Merge branch 'master' into next
Conflicts:
policycoreutils/ChangeLog
diff --git a/checkpolicy/ChangeLog b/checkpolicy/ChangeLog
index 0c76070..2271c05 100644
--- a/checkpolicy/ChangeLog
+++ b/checkpolicy/ChangeLog
@@ -1,3 +1,5 @@
+ * Add debug feature to display constraints/validatetrans from Richard Haines.
+
2.2 2013-10-30
* Fix hyphen usage in man pages from Laurent Bigonville.
* handle-unknown / -U required argument fix from Laurent Bigonville.
diff --git a/checkpolicy/checkpolicy.c b/checkpolicy/checkpolicy.c
index 292f568..9881dd7 100644
--- a/checkpolicy/checkpolicy.c
+++ b/checkpolicy/checkpolicy.c
@@ -377,7 +377,7 @@
int main(int argc, char **argv)
{
sepol_security_class_t tclass;
- sepol_security_id_t ssid, tsid, *sids;
+ sepol_security_id_t ssid, tsid, *sids, oldsid, newsid, tasksid;
sepol_security_context_t scontext;
struct sepol_av_decision avd;
class_datum_t *cladatum;
@@ -395,6 +395,9 @@
char *name;
int state;
int show_version = 0;
+ char *reason_buf = NULL;
+ unsigned int reason;
+ int flags;
struct policy_file pf;
struct option long_options[] = {
{"output", required_argument, NULL, 'o'},
@@ -644,6 +647,8 @@
printf("f) display conditional bools\n");
printf("g) display conditional expressions\n");
printf("h) change a boolean value\n");
+ printf("i) display constraint expressions\n");
+ printf("j) display validatetrans expressions\n");
#ifdef EQUIVTYPES
printf("z) Show equivalent types\n");
#endif
@@ -1060,6 +1065,109 @@
change_bool(name, state);
free(name);
break;
+ case 'i':
+ printf("source sid? ");
+ FGETS(ans, sizeof(ans), stdin);
+ ssid = atoi(ans);
+
+ printf("target sid? ");
+ FGETS(ans, sizeof(ans), stdin);
+ tsid = atoi(ans);
+
+ printf("target class? ");
+ FGETS(ans, sizeof(ans), stdin);
+ if (isdigit(ans[0])) {
+ tclass = atoi(ans);
+ if (!tclass
+ || tclass > policydb.p_classes.nprim) {
+ printf("\nNo such class.\n");
+ break;
+ }
+ cladatum =
+ policydb.class_val_to_struct[tclass - 1];
+ } else {
+ ans[strlen(ans) - 1] = 0;
+ cladatum =
+ (class_datum_t *) hashtab_search(policydb.
+ p_classes.
+ table,
+ ans);
+ if (!cladatum) {
+ printf("\nNo such class\n");
+ break;
+ }
+ tclass = cladatum->s.value;
+ }
+
+ flags = SHOW_GRANTED;
+ if (sepol_compute_av_reason_buffer(ssid, tsid,
+ tclass, 0, &avd, &reason,
+ &reason_buf, flags)) {
+ printf("\nconstraint error\n");
+ break;
+ }
+ if (reason_buf) {
+ printf("\nConstraint expressions:\n%s",
+ reason_buf);
+ free(reason_buf);
+ } else {
+ printf("\nNo constraints found.\n");
+ }
+ break;
+ case 'j':
+ printf("old sid? ");
+ FGETS(ans, sizeof(ans), stdin);
+ oldsid = atoi(ans);
+
+ printf("new sid? ");
+ FGETS(ans, sizeof(ans), stdin);
+ newsid = atoi(ans);
+
+ printf("task sid? ");
+ FGETS(ans, sizeof(ans), stdin);
+ tasksid = atoi(ans);
+
+ printf("target class? ");
+ FGETS(ans, sizeof(ans), stdin);
+ if (isdigit(ans[0])) {
+ tclass = atoi(ans);
+ if (!tclass
+ || tclass > policydb.p_classes.nprim) {
+ printf("\nNo such class.\n");
+ break;
+ }
+ cladatum =
+ policydb.class_val_to_struct[tclass - 1];
+ } else {
+ ans[strlen(ans) - 1] = 0;
+ cladatum =
+ (class_datum_t *) hashtab_search(policydb.
+ p_classes.
+ table,
+ ans);
+ if (!cladatum) {
+ printf("\nNo such class\n");
+ break;
+ }
+ tclass = cladatum->s.value;
+ }
+
+ flags = SHOW_GRANTED;
+ if (sepol_validate_transition_reason_buffer(oldsid,
+ newsid, tasksid, tclass,
+ &reason_buf, flags)) {
+ printf("\nvalidatetrans error\n");
+ break;
+ }
+ if (reason_buf) {
+ printf("\nValidatetrans expressions:\n%s",
+ reason_buf);
+ free(reason_buf);
+ } else {
+ printf(
+ "\nNo validatetrans expressions found.\n");
+ }
+ break;
#ifdef EQUIVTYPES
case 'z':
identify_equiv_types();
diff --git a/libselinux/include/selinux/selinux.h b/libselinux/include/selinux/selinux.h
index 7fff62a..8ea29d4 100644
--- a/libselinux/include/selinux/selinux.h
+++ b/libselinux/include/selinux/selinux.h
@@ -357,6 +357,25 @@
const char *perms[sizeof(access_vector_t) * 8 + 1];
};
+/**
+ * selinux_set_mapping - Enable dynamic mapping between integer offsets and security class names
+ * @map: array of security_class_mapping structures
+ *
+ * The core avc_has_perm() API uses integers to represent security
+ * classes; previous to the introduction of this function, it was
+ * common for userspace object managers to be compiled using generated
+ * offsets for a particular policy. However, that strongly ties the build of the userspace components to a particular policy.
+ *
+ * By using this function to map between integer offsets and security
+ * class names, it's possible to replace a system policies that have
+ * at least the same set of security class names as used by the
+ * userspace object managers.
+ *
+ * To correctly use this function, you should override the generated
+ * security class defines from the system policy in a local header,
+ * starting at 1, and have one security_class_mapping structure entry
+ * per define.
+ */
extern int selinux_set_mapping(struct security_class_mapping *map);
/* Common helpers */
diff --git a/libsepol/ChangeLog b/libsepol/ChangeLog
index a01cda0..4cfba82 100644
--- a/libsepol/ChangeLog
+++ b/libsepol/ChangeLog
@@ -1,3 +1,6 @@
+ * Fix valgrind errors in constraint_expr_eval_reason from Richard Haines.
+ * Add sepol_validate_transition_reason_buffer function from Richard Haines.
+
2.2 2013-10-30
* Allow constraint denial cause to be determined from Richard Haines.
- Add kernel policy version 29.
diff --git a/libsepol/include/sepol/policydb/services.h b/libsepol/include/sepol/policydb/services.h
index 8b2065f..e4e8362 100644
--- a/libsepol/include/sepol/policydb/services.h
+++ b/libsepol/include/sepol/policydb/services.h
@@ -75,6 +75,20 @@
unsigned int *reason,
char **reason_buf,
unsigned int flags);
+
+/*
+ * Returns the mls/validatetrans constraint expression calculations in
+ * a buffer that must be free'd by the caller using free(3).
