Commit Graph

53 Commits

Author SHA1 Message Date
Stephen Smalley
33c961d35e policycoreutils 2.0.71 2009-08-11 10:24:16 -04:00
Stephen Smalley
b0c1077c34 Patch setfiles to only warn if add_remove fails to lstat on user initiated excludes.
On Tue, 2009-08-11 at 08:12 -0400, Daniel J Walsh wrote:
> On 08/10/2009 04:12 PM, Stephen Smalley wrote:
> > On Mon, 2009-08-10 at 16:03 -0400, Stephen Smalley wrote:
> >> On Mon, 2009-08-10 at 11:13 -0400, Daniel J Walsh wrote:
> >>> Currently in F12 if you have file systems that root can not read
> >>>
> >>> # restorecon -R -v /var/lib/libvirt/
> >>> Can't stat directory "/home/dwalsh/.gvfs", Permission denied.
> >>> Can't stat directory "/home/dwalsh/redhat", Permission denied.
> >>>
> >>> After patch
> >>>
> >>> # ./restorecon -R -v /var/lib/libvirt/
> >>
> >> But if you were to run
> >> ./restorecon -R /home/dwalsh
> >> that would try to descend into .gvfs and redhat, right?
> >>
> >> I think you want instead to ignore the lstat error if the error was
> >> permission denied and add the entry to the exclude list so that
> >> restorecon will not try to descend into it.  It is ok to exclude a
> >> directory to which you lack permission.  Try this:
> >
> > Also, why limit -e to only directories?  Why not let the user exclude
> > individual files if they choose to do so?  In which case we could drop
> > the mode test altogether, and possibly drop the lstat() call altogether?
> > Or if you truly want to warn the user about non-existent paths, then
> > take the lstat() and warning to the 'e' option processing in main()
> > instead of doing it inside of add_exclude().
> >
> I agree lets remove the directory check and warn on non existing files.

Does this handle it correctly for you?

Remove the directory check for the -e option and only apply the
existence test to user-specified entries.  Also ignore permission denied
errors as it is ok to exclude a directory or file to which the caller
lacks permission.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2009-08-11 10:19:46 -04:00
Stephen Smalley
4445704ed1 policycoreutils 2.0.70 2009-08-04 15:59:52 -04:00
Stephen Smalley
37c5c30998 setfiles: only call realpath() on user-supplied pathnames
Change setfiles/restorecon to only call realpath() on the user-supplied
pathnames prior to invoking fts_open().  This ensures that commands such
as restorecon -R /etc/init.d and (cd /etc && restorecon shadow gshadow)
will work as expected while avoiding the overhead of calling realpath()
on each file during a file tree walk.

Since we are now only acting on user-supplied pathnames, drop the
special case handling of symlinks (when a user invokes restorecon
-R /etc/init.d he truly wants it to descend /etc/rc.d/init.d).  We can
also defer allocation of the pathname buffer to libc by passing NULL
(freeing on the out path) and we can drop the redundant exclude() check
as it will now get handled on the normal path.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2009-08-04 15:58:38 -04:00
Joshua Brindle
1e5fdf6140 bump policycoreutils to 2.0.69 2009-07-30 22:14:16 -04:00
Daniel J Walsh
73a1f3a8f3 Author: Daniel J Walsh
Email: dwalsh@redhat.com
Subject: Fixfiles has a bug when looking at btrfs file systems.
Date: Thu, 09 Jul 2009 16:06:58 -0400

Signed-off-by: Joshua Brindle <method@manicmethod.com>
2009-07-30 21:52:30 -04:00
Stephen Smalley
6be2be0a07 policycoreutils: get setfiles to skip mounts without seclabel
On Fri, 2009-07-24 at 16:12 -0400, Stephen Smalley wrote:
> On Fri, 2009-07-17 at 10:48 -0400, Thomas Liu wrote:
> > Get setfiles to check paths for seclabel and skip them
> > if it is not supported.
> >
> > Parse /proc/mounts and add paths that do not have seclabel
> > to the exclude list.  If another path shows up that does
> > have seclabel, remove it from the exclude list, since setfiles
> > will try and when it fails it will skip it.
> >
> > Also made one of the error messages in add_exclude more
> > descriptive.
> >
> > Signed-off-by: Thomas Liu <tliu@redhat.com>
> > Signed-off-by: Dan Walsh <dwalsh@redhat.com>
> > ---
>
> Thanks, merged in policycoreutils 2.0.68.

