Email: dwalsh@redhat.com
Subject: chcat fixes
Date: Thu, 21 May 2009 08:13:26 -0400
On 05/20/2009 04:05 PM, Chad Sellers wrote:
> On 5/20/09 3:00 PM, "Daniel J Walsh"<dwalsh@redhat.com> wrote:
>
>> Expansion of categores is still broken. Here is a patch to fix.
>>
> This message appears to be missing a patch.
>
> Thanks,
> Chad
>
Signed-off-by: Joshua Brindle <method@manicmethod.com>
Email: dwalsh@redhat.com
Subject: setfiles will only put out a "*" if > 1000 files are fixed.
Date: Wed, 20 May 2009 13:08:14 -0400
setfiles was always putting out a \n, even when not many files were
being fixed. yum transactions were being desturbed by this.
Signed-off-by: Joshua Brindle <method@manicmethod.com>
Email: dwalsh@redhat.com
Subject: Add btrfs to fixfiles.
Date: Wed, 20 May 2009 15:02:33 -0400
Hopefully the last time we will ever need to update. Once patch gets
out with kernel support to tell me which file systems support xattr, we
can remove this hack.
Signed-off-by: Joshua Brindle <method@manicmethod.com>
Email: dwalsh@redhat.com
Subject: patch to policycoreutils
Date: Wed, 01 Apr 2009 10:10:43 -0400
Multiple patches to policycoreutils.
First added /root/.ssh and /root/.ssh/* to allow people to place keys
in /root directory and have them labeled by restorcond
<snipdue to previously ack'd patch>
Clean up permissive domains creation in semanage so it does not leave
crap in /var/lib/selinux
---
Also have fixfiles operate recursively when in RPM mode, per:
Author: Daniel J Walsh
Email: dwalsh@redhat.com
Subject: Re: patch to policycoreutils
Date: Wed, 22 Apr 2009 21:50:48 -0400
If a package owned a directory like /var/lib/libvirt/images, when it is
relabeling we would want it to relabel not only the directory but the
contents of the directory
Signed-off-by: Chad Sellers <csellers@tresys.com>
Email: dwalsh@redhat.com
Subject: Help with python seobject.loginRecords
Date: Thu, 12 Mar 2009 09:29:17 -0400
On 03/11/2009 05:00 PM, Stephen Smalley wrote:
> On Wed, 2009-03-11 at 16:49 -0400, Daniel J Walsh wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Joe Nall wrote:
>>> On Mar 11, 2009, at 2:35 PM, Daniel J Walsh wrote:
>>>
>>>> On 03/11/2009 12:15 PM, Joe Nall wrote:
>>>>> I need to add login mappings in python firstboot modules during system
>>>>> configuration. In my first module a simple:
>>>>>
>>>>> seobject.loginRecords().add(username, "siterep_u",
>>>>> "SystemLow-SystemHigh")
>>>>>
>>>>> works. In subsequent modules, I get an exception:
>>>>>
>>>>> libsemanage.enter_rw: this operation requires a transaction
>>>>> libsemanage.enter_rw: could not enter read-write section
>>>>> Traceback (most recent call last):
>>>>> File "./t", line 6, in<module>
>>>>> seobject.loginRecords().add("test3", "sysadm_u", "SystemLow-SystemHigh")
>>>>> File "/usr/lib64/python2.5/site-packages/seobject.py", line 442, in add
>>>>> raise error
>>>>> ValueError: Could not add login mapping for test3
>>>>>
>>>>> What is the right way to do this?
>>>>>
>>>>> joe
>>>>>
>>>>>
>>>>> --
>>>>> This message was distributed to subscribers of the selinux mailing list.
>>>>> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov
>>>>> with
>>>>> the words "unsubscribe selinux" without quotes as the message.
>>>> Probably an MLS issue. firtstboot is running in a context that is not
>>>> allowed to lock/manage selinux.
>>> I'm installing in permissive and switching to enforcing after firstboot.
>>> You are correct that firstboot_t doesn't have the policy for all the
>>> stuff I'm trying to do yet.
>>>
>>>> You probably should exec semanage rather then calling seobject so you
>>>> could do a transition and not have to give a huge app like first boot
>>>> the ability to manage security policy.
