db3649f6 SS |
1 | diff -Nur a/Makefile b/Makefile |
2 | --- a/Makefile 2011-11-04 14:38:45.000000000 +0100 | |
3 | +++ b/Makefile 2011-11-27 18:02:23.488513229 +0100 | |
4 | @@ -1,4 +1,4 @@ | |
5 | -SUBDIRS = setfiles semanage load_policy newrole run_init sandbox secon audit2allow audit2why scripts sestatus semodule_package semodule semodule_link semodule_expand semodule_deps sepolgen-ifgen setsebool po | |
6 | +SUBDIRS = setfiles semanage semanage/default_encoding load_policy newrole run_init sandbox secon audit2allow audit2why scripts sestatus semodule_package semodule semodule_link semodule_expand semodule_deps sepolgen-ifgen setsebool po | |
7 | ||
8 | INOTIFYH = $(shell ls /usr/include/sys/inotify.h 2>/dev/null) | |
9 | ||
10 | diff -Nur a/newrole/newrole.c b/newrole/newrole.c | |
11 | --- a/newrole/newrole.c 2011-11-04 14:38:45.000000000 +0100 | |
12 | +++ b/newrole/newrole.c 2011-11-27 18:02:23.489513229 +0100 | |
13 | @@ -543,13 +543,13 @@ | |
14 | #if defined(AUDIT_LOG_PRIV) && !defined(NAMESPACE_PRIV) | |
15 | static int drop_capabilities(int full) | |
16 | { | |
17 | + uid_t uid = getuid(); | |
18 | + if (!uid) return 0; | |
19 | + | |
20 | capng_clear(CAPNG_SELECT_BOTH); | |
21 | if (capng_lock() < 0) | |
22 | return -1; | |
23 | ||
24 | - uid_t uid = getuid(); | |
25 | - if (!uid) return 0; | |
26 | - | |
27 | /* Change uid */ | |
28 | if (setresuid(uid, uid, uid)) { | |
29 | fprintf(stderr, _("Error changing uid, aborting.\n")); | |
30 | @@ -1030,10 +1030,11 @@ | |
31 | * if it makes sense to continue to run newrole, and setting up | |
32 | * a scrubbed environment. | |
33 | */ | |
34 | - if (drop_capabilities(FALSE)) { | |
35 | +/* if (drop_capabilities(FALSE)) { | |
36 | perror(_("Sorry, newrole failed to drop capabilities\n")); | |
37 | return -1; | |
38 | } | |
39 | +*/ | |
40 | if (set_signal_handles()) | |
41 | return -1; | |
42 | ||
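Review bot: The second hunk (@@ -1030) disables the early `drop_capabilities(FALSE)` call by wrapping it in a block comment, so newrole now continues past this point with whatever capabilities it started with, and the `perror`/`return -1` abort path is silently gone. If deferring the drop is intentional, say why in a comment and use `#if 0 … #endif` or delete the lines rather than `/* … */`, which hides the change from the compiler and cannot nest. The first hunk (@@ -543) moves the `!uid` return ahead of `capng_clear`/`capng_lock`, so a uid-0 caller now skips clearing and locking the capability sets entirely; if that is the intent, `/* root keeps its capabilities; nothing to clear or lock */` above the return would make it explicit. Both enclosing functions extend beyond the hunks.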
43 | diff -Nur a/po/Makefile b/po/Makefile | |
44 | --- a/po/Makefile 2011-11-04 14:38:45.000000000 +0100 | |
45 | +++ b/po/Makefile 2011-11-27 18:02:23.495513229 +0100 | |
46 | @@ -7,7 +7,7 @@ | |
47 | # What is this package? | |
48 | NLSPACKAGE = policycoreutils | |
49 | POTFILE = $(NLSPACKAGE).pot | |
50 | -INSTALL = /usr/bin/install -c | |
51 | +INSTALL = /usr/bin/install -c -p | |
52 | INSTALL_DATA = $(INSTALL) -m 644 | |
53 | INSTALL_DIR = /usr/bin/install -d | |
54 | ||
55 | diff -Nur a/restorecond/restorecond.c b/restorecond/restorecond.c | |
56 | --- a/restorecond/restorecond.c 2011-11-04 14:38:44.000000000 +0100 | |
57 | +++ b/restorecond/restorecond.c 2011-11-27 18:02:23.496513229 +0100 | |
58 | @@ -140,6 +140,7 @@ | |
59 | { | |
60 | int opt; | |
61 | struct sigaction sa; | |
62 | + const char *null_array[1] = { NULL }; | |
63 | ||
64 | memset(&r_opts, 0, sizeof(r_opts)); | |
65 | ||
66 | @@ -160,6 +161,7 @@ | |
67 | r_opts.fts_flags = FTS_PHYSICAL; | |
68 | r_opts.selabel_opt_validate = NULL; | |
69 | r_opts.selabel_opt_path = NULL; | |
70 | + r_opts.selabel_opt_prefixes = null_array; | |
71 | r_opts.ignore_enoent = 1; | |
72 | ||
73 | restore_init(&r_opts); | |
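Review bot: `null_array` (patch line 62) is an automatic array in this function, yet its address is stored into the file-scope `r_opts` (patch line 70), so the pointer dangles as soon as the function returns if `selabel_opt_prefixes` is read afterwards — whether `selabel_open` copies the list or keeps the pointer is not visible here. Giving it static storage, `static const char *null_array[1] = { NULL };`, removes the lifetime question without changing the pointer type passed on. The enclosing function continues outside both hunks.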
74 | diff -Nur a/run_init/run_init.c b/run_init/run_init.c | |
75 | --- a/run_init/run_init.c 2011-11-04 14:38:45.000000000 +0100 | |
76 | +++ b/run_init/run_init.c 2011-11-27 18:02:23.497513229 +0100 | |
77 | @@ -414,10 +414,17 @@ | |
78 | * execvp or using a exec(1) recycles pty's, and does not open a new | |
79 | * one. | |
80 | */ | |
81 | +#ifdef USE_OPEN_INIT_PTY | |
82 | if (execvp("/usr/sbin/open_init_pty", argv)) { | |
83 | perror("execvp"); | |
84 | exit(-1); | |
85 | } | |
86 | +#else | |
87 | + if (execvp(argv[1], argv + 1)) { | |
88 | + perror("execvp"); | |
89 | + exit(-1); | |
90 | + } | |
91 | +#endif | |
92 | return 0; | |
93 | ||
94 | } /* main() */ | |
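Review bot: The new `#else` branch execs `argv[1]` directly, which is the very case the comment just above the hunk warns about: without `open_init_pty` the exec keeps the caller's pty instead of opening a fresh one, so that comment now describes only the `USE_OPEN_INIT_PTY` build. Add a line under `#else` such as `/* Built without open_init_pty: the command inherits the caller's pty (see the comment above). */` so the trade-off is recorded where it is made. Both branches use `exit(-1)`, which a shell reports as 255; `exit(EXIT_FAILURE)` is the conventional value. The argc check that guarantees `argv[1]` is non-NULL lies outside the hunk, so I could not confirm it.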
95 | diff -Nur a/sandbox/Makefile b/sandbox/Makefile | |
96 | --- a/sandbox/Makefile 2011-11-04 14:38:45.000000000 +0100 | |
97 | +++ b/sandbox/Makefile 2011-11-27 18:02:23.518513231 +0100 | |
98 | @@ -23,7 +23,7 @@ | |
99 | install -m 644 sandbox.8 $(MANDIR)/man8/ | |
100 | install -m 644 seunshare.8 $(MANDIR)/man8/ | |
101 | -mkdir -p $(MANDIR)/man5 | |
102 | - install -m 644 sandbox.conf.5 $(MANDIR)/man5/ | |
103 | + install -m 644 sandbox.5 $(MANDIR)/man5/sandbox.5 | |
104 | -mkdir -p $(SBINDIR) | |
105 | install -m 4755 seunshare $(SBINDIR)/ | |
106 | -mkdir -p $(SHAREDIR) | |
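Review bot: The renamed page is installed as `$(MANDIR)/man5/sandbox.5`, but the file added as sandbox/sandbox.5 in this patch still carries `.TH sandbox.conf "5"` and a NAME entry for `sandbox.conf`, and sandbox.8 points users at /etc/sysconfig/sandbox, so `man 5 sandbox.conf` stops resolving while `man 5 sandbox` shows a page titled sandbox.conf. Either keep the install name `sandbox.conf.5` or update the `.TH` and NAME lines in the new file to match the installed name.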
107 | diff -Nur a/sandbox/sandbox b/sandbox/sandbox | |
108 | --- a/sandbox/sandbox 2011-11-04 14:38:45.000000000 +0100 | |
109 | +++ b/sandbox/sandbox 2011-11-27 18:02:23.519513231 +0100 | |
110 | @@ -118,10 +118,30 @@ | |
111 | sock.bind("\0%s" % level) | |
112 | fcntl.fcntl(sock.fileno(), fcntl.F_SETFD, fcntl.FD_CLOEXEC) | |
113 | ||
114 | +def get_range(): | |
115 | + try: | |
116 | + level =selinux.getcon_raw()[1].split(":")[4] | |
117 | + lowc,highc = level.split(".") | |
118 | + low = int(lowc[1:]) | |
119 | + high = int(highc[1:])+1 | |
120 | + if high - low < 100: | |
121 | + raise IndexError | |
122 | + | |
123 | + return low,high | |
124 | + except IndexError: | |
125 | + raise ValueError(_("User account must be setup with an MCS Range with more then 100 categories")) | |
126 | + | |
127 | def gen_mcs(): | |
128 | - while True: | |
129 | - i1 = random.randrange(0, 1024) | |
130 | - i2 = random.randrange(0, 1024) | |
131 | + low, high = get_range() | |
132 | + | |
133 | + level = None | |
134 | + ctr = 0 | |
135 | + total = high-low | |
136 | + total = (total * total)/2 - total | |
137 | + while ctr < total: | |
138 | + ctr += 1 | |
139 | + i1 = random.randrange(low, high) | |
140 | + i2 = random.randrange(low, high) | |
141 | if i1 == i2: | |
142 | continue | |
143 | if i1 > i2: | |
144 | @@ -134,7 +154,10 @@ | |
145 | except socket.error: | |
146 | continue | |
147 | break | |
148 | - return level | |
149 | + if level: | |
150 | + return level | |
151 | + raise ValueError(_("Failed to find any unused categories")) | |
152 | + | |
153 | ||
154 | def fullpath(cmd): | |
155 | for i in [ "/", "./", "../" ]: | |
156 | @@ -160,6 +183,17 @@ | |
157 | self.__level = None | |
158 | self.__homedir = None | |
159 | self.__tmpdir = None | |
160 | + self.__set_dpi() | |
161 | + | |
162 | + def __set_dpi(self): | |
163 | + rc, out = commands.getstatusoutput("/usr/bin/xrdb -query") | |
164 | + if rc != 0: | |
165 | + self.dpi = 96 | |
166 | + else: | |
167 | + for i in out.split("\n"): | |
168 | + if i.startswith("Xft.dpi:"): | |
169 | + self.dpi = i.split()[1] | |
170 | + break; | |
171 | ||
172 | def __validate_mount(self): | |
173 | if self.__options.level: | |
174 | @@ -278,6 +312,9 @@ | |
175 | action="callback", callback=self.__mount_callback, | |
176 | help=_("mount new home and/or tmp directory")) | |
177 | ||
178 | + parser.add_option("-d", "--dpi", | |
179 | + dest="dpi", action="store",default=self.dpi, | |
180 | + help=_("dots per inch for X display: (%s)" % self.dpi)) | |
181 | parser.add_option("-S", "--session", action="store_true", dest="session", | |
182 | default=False, help=_("run complete desktop session within sandbox")) | |
183 | ||
184 | @@ -322,7 +359,7 @@ | |
185 | ||
186 | if self.__options.X_ind: | |
187 | self.setype = DEFAULT_X_TYPE | |
188 | - self.dpi=commands.getoutput("xrdb -query | grep dpi | /bin/cut -f 2") | |
189 | + | |
190 | if self.__options.setype: | |
191 | self.setype = self.__options.setype | |
192 | ||
193 | @@ -408,7 +445,7 @@ | |
194 | ||
195 | self.__setup_sandboxrc(self.__options.wm) | |
196 | ||
197 | - cmds += [ "--", SANDBOXSH, self.__options.windowsize, self.dpi ] | |
198 | + cmds += [ "--", SANDBOXSH, self.__options.windowsize, self.__options.dpi ] | |
199 | else: | |
200 | cmds += [ "--" ] + self.__paths | |
201 | return subprocess.Popen(cmds).wait() | |
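Review bot: In `__set_dpi` (the @@ -160 hunk) `self.dpi` is assigned only when `xrdb` fails or when a line starting with `Xft.dpi:` is found; a successful `xrdb -query` with no `Xft.dpi` entry leaves the attribute unset, and the later `default=self.dpi` in the `--dpi` option (@@ -278 hunk) then raises AttributeError. Set `self.dpi = 96` once before the `commands.getstatusoutput` call and let the loop override it. The xrdb value is the raw string `i.split()[1]` and `--dpi` is forwarded verbatim into `cmds` for SANDBOXSH; declaring the option with `type="int"` rejects non-numeric input at parse time and keeps the default and the parsed value the same type. The message in `get_range` reads "more then 100"; "more than" is meant.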
202 | diff -Nur a/sandbox/sandbox.5 b/sandbox/sandbox.5 | |
203 | --- a/sandbox/sandbox.5 1970-01-01 01:00:00.000000000 +0100 | |
204 | +++ b/sandbox/sandbox.5 2011-11-27 18:02:23.520513231 +0100 | |
205 | @@ -0,0 +1,40 @@ | |
206 | +.TH sandbox.conf "5" "June 2010" "sandbox.conf" "Linux System Administration" | |
207 | +.SH NAME | |
208 | +sandbox.conf \- user config file for the SELinux sandbox | |
209 | +.SH DESCRIPTION | |
210 | +.PP | |
211 | +When running sandbox with the -C argument, it will be confined using control groups and a system administrator can specify how the sandbox is confined. | |
212 | + | |
213 | +.PP | |
214 | +Everything after "#" is ignored, as are empty lines. All arguments should be separated by and equals sign ("="). | |
215 | + | |
216 | +.PP | |
217 | +These keywords are allowed. | |
218 | + | |
219 | +.RS | |
220 | +.TP | |
221 | +.B NAME | |
222 | +The name of the sandbox control group. Default is "sandbox". | |
223 | + | |
224 | +.TP | |
225 | +.B CPUAFFINITY | |
226 | +Which cpus to assign sandbox to. The default is ALL, but users can specify a comma-separated list with dashes ("-") to represent ranges. Ex: 0-2,5 | |
227 | + | |
228 | +.TP | |
229 | +.B MEMUSAGE | |
230 | +How much memory to allow sandbox to use. The default is 80%. Users can specify either a percentage or a value in the form of a number followed by one of the suffixes K, M, G to denote kilobytes, megabytes or gigabytes respectively. Ex: 50% or 100M | |
231 | + | |
232 | +.TP | |
233 | +.B CPUUSAGE | |
234 | +Percentage of cpu sandbox should be allowed to use. The default is 80%. Specify a value followed by a percent sign ("%"). Ex: 50% | |
235 | + | |
236 | + | |
237 | + | |
238 | +.SH "SEE ALSO" | |
239 | +.TP | |
240 | +sandbox(8) | |
241 | +.PP | |
242 | + | |
243 | +.SH AUTHOR | |
244 | +This manual page was written by | |
245 | +.I Thomas Liu <tliu@fedoraproject.org> | |
246 | diff -Nur a/sandbox/sandbox.8 b/sandbox/sandbox.8 | |
247 | --- a/sandbox/sandbox.8 2011-11-04 14:38:45.000000000 +0100 | |
248 | +++ b/sandbox/sandbox.8 2011-11-27 18:02:23.520513231 +0100 | |
249 | @@ -3,11 +3,11 @@ | |
250 | sandbox \- Run cmd under an SELinux sandbox | |
251 | .SH SYNOPSIS | |
252 | .B sandbox | |
253 | -[-C] [-c] [-l level ] [[-M | -X] -H homedir -T tempdir ] [-I includefile ] [ -W windowmanager ] [ -w windowsize ] [[-i file ]...] [ -t type ] cmd | |
254 | +[-C] [-c] [ -d DPI ] [-l level ] [[-M | -X] -H homedir -T tempdir ] [-I includefile ] [ -W windowmanager ] [ -w windowsize ] [[-i file ]...] [ -t type ] cmd | |
255 | ||
256 | .br | |
257 | .B sandbox | |
258 | -[-C] [-c] [-l level ] [[-M | -X] -H homedir -T tempdir ] [-I includefile ] [ -W windowmanager ] [ -w windowsize ] [[-i file ]...] [ -t type ] -S | |
259 | +[-C] [-c] [ -d DPI ] [-l level ] [[-M | -X] -H homedir -T tempdir ] [-I includefile ] [ -W windowmanager ] [ -w windowsize ] [[-i file ]...] [ -t type ] -S | |
260 | .br | |
261 | .SH DESCRIPTION | |
262 | .PP | |
263 | @@ -60,6 +60,9 @@ | |
264 | Create an X based Sandbox for gui apps, temporary files for | |
265 | $HOME and /tmp, secondary Xserver, defaults to sandbox_x_t | |
266 | .TP | |
267 | +\fB\-d\fR | |
268 | +Set the DPI value for the sanbox X Server. Defaults to the current X Sever DPI. | |
269 | +.TP | |
270 | \fB\-c\fR | |
271 | Use control groups to control this copy of sandbox. Specify parameters in /etc/sysconfig/sandbox. Max memory usage and cpu usage are to be specified in percent. You can specify which CPUs to use by numbering them 0,1,2... etc. | |
272 | .TP | |
273 | diff -Nur a/sandbox/sandbox.conf.5 b/sandbox/sandbox.conf.5 | |
274 | --- a/sandbox/sandbox.conf.5 2011-11-04 14:38:45.000000000 +0100 | |
275 | +++ b/sandbox/sandbox.conf.5 1970-01-01 01:00:00.000000000 +0100 | |
276 | @@ -1,40 +0,0 @@ | |
277 | -.TH sandbox.conf "5" "June 2010" "sandbox.conf" "Linux System Administration" | |
278 | -.SH NAME | |
279 | -sandbox.conf \- user config file for the SELinux sandbox | |
280 | -.SH DESCRIPTION | |
281 | -.PP | |
282 | -When running sandbox with the -C argument, it will be confined using control groups and a system administrator can specify how the sandbox is confined. | |
283 | - | |
284 | -.PP | |
285 | -Everything after "#" is ignored, as are empty lines. All arguments should be separated by and equals sign ("="). | |
286 | - | |
287 | -.PP | |
288 | -These keywords are allowed. | |
289 | - | |
290 | -.RS | |
291 | -.TP | |
292 | -.B NAME | |
293 | -The name of the sandbox control group. Default is "sandbox". | |
294 | - | |
295 | -.TP | |
296 | -.B CPUAFFINITY | |
297 | -Which cpus to assign sandbox to. The default is ALL, but users can specify a comma-separated list with dashes ("-") to represent ranges. Ex: 0-2,5 | |
298 | - | |
299 | -.TP | |
300 | -.B MEMUSAGE | |
301 | -How much memory to allow sandbox to use. The default is 80%. Users can specify either a percentage or a value in the form of a number followed by one of the suffixes K, M, G to denote kilobytes, megabytes or gigabytes respectively. Ex: 50% or 100M | |
302 | - | |
303 | -.TP | |
304 | -.B CPUUSAGE | |
305 | -Percentage of cpu sandbox should be allowed to use. The default is 80%. Specify a value followed by a percent sign ("%"). Ex: 50% | |
306 | - | |
307 | - | |
308 | - | |
309 | -.SH "SEE ALSO" | |
310 | -.TP | |
311 | -sandbox(8) | |
312 | -.PP | |
313 | - | |
314 | -.SH AUTHOR | |
315 | -This manual page was written by | |
316 | -.I Thomas Liu <tliu@fedoraproject.org> | |
317 | diff -Nur a/sandbox/sandbox.init b/sandbox/sandbox.init | |
318 | --- a/sandbox/sandbox.init 2011-11-04 14:38:45.000000000 +0100 | |
319 | +++ b/sandbox/sandbox.init 2011-11-27 18:02:23.521513231 +0100 | |
320 | @@ -19,6 +19,7 @@ | |
321 | # | |
322 | ||
323 | # Source function library. | |
324 | +. /etc/init.d/functions | |
325 | ||
326 | LOCKFILE=/var/lock/subsys/sandbox | |
327 | ||
328 | @@ -27,7 +28,7 @@ | |
329 | start() { | |
330 | echo -n "Starting sandbox" | |
331 | ||
332 | - [ -f "$LOCKFILE" ] && return 1 | |
333 | + [ -f "$LOCKFILE" ] && return 0 | |
334 | ||
335 | touch $LOCKFILE | |
336 | mount --make-rshared / || return $? | |
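Review bot: Returning 0 when `$LOCKFILE` already exists (the @@ -27 hunk) turns a second `start` into a silent success, but the `echo -n "Starting sandbox"` above it has already printed a line with no status and no newline, and the `mount --make-rshared /` below is skipped on the strength of the lockfile alone. A short comment, `# already started: start on a running service counts as success`, plus a `success; echo` before the return (the `functions` library is now sourced on patch line 24) would make the path explicit. Whether anything clears a stale lockfile at boot is outside this file.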
337 | diff -Nur a/scripts/genhomedircon b/scripts/genhomedircon | |
338 | --- a/scripts/genhomedircon 2011-11-04 14:38:45.000000000 +0100 | |
339 | +++ b/scripts/genhomedircon 2011-11-27 18:02:23.521513231 +0100 | |
340 | @@ -1,2 +1,3 @@ | |
341 | #!/bin/sh | |
342 | + | |
343 | /usr/sbin/semodule -Bn | |
344 | diff -Nur a/semanage/default_encoding/default_encoding.c b/semanage/default_encoding/default_encoding.c | |
345 | --- a/semanage/default_encoding/default_encoding.c 1970-01-01 01:00:00.000000000 +0100 | |
346 | +++ b/semanage/default_encoding/default_encoding.c 2011-11-27 18:02:23.533513231 +0100 | |
347 | @@ -0,0 +1,57 @@ | |
348 | +/* | |
349 | + * Authors: | |
350 | + * John Dennis <jdennis@redhat.com> | |
351 | + * | |
352 | + * Copyright (C) 2009 Red Hat | |
353 | + * see file 'COPYING' for use and warranty information | |
354 | + * | |
355 | + * This program is free software; you can redistribute it and/or | |
356 | + * modify it under the terms of the GNU General Public License as | |
357 | + * published by the Free Software Foundation. | |
358 | + * | |
359 | + * This program is distributed in the hope that it will be useful, | |
360 | + * but WITHOUT ANY WARRANTY; without even the implied warranty of | |
361 | + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
362 | + * GNU General Public License for more details. | |
363 | + * | |
364 | + * You should have received a copy of the GNU General Public License | |
365 | + * along with this program; if not, write to the Free Software | |
366 | + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA | |
367 | + */ | |
368 | + | |
369 | +#include <Python.h> | |
370 | + | |
371 | +PyDoc_STRVAR(setdefaultencoding_doc, | |
372 | +"setdefaultencoding(encoding='utf-8')\n\ | |
373 | +\n\ | |
374 | +Set the current default string encoding used by the Unicode implementation.\n\ | |
375 | +Defaults to utf-8." | |
376 | +); | |
377 | + | |
378 | +static PyObject * | |
379 | +setdefaultencoding(PyObject *self, PyObject *args, PyObject *kwds) | |
380 | +{ | |
381 | + static char *kwlist[] = {"utf-8", NULL}; | |
382 | + char *encoding; | |
383 | + | |
384 | + if (!PyArg_ParseTupleAndKeywords(args, kwds, "s:setdefaultencoding", kwlist, &encoding)) | |
385 | + return NULL; | |
386 | + | |
387 | + if (PyUnicode_SetDefaultEncoding(encoding)) | |
388 | + return NULL; | |
389 | + | |
390 | + Py_RETURN_NONE; | |
391 | +} | |
392 | + | |
393 | +static PyMethodDef methods[] = { | |
394 | + {"setdefaultencoding", (PyCFunction)setdefaultencoding, METH_VARARGS|METH_KEYWORDS, setdefaultencoding_doc}, | |
395 | + {NULL, NULL} /* sentinel */ | |
396 | +}; | |
397 | + | |
398 | + | |
399 | +PyMODINIT_FUNC | |
400 | +initdefault_encoding_utf8(void) | |
401 | +{ | |
402 | + PyUnicode_SetDefaultEncoding("utf-8"); | |
403 | + Py_InitModule3("default_encoding_utf8", methods, "Forces the default encoding to utf-8"); | |
404 | +} | |
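Review bot: `kwlist` names the keyword `"utf-8"` rather than `"encoding"`, and the `"s:setdefaultencoding"` format makes the argument mandatory, so the documented call `setdefaultencoding(encoding='utf-8')` and the documented default both fail: `setdefaultencoding()` raises TypeError and `encoding=` is rejected as an unexpected keyword. Initialise `char *encoding = "utf-8";`, use `static char *kwlist[] = {"encoding", NULL};` and the format `"|s:setdefaultencoding"`. `initdefault_encoding_utf8` also calls `PyUnicode_SetDefaultEncoding("utf-8")` unconditionally at import time, a process-wide change to the interpreter that every importer of the package inherits; the module docstring says so, but a comment on that line and a check of its return value would help the next reader. The file targets the Python 2 C API (`Py_InitModule3`), so this does not apply to a Python 3 build.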
405 | diff -Nur a/semanage/default_encoding/Makefile b/semanage/default_encoding/Makefile | |
406 | --- a/semanage/default_encoding/Makefile 1970-01-01 01:00:00.000000000 +0100 | |
407 | +++ b/semanage/default_encoding/Makefile 2011-11-27 18:02:23.533513231 +0100 | |
408 | @@ -0,0 +1,8 @@ | |
409 | +all: | |
410 | + LDFLAGS="" python setup.py build | |
411 | + | |
412 | +install: all | |
413 | + LDFLAGS="" python setup.py install --root=$(DESTDIR)/ | |
414 | + | |
415 | +clean: | |
416 | + rm -rf build *~ | |
417 | diff -Nur a/semanage/default_encoding/policycoreutils/__init__.py b/semanage/default_encoding/policycoreutils/__init__.py | |
418 | --- a/semanage/default_encoding/policycoreutils/__init__.py 1970-01-01 01:00:00.000000000 +0100 | |
419 | +++ b/semanage/default_encoding/policycoreutils/__init__.py 2011-11-27 18:02:23.534513231 +0100 | |
420 | @@ -0,0 +1,17 @@ | |
421 | +# | |
422 | +# Copyright (C) 2006,2007,2008, 2009 Red Hat, Inc. | |
423 | +# | |
424 | +# This program is free software; you can redistribute it and/or modify | |
425 | +# it under the terms of the GNU General Public License as published by | |
426 | +# the Free Software Foundation; either version 2 of the License, or | |
427 | +# (at your option) any later version. | |
428 | +# | |
429 | +# This program is distributed in the hope that it will be useful, | |
430 | +# but WITHOUT ANY WARRANTY; without even the implied warranty of | |
431 | +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
432 | +# GNU General Public License for more details. | |
433 | +# | |
434 | +# You should have received a copy of the GNU General Public License | |
435 | +# along with this program; if not, write to the Free Software | |
436 | +# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. | |
437 | +# | |
438 | diff -Nur a/semanage/default_encoding/setup.py b/semanage/default_encoding/setup.py | |
439 | --- a/semanage/default_encoding/setup.py 1970-01-01 01:00:00.000000000 +0100 | |
440 | +++ b/semanage/default_encoding/setup.py 2011-11-27 18:02:23.536513231 +0100 | |
441 | @@ -0,0 +1,38 @@ | |
442 | +# Authors: | |
443 | +# John Dennis <jdennis@redhat.com> | |
444 | +# | |
445 | +# Copyright (C) 2009 Red Hat | |
446 | +# see file 'COPYING' for use and warranty information | |
447 | +# | |
448 | +# This program is free software; you can redistribute it and/or | |
449 | +# modify it under the terms of the GNU General Public License as | |
450 | +# published by the Free Software Foundation. | |
451 | +# | |
452 | +# This program is distributed in the hope that it will be useful, | |
453 | +# but WITHOUT ANY WARRANTY; without even the implied warranty of | |
454 | +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
455 | +# GNU General Public License for more details. | |
456 | +# | |
457 | +# You should have received a copy of the GNU General Public License | |
458 | +# along with this program; if not, write to the Free Software | |
459 | +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA | |
460 | + | |
461 | +from distutils.core import setup, Extension | |
462 | + | |
463 | +default_encoding_utf8 = Extension('policycoreutils.default_encoding_utf8', ['default_encoding.c']) | |
464 | + | |
465 | +setup(name = 'policycoreutils-default-encoding', | |
466 | + version = '0.1', | |
467 | + description = 'Forces the default encoding in Python to be utf-8', | |
468 | + long_description = 'Forces the default encoding in Python to be utf-8', | |
469 | + author = 'John Dennis', | |
470 | + author_email = 'jdennis@redhat.com', | |
471 | + maintainer = 'John Dennis', | |
472 | + maintainer_email = 'jdennis@redhat.com', | |
473 | + license = 'GPLv3+', | |
474 | + platforms = 'posix', | |
475 | + url = '', | |
476 | + download_url = '', | |
477 | + ext_modules = [default_encoding_utf8], | |
478 | + packages=["policycoreutils"], | |
479 | +) | |
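Review bot: `license = 'GPLv3+'` does not match the headers shipped in the same patch: `policycoreutils/__init__.py` says GPL version 2 or later and `default_encoding.c` cites the GPL without a version, so the distribution metadata claims a licence the sources do not. Align the field with the file headers (`license = 'GPLv2+'` if that is what the authors intend) or fix the headers. `url` and `download_url` are empty strings and carry no information; drop them or fill them in.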
480 | diff -Nur a/semanage/semanage b/semanage/semanage | |
481 | --- a/semanage/semanage 2011-11-04 14:38:45.000000000 +0100 | |
482 | +++ b/semanage/semanage 2011-11-27 18:02:23.537513231 +0100 | |
483 | @@ -20,6 +20,7 @@ | |
484 | # 02111-1307 USA | |
485 | # | |
486 | # | |
487 | +import policycoreutils.default_encoding_utf8 | |
488 | import sys, getopt, re | |
489 | import seobject | |
490 | import selinux | |
491 | @@ -32,7 +33,7 @@ | |
492 | try: | |
493 | gettext.install(PROGNAME, | |
494 | localedir="/usr/share/locale", | |
495 | - unicode=False, | |
496 | + unicode=True, | |
497 | codeset = 'utf-8') | |
498 | except IOError: | |
499 | import __builtin__ | |
500 | @@ -283,11 +284,14 @@ | |
501 | equal = a | |
502 | ||
503 | if o == "--enable": | |
504 | - set_action(o) | |
505 | + if disable: | |
506 | + raise ValueError(_("You can't disable and enable at the same time")) | |
507 | + | |
508 | enable = True | |
509 | ||
510 | if o == "--disable": | |
511 | - set_action(o) | |
512 | + if enable: | |
513 | + raise ValueError(_("You can't disable and enable at the same time")) | |
514 | disable = True | |
515 | ||
516 | if o == "-F" or o == "--file": | |
517 | @@ -504,31 +508,36 @@ | |
518 | if len(sys.argv) < 3: | |
519 | usage(_("Requires 2 or more arguments")) | |
520 | ||
521 | - gopts, cmds = getopt.getopt(sys.argv[1:], | |
522 | - '01adf:i:lhmno:p:s:FCDR:L:r:t:T:P:S:', | |
523 | - ['add', | |
524 | - 'delete', | |
525 | - 'deleteall', | |
526 | - 'ftype=', | |
527 | - 'file', | |
528 | - 'help', | |
529 | - 'input=', | |
530 | - 'list', | |
531 | - 'modify', | |
532 | - 'noheading', | |
533 | - 'localist', | |
534 | - 'off', | |
535 | - 'on', | |
536 | - 'output=', | |
537 | - 'proto=', | |
538 | - 'seuser=', | |
539 | - 'store=', | |
540 | - 'range=', | |
541 | - 'level=', | |
542 | - 'roles=', | |
543 | - 'type=', | |
544 | - 'prefix=' | |
545 | - ]) | |
546 | + try: | |
547 | + gopts, cmds = getopt.getopt(sys.argv[1:], | |
548 | + '01adf:i:lhmno:p:s:FCDR:L:r:t:T:P:S:', | |
549 | + ['add', | |
550 | + 'delete', | |
551 | + 'deleteall', | |
552 | + 'ftype=', | |
553 | + 'file', | |
554 | + 'help', | |
555 | + 'input=', | |
556 | + 'list', | |
557 | + 'modify', | |
558 | + 'noheading', | |
559 | + 'localist', | |
560 | + 'off', | |
561 | + 'on', | |
562 | + 'output=', | |
563 | + 'proto=', | |
564 | + 'seuser=', | |
565 | + 'store=', | |
566 | + 'range=', | |
567 | + 'level=', | |
568 | + 'roles=', | |
569 | + 'type=', | |
570 | + 'trans=', | |
571 | + 'prefix=' | |
572 | + ]) | |
573 | + except getopt.error, error: | |
574 | + usage(_("Options Error %s ") % error.msg) | |
575 | + | |
576 | for o, a in gopts: | |
577 | if o == "-S" or o == '--store': | |
578 | store = a | |
579 | @@ -558,8 +567,6 @@ | |
580 | else: | |
581 | process_args(sys.argv[1:]) | |
582 | ||
583 | - except getopt.error, error: | |
584 | - usage(_("Options Error %s ") % error.msg) | |
585 | except ValueError, error: | |
586 | errorExit(error.args[0]) | |
587 | except KeyError, error: | |
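Review bot: `import policycoreutils.default_encoding_utf8` (patch line 487) is imported purely for its side effect — the extension forces the interpreter's default encoding to utf-8 when loaded — and nothing in this file references the name, so a linter or a later cleanup will drop it. Mark it: `import policycoreutils.default_encoding_utf8  # side effect only: forces the default encoding to utf-8`. In the @@ -283 hunk the `set_action(o)` calls for `--enable`/`--disable` are replaced by a mutual-exclusion check; if `set_action` also guarded against combining these with `-a`/`-d`/`-m`, that guard is now gone — its body is outside the hunk, so worth confirming.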
588 | diff -Nur a/semanage/seobject.py b/semanage/seobject.py | |
589 | --- a/semanage/seobject.py 2011-11-04 14:38:45.000000000 +0100 | |
590 | +++ b/semanage/seobject.py 2011-11-27 18:02:23.539513231 +0100 | |
591 | @@ -30,11 +30,10 @@ | |
592 | import gettext | |
593 | gettext.bindtextdomain(PROGNAME, "/usr/share/locale") | |
594 | gettext.textdomain(PROGNAME) | |
595 | -try: | |
596 | - gettext.install(PROGNAME, localedir = "/usr/share/locale", unicode = 1) | |
597 | -except IOError: | |
598 | - import __builtin__ | |
599 | - __builtin__.__dict__['_'] = unicode | |
600 | + | |
601 | +import gettext | |
602 | +translation=gettext.translation(PROGNAME, localedir = "/usr/share/locale", fallback=True) | |
603 | +_=translation.ugettext | |
604 | ||
605 | import syslog | |
606 | ||
607 | @@ -166,6 +165,7 @@ | |
608 | transaction = False | |
609 | handle = None | |
610 | store = None | |
611 | + | |
612 | def __init__(self, store): | |
613 | global handle | |
614 | ||
615 | @@ -333,6 +333,7 @@ | |
616 | name = semanage_module_get_name(mod) | |
617 | if name and name.startswith("permissive_"): | |
618 | l.append(name.split("permissive_")[1]) | |
619 | + | |
620 | return l | |
621 | ||
622 | def list(self, heading = 1, locallist = 0): | |
623 | @@ -431,7 +432,9 @@ | |
624 | if rc < 0: | |
625 | raise ValueError(_("Could not check if login mapping for %s is defined") % name) | |
626 | if exists: | |
627 | - raise ValueError(_("Login mapping for %s is already defined") % name) | |
628 | + semanage_seuser_key_free(k) | |
629 | + return self.__modify(name, sename, serange) | |
630 | + | |
631 | if name[0] == '%': | |
632 | try: | |
633 | grp.getgrnam(name[1:]) | |
634 | @@ -641,7 +644,8 @@ | |
635 | if rc < 0: | |
636 | raise ValueError(_("Could not check if SELinux user %s is defined") % name) | |
637 | if exists: | |
638 | - raise ValueError(_("SELinux user %s is already defined") % name) | |
639 | + semanage_user_key_free(k) | |
640 | + return self.__modify(name, roles, selevel, serange, prefix) | |
641 | ||
642 | (rc, u) = semanage_user_create(self.sh) | |
643 | if rc < 0: | |
644 | @@ -881,6 +885,7 @@ | |
645 | return ( k, proto_d, low, high ) | |
646 | ||
647 | def __add(self, port, proto, serange, type): | |
648 | + | |
649 | if is_mls_enabled == 1: | |
650 | if serange == "": | |
651 | serange = "s0" | |
652 | @@ -943,6 +948,7 @@ | |
653 | self.commit() | |
654 | ||
655 | def __modify(self, port, proto, serange, setype): | |
656 | + | |
657 | if serange == "" and setype == "": | |
658 | if is_mls_enabled == 1: | |
659 | raise ValueError(_("Requires setype or serange")) | |
660 | @@ -1156,7 +1162,8 @@ | |
661 | ||
662 | (rc, exists) = semanage_node_exists(self.sh, k) | |
663 | if exists: | |
664 | - raise ValueError(_("Addr %s already defined") % addr) | |
665 | + semanage_node_key_free(k) | |
666 | + return self.__modify(addr, mask, self.protocol[proto], serange, ctype) | |
667 | ||
668 | (rc, node) = semanage_node_create(self.sh) | |
669 | if rc < 0: | |
670 | @@ -1172,7 +1179,6 @@ | |
671 | if rc < 0: | |
672 | raise ValueError(_("Could not set mask for %s") % addr) | |
673 | ||
674 | - | |
675 | rc = semanage_context_set_user(self.sh, con, "system_u") | |
676 | if rc < 0: | |
677 | raise ValueError(_("Could not set user in addr context for %s") % addr) | |
678 | @@ -1224,12 +1230,11 @@ | |
679 | if not exists: | |
680 | raise ValueError(_("Addr %s is not defined") % addr) | |
681 | ||
682 | - (rc, node) = semanage_node_query(self.sh, k) | |
683 | + (rc, node) = semanage_node_query_local(self.sh, k) | |
684 | if rc < 0: | |
685 | raise ValueError(_("Could not query addr %s") % addr) | |
686 | ||
687 | con = semanage_node_get_con(node) | |
688 | - | |
689 | if serange != "": | |
690 | semanage_context_set_mls(self.sh, con, untranslate(serange)) | |
691 | if setype != "": | |
692 | @@ -1357,7 +1362,8 @@ | |
693 | if rc < 0: | |
694 | raise ValueError(_("Could not check if interface %s is defined") % interface) | |
695 | if exists: | |
696 | - raise ValueError(_("Interface %s already defined") % interface) | |
697 | + semanage_iface_key_free(k) | |
698 | + return self.__modify(interface, serange, ctype) | |
699 | ||
700 | (rc, iface) = semanage_iface_create(self.sh) | |
701 | if rc < 0: | |
702 | @@ -1525,6 +1531,7 @@ | |
703 | def __init__(self, store = ""): | |
704 | semanageRecords.__init__(self, store) | |
705 | self.equiv = {} | |
706 | + self.equiv_dist = {} | |
707 | self.equal_ind = False | |
708 | try: | |
709 | fd = open(selinux.selinux_file_context_subs_path(), "r") | |
710 | @@ -1534,6 +1541,14 @@ | |
711 | fd.close() | |
712 | except IOError: | |
713 | pass | |
714 | + try: | |
715 | + fd = open(selinux.selinux_file_context_subs_dist_path(), "r") | |
716 | + for i in fd.readlines(): | |
717 | + src, dst = i.split() | |
718 | + self.equiv_dist[src] = dst | |
719 | + fd.close() | |
720 | + except IOError: | |
721 | + pass | |
722 | ||
723 | def commit(self): | |
724 | if self.equal_ind: | |
725 | @@ -1589,12 +1604,21 @@ | |
726 | ||
727 | return con | |
728 | ||
729 | + def check_equiv(self, target, fdict): | |
730 | + for i in fdict: | |
731 | + if target.startswith(i+"/"): | |
732 | + t = re.sub(i, fdict[i], target) | |
733 | + raise ValueError(_("File spec %s conflicts with equivalency rule '%s %s'; Try adding '%s' instead") % (target, i, fdict[i], t)) | |
734 | + | |
735 | + | |
736 | def validate(self, target): | |
737 | if target == "" or target.find("\n") >= 0: | |
738 | raise ValueError(_("Invalid file specification")) | |
739 | if target.find(" ") != -1: | |
740 | raise ValueError(_("File specification can not include spaces")) | |
741 | - | |
742 | + self.check_equiv(target, self.equiv) | |
743 | + self.check_equiv(target, self.equiv_dist) | |
744 | + | |
745 | def __add(self, target, type, ftype = "", serange = "", seuser = "system_u"): | |
746 | self.validate(target) | |
747 | ||
748 | @@ -1618,7 +1642,8 @@ | |
749 | raise ValueError(_("Could not check if file context for %s is defined") % target) | |
750 | ||
751 | if exists: | |
752 | - raise ValueError(_("File context for %s already defined") % target) | |
753 | + semanage_fcontext_key_free(k) | |
754 | + return self.__modify(target, type, ftype, serange, seuser) | |
755 | ||
756 | (rc, fcontext) = semanage_fcontext_create(self.sh) | |
757 | if rc < 0: | |
758 | @@ -1825,9 +1850,17 @@ | |
759 | print "%-50s %-18s %s:%s:%s " % (k[0], k[1], fcon_dict[k][0], fcon_dict[k][1],fcon_dict[k][2]) | |
760 | else: | |
761 | print "%-50s %-18s <<None>>" % (k[0], k[1]) | |
762 | - if len(self.equiv.keys()) > 0: | |
763 | + | |
764 | + | |
765 | + if len(self.equiv_dist): | |
766 | + if not locallist: | |
767 | + if heading: | |
768 | + print _("\nSELinux Distribution fcontext Equivalence \n") | |
769 | + for src in self.equiv_dist.keys(): | |
770 | + print "%s = %s" % (src, self.equiv_dist[src]) | |
771 | + if len(self.equiv): | |
772 | if heading: | |
773 | - print _("\nSELinux fcontext Equivalence \n") | |
774 | + print _("\nSELinux Local fcontext Equivalence \n") | |
775 | ||
776 | for src in self.equiv.keys(): | |
777 | print "%s = %s" % (src, self.equiv[src]) | |
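Review bot: `check_equiv` (the @@ -1589 hunk) builds the suggested path with `re.sub(i, fdict[i], target)`, where `i` is a filesystem path used as a regular expression: `.` matches any character, and a path containing `+`, `(` or `[` either mis-substitutes or raises `re.error` instead of the intended ValueError. The `startswith(i+"/")` test has already established the prefix, so plain string arithmetic is correct and cheaper: `t = fdict[i] + target[len(i):]`. The `__add`→`__modify` fallbacks for login, user, node, interface and fcontext are a deliberate behaviour change, so I have not flagged them; the new `equiv_dist` loader in `__init__` mirrors the existing `equiv` loader and, like it, raises ValueError on a blank or comment line because `src, dst = i.split()` is unguarded.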
778 | diff -Nur a/setfiles/restore.c b/setfiles/restore.c | |
779 | --- a/setfiles/restore.c 2011-11-04 14:38:45.000000000 +0100 | |
780 | +++ b/setfiles/restore.c 2011-11-27 18:02:23.540513231 +0100 | |
781 | @@ -1,5 +1,6 @@ | |
782 | #include "restore.h" | |
783 | #include <glob.h> | |
784 | +#include <selinux/context.h> | |
785 | ||
786 | #define SKIP -2 | |
787 | #define ERR -1 | |
788 | @@ -33,7 +34,6 @@ | |
789 | ||
790 | static file_spec_t *fl_head; | |
791 | static int filespec_add(ino_t ino, const security_context_t con, const char *file); | |
792 | -static int only_changed_user(const char *a, const char *b); | |
793 | struct restore_opts *r_opts = NULL; | |
794 | static void filespec_destroy(void); | |
795 | static void filespec_eval(void); | |
796 | @@ -58,11 +58,16 @@ | |
797 | void restore_init(struct restore_opts *opts) | |
798 | { | |
799 | r_opts = opts; | |
800 | - struct selinux_opt selinux_opts[] = { | |
801 | - { SELABEL_OPT_VALIDATE, r_opts->selabel_opt_validate }, | |
802 | - { SELABEL_OPT_PATH, r_opts->selabel_opt_path } | |
803 | - }; | |
804 | - r_opts->hnd = selabel_open(SELABEL_CTX_FILE, selinux_opts, 2); | |
805 | + struct selinux_opt selinux_opts[3]; | |
806 | + | |
807 | + selinux_opts[0].type = SELABEL_OPT_VALIDATE; | |
808 | + selinux_opts[0].value = r_opts->selabel_opt_validate; | |
809 | + selinux_opts[1].type = SELABEL_OPT_PATH; | |
810 | + selinux_opts[1].value = r_opts->selabel_opt_path; | |
811 | + selinux_opts[2].type = SELABEL_OPT_PREFIXES; | |
812 | + selinux_opts[2].values = r_opts->selabel_opt_prefixes; | |
813 | + | |
814 | + r_opts->hnd = selabel_open(SELABEL_CTX_FILE, selinux_opts, 3); | |
815 | if (!r_opts->hnd) { | |
816 | perror(r_opts->selabel_opt_path); | |
817 | exit(1); | |
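Review bot: `selinux_opts[2].values` and `SELABEL_OPT_PREFIXES` presumably only exist with a libselinux that carries the matching prefix-filtering patch; the stock `struct selinux_opt` has a single `value` member, so against an unpatched header this hunk fails to compile rather than degrading gracefully. Guarding the third option on the constant keeps setfiles buildable either way and makes the dependency explicit; the `-L` option then has no effect on an unpatched library, which is worth a comment at that spot. restore_init's body continues outside the hunk.
```c
	struct selinux_opt selinux_opts[3];
	unsigned int nopts = 2;

	selinux_opts[0].type = SELABEL_OPT_VALIDATE;
	selinux_opts[0].value = r_opts->selabel_opt_validate;
	selinux_opts[1].type = SELABEL_OPT_PATH;
	selinux_opts[1].value = r_opts->selabel_opt_path;
#ifdef SELABEL_OPT_PREFIXES
	/* Only honoured by a libselinux that understands prefix filtering. */
	selinux_opts[2].type = SELABEL_OPT_PREFIXES;
	selinux_opts[2].values = r_opts->selabel_opt_prefixes;
	nopts = 3;
#endif

	r_opts->hnd = selabel_open(SELABEL_CTX_FILE, selinux_opts, nopts);
	/* … unchanged: handle check and exit(1) … */
```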
818 | @@ -104,8 +109,7 @@ | |
819 | { | |
820 | char *my_file = strdupa(ftsent->fts_path); | |
821 | int ret = -1; | |
822 | - char *context, *newcon; | |
823 | - int user_only_changed = 0; | |
824 | + security_context_t curcon = NULL, newcon = NULL; | |
825 | ||
826 | if (match(my_file, ftsent->fts_statp, &newcon) < 0) | |
827 | /* Check for no matching specification. */ | |
828 | @@ -139,74 +143,105 @@ | |
829 | printf("%s: %s matched by %s\n", r_opts->progname, my_file, newcon); | |
830 | } | |
831 | ||
832 | + /* | |
833 | + * Do not relabel if their is no default specification for this file | |
834 | + */ | |
835 | + | |
836 | + if (strcmp(newcon, "<<none>>") == 0) { | |
837 | + goto out; | |
838 | + } | |
839 | + | |
840 | /* Get the current context of the file. */ | |
841 | - ret = lgetfilecon_raw(ftsent->fts_accpath, &context); | |
842 | + ret = lgetfilecon_raw(ftsent->fts_accpath, &curcon); | |
843 | if (ret < 0) { | |
844 | if (errno == ENODATA) { | |
845 | - context = NULL; | |
846 | + curcon = NULL; | |
847 | } else { | |
848 | fprintf(stderr, "%s get context on %s failed: '%s'\n", | |
849 | r_opts->progname, my_file, strerror(errno)); | |
850 | goto err; | |
851 | } | |
852 | - user_only_changed = 0; | |
853 | - } else | |
854 | - user_only_changed = only_changed_user(context, newcon); | |
855 | + } | |
856 | + | |
857 | /* lgetfilecon returns number of characters and ret needs to be reset | |
858 | * to 0. | |
859 | */ | |
860 | ret = 0; | |
861 | ||
862 | /* | |
863 | - * Do not relabel the file if the matching specification is | |
864 | - * <<none>> or the file is already labeled according to the | |
865 | - * specification. | |
866 | + * Do not relabel the file if the file is already labeled according to | |
867 | + * the specification. | |
868 | */ | |
869 | - if ((strcmp(newcon, "<<none>>") == 0) || | |
870 | - (context && (strcmp(context, newcon) == 0))) { | |
871 | - freecon(context); | |
872 | + if (curcon && (strcmp(curcon, newcon) == 0)) { | |
873 | goto out; | |
874 | } | |
875 | ||
876 | - if (!r_opts->force && context && (is_context_customizable(context) > 0)) { | |
877 | + if (!r_opts->force && curcon && (is_context_customizable(curcon) > 0)) { | |
878 | if (r_opts->verbose > 1) { | |
879 | fprintf(stderr, | |
880 | "%s: %s not reset customized by admin to %s\n", | |
881 | - r_opts->progname, my_file, context); | |
882 | + r_opts->progname, my_file, curcon); | |
883 | } | |
884 | - freecon(context); | |
885 | goto out; | |
886 | } | |
887 | ||
888 | - if (r_opts->verbose) { | |
889 | - /* If we're just doing "-v", trim out any relabels where | |
890 | - * the user has r_opts->changed but the role and type are the | |
891 | - * same. For "-vv", emit everything. */ | |
892 | - if (r_opts->verbose > 1 || !user_only_changed) { | |
893 | - printf("%s reset %s context %s->%s\n", | |
894 | - r_opts->progname, my_file, context ?: "", newcon); | |
895 | + /* | |
896 | + * Do not change label unless this is a force or the type is different | |
897 | + */ | |
898 | + if (!r_opts->force && curcon) { | |
899 | + int types_differ = 0; | |
900 | + context_t cona; | |
901 | + context_t conb; | |
902 | + int err = 0; | |
903 | + cona = context_new(curcon); | |
904 | + if (! cona) { | |
905 | + goto out; | |
906 | + } | |
907 | + conb = context_new(newcon); | |
908 | + if (! conb) { | |
909 | + context_free(cona); | |
910 | + goto out; | |
911 | } | |
912 | + | |
913 | + types_differ = strcmp(context_type_get(cona), context_type_get(conb)); | |
914 | + if (types_differ) { | |
915 | + err |= context_user_set(conb, context_user_get(cona)); | |
916 | + err |= context_role_set(conb, context_role_get(cona)); | |
917 | + err |= context_range_set(conb, context_range_get(cona)); | |
918 | + if (!err) { | |
919 | + freecon(newcon); | |
920 | + newcon = strdup(context_str(conb)); | |
921 | + } | |
922 | + } | |
923 | + context_free(cona); | |
924 | + context_free(conb); | |
925 | + | |
926 | + if (!types_differ || err) { | |
927 | + goto out; | |
928 | + } | |
929 | + } | |
930 | + | |
931 | + if (r_opts->verbose) { | |
932 | + printf("%s reset %s context %s->%s\n", | |
933 | + r_opts->progname, my_file, curcon ?: "", newcon); | |
934 | } | |
935 | ||
936 | - if (r_opts->logging && !user_only_changed) { | |
937 | - if (context) | |
938 | + if (r_opts->logging) { | |
939 | + if (curcon) | |
940 | syslog(LOG_INFO, "relabeling %s from %s to %s\n", | |
941 | - my_file, context, newcon); | |
942 | + my_file, curcon, newcon); | |
943 | else | |
944 | syslog(LOG_INFO, "labeling %s to %s\n", | |
945 | my_file, newcon); | |
946 | } | |
947 | ||
948 | - if (r_opts->outfile && !user_only_changed) | |
949 | + if (r_opts->outfile) | |
950 | fprintf(r_opts->outfile, "%s\n", my_file); | |
951 | ||
952 | - if (context) | |
953 | - freecon(context); | |
954 | - | |
955 | /* | |
956 | * Do not relabel the file if -n was used. | |
957 | */ | |
958 | - if (!r_opts->change || user_only_changed) | |
959 | + if (!r_opts->change) | |
960 | goto out; | |
961 | ||
962 | /* | |
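Review bot: `newcon = strdup(context_str(conb));` in the types_differ branch is unchecked; on failure newcon becomes NULL while `err` stays 0, so control falls through to the `printf`/`syslog` lines that pass it as `%s` and then to the relabel with a NULL context. Fold the failure into the existing flag: `newcon = strdup(context_str(conb));` / `if (!newcon) err = 1;`. Related: every failure in this branch (context_new on either label, the user/role/range setters, this strdup) ends in `goto out`, which returns 0 as though the file were already correctly labelled, so a file whose on-disk context cannot be parsed is silently skipped; `goto err` with a message on stderr, as the lgetfilecon_raw failure above already does, keeps the skip visible to the operator. Note also that newcon, originally owned by the labeling handle and released with freecon(), is now replaced by a strdup() result that the out/err labels still free with freecon(); that works because freecon is free() in libselinux, but a one-line comment at the strdup would save the next reader the check. restore_file's body continues outside the hunk on both sides.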
963 | @@ -220,12 +255,15 @@ | |
964 | } | |
965 | ret = 1; | |
966 | out: | |
967 | + freecon(curcon); | |
968 | freecon(newcon); | |
969 | return ret; | |
970 | skip: | |
971 | + freecon(curcon); | |
972 | freecon(newcon); | |
973 | return SKIP; | |
974 | err: | |
975 | + freecon(curcon); | |
976 | freecon(newcon); | |
977 | return ERR; | |
978 | } | |
979 | @@ -447,22 +485,6 @@ | |
980 | return 0; | |
981 | } | |
982 | ||
983 | -/* Compare two contexts to see if their differences are "significant", | |
984 | - * or whether the only difference is in the user. */ | |
985 | -static int only_changed_user(const char *a, const char *b) | |
986 | -{ | |
987 | - char *rest_a, *rest_b; /* Rest of the context after the user */ | |
988 | - if (r_opts->force) | |
989 | - return 0; | |
990 | - if (!a || !b) | |
991 | - return 0; | |
992 | - rest_a = strchr(a, ':'); | |
993 | - rest_b = strchr(b, ':'); | |
994 | - if (!rest_a || !rest_b) | |
995 | - return 0; | |
996 | - return (strcmp(rest_a, rest_b) == 0); | |
997 | -} | |
998 | - | |
999 | /* | |
1000 | * Evaluate the association hash table distribution. | |
1001 | */ | |
1002 | diff -Nur a/setfiles/restorecon.8 b/setfiles/restorecon.8 | |
1003 | --- a/setfiles/restorecon.8 2011-11-04 14:38:45.000000000 +0100 | |
1004 | +++ b/setfiles/restorecon.8 2011-11-27 18:02:23.541513231 +0100 | |
1005 | @@ -4,22 +4,27 @@ | |
1006 | ||
1007 | .SH "SYNOPSIS" | |
1008 | .B restorecon | |
1009 | -.I [\-o outfilename ] [\-R] [\-n] [\-p] [\-v] [\-e directory ] pathname... | |
1010 | +.I [\-o outfilename ] [\-R] [\-n] [\-p] [\-v] [\-e directory ] [\-L labelprefix ] pathname... | |
1011 | .P | |
1012 | .B restorecon | |
1013 | -.I \-f infilename [\-o outfilename ] [\-e directory ] [\-R] [\-n] [\-p] [\-v] [\-F] | |
1014 | +.I \-f infilename [\-o outfilename ] [\-e directory ] [\-L labelprefix ] [\-R] [\-n] [\-p] [\-v] [\-F] | |
1015 | ||
1016 | .SH "DESCRIPTION" | |
1017 | This manual page describes the | |
1018 | .BR restorecon | |
1019 | program. | |
1020 | .P | |
1021 | -This program is primarily used to set the security context | |
1022 | +This program is primarily used to reset the security context (type) | |
1023 | (extended attributes) on one or more files. | |
1024 | .P | |
1025 | It can be run at any time to correct errors, to add support for | |
1026 | new policy, or with the \-n option it can just check whether the file | |
1027 | contexts are all as you expect. | |
1028 | +.P | |
1029 | +If a file object does not have a context, restorecon will write the default | |
1030 | +context to the file object's extended attributes. If a file object has a | |
1031 | +context, restorecon will only modify the type portion of the security context. | |
1032 | +The -F option will force a replacement of the entire context. | |
1033 | ||
1034 | .SH "OPTIONS" | |
1035 | .TP | |
1036 | @@ -32,6 +37,12 @@ | |
1037 | .B \-e directory | |
1038 | directory to exclude (repeat option for more than one directory.) | |
1039 | .TP | |
1040 | +.B \-L labelprefix | |
1041 | +Tells selinux to only use the file context that match this prefix for labeling, -L can be called multiple times. Can speed up labeling if you are only doing one directory. | |
1042 | + | |
1043 | +# restorecon -R -v -L /dev /dev | |
1044 | + | |
1045 | +.TP | |
1046 | .B \-R \-r | |
1047 | change files and directories file labels recursively | |
1048 | .TP | |
1049 | @@ -47,11 +58,8 @@ | |
1050 | .B \-v | |
1051 | show changes in file labels. | |
1052 | .TP | |
1053 | -.B \-vv | |
1054 | -show changes in file labels, if type, role, or user are changing. | |
1055 | -.TP | |
1056 | .B \-F | |
1057 | -Force reset of context to match file_context for customizable files, or the user section, if it has changed. | |
1058 | +Force reset of context to match file_context for customizable files, and the default file context, changing the user, role, range portion as well as the type. | |
1059 | .TP | |
1060 | .SH "ARGUMENTS" | |
1061 | .B pathname... | |
1062 | diff -Nur a/setfiles/restore.h b/setfiles/restore.h | |
1063 | --- a/setfiles/restore.h 2011-11-04 14:38:45.000000000 +0100 | |
1064 | +++ b/setfiles/restore.h 2011-11-27 18:02:23.540513231 +0100 | |
1065 | @@ -40,6 +40,7 @@ | |
1066 | int fts_flags; /* Flags to fts, e.g. follow links, follow mounts */ | |
1067 | const char *selabel_opt_validate; | |
1068 | const char *selabel_opt_path; | |
1069 | + const char **selabel_opt_prefixes; | |
1070 | }; | |
1071 | ||
1072 | void restore_init(struct restore_opts *opts); | |
1073 | diff -Nur a/setfiles/setfiles.8 b/setfiles/setfiles.8 | |
1074 | --- a/setfiles/setfiles.8 2011-11-04 14:38:45.000000000 +0100 | |
1075 | +++ b/setfiles/setfiles.8 2011-11-27 18:02:23.542513231 +0100 | |
1076 | @@ -4,7 +4,7 @@ | |
1077 | ||
1078 | .SH "SYNOPSIS" | |
1079 | .B setfiles | |
1080 | -.I [\-c policy ] [\-d] [\-l] [\-n] [\-e directory ] [\-o filename ] [\-q] [\-s] [\-v] [\-vv] [\-W] [\-F] spec_file pathname... | |
1081 | +.I [\-c policy ] [\-d] [\-l] [\-n] [\-e directory ] [\-o filename ] [\-L labelprefix ] [\-q] [\-s] [\-v] [\-W] [\-F] spec_file pathname... | |
1082 | .SH "DESCRIPTION" | |
1083 | This manual page describes the | |
1084 | .BR setfiles | |
1085 | @@ -17,6 +17,11 @@ | |
1086 | It can also be run at any time to correct errors, to add support for | |
1087 | new policy, or with the \-n option it can just check whether the file | |
1088 | contexts are all as you expect. | |
1089 | +.P | |
1090 | +If a file object does not have a context, setfiles will write the default | |
1091 | +context to the file object's extended attributes. If a file object has a | |
1092 | +context, setfiles will only modify the type portion of the security context. | |
1093 | +The -F option will force a replacement of the entire context. | |
1094 | ||
1095 | .SH "OPTIONS" | |
1096 | .TP | |
1097 | @@ -45,8 +50,11 @@ | |
1098 | directory to exclude (repeat option for more than one directory.) | |
1099 | .TP | |
1100 | .B \-F | |
1101 | -Force reset of context to match file_context for customizable files | |
1102 | +Force reset of context to match file_context for customizable files, and the default file context, changing the user, role, range portion as well as the type. | |
1103 | .TP | |
1104 | +.B \-L labelprefix | |
1105 | +Tells selinux to only use the file context that match this prefix for labeling, -L can be called multiple times. Can speed up labeling if you are only doing one directory. | |
1106 | +.TP | |
1107 | .B \-o filename | |
1108 | save list of files with incorrect context in filename. | |
1109 | .TP | |
1110 | @@ -55,10 +63,7 @@ | |
1111 | command line. | |
1112 | .TP | |
1113 | .B \-v | |
1114 | -show changes in file labels, if type or role are changing. | |
1115 | -.TP | |
1116 | -.B \-vv | |
1117 | -show changes in file labels, if type, role, or user are changing. | |
1118 | +show changes in file labels. | |
1119 | .TP | |
1120 | .B \-W | |
1121 | display warnings about entries that had no matching files. | |
1122 | diff -Nur a/setfiles/setfiles.c b/setfiles/setfiles.c | |
1123 | --- a/setfiles/setfiles.c 2011-11-04 14:38:45.000000000 +0100 | |
1124 | +++ b/setfiles/setfiles.c 2011-11-27 18:02:23.542513231 +0100 | |
1125 | @@ -39,7 +39,7 @@ | |
1126 | { | |
1127 | if (iamrestorecon) { | |
1128 | fprintf(stderr, | |
1129 | - "usage: %s [-iFnprRv0] [-e excludedir ] [-o filename ] [-f filename | pathname... ]\n", | |
1130 | + "usage: %s [-iFnprRv0] [ -L labelprefix ] [-e excludedir ] [-o filename ] [-f filename | pathname... ]\n", | |
1131 | name); | |
1132 | } else { | |
1133 | fprintf(stderr, | |
1134 | @@ -137,7 +137,7 @@ | |
1135 | int main(int argc, char **argv) | |
1136 | { | |
1137 | struct stat sb; | |
1138 | - int opt, i = 0; | |
1139 | + int opt, i; | |
1140 | char *input_filename = NULL; | |
1141 | int use_input_file = 0; | |
1142 | char *buf = NULL; | |
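Review bot: Dropping the `= 0` initializer from `i` is only safe if every read of `i` between this declaration and the cleanup loop near the end of main (outside this hunk) is preceded by an assignment; that cannot be verified from the hunk alone, and a read before assignment is undefined behaviour. Unless a set-but-unused warning motivated the change, `int opt, i = 0;` costs nothing and keeps the previous guarantee. main's body continues outside the hunk.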
1143 | @@ -145,6 +145,8 @@ | |
1144 | int recurse; /* Recursive descent. */ | |
1145 | char *base; | |
1146 | int mass_relabel = 0, errors = 0; | |
1147 | + int num_prefixes = 0; | |
1148 | + const char *null_array[1] = { NULL }; | |
1149 | ||
1150 | memset(&r_opts, 0, sizeof(r_opts)); | |
1151 | ||
1152 | @@ -160,6 +162,7 @@ | |
1153 | r_opts.outfile = NULL; | |
1154 | r_opts.force = 0; | |
1155 | r_opts.hard_links = 1; | |
1156 | + r_opts.selabel_opt_prefixes = null_array; | |
1157 | ||
1158 | altpath = NULL; | |
1159 | ||
1160 | @@ -217,7 +220,7 @@ | |
1161 | exclude_non_seclabel_mounts(); | |
1162 | ||
1163 | /* Process any options. */ | |
1164 | - while ((opt = getopt(argc, argv, "c:de:f:ilnpqrsvo:FRW0")) > 0) { | |
1165 | + while ((opt = getopt(argc, argv, "c:de:f:ilnpqrsvo:FL:RW0")) > 0) { | |
1166 | switch (opt) { | |
1167 | case 'c': | |
1168 | { | |
1169 | @@ -280,6 +283,35 @@ | |
1170 | case 'n': | |
1171 | r_opts.change = 0; | |
1172 | break; | |
1173 | + case 'L': | |
1174 | + { | |
1175 | + char **new_prefixes; | |
1176 | + | |
1177 | + /* we need 1 for this entry and 1 for the NULL entry */ | |
1178 | + new_prefixes = malloc(sizeof(*new_prefixes) * (num_prefixes + 2)); | |
1179 | + if (!new_prefixes) { | |
1180 | + fprintf(stderr, "Can't allocate memory for labeling prefix %s:%s\n", | |
1181 | + optarg, strerror(errno)); | |
1182 | + exit(1); | |
1183 | + } | |
1184 | + | |
1185 | + memcpy(new_prefixes, r_opts.selabel_opt_prefixes, sizeof(*new_prefixes) * num_prefixes); | |
1186 | + new_prefixes[num_prefixes] = strdup(optarg); | |
1187 | + if (!new_prefixes[num_prefixes]) { | |
1188 | + fprintf(stderr, "Can't allocate memory for labeling prefix %s:%s\n", | |
1189 | + optarg, strerror(errno)); | |
1190 | + exit(1); | |
1191 | + } | |
1192 | + | |
1193 | + new_prefixes[num_prefixes + 1] = NULL; | |
1194 | + num_prefixes++; | |
1195 | + | |
1196 | + if (r_opts.selabel_opt_prefixes != null_array) | |
1197 | + free(r_opts.selabel_opt_prefixes); | |
1198 | + | |
1199 | + r_opts.selabel_opt_prefixes = (const char **)new_prefixes; | |
1200 | + break; | |
1201 | + } | |
1202 | case 'o': | |
1203 | if (strcmp(optarg, "-") == 0) { | |
1204 | r_opts.outfile = stdout; | |
1205 | @@ -433,7 +465,15 @@ | |
1206 | if (r_opts.outfile) | |
1207 | fclose(r_opts.outfile); | |
1208 | ||
1209 | - if (r_opts.progress && r_opts.count >= STAR_COUNT) | |
1210 | - printf("\n"); | |
1211 | + if (r_opts.progress && r_opts.count >= STAR_COUNT) | |
1212 | + printf("\n"); | |
1213 | + | |
1214 | + free(r_opts.progname); | |
1215 | + i = 0; | |
1216 | + while (r_opts.selabel_opt_prefixes[i]) | |
1217 | + free((void *)r_opts.selabel_opt_prefixes[i++]); | |
1218 | + if (r_opts.selabel_opt_prefixes != null_array) | |
1219 | + free(r_opts.selabel_opt_prefixes); | |
1220 | + free(r_opts.rootpath); | |
1221 | exit(errors); | |
1222 | } |
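Review bot: `free(r_opts.progname)` and `free(r_opts.rootpath)` assume both fields hold heap copies; that is not visible in this hunk, and if either is ever assigned straight from argv or optarg (in option parsing, outside the hunk) this becomes an invalid free at exit. A comment here such as `/* progname and rootpath are strdup()'d during option parsing */` pins the assumption where the frees are. The selabel handle opened in restore_init is not released alongside these frees; if nothing else calls it, `selabel_close(r_opts.hnd);` before the frees keeps leak-checker runs clean, though it is harmless given the `exit()` that follows. The two `printf("\n")` lines were only re-indented, which adds noise to the hunk for no behavioural change.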