Applied this patch on top to free the buffer allocated by getline() and
to free any removed entries from the excludeArray.  valgrind
--leak-check=full then shows no leakage.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2009-07-27 09:22:15 -04:00
Stephen Smalley
709a754bfc policycoreutils 2.0.68 2009-07-24 16:10:18 -04:00
Thomas Liu
a6a29764a6 policycoreutils: get setfiles to skip mounts without seclabel
Get setfiles to check paths for seclabel and skip them
if it is not supported.

Parse /proc/mounts and add paths that do not have seclabel
to the exclude list.  If another path shows up that does
have seclabel, remove it from the exclude list, since setfiles
will try and when it fails it will skip it.

Also made one of the error messages in add_exclude more
descriptive.

Signed-off-by: Thomas Liu <tliu@redhat.com>
Signed-off-by: Dan Walsh <dwalsh@redhat.com>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2009-07-24 16:08:44 -04:00
Stephen Smalley
fbaf056b69 policycoreutils 2.0.67 2009-07-07 14:28:35 -04:00
Christopher Pardy
2c91f6377d semodule: maintain old functionality
Patch for semodule command
semodule -B
Will now turn on dontaudit rules
semodule -DB
Will turn off dontaudit rules.
With other patch all other semanage commands will maintain state.

Created by Dan Walsh

Signed-off-by: Christopher Pardy <cpardy@redhat.com>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2009-07-07 14:21:29 -04:00
Stephen Smalley
b320c69d2e policycoreutils 2.0.66 2009-07-07 08:25:23 -04:00
Thomas Liu
cce1729067 setfiles converted to fts
This is version 5 of the setfiles to fts patch.

The code has been cleaned up to adhere to the CodingStyle guidelines.

I have confirmed that the stat struct that fts returns for a symlink when using
the FTS_PHYSICAL flag is in fact the stat struct for the symlink, not the file
it points to (st_size is 8 bytes).

Instead of using fts_path for getfilecon/setfilecon it now uses fts_accpath,
which should be more efficient since fts walks the file hierarchy for us.

FreeBSD setfsmac uses fts in a similar way to how this patch does and one
thing that I took from it was to pass the FTSENT pointer around instead of
the names, because although fts_accpath is more efficient for get/setfilecon,
it is less helpful in verbose output (fts_path will give the entire path).

Here is the output from running restorecon on /

(nftw version)
restorecon -Rv / 2>/dev/null
restorecon reset /dev/pts/ptmx context system_u:object_r:devpts_t:s0->system_u:object_r:ptmx_t:s0

(new version)
./restorecon -Rv / 2>/dev/null
./restorecon reset /dev/pts/ptmx context system_u:object_r:devpts_t:s0->system_u:object_r:ptmx_t:s0

Here are some benchmarks each was run twice from a fresh
boot in single user mode (shown are the second runs).

(nftw version)
restorecon -Rv /usr
real	1m56.392s
user	1m49.559s
sys	0m6.012s

(new version)
./restorecon -Rv /usr
real	1m55.102s
user	1m50.427s
sys	0m4.656s

So not much of a change, though some work has been pushed from kernel space
to user space.

It turns out setting the FTS_XDEV flag tells fts not to descend into
directories with different device numbers, but fts will still give back the
actual directory.  I think nftw would completely avoid the directories as well
as their contents.

This patch fixed this issue by saving the device number of the directory
that was passed to setfiles and then skipping all action on any directories
with a different device number when the FTS_XDEV flag is set.

Also removed some code that removed beginning and trailing slashes
from paths, since fts seems to handle it.