>>> That is what is installing right now. I would still like an
>>> explanation/code snippet of correct usage for future use
>>>
>>> joe
>>>
>>>
>> This works on F10 Targeted policy
>>
>> # python -c "import seobject; seobject.loginRecords().add("pwalsh",
>> "staff_u", "s0")
>> # python -c 'import seobject; seobject.loginRecords().delete("pwalsh")'
>>
>> Could it be a translation problem?
>
> Try running multiple calls within the same python interpreter.
> I think seobject.py isn't using libsemanage correctly. For example, in
> add(), you do:
> self.begin()
> self.__add(name, sename, serange)
> self.commit()
> but begin() only ever invokes semanage_begin_transaction() the very
> first time:
> def begin(self):
> if self.transaction:
> return
> rc = semanage_begin_transaction(self.sh)
>
> So after the first commit(), you'll start failing.
>
I think this patch fixes the transaction patch in semanage.
Signed-off-by: Chad Sellers <csellers@tresys.com>
Email: dwalsh@redhat.com
Subject: Several fixes to restorecond
Date: Tue, 17 Feb 2009 11:40:54 -0500
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Init script should be 755
libflashplayer.so has moved in the homedir and is now correct so no
longer needs to have labeling checked.
restorecond supports glob matching and should not complain on multiple
hard links if they match a glob.
So if a file has > 1 link and is an exact match complain, otherwise do not.
Also fix a couple of error messages.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iEYEARECAAYFAkma6JYACgkQrlYvE4MpobOoIACfUgUfpCuhvVTWyHgsq7/8hY0z
9WcAmgPK2KktAlY84HhtRmdu/Hy+9eE/
=zcCj
-----END PGP SIGNATURE-----
Signed-off-by: Joshua Brindle <method@manicmethod.com>
Email: dwalsh@redhat.com
Subject: Make removing of a module a warning rather then an error.
Date: Tue, 13 Jan 2009 08:57:17 -0500
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
This way if I say a command line
semodule -r mypol -i newmypol
and mypol was not there the semodule command does not error out.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iEYEARECAAYFAklsnb0ACgkQrlYvE4MpobNwFACfTqc17wREKC2aAhLOIkfbqgeg
GxgAn2/ZBz5ljtyK1aiVkqoCBj98y9Ey
=I4uX
-----END PGP SIGNATURE-----
Signed-off-by: Joshua Brindle <method@manicmethod.com>
Change semanage/seobject to use semanage_mls_enabled() rather than
is_selinux_mls_enabled(). I dropped the mls enabled tests altogether
from the semanage front-end script since setting up a handle is done by
seobject.py; if those checks are actually important, we could move them
inside of the seobject methods, but I'm not clear on the real benefit of
those checks. In seobject.py, I moved the setting of the is_mls_enabled
variable inside of get_handle(store) after the connect. I also dropped
the is_mls_enabled test from setransRecords since no handle/connection
exists there (since translations are not managed via libsemanage), and
again I'm not clear that the check there was overly important/useful.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Email: dwalsh@redhat.com
Subject: Latest policycoreutils package has a minor problem
Date: Mon, 10 Nov 2008 09:04:39 -0500
Checking _local twice.
Signed-off-by: Joshua Brindle <method@manicmethod.com>
Email: dwalsh@redhat.com
Subject: seobject_fcontext patch allows you to modify a preexisting file context.
Date: Fri, 07 Nov 2008 09:46:36 -0500
Currently semanage is not allowed to change a file context mapping if it
matches exactly, this patch allows you to modify the file context.
Signed-off-by: Joshua Brindle <method@manicmethod.com>
NOTE: original patch modified to remove unused list in fcontext get_all()
Email: dwalsh@redhat.com
Subject: policycoreutils patch
Date: Thu, 23 Oct 2008 13:15:11 -0400
Change semange fcontext -a to check for local customizations rather then
global, so you can modify a file context.
Signed-off-by: Joshua Brindle <method@manicmethod.com>
Email: dwalsh@redhat.com
Subject: policycoreutils audit2allow patch
Date: Fri, 07 Nov 2008 09:36:44 -0500
audit2why can throw a runtime exception and typo in man page.
Signed-off-by: Joshua Brindle <method@manicmethod.com>
Email: dwalsh@redhat.com
Subject: Changes to semanage to allow it to handle transactions.
