if int(uid_min) < starting_uid: + starting_uid = int(uid_min) + + if starting_uid == sys.maxint: + starting_uid = 500 + return starting_uid + +def getDefaultHomeDir(): + ret = [] + homedir = findval("/etc/default/useradd", "HOME", "=") + if homedir != "" and not homedir in ret: + ret.append(homedir) + + homedir = findval("/etc/libuser.conf", "LU_HOMEDIRECTORY", "=") + if homedir != "" and not homedir in ret: + ret.append(homedir) + + if ret == []: + ret.append("/home") + + # Add /export/home if it exists + # Some customers use this for automounted homedirs + if os.path.exists("/export/home"): + ret.append("/export/home") + + return ret + +def getSELinuxType(directory): + val = findval(directory+"/config", "SELINUXTYPE", "=") + if val != "": + return val + return "targeted" + +def usage(rc=0, error = ""): + if error != "": + sys.stderr.write("%s\n" % error) + rc = 1 + sys.stderr.write("Usage: %s [ -d selinuxdir ] [-n | --nopasswd] [-t selinuxtype ]\n" % sys.argv[0]) + 
sys.stderr.flush() + sys.exit(rc) + +def warning(warning = ""): + sys.stderr.write("%s\n" % warning) + sys.stderr.flush() + +def errorExit(error): + sys.stderr.write("%s exiting for: " % sys.argv[0]) + sys.stderr.write("%s\n" % error) + sys.stderr.flush() + sys.exit(1) + +class selinuxConfig: + def __init__(self, selinuxdir = "/etc/selinux", type = "targeted", usepwd = 1): + self.semanageHandle = semanage_handle_create() + self.semanaged = semanage_is_managed(self.semanageHandle) + if self.semanaged: + rc = semanage_connect(self.semanageHandle) + if rc: + errorExit("Unable to connect to semanage") + (status, self.ulist) = semanage_user_list(self.semanageHandle) + self.type = type + self.selinuxdir = selinuxdir +"/" + self.contextdir = "/contexts" + self.filecontextdir = self.contextdir+"/files" + self.usepwd = usepwd + self.default_user = "user_u" + self.default_prefix = "user" + self.users = self.getUsers() + fd = open(self.getFileContextFile()) + self.fclines=[] + for i in fd.readlines(): + try: + regex = i.split()[0] + #match a trailing .+ + regex = re.sub("\.+$", "", regex) + regex = re.sub("\.\*$", "", regex) + regex = re.sub("\(\/\.\*\)\?", "", regex) + regex = regex + "/*$" + self.fclines.append(re.compile(regex)) + except: + continue + + fd.close() + + def getFileContextDir(self): + return self.selinuxdir+self.type+self.filecontextdir + + def getFileContextFile(self): + return self.getFileContextDir()+"/file_contexts" + + def getContextDir(self): + return self.selinuxdir+self.type+self.contextdir + + def getHomeDirTemplate(self): + return self.getFileContextDir()+"/homedir_template" + + def getHomeRootContext(self, homedir): + ret = "" + fd = open(self.getHomeDirTemplate(), 'r') + + for i in fd.readlines(): + if i.find("HOME_ROOT") == 0: + i = i.replace("HOME_ROOT", homedir) + ret += i + fd.close() + if ret == "": + errorExit("No Home Root Context Found") + return ret + + def heading(self): + ret = "\n#\n#\n# User-specific file contexts, generated via %s\n" 
% sys.argv[0] + if self.semanaged: + ret += "# use semanage command to manage system users in order to change the file_context\n#\n#\n" + else: + ret += "# edit %s to change file_context\n#\n#\n" % (self.selinuxdir+self.type+"/seusers") + return ret + + def get_default_prefix(self, name): + for user in self.ulist: + if semanage_user_get_name(user) == name: + return semanage_user_get_prefix(user) + return name + + def get_old_prefix(self, user): + rc = grep(self.selinuxdir+self.type+"/users/system.users", "^user %s" % user) + if rc == "": + rc = grep(self.selinuxdir+self.type+"/users/local.users", "^user %s" % user) + if rc != "": + user = rc.split() + prefix = user[3] + if prefix == "{": + prefix = user[4] + if len(prefix) > 2 and (prefix[-2:] == "_r" or prefix[-2:] == "_u"): + prefix = prefix[:-2] + return prefix + + def adduser(self, udict, user, seuser, prefix): + if seuser == self.default_user or user == "__default__" or user == "system_u": + return + # !!! chooses first prefix in the list to use in the file context !!! 
+ try: + home = pwd.getpwnam(user)[5] + if home == "/": + # Probably install so hard code to /root + if user == "root": + home = "/root" + else: + return + except KeyError: + if user == "root": + home = "/root" + else: + sys.stderr.write("The user \"%s\" is not present in the passwd file, skipping...\n" % user) + return + prefs = {} + prefs["seuser"] = seuser + prefs["prefix"] = prefix + prefs["home"] = home + udict[user] = prefs + + def setDefaultUser(self, user, prefix): + self.default_user = user + self.default_prefix = prefix + + def getUsers(self): + udict = {} + if self.semanaged: + (status, list) = semanage_seuser_list(self.semanageHandle) + for seuser in list: + user = [] + seusername = semanage_seuser_get_sename(seuser) + prefix = self.get_default_prefix(seusername) + if semanage_seuser_get_name(seuser) == "__default__": + self.setDefaultUser(seusername, prefix) + + self.adduser(udict, semanage_seuser_get_name(seuser), seusername, prefix) + + else: + try: + fd = open(self.selinuxdir+self.type+"/seusers") + for u in fd.readlines(): + u = u.strip() + if len(u) == 0 or u[0] == "#": + continue + user = u.split(":") + if len(user) < 2: + continue + + prefix = self.get_old_prefix(user[1]) + self.adduser(udict, user[0], user[1], prefix) + fd.close() + except IOError, error: + # Must be install so force add of root + self.adduser(udict, "root", "root", "root") + + return udict + + def getHomeDirContext(self, user, seuser, home, prefix): + ret = "\n\n#\n# Home Context for user %s\n#\n\n" % user + fd = open(self.getHomeDirTemplate(), 'r') + for i in fd.readlines(): + if i.startswith("HOME_DIR") == 1: + i = i.replace("HOME_DIR", home) + i = i.replace("ROLE", prefix) + i = i.replace("system_u", seuser) + # Validate if the generated context exists. 
Some user types may not exist + scon = i.split()[-1] + if selinux.is_selinux_enabled() < 1 or selinux.security_check_context(scon) == 0: + ret = ret+i + fd.close() + return ret + + def getUserContext(self, user, sel_user, prefix): + ret = "" + fd = open(self.getHomeDirTemplate(), 'r') + for i in fd.readlines(): + if i.find("USER") > 0: + i = i.replace("USER", user) + i = i.replace("ROLE", prefix) + i = i.replace("system_u", sel_user) + ret = ret+i + fd.close() + return ret + + def genHomeDirContext(self): + ret = "" + # Fill in HOME and prefix for users that are defined + for u in self.users.keys(): + ret += self.getHomeDirContext (u, self.users[u]["seuser"], self.users[u]["home"], self.users[u]["prefix"]) + ret += self.getUserContext (u, self.users[u]["seuser"], self.users[u]["prefix"]) + return ret+"\n" + + def checkExists(self, home): + for i in self.fclines: + try: + if i.match(home): + return 1 + except: + continue + return 0 + + def getHomeDirs(self): + homedirs = getDefaultHomeDir() + starting_uid = getStartingUID() + if self.usepwd == 0: + return homedirs + ulist = pwd.getpwall() + for u in ulist: + if u[2] >= starting_uid and \ + u[6] in VALID_SHELLS and \ + u[5] != "/" and \ + string.count(u[5], "/") > 1: + homedir = u[5][:string.rfind(u[5], "/")] + if not homedir in homedirs: + if self.checkExists(homedir) == 1: + warning("%s homedir %s or its parent directory conflicts with a\ndefined context in %s,\n%s will not create a new context. This usually indicates an incorrectly defined system account. If it is a system account please make sure its login shell is /sbin/nologin." 
% (u[0], u[5], self.getFileContextFile(), sys.argv[0])) + else: + homedirs.append(homedir) + + homedirs.sort() + return homedirs + + def genoutput(self): + ret = self.heading() + for h in self.getHomeDirs(): + ret += self.getHomeDirContext (self.default_user, self.default_user, h+'/[^/]*', self.default_prefix) + ret += self.getHomeRootContext(h) + ret += self.getUserContext(".*", self.default_user, self.default_prefix) + "\n" + ret += self.genHomeDirContext() + return ret + + def printout(self): + print self.genoutput() + + def write(self): + fd = open(self.getFileContextDir()+"/file_contexts.homedirs", "w") + fd.write(self.genoutput()) + fd.close() + +if os.getuid() > 0 or os.geteuid() > 0: + print _("You must be root to run %s.") % sys.argv[0] + sys.exit(1) + +try: + fd = open("/etc/shells", 'r') + VALID_SHELLS = fd.read().split("\n") + fd.close() + if "/sbin/nologin" in VALID_SHELLS: + VALID_SHELLS.remove("/sbin/nologin") + if "" in VALID_SHELLS: + VALID_SHELLS.remove("") +except: + VALID_SHELLS = ['/bin/sh', '/bin/bash', '/bin/ash', '/bin/bsh', '/bin/ksh', '/usr/bin/ksh', '/usr/bin/pdksh', '/bin/tcsh', '/bin/csh', '/bin/zsh'] + +# +# This script will generate home dir file context +# based off the homedir_template file, entries in the password file, and +# +try: + usepwd = 1 + directory = "/etc/selinux" + type = None + gopts, cmds = getopt.getopt(sys.argv[1:], 'hnd:t:', ['help', + 'type=', + 'nopasswd', + 'dir=']) + for o,a in gopts: + if o == '--type' or o == "-t": + type = a + if o == '--nopasswd' or o == "-n": + usepwd = 0 + if o == '--dir' or o == "-d": + directory = a + if o == '--help' or o == "-h": + usage() +except getopt.error, error: + errorExit(_("Options Error %s ") % error) + +if type == None: + type = getSELinuxType(directory) + +if len(cmds) != 0: + usage(1) + +selconf = selinuxConfig(directory, type, usepwd) +try: + selconf.write() +except IOError, error: + sys.stderr.write("%s: %s\n" % ( sys.argv[0], error )) + sys.exit(1) + diff 
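Review bot: In `selinuxConfig.__init__` the normalisation `regex = re.sub("\.+$", "", regex)` under the comment `#match a trailing .+` strips trailing literal dots, not a literal `.+` suffix, so a file_contexts entry ending in `.+` keeps that suffix and `checkExists` can miss a conflict with a passwd home directory; the intended pattern is `r"\.\+$"`. The bare `except: continue` around that loop also hides `re.error`, so a malformed entry is skipped silently rather than reported. Separately, `getHomeDirContext` substitutes the home path from `pwd.getpwnam` into the template unescaped, and since the file_contexts entries are compiled as regular expressions elsewhere in this script, a directory name containing `.`, `+` or `(` yields a broader pattern than the literal path; at minimum a comment should record that assumption, and escaping regex metacharacters in the path is worth considering if the template syntax allows it. `findval` opens its file inside the bare `try`, so on any exception the descriptor is never closed and the cause is lost.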
--exclude-from=exclude --exclude=sepolgen-1.0.8 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/genhomedircon.8 policycoreutils-2.0.23/scripts/genhomedircon.8 --- nsapolicycoreutils/scripts/genhomedircon.8 1969-12-31 19:00:00.000000000 -0500 +++ policycoreutils-2.0.23/scripts/genhomedircon.8 2007-08-20 19:16:35.000000000 -0400 
@@ -0,0 +1,82 @@ +.\" Hey, Emacs! This is an -*- nroff -*- source file. +.\" Copyright (c) 2005 Manoj Srivastava +.\" +.\" This is free documentation; you can redistribute it and/or +.\" modify it under the terms of the GNU General Public License as +.\" published by the Free Software Foundation; either version 2 of +.\" the License, or (at your option) any later version. +.\" +.\" The GNU General Public License's references to "object code" +.\" and "executables" are to be interpreted as the output of any +.\" document formatting or typesetting system, including +.\" intermediate and printed output. +.\" +.\" This manual is distributed in the hope that it will be useful, +.\" but WITHOUT ANY WARRANTY; without even the implied warranty of +.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +.\" GNU General Public License for more details. +.\" +.\" You should have received a copy of the GNU General Public +.\" License along with this manual; if not, write to the Free +.\" Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, +.\" USA. +.\" +.\" +.TH GENHOMEDIRCON "8" "January 2005" "Security Enhanced Linux" "" +.SH NAME +genhomedircon \- generate SELinux file context configuration entries for user home directories +.SH SYNOPSIS +.B genhomedircon [ -d selinuxdir ] [-n | --nopasswd] [-t selinuxtype ] [-h] + +.SH OPTIONS +.TP +.B "\-h" +Print a short usage message +.TP +.B "\-d selinuxdir (\-\-directory)" +Directory where selinux files are installed defaults to /etc/selinux +.TP +.B +\-n \-\-nopasswd +Indicates to the utility not to read homedirectories out of the password database. +.TP +\-t selinuxtype (\-\-type) +Indicates the selinux type of this install. Defaults to "targeted". +.SH DESCRIPTION +.PP +This utility is used to generate file context configuration entries for +user home directories based on their +.B prefix +entry in the the +.B semanage user record. +genhomedircon is run when building +the policy. 
It is also run automaticaly when ever the +.B semanage +utility modifies +.B user +or +.B login +records. +Specifically, we replace HOME_ROOT, HOME_DIR, and ROLE macros in the +.I /etc/selinux/<>/contexts/files/homedir_template +file with generic and user-specific values. HOME_ROOT and HOME_DIR is replaced with each distinct location where login users homedirectories are located. Defaults to /home. ROLE is replaced based on the prefix entry in the +.B user +record. +.PP +genhomedircon searches through all password entires for all "login" user home directories, (as opposed +to system users). Login users are those whose UID is greater than or equal +.I STARTING_UID +(default 500) and whose login shell is not "/sbin/nologin", or +"/bin/false". +.PP +.SH AUTHOR +This manual page was originally written by +.I Manoj Srivastava , +for the Debian GNU/Linux system, based on the comments and the code +in the utility, and then updated by Dan Walsh of Red Hat. The +.B genhomedircon +utility was originally written by +.I Dan Walsh of Red Hat +with some modifications by +.I Tresys Technology, LLC. + diff --exclude-from=exclude --exclude=sepolgen-1.0.8 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/Makefile policycoreutils-2.0.23/scripts/Makefile --- nsapolicycoreutils/scripts/Makefile 2007-08-23 16:52:26.000000000 -0400 +++ policycoreutils-2.0.23/scripts/Makefile 2007-08-20 19:16:35.000000000 -0400 
@@ -5,14 +5,18 @@ MANDIR ?= $(PREFIX)/share/man LOCALEDIR ?= /usr/share/locale -all: fixfiles +TARGETS=genhomedircon + +all: $(TARGETS) fixfiles install: all -mkdir -p $(BINDIR) + install -m 755 $(TARGETS) $(SBINDIR) install -m 755 chcat $(BINDIR) install -m 755 fixfiles $(DESTDIR)/sbin -mkdir -p $(MANDIR)/man8 install -m 644 fixfiles.8 $(MANDIR)/man8/ + install -m 644 genhomedircon.8 $(MANDIR)/man8/ install -m 644 chcat.8 $(MANDIR)/man8/ clean: diff --exclude-from=exclude --exclude=sepolgen-1.0.8 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/seobject.py policycoreutils-2.0.23/semanage/seobject.py --- nsapolicycoreutils/semanage/seobject.py 2007-07-16 14:20:41.000000000 -0400 +++ policycoreutils-2.0.23/semanage/seobject.py 2007-08-22 16:29:22.000000000 -0400 @@ -210,6 +210,7 @@ os.write(fd, self.out()) os.close(fd) os.rename(newfilename, self.filename) + os.system("/sbin/service mcstrans reload > /dev/null") class semanageRecords: def __init__(self): 
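Review bot: `install -m 755 $(TARGETS) $(SBINDIR)` is added without a preceding `-mkdir -p $(SBINDIR)`, whereas `$(BINDIR)` and `$(MANDIR)/man8` are created before their installs, so a clean install into an empty $(DESTDIR) fails if that directory does not already exist; add `-mkdir -p $(SBINDIR)` before the new line. Where SBINDIR is defined is outside the hunk, so I cannot tell whether it carries $(DESTDIR) like the fixfiles target does.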
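Review bot: The return value of `os.system("/sbin/service mcstrans reload > /dev/null")` is discarded, so a failed reload (service script absent, mcstrans not installed or not running) leaves the translation daemon with stale settings and nobody is told; keep the status and report it, e.g. `rc = os.system("/sbin/service mcstrans reload > /dev/null")` followed by `if rc != 0:` and a warning in the file's usual style. The command string is fixed, so there is no injection concern, but a comment stating why the reload is needed after the rename would help, since the enclosing method starts outside the hunk and the connection between the written file and mcstrans is not visible here.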
@@ -1024,14 +1025,31 @@ def __init__(self): semanageRecords.__init__(self) - def add(self, target, type, ftype = "", serange = "", seuser = "system_u"): + def createcon(self, target, seuser = "system_u"): + (rc, con) = semanage_context_create(self.sh) + if rc < 0: + raise ValueError(_("Could not create context for %s") % target) if seuser == "": seuser = "system_u" + + rc = semanage_context_set_user(self.sh, con, seuser) + if rc < 0: + raise ValueError(_("Could not set user in file context for %s") % target) + + rc = semanage_context_set_role(self.sh, con, "object_r") + if rc < 0: + raise ValueError(_("Could not set role in file context for %s") % target) + if is_mls_enabled == 1: - if serange == "": - serange = "s0" - else: - serange = untranslate(serange) + rc = semanage_context_set_mls(self.sh, con, "s0") + if rc < 0: + raise ValueError(_("Could not set mls fields in file context for %s") % target) + + return con + + def add(self, target, type, ftype = "", serange = "", seuser = "system_u"): + if is_mls_enabled == 1: + serange = untranslate(serange) if type == "": raise ValueError(_("SELinux Type is required")) 
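Review bot: `add` now passes `serange` straight to `untranslate` even when it is the empty default, whereas the removed code only translated a non-empty range and substituted "s0" otherwise; `untranslate` is outside the hunk, so confirm it returns "" unchanged, because otherwise the later `if serange != ""` check in `add` no longer skips the mls update and the "s0" default set by `createcon` is overridden. Restoring the guard is one line: `if is_mls_enabled == 1 and serange != "": serange = untranslate(serange)`. The new `createcon` method also silently maps `seuser == ""` to `system_u`; a docstring stating that, and that the returned context has role object_r and (when MLS is enabled) range s0 already set, would help its callers in `add` and `modify`.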
@@ -1051,33 +1069,23 @@ raise ValueError(_("Could not create file context for %s") % target) rc = semanage_fcontext_set_expr(self.sh, fcontext, target) - (rc, con) = semanage_context_create(self.sh) - if rc < 0: - raise ValueError(_("Could not create context for %s") % target) - - rc = semanage_context_set_user(self.sh, con, seuser) - if rc < 0: - raise ValueError(_("Could not set user in file context for %s") % target) - - rc = semanage_context_set_role(self.sh, con, "object_r") - if rc < 0: - raise ValueError(_("Could not set role in file context for %s") % target) - - rc = semanage_context_set_type(self.sh, con, type) - if rc < 0: - raise ValueError(_("Could not set type in file context for %s") % target) + if type != "<>": + con = self.createcon(target, seuser) - if serange != "": - rc = semanage_context_set_mls(self.sh, con, serange) - if rc < 0: - raise ValueError(_("Could not set mls fields in file context for %s") % target) + rc = semanage_context_set_type(self.sh, con, type) + if rc < 0: + raise ValueError(_("Could not set type in file context for %s") % target) + + if serange != "": + rc = semanage_context_set_mls(self.sh, con, serange) + if rc < 0: + raise ValueError(_("Could not set mls fields in file context for %s") % target) + rc = semanage_fcontext_set_con(self.sh, fcontext, con) + if rc < 0: + raise ValueError(_("Could not set file context for %s") % target) semanage_fcontext_set_type(fcontext, file_types[ftype]) - rc = semanage_fcontext_set_con(self.sh, fcontext, con) - if rc < 0: - raise ValueError(_("Could not set file context for %s") % target) - rc = semanage_begin_transaction(self.sh) if rc < 0: raise ValueError(_("Could not start semanage transaction")) @@ -1090,7 +1098,8 @@ if rc < 0: raise ValueError(_("Could not add file context for %s") % target) - semanage_context_free(con) + if type != "<>": + semanage_context_free(con) semanage_fcontext_key_free(k) semanage_fcontext_free(fcontext) 
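Review bot: In `add`, when `type == "<>"` the new code never calls `semanage_fcontext_set_con` on the freshly created fcontext (the call appears to sit inside the `if type != "<>":` block, which the guarded `semanage_context_free(con)` in the @@ -1090 hunk also suggests), so the "no context" result relies on the new fcontext defaulting to a NULL con; the modify path in the following hunk makes this explicit with `semanage_fcontext_set_con(self.sh, fcontext, None)`, and `add` should do the same in an `else:` branch so both paths are symmetric and the intent is visible. The indentation of this hunk is lost on the page, so confirm the placement of the set_con call against the file. The function continues outside the hunk.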
@@ -1112,16 +1121,29 @@ if rc < 0: raise ValueError(_("Could not query file context for %s") % target) - con = semanage_fcontext_get_con(fcontext) + if setype != "<>": + con = semanage_fcontext_get_con(fcontext) - if serange != "": - semanage_context_set_mls(self.sh, con, untranslate(serange)) - if seuser != "": - semanage_context_set_user(self.sh, con, seuser) - if setype != "": - semanage_context_set_type(self.sh, con, setype) - - rc = semanage_begin_transaction(self.sh) + if con == None: + con = self.createcon(target) + + if serange != "": + semanage_context_set_mls(self.sh, con, untranslate(serange)) + if seuser != "": + semanage_context_set_user(self.sh, con, seuser) + + if setype != "": + semanage_context_set_type(self.sh, con, setype) + + rc = semanage_fcontext_set_con(self.sh, fcontext, con) + if rc < 0: + raise ValueError(_("Could not set file context for %s") % target) + else: + rc = semanage_fcontext_set_con(self.sh, fcontext, None) + if rc < 0: + raise ValueError(_("Could not set file context for %s") % target) + + rc = semanage_begin_transaction(self.sh) if rc < 0: raise ValueError(_("Could not start semanage transaction")) @@ -1283,9 +1305,12 @@ raise ValueError(_("Could not list booleans")) for boolean in self.blist: - name = semanage_bool_get_name(boolean) - value = semanage_bool_get_value(boolean) - ddict[name] = value + value = [] + name = semanage_bool_get_name(boolean) + value[0] = semanage_bool_get_value(boolean) + value[1] = selinux.security_get_boolean_pending(boolean) + value[2] = selinux.security_get_boolean_active(boolean) + ddict[name] = value return ddict diff --exclude-from=exclude --exclude=sepolgen-1.0.8 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semodule/semodule.8 policycoreutils-2.0.23/semodule/semodule.8 --- nsapolicycoreutils/semodule/semodule.8 2007-07-16 14:20:42.000000000 -0400 +++ policycoreutils-2.0.23/semodule/semodule.8 2007-08-23 10:18:35.000000000 -0400 
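Review bot: In `modify`, when `setype == "<>"` the `serange` and `seuser` arguments are silently discarded, because only the `else` branch that clears the context runs; either raise a ValueError when they are given together with "<>", in the style of the other checks in this file, or record the behaviour in the method's docstring. When the stored context is absent the new `self.createcon(target)` call builds it with the default seuser "system_u" even though `seuser` may have been supplied, although the later `if seuser != ""` assignment appears to correct that. Style: `if con == None:` should be `if con is None:`. The enclosing method starts outside the hunk.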
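Review bot: `value = []` followed by `value[0] = semanage_bool_get_value(boolean)` raises IndexError on the first boolean, because assigning by index does not grow a list; build it in one step, `value = [semanage_bool_get_value(boolean), selinux.security_get_boolean_pending(name), selinux.security_get_boolean_active(name)]`. The two libselinux calls are also passed the semanage boolean record rather than its name — `security_get_boolean_pending` and `security_get_boolean_active` take the boolean's name string — so even after the list fix they would fail; `name` is already computed on the line above. Callers of this method that expected a plain value now receive a three-element list, and the enclosing method starts outside the hunk, so the callers cannot be checked here.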
@@ -23,6 +23,9 @@ .B \-B, \-\-build force a rebuild of policy (also reloads unless -n is used) .TP +.B \-D, \-\-disable_dontaudit +Temporarily remove dontaudits from policy. Reverts whenever policy is rebuilt +.TP .B \-i,\-\-install=MODULE_PKG install/replace a module package .TP @@ -58,6 +61,10 @@ $ semodule -i httpd.pp # List non-base modules. $ semodule -l +# Turn on all AVC Messages for which SELinux currently is "dontaudit"ing. +$ semodule -DB +# Turn "dontaudit" rules back on. +$ semodule -B # Install or replace all non-base modules in the current directory. $ semodule -i *.pp # Install or replace all modules in the current directory.