On Fri, 2008-08-01 at 07:43 -0400, Daniel J Walsh wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Adds support for boolean files, name/value pairs as input and output.
> Allows you to set a large amount of booleans at once.
>
> Add support from groupname in semanage login. This will allow you to
> associate groups of Linux Users with an SELinux user. Uses same syntax
> as sudo. Requires patch to libselinux.
>
> Cleanup of semanage variables. Change use of 1/0 to True/False.
>
> Remove bad use of raise(out)

Looks ok other than adding gui to the Makefile since we don't have that one. But upon trying "semanage login -a -s root %wheel", I get: libsemanage.get_users: user %wheel not in password file

So it seems that we also need libsemanage to understand the %groupname syntax? That is coming from genhomedircon.c.

If actually supporting per-role file labeling, then we'd need libsemanage to expand the group and add the individual users for generating home directory entries.

> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (GNU/Linux)
> Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
>
> iEYEARECAAYFAkiS9t8ACgkQrlYvE4MpobN0/gCgsoXMR/oDibFEw3SNFxwQlhrY
> gZIAn1wMYnPg+o2ixNVQsWYBOw1NN4Pd
> =69RK
> -----END PGP SIGNATURE-----
> plain text document attachment (diff)
> diff --exclude-from=exclude --exclude=sepolgen-1.0.13 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/Makefile policycoreutils-2.0.53/Makefile
> --- nsapolicycoreutils/Makefile 2008-06-12 23:25:24.000000000 -0400
> +++ policycoreutils-2.0.53/Makefile 2008-07-29 16:25:16.000000000 -0400
> @@ -1,4 +1,4 @@
> -SUBDIRS = setfiles semanage load_policy newrole run_init secon audit2allow audit2why scripts sestatus semodule_package semodule semodule_link semodule_expand semodule_deps setsebool po
> +SUBDIRS = setfiles semanage load_policy newrole run_init secon audit2allow audit2why scripts sestatus semodule_package semodule semodule_link semodule_expand semodule_deps setsebool po gui
>
> INOTIFYH = $(shell ls /usr/include/sys/inotify.h 2>/dev/null)
>
> diff --exclude-from=exclude --exclude=sepolgen-1.0.13 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.c policycoreutils-2.0.53/restorecond/restorecond.c
> --- nsapolicycoreutils/restorecond/restorecond.c 2008-06-12 23:25:21.000000000 -0400
> +++ policycoreutils-2.0.53/restorecond/restorecond.c 2008-07-29 16:25:16.000000000 -0400
> @@ -210,9 +210,10 @@
> }
>
> if (fsetfilecon(fd, scontext) < 0) {
> - syslog(LOG_ERR,
> - "set context %s->%s failed:'%s'\n",
> - filename, scontext, strerror(errno));
> + if (errno != EOPNOTSUPP)
> + syslog(LOG_ERR,
> + "set context %s->%s failed:'%s'\n",
> + filename, scontext, strerror(errno));
> if (retcontext >= 0)
> free(prev_context);
> free(scontext);
> @@ -225,8 +226,9 @@
> if (retcontext >= 0)
> free(prev_context);
> } else {
> - syslog(LOG_ERR, "get context on %s failed: '%s'\n",
> - filename, strerror(errno));
> + if (errno != EOPNOTSUPP)
> + syslog(LOG_ERR, "get context on %s failed: '%s'\n",
> + filename, strerror(errno));
> }
> free(scontext);
> close(fd);
> diff --exclude-from=exclude --exclude=sepolgen-1.0.13 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/semanage policycoreutils-2.0.53/semanage/semanage
> --- nsapolicycoreutils/semanage/semanage 2008-07-02 17:19:15.000000000 -0400
> +++ policycoreutils-2.0.53/semanage/semanage 2008-08-01 07:30:43.000000000 -0400
> @@ -45,13 +45,13 @@
> def usage(message = ""):
> print _("""
> semanage {boolean|login|user|port|interface|fcontext|translation} -{l|D} [-n]
> -semanage login -{a|d|m} [-sr] login_name
> +semanage login -{a|d|m} [-sr] login_name | %groupname
> semanage user -{a|d|m} [-LrRP] selinux_name
> semanage port -{a|d|m} [-tr] [ -p proto ] port | port_range
> semanage interface -{a|d|m} [-tr] interface_spec
> semanage fcontext -{a|d|m} [-frst] file_spec
> semanage translation -{a|d|m} [-T] level
> -semanage boolean -{d|m} boolean
> +semanage boolean -{d|m} [--on|--off|-1|-0] -F boolean | boolean_file
> semanage permissive -{d|a} type
>
> Primary Options:
> @@ -79,6 +79,7 @@
> -l (symbolic link)
> -p (named pipe)
>
> + -F, --file Treat target as an input file for command, change multiple settings
> -p, --proto Port protocol (tcp or udp)
> -P, --prefix Prefix for home directory labeling
> -L, --level Default SELinux Level (MLS/MCS Systems only)
> @@ -114,7 +115,7 @@