Signed-off-by: Thomas Liu <tliu@redhat.com>

[sds:  Moved local variable declarations to beginning of process_one.]
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2009-07-07 08:21:34 -04:00
Joshua Brindle
bf7a7c998f bump policycoreutils to 2.0.65 2009-06-24 10:55:46 -04:00
Joshua Brindle
347aacc37c remove gui from po/Makefile and po/POTFILES and regenerate po files 2009-06-24 10:54:56 -04:00
Joshua Brindle
33844aa60d bump libselinux to 2.0.82 and policycoreutils to 2.0.64 2009-06-22 11:32:27 -04:00
Daniel J Walsh
5467587bcc Author: Daniel J Walsh
Email: dwalsh@redhat.com
Subject: chcat fixes
Date: Thu, 21 May 2009 08:13:26 -0400

On 05/20/2009 04:05 PM, Chad Sellers wrote:
> On 5/20/09 3:00 PM, "Daniel J Walsh"<dwalsh@redhat.com>  wrote:
>
>> Expansion of categores is still broken.  Here is a patch to fix.
>>
> This message appears to be missing a patch.
>
> Thanks,
> Chad
>

Signed-off-by: Joshua Brindle <method@manicmethod.com>
2009-06-22 11:26:00 -04:00
Daniel J Walsh
275d7f658e Author: Daniel J Walsh
Email: dwalsh@redhat.com
Subject: setfiles will only put out a "*" if > 1000 files are fixed.
Date: Wed, 20 May 2009 13:08:14 -0400

setfiles was always putting out a \n, even when not many files were
being fixed. yum transactions were being desturbed by this.

Signed-off-by: Joshua Brindle <method@manicmethod.com>
2009-06-19 13:16:24 -04:00
Daniel J Walsh
323a16ff37 Author: Daniel J Walsh
Email: dwalsh@redhat.com
Subject: Add btrfs to fixfiles.
Date: Wed, 20 May 2009 15:02:33 -0400

Hopefully the last time we will ever need to update.  Once patch gets
out with kernel support to tell me which file systems support xattr, we
can remove this hack.

Signed-off-by: Joshua Brindle <method@manicmethod.com>
2009-06-19 11:12:57 -04:00
Joshua Brindle
7fc77104fa bump policycoreutils to 2.0.63 2009-05-05 20:16:31 -04:00
Daniel J Walsh
b6a1a954f5 Author: Daniel J Walsh
Email: dwalsh@redhat.com
Subject: patch to policycoreutils
Date: Wed, 01 Apr 2009 10:10:43 -0400

Multiple patches to policycoreutils.

First added /root/.ssh and /root/.ssh/*  to allow people to place keys
in /root directory and have them labeled by restorcond

<snipdue to previously ack'd patch>

Clean up permissive domains creation in semanage so it does not leave
crap in /var/lib/selinux

---
Also have fixfiles operate recursively when in RPM mode, per:

Author: Daniel J Walsh
Email: dwalsh@redhat.com
Subject: Re: patch to policycoreutils
Date: Wed, 22 Apr 2009 21:50:48 -0400

If a package owned a directory like /var/lib/libvirt/images, when it is
relabeling we would want it to relabel not only the directory but the
contents of the directory

Signed-off-by: Chad Sellers <csellers@tresys.com>
2009-04-10 19:17:47 -04:00
Daniel J Walsh
35490f2fa5 Author: Daniel J Walsh
Email: dwalsh@redhat.com
Subject: Help with python seobject.loginRecords
Date: Thu, 12 Mar 2009 09:29:17 -0400