+ * If the SHOW_GRANTED flag is set it will show granted and denied
+ * mls/validatetrans (the default is to show only those denied).
+ */
+extern int sepol_validate_transition_reason_buffer(sepol_security_id_t oldsid,
+ sepol_security_id_t newsid,
+ sepol_security_id_t tasksid,
+ sepol_security_class_t tclass,
+ char **reason_buf,
+ unsigned int flags);
+
/*
* Return a class ID associated with the class string representation
* specified by `class_name'.
diff --git a/libsepol/src/services.c b/libsepol/src/services.c
index 73faa05..44aa497 100644
--- a/libsepol/src/services.c
+++ b/libsepol/src/services.c
@@ -344,11 +344,16 @@
if (len < 0 || len >= class_buf_len - buf_used)
continue;
- /* Add permission entries */
+ /* Add permission entries (validatetrans does not have perms) */
p += len;
buf_used += len;
- len = snprintf(p, class_buf_len - buf_used, "{%s } (",
- sepol_av_to_string(policydb, tclass, constraint->permissions));
+ if (state_num < 2) {
+ len = snprintf(p, class_buf_len - buf_used, "{%s } (",
+ sepol_av_to_string(policydb, tclass,
+ constraint->permissions));
+ } else {
+ len = snprintf(p, class_buf_len - buf_used, "(");
+ }
if (len < 0 || len >= class_buf_len - buf_used)
continue;
break;
@@ -723,6 +728,7 @@
push(answer_list[answer_counter++]);
free(a);
free(b);
+ free(expr_list[x]);
} else if (strncmp(expr_list[x], "not", 3) == 0) {
b = pop();
b_len = strlen(b);
@@ -743,6 +749,7 @@
expr_list[x], b);
push(answer_list[answer_counter++]);
free(b);
+ free(expr_list[x]);
} else {
push(expr_list[x]);
}
@@ -750,8 +757,11 @@
/* Get the final answer from tos and build constraint text */
a = pop();
- /* Constraint calculation: rc = 0 is denied, rc = 1 is granted */
- sprintf(tmp_buf, "Constraint %s\n", s[0] ? "GRANTED" : "DENIED");
+ /* validatetrans / constraint calculation:
+ rc = 0 is denied, rc = 1 is granted */
+ sprintf(tmp_buf, "%s %s\n",
+ xcontext ? "Validatetrans" : "Constraint",
+ s[0] ? "GRANTED" : "DENIED");
int len, new_buf_len;
char *p, **new_buf = r_buf;
@@ -807,6 +817,8 @@
for (x = 0; expr_list[x] != NULL; x++)
free(expr_list[x]);
}
+ free(answer_list);
+ free(expr_list);
return rc;
}
@@ -982,6 +994,68 @@
return 0;
}
+/*
+ * sepol_validate_transition_reason_buffer - the reason buffer is realloc'd
+ * in the constraint_expr_eval_reason() function.
+ */
+int hidden sepol_validate_transition_reason_buffer(sepol_security_id_t oldsid,
+ sepol_security_id_t newsid,
+ sepol_security_id_t tasksid,
+ sepol_security_class_t tclass,
+ char **reason_buf,
+ unsigned int flags)
+{
+ context_struct_t *ocontext;
+ context_struct_t *ncontext;
+ context_struct_t *tcontext;
+ class_datum_t *tclass_datum;
+ constraint_node_t *constraint;
+
+ if (!tclass || tclass > policydb->p_classes.nprim) {
+ ERR(NULL, "unrecognized class %d", tclass);
+ return -EINVAL;
+ }
+ tclass_datum = policydb->class_val_to_struct[tclass - 1];
+
+ ocontext = sepol_sidtab_search(sidtab, oldsid);
+ if (!ocontext) {
+ ERR(NULL, "unrecognized SID %d", oldsid);
+ return -EINVAL;
+ }
+
+ ncontext = sepol_sidtab_search(sidtab, newsid);
+ if (!ncontext) {
+ ERR(NULL, "unrecognized SID %d", newsid);
+ return -EINVAL;
+ }
+
+ tcontext = sepol_sidtab_search(sidtab, tasksid);
+ if (!tcontext) {
+ ERR(NULL, "unrecognized SID %d", tasksid);
+ return -EINVAL;
+ }
+
+ /*
+ * Set the buffer to NULL as mls/validatetrans may not be processed.
+ * If a buffer is required, then the routines in
+ * constraint_expr_eval_reason will realloc in REASON_BUF_SIZE
+ * chunks (as it gets called for each mls/validatetrans processed).
+ * We just make sure these start from zero.
+ */
+ *reason_buf = NULL;
+ reason_buf_used = 0;
+ reason_buf_len = 0;
+ constraint = tclass_datum->validatetrans;
+ while (constraint) {
+ if (!constraint_expr_eval_reason(ocontext, ncontext, tcontext,
+ tclass, constraint, reason_buf, flags)) {
+ return -EPERM;
+ }
+ constraint = constraint->next;
+ }
+ return 0;
+}
+
int hidden sepol_compute_av_reason(sepol_security_id_t ssid,
sepol_security_id_t tsid,
sepol_security_class_t tclass,
diff --git a/policycoreutils/ChangeLog b/policycoreutils/ChangeLog
index 4e3e1d0..bdb61ff 100644
--- a/policycoreutils/ChangeLog
+++ b/policycoreutils/ChangeLog
@@ -1,3 +1,16 @@
+ * Add -P semodule option to man page from Dan Walsh.
+ * selinux_current_policy_path will return none on a disabled SELinux system from Dan Walsh.
+ * Add new icons for sepolicy gui from Dan Walsh.
+ * Only return writeable files that are enabled from Dan Walsh.
+ * Add domain to short list of domains, when -t and -d from Dan Walsh.
+ * Fix up desktop files to match current standards from Dan Walsh.
+ * Add support to return sesitivities and cats for python from Dan Walsh.
+ * Cleanup whitespace from Dan Walsh.
+ * Add message to tell user to install sandbox policy from Dan Walsh.
+ * Add systemd unit file for mcstrans from Laurent Bigonville.
+ * Improve restorecond systemd unit file from Laurent Bigonville.
+ * Minor man pages improvements from Laurent Bigonville.
