Changeset 159
- Timestamp:
- 01/04/07 13:18:05
(2 years ago)
- Author:
- ccase
- Message:
merged with upstream 2007-01-04
-
Files:
-
| r10 |
r159 |
|
| 1 | 1 | See selinux-doc/README for build instructions. |
|---|
| | 2 | -z |
|---|
| r84 |
r159 |
|
| | 1 | 1.33.3 2007-01-04 |
|---|
| | 2 | * Merged patch for matchpathcon utility to use file mode information |
|---|
| | 3 | when available from Dan Walsh. |
|---|
| | 4 | |
|---|
| | 5 | 1.33.2 2006-11-27 |
|---|
| | 6 | * Merged patch to compile with -fPIC instead of -fpic from |
|---|
| | 7 | Manoj Srivastava to prevent hitting the global offset table |
|---|
| | 8 | limit. Patch changed to include libsepol and libsemanage in |
|---|
| | 9 | addition to libselinux. |
|---|
| | 10 | |
|---|
| 1 | 11 | 1.33.1 2006-10-19 |
|---|
| 2 | 12 | * Merged updated flask definitions from Darrel Goeddel. |
|---|
| r10 |
r159 |
|
| 43 | 43 | |
|---|
| 44 | 44 | $(SWIGLOBJ): $(SWIGCOUT) |
|---|
| 45 | | $(CC) $(CFLAGS) -I$(PYINC) -fpic -DSHARED -c -o $@ $< |
|---|
| | 45 | $(CC) $(CFLAGS) -I$(PYINC) -fPIC -DSHARED -c -o $@ $< |
|---|
| 46 | 46 | |
|---|
| 47 | 47 | $(SWIGSO): $(SWIGLOBJ) |
|---|
| … | … | |
| 56 | 56 | |
|---|
| 57 | 57 | %.lo: %.c policy.h |
|---|
| 58 | | $(CC) $(CFLAGS) -fpic -DSHARED -c -o $@ $< |
|---|
| | 58 | $(CC) $(CFLAGS) -fPIC -DSHARED -c -o $@ $< |
|---|
| 59 | 59 | |
|---|
| 60 | 60 | $(SWIGCOUT): $(SWIGIF) |
|---|
| r10 |
r159 |
|
| 5 | 5 | #include <errno.h> |
|---|
| 6 | 6 | #include <string.h> |
|---|
| | 7 | #include <sys/types.h> |
|---|
| | 8 | #include <sys/stat.h> |
|---|
| | 9 | #include <sys/errno.h> |
|---|
| 7 | 10 | #include <selinux/selinux.h> |
|---|
| 8 | 11 | |
|---|
| … | … | |
| 10 | 13 | { |
|---|
| 11 | 14 | fprintf(stderr, |
|---|
| 12 | | "usage: %s [-n] [-f file_contexts] [-p prefix] path...\n", |
|---|
| | 15 | "usage: %s [-N] [-n] [-f file_contexts] [-p prefix] [-V] path...\n", |
|---|
| 13 | 16 | progname); |
|---|
| 14 | 17 | exit(1); |
|---|
| 15 | 18 | } |
|---|
| 16 | 19 | |
|---|
| 17 | | int printmatchpathcon(char *path, int header) |
|---|
| | 20 | int printmatchpathcon(char *path, int header, int mode) |
|---|
| 18 | 21 | { |
|---|
| 19 | 22 | char *buf; |
|---|
| 20 | | int rc = matchpathcon(path, 0, &buf); |
|---|
| | 23 | int rc = matchpathcon(path, mode, &buf); |
|---|
| 21 | 24 | if (rc < 0) { |
|---|
| 22 | 25 | fprintf(stderr, "matchpathcon(%s) failed: %s\n", path, |
|---|
| … | … | |
| 93 | 96 | } |
|---|
| 94 | 97 | for (i = optind; i < argc; i++) { |
|---|
| | 98 | int mode=0; |
|---|
| | 99 | struct stat buf; |
|---|
| | 100 | if (lstat(argv[i], &buf) == 0) |
|---|
| | 101 | mode = buf.st_mode; |
|---|
| | 102 | |
|---|
| 95 | 103 | if (verify) { |
|---|
| 96 | 104 | if (selinux_file_context_verify(argv[i], 0)) { |
|---|
| … | … | |
| 107 | 115 | printf("%s has context %s, should be ", |
|---|
| 108 | 116 | argv[i], con); |
|---|
| 109 | | error += printmatchpathcon(argv[i], 0); |
|---|
| | 117 | error += printmatchpathcon(argv[i], 0, mode); |
|---|
| 110 | 118 | freecon(con); |
|---|
| 111 | 119 | } else { |
|---|
| … | … | |
| 113 | 121 | ("actual context unknown: %s, should be ", |
|---|
| 114 | 122 | strerror(errno)); |
|---|
| 115 | | error += printmatchpathcon(argv[i], 0); |
|---|
| | 123 | error += printmatchpathcon(argv[i], 0,mode); |
|---|
| 116 | 124 | } |
|---|
| 117 | 125 | } |
|---|
| 118 | 126 | } else { |
|---|
| 119 | | error += printmatchpathcon(argv[i], header); |
|---|
| | 127 | error += printmatchpathcon(argv[i], header, mode); |
|---|
| 120 | 128 | } |
|---|
| 121 | 129 | } |
|---|
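Review bot: The verify branch still calls `selinux_file_context_verify(argv[i], 0)` at new line 104 although `mode` has just been read with lstat(), so the verification and the "should be" context printed by `printmatchpathcon(argv[i], 0, mode)` can be resolved against different file types. Passing the same value, `selinux_file_context_verify(argv[i], mode)`, would keep the two consistent. When lstat() fails the code silently keeps `mode = 0`, which fits the ChangeLog wording "when available"; a short comment such as `/* lstat failed: fall back to mode 0, i.e. no file-type matching */` would make that deliberate. The loop body starts and ends outside the visible hunks.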
| r84 |
r159 |
|
| | 1 | 1.9.1 2006-11-27 |
|---|
| | 2 | * Merged patch to compile wit -fPIC instead of -fpic from |
|---|
| | 3 | Manoj Srivastava to prevent hitting the global offest table |
|---|
| | 4 | limit. Patch changed to include libselinux and libsemanage in |
|---|
| | 5 | addition to libsepol. |
|---|
| 1 | 6 | 1.8 2006-10-17 |
|---|
| 2 | 7 | * Updated version for release. |
|---|
| r10 |
r159 |
|
| 45 | 45 | |
|---|
| 46 | 46 | $(SWIGLOBJ): $(SWIGCOUT) |
|---|
| 47 | | $(CC) $(CFLAGS) -I$(PYINC) -fpic -DSHARED -c -o $@ $< |
|---|
| | 47 | $(CC) $(CFLAGS) -I$(PYINC) -fPIC -DSHARED -c -o $@ $< |
|---|
| 48 | 48 | |
|---|
| 49 | 49 | $(SWIGSO): $(SWIGLOBJ) |
|---|
| … | … | |
| 70 | 70 | |
|---|
| 71 | 71 | %.lo: %.c |
|---|
| 72 | | $(CC) $(CFLAGS) -fpic -DSHARED -c -o $@ $< |
|---|
| | 72 | $(CC) $(CFLAGS) -fPIC -DSHARED -c -o $@ $< |
|---|
| 73 | 73 | |
|---|
| 74 | 74 | $(SWIGCOUT): $(SWIGIF) |
|---|
| r119 |
r159 |
|
| | 1 | 1.15.3 2006-11-27 |
|---|
| | 2 | * Merged patch to compile wit -fPIC instead of -fpic from |
|---|
| | 3 | Manoj Srivastava to prevent hitting the global offest table |
|---|
| | 4 | limit. Patch changed to include libselinux and libsemanage in |
|---|
| | 5 | addition to libselinux. |
|---|
| 1 | 6 | 1.15.2 2006-10-31 |
|---|
| 2 | 7 | * Merged fix from Karl MacMillan for a segfault when linking |
|---|
| r28 |
r159 |
|
| 25 | 25 | |
|---|
| 26 | 26 | %.o: %.c |
|---|
| 27 | | $(CC) $(CFLAGS) -fpic -c -o $@ $< |
|---|
| | 27 | $(CC) $(CFLAGS) -fPIC -c -o $@ $< |
|---|
| 28 | 28 | |
|---|
| 29 | 29 | %.lo: %.c |
|---|
| 30 | | $(CC) $(CFLAGS) -fpic -DSHARED -c -o $@ $< |
|---|
| | 30 | $(CC) $(CFLAGS) -fPIC -DSHARED -c -o $@ $< |
|---|
| 31 | 31 | |
|---|
| 32 | 32 | install: all |
|---|
| r141 |
r159 |
|
| | 1 | 1.33.8 2007-01-04 |
|---|
| | 2 | * Merged patches from Dan Walsh to: |
|---|
| | 3 | - omit the optional name from audit2allow |
|---|
| | 4 | - use the installed python version in the Makefiles |
|---|
| | 5 | - re-open the tty with O_RDWR in newrole |
|---|
| | 6 | |
|---|
| | 7 | 1.33.7 2007-01-03 |
|---|
| | 8 | * Patch from Dan Walsh to correctly suppress warnings in load_policy. |
|---|
| | 9 | |
|---|
| | 10 | 1.33.6 2006-11-29 |
|---|
| | 11 | * Patch from Dan Walsh to add an pam_acct_msg call to run_init |
|---|
| | 12 | * Patch from Dan Walsh to fix error code returns in newrole |
|---|
| | 13 | * Patch from Dan Walsh to remove verbose flag from semanage man page |
|---|
| | 14 | * Patch from Dan Walsh to make audit2allow use refpolicy Makefile |
|---|
| | 15 | in /usr/share/selinux/<SELINUXTYPE> |
|---|
| | 16 | |
|---|
| | 17 | 1.33.5 2006-11-27 |
|---|
| | 18 | * Merged patch from Micheal C Thompson to clean up genhomedircon |
|---|
| | 19 | error handling. |
|---|
| 1 | 20 | 1.33.4 2006-11-21 |
|---|
| 2 | 21 | * Merged po file updates from Dan Walsh. |
|---|
| r10 |
r159 |
|
| 5 | 5 | MANDIR ?= $(PREFIX)/share/man |
|---|
| 6 | 6 | LOCALEDIR ?= /usr/share/locale |
|---|
| 7 | | PYLIBVER ?= python2.4 |
|---|
| | 7 | PYLIBVER ?= $(shell python -c 'import sys;print "python%d.%d" % sys.version_info[0:2]') |
|---|
| 8 | 8 | PYTHONLIBDIR ?= $(LIBDIR)/$(PYLIBVER) |
|---|
| 9 | 9 | |
|---|
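Review bot: `PYLIBVER` is now taken from whichever `python` is first on the build user's PATH, and nothing checks that the command succeeded. If it fails or prints nothing, `PYLIBVER` expands to an empty string and `PYTHONLIBDIR` becomes `$(LIBDIR)/`, so the Python files would be installed into the wrong directory without any error. A guard after the assignment, `ifeq ($(PYLIBVER),)` / `$(error could not determine python version)` / `endif`, would stop the build instead, and a comment noting that packagers can still override `PYLIBVER` would help. The same assignment is added in the other Makefile section further down this changeset (line 6 there).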
| r10 |
r159 |
|
| 30 | 30 | import commands, sys, os, getopt, selinux |
|---|
| 31 | 31 | import gettext |
|---|
| | 32 | import re |
|---|
| 32 | 33 | try: |
|---|
| 33 | 34 | gettext.install('policycoreutils') |
|---|
| … | … | |
| 60 | 61 | sys.exit(1) |
|---|
| 61 | 62 | |
|---|
| | 63 | def verify_module(module): |
|---|
| | 64 | m = re.findall("[^a-zA-Z0-9]", module) |
|---|
| | 65 | if len(m) != 0: |
|---|
| | 66 | usage(_("Alphanumeric Charaters Only")) |
|---|
| | 67 | |
|---|
| 62 | 68 | def errorExit(error): |
|---|
| 63 | 69 | sys.stderr.write("%s: " % sys.argv[0]) |
|---|
| … | … | |
| 126 | 132 | usage() |
|---|
| 127 | 133 | module = a |
|---|
| | 134 | verify_module(module) |
|---|
| 128 | 135 | if o == "-M": |
|---|
| 129 | 136 | if module != "" or output_ind or a[0] == "-": |
|---|
| 130 | 137 | usage() |
|---|
| 131 | 138 | module = a |
|---|
| | 139 | verify_module(module) |
|---|
| 132 | 140 | outfile = a+".te" |
|---|
| 133 | 141 | buildPP = 1 |
|---|
| … | … | |
| 185 | 193 | output.flush() |
|---|
| 186 | 194 | if buildPP: |
|---|
| 187 | | cmd = "checkmodule %s -m -o %s.mod %s.te" % (get_mls_flag(), module, module) |
|---|
| 188 | | print _("Compiling policy") |
|---|
| 189 | | print cmd |
|---|
| 190 | | rc = commands.getstatusoutput(cmd) |
|---|
| 191 | | if rc[0] == 0: |
|---|
| 192 | | cmd = "semodule_package -o %s.pp -m %s.mod" % (module, module) |
|---|
| 193 | | if fc_file != "": |
|---|
| 194 | | cmd = "%s -f %s" % (cmd, fc_file) |
|---|
| 195 | | |
|---|
| | 195 | if ref_ind: |
|---|
| | 196 | rc, type = selinux.selinux_getpolicytype() |
|---|
| | 197 | cmd = "make -f /usr/share/selinux/%s/include/Makefile %s.pp" % (type, module) |
|---|
| | 198 | print _("Compiling policy") |
|---|
| | 199 | print cmd |
|---|
| | 200 | rc = commands.getstatusoutput(cmd) |
|---|
| | 201 | else: |
|---|
| | 202 | cmd = "checkmodule %s -m -o %s.mod %s.te" % (get_mls_flag(), module, module) |
|---|
| | 203 | print _("Compiling policy") |
|---|
| 196 | 204 | print cmd |
|---|
| 197 | 205 | rc = commands.getstatusoutput(cmd) |
|---|
| 198 | 206 | if rc[0] == 0: |
|---|
| 199 | | print _("\n******************** IMPORTANT ***********************\n") |
|---|
| 200 | | print (_("In order to load this newly created policy package into the kernel,\nyou are required to execute \n\nsemodule -i %s.pp\n\n") % module) |
|---|
| 201 | | else: |
|---|
| 202 | | errorExit(rc[1]) |
|---|
| | 207 | cmd = "semodule_package -o %s.pp -m %s.mod" % (module, module) |
|---|
| | 208 | if fc_file != "": |
|---|
| | 209 | cmd = "%s -f %s" % (cmd, fc_file) |
|---|
| | 210 | |
|---|
| | 211 | print cmd |
|---|
| | 212 | rc = commands.getstatusoutput(cmd) |
|---|
| | 213 | if rc[0] == 0: |
|---|
| | 214 | print _("\n******************** IMPORTANT ***********************\n") |
|---|
| | 215 | print (_("In order to load this newly created policy package into the kernel,\nyou are required to execute \n\nsemodule -i %s.pp\n\n") % module) |
|---|
| 203 | 216 | else: |
|---|
| 204 | 217 | errorExit(rc[1]) |
|---|
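Review bot: `verify_module()` restricts the module name before it is formatted into the command strings, but `fc_file` is still interpolated unquoted in `"%s -f %s" % (cmd, fc_file)` at new line 209 and run through `commands.getstatusoutput()`, which goes through a shell. A path containing spaces or shell metacharacters will be split or interpreted; either quote the value or run the tools with an argument list rather than a command string (where `fc_file` is set is outside these hunks). At new line 196 the `rc` returned by `selinux.selinux_getpolicytype()` is overwritten without being checked, so a failed lookup only shows up when `make` fails on the resulting path. A docstring on `verify_module` saying that the name is limited to `[a-zA-Z0-9]` because it ends up in file names and shell commands would keep the check from being relaxed later.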
| r84 |
r159 |
|
| 232 | 232 | file = m[0][1] |
|---|
| 233 | 233 | ret = "\n#%s\n"% self.out() |
|---|
| 234 | | ret += "optional_policy(`%s', `\n" % m[0][1] |
|---|
| | 234 | ret += "optional_policy(`\n" |
|---|
| 235 | 235 | first = True |
|---|
| 236 | 236 | for i in m: |
|---|
| r10 |
r159 |
|
| 51 | 51 | if (nargs > 2) |
|---|
| 52 | 52 | usage(argv[0]); |
|---|
| 53 | | if (nargs >= 1) { |
|---|
| 54 | | fprintf(stderr, |
|---|
| 55 | | "%s: Warning! Policy file argument (%s) is no longer supported, installed policy is always loaded. Continuing...\n", |
|---|
| 56 | | argv[0], argv[optind++]); |
|---|
| | 53 | if (nargs >= 1 && !quiet) { |
|---|
| | 54 | fprintf(stderr, |
|---|
| | 55 | "%s: Warning! Policy file argument (%s) is no longer supported, installed policy is always loaded. Continuing...\n", |
|---|
| | 56 | argv[0], argv[optind++]); |
|---|
| 57 | 57 | } |
|---|
| 58 | | if (nargs == 2) { |
|---|
| | 58 | if (nargs == 2 && ! quiet) { |
|---|
| 59 | 59 | fprintf(stderr, |
|---|
| 60 | 60 | "%s: Warning! Boolean file argument (%s) is no longer supported, installed booleans file is always used. Continuing...\n", |
|---|
| r141 |
r159 |
|
| 1069 | 1069 | int rc; |
|---|
| 1070 | 1070 | int exit_code = 0; |
|---|
| | 1071 | int status; |
|---|
| 1071 | 1072 | |
|---|
| 1072 | 1073 | do { |
|---|
| 1073 | | rc = wait(NULL); |
|---|
| | 1074 | rc = wait(&status); |
|---|
| 1074 | 1075 | } while (rc < 0 && errno == EINTR); |
|---|
| | 1076 | |
|---|
| | 1077 | /* Preserve child exit status, unless there is another error. */ |
|---|
| | 1078 | if (WIFEXITED(status)) |
|---|
| | 1079 | exit_code = WEXITSTATUS(status); |
|---|
| 1075 | 1080 | |
|---|
| 1076 | 1081 | if (restore_tty_label(fd, ttyn, tty_context, new_tty_context)) { |
|---|
| … | … | |
| 1116 | 1121 | if (fd != 0) |
|---|
| 1117 | 1122 | goto err_close_pam; |
|---|
| 1118 | | fd = open(ttyn, O_WRONLY); |
|---|
| | 1123 | fd = open(ttyn, O_RDWR); |
|---|
| 1119 | 1124 | if (fd != 1) |
|---|
| 1120 | 1125 | goto err_close_pam; |
|---|
| 1121 | | fd = open(ttyn, O_WRONLY); |
|---|
| | 1126 | fd = open(ttyn, O_RDWR); |
|---|
| 1122 | 1127 | if (fd != 2) |
|---|
| 1123 | 1128 | goto err_close_pam; |
|---|
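Review bot: `status` is read by `WIFEXITED(status)` at new line 1078 even when `wait()` returned an error other than EINTR, in which case it was never written. Guard on the return value, `if (rc > 0 && WIFEXITED(status))`, so an indeterminate value is not turned into an exit code. A child terminated by a signal also leaves `exit_code` at 0, so the caller sees success; if that is not intended, add something like `else if (rc > 0 && WIFSIGNALED(status)) exit_code = 128 + WTERMSIG(status);`. The enclosing function starts and ends outside the hunk.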
| r10 |
r159 |
|
| 133 | 133 | } |
|---|
| 134 | 134 | |
|---|
| | 135 | /* If we were successful, call pam_acct_mgmt() to reset the |
|---|
| | 136 | * pam_tally failcount. |
|---|
| | 137 | */ |
|---|
| | 138 | if (result && (PAM_SUCCESS != pam_acct_mgmt(pam_handle, 0)) ) { |
|---|
| | 139 | fprintf(stderr, _("failed to get account information\n")); |
|---|
| | 140 | exit(-1); |
|---|
| | 141 | } |
|---|
| | 142 | |
|---|
| 135 | 143 | /* We're done with PAM. Free `pam_handle'. */ |
|---|
| 136 | 144 | pam_end(pam_handle, PAM_SUCCESS); |
|---|
| r10 |
r159 |
|
| 29 | 29 | import gettext |
|---|
| 30 | 30 | gettext.install('policycoreutils') |
|---|
| 31 | | |
|---|
| 32 | | try: |
|---|
| 33 | | fd = open("/etc/shells", 'r') |
|---|
| 34 | | VALID_SHELLS = fd.read().split("\n") |
|---|
| 35 | | fd.close() |
|---|
| 36 | | if "/sbin/nologin" in VALID_SHELLS: |
|---|
| 37 | | VALID_SHELLS.remove("/sbin/nologin") |
|---|
| 38 | | if "" in VALID_SHELLS: |
|---|
| 39 | | VALID_SHELLS.remove("") |
|---|
| 40 | | except: |
|---|
| 41 | | VALID_SHELLS = ['/bin/sh', '/bin/bash', '/bin/ash', '/bin/bsh', '/bin/ksh', '/usr/bin/ksh', '/usr/bin/pdksh', '/bin/tcsh', '/bin/csh', '/bin/zsh'] |
|---|
| 42 | 31 | |
|---|
| 43 | 32 | def grep(file, var): |
|---|
| … | … | |
| 115 | 104 | return "targeted" |
|---|
| 116 | 105 | |
|---|
| 117 | | def usage(error = ""): |
|---|
| | 106 | def usage(rc=0, error = ""): |
|---|
| 118 | 107 | if error != "": |
|---|
| 119 | 108 | sys.stderr.write("%s\n" % error) |
|---|
| | 109 | rc = 1 |
|---|
| 120 | 110 | sys.stderr.write("Usage: %s [ -d selinuxdir ] [-n | --nopasswd] [-t selinuxtype ]\n" % sys.argv[0]) |
|---|
| 121 | 111 | sys.stderr.flush() |
|---|
| 122 | | sys.exit(1) |
|---|
| | 112 | sys.exit(rc) |
|---|
| 123 | 113 | |
|---|
| 124 | 114 | def warning(warning = ""): |
|---|
| … | … | |
| 137 | 127 | self.semanaged = semanage_is_managed(self.semanageHandle) |
|---|
| 138 | 128 | if self.semanaged: |
|---|
| 139 | | semanage_connect(self.semanageHandle) |
|---|
| | 129 | rc = semanage_connect(self.semanageHandle) |
|---|
| | 130 | if rc: |
|---|
| | 131 | errorExit("Unable to connect to semanage") |
|---|
| 140 | 132 | (status, self.ulist) = semanage_user_list(self.semanageHandle) |
|---|
| 141 | 133 | self.type = type |
|---|
| … | … | |
| 337 | 329 | |
|---|
| 338 | 330 | def write(self): |
|---|
| 339 | | try: |
|---|
| 340 | | fd = open(self.getFileContextDir()+"/file_contexts.homedirs", "w") |
|---|
| 341 | | fd.write(self.genoutput()) |
|---|
| 342 | | fd.close() |
|---|
| 343 | | except IOError, error: |
|---|
| 344 | | sys.stderr.write("%s: %s\n" % ( sys.argv[0], error )) |
|---|
| 345 | | |
|---|
| | 331 | fd = open(self.getFileContextDir()+"/file_contexts.homedirs", "w") |
|---|
| | 332 | fd.write(self.genoutput()) |
|---|
| | 333 | fd.close() |
|---|
| 346 | 334 | |
|---|
| 347 | 335 | if os.getuid() > 0 or os.geteuid() > 0: |
|---|
| 348 | 336 | print _("You must be root to run %s.") % sys.argv[0] |
|---|
| 349 | 337 | sys.exit(1) |
|---|
| | 338 | |
|---|
| | 339 | try: |
|---|
| | 340 | fd = open("/etc/shells", 'r') |
|---|
| | 341 | VALID_SHELLS = fd.read().split("\n") |
|---|
| | 342 | fd.close() |
|---|
| | 343 | if "/sbin/nologin" in VALID_SHELLS: |
|---|
| | 344 | VALID_SHELLS.remove("/sbin/nologin") |
|---|
| | 345 | if "" in VALID_SHELLS: |
|---|
| | 346 | VALID_SHELLS.remove("") |
|---|
| | 347 | except: |
|---|
| | 348 | VALID_SHELLS = ['/bin/sh', '/bin/bash', '/bin/ash', '/bin/bsh', '/bin/ksh', '/usr/bin/ksh', '/usr/bin/pdksh', '/bin/tcsh', '/bin/csh', '/bin/zsh'] |
|---|
| 350 | 349 | |
|---|
| 351 | 350 | # |
|---|
| … | … | |
| 370 | 369 | if o == '--help' or o == "-h": |
|---|
| 371 | 370 | usage() |
|---|
| 372 | | |
|---|
| 373 | | |
|---|
| 374 | | if type == None: |
|---|
| 375 | | type = getSELinuxType(directory) |
|---|
| 376 | | |
|---|
| 377 | | if len(cmds) != 0: |
|---|
| 378 | | usage() |
|---|
| 379 | | selconf = selinuxConfig(directory, type, usepwd) |
|---|
| 380 | | selconf.write() |
|---|
| 381 | | |
|---|
| 382 | 371 | except getopt.error, error: |
|---|
| 383 | 372 | errorExit(_("Options Error %s ") % error) |
|---|
| | 373 | |
|---|
| | 374 | if type == None: |
|---|
| | 375 | type = getSELinuxType(directory) |
|---|
| | 376 | |
|---|
| | 377 | if len(cmds) != 0: |
|---|
| | 378 | usage(1) |
|---|
| | 379 | |
|---|
| | 380 | selconf = selinuxConfig(directory, type, usepwd) |
|---|
| | 381 | try: |
|---|
| | 382 | selconf.write() |
|---|
| | 383 | except IOError, error: |
|---|
| | 384 | sys.stderr.write("%s: %s\n" % ( sys.argv[0], error )) |
|---|
| | 385 | sys.exit(1) |
|---|
| | 386 | |
|---|
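Review bot: In `write()` (new lines 331-333) the target is opened with mode "w", which truncates `file_contexts.homedirs`, before `self.genoutput()` runs; if generation raises, the previous contents are already gone and `fd.close()` is skipped. Build the text first with `output = self.genoutput()`, then open the file and `fd.write(output)`. Separately, `usage(rc=0, error = "")` puts `rc` in the first positional slot, so any caller elsewhere in the file that still passes a message positionally would need `usage(error=...)`; none is visible in these hunks.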
| r10 |
r159 |
|
| 4 | 4 | SBINDIR ?= $(PREFIX)/sbin |
|---|
| 5 | 5 | MANDIR = $(PREFIX)/share/man |
|---|
| 6 | | PYLIBVER ?= python2.4 |
|---|
| | 6 | PYLIBVER ?= $(shell python -c 'import sys;print "python%d.%d" % sys.version_info[0:2]') |
|---|
| 7 | 7 | PYTHONLIBDIR ?= $(LIBDIR)/$(PYLIBVER) |
|---|
| 8 | 8 | |
|---|
| r141 |
r159 |
|
| 83 | 83 | .I \-T, \-\-trans |
|---|
| 84 | 84 | SELinux Translation |
|---|
| 85 | | .TP |
|---|
| 86 | | .I \-v, \-\-verbose |
|---|
| 87 | | verbose output |
|---|
| 88 | 85 | |
|---|
| 89 | 86 | .SH EXAMPLE |
|---|