On 03/11/2009 05:00 PM, Stephen Smalley wrote:
> On Wed, 2009-03-11 at 16:49 -0400, Daniel J Walsh wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Joe Nall wrote:
>>> On Mar 11, 2009, at 2:35 PM, Daniel J Walsh wrote:
>>>
>>>> On 03/11/2009 12:15 PM, Joe Nall wrote:
>>>>> I need to add login mappings in python firstboot modules during system
>>>>> configuration. In my first module a simple:
>>>>>
>>>>> seobject.loginRecords().add(username, "siterep_u",
>>>>> "SystemLow-SystemHigh")
>>>>>
>>>>> works. In subsequent modules, I get an exception:
>>>>>
>>>>> libsemanage.enter_rw: this operation requires a transaction
>>>>> libsemanage.enter_rw: could not enter read-write section
>>>>> Traceback (most recent call last):
>>>>> File "./t", line 6, in<module>
>>>>> seobject.loginRecords().add("test3", "sysadm_u", "SystemLow-SystemHigh")
>>>>> File "/usr/lib64/python2.5/site-packages/seobject.py", line 442, in add
>>>>> raise error
>>>>> ValueError: Could not add login mapping for test3
>>>>>
>>>>> What is the right way to do this?
>>>>>
>>>>> joe
>>>>>
>>>>>
>>>>> --
>>>>> This message was distributed to subscribers of the selinux mailing list.
>>>>> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov
>>>>> with
>>>>> the words "unsubscribe selinux" without quotes as the message.
>>>> Probably an MLS issue.  firtstboot is running in a context that is not
>>>> allowed to lock/manage selinux.
>>> I'm installing in permissive and switching to enforcing after firstboot.
>>> You are correct that firstboot_t doesn't have the policy for all the
>>> stuff I'm trying to do yet.
>>>
>>>> You probably should exec semanage rather then calling seobject so you
>>>> could do a transition and not have to give a huge app like first boot
>>>> the ability to manage security policy.
>>> That is what is installing right now. I would still like an
>>> explanation/code snippet of correct usage for future use
>>>
>>> joe
>>>
>>>
>> This works on F10 Targeted policy
>>
>> # python -c "import seobject; seobject.loginRecords().add("pwalsh",
>> "staff_u", "s0")
>> # python -c 'import seobject; seobject.loginRecords().delete("pwalsh")'
>>
>> Could it be a translation problem?
>
> Try running multiple calls within the same python interpreter.
> I think seobject.py isn't using libsemanage correctly.  For example, in
> add(), you do:
>                         self.begin()
>                          self.__add(name, sename, serange)
>                          self.commit()
> but begin() only ever invokes semanage_begin_transaction() the very
> first time:
>         def begin(self):
>                 if self.transaction:
>                        return
>                 rc = semanage_begin_transaction(self.sh)
>
> So after the first commit(), you'll start failing.
>
I think this patch fixes the transaction patch in semanage.

Signed-off-by: Chad Sellers <csellers@tresys.com>
2009-04-10 17:14:47 -04:00
Joshua Brindle
c7e13bfea3 bump policycoreutils to 2.0.62 2009-02-17 12:18:05 -05:00
Joshua Brindle
f77e475fd8 Author: Daniel J Walsh
Email: dwalsh@redhat.com
Subject: Add btrfs to fixfiles
Date: Tue, 17 Feb 2009 11:42:11 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hopefully will convert to seclabel when it is available.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkma6OMACgkQrlYvE4MpobNegwCfSBpm7O9wIKK+O89gC+Lwx+PV
rmsAn12IADGzhFu4thYK5qakacviWwfZ
=PtIL
-----END PGP SIGNATURE-----

Signed-off-by: Joshua Brindle <method@manicmethod.com>
2009-02-17 11:43:11 -05:00
Joshua Brindle
be583ce332 Author: Daniel J Walsh
Email: dwalsh@redhat.com
Subject: Several fixes to restorecond
Date: Tue, 17 Feb 2009 11:40:54 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Init script should be 755

libflashplayer.so has moved in the homedir and is now correct so no
longer needs to have labeling checked.

restorecond supports glob matching and should not complain on multiple
hard links if they match a glob.

So if a file has > 1 link and is an exact match complain, otherwise do not.

Also fix a couple of error messages.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkma6JYACgkQrlYvE4MpobOoIACfUgUfpCuhvVTWyHgsq7/8hY0z
9WcAmgPK2KktAlY84HhtRmdu/Hy+9eE/
=zcCj
-----END PGP SIGNATURE-----

Signed-off-by: Joshua Brindle <method@manicmethod.com>
2009-02-17 11:42:15 -05:00
Joshua Brindle
f5a700d107 Author: Daniel J Walsh
Email: dwalsh@redhat.com
Subject: policycoreutils_restorecond.patch
Date: Tue, 13 Jan 2009 08:53:50 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Add more error checking.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAklsnO4ACgkQrlYvE4MpobOqdgCgvkzLK6bi1m9oTv217A7CYIvZ
BRcAn005E3lop2wmkaH5DcfVwVv3kCYD
=Xjf4
-----END PGP SIGNATURE-----