+
2.2.4 2013-11-26
* Revert automatic setting of serange and seuser in seobject; was breaking non-MLS systems.
diff --git a/policycoreutils/audit2allow/audit2allow.1 b/policycoreutils/audit2allow/audit2allow.1
index be4df24..21d286b 100644
--- a/policycoreutils/audit2allow/audit2allow.1
+++ b/policycoreutils/audit2allow/audit2allow.1
@@ -160,7 +160,7 @@
# interface files.
# You can create a te file and compile it by executing
-$ make -f /usr/share/selinux/devel/Makefile local.pp
+$ make \-f /usr/share/selinux/devel/Makefile local.pp
# This make command will compile a local.te file in the current
diff --git a/policycoreutils/audit2allow/sepolgen-ifgen b/policycoreutils/audit2allow/sepolgen-ifgen
index 3967ba5..83c7ecf 100644
--- a/policycoreutils/audit2allow/sepolgen-ifgen
+++ b/policycoreutils/audit2allow/sepolgen-ifgen
@@ -63,7 +63,7 @@
def get_policy():
p = selinux.selinux_current_policy_path()
- if os.path.exists(p):
+ if p and os.path.exists(p):
return p
i = selinux.security_policyvers()
p = selinux.selinux_binary_policy_path() + "." + str(i)
diff --git a/policycoreutils/gui/selinux-polgengui.8 b/policycoreutils/gui/selinux-polgengui.8
index 52bf7dd..a13399f 100644
--- a/policycoreutils/gui/selinux-polgengui.8
+++ b/policycoreutils/gui/selinux-polgengui.8
@@ -29,7 +29,7 @@
Report bugs to <http://bugzilla.redhat.com>.
.SH LICENSE AND AUTHORS
-\fBselinux-polgengui\fP is licensed under the GNU Public License and
+\fBselinux-polgengui\fP is licensed under the GNU General Public License and
is copyrighted by Red Hat, Inc.
.br
This man page was written by Daniel Walsh <dwalsh@redhat.com>
diff --git a/policycoreutils/gui/selinux-polgengui.desktop b/policycoreutils/gui/selinux-polgengui.desktop
index 0c2f399..bbcb18f 100644
--- a/policycoreutils/gui/selinux-polgengui.desktop
+++ b/policycoreutils/gui/selinux-polgengui.desktop
@@ -64,4 +64,3 @@
Terminal=false
Categories=System;Security;
X-Desktop-File-Install-Version=0.2
-Keywords=policy;security;selinux;avc;permission;mac;
diff --git a/policycoreutils/gui/system-config-selinux.8 b/policycoreutils/gui/system-config-selinux.8
index a80cbf9..149570a 100644
--- a/policycoreutils/gui/system-config-selinux.8
+++ b/policycoreutils/gui/system-config-selinux.8
@@ -31,7 +31,7 @@
Report bugs to <http://bugzilla.redhat.com>.
.SH LICENSE AND AUTHORS
-\fBsystem-config-selinux\fP is licensed under the GNU Public License and
+\fBsystem-config-selinux\fP is licensed under the GNU General Public License and
is copyrighted by Red Hat, Inc.
.br
This man page was written by Daniel Walsh <dwalsh@redhat.com>
diff --git a/policycoreutils/gui/system-config-selinux.desktop b/policycoreutils/gui/system-config-selinux.desktop
index 8822ce2..befdb23 100644
--- a/policycoreutils/gui/system-config-selinux.desktop
+++ b/policycoreutils/gui/system-config-selinux.desktop
@@ -64,4 +64,3 @@
Terminal=false
Categories=System;Security;
X-Desktop-File-Install-Version=0.2
-Keywords=policy;security;selinux;avc;permission;mac;
diff --git a/policycoreutils/load_policy/load_policy.8 b/policycoreutils/load_policy/load_policy.8
index a86073f..38c01b6 100644
--- a/policycoreutils/load_policy/load_policy.8
+++ b/policycoreutils/load_policy/load_policy.8
@@ -4,7 +4,7 @@
.SH SYNOPSIS
.B load_policy
-[-qi]
+[\-qi]
.br
.SH DESCRIPTION
.PP
diff --git a/policycoreutils/mcstrans/man/man8/mcstransd.8 b/policycoreutils/mcstrans/man/man8/mcstransd.8
index 0be6468..c1dc483 100644
--- a/policycoreutils/mcstrans/man/man8/mcstransd.8
+++ b/policycoreutils/mcstrans/man/man8/mcstransd.8
@@ -14,10 +14,10 @@
This daemon reads /etc/selinux/{SELINUXTYPE}/setrans.conf configuration file, and communicates with libselinux via a socket in /var/run/setrans.
.SH "OPTIONS"
.TP
--f
+\-f
Run mcstransd in the foreground. Do not run as a daemon.
.TP
--h
+\-h
Output a short summary of available command line options\&.
.SH "AUTHOR"
diff --git a/policycoreutils/mcstrans/src/Makefile b/policycoreutils/mcstrans/src/Makefile
index fb44490..907a1f1 100644
--- a/policycoreutils/mcstrans/src/Makefile
+++ b/policycoreutils/mcstrans/src/Makefile
@@ -17,6 +17,7 @@
PREFIX ?= $(DESTDIR)/usr
SBINDIR ?= $(DESTDIR)/sbin
INITDIR ?= $(DESTDIR)/etc/rc.d/init.d
+SYSTEMDDIR ?= $(DESTDIR)/usr/lib/systemd
PROG_SRC=mcstrans.c mcscolor.c mcstransd.c mls_level.c
PROG_OBJS= $(patsubst %.c,%.o,$(PROG_SRC))
@@ -38,6 +39,8 @@
install -m 755 $(PROG) $(SBINDIR)
test -d $(INITDIR) || install -m 755 -d $(INITDIR)
install -m 755 $(INITSCRIPT).init $(INITDIR)/$(INITSCRIPT)
+ test -d $(SYSTEMDDIR)/system || install -m 755 -d $(SYSTEMDDIR)/system
+ install -m 644 mcstrans.service $(SYSTEMDDIR)/system/
clean:
-rm -f $(OBJS) $(LOBJS) $(TARGET) $(PROG) $(PROG_OBJS) *~ \#*
diff --git a/policycoreutils/mcstrans/src/mcstrans.service b/policycoreutils/mcstrans/src/mcstrans.service
new file mode 100644
index 0000000..64bb361
--- /dev/null
+++ b/policycoreutils/mcstrans/src/mcstrans.service
@@ -0,0 +1,9 @@
+[Unit]
+Description=Translates SELinux MCS/MLS labels to human readable form
+ConditionSecurity=selinux
+
+[Service]
+ExecStart=/sbin/mcstransd -f
+
+[Install]
+WantedBy=multi-user.target
diff --git a/policycoreutils/restorecond/restorecond.desktop b/policycoreutils/restorecond/restorecond.desktop
index 89201e1..af72868 100644
--- a/policycoreutils/restorecond/restorecond.desktop
+++ b/policycoreutils/restorecond/restorecond.desktop
@@ -2,7 +2,6 @@
Name=File Context maintainer
Exec=/usr/sbin/restorecond -u
Comment=Fix file context in owned by the user
-Encoding=UTF-8
Type=Application
StartupNotify=false
X-GNOME-Autostart-enabled=false
diff --git a/policycoreutils/restorecond/restorecond.service b/policycoreutils/restorecond/restorecond.service
index 7d64cc5..0511a1c 100644
--- a/policycoreutils/restorecond/restorecond.service
+++ b/policycoreutils/restorecond/restorecond.service
@@ -1,12 +1,12 @@
[Unit]
Description=Restorecon maintaining path file context
-After=syslog.target
ConditionPathExists=/etc/selinux/restorecond.conf
+ConditionSecurity=selinux
[Service]
-Type=oneshot
+Type=forking
ExecStart=/usr/sbin/restorecond
-RemainAfterExit=yes
+PIDFile=/var/run/restorecond.pid
[Install]
WantedBy=multi-user.target
diff --git a/policycoreutils/sandbox/sandbox b/policycoreutils/sandbox/sandbox
index fb5a24c..3668abe 100644
--- a/policycoreutils/sandbox/sandbox
+++ b/policycoreutils/sandbox/sandbox
@@ -356,7 +356,7 @@
try:
sepolicy.info(sepolicy.TYPE, "sandbox_t")
except RuntimeError:
- raise ValueError(_("Sandbox Policy is currently disabled.\nYou need to enable the policy by executing the following as root\n# semodule -e sandbox"))
+ raise ValueError(_("Sandbox Policy is not currently installed.\nYou need to install the selinux-policy-sandbox package in order to run this command"))
if self.__options.setype:
self.setype = self.__options.setype
diff --git a/policycoreutils/scripts/fixfiles.8 b/policycoreutils/scripts/fixfiles.8
index 9f660dc..1b9a2d6 100644
--- a/policycoreutils/scripts/fixfiles.8
+++ b/policycoreutils/scripts/fixfiles.8
@@ -60,11 +60,11 @@
.TP
.B \-N time
Only act on files created after the specified date. Date must be specified in
-"YYYY-MM-DD HH:MM" format. Date field will be passed to find --newermt command.
