The semodule_path file, inside scripts, which is used to tell the
Makefile where genhomedircon should point to find semodule, was not
being updated. This patch makes sure we update this file every time
something builds, thus genhomedircon doesn't point to some wild out of
data file location.
Signed-off-by: Eric Paris <eparis@redhat.com>
/etc/mtab points to /proc/mounts in modern systems. Remove the entry to
try to update its label.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
This patch adds support for displaying SELinux context information in
colors defined by mcstrans(8)/secolor.conf(5). The new behavior is
enabled through the use of the "-C/--color" option and requires the
"-P" option also be specified.
The reason for this addition is that in some situations, notably MLS,
users find it helpful to add SELinux context information to their prompt:
# example taken from the RHEL6 CC certification bash scripts
SEROLE=`secon -rP 2>/dev/null`
SEMLS=`secon -lP 2>/dev/null`
PS1="[\u/$SEROLE/$SEMLS@\h \W]\\$ "
export PS1
With the added functionality provided by this patch we can also display
the associated color information (note the addition of the "C" option):
SEROLE=`secon -rP 2>/dev/null`
SEMLS=`secon -lPC 2>/dev/null`
PS1="[\u/$SEROLE/$SEMLS@\h \W]\\$ "
export PS1
Note that in the example above only the MLS range is colored, but the
patch does provide support for all of the color information provided
by mcstransd/secolor.conf (user,role,type,range).
Finally, one quick word on the colors themselves; the secolor.conf
configuration file allows 32-bit colors but the ANSI color coding only
allows 8-bit colors so the colors displayed by secon using the "-C"
option will be a bit lossy.
Signed-off-by: Paul Moore <pmoore@redhat.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
We should be able to make changed to /etc/selinux/config without using lokkit
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
We only need the sepolgen python module if we are setting up permissive
types. As this has been removed from the core code in Fedora/RHEL we
include a better user error message pointing them how to find the
required module.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
If there are entries in /etc/selinux/[POLICY]/logins they should be
included in the semange login -l output. So do so!
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
If a user requested a label be reset but no default label is specified,
give a useful error message. Do not print the message if this is a
recursive restore, and that is very common.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
The man page shows --role as an option, but the real option is --roles.
Fix the man page.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Add a new sandbox option to run /usr/bin/shred on all files in the temp
directories before they are deleted.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Since /tmp and /var/tmp get mounted over each other in sandbox we should
take the data from both.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
We should check that a type is a valid before assigning it with
semanage. Aka we should just that a type is a port type before assigning it
to a port, or a valid user type before assigning it to a user.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
update-po is a mechanism for sucking the latest english translations
out of the source code, but it ALWAYS updates all of the po files with things
like the last time the update-po was run even if there are no changes. This
results in having to do git checkins any time you run make at the top level.
Since so few people interact with the Translators I believe this should
be done on demand when they think it is time to get new translations.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
This patch started with work from John Reiser patch to estimate the
percent progress for restorecon/setfiles.
It has a lot of changes since then, to make it only happen on full
relabel, overwrite itself, shows 10ths of %, and does a lot better and
more useful job of estimation. We get all of the inodes on all mounted
FS. Since the number of inodes is not fixed and only an estimate I added
5% to the inode number, and forced the number to never go over 100.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
selinux.tbl is a Fedora translation file that doesn't make sense in
policycoreutils. Until we figure out how to deal with it, I'm not going
to push it. But I accidentally included it in the update-po make
target. Remove it from the make target.
Signed-off-by: Eric Paris <eparis@redhat.com>
It dynamically creates the policycoreutils "genhomedircon"
script during the build process in order not to hard-code
the full path to the semodule executable, as in general the
latter could reside in non-standard SBINDIR/USRSBINDIR
locations.
It might not be very stylish or it might appear cumbersome,
but at least the script should not break as easily as the
current static one.
The patch also edits the Makefile for the scripts so that
LOCALEDIR correctly uses $(PREFIX) rather than an absolute
path.
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
Ship a restorecond.conf file that relabels all mount runtime files under /etc and
not just /etc/mtab.
Mount also uses /etc/mtab~[0-9]{0,20} lock files (the number corresponds to the
PID) and the /etc/mtab.tmp temporary file.
The above refers to mount from util-linux-2.21.2 from kernel.org. See mount -vvv
for the location of such files.
A patch is also available for the reference policy to fix this issue.
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
Fix fcontextRecords() in policycoreutils/semanage/seobject.py so
that semanage does not produce an error in fcontext mode when
the file_contexts.subs_dist file contains comments (prefixed by #).
Properly skip blank lines.
Treat both white space and tab as valid separators for the above
mentioned policy configuration file (v2). Minimum number of
changes (v2bis).
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
Reported-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Signed-off-by: Eric Paris <eparis@redhat.com>
If one were to use multiple options such as both -P and -N we would have
problems. The issue is that for some reason instead of looking at
optind (the first non-option) we were looking at argc-optind. These
happen to be the same if there are 0 or 1 options, but doesn't work with
more than 1 option.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Just cosmetic. Make them all line up the same way in case anyone ever
looks at the code.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
This makes semodule consistent with other commands to no reload the
policy into the kernel after the given change.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Fix setsebool to use -N to not reload policy into the kernel optional on
permanant changes.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
add some definition to the standard types available for sandboxes so
users have a way to know about them and what they are intended to be
used for.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Add -N, --noreload option to semanage to prevent reloading policy into
the kernel after a change.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
fcontext customized was not returning the customized equivalency records. This
patches fixes this.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Future systems will not support html in a pygtk window as webkit is
going away. I decided to add the full set of gui tools and then remove
the one I don't want to support just in case someone wants to resurrect
this at some point.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
We added new gui programs, but not Makefiles to build/install them.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
These are the python files that make up the system-config-selinux gui, used to implement
most of the functionality of the semanage command line plus some configuration.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
A number of packages have a systemd subpackage. Look for those when
doing the file list of a package to generate its policy.
Signed-off-by: Eric Paris <eparis@redhat.com>
Eric Paris
Dan Walsh
Paul Moore
John Reiser
Guido Trentalancia
Miroslav Grepl