PERFORCE change 97286 for review
Todd Miller
millert at FreeBSD.org
Tue May 16 19:21:30 UTC 2006
http://perforce.freebsd.org/chv.cgi?CH=97286
Change 97286 by millert at millert_p4 on 2006/05/16 19:18:30
A port of policycoreutils version 1.30 to SEBSD
Obtained from: selinux.sourceforge.net
Affected files ...
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/COPYING#2 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/ChangeLog#2 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/Makefile#2 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/VERSION#2 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/audit2allow/Makefile#2 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/audit2allow/audit2allow#2 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/audit2allow/audit2allow.1#1 add
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/audit2allow/audit2allow.perl#1 add
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/audit2why/Makefile#1 add
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/audit2why/audit2why.8#1 add
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/audit2why/audit2why.c#1 add
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/load_policy/Makefile#2 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/load_policy/load_policy.8#2 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/load_policy/load_policy.c#2 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/newrole/Makefile#2 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/newrole/newrole.1#2 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/newrole/newrole.c#3 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/newrole/newrole.pamd#2 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/po/Makefile#2 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/po/Makefile.in#2 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/po/Makefile.in.in#2 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/po/POTFILES#2 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/po/POTFILES.in#2 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/po/da.po#2 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/po/de.po#2 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/po/es.po#2 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/po/et.po#2 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/po/fr.po#2 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/po/gl.po#2 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/po/id.po#2 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/po/it.po#2 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/po/ko.po#2 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/po/nl.po#2 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/po/pl.po#2 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/po/policycoreutils.pot#2 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/po/pt_BR.po#2 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/po/ru.po#2 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/po/sv.po#2 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/policycoreutils.spec#2 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/restorecon/Makefile#2 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/restorecon/restorecon.8#2 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/restorecon/restorecon.c#2 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/run_init/Makefile#2 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/run_init/open_init_pty.8#1 add
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/run_init/open_init_pty.c#1 add
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/run_init/run_init.8#2 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/run_init/run_init.c#2 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/run_init/run_init.pamd#2 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/scripts/Makefile#2 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/scripts/chcat#1 add
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/scripts/chcat.8#1 add
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/scripts/fixfiles#2 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/scripts/fixfiles.8#1 add
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/scripts/fixfiles.8.gz#2 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/scripts/fixfiles.cron#2 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/scripts/genhomedircon#2 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/scripts/genhomedircon.8#1 add
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/semanage/Makefile#1 add
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/semanage/semanage#1 add
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/semanage/semanage.8#1 add
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/semanage/seobject.py#1 add
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/semodule/Makefile#1 add
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/semodule/semodule.8#1 add
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/semodule/semodule.c#1 add
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/semodule_expand/Makefile#1 add
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/semodule_expand/semodule_expand.8#1 add
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/semodule_expand/semodule_expand.c#1 add
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/semodule_link/Makefile#1 add
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/semodule_link/semodule_link.8#1 add
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/semodule_link/semodule_link.c#1 add
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/semodule_package/Makefile#1 add
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/semodule_package/semodule_package.8#1 add
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/semodule_package/semodule_package.c#1 add
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/sestatus/Makefile#2 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/sestatus/sestatus.8#2 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/sestatus/sestatus.c#2 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/sestatus/sestatus.conf#2 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/setfiles/Makefile#2 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/setfiles/setfiles.8#2 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/setfiles/setfiles.c#2 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/setsebool/Makefile#1 add
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/setsebool/setsebool.8#1 add
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/setsebool/setsebool.c#1 add
Differences ...
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/COPYING#2 (text+ko) ====
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/ChangeLog#2 (text+ko) ====
@@ -1,3 +1,458 @@
+1.30 2006-03-14
+ * Updated version for release.
+
+1.29.28 2006-03-13
+ * Merged German translations (de.po) by Debian translation team from Manoj Srivastava.
+
+1.29.27 2006-03-08
+ * Merged audit2allow -R support, chcat fix, semanage MLS checks
+ and semanage audit calls from Dan Walsh.
+
+1.29.26 2006-02-15
+ * Merged semanage bug fix patch from Ivan Gyurdiev.
+
+1.29.25 2006-02-14
+ * Merged improve bindings patch from Ivan Gyurdiev.
+
+1.29.24 2006-02-14
+ * Merged semanage usage patch from Ivan Gyurdiev.
+ * Merged use PyList patch from Ivan Gyurdiev.
+
+1.29.23 2006-02-13
+ * Merged newrole -V/--version support from Glauber de Oliveira Costa.
+
+1.29.22 2006-02-13
+ * Merged genhomedircon prefix patch from Dan Walsh.
+
+1.29.21 2006-02-13
+ * Merged optionals in base patch from Joshua Brindle.
+
+1.29.20 2006-02-07
+ * Merged seuser/user_extra support patch to semodule_package
+ from Joshua Brindle.
+
+1.29.19 2006-02-06
+ * Merged getopt type fix for semodule_link/expand and sestatus
+ from Chris PeBenito.
+
+1.29.18 2006-02-02
+ * Merged clone record on set_con patch from Ivan Gyurdiev.
+
+1.29.17 2006-01-30
+ * Merged genhomedircon fix from Dan Walsh.
+
+1.29.16 2006-01-30
+ * Merged seusers.system patch from Ivan Gyurdiev.
+ * Merged improve port/fcontext API patch from Ivan Gyurdiev.
+ * Merged genhomedircon patch from Dan Walsh.
+
+1.29.15 2006-01-27
+ * Merged newrole audit patch from Steve Grubb.
+
+1.29.14 2006-01-27
+ * Merged seuser -> seuser local rename patch from Ivan Gyurdiev.
+
+1.29.13 2006-01-27
+ * Merged semanage and semodule access check patches from Joshua Brindle.
+
+1.29.12 2006-01-26
+ * Merged restorecon, chcat, and semanage patches from Dan Walsh.
+
+1.29.11 2006-01-25
+ * Modified newrole and run_init to use the loginuid when
+ supported to obtain the Linux user identity to re-authenticate,
+ and to fall back to real uid. Dropped the use of the SELinux
+ user identity, as Linux users are now mapped to SELinux users
+ via seusers and the SELinux user identity space is separate.
+
+1.29.10 2006-01-20
+ * Merged semanage bug fixes from Ivan Gyurdiev.
+ * Merged semanage fixes from Russell Coker.
+ * Merged chcat.8 and genhomedircon patches from Dan Walsh.
+
+1.29.9 2006-01-19
+ * Merged chcat, semanage, and setsebool patches from Dan Walsh.
+
+1.29.8 2006-01-18
+ * Merged semanage fixes from Ivan Gyurdiev.
+ * Merged semanage fixes from Russell Coker.
+ * Merged chcat, genhomedircon, and semanage diffs from Dan Walsh.
+
+1.29.7 2006-01-13
+ * Merged newrole cleanup patch from Steve Grubb.
+ * Merged setfiles/restorecon performance patch from Russell Coker.
+ * Merged genhomedircon and semanage patches from Dan Walsh.
+
+1.29.6 2006-01-12
+ * Merged remove add_local/set_local patch from Ivan Gyurdiev.
+
+1.29.5 2006-01-05
+ * Added filename to semodule error reporting.
+
+1.29.4 2006-01-05
+ * Merged genhomedircon and semanage patch from Dan Walsh.
+ * Changed semodule error reporting to include argv[0].
+
+1.29.3 2006-01-04
+ * Merged semanage getpwnam bug fix from Serge Hallyn (IBM).
+ * Merged patch series from Ivan Gyurdiev.
+ This includes patches to:
+ - cleanup setsebool
+ - update setsebool to apply active booleans through libsemanage
+ - update semodule to use the new semanage_set_rebuild() interface
+ - fix various bugs in semanage
+ * Merged patch from Dan Walsh (Red Hat).
+ This includes fixes for restorecon, chcat, fixfiles, genhomedircon,
+ and semanage.
+
+1.29.2 2005-12-14
+ * Merged patch for chcat script from Dan Walsh.
+
+1.29.1 2005-12-08
+ * Merged fix for audit2allow long option list from Dan Walsh.
+ * Merged -r option for restorecon (alias for -R) from Dan Walsh.
+ * Merged chcat script and man page from Dan Walsh.
+
+1.28 2005-12-07
+ * Updated version for release.
+
+1.27.37 2005-12-07
+ * Clarified the genhomedircon warning message.
+
+1.27.36 2005-12-05
+ * Changed genhomedircon to warn on use of ROLE in homedir_template
+ if using managed policy, as libsemanage does not yet support it.
+
+1.27.35 2005-12-02
+ * Merged genhomedircon bug fix from Dan Walsh.
+
+1.27.34 2005-12-02
+ * Revised semodule* man pages to refer to checkmodule and
+ to include example sections.
+
+1.27.33 2005-12-01
+ * Merged audit2allow --tefile and --fcfile support from Dan Walsh.
+ * Merged genhomedircon fix from Dan Walsh.
+ * Merged semodule* man pages from Dan Walsh, and edited them.
+
+1.27.32 2005-12-01
+ * Changed setfiles to set the MATCHPATHCON_VALIDATE flag to
+ retain validation/canonicalization of contexts during init.
+
+1.27.31 2005-11-29
+ * Changed genhomedircon to always use user_r for the role in the
+ managed case since user_get_defrole is broken.
+
+1.27.30 2005-11-29
+ * Merged sestatus, audit2allow, and semanage patch from Dan Walsh.
+ * Fixed semodule -v option.
+
+1.27.29 2005-11-28
+ * Merged audit2allow python script from Dan Walsh.
+ (old script moved to audit2allow.perl, will be removed later).
+ * Merged genhomedircon fixes from Dan Walsh.
+ * Merged semodule quieting patch from Dan Walsh
+ (inverts default, use -v to restore original behavior).
+
+1.27.28 2005-11-15
+ * Merged genhomedircon rewrite from Dan Walsh.
+
+1.27.27 2005-11-09
+ * Merged setsebool cleanup patch from Ivan Gyurdiev.
+
+1.27.26 2005-11-09
+ * Added -B (--build) option to semodule to force a rebuild.
+
+1.27.25 2005-11-08
+ * Reverted setsebool patch to call semanage_set_reload_bools().
+ * Changed setsebool to disable policy reload and to call
+ security_set_boolean_list to update the runtime booleans.
+
+1.27.24 2005-11-08
+ * Changed setfiles -c to use new flag to set_matchpathcon_flags()
+ to disable context translation by matchpathcon_init().
+
+1.27.23 2005-11-07
+ * Changed setfiles for the context canonicalization support.
+
+1.27.22 2005-11-07
+ * Changed setsebool to call semanage_is_managed() interface
+ and fall back to security_set_boolean_list() if policy is
+ not managed.
+
+1.27.21 2005-11-07
+ * Merged setsebool memory leak fix from Ivan Gyurdiev.
+ * Merged setsebool patch to call semanage_set_reload_bools()
+ interface from Ivan Gyurdiev.
+
+1.27.20 2005-11-04
+ * Merged setsebool patch from Ivan Gyurdiev.
+ This moves setsebool from libselinux/utils to policycoreutils,
+ and rewrites it to use libsemanage for permanent boolean changes.
+
+1.27.19 2005-10-25
+ * Merged semodule support for reload, noreload, and store options
+ from Joshua Brindle.
+ * Merged semodule_package rewrite from Joshua Brindle.
+
+1.27.18 2005-10-20
+ * Cleaned up usage and error messages and releasing of memory by
+ semodule_* utilities.
+
+1.27.17 2005-10-20
+ * Corrected error reporting by semodule.
+
+1.27.16 2005-10-19
+ * Updated semodule_expand for change to sepol interface.
+
+1.27.15 2005-10-19
+ * Merged fixes for make DESTDIR= builds from Joshua Brindle.
+
+1.27.14 2005-10-18
+ * Updated semodule_package for sepol interface changes.
+
+1.27.13 2005-10-17
+ * Updated semodule_expand/link for sepol interface changes.
+
+1.27.12 2005-10-14
+ * Merged non-PAM Makefile support for newrole and run_init from Timothy Wood.
+
+1.27.11 2005-10-13
+ * Updated semodule_expand to use get interfaces for hidden sepol_module_package type.
+
+1.27.10 2005-10-13
+ * Merged newrole and run_init pam config patches from Dan Walsh (Red Hat).
+
+1.27.9 2005-10-13
+ * Merged fixfiles patch from Dan Walsh (Red Hat).
+
+1.27.8 2005-10-13
+ * Updated semodule for removal of semanage_strerror.
+
+1.27.7 2005-10-11
+ * Updated semodule_link and semodule_expand to use shared libsepol.
+ Fixed audit2why to call policydb_init prior to policydb_read (still
+ uses the static libsepol).
+
+1.27.6 2005-10-07
+ * Updated for changes to libsepol.
+ Changed semodule and semodule_package to use the shared libsepol.
+ Disabled build of semodule_link and semodule_expand for now.
+ Updated audit2why for relocated policydb internal headers,
+ still needs to be converted to a shared lib interface.
+
+1.27.5 2005-10-06
+ * Fixed warnings in load_policy.
+
+1.27.4 2005-10-06
+ * Rewrote load_policy to use the new selinux_mkload_policy()
+ interface provided by libselinux.
+
+1.27.3 2005-09-28
+ * Merged patch to update semodule to the new libsemanage API
+ and improve the user interface from Karl MacMillan (Tresys).
+ * Modified semodule for the create/connect API split.
+
+1.27.2 2005-09-20
+ * Merged run_init open_init_pty bug fix from Manoj Srivastava
+ (unblock SIGCHLD). Bug reported by Erich Schubert.
+
+1.27.1 2005-09-20
+ * Merged error shadowing bug fix for restorecon from Dan Walsh.
+ * Merged setfiles usage/man page update for -r option from Dan Walsh.
+ * Merged fixfiles -C patch to ignore :s0 addition on update
+ to a MCS/MLS policy from Dan Walsh.
+
+1.26 2005-09-06
+ * Updated version for release.
+
+1.25.9 2005-08-31
+ * Changed setfiles -c to translate the context to raw format
+ prior to calling libsepol.
+
+1.25.8 2005-08-31
+ * Changed semodule to report errors even without -v,
+ to detect extraneous arguments, and corrected usage message.
+
+1.25.7 2005-08-25
+ * Merged patch for fixfiles -C from Dan Walsh.
+
+1.25.6 2005-08-22
+ * Merged fixes for semodule_link and sestatus from Serge Hallyn (IBM).
+ Bugs found by Coverity.
+
+1.25.5 2005-08-02
+ * Merged patch to move module read/write code from libsemanage
+ to libsepol from Jason Tang (Tresys).
+
+1.25.4 2005-07-27
+ * Changed semodule* to link with libsemanage.
+
+1.25.3 2005-07-26
+ * Merged restorecon patch from Ivan Gyurdiev.
+
+1.25.2 2005-07-11
+ * Merged load_policy, newrole, and genhomedircon patches from Red Hat.
+
+1.25.1 2005-07-06
+ * Merged loadable module support from Tresys Technology.
+
+1.24 2005-06-20
+ * Updated version for release.
+
+1.23.11 2005-05-19
+ * Merged fixfiles and newrole patch from Dan Walsh.
+ * Merged audit2why man page from Dan Walsh.
+
+1.23.10 2005-05-16
+ * Extended audit2why to incorporate booleans and local user
+ settings when analyzing audit messages.
+
+1.23.9 2005-05-13
+ * Updated audit2why for sepol_ prefixes on Flask types to
+ avoid namespace collision with libselinux, and to
+ include <selinux/selinux.h> now.
+
+1.23.8 2005-05-13
+ * Added audit2why utility.
+
+1.23.7 2005-04-29
+ * Merged patch for fixfiles from Dan Walsh.
+ Allow passing -F to force reset of customizable contexts.
+
+1.23.6 2005-04-13
+ * Fixed signed/unsigned pointer bug in load_policy.
+ * Reverted context validation patch for genhomedircon.
+
+1.23.5 2005-04-12
+ * Reverted load_policy is_selinux_enabled patch from Dan Walsh.
+ Otherwise, an initial policy load cannot be performed using
+ load_policy, e.g. for anaconda.
+
+1.23.4 2005-04-08
+ * Merged load_policy is_selinux_enabled patch from Dan Walsh.
+ * Merged restorecon verbose output patch from Dan Walsh.
+ * Merged setfiles altroot patch from Chris PeBenito.
+
+1.23.3 2005-03-17
+ * Merged context validation patch for genhomedircon from Eric Paris.
+
+1.23.2 2005-03-16
+ * Changed setfiles -c to call set_matchpathcon_flags(3) to
+ turn off processing of .homedirs and .local.
+
+1.23.1 2005-03-14
+ * Merged rewrite of genhomedircon by Eric Paris.
+ * Changed fixfiles to relabel jfs since it now supports security xattrs
+ (as of 2.6.11). Removed reiserfs until 2.6.12 is released with
+ fixed support for reiserfs and selinux.
+
+1.22 2005-03-09
+ * Updated version for release.
+
+1.21.22 2005-03-07
+ * Merged restorecon and genhomedircon patch from Dan Walsh.
+
+1.21.21 2005-02-28
+ * Merged load_policy and genhomedircon patch from Dan Walsh.
+
+1.21.20 2005-02-24
+ * Merged fixfiles and genhomedircon patch from Dan Walsh.
+
+1.21.19 2005-02-22
+ * Merged several fixes from Ulrich Drepper.
+
+1.21.18 2005-02-18
+ * Changed load_policy to fall back to the original policy upon
+ an error from sepol_genusers().
+
+1.21.17 2005-02-17
+ * Merged new genhomedircon script from Dan Walsh.
+
+1.21.16 2005-02-17
+ * Changed load_policy to call sepol_genusers().
+
+1.21.15 2005-02-09
+ * Changed relabel Makefile target to use restorecon.
+
+1.21.14 2005-02-08
+ * Merged restorecon patch from Dan Walsh.
+
+1.21.13 2005-02-07
+ * Merged sestatus patch from Dan Walsh.
+ * Merged further change to fixfiles -C from Dan Walsh.
+
+1.21.12 2005-02-02
+ * Merged further patches for restorecon/setfiles -e and fixfiles -C.
+
+1.21.11 2005-02-02
+ * Merged patch for fixfiles -C option from Dan Walsh.
+ * Merged patch -e support for restorecon from Dan Walsh.
+ * Merged updated -e support for setfiles from Dan Walsh.
+
+1.21.10 2005-01-31
+ * Merged patch for open_init_pty from Manoj Srivastava.
+
+1.21.9 2005-01-28
+ * Merged updated fixfiles script from Dan Walsh.
+ * Merged updated man page for fixfiles from Dan Walsh and re-added unzipped.
+ * Reverted fixfiles patch for file_contexts.local;
+ obsoleted by setfiles rewrite.
+ * Merged error handling patch for restorecon from Dan Walsh.
+ * Merged semi raw mode for open_init_pty helper from Manoj Srivastava.
+
+1.21.8 2005-01-28
+ * Rewrote setfiles to use matchpathcon and the new interfaces
+ exported by libselinux (>= 1.21.5).
+
+1.21.7 2005-01-27
+ * Prevent overflow of spec array in setfiles.
+
+1.21.6 2005-01-27
+ * Merged genhomedircon STARTING_UID bug fix from Dan Walsh.
+
+1.21.5 2005-01-26
+ * Merged newrole -l support from Darrel Goeddel (TCS).
+
+1.21.4 2005-01-25
+ * Merged fixfiles patch for file_contexts.local from Dan Walsh.
+
+1.21.3 2005-01-21
+ * Fixed restorecon to not treat errors from is_context_customizable()
+ as a customizable context.
+ * Merged setfiles/restorecon patch to not reset user field unless
+ -F option is specified from Dan Walsh.
+
+1.21.2 2005-01-21
+ * Merged open_init_pty helper for run_init from Manoj Srivastava.
+ * Merged audit2allow and genhomedircon man pages from Manoj Srivastava.
+
+1.21.1 2005-01-19
+ * Merged customizable contexts patch for restorecon/setfiles from Dan Walsh.
+
+1.20 2005-01-06
+ * Merged fixfiles rewrite from Dan Walsh.
+ * Merged restorecon patch from Dan Walsh.
+ * Merged fixfiles and restorecon patches from Dan Walsh.
+ * Changed restorecon to ignore ENOENT errors from matchpathcon.
+ * Merged nonls patch from Chris PeBenito.
+ * Removed fixfiles.cron.
+ * Merged run_init.8 patch from Dan Walsh.
+
+1.18 2004-11-01
+ * Merged audit2allow patch from Thomas Bleher, with mods by Dan Walsh.
+ * Merged sestatus patch from Steve Grubb.
+ * Merged fixfiles patch from Dan Walsh.
+ * Added -l option to setfiles to log changes via syslog.
+ * Merged -e option to setfiles to exclude directories.
+ * Merged -R option to restorecon for recursive descent.
+ * Merged sestatus patch from Steve Grubb via Dan Walsh.
+ * Merged load_policy and fixfiles.cron patches from Dan Walsh.
+ * Merged fix for setfiles context validation patch from Colin Walters.
+ * Merged setfiles context validation patch from Colin Walters.
+ * Merged genhomedircon patch from Russell Coker.
+ * Merged restorecon patch from Russell Coker.
+
1.16 2004-08-13
* Merged audit2allow fix from Tom London.
* Merged load_policy man page from Dan Walsh.
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/Makefile#2 (text+ko) ====
@@ -1,4 +1,4 @@
-SUBDIRS=setfiles load_policy newrole run_init restorecon audit2allow scripts po sestatus
+SUBDIRS=setfiles semanage load_policy newrole run_init restorecon audit2allow audit2why scripts sestatus semodule_package semodule semodule_link semodule_expand setsebool po
all install relabel clean:
@for subdir in $(SUBDIRS); do \
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/VERSION#2 (text+ko) ====
@@ -1,1 +1,1 @@
-1.16
+1.30
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/audit2allow/Makefile#2 (text+ko) ====
@@ -1,6 +1,7 @@
# Installation directories.
PREFIX ?= ${DESTDIR}/usr
BINDIR ?= $(PREFIX)/bin
+MANDIR ?= $(PREFIX)/share/man
LOCALEDIR ?= /usr/share/locale
TARGETS=audit2allow
@@ -10,6 +11,8 @@
install: all
-mkdir -p $(BINDIR)
install -m 755 $(TARGETS) $(BINDIR)
+ -mkdir -p $(MANDIR)/man1
+ install -m 644 audit2allow.1 $(MANDIR)/man1/
clean:
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policycoreutils/audit2allow/audit2allow#2 (text+ko) ====
@@ -1,7 +1,12 @@
-#!/usr/bin/perl
-
-# Adapted from:
+#! /usr/bin/env python
+# Copyright (C) 2005 Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# Audit2allow is a rewrite of prior perl script.
+#
+# Based off original audit2allow perl script: which credits
# newrules.pl, Copyright (C) 2001 Justin R. Smith (jsmith at mcs.drexel.edu)
+# 2003 Oct 11: Add -l option by Yuichi Nakamura(ynakam at users.sourceforge.jp)
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
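Review bot: The new interpreter line `#! /usr/bin/env python` resolves the interpreter through the caller's PATH, which is a weak choice for a tool that is normally run with administrative privileges to read audit logs and produce policy rules. An absolute interpreter path, substituted by the Makefile at install time, would remove that dependency. The same PATH lookup recurs in the next hunk, where `interfaces.__init__` starts `awk` by bare name through a shell via `os.popen2("awk -f - ...")`; that call should name the intended awk binary by its absolute path. The choice of awk also matters functionally: the embedded script uses `gensub`, a gawk extension, and stderr is sent to `/dev/null`, so a different awk would presumably leave the interface table empty without reporting an error.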
@@ -17,142 +22,590 @@
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
# 02111-1307 USA
-# 2003 Oct 11: Add -l option by Yuichi Nakamura(ynakam at users.sourceforge.jp)
+#
+#
+import commands, sys, os, pwd, string, getopt, re, selinux
+
+obj="(\{[^\}]*\}|[^ \t:]*)"
+allow_regexp="allow[ \t]+%s[ \t]*%s[ \t]*:[ \t]*%s[ \t]*%s" % (obj, obj, obj, obj)
+
+awk_script='/^[[:blank:]]*interface[[:blank:]]*\(/ {\n\
+ IFACEFILE=FILENAME\n\
+ IFACENAME = gensub("^[[:blank:]]*interface[[:blank:]]*\\\\(\`?","","g",$0);\n\
+ IFACENAME = gensub("\'?,.*$","","g",IFACENAME);\n\
+}\n\
+\n\
+/^[[:blank:]]*allow[[:blank:]]+.*;[[:blank:]]*$/ {\n\
+\n\
+ if ((length(IFACENAME) > 0) && (IFACEFILE == FILENAME)){\n\
+ ALLOW = gensub("^[[:blank:]]*","","g",$0)\n\
+ ALLOW = gensub(";[[:blank:]]*$","","g",$0)\n\
+ print FILENAME "\\t" IFACENAME "\\t" ALLOW;\n\
+ }\n\
+}\
+'
+
+class accessTrans:
+ def __init__(self):
+ self.dict={}
+ try:
+ fd=open("/usr/share/selinux/devel/include/support/obj_perm_sets.spt")
+ except IOError, error:
+ raise IOError("Reference policy generation requires the policy development package.\n%s" % error)
+ records=fd.read().split("\n")
+ regexp="^define *\(`([^']*)' *, *` *\{([^}]*)}'"
+ for r in records:
+ m=re.match(regexp,r)
+ if m!=None:
+ self.dict[m.groups()[0]] = m.groups()[1].split()
+ fd.close()
+ def get(self, var):
+ l=[]
+ for v in var:
+ if v in self.dict.keys():
+ l += self.dict[v]
+ else:
+ if v not in ("{", "}"):
+ l.append(v)
+ return l
+
+class interfaces:
+ def __init__(self):
+ self.dict={}
+ trans=accessTrans()
+ (input, output) = os.popen2("awk -f - /usr/share/selinux/devel/include/*/*.if 2> /dev/null")
+ input.write(awk_script)
+ input.close()
+ records=output.read().split("\n")
+ input.close()
+ if len(records) > 0:
+ regexp="([^ \t]*)[ \t]+([^ \t]*)[ \t]+%s" % allow_regexp
+ for r in records:
+ m=re.match(regexp,r)
+ if m==None:
+ continue
+ else:
+ val=m.groups()
+ file=os.path.basename(val[0]).split(".")[0]
+ iface=val[1]
+ Scon=val[2].split()
+ Tcon=val[3].split()
+ Class=val[4].split()
+ Access=trans.get(val[5].split())
+ for s in Scon:
+ for t in Tcon:
+ for c in Class:
+ if (s, t, c) not in self.dict.keys():
+ self.dict[(s, t, c)]=[]
+ self.dict[(s, t, c)].append((Access, file, iface))
+ def out(self):
+ keys=self.dict.keys()
+ keys.sort()
+ for k in keys:
+ print k
+ for i in self.dict[k]:
+ print "\t", i
+
+ def match(self, Scon, Tcon, Class, Access):
+ keys=self.dict.keys()
+ ret=[]
+ if (Scon, Tcon, Class) in keys:
+ for i in self.dict[(Scon, Tcon, Class)]:
+ if Access in i[0]:
+ if i[2].find(Access) >= 0:
+ ret.insert(0, i)
+ else:
+ ret.append(i)
+ return ret
+ if ("$1", Tcon, Class) in keys:
+ for i in self.dict[("$1", Tcon, Class)]:
+ if Access in i[0]:
+ if i[2].find(Access) >= 0:
+ ret.insert(0, i)
+ else:
+ ret.append(i)
+ return ret
+ if (Scon, "$1", Class) in keys:
+ for i in self.dict[(Scon, "$1", Class)]:
+ if Access in i[0]:
+ if i[2].find(Access) >= 0:
+ ret.insert(0, i)
+ else:
+ ret.append(i)
+ return ret
+ else:
+ return ret
+
+
+class serule:
+ def __init__(self, type, source, target, seclass):
+ self.type=type
+ self.source=source
+ self.target=target
+ self.seclass=seclass
+ self.avcinfo={}
+ self.iface=None
+
+ def add(self, avc):
+ for a in avc[0]:
+ if a not in self.avcinfo.keys():
+ self.avcinfo[a]=[]
+
+ self.avcinfo[a].append(avc[1:])
+
+ def getAccess(self):
+ if len(self.avcinfo.keys()) == 1:
+ for i in self.avcinfo.keys():
+ return i
+ else:
+ keys=self.avcinfo.keys()
+ keys.sort()
+ ret="{"
+ for i in keys:
+ ret=ret + " " + i
+ ret=ret+" }"
+ return ret
+ def out(self, verbose=0):
+ ret=""
+ ret=ret+"%s %s %s:%s %s;" % (self.type, self.source, self.gettarget(), self.seclass, self.getAccess())
+ if verbose:
+ keys=self.avcinfo.keys()
+ keys.sort()
+ for i in keys:
+ for x in self.avcinfo[i]:
+ ret=ret+"\n\t#TYPE=AVC MSG=%s " % x[0]
+ if len(x[1]):
+ ret=ret+"COMM=%s " % x[1]
+ if len(x[2]):
+ ret=ret+"NAME=%s " % x[2]
+ ret=ret + " : " + i
+ return ret
+
+ def gen_reference_policy(self, iface):
+ ret=""
+ Scon=self.source
+ Tcon=self.gettarget()
+ Class=self.seclass
+ Access=self.getAccess()
+ m=iface.match(Scon,Tcon,Class,Access)
+ if len(m)==0:
+ return self.out()
+ else:
+ file=m[0][1]
+ ret="\n#%s\n"% self.out()
+ ret += "optional_policy(`%s', `\n" % m[0][1]
+ first=True
+ for i in m:
+ if file != i[1]:
+ ret += "')\ngen_require(`%s', `\n" % i[1]
+ file = i[1]
+ first=True
+ if first:
+ ret += "\t%s(%s)\n" % (i[2], Scon)
+ first=False
+ else:
+ ret += "#\t%s(%s)\n" % (i[2], Scon)
+ ret += "');"
+ return ret
+
+ def gettarget(self):
+ if self.source == self.target:
+ return "self"
+ else:
+ return self.target
+
+class seruleRecords:
+ def __init__(self, input, last_reload=0, verbose=0, te_ind=0):
+ self.last_reload=last_reload
+ self.seRules={}
+ self.seclasses={}
+ self.types=[]
+ self.roles=[]
+ self.load(input, te_ind)
+ self.gen_ref_policy = False
+
+ def gen_reference_policy(self):
+ self.gen_ref_policy = True
+ self.iface=interfaces()
+
+ def warning(self, error):
+ sys.stderr.write("%s: " % sys.argv[0])
+ sys.stderr.write("%s\n" % error)
+ sys.stderr.flush()
+
+ def load(self, input, te_ind=0):
+ VALID_CMDS=("allow", "dontaudit", "auditallow", "role")
+
+ avc=[]
+ found=0
+ line = input.readline()
+ if te_ind:
+ while line:
+ rec=line.split()
+ if len(rec) and rec[0] in VALID_CMDS:
+ self.add_terule(line)
+ line = input.readline()
+
+ else:
+ while line:
+ rec=line.split()
+ for i in rec:
+ if i=="avc:" or i=="message=avc:" or i=="msg='avc:":
+
+ found=1
+ else:
+ avc.append(i)
+ if found:
+ self.add(avc)
+ found=0
+ avc=[]
+ line = input.readline()
+
+
+ def get_target(self, i, rule):
+ target=[]
+ if rule[i][0] == "{":
+ for t in rule[i].split("{"):
+ if len(t):
+ target.append(t)
+ i=i+1
+ for s in rule[i:]:
+ if s.find("}") >= 0:
+ for s1 in s.split("}"):
+ if len(s1):
+ target.append(s1)
+ i=i+1
+ return (i, target)
+
+ target.append(s)
+ i=i+1
+ else:
+ if rule[i].find(";") >= 0:
+ for s1 in rule[i].split(";"):
+ if len(s1):
+ target.append(s1)
+ else:
+ target.append(rule[i])
+
+ i=i+1
+ return (i, target)
+
+ def rules_split(self, rules):
+ (idx, target ) = self.get_target(0, rules)
+ (idx, subject) = self.get_target(idx, rules)
+ return (target, subject)
+
+ def add_terule(self, rule):
+ rc = rule.split(":")
+ rules=rc[0].split()
+ type=rules[0]
+ if type == "role":
+ print type
+ (sources, targets) = self.rules_split(rules[1:])
+ rules=rc[1].split()
+ (seclasses, access) = self.rules_split(rules)
+ for scon in sources:
+ for tcon in targets:
+ for seclass in seclasses:
+ self.add_rule(type, scon, tcon, seclass,access)
+
+ def add_rule(self, rule_type, scon, tcon, seclass, access, msg="", comm="", name=""):
+ self.add_seclass(seclass, access)
+ self.add_type(tcon)
+ self.add_type(scon)
+ if (rule_type, scon, tcon, seclass) not in self.seRules.keys():
+ self.seRules[(rule_type, scon, tcon, seclass)]=serule(rule_type, scon, tcon, seclass)
+
+ self.seRules[(rule_type, scon, tcon, seclass)].add((access, msg, comm, name ))
+ def add(self,avc):
+ scon=""
+ tcon=""
+ seclass=""
+ comm=""
+ name=""
+ msg=""
+ access=[]
+ if "security_compute_sid" in avc:
+ return
+
+ if "load_policy" in avc and self.last_reload:
+ self.seRules={}
-$load_policy_pattern="avc:.*granted.*{.*load_policy.*}";
+ if "granted" in avc:
+ return
+ try:
+ for i in range (0, len(avc)):
+ if avc[i]=="{":
+ i=i+1
+ while i<len(avc) and avc[i] != "}":
+ access.append(avc[i])
+ i=i+1
+ continue
+
+ t=avc[i].split('=')
+ if len(t) < 2:
+ continue
+ if t[0]=="scontext":
+ context=t[1].split(":")
+ scon=context[2]
+ srole=context[1]
+ continue
+ if t[0]=="tcontext":
+ context=t[1].split(":")
+ tcon=context[2]
+ trole=context[1]
+ continue
+ if t[0]=="tclass":
+ seclass=t[1]
+ continue
+ if t[0]=="comm":
+ comm=t[1]
+ continue
+ if t[0]=="name":
+ name=t[1]
+ continue
+ if t[0]=="msg":
+ msg=t[1]
+ continue
-while ($opt = shift @ARGV) {
- if ($opt eq "-d") { $read_dmesg++; }
- elsif ($opt eq "-v") { $verbose++; }
- elsif ($opt eq "-i") { $input = shift @ARGV; }
- elsif ($opt eq "-o") { $output= shift @ARGV; }
- elsif ($opt eq "-l") { $load_policy++; }
- elsif ($opt eq "--help") { &printUsage; }
- else { print "unknown option, '$opt'\n\n"; &printUsage; }
-}
+ if scon=="" or tcon =="" or seclass=="":
+ return
+ except IndexError, e:
+ self.warning("Bad AVC Line: %s" % avc)
+ return
+
+ self.add_role(srole)
+ self.add_role(trole)
+ self.add_rule("allow", scon, tcon, seclass, access, msg, comm, name)
-if ($read_dmesg && $input) {
- print "Error, can't read from both dmesg and $input\n\n";
- &printUsage;
-}
+ def add_seclass(self,seclass, access):
+ if seclass not in self.seclasses.keys():
+ self.seclasses[seclass]=[]
+ for a in access:
+ if a not in self.seclasses[seclass]:
+ self.seclasses[seclass].append(a)
+
+ def add_role(self,role):
+ if role not in self.roles:
+ self.roles.append(role)
-if ($read_dmesg) { open (IN, "/bin/dmesg|"); }
-elsif ($input) { open (IN, "$input"); }
>>> TRUNCATED FOR MAIL (1000 lines) <<<