+"YYYY\-MM\-DD HH:MM" format. Date field will be passed to find \-\-newermt command.
.TP
.B -v
-Modify verbosity from progress to verbose. (Run restorecon with -v instead of -p)
+Modify verbosity from progress to verbose. (Run restorecon with \-v instead of \-p)
.SH "ARGUMENTS"
One of:
diff --git a/policycoreutils/secon/secon.1 b/policycoreutils/secon/secon.1
index 04b3fd3..3a8e0dd 100644
--- a/policycoreutils/secon/secon.1
+++ b/policycoreutils/secon/secon.1
@@ -31,7 +31,7 @@
outputs data in a format suitable for a prompt
.TP
\fB\-C\fR, \fB\-\-color\fR
-outputs data with the associated ANSI color codes (requires -P)
+outputs data with the associated ANSI color codes (requires \-P)
.TP
\fB\-u\fR, \fB\-\-user\fR
show the user of the security context
diff --git a/policycoreutils/semanage/semanage-boolean.8 b/policycoreutils/semanage/semanage-boolean.8
index 4195d50..6eb6b69 100644
--- a/policycoreutils/semanage/semanage-boolean.8
+++ b/policycoreutils/semanage/semanage-boolean.8
@@ -1,6 +1,6 @@
.TH "semanage-boolean" "8" "20130617" "" ""
.SH "NAME"
-semanage boolean\- SELinux Policy Management boolean tool
+semanage\-boolean \- SELinux Policy Management boolean tool
.SH "SYNOPSIS"
.B semanage boolean [\-h] [\-n] [\-N] [\-s STORE] [ \-\-extract | \-\-deleteall | \-\-list [\-C] | \-\-modify ( \-\-on | \-\-off ) boolean ]
diff --git a/policycoreutils/semanage/semanage-dontaudit.8 b/policycoreutils/semanage/semanage-dontaudit.8
index 65002f3..122780d 100644
--- a/policycoreutils/semanage/semanage-dontaudit.8
+++ b/policycoreutils/semanage/semanage-dontaudit.8
@@ -1,6 +1,6 @@
.TH "semanage-dontaudit" "8" "20130617" "" ""
.SH "NAME"
-.B semanage dontaudit\- SELinux Policy Management dontaudit tool
+.B semanage\-dontaudit \- SELinux Policy Management dontaudit tool
.SH "SYNOPSIS"
.B semanage dontaudit [\-h] [\-S STORE] [\-N] {on,off}
diff --git a/policycoreutils/semanage/semanage-export.8 b/policycoreutils/semanage/semanage-export.8
index 1d32a0a..469b1bb 100644
--- a/policycoreutils/semanage/semanage-export.8
+++ b/policycoreutils/semanage/semanage-export.8
@@ -1,6 +1,6 @@
.TH "semanage-export" "8" "20130617" "" ""
.SH "NAME"
-.B semanage export\- SELinux Policy Management import tool
+.B semanage\-export \- SELinux Policy Management import tool
.SH "SYNOPSIS"
.B semanage export [\-h] [\-S STORE] [\-f OUTPUT_FILE]
@@ -23,10 +23,10 @@
.SH EXAMPLE
.nf
Import semanage modifications from another machine
-# semanage export -f semanage.mods
+# semanage export \-f semanage.mods
# scp semanage.mod remotemachine:
# ssh remotemachine
-# semanage import -f semanage.mods
+# semanage import \-f semanage.mods
.SH "SEE ALSO"
.B selinux (8),
diff --git a/policycoreutils/semanage/semanage-fcontext.8 b/policycoreutils/semanage/semanage-fcontext.8
index 7369af7..7bbb0af 100644
--- a/policycoreutils/semanage/semanage-fcontext.8
+++ b/policycoreutils/semanage/semanage-fcontext.8
@@ -1,6 +1,6 @@
.TH "semanage-fcontext" "8" "20130617" "" ""
.SH "NAME"
-semanage fcontext\- SELinux Policy Management file context tool
+semanage\-fcontext \- SELinux Policy Management file context tool
.SH "SYNOPSIS"
.B semanage fcontext [\-h] [\-n] [\-N] [\-s STORE] [ \-\-add ( \-t TYPE \-f FTYPE \-r RANGE \-s SEUSER | \-e EQUAL ) FILE_SPEC ) | \-\-delete ( \-t TYPE \-f FTYPE | \-e EQUAL ) FILE_SPEC ) | \-\-deleteall | \-\-extract | \-\-list [\-C] | \-\-modify ( \-t TYPE \-f FTYPE \-r RANGE \-s SEUSER | \-e EQUAL ) FILE_SPEC ) ]
diff --git a/policycoreutils/semanage/semanage-import.8 b/policycoreutils/semanage/semanage-import.8
index fb95a04..5437de3 100644
--- a/policycoreutils/semanage/semanage-import.8
+++ b/policycoreutils/semanage/semanage-import.8
@@ -1,6 +1,6 @@
.TH "semanage-import" "8" "20130617" "" ""
.SH "NAME"
-.B semanage import\- SELinux Policy Management import tool
+.B semanage\-import \- SELinux Policy Management import tool
.SH "SYNOPSIS"
.B semanage import [\-h] [\-N] [\-S STORE] [\-f INPUT_FILE]
@@ -25,7 +25,7 @@
.SH EXAMPLE
.nf
Import semanage modifications from another machine
-# semanage import -f semanage.mods
+# semanage import \-f semanage.mods
.SH "SEE ALSO"
.B selinux (8),
diff --git a/policycoreutils/semanage/semanage-interface.8 b/policycoreutils/semanage/semanage-interface.8
index c9dd59c..d318bb8 100644
--- a/policycoreutils/semanage/semanage-interface.8
+++ b/policycoreutils/semanage/semanage-interface.8
@@ -1,6 +1,6 @@
.TH "semanage-interface" "8" "20130617" "" ""
.SH "NAME"
-.B semanage interface\- SELinux Policy Management network interface tool
+.B semanage\-interface \- SELinux Policy Management network interface tool
.SH "SYNOPSIS"
.B semanage interface [\-h] [\-n] [\-N] [\-s STORE] [ \-\-add \-t TYPE \-r RANGE interface | \-\-delete interface | \-\-deleteall | \-\-extract | \-\-list [\-C] | \-\-modify \-t TYPE \-r RANGE interface ]
@@ -53,7 +53,7 @@
.SH EXAMPLE
.nf
list all interface defitions
-# semanage interface -l
+# semanage interface \-l
.SH "SEE ALSO"
.B selinux (8),
diff --git a/policycoreutils/semanage/semanage-login.8 b/policycoreutils/semanage/semanage-login.8
