
diff --git policycoreutils-2.5/ChangeLog policycoreutils-2.5/ChangeLog
index d8fb067..10f0cab 100644
--- policycoreutils-2.5/ChangeLog
+++ policycoreutils-2.5/ChangeLog
@@ -1,3 +1,34 @@
+ * sandbox: create a new session for sandboxed processes, from Petr Lautrbach.
+ * sandbox: do not try to setup directories without -X or -M, from Petr Lautrbach.
+ * audit2allow: tests should use local copy not system, from Jason Zaman.
+ * audit2allow: fix audit2why import from seobject, from Jason Zaman.
+ * audit2allow: remove audit2why so that it gets symlinked, from Jason Zaman.
+ * semanage: fix man page and help message for import option, from AJ.
+ * semanage: fix error message for fcontext -m, from Miroslav Vadkerti.
+ * semanage: Fix semanage fcontext -D, from Stephen Smalley.
+ * semanage: Correct fcontext auditing, from Miroslav Vadkerti.
+ * semanage: Default serange to "s0" for port modify, from Miroslav Vadkerti.
+ * semanage: Use socket.getprotobyname for protocol, from Miroslav Vadkerti.
+ * semanage: fix modify action in node and interface, from Miroslav Vadkerti.
+ * fixfiles: Pass -n to restorecon for fixfiles check, from Petr Lautrbach.
+ * sepolicy: Check get_rpm_nvr_list() return value, from Vit Mojzis.
+ * Don't use subprocess.getstatusoutput() in Python 2 code, from Petr Lautrbach.
+ * semanage: Add auditing of changes in records, from Miroslav Vadkerti.
+ * Remove unused 'q' from semodule getopt string, from Petr Lautrbach.
+ * Remove unused autoconf files from po/, from Petr Lautrbach.
+ * Remove duplicate, empty translation files, from Piotr Drąg.
+ * open_init_pty: Do not error on EINTR, from Jason Zaman.
+ * Fix [-s STORE] typos in semanage, from Petr Lautrbach.
+ * Update sandbox types in sandbox manual, from Michael De La Rue.
+ * Fix typos in semanage manpages, from Philipp Gesang.
+ * Fix the documentation of -l,--list for semodule, from Petr Lautrbach.
+ * Minor fix in a French translation, from Laurent Bigonville.
+ * Fix the extract example in semodule.8, from Petr Lautrbach.
+ * Update sandbox.8 man page, from Petr Lautrbach.
+ * Remove typos from chcat --help, from Petr Lautrbach.
+ * Fix multiple spelling errors, from Laurent Bigonville.
+ * hll/pp: Warn if module name different than output filename, from James Carter
+
2.5 2016-02-23
* sepolicy: Do not overwrite CFLAGS, from Nicolas Iooss.
* sepolicy: Rename policy global variable conflict, from Nicolas Iooss.
diff --git policycoreutils-2.5/Makefile policycoreutils-2.5/Makefile
index 962ac12..6a9c40c 100644
--- policycoreutils-2.5/Makefile
+++ policycoreutils-2.5/Makefile
@@ -1,4 +1,4 @@
-SUBDIRS = sepolicy setfiles semanage load_policy newrole run_init sandbox secon audit2allow sestatus semodule_package semodule semodule_link semodule_expand semodule_deps sepolgen-ifgen setsebool scripts po man gui hll
+SUBDIRS = sepolicy setfiles semanage load_policy newrole run_init sandbox secon audit2allow sestatus semodule_package semodule semodule_link semodule_expand semodule_deps sepolgen-ifgen setsebool scripts po man gui hll semanage/default_encoding
INOTIFYH = $(shell ls /usr/include/sys/inotify.h 2>/dev/null)
diff --git policycoreutils-2.5/audit2allow/audit2why policycoreutils-2.5/audit2allow/audit2why
deleted file mode 100644
index b1489ed..0000000
--- policycoreutils-2.5/audit2allow/audit2why
+++ /dev/null
@@ -1,364 +0,0 @@
-#! /usr/bin/python -Es
-# Authors: Karl MacMillan <kmacmillan@mentalrootkit.com>
-# Authors: Dan Walsh <dwalsh@redhat.com>
-#
-# Copyright (C) 2006-2013 Red Hat
-# see file 'COPYING' for use and warranty information
-#
-# This program is free software; you can redistribute it and/or
-# modify it under the terms of the GNU General Public License as
-# published by the Free Software Foundation; version 2 only
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
-#
-
-import sys
-import os
-
-import sepolgen.audit as audit
-import sepolgen.policygen as policygen
-import sepolgen.interfaces as interfaces
-import sepolgen.output as output
-import sepolgen.objectmodel as objectmodel
-import sepolgen.defaults as defaults
-import sepolgen.module as module
-from sepolgen.sepolgeni18n import _
-import selinux.audit2why as audit2why
-import locale
-try:
- locale.setlocale(locale.LC_ALL, '')
-except:
- pass
-
-
-class AuditToPolicy:
- VERSION = "%prog .1"
- SYSLOG = "/var/log/messages"
-
- def __init__(self):
- self.__options = None
- self.__parser = None
- self.__avs = None
-
- def __parse_options(self):
- from optparse import OptionParser
-
- parser = OptionParser(version=self.VERSION)
- parser.add_option("-b", "--boot", action="store_true", dest="boot", default=False,
- help="audit messages since last boot conflicts with -i")
- parser.add_option("-a", "--all", action="store_true", dest="audit", default=False,
- help="read input from audit log - conflicts with -i")
- parser.add_option("-p", "--policy", dest="policy", default=None, help="Policy file to use for analysis")
- parser.add_option("-d", "--dmesg", action="store_true", dest="dmesg", default=False,
- help="read input from dmesg - conflicts with --all and --input")
- parser.add_option("-i", "--input", dest="input",
- help="read input from <input> - conflicts with -a")
- parser.add_option("-l", "--lastreload", action="store_true", dest="lastreload", default=False,
- help="read input only after the last reload")
- parser.add_option("-r", "--requires", action="store_true", dest="requires", default=False,
- help="generate require statements for rules")
- parser.add_option("-m", "--module", dest="module",
- help="set the module name - implies --requires")
- parser.add_option("-M", "--module-package", dest="module_package",
- help="generate a module package - conflicts with -o and -m")
- parser.add_option("-o", "--output", dest="output",
- help="append output to <filename>, conflicts with -M")
- parser.add_option("-D", "--dontaudit", action="store_true",
- dest="dontaudit", default=False,
- help="generate policy with dontaudit rules")
- parser.add_option("-R", "--reference", action="store_true", dest="refpolicy",
- default=True, help="generate refpolicy style output")
-
- parser.add_option("-N", "--noreference", action="store_false", dest="refpolicy",
- default=False, help="do not generate refpolicy style output")
- parser.add_option("-v", "--verbose", action="store_true", dest="verbose",
- default=False, help="explain generated output")
- parser.add_option("-e", "--explain", action="store_true", dest="explain_long",
- default=False, help="fully explain generated output")
- parser.add_option("-t", "--type", help="only process messages with a type that matches this regex",
- dest="type")
- parser.add_option("--perm-map", dest="perm_map", help="file name of perm map")
- parser.add_option("--interface-info", dest="interface_info", help="file name of interface information")
- parser.add_option("--debug", dest="debug", action="store_true", default=False,
- help="leave generated modules for -M")
- parser.add_option("-w", "--why", dest="audit2why", action="store_true", default=(os.path.basename(sys.argv[0]) == "audit2why"),
- help="Translates SELinux audit messages into a description of why the access was denied")
-
- options, args = parser.parse_args()
-
- # Make -d, -a, and -i conflict
- if options.audit is True or options.boot:
- if options.input is not None:
- sys.stderr.write("error: --all/--boot conflicts with --input\n")
- if options.dmesg is True:
- sys.stderr.write("error: --all/--boot conflicts with --dmesg\n")
- if options.input is not None and options.dmesg is True:
- sys.stderr.write("error: --input conflicts with --dmesg\n")
-
- # Turn on requires generation if a module name is given. Also verify
- # the module name.
- if options.module:
- name = options.module
- else:
- name = options.module_package
- if name:
- options.requires = True
- if not module.is_valid_name(name):
- sys.stderr.write('error: module names must begin with a letter, optionally followed by letters, numbers, "-", "_", "."\n')
- sys.exit(2)
-
- # Make -M and -o conflict
- if options.module_package:
- if options.output:
- sys.stderr.write("error: --module-package conflicts with --output\n")
- sys.exit(2)
- if options.module:
- sys.stderr.write("error: --module-package conflicts with --module\n")
- sys.exit(2)
-
- self.__options = options
-
- def __read_input(self):
- parser = audit.AuditParser(last_load_only=self.__options.lastreload)
-
- filename = None
- messages = None
- f = None
-
- # Figure out what input we want
- if self.__options.input is not None:
- filename = self.__options.input
- elif self.__options.dmesg:
- messages = audit.get_dmesg_msgs()
- elif self.__options.audit:
- try:
- messages = audit.get_audit_msgs()
- except OSError as e:
- sys.stderr.write('could not run ausearch - "%s"\n' % str(e))
- sys.exit(1)
- elif self.__options.boot:
- try:
- messages = audit.get_audit_boot_msgs()
- except OSError as e:
- sys.stderr.write('could not run ausearch - "%s"\n' % str(e))
- sys.exit(1)
- else:
- # This is the default if no input is specified
- f = sys.stdin
-
- # Get the input
- if filename is not None:
- try:
- f = open(filename)
- except IOError as e:
- sys.stderr.write('could not open file %s - "%s"\n' % (filename, str(e)))
- sys.exit(1)
-
- if f is not None:
- parser.parse_file(f)
- f.close()
-
- if messages is not None:
- parser.parse_string(messages)
-
- self.__parser = parser
-
- def __process_input(self):
- if self.__options.type:
- avcfilter = audit.AVCTypeFilter(self.__options.type)
- self.__avs = self.__parser.to_access(avcfilter)
- csfilter = audit.ComputeSidTypeFilter(self.__options.type)
- self.__role_types = self.__parser.to_role(csfilter)
- else:
- self.__avs = self.__parser.to_access()
- self.__role_types = self.__parser.to_role()
-
- def __load_interface_info(self):
- # Load interface info file
- if self.__options.interface_info:
- fn = self.__options.interface_info
- else:
- fn = defaults.interface_info()
- try:
- fd = open(fn)
- except:
- sys.stderr.write("could not open interface info [%s]\n" % fn)
- sys.exit(1)
-
- ifs = interfaces.InterfaceSet()
- ifs.from_file(fd)
- fd.close()
-
- # Also load perm maps
- if self.__options.perm_map:
- fn = self.__options.perm_map
- else:
- fn = defaults.perm_map()
- try:
- fd = open(fn)
- except:
- sys.stderr.write("could not open perm map [%s]\n" % fn)
- sys.exit(1)
-
- perm_maps = objectmodel.PermMappings()
- perm_maps.from_file(fd)
-
- return (ifs, perm_maps)
-
- def __output_modulepackage(self, writer, generator):
- generator.set_module_name(self.__options.module_package)
- filename = self.__options.module_package + ".te"
- packagename = self.__options.module_package + ".pp"
-
- try:
- fd = open(filename, "w")
- except IOError as e:
- sys.stderr.write("could not write output file: %s\n" % str(e))
- sys.exit(1)
-
- writer.write(generator.get_module(), fd)
- fd.close()
-
- mc = module.ModuleCompiler()
-
- try:
- mc.create_module_package(filename, self.__options.refpolicy)
- except RuntimeError as e:
- print(e)
- sys.exit(1)
-
- sys.stdout.write(_("******************** IMPORTANT ***********************\n"))
- sys.stdout.write((_("To make this policy package active, execute:" +
- "\n\nsemodule -i %s\n\n") % packagename))
-
- def __output_audit2why(self):
- import selinux
- import seobject
- for i in self.__parser.avc_msgs:
- rc = i.type
- data = i.data
- if rc >= 0:
- print("%s\n\tWas caused by:" % i.message)
- if rc == audit2why.ALLOW:
- print("\t\tUnknown - would be allowed by active policy")
- print("\t\tPossible mismatch between this policy and the one under which the audit message was generated.\n")
- print("\t\tPossible mismatch between current in-memory boolean settings vs. permanent ones.\n")
- continue
- if rc == audit2why.DONTAUDIT:
- print("\t\tUnknown - should be dontaudit'd by active policy")
- print("\t\tPossible mismatch between this policy and the one under which the audit message was generated.\n")
- print("\t\tPossible mismatch between current in-memory boolean settings vs. permanent ones.\n")
- continue
- if rc == audit2why.BOOLEAN:
- if len(data) > 1:
- print("\tOne of the following booleans was set incorrectly.")
- for b in data:
- print("\tDescription:\n\t%s\n" % seobject.boolean_desc(b[0]))
- print("\tAllow access by executing:\n\t# setsebool -P %s %d" % (b[0], b[1]))
- else:
- print("\tThe boolean %s was set incorrectly. " % (data[0][0]))
- print("\tDescription:\n\t%s\n" % seobject.boolean_desc(data[0][0]))
- print("\tAllow access by executing:\n\t# setsebool -P %s %d" % (data[0][0], data[0][1]))
- continue
-
- if rc == audit2why.TERULE:
- print("\t\tMissing type enforcement (TE) allow rule.\n")
- print("\t\tYou can use audit2allow to generate a loadable module to allow this access.\n")
- continue
-
- if rc == audit2why.CONSTRAINT:
- print() # !!!! This avc is a constraint violation. You would need to modify the attributes of either the source or target types to allow this access.\n"
- print("#Constraint rule: \n\t" + data[0])
- for reason in data[1:]:
- print("#\tPossible cause is the source %s and target %s are different.\n\b" % reason)
-
- if rc == audit2why.RBAC:
- print("\t\tMissing role allow rule.\n")
- print("\t\tAdd an allow rule for the role pair.\n")
- continue
-
- audit2why.finish()
- return
-
- def __output(self):
-
- if self.__options.audit2why:
- try:
- return self.__output_audit2why()
- except RuntimeError as e:
- print(e)
- sys.exit(1)
-
- g = policygen.PolicyGenerator()
-
- g.set_gen_dontaudit(self.__options.dontaudit)
-
- if self.__options.module:
- g.set_module_name(self.__options.module)
-
- # Interface generation
- if self.__options.refpolicy:
- ifs, perm_maps = self.__load_interface_info()
- g.set_gen_refpol(ifs, perm_maps)
-
- # Explanation
- if self.__options.verbose:
- g.set_gen_explain(policygen.SHORT_EXPLANATION)
- if self.__options.explain_long:
- g.set_gen_explain(policygen.LONG_EXPLANATION)
-
- # Requires
- if self.__options.requires:
- g.set_gen_requires(True)
-
- # Generate the policy
- g.add_access(self.__avs)
- g.add_role_types(self.__role_types)
-
- # Output
- writer = output.ModuleWriter()
-
- # Module package
- if self.__options.module_package:
- self.__output_modulepackage(writer, g)
- else:
- # File or stdout
- if self.__options.module:
- g.set_module_name(self.__options.module)
-
- if self.__options.output:
- fd = open(self.__options.output, "a")
- else:
- fd = sys.stdout
- writer.write(g.get_module(), fd)
-
- def main(self):
- try:
- self.__parse_options()
- if self.__options.policy:
- audit2why.init(self.__options.policy)
- else:
- audit2why.init()
-
- self.__read_input()
- self.__process_input()
- self.__output()
- except KeyboardInterrupt:
- sys.exit(0)
- except ValueError as e:
- print(e)
- sys.exit(1)
- except IOError as e:
- print(e)
- sys.exit(1)
-
-if __name__ == "__main__":
- app = AuditToPolicy()
- app.main()
diff --git policycoreutils-2.5/audit2allow/audit2why policycoreutils-2.5/audit2allow/audit2why
new file mode 120000
index 0000000..9cddcf5
--- /dev/null
+++ policycoreutils-2.5/audit2allow/audit2why
@@ -0,0 +1 @@
+audit2allow
\ No newline at end of file
diff --git policycoreutils-2.5/audit2allow/test_audit2allow.py policycoreutils-2.5/audit2allow/test_audit2allow.py
index 765c9ea..a826a9f 100644
--- policycoreutils-2.5/audit2allow/test_audit2allow.py
+++ policycoreutils-2.5/audit2allow/test_audit2allow.py
@@ -33,7 +33,7 @@ class Audit2allowTests(unittest.TestCase):
def test_audit2allow(self):
"Verify audit2allow works"
- p = Popen(['audit2allow', "-i", "test.log"], stdout=PIPE)
+ p = Popen(['python', './audit2allow', "-i", "test.log"], stdout=PIPE)
out, err = p.communicate()
if err:
print(out, err)
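Review bot: `Popen(['python', './audit2allow', "-i", "test.log"], stdout=PIPE)` hard-codes the interpreter name, so the script runs under whatever `python` resolves to on PATH rather than the interpreter running the test suite, and the two can differ on systems where `python` is missing or is the other major version. `[sys.executable, './audit2allow', "-i", "test.log"]` (importing `sys` if the file does not already) keeps them in step; the same applies to the `./audit2why` call in the next hunk. Note also that only stdout is piped, so `err` from `p.communicate()` is always None and the `if err:` check that follows never fires; that is pre-existing but worth fixing while touching the line. The test method continues past the hunk.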
@@ -41,7 +41,7 @@ class Audit2allowTests(unittest.TestCase):
def test_audit2why(self):
"Verify audit2why works"
- p = Popen(['audit2why', "-i", "test.log"], stdout=PIPE)
+ p = Popen(['python', './audit2why', "-i", "test.log"], stdout=PIPE)
out, err = p.communicate()
if err:
print(out, err)
diff --git policycoreutils-2.5/gui/Makefile policycoreutils-2.5/gui/Makefile
index 9d9f820..0c2b390 100644
--- policycoreutils-2.5/gui/Makefile
+++ policycoreutils-2.5/gui/Makefile
@@ -12,7 +12,6 @@ domainsPage.py \
fcontextPage.py \
html_util.py \
loginsPage.py \
-mappingsPage.py \
modulesPage.py \
polgen.glade \
portsPage.py \
diff --git policycoreutils-2.5/gui/booleansPage.py policycoreutils-2.5/gui/booleansPage.py
index 507a79d..7fbd50c 100644
--- policycoreutils-2.5/gui/booleansPage.py
+++ policycoreutils-2.5/gui/booleansPage.py
@@ -18,23 +18,20 @@
# You should have received a copy of the GNU General Public License
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
#
-import string
import gtk
import gtk.glade
-import os
import gobject
import sys
-import tempfile
import seobject
import semanagePage
INSTALLPATH = '/usr/share/system-config-selinux'
sys.path.append(INSTALLPATH)
-import commands
-ENFORCING = 0
-PERMISSIVE = 1
-DISABLED = 2
+import subprocess
+ENFORCING=0
+PERMISSIVE=1
+DISABLED=2
##
## I18N
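Review bot: The added `ENFORCING=0`, `PERMISSIVE=1` and `DISABLED=2` lines drop the spaces around `=` that the removed lines carried, a PEP 8 regression inside an otherwise mechanical `commands` → `subprocess` swap; keep `ENFORCING = 0` and so on. The same spacing change recurs in the `setsebool=...` assignments further down this file and in the `fspec=`, `setype=` and `it=` assignments added in fcontextPage.py.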
@@ -50,10 +47,8 @@ try:
unicode=False,
codeset='utf-8')
except IOError:
- import __builtin__
- __builtin__.__dict__['_'] = unicode
-
-from glob import fnmatch
+ import builtins
+ builtins.__dict__['_'] = str
class Modifier:
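Review bot: `import builtins` in the `except IOError:` fallback exists only on Python 3, while this module's other imports (`gtk`, `gtk.glade`) look like PyGTK, which I believe has no Python 3 build; if the module still runs under Python 2, the fallback that is meant to recover from a missing message catalog would itself fail with ImportError. If the port is intended to be Python 3 only that is fine and worth stating in the commit message; otherwise `try: import builtins` / `except ImportError: import __builtin__ as builtins` keeps both working. The same fallback is added in domainsPage.py, fcontextPage.py and loginsPage.py in this diff.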
@@ -109,8 +104,6 @@ class booleansPage:
self.revertButton = xml.get_widget("booleanRevertButton")
self.revertButton.set_sensitive(self.local)
self.revertButton.connect("clicked", self.on_revert_clicked)
- listStore = gtk.ListStore(gobject.TYPE_STRING)
- cell = gtk.CellRendererText()
self.store = gtk.ListStore(gobject.TYPE_BOOLEAN, gobject.TYPE_STRING, gobject.TYPE_STRING, gobject.TYPE_STRING)
self.store.set_sort_column_id(1, gtk.SORT_ASCENDING)
@@ -176,16 +169,15 @@ class booleansPage:
# change cursor
if boolean == None:
return
+ self.wait()
try:
- self.wait()
- (rc, out) = commands.getstatusoutput("semanage boolean -d %s" % boolean)
-
- self.ready()
- if rc != 0:
- return self.error(out)
+ subprocess.check_output("semanage boolean -d %s" % boolean,
+ stderr=subprocess.STDOUT,
+ shell=True)
self.load(self.filter)
- except ValueError, e:
- self.error(e.args[0])
+ except subprocess.CalledProcessError as e:
+ self.error(e.output)
+ self.ready()
def filter_changed(self, *arg):
filter = arg[0].get_text()
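Review bot: `subprocess.check_output("semanage boolean -d %s" % boolean, stderr=subprocess.STDOUT, shell=True)` still builds a shell command line by string interpolation, which `commands.getstatusoutput` forced but subprocess does not need; any shell-special character in `boolean` would be interpreted by the shell instead of reaching semanage as an argument. Pass an argv list instead: `subprocess.check_output(["semanage", "boolean", "-d", boolean], stderr=subprocess.STDOUT)`. The same interpolated `shell=True` pattern is in the `setsebool` and `semanage boolean --deleteall` calls in the next hunk and in the `semanage permissive` and `semanage fcontext` calls in domainsPage.py and fcontextPage.py. Separately, under Python 3 (which the `builtins` change in this file targets) `e.output` is `bytes`, so `self.error(e.output)` hands bytes to the error dialog; `self.error(e.output.decode("utf-8", "replace"))` is the string form. The `delete` method's header is above the hunk.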
@@ -228,18 +220,26 @@ class booleansPage:
key = self.store.get_value(iter, BOOLEAN)
self.store.set_value(iter, ACTIVE, not val)
self.wait()
- setsebool = "/usr/sbin/setsebool -P %s %d" % (key, not val)
- rc, out = commands.getstatusoutput(setsebool)
- if rc != 0:
- self.error(out)
- self.load(self.filter)
+ setsebool="/usr/sbin/setsebool -P %s %d" % (key, not val)
+ try:
+ subprocess.check_output(setsebool,
+ stderr=subprocess.STDOUT,
+ shell=True)
+ self.load(self.filter)
+ except subprocess.CalledProcessError as e:
+ self.error(e.output)
self.ready()
def on_revert_clicked(self, button):
self.wait()
- setsebool = "semanage boolean --deleteall"
- commands.getstatusoutput(setsebool)
- self.load(self.filter)
+ setsebool="semanage boolean --deleteall"
+ try:
+ subprocess.check_output(setsebool,
+ stderr=subprocess.STDOUT,
+ shell=True)
+ self.load(self.filter)
+ except subprocess.CalledProcessError as e:
+ self.error(e.output)
self.ready()
def on_local_clicked(self, button):
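Review bot: In the toggle handler `self.load(self.filter)` now sits inside the `try`, so when `setsebool` fails the row's ACTIVE value, flipped optimistically by `self.store.set_value(iter, ACTIVE, not val)` just above, is left showing a state the command did not apply; the removed code reloaded unconditionally. Move `self.load(self.filter)` after the `except` block (or also call it in the handler) so the view is resynced with the real boolean state on both paths. The handler's header is above the hunk.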
diff --git policycoreutils-2.5/gui/domainsPage.py policycoreutils-2.5/gui/domainsPage.py
index 56c66fe..f4a281f 100644
--- policycoreutils-2.5/gui/domainsPage.py
+++ policycoreutils-2.5/gui/domainsPage.py
@@ -20,7 +20,7 @@ import string
import gtk
import gtk.glade
import os
-import commands
+import subprocess
import gobject
import sys
import seobject
@@ -41,8 +41,8 @@ try:
unicode=False,
codeset='utf-8')
except IOError:
- import __builtin__
- __builtin__.__dict__['_'] = unicode
+ import builtins
+ builtins.__dict__['_'] = str
class domainsPage(semanagePage):
@@ -117,18 +117,17 @@ class domainsPage(semanagePage):
selection = self.view.get_selection()
store, iter = selection.get_selected()
domain = store.get_value(iter, 0)
+ self.wait()
+ cmd = "semanage permissive -d %s_t" % domain
try:
- self.wait()
- status, output = commands.getstatusoutput("semanage permissive -d %s_t" % domain)
- self.ready()
- if status != 0:
- self.error(output)
- else:
- domain = store.set_value(iter, 1, "")
- self.itemSelected(selection)
-
- except ValueError, e:
- self.error(e.args[0])
+ subprocess.check_output(cmd,
+ stderr=subprocess.STDOUT,
+ shell=True)
+ domain = store.set_value(iter, 1, "")
+ self.itemSelected(selection)
+ except subprocess.CalledProcessError as e:
+ self.error(e.output)
+ self.ready()
def propertiesDialog(self):
# Do nothing
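Review bot: `domain = store.set_value(iter, 1, "")` rebinds `domain` to the return value of `set_value`, which nothing reads afterwards; the line should just be `store.set_value(iter, 1, "")`. The same assignment is re-added as `domain = store.set_value(iter, 1, _("Permissive"))` in the next hunk. The `delete` method's header is above the hunk.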
@@ -142,15 +141,14 @@ class domainsPage(semanagePage):
selection = self.view.get_selection()
store, iter = selection.get_selected()
domain = store.get_value(iter, 0)
+ self.wait()
+ cmd = "semanage permissive -a %s_t" % domain
try:
- self.wait()
- status, output = commands.getstatusoutput("semanage permissive -a %s_t" % domain)
- self.ready()
- if status != 0:
- self.error(output)
- else:
- domain = store.set_value(iter, 1, _("Permissive"))
- self.itemSelected(selection)
-
- except ValueError, e:
- self.error(e.args[0])
+ subprocess.check_output(cmd,
+ stderr=subprocess.STDOUT,
+ shell=True)
+ domain = store.set_value(iter, 1, _("Permissive"))
+ self.itemSelected(selection)
+ except subprocess.CalledProcessError as e:
+ self.error(e.output)
+ self.ready()
diff --git policycoreutils-2.5/gui/fcontextPage.py policycoreutils-2.5/gui/fcontextPage.py
index c8d6ba8..154e8e2 100644
--- policycoreutils-2.5/gui/fcontextPage.py
+++ policycoreutils-2.5/gui/fcontextPage.py
@@ -18,10 +18,9 @@
## Author: Dan Walsh
import gtk
import gtk.glade
-import os
import gobject
import seobject
-import commands
+import subprocess
from semanagePage import *
SPEC_COL = 0
@@ -57,8 +56,8 @@ try:
unicode=False,
codeset='utf-8')
except IOError:
- import __builtin__
- __builtin__.__dict__['_'] = unicode
+ import builtins
+ builtins.__dict__['_'] = str
class fcontextPage(semanagePage):
@@ -99,17 +98,17 @@ class fcontextPage(semanagePage):
self.fcontextFileTypeCombo = xml.get_widget("fcontextFileTypeCombo")
liststore = self.fcontextFileTypeCombo.get_model()
for k in seobject.file_types:
- if len(k) > 0 and k[0] != '-':
- iter = liststore.append()
- liststore.set_value(iter, 0, k)
- iter = liststore.get_iter_first()
- self.fcontextFileTypeCombo.set_active_iter(iter)
+ if len(k) > 0 and k[0] != '-':
+ it=liststore.append()
+ liststore.set_value(it, 0, k)
+ it = liststore.get_iter_first()
+ self.fcontextFileTypeCombo.set_active_iter(it)
self.fcontextTypeEntry = xml.get_widget("fcontextTypeEntry")
self.fcontextMLSEntry = xml.get_widget("fcontextMLSEntry")
- def match(self, fcon_dict, k, filter):
+ def match(self, fcon_dict, k, filt):
try:
- f = filter.lower()
+ f=filt.lower()
for con in k:
k = con.lower()
if k.find(f) >= 0:
@@ -122,46 +121,46 @@ class fcontextPage(semanagePage):
pass
return False
- def load(self, filter=""):
- self.filter = filter
- self.fcontext = seobject.fcontextRecords()
+ def load(self, filt=""):
+ self.filter=filt
+ self.fcontext=seobject.fcontextRecords()
self.store.clear()
- fcon_dict = self.fcontext.get_all(self.local)
- keys = fcon_dict.keys()
+ fcon_dict=self.fcontext.get_all(self.local)
+ keys = list(fcon_dict.keys())
keys.sort()
for k in keys:
- if not self.match(fcon_dict, k, filter):
+ if not self.match(fcon_dict, k, filt):
continue
- iter = self.store.append()
- self.store.set_value(iter, SPEC_COL, k[0])
- self.store.set_value(iter, FTYPE_COL, k[1])
+ it=self.store.append()
+ self.store.set_value(it, SPEC_COL, k[0])
+ self.store.set_value(it, FTYPE_COL, k[1])
if fcon_dict[k]:
rec = "%s:%s" % (fcon_dict[k][2], seobject.translate(fcon_dict[k][3], False))
else:
- rec = "<<None>>"
- self.store.set_value(iter, TYPE_COL, rec)
- self.view.get_selection().select_path((0,))
+ rec="<<None>>"
+ self.store.set_value(it, TYPE_COL, rec)
+ self.view.get_selection().select_path ((0,))
def filter_changed(self, *arg):
- filter = arg[0].get_text()
- if filter != self.filter:
- self.load(filter)
+ filt = arg[0].get_text()
+ if filt != self.filter:
+ self.load(filt)
def dialogInit(self):
- store, iter = self.view.get_selection().get_selected()
- self.fcontextEntry.set_text(store.get_value(iter, SPEC_COL))
+ store, it = self.view.get_selection().get_selected()
+ self.fcontextEntry.set_text(store.get_value(it, SPEC_COL))
self.fcontextEntry.set_sensitive(False)
- scontext = store.get_value(iter, TYPE_COL)
- scon = context(scontext)
+ scontext = store.get_value(it, TYPE_COL)
+ scon=context(scontext)
self.fcontextTypeEntry.set_text(scon.type)
self.fcontextMLSEntry.set_text(scon.mls)
- type = store.get_value(iter, FTYPE_COL)
- liststore = self.fcontextFileTypeCombo.get_model()
- iter = liststore.get_iter_first()
- while iter != None and liststore.get_value(iter, 0) != type:
- iter = liststore.iter_next(iter)
- if iter != None:
- self.fcontextFileTypeCombo.set_active_iter(iter)
+ setype=store.get_value(it, FTYPE_COL)
+ liststore=self.fcontextFileTypeCombo.get_model()
+ it = liststore.get_iter_first()
+ while it != None and liststore.get_value(it,0) != setype:
+ it = liststore.iter_next(it)
+ if it != None:
+ self.fcontextFileTypeCombo.set_active_iter(it)
self.fcontextFileTypeCombo.set_sensitive(False)
def dialogClear(self):
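Review bot: `def load(self, filt="")` renames the keyword parameter `filter` that the removed signature had, so any caller passing it by keyword (`load(filter=...)`) would now raise TypeError; I cannot see the callers from here, but the `load` body in loginsPage.py in this same diff still uses `filter`, so the pages no longer agree. Keeping the parameter name and renaming only the local (`def load(self, filter=""):` then `filt = filter`) avoids the interface change; the same applies to `match(self, fcon_dict, k, filt)` in the previous hunk.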
@@ -172,55 +171,60 @@ class fcontextPage(semanagePage):
self.fcontextMLSEntry.set_text("s0")
def delete(self):
- store, iter = self.view.get_selection().get_selected()
+ store, it = self.view.get_selection().get_selected()
+ fspec=store.get_value(it, SPEC_COL)
+ ftype=store.get_value(it, FTYPE_COL)
+ self.wait()
try:
- fspec = store.get_value(iter, SPEC_COL)
- ftype = store.get_value(iter, FTYPE_COL)
- self.wait()
- (rc, out) = commands.getstatusoutput("semanage fcontext -d -f '%s' '%s'" % (ftype, fspec))
- self.ready()
-
- if rc != 0:
- return self.error(out)
- store.remove(iter)
- self.view.get_selection().select_path((0,))
- except ValueError, e:
- self.error(e.args[0])
+ subprocess.check_output("semanage fcontext -d -f '%s' '%s'" % (ftype, fspec),
+ stderr=subprocess.STDOUT,
+ shell=True)
+ store.remove(it)
+ self.view.get_selection().select_path ((0,))
+ except subprocess.CalledProcessError as e:
+ self.error(e.output)
+ self.ready()
def add(self):
- ftype = ["", "--", "-d", "-c", "-b", "-s", "-l", "-p"]
- fspec = self.fcontextEntry.get_text().strip()
- type = self.fcontextTypeEntry.get_text().strip()
- mls = self.fcontextMLSEntry.get_text().strip()
- list_model = self.fcontextFileTypeCombo.get_model()
+ ftype=["", "--", "-d", "-c", "-b", "-s", "-l", "-p" ]
+ fspec=self.fcontextEntry.get_text().strip()
+ setype=self.fcontextTypeEntry.get_text().strip()
+ mls=self.fcontextMLSEntry.get_text().strip()
+ list_model=self.fcontextFileTypeCombo.get_model()
active = self.fcontextFileTypeCombo.get_active()
self.wait()
- (rc, out) = commands.getstatusoutput("semanage fcontext -a -t %s -r %s -f '%s' '%s'" % (type, mls, ftype[active], fspec))
- self.ready()
- if rc != 0:
- self.error(out)
+ try:
+ subprocess.check_output("semanage fcontext -a -t %s -r %s -f '%s' '%s'" % (setype, mls, ftype[active], fspec),
+ stderr=subprocess.STDOUT,
+ shell=True)
+ self.ready()
+ it=self.store.append()
+ self.store.set_value(it, SPEC_COL, fspec)
+ self.store.set_value(it, FTYPE_COL, ftype)
+ self.store.set_value(it, TYPE_COL, "%s:%s" % (setype, mls))
+ except subprocess.CalledProcessError as e:
+ self.error(e.output)
+ self.ready()
return False
- iter = self.store.append()
- self.store.set_value(iter, SPEC_COL, fspec)
- self.store.set_value(iter, FTYPE_COL, ftype)
- self.store.set_value(iter, TYPE_COL, "%s:%s" % (type, mls))
-
def modify(self):
- fspec = self.fcontextEntry.get_text().strip()
- type = self.fcontextTypeEntry.get_text().strip()
- mls = self.fcontextMLSEntry.get_text().strip()
- list_model = self.fcontextFileTypeCombo.get_model()
- iter = self.fcontextFileTypeCombo.get_active_iter()
- ftype = list_model.get_value(iter, 0)
+ fspec=self.fcontextEntry.get_text().strip()
+ setype=self.fcontextTypeEntry.get_text().strip()
+ mls=self.fcontextMLSEntry.get_text().strip()
+ list_model=self.fcontextFileTypeCombo.get_model()
+ it = self.fcontextFileTypeCombo.get_active_iter()
+ ftype=list_model.get_value(it,0)
self.wait()
- (rc, out) = commands.getstatusoutput("semanage fcontext -m -t %s -r %s -f '%s' '%s'" % (type, mls, ftype, fspec))
- self.ready()
- if rc != 0:
- self.error(out)
+ try:
+ subprocess.check_output("semanage fcontext -m -t %s -r %s -f '%s' '%s'" % (setype, mls, ftype, fspec),
+ stderr=subprocess.STDOUT,
+ shell=True)
+ self.ready()
+ store, it = self.view.get_selection().get_selected()
+ self.store.set_value(it, SPEC_COL, fspec)
+ self.store.set_value(it, FTYPE_COL, ftype)
+ self.store.set_value(it, TYPE_COL, "%s:%s" % (setype, mls))
+ except subprocess.CalledProcessError as e:
+ self.error(e.output)
+ self.ready()
return False
-
- store, iter = self.view.get_selection().get_selected()
- self.store.set_value(iter, SPEC_COL, fspec)
- self.store.set_value(iter, FTYPE_COL, ftype)
- self.store.set_value(iter, TYPE_COL, "%s:%s" % (type, mls))
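Review bot: In `add()` the re-added `self.store.set_value(it, FTYPE_COL, ftype)` stores the whole option list `["", "--", "-d", ...]` in the FTYPE column, while the command line two lines earlier uses the selected element `ftype[active]` and `load()` stores the record's file-type string; presumably the intended value is the combo's selected text, as `modify()` obtains via `list_model.get_value(it, 0)` — confirm against `load()`. `list_model` is assigned in `add()` but never used there, so it can go. The `'%s'` single-quoting in the `semanage fcontext` command strings also breaks on a pattern containing `'`; the argv-list form suggested for booleansPage.py sidesteps that. This hunk runs to the end of the file.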
diff --git policycoreutils-2.5/gui/html_util.py policycoreutils-2.5/gui/html_util.py
index 5a596bc..ad6c534 100644
--- policycoreutils-2.5/gui/html_util.py
+++ policycoreutils-2.5/gui/html_util.py
@@ -30,7 +30,8 @@ import htmllib
import formatter as Formatter
import string
from types import *
-import StringIO
+import io
+import collections
#------------------------------------------------------------------------------
@@ -127,7 +128,7 @@ def unescape_html(s):
def html_to_text(html, maxcol=80):
try:
- buffer = StringIO.StringIO()
+ buffer = io.StringIO()
formatter = Formatter.AbstractFormatter(TextWriter(buffer, maxcol))
parser = HTMLParserAnchor(formatter)
parser.feed(html)
@@ -135,7 +136,7 @@ def html_to_text(html, maxcol=80):
text = buffer.getvalue()
buffer.close()
return text
- except Exception, e:
+ except Exception as e:
log_program.error('cannot convert html to text: %s' % e)
return None
@@ -158,7 +159,7 @@ def html_document(*body_components):
elif type(body_component) in [TupleType, ListType]:
for item in body_component:
doc += item
- elif callable(body_component):
+ elif isinstance(body_component, collections.Callable):
result = body_component()
if type(result) in [TupleType, ListType]:
for item in result:
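Review bot: `isinstance(body_component, collections.Callable)` replaces the builtin `callable()`, which exists in every Python 3 release except 3.0/3.1, while `collections.Callable` is a deprecated alias that Python 3.10 removes in favour of `collections.abc.Callable`; the removed line was the more portable one. Restore `elif callable(body_component):` and drop the added `import collections` if nothing else uses it. `html_document` continues past the hunk.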
diff --git policycoreutils-2.5/gui/loginsPage.py policycoreutils-2.5/gui/loginsPage.py
index 982e252..fbc26e0 100644
--- policycoreutils-2.5/gui/loginsPage.py
+++ policycoreutils-2.5/gui/loginsPage.py
@@ -16,13 +16,10 @@
## Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
## Author: Dan Walsh
-import string
import gtk
import gtk.glade
-import os
import gobject
-import sys
-import commands
+import subprocess
import seobject
from semanagePage import *
@@ -39,8 +36,8 @@ try:
unicode=False,
codeset='utf-8')
except IOError:
- import __builtin__
- __builtin__.__dict__['_'] = unicode
+ import builtins
+ builtins.__dict__['_'] = str
class loginsPage(semanagePage):
@@ -70,21 +67,21 @@ class loginsPage(semanagePage):
self.filter = filter
self.login = seobject.loginRecords()
dict = self.login.get_all(0)
- keys = dict.keys()
+ keys = list(dict.keys())
keys.sort()
self.store.clear()
for k in keys:
range = seobject.translate(dict[k][1])
if not (self.match(k, filter) or self.match(dict[k][0], filter) or self.match(range, filter)):
continue
- iter = self.store.append()
- self.store.set_value(iter, 0, k)
- self.store.set_value(iter, 1, dict[k][0])
- self.store.set_value(iter, 2, range)
- self.view.get_selection().select_path((0,))
+ it = self.store.append()
+ self.store.set_value(it, 0, k)
+ self.store.set_value(it, 1, dict[k][0])
+ self.store.set_value(it, 2, range)
+ self.view.get_selection().select_path ((0,))
def __dialogSetup(self):
- if self.firstTime == True:
+ if self.firstTime:
return
self.firstTime = True
liststore = gtk.ListStore(gobject.TYPE_STRING)
@@ -94,31 +91,31 @@ class loginsPage(semanagePage):
self.loginsSelinuxUserCombo.add_attribute(cell, 'text', 0)
selusers = seobject.seluserRecords().get_all(0)
- keys = selusers.keys()
+ keys = list(selusers.keys())
keys.sort()
for k in keys:
if k != "system_u":
self.loginsSelinuxUserCombo.append_text(k)
- iter = liststore.get_iter_first()
- while liststore.get_value(iter, 0) != "user_u":
- iter = liststore.iter_next(iter)
- self.loginsSelinuxUserCombo.set_active_iter(iter)
+ it = liststore.get_iter_first()
+ while liststore.get_value(it,0) != "user_u":
+ it = liststore.iter_next(it)
+ self.loginsSelinuxUserCombo.set_active_iter(it)
def dialogInit(self):
self.__dialogSetup()
- store, iter = self.view.get_selection().get_selected()
- self.loginsNameEntry.set_text(store.get_value(iter, 0))
+ store, it = self.view.get_selection().get_selected()
+ self.loginsNameEntry.set_text(store.get_value(it, 0))
self.loginsNameEntry.set_sensitive(False)
- self.loginsMLSEntry.set_text(store.get_value(iter, 2))
- seuser = store.get_value(iter, 1)
+ self.loginsMLSEntry.set_text(store.get_value(it, 2))
+ seuser = store.get_value(it, 1)
liststore = self.loginsSelinuxUserCombo.get_model()
- iter = liststore.get_iter_first()
- while iter != None and liststore.get_value(iter, 0) != seuser:
- iter = liststore.iter_next(iter)
- if iter != None:
- self.loginsSelinuxUserCombo.set_active_iter(iter)
+ it = liststore.get_iter_first()
+ while it != None and liststore.get_value(it,0) != seuser:
+ it = liststore.iter_next(it)
+ if it != None:
+ self.loginsSelinuxUserCombo.set_active_iter(it)
def dialogClear(self):
self.__dialogSetup()
@@ -127,59 +124,69 @@ class loginsPage(semanagePage):
self.loginsMLSEntry.set_text("s0")
def delete(self):
- store, iter = self.view.get_selection().get_selected()
+ store, it = self.view.get_selection().get_selected()
try:
- login = store.get_value(iter, 0)
+ login=store.get_value(it, 0)
if login == "root" or login == "__default__":
raise ValueError(_("Login '%s' is required") % login)
self.wait()
- (rc, out) = commands.getstatusoutput("semanage login -d %s" % login)
- self.ready()
- if rc != 0:
- self.error(out)
+ try:
+ subprocess.check_output("semanage login -d %s" % login,
+ stderr=subprocess.STDOUT,
+ shell=True)
+ self.ready()
+ store.remove(it)
+ self.view.get_selection().select_path ((0,))
+ except subprocess.CalledProcessError as e:
+ self.ready()
+ self.error(e.output)
return False
- store.remove(iter)
- self.view.get_selection().select_path((0,))
- except ValueError, e:
+ except ValueError as e:
self.error(e.args[0])
def add(self):
target = self.loginsNameEntry.get_text().strip()
serange = self.loginsMLSEntry.get_text().strip()
if serange == "":
- serange = "s0"
- list_model = self.loginsSelinuxUserCombo.get_model()
- iter = self.loginsSelinuxUserCombo.get_active_iter()
- seuser = list_model.get_value(iter, 0)
+ serange="s0"
+ list_model=self.loginsSelinuxUserCombo.get_model()
+ it = self.loginsSelinuxUserCombo.get_active_iter()
+ seuser = list_model.get_value(it,0)
self.wait()
- (rc, out) = commands.getstatusoutput("semanage login -a -s %s -r %s %s" % (seuser, serange, target))
- self.ready()
- if rc != 0:
- self.error(out)
+ try:
+ subprocess.check_output("semanage login -a -s %s -r %s %s" % (seuser, serange, target),
+ stderr=subprocess.STDOUT,
+ shell=True)
+ self.ready()
+ it = self.store.append()
+ self.store.set_value(it, 0, target)
+ self.store.set_value(it, 1, seuser)
+ self.store.set_value(it, 2, seobject.translate(serange))
+ except subprocess.CalledProcessError as e:
+ self.error(e.output)
+ self.ready()
return False
- iter = self.store.append()
- self.store.set_value(iter, 0, target)
- self.store.set_value(iter, 1, seuser)
- self.store.set_value(iter, 2, seobject.translate(serange))
-
def modify(self):
target = self.loginsNameEntry.get_text().strip()
serange = self.loginsMLSEntry.get_text().strip()
if serange == "":
serange = "s0"
list_model = self.loginsSelinuxUserCombo.get_model()
- iter = self.loginsSelinuxUserCombo.get_active_iter()
- seuser = list_model.get_value(iter, 0)
+ it = self.loginsSelinuxUserCombo.get_active_iter()
+ seuser=list_model.get_value(it,0)
self.wait()
- (rc, out) = commands.getstatusoutput("semanage login -m -s %s -r %s %s" % (seuser, serange, target))
- self.ready()
- if rc != 0:
- self.error(out)
+ try:
+ subprocess.check_output("semanage login -m -s %s -r %s %s" % (seuser, serange, target),
+ stderr=subprocess.STDOUT,
+ shell=True)
+ self.ready()
+ store, it = self.view.get_selection().get_selected()
+ self.store.set_value(it, 0, target)
+ self.store.set_value(it, 1, seuser)
+ self.store.set_value(it, 2, seobject.translate(serange))
+ except subprocess.CalledProcessError as e:
+ self.error(e.output)
+ self.ready()
return False
-
- store, iter = self.view.get_selection().get_selected()
- self.store.set_value(iter, 0, target)
- self.store.set_value(iter, 1, seuser)
- self.store.set_value(iter, 2, seobject.translate(serange))
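Review bot: `add()` and `modify()` still interpolate `target` and `serange`, taken straight from GTK text entries, into a shell command string and run it with `shell=True`, so a value containing `;`, `$(...)` or whitespace is interpreted by the shell with whatever privileges this tool has (it edits SELinux policy, so normally root); `delete()` does the same with the login name. Since the calls are being rewritten to `subprocess` anyway, pass an argv list and drop `shell=True`: `subprocess.check_output(["semanage", "login", "-a", "-s", seuser, "-r", serange, target], stderr=subprocess.STDOUT)`, and likewise for `-m` and `-d`. Note also that `add()` and `modify()` still fall off the end returning `None` on success, while the new `semanagePage.addDialog`/`modifyDialog` in this patch test `if not self.add():`, so a successful add keeps the dialog open; add `return True` after the store update in both. Under Python 3 `e.output` is bytes, so the error dialog would show a `b'...'` repr unless it is decoded first.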
diff --git policycoreutils-2.5/gui/modulesPage.py policycoreutils-2.5/gui/modulesPage.py
index 3b83e45..3feb2ba 100644
--- policycoreutils-2.5/gui/modulesPage.py
+++ policycoreutils-2.5/gui/modulesPage.py
@@ -20,7 +20,7 @@ import string
import gtk
import gtk.glade
import os
-import commands
+import subprocess
import gobject
import sys
import seobject
@@ -41,8 +41,8 @@ try:
unicode=False,
codeset='utf-8')
except IOError:
- import __builtin__
- __builtin__.__dict__['_'] = unicode
+ import builtins
+ builtins.__dict__['_'] = str
class modulesPage(semanagePage):
@@ -87,8 +87,8 @@ class modulesPage(semanagePage):
except:
return 0
- def load(self, filter=""):
- self.filter = filter
+ def load(self, filt=""):
+ self.filter=filt
self.store.clear()
try:
fd = Popen("semodule -l", shell=True, stdout=PIPE).stdout
@@ -96,11 +96,11 @@ class modulesPage(semanagePage):
fd.close()
for i in l:
module, ver, newline = i.split('\t')
- if not (self.match(module, filter) or self.match(ver, filter)):
+ if not (self.match(module, filt) or self.match(ver, filt)):
continue
- iter = self.store.append()
- self.store.set_value(iter, 0, module.strip())
- self.store.set_value(iter, 1, ver.strip())
+ it = self.store.append()
+ self.store.set_value(it, 0, module.strip())
+ self.store.set_value(it, 1, ver.strip())
except:
pass
self.view.get_selection().select_path((0,))
@@ -108,53 +108,51 @@ class modulesPage(semanagePage):
def new_module(self, args):
try:
Popen(["/usr/share/system-config-selinux/polgengui.py"])
- except ValueError, e:
+ except ValueError as e:
self.error(e.args[0])
def delete(self):
- store, iter = self.view.get_selection().get_selected()
- module = store.get_value(iter, 0)
+ store, it = self.view.get_selection().get_selected()
+ module = store.get_value(it, 0)
+ self.wait()
try:
- self.wait()
- status, output = commands.getstatusoutput("semodule -r %s" % module)
- self.ready()
- if status != 0:
- self.error(output)
- else:
- store.remove(iter)
- self.view.get_selection().select_path((0,))
-
- except ValueError, e:
- self.error(e.args[0])
+ subprocess.check_output("semodule -r %s" % module,
+ stderr=subprocess.STDOUT,
+ shell=True)
+ store.remove(it)
+ self.view.get_selection().select_path ((0,))
+ except subprocess.CalledProcessError as e:
+ self.error(e.output)
+ self.ready()
def enable_audit(self, button):
self.audit_enabled = not self.audit_enabled
+ if self.audit_enabled:
+ cmd = "semodule -DB"
+ label = _("Disable Audit")
+ else:
+ cmd = "semodule -B"
+ label = _("Enable Audit")
+ self.wait()
try:
- self.wait()
- if self.audit_enabled:
- status, output = commands.getstatusoutput("semodule -DB")
- button.set_label(_("Disable Audit"))
- else:
- status, output = commands.getstatusoutput("semodule -B")
- button.set_label(_("Enable Audit"))
- self.ready()
-
- if status != 0:
- self.error(output)
-
- except ValueError, e:
- self.error(e.args[0])
+ subprocess.check_output(cmd,
+ stderr=subprocess.STDOUT,
+ shell=True)
+ button.set_label(label)
+ except subprocess.CalledProcessError as e:
+ self.error(e.output)
+ self.ready()
def disable_audit(self, button):
+ self.wait()
+ cmd = "semodule -B"
try:
- self.wait()
- status, output = commands.getstatusoutput("semodule -B")
- self.ready()
- if status != 0:
- self.error(output)
-
- except ValueError, e:
- self.error(e.args[0])
+ subprocess.check_output(cmd,
+ stderr=subprocess.STDOUT,
+ shell=True)
+ except subprocess.CalledProcessError as e:
+ self.error(e.output)
+ self.ready()
def propertiesDialog(self):
# Do nothing
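Review bot: `enable_audit()` now flips `self.audit_enabled` before the command runs but only updates the button label on success, so when `semodule -DB` fails the flag and the label disagree and the next click runs the opposite command; move the toggle after `check_output` returns, or undo it in the `except` branch with `self.audit_enabled = not self.audit_enabled`. `delete()` also keeps `"semodule -r %s" % module` with `shell=True`; an argv list, `subprocess.check_output(["semodule", "-r", module], stderr=subprocess.STDOUT)`, avoids the shell entirely. In all three methods `e.output` is bytes under Python 3 and would reach the error dialog as a `b'...'` repr.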
@@ -168,10 +166,10 @@ class modulesPage(semanagePage):
gtk.STOCK_OPEN, gtk.RESPONSE_OK))
dialog.set_default_response(gtk.RESPONSE_OK)
- filter = gtk.FileFilter()
- filter.set_name("Policy Files")
- filter.add_pattern("*.pp")
- dialog.add_filter(filter)
+ filt = gtk.FileFilter()
+ filt.set_name("Policy Files")
+ filt.add_pattern("*.pp")
+ dialog.add_filter(filt)
response = dialog.run()
if response == gtk.RESPONSE_OK:
@@ -179,14 +177,14 @@ class modulesPage(semanagePage):
dialog.destroy()
def add(self, file):
+ self.wait()
+ cmd = "semodule -i %s" % file
try:
- self.wait()
- status, output = commands.getstatusoutput("semodule -i %s" % file)
- self.ready()
- if status != 0:
- self.error(output)
- else:
- self.load()
-
- except ValueError, e:
- self.error(e.args[0])
+ subprocess.check_output(cmd,
+ stderr=subprocess.STDOUT,
+ shell=True)
+ self.load()
+ except subprocess.CalledProcessError as e:
+ self.error(e.output)
+ self.ready()
+
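Review bot: `add()` builds `"semodule -i %s" % file` and runs it with `shell=True`, but `file` is a path chosen in a GTK file chooser, so a path containing spaces, quotes or `$` either breaks the command or is expanded by the shell. Use an argv list instead: `subprocess.check_output(["semodule", "-i", file], stderr=subprocess.STDOUT)`. The added blank line at the end of the file is stray whitespace.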
diff --git policycoreutils-2.5/gui/polgen.glade policycoreutils-2.5/gui/polgen.glade
index 37c1472..a712c57 100644
--- policycoreutils-2.5/gui/polgen.glade
+++ policycoreutils-2.5/gui/polgen.glade
@@ -758,7 +758,7 @@
<property name="can_focus">True</property>
<property name="receives_default">False</property>
<property name="use_underline">True</property>
- <signal name="clicked" handler="on_exec_select_clicked" swapped="no"/>
+ <signal name="clicked" handler="on_exec_select_clicked"/>
</widget>
<packing>
<property name="left_attach">2</property>
@@ -840,7 +840,7 @@
<property name="can_focus">True</property>
<property name="receives_default">False</property>
<property name="use_underline">True</property>
- <signal name="clicked" handler="on_init_script_select_clicked" swapped="no"/>
+ <signal name="clicked" handler="on_init_script_select_clicked" />
</widget>
<packing>
<property name="left_attach">2</property>
@@ -1983,7 +1983,7 @@ Tab</property>
<property name="visible">True</property>
<property name="can_focus">True</property>
<property name="receives_default">False</property>
- <signal name="clicked" handler="on_add_clicked" swapped="no"/>
+ <signal name="clicked" handler="on_add_clicked" />
<child>
<widget class="GtkAlignment" id="alignment6">
<property name="visible">True</property>
@@ -2011,7 +2011,7 @@ Tab</property>
<widget class="GtkLabel" id="label17">
<property name="visible">True</property>
<property name="can_focus">False</property>
- <property name="label">Add File</property>
+ <property name="label" translatable="yes">Add File</property>
<property name="use_underline">True</property>
</widget>
<packing>
@@ -2036,7 +2036,7 @@ Tab</property>
<property name="visible">True</property>
<property name="can_focus">True</property>
<property name="receives_default">False</property>
- <signal name="clicked" handler="on_add_dir_clicked" swapped="no"/>
+ <signal name="clicked" handler="on_add_dir_clicked" />
<child>
<widget class="GtkAlignment" id="alignment5">
<property name="visible">True</property>
@@ -2064,7 +2064,7 @@ Tab</property>
<widget class="GtkLabel" id="label16">
<property name="visible">True</property>
<property name="can_focus">False</property>
- <property name="label">Add Directory</property>
+ <property name="label" translatable="yes">Add Directory</property>
<property name="use_underline">True</property>
</widget>
<packing>
@@ -2091,7 +2091,7 @@ Tab</property>
<property name="can_focus">True</property>
<property name="receives_default">False</property>
<property name="use_stock">True</property>
- <signal name="clicked" handler="on_delete_clicked" swapped="no"/>
+ <signal name="clicked" handler="on_delete_clicked" />
<accelerator key="Delete" signal="clicked"/>
</widget>
<packing>
@@ -2188,7 +2188,7 @@ Tab</property>
<property name="visible">True</property>
<property name="can_focus">True</property>
<property name="receives_default">False</property>
- <signal name="clicked" handler="on_add_boolean_clicked" swapped="no"/>
+ <signal name="clicked" handler="on_add_boolean_clicked" />
<child>
<widget class="GtkAlignment" id="alignment1">
<property name="visible">True</property>
@@ -2216,7 +2216,7 @@ Tab</property>
<widget class="GtkLabel" id="label3">
<property name="visible">True</property>
<property name="can_focus">False</property>
- <property name="label">Add Boolean</property>
+ <property name="label" translatable="yes">Add Boolean</property>
<property name="use_underline">True</property>
</widget>
<packing>
@@ -2243,7 +2243,7 @@ Tab</property>
<property name="can_focus">True</property>
<property name="receives_default">False</property>
<property name="use_stock">True</property>
- <signal name="clicked" handler="on_delete_boolean_clicked" swapped="no"/>
+ <signal name="clicked" handler="on_delete_boolean_clicked" />
<accelerator key="Delete" signal="clicked"/>
</widget>
<packing>
@@ -2414,7 +2414,7 @@ Tab</property>
<property name="can_default">True</property>
<property name="receives_default">False</property>
<property name="use_stock">True</property>
- <signal name="activate" handler="on_cancel_activate" swapped="no"/>
+ <signal name="activate" handler="on_cancel_activate" />
</widget>
<packing>
<property name="expand">False</property>
@@ -2430,7 +2430,7 @@ Tab</property>
<property name="can_default">True</property>
<property name="receives_default">False</property>
<property name="use_stock">True</property>
- <signal name="activate" handler="on_back_activate" swapped="no"/>
+ <signal name="activate" handler="on_back_activate" />
</widget>
<packing>
<property name="expand">False</property>
@@ -2446,7 +2446,7 @@ Tab</property>
<property name="can_default">True</property>
<property name="receives_default">False</property>
<property name="use_stock">True</property>
- <signal name="activate" handler="on_forward_activate" swapped="no"/>
+ <signal name="activate" handler="on_forward_activate" />
</widget>
<packing>
<property name="expand">False</property>
diff --git policycoreutils-2.5/gui/polgengui.py policycoreutils-2.5/gui/polgengui.py
index 0a153c6..f6511db 100644
--- policycoreutils-2.5/gui/polgengui.py
+++ policycoreutils-2.5/gui/polgengui.py
@@ -30,30 +30,15 @@ import gnome
import sys
try:
from sepolicy import generate
-except ValueError, e:
+except ValueError as e:
sys.stderr.write("%s: %s\n" % (e.__class__.__name__, str(e)))
sys.exit(1)
-
+
import sepolicy.interface
-import commands
+import subprocess
import re
-
-def get_all_modules():
- try:
- all_modules = []
- rc, output = commands.getstatusoutput("semodule -l 2>/dev/null")
- if rc == 0:
- l = output.split("\n")
- for i in l:
- all_modules.append(i.split()[0])
- except:
- pass
-
- return all_modules
-
-
##
## I18N
##
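Review bot: `import subprocess` replaces `import commands`, but the only consumer of `commands` visible here, `get_all_modules()`, is deleted in the same hunk, so unless `subprocess` is used further down the file (not visible) the import is now dead and should go too. The replacement call `sepolicy.get_all_modules()` lower in the patch relies on `import sepolicy.interface` binding the `sepolicy` name, which it does; an explicit `import sepolicy` would make that dependency obvious.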
@@ -68,8 +53,8 @@ try:
unicode=False,
codeset='utf-8')
except IOError:
- import __builtin__
- __builtin__.__dict__['_'] = unicode
+ import builtins
+ builtins.__dict__['_'] = str
gnome.program_init("SELinux Policy Generation Tool", "5")
@@ -195,10 +180,10 @@ class childWindow:
try:
self.all_types = generate.get_all_types()
- self.all_modules = get_all_modules()
+ self.all_modules = sepolicy.get_all_modules()
self.all_roles = generate.get_all_roles()
self.all_users = generate.get_all_users()
- except RuntimeError, e:
+ except RuntimeError as e:
self.all_types = []
self.all_modules = []
self.all_roles = []
@@ -265,8 +250,8 @@ class childWindow:
self.out_udp_entry = self.xml.get_widget("out_udp_entry")
self.network_buttons[self.out_udp_all_checkbutton] = [self.out_udp_entry]
- for b in self.network_buttons.keys():
- b.connect("clicked", self.network_all_clicked)
+ for b in list(self.network_buttons.keys()):
+ b.connect("clicked",self.network_all_clicked)
self.boolean_treeview = self.xml.get_widget("boolean_treeview")
self.boolean_store = gtk.ListStore(gobject.TYPE_STRING, gobject.TYPE_STRING)
@@ -336,7 +321,7 @@ class childWindow:
for a in sepolicy.interface.get_admin():
iter = self.admin_store.append()
self.admin_store.set_value(iter, 0, a)
- except ValueError, e:
+ except ValueError as e:
self.error(e.message)
def confine_application(self):
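Review bot: `self.error(e.message)` survives the `except ValueError as e:` rewrite, but `BaseException.message` no longer exists in Python 3, so on that interpreter the handler itself raises AttributeError instead of showing the dialog; use `self.error(str(e))` (or `e.args[0]`, as loginsPage does in this patch). The same `e.message` idiom is left in the other `except` hunks of this file and in system-config-selinux.py. The enclosing method starts outside the hunk.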
@@ -522,7 +507,7 @@ class childWindow:
self.info(my_policy.generate(outputdir))
return False
- except ValueError, e:
+ except ValueError as e:
self.error(e.message)
def delete(self, args):
@@ -671,7 +656,7 @@ class childWindow:
entry.set_text("")
return False
if name in self.all_modules:
- if self.verify(_("Module %s.pp already loaded in current policy.\nDo you want to continue?") % name, _("Verify Name")) == gtk.RESPONSE_NO:
+ if self.verify(_("Module %s already loaded in current policy.\nDo you want to continue?") % name, _("Verify Name")) == gtk.RESPONSE_NO:
entry.set_text("")
return False
@@ -690,7 +675,7 @@ class childWindow:
try:
generate.verify_ports(self.in_tcp_entry.get_text())
generate.verify_ports(self.in_udp_entry.get_text())
- except ValueError, e:
+ except ValueError as e:
self.error(e.message)
return True
@@ -698,7 +683,7 @@ class childWindow:
try:
generate.verify_ports(self.out_tcp_entry.get_text())
generate.verify_ports(self.out_udp_entry.get_text())
- except ValueError, e:
+ except ValueError as e:
self.error(e.message)
return True
@@ -737,12 +722,12 @@ class childWindow:
policy.set_program(exe)
policy.gen_writeable()
policy.gen_symbols()
- for f in policy.files.keys():
+ for f in list(policy.files.keys()):
iter = self.store.append()
self.store.set_value(iter, 0, f)
self.store.set_value(iter, 1, FILE)
- for f in policy.dirs.keys():
+ for f in list(policy.dirs.keys()):
iter = self.store.append()
self.store.set_value(iter, 0, f)
self.store.set_value(iter, 1, DIR)
diff --git policycoreutils-2.5/gui/portsPage.py policycoreutils-2.5/gui/portsPage.py
index 8e74ac0..e8737b0 100644
--- policycoreutils-2.5/gui/portsPage.py
+++ policycoreutils-2.5/gui/portsPage.py
@@ -16,14 +16,11 @@
## Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
## Author: Dan Walsh
-import string
import gtk
import gtk.glade
-import os
import gobject
-import sys
import seobject
-import commands
+import subprocess
from semanagePage import *
##
@@ -43,8 +40,8 @@ try:
unicode=False,
codeset='utf-8')
except IOError:
- import __builtin__
- __builtin__.__dict__['_'] = unicode
+ import builtins
+ builtins.__dict__['_'] = str
class portsPage(semanagePage):
@@ -64,19 +61,19 @@ class portsPage(semanagePage):
self.ports_properties_button = xml.get_widget("portsPropertiesButton")
self.ports_delete_button = xml.get_widget("portsDeleteButton")
liststore = self.ports_protocol_combo.get_model()
- iter = liststore.get_iter_first()
- self.ports_protocol_combo.set_active_iter(iter)
+ it = liststore.get_iter_first()
+ self.ports_protocol_combo.set_active_iter(it)
self.init_store()
self.edit = True
self.load()
def filter_changed(self, *arg):
- filter = arg[0].get_text()
- if filter != self.filter:
+ filt = arg[0].get_text()
+ if filt != self.filter:
if self.edit:
- self.load(filter)
+ self.load(filt)
else:
- self.group_load(filter)
+ self.group_load(filt)
def init_store(self):
self.store = gtk.ListStore(gobject.TYPE_STRING, gobject.TYPE_STRING, gobject.TYPE_STRING, gobject.TYPE_STRING)
@@ -118,63 +115,63 @@ class portsPage(semanagePage):
except:
return 0
- def load(self, filter=""):
- self.filter = filter
+ def load(self,filt = ""):
+ self.filter=filt
self.port = seobject.portRecords()
- dict = self.port.get_all(self.local)
- keys = dict.keys()
+ pdict = self.port.get_all(self.local)
+ keys = list(pdict.keys())
keys.sort()
self.store.clear()
for k in keys:
- if not (self.match(str(k[0]), filter) or self.match(dict[k][0], filter) or self.match(k[2], filter) or self.match(dict[k][1], filter) or self.match(dict[k][1], filter)):
+ if not (self.match(str(k[0]), filt) or self.match(pdict[k][0], filt) or self.match(k[2], filt) or self.match(pdict[k][1], filt) or self.match(pdict[k][1], filt)):
continue
- iter = self.store.append()
+ it = self.store.append()
if k[0] == k[1]:
- self.store.set_value(iter, PORT_COL, k[0])
+ self.store.set_value(it, PORT_COL, k[0])
else:
rec = "%s-%s" % k[:2]
- self.store.set_value(iter, PORT_COL, rec)
- self.store.set_value(iter, TYPE_COL, dict[k][0])
- self.store.set_value(iter, PROTOCOL_COL, k[2])
- self.store.set_value(iter, MLS_COL, dict[k][1])
- self.view.get_selection().select_path((0,))
+ self.store.set_value(it, PORT_COL, rec)
+ self.store.set_value(it, TYPE_COL, pdict[k][0])
+ self.store.set_value(it, PROTOCOL_COL, k[2])
+ self.store.set_value(it, MLS_COL, pdict[k][1])
+ self.view.get_selection().select_path ((0,))
- def group_load(self, filter=""):
- self.filter = filter
+ def group_load(self, filt = ""):
+ self.filter=filt
self.port = seobject.portRecords()
- dict = self.port.get_all_by_type(self.local)
- keys = dict.keys()
+ pdict = self.port.get_all_by_type(self.local)
+ keys = list(pdict.keys())
keys.sort()
self.store.clear()
for k in keys:
- ports_string = ", ".join(dict[k])
- if not (self.match(ports_string, filter) or self.match(k[0], filter) or self.match(k[1], filter)):
+ ports_string = ", ".join(pdict[k])
+ if not (self.match(ports_string, filt) or self.match(k[0], filt) or self.match(k[1], filt) ):
continue
- iter = self.store.append()
- self.store.set_value(iter, TYPE_COL, k[0])
- self.store.set_value(iter, PROTOCOL_COL, k[1])
- self.store.set_value(iter, PORT_COL, ports_string)
- self.store.set_value(iter, MLS_COL, "")
- self.view.get_selection().select_path((0,))
+ it = self.store.append()
+ self.store.set_value(it, TYPE_COL, k[0])
+ self.store.set_value(it, PROTOCOL_COL, k[1])
+ self.store.set_value(it, PORT_COL, ports_string)
+ self.store.set_value(it, MLS_COL, "")
+ self.view.get_selection().select_path ((0,))
def propertiesDialog(self):
if self.edit:
semanagePage.propertiesDialog(self)
def dialogInit(self):
- store, iter = self.view.get_selection().get_selected()
- self.ports_number_entry.set_text(store.get_value(iter, PORT_COL))
+ store, it = self.view.get_selection().get_selected()
+ self.ports_number_entry.set_text(store.get_value(it, PORT_COL))
self.ports_number_entry.set_sensitive(False)
self.ports_protocol_combo.set_sensitive(False)
- self.ports_name_entry.set_text(store.get_value(iter, TYPE_COL))
- self.ports_mls_entry.set_text(store.get_value(iter, MLS_COL))
- protocol = store.get_value(iter, PROTOCOL_COL)
+ self.ports_name_entry.set_text(store.get_value(it, TYPE_COL))
+ self.ports_mls_entry.set_text(store.get_value(it, MLS_COL))
+ protocol = store.get_value(it, PROTOCOL_COL)
liststore = self.ports_protocol_combo.get_model()
- iter = liststore.get_iter_first()
- while iter != None and liststore.get_value(iter, 0) != protocol:
- iter = liststore.iter_next(iter)
- if iter != None:
- self.ports_protocol_combo.set_active_iter(iter)
+ it = liststore.get_iter_first()
+ while it != None and liststore.get_value(it,0) != protocol:
+ it = liststore.iter_next(it)
+ if it != None:
+ self.ports_protocol_combo.set_active_iter(it)
def dialogClear(self):
self.ports_number_entry.set_text("")
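Review bot: The filter condition in `load()` tests `self.match(pdict[k][1], filt)` twice; the duplicate was carried over from the old line and is dead, so drop one (or, if another column was intended, test that one). On style, `liststore.get_value(it,0)` and `self.view.get_selection().select_path ((0,))` break the spacing used by the surrounding code, and `while it != None` should be `while it is not None`.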
@@ -184,19 +181,20 @@ class portsPage(semanagePage):
self.ports_mls_entry.set_text("s0")
def delete(self):
- store, iter = self.view.get_selection().get_selected()
- port = store.get_value(iter, PORT_COL)
- protocol = store.get_value(iter, 1)
+ store, it = self.view.get_selection().get_selected()
+ port = store.get_value(it, PORT_COL)
+ protocol = store.get_value(it, 1)
+ self.wait()
+ cmd = "semanage port -d -p %s %s" % (protocol, port)
try:
- self.wait()
- (rc, out) = commands.getstatusoutput("semanage port -d -p %s %s" % (protocol, port))
- self.ready()
- if rc != 0:
- return self.error(out)
- store.remove(iter)
- self.view.get_selection().select_path((0,))
- except ValueError, e:
- self.error(e.args[0])
+ subprocess.check_output(cmd,
+ stderr=subprocess.STDOUT,
+ shell=True)
+ store.remove(it)
+ self.view.get_selection().select_path ((0,))
+ except subprocess.CalledProcessError as e:
+ self.error(e.output)
+ self.ready()
def add(self):
target = self.ports_name_entry.get_text().strip()
@@ -209,39 +207,47 @@ class portsPage(semanagePage):
self.error(_("Port number \"%s\" is not valid. 0 < PORT_NUMBER < 65536 ") % port_number)
return False
list_model = self.ports_protocol_combo.get_model()
- iter = self.ports_protocol_combo.get_active_iter()
- protocol = list_model.get_value(iter, 0)
+ it = self.ports_protocol_combo.get_active_iter()
+ protocol = list_model.get_value(it,0)
self.wait()
- (rc, out) = commands.getstatusoutput("semanage port -a -p %s -r %s -t %s %s" % (protocol, mls, target, port_number))
+ cmd = "semanage port -a -p %s -r %s -t %s %s" % (protocol, mls, target, port_number)
+ try:
+ subprocess.check_output(cmd,
+ stderr=subprocess.STDOUT,
+ shell=True)
+ it = self.store.append()
+ self.store.set_value(it, TYPE_COL, target)
+ self.store.set_value(it, PORT_COL, port_number)
+ self.store.set_value(it, PROTOCOL_COL, protocol)
+ self.store.set_value(it, MLS_COL, mls)
+ except subprocess.CalledProcessError as e:
+ self.error(e.output)
self.ready()
- if rc != 0:
- self.error(out)
- return False
- iter = self.store.append()
-
- self.store.set_value(iter, TYPE_COL, target)
- self.store.set_value(iter, PORT_COL, port_number)
- self.store.set_value(iter, PROTOCOL_COL, protocol)
- self.store.set_value(iter, MLS_COL, mls)
def modify(self):
target = self.ports_name_entry.get_text().strip()
mls = self.ports_mls_entry.get_text().strip()
port_number = self.ports_number_entry.get_text().strip()
list_model = self.ports_protocol_combo.get_model()
- iter = self.ports_protocol_combo.get_active_iter()
- protocol = list_model.get_value(iter, 0)
+ it = self.ports_protocol_combo.get_active_iter()
+ protocol = list_model.get_value(it,0)
self.wait()
- (rc, out) = commands.getstatusoutput("semanage port -m -p %s -r %s -t %s %s" % (protocol, mls, target, port_number))
- self.ready()
- if rc != 0:
- self.error(out)
+ cmd = "semanage port -m -p %s -r %s -t %s %s" % (protocol, mls, target, port_number)
+ try:
+ subprocess.check_output(cmd,
+ stderr=subprocess.STDOUT,
+ shell=True)
+ store, it = self.view.get_selection().get_selected()
+ self.store.set_value(it, TYPE_COL, target)
+ self.store.set_value(it, PORT_COL, port_number)
+ self.store.set_value(it, PROTOCOL_COL, protocol)
+ self.store.set_value(it, MLS_COL, mls)
+ self.ready()
+ return True
+ except subprocess.CalledProcessError as e:
+ self.error(e.output)
+ self.ready()
return False
- store, iter = self.view.get_selection().get_selected()
- self.store.set_value(iter, TYPE_COL, target)
- self.store.set_value(iter, PORT_COL, port_number)
- self.store.set_value(iter, PROTOCOL_COL, protocol)
- self.store.set_value(iter, MLS_COL, mls)
def on_group_clicked(self, button):
self.ports_add_button.set_sensitive(self.group)
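Review bot: `add()` and `modify()` still splice `target` and `mls`, read from GTK text entries, into a `shell=True` command string; only `port_number` is validated above the hunk, so a type or MLS field containing `;` or `$(...)` is executed by the shell. Pass an argv list and drop `shell=True`: `subprocess.check_output(["semanage", "port", "-a", "-p", protocol, "-r", mls, "-t", target, port_number], stderr=subprocess.STDOUT)` (and `-m` for modify). `modify()` was given `return True` on success but `add()` still returns `None`, which the new `semanagePage.addDialog` (`if not self.add(): continue`) treats as failure and re-shows the dialog; add `return True` after the store update.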
diff --git policycoreutils-2.5/gui/semanagePage.py policycoreutils-2.5/gui/semanagePage.py
index 5d7f2cf..1c5b095 100644
--- policycoreutils-2.5/gui/semanagePage.py
+++ policycoreutils-2.5/gui/semanagePage.py
@@ -37,8 +37,8 @@ try:
unicode=False,
codeset='utf-8')
except IOError:
- import __builtin__
- __builtin__.__dict__['_'] = unicode
+ import builtins
+ builtins.__dict__['_'] = str
def idle_func():
@@ -80,9 +80,9 @@ class semanagePage:
return
def filter_changed(self, *arg):
- filter = arg[0].get_text()
- if filter != self.filter:
- self.load(filter)
+ filt = arg[0].get_text()
+ if filt != self.filter:
+ self.load(filt)
def search(self, model, col, key, i):
sort_col = self.store.get_sort_column_id()[0]
@@ -125,13 +125,37 @@ class semanagePage:
dlg.destroy()
def deleteDialog(self):
- store, iter = self.view.get_selection().get_selected()
- if self.verify(_("Are you sure you want to delete %s '%s'?" % (self.description, store.get_value(iter, 0))), _("Delete %s" % self.description)) == gtk.RESPONSE_YES:
+ store, it = self.view.get_selection().get_selected()
+ if self.verify(_("Are you sure you want to delete %s '%s'?" % (self.description, store.get_value(it, 0))), _("Delete %s" % self.description)) == gtk.RESPONSE_YES:
self.delete()
def use_menus(self):
return True
+ def load(self, filt):
+ raise RuntimeError("load method not implemented in parent class");
+
+ def filter(self):
+ raise RuntimeError("filter method not implemented in parent class");
+
+ def store(self):
+ raise RuntimeError("store method not implemented in parent class");
+
+ def add(self):
+ raise RuntimeError("add method not implemented");
+
+ def modify(self):
+ raise RuntimeError("modify method not implemented");
+
+ def delete(self):
+ raise RuntimeError("delete method not implemented");
+
+ def dialogInit(self):
+ raise RuntimeError("dialogInit method not implemented");
+
+ def dialogClear(self):
+ raise RuntimeError("dialogClear method not implemented");
+
def addDialog(self):
self.dialogClear()
self.dialog.set_title(_("Add %s" % self.description))
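Review bot: The new `filter()` and `store()` stubs share their names with instance attributes the subclasses assign (`self.filter = filt`, `self.store.clear()` in loginsPage and portsPage), so they are silently shadowed by the attribute and never act as the abstract interface they are meant to be; drop those two or give them distinct names. For the remaining stubs `raise NotImplementedError("...")` is the conventional signal for an abstract method, and the trailing `;` on every `raise` is stray.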
@@ -139,10 +163,10 @@ class semanagePage:
while self.dialog.run() == gtk.RESPONSE_OK:
try:
- if self.add() == False:
+ if not self.add():
continue
- break
- except ValueError, e:
+ break;
+ except ValueError as e:
self.error(e.args[0])
self.dialog.hide()
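Review bot: `if not self.add():` changes what a `None` return means: the old `== False` test treated `None` — the implicit return of `loginsPage.add()` and `portsPage.add()` on success in this same patch — as success, but `not None` is true, so after a successful add the loop continues, the dialog is shown again, and a second OK re-runs `semanage ... -a` on a record that now exists. Either keep the original semantics here, `if self.add() is False:`, or make every `add()` implementation `return True` on success.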
@@ -152,10 +176,10 @@ class semanagePage:
self.dialog.set_position(gtk.WIN_POS_MOUSE)
while self.dialog.run() == gtk.RESPONSE_OK:
try:
- if self.modify() == False:
+ if not self.modify():
continue
- break
- except ValueError, e:
+ break;
+ except ValueError as e:
self.error(e.args[0])
self.dialog.hide()
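Review bot: `if not self.modify():` has the same trap as `addDialog`: `loginsPage.modify()` in this patch still falls off the end returning `None` on success (only `portsPage.modify()` was given an explicit `return True`), so a successful modify keeps the dialog open and a second OK re-runs `semanage ... -m`. Use `if self.modify() is False:` to preserve the old behaviour, or make all `modify()` implementations return `True`.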
diff --git policycoreutils-2.5/gui/statusPage.py policycoreutils-2.5/gui/statusPage.py
index 991d8f3..782d186 100644
--- policycoreutils-2.5/gui/statusPage.py
+++ policycoreutils-2.5/gui/statusPage.py
@@ -16,18 +16,14 @@
## Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
## Author: Dan Walsh
-import string
import gtk
import gtk.glade
import os
-import gobject
import sys
-import tempfile
INSTALLPATH = '/usr/share/system-config-selinux'
sys.path.append(INSTALLPATH)
-import commands
ENFORCING = 1
PERMISSIVE = 0
DISABLED = -1
@@ -47,8 +43,8 @@ import selinux
try:
gettext.install(PROGNAME, localedir="/usr/share/locale", unicode=1)
except IOError:
- import __builtin__
- __builtin__.__dict__['_'] = unicode
+ import builtins
+ builtins.__dict__['_'] = unicode
class statusPage:
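Review bot: `builtins.__dict__['_'] = unicode` is inconsistent with every other GUI module in this patch, which assigns `str`, and on Python 3 `unicode` is undefined so the fallback raises NameError; change it to `builtins.__dict__['_'] = str`. As elsewhere, `import builtins` does not exist on the Python 2 interpreter that PyGTK (`import gtk`) requires, so the fallback branch cannot currently succeed on either version.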
@@ -129,21 +125,21 @@ class statusPage:
return rc
def typemenu_changed(self, menu):
- type = self.get_type()
+ setype = self.get_type()
enabled = self.enabledOptionMenu.get_active()
- if self.initialtype != type:
+ if self.initialtype != setype:
if self.verify(_("Changing the policy type will cause a relabel of the entire file system on the next boot. Relabeling takes a long time depending on the size of the file system. Do you wish to continue?")) == gtk.RESPONSE_NO:
menu.set_active(self.typeHistory)
return None
self.relabel_checkbutton.set_active(True)
- self.write_selinux_config(modearray[enabled], type)
+ self.write_selinux_config(modearray[enabled], setype )
self.typeHistory = menu.get_active()
def enabled_changed(self, combo):
enabled = combo.get_active()
- type = self.get_type()
+ setype = self.get_type()
if self.initEnabled != DISABLED and enabled == DISABLED:
if self.verify(_("Changing to SELinux disabled requires a reboot. It is not recommended. If you later decide to turn SELinux back on, the system will be required to relabel. If you just want to see if SELinux is causing a problem on your system, you can go to permissive mode which will only log errors and not enforce SELinux policy. Permissive mode does not require a reboot Do you wish to continue?")) == gtk.RESPONSE_NO:
@@ -156,10 +152,10 @@ class statusPage:
return None
self.relabel_checkbutton.set_active(True)
- self.write_selinux_config(modearray[enabled], type)
+ self.write_selinux_config(modearray[enabled], setype )
self.enabled = enabled
- def write_selinux_config(self, enforcing, type):
+ def write_selinux_config(self, enforcing, setype):
path = selinux.selinux_path() + "config"
backup_path = path + ".bck"
fd = open(path)
@@ -171,7 +167,7 @@ class statusPage:
fd.write("SELINUX=%s\n" % enforcing)
continue
if l.startswith("SELINUXTYPE="):
- fd.write("SELINUXTYPE=%s\n" % type)
+ fd.write("SELINUXTYPE=%s\n" % setype)
continue
fd.write(l)
fd.close()
diff --git policycoreutils-2.5/gui/system-config-selinux.py policycoreutils-2.5/gui/system-config-selinux.py
index 7d342d0..563bb49 100644
--- policycoreutils-2.5/gui/system-config-selinux.py
+++ policycoreutils-2.5/gui/system-config-selinux.py
@@ -25,10 +25,10 @@ import string
import sys
try:
import gtk
-except RuntimeError, e:
- print "system-config-selinux:", e
- print "This is a graphical application and requires DISPLAY to be set."
- sys.exit(1)
+except RuntimeError as e:
+ print("system-config-selinux:", e)
+ print("This is a graphical application and requires DISPLAY to be set.")
+ sys.exit (1)
import gtk.glade
import os
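Review bot: `print("system-config-selinux:", e)` at L1919 only prints the message as intended when `from __future__ import print_function` is in effect; under Python 2, which this file still needs because it imports PyGTK (`import gtk` at L1913), it prints the tuple `('system-config-selinux:', e)`. The top of the file is outside this hunk, so please confirm the future import is present, or use a single-argument form such as `print("system-config-selinux: %s" % e)`. This is an error message and belongs on stderr (`sys.stderr.write(...)`), and `sys.exit (1)` at L1921 has a stray space before the parenthesis.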
@@ -57,8 +57,8 @@ try:
unicode=False,
codeset='utf-8')
except IOError:
- import __builtin__
- __builtin__.__dict__['_'] = unicode
+ import builtins
+ builtins.__dict__['_'] = str
gnome.program_init("SELinux Management Tool", "5")
@@ -94,9 +94,9 @@ class childWindow:
self.add_page(loginsPage.loginsPage(xml))
self.add_page(usersPage.usersPage(xml))
self.add_page(portsPage.portsPage(xml))
- self.add_page(modulesPage.modulesPage(xml)) # modules
- self.add_page(domainsPage.domainsPage(xml)) # domains
- except ValueError, e:
+ self.add_page(modulesPage.modulesPage(xml)) # modules
+ self.add_page(domainsPage.domainsPage(xml)) # domains
+ except ValueError as e:
self.error(e.message)
xml.signal_connect("on_quit_activate", self.destroy)
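Review bot: `self.error(e.message)` at L1943 breaks on Python 3, where `BaseException.message` no longer exists, so the handler raises AttributeError instead of showing the dialog; since this commit is moving the file towards Python 3 (`except ... as e`, `print()`), use `self.error(e.args[0])` as usersPage.py does at L2098, or `self.error(str(e))`.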
diff --git policycoreutils-2.5/gui/usersPage.py policycoreutils-2.5/gui/usersPage.py
index abf8d3b..f50fcb2 100644
--- policycoreutils-2.5/gui/usersPage.py
+++ policycoreutils-2.5/gui/usersPage.py
@@ -16,13 +16,10 @@
## Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
## Author: Dan Walsh
-import string
import gtk
import gtk.glade
-import os
import gobject
-import sys
-import commands
+import subprocess
import seobject
from semanagePage import *
@@ -36,8 +33,8 @@ gettext.textdomain(PROGNAME)
try:
gettext.install(PROGNAME, localedir="/usr/share/locale", unicode=1)
except IOError:
- import __builtin__
- __builtin__.__dict__['_'] = unicode
+ import builtins
+ builtins.__dict__['_'] = unicode
class usersPage(semanagePage):
@@ -67,34 +64,30 @@ class usersPage(semanagePage):
self.mlsRangeEntry = xml.get_widget("mlsRangeEntry")
self.selinuxRolesEntry = xml.get_widget("selinuxRolesEntry")
- def load(self, filter=""):
- self.filter = filter
+ def load(self, filt = ""):
+ self.filter=filt
self.user = seobject.seluserRecords()
- dict = self.user.get_all()
- keys = dict.keys()
+ udict = self.user.get_all()
+ keys = list(udict.keys())
keys.sort()
self.store.clear()
for k in keys:
- range = seobject.translate(dict[k][2])
- if not (self.match(k, filter) or self.match(dict[k][0], filter) or self.match(range, filter) or self.match(dict[k][3], filter)):
+ serange = seobject.translate(udict[k][2])
+ if not (self.match(k, filt) or self.match(udict[k][0], filter) or self.match(serange, filt) or self.match(udict[k][3], filt)):
continue
- iter = self.store.append()
- self.store.set_value(iter, 0, k)
- self.store.set_value(iter, 1, range)
- self.store.set_value(iter, 2, dict[k][3])
- self.view.get_selection().select_path((0,))
-
- def delete(self):
- if semanagePage.delete(self) == gtk.RESPONSE_NO:
- return None
+ it = self.store.append()
+ self.store.set_value(it, 0, k)
+ self.store.set_value(it, 1, serange)
+ self.store.set_value(it, 2, udict[k][3])
+ self.view.get_selection().select_path ((0,))
def dialogInit(self):
- store, iter = self.view.get_selection().get_selected()
- self.selinuxUserEntry.set_text(store.get_value(iter, 0))
+ store, it = self.view.get_selection().get_selected()
+ self.selinuxUserEntry.set_text(store.get_value(it, 0))
self.selinuxUserEntry.set_sensitive(False)
- self.mlsRangeEntry.set_text(store.get_value(iter, 1))
- self.selinuxRolesEntry.set_text(store.get_value(iter, 2))
+ self.mlsRangeEntry.set_text(store.get_value(it, 1))
+ self.selinuxRolesEntry.set_text(store.get_value(it, 2))
def dialogClear(self):
self.selinuxUserEntry.set_text("")
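Review bot: L1989 still passes `filter` as the second argument of `self.match(udict[k][0], filter)`; after the parameter was renamed to `filt` at L1976 that name is the Python builtin function, so the SELinux-user column is matched against a function object rather than the user's filter string. Change it to `self.match(udict[k][0], filt)`, as the other three `match` calls on the same line already do. The spacing at L1976-L1977 (`filt = ""`, `self.filter=filt`) also differs from the rest of the file; `load(self, filt="")` and `self.filter = filt` match the surrounding style.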
@@ -104,48 +97,62 @@ class usersPage(semanagePage):
def add(self):
user = self.selinuxUserEntry.get_text()
- range = self.mlsRangeEntry.get_text()
+ serange = self.mlsRangeEntry.get_text()
roles = self.selinuxRolesEntry.get_text()
self.wait()
- (rc, out) = commands.getstatusoutput("semanage user -a -R '%s' -r %s %s" % (roles, range, user))
- self.ready()
- if rc != 0:
- self.error(out)
+ try:
+ subprocess.check_output("semanage user -a -R '%s' -r %s %s" % (roles, serange, user),
+ stderr=subprocess.STDOUT,
+ shell=True)
+ self.ready()
+ it = self.store.append()
+ self.store.set_value(it, 0, user)
+ self.store.set_value(it, 1, serange)
+ self.store.set_value(it, 2, roles)
+ except subprocess.CalledProcessError as e:
+ self.error(e.output)
+ self.ready()
return False
- iter = self.store.append()
- self.store.set_value(iter, 0, user)
- self.store.set_value(iter, 1, range)
- self.store.set_value(iter, 2, roles)
def modify(self):
user = self.selinuxUserEntry.get_text()
- range = self.mlsRangeEntry.get_text()
+ serange = self.mlsRangeEntry.get_text()
roles = self.selinuxRolesEntry.get_text()
self.wait()
- (rc, out) = commands.getstatusoutput("semanage user -m -R '%s' -r %s %s" % (roles, range, user))
- self.ready()
-
- if rc != 0:
- self.error(out)
+ cmd = "semanage user -m -R '%s' -r %s %s" % (roles, serange, user)
+ try:
+ subprocess.check_output(cmd,
+ stderr=subprocess.STDOUT,
+ shell=True)
+ self.ready()
+ self.load(self.filter)
+ except subprocess.CalledProcessError as e:
+ self.error(e.output)
+ self.ready()
return False
- self.load(self.filter)
+ return True
def delete(self):
- store, iter = self.view.get_selection().get_selected()
+ store, it = self.view.get_selection().get_selected()
try:
- user = store.get_value(iter, 0)
+ user=store.get_value(it, 0)
if user == "root" or user == "user_u":
raise ValueError(_("SELinux user '%s' is required") % user)
self.wait()
- (rc, out) = commands.getstatusoutput("semanage user -d %s" % user)
- self.ready()
- if rc != 0:
- self.error(out)
+ cmd = "semanage user -d %s" % user
+ try:
+ subprocess.check_output(cmd,
+ stderr=subprocess.STDOUT,
+ shell=True)
+ self.ready()
+ store.remove(it)
+ self.view.get_selection().select_path ((0,))
+ except subprocess.CalledProcessError as e:
+ self.error(e.output)
+ self.ready()
return False
- store.remove(iter)
- self.view.get_selection().select_path((0,))
- except ValueError, e:
+ except ValueError as e:
self.error(e.args[0])
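Review bot: The three `subprocess.check_output(..., shell=True)` calls at L2029, L2058 and L2084 still build the command line with `%` from the dialog's text entries, so a user name, role list or MLS range containing shell metacharacters is interpreted by the shell rather than handed to semanage; since the commit is rewriting these calls anyway, pass an argument list and drop `shell=True`, e.g. `subprocess.check_output(["semanage", "user", "-a", "-R", roles, "-r", serange, user], stderr=subprocess.STDOUT)` in `add`, with the equivalent lists in `modify` and `delete`. Two smaller points in the same hunk: `add` returns `None` on success while `modify` now returns `True` (L2068), and on Python 3 `e.output` is bytes, so `self.error(e.output)` would display `b'...'` unless it is decoded first.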
diff --git policycoreutils-2.5/hll/pp/pp.c policycoreutils-2.5/hll/pp/pp.c
index 866734f..49ca05e 100644
--- policycoreutils-2.5/hll/pp/pp.c
+++ policycoreutils-2.5/hll/pp/pp.c
@@ -28,6 +28,7 @@
#include <sepol/module.h>
#include <sepol/module_to_cil.h>
+#include <sepol/policydb/module.h>
char *progname;
@@ -68,6 +69,8 @@ int main(int argc, char **argv)
{ NULL, 0, NULL, 0 }
};
struct sepol_module_package *mod_pkg = NULL;
+ char *ifile = NULL;
+ char *ofile = NULL;
FILE *in = NULL;
FILE *out = NULL;
int outfd = -1;
@@ -89,20 +92,23 @@ int main(int argc, char **argv)
}
if (argc >= optind + 1 && strcmp(argv[1], "-") != 0) {
- in = fopen(argv[1], "rb");
+ ifile = argv[1];
+ in = fopen(ifile, "rb");
if (in == NULL) {
- log_err("Failed to open %s: %s", argv[1], strerror(errno));
+ log_err("Failed to open %s: %s", ifile, strerror(errno));
rc = -1;
goto exit;
}
} else {
+ ifile = "stdin";
in = stdin;
}
if (argc >= optind + 2 && strcmp(argv[2], "-") != 0) {
- out = fopen(argv[2], "w");
+ ofile = argv[2];
+ out = fopen(ofile, "w");
if (out == NULL) {
- log_err("Failed to open %s: %s", argv[2], strerror(errno));
+ log_err("Failed to open %s: %s", ofile, strerror(errno));
rc = -1;
goto exit;
}
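Review bot: `ifile` is assigned the string literal `"stdin"` at L2130, so both `ifile` and `ofile` (declared at L2112-L2113 in the previous hunk) should be `const char *`; nothing in this hunk writes through them. The condition at L2119 and L2133 tests `argc >= optind + 1` but then reads `argv[1]`/`argv[2]` rather than `argv[optind]`/`argv[optind + 1]`; this predates the commit, but if any option is accepted without exiting, the positional files are read from the wrong slots, and the touched lines would be the place to fix it. `main` starts before this hunk.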
@@ -122,6 +128,25 @@ int main(int argc, char **argv)
fclose(in);
in = NULL;
+ if (ofile) {
+ char *mod_name = mod_pkg->policy->p.name;
+ char *cil_path = strdup(ofile);
+ if (cil_path == NULL) {
+ log_err("No memory available for strdup\n");
+ rc = -1;
+ goto exit;
+ }
+ char *cil_name = basename(cil_path);
+ char *separator = strrchr(cil_name, '.');
+ if (separator) {
+ *separator = '\0';
+ }
+ if (mod_name && strcmp(mod_name, cil_name) != 0) {
+ fprintf(stderr, "Warning: SELinux userspace will refer to the module from %s as %s rather than %s\n", ifile, cil_name, mod_name);
+ }
+ free(cil_path);
+ }
+
rc = sepol_module_package_to_cil(out, mod_pkg);
if (rc != 0) {
goto exit;
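Review bot: `basename()` at L2154 requires `<libgen.h>` (or the GNU `<string.h>` variant under `_GNU_SOURCE`), and the include hunk at L2103-L2107 adds only `<sepol/policydb/module.h>`; please confirm the header is already included further up, otherwise this is an implicit declaration. Working on the `strdup` copy is right because POSIX `basename` may modify its argument, but `log_err("No memory available for strdup\n")` at L2150 carries a trailing newline that the other `log_err` calls in this function (L2125, L2139) do not, so one of the two styles misformats the output. `mod_pkg->policy->p.name` at L2147 dereferences `mod_pkg->policy` without a check; I cannot tell from the hunk whether the package read earlier in `main` guarantees it is non-NULL. `main` starts before this hunk and continues past it.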
diff --git policycoreutils-2.5/po/Makefile policycoreutils-2.5/po/Makefile
index a693823..555f381 100644
--- policycoreutils-2.5/po/Makefile
+++ policycoreutils-2.5/po/Makefile
@@ -28,7 +28,7 @@ POTFILES = \
../run_init/run_init.c \
../semodule_link/semodule_link.c \
../audit2allow/audit2allow \
- ../semanage/seobject.py \
+ ../semanage/seobject/__init__.py \
../setsebool/setsebool.c \
../newrole/newrole.c \
../load_policy/load_policy.c \
@@ -49,7 +49,6 @@ POTFILES = \
../gui/booleansPage.py \
../gui/fcontextPage.py \
../gui/loginsPage.py \
- ../gui/mappingsPage.py \
../gui/modulesPage.py \
../gui/polgen.glade \
../gui/polgengui.py \
@@ -61,6 +60,36 @@ POTFILES = \
../gui/usersPage.py \
../secon/secon.c \
booleans.py \
+ ../sepolicy/sepolicy/help/booleans_more_show.txt \
+ ../sepolicy/sepolicy/help/booleans_more.txt \
+ ../sepolicy/sepolicy/help/booleans_toggled.txt \
+ ../sepolicy/sepolicy/help/booleans.txt \
+ ../sepolicy/sepolicy/help/file_equiv.txt \
+ ../sepolicy/sepolicy/help/files_apps.txt \
+ ../sepolicy/sepolicy/help/files_exec.txt \
+ ../sepolicy/sepolicy/help/files_write.txt \
+ ../sepolicy/sepolicy/help/lockdown_permissive.txt \
+ ../sepolicy/sepolicy/help/lockdown_ptrace.txt \
+ ../sepolicy/sepolicy/help/lockdown.txt \
+ ../sepolicy/sepolicy/help/lockdown_unconfined.txt \
+ ../sepolicy/sepolicy/help/login_default.txt \
+ ../sepolicy/sepolicy/help/login.txt \
+ ../sepolicy/sepolicy/help/ports_inbound.txt \
+ ../sepolicy/sepolicy/help/ports_outbound.txt \
+ ../sepolicy/sepolicy/help/start.txt \
+ ../sepolicy/sepolicy/help/system_boot_mode.txt \
+ ../sepolicy/sepolicy/help/system_current_mode.txt \
+ ../sepolicy/sepolicy/help/system_export.txt \
+ ../sepolicy/sepolicy/help/system_policy_type.txt \
+ ../sepolicy/sepolicy/help/system_relabel.txt \
+ ../sepolicy/sepolicy/help/system.txt \
+ ../sepolicy/sepolicy/help/transition_file.txt \
+ ../sepolicy/sepolicy/help/transition_from_boolean_1.txt \
+ ../sepolicy/sepolicy/help/transition_from_boolean_2.txt \
+ ../sepolicy/sepolicy/help/transition_from_boolean.txt \
+ ../sepolicy/sepolicy/help/transition_from.txt \
+ ../sepolicy/sepolicy/help/transition_to.txt \
+ ../sepolicy/sepolicy/help/users.txt \
../sepolicy/info.c \
../sepolicy/search.c \
../sepolicy/sepolicy.py \
diff --git policycoreutils-2.5/restorecond/watch.c policycoreutils-2.5/restorecond/watch.c
index 10978cb..80b0ee7 100644
--- policycoreutils-2.5/restorecond/watch.c
+++ policycoreutils-2.5/restorecond/watch.c
@@ -174,7 +174,7 @@ int watch(int fd, const char *watch_file)
syslog(LOG_ERR, "Read error (%s)", strerror(errno));
return 0;
}
- syslog(LOG_ERR, "terminated");
+ syslog(LOG_INFO, "terminated");
return -1;
} else if (!len)
/* BUF_LEN too small? */
diff --git policycoreutils-2.5/run_init/open_init_pty.c policycoreutils-2.5/run_init/open_init_pty.c
index 37805bf..6e25ea3 100644
--- policycoreutils-2.5/run_init/open_init_pty.c
+++ policycoreutils-2.5/run_init/open_init_pty.c
@@ -327,8 +327,9 @@ int main(int argc, char *argv[])
break;
}
+ errno = 0;
int select_rc = select(pty_master + 1, &readfds, &writefds, NULL, NULL);
- if (select_rc < 0) {
+ if (select_rc < 0 && errno != EINTR) {
perror("select()");
exit(EX_IOERR);
}
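Review bot: When `select()` is interrupted by a signal the new condition at L2249 skips the `exit`, but execution then continues with `select_rc == -1` into the code after the hunk, which presumably tests `readfds`/`writefds` with `FD_ISSET`; `select(2)` leaves the fd sets unmodified on error, so every requested descriptor looks ready and the loop may go on to read or write a descriptor that blocks. Restart the iteration instead: `if (select_rc < 0) { if (errno == EINTR) continue; perror("select()"); exit(EX_IOERR); }`. The `errno = 0` at L2246 is then unnecessary, since errno is only consulted when `select_rc < 0`. The enclosing loop and `main` continue outside the hunk.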
diff --git policycoreutils-2.5/sandbox/sandbox policycoreutils-2.5/sandbox/sandbox
index 9e0024f..5b73629 100644
--- policycoreutils-2.5/sandbox/sandbox
+++ policycoreutils-2.5/sandbox/sandbox
@@ -108,30 +108,29 @@ def copyfile(file, srcdir, dest):
def savefile(new, orig, X_ind):
- copy = False
- if(X_ind):
- import gtk
- dlg = gtk.MessageDialog(None, 0, gtk.MESSAGE_INFO,
- gtk.BUTTONS_YES_NO,
- _("Do you want to save changes to '%s' (Y/N): ") % orig)
- dlg.set_title(_("Sandbox Message"))
- dlg.set_position(gtk.WIN_POS_MOUSE)
- dlg.show_all()
- rc = dlg.run()
- dlg.destroy()
- if rc == gtk.RESPONSE_YES:
- copy = True
- else:
- try:
- input = raw_input
- except NameError:
- pass
- ans = input(_("Do you want to save changes to '%s' (y/N): ") % orig)
- if(re.match(_("[yY]"), ans)):
- copy = True
- if(copy):
- shutil.copy2(new, orig)
-
+ copy = False
+ if(X_ind):
+ from gi.repository import Gtk
+ dlg = Gtk.MessageDialog(None, 0, Gtk.MessageType.INFO,
+ Gtk.ButtonsType.YES_NO,
+ _("Do you want to save changes to '%s' (Y/N): ") % orig)
+ dlg.set_title(_("Sandbox Message"))
+ dlg.set_position(Gtk.WindowPosition.MOUSE)
+ dlg.show_all()
+ rc = dlg.run()
+ dlg.destroy()
+ if rc == Gtk.ResponseType.YES:
+ copy = True
+ else:
+ try:
+ input = raw_input
+ except NameError:
+ pass
+ ans = input(_("Do you want to save changes to '%s' (y/N): ") % orig)
+ if(re.match(_("[yY]"),ans)):
+ copy = True
+ if(copy):
+ shutil.copy2(new,orig)
def reserve(level):
sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
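Review bot: `from gi.repository import Gtk` at L2285 is done without a preceding `gi.require_version('Gtk', '3.0')`, so PyGObject loads whichever Gtk typelib it finds first and emits a version warning; add `import gi` and `gi.require_version('Gtk', '3.0')` before the import. The remaining removed/added pairs in this hunk appear to be a re-indentation of otherwise unchanged lines, which hides the actual Gtk migration; a separate whitespace-only change would make it easier to review.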
@@ -265,7 +264,7 @@ class Sandbox:
copyfile(f, "/tmp", self.__tmpdir)
copyfile(f, "/var/tmp", self.__tmpdir)
- def __setup_sandboxrc(self, wm="/usr/bin/openbox"):
+ def __setup_sandboxrc(self, wm="/usr/bin/matchbox-window-manager"):
execfile = self.__homedir + "/.sandboxrc"
fd = open(execfile, "w+")
if self.__options.session:
@@ -355,7 +354,7 @@ sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [-
parser.add_option("-W", "--windowmanager", dest="wm",
type="string",
- default="/usr/bin/openbox",
+ default="/usr/bin/matchbox-window-manager",
help=_("alternate window manager"))
parser.add_option("-l", "--level", dest="level",
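Review bot: The window-manager path is now duplicated as a literal in the `__setup_sandboxrc` default (L2312) and the option default (L2320), and again in the man page (L2401); a single module-level `DEFAULT_WM = "/usr/bin/matchbox-window-manager"` referenced from both call sites would keep them from drifting the next time the default changes.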
@@ -467,10 +466,15 @@ sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [-
cmds += ["--"] + self.__paths
return subprocess.Popen(cmds).wait()
- selinux.setexeccon(self.__execcon)
- rc = subprocess.Popen(self.__cmds).wait()
- selinux.setexeccon(None)
- return rc
+ pid = os.fork()
+ if pid == 0:
+ rc = os.setsid()
+ if rc:
+ return rc
+ selinux.setexeccon(self.__execcon)
+ os.execv(self.__cmds[0], self.__cmds)
+ rc = os.waitpid(pid, 0)
+ return os.WEXITSTATUS(rc[1])
finally:
for i in self.__paths:
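Review bot: The child branch at L2331-L2336 has no failure path: `os.setsid()` returns `None` and raises `OSError` on failure, so `if rc: return rc` at L2333-L2334 is dead code, and if `os.execv` (or `setexeccon`) raises, the exception unwinds the forked child through this method's `finally` and the caller's handlers, so the child runs the parent's cleanup of `self.__paths` and exits through the parent's code path. Report the error and `os._exit()` in the child so that only the parent ever returns from `__execute`. Two further points: `os.execv` does not search `PATH`, whereas the `subprocess.Popen(self.__cmds)` it replaces did, so a bare command name would presumably now fail unless `__cmds[0]` is already resolved to a path earlier (not visible here; `os.execvp` keeps the old behaviour); and `os.WEXITSTATUS(rc[1])` at L2338 is only meaningful when `os.WIFEXITED(rc[1])`, so a child killed by a signal yields a misleading status. `__execute` starts before this hunk and its `finally` continues past it.
```python
pid = os.fork()
if pid == 0:
    try:
        os.setsid()
        selinux.setexeccon(self.__execcon)
        os.execv(self.__cmds[0], self.__cmds)
    except OSError as e:
        sys.stderr.write("%s: %s\n" % (self.__cmds[0], e))
    os._exit(127)
_, status = os.waitpid(pid, 0)
if os.WIFEXITED(status):
    return os.WEXITSTATUS(status)
return -os.WTERMSIG(status)
# … unchanged: finally block cleaning up self.__paths …
```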
@@ -499,7 +503,8 @@ sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [-
try:
self.__parse_options()
self.__gen_context()
- self.__setup_dir()
+ if self.__mount:
+ self.__setup_dir()
return self.__execute()
except KeyboardInterrupt:
sys.exit(0)
diff --git policycoreutils-2.5/sandbox/sandbox.8 policycoreutils-2.5/sandbox/sandbox.8
index 0c8cd1e..90ef495 100644
--- policycoreutils-2.5/sandbox/sandbox.8
+++ policycoreutils-2.5/sandbox/sandbox.8
@@ -3,11 +3,11 @@
sandbox \- Run cmd under an SELinux sandbox
.SH SYNOPSIS
.B sandbox
-[\-C] [\-c] [\-s] [ \-d DPI ] [\-l level ] [[\-M | \-X] \-H homedir \-T tempdir ] [\-I includefile ] [ \-W windowmanager ] [ \-w windowsize ] [[\-i file ]...] [ \-t type ] cmd
+[\-C] [\-s] [ \-d DPI ] [\-l level ] [[\-M | \-X] \-H homedir \-T tempdir ] [\-I includefile ] [ \-W windowmanager ] [ \-w windowsize ] [[\-i file ]...] [ \-t type ] cmd
.br
.B sandbox
-[\-C] [\-c] [\-s] [ \-d DPI ] [\-l level ] [[\-M | \-X] \-H homedir \-T tempdir ] [\-I includefile ] [ \-W windowmanager ] [ \-w windowsize ] [[\-i file ]...] [ \-t type ] \-S
+[\-C] [\-s] [ \-d DPI ] [\-l level ] [[\-M | \-X] \-H homedir \-T tempdir ] [\-I includefile ] [ \-W windowmanager ] [ \-w windowsize ] [[\-i file ]...] [ \-t type ] \-S
.br
.SH DESCRIPTION
.PP
@@ -24,10 +24,10 @@ allows you to run X applications within a sandbox. These applications will star
If directories are specified with \-H or \-T the directory will have its context modified with chcon(1) unless a level is specified with \-l. If the MLS/MCS security level is specified, the user is responsible to set the correct labels.
.PP
.TP
-\fB\-h\ \fB\\-\-help\fR
+\fB\-h\ \fB\-\-help\fR
display usage message
.TP
-\fB\-H\ \fB\\-\-homedir\fR
+\fB\-H\ \fB\-\-homedir\fR
Use alternate homedir to mount over your home directory. Defaults to temporary. Requires \-X or \-M.
.TP
\fB\-i\fR \fB\-\-include\fR
@@ -55,11 +55,13 @@ sandbox_t \- No X, No Network Access, No Open, read/write on passed in file desc
.br
sandbox_min_t \- No Network Access
.br
-sandbox_x_t \- Printer Ports
+sandbox_x_t \- Ports for X applications to run locally
.br
sandbox_web_t \- Ports required for web browsing
.br
-sandbox_net_t \- All network ports
+sandbox_net_t \- Network ports (for server software)
+.br
+sandbox_net_client_t \- All network ports
.TP
\fB\-T\fR \fB\-\-tmpdir\fR
@@ -75,7 +77,7 @@ Specifies the windowsize when creating an X based Sandbox. The default windowsiz
\fB\-W\fR \fB\-\-windowmanager\fR
Select alternative window manager to run within
.B sandbox \-X.
-Default to /usr/bin/openbox.
+Default to /usr/bin/matchbox-window-manager.
.TP
\fB\-X\fR
Create an X based Sandbox for gui apps, temporary files for
@@ -84,9 +86,6 @@ $HOME and /tmp, secondary Xserver, defaults to sandbox_x_t
\fB\-d\fR \fB\-\-dpi\fR
Set the DPI value for the sandbox X Server. Defaults to the current X Sever DPI.
.TP
-\fB\-c\fR \fB\-\-cgroups\fR
-Use control groups to control this copy of sandbox. Specify parameters in /etc/sysconfig/sandbox. Max memory usage and cpu usage are to be specified in percent. You can specify which CPUs to use by numbering them 0,1,2... etc.
-.TP
\fB\-C\fR \fB\-\-capabilities\fR Use capabilities within the
sandbox. By default applications executed within the sandbox will not
be allowed to use capabilities (setuid apps), with the \-C flag, you
diff --git policycoreutils-2.5/sandbox/sandboxX.sh policycoreutils-2.5/sandbox/sandboxX.sh
index eaa500d..4774528 100644
--- policycoreutils-2.5/sandbox/sandboxX.sh
+++ policycoreutils-2.5/sandbox/sandboxX.sh
@@ -20,7 +20,7 @@ cat > ~/.config/openbox/rc.xml << EOF
</openbox_config>
EOF
-(/usr/bin/Xephyr -resizeable -title "$TITLE" -terminate -screen $SCREENSIZE -dpi $DPI -nolisten tcp -displayfd 5 5>&1 2>/dev/null) | while read D; do
+(/usr/bin/Xephyr -resizeable -title "$TITLE" -terminate -reset -screen $SCREENSIZE -dpi $DPI -nolisten tcp -displayfd 5 5>&1 2>/dev/null) | while read D; do
export DISPLAY=:$D
cat > ~/seremote << __EOF
#!/bin/sh
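Review bot: The `cat > ~/.config/openbox/rc.xml` heredoc that this hunk sits in still provisions openbox, while the default window manager in sandbox (L2312, L2320) and its man page (L2401) is now matchbox-window-manager, so the generated file is presumably no longer read in the default configuration; either drop it or add the matchbox equivalent. Adding `-reset` to the Xephyr line is fine on its own.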
diff --git policycoreutils-2.5/sandbox/seunshare.8 policycoreutils-2.5/sandbox/seunshare.8
index 76b75c8..9e105a1 100644
--- policycoreutils-2.5/sandbox/seunshare.8
+++ policycoreutils-2.5/sandbox/seunshare.8
@@ -25,7 +25,7 @@ Allow apps executed within the namespace to use capabilities. Default is no cap
Kill all processes with matching MCS level.
.TP
\fB\-Z\ context
-Use alternate SELinux context while runing the executable.
+Use alternate SELinux context while running the executable.
.TP
\fB\-v\fR
Verbose output
diff --git policycoreutils-2.5/sandbox/start policycoreutils-2.5/sandbox/start
index fc406e1..18d5859 100644
--- policycoreutils-2.5/sandbox/start
+++ policycoreutils-2.5/sandbox/start
@@ -1,10 +1,12 @@
#! /usr/bin/python -Es
-import gtk
-import subprocess
+try:
+ from subprocess import getstatusoutput
+except ImportError:
+ from commands import getstatusoutput
import sys
-rc = [-1, '']
+rc = [-1,'']
try:
- rc = subprocess.getstatusoutput(sys.argv[1])
+ rc = getstatusoutput(sys.argv[1])
except:
pass
if rc[0] == 0:
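Review bot: The bare `except:` at L2458 swallows everything, including `KeyboardInterrupt` and `SystemExit`, and it also hides a missing argument (`sys.argv[1]` raising `IndexError`) behind the generic failure path; narrow it to `except (IndexError, OSError):` or at least `except Exception:`. `getstatusoutput` runs `sys.argv[1]` through a shell, which the removed `subprocess.getstatusoutput` did as well, so that behaviour is unchanged by this commit.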
diff --git policycoreutils-2.5/scripts/chcat policycoreutils-2.5/scripts/chcat
index 472785c..f33a0ea 100755
--- policycoreutils-2.5/scripts/chcat
+++ policycoreutils-2.5/scripts/chcat
@@ -22,7 +22,10 @@
# 02111-1307 USA
#
#
-import subprocess
+try:
+ from subprocess import getstatusoutput
+except ImportError:
+ from commands import getstatusoutput
import sys
import os
import pwd
@@ -92,7 +95,7 @@ def chcat_user_add(newcat, users):
cmd = "semanage login -a -r %s -s %s %s" % (new_serange, user[0], u)
else:
cmd = "semanage login -m -r %s -s %s %s" % (new_serange, user[0], u)
- rc = subprocess.getstatusoutput(cmd)
+ rc = getstatusoutput(cmd)
if rc[0] != 0:
print(rc[1])
errors += 1
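Review bot: The `getstatusoutput` call at L2482, and those at L2491, L2500, L2509, L2518 and L2526 in the following hunks, run `cmd` strings through a shell with `%s`-interpolated user names and file names, so an object name containing whitespace, quotes or `$` is split or expanded by the shell instead of reaching semanage/chcon verbatim. The commit only renames the import, but since every site already has the exact argument values at hand, `subprocess.call(["chcon", "-l", "%s:%s" % (sensitivity, cat_string), f])` and the semanage equivalents would avoid both the quoting problem and the shell. The Python 2 `commands` fallback merges stderr into `rc[1]` roughly as the Python 3 helper does, so the fallback itself is sound.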
@@ -131,7 +134,7 @@ def chcat_add(orig, newcat, objects, login_ind):
else:
cat_string = cat
cmd = 'chcon -l %s:%s %s' % (sensitivity, cat_string, f)
- rc = subprocess.getstatusoutput(cmd)
+ rc = getstatusoutput(cmd)
if rc[0] != 0:
print(rc[1])
errors += 1
@@ -172,7 +175,7 @@ def chcat_user_remove(newcat, users):
cmd = "semanage login -a -r %s -s %s %s" % (new_serange, user[0], u)
else:
cmd = "semanage login -m -r %s -s %s %s" % (new_serange, user[0], u)
- rc = subprocess.getstatusoutput(cmd)
+ rc = getstatusoutput(cmd)
if rc[0] != 0:
print(rc[1])
errors += 1
@@ -217,7 +220,7 @@ def chcat_remove(orig, newcat, objects, login_ind):
cmd = 'chcon -l %s %s' % (sensitivity, f)
else:
cmd = 'chcon -l %s:%s %s' % (sensitivity, cat, f)
- rc = subprocess.getstatusoutput(cmd)
+ rc = getstatusoutput(cmd)
if rc[0] != 0:
print(rc[1])
errors += 1
@@ -245,7 +248,7 @@ def chcat_user_replace(newcat, users):
cmd = "semanage login -a -r %s -s %s %s" % (new_serange, user[0], u)
else:
cmd = "semanage login -m -r %s -s %s %s" % (new_serange, user[0], u)
- rc = subprocess.getstatusoutput(cmd)
+ rc = getstatusoutput(cmd)
if rc[0] != 0:
print(rc[1])
errors += 1
@@ -268,7 +271,7 @@ def chcat_replace(newcat, objects, login_ind):
for f in objects:
cmd = "%s %s" % (cmd, f)
- rc = subprocess.getstatusoutput(cmd)
+ rc = getstatusoutput(cmd)
if rc[0] != 0:
print(rc[1])
errors += 1
@@ -346,8 +349,8 @@ def translate(cats):
def usage():
print(_("Usage %s CATEGORY File ...") % sys.argv[0])
print(_("Usage %s -l CATEGORY user ...") % sys.argv[0])
- print(_("Usage %s [[+|-]CATEGORY],...]q File ...") % sys.argv[0])
- print(_("Usage %s -l [[+|-]CATEGORY],...]q user ...") % sys.argv[0])
+ print(_("Usage %s [[+|-]CATEGORY],...] File ...") % sys.argv[0])
+ print(_("Usage %s -l [[+|-]CATEGORY],...] user ...") % sys.argv[0])
print(_("Usage %s -d File ...") % sys.argv[0])
print(_("Usage %s -l -d user ...") % sys.argv[0])
print(_("Usage %s -L") % sys.argv[0])
diff --git policycoreutils-2.5/scripts/fixfiles policycoreutils-2.5/scripts/fixfiles
index 5c29eb9..401be3f 100755
--- policycoreutils-2.5/scripts/fixfiles
+++ policycoreutils-2.5/scripts/fixfiles
@@ -116,6 +116,7 @@ exclude_dirs() {
fullFlag=0
BOOTTIME=""
VERBOSE="-p"
+[ -t 1 ] || VERBOSE=""
FORCEFLAG=""
DIRS=""
RPMILES=""
@@ -137,6 +138,10 @@ else
FC=/etc/security/selinux/file_contexts
fi
+FC_SUB_DIST=${FC}.subs_dist
+FC_SUB=${FC}.subs
+FC_HOMEDIRS=${FC}.homedirs
+FC_LOCAL=${FC}.local
#
# Log to either syslog or a LOGFILE
#
@@ -150,8 +155,9 @@ fi
#
newer() {
DATE=$1
+ shift
for m in `echo $FILESYSTEMSRW`; do
- find $m -mount -newermt $DATE -print0 2>/dev/null | ${RESTORECON} ${FORCEFLAG} ${VERBOSE} -i -0 -f -
+ find $m -mount -newermt $DATE -print0 2>/dev/null | ${RESTORECON} ${FORCEFLAG} ${VERBOSE} $* -i -0 -f -
done;
}
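Review bot: The arguments forwarded to restorecon with `$*` at L2570 (and at L2578, L2587 and L2610 in the following hunks) are re-split by the shell, so an argument containing whitespace is broken apart; use `"$@"` in all four places. The `shift` at L2567 is what makes the forwarding correct, since `$1` is the date, but `-newermt $DATE` is unquoted as well, so a timestamp with a space would be split — `-newermt "$DATE"`.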
@@ -190,7 +196,7 @@ if [ -f ${PREFC} -a -x /usr/bin/diff ]; then
esac; \
fi; \
done | \
- ${RESTORECON} ${VERBOSE} -i -f - -R `exclude_dirs`; \
+ ${RESTORECON} ${VERBOSE} -i -f - -R $* `exclude_dirs`; \
rm -f ${TEMPFILE} ${PREFCTEMPFILE}
fi
}
@@ -222,7 +228,7 @@ if [ ! -z "$PREFC" ]; then
exit $?
fi
if [ ! -z "$BOOTTIME" ]; then
- newer $BOOTTIME
+ newer $BOOTTIME $*
exit $?
fi
[ -x /usr/sbin/genhomedircon ] && /usr/sbin/genhomedircon
@@ -242,7 +248,12 @@ then
echo "${p1}" >> $TEMPFCFILE
logit "skipping the directory ${p}"
done
-FC=$TEMPFCFILE
+ FC=$TEMPFCFILE
+ /bin/cp -p ${FC_SUB_DIST} ${TEMPFCFILE}.subs_dist &>/dev/null || exit
+ /bin/cp -p ${FC_SUB} ${TEMPFCFILE}.subs &>/dev/null || exit
+ /bin/cp -p ${FC_HOMEDIRS} ${TEMPFCFILE}.homedirs &>/dev/null || exit
+ /bin/cp -p ${FC_LOCAL} ${TEMPFCFILE}.local &>/dev/null || exit
+
fi
if [ ! -z "$RPMFILES" ]; then
for i in `echo "$RPMFILES" | sed 's/,/ /g'`; do
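Review bot: The four `cp ... || exit` lines at L2597-L2600 abort the whole run as soon as one of the companion files is absent, and because stderr goes to /dev/null they do so silently; `file_contexts.local` and `file_contexts.subs` only exist on systems with local customisations, so on a stock system this path presumably never reaches the relabel. Copy only the files that exist and keep cp's own error message for genuine failures. `&>` is also a bashism, which is fine only if the script's interpreter is bash; the shebang is outside this hunk.
```shell
FC=$TEMPFCFILE
for f in "${FC_SUB_DIST}" "${FC_SUB}" "${FC_HOMEDIRS}" "${FC_LOCAL}"; do
    [ -f "$f" ] || continue
    /bin/cp -p "$f" "${TEMPFCFILE}.${f##*.}" || exit $?
done
```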
@@ -251,7 +262,7 @@ if [ ! -z "$RPMFILES" ]; then
exit $?
fi
if [ ! -z "$FILEPATH" ]; then
- ${RESTORECON} $exclude_dirs ${FORCEFLAG} ${VERBOSE} -R $* $FILEPATH 2>&1 | cat >> $LOGFILE
+ ${RESTORECON} $exclude_dirs ${FORCEFLAG} ${VERBOSE} -R $* "$FILEPATH" 2>&1 | cat >> $LOGFILE
return
fi
if [ -n "${FILESYSTEMSRW}" ]; then
@@ -264,15 +275,15 @@ if [ ${OPTION} != "Relabel" ]; then
return
fi
echo "Cleaning up labels on /tmp"
-rm -rf /tmp/gconfd-* /tmp/pulse-* /tmp/orbit-* $TEMPFCFILE
+rm -rf /tmp/gconfd-* /tmp/pulse-* /tmp/orbit-* $TEMPFCFILE ${TEMPFCFILE}.subs_dist ${TEMPFCFILE}.subs ${TEMPFCFILE}.homedirs ${TEMPFCFILE}.local
UNDEFINED=`get_undefined_type` || exit $?
UNLABELED=`get_unlabeled_type` || exit $?
find /tmp \( -context "*:${UNLABELED}*" -o -context "*:${UNDEFINED}*" \) \( -type s -o -type p \) -delete
-find /tmp \( -context "*:${UNLABELED}*" -o -context "*:${UNDEFINED}*" \) -exec chcon --reference /tmp {} \;
-find /var/tmp \( -context "*:${UNLABELED}*" -o -context "*:${UNDEFINED}*" \) -exec chcon --reference /var/tmp {} \;
-find /var/run \( -context "*:${UNLABELED}*" -o -context "*:${UNDEFINED}*" \) -exec chcon --reference /var/run {} \;
-[ ! -e /var/lib/debug ] || find /var/lib/debug \( -context "*:${UNLABELED}*" -o -context "*:${UNDEFINED}*" \) -exec chcon --reference /lib {} \;
+find /tmp \( -context "*:${UNLABELED}*" -o -context "*:${UNDEFINED}*" \) -exec chcon --no-dereference --reference /tmp {} \;
+find /var/tmp \( -context "*:${UNLABELED}*" -o -context "*:${UNDEFINED}*" \) -exec chcon --no-dereference --reference /var/tmp {} \;
+find /var/run \( -context "*:${UNLABELED}*" -o -context "*:${UNDEFINED}*" \) -exec chcon --no-dereference --reference /var/run {} \;
+[ ! -e /var/lib/debug ] || find /var/lib/debug \( -context "*:${UNLABELED}*" -o -context "*:${UNDEFINED}*" \) -exec chcon --no-dereference --reference /lib {} \;
exit 0
}
diff --git policycoreutils-2.5/semanage/Makefile policycoreutils-2.5/semanage/Makefile
index 60c36a3..c5e4808 100644
--- policycoreutils-2.5/semanage/Makefile
+++ policycoreutils-2.5/semanage/Makefile
@@ -20,8 +20,7 @@ install: all
-mkdir -p $(SBINDIR)
install -m 755 semanage $(SBINDIR)
install -m 644 *.8 $(MANDIR)/man8
- test -d $(PYTHONLIBDIR)/site-packages || install -m 755 -d $(PYTHONLIBDIR)/site-packages
- install -m 755 seobject.py $(PYTHONLIBDIR)/site-packages
+ LDFLAGS="" ${PYTHON} setup.py install --install-lib=$(PYTHONLIBDIR)/site-packages
-mkdir -p $(BASHCOMPLETIONDIR)
install -m 644 $(BASHCOMPLETIONS) $(BASHCOMPLETIONDIR)/semanage
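Review bot: `LDFLAGS=""` at L2643 clears the linker flags with no explanation, and the same override recurs in default_encoding/Makefile (L2653, L2656); a one-line comment above it stating why setup.py must not see the top-level LDFLAGS would stop the next reader from removing it. Whether `--install-lib=$(PYTHONLIBDIR)/site-packages` already includes `$(DESTDIR)` is not visible from the hunk; the default_encoding Makefile uses `--root=$(DESTDIR)/` instead, and the two install rules should agree.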
diff --git policycoreutils-2.5/semanage/default_encoding/Makefile policycoreutils-2.5/semanage/default_encoding/Makefile
new file mode 100644
index 0000000..e15a877
--- /dev/null
+++ policycoreutils-2.5/semanage/default_encoding/Makefile
@@ -0,0 +1,8 @@
+all:
+ LDFLAGS="" python setup.py build
+
+install: all
+ LDFLAGS="" python setup.py install --root=$(DESTDIR)/
+
+clean:
+ rm -rf build *~
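Review bot: The new Makefile calls a bare `python` at L2653 and L2656 while semanage/Makefile (L2643) uses `${PYTHON}`, so a build that sets `PYTHON=python3` compiles this extension with a different interpreter than the rest of the package; use `$(PYTHON)` with the same default as the parent Makefile.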
diff --git policycoreutils-2.5/semanage/default_encoding/default_encoding.c policycoreutils-2.5/semanage/default_encoding/default_encoding.c
new file mode 100644
index 0000000..023b8f4
--- /dev/null
+++ policycoreutils-2.5/semanage/default_encoding/default_encoding.c
@@ -0,0 +1,57 @@
+/*
+ * Authors:
+ * John Dennis <jdennis@redhat.com>
+ *
+ * Copyright (C) 2009 Red Hat
+ * see file 'COPYING' for use and warranty information
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ */
+
+#include <Python.h>
+
+PyDoc_STRVAR(setdefaultencoding_doc,
+"setdefaultencoding(encoding='utf-8')\n\
+\n\
+Set the current default string encoding used by the Unicode implementation.\n\
+Defaults to utf-8."
+);
+
+static PyObject *
+setdefaultencoding(PyObject *self, PyObject *args, PyObject *kwds)
+{
+ static char *kwlist[] = {"utf-8", NULL};
+ char *encoding;
+
+ if (!PyArg_ParseTupleAndKeywords(args, kwds, "s:setdefaultencoding", kwlist, &encoding))
+ return NULL;
+
+ if (PyUnicode_SetDefaultEncoding(encoding))
+ return NULL;
+
+ Py_RETURN_NONE;
+}
+
+static PyMethodDef methods[] = {
+ {"setdefaultencoding", (PyCFunction)setdefaultencoding, METH_VARARGS|METH_KEYWORDS, setdefaultencoding_doc},
+ {NULL, NULL} /* sentinel */
+};
+
+
+PyMODINIT_FUNC
+initdefault_encoding_utf8(void)
+{
+ PyUnicode_SetDefaultEncoding("utf-8");
+ Py_InitModule3("default_encoding_utf8", methods, "Forces the default encoding to utf-8");
+}
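Review bot: `kwlist` at L2699 names the keyword argument `"utf-8"`, i.e. the default value instead of the parameter, so the call the docstring advertises, `setdefaultencoding(encoding='utf-8')`, fails with TypeError; and because the format is `"s:setdefaultencoding"` the argument is mandatory although the docstring says it defaults to utf-8. Fix the three lines together: `static char *kwlist[] = {"encoding", NULL};`, `const char *encoding = "utf-8";`, and `"|s:setdefaultencoding"` as the format. `PyUnicode_SetDefaultEncoding`, `Py_InitModule3` and the `init<name>` entry point at L2717-L2721 exist only in Python 2, so this extension cannot build against Python 3 while the rest of the commit (`builtins`, `print()`) moves that way; the return value of `PyUnicode_SetDefaultEncoding` at L2720 is also ignored, which would leave an exception set during module init if it failed.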
diff --git policycoreutils-2.5/semanage/default_encoding/policycoreutils/__init__.py policycoreutils-2.5/semanage/default_encoding/policycoreutils/__init__.py
new file mode 100644
index 0000000..ccb6b8b
--- /dev/null
+++ policycoreutils-2.5/semanage/default_encoding/policycoreutils/__init__.py
@@ -0,0 +1,17 @@
+#
+# Copyright (C) 2006,2007,2008, 2009 Red Hat, Inc.
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+#
diff --git policycoreutils-2.5/semanage/default_encoding/setup.py policycoreutils-2.5/semanage/default_encoding/setup.py
new file mode 100644
index 0000000..e2befdb
--- /dev/null
+++ policycoreutils-2.5/semanage/default_encoding/setup.py
@@ -0,0 +1,38 @@
+# Authors:
+# John Dennis <jdennis@redhat.com>
+#
+# Copyright (C) 2009 Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+
+from distutils.core import setup, Extension
+
+default_encoding_utf8 = Extension('policycoreutils.default_encoding_utf8', ['default_encoding.c'])
+
+setup(name = 'policycoreutils-default-encoding',
+ version = '0.1',
+ description = 'Forces the default encoding in Python to be utf-8',
+ long_description = 'Forces the default encoding in Python to be utf-8',
+ author = 'John Dennis',
+ author_email = 'jdennis@redhat.com',
+ maintainer = 'John Dennis',
+ maintainer_email = 'jdennis@redhat.com',
+ license = 'GPLv3+',
+ platforms = 'posix',
+ url = '',
+ download_url = '',
+ ext_modules = [default_encoding_utf8],
+ packages=["policycoreutils"],
+)
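Review bot: `license = 'GPLv3+'` at L2783 contradicts the license headers added in the same commit: `policycoreutils/__init__.py` (L2734-L2735) says "version 2 of the License, or (at your option) any later version", and default_encoding.c and this file name no version at all; make the metadata match the headers, presumably `'GPLv2+'`. `distutils` is deprecated in Python 3.10 and removed in 3.12, which matters only if this extension is ever meant to build there; as written the C side is Python 2-only.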
diff --git policycoreutils-2.5/semanage/semanage policycoreutils-2.5/semanage/semanage
index 7489955..37b5d70 100644
--- policycoreutils-2.5/semanage/semanage
+++ policycoreutils-2.5/semanage/semanage
@@ -23,6 +23,11 @@
#
#
+try:
+ import policycoreutils.default_encoding_utf8
+except ImportError:
+ pass
+
import argparse
import seobject
import sys
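Review bot: The new optional import gives no hint why `policycoreutils.default_encoding_utf8` may be absent or what it does, and `except ImportError: pass` hides the absence silently. A one-line comment above the `try:` would save the next reader a trip to the setup.py in this same patch, e.g. `# optional C extension (semanage/default_encoding): forces Python's default encoding to utf-8`. If the module is intentionally shipped only on some builds, say so in that comment as well.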
@@ -45,25 +50,31 @@ except IOError:
__builtin__.__dict__['_'] = unicode
# define custom usages for selected main actions
-usage_login = "semanage login [-h] [-n] [-N] [-s STORE] ["
+usage_login = "semanage login [-h] [-n] [-N] [-S STORE] ["
usage_login_dict = {' --add': ('-s SEUSER', '-r RANGE', 'LOGIN',), ' --modify': ('-s SEUSER', '-r RANGE', 'LOGIN',), ' --delete': ('LOGIN',), ' --list': ('-C',), ' --extract': ('',), ' --deleteall': ('',)}
-usage_fcontext = "semanage fcontext [-h] [-n] [-N] [-s STORE] ["
+usage_fcontext = "semanage fcontext [-h] [-n] [-N] [-S STORE] ["
usage_fcontext_dict = {' --add': ('(', '-t TYPE', '-f FTYPE', '-r RANGE', '-s SEUSER', '|', '-e EQUAL', ')', 'FILE_SPEC', ')',), ' --delete': ('(', '-t TYPE', '-f FTYPE', '|', '-e EQUAL', ')', 'FILE_SPEC', ')',), ' --modify': ('(', '-t TYPE', '-f FTYPE', '-r RANGE', '-s SEUSER', '|', '-e EQUAL', ')', 'FILE_SPEC )',), ' --list': ('-C',), ' --extract': ('',), ' --deleteall': ('',)}
-usage_user = "semanage user [-h] [-n] [-N] [-s STORE] ["
+usage_user = "semanage user [-h] [-n] [-N] [-S STORE] ["
usage_user_dict = {' --add': ('(', '-L LEVEL', '-R ROLES', '-r RANGE', '-s SEUSER', 'selinux_name'')'), ' --delete': ('selinux_name',), ' --modify': ('(', '-L LEVEL', '-R ROLES', '-r RANGE', '-s SEUSER', 'selinux_name', ')'), ' --list': ('-C',), ' --extract': ('',), ' --deleteall': ('',)}
-usage_port = "semanage port [-h] [-n] [-N] [-s STORE] ["
+usage_port = "semanage port [-h] [-n] [-N] [-S STORE] ["
usage_port_dict = {' --add': ('-t TYPE', '-p PROTOCOL', '-r RANGE', '(', 'port_name', '|', 'port_range', ')'), ' --modify': ('-t TYPE', '-p PROTOCOL', '-r RANGE', '(', 'port_name', '|', 'port_range', ')'), ' --delete': ('-p PROTOCOL', '(', 'port_name', '|', 'port_range', ')'), ' --list': ('-C',), ' --extract': ('',), ' --deleteall': ('',)}
-usage_node = "semanage node [-h] [-n] [-N] [-s STORE] ["
+usage_ibpkey = "semanage ibpkey [-h] [-n] [-N] [-s STORE] ["
+usage_ibpkey_dict = {' --add': ('-t TYPE', '-x SUBNET_PREFIX', '-r RANGE', '(', 'ibpkey_name', '|', 'pkey_range', ')'), ' --modify': ('-t TYPE', '-x SUBNET_PREFIX', '-r RANGE', '(', 'ibpkey_name', '|', 'pkey_range', ')'), ' --delete': ('-x SUBNET_PREFIX', '(', 'ibpkey_name', '|', 'pkey_range', ')'), ' --list': ('-C',), ' --extract': ('',), ' --deleteall': ('',)}
+
+usage_ibendport = "semanage ibendport [-h] [-n] [-N] [-s STORE] ["
+usage_ibendport_dict = {' --add': ('-t TYPE', '-z IBDEV_NAME', '-r RANGE', '(', 'port', ')'), ' --modify': ('-t TYPE', '-z IBDEV_NAME', '-r RANGE', '(', 'port', ')'), ' --delete': ('-z IBDEV_NAME', '-r RANGE''(', 'port', ')'), ' --list': ('-C',), ' --extract': ('',), ' --deleteall': ('',)}
+
+usage_node = "semanage node [-h] [-n] [-N] [-S STORE] ["
usage_node_dict = {' --add': ('-M NETMASK', '-p PROTOCOL', '-t TYPE', '-r RANGE', 'node'), ' --modify': ('-M NETMASK', '-p PROTOCOL', '-t TYPE', '-r RANGE', 'node'), ' --delete': ('-M NETMASK', '-p PROTOCOL', 'node'), ' --list': ('-C',), ' --extract': ('',), ' --deleteall': ('',)}
-usage_interface = "semanage interface [-h] [-n] [-N] [-s STORE] ["
+usage_interface = "semanage interface [-h] [-n] [-N] [-S STORE] ["
usage_interface_dict = {' --add': ('-t TYPE', '-r RANGE', 'interface'), ' --modify': ('-t TYPE', '-r RANGE', 'interface'), ' --delete': ('interface',), ' --list': ('-C',), ' --extract': ('',), ' --deleteall': ('',)}
-usage_boolean = "semanage boolean [-h] [-n] [-N] [-s STORE] ["
+usage_boolean = "semanage boolean [-h] [-n] [-N] [-S STORE] ["
usage_boolean_dict = {' --modify': ('(', '--on', '|', '--off', ')', 'boolean'), ' --list': ('-C',), ' --extract': ('',), ' --deleteall': ('',)}
import sepolicy
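Review bot: The two new usage strings `usage_ibpkey` and `usage_ibendport` still read `[-s STORE]` while every other usage line in this hunk is being corrected to `[-S STORE]` (and the new semanage-ibpkey.8 / semanage-ibendport.8 pages in this patch already show `-S STORE`); change both to `"semanage ibpkey [-h] [-n] [-N] [-S STORE] ["` and `"semanage ibendport [-h] [-n] [-N] [-S STORE] ["`. In `usage_ibendport_dict` the delete entry contains `'-r RANGE''(',` — a missing comma, so the two literals concatenate into the single element `'-r RANGE('` and the generated usage loses its separator. On the same naming topic, the SEE ALSO line added to semanage.8 reads `.B semanage-ibkey (8),` although the new page is semanage-ibpkey.8.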
@@ -144,6 +155,13 @@ def port_ini():
OBJECT = seobject.portRecords(store)
return OBJECT
+def ibpkey_ini():
+ OBJECT = seobject.ibpkeyRecords(store)
+ return OBJECT
+
+def ibendport_ini():
+ OBJECT = seobject.ibendportRecords(store)
+ return OBJECT
def module_ini():
OBJECT = seobject.moduleRecords(store)
@@ -180,13 +198,12 @@ def dontaudit_ini():
return OBJECT
# define dictonary for seobject OBEJCTS
-object_dict = {'login': login_ini, 'user': user_ini, 'port': port_ini, 'module': module_ini, 'interface': interface_ini, 'node': node_ini, 'fcontext': fcontext_ini, 'boolean': boolean_ini, 'permissive': permissive_ini, 'dontaudit': dontaudit_ini}
-
+object_dict = {'login': login_ini, 'user': user_ini, 'port': port_ini, 'module': module_ini, 'interface': interface_ini, 'node': node_ini, 'fcontext': fcontext_ini, 'boolean': boolean_ini, 'permissive': permissive_ini, 'dontaudit': dontaudit_ini, 'ibpkey': ibpkey_ini, 'ibendport': ibendport_ini}
def generate_custom_usage(usage_text, usage_dict):
# generate custom usage from given text and dictonary
sorted_keys = []
- for i in usage_dict.keys():
+ for i in list(usage_dict.keys()):
sorted_keys.append(i)
sorted_keys.sort()
for k in sorted_keys:
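Review bot: Wrapping `usage_dict.keys()` in `list()` keeps the four-line manual copy-and-sort, which can be replaced outright by `sorted_keys = sorted(usage_dict)` — valid on both Python 2 and 3 and without the temporary list. The same `list(...)` wrapping in the two handle_opts hunks below is only needed if the dict is mutated during iteration, which the visible loop bodies do not appear to do; iterating `args.__dict__` directly would read the same. generate_custom_usage continues outside this hunk.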
@@ -202,7 +219,7 @@ def handle_opts(args, dict, target_key):
# {action:[conflict_opts,require_opts]}
# first we need to catch conflicts
- for k in args.__dict__.keys():
+ for k in list(args.__dict__.keys()):
try:
if k in dict[target_key][0] and args.__dict__[k]:
print("%s option can not be used with --%s" % (target_key, k))
@@ -210,7 +227,7 @@ def handle_opts(args, dict, target_key):
except KeyError:
continue
- for k in args.__dict__.keys():
+ for k in list(args.__dict__.keys()):
try:
if k in dict[target_key][1] and not args.__dict__[k]:
print("%s option is needed for %s" % (k, target_key))
@@ -272,16 +289,15 @@ def parser_add_type(parser, name):
def parser_add_level(parser, name):
- parser.add_argument('-L', '--level', default='s0', help=_('Default SELinux Level for SELinux user, s0 Default. (MLS/MCS Systems only)'))
+ parser.add_argument('-L', '--level', default='', help=_('Default SELinux Level for SELinux user. (MLS/MCS Systems only)'))
def parser_add_range(parser, name):
- parser.add_argument('-r', '--range', default="s0",
+ parser.add_argument('-r', '--range', default="",
help=_('''
MLS/MCS Security Range (MLS/MCS Systems only)
SELinux Range for SELinux login mapping
defaults to the SELinux user record range.
-SELinux Range for SELinux user defaults to s0.
'''))
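Review bot: Changing the `--level` and `--range` defaults from `'s0'` to `''` moves the handling of an empty range to seobject, which this hunk cannot show, but the removed help sentence "SELinux Range for SELinux user defaults to s0." is still present verbatim in the RANGE option text of the new semanage-ibendport.8 and semanage-ibpkey.8 pages added by this patch, so they now document a default the parser no longer applies. Either drop that sentence from the two man pages or, if seobject still falls back to s0 for an empty range, keep the sentence in the `--range` help so the CLI and the manuals agree.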
@@ -291,6 +307,15 @@ def parser_add_proto(parser, name):
version for the specified node (ipv4|ipv6).
'''))
+def parser_add_subnet_prefix(parser, name):
+ parser.add_argument('-x', '--subnet_prefix', help=_('''
+ Subnet prefix for the specified infiniband ibpkey.
+'''))
+
+def parser_add_ibdev_name(parser, name):
+ parser.add_argument('-z', '--ibdev_name', help=_('''
+ Name for the specified infiniband end port.
+'''))
def parser_add_modify(parser, name):
parser.add_argument('-m', '--modify', dest='action', action='store_const', const='modify', help=_("Modify a record of the %s object type") % name)
@@ -382,13 +407,14 @@ def handleFcontext(args):
def setupFcontextParser(subparsers):
ftype_help = '''
-File Type. This is used with fcontext. Requires a file type
-as shown in the mode field by ls, e.g. use -d to match only
-directories or -- to match only regular files. The following
-file type options can be passed:
--- (regular file),-d (directory),-c (character device),
--b (block device),-s (socket),-l (symbolic link),-p (named pipe)
-If you do not specify a file type, the file type will default to "all files".
+File Type. This is used with fcontext. Requires a file
+type as shown in the mode field by ls, e.g. use 'd' to
+match only directories or 'f' to match only regular
+files. The following file type options can be passed:
+f (regular file),d (directory),c (character device),
+b (block device),s (socket),l (symbolic link),
+p (named pipe). If you do not specify a file type,
+the file type will default to "all files".
'''
generate_usage = generate_custom_usage(usage_fcontext, usage_fcontext_dict)
fcontextParser = subparsers.add_parser('fcontext', usage=generate_usage, help=_("Manage file context mapping definitions"))
@@ -513,6 +539,95 @@ def setupPortParser(subparsers):
portParser.set_defaults(func=handlePort)
+
+def handlePkey(args):
+ ibpkey_args = {'list': [('ibpkey', 'type', 'subnet_prefix'), ('')], 'add': [('locallist'), ('type', 'ibpkey', 'subnet_prefix')], 'modify': [('localist'), ('ibpkey', 'subnet_prefix')], 'delete': [('locallist'), ('ibpkey', 'subnet_prefix')], 'extract': [('locallist', 'ibpkey', 'type', 'subnet prefix'), ('')], 'deleteall': [('locallist'), ('')]}
+
+ handle_opts(args, ibpkey_args, args.action)
+
+ OBJECT = object_dict['ibpkey']()
+ OBJECT.set_reload(args.noreload)
+
+ if args.action is "add":
+ OBJECT.add(args.ibpkey, args.subnet_prefix, args.range, args.type)
+ if args.action is "modify":
+ OBJECT.modify(args.ibpkey, args.subnet_prefix, args.range, args.type)
+ if args.action is "delete":
+ OBJECT.delete(args.ibpkey, args.subnet_prefix)
+ if args.action is "list":
+ OBJECT.list(args.noheading, args.locallist)
+ if args.action is "deleteall":
+ OBJECT.deleteall()
+ if args.action is "extract":
+ for i in OBJECT.customized():
+ print("ibpkey %s" % str(i))
+
+
+def setupPkeyParser(subparsers):
+ generated_usage = generate_custom_usage(usage_ibpkey, usage_ibpkey_dict)
+ ibpkeyParser = subparsers.add_parser('ibpkey', usage=generated_usage, help=_('Manage infiniband ibpkey type definitions'))
+ parser_add_locallist(ibpkeyParser, "ibpkey")
+ parser_add_noheading(ibpkeyParser, "ibpkey")
+ parser_add_noreload(ibpkeyParser, "ibpkey")
+ parser_add_store(ibpkeyParser, "ibpkey")
+
+ ibpkey_action = ibpkeyParser.add_mutually_exclusive_group(required=True)
+ parser_add_add(ibpkey_action, "ibpkey")
+ parser_add_delete(ibpkey_action, "ibpkey")
+ parser_add_modify(ibpkey_action, "ibpkey")
+ parser_add_list(ibpkey_action, "ibpkey")
+ parser_add_extract(ibpkey_action, "ibpkey")
+ parser_add_deleteall(ibpkey_action, "ibpkey")
+ parser_add_type(ibpkeyParser, "ibpkey")
+ parser_add_range(ibpkeyParser, "ibpkey")
+ parser_add_subnet_prefix(ibpkeyParser, "ibpkey")
+ ibpkeyParser.add_argument('ibpkey', nargs='?', default=None, help=_('pkey | pkey_range'))
+ ibpkeyParser.set_defaults(func=handlePkey)
+
+def handleIbendport(args):
+ ibendport_args = {'list': [('ibendport', 'type', 'ibdev_name'), ('')], 'add': [('locallist'), ('type', 'ibendport', 'ibdev_name'), ('')], 'modify': [('localist'), ('ibendport', 'ibdev_name')], 'delete': [('locallist'), ('ibendport', 'ibdev_name')], 'extract': [('locallist', 'ibendport', 'type', 'ibdev_name'), ('')], 'deleteall': [('locallist'), ('')]}
+
+ handle_opts(args, ibendport_args, args.action)
+
+ OBJECT = object_dict['ibendport']()
+ OBJECT.set_reload(args.noreload)
+
+ if args.action is "add":
+ OBJECT.add(args.ibendport, args.ibdev_name, args.range, args.type)
+ if args.action is "modify":
+ OBJECT.modify(args.ibendport, args.ibdev_name, args.range, args.type)
+ if args.action is "delete":
+ OBJECT.delete(args.ibendport, args.ibdev_name)
+ if args.action is "list":
+ OBJECT.list(args.noheading, args.locallist)
+ if args.action is "deleteall":
+ OBJECT.deleteall()
+ if args.action is "extract":
+ for i in OBJECT.customized():
+ print("ibendport %s" % str(i))
+
+
+def setupIbendportParser(subparsers):
+ generated_usage = generate_custom_usage(usage_ibendport, usage_ibendport_dict)
+ ibendportParser = subparsers.add_parser('ibendport', usage=generated_usage, help=_('Manage infiniband end port type definitions'))
+ parser_add_locallist(ibendportParser, "ibendport")
+ parser_add_noheading(ibendportParser, "ibendport")
+ parser_add_noreload(ibendportParser, "ibendport")
+ parser_add_store(ibendportParser, "ibendport")
+
+ ibendport_action = ibendportParser.add_mutually_exclusive_group(required=True)
+ parser_add_add(ibendport_action, "ibendport")
+ parser_add_delete(ibendport_action, "ibendport")
+ parser_add_modify(ibendport_action, "ibendport")
+ parser_add_list(ibendport_action, "ibendport")
+ parser_add_extract(ibendport_action, "ibendport")
+ parser_add_deleteall(ibendport_action, "ibendport")
+ parser_add_type(ibendportParser, "ibendport")
+ parser_add_range(ibendportParser, "ibendport")
+ parser_add_ibdev_name(ibendportParser, "ibendport")
+ ibendportParser.add_argument('ibendport', nargs='?', default=None, help=_('ibendport'))
+ ibendportParser.set_defaults(func=handleIbendport)
+
def handleInterface(args):
interface_args = {'list': [('interface'), ('')], 'add': [('locallist'), ('type', 'interface')], 'modify': [('locallist'), ('type', 'interface')], 'delete': [('locallist'), ('interface')], 'extract': [('locallist', 'interface', 'type'), ('')], 'deleteall': [('locallist'), ('')]}
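Review bot: The option tables in `handlePkey` and `handleIbendport` contain typos that defeat the conflict checks handle_opts is meant to enforce: both `'modify'` entries spell the conflicting option `('localist')` (the dest registered by parser_add_locallist is `locallist`), the ibpkey `'extract'` entry lists `'subnet prefix'` with a space rather than the dest `subnet_prefix`, and the ibendport `'add'` entry carries a stray third element `('')`. Because handle_opts tests `k in dict[target_key][0]` and these parenthesised single values are plain strings rather than tuples, the misspelled entries simply never match, so `--modify -C` and `--extract -x` pass silently instead of being rejected; the fix is `'modify': [('locallist',), ('ibpkey', 'subnet_prefix')]` and `'extract': [('locallist', 'ibpkey', 'type', 'subnet_prefix'), ('',)]`, with the same correction in the ibendport table. The `args.action is "add"` comparisons copy the style of the existing handlers but rely on string interning; `==` is the safe form, since `action` is set from argparse's `const` values.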
@@ -524,7 +639,7 @@ def handleInterface(args):
if args.action is "add":
OBJECT.add(args.interface, args.range, args.type)
if args.action is "modify":
- OBJECT.add(args.interface, args.range, args.type)
+ OBJECT.modify(args.interface, args.range, args.type)
if args.action is "delete":
OBJECT.delete(args.interface)
if args.action is "list":
@@ -607,7 +722,7 @@ def handleNode(args):
if args.action is "add":
OBJECT.add(args.node, args.netmask, args.proto, args.range, args.type)
if args.action is "modify":
- OBJECT.add(args.node, args.netmask, args.proto, args.range, args.type)
+ OBJECT.modify(args.node, args.netmask, args.proto, args.range, args.type)
if args.action is "delete":
OBJECT.delete(args.node, args.netmask, args.proto)
if args.action is "list":
@@ -839,7 +954,7 @@ def handleImport(args):
def setupImportParser(subparsers):
- importParser = subparsers.add_parser('import', help=_('Output local customizations'))
+ importParser = subparsers.add_parser('import', help=_('Import local customizations'))
parser_add_noreload(importParser, "import")
parser_add_store(importParser, "import")
importParser.add_argument('-f', '--input_file', dest='input_file', action=SetImportFile, help=_('Input file'))
@@ -860,6 +975,8 @@ def createCommandParser():
setupLoginParser(subparsers)
setupUserParser(subparsers)
setupPortParser(subparsers)
+ setupPkeyParser(subparsers)
+ setupIbendportParser(subparsers)
setupInterfaceParser(subparsers)
setupModuleParser(subparsers)
setupNodeParser(subparsers)
@@ -894,6 +1011,8 @@ def make_io_args(args):
def make_args(sys_args):
+ if len(sys_args) == 1:
+ return [ "-h" ]
args = []
if "-o" in sys_args[1:] or "-i" in sys_args[1:]:
args = make_io_args(sys_args[1:])
diff --git policycoreutils-2.5/semanage/semanage-boolean.8 policycoreutils-2.5/semanage/semanage-boolean.8
index 6eb6b69..0c48587 100644
--- policycoreutils-2.5/semanage/semanage-boolean.8
+++ policycoreutils-2.5/semanage/semanage-boolean.8
@@ -2,7 +2,7 @@
.SH "NAME"
semanage\-boolean \- SELinux Policy Management boolean tool
.SH "SYNOPSIS"
-.B semanage boolean [\-h] [\-n] [\-N] [\-s STORE] [ \-\-extract | \-\-deleteall | \-\-list [\-C] | \-\-modify ( \-\-on | \-\-off ) boolean ]
+.B semanage boolean [\-h] [\-n] [\-N] [\-S STORE] [ \-\-extract | \-\-deleteall | \-\-list [\-C] | \-\-modify ( \-\-on | \-\-off ) boolean ]
.SH "DESCRIPTION"
semanage is used to configure certain elements of
diff --git policycoreutils-2.5/semanage/semanage-dontaudit.8 policycoreutils-2.5/semanage/semanage-dontaudit.8
index 122780d..3d29911 100644
--- policycoreutils-2.5/semanage/semanage-dontaudit.8
+++ policycoreutils-2.5/semanage/semanage-dontaudit.8
@@ -8,7 +8,7 @@
semanage is used to configure certain elements of
SELinux policy without requiring modification to or recompilation
from policy sources. semanage dontaudit toggles whether or not dontaudit rules will be in the policy. Policy writers use dontaudit rules to cause
-confined applications to use alternative paths. Dontaudit rules are denied but not reported in the logs. Some times dontaudit rules can cause bugs in applications but policy writers will not relize it since the AVC is not audited. Turning off dontaudit rules with this command to see if the kernel is blocking an access.
+confined applications to use alternative paths. Dontaudit rules are denied but not reported in the logs. Some times dontaudit rules can cause bugs in applications but policy writers will not realize it since the AVC is not audited. Turning off dontaudit rules with this command to see if the kernel is blocking an access.
.SH "OPTIONS"
.TP
diff --git policycoreutils-2.5/semanage/semanage-export.8 policycoreutils-2.5/semanage/semanage-export.8
index 469b1bb..d688224 100644
--- policycoreutils-2.5/semanage/semanage-export.8
+++ policycoreutils-2.5/semanage/semanage-export.8
@@ -7,7 +7,7 @@
.SH "DESCRIPTION"
semanage is used to configure certain elements of
SELinux policy without requiring modification to or recompilation
-from policy sources. semanage import and export can be used to extract the SELinux modifications from one machine and apply them to another. You can put a hole group of semanage commands within a file and apply them to a machine in a single transaction.
+from policy sources. semanage import and export can be used to extract the SELinux modifications from one machine and apply them to another. You can put a whole group of semanage commands within a file and apply them to a machine in a single transaction.
.SH "OPTIONS"
.TP
diff --git policycoreutils-2.5/semanage/semanage-fcontext.8 policycoreutils-2.5/semanage/semanage-fcontext.8
index 7bbb0af..07c2831 100644
--- policycoreutils-2.5/semanage/semanage-fcontext.8
+++ policycoreutils-2.5/semanage/semanage-fcontext.8
@@ -3,7 +3,7 @@
semanage\-fcontext \- SELinux Policy Management file context tool
.SH "SYNOPSIS"
-.B semanage fcontext [\-h] [\-n] [\-N] [\-s STORE] [ \-\-add ( \-t TYPE \-f FTYPE \-r RANGE \-s SEUSER | \-e EQUAL ) FILE_SPEC ) | \-\-delete ( \-t TYPE \-f FTYPE | \-e EQUAL ) FILE_SPEC ) | \-\-deleteall | \-\-extract | \-\-list [\-C] | \-\-modify ( \-t TYPE \-f FTYPE \-r RANGE \-s SEUSER | \-e EQUAL ) FILE_SPEC ) ]
+.B semanage fcontext [\-h] [\-n] [\-N] [\-S STORE] [ \-\-add ( \-t TYPE \-f FTYPE \-r RANGE \-s SEUSER | \-e EQUAL ) FILE_SPEC ) | \-\-delete ( \-t TYPE \-f FTYPE | \-e EQUAL ) FILE_SPEC ) | \-\-deleteall | \-\-extract | \-\-list [\-C] | \-\-modify ( \-t TYPE \-f FTYPE \-r RANGE \-s SEUSER | \-e EQUAL ) FILE_SPEC ) ]
.SH "DESCRIPTION"
semanage is used to configure certain elements of
diff --git policycoreutils-2.5/semanage/semanage-ibendport.8 policycoreutils-2.5/semanage/semanage-ibendport.8
new file mode 100644
index 0000000..0a29eae
--- /dev/null
+++ policycoreutils-2.5/semanage/semanage-ibendport.8
@@ -0,0 +1,66 @@
+.TH "semanage-ibendport" "8" "20170508" "" ""
+.SH "NAME"
+.B semanage\-ibendport \- SELinux Policy Management ibendport mapping tool
+.SH "SYNOPSIS"
+.B semanage ibendport [\-h] [\-n] [\-N] [\-S STORE] [ \-\-add \-t TYPE \-z IBDEV_NAME \-r RANGE port | \-\-delete \-z IBDEV_NAME port | \-\-deleteall | \-\-extract | \-\-list [\-C] | \-\-modify \-t TYPE \-z IBDEV_NAME \-r RANGE port ]
+
+.SH "DESCRIPTION"
+semanage is used to configure certain elements of SELinux policy without requiring modification to or recompilation from policy sources. semanage ibendport controls the ibendport number to ibendport type definitions.
+
+.SH "OPTIONS"
+.TP
+.I \-h, \-\-help
+show this help message and exit
+.TP
+.I \-n, \-\-noheading
+Do not print heading when listing the specified object type
+.TP
+.I \-N, \-\-noreload
+Do not reload policy after commit
+.TP
+.I \-S STORE, \-\-store STORE
+Select an alternate SELinux Policy Store to manage
+.TP
+.I \-C, \-\-locallist
+List local customizations
+.TP
+.I \-a, \-\-add
+Add a record of the specified object type
+.TP
+.I \-d, \-\-delete
+Delete a record of the specified object type
+.TP
+.I \-m, \-\-modify
+Modify a record of the specified object type
+.TP
+.I \-l, \-\-list
+List records of the specified object type
+.TP
+.I \-E, \-\-extract
+Extract customizable commands, for use within a transaction
+.TP
+.I \-D, \-\-deleteall
+Remove all local customizations
+.TP
+.I \-t TYPE, \-\-type TYPE
+SELinux type for the object
+.TP
+.I \-r RANGE, \-\-range RANGE
+MLS/MCS Security Range (MLS/MCS Systems only) SELinux Range for SELinux login mapping defaults to the SELinux user record range. SELinux Range for SELinux user defaults to s0.
+.TP
+.I \-z IBDEV_NAME, \-\-ibdev_name IBDEV_NAME
+The name of the infiniband device for the port to be labeled. (ex. mlx5_0)
+
+.SH EXAMPLE
+.nf
+List all ibendport definitions
+# semanage ibendport \-l
+Label mlx4_0 port 2.
+# semanage ibendport \-a \-t allowed_ibendport_t \-z mlx4_0 2
+
+.SH "SEE ALSO"
+.BR selinux (8),
+.BR semanage (8)
+
+.SH "AUTHOR"
+This man page was written by Daniel Jurgens <danielj@mellanox.com>
diff --git policycoreutils-2.5/semanage/semanage-ibpkey.8 policycoreutils-2.5/semanage/semanage-ibpkey.8
new file mode 100644
index 0000000..51f455a
--- /dev/null
+++ policycoreutils-2.5/semanage/semanage-ibpkey.8
@@ -0,0 +1,66 @@
+.TH "semanage-ibpkey" "8" "20170508" "" ""
+.SH "NAME"
+.B semanage\-ibpkey \- SELinux Policy Management ibpkey mapping tool
+.SH "SYNOPSIS"
+.B semanage ibpkey [\-h] [\-n] [\-N] [\-S STORE] [ \-\-add \-t TYPE \-x SUBNET_PREFIX \-r RANGE ibpkey_name | ibpkey_range | \-\-delete \-x SUBNET_PREFIX ibpkey_name | ibpkey_range | \-\-deleteall | \-\-extract | \-\-list [\-C] | \-\-modify \-t TYPE \-x SUBNET_PREFIX \-r RANGE ibpkey_name | ibpkey_range ]
+
+.SH "DESCRIPTION"
+semanage is used to configure certain elements of SELinux policy without requiring modification to or recompilation from policy sources. semanage ibpkey controls the ibpkey number to ibpkey type definitions.
+
+.SH "OPTIONS"
+.TP
+.I \-h, \-\-help
+show this help message and exit
+.TP
+.I \-n, \-\-noheading
+Do not print heading when listing the specified object type
+.TP
+.I \-N, \-\-noreload
+Do not reload policy after commit
+.TP
+.I \-S STORE, \-\-store STORE
+Select an alternate SELinux Policy Store to manage
+.TP
+.I \-C, \-\-locallist
+List local customizations
+.TP
+.I \-a, \-\-add
+Add a record of the specified object type
+.TP
+.I \-d, \-\-delete
+Delete a record of the specified object type
+.TP
+.I \-m, \-\-modify
+Modify a record of the specified object type
+.TP
+.I \-l, \-\-list
+List records of the specified object type
+.TP
+.I \-E, \-\-extract
+Extract customizable commands, for use within a transaction
+.TP
+.I \-D, \-\-deleteall
+Remove all local customizations
+.TP
+.I \-t TYPE, \-\-type TYPE
+SELinux type for the object
+.TP
+.I \-r RANGE, \-\-range RANGE
+MLS/MCS Security Range (MLS/MCS Systems only) SELinux Range for SELinux login mapping defaults to the SELinux user record range. SELinux Range for SELinux user defaults to s0.
+.TP
+.I \-x SUBNET_PREFIX, \-\-subnet_prefix SUBNET_PREFIX
+Subnet prefix for the specified pkey or range of pkeys.
+
+.SH EXAMPLE
+.nf
+List all ibpkey definitions
+# semanage ibpkey \-l
+Label pkey 0x8FFF (limited membership default pkey) as a default pkey type
+# semanage ibpkey \-a \-t default_ibpkey_t \-x fe80:: 0x8FFF
+
+.SH "SEE ALSO"
+.BR selinux (8),
+.BR semanage (8)
+
+.SH "AUTHOR"
+This man page was written by Daniel Jurgens <danielj@mellanox.com>
diff --git policycoreutils-2.5/semanage/semanage-import.8 policycoreutils-2.5/semanage/semanage-import.8
index 5437de3..4a9b3e7 100644
--- policycoreutils-2.5/semanage/semanage-import.8
+++ policycoreutils-2.5/semanage/semanage-import.8
@@ -7,7 +7,7 @@
.SH "DESCRIPTION"
semanage is used to configure certain elements of
SELinux policy without requiring modification to or recompilation
-from policy sources. semanage import and export can be used to extract the SELinux modifications from one machine and apply them to another. You can put a hole group of semanage commands within a file and apply them to a machine in a single transaction.
+from policy sources. semanage import and export can be used to extract the SELinux modifications from one machine and apply them to another. You can put a whole group of semanage commands within a file and apply them to a machine in a single transaction.
.SH "OPTIONS"
.TP
diff --git policycoreutils-2.5/semanage/semanage-interface.8 policycoreutils-2.5/semanage/semanage-interface.8
index d318bb8..fbab4b9 100644
--- policycoreutils-2.5/semanage/semanage-interface.8
+++ policycoreutils-2.5/semanage/semanage-interface.8
@@ -2,7 +2,7 @@
.SH "NAME"
.B semanage\-interface \- SELinux Policy Management network interface tool
.SH "SYNOPSIS"
-.B semanage interface [\-h] [\-n] [\-N] [\-s STORE] [ \-\-add \-t TYPE \-r RANGE interface | \-\-delete interface | \-\-deleteall | \-\-extract | \-\-list [\-C] | \-\-modify \-t TYPE \-r RANGE interface ]
+.B semanage interface [\-h] [\-n] [\-N] [\-S STORE] [ \-\-add \-t TYPE \-r RANGE interface | \-\-delete interface | \-\-deleteall | \-\-extract | \-\-list [\-C] | \-\-modify \-t TYPE \-r RANGE interface ]
.SH "DESCRIPTION"
semanage is used to configure certain elements of
@@ -52,7 +52,7 @@ MLS/MCS Security Range (MLS/MCS Systems only) SELinux Range for SELinux login ma
.SH EXAMPLE
.nf
-list all interface defitions
+list all interface definitions
# semanage interface \-l
.SH "SEE ALSO"
diff --git policycoreutils-2.5/semanage/semanage-login.8 policycoreutils-2.5/semanage/semanage-login.8
index 7cc5fde..a2397a0 100644
--- policycoreutils-2.5/semanage/semanage-login.8
+++ policycoreutils-2.5/semanage/semanage-login.8
@@ -2,7 +2,7 @@
.SH "NAME"
.B semanage\-login \- SELinux Policy Management linux user to SELinux User mapping tool
.SH "SYNOPSIS"
-.B semanage login [\-h] [\-n] [\-N] [\-s STORE] [ \-\-add \-s SEUSER \-r RANGE LOGIN | \-\-delete LOGIN | \-\-deleteall | \-\-extract | \-\-list [\-C] | \-\-modify \-s SEUSER \-r RANGE LOGIN ]
+.B semanage login [\-h] [\-n] [\-N] [\-S STORE] [ \-\-add \-s SEUSER \-r RANGE LOGIN | \-\-delete LOGIN | \-\-deleteall | \-\-extract | \-\-list [\-C] | \-\-modify \-s SEUSER \-r RANGE LOGIN ]
.SH "DESCRIPTION"
semanage is used to configure certain elements of
diff --git policycoreutils-2.5/semanage/semanage-node.8 policycoreutils-2.5/semanage/semanage-node.8
index 0a2160d..e0b0e56 100644
--- policycoreutils-2.5/semanage/semanage-node.8
+++ policycoreutils-2.5/semanage/semanage-node.8
@@ -2,7 +2,7 @@
.SH "NAME"
.B semanage\-node \- SELinux Policy Management node mapping tool
.SH "SYNOPSIS"
-.B semanage node [\-h] [\-n] [\-N] [\-s STORE] [ \-\-add \-M NETMASK \-p PROTOCOL \-t TYPE \-r RANGE node | \-\-delete \-M NETMASK \-p PROTOCOL node | \-\-deleteall | \-\-extract | \-\-list [\-C] | \-\-modify \-M NETMASK \-p PROTOCOL \-t TYPE \-r RANGE node ]
+.B semanage node [\-h] [\-n] [\-N] [\-S STORE] [ \-\-add \-M NETMASK \-p PROTOCOL \-t TYPE \-r RANGE node | \-\-delete \-M NETMASK \-p PROTOCOL node | \-\-deleteall | \-\-extract | \-\-list [\-C] | \-\-modify \-M NETMASK \-p PROTOCOL \-t TYPE \-r RANGE node ]
.SH "DESCRIPTION"
semanage is used to configure certain elements of
diff --git policycoreutils-2.5/semanage/semanage-port.8 policycoreutils-2.5/semanage/semanage-port.8
index 3f067c5..397cb00 100644
--- policycoreutils-2.5/semanage/semanage-port.8
+++ policycoreutils-2.5/semanage/semanage-port.8
@@ -2,11 +2,14 @@
.SH "NAME"
.B semanage\-port \- SELinux Policy Management port mapping tool
.SH "SYNOPSIS"
-.B semanage port [\-h] [\-n] [\-N] [\-s STORE] [ \-\-add \-t TYPE \-p PROTOCOL \-r RANGE port_name | port_range | \-\-delete \-p PROTOCOL port_name | port_range | \-\-deleteall | \-\-extract | \-\-list [\-C] | \-\-modify \-t TYPE \-p PROTOCOL \-r RANGE port_name | port_range ]
+.B semanage port [\-h] [\-n] [\-N] [\-S STORE] [ \-\-add \-t TYPE \-p PROTOCOL \-r RANGE port_name | port_range | \-\-delete \-p PROTOCOL port_name | port_range | \-\-deleteall | \-\-extract | \-\-list [\-C] | \-\-modify \-t TYPE \-p PROTOCOL \-r RANGE port_name | port_range ]
.SH "DESCRIPTION"
-semanage is used to configure certain elements of SELinux policy without requiring modification to or recompilation from policy sources. semanage port controls the port number to port type definitions.
-
+semanage is used to configure certain elements of SELinux policy without requiring modification to or recompilation from policy sources. \fBsemanage port\fP controls the port number to port type definitions.
+.TP
+Default port definitions are contained in policy modules and can't be removed without removing corresponding module. Therefore \fBsemanage port\fP uses so called local definitions, which are assigned higher priority and override default definitions for the same port.
+.TP
+\fBsemanage port -l\fP lists all port definitions (both default and local) which can result in seemingly conflicting or duplicate entries. Use \fBsemanage port -l -C\fP to only list local definitions.
.SH "OPTIONS"
.TP
.I \-h, \-\-help
@@ -53,7 +56,7 @@ Protocol for the specified port (tcp|udp) or internet protocol version for the s
.SH EXAMPLE
.nf
-List all port defitions
+List all port definitions
# semanage port \-l
Allow Apache to listen on tcp port 81
# semanage port \-a \-t http_port_t \-p tcp 81
diff --git policycoreutils-2.5/semanage/semanage-user.8 policycoreutils-2.5/semanage/semanage-user.8
index 0e29334..288ae0c 100644
--- policycoreutils-2.5/semanage/semanage-user.8
+++ policycoreutils-2.5/semanage/semanage-user.8
@@ -2,7 +2,7 @@
.SH "NAME"
.B semanage\-user \- SELinux Policy Management SELinux User mapping tool
.SH "SYNOPSIS"
-.B semanage user [\-h] [\-n] [\-N] [\-s STORE] [ \-\-add ( \-L LEVEL \-R ROLES \-r RANGE \-s SEUSER selinux_name) | \-\-delete selinux_name | \-\-deleteall | \-\-extract | \-\-list [\-C] | \-\-modify ( \-L LEVEL \-R ROLES \-r RANGE \-s SEUSER selinux_name ) ]
+.B semanage user [\-h] [\-n] [\-N] [\-S STORE] [ \-\-add ( \-L LEVEL \-R ROLES \-r RANGE \-s SEUSER selinux_name) | \-\-delete selinux_name | \-\-deleteall | \-\-extract | \-\-list [\-C] | \-\-modify ( \-L LEVEL \-R ROLES \-r RANGE \-s SEUSER selinux_name ) ]
.SH "DESCRIPTION"
semanage is used to configure certain elements of
@@ -62,6 +62,23 @@ Modify groups for staff_u user
Add level for TopSecret Users
# semanage user \-a \-R "staff_r" \-rs0\-TopSecret topsecret_u
+.SH "NOTES"
+SELinux users defined in the policy cannot be removed or directly altered. When the
+.I -m
+switch is used on such a user, semanage creates a local SELinux user of the same name, which overrides the original SELinux user.
+.P
+As long as a login entry exists that links local SELinux user to a Linux user, given local SELinux user cannot be removed (even if it represents local modification of a SELinux user defined in policy).
+In case you want to remove local modification of a SELinux user, you need to remove any related login mapping first. Follow these steps:
+.IP
+.nf
+1) Remove all login entries concerning the SELinux user.
+ To list local customizations of login entries execute:
+ # semanage login -l -C
+ or for semanage command form:
+ # semanage login --extract
+2) Remove the SELinux user
+3) Optionally reintroduce removed login entries
+
.SH "SEE ALSO"
.B selinux (8),
.B semanage (8)
diff --git policycoreutils-2.5/semanage/semanage.8 policycoreutils-2.5/semanage/semanage.8
index 0fad36c..6032b41 100644
--- policycoreutils-2.5/semanage/semanage.8
+++ policycoreutils-2.5/semanage/semanage.8
@@ -3,12 +3,12 @@
semanage \- SELinux Policy Management tool
.SH "SYNOPSIS"
-.B semanage {import,export,login,user,port,interface,module,node,fcontext,boolean,permissive,dontaudit}
+.B semanage {import,export,login,user,port,interface,module,node,fcontext,boolean,permissive,dontaudit,ibpkey,ibendport}
...
.B positional arguments:
.B import
-Output local customizations
+Import local customizations
.B export
Output local customizations
@@ -43,6 +43,12 @@ Manage process type enforcement mode
.B dontaudit
Disable/Enable dontaudit rules in policy
+.B ibpkey
+Manage infiniband pkey type definitions
+
+.B ibendport
+Manage infiniband end port type definitions
+
.SH "DESCRIPTION"
semanage is used to configure certain elements of
SELinux policy without requiring modification to or recompilation
@@ -50,9 +56,9 @@ from policy sources. This includes the mapping from Linux usernames
to SELinux user identities (which controls the initial security context
assigned to Linux users when they login and bounds their authorized role set)
as well as security context mappings for various kinds of objects, such
-as network ports, interfaces, and nodes (hosts) as well as the file
-context mapping. See the EXAMPLES section below for some examples
-of common usage. Note that the semanage login command deals with the
+as network ports, interfaces, infiniband pkeys and endports, and nodes (hosts)
+as well as the file context mapping. See the EXAMPLES section below for some
+examples of common usage. Note that the semanage login command deals with the
mapping from Linux usernames (logins) to SELinux user identities,
while the semanage user command deals with the mapping from SELinux
user identities to authorized role sets. In most cases, only the
@@ -79,6 +85,8 @@ List help information
.B semanage-permissive (8),
.B semanage-port (8),
.B semanage-user (8)
+.B semanage-ibkey (8),
+.B semanage-ibendport (8),
.SH "AUTHOR"
This man page was written by Daniel Walsh <dwalsh@redhat.com>
diff --git policycoreutils-2.5/semanage/seobject.py policycoreutils-2.5/semanage/seobject.py
index 3b0b108..c49f0d6 100644
--- policycoreutils-2.5/semanage/seobject.py
+++ policycoreutils-2.5/semanage/seobject.py
@@ -30,12 +30,13 @@ import os
import re
import sys
import stat
-import shutil
+import socket
from semanage import *
PROGNAME = "policycoreutils"
import sepolicy
from sepolicy import boolean_desc, boolean_category, gen_bool_dict
gen_bool_dict()
+import setools
from IPy import IP
import gettext
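Review bot: The added `import setools` turns setools into a hard import-time dependency of the whole module, although its only users are the class-body probes in the new ibpkeyRecords and ibendportRecords, which already fall back to an empty `valid_types` on any failure. Wrapping it as `try:` / `    import setools` / `except ImportError:` / `    setools = None` keeps `semanage login`, `port`, `fcontext` and the rest usable on hosts without setools, and the existing catch-all in those class bodies then yields the same empty list. Dropping `import shutil` is only safe if nothing else in this file still references it; that cannot be confirmed from this hunk, and the new `seobject/__init__.py` below still imports it.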
@@ -79,17 +80,31 @@ file_type_str_to_option = {"all files": "a",
"directory": "d",
"character device": "c",
"block device": "b",
- "socket file": "s",
+ "socket": "s",
"symbolic link": "l",
"named pipe": "p"}
+
+ftype_to_audit = {"": "any",
+ "a" : "any",
+ "b": "block",
+ "c": "char",
+ "d": "dir",
+ "f": "file",
+ "l": "symlink",
+ "p": "pipe",
+ "s": "socket"}
+
try:
import audit
+ #test if audit module is enabled
+ audit.audit_close(audit.audit_open())
class logger:
def __init__(self):
self.audit_fd = audit.audit_open()
self.log_list = []
+ self.log_change_list = []
def log(self, msg, name="", sename="", serole="", serange="", oldsename="", oldserole="", oldserange=""):
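Review bot: The `"a" : "any"` entry in the new `ftype_to_audit` table has a space before the colon while every neighbouring entry is written `"x": "y"`; make it `"a": "any"`. The probe comment `#test if audit module is enabled` would be more useful if it named the failure mode the `except` clause relies on, e.g. `# probe the audit subsystem: audit_open() raises OSError when it is unavailable`.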
@@ -109,11 +124,18 @@ try:
def log_remove(self, msg, name="", sename="", serole="", serange="", oldsename="", oldserole="", oldserange=""):
self.log_list.append([self.audit_fd, audit.AUDIT_ROLE_REMOVE, sys.argv[0], str(msg), name, 0, sename, serole, serange, oldsename, oldserole, oldserange, "", "", ""])
+ def log_change(self, msg):
+ self.log_change_list.append([self.audit_fd, audit.AUDIT_USER_MAC_CONFIG_CHANGE, str(msg), "semanage", "", "", ""])
+
def commit(self, success):
for l in self.log_list:
audit.audit_log_semanage_message(*(l + [success]))
+ for l in self.log_change_list:
+ audit.audit_log_user_comm_message(*(l + [success]))
+
self.log_list = []
-except:
+ self.log_change_list = []
+except (OSError, ImportError):
class logger:
def __init__(self):
@@ -138,6 +160,9 @@ except:
def log_remove(self, msg, name="", sename="", serole="", serange="", oldsename="", oldserole="", oldserange=""):
self.log(msg, name, sename, serole, serange, oldsename, oldserole, oldserange)
+ def log_change(self, msg):
+ self.log_list.append(" %s" % msg)
+
def commit(self, success):
if success == 1:
message = "Successful: "
@@ -155,6 +180,9 @@ class nulllogger:
def log_remove(self, msg, name="", sename="", serole="", serange="", oldsename="", oldserole="", oldserange=""):
pass
+ def log_change(self, msg):
+ pass
+
def commit(self, success):
pass
@@ -384,8 +412,13 @@ class moduleRecords(semanageRecords):
raise ValueError(_("Could not disable module %s") % m)
self.commit()
+ # Obsolete - "add()" does the same while allowing the user to set priority
def modify(self, file):
- rc = semanage_module_update_file(self.sh, file)
+ if not os.path.exists(file):
+ raise ValueError(_("Module does not exists %s ") % file)
+
+ # Priority was left unchanged, default is 400
+ rc = semanage_module_install_file(self.sh, file)
if rc >= 0:
self.commit()
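Review bot: The new error string `_("Module does not exists %s ")` is ungrammatical and carries a trailing space that ends up in the message; `_("Module %s does not exist") % file` reads correctly and keeps the file name inside the sentence. The comment `# Priority was left unchanged, default is 400` is also misleading: as far as I know `semanage_module_install_file` installs at the handle's default priority rather than at the priority the existing module was installed with, so a module that lives at another priority gets a second copy rather than a replacement — if that is intended, the comment should say so explicitly. The `os.path.exists` check only improves the error text; the library call still fails if the file vanishes between the check and the install, which is acceptable here.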
@@ -557,7 +590,6 @@ class loginRecords(semanageRecords):
semanage_seuser_key_free(k)
semanage_seuser_free(u)
- self.mylog.log("login", name, sename=sename, serange=serange, serole=",".join(serole), oldserole=",".join(oldserole), oldsename=self.oldsename, oldserange=self.oldserange)
def add(self, name, sename, serange):
try:
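Review bot: Removing the `self.mylog.log("login", ...)` call drops the audit record for a new login mapping (the `log()` counterpart to the `AUDIT_ROLE_REMOVE` message in `log_remove`), and removing `self.mylog.commit(0)` from the `add` error path means a failed attempt is no longer reported either; the same deletions follow in `__modify`/`modify`, `__delete`/`delete` and `deleteall`. Unlike the port, node, interface and fcontext classes in this same change, no `log_change` replacement is added for logins in any hunk I can see, so unless it happens elsewhere in the file, login mapping changes become unaudited. If the intent is to move logins onto `log_change`, the equivalent here would be `self.mylog.log_change("resrc=login op=add name=%s sename=%s serange=%s" % (name, sename, serange))` after the frees; otherwise the original calls should stay.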
@@ -565,7 +597,6 @@ class loginRecords(semanageRecords):
self.__add(name, sename, serange)
self.commit()
except ValueError, error:
- self.mylog.commit(0)
raise error
def __modify(self, name, sename="", serange=""):
@@ -617,7 +648,6 @@ class loginRecords(semanageRecords):
semanage_seuser_key_free(k)
semanage_seuser_free(u)
- self.mylog.log("login", name, sename=self.sename, serange=self.serange, serole=",".join(serole), oldserole=",".join(oldserole), oldsename=self.oldsename, oldserange=self.oldserange)
def modify(self, name, sename="", serange=""):
try:
@@ -625,7 +655,6 @@ class loginRecords(semanageRecords):
self.__modify(name, sename, serange)
self.commit()
except ValueError, error:
- self.mylog.commit(0)
raise error
def __delete(self, name):
@@ -658,8 +687,6 @@ class loginRecords(semanageRecords):
rec, self.sename, self.serange = selinux.getseuserbyname("__default__")
range, (rc, serole) = userrec.get(self.sename)
- self.mylog.log_remove("login", name, sename=self.sename, serange=self.serange, serole=",".join(serole), oldserole=",".join(oldserole), oldsename=self.oldsename, oldserange=self.oldserange)
-
def delete(self, name):
try:
self.begin()
@@ -667,7 +694,6 @@ class loginRecords(semanageRecords):
self.commit()
except ValueError, error:
- self.mylog.commit(0)
raise error
def deleteall(self):
@@ -681,7 +707,6 @@ class loginRecords(semanageRecords):
self.__delete(semanage_seuser_get_name(u))
self.commit()
except ValueError, error:
- self.mylog.commit(0)
raise error
def get_all_logins(self):
@@ -1109,6 +1134,8 @@ class portRecords(semanageRecords):
semanage_port_key_free(k)
semanage_port_free(p)
+ self.mylog.log_change("resrc=port op=add lport=%s proto=%s tcontext=%s:%s:%s:%s" % (port, socket.getprotobyname(proto), "system_u", "object_r", type, serange))
+
def add(self, port, proto, serange, type):
self.begin()
self.__add(port, proto, serange, type)
@@ -1138,8 +1165,11 @@ class portRecords(semanageRecords):
con = semanage_port_get_con(p)
- if (is_mls_enabled == 1) and (serange != ""):
- semanage_context_set_mls(self.sh, con, untranslate(serange))
+ if is_mls_enabled == 1:
+ if serange == "":
+ serange = "s0"
+ else:
+ semanage_context_set_mls(self.sh, con, untranslate(serange))
if setype != "":
semanage_context_set_type(self.sh, con, setype)
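Review bot: In the MLS branch the new `serange = "s0"` default is only assigned to the local variable and `semanage_context_set_mls` is not called for that case, so the stored context keeps whatever range it had while the audit message added in the next hunk reports `tcontext=...:s0`. That message also interpolates `setype`, which is `""` when only the range is being changed, yielding a context string with an empty type field. If the intent is to leave the range alone, read both fields back from the context after the update — `serange = semanage_context_get_mls(con)` in the `serange == ""` case and `setype = semanage_context_get_type(con)` when `setype == ""` — so the record reflects what was actually committed; if the intent is to reset the range to s0, the `set_mls` call must run in both cases. `__modify` continues past the end of this hunk.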
@@ -1150,6 +1180,8 @@ class portRecords(semanageRecords):
semanage_port_key_free(k)
semanage_port_free(p)
+ self.mylog.log_change("resrc=port op=modify lport=%s proto=%s tcontext=%s:%s:%s:%s" % (port, socket.getprotobyname(proto), "system_u", "object_r", setype, serange))
+
def modify(self, port, proto, serange, setype):
self.begin()
self.__modify(port, proto, serange, setype)
@@ -1168,6 +1200,7 @@ class portRecords(semanageRecords):
low = semanage_port_get_low(port)
high = semanage_port_get_high(port)
port_str = "%s-%s" % (low, high)
+
(k, proto_d, low, high) = self.__genkey(port_str, proto_str)
if rc < 0:
raise ValueError(_("Could not create a key for %s") % port_str)
@@ -1177,6 +1210,11 @@ class portRecords(semanageRecords):
raise ValueError(_("Could not delete the port %s") % port_str)
semanage_port_key_free(k)
+ if low == high:
+ port_str = low
+
+ self.mylog.log_change("resrc=port op=delete lport=%s proto=%s" % (port_str, socket.getprotobyname(proto_str)))
+
self.commit()
def __delete(self, port, proto):
@@ -1199,6 +1237,8 @@ class portRecords(semanageRecords):
semanage_port_key_free(k)
+ self.mylog.log_change("resrc=port op=delete lport=%s proto=%s" % (port, socket.getprotobyname(proto)))
+
def delete(self, port, proto):
self.begin()
self.__delete(port, proto)
@@ -1276,6 +1316,499 @@ class portRecords(semanageRecords):
rec += ", %s" % p
print rec
+class ibpkeyRecords(semanageRecords):
+ try:
+ q = setools.TypeQuery(setools.SELinuxPolicy(sepolicy.get_installed_policy()), attrs=["ibpkey_type"])
+ valid_types = sorted(str(t) for t in q.results())
+ except:
+ valid_types = []
+
+ def __init__(self, store=""):
+ semanageRecords.__init__(self, store)
+
+ def __genkey(self, pkey, subnet_prefix):
+ if subnet_prefix == "":
+ raise ValueError(_("Subnet Prefix is required"))
+
+ pkeys = pkey.split("-")
+ if len(pkeys) == 1:
+ high = low = int(pkeys[0], 0)
+ else:
+ low = int(pkeys[0], 0)
+ high = int(pkeys[1], 0)
+
+ if high > 65535:
+ raise ValueError(_("Invalid Pkey"))
+
+ (rc, k) = semanage_ibpkey_key_create(self.sh, subnet_prefix, low, high)
+ if rc < 0:
+ raise ValueError(_("Could not create a key for %s/%s") % (subnet_prefix, pkey))
+ return (k, subnet_prefix, low, high)
+
+ def __add(self, pkey, subnet_prefix, serange, type):
+ if is_mls_enabled == 1:
+ if serange == "":
+ serange = "s0"
+ else:
+ serange = untranslate(serange)
+
+ if type == "":
+ raise ValueError(_("Type is required"))
+
+ if type not in self.valid_types:
+ raise ValueError(_("Type %s is invalid, must be a ibpkey type") % type)
+
+ (k, subnet_prefix, low, high) = self.__genkey(pkey, subnet_prefix)
+
+ (rc, exists) = semanage_ibpkey_exists(self.sh, k)
+ if rc < 0:
+ raise ValueError(_("Could not check if ibpkey %s/%s is defined") % (subnet_prefix, pkey))
+ if exists:
+ raise ValueError(_("ibpkey %s/%s already defined") % (subnet_prefix, pkey))
+
+ (rc, p) = semanage_ibpkey_create(self.sh)
+ if rc < 0:
+ raise ValueError(_("Could not create ibpkey for %s/%s") % (subnet_prefix, pkey))
+
+ semanage_ibpkey_set_subnet_prefix(self.sh, p, subnet_prefix)
+ semanage_ibpkey_set_range(p, low, high)
+ (rc, con) = semanage_context_create(self.sh)
+ if rc < 0:
+ raise ValueError(_("Could not create context for %s/%s") % (subnet_prefix, pkey))
+
+ rc = semanage_context_set_user(self.sh, con, "system_u")
+ if rc < 0:
+ raise ValueError(_("Could not set user in ibpkey context for %s/%s") % (subnet_prefix, pkey))
+
+ rc = semanage_context_set_role(self.sh, con, "object_r")
+ if rc < 0:
+ raise ValueError(_("Could not set role in ibpkey context for %s/%s") % (subnet_prefix, pkey))
+
+ rc = semanage_context_set_type(self.sh, con, type)
+ if rc < 0:
+ raise ValueError(_("Could not set type in ibpkey context for %s/%s") % (subnet_prefix, pkey))
+
+ if (is_mls_enabled == 1) and (serange != ""):
+ rc = semanage_context_set_mls(self.sh, con, serange)
+ if rc < 0:
+ raise ValueError(_("Could not set mls fields in ibpkey context for %s/%s") % (subnet_prefix, pkey))
+
+ rc = semanage_ibpkey_set_con(self.sh, p, con)
+ if rc < 0:
+ raise ValueError(_("Could not set ibpkey context for %s/%s") % (subnet_prefix, pkey))
+
+ rc = semanage_ibpkey_modify_local(self.sh, k, p)
+ if rc < 0:
+ raise ValueError(_("Could not add ibpkey %s/%s") % (subnet_prefix, pkey))
+
+ semanage_context_free(con)
+ semanage_ibpkey_key_free(k)
+ semanage_ibpkey_free(p)
+
+ def add(self, pkey, subnet_prefix, serange, type):
+ self.begin()
+ self.__add(pkey, subnet_prefix, serange, type)
+ self.commit()
+
+ def __modify(self, pkey, subnet_prefix, serange, setype):
+ if serange == "" and setype == "":
+ if is_mls_enabled == 1:
+ raise ValueError(_("Requires setype or serange"))
+ else:
+ raise ValueError(_("Requires setype"))
+
+ if setype and setype not in self.valid_types:
+ raise ValueError(_("Type %s is invalid, must be a ibpkey type") % setype)
+
+ (k, subnet_prefix, low, high) = self.__genkey(pkey, subnet_prefix)
+
+ (rc, exists) = semanage_ibpkey_exists(self.sh, k)
+ if rc < 0:
+ raise ValueError(_("Could not check if ibpkey %s/%s is defined") % (subnet_prefix, pkey))
+ if not exists:
+ raise ValueError(_("ibpkey %s/%s is not defined") % (subnet_prefix, pkey))
+
+ (rc, p) = semanage_ibpkey_query(self.sh, k)
+ if rc < 0:
+ raise ValueError(_("Could not query ibpkey %s/%s") % (subnet_prefix, pkey))
+
+ con = semanage_ibpkey_get_con(p)
+
+ if (is_mls_enabled == 1) and (serange != ""):
+ semanage_context_set_mls(self.sh, con, untranslate(serange))
+ if setype != "":
+ semanage_context_set_type(self.sh, con, setype)
+
+ rc = semanage_ibpkey_modify_local(self.sh, k, p)
+ if rc < 0:
+ raise ValueError(_("Could not modify ibpkey %s/%s") % (subnet_prefix, pkey))
+
+ semanage_ibpkey_key_free(k)
+ semanage_ibpkey_free(p)
+
+ def modify(self, pkey, subnet_prefix, serange, setype):
+ self.begin()
+ self.__modify(pkey, subnet_prefix, serange, setype)
+ self.commit()
+
+ def deleteall(self):
+ (rc, plist) = semanage_ibpkey_list_local(self.sh)
+ if rc < 0:
+ raise ValueError(_("Could not list the ibpkeys"))
+
+ self.begin()
+
+ for ibpkey in plist:
+ (rc, subnet_prefix) = semanage_ibpkey_get_subnet_prefix(self.sh, ibpkey)
+ low = semanage_ibpkey_get_low(ibpkey)
+ high = semanage_ibpkey_get_high(ibpkey)
+ pkey_str = "%s-%s" % (low, high)
+ (k, subnet_prefix, low, high) = self.__genkey(pkey_str, subnet_prefix)
+ if rc < 0:
+ raise ValueError(_("Could not create a key for %s") % pkey_str)
+
+ rc = semanage_ibpkey_del_local(self.sh, k)
+ if rc < 0:
+ raise ValueError(_("Could not delete the ibpkey %s") % pkey_str)
+ semanage_ibpkey_key_free(k)
+
+ self.commit()
+
+ def __delete(self, pkey, subnet_prefix):
+ (k, subnet_prefix, low, high) = self.__genkey(pkey, subnet_prefix)
+ (rc, exists) = semanage_ibpkey_exists(self.sh, k)
+ if rc < 0:
+ raise ValueError(_("Could not check if ibpkey %s/%s is defined") % (subnet_prefix, pkey))
+ if not exists:
+ raise ValueError(_("ibpkey %s/%s is not defined") % (subnet_prefix, pkey))
+
+ (rc, exists) = semanage_ibpkey_exists_local(self.sh, k)
+ if rc < 0:
+ raise ValueError(_("Could not check if ibpkey %s/%s is defined") % (subnet_prefix, pkey))
+ if not exists:
+ raise ValueError(_("ibpkey %s/%s is defined in policy, cannot be deleted") % (subnet_prefix, pkey))
+
+ rc = semanage_ibpkey_del_local(self.sh, k)
+ if rc < 0:
+ raise ValueError(_("Could not delete ibpkey %s/%s") % (subnet_prefix, pkey))
+
+ semanage_ibpkey_key_free(k)
+
+ def delete(self, pkey, subnet_prefix):
+ self.begin()
+ self.__delete(pkey, subnet_prefix)
+ self.commit()
+
+ def get_all(self, locallist=0):
+ ddict = {}
+ if locallist:
+ (rc, self.plist) = semanage_ibpkey_list_local(self.sh)
+ else:
+ (rc, self.plist) = semanage_ibpkey_list(self.sh)
+ if rc < 0:
+ raise ValueError(_("Could not list ibpkeys"))
+
+ for ibpkey in self.plist:
+ con = semanage_ibpkey_get_con(ibpkey)
+ ctype = semanage_context_get_type(con)
+ if ctype == "reserved_ibpkey_t":
+ continue
+ level = semanage_context_get_mls(con)
+ (rc, subnet_prefix) = semanage_ibpkey_get_subnet_prefix(self.sh, ibpkey)
+ low = semanage_ibpkey_get_low(ibpkey)
+ high = semanage_ibpkey_get_high(ibpkey)
+ ddict[(low, high, subnet_prefix)] = (ctype, level)
+ return ddict
+
+ def get_all_by_type(self, locallist=0):
+ ddict = {}
+ if locallist:
+ (rc, self.plist) = semanage_ibpkey_list_local(self.sh)
+ else:
+ (rc, self.plist) = semanage_ibpkey_list(self.sh)
+ if rc < 0:
+ raise ValueError(_("Could not list ibpkeys"))
+
+ for ibpkey in self.plist:
+ con = semanage_ibpkey_get_con(ibpkey)
+ ctype = semanage_context_get_type(con)
+ (rc, subnet_prefix) = semanage_ibpkey_get_subnet_prefix(self.sh, ibpkey)
+ low = semanage_ibpkey_get_low(ibpkey)
+ high = semanage_ibpkey_get_high(ibpkey)
+ if (ctype, subnet_prefix) not in ddict.keys():
+ ddict[(ctype, subnet_prefix)] = []
+ if low == high:
+ ddict[(ctype, subnet_prefix)].append("0x%x" % low)
+ else:
+ ddict[(ctype, subnet_prefix)].append("0x%x-0x%x" % (low, high))
+ return ddict
+
+ def customized(self):
+ l = []
+ ddict = self.get_all(True)
+ keys = ddict.keys()
+ keys.sort()
+ for k in keys:
+ if k[0] == k[1]:
+ l.append("-a -t %s -x %s %s" % (ddict[k][0], k[2], k[0]))
+ else:
+ l.append("-a -t %s -x %s %s-%s" % (ddict[k][0], k[2], k[0], k[1]))
+ return l
+
+ def list(self, heading=1, locallist=0):
+ ddict = self.get_all_by_type(locallist)
+ keys = ddict.keys()
+ if len(keys) == 0:
+ return
+ keys.sort()
+
+ if heading:
+ print "%-30s %-18s %s\n" % (_("SELinux IB Pkey Type"), _("Subnet_Prefix"), _("Pkey Number"))
+ for i in keys:
+ rec = "%-30s %-18s " % i
+ rec += "%s" % ddict[i][0]
+ for p in ddict[i][1:]:
+ rec += ", %s" % p
+ print rec
+
+class ibendportRecords(semanageRecords):
+ try:
+ q = setools.TypeQuery(setools.SELinuxPolicy(sepolicy.get_installed_policy()), attrs=["ibendport_type"])
+ valid_types = set(str(t) for t in q.results())
+ except:
+ valid_types = []
+
+ def __init__(self, store=""):
+ semanageRecords.__init__(self, store)
+
+ def __genkey(self, ibendport, ibdev_name):
+ if ibdev_name == "":
+ raise ValueError(_("IB device name is required"))
+
+ port = int(ibendport)
+
+ if port > 255 or port < 1:
+ raise ValueError(_("Invalid Port Number"))
+
+ (rc, k) = semanage_ibendport_key_create(self.sh, ibdev_name, port)
+ if rc < 0:
+ raise ValueError(_("Could not create a key for ibendport %s/%s") % (ibdev_name, ibendport))
+ return (k, ibdev_name, port)
+
+ def __add(self, ibendport, ibdev_name, serange, type):
+ if is_mls_enabled == 1:
+ if serange == "":
+ serange = "s0"
+ else:
+ serange = untranslate(serange)
+
+ if type == "":
+ raise ValueError(_("Type is required"))
+
+ if type not in self.valid_types:
+ raise ValueError(_("Type %s is invalid, must be an ibendport type") % type)
+ (k, ibendport, port) = self.__genkey(ibendport, ibdev_name)
+
+ (rc, exists) = semanage_ibendport_exists(self.sh, k)
+ if rc < 0:
+ raise ValueError(_("Could not check if ibendport %s/%s is defined") % (ibdev_name, port))
+ if exists:
+ raise ValueError(_("ibendport %s/%s already defined") % (ibdev_name, port))
+
+ (rc, p) = semanage_ibendport_create(self.sh)
+ if rc < 0:
+ raise ValueError(_("Could not create ibendport for %s/%s") % (ibdev_name, port))
+
+ semanage_ibendport_set_ibdev_name(self.sh, p, ibdev_name)
+ semanage_ibendport_set_port(p, port)
+ (rc, con) = semanage_context_create(self.sh)
+ if rc < 0:
+ raise ValueError(_("Could not create context for %s/%s") % (ibdev_name, port))
+
+ rc = semanage_context_set_user(self.sh, con, "system_u")
+ if rc < 0:
+ raise ValueError(_("Could not set user in ibendport context for %s/%s") % (ibdev_name, port))
+
+ rc = semanage_context_set_role(self.sh, con, "object_r")
+ if rc < 0:
+ raise ValueError(_("Could not set role in ibendport context for %s/%s") % (ibdev_name, port))
+
+ rc = semanage_context_set_type(self.sh, con, type)
+ if rc < 0:
+ raise ValueError(_("Could not set type in ibendport context for %s/%s") % (ibdev_name, port))
+
+ if (is_mls_enabled == 1) and (serange != ""):
+ rc = semanage_context_set_mls(self.sh, con, serange)
+ if rc < 0:
+ raise ValueError(_("Could not set mls fields in ibendport context for %s/%s") % (ibdev_name, port))
+
+ rc = semanage_ibendport_set_con(self.sh, p, con)
+ if rc < 0:
+ raise ValueError(_("Could not set ibendport context for %s/%s") % (ibdev_name, port))
+
+ rc = semanage_ibendport_modify_local(self.sh, k, p)
+ if rc < 0:
+ raise ValueError(_("Could not add ibendport %s/%s") % (ibdev_name, port))
+
+ semanage_context_free(con)
+ semanage_ibendport_key_free(k)
+ semanage_ibendport_free(p)
+
+ def add(self, ibendport, ibdev_name, serange, type):
+ self.begin()
+ self.__add(ibendport, ibdev_name, serange, type)
+ self.commit()
+
+ def __modify(self, ibendport, ibdev_name, serange, setype):
+ if serange == "" and setype == "":
+ if is_mls_enabled == 1:
+ raise ValueError(_("Requires setype or serange"))
+ else:
+ raise ValueError(_("Requires setype"))
+
+ if setype and setype not in self.valid_types:
+ raise ValueError(_("Type %s is invalid, must be an ibendport type") % setype)
+
+ (k, ibdev_name, port) = self.__genkey(ibendport, ibdev_name)
+
+ (rc, exists) = semanage_ibendport_exists(self.sh, k)
+ if rc < 0:
+ raise ValueError(_("Could not check if ibendport %s/%s is defined") % (ibdev_name, ibendport))
+ if not exists:
+ raise ValueError(_("ibendport %s/%s is not defined") % (ibdev_name, ibendport))
+
+ (rc, p) = semanage_ibendport_query(self.sh, k)
+ if rc < 0:
+ raise ValueError(_("Could not query ibendport %s/%s") % (ibdev_name, ibendport))
+
+ con = semanage_ibendport_get_con(p)
+
+ if (is_mls_enabled == 1) and (serange != ""):
+ semanage_context_set_mls(self.sh, con, untranslate(serange))
+ if setype != "":
+ semanage_context_set_type(self.sh, con, setype)
+
+ rc = semanage_ibendport_modify_local(self.sh, k, p)
+ if rc < 0:
+ raise ValueError(_("Could not modify ibendport %s/%s") % (ibdev_name, ibendport))
+
+ semanage_ibendport_key_free(k)
+ semanage_ibendport_free(p)
+
+ def modify(self, ibendport, ibdev_name, serange, setype):
+ self.begin()
+ self.__modify(ibendport, ibdev_name, serange, setype)
+ self.commit()
+
+ def deleteall(self):
+ (rc, plist) = semanage_ibendport_list_local(self.sh)
+ if rc < 0:
+ raise ValueError(_("Could not list the ibendports"))
+
+ self.begin()
+
+ for ibendport in plist:
+ (rc, ibdev_name) = semanage_ibendport_get_ibdev_name(self.sh, ibendport)
+ port = semanage_ibendport_get_port(ibendport)
+ (k, ibdev_name, port) = self.__genkey(str(port), ibdev_name)
+ if rc < 0:
+ raise ValueError(_("Could not create a key for %s/%d") % (ibdevname, port))
+
+ rc = semanage_ibendport_del_local(self.sh, k)
+ if rc < 0:
+ raise ValueError(_("Could not delete the ibendport %s/%d") % (ibdev_name, port))
+ semanage_ibendport_key_free(k)
+
+ self.commit()
+
+ def __delete(self, ibendport, ibdev_name):
+ (k, ibdev_name, port) = self.__genkey(ibendport, ibdev_name)
+ (rc, exists) = semanage_ibendport_exists(self.sh, k)
+ if rc < 0:
+ raise ValueError(_("Could not check if ibendport %s/%s is defined") % (ibdev_name, ibendport))
+ if not exists:
+ raise ValueError(_("ibendport %s/%s is not defined") % (ibdev_name, ibendport))
+
+ (rc, exists) = semanage_ibendport_exists_local(self.sh, k)
+ if rc < 0:
+ raise ValueError(_("Could not check if ibendport %s/%s is defined") % (ibdev_name, ibendport))
+ if not exists:
+ raise ValueError(_("ibendport %s/%s is defined in policy, cannot be deleted") % (ibdev_name, ibendport))
+
+ rc = semanage_ibendport_del_local(self.sh, k)
+ if rc < 0:
+ raise ValueError(_("Could not delete ibendport %s/%s") % (ibdev_name, ibendport))
+
+ semanage_ibendport_key_free(k)
+
+ def delete(self, ibendport, ibdev_name):
+ self.begin()
+ self.__delete(ibendport, ibdev_name)
+ self.commit()
+
+ def get_all(self, locallist=0):
+ ddict = {}
+ if locallist:
+ (rc, self.plist) = semanage_ibendport_list_local(self.sh)
+ else:
+ (rc, self.plist) = semanage_ibendport_list(self.sh)
+ if rc < 0:
+ raise ValueError(_("Could not list ibendports"))
+
+ for ibendport in self.plist:
+ con = semanage_ibendport_get_con(ibendport)
+ ctype = semanage_context_get_type(con)
+ if ctype == "reserved_ibendport_t":
+ continue
+ level = semanage_context_get_mls(con)
+ (rc, ibdev_name) = semanage_ibendport_get_ibdev_name(self.sh, ibendport)
+ port = semanage_ibendport_get_port(ibendport)
+ ddict[(port, ibdev_name)] = (ctype, level)
+ return ddict
+
+ def get_all_by_type(self, locallist=0):
+ ddict = {}
+ if locallist:
+ (rc, self.plist) = semanage_ibendport_list_local(self.sh)
+ else:
+ (rc, self.plist) = semanage_ibendport_list(self.sh)
+ if rc < 0:
+ raise ValueError(_("Could not list ibendports"))
+
+ for ibendport in self.plist:
+ con = semanage_ibendport_get_con(ibendport)
+ ctype = semanage_context_get_type(con)
+ (rc, ibdev_name) = semanage_ibendport_get_ibdev_name(self.sh, ibendport)
+ port = semanage_ibendport_get_port(ibendport)
+ if (ctype, ibdev_name) not in ddict.keys():
+ ddict[(ctype, ibdev_name)] = []
+ ddict[(ctype, ibdev_name)].append("0x%x" % port)
+ return ddict
+
+ def customized(self):
+ l = []
+ ddict = self.get_all(True)
+ keys = ddict.keys()
+ keys.sort()
+ for k in keys:
+ l.append("-a -t %s -r %s -z %s %s" % (ddict[k][0], ddict[k][1], k[1], k[0]))
+ return l
+
+ def list(self, heading=1, locallist=0):
+ ddict = self.get_all_by_type(locallist)
+ keys = ddict.keys()
+ if len(keys) == 0:
+ return
+ keys.sort()
+
+ if heading:
+ print "%-30s %-18s %s\n" % (_("SELinux IB End Port Type"), _("IB Device Name"), _("Port Number"))
+ for i in keys:
+ rec = "%-30s %-18s " % i
+ rec += "%s" % ddict[i][0]
+ for p in ddict[i][1:]:
+ rec += ", %s" % p
+ print rec
class nodeRecords(semanageRecords):
try:
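Review bot: `ibendportRecords.deleteall` raises `NameError` instead of the intended `ValueError`, because the message uses `ibdevname` while the variable assigned two lines earlier is `ibdev_name`; that `if rc < 0` test is also evaluated only after `self.__genkey` has already consumed the possibly invalid `ibdev_name`, so it should move directly under the `semanage_ibendport_get_ibdev_name` call (the ibpkey `deleteall` has the same ordering). Neither new class calls `self.mylog.log_change`, although the port, node, interface and fcontext classes gain such calls in this same change, so ibpkey and ibendport additions, modifications and deletions leave no audit trail; `op=add`/`op=modify`/`op=delete` records mirroring the port ones would keep the resource types consistent. The class-body `except:` that computes `valid_types` swallows every exception and turns any failure into a confusing "Type X is invalid" on every add; `except Exception:` plus a stderr diagnostic would make the real cause visible. In `ibendportRecords.__add` the tuple is unpacked as `(k, ibendport, port) = self.__genkey(...)`, so `ibendport` silently holds the device name from then on; `(k, ibdev_name, port)`, as in `__modify`, is what was meant.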
@@ -1380,6 +1913,8 @@ class nodeRecords(semanageRecords):
semanage_node_key_free(k)
semanage_node_free(node)
+ self.mylog.log_change("resrc=node op=add laddr=%s netmask=%s proto=%s tcontext=%s:%s:%s:%s" % (addr, mask, socket.getprotobyname(self.protocol[proto]), "system_u", "object_r", ctype, serange))
+
def add(self, addr, mask, proto, serange, ctype):
self.begin()
self.__add(addr, mask, proto, serange, ctype)
@@ -1421,6 +1956,8 @@ class nodeRecords(semanageRecords):
semanage_node_key_free(k)
semanage_node_free(node)
+ self.mylog.log_change("resrc=node op=modify laddr=%s netmask=%s proto=%s tcontext=%s:%s:%s:%s" % (addr, mask, socket.getprotobyname(self.protocol[proto]), "system_u", "object_r", setype, serange))
+
def modify(self, addr, mask, proto, serange, setype):
self.begin()
self.__modify(addr, mask, proto, serange, setype)
@@ -1452,6 +1989,8 @@ class nodeRecords(semanageRecords):
semanage_node_key_free(k)
+ self.mylog.log_change("resrc=node op=delete laddr=%s netmask=%s proto=%s" % (addr, mask, socket.getprotobyname(self.protocol[proto])))
+
def delete(self, addr, mask, proto):
self.begin()
self.__delete(addr, mask, proto)
@@ -1581,6 +2120,8 @@ class interfaceRecords(semanageRecords):
semanage_iface_key_free(k)
semanage_iface_free(iface)
+ self.mylog.log_change("resrc=interface op=add netif=%s tcontext=%s:%s:%s:%s" % (interface, "system_u", "object_r", ctype, serange))
+
def add(self, interface, serange, ctype):
self.begin()
self.__add(interface, serange, ctype)
@@ -1618,6 +2159,8 @@ class interfaceRecords(semanageRecords):
semanage_iface_key_free(k)
semanage_iface_free(iface)
+ self.mylog.log_change("resrc=interface op=modify netif=%s tcontext=%s:%s:%s:%s" % (interface, "system_u", "object_r", setype, serange))
+
def modify(self, interface, serange, setype):
self.begin()
self.__modify(interface, serange, setype)
@@ -1646,6 +2189,8 @@ class interfaceRecords(semanageRecords):
semanage_iface_key_free(k)
+ self.mylog.log_change("resrc=interface op=delete netif=%s" % interface)
+
def delete(self, interface):
self.begin()
self.__delete(interface)
@@ -1775,6 +2320,8 @@ class fcontextRecords(semanageRecords):
if i.startswith(target + "/"):
raise ValueError(_("File spec %s conflicts with equivalency rule '%s %s'") % (target, i, fdict[i]))
+ self.mylog.log_change("resrc=fcontext op=add-equal %s %s" % (audit.audit_encode_nv_string("sglob", target, 0), audit.audit_encode_nv_string("tglob", substitute, 0)))
+
self.equiv[target] = substitute
self.equal_ind = True
self.commit()
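Review bot: `audit.audit_encode_nv_string` is called here from `fcontextRecords`, but `audit` is only bound if the `import audit` inside the `try` block near the top succeeded; when that import fails the `except (OSError, ImportError)` branch installs the fallback logger and every fcontext add/modify/delete then dies with `NameError` on `audit` (the same pattern appears at the `op=modify-equal`, `op=add`, `op=modify`, `op=delete` and `op=delete-equal` records below). The encoding belongs on the logger rather than at the call sites, e.g. an `encode_nv(self, name, value)` method that the audit-backed class implements with `audit.audit_encode_nv_string(name, value, 0)` and the fallback and null loggers with a plain `"%s=%s" % (name, value)`; this line then becomes `self.mylog.log_change("resrc=fcontext op=add-equal %s %s" % (self.mylog.encode_nv("sglob", target), self.mylog.encode_nv("tglob", substitute)))`. The enclosing method begins outside this hunk.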
@@ -1785,6 +2332,9 @@ class fcontextRecords(semanageRecords):
raise ValueError(_("Equivalence class for %s does not exists") % target)
self.equiv[target] = substitute
self.equal_ind = True
+
+ self.mylog.log_change("resrc=fcontext op=modify-equal %s %s" % (audit.audit_encode_nv_string("sglob", target, 0), audit.audit_encode_nv_string("tglob", substitute, 0)))
+
self.commit()
def createcon(self, target, seuser="system_u"):
@@ -1879,6 +2429,11 @@ class fcontextRecords(semanageRecords):
semanage_fcontext_key_free(k)
semanage_fcontext_free(fcontext)
+ if not seuser:
+ seuser = "system_u"
+
+ self.mylog.log_change("resrc=fcontext op=add %s ftype=%s tcontext=%s:%s:%s:%s" % (audit.audit_encode_nv_string("tglob", target, 0), ftype_to_audit[ftype], seuser, "object_r", type, serange))
+
def add(self, target, type, ftype="", serange="", seuser="system_u"):
self.begin()
self.__add(target, type, ftype, serange, seuser)
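Review bot: `ftype_to_audit[ftype]` raises `KeyError` for any ftype spelling other than the one-letter codes, yet the `file_types` table in this module appears to accept other forms as well (`"--"`, `"-d"`, `"regular file"` are visible in the new `seobject/__init__.py`), and the lookup runs after the key and fcontext have been freed, i.e. presumably after the local change was made, so an unrecognised spelling leaves a half-applied transaction and a traceback instead of a committed change; the `op=modify` and `op=delete` records below index the table the same way. `ftype_to_audit.get(ftype, "any")`, or keying the table by the `file_types` value, makes the record robust. Defaulting `seuser` to `"system_u"` only for the log, after the context has already been written, is harmless but suggests the default should be applied once at the top of `__add` so the stored context and the record cannot diverge. `__add` begins outside this hunk.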
@@ -1888,7 +2443,7 @@ class fcontextRecords(semanageRecords):
if serange == "" and setype == "" and seuser == "":
raise ValueError(_("Requires setype, serange or seuser"))
if setype and setype not in self.valid_types:
- raise ValueError(_("Type %s is invalid, must be a port type") % setype)
+ raise ValueError(_("Type %s is invalid, must be a file or device type") % setype)
self.validate(target)
@@ -1904,10 +2459,12 @@ class fcontextRecords(semanageRecords):
if not exists:
raise ValueError(_("File context for %s is not defined") % target)
- (rc, fcontext) = semanage_fcontext_query_local(self.sh, k)
- if rc < 0:
- (rc, fcontext) = semanage_fcontext_query(self.sh, k)
- if rc < 0:
+ try:
+ (rc, fcontext) = semanage_fcontext_query_local(self.sh, k)
+ except OSError:
+ try:
+ (rc, fcontext) = semanage_fcontext_query(self.sh, k)
+ except OSError:
raise ValueError(_("Could not query file context for %s") % target)
if setype != "<<none>>":
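Review bot: Replacing the `rc < 0` tests with `except OSError` drops the return-code check entirely, so if the binding for `semanage_fcontext_query_local`/`semanage_fcontext_query` reports failure through a negative `rc` rather than by raising (which is exactly what the pre-change code assumed), the failure is now ignored and `fcontext` is used unchecked on the next line. Keeping a single `if rc < 0: raise ValueError(_("Could not query file context for %s") % target)` after the try/except covers both conventions at no cost; alternatively a comment stating that the SWIG wrapper raises `OSError` on failure would document why the check was removed. `__modify` continues outside this hunk.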
@@ -1939,6 +2496,11 @@ class fcontextRecords(semanageRecords):
semanage_fcontext_key_free(k)
semanage_fcontext_free(fcontext)
+ if not seuser:
+ seuser = "system_u"
+
+ self.mylog.log_change("resrc=fcontext op=modify %s ftype=%s tcontext=%s:%s:%s:%s" % (audit.audit_encode_nv_string("tglob", target, 0), ftype_to_audit[ftype], seuser, "object_r", setype, serange))
+
def modify(self, target, setype, ftype, serange, seuser):
self.begin()
self.__modify(target, setype, ftype, serange, seuser)
@@ -1964,6 +2526,8 @@ class fcontextRecords(semanageRecords):
raise ValueError(_("Could not delete the file context %s") % target)
semanage_fcontext_key_free(k)
+ self.mylog.log_change("resrc=fcontext op=delete %s ftype=%s" % (audit.audit_encode_nv_string("tglob", target, 0), ftype_to_audit[file_type_str_to_option[ftype_str]]))
+
self.equiv = {}
self.equal_ind = True
self.commit()
@@ -1972,6 +2536,9 @@ class fcontextRecords(semanageRecords):
if target in self.equiv.keys():
self.equiv.pop(target)
self.equal_ind = True
+
+ self.mylog.log_change("resrc=fcontext op=delete-equal %s" % (audit.audit_encode_nv_string("tglob", target, 0)))
+
return
(rc, k) = semanage_fcontext_key_create(self.sh, target, file_types[ftype])
@@ -1996,6 +2563,8 @@ class fcontextRecords(semanageRecords):
semanage_fcontext_key_free(k)
+ self.mylog.log_change("resrc=fcontext op=delete %s ftype=%s" % (audit.audit_encode_nv_string("tglob", target, 0), ftype_to_audit[ftype]))
+
def delete(self, target, ftype):
self.begin()
self.__delete(target, ftype)
@@ -2009,10 +2578,15 @@ class fcontextRecords(semanageRecords):
if rc < 0:
raise ValueError(_("Could not list file contexts"))
+ (rc, fchomedirs) = semanage_fcontext_list_homedirs(self.sh)
+ if rc < 0:
+ raise ValueError(_("Could not list file contexts for home directories"))
+
(rc, fclocal) = semanage_fcontext_list_local(self.sh)
if rc < 0:
raise ValueError(_("Could not list local file contexts"))
+ self.flist += fchomedirs
self.flist += fclocal
ddict = {}
diff --git policycoreutils-2.5/semanage/seobject/__init__.py policycoreutils-2.5/semanage/seobject/__init__.py
new file mode 100644
index 0000000..bd05764
--- /dev/null
+++ policycoreutils-2.5/semanage/seobject/__init__.py
@@ -0,0 +1,2836 @@
+#! /usr/bin/python -Es
+# Copyright (C) 2005-2013 Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# semanage is a tool for managing SELinux configuration files
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation; either version 2 of
+# the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
+# 02111-1307 USA
+#
+#
+import pwd
+import grp
+import string
+import selinux
+import tempfile
+import os
+import re
+import sys
+import stat
+import shutil
+import socket
+from semanage import *
+PROGNAME = "policycoreutils"
+import sepolicy
+from sepolicy import boolean_desc, boolean_category, gen_bool_dict
+gen_bool_dict()
+from IPy import IP
+
+import gettext
+gettext.bindtextdomain(PROGNAME, "/usr/share/locale")
+gettext.textdomain(PROGNAME)
+try:
+ gettext.install(PROGNAME,
+ unicode=True,
+ codeset = 'utf-8')
+except TypeError:
+ # Failover to python3 install
+ gettext.install(PROGNAME,
+ codeset = 'utf-8')
+except IOError:
+ import builtins
+ builtins.__dict__['_'] = str
+
+is_mls_enabled = True
+
+import syslog
+
+file_types = {}
+file_types[""] = SEMANAGE_FCONTEXT_ALL
+file_types["all files"] = SEMANAGE_FCONTEXT_ALL
+file_types["a"] = SEMANAGE_FCONTEXT_ALL
+file_types["regular file"] = SEMANAGE_FCONTEXT_REG
+file_types["--"] = SEMANAGE_FCONTEXT_REG
+file_types["f"] = SEMANAGE_FCONTEXT_REG
+file_types["-d"] = SEMANAGE_FCONTEXT_DIR
+file_types["directory"] = SEMANAGE_FCONTEXT_DIR
+file_types["d"] = SEMANAGE_FCONTEXT_DIR
+file_types["-c"] = SEMANAGE_FCONTEXT_CHAR
+file_types["character device"] = SEMANAGE_FCONTEXT_CHAR
+file_types["c"] = SEMANAGE_FCONTEXT_CHAR
+file_types["-b"] = SEMANAGE_FCONTEXT_BLOCK
+file_types["block device"] = SEMANAGE_FCONTEXT_BLOCK
+file_types["b"] = SEMANAGE_FCONTEXT_BLOCK
+file_types["-s"] = SEMANAGE_FCONTEXT_SOCK
+file_types["socket"] = SEMANAGE_FCONTEXT_SOCK
+file_types["s"] = SEMANAGE_FCONTEXT_SOCK
+file_types["-l"] = SEMANAGE_FCONTEXT_LINK
+file_types["l"] = SEMANAGE_FCONTEXT_LINK
+file_types["symbolic link"] = SEMANAGE_FCONTEXT_LINK
+file_types["p"] = SEMANAGE_FCONTEXT_PIPE
+file_types["-p"] = SEMANAGE_FCONTEXT_PIPE
+file_types["named pipe"] = SEMANAGE_FCONTEXT_PIPE
+
+file_type_str_to_option = {"all files": "a",
+ "regular file":"f",
+ "directory":"d",
+ "character device":"c",
+ "block device":"b",
+ "socket":"s",
+ "symbolic link":"l",
+ "named pipe":"p"}
+
+ftype_to_audit = {"": "any",
+ "a": "any",
+ "b": "block",
+ "c": "char",
+ "d": "dir",
+ "f": "file",
+ "l": "symlink",
+ "p": "pipe",
+ "s": "socket"}
+
+try:
+ import audit
+ #test if audit module is enabled
+ audit.audit_close(audit.audit_open())
+
+ class logger:
+ def __init__(self):
+ self.audit_fd = audit.audit_open()
+ self.log_list = []
+ self.log_change_list = []
+
+ def log(self, msg, name="", sename="", serole="", serange="", oldsename="", oldserole="", oldserange=""):
+
+ sep = "-"
+ if sename != oldsename:
+ msg += sep + "sename"
+ sep = ","
+ if serole != oldserole:
+ msg += sep + "role"
+ sep = ","
+ if serange != oldserange:
+ msg += sep + "range"
+ sep = ","
+
+ self.log_list.append([self.audit_fd, audit.AUDIT_ROLE_ASSIGN, sys.argv[0], str(msg), name, 0, sename, serole, serange, oldsename, oldserole, oldserange, "", "", ""])
+
+ def log_remove(self, msg, name="", sename="", serole="", serange="", oldsename="", oldserole="", oldserange=""):
+ self.log_list.append([self.audit_fd, audit.AUDIT_ROLE_REMOVE, sys.argv[0], str(msg), name, 0, sename, serole, serange, oldsename, oldserole, oldserange, "", "", ""])
+
+ def log_change(self, msg):
+ self.log_change_list.append([self.audit_fd, audit.AUDIT_USER_MAC_CONFIG_CHANGE, str(msg), "semanage", "", "", ""])
+
+ def commit(self, success):
+ for l in self.log_list:
+ audit.audit_log_semanage_message(*(l + [success]))
+ for l in self.log_change_list:
+ audit.audit_log_user_comm_message(*(l + [success]))
+ self.log_list = []
+ self.log_change_list = []
+except OSError, ImportError:
+ class logger:
+ def __init__(self):
+ self.log_list = []
+
+ def log(self, msg, name="", sename="", serole="", serange="", oldsename="", oldserole="", oldserange=""):
+ message = " %s name=%s" % (msg, name)
+ if sename != "":
+ message += " sename=" + sename
+ if oldsename != "":
+ message += " oldsename=" + oldsename
+ if serole != "":
+ message += " role=" + serole
+ if oldserole != "":
+ message += " old_role=" + oldserole
+ if serange != "" and serange != None:
+ message += " MLSRange=" + serange
+ if oldserange != "" and oldserange != None:
+ message += " old_MLSRange=" + oldserange
+ self.log_list.append(message)
+
+ def log_remove(self, msg, name="", sename="", serole="", serange="", oldsename="", oldserole="", oldserange=""):
+ self.log(msg, name, sename, serole, serange, oldsename, oldserole, oldserange)
+
+ def log_change(self, msg):
+ self.log_list.append(" %s" % msg)
+
+ def commit(self, success):
+ if success == 1:
+ message = "Successful: "
+ else:
+ message = "Failed: "
+ for l in self.log_list:
+ syslog.syslog(syslog.LOG_INFO, message + l)
+
+class nulllogger:
+ def log(self, msg, name="", sename="", serole="", serange="", oldsename="", oldserole="", oldserange=""):
+ pass
+
+ def log_remove(self, msg, name="", sename="", serole="", serange="", oldsename="", oldserole="", oldserange=""):
+ pass
+
+ def log_change(self, msg):
+ pass
+
+ def commit(self, success):
+ pass
+
+def validate_level(raw):
+ sensitivity = "s[0-9]*"
+ category = "c[0-9]*"
+ cat_range = category + "(\." + category +")?"
+ categories = cat_range + "(\," + cat_range + ")*"
+ reg = sensitivity + "(-" + sensitivity + ")?" + "(:" + categories + ")?"
+ return re.search("^" + reg +"$", raw)
+
+def translate(raw, prepend=1):
+ filler = "a:b:c:"
+ if prepend == 1:
+ context = "%s%s" % (filler, raw)
+ else:
+ context = raw
+ (rc, trans) = selinux.selinux_raw_to_trans_context(context)
+ if rc != 0:
+ return raw
+ if prepend:
+ trans = trans[len(filler):]
+ if trans == "":
+ return raw
+ else:
+ return trans
+
+def untranslate(trans, prepend=1):
+ filler = "a:b:c:"
+ if prepend == 1:
+ context = "%s%s" % (filler, trans)
+ else:
+ context = trans
+
+ (rc, raw) = selinux.selinux_trans_to_raw_context(context)
+ if rc != 0:
+ return trans
+ if prepend:
+ raw = raw[len(filler):]
+ if raw == "":
+ return trans
+ else:
+ return raw
+
+
+class semanageRecords:
+ transaction = False
+ handle = None
+ store = None
+
+ def __init__(self, store):
+ global handle
+ self.noreload = False
+ self.sh = self.get_handle(store)
+
+ rc, localstore = selinux.selinux_getpolicytype()
+ if store == "" or store == localstore:
+ self.mylog = logger()
+ else:
+ self.mylog = nulllogger()
+
+ def set_reload(self, load):
+ if not load:
+ self.noreload = True
+
+ def get_handle(self, store):
+ global is_mls_enabled
+
+ if semanageRecords.handle:
+ return semanageRecords.handle
+
+ handle = semanage_handle_create()
+ if not handle:
+ raise ValueError(_("Could not create semanage handle"))
+
+ if not semanageRecords.transaction and store != "":
+ semanage_select_store(handle, store, SEMANAGE_CON_DIRECT)
+ semanageRecords.store = store
+
+ if not semanage_is_managed(handle):
+ semanage_handle_destroy(handle)
+ raise ValueError(_("SELinux policy is not managed or store cannot be accessed."))
+
+ rc = semanage_access_check(handle)
+ if rc < SEMANAGE_CAN_READ:
+ semanage_handle_destroy(handle)
+ raise ValueError(_("Cannot read policy store."))
+
+ rc = semanage_connect(handle)
+ if rc < 0:
+ semanage_handle_destroy(handle)
+ raise ValueError(_("Could not establish semanage connection"))
+
+ is_mls_enabled = semanage_mls_enabled(handle)
+ if is_mls_enabled < 0:
+ semanage_handle_destroy(handle)
+ raise ValueError(_("Could not test MLS enabled status"))
+
+ semanageRecords.handle = handle
+ return semanageRecords.handle
+
+ def deleteall(self):
+ raise ValueError(_("Not yet implemented"))
+
+ def start(self):
+ if semanageRecords.transaction:
+ raise ValueError(_("Semanage transaction already in progress"))
+ self.begin()
+ semanageRecords.transaction = True
+
+ def begin(self):
+ if semanageRecords.transaction:
+ return
+ rc = semanage_begin_transaction(self.sh)
+ if rc < 0:
+ raise ValueError(_("Could not start semanage transaction"))
+
+ def customized(self):
+ raise ValueError(_("Not yet implemented"))
+
+ def commit(self):
+ if semanageRecords.transaction:
+ return
+
+ if self.noreload:
+ semanage_set_reload(self.sh, 0)
+ rc = semanage_commit(self.sh)
+ if rc < 0:
+ self.mylog.commit(0)
+ raise ValueError(_("Could not commit semanage transaction"))
+ self.mylog.commit(1)
+
+ def finish(self):
+ if not semanageRecords.transaction:
+ raise ValueError(_("Semanage transaction not in progress"))
+ semanageRecords.transaction = False
+ self.commit()
+
+
+class moduleRecords(semanageRecords):
+
+ def __init__(self, store):
+ semanageRecords.__init__(self, store)
+
+ def get_all(self):
+ l = []
+ (rc, mlist, number) = semanage_module_list_all(self.sh)
+ if rc < 0:
+ raise ValueError(_("Could not list SELinux modules"))
+
+ for i in range(number):
+ mod = semanage_module_list_nth(mlist, i)
+
+ rc, name = semanage_module_info_get_name(self.sh, mod)
+ if rc < 0:
+ raise ValueError(_("Could not get module name"))
+
+ rc, enabled = semanage_module_info_get_enabled(self.sh, mod)
+ if rc < 0:
+ raise ValueError(_("Could not get module enabled"))
+
+ rc, priority = semanage_module_info_get_priority(self.sh, mod)
+ if rc < 0:
+ raise ValueError(_("Could not get module priority"))
+
+ rc, lang_ext = semanage_module_info_get_lang_ext(self.sh, mod)
+ if rc < 0:
+ raise ValueError(_("Could not get module lang_ext"))
+
+ l.append((name, enabled, priority, lang_ext))
+
+ # sort the list so they are in name order, but with higher priorities coming first
+ l.sort(key=lambda t: t[3], reverse=True)
+ l.sort(key=lambda t: t[0])
+ return l
+
+ def customized(self):
+ ALL = self.get_all()
+ if len(ALL) == 0:
+ return
+ return ["-d %s" % x[0] for x in [t for t in ALL if t[1] == 0]]
+
+ def list(self, heading=True, locallist=False):
+ ALL = self.get_all()
+ if len(ALL) == 0:
+ return
+
+ if heading:
+ print("\n%-25s %-9s %s\n" % (_("Module Name"), _("Priority"), _("Language")))
+ for t in ALL:
+ if t[1] == 0:
+ disabled = _("Disabled")
+ else:
+ if locallist:
+ continue
+ disabled = ""
+ print("%-25s %-9s %-5s %s" % (t[0], t[2], t[3], disabled))
+
+ def add(self, module, priority):
+ if not module:
+ raise ValueError(_("You did not define module name."))
+ if not os.path.exists(module):
+ raise ValueError(_("Module does not exists %s ") % module)
+
+ rc = semanage_set_default_priority(self.sh, priority)
+ if rc < 0:
+ raise ValueError(_("Invalid priority %d (needs to be between 1 and 999)") % priority)
+
+ rc = semanage_module_install_file(self.sh, module)
+ if rc >= 0:
+ self.commit()
+
+ def set_enabled(self, module, enable):
+ if not module:
+ raise ValueError(_("You did not define module name."))
+ for m in module.split():
+ rc, key = semanage_module_key_create(self.sh)
+ if rc < 0:
+ raise ValueError(_("Could not create module key"))
+
+ rc = semanage_module_key_set_name(self.sh, key, m)
+ if rc < 0:
+ raise ValueError(_("Could not set module key name"))
+
+ rc = semanage_module_set_enabled(self.sh, key, enable)
+ if rc < 0:
+ if enable:
+ raise ValueError(_("Could not enable module %s") % m)
+ else:
+ raise ValueError(_("Could not disable module %s") % m)
+ self.commit()
+
+ # Obsolete - "add()" does the same while allowing the user to set priority
+ def modify(self, file):
+ if not os.path.exists(file):
+ raise ValueError(_("Module does not exists %s ") % file)
+
+ # Priority was left unchanged, default is 400
+ rc = semanage_module_install_file(self.sh, file)
+ if rc >= 0:
+ self.commit()
+
+ def delete(self, module, priority):
+ if not module:
+ raise ValueError(_("You did not define module name."))
+ rc = semanage_set_default_priority(self.sh, priority)
+ if rc < 0:
+ raise ValueError(_("Invalid priority %d (needs to be between 1 and 999)") % priority)
+
+ for m in module.split():
+ rc = semanage_module_remove(self.sh, m)
+ if rc < 0 and rc != -2:
+ raise ValueError(_("Could not remove module %s (remove failed)") % m)
+
+ self.commit()
+
+ def deleteall(self):
+ l = [x[0] for x in [t for t in self.get_all() if t[1] == 0]]
+ for m in l:
+ self.set_enabled(m, True)
+
+
+class dontauditClass(semanageRecords):
+
+ def __init__(self, store):
+ semanageRecords.__init__(self, store)
+
+ def toggle(self, dontaudit):
+ if dontaudit not in ["on", "off"]:
+ raise ValueError(_("dontaudit requires either 'on' or 'off'"))
+ self.begin()
+ rc = semanage_set_disable_dontaudit(self.sh, dontaudit == "off")
+ self.commit()
+
+
+class permissiveRecords(semanageRecords):
+
+ def __init__(self, store):
+ semanageRecords.__init__(self, store)
+
+ def get_all(self):
+ l = []
+ (rc, mlist, number) = semanage_module_list(self.sh)
+ if rc < 0:
+ raise ValueError(_("Could not list SELinux modules"))
+
+ for i in range(number):
+ mod = semanage_module_list_nth(mlist, i)
+ name = semanage_module_get_name(mod)
+ if name and name.startswith("permissive_"):
+ l.append(name.split("permissive_")[1])
+ return l
+
+ def list(self, heading=True, locallist=False):
+ ALL = [y["name"] for y in [x for x in sepolicy.info(sepolicy.TYPE) if x["permissive"]]]
+ if len(ALL) == 0:
+ return
+
+ customized = self.get_all()
+ if heading:
+ print("\n%-25s\n" % (_("Customized Permissive Types")))
+ for t in customized:
+ print(t)
+
+ if locallist:
+ return
+
+ if heading:
+ print("\n%-25s\n" % (_("Builtin Permissive Types")))
+
+ for t in ALL:
+ if t not in customized:
+ print(t)
+
+ def add(self, setype):
+ import glob
+ if setype not in sepolicy.get_all_domains():
+ raise ValueError(_("%s is not a domain type") % setype )
+
+ try:
+ import sepolgen.module as module
+ except ImportError:
+ raise ValueError(_("The sepolgen python module is required to setup permissive domains.\nIn some distributions it is included in the policycoreutils-devel patckage.\n# yum install policycoreutils-devel\nOr similar for your distro."))
+
+ name = "permissive_%s" % setype
+ modtxt = "(typepermissive %s)" % setype
+
+ rc = semanage_module_install(self.sh, modtxt, len(modtxt), name, "cil")
+ if rc >= 0:
+ self.commit()
+
+ if rc < 0:
+ raise ValueError(_("Could not set permissive domain %s (module installation failed)") % name)
+
+ def delete(self, name):
+ for n in name.split():
+ rc = semanage_module_remove(self.sh, "permissive_%s" % n)
+ if rc < 0:
+ raise ValueError(_("Could not remove permissive domain %s (remove failed)") % name)
+
+ self.commit()
+
+ def deleteall(self):
+ l = self.get_all()
+ if len(l) > 0:
+ self.delete(" ".join(l))
+
+class loginRecords(semanageRecords):
+ def __init__(self, store=""):
+ semanageRecords.__init__(self, store)
+ self.oldsename = None
+ self.oldserange = None
+ self.sename = None
+ self.serange = None
+
+ def __add(self, name, sename, serange):
+ rec, self.oldsename, self.oldserange = selinux.getseuserbyname(name)
+ if sename == "":
+ sename = "user_u"
+
+ userrec = seluserRecords()
+ (rc, oldserole) = userrec.get(self.oldsename)[1]
+ RANGE, (rc, serole) = userrec.get(sename)
+
+ if is_mls_enabled == 1:
+ if serange:
+ serange = untranslate(serange)
+ else:
+ serange = RANGE
+
+ (rc, k) = semanage_seuser_key_create(self.sh, name)
+ if rc < 0:
+ raise ValueError(_("Could not create a key for %s") % name)
+
+ (rc, exists) = semanage_seuser_exists(self.sh, k)
+ if rc < 0:
+ raise ValueError(_("Could not check if login mapping for %s is defined") % name)
+ if exists:
+ semanage_seuser_key_free(k)
+ return self.__modify(name, sename, serange)
+
+ if name[0] == '%':
+ try:
+ grp.getgrnam(name[1:])
+ except:
+ raise ValueError(_("Linux Group %s does not exist") % name[1:])
+ else:
+ try:
+ pwd.getpwnam(name)
+ except:
+ raise ValueError(_("Linux User %s does not exist") % name)
+
+ (rc, u) = semanage_seuser_create(self.sh)
+ if rc < 0:
+ raise ValueError(_("Could not create login mapping for %s") % name)
+
+ rc = semanage_seuser_set_name(self.sh, u, name)
+ if rc < 0:
+ raise ValueError(_("Could not set name for %s") % name)
+
+ if serange:
+ rc = semanage_seuser_set_mlsrange(self.sh, u, serange)
+ if rc < 0:
+ raise ValueError(_("Could not set MLS range for %s") % name)
+
+ rc = semanage_seuser_set_sename(self.sh, u, sename)
+ if rc < 0:
+ raise ValueError(_("Could not set SELinux user for %s") % name)
+
+ rc = semanage_seuser_modify_local(self.sh, k, u)
+ if rc < 0:
+ raise ValueError(_("Could not add login mapping for %s") % name)
+
+ semanage_seuser_key_free(k)
+ semanage_seuser_free(u)
+
+ def add(self, name, sename, serange):
+ try:
+ self.begin()
+ self.__add(name, sename, serange)
+ self.commit()
+ except ValueError as error:
+ raise error
+
+ def __modify(self, name, sename="", serange=None):
+ rec, self.oldsename, self.oldserange = selinux.getseuserbyname(name)
+ if sename == "" and not serange:
+ raise ValueError(_("Requires seuser or serange"))
+
+ userrec = seluserRecords()
+ RANGE, (rc, oldserole) = userrec.get(self.oldsename)
+
+ if sename != "":
+ RANGE, (rc, serole) = userrec.get(sename)
+ else:
+ serole = oldserole
+
+ if serange:
+ self.serange = serange
+ else:
+ self.serange = RANGE
+
+ (rc, k) = semanage_seuser_key_create(self.sh, name)
+ if rc < 0:
+ raise ValueError(_("Could not create a key for %s") % name)
+
+ (rc, exists) = semanage_seuser_exists(self.sh, k)
+ if rc < 0:
+ raise ValueError(_("Could not check if login mapping for %s is defined") % name)
+ if not exists:
+ raise ValueError(_("Login mapping for %s is not defined") % name)
+
+ (rc, u) = semanage_seuser_query(self.sh, k)
+ if rc < 0:
+ raise ValueError(_("Could not query seuser for %s") % name)
+
+ self.oldserange = semanage_seuser_get_mlsrange(u)
+ self.oldsename = semanage_seuser_get_sename(u)
+ if serange:
+ semanage_seuser_set_mlsrange(self.sh, u, untranslate(serange))
+
+ if sename != "":
+ semanage_seuser_set_sename(self.sh, u, sename)
+ self.sename = sename
+ else:
+ self.sename = self.oldsename
+
+ rc = semanage_seuser_modify_local(self.sh, k, u)
+ if rc < 0:
+ raise ValueError(_("Could not modify login mapping for %s") % name)
+
+ semanage_seuser_key_free(k)
+ semanage_seuser_free(u)
+
+ def modify(self, name, sename="", serange=None):
+ try:
+ self.begin()
+ self.__modify(name, sename, serange)
+ self.commit()
+ except ValueError as error:
+ raise error
+
+ def __delete(self, name):
+ rec, self.oldsename, self.oldserange = selinux.getseuserbyname(name)
+ userrec = seluserRecords()
+ RANGE, (rc, oldserole) = userrec.get(self.oldsename)
+
+ (rc, k) = semanage_seuser_key_create(self.sh, name)
+ if rc < 0:
+ raise ValueError(_("Could not create a key for %s") % name)
+
+ (rc, exists) = semanage_seuser_exists(self.sh, k)
+ if rc < 0:
+ raise ValueError(_("Could not check if login mapping for %s is defined") % name)
+ if not exists:
+ raise ValueError(_("Login mapping for %s is not defined") % name)
+
+ (rc, exists) = semanage_seuser_exists_local(self.sh, k)
+ if rc < 0:
+ raise ValueError(_("Could not check if login mapping for %s is defined") % name)
+ if not exists:
+ raise ValueError(_("Login mapping for %s is defined in policy, cannot be deleted") % name)
+
+ rc = semanage_seuser_del_local(self.sh, k)
+ if rc < 0:
+ raise ValueError(_("Could not delete login mapping for %s") % name)
+
+ semanage_seuser_key_free(k)
+
+ rec, self.sename, self.serange = selinux.getseuserbyname("__default__")
+ RANGE, (rc, serole) = userrec.get(self.sename)
+
+ def delete(self, name):
+ try:
+ self.begin()
+ self.__delete(name)
+ self.commit()
+
+ except ValueError as error:
+ raise error
+
+ def deleteall(self):
+ (rc, ulist) = semanage_seuser_list_local(self.sh)
+ if rc < 0:
+ raise ValueError(_("Could not list login mappings"))
+
+ try:
+ self.begin()
+ for u in ulist:
+ self.__delete(semanage_seuser_get_name(u))
+ self.commit()
+ except ValueError as error:
+ raise error
+
+ def get_all_logins(self):
+ ddict = {}
+ self.logins_path = selinux.selinux_policy_root() + "/logins"
+ for path, dirs, files in os.walk(self.logins_path):
+ if path == self.logins_path:
+ for name in files:
+ try:
+ fd = open(path + "/" + name)
+ rec = fd.read().rstrip().split(":")
+ fd.close()
+ ddict[name] = (rec[1], rec[2], rec[0])
+ except IndexError:
+ pass
+ return ddict
+
+ def get_all(self, locallist=False):
+ ddict = {}
+ if locallist:
+ (rc, self.ulist) = semanage_seuser_list_local(self.sh)
+ else:
+ (rc, self.ulist) = semanage_seuser_list(self.sh)
+ if rc < 0:
+ raise ValueError(_("Could not list login mappings"))
+
+ for u in self.ulist:
+ name = semanage_seuser_get_name(u)
+ ddict[name] = (semanage_seuser_get_sename(u), semanage_seuser_get_mlsrange(u), "*")
+ return ddict
+
+ def customized(self):
+ l = []
+ ddict = self.get_all(True)
+ keys = list(ddict.keys())
+ keys.sort()
+ for k in keys:
+ l.append("-a -s %s -r '%s' %s" % (ddict[k][0], ddict[k][1], k))
+ return l
+
+ def list(self,heading=True, locallist=False):
+ ddict = self.get_all(locallist)
+ ldict = self.get_all_logins()
+ lkeys = list(ldict.keys())
+ keys = list(ddict.keys())
+ if len(keys) == 0 and len(lkeys) == 0:
+ return
+ keys.sort()
+ lkeys.sort()
+
+ if is_mls_enabled == 1:
+ if heading:
+ print("\n%-20s %-20s %-20s %s\n" % (_("Login Name"), _("SELinux User"), _("MLS/MCS Range"), _("Service")))
+ for k in keys:
+ u = ddict[k]
+ print("%-20s %-20s %-20s %s" % (k, u[0], translate(u[1]), u[2]))
+ if len(lkeys):
+ print("\nLocal customization in %s" % self.logins_path)
+
+ for k in lkeys:
+ u = ldict[k]
+ print("%-20s %-20s %-20s %s" % (k, u[0], translate(u[1]), u[2]))
+ else:
+ if heading:
+ print("\n%-25s %-25s\n" % (_("Login Name"), _("SELinux User")))
+ for k in keys:
+ print("%-25s %-25s" % (k, ddict[k][0]))
+
+class seluserRecords(semanageRecords):
+ def __init__(self, store=""):
+ semanageRecords.__init__(self, store)
+
+ def get(self, name):
+ (rc, k) = semanage_user_key_create(self.sh, name)
+ if rc < 0:
+ raise ValueError(_("Could not create a key for %s") % name)
+ (rc, exists) = semanage_user_exists(self.sh, k)
+ if rc < 0:
+ raise ValueError(_("Could not check if SELinux user %s is defined") % name)
+ (rc, u) = semanage_user_query(self.sh, k)
+ if rc < 0:
+ raise ValueError(_("Could not query user for %s") % name)
+ serange = semanage_user_get_mlsrange(u)
+ serole = semanage_user_get_roles(self.sh, u)
+ semanage_user_key_free(k)
+ semanage_user_free(u)
+ return serange, serole
+
+ def __add(self, name, roles, selevel, serange, prefix):
+ if is_mls_enabled == 1:
+ if serange:
+ serange = untranslate(serange)
+ else:
+ serange = "s0"
+
+ if selevel == "":
+ selevel = "s0"
+ else:
+ selevel = untranslate(selevel)
+
+ if len(roles) < 1:
+ raise ValueError(_("You must add at least one role for %s") % name)
+
+ (rc, k) = semanage_user_key_create(self.sh, name)
+ if rc < 0:
+ raise ValueError(_("Could not create a key for %s") % name)
+
+ (rc, exists) = semanage_user_exists(self.sh, k)
+ if rc < 0:
+ raise ValueError(_("Could not check if SELinux user %s is defined") % name)
+ if exists:
+ semanage_user_key_free(k)
+ return self.__modify(name, roles, selevel, serange, prefix)
+
+ (rc, u) = semanage_user_create(self.sh)
+ if rc < 0:
+ raise ValueError(_("Could not create SELinux user for %s") % name)
+
+ rc = semanage_user_set_name(self.sh, u, name)
+ if rc < 0:
+ raise ValueError(_("Could not set name for %s") % name)
+
+ for r in roles:
+ rc = semanage_user_add_role(self.sh, u, r)
+ if rc < 0:
+ raise ValueError(_("Could not add role %(ROLE)s for %(NAME)s") % {"ROLE":r, "NAME":name})
+
+ if is_mls_enabled == 1:
+ rc = semanage_user_set_mlsrange(self.sh, u, serange)
+ if rc < 0:
+ raise ValueError(_("Could not set MLS range for %s") % name)
+
+ rc = semanage_user_set_mlslevel(self.sh, u, selevel)
+ if rc < 0:
+ raise ValueError(_("Could not set MLS level for %s") % name)
+ rc = semanage_user_set_prefix(self.sh, u, prefix)
+ if rc < 0:
+ raise ValueError(_("Could not add prefix %(PREFIX)s for %(ROLE)s") % {"ROLE":r, "PREFIX": prefix})
+ (rc, key) = semanage_user_key_extract(self.sh, u)
+ if rc < 0:
+ raise ValueError(_("Could not extract key for %s") % name)
+
+ rc = semanage_user_modify_local(self.sh, k, u)
+ if rc < 0:
+ raise ValueError(_("Could not add SELinux user %s") % name)
+
+ semanage_user_key_free(k)
+ semanage_user_free(u)
+ self.mylog.log("seuser", sename=name, serole=",".join(roles), serange=serange)
+
+ def add(self, name, roles, selevel, serange, prefix):
+ try:
+ self.begin()
+ self.__add(name, roles, selevel, serange, prefix)
+ self.commit()
+ except ValueError as error:
+ self.mylog.commit(0)
+ raise error
+
+ def __modify(self, name, roles=[], selevel="", serange=None, prefix=""):
+ oldserole = ""
+ oldserange = ""
+ newroles = ' '.join(roles)
+ if prefix == "" and len(roles) == 0 and not serange and selevel == "":
+ if is_mls_enabled == 1:
+ raise ValueError(_("Requires prefix, roles, level or range"))
+ else:
+ raise ValueError(_("Requires prefix or roles"))
+
+ (rc, k) = semanage_user_key_create(self.sh, name)
+ if rc < 0:
+ raise ValueError(_("Could not create a key for %s") % name)
+
+ (rc, exists) = semanage_user_exists(self.sh, k)
+ if rc < 0:
+ raise ValueError(_("Could not check if SELinux user %s is defined") % name)
+ if not exists:
+ raise ValueError(_("SELinux user %s is not defined") % name)
+
+ (rc, u) = semanage_user_query(self.sh, k)
+ if rc < 0:
+ raise ValueError(_("Could not query user for %s") % name)
+
+ oldserange = semanage_user_get_mlsrange(u)
+ (rc, rlist) = semanage_user_get_roles(self.sh, u)
+ if rc >= 0:
+ oldserole = ' '.join(rlist)
+
+ if serange:
+ semanage_user_set_mlsrange(self.sh, u, untranslate(serange))
+ if selevel != "":
+ semanage_user_set_mlslevel(self.sh, u, untranslate(selevel))
+
+ if prefix != "":
+ semanage_user_set_prefix(self.sh, u, prefix)
+
+ if len(roles) != 0:
+ for r in rlist:
+ if r not in roles:
+ semanage_user_del_role(u, r)
+ for r in roles:
+ if r not in rlist:
+ semanage_user_add_role(self.sh, u, r)
+
+ rc = semanage_user_modify_local(self.sh, k, u)
+ if rc < 0:
+ raise ValueError(_("Could not modify SELinux user %s") % name)
+
+ semanage_user_key_free(k)
+ semanage_user_free(u)
+
+ role = ",".join(newroles.split())
+ oldserole = ",".join(oldserole.split())
+ self.mylog.log("seuser", sename=name, oldsename=name, serole=role, serange=serange, oldserole=oldserole, oldserange=oldserange)
+
+
+ def modify(self, name, roles=[], selevel="", serange=None, prefix=""):
+ try:
+ self.begin()
+ self.__modify(name, roles, selevel, serange, prefix)
+ self.commit()
+ except ValueError as error:
+ self.mylog.commit(0)
+ raise error
+
+ def __delete(self, name):
+ (rc, k) = semanage_user_key_create(self.sh, name)
+ if rc < 0:
+ raise ValueError(_("Could not create a key for %s") % name)
+
+ (rc, exists) = semanage_user_exists(self.sh, k)
+ if rc < 0:
+ raise ValueError(_("Could not check if SELinux user %s is defined") % name)
+ if not exists:
+ raise ValueError(_("SELinux user %s is not defined") % name)
+
+ (rc, exists) = semanage_user_exists_local(self.sh, k)
+ if rc < 0:
+ raise ValueError(_("Could not check if SELinux user %s is defined") % name)
+ if not exists:
+ raise ValueError(_("SELinux user %s is defined in policy, cannot be deleted") % name)
+
+ (rc, u) = semanage_user_query(self.sh, k)
+ if rc < 0:
+ raise ValueError(_("Could not query user for %s") % name)
+ oldserange = semanage_user_get_mlsrange(u)
+ (rc, rlist) = semanage_user_get_roles(self.sh, u)
+ oldserole = ",".join(rlist)
+
+ rc = semanage_user_del_local(self.sh, k)
+ if rc < 0:
+ raise ValueError(_("Could not delete SELinux user %s") % name)
+
+ semanage_user_key_free(k)
+ semanage_user_free(u)
+
+ self.mylog.log_remove("seuser", oldsename=name, oldserange=oldserange, oldserole=oldserole)
+
+ def delete(self, name):
+ try:
+ self.begin()
+ self.__delete(name)
+ self.commit()
+
+ except ValueError as error:
+ self.mylog.commit(0)
+ raise error
+
+ def deleteall(self):
+ (rc, ulist) = semanage_user_list_local(self.sh)
+ if rc < 0:
+ raise ValueError(_("Could not list login mappings"))
+
+ try:
+ self.begin()
+ for u in ulist:
+ try:
+ self.__delete(semanage_user_get_name(u))
+ except OSError:
+ continue
+ self.commit()
+ except ValueError as error:
+ self.mylog.commit(0)
+ raise error
+
+ def get_all(self, locallist=False):
+ ddict = {}
+ if locallist:
+ (rc, self.ulist) = semanage_user_list_local(self.sh)
+ else:
+ (rc, self.ulist) = semanage_user_list(self.sh)
+ if rc < 0:
+ raise ValueError(_("Could not list SELinux users"))
+
+ for u in self.ulist:
+ name = semanage_user_get_name(u)
+ (rc, rlist) = semanage_user_get_roles(self.sh, u)
+ if rc < 0:
+ raise ValueError(_("Could not list roles for user %s") % name)
+
+ roles = ' '.join(rlist)
+ ddict[semanage_user_get_name(u)] = (semanage_user_get_prefix(u), semanage_user_get_mlslevel(u), semanage_user_get_mlsrange(u), roles)
+
+ return ddict
+
+ def customized(self):
+ l = []
+ ddict = self.get_all(True)
+ keys = list(ddict.keys())
+ keys.sort()
+ for k in keys:
+ l.append("-a -L %s -r %s -R '%s' %s" % (ddict[k][1], ddict[k][2], ddict[k][3], k))
+ return l
+
+ def list(self, heading=True, locallist=False):
+ ddict = self.get_all(locallist)
+ keys = list(ddict.keys())
+ if len(keys) == 0:
+ return
+ keys.sort()
+
+ if is_mls_enabled == 1:
+ if heading:
+ print("\n%-15s %-10s %-10s %-30s" % ("", _("Labeling"), _("MLS/"), _("MLS/")))
+ print("%-15s %-10s %-10s %-30s %s\n" % (_("SELinux User"), _("Prefix"), _("MCS Level"), _("MCS Range"), _("SELinux Roles")))
+ for k in keys:
+ print("%-15s %-10s %-10s %-30s %s" % (k, ddict[k][0], translate(ddict[k][1]), translate(ddict[k][2]), ddict[k][3]))
+ else:
+ if heading:
+ print("%-15s %s\n" % (_("SELinux User"), _("SELinux Roles")))
+ for k in keys:
+ print("%-15s %s" % (k, ddict[k][3]))
+
+class portRecords(semanageRecords):
+ try:
+ valid_types = sepolicy.info(sepolicy.ATTRIBUTE, "port_type")[0]["types"]
+ except RuntimeError:
+ valid_types = []
+
+ def __init__(self, store=""):
+ semanageRecords.__init__(self, store)
+
+ def __genkey(self, port, proto):
+ if proto == "tcp":
+ proto_d = SEMANAGE_PROTO_TCP
+ else:
+ if proto == "udp":
+ proto_d = SEMANAGE_PROTO_UDP
+ else:
+ raise ValueError(_("Protocol udp or tcp is required"))
+ if port == "":
+ raise ValueError(_("Port is required"))
+
+ ports = port.split("-")
+ if len(ports) == 1:
+ high = low = int(ports[0])
+ else:
+ low = int(ports[0])
+ high = int(ports[1])
+
+ if high > 65535:
+ raise ValueError(_("Invalid Port"))
+
+ (rc, k) = semanage_port_key_create(self.sh, low, high, proto_d)
+ if rc < 0:
+ raise ValueError(_("Could not create a key for %(PROTOTYPE)s/%(PORT)s") % {"PROTOTYPE": proto, "PORT":port})
+ return (k, proto_d, low, high)
+
+ def __add(self, port, proto, serange, type):
+ if is_mls_enabled == 1:
+ if serange:
+ serange = untranslate(serange)
+ else:
+ serange = "s0"
+
+ if type == "":
+ raise ValueError(_("Type is required"))
+
+ if sepolicy.get_real_type_name(type) not in self.valid_types:
+ raise ValueError(_("Type %s is invalid, must be a port type") % type)
+
+ (k, proto_d, low, high) = self.__genkey(port, proto)
+ if semanageRecords.transaction:
+ (rc, exists) = semanage_port_exists_local(self.sh, k)
+ else:
+ (rc, exists) = semanage_port_exists(self.sh, k)
+ if rc < 0:
+ raise ValueError(_("Could not check if port %(PROTOCOL)s/%(PORT)s is defined") % {"PROTOCOL": proto, "PORT": port})
+ if exists:
+ raise ValueError(_("Port %(PROTOCOL)s/%(PORT)s already defined") % {"PROTOCOL": proto, "PORT": port})
+
+ (rc, p) = semanage_port_create(self.sh)
+ if rc < 0:
+ raise ValueError(_("Could not create port for %(PROTOCOL)s/%(PORT)s") % {"PROTOCOL": proto, "PORT": port})
+
+ semanage_port_set_proto(p, proto_d)
+ semanage_port_set_range(p, low, high)
+ (rc, con) = semanage_context_create(self.sh)
+ if rc < 0:
+ raise ValueError(_("Could not create context for %(PROTOCOL)s/%(PORT)s") % {"PROTOCOL": proto, "PORT": port})
+
+ rc = semanage_context_set_user(self.sh, con, "system_u")
+ if rc < 0:
+ raise ValueError(_("Could not set user in port context for %(PROTOCOL)s/%(PORT)s") % {"PROTOCOL": proto, "PORT": port})
+
+ rc = semanage_context_set_role(self.sh, con, "object_r")
+ if rc < 0:
+ raise ValueError(_("Could not set role in port context for %(PROTOCOL)s/%(PORT)s") % {"PROTOCOL": proto, "PORT": port})
+
+ rc = semanage_context_set_type(self.sh, con, type)
+ if rc < 0:
+ raise ValueError(_("Could not set type in port context for %(PROTOCOL)s/%(PORT)s") % {"PROTOCOL": proto, "PORT": port})
+
+ if serange:
+ rc = semanage_context_set_mls(self.sh, con, serange)
+ if rc < 0:
+ raise ValueError(_("Could not set mls fields in port context for %(PROTOCOL)s/%(PORT)s") % {"PROTOCOL": proto, "PORT": port})
+
+ rc = semanage_port_set_con(self.sh, p, con)
+ if rc < 0:
+ raise ValueError(_("Could not set port context for %(PROTOCOL)s/%(PORT)s") % {"PROTOCOL": proto, "PORT": port})
+
+ rc = semanage_port_modify_local(self.sh, k, p)
+ if rc < 0:
+ raise ValueError(_("Could not add port %(PROTOCOL)s/%(PORT)s") % {"PROTOCOL": proto, "PORT": port})
+
+ semanage_context_free(con)
+ semanage_port_key_free(k)
+ semanage_port_free(p)
+
+ self.mylog.log_change("resrc=port op=add lport=%s proto=%s tcontext=%s:%s:%s:%s" % (port, socket.getprotobyname(proto), "system_u", "object_r", type, serange))
+
+ def add(self, port, proto, serange, type):
+ self.begin()
+ self.__add(port, proto, serange, type)
+ self.commit()
+
+ def __modify(self, port, proto, serange, setype):
+ if not serange and setype == "":
+ if is_mls_enabled == 1:
+ raise ValueError(_("Requires setype or serange"))
+ else:
+ raise ValueError(_("Requires setype"))
+
+ if setype and sepolicy.get_real_type_name(setype) not in self.valid_types:
+ raise ValueError(_("Type %s is invalid, must be a file or device type") % setype)
+
+ (k, proto_d, low, high) = self.__genkey(port, proto)
+
+ (rc, exists) = semanage_port_exists(self.sh, k)
+ if rc < 0:
+ raise ValueError(_("Could not check if port @%(PROTOCOL)s/%(PORT)s is defined") % {"PROTOCOL": proto, "PORT": port})
+ if not exists:
+ raise ValueError(_("Port @%(PROTOCOL)s/%(PORT)s is not defined") % {"PROTOCOL": proto, "PORT": port})
+
+ (rc, p) = semanage_port_query(self.sh, k)
+ if rc < 0:
+ raise ValueError(_("Could not query port %(PROTOCOL)s/%(PORT)s") % {"PROTOCOL": proto, "PORT": port})
+
+ con = semanage_port_get_con(p)
+
+ if serange:
+ semanage_context_set_mls(self.sh, con, untranslate(serange))
+ else:
+ serange = "s0"
+ if setype != "":
+ semanage_context_set_type(self.sh, con, setype)
+
+ rc = semanage_port_modify_local(self.sh, k, p)
+ if rc < 0:
+ raise ValueError(_("Could not modify port %(PROTOCOL)s/%(PORT)s") % {"PROTOCOL": proto, "PORT": port})
+
+ semanage_port_key_free(k)
+ semanage_port_free(p)
+
+ self.mylog.log_change("resrc=port op=modify lport=%s proto=%s tcontext=%s:%s:%s:%s" % (port, socket.getprotobyname(proto), "system_u", "object_r", setype, serange))
+
+ def modify(self, port, proto, serange, setype):
+ self.begin()
+ self.__modify(port, proto, serange, setype)
+ self.commit()
+
+ def deleteall(self):
+ (rc, plist) = semanage_port_list_local(self.sh)
+ if rc < 0:
+ raise ValueError(_("Could not list the ports"))
+
+ self.begin()
+
+ for port in plist:
+ proto = semanage_port_get_proto(port)
+ proto_str = semanage_port_get_proto_str(proto)
+ low = semanage_port_get_low(port)
+ high = semanage_port_get_high(port)
+ port_str = "%s-%s" % (low, high)
+ (k, proto_d, low, high) = self.__genkey(port_str , proto_str)
+ if rc < 0:
+ raise ValueError(_("Could not create a key for %s") % port_str)
+
+ rc = semanage_port_del_local(self.sh, k)
+ if rc < 0:
+ raise ValueError(_("Could not delete the port %s") % port_str)
+ semanage_port_key_free(k)
+
+ if low == high:
+ port_str = low
+
+ self.mylog.log_change("resrc=port op=delete lport=%s proto=%s" % (port_str, socket.getprotobyname(proto_str)))
+
+ self.commit()
+
+ def __delete(self, port, proto):
+ (k, proto_d, low, high) = self.__genkey(port, proto)
+ (rc, exists) = semanage_port_exists(self.sh, k)
+ if rc < 0:
+ raise ValueError(_("Could not check if port %(PROTOCOL)s/%(PORT)s is defined") % {"PROTOCOL": proto, "PORT": port})
+ if not exists:
+ raise ValueError(_("Port %(PROTOCOL)s/%(PORT)s is not defined") % {"PROTOCOL": proto, "PORT": port})
+
+ (rc, exists) = semanage_port_exists_local(self.sh, k)
+ if rc < 0:
+ raise ValueError(_("Could not check if port %(PROTOCOL)s/%(PORT)s is defined") % {"PROTOCOL": proto, "PORT": port})
+ if not exists:
+ raise ValueError(_("Port %(PROTOCOL)s/%(PORT)s is defined in policy, cannot be deleted") % {"PROTOCOL": proto, "PORT": port})
+
+ rc = semanage_port_del_local(self.sh, k)
+ if rc < 0:
+ raise ValueError(_("Could not delete port %(PROTOCOL)s/%(PORT)s") % {"PROTOCOL": proto, "PORT": port})
+
+ semanage_port_key_free(k)
+
+ self.mylog.log_change("resrc=port op=delete lport=%s proto=%s" % (port, socket.getprotobyname(proto)))
+
+ def delete(self, port, proto):
+ self.begin()
+ self.__delete(port, proto)
+ self.commit()
+
+ def get_all(self, locallist=False):
+ ddict = {}
+ if locallist:
+ (rc, self.plist) = semanage_port_list_local(self.sh)
+ else:
+ (rc, self.plist) = semanage_port_list(self.sh)
+ if rc < 0:
+ raise ValueError(_("Could not list ports"))
+
+ for port in self.plist:
+ con = semanage_port_get_con(port)
+ ctype = semanage_context_get_type(con)
+ level = semanage_context_get_mls(con)
+ proto = semanage_port_get_proto(port)
+ proto_str = semanage_port_get_proto_str(proto)
+ low = semanage_port_get_low(port)
+ high = semanage_port_get_high(port)
+ ddict[(low, high, proto_str)] = (ctype, level)
+ return ddict
+
+ def get_all_by_type(self, locallist=False):
+ ddict = {}
+ if locallist:
+ (rc, self.plist) = semanage_port_list_local(self.sh)
+ else:
+ (rc, self.plist) = semanage_port_list(self.sh)
+ if rc < 0:
+ raise ValueError(_("Could not list ports"))
+
+ for port in self.plist:
+ con = semanage_port_get_con(port)
+ ctype = semanage_context_get_type(con)
+ proto = semanage_port_get_proto(port)
+ proto_str = semanage_port_get_proto_str(proto)
+ low = semanage_port_get_low(port)
+ high = semanage_port_get_high(port)
+ if (ctype, proto_str) not in list(ddict.keys()):
+ ddict[(ctype, proto_str)] = []
+ if low == high:
+ ddict[(ctype, proto_str)].append("%d" % low)
+ else:
+ ddict[(ctype, proto_str)].append("%d-%d" % (low, high))
+ return ddict
+
+ def customized(self):
+ l = []
+ ddict = self.get_all(True)
+ keys = list(ddict.keys())
+ keys.sort()
+ for k in keys:
+ if k[0] == k[1]:
+ l.append("-a -t %s -p %s %s" % (ddict[k][0], k[2], k[0]))
+ else:
+ l.append("-a -t %s -p %s %s-%s" % (ddict[k][0], k[2], k[0], k[1]))
+ return l
+
+ def list(self, heading=True, locallist=False):
+ ddict = self.get_all_by_type(locallist)
+ keys = list(ddict.keys())
+ if len(keys) == 0:
+ return
+ keys.sort()
+
+ if heading:
+ print("%-30s %-8s %s\n" % (_("SELinux Port Type"), _("Proto"), _("Port Number")))
+ for i in keys:
+ rec = "%-30s %-8s " % i
+ rec += "%s" % ddict[i][0]
+ for p in ddict[i][1:]:
+ rec += ", %s" % p
+ print(rec)
+
+class ibpkeyRecords(semanageRecords):
+ try:
+ valid_types = set(str(t) for t in sepolicy.info(sepolicy.ATTRIBUTE, "ibpkey_type")[0]["types"])
+ except:
+ valid_types = []
+
+ def __init__(self, store=""):
+ semanageRecords.__init__(self, store)
+
+ def __genkey(self, pkey, subnet_prefix):
+ if subnet_prefix == "":
+ raise ValueError(_("Subnet Prefix is required"))
+
+ pkeys = pkey.split("-")
+ if len(pkeys) == 1:
+ high = low = int(pkeys[0], 0)
+ else:
+ low = int(pkeys[0], 0)
+ high = int(pkeys[1], 0)
+
+ if high > 65535:
+ raise ValueError(_("Invalid Pkey"))
+
+ (rc, k) = semanage_ibpkey_key_create(self.sh, subnet_prefix, low, high)
+ if rc < 0:
+ raise ValueError(_("Could not create a key for %s/%s") % (subnet_prefix, pkey))
+ return (k, subnet_prefix, low, high)
+
+ def __add(self, pkey, subnet_prefix, serange, type):
+ if is_mls_enabled == 1:
+ if serange == "":
+ serange = "s0"
+ else:
+ serange = untranslate(serange)
+
+ if type == "":
+ raise ValueError(_("Type is required"))
+
+ if sepolicy.get_real_type_name(type) not in self.valid_types:
+ raise ValueError(_("Type %s is invalid, must be a ibpkey type") % type)
+
+ (k, subnet_prefix, low, high) = self.__genkey(pkey, subnet_prefix)
+
+ (rc, exists) = semanage_ibpkey_exists(self.sh, k)
+ if rc < 0:
+ raise ValueError(_("Could not check if ibpkey %s/%s is defined") % (subnet_prefix, pkey))
+ if exists:
+ raise ValueError(_("ibpkey %s/%s already defined") % (subnet_prefix, pkey))
+
+ (rc, p) = semanage_ibpkey_create(self.sh)
+ if rc < 0:
+ raise ValueError(_("Could not create ibpkey for %s/%s") % (subnet_prefix, pkey))
+
+ semanage_ibpkey_set_subnet_prefix(self.sh, p, subnet_prefix)
+ semanage_ibpkey_set_range(p, low, high)
+ (rc, con) = semanage_context_create(self.sh)
+ if rc < 0:
+ raise ValueError(_("Could not create context for %s/%s") % (subnet_prefix, pkey))
+
+ rc = semanage_context_set_user(self.sh, con, "system_u")
+ if rc < 0:
+ raise ValueError(_("Could not set user in ibpkey context for %s/%s") % (subnet_prefix, pkey))
+
+ rc = semanage_context_set_role(self.sh, con, "object_r")
+ if rc < 0:
+ raise ValueError(_("Could not set role in ibpkey context for %s/%s") % (subnet_prefix, pkey))
+
+ rc = semanage_context_set_type(self.sh, con, type)
+ if rc < 0:
+ raise ValueError(_("Could not set type in ibpkey context for %s/%s") % (subnet_prefix, pkey))
+
+ if (is_mls_enabled == 1) and (serange != ""):
+ rc = semanage_context_set_mls(self.sh, con, serange)
+ if rc < 0:
+ raise ValueError(_("Could not set mls fields in ibpkey context for %s/%s") % (subnet_prefix, pkey))
+
+ rc = semanage_ibpkey_set_con(self.sh, p, con)
+ if rc < 0:
+ raise ValueError(_("Could not set ibpkey context for %s/%s") % (subnet_prefix, pkey))
+
+ rc = semanage_ibpkey_modify_local(self.sh, k, p)
+ if rc < 0:
+ raise ValueError(_("Could not add ibpkey %s/%s") % (subnet_prefix, pkey))
+
+ semanage_context_free(con)
+ semanage_ibpkey_key_free(k)
+ semanage_ibpkey_free(p)
+
+ def add(self, pkey, subnet_prefix, serange, type):
+ self.begin()
+ self.__add(pkey, subnet_prefix, serange, type)
+ self.commit()
+
+ def __modify(self, pkey, subnet_prefix, serange, setype):
+ if serange == "" and setype == "":
+ if is_mls_enabled == 1:
+ raise ValueError(_("Requires setype or serange"))
+ else:
+ raise ValueError(_("Requires setype"))
+
+ if setype and sepolicy.get_real_type_name(setype) not in self.valid_types:
+ raise ValueError(_("Type %s is invalid, must be a ibpkey type") % setype)
+
+ (k, subnet_prefix, low, high) = self.__genkey(pkey, subnet_prefix)
+
+ (rc, exists) = semanage_ibpkey_exists(self.sh, k)
+ if rc < 0:
+ raise ValueError(_("Could not check if ibpkey %s/%s is defined") % (subnet_prefix, pkey))
+ if not exists:
+ raise ValueError(_("ibpkey %s/%s is not defined") % (subnet_prefix, pkey))
+
+ (rc, p) = semanage_ibpkey_query(self.sh, k)
+ if rc < 0:
+ raise ValueError(_("Could not query ibpkey %s/%s") % (subnet_prefix, pkey))
+
+ con = semanage_ibpkey_get_con(p)
+
+ if (is_mls_enabled == 1) and (serange != ""):
+ semanage_context_set_mls(self.sh, con, untranslate(serange))
+ if setype != "":
+ semanage_context_set_type(self.sh, con, setype)
+
+ rc = semanage_ibpkey_modify_local(self.sh, k, p)
+ if rc < 0:
+ raise ValueError(_("Could not modify ibpkey %s/%s") % (subnet_prefix, pkey))
+
+ semanage_ibpkey_key_free(k)
+ semanage_ibpkey_free(p)
+
+ def modify(self, pkey, subnet_prefix, serange, setype):
+ self.begin()
+ self.__modify(pkey, subnet_prefix, serange, setype)
+ self.commit()
+
+ def deleteall(self):
+ (rc, plist) = semanage_ibpkey_list_local(self.sh)
+ if rc < 0:
+ raise ValueError(_("Could not list the ibpkeys"))
+
+ self.begin()
+
+ for ibpkey in plist:
+ (rc, subnet_prefix) = semanage_ibpkey_get_subnet_prefix(self.sh, ibpkey)
+ low = semanage_ibpkey_get_low(ibpkey)
+ high = semanage_ibpkey_get_high(ibpkey)
+ pkey_str = "%s-%s" % (low, high)
+ (k, subnet_prefix, low, high) = self.__genkey(pkey_str, subnet_prefix)
+ if rc < 0:
+ raise ValueError(_("Could not create a key for %s") % pkey_str)
+
+ rc = semanage_ibpkey_del_local(self.sh, k)
+ if rc < 0:
+ raise ValueError(_("Could not delete the ibpkey %s") % pkey_str)
+ semanage_ibpkey_key_free(k)
+
+ self.commit()
+
+ def __delete(self, pkey, subnet_prefix):
+ (k, subnet_prefix, low, high) = self.__genkey(pkey, subnet_prefix)
+ (rc, exists) = semanage_ibpkey_exists(self.sh, k)
+ if rc < 0:
+ raise ValueError(_("Could not check if ibpkey %s/%s is defined") % (subnet_prefix, pkey))
+ if not exists:
+ raise ValueError(_("ibpkey %s/%s is not defined") % (subnet_prefix, pkey))
+
+ (rc, exists) = semanage_ibpkey_exists_local(self.sh, k)
+ if rc < 0:
+ raise ValueError(_("Could not check if ibpkey %s/%s is defined") % (subnet_prefix, pkey))
+ if not exists:
+ raise ValueError(_("ibpkey %s/%s is defined in policy, cannot be deleted") % (subnet_prefix, pkey))
+
+ rc = semanage_ibpkey_del_local(self.sh, k)
+ if rc < 0:
+ raise ValueError(_("Could not delete ibpkey %s/%s") % (subnet_prefix, pkey))
+
+ semanage_ibpkey_key_free(k)
+
+ def delete(self, pkey, subnet_prefix):
+ self.begin()
+ self.__delete(pkey, subnet_prefix)
+ self.commit()
+
+ def get_all(self, locallist=0):
+ ddict = {}
+ if locallist:
+ (rc, self.plist) = semanage_ibpkey_list_local(self.sh)
+ else:
+ (rc, self.plist) = semanage_ibpkey_list(self.sh)
+ if rc < 0:
+ raise ValueError(_("Could not list ibpkeys"))
+
+ for ibpkey in self.plist:
+ con = semanage_ibpkey_get_con(ibpkey)
+ ctype = semanage_context_get_type(con)
+ if ctype == "reserved_ibpkey_t":
+ continue
+ level = semanage_context_get_mls(con)
+ (rc, subnet_prefix) = semanage_ibpkey_get_subnet_prefix(self.sh, ibpkey)
+ low = semanage_ibpkey_get_low(ibpkey)
+ high = semanage_ibpkey_get_high(ibpkey)
+ ddict[(low, high, subnet_prefix)] = (ctype, level)
+ return ddict
+
+ def get_all_by_type(self, locallist=0):
+ ddict = {}
+ if locallist:
+ (rc, self.plist) = semanage_ibpkey_list_local(self.sh)
+ else:
+ (rc, self.plist) = semanage_ibpkey_list(self.sh)
+ if rc < 0:
+ raise ValueError(_("Could not list ibpkeys"))
+
+ for ibpkey in self.plist:
+ con = semanage_ibpkey_get_con(ibpkey)
+ ctype = semanage_context_get_type(con)
+ (rc, subnet_prefix) = semanage_ibpkey_get_subnet_prefix(self.sh, ibpkey)
+ low = semanage_ibpkey_get_low(ibpkey)
+ high = semanage_ibpkey_get_high(ibpkey)
+ if (ctype, subnet_prefix) not in ddict.keys():
+ ddict[(ctype, subnet_prefix)] = []
+ if low == high:
+ ddict[(ctype, subnet_prefix)].append("0x%x" % low)
+ else:
+ ddict[(ctype, subnet_prefix)].append("0x%x-0x%x" % (low, high))
+ return ddict
+
+ def customized(self):
+ l = []
+ ddict = self.get_all(True)
+ keys = ddict.keys()
+ keys.sort()
+ for k in keys:
+ if k[0] == k[1]:
+ l.append("-a -t %s -x %s %s" % (ddict[k][0], k[2], k[0]))
+ else:
+ l.append("-a -t %s -x %s %s-%s" % (ddict[k][0], k[2], k[0], k[1]))
+ return l
+
+ def list(self, heading=1, locallist=0):
+ ddict = self.get_all_by_type(locallist)
+ keys = ddict.keys()
+ if len(keys) == 0:
+ return
+ keys.sort()
+
+ if heading:
+ print "%-30s %-18s %s\n" % (_("SELinux IB Pkey Type"), _("Subnet_Prefix"), _("Pkey Number"))
+ for i in keys:
+ rec = "%-30s %-18s " % i
+ rec += "%s" % ddict[i][0]
+ for p in ddict[i][1:]:
+ rec += ", %s" % p
+ print rec
+
+class ibendportRecords(semanageRecords):
+ try:
+ valid_types = set(str(t) for t in sepolicy.info(sepolicy.ATTRIBUTE, "ibendport_type")[0]["types"])
+ except:
+ valid_types = []
+
+ def __init__(self, store=""):
+ semanageRecords.__init__(self, store)
+
+ def __genkey(self, ibendport, ibdev_name):
+ if ibdev_name == "":
+ raise ValueError(_("IB device name is required"))
+
+ port = int(ibendport)
+
+ if port > 255 or port < 1:
+ raise ValueError(_("Invalid Port Number"))
+
+ (rc, k) = semanage_ibendport_key_create(self.sh, ibdev_name, port)
+ if rc < 0:
+ raise ValueError(_("Could not create a key for ibendport %s/%s") % (ibdev_name, ibendport))
+ return (k, ibdev_name, port)
+
+ def __add(self, ibendport, ibdev_name, serange, type):
+ if is_mls_enabled == 1:
+ if serange == "":
+ serange = "s0"
+ else:
+ serange = untranslate(serange)
+
+ if type == "":
+ raise ValueError(_("Type is required"))
+
+ if sepolicy.get_real_type_name(type) not in self.valid_types:
+ raise ValueError(_("Type %s is invalid, must be an ibendport type") % type)
+ (k, ibendport, port) = self.__genkey(ibendport, ibdev_name)
+
+ (rc, exists) = semanage_ibendport_exists(self.sh, k)
+ if rc < 0:
+ raise ValueError(_("Could not check if ibendport %s/%s is defined") % (ibdev_name, port))
+ if exists:
+ raise ValueError(_("ibendport %s/%s already defined") % (ibdev_name, port))
+
+ (rc, p) = semanage_ibendport_create(self.sh)
+ if rc < 0:
+ raise ValueError(_("Could not create ibendport for %s/%s") % (ibdev_name, port))
+
+ semanage_ibendport_set_ibdev_name(self.sh, p, ibdev_name)
+ semanage_ibendport_set_port(p, port)
+ (rc, con) = semanage_context_create(self.sh)
+ if rc < 0:
+ raise ValueError(_("Could not create context for %s/%s") % (ibdev_name, port))
+
+ rc = semanage_context_set_user(self.sh, con, "system_u")
+ if rc < 0:
+ raise ValueError(_("Could not set user in ibendport context for %s/%s") % (ibdev_name, port))
+
+ rc = semanage_context_set_role(self.sh, con, "object_r")
+ if rc < 0:
+ raise ValueError(_("Could not set role in ibendport context for %s/%s") % (ibdev_name, port))
+
+ rc = semanage_context_set_type(self.sh, con, type)
+ if rc < 0:
+ raise ValueError(_("Could not set type in ibendport context for %s/%s") % (ibdev_name, port))
+
+ if (is_mls_enabled == 1) and (serange != ""):
+ rc = semanage_context_set_mls(self.sh, con, serange)
+ if rc < 0:
+ raise ValueError(_("Could not set mls fields in ibendport context for %s/%s") % (ibdev_name, port))
+
+ rc = semanage_ibendport_set_con(self.sh, p, con)
+ if rc < 0:
+ raise ValueError(_("Could not set ibendport context for %s/%s") % (ibdev_name, port))
+
+ rc = semanage_ibendport_modify_local(self.sh, k, p)
+ if rc < 0:
+ raise ValueError(_("Could not add ibendport %s/%s") % (ibdev_name, port))
+
+ semanage_context_free(con)
+ semanage_ibendport_key_free(k)
+ semanage_ibendport_free(p)
+
+ def add(self, ibendport, ibdev_name, serange, type):
+ self.begin()
+ self.__add(ibendport, ibdev_name, serange, type)
+ self.commit()
+
+ def __modify(self, ibendport, ibdev_name, serange, setype):
+ if serange == "" and setype == "":
+ if is_mls_enabled == 1:
+ raise ValueError(_("Requires setype or serange"))
+ else:
+ raise ValueError(_("Requires setype"))
+
+ if setype and sepolicy.get_real_type_name(setype) not in self.valid_types:
+ raise ValueError(_("Type %s is invalid, must be an ibendport type") % setype)
+
+ (k, ibdev_name, port) = self.__genkey(ibendport, ibdev_name)
+
+ (rc, exists) = semanage_ibendport_exists(self.sh, k)
+ if rc < 0:
+ raise ValueError(_("Could not check if ibendport %s/%s is defined") % (ibdev_name, ibendport))
+ if not exists:
+ raise ValueError(_("ibendport %s/%s is not defined") % (ibdev_name, ibendport))
+
+ (rc, p) = semanage_ibendport_query(self.sh, k)
+ if rc < 0:
+ raise ValueError(_("Could not query ibendport %s/%s") % (ibdev_name, ibendport))
+
+ con = semanage_ibendport_get_con(p)
+
+ if (is_mls_enabled == 1) and (serange != ""):
+ semanage_context_set_mls(self.sh, con, untranslate(serange))
+ if setype != "":
+ semanage_context_set_type(self.sh, con, setype)
+
+ rc = semanage_ibendport_modify_local(self.sh, k, p)
+ if rc < 0:
+ raise ValueError(_("Could not modify ibendport %s/%s") % (ibdev_name, ibendport))
+
+ semanage_ibendport_key_free(k)
+ semanage_ibendport_free(p)
+
+ def modify(self, ibendport, ibdev_name, serange, setype):
+ self.begin()
+ self.__modify(ibendport, ibdev_name, serange, setype)
+ self.commit()
+
+ def deleteall(self):
+ (rc, plist) = semanage_ibendport_list_local(self.sh)
+ if rc < 0:
+ raise ValueError(_("Could not list the ibendports"))
+
+ self.begin()
+
+ for ibendport in plist:
+ (rc, ibdev_name) = semanage_ibendport_get_ibdev_name(self.sh, ibendport)
+ port = semanage_ibendport_get_port(ibendport)
+ (k, ibdev_name, port) = self.__genkey(str(port), ibdev_name)
+ if rc < 0:
+ raise ValueError(_("Could not create a key for %s/%d") % (ibdevname, port))
+
+ rc = semanage_ibendport_del_local(self.sh, k)
+ if rc < 0:
+ raise ValueError(_("Could not delete the ibendport %s/%d") % (ibdev_name, port))
+ semanage_ibendport_key_free(k)
+
+ self.commit()
+
+ def __delete(self, ibendport, ibdev_name):
+ (k, ibdev_name, port) = self.__genkey(ibendport, ibdev_name)
+ (rc, exists) = semanage_ibendport_exists(self.sh, k)
+ if rc < 0:
+ raise ValueError(_("Could not check if ibendport %s/%s is defined") % (ibdev_name, ibendport))
+ if not exists:
+ raise ValueError(_("ibendport %s/%s is not defined") % (ibdev_name, ibendport))
+
+ (rc, exists) = semanage_ibendport_exists_local(self.sh, k)
+ if rc < 0:
+ raise ValueError(_("Could not check if ibendport %s/%s is defined") % (ibdev_name, ibendport))
+ if not exists:
+ raise ValueError(_("ibendport %s/%s is defined in policy, cannot be deleted") % (ibdev_name, ibendport))
+
+ rc = semanage_ibendport_del_local(self.sh, k)
+ if rc < 0:
+ raise ValueError(_("Could not delete ibendport %s/%s") % (ibdev_name, ibendport))
+
+ semanage_ibendport_key_free(k)
+
+ def delete(self, ibendport, ibdev_name):
+ self.begin()
+ self.__delete(ibendport, ibdev_name)
+ self.commit()
+
+ def get_all(self, locallist=0):
+ ddict = {}
+ if locallist:
+ (rc, self.plist) = semanage_ibendport_list_local(self.sh)
+ else:
+ (rc, self.plist) = semanage_ibendport_list(self.sh)
+ if rc < 0:
+ raise ValueError(_("Could not list ibendports"))
+
+ for ibendport in self.plist:
+ con = semanage_ibendport_get_con(ibendport)
+ ctype = semanage_context_get_type(con)
+ if ctype == "reserved_ibendport_t":
+ continue
+ level = semanage_context_get_mls(con)
+ (rc, ibdev_name) = semanage_ibendport_get_ibdev_name(self.sh, ibendport)
+ port = semanage_ibendport_get_port(ibendport)
+ ddict[(port, ibdev_name)] = (ctype, level)
+ return ddict
+
+ def get_all_by_type(self, locallist=0):
+ ddict = {}
+ if locallist:
+ (rc, self.plist) = semanage_ibendport_list_local(self.sh)
+ else:
+ (rc, self.plist) = semanage_ibendport_list(self.sh)
+ if rc < 0:
+ raise ValueError(_("Could not list ibendports"))
+
+ for ibendport in self.plist:
+ con = semanage_ibendport_get_con(ibendport)
+ ctype = semanage_context_get_type(con)
+ (rc, ibdev_name) = semanage_ibendport_get_ibdev_name(self.sh, ibendport)
+ port = semanage_ibendport_get_port(ibendport)
+ if (ctype, ibdev_name) not in ddict.keys():
+ ddict[(ctype, ibdev_name)] = []
+ ddict[(ctype, ibdev_name)].append("0x%x" % port)
+ return ddict
+
+ def customized(self):
+ l = []
+ ddict = self.get_all(True)
+ keys = ddict.keys()
+ keys.sort()
+ for k in keys:
+ l.append("-a -t %s -r %s -z %s %s" % (ddict[k][0], ddict[k][1], k[1], k[0]))
+ return l
+
+ def list(self, heading=1, locallist=0):
+ ddict = self.get_all_by_type(locallist)
+ keys = ddict.keys()
+ if len(keys) == 0:
+ return
+ keys.sort()
+
+ if heading:
+ print "%-30s %-18s %s\n" % (_("SELinux IB End Port Type"), _("IB Device Name"), _("Port Number"))
+ for i in keys:
+ rec = "%-30s %-18s " % i
+ rec += "%s" % ddict[i][0]
+ for p in ddict[i][1:]:
+ rec += ", %s" % p
+ print rec
+
+class nodeRecords(semanageRecords):
+ try:
+ valid_types = sepolicy.info(sepolicy.ATTRIBUTE, "node_type")[0]["types"]
+ except RuntimeError:
+ valid_types = []
+
+ def __init__(self, store=""):
+ semanageRecords.__init__(self, store)
+ self.protocol = ["ipv4", "ipv6"]
+
+ def validate(self, addr, mask, protocol):
+ newaddr = addr
+ newmask = mask
+ newprotocol = ""
+
+ if addr == "":
+ raise ValueError(_("Node Address is required"))
+
+ # verify valid comination
+ if len(mask) == 0 or mask[0] == "/":
+ i = IP(addr + mask)
+ newaddr = i.strNormal(0)
+ newmask = str(i.netmask())
+ if newmask == "0.0.0.0" and i.version() == 6:
+ newmask = "::"
+
+ protocol = "ipv%d" % i.version()
+
+ try:
+ newprotocol = self.protocol.index(protocol)
+ except:
+ raise ValueError(_("Unknown or missing protocol"))
+
+ return newaddr, newmask, newprotocol
+
+ def __add(self, addr, mask, proto, serange, ctype):
+ addr, mask, proto = self.validate(addr, mask, proto)
+
+ if is_mls_enabled == 1:
+ if serange:
+ serange = untranslate(serange)
+ else:
+ serange = "s0"
+
+ if ctype == "":
+ raise ValueError(_("SELinux node type is required"))
+
+ if sepolicy.get_real_type_name(ctype) not in self.valid_types:
+ raise ValueError(_("Type %s is invalid, must be a node type") % ctype)
+
+ (rc, k) = semanage_node_key_create(self.sh, addr, mask, proto)
+ if rc < 0:
+ raise ValueError(_("Could not create key for %s") % addr)
+ if rc < 0:
+ raise ValueError(_("Could not check if addr %s is defined") % addr)
+
+ (rc, exists) = semanage_node_exists(self.sh, k)
+ if exists:
+ semanage_node_key_free(k)
+ return self.__modify(addr, mask, self.protocol[proto], serange, ctype)
+
+ (rc, node) = semanage_node_create(self.sh)
+ if rc < 0:
+ raise ValueError(_("Could not create addr for %s") % addr)
+ semanage_node_set_proto(node, proto)
+
+ rc = semanage_node_set_addr(self.sh, node, proto, addr)
+ (rc, con) = semanage_context_create(self.sh)
+ if rc < 0:
+ raise ValueError(_("Could not create context for %s") % addr)
+
+ rc = semanage_node_set_mask(self.sh, node, proto, mask)
+ if rc < 0:
+ raise ValueError(_("Could not set mask for %s") % addr)
+
+ rc = semanage_context_set_user(self.sh, con, "system_u")
+ if rc < 0:
+ raise ValueError(_("Could not set user in addr context for %s") % addr)
+
+ rc = semanage_context_set_role(self.sh, con, "object_r")
+ if rc < 0:
+ raise ValueError(_("Could not set role in addr context for %s") % addr)
+
+ rc = semanage_context_set_type(self.sh, con, ctype)
+ if rc < 0:
+ raise ValueError(_("Could not set type in addr context for %s") % addr)
+
+ if serange:
+ rc = semanage_context_set_mls(self.sh, con, serange)
+ if rc < 0:
+ raise ValueError(_("Could not set mls fields in addr context for %s") % addr)
+
+ rc = semanage_node_set_con(self.sh, node, con)
+ if rc < 0:
+ raise ValueError(_("Could not set addr context for %s") % addr)
+
+ rc = semanage_node_modify_local(self.sh, k, node)
+ if rc < 0:
+ raise ValueError(_("Could not add addr %s") % addr)
+
+ semanage_context_free(con)
+ semanage_node_key_free(k)
+ semanage_node_free(node)
+
+ self.mylog.log_change("resrc=node op=add laddr=%s netmask=%s proto=%s tcontext=%s:%s:%s:%s" % (addr, mask, socket.getprotobyname(self.protocol[proto]), "system_u", "object_r", ctype, serange))
+
+ def add(self, addr, mask, proto, serange, ctype):
+ self.begin()
+ self.__add(addr, mask, proto, serange, ctype)
+ self.commit()
+
+ def __modify(self, addr, mask, proto, serange, setype):
+ addr, mask, proto = self.validate(addr, mask, proto)
+
+ if not serange and setype == "":
+ raise ValueError(_("Requires setype or serange"))
+
+ if setype and sepolicy.get_real_type_name(setype) not in self.valid_types:
+ raise ValueError(_("Type %s is invalid, must be a node type") % setype)
+
+ (rc, k) = semanage_node_key_create(self.sh, addr, mask, proto)
+ if rc < 0:
+ raise ValueError(_("Could not create key for %s") % addr)
+
+ (rc, exists) = semanage_node_exists(self.sh, k)
+ if rc < 0:
+ raise ValueError(_("Could not check if addr %s is defined") % addr)
+ if not exists:
+ raise ValueError(_("Addr %s is not defined") % addr)
+
+ (rc, node) = semanage_node_query(self.sh, k)
+ if rc < 0:
+ raise ValueError(_("Could not query addr %s") % addr)
+
+ con = semanage_node_get_con(node)
+ if serange:
+ semanage_context_set_mls(self.sh, con, untranslate(serange))
+ if setype != "":
+ semanage_context_set_type(self.sh, con, setype)
+
+ rc = semanage_node_modify_local(self.sh, k, node)
+ if rc < 0:
+ raise ValueError(_("Could not modify addr %s") % addr)
+
+ semanage_node_key_free(k)
+ semanage_node_free(node)
+
+ self.mylog.log_change("resrc=node op=modify laddr=%s netmask=%s proto=%s tcontext=%s:%s:%s:%s" % (addr, mask, socket.getprotobyname(self.protocol[proto]), "system_u", "object_r", setype, serange))
+
+ def modify(self, addr, mask, proto, serange, setype):
+ self.begin()
+ self.__modify(addr, mask, proto, serange, setype)
+ self.commit()
+
+ def __delete(self, addr, mask, proto):
+
+ addr, mask, proto = self.validate(addr, mask, proto)
+
+ (rc, k) = semanage_node_key_create(self.sh, addr, mask, proto)
+ if rc < 0:
+ raise ValueError(_("Could not create key for %s") % addr)
+
+ (rc, exists) = semanage_node_exists(self.sh, k)
+ if rc < 0:
+ raise ValueError(_("Could not check if addr %s is defined") % addr)
+ if not exists:
+ raise ValueError(_("Addr %s is not defined") % addr)
+
+ (rc, exists) = semanage_node_exists_local(self.sh, k)
+ if rc < 0:
+ raise ValueError(_("Could not check if addr %s is defined") % addr)
+ if not exists:
+ raise ValueError(_("Addr %s is defined in policy, cannot be deleted") % addr)
+
+ rc = semanage_node_del_local(self.sh, k)
+ if rc < 0:
+ raise ValueError(_("Could not delete addr %s") % addr)
+
+ semanage_node_key_free(k)
+
+ self.mylog.log_change("resrc=node op=delete laddr=%s netmask=%s proto=%s" % (addr, mask, socket.getprotobyname(self.protocol[proto])))
+
+ def delete(self, addr, mask, proto):
+ self.begin()
+ self.__delete(addr, mask, proto)
+ self.commit()
+
+ def deleteall(self):
+ (rc, nlist) = semanage_node_list_local(self.sh)
+ if rc < 0:
+ raise ValueError(_("Could not deleteall node mappings"))
+
+ self.begin()
+ for node in nlist:
+ self.__delete(semanage_node_get_addr(self.sh, node)[1], semanage_node_get_mask(self.sh, node)[1], self.protocol[semanage_node_get_proto(node)])
+ self.commit()
+
+ def get_all(self, locallist=False):
+ ddict = {}
+ if locallist:
+ (rc, self.ilist) = semanage_node_list_local(self.sh)
+ else:
+ (rc, self.ilist) = semanage_node_list(self.sh)
+ if rc < 0:
+ raise ValueError(_("Could not list addrs"))
+
+ for node in self.ilist:
+ con = semanage_node_get_con(node)
+ addr = semanage_node_get_addr(self.sh, node)
+ mask = semanage_node_get_mask(self.sh, node)
+ proto = self.protocol[semanage_node_get_proto(node)]
+ ddict[(addr[1], mask[1], proto)] = (semanage_context_get_user(con), semanage_context_get_role(con), semanage_context_get_type(con), semanage_context_get_mls(con))
+
+ return ddict
+
+ def customized(self):
+ l = []
+ ddict = self.get_all(True)
+ keys = list(ddict.keys())
+ keys.sort()
+ for k in keys:
+ l.append("-a -M %s -p %s -t %s %s" % (k[1], k[2], ddict[k][2], k[0]))
+ return l
+
+ def list(self, heading=True, locallist=False):
+ ddict = self.get_all(locallist)
+ keys = list(ddict.keys())
+ if len(keys) == 0:
+ return
+ keys.sort()
+
+ if heading:
+ print("%-18s %-18s %-5s %-5s\n" % ("IP Address", "Netmask", "Protocol", "Context"))
+ if is_mls_enabled:
+ for k in keys:
+ val = ''
+ for fields in k:
+ val = val + '\t' + str(fields)
+ print("%-18s %-18s %-5s %s:%s:%s:%s " % (k[0], k[1], k[2], ddict[k][0], ddict[k][1], ddict[k][2], translate(ddict[k][3], False)))
+ else:
+ for k in keys:
+ print("%-18s %-18s %-5s %s:%s:%s " % (k[0], k[1], k[2], ddict[k][0], ddict[k][1], ddict[k][2]))
+
+
+class interfaceRecords(semanageRecords):
+ def __init__(self, store=""):
+ semanageRecords.__init__(self, store)
+
+ def __add(self, interface, serange, ctype):
+ if is_mls_enabled == 1:
+ if serange:
+ serange = untranslate(serange)
+ else:
+ serange = "s0"
+
+ if ctype == "":
+ raise ValueError(_("SELinux Type is required"))
+
+ (rc, k) = semanage_iface_key_create(self.sh, interface)
+ if rc < 0:
+ raise ValueError(_("Could not create key for %s") % interface)
+
+ (rc, exists) = semanage_iface_exists(self.sh, k)
+ if rc < 0:
+ raise ValueError(_("Could not check if interface %s is defined") % interface)
+ if exists:
+ semanage_iface_key_free(k)
+ return self.__modify(interface, serange, ctype)
+
+ (rc, iface) = semanage_iface_create(self.sh)
+ if rc < 0:
+ raise ValueError(_("Could not create interface for %s") % interface)
+
+ rc = semanage_iface_set_name(self.sh, iface, interface)
+ (rc, con) = semanage_context_create(self.sh)
+ if rc < 0:
+ raise ValueError(_("Could not create context for %s") % interface)
+
+ rc = semanage_context_set_user(self.sh, con, "system_u")
+ if rc < 0:
+ raise ValueError(_("Could not set user in interface context for %s") % interface)
+
+ rc = semanage_context_set_role(self.sh, con, "object_r")
+ if rc < 0:
+ raise ValueError(_("Could not set role in interface context for %s") % interface)
+
+ rc = semanage_context_set_type(self.sh, con, ctype)
+ if rc < 0:
+ raise ValueError(_("Could not set type in interface context for %s") % interface)
+
+ if serange:
+ rc = semanage_context_set_mls(self.sh, con, serange)
+ if rc < 0:
+ raise ValueError(_("Could not set mls fields in interface context for %s") % interface)
+
+ rc = semanage_iface_set_ifcon(self.sh, iface, con)
+ if rc < 0:
+ raise ValueError(_("Could not set interface context for %s") % interface)
+
+ rc = semanage_iface_set_msgcon(self.sh, iface, con)
+ if rc < 0:
+ raise ValueError(_("Could not set message context for %s") % interface)
+
+ rc = semanage_iface_modify_local(self.sh, k, iface)
+ if rc < 0:
+ raise ValueError(_("Could not add interface %s") % interface)
+
+ semanage_context_free(con)
+ semanage_iface_key_free(k)
+ semanage_iface_free(iface)
+
+ self.mylog.log_change("resrc=interface op=add netif=%s tcontext=%s:%s:%s:%s" % (interface, "system_u", "object_r", ctype, serange))
+
+ def add(self, interface, serange, ctype):
+ self.begin()
+ self.__add(interface, serange, ctype)
+ self.commit()
+
+ def __modify(self, interface, serange, setype):
+ if not serange and setype == "":
+ raise ValueError(_("Requires setype or serange"))
+
+ (rc, k) = semanage_iface_key_create(self.sh, interface)
+ if rc < 0:
+ raise ValueError(_("Could not create key for %s") % interface)
+
+ (rc, exists) = semanage_iface_exists(self.sh, k)
+ if rc < 0:
+ raise ValueError(_("Could not check if interface %s is defined") % interface)
+ if not exists:
+ raise ValueError(_("Interface %s is not defined") % interface)
+
+ (rc, iface) = semanage_iface_query(self.sh, k)
+ if rc < 0:
+ raise ValueError(_("Could not query interface %s") % interface)
+
+ con = semanage_iface_get_ifcon(iface)
+
+ if serange:
+ semanage_context_set_mls(self.sh, con, untranslate(serange))
+ if setype != "":
+ semanage_context_set_type(self.sh, con, setype)
+
+ rc = semanage_iface_modify_local(self.sh, k, iface)
+ if rc < 0:
+ raise ValueError(_("Could not modify interface %s") % interface)
+
+ semanage_iface_key_free(k)
+ semanage_iface_free(iface)
+
+ self.mylog.log_change("resrc=interface op=modify netif=%s tcontext=%s:%s:%s:%s" % (interface, "system_u", "object_r", setype, serange))
+
+ def modify(self, interface, serange, setype):
+ self.begin()
+ self.__modify(interface, serange, setype)
+ self.commit()
+
+ def __delete(self, interface):
+ (rc, k) = semanage_iface_key_create(self.sh, interface)
+ if rc < 0:
+ raise ValueError(_("Could not create key for %s") % interface)
+
+ (rc, exists) = semanage_iface_exists(self.sh, k)
+ if rc < 0:
+ raise ValueError(_("Could not check if interface %s is defined") % interface)
+ if not exists:
+ raise ValueError(_("Interface %s is not defined") % interface)
+
+ (rc, exists) = semanage_iface_exists_local(self.sh, k)
+ if rc < 0:
+ raise ValueError(_("Could not check if interface %s is defined") % interface)
+ if not exists:
+ raise ValueError(_("Interface %s is defined in policy, cannot be deleted") % interface)
+
+ rc = semanage_iface_del_local(self.sh, k)
+ if rc < 0:
+ raise ValueError(_("Could not delete interface %s") % interface)
+
+ semanage_iface_key_free(k)
+
+ self.mylog.log_change("resrc=interface op=delete netif=%s" % interface)
+
+ def delete(self, interface):
+ self.begin()
+ self.__delete(interface)
+ self.commit()
+
+ def deleteall(self):
+ (rc, ulist) = semanage_iface_list_local(self.sh)
+ if rc < 0:
+ raise ValueError(_("Could not delete all interface mappings"))
+
+ self.begin()
+ for i in ulist:
+ self.__delete(semanage_iface_get_name(i))
+ self.commit()
+
+ def get_all(self, locallist=False):
+ ddict = {}
+ if locallist:
+ (rc, self.ilist) = semanage_iface_list_local(self.sh)
+ else:
+ (rc, self.ilist) = semanage_iface_list(self.sh)
+ if rc < 0:
+ raise ValueError(_("Could not list interfaces"))
+
+ for interface in self.ilist:
+ con = semanage_iface_get_ifcon(interface)
+ ddict[semanage_iface_get_name(interface)] = (semanage_context_get_user(con), semanage_context_get_role(con), semanage_context_get_type(con), semanage_context_get_mls(con))
+
+ return ddict
+
+ def customized(self):
+ l = []
+ ddict = self.get_all(True)
+ keys = list(ddict.keys())
+ keys.sort()
+ for k in keys:
+ l.append("-a -t %s %s" % (ddict[k][2], k))
+ return l
+
+ def list(self, heading=True, locallist=False):
+ ddict = self.get_all(locallist)
+ keys = list(ddict.keys())
+ if len(keys) == 0:
+ return
+ keys.sort()
+
+ if heading:
+ print("%-30s %s\n" % (_("SELinux Interface"), _("Context")))
+ if is_mls_enabled:
+ for k in keys:
+ print("%-30s %s:%s:%s:%s " % (k, ddict[k][0], ddict[k][1], ddict[k][2], translate(ddict[k][3], False)))
+ else:
+ for k in keys:
+ print("%-30s %s:%s:%s " % (k,ddict[k][0], ddict[k][1], ddict[k][2]))
+
+class fcontextRecords(semanageRecords):
+ try:
+ valid_types = sepolicy.info(sepolicy.ATTRIBUTE, "file_type")[0]["types"]
+ valid_types += sepolicy.info(sepolicy.ATTRIBUTE, "device_node")[0]["types"]
+ except RuntimeError:
+ valid_types = []
+
+ def __init__(self, store=""):
+ semanageRecords.__init__(self, store)
+ self.equiv = {}
+ self.equiv_dist = {}
+ self.equal_ind = False
+ try:
+ fd = open(selinux.selinux_file_context_subs_path(), "r")
+ for i in fd.readlines():
+ i = i.strip()
+ if len(i) == 0:
+ continue
+ if i.startswith("#"):
+ continue
+ target, substitute = i.split()
+ self.equiv[target] = substitute
+ fd.close()
+ except IOError:
+ pass
+ try:
+ fd = open(selinux.selinux_file_context_subs_dist_path(), "r")
+ for i in fd.readlines():
+ i = i.strip()
+ if len(i) == 0:
+ continue
+ if i.startswith("#"):
+ continue
+ target, substitute = i.split()
+ self.equiv_dist[target] = substitute
+ fd.close()
+ except IOError:
+ pass
+
+ def commit(self):
+ if self.equal_ind:
+ subs_file = selinux.selinux_file_context_subs_path()
+ tmpfile = "%s.tmp" % subs_file
+ fd = open(tmpfile, "w")
+ for target in list(self.equiv.keys()):
+ fd.write("%s %s\n" % (target, self.equiv[target]))
+ fd.close()
+ try:
+ os.chmod(tmpfile, os.stat(subs_file)[stat.ST_MODE])
+ except:
+ pass
+ os.rename(tmpfile, subs_file)
+ self.equal_ind = False
+ semanageRecords.commit(self)
+
+ def add_equal(self, target, substitute):
+ self.begin()
+ if target != "/" and target[-1] == "/":
+ raise ValueError(_("Target %s is not valid. Target is not allowed to end with '/'") % target)
+
+ if substitute != "/" and substitute[-1] == "/":
+ raise ValueError(_("Substitute %s is not valid. Substitute is not allowed to end with '/'") % substitute)
+
+ if target in list(self.equiv.keys()):
+ raise ValueError(_("Equivalence class for %s already exists") % target)
+ self.validate(target)
+
+ for fdict in (self.equiv, self.equiv_dist):
+ for i in fdict:
+ if i.startswith(target + "/"):
+ raise ValueError(_("File spec %(TARGET)s conflicts with equivalency rule '%(SOURCE)s %(DEST)s'") % {"TARGET": target, "SOURCE": i, "DEST": fdict[i]})
+
+ self.mylog.log_change("resrc=fcontext op=add-equal %s %s" % (audit.audit_encode_nv_string("sglob", target, 0), audit.audit_encode_nv_string("tglob", substitute, 0)))
+
+ self.equiv[target] = substitute
+ self.equal_ind = True
+ self.commit()
+
+ def modify_equal(self, target, substitute):
+ self.begin()
+ if target not in list(self.equiv.keys()):
+ raise ValueError(_("Equivalence class for %s does not exists") % target)
+ self.equiv[target] = substitute
+ self.equal_ind = True
+ self.mylog.log_change("resrc=fcontext op=modify-equal %s %s" % (audit.audit_encode_nv_string("sglob", target, 0), audit.audit_encode_nv_string("tglob", substitute, 0)))
+ self.commit()
+
+ def createcon(self, target, seuser="system_u"):
+ (rc, con) = semanage_context_create(self.sh)
+ if rc < 0:
+ raise ValueError(_("Could not create context for %s") % target)
+ if seuser == "":
+ seuser = "system_u"
+
+ rc = semanage_context_set_user(self.sh, con, seuser)
+ if rc < 0:
+ raise ValueError(_("Could not set user in file context for %s") % target)
+
+ rc = semanage_context_set_role(self.sh, con, "object_r")
+ if rc < 0:
+ raise ValueError(_("Could not set role in file context for %s") % target)
+
+ if is_mls_enabled == 1:
+ rc = semanage_context_set_mls(self.sh, con, "s0")
+ if rc < 0:
+ raise ValueError(_("Could not set mls fields in file context for %s") % target)
+
+ return con
+
+ def validate(self, target):
+ if target == "" or target.find("\n") >= 0:
+ raise ValueError(_("Invalid file specification"))
+ if target.find(" ") != -1:
+ raise ValueError(_("File specification can not include spaces"))
+ for fdict in (self.equiv, self.equiv_dist):
+ for i in fdict:
+ if target.startswith(i + "/"):
+ t = re.sub(i, fdict[i], target)
+ raise ValueError(_("File spec %(TARGET)s conflicts with equivalency rule '%(SOURCE)s %(DEST)s'; Try adding '%(DEST1)s' instead") % {"TARGET":target, "SOURCE": i, "DEST":fdict[i], "DEST1": t})
+
+
+ def __add(self, target, type, ftype="", serange=None, seuser="system_u"):
+ self.validate(target)
+
+ if seuser == "":
+ seuser = "system_u"
+
+ if is_mls_enabled == 1:
+ serange = untranslate(serange)
+
+ if not serange:
+ serange = "s0"
+
+ if type == "":
+ raise ValueError(_("SELinux Type is required"))
+
+ if type != "<<none>>" and sepolicy.get_real_type_name(type) not in self.valid_types:
+ raise ValueError(_("Type %s is invalid, must be a file or device type") % type)
+
+ (rc, k) = semanage_fcontext_key_create(self.sh, target, file_types[ftype])
+ if rc < 0:
+ raise ValueError(_("Could not create key for %s") % target)
+
+ (rc, exists) = semanage_fcontext_exists(self.sh, k)
+ if rc < 0:
+ raise ValueError(_("Could not check if file context for %s is defined") % target)
+
+ if not exists:
+ (rc, exists) = semanage_fcontext_exists_local(self.sh, k)
+ if rc < 0:
+ raise ValueError(_("Could not check if file context for %s is defined") % target)
+
+ if exists:
+ semanage_fcontext_key_free(k)
+ return self.__modify(target, type, ftype, serange, seuser)
+
+ (rc, fcontext) = semanage_fcontext_create(self.sh)
+ if rc < 0:
+ raise ValueError(_("Could not create file context for %s") % target)
+
+ rc = semanage_fcontext_set_expr(self.sh, fcontext, target)
+ if type != "<<none>>":
+ con = self.createcon(target, seuser)
+
+ rc = semanage_context_set_type(self.sh, con, type)
+ if rc < 0:
+ raise ValueError(_("Could not set type in file context for %s") % target)
+
+ if serange:
+ rc = semanage_context_set_mls(self.sh, con, serange)
+ if rc < 0:
+ raise ValueError(_("Could not set mls fields in file context for %s") % target)
+ rc = semanage_fcontext_set_con(self.sh, fcontext, con)
+ if rc < 0:
+ raise ValueError(_("Could not set file context for %s") % target)
+
+ semanage_fcontext_set_type(fcontext, file_types[ftype])
+
+ rc = semanage_fcontext_modify_local(self.sh, k, fcontext)
+ if rc < 0:
+ raise ValueError(_("Could not add file context for %s") % target)
+
+ if type != "<<none>>":
+ semanage_context_free(con)
+ semanage_fcontext_key_free(k)
+ semanage_fcontext_free(fcontext)
+
+ if not seuser:
+ seuser = "system_u"
+
+ self.mylog.log_change("resrc=fcontext op=add %s ftype=%s tcontext=%s:%s:%s:%s" % (audit.audit_encode_nv_string("tglob", target, 0), ftype_to_audit[ftype], seuser, "object_r", type, serange))
+
+ def add(self, target, type, ftype="", serange=None, seuser="system_u"):
+ self.begin()
+ self.__add(target, type, ftype, serange, seuser)
+ self.commit()
+
+ def __modify(self, target, setype, ftype, serange, seuser):
+ if serange and setype == "" and seuser == "":
+ raise ValueError(_("Requires setype, serange or seuser"))
+ if setype not in ["", "<<none>>"] and sepolicy.get_real_type_name(setype) not in self.valid_types:
+ raise ValueError(_("Type %s is invalid, must be a file or device type") % setype)
+
+ self.validate(target)
+
+ (rc, k) = semanage_fcontext_key_create(self.sh, target, file_types[ftype])
+ if rc < 0:
+ raise ValueError(_("Could not create a key for %s") % target)
+
+ (rc, exists) = semanage_fcontext_exists(self.sh, k)
+ if rc < 0:
+ raise ValueError(_("Could not check if file context for %s is defined") % target)
+ if not exists:
+ (rc, exists) = semanage_fcontext_exists_local(self.sh, k)
+ if not exists:
+ raise ValueError(_("File context for %s is not defined") % target)
+
+ try:
+ (rc, fcontext) = semanage_fcontext_query_local(self.sh, k)
+ except OSError:
+ try:
+ (rc, fcontext) = semanage_fcontext_query(self.sh, k)
+ except OSError:
+ raise ValueError(_("Could not query file context for %s") % target)
+
+ if setype != "<<none>>":
+ con = semanage_fcontext_get_con(fcontext)
+
+ if con == None:
+ con = self.createcon(target)
+
+ if serange:
+ semanage_context_set_mls(self.sh, con, untranslate(serange))
+ if seuser != "":
+ semanage_context_set_user(self.sh, con, seuser)
+
+ if setype != "":
+ semanage_context_set_type(self.sh, con, setype)
+
+ rc = semanage_fcontext_set_con(self.sh, fcontext, con)
+ if rc < 0:
+ raise ValueError(_("Could not set file context for %s") % target)
+ else:
+ rc = semanage_fcontext_set_con(self.sh, fcontext, None)
+ if rc < 0:
+ raise ValueError(_("Could not set file context for %s") % target)
+
+ rc = semanage_fcontext_modify_local(self.sh, k, fcontext)
+ if rc < 0:
+ raise ValueError(_("Could not modify file context for %s") % target)
+
+ semanage_fcontext_key_free(k)
+ semanage_fcontext_free(fcontext)
+
+ if not seuser:
+ seuser = "system_u"
+
+ self.mylog.log_change("resrc=fcontext op=modify %s ftype=%s tcontext=%s:%s:%s:%s" % (audit.audit_encode_nv_string("tglob", target, 0), ftype_to_audit[ftype], seuser, "object_r", setype, serange))
+
+ def modify(self, target, setype, ftype, serange, seuser):
+ self.begin()
+ self.__modify(target, setype, ftype, serange, seuser)
+ self.commit()
+
+ def deleteall(self):
+ (rc, flist) = semanage_fcontext_list_local(self.sh)
+ if rc < 0:
+ raise ValueError(_("Could not list the file contexts"))
+
+ self.begin()
+
+ for fcontext in flist:
+ target = semanage_fcontext_get_expr(fcontext)
+ ftype = semanage_fcontext_get_type(fcontext)
+ ftype_str = semanage_fcontext_get_type_str(ftype)
+ (rc, k) = semanage_fcontext_key_create(self.sh, target, file_types[ftype_str])
+ if rc < 0:
+ raise ValueError(_("Could not create a key for %s") % target)
+
+ rc = semanage_fcontext_del_local(self.sh, k)
+ if rc < 0:
+ raise ValueError(_("Could not delete the file context %s") % target)
+ semanage_fcontext_key_free(k)
+
+ self.mylog.log_change("resrc=fcontext op=delete %s ftype=%s" % (audit.audit_encode_nv_string("tglob", target, 0), ftype_to_audit[file_type_str_to_option[ftype_str]]))
+
+ self.equiv = {}
+ self.equal_ind = True
+ self.commit()
+
+ def __delete(self, target, ftype):
+ if target in list(self.equiv.keys()):
+ self.equiv.pop(target)
+ self.equal_ind = True
+
+ self.mylog.log_change("resrc=fcontext op=delete-equal %s" % (audit.audit_encode_nv_string("tglob", target, 0)))
+
+ return
+
+ (rc, k) = semanage_fcontext_key_create(self.sh, target, file_types[ftype])
+ if rc < 0:
+ raise ValueError(_("Could not create a key for %s") % target)
+
+ (rc, exists) = semanage_fcontext_exists_local(self.sh, k)
+ if rc < 0:
+ raise ValueError(_("Could not check if file context for %s is defined") % target)
+ if not exists:
+ (rc, exists) = semanage_fcontext_exists(self.sh, k)
+ if rc < 0:
+ raise ValueError(_("Could not check if file context for %s is defined") % target)
+ if exists:
+ raise ValueError(_("File context for %s is defined in policy, cannot be deleted") % target)
+ else:
+ raise ValueError(_("File context for %s is not defined") % target)
+
+ rc = semanage_fcontext_del_local(self.sh, k)
+ if rc < 0:
+ raise ValueError(_("Could not delete file context for %s") % target)
+
+ semanage_fcontext_key_free(k)
+
+ self.mylog.log_change("resrc=fcontext op=delete %s ftype=%s" % (audit.audit_encode_nv_string("tglob", target, 0), ftype_to_audit[ftype]))
+
+ def delete(self, target, ftype):
+ self.begin()
+ self.__delete(target, ftype)
+ self.commit()
+
+ def get_all(self, locallist=False):
+ if locallist:
+ (rc, self.flist) = semanage_fcontext_list_local(self.sh)
+ else:
+ (rc, self.flist) = semanage_fcontext_list(self.sh)
+ if rc < 0:
+ raise ValueError(_("Could not list file contexts"))
+ (rc, fchomedirs) = semanage_fcontext_list_homedirs(self.sh)
+ if rc < 0:
+ raise ValueError(_("Could not list file contexts for home directories"))
+ (rc, fclocal) = semanage_fcontext_list_local(self.sh)
+ if rc < 0:
+ raise ValueError(_("Could not list local file contexts"))
+
+ self.flist += fchomedirs
+ self.flist += fclocal
+
+ from collections import OrderedDict
+ ddict = OrderedDict()
+
+ for fcontext in self.flist:
+ expr = semanage_fcontext_get_expr(fcontext)
+ ftype = semanage_fcontext_get_type(fcontext)
+ ftype_str = semanage_fcontext_get_type_str(ftype)
+ con = semanage_fcontext_get_con(fcontext)
+ if con:
+ ddict[(expr, ftype_str)] = (semanage_context_get_user(con), semanage_context_get_role(con), semanage_context_get_type(con), semanage_context_get_mls(con))
+ else:
+ ddict[(expr, ftype_str)] = con
+
+ return ddict
+
+ def customized(self):
+ l = []
+ fcon_dict = self.get_all(True)
+ keys = list(fcon_dict.keys())
+ for k in keys:
+ if fcon_dict[k]:
+ l.append("-a -f %s -t %s '%s'" % (file_type_str_to_option[k[1]], fcon_dict[k][2], k[0]))
+
+ if len(self.equiv):
+ for target in list(self.equiv.keys()):
+ l.append("-a -e %s %s" % (self.equiv[target], target))
+ return l
+
+ def list(self, heading=True, locallist=False):
+ fcon_dict = self.get_all(locallist)
+ keys = list(fcon_dict.keys())
+ if len(keys) != 0:
+ if heading:
+ print("%-50s %-18s %s\n" % (_("SELinux fcontext"), _("type"), _("Context")))
+ for k in keys:
+ if fcon_dict[k]:
+ if is_mls_enabled:
+ print("%-50s %-18s %s:%s:%s:%s " % (k[0], k[1], fcon_dict[k][0], fcon_dict[k][1], fcon_dict[k][2], translate(fcon_dict[k][3], False)))
+ else:
+ print("%-50s %-18s %s:%s:%s " % (k[0], k[1], fcon_dict[k][0], fcon_dict[k][1], fcon_dict[k][2]))
+ else:
+ print("%-50s %-18s <<None>>" % (k[0], k[1]))
+
+ if len(self.equiv_dist):
+ if not locallist:
+ if heading:
+ print(_("\nSELinux Distribution fcontext Equivalence \n"))
+ for target in list(self.equiv_dist.keys()):
+ print("%s = %s" % (target, self.equiv_dist[target]))
+ if len(self.equiv):
+ if heading:
+ print(_("\nSELinux Local fcontext Equivalence \n"))
+
+ for target in list(self.equiv.keys()):
+ print("%s = %s" % (target, self.equiv[target]))
+
+class booleanRecords(semanageRecords):
+ def __init__(self, store=""):
+ semanageRecords.__init__(self, store)
+ self.dict = {}
+ self.dict["TRUE"] = 1
+ self.dict["FALSE"] = 0
+ self.dict["ON"] = 1
+ self.dict["OFF"] = 0
+ self.dict["1"] = 1
+ self.dict["0"] = 0
+
+ try:
+ rc, self.current_booleans = selinux.security_get_boolean_names()
+ rc, ptype = selinux.selinux_getpolicytype()
+ except:
+ self.current_booleans = []
+ ptype = None
+
+ if self.store == None or self.store == ptype:
+ self.modify_local = True
+ else:
+ self.modify_local = False
+
+ def __mod(self, name, value):
+ name = selinux.selinux_boolean_sub(name)
+
+ (rc, k) = semanage_bool_key_create(self.sh, name)
+ if rc < 0:
+ raise ValueError(_("Could not create a key for %s") % name)
+ (rc, exists) = semanage_bool_exists(self.sh, k)
+ if rc < 0:
+ raise ValueError(_("Could not check if boolean %s is defined") % name)
+ if not exists:
+ raise ValueError(_("Boolean %s is not defined") % name)
+
+ (rc, b) = semanage_bool_query(self.sh, k)
+ if rc < 0:
+ raise ValueError(_("Could not query file context %s") % name)
+
+ if value.upper() in self.dict:
+ semanage_bool_set_value(b, self.dict[value.upper()])
+ else:
+ raise ValueError(_("You must specify one of the following values: %s") % ", ".join(list(self.dict.keys())))
+
+ if self.modify_local and name in self.current_booleans:
+ rc = semanage_bool_set_active(self.sh, k, b)
+ if rc < 0:
+ raise ValueError(_("Could not set active value of boolean %s") % name)
+ rc = semanage_bool_modify_local(self.sh, k, b)
+ if rc < 0:
+ raise ValueError(_("Could not modify boolean %s") % name)
+ semanage_bool_key_free(k)
+ semanage_bool_free(b)
+
+ def modify(self, name, value=None, use_file=False):
+ self.begin()
+ if use_file:
+ fd = open(name)
+ for b in fd.read().split("\n"):
+ b = b.strip()
+ if len(b) == 0:
+ continue
+
+ try:
+ boolname, val = b.split("=")
+ except ValueError:
+ raise ValueError(_("Bad format %(BOOLNAME)s: Record %(VALUE)s" % { "BOOLNAME": name, "VALUE": b }))
+ self.__mod(boolname.strip(), val.strip())
+ fd.close()
+ else:
+ self.__mod(name, value)
+
+ self.commit()
+
+ def __delete(self, name):
+ name = selinux.selinux_boolean_sub(name)
+
+ (rc, k) = semanage_bool_key_create(self.sh, name)
+ if rc < 0:
+ raise ValueError(_("Could not create a key for %s") % name)
+ (rc, exists) = semanage_bool_exists(self.sh, k)
+ if rc < 0:
+ raise ValueError(_("Could not check if boolean %s is defined") % name)
+ if not exists:
+ raise ValueError(_("Boolean %s is not defined") % name)
+
+ (rc, exists) = semanage_bool_exists_local(self.sh, k)
+ if rc < 0:
+ raise ValueError(_("Could not check if boolean %s is defined") % name)
+ if not exists:
+ raise ValueError(_("Boolean %s is defined in policy, cannot be deleted") % name)
+
+ rc = semanage_bool_del_local(self.sh, k)
+ if rc < 0:
+ raise ValueError(_("Could not delete boolean %s") % name)
+
+ semanage_bool_key_free(k)
+
+ def delete(self, name):
+ self.begin()
+ self.__delete(name)
+ self.commit()
+
+ def deleteall(self):
+ (rc, self.blist) = semanage_bool_list_local(self.sh)
+ if rc < 0:
+ raise ValueError(_("Could not list booleans"))
+
+ self.begin()
+
+ for boolean in self.blist:
+ name = semanage_bool_get_name(boolean)
+ self.__delete(name)
+
+ self.commit()
+
+ def get_all(self, locallist=False):
+ ddict = {}
+ if locallist:
+ (rc, self.blist) = semanage_bool_list_local(self.sh)
+ else:
+ (rc, self.blist) = semanage_bool_list(self.sh)
+ if rc < 0:
+ raise ValueError(_("Could not list booleans"))
+
+ for boolean in self.blist:
+ value = []
+ name = semanage_bool_get_name(boolean)
+ value.append(semanage_bool_get_value(boolean))
+ if self.modify_local and boolean in self.current_booleans:
+ value.append(selinux.security_get_boolean_pending(name))
+ value.append(selinux.security_get_boolean_active(name))
+ else:
+ value.append(value[0])
+ value.append(value[0])
+ ddict[name] = value
+
+ return ddict
+
+ def get_desc(self, name):
+ name = selinux.selinux_boolean_sub(name)
+ return boolean_desc(name)
+
+ def get_category(self, name):
+ name = selinux.selinux_boolean_sub(name)
+ return boolean_category(name)
+
+ def customized(self):
+ l = []
+ ddict = self.get_all(True)
+ keys = list(ddict.keys())
+ keys.sort()
+ for k in keys:
+ if ddict[k]:
+ l.append("-m -%s %s" % (ddict[k][2], k))
+ return l
+
+ def list(self, heading=True, locallist=False, use_file=False):
+ on_off = (_("off"), _("on"))
+ if use_file:
+ ddict = self.get_all(locallist)
+ keys = list(ddict.keys())
+ for k in keys:
+ if ddict[k]:
+ print("%s=%s" % (k, ddict[k][2]))
+ return
+ ddict = self.get_all(locallist)
+ keys = list(ddict.keys())
+ if len(keys) == 0:
+ return
+
+ if heading:
+ print("%-30s %s %s %s\n" % (_("SELinux boolean"), _("State"), _("Default"), _("Description")))
+ for k in keys:
+ if ddict[k]:
+ print("%-30s (%-5s,%5s) %s" % (k, on_off[selinux.security_get_boolean_active(k)], on_off[ddict[k][2]], self.get_desc(k)))
diff --git policycoreutils-2.5/semanage/setup.py policycoreutils-2.5/semanage/setup.py
new file mode 100644
index 0000000..7735c59
--- /dev/null
+++ policycoreutils-2.5/semanage/setup.py
@@ -0,0 +1,35 @@
+# Authors:
+# Dan Walsh <dwalsh@redhat.com>
+#
+# Copyright (C) 2013 Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+
+from distutils.core import setup, Extension
+
+setup(name = 'seobject',
+ version = '0.1',
+ description = 'python bindings used by semanage and system-config-selinux',
+ long_description = 'python bindings used by semanage and system-config-selinux',
+ author = 'Dan Walsh',
+ author_email = 'dwalsh@redhat.com',
+ maintainer = 'Dan Walsh',
+ maintainer_email = 'dwalsh@redhat.com',
+ license = 'GPLv2+',
+ platforms = 'posix',
+ url = '',
+ download_url = '',
+ packages=["seobject"],
+)
diff --git policycoreutils-2.5/semodule/semodule.8 policycoreutils-2.5/semodule/semodule.8
index 6db390c..34d34eb 100644
--- policycoreutils-2.5/semodule/semodule.8
+++ policycoreutils-2.5/semodule/semodule.8
@@ -3,7 +3,7 @@
semodule \- Manage SELinux policy modules.
.SH SYNOPSIS
-.B semodule [options]... MODE [MODES]...
+.B semodule [option]... MODE...
.br
.SH DESCRIPTION
.PP
@@ -15,7 +15,7 @@ any other transaction. semodule acts on module packages created
by semodule_package. Conventionally, these files have a .pp suffix
(policy package), although this is not mandated in any way.
-.SH "OPTIONS"
+.SH "MODES"
.TP
.B \-R, \-\-reload
force a reload of policy
@@ -36,16 +36,11 @@ deprecated, alias for --install
deprecated, alias for --install
.TP
.B \-r,\-\-remove=MODULE_NAME
-remove existing module
+remove existing module at desired priority (defaults to -X 400)
.TP
-.B \-l,\-\-list-modules=[KIND]
+.B \-l[KIND],\-\-list-modules[=KIND]
display list of installed modules (other than base)
.TP
-.B \-E,\-\-extract=MODULE_PKG
-Extract a module from the store as an HLL or CIL file to the current directory.
-A module is extracted as HLL by default. The name of the module written is
-<module-name>.<lang_ext>
-.TP
.B KIND:
.TP
standard
@@ -57,12 +52,18 @@ list all modules
.B \-X,\-\-priority=PRIORITY
set priority for following operations (1-999)
.TP
-.B \-e,\-\-enabled=MODULE_NAME
+.B \-e,\-\-enable=MODULE_NAME
enable module
.TP
.B \-d,\-\-disable=MODULE_NAME
disable module
.TP
+.B \-E,\-\-extract=MODULE_PKG
+Extract a module from the store as an HLL or CIL file to the current directory.
+A module is extracted as HLL by default. The name of the module written is
+<module-name>.<lang_ext>
+.SH "OPTIONS"
+.TP
.B \-s,\-\-store
name of the store to operate on
.TP
@@ -88,10 +89,12 @@ Use an alternate path for the policy store root
be verbose
.TP
.B \-c,\-\-cil
-Extract module as a CIL file. This only affects the \-\-extract option.
+Extract module as a CIL file. This only affects the \-\-extract option and
+only modules listed in \-\-extract after this option.
.TP
.B \-H,\-\-hll
-Extract module as an HLL file. This only affects the \-\-extract option.
+Extract module as an HLL file. This only affects the \-\-extract option and
+only modules listed in \-\-extract after this option.
.SH EXAMPLE
.nf
@@ -99,29 +102,34 @@ Extract module as an HLL file. This only affects the \-\-extract option.
$ semodule \-b base.pp
# Install or replace a non-base policy package.
$ semodule \-i httpd.pp
+# Install or replace all non-base modules in the current directory.
+# This syntax can be used with -i/u/r/E, but no other option can be entered after the module names
+$ semodule \-i *.pp
+# Install or replace all modules in the current directory.
+$ ls *.pp | grep \-Ev "base.pp|enableaudit.pp" | xargs /usr/sbin/semodule \-b base.pp \-i
# List non-base modules.
$ semodule \-l
+# List all modules including priorities
+$ semodule \-lfull
+# Remove a module at priority 100
+$ semodule \-X 100 \-r wireshark
# Turn on all AVC Messages for which SELinux currently is "dontaudit"ing.
$ semodule \-DB
# Turn "dontaudit" rules back on.
$ semodule \-B
-# Install or replace all non-base modules in the current directory.
-$ semodule \-i *.pp
-# Install or replace all modules in the current directory.
-$ ls *.pp | grep \-Ev "base.pp|enableaudit.pp" | xargs /usr/sbin/semodule \-b base.pp \-i
-# Disable a module.
+# Disable a module (all instances of given module across priorities will be disabled).
$ semodule \-d alsa
# Install a module at a specific priority.
$ semodule \-X 100 \-i alsa.pp
# List all modules.
-$ semodule \-l full
+$ semodule \-\-list=full
# Set an alternate path for the policy root
$ semodule \-B \-p "/tmp"
# Set an alternate path for the policy store root
$ semodule \-B \-S "/tmp/var/lib/selinux"
# Write the HLL version of puppet and the CIL version of wireshark
# modules at priority 400 to the current working directory
-$ semodule \-X 400 \-g wireshark \-\-cil \-g puppet \-\-hll
+$ semodule \-X 400 \-\-hll \-E puppet \-\-cil \-E wireshark
.fi
.SH SEE ALSO
diff --git policycoreutils-2.5/semodule/semodule.c policycoreutils-2.5/semodule/semodule.c
index bcfaa2b..d053493 100644
--- policycoreutils-2.5/semodule/semodule.c
+++ policycoreutils-2.5/semodule/semodule.c
@@ -120,26 +120,26 @@ static void create_signal_handlers(void)
static void usage(char *progname)
{
- printf("usage: %s [options]... MODE [MODES]...\n", progname);
+ printf("usage: %s [option]... MODE...\n", progname);
printf("Manage SELinux policy modules.\n");
printf("MODES:\n");
printf(" -R, --reload reload policy\n");
printf(" -B, --build build and reload policy\n");
+ printf(" -D,--disable_dontaudit Remove dontaudits from policy\n");
printf(" -i,--install=MODULE_PKG install a new module\n");
- printf(" -r,--remove=MODULE_NAME remove existing module\n");
- printf(" -l,--list-modules=[KIND] display list of installed modules\n");
+ printf(" -r,--remove=MODULE_NAME remove existing module at desired priority\n");
+ printf(" -l[KIND],--list-modules[=KIND] display list of installed modules\n");
printf(" KIND: standard list highest priority, enabled modules\n");
printf(" full list all modules\n");
printf(" -X,--priority=PRIORITY set priority for following operations (1-999)\n");
printf(" -e,--enable=MODULE_NAME enable module\n");
printf(" -d,--disable=MODULE_NAME disable module\n");
printf(" -E,--extract=MODULE_NAME extract module\n");
- printf("Other options:\n");
+ printf("Options:\n");
printf(" -s,--store name of the store to operate on\n");
printf(" -N,-n,--noreload do not reload policy after commit\n");
printf(" -h,--help print this message and quit\n");
printf(" -v,--verbose be verbose\n");
- printf(" -D,--disable_dontaudit Remove dontaudits from policy\n");
printf(" -P,--preserve_tunables Preserve tunables in policy\n");
printf(" -C,--ignore-module-cache Rebuild CIL modules compiled from HLL files\n");
printf(" -p,--path use an alternate path for the policy root\n");
@@ -209,7 +209,7 @@ static void parse_command_line(int argc, char **argv)
no_reload = 0;
priority = 400;
while ((i =
- getopt_long(argc, argv, "s:b:hi:l::vqr:u:RnNBDCPX:e:d:p:S:E:cH", opts,
+ getopt_long(argc, argv, "s:b:hi:l::vr:u:RnNBDCPX:e:d:p:S:E:cH", opts,
NULL)) != -1) {
switch (i) {
case 'b':
@@ -560,6 +560,7 @@ cleanup_extract:
}
const char *name = NULL;
+ const char *version = NULL;
for (j = 0; j < modinfos_len; j++) {
m = semanage_module_list_nth(modinfos, j);
@@ -567,10 +568,12 @@ cleanup_extract:
result = semanage_module_info_get_name(sh, m, &name);
if (result != 0) goto cleanup_list;
- printf("%s\n", name);
+ result = semanage_module_info_get_version(sh, m, &version);
+ if (result != 0) goto cleanup_list;
+
+ printf("%s\t%s\n", name, version);
}
- }
- else if (strcmp(mode_arg, "full") == 0) {
+ } else if (strcmp(mode_arg, "full") == 0) {
/* get the modules */
result = semanage_module_list_all(sh,
&modinfos,
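Review bot: The new `printf("%s\t%s\n", name, version)` passes `version` straight to `%s`, and nothing in the hunk guarantees it is non-NULL after `semanage_module_info_get_version()` returns 0; if the getter can hand back an unset (NULL) version for a module record, that is undefined behavior rather than an empty column. A defensive form is `printf("%s\t%s\n", name, version ? version : "");`, or check `version` and `goto cleanup_list` as the name path does. The enclosing list loop starts in the previous hunk and its caller's cleanup labels are outside this one.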
diff --git policycoreutils-2.5/semodule_package/semodule_package.c policycoreutils-2.5/semodule_package/semodule_package.c
index d2a5fd0..e472054 100644
--- policycoreutils-2.5/semodule_package/semodule_package.c
+++ policycoreutils-2.5/semodule_package/semodule_package.c
@@ -72,6 +72,10 @@ static int file_to_data(const char *path, char **data, size_t * len)
path, strerror(errno));
goto err;
}
+ if (!sb.st_size) {
+ *len = 0;
+ return 0;
+ }
*data = mmap(NULL, sb.st_size, PROT_READ, MAP_PRIVATE, fd, 0);
if (*data == MAP_FAILED) {
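Review bot: The added zero-size early `return 0` skips whatever cleanup the `err` label performs, and `fd` (still in scope, it is passed to `mmap` on the next line) is presumably left open on that path; it also leaves `*data` unset, so a caller that tests `*data` instead of `*len` reads an indeterminate pointer. Replace the two-line body with `*data = NULL; *len = 0; close(fd); return 0;` (or route through the existing close-and-return path with an rc of 0). The rest of `file_to_data` and its `err` label are outside the hunk, so confirm the label does close `fd` before relying on that.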
diff --git policycoreutils-2.5/sepolicy/common.h policycoreutils-2.5/sepolicy/common.h
index dc3ce6a..3b93845 100644
--- policycoreutils-2.5/sepolicy/common.h
+++ policycoreutils-2.5/sepolicy/common.h
@@ -9,12 +9,18 @@
# define UNUSED(x) x
#endif
-#define py_decref(x) { if (x) Py_DECREF(x); }
+#if PY_MAJOR_VERSION < 3
+#define PyLong_AsLong PyInt_AsLong
+#undef PyUnicode_FromString
+#define PyUnicode_FromString PyString_FromString
+#endif
+
+#define py_decref(x) { if (x) Py_DECREF(x); }
static int py_append_string(PyObject *list, const char* value)
{
int rt;
- PyObject *obj = PyString_FromString(value);
+ PyObject *obj = PyUnicode_FromString(value);
if (!obj) return -1;
rt = PyList_Append(list, obj);
Py_DECREF(obj);
@@ -40,11 +46,9 @@ static int py_insert_obj(PyObject *dict, const char *name, PyObject *obj)
static int py_insert_string(PyObject *dict, const char *name, const char* value)
{
int rt;
- PyObject *obj = PyString_FromString(value);
+ PyObject *obj = PyUnicode_FromString(value);
if (!obj) return -1;
rt = PyDict_SetItemString(dict, name, obj);
Py_DECREF(obj);
return rt;
}
-
-
diff --git policycoreutils-2.5/sepolicy/info.c policycoreutils-2.5/sepolicy/info.c
index bbb6844..ceb5c9b 100644
--- policycoreutils-2.5/sepolicy/info.c
+++ policycoreutils-2.5/sepolicy/info.c
@@ -1,12 +1,14 @@
/**
* @file
- * Command line tool to search TE rules.
+ * Python bindings to search TE rules.
*
+ * @author Thomas Liu <tliu@redhat.com>
+ * @author Dan Walsh <dwalsh@redhat.com>
+ *
+ * Sections copied from sesearch.c in setools package
* @author Frank Mayer mayerf@tresys.com
* @author Jeremy A. Mowery jmowery@tresys.com
* @author Paul Rosenfeld prosenfeld@tresys.com
- * @author Thomas Liu <tliu@redhat.com>
- * @author Dan Walsh <dwalsh@redhat.com>
*
* Copyright (C) 2003-2008 Tresys Technology, LLC
*
@@ -52,6 +54,13 @@
#define COPYRIGHT_INFO "Copyright (C) 2003-2007 Tresys Technology, LLC"
+#ifndef IPPROTO_DCCP
+#define IPPROTO_DCCP 33
+#endif
+#ifndef IPPROTO_SCTP
+#define IPPROTO_SCTP 132
+#endif
+
enum input
{
TYPE, ATTRIBUTE, ROLE, USER, PORT, BOOLEAN, CLASS, SENS, CATS
@@ -94,7 +103,6 @@ static PyObject* get_sens(const char *name, const apol_policy_t * policydb)
{
PyObject *dict = NULL;
int error = 0;
- int rt = 0;
size_t i;
char *tmp = NULL;
const char *lvl_name = NULL;
@@ -126,7 +134,6 @@ static PyObject* get_sens(const char *name, const apol_policy_t * policydb)
if (py_insert_string(dict, lvl_name, tmp))
goto err;
free(tmp); tmp = NULL;
- if (rt) goto err;
}
if (name && !apol_vector_get_size(v)) {
@@ -408,7 +415,7 @@ cleanup:
}
/**
- * Gets a textual representation of an attribute, and
+ * Gets a textual representation of an attribute, and
* all of that attribute's types.
*
* @param type_datum Reference to sepol type_datum
@@ -424,7 +431,7 @@ static PyObject* get_attr(const qpol_type_t * type_datum, const apol_policy_t *
unsigned char isattr;
int error = 0;
int rt = 0;
- PyObject *dict = PyDict_New();
+ PyObject *dict = PyDict_New();
if (!dict) goto err;
if (qpol_type_get_name(q, type_datum, &attr_name))
@@ -442,7 +449,7 @@ static PyObject* get_attr(const qpol_type_t * type_datum, const apol_policy_t *
goto err;
list = PyList_New(0);
if (!list) goto err;
-
+
for (; !qpol_iterator_end(iter); qpol_iterator_next(iter)) {
if (qpol_iterator_get_item(iter, (void **)&attr_datum))
goto err;
@@ -601,7 +608,7 @@ static PyObject* get_type(const qpol_type_t * type_datum, const apol_policy_t *
int error = 0;
int rt;
unsigned char isalias, ispermissive, isattr;
- PyObject *dict = PyDict_New();
+ PyObject *dict = PyDict_New();
if (!dict) goto err;
if (qpol_type_get_name(q, type_datum, &type_name))
@@ -638,7 +645,7 @@ err:
py_decref(dict); dict = NULL;
cleanup:
- errno = error;
+ errno = error;
return dict;
}
@@ -674,7 +681,7 @@ static PyObject* get_booleans(const char *name, const apol_policy_t * policydb)
if (qpol_bool_get_state(q, bool_datum, &state))
goto err;
- dict = PyDict_New();
+ dict = PyDict_New();
if (!dict) goto err;
if (py_insert_string(dict, "name", name))
goto err;
@@ -696,7 +703,7 @@ static PyObject* get_booleans(const char *name, const apol_policy_t * policydb)
if (qpol_bool_get_state(q, bool_datum, &state))
goto err;
- dict = PyDict_New();
+ dict = PyDict_New();
if (!dict) goto err;
if (py_insert_string(dict, "name", bool_name))
goto err;
@@ -718,7 +725,7 @@ err:
cleanup:
qpol_iterator_destroy(&iter);
- errno = error;
+ errno = error;
return list;
}
@@ -750,7 +757,7 @@ static PyObject* get_user(const qpol_user_t * user_datum, const apol_policy_t *
if (qpol_user_get_name(q, user_datum, &user_name))
goto err;
- dict = PyDict_New();
+ dict = PyDict_New();
if (!dict) goto err;
if (py_insert_string(dict, "name", user_name))
@@ -775,7 +782,7 @@ static PyObject* get_user(const qpol_user_t * user_datum, const apol_policy_t *
goto err;
free(tmp); tmp=NULL;
}
-
+
if (qpol_user_get_role_iter(q, user_datum, &iter))
goto err;
for (; !qpol_iterator_end(iter); qpol_iterator_next(iter)) {
@@ -1000,7 +1007,7 @@ cleanup:
}
/**
- * get a textual representation of a role, and
+ * get a textual representation of a role, and
* all of that role's types.
*
* @param type_datum Reference to sepol type_datum
@@ -1046,7 +1053,7 @@ static PyObject* get_role(const qpol_role_t * role_datum, const apol_policy_t *
if (rt) goto err;
}
qpol_iterator_destroy(&iter);
-
+
if (qpol_role_get_type_iter(q, role_datum, &iter))
goto err;
if (qpol_iterator_get_size(iter, &n_types))
@@ -1129,7 +1136,9 @@ static PyObject* get_ports(const char *num, const apol_policy_t * policydb)
}
if ((ocon_proto != IPPROTO_TCP) &&
- (ocon_proto != IPPROTO_UDP))
+ (ocon_proto != IPPROTO_UDP) &&
+ (ocon_proto != IPPROTO_DCCP) &&
+ (ocon_proto != IPPROTO_SCTP))
goto err;
if (qpol_portcon_get_context(q, portcon, &ctxt)) {
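Review bot: Admitting `IPPROTO_DCCP` and `IPPROTO_SCTP` here only stops those portcons from being rejected; any later step in `get_ports` that turns `ocon_proto` into a protocol name (not visible in this hunk) would still need to know the two new values, otherwise the entries reach Python with a missing or wrong protocol string. Worth a one-line comment at the condition, `/* keep in sync with the protocol-name mapping below */`, and a check that the mapping covers dccp and sctp. The body of `get_ports` continues past this hunk.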
@@ -1145,13 +1154,13 @@ static PyObject* get_ports(const char *num, const apol_policy_t * policydb)
if ((c = apol_context_create_from_qpol_context(policydb, ctxt)) == NULL) {
goto err;
}
-
+
if((type = apol_context_get_type(c)) == NULL) {
apol_context_destroy(&c);
goto err;
}
-
- dict = PyDict_New();
+
+ dict = PyDict_New();
if (!dict) goto err;
if (py_insert_string(dict, "type", type))
goto err;
@@ -1224,7 +1233,7 @@ static PyObject* get_roles(const char *name, const apol_policy_t * policydb)
}
obj = get_role(role_datum, policydb);
rt = py_append_obj(list, obj);
- Py_DECREF(obj);
+ Py_DECREF(obj);
if (rt) goto err;
} else {
if (qpol_policy_get_role_iter(q, &iter))
@@ -1235,7 +1244,7 @@ static PyObject* get_roles(const char *name, const apol_policy_t * policydb)
goto err;
obj = get_role(role_datum, policydb);
rt = py_append_obj(list, obj);
- Py_DECREF(obj);
+ Py_DECREF(obj);
if (rt) goto err;
}
qpol_iterator_destroy(&iter);
@@ -1283,7 +1292,7 @@ static PyObject* get_types(const char *name, const apol_policy_t * policydb)
}
obj = get_type(type_datum, policydb);
rt = py_append_obj(list, obj);
- Py_DECREF(obj);
+ Py_DECREF(obj);
if (rt) goto err;
} else {
if (qpol_policy_get_type_iter(q, &iter))
@@ -1294,7 +1303,7 @@ static PyObject* get_types(const char *name, const apol_policy_t * policydb)
goto err;
obj = get_type(type_datum, policydb);
rt = py_append_obj(list, obj);
- Py_DECREF(obj);
+ Py_DECREF(obj);
if (rt) goto err;
}
}
@@ -1363,7 +1372,7 @@ PyObject *wrap_info(PyObject *UNUSED(self), PyObject *args){
}
if (!PyArg_ParseTuple(args, "iz", &type, &name))
- return NULL;
+ return NULL;
return info(type, name);
}
diff --git policycoreutils-2.5/sepolicy/org.selinux.conf policycoreutils-2.5/sepolicy/org.selinux.conf
index a350978..1ae079d 100644
--- policycoreutils-2.5/sepolicy/org.selinux.conf
+++ policycoreutils-2.5/sepolicy/org.selinux.conf
@@ -12,12 +12,8 @@
<!-- Allow anyone to invoke methods on the interfaces,
authorization is performed by PolicyKit -->
- <policy at_console="true">
- <allow send_destination="org.selinux"/>
- </policy>
<policy context="default">
- <allow send_destination="org.selinux"
- send_interface="org.freedesktop.DBus.Introspectable"/>
+ <allow send_destination="org.selinux"/>
</policy>
</busconfig>
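Review bot: Dropping the `at_console` block and widening the `default` context from `org.freedesktop.DBus.Introspectable` to every method on `org.selinux` means any local bus client, not only a console session, can now invoke the full interface, so the per-method polkit checks referenced in the comment at the top of the hunk become the only authorization layer. That is consistent with the stated intent, but it is worth stating explicitly in the comment, e.g. `<!-- All callers may reach org.selinux; every exported method MUST carry a polkit require_auth check -->`, and confirming that no method on the service is exported without one.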
diff --git policycoreutils-2.5/sepolicy/org.selinux.policy policycoreutils-2.5/sepolicy/org.selinux.policy
index 0126610..9772127 100644
--- policycoreutils-2.5/sepolicy/org.selinux.policy
+++ policycoreutils-2.5/sepolicy/org.selinux.policy
@@ -70,9 +70,9 @@
<allow_active>auth_admin_keep</allow_active>
</defaults>
</action>
- <action id="org.selinux.change_policy_type">
- <description>SELinux write access</description>
- <message>System policy prevents change_policy_type access to SELinux</message>
+ <action id="org.selinux.change_default_mode">
+ <description>Change SELinux default enforcing mode</description>
+ <message>System policy prevents change_default_policy access to SELinux</message>
<defaults>
<allow_any>no</allow_any>
<allow_inactive>no</allow_inactive>
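Review bot: The renamed action's `<message>` still refers to `change_default_policy`, which matches neither the new id `org.selinux.change_default_mode` nor the description "Change SELinux default enforcing mode", so the authorization prompt a user sees names an action that does not exist. Change it to `<message>System policy prevents change_default_mode access to SELinux</message>`. Any client still requesting the old `org.selinux.change_policy_type` id will now be denied, which appears intended but is not mentioned in the change.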
diff --git policycoreutils-2.5/sepolicy/policy.c policycoreutils-2.5/sepolicy/policy.c
index b7e3536..aac3357 100644
--- policycoreutils-2.5/sepolicy/policy.c
+++ policycoreutils-2.5/sepolicy/policy.c
@@ -3,8 +3,13 @@
* Python bindings to search SELinux Policy rules.
*
* @author Dan Walsh <dwalsh@redhat.com>
+ * Copyright (C) 2012-2013 Red Hat, INC
*
- * Copyright (C) 2012 Red Hat, INC
+ * Sections copied from setools package
+ * @author Frank Mayer mayerf@tresys.com
+ * @author Jeremy A. Mowery jmowery@tresys.com
+ * @author Paul Rosenfeld prosenfeld@tresys.com
+ * Copyright (C) 2003-2008 Tresys Technology, LLC
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
@@ -23,6 +28,17 @@
#include "Python.h"
+struct module_state {
+ PyObject *error;
+};
+
+#if PY_MAJOR_VERSION >= 3
+#define GETSTATE(m) ((struct module_state*)PyModule_GetState(m))
+#else
+#define GETSTATE(m) (&_state)
+static struct module_state _state;
+#endif
+
#ifdef UNUSED
#elif defined(__GNUC__)
# define UNUSED(x) UNUSED_ ## x __attribute__((unused))
@@ -35,21 +51,12 @@
#include "policy.h"
apol_policy_t *global_policy = NULL;
-/* other */
-#include <errno.h>
-#include <stdlib.h>
-#include <stdio.h>
-#include <string.h>
-#include <assert.h>
-
-#define COPYRIGHT_INFO "Copyright (C) 2003-2007 Tresys Technology, LLC"
-
PyObject *wrap_policy(PyObject *UNUSED(self), PyObject *args){
const char *policy_file;
apol_vector_t *mod_paths = NULL;
apol_policy_path_type_e path_type = APOL_POLICY_PATH_TYPE_MONOLITHIC;
apol_policy_path_t *pol_path = NULL;
-
+
if (!PyArg_ParseTuple(args, "z", &policy_file))
return NULL;
@@ -57,7 +64,7 @@ PyObject *wrap_policy(PyObject *UNUSED(self), PyObject *args){
apol_policy_destroy(&global_policy);
int policy_load_options = 0;
-
+
pol_path = apol_policy_path_create(path_type, policy_file, mod_paths);
if (!pol_path) {
apol_vector_destroy(&mod_paths);
@@ -76,7 +83,7 @@ PyObject *wrap_policy(PyObject *UNUSED(self), PyObject *args){
return Py_None;
}
-static PyMethodDef methods[] = {
+static PyMethodDef policy_methods[] = {
{"policy", (PyCFunction) wrap_policy, METH_VARARGS,
"Initialize SELinux policy for use with search and info"},
{"info", (PyCFunction) wrap_info, METH_VARARGS,
@@ -86,8 +93,62 @@ static PyMethodDef methods[] = {
{NULL, NULL, 0, NULL} /* sentinel */
};
-void init_policy(void) {
-PyObject *m;
-m = Py_InitModule("_policy", methods);
-init_info(m);
+#if PY_MAJOR_VERSION >= 3
+
+static int policy_traverse(PyObject *m, visitproc visit, void *arg) {
+ Py_VISIT(GETSTATE(m)->error);
+ return 0;
+}
+
+static int policy_clear(PyObject *m) {
+ Py_CLEAR(GETSTATE(m)->error);
+ return 0;
+}
+
+
+static struct PyModuleDef moduledef = {
+ PyModuleDef_HEAD_INIT,
+ "policy",
+ NULL,
+ sizeof(struct module_state),
+ policy_methods,
+ NULL,
+ policy_traverse,
+ policy_clear,
+ NULL
+};
+
+#define INITERROR return NULL
+
+PyObject *
+PyInit_policy(void)
+
+#else
+#define INITERROR return
+
+void
+initpolicy(void)
+#endif
+{
+#if PY_MAJOR_VERSION >= 3
+ PyObject *module = PyModule_Create(&moduledef);
+#else
+ PyObject *module = Py_InitModule("policy", policy_methods);
+#endif
+
+ if (module == NULL)
+ INITERROR;
+ struct module_state *st = GETSTATE(module);
+
+ init_info(module);
+
+ st->error = PyErr_NewException("policy.Error", NULL, NULL);
+ if (st->error == NULL) {
+ Py_DECREF(module);
+ INITERROR;
+ }
+
+#if PY_MAJOR_VERSION >= 3
+ return module;
+#endif
}
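Review bot: `st->error` is created with `PyErr_NewException("policy.Error", ...)` but never attached to the module, so `policy.Error` is unreachable from Python and the object only lives in module state (where `policy_traverse`/`policy_clear` manage it on Python 3). If it is meant to be the module's public exception type, follow the creation with `Py_INCREF(st->error); if (PyModule_AddObject(module, "Error", st->error) < 0) { Py_DECREF(module); INITERROR; }` (`PyModule_AddObject` steals a reference). The return value of `init_info(module)` is also ignored here; if it can fail, the error is lost.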
diff --git policycoreutils-2.5/sepolicy/search.c policycoreutils-2.5/sepolicy/search.c
index d608006..6c23955 100644
--- policycoreutils-2.5/sepolicy/search.c
+++ policycoreutils-2.5/sepolicy/search.c
@@ -189,7 +189,7 @@ static PyObject* get_ra_results(const apol_policy_t * policy, const apol_vector_
if (qpol_role_get_name(q, role, &tmp)) {
goto err;
}
- obj = PyString_FromString(tmp);
+ obj = PyUnicode_FromString(tmp);
if (py_insert_obj(dict, "source", obj))
goto err;
@@ -199,7 +199,7 @@ static PyObject* get_ra_results(const apol_policy_t * policy, const apol_vector_
if (qpol_role_get_name(q, role, &tmp)) {
goto err;
}
- obj = PyString_FromString(tmp);
+ obj = PyUnicode_FromString(tmp);
if (py_insert_obj(dict, "target", obj))
goto err;
@@ -327,7 +327,7 @@ static PyObject* get_bool(const qpol_policy_t *q, const qpol_cond_t * cond, int
goto err;
}
if (expr_type != QPOL_COND_EXPR_BOOL) {
- obj = PyString_FromString(apol_cond_expr_type_to_str(expr_type));
+ obj = PyUnicode_FromString(apol_cond_expr_type_to_str(expr_type));
if (!obj) goto err;
if (py_append_obj(boollist, obj))
goto err;
@@ -341,7 +341,7 @@ static PyObject* get_bool(const qpol_policy_t *q, const qpol_cond_t * cond, int
if (qpol_bool_get_name(q, cond_bool, &bool_name)) {
goto err;
}
- obj = PyString_FromString(bool_name);
+ obj = PyUnicode_FromString(bool_name);
if (py_tuple_insert_obj(tuple, 0, obj))
goto err;
obj = PyBool_FromLong(enabled);
@@ -994,14 +994,25 @@ PyObject* search(bool allow,
static int Dict_ContainsInt(PyObject *dict, const char *key){
PyObject *item = PyDict_GetItemString(dict, key);
if (item)
- return PyInt_AsLong(item);
+ return PyLong_AsLong(item);
return false;
}
static const char *Dict_ContainsString(PyObject *dict, const char *key){
PyObject *item = PyDict_GetItemString(dict, key);
- if (item)
- return PyString_AsString(item);
+ if (item) {
+ if (PyUnicode_Check(item)) {
+ char *str = NULL;
+ PyObject *item_utf8 = PyUnicode_AsUTF8String(item);
+ if (item_utf8) {
+ str = strdup(PyBytes_AsString(item_utf8));
+ }
+ Py_XDECREF(item_utf8);
+ return str;
+ } else {
+ return PyBytes_AsString(item);
+ }
+ }
return NULL;
}
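Review bot: `Dict_ContainsString` now returns ownership inconsistently: the `PyUnicode_Check` branch returns a `strdup`ed buffer while the bytes branch returns a pointer borrowed from the object, and the `const char *` return type gives callers no way to tell which they got, so under Python 3 every call leaks and a caller that does free would double-free under Python 2. Pick one contract: either copy in both branches and document that the caller frees, or keep the UTF-8 bytes object alive (for example cache it in the dict) and return its buffer. A NULL from `strdup` is also indistinguishable from "key absent", and in `Dict_ContainsInt` a non-integer value makes `PyLong_AsLong` return -1 with an exception set that nobody checks.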
diff --git policycoreutils-2.5/sepolicy/selinux_client.py policycoreutils-2.5/sepolicy/selinux_client.py
index 7f4a91c..238048b 100644
--- policycoreutils-2.5/sepolicy/selinux_client.py
+++ policycoreutils-2.5/sepolicy/selinux_client.py
@@ -35,10 +35,10 @@ def convert_customization(buf):
cust_dict["module"][rec[-1]] = {"enabled": rec[2] != "-d"}
return cust_dict
-if __name__ == "__main__":
+if __name__ == "__main__":
try:
dbus_proxy = SELinuxDBus()
resp = dbus_proxy.customized()
- print convert_customization(resp)
- except dbus.DBusException, e:
- print e
+ print(convert_customization(resp))
+ except dbus.DBusException as e:
+ print(e)
diff --git policycoreutils-2.5/sepolicy/selinux_server.py policycoreutils-2.5/sepolicy/selinux_server.py
index cdf4d16..e8cdff3 100644
--- policycoreutils-2.5/sepolicy/selinux_server.py
+++ policycoreutils-2.5/sepolicy/selinux_server.py
@@ -20,45 +20,45 @@ class selinux_server(slip.dbus.service.Object):
#
# The semanage method runs a transaction on a series of semanage commands,
# these commnds can take the output of customized
- #
+ #
@slip.dbus.polkit.require_auth("org.selinux.semanage")
@dbus.service.method("org.selinux", in_signature='s')
def semanage(self, buf):
- p = Popen(["/usr/sbin/semanage", "import"], stdout=PIPE, stderr=PIPE, stdin=PIPE)
+ p = Popen(["/usr/sbin/semanage", "import"],stdout=PIPE, stderr=PIPE, stdin=PIPE, universal_newlines=True)
p.stdin.write(buf)
output = p.communicate()
if p.returncode and p.returncode != 0:
raise dbus.exceptions.DBusException(output[1])
-
+
#
# The customized method will return all of the custommizations for policy
- # on the server. This output can be used with the semanage method on
+ # on the server. This output can be used with the semanage method on
# another server to make the two systems have duplicate policy.
#
@slip.dbus.polkit.require_auth("org.selinux.customized")
@dbus.service.method("org.selinux", in_signature='', out_signature='s')
def customized(self):
- p = Popen(["/usr/sbin/semanage", "export"], stdout=PIPE, stderr=PIPE)
+ p = Popen(["/usr/sbin/semanage", "export"], stdout=PIPE, stderr=PIPE, universal_newlines=True)
buf = p.stdout.read()
output = p.communicate()
if p.returncode and p.returncode != 0:
raise OSError("Failed to read SELinux configuration: %s", output)
return buf
-
+
#
- # The semodule_list method will return the output of semodule -l, using the customized polkit,
+ # The semodule_list method will return the output of semodule --list=full, using the customized polkit,
# since this is a readonly behaviour
#
@slip.dbus.polkit.require_auth("org.selinux.semodule_list")
@dbus.service.method("org.selinux", in_signature='', out_signature='s')
def semodule_list(self):
- p = Popen(["/usr/sbin/semodule", "-l"], stdout=PIPE, stderr=PIPE)
+ p = Popen(["/usr/sbin/semodule", "--list=full"], stdout=PIPE, stderr=PIPE, universal_newlines=True)
buf = p.stdout.read()
output = p.communicate()
if p.returncode and p.returncode != 0:
raise OSError("Failed to list SELinux modules: %s", output)
return buf
-
+
#
# The restorecon method modifies any file path to the default system label
#
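Review bot: In `semanage`, `p.stdin.write(buf)` followed by `p.communicate()` can deadlock: if `buf` exceeds the pipe buffer the parent blocks in `write` while the child is itself blocked writing to the undrained stdout/stderr pipes. Replace the two lines with `output = p.communicate(input=buf)`, which feeds stdin and drains the other pipes concurrently (`universal_newlines=True` keeps the text-mode behaviour). The same `read()`-then-`communicate()` pattern in `customized` and `semodule_list` is safe only because stdin is not a pipe there, but `buf = p.stdout.read()` already consumes what `communicate()` would return, so `output[0]` is always empty for them.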
@@ -88,7 +88,7 @@ class selinux_server(slip.dbus.service.Object):
os.unlink("/.autorelabel")
def write_selinux_config(self, enforcing=None, policy=None):
- path = selinux.selinux_path() + "config"
+ path = selinux.selinux_path() + "config"
backup_path = path + ".bck"
fd = open(path)
lines = fd.readlines()
@@ -106,7 +106,7 @@ class selinux_server(slip.dbus.service.Object):
os.rename(backup_path, path)
#
- # The change_default_enforcement modifies the current enforcement mode
+ # The change_default_enforcement modifies the current enforcement mode
#
@slip.dbus.polkit.require_auth("org.selinux.change_default_mode")
@dbus.service.method("org.selinux", in_signature='s')
@@ -126,7 +126,7 @@ class selinux_server(slip.dbus.service.Object):
if os.path.isdir(path):
return self.write_selinux_config(policy=value)
raise ValueError("%s does not exist" % path)
-
+
if __name__ == "__main__":
mainloop = gobject.MainLoop()
dbus.mainloop.glib.DBusGMainLoop(set_as_default=True)
diff --git policycoreutils-2.5/sepolicy/sepolicy-bash-completion.sh policycoreutils-2.5/sepolicy/sepolicy-bash-completion.sh
index 779fd75..29ccbdf 100644
--- policycoreutils-2.5/sepolicy/sepolicy-bash-completion.sh
+++ policycoreutils-2.5/sepolicy/sepolicy-bash-completion.sh
@@ -16,9 +16,9 @@
# along with systemd; If not, see <http://www.gnu.org/licenses/>.
__contains_word () {
- local word=$1; shift
- for w in $*; do [[ $w = $word ]] && return 0; done
- return 1
+ local word=$1; shift
+ for w in $*; do [[ $w = $word ]] && return 0; done
+ return 1
}
__get_all_paths () {
@@ -28,37 +28,40 @@ __get_all_ftypes () {
echo '-- -d -c -b -s -l -p'
}
__get_all_networks () {
- seinfo -u 2> /dev/null | tail -n +3
+ /usr/bin/seinfo -u 2> /dev/null | tail -n +3
}
__get_all_booleans () {
- getsebool -a 2> /dev/null
+ /usr/bin/getsebool -a 2> /dev/null
}
__get_all_types () {
- seinfo -t 2> /dev/null | tail -n +3
+ /usr/bin/seinfo -t 2> /dev/null | tail -n +3
+}
+__get_all_roles () {
+ /usr/bin/seinfo -r 2> /dev/null | tail -n +3
}
__get_all_admin_interaces () {
- awk '/InterfaceVector.*_admin /{ print $2 }' /var/lib/sepolgen/interface_info | awk -F '_admin' '{ print $1 }'
+ /usr/bin/awk '/InterfaceVector.*_admin /{ print $2 }' /var/lib/sepolgen/interface_info | /usr/bin/awk -F '_admin' '{ print $1 }'
}
__get_all_user_role_interaces () {
- awk '/InterfaceVector.*_role /{ print $2 }' /var/lib/sepolgen/interface_info | awk -F '_role' '{ print $1 }'
+ /usr/bin/awk '/InterfaceVector.*_role /{ print $2 }' /var/lib/sepolgen/interface_info | /usr/bin/awk -F '_role' '{ print $1 }'
}
__get_all_user_domains () {
- seinfo -auserdomain -x 2> /dev/null | tail -n +2
+ /usr/bin/seinfo -auserdomain -x 2> /dev/null | tail -n +2
}
__get_all_users () {
- seinfo -u 2> /dev/null | tail -n +2
+ /usr/bin/seinfo -u 2> /dev/null | tail -n +2
}
__get_all_classes () {
- seinfo -c 2> /dev/null | tail -n +2
+ /usr/bin/seinfo -c 2> /dev/null | tail -n +2
}
__get_all_port_types () {
- seinfo -aport_type -x 2> /dev/null | tail -n +2
+ /usr/bin/seinfo -aport_type -x 2> /dev/null | tail -n +2
}
__get_all_domain_types () {
- seinfo -adomain -x 2> /dev/null | tail -n +2
+ /usr/bin/seinfo -adomain -x 2> /dev/null | tail -n +2
}
__get_all_domains () {
- seinfo -adomain -x 2>/dev/null | sed 's/_t$//g'
+ /usr/bin/seinfo -adomain -x 2>/dev/null | sed 's/_t$//g'
}
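Review bot: The switch to absolute paths is applied unevenly: `seinfo`, `getsebool` and `awk` now use `/usr/bin/...`, while `tail` and `sed` in the same pipelines are still resolved through `PATH`, which undoes whatever the hardcoding was meant to achieve. Either pin all of them or none; if the goal is to avoid a user-controlled `PATH` in a completion helper, `tail` and `sed` matter as much as `awk`. Note also that `/usr/bin/awk` is not guaranteed on systems without a merged `/usr`.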
_sepolicy () {
local command=${COMP_WORDS[1]}
diff --git policycoreutils-2.5/sepolicy/sepolicy-generate.8 policycoreutils-2.5/sepolicy/sepolicy-generate.8
index 2e67456..0c5f998 100644
--- policycoreutils-2.5/sepolicy/sepolicy-generate.8
+++ policycoreutils-2.5/sepolicy/sepolicy-generate.8
@@ -13,7 +13,7 @@ Common options
Confined Applications
.br
-.B sepolicy generate \-\-application [\-n NAME] command [\-w WRITE_PATH ]
+.B sepolicy generate \-\-application [\-n NAME] [\-u USER ]command [\-w WRITE_PATH ]
.br
.B sepolicy generate \-\-cgi [\-n NAME] command [\-w WRITE_PATH ]
.br
diff --git policycoreutils-2.5/sepolicy/sepolicy.8 policycoreutils-2.5/sepolicy/sepolicy.8
index 7900586..09d2b24 100644
--- policycoreutils-2.5/sepolicy/sepolicy.8
+++ policycoreutils-2.5/sepolicy/sepolicy.8
@@ -22,14 +22,15 @@ Query SELinux policy to see if domains can communicate with each other
.br
.B generate
-.br
.br
Generate SELinux Policy module template
-.B gui
+.B sepolicy-generate(8)
.br
+
+.B gui
.br
Launch Graphical User Interface for SELinux Policy, requires policycoreutils-gui package.
-.B sepolicy-generate(8)
+.B sepolicy-gui(8)
.br
.B interface
diff --git policycoreutils-2.5/sepolicy/sepolicy.py policycoreutils-2.5/sepolicy/sepolicy.py
index 7d57f6e..4a162c3 100755
--- policycoreutils-2.5/sepolicy/sepolicy.py
+++ policycoreutils-2.5/sepolicy/sepolicy.py
@@ -26,6 +26,7 @@ import sys
import selinux
import sepolicy
from sepolicy import get_os_version, get_conditionals, get_conditionals_format_text
+from sepolgen import util
import argparse
import gettext
PROGNAME = "policycoreutils"
@@ -33,12 +34,15 @@ gettext.bindtextdomain(PROGNAME, "/usr/share/locale")
gettext.textdomain(PROGNAME)
try:
gettext.install(PROGNAME,
- localedir="/usr/share/locale",
- unicode=False,
- codeset='utf-8')
+ unicode=True,
+ codeset = 'utf-8')
+except TypeError:
+ # Failover to python3 install
+ gettext.install(PROGNAME,
+ codeset = 'utf-8')
except IOError:
- import __builtin__
- __builtin__.__dict__['_'] = unicode
+ import builtins
+ builtins.__dict__['_'] = str
usage = "sepolicy generate [-h] [-n NAME] [-p PATH] ["
usage_dict = {' --newtype': ('-t [TYPES [TYPES ...]]',), ' --customize': ('-d DOMAIN', '-a ADMIN_DOMAIN', "[ -w WRITEPATHS ]",), ' --admin_user': ('[-r TRANSITION_ROLE ]', "[ -w WRITEPATHS ]",), ' --application': ('COMMAND', "[ -w WRITEPATHS ]",), ' --cgi': ('COMMAND', "[ -w WRITEPATHS ]",), ' --confined_admin': ('-a ADMIN_DOMAIN', "[ -w WRITEPATHS ]",), ' --dbus': ('COMMAND', "[ -w WRITEPATHS ]",), ' --desktop_user': ('', "[ -w WRITEPATHS ]",), ' --inetd': ('COMMAND', "[ -w WRITEPATHS ]",), ' --init': ('COMMAND', "[ -w WRITEPATHS ]",), ' --sandbox': ("[ -w WRITEPATHS ]",), ' --term_user': ("[ -w WRITEPATHS ]",), ' --x_user': ("[ -w WRITEPATHS ]",)}
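Review bot: The `except IOError` fallback does `import builtins`, a module that exists only on Python 3, while the surrounding `try/except TypeError` dance suggests this file is still meant to run on Python 2 as well; on Python 2 that path would fail with `ImportError` instead of installing `_`. If Python 2 is still supported, write the fallback as `try: import builtins` / `except ImportError: import __builtin__ as builtins` before the `builtins.__dict__['_'] = str` line, or drop the Python 2 `unicode=True` attempt entirely and simplify to the Python 3 call.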
@@ -55,8 +59,6 @@ class CheckPath(argparse.Action):
class CheckType(argparse.Action):
def __call__(self, parser, namespace, values, option_string=None):
- domains = sepolicy.get_all_domains()
-
if isinstance(values, str):
setattr(namespace, self.dest, values)
else:
@@ -98,7 +100,7 @@ class CheckDomain(argparse.Action):
domains = sepolicy.get_all_domains()
if isinstance(values, str):
- if values not in domains:
+ if sepolicy.get_real_type_name(values) not in domains:
raise ValueError("%s must be an SELinux process domain:\nValid domains: %s" % (values, ", ".join(domains)))
setattr(namespace, self.dest, values)
else:
@@ -107,7 +109,7 @@ class CheckDomain(argparse.Action):
newval = []
for v in values:
- if v not in domains:
+ if sepolicy.get_real_type_name(v) not in domains:
raise ValueError("%s must be an SELinux process domain:\nValid domains: %s" % (v, ", ".join(domains)))
newval.append(v)
setattr(namespace, self.dest, newval)
@@ -120,7 +122,7 @@ class CheckClass(argparse.Action):
def __call__(self, parser, namespace, values, option_string=None):
global all_classes
if not all_classes:
- all_classes = map(lambda x: x['name'], sepolicy.info(sepolicy.TCLASS))
+ all_classes = [x['name'] for x in sepolicy.info(sepolicy.TCLASS)]
if values not in all_classes:
raise ValueError("%s must be an SELinux class:\nValid classes: %s" % (values, ", ".join(all_classes)))
@@ -162,7 +164,7 @@ class CheckPortType(argparse.Action):
if not newval:
newval = []
for v in values:
- if v not in port_types:
+ if sepolicy.get_real_type_name(v) not in port_types:
raise ValueError("%s must be an SELinux port type:\nValid port types: %s" % (v, ", ".join(port_types)))
newval.append(v)
setattr(namespace, self.dest, values)
@@ -171,7 +173,6 @@ class CheckPortType(argparse.Action):
class LoadPolicy(argparse.Action):
def __call__(self, parser, namespace, values, option_string=None):
- import sepolicy
sepolicy.policy(values)
setattr(namespace, self.dest, values)
@@ -180,9 +181,8 @@ class CheckPolicyType(argparse.Action):
def __call__(self, parser, namespace, values, option_string=None):
from sepolicy.generate import get_poltype_desc, poltype
- if values not in poltype.keys():
+ if values not in list(poltype.keys()):
raise ValueError("%s invalid SELinux policy type\n%s" % (values, get_poltype_desc()))
- newval.append(v)
setattr(namespace, self.dest, values)
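Review bot: `if values not in list(poltype.keys()):` materialises a list only to test membership; the idiomatic form is `if values not in poltype:`, which works on both Python versions and avoids the copy. The same 2to3 artifact appears in `InterfaceInfo` (`list(interface_dict.keys())`), `generate_custom_usage` (`for i in list(usage_dict.keys())`, which could be `sorted(usage_dict)` directly) and twice in `network` (`list(portrecs.keys())`). Removing the stray `newval.append(v)` in this hunk is a genuine fix, since `newval` and `v` were undefined there.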
@@ -218,7 +218,7 @@ class InterfaceInfo(argparse.Action):
from sepolicy.interface import get_interface_dict
interface_dict = get_interface_dict()
for v in values:
- if v not in interface_dict.keys():
+ if v not in list(interface_dict.keys()):
raise ValueError(_("Interface %s does not exist.") % v)
setattr(namespace, self.dest, values)
@@ -226,7 +226,7 @@ class InterfaceInfo(argparse.Action):
def generate_custom_usage(usage_text, usage_dict):
sorted_keys = []
- for i in usage_dict.keys():
+ for i in list(usage_dict.keys()):
sorted_keys.append(i)
sorted_keys.sort()
for k in sorted_keys:
@@ -248,18 +248,18 @@ def numcmp(val1, val2):
if v1 < v2:
return -1
except:
- return cmp(val1, val2)
+ return (val1 > val2) - (val1 < val2)
def _print_net(src, protocol, perm):
import sepolicy.network
portdict = sepolicy.network.get_network_connect(src, protocol, perm)
if len(portdict) > 0:
- bold_start = "\033[1m"
- bold_end = "\033[0;0m"
- print "\n" + bold_start + "%s: %s %s" % (src, protocol, perm) + bold_end
- port_strings = []
- boolean_text = ""
+ bold_start="\033[1m"
+ bold_end="\033[0;0m"
+ print("\n"+bold_start+"%s: %s %s" % (src, protocol, perm) + bold_end)
+ port_strings=[]
+ boolean_text=""
for p in portdict:
for t, recs in portdict[p]:
cond = get_conditionals(src, t, "%s_socket" % protocol, [perm])
@@ -268,9 +268,9 @@ def _print_net(src, protocol, perm):
port_strings.append("%s (%s) %s" % (", ".join(recs), t, boolean_text))
else:
port_strings.append("%s (%s)" % (", ".join(recs), t))
- port_strings.sort(numcmp)
+ port_strings.sort(key=util.cmp_to_key(numcmp))
for p in port_strings:
- print "\t" + p
+ print("\t" + p)
def network(args):
@@ -281,29 +281,29 @@ def network(args):
if i[0] not in all_ports:
all_ports.append(i[0])
all_ports.sort()
- print "\n".join(all_ports)
+ print("\n".join(all_ports))
for port in args.port:
found = False
for i in portrecsbynum:
if i[0] <= port and port <= i[1]:
if i[0] == i[1]:
- range = i[0]
+ RANGE = i[0]
else:
- range = "%s-%s" % (i[0], i[1])
+ RANGE = "%s-%s" % (i[0], i[1])
found = True
- print "%d: %s %s %s" % (port, i[2], portrecsbynum[i][0], range)
+ print("%d: %s %s %s" % (port, i[2], portrecsbynum[i][0], RANGE))
if not found:
if port < 500:
- print "Undefined reserved port type"
+ print("Undefined reserved port type")
else:
- print "Undefined port type"
+ print("Undefined port type")
for t in args.type:
- if (t, 'tcp') in portrecs.keys():
- print "%s: tcp: %s" % (t, ",".join(portrecs[t, 'tcp']))
- if (t, 'udp') in portrecs.keys():
- print "%s: udp: %s" % (t, ",".join(portrecs[t, 'udp']))
+ if (t,'tcp') in list(portrecs.keys()):
+ print("%s: tcp: %s" % (t, ",".join(portrecs[t,'tcp'])))
+ if (t,'udp') in list(portrecs.keys()):
+ print("%s: udp: %s" % (t, ",".join(portrecs[t,'udp'])))
for a in args.applications:
d = sepolicy.get_init_transtype(a)
@@ -351,8 +351,8 @@ def manpage(args):
test_domains = args.domain
for domain in test_domains:
- m = ManPage(domain, path, args.root, args.source_files, args.web)
- print m.get_man_page_path()
+ m = ManPage(domain, path, args.root,args.source_files, args.web)
+ print(m.get_man_page_path())
if args.web:
HTMLManPages(manpage_roles, manpage_domains, path, args.os)
@@ -413,7 +413,7 @@ def communicate(args):
out = list(set(writable) & set(readable))
for t in out:
- print t
+ print(t)
def gen_communicate_args(parser):
@@ -437,10 +437,12 @@ def booleans(args):
from sepolicy import boolean_desc
if args.all:
rc, args.booleans = selinux.security_get_boolean_names()
+ if util.PY3:
+ args.booleans = [util.decode_input(x) for x in args.booleans]
args.booleans.sort()
for b in args.booleans:
- print "%s=_(\"%s\")" % (b, boolean_desc(b))
+ print("%s=_(\"%s\")" % (b, boolean_desc(b)))
def gen_booleans_args(parser):
@@ -479,20 +481,20 @@ def print_interfaces(interfaces, args, append=""):
for i in interfaces:
if args.verbose:
try:
- print get_interface_format_text(i + append)
+ print(get_interface_format_text(i + append))
except KeyError:
- print i
+ print(i)
if args.compile:
try:
interface_compile_test(i)
except KeyError:
- print i
+ print(i)
else:
- print i
+ print(i)
def interface(args):
- from sepolicy.interface import get_admin, get_user, get_interface_dict, get_all_interfaces
+ from sepolicy.interface import get_admin, get_user, get_all_interfaces
if args.list_admin:
print_interfaces(get_admin(args.file), args, "_admin")
if args.list_user:
@@ -504,7 +506,7 @@ def interface(args):
def generate(args):
- from sepolicy.generate import policy, AUSER, RUSER, EUSER, USERS, SANDBOX, APPLICATIONS, NEWTYPE
+ from sepolicy.generate import policy, AUSER, RUSER, EUSER, APPLICATIONS, NEWTYPE
cmd = None
# numbers present POLTYPE defined in sepolicy.generate
conflict_args = {'TYPES': (NEWTYPE,), 'DOMAIN': (EUSER,), 'ADMIN_DOMAIN': (AUSER, RUSER, EUSER,)}
@@ -515,7 +517,7 @@ def generate(args):
for k in usage_dict:
error_text += "%s" % (k)
print(generate_usage)
- print(_("sepolicy generate: error: one of the arguments %s is required") % error_text)
+ print((_("sepolicy generate: error: one of the arguments %s is required") % error_text))
sys.exit(1)
if args.policytype in APPLICATIONS:
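Review bot: The doubled parentheses in `print((_("sepolicy generate: error: one of the arguments %s is required") % error_text))` are a 2to3 artifact: the inner pair wraps a single expression and adds nothing, so the line should read `print(_("sepolicy generate: error: one of the arguments %s is required") % error_text)`. The same pattern appears in the get_rpm_nvr_list hunk of generate.py (`print(("Failed to retrieve rpm info for %s") % package)`), where `print("Failed to retrieve rpm info for %s" % package)` is the intended form. generate's body continues outside this hunk.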
@@ -560,7 +562,7 @@ def generate(args):
if args.policytype in APPLICATIONS:
mypolicy.gen_writeable()
mypolicy.gen_symbols()
- print mypolicy.generate(args.path)
+ print(mypolicy.generate(args.path))
def gen_interface_args(parser):
@@ -590,7 +592,7 @@ def gen_interface_args(parser):
def gen_generate_args(parser):
- from sepolicy.generate import DAEMON, get_poltype_desc, poltype, DAEMON, DBUS, INETD, CGI, SANDBOX, USER, EUSER, TUSER, XUSER, LUSER, AUSER, RUSER, NEWTYPE
+ from sepolicy.generate import DAEMON, poltype, DAEMON, DBUS, INETD, CGI, SANDBOX, USER, EUSER, TUSER, XUSER, LUSER, AUSER, RUSER, NEWTYPE
generate_usage = generate_custom_usage(usage, usage_dict)
@@ -638,8 +640,8 @@ def gen_generate_args(parser):
action="store_const", default=DAEMON,
help=_("Generate '%s' policy") % poltype[DAEMON])
- type = pol.add_argument_group("Policy types which do not require a command")
- group = type.add_mutually_exclusive_group(required=False)
+ TYPE = pol.add_argument_group("Policy types which do not require a command")
+ group = TYPE.add_mutually_exclusive_group(required=False)
group.add_argument("--admin_user", dest="policytype", const=AUSER,
action="store_const",
help=_("Generate '%s' policy") % poltype[AUSER])
@@ -693,12 +695,12 @@ if __name__ == '__main__':
args = parser.parse_args(args=parser_args)
args.func(args)
sys.exit(0)
- except ValueError, e:
+ except ValueError as e:
sys.stderr.write("%s: %s\n" % (e.__class__.__name__, str(e)))
sys.exit(1)
- except IOError, e:
+ except IOError as e:
sys.stderr.write("%s: %s\n" % (e.__class__.__name__, str(e)))
sys.exit(1)
except KeyboardInterrupt:
- print "Out"
+ print("Out")
sys.exit(0)
diff --git policycoreutils-2.5/sepolicy/sepolicy/__init__.py policycoreutils-2.5/sepolicy/sepolicy/__init__.py
index 693c6fe..8c07c29 100644
--- policycoreutils-2.5/sepolicy/sepolicy/__init__.py
+++ policycoreutils-2.5/sepolicy/sepolicy/__init__.py
@@ -3,24 +3,30 @@
# Author: Dan Walsh <dwalsh@redhat.com>
# Author: Ryan Hallisey <rhallise@redhat.com>
-import _policy
+from . import policy as _policy
+import errno
import selinux
import glob
PROGNAME = "policycoreutils"
import gettext
import sepolgen.defaults as defaults
import sepolgen.interfaces as interfaces
+from sepolgen import util
import sys
+import subprocess
gettext.bindtextdomain(PROGNAME, "/usr/share/locale")
gettext.textdomain(PROGNAME)
try:
gettext.install(PROGNAME,
- localedir="/usr/share/locale",
- unicode=False,
+ unicode=True,
+ codeset='utf-8')
+except TypeError:
+ # Failover to python3 install
+ gettext.install(PROGNAME,
codeset='utf-8')
except IOError:
- import __builtin__
- __builtin__.__dict__['_'] = unicode
+ import builtins
+ builtins.__dict__['_'] = str
TYPE = _policy.TYPE
ROLE = _policy.ROLE
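Review bot: The `except IOError:` fallback now does `import builtins`, a module that does not exist on Python 2, so if that branch is ever reached under Python 2 it raises ImportError instead of installing `_`; the `util.PY3` guards added elsewhere in this commit suggest both interpreters are still supported. If the fallback is meant to work on both, import the module conditionally, e.g. `try: import builtins` / `except ImportError: import __builtin__ as builtins`, before assigning `builtins.__dict__['_'] = str`. The same fallback is added by the gettext hunks in generate.py and gui.py. Whether IOError can still be raised here after the TypeError retry is not visible from the hunk.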
@@ -29,6 +35,8 @@ PORT = _policy.PORT
USER = _policy.USER
BOOLEAN = _policy.BOOLEAN
TCLASS = _policy.CLASS
+SENS = _policy.SENS
+CATS = _policy.CATS
ALLOW = 'allow'
AUDITALLOW = 'auditallow'
@@ -47,8 +55,12 @@ def info(setype, name=None):
return dict_list
-def search(types, info={}):
- seinfo = info
+def search(types, info=None):
+ if info:
+ seinfo = info
+ else:
+ seinfo = {}
+
valid_types = [ALLOW, AUDITALLOW, NEVERALLOW, DONTAUDIT, TRANSITION, ROLE_ALLOW]
for setype in types:
if setype not in valid_types:
@@ -62,7 +74,7 @@ def search(types, info={}):
dict_list = _policy.search(seinfo)
if dict_list and len(perms) != 0:
- dict_list = filter(lambda x: _dict_has_perms(x, perms), dict_list)
+ dict_list = [x for x in dict_list if _dict_has_perms(x, perms)]
return dict_list
@@ -79,7 +91,7 @@ def get_conditionals(src, dest, tclass, perm):
allows = []
allows.append(i)
try:
- for i in map(lambda y: (y), filter(lambda x: set(perm).issubset(x[PERMS]) and x['boolean'], allows)):
+ for i in [(y) for y in [x for x in allows if set(perm).issubset(x[PERMS]) and x['boolean']]]:
tdict.update({'source': i['source'], 'boolean': i['boolean']})
if tdict not in tlist:
tlist.append(tdict)
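Review bot: The rewritten loop header `for i in [(y) for y in [x for x in allows if set(perm).issubset(x[PERMS]) and x['boolean']]]:` builds an intermediate list only to copy it element by element; the outer comprehension and the parentheses around `y` are a mechanical translation of the old map/filter pair. `for i in [x for x in allows if set(perm).issubset(x[PERMS]) and x['boolean']]:` is equivalent and readable. The same nested form is introduced in the get_entrypoint_types and get_bools hunks of this file and in the get_types hunks of booleans.py and communicate.py. get_conditionals starts and ends outside this hunk.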
@@ -91,13 +103,58 @@ def get_conditionals(src, dest, tclass, perm):
def get_conditionals_format_text(cond):
- enabled = len(filter(lambda x: x['boolean'][0][1], cond)) > 0
- return _("-- Allowed %s [ %s ]") % (enabled, " || ".join(set(map(lambda x: "%s=%d" % (x['boolean'][0][0], x['boolean'][0][1]), cond))))
+ enabled = len([x for x in cond if x['boolean'][0][1]]) > 0
+ return _("-- Allowed %s [ %s ]") % (enabled, " || ".join(set(["%s=%d" % (x['boolean'][0][0], x['boolean'][0][1]) for x in cond])))
def get_types_from_attribute(attribute):
return info(ATTRIBUTE, attribute)[0]["types"]
+
+def get_attributes_from_type(setype):
+ return info(TYPE, setype)[0]["attributes"]
+
+
+# determine if entered type is an alias
+# and return corresponding type name
+def get_real_type_name(setype):
+ try:
+ return info(TYPE, setype)[0]["name"]
+ except RuntimeError:
+ return None
+
+
+def file_type_is_executable(setype):
+ if "exec_type" in get_attributes_from_type(setype):
+ return True
+ else:
+ return False
+
+
+def file_type_is_entrypoint(setype):
+ if "entry_type" in get_attributes_from_type(setype):
+ return True
+ else:
+ return False
+
+
+def get_attributes_from_type(setype):
+ return info(TYPE, setype)[0]["attributes"]
+
+
+def file_type_is_executable(setype):
+ if "exec_type" in get_attributes_from_type(setype):
+ return True
+ else:
+ return False
+
+
+def file_type_is_entrypoint(setype):
+ if "entry_type" in get_attributes_from_type(setype):
+ return True
+ else:
+ return False
+
file_type_str = {}
file_type_str["a"] = _("all files")
file_type_str["f"] = _("regular file")
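Review bot: `get_attributes_from_type`, `file_type_is_executable` and `file_type_is_entrypoint` are each defined twice in this hunk; the second set of definitions silently replaces the first at import time, and any later divergence between the two copies would be confusing to debug. Drop the second copy of the three functions. While here, the two predicates can be reduced to a single expression each, e.g. `return "exec_type" in get_attributes_from_type(setype)` and `return "entry_type" in get_attributes_from_type(setype)`. `get_real_type_name` swallows only RuntimeError; if `info()` raises something else for unknown aliases that would propagate, but that cannot be confirmed from the hunk.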
@@ -119,6 +176,46 @@ trans_file_type_str["-l"] = "l"
trans_file_type_str["-p"] = "p"
+def get_all_modules():
+ all_modules = []
+ cmd = "semodule --list=full 2>/dev/null"
+ try:
+ output = subprocess.check_output(cmd,
+ stderr=subprocess.STDOUT,
+ shell=True)
+ l = output.split("\n")
+
+ except subprocess.CalledProcessError as e:
+ from .sedbus import SELinuxDBus
+ l = SELinuxDBus().semodule_list().split("\n")
+
+ for i in l:
+ if len(i):
+ all_modules.append(i.split()[1])
+
+ return all_modules
+
+
+def get_all_modules_from_mod_lst():
+ mod_lst_path = ["/usr/share/selinux/targeted/base.lst", "/usr/share/selinux/targeted/modules-base.lst", "/usr/share/selinux/targeted/modules-contrib.lst"]
+ all_modules = []
+ mod_temp = []
+ for i in mod_lst_path:
+ try:
+ fd = open(i, "r")
+ modules = fd.readlines()
+ fd.close()
+ modules = modules[0].split(" ")[:-1]
+ for m in modules:
+ mod_temp.append(m)
+ all_modules.extend(mod_temp)
+ mod_temp = []
+ except:
+ all_modules = []
+
+ return all_modules
+
+
def get_file_types(setype):
flist = []
mpaths = {}
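Review bot: In `get_all_modules`, `subprocess.check_output` returns bytes on Python 3, so `output.split("\n")` raises TypeError, which is not caught by the `except subprocess.CalledProcessError` fallback; the rest of this commit decodes such values with `util.decode_input` when `util.PY3`. The command is also run through the shell with a literal `2>/dev/null` while `stderr=subprocess.STDOUT` is passed at the same time; the redirect wins, so the keyword does nothing, and if the redirect were ever dropped, semodule's error text would be parsed as module lines. Passing an argv list with stderr discarded removes the shell and makes the intent explicit; without the shell a missing binary surfaces as OSError, so the fallback should catch that too. In `get_all_modules_from_mod_lst` the bare `except:` resets `all_modules = []` but the loop keeps going, so a later readable file re-populates the list after an earlier failure; if the intent is "all or nothing", a `break` or `return []` is needed there.
```python
    try:
        with open(os.devnull, "w") as devnull:
            output = subprocess.check_output(["semodule", "--list=full"],
                                             stderr=devnull)
        if util.PY3:
            output = util.decode_input(output)
        l = output.split("\n")

    except (subprocess.CalledProcessError, OSError):
        # … unchanged: SELinuxDBus().semodule_list() fallback and the parsing loop …
```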
@@ -181,7 +278,7 @@ def find_file(reg):
try:
pat = re.compile(r"%s$" % reg)
except:
- print "bad reg:", reg
+ print("bad reg:", reg)
return []
p = reg
if p.endswith("(/.*)?"):
@@ -193,12 +290,12 @@ def find_file(reg):
if path[-1] != "/": # is pass in it breaks without try block
path += "/"
except IndexError:
- print "try failed got an IndexError"
+ print("try failed got an IndexError")
pass
try:
pat = re.compile(r"%s$" % reg)
- return filter(pat.match, map(lambda x: path + x, os.listdir(path)))
+ return list(filter(pat.match, [path + x for x in os.listdir(path)]))
except:
return []
@@ -206,7 +303,7 @@ def find_file(reg):
def find_all_files(domain, exclude_list=[]):
all_entrypoints = []
executable_files = get_entrypoints(domain)
- for exe in executable_files.keys():
+ for exe in list(executable_files.keys()):
if exe.endswith("_exec_t") and exe not in exclude_list:
for path in executable_files[exe]:
for f in find_file(path):
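Review bot: `for exe in list(executable_files.keys()):` materialises a list that is only iterated once; the dict is not modified inside the loop, so `for exe in executable_files:` is the idiom and avoids the copy. The same mechanical `list(...keys())` wrapper is introduced in the find_port, generate_fc, generate_sh and generate_spec hunks of generate.py and the DEFAULT_DIRS loop there; the two membership tests in the later generate.py hunk, `if i in list(self.dirs.keys()):` and `elif i in list(self.files.keys()):`, additionally turn an O(1) lookup into an O(n) scan and should be `if i in self.dirs:` and `elif i in self.files:`. The wrappers that are followed by `.sort()` (get_methods, get_poltype_desc) do need the list and are fine. find_all_files continues outside this hunk.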
@@ -230,12 +327,15 @@ def find_entrypoint_path(exe, exclude_list=[]):
def read_file_equiv(edict, fc_path, modify):
- fd = open(fc_path, "r")
- fc = fd.readlines()
- fd.close()
- for e in fc:
- f = e.split()
- edict[f[0]] = {"equiv": f[1], "modify": modify}
+ try:
+ with open(fc_path, "r") as fd:
+ fc = fd.readlines()
+ for e in fc:
+ f = e.split()
+ edict[f[0]] = {"equiv": f[1], "modify": modify}
+ except IOError as e:
+ if e.errno != errno.ENOENT:
+ raise
return edict
file_equiv_modified = None
@@ -268,9 +368,13 @@ def get_local_file_paths(fc_path=selinux.selinux_file_context_path()):
if local_files:
return local_files
local_files = []
- fd = open(fc_path + ".local", "r")
- fc = fd.readlines()
- fd.close()
+ try:
+ with open(fc_path + ".local", "r") as fd:
+ fc = fd.readlines()
+ except IOError as e:
+ if e.errno != errno.ENOENT:
+ raise
+ return []
for i in fc:
rec = i.split()
if len(rec) == 0:
@@ -296,13 +400,19 @@ def get_fcdict(fc_path=selinux.selinux_file_context_path()):
fd = open(fc_path, "r")
fc = fd.readlines()
fd.close()
- fd = open(fc_path + ".homedirs", "r")
- fc += fd.readlines()
- fd.close()
+ try:
+ with open(fc_path + ".homedirs", "r") as fd:
+ fc += fd.readlines()
+ except IOError as e:
+ if e.errno != errno.ENOENT:
+ raise
fcdict = {}
- fd = open(fc_path + ".local", "r")
- fc += fd.readlines()
- fd.close()
+ try:
+ with open(fc_path + ".local", "r") as fd:
+ fc += fd.readlines()
+ except IOError as e:
+ if e.errno != errno.ENOENT:
+ raise
for i in fc:
rec = i.split()
@@ -334,7 +444,7 @@ def get_fcdict(fc_path=selinux.selinux_file_context_path()):
def get_transitions_into(setype):
try:
- return filter(lambda x: x["transtype"] == setype, search([TRANSITION], {'class': 'process'}))
+ return [x for x in search([TRANSITION], {'class': 'process'}) if x["transtype"] == setype]
except TypeError:
pass
return None
@@ -350,7 +460,7 @@ def get_transitions(setype):
def get_file_transitions(setype):
try:
- return filter(lambda x: x['class'] != "process", search([TRANSITION], {'source': setype}))
+ return [x for x in search([TRANSITION], {'source': setype}) if x['class'] != "process"]
except TypeError:
pass
return None
@@ -377,7 +487,7 @@ def get_all_entrypoints():
def get_entrypoint_types(setype):
entrypoints = []
try:
- entrypoints = map(lambda x: x['target'], filter(lambda x: x['source'] == setype, search([ALLOW], {'source': setype, 'permlist': ['entrypoint'], 'class': 'file'})))
+ entrypoints = [x['target'] for x in [x for x in search([ALLOW], {'source': setype, 'permlist': ['entrypoint'], 'class':'file'}) if x['source'] == setype]]
except TypeError:
pass
return entrypoints
@@ -386,7 +496,7 @@ def get_entrypoint_types(setype):
def get_init_transtype(path):
entrypoint = selinux.getfilecon(path)[1].split(":")[2]
try:
- entrypoints = filter(lambda x: x['target'] == entrypoint, search([TRANSITION], {'source': "init_t", 'class': 'process'}))
+ entrypoints = [x for x in search([TRANSITION], {'source': "init_t", 'class': 'process'}) if x['target'] == entrypoint]
if len(entrypoints) == 0:
return None
return entrypoints[0]["transtype"]
@@ -397,7 +507,7 @@ def get_init_transtype(path):
def get_init_entrypoint(transtype):
try:
- entrypoints = filter(lambda x: x['transtype'] == transtype, search([TRANSITION], {'source': "init_t", 'class': 'process'}))
+ entrypoints = [x for x in search([TRANSITION], {'source': "init_t", 'class': 'process'}) if x['transtype'] == transtype]
if len(entrypoints) == 0:
return None
return entrypoints[0]["target"]
@@ -408,7 +518,7 @@ def get_init_entrypoint(transtype):
def get_init_entrypoint_target(entrypoint):
try:
- entrypoints = map(lambda x: x['transtype'], search([TRANSITION], {'source': "init_t", 'target': entrypoint, 'class': 'process'}))
+ entrypoints = [x['transtype'] for x in search([TRANSITION], {'source': "init_t", 'target': entrypoint, 'class': 'process'})]
return entrypoints[0]
except TypeError:
pass
@@ -450,7 +560,7 @@ def get_methods():
# List of per_role_template interfaces
ifs = interfaces.InterfaceSet()
ifs.from_file(fd)
- methods = ifs.interfaces.keys()
+ methods = list(ifs.interfaces.keys())
fd.close()
except:
sys.stderr.write("could not open interface info [%s]\n" % fn)
@@ -465,7 +575,7 @@ all_types = None
def get_all_types():
global all_types
if all_types == None:
- all_types = map(lambda x: x['name'], info(TYPE))
+ all_types = [x['name'] for x in info(TYPE)]
return all_types
user_types = None
@@ -513,7 +623,6 @@ portrecsbynum = None
def gen_interfaces():
- import commands
ifile = defaults.interface_info()
headers = defaults.headers()
rebuild = False
@@ -525,7 +634,9 @@ def gen_interfaces():
if os.getuid() != 0:
raise ValueError(_("You must regenerate interface info by running /usr/bin/sepolgen-ifgen"))
- print commands.getstatusoutput("/usr/bin/sepolgen-ifgen")[1]
+ print(subprocess.check_output("/usr/bin/sepolgen-ifgen",
+ stderr=subprocess.STDOUT,
+ shell=True))
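Review bot: Replacing `commands.getstatusoutput` with `subprocess.check_output` changes the failure mode: a non-zero exit from `/usr/bin/sepolgen-ifgen` now raises CalledProcessError out of `gen_interfaces` instead of printing the tool's output, and on Python 3 the successful path prints the bytes repr (`b'...'`) rather than text. `shell=True` is also unnecessary for a fixed absolute path. Suggested shape: `output = subprocess.check_output(["/usr/bin/sepolgen-ifgen"], stderr=subprocess.STDOUT)` followed by `print(util.decode_input(output) if util.PY3 else output)`, with a `except subprocess.CalledProcessError as e:` that prints `e.output` the same way if the old print-on-failure behaviour is wanted. gen_interfaces starts outside this hunk.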
def gen_port_dict():
@@ -562,6 +673,23 @@ def get_all_domains():
all_domains = info(ATTRIBUTE, "domain")[0]["types"]
return all_domains
+
+def mls_cmp(x, y):
+ return (int(x[1:]) > int(y[1:])) - (int(x[1:]) < int(y[1:]))
+
+mls_range = None
+
+
+def get_mls_range():
+ global mls_range
+ if mls_range:
+ return mls_rangeroles
+ range_dict = info(SENS)
+ keys = range_dict.keys()
+ keys.sort(key=util.cmp_to_key(mls_cmp))
+ mls_range = "%s-%s" % (keys[0], range_dict[keys[-1]])
+ return mls_range
+
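Review bot: `get_mls_range` returns `mls_rangeroles` on the cached path, a name that is not defined anywhere visible, so the second call raises NameError; it should be `return mls_range`. The uncached path does `keys = range_dict.keys()` followed by `keys.sort(...)`, which fails on Python 3 because `dict_keys` has no `sort`; `keys = sorted(range_dict, key=util.cmp_to_key(mls_cmp))` works on both interpreters. `mls_cmp` assumes every key is a letter followed by an integer (`int(x[1:])`), and the code indexes `range_dict[keys[-1]]`, so `info(SENS)` is presumably a mapping from sensitivity name to its highest level — worth a one-line comment on the function, since that contract is not visible here.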
roles = None
@@ -569,7 +697,7 @@ def get_all_roles():
global roles
if roles:
return roles
- roles = map(lambda x: x['name'], info(ROLE))
+ roles = [x['name'] for x in info(ROLE)]
roles.remove("object_r")
roles.sort()
return roles
@@ -607,7 +735,7 @@ def get_login_mappings():
def get_all_users():
- users = map(lambda x: x['name'], get_selinux_users())
+ users = [x['name'] for x in get_selinux_users()]
users.sort()
return users
@@ -766,7 +894,7 @@ all_attributes = None
def get_all_attributes():
global all_attributes
if not all_attributes:
- all_attributes = map(lambda x: x['name'], info(ATTRIBUTE))
+ all_attributes = [x['name'] for x in info(ATTRIBUTE)]
return all_attributes
@@ -797,7 +925,7 @@ def policy(policy_file):
try:
policy_file = get_installed_policy()
policy(policy_file)
-except ValueError, e:
+except ValueError as e:
if selinux.is_selinux_enabled() == 1:
raise e
@@ -815,7 +943,7 @@ def gen_short_name(setype):
domainname = setype[:-2]
else:
domainname = setype
- if domainname + "_t" not in all_domains:
+ if get_real_type_name(domainname + "_t") not in all_domains:
raise ValueError("domain %s_t does not exist" % domainname)
if domainname[-1] == 'd':
short_name = domainname[:-1] + "_"
@@ -828,7 +956,7 @@ def get_bools(setype):
bools = []
domainbools = []
domainname, short_name = gen_short_name(setype)
- for i in map(lambda x: x['boolean'], filter(lambda x: 'boolean' in x, search([ALLOW], {'source': setype}))):
+ for i in [x['boolean'] for x in [x for x in search([ALLOW], {'source': setype}) if 'boolean' in x]]:
for b in i:
if not isinstance(b, tuple):
continue
@@ -851,6 +979,8 @@ def get_all_booleans():
global booleans
if not booleans:
booleans = selinux.security_get_boolean_names()[1]
+ if util.PY3:
+ booleans = [util.decode_input(x) for x in booleans]
return booleans
booleans_dict = None
@@ -896,7 +1026,7 @@ def gen_bool_dict(path="/usr/share/selinux/devel/policy.xml"):
desc = i.find("desc").find("p").text.strip("\n")
desc = re.sub("\n", " ", desc)
booleans_dict[i.get('name')] = ("global", i.get('dftval'), desc)
- except IOError, e:
+ except IOError as e:
pass
return booleans_dict
@@ -919,24 +1049,14 @@ def boolean_desc(boolean):
def get_os_version():
- os_version = ""
- pkg_name = "selinux-policy"
+ system_release = ""
try:
- import commands
- rc, output = commands.getstatusoutput("rpm -q '%s'" % pkg_name)
- if rc == 0:
- os_version = output.split(".")[-2]
- except:
- os_version = ""
-
- if os_version[0:2] == "fc":
- os_version = "Fedora" + os_version[2:]
- elif os_version[0:2] == "el":
- os_version = "RHEL" + os_version[2:]
- else:
- os_version = ""
+ with open('/etc/system-release') as f:
+ system_release = f.readline().rstrip()
+ except IOError:
+ system_release = "Misc"
- return os_version
+ return system_release
def reinit():
diff --git policycoreutils-2.5/sepolicy/sepolicy/booleans.py policycoreutils-2.5/sepolicy/sepolicy/booleans.py
index 56bef26..97236b6 100644
--- policycoreutils-2.5/sepolicy/sepolicy/booleans.py
+++ policycoreutils-2.5/sepolicy/sepolicy/booleans.py
@@ -39,6 +39,6 @@ def get_types(src, tclass, perm):
raise TypeError("The %s type is not allowed to %s any types" % (src, ",".join(perm)))
tlist = []
- for l in map(lambda y: y[sepolicy.TARGET], filter(lambda x: set(perm).issubset(x[sepolicy.PERMS]), allows)):
+ for l in [y[sepolicy.TARGET] for y in [x for x in allows if set(perm).issubset(x[sepolicy.PERMS])]]:
tlist = tlist + expand_attribute(l)
return tlist
diff --git policycoreutils-2.5/sepolicy/sepolicy/communicate.py policycoreutils-2.5/sepolicy/sepolicy/communicate.py
index 9939c23..27be126 100755
--- policycoreutils-2.5/sepolicy/sepolicy/communicate.py
+++ policycoreutils-2.5/sepolicy/sepolicy/communicate.py
@@ -47,6 +47,6 @@ def get_types(src, tclass, perm):
raise ValueError("The %s type is not allowed to %s any types" % (src, ",".join(perm)))
tlist = []
- for l in map(lambda y: y[sepolicy.TARGET], filter(lambda x: set(perm).issubset(x[sepolicy.PERMS]), allows)):
+ for l in [y[sepolicy.TARGET] for y in [x for x in allows if set(perm).issubset(x[sepolicy.PERMS])]]:
tlist = tlist + expand_attribute(l)
return tlist
diff --git policycoreutils-2.5/sepolicy/sepolicy/generate.py policycoreutils-2.5/sepolicy/sepolicy/generate.py
index a92783a..809637b 100644
--- policycoreutils-2.5/sepolicy/sepolicy/generate.py
+++ policycoreutils-2.5/sepolicy/sepolicy/generate.py
@@ -28,25 +28,25 @@ import re
import sepolicy
from sepolicy import get_all_types, get_all_attributes, get_all_roles
import time
-import platform
-
-from templates import executable
-from templates import boolean
-from templates import etc_rw
-from templates import unit_file
-from templates import var_cache
-from templates import var_spool
-from templates import var_lib
-from templates import var_log
-from templates import var_run
-from templates import tmp
-from templates import rw
-from templates import network
-from templates import script
-from templates import spec
-from templates import user
+
+from .templates import executable
+from .templates import boolean
+from .templates import etc_rw
+from .templates import unit_file
+from .templates import var_cache
+from .templates import var_spool
+from .templates import var_lib
+from .templates import var_log
+from .templates import var_run
+from .templates import tmp
+from .templates import rw
+from .templates import network
+from .templates import script
+from .templates import spec
+from .templates import user
import sepolgen.interfaces as interfaces
import sepolgen.defaults as defaults
+from sepolgen import util
##
## I18N
@@ -58,12 +58,15 @@ gettext.bindtextdomain(PROGNAME, "/usr/share/locale")
gettext.textdomain(PROGNAME)
try:
gettext.install(PROGNAME,
- localedir="/usr/share/locale",
- unicode=False,
+ unicode=True,
+ codeset='utf-8')
+except TypeError:
+ # Failover to python3 install
+ gettext.install(PROGNAME,
codeset='utf-8')
except IOError:
- import __builtin__
- __builtin__.__dict__['_'] = unicode
+ import builtins
+ builtins.__dict__['_'] = str
def get_rpm_nvr_from_header(hdr):
@@ -71,6 +74,11 @@ def get_rpm_nvr_from_header(hdr):
name = hdr['name']
version = hdr['version']
release = hdr['release']
+ if util.PY3:
+ name = util.decode_input(name)
+ version = util.decode_input(version)
+ release = util.decode_input(release)
+
release_version = version + "-" + release.split(".")[0]
os_version = release.split(".")[1]
@@ -87,7 +95,7 @@ def get_rpm_nvr_list(package):
nvr = get_rpm_nvr_from_header(h)
break
except:
- print("Failed to retrieve rpm info for %s") % package
+ print(("Failed to retrieve rpm info for %s") % package)
nvr = None
return nvr
@@ -105,7 +113,7 @@ def get_all_ports():
def get_all_users():
- users = map(lambda x: x['name'], sepolicy.info(sepolicy.USER))
+ users = [x['name'] for x in sepolicy.info(sepolicy.USER)]
users.remove("system_u")
users.remove("root")
users.sort()
@@ -149,7 +157,7 @@ poltype[NEWTYPE] = _("Module information for a new type")
def get_poltype_desc():
- keys = poltype.keys()
+ keys = list(poltype.keys())
keys.sort()
msg = _("Valid Types:\n")
for k in keys:
@@ -163,7 +171,7 @@ USERS = [XUSER, TUSER, LUSER, AUSER, RUSER]
def verify_ports(ports):
if ports == "":
return []
- max_port = 2 ** 16
+ max_port = 2**16
try:
temp = []
for a in ports.split(","):
@@ -204,10 +212,10 @@ class policy:
raise ValueError(_("You must enter a name for your policy module for your '%s'.") % poltype[type])
try:
self.ports = get_all_ports()
- except ValueError, e:
- print "Can not get port types, must be root for this information"
- except RuntimeError, e:
- print "Can not get port types", e
+ except ValueError as e:
+ print("Can not get port types, must be root for this information")
+ except RuntimeError as e:
+ print("Can not get port types", e)
self.symbols = {}
self.symbols["openlog"] = "set_use_kerberos(True)"
@@ -424,7 +432,7 @@ class policy:
return self.use_tcp() or self.use_udp()
def find_port(self, port, protocol="tcp"):
- for begin, end, p in self.ports.keys():
+ for begin, end, p in list(self.ports.keys()):
if port >= begin and port <= end and protocol == p:
return self.ports[begin, end, protocol]
return None
@@ -850,7 +858,7 @@ allow %s_t %s_t:%s_socket name_%s;
role = d.split("_t")[0] + "_r"
if role in self.all_roles:
newte += """
- role %s;""" % role
+ role %s;""" % role
newte += """
')
"""
@@ -870,7 +878,7 @@ allow %s_t %s_t:%s_socket name_%s;
for t in self.types:
for i in self.DEFAULT_EXT:
if t.endswith(i):
- print t, t[:-len(i)]
+ print(t, t[:-len(i)])
newte += re.sub("TEMPLATETYPE", t[:-len(i)], self.DEFAULT_EXT[i].te_types)
break
@@ -1088,7 +1096,7 @@ allow %s_t %s_t:%s_socket name_%s;
def generate_fc(self):
newfc = ""
fclist = []
- for i in self.files.keys():
+ for i in list(self.files.keys()):
if os.path.exists(i) and stat.S_ISSOCK(os.stat(i)[stat.ST_MODE]):
t1 = re.sub("TEMPLATETYPE", self.name, self.files[i][2].fc_sock_file)
else:
@@ -1096,7 +1104,7 @@ allow %s_t %s_t:%s_socket name_%s;
t2 = re.sub("FILENAME", i, t1)
fclist.append(re.sub("FILETYPE", self.files[i][0], t2))
- for i in self.dirs.keys():
+ for i in list(self.dirs.keys()):
t1 = re.sub("TEMPLATETYPE", self.name, self.dirs[i][2].fc_dir)
t2 = re.sub("FILENAME", i, t1)
fclist.append(re.sub("FILETYPE", self.dirs[i][0], t2))
@@ -1159,10 +1167,10 @@ allow %s_t %s_t:%s_socket name_%s;
if self.initscript != "":
newsh += re.sub("FILENAME", self.initscript, script.restorecon)
- for i in self.files.keys():
+ for i in list(self.files.keys()):
newsh += re.sub("FILENAME", i, script.restorecon)
- for i in self.dirs.keys():
+ for i in list(self.dirs.keys()):
newsh += re.sub("FILENAME", i, script.restorecon)
for i in self.in_tcp[PORTS] + self.out_tcp[PORTS]:
@@ -1176,28 +1184,31 @@ allow %s_t %s_t:%s_socket name_%s;
newsh += re.sub("TEMPLATETYPE", self.name, t1)
newsh += self.generate_user_sh()
- if (platform.linux_distribution(full_distribution_name=0)[0] in ("redhat", "centos", "SuSE", "fedora", "mandrake", "mandriva")):
- newsh += re.sub("TEMPLATEFILE", self.file_name, script.rpm)
+ newsh += re.sub("TEMPLATEFILE", self.file_name, script.rpm)
return newsh
def generate_spec(self):
newspec = ""
- selinux_policyver = get_rpm_nvr_list("selinux-policy")[1]
- POLICYCOREUTILSVER = get_rpm_nvr_list("checkpolicy")[1]
+ selinux_policynvr = get_rpm_nvr_list("selinux-policy")
+
+ if selinux_policynvr is None:
+ selinux_policyver = "0.0.0"
+ else:
+ selinux_policyver = selinux_policynvr[1]
newspec += spec.header_comment_section
if self.type in APPLICATIONS:
newspec += spec.define_relabel_files_begin
if self.program:
newspec += re.sub("FILENAME", self.program, spec.define_relabel_files_end)
- if self.initscript != "":
- newspec += re.sub("FILENAME", self.initscript, spec.define_relabel_files_end)
- for i in self.files.keys():
- newspec += re.sub("FILENAME", i, spec.define_relabel_files_end)
- for i in self.dirs.keys():
- newspec += re.sub("FILENAME", i, spec.define_relabel_files_end)
+ if self.initscript != "":
+ newspec += re.sub("FILENAME", self.initscript, spec.define_relabel_files_end)
+ for i in list(self.files.keys()):
+ newspec += re.sub("FILENAME", i, spec.define_relabel_files_end)
+ for i in list(self.dirs.keys()):
+ newspec += re.sub("FILENAME", i, spec.define_relabel_files_end)
newspec += re.sub("VERSION", selinux_policyver, spec.base_section)
newspec = re.sub("MODULENAME", self.file_name, newspec)
@@ -1239,7 +1250,7 @@ allow %s_t %s_t:%s_socket name_%s;
fd = open(shfile, "w")
fd.write(self.generate_sh())
fd.close()
- os.chmod(shfile, 0750)
+ os.chmod(shfile, 0o750)
return shfile
def write_if(self, out_dir):
@@ -1287,7 +1298,7 @@ allow %s_t %s_t:%s_socket name_%s;
# some packages have own systemd subpackage
# tor-systemd for example
binary_name = self.program.split("/")[-1]
- for bpkg in yb.rpmdb.searchNames(["%s-systemd" % binary_name]):
+ for bpkg in yb.rpmdb.searchNames([ "%s-systemd" % binary_name ]):
for fname in bpkg.filelist + bpkg.ghostlist + bpkg.dirlist:
for b in self.DEFAULT_DIRS:
if b == "/etc":
@@ -1325,7 +1336,7 @@ allow %s_t %s_t:%s_socket name_%s;
# we don't want to have subdir in the .fc policy file
# if we already specify labeling for parent dir
temp_basepath = []
- for p in self.DEFAULT_DIRS.keys():
+ for p in list(self.DEFAULT_DIRS.keys()):
temp_dirs = []
try:
temp_basepath = self.DEFAULT_DIRS[p][1][0] + "/"
@@ -1340,9 +1351,9 @@ allow %s_t %s_t:%s_socket name_%s;
if len(temp_dirs) is not 0:
for i in temp_dirs:
- if i in self.dirs.keys():
+ if i in list(self.dirs.keys()):
del(self.dirs[i])
- elif i in self.files.keys():
+ elif i in list(self.files.keys()):
del(self.files[i])
else:
continue
@@ -1364,7 +1375,7 @@ Warning %s does not exist
for s in fd.read().split():
for b in self.symbols:
if s.startswith(b):
- exec "self.%s" % self.symbols[b]
+ exec("self.%s" % self.symbols[b])
fd.close()
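Review bot: `exec("self.%s" % self.symbols[b])` executes a string assembled at runtime; from the `__init__` hunk the values in `self.symbols` are fixed literals such as `"set_use_kerberos(True)"` and the file contents only select a key, so this is not driven by untrusted data, but a reader has to trace that to know it. A dispatch that stores the method name and argument in `self.symbols` and calls `getattr(self, name)(arg)` would make that evident without `exec`; since the dict is populated outside this hunk, that is a follow-up rather than a change here. At minimum a comment on this line noting that the executed string comes from the static `self.symbols` table would help. The enclosing method starts outside this hunk.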
def generate(self, out_dir=os.getcwd()):
@@ -1373,7 +1384,6 @@ Warning %s does not exist
out += "%s # %s\n" % (self.write_if(out_dir), _("Interface file"))
out += "%s # %s\n" % (self.write_fc(out_dir), _("File Contexts file"))
if self.type != NEWTYPE:
- if (platform.linux_distribution(full_distribution_name=0)[0] in ("redhat", "centos", "SuSE", "fedora", "mandrake", "mandriva")):
- out += "%s # %s\n" % (self.write_spec(out_dir), _("Spec file"))
+ out += "%s # %s\n" % (self.write_spec(out_dir), _("Spec file"))
out += "%s # %s\n" % (self.write_sh(out_dir), _("Setup Script"))
return out
diff --git policycoreutils-2.5/sepolicy/sepolicy/gui.py policycoreutils-2.5/sepolicy/sepolicy/gui.py
index 313b77f..2ab2dce 100644
--- policycoreutils-2.5/sepolicy/sepolicy/gui.py
+++ policycoreutils-2.5/sepolicy/sepolicy/gui.py
@@ -48,12 +48,15 @@ gettext.bindtextdomain(PROGNAME, "/usr/share/locale")
gettext.textdomain(PROGNAME)
try:
gettext.install(PROGNAME,
- localedir="/usr/share/locale",
- unicode=False,
+ unicode=True,
+ codeset='utf-8')
+except TypeError:
+ # Failover to python3 install
+ gettext.install(PROGNAME,
codeset='utf-8')
except IOError:
- import __builtin__
- __builtin__.__dict__['_'] = unicode
+ import builtins
+ builtins.__dict__['_'] = str
reverse_file_type_str = {}
for f in sepolicy.file_type_str:
@@ -62,10 +65,6 @@ for f in sepolicy.file_type_str:
enabled = [_("No"), _("Yes")]
action = [_("Disable"), _("Enable")]
-
-def compare(a, b):
- return cmp(a.lower(), b.lower())
-
import distutils.sysconfig
ADVANCED_LABEL = (_("Advanced >>"), _("Advanced <<"))
ADVANCED_SEARCH_LABEL = (_("Advanced Search >>"), _("Advanced Search <<"))
@@ -106,18 +105,13 @@ class SELinuxGui():
def __init__(self, app=None, test=False):
self.finish_init = False
+ self.advanced_init = True
self.opage = START_PAGE
self.dbus = SELinuxDBus()
try:
customized = self.dbus.customized()
- except dbus.exceptions.DBusException, e:
- print e
- self.quit()
-
- sepolicy_domains = sepolicy.get_all_domains()
- sepolicy_domains.sort(compare)
- if app and app not in sepolicy_domains:
- self.error(_("%s is not a valid domain" % app))
+ except dbus.exceptions.DBusException as e:
+ print(e)
self.quit()
self.init_cur()
@@ -143,7 +137,7 @@ class SELinuxGui():
self.files_add = False
self.network_add = False
- self.all_list = []
+ self.all_domains = []
self.installed_list = []
self.previously_modified = {}
@@ -155,10 +149,10 @@ class SELinuxGui():
self.invalid_entry = False
# Advanced search window ****************************
self.advanced_search_window = builder.get_object("advanced_search_window")
- self.advanced_search_liststore = builder.get_object("Advanced_search_liststore")
- self.advanced_search_liststore.set_sort_column_id(0, Gtk.SortType.ASCENDING)
self.advanced_search_filter = builder.get_object("advanced_filter")
self.advanced_search_filter.set_visible_func(self.filter_the_data)
+ self.advanced_search_sort = builder.get_object("advanced_sort")
+
self.advanced_filter_entry = builder.get_object("advanced_filter_entry")
self.advanced_search_treeview = builder.get_object("advanced_search_treeview")
self.advanced_search = False
@@ -427,12 +421,10 @@ class SELinuxGui():
# Combobox and Entry items **************************
self.combobox_menu = builder.get_object("combobox_org") # This is the combobox box object, aka the arrow next to the entry text bar
- self.combobox_menu_model = builder.get_object("application_liststore")
+ self.application_liststore = builder.get_object("application_liststore")
self.completion_entry = builder.get_object("completion_entry") # self.combobox_menu.get_child()
- self.completion_entry_model = builder.get_object("application_liststore")
self.entrycompletion_obj = builder.get_object("entrycompletion_obj")
#self.entrycompletion_obj = Gtk.EntryCompletion()
- self.entrycompletion_obj.set_model(self.completion_entry_model)
self.entrycompletion_obj.set_minimum_key_length(0)
self.entrycompletion_obj.set_text_column(0)
self.entrycompletion_obj.set_match_func(self.match_func, None)
@@ -487,20 +479,24 @@ class SELinuxGui():
self.loading = 1
path = None
if test:
- domains = ["httpd_t", "abrt_t"]
- if app and app not in domains:
- domains.append(app)
+ self.all_domains = ["httpd_t", "abrt_t"]
+ if app and app not in self.all_domains:
+ self.all_domains.append(app)
else:
- domains = sepolicy_domains
- loading_gui.show()
- length = len(domains)
- for domain in domains:
+ self.all_domains = sepolicy.get_all_domains()
+ self.all_domains.sort(key=str.lower)
+
+ if app and app not in self.all_domains:
+ self.error(_("%s is not a valid domain" % app))
+ self.quit()
+
+ loading_gui.show()
+ length = len(self.all_domains)
+ for domain in self.all_domains:
# After the user selects a path in the drop down menu call
# get_init_entrypoint_target(entrypoint) to get the transtype
# which will give you the application
- self.combo_box_initialize(domain, None)
- self.advanced_search_initialize(domain)
- self.all_list.append(domain)
+ self.combo_box_add(domain, domain)
self.percentage = float(float(self.loading) / float(length))
self.progress_bar.set_fraction(self.percentage)
self.progress_bar.set_pulse_step(self.percentage)
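Review bot: `self.error(_("%s is not a valid domain" % app))` interpolates before translating, so the msgid looked up in the catalog is the already-formatted string and never matches; it should be `self.error(_("%s is not a valid domain") % app)`. The line was moved here from earlier in `__init__`, so the defect predates this commit, but it is now on the new side. `self.all_domains.sort(key=str.lower)` assumes every entry from `sepolicy.get_all_domains()` is a `str`; other hunks in this commit run values from the policy through `util.decode_input` under Python 3, so confirm domain names arrive decoded. `__init__` continues outside this hunk.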
@@ -510,14 +506,13 @@ class SELinuxGui():
if entrypoint:
path = sepolicy.find_entrypoint_path(entrypoint)
if path:
- self.combo_box_initialize(path, None)
- # Adds all files entrypoint paths that exists on disc
- # into the combobox
- self.advanced_search_initialize(path)
+ self.combo_box_add(path, domain)
self.installed_list.append(path)
self.loading += 1
loading_gui.hide()
+ self.entrycompletion_obj.set_model(self.application_liststore)
+ self.advanced_search_treeview.set_model(self.advanced_search_sort)
dic = {
"on_combo_button_clicked": self.open_combo_menu,
@@ -549,7 +544,7 @@ class SELinuxGui():
"on_file_equiv_button_clicked": self.show_file_equiv_page,
"on_app/system_button_clicked": self.system_interface,
"on_app/users_button_clicked": self.users_interface,
- "on_main_advanced_label_button_press_event": self.advanced_label_main,
+ "on_show_advanced_search_window": self.on_show_advanced_search_window,
"on_Show_mislabeled_files_toggled": self.show_mislabeled_files,
"on_Browse_button_files_clicked": self.browse_for_files,
@@ -565,8 +560,6 @@ class SELinuxGui():
"on_advanced_filter_entry_changed": self.get_advanced_filter_data,
"on_advanced_search_treeview_row_activated": self.advanced_item_selected,
"on_Select_advanced_search_clicked": self.advanced_item_button_push,
- "on_All_advanced_button_toggled": self.advanced_radio_select,
- "on_Installed_advanced_button_toggled": self.advanced_radio_select,
"on_info_button_button_press_event": self.on_help_button,
"on_back_button_clicked": self.on_help_back_clicked,
"on_forward_button_clicked": self.on_help_forward_clicked,
@@ -672,9 +665,10 @@ class SELinuxGui():
self.module_dict = {}
for m in self.dbus.semodule_list().split("\n"):
mod = m.split()
- if len(mod) < 2:
+ if len(mod) < 3:
continue
self.module_dict[mod[0]] = {"version": mod[1], "Disabled": (len(mod) > 2)}
+ self.module_dict[mod[1]] = { "priority": mod[0], "Disabled" : (len(mod) > 3) }
self.enable_unconfined_button.set_active(not self.module_dict["unconfined"]["Disabled"])
self.enable_permissive_button.set_active(not self.module_dict["permissivedomains"]["Disabled"])
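Review bot: The kept line `self.module_dict[mod[0]] = {"version": mod[1], "Disabled": (len(mod) > 2)}` carries no `+`/`-` marker here, so if it really survives next to the new `self.module_dict[mod[1]] = {...}` it now keys an entry by `mod[0]`, which the new three-field parsing treats as the priority, and its `Disabled` value `(len(mod) > 2)` is always True once lines with fewer than three fields are skipped. That leaves one bogus entry per distinct priority string in the same dict as the real per-module entries. If the new format is authoritative, drop the old assignment and keep only `self.module_dict[mod[1]] = {"priority": mod[0], "Disabled": (len(mod) > 3)}`. The enclosing method starts outside the hunk.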
@@ -707,7 +701,7 @@ class SELinuxGui():
def match_func(self, completion, key_string, iter, func_data):
try:
- if self.combobox_menu_model.get_value(iter, 0).find(key_string) != -1:
+ if self.application_liststore.get_value(iter, 0).find(key_string) != -1:
return True
return False
except AttributeError:
@@ -818,7 +812,7 @@ class SELinuxGui():
self.set_application_label = True
def resize_wrap(self, *args):
- print args
+ print(args)
def initialize_system_default_mode(self):
self.enforce_mode = selinux.selinux_getenforcemode()[1]
@@ -831,7 +825,7 @@ class SELinuxGui():
def populate_system_policy(self):
selinux_path = selinux.selinux_path()
- types = map(lambda x: x[1], filter(lambda x: x[0] == selinux_path, os.walk(selinux_path)))[0]
+ types = [x[1] for x in os.walk(selinux_path) if x[0] == selinux_path][0]
types.sort()
ctr = 0
for item in types:
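Review bot: The new comprehension `[x[1] for x in os.walk(selinux_path) if x[0] == selinux_path][0]` still walks the entire tree under selinux_path before taking the first element, because the list is built from the whole generator; the Python 2 map/filter it replaces did the same. Since `os.walk` yields the top directory first, `types = next(os.walk(selinux_path))[1]` returns the same subdirectory list after a single directory read; note it raises `StopIteration` instead of `IndexError` when the path is missing, so adjust any caller that relies on the exception type. populate_system_policy continues outside the hunk.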
@@ -856,14 +850,14 @@ class SELinuxGui():
# Returns true if filter_txt exists within the val
if(val.find(self.filter_txt) != -1 or val.lower().find(self.filter_txt) != -1):
return True
- except AttributeError, TypeError:
+ except AttributeError as TypeError:
pass
except: # ValueError:
pass
return False
def net_update(self, app, netd, protocol, direction, model):
- for k in netd.keys():
+ for k in list(netd.keys()):
for t, ports in netd[k]:
pkey = (",".join(ports), protocol)
if pkey in self.cur_dict["port"]:
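Review bot: `except AttributeError as TypeError:` at the top of this hunk binds the caught AttributeError to a local named TypeError and does not catch TypeError at all, the same defect the Python 2 form `except AttributeError, TypeError:` had; the intended clause is `except (AttributeError, TypeError):`. The bare `except:` that follows hides the mistake, which is why it has gone unnoticed. Separately, wrapping `netd.keys()` in `list()` in net_update is only needed when the dict is mutated inside the loop, which the visible body does not do; the same 2to3 artifact recurs at the `entrypoints`, `writable_files`, `file_types` and `idict` loops in later hunks of this file and interface.py. The filter function containing the except clauses starts outside the hunk.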
@@ -918,11 +912,11 @@ class SELinuxGui():
self.ready_mouse()
def network_initialize(self, app):
- netd = sepolicy.network.get_network_connect(app, "tcp", "name_connect")
+ netd = sepolicy.network.get_network_connect(app, "tcp", "name_connect", check_bools=True)
self.net_update(app, netd, "tcp", OUTBOUND_PAGE, self.network_out_liststore)
- netd = sepolicy.network.get_network_connect(app, "tcp", "name_bind")
+ netd = sepolicy.network.get_network_connect(app, "tcp", "name_bind", check_bools=True)
self.net_update(app, netd, "tcp", INBOUND_PAGE, self.network_in_liststore)
- netd = sepolicy.network.get_network_connect(app, "udp", "name_bind")
+ netd = sepolicy.network.get_network_connect(app, "udp", "name_bind", check_bools=True)
self.net_update(app, netd, "udp", INBOUND_PAGE, self.network_in_liststore)
def network_initial_data_insert(self, model, ports, portType, protocol):
@@ -958,12 +952,12 @@ class SELinuxGui():
iter = liststore.get_iter(index)
return liststore.get_value(iter, 0)
- def combo_box_initialize(self, val, desc):
+ def combo_box_add(self, val, val1):
if val == None:
return
- iter = self.combobox_menu_model.append()
- for f in val:
- self.combobox_menu_model.set_value(iter, 0, val)
+ iter = self.application_liststore.append()
+ self.application_liststore.set_value(iter, 0, val)
+ self.application_liststore.set_value(iter, 1, val1)
def select_type_more(self, *args):
app = self.moreTypes_treeview.get_selection()
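Review bot: `if val == None:` in the renamed combo_box_add compares to None with `==`, which dispatches to `__eq__` on arbitrary values; `if val is None:` is the idiomatic identity test, and the same applies to `if app == None:` in the next hunk. The new method also has no docstring; a one-liner such as `"""Append a row (display text val, domain val1) to application_liststore."""` would record that column 1 holds the domain the advanced-search handlers later read back with `get_value(iter, 1)`.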
@@ -979,19 +973,18 @@ class SELinuxGui():
model, iter = row.get_selected()
iter = model.convert_iter_to_child_iter(iter)
iter = self.advanced_search_filter.convert_iter_to_child_iter(iter)
- app = self.advanced_search_liststore.get_value(iter, 1)
+ app = self.application_liststore.get_value(iter, 1)
if app == None:
return
self.advanced_filter_entry.set_text('')
self.advanced_search_window.hide()
self.reveal_advanced(self.main_advanced_label)
self.completion_entry.set_text(app)
- self.application_selected()
def advanced_item_selected(self, treeview, path, *args):
iter = self.advanced_search_filter.get_iter(path)
iter = self.advanced_search_filter.convert_iter_to_child_iter(iter)
- app = self.advanced_search_liststore.get_value(iter, 1)
+ app = self.application_liststore.get_value(iter, 1)
self.advanced_filter_entry.set_text('')
self.advanced_search_window.hide()
self.reveal_advanced(self.main_advanced_label)
@@ -1000,7 +993,7 @@ class SELinuxGui():
def find_application(self, app):
if app and len(app) > 0:
- for items in self.combobox_menu_model:
+ for items in self.application_liststore:
if app == items[0]:
return True
return False
@@ -1108,19 +1101,19 @@ class SELinuxGui():
if rec[0] == "module":
self.cust_dict["module"][rec[-1]] = {"enabled": rec[2] != "-d"}
- if "module" not in self.cust_dict:
+ for i in keys:
+ if i not in self.cust_dict:
+ self.cust_dict.update({i: {}})
+
+ if not self.cust_dict["module"]:
return
for semodule, button in [("unconfined", self.disable_unconfined_button), ("permissivedomains", self.disable_permissive_button)]:
if semodule in self.cust_dict["module"]:
button.set_active(self.cust_dict["module"][semodule]["enabled"])
- for i in keys:
- if i not in self.cust_dict:
- self.cust_dict.update({i: {}})
-
def executable_files_initialize(self, application):
self.entrypoints = sepolicy.get_entrypoints(application)
- for exe in self.entrypoints.keys():
+ for exe in list(self.entrypoints.keys()):
if len(self.entrypoints[exe]) == 0:
continue
file_class = self.entrypoints[exe][1]
@@ -1157,7 +1150,7 @@ class SELinuxGui():
def writable_files_initialize(self, application):
# Traversing the dictionary data struct
self.writable_files = sepolicy.get_writable_files(application)
- for write in self.writable_files.keys():
+ for write in list(self.writable_files.keys()):
if len(self.writable_files[write]) < 2:
self.files_initial_data_insert(self.writable_files_liststore, None, write, _("all files"))
continue
@@ -1200,7 +1193,7 @@ class SELinuxGui():
def application_files_initialize(self, application):
self.file_types = sepolicy.get_file_types(application)
- for app in self.file_types.keys():
+ for app in list(self.file_types.keys()):
if len(self.file_types[app]) == 0:
continue
file_class = self.file_types[app][1]
@@ -1373,8 +1366,8 @@ class SELinuxGui():
self.treeview = self.network_in_treeview
category = _("listen for inbound connections")
- self.add_button.set_tooltip_text(_("Add new port definition to which the '%(APP)s' domain is allowed to %s.") % {"APP": self.application, "PERM": category})
- self.delete_button.set_tooltip_text(_("Delete modified port definitions to which the '%(APP)s' domain is allowed to %s.") % {"APP": self.application, "PERM": category})
+ self.add_button.set_tooltip_text(_("Add new port definition to which the '%(APP)s' domain is allowed to %(PERM)s.") % {"APP": self.application, "PERM": category})
+ self.delete_button.set_tooltip_text(_("Delete modified port definitions to which the '%(APP)s' domain is allowed to %(PERM)s.") % {"APP": self.application, "PERM": category})
self.modify_button.set_tooltip_text(_("Modify port definitions to which the '%(APP)s' domain is allowed to %(PERM)s.") % {"APP": self.application, "PERM": category})
if self.transitions_radio_button.get_active():
@@ -1444,8 +1437,12 @@ class SELinuxGui():
def stripsort(self, model, row1, row2, user_data):
sort_column, _ = model.get_sort_column_id()
val1 = self.unmarkup(model.get_value(row1, sort_column))
+ if val1 is None:
+ val1 = ""
val2 = self.unmarkup(model.get_value(row2, sort_column))
- return cmp(val1, val2)
+ if val2 is None:
+ val2 = ""
+ return (val1 > val2) - (val1 < val2)
def display_more_detail(self, windows, path):
it = self.boolean_filter.get_iter(path)
@@ -1631,7 +1628,7 @@ class SELinuxGui():
self.files_type_combolist.clear()
self.files_class_combolist.clear()
compare = self.strip_domain(self.application)
- for d in self.completion_entry_model:
+ for d in self.application_liststore:
if d[0].startswith(compare) and d[0] != self.application and not d[0].startswith("httpd_sys"):
exclude_list.append(self.strip_domain(d[0]))
@@ -1642,7 +1639,7 @@ class SELinuxGui():
self.files_class_combolist.set_value(iter, 0, sepolicy.file_type_str[files])
if ipage == EXE_PAGE and self.entrypoints != None:
- for exe in self.entrypoints.keys():
+ for exe in list(self.entrypoints.keys()):
if exe.startswith(compare):
iter = self.files_type_combolist.append()
self.files_type_combolist.set_value(iter, 0, exe)
@@ -1652,7 +1649,7 @@ class SELinuxGui():
self.files_class_combobox.set_sensitive(False)
elif ipage == WRITABLE_PAGE and self.writable_files != None:
- for write in self.writable_files.keys():
+ for write in list(self.writable_files.keys()):
if write.startswith(compare) and not self.exclude_type(write, exclude_list) and write in self.file_types:
iter = self.files_type_combolist.append()
self.files_type_combolist.set_value(iter, 0, write)
@@ -1669,7 +1666,7 @@ class SELinuxGui():
self.more_types_files_liststore.set_value(iter, 0, app)
self.files_class_combobox.set_active(0)
except AttributeError:
- print "error"
+ print("error")
pass
self.files_type_combobox.set_active(0)
self.files_mls_entry.set_text("s0")
@@ -1710,13 +1707,13 @@ class SELinuxGui():
try:
if ipage == OUTBOUND_PAGE:
- netd = sepolicy.network.get_network_connect(self.application, "tcp", "name_connect")
+ netd = sepolicy.network.get_network_connect(self.application, "tcp", "name_connect", check_bools=True)
elif ipage == INBOUND_PAGE:
- netd = sepolicy.network.get_network_connect(self.application, "tcp", "name_bind")
- netd += sepolicy.network.get_network_connect(self.application, "udp", "name_bind")
+ netd = sepolicy.network.get_network_connect(self.application, "tcp", "name_bind", check_bools=True)
+ netd += sepolicy.network.get_network_connect(self.application, "udp", "name_bind", check_bools=True)
port_types = []
- for k in netd.keys():
+ for k in list(netd.keys()):
for t, ports in netd[k]:
if t not in port_types + ["port_t", "unreserved_port_t"]:
if t.endswith("_type"):
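Review bot: `netd += sepolicy.network.get_network_connect(self.application, "udp", "name_bind", check_bools=True)` merges with `+=`, but the `netd.keys()` loop below treats netd as a dict, and `dict += dict` raises TypeError, so the INBOUND_PAGE branch only works if get_network_connect returns a list-like object here; I cannot confirm the return type from this hunk. If it is a dict, the merge should be `netd.update(sepolicy.network.get_network_connect(...))`, bearing in mind that update overwrites shared keys rather than extending them. The surrounding try block and the enclosing method start outside the hunk.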
@@ -1811,7 +1808,7 @@ class SELinuxGui():
self.wait_mouse()
try:
self.dbus.semanage(update_buffer)
- except dbus.exceptions.DBusException, e:
+ except dbus.exceptions.DBusException as e:
self.error(e)
self.ready_mouse()
@@ -1890,7 +1887,7 @@ class SELinuxGui():
tree.set_value(iter, 2, fclass)
def restore_to_default(self, *args):
- print "restore to defualt clicked..."
+ print("restore to defualt clicked...")
def invalid_entry_retry(self, *args):
self.closewindow(self.error_check_window)
@@ -2143,7 +2140,7 @@ class SELinuxGui():
def on_save_delete_file_equiv_clicked(self, *args):
for delete in self.files_delete_liststore:
- print delete[0], delete[1], delete[2],
+ print(delete[0], delete[1], delete[2])
def on_toggle_update(self, cell, path, model):
model[path][0] = not model[path][0]
@@ -2185,7 +2182,6 @@ class SELinuxGui():
self.update = True
self.update_treestore.clear()
for bools in self.cur_dict["boolean"]:
- operation = self.cur_dict["boolean"][bools]["action"]
iter = self.update_treestore.append(None)
self.update_treestore.set_value(iter, 0, True)
self.update_treestore.set_value(iter, 1, sepolicy.boolean_desc(bools))
@@ -2416,8 +2412,11 @@ class SELinuxGui():
cur = selinux.getfilecon(path)[1].split(":")[2]
con = selinux.matchpathcon(path, 0)[1].split(":")[2]
if self.verify(_("Run restorecon on %(PATH)s to change its type from %(CUR_CONTEXT)s to the default %(DEF_CONTEXT)s?") % {"PATH": path, "CUR_CONTEXT": cur, "DEF_CONTEXT": con}, title="restorecon dialog") == Gtk.ResponseType.YES:
- self.dbus.restorecon(path)
- self.application_selected()
+ try:
+ self.dbus.restorecon(path)
+ self.application_selected()
+ except dbus.exceptions.DBusException as e:
+ self.error(e)
def new_updates(self, *args):
self.update_button.set_sensitive(self.modified())
@@ -2451,8 +2450,8 @@ class SELinuxGui():
self.wait_mouse()
try:
self.dbus.semanage(update_buffer)
- except dbus.exceptions.DBusException, e:
- print e
+ except dbus.exceptions.DBusException as e:
+ self.error(e)
self.ready_mouse()
self.init_cur()
@@ -2546,34 +2545,7 @@ class SELinuxGui():
self.network_mls_label.set_visible(advanced)
self.network_mls_entry.set_visible(advanced)
- def advanced_search_initialize(self, path):
- try:
- if path[0] == '/':
- domain = sepolicy.get_init_transtype(path)
- else:
- domain = path
- except IndexError:
- return
- except OSError:
- return
- iter = self.advanced_search_liststore.append()
- self.advanced_search_liststore.set_value(iter, 0, path)
- self.advanced_search_liststore.set_value(iter, 1, domain)
- user_types = sepolicy.get_user_types()
- if domain in user_types + ['initrc_t']:
- return
-
- entrypoints = sepolicy.get_entrypoints(domain)
- # From entry_point = 0 to the number of keys in the dic
- for exe in entrypoints:
- if len(entrypoints[exe]):
- file_class = entrypoints[exe][1]
- for path in entrypoints[exe][0]:
- iter = self.advanced_search_liststore.append()
- self.advanced_search_liststore.set_value(iter, 1, domain)
- self.advanced_search_liststore.set_value(iter, 0, path)
-
- def advanced_label_main(self, label, *args):
+ def on_show_advanced_search_window(self, label, *args):
if label.get_text() == ADVANCED_SEARCH_LABEL[1]:
label.set_text(ADVANCED_SEARCH_LABEL[0])
self.close_popup()
@@ -2581,25 +2553,6 @@ class SELinuxGui():
label.set_text(ADVANCED_SEARCH_LABEL[1])
self.show_popup(self.advanced_search_window)
- def advanced_radio_select(self, button):
- label = ""
- if button.get_active():
- label = button.get_label()
- if label == '':
- return
- self.advanced_search_liststore.clear()
- if label == "All":
- for items in self.all_list:
- self.advanced_search_initialize(items)
- self.idle_func()
-
- elif label == "Installed":
- if self.installed_list == []:
- return
- for items in self.installed_list:
- self.advanced_search_initialize(items)
- self.idle_func()
-
def set_enforce_text(self, value):
if value:
self.status_bar.push(self.context_id, _("System Status: Enforcing"))
@@ -2608,8 +2561,14 @@ class SELinuxGui():
self.current_status_permissive.set_active(True)
def set_enforce(self, button):
- self.dbus.setenforce(button.get_active())
- self.set_enforce_text(button.get_active())
+ if not self.finish_init:
+ return
+
+ try:
+ self.dbus.setenforce(button.get_active())
+ self.set_enforce_text(button.get_active())
+ except dbus.exceptions.DBusException as e:
+ self.error(e)
def on_browse_select(self, *args):
filename = self.file_dialog.get_filename()
@@ -2669,16 +2628,22 @@ class SELinuxGui():
self.system_policy_type_combobox.set_active(self.typeHistory)
return None
- self.dbus.change_default_policy(self.combo_get_active_text(self.system_policy_type_combobox))
- self.dbus.relabel_on_boot(True)
- self.typeHistory = self.system_policy_type_combobox.get_active()
+ try:
+ self.dbus.change_default_policy(self.combo_get_active_text(self.system_policy_type_combobox))
+ self.dbus.relabel_on_boot(True)
+ self.typeHistory = self.system_policy_type_combobox.get_active()
+ except dbus.exceptions.DBusException as e:
+ self.error(e)
def change_default_mode(self, button):
if not self.finish_init:
return
self.enabled_changed(button)
if button.get_active():
- self.dbus.change_default_mode(button.get_label().lower())
+ try:
+ self.dbus.change_default_mode(button.get_label().lower())
+ except dbus.exceptions.DBusException as e:
+ self.error(e)
def import_config_show(self, *args):
self.file_dialog.set_action(Gtk.FileChooserAction.OPEN)
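Review bot: When `self.dbus.change_default_policy(...)` raises DBusException in the first method of this hunk, the combobox is left showing the rejected selection while `self.typeHistory` still holds the previous index, so the widget and the recorded state disagree until the next change. The cancel path visible just above the try (`self.system_policy_type_combobox.set_active(self.typeHistory)` followed by `return None`) already handles this case; the except branch should do the same after `self.error(e)`. The analogous situation exists in change_default_mode below, where the toggled radio button stays active after a failed `change_default_mode` call. The first method starts outside the hunk.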
@@ -2735,7 +2700,7 @@ class SELinuxGui():
return
try:
self.dbus.relabel_on_boot(active)
- except dbus.exceptions.DBusException, e:
+ except dbus.exceptions.DBusException as e:
self.error(e)
def closewindow(self, window, *args):
@@ -2821,10 +2786,13 @@ class SELinuxGui():
if not self.finish_init:
return
self.wait_mouse()
- if self.enable_permissive_button.get_active():
- self.dbus.semanage("module -e permissivedomains")
- else:
- self.dbus.semanage("module -d permissivedomains")
+ try:
+ if self.enable_permissive_button.get_active():
+ self.dbus.semanage("module -e permissivedomains")
+ else:
+ self.dbus.semanage("module -d permissivedomains")
+ except dbus.exceptions.DBusException as e:
+ self.error(e)
self.ready_mouse()
def confirmation_close(self, button, *args):
diff --git policycoreutils-2.5/sepolicy/sepolicy/interface.py policycoreutils-2.5/sepolicy/sepolicy/interface.py
index 69078b0..6c351ee 100644
--- policycoreutils-2.5/sepolicy/sepolicy/interface.py
+++ policycoreutils-2.5/sepolicy/sepolicy/interface.py
@@ -38,20 +38,24 @@ import gettext
gettext.bindtextdomain(PROGNAME, "/usr/share/locale")
gettext.textdomain(PROGNAME)
try:
+ gettext.install(PROGNAME,
+ unicode=True,
+ codeset='utf-8')
+except TypeError:
+ # Failover to python3 install
gettext.install(PROGNAME,
localedir="/usr/share/locale",
- unicode=False,
codeset='utf-8')
except IOError:
- import __builtin__
- __builtin__.__dict__['_'] = unicode
+ import builtins
+ builtins.__dict__['_'] = unicode
def get_interfaces_from_xml(path):
""" Get all interfaces from given xml file"""
interfaces_list = []
idict = get_interface_dict(path)
- for k in idict.keys():
+ for k in list(idict.keys()):
interfaces_list.append(k)
return interfaces_list
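Review bot: `builtins.__dict__['_'] = unicode` in the IOError fallback references `unicode`, which does not exist on Python 3, so on that interpreter the fallback raises NameError instead of installing a pass-through `_`; the Python 3 spelling is `builtins.__dict__['_'] = str` (add a `NameError` guard only if Python 2 must still reach this path). Note also that an IOError raised by the second `gettext.install(...)` call inside the `except TypeError:` handler is not caught by the sibling `except IOError:` clause, because sibling handlers do not cover exceptions raised within another handler; wrap the fallback call in its own try/except if it needs the same protection. The `list(idict.keys())` wrapping in get_interfaces_from_xml is unnecessary for a read-only loop.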
@@ -76,10 +80,10 @@ def get_admin(path=""):
try:
xml_path = get_xml_file(path)
idict = get_interface_dict(xml_path)
- for k in idict.keys():
+ for k in list(idict.keys()):
if k.endswith("_admin"):
admin_list.append(k)
- except IOError, e:
+ except IOError as e:
sys.stderr.write("%s: %s\n" % (e.__class__.__name__, str(e)))
sys.exit(1)
else:
@@ -98,11 +102,11 @@ def get_user(path=""):
try:
xml_path = get_xml_file(path)
idict = get_interface_dict(xml_path)
- for k in idict.keys():
+ for k in list(idict.keys()):
if k.endswith("_role"):
if (("%s_exec_t" % k[:-5]) in sepolicy.get_all_types()):
trans_list.append(k)
- except IOError, e:
+ except IOError as e:
sys.stderr.write("%s: %s\n" % (e.__class__.__name__, str(e)))
sys.exit(1)
else:
@@ -121,12 +125,19 @@ def get_interface_dict(path="/usr/share/selinux/devel/policy.xml"):
global interface_dict
import os
import xml.etree.ElementTree
+ from sepolicy import get_all_modules, get_all_modules_from_mod_lst
if interface_dict:
return interface_dict
+ active_modules = []
interface_dict = {}
param_list = []
+ active_modules = get_all_modules_from_mod_lst()
+ if active_modules is None:
+ print((_("Using only non-base modules.")))
+ active_modules = get_all_modules()
+
xml_path = """<?xml version="1.0" encoding="ISO-8859-1" standalone="no"?>
<policy>
<layer name="admin">
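Review bot: `print((_("Using only non-base modules.")))` in get_interface_dict carries the doubled parentheses 2to3 leaves behind, and it writes an informational message to stdout from a library function that get_interfaces_from_xml, get_admin and get_user call to build their results, so whatever those callers print may get the notice interleaved; `sys.stderr.write(_("Using only non-base modules.") + "\n")` keeps stdout clean, and `sys` is already used in this module. The same doubled-parenthesis form appears in interface_compile_test (`print((_("Compiling %s interface" % interface)))`) and three times in manpage.py's HTMLManPages. The `active_modules = []` initialisation two lines above the real assignment is dead and can go. get_interface_dict continues outside the hunk.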
@@ -144,17 +155,18 @@ def get_interface_dict(path="/usr/share/selinux/devel/policy.xml"):
tree = xml.etree.ElementTree.fromstring(xml_path)
for l in tree.findall("layer"):
for m in l.findall("module"):
- for i in m.getiterator('interface'):
- for e in i.findall("param"):
- param_list.append(e.get('name'))
- interface_dict[(i.get("name"))] = [param_list, (i.find('summary').text), "interface"]
- param_list = []
- for i in m.getiterator('template'):
- for e in i.findall("param"):
- param_list.append(e.get('name'))
- interface_dict[(i.get("name"))] = [param_list, (i.find('summary').text), "template"]
- param_list = []
- except IOError, e:
+ if m.get("name") in active_modules:
+ for i in m.getiterator('interface'):
+ for e in i.findall("param"):
+ param_list.append(e.get('name'))
+ interface_dict[(i.get("name"))] = [param_list, (i.find('summary').text), "interface"]
+ param_list = []
+ for i in m.getiterator('template'):
+ for e in i.findall("param"):
+ param_list.append(e.get('name'))
+ interface_dict[(i.get("name"))] = [param_list, (i.find('summary').text), "template"]
+ param_list = []
+ except IOError as e:
pass
return interface_dict
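Review bot: The re-indented loops call `m.getiterator('interface')` and `m.getiterator('template')`; `Element.getiterator()` is deprecated on Python 3 and was removed in Python 3.9, so a port that targets Python 3 should use `m.iter('interface')` and `m.iter('template')`, which behave identically on 2.7 and 3. The handler `except IOError as e: pass` binds `e` without using it and silently returns a partial dictionary; at minimum drop the name (`except IOError:`), and consider reporting the error the way get_admin does in its IOError handler. The try statement these clauses belong to starts outside the hunk.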
@@ -167,7 +179,7 @@ def get_interface_format_text(interface, path="/usr/share/selinux/devel/policy.x
def get_interface_compile_format_text(interfaces_dict, interface):
- from templates import test_module
+ from .templates import test_module
param_tmp = []
for i in interfaces_dict[interface][0]:
param_tmp.append(test_module.dict_values[i])
@@ -177,7 +189,7 @@ def get_interface_compile_format_text(interfaces_dict, interface):
def generate_compile_te(interface, idict, name="compiletest"):
- from templates import test_module
+ from .templates import test_module
te = ""
te += re.sub("TEMPLATETYPE", name, test_module.te_test_module)
te += get_interface_compile_format_text(idict, interface)
@@ -188,41 +200,47 @@ def generate_compile_te(interface, idict, name="compiletest"):
def get_xml_file(if_file):
""" Returns xml format of interfaces for given .if policy file"""
import os
- import commands
+ import subprocess
basedir = os.path.dirname(if_file) + "/"
filename = os.path.basename(if_file).split(".")[0]
- rc, output = commands.getstatusoutput("python /usr/share/selinux/devel/include/support/segenxml.py -w -m %s" % basedir + filename)
- if rc != 0:
+ try:
+ output = subprocess.check_output("python /usr/share/selinux/devel/include/support/segenxml.py -w -m %s" % basedir + filename,
+ stderr=subprocess.STDOUT,
+ shell=True)
+ return output
+ except subprocess.CalledProcessError as e:
sys.stderr.write("\n Could not proceed selected interface file.\n")
- sys.stderr.write("\n%s" % output)
+ sys.stderr.write(e.output)
sys.exit(1)
- else:
- return output
def interface_compile_test(interface, path="/usr/share/selinux/devel/policy.xml"):
exclude_interfaces = ["userdom", "kernel", "corenet", "files", "dev"]
+ exclude_interface_name = ["selinux_genbool"]
exclude_interface_type = ["template"]
- import commands
+ import subprocess
import os
policy_files = {'pp': "compiletest.pp", 'te': "compiletest.te", 'fc': "compiletest.fc", 'if': "compiletest.if"}
idict = get_interface_dict(path)
- if not (interface.split("_")[0] in exclude_interfaces or idict[interface][2] in exclude_interface_type):
- print(_("Compiling %s interface" % interface))
+ if not (interface in exclude_interface_name or interface.split("_")[0] in exclude_interfaces or idict[interface][2] in exclude_interface_type):
+ print((_("Compiling %s interface" % interface)))
try:
fd = open(policy_files['te'], "w")
fd.write(generate_compile_te(interface, idict))
fd.close()
- rc, output = commands.getstatusoutput("make -f /usr/share/selinux/devel/Makefile %s" % policy_files['pp'])
- if rc != 0:
- sys.stderr.write(output)
+ try:
+ subprocess.check_output("make -f /usr/share/selinux/devel/Makefile %s" % policy_files['pp'],
+ stderr=subprocess.STDOUT,
+ shell=True)
+ except subprocess.CalledProcessError as e:
sys.stderr.write(_("\nCompile test for %s failed.\n") % interface)
+ sys.stderr.write(e.output)
- except EnvironmentError, e:
+ except EnvironmentError as e:
sys.stderr.write(_("\nCompile test for %s has not run. %s\n") % (interface, e))
- for v in policy_files.values():
+ for v in list(policy_files.values()):
if os.path.exists(v):
os.remove(v)
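Review bot: get_xml_file builds its command by interpolating the caller-supplied interface path into a string executed with `shell=True`, so a path containing shell metacharacters or spaces is interpreted by the shell rather than handed to segenxml.py; the argv form `subprocess.check_output(["python", "/usr/share/selinux/devel/include/support/segenxml.py", "-w", "-m", basedir + filename], stderr=subprocess.STDOUT)` takes the shell out of the picture and fixes the quoting as well. In both `except subprocess.CalledProcessError as e:` handlers, `sys.stderr.write(e.output)` passes bytes to a text stream on Python 3 and raises TypeError, hiding the real compile error; decode first, e.g. `sys.stderr.write(e.output.decode("utf-8", "replace"))`. The `return output` value is likewise bytes on Python 3, so the consumer of get_xml_file needs to expect that. The `make -f ... %s` command in interface_compile_test interpolates only a constant filename and is not affected by the first point.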
diff --git policycoreutils-2.5/sepolicy/sepolicy/manpage.py policycoreutils-2.5/sepolicy/sepolicy/manpage.py
index 7de2f80..5649b06 100755
--- policycoreutils-2.5/sepolicy/sepolicy/manpage.py
+++ policycoreutils-2.5/sepolicy/sepolicy/manpage.py
@@ -29,14 +29,23 @@ import argparse
import selinux
import sepolicy
from sepolicy import *
+from sepolgen import util
-import commands
+import subprocess
import sys
import os
import re
import time
-equiv_dict = {"smbd": ["samba"], "httpd": ["apache"], "virtd": ["virt", "libvirt", "svirt", "svirt_tcg", "svirt_lxc_t", "svirt_lxc_net_t"], "named": ["bind"], "fsdaemon": ["smartmon"], "mdadm": ["raid"]}
+
+typealias_types = {
+ "antivirus_t": ("amavis_t", "clamd_t", "clamscan_t", "freshclam_t"),
+ "cluster_t": ("rgmanager_t", "corosync_t", "aisexec_t", "pacemaker_t"),
+ "svirt_t": ("qemu_t"),
+ "httpd_t": ("phpfpm_t"),
+}
+
+equiv_dict = {"smbd": ["samba"], "httpd": ["apache"], "virtd": ["virt", "libvirt"], "named": ["bind"], "fsdaemon": ["smartmon"], "mdadm": ["raid"]}
equiv_dirs = ["/var"]
modules_dict = None
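Review bot: `"svirt_t": ("qemu_t")` and `"httpd_t": ("phpfpm_t")` in typealias_types are plain strings, not one-element tuples, because parentheses without a trailing comma do not create a tuple; iterating them later (`for t in typealias_types[domain_type]` in ManPage.__gen_man_page) yields single characters, so `_typealias_gen_man` would be called with `'q'`, `'e'`, … and `t[:-2]` would be empty. Write `"svirt_t": ("qemu_t",),` and `"httpd_t": ("phpfpm_t",),` so all four values are tuples, and add a comment above the dict stating that each value must be a tuple of `_t` domain names.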
@@ -62,7 +71,7 @@ def gen_modules_dict(path="/usr/share/selinux/devel/policy.xml"):
name = "unconfined"
for b in m.findall("summary"):
modules_dict[name] = b.text
- except IOError, e:
+ except IOError as e:
pass
return modules_dict
@@ -111,8 +120,8 @@ def gen_domains():
for d in get_all_domains():
found = False
domain = d[:-2]
-# if domain + "_exec_t" not in get_entrypoints():
-# continue
+# if domain + "_exec_t" not in get_entrypoints():
+# continue
if domain in domains:
continue
domains.append(domain)
@@ -149,9 +158,6 @@ def prettyprint(f, trim):
manpage_domains = []
manpage_roles = []
-fedora_releases = ["Fedora17", "Fedora18"]
-rhel_releases = ["RHEL6", "RHEL7"]
-
def get_alphabet_manpages(manpage_list):
alphabet_manpages = dict.fromkeys(string.ascii_letters, [])
@@ -167,16 +173,20 @@ def get_alphabet_manpages(manpage_list):
def convert_manpage_to_html(html_manpage, manpage):
- rc, output = commands.getstatusoutput("/usr/bin/groff -man -Thtml %s 2>/dev/null" % manpage)
- if rc == 0:
- print html_manpage, " has been created"
- fd = open(html_manpage, 'w')
- fd.write(output)
- fd.close()
+ try:
+ man_page = subprocess.check_output("/usr/bin/groff -man -Thtml %s 2>/dev/null" % manpage,
+ stderr=subprocess.STDOUT,
+ shell=True)
+ except subprocess.CalledProcessError as e:
+ sys.stderr.write(util.decode_input(e.output))
+ return
+ fd = open(html_manpage, 'wb')
+ fd.write(man_page)
+ fd.close()
+ print(html_manpage)
class HTMLManPages:
-
"""
Generate a HHTML Manpages on an given SELinux domains
"""
@@ -186,96 +196,50 @@ class HTMLManPages:
self.manpage_domains = get_alphabet_manpages(manpage_domains)
self.os_version = os_version
self.old_path = path + "/"
- self.new_path = self.old_path + self.os_version + "/"
+ self.new_path = self.old_path
+
+ if self.os_version:
- if self.os_version in fedora_releases or rhel_releases:
self.__gen_html_manpages()
else:
- print("SELinux HTML man pages can not be generated for this %s" % os_version)
+ print(("SELinux HTML man pages can not be generated for this %s" % os_version))
exit(1)
def __gen_html_manpages(self):
self._write_html_manpage()
self._gen_index()
- self._gen_body()
self._gen_css()
def _write_html_manpage(self):
if not os.path.isdir(self.new_path):
os.mkdir(self.new_path)
- for domain in self.manpage_domains.values():
+ for domain in list(self.manpage_domains.values()):
if len(domain):
for d in domain:
- convert_manpage_to_html((self.new_path + d.split("_selinux")[0] + ".html"), self.old_path + d)
+ convert_manpage_to_html((self.new_path + d.rsplit("_selinux", 1)[0] + ".html"), self.old_path + d)
- for role in self.manpage_roles.values():
+ for role in list(self.manpage_roles.values()):
if len(role):
for r in role:
- convert_manpage_to_html((self.new_path + r.split("_selinux")[0] + ".html"), self.old_path + r)
+ convert_manpage_to_html((self.new_path + r.rsplit("_selinux", 1)[0] + ".html"), self.old_path + r)
def _gen_index(self):
- index = self.old_path + "index.html"
- fd = open(index, 'w')
- fd.write("""
-<html>
-<head>
- <link rel=stylesheet type="text/css" href="style.css" title="style">
- <title>SELinux man pages online</title>
-</head>
-<body>
-<h1>SELinux man pages</h1>
-<br></br>
-Fedora or Red Hat Enterprise Linux Man Pages.</h2>
-<br></br>
-<hr>
-<h3>Fedora</h3>
-<table><tr>
-<td valign="middle">
-</td>
-</tr></table>
-<pre>
-""")
- for f in fedora_releases:
- fd.write("""
-<a href=%s/%s.html>%s</a> - SELinux man pages for %s """ % (f, f, f, f))
-
- fd.write("""
-</pre>
-<hr>
-<h3>RHEL</h3>
-<table><tr>
-<td valign="middle">
-</td>
-</tr></table>
-<pre>
-""")
- for r in rhel_releases:
- fd.write("""
-<a href=%s/%s.html>%s</a> - SELinux man pages for %s """ % (r, r, r, r))
-
- fd.write("""
-</pre>
- """)
- fd.close()
- print("%s has been created") % index
-
- def _gen_body(self):
- html = self.new_path + self.os_version + ".html"
+ html = self.new_path + "index.html"
fd = open(html, 'w')
fd.write("""
<html>
<head>
- <link rel=stylesheet type="text/css" href="../style.css" title="style">
- <title>Linux man-pages online for Fedora18</title>
+ <link rel=stylesheet type="text/css" href="style.css" title="style">
+ <title>SELinux man pages</title>
</head>
<body>
-<h1>SELinux man pages for Fedora18</h1>
+<h1>SELinux man pages for %s</h1>
<hr>
<table><tr>
<td valign="middle">
<h3>SELinux roles</h3>
-""")
+""" % self.os_version)
for letter in self.manpage_roles:
if len(self.manpage_roles[letter]):
fd.write("""
@@ -292,7 +256,7 @@ Fedora or Red Hat Enterprise Linux Man Pages.</h2>
if len(self.manpage_roles[letter]):
rolename_body += "<p>"
for r in self.manpage_roles[letter]:
- rolename = r.split("_selinux")[0]
+ rolename = r.rsplit("_selinux", 1)[0]
rolename_body += "<a name=%s_role></a><a href=%s.html>%s_selinux(8)</a> - Security Enhanced Linux Policy for the %s SELinux user\n" % (letter, rolename, rolename, rolename)
fd.write("""%s
@@ -307,7 +271,7 @@ Fedora or Red Hat Enterprise Linux Man Pages.</h2>
if len(self.manpage_domains[letter]):
fd.write("""
<a href=#%s_domain>%s</a>
- """ % (letter, letter))
+ """ % (letter, letter))
fd.write("""
</td>
@@ -319,7 +283,7 @@ Fedora or Red Hat Enterprise Linux Man Pages.</h2>
if len(self.manpage_domains[letter]):
domainname_body += "<p>"
for r in self.manpage_domains[letter]:
- domainname = r.split("_selinux")[0]
+ domainname = r.rsplit("_selinux", 1)[0]
domainname_body += "<a name=%s_domain></a><a href=%s.html>%s_selinux(8)</a> - Security Enhanced Linux Policy for the %s SELinux processes\n" % (letter, domainname, domainname, domainname)
fd.write("""%s
@@ -329,7 +293,7 @@ Fedora or Red Hat Enterprise Linux Man Pages.</h2>
""" % domainname_body)
fd.close()
- print("%s has been created") % html
+ print(("%s has been created") % html)
def _gen_css(self):
style_css = self.old_path + "style.css"
@@ -343,9 +307,9 @@ html, body {
}
h1, h2, h3, h4, h5, h5 {
- color: #2d7c0b;
- font-family: arial, sans-serif;
- margin-top: 25px;
+ color: #2d7c0b;
+ font-family: arial, sans-serif;
+ margin-top: 25px;
}
a {
@@ -392,11 +356,10 @@ pre.code {
""")
fd.close()
- print("%s has been created") % style_css
+ print(("%s has been created") % style_css)
class ManPage:
-
"""
Generate a Manpage on an SELinux domain in the specified path
"""
@@ -454,7 +417,7 @@ class ManPage:
self.__gen_man_page()
self.fd.close()
- for k in equiv_dict.keys():
+ for k in list(equiv_dict.keys()):
if k == self.domainname:
for alias in equiv_dict[k]:
self.__gen_man_page_link(alias)
@@ -506,6 +469,7 @@ class ManPage:
self._booleans()
self._port_types()
+ self._mcs_types()
self._writes()
self._footer()
@@ -514,9 +478,10 @@ class ManPage:
self.fd = open("%s/%s_selinux.8" % (self.path, alias), 'w')
self.fd.write(".so man8/%s_selinux.8" % self.domainname)
self.fd.close()
- print path
+ print(path)
def __gen_man_page(self):
+
self.anon_list = []
self.attributes = {}
@@ -524,11 +489,22 @@ class ManPage:
self._get_ptypes()
for domain_type in self.ptypes:
+ try:
+ if typealias_types[domain_type]:
+ fd = self.fd
+ man_page_path = self.man_page_path
+ for t in typealias_types[domain_type]:
+ self._typealias_gen_man(t)
+ self.fd = fd
+ self.man_page_path = man_page_path
+ except KeyError:
+ continue
self.attributes[domain_type] = sepolicy.info(sepolicy.TYPE, ("%s") % domain_type)[0]["attributes"]
self._header()
self._entrypoints()
self._process_types()
+ self._mcs_types()
self._booleans()
self._nsswitch_domain()
self._port_types()
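Review bot: In the new try/except around `typealias_types[domain_type]`, the `continue` in `except KeyError:` skips the `self.attributes[domain_type] = ...` assignment that follows for every process type without a typealias entry, which is almost all of them; since `_nsswitch_domain` iterates `self.attributes` (visible in a later hunk), those sections are then generated from a nearly empty dict. The lookup should be tolerant instead of aborting the iteration: `for t in typealias_types.get(domain_type, ()):` replaces the `if typealias_types[domain_type]:` test and the except clause entirely, or at minimum change `continue` to `pass`. The save/restore of `self.fd` and `self.man_page_path` around `_typealias_gen_man` deserves a one-line comment explaining that the helper rebinds both. __gen_man_page starts outside the hunk.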
@@ -542,6 +518,34 @@ class ManPage:
if f.startswith(self.short_name) or f.startswith(self.domainname):
self.ptypes.append(f)
+ def _typealias_gen_man(self, t):
+ self.man_page_path = "%s/%s_selinux.8" % (self.path, t[:-2])
+ self.ports = []
+ self.booltext = ""
+ self.fd = open(self.man_page_path, 'w')
+ self._typealias(t[:-2])
+ self._footer()
+ self.fd.close()
+
+ def _typealias(self, typealias):
+ self.fd.write('.TH "%(typealias)s_selinux" "8" "%(date)s" "%(typealias)s" "SELinux Policy %(typealias)s"'
+ % {'typealias': typealias, 'date': time.strftime("%y-%m-%d")})
+ self.fd.write(r"""
+.SH "NAME"
+%(typealias)s_selinux \- Security Enhanced Linux Policy for the %(typealias)s processes
+.SH "DESCRIPTION"
+
+%(typealias)s_t SELinux domain type is now associated with %(domainname)s domain type (%(domainname)s_t).
+""" % {'typealias': typealias, 'domainname': self.domainname})
+
+ self.fd.write(r"""
+Please see
+
+.B %(domainname)s_selinux
+
+man page for more details.
+""" % {'domainname': self.domainname})
+
def _header(self):
self.fd.write('.TH "%(domainname)s_selinux" "8" "%(date)s" "%(domainname)s" "SELinux Policy %(domainname)s"'
% {'domainname': self.domainname, 'date': time.strftime("%y-%m-%d")})
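Review bot: `_typealias_gen_man` strips the alias with `t[:-2]` in both the path and the `_typealias` call, which silently mangles any alias that does not end in the two-character `_t` suffix; a comment stating that expectation, or an explicit `t[:-2] if t.endswith("_t") else t`, would make the assumption visible. It also resets `self.ports` and `self.booltext`, yet the caller in `__gen_man_page` restores only `fd` and `man_page_path`, so the main page presumably relies on `_port_types`/`_booleans` repopulating them afterwards — worth confirming. The opened file is closed only on the success path; `with open(self.man_page_path, 'w') as self.fd:` would close it if `_typealias` or `_footer` raises.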
@@ -601,7 +605,7 @@ SELinux policy is customizable based on least access required. %s policy is ext
nsswitch_types = []
nsswitch_booleans = ['authlogin_nsswitch_use_ldap', 'kerberos_enabled']
nsswitchbooltext = ""
- for k in self.attributes.keys():
+ for k in list(self.attributes.keys()):
if "nsswitch_domain" in self.attributes[k]:
nsswitch_types.append(k)
@@ -691,10 +695,13 @@ Default Defined Ports:""")
def _file_context(self):
flist = []
+ flist_non_exec = []
mpaths = []
for f in self.all_file_types:
if f.startswith(self.domainname):
flist.append(f)
+ if not file_type_is_executable(f) or not file_type_is_entrypoint(f):
+ flist_non_exec.append(f)
if f in self.fcdict:
mpaths = mpaths + self.fcdict[f]["regex"]
if len(mpaths) == 0:
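Review bot: The filter `not file_type_is_executable(f) or not file_type_is_entrypoint(f)` in `_file_context` admits executable types that are merely not entrypoints, so `flist_non_exec` can still hold an `*_exec_t` type despite its name, and the `semanage fcontext -a -t` example built from it in the next hunk may then recommend labelling content with an executable type. If the intent is a list of types that are neither executable nor entrypoint, the condition should read `if not (file_type_is_executable(f) or file_type_is_entrypoint(f)):`. `_file_context` continues past the hunk.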
@@ -746,19 +753,20 @@ SELinux %(domainname)s policy is very flexible allowing users to setup their %(d
.PP
""" % {'domainname': self.domainname, 'equiv': e, 'alt': e.split('/')[-1] })
- self.fd.write(r"""
+ if flist_non_exec:
+ self.fd.write(r"""
.PP
.B STANDARD FILE CONTEXT
SELinux defines the file context types for the %(domainname)s, if you wanted to
store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk.
-.B semanage fcontext -a -t %(type)s '/srv/%(domainname)s/content(/.*)?'
+.B semanage fcontext -a -t %(type)s '/srv/my%(domainname)s_content(/.*)?'
.br
.B restorecon -R -v /srv/my%(domainname)s_content
Note: SELinux often uses regular expressions to specify labels that match multiple files.
-""" % {'domainname': self.domainname, "type": flist[0] })
+""" % {'domainname': self.domainname, "type": flist_non_exec[-1] })
self.fd.write(r"""
.I The following file types are defined for %(domainname)s:
@@ -895,7 +903,7 @@ selinux(8), %s(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
def _entrypoints(self):
try:
- entrypoints = map(lambda x: x['target'], sepolicy.search([sepolicy.ALLOW], {'source': self.type, 'permlist': ['entrypoint'], 'class': 'file'}))
+ entrypoints = [x['target'] for x in sepolicy.search([sepolicy.ALLOW], {'source': self.type, 'permlist': ['entrypoint'], 'class':'file'})]
except:
return
@@ -911,7 +919,7 @@ selinux(8), %s(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
The %s_t SELinux type can be entered via the %s.
The default entrypoint paths for the %s_t domain are the following:
-""" % (self.domainname, entrypoints_str, self.domainname))
+""" % (self.domainname, entrypoints_str, self.domainname))
if "bin_t" in entrypoints:
entrypoints.remove("bin_t")
self.fd.write ("""
@@ -925,6 +933,17 @@ All executeables with the default executable label, usually stored in /usr/bin a
self.fd.write("""
%s""" % ", ".join(paths))
+ def _mcs_types(self):
+ attributes = sepolicy.info(sepolicy.TYPE, (self.type))[0]["attributes"]
+ if "mcs_constrained_type" not in attributes:
+ return
+ self.fd.write ("""
+.SH "MCS Constrained"
+The SELinux process type %(type)s_t is an MCS (Multi Category Security) constrained type. Sometimes this separation is referred to as sVirt. These types are usually used for securing multi-tenant environments, such as virtualization, containers or separation of users. The tools used to launch MCS types, pick out a different MCS label for each process group.
+
+For example one process might be launched with %(type)s_t:s0:c1,c2, and another process launched with %(type)s_t:s0:c3,c4. The SELinux kernel only allows these processes can only write to content with a matching MCS label, or a MCS Label of s0. A process running with the MCS level of s0:c1,c2 is not allowed to write to content with the MCS label of s0:c3,c4
+""" % {'type': self.domainname})
+
def _writes(self):
permlist = sepolicy.search([sepolicy.ALLOW], {'source': self.type, 'permlist': ['open', 'write'], 'class': 'file'})
if permlist == None or len(permlist) == 0:
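Review bot: The new MCS paragraph written by `_mcs_types` contains a garbled sentence, "The SELinux kernel only allows these processes can only write to content with a matching MCS label, or a MCS Label of s0", and the final sentence lacks a terminating period; suggested wording: `The SELinux kernel only allows these processes to write to content with a matching MCS label, or an MCS label of s0.` The lookup `sepolicy.info(sepolicy.TYPE, (self.type))[0]["attributes"]` repeats the query that `__gen_man_page` already stores in `self.attributes` for each process type; if `self.type` is always among those keys, `self.attributes.get(self.type, [])` would avoid a second policy query — worth confirming, since an earlier hunk also calls `_mcs_types` from another ManPage method where that cache may not be populated.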
@@ -948,7 +967,7 @@ All executeables with the default executable label, usually stored in /usr/bin a
""")
self.fd.write ("""
The SELinux process type %s_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
-""" % self.domainname)
+""" % self.domainname)
all_writes.sort()
if "file_type" in all_writes:
@@ -1013,7 +1032,7 @@ If you want to map the one Linux user (joe) to the SELinux user %(user)s, you wo
.B $ semanage login -a -s %(user)s_u joe
-""" % {'user': self.domainname})
+""" % {'user': self.domainname})
def _can_sudo(self):
sudotype = "%s_sudo_t" % self.domainname
@@ -1161,7 +1180,7 @@ Three things can happen when %(type)s attempts to execute a program.
Execute the following to see the types that the SELinux user %(type)s can execute without transitioning:
-.B search -A -s %(type)s -c file -p execute_no_trans
+.B sesearch -A -s %(type)s -c file -p execute_no_trans
.TP
@@ -1169,9 +1188,9 @@ Execute the following to see the types that the SELinux user %(type)s can execut
Execute the following to see the types that the SELinux user %(type)s can execute and transition:
-.B $ search -A -s %(type)s -c process -p transition
+.B $ sesearch -A -s %(type)s -c process -p transition
-""" % {'user': self.domainname, 'type': self.type})
+""" % {'user': self.domainname, 'type': self.type})
def _role_header(self):
self.fd.write('.TH "%(user)s_selinux" "8" "%(user)s" "mgrepl@redhat.com" "%(user)s SELinux Policy documentation"'
@@ -1233,7 +1252,7 @@ You need to add %(user)s_r to the staff_u user. You could setup the staff_u use
SELinux policy also controls which roles can transition to a different role.
You can list these rules using the following command.
-.B search --role_allow
+.B sesearch --role_allow
SELinux policy allows the %s role%s can transition to the %s_r role.
diff --git policycoreutils-2.5/sepolicy/sepolicy/network.py policycoreutils-2.5/sepolicy/sepolicy/network.py
index 1ca3158..ccaeff3 100755
--- policycoreutils-2.5/sepolicy/sepolicy/network.py
+++ policycoreutils-2.5/sepolicy/sepolicy/network.py
@@ -25,20 +25,22 @@ search = sepolicy.search
info = sepolicy.info
-def get_types(src, tclass, perm):
+def get_types(src, tclass, perm, check_bools=False):
allows = search([sepolicy.ALLOW], {sepolicy.SOURCE: src, sepolicy.CLASS: tclass, sepolicy.PERMS: perm})
nlist = []
if allows:
- for i in map(lambda y: y[sepolicy.TARGET], filter(lambda x: set(perm).issubset(x[sepolicy.PERMS]), allows)):
+ for i in [y[sepolicy.TARGET] for y in
+ [x for x in allows
+ if set(perm).issubset(x[sepolicy.PERMS]) and (not check_bools or x["enabled"])]]:
if i not in nlist:
nlist.append(i)
return nlist
-def get_network_connect(src, protocol, perm):
+def get_network_connect(src, protocol, perm, check_bools=False):
portrecs, portrecsbynum = sepolicy.gen_port_dict()
d = {}
- tlist = get_types(src, "%s_socket" % protocol, [perm])
+ tlist = get_types(src, "%s_socket" % protocol, [perm], check_bools)
if len(tlist) > 0:
d[(src, protocol, perm)] = []
for i in tlist:
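Review bot: The nested comprehension in `get_types` builds an intermediate list only to iterate it and recomputes `set(perm)` for every rule; a single generator reads more directly: `wanted = set(perm)` followed by `for i in (x[sepolicy.TARGET] for x in allows if wanted.issubset(x[sepolicy.PERMS]) and (not check_bools or x["enabled"])):`. The new `x["enabled"]` lookup presumes every record returned by `sepolicy.search` carries that key; if it can be absent, `x.get("enabled", True)` keeps the default behaviour unchanged. `check_bools` also deserves a docstring line stating that, when set, rules whose governing boolean is presumably off are dropped from the result.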
diff --git policycoreutils-2.5/sepolicy/sepolicy/sedbus.py policycoreutils-2.5/sepolicy/sepolicy/sedbus.py
index 6055294..831d775 100644
--- policycoreutils-2.5/sepolicy/sepolicy/sedbus.py
+++ policycoreutils-2.5/sepolicy/sepolicy/sedbus.py
@@ -56,5 +56,5 @@ if __name__ == "__main__":
dbus_proxy = SELinuxDBus()
resp = dbus_proxy.setenforce(int(sys.argv[1]))
print (resp)
- except dbus.DBusException, e:
- print e
+ except dbus.DBusException as e:
+ print (e)
diff --git policycoreutils-2.5/sepolicy/sepolicy/sepolicy.glade policycoreutils-2.5/sepolicy/sepolicy/sepolicy.glade
index 1275c7f..83822dd 100644
--- policycoreutils-2.5/sepolicy/sepolicy/sepolicy.glade
+++ policycoreutils-2.5/sepolicy/sepolicy/sepolicy.glade
@@ -2,7 +2,7 @@
<!-- Generated with glade 3.16.0 on Fri Oct 11 08:24:19 2013 -->
<interface>
<!-- interface-requires gtk+ 3.8 -->
- <object class="GtkListStore" id="Advanced_search_liststore">
+ <object class="GtkListStore" id="application_liststore">
<columns>
<!-- column-name Application -->
<column type="gchararray"/>
@@ -82,7 +82,7 @@
<attributes>
<attribute name="foreground" value="#00004e4e9999"/>
</attributes>
- <signal name="button-press-event" handler="on_main_advanced_label_button_press_event" swapped="no"/>
+ <signal name="button-press-event" handler="on_show_advanced_search_window" swapped="no"/>
</object>
<packing>
<property name="expand">True</property>
@@ -225,7 +225,7 @@
</child>
</object>
<object class="GtkTreeModelFilter" id="advanced_filter">
- <property name="child_model">Advanced_search_liststore</property>
+ <property name="child_model">application_liststore</property>
</object>
<object class="GtkTreeModelSort" id="advanced_sort">
<property name="model">advanced_filter</property>
@@ -256,24 +256,6 @@
<object class="GtkTreeModelSort" id="application_files_sort">
<property name="model">application_files_filter</property>
</object>
- <object class="GtkListStore" id="application_liststore">
- <columns>
- <!-- column-name Application -->
- <column type="gchararray"/>
- </columns>
- </object>
- <object class="GtkTreeModelFilter" id="application_filter">
- <property name="child_model">application_liststore</property>
- </object>
- <object class="GtkTreeModelSort" id="application_sort">
- <property name="model">application_filter</property>
- </object>
- <object class="GtkListStore" id="application_tree_list">
- <columns>
- <!-- column-name Process -->
- <column type="gchararray"/>
- </columns>
- </object>
<object class="GtkListStore" id="boolean_liststore">
<columns>
<!-- column-name Active -->
@@ -473,7 +455,7 @@
<property name="can_focus">False</property>
<property name="xalign">0</property>
<property name="xpad">10</property>
- <property name="label" translatable="yes">Add file Equivilence Mapping. Mapping will be created when Update is applied.</property>
+ <property name="label" translatable="yes">Add file Equivalence Mapping. Mapping will be created when Update is applied.</property>
<property name="justify">fill</property>
<property name="wrap">True</property>
</object>
@@ -823,7 +805,7 @@
<property name="visible">True</property>
<property name="can_focus">True</property>
<property name="receives_default">False</property>
- <property name="tooltip_text" translatable="yes">Select Make Path Recursive iff you want to apply this label to all children of the specified directory path. objects under the directory to have this label.</property>
+ <property name="tooltip_text" translatable="yes">Select Make Path Recursive if you want to apply this label to all children of the specified directory path. objects under the directory to have this label.</property>
<property name="xalign">0.5</property>
<property name="draw_indicator">True</property>
<signal name="toggled" handler="on_make_path_recursive_toggled" swapped="no"/>
@@ -1061,7 +1043,7 @@
<object class="GtkImage" id="help_image">
<property name="visible">True</property>
<property name="can_focus">False</property>
- <property name="pixbuf">images/booleans.png</property>
+ <property name="pixbuf">help/booleans.png</property>
</object>
<packing>
<property name="expand">False</property>
@@ -2948,7 +2930,7 @@ Enabled</property>
<property name="tooltip_text" translatable="yes">Executables which will transition to a different domain, when the 'selected domain' executes them.</property>
<property name="xpad">1</property>
<property name="ypad">1</property>
- <property name="label" translatable="yes">Applicaton Transitions From 'select domain'</property>
+ <property name="label" translatable="yes">Application Transitions From 'select domain'</property>
</object>
<packing>
<property name="position">1</property>
@@ -4328,46 +4310,7 @@ allow alternative access control.</property>
<property name="position">0</property>
</packing>
</child>
- <child>
- <object class="GtkRadioButton" id="All_advanced_button">
- <property name="label" translatable="yes">All</property>
- <property name="visible">True</property>
- <property name="can_focus">True</property>
- <property name="receives_default">False</property>
- <property name="xalign">0.5</property>
- <property name="active">True</property>
- <property name="draw_indicator">True</property>
- <signal name="toggled" handler="on_All_advanced_button_toggled" swapped="no"/>
- </object>
- <packing>
- <property name="expand">True</property>
- <property name="fill">True</property>
- <property name="position">1</property>
- </packing>
- </child>
- <child>
- <object class="GtkRadioButton" id="Installed_advanced_button">
- <property name="label" translatable="yes">Installed</property>
- <property name="visible">True</property>
- <property name="can_focus">True</property>
- <property name="receives_default">False</property>
- <property name="xalign">0.5</property>
- <property name="draw_indicator">True</property>
- <property name="group">All_advanced_button</property>
- <signal name="toggled" handler="on_Installed_advanced_button_toggled" swapped="no"/>
- </object>
- <packing>
- <property name="expand">True</property>
- <property name="fill">True</property>
- <property name="position">2</property>
- </packing>
- </child>
</object>
- <packing>
- <property name="expand">False</property>
- <property name="fill">True</property>
- <property name="position">0</property>
- </packing>
</child>
<child>
<object class="GtkScrolledWindow" id="scrolledwindow11">
@@ -4377,7 +4320,6 @@ allow alternative access control.</property>
<object class="GtkTreeView" id="advanced_search_treeview">
<property name="visible">True</property>
<property name="can_focus">True</property>
- <property name="model">advanced_sort</property>
<property name="enable_search">False</property>
<signal name="row-activated" handler="on_advanced_search_treeview_row_activated" swapped="no"/>
<child internal-child="selection">
@@ -4788,7 +4730,7 @@ allow alternative access control.</property>
<property name="can_focus">False</property>
<property name="xalign">0</property>
<property name="xpad">10</property>
- <property name="label" translatable="yes">Select file equivalence labeling to delete.File equivalence labeling will be deleted when update is applied.</property>
+ <property name="label" translatable="yes">Select file equivalence labeling to delete. File equivalence labeling will be deleted when update is applied.</property>
<property name="justify">fill</property>
<property name="wrap">True</property>
</object>
diff --git policycoreutils-2.5/sepolicy/sepolicy/templates/etc_rw.py policycoreutils-2.5/sepolicy/sepolicy/templates/etc_rw.py
index dcf445e..b0ee119 100644
--- policycoreutils-2.5/sepolicy/sepolicy/templates/etc_rw.py
+++ policycoreutils-2.5/sepolicy/sepolicy/templates/etc_rw.py
@@ -137,3 +137,7 @@ FILENAME -- gen_context(system_u:object_r:TEMPLATETYPE_etc_rw_t,s0)
fc_dir="""\
FILENAME(/.*)? gen_context(system_u:object_r:TEMPLATETYPE_etc_rw_t,s0)
"""
+
+fc_sock_file="""\
+FILENAME -s gen_context(system_u:object_r:TEMPLATETYPE_etc_rw_t,s0)
+"""
diff --git policycoreutils-2.5/sepolicy/sepolicy/templates/executable.py policycoreutils-2.5/sepolicy/sepolicy/templates/executable.py
index 4b9534d..f267993 100644
--- policycoreutils-2.5/sepolicy/sepolicy/templates/executable.py
+++ policycoreutils-2.5/sepolicy/sepolicy/templates/executable.py
@@ -86,6 +86,7 @@ roleattribute system_r TEMPLATETYPE_roles;
type TEMPLATETYPE_t;
type TEMPLATETYPE_exec_t;
application_domain(TEMPLATETYPE_t, TEMPLATETYPE_exec_t)
+role TEMPLATETYPE_roles types TEMPLATETYPE_t;
permissive TEMPLATETYPE_t;
"""
@@ -219,7 +220,7 @@ if_program_rules="""
########################################
## <summary>
-## Execute TEMPLATE in the TEMPLATETYPE domin.
+## Execute TEMPLATETYPE_exec_t in the TEMPLATETYPE domain.
## </summary>
## <param name=\"domain\">
## <summary>
@@ -235,6 +236,25 @@ interface(`TEMPLATETYPE_domtrans',`
corecmd_search_bin($1)
domtrans_pattern($1, TEMPLATETYPE_exec_t, TEMPLATETYPE_t)
')
+
+######################################
+## <summary>
+## Execute TEMPLATETYPE in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`TEMPLATETYPE_exec',`
+ gen_require(`
+ type TEMPLATETYPE_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, TEMPLATETYPE_exec_t)
+')
"""
if_user_program_rules="""
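Review bot: The banner above the new `TEMPLATETYPE_exec` interface is two characters shorter than the one above `TEMPLATETYPE_domtrans` (38 versus 40 `#`), and its `<param name="domain">` line uses bare quotes where the existing interface escapes them as `\"domain\"`; both work inside the enclosing Python string, but matching the surrounding style keeps the generated `.if` uniform. The summary `Execute TEMPLATETYPE in the caller domain.` could also name the type the way the corrected line above it does: `Execute TEMPLATETYPE_exec_t in the caller domain.`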
@@ -418,8 +438,12 @@ interface(`TEMPLATETYPE_admin',`
if_middle_admin="""
')
- allow $1 TEMPLATETYPE_t:process { ptrace signal_perms };
+ allow $1 TEMPLATETYPE_t:process { signal_perms };
ps_process_pattern($1, TEMPLATETYPE_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 TEMPLATETYPE_t:process ptrace;
+ ')
"""
if_initscript_admin_types="""
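Review bot: The added `tunable_policy(\`deny_ptrace\`, ...)` block makes every generated admin interface depend on a `deny_ptrace` tunable existing in the target policy; where it is not defined, the module will presumably fail to build, so that requirement belongs in the template's comment or in the generate documentation. The form with an empty first branch is correct but easy to misread; a one-line comment above it such as `# ptrace is granted only while the deny_ptrace boolean is off` would help. `if_middle_admin` is a fragment whose enclosing interface starts outside the hunk.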
diff --git policycoreutils-2.5/sepolicy/sepolicy/templates/spec.py policycoreutils-2.5/sepolicy/sepolicy/templates/spec.py
index 16a2208..d8ee42f 100644
--- policycoreutils-2.5/sepolicy/sepolicy/templates/spec.py
+++ policycoreutils-2.5/sepolicy/sepolicy/templates/spec.py
@@ -39,7 +39,7 @@ install -m 644 %{SOURCE1} %{buildroot}%{_datadir}/selinux/devel/include/contrib/
install -d %{buildroot}%{_mandir}/man8/
install -m 644 %{SOURCE2} %{buildroot}%{_mandir}/man8/DOMAINNAME_selinux.8
install -d %{buildroot}/etc/selinux/targeted/contexts/users/
-install -m 644 %{SOURCE3} %{buildroot}/etc/selinux/targeted/contexts/users/DOMAINNAME_u
+install -m 644 %{SOURCE3} %{buildroot}/etc/selinux/targeted/contexts/users/DOMAINNAME_u
%post
semodule -n -i %{_datadir}/selinux/packages/MODULENAME.pp
@@ -65,7 +65,7 @@ exit 0
%attr(0600,root,root) %{_datadir}/selinux/packages/MODULENAME.pp
%{_datadir}/selinux/devel/include/contrib/MODULENAME.if
%{_mandir}/man8/DOMAINNAME_selinux.8.*
-/etc/selinux/targeted/contexts/users/DOMAINNAME_u
+/etc/selinux/targeted/contexts/users/DOMAINNAME_u
%changelog
* TODAYSDATE YOUR NAME <YOUR@EMAILADDRESS> 1.0-1
diff --git policycoreutils-2.5/sepolicy/sepolicy/templates/test_module.py policycoreutils-2.5/sepolicy/sepolicy/templates/test_module.py
index 893a204..3a3faa6 100644
--- policycoreutils-2.5/sepolicy/sepolicy/templates/test_module.py
+++ policycoreutils-2.5/sepolicy/sepolicy/templates/test_module.py
@@ -111,7 +111,7 @@ role sepolicy_r;
role sepolicy_source_r;
role sepolicy_target_r;
-#################################
+#################################
#
# Local policy
#
diff --git policycoreutils-2.5/sepolicy/sepolicy/transition.py policycoreutils-2.5/sepolicy/sepolicy/transition.py
index 15b0eb1..a8edb69 100755
--- policycoreutils-2.5/sepolicy/sepolicy/transition.py
+++ policycoreutils-2.5/sepolicy/sepolicy/transition.py
@@ -81,4 +81,4 @@ class setrans:
def output(self):
self.seen = []
- print self.out(self.source)
+ print(self.out(self.source))
diff --git policycoreutils-2.5/sepolicy/setup.py policycoreutils-2.5/sepolicy/setup.py
index e74e68d..096ce1f 100644
--- policycoreutils-2.5/sepolicy/setup.py
+++ policycoreutils-2.5/sepolicy/setup.py
@@ -4,7 +4,7 @@
# Author: Dan Walsh <dwalsh@redhat.com>
import os
from distutils.core import setup, Extension
-policy = Extension("sepolicy._policy",
+policy = Extension("sepolicy.policy",
libraries=["apol", "qpol"],
sources=["policy.c", "info.c", "search.c"]
)
diff --git policycoreutils-2.5/sepolicy/test_sepolicy.py policycoreutils-2.5/sepolicy/test_sepolicy.py
index e7bad44..9c8f21c 100644
--- policycoreutils-2.5/sepolicy/test_sepolicy.py
+++ policycoreutils-2.5/sepolicy/test_sepolicy.py
@@ -8,26 +8,26 @@ from subprocess import Popen, PIPE
class SepolicyTests(unittest.TestCase):
def assertDenied(self, err):
- self.assert_('Permission denied' in err,
- '"Permission denied" not found in %r' % err)
+ self.assertTrue('Permission denied' in err,
+ '"Permission denied" not found in %r' % err)
def assertNotFound(self, err):
- self.assert_('not found' in err,
- '"not found" not found in %r' % err)
+ self.assertTrue('not found' in err,
+ '"not found" not found in %r' % err)
def assertFailure(self, status):
- self.assert_(status != 0,
- '"Succeeded when it should have failed')
+ self.assertTrue(status != 0,
+ '"Succeeded when it should have failed')
def assertSuccess(self, status, err):
- self.assert_(status == 0,
- '"sepolicy should have succeeded for this test %r' % err)
+ self.assertTrue(status == 0,
+ '"sepolicy should have succeeded for this test %r' % err)
def test_man_domain(self):
"Verify sepolicy manpage -d works"
p = Popen(['sepolicy', 'manpage', '-d', 'httpd_t'], stdout=PIPE)
out, err = p.communicate()
- print out, err
+ print(out, err)
self.assertSuccess(p.returncode, err)
def test_man_all(self):
@@ -119,4 +119,4 @@ if __name__ == "__main__":
if selinux.security_getenforce() == 1:
unittest.main()
else:
- print "SELinux must be in enforcing mode for this test"
+ print("SELinux must be in enforcing mode for this test")
diff --git policycoreutils-2.5/setfiles/restore.c policycoreutils-2.5/setfiles/restore.c
index 2a7cfa3..1cc6a64 100644
--- policycoreutils-2.5/setfiles/restore.c
+++ policycoreutils-2.5/setfiles/restore.c
@@ -118,7 +118,7 @@ static int restore(FTSENT *ftsent, int recurse)
r_opts->count++;
if (r_opts->count % STAR_COUNT == 0) {
if (r_opts->progress == 1) {
- fprintf(stdout, "\r%luk", (size_t) r_opts->count / STAR_COUNT );
+ fprintf(stdout, "\r%zuk", (size_t) r_opts->count / STAR_COUNT );
} else {
if (r_opts->nfile > 0) {
progress = (r_opts->count < r_opts->nfile) ? (100.0 * r_opts->count / r_opts->nfile) : 100;
@@ -160,6 +160,9 @@ static int restore(FTSENT *ftsent, int recurse)
/* Get the current context of the file. */
ret = lgetfilecon_raw(ftsent->fts_accpath, &curcon);
if (ret < 0) {
+ if (errno == ENOENT) {
+ goto out;
+ }
if (errno == ENODATA) {
curcon = NULL;
} else {
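Review bot: The new `goto out` on ENOENT leaves `ret` at the negative value returned by `lgetfilecon_raw`, so if the `out:` label (outside the hunk) returns `ret`, a file that vanished between the tree walk and this lookup is still reported to the caller as a failure rather than quietly skipped; if skipping is the intent, set `ret = 0;` before the jump, and if it is not, the silent path deserves an explanation. A comment would also help the next reader: `/* file disappeared between the fts walk and the xattr lookup; nothing to restore */`. `restore()` begins and ends outside the hunk.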
@@ -404,19 +407,18 @@ int process_one_realpath(char *name, int recurse)
"Must call initialize first!");
return -1;
}
+ rc = lstat64(name, &sb);
+ if (rc < 0) {
+ if (r_opts->ignore_enoent && errno == ENOENT)
+ return 0;
+ fprintf(stderr, "%s: lstat(%s) failed: %s\n",
+ r_opts->progname, name, strerror(errno));
+ return -1;
+ }
if (!r_opts->expand_realpath) {
return process_one(name, recurse);
} else {
- rc = lstat64(name, &sb);
- if (rc < 0) {
- if (r_opts->ignore_enoent && errno == ENOENT)
- return 0;
- fprintf(stderr, "%s: lstat(%s) failed: %s\n",
- r_opts->progname, name, strerror(errno));
- return -1;
- }
-
if (S_ISLNK(sb.st_mode)) {
char path[PATH_MAX + 1];
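Review bot: After the move, `lstat64` runs for the `!expand_realpath` branch too, but its result in `sb` is unused there, so the call serves purely as an existence check gated by `ignore_enoent`; a comment such as `/* lstat first so missing paths are reported (or skipped with -i) uniformly, whether or not realpath expansion is requested */` would record that intent. The check is inherently racy against a concurrent unlink, so `process_one` must still cope with ENOENT itself — which the earlier hunk in `restore()` appears to add. `process_one_realpath` continues past the hunk.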
diff --git policycoreutils-2.5/setfiles/restorecon.8 policycoreutils-2.5/setfiles/restorecon.8
index 900def5..54dd1db 100644
--- policycoreutils-2.5/setfiles/restorecon.8
+++ policycoreutils-2.5/setfiles/restorecon.8
@@ -27,6 +27,12 @@ context to the file object's extended attributes. If a file object has a
context, restorecon will only modify the type portion of the security context.
The \-F option will force a replacement of the entire context.
.P
+If a file is labeled with
+.BR customizable
+SELinux type (for list of customizable
+types see /etc/selinux/{SELINUXTYPE}/contexts/customizable_types), restorecon
+won't reset the label unless the \-F option is used.
+.P
It is the same executable as
.BR setfiles
but operates in a slightly different manner depending on its argv[0].
@@ -64,7 +70,11 @@ change files and directories file labels recursively (descend directories).
.B Note: restorecon reports warnings on paths without default labels only if called non-recursively or in verbose mode.
.TP
.B \-v
-show changes in file labels, if type or role are going to be changed.
+show changes in file labels, if type or role are going to be changed. Multiple -v options increase the verbosity. Note that the
+.B \-v
+and
+.B \-p
+options are mutually exclusive.
.TP
.B \-0
the separator for the input items is assumed to be the null character
@@ -94,4 +104,5 @@ The program was written by Dan Walsh <dwalsh@redhat.com>.
.SH "SEE ALSO"
.BR setfiles (8),
.BR load_policy (8),
-.BR checkpolicy (8)
+.BR checkpolicy (8),
+.BR customizable_types (5)
diff --git policycoreutils-2.5/setfiles/setfiles.8 policycoreutils-2.5/setfiles/setfiles.8
index 57067d2..2ec9618 100644
--- policycoreutils-2.5/setfiles/setfiles.8
+++ policycoreutils-2.5/setfiles/setfiles.8
@@ -31,7 +31,7 @@ check the validity of the contexts against the specified binary policy.
.TP
.B \-d
show what specification matched each file (do not abort validation
-after ABORT_ON_ERRORS errors).
+after ABORT_ON_ERRORS errors). Not affected by "\-q"
.TP
.B \-e directory
directory to exclude (repeat option for more than one directory).
diff --git policycoreutils-2.5/setfiles/setfiles.c policycoreutils-2.5/setfiles/setfiles.c
index 9ac3ebd..e39b500 100644
--- policycoreutils-2.5/setfiles/setfiles.c
+++ policycoreutils-2.5/setfiles/setfiles.c
@@ -230,6 +230,11 @@ int main(int argc, char **argv)
/* This must happen before getopt. */
r_opts.nfile = exclude_non_seclabel_mounts();
+ if (iamrestorecon)
+ opts = ropts;
+ else
+ opts = sopts;
+
/* Process any options. */
while ((opt = getopt(argc, argv, opts)) > 0) {
switch (opt) {
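Review bot: The `opts = ropts` / `opts = sopts` selection is placed right before `getopt` without saying why two option strings exist; a comment like `/* restorecon and setfiles accept different option sets, chosen by argv[0] */` would help, and a conditional expression keeps it to one line: `opts = iamrestorecon ? ropts : sopts;`. The declarations of `opts`, `ropts` and `sopts` are outside the hunk, so whether `opts` previously had another initializer that is now dead cannot be seen here. `main` begins and ends outside the hunk.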
@@ -337,7 +342,7 @@ int main(int argc, char **argv)
if (r_opts.progress) {
fprintf(stderr,
"Progress and Verbose mutually exclusive\n");
- exit(-1);
+ usage(argv[0]);
}
r_opts.verbose++;
break;