From 7b3ab100a929f4933594e90092c594d813a3a39e Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Aug 28 2009 18:18:46 +0000 Subject: * Fri Aug 28 2009 Dan Walsh 2.0.71-14 - Add enable/disable patch --- diff --git a/policycoreutils-rhat.patch b/policycoreutils-rhat.patch index 81b8407..2603f12 100644 --- a/policycoreutils-rhat.patch +++ b/policycoreutils-rhat.patch @@ -1,6 +1,6 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/audit2allow/audit2allow policycoreutils-2.0.71/audit2allow/audit2allow --- nsapolicycoreutils/audit2allow/audit2allow 2009-01-13 08:45:35.000000000 -0500 -+++ policycoreutils-2.0.71/audit2allow/audit2allow 2009-08-26 17:34:50.000000000 -0400 ++++ policycoreutils-2.0.71/audit2allow/audit2allow 2009-08-28 14:07:24.000000000 -0400 @@ -42,6 +42,8 @@ from optparse import OptionParser @@ -40,7 +40,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po f = sys.stdin diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/Makefile policycoreutils-2.0.71/Makefile --- nsapolicycoreutils/Makefile 2008-08-28 09:34:24.000000000 -0400 -+++ policycoreutils-2.0.71/Makefile 2009-08-26 17:34:50.000000000 -0400 ++++ policycoreutils-2.0.71/Makefile 2009-08-28 14:07:24.000000000 -0400 @@ -1,4 +1,4 @@ -SUBDIRS = setfiles semanage load_policy newrole run_init secon audit2allow audit2why scripts sestatus semodule_package semodule semodule_link semodule_expand semodule_deps setsebool po +SUBDIRS = setfiles semanage load_policy newrole run_init sandbox secon audit2allow audit2why scripts sestatus semodule_package semodule semodule_link semodule_expand semodule_deps setsebool po gui 
@@ -49,7 +49,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/Makefile policycoreutils-2.0.71/restorecond/Makefile --- nsapolicycoreutils/restorecond/Makefile 2009-08-20 15:49:21.000000000 -0400 -+++ policycoreutils-2.0.71/restorecond/Makefile 2009-08-26 17:34:50.000000000 -0400 ++++ policycoreutils-2.0.71/restorecond/Makefile 2009-08-28 14:07:24.000000000 -0400 @@ -1,17 +1,28 @@ # Installation directories. PREFIX ?= ${DESTDIR}/usr @@ -98,14 +98,14 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po /sbin/restorecon $(SBINDIR)/restorecond diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/org.selinux.Restorecond.service policycoreutils-2.0.71/restorecond/org.selinux.Restorecond.service --- nsapolicycoreutils/restorecond/org.selinux.Restorecond.service 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.71/restorecond/org.selinux.Restorecond.service 2009-08-26 17:34:50.000000000 -0400 ++++ policycoreutils-2.0.71/restorecond/org.selinux.Restorecond.service 2009-08-28 14:07:24.000000000 -0400 @@ -0,0 +1,3 @@ +[D-BUS Service] +Name=org.selinux.Restorecond +Exec=/usr/sbin/restorecond -u diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.c policycoreutils-2.0.71/restorecond/restorecond.c --- nsapolicycoreutils/restorecond/restorecond.c 2009-08-20 15:49:21.000000000 -0400 -+++ policycoreutils-2.0.71/restorecond/restorecond.c 2009-08-26 17:34:50.000000000 -0400 ++++ policycoreutils-2.0.71/restorecond/restorecond.c 2009-08-28 14:07:24.000000000 -0400 @@ -48,294 +48,38 @@ #include #include 
@@ -598,7 +598,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po + diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.conf policycoreutils-2.0.71/restorecond/restorecond.conf --- nsapolicycoreutils/restorecond/restorecond.conf 2009-08-20 15:49:21.000000000 -0400 -+++ policycoreutils-2.0.71/restorecond/restorecond.conf 2009-08-26 17:34:50.000000000 -0400 ++++ policycoreutils-2.0.71/restorecond/restorecond.conf 2009-08-28 14:07:24.000000000 -0400 @@ -4,8 +4,5 @@ /etc/mtab /var/run/utmp @@ -611,7 +611,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po - diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.desktop policycoreutils-2.0.71/restorecond/restorecond.desktop --- nsapolicycoreutils/restorecond/restorecond.desktop 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.71/restorecond/restorecond.desktop 2009-08-26 17:34:50.000000000 -0400 ++++ policycoreutils-2.0.71/restorecond/restorecond.desktop 2009-08-28 14:07:24.000000000 -0400 @@ -0,0 +1,7 @@ +[Desktop Entry] +Name=File Context maintainer @@ -622,7 +622,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po +StartupNotify=false diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.h policycoreutils-2.0.71/restorecond/restorecond.h --- nsapolicycoreutils/restorecond/restorecond.h 2009-08-20 15:49:21.000000000 -0400 -+++ policycoreutils-2.0.71/restorecond/restorecond.h 2009-08-26 17:34:50.000000000 -0400 ++++ policycoreutils-2.0.71/restorecond/restorecond.h 2009-08-28 14:07:24.000000000 -0400 @@ -24,7 +24,21 @@ #ifndef RESTORED_CONFIG_H #define RESTORED_CONFIG_H 
@@ -649,13 +649,13 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po #endif diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond_user.conf policycoreutils-2.0.71/restorecond/restorecond_user.conf --- nsapolicycoreutils/restorecond/restorecond_user.conf 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.71/restorecond/restorecond_user.conf 2009-08-26 17:34:50.000000000 -0400 ++++ policycoreutils-2.0.71/restorecond/restorecond_user.conf 2009-08-28 14:07:24.000000000 -0400 @@ -0,0 +1,2 @@ +~/* +~/public_html/* diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/user.c policycoreutils-2.0.71/restorecond/user.c --- nsapolicycoreutils/restorecond/user.c 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.71/restorecond/user.c 2009-08-26 17:34:50.000000000 -0400 ++++ policycoreutils-2.0.71/restorecond/user.c 2009-08-28 14:07:24.000000000 -0400 @@ -0,0 +1,237 @@ +/* + * restorecond @@ -896,7 +896,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po + diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/watch.c policycoreutils-2.0.71/restorecond/watch.c --- nsapolicycoreutils/restorecond/watch.c 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.71/restorecond/watch.c 2009-08-26 17:34:50.000000000 -0400 ++++ policycoreutils-2.0.71/restorecond/watch.c 2009-08-28 14:07:24.000000000 -0400 @@ -0,0 +1,254 @@ +#define _GNU_SOURCE +#include 
@@ -1154,7 +1154,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po + diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/Makefile policycoreutils-2.0.71/sandbox/Makefile --- nsapolicycoreutils/sandbox/Makefile 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.71/sandbox/Makefile 2009-08-26 17:34:50.000000000 -0400 ++++ policycoreutils-2.0.71/sandbox/Makefile 2009-08-28 14:07:24.000000000 -0400 @@ -0,0 +1,31 @@ +# Installation directories. +PREFIX ?= ${DESTDIR}/usr @@ -1189,8 +1189,8 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po +relabel: diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/sandbox policycoreutils-2.0.71/sandbox/sandbox --- nsapolicycoreutils/sandbox/sandbox 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.71/sandbox/sandbox 2009-08-26 17:34:50.000000000 -0400 -@@ -0,0 +1,193 @@ ++++ policycoreutils-2.0.71/sandbox/sandbox 2009-08-28 14:07:24.000000000 -0400 +@@ -0,0 +1,202 @@ +#!/usr/bin/python -E +import os, sys, getopt, socket, random, fcntl, shutil +import selinux @@ -1341,7 +1341,14 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po + break + + try: ++ newhomedir = None ++ newtmpdir = None + if X_ind: ++ if not os.path.exists("/usr/sbin/seunshare"): ++ raise ValueError("""/usr/sbin/seunshare required for sandbox -X, to install you need to execute ++#yum install /usr/sbin/seunshare""") ++ else: ++ print "exists" + import warnings + warnings.simplefilter("ignore") + newhomedir = os.tempnam(".", ".sandbox%s") 
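Review bot: The `else:` / `print "exists"` pair added under the new seunshare check is a leftover debug statement that writes to stdout on every `sandbox -X` run; drop the `else` branch so the block is just `if not os.path.exists("/usr/sbin/seunshare):` followed by the `raise ValueError(...)`. The check also only confirms the path exists, not that it can be executed, so `os.access("/usr/sbin/seunshare", os.X_OK)` would reject a non-executable file before the sandbox is set up rather than failing later. The enclosing `try:` block (and the X_ind branch it contains) continues past the end of this hunk.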
@@ -1368,8 +1375,10 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po + selinux.setexeccon(None) + finally: + if X_ind: -+ shutil.rmtree(newhomedir) -+ shutil.rmtree(newtmpdir) ++ if newhomedir: ++ shutil.rmtree(newhomedir) ++ if newtmpdir: ++ shutil.rmtree(newtmpdir) + + except getopt.GetoptError, error: + usage(_("Options Error %s ") % error.msg) @@ -1386,7 +1395,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po + diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/sandbox.8 policycoreutils-2.0.71/sandbox/sandbox.8 --- nsapolicycoreutils/sandbox/sandbox.8 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.71/sandbox/sandbox.8 2009-08-26 17:34:50.000000000 -0400 ++++ policycoreutils-2.0.71/sandbox/sandbox.8 2009-08-28 14:07:24.000000000 -0400 @@ -0,0 +1,26 @@ +.TH SANDBOX "8" "May 2009" "chcat" "User Commands" +.SH NAME @@ -1416,7 +1425,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po +.PP diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/sandboxX.sh policycoreutils-2.0.71/sandbox/sandboxX.sh --- nsapolicycoreutils/sandbox/sandboxX.sh 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.71/sandbox/sandboxX.sh 2009-08-26 17:34:50.000000000 -0400 ++++ policycoreutils-2.0.71/sandbox/sandboxX.sh 2009-08-28 14:07:24.000000000 -0400 @@ -0,0 +1,13 @@ +#!/bin/bash +(Xephyr -terminate -screen 1000x700 -displayfd 5 5>&1 2>/dev/null) | while read D; do 
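Review bot: In the rewritten `finally:` block an `OSError` raised by `shutil.rmtree(newhomedir)` propagates before `shutil.rmtree(newtmpdir)` runs, so a failed first removal leaves the second sandbox directory behind under the current directory. Removing each directory independently avoids that, e.g. `for d in (newhomedir, newtmpdir):` / `    if d:` / `        shutil.rmtree(d, ignore_errors=True)`, or catching `OSError` around each call and reporting it. With both names now initialised to `None` before the `if X_ind:` branch, the outer `if X_ind:` guard in the cleanup is redundant. The surrounding `try`/`except getopt.GetoptError` structure starts and ends outside this hunk.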
@@ -1431,10 +1440,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po +exit $EXITCODE +break +done -Binary files nsapolicycoreutils/sandbox/seunshare and policycoreutils-2.0.71/sandbox/seunshare differ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/seunshare.c policycoreutils-2.0.71/sandbox/seunshare.c --- nsapolicycoreutils/sandbox/seunshare.c 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.71/sandbox/seunshare.c 2009-08-26 17:50:31.000000000 -0400 ++++ policycoreutils-2.0.71/sandbox/seunshare.c 2009-08-28 14:07:24.000000000 -0400 @@ -0,0 +1,203 @@ +#include +#include @@ -1639,10 +1647,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po + + return status; +} -Binary files nsapolicycoreutils/sandbox/seunshare.o and policycoreutils-2.0.71/sandbox/seunshare.o differ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/chcat policycoreutils-2.0.71/scripts/chcat --- nsapolicycoreutils/scripts/chcat 2009-06-23 15:36:07.000000000 -0400 -+++ policycoreutils-2.0.71/scripts/chcat 2009-08-26 17:34:50.000000000 -0400 ++++ policycoreutils-2.0.71/scripts/chcat 2009-08-28 14:07:24.000000000 -0400 @@ -435,6 +435,8 @@ continue except ValueError, e: @@ -1654,7 +1661,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/Makefile policycoreutils-2.0.71/scripts/Makefile --- nsapolicycoreutils/scripts/Makefile 2008-08-28 09:34:24.000000000 -0400 -+++ policycoreutils-2.0.71/scripts/Makefile 2009-08-26 17:34:50.000000000 -0400 ++++ policycoreutils-2.0.71/scripts/Makefile 2009-08-28 14:07:24.000000000 -0400 @@ -5,7 +5,7 @@ MANDIR ?= $(PREFIX)/share/man LOCALEDIR ?= /usr/share/locale 
@@ -1666,7 +1673,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -mkdir -p $(BINDIR) diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/semanage policycoreutils-2.0.71/semanage/semanage --- nsapolicycoreutils/semanage/semanage 2009-08-19 16:35:03.000000000 -0400 -+++ policycoreutils-2.0.71/semanage/semanage 2009-08-26 17:34:50.000000000 -0400 ++++ policycoreutils-2.0.71/semanage/semanage 2009-08-28 14:07:24.000000000 -0400 @@ -68,6 +68,7 @@ -h, --help Display this message -n, --noheading Do not print heading when listing OBJECTS @@ -1776,7 +1783,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/seobject.py policycoreutils-2.0.71/semanage/seobject.py --- nsapolicycoreutils/semanage/seobject.py 2009-08-19 16:35:03.000000000 -0400 -+++ policycoreutils-2.0.71/semanage/seobject.py 2009-08-26 17:34:50.000000000 -0400 ++++ policycoreutils-2.0.71/semanage/seobject.py 2009-08-28 14:07:24.000000000 -0400 @@ -1,5 +1,5 @@ #! /usr/bin/python -E -# Copyright (C) 2005, 2006, 2007, 2008 Red Hat 
@@ -1903,9 +1910,683 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po class booleanRecords(semanageRecords): def __init__(self, store = ""): +diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semodule/semodule.8 policycoreutils-2.0.71/semodule/semodule.8 +--- nsapolicycoreutils/semodule/semodule.8 2008-08-28 09:34:24.000000000 -0400 ++++ policycoreutils-2.0.71/semodule/semodule.8 2009-08-28 14:07:24.000000000 -0400 +@@ -35,6 +35,12 @@ + .B \-b,\-\-base=MODULE_PKG + install/replace base module package + .TP ++.B \-d,\-\-disable=MODULE_NAME ++disable existing module ++.TP ++.B \-e,\-\-enable=MODULE_NAME ++enable existing module ++.TP + .B \-r,\-\-remove=MODULE_NAME + remove existing module + .TP +diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semodule/semodule.8.enable policycoreutils-2.0.71/semodule/semodule.8.enable +--- nsapolicycoreutils/semodule/semodule.8.enable 1969-12-31 19:00:00.000000000 -0500 ++++ policycoreutils-2.0.71/semodule/semodule.8.enable 2009-08-12 12:08:15.000000000 -0400 +@@ -0,0 +1,79 @@ ++.TH SEMODULE "8" "Nov 2005" "Security Enhanced Linux" NSA ++.SH NAME ++semodule \- Manage SELinux policy modules. ++ ++.SH SYNOPSIS ++.B semodule [options]... MODE [MODES]... ++.br ++.SH DESCRIPTION ++.PP ++semodule is the tool used to manage SELinux policy modules, ++including installing, upgrading, listing and removing modules. ++semodule may also be used to force a rebuild of policy from the ++module store and/or to force a reload of policy without performing ++any other transaction. semodule acts on module packages created ++by semodule_package. Conventionally, these files have a .pp suffix ++(policy package), although this is not mandated in any way. 
++ ++.SH "OPTIONS" ++.TP ++.B \-R, \-\-reload ++force a reload of policy ++.TP ++.B \-B, \-\-build ++force a rebuild of policy (also reloads unless -n is used) ++.TP ++.B \-D, \-\-disable_dontaudit ++Temporarily remove dontaudits from policy. Reverts whenever policy is rebuilt ++.TP ++.B \-i,\-\-install=MODULE_PKG ++install/replace a module package ++.TP ++.B \-u,\-\-upgrade=MODULE_PKG ++upgrade an existing module package ++.TP ++.B \-b,\-\-base=MODULE_PKG ++install/replace base module package ++.TP ++.B \-r,\-\-remove=MODULE_NAME ++remove existing module ++.TP ++.B \-l,\-\-list-modules ++display list of installed modules (other than base) ++.TP ++.B \-s,\-\-store ++name of the store to operate on ++.TP ++.B \-n,\-\-noreload ++do not reload policy after commit ++.TP ++.B \-h,\-\-help ++prints help message and quit ++.TP ++.B \-v,\-\-verbose ++be verbose ++ ++.SH EXAMPLE ++.nf ++# Install or replace a base policy package. ++$ semodule -b base.pp ++# Install or replace a non-base policy package. ++$ semodule -i httpd.pp ++# List non-base modules. ++$ semodule -l ++# Turn on all AVC Messages for which SELinux currently is "dontaudit"ing. ++$ semodule -DB ++# Turn "dontaudit" rules back on. ++$ semodule -B ++# Install or replace all non-base modules in the current directory. ++$ semodule -i *.pp ++# Install or replace all modules in the current directory. ++$ ls *.pp | grep -Ev "base.pp|enableaudit.pp" | xargs /usr/sbin/semodule -b base.pp -i ++.fi ++ ++.SH SEE ALSO ++.B checkmodule(8), semodule_package(8) ++.SH AUTHORS ++.nf ++This manual page was written by Dan Walsh . 
++The program was written by Karl MacMillan , Joshua Brindle , Jason Tang +diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semodule/semodule.c policycoreutils-2.0.71/semodule/semodule.c +--- nsapolicycoreutils/semodule/semodule.c 2009-07-07 15:32:32.000000000 -0400 ++++ policycoreutils-2.0.71/semodule/semodule.c 2009-08-28 14:08:55.000000000 -0400 +@@ -22,12 +22,12 @@ + + #include + +-enum client_modes { NO_MODE, INSTALL_M, UPGRADE_M, BASE_M, REMOVE_M, ++enum client_modes { NO_MODE, INSTALL_M, UPGRADE_M, BASE_M, ENABLE_M, DISABLE_M, REMOVE_M, + LIST_M, RELOAD + }; + /* list of modes in which one ought to commit afterwards */ + static const int do_commit[] = { +- 0, 1, 1, 1, 1, ++ 0, 1, 1, 1, 1, 1, 1, + 0, 0 + }; + +@@ -106,7 +106,9 @@ + printf(" -i,--install=MODULE_PKG install a new module\n"); + printf(" -u,--upgrade=MODULE_PKG upgrade existing module\n"); + printf(" -b,--base=MODULE_PKG install new base module\n"); +- printf(" -r,--remove=MODULE_NAME remove existing module\n"); ++ printf(" -e,--enable=MODULE_PKG enable existing module\n"); ++ printf(" -d,--disable=MODULE_PKG disable existing module\n"); ++ printf(" -r,--remove=MODULE_NAME remove existing module\n"); + printf + (" -l,--list-modules display list of installed modules\n"); + printf("Other options:\n"); +@@ -152,6 +154,8 @@ + {"install", required_argument, NULL, 'i'}, + {"list-modules", 0, NULL, 'l'}, + {"verbose", 0, NULL, 'v'}, ++ {"enable", required_argument, NULL, 'e'}, ++ {"disable", required_argument, NULL, 'd'}, + {"remove", required_argument, NULL, 'r'}, + {"upgrade", required_argument, NULL, 'u'}, + {"reload", 0, NULL, 'R'}, +@@ -166,7 +170,7 @@ + no_reload = 0; + create_store = 0; + while ((i = +- getopt_long(argc, argv, "s:b:hi:lvqr:u:RnBD", opts, ++ getopt_long(argc, argv, "s:b:hi:lvqe:d:r:u:RnBD", opts, + NULL)) != -1) { + switch (i) { + case 'b': +@@ -185,6 +189,12 @@ + case 'v': + verbose = 1; + break; ++ case 'e': ++ 
set_mode(ENABLE_M, optarg); ++ break; ++ case 'd': ++ set_mode(DISABLE_M, optarg); ++ break; + case 'r': + set_mode(REMOVE_M, optarg); + break; +@@ -238,6 +248,10 @@ + mode = UPGRADE_M; + } else if (commands && commands[num_commands - 1].mode == REMOVE_M) { + mode = REMOVE_M; ++ } else if (commands && commands[num_commands - 1].mode == ENABLE_M) { ++ mode = ENABLE_M; ++ } else if (commands && commands[num_commands - 1].mode == DISABLE_M) { ++ mode = DISABLE_M; + } else { + fprintf(stderr, "unknown additional arguments:\n"); + while (optind < argc) +@@ -352,6 +366,30 @@ + semanage_module_install_base_file(sh, mode_arg); + break; + } ++ case ENABLE_M:{ ++ if (verbose) { ++ printf ++ ("Attempting to enable module '%s':\n", ++ mode_arg); ++ } ++ result = semanage_module_enable(sh, mode_arg); ++ if ( result == -2 ) { ++ continue; ++ } ++ break; ++ } ++ case DISABLE_M:{ ++ if (verbose) { ++ printf ++ ("Attempting to disable module '%s':\n", ++ mode_arg); ++ } ++ result = semanage_module_disable(sh, mode_arg); ++ if ( result == -2 ) { ++ continue; ++ } ++ break; ++ } + case REMOVE_M:{ + if (verbose) { + printf +@@ -382,11 +420,12 @@ + semanage_module_info_t *m = + semanage_module_list_nth + (modinfo, j); +- printf("%s\t%s\n", ++ printf("%s\t%s\t%s\n", + semanage_module_get_name + (m), + semanage_module_get_version +- (m)); ++ (m), ++ (semanage_module_get_enabled(m) ? 
"" : "Disabled")); + semanage_module_info_datum_destroy + (m); + } +diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semodule/semodule.c.enable policycoreutils-2.0.71/semodule/semodule.c.enable +--- nsapolicycoreutils/semodule/semodule.c.enable 1969-12-31 19:00:00.000000000 -0500 ++++ policycoreutils-2.0.71/semodule/semodule.c.enable 2009-08-12 12:08:15.000000000 -0400 +@@ -0,0 +1,454 @@ ++/* Authors: Karl MacMillan ++ * Joshua Brindle ++ * Jason Tang ++ * ++ * Copyright (C) 2004-2005 Tresys Technology, LLC ++ * This program is free software; you can redistribute it and/or ++ * modify it under the terms of the GNU General Public License as ++ * published by the Free Software Foundation, version 2. ++ */ ++ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++ ++#include ++ ++enum client_modes { NO_MODE, INSTALL_M, UPGRADE_M, BASE_M, REMOVE_M, ++ LIST_M, RELOAD ++}; ++/* list of modes in which one ought to commit afterwards */ ++static const int do_commit[] = { ++ 0, 1, 1, 1, 1, ++ 0, 0 ++}; ++ ++struct command { ++ enum client_modes mode; ++ char *arg; ++}; ++static struct command *commands = NULL; ++static int num_commands = 0; ++ ++/* options given on command line */ ++static int verbose; ++static int reload; ++static int no_reload; ++static int create_store; ++static int build; ++static int disable_dontaudit; ++ ++static semanage_handle_t *sh = NULL; ++static char *store; ++ ++extern char *optarg; ++extern int optind; ++ ++static void cleanup(void) ++{ ++ while (--num_commands >= 0) { ++ free(commands[num_commands].arg); ++ } ++ free(commands); ++} ++ ++/* Signal handlers. 
*/ ++static void handle_signal(int sig_num) ++{ ++ if (sig_num == SIGINT || sig_num == SIGQUIT || sig_num == SIGTERM) { ++ /* catch these signals, and then drop them */ ++ } ++} ++ ++static void set_store(char *storename) ++{ ++ /* For now this only supports a store name, later on this ++ * should support an address for a remote connection */ ++ ++ if ((store = strdup(storename)) == NULL) { ++ fprintf(stderr, "Out of memory!\n"); ++ goto bad; ++ } ++ ++ return; ++ ++ bad: ++ cleanup(); ++ exit(1); ++} ++ ++/* Establish signal handlers for the process. */ ++static void create_signal_handlers(void) ++{ ++ if (signal(SIGINT, handle_signal) == SIG_ERR || ++ signal(SIGQUIT, handle_signal) == SIG_ERR || ++ signal(SIGTERM, handle_signal) == SIG_ERR) { ++ fprintf(stderr, "Could not set up signal handler.\n"); ++ exit(255); ++ } ++} ++ ++static void usage(char *progname) ++{ ++ printf("usage: %s [options]... MODE [MODES]...\n", progname); ++ printf("Manage SELinux policy modules.\n"); ++ printf("MODES:\n"); ++ printf(" -R, --reload reload policy\n"); ++ printf(" -B, --build build and reload policy\n"); ++ printf(" -i,--install=MODULE_PKG install a new module\n"); ++ printf(" -u,--upgrade=MODULE_PKG upgrade existing module\n"); ++ printf(" -b,--base=MODULE_PKG install new base module\n"); ++ printf(" -r,--remove=MODULE_NAME remove existing module\n"); ++ printf ++ (" -l,--list-modules display list of installed modules\n"); ++ printf("Other options:\n"); ++ printf(" -s,--store name of the store to operate on\n"); ++ printf(" -n,--noreload do not reload policy after commit\n"); ++ printf(" -h,--help print this message and quit\n"); ++ printf(" -v,--verbose be verbose\n"); ++ printf(" -D,--disable_dontaudit Remove dontaudits from policy\n"); ++} ++ ++/* Sets the global mode variable to new_mode, but only if no other ++ * mode has been given. 
*/ ++static void set_mode(enum client_modes new_mode, char *arg) ++{ ++ struct command *c; ++ char *s; ++ if ((c = realloc(commands, sizeof(*c) * (num_commands + 1))) == NULL) { ++ fprintf(stderr, "Out of memory!\n"); ++ cleanup(); ++ exit(1); ++ } ++ commands = c; ++ commands[num_commands].mode = new_mode; ++ commands[num_commands].arg = NULL; ++ num_commands++; ++ if (arg != NULL) { ++ if ((s = strdup(arg)) == NULL) { ++ fprintf(stderr, "Out of memory!\n"); ++ cleanup(); ++ exit(1); ++ } ++ commands[num_commands - 1].arg = s; ++ } ++} ++ ++/* Parse command line and set global options. */ ++static void parse_command_line(int argc, char **argv) ++{ ++ static struct option opts[] = { ++ {"store", required_argument, NULL, 's'}, ++ {"base", required_argument, NULL, 'b'}, ++ {"help", 0, NULL, 'h'}, ++ {"install", required_argument, NULL, 'i'}, ++ {"list-modules", 0, NULL, 'l'}, ++ {"verbose", 0, NULL, 'v'}, ++ {"remove", required_argument, NULL, 'r'}, ++ {"upgrade", required_argument, NULL, 'u'}, ++ {"reload", 0, NULL, 'R'}, ++ {"noreload", 0, NULL, 'n'}, ++ {"build", 0, NULL, 'B'}, ++ {"disable_dontaudit", 0, NULL, 'D'}, ++ {NULL, 0, NULL, 0} ++ }; ++ int i; ++ verbose = 0; ++ reload = 0; ++ no_reload = 0; ++ create_store = 0; ++ while ((i = ++ getopt_long(argc, argv, "s:b:hi:lvqr:u:RnBD", opts, ++ NULL)) != -1) { ++ switch (i) { ++ case 'b': ++ set_mode(BASE_M, optarg); ++ create_store = 1; ++ break; ++ case 'h': ++ usage(argv[0]); ++ exit(0); ++ case 'i': ++ set_mode(INSTALL_M, optarg); ++ break; ++ case 'l': ++ set_mode(LIST_M, NULL); ++ break; ++ case 'v': ++ verbose = 1; ++ break; ++ case 'r': ++ set_mode(REMOVE_M, optarg); ++ break; ++ case 'u': ++ set_mode(UPGRADE_M, optarg); ++ break; ++ case 's': ++ set_store(optarg); ++ break; ++ case 'R': ++ reload = 1; ++ break; ++ case 'n': ++ no_reload = 1; ++ break; ++ case 'B': ++ build = 1; ++ break; ++ case 'D': ++ disable_dontaudit = 1; ++ break; ++ case '?': ++ default:{ ++ usage(argv[0]); ++ exit(1); ++ } ++ } ++ 
} ++ if ((build || reload) && num_commands) { ++ fprintf(stderr, ++ "build or reload should not be used with other commands\n"); ++ usage(argv[0]); ++ exit(1); ++ } ++ if (num_commands == 0 && reload == 0 && build == 0) { ++ fprintf(stderr, "At least one mode must be specified.\n"); ++ usage(argv[0]); ++ exit(1); ++ } ++ ++ if (optind < argc) { ++ int mode; ++ /* if -i/u/r was the last command treat any remaining ++ * arguments as args. Will allow 'semodule -i *.pp' to ++ * work as expected. ++ */ ++ ++ if (commands && commands[num_commands - 1].mode == INSTALL_M) { ++ mode = INSTALL_M; ++ } else if (commands && commands[num_commands - 1].mode == UPGRADE_M) { ++ mode = UPGRADE_M; ++ } else if (commands && commands[num_commands - 1].mode == REMOVE_M) { ++ mode = REMOVE_M; ++ } else { ++ fprintf(stderr, "unknown additional arguments:\n"); ++ while (optind < argc) ++ fprintf(stderr, " %s", argv[optind++]); ++ fprintf(stderr, "\n\n"); ++ usage(argv[0]); ++ exit(1); ++ } ++ while (optind < argc) ++ set_mode(mode, argv[optind++]); ++ } ++} ++ ++int main(int argc, char *argv[]) ++{ ++ int i, commit = 0; ++ int result; ++ int status = EXIT_FAILURE; ++ ++ create_signal_handlers(); ++ parse_command_line(argc, argv); ++ ++ if (build) ++ commit = 1; ++ ++ sh = semanage_handle_create(); ++ if (!sh) { ++ fprintf(stderr, "%s: Could not create semanage handle\n", ++ argv[0]); ++ goto cleanup_nohandle; ++ } ++ ++ if (store) { ++ /* Set the store we want to connect to, before connecting. 
++ * this will always set a direct connection now, an additional ++ * option will need to be used later to specify a policy server ++ * location */ ++ semanage_select_store(sh, store, SEMANAGE_CON_DIRECT); ++ } ++ ++ /* if installing base module create store if necessary, for bootstrapping */ ++ semanage_set_create_store(sh, create_store); ++ ++ if (!create_store) { ++ if (!semanage_is_managed(sh)) { ++ fprintf(stderr, ++ "%s: SELinux policy is not managed or store cannot be accessed.\n", ++ argv[0]); ++ goto cleanup; ++ } ++ ++ if (semanage_access_check(sh) < SEMANAGE_CAN_READ) { ++ fprintf(stderr, "%s: Cannot read policy store.\n", ++ argv[0]); ++ goto cleanup; ++ } ++ } ++ ++ if ((result = semanage_connect(sh)) < 0) { ++ fprintf(stderr, "%s: Could not connect to policy handler\n", ++ argv[0]); ++ goto cleanup; ++ } ++ ++ if (reload) { ++ if ((result = semanage_reload_policy(sh)) < 0) { ++ fprintf(stderr, "%s: Could not reload policy\n", ++ argv[0]); ++ goto cleanup; ++ } ++ } ++ ++ if (build) { ++ if ((result = semanage_begin_transaction(sh)) < 0) { ++ fprintf(stderr, "%s: Could not begin transaction: %s\n", ++ argv[0], errno ? 
strerror(errno) : ""); ++ goto cleanup; ++ } ++ } ++ ++ for (i = 0; i < num_commands; i++) { ++ enum client_modes mode = commands[i].mode; ++ char *mode_arg = commands[i].arg; ++ switch (mode) { ++ case INSTALL_M:{ ++ if (verbose) { ++ printf ++ ("Attempting to install module '%s':\n", ++ mode_arg); ++ } ++ result = ++ semanage_module_install_file(sh, mode_arg); ++ break; ++ } ++ case UPGRADE_M:{ ++ if (verbose) { ++ printf ++ ("Attempting to upgrade module '%s':\n", ++ mode_arg); ++ } ++ result = ++ semanage_module_upgrade_file(sh, mode_arg); ++ break; ++ } ++ case BASE_M:{ ++ if (verbose) { ++ printf ++ ("Attempting to install base module '%s':\n", ++ mode_arg); ++ } ++ result = ++ semanage_module_install_base_file(sh, mode_arg); ++ break; ++ } ++ case REMOVE_M:{ ++ if (verbose) { ++ printf ++ ("Attempting to remove module '%s':\n", ++ mode_arg); ++ } ++ result = semanage_module_remove(sh, mode_arg); ++ if ( result == -2 ) { ++ continue; ++ } ++ break; ++ } ++ case LIST_M:{ ++ semanage_module_info_t *modinfo; ++ int num_modules; ++ if (verbose) { ++ printf ++ ("Attempting to list active modules:\n"); ++ } ++ if ((result = ++ semanage_module_list(sh, &modinfo, ++ &num_modules)) >= 0) { ++ int j; ++ if (num_modules == 0) { ++ printf("No modules.\n"); ++ } ++ for (j = 0; j < num_modules; j++) { ++ semanage_module_info_t *m = ++ semanage_module_list_nth ++ (modinfo, j); ++ printf("%s\t%s\n", ++ semanage_module_get_name ++ (m), ++ semanage_module_get_version ++ (m)); ++ semanage_module_info_datum_destroy ++ (m); ++ } ++ free(modinfo); ++ } ++ break; ++ } ++ default:{ ++ fprintf(stderr, ++ "%s: Unknown mode specified.\n", ++ argv[0]); ++ usage(argv[0]); ++ goto cleanup; ++ } ++ } ++ commit += do_commit[mode]; ++ if (result < 0) { ++ fprintf(stderr, "%s: Failed on %s!\n", argv[0], ++ mode_arg ? 
: "list"); ++ goto cleanup; ++ } else if (verbose) { ++ printf("Ok: return value of %d.\n", result); ++ } ++ } ++ ++ if (commit) { ++ if (verbose) ++ printf("Committing changes:\n"); ++ if (no_reload) ++ semanage_set_reload(sh, 0); ++ if (build) ++ semanage_set_rebuild(sh, 1); ++ if (disable_dontaudit) ++ semanage_set_disable_dontaudit(sh, 1); ++ else if (build) ++ semanage_set_disable_dontaudit(sh, 0); ++ ++ result = semanage_commit(sh); ++ } ++ ++ if (result < 0) { ++ fprintf(stderr, "%s: Failed!\n", argv[0]); ++ goto cleanup; ++ } else if (commit && verbose) { ++ printf("Ok: transaction number %d.\n", result); ++ } ++ ++ if (semanage_disconnect(sh) < 0) { ++ fprintf(stderr, "%s: Error disconnecting\n", argv[0]); ++ goto cleanup; ++ } ++ status = EXIT_SUCCESS; ++ ++ cleanup: ++ if (semanage_is_connected(sh)) { ++ if (semanage_disconnect(sh) < 0) { ++ fprintf(stderr, "%s: Error disconnecting\n", argv[0]); ++ } ++ } ++ semanage_handle_destroy(sh); ++ ++ cleanup_nohandle: ++ cleanup(); ++ exit(status); ++} diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/setfiles/Makefile policycoreutils-2.0.71/setfiles/Makefile --- nsapolicycoreutils/setfiles/Makefile 2009-07-07 15:32:32.000000000 -0400 -+++ policycoreutils-2.0.71/setfiles/Makefile 2009-08-26 17:34:50.000000000 -0400 ++++ policycoreutils-2.0.71/setfiles/Makefile 2009-08-28 14:07:24.000000000 -0400 @@ -5,7 +5,7 @@ LIBDIR ?= $(PREFIX)/lib AUDITH = $(shell ls /usr/include/libaudit.h 2>/dev/null) 
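Review bot: The hunk adds `semodule/semodule.8.enable` and `semodule/semodule.c.enable` as new files, and their contents (the pre-change man page and a 454-line copy of the old semodule.c, both timestamped 2009-08-12) look like `patch -b` backup copies rather than intended sources; they should be dropped from policycoreutils-rhat.patch so the tree does not carry an unbuilt duplicate of semodule.c. In the semodule.c usage() text the new lines read `-e,--enable=MODULE_PKG` and `-d,--disable=MODULE_PKG`, while the man page entries and the trailing-argument handling (`mode = ENABLE_M` / `mode = DISABLE_M`) treat the argument as a module name; change both to `MODULE_NAME` to match `-r,--remove`. In the ENABLE_M and DISABLE_M cases a `-2` result hits `continue`, which skips both the `commit += do_commit[mode]` line and the "Failed on" report, so a misspelled module name appears to succeed silently; this mirrors the existing REMOVE_M case, but at least a message under `verbose` would help, and whether `-2` means "no such module" for semanage_module_enable()/disable() should be confirmed against libsemanage.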
@@ -1926,7 +2607,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po ln -sf setfiles restorecon diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/setfiles/restore.c policycoreutils-2.0.71/setfiles/restore.c --- nsapolicycoreutils/setfiles/restore.c 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.71/setfiles/restore.c 2009-08-26 17:34:50.000000000 -0400 ++++ policycoreutils-2.0.71/setfiles/restore.c 2009-08-28 14:07:24.000000000 -0400 @@ -0,0 +1,519 @@ +#include "restore.h" + @@ -2449,7 +3130,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po + diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/setfiles/restore.h policycoreutils-2.0.71/setfiles/restore.h --- nsapolicycoreutils/setfiles/restore.h 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.71/setfiles/restore.h 2009-08-26 17:34:50.000000000 -0400 ++++ policycoreutils-2.0.71/setfiles/restore.h 2009-08-28 14:07:24.000000000 -0400 @@ -0,0 +1,49 @@ +#ifndef RESTORE_H +#define RESTORE_H @@ -2502,7 +3183,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po +#endif diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/setfiles/setfiles.c policycoreutils-2.0.71/setfiles/setfiles.c --- nsapolicycoreutils/setfiles/setfiles.c 2009-08-12 12:08:15.000000000 -0400 -+++ policycoreutils-2.0.71/setfiles/setfiles.c 2009-08-26 17:34:50.000000000 -0400 ++++ policycoreutils-2.0.71/setfiles/setfiles.c 2009-08-28 14:07:24.000000000 -0400 @@ -1,26 +1,12 @@ -#ifndef _GNU_SOURCE -#define _GNU_SOURCE diff --git a/policycoreutils.spec b/policycoreutils.spec index a60fe2c..5b31b19 100644 --- a/policycoreutils.spec +++ b/policycoreutils.spec 
@@ -1,12 +1,12 @@ %define libauditver 1.4.2-1 %define libsepolver 2.0.19-1 -%define libsemanagever 2.0.28-2 +%define libsemanagever 2.0.36-2 %define libselinuxver 2.0.46-5 %define sepolgenver 1.0.17 Summary: SELinux policy core utilities Name: policycoreutils Version: 2.0.71 -Release: 13%{?dist} +Release: 14%{?dist} License: GPLv2+ Group: System Environment/Base Source: http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz @@ -295,6 +295,9 @@ fi exit 0 %changelog +* Fri Aug 28 2009 Dan Walsh 2.0.71-14 +- Add enable/disable patch + * Thu Aug 27 2009 Tomas Mraz - 2.0.71-13 - rebuilt with new audit