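--- a/Makefile 2011-11-04 14:38:45.000000000 +0100
+++ b/Makefile 2011-11-27 18:02:23.488513229 +0100
@@ -1,4 +1,4 @@
-SUBDIRS = setfiles semanage load_policy newrole run_init sandbox secon audit2allow audit2why scripts sestatus semodule_package semodule semodule_link semodule_expand semodule_deps sepolgen-ifgen setsebool po
+SUBDIRS = setfiles semanage semanage/default_encoding load_policy newrole run_init sandbox secon audit2allow audit2why scripts sestatus semodule_package semodule semodule_link semodule_expand semodule_deps sepolgen-ifgen setsebool po
 
 INOTIFYH = $(shell ls /usr/include/sys/inotify.h 2>/dev/null)
 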
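--- a/newrole/newrole.c 2011-11-04 14:38:45.000000000 +0100
+++ b/newrole/newrole.c 2011-11-27 18:02:23.489513229 +0100
@@ -543,13 +543,13 @@
 #if defined(AUDIT_LOG_PRIV) && !defined(NAMESPACE_PRIV)
 static int drop_capabilities(int full)
 {
+ uid_t uid = getuid();
+ if (!uid) return 0;
+
 capng_clear(CAPNG_SELECT_BOTH);
 if (capng_lock() < 0)
 return -1;
 
- uid_t uid = getuid();
- if (!uid) return 0;
-
 /* Change uid */
 if (setresuid(uid, uid, uid)) {
 fprintf(stderr, _("Error changing uid, aborting.\n"));
@@ -1030,10 +1030,11 @@
 * if it makes sense to continue to run newrole, and setting up
 * a scrubbed environment.
 */
- if (drop_capabilities(FALSE)) {
+/* if (drop_capabilities(FALSE)) {
 perror(_("Sorry, newrole failed to drop capabilities\n"));
 return -1;
 }
+*/
 if (set_signal_handles())
 return -1;
 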
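Review bot: The second hunk comments out the only visible call to drop_capabilities() in main, so newrole continues without dropping capabilities at all, while the comment immediately above it still promises "a scrubbed environment"; the first hunk additionally moves the uid-0 early return ahead of capng_clear()/capng_lock(), so even if the function were still called, a root invocation would keep its full capability set and never lock the bounding set. Neither change says why capability dropping is being disabled. Either delete the block and record the reason in a comment, e.g. `/* drop_capabilities() intentionally not called: <reason> */`, or gate it with a build-time macro instead of leaving commented-out code that reads as a temporary hack. Both enclosing functions start and end outside their hunks.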
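--- a/po/Makefile 2011-11-04 14:38:45.000000000 +0100
+++ b/po/Makefile 2011-11-27 18:02:23.495513229 +0100
@@ -7,7 +7,7 @@
 # What is this package?
 NLSPACKAGE = policycoreutils
 POTFILE = $(NLSPACKAGE).pot
-INSTALL = /usr/bin/install -c
+INSTALL = /usr/bin/install -c -p
 INSTALL_DATA = $(INSTALL) -m 644
 INSTALL_DIR = /usr/bin/install -d
 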
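--- a/restorecond/restorecond.c 2011-11-04 14:38:44.000000000 +0100
+++ b/restorecond/restorecond.c 2011-11-27 18:02:23.496513229 +0100
@@ -140,6 +140,7 @@
 {
 int opt;
 struct sigaction sa;
+ const char *null_array[1] = { NULL };
 
 memset(&r_opts, 0, sizeof(r_opts));
 
@@ -160,6 +161,7 @@
 r_opts.fts_flags = FTS_PHYSICAL;
 r_opts.selabel_opt_validate = NULL;
 r_opts.selabel_opt_path = NULL;
+ r_opts.selabel_opt_prefixes = null_array;
 r_opts.ignore_enoent = 1;
 
 restore_init(&r_opts);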
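Review bot: `null_array` is an empty NULL-terminated list handed to `r_opts.selabel_opt_prefixes`, but nothing in the hunk says what an empty prefix list means to the labeling backend, so a reader has to go into libselinux to learn whether it disables prefix filtering or filters everything out; a comment at the declaration such as `/* empty prefix list: presumably no prefix filtering — confirm against selabel_open() */` would settle that. As far as I know the `selabel_opt_prefixes` field and the SELABEL_OPT_PREFIXES option are not part of upstream libselinux's public interface, so this patch appears to depend on a matching libselinux patch; that dependency is worth stating in the patch description. The enclosing main() starts and ends outside the hunks.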
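--- a/run_init/run_init.c 2011-11-04 14:38:45.000000000 +0100
+++ b/run_init/run_init.c 2011-11-27 18:02:23.497513229 +0100
@@ -414,10 +414,17 @@
 * execvp or using a exec(1) recycles pty's, and does not open a new
 * one.
 */
+#ifdef USE_OPEN_INIT_PTY
 if (execvp("/usr/sbin/open_init_pty", argv)) {
 perror("execvp");
 exit(-1);
 }
+#else
+ if (execvp(argv[1], argv + 1)) {
+ perror("execvp");
+ exit(-1);
+ }
+#endif
 return 0;
 
 } /* main() */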
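Review bot: The new `#else` branch resolves `argv[1]` through execvp(), i.e. a PATH search in the inherited environment, whereas the branch it replaces execs a fixed absolute path; unless the environment has been sanitised earlier in main (not visible in this hunk), which binary actually starts under the new security context is decided by whatever PATH run_init was invoked with. Prefer execv() on a path the caller has already validated, or document at this point that the environment is trusted. The comment above the block still explains only the open_init_pty rationale and should gain a sentence about the direct-exec fallback, e.g. `* Without USE_OPEN_INIT_PTY the command is exec'd directly and pty recycling is accepted.` Both branches use `exit(-1)`, which reaches the parent as status 255; EXIT_FAILURE says what is meant. main() starts outside the hunk.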
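--- a/sandbox/Makefile 2011-11-04 14:38:45.000000000 +0100
+++ b/sandbox/Makefile 2011-11-27 18:02:23.518513231 +0100
@@ -23,7 +23,7 @@
 install -m 644 sandbox.8 $(MANDIR)/man8/
 install -m 644 seunshare.8 $(MANDIR)/man8/
 -mkdir -p $(MANDIR)/man5
- install -m 644 sandbox.conf.5 $(MANDIR)/man5/
+ install -m 644 sandbox.5 $(MANDIR)/man5/sandbox.5
 -mkdir -p $(SBINDIR)
 install -m 4755 seunshare $(SBINDIR)/
 -mkdir -p $(SHAREDIR)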
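Review bot: The install rule now ships the page as `man5/sandbox.5`, but the sandbox.5 added later in this patch is a byte-for-byte copy of the deleted sandbox.conf.5 — its `.TH sandbox.conf "5"` header and `sandbox.conf \- user config file` NAME line still describe the configuration file — so after this change `man 5 sandbox` displays a page titled sandbox.conf and `man 5 sandbox.conf` no longer resolves. Either keep installing it as sandbox.conf.5 or update the .TH and NAME lines to the new name; the rename and the content should not disagree.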
107diff -Nur a/sandbox/sandbox b/sandbox/sandbox
108--- a/sandbox/sandbox 2011-11-04 14:38:45.000000000 +0100
109+++ b/sandbox/sandbox 2011-11-27 18:02:23.519513231 +0100
110@@ -118,10 +118,30 @@
111 sock.bind("\0%s" % level)
112 fcntl.fcntl(sock.fileno(), fcntl.F_SETFD, fcntl.FD_CLOEXEC)
113
114+def get_range():
115+ try:
116+ level =selinux.getcon_raw()[1].split(":")[4]
117+ lowc,highc = level.split(".")
118+ low = int(lowc[1:])
119+ high = int(highc[1:])+1
120+ if high - low < 100:
121+ raise IndexError
122+
123+ return low,high
124+ except IndexError:
125+ raise ValueError(_("User account must be setup with an MCS Range with more then 100 categories"))
126+
127 def gen_mcs():
128- while True:
129- i1 = random.randrange(0, 1024)
130- i2 = random.randrange(0, 1024)
131+ low, high = get_range()
132+
133+ level = None
134+ ctr = 0
135+ total = high-low
136+ total = (total * total)/2 - total
137+ while ctr < total:
138+ ctr += 1
139+ i1 = random.randrange(low, high)
140+ i2 = random.randrange(low, high)
141 if i1 == i2:
142 continue
143 if i1 > i2:
144@@ -134,7 +154,10 @@
145 except socket.error:
146 continue
147 break
148- return level
149+ if level:
150+ return level
151+ raise ValueError(_("Failed to find any unused categories"))
152+
153
154 def fullpath(cmd):
155 for i in [ "/", "./", "../" ]:
156@@ -160,6 +183,17 @@
157 self.__level = None
158 self.__homedir = None
159 self.__tmpdir = None
160+ self.__set_dpi()
161+
162+ def __set_dpi(self):
163+ rc, out = commands.getstatusoutput("/usr/bin/xrdb -query")
164+ if rc != 0:
165+ self.dpi = 96
166+ else:
167+ for i in out.split("\n"):
168+ if i.startswith("Xft.dpi:"):
169+ self.dpi = i.split()[1]
170+ break;
171
172 def __validate_mount(self):
173 if self.__options.level:
174@@ -278,6 +312,9 @@
175 action="callback", callback=self.__mount_callback,
176 help=_("mount new home and/or tmp directory"))
177
178+ parser.add_option("-d", "--dpi",
179+ dest="dpi", action="store",default=self.dpi,
180+ help=_("dots per inch for X display: (%s)" % self.dpi))
181 parser.add_option("-S", "--session", action="store_true", dest="session",
182 default=False, help=_("run complete desktop session within sandbox"))
183
184@@ -322,7 +359,7 @@
185
186 if self.__options.X_ind:
187 self.setype = DEFAULT_X_TYPE
188- self.dpi=commands.getoutput("xrdb -query | grep dpi | /bin/cut -f 2")
189+
190 if self.__options.setype:
191 self.setype = self.__options.setype
192
193@@ -408,7 +445,7 @@
194
195 self.__setup_sandboxrc(self.__options.wm)
196
197- cmds += [ "--", SANDBOXSH, self.__options.windowsize, self.dpi ]
198+ cmds += [ "--", SANDBOXSH, self.__options.windowsize, self.__options.dpi ]
199 else:
200 cmds += [ "--" ] + self.__paths
201 return subprocess.Popen(cmds).wait()
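Review bot: `__set_dpi` (third hunk) assigns `self.dpi` only when xrdb succeeds and prints an `Xft.dpi:` line, so on a display without that resource the attribute is never created and `parser.add_option("-d", ..., default=self.dpi, ...)` in the following hunk raises AttributeError before any option is parsed; set the fallback unconditionally first, `self.dpi = 96`, and let the loop overwrite it (the stray `break;` semicolon can go at the same time). In that option the help text is formatted before translation, `_("dots per inch for X display: (%s)" % self.dpi)`, so the msgid never matches the catalog; write `_("dots per inch for X display: (%s)") % self.dpi`. In `get_range` (first hunk) a level without a `.` or a non-numeric category makes the tuple unpack or `int()` raise ValueError, which `except IndexError` does not catch, so the user gets a traceback instead of the intended message; catch `(IndexError, ValueError)` and fix "more then" to "more than". The `-d` value is passed straight through to SANDBOXSH as an argument; if that script interpolates it into a shell command (not visible here), it should be validated as an integer before use.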
202diff -Nur a/sandbox/sandbox.5 b/sandbox/sandbox.5
203--- a/sandbox/sandbox.5 1970-01-01 01:00:00.000000000 +0100
204+++ b/sandbox/sandbox.5 2011-11-27 18:02:23.520513231 +0100
205@@ -0,0 +1,40 @@
206+.TH sandbox.conf "5" "June 2010" "sandbox.conf" "Linux System Administration"
207+.SH NAME
208+sandbox.conf \- user config file for the SELinux sandbox
209+.SH DESCRIPTION
210+.PP
211+When running sandbox with the -C argument, it will be confined using control groups and a system administrator can specify how the sandbox is confined.
212+
213+.PP
214+Everything after "#" is ignored, as are empty lines. All arguments should be separated by and equals sign ("=").
215+
216+.PP
217+These keywords are allowed.
218+
219+.RS
220+.TP
221+.B NAME
222+The name of the sandbox control group. Default is "sandbox".
223+
224+.TP
225+.B CPUAFFINITY
226+Which cpus to assign sandbox to. The default is ALL, but users can specify a comma-separated list with dashes ("-") to represent ranges. Ex: 0-2,5
227+
228+.TP
229+.B MEMUSAGE
230+How much memory to allow sandbox to use. The default is 80%. Users can specify either a percentage or a value in the form of a number followed by one of the suffixes K, M, G to denote kilobytes, megabytes or gigabytes respectively. Ex: 50% or 100M
231+
232+.TP
233+.B CPUUSAGE
234+Percentage of cpu sandbox should be allowed to use. The default is 80%. Specify a value followed by a percent sign ("%"). Ex: 50%
235+
236+
237+
238+.SH "SEE ALSO"
239+.TP
240+sandbox(8)
241+.PP
242+
243+.SH AUTHOR
244+This manual page was written by
245+.I Thomas Liu <tliu@fedoraproject.org>
246diff -Nur a/sandbox/sandbox.8 b/sandbox/sandbox.8
247--- a/sandbox/sandbox.8 2011-11-04 14:38:45.000000000 +0100
248+++ b/sandbox/sandbox.8 2011-11-27 18:02:23.520513231 +0100
249@@ -3,11 +3,11 @@
250 sandbox \- Run cmd under an SELinux sandbox
251 .SH SYNOPSIS
252 .B sandbox
253-[-C] [-c] [-l level ] [[-M | -X] -H homedir -T tempdir ] [-I includefile ] [ -W windowmanager ] [ -w windowsize ] [[-i file ]...] [ -t type ] cmd
254+[-C] [-c] [ -d DPI ] [-l level ] [[-M | -X] -H homedir -T tempdir ] [-I includefile ] [ -W windowmanager ] [ -w windowsize ] [[-i file ]...] [ -t type ] cmd
255
256 .br
257 .B sandbox
258-[-C] [-c] [-l level ] [[-M | -X] -H homedir -T tempdir ] [-I includefile ] [ -W windowmanager ] [ -w windowsize ] [[-i file ]...] [ -t type ] -S
259+[-C] [-c] [ -d DPI ] [-l level ] [[-M | -X] -H homedir -T tempdir ] [-I includefile ] [ -W windowmanager ] [ -w windowsize ] [[-i file ]...] [ -t type ] -S
260 .br
261 .SH DESCRIPTION
262 .PP
263@@ -60,6 +60,9 @@
264 Create an X based Sandbox for gui apps, temporary files for
265 $HOME and /tmp, secondary Xserver, defaults to sandbox_x_t
266 .TP
267+\fB\-d\fR
268+Set the DPI value for the sanbox X Server. Defaults to the current X Sever DPI.
269+.TP
270 \fB\-c\fR
271 Use control groups to control this copy of sandbox. Specify parameters in /etc/sysconfig/sandbox. Max memory usage and cpu usage are to be specified in percent. You can specify which CPUs to use by numbering them 0,1,2... etc.
272 .TP
273diff -Nur a/sandbox/sandbox.conf.5 b/sandbox/sandbox.conf.5
274--- a/sandbox/sandbox.conf.5 2011-11-04 14:38:45.000000000 +0100
275+++ b/sandbox/sandbox.conf.5 1970-01-01 01:00:00.000000000 +0100
276@@ -1,40 +0,0 @@
277-.TH sandbox.conf "5" "June 2010" "sandbox.conf" "Linux System Administration"
278-.SH NAME
279-sandbox.conf \- user config file for the SELinux sandbox
280-.SH DESCRIPTION
281-.PP
282-When running sandbox with the -C argument, it will be confined using control groups and a system administrator can specify how the sandbox is confined.
283-
284-.PP
285-Everything after "#" is ignored, as are empty lines. All arguments should be separated by and equals sign ("=").
286-
287-.PP
288-These keywords are allowed.
289-
290-.RS
291-.TP
292-.B NAME
293-The name of the sandbox control group. Default is "sandbox".
294-
295-.TP
296-.B CPUAFFINITY
297-Which cpus to assign sandbox to. The default is ALL, but users can specify a comma-separated list with dashes ("-") to represent ranges. Ex: 0-2,5
298-
299-.TP
300-.B MEMUSAGE
301-How much memory to allow sandbox to use. The default is 80%. Users can specify either a percentage or a value in the form of a number followed by one of the suffixes K, M, G to denote kilobytes, megabytes or gigabytes respectively. Ex: 50% or 100M
302-
303-.TP
304-.B CPUUSAGE
305-Percentage of cpu sandbox should be allowed to use. The default is 80%. Specify a value followed by a percent sign ("%"). Ex: 50%
306-
307-
308-
309-.SH "SEE ALSO"
310-.TP
311-sandbox(8)
312-.PP
313-
314-.SH AUTHOR
315-This manual page was written by
316-.I Thomas Liu <tliu@fedoraproject.org>
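--- a/sandbox/sandbox.init 2011-11-04 14:38:45.000000000 +0100
+++ b/sandbox/sandbox.init 2011-11-27 18:02:23.521513231 +0100
@@ -19,6 +19,7 @@
 #
 
 # Source function library.
+. /etc/init.d/functions
 
 LOCKFILE=/var/lock/subsys/sandbox
 
@@ -27,7 +28,7 @@
 start() {
 echo -n "Starting sandbox"
 
- [ -f "$LOCKFILE" ] && return 0
+ [ -f "$LOCKFILE" ] && return 0
 
 touch $LOCKFILE
 mount --make-rshared / || return $?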
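Review bot: Changing the lockfile short-circuit to `return 0` means a stale lockfile left behind by a crash or an unclean shutdown turns `start` into a silent success that never reaches `mount --make-rshared /` below, so the mount setup can be absent while the service reports itself as started. Either check the actual mount state rather than trusting the lockfile, or at least print a message when the lockfile causes start to do nothing. `touch $LOCKFILE` should be quoted like the test two lines above it. start() ends outside the hunk.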
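--- a/scripts/genhomedircon 2011-11-04 14:38:45.000000000 +0100
+++ b/scripts/genhomedircon 2011-11-27 18:02:23.521513231 +0100
@@ -1,2 +1,3 @@
 #!/bin/sh
+
 /usr/sbin/semodule -Bn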
344diff -Nur a/semanage/default_encoding/default_encoding.c b/semanage/default_encoding/default_encoding.c
345--- a/semanage/default_encoding/default_encoding.c 1970-01-01 01:00:00.000000000 +0100
346+++ b/semanage/default_encoding/default_encoding.c 2011-11-27 18:02:23.533513231 +0100
347@@ -0,0 +1,57 @@
348+/*
349+ * Authors:
350+ * John Dennis <jdennis@redhat.com>
351+ *
352+ * Copyright (C) 2009 Red Hat
353+ * see file 'COPYING' for use and warranty information
354+ *
355+ * This program is free software; you can redistribute it and/or
356+ * modify it under the terms of the GNU General Public License as
357+ * published by the Free Software Foundation.
358+ *
359+ * This program is distributed in the hope that it will be useful,
360+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
361+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
362+ * GNU General Public License for more details.
363+ *
364+ * You should have received a copy of the GNU General Public License
365+ * along with this program; if not, write to the Free Software
366+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
367+ */
368+
369+#include <Python.h>
370+
371+PyDoc_STRVAR(setdefaultencoding_doc,
372+"setdefaultencoding(encoding='utf-8')\n\
373+\n\
374+Set the current default string encoding used by the Unicode implementation.\n\
375+Defaults to utf-8."
376+);
377+
378+static PyObject *
379+setdefaultencoding(PyObject *self, PyObject *args, PyObject *kwds)
380+{
381+ static char *kwlist[] = {"utf-8", NULL};
382+ char *encoding;
383+
384+ if (!PyArg_ParseTupleAndKeywords(args, kwds, "s:setdefaultencoding", kwlist, &encoding))
385+ return NULL;
386+
387+ if (PyUnicode_SetDefaultEncoding(encoding))
388+ return NULL;
389+
390+ Py_RETURN_NONE;
391+}
392+
393+static PyMethodDef methods[] = {
394+ {"setdefaultencoding", (PyCFunction)setdefaultencoding, METH_VARARGS|METH_KEYWORDS, setdefaultencoding_doc},
395+ {NULL, NULL} /* sentinel */
396+};
397+
398+
399+PyMODINIT_FUNC
400+initdefault_encoding_utf8(void)
401+{
402+ PyUnicode_SetDefaultEncoding("utf-8");
403+ Py_InitModule3("default_encoding_utf8", methods, "Forces the default encoding to utf-8");
404+}
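Review bot: `kwlist` names the keyword argument `"utf-8"` instead of `encoding`, so the call shown in setdefaultencoding_doc, `setdefaultencoding(encoding='utf-8')`, is rejected with an unexpected-keyword error, and the doc's promised default does not exist either because the `"s:setdefaultencoding"` format makes the argument mandatory. Use `static char *kwlist[] = {"encoding", NULL};`, initialise `char *encoding = "utf-8";`, and parse with `"|s:setdefaultencoding"`. In initdefault_encoding_utf8 the return value of PyUnicode_SetDefaultEncoding is ignored, so a failure leaves the module importable with the encoding silently unchanged; check it and raise. Since PyUnicode_SetDefaultEncoding is a Python 2 internal and the module exists purely for the interpreter-wide side effect at import time, that should be stated in the module docstring passed to Py_InitModule3.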
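--- a/semanage/default_encoding/Makefile 1970-01-01 01:00:00.000000000 +0100
+++ b/semanage/default_encoding/Makefile 2011-11-27 18:02:23.533513231 +0100
@@ -0,0 +1,8 @@
+all:
+ LDFLAGS="" python setup.py build
+
+install: all
+ LDFLAGS="" python setup.py install --root=$(DESTDIR)/
+
+clean:
+ rm -rf build *~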
417diff -Nur a/semanage/default_encoding/policycoreutils/__init__.py b/semanage/default_encoding/policycoreutils/__init__.py
418--- a/semanage/default_encoding/policycoreutils/__init__.py 1970-01-01 01:00:00.000000000 +0100
419+++ b/semanage/default_encoding/policycoreutils/__init__.py 2011-11-27 18:02:23.534513231 +0100
420@@ -0,0 +1,17 @@
421+#
422+# Copyright (C) 2006,2007,2008, 2009 Red Hat, Inc.
423+#
424+# This program is free software; you can redistribute it and/or modify
425+# it under the terms of the GNU General Public License as published by
426+# the Free Software Foundation; either version 2 of the License, or
427+# (at your option) any later version.
428+#
429+# This program is distributed in the hope that it will be useful,
430+# but WITHOUT ANY WARRANTY; without even the implied warranty of
431+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
432+# GNU General Public License for more details.
433+#
434+# You should have received a copy of the GNU General Public License
435+# along with this program; if not, write to the Free Software
436+# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
437+#
438diff -Nur a/semanage/default_encoding/setup.py b/semanage/default_encoding/setup.py
439--- a/semanage/default_encoding/setup.py 1970-01-01 01:00:00.000000000 +0100
440+++ b/semanage/default_encoding/setup.py 2011-11-27 18:02:23.536513231 +0100
441@@ -0,0 +1,38 @@
442+# Authors:
443+# John Dennis <jdennis@redhat.com>
444+#
445+# Copyright (C) 2009 Red Hat
446+# see file 'COPYING' for use and warranty information
447+#
448+# This program is free software; you can redistribute it and/or
449+# modify it under the terms of the GNU General Public License as
450+# published by the Free Software Foundation.
451+#
452+# This program is distributed in the hope that it will be useful,
453+# but WITHOUT ANY WARRANTY; without even the implied warranty of
454+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
455+# GNU General Public License for more details.
456+#
457+# You should have received a copy of the GNU General Public License
458+# along with this program; if not, write to the Free Software
459+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
460+
461+from distutils.core import setup, Extension
462+
463+default_encoding_utf8 = Extension('policycoreutils.default_encoding_utf8', ['default_encoding.c'])
464+
465+setup(name = 'policycoreutils-default-encoding',
466+ version = '0.1',
467+ description = 'Forces the default encoding in Python to be utf-8',
468+ long_description = 'Forces the default encoding in Python to be utf-8',
469+ author = 'John Dennis',
470+ author_email = 'jdennis@redhat.com',
471+ maintainer = 'John Dennis',
472+ maintainer_email = 'jdennis@redhat.com',
473+ license = 'GPLv3+',
474+ platforms = 'posix',
475+ url = '',
476+ download_url = '',
477+ ext_modules = [default_encoding_utf8],
478+ packages=["policycoreutils"],
479+)
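Review bot: `license = 'GPLv3+'` disagrees with the header of this same file, which names the GPL without a version, and with `policycoreutils/__init__.py` in this patch, which says version 2 or later; packaging metadata is what downstream tooling and license scanners read, so the three statements should agree. The empty `url = ''` and `download_url = ''` fields add nothing and can be dropped.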
480diff -Nur a/semanage/semanage b/semanage/semanage
481--- a/semanage/semanage 2011-11-04 14:38:45.000000000 +0100
482+++ b/semanage/semanage 2011-11-27 18:02:23.537513231 +0100
483@@ -20,6 +20,7 @@
484 # 02111-1307 USA
485 #
486 #
487+import policycoreutils.default_encoding_utf8
488 import sys, getopt, re
489 import seobject
490 import selinux
491@@ -32,7 +33,7 @@
492 try:
493 gettext.install(PROGNAME,
494 localedir="/usr/share/locale",
495- unicode=False,
496+ unicode=True,
497 codeset = 'utf-8')
498 except IOError:
499 import __builtin__
500@@ -283,11 +284,14 @@
501 equal = a
502
503 if o == "--enable":
504- set_action(o)
505+ if disable:
506+ raise ValueError(_("You can't disable and enable at the same time"))
507+
508 enable = True
509
510 if o == "--disable":
511- set_action(o)
512+ if enable:
513+ raise ValueError(_("You can't disable and enable at the same time"))
514 disable = True
515
516 if o == "-F" or o == "--file":
517@@ -504,31 +508,36 @@
518 if len(sys.argv) < 3:
519 usage(_("Requires 2 or more arguments"))
520
521- gopts, cmds = getopt.getopt(sys.argv[1:],
522- '01adf:i:lhmno:p:s:FCDR:L:r:t:T:P:S:',
523- ['add',
524- 'delete',
525- 'deleteall',
526- 'ftype=',
527- 'file',
528- 'help',
529- 'input=',
530- 'list',
531- 'modify',
532- 'noheading',
533- 'localist',
534- 'off',
535- 'on',
536- 'output=',
537- 'proto=',
538- 'seuser=',
539- 'store=',
540- 'range=',
541- 'level=',
542- 'roles=',
543- 'type=',
544- 'prefix='
545- ])
546+ try:
547+ gopts, cmds = getopt.getopt(sys.argv[1:],
548+ '01adf:i:lhmno:p:s:FCDR:L:r:t:T:P:S:',
549+ ['add',
550+ 'delete',
551+ 'deleteall',
552+ 'ftype=',
553+ 'file',
554+ 'help',
555+ 'input=',
556+ 'list',
557+ 'modify',
558+ 'noheading',
559+ 'localist',
560+ 'off',
561+ 'on',
562+ 'output=',
563+ 'proto=',
564+ 'seuser=',
565+ 'store=',
566+ 'range=',
567+ 'level=',
568+ 'roles=',
569+ 'type=',
570+ 'trans=',
571+ 'prefix='
572+ ])
573+ except getopt.error, error:
574+ usage(_("Options Error %s ") % error.msg)
575+
576 for o, a in gopts:
577 if o == "-S" or o == '--store':
578 store = a
579@@ -558,8 +567,6 @@
580 else:
581 process_args(sys.argv[1:])
582
583- except getopt.error, error:
584- usage(_("Options Error %s ") % error.msg)
585 except ValueError, error:
586 errorExit(error.args[0])
587 except KeyError, error:
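Review bot: The last hunk removes the `except getopt.error` clause from the outer `try`, but that try still covers `process_args(sys.argv[1:])` on the line above it; if process_args parses its own options with getopt, as the `-S`/`--store` pre-pass suggests, a bad option on that path now produces an uncaught traceback instead of the usage message, so keep a getopt.error handler on the outer try (or make process_args handle it). The new `'trans='` long option has no matching handler visible in this hunk; hard to tell from here whether one exists. The top-of-file `import policycoreutils.default_encoding_utf8` is imported only for its side effect of switching the interpreter-wide default encoding; a comment such as `# imported for its side effect: forces the default string encoding to utf-8` would stop it being removed as an unused import.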
588diff -Nur a/semanage/seobject.py b/semanage/seobject.py
589--- a/semanage/seobject.py 2011-11-04 14:38:45.000000000 +0100
590+++ b/semanage/seobject.py 2011-11-27 18:02:23.539513231 +0100
591@@ -30,11 +30,10 @@
592 import gettext
593 gettext.bindtextdomain(PROGNAME, "/usr/share/locale")
594 gettext.textdomain(PROGNAME)
595-try:
596- gettext.install(PROGNAME, localedir = "/usr/share/locale", unicode = 1)
597-except IOError:
598- import __builtin__
599- __builtin__.__dict__['_'] = unicode
600+
601+import gettext
602+translation=gettext.translation(PROGNAME, localedir = "/usr/share/locale", fallback=True)
603+_=translation.ugettext
604
605 import syslog
606
607@@ -166,6 +165,7 @@
608 transaction = False
609 handle = None
610 store = None
611+
612 def __init__(self, store):
613 global handle
614
615@@ -333,6 +333,7 @@
616 name = semanage_module_get_name(mod)
617 if name and name.startswith("permissive_"):
618 l.append(name.split("permissive_")[1])
619+
620 return l
621
622 def list(self, heading = 1, locallist = 0):
623@@ -431,7 +432,9 @@
624 if rc < 0:
625 raise ValueError(_("Could not check if login mapping for %s is defined") % name)
626 if exists:
627- raise ValueError(_("Login mapping for %s is already defined") % name)
628+ semanage_seuser_key_free(k)
629+ return self.__modify(name, sename, serange)
630+
631 if name[0] == '%':
632 try:
633 grp.getgrnam(name[1:])
634@@ -641,7 +644,8 @@
635 if rc < 0:
636 raise ValueError(_("Could not check if SELinux user %s is defined") % name)
637 if exists:
638- raise ValueError(_("SELinux user %s is already defined") % name)
639+ semanage_user_key_free(k)
640+ return self.__modify(name, roles, selevel, serange, prefix)
641
642 (rc, u) = semanage_user_create(self.sh)
643 if rc < 0:
644@@ -881,6 +885,7 @@
645 return ( k, proto_d, low, high )
646
647 def __add(self, port, proto, serange, type):
648+
649 if is_mls_enabled == 1:
650 if serange == "":
651 serange = "s0"
652@@ -943,6 +948,7 @@
653 self.commit()
654
655 def __modify(self, port, proto, serange, setype):
656+
657 if serange == "" and setype == "":
658 if is_mls_enabled == 1:
659 raise ValueError(_("Requires setype or serange"))
660@@ -1156,7 +1162,8 @@
661
662 (rc, exists) = semanage_node_exists(self.sh, k)
663 if exists:
664- raise ValueError(_("Addr %s already defined") % addr)
665+ semanage_node_key_free(k)
666+ return self.__modify(addr, mask, self.protocol[proto], serange, ctype)
667
668 (rc, node) = semanage_node_create(self.sh)
669 if rc < 0:
670@@ -1172,7 +1179,6 @@
671 if rc < 0:
672 raise ValueError(_("Could not set mask for %s") % addr)
673
674-
675 rc = semanage_context_set_user(self.sh, con, "system_u")
676 if rc < 0:
677 raise ValueError(_("Could not set user in addr context for %s") % addr)
678@@ -1224,12 +1230,11 @@
679 if not exists:
680 raise ValueError(_("Addr %s is not defined") % addr)
681
682- (rc, node) = semanage_node_query(self.sh, k)
683+ (rc, node) = semanage_node_query_local(self.sh, k)
684 if rc < 0:
685 raise ValueError(_("Could not query addr %s") % addr)
686
687 con = semanage_node_get_con(node)
688-
689 if serange != "":
690 semanage_context_set_mls(self.sh, con, untranslate(serange))
691 if setype != "":
692@@ -1357,7 +1362,8 @@
693 if rc < 0:
694 raise ValueError(_("Could not check if interface %s is defined") % interface)
695 if exists:
696- raise ValueError(_("Interface %s already defined") % interface)
697+ semanage_iface_key_free(k)
698+ return self.__modify(interface, serange, ctype)
699
700 (rc, iface) = semanage_iface_create(self.sh)
701 if rc < 0:
702@@ -1525,6 +1531,7 @@
703 def __init__(self, store = ""):
704 semanageRecords.__init__(self, store)
705 self.equiv = {}
706+ self.equiv_dist = {}
707 self.equal_ind = False
708 try:
709 fd = open(selinux.selinux_file_context_subs_path(), "r")
710@@ -1534,6 +1541,14 @@
711 fd.close()
712 except IOError:
713 pass
714+ try:
715+ fd = open(selinux.selinux_file_context_subs_dist_path(), "r")
716+ for i in fd.readlines():
717+ src, dst = i.split()
718+ self.equiv_dist[src] = dst
719+ fd.close()
720+ except IOError:
721+ pass
722
723 def commit(self):
724 if self.equal_ind:
725@@ -1589,12 +1604,21 @@
726
727 return con
728
729+ def check_equiv(self, target, fdict):
730+ for i in fdict:
731+ if target.startswith(i+"/"):
732+ t = re.sub(i, fdict[i], target)
733+ raise ValueError(_("File spec %s conflicts with equivalency rule '%s %s'; Try adding '%s' instead") % (target, i, fdict[i], t))
734+
735+
736 def validate(self, target):
737 if target == "" or target.find("\n") >= 0:
738 raise ValueError(_("Invalid file specification"))
739 if target.find(" ") != -1:
740 raise ValueError(_("File specification can not include spaces"))
741-
742+ self.check_equiv(target, self.equiv)
743+ self.check_equiv(target, self.equiv_dist)
744+
745 def __add(self, target, type, ftype = "", serange = "", seuser = "system_u"):
746 self.validate(target)
747
748@@ -1618,7 +1642,8 @@
749 raise ValueError(_("Could not check if file context for %s is defined") % target)
750
751 if exists:
752- raise ValueError(_("File context for %s already defined") % target)
753+ semanage_fcontext_key_free(k)
754+ return self.__modify(target, type, ftype, serange, seuser)
755
756 (rc, fcontext) = semanage_fcontext_create(self.sh)
757 if rc < 0:
758@@ -1825,9 +1850,17 @@
759 print "%-50s %-18s %s:%s:%s " % (k[0], k[1], fcon_dict[k][0], fcon_dict[k][1],fcon_dict[k][2])
760 else:
761 print "%-50s %-18s <<None>>" % (k[0], k[1])
762- if len(self.equiv.keys()) > 0:
763+
764+
765+ if len(self.equiv_dist):
766+ if not locallist:
767+ if heading:
768+ print _("\nSELinux Distribution fcontext Equivalence \n")
769+ for src in self.equiv_dist.keys():
770+ print "%s = %s" % (src, self.equiv_dist[src])
771+ if len(self.equiv):
772 if heading:
773- print _("\nSELinux fcontext Equivalence \n")
774+ print _("\nSELinux Local fcontext Equivalence \n")
775
776 for src in self.equiv.keys():
777 print "%s = %s" % (src, self.equiv[src])
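Review bot: `check_equiv` treats the equivalence source path as a regular expression, `t = re.sub(i, fdict[i], target)`, so a path containing `.`, `+`, `(` or `$` is matched loosely and a replacement containing `\1`-style text is interpreted; since `target.startswith(i+"/")` has already established a literal prefix, build the suggestion as `t = fdict[i] + target[len(i):]`. The `__add` methods now fall through to `__modify` when the record already exists, which silently turns `-a` on an existing entry into an update; callers that relied on the old "already defined" error get no signal, so each method's docstring should say that add-on-existing modifies. Reading `selinux_file_context_subs_dist_path()` catches only IOError, so a malformed line makes `src, dst = i.split()` raise ValueError out of `__init__`; mirror whatever the local equiv loop does or catch ValueError as well. The enclosing methods all start outside their hunks.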
778diff -Nur a/setfiles/restore.c b/setfiles/restore.c
779--- a/setfiles/restore.c 2011-11-04 14:38:45.000000000 +0100
780+++ b/setfiles/restore.c 2011-11-27 18:02:23.540513231 +0100
781@@ -1,5 +1,6 @@
782 #include "restore.h"
783 #include <glob.h>
784+#include <selinux/context.h>
785
786 #define SKIP -2
787 #define ERR -1
788@@ -33,7 +34,6 @@
789
790 static file_spec_t *fl_head;
791 static int filespec_add(ino_t ino, const security_context_t con, const char *file);
792-static int only_changed_user(const char *a, const char *b);
793 struct restore_opts *r_opts = NULL;
794 static void filespec_destroy(void);
795 static void filespec_eval(void);
796@@ -58,11 +58,16 @@
797 void restore_init(struct restore_opts *opts)
798 {
799 r_opts = opts;
800- struct selinux_opt selinux_opts[] = {
801- { SELABEL_OPT_VALIDATE, r_opts->selabel_opt_validate },
802- { SELABEL_OPT_PATH, r_opts->selabel_opt_path }
803- };
804- r_opts->hnd = selabel_open(SELABEL_CTX_FILE, selinux_opts, 2);
805+ struct selinux_opt selinux_opts[3];
806+
807+ selinux_opts[0].type = SELABEL_OPT_VALIDATE;
808+ selinux_opts[0].value = r_opts->selabel_opt_validate;
809+ selinux_opts[1].type = SELABEL_OPT_PATH;
810+ selinux_opts[1].value = r_opts->selabel_opt_path;
811+ selinux_opts[2].type = SELABEL_OPT_PREFIXES;
812+ selinux_opts[2].values = r_opts->selabel_opt_prefixes;
813+
814+ r_opts->hnd = selabel_open(SELABEL_CTX_FILE, selinux_opts, 3);
815 if (!r_opts->hnd) {
816 perror(r_opts->selabel_opt_path);
817 exit(1);
818@@ -104,8 +109,7 @@
819 {
820 char *my_file = strdupa(ftsent->fts_path);
821 int ret = -1;
822- char *context, *newcon;
823- int user_only_changed = 0;
824+ security_context_t curcon = NULL, newcon = NULL;
825
826 if (match(my_file, ftsent->fts_statp, &newcon) < 0)
827 /* Check for no matching specification. */
828@@ -139,74 +143,105 @@
829 printf("%s: %s matched by %s\n", r_opts->progname, my_file, newcon);
830 }
831
832+ /*
833+ * Do not relabel if their is no default specification for this file
834+ */
835+
836+ if (strcmp(newcon, "<<none>>") == 0) {
837+ goto out;
838+ }
839+
840 /* Get the current context of the file. */
841- ret = lgetfilecon_raw(ftsent->fts_accpath, &context);
842+ ret = lgetfilecon_raw(ftsent->fts_accpath, &curcon);
843 if (ret < 0) {
844 if (errno == ENODATA) {
845- context = NULL;
846+ curcon = NULL;
847 } else {
848 fprintf(stderr, "%s get context on %s failed: '%s'\n",
849 r_opts->progname, my_file, strerror(errno));
850 goto err;
851 }
852- user_only_changed = 0;
853- } else
854- user_only_changed = only_changed_user(context, newcon);
855+ }
856+
857 /* lgetfilecon returns number of characters and ret needs to be reset
858 * to 0.
859 */
860 ret = 0;
861
862 /*
863- * Do not relabel the file if the matching specification is
864- * <<none>> or the file is already labeled according to the
865- * specification.
866+ * Do not relabel the file if the file is already labeled according to
867+ * the specification.
868 */
869- if ((strcmp(newcon, "<<none>>") == 0) ||
870- (context && (strcmp(context, newcon) == 0))) {
871- freecon(context);
872+ if (curcon && (strcmp(curcon, newcon) == 0)) {
873 goto out;
874 }
875
876- if (!r_opts->force && context && (is_context_customizable(context) > 0)) {
877+ if (!r_opts->force && curcon && (is_context_customizable(curcon) > 0)) {
878 if (r_opts->verbose > 1) {
879 fprintf(stderr,
880 "%s: %s not reset customized by admin to %s\n",
881- r_opts->progname, my_file, context);
882+ r_opts->progname, my_file, curcon);
883 }
884- freecon(context);
885 goto out;
886 }
887
888- if (r_opts->verbose) {
889- /* If we're just doing "-v", trim out any relabels where
890- * the user has r_opts->changed but the role and type are the
891- * same. For "-vv", emit everything. */
892- if (r_opts->verbose > 1 || !user_only_changed) {
893- printf("%s reset %s context %s->%s\n",
894- r_opts->progname, my_file, context ?: "", newcon);
895+ /*
896+ * Do not change label unless this is a force or the type is different
897+ */
898+ if (!r_opts->force && curcon) {
899+ int types_differ = 0;
900+ context_t cona;
901+ context_t conb;
902+ int err = 0;
903+ cona = context_new(curcon);
904+ if (! cona) {
905+ goto out;
906+ }
907+ conb = context_new(newcon);
908+ if (! conb) {
909+ context_free(cona);
910+ goto out;
911 }
912+
913+ types_differ = strcmp(context_type_get(cona), context_type_get(conb));
914+ if (types_differ) {
915+ err |= context_user_set(conb, context_user_get(cona));
916+ err |= context_role_set(conb, context_role_get(cona));
917+ err |= context_range_set(conb, context_range_get(cona));
918+ if (!err) {
919+ freecon(newcon);
920+ newcon = strdup(context_str(conb));
921+ }
922+ }
923+ context_free(cona);
924+ context_free(conb);
925+
926+ if (!types_differ || err) {
927+ goto out;
928+ }
929+ }
930+
931+ if (r_opts->verbose) {
932+ printf("%s reset %s context %s->%s\n",
933+ r_opts->progname, my_file, curcon ?: "", newcon);
934 }
935
936- if (r_opts->logging && !user_only_changed) {
937- if (context)
938+ if (r_opts->logging) {
939+ if (curcon)
940 syslog(LOG_INFO, "relabeling %s from %s to %s\n",
941- my_file, context, newcon);
942+ my_file, curcon, newcon);
943 else
944 syslog(LOG_INFO, "labeling %s to %s\n",
945 my_file, newcon);
946 }
947
948- if (r_opts->outfile && !user_only_changed)
949+ if (r_opts->outfile)
950 fprintf(r_opts->outfile, "%s\n", my_file);
951
952- if (context)
953- freecon(context);
954-
955 /*
956 * Do not relabel the file if -n was used.
957 */
958- if (!r_opts->change || user_only_changed)
959+ if (!r_opts->change)
960 goto out;
961
962 /*
963@@ -220,12 +255,15 @@
964 }
965 ret = 1;
966 out:
967+ freecon(curcon);
968 freecon(newcon);
969 return ret;
970 skip:
971+ freecon(curcon);
972 freecon(newcon);
973 return SKIP;
974 err:
975+ freecon(curcon);
976 freecon(newcon);
977 return ERR;
978 }
979@@ -447,22 +485,6 @@
980 return 0;
981 }
982
983-/* Compare two contexts to see if their differences are "significant",
984- * or whether the only difference is in the user. */
985-static int only_changed_user(const char *a, const char *b)
986-{
987- char *rest_a, *rest_b; /* Rest of the context after the user */
988- if (r_opts->force)
989- return 0;
990- if (!a || !b)
991- return 0;
992- rest_a = strchr(a, ':');
993- rest_b = strchr(b, ':');
994- if (!rest_a || !rest_b)
995- return 0;
996- return (strcmp(rest_a, rest_b) == 0);
997-}
998-
999 /*
1000 * Evaluate the association hash table distribution.
1001 */
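diff -Nur a/setfiles/restorecon.8 b/setfiles/restorecon.8
--- a/setfiles/restorecon.8 2011-11-04 14:38:45.000000000 +0100
+++ b/setfiles/restorecon.8 2011-11-27 18:02:23.541513231 +0100
@@ -4,22 +4,27 @@
 
 .SH "SYNOPSIS"
 .B restorecon
-.I [\-o outfilename ] [\-R] [\-n] [\-p] [\-v] [\-e directory ] pathname...
+.I [\-o outfilename ] [\-R] [\-n] [\-p] [\-v] [\-e directory ] [\-L labelprefix ] pathname...
 .P
 .B restorecon
-.I \-f infilename [\-o outfilename ] [\-e directory ] [\-R] [\-n] [\-p] [\-v] [\-F]
+.I \-f infilename [\-o outfilename ] [\-e directory ] [\-L labelprefix ] [\-R] [\-n] [\-p] [\-v] [\-F]
 
 .SH "DESCRIPTION"
 This manual page describes the
 .BR restorecon
 program.
 .P
-This program is primarily used to set the security context
+This program is primarily used to reset the security context (type)
 (extended attributes) on one or more files.
 .P
 It can be run at any time to correct errors, to add support for
 new policy, or with the \-n option it can just check whether the file
 contexts are all as you expect.
+.P
+If a file object does not have a context, restorecon will write the default
+context to the file object's extended attributes. If a file object has a
+context, restorecon will only modify the type portion of the security context.
+The -F option will force a replacement of the entire context.
 
 .SH "OPTIONS"
 .TP
@@ -32,6 +37,12 @@
 .B \-e directory
 directory to exclude (repeat option for more than one directory.)
 .TP
+.B \-L labelprefix
+Tells selinux to only use the file context that match this prefix for labeling, -L can be called multiple times. Can speed up labeling if you are only doing one directory.
+
+# restorecon -R -v -L /dev /dev
+
+.TP
 .B \-R \-r
 change files and directories file labels recursively
 .TP
@@ -47,11 +58,8 @@
 .B \-v
 show changes in file labels.
 .TP
-.B \-vv
-show changes in file labels, if type, role, or user are changing.
-.TP
 .B \-F
-Force reset of context to match file_context for customizable files, or the user section, if it has changed.
+Force reset of context to match file_context for customizable files, and the default file context, changing the user, role, range portion as well as the type.
 .TP
 .SH "ARGUMENTS"
 .B pathname...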
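diff -Nur a/setfiles/restore.h b/setfiles/restore.h
--- a/setfiles/restore.h 2011-11-04 14:38:45.000000000 +0100
+++ b/setfiles/restore.h 2011-11-27 18:02:23.540513231 +0100
@@ -40,6 +40,7 @@
 int fts_flags; /* Flags to fts, e.g. follow links, follow mounts */
 const char *selabel_opt_validate;
 const char *selabel_opt_path;
+ const char **selabel_opt_prefixes;
 };
 
 void restore_init(struct restore_opts *opts);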
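Review bot: The new `selabel_opt_prefixes` member is added without a comment, although its contract is the one thing a reader of the header cannot see: setfiles.c treats it as a NULL-terminated array that initially points at a stack `null_array` sentinel and, once an `-L` option has been seen, at a heap list whose array and strings `main` frees before exiting. A one-line comment in the style of the `fts_flags` field above would make that explicit: `const char **selabel_opt_prefixes; /* NULL-terminated array of label prefixes; array and strings are owned and freed by the caller that built them */`. The `struct restore_opts` definition starts outside the hunk.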
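diff -Nur a/setfiles/setfiles.8 b/setfiles/setfiles.8
--- a/setfiles/setfiles.8 2011-11-04 14:38:45.000000000 +0100
+++ b/setfiles/setfiles.8 2011-11-27 18:02:23.542513231 +0100
@@ -4,7 +4,7 @@
 
 .SH "SYNOPSIS"
 .B setfiles
-.I [\-c policy ] [\-d] [\-l] [\-n] [\-e directory ] [\-o filename ] [\-q] [\-s] [\-v] [\-vv] [\-W] [\-F] spec_file pathname...
+.I [\-c policy ] [\-d] [\-l] [\-n] [\-e directory ] [\-o filename ] [\-L labelprefix ] [\-q] [\-s] [\-v] [\-W] [\-F] spec_file pathname...
 .SH "DESCRIPTION"
 This manual page describes the
 .BR setfiles
@@ -17,6 +17,11 @@
 It can also be run at any time to correct errors, to add support for
 new policy, or with the \-n option it can just check whether the file
 contexts are all as you expect.
+.P
+If a file object does not have a context, setfiles will write the default
+context to the file object's extended attributes. If a file object has a
+context, setfiles will only modify the type portion of the security context.
+The -F option will force a replacement of the entire context.
 
 .SH "OPTIONS"
 .TP
@@ -45,8 +50,11 @@
 directory to exclude (repeat option for more than one directory.)
 .TP
 .B \-F
-Force reset of context to match file_context for customizable files
+Force reset of context to match file_context for customizable files, and the default file context, changing the user, role, range portion as well as the type.
 .TP
+.B \-L labelprefix
+Tells selinux to only use the file context that match this prefix for labeling, -L can be called multiple times. Can speed up labeling if you are only doing one directory.
+.TP
 .B \-o filename
 save list of files with incorrect context in filename.
 .TP
@@ -55,10 +63,7 @@
 command line.
 .TP
 .B \-v
-show changes in file labels, if type or role are changing.
-.TP
-.B \-vv
-show changes in file labels, if type, role, or user are changing.
+show changes in file labels.
 .TP
 .B \-W
 display warnings about entries that had no matching files.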
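diff -Nur a/setfiles/setfiles.c b/setfiles/setfiles.c
--- a/setfiles/setfiles.c 2011-11-04 14:38:45.000000000 +0100
+++ b/setfiles/setfiles.c 2011-11-27 18:02:23.542513231 +0100
@@ -39,7 +39,7 @@
 {
 if (iamrestorecon) {
 fprintf(stderr,
- "usage: %s [-iFnprRv0] [-e excludedir ] [-o filename ] [-f filename | pathname... ]\n",
+ "usage: %s [-iFnprRv0] [ -L labelprefix ] [-e excludedir ] [-o filename ] [-f filename | pathname... ]\n",
 name);
 } else {
 fprintf(stderr,
@@ -137,7 +137,7 @@
 int main(int argc, char **argv)
 {
 struct stat sb;
- int opt, i = 0;
+ int opt, i;
 char *input_filename = NULL;
 int use_input_file = 0;
 char *buf = NULL;
@@ -145,6 +145,8 @@
 int recurse; /* Recursive descent. */
 char *base;
 int mass_relabel = 0, errors = 0;
+ int num_prefixes = 0;
+ const char *null_array[1] = { NULL };
 
 memset(&r_opts, 0, sizeof(r_opts));
 
@@ -160,6 +162,7 @@
 r_opts.outfile = NULL;
 r_opts.force = 0;
 r_opts.hard_links = 1;
+ r_opts.selabel_opt_prefixes = null_array;
 
 altpath = NULL;
 
@@ -217,7 +220,7 @@
 exclude_non_seclabel_mounts();
 
 /* Process any options. */
- while ((opt = getopt(argc, argv, "c:de:f:ilnpqrsvo:FRW0")) > 0) {
+ while ((opt = getopt(argc, argv, "c:de:f:ilnpqrsvo:FL:RW0")) > 0) {
 switch (opt) {
 case 'c':
 {
@@ -280,6 +283,35 @@
 case 'n':
 r_opts.change = 0;
 break;
+ case 'L':
+ {
+ char **new_prefixes;
+
+ /* we need 1 for this entry and 1 for the NULL entry */
+ new_prefixes = malloc(sizeof(*new_prefixes) * (num_prefixes + 2));
+ if (!new_prefixes) {
+ fprintf(stderr, "Can't allocate memory for labeling prefix %s:%s\n",
+ optarg, strerror(errno));
+ exit(1);
+ }
+
+ memcpy(new_prefixes, r_opts.selabel_opt_prefixes, sizeof(*new_prefixes) * num_prefixes);
+ new_prefixes[num_prefixes] = strdup(optarg);
+ if (!new_prefixes[num_prefixes]) {
+ fprintf(stderr, "Can't allocate memory for labeling prefix %s:%s\n",
+ optarg, strerror(errno));
+ exit(1);
+ }
+
+ new_prefixes[num_prefixes + 1] = NULL;
+ num_prefixes++;
+
+ if (r_opts.selabel_opt_prefixes != null_array)
+ free(r_opts.selabel_opt_prefixes);
+
+ r_opts.selabel_opt_prefixes = (const char **)new_prefixes;
+ break;
+ }
 case 'o':
 if (strcmp(optarg, "-") == 0) {
 r_opts.outfile = stdout;
@@ -433,7 +465,15 @@
 if (r_opts.outfile)
 fclose(r_opts.outfile);
 
- if (r_opts.progress && r_opts.count >= STAR_COUNT)
- printf("\n");
+ if (r_opts.progress && r_opts.count >= STAR_COUNT)
+ printf("\n");
+
+ free(r_opts.progname);
+ i = 0;
+ while (r_opts.selabel_opt_prefixes[i])
+ free((void *)r_opts.selabel_opt_prefixes[i++]);
+ if (r_opts.selabel_opt_prefixes != null_array)
+ free(r_opts.selabel_opt_prefixes);
+ free(r_opts.rootpath);
 exit(errors);
 }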
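Review bot: The `case 'L':` body in the `@@ -280,6 +283,35 @@` hunk does a malloc/memcpy/free cycle with the same allocation-failure message and `exit(1)` duplicated twice, all inline in `main`'s option switch; it reads better, and keeps both exit paths in one place, as a static helper with a single failure label, which is what I would do before this grows further. The helper below preserves the observable behaviour (same message, `exit(1)`, the `null_array` sentinel check, the `(const char **)` cast) and builds exactly the heap list that the cleanup loop added at the end of `main` in the last hunk frees; it also frees the half-built array before exiting on the `strdup` failure path, which the inline version leaks (harmless only because the process exits). `r_opts` is used in `main` without a local declaration, so I am assuming it is file-scope and therefore visible to a helper; `main` itself starts and ends outside these hunks.
```c
/* Append a copy of `prefix` to the NULL-terminated r_opts.selabel_opt_prefixes
 * list. The list starts as the caller's `null_array` sentinel; once grown it is
 * heap-owned (array and strings) and is released at the end of main().
 * Exits with status 1 if memory cannot be allocated. */
static void add_label_prefix(const char *prefix, int *num_prefixes,
			     const char **null_array)
{
	char **new_prefixes;

	/* 1 for this entry and 1 for the NULL terminator */
	new_prefixes = malloc(sizeof(*new_prefixes) * (*num_prefixes + 2));
	if (!new_prefixes)
		goto fail;

	memcpy(new_prefixes, r_opts.selabel_opt_prefixes,
	       sizeof(*new_prefixes) * *num_prefixes);
	new_prefixes[*num_prefixes] = strdup(prefix);
	if (!new_prefixes[*num_prefixes]) {
		int saved_errno = errno;	/* free() may clobber errno */
		free(new_prefixes);
		errno = saved_errno;
		goto fail;
	}
	new_prefixes[*num_prefixes + 1] = NULL;
	(*num_prefixes)++;

	if (r_opts.selabel_opt_prefixes != null_array)
		free(r_opts.selabel_opt_prefixes);
	r_opts.selabel_opt_prefixes = (const char **)new_prefixes;
	return;

fail:
	fprintf(stderr, "Can't allocate memory for labeling prefix %s:%s\n",
		prefix, strerror(errno));
	exit(1);
}

/* … unchanged: main() up to the option switch … */
		case 'L':
			add_label_prefix(optarg, &num_prefixes, null_array);
			break;
```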