debian/policycoreutils.mcstrans.service

[Unit]
Description=Translates SELinux MCS/MLS labels to human readable form
ConditionSecurity=selinux

[Service]
ExecStart=/sbin/mcstransd -f

[Install]
WantedBy=multi-user.target

debian/se_dpkg

#!/bin/sh
EXEC=`echo $0 | cut -f2 -d_`
if [ "$EXEC" != "dpkg" ]; then
  cd /
fi
exec /usr/sbin/run_init $EXEC "$@"

debian/policycoreutils.dirs

var/lib/selinux

debian/changelog

policycoreutils (2.2.5-1) unstable; urgency=medium

  * Team upload.
  * New upstream release
  * debian/control: Bump Standards-Version to 3.9.5 (no further changes)

 -- Laurent Bigonville Sun, 29 Dec 2013 14:43:17 +0100

policycoreutils (2.2.4-1) unstable; urgency=low

  * Team upload.
  * New upstream release
    - Drop d/p/0023-semanage_default_encoding.patch: Merged upstream

 -- Laurent Bigonville Mon, 02 Dec 2013 20:02:14 +0100

policycoreutils (2.2.1-1) unstable; urgency=low

  * Team upload.
  * New upstream release
    - debian/control: Bump {build-}dependencies to match the release
    - debian/control: Add python-dev, libapol-dev and libqpol-dev to the
      build-dependencies
    - Add new python-sepolicy package
    - d/p/0002-Made-fixfiles-display-the-progress.patch: Refreshed
    - Drop d/p/0004-manpages.patch: Fixed upstream
    - d/p/0005-build-system.patch: Refreshed
    - d/p/0006-default-config.patch: Refreshed
    - d/p/0009-find-does-not-have-a-context-switch.patch: Refreshed
    - Drop d/p/0013-use_dpkg_buildflags.patch: Fixed upstream
    - Drop d/p/0014-po-file-update.patch: .po files are not updated during
      build anymore
    - d/p/0017-no-sandbox: Refreshed
    - d/p/0018-sandbox-config.patch: Refreshed
  * debian/rules: bash-completion script are now properly installed
  * debian/patches/0022-sepolicy-path.patch: Install sepolicy modules in the
    correct location
  * debian/rules: Fix /usr/sbin/load_policy symlink creation
  * debian/rules: Set $SYSTEMDDIR variable to /lib/systemd, so systemd units
    files are installed in the correct directory
  * debian/control, debian/rules: Add calls to dh_systemd tools
  * debian/rules, debian/policycoreutils.install: Pass --destdir option to
    dh_auto_install and list files to install in the package
  * Add debian/patches/0023-semanage_default_encoding.patch: Remove import
    for not upstreamed module
  * Add debian/patches/0024-fix-manpages.patch: Fix some minor manpages
    issues
  * debian/control: Use canonical URL in VCS-Git field
  * d/p/0025-restorecon-service.patch: Improve restorecond service file

 -- Laurent Bigonville Wed, 06 Nov 2013 22:32:23 +0100

policycoreutils (2.1.13-2) unstable; urgency=low

  * Team upload.
  * debian/control:
    - Add gawk to the build-dependencies, this is needed for some manpages
      generation
    - Add python-audit to the Recommends
    - Bump Standards-Version to 3.9.4 (no further changes)

 -- Laurent Bigonville Sat, 25 May 2013 01:44:10 +0200

policycoreutils (2.1.13-1) experimental; urgency=low

  * Team upload.
  * New upstream release
    - Bump {build-}dependencies
    - debian/patches/0002-Made-fixfiles-display-the-progress.patch:
      Refreshed
    - debian/patches/0004-manpages.patch: Refreshed
    - debian/patches/0005-build-system.patch: Refreshed
    - debian/patches/0006-default-config.patch: Refreshed
    - d/p/0007-Fix-infinite-loop-i-watch-code.patch: Dropped, applied
      upstream
    - d/p/0008-Only-run-setfiles-if-we-found-read-write-filesystems.patch:
      Dropped, applied upstream
    - d/p/0010-fix-ftbfs-with-hardening-flags.patch: Dropped, applied
      upstream
    - debian/patches/0011-restorecon-no-error.patch: Dropped, applied
      upstream
    - debian/patches/0013-use_dpkg_buildflags.patch: Refreshed
    - debian/patches/0014-po-file-update.patch: Refreshed
    - debian/patches/0017-no-sandbox: Refreshed
  * debian/watch: Fix watch file URL
  * debian/gbp.conf: Change default git-buildpackage build-directory and the
    debian-branch to "debian" instead of "upstream"
  * debian/rules: Move bash completion scripts to the new location
  * Override INITDIR and SYSCONFDIR from debian/rules instead of patching
    Makefiles directly
  * debian/policycoreutils.dirs: Install /var/lib/selinux/ directory, this is
    needed for some operations of semanage (Closes: #668174)
  * Add debian/patches/0017-sandbox-config.patch: The sandbox configuration
    file is located in /etc/default/sandbox
  * Do not install system-config-selinux for now, it needs some adjustments
    for debian
  * debian/policycoreutils.maintscript: Properly remove /etc/init.d/sandbox
    and /etc/default/sandbox that were dropped previous version
    (Closes: #689048)
  * Rework initscripts using /etc/init.d/skeleton as a template
  * Include common-* files in newrole and run_init pam services
  * Add dependency against selinux-utils for selinuxenabled executable

 -- Laurent Bigonville Sat, 29 Sep 2012 23:16:16 +0200

policycoreutils (2.1.10-9) unstable; urgency=high

  * Revert the munging of setrans.conf which was introduced in 2.1.10-7.
    Closes: #677759
  * Made mcstrans ignore a line containing "s0=" to properly solve the
    original problem.
  * Made the mcstrans init script not return an error when you stop it twice.
  * Included a new version of open_init_pty that doesn't take 100% CPU time.
    Closes: #474956
  * Removed sandbox because it's a new feature that we never had working,
    also removed seunshare because it's not needed and brought in an annoying
    dependency on libcgroup1
    Closes: #678590

 -- Russell Coker Tue, 26 Jun 2012 17:22:05 +1000

policycoreutils (2.1.10-8) unstable; urgency=low

  * Drop /selinux directory, we are planning to move to /sys/fs/selinux, and
    it's already created by libselinux1 package anyway.
    From Laurent Bigonville

 -- Russell Coker Sat, 16 Jun 2012 23:37:05 +1000

policycoreutils (2.1.10-7) unstable; urgency=low

  * Correctly label /run/setrans.
  * Fix /etc/selinux/default/setrans.conf if it contains old syntax so we can
    start the new version of mcstrans.

 -- Russell Coker Sat, 16 Jun 2012 17:59:24 +1000

policycoreutils (2.1.10-6) unstable; urgency=low

  * Team upload.
  * debian/control, debian/patches/0013-use_dpkg_buildflags.patch: Enable
    hardening flags for all components of the package (Closes: #665320)
  * debian/control: Fix Vcs-Browser URL
  * debian/patches/0014-po-file-update.patch: Update the po files, this
    allows the package to build twice in a row again (Closes: #662514)
  * debian/rules: Install the right pam files

 -- Laurent Bigonville Tue, 27 Mar 2012 17:45:36 +0200

policycoreutils (2.1.10-5) unstable; urgency=low

  * Team upload.
  * Switch to dh sequence and debhelper 9
  * Merge my missing patches
  * d/p/fix-ftbfs-hardening-flags.patch: Fix FTBFS with hardening flags
  * d/policycoreutils.lintian-overrides: Drop non-standard-toplevel-dir
    selinux/
  * debian/patches/0006-default-config.patch: Properly disable sandbox by
    default
  * Rewrite maintainer scripts to use debhelper generated stanza.
    (Should closes: #660345)
  * debian/control: Update Vcs-* fields
  * Add debian/gbp.conf file
  * debian/control:
    - Add Pre-Depends: ${misc:Pre-Depends} field
    - Make policycoreutils arch:linux-any
    - Put under the Debian SELinux team maintenance
    - Bump python-setools dependency to >= 3.3.7-2

 -- Laurent Bigonville Tue, 20 Mar 2012 19:50:46 +0100

policycoreutils (2.1.10-4) unstable; urgency=low

  * Made it depend on python-setools for audit2allow

 -- Russell Coker Mon, 19 Mar 2012 16:00:12 +1100

policycoreutils (2.1.10-2) unstable; urgency=low

  * Depend on python-ipy for semanage
  * Fix command not found error in init.d/sandbox
    Closes: #663419
  * Added patch from Martin Orr to make restorecon not return 1 (error) when
    it relabels a file.
    Closes: #662990

 -- Russell Coker Thu, 15 Mar 2012 10:52:29 +1100

policycoreutils (2.1.10-1) unstable; urgency=low

  * New upstream version
  * Made it build-depend on libcgroup-dev, libdbus-1-dev,
    libdbus-glib-1-dev, and libglib2.0-dev
  * Lots of multiarch related changes
  * Rename /etc/init.d/policycoreutils to /etc/init.d/restorecond
  * Added per-user configuration for restorecond

 -- Russell Coker Mon, 05 Mar 2012 17:28:46 +1100

policycoreutils (2.1.0-3.1) unstable; urgency=low

  * Non-maintainer upload.
  * Adjust package to multiarch: export/use DEB_HOST_MULTIARCH in
    debian/common/* and in some Makefiles; build-depend on dpkg-dev
    (>= 1.16.0). Based on patches from Mitsuya Shibata and Hideki Yamane.
    Closes: #640630, #652758
    LP: #832802

 -- gregor herrmann Wed, 15 Feb 2012 19:10:41 +0100

policycoreutils (2.1.0-3) unstable; urgency=low

  * Add mcstrans examples in
    /usr/share/doc/policycoreutils/mcstrans-examples
  * Added dependency on psmisc for killall in mcstrans init script

 -- Russell Coker Wed, 02 Nov 2011 15:06:07 +1100

policycoreutils (2.1.0-2) unstable; urgency=low

  * New upstream version, included mcstrans and added sandbox.
  * The new mcstrans won't work with the policy from Squeeze, it will abort
    on startup and you won't get the names mapped.
    IMHO this is acceptable for a partially upgraded system and when the
    system is fully upgraded it will all work.
  * Made it build-depend on the latest libselinux1-dev, libsepol1-dev,
    libsemanage1-dev, and python-sepolgen.
  * Added libcap-ng-dev to the build-depends for sandbox.
  * Added libcap-dev to the build-depends for mcstrans.
  * Hard-coded LIBDIR in mcstrans/src/Makefile and mcstrans/utils/Makefile
    as uname -i doesn't work.
  * Added dependency on python-support.
  * Made it depend on latest python-sepolgen and on python-support.
  * s/\.p/\.P/ on mcs.8
  * Added lintian override for suid binary /usr/sbin/seunshare .
  * Made this version -2 because version -1 got lost.

 -- Russell Coker Mon, 31 Oct 2011 16:35:30 +1100

policycoreutils (2.0.82-5) unstable; urgency=low

  * Make it suggest selinux-policy-dev which is needed by sepolgen-ifgen.

 -- Russell Coker Wed, 16 Feb 2011 00:22:13 +1100

policycoreutils (2.0.82-4) unstable; urgency=low

  * Depend on the latest version of python-sepolgen, audit2allow won't work
    otherwise.

 -- Russell Coker Sat, 20 Nov 2010 23:40:52 +1100

policycoreutils (2.0.82-3) unstable; urgency=low

  * Update the man page for semanage to document -i for command files.

 -- Russell Coker Tue, 20 Jul 2010 12:33:36 +1000

policycoreutils (2.0.82-2) unstable; urgency=low

  * Use "rm -rf" when cleaning out /tmp.
  * Documented the -0 option in restorecon(8), noted in restorecon(8) and
    setfiles(8) that they are the same program and documented the -p option.
  * Removed the newlines when displaying the progress of setfiles/restorecon.
  * Made fixfiles display the progress.

 -- Russell Coker Mon, 21 Jun 2010 22:35:00 +1000

policycoreutils (2.0.82-1) unstable; urgency=low

  * New upstream release
    + Add avc's since boot from Dan Walsh.
    + Add dontaudit flag to audit2allow from Dan Walsh.
    + Module enable/disable support from Dan Walsh.
    + Fix double-free in newrole
    + Remove non-working OUTFILE from fixfiles from Dan Walsh.
    + Additional exception handling in chcat from Dan Walsh.

 -- Manoj Srivastava Sun, 28 Mar 2010 10:13:19 -0700

policycoreutils (2.0.77-1) unstable; urgency=low

  * New upstream version.
    + Fixed bug preventing semanage node -a from working from Chad Sellers
    + Fixed bug preventing semanage fcontext -l from working from Chad
      Sellers
    + Remove setrans management from semanage, as it does not work from Dan
      Walsh.
    + Move load_policy from /usr/sbin to /sbin from Dan Walsh.

 -- Manoj Srivastava Fri, 20 Nov 2009 01:53:37 -0600

policycoreutils (2.0.75-1) unstable; urgency=low

  * New upstream point release
    + Factor out restoring logic from setfiles.c into restore.c

 -- Manoj Srivastava Tue, 17 Nov 2009 16:34:11 -0600

policycoreutils (2.0.74-1) unstable; urgency=low

  * New upstream point release
    + Change semodule upgrade behavior to install even if the module
    + is not present from Dan Walsh.
    + Make setfiles label if selinux is disabled and a seclabel aware
    + kernel is running from Caleb Case.
    + Clarify forkpty() error message in run_init from Manoj Srivastava.
    + Add semanage dontaudit to turn off dontaudits from Dan Walsh.
    + Fix semanage to set correct mode for setrans file from Dan Walsh.
    + Fix malformed dictionary in portRecord from Dan Walsh.
  * Added patch from Martin Orr to fix a loop in the inotify watch code when
    installing a watch on utmp.
  * [863fb62]: topic--debian: Improve error messages on forkpty failure
    The current error message when forkpty() fails is not clear or useful.
    The following patch makes indicate what went wrong.
    Bug fix: "The error message on forkpty() failure is not clear or
    useful.", thanks to Russell Coker (Closes: #515710).

 -- Manoj Srivastava Wed, 14 Oct 2009 02:08:04 -0500

policycoreutils (2.0.72-4) UNRELEASED; urgency=low

  * [d42e245]: [topic--restorecond-init-script]: Add to watched files list

 -- Manoj Srivastava Mon, 14 Sep 2009 08:31:48 -0500

policycoreutils (2.0.72-3) UNRELEASED; urgency=low

  * [863fb62]: topic--debian: Improve error messages on forkpty failure
    The current error message when forkpty() fails is not clear or useful.
    The following patch makes indicate what went wrong.
    Bug fix: "The error message on forkpty() failure is not clear or
    useful.", thanks to Russell Coker (Closes: #515710).

 -- Manoj Srivastava Thu, 10 Sep 2009 13:20:33 -0500

policycoreutils (2.0.72-2) unstable; urgency=low

  * [1e640be]: [topic--restorecond-init-script]: init.d status support
    Here is a patch to support the "status" action in the init.d script.
    Note that to make "status" usable even as non-root user some things
    needed to be rejuggled. Note that the dependency on lsb-base is already
    missing in the current version.
    Bug fix: "init.d status support", thanks to Peter Eisentraut
    (Closes: #528582).

 -- Manoj Srivastava Fri, 04 Sep 2009 00:22:51 -0500

policycoreutils (2.0.72-1) unstable; urgency=low

  * New upstream release
  * Restore symlink handling support to restorecon based on a patch by
    Martin Orr. This fixes the restorecon /dev/stdin performed by Debian
    udev scripts that was broken by policycoreutils 2.0.70.
    Bug fix: "/dev/pts not created with policycoreutils 2.0.71", thanks to
    Martin Orr (Closes: #544215).

 -- Manoj Srivastava Thu, 03 Sep 2009 10:55:30 -0500

policycoreutils (2.0.71-1) unstable; urgency=low

  * New upstream point release
    + Modify setfiles/restorecon checking of exclude paths. Only check
      user-supplied exclude paths (not automatically generated ones based on
      lack of seclabel support), don't require them to be directories, and
      ignore permission denied errors on them (it is ok to exclude a path to
      which the caller lacks permission).
    + Modify restorecon to only call realpath() on user-supplied pathnames
      from Stephen Smalley.
  * Prevent the package from building on non-linux platforms, since they are
    not supported.

 -- Manoj Srivastava Thu, 27 Aug 2009 13:06:36 -0500

policycoreutils (2.0.69-2) unstable; urgency=low

  * [7f346a4]: [topic--restorecond-init-script] Fix headers in script
    The list of runlevels in the init.d header do not match the arguments
    used by update-rc.d. The header say it should start in rcS.d, while
    update-rc.d uses the defaults argument, saying it should start in
    runlevels 2-5. Also, it uses files in /usr/ and should depend on
    $remote_fs instead of $local_fs. Fix thanks to Petter Reinholdtsen
    Bug fix: "Incorrect runlevels and dependencies in init.d script", thanks
    to Petter Reinholdtsen (Closes: #541871).

 -- Manoj Srivastava Sun, 23 Aug 2009 09:33:48 -0500

policycoreutils (2.0.69-1) unstable; urgency=low

  * New upstream release
    + Fix typo in fixfiles that prevented it from relabeling btrfs
      filesystems from Dan Walsh.
    + Modify setfiles to exclude mounts without seclabel option in
      /proc/mounts on kernels >= 2.6.30 from Thomas Liu.
    + Re-enable disable_dontaudit rules upon semodule -B from Christopher
      Pardy and Dan Walsh.
    + setfiles converted to fts from Thomas Liu.

 -- Manoj Srivastava Fri, 14 Aug 2009 01:46:15 -0500

policycoreutils (2.0.65-1) unstable; urgency=low

  * New upstream release
    + Remove gui from po/Makefile and po/POTFILES and regenerate po files
    + Keep setfiles from spamming console from Dan Walsh.
    + Fix chcat's category expansion for users from Dan Walsh.
    + Fix transaction checking from Dan Walsh.
    + Make fixfiles -R (for rpm) recursive.
    + Make semanage permissive clean up after itself from Dan Walsh.
    + add /root/.ssh/* to restorecond.conf

 -- Manoj Srivastava Wed, 24 Jun 2009 18:51:15 -0500

policycoreutils (2.0.62-1) unstable; urgency=low

  * New upstream release
    + Add btrfs to fixfiles from Dan Walsh.
    + Remove restorecond error for matching globs with multiple hard links
      and fix some error messages from Dan Walsh.
    + Make removing a non-existent module a warning rather than an error
      from Dan Walsh.
    + Man page fixes from Dan Walsh.
    + chcat: cut categories at arbitrary point (25) from Dan Walsh
    + semodule: use new interfaces in libsemanage for compressed files from
      Dan Walsh
    + audit2allow: string changes for usage
    + semanage: use semanage_mls_enabled() from Stephen Smalley.
    + fcontext add checked local records twice, fix from Dan Walsh.
    + Allow local file context entries to override policy entries in
      semanage from Dan Walsh.
    + Newrole error message corrections from Dan Walsh.
    + Add exception to audit2why call in audit2allow from Dan Walsh.

 -- Manoj Srivastava Mon, 15 Jun 2009 16:24:38 -0500

policycoreutils (2.0.55-1) unstable; urgency=low

  * New upstream release
    + Merged semanage node support from Christian Kuester.
    + Add support for boolean files and group support for seusers from Dan
      Walsh.
    + Ensure that setfiles -p output is newline terminated from Russell
      Coker.
    + Change setfiles to validate all file_contexts files when using -c
      from Stephen Smalley.
    + Add permissive domain capability to semanage from Dan Walsh.
    + Add onboot option to fixfiles from Dan Walsh.
    + Change restorecon.init to not run on boot by default from Dan Walsh.
    + Fix audit2allow generation of role-type rules from Karl MacMillan.
  * Fix reference to the GPL license in the copyright file (this is licensed
    under GPL-2)

 -- Manoj Srivastava Thu, 12 Feb 2009 22:52:54 -0600

policycoreutils (2.0.49-8) unstable; urgency=high

  * [62526b0]: Fix fr.po which causes semanage to fail
    Bug fix: "list index out of range", thanks to Ezannelli
    This is an RC bug fix (though the severity should not really be serious,
    this is not a policy violation [just a mostly useless package for people
    using the french locale] -- this is a case where a flawed po translation
    was causing a show stopper bug, and should be interesting to release
    managers about how even translations can cause show stoppers in some
    cases) (Closes: #506727).

 -- Manoj Srivastava Mon, 05 Jan 2009 15:51:17 -0600

policycoreutils (2.0.49-7) unstable; urgency=low

  * [a415013]: Merge branch 'topic--restorecond-init-script'
    restorecond is started in runlevels "S" and 2 3 4 5. When started in "S"
    it works correctly, but when started by one of the others
    start-stop-daemon exits with code 1 because it's already running. The
    fix was to simply add --oknodo to the start-stop-daemon invocations.
    Bug fix: "restorecond is started twice and gives an error on boot",
    thanks to Russell Coker (Closes: #506720).
  * [8b0c36a]: Remove a spurious $ sign in the init script
    Bug fix: "bashism in /bin/sh script", thanks to Raphael Geissert
    (Closes: #486055).
  * [debiandir:1da4d71]: Remove obsolete dependencies
    This will help in back porting.

 -- Manoj Srivastava Wed, 26 Nov 2008 00:03:49 -0600

policycoreutils (2.0.49-6) unstable; urgency=low

  * Fix conflict between LSB header and update-rc.d options (important bug).
    Closes: #493005

 -- Manoj Srivastava Tue, 02 Sep 2008 13:33:10 -0500

policycoreutils (2.0.49-5) unstable; urgency=high

  * Made fixfiles display progress and made the setfiles progress display
    includes a newline at the end.
  * Make the package standard.

 -- Russell Coker Fri, 01 Aug 2008 09:41:50 +1000

policycoreutils (2.0.49-4) unstable; urgency=medium

  * Make it depend on python-sepolgen_1.0.11-4 and use the correct module
    names.
    Closes: #486120

 -- Russell Coker Wed, 30 Jul 2008 08:08:30 +1000

policycoreutils (2.0.49-3) unstable; urgency=low

  * In the init script source /lib/lsb/init-functions before calling log_*
    functions.
  * Take over the package and add Manoj to the Uploaders list.
  * Change the construction of /etc/selinux/config to match the new names.
  * Made it recommend the new policy packages.

 -- Russell Coker Tue, 22 Jul 2008 15:03:42 +1000

policycoreutils (2.0.49-2) unstable; urgency=low

  * Fix some more changes for Bug#472351 (missed places where we still
    referred to sepolgen, not python-sepolgen). In retrospect, perhaps
    renaming sepolgen was not such a hot idea.

 -- Manoj Srivastava Sat, 07 Jun 2008 16:15:15 -0500

policycoreutils (2.0.49-1) unstable; urgency=low

  * New upstream point release from subversion
    - Remove security_check_context calls for prefix validation from
      semanage.
    - Change setfiles and restorecon to not relabel if the file already has
      the correct context value even if -F/force is specified.
    - Update semanage man page for booleans from Dan Walsh.
    - Add further error checking to seobject.py for setting booleans.
    - Update audit2allow to report dontaudit cases from Dan Walsh.
    - Fix semanage port to use --proto from Caleb Case.
  * Record the fact that this package has moved to a new git repository.
  * Update the package for the new version of policy
  * Move to the new, make -j friendly targets in debian/rules.
  * Bug fix: "policycoreutils: audit2why fails with error", thanks to Max
    Kosmach. Depend on python-sepolgen (name change) (Closes: #478489).
  * Bug fix: "policycoreutils: audit2allow fails with python error", thanks
    to Laurens Blankers. The dependency above fixes this too
    (Closes: #472351).

 -- Manoj Srivastava Fri, 06 Jun 2008 13:48:37 -0500

policycoreutils (2.0.44-2) unstable; urgency=low

  * Bug fix: "policycoreutils: bashism in /bin/sh script", thanks to Raphael
    Geissert.
    Closes: Bug#473689
  * Bug fix: "/usr/sbin/semanage: python2.5 is needed to run scripts",
    thanks to Vaclav Ovsik. The heavy lifting was all his.
    Closes: Bug#471944

 -- Manoj Srivastava Wed, 02 Apr 2008 23:15:31 -0500

policycoreutils (2.0.44-1) unstable; urgency=low

  * New upstream release
  * Fixed semodule to correctly handle error when unable to create a handle.
  * Merged fix fixfiles option processing from Vaclav Ovsik.
  * Make semodule_expand use sepol_set_expand_consume_base to reduce peak
    memory usage.
  * Merged audit2why fix and semanage boolean --on/--off/-1/-0 support from
    Dan Walsh.
  * Merged a second fixfiles -C fix from Marshall Miller.
  * Merged fixfiles -C fix from Marshall Miller.
  * Merged audit2allow cleanups and boolean descriptions from Dan Walsh.
  * Merged setfiles -0 support by Benny Amorsen via Dan Walsh.
  * Merged fixfiles fixes and support for ext4 and gfs2 from Dan Walsh.
  * Merged replacement for audit2why from Dan Walsh.
  * Merged update to chcat, fixfiles, and semanage scripts from Dan Walsh.
  * Merged support for non-interactive newrole command invocation from Tim
    Reed.
  * Update Makefile to not build restorecond if /usr/include/sys/inotify.h
    is not present
  * Drop verbose output on fixfiles -C from Dan Walsh.
  * Fix argument handling in fixfiles from Dan Walsh.
  * Enhance boolean support in semanage, including using the .xml
    description when available, from Dan Walsh.
  * load_policy initial load option from Chad Sellers.
  * Fix semodule option handling from Dan Walsh.
  * Add deleteall support for ports and fcontexts in semanage from Dan
    Walsh.
  * Add genhomedircon script to invoke semodule -Bn from Dan Walsh.
  * Update semodule man page for -D from Dan Walsh.
  * Add boolean, locallist, deleteall, and store support to semanage from
    Dan Walsh.

 -- Manoj Srivastava Tue, 18 Mar 2008 02:09:27 -0500

policycoreutils (2.0.27-1) unstable; urgency=low

  * New upstream release
  * Improve semodule reporting of system errors from Stephen Smalley.
  * Fix setfiles selabel option flag setting for 64-bit from Stephen
    Smalley.
  * Remove genhomedircon script (functionality is now provided within
    libsemanage) from Todd Miller.
  * Fix genhomedircon searching for USER from Todd Miller
  * Install run_init with mode 0755 from Dan Walsh.
  * Fix chcat from Dan Walsh.
  * Fix fixfiles pattern expansion and error reporting from Dan Walsh.
  * Optimize genhomedircon to compile regexes once from Dan Walsh.
  * Fix semanage gettext call from Dan Walsh.
  * Disable dontaudits via semodule -D
  * Rebase setfiles to use new labeling interface.
  * Fixed setsebool (falling through to error path on success).
    Closes: Bug#433883
  * Merged genhomedircon fixes from Dan Walsh.
  * Merged setfiles -c usage fix from Dan Walsh.
  * Merged restorecon fix from Yuichi Nakamura.
  * Dropped -lsepol where no longer needed.
  * Merge newrole support for alternate pam configs from Ted X Toth.
  * Merged merging of restorecon into setfiles from Stephen Smalley.
  * Merged genhomedircon fix to find conflicting directories correctly from
    Dan Walsh.
  * Fix the validation template for semanage from
    system_u:object_r:%s_home_t to system_u:object_r:%s_home_t:s0, since
    otherwise the context was always invalid. Reported by Russell Coker.
    Closes: Bug#446847
  * Alignment errors reported against policycoreutils were actually bugs in
    the underlying libselinux, and have been fixed in the latest versions.
    Closes: Bug#405975
  * Fixed the wrong path in the example in the man page for audit2why.
    Reported by Hans Spaans
    Closes: Bug#458511
  * The new upstream versions also fixes problems in chcat, duplicating the
    fix in the NMU (thanks) for bug#440474
  * Fixed typos in se_dpkg man page, thanks to Justin Pryzby.
    Closes: Bug#437448

 -- Manoj Srivastava Wed, 06 Feb 2008 15:31:30 -0600

policycoreutils (2.0.16-1) unstable; urgency=low

  * New upstream SVN HEAD
    + Merged updates to sepolgen-ifgen from Karl MacMillan.
    + Merged seobject setransRecords patch to return the first alias from
      Xavier Toth.
    + Merged chcat, fixfiles, genhomedircon, restorecond, and restorecon
      patches from Dan Walsh.
    + Dropped -b option from load_policy in preparation for always
      preserving booleans across reloads in the kernel.
    + Merged genhomedircon patch to use the __default__ setting from Dan
      Walsh.
    + Merged setsebool patch to only use libsemanage for persistent boolean
      changes from Stephen Smalley.
    + Build fix for setsebool.
    + Merged move of audit2why to /usr/bin from Dan Walsh.
    + Merged support for modifying the prefix via semanage from Dan Walsh.

 -- Manoj Srivastava Sun, 6 May 2007 18:06:30 -0500

policycoreutils (2.0.7-1) unstable; urgency=low

  * New upstream trunk release
  * Merged sepolgen and audit2allow patches to leave generated files in the
    current directory from Karl MacMillan.
  * Merged small fix to correct include of errcodes.h in semodule_deps from
    Dan Walsh.
  * Merged new audit2allow from Karl MacMillan. This audit2allow depends on
    the new sepolgen python module. Note that you must run the
    sepolgen-ifgen tool to generate the data needed by audit2allow to
    generate refpolicy.
  * Added build and runtime dependencies on sepolgen
  * Fixed watch file to correctly reflect the fact that this is the trunk
    version.

 -- Manoj Srivastava Fri, 20 Apr 2007 10:53:23 -0500

policycoreutils (1.34.6-1) unstable; urgency=low

  * New upstream release
  * Merged restorecond init script LSB compliance patch from Steve Grubb.
  * Merged newrole O_NONBLOCK fix from Linda Knippers.
  * Merged restorecond memory leak fix from Steve Grubb.
  * Merged translations update from Dan Walsh.
  * Merged chcat fixes from Dan Walsh.
  * Merged man page fixes from Dan Walsh.
  * Merged seobject prefix validity checking from Dan Walsh.
  * Merged seobject exception handler fix from Caleb Case.
  * Merged setfiles memory leak patch from Todd Miller.
  * Fixed newrole non-pam build.
  * Updated version for stable branch.
  * Merged po file updates from Dan Walsh.
  * Removed update-po from all target in po/Makefile.
  * Merged unicode-to-string fix for seobject audit from Dan Walsh.
  * Merged man page updates to make "apropos selinux" work from Dan Walsh.
  * Merged newrole man page patch from Michael Thompson.
  * Merged patch to fix python unicode problem from Dan Walsh.
  * Merged newrole securetty check from Dan Walsh.
  * Merged semodule patch to generalize list support from Karl MacMillan.
  * Merged fixfiles and seobject fixes from Dan Walsh.
  * Merged semodule support for list of modules after -i from Karl
    MacMillan.
  * Merged patch to correctly handle a failure during semanage handle
    creation from Karl MacMillan.
  * Merged patch to fix seobject role modification from Dan Walsh.
  * Merged patches from Dan Walsh to:
    - omit the optional name from audit2allow
    - use the installed python version in the Makefiles
    - re-open the tty with O_RDWR in newrole
  * Patch from Dan Walsh to correctly suppress warnings in load_policy.
  * Patch from Dan Walsh to add an pam_acct_msg call to run_init
  * Patch from Dan Walsh to fix error code returns in newrole
  * Patch from Dan Walsh to remove verbose flag from semanage man page
  * Patch from Dan Walsh to make audit2allow use refpolicy Makefile in
    /usr/share/selinux/
  * Merged patch from Michael C Thompson to clean up genhomedircon error
    handling.
  * Merged po file updates from Dan Walsh.
  * Merged setsebool patch from Karl MacMillan. This fixes a bug reported by
    Yuichi Nakamura with always setting booleans persistently on an
    unmanaged system.
  * Merged patch from Dan Walsh (via Karl MacMillan):
      * Added newrole audit message on login failure
      * Add /var/log/wtmp to restorecond.conf watch list
      * Fix genhomedircon, semanage, semodule_expand man pages.
  * Merged newrole patch set from Michael Thompson.
  * Added XS-VCS-Arch and XS-VCS-Browse to debian/control, and upgraded
    build dependencies.

 -- Manoj Srivastava Thu, 19 Apr 2007 00:57:48 -0500

policycoreutils (1.32-3) unstable; urgency=high

  * Remember to run arch_export from the correct checked out working tree,
    so as to include the patches that you tested in the upload.

 -- Manoj Srivastava Wed, 7 Mar 2007 16:27:19 -0600

policycoreutils (1.32-2) unstable; urgency=low

  * Bug fix: "policycoreutils: fixfiles should warn if no suitable fs
    found", thanks to David Härdeman. This was a missing simple check -- now
    fixfiles does not attempt to run setfiles on an empty set if it did not
    find a valid directory. Low risk, simple test. (Closes: #397198).
  * Bug fix: "policycoreutils: audit2allow line 135 should refer to debian
    package", thanks to Russell Coker. It now asks the users to install the
    checkpolicy package, not the chckpolicy rpm package. (Closes: #401369).
  * Bug fix: "policycoreutils: patch for semanage.8", thanks to Russell
    Coker. This adds some options that had been missing from the man page.
    (Closes: #406702).
  * Bug fix: "policycoreutils: fixfiles excludes reiserfs", thanks to David
    Härdeman. Actually, it should: Support for atomic inode labeling has not
    been implemented in reiserfs, so there is no SELinux support for it.
    This is documented in selinux-doc. Reiser just won't label files when
    they are created making it basically worthless for xattr labeling.
    (Closes: #397196).

 -- Manoj Srivastava Sun, 4 Mar 2007 00:06:37 -0600

policycoreutils (1.32-1) unstable; urgency=low

  * New upstream release
  * Merged newrole auditing of failures due to user actions from Michael
    Thompson.
  * Merged audit2allow -l fix from Yuichi Nakamura.
  * Merged restorecon -i and -o - support from Karl MacMillan.
  * Merged semanage/seobject fix from Dan Walsh.
  * Merged fixfiles -R and verify changes from Dan Walsh.
  * Updated version for release.
  * Bug fix: "/sbin/fixfiles: bash-ism in /sbin/fixfiles", thanks to Paul
    Cupis (Closes: #391674).

 -- Manoj Srivastava Fri, 20 Oct 2006 17:12:58 -0500

policycoreutils (1.30.29-1) unstable; urgency=low

  * New upstream point release
  * Man page corrections from Dan Walsh
  * Change all python invocations to /usr/bin/python -E
  * Add missing getopt flags to genhomedircon

 -- Manoj Srivastava Wed, 20 Sep 2006 15:09:32 -0500

policycoreutils (1.30.28-2) unstable; urgency=low

  * Bug fix: "Is purging of the whole /etc/selinux a good idea?", thanks to
    Uwe Hermann. Perhaps not. (Closes: #386929).
  * Bug fix: "postinst: /etc/selinux/config: no such file or directory",
    thanks to Uwe Hermann (Closes: #386927).

 -- Manoj Srivastava Mon, 11 Sep 2006 16:29:44 -0500

policycoreutils (1.30.28-1) unstable; urgency=low

  * New upstream point release
  * Merged fix for restorecon symlink handling from Erich Schubert.
  * Merged fix for restorecon // handling from Erich Schubert.
  * Merged translations update and fixfiles fix from Dan Walsh.
  * Fix the initial /etc/selinux/config to refer to
    SELINUXTYPE=refpolicy-targeted to match what we ship (as opposed to
    paths on red hat installations).
  * Bug fix: "Can't open '/etc/selinux/targeted/policy/policy.20': No such
    file or directory", thanks to Uwe Hermann (Closes: #384852).
  * Add md5sums
  * With this version of policycoreutils, the file /etc/selinux/config shall
    have the variable SELINUXTYPE set to refpolicy-targeted (you may also
    set it to be refpolicy-strict or refpolicy-src). Only 1.30.26-3 created
    the file with SELINUXTYPE set to targeted (which is appropriate on Red
    Hat machines and not Debian). We can't automatically change
    /etc/selinux/config (preserve user changes) since
    /etc/selinux/targeted/policy/policy.N might be a legitimate local
    security policy.
If it is not, and if any of the files /etc/selinux/refpolicy-targeted/policy/policy.N, /etc/selinux/refpolicy-strict/policy/policy.N, or /etc/selinux/refpolicy-src/policy/policy.N exist, please select one for the SELINUXTYPE variable in /etc/selinux/config -- Manoj Srivastava Thu, 7 Sep 2006 11:37:47 -0500 policycoreutils (1.30.26-3) unstable; urgency=low * Create /etc/selinux/config if that file does not exist. We default to targeted permissive. * Recommend one of the new reference policy based policy packages. -- Manoj Srivastava Mon, 21 Aug 2006 16:42:22 -0500 policycoreutils (1.30.26-2) unstable; urgency=low * Bug fix: "ImportError: No module named seobject", thanks to Erich Schubert. Fix wrong directory the modules were installed in. (Closes: #383101). -- Manoj Srivastava Tue, 15 Aug 2006 00:44:57 -0500 policycoreutils (1.30.26-1) unstable; urgency=low * New upstream point release * Merged semanage local file contexts patch from Chris PeBenito. -- Manoj Srivastava Sun, 13 Aug 2006 00:50:58 -0500 policycoreutils (1.30.25-1) unstable; urgency=low * New upstream point release. * Merged patch from Dan Walsh with: * audit2allow: process MAC_POLICY_LOAD events * newrole: run shell with - prefix to start a login shell * po: po file updates * restorecond: bail if SELinux not enabled * fixfiles: omit -q * genhomedircon: fix exit code if non-root * semodule_deps: install man page * Merged secon Makefile fix from Joshua Brindle. * Merged netfilter contexts support patch from Chris PeBenito. * Merged restorecond size_t fix from Joshua Brindle. * Merged secon keycreate patch from Michael LeMay. * Merged restorecond fixes from Dan Walsh. Merged updated po files from Dan Walsh. * Merged python gettext patch from Stephen Bennett. * Merged semodule_deps from Karl MacMillan. * Lindent. * Merged patch from Dan Walsh with: * -p option (progress) for setfiles and restorecon. * disable context translation for setfiles and restorecon. * on/off values for setsebool. 
* Merged setfiles and semodule_link fixes from Joshua Brindle. * Merged fix for setsebool error path from Serge Hallyn. * Merged patch from Dan Walsh with: * Updated po files. * Fixes for genhomedircon and seobject. * Audit message for mass relabel by setfiles. * Updated fixfiles script for new setfiles location in /sbin. * Merged more translations from Dan Walsh. * Merged patch to relocate setfiles to /sbin for early relabel when /usr might not be mounted from Dan Walsh. * Merged semanage/seobject patch to preserve fcontext ordering in list. * Merged secon patch from James Antill. * Merged patch with updates to audit2allow, secon, genhomedircon, and semanage from Dan Walsh. * Fixed audit2allow and po Makefiles for DESTDIR= builds. * Merged .po file patch from Dan Walsh. * Merged bug fix for genhomedircon. * Merged patch from Dan Walsh. This includes audit2allow changes for analysis plugins, internationalization support for several additional programs and added po files, some fixes for semanage, and several cleanups. It also adds a new secon utility. * Merged fix warnings patch from Karl MacMillan. * Merged semanage prefix support from Russell Coker. * Added a test to setfiles to check that the spec file is a regular file. * Merged audit2allow fixes for refpolicy from Dan Walsh. * Merged fixfiles patch from Dan Walsh. * Merged restorecond daemon from Dan Walsh. * Merged semanage non-MLS fixes from Chris PeBenito. * Merged semanage and semodule man page examples from Thomas Bleher. * Merged semanage labeling prefix patch from Ivan Gyurdiev. * Bug fix: "ImportError: No module named semanage", thanks to Uwe Hermann. Since the new semanage package has moved to the new Python policy, and we depend on it, this issue is resolved. (Closes: #372543). * Bug fix: "policycoreutils: incorrect syntax in genhomedircon", thanks to Piotr Meyer. The new point release fixes this. (Closes: #369852). 
* Remove support for restorecond, since we do not have support for inotify in glibc (glibc 2.4 is sitting in experimental) -- Manoj Srivastava Sat, 12 Aug 2006 23:52:53 -0500 policycoreutils (1.30-2) unstable; urgency=low * Bug fix: "policycoreutils - FTBFS: error: 'SEMANAGE_CAN_READ' undeclared", thanks to Bastian Blank. Tighten dependency on libsemanage1-dev (Closes: #361903). -- Manoj Srivastava Tue, 11 Apr 2006 09:07:42 -0500 policycoreutils (1.30-1) unstable; urgency=low * New upstream release * Updated version for release. * Merged German translations (de.po) by Debian translation team from Manoj Srivastava. * Merged audit2allow -R support, chcat fix, semanage MLS checks and semanage audit calls from Dan Walsh. * Merged semanage bug fix patch from Ivan Gyurdiev. * Merged improve bindings patch from Ivan Gyurdiev. * Merged semanage usage patch from Ivan Gyurdiev. * Merged use PyList patch from Ivan Gyurdiev. * Merged newrole -V/--version support from Glauber de Oliveira Costa. * Merged genhomedircon prefix patch from Dan Walsh. * Merged optionals in base patch from Joshua Brindle. * Merged seuser/user_extra support patch to semodule_package from Joshua Brindle. * Merged getopt type fix for semodule_link/expand and sestatus from Chris PeBenito. * Merged clone record on set_con patch from Ivan Gyurdiev. * Merged genhomedircon fix from Dan Walsh. * Merged seusers.system patch from Ivan Gyurdiev. * Merged improve port/fcontext API patch from Ivan Gyurdiev. * Merged genhomedircon patch from Dan Walsh. * Merged newrole audit patch from Steve Grubb. * Merged seuser -> seuser local rename patch from Ivan Gyurdiev. * Merged semanage and semodule access check patches from Joshua Brindle. * Merged restorecon, chcat, and semanage patches from Dan Walsh. * Modified newrole and run_init to use the loginuid when supported to obtain the Linux user identity to re-authenticate, and to fall back to real uid. 
Dropped the use of the SELinux user identity, as Linux users are now mapped to SELinux users via seusers and the SELinux user identity space is separate. * Merged semanage bug fixes from Ivan Gyurdiev. * Merged semanage fixes from Russell Coker. * Merged chcat.8 and genhomedircon patches from Dan Walsh. * Merged chcat, semanage, and setsebool patches from Dan Walsh. * Merged semanage fixes from Ivan Gyurdiev. * Merged semanage fixes from Russell Coker. * Merged chcat, genhomedircon, and semanage diffs from Dan Walsh. * Merged newrole cleanup patch from Steve Grubb. * Merged setfiles/restorecon performance patch from Russell Coker. * Merged genhomedircon and semanage patches from Dan Walsh. * Merged remove add_local/set_local patch from Ivan Gyurdiev. * Added filename to semodule error reporting. * Merged genhomedircon and semanage patch from Dan Walsh. * Changed semodule error reporting to include argv[0]. * Merged semanage getpwnam bug fix from Serge Hallyn (IBM). * Merged patch series from Ivan Gyurdiev. This includes patches to: - cleanup setsebool - update setsebool to apply active booleans through libsemanage - update semodule to use the new semanage_set_rebuild() interface - fix various bugs in semanage * Merged patch from Dan Walsh (Red Hat). This includes fixes for restorecon, chcat, fixfiles, genhomedircon, and semanage. * Merged patch for chcat script from Dan Walsh. * Merged fix for audit2allow long option list from Dan Walsh. * Merged -r option for restorecon (alias for -R) from Dan Walsh. * Merged chcat script and man page from Dan Walsh. -- Manoj Srivastava Mon, 10 Apr 2006 15:11:05 -0500 policycoreutils (1.28-6) unstable; urgency=low * Hmm. Actually ship the postrm file, so we really remove setfiles.old -- Manoj Srivastava Sun, 12 Mar 2006 10:55:39 -0600 policycoreutils (1.28-5) unstable; urgency=low * Bug fix: "policycoreutils: [L10N:DE] German PO file update", thanks to Holger Wansing (Closes: #353069). 
-- Manoj Srivastava Sun, 12 Mar 2006 10:17:22 -0600 policycoreutils (1.28-4) unstable; urgency=low * Bug fix: "undeclared conflict with selinux-utils over /usr/sbin/setsebool", thanks to Robert Bihlmeyer (Closes: #346356). -- Manoj Srivastava Mon, 23 Jan 2006 13:38:02 -0600 policycoreutils (1.28-3) unstable; urgency=low * Further changes to build dependencies; we now need python 2.4, since we use the selinux and semanage python bindings. -- Manoj Srivastava Sun, 1 Jan 2006 18:27:15 -0600 policycoreutils (1.28-2) unstable; urgency=low * Fix build dependencies; remove debian revisions from the dependency relations to facilitate backports. -- Manoj Srivastava Sat, 31 Dec 2005 14:20:08 -0600 policycoreutils (1.28-1) unstable; urgency=low * New upstream release * Updated version for release. * Clarified the genhomedircon warning message. * Changed genhomedircon to warn on use of ROLE in homedir_template if using managed policy, as libsemanage does not yet support it. * Merged genhomedircon bug fix from Dan Walsh. * Revised semodule* man pages to refer to checkmodule and to include example sections. * Merged audit2allow --tefile and --fcfile support from Dan Walsh. * Merged genhomedircon fix from Dan Walsh. * Merged semodule* man pages from Dan Walsh, and edited them. * Changed setfiles to set the MATCHPATHCON_VALIDATE flag to retain validation/canonicalization of contexts during init. * Changed genhomedircon to always use user_r for the role in the managed case since user_get_defrole is broken. * Merged sestatus, audit2allow, and semanage patch from Dan Walsh. * Fixed semodule -v option. * Merged audit2allow python script from Dan Walsh. (old script moved to audit2allow.perl, will be removed later). * Merged genhomedircon fixes from Dan Walsh. * Merged semodule quieting patch from Dan Walsh (inverts default, use -v to restore original behavior). * Merged genhomedircon rewrite from Dan Walsh. * Merged setsebool cleanup patch from Ivan Gyurdiev. 
* Added -B (--build) option to semodule to force a rebuild. * Reverted setsebool patch to call semanage_set_reload_bools(). * Changed setsebool to disable policy reload and to call security_set_boolean_list to update the runtime booleans. * Changed setfiles -c to use new flag to set_matchpathcon_flags() to disable context translation by matchpathcon_init(). * Changed setfiles for the context canonicalization support. * Changed setsebool to call semanage_is_managed() interface and fall back to security_set_boolean_list() if policy is not managed. * Merged setsebool memory leak fix from Ivan Gyurdiev. * Merged setsebool patch to call semanage_set_reload_bools() interface from Ivan Gyurdiev. * Merged setsebool patch from Ivan Gyurdiev. This moves setsebool from libselinux/utils to policycoreutils, and rewrites it to use libsemanage for permanent boolean changes. * Merged semodule support for reload, noreload, and store options from Joshua Brindle. * Merged semodule_package rewrite from Joshua Brindle. * Cleaned up usage and error messages and releasing of memory by semodule_* utilities. * Corrected error reporting by semodule. * Updated semodule_expand for change to sepol interface. * Merged fixes for make DESTDIR= builds from Joshua Brindle. * Updated semodule_package for sepol interface changes. * Updated semodule_expand/link for sepol interface changes. * Merged non-PAM Makefile support for newrole and run_init from Timothy Wood. * Updated semodule_expand to use get interfaces for hidden sepol_module_package type. * Merged newrole and run_init pam config patches from Dan Walsh (Red Hat). * Merged fixfiles patch from Dan Walsh (Red Hat). * Updated semodule for removal of semanage_strerror. * Updated semodule_link and semodule_expand to use shared libsepol. Fixed audit2why to call policydb_init prior to policydb_read (still uses the static libsepol). 
* Bug fix: "policycoreutils: doesn't remove /usr/sbin/setfiles.old on purge", thanks to Lars Wirzenius (Closes: #341418). -- Manoj Srivastava Fri, 30 Dec 2005 00:56:01 -0600 policycoreutils (1.26-1) unstable; urgency=low * New upstream release * Updated version for release. * Changed setfiles -c to translate the context to raw format prior to calling libsepol. * Changed semodule to report errors even without -v, to detect extraneous arguments, and corrected usage message. * Merged patch for fixfiles -C from Dan Walsh. * Merged fixes for semodule_link and sestatus from Serge Hallyn (IBM). Bugs found by Coverity. * Merged patch to move module read/write code from libsemanage to libsepol from Jason Tang (Tresys). * Changed semodule* to link with libsemanage. * Merged restorecon patch from Ivan Gyurdiev. * Merged load_policy, newrole, and genhomedircon patches from Red Hat. * Merged loadable module support from Tresys Technology. * Updated build depends. (Closes: #326153). * policycoreutils: run_init blocks sigCHLD but doesn't unblock it before exec, thanks to Erich Schubert (Closes: #326152). -- Manoj Srivastava Thu, 15 Sep 2005 01:06:11 -0500 policycoreutils (1.24-2) unstable; urgency=low * use /etc/adduser.conf as authoritative for the starting UID, and otherwise change genhomedircon to match Debian practice. This had worked while Russell Coker maintained this package, but this patch was lost in transition. * Bug fix: "FTBFS: build-depends not strict enough", thanks to Christian T. Steigies (Closes: #316440). -- Manoj Srivastava Thu, 7 Jul 2005 13:11:01 -0500 policycoreutils (1.24-1) unstable; urgency=low * New upstream release * Updated version for release. * Merged fixfiles and newrole patch from Dan Walsh. * Merged audit2why man page from Dan Walsh. * Extended audit2why to incorporate booleans and local user settings when analyzing audit messages. 
* Updated audit2why for sepol_ prefixes on Flask types to avoid namespace collision with libselinux, and to include now. * Added audit2why utility. * Merged patch for fixfiles from Dan Walsh. Allow passing -F to force reset of customizable contexts. * Fixed signed/unsigned pointer bug in load_policy. * Reverted context validation patch for genhomedircon. * Reverted load_policy is_selinux_enabled patch from Dan Walsh. Otherwise, an initial policy load cannot be performed using load_policy, e.g. for anaconda. * Merged load_policy is_selinux_enabled patch from Dan Walsh. * Merged restorecon verbose output patch from Dan Walsh. * Merged setfiles altroot patch from Chris PeBenito. * Merged context validation patch for genhomedircon from Eric Paris. * Changed setfiles -c to call set_matchpathcon_flags(3) to turn off processing of .homedirs and .local. * Merged rewrite of genhomedircon by Eric Paris. * Changed fixfiles to relabel jfs since it now supports security xattrs (as of 2.6.11). Removed reiserfs until 2.6.12 is released with fixed support for reiserfs and selinux. -- Manoj Srivastava Mon, 27 Jun 2005 16:00:56 -0500 policycoreutils (1.22+0-2) unstable; urgency=low * New upstream release * Bug fix: "policycoreutils: package description typo(s) and the like", thanks to Florian Zumbiehl (Closes: #300054). -- Manoj Srivastava Thu, 17 Mar 2005 19:54:20 -0600 policycoreutils (1.22+0-1) unstable; urgency=low * A release number designed to fix up the broken orig.tar.gz in the previous release. This is really the 1.22-2 release, but the 1.22.orig.tar.gz in the archive is an incorrect one. * Bug fix: "policycoreutils: FTBFS due to undeclared functions", thanks to Christian T. Steigies. The build dependencies needed to be versioned as well. (Closes: #299338). -- Manoj Srivastava Sun, 13 Mar 2005 13:36:24 -0600 policycoreutils (1.22-1) unstable; urgency=low * New upstream release * Merged restorecon and genhomedircon patch from Dan Walsh. 
* Merged load_policy and genhomedircon patch from Dan Walsh. * Merged fixfiles and genhomedircon patch from Dan Walsh. * Merged several fixes from Ulrich Drepper. * Changed load_policy to fall back to the original policy upon an error from sepol_genusers(). * Merged new genhomedircon script from Dan Walsh. * Changed load_policy to call sepol_genusers(). * Changed relabel Makefile target to use restorecon. * Merged restorecon patch from Dan Walsh. * Merged sestatus patch from Dan Walsh. * Merged further change to fixfiles -C from Dan Walsh. * Merged further patches for restorecon/setfiles -e and fixfiles -C. * Merged patch for fixfiles -C option from Dan Walsh. * Merged patch -e support for restorecon from Dan Walsh. * Merged updated -e support for setfiles from Dan Walsh. * Merged patch for open_init_pty from Manoj Srivastava. * Merged updated fixfiles script from Dan Walsh. * Merged updated man page for fixfiles from Dan Walsh and re-added unzipped. * Reverted fixfiles patch for file_contexts.local; obsoleted by setfiles rewrite. * Merged error handling patch for restorecon from Dan Walsh. * Merged semi raw mode for open_init_pty helper from Manoj Srivastava. * Rewrote setfiles to use matchpathcon and the new interfaces exported by libselinux (>= 1.21.5). * Prevent overflow of spec array in setfiles. * Merged genhomedircon STARTING_UID bug fix from Dan Walsh. * Merged newrole -l support from Darrel Goeddel (TCS). * Merged fixfiles patch for file_contexts.local from Dan Walsh. * Fixed restorecon to not treat errors from is_context_customizable() as a customizable context. * Merged setfiles/restorecon patch to not reset user field unless -F option is specified from Dan Walsh. * Merged open_init_pty helper for run_init from Manoj Srivastava. * Merged audit2allow and genhomedircon man pages from Manoj Srivastava. * Merged customizable contexts patch for restorecon/setfiles from Dan Walsh. 
-- Manoj Srivastava Sat, 12 Mar 2005 18:07:50 -0600 policycoreutils (1.20-3) unstable; urgency=low * policycoreutils_1.20-2(ia64/unstable): FTBFS: missing build-depends, thanks to Lamont Jones. I wonder why this builds on my debootstrap installed UML with just build essential and selinux. (Closes: #291501). -- Manoj Srivastava Fri, 21 Jan 2005 10:30:16 -0600 policycoreutils (1.20-2) unstable; urgency=low * Arranged to flush stdout and stderr run at all the exit points for the open_init_pty executable. Also, improved comments and man page for genhomedircon, and corrected the default value for STARTING_UID. -- Manoj Srivastava Thu, 20 Jan 2005 23:15:13 -0600 policycoreutils (1.20-1) unstable; urgency=low * New upstream release. * Merged fixfiles rewrite from Dan Walsh. * Merged restorecon patch from Dan Walsh. * Merged fixfiles and restorecon patches from Dan Walsh. * Changed restorecon to ignore ENOENT errors from matchpathcon. * Merged nonls patch from Chris PeBenito. * Removed fixfiles.cron. * Merged run_init.8 patch from Dan Walsh. * Added man pages for genhomedircon, audit2allow, and all the se_* scripts. * Converted to new build system, and arch. * Bug fix: "policycoreutils: Too heavy dependency on the package expect", thanks to YAMASHITA Junji. rewrote open_init_tty in C, and added man page. I guess it can be moved to /usr/bin, though I don't really see what other purpose it can serve. (Closes: #255674). * Bug fix: "policycoreutils: error in genhomedircon: doesn't recognize FIRST_UID", thanks to Thomas Bleher. Since this was packaged from scratch, this debian specific flaw has been corrected. (Closes: #281988). -- Manoj Srivastava Thu, 20 Jan 2005 01:53:32 -0600 policycoreutils (1.18-1) unstable; urgency=low * New upstream version. Setfiles now works with policy Makefile. -- Russell Coker Sat, 6 Nov 2004 02:31:00 +1100 policycoreutils (1.16-2) unstable; urgency=low * Depends on libsepol for load_policy. 
-- Russell Coker Mon, 23 Aug 2004 19:25:00 +1000 policycoreutils (1.16-1) unstable; urgency=low * New upstream release. -- Russell Coker Fri, 20 Aug 2004 22:48:00 +1000 policycoreutils (1.14-6) unstable; urgency=low * Minor newrole bugfix from Chad Hanson . -- Russell Coker Tue, 10 Aug 2004 16:23:00 +1000 policycoreutils (1.14-5) unstable; urgency=low * Fixed a couple of minor bugs in error handling for genhomedircon. -- Russell Coker Sun, 8 Aug 2004 22:39:00 +1000 policycoreutils (1.14-4) unstable; urgency=low * Made it depend on the latest sed, genhomedircon doesn't seem to work with older versions. -- Russell Coker Sun, 1 Aug 2004 17:50:00 +1000 policycoreutils (1.14-3) unstable; urgency=low * Changed genhomedircon to search /etc/adduser.conf for the first UID for a non-system user. The previous version really stuffed up a system that had a system user with a home directory under /var/run. -- Russell Coker Mon, 19 Jul 2004 22:56:00 +1000 policycoreutils (1.14-2) unstable; urgency=low * Made it build-depend on the latest libselinux1-dev. Closes: #257351 -- Russell Coker Sat, 3 Jul 2004 22:54:00 +1000 policycoreutils (1.14-1) unstable; urgency=low * New upstream version, adds -o option to setfiles and a few other features. -- Russell Coker Wed, 30 Jun 2004 15:21:00 +1000 policycoreutils (1.12-5) unstable; urgency=low * Add better error messages to genhomedircon and make it not abort when only one role is specified for a user without {}. -- Russell Coker Sun, 20 Jun 2004 14:03:00 +1000 policycoreutils (1.12-4) unstable; urgency=low * Use the upstream genhomedircon and patch it to use DHOME from /etc/adduser.conf -- Russell Coker Thu, 10 Jun 2004 17:59:00 +1000 policycoreutils (1.12-3) unstable; urgency=low * Made setfiles -s use lstat() instead of stat() so it can label sym-links. -- Russell Coker Sun, 30 May 2004 14:08:00 +1000 policycoreutils (1.12-2) unstable; urgency=low * Added /selinux directory. 
-- Russell Coker Sat, 29 May 2004 13:48:00 +1000 policycoreutils (1.12-1) unstable; urgency=low * New upstream version and taking over the package. * Newrole patch and added fixfiles. -- Russell Coker Sat, 15 May 2004 16:34:00 +1000 policycoreutils (1.10-0.1) unstable; urgency=low * NMU for new upstream version. -- Russell Coker Fri, 9 Apr 2004 15:09:00 +1000 policycoreutils (1.8-0.1) unstable; urgency=low * NMU for new upstream version. * Moved load_policy back to /usr/sbin. -- Russell Coker Tue, 16 Mar 2004 19:05:00 +1100 policycoreutils (1.6-0.3) unstable; urgency=low * New upload because of rejected build-depends. -- Russell Coker Thu, 26 Feb 2004 22:56:00 +1100 policycoreutils (1.6-0.1) unstable; urgency=low * NMU to upload new upstream version. -- Russell Coker Thu, 26 Feb 2004 21:46:00 +1100 policycoreutils (1.4-4) unstable; urgency=low * debian/patches/setfiles-order.patch: - New patch to fix ordering of file context regexps, from Stephen Smalley. -- Colin Walters Mon, 23 Feb 2004 04:43:36 +0000 policycoreutils (1.4-3) unstable; urgency=low * Rebuild with fixed tar to remove /DEBIAN (Closes: #231541) * Apply (modified) patch from Robert Bihlmeyer to handle regexps with starting metacharacters (Closes: #231561) -- Colin Walters Sun, 15 Feb 2004 03:46:17 +0000 policycoreutils (1.4-2) unstable; urgency=low * debian/genhomedircon: - New file, used to set contexts in home directories. * debian/control: - Conflict with selinux-policy-default (<< 1:1.4-5). -- Colin Walters Wed, 4 Feb 2004 13:46:23 +0000 policycoreutils (1.4-1) unstable; urgency=low * debian/control: - Build-Depend on libpam0g-dev (Closes: #225727) - Depend on expect (Closes: #225880) -- Colin Walters Sun, 4 Jan 2004 00:16:55 +0000 policycoreutils (1.4-0.2) unstable; urgency=low * Fixed the help for audit2allow to have the right name. 
-- Russell Coker Fri, 26 Dec 2003 10:37:00 +1100 policycoreutils (1.4-0.1) unstable; urgency=low * New upstream, no significant change as mostly I had included the changes already. -- Russell Coker Sat, 6 Dec 2003 22:59:00 +1100 policycoreutils (1.2-0.2) unstable; urgency=low * Put in a symlink for /usr/sbin/load_policy so existing scripts will work. -- Russell Coker Fri, 21 Nov 2003 12:43:00 +1100 policycoreutils (1.2-0.1) unstable; urgency=low * Patches from CVS upstream version, makes setfiles slightly faster and adds audit2allow. -- Russell Coker Fri, 21 Nov 2003 01:20:00 +1100 policycoreutils (1.2-0) unstable; urgency=low * New upstream version (NMU). Setfiles is now a lot faster. -- Russell Coker Wed, 19 Nov 2003 18:18:00 +1100 policycoreutils (1.0-1) unstable; urgency=low * Initial version. -- Colin Walters Thu, 3 Jul 2003 17:16:19 -0400 debian/policycoreutils.postinst0000644000000000000000000000351512260023376014231 0ustar #!/bin/sh # postinst script for policycoreutils # # see: dh_installdeb(1) set -e # summary of how this script can be called: # * `configure' # * `abort-upgrade' # * `abort-remove' `in-favour' # # * `abort-remove' # * `abort-deconfigure' `in-favour' # `removing' # # for details, see http://www.debian.org/doc/debian-policy/ or # the debian-policy package case "$1" in configure) if [ ! -e /etc/selinux/config ]; then test -d /etc/selinux || mkdir -p /etc/selinux cat >/etc/selinux/config<&2 exit 1 ;; esac # dh_installdeb will replace this with shell code automatically # generated by other debhelper scripts. 
#DEBHELPER# if [ "$1" = "configure" ] && [ -n "$2" ] && dpkg --compare-versions "$2" le-nl "2.1.0-3.1"; then update-rc.d policycoreutils remove >/dev/null fi exit 0 debian/etc_selinux_config0000644000000000000000000000375112260023376012767 0ustar ############################ -*- Mode: Conf-Unix -*- ########################## ## /etc/selinux/config --- ## Author : Manoj Srivastava ( srivasta@glaurung.internal.golden-gryphon.com ) ## Created On : Thu Sep 7 11:44:37 2006 ## Created On Node : glaurung.internal.golden-gryphon.com ## Last Modified By : Manoj Srivastava ## Last Modified On : Thu Sep 7 11:46:13 2006 ## Last Machine Used: glaurung.internal.golden-gryphon.com ## Update Count : 2 ## Status : Unknown, Use with caution! ## HISTORY : ## Description : ## arch-tag: f71986d8-df29-4704-b560-45bd60e7928c ## This program is free software; you can redistribute it and/or modify ## it under the terms of the GNU General Public License as published by ## the Free Software Foundation; either version 2 of the License, or ## (at your option) any later version. ## ## This program is distributed in the hope that it will be useful, ## but WITHOUT ANY WARRANTY; without even the implied warranty of ## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ## GNU General Public License for more details. ## ## You should have received a copy of the GNU General Public License ## along with this program; if not, write to the Free Software ## Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA ## ############################################################################### # This file (/etc/selinux/config) controls the state of SELinux on the system. # SELINUX= can take one of these three values: # enforcing - SELinux security policy is enforced. # permissive - SELinux prints warnings instead of enforcing. # disabled - No SELinux policy is loaded. 
SELINUX=permissive # SELINUXTYPE= can take one of these three values: # default - Equivalent to the old "targeted" and "strict" policies # mls - Multi-Level Security, for military and educational use # src - Custom policy built from source SELINUXTYPE=default # SETLOCALDEFS= Check local definition changes SETLOCALDEFS=0 debian/run_init.pam0000644000000000000000000000013712260023376011516 0ustar #%PAM-1.0 @include common-auth @include common-account @include common-session-noninteractive debian/policycoreutils.install0000644000000000000000000000445712260023376014022 0ustar etc/pam.d/run_init etc/selinux/restorecond.conf etc/selinux/restorecond_user.conf etc/sestatus.conf etc/xdg/autostart/restorecond.desktop lib/systemd/system/restorecond.service sbin/fixfiles sbin/load_policy sbin/mcstransd sbin/restorecon sbin/setfiles usr/bin/audit2allow usr/bin/audit2why usr/bin/chcat usr/bin/newrole usr/bin/secon usr/bin/semodule_deps usr/bin/semodule_expand usr/bin/semodule_link usr/bin/semodule_package usr/bin/semodule_unpackage usr/bin/sepolgen-ifgen usr/bin/sepolgen-ifgen-attr-helper usr/lib/python*/*-packages/seobject.py usr/sbin/genhomedircon usr/sbin/genhomedircon usr/sbin/load_policy usr/sbin/open_init_pty usr/sbin/restorecond usr/sbin/run_init usr/sbin/semanage usr/sbin/semodule usr/sbin/sestatus usr/sbin/setsebool usr/share/bash-completion/completions/semanage usr/share/bash-completion/completions/setsebool usr/share/dbus-1/services/org.selinux.Restorecond.service usr/share/locale/ usr/share/man/man1/audit2allow.1 usr/share/man/man1/audit2why.1 usr/share/man/man1/newrole.1 usr/share/man/man1/secon.1 usr/share/man/man5/selinux_config.5 usr/share/man/man5/sestatus.conf.5 usr/share/man/man8/chcat.8 usr/share/man/man8/fixfiles.8 usr/share/man/man8/genhomedircon.8 usr/share/man/man8/load_policy.8 usr/share/man/man8/mcs.8 usr/share/man/man8/mcstransd.8 usr/share/man/man8/open_init_pty.8 usr/share/man/man8/restorecon.8 usr/share/man/man8/restorecond.8 
usr/share/man/man8/run_init.8 usr/share/man/man8/semanage-boolean.8 usr/share/man/man8/semanage-dontaudit.8 usr/share/man/man8/semanage-export.8 usr/share/man/man8/semanage-fcontext.8 usr/share/man/man8/semanage-import.8 usr/share/man/man8/semanage-interface.8 usr/share/man/man8/semanage-login.8 usr/share/man/man8/semanage-module.8 usr/share/man/man8/semanage-node.8 usr/share/man/man8/semanage-permissive.8 usr/share/man/man8/semanage-port.8 usr/share/man/man8/semanage-user.8 usr/share/man/man8/semanage.8 usr/share/man/man8/semodule.8 usr/share/man/man8/semodule_deps.8 usr/share/man/man8/semodule_expand.8 usr/share/man/man8/semodule_link.8 usr/share/man/man8/semodule_package.8 usr/share/man/man8/semodule_unpackage.8 usr/share/man/man8/sestatus.8 usr/share/man/man8/setfiles.8 usr/share/man/man8/setrans.conf.8 usr/share/man/man8/setsebool.8 ./mcstrans/share/examples/* usr/share/doc/policycoreutils/mcstrans-examples/ debian/se_dpkg /usr/sbin/ debian/policycoreutils.maintscript0000644000000000000000000000020712260023376014676 0ustar rm_conffile /etc/init.d/policycoreutils 2.1.0-3.1 rm_conffile /etc/init.d/sandbox 2.1.13-1~ rm_conffile /etc/default/sandbox 2.1.13-1~ debian/se_dpkg.80000644000000000000000000000474112260023376010702 0ustar .\" Hey, Emacs! This is an -*- nroff -*- source file. .\" Copyright (c) 2005 Manoj Srivastava .\" .\" This is free documentation; you can redistribute it and/or .\" modify it under the terms of the GNU General Public License as .\" published by the Free Software Foundation; either version 2 of .\" the License, or (at your option) any later version. .\" .\" The GNU General Public License's references to "object code" .\" and "executables" are to be interpreted as the output of any .\" document formatting or typesetting system, including .\" intermediate and printed output. 
.\" .\" This manual is distributed in the hope that it will be useful, .\" but WITHOUT ANY WARRANTY; without even the implied warranty of .\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the .\" GNU General Public License for more details. .\" .\" You should have received a copy of the GNU General Public .\" License along with this manual; if not, write to the Free .\" Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, .\" USA. .\" .\" .TH SE_DPKG "8" "January 2008" "Security Enhanced Linux" NSA .SH NAME se_dpkg,se_apt-get,se_aptitude,se_dpkg-reconfigure,se_dselect,se_synaptic \- run Debian package system programs in the proper security context .SH SYNOPSIS .B se_dpkg [ \fI <>\fR ... ] .br .B se_apt-get [ \fI<>\fR ... ] .br .B se_aptitude [ \fI<>\fR ... ] .br .B se_dpkg-reconfigure [ \fI<>\fR ... ] .br .B se_dselect [ \fI<>\fR ... ] .br .B se_synaptic [\fI <>\fR ... ] .br .SH DESCRIPTION .PP These programs are all symbolic links to a simple wrapper script that uses .B run_init to actually run the corresponding program after setting up the proper context. .B run_init acquires a new pseudo terminal, forks a child process that binds to the pseudo terminal, forks the program .BI (dpkg, apt\-get, aptitude, synaptic, dselect, or dpkg\-reconfigure) that the user actually needs to run, and then sits around and connects the physical terminal it was invoked upon with the pseudo terminal, passing keyboard input to the child process, and passing the output of the child process to the physical terminal. .PP It sets up the pseudo terminal properly based on the physical terminal attributes, and then sets the user's terminal to RAW mode, taking care to reset it on exit. .SH AUTHOR This manual page was written by Manoj Srivastava , for the Debian GNU/Linux system. 
debian/compat0000644000000000000000000000000212260023376010365 0ustar
9
debian/control0000644000000000000000000000711112260023376010572 0ustar
Source: policycoreutils
VCS-Git: git://anonscm.debian.org/selinux/policycoreutils.git
VCS-Browser: http://anonscm.debian.org/gitweb/?p=selinux/policycoreutils.git;a=summary
Priority: optional
Section: utils
Maintainer: Debian SELinux maintainers
Uploaders: Manoj Srivastava , Russell Coker
Standards-Version: 3.9.5
Build-Depends: debhelper (>= 9),
 dpkg-dev (>= 1.16.0),
 dh-systemd (>= 1.4),
 file,
 gawk,
 gettext,
 libapol-dev,
 libqpol-dev,
 libaudit-dev,
 libcap-dev,
 libcap-ng-dev,
 libcgroup-dev,
 libdbus-1-dev,
 libdbus-glib-1-dev,
 libglib2.0-dev,
 libpam0g-dev,
 libpcre3-dev,
 libselinux1-dev (>= 2.2),
 libsemanage1-dev (>= 2.2),
 libsepol1-dev (>= 2.2),
 python-dev (>= 2.6.6-3~),
 python-sepolgen (>= 1.1.8)
X-Python-Version: >= 2.5
Homepage: http://userspace.selinuxproject.org/

Package: policycoreutils
Architecture: linux-any
Depends: lsb-base (>= 3.2-13),
 psmisc,
 python-ipy,
 python-selinux (>= 2.2),
 python-semanage (>= 2.2),
 python-sepolgen (>= 1.2.1),
 python-setools (>= 3.3.7-2),
 python-sepolicy (= ${binary:Version}),
 selinux-utils,
 ${misc:Depends},
 ${python:Depends},
 ${shlibs:Depends}
Conflicts: mcstrans
Provides: mcstrans
Replaces: mcstrans
Recommends: python-audit, selinux-policy-default
Suggests: selinux-policy-dev
Pre-Depends: ${misc:Pre-Depends}
Description: SELinux core policy utilities
 Security-enhanced Linux is a patch of the Linux® kernel and a number
 of utilities with enhanced security functionality designed to add
 mandatory access controls to Linux. The Security-enhanced Linux
 kernel contains new architectural components originally developed to
 improve the security of the Flask operating system.
 These architectural components provide general support for the
 enforcement of many kinds of mandatory access control policies,
 including those based on the concepts of Type Enforcement®,
 Role-based Access Control, and Multi-level Security.
 .
 This package contains the core policy utilities that are required
 for basic operation of an SELinux system. These utilities include
 load_policy to load policies, setfiles to label filesystems, newrole
 to switch roles, run_init to run /etc/init.d scripts in the proper
 context, and restorecond to restore contexts of files that often get
 the wrong context.
 .
 It also includes the mcstransd to map a machine readable sensitivity
 label to a human readable form. The sensitivity label is comprised
 of a sensitivity level (always s0 for MCS and anything from s0 to
 s15 for MLS) and a set of categories. A ranged sensitivity label
 will have a low level and a high level where the high level will
 dominate the low level. Categories are numbered from c0 to
 c1023. Names such as s0 and c1023 are not easily readable by humans,
 so mcstransd translates them to human readable labels such as
 SystemLow and SystemHigh.

Package: python-sepolicy
Architecture: linux-any
Depends: ${misc:Depends},
 ${python:Depends},
 ${shlibs:Depends},
 python-selinux (>= 2.2),
 python-sepolgen (>= 1.2.1)
Section: python
Description: Python binding for SELinux Policy Analyses
 This package contains a Python binding for SELinux Policy Analyses.
debian/newrole.pam0000644000000000000000000000012012260023376011332 0ustar
#%PAM-1.0
@include common-auth
@include common-account
@include common-session
debian/rules0000755000000000000000000000267412260023376010260 0ustar
#!/usr/bin/make -f
# -*- makefile -*-
#
#
# Uncomment this to turn on verbose mode.
#export DH_VERBOSE=1

DEB_HOST_MULTIARCH ?= $(shell dpkg-architecture -qDEB_HOST_MULTIARCH)

export LIBDIR=$${DESTDIR}/usr/lib/${DEB_HOST_MULTIARCH}
export PYTHONLIBDIR=$${DESTDIR}/usr/lib/$(shell pyversions -d)
export INITDIR=$${DESTDIR}/etc/init.d
export SYSCONFDIR=$${DESTDIR}/etc/default
export SYSTEMDDIR=$${DESTDIR}/lib/systemd
#export SHLIBDIR=$${DESTDIR}/lib/${DEB_HOST_MULTIARCH}
#export LIBBASE=lib/${DEB_HOST_MULTIARCH}

export DEB_BUILD_MAINT_OPTIONS = hardening=+all
# The build system doesn't use CPPFLAGS, pass them to CFLAGS to enable the
# missing (hardening) flags. dpkg_buildflags is necessary because $(shell ..)
# doesn't use local environment variables.
dpkg_buildflags = DEB_BUILD_MAINT_OPTIONS=$(DEB_BUILD_MAINT_OPTIONS) dpkg-buildflags
export DEB_CFLAGS_MAINT_APPEND = $(shell $(dpkg_buildflags) --get CPPFLAGS)

%:
	dh $@ --with python2 --with systemd

override_dh_auto_install:
	dh_auto_install --destdir=debian/tmp

override_dh_install:
	dh_install --list-missing
	# Fix symlink
	rm -f $(CURDIR)/debian/policycoreutils/usr/sbin/load_policy
	ln -s /sbin/load_policy $(CURDIR)/debian/policycoreutils/usr/sbin/load_policy

override_dh_fixperms:
	dh_fixperms -Xusr/sbin/seunshare

override_dh_installinit:
	dh_installinit --name=mcstrans
	dh_installinit --name=restorecond

override_dh_installpam:
	dh_installpam --name=newrole
	dh_installpam --name=run_init
debian/watch0000644000000000000000000000013412260023376010216 0ustar
version=3
http://userspace.selinuxproject.org/releases/(\d+)/policycoreutils-(.*)\.tar\.gz
debian/policycoreutils.postrm0000644000000000000000000000211612260023376013666 0ustar
#!/bin/sh
# postrm script for policycoreutils
#
# see: dh_installdeb(1)

set -e

# summary of how this script can be called:
# * `remove'
# * `purge'
# * `upgrade'
# * `failed-upgrade'
# * `abort-install'
# * `abort-install'
# * `abort-upgrade'
# * `disappear'
#
# for details, see http://www.debian.org/doc/debian-policy/ or
# the debian-policy package

case "$1" in
remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear) ;; purge) if [ -e /etc/selinux/config ]; then echo "Removing old /etc/selinux/config file." rm -f /etc/selinux/config fi ;; *) echo "postrm called with unknown argument \`$1'" >&2 exit 1 ;; esac # dh_installdeb will replace this with shell code automatically # generated by other debhelper scripts. #DEBHELPER# exit 0 debian/gbp.conf0000644000000000000000000000023312260023376010604 0ustar [DEFAULT] debian-branch = debian upstream-branch = upstream pristine-tar = True [git-buildpackage] tarball-dir = ../tarballs/ export-dir = ../build-area/ debian/patches/0000755000000000000000000000000012260023376010616 5ustar debian/patches/0002-Made-fixfiles-display-the-progress.patch0000644000000000000000000000232012260023376020753 0ustar From: Russell Coker Date: Mon, 21 Jun 2010 22:35:00 +1000 Subject: Made fixfiles display the progress --- scripts/fixfiles | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) --- a/scripts/fixfiles +++ b/scripts/fixfiles 
@@ -246,17 +246,17 @@ FC=$TEMPFCFILE fi if [ ! -z "$RPMFILES" ]; then for i in `echo "$RPMFILES" | sed 's/,/ /g'`; do - rpmlist $i | ${RESTORECON} $exclude_dirs ${FORCEFLAG} ${VERBOSE} $* -R -i -f - 2>&1 | cat >> $LOGFILE + rpmlist $i | ${RESTORECON} $exclude_dirs ${FORCEFLAG} ${VERBOSE} $* -R -i -p -f - 2>&1 | cat >> $LOGFILE done exit $? fi if [ ! -z "$FILEPATH" ]; then - ${RESTORECON} $exclude_dirs ${FORCEFLAG} ${VERBOSE} -R $* $FILEPATH 2>&1 | cat >> $LOGFILE + ${RESTORECON} $exclude_dirs ${FORCEFLAG} ${VERBOSE} -R -p $* $FILEPATH 2>&1 | cat >> $LOGFILE return fi if [ -n "${FILESYSTEMSRW}" ]; then echo "${OPTION}ing `echo ${FILESYSTEMSRW}`" - ${SETFILES} ${VERBOSE} $exclude_dirs -q ${FORCEFLAG} $* ${FC} ${FILESYSTEMSRW} 2>&1 | cat >> $LOGFILE + ${SETFILES} ${VERBOSE} $exclude_dirs -q -p ${FORCEFLAG} $* ${FC} ${FILESYSTEMSRW} 2>&1 | cat >> $LOGFILE else echo >&2 "fixfiles: No suitable file systems found" fi debian/patches/0015-mcstrans-upgrade-from-squeeze0000644000000000000000000000113712260023376017025 0ustar Description: Patch for mcstrans to not abort when it sees a squeeze config file Author: Russell Coker Last-Update: 2012-06-19 --- policycoreutils-2.1.10.orig/mcstrans/src/mcstrans.c +++ policycoreutils-2.1.10/mcstrans/src/mcstrans.c @@ -745,6 +745,13 @@ process_trans(char *buffer) { if (*buffer == 0) return 0; + /* special case for old format */ + if(!strcmp("s0=", buffer)) + { + syslog(LOG_ERR, "Ignoring old format line \"s0=\"."); + return 0; + } + char *delim = strpbrk (buffer, "=!>"); if (! delim) { syslog(LOG_ERR, "invalid line (no !, = or >) %d", lineno); debian/patches/0017-no-sandbox0000644000000000000000000000133312260023376013176 0ustar Description: Do not build or install sandbox related software, it requires a module not in refpolicy Author: Russell Coker Last-Update: 2012-09-29 --- a/Makefile +++ b/Makefile 
@@ -1,4 +1,4 @@ -SUBDIRS = sepolicy setfiles semanage load_policy newrole run_init sandbox secon audit2allow sestatus semodule_package semodule semodule_link semodule_expand semodule_deps sepolgen-ifgen setsebool scripts po man gui +SUBDIRS = sepolicy setfiles semanage load_policy newrole run_init secon audit2allow sestatus semodule_package semodule semodule_link semodule_expand semodule_deps sepolgen-ifgen setsebool scripts po man gui INOTIFYH = $(shell ls /usr/include/$(DEB_HOST_MULTIARCH)/sys/inotify.h 2>/dev/null) debian/patches/0005-build-system.patch0000644000000000000000000000567512260023376014657 0ustar From: Russell Coker Date: Sun, 26 Feb 2012 19:39:24 +0100 Subject: build system --- Makefile | 6 ++++-- mcstrans/src/Makefile | 3 ++- mcstrans/utils/Makefile | 2 +- restorecond/Makefile | 6 +++--- run_init/Makefile | 2 +- sandbox/Makefile | 4 ++-- semodule_deps/Makefile | 2 +- sepolgen-ifgen/Makefile | 2 +- 8 files changed, 15 insertions(+), 12 deletions(-) --- a/Makefile +++ b/Makefile @@ -1,11 +1,13 @@ SUBDIRS = sepolicy setfiles semanage load_policy newrole run_init sandbox secon audit2allow sestatus semodule_package semodule semodule_link semodule_expand semodule_deps sepolgen-ifgen setsebool scripts po man gui -INOTIFYH = $(shell ls /usr/include/sys/inotify.h 2>/dev/null) +INOTIFYH = $(shell ls /usr/include/$(DEB_HOST_MULTIARCH)/sys/inotify.h 2>/dev/null) -ifeq (${INOTIFYH}, /usr/include/sys/inotify.h) +ifneq (${INOTIFYH},) SUBDIRS += restorecond endif +SUBDIRS += restorecond mcstrans + all install relabel clean indent: @for subdir in $(SUBDIRS); do \ (cd $$subdir && $(MAKE) $@) || exit 1; \ --- a/mcstrans/src/Makefile +++ b/mcstrans/src/Makefile @@ -13,6 +13,7 @@ ifeq "$(ARCH)" "i386" endif endif endif +LIBDIR=/usr/lib/$(DEB_HOST_MULTIARCH) # Installation directories. PREFIX ?= $(DESTDIR)/usr SBINDIR ?= $(DESTDIR)/sbin --- a/mcstrans/utils/Makefile +++ b/mcstrans/utils/Makefile 
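Review bot: In the top-level Makefile hunk of 0005-build-system.patch (@@ -1,11 +1,13 @@), the added line "SUBDIRS += restorecond mcstrans" appends restorecond unconditionally, directly after the "ifneq (${INOTIFYH},)" block that already appends it when inotify.h is found. With the header present, restorecond is listed twice and the "for subdir in $(SUBDIRS)" loop enters it twice; with the header absent, the inotify check no longer gates anything. If restorecond is meant to stay conditional, the new line should be "SUBDIRS += mcstrans"; if it is meant to build always, drop the ifneq block so the intent is explicit.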
@@ -17,7 +17,7 @@ ifeq "$(ARCH)" "i386" endif endif endif - +LIBDIR=/usr/lib/$(DEB_HOST_MULTIARCH) CFLAGS ?= -Wall override CFLAGS += -I../src -D_GNU_SOURCE --- a/restorecond/Makefile +++ b/restorecond/Makefile @@ -11,11 +11,11 @@ autostart_DATA = sealertauto.desktop INITDIR ?= $(DESTDIR)/etc/rc.d/init.d SELINUXDIR = $(DESTDIR)/etc/selinux -DBUSFLAGS = -DHAVE_DBUS -I/usr/include/dbus-1.0 -I/usr/lib64/dbus-1.0/include -I/usr/lib/dbus-1.0/include +DBUSFLAGS = -DHAVE_DBUS -I/usr/include/dbus-1.0 -I/usr/lib/$(DEB_HOST_MULTIARCH)/dbus-1.0/include -I/usr/lib/dbus-1.0/include DBUSLIB = -ldbus-glib-1 -ldbus-1 CFLAGS ?= -g -Werror -Wall -W -override CFLAGS += -I$(PREFIX)/include $(DBUSFLAGS) -I/usr/include/glib-2.0 -I/usr/lib64/glib-2.0/include -I/usr/lib/glib-2.0/include +override CFLAGS += -I$(PREFIX)/include $(DBUSFLAGS) -I/usr/include/glib-2.0 -I/usr/lib/$(DEB_HOST_MULTIARCH)/glib-2.0/include -I/usr/lib/glib-2.0/include LDLIBS += -lselinux $(DBUSLIB) -lglib-2.0 -L$(LIBDIR) --- a/semodule_deps/Makefile +++ b/semodule_deps/Makefile @@ -2,7 +2,7 @@ PREFIX ?= $(DESTDIR)/usr INCLUDEDIR ?= $(PREFIX)/include BINDIR ?= $(PREFIX)/bin -LIBDIR ?= $(PREFIX)/lib +LIBDIR ?= $(PREFIX)/lib/$(DEB_HOST_MULTIARCH) MANDIR ?= $(PREFIX)/share/man CFLAGS ?= -Werror -Wall -W --- a/sepolgen-ifgen/Makefile +++ b/sepolgen-ifgen/Makefile 
@@ -1,7 +1,7 @@ # Installation directories. PREFIX ?= $(DESTDIR)/usr BINDIR ?= $(PREFIX)/bin -LIBDIR ?= $(PREFIX)/lib +LIBDIR ?= $(PREFIX)/lib/$(DEB_HOST_MULTIARCH) INCLUDEDIR ?= $(PREFIX)/include CFLAGS ?= -Werror -Wall -W debian/patches/0025-restorecon-service.patch0000644000000000000000000000173512260023376016052 0ustar commit efd6e35212d3a4a2a41f25bfe436fd4853fa201f Author: Laurent Bigonville Date: Wed Nov 6 10:36:16 2013 +0100 Improve restorecond systemd unit file Use Type=forking and pass PIDFile option, this allows better tracking of the livecycle of the daemon. Only attempt to start the daemon if selinux is enabled. Drop After=syslog.target, syslog is socket activated anyway diff --git a/policycoreutils/restorecond/restorecond.service b/policycoreutils/restorecond/restorecond.service index 7d64cc5..0511a1c 100644 --- a/restorecond/restorecond.service +++ b/restorecond/restorecond.service @@ -1,12 +1,12 @@ [Unit] Description=Restorecon maintaining path file context -After=syslog.target ConditionPathExists=/etc/selinux/restorecond.conf +ConditionSecurity=selinux [Service] -Type=oneshot +Type=forking ExecStart=/usr/sbin/restorecond -RemainAfterExit=yes +PIDFile=/var/run/restorecond.pid [Install] WantedBy=multi-user.target debian/patches/0024-fix-manpages.patch0000644000000000000000000003107112260023376014603 0ustar Description: Fix some minor manpages issues Author: Laurent Bigonville --- a/audit2allow/audit2allow.1 +++ b/audit2allow/audit2allow.1 @@ -160,7 +160,7 @@ files_read_etc_files(myapp_t) # interface files. # You can create a te file and compile it by executing -$ make -f /usr/share/selinux/devel/Makefile local.pp +$ make \-f /usr/share/selinux/devel/Makefile local.pp # This make command will compile a local.te file in the current --- a/load_policy/load_policy.8 +++ b/load_policy/load_policy.8 @@ -4,7 +4,7 @@ load_policy \- load a new SELinux policy .SH SYNOPSIS .B load_policy -[-qi] +[\-qi] .br .SH DESCRIPTION .PP --- a/mcstrans/man/man8/mcstransd.8 
+++ b/mcstrans/man/man8/mcstransd.8 @@ -14,10 +14,10 @@ program. This daemon reads /etc/selinux/{SELINUXTYPE}/setrans.conf configuration file, and communicates with libselinux via a socket in /var/run/setrans. .SH "OPTIONS" .TP --f +\-f Run mcstransd in the foreground. Do not run as a daemon. .TP --h +\-h Output a short summary of available command line options\&. .SH "AUTHOR" --- a/scripts/fixfiles.8 +++ b/scripts/fixfiles.8 @@ -60,11 +60,11 @@ Run a diff on the PREVIOUS_FILECONTEXT .TP .B \-N time Only act on files created after the specified date. Date must be specified in -"YYYY-MM-DD HH:MM" format. Date field will be passed to find --newermt command. +"YYYY\-MM\-DD HH:MM" format. Date field will be passed to find \-\-newermt command. .TP .B -v -Modify verbosity from progress to verbose. (Run restorecon with -v instead of -p) +Modify verbosity from progress to verbose. (Run restorecon with \-v instead of \-p) .SH "ARGUMENTS" One of: --- a/secon/secon.1 +++ b/secon/secon.1 @@ -31,7 +31,7 @@ shows the usage information for secon outputs data in a format suitable for a prompt .TP \fB\-C\fR, \fB\-\-color\fR -outputs data with the associated ANSI color codes (requires -P) +outputs data with the associated ANSI color codes (requires \-P) .TP \fB\-u\fR, \fB\-\-user\fR show the user of the security context --- a/setfiles/restorecon.8 +++ b/setfiles/restorecon.8 @@ -25,7 +25,7 @@ check whether the file contexts are all If a file object does not have a context, restorecon will write the default context to the file object's extended attributes. If a file object has a context, restorecon will only modify the type portion of the security context. -The -F option will force a replacement of the entire context. +The \-F option will force a replacement of the entire context. .P It is the same executable as .BR setfiles 
@@ -50,7 +50,7 @@ display usage information and exit. ignore files that do not exist. .TP .B \-n -don't change any file labels (passive check). To display the files whose labels would be changed, add -v. +don't change any file labels (passive check). To display the files whose labels would be changed, add \-v. .TP .B \-o outfilename Deprecated, SELinux policy will probably block this access. Use shell redirection to save list of files with incorrect context in filename. --- a/semanage/semanage-boolean.8 +++ b/semanage/semanage-boolean.8 @@ -1,6 +1,6 @@ .TH "semanage-boolean" "8" "20130617" "" "" .SH "NAME" -semanage boolean\- SELinux Policy Management boolean tool +semanage\-boolean \- SELinux Policy Management boolean tool .SH "SYNOPSIS" .B semanage boolean [\-h] [\-n] [\-N] [\-s STORE] [ \-\-extract | \-\-deleteall | \-\-list [\-C] | \-\-modify ( \-\-on | \-\-off ) boolean ] --- a/semanage/semanage-dontaudit.8 +++ b/semanage/semanage-dontaudit.8 @@ -1,6 +1,6 @@ .TH "semanage-dontaudit" "8" "20130617" "" "" .SH "NAME" -.B semanage dontaudit\- SELinux Policy Management dontaudit tool +.B semanage\-dontaudit \- SELinux Policy Management dontaudit tool .SH "SYNOPSIS" .B semanage dontaudit [\-h] [\-S STORE] [\-N] {on,off} --- a/semanage/semanage-export.8 +++ b/semanage/semanage-export.8 @@ -1,6 +1,6 @@ .TH "semanage-export" "8" "20130617" "" "" .SH "NAME" -.B semanage export\- SELinux Policy Management import tool +.B semanage\-export \- SELinux Policy Management import tool .SH "SYNOPSIS" .B semanage export [\-h] [\-S STORE] [\-f OUTPUT_FILE] @@ -23,10 +23,10 @@ Output file .SH EXAMPLE .nf Import semanage modifications from another machine -# semanage export -f semanage.mods +# semanage export \-f semanage.mods # scp semanage.mod remotemachine: # ssh remotemachine -# semanage import -f semanage.mods +# semanage import \-f semanage.mods .SH "SEE ALSO" .B selinux (8), --- a/semanage/semanage-fcontext.8 +++ b/semanage/semanage-fcontext.8 
@@ -1,6 +1,6 @@ .TH "semanage-fcontext" "8" "20130617" "" "" .SH "NAME" -semanage fcontext\- SELinux Policy Management file context tool +semanage\-fcontext \- SELinux Policy Management file context tool .SH "SYNOPSIS" .B semanage fcontext [\-h] [\-n] [\-N] [\-s STORE] [ \-\-add ( \-t TYPE \-f FTYPE \-r RANGE \-s SEUSER | \-e EQUAL ) FILE_SPEC ) | \-\-delete ( \-t TYPE \-f FTYPE | \-e EQUAL ) FILE_SPEC ) | \-\-deleteall | \-\-extract | \-\-list [\-C] | \-\-modify ( \-t TYPE \-f FTYPE \-r RANGE \-s SEUSER | \-e EQUAL ) FILE_SPEC ) ] --- a/semanage/semanage-import.8 +++ b/semanage/semanage-import.8 @@ -1,6 +1,6 @@ .TH "semanage-import" "8" "20130617" "" "" .SH "NAME" -.B semanage import\- SELinux Policy Management import tool +.B semanage\-import \- SELinux Policy Management import tool .SH "SYNOPSIS" .B semanage import [\-h] [\-N] [\-S STORE] [\-f INPUT_FILE] @@ -25,7 +25,7 @@ Input file .SH EXAMPLE .nf Import semanage modifications from another machine -# semanage import -f semanage.mods +# semanage import \-f semanage.mods .SH "SEE ALSO" .B selinux (8), --- a/semanage/semanage-interface.8 +++ b/semanage/semanage-interface.8 @@ -1,6 +1,6 @@ .TH "semanage-interface" "8" "20130617" "" "" .SH "NAME" -.B semanage interface\- SELinux Policy Management network interface tool +.B semanage\-interface \- SELinux Policy Management network interface tool .SH "SYNOPSIS" .B semanage interface [\-h] [\-n] [\-N] [\-s STORE] [ \-\-add \-t TYPE \-r RANGE interface | \-\-delete interface | \-\-deleteall | \-\-extract | \-\-list [\-C] | \-\-modify \-t TYPE \-r RANGE interface ] @@ -53,7 +53,7 @@ MLS/MCS Security Range (MLS/MCS Systems .SH EXAMPLE .nf list all interface defitions -# semanage interface -l +# semanage interface \-l .SH "SEE ALSO" .B selinux (8), --- a/semanage/semanage-login.8 +++ b/semanage/semanage-login.8 
@@ -1,6 +1,6 @@ .TH "semanage-login" "8" "20130617" "" "" .SH "NAME" -.B semanage login\- SELinux Policy Management linux user to SELinux User mapping tool +.B semanage\-login \- SELinux Policy Management linux user to SELinux User mapping tool .SH "SYNOPSIS" .B semanage login [\-h] [\-n] [\-N] [\-s STORE] [ \-\-add \-s SEUSER \-r RANGE LOGIN | \-\-delete LOGIN | \-\-deleteall | \-\-extract | \-\-list [\-C] | \-\-modify \-s SEUSER \-r RANGE LOGIN ] @@ -53,11 +53,11 @@ MLS/MCS Security Range (MLS/MCS Systems .SH EXAMPLE .nf Modify the default user on the system to the guest_u user -# semanage login -m -s guest_u __default__ +# semanage login \-m \-s guest_u __default__ Assign gijoe user on an MLS machine a range and to the staff_u user -# semanage login -a -s staff_u -rSystemLow-Secret gijoe +# semanage login \-a \-s staff_u \-rSystemLow-Secret gijoe Assign all users in the engineering group to the staff_u user -# semanage login -a -s staff_u %engineering +# semanage login \-a \-s staff_u %engineering .SH "SEE ALSO" .B selinux (8), --- a/semanage/semanage-module.8 +++ b/semanage/semanage-module.8 @@ -1,6 +1,6 @@ .TH "semanage-module" "8" "20130617" "" "" .SH "NAME" -.B semanage module\\- SELinux Policy Management module mapping tool +.B semanage\-module \- SELinux Policy Management module mapping tool .SH "SYNOPSIS" .B semanage module [\-h] [\-n] [\-N] [\-S STORE] (\-a | \-r | \-e | \-d | \-\-extract | \-\-list [\-C] | \-\-deleteall) [module_name] --- a/semanage/semanage-node.8 +++ b/semanage/semanage-node.8 
@@ -1,6 +1,6 @@ .TH "semanage-node" "8" "20130617" "" "" .SH "NAME" -.B semanage node\- SELinux Policy Management node mapping tool +.B semanage\-node \- SELinux Policy Management node mapping tool .SH "SYNOPSIS" .B semanage node [\-h] [\-n] [\-N] [\-s STORE] [ \-\-add \-M NETMASK \-p PROTOCOL \-t TYPE \-r RANGE node | \-\-delete \-M NETMASK \-p PROTOCOL node | \-\-deleteall | \-\-extract | \-\-list [\-C] | \-\-modify \-M NETMASK \-p PROTOCOL \-t TYPE \-r RANGE node ] --- a/semanage/semanage-port.8 +++ b/semanage/semanage-port.8 @@ -1,6 +1,6 @@ .TH "semanage-port" "8" "20130617" "" "" .SH "NAME" -.B semanage port\- SELinux Policy Management port mapping tool +.B semanage\-port \- SELinux Policy Management port mapping tool .SH "SYNOPSIS" .B semanage port [\-h] [\-n] [\-N] [\-s STORE] [ \-\-add \-t TYPE \-p PROTOCOL \-r RANGE port_name | port_range | \-\-delete \-p PROTOCOL port_name | port_range | \-\-deleteall | \-\-extract | \-\-list [\-C] | \-\-modify \-t TYPE \-p PROTOCOL \-r RANGE port_name | port_range ] --- a/semanage/semanage-user.8 +++ b/semanage/semanage-user.8 @@ -1,6 +1,6 @@ .TH "semanage-user" "8" "20130617" "" "" .SH "NAME" -.B semanage user\- SELinux Policy Management SELinux User mapping tool +.B semanage\-user \- SELinux Policy Management SELinux User mapping tool .SH "SYNOPSIS" .B semanage user [\-h] [\-n] [\-N] [\-s STORE] [ \-\-add ( \-L LEVEL \-R ROLES \-r RANGE \-s SEUSER selinux_name) | \-\-delete selinux_name | \-\-deleteall | \-\-extract | \-\-list [\-C] | \-\-modify ( \-L LEVEL \-R ROLES \-r RANGE \-s SEUSER selinux_name ) ] @@ -60,7 +60,7 @@ List SELinux users Modify groups for staff_u user # semanage user \-m \-R "system_r unconfined_r staff_r" staff_u Add level for TopSecret Users -# semanage user \-a \-R "staff_r" -rs0-TopSecret topsecret_u +# semanage user \-a \-R "staff_r" \-rs0\-TopSecret topsecret_u .SH "SEE ALSO" .B selinux (8), --- a/semanage/semanage.8 +++ b/semanage/semanage.8 
@@ -86,4 +86,4 @@ This man page was written by Daniel Wals and Russell Coker . .br Examples by Thomas Bleher . -usage: semanage [-h] +usage: semanage [\-h] --- a/gui/selinux-polgengui.8 +++ b/gui/selinux-polgengui.8 @@ -29,7 +29,7 @@ selinux(1), sepolicy(8), sepolicy-genera Report bugs to . .SH LICENSE AND AUTHORS -\fBselinux-polgengui\fP is licensed under the GNU Public License and +\fBselinux-polgengui\fP is licensed under the GNU General Public License and is copyrighted by Red Hat, Inc. .br This man page was written by Daniel Walsh --- a/sepolicy/sepolicy-generate.8 +++ b/sepolicy/sepolicy-generate.8 @@ -54,7 +54,7 @@ Use \fBsepolicy generate\fP to generate When specifying a \fBconfined application\fP you must specify a path. \fBsepolicy generate\fP will use the rpm payload of the -application along with \fBnm -D APPLICATION\fP to help it generate +application along with \fBnm \-D APPLICATION\fP to help it generate types and policy rules for your policy files. .B Type Enforcing File NAME.te @@ -75,7 +75,7 @@ file paths to the types. Tools like res .B RPM Spec File NAME_selinux.spec .br -This file is an RPM SPEC file that can be used to install the SELinux policy on to machines and setup the labeling. The spec file also installs the interface file and a man page describing the policy. You can use \fBsepolicy manpage -d NAME\fP to generate the man page. +This file is an RPM SPEC file that can be used to install the SELinux policy on to machines and setup the labeling. The spec file also installs the interface file and a man page describing the policy. You can use \fBsepolicy manpage \-d NAME\fP to generate the man page. .B Shell File NAME.sh .br @@ -158,9 +158,7 @@ Generate Policy for Minimal X Windows Lo .br Generating Policy for /usr/sbin/rwhod named rwhod .br -Created the following files in: -.br -./ +Created the following files: .br rwhod.te # Type Enforcement file .br --- a/gui/system-config-selinux.8 +++ b/gui/system-config-selinux.8 
@@ -31,7 +31,7 @@ selinux(1), semanage(8) Report bugs to . .SH LICENSE AND AUTHORS -\fBsystem-config-selinux\fP is licensed under the GNU Public License and +\fBsystem-config-selinux\fP is licensed under the GNU General Public License and is copyrighted by Red Hat, Inc. .br This man page was written by Daniel Walsh --- a/semanage/semanage-permissive.8 +++ b/semanage/semanage-permissive.8 @@ -1,6 +1,6 @@ .TH "semanage-permissive" "8" "20130617" "" "" .SH "NAME" -.B semanage permissive \- SELinux Policy Management permissive mapping tool +.B semanage\-permissive \- SELinux Policy Management permissive mapping tool .SH "SYNOPSIS" .B semanage permissive [\-h] (\-a | \-d | \-l) [\-n] [\-N] [\-S STORE] [type] debian/patches/0018-sandbox-config.patch0000644000000000000000000000457212260023376015136 0ustar Subject: The sandbox configuration file is located in /etc/default/sandbox not in /etc/sysconfig/sandbox. Author: Laurent Bigonville Date: Sat, 29 Sep 2012 14:07:12 +0200 Forwarded: not-needed --- a/sandbox/sandbox.8 +++ b/sandbox/sandbox.8 @@ -85,7 +85,7 @@ $HOME and /tmp, secondary Xserver, defau Set the DPI value for the sandbox X Server. Defaults to the current X Sever DPI. .TP \fB\-c\fR \fB\-\-cgroups\fR -Use control groups to control this copy of sandbox. Specify parameters in /etc/sysconfig/sandbox. Max memory usage and cpu usage are to be specified in percent. You can specify which CPUs to use by numbering them 0,1,2... etc. +Use control groups to control this copy of sandbox. Specify parameters in /etc/default/sandbox. Max memory usage and cpu usage are to be specified in percent. You can specify which CPUs to use by numbering them 0,1,2... etc. .TP \fB\-C\fR \fB\-\-capabilities\fR Use capabilities within the sandbox. By default applications executed within the sandbox will not --- a/sandbox/seunshare.8 +++ b/sandbox/seunshare.8 
@@ -19,7 +19,7 @@ Alternate homedir to be used by the appl Use alternate tempory directory to mount on /tmp. tmpdir must be owned by the user. .TP \fB\-c --cgroups\fR -Use cgroups to control this copy of seunshare. Specify parameters in /etc/sysconfig/sandbox. Max memory usage and cpu usage are to be specified in percent. You can specify which CPUs to use by numbering them 0,1,2... etc. +Use cgroups to control this copy of seunshare. Specify parameters in /etc/default/sandbox. Max memory usage and cpu usage are to be specified in percent. You can specify which CPUs to use by numbering them 0,1,2... etc. .TP \fB\-C --capabilities\fR Allow apps executed within the namespace to use capabilities. Default is no capabilities. --- a/sandbox/seunshare.c +++ b/sandbox/seunshare.c @@ -319,7 +319,7 @@ static int match(const char *string, cha } /** - * Apply cgroups settings from the /etc/sysconfig/sandbox config file. + * Apply cgroups settings from the /etc/default/sandbox config file. */ static int setup_cgroups() { @@ -333,7 +333,7 @@ static int setup_cgroups() char *tok = NULL; int rc = -1; char *str = NULL; - const char* fname = "/etc/sysconfig/sandbox"; + const char* fname = "/etc/default/sandbox"; if ((fp = fopen(fname, "rt")) == NULL) { fprintf(stderr, "Error opening sandbox config file."); debian/patches/0022-sepolicy-path.patch0000644000000000000000000000213712260023376015004 0ustar Description: Fix installation path for the python module Author: Laurent Bigonville --- a/sepolicy/Makefile +++ b/sepolicy/Makefile @@ -30,7 +30,7 @@ test: @python test_sepolicy.py -v install: - $(PYTHON) setup.py install `test -n "$(DESTDIR)" && echo --root $(DESTDIR)` + $(PYTHON) setup.py install --prefix='/usr' --install-layout=deb `test -n "$(DESTDIR)" && echo --root $(DESTDIR)` [ -d $(BINDIR) ] || mkdir -p $(BINDIR) install -m 755 sepolicy.py $(BINDIR)/sepolicy (cd $(BINDIR); ln -sf sepolicy sepolgen) --- a/semanage/Makefile +++ b/semanage/Makefile 
@@ -18,8 +18,8 @@ install: all -mkdir -p $(SBINDIR) install -m 755 semanage $(SBINDIR) install -m 644 *.8 $(MANDIR)/man8 - test -d $(PYTHONLIBDIR)/site-packages || install -m 755 -d $(PYTHONLIBDIR)/site-packages - install -m 755 seobject.py $(PYTHONLIBDIR)/site-packages + test -d $(PYTHONLIBDIR)/dist-packages || install -m 755 -d $(PYTHONLIBDIR)/dist-packages + install -m 755 seobject.py $(PYTHONLIBDIR)/dist-packages -mkdir -p $(BASHCOMPLETIONDIR) install -m 644 $(BASHCOMPLETIONS) $(BASHCOMPLETIONDIR)/semanage debian/patches/0016-open-init-pty0000644000000000000000000003012412260023376013641 0ustar Description: Add new open_init_pty that doesn't waste CPU time Origin: Václav Ovsík Author: Russell Coker Last-Update: 2012-06-26 --- policycoreutils-2.1.10.orig/run_init/Makefile +++ policycoreutils-2.1.10/run_init/Makefile @@ -8,8 +8,9 @@ LOCALEDIR ?= /usr/share/locale PAMH = $(shell ls /usr/include/security/pam_appl.h 2>/dev/null) AUDITH = $(shell ls /usr/include/libaudit.h 2>/dev/null) -CFLAGS ?= -Werror -Wall -W +CFLAGS ?= -Werror -Wall -W -g -O2 override CFLAGS += -I$(PREFIX)/include -DUSE_NLS -DLOCALEDIR="\"$(LOCALEDIR)\"" -DPACKAGE="\"policycoreutils\"" +CPPFLAGS ?= $(CFLAGS) LDLIBS += -lselinux -L$(PREFIX)/lib ifeq ($(PAMH), /usr/include/security/pam_appl.h) override CFLAGS += -DUSE_PAM @@ -23,17 +24,17 @@ ifeq ($(AUDITH), /usr/include/libaudit.h LDLIBS += -laudit endif -TARGETS=$(patsubst %.c,%,$(wildcard *.c)) +TARGETS=open_init_pty run_init all: $(TARGETS) -open_init_pty: open_init_pty.c - $(LINK.c) $^ -ldl -lutil -o $@ +open_init_pty: open_init_pty.cpp + $(LINK.cpp) $^ -ldl -lutil -o $@ install: all test -d $(SBINDIR) || install -m 755 -d $(SBINDIR) - test -d $(MANDIR)/man8 || install -m 755 -d $(MANDIR)/man8 + test -d $(MANDIR)/man1 || install -m 755 -d $(MANDIR)/man1 install -m 755 run_init $(SBINDIR) install -m 755 open_init_pty $(SBINDIR) install -m 644 run_init.8 $(MANDIR)/man8/ --- /dev/null +++ policycoreutils-2.1.10/run_init/open_init_pty.cpp 
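Review bot: In the install target of run_init/Makefile (hunk @@ -23,17 +24,17 @@ of 0016-open-init-pty), the directory check is changed to create $(MANDIR)/man1, but the unchanged context line right after still runs "install -m 644 run_init.8 $(MANDIR)/man8/", so nothing in this target guarantees that man8 exists in a clean DESTDIR any more. Keep the original man8 test, and add the man1 line next to it only if something is actually installed into man1. The description also says nothing about this change, so a short note on why man1 is needed would help.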
@@ -0,0 +1,423 @@ +/* -*- Mode: C -*- + * open_init_pty.c --- + * Author : Manoj Srivastava ( srivasta@glaurung.internal.golden-gryphon.com ) + * Created On : Fri Jan 14 10:48:28 2005 + * Created On Node : glaurung.internal.golden-gryphon.com + * Last Modified By : Manoj Srivastava + * Last Modified On : Thu Sep 15 00:57:00 2005 + * Last Machine Used: glaurung.internal.golden-gryphon.com + * Update Count : 92 + * Status : Unknown, Use with caution! + * HISTORY : + * Description : + * + * Distributed under the terms of the GNU General Public License v2 + * + * open_init_pty + * + * SYNOPSIS: + * + * This program allows a systems administrator to execute daemons + * which need to work in the initrc domain, and which need to have + * pty's as system_u:system_r:initrc_t + * + * USAGE: + * + * * arch-tag: a5583d39-72b9-4cdf-ba1b-5678ea4cbe20 + */ + +#include +#include +#include +#include +#include +#include + +#include + +#include /* for openpty and forkpty */ +#include /* for login_tty */ +#include +#include + +#include +#include + + +#define MAXRETR 3 /* The max number of IO retries on a fd */ +#define BUFSIZE 2048 /* The ring buffer size */ + +static struct termios saved_termios; +static int saved_fd = -1; +static enum { RESET, RAW, CBREAK } tty_state = RESET; + +static int tty_semi_raw(int fd) +{ + struct termios buf; + + if (tty_state == RESET) { + if (tcgetattr(fd, &saved_termios) < 0) { + return -1; + } + } + + buf = saved_termios; + /* + * echo off, canonical mode off, extended input processing off, + * signal chars off + */ + buf.c_lflag &= ~(ECHO | ICANON | IEXTEN | ISIG); + /* + * no SIGINT on break, CR-to-NL off, input parity check off, do not + * strip 8th bit on input,output flow control off + */ + buf.c_iflag &= ~(BRKINT | ICRNL | INPCK | ISTRIP | IXON); + /* Clear size bits, parity checking off */ + buf.c_cflag &= ~(CSIZE | PARENB); + /* set 8 bits/char */ + buf.c_cflag |= CS8; + /* Output processing off + buf.c_oflag &= ~(OPOST); */ + + buf.c_cc[VMIN] = 
1; /* one byte at a time, no timer */ + buf.c_cc[VTIME] = 0; + if (tcsetattr(fd, TCSANOW, &buf) < 0) { + return -1; + } + tty_state = RAW; + saved_fd = fd; + return 0; +} + +static void tty_atexit(void) +{ + if (tty_state != CBREAK && tty_state != RAW) { + return; + } + + if (tcsetattr(saved_fd, TCSANOW, &saved_termios) < 0) { + return; + } + tty_state = RESET; + return; +} + + +/* The simple ring buffer */ +class ring_buffer +{ +public: + ring_buffer(char *buf, size_t size) + { + m_buf = m_wptr = m_rptr = buf; + m_size = size; + m_count = 0; + } + + size_t get_count() { return m_count; } + int isempty() { return m_count == 0; } + + // return the unused space size in the buffer + size_t space() + { + if(m_rptr > m_wptr) + return m_rptr - m_wptr; + if(m_rptr < m_wptr || m_count == 0) + return m_buf + m_size - m_wptr; + return 0; // should not hit this + } + + // return the used space in the buffer + size_t chunk_size() + { + if(m_rptr < m_wptr) + return m_wptr - m_rptr; + if(m_rptr > m_wptr || m_count > 0) + return m_buf + m_size - m_rptr; + return 0; // should not hit this + } + + // read from fd and write to buffer memory + ssize_t rb_read(int fd) + { + ssize_t n = read(fd, m_wptr, space()); + if(n <= 0) + return n; + m_wptr += n; + m_count += n; + if(m_buf + m_size <= m_wptr) + m_wptr = m_buf; + return n; + } + + ssize_t rb_write(int fd) + { + ssize_t n = write(fd, m_rptr, chunk_size()); + if(n <= 0) + return n; + m_rptr += n; + m_count -= n; + if(m_buf + m_size <= m_rptr) + m_rptr = m_buf; + return n; + } + +private: + char *m_buf; /* pointer to buffer memory */ + char *m_wptr; + char *m_rptr; + size_t m_size; /* the number of bytes allocated for buf */ + size_t m_count; +}; + +static void setfd_nonblock(int fd) +{ + int fsflags = fcntl(fd, F_GETFL); + + if (fsflags < 0) { + fprintf(stderr, "fcntl(%d, F_GETFL): %s\n", + fd, strerror(errno)); + exit(EX_IOERR); + } + + if (fcntl(STDIN_FILENO, F_SETFL, fsflags | O_NONBLOCK) < 0) { + fprintf(stderr, "fcntl(%d, 
F_SETFL, ... | O_NONBLOCK): %s\n", + fd, strerror(errno)); + exit(EX_IOERR); + } +} + +static void sigchld_handler(int asig __attribute__ ((unused))) +{ +} + +int main(int argc, char *argv[]) +{ + pid_t child_pid; + int child_exit_status; + struct termios tty_attr; + struct winsize window_size; + int pty_master; + char inbuf_mem[BUFSIZE]; + char outbuf_mem[BUFSIZE]; + ring_buffer inbuf(inbuf_mem, sizeof(inbuf_mem)); + ring_buffer outbuf(outbuf_mem, sizeof(outbuf_mem)); + + if (argc == 1) { + printf("usage: %s PROGRAM [ARGS]...\n", argv[0]); + exit(1); + } + + /* Wee need I/O calls to fail with EINTR on SIGCHLD... */ + if ( signal(SIGCHLD, sigchld_handler) == SIG_ERR ) { + perror("signal(SIGCHLD,...)"); + exit(EX_OSERR); + } + + if (isatty(STDIN_FILENO)) { + /* get terminal parameters associated with stdout */ + if (tcgetattr(STDOUT_FILENO, &tty_attr) < 0) { + perror("tcgetattr(stdout,...)"); + exit(EX_OSERR); + } + + /* end of if(tcsetattr(&tty_attr)) */ + /* get window size */ + if (ioctl(STDOUT_FILENO, TIOCGWINSZ, &window_size) < 0) { + perror("ioctl(stdout,...)"); + exit(1); + } + + child_pid = forkpty(&pty_master, NULL, &tty_attr, &window_size); + } /* end of if(isatty(STDIN_FILENO)) */ + else { /* not interactive */ + child_pid = forkpty(&pty_master, NULL, NULL, NULL); + } + + if (child_pid < 0) { + perror("forkpty()"); + fflush(stdout); + fflush(stderr); + exit(EX_OSERR); + } /* end of if(child_pid < 0) */ + if (child_pid == 0) { + /* in the child */ + struct termios s_tty_attr; + if (tcgetattr(STDIN_FILENO, &s_tty_attr)) { + perror("tcgetattr(stdin,...)"); + exit(EXIT_FAILURE); + } + /* Turn off echo */ + s_tty_attr.c_lflag &= ~(ECHO | ECHOE | ECHOK | ECHONL); + /* Also turn of NL to CR?LF on output */ + s_tty_attr.c_oflag &= ~(ONLCR); + if (tcsetattr(STDIN_FILENO, TCSANOW, &s_tty_attr)) { + perror("tcsetattr(stdin,...)"); + exit(EXIT_FAILURE); + } + + if (execvp(argv[1], argv + 1)) { + perror("execvp()"); + exit(EXIT_FAILURE); + } + } + + /* + * Non 
blocking mode for all file descriptors. + */ + setfd_nonblock(pty_master); + setfd_nonblock(STDIN_FILENO); + setfd_nonblock(STDOUT_FILENO); + + if (isatty(STDIN_FILENO)) { + if (tty_semi_raw(STDIN_FILENO) < 0) { + perror("tty_semi_raw(stdin)"); + } + if (atexit(tty_atexit) < 0) { + perror("atexit()"); + } + } + + /* for select()... */ + fd_set readfds; + fd_set writefds; + fd_set exceptfds; + FD_ZERO(&readfds); + FD_ZERO(&writefds); + FD_ZERO(&exceptfds); + + unsigned err_n_rpty = 0; + unsigned err_n_wpty = 0; + unsigned err_n_stdin = 0; + unsigned err_n_stdout = 0; + + int done = 0; + + do { + /* Accept events only on fds, that we can handle now. */ + int do_select = 0; + + if ( outbuf.space() > 0 && err_n_rpty < MAXRETR ) { + FD_SET(pty_master, &readfds); + do_select = 1; + } else + FD_CLR(pty_master, &readfds); + + if ( ! inbuf.isempty() && err_n_wpty < MAXRETR ) { + FD_SET(pty_master, &writefds); + do_select = 1; + } else + FD_CLR(pty_master, &writefds); + + if ( inbuf.space() > 0 && err_n_stdin < MAXRETR ) { + FD_SET(STDIN_FILENO, &readfds); + do_select = 1; + } else + FD_CLR(STDIN_FILENO, &readfds); + + if ( ! outbuf.isempty() && err_n_stdout < MAXRETR ) { + FD_SET(STDOUT_FILENO, &writefds); + do_select = 1; + } else + FD_CLR(STDOUT_FILENO, &writefds); + + if ( ! 
do_select ) + { +#ifdef DEBUG + fprintf(stderr, "No I/O job for us, calling waitpid()...\n"); +#endif + while ( waitpid(child_pid, &child_exit_status, 0) < 0 ) + ; + break; + } + + int select_rc = select(pty_master + 1, + &readfds, &writefds, &exceptfds, NULL); + if ( select_rc < 0 ) { + perror("select()"); + exit(EX_IOERR); + } +#ifdef DEBUG + fprintf(stderr, "select() returned %d\n", select_rc); +#endif + + if (FD_ISSET(STDOUT_FILENO, &writefds)) { +#ifdef DEBUG + fprintf(stderr, "stdout can be written\n"); +#endif + ssize_t n = outbuf.rb_write(STDOUT_FILENO); + if ( n <= 0 && n != EINTR && n != EAGAIN ) + err_n_stdout++; +#ifdef DEBUG + if ( n >= 0 ) + fprintf(stderr, "%d bytes written into stdout\n", n); + else + perror("write(stdout,...)"); +#endif + } + if (FD_ISSET(pty_master, &writefds)) { +#ifdef DEBUG + fprintf(stderr, "pty_master can be written\n"); +#endif + ssize_t n = inbuf.rb_write(pty_master); + if ( n <= 0 && n != EINTR && n != EAGAIN ) + err_n_wpty++; +#ifdef DEBUG + if ( n >= 0 ) + fprintf(stderr, "%d bytes written into pty_master\n", n); + else + perror("write(pty_master,...)"); +#endif + } + if (FD_ISSET(STDIN_FILENO, &readfds)) { +#ifdef DEBUG + fprintf(stderr, "stdin can be read\n"); +#endif + ssize_t n = inbuf.rb_read(STDIN_FILENO); + if ( n <= 0 && n != EINTR && n != EAGAIN ) + err_n_stdin++; +#ifdef DEBUG + if ( n >= 0 ) + fprintf(stderr, "%d bytes read from stdin\n", n); + else + perror("read(stdin,...)"); +#endif + } + if (FD_ISSET(pty_master, &readfds)) { +#ifdef DEBUG + fprintf(stderr, "pty_master can be read\n"); +#endif + ssize_t n = outbuf.rb_read(pty_master); + if ( n <= 0 && n != EINTR && n != EAGAIN ) + err_n_rpty++; +#ifdef DEBUG + if ( n >= 0 ) + fprintf(stderr, "%d bytes read from pty_master\n", n); + else + perror("read(pty_master,...)"); +#endif + } + + if ( ! 
done ) + if ( waitpid(child_pid, &child_exit_status, WNOHANG) > 0 ) + done = 1; + + } while ( !done + || !(inbuf.isempty() || err_n_wpty >= MAXRETR) + || !(outbuf.isempty() || err_n_stdout >= MAXRETR) ); + +#ifdef DEBUG + fprintf(stderr, "inbuf: %u bytes left, outbuf: %u bytes left\n", + inbuf.get_count(), outbuf.get_count()); + fprintf(stderr, "err_n_rpty=%u, err_n_wpty=%u, " + "err_n_stdin=%u, err_n_stdout=%u\n", + err_n_rpty, err_n_wpty, err_n_stdin, err_n_stdout); +#endif + if ( WIFEXITED(child_exit_status) ) + exit(WEXITSTATUS(child_exit_status)); + exit(EXIT_FAILURE); +} /* end of main() */ + +/* + * vim:ts=4: + */ debian/patches/series0000644000000000000000000000052012260023376012030 0ustar 0001-legacy.patch 0002-Made-fixfiles-display-the-progress.patch 0005-build-system.patch 0006-default-config.patch 0009-find-does-not-have-a-context-switch.patch 0015-mcstrans-upgrade-from-squeeze 0016-open-init-pty 0017-no-sandbox 0018-sandbox-config.patch 0022-sepolicy-path.patch 0024-fix-manpages.patch 0025-restorecon-service.patch debian/patches/0009-find-does-not-have-a-context-switch.patch0000644000000000000000000000336012260023376021015 0ustar From: Manoj Srivastava Date: Wed, 24 Jun 2009 18:43:16 -0500 Subject: find does not have a -context switch Do not error out if find does not have a -context switch. Signed-Off-By: Manoj Srivastava --- scripts/fixfiles | 10 +++++----- 1 files changed, 5 insertions(+), 5 deletions(-) --- a/scripts/fixfiles +++ b/scripts/fixfiles 
@@ -268,11 +268,11 @@ rm -rf /tmp/gconfd-* /tmp/pulse-* /tmp/o UNDEFINED=`get_undefined_type` || exit $? UNLABELED=`get_unlabeled_type` || exit $? -find /tmp \( -context "*:${UNLABELED}*" -o -context "*:${UNDEFINED}*" \) \( -type s -o -type p \) -delete -find /tmp \( -context "*:${UNLABELED}*" -o -context "*:${UNDEFINED}*" \) -exec chcon --reference /tmp {} \; -find /var/tmp \( -context "*:${UNLABELED}*" -o -context "*:${UNDEFINED}*" \) -exec chcon --reference /var/tmp {} \; -find /var/run \( -context "*:${UNLABELED}*" -o -context "*:${UNDEFINED}*" \) -exec chcon --reference /var/run {} \; -[ ! -e /var/lib/debug ] || find /var/lib/debug \( -context "*:${UNLABELED}*" -o -context "*:${UNDEFINED}*" \) -exec chcon --reference /lib {} \; +find /tmp \( -context "*:${UNLABELED}*" -o -context "*:${UNDEFINED}*" \) \( -type s -o -type p \) -delete || true +find /tmp \( -context "*:${UNLABELED}*" -o -context "*:${UNDEFINED}*" \) -exec chcon --reference /tmp {} \; || true +find /var/tmp \( -context "*:${UNLABELED}*" -o -context "*:${UNDEFINED}*" \) -exec chcon --reference /var/tmp {} \; || true +find /var/run \( -context "*:${UNLABELED}*" -o -context "*:${UNDEFINED}*" \) -exec chcon --reference /var/run {} \; || true +[ ! -e /var/lib/debug ] || find /var/lib/debug \( -context "*:${UNLABELED}*" -o -context "*:${UNDEFINED}*" \) -exec chcon --reference /lib {} \; || true exit 0 } debian/patches/0001-legacy.patch0000644000000000000000000000114612260023376013463 0ustar From: Laurent Bigonville Date: Mon, 27 Feb 2012 00:07:22 +0100 Subject: legacy --- run_init/open_init_pty.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/run_init/open_init_pty.c b/run_init/open_init_pty.c index 4f04e72..8bbf83b 100644 --- a/run_init/open_init_pty.c +++ b/run_init/open_init_pty.c 
@@ -162,7 +162,7 @@ int main(int argc, char *argv[]) /* in the child */ struct termios s_tty_attr; if (tcgetattr(fileno(stdin), &s_tty_attr)) { - perror("Child:"); + perror("forkpty child:"); fflush(stdout); fflush(stderr); exit(EXIT_FAILURE); debian/patches/0006-default-config.patch0000644000000000000000000000074612260023376015120 0ustar From: Russell Coker Date: Sun, 26 Feb 2012 19:39:24 +0100 Subject: default config --- restorecond/restorecond.conf | 5 +++++ 1 files changed, 5 insertions(+), 0 deletions(-) --- a/restorecond/restorecond.conf +++ b/restorecond/restorecond.conf 
@@ -2,6 +2,11 @@ /etc/resolv.conf /etc/samba/secrets.tdb /etc/updatedb.conf +/var/run/cups +/var/run/dbus +/var/run/network +/var/run/network/ifstate +/var/run/PolicyKit /var/run/utmp /var/log/wtmp /root/* debian/policycoreutils.links0000644000000000000000000000114012260023376013456 0ustar usr/sbin/se_dpkg usr/sbin/se_apt-get usr/sbin/se_dpkg usr/sbin/se_aptitude usr/sbin/se_dpkg usr/sbin/se_dpkg-reconfigure usr/sbin/se_dpkg usr/sbin/se_dselect usr/sbin/se_dpkg usr/sbin/se_synaptic usr/share/man/man8/se_dpkg.8 usr/share/man/man8/se_apt-get.8 usr/share/man/man8/se_dpkg.8 usr/share/man/man8/se_aptitude.8 usr/share/man/man8/se_dpkg.8 usr/share/man/man8/se_dpkg-reconfigure.8 usr/share/man/man8/se_dpkg.8 usr/share/man/man8/se_dselect.8 usr/share/man/man8/se_dpkg.8 usr/share/man/man8/se_synaptic.8 usr/share/bash-completion/completions/setsebool usr/share/bash-completion/completions/getsebool debian/python-sepolicy.install0000644000000000000000000000100412260023376013720 0ustar usr/lib/python*/*-packages/sepolicy/*so usr/lib/python*/*-packages/sepolicy/templates/ usr/lib/python*/*-packages/sepolicy/help/ usr/lib/python*/*-packages/sepolicy/__init__.py usr/lib/python*/*-packages/sepolicy/booleans.py usr/lib/python*/*-packages/sepolicy/communicate.py usr/lib/python*/*-packages/sepolicy/interface.py usr/lib/python*/*-packages/sepolicy/manpage.py usr/lib/python*/*-packages/sepolicy/network.py usr/lib/python*/*-packages/sepolicy/transition.py #usr/lib/python*/*-packages/sepolicy/sedbus.py debian/source/0000755000000000000000000000000012260023376010467 5ustar debian/source/format0000644000000000000000000000001412260023376011675 0ustar 3.0 (quilt) debian/NEWS0000644000000000000000000000162212260023376007667 0ustar policycoreutils (1.30.28-1) unstable; urgency=low * With this version of policycoreutils, the file /etc/selinux/config shall have the variable SELINUXTYPE set to refpolicy-targeted (you may also set it to be refpolicy-strict or refpolicy-src). 
Only 1.30.26-3 created the file with SELINUXTYPE set to targeted (which
is appropriate on Red Hat machines and not Debian). We can't
automatically change /etc/selinux/config (preserve user changes) since
/etc/selinux/targeted/policy/policy.N might be a legitimate local
security policy. If it is not, and if any of the files
/etc/selinux/refpolicy-targeted/policy/policy.N,
/etc/selinux/refpolicy-strict/policy/policy.N, or
/etc/selinux/refpolicy-src/policy/policy.N exist, please select one for
the SELINUXTYPE variable in /etc/selinux/config

 -- Manoj Srivastava  Thu, 7 Sep 2006 11:37:19 -0500

debian/policycoreutils.docs

debian/etc_selinux_config

debian/policycoreutils.mcstrans.init

#! /bin/sh
### BEGIN INIT INFO
# Provides:          mcstransd mcstrans
# Required-Start:    $remote_fs $syslog
# Required-Stop:     $remote_fs $syslog
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: The daemon to make sensitivity labels human readable form
# Description:       This daemon maps machine readable sensitivity labels
#                    (numbered levels and categories) to a human readable form
#                    (arbitrary names assigned by the sysadmin).
### END INIT INFO

# Author: Laurent Bigonville

# Do NOT "set -e"

PATH=/sbin:/usr/sbin:/bin:/usr/bin
DESC="SELinux Context Translation System"
NAME=mcstransd
DAEMON=/sbin/mcstransd
DAEMON_ARGS=""
PIDFILE=/var/run/$NAME.pid
SCRIPTNAME=/etc/init.d/mcstrans

# Exit if the package is not installed
[ -x "$DAEMON" ] || exit 0

# Test to see if SELinux is enabled
[ -x /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled || exit 0

# Read configuration variable file if it is present
[ -r /etc/default/mcstrans ] && . /etc/default/mcstrans

# Define LSB log_* functions.
# Depend on lsb-base (>= 3.2-14) to ensure that this file is present
# and status_of_proc is working.
. /lib/lsb/init-functions

# Read SELinux configuration file if it is present
[ -r /etc/selinux/config ] && . /etc/selinux/config

if [ -z "$SELINUXTYPE" -o ! -r "/etc/selinux/$SELINUXTYPE/setrans.conf" ]; then
    log_warning_msg "Daemon not started, configuration file not found."
    exit 0
fi

#
# Function that starts the daemon/service
#
do_start()
{
    # Return
    #   0 if daemon has been started
    #   1 if daemon was already running
    #   2 if daemon could not be started
    start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \
        || return 1
    if ! [ -d /var/run/setrans ]; then
        mkdir -p /var/run/setrans
        [ -x /sbin/restorecon ] && /sbin/restorecon /var/run/setrans
    fi
    start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON -- \
        $DAEMON_ARGS \
        || return 2
    pidof $DAEMON > $PIDFILE
}

#
# Function that stops the daemon/service
#
do_stop()
{
    # Return
    #   0 if daemon has been stopped
    #   1 if daemon was already stopped
    #   2 if daemon could not be stopped
    #   other if a failure occurred
    start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name $NAME
    RETVAL="$?"
    [ "$RETVAL" = 2 ] && return 2
    rm -f $PIDFILE
    return "$RETVAL"
}

#
# Function that sends a SIGHUP to the daemon/service
#
do_reload() {
    start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE --name $NAME
    return 0
}

case "$1" in
  start)
    log_daemon_msg "Starting $DESC" "$NAME"
    do_start
    case "$?" in
        0|1) log_end_msg 0 ;;
        2) log_end_msg 1 ;;
    esac
    ;;
  stop)
    log_daemon_msg "Stopping $DESC" "$NAME"
    do_stop
    case "$?" in
        0|1) log_end_msg 0 ;;
        2) log_end_msg 1 ;;
    esac
    ;;
  status)
    status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $?
    ;;
  reload|force-reload)
    log_daemon_msg "Reloading $DESC" "$NAME"
    do_reload
    log_end_msg $?
    ;;
  restart)
    log_daemon_msg "Restarting $DESC" "$NAME"
    do_stop
    case "$?" in
      0|1)
        do_start
        case "$?" in
            0) log_end_msg 0 ;;
            1) log_end_msg 1 ;; # Old process is still running
            *) log_end_msg 1 ;; # Failed to start
        esac
        ;;
      *)
        # Failed to stop
        log_end_msg 1
        ;;
    esac
    ;;
  *)
    echo "Usage: $SCRIPTNAME {start|stop|status|restart|reload|force-reload}" >&2
    exit 3
    ;;
esac

:

debian/policycoreutils.restorecond.init

#! /bin/sh
### BEGIN INIT INFO
# Provides:          restorecond
# Required-Start:    $remote_fs $syslog
# Required-Stop:     $remote_fs $syslog
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Daemon used to maintain SELinux file context
# Description:       This daemon uses inotify to look for creation of new files
#                    listed in the /etc/selinux/restorecond.conf file,
#                    and restores the correct security context.
### END INIT INFO

# Author: Laurent Bigonville

# Do NOT "set -e"

PATH=/sbin:/usr/sbin:/bin:/usr/bin
DESC="SELinux file context maintaining daemon"
NAME=restorecond
DAEMON=/usr/sbin/$NAME
DAEMON_ARGS=""
PIDFILE=/var/run/$NAME.pid
SCRIPTNAME=/etc/init.d/$NAME

# Exit if the package is not installed
[ -x "$DAEMON" ] || exit 0

# Test to see if SELinux is enabled
[ -x /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled || exit 0

# Read configuration variable file if it is present
[ -r /etc/default/$NAME ] && . /etc/default/$NAME

# Define LSB log_* functions.
# Depend on lsb-base (>= 3.2-14) to ensure that this file is present
# and status_of_proc is working.
. /lib/lsb/init-functions

if [ ! -f /etc/selinux/restorecond.conf ] && [ "$1" != status ]; then
    log_warning_msg "There is no configuration file for restorecond."
    log_warning_msg "Please create /etc/selinux/restorecond.conf."
    exit 0
fi

#
# Function that starts the daemon/service
#
do_start()
{
    # Return
    #   0 if daemon has been started
    #   1 if daemon was already running
    #   2 if daemon could not be started
    start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \
        || return 1
    start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON -- \
        $DAEMON_ARGS \
        || return 2
}

#
# Function that stops the daemon/service
#
do_stop()
{
    # Return
    #   0 if daemon has been stopped
    #   1 if daemon was already stopped
    #   2 if daemon could not be stopped
    #   other if a failure occurred
    start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name $NAME
    RETVAL="$?"
    [ "$RETVAL" = 2 ] && return 2
    rm -f $PIDFILE
    return "$RETVAL"
}

case "$1" in
  start)
    log_daemon_msg "Starting $DESC" "$NAME"
    do_start
    case "$?" in
        0|1) log_end_msg 0 ;;
        2) log_end_msg 1 ;;
    esac
    ;;
  stop)
    log_daemon_msg "Stopping $DESC" "$NAME"
    do_stop
    case "$?" in
        0|1) log_end_msg 0 ;;
        2) log_end_msg 1 ;;
    esac
    ;;
  status)
    status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $?
    ;;
  restart|force-reload)
    #
    # If the "reload" option is implemented then remove the
    # 'force-reload' alias
    #
    log_daemon_msg "Restarting $DESC" "$NAME"
    do_stop
    case "$?" in
      0|1)
        do_start
        case "$?" in
            0) log_end_msg 0 ;;
            1) log_end_msg 1 ;; # Old process is still running
            *) log_end_msg 1 ;; # Failed to start
        esac
        ;;
      *)
        # Failed to stop
        log_end_msg 1
        ;;
    esac
    ;;
  *)
    echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2
    exit 3
    ;;
esac

:

debian/copyright

This is the Debian package for policycoreutils, and it is built from
sources obtained from: http://www.nsa.gov/selinux/code/download5.cfm.

This package was debianized by Colin Walters on
Thu, 3 Jul 2003 17:10:57 -0400.

This package is maintained by Manoj Srivastava .

Portions of this package are copyright by various people, including

  Copyright (C) 2001 Justin R. Smith (jsmith@mcs.drexel.edu)
  Copyright (C) 1995, 1996, 1997 by Ulrich Drepper
  Copyright (c) 2005 Manoj Srivastava
  Copyright (C) 2004-2009 Red Hat, Inc.
  Copyright (c) 2005 Dan Walsh
  Copyright (C) 2004, 2005 Tresys Technology, LLC
  Copyright 1999-2004 Gentoo Technologies, Inc.
  Copyright (C) 2006 Free Software Foundation, Inc.

This package is licensed under the terms of the GNU GPL.

These programs are free software; you can redistribute it and/or modify
them under the terms of the GNU General Public License as published by
the Free Software Foundation; version 2 dated June, 1991.

These programs are distributed in the hope that they will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
General Public License for more details.

The Debian specific changes are © 2005-2009, Manoj Srivastava , and
distributed under the terms of the GNU General Public License,
version 2.

On Debian GNU/Linux systems, the complete text of the GNU General
Public License can be found in `/usr/share/common-licenses/GPL-2'.

A copy of the GNU General Public License is also available at .
You may also obtain it by writing to the Free Software Foundation,
Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA.

Manoj Srivastava
arch-tag: d4250e44-a0e0-4ee0-adb9-2bd74f6eeb27

debian/policycoreutils.manpages

debian/se_dpkg.8

debian/policycoreutils.mcstrans.tmpfile

d /run/setrans 0755 root root - -
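
Review bot: in the new open_init_pty.c file (hunk @@ -0,0 +1,423 @@), setfd_nonblock() reads the flags with fcntl(fd, F_GETFL) but then applies them with fcntl(STDIN_FILENO, F_SETFL, fsflags | O_NONBLOCK), so the calls for pty_master and STDOUT_FILENO never change those descriptors and stdin ends up with flags copied from the other ones. The second call should be fcntl(fd, F_SETFL, fsflags | O_NONBLOCK). In the select() loop, the tests "n <= 0 && n != EINTR && n != EAGAIN" compare the return value of rb_read()/rb_write() with errno constants; both constants are positive, so the comparison is always true once n <= 0 and every interrupted or would-block call is counted toward MAXRETR. Check errno when n < 0 instead. The header comment also marks the file as "Mode: C" while the ring buffer is declared as a C++ class, so either the file name and build rule or the implementation should change.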
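
Review bot: in 0009-find-does-not-have-a-context-switch.patch (scripts/fixfiles, hunk @@ -268,11 +268,11 @@), the "|| true" appended to all five find lines discards every find failure, not only the unsupported -context predicate named in the description, and the result is that unlabeled or undefined-type files can stay in /tmp, /var/tmp and /var/run with the function still ending in "exit 0". Probe once for -context support, skip the block with a logged message when it is missing, and let other errors surface. The visible context does not show the script running under "set -e" (the lines above use explicit "|| exit $?"), so the description should also say which failure mode these suffixes are meant to prevent.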
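
Review bot: in 0001-legacy.patch (run_init/open_init_pty.c, hunk @@ -162,7 +162,7 @@), the new string "forkpty child:" keeps the trailing colon, and perror() appends its own ": " before the error text, so the message prints with a doubled colon; it also still does not name the call that failed. Something like perror("forkpty child: tcgetattr(stdin)") would identify the failing step. The patch has no description beyond the subject "legacy", so the reason for carrying this one-line change is not recorded.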
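
Review bot: in 0006-default-config.patch (restorecond/restorecond.conf, hunk @@ -2,6 +2,11 @@), the five added /var/run paths come with no explanation of why each needs relabeling by restorecond, and the description is only the subject "default config". Since this file decides which paths get their security context restored automatically, please document per entry which package creates it with the wrong label, and state whether listing both /var/run/network and /var/run/network/ifstate is required or whether one entry covers the other.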