index 78a0ecb..7cc5fde 100644
--- a/policycoreutils/semanage/semanage-login.8
+++ b/policycoreutils/semanage/semanage-login.8
@@ -1,6 +1,6 @@
.TH "semanage-login" "8" "20130617" "" ""
.SH "NAME"
-.B semanage login\- SELinux Policy Management linux user to SELinux User mapping tool
+.B semanage\-login \- SELinux Policy Management linux user to SELinux User mapping tool
.SH "SYNOPSIS"
.B semanage login [\-h] [\-n] [\-N] [\-s STORE] [ \-\-add \-s SEUSER \-r RANGE LOGIN | \-\-delete LOGIN | \-\-deleteall | \-\-extract | \-\-list [\-C] | \-\-modify \-s SEUSER \-r RANGE LOGIN ]
@@ -53,11 +53,11 @@
.SH EXAMPLE
.nf
Modify the default user on the system to the guest_u user
-# semanage login -m -s guest_u __default__
+# semanage login \-m \-s guest_u __default__
Assign gijoe user on an MLS machine a range and to the staff_u user
-# semanage login -a -s staff_u -rSystemLow-Secret gijoe
+# semanage login \-a \-s staff_u \-rSystemLow-Secret gijoe
Assign all users in the engineering group to the staff_u user
-# semanage login -a -s staff_u %engineering
+# semanage login \-a \-s staff_u %engineering
.SH "SEE ALSO"
.B selinux (8),
diff --git a/policycoreutils/semanage/semanage-module.8 b/policycoreutils/semanage/semanage-module.8
index fd236f7..42d6862 100644
--- a/policycoreutils/semanage/semanage-module.8
+++ b/policycoreutils/semanage/semanage-module.8
@@ -1,6 +1,6 @@
.TH "semanage-module" "8" "20130617" "" ""
.SH "NAME"
-.B semanage module\\- SELinux Policy Management module mapping tool
+.B semanage\-module \- SELinux Policy Management module mapping tool
.SH "SYNOPSIS"
.B semanage module [\-h] [\-n] [\-N] [\-S STORE] (\-a | \-r | \-e | \-d | \-\-extract | \-\-list [\-C] | \-\-deleteall) [module_name]
diff --git a/policycoreutils/semanage/semanage-node.8 b/policycoreutils/semanage/semanage-node.8
index 75c2d30..0a2160d 100644
--- a/policycoreutils/semanage/semanage-node.8
+++ b/policycoreutils/semanage/semanage-node.8
@@ -1,6 +1,6 @@
.TH "semanage-node" "8" "20130617" "" ""
.SH "NAME"
-.B semanage node\- SELinux Policy Management node mapping tool
+.B semanage\-node \- SELinux Policy Management node mapping tool
.SH "SYNOPSIS"
.B semanage node [\-h] [\-n] [\-N] [\-s STORE] [ \-\-add \-M NETMASK \-p PROTOCOL \-t TYPE \-r RANGE node | \-\-delete \-M NETMASK \-p PROTOCOL node | \-\-deleteall | \-\-extract | \-\-list [\-C] | \-\-modify \-M NETMASK \-p PROTOCOL \-t TYPE \-r RANGE node ]
diff --git a/policycoreutils/semanage/semanage-permissive.8 b/policycoreutils/semanage/semanage-permissive.8
index 9a143df..ee30c85 100644
--- a/policycoreutils/semanage/semanage-permissive.8
+++ b/policycoreutils/semanage/semanage-permissive.8
@@ -1,6 +1,6 @@
.TH "semanage-permissive" "8" "20130617" "" ""
.SH "NAME"
-.B semanage permissive \- SELinux Policy Management permissive mapping tool
+.B semanage\-permissive \- SELinux Policy Management permissive mapping tool
.SH "SYNOPSIS"
.B semanage permissive [\-h] (\-a | \-d | \-l) [\-n] [\-N] [\-S STORE] [type]
diff --git a/policycoreutils/semanage/semanage-port.8 b/policycoreutils/semanage/semanage-port.8
index cd0a1b4..9aefd3b 100644
--- a/policycoreutils/semanage/semanage-port.8
+++ b/policycoreutils/semanage/semanage-port.8
@@ -1,6 +1,6 @@
.TH "semanage-port" "8" "20130617" "" ""
.SH "NAME"
-.B semanage port\- SELinux Policy Management port mapping tool
+.B semanage\-port \- SELinux Policy Management port mapping tool
.SH "SYNOPSIS"
.B semanage port [\-h] [\-n] [\-N] [\-s STORE] [ \-\-add \-t TYPE \-p PROTOCOL \-r RANGE port_name | port_range | \-\-delete \-p PROTOCOL port_name | port_range | \-\-deleteall | \-\-extract | \-\-list [\-C] | \-\-modify \-t TYPE \-p PROTOCOL \-r RANGE port_name | port_range ]
diff --git a/policycoreutils/semanage/semanage-user.8 b/policycoreutils/semanage/semanage-user.8
index 7259ea9..0e29334 100644
--- a/policycoreutils/semanage/semanage-user.8
+++ b/policycoreutils/semanage/semanage-user.8
@@ -1,6 +1,6 @@
.TH "semanage-user" "8" "20130617" "" ""
.SH "NAME"
-.B semanage user\- SELinux Policy Management SELinux User mapping tool
+.B semanage\-user \- SELinux Policy Management SELinux User mapping tool
.SH "SYNOPSIS"
.B semanage user [\-h] [\-n] [\-N] [\-s STORE] [ \-\-add ( \-L LEVEL \-R ROLES \-r RANGE \-s SEUSER selinux_name) | \-\-delete selinux_name | \-\-deleteall | \-\-extract | \-\-list [\-C] | \-\-modify ( \-L LEVEL \-R ROLES \-r RANGE \-s SEUSER selinux_name ) ]
@@ -60,7 +60,7 @@
Modify groups for staff_u user
# semanage user \-m \-R "system_r unconfined_r staff_r" staff_u
Add level for TopSecret Users
-# semanage user \-a \-R "staff_r" -rs0-TopSecret topsecret_u
+# semanage user \-a \-R "staff_r" \-rs0\-TopSecret topsecret_u
.SH "SEE ALSO"
.B selinux (8),
diff --git a/policycoreutils/semanage/semanage.8 b/policycoreutils/semanage/semanage.8
index cba2c9c..0fad36c 100644
--- a/policycoreutils/semanage/semanage.8
+++ b/policycoreutils/semanage/semanage.8
@@ -86,4 +86,4 @@
and Russell Coker <rcoker@redhat.com>.
