We only need the sepolgen python module if we are setting up permissive
types. As this has been removed from the core code in Fedora/RHEL we
include a better user error message pointing them how to find the
required module.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
If there are entries in /etc/selinux/[POLICY]/logins they should be
included in the semange login -l output. So do so!
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
The man page shows --role as an option, but the real option is --roles.
Fix the man page.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
We should check that a type is a valid before assigning it with
semanage. Aka we should just that a type is a port type before assigning it
to a port, or a valid user type before assigning it to a user.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Fix fcontextRecords() in policycoreutils/semanage/seobject.py so
that semanage does not produce an error in fcontext mode when
the file_contexts.subs_dist file contains comments (prefixed by #).
Properly skip blank lines.
Treat both white space and tab as valid separators for the above
mentioned policy configuration file (v2). Minimum number of
changes (v2bis).
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
Reported-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Signed-off-by: Eric Paris <eparis@redhat.com>
Add -N, --noreload option to semanage to prevent reloading policy into
the kernel after a change.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
fcontext customized was not returning the customized equivalency records. This
patches fixes this.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Fix --enable and --disable for modules to only work under -m options.
Without this patch you couldn't do -m and --enable. We want that to
work.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
We still want to be able to use sepolgen even if setools isn't
installed. Degrade functionality, but still work if it can't be found.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwlash@redhat.com>
The locallist option was specified as --locallist= but it does not take
an option. We also had --localist (notice the 'l' is missing) which
wasn't doing anything, so drop those.
Signed-off-by: Eric Paris <eparis@redhat.com>
The OBJECT was not being set early enough and thus would miss the checks
for things like deleteall and extract. Move the setting of OBJECT where
it happens for everything else.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
semanage fcontext -e man page update to make it easier to understand
what it does.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
The range and level user options default to s0. State that in the man
page.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Also if the user specifies a store that is not the current store, we should not be sending audit messages.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
semanage command was not reporting proper audit messages for the LSPP
certification. Needed to report additional information such as prior
roles before and after update. Many other changes, were reviewed by
Steve Grubb to make sure were were doing proper auditing.
Should be reporting AUDIT_ROLE_ASSIGN instead of AUDIT_USER_ROLE_CHANGE.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
No real code change. Just to make it clear what a src and dst means.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Check for conflict on equivalence when adding a file context.
If a user adds a file context that begins with an equivalence string, we
throw an exception.
/usr/sbin/semanage: File spec /usr/lib64/dan conflicts with equivalency rule '/usr/lib64 /usr/lib'; Try adding '/usr/lib/dan' instead
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Print out the list of local and distribution file context equivalencies
rather than just local rules.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
I think I was trying to allow an admin to set a bunch of booleans
from a file, but I later added -i and -o options, which would seem to
be a better way to handle many changes at once.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Basically we want to trigger a modify of booleans record if the user
specifies --on or --off on a boolean.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
If someone modifies the boolean settings using semanage, we would
expect them to be reflected on the local system. This change would
change the active settings IFF you are changing the currently running
system.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
This is purely personal preference. Most of the Makefiles use $() for
Makefile variables, but a couple of places use ${}. Since this obscured
some later Makefile changes I figured I'd just make them all the same up
front.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Some versions of python are reporting an indentation error when trying
to use this file. Fix the whitespace messup.
Signed-off-by: Eric Paris <eparis@redhat.com>
Exit cleanly instead of python getting angry when SELinux is disabled.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
If you tell semanage to list the contents of an object and the list is
empty, we should not print the header.
Signed-off-by: Eric Paris <eparis@redhat.com>
Signed-off-by: Dan Walsh <dwalsh@redhat.com>
Fix header to not display all of the options and fix Booleans to only list
supported options
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
This patch just removes some blank lines that we don't need. Makes it
all purdy.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
This adds a new -e options to semanage fcontext which allows one to
specify filesystem equivalancies. An example would be if an admin were
to run out of space and to start putting home directories in /home1.