> valid_option["translation"] = []
> valid_option["translation"] += valid_everyone + [ '-T', '--trans' ]
> valid_option["boolean"] = []
> - valid_option["boolean"] += valid_everyone + [ '--on', "--off", "-1", "-0" ]
> + valid_option["boolean"] += valid_everyone + [ '--on', "--off", "-1", "-0", "-F", "--file"]
> valid_option["permissive"] = []
> valid_option["permissive"] += [ '-a', '--add', '-d', '--delete', '-l', '--list', '-h', '--help', '-n', '--noheading', '-D', '--deleteall' ]
> return valid_option
> @@ -134,15 +135,16 @@
> setrans = ""
> roles = ""
> seuser = ""
> - prefix = ""
> - heading=1
> - value=0
> - add = 0
> - modify = 0
> - delete = 0
> - deleteall = 0
> - list = 0
> - locallist = 0
> + prefix = "user"
> + heading = True
> + value = None
> + add = False
> + modify = False
> + delete = False
> + deleteall = False
> + list = False
> + locallist = False
> + use_file = False
> store = ""
> if len(sys.argv) < 3:
> usage(_("Requires 2 or more arguments"))
> @@ -155,11 +157,12 @@
> args = sys.argv[2:]
>
> gopts, cmds = getopt.getopt(args,
> - '01adf:lhmnp:s:CDR:L:r:t:T:P:S:',
> + '01adf:lhmnp:s:FCDR:L:r:t:T:P:S:',
> ['add',
> 'delete',
> 'deleteall',
> 'ftype=',
> + 'file',
> 'help',
> 'list',
> 'modify',
> @@ -185,31 +188,35 @@
> if o == "-a" or o == "--add":
> if modify or delete:
> usage()
> - add = 1
> + add = True
>
> if o == "-d" or o == "--delete":
> if modify or add:
> usage()
> - delete = 1
> + delete = True
> if o == "-D" or o == "--deleteall":
> if modify:
> usage()
> - deleteall = 1
> + deleteall = True
> if o == "-f" or o == "--ftype":
> ftype=a
> +
> + if o == "-F" or o == "--file":
> + use_file = True
> +
> if o == "-h" or o == "--help":
> usage()
>
> if o == "-n" or o == "--noheading":
> - heading=0
> + heading = False
>
> if o == "-C" or o == "--locallist":
> - locallist=1
> + locallist = True
>
> if o == "-m"or o == "--modify":
> if delete or add:
> usage()
> - modify = 1
> + modify = True
>
> if o == "-S" or o == '--store':
> store = a
> @@ -220,7 +227,7 @@
> serange = a
>
> if o == "-l" or o == "--list":
> - list = 1
> + list = True
>
> if o == "-L" or o == '--level':
> if is_mls_enabled == 0:
> @@ -246,9 +253,9 @@
> setrans = a
>
> if o == "--on" or o == "-1":
> - value = 1
> - if o == "-off" or o == "-0":
> - value = 0
> + value = "on"
> + if o == "--off" or o == "-0":
> + value = "off"
>
> if object == "login":
> OBJECT = seobject.loginRecords(store)
> @@ -275,7 +282,10 @@
> OBJECT = seobject.permissiveRecords(store)
>
> if list:
> - OBJECT.list(heading, locallist)
> + if object == "boolean":
> + OBJECT.list(heading, locallist, use_file)
> + else:
> + OBJECT.list(heading, locallist)
> sys.exit(0);
>
> if deleteall:
> @@ -295,12 +305,10 @@
> OBJECT.add(target, setrans)
>
> if object == "user":
> - rlist = roles.split()
> - if len(rlist) == 0:
> - raise ValueError(_("You must specify a role"))
> - if prefix == "":
> - raise ValueError(_("You must specify a prefix"))
> - OBJECT.add(target, rlist, selevel, serange, prefix)
> + rlist = []
> + if not use_file:
> + rlist = roles.split()
> + OBJECT.add(target, rlist, selevel, serange, prefix)
>
> if object == "port":
> OBJECT.add(target, proto, serange, setype)
> @@ -317,7 +325,7 @@
>
> if modify:
> if object == "boolean":
> - OBJECT.modify(target, value)
> + OBJECT.modify(target, value, use_file)
>
> if object == "login":
> OBJECT.modify(target, seuser, serange)
> diff --exclude-from=exclude --exclude=sepolgen-1.0.13 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/semanage.8 policycoreutils-2.0.53/semanage/semanage.8
> --- nsapolicycoreutils/semanage/semanage.8 2008-07-02 17:19:15.000000000 -0400
> +++ policycoreutils-2.0.53/semanage/semanage.8 2008-08-01 07:05:54.000000000 -0400
> @@ -3,11 +3,11 @@
> semanage \- SELinux Policy Management tool
>
> .SH "SYNOPSIS"
> -.B semanage {boolean|login|user|port|interface|fcontext|translation} \-{l|lC|D} [\-n]
> +.B semanage {boolean|login|user|port|interface|fcontext|translation} \-{l|D} [\-n] [\-S store]
> .br
> -.B semanage boolean \-{d|m} [\-\-on|\-\-off|\-1|\-0] boolean
> +.B semanage boolean \-{d|m} [\-\-on|\-\-off|\-1|\-0] -F boolean | boolean_file
> .br
> -.B semanage login \-{a|d|m} [\-sr] login_name
> +.B semanage login \-{a|d|m} [\-sr] login_name | %groupname
> .br
> .B semanage user \-{a|d|m} [\-LrRP] selinux_name
> .br
> @@ -54,6 +54,11 @@
> File Type. This is used with fcontext.