.br
Examples by Thomas Bleher <ThomasBleher@gmx.de>.
-usage: semanage [-h]
+usage: semanage [\-h]
diff --git a/policycoreutils/semodule/semodule.8 b/policycoreutils/semodule/semodule.8
index 35277e9..2a91697 100644
--- a/policycoreutils/semodule/semodule.8
+++ b/policycoreutils/semodule/semodule.8
@@ -59,6 +59,9 @@
.B \-h,\-\-help
prints help message and quit
.TP
+.B \-P,\-\-preserve_tunables
+Preserve tunables in policy
+.TP
.B \-v,\-\-verbose
be verbose
diff --git a/policycoreutils/sepolicy/Makefile b/policycoreutils/sepolicy/Makefile
index 2b8716c..90f88a5 100644
--- a/policycoreutils/sepolicy/Makefile
+++ b/policycoreutils/sepolicy/Makefile
@@ -47,6 +47,11 @@
-mkdir -p $(DESTDIR)/usr/share/system-config-selinux
install -m 755 selinux_server.py $(DESTDIR)/usr/share/system-config-selinux
install -m 644 *.desktop $(DATADIR)/system-config-selinux
+ -mkdir -p $(DESTDIR) $(DATADIR)/pixmaps
+ install -m 644 sepolicy_256.png $(DATADIR)/pixmaps/sepolicy.png
+ for i in 16 22 32 48 256; do \
+ mkdir -p $(DESTDIR) $(DATADIR)/icons/hicolor/$${i}x$${i}/apps; \
+ install -m 644 sepolicy_$${i}.png $(DATADIR)/icons/hicolor/$${i}x$${i}/apps/sepolicy.png; \
+ done
relabel:
-
diff --git a/policycoreutils/sepolicy/info.c b/policycoreutils/sepolicy/info.c
index cd1026a..17f5732 100644
--- a/policycoreutils/sepolicy/info.c
+++ b/policycoreutils/sepolicy/info.c
@@ -54,13 +54,13 @@
enum input
{
- TYPE, ATTRIBUTE, ROLE, USER, PORT, BOOLEAN, CLASS
+ TYPE, ATTRIBUTE, ROLE, USER, PORT, BOOLEAN, CLASS, SENS, CATS
};
static int py_insert_long(PyObject *dict, const char *name, int value)
{
int rt;
- PyObject *obj = PyInt_FromLong(value);
+ PyObject *obj = PyLong_FromLong(value);
if (!obj) return -1;
rt = PyDict_SetItemString(dict, name, obj);
Py_DECREF(obj);
@@ -78,9 +78,287 @@
}
/**
+ * Get a policy's MLS sensitivities.
+ * If this function is given a name, it will attempt to
+ * get statistics about a particular sensitivity; otherwise
+ * the function gets statistics about all of the policy's
+ * sensitivities.
+ *
+ * @param name Reference to a sensitivity's name; if NULL,
+ * all sensitivities will be considered
+ * @param policydb Reference to a policy
+ *
+ * @return 0 on success, < 0 on error.
+ */
+static PyObject* get_sens(const char *name, const apol_policy_t * policydb)
+{
+ PyObject *dict = NULL;
+ int error = 0;
+ int rt = 0;
+ size_t i;
+ char *tmp = NULL;
+ const char *lvl_name = NULL;
+ apol_level_query_t *query = NULL;
+ apol_vector_t *v = NULL;
+ const qpol_level_t *level = NULL;
+ apol_mls_level_t *ap_mls_lvl = NULL;
+ qpol_policy_t *q = apol_policy_get_qpol(policydb);
+
+ query = apol_level_query_create();
+ if (!query)
+ goto cleanup;
+ if (apol_level_query_set_sens(policydb, query, name))
+ goto cleanup;
+ if (apol_level_get_by_query(policydb, query, &v))
+ goto cleanup;
+
+ dict = PyDict_New();
+ if (!dict) goto err;
+ for (i = 0; i < apol_vector_get_size(v); i++) {
+ level = apol_vector_get_element(v, i);
+ if (qpol_level_get_name(q, level, &lvl_name))
+ goto err;
+ ap_mls_lvl = (apol_mls_level_t *) apol_mls_level_create_from_qpol_level_datum(policydb, level);
+ tmp = apol_mls_level_render(policydb, ap_mls_lvl);
+ apol_mls_level_destroy(&ap_mls_lvl);
+ if (!tmp)
+ goto cleanup;
+ if (py_insert_string(dict, lvl_name, tmp))
+ goto err;
+ free(tmp); tmp = NULL;
+ if (rt) goto err;
+ }
+
+ if (name && !apol_vector_get_size(v)) {
+ goto cleanup;
+ }
+
+ goto cleanup;
+err:
+ error = errno;
+ PyErr_SetString(PyExc_RuntimeError,strerror(error));
+ py_decref(dict); dict = NULL;
+cleanup:
+ free(tmp);
+ apol_level_query_destroy(&query);
+ apol_vector_destroy(&v);
+ errno = error;
+ return dict;
+}
+
+/**
+ * Compare two qpol_cat_datum_t objects.
+ * This function is meant to be passed to apol_vector_compare
+ * as the callback for performing comparisons.
+ *
+ * @param datum1 Reference to a qpol_type_datum_t object
+ * @param datum2 Reference to a qpol_type_datum_t object
+ * @param data Reference to a policy
+ * @return Greater than 0 if the first argument is less than the second argument,
+ * less than 0 if the first argument is greater than the second argument,
+ * 0 if the arguments are equal
+ */
+static int qpol_cat_datum_compare(const void *datum1, const void *datum2, void *data)
+{
+ const qpol_cat_t *cat_datum1 = NULL, *cat_datum2 = NULL;
+ apol_policy_t *policydb = NULL;
+ qpol_policy_t *q;
+ uint32_t val1, val2;
+
+ policydb = (apol_policy_t *) data;
+ q = apol_policy_get_qpol(policydb);
+ assert(policydb);
+
+ if (!datum1 || !datum2)
+ goto exit_err;
+ cat_datum1 = datum1;
+ cat_datum2 = datum2;
+
+ if (qpol_cat_get_value(q, cat_datum1, &val1))
+ goto exit_err;
+ if (qpol_cat_get_value(q, cat_datum2, &val2))
+ goto exit_err;
+
+ return (val1 > val2) ? 1 : ((val1 == val2) ? 0 : -1);
+
+ exit_err:
+ assert(0);
+ return 0;
+}
+
+/**
+ * Compare two qpol_level_datum_t objects.