They can use the equivalencies to specify that /home1 is labeled exactly
like /home.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Add tools to store the state of modules and to enable and disable those
modules.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Introduce a new -o option which will output all local modifications in a
method which can be 're-inputted' on another host.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Add a new option -E which will extract the local configuration changes
made for the given record type. This will be used by a further output
option to be able to dump local configuration in a form which can be
imported later.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Before you would get:
$ semanage fcontext toys
/usr/sbin/semanage Invalid command fcontext toys
Now you get:
$ semanage fcontext toys
/usr/sbin/semanage: Invalid command: semanage fcontext toys
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Return quickly instead of tring to parse arguments if there are
no arguments.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Right now we do lots of needless string comparisons even though we know
we are finished doing work immediately after an operation. So return
sooner.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
One of the getopt parsers didn't have a try/except pair to show usage
when a user did it wrong. Fix that.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Right now the validation code has lots of conditionals which check if we
are trying to add and delete or add and modify or something like that.
Instead make a single function which just sets if this operation is
trying to do an action and if it gets called twice will realize this is
invalid and will raise and exception.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Some options like --locallist and --deleteall only effect local changes
not global things. Split these validation options into their own bit of
code.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
The help text, man pages, and stuff didn't include everything about
deleteall rules. Try to update them.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
The entire tool chain does not support file context with a space in the
regex. If one of these gets into the file_context files, all sorts of stuff
goes nuts.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
This just distinguishes between permissive types that were definied in
policy and those that were set by the user using semanage.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Right now we have very little in the way of IP address validation. We
also do not properly support IPv6 netmasks. This patch centralizes IP
address validation and fixes the netmask support.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
$ semanage fcontext add delete
Traceback (most recent call last):
File "/usr/sbin/semanage", line 565, in <module>
process_args(sys.argv[1:])
File "/usr/sbin/semanage", line 396, in process_args
raise ValueError(_("%s bad option") % o)
UnboundLocalError: local variable 'o' referenced before assignment
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Raise a more sensicle useage rather than value error on help request
from user.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Some semanage objects have a deleteall function, some don't. This adds
them to login seluser node and interface.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
We could currently create a rule with a port number of one million.
This doesn't make sense. Bounds test it.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
In order to allow semanage to perform a transaction on several seobjects
at the same time, the transaction lock has to be at the class level
versus being in each object.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Right now it is needlessly global. Make it a method of semanageRecords.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
SELinux pythons applications should not allow the user to change the
sys.path
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Apparently I failed to split out the whitespace changes from a
previous patchset, and a bit of the equivalence patch of the
day snuck in. This causes a stack trace when you execute
semanage fcontext -l. This patch reverts the accidentally
included code.
Signed-off-by: Chad Sellers <csellers@tresys.com>
This patch fixes a bug that causes semanage node -a to not work
(failing with a python traceback). You can test the bug with any
semanage node -a command, such as:
semanage node -a -t node_t -p ipv4 -M 255.255.255.0 192.168.1.0
Signed-off-by: Chad Sellers <csellers@tresys.com>
Email: dwalsh@redhat.com
Subject: Remove setrans management from semanage
Date: Wed, 30 Sep 2009 14:07:49 -0400
This will not work correctly using the current mcstrans code base. I believe an admin has to edit this code directly and probably should have never been added to semanage.
Signed-off-by: Chad Sellers <csellers@tresys.com>
Redone to match man page and remove reload_policy.
Chad Sellers: This patch adds the dontaudit directive to semanage to enable/disable dontaudit rules in policy.
Signed-off-by: Chad Sellers <csellers@tresys.com>
Patch to semanage
Chad Sellers: I pulled this patch out of the larger patch. This patch fixes 2 small bugs in seobject.py. The first left the setrans file with the wrong permissions. The second returned a malformed dictionary from portRecords get_all method.
Signed-off-by: Chad Sellers <csellers@tresys.com>
Some white space fixing in seobject.py
Chad Sellers: I pulled the whitespace patch out of the larger patch as a separate commit to make the patch more manageable.
Signed-off-by: Chad Sellers <csellers@tresys.com>
Email: dwalsh@redhat.com
Subject: patch to policycoreutils
Date: Wed, 01 Apr 2009 10:10:43 -0400
Multiple patches to policycoreutils.