Date: Fri, 12 Sep 2008 11:52:31 -0400
Joshua Brindle wrote:
> Daniel J Walsh wrote:
> semanage -S targeted -i - << __eof
> user -a -P user -R "unconfined_r system_r" -r s0-s0:c0.c1023 unconfined_u
> user -a -P user -R guest_r guest_u
> user -a -P user -R xguest_r xguest_u
> __eof
> semanage -S targeted -i - << __eof
> login -m -s unconfined_u -r s0-s0:c0.c1023 __default__
> login -m -s unconfined_u -r s0-s0:c0.c1023 root
> __eof
>
> So you can add multiple records in a single pass.
>>
> This patch seems to cause some issues:
> [root@misterfreeze selinux-pristine]# semanage --help
> Traceback (most recent call last):
> File "/usr/sbin/semanage", line 433, in <module>
> usage(_("Requires 2 or more arguments"))
> File "/usr/sbin/semanage", line 98, in usage
> """) % message)
> TypeError: float argument required
Patch off your latest policycoreutils.
Signed-off-by: Joshua Brindle <method@manicmethod.com>
Email: dwalsh@redhat.com
Subject: Changes to semanage to allow it to handle transactions.
Date: Mon, 08 Sep 2008 15:05:36 -0400
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
semanage -S targeted -i - << __eof
user -a -P user -R "unconfined_r system_r" -r s0-s0:c0.c1023 unconfined_u
user -a -P user -R guest_r guest_u
user -a -P user -R xguest_r xguest_u
__eof
semanage -S targeted -i - << __eof
login -m -s unconfined_u -r s0-s0:c0.c1023 __default__
login -m -s unconfined_u -r s0-s0:c0.c1023 root
__eof
So you can add multiple records in a single pass.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iEYEARECAAYFAkjFd4AACgkQrlYvE4MpobMaoQCgxeqYTX2mpRIiIr0461/fvblU
3fQAoIbM8x9rWL0f8iPz0UeoM2mf60XW
=hxC3
-----END PGP SIGNATURE-----
Signed-off-by: Joshua Brindle <method@manicmethod.com>
Email: dwalsh@redhat.com
Subject: Add glob support for restorecond
Date: Mon, 08 Sep 2008 15:03:51 -0400
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
I have added supported for GLOB expressions in restorecond. In order to
get nsplugin to work well, you need all of the contents of the homedir
labeled correctly. Unfortunately gnome creates directories at a fairly
random pace. FCFS. So it is very difficult to get transitions to
happen properly. As a tradeoff, we can use restorecond to watch the
homedir and relabel the directory when it is created. I know this is a
potential race condition. where some of the files created in the
directory will still have the wrong context, but I don't know of a
better solution.
Telling everyone they need to restorcon -R -v ~ is not a great solution.
If you are worried about information flow you should never rely on
restorecond.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iEYEARECAAYFAkjFdxcACgkQrlYvE4MpobPtjACg3uyqaHD78FRxdaG5mfitnoB/
lh0AnjvfDC2vmCWisxzWq2qFsZMMu3XK
=JiG7
-----END PGP SIGNATURE-----
Signed-off-by: Joshua Brindle <method@manicmethod.com>
Stephen Smalley schrieb:
Hi List,
> On Tue, 2008-07-08 at 08:30 -0400, Stephen Smalley wrote:
>> On Tue, 2008-07-08 at 12:13 +0200, Christian Kuester wrote:
>>>> Other tidbits on the semanage patch that I noticed:
>>>> - semanage node -l was broken, requires additional argument that has
>>>> been added to the list methods subsequently. Also would be nice to
>>>> support locallist/-C option.
>>>> - semanage node -p option should take a string rather than an integer
>>>> and map it to the proper symbolic constant for ipv4/ipv6.
>> Please be sure to test each of the nodeRecords methods.
> Are you still pursuing getting this cleaned up and merged?
Sorry, it took some time. The revised patch for nodecon support in
the semanage tool is attached.
It now takes strings as arguments for the ip protocol. list/locallist
work as expected and output is more readable. I also made changes for
the semanage.8 man page.
Kind Regards,
Christian
--
tarent Gesellschaft für Softwareentwicklung und IT-Beratung mbH
Heilsbachstr. 24, 53123 Bonn | Poststr. 4-5, 10178 Berlin
fon: +49(228) / 52675-0 | fon: +49(30) / 27594853
fax: +49(228) / 52675-25 | fax: +49(30) / 78709617
Geschäftsführer
Boris Esser, Elmar Geese
HRB AG Bonn 5168
Ust-ID: DE122264941
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Joshua Brindle
Daniel J Walsh
Stephen Smalley
Christian Kuester