Commit Graph

151 Commits

Author SHA1 Message Date
Eric Paris
e25ea71a5b policycoreutils: semanage: output all local modifications
Introduce a new -o option which will output all local modifications in a
method which can be 're-inputted' on another host.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-08-15 11:25:23 -04:00
Eric Paris
f3fbc5d6de policycoreutils: semanage: introduce extraction of local configuration
Add a new option -E which will extract the local configuration changes
made for the given record type.  This will be used by a further output
option to be able to dump local configuration in a form which can be
imported later.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-08-15 11:25:23 -04:00
Eric Paris
2c3e6f6115 policycoreutils: semanage: cleanup error on invalid operation
Before you would get:
$ semanage fcontext toys
/usr/sbin/semanage Invalid command fcontext toys

Now you get:
$ semanage fcontext toys
/usr/sbin/semanage: Invalid command: semanage fcontext toys

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-08-15 11:25:23 -04:00
Eric Paris
877447a9e7 policycoreutils: semanage: handle being called with no arguments
Return quickly instead of tring to parse arguments if there are
no arguments.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-08-15 11:25:23 -04:00
Eric Paris
a0d1dc8a01 policycoreutils: semanage: return sooner to save CPU time
Right now we do lots of needless string comparisons even though we know
we are finished doing work immediately after an operation.  So return
sooner.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-08-15 11:25:23 -04:00
Eric Paris
d2f0f42570 policycoreutils: semanage: surround getopt with try/except
One of the getopt parsers didn't have a try/except pair to show usage
when a user did it wrong.  Fix that.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-08-15 11:25:23 -04:00
Eric Paris
0c4d0788ab policycoreutils: semanage: use define/raise instead of lots of conditionals
Right now the validation code has lots of conditionals which check if we
are trying to add and delete or add and modify or something like that.
Instead make a single function which just sets if this operation is
trying to do an action and if it gets called twice will realize this is
invalid and will raise and exception.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-08-15 11:25:23 -04:00
Eric Paris
123559545f policycoreutils: semanage: some options are only valid for local changes
Some options like --locallist and --deleteall only effect local changes
not global things.  Split these validation options into their own bit of
code.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-08-15 11:25:23 -04:00
Eric Paris
cfddb3fa9a policycoreutils: semanage: introduce better deleteall support
The help text, man pages, and stuff didn't include everything about
deleteall rules.  Try to update them.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-08-15 11:25:23 -04:00
Eric Paris
643b9b703c policycoreutils: semanage: do not allow spaces in file context
The entire tool chain does not support file context with a space in the
regex.  If one of these gets into the file_context files, all sorts of stuff
goes nuts.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-08-15 11:25:22 -04:00
Eric Paris
4c96df7d77 policycoreutils: semanage: distinguish between builtin and local permissive types
This just distinguishes between permissive types that were definied in
policy and those that were set by the user using semanage.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-08-15 11:25:22 -04:00
Eric Paris
12e29ee1dd policycoreutils: semanage: centralized ip node handling
Right now we have very little in the way of IP address validation.  We
also do not properly support IPv6 netmasks.  This patch centralizes IP
address validation and fixes the netmask support.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-08-15 11:25:22 -04:00
Eric Paris
66564a67cf policycoreutils: setfiles: make the restore function exclude() non-static
Stuff wants to use it later.  Make it non-static.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-08-15 11:25:22 -04:00
Eric Paris
17c577ace7 policycoreutils: setfiles: use glob to handle ~ and . in filenames
Use the glob library to handle ~ and . in filenames passed from the
command line.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-08-15 11:25:22 -04:00
Dan Walsh
5bd734dd73 policycoreutils: fixfiles: do not hard code types
We had a number of places where fixfiles would search for or set hard
coded types.  If policy used something other than tmp_t var_t file_t or
unlabeled_t we would go wrong.  This patch does 2 things.  It uses the
kernel provided selinuxfs interfaces to determine the label on unlabeled
and unknown files and it uses the --reference option with chcon to set
new labels.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-08-15 11:25:22 -04:00
Eric Paris
35f4e6a870 policycoreutils: fixfiles: stop trying to be smart about filesystems
The type of a filesystem (ext*, btrfs, etc) really doesn't matter when
it comes to the ability to set labels.  Stop trying to be smart and just
call restorecon.  It will either work or it won't and out heuristic
isn't helping.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-08-15 11:25:22 -04:00
Eric Paris
1da72eea26 policycoreutils: fixfiles: use new kernel seclabel option
The kernel now outputs a mount option called 'seclabel' which indicates
if the filesystem supposed security labeling.  Use that instead of
having to update some hard coded list of acceptable filesystems (that
may or may not be acceptable depending on if they were compiled with
security xattrs)