+ * This function is meant to be passed to apol_vector_compare
+ * as the callback for performing comparisons.
+ *
+ * @param datum1 Reference to a qpol_level_datum_t object
+ * @param datum2 Reference to a qpol_level_datum_t object
+ * @param data Reference to a policy
+ * @return Greater than 0 if the first argument is less than the second argument,
+ * less than 0 if the first argument is greater than the second argument,
+ * 0 if the arguments are equal
+ */
+static int qpol_level_datum_compare(const void *datum1, const void *datum2, void *data)
+{
+ const qpol_level_t *lvl_datum1 = NULL, *lvl_datum2 = NULL;
+ apol_policy_t *policydb = NULL;
+ qpol_policy_t *q;
+ uint32_t val1, val2;
+
+ policydb = (apol_policy_t *) data;
+ assert(policydb);
+ q = apol_policy_get_qpol(policydb);
+
+ if (!datum1 || !datum2)
+ goto exit_err;
+ lvl_datum1 = datum1;
+ lvl_datum2 = datum2;
+
+ if (qpol_level_get_value(q, lvl_datum1, &val1))
+ goto exit_err;
+ if (qpol_level_get_value(q, lvl_datum2, &val2))
+ goto exit_err;
+
+ return (val1 > val2) ? 1 : ((val1 == val2) ? 0 : -1);
+
+ exit_err:
+ assert(0);
+ return 0;
+}
+
+/**
+ * Gets a textual representation of a MLS category and
+ * all of that category's sensitivies.
+ *
+ * @param type_datum Reference to sepol type_datum
+ * @param policydb Reference to a policy
+ */
+static PyObject* get_cat_sens(const qpol_cat_t * cat_datum, const apol_policy_t * policydb)
+{
+ const char *cat_name, *lvl_name;
+ apol_level_query_t *query = NULL;
+ apol_vector_t *v = NULL;
+ const qpol_level_t *lvl_datum = NULL;
+ qpol_policy_t *q = apol_policy_get_qpol(policydb);
+ size_t i, n_sens = 0;
+ int error = 0;
+ PyObject *list = NULL;
+ PyObject *dict = PyDict_New();
+ if (!dict) goto err;
+ if (!cat_datum || !policydb)
+ goto err;
+
+ /* get category name for apol query */
+ if (qpol_cat_get_name(q, cat_datum, &cat_name))
+ goto cleanup;
+
+ query = apol_level_query_create();
+ if (!query)
+ goto err;
+ if (apol_level_query_set_cat(policydb, query, cat_name))
+ goto err;
+ if (apol_level_get_by_query(policydb, query, &v))
+ goto err;
+ apol_vector_sort(v, &qpol_level_datum_compare, (void *)policydb);
+ dict = PyDict_New();
+ if (!dict) goto err;
+ if (py_insert_string(dict, "name", cat_name))
+ goto err;
+ n_sens = apol_vector_get_size(v);
+ list = PyList_New(0);
+ if (!list) goto err;
+ for (i = 0; i < n_sens; i++) {
+ lvl_datum = (qpol_level_t *) apol_vector_get_element(v, i);
+ if (!lvl_datum)
+ goto err;
+ if (qpol_level_get_name(q, lvl_datum, &lvl_name))
+ goto err;
+ if (py_append_string(list, lvl_name))
+ goto err;
+ }
+ if (py_insert_obj(dict, "level", list))
+ goto err;
+ Py_DECREF(list);
+
+ goto cleanup;
+err:
+ error = errno;
+ PyErr_SetString(PyExc_RuntimeError,strerror(errno));
+ py_decref(list); list = NULL;
+ py_decref(dict); dict = NULL;
+cleanup:
+ apol_level_query_destroy(&query);
+ apol_vector_destroy(&v);
+ errno = error;
+ return dict;
+}
+
+/**
+ * Prints statistics regarding a policy's MLS categories.
+ * If this function is given a name, it will attempt to
+ * get statistics about a particular category; otherwise
+ * the function gets statistics about all of the policy's
+ * categories.
+ *
+ * @param name Reference to a MLS category's name; if NULL,
+ * all categories will be considered
+ * @param policydb Reference to a policy
+ *
+ * @return 0 on success, < 0 on error.
+ */
+static PyObject* get_cats(const char *name, const apol_policy_t * policydb)
+{
+ PyObject *obj = NULL;
+ apol_cat_query_t *query = NULL;
+ apol_vector_t *v = NULL;
+ const qpol_cat_t *cat_datum = NULL;
+ size_t i, n_cats;
+ int error = 0;
+ int rt;
+ PyObject *list = PyList_New(0);
+ if (!list) goto err;
+
+ query = apol_cat_query_create();
+ if (!query)
+ goto err;
+ if (apol_cat_query_set_cat(policydb, query, name))
+ goto err;
+ if (apol_cat_get_by_query(policydb, query, &v))
+ goto err;
+ n_cats = apol_vector_get_size(v);
+ apol_vector_sort(v, &qpol_cat_datum_compare, (void *)policydb);
+
+ for (i = 0; i < n_cats; i++) {
+ cat_datum = apol_vector_get_element(v, i);
+ if (!cat_datum)
+ goto err;
+ obj = get_cat_sens(cat_datum, policydb);
+ if (!obj)
+ goto err;
+ rt = py_append_obj(list, obj);
+ Py_DECREF(obj);
+ if (rt) goto err;
+ }
+
+ if (name && !n_cats) {
+ goto err;
+ }
+
+ goto cleanup;
+err:
+ error = errno;
+ PyErr_SetString(PyExc_RuntimeError,strerror(errno));
+ py_decref(list); list = NULL;
+cleanup:
+ apol_cat_query_destroy(&query);
+ apol_vector_destroy(&v);
+ errno = error;
+ return list;
+}
+
+/**
* Get the alias of a type.
*
- * @param fp Reference to a file to which to get type information
* @param type_datum Reference to sepol type_datum
* @param policydb Reference to a policy
* attributes
@@ -315,7 +593,7 @@
return list;
}
-static PyObject* get_type( const qpol_type_t * type_datum, const apol_policy_t * policydb) {
+static PyObject* get_type(const qpol_type_t * type_datum, const apol_policy_t * policydb) {
PyObject *obj;
qpol_policy_t *q = apol_policy_get_qpol(policydb);
@@ -370,11 +648,8 @@
* get statistics about a particular boolean; otherwise
* the function gets statistics about all of the policy's booleans.
*
- * @param fp Reference to a file to which to print statistics
* @param name Reference to a boolean's name; if NULL,
* all booleans will be considered
- * @param expand Flag indicating whether to print each
- * boolean's default state
* @param policydb Reference to a policy
*
* @return new reference, or NULL (setting an exception)
@@ -536,11 +811,8 @@
* Prints a textual representation of an object class and possibly
* all of that object class' permissions.