> Requires a file type as shown in the mode field by ls, e.g. use -d to match only directories or -- to match only regular files.
> .TP
> +.I \-F, \-\-file
> +Set multiple records from the input file. When used with the \-l \-\-list, it will output the current settings to stdout in the proper format.
> +
> +Currently booleans only.
> +.TP
> .I \-h, \-\-help
> display this message
> .TP
> @@ -87,6 +92,9 @@
> .I \-s, \-\-seuser
> SELinux user name
> .TP
> +.I \-S, \-\-store
> +Select and alternate SELinux store to manage
> +.TP
> .I \-t, \-\-type
> SELinux Type for the object
> .TP
> @@ -99,6 +107,8 @@
> $ semanage user -l
> # Allow joe to login as staff_u
> $ semanage login -a -s staff_u joe
> +# Allow the group clerks to login as user_u
> +$ semanage login -a -s user_u %clerks
> # Add file-context for everything under /web (used by restorecon)
> $ semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?"
> # Allow Apache to listen on port 81
> diff --exclude-from=exclude --exclude=sepolgen-1.0.13 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/seobject.py policycoreutils-2.0.53/semanage/seobject.py
> --- nsapolicycoreutils/semanage/seobject.py 2008-07-29 09:15:39.000000000 -0400
> +++ policycoreutils-2.0.53/semanage/seobject.py 2008-08-01 07:24:34.000000000 -0400
> @@ -21,7 +21,7 @@
> #
> #
>
> -import pwd, string, selinux, tempfile, os, re, sys
> +import pwd, grp, string, selinux, tempfile, os, re, sys
> from semanage import *;
> PROGNAME="policycoreutils"
> import sepolgen.module as module
> @@ -330,20 +330,15 @@
> for name in dirs:
> os.rmdir(os.path.join(root, name))
>
> - if rc != 0:
> - raise ValueError(out)
> -
> -
> def delete(self, name):
> for n in name.split():
> rc = semanage_module_remove(self.sh, "permissive_%s" % n)
> if rc < 0:
> raise ValueError(_("Could not remove permissive domain %s (remove failed)") % name)
> - rc = semanage_commit(self.sh)
> - if rc < 0:
> - raise ValueError(_("Could not remove permissive domain %s (commit failed)") % name)
> + rc = semanage_commit(self.sh)
> + if rc < 0:
> + raise ValueError(_("Could not remove permissive domain %s (commit failed)") % name)
>
> -
> def deleteall(self):
> l = self.get_all()
> if len(l) > 0:
> @@ -402,10 +397,16 @@
> raise ValueError(_("Could not check if login mapping for %s is defined") % name)
> if exists:
> raise ValueError(_("Login mapping for %s is already defined") % name)
> - try:
> - pwd.getpwnam(name)
> - except:
> - raise ValueError(_("Linux User %s does not exist") % name)
> + if name[0] == '%':
> + try:
> + grp.getgrnam(name[1:])
> + except:
> + raise ValueError(_("Linux Group %s does not exist") % name[1:])
> + else:
> + try:
> + pwd.getpwnam(name)
> + except:
> + raise ValueError(_("Linux User %s does not exist") % name)
>
> (rc,u) = semanage_seuser_create(self.sh)
> if rc < 0:
> @@ -1447,54 +1448,72 @@
> class booleanRecords(semanageRecords):
> def __init__(self, store = ""):
> semanageRecords.__init__(self, store)
> + self.dict={}
> + self.dict["TRUE"] = 1
> + self.dict["FALSE"] = 0
> + self.dict["ON"] = 1
> + self.dict["OFF"] = 0
> + self.dict["1"] = 1
> + self.dict["0"] = 0
>
> - def modify(self, name, value = ""):
> - if value == "":
> - raise ValueError(_("Requires value"))
> -
> - (rc,k) = semanage_bool_key_create(self.sh, name)
> - if rc < 0:
> - raise ValueError(_("Could not create a key for %s") % name)
> -
> - (rc,exists) = semanage_bool_exists(self.sh, k)