First added /root/.ssh and /root/.ssh/* to allow people to place keys
in /root directory and have them labeled by restorcond
<snipdue to previously ack'd patch>
Clean up permissive domains creation in semanage so it does not leave
crap in /var/lib/selinux
---
Also have fixfiles operate recursively when in RPM mode, per:
Author: Daniel J Walsh
Email: dwalsh@redhat.com
Subject: Re: patch to policycoreutils
Date: Wed, 22 Apr 2009 21:50:48 -0400
If a package owned a directory like /var/lib/libvirt/images, when it is
relabeling we would want it to relabel not only the directory but the
contents of the directory
Signed-off-by: Chad Sellers <csellers@tresys.com>
Email: dwalsh@redhat.com
Subject: Help with python seobject.loginRecords
Date: Thu, 12 Mar 2009 09:29:17 -0400
On 03/11/2009 05:00 PM, Stephen Smalley wrote:
> On Wed, 2009-03-11 at 16:49 -0400, Daniel J Walsh wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Joe Nall wrote:
>>> On Mar 11, 2009, at 2:35 PM, Daniel J Walsh wrote:
>>>
>>>> On 03/11/2009 12:15 PM, Joe Nall wrote:
>>>>> I need to add login mappings in python firstboot modules during system
>>>>> configuration. In my first module a simple:
>>>>>
>>>>> seobject.loginRecords().add(username, "siterep_u",
>>>>> "SystemLow-SystemHigh")
>>>>>
>>>>> works. In subsequent modules, I get an exception:
>>>>>
>>>>> libsemanage.enter_rw: this operation requires a transaction
>>>>> libsemanage.enter_rw: could not enter read-write section
>>>>> Traceback (most recent call last):
>>>>> File "./t", line 6, in<module>
>>>>> seobject.loginRecords().add("test3", "sysadm_u", "SystemLow-SystemHigh")
>>>>> File "/usr/lib64/python2.5/site-packages/seobject.py", line 442, in add
>>>>> raise error
>>>>> ValueError: Could not add login mapping for test3
>>>>>
>>>>> What is the right way to do this?
>>>>>
>>>>> joe
>>>>>
>>>>>
>>>>> --
>>>>> This message was distributed to subscribers of the selinux mailing list.
>>>>> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov
>>>>> with
>>>>> the words "unsubscribe selinux" without quotes as the message.
>>>> Probably an MLS issue. firtstboot is running in a context that is not
>>>> allowed to lock/manage selinux.
>>> I'm installing in permissive and switching to enforcing after firstboot.
>>> You are correct that firstboot_t doesn't have the policy for all the
>>> stuff I'm trying to do yet.
>>>
>>>> You probably should exec semanage rather then calling seobject so you
>>>> could do a transition and not have to give a huge app like first boot
>>>> the ability to manage security policy.
>>> That is what is installing right now. I would still like an
>>> explanation/code snippet of correct usage for future use
>>>
>>> joe
>>>
>>>
>> This works on F10 Targeted policy
>>
>> # python -c "import seobject; seobject.loginRecords().add("pwalsh",
>> "staff_u", "s0")
>> # python -c 'import seobject; seobject.loginRecords().delete("pwalsh")'
>>
>> Could it be a translation problem?
>
> Try running multiple calls within the same python interpreter.
> I think seobject.py isn't using libsemanage correctly. For example, in
> add(), you do:
> self.begin()
> self.__add(name, sename, serange)
> self.commit()
> but begin() only ever invokes semanage_begin_transaction() the very
> first time:
> def begin(self):
> if self.transaction:
> return
> rc = semanage_begin_transaction(self.sh)
>
> So after the first commit(), you'll start failing.
>
I think this patch fixes the transaction patch in semanage.
Signed-off-by: Chad Sellers <csellers@tresys.com>
Change semanage/seobject to use semanage_mls_enabled() rather than
is_selinux_mls_enabled(). I dropped the mls enabled tests altogether
from the semanage front-end script since setting up a handle is done by
seobject.py; if those checks are actually important, we could move them
inside of the seobject methods, but I'm not clear on the real benefit of
those checks. In seobject.py, I moved the setting of the is_mls_enabled
variable inside of get_handle(store) after the connect. I also dropped
the is_mls_enabled test from setransRecords since no handle/connection
exists there (since translations are not managed via libsemanage), and
again I'm not clear that the check there was overly important/useful.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Email: dwalsh@redhat.com
Subject: Latest policycoreutils package has a minor problem
Date: Mon, 10 Nov 2008 09:04:39 -0500
Checking _local twice.
Signed-off-by: Joshua Brindle <method@manicmethod.com>
Email: dwalsh@redhat.com
Subject: seobject_fcontext patch allows you to modify a preexisting file context.