Signed-off-by: Joshua Brindle <method@manicmethod.com>
2009-02-16 11:48:37 -05:00
Joshua Brindle
244fd583d8 Author: Daniel J Walsh
Email: dwalsh@redhat.com
Subject: policycoreutils_semanage.patch
Date: Tue, 13 Jan 2009 08:55:56 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Add missing locallist option
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAklsnWwACgkQrlYvE4MpobPZJwCguhEXCkkeS+4QPeBIDMD/sMTv
yMoAoLz7d20UABT1La/JcUaMrXr/XLF7
=L7QI
-----END PGP SIGNATURE-----

Signed-off-by: Joshua Brindle <method@manicmethod.com>
2009-02-16 11:46:40 -05:00
Joshua Brindle
d8b1ea603b Author: Daniel J Walsh
Email: dwalsh@redhat.com
Subject: Make removing of a module a warning rather then an error.
Date: Tue, 13 Jan 2009 08:57:17 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

This way if I say a command line

semodule -r mypol -i newmypol

and mypol was not there the semodule command does not error out.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAklsnb0ACgkQrlYvE4MpobNwFACfTqc17wREKC2aAhLOIkfbqgeg
GxgAn2/ZBz5ljtyK1aiVkqoCBj98y9Ey
=I4uX
-----END PGP SIGNATURE-----

Signed-off-by: Joshua Brindle <method@manicmethod.com>
2009-02-16 11:41:02 -05:00
Joshua Brindle
498861044a Author: Daniel J Walsh
Email: dwalsh@redhat.com
Subject: audit2allow patch
Date: Tue, 13 Jan 2009 08:52:51 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Remove --tefile from manpage, option does not exist.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAklsnLIACgkQrlYvE4MpobOrGQCgs76GOeXnSKrLCX69GpCAiIZN
f4AAn312U9ill0sLCKWP1bsL661mctEH
=D9bQ
-----END PGP SIGNATURE-----

Signed-off-by: Joshua Brindle <method@manicmethod.com>
2009-02-16 11:39:00 -05:00
Joshua Brindle
36df93ed82 bump policycoreutils to 2.0.61 2009-01-12 10:42:48 -05:00
Joshua Brindle
8b092bade5 Author: Daniel J Walsh
Email: dwalsh@redhat.com
Subject: chcat patch.
Date: Fri, 07 Nov 2008 09:39:32 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Prevent chcat from expanding number of categories above max size of
command line.  Arbitrarily picked 25.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkkUUyQACgkQrlYvE4MpobMDDwCg0DMLERlnHZyVmORa9de9f5tf
fQsAoJZpO646H5CFuXZuW6htHpPfHz/z
=4OcI
-----END PGP SIGNATURE-----

Signed-off-by: Joshua Brindle <method@manicmethod.com>
2009-01-12 10:19:59 -05:00
Joshua Brindle
5cbb573fa5 Author: Daniel J Walsh
Email: dwalsh@redhat.com
Subject: Small fixes for audit2allow
Date: Mon, 01 Dec 2008 15:19:09 -0500

Signed-off-by: Joshua Brindle <method@manicmethod.com>
2009-01-12 10:19:59 -05:00
Joshua Brindle
8c51c70d59 Author: Daniel J Walsh
Email: dwalsh@redhat.com
Subject: semodule patch to use new semanage interfaces
Date: Fri, 07 Nov 2008 09:41:24 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Allows semodule to read bzip compressed policy packages directly.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkkUU5QACgkQrlYvE4MpobMHGQCdGwEl3h1ZwV92u1mfgrr3z7XT
NGYAoIwz76N7QFdEr8I0t3ncGhbo6heq
=raBi
-----END PGP SIGNATURE-----

