Date: Tue, 16 May 2006 19:19:19 GMT From: Todd Miller <millert@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 97286 for review Message-ID: <200605161919.k4GJJJl3079483@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=97286 Change 97286 by millert@millert_p4 on 2006/05/16 19:18:30 A port of policycoreutils version 1.30 to SEBSD Obtained from: selinux.sourceforge.net Affected files ... .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/COPYING#2 edit .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/ChangeLog#2 edit .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/Makefile#2 edit .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/VERSION#2 edit .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/audit2allow/Makefile#2 edit .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/audit2allow/audit2allow#2 edit .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/audit2allow/audit2allow.1#1 add .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/audit2allow/audit2allow.perl#1 add .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/audit2why/Makefile#1 add .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/audit2why/audit2why.8#1 add .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/audit2why/audit2why.c#1 add .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/load_policy/Makefile#2 edit .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/load_policy/load_policy.8#2 edit .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/load_policy/load_policy.c#2 edit .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/newrole/Makefile#2 edit .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/newrole/newrole.1#2 edit .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/newrole/newrole.c#3 edit .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/newrole/newrole.pamd#2 edit .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/po/Makefile#2 edit .. 
//depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/po/Makefile.in#2 edit .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/po/Makefile.in.in#2 edit .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/po/POTFILES#2 edit .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/po/POTFILES.in#2 edit .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/po/da.po#2 edit .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/po/de.po#2 edit .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/po/es.po#2 edit .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/po/et.po#2 edit .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/po/fr.po#2 edit .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/po/gl.po#2 edit .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/po/id.po#2 edit .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/po/it.po#2 edit .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/po/ko.po#2 edit .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/po/nl.po#2 edit .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/po/pl.po#2 edit .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/po/policycoreutils.pot#2 edit .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/po/pt_BR.po#2 edit .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/po/ru.po#2 edit .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/po/sv.po#2 edit .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/policycoreutils.spec#2 edit .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/restorecon/Makefile#2 edit .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/restorecon/restorecon.8#2 edit .. 
//depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/restorecon/restorecon.c#2 edit .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/run_init/Makefile#2 edit .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/run_init/open_init_pty.8#1 add .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/run_init/open_init_pty.c#1 add .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/run_init/run_init.8#2 edit .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/run_init/run_init.c#2 edit .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/run_init/run_init.pamd#2 edit .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/scripts/Makefile#2 edit .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/scripts/chcat#1 add .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/scripts/chcat.8#1 add .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/scripts/fixfiles#2 edit .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/scripts/fixfiles.8#1 add .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/scripts/fixfiles.8.gz#2 edit .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/scripts/fixfiles.cron#2 edit .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/scripts/genhomedircon#2 edit .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/scripts/genhomedircon.8#1 add .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/semanage/Makefile#1 add .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/semanage/semanage#1 add .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/semanage/semanage.8#1 add .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/semanage/seobject.py#1 add .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/semodule/Makefile#1 add .. 
//depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/semodule/semodule.8#1 add .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/semodule/semodule.c#1 add .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/semodule_expand/Makefile#1 add .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/semodule_expand/semodule_expand.8#1 add .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/semodule_expand/semodule_expand.c#1 add .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/semodule_link/Makefile#1 add .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/semodule_link/semodule_link.8#1 add .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/semodule_link/semodule_link.c#1 add .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/semodule_package/Makefile#1 add .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/semodule_package/semodule_package.8#1 add .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/semodule_package/semodule_package.c#1 add .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/sestatus/Makefile#2 edit .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/sestatus/sestatus.8#2 edit .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/sestatus/sestatus.c#2 edit .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/sestatus/sestatus.conf#2 edit .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/setfiles/Makefile#2 edit .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/setfiles/setfiles.8#2 edit .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/setfiles/setfiles.c#2 edit .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/setsebool/Makefile#1 add .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/setsebool/setsebool.8#1 add .. 
//depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/setsebool/setsebool.c#1 add Differences ... ==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/COPYING#2 (text+ko) ==== ==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/ChangeLog#2 (text+ko) ==== 
@@ -1,3 +1,458 @@ +1.30 2006-03-14 + * Updated version for release. + +1.29.28 2006-03-13 + * Merged German translations (de.po) by Debian translation team from Manoj Srivastava. + +1.29.27 2006-03-08 + * Merged audit2allow -R support, chcat fix, semanage MLS checks + and semanage audit calls from Dan Walsh. + +1.29.26 2006-02-15 + * Merged semanage bug fix patch from Ivan Gyurdiev. + +1.29.25 2006-02-14 + * Merged improve bindings patch from Ivan Gyurdiev. + +1.29.24 2006-02-14 + * Merged semanage usage patch from Ivan Gyurdiev. + * Merged use PyList patch from Ivan Gyurdiev. + +1.29.23 2006-02-13 + * Merged newrole -V/--version support from Glauber de Oliveira Costa. + +1.29.22 2006-02-13 + * Merged genhomedircon prefix patch from Dan Walsh. + +1.29.21 2006-02-13 + * Merged optionals in base patch from Joshua Brindle. + +1.29.20 2006-02-07 + * Merged seuser/user_extra support patch to semodule_package + from Joshua Brindle. + +1.29.19 2006-02-06 + * Merged getopt type fix for semodule_link/expand and sestatus + from Chris PeBenito. + +1.29.18 2006-02-02 + * Merged clone record on set_con patch from Ivan Gyurdiev. + +1.29.17 2006-01-30 + * Merged genhomedircon fix from Dan Walsh. + +1.29.16 2006-01-30 + * Merged seusers.system patch from Ivan Gyurdiev. + * Merged improve port/fcontext API patch from Ivan Gyurdiev. + * Merged genhomedircon patch from Dan Walsh. + +1.29.15 2006-01-27 + * Merged newrole audit patch from Steve Grubb. + +1.29.14 2006-01-27 + * Merged seuser -> seuser local rename patch from Ivan Gyurdiev. + +1.29.13 2006-01-27 + * Merged semanage and semodule access check patches from Joshua Brindle. + +1.29.12 2006-01-26 + * Merged restorecon, chcat, and semanage patches from Dan Walsh. + +1.29.11 2006-01-25 + * Modified newrole and run_init to use the loginuid when + supported to obtain the Linux user identity to re-authenticate, + and to fall back to real uid. 
Dropped the use of the SELinux + user identity, as Linux users are now mapped to SELinux users + via seusers and the SELinux user identity space is separate. + +1.29.10 2006-01-20 + * Merged semanage bug fixes from Ivan Gyurdiev. + * Merged semanage fixes from Russell Coker. + * Merged chcat.8 and genhomedircon patches from Dan Walsh. + +1.29.9 2006-01-19 + * Merged chcat, semanage, and setsebool patches from Dan Walsh. + +1.29.8 2006-01-18 + * Merged semanage fixes from Ivan Gyurdiev. + * Merged semanage fixes from Russell Coker. + * Merged chcat, genhomedircon, and semanage diffs from Dan Walsh. + +1.29.7 2006-01-13 + * Merged newrole cleanup patch from Steve Grubb. + * Merged setfiles/restorecon performance patch from Russell Coker. + * Merged genhomedircon and semanage patches from Dan Walsh. + +1.29.6 2006-01-12 + * Merged remove add_local/set_local patch from Ivan Gyurdiev. + +1.29.5 2006-01-05 + * Added filename to semodule error reporting. + +1.29.4 2006-01-05 + * Merged genhomedircon and semanage patch from Dan Walsh. + * Changed semodule error reporting to include argv[0]. + +1.29.3 2006-01-04 + * Merged semanage getpwnam bug fix from Serge Hallyn (IBM). + * Merged patch series from Ivan Gyurdiev. + This includes patches to: + - cleanup setsebool + - update setsebool to apply active booleans through libsemanage + - update semodule to use the new semanage_set_rebuild() interface + - fix various bugs in semanage + * Merged patch from Dan Walsh (Red Hat). + This includes fixes for restorecon, chcat, fixfiles, genhomedircon, + and semanage. + +1.29.2 2005-12-14 + * Merged patch for chcat script from Dan Walsh. + +1.29.1 2005-12-08 + * Merged fix for audit2allow long option list from Dan Walsh. + * Merged -r option for restorecon (alias for -R) from Dan Walsh. + * Merged chcat script and man page from Dan Walsh. + +1.28 2005-12-07 + * Updated version for release. + +1.27.37 2005-12-07 + * Clarified the genhomedircon warning message. 
+ +1.27.36 2005-12-05 + * Changed genhomedircon to warn on use of ROLE in homedir_template + if using managed policy, as libsemanage does not yet support it. + +1.27.35 2005-12-02 + * Merged genhomedircon bug fix from Dan Walsh. + +1.27.34 2005-12-02 + * Revised semodule* man pages to refer to checkmodule and + to include example sections. + +1.27.33 2005-12-01 + * Merged audit2allow --tefile and --fcfile support from Dan Walsh. + * Merged genhomedircon fix from Dan Walsh. + * Merged semodule* man pages from Dan Walsh, and edited them. + +1.27.32 2005-12-01 + * Changed setfiles to set the MATCHPATHCON_VALIDATE flag to + retain validation/canonicalization of contexts during init. + +1.27.31 2005-11-29 + * Changed genhomedircon to always use user_r for the role in the + managed case since user_get_defrole is broken. + +1.27.30 2005-11-29 + * Merged sestatus, audit2allow, and semanage patch from Dan Walsh. + * Fixed semodule -v option. + +1.27.29 2005-11-28 + * Merged audit2allow python script from Dan Walsh. + (old script moved to audit2allow.perl, will be removed later). + * Merged genhomedircon fixes from Dan Walsh. + * Merged semodule quieting patch from Dan Walsh + (inverts default, use -v to restore original behavior). + +1.27.28 2005-11-15 + * Merged genhomedircon rewrite from Dan Walsh. + +1.27.27 2005-11-09 + * Merged setsebool cleanup patch from Ivan Gyurdiev. + +1.27.26 2005-11-09 + * Added -B (--build) option to semodule to force a rebuild. + +1.27.25 2005-11-08 + * Reverted setsebool patch to call semanage_set_reload_bools(). + * Changed setsebool to disable policy reload and to call + security_set_boolean_list to update the runtime booleans. + +1.27.24 2005-11-08 + * Changed setfiles -c to use new flag to set_matchpathcon_flags() + to disable context translation by matchpathcon_init(). + +1.27.23 2005-11-07 + * Changed setfiles for the context canonicalization support. 
+ +1.27.22 2005-11-07 + * Changed setsebool to call semanage_is_managed() interface + and fall back to security_set_boolean_list() if policy is + not managed. + +1.27.21 2005-11-07 + * Merged setsebool memory leak fix from Ivan Gyurdiev. + * Merged setsebool patch to call semanage_set_reload_bools() + interface from Ivan Gyurdiev. + +1.27.20 2005-11-04 + * Merged setsebool patch from Ivan Gyurdiev. + This moves setsebool from libselinux/utils to policycoreutils, + and rewrites it to use libsemanage for permanent boolean changes. + +1.27.19 2005-10-25 + * Merged semodule support for reload, noreload, and store options + from Joshua Brindle. + * Merged semodule_package rewrite from Joshua Brindle. + +1.27.18 2005-10-20 + * Cleaned up usage and error messages and releasing of memory by + semodule_* utilities. + +1.27.17 2005-10-20 + * Corrected error reporting by semodule. + +1.27.16 2005-10-19 + * Updated semodule_expand for change to sepol interface. + +1.27.15 2005-10-19 + * Merged fixes for make DESTDIR= builds from Joshua Brindle. + +1.27.14 2005-10-18 + * Updated semodule_package for sepol interface changes. + +1.27.13 2005-10-17 + * Updated semodule_expand/link for sepol interface changes. + +1.27.12 2005-10-14 + * Merged non-PAM Makefile support for newrole and run_init from Timothy Wood. + +1.27.11 2005-10-13 + * Updated semodule_expand to use get interfaces for hidden sepol_module_package type. + +1.27.10 2005-10-13 + * Merged newrole and run_init pam config patches from Dan Walsh (Red Hat). + +1.27.9 2005-10-13 + * Merged fixfiles patch from Dan Walsh (Red Hat). + +1.27.8 2005-10-13 + * Updated semodule for removal of semanage_strerror. + +1.27.7 2005-10-11 + * Updated semodule_link and semodule_expand to use shared libsepol. + Fixed audit2why to call policydb_init prior to policydb_read (still + uses the static libsepol). + +1.27.6 2005-10-07 + * Updated for changes to libsepol. + Changed semodule and semodule_package to use the shared libsepol. 
+ Disabled build of semodule_link and semodule_expand for now. + Updated audit2why for relocated policydb internal headers, + still needs to be converted to a shared lib interface. + +1.27.5 2005-10-06 + * Fixed warnings in load_policy. + +1.27.4 2005-10-06 + * Rewrote load_policy to use the new selinux_mkload_policy() + interface provided by libselinux. + +1.27.3 2005-09-28 + * Merged patch to update semodule to the new libsemanage API + and improve the user interface from Karl MacMillan (Tresys). + * Modified semodule for the create/connect API split. + +1.27.2 2005-09-20 + * Merged run_init open_init_pty bug fix from Manoj Srivastava + (unblock SIGCHLD). Bug reported by Erich Schubert. + +1.27.1 2005-09-20 + * Merged error shadowing bug fix for restorecon from Dan Walsh. + * Merged setfiles usage/man page update for -r option from Dan Walsh. + * Merged fixfiles -C patch to ignore :s0 addition on update + to a MCS/MLS policy from Dan Walsh. + +1.26 2005-09-06 + * Updated version for release. + +1.25.9 2005-08-31 + * Changed setfiles -c to translate the context to raw format + prior to calling libsepol. + +1.25.8 2005-08-31 + * Changed semodule to report errors even without -v, + to detect extraneous arguments, and corrected usage message. + +1.25.7 2005-08-25 + * Merged patch for fixfiles -C from Dan Walsh. + +1.25.6 2005-08-22 + * Merged fixes for semodule_link and sestatus from Serge Hallyn (IBM). + Bugs found by Coverity. + +1.25.5 2005-08-02 + * Merged patch to move module read/write code from libsemanage + to libsepol from Jason Tang (Tresys). + +1.25.4 2005-07-27 + * Changed semodule* to link with libsemanage. + +1.25.3 2005-07-26 + * Merged restorecon patch from Ivan Gyurdiev. + +1.25.2 2005-07-11 + * Merged load_policy, newrole, and genhomedircon patches from Red Hat. + +1.25.1 2005-07-06 + * Merged loadable module support from Tresys Technology. + +1.24 2005-06-20 + * Updated version for release. 
+ +1.23.11 2005-05-19 + * Merged fixfiles and newrole patch from Dan Walsh. + * Merged audit2why man page from Dan Walsh. + +1.23.10 2005-05-16 + * Extended audit2why to incorporate booleans and local user + settings when analyzing audit messages. + +1.23.9 2005-05-13 + * Updated audit2why for sepol_ prefixes on Flask types to + avoid namespace collision with libselinux, and to + include <selinux/selinux.h> now. + +1.23.8 2005-05-13 + * Added audit2why utility. + +1.23.7 2005-04-29 + * Merged patch for fixfiles from Dan Walsh. + Allow passing -F to force reset of customizable contexts. + +1.23.6 2005-04-13 + * Fixed signed/unsigned pointer bug in load_policy. + * Reverted context validation patch for genhomedircon. + +1.23.5 2005-04-12 + * Reverted load_policy is_selinux_enabled patch from Dan Walsh. + Otherwise, an initial policy load cannot be performed using + load_policy, e.g. for anaconda. + +1.23.4 2005-04-08 + * Merged load_policy is_selinux_enabled patch from Dan Walsh. + * Merged restorecon verbose output patch from Dan Walsh. + * Merged setfiles altroot patch from Chris PeBenito. + +1.23.3 2005-03-17 + * Merged context validation patch for genhomedircon from Eric Paris. + +1.23.2 2005-03-16 + * Changed setfiles -c to call set_matchpathcon_flags(3) to + turn off processing of .homedirs and .local. + +1.23.1 2005-03-14 + * Merged rewrite of genhomedircon by Eric Paris. + * Changed fixfiles to relabel jfs since it now supports security xattrs + (as of 2.6.11). Removed reiserfs until 2.6.12 is released with + fixed support for reiserfs and selinux. + +1.22 2005-03-09 + * Updated version for release. + +1.21.22 2005-03-07 + * Merged restorecon and genhomedircon patch from Dan Walsh. + +1.21.21 2005-02-28 + * Merged load_policy and genhomedircon patch from Dan Walsh. + +1.21.20 2005-02-24 + * Merged fixfiles and genhomedircon patch from Dan Walsh. + +1.21.19 2005-02-22 + * Merged several fixes from Ulrich Drepper. 
+ +1.21.18 2005-02-18 + * Changed load_policy to fall back to the original policy upon + an error from sepol_genusers(). + +1.21.17 2005-02-17 + * Merged new genhomedircon script from Dan Walsh. + +1.21.16 2005-02-17 + * Changed load_policy to call sepol_genusers(). + +1.21.15 2005-02-09 + * Changed relabel Makefile target to use restorecon. + +1.21.14 2005-02-08 + * Merged restorecon patch from Dan Walsh. + +1.21.13 2005-02-07 + * Merged sestatus patch from Dan Walsh. + * Merged further change to fixfiles -C from Dan Walsh. + +1.21.12 2005-02-02 + * Merged further patches for restorecon/setfiles -e and fixfiles -C. + +1.21.11 2005-02-02 + * Merged patch for fixfiles -C option from Dan Walsh. + * Merged patch -e support for restorecon from Dan Walsh. + * Merged updated -e support for setfiles from Dan Walsh. + +1.21.10 2005-01-31 + * Merged patch for open_init_pty from Manoj Srivastava. + +1.21.9 2005-01-28 + * Merged updated fixfiles script from Dan Walsh. + * Merged updated man page for fixfiles from Dan Walsh and re-added unzipped. + * Reverted fixfiles patch for file_contexts.local; + obsoleted by setfiles rewrite. + * Merged error handling patch for restorecon from Dan Walsh. + * Merged semi raw mode for open_init_pty helper from Manoj Srivastava. + +1.21.8 2005-01-28 + * Rewrote setfiles to use matchpathcon and the new interfaces + exported by libselinux (>= 1.21.5). + +1.21.7 2005-01-27 + * Prevent overflow of spec array in setfiles. + +1.21.6 2005-01-27 + * Merged genhomedircon STARTING_UID bug fix from Dan Walsh. + +1.21.5 2005-01-26 + * Merged newrole -l support from Darrel Goeddel (TCS). + +1.21.4 2005-01-25 + * Merged fixfiles patch for file_contexts.local from Dan Walsh. + +1.21.3 2005-01-21 + * Fixed restorecon to not treat errors from is_context_customizable() + as a customizable context. + * Merged setfiles/restorecon patch to not reset user field unless + -F option is specified from Dan Walsh. 
+ +1.21.2 2005-01-21 + * Merged open_init_pty helper for run_init from Manoj Srivastava. + * Merged audit2allow and genhomedircon man pages from Manoj Srivastava. + +1.21.1 2005-01-19 + * Merged customizable contexts patch for restorecon/setfiles from Dan Walsh. + +1.20 2005-01-06 + * Merged fixfiles rewrite from Dan Walsh. + * Merged restorecon patch from Dan Walsh. + * Merged fixfiles and restorecon patches from Dan Walsh. + * Changed restorecon to ignore ENOENT errors from matchpathcon. + * Merged nonls patch from Chris PeBenito. + * Removed fixfiles.cron. + * Merged run_init.8 patch from Dan Walsh. + +1.18 2004-11-01 + * Merged audit2allow patch from Thomas Bleher, with mods by Dan Walsh. + * Merged sestatus patch from Steve Grubb. + * Merged fixfiles patch from Dan Walsh. + * Added -l option to setfiles to log changes via syslog. + * Merged -e option to setfiles to exclude directories. + * Merged -R option to restorecon for recursive descent. + * Merged sestatus patch from Steve Grubb via Dan Walsh. + * Merged load_policy and fixfiles.cron patches from Dan Walsh. + * Merged fix for setfiles context validation patch from Colin Walters. + * Merged setfiles context validation patch from Colin Walters. + * Merged genhomedircon patch from Russell Coker. + * Merged restorecon patch from Russell Coker. + 1.16 2004-08-13 * Merged audit2allow fix from Tom London. * Merged load_policy man page from Dan Walsh. ==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/Makefile#2 (text+ko) ==== @@ -1,4 +1,4 @@ -SUBDIRS=setfiles load_policy newrole run_init restorecon audit2allow scripts po sestatus +SUBDIRS=setfiles semanage load_policy newrole run_init restorecon audit2allow audit2why scripts sestatus semodule_package semodule semodule_link semodule_expand setsebool po all install relabel clean: @for subdir in $(SUBDIRS); do \ ==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/VERSION#2 (text+ko) ==== 
@@ -1,1 +1,1 @@ -1.16 +1.30 ==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/audit2allow/Makefile#2 (text+ko) ==== @@ -1,6 +1,7 @@ # Installation directories. PREFIX ?= ${DESTDIR}/usr BINDIR ?= $(PREFIX)/bin +MANDIR ?= $(PREFIX)/share/man LOCALEDIR ?= /usr/share/locale TARGETS=audit2allow @@ -10,6 +11,8 @@ install: all -mkdir -p $(BINDIR) install -m 755 $(TARGETS) $(BINDIR) + -mkdir -p $(MANDIR)/man1 + install -m 644 audit2allow.1 $(MANDIR)/man1/ clean: ==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/audit2allow/audit2allow#2 (text+ko) ==== @@ -1,7 +1,12 @@ -#!/usr/bin/perl - -# Adapted from: +#! /usr/bin/env python +# Copyright (C) 2005 Red Hat +# see file 'COPYING' for use and warranty information +# +# Audit2allow is a rewrite of prior perl script. +# +# Based off original audit2allow perl script: which credits # newrules.pl, Copyright (C) 2001 Justin R. Smith (jsmith@mcs.drexel.edu) +# 2003 Oct 11: Add -l option by Yuichi Nakamura(ynakam@users.sourceforge.jp) # # This program is free software; you can redistribute it and/or # modify it under the terms of the GNU General Public License as 
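Review bot: The new first line of audit2allow/audit2allow, `#! /usr/bin/env python`, resolves the interpreter through the caller's PATH, where the Perl script it replaces named a fixed `/usr/bin/perl`. This tool is presumably run with administrative privileges against audit logs, and its output is meant to end up in policy, so a fixed interpreter is the safer default. I would have the install step rewrite the line to `#!<absolute path to python>` (placeholder, set per platform). If env is kept for portability of the SEBSD port, a comment under the copyright lines such as `# env is used because the python location differs between platforms; run with a trusted PATH` would record that trade-off.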
@@ -17,142 +22,590 @@ # along with this program; if not, write to the Free Software # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA # 02111-1307 USA -# 2003 Oct 11: Add -l option by Yuichi Nakamura(ynakam@users.sourceforge.jp) +# +# +import commands, sys, os, pwd, string, getopt, re, selinux + +obj="(\{[^\}]*\}|[^ \t:]*)" +allow_regexp="allow[ \t]+%s[ \t]*%s[ \t]*:[ \t]*%s[ \t]*%s" % (obj, obj, obj, obj) + +awk_script='/^[[:blank:]]*interface[[:blank:]]*\(/ {\n\ + IFACEFILE=FILENAME\n\ + IFACENAME = gensub("^[[:blank:]]*interface[[:blank:]]*\\\\(\`?","","g",$0);\n\ + IFACENAME = gensub("\'?,.*$","","g",IFACENAME);\n\ +}\n\ +\n\ +/^[[:blank:]]*allow[[:blank:]]+.*;[[:blank:]]*$/ {\n\ +\n\ + if ((length(IFACENAME) > 0) && (IFACEFILE == FILENAME)){\n\ + ALLOW = gensub("^[[:blank:]]*","","g",$0)\n\ + ALLOW = gensub(";[[:blank:]]*$","","g",$0)\n\ + print FILENAME "\\t" IFACENAME "\\t" ALLOW;\n\ + }\n\ +}\ +' + +class accessTrans: + def __init__(self): + self.dict={} + try: + fd=open("/usr/share/selinux/devel/include/support/obj_perm_sets.spt") + except IOError, error: + raise IOError("Reference policy generation requires the policy development package.\n%s" % error) + records=fd.read().split("\n") + regexp="^define *\(`([^']*)' *, *` *\{([^}]*)}'" + for r in records: + m=re.match(regexp,r) + if m!=None: + self.dict[m.groups()[0]] = m.groups()[1].split() + fd.close() + def get(self, var): + l=[] + for v in var: + if v in self.dict.keys(): + l += self.dict[v] + else: + if v not in ("{", "}"): + l.append(v) + return l + +class interfaces: + def __init__(self): + self.dict={} + trans=accessTrans() + (input, output) = os.popen2("awk -f - /usr/share/selinux/devel/include/*/*.if 2> /dev/null") + input.write(awk_script) + input.close() + records=output.read().split("\n") + input.close() + if len(records) > 0: + regexp="([^ \t]*)[ \t]+([^ \t]*)[ \t]+%s" % allow_regexp + for r in records: + m=re.match(regexp,r) + if m==None: + continue + else: + val=m.groups() + 
file=os.path.basename(val[0]).split(".")[0] + iface=val[1] + Scon=val[2].split() + Tcon=val[3].split() + Class=val[4].split() + Access=trans.get(val[5].split()) + for s in Scon: + for t in Tcon: + for c in Class: + if (s, t, c) not in self.dict.keys(): + self.dict[(s, t, c)]=[] + self.dict[(s, t, c)].append((Access, file, iface)) + def out(self): + keys=self.dict.keys() + keys.sort() + for k in keys: + print k + for i in self.dict[k]: + print "\t", i + + def match(self, Scon, Tcon, Class, Access): + keys=self.dict.keys() + ret=[] + if (Scon, Tcon, Class) in keys: + for i in self.dict[(Scon, Tcon, Class)]: + if Access in i[0]: + if i[2].find(Access) >= 0: + ret.insert(0, i) + else: + ret.append(i) + return ret + if ("$1", Tcon, Class) in keys: + for i in self.dict[("$1", Tcon, Class)]: + if Access in i[0]: + if i[2].find(Access) >= 0: + ret.insert(0, i) + else: + ret.append(i) + return ret + if (Scon, "$1", Class) in keys: + for i in self.dict[(Scon, "$1", Class)]: + if Access in i[0]: + if i[2].find(Access) >= 0: + ret.insert(0, i) + else: + ret.append(i) + return ret + else: + return ret + + +class serule: + def __init__(self, type, source, target, seclass): + self.type=type + self.source=source + self.target=target + self.seclass=seclass + self.avcinfo={} + self.iface=None + + def add(self, avc): + for a in avc[0]: + if a not in self.avcinfo.keys(): + self.avcinfo[a]=[] + + self.avcinfo[a].append(avc[1:]) + + def getAccess(self): + if len(self.avcinfo.keys()) == 1: + for i in self.avcinfo.keys(): + return i + else: + keys=self.avcinfo.keys() + keys.sort() + ret="{" + for i in keys: + ret=ret + " " + i + ret=ret+" }" + return ret + def out(self, verbose=0): + ret="" + ret=ret+"%s %s %s:%s %s;" % (self.type, self.source, self.gettarget(), self.seclass, self.getAccess()) + if verbose: + keys=self.avcinfo.keys() + keys.sort() + for i in keys: + for x in self.avcinfo[i]: + ret=ret+"\n\t#TYPE=AVC MSG=%s " % x[0] + if len(x[1]): + ret=ret+"COMM=%s " % x[1] + if 
len(x[2]): + ret=ret+"NAME=%s " % x[2] + ret=ret + " : " + i + return ret + + def gen_reference_policy(self, iface): + ret="" + Scon=self.source + Tcon=self.gettarget() + Class=self.seclass + Access=self.getAccess() + m=iface.match(Scon,Tcon,Class,Access) + if len(m)==0: + return self.out() + else: + file=m[0][1] + ret="\n#%s\n"% self.out() + ret += "optional_policy(`%s', `\n" % m[0][1] + first=True + for i in m: + if file != i[1]: + ret += "')\ngen_require(`%s', `\n" % i[1] + file = i[1] + first=True + if first: + ret += "\t%s(%s)\n" % (i[2], Scon) + first=False + else: + ret += "#\t%s(%s)\n" % (i[2], Scon) + ret += "');" + return ret + + def gettarget(self): + if self.source == self.target: + return "self" + else: + return self.target + +class seruleRecords: + def __init__(self, input, last_reload=0, verbose=0, te_ind=0): + self.last_reload=last_reload + self.seRules={} + self.seclasses={} + self.types=[] + self.roles=[] + self.load(input, te_ind) + self.gen_ref_policy = False + + def gen_reference_policy(self): + self.gen_ref_policy = True + self.iface=interfaces() + + def warning(self, error): + sys.stderr.write("%s: " % sys.argv[0]) + sys.stderr.write("%s\n" % error) + sys.stderr.flush() + + def load(self, input, te_ind=0): + VALID_CMDS=("allow", "dontaudit", "auditallow", "role") + + avc=[] + found=0 + line = input.readline() + if te_ind: + while line: + rec=line.split() + if len(rec) and rec[0] in VALID_CMDS: + self.add_terule(line) + line = input.readline() + + else: + while line: + rec=line.split() + for i in rec: + if i=="avc:" or i=="message=avc:" or i=="msg='avc:": + + found=1 + else: + avc.append(i) + if found: + self.add(avc) + found=0 + avc=[] + line = input.readline() + + + def get_target(self, i, rule): + target=[] + if rule[i][0] == "{": + for t in rule[i].split("{"): + if len(t): + target.append(t) + i=i+1 + for s in rule[i:]: + if s.find("}") >= 0: + for s1 in s.split("}"): + if len(s1): + target.append(s1) + i=i+1 + return (i, target) + + 
target.append(s) + i=i+1 + else: + if rule[i].find(";") >= 0: + for s1 in rule[i].split(";"): + if len(s1): + target.append(s1) + else: + target.append(rule[i]) + + i=i+1 + return (i, target) + + def rules_split(self, rules): + (idx, target ) = self.get_target(0, rules) + (idx, subject) = self.get_target(idx, rules) + return (target, subject) + + def add_terule(self, rule): + rc = rule.split(":") + rules=rc[0].split() + type=rules[0] + if type == "role": + print type + (sources, targets) = self.rules_split(rules[1:]) + rules=rc[1].split() + (seclasses, access) = self.rules_split(rules) + for scon in sources: + for tcon in targets: + for seclass in seclasses: + self.add_rule(type, scon, tcon, seclass,access) + + def add_rule(self, rule_type, scon, tcon, seclass, access, msg="", comm="", name=""): + self.add_seclass(seclass, access) + self.add_type(tcon) + self.add_type(scon) + if (rule_type, scon, tcon, seclass) not in self.seRules.keys(): + self.seRules[(rule_type, scon, tcon, seclass)]=serule(rule_type, scon, tcon, seclass) + + self.seRules[(rule_type, scon, tcon, seclass)].add((access, msg, comm, name )) + def add(self,avc): + scon="" + tcon="" + seclass="" + comm="" + name="" + msg="" + access=[] + if "security_compute_sid" in avc: + return + + if "load_policy" in avc and self.last_reload: + self.seRules={} -$load_policy_pattern="avc:.*granted.*{.*load_policy.*}"; + if "granted" in avc: + return + try: + for i in range (0, len(avc)): + if avc[i]=="{": + i=i+1 + while i<len(avc) and avc[i] != "}": + access.append(avc[i]) + i=i+1 + continue + + t=avc[i].split('=') + if len(t) < 2: + continue + if t[0]=="scontext": + context=t[1].split(":") + scon=context[2] + srole=context[1] + continue + if t[0]=="tcontext": + context=t[1].split(":") + tcon=context[2] + trole=context[1] + continue + if t[0]=="tclass": + seclass=t[1] + continue + if t[0]=="comm": + comm=t[1] + continue + if t[0]=="name": + name=t[1] + continue + if t[0]=="msg": + msg=t[1] + continue -while ($opt = 
shift @ARGV) { - if ($opt eq "-d") { $read_dmesg++; } - elsif ($opt eq "-v") { $verbose++; } - elsif ($opt eq "-i") { $input = shift @ARGV; } - elsif ($opt eq "-o") { $output= shift @ARGV; } - elsif ($opt eq "-l") { $load_policy++; } - elsif ($opt eq "--help") { &printUsage; } - else { print "unknown option, '$opt'\n\n"; &printUsage; } -} + if scon=="" or tcon =="" or seclass=="": + return + except IndexError, e: + self.warning("Bad AVC Line: %s" % avc) + return + + self.add_role(srole) + self.add_role(trole) + self.add_rule("allow", scon, tcon, seclass, access, msg, comm, name) -if ($read_dmesg && $input) { - print "Error, can't read from both dmesg and $input\n\n"; - &printUsage; -} + def add_seclass(self,seclass, access): + if seclass not in self.seclasses.keys(): + self.seclasses[seclass]=[] + for a in access: + if a not in self.seclasses[seclass]: + self.seclasses[seclass].append(a) + + def add_role(self,role): + if role not in self.roles: + self.roles.append(role) -if ($read_dmesg) { open (IN, "/bin/dmesg|"); } -elsif ($input) { open (IN, "$input"); } >>> TRUNCATED FOR MAIL (1000 lines) <<<