*
- * @param fp Reference to a file to which to print object class information
* @param type_datum Reference to sepol type_datum
* @param policydb Reference to a policy
- * @param expand Flag indicating whether to print each object class'
- * permissions
*/
static PyObject* get_class(const qpol_class_t * class_datum, const apol_policy_t * policydb)
{
@@ -1066,6 +1338,12 @@
case PORT:
output = get_ports(name, policy);
break;
+ case SENS:
+ output = get_sens(name, policy);
+ break;
+ case CATS:
+ output = get_cats(name, policy);
+ break;
default:
errno = EINVAL;
PyErr_SetString(PyExc_RuntimeError,strerror(errno));
@@ -1098,4 +1376,6 @@
PyModule_AddIntConstant(m, "USER", USER);
PyModule_AddIntConstant(m, "CLASS", CLASS);
PyModule_AddIntConstant(m, "BOOLEAN", BOOLEAN);
+ PyModule_AddIntConstant(m, "SENS", SENS);
+ PyModule_AddIntConstant(m, "CATS", CATS);
}
diff --git a/policycoreutils/sepolicy/sepolicy-generate.8 b/policycoreutils/sepolicy/sepolicy-generate.8
index 96c20fc..2e67456 100644
--- a/policycoreutils/sepolicy/sepolicy-generate.8
+++ b/policycoreutils/sepolicy/sepolicy-generate.8
@@ -54,7 +54,7 @@
When specifying a \fBconfined application\fP you must specify a
path. \fBsepolicy generate\fP will use the rpm payload of the
-application along with \fBnm -D APPLICATION\fP to help it generate
+application along with \fBnm \-D APPLICATION\fP to help it generate
types and policy rules for your policy files.
.B Type Enforcing File NAME.te
@@ -75,7 +75,7 @@
.B RPM Spec File NAME_selinux.spec
.br
-This file is an RPM SPEC file that can be used to install the SELinux policy on to machines and setup the labeling. The spec file also installs the interface file and a man page describing the policy. You can use \fBsepolicy manpage -d NAME\fP to generate the man page.
+This file is an RPM SPEC file that can be used to install the SELinux policy on to machines and setup the labeling. The spec file also installs the interface file and a man page describing the policy. You can use \fBsepolicy manpage \-d NAME\fP to generate the man page.
.B Shell File NAME.sh
.br
@@ -158,9 +158,7 @@
.br
Generating Policy for /usr/sbin/rwhod named rwhod
.br
-Created the following files in:
-.br
-./
+Created the following files:
.br
rwhod.te # Type Enforcement file
.br
diff --git a/policycoreutils/sepolicy/sepolicy/__init__.py b/policycoreutils/sepolicy/sepolicy/__init__.py
index fd95c16..679725d 100644
--- a/policycoreutils/sepolicy/sepolicy/__init__.py
+++ b/policycoreutils/sepolicy/sepolicy/__init__.py
@@ -141,6 +141,9 @@
for i in permlist:
if i['target'] in attributes:
continue
+ if "enabled" in i:
+ if not i["enabled"]:
+ continue
if i['target'].endswith("_t"):
if i['target'] not in file_types:
continue
diff --git a/policycoreutils/sepolicy/sepolicy/gui.py b/policycoreutils/sepolicy/sepolicy/gui.py
index 94ddb72..5ca87b9 100644
--- a/policycoreutils/sepolicy/sepolicy/gui.py
+++ b/policycoreutils/sepolicy/sepolicy/gui.py
@@ -484,6 +484,8 @@
path = None
if test:
domains = [ "httpd_t", "abrt_t" ]
+ if app and app not in domains:
+ domains.append(app)
else:
domains = sepolicy_domains
loading_gui.show()
diff --git a/policycoreutils/sepolicy/sepolicy_16.png b/policycoreutils/sepolicy/sepolicy_16.png
new file mode 100644
index 0000000..199aae5
--- /dev/null
+++ b/policycoreutils/sepolicy/sepolicy_16.png
Binary files differ
diff --git a/policycoreutils/sepolicy/sepolicy_22.png b/policycoreutils/sepolicy/sepolicy_22.png
new file mode 100644
index 0000000..fa1f137
--- /dev/null
+++ b/policycoreutils/sepolicy/sepolicy_22.png
Binary files differ
diff --git a/policycoreutils/sepolicy/sepolicy_256.png b/policycoreutils/sepolicy/sepolicy_256.png
new file mode 100644
index 0000000..40f1df5
--- /dev/null
+++ b/policycoreutils/sepolicy/sepolicy_256.png
Binary files differ
diff --git a/policycoreutils/sepolicy/sepolicy_32.png b/policycoreutils/sepolicy/sepolicy_32.png
new file mode 100644
index 0000000..c57a734
--- /dev/null
+++ b/policycoreutils/sepolicy/sepolicy_32.png
Binary files differ
diff --git a/policycoreutils/sepolicy/sepolicy_48.png b/policycoreutils/sepolicy/sepolicy_48.png
new file mode 100644
index 0000000..6cc0a03
--- /dev/null
+++ b/policycoreutils/sepolicy/sepolicy_48.png
Binary files differ
diff --git a/policycoreutils/setfiles/restorecon.8 b/policycoreutils/setfiles/restorecon.8
index 672bbd2..ab43206 100644
--- a/policycoreutils/setfiles/restorecon.8
+++ b/policycoreutils/setfiles/restorecon.8
@@ -25,7 +25,7 @@
If a file object does not have a context, restorecon will write the default
context to the file object's extended attributes. If a file object has a
context, restorecon will only modify the type portion of the security context.
-The -F option will force a replacement of the entire context.
+The \-F option will force a replacement of the entire context.
.P
It is the same executable as
.BR setfiles
@@ -50,7 +50,7 @@
ignore files that do not exist.
.TP
.B \-n
-don't change any file labels (passive check). To display the files whose labels would be changed, add -v.
+don't change any file labels (passive check). To display the files whose labels would be changed, add \-v.
.TP
.B \-o outfilename
Deprecated, SELinux policy will probably block this access. Use shell redirection to save list of files with incorrect context in filename.
diff --git a/policycoreutils/setsebool/setsebool.8 b/policycoreutils/setsebool/setsebool.8
index 7338f15..916a58c 100644
--- a/policycoreutils/setsebool/setsebool.8
+++ b/policycoreutils/setsebool/setsebool.8
@@ -20,7 +20,6 @@
If the \-N option is given, the policy on disk is not reloaded into the kernel.
-
If the \-V option is given, verbose error messages will be printed from semanage libraries.
diff --git a/policycoreutils/setsebool/setsebool.c b/policycoreutils/setsebool/setsebool.c
index 89412d0..b101f08 100644
--- a/policycoreutils/setsebool/setsebool.c
+++ b/policycoreutils/setsebool/setsebool.c
@@ -53,10 +53,10 @@
permanent = 1;
break;
case 'N':
- reload = 0;
+ reload = 0;
break;
case 'V':
- verbose = 1;
+ verbose = 1;
break;
default:
usage();