Signed-off-by: Joshua Brindle <method@manicmethod.com>
2009-01-12 10:19:58 -05:00
Stephen Smalley
f64fea9a0b Bump policycoreutils to 2.0.60 2008-11-12 16:26:21 -05:00
Stephen Smalley
b4fca3c40f semanage: Use semanage_mls_enabled
Change semanage/seobject to use semanage_mls_enabled() rather than
is_selinux_mls_enabled().  I dropped the mls enabled tests altogether
from the semanage front-end script since setting up a handle is done by
seobject.py; if those checks are actually important, we could move them
inside of the seobject methods, but I'm not clear on the real benefit of
those checks.  In seobject.py, I moved the setting of the is_mls_enabled
variable inside of get_handle(store) after the connect.  I also dropped
the is_mls_enabled test from setransRecords since no handle/connection
exists there (since translations are not managed via libsemanage), and
again I'm not clear that the check there was overly important/useful.

Signed-off-by:  Stephen Smalley <sds@tycho.nsa.gov>
2008-11-12 16:00:06 -05:00
Joshua Brindle
223bb406d8 Bump libsemanage to 2.0.29 and policycoreutils to 2.0.59 2008-11-09 11:20:40 -05:00
Joshua Brindle
c35dcc43bc Author: Daniel J Walsh
Email: dwalsh@redhat.com
Subject: Latest policycoreutils package has a minor problem
Date: Mon, 10 Nov 2008 09:04:39 -0500

Checking _local twice.

Signed-off-by: Joshua Brindle <method@manicmethod.com>
2008-11-09 11:16:51 -05:00
Joshua Brindle
2c41d9d1a7 bump policycoreutils to 2.0.58 2008-11-07 19:25:17 -05:00
Joshua Brindle
1f4d94f4c4 Author: Daniel J Walsh
Email: dwalsh@redhat.com
Subject: seobject_fcontext patch allows you to modify a preexisting file context.
Date: Fri, 07 Nov 2008 09:46:36 -0500

Currently semanage is not allowed to change a file context mapping if it
matches exactly,  this patch allows you to modify the file context.

Signed-off-by: Joshua Brindle <method@manicmethod.com>

NOTE: original patch modified to remove unused list in fcontext get_all()
2008-11-07 19:20:39 -05:00
Joshua Brindle
dd808a1342 Author: Daniel J Walsh
Email: dwalsh@redhat.com
Subject: policycoreutils patch
Date: Thu, 23 Oct 2008 13:15:11 -0400

Change semange fcontext -a to check for local customizations rather then
 global, so you can modify a file context.

Signed-off-by: Joshua Brindle <method@manicmethod.com>
2008-11-07 16:55:34 -05:00
Joshua Brindle
cb69455465 Author: Daniel J Walsh
Email: dwalsh@redhat.com
Subject: policycoreutils audit2allow patch
Date: Fri, 07 Nov 2008 09:36:44 -0500

audit2why can throw a runtime exception and typo in man page.

Signed-off-by: Joshua Brindle <method@manicmethod.com>
2008-11-07 16:50:34 -05:00
Joshua Brindle
bcd43e0bf1 Author: Daniel J Walsh
Email: dwalsh@redhat.com
Subject: newrole error message corrections.
Date: Fri, 07 Nov 2008 09:37:52 -0500

Signed-off-by: Joshua Brindle <method@manicmethod.com>
2008-11-07 16:49:04 -05:00
Joshua Brindle
c28138ef18 bump policycoreutils to 2.0.57 2008-09-18 09:56:06 -04:00
Joshua Brindle
1dce6736bd Author: Daniel J Walsh
Email: dwalsh@redhat.com
Subject: Latest translations of SELinux policoreutils patch
Date: Fri, 12 Sep 2008 11:57:31 -0400

http://people.fedoraproject.org/~dwalsh/SELinux/policycoreutils-po.patch
2008-09-18 09:52:36 -04:00
Joshua Brindle
a4c9f58e03 Author: Daniel J Walsh
Email: dwalsh@redhat.com
Subject: Changes to semanage to allow it to handle transactions.
Date: Fri, 12 Sep 2008 11:52:31 -0400

