rpms/policycoreutils/devel policycoreutils-gui.patch, 1.27, 1.28 policycoreutils.spec, 1.443, 1.444

Daniel J Walsh (dwalsh) fedora-extras-commits at redhat.com
Thu Sep 6 12:25:34 UTC 2007


Author: dwalsh

Update of /cvs/extras/rpms/policycoreutils/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv7833

Modified Files:
	policycoreutils-gui.patch policycoreutils.spec 
Log Message:
* Wed Sep 4 2007 Dan Walsh <dwalsh at redhat.com> 2.0.25-9
- Bump libsemanage version for disable dontaudit
- New gui features for creating admin users


policycoreutils-gui.patch:

Index: policycoreutils-gui.patch
===================================================================
RCS file: /cvs/extras/rpms/policycoreutils/devel/policycoreutils-gui.patch,v
retrieving revision 1.27
retrieving revision 1.28
diff -u -r1.27 -r1.28
--- policycoreutils-gui.patch	31 Aug 2007 21:17:12 -0000	1.27
+++ policycoreutils-gui.patch	6 Sep 2007 12:25:31 -0000	1.28
@@ -914,8 +914,8 @@
 +
 diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.glade policycoreutils-2.0.25/gui/polgen.glade
 --- nsapolicycoreutils/gui/polgen.glade	1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.25/gui/polgen.glade	2007-08-31 15:06:49.000000000 -0400
-@@ -0,0 +1,2313 @@
++++ policycoreutils-2.0.25/gui/polgen.glade	2007-09-05 22:33:12.000000000 -0400
+@@ -0,0 +1,2312 @@
 +<?xml version="1.0" standalone="no"?> <!--*- mode: xml -*-->
 +<!DOCTYPE glade-interface SYSTEM "http://glade.gnome.org/glade-2.0.dtd">
 +
@@ -1028,8 +1028,7 @@
 +      <child>
 +	<widget class="GtkNotebook" id="notebook1">
 +	  <property name="visible">True</property>
-+	  <property name="can_focus">True</property>
-+	  <property name="show_tabs">True</property>
++	  <property name="show_tabs">False</property>
 +	  <property name="show_border">True</property>
 +	  <property name="tab_pos">GTK_POS_TOP</property>
 +	  <property name="scrollable">False</property>
@@ -3231,8 +3230,8 @@
 +</glade-interface>
 diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgengui.py policycoreutils-2.0.25/gui/polgengui.py
 --- nsapolicycoreutils/gui/polgengui.py	1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.25/gui/polgengui.py	2007-08-31 15:06:45.000000000 -0400
-@@ -0,0 +1,444 @@
++++ policycoreutils-2.0.25/gui/polgengui.py	2007-09-05 22:33:06.000000000 -0400
+@@ -0,0 +1,432 @@
 +#!/usr/bin/python
 +#
 +# system-config-selinux.py - GUI for SELinux Config tool in system-config-selinux
@@ -3265,8 +3264,6 @@
 +import gnome
 +import sys
 +import polgen
-+import sepolgen.interfaces as interfaces
-+import sepolgen.defaults as defaults
 +import re
 +
 +##
@@ -3305,13 +3302,6 @@
 +else:
 +    xml = gtk.glade.XML ("/usr/share/system-config-selinux/polgen.glade", domain=PROGNAME)
 +
-+fn = defaults.interface_info()
-+try:
-+    fd = open(fn)
-+except:
-+    sys.stderr.write("could not open interface info [%s]\n" % fn)
-+    sys.exit(1)
-+
 +FILE = 1
 +DIR = 2
 +
@@ -3400,11 +3390,8 @@
 +        col = gtk.TreeViewColumn(_("Application"), gtk.CellRendererText(), text = 0)
 +        self.admin_treeview.append_column(col)
 +
-+        # List of per_role_template interfaces
-+        ifs = interfaces.InterfaceSet()
-+        ifs.from_file(fd)
-+        fd.close()
-+        for i in ifs.interfaces.keys():
++        for i in polgen.methods:
++            print i
 +            m = re.findall("(.*)%s" % polgen.USER_TRANSITION_INTERFACE, i) 
 +            if len(m) > 0:
 +                iter = self.transition_store.append()
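Review bot: The `print i` inside the `for i in polgen.methods:` loop is a leftover debug statement that dumps every refpolicy interface name to stdout each time this GUI dialog is built; delete that line. The loop otherwise only needs the names matching `polgen.USER_TRANSITION_INTERFACE`, so nothing else in the hunk depends on it. The enclosing method starts before this hunk and continues past it.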
@@ -3442,7 +3429,7 @@
 +                self.forward_button.set_label(gtk.STOCK_APPLY)
 +        
 +    def back(self,arg):
-+        type = self.confine_application()
++        type = self.get_type()
 +        if self.pages[type][self.current_page] == self.FINISH_PAGE:
 +            self.forward_button.set_label(gtk.STOCK_GO_FORWARD)
 +
@@ -3679,8 +3666,8 @@
 +    app.stand_alone()
 diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.py policycoreutils-2.0.25/gui/polgen.py
 --- nsapolicycoreutils/gui/polgen.py	1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.25/gui/polgen.py	2007-08-31 15:06:41.000000000 -0400
-@@ -0,0 +1,656 @@
++++ policycoreutils-2.0.25/gui/polgen.py	2007-09-05 22:26:53.000000000 -0400
+@@ -0,0 +1,715 @@
 +# Copyright (C) 2007 Red Hat 
 +# see file 'COPYING' for use and warranty information
 +#
@@ -3715,6 +3702,8 @@
 +from templates import script
 +from templates import user
 +import seobject
++import sepolgen.interfaces as interfaces
++import sepolgen.defaults as defaults
 +
 +##
 +## I18N
@@ -3733,6 +3722,20 @@
 +    import __builtin__
 +    __builtin__.__dict__['_'] = unicode
 +
++methods = []
++fn = defaults.interface_info()
++try:
++    fd = open(fn)
++    # List of per_role_template interfaces
++    ifs = interfaces.InterfaceSet()
++    ifs.from_file(fd)
++    fd.close()
++    methods = ifs.interfaces.keys()
++except:
++    sys.stderr.write("could not open interface info [%s]\n" % fn)
++    sys.exit(1)
++
++
 +ALL = 0
 +RESERVED = 1
 +UNRESERVED = 2
@@ -3792,6 +3795,7 @@
 +                self.need_udp_type=False
 +		self.admin_domains = []
 +		self.transition_domains = []
++                self.roles = []
 +                
 +        def __isnetset(self, l):
 +            return l[ALL] or l[RESERVED] or l[UNRESERVED] or len(l[PORTS]) > 0
@@ -3799,6 +3803,9 @@
 +        def set_admin_domains(self, admin_domains):
 +            self.admin_domains = admin_domains
 +
++        def set_admin_roles(self, roles):
++            self.roles = roles
++
 +        def set_transition_domains(self, transition_domains):
 +            self.transition_domains = transition_domains
 +
@@ -3906,7 +3913,21 @@
 +                if self.use_pam:
 +                    newte = re.sub("TEMPLATETYPE", self.name, executable.te_pam_rules)
 +                return newte
-+            
++
++        def generate_network_action(self, protocol, action, port_name):
++            line = ""
++            method = "corenet_%s_%s_%s" % (protocol, action, port_name)
++            if method in methods:
++                line = "%s(%s_t)\n" % (method, self.name)
++            else:
++                line = """
++gen_require(`
++    type %s_t;
++')
++allow %s_t %s_t:%s_socket name_%s;
++""" % (port_name, self.name, port_name, protocol, action)
++            return line
++                
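Review bot: `generate_network_action` has no docstring, and its fallback branch deserves one because it bypasses the corenet interface layer and emits a raw `allow <name>_t <port_name>_t:<protocol>_socket name_<action>;` against a type reconstructed as `<port_name>_t`. Add something like `"""Return the .te line granting <name>_t <action> on <port_name>: the corenet_<protocol>_<action>_<port_name>() interface when refpolicy exports it (looked up in the module-level methods list), otherwise a gen_require plus a raw allow so the module still builds."""`. The `method in methods` test is a linear scan of a list per port, harmless at this size but a set built once would be the natural structure. The enclosing class continues past this hunk.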
 +	def generate_network_types(self):
 +                for i in self.in_tcp[PORTS]:
 +                    rec = self.find_port(int(i))
@@ -3914,7 +3935,8 @@
 +                        self.need_tcp_type = True;
 +                    else:
 +                        port_name = rec[0][:-2]
-+                        line = "corenet_tcp_bind_%s(%s_t)\n" % (port_name, self.name)
++                        line = self.generate_network_action("tcp", "bind", port_name)
++#                        line = "corenet_tcp_bind_%s(%s_t)\n" % (port_name, self.name)
 +                        if line not in self.found_tcp_ports:
 +                            self.found_tcp_ports.append(line)
 +
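Review bot: The old line `#                        line = "corenet_tcp_bind_%s(%s_t)\n" % (port_name, self.name)` is kept as commented-out code directly under its replacement `line = self.generate_network_action("tcp", "bind", port_name)`; delete it, the history is in CVS. The same pattern is repeated in the two following hunks for tcp connect and udp bind. `generate_network_types` starts and ends outside this hunk.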
@@ -3924,7 +3946,8 @@
 +                        self.need_tcp_type = True;
 +                    else:
 +                        port_name = rec[0][:-2]
-+                        line = "corenet_tcp_connect_%s(%s_t)\n" % (port_name, self.name)
++                        line = self.generate_network_action("tcp", "connect", port_name)
++#                        line = "corenet_tcp_connect_%s(%s_t)\n" % (port_name, self.name)
 +                        if line not in self.found_tcp_ports:
 +                            self.found_tcp_ports.append(line)
 +                        
@@ -3934,7 +3957,8 @@
 +                        self.need_udp_type = True;
 +                    else:
 +                        port_name = rec[0][:-2]
-+                        line = "corenet_udp_bind_%s(%s_t)\n" % (port_name, self.name)
++                        line = self.generate_network_action("udp", "bind", port_name)
++#                        line = "corenet_udp_bind_%s(%s_t)\n" % (port_name, self.name)
 +                        if line not in self.found_udp_ports:
 +                            self.found_udp_ports.append(line)
 +                
@@ -4022,8 +4046,10 @@
 +
 +        def generate_admin_rules(self):
 +            newte = ""
++            newte += re.sub("TEMPLATETYPE", self.name, user.te_admin_rules)
++            
 +            for app in self.admin_domains:
-+                tmp = re.sub("TEMPLATETYPE", self.name, user.te_admin_rules)
++                tmp = re.sub("TEMPLATETYPE", self.name, user.te_admin_domain_rules)
 +                newte += re.sub("APPLICATION", app, tmp)
 +            return newte
 +
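Review bot: `generate_admin_rules` now prepends `user.te_admin_rules` unconditionally, before the per-domain loop, and as far as the visible `generate_te` shows it is called for every policy type; that template grants `self:capability { dac_override dac_read_search kill sys_ptrace sys_nice }` and declares two booleans, which would then land in every generated daemon and user module, not only admin users. Unless `generate_te` guards the call somewhere outside these hunks, gate it on the admin-user type: `if self.type == RUSER:` around the `newte += re.sub("TEMPLATETYPE", self.name, user.te_admin_rules)` line. A one-line docstring stating that the base rules apply only to RUSER policies would make the intent checkable.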
@@ -4132,6 +4158,17 @@
 +	def generate_default_rules(self):
 +		return self.DEFAULT_TYPES[self.type][1]()
 +		
++	def generate_roles_rules(self):
++            newte = ""
++            if self.type in ( TUSER, XUSER):
++                roles = ""
++                if len(self.roles) > 0:
++                    newte += re.sub("TEMPLATETYPE", self.name, user.te_newrole_rules)
++                    for role in self.roles:
++                        tmp = re.sub("TEMPLATETYPE", self.name, user.te_roles_rules)
++                        newte += re.sub("ROLE", role, tmp)
++            return newte
++        
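Review bot: In `generate_roles_rules` the local `roles = ""` is assigned and never read; drop it, and the surrounding `if len(self.roles) > 0:` reads better as `if self.roles:`. A short docstring would also help, e.g. `"""Return newrole and role-change rules for TUSER/XUSER policies; empty for other types or when no roles were set."""`. The method is also indented with a tab while its body uses spaces, matching the mixed style of the rest of the file but worth normalizing while it is new.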
 +	def generate_te(self):
 +		newte = self.generate_default_types()
 +		for d in self.DEFAULT_DIRS:
@@ -4157,6 +4194,7 @@
 +		newte += self.generate_uid_rules()		
 +		newte += self.generate_syslog_rules()		
 +                newte += self.generate_pam_rules()		
++                newte += self.generate_roles_rules()
 +                newte += self.generate_transition_rules()
 +                newte += self.generate_admin_rules()
 +		return newte
@@ -4188,6 +4226,18 @@
 +
 +		return newfc
 +	
++	def generate_user_sh(self):
++            newsh = ""
++            if self.type in ( TUSER, XUSER):
++                roles = ""
++                for role in self.roles:
++                    roles += " %s_r" % role
++                if roles != "":
++                    roles += " system_r"
++                tmp = re.sub("TEMPLATETYPE", self.name, script.users)
++                newsh += re.sub("ROLES", roles, tmp)
++            return newsh
++        
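Review bot: `generate_user_sh` builds `roles` with a leading space on every entry (`" %s_r" % role`) and relies on the script template placing it immediately after `TEMPLATETYPE_r`; that coupling is invisible here and will break silently if either side is edited. Add a comment above the loop such as `# each role is prefixed with a space: the script.users template concatenates this directly after TEMPLATETYPE_r`. It is also worth noting in the docstring that `system_r` is appended only when at least one extra role was given.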
 +	def generate_sh(self):
 +		newsh = re.sub("TEMPLATETYPE", self.name, script.compile)
 +		newsh = re.sub("PACKAGEFILENAME", self.file_name, newsh)
@@ -4208,6 +4258,8 @@
 +                    if self.find_port(i) == None:
 +			t1 = re.sub("PORTNUM", "%d" % i, script.udp_ports)
 +			newsh += re.sub("TEMPLATETYPE", self.name, t1)
++
++                newsh += self.generate_user_sh()
 +			
 +		return newsh
 +	
@@ -4265,7 +4317,7 @@
 +    mypolicy.set_use_syslog(True)
 +    mypolicy.set_use_pam(True)
 +    mypolicy.set_out_tcp(0,"8000")
-+    print mypolicy.generate("/tmp")
++    print mypolicy.generate("/var/tmp")
 +
 +    mypolicy = policy("myuser", USER)
 +    mypolicy.set_program("/usr/bin/myuser")
@@ -4277,7 +4329,7 @@
 +    mypolicy.set_use_pam(True)
 +    mypolicy.add_file("/var/lib/myuser/myuser.sock")
 +    mypolicy.set_out_tcp(0,"8000")
-+    print mypolicy.generate("/tmp")
++    print mypolicy.generate("/var/tmp")
 +    
 +
 +    mypolicy = policy("myrwho", DAEMON)
@@ -4290,7 +4342,7 @@
 +    mypolicy.set_use_pam(True)
 +    mypolicy.add_dir("/var/run/myrwho")
 +    mypolicy.add_dir("/var/lib/myrwho")
-+    print mypolicy.generate("/tmp")
++    print mypolicy.generate("/var/tmp")
 +    
 +    mypolicy = policy("myinetd", INETD)
 +    mypolicy.set_program("/usr/bin/mytest")
@@ -4308,16 +4360,12 @@
 +    mypolicy.add_dir("/etc/daemon")
 +    mypolicy.add_dir("/etc/daemon/special")
 +    mypolicy.set_out_tcp(0,"8000")
-+    print mypolicy.generate("/tmp")
++    print mypolicy.generate("/var/tmp")
 +
 +    mypolicy = policy("mytuser", TUSER)
-+    mypolicy.set_in_tcp(1, 0, 0, "513")
-+    mypolicy.set_in_udp(1, 0, 0, "1513")
-+    mypolicy.set_use_uid(True)
-+    mypolicy.set_use_syslog(True)
-+    mypolicy.set_use_pam(True)
-+    mypolicy.set_transition_domains(["mozilla", "ssh"])
-+    print mypolicy.generate("/tmp")
++    mypolicy.set_transition_domains(["sudo"])
++    mypolicy.set_admin_roles(["mydbadm"])
++    print mypolicy.generate("/var/tmp")
 +    
 +    mypolicy = policy("myxuser", XUSER)
 +    mypolicy.set_in_tcp(1, 1, 1, "")
@@ -4326,13 +4374,11 @@
 +    mypolicy.set_use_syslog(True)
 +    mypolicy.set_use_pam(True)
 +    mypolicy.set_transition_domains(["mozilla"])
-+    print mypolicy.generate("/tmp")
++    print mypolicy.generate("/var/tmp")
 +    
-+    mypolicy = policy("myruser", RUSER)
-+    mypolicy.set_in_tcp(1, 0, 0, "513")
-+    mypolicy.set_in_udp(1, 0, 0, "1513")
-+    mypolicy.set_admin_domains(["postgresql", "mysql", "apache"])
-+    print mypolicy.generate("/tmp")
++    mypolicy = policy("mydbadm", RUSER)
++    mypolicy.set_admin_domains(["postgresql", "mysql"])
++    print mypolicy.generate("/var/tmp")
 +    
 +    sys.exit(0)
 +    
@@ -8762,8 +8808,8 @@
 +    app.stand_alone()
 diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/executable.py policycoreutils-2.0.25/gui/templates/executable.py
 --- nsapolicycoreutils/gui/templates/executable.py	1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.25/gui/templates/executable.py	2007-08-31 15:41:21.000000000 -0400
-@@ -0,0 +1,222 @@
++++ policycoreutils-2.0.25/gui/templates/executable.py	2007-09-05 22:25:10.000000000 -0400
+@@ -0,0 +1,229 @@
 +# Copyright (C) 2007 Red Hat 
 +# see file 'COPYING' for use and warranty information
 +#
@@ -8906,7 +8952,8 @@
 +#
 +interface(`TEMPLATETYPE_domtrans',`
 +	gen_require(`
-+		type TEMPLATETYPE_t, TEMPLATETYPE_exec_t;
++		type TEMPLATETYPE_t;
++                type TEMPLATETYPE_exec_t;
 +	')
 +
 +	domain_auto_trans($1,TEMPLATETYPE_exec_t,TEMPLATETYPE_t)
@@ -8961,13 +9008,19 @@
 +## <rolecap/>
 +#
 +interface(`TEMPLATETYPE_admin',`
++	gen_require(`
++		type TEMPLATETYPE_t;
++	')
++
++	allow $1 TEMPLATETYPE_t:process { ptrace signal_perms getattr };
++	read_files_pattern($1, TEMPLATETYPE_t, TEMPLATETYPE_t)
++	        
 +"""
 +
 +if_initscript_admin="""
 +	# Allow $1 to restart the apache service
 +	TEMPLATETYPE_script_domtrans($1)
-+	domain_role_change_exemption($1)
-+	domain_obj_id_change_exemption($1)
++	domain_system_change_exemption($1)
 +	role_transition $2 TEMPLATETYPE_script_exec_t system_r;
 +	allow $2 system_r;
 +"""
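Review bot: The new body of the `TEMPLATETYPE_admin` interface grants `$1` `ptrace` on the confined domain, which lets the admin role read and alter the daemon's memory, not merely stop or signal it; refpolicy admin interfaces commonly do this, but the generated XML documentation above the interface should say so, e.g. a `## <desc>` sentence "Also allows $1 to ptrace the TEMPLATETYPE domain". The template fragment ends with a whitespace-only line and leaves the `interface(` unclosed, presumably closed by a later template string, but the trailing spaces should go. The `if_initscript_admin` part of this hunk correctly replaces the two older exemption calls with `domain_system_change_exemption($1)`.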
@@ -9226,8 +9279,8 @@
 +"""
 diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/script.py policycoreutils-2.0.25/gui/templates/script.py
 --- nsapolicycoreutils/gui/templates/script.py	1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.25/gui/templates/script.py	2007-08-31 15:07:36.000000000 -0400
-@@ -0,0 +1,42 @@
++++ policycoreutils-2.0.25/gui/templates/script.py	2007-09-05 22:25:46.000000000 -0400
+@@ -0,0 +1,45 @@
 +# Copyright (C) 2007 Red Hat 
 +# see file 'COPYING' for use and warranty information
 +#
@@ -9270,6 +9323,9 @@
 +/usr/sbin/semanage port -a -t TEMPLATETYPE_port_t -p udp PORTNUM
 +"""
 +
++users="""\
++/usr/sbin/semanage user -a -P  TEMPLATETYPE -R "TEMPLATETYPE_rROLES" TEMPLATETYPE_u
++"""
 diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/semodule.py policycoreutils-2.0.25/gui/templates/semodule.py
 --- nsapolicycoreutils/gui/templates/semodule.py	1969-12-31 19:00:00.000000000 -0500
 +++ policycoreutils-2.0.25/gui/templates/semodule.py	2007-08-31 15:07:36.000000000 -0400
@@ -9418,8 +9474,8 @@
 +
 diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/user.py policycoreutils-2.0.25/gui/templates/user.py
 --- nsapolicycoreutils/gui/templates/user.py	1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.25/gui/templates/user.py	2007-08-31 15:07:36.000000000 -0400
-@@ -0,0 +1,97 @@
++++ policycoreutils-2.0.25/gui/templates/user.py	2007-09-05 22:25:03.000000000 -0400
+@@ -0,0 +1,139 @@
 +# Copyright (C) 2007 Red Hat 
 +# see file 'COPYING' for use and warranty information
 +#
@@ -9511,11 +9567,53 @@
 +"""
 +
 +te_admin_rules="""
++allow TEMPLATETYPE_t self:capability { dac_override dac_read_search kill sys_ptrace sys_nice };
++files_dontaudit_search_all_dirs(TEMPLATETYPE_t)
++
++selinux_get_enforce_mode(TEMPLATETYPE_t)
++seutil_domtrans_restorecon(TEMPLATETYPE_t)
++seutil_search_default_contexts(mydbadm_t)
++
++logging_send_syslog_msg(TEMPLATETYPE_t)
++
++kernel_read_system_state(TEMPLATETYPE_t)
++
++domain_dontaudit_search_all_domains_state(TEMPLATETYPE_t)
++domain_dontaudit_ptrace_all_domains(TEMPLATETYPE_t)
++
++userdom_dontaudit_search_sysadm_home_dirs(TEMPLATETYPE_t)
++userdom_dontaudit_search_generic_user_home_dirs(TEMPLATETYPE_t)
++
++bool TEMPLATETYPE_read_user_files false;
++bool TEMPLATETYPE_manage_user_files false;
++
++if (TEMPLATETYPE_read_user_files) {
++   userdom_read_unpriv_users_home_content_files(TEMPLATETYPE_t)
++   userdom_read_unpriv_users_tmp_files(TEMPLATETYPE_t)
++}
++
++if (TEMPLATETYPE_manage_user_files) {
++   userdom_manage_unpriv_users_home_content_dirs(TEMPLATETYPE_t)
++   userdom_read_unpriv_users_tmp_files(TEMPLATETYPE_t)
++   userdom_write_unpriv_users_tmp_files(TEMPLATETYPE_t)
++}
++
++"""
++
++te_admin_domain_rules="""
 +optional_policy(`
 +	APPLICATION_admin(TEMPLATETYPE_t,TEMPLATETYPE_r, { TEMPLATETYPE_tty_device_t TEMPLATETYPE_devpts_t })
 +')
 +"""
 +
++te_roles_rules="""
++userdom_role_change_template(TEMPLATETYPE, ROLE)
++"""
++
++te_newrole_rules="""
++seutil_run_newrole(TEMPLATETYPE_t,TEMPLATETYPE_r,{ TEMPLATETYPE_devpts_t TEMPLATETYPE_tty_device_t })
++"""
++
 +
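Review bot: `te_admin_rules` contains `seutil_search_default_contexts(mydbadm_t)` with the example name hard-coded instead of the `TEMPLATETYPE` placeholder, so every generated admin policy references `mydbadm_t`, which either fails to build or grants the permission to the wrong domain. Change it to `seutil_search_default_contexts(TEMPLATETYPE_t)`. The rest of the template is consistently parameterized, which makes this one stand out as a copy from the test case in `polgen.py`.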
 diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/var_lib.py policycoreutils-2.0.25/gui/templates/var_lib.py
 --- nsapolicycoreutils/gui/templates/var_lib.py	1969-12-31 19:00:00.000000000 -0500


Index: policycoreutils.spec
===================================================================
RCS file: /cvs/extras/rpms/policycoreutils/devel/policycoreutils.spec,v
retrieving revision 1.443
retrieving revision 1.444
diff -u -r1.443 -r1.444
--- policycoreutils.spec	31 Aug 2007 21:17:12 -0000	1.443
+++ policycoreutils.spec	6 Sep 2007 12:25:31 -0000	1.444
@@ -1,12 +1,12 @@
 %define	libauditver	1.4.2-1
-%define	libsepolver	2.0.6-1
-%define	libsemanagever	2.0.4-1
+%define	libsepolver	2.0.9-1
+%define	libsemanagever	2.0.5-1
 %define	libselinuxver	2.0.23-3
 %define	sepolgenver	1.0.9
 Summary: SELinux policy core utilities
 Name:	 policycoreutils
 Version: 2.0.25
-Release: 8%{?dist}
+Release: 9%{?dist}
 License: GPLv2+
 Group:	 System Environment/Base
 Source:	 http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz
@@ -200,6 +200,10 @@
 fi
 
 %changelog
+* Wed Sep 4 2007 Dan Walsh <dwalsh at redhat.com> 2.0.25-9
+- Bump libsemanage version for disable dontaudit
+- New gui features for creating admin users
+
 * Fri Aug 31 2007 Dan Walsh <dwalsh at redhat.com> 2.0.25-8
 - Fix generated code for admin policy
 