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-08-15 11:25:20 -04:00
Eric Paris
e2769ff670 policycoreutils: fixfiles: pipe everything to cat before sending to LOGFILE
We do this so we can eliminate foolish avcs about restorecon trying to
write to a random directory.  We allow apps to communicate with fds
globably.  So this allows the access no AVC's I am happy

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-08-11 23:35:52 -04:00
Eric Paris
275560b2a3 policycoreutils: fixfiles: introduce /etc/selinux/fixfiles_exclude_dirs
Introduce a new file /etc/selinux/fixfiles_exclude_dirs which contains a
list of directories which should not be relabeled.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-08-11 23:35:52 -04:00
Eric Paris
5e096d9ceb policycoreutils: semodule: support for alternative root paths
Add a -p option to semodule which will allow it to operate on the
specified semanaged root instead of the default.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-08-11 23:35:52 -04:00
Eric Paris
4749940426 update repo for 2011-08-03 with version and changelog updates 2011-08-03 18:09:02 -04:00
Eric Paris
2ac99a505e policycoreutils: semanage: fix indention
Part of the if clause used tabs, part spaces.  Be consistent.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-08-03 18:02:38 -04:00
Eric Paris
e1ae7b43f1 policycoreutils: semodule_package: fix man page typo
Just drop an extra bit of cruft from the man page.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-08-03 18:02:38 -04:00
Eric Paris
c52ff76180 policycoreutils: semodule_expand: update man page with -a
Update the man page to include -a.  Passing -a causes semodule_expand to
not check assertions.  Include this in the man info.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-08-03 18:02:38 -04:00
Eric Paris
f2a74f4f87 policycoreutils: semanage: handle os errors
Rather than traceback, handle os errors and exit cleanly.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-08-03 18:02:38 -04:00
Eric Paris
b5c0a182ef policycoreutils: semanage: fix traceback with bad options
$ semanage fcontext add delete
Traceback (most recent call last):
  File "/usr/sbin/semanage", line 565, in <module>
    process_args(sys.argv[1:])
  File "/usr/sbin/semanage", line 396, in process_args
    raise ValueError(_("%s bad option") % o)
UnboundLocalError: local variable 'o' referenced before assignment

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-08-03 18:02:37 -04:00
Eric Paris
b1820fcca6 policycoreutils: semanage: show usage on -h or --help
Raise a more sensicle useage rather than value error on help request
from user.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-08-03 18:02:37 -04:00
Eric Paris
72a83a110d policycoreutils: semanage: introduce more deleteall options
Some semanage objects have a deleteall function, some don't.  This adds
them to login seluser node and interface.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-08-03 18:02:37 -04:00
Eric Paris
849e7d5be7 policycoreutils: semanage: verify ports < 65536
We could currently create a rule with a port number of one million.
This doesn't make sense.  Bounds test it.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-08-03 18:02:37 -04:00
Eric Paris
c3226ebac9 policycoreutils: transaction into semanageRecords
In order to allow semanage to perform a transaction on several seobjects
at the same time, the transaction lock has to be at the class level
versus being in each object.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-08-03 18:02:37 -04:00
Eric Paris
3fd3a927e2 policycoreutils: make get_handle a method of semanageRecords
Right now it is needlessly global.  Make it a method of semanageRecords.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-08-03 18:02:37 -04:00
Eric Paris
7e00948bdb policycoreutils: remove a needless blank line
Yeah, that's really it.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-08-03 18:02:37 -04:00
Eric Paris
5763e720d8 policycoreutils: make process_one error if not initialized correctly
Rather than blow up in horible ways, error out if we detect
initialization wasn't done properly.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-08-03 18:02:37 -04:00
Eric Paris
2b4d32dc4b policycoreutils: fixfiles: correct usage for r_opts.rootpath
The error usable displays r_opts.rootpath, but r_opts is supposed to be
an internal code thing, not something users care about.  When printing
the error message just call it 'rootpath'