Date: Fri, 07 Nov 2008 09:46:36 -0500
Currently semanage is not allowed to change a file context mapping if it
matches exactly, this patch allows you to modify the file context.
Signed-off-by: Joshua Brindle <method@manicmethod.com>
NOTE: original patch modified to remove unused list in fcontext get_all()
Email: dwalsh@redhat.com
Subject: policycoreutils patch
Date: Thu, 23 Oct 2008 13:15:11 -0400
Change semange fcontext -a to check for local customizations rather then
global, so you can modify a file context.
Signed-off-by: Joshua Brindle <method@manicmethod.com>
Email: dwalsh@redhat.com
Subject: Changes to semanage to allow it to handle transactions.
Date: Fri, 12 Sep 2008 11:52:31 -0400
Joshua Brindle wrote:
> Daniel J Walsh wrote:
> semanage -S targeted -i - << __eof
> user -a -P user -R "unconfined_r system_r" -r s0-s0:c0.c1023 unconfined_u
> user -a -P user -R guest_r guest_u
> user -a -P user -R xguest_r xguest_u
> __eof
> semanage -S targeted -i - << __eof
> login -m -s unconfined_u -r s0-s0:c0.c1023 __default__
> login -m -s unconfined_u -r s0-s0:c0.c1023 root
> __eof
>
> So you can add multiple records in a single pass.
>>
> This patch seems to cause some issues:
> [root@misterfreeze selinux-pristine]# semanage --help
> Traceback (most recent call last):
> File "/usr/sbin/semanage", line 433, in <module>
> usage(_("Requires 2 or more arguments"))
> File "/usr/sbin/semanage", line 98, in usage
> """) % message)
> TypeError: float argument required
Patch off your latest policycoreutils.
Signed-off-by: Joshua Brindle <method@manicmethod.com>
Email: dwalsh@redhat.com
Subject: Changes to semanage to allow it to handle transactions.
Date: Mon, 08 Sep 2008 15:05:36 -0400
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
semanage -S targeted -i - << __eof
user -a -P user -R "unconfined_r system_r" -r s0-s0:c0.c1023 unconfined_u
user -a -P user -R guest_r guest_u
user -a -P user -R xguest_r xguest_u
__eof
semanage -S targeted -i - << __eof
login -m -s unconfined_u -r s0-s0:c0.c1023 __default__
login -m -s unconfined_u -r s0-s0:c0.c1023 root
__eof
So you can add multiple records in a single pass.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iEYEARECAAYFAkjFd4AACgkQrlYvE4MpobMaoQCgxeqYTX2mpRIiIr0461/fvblU
3fQAoIbM8x9rWL0f8iPz0UeoM2mf60XW
=hxC3
-----END PGP SIGNATURE-----
Signed-off-by: Joshua Brindle <method@manicmethod.com>
Stephen Smalley schrieb:
Hi List,
> On Tue, 2008-07-08 at 08:30 -0400, Stephen Smalley wrote:
>> On Tue, 2008-07-08 at 12:13 +0200, Christian Kuester wrote:
>>>> Other tidbits on the semanage patch that I noticed:
>>>> - semanage node -l was broken, requires additional argument that has
>>>> been added to the list methods subsequently. Also would be nice to
>>>> support locallist/-C option.
>>>> - semanage node -p option should take a string rather than an integer
>>>> and map it to the proper symbolic constant for ipv4/ipv6.
>> Please be sure to test each of the nodeRecords methods.
> Are you still pursuing getting this cleaned up and merged?
Sorry, it took some time. The revised patch for nodecon support in
the semanage tool is attached.
It now takes strings as arguments for the ip protocol. list/locallist
work as expected and output is more readable. I also made changes for
the semanage.8 man page.
Kind Regards,
Christian
--
tarent Gesellschaft für Softwareentwicklung und IT-Beratung mbH
Heilsbachstr. 24, 53123 Bonn | Poststr. 4-5, 10178 Berlin
fon: +49(228) / 52675-0 | fon: +49(30) / 27594853
fax: +49(228) / 52675-25 | fax: +49(30) / 78709617
Geschäftsführer
Boris Esser, Elmar Geese
HRB AG Bonn 5168
Ust-ID: DE122264941
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
