- Remove version references
- Use new methods for enabling/disabling modules
- Add support to set priority when adding/removing modules
- Modify module --list output to include priority and language extension
- Update permissiveRecords call to support cil policy
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
Signed-off-by: Jason Dana <jdana@tresys.com>
semanage currently uses /var/lib/selinux/tmp to create permissive
modules. However, with the move to /var, the same tmp directory is used
for building policy binaries, causing a conflict. This patch creates a
random temporary directory in /tmp and moves permissive module creation
to that directory, avoiding the directory conflict.
This patch also imports shutil for rmtree to easily delete all created
temporary files.
Signed-off-by: Chad Sellers <csellers@tresys.com>
Currently, the selevel/serange values (which are often set on a default
's0' value) are used for ports, users, contexts and logins. This breaks
non-MLS setups.
This patch will only call the necessary mls functions if mls is actually
enabled.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Basically sepolicy is going to use single letters to indicate file types, need
to setup a dictionary to go back and forth between full names and short names.
We only need the sepolgen python module if we are setting up permissive
types. As this has been removed from the core code in Fedora/RHEL we
include a better user error message pointing them how to find the
required module.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
If there are entries in /etc/selinux/[POLICY]/logins they should be
included in the semange login -l output. So do so!
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
We should check that a type is a valid before assigning it with
semanage. Aka we should just that a type is a port type before assigning it
to a port, or a valid user type before assigning it to a user.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Fix fcontextRecords() in policycoreutils/semanage/seobject.py so
that semanage does not produce an error in fcontext mode when
the file_contexts.subs_dist file contains comments (prefixed by #).
Properly skip blank lines.
Treat both white space and tab as valid separators for the above
mentioned policy configuration file (v2). Minimum number of
changes (v2bis).
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
Reported-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Signed-off-by: Eric Paris <eparis@redhat.com>
Add -N, --noreload option to semanage to prevent reloading policy into
the kernel after a change.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
fcontext customized was not returning the customized equivalency records. This
patches fixes this.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
We still want to be able to use sepolgen even if setools isn't
installed. Degrade functionality, but still work if it can't be found.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwlash@redhat.com>
Also if the user specifies a store that is not the current store, we should not be sending audit messages.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
semanage command was not reporting proper audit messages for the LSPP
certification. Needed to report additional information such as prior
roles before and after update. Many other changes, were reviewed by
Steve Grubb to make sure were were doing proper auditing.
Should be reporting AUDIT_ROLE_ASSIGN instead of AUDIT_USER_ROLE_CHANGE.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
No real code change. Just to make it clear what a src and dst means.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Check for conflict on equivalence when adding a file context.
If a user adds a file context that begins with an equivalence string, we
throw an exception.
/usr/sbin/semanage: File spec /usr/lib64/dan conflicts with equivalency rule '/usr/lib64 /usr/lib'; Try adding '/usr/lib/dan' instead
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Print out the list of local and distribution file context equivalencies
rather than just local rules.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
If someone modifies the boolean settings using semanage, we would
expect them to be reflected on the local system. This change would
change the active settings IFF you are changing the currently running
system.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Some versions of python are reporting an indentation error when trying
to use this file. Fix the whitespace messup.
Signed-off-by: Eric Paris <eparis@redhat.com>
If you tell semanage to list the contents of an object and the list is
empty, we should not print the header.
Signed-off-by: Eric Paris <eparis@redhat.com>
Signed-off-by: Dan Walsh <dwalsh@redhat.com>
This adds a new -e options to semanage fcontext which allows one to
specify filesystem equivalancies. An example would be if an admin were
to run out of space and to start putting home directories in /home1.
They can use the equivalencies to specify that /home1 is labeled exactly
like /home.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Add tools to store the state of modules and to enable and disable those
modules.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Add a new option -E which will extract the local configuration changes
made for the given record type. This will be used by a further output
option to be able to dump local configuration in a form which can be
imported later.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
The entire tool chain does not support file context with a space in the
regex. If one of these gets into the file_context files, all sorts of stuff
goes nuts.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
This just distinguishes between permissive types that were definied in
policy and those that were set by the user using semanage.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Right now we have very little in the way of IP address validation. We
also do not properly support IPv6 netmasks. This patch centralizes IP
address validation and fixes the netmask support.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Some semanage objects have a deleteall function, some don't. This adds
them to login seluser node and interface.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
We could currently create a rule with a port number of one million.
This doesn't make sense. Bounds test it.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
In order to allow semanage to perform a transaction on several seobjects
at the same time, the transaction lock has to be at the class level
versus being in each object.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Right now it is needlessly global. Make it a method of semanageRecords.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Apparently I failed to split out the whitespace changes from a
previous patchset, and a bit of the equivalence patch of the
day snuck in. This causes a stack trace when you execute
semanage fcontext -l. This patch reverts the accidentally
included code.
Signed-off-by: Chad Sellers <csellers@tresys.com>
This patch fixes a bug that causes semanage node -a to not work
(failing with a python traceback). You can test the bug with any
semanage node -a command, such as:
semanage node -a -t node_t -p ipv4 -M 255.255.255.0 192.168.1.0
Signed-off-by: Chad Sellers <csellers@tresys.com>