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-08-03 18:02:37 -04:00
Eric Paris
89ca0c2e29 policycoreutils: put -p in help for restorecon and fixfiles
restorecon and fixfiles both have the -p option to display a * every
10000 files.  Put it in the usage and man pages.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-08-03 18:02:37 -04:00
Eric Paris
2d0c192355 policycoreutils: fixfiles: do not try to only label known filesystems
In the old fixfiles we had to make sure we only attempted to relabel
files that were on file systems that supported extended attributes.
With the new restorecon, we no longer need this.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-08-03 18:02:37 -04:00
Eric Paris
593154505a policycoreutils: fixfiles clean up /var/run and /var/lib/debug
clean up /var/run and /var/lib/debug just like we do for /tmp and
/var/tmp since they can easily get unlabeled files.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-08-03 18:02:37 -04:00
Eric Paris
2bd5fd1642 policycoreutils: fixfiles delete tmp sockets and pipes rather than relabel then
We cannot reasonably relabel pipes and sockets in /tmp to tmp_t so just
delete them instead of trying to put and unuable label.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-08-03 18:02:37 -04:00
Eric Paris
6084f72aaf policycoreutils: fixfile use find -delete instead of pipe to rm
fixfiles uses a find command then than pipes that to rm -f.  Just use
the find delete predicate instead of causing all of those extra calls to
rm.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-08-03 18:02:37 -04:00
Eric Paris
da484b88d5 policycoreutils: chcat man page typo
Fix the page to point to the the seusers file, not the seuser file.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-08-03 18:02:37 -04:00
Eric Paris
6a1c070ea6 policycoreutils: add man page for genhomedircon
Nothing special, just a man page to say what it's about.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-08-03 18:02:37 -04:00
Eric Paris
a57385c578 policycoreutils: setfiles fix typo
Apparently we cannot spelll.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-08-03 18:02:36 -04:00
Eric Paris
4c63498a4c policycoreutils: setsebool should inform users they need to be root
Add a different error message when setsebool is unable to run because
the user is not root.  This just helps people who try to change booleans
based on setroubleshoot output and don't know what went wrong.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-08-03 18:02:36 -04:00
Eric Paris
98dcd24976 policycoreutils: setsebool typos
Apparently we can't spelll.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-08-03 18:02:36 -04:00
Eric Paris
10374e5e89 policycoreutils: open_init_tty man page typos
Apparently we can't spelll.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-08-03 18:02:36 -04:00
Eric Paris
0b8af757b6 policycoreutils: Don't add user site directory to sys.path
SELinux pythons applications should not allow the user to change the
sys.path

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-08-03 18:02:36 -04:00
Eric Paris
e3ffa8c31f policycoreutils: newrole retain CAP_SETPCAP
We retain CAP_SETPCAP so that we can drop the additional capabilities
we held onto to set up namespaces.

While we are at it, just add some console whine in case things fail.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-08-03 18:02:36 -04:00
Eric Paris
78b4b56857 Made updates to checkpolicy libselinux and policycoreutils so update
version and changelogs

Signed-off-by: Eric Paris <eparis@redhat.com>
2011-08-02 14:10:39 -04:00
Eric Paris
39066bd0ac policycoreutils: seunshare: define _GNU_SOURCE earlier
If one tries to build policycoreutils it won't work because of:

seunshare.c: In function ‘main’:
seunshare.c:242:21: error: ‘CLONE_NEWNS’ undeclared (first use in this
function)
seunshare.c:242:21: note: each undeclared identifier is reported only
once for each function it appears in
make[1]: *** [seunshare.o] Error 1

Moving the #define _GNU_SOURCE earlier in the file means it is set when
sched.h is includes via some of dependancy chain.  Thus it can build.

Signed-off-by: Eric Paris <eparis@redhat.com>
2011-08-02 13:58:07 -04:00
Eric Paris
30ad11feb9 policycoreutils: make ignore_enoent do something
We have dumb code in setfiles which will set a static variable called
ignore_enoent.  Thing is, nothing uses it.  So move the setting to where
it is useful and use it!

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-08-02 13:34:05 -04:00