> - if rc < 0:
> - raise ValueError(_("Could not check if boolean %s is defined") % name)
> - if not exists:
> - raise ValueError(_("Boolean %s is not defined") % name)
> -
> - (rc,b) = semanage_bool_query(self.sh, k)
> - if rc < 0:
> - raise ValueError(_("Could not query file context %s") % name)
> + def __mod(self, name, value):
> + (rc,k) = semanage_bool_key_create(self.sh, name)
> + if rc < 0:
> + raise ValueError(_("Could not create a key for %s") % name)
> + (rc,exists) = semanage_bool_exists(self.sh, k)
> + if rc < 0:
> + raise ValueError(_("Could not check if boolean %s is defined") % name)
> + if not exists:
> + raise ValueError(_("Boolean %s is not defined") % name)
> +
> + (rc,b) = semanage_bool_query(self.sh, k)
> + if rc < 0:
> + raise ValueError(_("Could not query file context %s") % name)
>
> - if value != "":
> - nvalue = int(value)
> - semanage_bool_set_value(b, nvalue)
> + if value.upper() in self.dict:
> + semanage_bool_set_value(b, self.dict[value.upper()])
> else:
> - raise ValueError(_("You must specify a value"))
> + raise ValueError(_("You must specify one of the following values: %s") % ", ".join(self.dict.keys()) )
> +
> + rc = semanage_bool_set_active(self.sh, k, b)
> + if rc < 0:
> + raise ValueError(_("Could not set active value of boolean %s") % name)
> + rc = semanage_bool_modify_local(self.sh, k, b)
> + if rc < 0:
> + raise ValueError(_("Could not modify boolean %s") % name)
> + semanage_bool_key_free(k)
> + semanage_bool_free(b)
>
> + def modify(self, name, value=None, use_file=False):
> +
> rc = semanage_begin_transaction(self.sh)
> if rc < 0:
> raise ValueError(_("Could not start semanage transaction"))
> -
> - rc = semanage_bool_set_active(self.sh, k, b)
> - if rc < 0:
> - raise ValueError(_("Could not set active value of boolean %s") % name)
> - rc = semanage_bool_modify_local(self.sh, k, b)
> - if rc < 0:
> - raise ValueError(_("Could not modify boolean %s") % name)
> + if use_file:
> + fd = open(name)
> + for b in fd.read().split("\n"):
> + b = b.strip()
> + if len(b) == 0:
> + continue
> +
> + try:
> + boolname, val = b.split("=")
> + except ValueError, e:
> + raise ValueError(_("Bad format %s: Record %s" % ( name, b) ))
> + self.__mod(boolname.strip(), val.strip())
> + fd.close()
> + else:
> + self.__mod(name, value)
>
> rc = semanage_commit(self.sh)
> if rc < 0:
> raise ValueError(_("Could not modify boolean %s") % name)
>
> - semanage_bool_key_free(k)
> - semanage_bool_free(b)
> -
> def delete(self, name):
> - (rc,k) = semanage_bool_key_create(self.sh, name)
> - if rc < 0:
> - raise ValueError(_("Could not create a key for %s") % name)
>
> + (rc,k) = semanage_bool_key_create(self.sh, name)
> + if rc < 0:
> + raise ValueError(_("Could not create a key for %s") % name)
> (rc,exists) = semanage_bool_exists(self.sh, k)
> if rc < 0:
> raise ValueError(_("Could not check if boolean %s is defined") % name)
> @@ -1571,8 +1590,15 @@
> else:
> return _("unknown")
>
> - def list(self, heading = 1, locallist = 0):
> + def list(self, heading = True, locallist = False, use_file = False):
> on_off = (_("off"),_("on"))
> + if use_file:
> + ddict = self.get_all(locallist)
> + keys = ddict.keys()
> + for k in keys:
> + if ddict[k]:
> + print "%s=%s" % (k, ddict[k][2])
> + return
> if heading:
> print "%-40s %s\n" % (_("SELinux boolean"), _("Description"))
> ddict = self.get_all(locallist)

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.