Joshua Brindle wrote:
> Daniel J Walsh wrote:
> semanage -S targeted -i - << __eof
> user -a -P user -R "unconfined_r system_r" -r s0-s0:c0.c1023 unconfined_u
> user -a -P user -R guest_r guest_u
> user -a -P user -R xguest_r xguest_u
> __eof
> semanage -S targeted -i - << __eof
> login -m  -s unconfined_u -r s0-s0:c0.c1023 __default__
> login -m  -s unconfined_u -r s0-s0:c0.c1023 root
> __eof
>
> So you can add multiple records in a single pass.
>>

> This patch seems to cause some issues:

> [root@misterfreeze selinux-pristine]# semanage --help
> Traceback (most recent call last):
>   File "/usr/sbin/semanage", line 433, in <module>
>     usage(_("Requires 2 or more arguments"))
>   File "/usr/sbin/semanage", line 98, in usage
>     """) % message)
> TypeError: float argument required

Patch off your latest policycoreutils.

Signed-off-by: Joshua Brindle <method@manicmethod.com>
2008-09-07 22:00:20 -04:00
Joshua Brindle
5214ee3d97 bump policycoreutils to 2.0.56 and sepolgen to 1.0.14 2008-09-07 18:57:50 -04:00
Joshua Brindle
f33c230526 Author: Daniel J Walsh
Email: dwalsh@redhat.com
Subject: Changes to semanage to allow it to handle transactions.
Date: Mon, 08 Sep 2008 15:05:36 -0400

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

semanage -S targeted -i - << __eof
user -a -P user -R "unconfined_r system_r" -r s0-s0:c0.c1023 unconfined_u
user -a -P user -R guest_r guest_u
user -a -P user -R xguest_r xguest_u
__eof
semanage -S targeted -i - << __eof
login -m  -s unconfined_u -r s0-s0:c0.c1023 __default__
login -m  -s unconfined_u -r s0-s0:c0.c1023 root
__eof

So you can add multiple records in a single pass.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkjFd4AACgkQrlYvE4MpobMaoQCgxeqYTX2mpRIiIr0461/fvblU
3fQAoIbM8x9rWL0f8iPz0UeoM2mf60XW
=hxC3
-----END PGP SIGNATURE-----

Signed-off-by: Joshua Brindle <method@manicmethod.com>
2008-09-07 18:53:26 -04:00
Joshua Brindle
64d7ef5d44 Author: Daniel J Walsh
Email: dwalsh@redhat.com
Subject: Add glob support for restorecond
Date: Mon, 08 Sep 2008 15:03:51 -0400

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I have added supported for GLOB expressions in restorecond.  In order to
get nsplugin to work well, you need all of the contents of the homedir
labeled correctly.  Unfortunately gnome creates directories at a fairly
random pace.  FCFS.  So it is very difficult to get transitions to
happen properly.  As a tradeoff, we can use restorecond to watch the
homedir and relabel the directory when it is created.  I know this is a
potential race condition. where some of the files created in the
directory will still have the wrong context, but I don't know of a
better solution.

Telling everyone they need to restorcon -R -v ~ is not a great solution.
 If you are worried about information flow you should never rely on
restorecond.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkjFdxcACgkQrlYvE4MpobPtjACg3uyqaHD78FRxdaG5mfitnoB/
lh0AnjvfDC2vmCWisxzWq2qFsZMMu3XK
=JiG7
-----END PGP SIGNATURE-----

Signed-off-by: Joshua Brindle <method@manicmethod.com>
2008-09-07 18:51:09 -04:00
Joshua Brindle
2928ff2189 Author: Daniel J Walsh
Email: dwalsh@redhat.com
Subject: fixfiles fixes
Date: Mon, 08 Sep 2008 15:03:35 -0400

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Removes all files from /tmp, previous one would leave /tmp/.a and /tmp/.b

Fixed context on unlabeled_t and file_t files in /tmp and /var/tmp.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkjFdwYACgkQrlYvE4MpobMZJACfRsCuVFja3fvYZYtptyW2h3lH
yAQAn0xmDAYELt+res60OIcL3UDrUFRv
=09W1
-----END PGP SIGNATURE-----

Signed-off-by: Joshua Brindle <method@manicmethod.com>
2008-09-07 18:47:23 -04:00
Stephen Smalley
107d46ff3e Update policycoreutils VERSION and ChangeLog. 2008-08-26 09:40:22 -04:00