authorAutomerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>2020-02-04 00:32:29 +0000
committerAutomerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>2020-02-04 00:32:29 +0000
commit9bf2fcbeed9531113a3269b292124c6f643cb6b4 (patch)
treec752a84f265804a941a2f17e9518938e7044cfc0
parentb52d79ad9c184892aa9d7da3de97b83925b1a64b (diff)
parentc84adf737d57cdcc17fc8564fe47bdb6bf733150 (diff)
Merge remote-tracking branch 'aosp/upstream-master' into mymerge am: 3760c1e482 am: 103d51f948 am: c84adf737d
Change-Id: Ic95924a45bd3114741615c2569a2c9f225a29246
-rw-r--r--.circleci/config.yml40
-rw-r--r--.travis.yml2
-rw-r--r--CONTRIBUTING.md87
-rw-r--r--Makefile3
-rw-r--r--checkpolicy/VERSION2
-rw-r--r--checkpolicy/checkmodule.83
-rw-r--r--checkpolicy/checkpolicy.812
-rw-r--r--checkpolicy/checkpolicy.c36
-rw-r--r--checkpolicy/checkpolicy.h14
-rw-r--r--checkpolicy/parse_util.c3
-rw-r--r--checkpolicy/policy_define.c8
-rw-r--r--checkpolicy/policy_parse.y4
-rw-r--r--checkpolicy/policy_scan.l2
-rw-r--r--checkpolicy/ru/checkmodule.83
-rw-r--r--checkpolicy/ru/checkpolicy.84
-rw-r--r--dbus/VERSION2
-rw-r--r--dbus/selinux_server.py7
-rw-r--r--gui/VERSION2
-rw-r--r--gui/modulesPage.py3
-rw-r--r--gui/polgen.ui4
-rw-r--r--gui/polgengui.py2
-rw-r--r--gui/system-config-selinux.py2
-rw-r--r--lgtm.yml5
-rw-r--r--libselinux/VERSION2
-rw-r--r--libselinux/include/selinux/av_permissions.h1029
-rw-r--r--libselinux/include/selinux/avc.h112
-rw-r--r--libselinux/include/selinux/flask.h118
-rw-r--r--libselinux/include/selinux/get_context_list.h36
-rw-r--r--libselinux/include/selinux/get_default_type.h4
-rw-r--r--libselinux/include/selinux/label.h51
-rw-r--r--libselinux/include/selinux/restorecon.h17
-rw-r--r--libselinux/include/selinux/selinux.h29
-rw-r--r--libselinux/man/man3/avc_has_perm.337
-rw-r--r--libselinux/man/man3/security_compute_av.349
-rw-r--r--libselinux/man/man3/security_load_booleans.312
-rw-r--r--libselinux/man/man3/selabel_get_digests_all_partial_matches.370
-rw-r--r--libselinux/man/man3/selinux_binary_policy_path.37
-rw-r--r--libselinux/man/man3/selinux_booleans_path.31
-rw-r--r--libselinux/man/man3/selinux_restorecon.381
-rw-r--r--libselinux/man/man3/selinux_restorecon_xattr.38
-rw-r--r--libselinux/man/man3/selinux_set_mapping.320
-rw-r--r--libselinux/man/man5/booleans.580
-rw-r--r--libselinux/man/man5/local.users.568
-rw-r--r--libselinux/man/man5/secolor.conf.54
-rw-r--r--libselinux/man/man8/selinux.82
-rw-r--r--libselinux/man/ru/man5/booleans.583
-rw-r--r--libselinux/man/ru/man5/local.users.572
-rw-r--r--libselinux/man/ru/man5/secolor.conf.54
-rw-r--r--libselinux/man/ru/man8/selinux.82
-rw-r--r--libselinux/src/.gitignore3
-rw-r--r--libselinux/src/Makefile38
-rw-r--r--libselinux/src/avc_internal.c2
-rw-r--r--libselinux/src/booleans.c231
-rw-r--r--libselinux/src/checkAccess.c13
-rwxr-xr-xlibselinux/src/exception.sh8
-rw-r--r--libselinux/src/file_path_suffixes.h2
-rw-r--r--libselinux/src/label.c24
-rw-r--r--libselinux/src/label_file.c189
-rw-r--r--libselinux/src/label_file.h16
-rw-r--r--libselinux/src/label_internal.h7
-rw-r--r--libselinux/src/load_policy.c100
-rw-r--r--libselinux/src/regex.c29
-rw-r--r--libselinux/src/regex.h4
-rw-r--r--libselinux/src/selinux_config.c9
-rw-r--r--libselinux/src/selinux_internal.h4
-rw-r--r--libselinux/src/selinux_restorecon.c271
-rw-r--r--libselinux/src/selinuxswig_python_exception.i954
-rw-r--r--libselinux/src/sestatus.c2
-rw-r--r--libselinux/src/setup.py24
-rw-r--r--libselinux/src/sha1.c2
-rw-r--r--libselinux/src/stringrep.c30
-rw-r--r--libselinux/utils/.gitignore1
-rw-r--r--libselinux/utils/sefcontext_compile.c2
-rw-r--r--libselinux/utils/selabel_get_digests_all_partial_matches.c170
-rw-r--r--libsemanage/VERSION2
-rw-r--r--libsemanage/include/semanage/handle.h58
-rw-r--r--libsemanage/include/semanage/modules.h160
-rw-r--r--libsemanage/include/semanage/port_record.h2
-rw-r--r--libsemanage/man/man5/semanage.conf.55
-rw-r--r--libsemanage/src/.gitignore1
-rw-r--r--libsemanage/src/Makefile2
-rw-r--r--libsemanage/src/boolean_internal.h2
-rw-r--r--libsemanage/src/booleans_policydb.c2
-rw-r--r--libsemanage/src/conf-parse.y15
-rw-r--r--libsemanage/src/conf-scan.l1
-rw-r--r--libsemanage/src/database.h2
-rw-r--r--libsemanage/src/direct_api.c7
-rw-r--r--libsemanage/src/exception.sh6
-rw-r--r--libsemanage/src/fcontext_internal.h2
-rw-r--r--libsemanage/src/genhomedircon.c2
-rw-r--r--libsemanage/src/handle.c2
-rw-r--r--libsemanage/src/iface_internal.h2
-rw-r--r--libsemanage/src/modules.c4
-rw-r--r--libsemanage/src/policy.h2
-rw-r--r--libsemanage/src/ports_file.c4
-rw-r--r--libsemanage/src/pywrap-test.py2
-rw-r--r--libsemanage/src/semanage_conf.h1
-rw-r--r--libsemanage/src/semanageswig_python.i2
-rw-r--r--libsemanage/src/semanageswig_python_exception.i2385
-rw-r--r--libsemanage/src/user_internal.h2
-rw-r--r--libsemanage/src/utilities.c2
-rw-r--r--libsemanage/src/utilities.h14
-rw-r--r--libsemanage/tests/.gitignore1
-rw-r--r--libsemanage/tests/Makefile11
-rw-r--r--libsemanage/tests/libsemanage-tests.c18
-rw-r--r--libsemanage/tests/test_bool.c932
-rw-r--r--libsemanage/tests/test_bool.cil24
-rw-r--r--libsemanage/tests/test_bool.h31
-rw-r--r--libsemanage/tests/test_fcontext.c1045
-rw-r--r--libsemanage/tests/test_fcontext.cil25
-rw-r--r--libsemanage/tests/test_fcontext.h30
-rw-r--r--libsemanage/tests/test_handle.c329
-rw-r--r--libsemanage/tests/test_handle.cil21
-rw-r--r--libsemanage/tests/test_handle.h30
-rw-r--r--libsemanage/tests/test_ibendport.c525
-rw-r--r--libsemanage/tests/test_ibendport.cil28
-rw-r--r--libsemanage/tests/test_ibendport.h30
-rw-r--r--libsemanage/tests/test_iface.c666
-rw-r--r--libsemanage/tests/test_iface.cil28
-rw-r--r--libsemanage/tests/test_iface.h30
-rw-r--r--libsemanage/tests/test_node.c807
-rw-r--r--libsemanage/tests/test_node.cil28
-rw-r--r--libsemanage/tests/test_node.h30
-rw-r--r--libsemanage/tests/test_other.c120
-rw-r--r--libsemanage/tests/test_other.h30
-rw-r--r--libsemanage/tests/test_port.c909
-rw-r--r--libsemanage/tests/test_port.cil27
-rw-r--r--libsemanage/tests/test_port.h30
-rw-r--r--libsemanage/tests/test_semanage_store.c2
-rw-r--r--libsemanage/tests/test_user.c690
-rw-r--r--libsemanage/tests/test_user.cil27
-rw-r--r--libsemanage/tests/test_user.h30
-rw-r--r--libsemanage/tests/test_utilities.c13
-rw-r--r--libsemanage/tests/utilities.c254
-rw-r--r--libsemanage/tests/utilities.h79
-rw-r--r--libsepol/VERSION2
-rw-r--r--libsepol/cil/src/cil.c163
-rw-r--r--libsepol/cil/src/cil_binary.c16
-rw-r--r--libsepol/cil/src/cil_binary.h8
-rw-r--r--libsepol/cil/src/cil_build_ast.c15
-rw-r--r--libsepol/cil/src/cil_copy_ast.c2
-rw-r--r--libsepol/cil/src/cil_fqn.c2
-rw-r--r--libsepol/cil/src/cil_internal.h322
-rw-r--r--libsepol/cil/src/cil_mem.c28
-rw-r--r--libsepol/cil/src/cil_mem.h1
-rw-r--r--libsepol/cil/src/cil_policy.c3
-rw-r--r--libsepol/cil/src/cil_post.c2
-rw-r--r--libsepol/cil/src/cil_resolve_ast.c22
-rw-r--r--libsepol/cil/src/cil_strpool.c8
-rw-r--r--libsepol/cil/src/cil_verify.c3
-rw-r--r--libsepol/include/sepol/booleans.h15
-rw-r--r--libsepol/include/sepol/policydb.h5
-rw-r--r--libsepol/include/sepol/policydb/context.h5
-rw-r--r--libsepol/include/sepol/policydb/hashtab.h2
-rw-r--r--libsepol/include/sepol/policydb/mls_types.h26
-rw-r--r--libsepol/include/sepol/policydb/policydb.h9
-rw-r--r--libsepol/include/sepol/policydb/services.h8
-rw-r--r--libsepol/include/sepol/users.h13
-rw-r--r--libsepol/man/man3/sepol_genbools.330
-rw-r--r--libsepol/man/man3/sepol_genusers.354
-rw-r--r--libsepol/src/avrule_block.c3
-rw-r--r--libsepol/src/conditional.c2
-rw-r--r--libsepol/src/context.c3
-rw-r--r--libsepol/src/deprecated_funcs.c50
-rw-r--r--libsepol/src/ebitmap.c2
-rw-r--r--libsepol/src/genbools.c279
-rw-r--r--libsepol/src/genusers.c343
-rw-r--r--libsepol/src/kernel_to_cil.c19
-rw-r--r--libsepol/src/kernel_to_conf.c35
-rw-r--r--libsepol/src/libsepol.map.in5
-rw-r--r--libsepol/src/link.c4
-rw-r--r--libsepol/src/mls.c2
-rw-r--r--libsepol/src/module.c4
-rw-r--r--libsepol/src/module_to_cil.c6
-rw-r--r--libsepol/src/optimize.c378
-rw-r--r--libsepol/src/policydb.c22
-rw-r--r--libsepol/src/policydb_public.c5
-rw-r--r--libsepol/src/services.c8
-rw-r--r--libsepol/src/write.c12
-rw-r--r--libsepol/tests/helpers.h29
-rw-r--r--libsepol/tests/policies/test-deps/base-metreq.conf2
-rw-r--r--libsepol/tests/policies/test-deps/base-notmetreq.conf2
-rw-r--r--libsepol/tests/policies/test-deps/small-base.conf2
-rw-r--r--libsepol/tests/policies/test-expander/alias-base.conf2
-rw-r--r--libsepol/tests/policies/test-expander/role-base.conf2
-rw-r--r--libsepol/tests/policies/test-expander/small-base.conf2
-rw-r--r--libsepol/tests/policies/test-expander/user-base.conf2
-rw-r--r--libsepol/tests/policies/test-hooks/cmp_policy.conf2
-rw-r--r--libsepol/tests/policies/test-hooks/small-base.conf2
-rw-r--r--libsepol/tests/policies/test-linker/small-base.conf2
-rw-r--r--libsepol/tests/test-common.c13
-rw-r--r--libsepol/tests/test-deps.c6
-rw-r--r--libsepol/tests/test-downgrade.c2
-rw-r--r--libsepol/tests/test-downgrade.h2
-rw-r--r--libsepol/tests/test-expander-attr-map.c3
-rw-r--r--libsepol/tests/test-expander-roles.c1
-rw-r--r--libsepol/tests/test-expander-users.c1
-rw-r--r--libsepol/tests/test-linker-cond-map.c10
-rw-r--r--mcstrans/VERSION2
-rw-r--r--mcstrans/man/Makefile9
-rw-r--r--mcstrans/man/man5/setrans.conf.5 (renamed from mcstrans/man/man8/setrans.conf.8)2
-rw-r--r--mcstrans/man/man8/mcstransd.82
-rw-r--r--mcstrans/man/ru/man5/setrans.conf.5 (renamed from mcstrans/man/ru/man8/setrans.conf.8)2
-rw-r--r--mcstrans/man/ru/man8/mcstransd.82
-rw-r--r--mcstrans/share/examples/default/setrans.conf4
-rw-r--r--mcstrans/share/examples/include/setrans.conf6
-rw-r--r--mcstrans/share/examples/include/setrans.d/include-example4
-rw-r--r--mcstrans/share/examples/nato/setrans.d/rel.conf4
-rw-r--r--mcstrans/share/examples/urcsts-via-include/secolor.conf2
-rw-r--r--mcstrans/share/examples/urcsts-via-include/setrans.conf6
-rw-r--r--mcstrans/share/examples/urcsts/secolor.conf2
-rw-r--r--mcstrans/src/mcscolor.c14
-rw-r--r--mcstrans/src/mcstrans.service1
-rw-r--r--policycoreutils/VERSION2
-rw-r--r--policycoreutils/hll/pp/pp.c2
-rw-r--r--policycoreutils/load_policy/load_policy.c2
-rw-r--r--policycoreutils/man/man5/selinux_config.515
-rw-r--r--policycoreutils/man/ru/man5/selinux_config.511
-rw-r--r--policycoreutils/newrole/hashtab.h2
-rw-r--r--policycoreutils/newrole/newrole.c6
-rw-r--r--policycoreutils/po/af.po10
-rw-r--r--policycoreutils/po/aln.po10
-rw-r--r--policycoreutils/po/am.po10
-rw-r--r--policycoreutils/po/ar.po10
-rw-r--r--policycoreutils/po/as.po10
-rw-r--r--policycoreutils/po/ast.po10
-rw-r--r--policycoreutils/po/az.po10
-rw-r--r--policycoreutils/po/bal.po10
-rw-r--r--policycoreutils/po/be.po10
-rw-r--r--policycoreutils/po/bg.po10
-rw-r--r--policycoreutils/po/bn.po10
-rw-r--r--policycoreutils/po/bn_BD.po10
-rw-r--r--policycoreutils/po/bn_IN.po10
-rw-r--r--policycoreutils/po/bo.po10
-rw-r--r--policycoreutils/po/br.po10
-rw-r--r--policycoreutils/po/brx.po10
-rw-r--r--policycoreutils/po/bs.po10
-rw-r--r--policycoreutils/po/ca.po10
-rw-r--r--policycoreutils/po/cs.po10
-rw-r--r--policycoreutils/po/cy.po10
-rw-r--r--policycoreutils/po/da.po10
-rw-r--r--policycoreutils/po/de.po10
-rw-r--r--policycoreutils/po/dz.po10
-rw-r--r--policycoreutils/po/el.po10
-rw-r--r--policycoreutils/po/en_GB.po10
-rw-r--r--policycoreutils/po/eo.po10
-rw-r--r--policycoreutils/po/es.po10
-rw-r--r--policycoreutils/po/es_MX.po10
-rw-r--r--policycoreutils/po/et.po10
-rw-r--r--policycoreutils/po/eu.po10
-rw-r--r--policycoreutils/po/fa.po10
-rw-r--r--policycoreutils/po/fi.po10
-rw-r--r--policycoreutils/po/fr.po10
-rw-r--r--policycoreutils/po/ga.po10
-rw-r--r--policycoreutils/po/gl.po10
-rw-r--r--policycoreutils/po/gu.po10
-rw-r--r--policycoreutils/po/he.po10
-rw-r--r--policycoreutils/po/hi.po10
-rw-r--r--policycoreutils/po/hr.po10
-rw-r--r--policycoreutils/po/hu.po10
-rw-r--r--policycoreutils/po/hy.po10
-rw-r--r--policycoreutils/po/ia.po10
-rw-r--r--policycoreutils/po/id.po10
-rw-r--r--policycoreutils/po/ilo.po10
-rw-r--r--policycoreutils/po/is.po10
-rw-r--r--policycoreutils/po/it.po10
-rw-r--r--policycoreutils/po/ja.po10
-rw-r--r--policycoreutils/po/ka.po10
-rw-r--r--policycoreutils/po/kk.po10
-rw-r--r--policycoreutils/po/km.po10
-rw-r--r--policycoreutils/po/kn.po10
-rw-r--r--policycoreutils/po/ko.po10
-rw-r--r--policycoreutils/po/ks.po10
-rw-r--r--policycoreutils/po/ku.po10
-rw-r--r--policycoreutils/po/ky.po10
-rw-r--r--policycoreutils/po/la.po10
-rw-r--r--policycoreutils/po/lo.po10
-rw-r--r--policycoreutils/po/lt.po10
-rw-r--r--policycoreutils/po/lt_LT.po10
-rw-r--r--policycoreutils/po/lv.po10
-rw-r--r--policycoreutils/po/lv_LV.po10
-rw-r--r--policycoreutils/po/mai.po10
-rw-r--r--policycoreutils/po/mg.po10
-rw-r--r--policycoreutils/po/mk.po10
-rw-r--r--policycoreutils/po/ml.po10
-rw-r--r--policycoreutils/po/mn.po10
-rw-r--r--policycoreutils/po/mr.po10
-rw-r--r--policycoreutils/po/ms.po10
-rw-r--r--policycoreutils/po/my.po10
-rw-r--r--policycoreutils/po/nb.po10
-rw-r--r--policycoreutils/po/nds.po10
-rw-r--r--policycoreutils/po/ne.po10
-rw-r--r--policycoreutils/po/nl.po10
-rw-r--r--policycoreutils/po/nn.po10
-rw-r--r--policycoreutils/po/nso.po10
-rw-r--r--policycoreutils/po/or.po10
-rw-r--r--policycoreutils/po/pa.po10
-rw-r--r--policycoreutils/po/pl.po10
-rw-r--r--policycoreutils/po/policycoreutils.pot10
-rw-r--r--policycoreutils/po/pt.po10
-rw-r--r--policycoreutils/po/pt_BR.po10
-rw-r--r--policycoreutils/po/ro.po10
-rw-r--r--policycoreutils/po/ru.po10
-rw-r--r--policycoreutils/po/si.po10
-rw-r--r--policycoreutils/po/si_LK.po10
-rw-r--r--policycoreutils/po/sk.po10
-rw-r--r--policycoreutils/po/sl.po10
-rw-r--r--policycoreutils/po/sq.po10
-rw-r--r--policycoreutils/po/sr.po10
-rw-r--r--policycoreutils/po/sr@latin.po10
-rw-r--r--policycoreutils/po/sv.po10
-rw-r--r--policycoreutils/po/ta.po10
-rw-r--r--policycoreutils/po/te.po10
-rw-r--r--policycoreutils/po/tg.po10
-rw-r--r--policycoreutils/po/th.po10
-rw-r--r--policycoreutils/po/tl.po10
-rw-r--r--policycoreutils/po/tr.po10
-rw-r--r--policycoreutils/po/uk.po10
-rw-r--r--policycoreutils/po/ur.po10
-rw-r--r--policycoreutils/po/vi.po10
-rw-r--r--policycoreutils/po/vi_VN.po10
-rw-r--r--policycoreutils/po/wo.po10
-rw-r--r--policycoreutils/po/xh.po10
-rw-r--r--policycoreutils/po/zh_CN.GB2312.po10
-rw-r--r--policycoreutils/po/zh_CN.po10
-rw-r--r--policycoreutils/po/zh_HK.po10
-rw-r--r--policycoreutils/po/zh_TW.Big5.po10
-rw-r--r--policycoreutils/po/zh_TW.po10
-rw-r--r--policycoreutils/po/zu.po10
-rwxr-xr-xpolicycoreutils/scripts/fixfiles37
-rw-r--r--policycoreutils/semodule/semodule.c5
-rw-r--r--policycoreutils/setfiles/restore.c42
-rw-r--r--policycoreutils/setfiles/restorecon.810
-rw-r--r--policycoreutils/setfiles/restorecon_xattr.820
-rw-r--r--policycoreutils/setfiles/restorecon_xattr.c2
-rw-r--r--policycoreutils/setfiles/setfiles.810
-rw-r--r--python/VERSION2
-rw-r--r--python/audit2allow/sepolgen-ifgen4
-rwxr-xr-xpython/chcat/chcat1
-rw-r--r--python/semanage/semanage20
-rw-r--r--python/semanage/semanage-permissive.88
-rw-r--r--python/semanage/semanage-port.82
-rw-r--r--python/semanage/seobject.py27
-rw-r--r--python/sepolgen/HACKING4
-rw-r--r--python/sepolgen/VERSION2
-rw-r--r--python/sepolgen/src/sepolgen/access.py14
-rw-r--r--python/sepolgen/src/sepolgen/interfaces.py16
-rw-r--r--python/sepolgen/src/sepolgen/matching.py2
-rw-r--r--python/sepolgen/src/sepolgen/module.py2
-rw-r--r--python/sepolgen/src/sepolgen/objectmodel.py8
-rw-r--r--python/sepolgen/src/sepolgen/policygen.py8
-rw-r--r--python/sepolgen/src/sepolgen/refparser.py2
-rw-r--r--python/sepolgen/src/sepolgen/refpolicy.py4
-rw-r--r--python/sepolgen/src/sepolgen/util.py6
-rw-r--r--python/sepolgen/tests/test_refpolicy.py2
-rwxr-xr-xpython/sepolicy/sepolicy.py14
-rw-r--r--python/sepolicy/sepolicy/__init__.py1
-rw-r--r--python/sepolicy/sepolicy/booleans.py2
-rwxr-xr-xpython/sepolicy/sepolicy/communicate.py2
-rw-r--r--python/sepolicy/sepolicy/generate.py9
-rw-r--r--python/sepolicy/sepolicy/gui.py4
-rw-r--r--python/sepolicy/sepolicy/interface.py2
-rwxr-xr-xpython/sepolicy/sepolicy/manpage.py4
-rwxr-xr-xpython/sepolicy/sepolicy/network.py2
-rwxr-xr-xpython/sepolicy/sepolicy/transition.py2
-rw-r--r--python/sepolicy/setup.py4
-rw-r--r--restorecond/VERSION2
-rw-r--r--restorecond/restore.c40
-rw-r--r--restorecond/restorecond.service1
-rw-r--r--restorecond/user.c2
-rw-r--r--sandbox/VERSION2
-rw-r--r--sandbox/sandbox2
-rw-r--r--sandbox/seunshare.c4
-rwxr-xr-xscripts/run-scan-build6
-rw-r--r--secilc/COPYING2
-rw-r--r--secilc/VERSION2
-rw-r--r--secilc/docs/cil_class_and_permission_statements.md4
-rw-r--r--secilc/docs/cil_context_statement.md4
-rw-r--r--secilc/docs/cil_default_object_statements.md12
-rw-r--r--secilc/docs/cil_policy_config_statements.md2
-rw-r--r--secilc/docs/cil_reference_guide.md4
-rw-r--r--secilc/docs/cil_role_statements.md2
-rw-r--r--secilc/docs/cil_user_statements.md6
-rw-r--r--secilc/secilc.8.xml5
-rw-r--r--secilc/secilc.c16
-rw-r--r--semodule-utils/VERSION2
-rw-r--r--semodule-utils/semodule_package/semodule_unpackage.c2
387 files changed, 13430 insertions, 4177 deletions
diff --git a/.circleci/config.yml b/.circleci/config.yml
new file mode 100644
index 00000000..5d3177da
--- /dev/null
+++ b/.circleci/config.yml
@@ -0,0 +1,40 @@
+# Configuration file for https://circleci.com/
+
+version: 2
+
+jobs:
+ build:
+ docker:
+ # Use a Python image from https://hub.docker.com/r/circleci/python/tags/
+ - image: circleci/python:3.6
+
+ steps:
+ - checkout
+
+ # Install dependencies
+ - run: sudo apt-get update -qq
+ - run: sudo apt-get install -qq bison clang clang-tools flex gawk gettext libaudit-dev libcap-dev libcap-ng-dev libcunit1-dev libdbus-glib-1-dev libpcre3-dev python3-dev python-dev ruby-dev swig xmlto
+
+ - run:
+ name: Setup environment variables
+ command: |
+ echo 'export DESTDIR=$HOME/destdir' >> "$BASH_ENV"
+
+ # Download and install refpolicy headers for sepolgen tests
+ - run:
+ name: Download refpolicy Makefile
+ command: |
+ curl --location --retry 10 -o refpolicy.tar.bz2 https://github.com/SELinuxProject/refpolicy/releases/download/RELEASE_2_20180701/refpolicy-2.20180701.tar.bz2
+ tar -xvjf refpolicy.tar.bz2
+ sed -e "s,^PREFIX :=.*,PREFIX := $DESTDIR/usr," -i refpolicy/support/Makefile.devel
+ sudo make -C refpolicy install-headers
+ sudo mkdir -p /etc/selinux
+ echo 'SELINUXTYPE=refpolicy' | sudo tee /etc/selinux/config
+ echo 'SELINUX_DEVEL_PATH = /usr/share/selinux/refpolicy' | sudo tee /etc/selinux/sepolgen.conf
+ sed -e "s,\"\(/usr/bin/[cs]\),\"$DESTDIR\1," -i python/sepolgen/src/sepolgen/module.py
+
+ # Run clang's scan-build and store the result as artifacts
+ - run: ./scripts/run-scan-build
+ - store_artifacts:
+ path: scripts/output-scan-build
+ destination: output-scan-build
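Review bot: The refpolicy tarball fetched in the "Download refpolicy Makefile" step is unpacked and then fed to `sudo make -C refpolicy install-headers` without any integrity check, so whatever the release URL serves runs as root inside the CI job. Pin the expected digest and verify it before the `tar` line, e.g. `echo "<EXPECTED_SHA256>  refpolicy.tar.bz2" | sha256sum -c -` (placeholder; take the value from a trusted copy of the release). Adding `--fail` to the `curl` call would also keep an HTTP error page from being saved as the archive. The `circleci/python:3.6` image is referenced by a mutable tag; pinning it by digest would keep the scan-build environment reproducible.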
diff --git a/.travis.yml b/.travis.yml
index 7a9e73ce..e9f86baa 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -17,10 +17,8 @@ env:
- PYVER=python3.7 RUBYLIBVER=2.6 LINKER=bfd
# Test several Python versions
- - PYVER=python2.7 RUBYLIBVER=2.6
- PYVER=python3.5 RUBYLIBVER=2.6
- PYVER=python3.6 RUBYLIBVER=2.6
- - PYVER=pypy2.7-6.0 RUBYLIBVER=2.6
- PYVER=pypy3.5-6.0 RUBYLIBVER=2.6
# Test several Ruby versions (http://rubies.travis-ci.org/)
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
new file mode 100644
index 00000000..a3517cb8
--- /dev/null
+++ b/CONTRIBUTING.md
@@ -0,0 +1,87 @@
+# Contributing to SELinux
+
+Contributing to the SELinux userspace project is a similar process to
+other open source projects. Bug reports, new features to the existing
+code, additional tools, or updated documentation are all welcome.
+
+You can find a list of open issues where you might contribute to the SELinux kernel code at
+https://github.com/SELinuxProject/selinux-kernel/issues or to the SELinux userspace code at
+https://github.com/SELinuxProject/selinux/issues.
+
+See the selinuxproject.org [user resources
+page](http://selinuxproject.org/page/User_Resources) for more
+information on mailing lists, documentation, and other resources.
+
+## Reporting Bugs
+
+All bugs and patches should be submitted to the [SELinux mailing
+list](https://lore.kernel.org/selinux) at selinux@vger.kernel.org.
+
+When reporting bugs please include versions of SELinux related libraries and
+tools (libsepol, libselinux, libsemanage, checkpolicy). If you are
+using a custom policy please include it as well.
+
+## Compiling
+
+There are a number of dependencies required to build the userspace
+tools/libraries. On a Fedora system you can install them with yum:
+
+ # yum install audit-libs-devel bison bzip2-devel dbus-devel dbus-glib-devel flex flex-devel flex-static glib2-devel libcap-devel libcap-ng-devel pam-devel pcre-devel python-devel setools-devel swig ustr-devel
+
+The tools and libraries can be built and installed under a private directory from the top level with make, e.g.
+
+ $ make DESTDIR=~/obj install install-pywrap
+
+## Contributing Code
+
+After obtaining the code of the repository (see below), create a patch
+against the repository, and post that patch to the [SELinux mailing
+list](https://lore.kernel.org/selinux) at selinux@vger.kernel.org. When preparing
+patches, please follow these guidelines:
+
+- Patches should apply with -p1
+- Must apply against HEAD of the master branch
+- Separate large patches into logical patches
+- Patch descriptions must end with your "Signed-off-by" line. This means your
+ code meets the Developer's certificate of origin, see below.
+
+When adding new, large features or tools it is best to discuss the
+design on the mailing list prior to submitting the patch.
+
+## Development Repository
+
+Git is a modern source code management system. For more information
+about Git please see the Git website.
+
+To get an anonymous checkout of the SELinux userland repository you can
+run:
+
+ $ git clone https://github.com/SELinuxProject/selinux.git
+
+# Developer Certificate of Origin
+
+ Developer's Certificate of Origin 1.1
+
+ By making a contribution to this project, I certify that:
+
+ (a) The contribution was created in whole or in part by me and I
+ have the right to submit it under the open source license
+ indicated in the file; or
+
+ (b) The contribution is based upon previous work that, to the best
+ of my knowledge, is covered under an appropriate open source
+ license and I have the right under that license to submit that
+ work with modifications, whether created in whole or in part
+ by me, under the same open source license (unless I am
+ permitted to submit under a different license), as indicated
+ in the file; or
+
+ (c) The contribution was provided directly to me by some other
+ person who certified (a), (b) or (c) and I have not modified
+ it.
+
+ (d) I understand and agree that this project and the contribution
+ are public and that a record of the contribution (including all
+ personal information I submit with it, including my sign-off) is
+ maintained indefinitely and may be redistributed consistent with
+ this project or the open source license(s) involved.
diff --git a/Makefile b/Makefile
index c238dbc8..298cd2b7 100644
--- a/Makefile
+++ b/Makefile
@@ -16,7 +16,8 @@ else
-Wstrict-prototypes \
-Wundef \
-Wunused \
- -Wwrite-strings
+ -Wwrite-strings \
+ -fno-common
endif
ifneq ($(DESTDIR),)
diff --git a/checkpolicy/VERSION b/checkpolicy/VERSION
index 8c269150..9f55b2cc 100644
--- a/checkpolicy/VERSION
+++ b/checkpolicy/VERSION
@@ -1 +1 @@
-2.9
+3.0
diff --git a/checkpolicy/checkmodule.8 b/checkpolicy/checkmodule.8
index e55582f3..e597d9d4 100644
--- a/checkpolicy/checkmodule.8
+++ b/checkpolicy/checkmodule.8
@@ -59,8 +59,7 @@ $ checkmodule \-M \-m httpd.te \-o httpd.mod
.SH "SEE ALSO"
.B semodule(8), semodule_package(8)
-SELinux documentation at http://www.nsa.gov/research/selinux,
-especially "Configuring the SELinux Policy".
+SELinux Reference Policy documentation at https://github.com/SELinuxProject/refpolicy/wiki
.SH AUTHOR
diff --git a/checkpolicy/checkpolicy.8 b/checkpolicy/checkpolicy.8
index 8f7dad41..97e10ca7 100644
--- a/checkpolicy/checkpolicy.8
+++ b/checkpolicy/checkpolicy.8
@@ -3,7 +3,7 @@
checkpolicy \- SELinux policy compiler
.SH SYNOPSIS
.B checkpolicy
-.I "[\-b[F]] [\-C] [\-d] [\-U handle_unknown (allow,deny,reject)] [\-M] [\-c policyvers] [\-o output_file] [\-S] [\-t target_platform (selinux,xen)] [\-V] [input_file]"
+.I "[\-b[F]] [\-C] [\-d] [\-U handle_unknown (allow,deny,reject)] [\-M] [\-c policyvers] [\-o output_file|\-] [\-S] [\-t target_platform (selinux,xen)] [\-V] [input_file]"
.br
.SH "DESCRIPTION"
This manual page describes the
@@ -40,7 +40,9 @@ Enable the MLS policy when checking and compiling the policy.
Specify the policy version, defaults to the latest.
.TP
.B \-o,\-\-output filename
-Write a binary policy file to the specified filename.
+Write a policy file (binary, policy.conf, or CIL policy)
+to the specified filename. If - is given as filename,
+write it to standard output.
.TP
.B \-S,\-\-sort
Sort ocontexts before writing out the binary policy. This option makes output of checkpolicy consistent with binary policies created by semanage and secilc.
@@ -48,6 +50,9 @@ Sort ocontexts before writing out the binary policy. This option makes output of
.B \-t,\-\-target
Specify the target platform (selinux or xen).
.TP
+.B \-O,\-\-optimize
+Optimize the final kernel policy (remove redundant rules).
+.TP
.B \-V,\-\-version
Show version information.
.TP
@@ -55,8 +60,7 @@ Show version information.
Show usage information.
.SH "SEE ALSO"
-SELinux documentation at http://www.nsa.gov/research/selinux,
-especially "Configuring the SELinux Policy".
+SELinux Reference Policy documentation at https://github.com/SELinuxProject/refpolicy/wiki
.SH AUTHOR
diff --git a/checkpolicy/checkpolicy.c b/checkpolicy/checkpolicy.c
index e0a00f7c..7c5b63f8 100644
--- a/checkpolicy/checkpolicy.c
+++ b/checkpolicy/checkpolicy.c
@@ -112,7 +112,7 @@ static __attribute__((__noreturn__)) void usage(const char *progname)
{
printf
("usage: %s [-b[F]] [-C] [-d] [-U handle_unknown (allow,deny,reject)] [-M] "
- "[-c policyvers (%d-%d)] [-o output_file] [-S] "
+ "[-c policyvers (%d-%d)] [-o output_file|-] [-S] "
"[-t target_platform (selinux,xen)] [-V] [input_file]\n",
progname, POLICYDB_VERSION_MIN, POLICYDB_VERSION_MAX);
exit(1);
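Review bot: The usage string gains `|-` for `-o` but not the new `-O` flag, although this commit adds `O` to the getopt string and an `"optimize"` long option further down in `main`. Add it next to `[-S]`, e.g. `"[-c policyvers (%d-%d)] [-o output_file|-] [-S] [-O] "`. The SYNOPSIS line in `checkpolicy/checkpolicy.8` has the same gap: `\-O,\-\-optimize` is described under the options but is absent from the synopsis.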
@@ -390,11 +390,12 @@ int main(int argc, char **argv)
struct sepol_av_decision avd;
class_datum_t *cladatum;
const char *file = txtfile;
- char ans[80 + 1], *outfile = NULL, *path, *fstype;
+ char ans[80 + 1], *path, *fstype;
+ const char *outfile = NULL;
size_t scontext_len, pathlen;
unsigned int i;
unsigned int protocol, port;
- unsigned int binary = 0, debug = 0, sort = 0, cil = 0, conf = 0;
+ unsigned int binary = 0, debug = 0, sort = 0, cil = 0, conf = 0, optimize = 0;
struct val_to_name v;
int ret, ch, fd, target = SEPOL_TARGET_SELINUX;
unsigned int nel, uret;
@@ -419,11 +420,12 @@ int main(int argc, char **argv)
{"cil", no_argument, NULL, 'C'},
{"conf",no_argument, NULL, 'F'},
{"sort", no_argument, NULL, 'S'},
+ {"optimize", no_argument, NULL, 'O'},
{"help", no_argument, NULL, 'h'},
{NULL, 0, NULL, 0}
};
- while ((ch = getopt_long(argc, argv, "o:t:dbU:MCFSVc:h", long_options, NULL)) != -1) {
+ while ((ch = getopt_long(argc, argv, "o:t:dbU:MCFSVc:Oh", long_options, NULL)) != -1) {
switch (ch) {
case 'o':
outfile = optarg;
@@ -466,6 +468,9 @@ int main(int argc, char **argv)
case 'S':
sort = 1;
break;
+ case 'O':
+ optimize = 1;
+ break;
case 'M':
mlspol = 1;
break;
@@ -625,12 +630,25 @@ int main(int argc, char **argv)
if (policydb_load_isids(&policydb, &sidtab))
exit(1);
- if (outfile) {
- outfp = fopen(outfile, "w");
- if (!outfp) {
- perror(outfile);
+ if (optimize && policydbp->policy_type == POLICY_KERN) {
+ ret = policydb_optimize(policydbp);
+ if (ret) {
+ fprintf(stderr, "%s: error optimizing policy\n", argv[0]);
exit(1);
}
+ }
+
+ if (outfile) {
+ if (!strcmp(outfile, "-")) {
+ outfp = stdout;
+ outfile = "<STDOUT>";
+ } else {
+ outfp = fopen(outfile, "w");
+ if (!outfp) {
+ perror(outfile);
+ exit(1);
+ }
+ }
policydb.policyvers = policyvers;
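Review bot: `-O` is dropped without any message when `policydbp->policy_type` is not `POLICY_KERN`, so a caller who asked for an optimized policy cannot tell from the output or exit status that none was produced. Whether a non-kernel policy can reach this point is not visible in the hunk; if it can, report it, e.g. `else if (optimize) fprintf(stderr, "%s: -O ignored, not a kernel policy\n", argv[0]);`. A short comment above the check saying why optimization is limited to kernel policies, and one on `outfile = "<STDOUT>";` noting that the string is only a label for later messages, would help the next reader. `main` starts and ends outside the hunk.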
@@ -670,7 +688,7 @@ int main(int argc, char **argv)
}
}
- if (outfile) {
+ if (outfp != stdout) {
fclose(outfp);
}
} else if (cil) {
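Review bot: With `-o -` the buffered policy is never flushed or checked here, and for regular files the result of `fclose(outfp)` is discarded, so a failed final write (full disk, closed pipe) can leave a truncated policy without an error from this code path. Check the flush on both paths, e.g. `if (outfp == stdout ? fflush(outfp) : fclose(outfp)) { perror(outfile); exit(1); }`. A truncated binary policy that is later loaded is the outcome worth ruling out. The enclosing `if (outfile)` block and `main` itself extend beyond the hunk.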
diff --git a/checkpolicy/checkpolicy.h b/checkpolicy/checkpolicy.h
index 3868f1fa..f127687e 100644
--- a/checkpolicy/checkpolicy.h
+++ b/checkpolicy/checkpolicy.h
@@ -1,20 +1,6 @@
#ifndef _CHECKPOLICY_H_
#define _CHECKPOLICY_H_
-#include <sepol/policydb/ebitmap.h>
-
-typedef struct te_assert {
- ebitmap_t stypes;
- ebitmap_t ttypes;
- ebitmap_t tclasses;
- int self;
- sepol_access_vector_t *avp;
- unsigned long line;
- struct te_assert *next;
-} te_assert_t;
-
-te_assert_t *te_assertions;
-
extern unsigned int policyvers;
#endif
diff --git a/checkpolicy/parse_util.c b/checkpolicy/parse_util.c
index 9fda5b42..f2809b48 100644
--- a/checkpolicy/parse_util.c
+++ b/checkpolicy/parse_util.c
@@ -69,9 +69,6 @@ int read_source_policy(policydb_t * p, const char *file, const char *progname)
}
queue_destroy(id_queue);
- if (policydb_errors)
- return -1;
-
fclose(yyin);
return 0;
diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c
index db143836..e295bc52 100644
--- a/checkpolicy/policy_define.c
+++ b/checkpolicy/policy_define.c
@@ -2022,7 +2022,7 @@ int avrule_ioctl_ranges(struct av_ioctl_range_list **rangelist)
return -1;
if (avrule_merge_ioctls(&rangehead))
return -1;
- /* flip ranges if these are ommited*/
+ /* flip ranges if these are omitted */
if (omit) {
if (avrule_omit_ioctls(&rangehead))
return -1;
@@ -2189,7 +2189,7 @@ int avrule_xperms_used(av_extended_perms_t *xperms)
/*
* using definitions found in kernel document ioctl-number.txt
* The kernel components of an ioctl command are:
- * dir, size, driver, and fucntion. Only the driver and function fields
+ * dir, size, driver, and function. Only the driver and function fields
* are considered here
*/
#define IOC_DRIV(x) (x >> 8)
@@ -3377,9 +3377,9 @@ int define_filename_trans(void)
goto bad;
}
- /* We expand the class set into seperate rules. We expand the types
+ /* We expand the class set into separate rules. We expand the types
* just to make sure there are not duplicates. They will get turned
- * into seperate rules later */
+ * into separate rules later */
if (type_set_expand(&stypes, &e_stypes, policydbp, 1))
goto bad;
diff --git a/checkpolicy/policy_parse.y b/checkpolicy/policy_parse.y
index 247bd4ee..abb7d885 100644
--- a/checkpolicy/policy_parse.y
+++ b/checkpolicy/policy_parse.y
@@ -155,7 +155,7 @@ typedef int (* require_func_t)(int pass);
%token PERMISSIVE
%token FILESYSTEM
%token DEFAULT_USER DEFAULT_ROLE DEFAULT_TYPE DEFAULT_RANGE
-%token LOW_HIGH LOW HIGH
+%token LOW_HIGH LOW HIGH GLBLUB
%left OR
%left XOR
@@ -247,6 +247,8 @@ default_range_def : DEFAULT_RANGE names SOURCE LOW ';'
{if (define_default_range(DEFAULT_TARGET_HIGH)) return -1; }
| DEFAULT_RANGE names TARGET LOW_HIGH ';'
{if (define_default_range(DEFAULT_TARGET_LOW_HIGH)) return -1; }
+ | DEFAULT_RANGE names GLBLUB';'
+ {if (define_default_range(DEFAULT_GLBLUB)) return -1; }
;
opt_mls : mls
|
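Review bot: The new alternative `DEFAULT_RANGE names GLBLUB';'` lacks the space before `';'` that the neighbouring alternatives of `default_range_def` have; write it as `| DEFAULT_RANGE names GLBLUB ';'`. It is also the only visible alternative without a SOURCE/TARGET keyword, so a one-line comment such as `/* glblub: greatest lower bound / lowest upper bound of the source and target ranges */` would document what `DEFAULT_GLBLUB` selects. The rule begins before the hunk.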
diff --git a/checkpolicy/policy_scan.l b/checkpolicy/policy_scan.l
index e93ccb64..e2f676e4 100644
--- a/checkpolicy/policy_scan.l
+++ b/checkpolicy/policy_scan.l
@@ -256,6 +256,8 @@ high |
HIGH { return(HIGH); }
low |
LOW { return(LOW); }
+glblub |
+GLBLUB { return(GLBLUB); }
"/"[^ \n\r\t\f]* { return(PATH); }
\""/"[^\"\n]*\" { return(QPATH); }
\"[^"/"\"\n]+\" { return(FILENAME); }
diff --git a/checkpolicy/ru/checkmodule.8 b/checkpolicy/ru/checkmodule.8
index 93e68e70..a1d687e3 100644
--- a/checkpolicy/ru/checkmodule.8
+++ b/checkpolicy/ru/checkmodule.8
@@ -46,8 +46,7 @@ $ checkmodule \-M \-m httpd.te \-o httpd.mod
.SH "СМОТРИТЕ ТÐКЖЕ"
.B semodule(8), semodule_package(8)
-Ð”Ð¾ÐºÑƒÐ¼ÐµÐ½Ñ‚Ð°Ñ†Ð¸Ñ SELinux по адреÑу http://www.nsa.gov/research/selinux,
-в чаÑтноÑти - "ÐаÑтройка политики SELinux".
+Ð”Ð¾ÐºÑƒÐ¼ÐµÐ½Ñ‚Ð°Ñ†Ð¸Ñ SELinux Reference Policy по адреÑу https://github.com/SELinuxProject/refpolicy/wiki
.SH ÐВТОРЫ
diff --git a/checkpolicy/ru/checkpolicy.8 b/checkpolicy/ru/checkpolicy.8
index 2ad39b8e..25b0e555 100644
--- a/checkpolicy/ru/checkpolicy.8
+++ b/checkpolicy/ru/checkpolicy.8
@@ -51,9 +51,7 @@ checkpolicy \- компилÑтор политики SELinux
Показать ÑÐ²ÐµÐ´ÐµÐ½Ð¸Ñ Ð¾Ð± иÑпользовании.
.SH "СМОТРИТЕ ТÐКЖЕ"
-Ð”Ð¾ÐºÑƒÐ¼ÐµÐ½Ñ‚Ð°Ñ†Ð¸Ñ SELinux по адреÑу http://www.nsa.gov/research/selinux,
-в чаÑтноÑти - "ÐаÑтройка политики SELinux".
-
+Ð”Ð¾ÐºÑƒÐ¼ÐµÐ½Ñ‚Ð°Ñ†Ð¸Ñ SELinux Reference Policy по адреÑу https://github.com/SELinuxProject/refpolicy/wiki
.SH ÐВТОРЫ
Эта Ñтраница руководÑтва была напиÑана Arpad Magosanyi <mag@bunuel.tii.matav.hu>,
diff --git a/dbus/VERSION b/dbus/VERSION
index 8c269150..9f55b2cc 100644
--- a/dbus/VERSION
+++ b/dbus/VERSION
@@ -1 +1 @@
-2.9
+3.0
diff --git a/dbus/selinux_server.py b/dbus/selinux_server.py
index 98ab53dd..be4f4557 100644
--- a/dbus/selinux_server.py
+++ b/dbus/selinux_server.py
@@ -19,7 +19,7 @@ class selinux_server(slip.dbus.service.Object):
#
# The semanage method runs a transaction on a series of semanage commands,
- # these commnds can take the output of customized
+ # these commands can take the output of customized
#
@slip.dbus.polkit.require_auth("org.selinux.semanage")
@dbus.service.method("org.selinux", in_signature='s')
@@ -85,7 +85,10 @@ class selinux_server(slip.dbus.service.Object):
fd = open("/.autorelabel", "w")
fd.close()
else:
- os.unlink("/.autorelabel")
+ try:
+ os.unlink("/.autorelabel")
+ except FileNotFoundError:
+ pass
def write_selinux_config(self, enforcing=None, policy=None):
path = selinux.selinux_path() + "config"
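Review bot: The new `except FileNotFoundError: pass` has no comment saying why a missing `/.autorelabel` is acceptable, so it reads like a blanket swallow. A comment such as `# flag file already absent: nothing to clear` above `pass` would make the intent explicit. Only the not-found case is suppressed, so other `OSError`s from `os.unlink` (a permission failure, for example) still propagate to the caller, which looks intended. The enclosing method starts before this hunk.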
diff --git a/gui/VERSION b/gui/VERSION
index 8c269150..9f55b2cc 100644
--- a/gui/VERSION
+++ b/gui/VERSION
@@ -1 +1 @@
-2.9
+3.0
diff --git a/gui/modulesPage.py b/gui/modulesPage.py
index cb856b2d..0584acf9 100644
--- a/gui/modulesPage.py
+++ b/gui/modulesPage.py
@@ -125,9 +125,10 @@ class modulesPage(semanagePage):
def delete(self):
store, iter = self.view.get_selection().get_selected()
module = store.get_value(iter, 0)
+ priority = store.get_value(iter, 1)
try:
self.wait()
- status, output = getstatusoutput("semodule -r %s" % module)
+ status, output = getstatusoutput("semodule -X %s -r %s" % (priority, module))
self.ready()
if status != 0:
self.error(output)
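Review bot: The rewritten `getstatusoutput(...)` call in `delete` now formats two values from the tree model into a single command string, and `getstatusoutput` presumably hands that string to a shell (its import is not visible in this hunk). Nothing in the hunk constrains `module` or `priority`, so quoting each value keeps shell metacharacters in a listed name from being interpreted: `status, output = getstatusoutput("semodule -X %s -r %s" % (shlex.quote(str(priority)), shlex.quote(module)))`, with `import shlex` added at the top of the file. `delete` continues past the end of the hunk.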
diff --git a/gui/polgen.ui b/gui/polgen.ui
index 6a8c0672..91b3abcd 100644
--- a/gui/polgen.ui
+++ b/gui/polgen.ui
@@ -901,7 +901,7 @@
<object class="GtkTreeView" id="existing_user_treeview">
<property name="visible">True</property>
<property name="can_focus">True</property>
- <property name="tooltip-text" translatable="yes">Select the user roles that will transiton to the %s domain.</property>
+ <property name="tooltip-text" translatable="yes">Select the user roles that will transition to the %s domain.</property>
<property name="headers_visible">False</property>
</object>
</child>
@@ -1004,7 +1004,7 @@ role tab</property>
<object class="GtkTreeView" id="user_transition_treeview">
<property name="visible">True</property>
<property name="can_focus">True</property>
- <property name="tooltip-text" translatable="yes">Select the user roles that will transiton to this applications domains.</property>
+ <property name="tooltip-text" translatable="yes">Select the user roles that will transition to this applications domains.</property>
<property name="headers_visible">False</property>
</object>
</child>
diff --git a/gui/polgengui.py b/gui/polgengui.py
index b1cc9937..d284ded6 100644
--- a/gui/polgengui.py
+++ b/gui/polgengui.py
@@ -769,7 +769,7 @@ class childWindow:
self.syslog_checkbutton.set_active(policy.use_syslog)
def stand_alone(self):
- desktopName = _("Configue SELinux")
+ desktopName = _("Configure SELinux")
self.setupScreen()
self.mainWindow.connect("destroy", self.quit)
diff --git a/gui/system-config-selinux.py b/gui/system-config-selinux.py
index c42301b6..3f70122b 100644
--- a/gui/system-config-selinux.py
+++ b/gui/system-config-selinux.py
@@ -181,7 +181,7 @@ class childWindow:
self.view.get_selection().select_path((0,))
def stand_alone(self):
- desktopName = _("Configue SELinux")
+ desktopName = _("Configure SELinux")
self.setupScreen()
diff --git a/lgtm.yml b/lgtm.yml
new file mode 100644
index 00000000..f80bf146
--- /dev/null
+++ b/lgtm.yml
@@ -0,0 +1,5 @@
+extraction:
+ cpp:
+ index:
+ build_command:
+ - make DESTDIR="$LGTM_WORKSPACE/destdir" install
diff --git a/libselinux/VERSION b/libselinux/VERSION
index 8c269150..9f55b2cc 100644
--- a/libselinux/VERSION
+++ b/libselinux/VERSION
@@ -1 +1 @@
-2.9
+3.0
diff --git a/libselinux/include/selinux/av_permissions.h b/libselinux/include/selinux/av_permissions.h
deleted file mode 100644
index c1269af9..00000000
--- a/libselinux/include/selinux/av_permissions.h
+++ /dev/null
@@ -1,1029 +0,0 @@
-#warning "Please remove any #include of this header in your source code."
-#warning "Instead, use string_to_av_perm() to map the permission name to a value."
-
-/* This file is automatically generated. Do not edit. */
-#define COMMON_FILE__IOCTL 0x00000001UL
-#define COMMON_FILE__READ 0x00000002UL
-#define COMMON_FILE__WRITE 0x00000004UL
-#define COMMON_FILE__CREATE 0x00000008UL
-#define COMMON_FILE__GETATTR 0x00000010UL
-#define COMMON_FILE__SETATTR 0x00000020UL
-#define COMMON_FILE__LOCK 0x00000040UL
-#define COMMON_FILE__RELABELFROM 0x00000080UL
-#define COMMON_FILE__RELABELTO 0x00000100UL
-#define COMMON_FILE__APPEND 0x00000200UL
-#define COMMON_FILE__UNLINK 0x00000400UL
-#define COMMON_FILE__LINK 0x00000800UL
-#define COMMON_FILE__RENAME 0x00001000UL
-#define COMMON_FILE__EXECUTE 0x00002000UL
-#define COMMON_FILE__SWAPON 0x00004000UL
-#define COMMON_FILE__QUOTAON 0x00008000UL
-#define COMMON_FILE__MOUNTON 0x00010000UL
-#define COMMON_SOCKET__IOCTL 0x00000001UL
-#define COMMON_SOCKET__READ 0x00000002UL
-#define COMMON_SOCKET__WRITE 0x00000004UL
-#define COMMON_SOCKET__CREATE 0x00000008UL
-#define COMMON_SOCKET__GETATTR 0x00000010UL
-#define COMMON_SOCKET__SETATTR 0x00000020UL
-#define COMMON_SOCKET__LOCK 0x00000040UL
-#define COMMON_SOCKET__RELABELFROM 0x00000080UL
-#define COMMON_SOCKET__RELABELTO 0x00000100UL
-#define COMMON_SOCKET__APPEND 0x00000200UL
-#define COMMON_SOCKET__BIND 0x00000400UL
-#define COMMON_SOCKET__CONNECT 0x00000800UL
-#define COMMON_SOCKET__LISTEN 0x00001000UL
-#define COMMON_SOCKET__ACCEPT 0x00002000UL
-#define COMMON_SOCKET__GETOPT 0x00004000UL
-#define COMMON_SOCKET__SETOPT 0x00008000UL
-#define COMMON_SOCKET__SHUTDOWN 0x00010000UL
-#define COMMON_SOCKET__RECVFROM 0x00020000UL
-#define COMMON_SOCKET__SENDTO 0x00040000UL
-#define COMMON_SOCKET__RECV_MSG 0x00080000UL
-#define COMMON_SOCKET__SEND_MSG 0x00100000UL
-#define COMMON_SOCKET__NAME_BIND 0x00200000UL
-#define COMMON_IPC__CREATE 0x00000001UL
-#define COMMON_IPC__DESTROY 0x00000002UL
-#define COMMON_IPC__GETATTR 0x00000004UL
-#define COMMON_IPC__SETATTR 0x00000008UL
-#define COMMON_IPC__READ 0x00000010UL
-#define COMMON_IPC__WRITE 0x00000020UL
-#define COMMON_IPC__ASSOCIATE 0x00000040UL
-#define COMMON_IPC__UNIX_READ 0x00000080UL
-#define COMMON_IPC__UNIX_WRITE 0x00000100UL
-#define COMMON_DATABASE__CREATE 0x00000001UL
-#define COMMON_DATABASE__DROP 0x00000002UL
-#define COMMON_DATABASE__GETATTR 0x00000004UL
-#define COMMON_DATABASE__SETATTR 0x00000008UL
-#define COMMON_DATABASE__RELABELFROM 0x00000010UL
-#define COMMON_DATABASE__RELABELTO 0x00000020UL
-#define FILESYSTEM__MOUNT 0x00000001UL
-#define FILESYSTEM__REMOUNT 0x00000002UL
-#define FILESYSTEM__UNMOUNT 0x00000004UL
-#define FILESYSTEM__GETATTR 0x00000008UL
-#define FILESYSTEM__RELABELFROM 0x00000010UL
-#define FILESYSTEM__RELABELTO 0x00000020UL
-#define FILESYSTEM__TRANSITION 0x00000040UL
-#define FILESYSTEM__ASSOCIATE 0x00000080UL
-#define FILESYSTEM__QUOTAMOD 0x00000100UL
-#define FILESYSTEM__QUOTAGET 0x00000200UL
-#define DIR__IOCTL 0x00000001UL
-#define DIR__READ 0x00000002UL
-#define DIR__WRITE 0x00000004UL
-#define DIR__CREATE 0x00000008UL
-#define DIR__GETATTR 0x00000010UL
-#define DIR__SETATTR 0x00000020UL
-#define DIR__LOCK 0x00000040UL
-#define DIR__RELABELFROM 0x00000080UL
-#define DIR__RELABELTO 0x00000100UL
-#define DIR__APPEND 0x00000200UL
-#define DIR__UNLINK 0x00000400UL
-#define DIR__LINK 0x00000800UL
-#define DIR__RENAME 0x00001000UL
-#define DIR__EXECUTE 0x00002000UL
-#define DIR__SWAPON 0x00004000UL
-#define DIR__QUOTAON 0x00008000UL
-#define DIR__MOUNTON 0x00010000UL
-#define DIR__ADD_NAME 0x00020000UL
-#define DIR__REMOVE_NAME 0x00040000UL
-#define DIR__REPARENT 0x00080000UL
-#define DIR__SEARCH 0x00100000UL
-#define DIR__RMDIR 0x00200000UL
-#define DIR__OPEN 0x00400000UL
-#define FILE__IOCTL 0x00000001UL
-#define FILE__READ 0x00000002UL
-#define FILE__WRITE 0x00000004UL
-#define FILE__CREATE 0x00000008UL
-#define FILE__GETATTR 0x00000010UL
-#define FILE__SETATTR 0x00000020UL
-#define FILE__LOCK 0x00000040UL
-#define FILE__RELABELFROM 0x00000080UL
-#define FILE__RELABELTO 0x00000100UL
-#define FILE__APPEND 0x00000200UL
-#define FILE__UNLINK 0x00000400UL
-#define FILE__LINK 0x00000800UL
-#define FILE__RENAME 0x00001000UL
-#define FILE__EXECUTE 0x00002000UL
-#define FILE__SWAPON 0x00004000UL
-#define FILE__QUOTAON 0x00008000UL
-#define FILE__MOUNTON 0x00010000UL
-#define FILE__EXECUTE_NO_TRANS 0x00020000UL
-#define FILE__ENTRYPOINT 0x00040000UL
-#define FILE__EXECMOD 0x00080000UL
-#define FILE__OPEN 0x00100000UL
-#define LNK_FILE__IOCTL 0x00000001UL
-#define LNK_FILE__READ 0x00000002UL
-#define LNK_FILE__WRITE 0x00000004UL
-#define LNK_FILE__CREATE 0x00000008UL
-#define LNK_FILE__GETATTR 0x00000010UL
-#define LNK_FILE__SETATTR 0x00000020UL
-#define LNK_FILE__LOCK 0x00000040UL
-#define LNK_FILE__RELABELFROM 0x00000080UL
-#define LNK_FILE__RELABELTO 0x00000100UL
-#define LNK_FILE__APPEND 0x00000200UL
-#define LNK_FILE__UNLINK 0x00000400UL
-#define LNK_FILE__LINK 0x00000800UL
-#define LNK_FILE__RENAME 0x00001000UL
-#define LNK_FILE__EXECUTE 0x00002000UL
-#define LNK_FILE__SWAPON 0x00004000UL
-#define LNK_FILE__QUOTAON 0x00008000UL
-#define LNK_FILE__MOUNTON 0x00010000UL
-#define CHR_FILE__IOCTL 0x00000001UL
-#define CHR_FILE__READ 0x00000002UL
-#define CHR_FILE__WRITE 0x00000004UL
-#define CHR_FILE__CREATE 0x00000008UL
-#define CHR_FILE__GETATTR 0x00000010UL
-#define CHR_FILE__SETATTR 0x00000020UL
-#define CHR_FILE__LOCK 0x00000040UL
-#define CHR_FILE__RELABELFROM 0x00000080UL
-#define CHR_FILE__RELABELTO 0x00000100UL
-#define CHR_FILE__APPEND 0x00000200UL
-#define CHR_FILE__UNLINK 0x00000400UL
-#define CHR_FILE__LINK 0x00000800UL
-#define CHR_FILE__RENAME 0x00001000UL
-#define CHR_FILE__EXECUTE 0x00002000UL
-#define CHR_FILE__SWAPON 0x00004000UL
-#define CHR_FILE__QUOTAON 0x00008000UL
-#define CHR_FILE__MOUNTON 0x00010000UL
-#define CHR_FILE__EXECUTE_NO_TRANS 0x00020000UL
-#define CHR_FILE__ENTRYPOINT 0x00040000UL
-#define CHR_FILE__EXECMOD 0x00080000UL
-#define CHR_FILE__OPEN 0x00100000UL
-#define BLK_FILE__IOCTL 0x00000001UL
-#define BLK_FILE__READ 0x00000002UL
-#define BLK_FILE__WRITE 0x00000004UL
-#define BLK_FILE__CREATE 0x00000008UL
-#define BLK_FILE__GETATTR 0x00000010UL
-#define BLK_FILE__SETATTR 0x00000020UL
-#define BLK_FILE__LOCK 0x00000040UL
-#define BLK_FILE__RELABELFROM 0x00000080UL
-#define BLK_FILE__RELABELTO 0x00000100UL
-#define BLK_FILE__APPEND 0x00000200UL
-#define BLK_FILE__UNLINK 0x00000400UL
-#define BLK_FILE__LINK 0x00000800UL
-#define BLK_FILE__RENAME 0x00001000UL
-#define BLK_FILE__EXECUTE 0x00002000UL
-#define BLK_FILE__SWAPON 0x00004000UL
-#define BLK_FILE__QUOTAON 0x00008000UL
-#define BLK_FILE__MOUNTON 0x00010000UL
-#define BLK_FILE__OPEN 0x00020000UL
-#define SOCK_FILE__IOCTL 0x00000001UL
-#define SOCK_FILE__READ 0x00000002UL
-#define SOCK_FILE__WRITE 0x00000004UL
-#define SOCK_FILE__CREATE 0x00000008UL
-#define SOCK_FILE__GETATTR 0x00000010UL
-#define SOCK_FILE__SETATTR 0x00000020UL
-#define SOCK_FILE__LOCK 0x00000040UL
-#define SOCK_FILE__RELABELFROM 0x00000080UL
-#define SOCK_FILE__RELABELTO 0x00000100UL
-#define SOCK_FILE__APPEND 0x00000200UL
-#define SOCK_FILE__UNLINK 0x00000400UL
-#define SOCK_FILE__LINK 0x00000800UL
-#define SOCK_FILE__RENAME 0x00001000UL
-#define SOCK_FILE__EXECUTE 0x00002000UL
-#define SOCK_FILE__SWAPON 0x00004000UL
-#define SOCK_FILE__QUOTAON 0x00008000UL
-#define SOCK_FILE__MOUNTON 0x00010000UL
-#define FIFO_FILE__IOCTL 0x00000001UL
-#define FIFO_FILE__READ 0x00000002UL
-#define FIFO_FILE__WRITE 0x00000004UL
-#define FIFO_FILE__CREATE 0x00000008UL
-#define FIFO_FILE__GETATTR 0x00000010UL
-#define FIFO_FILE__SETATTR 0x00000020UL
-#define FIFO_FILE__LOCK 0x00000040UL
-#define FIFO_FILE__RELABELFROM 0x00000080UL
-#define FIFO_FILE__RELABELTO 0x00000100UL
-#define FIFO_FILE__APPEND 0x00000200UL
-#define FIFO_FILE__UNLINK 0x00000400UL
-#define FIFO_FILE__LINK 0x00000800UL
-#define FIFO_FILE__RENAME 0x00001000UL
-#define FIFO_FILE__EXECUTE 0x00002000UL
-#define FIFO_FILE__SWAPON 0x00004000UL
-#define FIFO_FILE__QUOTAON 0x00008000UL
-#define FIFO_FILE__MOUNTON 0x00010000UL
-#define FIFO_FILE__OPEN 0x00020000UL
-#define FD__USE 0x00000001UL
-#define SOCKET__IOCTL 0x00000001UL
-#define SOCKET__READ 0x00000002UL
-#define SOCKET__WRITE 0x00000004UL
-#define SOCKET__CREATE 0x00000008UL
-#define SOCKET__GETATTR 0x00000010UL
-#define SOCKET__SETATTR 0x00000020UL
-#define SOCKET__LOCK 0x00000040UL
-#define SOCKET__RELABELFROM 0x00000080UL
-#define SOCKET__RELABELTO 0x00000100UL
-#define SOCKET__APPEND 0x00000200UL
-#define SOCKET__BIND 0x00000400UL
-#define SOCKET__CONNECT 0x00000800UL
-#define SOCKET__LISTEN 0x00001000UL
-#define SOCKET__ACCEPT 0x00002000UL
-#define SOCKET__GETOPT 0x00004000UL
-#define SOCKET__SETOPT 0x00008000UL
-#define SOCKET__SHUTDOWN 0x00010000UL
-#define SOCKET__RECVFROM 0x00020000UL
-#define SOCKET__SENDTO 0x00040000UL
-#define SOCKET__RECV_MSG 0x00080000UL
-#define SOCKET__SEND_MSG 0x00100000UL
-#define SOCKET__NAME_BIND 0x00200000UL
-#define TCP_SOCKET__IOCTL 0x00000001UL
-#define TCP_SOCKET__READ 0x00000002UL
-#define TCP_SOCKET__WRITE 0x00000004UL
-#define TCP_SOCKET__CREATE 0x00000008UL
-#define TCP_SOCKET__GETATTR 0x00000010UL
-#define TCP_SOCKET__SETATTR 0x00000020UL
-#define TCP_SOCKET__LOCK 0x00000040UL
-#define TCP_SOCKET__RELABELFROM 0x00000080UL
-#define TCP_SOCKET__RELABELTO 0x00000100UL
-#define TCP_SOCKET__APPEND 0x00000200UL
-#define TCP_SOCKET__BIND 0x00000400UL
-#define TCP_SOCKET__CONNECT 0x00000800UL
-#define TCP_SOCKET__LISTEN 0x00001000UL
-#define TCP_SOCKET__ACCEPT 0x00002000UL
-#define TCP_SOCKET__GETOPT 0x00004000UL
-#define TCP_SOCKET__SETOPT 0x00008000UL
-#define TCP_SOCKET__SHUTDOWN 0x00010000UL
-#define TCP_SOCKET__RECVFROM 0x00020000UL
-#define TCP_SOCKET__SENDTO 0x00040000UL
-#define TCP_SOCKET__RECV_MSG 0x00080000UL
-#define TCP_SOCKET__SEND_MSG 0x00100000UL
-#define TCP_SOCKET__NAME_BIND 0x00200000UL
-#define TCP_SOCKET__CONNECTTO 0x00400000UL
-#define TCP_SOCKET__NEWCONN 0x00800000UL
-#define TCP_SOCKET__ACCEPTFROM 0x01000000UL
-#define TCP_SOCKET__NODE_BIND 0x02000000UL
-#define TCP_SOCKET__NAME_CONNECT 0x04000000UL
-#define UDP_SOCKET__IOCTL 0x00000001UL
-#define UDP_SOCKET__READ 0x00000002UL
-#define UDP_SOCKET__WRITE 0x00000004UL
-#define UDP_SOCKET__CREATE 0x00000008UL
-#define UDP_SOCKET__GETATTR 0x00000010UL
-#define UDP_SOCKET__SETATTR 0x00000020UL
-#define UDP_SOCKET__LOCK 0x00000040UL
-#define UDP_SOCKET__RELABELFROM 0x00000080UL
-#define UDP_SOCKET__RELABELTO 0x00000100UL
-#define UDP_SOCKET__APPEND 0x00000200UL
-#define UDP_SOCKET__BIND 0x00000400UL
-#define UDP_SOCKET__CONNECT 0x00000800UL
-#define UDP_SOCKET__LISTEN 0x00001000UL
-#define UDP_SOCKET__ACCEPT 0x00002000UL
-#define UDP_SOCKET__GETOPT 0x00004000UL
-#define UDP_SOCKET__SETOPT 0x00008000UL
-#define UDP_SOCKET__SHUTDOWN 0x00010000UL
-#define UDP_SOCKET__RECVFROM 0x00020000UL
-#define UDP_SOCKET__SENDTO 0x00040000UL
-#define UDP_SOCKET__RECV_MSG 0x00080000UL
-#define UDP_SOCKET__SEND_MSG 0x00100000UL
-#define UDP_SOCKET__NAME_BIND 0x00200000UL
-#define UDP_SOCKET__NODE_BIND 0x00400000UL
-#define RAWIP_SOCKET__IOCTL 0x00000001UL
-#define RAWIP_SOCKET__READ 0x00000002UL
-#define RAWIP_SOCKET__WRITE 0x00000004UL
-#define RAWIP_SOCKET__CREATE 0x00000008UL
-#define RAWIP_SOCKET__GETATTR 0x00000010UL
-#define RAWIP_SOCKET__SETATTR 0x00000020UL
-#define RAWIP_SOCKET__LOCK 0x00000040UL
-#define RAWIP_SOCKET__RELABELFROM 0x00000080UL
-#define RAWIP_SOCKET__RELABELTO 0x00000100UL
-#define RAWIP_SOCKET__APPEND 0x00000200UL
-#define RAWIP_SOCKET__BIND 0x00000400UL
-#define RAWIP_SOCKET__CONNECT 0x00000800UL
-#define RAWIP_SOCKET__LISTEN 0x00001000UL
-#define RAWIP_SOCKET__ACCEPT 0x00002000UL
-#define RAWIP_SOCKET__GETOPT 0x00004000UL
-#define RAWIP_SOCKET__SETOPT 0x00008000UL
-#define RAWIP_SOCKET__SHUTDOWN 0x00010000UL
-#define RAWIP_SOCKET__RECVFROM 0x00020000UL
-#define RAWIP_SOCKET__SENDTO 0x00040000UL
-#define RAWIP_SOCKET__RECV_MSG 0x00080000UL
-#define RAWIP_SOCKET__SEND_MSG 0x00100000UL
-#define RAWIP_SOCKET__NAME_BIND 0x00200000UL
-#define RAWIP_SOCKET__NODE_BIND 0x00400000UL
-#define NODE__TCP_RECV 0x00000001UL
-#define NODE__TCP_SEND 0x00000002UL
-#define NODE__UDP_RECV 0x00000004UL
-#define NODE__UDP_SEND 0x00000008UL
-#define NODE__RAWIP_RECV 0x00000010UL
-#define NODE__RAWIP_SEND 0x00000020UL
-#define NODE__ENFORCE_DEST 0x00000040UL
-#define NODE__DCCP_RECV 0x00000080UL
-#define NODE__DCCP_SEND 0x00000100UL
-#define NODE__RECVFROM 0x00000200UL
-#define NODE__SENDTO 0x00000400UL
-#define NETIF__TCP_RECV 0x00000001UL
-#define NETIF__TCP_SEND 0x00000002UL
-#define NETIF__UDP_RECV 0x00000004UL
-#define NETIF__UDP_SEND 0x00000008UL
-#define NETIF__RAWIP_RECV 0x00000010UL
-#define NETIF__RAWIP_SEND 0x00000020UL
-#define NETIF__DCCP_RECV 0x00000040UL
-#define NETIF__DCCP_SEND 0x00000080UL
-#define NETIF__INGRESS 0x00000100UL
-#define NETIF__EGRESS 0x00000200UL
-#define NETLINK_SOCKET__IOCTL 0x00000001UL
-#define NETLINK_SOCKET__READ 0x00000002UL
-#define NETLINK_SOCKET__WRITE 0x00000004UL
-#define NETLINK_SOCKET__CREATE 0x00000008UL
-#define NETLINK_SOCKET__GETATTR 0x00000010UL
-#define NETLINK_SOCKET__SETATTR 0x00000020UL
-#define NETLINK_SOCKET__LOCK 0x00000040UL
-#define NETLINK_SOCKET__RELABELFROM 0x00000080UL
-#define NETLINK_SOCKET__RELABELTO 0x00000100UL
-#define NETLINK_SOCKET__APPEND 0x00000200UL
-#define NETLINK_SOCKET__BIND 0x00000400UL
-#define NETLINK_SOCKET__CONNECT 0x00000800UL
-#define NETLINK_SOCKET__LISTEN 0x00001000UL
-#define NETLINK_SOCKET__ACCEPT 0x00002000UL
-#define NETLINK_SOCKET__GETOPT 0x00004000UL
-#define NETLINK_SOCKET__SETOPT 0x00008000UL
-#define NETLINK_SOCKET__SHUTDOWN 0x00010000UL
-#define NETLINK_SOCKET__RECVFROM 0x00020000UL
-#define NETLINK_SOCKET__SENDTO 0x00040000UL
-#define NETLINK_SOCKET__RECV_MSG 0x00080000UL
-#define NETLINK_SOCKET__SEND_MSG 0x00100000UL
-#define NETLINK_SOCKET__NAME_BIND 0x00200000UL
-#define PACKET_SOCKET__IOCTL 0x00000001UL
-#define PACKET_SOCKET__READ 0x00000002UL
-#define PACKET_SOCKET__WRITE 0x00000004UL
-#define PACKET_SOCKET__CREATE 0x00000008UL
-#define PACKET_SOCKET__GETATTR 0x00000010UL
-#define PACKET_SOCKET__SETATTR 0x00000020UL
-#define PACKET_SOCKET__LOCK 0x00000040UL
-#define PACKET_SOCKET__RELABELFROM 0x00000080UL
-#define PACKET_SOCKET__RELABELTO 0x00000100UL
-#define PACKET_SOCKET__APPEND 0x00000200UL
-#define PACKET_SOCKET__BIND 0x00000400UL
-#define PACKET_SOCKET__CONNECT 0x00000800UL
-#define PACKET_SOCKET__LISTEN 0x00001000UL
-#define PACKET_SOCKET__ACCEPT 0x00002000UL
-#define PACKET_SOCKET__GETOPT 0x00004000UL
-#define PACKET_SOCKET__SETOPT 0x00008000UL
-#define PACKET_SOCKET__SHUTDOWN 0x00010000UL
-#define PACKET_SOCKET__RECVFROM 0x00020000UL
-#define PACKET_SOCKET__SENDTO 0x00040000UL
-#define PACKET_SOCKET__RECV_MSG 0x00080000UL
-#define PACKET_SOCKET__SEND_MSG 0x00100000UL
-#define PACKET_SOCKET__NAME_BIND 0x00200000UL
-#define KEY_SOCKET__IOCTL 0x00000001UL
-#define KEY_SOCKET__READ 0x00000002UL
-#define KEY_SOCKET__WRITE 0x00000004UL
-#define KEY_SOCKET__CREATE 0x00000008UL
-#define KEY_SOCKET__GETATTR 0x00000010UL
-#define KEY_SOCKET__SETATTR 0x00000020UL
-#define KEY_SOCKET__LOCK 0x00000040UL
-#define KEY_SOCKET__RELABELFROM 0x00000080UL
-#define KEY_SOCKET__RELABELTO 0x00000100UL
-#define KEY_SOCKET__APPEND 0x00000200UL
-#define KEY_SOCKET__BIND 0x00000400UL
-#define KEY_SOCKET__CONNECT 0x00000800UL
-#define KEY_SOCKET__LISTEN 0x00001000UL
-#define KEY_SOCKET__ACCEPT 0x00002000UL
-#define KEY_SOCKET__GETOPT 0x00004000UL
-#define KEY_SOCKET__SETOPT 0x00008000UL
-#define KEY_SOCKET__SHUTDOWN 0x00010000UL
-#define KEY_SOCKET__RECVFROM 0x00020000UL
-#define KEY_SOCKET__SENDTO 0x00040000UL
-#define KEY_SOCKET__RECV_MSG 0x00080000UL
-#define KEY_SOCKET__SEND_MSG 0x00100000UL
-#define KEY_SOCKET__NAME_BIND 0x00200000UL
-#define UNIX_STREAM_SOCKET__IOCTL 0x00000001UL
-#define UNIX_STREAM_SOCKET__READ 0x00000002UL
-#define UNIX_STREAM_SOCKET__WRITE 0x00000004UL
-#define UNIX_STREAM_SOCKET__CREATE 0x00000008UL
-#define UNIX_STREAM_SOCKET__GETATTR 0x00000010UL
-#define UNIX_STREAM_SOCKET__SETATTR 0x00000020UL
-#define UNIX_STREAM_SOCKET__LOCK 0x00000040UL
-#define UNIX_STREAM_SOCKET__RELABELFROM 0x00000080UL
-#define UNIX_STREAM_SOCKET__RELABELTO 0x00000100UL
-#define UNIX_STREAM_SOCKET__APPEND 0x00000200UL
-#define UNIX_STREAM_SOCKET__BIND 0x00000400UL
-#define UNIX_STREAM_SOCKET__CONNECT 0x00000800UL
-#define UNIX_STREAM_SOCKET__LISTEN 0x00001000UL
-#define UNIX_STREAM_SOCKET__ACCEPT 0x00002000UL
-#define UNIX_STREAM_SOCKET__GETOPT 0x00004000UL
-#define UNIX_STREAM_SOCKET__SETOPT 0x00008000UL
-#define UNIX_STREAM_SOCKET__SHUTDOWN 0x00010000UL
-#define UNIX_STREAM_SOCKET__RECVFROM 0x00020000UL
-#define UNIX_STREAM_SOCKET__SENDTO 0x00040000UL
-#define UNIX_STREAM_SOCKET__RECV_MSG 0x00080000UL
-#define UNIX_STREAM_SOCKET__SEND_MSG 0x00100000UL
-#define UNIX_STREAM_SOCKET__NAME_BIND 0x00200000UL
-#define UNIX_STREAM_SOCKET__CONNECTTO 0x00400000UL
-#define UNIX_STREAM_SOCKET__NEWCONN 0x00800000UL
-#define UNIX_STREAM_SOCKET__ACCEPTFROM 0x01000000UL
-#define UNIX_DGRAM_SOCKET__IOCTL 0x00000001UL
-#define UNIX_DGRAM_SOCKET__READ 0x00000002UL
-#define UNIX_DGRAM_SOCKET__WRITE 0x00000004UL
-#define UNIX_DGRAM_SOCKET__CREATE 0x00000008UL
-#define UNIX_DGRAM_SOCKET__GETATTR 0x00000010UL
-#define UNIX_DGRAM_SOCKET__SETATTR 0x00000020UL
-#define UNIX_DGRAM_SOCKET__LOCK 0x00000040UL
-#define UNIX_DGRAM_SOCKET__RELABELFROM 0x00000080UL
-#define UNIX_DGRAM_SOCKET__RELABELTO 0x00000100UL
-#define UNIX_DGRAM_SOCKET__APPEND 0x00000200UL
-#define UNIX_DGRAM_SOCKET__BIND 0x00000400UL
-#define UNIX_DGRAM_SOCKET__CONNECT 0x00000800UL
-#define UNIX_DGRAM_SOCKET__LISTEN 0x00001000UL
-#define UNIX_DGRAM_SOCKET__ACCEPT 0x00002000UL
-#define UNIX_DGRAM_SOCKET__GETOPT 0x00004000UL
-#define UNIX_DGRAM_SOCKET__SETOPT 0x00008000UL
-#define UNIX_DGRAM_SOCKET__SHUTDOWN 0x00010000UL
-#define UNIX_DGRAM_SOCKET__RECVFROM 0x00020000UL
-#define UNIX_DGRAM_SOCKET__SENDTO 0x00040000UL
-#define UNIX_DGRAM_SOCKET__RECV_MSG 0x00080000UL
-#define UNIX_DGRAM_SOCKET__SEND_MSG 0x00100000UL
-#define UNIX_DGRAM_SOCKET__NAME_BIND 0x00200000UL
-#define PROCESS__FORK 0x00000001UL
-#define PROCESS__TRANSITION 0x00000002UL
-#define PROCESS__SIGCHLD 0x00000004UL
-#define PROCESS__SIGKILL 0x00000008UL
-#define PROCESS__SIGSTOP 0x00000010UL
-#define PROCESS__SIGNULL 0x00000020UL
-#define PROCESS__SIGNAL 0x00000040UL
-#define PROCESS__PTRACE 0x00000080UL
-#define PROCESS__GETSCHED 0x00000100UL
-#define PROCESS__SETSCHED 0x00000200UL
-#define PROCESS__GETSESSION 0x00000400UL
-#define PROCESS__GETPGID 0x00000800UL
-#define PROCESS__SETPGID 0x00001000UL
-#define PROCESS__GETCAP 0x00002000UL
-#define PROCESS__SETCAP 0x00004000UL
-#define PROCESS__SHARE 0x00008000UL
-#define PROCESS__GETATTR 0x00010000UL
-#define PROCESS__SETEXEC 0x00020000UL
-#define PROCESS__SETFSCREATE 0x00040000UL
-#define PROCESS__NOATSECURE 0x00080000UL
-#define PROCESS__SIGINH 0x00100000UL
-#define PROCESS__SETRLIMIT 0x00200000UL
-#define PROCESS__RLIMITINH 0x00400000UL
-#define PROCESS__DYNTRANSITION 0x00800000UL
-#define PROCESS__SETCURRENT 0x01000000UL
-#define PROCESS__EXECMEM 0x02000000UL
-#define PROCESS__EXECSTACK 0x04000000UL
-#define PROCESS__EXECHEAP 0x08000000UL
-#define PROCESS__SETKEYCREATE 0x10000000UL
-#define PROCESS__SETSOCKCREATE 0x20000000UL
-#define IPC__CREATE 0x00000001UL
-#define IPC__DESTROY 0x00000002UL
-#define IPC__GETATTR 0x00000004UL
-#define IPC__SETATTR 0x00000008UL
-#define IPC__READ 0x00000010UL
-#define IPC__WRITE 0x00000020UL
-#define IPC__ASSOCIATE 0x00000040UL
-#define IPC__UNIX_READ 0x00000080UL
-#define IPC__UNIX_WRITE 0x00000100UL
-#define SEM__CREATE 0x00000001UL
-#define SEM__DESTROY 0x00000002UL
-#define SEM__GETATTR 0x00000004UL
-#define SEM__SETATTR 0x00000008UL
-#define SEM__READ 0x00000010UL
-#define SEM__WRITE 0x00000020UL
-#define SEM__ASSOCIATE 0x00000040UL
-#define SEM__UNIX_READ 0x00000080UL
-#define SEM__UNIX_WRITE 0x00000100UL
-#define MSGQ__CREATE 0x00000001UL
-#define MSGQ__DESTROY 0x00000002UL
-#define MSGQ__GETATTR 0x00000004UL
-#define MSGQ__SETATTR 0x00000008UL
-#define MSGQ__READ 0x00000010UL
-#define MSGQ__WRITE 0x00000020UL
-#define MSGQ__ASSOCIATE 0x00000040UL
-#define MSGQ__UNIX_READ 0x00000080UL
-#define MSGQ__UNIX_WRITE 0x00000100UL
-#define MSGQ__ENQUEUE 0x00000200UL
-#define MSG__SEND 0x00000001UL
-#define MSG__RECEIVE 0x00000002UL
-#define SHM__CREATE 0x00000001UL
-#define SHM__DESTROY 0x00000002UL
-#define SHM__GETATTR 0x00000004UL
-#define SHM__SETATTR 0x00000008UL
-#define SHM__READ 0x00000010UL
-#define SHM__WRITE 0x00000020UL
-#define SHM__ASSOCIATE 0x00000040UL
-#define SHM__UNIX_READ 0x00000080UL
-#define SHM__UNIX_WRITE 0x00000100UL
-#define SHM__LOCK 0x00000200UL
-#define SECURITY__COMPUTE_AV 0x00000001UL
-#define SECURITY__COMPUTE_CREATE 0x00000002UL
-#define SECURITY__COMPUTE_MEMBER 0x00000004UL
-#define SECURITY__CHECK_CONTEXT 0x00000008UL
-#define SECURITY__LOAD_POLICY 0x00000010UL
-#define SECURITY__COMPUTE_RELABEL 0x00000020UL
-#define SECURITY__COMPUTE_USER 0x00000040UL
-#define SECURITY__SETENFORCE 0x00000080UL
-#define SECURITY__SETBOOL 0x00000100UL
-#define SECURITY__SETSECPARAM 0x00000200UL
-#define SECURITY__SETCHECKREQPROT 0x00000400UL
-#define SYSTEM__IPC_INFO 0x00000001UL
-#define SYSTEM__SYSLOG_READ 0x00000002UL
-#define SYSTEM__SYSLOG_MOD 0x00000004UL
-#define SYSTEM__SYSLOG_CONSOLE 0x00000008UL
-#define CAPABILITY__CHOWN 0x00000001UL
-#define CAPABILITY__DAC_OVERRIDE 0x00000002UL
-#define CAPABILITY__DAC_READ_SEARCH 0x00000004UL
-#define CAPABILITY__FOWNER 0x00000008UL
-#define CAPABILITY__FSETID 0x00000010UL
-#define CAPABILITY__KILL 0x00000020UL
-#define CAPABILITY__SETGID 0x00000040UL
-#define CAPABILITY__SETUID 0x00000080UL
-#define CAPABILITY__SETPCAP 0x00000100UL
-#define CAPABILITY__LINUX_IMMUTABLE 0x00000200UL
-#define CAPABILITY__NET_BIND_SERVICE 0x00000400UL
-#define CAPABILITY__NET_BROADCAST 0x00000800UL
-#define CAPABILITY__NET_ADMIN 0x00001000UL
-#define CAPABILITY__NET_RAW 0x00002000UL
-#define CAPABILITY__IPC_LOCK 0x00004000UL
-#define CAPABILITY__IPC_OWNER 0x00008000UL
-#define CAPABILITY__SYS_MODULE 0x00010000UL
-#define CAPABILITY__SYS_RAWIO 0x00020000UL
-#define CAPABILITY__SYS_CHROOT 0x00040000UL
-#define CAPABILITY__SYS_PTRACE 0x00080000UL
-#define CAPABILITY__SYS_PACCT 0x00100000UL
-#define CAPABILITY__SYS_ADMIN 0x00200000UL
-#define CAPABILITY__SYS_BOOT 0x00400000UL
-#define CAPABILITY__SYS_NICE 0x00800000UL
-#define CAPABILITY__SYS_RESOURCE 0x01000000UL
-#define CAPABILITY__SYS_TIME 0x02000000UL
-#define CAPABILITY__SYS_TTY_CONFIG 0x04000000UL
-#define CAPABILITY__MKNOD 0x08000000UL
-#define CAPABILITY__LEASE 0x10000000UL
-#define CAPABILITY__AUDIT_WRITE 0x20000000UL
-#define CAPABILITY__AUDIT_CONTROL 0x40000000UL
-#define CAPABILITY__SETFCAP 0x80000000UL
-#define CAPABILITY2__MAC_OVERRIDE 0x00000001UL
-#define CAPABILITY2__MAC_ADMIN 0x00000002UL
-#define PASSWD__PASSWD 0x00000001UL
-#define PASSWD__CHFN 0x00000002UL
-#define PASSWD__CHSH 0x00000004UL
-#define PASSWD__ROOTOK 0x00000008UL
-#define PASSWD__CRONTAB 0x00000010UL
-#define X_DRAWABLE__CREATE 0x00000001UL
-#define X_DRAWABLE__DESTROY 0x00000002UL
-#define X_DRAWABLE__READ 0x00000004UL
-#define X_DRAWABLE__WRITE 0x00000008UL
-#define X_DRAWABLE__BLEND 0x00000010UL
-#define X_DRAWABLE__GETATTR 0x00000020UL
-#define X_DRAWABLE__SETATTR 0x00000040UL
-#define X_DRAWABLE__LIST_CHILD 0x00000080UL
-#define X_DRAWABLE__ADD_CHILD 0x00000100UL
-#define X_DRAWABLE__REMOVE_CHILD 0x00000200UL
-#define X_DRAWABLE__LIST_PROPERTY 0x00000400UL
-#define X_DRAWABLE__GET_PROPERTY 0x00000800UL
-#define X_DRAWABLE__SET_PROPERTY 0x00001000UL
-#define X_DRAWABLE__MANAGE 0x00002000UL
-#define X_DRAWABLE__OVERRIDE 0x00004000UL
-#define X_DRAWABLE__SHOW 0x00008000UL
-#define X_DRAWABLE__HIDE 0x00010000UL
-#define X_DRAWABLE__SEND 0x00020000UL
-#define X_DRAWABLE__RECEIVE 0x00040000UL
-#define X_SCREEN__GETATTR 0x00000001UL
-#define X_SCREEN__SETATTR 0x00000002UL
-#define X_SCREEN__HIDE_CURSOR 0x00000004UL
-#define X_SCREEN__SHOW_CURSOR 0x00000008UL
-#define X_SCREEN__SAVER_GETATTR 0x00000010UL
-#define X_SCREEN__SAVER_SETATTR 0x00000020UL
-#define X_SCREEN__SAVER_HIDE 0x00000040UL
-#define X_SCREEN__SAVER_SHOW 0x00000080UL
-#define X_GC__CREATE 0x00000001UL
-#define X_GC__DESTROY 0x00000002UL
-#define X_GC__GETATTR 0x00000004UL
-#define X_GC__SETATTR 0x00000008UL
-#define X_GC__USE 0x00000010UL
-#define X_FONT__CREATE 0x00000001UL
-#define X_FONT__DESTROY 0x00000002UL
-#define X_FONT__GETATTR 0x00000004UL
-#define X_FONT__ADD_GLYPH 0x00000008UL
-#define X_FONT__REMOVE_GLYPH 0x00000010UL
-#define X_FONT__USE 0x00000020UL
-#define X_COLORMAP__CREATE 0x00000001UL
-#define X_COLORMAP__DESTROY 0x00000002UL
-#define X_COLORMAP__READ 0x00000004UL
-#define X_COLORMAP__WRITE 0x00000008UL
-#define X_COLORMAP__GETATTR 0x00000010UL
-#define X_COLORMAP__ADD_COLOR 0x00000020UL
-#define X_COLORMAP__REMOVE_COLOR 0x00000040UL
-#define X_COLORMAP__INSTALL 0x00000080UL
-#define X_COLORMAP__UNINSTALL 0x00000100UL
-#define X_COLORMAP__USE 0x00000200UL
-#define X_PROPERTY__CREATE 0x00000001UL
-#define X_PROPERTY__DESTROY 0x00000002UL
-#define X_PROPERTY__READ 0x00000004UL
-#define X_PROPERTY__WRITE 0x00000008UL
-#define X_PROPERTY__APPEND 0x00000010UL
-#define X_PROPERTY__GETATTR 0x00000020UL
-#define X_PROPERTY__SETATTR 0x00000040UL
-#define X_SELECTION__READ 0x00000001UL
-#define X_SELECTION__WRITE 0x00000002UL
-#define X_SELECTION__GETATTR 0x00000004UL
-#define X_SELECTION__SETATTR 0x00000008UL
-#define X_CURSOR__CREATE 0x00000001UL
-#define X_CURSOR__DESTROY 0x00000002UL
-#define X_CURSOR__READ 0x00000004UL
-#define X_CURSOR__WRITE 0x00000008UL
-#define X_CURSOR__GETATTR 0x00000010UL
-#define X_CURSOR__SETATTR 0x00000020UL
-#define X_CURSOR__USE 0x00000040UL
-#define X_CLIENT__DESTROY 0x00000001UL
-#define X_CLIENT__GETATTR 0x00000002UL
-#define X_CLIENT__SETATTR 0x00000004UL
-#define X_CLIENT__MANAGE 0x00000008UL
-#define X_DEVICE__GETATTR 0x00000001UL
-#define X_DEVICE__SETATTR 0x00000002UL
-#define X_DEVICE__USE 0x00000004UL
-#define X_DEVICE__READ 0x00000008UL
-#define X_DEVICE__WRITE 0x00000010UL
-#define X_DEVICE__GETFOCUS 0x00000020UL
-#define X_DEVICE__SETFOCUS 0x00000040UL
-#define X_DEVICE__BELL 0x00000080UL
-#define X_DEVICE__FORCE_CURSOR 0x00000100UL
-#define X_DEVICE__FREEZE 0x00000200UL
-#define X_DEVICE__GRAB 0x00000400UL
-#define X_DEVICE__MANAGE 0x00000800UL
-#define X_SERVER__GETATTR 0x00000001UL
-#define X_SERVER__SETATTR 0x00000002UL
-#define X_SERVER__RECORD 0x00000004UL
-#define X_SERVER__DEBUG 0x00000008UL
-#define X_SERVER__GRAB 0x00000010UL
-#define X_SERVER__MANAGE 0x00000020UL
-#define X_EXTENSION__QUERY 0x00000001UL
-#define X_EXTENSION__USE 0x00000002UL
-#define X_RESOURCE__READ 0x00000001UL
-#define X_RESOURCE__WRITE 0x00000002UL
-#define X_EVENT__SEND 0x00000001UL
-#define X_EVENT__RECEIVE 0x00000002UL
-#define X_SYNTHETIC_EVENT__SEND 0x00000001UL
-#define X_SYNTHETIC_EVENT__RECEIVE 0x00000002UL
-#define NETLINK_ROUTE_SOCKET__IOCTL 0x00000001UL
-#define NETLINK_ROUTE_SOCKET__READ 0x00000002UL
-#define NETLINK_ROUTE_SOCKET__WRITE 0x00000004UL
-#define NETLINK_ROUTE_SOCKET__CREATE 0x00000008UL
-#define NETLINK_ROUTE_SOCKET__GETATTR 0x00000010UL
-#define NETLINK_ROUTE_SOCKET__SETATTR 0x00000020UL
-#define NETLINK_ROUTE_SOCKET__LOCK 0x00000040UL
-#define NETLINK_ROUTE_SOCKET__RELABELFROM 0x00000080UL
-#define NETLINK_ROUTE_SOCKET__RELABELTO 0x00000100UL
-#define NETLINK_ROUTE_SOCKET__APPEND 0x00000200UL
-#define NETLINK_ROUTE_SOCKET__BIND 0x00000400UL
-#define NETLINK_ROUTE_SOCKET__CONNECT 0x00000800UL
-#define NETLINK_ROUTE_SOCKET__LISTEN 0x00001000UL
-#define NETLINK_ROUTE_SOCKET__ACCEPT 0x00002000UL
-#define NETLINK_ROUTE_SOCKET__GETOPT 0x00004000UL
-#define NETLINK_ROUTE_SOCKET__SETOPT 0x00008000UL
-#define NETLINK_ROUTE_SOCKET__SHUTDOWN 0x00010000UL
-#define NETLINK_ROUTE_SOCKET__RECVFROM 0x00020000UL
-#define NETLINK_ROUTE_SOCKET__SENDTO 0x00040000UL
-#define NETLINK_ROUTE_SOCKET__RECV_MSG 0x00080000UL
-#define NETLINK_ROUTE_SOCKET__SEND_MSG 0x00100000UL
-#define NETLINK_ROUTE_SOCKET__NAME_BIND 0x00200000UL
-#define NETLINK_ROUTE_SOCKET__NLMSG_READ 0x00400000UL
-#define NETLINK_ROUTE_SOCKET__NLMSG_WRITE 0x00800000UL
-#define NETLINK_FIREWALL_SOCKET__IOCTL 0x00000001UL
-#define NETLINK_FIREWALL_SOCKET__READ 0x00000002UL
-#define NETLINK_FIREWALL_SOCKET__WRITE 0x00000004UL
-#define NETLINK_FIREWALL_SOCKET__CREATE 0x00000008UL
-#define NETLINK_FIREWALL_SOCKET__GETATTR 0x00000010UL
-#define NETLINK_FIREWALL_SOCKET__SETATTR 0x00000020UL
-#define NETLINK_FIREWALL_SOCKET__LOCK 0x00000040UL
-#define NETLINK_FIREWALL_SOCKET__RELABELFROM 0x00000080UL
-#define NETLINK_FIREWALL_SOCKET__RELABELTO 0x00000100UL
-#define NETLINK_FIREWALL_SOCKET__APPEND 0x00000200UL
-#define NETLINK_FIREWALL_SOCKET__BIND 0x00000400UL
-#define NETLINK_FIREWALL_SOCKET__CONNECT 0x00000800UL
-#define NETLINK_FIREWALL_SOCKET__LISTEN 0x00001000UL
-#define NETLINK_FIREWALL_SOCKET__ACCEPT 0x00002000UL
-#define NETLINK_FIREWALL_SOCKET__GETOPT 0x00004000UL
-#define NETLINK_FIREWALL_SOCKET__SETOPT 0x00008000UL
-#define NETLINK_FIREWALL_SOCKET__SHUTDOWN 0x00010000UL
-#define NETLINK_FIREWALL_SOCKET__RECVFROM 0x00020000UL
-#define NETLINK_FIREWALL_SOCKET__SENDTO 0x00040000UL
-#define NETLINK_FIREWALL_SOCKET__RECV_MSG 0x00080000UL
-#define NETLINK_FIREWALL_SOCKET__SEND_MSG 0x00100000UL
-#define NETLINK_FIREWALL_SOCKET__NAME_BIND 0x00200000UL
-#define NETLINK_FIREWALL_SOCKET__NLMSG_READ 0x00400000UL
-#define NETLINK_FIREWALL_SOCKET__NLMSG_WRITE 0x00800000UL
-#define NETLINK_TCPDIAG_SOCKET__IOCTL 0x00000001UL
-#define NETLINK_TCPDIAG_SOCKET__READ 0x00000002UL
-#define NETLINK_TCPDIAG_SOCKET__WRITE 0x00000004UL
-#define NETLINK_TCPDIAG_SOCKET__CREATE 0x00000008UL
-#define NETLINK_TCPDIAG_SOCKET__GETATTR 0x00000010UL
-#define NETLINK_TCPDIAG_SOCKET__SETATTR 0x00000020UL
-#define NETLINK_TCPDIAG_SOCKET__LOCK 0x00000040UL
-#define NETLINK_TCPDIAG_SOCKET__RELABELFROM 0x00000080UL
-#define NETLINK_TCPDIAG_SOCKET__RELABELTO 0x00000100UL
-#define NETLINK_TCPDIAG_SOCKET__APPEND 0x00000200UL
-#define NETLINK_TCPDIAG_SOCKET__BIND 0x00000400UL
-#define NETLINK_TCPDIAG_SOCKET__CONNECT 0x00000800UL
-#define NETLINK_TCPDIAG_SOCKET__LISTEN 0x00001000UL
-#define NETLINK_TCPDIAG_SOCKET__ACCEPT 0x00002000UL
-#define NETLINK_TCPDIAG_SOCKET__GETOPT 0x00004000UL
-#define NETLINK_TCPDIAG_SOCKET__SETOPT 0x00008000UL
-#define NETLINK_TCPDIAG_SOCKET__SHUTDOWN 0x00010000UL
-#define NETLINK_TCPDIAG_SOCKET__RECVFROM 0x00020000UL
-#define NETLINK_TCPDIAG_SOCKET__SENDTO 0x00040000UL
-#define NETLINK_TCPDIAG_SOCKET__RECV_MSG 0x00080000UL
-#define NETLINK_TCPDIAG_SOCKET__SEND_MSG 0x00100000UL
-#define NETLINK_TCPDIAG_SOCKET__NAME_BIND 0x00200000UL
-#define NETLINK_TCPDIAG_SOCKET__NLMSG_READ 0x00400000UL
-#define NETLINK_TCPDIAG_SOCKET__NLMSG_WRITE 0x00800000UL
-#define NETLINK_NFLOG_SOCKET__IOCTL 0x00000001UL
-#define NETLINK_NFLOG_SOCKET__READ 0x00000002UL
-#define NETLINK_NFLOG_SOCKET__WRITE 0x00000004UL
-#define NETLINK_NFLOG_SOCKET__CREATE 0x00000008UL
-#define NETLINK_NFLOG_SOCKET__GETATTR 0x00000010UL
-#define NETLINK_NFLOG_SOCKET__SETATTR 0x00000020UL
-#define NETLINK_NFLOG_SOCKET__LOCK 0x00000040UL
-#define NETLINK_NFLOG_SOCKET__RELABELFROM 0x00000080UL
-#define NETLINK_NFLOG_SOCKET__RELABELTO 0x00000100UL
-#define NETLINK_NFLOG_SOCKET__APPEND 0x00000200UL
-#define NETLINK_NFLOG_SOCKET__BIND 0x00000400UL
-#define NETLINK_NFLOG_SOCKET__CONNECT 0x00000800UL
-#define NETLINK_NFLOG_SOCKET__LISTEN 0x00001000UL
-#define NETLINK_NFLOG_SOCKET__ACCEPT 0x00002000UL
-#define NETLINK_NFLOG_SOCKET__GETOPT 0x00004000UL
-#define NETLINK_NFLOG_SOCKET__SETOPT 0x00008000UL
-#define NETLINK_NFLOG_SOCKET__SHUTDOWN 0x00010000UL
-#define NETLINK_NFLOG_SOCKET__RECVFROM 0x00020000UL
-#define NETLINK_NFLOG_SOCKET__SENDTO 0x00040000UL
-#define NETLINK_NFLOG_SOCKET__RECV_MSG 0x00080000UL
-#define NETLINK_NFLOG_SOCKET__SEND_MSG 0x00100000UL
-#define NETLINK_NFLOG_SOCKET__NAME_BIND 0x00200000UL
-#define NETLINK_XFRM_SOCKET__IOCTL 0x00000001UL
-#define NETLINK_XFRM_SOCKET__READ 0x00000002UL
-#define NETLINK_XFRM_SOCKET__WRITE 0x00000004UL
-#define NETLINK_XFRM_SOCKET__CREATE 0x00000008UL
-#define NETLINK_XFRM_SOCKET__GETATTR 0x00000010UL
-#define NETLINK_XFRM_SOCKET__SETATTR 0x00000020UL
-#define NETLINK_XFRM_SOCKET__LOCK 0x00000040UL
-#define NETLINK_XFRM_SOCKET__RELABELFROM 0x00000080UL
-#define NETLINK_XFRM_SOCKET__RELABELTO 0x00000100UL
-#define NETLINK_XFRM_SOCKET__APPEND 0x00000200UL
-#define NETLINK_XFRM_SOCKET__BIND 0x00000400UL
-#define NETLINK_XFRM_SOCKET__CONNECT 0x00000800UL
-#define NETLINK_XFRM_SOCKET__LISTEN 0x00001000UL
-#define NETLINK_XFRM_SOCKET__ACCEPT 0x00002000UL
-#define NETLINK_XFRM_SOCKET__GETOPT 0x00004000UL
-#define NETLINK_XFRM_SOCKET__SETOPT 0x00008000UL
-#define NETLINK_XFRM_SOCKET__SHUTDOWN 0x00010000UL
-#define NETLINK_XFRM_SOCKET__RECVFROM 0x00020000UL
-#define NETLINK_XFRM_SOCKET__SENDTO 0x00040000UL
-#define NETLINK_XFRM_SOCKET__RECV_MSG 0x00080000UL
-#define NETLINK_XFRM_SOCKET__SEND_MSG 0x00100000UL
-#define NETLINK_XFRM_SOCKET__NAME_BIND 0x00200000UL
-#define NETLINK_XFRM_SOCKET__NLMSG_READ 0x00400000UL
-#define NETLINK_XFRM_SOCKET__NLMSG_WRITE 0x00800000UL
-#define NETLINK_SELINUX_SOCKET__IOCTL 0x00000001UL
-#define NETLINK_SELINUX_SOCKET__READ 0x00000002UL
-#define NETLINK_SELINUX_SOCKET__WRITE 0x00000004UL
-#define NETLINK_SELINUX_SOCKET__CREATE 0x00000008UL
-#define NETLINK_SELINUX_SOCKET__GETATTR 0x00000010UL
-#define NETLINK_SELINUX_SOCKET__SETATTR 0x00000020UL
-#define NETLINK_SELINUX_SOCKET__LOCK 0x00000040UL
-#define NETLINK_SELINUX_SOCKET__RELABELFROM 0x00000080UL
-#define NETLINK_SELINUX_SOCKET__RELABELTO 0x00000100UL
-#define NETLINK_SELINUX_SOCKET__APPEND 0x00000200UL
-#define NETLINK_SELINUX_SOCKET__BIND 0x00000400UL
-#define NETLINK_SELINUX_SOCKET__CONNECT 0x00000800UL
-#define NETLINK_SELINUX_SOCKET__LISTEN 0x00001000UL
-#define NETLINK_SELINUX_SOCKET__ACCEPT 0x00002000UL
-#define NETLINK_SELINUX_SOCKET__GETOPT 0x00004000UL
-#define NETLINK_SELINUX_SOCKET__SETOPT 0x00008000UL
-#define NETLINK_SELINUX_SOCKET__SHUTDOWN 0x00010000UL
-#define NETLINK_SELINUX_SOCKET__RECVFROM 0x00020000UL
-#define NETLINK_SELINUX_SOCKET__SENDTO 0x00040000UL
-#define NETLINK_SELINUX_SOCKET__RECV_MSG 0x00080000UL
-#define NETLINK_SELINUX_SOCKET__SEND_MSG 0x00100000UL
-#define NETLINK_SELINUX_SOCKET__NAME_BIND 0x00200000UL
-#define NETLINK_AUDIT_SOCKET__IOCTL 0x00000001UL
-#define NETLINK_AUDIT_SOCKET__READ 0x00000002UL
-#define NETLINK_AUDIT_SOCKET__WRITE 0x00000004UL
-#define NETLINK_AUDIT_SOCKET__CREATE 0x00000008UL
-#define NETLINK_AUDIT_SOCKET__GETATTR 0x00000010UL
-#define NETLINK_AUDIT_SOCKET__SETATTR 0x00000020UL
-#define NETLINK_AUDIT_SOCKET__LOCK 0x00000040UL
-#define NETLINK_AUDIT_SOCKET__RELABELFROM 0x00000080UL
-#define NETLINK_AUDIT_SOCKET__RELABELTO 0x00000100UL
-#define NETLINK_AUDIT_SOCKET__APPEND 0x00000200UL
-#define NETLINK_AUDIT_SOCKET__BIND 0x00000400UL
-#define NETLINK_AUDIT_SOCKET__CONNECT 0x00000800UL
-#define NETLINK_AUDIT_SOCKET__LISTEN 0x00001000UL
-#define NETLINK_AUDIT_SOCKET__ACCEPT 0x00002000UL
-#define NETLINK_AUDIT_SOCKET__GETOPT 0x00004000UL
-#define NETLINK_AUDIT_SOCKET__SETOPT 0x00008000UL
-#define NETLINK_AUDIT_SOCKET__SHUTDOWN 0x00010000UL
-#define NETLINK_AUDIT_SOCKET__RECVFROM 0x00020000UL
-#define NETLINK_AUDIT_SOCKET__SENDTO 0x00040000UL
-#define NETLINK_AUDIT_SOCKET__RECV_MSG 0x00080000UL
-#define NETLINK_AUDIT_SOCKET__SEND_MSG 0x00100000UL
-#define NETLINK_AUDIT_SOCKET__NAME_BIND 0x00200000UL
-#define NETLINK_AUDIT_SOCKET__NLMSG_READ 0x00400000UL
-#define NETLINK_AUDIT_SOCKET__NLMSG_WRITE 0x00800000UL
-#define NETLINK_AUDIT_SOCKET__NLMSG_RELAY 0x01000000UL
-#define NETLINK_AUDIT_SOCKET__NLMSG_READPRIV 0x02000000UL
-#define NETLINK_AUDIT_SOCKET__NLMSG_TTY_AUDIT 0x04000000UL
-#define NETLINK_IP6FW_SOCKET__IOCTL 0x00000001UL
-#define NETLINK_IP6FW_SOCKET__READ 0x00000002UL
-#define NETLINK_IP6FW_SOCKET__WRITE 0x00000004UL
-#define NETLINK_IP6FW_SOCKET__CREATE 0x00000008UL
-#define NETLINK_IP6FW_SOCKET__GETATTR 0x00000010UL
-#define NETLINK_IP6FW_SOCKET__SETATTR 0x00000020UL
-#define NETLINK_IP6FW_SOCKET__LOCK 0x00000040UL
-#define NETLINK_IP6FW_SOCKET__RELABELFROM 0x00000080UL
-#define NETLINK_IP6FW_SOCKET__RELABELTO 0x00000100UL
-#define NETLINK_IP6FW_SOCKET__APPEND 0x00000200UL
-#define NETLINK_IP6FW_SOCKET__BIND 0x00000400UL
-#define NETLINK_IP6FW_SOCKET__CONNECT 0x00000800UL
-#define NETLINK_IP6FW_SOCKET__LISTEN 0x00001000UL
-#define NETLINK_IP6FW_SOCKET__ACCEPT 0x00002000UL
-#define NETLINK_IP6FW_SOCKET__GETOPT 0x00004000UL
-#define NETLINK_IP6FW_SOCKET__SETOPT 0x00008000UL
-#define NETLINK_IP6FW_SOCKET__SHUTDOWN 0x00010000UL
-#define NETLINK_IP6FW_SOCKET__RECVFROM 0x00020000UL
-#define NETLINK_IP6FW_SOCKET__SENDTO 0x00040000UL
-#define NETLINK_IP6FW_SOCKET__RECV_MSG 0x00080000UL
-#define NETLINK_IP6FW_SOCKET__SEND_MSG 0x00100000UL
-#define NETLINK_IP6FW_SOCKET__NAME_BIND 0x00200000UL
-#define NETLINK_IP6FW_SOCKET__NLMSG_READ 0x00400000UL
-#define NETLINK_IP6FW_SOCKET__NLMSG_WRITE 0x00800000UL
-#define NETLINK_DNRT_SOCKET__IOCTL 0x00000001UL
-#define NETLINK_DNRT_SOCKET__READ 0x00000002UL
-#define NETLINK_DNRT_SOCKET__WRITE 0x00000004UL
-#define NETLINK_DNRT_SOCKET__CREATE 0x00000008UL
-#define NETLINK_DNRT_SOCKET__GETATTR 0x00000010UL
-#define NETLINK_DNRT_SOCKET__SETATTR 0x00000020UL
-#define NETLINK_DNRT_SOCKET__LOCK 0x00000040UL
-#define NETLINK_DNRT_SOCKET__RELABELFROM 0x00000080UL
-#define NETLINK_DNRT_SOCKET__RELABELTO 0x00000100UL
-#define NETLINK_DNRT_SOCKET__APPEND 0x00000200UL
-#define NETLINK_DNRT_SOCKET__BIND 0x00000400UL
-#define NETLINK_DNRT_SOCKET__CONNECT 0x00000800UL
-#define NETLINK_DNRT_SOCKET__LISTEN 0x00001000UL
-#define NETLINK_DNRT_SOCKET__ACCEPT 0x00002000UL
-#define NETLINK_DNRT_SOCKET__GETOPT 0x00004000UL
-#define NETLINK_DNRT_SOCKET__SETOPT 0x00008000UL
-#define NETLINK_DNRT_SOCKET__SHUTDOWN 0x00010000UL
-#define NETLINK_DNRT_SOCKET__RECVFROM 0x00020000UL
-#define NETLINK_DNRT_SOCKET__SENDTO 0x00040000UL
-#define NETLINK_DNRT_SOCKET__RECV_MSG 0x00080000UL
-#define NETLINK_DNRT_SOCKET__SEND_MSG 0x00100000UL
-#define NETLINK_DNRT_SOCKET__NAME_BIND 0x00200000UL
-#define DBUS__ACQUIRE_SVC 0x00000001UL
-#define DBUS__SEND_MSG 0x00000002UL
-#define NSCD__GETPWD 0x00000001UL
-#define NSCD__GETGRP 0x00000002UL
-#define NSCD__GETHOST 0x00000004UL
-#define NSCD__GETSTAT 0x00000008UL
-#define NSCD__ADMIN 0x00000010UL
-#define NSCD__SHMEMPWD 0x00000020UL
-#define NSCD__SHMEMGRP 0x00000040UL
-#define NSCD__SHMEMHOST 0x00000080UL
-#define NSCD__GETSERV 0x00000100UL
-#define NSCD__SHMEMSERV 0x00000200UL
-#define ASSOCIATION__SENDTO 0x00000001UL
-#define ASSOCIATION__RECVFROM 0x00000002UL
-#define ASSOCIATION__SETCONTEXT 0x00000004UL
-#define ASSOCIATION__POLMATCH 0x00000008UL
-#define NETLINK_KOBJECT_UEVENT_SOCKET__IOCTL 0x00000001UL
-#define NETLINK_KOBJECT_UEVENT_SOCKET__READ 0x00000002UL
-#define NETLINK_KOBJECT_UEVENT_SOCKET__WRITE 0x00000004UL
-#define NETLINK_KOBJECT_UEVENT_SOCKET__CREATE 0x00000008UL
-#define NETLINK_KOBJECT_UEVENT_SOCKET__GETATTR 0x00000010UL
-#define NETLINK_KOBJECT_UEVENT_SOCKET__SETATTR 0x00000020UL
-#define NETLINK_KOBJECT_UEVENT_SOCKET__LOCK 0x00000040UL
-#define NETLINK_KOBJECT_UEVENT_SOCKET__RELABELFROM 0x00000080UL
-#define NETLINK_KOBJECT_UEVENT_SOCKET__RELABELTO 0x00000100UL
-#define NETLINK_KOBJECT_UEVENT_SOCKET__APPEND 0x00000200UL
-#define NETLINK_KOBJECT_UEVENT_SOCKET__BIND 0x00000400UL
-#define NETLINK_KOBJECT_UEVENT_SOCKET__CONNECT 0x00000800UL
-#define NETLINK_KOBJECT_UEVENT_SOCKET__LISTEN 0x00001000UL
-#define NETLINK_KOBJECT_UEVENT_SOCKET__ACCEPT 0x00002000UL
-#define NETLINK_KOBJECT_UEVENT_SOCKET__GETOPT 0x00004000UL
-#define NETLINK_KOBJECT_UEVENT_SOCKET__SETOPT 0x00008000UL
-#define NETLINK_KOBJECT_UEVENT_SOCKET__SHUTDOWN 0x00010000UL
-#define NETLINK_KOBJECT_UEVENT_SOCKET__RECVFROM 0x00020000UL
-#define NETLINK_KOBJECT_UEVENT_SOCKET__SENDTO 0x00040000UL
-#define NETLINK_KOBJECT_UEVENT_SOCKET__RECV_MSG 0x00080000UL
-#define NETLINK_KOBJECT_UEVENT_SOCKET__SEND_MSG 0x00100000UL
-#define NETLINK_KOBJECT_UEVENT_SOCKET__NAME_BIND 0x00200000UL
-#define APPLETALK_SOCKET__IOCTL 0x00000001UL
-#define APPLETALK_SOCKET__READ 0x00000002UL
-#define APPLETALK_SOCKET__WRITE 0x00000004UL
-#define APPLETALK_SOCKET__CREATE 0x00000008UL
-#define APPLETALK_SOCKET__GETATTR 0x00000010UL
-#define APPLETALK_SOCKET__SETATTR 0x00000020UL
-#define APPLETALK_SOCKET__LOCK 0x00000040UL
-#define APPLETALK_SOCKET__RELABELFROM 0x00000080UL
-#define APPLETALK_SOCKET__RELABELTO 0x00000100UL
-#define APPLETALK_SOCKET__APPEND 0x00000200UL
-#define APPLETALK_SOCKET__BIND 0x00000400UL
-#define APPLETALK_SOCKET__CONNECT 0x00000800UL
-#define APPLETALK_SOCKET__LISTEN 0x00001000UL
-#define APPLETALK_SOCKET__ACCEPT 0x00002000UL
-#define APPLETALK_SOCKET__GETOPT 0x00004000UL
-#define APPLETALK_SOCKET__SETOPT 0x00008000UL
-#define APPLETALK_SOCKET__SHUTDOWN 0x00010000UL
-#define APPLETALK_SOCKET__RECVFROM 0x00020000UL
-#define APPLETALK_SOCKET__SENDTO 0x00040000UL
-#define APPLETALK_SOCKET__RECV_MSG 0x00080000UL
-#define APPLETALK_SOCKET__SEND_MSG 0x00100000UL
-#define APPLETALK_SOCKET__NAME_BIND 0x00200000UL
-#define PACKET__SEND 0x00000001UL
-#define PACKET__RECV 0x00000002UL
-#define PACKET__RELABELTO 0x00000004UL
-#define PACKET__FLOW_IN 0x00000008UL
-#define PACKET__FLOW_OUT 0x00000010UL
-#define PACKET__FORWARD_IN 0x00000020UL
-#define PACKET__FORWARD_OUT 0x00000040UL
-#define KEY__VIEW 0x00000001UL
-#define KEY__READ 0x00000002UL
-#define KEY__WRITE 0x00000004UL
-#define KEY__SEARCH 0x00000008UL
-#define KEY__LINK 0x00000010UL
-#define KEY__SETATTR 0x00000020UL
-#define KEY__CREATE 0x00000040UL
-#define CONTEXT__TRANSLATE 0x00000001UL
-#define CONTEXT__CONTAINS 0x00000002UL
-#define DCCP_SOCKET__IOCTL 0x00000001UL
-#define DCCP_SOCKET__READ 0x00000002UL
-#define DCCP_SOCKET__WRITE 0x00000004UL
-#define DCCP_SOCKET__CREATE 0x00000008UL
-#define DCCP_SOCKET__GETATTR 0x00000010UL
-#define DCCP_SOCKET__SETATTR 0x00000020UL
-#define DCCP_SOCKET__LOCK 0x00000040UL
-#define DCCP_SOCKET__RELABELFROM 0x00000080UL
-#define DCCP_SOCKET__RELABELTO 0x00000100UL
-#define DCCP_SOCKET__APPEND 0x00000200UL
-#define DCCP_SOCKET__BIND 0x00000400UL
-#define DCCP_SOCKET__CONNECT 0x00000800UL
-#define DCCP_SOCKET__LISTEN 0x00001000UL
-#define DCCP_SOCKET__ACCEPT 0x00002000UL
-#define DCCP_SOCKET__GETOPT 0x00004000UL
-#define DCCP_SOCKET__SETOPT 0x00008000UL
-#define DCCP_SOCKET__SHUTDOWN 0x00010000UL
-#define DCCP_SOCKET__RECVFROM 0x00020000UL
-#define DCCP_SOCKET__SENDTO 0x00040000UL
-#define DCCP_SOCKET__RECV_MSG 0x00080000UL
-#define DCCP_SOCKET__SEND_MSG 0x00100000UL
-#define DCCP_SOCKET__NAME_BIND 0x00200000UL
-#define DCCP_SOCKET__NODE_BIND 0x00400000UL
-#define DCCP_SOCKET__NAME_CONNECT 0x00800000UL
-#define MEMPROTECT__MMAP_ZERO 0x00000001UL
-#define DB_DATABASE__CREATE 0x00000001UL
-#define DB_DATABASE__DROP 0x00000002UL
-#define DB_DATABASE__GETATTR 0x00000004UL
-#define DB_DATABASE__SETATTR 0x00000008UL
-#define DB_DATABASE__RELABELFROM 0x00000010UL
-#define DB_DATABASE__RELABELTO 0x00000020UL
-#define DB_DATABASE__ACCESS 0x00000040UL
-#define DB_DATABASE__INSTALL_MODULE 0x00000080UL
-#define DB_DATABASE__LOAD_MODULE 0x00000100UL
-#define DB_DATABASE__GET_PARAM 0x00000200UL
-#define DB_DATABASE__SET_PARAM 0x00000400UL
-#define DB_TABLE__CREATE 0x00000001UL
-#define DB_TABLE__DROP 0x00000002UL
-#define DB_TABLE__GETATTR 0x00000004UL
-#define DB_TABLE__SETATTR 0x00000008UL
-#define DB_TABLE__RELABELFROM 0x00000010UL
-#define DB_TABLE__RELABELTO 0x00000020UL
-#define DB_TABLE__USE 0x00000040UL
-#define DB_TABLE__SELECT 0x00000080UL
-#define DB_TABLE__UPDATE 0x00000100UL
-#define DB_TABLE__INSERT 0x00000200UL
-#define DB_TABLE__DELETE 0x00000400UL
-#define DB_TABLE__LOCK 0x00000800UL
-#define DB_PROCEDURE__CREATE 0x00000001UL
-#define DB_PROCEDURE__DROP 0x00000002UL
-#define DB_PROCEDURE__GETATTR 0x00000004UL
-#define DB_PROCEDURE__SETATTR 0x00000008UL
-#define DB_PROCEDURE__RELABELFROM 0x00000010UL
-#define DB_PROCEDURE__RELABELTO 0x00000020UL
-#define DB_PROCEDURE__EXECUTE 0x00000040UL
-#define DB_PROCEDURE__ENTRYPOINT 0x00000080UL
-#define DB_COLUMN__CREATE 0x00000001UL
-#define DB_COLUMN__DROP 0x00000002UL
-#define DB_COLUMN__GETATTR 0x00000004UL
-#define DB_COLUMN__SETATTR 0x00000008UL
-#define DB_COLUMN__RELABELFROM 0x00000010UL
-#define DB_COLUMN__RELABELTO 0x00000020UL
-#define DB_COLUMN__USE 0x00000040UL
-#define DB_COLUMN__SELECT 0x00000080UL
-#define DB_COLUMN__UPDATE 0x00000100UL
-#define DB_COLUMN__INSERT 0x00000200UL
-#define DB_TUPLE__RELABELFROM 0x00000001UL
-#define DB_TUPLE__RELABELTO 0x00000002UL
-#define DB_TUPLE__USE 0x00000004UL
-#define DB_TUPLE__SELECT 0x00000008UL
-#define DB_TUPLE__UPDATE 0x00000010UL
-#define DB_TUPLE__INSERT 0x00000020UL
-#define DB_TUPLE__DELETE 0x00000040UL
-#define DB_BLOB__CREATE 0x00000001UL
-#define DB_BLOB__DROP 0x00000002UL
-#define DB_BLOB__GETATTR 0x00000004UL
-#define DB_BLOB__SETATTR 0x00000008UL
-#define DB_BLOB__RELABELFROM 0x00000010UL
-#define DB_BLOB__RELABELTO 0x00000020UL
-#define DB_BLOB__READ 0x00000040UL
-#define DB_BLOB__WRITE 0x00000080UL
-#define DB_BLOB__IMPORT 0x00000100UL
-#define DB_BLOB__EXPORT 0x00000200UL
-#define PEER__RECV 0x00000001UL
-#define X_APPLICATION_DATA__PASTE 0x00000001UL
-#define X_APPLICATION_DATA__PASTE_AFTER_CONFIRM 0x00000002UL
-#define X_APPLICATION_DATA__COPY 0x00000004UL
diff --git a/libselinux/include/selinux/avc.h b/libselinux/include/selinux/avc.h
index b4bc6f3f..46c51419 100644
--- a/libselinux/include/selinux/avc.h
+++ b/libselinux/include/selinux/avc.h
@@ -37,8 +37,8 @@ typedef struct security_id *security_id_t;
* failure, with @errno set to %ENOMEM if insufficient memory was
* available to make the copy, or %EINVAL if the input SID is invalid.
*/
-int avc_sid_to_context(security_id_t sid, char ** ctx);
-int avc_sid_to_context_raw(security_id_t sid, char ** ctx);
+extern int avc_sid_to_context(security_id_t sid, char ** ctx);
+extern int avc_sid_to_context_raw(security_id_t sid, char ** ctx);
/**
* avc_context_to_sid - get SID for context.
@@ -51,8 +51,8 @@ int avc_sid_to_context_raw(security_id_t sid, char ** ctx);
* to the SID structure into the memory referenced by @sid,
* returning %0 on success or -%1 on error with @errno set.
*/
-int avc_context_to_sid(const char * ctx, security_id_t * sid);
-int avc_context_to_sid_raw(const char * ctx, security_id_t * sid);
+extern int avc_context_to_sid(const char * ctx, security_id_t * sid);
+extern int avc_context_to_sid_raw(const char * ctx, security_id_t * sid);
/**
* sidget - increment SID reference counter.
@@ -64,7 +64,7 @@ int avc_context_to_sid_raw(const char * ctx, security_id_t * sid);
* reference count). Note that avc_context_to_sid() also
* increments reference counts.
*/
-int sidget(security_id_t sid);
+extern int sidget(security_id_t sid);
/**
* sidput - decrement SID reference counter.
@@ -76,7 +76,7 @@ int sidget(security_id_t sid);
* zero, the SID is invalid, and avc_context_to_sid() must
* be called to obtain a new SID for the security context.
*/
-int sidput(security_id_t sid);
+extern int sidput(security_id_t sid);
/**
* avc_get_initial_sid - get SID for an initial kernel security identifier
@@ -87,7 +87,7 @@ int sidput(security_id_t sid);
* @name using security_get_initial_context() and then call
* avc_context_to_sid() to get the corresponding SID.
*/
-int avc_get_initial_sid(const char *name, security_id_t * sid);
+extern int avc_get_initial_sid(const char *name, security_id_t * sid);
/*
* AVC entry
@@ -188,11 +188,11 @@ struct avc_lock_callback {
* for those callbacks (see the definition of the callback
* structures above).
*/
-int avc_init(const char *msgprefix,
- const struct avc_memory_callback *mem_callbacks,
- const struct avc_log_callback *log_callbacks,
- const struct avc_thread_callback *thread_callbacks,
- const struct avc_lock_callback *lock_callbacks);
+extern int avc_init(const char *msgprefix,
+ const struct avc_memory_callback *mem_callbacks,
+ const struct avc_log_callback *log_callbacks,
+ const struct avc_thread_callback *thread_callbacks,
+ const struct avc_lock_callback *lock_callbacks);
/**
* avc_open - Initialize the AVC.
@@ -203,7 +203,7 @@ int avc_init(const char *msgprefix,
* is set to "avc" and any callbacks desired should be specified via
* selinux_set_callback(). Available options are listed above.
*/
-int avc_open(struct selinux_opt *opts, unsigned nopts);
+extern int avc_open(struct selinux_opt *opts, unsigned nopts);
/**
* avc_cleanup - Remove unused SIDs and AVC entries.
@@ -213,7 +213,7 @@ int avc_open(struct selinux_opt *opts, unsigned nopts);
* AVC entries that reference them. This can be used
* to return memory to the system.
*/
-void avc_cleanup(void);
+extern void avc_cleanup(void);
/**
* avc_reset - Flush the cache and reset statistics.
@@ -223,7 +223,7 @@ void avc_cleanup(void);
* The SID mapping is not affected. Return %0 on success,
* -%1 with @errno set on error.
*/
-int avc_reset(void);
+extern int avc_reset(void);
/**
* avc_destroy - Free all AVC structures.
@@ -234,7 +234,7 @@ int avc_reset(void);
* callbacks will not. All SID's will be invalidated.
* User must call avc_init() if further use of AVC is desired.
*/
-void avc_destroy(void);
+extern void avc_destroy(void);
/**
* avc_has_perm_noaudit - Check permissions but perform no auditing.
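Review bot: The avc_destroy() comment kept as context in this hunk still names only avc_init() as the way to bring the AVC back, although avc_open() is declared in this same header as an initializer. Because the comment also states that all SIDs are invalidated, it should name both re-initialization paths and tell callers to re-obtain their SIDs. A suggested wording is `* User must call avc_open() or avc_init() if further use of AVC is desired, and must re-obtain any SIDs it held.` The start of the comment block lies outside the hunk.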
@@ -257,11 +257,11 @@ void avc_destroy(void);
* auditing, e.g. in cases where a lock must be held for the check but
* should be released for the auditing.
*/
-int avc_has_perm_noaudit(security_id_t ssid,
- security_id_t tsid,
- security_class_t tclass,
- access_vector_t requested,
- struct avc_entry_ref *aeref, struct av_decision *avd);
+extern int avc_has_perm_noaudit(security_id_t ssid,
+ security_id_t tsid,
+ security_class_t tclass,
+ access_vector_t requested,
+ struct avc_entry_ref *aeref, struct av_decision *avd);
/**
* avc_has_perm - Check permissions and perform any appropriate auditing.
@@ -281,9 +281,9 @@ int avc_has_perm_noaudit(security_id_t ssid,
* permissions are granted, -%1 with @errno set to %EACCES if any permissions
* are denied or to another value upon other errors.
*/
-int avc_has_perm(security_id_t ssid, security_id_t tsid,
- security_class_t tclass, access_vector_t requested,
- struct avc_entry_ref *aeref, void *auditdata);
+extern int avc_has_perm(security_id_t ssid, security_id_t tsid,
+ security_class_t tclass, access_vector_t requested,
+ struct avc_entry_ref *aeref, void *auditdata);
/**
* avc_audit - Audit the granting or denial of permissions.
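Review bot: The return contract in the avc_has_perm() comment separates %EACCES from "another value upon other errors" but does not say how a caller should treat the second case. An object manager that denies only when errno is %EACCES would grant access on, for example, an allocation failure. I would add a line such as `* Callers should treat any non-zero return as a denial; @errno only gives the reason.` The same sentence would fit avc_has_perm_noaudit() in the preceding hunk, if its return description (outside that hunk) is worded the same way. The comment block starts outside the hunk.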
@@ -304,9 +304,9 @@ int avc_has_perm(security_id_t ssid, security_id_t tsid,
* be performed under a lock, to allow the lock to be released
* before calling the auditing code.
*/
-void avc_audit(security_id_t ssid, security_id_t tsid,
- security_class_t tclass, access_vector_t requested,
- struct av_decision *avd, int result, void *auditdata);
+extern void avc_audit(security_id_t ssid, security_id_t tsid,
+ security_class_t tclass, access_vector_t requested,
+ struct av_decision *avd, int result, void *auditdata);
/**
* avc_compute_create - Compute SID for labeling a new object.
@@ -322,9 +322,9 @@ void avc_audit(security_id_t ssid, security_id_t tsid,
* memory referenced by @newsid, returning %0 on success or -%1 on
* error with @errno set.
*/
-int avc_compute_create(security_id_t ssid,
- security_id_t tsid,
- security_class_t tclass, security_id_t * newsid);
+extern int avc_compute_create(security_id_t ssid,
+ security_id_t tsid,
+ security_class_t tclass, security_id_t * newsid);
/**
* avc_compute_member - Compute SID for polyinstantation.
@@ -340,9 +340,9 @@ int avc_compute_create(security_id_t ssid,
* memory referenced by @newsid, returning %0 on success or -%1 on
* error with @errno set.
*/
-int avc_compute_member(security_id_t ssid,
- security_id_t tsid,
- security_class_t tclass, security_id_t * newsid);
+extern int avc_compute_member(security_id_t ssid,
+ security_id_t tsid,
+ security_class_t tclass, security_id_t * newsid);
/*
* security event callback facility
@@ -373,14 +373,14 @@ int avc_compute_member(security_id_t ssid,
* @perms based on @tclass. Returns %0 on success or
* -%1 if insufficient memory exists to add the callback.
*/
-int avc_add_callback(int (*callback)
- (uint32_t event, security_id_t ssid,
- security_id_t tsid, security_class_t tclass,
- access_vector_t perms,
- access_vector_t * out_retained),
- uint32_t events, security_id_t ssid,
- security_id_t tsid, security_class_t tclass,
- access_vector_t perms);
+extern int avc_add_callback(int (*callback)
+ (uint32_t event, security_id_t ssid,
+ security_id_t tsid, security_class_t tclass,
+ access_vector_t perms,
+ access_vector_t * out_retained),
+ uint32_t events, security_id_t ssid,
+ security_id_t tsid, security_class_t tclass,
+ access_vector_t perms);
/*
* AVC statistics
@@ -411,7 +411,7 @@ struct avc_cache_stats {
* avc_reset(). See the structure definition for
* details.
*/
-void avc_cache_stats(struct avc_cache_stats *stats);
+extern void avc_cache_stats(struct avc_cache_stats *stats);
/**
* avc_av_stats - log av table statistics.
@@ -420,7 +420,7 @@ void avc_cache_stats(struct avc_cache_stats *stats);
* distribution of the access vector table. The audit
* callback is used to print the message.
*/
-void avc_av_stats(void);
+extern void avc_av_stats(void);
/**
* avc_sid_stats - log SID table statistics.
@@ -429,22 +429,22 @@ void avc_av_stats(void);
* distribution of the SID table. The audit callback
* is used to print the message.
*/
-void avc_sid_stats(void);
+extern void avc_sid_stats(void);
/**
* avc_netlink_open - Create a netlink socket and connect to the kernel.
*/
-int avc_netlink_open(int blocking);
+extern int avc_netlink_open(int blocking);
/**
* avc_netlink_loop - Wait for netlink messages from the kernel
*/
-void avc_netlink_loop(void);
+extern void avc_netlink_loop(void);
/**
* avc_netlink_close - Close the netlink socket
*/
-void avc_netlink_close(void);
+extern void avc_netlink_close(void);
/**
* avc_netlink_acquire_fd - Acquire netlink socket fd.
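Review bot: avc_netlink_open() has a one-line comment that documents neither the `blocking` argument nor the return value, and the comments on avc_netlink_loop() and avc_netlink_close() are equally terse. The selinux_status_*() declarations in the last hunk of this file have the same gap: all but selinux_status_close() return `int`, with no statement of what an error looks like. A caller that tests selinux_status_getenforce() for truthiness therefore cannot tell from the header whether a failure could be read as enforcing. Each comment should gain a `Returns` sentence giving the success value, the error value and whether @errno is set, in the style of the avc_reset() comment (`Return %0 on success, -%1 with @errno set on error.`); the actual values need to be confirmed against the implementation.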
@@ -452,14 +452,14 @@ void avc_netlink_close(void);
* Allows the application to manage messages from the netlink socket in
* its own main loop.
*/
-int avc_netlink_acquire_fd(void);
+extern int avc_netlink_acquire_fd(void);
/**
* avc_netlink_release_fd - Release netlink socket fd.
*
* Returns ownership of the netlink socket to the library.
*/
-void avc_netlink_release_fd(void);
+extern void avc_netlink_release_fd(void);
/**
* avc_netlink_check_nb - Check netlink socket for new messages.
@@ -467,43 +467,43 @@ void avc_netlink_release_fd(void);
* Called by the application when using avc_netlink_acquire_fd() to
* process kernel netlink events.
*/
-int avc_netlink_check_nb(void);
+extern int avc_netlink_check_nb(void);
/**
* selinux_status_open - Open and map SELinux kernel status page
*
*/
-int selinux_status_open(int fallback);
+extern int selinux_status_open(int fallback);
/**
* selinux_status_close - Unmap and close SELinux kernel status page
*
*/
-void selinux_status_close(void);
+extern void selinux_status_close(void);
/**
* selinux_status_updated - Inform us whether the kernel status has been updated
*
*/
-int selinux_status_updated(void);
+extern int selinux_status_updated(void);
/**
* selinux_status_getenforce - Get the enforce flag value
*
*/
-int selinux_status_getenforce(void);
+extern int selinux_status_getenforce(void);
/**
* selinux_status_policyload - Get the number of policy reloaded
*
*/
-int selinux_status_policyload(void);
+extern int selinux_status_policyload(void);
/**
* selinux_status_deny_unknown - Get the behavior for undefined classes/permissions
*
*/
-int selinux_status_deny_unknown(void);
+extern int selinux_status_deny_unknown(void);
#ifdef __cplusplus
}
diff --git a/libselinux/include/selinux/flask.h b/libselinux/include/selinux/flask.h
deleted file mode 100644
index 81282237..00000000
--- a/libselinux/include/selinux/flask.h
+++ /dev/null
@@ -1,118 +0,0 @@
-/* This file is automatically generated. Do not edit. */
-#ifndef _SELINUX_FLASK_H_
-#define _SELINUX_FLASK_H_
-
-#warning "Please remove any #include's of this header in your source code."
-#warning "Instead, use string_to_security_class() to map the class name to a value."
-
-/*
- * Security object class definitions
- */
-#define SECCLASS_SECURITY 1
-#define SECCLASS_PROCESS 2
-#define SECCLASS_SYSTEM 3
-#define SECCLASS_CAPABILITY 4
-#define SECCLASS_FILESYSTEM 5
-#define SECCLASS_FILE 6
-#define SECCLASS_DIR 7
-#define SECCLASS_FD 8
-#define SECCLASS_LNK_FILE 9
-#define SECCLASS_CHR_FILE 10
-#define SECCLASS_BLK_FILE 11
-#define SECCLASS_SOCK_FILE 12
-#define SECCLASS_FIFO_FILE 13
-#define SECCLASS_SOCKET 14
-#define SECCLASS_TCP_SOCKET 15
-#define SECCLASS_UDP_SOCKET 16
-#define SECCLASS_RAWIP_SOCKET 17
-#define SECCLASS_NODE 18
-#define SECCLASS_NETIF 19
-#define SECCLASS_NETLINK_SOCKET 20
-#define SECCLASS_PACKET_SOCKET 21
-#define SECCLASS_KEY_SOCKET 22
-#define SECCLASS_UNIX_STREAM_SOCKET 23
-#define SECCLASS_UNIX_DGRAM_SOCKET 24
-#define SECCLASS_SEM 25
-#define SECCLASS_MSG 26
-#define SECCLASS_MSGQ 27
-#define SECCLASS_SHM 28
-#define SECCLASS_IPC 29
-#define SECCLASS_PASSWD 30
-#define SECCLASS_X_DRAWABLE 31
-#define SECCLASS_X_SCREEN 32
-#define SECCLASS_X_GC 33
-#define SECCLASS_X_FONT 34
-#define SECCLASS_X_COLORMAP 35
-#define SECCLASS_X_PROPERTY 36
-#define SECCLASS_X_SELECTION 37
-#define SECCLASS_X_CURSOR 38
-#define SECCLASS_X_CLIENT 39
-#define SECCLASS_X_DEVICE 40
-#define SECCLASS_X_SERVER 41
-#define SECCLASS_X_EXTENSION 42
-#define SECCLASS_NETLINK_ROUTE_SOCKET 43
-#define SECCLASS_NETLINK_FIREWALL_SOCKET 44
-#define SECCLASS_NETLINK_TCPDIAG_SOCKET 45
-#define SECCLASS_NETLINK_NFLOG_SOCKET 46
-#define SECCLASS_NETLINK_XFRM_SOCKET 47
-#define SECCLASS_NETLINK_SELINUX_SOCKET 48
-#define SECCLASS_NETLINK_AUDIT_SOCKET 49
-#define SECCLASS_NETLINK_IP6FW_SOCKET 50
-#define SECCLASS_NETLINK_DNRT_SOCKET 51
-#define SECCLASS_DBUS 52
-#define SECCLASS_NSCD 53
-#define SECCLASS_ASSOCIATION 54
-#define SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET 55
-#define SECCLASS_APPLETALK_SOCKET 56
-#define SECCLASS_PACKET 57
-#define SECCLASS_KEY 58
-#define SECCLASS_CONTEXT 59
-#define SECCLASS_DCCP_SOCKET 60
-#define SECCLASS_MEMPROTECT 61
-#define SECCLASS_DB_DATABASE 62
-#define SECCLASS_DB_TABLE 63
-#define SECCLASS_DB_PROCEDURE 64
-#define SECCLASS_DB_COLUMN 65
-#define SECCLASS_DB_TUPLE 66
-#define SECCLASS_DB_BLOB 67
-#define SECCLASS_PEER 68
-#define SECCLASS_CAPABILITY2 69
-#define SECCLASS_X_RESOURCE 70
-#define SECCLASS_X_EVENT 71
-#define SECCLASS_X_SYNTHETIC_EVENT 72
-#define SECCLASS_X_APPLICATION_DATA 73
-
-/*
- * Security identifier indices for initial entities
- */
-#define SECINITSID_KERNEL 1
-#define SECINITSID_SECURITY 2
-#define SECINITSID_UNLABELED 3
-#define SECINITSID_FS 4
-#define SECINITSID_FILE 5
-#define SECINITSID_FILE_LABELS 6
-#define SECINITSID_INIT 7
-#define SECINITSID_ANY_SOCKET 8
-#define SECINITSID_PORT 9
-#define SECINITSID_NETIF 10
-#define SECINITSID_NETMSG 11
-#define SECINITSID_NODE 12
-#define SECINITSID_IGMP_PACKET 13
-#define SECINITSID_ICMP_SOCKET 14
-#define SECINITSID_TCP_SOCKET 15
-#define SECINITSID_SYSCTL_MODPROBE 16
-#define SECINITSID_SYSCTL 17
-#define SECINITSID_SYSCTL_FS 18
-#define SECINITSID_SYSCTL_KERNEL 19
-#define SECINITSID_SYSCTL_NET 20
-#define SECINITSID_SYSCTL_NET_UNIX 21
-#define SECINITSID_SYSCTL_VM 22
-#define SECINITSID_SYSCTL_DEV 23
-#define SECINITSID_KMOD 24
-#define SECINITSID_POLICY 25
-#define SECINITSID_SCMP_PACKET 26
-#define SECINITSID_DEVNULL 27
-
-#define SECINITSID_NUM 27
-
-#endif
diff --git a/libselinux/include/selinux/get_context_list.h b/libselinux/include/selinux/get_context_list.h
index a15b9c4e..db8641a4 100644
--- a/libselinux/include/selinux/get_context_list.h
+++ b/libselinux/include/selinux/get_context_list.h
@@ -22,10 +22,10 @@ extern "C" {
/* As above, but use the provided MLS level rather than the
default level for the user. */
- int get_ordered_context_list_with_level(const char *user,
- const char *level,
- char * fromcon,
- char *** list);
+ extern int get_ordered_context_list_with_level(const char *user,
+ const char *level,
+ char * fromcon,
+ char *** list);
/* Get the default security context for a user session for 'user'
spawned by 'fromcon' and set *newcon to refer to it. The context
@@ -40,32 +40,32 @@ extern "C" {
/* As above, but use the provided MLS level rather than the
default level for the user. */
- int get_default_context_with_level(const char *user,
- const char *level,
- char * fromcon,
- char ** newcon);
+ extern int get_default_context_with_level(const char *user,
+ const char *level,
+ char * fromcon,
+ char ** newcon);
/* Same as get_default_context, but only return a context
that has the specified role. If no reachable context exists
for the user with that role, then return -1. */
- int get_default_context_with_role(const char *user,
- const char *role,
- char * fromcon,
- char ** newcon);
+ extern int get_default_context_with_role(const char *user,
+ const char *role,
+ char * fromcon,
+ char ** newcon);
/* Same as get_default_context, but only return a context
that has the specified role and level. If no reachable context exists
for the user with that role, then return -1. */
- int get_default_context_with_rolelevel(const char *user,
- const char *role,
- const char *level,
- char * fromcon,
- char ** newcon);
+ extern int get_default_context_with_rolelevel(const char *user,
+ const char *role,
+ const char *level,
+ char * fromcon,
+ char ** newcon);
/* Given a list of authorized security contexts for the user,
query the user to select one and set *newcon to refer to it.
Caller must free via freecon.
- Returns 0 on sucess or -1 otherwise. */
+ Returns 0 on success or -1 otherwise. */
extern int query_user_context(char ** list,
char ** newcon);
diff --git a/libselinux/include/selinux/get_default_type.h b/libselinux/include/selinux/get_default_type.h
index 65c5dd40..93f5b276 100644
--- a/libselinux/include/selinux/get_default_type.h
+++ b/libselinux/include/selinux/get_default_type.h
@@ -10,12 +10,12 @@ extern "C" {
#endif
/* Return path to default type file. */
- const char *selinux_default_type_path(void);
+ extern const char *selinux_default_type_path(void);
/* Get the default type (domain) for 'role' and set 'type' to refer to it.
Caller must free via free().
Return 0 on success or -1 otherwise. */
- int get_default_type(const char *role, char **type);
+ extern int get_default_type(const char *role, char **type);
#ifdef __cplusplus
}
diff --git a/libselinux/include/selinux/label.h b/libselinux/include/selinux/label.h
index 277287ed..e8983606 100644
--- a/libselinux/include/selinux/label.h
+++ b/libselinux/include/selinux/label.h
@@ -7,6 +7,7 @@
#define _SELABEL_H_
#include <stdbool.h>
+#include <stdint.h>
#include <sys/types.h>
#include <selinux/selinux.h>
@@ -72,9 +73,9 @@ struct selabel_handle;
* backend. Return value is the created handle on success or NULL with
* @errno set on failure.
*/
-struct selabel_handle *selabel_open(unsigned int backend,
- const struct selinux_opt *opts,
- unsigned nopts);
+extern struct selabel_handle *selabel_open(unsigned int backend,
+ const struct selinux_opt *opts,
+ unsigned nopts);
/**
* selabel_close - Close a labeling handle.
@@ -83,7 +84,7 @@ struct selabel_handle *selabel_open(unsigned int backend,
* Destroy the specified handle, closing files, freeing allocated memory,
* etc. The handle may not be further used after it has been closed.
*/
-void selabel_close(struct selabel_handle *handle);
+extern void selabel_close(struct selabel_handle *handle);
/**
* selabel_lookup - Perform labeling lookup operation.
@@ -98,17 +99,25 @@ void selabel_close(struct selabel_handle *handle);
* The result is returned in the memory pointed to by @con and must be freed
* by the user with freecon().
*/
-int selabel_lookup(struct selabel_handle *handle, char **con,
- const char *key, int type);
-int selabel_lookup_raw(struct selabel_handle *handle, char **con,
- const char *key, int type);
-
-bool selabel_partial_match(struct selabel_handle *handle, const char *key);
-
-int selabel_lookup_best_match(struct selabel_handle *rec, char **con,
- const char *key, const char **aliases, int type);
-int selabel_lookup_best_match_raw(struct selabel_handle *rec, char **con,
- const char *key, const char **aliases, int type);
+extern int selabel_lookup(struct selabel_handle *handle, char **con,
+ const char *key, int type);
+extern int selabel_lookup_raw(struct selabel_handle *handle, char **con,
+ const char *key, int type);
+
+extern bool selabel_partial_match(struct selabel_handle *handle, const char *key);
+
+extern bool selabel_get_digests_all_partial_matches(struct selabel_handle *rec,
+ const char *key,
+ uint8_t **calculated_digest,
+ uint8_t **xattr_digest,
+ size_t *digest_len);
+extern bool selabel_hash_all_partial_matches(struct selabel_handle *rec,
+ const char *key, uint8_t* digest);
+
+extern int selabel_lookup_best_match(struct selabel_handle *rec, char **con,
+ const char *key, const char **aliases, int type);
+extern int selabel_lookup_best_match_raw(struct selabel_handle *rec, char **con,
+ const char *key, const char **aliases, int type);
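Review bot: `selabel_hash_all_partial_matches()` takes `uint8_t* digest` with no length argument, so the buffer size the caller must supply is not visible at this declaration. If the implementation writes a fixed-size digest (not shown in this hunk), an undersized buffer in a caller becomes an out-of-bounds write. Both new declarations also sit under the `selabel_lookup` doc block with no comment of their own, unlike the other functions in this header. I would give each its own block, for the hash variant including `@digest: caller-supplied buffer of at least <DIGEST_SIZE placeholder> bytes`, and for the other `@calculated_digest, @xattr_digest: allocated on return, caller must free(); either may be NULL`. That matches the man page this commit adds, which also says the call is supported only on the file backend.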
/**
* selabel_digest - Retrieve the SHA1 digest and the list of specfiles used to
@@ -123,9 +132,9 @@ int selabel_lookup_best_match_raw(struct selabel_handle *rec, char **con,
*
* Return %0 on success, -%1 with @errno set on failure.
*/
-int selabel_digest(struct selabel_handle *rec,
- unsigned char **digest, size_t *digest_len,
- char ***specfiles, size_t *num_specfiles);
+extern int selabel_digest(struct selabel_handle *rec,
+ unsigned char **digest, size_t *digest_len,
+ char ***specfiles, size_t *num_specfiles);
enum selabel_cmp_result {
SELABEL_SUBSET,
@@ -144,8 +153,8 @@ enum selabel_cmp_result {
* if @h1 is identical to @h2, %SELABEL_SUPERSET if @h1 is a superset
* of @h2, and %SELABEL_INCOMPARABLE if @h1 and @h2 are incomparable.
*/
-enum selabel_cmp_result selabel_cmp(struct selabel_handle *h1,
- struct selabel_handle *h2);
+extern enum selabel_cmp_result selabel_cmp(struct selabel_handle *h1,
+ struct selabel_handle *h2);
/**
* selabel_stats - log labeling operation statistics.
@@ -155,7 +164,7 @@ enum selabel_cmp_result selabel_cmp(struct selabel_handle *h1,
* number of unused matching entries, or other operational statistics.
* Message is backend-specific, some backends may not output a message.
*/
-void selabel_stats(struct selabel_handle *handle);
+extern void selabel_stats(struct selabel_handle *handle);
/*
* Type codes used by specific backends
diff --git a/libselinux/include/selinux/restorecon.h b/libselinux/include/selinux/restorecon.h
index 595e7728..754b8645 100644
--- a/libselinux/include/selinux/restorecon.h
+++ b/libselinux/include/selinux/restorecon.h
@@ -27,8 +27,8 @@ extern int selinux_restorecon(const char *pathname,
* restorecon_flags options
*/
/*
- * Force the checking of labels even if the stored SHA1
- * digest matches the specfiles SHA1 digest.
+ * Force the checking of labels even if the stored SHA1 digest
+ * matches the specfiles SHA1 digest (requires CAP_SYS_ADMIN).
*/
#define SELINUX_RESTORECON_IGNORE_DIGEST 0x0001
/*
@@ -96,12 +96,17 @@ extern int selinux_restorecon(const char *pathname,
* See SELINUX_RESTORECON_PROGRESS flag for details.
*/
#define SELINUX_RESTORECON_MASS_RELABEL 0x4000
+/*
+ * Set if no digest is to be read or written (as only processes
+ * running with CAP_SYS_ADMIN can read/write digests).
+ */
+#define SELINUX_RESTORECON_SKIP_DIGEST 0x8000
/**
* selinux_restorecon_set_sehandle - Set the global fc handle.
* @hndl: specifies handle to set as the global fc handle.
*
- * Called by a process that has already called selabel_open(3) with it's
+ * Called by a process that has already called selabel_open(3) with its
* required parameters, or if selinux_restorecon_default_handle(3) has been
* called to set the default selabel_open(3) parameters.
*/
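Review bot: The comment on `SELINUX_RESTORECON_SKIP_DIGEST` does not say what happens when it is combined with `SELINUX_RESTORECON_IGNORE_DIGEST`, which the first hunk of this file now documents as requiring CAP_SYS_ADMIN. A caller running without that capability needs to know which flag wins. It should also be told that, with the digest skipped, a recursive run presumably performs the full label check every time because no stored digest is consulted. I would extend the comment with a line such as `* If set together with SELINUX_RESTORECON_IGNORE_DIGEST, this flag takes precedence (TODO confirm against the implementation).`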
@@ -110,7 +115,7 @@ extern void selinux_restorecon_set_sehandle(struct selabel_handle *hndl);
/**
* selinux_restorecon_default_handle - Sets default selabel_open(3) parameters
* to use the currently loaded policy and
- * file_contexts, also requests the digest.
+ * file_contexts.
*
* Return value is the created handle on success or NULL with @errno set on
* failure.
@@ -134,12 +139,12 @@ extern void selinux_restorecon_set_exclude_list(const char **exclude_list);
extern int selinux_restorecon_set_alt_rootpath(const char *alt_rootpath);
/**
- * selinux_restorecon_xattr - Read/remove RESTORECON_LAST xattr entries.
+ * selinux_restorecon_xattr - Read/remove security.sehash xattr entries.
* @pathname: specifies directory path to check.
* @xattr_flags: specifies the actions to be performed.
* @xattr_list: a linked list of struct dir_xattr structures containing
* the directory, digest and result of the action on the
- * RESTORECON_LAST entry.
+ * security.sehash entry.
*
* selinux_restorecon_xattr(3) will automatically call
* selinux_restorecon_default_handle(3) and selinux_restorecon_set_sehandle(3)
diff --git a/libselinux/include/selinux/selinux.h b/libselinux/include/selinux/selinux.h
index f54f236b..7922d96b 100644
--- a/libselinux/include/selinux/selinux.h
+++ b/libselinux/include/selinux/selinux.h
@@ -258,7 +258,7 @@ extern int security_compute_user_raw(const char * scon,
/* Validate a transition. This determines whether a transition from scon to newcon
using tcon as the target for object class tclass is valid in the loaded policy.
This checks against the mlsvalidatetrans and validatetrans constraints in the loaded policy.
- Returns 0 if allowed and -1 if an error occured with errno set */
+ Returns 0 if allowed and -1 if an error occurred with errno set */
extern int security_validatetrans(const char *scon,
const char *tcon,
security_class_t tclass,
@@ -286,11 +286,7 @@ extern int security_get_initial_context_raw(const char *name,
* manipulating it as needed for current boolean settings and/or local
* definitions, and then calling security_load_policy to load it.
*
- * 'preservebools' is a boolean flag indicating whether current
- * policy boolean values should be preserved into the new policy (if 1)
- * or reset to the saved policy settings (if 0). The former case is the
- * default for policy reloads, while the latter case is an option for policy
- * reloads but is primarily for the initial policy load.
+ * 'preservebools' is no longer supported, set to 0.
*/
extern int selinux_mkload_policy(int preservebools);
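Review bot: The new `preservebools` comment says only "set to 0" and leaves open what `selinux_mkload_policy()` does when an existing caller still passes 1. The same gap applies to `permanent` on `security_set_boolean_list()` and to `security_load_booleans()` in the next hunk, and to the two path getters marked deprecated in the `@@ -569,8 +570,10 @@` hunk. `security_load_booleans()` is documented as always returning 0, so a caller that relied on it to apply local boolean settings now gets a success return with nothing loaded. I would state the ignored-argument behaviour explicitly, e.g. `* 'preservebools' is ignored; boolean values are <kept|reset> on reload (TODO confirm).` Marking the deprecated declarations with `__attribute__((deprecated))` would also let remaining callers be found at compile time rather than by reading comments.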
@@ -316,13 +312,15 @@ typedef struct {
char *name;
int value;
} SELboolean;
-/* save a list of booleans in a single transaction. */
+/* save a list of booleans in a single transaction. 'permanent' is no
+ * longer supported, set to 0.
+ */
extern int security_set_boolean_list(size_t boolcnt,
SELboolean * boollist, int permanent);
-/* Load policy boolean settings.
- Path may be NULL, in which case the booleans are loaded from
- the active policy boolean configuration file. */
+/* Load policy boolean settings. Deprecated as local policy booleans no
+ * longer supported. Will always return 0.
+ */
extern int security_load_booleans(char *path);
/* Check the validity of a security context. */
@@ -420,6 +418,9 @@ extern int security_av_string(security_class_t tclass,
/* Display an access vector in a string representation. */
extern void print_access_vector(security_class_t tclass, access_vector_t av);
+/* Flush the SELinux class cache, e.g. upon a policy reload. */
+extern void selinux_flush_class_cache(void);
+
/* Set the function used by matchpathcon_init when displaying
errors about the file_contexts configuration. If not set,
then this defaults to fprintf(stderr, fmt, ...). */
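Review bot: The one-line comment on `selinux_flush_class_cache()` does not say who is expected to call it or what becomes stale afterwards. The man-page text added later in this commit says class and permission values may change across a policy reload. The header should therefore say that values obtained earlier from `string_to_security_class()` / `string_to_av_perm()` must be looked up again after a flush, since a stale value would put the wrong class or permission into an access check. It should also say whether the call is safe while other threads are doing lookups, which is not visible here. Suggested wording: `/* Flush the SELinux class cache, e.g. from a SELINUX_CB_POLICYLOAD callback. Class and permission values obtained before the flush must be re-acquired. */`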
@@ -569,8 +570,10 @@ extern const char *selinux_systemd_contexts_path(void);
extern const char *selinux_contexts_path(void);
extern const char *selinux_securetty_types_path(void);
extern const char *selinux_booleans_subs_path(void);
+/* Deprecated as local policy booleans no longer supported. */
extern const char *selinux_booleans_path(void);
extern const char *selinux_customizable_types_path(void);
+/* Deprecated as policy ./users no longer supported. */
extern const char *selinux_users_path(void);
extern const char *selinux_usersconf_path(void);
extern const char *selinux_translations_path(void);
@@ -610,13 +613,13 @@ extern int selinux_check_securetty_context(const char * tty_context);
Normally, this is determined automatically during libselinux
initialization, but this is not always possible, e.g. for /sbin/init
which performs the initial mount of selinuxfs. */
-void set_selinuxmnt(const char *mnt);
+extern void set_selinuxmnt(const char *mnt);
/* Check if selinuxfs exists as a kernel filesystem */
-int selinuxfs_exists(void);
+extern int selinuxfs_exists(void);
/* clear selinuxmnt variable and free allocated memory */
-void fini_selinuxmnt(void);
+extern void fini_selinuxmnt(void);
/* Set an appropriate security context based on the filename of a helper
* program, falling back to a new context with the specified type. */
diff --git a/libselinux/man/man3/avc_has_perm.3 b/libselinux/man/man3/avc_has_perm.3
index 3e9fca84..62809f9a 100644
--- a/libselinux/man/man3/avc_has_perm.3
+++ b/libselinux/man/man3/avc_has_perm.3
@@ -34,6 +34,36 @@ avc_has_perm, avc_has_perm_noaudit, avc_audit, avc_entry_ref_init \- obtain and
.in
.
.SH "DESCRIPTION"
+
+Direct use of these functions is generally discouraged in favor of
+the higher level interface
+.BR selinux_check_access(3)
+since the latter automatically handles the dynamic mapping of class
+and permission names to their policy values and proper handling of
+allow_unknown.
+
+When using any of the functions that take policy integer values for
+classes or permissions as inputs, use
+.BR string_to_security_class(3)
+and
+.BR string_to_av_perm(3)
+to map the class and permission names to their policy values.
+These values may change across a policy reload, so they should be
+re-acquired on every use or using a
+.B SELINUX_CB_POLICYLOAD
+callback set via
+.BR selinux_set_callback(3).
+
+An alternative approach is to use
+.BR selinux_set_mapping(3)
+to create a mapping from class and permission index values
+used by the application to the policy values,
+thereby allowing the application to pass its own
+fixed constants for the classes and permissions to
+these functions and internally mapping them on demand.
+However, this also requires setting up a callback as above
+to address policy reloads.
+
.BR avc_entry_ref_init ()
initializes an
.B avc_entry_ref
@@ -146,11 +176,16 @@ Make sure that userspace object managers are granted appropriate access to
netlink by the policy.
.
.SH "AUTHOR"
-Eamon Walsh <ewalsh@tycho.nsa.gov>
+Originally Eamon Walsh. Updated by Stephen Smalley <sds@tycho.nsa.gov>
.
.SH "SEE ALSO"
.ad l
.nh
+.BR selinux_check_access(3),
+.BR string_to_security_class(3),
+.BR string_to_av_perm(3),
+.BR selinux_set_callback(3),
+.BR selinux_set_mapping(3),
.BR avc_init (3),
.BR avc_context_to_sid (3),
.BR avc_cache_stats (3),
diff --git a/libselinux/man/man3/security_compute_av.3 b/libselinux/man/man3/security_compute_av.3
index a7181bed..3de1b0fe 100644
--- a/libselinux/man/man3/security_compute_av.3
+++ b/libselinux/man/man3/security_compute_av.3
@@ -50,6 +50,39 @@ the SELinux policy database in the kernel
.BI "int checkPasswdAccess(access_vector_t " requested );
.
.SH "DESCRIPTION"
+
+This family of functions is used to obtain policy decisions from the
+SELinux kernel security server (policy engine). In general, direct use of
+.BR security_compute_av ()
+and its variant interfaces is discouraged in favor of using
+.BR selinux_check_access ()
+since the latter automatically handles the dynamic mapping of class
+and permission names to their policy values, initialization and use of
+the Access Vector Cache (AVC), and proper handling of per-domain and
+global permissive mode and allow_unknown.
+
+When using any of the functions that take policy integer values for
+classes or permissions as inputs, use
+.BR string_to_security_class(3)
+and
+.BR string_to_av_perm(3)
+to map the class and permission names to their policy values.
+These values may change across a policy reload, so they should be
+re-acquired on every use or using a
+.B SELINUX_CB_POLICYLOAD
+callback set via
+.BR selinux_set_callback(3).
+
+An alternative approach is to use
+.BR selinux_set_mapping(3)
+to create a mapping from class and permission index values
+used by the application to the policy values,
+thereby allowing the application to pass its own
+fixed constants for the classes and permissions to
+these functions and internally mapping them on demand.
+However, this also requires setting up a callback as above
+to address policy reloads.
+
.BR security_compute_av ()
queries whether the policy permits the source context
.I scon
@@ -102,13 +135,13 @@ instance.
.BR security_compute_user ()
is used to determine the set of user contexts that can be reached from a
source context. It is mainly used by
-.BR get_ordered_context_list ().
+.BR get_ordered_context_list (3).
.BR security_validatetrans ()
is used to determine if a transition from scon to newcon using tcon as the object
is valid for object class tclass. This checks against the mlsvalidatetrans and
validatetrans constraints in the loaded policy. Returns 0 if allowed, and -1
-if an error occured with errno set.
+if an error occurred with errno set.
.BR security_get_initial_context ()
is used to get the context of a kernel initial security identifier specified by
@@ -135,7 +168,9 @@ is used to check for a permission in the
.I passwd
class.
.BR selinux_check_passwd_access ()
-uses getprevcon() for the source and target security contexts.
+uses
+.BR getprevcon(3)
+for the source and target security contexts.
.BR checkPasswdAccess ()
is a deprecated alias of the
@@ -146,4 +181,10 @@ function.
Returns zero on success or \-1 on error.
.
.SH "SEE ALSO"
-.BR selinux "(8), " getcon "(3), " getfilecon "(3), " get_ordered_context_list "(3)"
+.BR string_to_security_class (3),
+.BR string_to_av_perm (3),
+.BR selinux_set_callback (3),
+.BR selinux_set_mapping (3),
+.BR getprevcon (3),
+.BR get_ordered_context_list (3),
+.BR selinux (8)
diff --git a/libselinux/man/man3/security_load_booleans.3 b/libselinux/man/man3/security_load_booleans.3
index 3b0bbeaf..25922f1a 100644
--- a/libselinux/man/man3/security_load_booleans.3
+++ b/libselinux/man/man3/security_load_booleans.3
@@ -1,13 +1,11 @@
.TH "security_get_boolean_names" "3" "15 November 2004" "dwalsh@redhat.com" "SELinux API Documentation"
.SH "NAME"
-security_load_booleans, security_set_boolean, security_commit_booleans,
+security_set_boolean, security_commit_booleans,
security_get_boolean_names, security_get_boolean_active,
security_get_boolean_pending \- routines for manipulating SELinux boolean values
.
.SH "SYNOPSIS"
.B #include <selinux/selinux.h>
-.sp
-.BI "int security_load_booleans(char *" path ");"
.sp
.BI "int security_get_boolean_names(char ***" names ", int *" len ");"
.sp
@@ -30,10 +28,6 @@ policy without having to load a new policy.
The SELinux API allows for a transaction based update. So you can
set several boolean values and then commit them all at once.
-.BR security_load_booleans ()
-loads policy boolean settings. Path may be NULL, in which case the
-booleans are loaded from the active policy boolean configuration file.
-
.BR security_get_boolean_names ()
provides a list of boolean names, currently supported by the loaded policy.
@@ -47,7 +41,9 @@ returns the active value for boolean or \-1 on failure.
sets the pending value for boolean
.BR security_set_boolean_list ()
-saves a list of booleans in a single transaction.
+saves a list of booleans in a single transaction. Note that the
+.BI int " permanent "
+flag is deprecated and should be set to zero.
.BR security_commit_booleans ()
commits all pending values for the booleans.
diff --git a/libselinux/man/man3/selabel_get_digests_all_partial_matches.3 b/libselinux/man/man3/selabel_get_digests_all_partial_matches.3
new file mode 100644
index 00000000..23663755
--- /dev/null
+++ b/libselinux/man/man3/selabel_get_digests_all_partial_matches.3
@@ -0,0 +1,70 @@
+.TH "selabel_get_digests_all_partial_matches" "3" "14 April 2019" "SELinux API documentation"
+
+.SH "NAME"
+selabel_get_digests_all_partial_matches \- retrieve the partial matches digest
+and the xattr digest that applies to the supplied path \- Only supported
+on file backend.
+.
+.SH "SYNOPSIS"
+.B #include <stdbool.h>
+.br
+.B #include <selinux/selinux.h>
+.br
+.B #include <selinux/label.h>
+.sp
+.BI "bool selabel_get_digests_all_partial_matches("
+.in +\w'selabel_get_digests_all_partial_matches('u
+.BI "struct selabel_handle *" hnd ,
+.br
+.BI "const char *" key ,
+.br
+.BI "uint8_t **" calculated_digest ,
+.br
+.BI "uint8_t **" xattr_digest ,
+.br
+.BI "size_t *" digest_len ");"
+.in
+.
+.SH "DESCRIPTION"
+.BR selabel_get_digests_all_partial_matches ()
+retrieves the file_contexts partial matches digest and the xattr digest that
+applies to the supplied path on the handle
+.IR hnd .
+.br
+The
+.IR key
+parameter is the path to retrieve the digests.
+.br
+The
+.IR calculated_digest
+is a pointer to the
+.IR key
+calculated file_contexts digest of all applicable partial matches, or NULL if
+none exist. The caller must
+.BR free (3)
+the buffer.
+.br
+The
+.IR xattr_digest
+is a pointer to the
+.IR key
+.BR xattr (7)
+stored digest, or NULL if it does not exist.
+The caller must
+.BR free (3)
+the buffer.
+.br
+The
+.IR digest_len
+is the length of the digests that will always be returned (even if both are
+NULL). Note that if both digests are returned, they will always be the same length.
+.sp
+.SH "RETURN VALUE"
+TRUE if the digests match or FALSE if they do not or either or both are missing.
+.sp
+.SH "SEE ALSO"
+.BR selinux_restorecon (3),
+.BR selabel_partial_match (3),
+.BR selabel_open (3),
+.BR selinux (8),
+.BR selabel_file (5)
diff --git a/libselinux/man/man3/selinux_binary_policy_path.3 b/libselinux/man/man3/selinux_binary_policy_path.3
index edaa3b8b..01538688 100644
--- a/libselinux/man/man3/selinux_binary_policy_path.3
+++ b/libselinux/man/man3/selinux_binary_policy_path.3
@@ -4,7 +4,7 @@ selinux_path, selinux_policy_root, selinux_binary_policy_path, selinux_current_p
selinux_failsafe_context_path, selinux_removable_context_path,
selinux_default_context_path, selinux_user_contexts_path,
selinux_file_context_path, selinux_media_context_path,
-selinux_contexts_path, selinux_booleans_path \- These functions return the paths to the active SELinux policy configuration
+selinux_contexts_path \- These functions return the paths to the active SELinux policy configuration
directories and files
.
.SH "SYNOPSIS"
@@ -40,8 +40,6 @@ directories and files
.B const char *selinux_securetty_types_path(void);
.sp
.B const char *selinux_contexts_path(void);
-.sp
-.B const char *selinux_booleans_path(void);
.
.SH "DESCRIPTION"
These functions return the paths to the active policy configuration
@@ -104,9 +102,6 @@ returns the directory containing all of the context configuration files.
.sp
.BR selinux_securetty_types_path ()
returns the defines tty types for newrole securettys.
-.sp
-.BR selinux_booleans_path ()
-returns the initial policy boolean settings.
.
.SH AUTHOR
This manual page was written by Dan Walsh <dwalsh@redhat.com>.
diff --git a/libselinux/man/man3/selinux_booleans_path.3 b/libselinux/man/man3/selinux_booleans_path.3
deleted file mode 100644
index 175a611a..00000000
--- a/libselinux/man/man3/selinux_booleans_path.3
+++ /dev/null
@@ -1 +0,0 @@
-.so man3/selinux_binary_policy_path.3
diff --git a/libselinux/man/man3/selinux_restorecon.3 b/libselinux/man/man3/selinux_restorecon.3
index 1eac6ed4..f6e5f2d7 100644
--- a/libselinux/man/man3/selinux_restorecon.3
+++ b/libselinux/man/man3/selinux_restorecon.3
@@ -28,39 +28,53 @@ If this is a directory and the
.B SELINUX_RESTORECON_RECURSE
has been set (for descending through directories), then
.BR selinux_restorecon ()
-will write an SHA1 digest of the combined specfiles (see the
+will write an SHA1 digest of specfile entries calculated by
+.BR selabel_get_digests_all_partial_matches (3)
+to an extended attribute of
+.IR security.sehash
+once the relabeling has been completed successfully (see the
.B NOTES
-section for details) to an extended attribute of
-.IR security.restorecon_last
-once the relabeling has been completed successfully. This digest will be
-checked should
+section for details).
+.br
+These digests will be checked should
.BR selinux_restorecon ()
-be rerun
-with the
+be rerun with the
.IR restorecon_flags
.B SELINUX_RESTORECON_RECURSE
-flag set. If any of the specfiles had been updated, the digest
+flag set. If any of the specfile entries had been updated, the digest
will also be updated. However if the digest is the same, no relabeling checks
-will take place (unless the
+will take place.
+.br
+The
+.IR restorecon_flags
+that can be used to manage the usage of the SHA1 digest are:
+.RS
+.B SELINUX_RESTORECON_SKIP_DIGEST
+.br
.B SELINUX_RESTORECON_IGNORE_DIGEST
-flag is set).
+.RE
.sp
.IR restorecon_flags
contains the labeling option/rules as follows:
.sp
.RS
.sp
+.B SELINUX_RESTORECON_SKIP_DIGEST
+Do not check or update any extended attribute
+.IR security.sehash
+entries.
+.sp
.B SELINUX_RESTORECON_IGNORE_DIGEST
force the checking of labels even if the stored SHA1 digest matches the
-specfiles SHA1 digest. The specfiles digest will be written to the
-.IR security.restorecon_last
+specfile entries SHA1 digest. The specfile entries digest will be written to the
+.IR security.sehash
extended attribute once relabeling has been completed successfully provided the
.B SELINUX_RESTORECON_NOCHANGE
flag has not been set.
.sp
.B SELINUX_RESTORECON_NOCHANGE
don't change any file labels (passive check) or update the digest in the
-.IR security.restorecon_last
+.IR security.sehash
extended attribute.
.sp
.B SELINUX_RESTORECON_SET_SPECFILE_CTX
@@ -70,7 +84,7 @@ default specfile context.
.sp
.B SELINUX_RESTORECON_RECURSE
change file and directory labels recursively (descend directories)
-and if successful write an SHA1 digest of the combined specfiles to an
+and if successful write an SHA1 digest of the specfile entries to an
extended attribute as described in the
.B NOTES
section.
@@ -182,12 +196,13 @@ To improve performance when relabeling file systems recursively (e.g. the
.B SELINUX_RESTORECON_RECURSE
flag is set)
.BR selinux_restorecon ()
-will write an SHA1 digest of the specfiles that are processed by
-.BR selabel_open (3)
+will write a calculated SHA1 digest of the specfile entries returned by
+.BR selabel_get_digests_all_partial_matches (3)
to an extended attribute named
-.IR security.restorecon_last
-to the directory specified in the
-.IR pathname .
+.IR security.sehash
+for each directory in the
+.IR pathname
+path.
.IP "2." 4
To check the extended attribute entry use
.BR getfattr (1) ,
@@ -195,40 +210,26 @@ for example:
.sp
.RS
.RS
-getfattr -e hex -n security.restorecon_last /
+getfattr -e hex -n security.sehash /
.RE
.RE
.IP "3." 4
-The SHA1 digest is calculated by
-.BR selabel_open (3)
-concatenating the specfiles it reads during initialisation with the
-resulting digest and list of specfiles being retrieved by
-.BR selabel_digest (3).
-.IP "4." 4
-The specfiles consist of the mandatory
-.I file_contexts
-file plus any subs, subs_dist, local and homedir entries (text or binary versions)
-as determined by any
-.BR selabel_open (3)
-options e.g.
-.BR SELABEL_OPT_BASEONLY .
-.sp
-Should any of the specfiles have changed, then when
+Should any of the specfile entries have changed, then when
.BR selinux_restorecon ()
is run again with the
.B SELINUX_RESTORECON_RECURSE
-flag set, a new SHA1 digest will be calculated and all files will be automatically
+flag set, new SHA1 digests will be calculated and all files automatically
relabeled depending on the settings of the
.B SELINUX_RESTORECON_SET_SPECFILE_CTX
flag (provided
.B SELINUX_RESTORECON_NOCHANGE
is not set).
-.IP "5." 4
+.IP "4." 4
.B /sys
and in-memory filesystems do not support the
-.IR security.restorecon_last
+.IR security.sehash
extended attribute and are automatically excluded from any relabeling checks.
-.IP "6." 4
+.IP "5." 4
By default
.B stderr
is used to log output messages and errors. This may be changed by calling
@@ -239,6 +240,8 @@ with the
option.
.
.SH "SEE ALSO"
+.BR selabel_get_digests_all_partial_matches (3),
+.br
.BR selinux_restorecon_set_sehandle (3),
.br
.BR selinux_restorecon_default_handle (3),
diff --git a/libselinux/man/man3/selinux_restorecon_xattr.3 b/libselinux/man/man3/selinux_restorecon_xattr.3
index 516d2669..c5632681 100644
--- a/libselinux/man/man3/selinux_restorecon_xattr.3
+++ b/libselinux/man/man3/selinux_restorecon_xattr.3
@@ -2,7 +2,7 @@
.SH "NAME"
selinux_restorecon_xattr \- manage default
-.I security.restorecon_last
+.I security.sehash
extended attribute entries added by
.BR selinux_restorecon (3),
.BR setfiles (8)
@@ -29,7 +29,7 @@ structures containing information described below based on:
.RS
.IR pathname
containing a directory tree to be searched for
-.I security.restorecon_last
+.I security.sehash
extended attribute entries.
.sp
.IR xattr_flags
@@ -119,7 +119,7 @@ By default
.BR selinux_restorecon_xattr (3)
will use the default set of specfiles described in
.BR files_contexts (5)
-to calculate the initial SHA1 digest to be used for comparison.
+to calculate the SHA1 digests to be used for comparison.
To change this default behavior
.BR selabel_open (3)
must be called specifying the required
@@ -143,7 +143,7 @@ flag has been set.
and
.B TMPFS
filesystems do not support the
-.IR security.restorecon_last
+.IR security.sehash
extended attribute and are automatically excluded from searches.
.IP "4." 4
By default
diff --git a/libselinux/man/man3/selinux_set_mapping.3 b/libselinux/man/man3/selinux_set_mapping.3
index a93f7b29..4624fbc7 100644
--- a/libselinux/man/man3/selinux_set_mapping.3
+++ b/libselinux/man/man3/selinux_set_mapping.3
@@ -19,7 +19,19 @@ struct security_class_mapping {
.
.SH "DESCRIPTION"
.BR selinux_set_mapping ()
-establishes a mapping from a user-provided ordering of object classes and permissions to the numbers actually used by the loaded system policy. Use of this function is highly preferred over the generated constants in the libselinux header files, as this method allows the policy's class and permission values to change over time.
+establishes a mapping from a user-provided ordering of object classes and permissions to the numbers actually used by the loaded system policy. If using this function, applications should also set a
+.B SELINUX_CB_POLICYLOAD
+callback via
+.BR selinux_set_callback(3)
+that calls this function again upon a policy reload to re-create the mapping
+in case the class or permission values change in the new policy.
+Generally it is preferred to instead use
+.BR selinux_check_access(3)
+instead of
+.BR avc_has_perm(3)
+or
+.BR security_compute_av(3)
+and not use this function at all.
After the mapping is established, all libselinux functions that operate on class and permission values take the user-provided numbers, which are determined as follows:
@@ -81,8 +93,10 @@ and
class) will be identified by 1, 2, 4, and 8 respectively. Classes and permissions not listed in the mapping cannot be used.
.
.SH "AUTHOR"
-Eamon Walsh <ewalsh@tycho.nsa.gov>
+Originally Eamon Walsh. Updated by Stephen Smalley <sds@tycho.nsa.gov>
.
.SH "SEE ALSO"
-.BR avc_open (8),
+.BR selinux_check_access (3),
+.BR selinux_set_callback (3),
+.BR avc_has_perm (3),
.BR selinux (8)
diff --git a/libselinux/man/man5/booleans.5 b/libselinux/man/man5/booleans.5
deleted file mode 100644
index 2e9caa71..00000000
--- a/libselinux/man/man5/booleans.5
+++ /dev/null
@@ -1,80 +0,0 @@
-.TH "booleans" "5" "28-Nov-2011" "Security Enhanced Linux" "SELinux configuration"
-.SH "NAME"
-booleans \- The SELinux booleans configuration files
-.
-.SH "DESCRIPTION"
-The \fIbooleans\fR file, if present contains booleans to support a specific distribution.
-.sp
-The \fIbooleans.local\fR file, if present contains locally generated booleans.
-.sp
-Both files contain a list of boolean names and their associated values.
-.sp
-Generally the \fIbooleans\fR and/or \fIbooleans.local\fR files are not present (they have been deprecated). However if there is an SELinux-aware application that uses the libselinux functions listed below, then these files may be present:
-.sp
-.RS
-.BR security_set_boolean_list "(3) "
-.RS
-Writes a \fIbooleans.local\fR file if flag \fIpermanent\fR = \fI1\fR.
-.sp
-.RE
-.RE
-.RS
-.BR security_load_booleans "(3) "
-.RS
-Looks for a \fIbooleans\fR and/or \fIbooleans.local\fR file at \fBselinux_booleans_path\fR(3) unless a specific path is specified as a parameter.
-.RE
-.RE
-.sp
-\fBbooleans\fR(8) has details on booleans and \fBsetsebool\fR(8) describes how booleans can now be set persistent across reboots.
-.sp
-\fBselinux_booleans_path\fR(3) will return the active policy path to these files. The default boolean files are:
-.RS
-.I /etc/selinux/{SELINUXTYPE}/booleans
-.br
-.I /etc/selinux/{SELINUXTYPE}/booleans.local
-.RE
-.sp
-Where \fI{SELINUXTYPE}\fR is the entry from the selinux configuration file \fIconfig\fR (see \fBselinux_config\fR(5)).
-.
-.SH "FILE FORMAT"
-Both boolean files have the same format and contain one or more boolean names and their value.
-.sp
-The format is:
-.RS
-.I boolean_name
-.I value
-.sp
-.RE
-Where:
-.RS
-.I boolean_name
-.RS
-The name of the boolean.
-.RE
-.I value
-.RS
-The default setting for the boolean. This can be one of the following:
-.RS
-.IR true " | " false " | " 1 " | " 0
-.RE
-.RE
-.RE
-.sp
-Note that if
-.B SETLOCALDEFS
-is set in the SELinux
-.I config
-file (see
-.BR selinux_config "(5)), then " selinux_mkload_policy "(3) will check for a "
-.I booleans.local
-file in the
-.BR selinux_booleans_path (3)
-and also a
-.I local.users
-file (see
-.BR local.users "(5)) in the " selinux_users_path "(3). "
-.
-.SH "SEE ALSO"
-.ad l
-.nh
-.BR selinux "(8), " booleans "(8), " setsebool "(8), " semanage "(8), " selinux_booleans_path "(3), " security_set_boolean_list "(3), " security_load_booleans "(3), " selinux_mkload_policy "(3), " selinux_users_path "(3), " selinux_config "(5), " local.users "(5) "
diff --git a/libselinux/man/man5/local.users.5 b/libselinux/man/man5/local.users.5
deleted file mode 100644
index 94d46735..00000000
--- a/libselinux/man/man5/local.users.5
+++ /dev/null
@@ -1,68 +0,0 @@
-.TH "local.users" "5" "28-Nov-2011" "Security Enhanced Linux" "SELinux configuration"
-.SH "NAME"
-local.users \- The SELinux local users configuration file
-.
-.SH "DESCRIPTION"
-The file contains local user definitions in the form of policy language user statements and is only found on older SELinux systems as it has been deprecated and replaced by the \fBsemange\fR(8) services.
-.sp
-This file is only read by \fBselinux_mkload_policy\fR(3) when \fBSETLOCALDEFS\fR in the SELinux \fIconfig\fR file (see \fBselinux_config\fR(5)) is set to \fI1\fR.
-.sp
-.BR selinux_users_path "(3) "
-will return the active policy path to the directory where this file is located. The default local users file is:
-.RS
-.I /etc/selinux/{SELINUXTYPE}/contexts/users/local.users
-.RE
-.sp
-Where \fI{SELINUXTYPE}\fR is the entry from the selinux configuration file \fIconfig\fR (see \fBselinux_config\fR(5)).
-.
-.SH "FILE FORMAT"
-The file consists of one or more entries terminated with '\fB;\fR', each on a separate line as follows:
-.RS
-\fBuser \fIseuser_id \fBroles \fIrole_id\fR [[\fBlevel \fIlevel\fR] [\fBrange \fIrange\fR]]\fB;\fR
-.RE
-.sp
-Where:
-.RS
-.B user
-.RS
-The user keyword.
-.RE
-.I seuser_id
-.RS
-The SELinux user identifier.
-.RE
-.B roles
-.RS
-The roles keyword.
-.RE
-.I role_id
-.RS
-One or more previously declared role identifiers. Multiple role identifiers consist of a space separated list enclosed in braces '{}'.
-.RE
-.B level
-.RS
-If MLS/MCS is configured, the level keyword.
-.RE
-.I level
-.RS
-The users default security level. Note that only the sensitivity component of the level (e.g. s0) is required.
-.RE
-.B range
-.RS
-If MLS/MCS is configured, the range keyword.
-.RE
-.I range
-.RS
-The current and clearance levels that the user can run. These are separated by a hyphen '\fB-\fR' as shown in the \fBEXAMPLE\fR section.
-.RE
-.RE
-.
-.SH "EXAMPLE"
-# ./users/local.users
-.br
-user test_u roles staff_r level s0 range s0 \- s15:c0.c1023;
-.
-.SH "SEE ALSO"
-.ad l
-.nh
-.BR selinux "(8), " semanage "(8), " selinux_users_path "(3), " selinux_config "(5), " selinux_mkload_policy "(3) "
diff --git a/libselinux/man/man5/secolor.conf.5 b/libselinux/man/man5/secolor.conf.5
index b834577a..a3bf2da1 100644
--- a/libselinux/man/man5/secolor.conf.5
+++ b/libselinux/man/man5/secolor.conf.5
@@ -123,7 +123,7 @@ range s7\-s7:c0.c1023 = black red
.br
range s9\-s9:c0.c1023 = black orange
.br
-range s15:c0.c1023 = black yellow
+range s15\-s15:c0.c1023 = black yellow
.RE
.sp
@@ -165,7 +165,7 @@ type xguest_t = black green
.br
user sysadm_u = white black
.br
-range s0:c0.c1023 = black white
+range s0-s0:c0.c1023 = black white
.br
user * = black white
.br
diff --git a/libselinux/man/man8/selinux.8 b/libselinux/man/man8/selinux.8
index e37aee68..31364271 100644
--- a/libselinux/man/man8/selinux.8
+++ b/libselinux/man/man8/selinux.8
@@ -10,7 +10,7 @@ enforcement of many kinds of mandatory access control policies,
including those based on the concepts of Type Enforcement®, Role-
Based Access Control, and Multi-Level Security. Background
information and technical documentation about SELinux can be found at
-http://www.nsa.gov/research/selinux.
+https://github.com/SELinuxProject.
The
.I /etc/selinux/config
diff --git a/libselinux/man/ru/man5/booleans.5 b/libselinux/man/ru/man5/booleans.5
deleted file mode 100644
index 1471e58b..00000000
--- a/libselinux/man/ru/man5/booleans.5
+++ /dev/null
@@ -1,83 +0,0 @@
-.TH "booleans" "5" "28 ноÑÐ±Ñ€Ñ 2011" "Security Enhanced Linux" "ÐšÐ¾Ð½Ñ„Ð¸Ð³ÑƒÑ€Ð°Ñ†Ð¸Ñ SELinux"
-.SH "ИМЯ"
-booleans \- файлы конфигурации логичеÑких переключателей SELinux
-.
-.SH "ОПИСÐÐИЕ"
-Файл \fIbooleans\fR (еÑли имеетÑÑ) Ñодержит логичеÑкие переключатели, обеÑпечивающие поддержку определённого диÑтрибутива.
-.sp
-Файл \fIbooleans.local\fR (еÑли имеетÑÑ) Ñодержит Ñозданные локально логичеÑкие переключатели.
-.sp
-Оба файла Ñодержат ÑпиÑок имён логичеÑких переключателей и ÑоответÑтвующих Ñтим именам значений.
-.sp
-Обычно файл \fIbooleans\fR и/или файл \fIbooleans.local\fR отÑутÑтвуют (они уÑтарели). Ðо Ñти файлы могут приÑутÑтвовать, еÑли имеетÑÑ Ð¿Ñ€Ð¸Ð»Ð¾Ð¶ÐµÐ½Ð¸Ðµ, которое поддерживает SELinux и иÑпользует перечиÑленные далее функции libselinux:
-.sp
-.RS
-.BR security_set_boolean_list "(3) "
-.RS
-ЗапиÑывает файл \fIbooleans.local\fR, еÑли флаг \fIpermanent\fR = \fI1\fR.
-.sp
-.RE
-.RE
-.RS
-.BR security_load_booleans "(3) "
-.RS
-ВыполнÑет поиÑк файла \fIbooleans\fR и/или файла \fIbooleans.local\fR по адреÑу \fBselinux_booleans_path\fR(3) (еÑли в качеÑтве параметра не указан конкретный путь).
-.RE
-.RE
-.sp
-\fBbooleans\fR(8) Ñодержит подробные ÑÐ²ÐµÐ´ÐµÐ½Ð¸Ñ Ð¾ логичеÑких переключателÑÑ…, а \fBsetsebool\fR(8) - опиÑание того, как уÑтановить логичеÑкие переключатели, которые не будут ÑбраÑыватьÑÑ Ð¿Ñ€Ð¸ перезагрузках.
-.sp
-\fBselinux_booleans_path\fR(3) вернёт путь активной политики к Ñтим файлам. Файлы логичеÑких переключателей по умолчанию:
-.RS
-.I /etc/selinux/{SELINUXTYPE}/booleans
-.br
-.I /etc/selinux/{SELINUXTYPE}/booleans.local
-.RE
-.sp
-Где \fI{SELINUXTYPE}\fR - запиÑÑŒ из файла конфигурации selinux \fIconfig\fR (Ñм. \fBselinux_config\fR(5)).
-.
-.SH "ФОРМÐТ ФÐЙЛÐ"
-Оба файла имеют один и тот же формат и Ñодержат одно или неÑколько имён логичеÑких переключателей и их значениÑ.
-.sp
-Формат:
-.RS
-.I boolean_name
-.I value
-.sp
-.RE
-Где:
-.RS
-.I boolean_name
-.RS
-Ð˜Ð¼Ñ Ð»Ð¾Ð³Ð¸Ñ‡ÐµÑкого переключателÑ.
-.RE
-.I value
-.RS
-Значение логичеÑкого Ð¿ÐµÑ€ÐµÐºÐ»ÑŽÑ‡Ð°Ñ‚ÐµÐ»Ñ Ð¿Ð¾ умолчанию. Может быть одним из Ñледующих:
-.RS
-.IR true " | " false " | " 1 " | " 0
-.RE
-.RE
-.RE
-.sp
-ЕÑли
-.B SETLOCALDEFS
-указано в файле
-.I config
-SELinux (Ñм.
-.BR selinux_config "(5)), то " selinux_mkload_policy "(3) будет проверÑÑ‚ÑŒ наличие файла "
-.I booleans.local
-по адреÑу
-.BR selinux_booleans_path (3),
-а также файла
-.I local.users
-(Ñм.
-.BR local.users "(5)) по адреÑу " selinux_users_path "(3). "
-.
-.SH "СМОТРИТЕ ТÐКЖЕ"
-.ad l
-.nh
-.BR selinux "(8), " booleans "(8), " setsebool "(8), " semanage "(8), " selinux_booleans_path "(3), " security_set_boolean_list "(3), " security_load_booleans "(3), " selinux_mkload_policy "(3), " selinux_users_path "(3), " selinux_config "(5), " local.users "(5) "
-
-.SH ÐВТОРЫ
-Перевод на руÑÑкий Ñзык выполнила ГераÑименко ОлеÑÑ <gammaray@basealt.ru>.
diff --git a/libselinux/man/ru/man5/local.users.5 b/libselinux/man/ru/man5/local.users.5
deleted file mode 100644
index ca9f201d..00000000
--- a/libselinux/man/ru/man5/local.users.5
+++ /dev/null
@@ -1,72 +0,0 @@
-.TH "local.users" "5" "28 ноÑÐ±Ñ€Ñ 2011" "Security Enhanced Linux" "ÐšÐ¾Ð½Ñ„Ð¸Ð³ÑƒÑ€Ð°Ñ†Ð¸Ñ SELinux"
-.SH "ИМЯ"
-local.users \- файл конфигурации локальных пользователей SELinux
-.
-.SH "ОПИСÐÐИЕ"
-Файл Ñодержит Ð¾Ð¿Ñ€ÐµÐ´ÐµÐ»ÐµÐ½Ð¸Ñ Ð»Ð¾ÐºÐ°Ð»ÑŒÐ½Ñ‹Ñ… пользователей в виде инÑтрукций пользователей на Ñзыке политики. Этот файл имеетÑÑ Ñ‚Ð¾Ð»ÑŒÐºÐ¾ в Ñтарых верÑиÑÑ… ÑиÑтем SELinux, так как он уÑтарел и был заменён Ñлужбами \fBsemanage\fR(8).
-.sp
-\fBselinux_mkload_policy\fR(3) выполнÑет чтение Ñтого файла только тогда, когда Ð´Ð»Ñ \fBSETLOCALDEFS\fR в файле \fIconfig\fR SELinux (Ñм. \fBselinux_config\fR(5)) уÑтановлено значение \fI1\fR.
-.sp
-.BR selinux_users_path "(3) "
-возвращает путь активной политики к каталогу, в котором раÑположен файл. Файл локальных пользователей по умолчанию:
-.RS
-.I /etc/selinux/{SELINUXTYPE}/contexts/users/local.users
-.RE
-.sp
-Где \fI{SELINUXTYPE}\fR - запиÑÑŒ из файла конфигурации selinux \fIconfig\fR (Ñм. \fBselinux_config\fR(5)).
-.
-.SH "ФОРМÐТ ФÐЙЛÐ"
-Файл ÑоÑтоит из одной или неÑкольких запиÑей, которые заканчиваютÑÑ '\fB;\fR', ÐºÐ°Ð¶Ð´Ð°Ñ Ð½Ð° отдельной Ñтроке:
-.RS
-\fBuser \fIseuser_id \fBroles \fIrole_id\fR [[\fBlevel \fIlevel\fR] [\fBrange \fIrange\fR]]\fB;\fR
-.RE
-.sp
-Где:
-.RS
-.B user
-.RS
-Ключевое Ñлово user (пользователь).
-.RE
-.I seuser_id
-.RS
-Идентификатор Ð¿Ð¾Ð»ÑŒÐ·Ð¾Ð²Ð°Ñ‚ÐµÐ»Ñ SELinux.
-.RE
-.B roles
-.RS
-Ключевое Ñлово roles (роли).
-.RE
-.I role_id
-.RS
-Один или неÑколько ранее объÑвленных идентификаторов ролей. ÐеÑколько идентификаторов ролей - Ñто разделённый пробелами ÑпиÑок, который заключён в Ñкобки '{}'.
-.RE
-.B level
-.RS
-ЕÑли наÑтроена ÑиÑтема MLS/MCS, ключевое Ñлово level (уровень).
-.RE
-.I level
-.RS
-Уровень безопаÑноÑти Ð¿Ð¾Ð»ÑŒÐ·Ð¾Ð²Ð°Ñ‚ÐµÐ»Ñ Ð¿Ð¾ умолчанию. Обратите внимание, что обÑзательным ÑвлÑетÑÑ Ñ‚Ð¾Ð»ÑŒÐºÐ¾ компонент конфиденциальноÑти ÑƒÑ€Ð¾Ð²Ð½Ñ (например, s0).
-.RE
-.B range
-.RS
-ЕÑли наÑтроена ÑиÑтема MLS/MCS, ключевое Ñлово range (диапазон).
-.RE
-.I range
-.RS
-Текущий уровень и уровень допуÑка пользователÑ. Они разделены дефиÑом '\fB-\fR' (как показано в разделе \fBПРИМЕР\fR).
-.RE
-.RE
-.
-.SH "ПРИМЕР"
-# ./users/local.users
-.br
-user test_u roles staff_r level s0 range s0 \- s15:c0.c1023;
-.
-.SH "СМОТРИТЕ ТÐКЖЕ"
-.ad l
-.nh
-.BR selinux "(8), " semanage "(8), " selinux_users_path "(3), " selinux_config "(5), " selinux_mkload_policy "(3) "
-
-
-.SH ÐВТОРЫ
-Перевод на руÑÑкий Ñзык выполнила ГераÑименко ОлеÑÑ <gammaray@basealt.ru>.
diff --git a/libselinux/man/ru/man5/secolor.conf.5 b/libselinux/man/ru/man5/secolor.conf.5
index 4c1236ae..bcae80c1 100644
--- a/libselinux/man/ru/man5/secolor.conf.5
+++ b/libselinux/man/ru/man5/secolor.conf.5
@@ -121,7 +121,7 @@ range s7\-s7:c0.c1023 = black red
.br
range s9\-s9:c0.c1023 = black orange
.br
-range s15:c0.c1023 = black yellow
+range s15\-s15:c0.c1023 = black yellow
.RE
.sp
@@ -163,7 +163,7 @@ type xguest_t = black green
.br
user sysadm_u = white black
.br
-range s0:c0.c1023 = black white
+range s0\-s0:c0.c1023 = black white
.br
user * = black white
.br
diff --git a/libselinux/man/ru/man8/selinux.8 b/libselinux/man/ru/man8/selinux.8
index 5cc48df8..271809de 100644
--- a/libselinux/man/ru/man8/selinux.8
+++ b/libselinux/man/ru/man8/selinux.8
@@ -9,7 +9,7 @@ Linux Ñ ÑƒÐ»ÑƒÑ‡ÑˆÐµÐ½Ð½Ð¾Ð¹ безопаÑноÑтью от NSA - Ñто реÐ
Ð²ÐºÐ»ÑŽÑ‡Ð°Ñ Ð¾Ñнованные на концепциÑÑ… Type Enforcement® (принудительное приÑвоение типов),
Role-Based Access Control (управление доÑтупом на оÑнове ролей) и Multi-Level Security
(Ð¼Ð½Ð¾Ð³Ð¾ÑƒÑ€Ð¾Ð²Ð½ÐµÐ²Ð°Ñ Ð±ÐµÐ·Ð¾Ð¿Ð°ÑноÑÑ‚ÑŒ). Ð”Ð¾Ð¿Ð¾Ð»Ð½Ð¸Ñ‚ÐµÐ»ÑŒÐ½Ð°Ñ Ð¸Ð½Ñ„Ð¾Ñ€Ð¼Ð°Ñ†Ð¸Ñ Ð¸ техничеÑÐºÐ°Ñ Ð´Ð¾ÐºÑƒÐ¼ÐµÐ½Ñ‚Ð°Ñ†Ð¸Ñ Ð¿Ð¾
-SELinux доÑтупна по адреÑу http://www.nsa.gov/research/selinux.
+SELinux доÑтупна по адреÑу https://github.com/SELinuxProject.
Файл конфигурации
.I /etc/selinux/config
diff --git a/libselinux/src/.gitignore b/libselinux/src/.gitignore
index 4dcc3b3b..001f20b0 100644
--- a/libselinux/src/.gitignore
+++ b/libselinux/src/.gitignore
@@ -1,4 +1,3 @@
selinux.py
-selinuxswig_wrap.c
-selinuxswig_python_exception.i
+selinuxswig_python_wrap.c
selinuxswig_ruby_wrap.c
diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile
index e9ed0383..7f5a5d74 100644
--- a/libselinux/src/Makefile
+++ b/libselinux/src/Makefile
@@ -36,7 +36,7 @@ TARGET=libselinux.so
LIBPC=libselinux.pc
SWIGIF= selinuxswig_python.i selinuxswig_python_exception.i
SWIGRUBYIF= selinuxswig_ruby.i
-SWIGCOUT= selinuxswig_wrap.c
+SWIGCOUT= selinuxswig_python_wrap.c
SWIGPYOUT= selinux.py
SWIGRUBYCOUT= selinuxswig_ruby_wrap.c
SWIGLOBJ:= $(patsubst %.c,$(PYPREFIX)%.lo,$(SWIGCOUT))
@@ -55,7 +55,7 @@ ifeq ($(LIBSEPOLA),)
LDLIBS_LIBSEPOLA := -l:libsepol.a
endif
-GENERATED=$(SWIGCOUT) $(SWIGRUBYCOUT) selinuxswig_python_exception.i
+GENERATED=$(SWIGCOUT) $(SWIGRUBYCOUT) $(SWIGCOUT) selinuxswig_python_exception.i
SRCS= $(filter-out $(GENERATED) audit2why.c, $(sort $(wildcard *.c)))
MAX_STACK_SIZE=32768
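Review bot: `$(SWIGCOUT)` now appears twice in `GENERATED`, which looks like a leftover from renaming the wrapper file. The duplicate is harmless for the `filter-out` on the following line, but it suggests a second, different file was meant to be listed. If nothing else was intended, the line can be `GENERATED=$(SWIGCOUT) $(SWIGRUBYCOUT) selinuxswig_python_exception.i`.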
@@ -125,25 +125,18 @@ DISABLE_FLAGS+= -DNO_ANDROID_BACKEND
SRCS:= $(filter-out label_backends_android.c, $(SRCS))
endif
-SWIG = swig -Wall -python -o $(SWIGCOUT) -outdir ./ $(DISABLE_FLAGS)
-
SWIGRUBY = swig -Wall -ruby -o $(SWIGRUBYCOUT) -outdir ./ $(DISABLE_FLAGS)
all: $(LIBA) $(LIBSO) $(LIBPC)
-pywrap: all $(SWIGFILES) $(AUDIT2WHYSO)
+pywrap: all selinuxswig_python_exception.i
+ CFLAGS="$(CFLAGS) $(SWIG_CFLAGS)" $(PYTHON) setup.py build_ext
rubywrap: all $(SWIGRUBYSO)
-$(SWIGLOBJ): $(SWIGCOUT)
- $(CC) $(CFLAGS) $(SWIG_CFLAGS) $(PYINC) -fPIC -DSHARED -c -o $@ $<
-
$(SWIGRUBYLOBJ): $(SWIGRUBYCOUT)
$(CC) $(CFLAGS) $(SWIG_CFLAGS) $(RUBYINC) -fPIC -DSHARED -c -o $@ $<
-$(SWIGSO): $(SWIGLOBJ)
- $(CC) $(CFLAGS) $(LDFLAGS) -L. -shared -o $@ $< -lselinux $(PYLIBS)
-
$(SWIGRUBYSO): $(SWIGRUBYLOBJ)
$(CC) $(CFLAGS) $(LDFLAGS) -L. -shared -o $@ $^ -lselinux $(RUBYLIBS)
@@ -158,32 +151,18 @@ $(LIBSO): $(LOBJS)
$(LIBPC): $(LIBPC).in ../VERSION
sed -e 's/@VERSION@/$(VERSION)/; s:@prefix@:$(PREFIX):; s:@libdir@:$(LIBDIR):; s:@includedir@:$(INCLUDEDIR):; s:@PCRE_MODULE@:$(PCRE_MODULE):' < $< > $@
-selinuxswig_python_exception.i: ../include/selinux/selinux.h
+selinuxswig_python_exception.i: exception.sh ../include/selinux/selinux.h
bash -e exception.sh > $@ || (rm -f $@ ; false)
-$(AUDIT2WHYLOBJ): audit2why.c
- $(CC) $(filter-out -Werror, $(CFLAGS)) $(PYINC) -fPIC -DSHARED -c -o $@ $<
-
-$(AUDIT2WHYSO): $(AUDIT2WHYLOBJ) $(LIBSEPOLA)
- $(CC) $(CFLAGS) $(LDFLAGS) -L. -shared -o $@ $^ -lselinux $(LDLIBS_LIBSEPOLA) $(PYLIBS) -Wl,-soname,audit2why.so,--version-script=audit2why.map,-z,defs
-
%.o: %.c policy.h
$(CC) $(CFLAGS) $(TLSFLAGS) -c -o $@ $<
%.lo: %.c policy.h
$(CC) $(CFLAGS) -fPIC -DSHARED -c -o $@ $<
-$(SWIGCOUT): $(SWIGIF)
- $(SWIG) $<
-
-$(SWIGPYOUT): $(SWIGCOUT)
-
$(SWIGRUBYCOUT): $(SWIGRUBYIF)
$(SWIGRUBY) $<
-swigify: $(SWIGIF)
- $(SWIG) $<
-
install: all
test -d $(DESTDIR)$(LIBDIR) || install -m 755 -d $(DESTDIR)$(LIBDIR)
install -m 644 $(LIBA) $(DESTDIR)$(LIBDIR)
@@ -194,10 +173,9 @@ install: all
ln -sf --relative $(DESTDIR)$(SHLIBDIR)/$(LIBSO) $(DESTDIR)$(LIBDIR)/$(TARGET)
install-pywrap: pywrap
- test -d $(DESTDIR)$(PYTHONLIBDIR)/selinux || install -m 755 -d $(DESTDIR)$(PYTHONLIBDIR)/selinux
- install -m 755 $(SWIGSO) $(DESTDIR)$(PYTHONLIBDIR)/_selinux$(PYCEXT)
- install -m 755 $(AUDIT2WHYSO) $(DESTDIR)$(PYTHONLIBDIR)/selinux/audit2why$(PYCEXT)
+ $(PYTHON) setup.py install --prefix=$(PREFIX) `test -n "$(DESTDIR)" && echo --root $(DESTDIR)`
install -m 644 $(SWIGPYOUT) $(DESTDIR)$(PYTHONLIBDIR)/selinux/__init__.py
+ ln -sf --relative $(DESTDIR)$(PYTHONLIBDIR)/selinux/_selinux$(PYCEXT) $(DESTDIR)$(PYTHONLIBDIR)/_selinux$(PYCEXT)
install-rubywrap: rubywrap
test -d $(DESTDIR)$(RUBYINSTALL) || install -m 755 -d $(DESTDIR)$(RUBYINSTALL)
@@ -208,6 +186,8 @@ relabel:
clean-pywrap:
-rm -f $(SWIGLOBJ) $(SWIGSO) $(AUDIT2WHYLOBJ) $(AUDIT2WHYSO)
+ $(PYTHON) setup.py clean
+ -rm -rf build *~ \#* *pyc .#*
clean-rubywrap:
-rm -f $(SWIGRUBYLOBJ) $(SWIGRUBYSO)
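Review bot: In `clean-pywrap`, the new `$(PYTHON) setup.py clean` line has no `-` prefix, unlike the `rm` lines around it. If the interpreter or setup.py's imports are unavailable, the target stops there and the following `rm -rf build ...` never runs. Writing it as `-$(PYTHON) setup.py clean` keeps clean best-effort like the rest of the recipe. The `*pyc` glob on the next added line also matches any name ending in "pyc"; `*.pyc` is probably what was meant.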
diff --git a/libselinux/src/avc_internal.c b/libselinux/src/avc_internal.c
index 49cecc96..568a3d92 100644
--- a/libselinux/src/avc_internal.c
+++ b/libselinux/src/avc_internal.c
@@ -23,6 +23,7 @@
#include "callbacks.h"
#include "selinux_netlink.h"
#include "avc_internal.h"
+#include "selinux_internal.h"
#ifndef NETLINK_SELINUX
#define NETLINK_SELINUX 7
@@ -207,6 +208,7 @@ static int avc_netlink_process(void *buf)
avc_prefix, rc, errno);
return rc;
}
+ selinux_flush_class_cache();
rc = selinux_netlink_policyload(msg->seqno);
if (rc < 0)
return rc;
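Review bot: The added `selinux_flush_class_cache();` carries no comment explaining why the cache must be dropped here, ahead of `selinux_netlink_policyload()`. Presumably the reason is that class and permission values can change in a new policy, so a stale name-to-value mapping could feed wrong values into later access checks. A short comment would record that, for example `/* policy reload may renumber classes/permissions; drop cached mappings before notifying callbacks */`. The flush runs on whichever thread processes netlink messages, and this hunk does not show whether the class cache is guarded against a concurrent lookup, so that is worth confirming. avc_netlink_process begins and ends outside the hunk.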
diff --git a/libselinux/src/booleans.c b/libselinux/src/booleans.c
index ab1e0754..ffa8d26b 100644
--- a/libselinux/src/booleans.c
+++ b/libselinux/src/booleans.c
@@ -81,8 +81,10 @@ int security_get_boolean_names(char ***names, int *len)
free(namelist);
return rc;
bad_freen:
- for (--i; i >= 0; --i)
- free(n[i]);
+ if (i > 0) {
+ while (i >= 1)
+ free(n[--i]);
+ }
free(n);
bad:
goto out;
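Review bot: The new cleanup under `bad_freen` tests the same condition twice, because `if (i > 0)` wraps a loop whose own guard is `while (i >= 1)`. The loop alone is equivalent and shorter: `while (i > 0) free(n[--i]);`. That form also stays correct if `i` is an unsigned type; its declaration is outside the hunk.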
@@ -322,175 +324,6 @@ int security_commit_booleans(void)
return -1;
}
-static char *strtrim(char *dest, char *source, int size)
-{
- int i = 0;
- char *ptr = source;
- i = 0;
- while (isspace(*ptr) && i < size) {
- ptr++;
- i++;
- }
- strncpy(dest, ptr, size);
- for (i = strlen(dest) - 1; i > 0; i--) {
- if (!isspace(dest[i]))
- break;
- }
- dest[i + 1] = '\0';
- return dest;
-}
-static int process_boolean(char *buffer, char *name, int namesize, int *val)
-{
- char name1[BUFSIZ];
- char *ptr = NULL;
- char *tok;
-
- /* Skip spaces */
- while (isspace(buffer[0]))
- buffer++;
- /* Ignore comments */
- if (buffer[0] == '#')
- return 0;
-
- tok = strtok_r(buffer, "=", &ptr);
- if (!tok) {
- errno = EINVAL;
- return -1;
- }
- strncpy(name1, tok, BUFSIZ - 1);
- strtrim(name, name1, namesize - 1);
-
- tok = strtok_r(NULL, "\0", &ptr);
- if (!tok) {
- errno = EINVAL;
- return -1;
- }
-
- while (isspace(*tok))
- tok++;
-
- *val = -1;
- if (isdigit(tok[0]))
- *val = atoi(tok);
- else if (!strncasecmp(tok, "true", sizeof("true") - 1))
- *val = 1;
- else if (!strncasecmp(tok, "false", sizeof("false") - 1))
- *val = 0;
- if (*val != 0 && *val != 1) {
- errno = EINVAL;
- return -1;
- }
- return 1;
-}
-static int save_booleans(size_t boolcnt, SELboolean * boollist)
-{
- ssize_t len;
- size_t i;
- char outbuf[BUFSIZ];
- char *inbuf = NULL;
-
- /* Open file */
- const char *bool_file = selinux_booleans_path();
- char local_bool_file[PATH_MAX];
- char tmp_bool_file[PATH_MAX];
- FILE *boolf;
- int fd;
- int *used = (int *)malloc(sizeof(int) * boolcnt);
- if (!used) {
- return -1;
- }
- /* zero out used field */
- for (i = 0; i < boolcnt; i++)
- used[i] = 0;
-
- snprintf(tmp_bool_file, sizeof(tmp_bool_file), "%s.XXXXXX", bool_file);
- fd = mkstemp(tmp_bool_file);
- if (fd < 0) {
- free(used);
- return -1;
- }
-
- snprintf(local_bool_file, sizeof(local_bool_file), "%s.local",
- bool_file);
- boolf = fopen(local_bool_file, "re");
- if (boolf != NULL) {
- ssize_t ret;
- size_t size = 0;
- int val;
- char boolname[BUFSIZ-3];
- char *buffer;
- inbuf = NULL;
- __fsetlocking(boolf, FSETLOCKING_BYCALLER);
- while ((len = getline(&inbuf, &size, boolf)) > 0) {
- buffer = strdup(inbuf);
- if (!buffer)
- goto close_remove_fail;
- ret =
- process_boolean(inbuf, boolname, sizeof(boolname),
- &val);
- if (ret != 1) {
- ret = write(fd, buffer, len);
- free(buffer);
- if (ret != len)
- goto close_remove_fail;
- } else {
- free(buffer);
- for (i = 0; i < boolcnt; i++) {
- if (strcmp(boollist[i].name, boolname)
- == 0) {
- snprintf(outbuf, sizeof(outbuf),
- "%s=%d\n", boolname,
- boollist[i].value);
- len = strlen(outbuf);
- used[i] = 1;
- if (write(fd, outbuf, len) !=
- len)
- goto close_remove_fail;
- else
- break;
- }
- }
- if (i == boolcnt) {
- val = !!val;
- snprintf(outbuf, sizeof(outbuf),
- "%s=%d\n", boolname, val);
- len = strlen(outbuf);
- if (write(fd, outbuf, len) != len)
- goto close_remove_fail;
- }
- }
- free(inbuf);
- inbuf = NULL;
- }
- fclose(boolf);
- }
-
- for (i = 0; i < boolcnt; i++) {
- if (used[i] == 0) {
- snprintf(outbuf, sizeof(outbuf), "%s=%d\n",
- boollist[i].name, boollist[i].value);
- len = strlen(outbuf);
- if (write(fd, outbuf, len) != len) {
- close_remove_fail:
- free(inbuf);
- close(fd);
- remove_fail:
- unlink(tmp_bool_file);
- free(used);
- return -1;
- }
- }
-
- }
- if (fchmod(fd, S_IRUSR | S_IWUSR) != 0)
- goto close_remove_fail;
- close(fd);
- if (rename(tmp_bool_file, local_bool_file) != 0)
- goto remove_fail;
-
- free(used);
- return 0;
-}
static void rollback(SELboolean * boollist, int end)
{
int i;
@@ -519,62 +352,18 @@ int security_set_boolean_list(size_t boolcnt, SELboolean * boollist,
return -1;
}
+ /* Return error as flag no longer used */
if (permanent)
- return save_booleans(boolcnt, boollist);
+ return -1;
return 0;
}
-int security_load_booleans(char *path)
-{
- FILE *boolf;
- char *inbuf;
- char localbools[BUFSIZ];
- size_t len = 0, errors = 0;
- int val;
- char name[BUFSIZ];
-
- boolf = fopen(path ? path : selinux_booleans_path(), "re");
- if (boolf == NULL)
- goto localbool;
-
- __fsetlocking(boolf, FSETLOCKING_BYCALLER);
- while (getline(&inbuf, &len, boolf) > 0) {
- int ret = process_boolean(inbuf, name, sizeof(name), &val);
- if (ret == -1)
- errors++;
- if (ret == 1)
- if (security_set_boolean(name, val) < 0) {
- errors++;
- }
- }
- fclose(boolf);
- localbool:
- snprintf(localbools, sizeof(localbools), "%s.local",
- (path ? path : selinux_booleans_path()));
- boolf = fopen(localbools, "re");
-
- if (boolf != NULL) {
- int ret;
- __fsetlocking(boolf, FSETLOCKING_BYCALLER);
- while (getline(&inbuf, &len, boolf) > 0) {
- ret = process_boolean(inbuf, name, sizeof(name), &val);
- if (ret == -1)
- errors++;
- if (ret == 1)
- if (security_set_boolean(name, val) < 0) {
- errors++;
- }
- }
- fclose(boolf);
- }
- if (security_commit_booleans() < 0)
- return -1;
- if (errors)
- errno = EINVAL;
- return errors ? -1 : 0;
+/* This function is deprecated */
+int security_load_booleans(char *path __attribute__((unused)))
+{
+ return -1;
}
-
#else
#include <stdlib.h>
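Review bot: In security_set_boolean_list, the new `if (permanent) return -1;` sits after the earlier error return, so it appears to run only once the values have been set and committed. The start of the function is outside the hunk, but if that reading holds, a caller passing `permanent` is told the call failed while the running booleans have in fact changed. Neither this path nor the stubbed `security_load_booleans` sets `errno`, so the caller also sees whatever value an earlier call left behind. Rejecting the flag before any state is touched, with `if (permanent) { errno = ENOTSUP; return -1; }` at the top of the function and `errno = ENOTSUP;` in the stub, would make the failure unambiguous.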
diff --git a/libselinux/src/checkAccess.c b/libselinux/src/checkAccess.c
index 16bfcfb6..7227ffe5 100644
--- a/libselinux/src/checkAccess.c
+++ b/libselinux/src/checkAccess.c
@@ -10,25 +10,12 @@
static pthread_once_t once = PTHREAD_ONCE_INIT;
static int selinux_enabled;
-static int avc_reset_callback(uint32_t event __attribute__((unused)),
- security_id_t ssid __attribute__((unused)),
- security_id_t tsid __attribute__((unused)),
- security_class_t tclass __attribute__((unused)),
- access_vector_t perms __attribute__((unused)),
- access_vector_t *out_retained __attribute__((unused)))
-{
- flush_class_cache();
- return 0;
-}
-
static void avc_init_once(void)
{
selinux_enabled = is_selinux_enabled();
if (selinux_enabled == 1) {
if (avc_open(NULL, 0))
return;
- avc_add_callback(avc_reset_callback, AVC_CALLBACK_RESET,
- 0, 0, 0, 0);
}
}
diff --git a/libselinux/src/exception.sh b/libselinux/src/exception.sh
index d6c8c717..33ceef80 100755
--- a/libselinux/src/exception.sh
+++ b/libselinux/src/exception.sh
@@ -5,7 +5,7 @@ case $1 in
*)
echo "
%exception $1 {
- \$action
+ \$action
if (result < 0) {
PyErr_SetFromErrno(PyExc_OSError);
SWIG_fail;
@@ -15,10 +15,10 @@ echo "
;;
esac
}
-if ! ${CC:-gcc} -x c -c -I../include - -aux-info temp.aux < ../include/selinux/selinux.h
+if ! ${CC:-gcc} -x c -c -I../include -o temp.o - -aux-info temp.aux < ../include/selinux/selinux.h
then
# clang does not support -aux-info so fall back to gcc
- gcc -x c -c -I../include - -aux-info temp.aux < ../include/selinux/selinux.h
+ gcc -x c -c -I../include -o temp.o - -aux-info temp.aux < ../include/selinux/selinux.h
fi
for i in `awk '/<stdin>.*extern int/ { print $6 }' temp.aux`; do except $i ; done
-rm -f -- temp.aux -.o
+rm -f -- temp.aux temp.o
diff --git a/libselinux/src/file_path_suffixes.h b/libselinux/src/file_path_suffixes.h
index 2d3ca497..a5573134 100644
--- a/libselinux/src/file_path_suffixes.h
+++ b/libselinux/src/file_path_suffixes.h
@@ -8,10 +8,12 @@ S_(BINPOLICY, "/policy/policy")
S_(FAILSAFE_CONTEXT, "/contexts/failsafe_context")
S_(DEFAULT_TYPE, "/contexts/default_type")
S_(SECURETTY_TYPES, "/contexts/securetty_types")
+ /* BOOLEANS is deprecated */
S_(BOOLEANS, "/booleans")
S_(MEDIA_CONTEXTS, "/contexts/files/media")
S_(REMOVABLE_CONTEXT, "/contexts/removable_context")
S_(CUSTOMIZABLE_TYPES, "/contexts/customizable_types")
+ /* USERS_DIR is deprecated */
S_(USERS_DIR, "/users/")
S_(SEUSERS, "/seusers")
S_(TRANSLATIONS, "/setrans.conf")
diff --git a/libselinux/src/label.c b/libselinux/src/label.c
index ce786cd4..eac6e364 100644
--- a/libselinux/src/label.c
+++ b/libselinux/src/label.c
@@ -282,6 +282,30 @@ bool selabel_partial_match(struct selabel_handle *rec, const char *key)
return rec->func_partial_match(rec, key);
}
+bool selabel_get_digests_all_partial_matches(struct selabel_handle *rec,
+ const char *key,
+ uint8_t **calculated_digest,
+ uint8_t **xattr_digest,
+ size_t *digest_len)
+{
+ if (!rec->func_get_digests_all_partial_matches)
+ return false;
+
+ return rec->func_get_digests_all_partial_matches(rec, key,
+ calculated_digest,
+ xattr_digest,
+ digest_len);
+}
+
+bool selabel_hash_all_partial_matches(struct selabel_handle *rec,
+ const char *key, uint8_t *digest) {
+ if (!rec->func_hash_all_partial_matches) {
+ return false;
+ }
+
+ return rec->func_hash_all_partial_matches(rec, key, digest);
+}
+
int selabel_lookup_best_match(struct selabel_handle *rec, char **con,
const char *key, const char **aliases, int type)
{
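Review bot: When the backend has no `func_get_digests_all_partial_matches`, `selabel_get_digests_all_partial_matches` returns false without writing `*calculated_digest`, `*xattr_digest` or `*digest_len`. The file-backend implementation later in this commit says the caller must free any returned digests, so a caller that frees unconditionally after a false return would be freeing uninitialised pointers on this path. Setting the outputs first avoids that: `*calculated_digest = NULL; *xattr_digest = NULL; *digest_len = 0;` before the `return false;`. Separately, `selabel_hash_all_partial_matches` takes `uint8_t *digest` with no length; a comment stating the required buffer size would help (the caller visible in label_file.c passes `SHA1_HASH_SIZE` bytes).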
diff --git a/libselinux/src/label_file.c b/libselinux/src/label_file.c
index 0f3d0df2..0b102a1e 100644
--- a/libselinux/src/label_file.c
+++ b/libselinux/src/label_file.c
@@ -39,18 +39,17 @@ static int get_stem_from_file_name(const char *const buf)
/* find the stem of a file name, returns the index into stem_arr (or -1 if
* there is no match - IE for a file in the root directory or a regex that is
- * too complex for us). Makes buf point to the text AFTER the stem. */
-static int find_stem_from_file(struct saved_data *data, const char **buf)
+ * too complex for us). */
+static int find_stem_from_file(struct saved_data *data, const char *key)
{
int i;
- int stem_len = get_stem_from_file_name(*buf);
+ int stem_len = get_stem_from_file_name(key);
if (!stem_len)
return -1;
for (i = 0; i < data->num_stems; i++) {
if (stem_len == data->stem_arr[i].len
- && !strncmp(*buf, data->stem_arr[i].buf, stem_len)) {
- *buf += stem_len;
+ && !strncmp(key, data->stem_arr[i].buf, stem_len)) {
return i;
}
}
@@ -248,7 +247,7 @@ end_arch_check:
uint32_t stem_len;
int newid;
- /* the length does not inlude the nul */
+ /* the length does not include the nul */
rc = next_entry(&stem_len, mmap_area, sizeof(uint32_t));
if (rc < 0 || !stem_len) {
rc = -1;
@@ -893,22 +892,37 @@ static void closef(struct selabel_handle *rec)
free(data);
}
-static struct spec *lookup_common(struct selabel_handle *rec,
- const char *key,
- int type,
- bool partial)
+// Finds all the matches of |key| in the given context. Returns the result in
+// the allocated array and updates the match count. If match_count is NULL,
+// stops early once the 1st match is found.
+static const struct spec **lookup_all(struct selabel_handle *rec,
+ const char *key,
+ int type,
+ bool partial,
+ size_t *match_count)
{
struct saved_data *data = (struct saved_data *)rec->data;
struct spec *spec_arr = data->spec_arr;
int i, rc, file_stem;
mode_t mode = (mode_t)type;
- const char *buf;
- struct spec *ret = NULL;
char *clean_key = NULL;
const char *prev_slash, *next_slash;
unsigned int sofar = 0;
char *sub = NULL;
+ const struct spec **result = NULL;
+ if (match_count) {
+ *match_count = 0;
+ result = calloc(data->nspec, sizeof(struct spec*));
+ } else {
+ result = calloc(1, sizeof(struct spec*));
+ }
+ if (!result) {
+ selinux_log(SELINUX_ERROR, "Failed to allocate %zu bytes of data\n",
+ data->nspec * sizeof(struct spec*));
+ goto finish;
+ }
+
if (!data->nspec) {
errno = ENOENT;
goto finish;
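Review bot: `lookup_all` allocates `result` with `calloc(data->nspec, ...)` before the existing `if (!data->nspec)` check, so with an empty spec list and a non-NULL `match_count` the request is for zero elements. Depending on the allocator, that either returns NULL and logs a spurious "Failed to allocate" error, or returns a zero-sized block whose `result[0]` is then read at `finish`, past the end of the allocation. Moving the `if (!data->nspec) { errno = ENOENT; goto finish; }` block above the allocation closes both cases, since `result` is still NULL there. The log message also reports `data->nspec * sizeof(struct spec*)` even when the single-element branch was the one that failed. The function continues outside this hunk.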
@@ -934,8 +948,7 @@ static struct spec *lookup_common(struct selabel_handle *rec,
if (sub)
key = sub;
- buf = key;
- file_stem = find_stem_from_file(data, &buf);
+ file_stem = find_stem_from_file(data, key);
mode &= S_IFMT;
/*
@@ -948,19 +961,34 @@ static struct spec *lookup_common(struct selabel_handle *rec,
* stem as the file AND if the spec in question has no mode
* specified or if the mode matches the file mode then we do
* a regex check */
- if ((spec->stem_id == -1 || spec->stem_id == file_stem) &&
- (!mode || !spec->mode || mode == spec->mode)) {
- if (compile_regex(data, spec, NULL) < 0)
+ bool stem_matches = spec->stem_id == -1 || spec->stem_id == file_stem;
+ // Don't check the stem if we want to find partial matches.
+ // Otherwise the case "/abc/efg/(/.*)?" will be considered
+ //a miss for "/abc".
+ if ((partial || stem_matches) &&
+ (!mode || !spec->mode || mode == spec->mode)) {
+ if (compile_regex(spec, NULL) < 0)
goto finish;
- if (spec->stem_id == -1)
- rc = regex_match(spec->regex, key, partial);
- else
- rc = regex_match(spec->regex, buf, partial);
- if (rc == REGEX_MATCH) {
- spec->matches++;
- break;
- } else if (partial && rc == REGEX_MATCH_PARTIAL)
+ rc = regex_match(spec->regex, key, partial);
+ if (rc == REGEX_MATCH || (partial && rc == REGEX_MATCH_PARTIAL)) {
+ if (rc == REGEX_MATCH) {
+ spec->matches++;
+ }
+
+ if (strcmp(spec_arr[i].lr.ctx_raw, "<<none>>") == 0) {
+ errno = ENOENT;
+ goto finish;
+ }
+
+ if (match_count) {
+ result[*match_count] = spec;
+ *match_count += 1;
+ // Continue to find all the matches.
+ continue;
+ }
+ result[0] = spec;
break;
+ }
if (rc == REGEX_NO_MATCH)
continue;
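Review bot: In collect-all mode (`match_count` non-NULL), both the `<<none>>` check and a `compile_regex` failure jump to `finish` while earlier matches are still stored in `result`. Because `finish` only discards the array when `result[0]` is NULL, the caller appears to receive a non-NULL but truncated list, with `errno` as the only hint. For a digest computed over "all partial matches", that would silently hash a subset. Consider clearing the result on those paths, e.g. `result[0] = NULL;` (and `*match_count = 0;` when `match_count` is set) before `goto finish`, or document that a truncated list is intended. The added comment `//a miss for "/abc".` is also missing a space after `//`. The loop begins outside this hunk.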
@@ -971,19 +999,107 @@ static struct spec *lookup_common(struct selabel_handle *rec,
}
}
- if (i < 0 || strcmp(spec_arr[i].lr.ctx_raw, "<<none>>") == 0) {
- /* No matching specification. */
- errno = ENOENT;
- goto finish;
- }
-
- errno = 0;
- ret = &spec_arr[i];
-
finish:
free(clean_key);
free(sub);
- return ret;
+ if (result && !result[0]) {
+ free(result);
+ result = NULL;
+ }
+ return result;
+}
+
+static struct spec *lookup_common(struct selabel_handle *rec,
+ const char *key,
+ int type,
+ bool partial) {
+ const struct spec **matches = lookup_all(rec, key, type, partial, NULL);
+ if (!matches) {
+ return NULL;
+ }
+ struct spec *result = (struct spec*)matches[0];
+ free(matches);
+ return result;
+}
+
+/*
+ * Returns true if the digest of all partial matched contexts is the same as
+ * the one saved by setxattr, otherwise returns false. The length of the SHA1
+ * digest will always be returned. The caller must free any returned digests.
+ */
+static bool get_digests_all_partial_matches(struct selabel_handle *rec,
+ const char *pathname,
+ uint8_t **calculated_digest,
+ uint8_t **xattr_digest,
+ size_t *digest_len)
+{
+ uint8_t read_digest[SHA1_HASH_SIZE];
+ ssize_t read_size = getxattr(pathname, RESTORECON_PARTIAL_MATCH_DIGEST,
+ read_digest, SHA1_HASH_SIZE);
+ uint8_t hash_digest[SHA1_HASH_SIZE];
+ bool status = selabel_hash_all_partial_matches(rec, pathname,
+ hash_digest);
+
+ *xattr_digest = NULL;
+ *calculated_digest = NULL;
+ *digest_len = SHA1_HASH_SIZE;
+
+ if (read_size == SHA1_HASH_SIZE) {
+ *xattr_digest = calloc(1, SHA1_HASH_SIZE + 1);
+ if (!*xattr_digest)
+ goto oom;
+
+ memcpy(*xattr_digest, read_digest, SHA1_HASH_SIZE);
+ }
+
+ if (status) {
+ *calculated_digest = calloc(1, SHA1_HASH_SIZE + 1);
+ if (!*calculated_digest)
+ goto oom;
+
+ memcpy(*calculated_digest, hash_digest, SHA1_HASH_SIZE);
+ }
+
+ if (status && read_size == SHA1_HASH_SIZE &&
+ memcmp(read_digest, hash_digest, SHA1_HASH_SIZE) == 0)
+ return true;
+
+ return false;
+
+oom:
+ selinux_log(SELINUX_ERROR, "SELinux: %s: Out of memory\n", __func__);
+ return false;
+}
+
+static bool hash_all_partial_matches(struct selabel_handle *rec, const char *key, uint8_t *digest)
+{
+ assert(digest);
+
+ size_t total_matches;
+ const struct spec **matches = lookup_all(rec, key, 0, true, &total_matches);
+ if (!matches) {
+ return false;
+ }
+
+ Sha1Context context;
+ Sha1Initialise(&context);
+ size_t i;
+ for (i = 0; i < total_matches; i++) {
+ char* regex_str = matches[i]->regex_str;
+ mode_t mode = matches[i]->mode;
+ char* ctx_raw = matches[i]->lr.ctx_raw;
+
+ Sha1Update(&context, regex_str, strlen(regex_str) + 1);
+ Sha1Update(&context, &mode, sizeof(mode_t));
+ Sha1Update(&context, ctx_raw, strlen(ctx_raw) + 1);
+ }
+
+ SHA1_HASH sha1_hash;
+ Sha1Finalise(&context, &sha1_hash);
+ memcpy(digest, sha1_hash.bytes, SHA1_HASH_SIZE);
+
+ free(matches);
+ return true;
}
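Review bot: The rewritten `finish:` path no longer maintains errno. The removed lines set `errno = ENOENT` when no spec matched and `errno = 0` on success, whereas the new code frees `result` and returns NULL without touching errno when the loop ends with nothing stored. Callers that inspect errno after a NULL lookup (not visible here) would then see whatever value an earlier call left behind. A line just before the `finish:` label, `if (!result[0]) errno = ENOENT;`, would restore the no-match case without overriding the errno of the error paths that jump straight to `finish`. The beginning of this function is outside the hunk.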
static struct selabel_lookup_rec *lookup(struct selabel_handle *rec,
@@ -1183,6 +1299,9 @@ int selabel_file_init(struct selabel_handle *rec,
rec->func_stats = &stats;
rec->func_lookup = &lookup;
rec->func_partial_match = &partial_match;
+ rec->func_get_digests_all_partial_matches =
+ &get_digests_all_partial_matches;
+ rec->func_hash_all_partial_matches = &hash_all_partial_matches;
rec->func_lookup_best_match = &lookup_best_match;
rec->func_cmp = &cmp;
diff --git a/libselinux/src/label_file.h b/libselinux/src/label_file.h
index 47859baf..baed3341 100644
--- a/libselinux/src/label_file.h
+++ b/libselinux/src/label_file.h
@@ -6,6 +6,7 @@
#include <string.h>
#include <sys/stat.h>
+#include <sys/xattr.h>
/*
* regex.h/c were introduced to hold all dependencies on the regular
@@ -31,6 +32,9 @@
#define SELINUX_COMPILED_FCONTEXT_MAX_VERS \
SELINUX_COMPILED_FCONTEXT_REGEX_ARCH
+/* Required selinux_restorecon and selabel_get_digests_all_partial_matches() */
+#define RESTORECON_PARTIAL_MATCH_DIGEST "security.sehash"
+
struct selabel_sub {
char *src;
int slen;
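Review bot: The comment on `RESTORECON_PARTIAL_MATCH_DIGEST` is missing a word and does not say what the attribute holds. Judging by the `setxattr` call added to selinux_restorecon.c in this commit, the value is a `SHA1_HASH_SIZE`-byte digest written per directory. Suggested wording: `/* xattr holding the SHA1 digest of all partial-match specs for a directory; used by selinux_restorecon() and selabel_get_digests_all_partial_matches() */`.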
@@ -41,7 +45,7 @@ struct selabel_sub {
/* A file security context specification. */
struct spec {
struct selabel_lookup_rec lr; /* holds contexts for lookup result */
- char *regex_str; /* regular expession string for diagnostics */
+ char *regex_str; /* regular expression string for diagnostics */
char *type_str; /* type string for diagnostic messages */
struct regex_data * regex; /* backend dependent regular expression data */
bool regex_compiled; /* bool to indicate if the regex is compiled */
@@ -336,13 +340,11 @@ static inline int next_entry(void *buf, struct mmap_area *fp, size_t bytes)
return 0;
}
-static inline int compile_regex(struct saved_data *data, struct spec *spec,
- const char **errbuf)
+static inline int compile_regex(struct spec *spec, const char **errbuf)
{
char *reg_buf, *anchored_regex, *cp;
struct regex_error_data error_data;
static char regex_error_format_buffer[256];
- struct stem *stem_arr = data->stem_arr;
size_t len;
int rc;
bool regex_compiled;
@@ -379,11 +381,7 @@ static inline int compile_regex(struct saved_data *data, struct spec *spec,
return 0;
}
- /* Skip the fixed stem. */
reg_buf = spec->regex_str;
- if (spec->stem_id >= 0)
- reg_buf += stem_arr[spec->stem_id].len;
-
/* Anchor the regular expression. */
len = strlen(reg_buf);
cp = anchored_regex = malloc(len + 3);
@@ -501,7 +499,7 @@ static inline int process_line(struct selabel_handle *rec,
data->nspec++;
if (rec->validating
- && compile_regex(data, &spec_arr[nspec], &errbuf)) {
+ && compile_regex(&spec_arr[nspec], &errbuf)) {
COMPAT_LOG(SELINUX_ERROR,
"%s: line %u has invalid regex %s: %s\n",
path, lineno, regex, errbuf);
diff --git a/libselinux/src/label_internal.h b/libselinux/src/label_internal.h
index a05a10a6..74bf9e07 100644
--- a/libselinux/src/label_internal.h
+++ b/libselinux/src/label_internal.h
@@ -87,6 +87,13 @@ struct selabel_handle {
void (*func_close) (struct selabel_handle *h);
void (*func_stats) (struct selabel_handle *h);
bool (*func_partial_match) (struct selabel_handle *h, const char *key);
+ bool (*func_get_digests_all_partial_matches) (struct selabel_handle *h,
+ const char *key,
+ uint8_t **calculated_digest,
+ uint8_t **xattr_digest,
+ size_t *digest_len);
+ bool (*func_hash_all_partial_matches) (struct selabel_handle *h,
+ const char *key, uint8_t *digest);
struct selabel_lookup_rec *(*func_lookup_best_match)
(struct selabel_handle *h,
const char *key,
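Review bot: `func_hash_all_partial_matches` takes `uint8_t *digest` with no length parameter and no comment stating the size the callee will write. The file backend added in this commit copies `SHA1_HASH_SIZE` bytes into it unconditionally, so a caller passing a smaller buffer gets an out-of-bounds write. A comment on the member would make the contract explicit, e.g. `/* digest must point to at least SHA1_HASH_SIZE bytes */`. `func_get_digests_all_partial_matches` would benefit from a matching note that both returned digests are heap-allocated and owned by the caller. The struct definition continues outside this hunk.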
diff --git a/libselinux/src/load_policy.c b/libselinux/src/load_policy.c
index 20052beb..9e75292d 100644
--- a/libselinux/src/load_policy.c
+++ b/libselinux/src/load_policy.c
@@ -48,22 +48,18 @@ int security_load_policy(void *data, size_t len)
hidden_def(security_load_policy)
#ifndef ANDROID
-int load_setlocaldefs hidden = 1;
-
#undef max
#define max(a, b) (((a) > (b)) ? (a) : (b))
-int selinux_mkload_policy(int preservebools)
+int selinux_mkload_policy(int preservebools __attribute__((unused)))
{
int kernvers = security_policyvers();
int maxvers = kernvers, minvers = DEFAULT_POLICY_VERSION, vers;
- int setlocaldefs = load_setlocaldefs;
char path[PATH_MAX];
struct stat sb;
- struct utsname uts;
size_t size;
void *map, *data;
- int fd, rc = -1, prot;
+ int fd, rc = -1;
sepol_policydb_t *policydb;
sepol_policy_file_t *pf;
int usesepol = 0;
@@ -77,9 +73,6 @@ int selinux_mkload_policy(int preservebools)
int (*policydb_read)(sepol_policydb_t *, sepol_policy_file_t *) = NULL;
int (*policydb_set_vers)(sepol_policydb_t *, unsigned int) = NULL;
int (*policydb_to_image)(sepol_handle_t *, sepol_policydb_t *, void **, size_t *) = NULL;
- int (*genbools_array)(void *data, size_t len, char **names, int *values, int nel) = NULL;
- int (*genusers)(void *data, size_t len, const char *usersdir, void **newdata, size_t * newlen) = NULL;
- int (*genbools)(void *data, size_t len, const char *boolpath) = NULL;
#ifdef SHARED
char *errormsg = NULL;
@@ -110,13 +103,6 @@ int selinux_mkload_policy(int preservebools)
DLERR();
policydb_to_image = dlsym(libsepolh, "sepol_policydb_to_image");
DLERR();
- genbools_array = dlsym(libsepolh, "sepol_genbools_array");
- DLERR();
- genusers = dlsym(libsepolh, "sepol_genusers");
- DLERR();
- genbools = dlsym(libsepolh, "sepol_genbools");
- DLERR();
-
#undef DLERR
}
#else
@@ -131,42 +117,11 @@ int selinux_mkload_policy(int preservebools)
policydb_read = sepol_policydb_read;
policydb_set_vers = sepol_policydb_set_vers;
policydb_to_image = sepol_policydb_to_image;
- genbools_array = sepol_genbools_array;
- genusers = sepol_genusers;
- genbools = sepol_genbools;
-
#endif
- /*
- * Check whether we need to support local boolean and user definitions.
- */
- if (setlocaldefs) {
- if (access(selinux_booleans_path(), F_OK) == 0)
- goto checkbool;
- snprintf(path, sizeof path, "%s.local", selinux_booleans_path());
- if (access(path, F_OK) == 0)
- goto checkbool;
- snprintf(path, sizeof path, "%s/local.users", selinux_users_path());
- if (access(path, F_OK) == 0)
- goto checkbool;
- /* No local definition files, so disable setlocaldefs. */
- setlocaldefs = 0;
- }
-
-checkbool:
- /*
- * As of Linux 2.6.22, the kernel preserves boolean
- * values across a reload, so we do not need to
- * preserve them in userspace.
- */
- if (preservebools && uname(&uts) == 0 && strverscmp(uts.release, "2.6.22") >= 0)
- preservebools = 0;
-
if (usesepol) {
- maxvers = vers_max();
+ maxvers = max(kernvers, vers_max());
minvers = vers_min();
- if (!setlocaldefs && !preservebools)
- maxvers = max(kernvers, maxvers);
}
vers = maxvers;
@@ -195,12 +150,8 @@ checkbool:
goto close;
}
- prot = PROT_READ;
- if (setlocaldefs || preservebools)
- prot |= PROT_WRITE;
-
size = sb.st_size;
- data = map = mmap(NULL, size, prot, MAP_PRIVATE, fd, 0);
+ data = map = mmap(NULL, size, PROT_READ, MAP_PRIVATE, fd, 0);
if (map == MAP_FAILED) {
fprintf(stderr,
"SELinux: Could not map policy file %s: %s\n",
@@ -239,49 +190,6 @@ checkbool:
policydb_free(policydb);
}
- if (usesepol) {
- if (setlocaldefs) {
- void *olddata = data;
- size_t oldsize = size;
- rc = genusers(olddata, oldsize, selinux_users_path(),
- &data, &size);
- if (rc < 0) {
- /* Fall back to the prior image if genusers failed. */
- data = olddata;
- size = oldsize;
- rc = 0;
- } else {
- if (olddata != map)
- free(olddata);
- }
- }
-
- if (preservebools) {
- int *values, len, i;
- char **names;
- rc = security_get_boolean_names(&names, &len);
- if (!rc) {
- values = malloc(sizeof(int) * len);
- if (!values) {
- free(names);
- goto unmap;
- }
- for (i = 0; i < len; i++)
- values[i] =
- security_get_boolean_active(names[i]);
- (void)genbools_array(data, size, names, values,
- len);
- free(values);
- for (i = 0; i < len; i++)
- free(names[i]);
- free(names);
- }
- } else if (setlocaldefs) {
- (void)genbools(data, size, selinux_booleans_path());
- }
- }
-
-
rc = security_load_policy(data, size);
if (rc)
diff --git a/libselinux/src/regex.c b/libselinux/src/regex.c
index a6fcbbfe..770bc3ea 100644
--- a/libselinux/src/regex.c
+++ b/libselinux/src/regex.c
@@ -519,6 +519,29 @@ void regex_format_error(struct regex_error_data const *error_data, char *buffer,
if (pos >= buf_size)
goto truncated;
+ /* Return early if there is no error to format */
+#ifdef USE_PCRE2
+ if (!error_data->error_code) {
+ rc = snprintf(buffer + pos, buf_size - pos, "no error code");
+ if (rc < 0)
+ abort();
+ pos += rc;
+ if (pos >= buf_size)
+ goto truncated;
+ return;
+ }
+#else
+ if (!error_data->error_buffer) {
+ rc = snprintf(buffer + pos, buf_size - pos, "empty error");
+ if (rc < 0)
+ abort();
+ pos += rc;
+ if (pos >= buf_size)
+ goto truncated;
+ return;
+ }
+#endif
+
if (error_data->error_offset > 0) {
#ifdef USE_PCRE2
rc = snprintf(buffer + pos, buf_size - pos, "At offset %zu: ",
@@ -529,10 +552,10 @@ void regex_format_error(struct regex_error_data const *error_data, char *buffer,
#endif
if (rc < 0)
abort();
+ pos += rc;
+ if (pos >= buf_size)
+ goto truncated;
}
- pos += rc;
- if (pos >= buf_size)
- goto truncated;
#ifdef USE_PCRE2
rc = pcre2_get_error_message(error_data->error_code,
diff --git a/libselinux/src/regex.h b/libselinux/src/regex.h
index eb8ca501..6732b349 100644
--- a/libselinux/src/regex.h
+++ b/libselinux/src/regex.h
@@ -159,8 +159,8 @@ int regex_cmp(struct regex_data *regex1, struct regex_data *regex2) hidden;
* the buffer.
*
* @arg error_data Error data as returned by regex_prepare_data.
- * @arg buffer String buffer to hold the formated error string.
- * @arg buf_size Total size of the given bufer in bytes.
+ * @arg buffer String buffer to hold the formatted error string.
+ * @arg buf_size Total size of the given buffer in bytes.
*/
void regex_format_error(struct regex_error_data const *error_data, char *buffer,
size_t buf_size) hidden;
diff --git a/libselinux/src/selinux_config.c b/libselinux/src/selinux_config.c
index b06cb63b..b16a3851 100644
--- a/libselinux/src/selinux_config.c
+++ b/libselinux/src/selinux_config.c
@@ -16,7 +16,6 @@
#define SELINUXDEFAULT "targeted"
#define SELINUXTYPETAG "SELINUXTYPE="
#define SELINUXTAG "SELINUX="
-#define SETLOCALDEFS "SETLOCALDEFS="
#define REQUIRESEUSERS "REQUIRESEUSERS="
/* Indices for file paths arrays. */
@@ -28,10 +27,12 @@
#define USER_CONTEXTS 5
#define FAILSAFE_CONTEXT 6
#define DEFAULT_TYPE 7
+/* BOOLEANS is deprecated */
#define BOOLEANS 8
#define MEDIA_CONTEXTS 9
#define REMOVABLE_CONTEXT 10
#define CUSTOMIZABLE_TYPES 11
+/* USERS_DIR is deprecated */
#define USERS_DIR 12
#define SEUSERS 13
#define TRANSLATIONS 14
@@ -192,10 +193,6 @@ static void init_selinux_config(void)
}
free(type);
continue;
- } else if (!strncmp(buf_p, SETLOCALDEFS,
- sizeof(SETLOCALDEFS) - 1)) {
- value = buf_p + sizeof(SETLOCALDEFS) - 1;
- intptr = &load_setlocaldefs;
} else if (!strncmp(buf_p, REQUIRESEUSERS,
sizeof(REQUIRESEUSERS) - 1)) {
value = buf_p + sizeof(REQUIRESEUSERS) - 1;
@@ -410,6 +407,7 @@ const char *selinux_user_contexts_path(void)
hidden_def(selinux_user_contexts_path)
+/* Deprecated as local policy booleans no longer supported. */
const char *selinux_booleans_path(void)
{
return get_path(BOOLEANS);
@@ -417,6 +415,7 @@ const char *selinux_booleans_path(void)
hidden_def(selinux_booleans_path)
+/* Deprecated as no longer supported. */
const char *selinux_users_path(void)
{
return get_path(USERS_DIR);
diff --git a/libselinux/src/selinux_internal.h b/libselinux/src/selinux_internal.h
index acd59c7c..61b78aaa 100644
--- a/libselinux/src/selinux_internal.h
+++ b/libselinux/src/selinux_internal.h
@@ -107,10 +107,8 @@ hidden_proto(selinux_trans_to_raw_context);
hidden_proto(security_get_initial_context);
hidden_proto(security_get_initial_context_raw);
hidden_proto(selinux_reset_config);
+hidden_proto(selinux_flush_class_cache);
-hidden void flush_class_cache(void);
-
-extern int load_setlocaldefs hidden;
extern int require_seusers hidden;
extern int selinux_page_size hidden;
diff --git a/libselinux/src/selinux_restorecon.c b/libselinux/src/selinux_restorecon.c
index 5f189235..028d8924 100644
--- a/libselinux/src/selinux_restorecon.c
+++ b/libselinux/src/selinux_restorecon.c
@@ -36,17 +36,13 @@
#include "callbacks.h"
#include "selinux_internal.h"
-
-#define RESTORECON_LAST "security.restorecon_last"
-
-#define SYS_PATH "/sys"
-#define SYS_PREFIX SYS_PATH "/"
+#include "label_file.h"
+#include "sha1.h"
#define STAR_COUNT 1024
static struct selabel_handle *fc_sehandle = NULL;
-static unsigned char *fc_digest = NULL;
-static size_t fc_digest_len = 0;
+static bool selabel_no_digest;
static char *rootpath = NULL;
static int rootpathlen;
@@ -77,7 +73,6 @@ struct rest_flags {
bool mass_relabel;
bool set_specctx;
bool add_assoc;
- bool ignore_digest;
bool recurse;
bool userealpath;
bool set_xdev;
@@ -299,57 +294,60 @@ static int add_xattr_entry(const char *directory, bool delete_nonmatch,
bool delete_all)
{
char *sha1_buf = NULL;
- unsigned char *xattr_value = NULL;
- ssize_t xattr_size;
- size_t i;
+ size_t i, digest_len = 0;
int rc, digest_result;
struct dir_xattr *new_entry;
+ uint8_t *xattr_digest = NULL;
+ uint8_t *calculated_digest = NULL;
if (!directory) {
errno = EINVAL;
return -1;
}
- xattr_value = malloc(fc_digest_len);
- if (!xattr_value)
- goto oom;
+ selabel_get_digests_all_partial_matches(fc_sehandle, directory,
+ &calculated_digest,
+ &xattr_digest, &digest_len);
- xattr_size = getxattr(directory, RESTORECON_LAST, xattr_value,
- fc_digest_len);
- if (xattr_size < 0) {
- free(xattr_value);
+ if (!xattr_digest || !digest_len) {
+ free(calculated_digest);
return 1;
}
/* Convert entry to a hex encoded string. */
- sha1_buf = malloc(xattr_size * 2 + 1);
+ sha1_buf = malloc(digest_len * 2 + 1);
if (!sha1_buf) {
- free(xattr_value);
+ free(xattr_digest);
+ free(calculated_digest);
goto oom;
}
- for (i = 0; i < (size_t)xattr_size; i++)
- sprintf((&sha1_buf[i * 2]), "%02x", xattr_value[i]);
+ for (i = 0; i < digest_len; i++)
+ sprintf((&sha1_buf[i * 2]), "%02x", xattr_digest[i]);
- rc = memcmp(fc_digest, xattr_value, fc_digest_len);
+ rc = memcmp(calculated_digest, xattr_digest, digest_len);
digest_result = rc ? NOMATCH : MATCH;
if ((delete_nonmatch && rc != 0) || delete_all) {
digest_result = rc ? DELETED_NOMATCH : DELETED_MATCH;
- rc = removexattr(directory, RESTORECON_LAST);
+ rc = removexattr(directory, RESTORECON_PARTIAL_MATCH_DIGEST);
if (rc) {
selinux_log(SELINUX_ERROR,
"Error: %s removing xattr \"%s\" from: %s\n",
- strerror(errno), RESTORECON_LAST, directory);
+ strerror(errno),
+ RESTORECON_PARTIAL_MATCH_DIGEST, directory);
digest_result = ERROR;
}
}
- free(xattr_value);
+ free(xattr_digest);
+ free(calculated_digest);
/* Now add entries to link list. */
new_entry = malloc(sizeof(struct dir_xattr));
- if (!new_entry)
+ if (!new_entry) {
+ free(sha1_buf);
goto oom;
+ }
new_entry->next = NULL;
new_entry->directory = strdup(directory);
@@ -736,18 +734,78 @@ err:
goto out1;
}
+struct dir_hash_node {
+ char *path;
+ uint8_t digest[SHA1_HASH_SIZE];
+ struct dir_hash_node *next;
+};
+/*
+ * Returns true if the digest of all partial matched contexts is the same as
+ * the one saved by setxattr. Otherwise returns false and constructs a
+ * dir_hash_node with the newly calculated digest.
+ */
+static bool check_context_match_for_dir(const char *pathname,
+ struct dir_hash_node **new_node,
+ int error)
+{
+ bool status;
+ size_t digest_len = 0;
+ uint8_t *read_digest = NULL;
+ uint8_t *calculated_digest = NULL;
+
+ if (!new_node)
+ return false;
+
+ *new_node = NULL;
+
+ /* status = true if digests match, false otherwise. */
+ status = selabel_get_digests_all_partial_matches(fc_sehandle, pathname,
+ &calculated_digest,
+ &read_digest,
+ &digest_len);
+
+ if (status)
+ goto free;
+
+ /* Save digest of all matched contexts for the current directory. */
+ if (!error && calculated_digest) {
+ *new_node = calloc(1, sizeof(struct dir_hash_node));
+
+ if (!*new_node)
+ goto oom;
+
+ (*new_node)->path = strdup(pathname);
+
+ if (!(*new_node)->path) {
+ free(*new_node);
+ *new_node = NULL;
+ goto oom;
+ }
+ memcpy((*new_node)->digest, calculated_digest, digest_len);
+ (*new_node)->next = NULL;
+ }
+
+free:
+ free(calculated_digest);
+ free(read_digest);
+ return status;
+
+oom:
+ selinux_log(SELINUX_ERROR, "%s: Out of memory\n", __func__);
+ goto free;
+}
+
+
/*
* Public API
*/
/* selinux_restorecon(3) - Main function that is responsible for labeling */
int selinux_restorecon(const char *pathname_orig,
- unsigned int restorecon_flags)
+ unsigned int restorecon_flags)
{
struct rest_flags flags;
- flags.ignore_digest = (restorecon_flags &
- SELINUX_RESTORECON_IGNORE_DIGEST) ? true : false;
flags.nochange = (restorecon_flags &
SELINUX_RESTORECON_NOCHANGE) ? true : false;
flags.verbose = (restorecon_flags &
@@ -777,10 +835,10 @@ int selinux_restorecon(const char *pathname_orig,
flags.warnonnomatch = true;
ignore_mounts = (restorecon_flags &
SELINUX_RESTORECON_IGNORE_MOUNTS) ? true : false;
+ bool ignore_digest = (restorecon_flags &
+ SELINUX_RESTORECON_IGNORE_DIGEST) ? true : false;
+ bool setrestorecondigest = true;
- bool issys;
- bool setrestoreconlast = true; /* TRUE = set xattr RESTORECON_LAST
- * FALSE = don't use xattr */
struct stat sb;
struct statfs sfsb;
FTS *fts;
@@ -788,9 +846,9 @@ int selinux_restorecon(const char *pathname_orig,
char *pathname = NULL, *pathdnamer = NULL, *pathdname, *pathbname;
char *paths[2] = { NULL, NULL };
int fts_flags, error, sverrno;
- char *xattr_value = NULL;
- ssize_t size;
dev_t dev_num = 0;
+ struct dir_hash_node *current = NULL;
+ struct dir_hash_node *head = NULL;
if (flags.verbose && flags.progress)
flags.verbose = false;
@@ -800,11 +858,13 @@ int selinux_restorecon(const char *pathname_orig,
if (!fc_sehandle)
return -1;
- if (fc_digest_len) {
- xattr_value = malloc(fc_digest_len);
- if (!xattr_value)
- return -1;
- }
+ /*
+ * If selabel_no_digest = true then no digest has been requested by
+ * an external selabel_open(3) call.
+ */
+ if (selabel_no_digest ||
+ (restorecon_flags & SELINUX_RESTORECON_SKIP_DIGEST))
+ setrestorecondigest = false;
/*
* Convert passed-in pathname to canonical pathname by resolving
@@ -853,13 +913,9 @@ int selinux_restorecon(const char *pathname_orig,
}
paths[0] = pathname;
- issys = (!strcmp(pathname, SYS_PATH) ||
- !strncmp(pathname, SYS_PREFIX,
- sizeof(SYS_PREFIX) - 1)) ? true : false;
if (lstat(pathname, &sb) < 0) {
if (flags.ignore_noent && errno == ENOENT) {
- free(xattr_value);
free(pathdnamer);
free(pathname);
return 0;
@@ -872,9 +928,9 @@ int selinux_restorecon(const char *pathname_orig,
}
}
- /* Ignore restoreconlast if not a directory */
+ /* Skip digest if not a directory */
if ((sb.st_mode & S_IFDIR) != S_IFDIR)
- setrestoreconlast = false;
+ setrestorecondigest = false;
if (!flags.recurse) {
if (check_excluded(pathname)) {
@@ -886,30 +942,19 @@ int selinux_restorecon(const char *pathname_orig,
goto cleanup;
}
- /* Ignore restoreconlast on /sys */
- if (issys)
- setrestoreconlast = false;
-
- /* Ignore restoreconlast on in-memory filesystems */
- if (setrestoreconlast && statfs(pathname, &sfsb) == 0) {
- if (sfsb.f_type == RAMFS_MAGIC || sfsb.f_type == TMPFS_MAGIC)
- setrestoreconlast = false;
+ /* Obtain fs type */
+ if (statfs(pathname, &sfsb) < 0) {
+ selinux_log(SELINUX_ERROR,
+ "statfs(%s) failed: %s\n",
+ pathname, strerror(errno));
+ error = -1;
+ goto cleanup;
}
- if (setrestoreconlast) {
- size = getxattr(pathname, RESTORECON_LAST, xattr_value,
- fc_digest_len);
-
- if (!flags.ignore_digest && (size_t)size == fc_digest_len &&
- memcmp(fc_digest, xattr_value, fc_digest_len)
- == 0) {
- selinux_log(SELINUX_INFO,
- "Skipping restorecon as matching digest on: %s\n",
- pathname);
- error = 0;
- goto cleanup;
- }
- }
+ /* Skip digest on in-memory filesystems and /sys */
+ if (sfsb.f_type == RAMFS_MAGIC || sfsb.f_type == TMPFS_MAGIC ||
+ sfsb.f_type == SYSFS_MAGIC)
+ setrestorecondigest = false;
if (flags.set_xdev)
fts_flags = FTS_PHYSICAL | FTS_NOCHDIR | FTS_XDEV;
@@ -973,8 +1018,9 @@ int selinux_restorecon(const char *pathname_orig,
fts_set(fts, ftsent, FTS_SKIP);
continue;
case FTS_D:
- if (issys && !selabel_partial_match(fc_sehandle,
- ftsent->fts_path)) {
+ if (sfsb.f_type == SYSFS_MAGIC &&
+ !selabel_partial_match(fc_sehandle,
+ ftsent->fts_path)) {
fts_set(fts, ftsent, FTS_SKIP);
continue;
}
@@ -983,6 +1029,31 @@ int selinux_restorecon(const char *pathname_orig,
fts_set(fts, ftsent, FTS_SKIP);
continue;
}
+
+ if (setrestorecondigest) {
+ struct dir_hash_node *new_node = NULL;
+
+ if (check_context_match_for_dir(ftsent->fts_path,
+ &new_node,
+ error) &&
+ !ignore_digest) {
+ selinux_log(SELINUX_INFO,
+ "Skipping restorecon on directory(%s)\n",
+ ftsent->fts_path);
+ fts_set(fts, ftsent, FTS_SKIP);
+ continue;
+ }
+
+ if (new_node && !error) {
+ if (!current) {
+ current = new_node;
+ head = current;
+ } else {
+ current->next = new_node;
+ current = current->next;
+ }
+ }
+ }
/* fall through */
default:
error |= restorecon_sb(ftsent->fts_path,
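Review bot: The `fts_set(fts, ftsent, FTS_SKIP)` added under `if (setrestorecondigest)` prunes a whole subtree on the strength of the stored digest alone, and nothing nearby says what that digest covers. As computed by `hash_all_partial_matches` for the file backend, it hashes only each matching spec's regex string, mode and raw context. It therefore changes when the file-context rules change, but not when labels inside the directory drift after the digest was written. A comment here would help operators, e.g. `/* Digest covers the matching specs only, not the labels on disk; SELINUX_RESTORECON_IGNORE_DIGEST forces a full relabel. */`. The enclosing `switch` starts outside this hunk.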
@@ -995,13 +1066,24 @@ int selinux_restorecon(const char *pathname_orig,
}
} while ((ftsent = fts_read(fts)) != NULL);
- /* Labeling successful. Mark the top level directory as completed. */
- if (setrestoreconlast && !flags.nochange && !error && fc_digest) {
- error = setxattr(pathname, RESTORECON_LAST, fc_digest,
- fc_digest_len, 0);
- if (!error && flags.verbose)
- selinux_log(SELINUX_INFO,
- "Updated digest for: %s\n", pathname);
+ /*
+ * Labeling successful. Write partial match digests for subdirectories.
+ * TODO: Write digest upon FTS_DP if no error occurs in its descents.
+ */
+ if (setrestorecondigest && !flags.nochange && !error) {
+ current = head;
+ while (current != NULL) {
+ if (setxattr(current->path,
+ RESTORECON_PARTIAL_MATCH_DIGEST,
+ current->digest,
+ SHA1_HASH_SIZE, 0) < 0) {
+ selinux_log(SELINUX_ERROR,
+ "setxattr failed: %s: %s\n",
+ current->path,
+ strerror(errno));
+ }
+ current = current->next;
+ }
}
out:
@@ -1019,7 +1101,15 @@ cleanup:
}
free(pathdnamer);
free(pathname);
- free(xattr_value);
+
+ current = head;
+ while (current != NULL) {
+ struct dir_hash_node *next = current->next;
+
+ free(current->path);
+ free(current);
+ current = next;
+ }
return error;
oom:
@@ -1050,20 +1140,20 @@ fts_err:
void selinux_restorecon_set_sehandle(struct selabel_handle *hndl)
{
char **specfiles;
- size_t num_specfiles;
+ unsigned char *fc_digest;
+ size_t num_specfiles, fc_digest_len;
fc_sehandle = (struct selabel_handle *) hndl;
- /*
- * Read digest if requested in selabel_open(3) and set global params.
- */
+ /* Check if digest requested in selabel_open(3), if so use it. */
if (selabel_digest(fc_sehandle, &fc_digest, &fc_digest_len,
- &specfiles, &num_specfiles) < 0) {
- fc_digest = NULL;
- fc_digest_len = 0;
- }
+ &specfiles, &num_specfiles) < 0)
+ selabel_no_digest = true;
+ else
+ selabel_no_digest = false;
}
+
/*
* selinux_restorecon_default_handle(3) is called to set the global restorecon
* handle by a process if the default params are required.
@@ -1085,6 +1175,7 @@ struct selabel_handle *selinux_restorecon_default_handle(void)
return NULL;
}
+ selabel_no_digest = false;
return sehandle;
}
@@ -1134,9 +1225,11 @@ int selinux_restorecon_set_alt_rootpath(const char *alt_rootpath)
return 0;
}
-/* selinux_restorecon_xattr(3) - Find RESTORECON_LAST entries. */
+/* selinux_restorecon_xattr(3)
+ * Find RESTORECON_PARTIAL_MATCH_DIGEST entries.
+ */
int selinux_restorecon_xattr(const char *pathname, unsigned int xattr_flags,
- struct dir_xattr ***xattr_list)
+ struct dir_xattr ***xattr_list)
{
bool recurse = (xattr_flags &
SELINUX_RESTORECON_XATTR_RECURSE) ? true : false;
@@ -1157,7 +1250,7 @@ int selinux_restorecon_xattr(const char *pathname, unsigned int xattr_flags,
__selinux_once(fc_once, restorecon_init);
- if (!fc_sehandle || !fc_digest_len)
+ if (!fc_sehandle)
return -1;
if (lstat(pathname, &sb) < 0) {
diff --git a/libselinux/src/selinuxswig_python_exception.i b/libselinux/src/selinuxswig_python_exception.i
new file mode 100644
index 00000000..cf658259
--- /dev/null
+++ b/libselinux/src/selinuxswig_python_exception.i
@@ -0,0 +1,954 @@
+
+%exception is_selinux_enabled {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception is_selinux_mls_enabled {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception getcon {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception getcon_raw {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception setcon {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception setcon_raw {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception getpidcon {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception getpidcon_raw {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception getprevcon {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception getprevcon_raw {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception getexeccon {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception getexeccon_raw {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception setexeccon {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception setexeccon_raw {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception getfscreatecon {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception getfscreatecon_raw {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception setfscreatecon {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception setfscreatecon_raw {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception getkeycreatecon {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception getkeycreatecon_raw {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception setkeycreatecon {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception setkeycreatecon_raw {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception getsockcreatecon {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception getsockcreatecon_raw {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception setsockcreatecon {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception setsockcreatecon_raw {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception getfilecon {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception getfilecon_raw {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception lgetfilecon {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception lgetfilecon_raw {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception fgetfilecon {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception fgetfilecon_raw {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception setfilecon {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception setfilecon_raw {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception lsetfilecon {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception lsetfilecon_raw {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception fsetfilecon {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception fsetfilecon_raw {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception getpeercon {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception getpeercon_raw {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception security_compute_av {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception security_compute_av_raw {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception security_compute_av_flags {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception security_compute_av_flags_raw {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception security_compute_create {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception security_compute_create_raw {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception security_compute_create_name {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception security_compute_create_name_raw {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception security_compute_relabel {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception security_compute_relabel_raw {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception security_compute_member {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception security_compute_member_raw {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception security_compute_user {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception security_compute_user_raw {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception security_validatetrans {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception security_validatetrans_raw {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception security_load_policy {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception security_get_initial_context {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception security_get_initial_context_raw {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception selinux_mkload_policy {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception selinux_init_load_policy {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception security_set_boolean_list {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception security_load_booleans {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception security_check_context {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception security_check_context_raw {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception security_canonicalize_context {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception security_canonicalize_context_raw {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception security_getenforce {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception security_setenforce {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception security_reject_unknown {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception security_deny_unknown {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception security_get_checkreqprot {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception security_disable {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception security_policyvers {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception security_get_boolean_names {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception security_get_boolean_pending {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception security_get_boolean_active {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception security_set_boolean {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception security_commit_booleans {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception selinux_set_mapping {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception security_av_string {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception matchpathcon_init {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception matchpathcon_init_prefix {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception realpath_not_final {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception matchpathcon {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception matchpathcon_index {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception matchpathcon_filespec_add {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception matchmediacon {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception selinux_getenforcemode {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception selinux_getpolicytype {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception selinux_set_policy_root {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception selinux_check_access {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception selinux_check_passwd_access {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception checkPasswdAccess {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception selinux_check_securetty_context {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception selinuxfs_exists {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception setexecfilecon {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception rpm_execcon {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception is_context_customizable {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception selinux_trans_to_raw_context {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception selinux_raw_to_trans_context {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception selinux_raw_context_to_color {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception getseuserbyname {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception getseuser {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception selinux_file_context_verify {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception selinux_lsetfilecon_default {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
diff --git a/libselinux/src/sestatus.c b/libselinux/src/sestatus.c
index ed29dc55..ede5a289 100644
--- a/libselinux/src/sestatus.c
+++ b/libselinux/src/sestatus.c
@@ -21,7 +21,7 @@
*/
struct selinux_status_t
{
- uint32_t version; /* version number of thie structure */
+ uint32_t version; /* version number of this structure */
uint32_t sequence; /* sequence number of seqlock logic */
uint32_t enforcing; /* current setting of enforcing mode */
uint32_t policyload; /* times of policy reloaded */
diff --git a/libselinux/src/setup.py b/libselinux/src/setup.py
new file mode 100644
index 00000000..c8270bdc
--- /dev/null
+++ b/libselinux/src/setup.py
@@ -0,0 +1,24 @@
+#!/usr/bin/python3
+
+from distutils.core import Extension, setup
+
+setup(
+ name="selinux",
+ version="3.0",
+ description="SELinux python 3 bindings",
+ author="SELinux Project",
+ author_email="selinux@vger.kernel.org",
+ ext_modules=[
+ Extension('selinux._selinux',
+ sources=['selinuxswig_python.i'],
+ include_dirs=['../include'],
+ library_dirs=['.'],
+ libraries=['selinux']),
+ Extension('selinux.audit2why',
+ sources=['audit2why.c'],
+ include_dirs=['../include'],
+ library_dirs=['.'],
+ libraries=['selinux'],
+ extra_link_args=['-l:libsepol.a', '-Wl,--version-script=audit2why.map'])
+ ],
+)
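Review bot: The literal `version="3.0",` duplicates the release number kept in libselinux/VERSION, so the Python package metadata can drift from the library it wraps at the next bump. Since the script already assumes it runs from libselinux/src (`include_dirs=['../include']`), it could read the file instead, for example `version=open('../VERSION').read().strip(),`. A one-line comment above `extra_link_args` saying why libsepol is linked statically and what audit2why.map restricts would also help the next packager.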
diff --git a/libselinux/src/sha1.c b/libselinux/src/sha1.c
index d671044d..004fcd3b 100644
--- a/libselinux/src/sha1.c
+++ b/libselinux/src/sha1.c
@@ -11,7 +11,7 @@
// Modified to:
// - stop symbols being exported for libselinux shared library - October 2015
// Richard Haines <richard_c_haines@btinternet.com>
-// - Not cast the workspace from a byte array to a CHAR64LONG16 due to allignment isses.
+// - Not cast the workspace from a byte array to a CHAR64LONG16 due to alignment isses.
// Fixes:
// sha1.c:73:33: error: cast from 'uint8_t *' (aka 'unsigned char *') to 'CHAR64LONG16 *' increases required alignment from 1 to 4 [-Werror,-Wcast-align]
// CHAR64LONG16* block = (CHAR64LONG16*) workspace;
diff --git a/libselinux/src/stringrep.c b/libselinux/src/stringrep.c
index ad29f76d..29757b75 100644
--- a/libselinux/src/stringrep.c
+++ b/libselinux/src/stringrep.c
@@ -93,7 +93,7 @@ static struct discover_class_node * discover_class(const char *s)
if (sscanf(buf, "%hu", &node->value) != 1)
goto err3;
- /* load up permission indicies */
+ /* load up permission indices */
snprintf(path, sizeof path, "%s/class/%s/perms",selinux_mnt,s);
dir = opendir(path);
if (dir == NULL)
@@ -158,7 +158,7 @@ err1:
return NULL;
}
-hidden void flush_class_cache(void)
+void selinux_flush_class_cache(void)
{
struct discover_class_node *cur = discover_class_cache, *prev = NULL;
size_t i;
@@ -180,6 +180,8 @@ hidden void flush_class_cache(void)
discover_class_cache = NULL;
}
+hidden_def(selinux_flush_class_cache)
+
security_class_t string_to_security_class(const char *s)
{
struct discover_class_node *node;
@@ -268,7 +270,7 @@ const char *security_av_perm_to_string(security_class_t tclass,
int security_av_string(security_class_t tclass, access_vector_t av, char **res)
{
- unsigned int i = 0;
+ unsigned int i;
size_t len = 5;
access_vector_t tmp = av;
int rc = 0;
@@ -276,19 +278,12 @@ int security_av_string(security_class_t tclass, access_vector_t av, char **res)
char *ptr;
/* first pass computes the required length */
- while (tmp) {
+ for (i = 0; tmp; tmp >>= 1, i++) {
if (tmp & 1) {
str = security_av_perm_to_string(tclass, av & (1<<i));
if (str)
len += strlen(str) + 1;
- else {
- rc = -1;
- errno = EINVAL;
- goto out;
- }
}
- tmp >>= 1;
- i++;
}
*res = malloc(len);
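Review bot: Permission bits that security_av_perm_to_string() cannot name are now skipped without any trace, in the length pass of this hunk and again in the string-building pass of the later hunk, where the old code failed with EINVAL. The returned string can therefore list fewer permissions than the access vector holds, and a caller that logs or displays it cannot tell a partial rendering from a complete one. If skipping is the intended contract, say so at the function, e.g. `/* bits with no name in tclass are omitted from *res */`; otherwise consider appending the unnamed bits in numeric form so that nothing is lost. The body of security_av_string continues outside this hunk.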
@@ -298,7 +293,6 @@ int security_av_string(security_class_t tclass, access_vector_t av, char **res)
}
/* second pass constructs the string */
- i = 0;
tmp = av;
ptr = *res;
@@ -308,12 +302,12 @@ int security_av_string(security_class_t tclass, access_vector_t av, char **res)
}
ptr += sprintf(ptr, "{ ");
- while (tmp) {
- if (tmp & 1)
- ptr += sprintf(ptr, "%s ", security_av_perm_to_string(
- tclass, av & (1<<i)));
- tmp >>= 1;
- i++;
+ for (i = 0; tmp; tmp >>= 1, i++) {
+ if (tmp & 1) {
+ str = security_av_perm_to_string(tclass, av & (1<<i));
+ if (str)
+ ptr += sprintf(ptr, "%s ", str);
+ }
}
sprintf(ptr, "}");
out:
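Review bot: The new line `str = security_av_perm_to_string(tclass, av & (1<<i));` shifts a signed int, and the loop lets i reach 31 when the top bit of av is set, which is undefined behaviour where int is 32 bits wide. Assuming access_vector_t is an unsigned 32-bit type, `av & ((access_vector_t)1 << i)` keeps the shift unsigned. The same expression sits on the unchanged context line of the first pass in the earlier hunk and should change with it. The function starts in an earlier hunk and ends after this one.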
diff --git a/libselinux/utils/.gitignore b/libselinux/utils/.gitignore
index aba18a3c..3ef34374 100644
--- a/libselinux/utils/.gitignore
+++ b/libselinux/utils/.gitignore
@@ -15,6 +15,7 @@ matchpathcon
policyvers
sefcontext_compile
selabel_digest
+selabel_get_digests_all_partial_matches
selabel_lookup
selabel_lookup_best_match
selabel_partial_match
diff --git a/libselinux/utils/sefcontext_compile.c b/libselinux/utils/sefcontext_compile.c
index 54600e2c..dcb0085a 100644
--- a/libselinux/utils/sefcontext_compile.c
+++ b/libselinux/utils/sefcontext_compile.c
@@ -88,7 +88,7 @@ out:
* u32 - spec has meta characters
* u32 - The specs prefix_len if >= SELINUX_COMPILED_FCONTEXT_PREFIX_LEN
* u32 - data length of the pcre regex
- * char - a bufer holding the raw pcre regex info
+ * char - a buffer holding the raw pcre regex info
* u32 - data length of the pcre regex study daya
* char - a buffer holding the raw pcre regex study data
*/
diff --git a/libselinux/utils/selabel_get_digests_all_partial_matches.c b/libselinux/utils/selabel_get_digests_all_partial_matches.c
new file mode 100644
index 00000000..0c2edc67
--- /dev/null
+++ b/libselinux/utils/selabel_get_digests_all_partial_matches.c
@@ -0,0 +1,170 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <getopt.h>
+#include <errno.h>
+#include <stdbool.h>
+#include <fts.h>
+#include <selinux/selinux.h>
+#include <selinux/label.h>
+
+#include "../src/label_file.h"
+
+static __attribute__ ((__noreturn__)) void usage(const char *progname)
+{
+ fprintf(stderr,
+ "usage: %s [-vr] [-f file] path\n\n"
+ "Where:\n\t"
+ "-v Validate file_contxts entries against loaded policy.\n\t"
+ "-r Recursively descend directories.\n\t"
+ "-f Optional file_contexts file (defaults to current policy).\n\t"
+ "path Path to check current SHA1 digest against file_contexts entries.\n\n"
+ "This will check the directory selinux.sehash SHA1 digest for "
+ "<path> against\na newly generated digest based on the "
+ "file_context entries for that node\n(using the regx, mode "
+ "and path entries).\n", progname);
+ exit(1);
+}
+
+int main(int argc, char **argv)
+{
+ int opt, fts_flags;
+ size_t i, digest_len;
+ bool status, recurse = false;
+ FTS *fts;
+ FTSENT *ftsent;
+ char *validate = NULL, *file = NULL;
+ char *paths[2] = { NULL, NULL };
+ uint8_t *xattr_digest = NULL;
+ uint8_t *calculated_digest = NULL;
+ char *sha1_buf = NULL;
+
+ struct selabel_handle *hnd;
+ struct selinux_opt selabel_option[] = {
+ { SELABEL_OPT_PATH, file },
+ { SELABEL_OPT_VALIDATE, validate }
+ };
+
+ if (argc < 2)
+ usage(argv[0]);
+
+ while ((opt = getopt(argc, argv, "f:rv")) > 0) {
+ switch (opt) {
+ case 'f':
+ file = optarg;
+ break;
+ case 'r':
+ recurse = true;
+ break;
+ case 'v':
+ validate = (char *)1;
+ break;
+ default:
+ usage(argv[0]);
+ }
+ }
+
+ if (optind >= argc) {
+ fprintf(stderr, "No pathname specified\n");
+ exit(-1);
+ }
+
+ paths[0] = argv[optind];
+
+ selabel_option[0].value = file;
+ selabel_option[1].value = validate;
+
+ hnd = selabel_open(SELABEL_CTX_FILE, selabel_option, 2);
+ if (!hnd) {
+ fprintf(stderr, "ERROR: selabel_open - Could not obtain "
+ "handle.\n");
+ return -1;
+ }
+
+ fts_flags = FTS_PHYSICAL | FTS_NOCHDIR;
+ fts = fts_open(paths, fts_flags, NULL);
+ if (!fts) {
+ printf("fts error on %s: %s\n",
+ paths[0], strerror(errno));
+ return -1;
+ }
+
+ while ((ftsent = fts_read(fts)) != NULL) {
+ switch (ftsent->fts_info) {
+ case FTS_DP:
+ continue;
+ case FTS_D: {
+
+ xattr_digest = NULL;
+ calculated_digest = NULL;
+ digest_len = 0;
+
+ status = selabel_get_digests_all_partial_matches(hnd,
+ ftsent->fts_path,
+ &calculated_digest,
+ &xattr_digest,
+ &digest_len);
+
+ sha1_buf = calloc(1, digest_len * 2 + 1);
+ if (!sha1_buf) {
+ fprintf(stderr, "Could not calloc buffer ERROR: %s\n",
+ strerror(errno));
+ return -1;
+ }
+
+ if (status) { /* They match */
+ printf("xattr and file_contexts SHA1 digests match for: %s\n",
+ ftsent->fts_path);
+
+ if (calculated_digest) {
+ for (i = 0; i < digest_len; i++)
+ sprintf((&sha1_buf[i * 2]),
+ "%02x",
+ calculated_digest[i]);
+ printf("SHA1 digest: %s\n", sha1_buf);
+ }
+ } else {
+ if (!calculated_digest) {
+ printf("No SHA1 digest available for: %s\n",
+ ftsent->fts_path);
+ printf("as file_context entry is \"<<none>>\"\n");
+ break;
+ }
+
+ printf("The file_context entries for: %s\n",
+ ftsent->fts_path);
+
+ for (i = 0; i < digest_len; i++)
+ sprintf((&sha1_buf[i * 2]), "%02x",
+ calculated_digest[i]);
+ printf("generated SHA1 digest: %s\n", sha1_buf);
+
+ if (!xattr_digest) {
+ printf("however there is no selinux.sehash xattr entry.\n");
+ } else {
+ printf("however it does NOT match the current entry of:\n");
+ for (i = 0; i < digest_len; i++)
+ sprintf((&sha1_buf[i * 2]),
+ "%02x",
+ xattr_digest[i]);
+ printf("%s\n", sha1_buf);
+ }
+
+ free(xattr_digest);
+ free(calculated_digest);
+ free(sha1_buf);
+ }
+ break;
+ }
+ default:
+ break;
+ }
+
+ if (!recurse)
+ break;
+ }
+
+ (void) fts_close(fts);
+ (void) selabel_close(hnd);
+ return 0;
+}
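Review bot: The three `free()` calls sit inside the `else` branch of the `FTS_D` case, so `sha1_buf`, `calculated_digest` and `xattr_digest` are released only when the digests differ. They are never freed on the match path, and the early `break` after the `<<none>>` message also skips them, so with `-r` one set of buffers leaks per directory visited. Making the no-digest case its own `else if` branch and moving the frees below the conditional releases them on every path. The `fts_open` failure path also returns without `selabel_close(hnd)`, which matters less because the process exits.

```c
			if (status) { /* They match */
				/* … unchanged: match message and digest print … */
			} else if (!calculated_digest) {
				/* … unchanged: the two "<<none>>" printf calls, without the break … */
			} else {
				/* … unchanged: mismatch report … */
			}

			/* per-directory buffers are released on every path */
			free(xattr_digest);
			free(calculated_digest);
			free(sha1_buf);
			break;
```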
diff --git a/libsemanage/VERSION b/libsemanage/VERSION
index 8c269150..9f55b2cc 100644
--- a/libsemanage/VERSION
+++ b/libsemanage/VERSION
@@ -1 +1 @@
-2.9
+3.0
diff --git a/libsemanage/include/semanage/handle.h b/libsemanage/include/semanage/handle.h
index c8165900..946d69bc 100644
--- a/libsemanage/include/semanage/handle.h
+++ b/libsemanage/include/semanage/handle.h
@@ -32,13 +32,13 @@ typedef struct semanage_handle semanage_handle_t;
/* Create and return a semanage handle.
The handle is initially in the disconnected state. */
-semanage_handle_t *semanage_handle_create(void);
+extern semanage_handle_t *semanage_handle_create(void);
/* Deallocate all space associated with a semanage_handle_t, including
* the pointer itself. CAUTION: this function does not disconnect
* from the backend; be sure that a semanage_disconnect() was
* previously called if the handle was connected. */
-void semanage_handle_destroy(semanage_handle_t *);
+extern void semanage_handle_destroy(semanage_handle_t *);
/* This is the type of connection to the store, for now only
* direct is supported */
@@ -51,65 +51,65 @@ enum semanage_connect_type {
* It must be called after semanage_handle_create but before
* semanage_connect. The argument should be the full path to the store.
*/
-void semanage_select_store(semanage_handle_t * handle, char *path,
- enum semanage_connect_type storetype);
+extern void semanage_select_store(semanage_handle_t * handle, char *path,
+ enum semanage_connect_type storetype);
/* Just reload the policy */
-int semanage_reload_policy(semanage_handle_t * handle);
+extern int semanage_reload_policy(semanage_handle_t * handle);
/* set whether to reload the policy or not after a commit,
* 1 for yes (default), 0 for no */
-void semanage_set_reload(semanage_handle_t * handle, int do_reload);
+extern void semanage_set_reload(semanage_handle_t * handle, int do_reload);
/* set whether to rebuild the policy on commit, even if no
* changes were performed.
* 1 for yes, 0 for no (default) */
-void semanage_set_rebuild(semanage_handle_t * handle, int do_rebuild);
+extern void semanage_set_rebuild(semanage_handle_t * handle, int do_rebuild);
/* Fills *compiler_path with the location of the hll compiler sh->conf->compiler_directory_path
* corresponding to lang_ext.
* Upon success returns 0, -1 on error. */
-int semanage_get_hll_compiler_path(semanage_handle_t *sh, char *lang_ext, char **compiler_path);
+extern int semanage_get_hll_compiler_path(semanage_handle_t *sh, char *lang_ext, char **compiler_path);
/* create the store if it does not exist, this only has an effect on
* direct connections and must be called before semanage_connect
* 1 for yes, 0 for no (default) */
-void semanage_set_create_store(semanage_handle_t * handle, int create_store);
+extern void semanage_set_create_store(semanage_handle_t * handle, int create_store);
/*Get whether or not dontaudits will be disabled upon commit */
-int semanage_get_disable_dontaudit(semanage_handle_t * handle);
+extern int semanage_get_disable_dontaudit(semanage_handle_t * handle);
/* Set whether or not to disable dontaudits upon commit */
-void semanage_set_disable_dontaudit(semanage_handle_t * handle, int disable_dontaudit);
+extern void semanage_set_disable_dontaudit(semanage_handle_t * handle, int disable_dontaudit);
/* Set whether or not to execute setfiles to check file contexts upon commit */
-void semanage_set_check_contexts(semanage_handle_t * sh, int do_check_contexts);
+extern void semanage_set_check_contexts(semanage_handle_t * sh, int do_check_contexts);
/* Get the default priority. */
-uint16_t semanage_get_default_priority(semanage_handle_t *sh);
+extern uint16_t semanage_get_default_priority(semanage_handle_t *sh);
/* Set the default priority. */
-int semanage_set_default_priority(semanage_handle_t *sh, uint16_t priority);
+extern int semanage_set_default_priority(semanage_handle_t *sh, uint16_t priority);
/* Check whether policy is managed via libsemanage on this system.
* Must be called prior to trying to connect.
* Return 1 if policy is managed via libsemanage on this system,
* 0 if policy is not managed, or -1 on error.
*/
-int semanage_is_managed(semanage_handle_t *);
+extern int semanage_is_managed(semanage_handle_t *);
/* "Connect" to a manager based on the configuration and
* associate the provided handle with the connection.
* If the connect fails then this function returns a negative value,
* else it returns zero.
*/
-int semanage_connect(semanage_handle_t *);
+extern int semanage_connect(semanage_handle_t *);
/* Disconnect from the manager given by the handle. If already
* disconnected then this function does nothing. Return 0 if
* disconnected properly or already disconnected, negative value on
* error. */
-int semanage_disconnect(semanage_handle_t *);
+extern int semanage_disconnect(semanage_handle_t *);
/* Attempt to obtain a transaction lock on the manager. If another
* process has the lock then this function may block, depending upon
@@ -118,47 +118,47 @@ int semanage_disconnect(semanage_handle_t *);
* Note that if the semanage_handle has not yet obtained a transaction
* lock whenever a writer function is called, there will be an
* implicit call to this function. */
-int semanage_begin_transaction(semanage_handle_t *);
+extern int semanage_begin_transaction(semanage_handle_t *);
/* Attempt to commit all changes since this transaction began. If the
* commit is successful then increment the "policy sequence number"
* and then release the transaction lock. Return that policy number
* afterwards, or -1 on error.
*/
-int semanage_commit(semanage_handle_t *);
+extern int semanage_commit(semanage_handle_t *);
#define SEMANAGE_CAN_READ 1
#define SEMANAGE_CAN_WRITE 2
/* returns SEMANAGE_CAN_READ or SEMANAGE_CAN_WRITE if the store is readable
* or writable, respectively. <0 if an error occurred */
-int semanage_access_check(semanage_handle_t * sh);
+extern int semanage_access_check(semanage_handle_t * sh);
/* returns 0 if not connected, 1 if connected */
-int semanage_is_connected(semanage_handle_t * sh);
+extern int semanage_is_connected(semanage_handle_t * sh);
/* returns 1 if policy is MLS, 0 otherwise. */
-int semanage_mls_enabled(semanage_handle_t *sh);
+extern int semanage_mls_enabled(semanage_handle_t *sh);
/* Change to alternate semanage root path */
-int semanage_set_root(const char *path);
+extern int semanage_set_root(const char *path);
/* Get the current semanage root path */
-const char * semanage_root(void);
+extern const char * semanage_root(void);
/* Get whether or not needless unused branch of tunables would be preserved */
-int semanage_get_preserve_tunables(semanage_handle_t * handle);
+extern int semanage_get_preserve_tunables(semanage_handle_t * handle);
/* Set whether or not to preserve the needless unused branch of tunables */
-void semanage_set_preserve_tunables(semanage_handle_t * handle, int preserve_tunables);
+extern void semanage_set_preserve_tunables(semanage_handle_t * handle, int preserve_tunables);
/* Get the flag value for whether or not caching is ignored for compiled CIL modules from HLL files */
-int semanage_get_ignore_module_cache(semanage_handle_t *handle);
+extern int semanage_get_ignore_module_cache(semanage_handle_t *handle);
/* Set semanage_handle flag for whether or not to ignore caching of compiled CIL modules from HLL files */
-void semanage_set_ignore_module_cache(semanage_handle_t *handle, int ignore_module_cache);
+extern void semanage_set_ignore_module_cache(semanage_handle_t *handle, int ignore_module_cache);
/* set the store root path for semanage output files */
-void semanage_set_store_root(semanage_handle_t *sh, const char *store_root);
+extern void semanage_set_store_root(semanage_handle_t *sh, const char *store_root);
/* META NOTES
*
diff --git a/libsemanage/include/semanage/modules.h b/libsemanage/include/semanage/modules.h
index 4b93e54e..ac403931 100644
--- a/libsemanage/include/semanage/modules.h
+++ b/libsemanage/include/semanage/modules.h
@@ -32,11 +32,11 @@ typedef struct semanage_module_key semanage_module_key_t;
* a transaction
*/
-int semanage_module_install(semanage_handle_t *,
- char *module_data, size_t data_len, char *name, char *ext_lang);
-int semanage_module_install_file(semanage_handle_t *,
- const char *module_name);
-int semanage_module_remove(semanage_handle_t *, char *module_name);
+extern int semanage_module_install(semanage_handle_t *,
+ char *module_data, size_t data_len, char *name, char *ext_lang);
+extern int semanage_module_install_file(semanage_handle_t *,
+ const char *module_name);
+extern int semanage_module_remove(semanage_handle_t *, char *module_name);
/* semanage_module_info is for getting information on installed
modules, only name at this time */
@@ -52,18 +52,18 @@ typedef struct semanage_module_info semanage_module_info_t;
*
* Returns 0 on success and -1 on error.
*/
-int semanage_module_extract(semanage_handle_t *sh,
- semanage_module_key_t *modkey,
- int extract_cil,
- void **mapped_data,
- size_t *data_len,
- semanage_module_info_t **modinfo);
-int semanage_module_list(semanage_handle_t *,
- semanage_module_info_t **, int *num_modules);
-void semanage_module_info_datum_destroy(semanage_module_info_t *);
-semanage_module_info_t *semanage_module_list_nth(semanage_module_info_t * list,
- int n);
-const char *semanage_module_get_name(semanage_module_info_t *);
+extern int semanage_module_extract(semanage_handle_t *sh,
+ semanage_module_key_t *modkey,
+ int extract_cil,
+ void **mapped_data,
+ size_t *data_len,
+ semanage_module_info_t **modinfo);
+extern int semanage_module_list(semanage_handle_t *,
+ semanage_module_info_t **, int *num_modules);
+extern void semanage_module_info_datum_destroy(semanage_module_info_t *);
+extern semanage_module_info_t *semanage_module_list_nth(semanage_module_info_t * list,
+ int n);
+extern const char *semanage_module_get_name(semanage_module_info_t *);
/* Module Info */
@@ -74,8 +74,8 @@ const char *semanage_module_get_name(semanage_module_info_t *);
* The @modinfo should be destroyed with semanage_module_info_destroy.
* The caller should call free() on the struct.
*/
-int semanage_module_info_create(semanage_handle_t *sh,
- semanage_module_info_t **modinfo);
+extern int semanage_module_info_create(semanage_handle_t *sh,
+ semanage_module_info_t **modinfo);
/* Frees the members of the module info struct.
*
@@ -83,8 +83,8 @@ int semanage_module_info_create(semanage_handle_t *sh,
*
* The caller should call free() on the struct.
*/
-int semanage_module_info_destroy(semanage_handle_t *handle,
- semanage_module_info_t *modinfo);
+extern int semanage_module_info_destroy(semanage_handle_t *handle,
+ semanage_module_info_t *modinfo);
/* Module Info Getters */
@@ -92,33 +92,33 @@ int semanage_module_info_destroy(semanage_handle_t *handle,
*
* Returns 0 on success and -1 on error.
*/
-int semanage_module_info_get_priority(semanage_handle_t *sh,
- semanage_module_info_t *modinfo,
- uint16_t *priority);
+extern int semanage_module_info_get_priority(semanage_handle_t *sh,
+ semanage_module_info_t *modinfo,
+ uint16_t *priority);
/* Get @name from @modinfo. Caller should not free @name.
*
* Returns 0 on success and -1 on error.
*/
-int semanage_module_info_get_name(semanage_handle_t *sh,
- semanage_module_info_t *modinfo,
- const char **name);
+extern int semanage_module_info_get_name(semanage_handle_t *sh,
+ semanage_module_info_t *modinfo,
+ const char **name);
/* Get @lang_ext from @modinfo. Caller should not free @lang_ext.
*
* Returns 0 on success and -1 on error.
*/
-int semanage_module_info_get_lang_ext(semanage_handle_t *sh,
- semanage_module_info_t *modinfo,
- const char **lang_ext);
+extern int semanage_module_info_get_lang_ext(semanage_handle_t *sh,
+ semanage_module_info_t *modinfo,
+ const char **lang_ext);
/* Get @enabled from @modinfo.
*
* Returns 0 on success and -1 on error.
*/
-int semanage_module_info_get_enabled(semanage_handle_t *sh,
- semanage_module_info_t *modinfo,
- int *enabled);
+extern int semanage_module_info_get_enabled(semanage_handle_t *sh,
+ semanage_module_info_t *modinfo,
+ int *enabled);
/* Module Info Setters */
@@ -126,33 +126,33 @@ int semanage_module_info_get_enabled(semanage_handle_t *sh,
*
* Returns 0 on success and -1 on error.
*/
-int semanage_module_info_set_priority(semanage_handle_t *sh,
- semanage_module_info_t *modinfo,
- uint16_t priority);
+extern int semanage_module_info_set_priority(semanage_handle_t *sh,
+ semanage_module_info_t *modinfo,
+ uint16_t priority);
/* Set @name in @modinfo.
*
* Returns 0 on success and -1 on error.
*/
-int semanage_module_info_set_name(semanage_handle_t *sh,
- semanage_module_info_t *modinfo,
- const char *name);
+extern int semanage_module_info_set_name(semanage_handle_t *sh,
+ semanage_module_info_t *modinfo,
+ const char *name);
/* Set @lang_ext in @modinfo.
*
* Returns 0 on success and -1 on error.
*/
-int semanage_module_info_set_lang_ext(semanage_handle_t *sh,
- semanage_module_info_t *modinfo,
- const char *lang_ext);
+extern int semanage_module_info_set_lang_ext(semanage_handle_t *sh,
+ semanage_module_info_t *modinfo,
+ const char *lang_ext);
/* Set @enabled in @modinfo.
*
* Returns 0 on success and -1 on error.
*/
-int semanage_module_info_set_enabled(semanage_handle_t *sh,
- semanage_module_info_t *modinfo,
- int enabled);
+extern int semanage_module_info_set_enabled(semanage_handle_t *sh,
+ semanage_module_info_t *modinfo,
+ int enabled);
/* Module Key */
@@ -163,16 +163,16 @@ int semanage_module_info_set_enabled(semanage_handle_t *sh,
* The @modkey should be destroyed with semanage_module_key_destroy.
* The caller should call free() on the struct.
*/
-int semanage_module_key_create(semanage_handle_t *sh,
- semanage_module_key_t **modkey);
+extern int semanage_module_key_create(semanage_handle_t *sh,
+ semanage_module_key_t **modkey);
/* Frees members of the @modkey, but not the struct. The caller should
* call free() on struct.
*
* Returns 0 on success, and -1 on error.
*/
-int semanage_module_key_destroy(semanage_handle_t *sh,
- semanage_module_key_t *modkey);
+extern int semanage_module_key_destroy(semanage_handle_t *sh,
+ semanage_module_key_t *modkey);
/* Module Key Getters */
@@ -180,17 +180,17 @@ int semanage_module_key_destroy(semanage_handle_t *sh,
*
* Returns 0 on success and -1 on error.
*/
-int semanage_module_key_get_name(semanage_handle_t *sh,
- semanage_module_key_t *modkey,
- const char **name);
+extern int semanage_module_key_get_name(semanage_handle_t *sh,
+ semanage_module_key_t *modkey,
+ const char **name);
/* Get @name from @modkey.
*
* Returns 0 on success and -1 on error.
*/
-int semanage_module_key_get_priority(semanage_handle_t *sh,
- semanage_module_key_t *modkey,
- uint16_t *priority);
+extern int semanage_module_key_get_priority(semanage_handle_t *sh,
+ semanage_module_key_t *modkey,
+ uint16_t *priority);
/* Module Key Setters */
@@ -198,17 +198,17 @@ int semanage_module_key_get_priority(semanage_handle_t *sh,
*
* Returns 0 on success and -1 on error.
*/
-int semanage_module_key_set_name(semanage_handle_t *sh,
- semanage_module_key_t *modkey,
- const char *name);
+extern int semanage_module_key_set_name(semanage_handle_t *sh,
+ semanage_module_key_t *modkey,
+ const char *name);
/* Set @priority in @modkey.
*
* Returns 0 on success and -1 on error.
*/
-int semanage_module_key_set_priority(semanage_handle_t *sh,
- semanage_module_key_t *modkey,
- uint16_t priority);
+extern int semanage_module_key_set_priority(semanage_handle_t *sh,
+ semanage_module_key_t *modkey,
+ uint16_t priority);
/* Set module @enabled status from @modkey. Modules are enabled on a per
* module name basis (across all priorities). @modkey only needs to have
@@ -216,18 +216,18 @@ int semanage_module_key_set_priority(semanage_handle_t *sh,
*
* Returns 0 on success and -1 on error.
*/
-int semanage_module_set_enabled(semanage_handle_t *sh,
- const semanage_module_key_t *modkey,
- int enabled);
+extern int semanage_module_set_enabled(semanage_handle_t *sh,
+ const semanage_module_key_t *modkey,
+ int enabled);
/* Lookup @modinfo by @modkey. Caller should use
* semanage_module_info_destroy and free on @modinfo.
*
* Returns 0 on success and -1 on error.
*/
-int semanage_module_get_module_info(semanage_handle_t *sh,
- const semanage_module_key_t *modkey,
- semanage_module_info_t **modinfo);
+extern int semanage_module_get_module_info(semanage_handle_t *sh,
+ const semanage_module_key_t *modkey,
+ semanage_module_info_t **modinfo);
/* Create a list of all modules in @modinfos of length @modinfos_len.
* The list will be sorted from high priority to low and alphabetically
@@ -238,9 +238,9 @@ int semanage_module_get_module_info(semanage_handle_t *sh,
*
* Returns 0 on success and -1 on error.
*/
-int semanage_module_list_all(semanage_handle_t *sh,
- semanage_module_info_t **modinfos,
- int *modinfos_len);
+extern int semanage_module_list_all(semanage_handle_t *sh,
+ semanage_module_info_t **modinfos,
+ int *modinfos_len);
/* Install the module indicated by @modinfo with input data from
* @module_data with length @data_len.
@@ -254,21 +254,21 @@ int semanage_module_list_all(semanage_handle_t *sh,
* -2 failure, invalid @modinfo
* -3 failure, error writing file
*/
-int semanage_module_install_info(semanage_handle_t *sh,
- const semanage_module_info_t *modinfo,
- char *data,
- size_t data_len);
+extern int semanage_module_install_info(semanage_handle_t *sh,
+ const semanage_module_info_t *modinfo,
+ char *data,
+ size_t data_len);
/* Remove the module indicated by @modkey.
* @modkey must have key values filled in.
*
* Returns:
* 0 success
- * -1 failure, out of memeory
+ * -1 failure, out of memory
* -2 failure, @module not found or couldn't be removed
*/
-int semanage_module_remove_key(semanage_handle_t *sh,
- const semanage_module_key_t *modkey);
+extern int semanage_module_remove_key(semanage_handle_t *sh,
+ const semanage_module_key_t *modkey);
/* Module Enabled */
@@ -278,8 +278,8 @@ int semanage_module_remove_key(semanage_handle_t *sh,
*
* Returns 0 on success and -1 on error.
*/
-int semanage_module_get_enabled(semanage_handle_t *sh,
- const semanage_module_key_t *modkey,
- int *enabled);
+extern int semanage_module_get_enabled(semanage_handle_t *sh,
+ const semanage_module_key_t *modkey,
+ int *enabled);
#endif
diff --git a/libsemanage/include/semanage/port_record.h b/libsemanage/include/semanage/port_record.h
index 20ae4bd9..71074800 100644
--- a/libsemanage/include/semanage/port_record.h
+++ b/libsemanage/include/semanage/port_record.h
@@ -16,6 +16,8 @@ typedef struct semanage_port_key semanage_port_key_t;
#define SEMANAGE_PROTO_UDP 0
#define SEMANAGE_PROTO_TCP 1
+#define SEMANAGE_PROTO_DCCP 2
+#define SEMANAGE_PROTO_SCTP 3
/* Key */
extern int semanage_port_compare(const semanage_port_t * port,
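Review bot: The new `SEMANAGE_PROTO_DCCP` and `SEMANAGE_PROTO_SCTP` defines carry no comment saying what fixes their numeric values. If these constants are handed through to libsepol unchanged (presumably so, but not visible in this hunk), a later renumbering on either side would silently label ports under the wrong protocol. I would add a line above the block such as `/* Values must stay equal to the matching SEPOL_PROTO_* constants in libsepol. */`, after confirming that against the libsepol header.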
diff --git a/libsemanage/man/man5/semanage.conf.5 b/libsemanage/man/man5/semanage.conf.5
index 8f8de55a..8efc7dd5 100644
--- a/libsemanage/man/man5/semanage.conf.5
+++ b/libsemanage/man/man5/semanage.conf.5
@@ -121,6 +121,11 @@ and by default it is set to "false".
Please note that since this option deletes all HLL files, an updated HLL compiler will not be able to recompile the original HLL file into CIL.
In order to compile the original HLL file into CIL, the same HLL file will need to be reinstalled.
+.TP
+.B optimize-policy
+When set to "true", the kernel policy will be optimized upon rebuilds.
+It can be set to either "true" or "false" and by default it is set to "false".
+
.SH "SEE ALSO"
.TP
semanage(8)
diff --git a/libsemanage/src/.gitignore b/libsemanage/src/.gitignore
index dc87c598..b4d4bb32 100644
--- a/libsemanage/src/.gitignore
+++ b/libsemanage/src/.gitignore
@@ -1,4 +1,3 @@
semanageswig_wrap.c
-semanageswig_python_exception.i
semanage.py
semanageswig_ruby_wrap.c
diff --git a/libsemanage/src/Makefile b/libsemanage/src/Makefile
index e029f098..8a9570c7 100644
--- a/libsemanage/src/Makefile
+++ b/libsemanage/src/Makefile
@@ -94,7 +94,7 @@ $(LIBSO): $(LOBJS)
$(LIBPC): $(LIBPC).in ../VERSION
sed -e 's/@VERSION@/$(VERSION)/; s:@prefix@:$(PREFIX):; s:@libdir@:$(LIBDIR):; s:@includedir@:$(INCLUDEDIR):' < $< > $@
-semanageswig_python_exception.i: ../include/semanage/semanage.h
+semanageswig_python_exception.i: exception.sh $(wildcard ../include/semanage/*.h)
bash -e exception.sh > $@ || (rm -f $@ ; false)
conf-scan.c: conf-scan.l conf-parse.h
diff --git a/libsemanage/src/boolean_internal.h b/libsemanage/src/boolean_internal.h
index ad12b820..dc23c273 100644
--- a/libsemanage/src/boolean_internal.h
+++ b/libsemanage/src/boolean_internal.h
@@ -21,7 +21,7 @@ hidden_proto(semanage_bool_clone)
hidden_proto(semanage_bool_set_name)
hidden_proto(semanage_bool_set_value)
-/* BOOL RECORD: metod table */
+/* BOOL RECORD: method table */
extern record_table_t SEMANAGE_BOOL_RTABLE;
extern int bool_file_dbase_init(semanage_handle_t * handle,
diff --git a/libsemanage/src/booleans_policydb.c b/libsemanage/src/booleans_policydb.c
index 6869d6cd..26fcac0a 100644
--- a/libsemanage/src/booleans_policydb.c
+++ b/libsemanage/src/booleans_policydb.c
@@ -39,7 +39,7 @@ typedef struct dbase_policydb dbase_t;
record_policydb_table_t SEMANAGE_BOOL_POLICYDB_RTABLE = {
.add = NULL,
.modify = NULL,
-/* FIXME: these casts depend on stucts in libsepol matching structs
+/* FIXME: these casts depend on structs in libsepol matching structs
* in libsemanage. This is incredibly fragile - the casting gets
* rid of warnings, but is not type safe.
*/
diff --git a/libsemanage/src/conf-parse.y b/libsemanage/src/conf-parse.y
index b527e893..9bf9364a 100644
--- a/libsemanage/src/conf-parse.y
+++ b/libsemanage/src/conf-parse.y
@@ -59,7 +59,7 @@ static int parse_errors;
char *s;
}
-%token MODULE_STORE VERSION EXPAND_CHECK FILE_MODE SAVE_PREVIOUS SAVE_LINKED TARGET_PLATFORM COMPILER_DIR IGNORE_MODULE_CACHE STORE_ROOT
+%token MODULE_STORE VERSION EXPAND_CHECK FILE_MODE SAVE_PREVIOUS SAVE_LINKED TARGET_PLATFORM COMPILER_DIR IGNORE_MODULE_CACHE STORE_ROOT OPTIMIZE_POLICY
%token LOAD_POLICY_START SETFILES_START SEFCONTEXT_COMPILE_START DISABLE_GENHOMEDIRCON HANDLE_UNKNOWN USEPASSWD IGNOREDIRS
%token BZIP_BLOCKSIZE BZIP_SMALL REMOVE_HLL
%token VERIFY_MOD_START VERIFY_LINKED_START VERIFY_KERNEL_START BLOCK_END
@@ -95,6 +95,7 @@ single_opt: module_store
| bzip_blocksize
| bzip_small
| remove_hll
+ | optimize_policy
;
module_store: MODULE_STORE '=' ARG {
@@ -268,6 +269,17 @@ remove_hll: REMOVE_HLL'=' ARG {
free($3);
}
+optimize_policy: OPTIMIZE_POLICY '=' ARG {
+ if (strcasecmp($3, "false") == 0) {
+ current_conf->optimize_policy = 0;
+ } else if (strcasecmp($3, "true") == 0) {
+ current_conf->optimize_policy = 1;
+ } else {
+ yyerror("optimize-policy can only be 'true' or 'false'");
+ }
+ free($3);
+}
+
command_block:
command_start external_opts BLOCK_END {
if (new_external->path == NULL) {
@@ -352,6 +364,7 @@ static int semanage_conf_init(semanage_conf_t * conf)
conf->bzip_small = 0;
conf->ignore_module_cache = 0;
conf->remove_hll = 0;
+ conf->optimize_policy = 0;
conf->save_previous = 0;
conf->save_linked = 0;
diff --git a/libsemanage/src/conf-scan.l b/libsemanage/src/conf-scan.l
index 607bbf0b..b06a896c 100644
--- a/libsemanage/src/conf-scan.l
+++ b/libsemanage/src/conf-scan.l
@@ -54,6 +54,7 @@ handle-unknown return HANDLE_UNKNOWN;
bzip-blocksize return BZIP_BLOCKSIZE;
bzip-small return BZIP_SMALL;
remove-hll return REMOVE_HLL;
+optimize-policy return OPTIMIZE_POLICY;
"[load_policy]" return LOAD_POLICY_START;
"[setfiles]" return SETFILES_START;
"[sefcontext_compile]" return SEFCONTEXT_COMPILE_START;
diff --git a/libsemanage/src/database.h b/libsemanage/src/database.h
index 6a4a164e..a1cd32b8 100644
--- a/libsemanage/src/database.h
+++ b/libsemanage/src/database.h
@@ -49,7 +49,7 @@ typedef struct record_table {
int (*clone) (struct semanage_handle * handle,
const record_t * rec, record_t ** new_rec);
- /* Deallocate record resources. Must sucessfully handle NULL. */
+ /* Deallocate record resources. Must successfully handle NULL. */
void (*free) (record_t * rec);
} record_table_t;
diff --git a/libsemanage/src/direct_api.c b/libsemanage/src/direct_api.c
index 7e097d5f..1088a0ac 100644
--- a/libsemanage/src/direct_api.c
+++ b/libsemanage/src/direct_api.c
@@ -1461,6 +1461,13 @@ rebuild:
cil_db_destroy(&cildb);
+ /* Remove redundancies in binary policy if requested. */
+ if (sh->conf->optimize_policy) {
+ retval = sepol_policydb_optimize(out);
+ if (retval < 0)
+ goto cleanup;
+ }
+
/* Write the linked policy before merging local changes. */
retval = semanage_write_policydb(sh, out,
SEMANAGE_LINKED);
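Review bot: The error path of the new `sepol_policydb_optimize(out)` call jumps to `cleanup` without reporting anything through the handle. A rebuild that fails here may give the administrator no hint that `optimize-policy` was the step involved, unless libsepol logs the failure itself (not visible here). I would brace the `if` and add `ERR(sh, "Failed to optimize the policy.");` before the `goto cleanup;`. The comment could also state that the optimized policy is what gets written as `SEMANAGE_LINKED` just below, so anyone auditing the saved linked policy sees post-optimization rules. The enclosing function starts and ends outside this hunk.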
diff --git a/libsemanage/src/exception.sh b/libsemanage/src/exception.sh
index 97bc2ae8..fc1d4035 100644
--- a/libsemanage/src/exception.sh
+++ b/libsemanage/src/exception.sh
@@ -9,10 +9,10 @@ echo "
}
"
}
-if ! ${CC:-gcc} -x c -c -I../include - -aux-info temp.aux < ../include/semanage/semanage.h
+if ! ${CC:-gcc} -x c -c -I../include -o temp.o - -aux-info temp.aux < ../include/semanage/semanage.h
then
# clang does not support -aux-info so fall back to gcc
- gcc -x c -c -I../include - -aux-info temp.aux < ../include/semanage/semanage.h
+ gcc -x c -c -I../include -o temp.o - -aux-info temp.aux < ../include/semanage/semanage.h
fi
for i in `awk '/extern int/ { print $6 }' temp.aux`; do except $i ; done
-rm -f -- temp.aux -.o
+rm -f -- temp.aux temp.o
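Review bot: The cleanup on the last line only runs when every earlier command succeeds. The Makefile invokes this script with `bash -e`, so a failure of the fallback `gcc` or of the `awk` loop exits before `rm -f -- temp.aux temp.o` and leaves both files in the source directory. Registering the cleanup up front with `trap 'rm -f -- temp.aux temp.o' EXIT` would cover those paths, and the final `rm` could then be dropped. The start of the script, including the `except` function, lies outside this hunk.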
diff --git a/libsemanage/src/fcontext_internal.h b/libsemanage/src/fcontext_internal.h
index a6008ea4..c7767d07 100644
--- a/libsemanage/src/fcontext_internal.h
+++ b/libsemanage/src/fcontext_internal.h
@@ -26,7 +26,7 @@ hidden_proto(semanage_fcontext_key_create)
hidden_proto(semanage_fcontext_free)
hidden_proto(semanage_fcontext_iterate_local)
-/* FCONTEXT RECORD: metod table */
+/* FCONTEXT RECORD: method table */
extern record_table_t SEMANAGE_FCONTEXT_RTABLE;
extern int fcontext_file_dbase_init(semanage_handle_t * handle,
diff --git a/libsemanage/src/genhomedircon.c b/libsemanage/src/genhomedircon.c
index e5f8d371..d08c88de 100644
--- a/libsemanage/src/genhomedircon.c
+++ b/libsemanage/src/genhomedircon.c
@@ -28,8 +28,10 @@
#include <semanage/fcontexts_policy.h>
#include <sepol/context.h>
#include <sepol/context_record.h>
+#include "fcontext_internal.h"
#include "semanage_store.h"
#include "seuser_internal.h"
+#include "user_internal.h"
#include "debug.h"
#include "utilities.h"
diff --git a/libsemanage/src/handle.c b/libsemanage/src/handle.c
index e5109aef..5e59aef7 100644
--- a/libsemanage/src/handle.c
+++ b/libsemanage/src/handle.c
@@ -279,7 +279,7 @@ void semanage_select_store(semanage_handle_t * sh, char *storename,
assert(sh != NULL);
/* This just sets the storename to what the user requests, no
- verification of existance will be done until connect */
+ verification of existence will be done until connect */
free(sh->conf->store_path);
sh->conf->store_path = strdup(storename);
assert(sh->conf->store_path); /* no way to return failure */
diff --git a/libsemanage/src/iface_internal.h b/libsemanage/src/iface_internal.h
index 1f678362..5cb77789 100644
--- a/libsemanage/src/iface_internal.h
+++ b/libsemanage/src/iface_internal.h
@@ -22,7 +22,7 @@ hidden_proto(semanage_iface_create)
hidden_proto(semanage_iface_set_msgcon)
hidden_proto(semanage_iface_set_name)
-/* IFACE RECORD: metod table */
+/* IFACE RECORD: method table */
extern record_table_t SEMANAGE_IFACE_RTABLE;
extern int iface_policydb_dbase_init(semanage_handle_t * handle,
diff --git a/libsemanage/src/modules.c b/libsemanage/src/modules.c
index fa84d33e..19043505 100644
--- a/libsemanage/src/modules.c
+++ b/libsemanage/src/modules.c
@@ -849,7 +849,7 @@ int semanage_module_set_enabled(semanage_handle_t *sh,
hidden_def(semanage_module_set_enabled)
-/* This function exists only for ABI compatability. It has been deprecated and
+/* This function exists only for ABI compatibility. It has been deprecated and
* should not be used. Instead, use semanage_module_set_enabled() */
int semanage_module_enable(semanage_handle_t *sh, char *module_name)
{
@@ -877,7 +877,7 @@ exit:
return rc;
}
-/* This function exists only for ABI compatability. It has been deprecated and
+/* This function exists only for ABI compatibility. It has been deprecated and
* should not be used. Instead, use semanage_module_set_enabled() */
int semanage_module_disable(semanage_handle_t *sh, char *module_name)
{
diff --git a/libsemanage/src/policy.h b/libsemanage/src/policy.h
index f1271560..7d595433 100644
--- a/libsemanage/src/policy.h
+++ b/libsemanage/src/policy.h
@@ -31,7 +31,7 @@ struct semanage_handle;
struct semanage_policy_table {
/* Returns the current policy serial/commit number
- * A negative number is returned in case of failre */
+ * A negative number is returned in case of failure */
int (*get_serial) (struct semanage_handle *);
/* Destroy a connection */
diff --git a/libsemanage/src/ports_file.c b/libsemanage/src/ports_file.c
index 46ee2f00..4738d467 100644
--- a/libsemanage/src/ports_file.c
+++ b/libsemanage/src/ports_file.c
@@ -84,6 +84,10 @@ static int port_parse(semanage_handle_t * handle,
semanage_port_set_proto(port, SEMANAGE_PROTO_TCP);
else if (!strcasecmp(str, "udp"))
semanage_port_set_proto(port, SEMANAGE_PROTO_UDP);
+ else if (!strcasecmp(str, "dccp"))
+ semanage_port_set_proto(port, SEMANAGE_PROTO_DCCP);
+ else if (!strcasecmp(str, "sctp"))
+ semanage_port_set_proto(port, SEMANAGE_PROTO_SCTP);
else {
ERR(handle, "invalid protocol \"%s\" (%s: %u):\n%s", str,
info->filename, info->lineno, info->orig_line);
diff --git a/libsemanage/src/pywrap-test.py b/libsemanage/src/pywrap-test.py
index 5ac48f40..f266f700 100644
--- a/libsemanage/src/pywrap-test.py
+++ b/libsemanage/src/pywrap-test.py
@@ -1,4 +1,4 @@
-#!/usr/bin/env python
+#!/usr/bin/python3
from __future__ import print_function
import sys
diff --git a/libsemanage/src/semanage_conf.h b/libsemanage/src/semanage_conf.h
index c99ac8c7..23c4b8b4 100644
--- a/libsemanage/src/semanage_conf.h
+++ b/libsemanage/src/semanage_conf.h
@@ -47,6 +47,7 @@ typedef struct semanage_conf {
int bzip_small;
int remove_hll;
int ignore_module_cache;
+ int optimize_policy;
char *ignoredirs; /* ";" separated of list for genhomedircon to ignore */
struct external_prog *load_policy;
struct external_prog *setfiles;
diff --git a/libsemanage/src/semanageswig_python.i b/libsemanage/src/semanageswig_python.i
index 8604b8aa..8dd79fc2 100644
--- a/libsemanage/src/semanageswig_python.i
+++ b/libsemanage/src/semanageswig_python.i
@@ -105,7 +105,7 @@
%apply int *OUTPUT { uint16_t * };
%include <cstring.i>
-/* This is needed to properly mmaped binary data in SWIG */
+/* This is needed to properly mmap binary data in SWIG */
%cstring_output_allocate_size(void **mapped_data, size_t *data_len, munmap(*$1, *$2));
%typemap(in, numinputs=0) char **(char *temp=NULL) {
diff --git a/libsemanage/src/semanageswig_python_exception.i b/libsemanage/src/semanageswig_python_exception.i
new file mode 100644
index 00000000..06c60267
--- /dev/null
+++ b/libsemanage/src/semanageswig_python_exception.i
@@ -0,0 +1,2385 @@
+
+%exception semanage_reload_policy {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_get_hll_compiler_path {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_get_disable_dontaudit {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_set_default_priority {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_is_managed {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_connect {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_disconnect {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_begin_transaction {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_commit {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_access_check {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_is_connected {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_mls_enabled {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_set_root {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_get_preserve_tunables {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_get_ignore_module_cache {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception select {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception pselect {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_module_install {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_module_install_file {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_module_remove {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_module_extract {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_module_list {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_module_info_create {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_module_info_destroy {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_module_info_get_priority {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_module_info_get_name {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_module_info_get_lang_ext {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_module_info_get_enabled {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_module_info_set_priority {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_module_info_set_name {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_module_info_set_lang_ext {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_module_info_set_enabled {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_module_key_create {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_module_key_destroy {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_module_key_get_name {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_module_key_get_priority {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_module_key_set_name {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_module_key_set_priority {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_module_set_enabled {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_module_get_module_info {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_module_list_all {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_module_install_info {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_module_remove_key {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_module_get_enabled {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_msg_get_level {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_bool_key_create {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_bool_key_extract {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_bool_compare {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_bool_compare2 {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_bool_set_name {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_bool_get_value {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_bool_create {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_bool_clone {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_user_key_create {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_user_key_extract {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_user_compare {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_user_compare2 {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_user_set_name {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_user_set_prefix {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_user_set_mlslevel {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_user_set_mlsrange {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_user_get_num_roles {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_user_add_role {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_user_has_role {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_user_get_roles {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_user_set_roles {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_user_create {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_user_clone {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_seuser_key_create {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_seuser_key_extract {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_seuser_compare {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_seuser_compare2 {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_seuser_set_name {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_seuser_set_sename {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_seuser_set_mlsrange {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_seuser_create {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_seuser_clone {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_context_set_user {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_context_set_role {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_context_set_type {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_context_set_mls {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_context_create {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_context_clone {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_context_from_string {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_context_to_string {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_iface_compare {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_iface_compare2 {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_iface_key_create {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_iface_key_extract {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_iface_set_name {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_iface_set_ifcon {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_iface_set_msgcon {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_iface_create {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_iface_clone {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_port_compare {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_port_compare2 {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_port_key_create {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_port_key_extract {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_port_get_proto {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_port_get_low {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_port_get_high {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_port_set_con {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_port_create {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_port_clone {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_ibpkey_compare {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_ibpkey_compare2 {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_ibpkey_key_create {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_ibpkey_key_extract {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_ibpkey_get_subnet_prefix {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_ibpkey_set_subnet_prefix {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_ibpkey_get_low {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_ibpkey_get_high {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_ibpkey_set_con {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_ibpkey_create {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_ibpkey_clone {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_ibendport_compare {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_ibendport_compare2 {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_ibendport_key_create {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_ibendport_key_extract {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_ibendport_get_ibdev_name {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_ibendport_set_ibdev_name {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_ibendport_get_port {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_ibendport_set_con {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_ibendport_create {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_ibendport_clone {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_node_compare {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_node_compare2 {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_node_key_create {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_node_key_extract {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_node_get_addr {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_node_get_addr_bytes {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_node_set_addr {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_node_set_addr_bytes {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_node_get_mask {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_node_get_mask_bytes {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_node_set_mask {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_node_set_mask_bytes {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_node_get_proto {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_node_set_con {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_node_create {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_node_clone {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_bool_modify_local {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_bool_del_local {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_bool_query_local {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_bool_exists_local {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_bool_count_local {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_bool_iterate_local {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_bool_list_local {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_bool_query {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_bool_exists {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_bool_count {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_bool_iterate {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_bool_list {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_bool_set_active {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_bool_query_active {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_bool_exists_active {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_bool_count_active {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_bool_iterate_active {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_bool_list_active {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_user_modify_local {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_user_del_local {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_user_query_local {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_user_exists_local {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_user_count_local {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_user_iterate_local {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_user_list_local {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_user_query {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_user_exists {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_user_count {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_user_iterate {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_user_list {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_fcontext_compare {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_fcontext_compare2 {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_fcontext_key_create {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_fcontext_key_extract {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_fcontext_set_expr {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_fcontext_get_type {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_fcontext_set_con {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_fcontext_create {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_fcontext_clone {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_fcontext_modify_local {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_fcontext_del_local {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_fcontext_query_local {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_fcontext_exists_local {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_fcontext_count_local {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_fcontext_iterate_local {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_fcontext_list_local {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_fcontext_query {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_fcontext_exists {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_fcontext_count {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_fcontext_iterate {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_fcontext_list {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_fcontext_list_homedirs {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_seuser_modify_local {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_seuser_del_local {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_seuser_query_local {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_seuser_exists_local {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_seuser_count_local {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_seuser_iterate_local {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_seuser_list_local {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_seuser_query {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_seuser_exists {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_seuser_count {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_seuser_iterate {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_seuser_list {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_port_modify_local {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_port_del_local {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_port_query_local {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_port_exists_local {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_port_count_local {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_port_iterate_local {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_port_list_local {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_port_query {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_port_exists {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_port_count {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_port_iterate {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_port_list {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_ibpkey_modify_local {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_ibpkey_del_local {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_ibpkey_query_local {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_ibpkey_exists_local {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_ibpkey_count_local {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_ibpkey_iterate_local {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_ibpkey_list_local {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_ibendport_modify_local {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_ibendport_del_local {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_ibendport_query_local {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_ibendport_exists_local {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_ibendport_count_local {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_ibendport_iterate_local {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_ibendport_list_local {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_ibendport_query {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_ibendport_exists {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_ibendport_count {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_ibendport_iterate {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_ibendport_list {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_ibpkey_query {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_ibpkey_exists {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_ibpkey_count {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_ibpkey_iterate {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_ibpkey_list {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_iface_modify_local {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_iface_del_local {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_iface_query_local {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_iface_exists_local {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_iface_count_local {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_iface_iterate_local {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_iface_list_local {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_iface_query {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_iface_exists {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_iface_count {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_iface_iterate {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_iface_list {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_node_modify_local {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_node_del_local {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_node_query_local {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_node_exists_local {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_node_count_local {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_node_iterate_local {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_node_list_local {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_node_query {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_node_exists {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_node_count {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_node_iterate {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
+
+%exception semanage_node_list {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
diff --git a/libsemanage/src/user_internal.h b/libsemanage/src/user_internal.h
index ce1ac313..2fede947 100644
--- a/libsemanage/src/user_internal.h
+++ b/libsemanage/src/user_internal.h
@@ -28,7 +28,7 @@ hidden_proto(semanage_user_add_role)
hidden_proto(semanage_user_exists)
hidden_proto(semanage_user_query)
-/* USER record: metod table */
+/* USER record: method table */
extern record_table_t SEMANAGE_USER_RTABLE;
/* USER BASE record: method table */
diff --git a/libsemanage/src/utilities.c b/libsemanage/src/utilities.c
index ba6dc85a..fc5a6a51 100644
--- a/libsemanage/src/utilities.c
+++ b/libsemanage/src/utilities.c
@@ -244,7 +244,7 @@ char *semanage_str_replace(const char *search, const char *replace,
if (slen == 0)
return NULL;
- /* Count the occurences of search in src and compute the new size */
+ /* Count the occurrences of search in src and compute the new size */
for (p = strstr(src, search); p != NULL; p = strstr(p + slen, search)) {
count++;
if (lim && count >= lim)
diff --git a/libsemanage/src/utilities.h b/libsemanage/src/utilities.h
index ba1ed029..6bbe9f5b 100644
--- a/libsemanage/src/utilities.h
+++ b/libsemanage/src/utilities.h
@@ -69,16 +69,16 @@ int semanage_is_prefix(const char *str, const char *val) WARN_UNUSED;
/**
* @param str the string to semanage_split
- * @return malloc'd string after the first run of charachters that aren't whitespace
+ * @return malloc'd string after the first run of characters that aren't whitespace
*/
char *semanage_split_on_space(const char *str) WARN_UNUSED;
/**
* @param str the string to semanage_split
- * @param delim the string delimiter. NOT a set of charachters that can be
+ * @param delim the string delimiter. NOT a set of characters that can be
* a delimiter.
* if *delim == '\0' behaves as semanage_splitOnSpace()
- * @return a ptr to the first charachter past the delimiter.
+ * @return a ptr to the first character past the delimiter.
* if delim doesn't appear in the string, returns a ptr to the
* trailing null in the string
*/
@@ -102,15 +102,15 @@ int semanage_cmp_plist_t(const semanage_list_t ** x,
const semanage_list_t ** y);
/**
* @param data a target string
- * @param what a charachter
+ * @param what a character
* @returns the number of times the char appears in the string
*/
int semanage_str_count(const char *data, char what);
/**
* @param - a string
- * @param the charachter to trim to
+ * @param the character to trim to
* @return - mangles the string, converting the first
- * occurrance of the charachter to a '\0' from
+ * occurrence of the character to a '\0' from
* the end of the string.
*/
void semanage_rtrim(char *str, char trim_to);
@@ -119,7 +119,7 @@ void semanage_rtrim(char *str, char trim_to);
* @param value being searched for
* @param replacement value that replaces found search values
* @param string being searched and replaced on
- * @param maximum number of value occurences (zero for unlimited)
+ * @param maximum number of value occurrences (zero for unlimited)
* @return newly-allocated string with the replaced values
*/
char *semanage_str_replace(const char *search, const char *replace,
diff --git a/libsemanage/tests/.gitignore b/libsemanage/tests/.gitignore
index f07111db..8a2a866a 100644
--- a/libsemanage/tests/.gitignore
+++ b/libsemanage/tests/.gitignore
@@ -1 +1,2 @@
libsemanage-tests
+*.policy
diff --git a/libsemanage/tests/Makefile b/libsemanage/tests/Makefile
index 324766a0..69f49a36 100644
--- a/libsemanage/tests/Makefile
+++ b/libsemanage/tests/Makefile
@@ -1,5 +1,6 @@
# Add your test source files here:
SOURCES = $(sort $(wildcard *.c))
+CILS = $(sort $(wildcard *.cil))
###########################################################################
@@ -8,15 +9,19 @@ CFLAGS += -g -O0 -Wall -W -Wundef -Wmissing-noreturn -Wmissing-format-attribute
override CFLAGS += -I../src -I../include
override LDLIBS += -lcunit -lbz2 -laudit -lselinux -lsepol
-OBJECTS = $(SOURCES:.c=.o)
+OBJECTS = $(SOURCES:.c=.o)
+POLICIES = $(CILS:.cil=.policy)
-all: $(EXECUTABLE)
+all: $(EXECUTABLE) $(POLICIES)
$(EXECUTABLE): $(OBJECTS) ../src/libsemanage.a
$(CC) $(LDFLAGS) -o $@ $^ $(LDLIBS)
+%.policy: %.cil
+ ../../secilc/secilc $*.cil -o $*.policy -f /dev/null
+
clean distclean:
- rm -rf $(OBJECTS) $(EXECUTABLE)
+ rm -rf $(OBJECTS) $(POLICIES) $(EXECUTABLE)
test: all
./$(EXECUTABLE)
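Review bot: The new `%.policy: %.cil` rule calls `../../secilc/secilc` through a hard-coded relative path and does not list it as a prerequisite, while `all` now depends on `$(POLICIES)`. In a tree where secilc has not been built, or when the tests are built against an installed toolchain, the build therefore fails only once the recipe runs, with a command-not-found error. I would make the compiler overridable and use the automatic variables: `SECILC ?= ../../secilc/secilc` next to `CILS`, and `$(SECILC) $< -o $@ -f /dev/null` as the recipe. A one-line comment such as `# -f /dev/null: discard the file contexts output, the tests only need the binary policy` would explain the redirected output, assuming that is the intent.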
diff --git a/libsemanage/tests/libsemanage-tests.c b/libsemanage/tests/libsemanage-tests.c
index 048751b8..2ae4a21b 100644
--- a/libsemanage/tests/libsemanage-tests.c
+++ b/libsemanage/tests/libsemanage-tests.c
@@ -21,6 +21,15 @@
#include "test_semanage_store.h"
#include "test_utilities.h"
+#include "test_handle.h"
+#include "test_bool.h"
+#include "test_fcontext.h"
+#include "test_iface.h"
+#include "test_ibendport.h"
+#include "test_node.h"
+#include "test_port.h"
+#include "test_user.h"
+#include "test_other.h"
#include <CUnit/Basic.h>
#include <CUnit/Console.h>
@@ -59,6 +68,15 @@ static bool do_tests(int interactive, int verbose)
DECLARE_SUITE(semanage_store);
DECLARE_SUITE(semanage_utilities);
+ DECLARE_SUITE(handle);
+ DECLARE_SUITE(bool);
+ DECLARE_SUITE(fcontext);
+ DECLARE_SUITE(iface);
+ DECLARE_SUITE(ibendport);
+ DECLARE_SUITE(node);
+ DECLARE_SUITE(port);
+ DECLARE_SUITE(user);
+ DECLARE_SUITE(other);
if (verbose)
CU_basic_set_mode(CU_BRM_VERBOSE);
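Review bot: `DECLARE_SUITE(bool);` passes an identifier that is a macro wherever `<stdbool.h>` is in scope, and `do_tests` is declared as returning `bool`, so that header is presumably included in this file. The definition of `DECLARE_SUITE` is outside this hunk. If it uses its argument only as an operand of `#` or `##`, the name is not expanded and the call works, but any plain use of the argument would become `_Bool`. I would record that dependency above the added lines, e.g. `/* "bool" works here only because DECLARE_SUITE uses its argument with # and ## */`, or give the suite a name that is not a macro. `do_tests` starts and ends outside the hunk.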
diff --git a/libsemanage/tests/test_bool.c b/libsemanage/tests/test_bool.c
new file mode 100644
index 00000000..ae80d448
--- /dev/null
+++ b/libsemanage/tests/test_bool.c
@@ -0,0 +1,932 @@
+/*
+ * Authors: Jan Zarsky <jzarsky@redhat.com>
+ *
+ * Copyright (C) 2019 Red Hat, Inc.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+ */
+
+#include "utilities.h"
+#include "test_bool.h"
+
+#define BOOL_COUNT 3
+#define BOOL1_NAME "first_bool"
+#define BOOL1_VALUE 1
+#define BOOL2_NAME "second_bool"
+#define BOOL2_VALUE 0
+#define BOOL3_NAME "third_bool"
+#define BOOL3_VALUE 0
+#define BOOL_NONEXISTENT "asdf"
+
+/* boolean_record.h */
+void test_bool_key_create(void);
+void test_bool_key_extract(void);
+void test_bool_compare(void);
+void test_bool_compare2(void);
+void test_bool_get_set_name(void);
+void test_bool_get_set_value(void);
+void test_bool_create(void);
+void test_bool_clone(void);
+
+/* booleans_policy.h */
+void test_bool_query(void);
+void test_bool_exists(void);
+void test_bool_count(void);
+void test_bool_iterate(void);
+void test_bool_list(void);
+
+/* booleans_local.h */
+void test_bool_modify_del_local(void);
+void test_bool_query_local(void);
+void test_bool_exists_local(void);
+void test_bool_count_local(void);
+void test_bool_iterate_local(void);
+void test_bool_list_local(void);
+
+extern semanage_handle_t *sh;
+
+int bool_test_init(void)
+{
+ if (create_test_store() < 0) {
+ fprintf(stderr, "Could not create test store\n");
+ return 1;
+ }
+
+ if (write_test_policy_from_file("test_bool.policy") < 0) {
+ fprintf(stderr, "Could not write test policy\n");
+ return 1;
+ }
+
+ return 0;
+}
+
+int bool_test_cleanup(void)
+{
+ if (destroy_test_store() < 0) {
+ fprintf(stderr, "Could not destroy test store\n");
+ return 1;
+ }
+
+ return 0;
+}
+
+int bool_add_tests(CU_pSuite suite)
+{
+ CU_add_test(suite, "bool_key_create", test_bool_key_create);
+ CU_add_test(suite, "bool_key_extract", test_bool_key_extract);
+ CU_add_test(suite, "bool_compare", test_bool_compare);
+ CU_add_test(suite, "bool_compare2", test_bool_compare2);
+ CU_add_test(suite, "bool_get_set_name", test_bool_get_set_name);
+ CU_add_test(suite, "bool_get_set_value", test_bool_get_set_value);
+ CU_add_test(suite, "bool_create", test_bool_create);
+ CU_add_test(suite, "bool_clone", test_bool_clone);
+
+ CU_add_test(suite, "bool_query", test_bool_query);
+ CU_add_test(suite, "bool_exists", test_bool_exists);
+ CU_add_test(suite, "bool_count", test_bool_count);
+ CU_add_test(suite, "bool_iterate", test_bool_iterate);
+ CU_add_test(suite, "bool_list", test_bool_list);
+
+ CU_add_test(suite, "bool_modify_del_local", test_bool_modify_del_local);
+ CU_add_test(suite, "bool_query_local", test_bool_query_local);
+ CU_add_test(suite, "bool_exists_local", test_bool_exists_local);
+ CU_add_test(suite, "bool_count_local", test_bool_count_local);
+ CU_add_test(suite, "bool_iterate_local", test_bool_iterate_local);
+ CU_add_test(suite, "bool_list_local", test_bool_list_local);
+
+ return 0;
+}
+
+/* Helpers */
+
+semanage_bool_t *get_bool_nth(int idx)
+{
+ int res;
+ semanage_bool_t **records;
+ semanage_bool_t *boolean;
+ unsigned int count;
+
+ if (idx == I_NULL)
+ return NULL;
+
+ res = semanage_bool_list(sh, &records, &count);
+
+ CU_ASSERT_FATAL(res >= 0);
+ CU_ASSERT_FATAL(count >= (unsigned int) idx + 1);
+
+ boolean = records[idx];
+
+ for (unsigned int i = 0; i < count; i++)
+ if (i != (unsigned int) idx)
+ semanage_bool_free(records[i]);
+
+ return boolean;
+}
+
+semanage_bool_t *get_bool_new(void)
+{
+ int res;
+ semanage_bool_t *boolean;
+
+ res = semanage_bool_create(sh, &boolean);
+
+ CU_ASSERT_FATAL(res >= 0);
+
+ return boolean;
+}
+
+semanage_bool_key_t *get_bool_key_nth(int idx)
+{
+ semanage_bool_key_t *key;
+ semanage_bool_t *boolean;
+ int res;
+
+ if (idx == I_NULL)
+ return NULL;
+
+ boolean = get_bool_nth(idx);
+
+ res = semanage_bool_key_extract(sh, boolean, &key);
+
+ CU_ASSERT_FATAL(res >= 0);
+ CU_ASSERT_PTR_NOT_NULL_FATAL(key);
+
+ return key;
+}
+
+semanage_bool_key_t *get_bool_key_from_str(const char *str)
+{
+ semanage_bool_key_t *key;
+ int res;
+
+ if (str == NULL)
+ return NULL;
+
+ res = semanage_bool_key_create(sh, str, &key);
+
+ CU_ASSERT_FATAL(res >= 0);
+ CU_ASSERT_PTR_NOT_NULL_FATAL(key);
+
+ return key;
+}
+
+void add_local_bool(const char *name)
+{
+ semanage_bool_t *boolean;
+ semanage_bool_key_t *key = NULL;
+
+ CU_ASSERT_PTR_NOT_NULL_FATAL(name);
+
+ CU_ASSERT_FATAL(semanage_bool_key_create(sh, name, &key) >= 0);
+ CU_ASSERT_PTR_NOT_NULL_FATAL(key);
+
+ CU_ASSERT_FATAL(semanage_bool_query(sh, key, &boolean) >= 0);
+ CU_ASSERT_PTR_NOT_NULL_FATAL(boolean);
+
+ CU_ASSERT_FATAL(semanage_bool_modify_local(sh, key, boolean) >= 0);
+}
+
+void delete_local_bool(const char *name)
+{
+ semanage_bool_key_t *key = NULL;
+
+ CU_ASSERT_PTR_NOT_NULL_FATAL(name);
+
+ CU_ASSERT_FATAL(semanage_bool_key_create(sh, name, &key) >= 0);
+ CU_ASSERT_PTR_NOT_NULL_FATAL(key);
+
+ CU_ASSERT_FATAL(semanage_bool_del_local(sh, key) >= 0);
+}
+
+/* Function bool_key_create */
+
+void helper_bool_key_create(level_t level)
+{
+ semanage_bool_key_t *key = NULL;
+
+ setup_handle(level);
+
+ CU_ASSERT(semanage_bool_key_create(sh, "", &key) >= 0);
+ CU_ASSERT_PTR_NOT_NULL(key);
+
+ semanage_bool_key_free(key);
+
+ key = NULL;
+
+ CU_ASSERT(semanage_bool_key_create(sh, "testbool", &key) >= 0);
+ CU_ASSERT_PTR_NOT_NULL(key);
+
+ semanage_bool_key_free(key);
+
+ cleanup_handle(level);
+}
+
+void test_bool_key_create(void)
+{
+ helper_bool_key_create(SH_CONNECT);
+ helper_bool_key_create(SH_TRANS);
+}
+
+/* Function bool_key_extract */
+#define SK_NULL 1
+#define SK_NEW 2
+#define SK_INDEX 3
+#define SK_KEY_NULL 4
+void helper_bool_key_extract(level_t level, int mode)
+{
+ semanage_bool_t *boolean = NULL;
+ semanage_bool_key_t *key = NULL;
+ int res;
+
+ setup_handle(level);
+
+ switch (mode) {
+ case SK_NULL:
+ boolean = NULL;
+ break;
+ case SK_NEW:
+ boolean = get_bool_new();
+ break;
+ case SK_INDEX:
+ boolean = get_bool_nth(0);
+ break;
+ case SK_KEY_NULL:
+ boolean = get_bool_nth(0);
+ break;
+ default:
+ CU_FAIL_FATAL("Invalid mode\n");
+ }
+
+ if (mode == SK_KEY_NULL)
+ res = semanage_bool_key_extract(sh, boolean, NULL);
+ else
+ res = semanage_bool_key_extract(sh, boolean, &key);
+
+ CU_ASSERT(res >= 0);
+
+ res = semanage_bool_compare(boolean, key);
+
+ CU_ASSERT(res == 0);
+
+ semanage_bool_key_free(key);
+ semanage_bool_free(boolean);
+
+ cleanup_handle(level);
+}
+
+void test_bool_key_extract(void)
+{
+ helper_bool_key_extract(SH_CONNECT, SK_INDEX);
+ helper_bool_key_extract(SH_TRANS, SK_INDEX);
+}
+#undef SK_NULL
+#undef SK_NEW
+#undef SK_INDEX
+#undef SK_KEY_NULL
+
+/* Function bool_compare */
+void helper_bool_compare(level_t level, int bool_idx1, int bool_idx2)
+{
+ semanage_bool_t *boolean;
+ semanage_bool_key_t *key;
+ int res;
+
+ setup_handle(level);
+
+ boolean = get_bool_nth(bool_idx1);
+ key = get_bool_key_nth(bool_idx2);
+
+ res = semanage_bool_compare(boolean, key);
+
+ if (bool_idx1 == bool_idx2) {
+ CU_ASSERT(res == 0);
+ } else {
+ CU_ASSERT(res != 0);
+ }
+
+ semanage_bool_free(boolean);
+ semanage_bool_key_free(key);
+ cleanup_handle(level);
+}
+
+void test_bool_compare(void)
+{
+ helper_bool_compare(SH_CONNECT, I_FIRST, I_FIRST);
+ helper_bool_compare(SH_CONNECT, I_FIRST, I_SECOND);
+ helper_bool_compare(SH_CONNECT, I_SECOND, I_FIRST);
+ helper_bool_compare(SH_CONNECT, I_SECOND, I_SECOND);
+
+ helper_bool_compare(SH_TRANS, I_FIRST, I_FIRST);
+ helper_bool_compare(SH_TRANS, I_FIRST, I_SECOND);
+ helper_bool_compare(SH_TRANS, I_SECOND, I_FIRST);
+ helper_bool_compare(SH_TRANS, I_SECOND, I_SECOND);
+}
+
+/* Function bool_compare2 */
+void helper_bool_compare2(level_t level, int bool_idx1, int bool_idx2)
+{
+ semanage_bool_t *bool1;
+ semanage_bool_t *bool2;
+ int res;
+
+ setup_handle(level);
+
+ bool1 = get_bool_nth(bool_idx1);
+ bool2 = get_bool_nth(bool_idx2);
+
+ res = semanage_bool_compare2(bool1, bool2);
+
+ if (bool_idx1 == bool_idx2) {
+ CU_ASSERT(res == 0);
+ } else {
+ CU_ASSERT(res != 0);
+ }
+
+ semanage_bool_free(bool1);
+ semanage_bool_free(bool2);
+ cleanup_handle(level);
+}
+
+void test_bool_compare2(void)
+{
+ helper_bool_compare2(SH_CONNECT, I_FIRST, I_FIRST);
+ helper_bool_compare2(SH_CONNECT, I_FIRST, I_SECOND);
+ helper_bool_compare2(SH_CONNECT, I_SECOND, I_FIRST);
+ helper_bool_compare2(SH_CONNECT, I_SECOND, I_SECOND);
+
+ helper_bool_compare2(SH_TRANS, I_FIRST, I_FIRST);
+ helper_bool_compare2(SH_TRANS, I_FIRST, I_SECOND);
+ helper_bool_compare2(SH_TRANS, I_SECOND, I_FIRST);
+ helper_bool_compare2(SH_TRANS, I_SECOND, I_SECOND);
+}
+
+/* Function bool_get_name, bool_set_name */
+void helper_bool_get_set_name(level_t level, int bool_idx, const char *name)
+{
+ semanage_bool_t *boolean;
+ const char *new_name = NULL;
+
+ setup_handle(level);
+
+ boolean = get_bool_nth(bool_idx);
+
+ CU_ASSERT(semanage_bool_set_name(sh, boolean, name) >= 0);
+
+ new_name = semanage_bool_get_name(boolean);
+
+ CU_ASSERT_PTR_NOT_NULL(new_name);
+ /* Use assert to silence the clang analyzer */
+ assert(new_name);
+ CU_ASSERT_STRING_EQUAL(new_name, name);
+
+ semanage_bool_free(boolean);
+ cleanup_handle(level);
+}
+
+void test_bool_get_set_name(void)
+{
+ helper_bool_get_set_name(SH_CONNECT, I_FIRST, "testbool");
+ helper_bool_get_set_name(SH_CONNECT, I_FIRST, "");
+ helper_bool_get_set_name(SH_CONNECT, I_SECOND, "testbool");
+ helper_bool_get_set_name(SH_CONNECT, I_SECOND, "");
+
+ helper_bool_get_set_name(SH_TRANS, I_FIRST, "testbool");
+ helper_bool_get_set_name(SH_TRANS, I_FIRST, "");
+ helper_bool_get_set_name(SH_TRANS, I_SECOND, "testbool");
+ helper_bool_get_set_name(SH_TRANS, I_SECOND, "");
+}
+
+/* Function bool_get_value, bool_set_value */
+void helper_bool_get_set_value(int bool_idx, int val)
+{
+ semanage_bool_t *boolean;
+ int new_val = 0;
+
+ setup_handle(SH_CONNECT);
+ boolean = get_bool_nth(bool_idx);
+ cleanup_handle(SH_CONNECT);
+
+ semanage_bool_set_value(boolean, val);
+
+ new_val = semanage_bool_get_value(boolean);
+
+ CU_ASSERT(new_val == val);
+
+ semanage_bool_free(boolean);
+}
+
+void test_bool_get_set_value(void)
+{
+ helper_bool_get_set_value(I_FIRST, 1);
+ helper_bool_get_set_value(I_FIRST, 0);
+ helper_bool_get_set_value(I_SECOND, 1);
+ helper_bool_get_set_value(I_SECOND, 0);
+}
+
+/* Function bool_create */
+void helper_bool_create(level_t level)
+{
+ semanage_bool_t *boolean;
+
+ setup_handle(level);
+
+ CU_ASSERT(semanage_bool_create(sh, &boolean) >= 0);
+
+ CU_ASSERT_PTR_NULL(semanage_bool_get_name(boolean));
+ CU_ASSERT(semanage_bool_get_value(boolean) == 0);
+
+ cleanup_handle(level);
+}
+
+void test_bool_create(void)
+{
+ helper_bool_create(SH_HANDLE);
+ helper_bool_create(SH_CONNECT);
+ helper_bool_create(SH_TRANS);
+}
+
+/* Function bool_clone */
+void helper_bool_clone(level_t level, int bool_idx)
+{
+ semanage_bool_t *boolean;
+ semanage_bool_t *boolean_clone;
+ const char *str;
+ const char *str_clone;
+ int val;
+ int val_clone;
+
+ setup_handle(level);
+
+ boolean = get_bool_nth(bool_idx);
+
+ CU_ASSERT(semanage_bool_clone(sh, boolean, &boolean_clone) >= 0);
+
+ str = semanage_bool_get_name(boolean);
+ str_clone = semanage_bool_get_name(boolean_clone);
+
+ CU_ASSERT_STRING_EQUAL(str, str_clone);
+
+ val = semanage_bool_get_value(boolean);
+ val_clone = semanage_bool_get_value(boolean_clone);
+
+ CU_ASSERT_EQUAL(val, val_clone);
+
+ cleanup_handle(level);
+}
+
+void test_bool_clone(void)
+{
+ helper_bool_clone(SH_CONNECT, I_FIRST);
+ helper_bool_clone(SH_CONNECT, I_SECOND);
+
+ helper_bool_clone(SH_TRANS, I_FIRST);
+ helper_bool_clone(SH_TRANS, I_SECOND);
+}
+
+/* Function bool_query */
+void helper_bool_query(level_t level, const char *bool_str, int exp_res)
+{
+ semanage_bool_key_t *key;
+ semanage_bool_t *resp = (void *) 42;
+
+ setup_handle(level);
+
+ key = get_bool_key_from_str(bool_str);
+
+ CU_ASSERT(semanage_bool_query(sh, key, &resp) >= 0);
+
+ if (exp_res >= 0) {
+ const char *name = semanage_bool_get_name(resp);
+ CU_ASSERT_STRING_EQUAL(name, bool_str);
+ } else {
+ CU_ASSERT_PTR_NULL(resp);
+ }
+
+ cleanup_handle(level);
+}
+
+void test_bool_query(void)
+{
+ helper_bool_query(SH_CONNECT, BOOL1_NAME, 1);
+ helper_bool_query(SH_CONNECT, BOOL2_NAME, 1);
+ helper_bool_query(SH_CONNECT, BOOL_NONEXISTENT, -1);
+
+ helper_bool_query(SH_TRANS, BOOL1_NAME, 1);
+ helper_bool_query(SH_TRANS, BOOL2_NAME, 1);
+ helper_bool_query(SH_TRANS, BOOL_NONEXISTENT, -1);
+}
+
+/* Function bool_exists */
+void helper_bool_exists(level_t level, const char *bool_str, int exp_resp)
+{
+ semanage_bool_key_t *key;
+ int resp;
+
+ setup_handle(level);
+
+ key = get_bool_key_from_str(bool_str);
+
+ CU_ASSERT(semanage_bool_exists(sh, key, &resp) >= 0);
+ CU_ASSERT(resp == exp_resp);
+
+ semanage_bool_key_free(key);
+
+ cleanup_handle(level);
+}
+
+void test_bool_exists(void)
+{
+ helper_bool_exists(SH_CONNECT, BOOL1_NAME, 1);
+ helper_bool_exists(SH_CONNECT, BOOL2_NAME, 1);
+ helper_bool_exists(SH_CONNECT, BOOL_NONEXISTENT, 0);
+
+ helper_bool_exists(SH_TRANS, BOOL1_NAME, 1);
+ helper_bool_exists(SH_TRANS, BOOL2_NAME, 1);
+ helper_bool_exists(SH_TRANS, BOOL_NONEXISTENT, 0);
+}
+
+/* Function bool_count */
+void test_bool_count(void)
+{
+ unsigned int resp;
+
+ /* handle */
+ setup_handle(SH_HANDLE);
+ CU_ASSERT(semanage_bool_count(sh, &resp) < 0);
+ CU_ASSERT(semanage_bool_count(sh, NULL) < 0);
+ cleanup_handle(SH_HANDLE);
+
+ /* connect */
+ resp = 0;
+ setup_handle(SH_CONNECT);
+ CU_ASSERT(semanage_bool_count(sh, &resp) >= 0);
+ CU_ASSERT(resp == BOOL_COUNT);
+ cleanup_handle(SH_CONNECT);
+
+ /* trans */
+ resp = 0;
+ setup_handle(SH_TRANS);
+ CU_ASSERT(semanage_bool_count(sh, &resp) >= 0);
+ CU_ASSERT(resp == BOOL_COUNT);
+ cleanup_handle(SH_TRANS);
+}
+
+/* Function bool_iterate */
+unsigned int counter_bool_iterate = 0;
+
+int handler_bool_iterate(const semanage_bool_t *record, void *varg)
+{
+ counter_bool_iterate++;
+ return 0;
+}
+
+void helper_bool_iterate_invalid(void)
+{
+ setup_handle(SH_HANDLE);
+ CU_ASSERT(semanage_bool_iterate(sh, &handler_bool_iterate, NULL) < 0);
+ CU_ASSERT(semanage_bool_iterate(sh, NULL, NULL) < 0);
+ cleanup_handle(SH_HANDLE);
+}
+
+void helper_bool_iterate(level_t level)
+{
+ setup_handle(level);
+ counter_bool_iterate = 0;
+ CU_ASSERT(semanage_bool_iterate(sh, &handler_bool_iterate, NULL) >= 0);
+ CU_ASSERT(counter_bool_iterate == BOOL_COUNT);
+ cleanup_handle(level);
+}
+
+void test_bool_iterate(void)
+{
+ helper_bool_iterate_invalid();
+ helper_bool_iterate(SH_CONNECT);
+ helper_bool_iterate(SH_TRANS);
+}
+
+/* Function bool_list */
+void helper_bool_list_invalid(void)
+{
+ semanage_bool_t **records;
+ unsigned int count;
+
+ setup_handle(SH_HANDLE);
+
+ CU_ASSERT(semanage_bool_list(sh, &records, &count) < 0);
+ CU_ASSERT(semanage_bool_list(sh, NULL, &count) < 0);
+ CU_ASSERT(semanage_bool_list(sh, &records, NULL) < 0);
+
+ cleanup_handle(SH_HANDLE);
+}
+
+void helper_bool_list(level_t level)
+{
+ semanage_bool_t **records;
+ unsigned int count;
+
+ setup_handle(level);
+
+ CU_ASSERT(semanage_bool_list(sh, &records, &count) >= 0);
+ CU_ASSERT(count == BOOL_COUNT);
+
+ for (unsigned int i = 0; i < count; i++)
+ CU_ASSERT_PTR_NOT_NULL(records[i]);
+
+ for (unsigned int i = 0; i < count; i++)
+ semanage_bool_free(records[i]);
+
+ cleanup_handle(level);
+}
+
+void test_bool_list(void)
+{
+ helper_bool_list_invalid();
+ helper_bool_list(SH_CONNECT);
+ helper_bool_list(SH_TRANS);
+}
+
+/* Function bool_modify_local, bool_del_local */
+void helper_bool_modify_del_local(level_t level, const char *name,
+ int old_val, int exp_res)
+{
+ semanage_bool_t *boolean;
+ semanage_bool_t *boolean_local;
+ semanage_bool_key_t *key = NULL;
+ int res;
+ int new_val;
+
+ /* setup */
+ setup_handle(level);
+
+ CU_ASSERT(semanage_bool_key_create(sh, name, &key) >= 0);
+ CU_ASSERT_PTR_NOT_NULL(key);
+
+ CU_ASSERT(semanage_bool_query(sh, key, &boolean) >= 0);
+ CU_ASSERT_PTR_NOT_NULL(boolean);
+
+ new_val = !old_val;
+ semanage_bool_set_value(boolean, new_val);
+
+ /* test */
+ res = semanage_bool_modify_local(sh, key, boolean);
+
+ if (exp_res < 0) {
+ CU_ASSERT(res < 0);
+ } else {
+ CU_ASSERT(res >= 0);
+
+ /* write changes to file */
+ if (level == SH_TRANS) {
+ helper_commit();
+ helper_begin_transaction();
+ }
+
+ CU_ASSERT(semanage_bool_query_local(sh, key,
+ &boolean_local) >= 0);
+ CU_ASSERT(semanage_bool_compare2(boolean_local, boolean) == 0);
+ CU_ASSERT(semanage_bool_del_local(sh, key) >= 0);
+ CU_ASSERT(semanage_bool_query_local(sh, key,
+ &boolean_local) < 0);
+ }
+
+ /* cleanup */
+ semanage_bool_key_free(key);
+ semanage_bool_free(boolean);
+
+ cleanup_handle(level);
+}
+
+void test_bool_modify_del_local(void)
+{
+ helper_bool_modify_del_local(SH_CONNECT, BOOL1_NAME, BOOL1_VALUE, -1);
+ helper_bool_modify_del_local(SH_CONNECT, BOOL2_NAME, BOOL2_VALUE, -1);
+ helper_bool_modify_del_local(SH_TRANS, BOOL1_NAME, BOOL1_VALUE, 1);
+ helper_bool_modify_del_local(SH_TRANS, BOOL2_NAME, BOOL2_VALUE, 1);
+}
+
+/* Function bool_query_local */
+void test_bool_query_local(void)
+{
+ semanage_bool_key_t *key = NULL;
+ semanage_bool_t *resp = NULL;
+
+ /* connect */
+ setup_handle(SH_CONNECT);
+ CU_ASSERT(semanage_bool_key_create(sh, BOOL1_NAME, &key) >= 0);
+ CU_ASSERT_PTR_NOT_NULL(key);
+
+ CU_ASSERT(semanage_bool_query_local(sh, key, &resp) < 0);
+ CU_ASSERT_PTR_NULL(resp);
+
+ cleanup_handle(SH_CONNECT);
+
+ /* transaction */
+ setup_handle(SH_TRANS);
+ CU_ASSERT(semanage_bool_key_create(sh, BOOL1_NAME, &key) >= 0);
+ CU_ASSERT_PTR_NOT_NULL(key);
+
+ CU_ASSERT(semanage_bool_query_local(sh, key, &resp) < 0);
+ CU_ASSERT_PTR_NULL(resp);
+
+ add_local_bool(BOOL1_NAME);
+ CU_ASSERT(semanage_bool_query_local(sh, key, &resp) >= 0);
+ CU_ASSERT_PTR_NOT_NULL(resp);
+
+ semanage_bool_key_free(key);
+ CU_ASSERT(semanage_bool_key_create(sh, BOOL2_NAME, &key) >= 0);
+ CU_ASSERT_PTR_NOT_NULL(key);
+
+ add_local_bool(BOOL2_NAME);
+ CU_ASSERT(semanage_bool_query_local(sh, key, &resp) >= 0);
+ CU_ASSERT_PTR_NOT_NULL(resp);
+
+ /* cleanup */
+ delete_local_bool(BOOL1_NAME);
+ delete_local_bool(BOOL2_NAME);
+ cleanup_handle(SH_TRANS);
+}
+
+/* Function bool_exists_local */
+void test_bool_exists_local(void)
+{
+ int resp = -1;
+ semanage_bool_key_t *key;
+
+ /* setup */
+ setup_handle(SH_TRANS);
+ CU_ASSERT(semanage_bool_key_create(sh, BOOL1_NAME, &key) >= 0);
+ CU_ASSERT_PTR_NOT_NULL(key);
+
+ /* test */
+ CU_ASSERT(semanage_bool_exists_local(sh, key, &resp) >= 0);
+ CU_ASSERT(resp == 0);
+
+ add_local_bool(BOOL1_NAME);
+ resp = -1;
+ CU_ASSERT(semanage_bool_exists_local(sh, key, &resp) >= 0);
+ CU_ASSERT(resp == 1);
+
+ delete_local_bool(BOOL1_NAME);
+ resp = -1;
+ CU_ASSERT(semanage_bool_exists_local(sh, key, &resp) >= 0);
+ CU_ASSERT(resp == 0);
+
+ /* cleanup */
+ cleanup_handle(SH_TRANS);
+}
+
+/* Function bool_count_local */
+void test_bool_count_local(void)
+{
+ unsigned int resp;
+ unsigned int init_count;
+
+ /* handle */
+ setup_handle(SH_HANDLE);
+ CU_ASSERT(semanage_bool_count_local(sh, &resp) < 0);
+ cleanup_handle(SH_HANDLE);
+
+ /* connect */
+ setup_handle(SH_CONNECT);
+ CU_ASSERT(semanage_bool_count_local(sh, &resp) >= 0);
+ cleanup_handle(SH_CONNECT);
+
+ /* transaction */
+ setup_handle(SH_TRANS);
+
+ CU_ASSERT(semanage_bool_count_local(sh, &resp) >= 0);
+ init_count = resp;
+
+ add_local_bool(BOOL1_NAME);
+ CU_ASSERT(semanage_bool_count_local(sh, &resp) >= 0);
+ CU_ASSERT(resp == init_count + 1);
+
+ add_local_bool(BOOL2_NAME);
+ CU_ASSERT(semanage_bool_count_local(sh, &resp) >= 0);
+ CU_ASSERT(resp == init_count + 2);
+
+ delete_local_bool(BOOL2_NAME);
+ CU_ASSERT(semanage_bool_count_local(sh, &resp) >= 0);
+ CU_ASSERT(resp == init_count + 1);
+
+ delete_local_bool(BOOL1_NAME);
+ CU_ASSERT(semanage_bool_count_local(sh, &resp) >= 0);
+ CU_ASSERT(resp == init_count);
+
+ /* cleanup */
+ cleanup_handle(SH_TRANS);
+}
+
+/* Function bool_iterate_local */
+unsigned int counter_bool_iterate_local = 0;
+
+int handler_bool_iterate_local(const semanage_bool_t *record, void *varg)
+{
+ counter_bool_iterate_local++;
+ return 0;
+}
+
+void test_bool_iterate_local(void)
+{
+ unsigned int init_count;
+
+ /* handle */
+ setup_handle(SH_HANDLE);
+ CU_ASSERT(semanage_bool_iterate_local(sh, &handler_bool_iterate_local,
+ NULL) < 0);
+ cleanup_handle(SH_HANDLE);
+
+ /* connect */
+ setup_handle(SH_CONNECT);
+
+ counter_bool_iterate_local = 0;
+ CU_ASSERT(semanage_bool_iterate_local(sh, &handler_bool_iterate_local,
+ NULL) >= 0);
+ init_count = counter_bool_iterate_local;
+
+ cleanup_handle(SH_CONNECT);
+
+ /* transaction */
+ setup_handle(SH_TRANS);
+
+ counter_bool_iterate_local = 0;
+ CU_ASSERT(semanage_bool_iterate_local(sh, &handler_bool_iterate_local,
+ NULL) >= 0);
+ CU_ASSERT(counter_bool_iterate_local == init_count);
+
+ add_local_bool(BOOL1_NAME);
+ counter_bool_iterate_local = 0;
+ CU_ASSERT(semanage_bool_iterate_local(sh, &handler_bool_iterate_local,
+ NULL) >= 0);
+ CU_ASSERT(counter_bool_iterate_local == init_count + 1);
+
+ add_local_bool(BOOL2_NAME);
+ counter_bool_iterate_local = 0;
+ CU_ASSERT(semanage_bool_iterate_local(sh, &handler_bool_iterate_local,
+ NULL) >= 0);
+ CU_ASSERT(counter_bool_iterate_local == init_count + 2);
+
+ /* cleanup */
+ delete_local_bool(BOOL1_NAME);
+ delete_local_bool(BOOL2_NAME);
+ cleanup_handle(SH_TRANS);
+}
+
+/* Function bool_list_local */
+void test_bool_list_local(void)
+{
+ semanage_bool_t **records;
+ unsigned int count;
+ unsigned int init_count;
+
+ /* handle */
+ setup_handle(SH_HANDLE);
+
+ CU_ASSERT(semanage_bool_list_local(sh, &records, &count) < 0);
+ CU_ASSERT(semanage_bool_list_local(sh, NULL, &count) < 0);
+ CU_ASSERT(semanage_bool_list_local(sh, &records, NULL) < 0);
+
+ cleanup_handle(SH_HANDLE);
+
+ /* connect */
+ setup_handle(SH_CONNECT);
+
+ CU_ASSERT(semanage_bool_list_local(sh, &records, &count) >= 0);
+ init_count = count;
+
+ cleanup_handle(SH_CONNECT);
+
+ /* transaction */
+ setup_handle(SH_TRANS);
+
+ CU_ASSERT(semanage_bool_list_local(sh, &records, &count) >= 0);
+ CU_ASSERT(count == init_count);
+
+ add_local_bool(BOOL1_NAME);
+ CU_ASSERT(semanage_bool_list_local(sh, &records, &count) >= 0);
+ CU_ASSERT(count == init_count + 1);
+ CU_ASSERT_PTR_NOT_NULL(records[0]);
+
+ add_local_bool(BOOL2_NAME);
+ CU_ASSERT(semanage_bool_list_local(sh, &records, &count) >= 0);
+ CU_ASSERT(count == init_count + 2);
+ CU_ASSERT_PTR_NOT_NULL(records[0]);
+ CU_ASSERT_PTR_NOT_NULL(records[1]);
+
+ /* cleanup */
+ delete_local_bool(BOOL1_NAME);
+ delete_local_bool(BOOL2_NAME);
+ cleanup_handle(SH_TRANS);
+}
diff --git a/libsemanage/tests/test_bool.cil b/libsemanage/tests/test_bool.cil
new file mode 100644
index 00000000..4174751c
--- /dev/null
+++ b/libsemanage/tests/test_bool.cil
@@ -0,0 +1,24 @@
+(typeattribute cil_gen_require)
+(roleattribute cil_gen_require)
+(handleunknown allow)
+(mls true)
+(policycap network_peer_controls)
+(policycap open_perms)
+(sid security)
+(sidorder (security))
+(sensitivity s0)
+(sensitivityorder (s0))
+(user system_u)
+(userrole system_u object_r)
+(userlevel system_u (s0))
+(userrange system_u ((s0) (s0)))
+(role object_r)
+(roletype object_r test_t)
+(type test_t)
+(sidcontext security (system_u object_r test_t ((s0) (s0))))
+(class test_class (test_perm))
+(classorder (test_class))
+(allow test_t self (test_class (test_perm)))
+(boolean first_bool true)
+(boolean second_bool false)
+(boolean third_bool false)
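Review bot: The three `boolean` statements at the end of this fixture have no comment tying them to the test code, although test_bool.c asserts against BOOL1_NAME, BOOL1_VALUE, BOOL2_VALUE and BOOL_COUNT. Those definitions are outside this view and presumably mirror the names, initial values and count of three declared here. A leading comment such as `; Fixture for test_bool.c: boolean names, initial values and count must match BOOL*_NAME, BOOL*_VALUE and BOOL_COUNT` would keep the two from drifting apart silently. It would also help to mark `(handleunknown allow)` as a test-only choice, e.g. `; test-only: unknown classes/permissions are allowed`, so the file is not reused as the base of a real policy.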
diff --git a/libsemanage/tests/test_bool.h b/libsemanage/tests/test_bool.h
new file mode 100644
index 00000000..b5b5a603
--- /dev/null
+++ b/libsemanage/tests/test_bool.h
@@ -0,0 +1,31 @@
+/*
+ * Authors: Jan Zarsky <jzarsky@redhat.com>
+ *
+ * Copyright (C) 2019 Red Hat, Inc.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+ */
+
+#ifndef __TEST_BOOL_H__
+#define __TEST_BOOL_H__
+
+#include <CUnit/Basic.h>
+#include "semanage/semanage.h"
+
+int bool_test_init(void);
+int bool_test_cleanup(void);
+int bool_add_tests(CU_pSuite suite);
+
+#endif
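Review bot: The include guard `__TEST_BOOL_H__` contains a double underscore, which C reserves for the implementation; `#ifndef TEST_BOOL_H` and `#define TEST_BOOL_H`, closed with `#endif /* TEST_BOOL_H */`, avoid the reserved namespace. The three prototypes also say nothing about their return convention. Going by `fcontext_test_init` and `fcontext_add_tests` later in this patch, the bool counterparts presumably return 0 on success and 1 on failure, but their definitions are outside this view. A one-line comment such as `/* CUnit suite hooks: return 0 on success, non-zero on failure */` above the declarations would record that contract for whoever registers the suite.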
diff --git a/libsemanage/tests/test_fcontext.c b/libsemanage/tests/test_fcontext.c
new file mode 100644
index 00000000..62af711f
--- /dev/null
+++ b/libsemanage/tests/test_fcontext.c
@@ -0,0 +1,1045 @@
+/*
+ * Authors: Jan Zarsky <jzarsky@redhat.com>
+ *
+ * Copyright (C) 2019 Red Hat, Inc.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+ */
+
+#include "utilities.h"
+#include "test_fcontext.h"
+
+char FCONTEXTS[] =
+ "/etc/selinux(/.*) -s system_u:object_r:first_t:s0\n"
+ "/etc/selinux/targeted -- system_u:object_r:second_t:s0\n"
+ "/etc/selinux(/.*) -b system_u:object_r:third_t:s0\n";
+unsigned int FCONTEXTS_LEN = sizeof(FCONTEXTS);
+
+#define FCONTEXTS_COUNT 3
+
+#define FCONTEXT1_EXPR "/etc/selinux(/.*)"
+#define FCONTEXT1_TYPE SEMANAGE_FCONTEXT_SOCK
+#define FCONTEXT1_CON "system_u:object_r:first_t:s0"
+
+#define FCONTEXT2_EXPR "/etc/selinux/targeted"
+#define FCONTEXT2_TYPE SEMANAGE_FCONTEXT_REG
+#define FCONTEXT2_CON "system_u:object_r:second_t:s0"
+
+#define FCONTEXT3_EXPR "/etc/selinux(/.*)"
+#define FCONTEXT3_TYPE SEMANAGE_FCONTEXT_BLOCK
+#define FCONTEXT3_CON "system_u:object_r:third_t:s0"
+
+#define FCONTEXT_NONEXISTENT_EXPR "/asdf"
+#define FCONTEXT_NONEXISTENT_TYPE SEMANAGE_FCONTEXT_ALL
+
+/* fcontext_record.h */
+void test_fcontext_compare(void);
+void test_fcontext_compare2(void);
+void test_fcontext_key_create(void);
+void test_fcontext_key_extract(void);
+void test_fcontext_get_set_expr(void);
+void test_fcontext_get_set_type(void);
+void test_fcontext_get_type_str(void);
+void test_fcontext_get_set_con(void);
+void test_fcontext_create(void);
+void test_fcontext_clone(void);
+
+/* fcontext_policy.h */
+void test_fcontext_query(void);
+void test_fcontext_exists(void);
+void test_fcontext_count(void);
+void test_fcontext_iterate(void);
+void test_fcontext_list(void);
+
+/* fcontext_local.h */
+void test_fcontext_modify_del_local(void);
+void test_fcontext_query_local(void);
+void test_fcontext_exists_local(void);
+void test_fcontext_count_local(void);
+void test_fcontext_iterate_local(void);
+void test_fcontext_list_local(void);
+
+extern semanage_handle_t *sh;
+
+int get_type(char *t)
+{
+ if (strcmp(t, "--") == 0)
+ return SEMANAGE_FCONTEXT_ALL;
+ else if (strcmp(t, "-f") == 0)
+ return SEMANAGE_FCONTEXT_REG;
+ else if (strcmp(t, "-d") == 0)
+ return SEMANAGE_FCONTEXT_DIR;
+ else if (strcmp(t, "-c") == 0)
+ return SEMANAGE_FCONTEXT_CHAR;
+ else if (strcmp(t, "-b") == 0)
+ return SEMANAGE_FCONTEXT_BLOCK;
+ else if (strcmp(t, "-s") == 0)
+ return SEMANAGE_FCONTEXT_SOCK;
+ else if (strcmp(t, "-l") == 0)
+ return SEMANAGE_FCONTEXT_LINK;
+ else if (strcmp(t, "-p") == 0)
+ return SEMANAGE_FCONTEXT_PIPE;
+ else
+ return -1;
+}
+
+int write_file_contexts(const char *data, unsigned int data_len)
+{
+ FILE *fptr = fopen("test-policy/store/active/file_contexts", "w+");
+
+ if (!fptr) {
+ perror("fopen");
+ return -1;
+ }
+
+ if (fwrite(data, data_len, 1, fptr) != 1) {
+ perror("fwrite");
+ fclose(fptr);
+ return -1;
+ }
+
+ fclose(fptr);
+
+ return 0;
+}
+
+int fcontext_test_init(void)
+{
+ if (create_test_store() < 0) {
+ fprintf(stderr, "Could not create test store\n");
+ return 1;
+ }
+
+ if (write_test_policy_from_file("test_fcontext.policy") < 0) {
+ fprintf(stderr, "Could not write test policy\n");
+ return 1;
+ }
+
+ if (write_file_contexts(FCONTEXTS, FCONTEXTS_LEN) < 0) {
+ fprintf(stderr, "Could not write file contexts\n");
+ return 1;
+ }
+
+ return 0;
+}
+
+int fcontext_test_cleanup(void)
+{
+ if (destroy_test_store() < 0) {
+ fprintf(stderr, "Could not destroy test store\n");
+ return 1;
+ }
+
+ return 0;
+}
+
+int fcontext_add_tests(CU_pSuite suite)
+{
+ CU_add_test(suite, "test_fcontext_compare", test_fcontext_compare);
+ CU_add_test(suite, "test_fcontext_compare2", test_fcontext_compare2);
+ CU_add_test(suite, "test_fcontext_key_create",
+ test_fcontext_key_create);
+ CU_add_test(suite, "test_fcontext_key_extract",
+ test_fcontext_key_extract);
+ CU_add_test(suite, "test_fcontext_get_set_expr",
+ test_fcontext_get_set_expr);
+ CU_add_test(suite, "test_fcontext_get_set_type",
+ test_fcontext_get_set_type);
+ CU_add_test(suite, "test_fcontext_get_type_str",
+ test_fcontext_get_type_str);
+ CU_add_test(suite, "test_fcontext_get_set_con",
+ test_fcontext_get_set_con);
+ CU_add_test(suite, "test_fcontext_create", test_fcontext_create);
+ CU_add_test(suite, "test_fcontext_clone", test_fcontext_clone);
+
+ CU_add_test(suite, "test_fcontext_query", test_fcontext_query);
+ CU_add_test(suite, "test_fcontext_exists", test_fcontext_exists);
+ CU_add_test(suite, "test_fcontext_count", test_fcontext_count);
+ CU_add_test(suite, "test_fcontext_iterate", test_fcontext_iterate);
+ CU_add_test(suite, "test_fcontext_list", test_fcontext_list);
+ CU_add_test(suite, "test_fcontext_modify_del_local",
+ test_fcontext_modify_del_local);
+ CU_add_test(suite, "test_fcontext_query_local",
+ test_fcontext_query_local);
+ CU_add_test(suite, "test_fcontext_exists_local",
+ test_fcontext_exists_local);
+ CU_add_test(suite, "test_fcontext_count_local",
+ test_fcontext_count_local);
+ CU_add_test(suite, "test_fcontext_iterate_local",
+ test_fcontext_iterate_local);
+ CU_add_test(suite, "test_fcontext_list_local",
+ test_fcontext_list_local);
+
+ return 0;
+}
+
+/* Helpers */
+
+semanage_fcontext_t *get_fcontext_new(void)
+{
+ semanage_fcontext_t *fcontext;
+
+ CU_ASSERT_FATAL(semanage_fcontext_create(sh, &fcontext) >= 0);
+
+ return fcontext;
+}
+
+semanage_fcontext_t *get_fcontext_nth(int idx)
+{
+ semanage_fcontext_t **records;
+ semanage_fcontext_t *fcontext;
+ unsigned int count;
+
+ if (idx == I_NULL)
+ return NULL;
+
+ CU_ASSERT_FATAL(semanage_fcontext_list(sh, &records, &count) >= 0);
+ CU_ASSERT_FATAL(count >= (unsigned int) idx + 1);
+
+ fcontext = records[idx];
+
+ for (unsigned int i = 0; i < count; i++)
+ if (i != (unsigned int) idx)
+ semanage_fcontext_free(records[i]);
+
+ return fcontext;
+}
+
+semanage_fcontext_key_t *get_fcontext_key_nth(int idx)
+{
+ semanage_fcontext_key_t *key;
+ semanage_fcontext_t *fcontext;
+
+ if (idx == I_NULL)
+ return NULL;
+
+ fcontext = get_fcontext_nth(idx);
+
+ CU_ASSERT_FATAL(semanage_fcontext_key_extract(sh, fcontext, &key) >= 0);
+ CU_ASSERT_PTR_NOT_NULL_FATAL(key);
+
+ return key;
+}
+
+void add_local_fcontext(int fcontext_idx)
+{
+ semanage_fcontext_t *fcontext;
+ semanage_fcontext_key_t *key = NULL;
+
+ CU_ASSERT_FATAL(fcontext_idx != I_NULL);
+
+ fcontext = get_fcontext_nth(fcontext_idx);
+
+ CU_ASSERT_FATAL(semanage_fcontext_key_extract(sh, fcontext, &key) >= 0);
+ CU_ASSERT_PTR_NOT_NULL_FATAL(key);
+
+ CU_ASSERT_FATAL(semanage_fcontext_modify_local(sh, key, fcontext) >= 0);
+}
+
+void delete_local_fcontext(int fcontext_idx)
+{
+ semanage_fcontext_key_t *key = NULL;
+
+ CU_ASSERT_FATAL(fcontext_idx != I_NULL);
+
+ key = get_fcontext_key_nth(fcontext_idx);
+
+ CU_ASSERT_FATAL(semanage_fcontext_del_local(sh, key) >= 0);
+}
+
+semanage_fcontext_key_t *get_fcontext_key_from_str(const char *str, int type)
+{
+ semanage_fcontext_key_t *key;
+ int res;
+
+ if (str == NULL)
+ return NULL;
+
+ res = semanage_fcontext_key_create(sh, str, type, &key);
+
+ CU_ASSERT_FATAL(res >= 0);
+ CU_ASSERT_PTR_NOT_NULL_FATAL(key);
+
+ return key;
+}
+
+/* Function semanage_fcontext_compare */
+void test_fcontext_compare(void)
+{
+ semanage_fcontext_t *fcontext;
+ semanage_fcontext_key_t *key1;
+ semanage_fcontext_key_t *key2;
+ semanage_fcontext_key_t *key3;
+
+ /* setup */
+ setup_handle(SH_CONNECT);
+
+ fcontext = get_fcontext_nth(I_FIRST);
+
+ key1 = get_fcontext_key_nth(I_FIRST);
+ key2 = get_fcontext_key_nth(I_SECOND);
+ key3 = get_fcontext_key_nth(I_THIRD);
+
+ /* test */
+ CU_ASSERT(semanage_fcontext_compare(fcontext, key1) == 0);
+ CU_ASSERT(semanage_fcontext_compare(fcontext, key2) < 0);
+ CU_ASSERT(semanage_fcontext_compare(fcontext, key3) > 0);
+
+ /* cleanup */
+ semanage_fcontext_free(fcontext);
+ semanage_fcontext_key_free(key1);
+ semanage_fcontext_key_free(key2);
+ semanage_fcontext_key_free(key3);
+ cleanup_handle(SH_CONNECT);
+}
+
+/* Function semanage_fcontext_compare2 */
+void test_fcontext_compare2(void)
+{
+ semanage_fcontext_t *fcontext;
+ semanage_fcontext_t *fcontext1;
+ semanage_fcontext_t *fcontext2;
+ semanage_fcontext_t *fcontext3;
+
+ /* setup */
+ setup_handle(SH_CONNECT);
+
+ fcontext = get_fcontext_nth(I_FIRST);
+ fcontext1 = get_fcontext_nth(I_FIRST);
+ fcontext2 = get_fcontext_nth(I_SECOND);
+ fcontext3 = get_fcontext_nth(I_THIRD);
+
+ /* test */
+ CU_ASSERT(semanage_fcontext_compare2(fcontext, fcontext1) == 0);
+ CU_ASSERT(semanage_fcontext_compare2(fcontext, fcontext2) < 0);
+ CU_ASSERT(semanage_fcontext_compare2(fcontext, fcontext3) > 0);
+
+ /* cleanup */
+ semanage_fcontext_free(fcontext);
+ semanage_fcontext_free(fcontext1);
+ semanage_fcontext_free(fcontext2);
+ semanage_fcontext_free(fcontext3);
+ cleanup_handle(SH_CONNECT);
+}
+
+/* Function semanage_fcontext_key_create */
+void test_fcontext_key_create(void)
+{
+ semanage_fcontext_key_t *key = NULL;
+
+ /* setup */
+ setup_handle(SH_CONNECT);
+
+ /* test */
+ CU_ASSERT(semanage_fcontext_key_create(sh, "", SEMANAGE_FCONTEXT_ALL,
+ &key) >= 0);
+ CU_ASSERT_PTR_NOT_NULL(key);
+
+ semanage_fcontext_key_free(key);
+
+ key = NULL;
+
+ CU_ASSERT(semanage_fcontext_key_create(sh, "testfcontext",
+ SEMANAGE_FCONTEXT_ALL, &key) >= 0);
+ CU_ASSERT_PTR_NOT_NULL(key);
+
+ semanage_fcontext_key_free(key);
+
+ /* cleanup */
+ cleanup_handle(SH_CONNECT);
+}
+
+/* Function semanage_fcontext_key_extract */
+void test_fcontext_key_extract(void)
+{
+ semanage_fcontext_t *fcontext;
+ semanage_fcontext_key_t *key;
+
+ /* setup */
+ setup_handle(SH_CONNECT);
+ fcontext = get_fcontext_nth(I_FIRST);
+
+ /* test */
+ CU_ASSERT(semanage_fcontext_key_extract(sh, fcontext, &key) >= 0);
+ CU_ASSERT_PTR_NOT_NULL(key);
+
+ /* cleanup */
+ semanage_fcontext_key_free(key);
+ semanage_fcontext_free(fcontext);
+ cleanup_handle(SH_CONNECT);
+}
+
+/* Function semanage_fcontext_get_expr, semanage_fcontext_set_expr */
+void test_fcontext_get_set_expr(void)
+{
+ semanage_fcontext_t *fcontext;
+ const char *expr = NULL;
+ const char *expr_exp = "/asdf";
+
+ /* setup */
+ setup_handle(SH_CONNECT);
+ fcontext = get_fcontext_nth(I_FIRST);
+
+ /* test */
+ CU_ASSERT(semanage_fcontext_set_expr(sh, fcontext, expr_exp) >= 0);
+ expr = semanage_fcontext_get_expr(fcontext);
+ CU_ASSERT_PTR_NOT_NULL(expr);
+ assert(expr);
+ CU_ASSERT_STRING_EQUAL(expr, expr_exp);
+
+ /* cleanup */
+ semanage_fcontext_free(fcontext);
+ cleanup_handle(SH_CONNECT);
+}
+
+/* Function semanage_fcontext_get_type, semanage_fcontext_set_type */
+void test_fcontext_get_set_type(void)
+{
+ semanage_fcontext_t *fcontext;
+ int type_exp = SEMANAGE_FCONTEXT_SOCK;
+ int type;
+
+ /* setup */
+ setup_handle(SH_CONNECT);
+ fcontext = get_fcontext_nth(I_FIRST);
+
+ /* test */
+ semanage_fcontext_set_type(fcontext, type_exp);
+ type = semanage_fcontext_get_type(fcontext);
+ CU_ASSERT(type == type_exp);
+
+ /* cleanup */
+ semanage_fcontext_free(fcontext);
+ cleanup_handle(SH_CONNECT);
+}
+
+/* Function semanage_fcontext_get_type_str */
+void helper_fcontext_get_type_str(int type, const char *exp_str)
+{
+ CU_ASSERT_STRING_EQUAL(semanage_fcontext_get_type_str(type), exp_str);
+}
+
+void test_fcontext_get_type_str(void)
+{
+ helper_fcontext_get_type_str(SEMANAGE_FCONTEXT_ALL, "all files");
+ helper_fcontext_get_type_str(SEMANAGE_FCONTEXT_REG, "regular file");
+ helper_fcontext_get_type_str(SEMANAGE_FCONTEXT_DIR, "directory");
+ helper_fcontext_get_type_str(SEMANAGE_FCONTEXT_CHAR,
+ "character device");
+ helper_fcontext_get_type_str(SEMANAGE_FCONTEXT_BLOCK, "block device");
+ helper_fcontext_get_type_str(SEMANAGE_FCONTEXT_SOCK, "socket");
+ helper_fcontext_get_type_str(SEMANAGE_FCONTEXT_LINK, "symbolic link");
+ helper_fcontext_get_type_str(SEMANAGE_FCONTEXT_PIPE, "named pipe");
+
+ helper_fcontext_get_type_str(SEMANAGE_FCONTEXT_ALL - 1, "????");
+ helper_fcontext_get_type_str(SEMANAGE_FCONTEXT_PIPE + 1, "????");
+}
+
+/* Function semanage_fcontext_get_con, semanage_fcontext_set_con */
+void helper_fcontext_get_set_con(level_t level, int fcontext_idx,
+ const char *con_str)
+{
+ semanage_fcontext_t *fcontext;
+ semanage_context_t *con = NULL;
+ semanage_context_t *new_con = NULL;
+
+ /* setup */
+ setup_handle(level);
+ fcontext = get_fcontext_nth(fcontext_idx);
+
+ if (con_str != NULL) {
+ CU_ASSERT(semanage_context_from_string(sh, con_str, &con) >= 0);
+ CU_ASSERT_PTR_NOT_NULL(con);
+ } else {
+ con = NULL;
+ }
+
+ /* test */
+ CU_ASSERT(semanage_fcontext_set_con(sh, fcontext, con) >= 0);
+ new_con = semanage_fcontext_get_con(fcontext);
+
+ if (con_str != NULL) {
+ CU_ASSERT_CONTEXT_EQUAL(con, new_con);
+ } else {
+ CU_ASSERT_PTR_NULL(new_con);
+ }
+
+ /* cleanup */
+ semanage_fcontext_free(fcontext);
+ cleanup_handle(level);
+}
+
+void test_fcontext_get_set_con(void)
+{
+ helper_fcontext_get_set_con(SH_CONNECT, I_FIRST, NULL);
+ helper_fcontext_get_set_con(SH_CONNECT, I_FIRST,
+ "user_u:role_r:type_t:s0");
+ helper_fcontext_get_set_con(SH_CONNECT, I_SECOND,
+ "user_u:role_r:type_t:s0");
+ helper_fcontext_get_set_con(SH_TRANS, I_FIRST, NULL);
+ helper_fcontext_get_set_con(SH_TRANS, I_FIRST,
+ "user_u:role_r:type_t:s0");
+ helper_fcontext_get_set_con(SH_TRANS, I_SECOND,
+ "user_u:role_r:type_t:s0");
+}
+
+/* Function semanage_fcontext_create */
+void helper_fcontext_create(level_t level)
+{
+ semanage_fcontext_t *fcontext;
+
+ /* setup */
+ setup_handle(level);
+
+ /* test */
+ CU_ASSERT(semanage_fcontext_create(sh, &fcontext) >= 0);
+ CU_ASSERT_PTR_NULL(semanage_fcontext_get_expr(fcontext));
+ CU_ASSERT(semanage_fcontext_get_type(fcontext)
+ == SEMANAGE_FCONTEXT_ALL);
+ CU_ASSERT_PTR_NULL(semanage_fcontext_get_con(fcontext));
+
+ /* cleanup */
+ semanage_fcontext_free(fcontext);
+ cleanup_handle(level);
+}
+
+void test_fcontext_create(void)
+{
+ helper_fcontext_create(SH_NULL);
+ helper_fcontext_create(SH_HANDLE);
+ helper_fcontext_create(SH_CONNECT);
+ helper_fcontext_create(SH_TRANS);
+}
+
+/* Function semanage_fcontext_clone */
+void helper_fcontext_clone(level_t level, int fcontext_idx)
+{
+ semanage_fcontext_t *fcontext;
+ semanage_fcontext_t *fcontext_clone;
+ const char *expr;
+ const char *expr_clone;
+ int type;
+ int type_clone;
+ semanage_context_t *con;
+ semanage_context_t *con_clone;
+
+ /* setup */
+ setup_handle(level);
+ fcontext = get_fcontext_nth(fcontext_idx);
+
+ /* test */
+ CU_ASSERT(semanage_fcontext_clone(sh, fcontext, &fcontext_clone) >= 0);
+
+ expr = semanage_fcontext_get_expr(fcontext);
+ expr_clone = semanage_fcontext_get_expr(fcontext_clone);
+ CU_ASSERT_STRING_EQUAL(expr, expr_clone);
+
+ type = semanage_fcontext_get_type(fcontext);
+ type_clone = semanage_fcontext_get_type(fcontext_clone);
+ CU_ASSERT_EQUAL(type, type_clone);
+
+ con = semanage_fcontext_get_con(fcontext);
+ con_clone = semanage_fcontext_get_con(fcontext_clone);
+ CU_ASSERT_CONTEXT_EQUAL(con, con_clone);
+
+ /* cleanup */
+ semanage_fcontext_free(fcontext);
+ semanage_fcontext_free(fcontext_clone);
+ cleanup_handle(level);
+}
+
+void test_fcontext_clone(void)
+{
+ helper_fcontext_clone(SH_CONNECT, I_FIRST);
+ helper_fcontext_clone(SH_CONNECT, I_SECOND);
+ helper_fcontext_clone(SH_TRANS, I_FIRST);
+ helper_fcontext_clone(SH_TRANS, I_SECOND);
+}
+
+/* Function semanage_fcontext_query */
+void helper_fcontext_query(level_t level, const char *fcontext_expr,
+ int fcontext_type, int exp_res)
+{
+ semanage_fcontext_key_t *key;
+ semanage_fcontext_t *resp = (void *) 42;
+ int res;
+
+ /* setup */
+ setup_handle(level);
+ key = get_fcontext_key_from_str(fcontext_expr, fcontext_type);
+
+ /* test */
+ res = semanage_fcontext_query(sh, key, &resp);
+
+ if (exp_res >= 0) {
+ CU_ASSERT(res >= 0);
+ const char *expr = semanage_fcontext_get_expr(resp);
+ CU_ASSERT_STRING_EQUAL(expr, fcontext_expr);
+ } else {
+ CU_ASSERT(res < 0);
+ CU_ASSERT(resp == (void *) 42);
+ }
+
+ /* cleanup */
+ cleanup_handle(level);
+}
+
+void test_fcontext_query(void)
+{
+ helper_fcontext_query(SH_CONNECT, FCONTEXT_NONEXISTENT_EXPR,
+ FCONTEXT_NONEXISTENT_TYPE, -1);
+ helper_fcontext_query(SH_CONNECT, FCONTEXT2_EXPR, FCONTEXT1_TYPE, -1);
+ helper_fcontext_query(SH_CONNECT, FCONTEXT1_EXPR, FCONTEXT1_TYPE, 1);
+ helper_fcontext_query(SH_CONNECT, FCONTEXT2_EXPR, FCONTEXT2_TYPE, 1);
+ helper_fcontext_query(SH_TRANS, FCONTEXT_NONEXISTENT_EXPR,
+ FCONTEXT_NONEXISTENT_TYPE, -1);
+ helper_fcontext_query(SH_TRANS, FCONTEXT2_EXPR, FCONTEXT1_TYPE, -1);
+ helper_fcontext_query(SH_TRANS, FCONTEXT1_EXPR, FCONTEXT1_TYPE, 1);
+ helper_fcontext_query(SH_TRANS, FCONTEXT2_EXPR, FCONTEXT2_TYPE, 1);
+}
+
+/* Function semanage_fcontext_exists */
+void helper_fcontext_exists(level_t level, const char *fcontext_expr,
+ int fcontext_type, int exp_resp)
+{
+ semanage_fcontext_key_t *key;
+ int resp;
+
+ /* setup */
+ setup_handle(level);
+ key = get_fcontext_key_from_str(fcontext_expr, fcontext_type);
+
+ /* test */
+ CU_ASSERT(semanage_fcontext_exists(sh, key, &resp) >= 0);
+ CU_ASSERT(resp == exp_resp);
+
+ /* cleanup */
+ semanage_fcontext_key_free(key);
+ cleanup_handle(level);
+}
+
+void test_fcontext_exists(void)
+{
+ helper_fcontext_exists(SH_CONNECT, FCONTEXT_NONEXISTENT_EXPR,
+ FCONTEXT_NONEXISTENT_TYPE, 0);
+ helper_fcontext_exists(SH_CONNECT, FCONTEXT2_EXPR, FCONTEXT1_TYPE, 0);
+ helper_fcontext_exists(SH_CONNECT, FCONTEXT1_EXPR, FCONTEXT1_TYPE, 1);
+ helper_fcontext_exists(SH_CONNECT, FCONTEXT2_EXPR, FCONTEXT2_TYPE, 1);
+ helper_fcontext_exists(SH_TRANS, FCONTEXT_NONEXISTENT_EXPR,
+ FCONTEXT_NONEXISTENT_TYPE, 0);
+ helper_fcontext_exists(SH_TRANS, FCONTEXT2_EXPR, FCONTEXT1_TYPE, 0);
+ helper_fcontext_exists(SH_TRANS, FCONTEXT1_EXPR, FCONTEXT1_TYPE, 1);
+ helper_fcontext_exists(SH_TRANS, FCONTEXT2_EXPR, FCONTEXT2_TYPE, 1);
+}
+
+/* Function semanage_fcontext_count */
+void test_fcontext_count(void)
+{
+ unsigned int resp;
+
+ /* handle */
+ setup_handle(SH_HANDLE);
+ CU_ASSERT(semanage_fcontext_count(sh, &resp) < 0);
+ CU_ASSERT(semanage_fcontext_count(sh, NULL) < 0);
+ cleanup_handle(SH_HANDLE);
+
+ /* connect */
+ resp = 0;
+ setup_handle(SH_CONNECT);
+ CU_ASSERT(semanage_fcontext_count(sh, &resp) >= 0);
+ CU_ASSERT(resp == FCONTEXTS_COUNT);
+ cleanup_handle(SH_CONNECT);
+
+ /* trans */
+ resp = 0;
+ setup_handle(SH_TRANS);
+ CU_ASSERT(semanage_fcontext_count(sh, &resp) >= 0);
+ CU_ASSERT(resp == FCONTEXTS_COUNT);
+ cleanup_handle(SH_TRANS);
+}
+
+/* Function semanage_fcontext_iterate */
+unsigned int counter_fcontext_iterate = 0;
+
+int handler_fcontext_iterate(const semanage_fcontext_t *record, void *varg)
+{
+ CU_ASSERT_PTR_NOT_NULL(record);
+ counter_fcontext_iterate++;
+ return 0;
+}
+
+void helper_fcontext_iterate_invalid(void)
+{
+ /* setup */
+ setup_handle(SH_HANDLE);
+
+ /* test */
+ CU_ASSERT(semanage_fcontext_iterate(sh, &handler_fcontext_iterate,
+ NULL) < 0);
+ CU_ASSERT(semanage_fcontext_iterate(sh, NULL, NULL) < 0);
+
+ /* cleanup */
+ cleanup_handle(SH_HANDLE);
+}
+
+void helper_fcontext_iterate(level_t level)
+{
+ /* setup */
+ setup_handle(level);
+ counter_fcontext_iterate = 0;
+
+ /* test */
+ CU_ASSERT(semanage_fcontext_iterate(sh, &handler_fcontext_iterate,
+ NULL) >= 0);
+ CU_ASSERT(counter_fcontext_iterate == FCONTEXTS_COUNT);
+
+ /* cleanup */
+ cleanup_handle(level);
+}
+
+void test_fcontext_iterate(void)
+{
+ helper_fcontext_iterate_invalid();
+ helper_fcontext_iterate(SH_CONNECT);
+ helper_fcontext_iterate(SH_TRANS);
+}
+
+/* Function semanage_fcontext_list */
+void helper_fcontext_list_invalid(void)
+{
+ semanage_fcontext_t **records;
+ unsigned int count;
+
+ /* setup */
+ setup_handle(SH_HANDLE);
+
+ /* test */
+ CU_ASSERT(semanage_fcontext_list(sh, &records, &count) < 0);
+ CU_ASSERT(semanage_fcontext_list(sh, NULL, &count) < 0);
+ CU_ASSERT(semanage_fcontext_list(sh, &records, NULL) < 0);
+
+ /* cleanup */
+ cleanup_handle(SH_HANDLE);
+}
+
+void helper_fcontext_list(level_t level)
+{
+ semanage_fcontext_t **records;
+ unsigned int count;
+
+ /* setup */
+ setup_handle(level);
+
+ /* test */
+ CU_ASSERT(semanage_fcontext_list(sh, &records, &count) >= 0);
+ CU_ASSERT(count == FCONTEXTS_COUNT);
+
+ for (unsigned int i = 0; i < count; i++)
+ CU_ASSERT_PTR_NOT_NULL(records[i]);
+
+ for (unsigned int i = 0; i < count; i++)
+ semanage_fcontext_free(records[i]);
+
+ /* cleanup */
+ cleanup_handle(level);
+}
+
+void test_fcontext_list(void)
+{
+ helper_fcontext_list_invalid();
+ helper_fcontext_list(SH_CONNECT);
+ helper_fcontext_list(SH_TRANS);
+}
+
+/* Function semanage_fcontext_modify_local, semanage_fcontext_del_local */
+void helper_fcontext_modify_del_local(level_t level, int fcontext_idx,
+ const char *con_str, int exp_res)
+{
+ semanage_fcontext_t *fcontext;
+ semanage_fcontext_t *fcontext_local;
+ semanage_fcontext_key_t *key = NULL;
+ semanage_context_t *con = NULL;
+ int res;
+
+ /* setup */
+ setup_handle(level);
+ fcontext = get_fcontext_nth(fcontext_idx);
+ CU_ASSERT(semanage_fcontext_key_extract(sh, fcontext, &key) >= 0);
+ CU_ASSERT_PTR_NOT_NULL(key);
+
+ if (con_str != NULL) {
+ CU_ASSERT(semanage_context_from_string(sh, con_str, &con) >= 0);
+ CU_ASSERT_PTR_NOT_NULL(con);
+ } else {
+ con = NULL;
+ }
+
+ CU_ASSERT(semanage_fcontext_set_con(sh, fcontext, con) >= 0);
+
+ /* test */
+ res = semanage_fcontext_modify_local(sh, key, fcontext);
+
+ if (exp_res >= 0) {
+ CU_ASSERT(res >= 0);
+
+ if (level == SH_TRANS) {
+ helper_commit();
+ helper_begin_transaction();
+ }
+
+ CU_ASSERT(semanage_fcontext_query_local(sh, key,
+ &fcontext_local) >= 0);
+ CU_ASSERT(semanage_fcontext_compare2(fcontext_local,
+ fcontext) == 0);
+ CU_ASSERT(semanage_fcontext_del_local(sh, key) >= 0);
+ CU_ASSERT(semanage_fcontext_query_local(sh, key,
+ &fcontext_local) < 0);
+ } else {
+ CU_ASSERT(res < 0);
+ }
+
+ /* cleanup */
+ semanage_fcontext_key_free(key);
+ semanage_fcontext_free(fcontext);
+ cleanup_handle(level);
+}
+
+void test_fcontext_modify_del_local(void)
+{
+ helper_fcontext_modify_del_local(SH_CONNECT, I_FIRST,
+ "system_u:object_r:tmp_t:s0", -1);
+ helper_fcontext_modify_del_local(SH_CONNECT, I_SECOND,
+ "system_u:object_r:tmp_t:s0", -1);
+ helper_fcontext_modify_del_local(SH_TRANS, I_FIRST,
+ "system_u:object_r:tmp_t:s0", 1);
+ helper_fcontext_modify_del_local(SH_TRANS, I_SECOND,
+ "system_u:object_r:tmp_t:s0", 1);
+}
+
+/* Function semanage_fcontext_query_local */
+void test_fcontext_query_local(void)
+{
+ semanage_fcontext_key_t *key = NULL;
+ semanage_fcontext_t *resp = NULL;
+
+ /* connect */
+ setup_handle(SH_CONNECT);
+
+ key = get_fcontext_key_nth(I_FIRST);
+ CU_ASSERT(semanage_fcontext_query_local(sh, key, &resp) < 0);
+ CU_ASSERT_PTR_NULL(resp);
+
+ cleanup_handle(SH_CONNECT);
+
+ /* transaction */
+ setup_handle(SH_TRANS);
+
+ key = get_fcontext_key_nth(I_FIRST);
+ CU_ASSERT(semanage_fcontext_query_local(sh, key, &resp) < 0);
+ CU_ASSERT_PTR_NULL(resp);
+
+ add_local_fcontext(I_FIRST);
+ CU_ASSERT(semanage_fcontext_query_local(sh, key, &resp) >= 0);
+ CU_ASSERT_PTR_NOT_NULL(resp);
+
+ semanage_fcontext_key_free(key);
+ key = get_fcontext_key_nth(I_SECOND);
+ add_local_fcontext(I_SECOND);
+ CU_ASSERT(semanage_fcontext_query_local(sh, key, &resp) >= 0);
+ CU_ASSERT_PTR_NOT_NULL(resp);
+
+ /* cleanup */
+ delete_local_fcontext(I_FIRST);
+ delete_local_fcontext(I_SECOND);
+ cleanup_handle(SH_TRANS);
+}
+
+/* Function semanage_fcontext_exists_local */
+void test_fcontext_exists_local(void)
+{
+ int resp = -1;
+ semanage_fcontext_key_t *key;
+
+ /* setup */
+ setup_handle(SH_TRANS);
+ key = get_fcontext_key_nth(I_FIRST);
+
+ /* test */
+ CU_ASSERT(semanage_fcontext_exists_local(sh, key, &resp) >= 0);
+ CU_ASSERT(resp == 0);
+
+ add_local_fcontext(I_FIRST);
+ resp = -1;
+
+ CU_ASSERT(semanage_fcontext_exists_local(sh, key, &resp) >= 0);
+ CU_ASSERT(resp == 1);
+
+ delete_local_fcontext(I_FIRST);
+ resp = -1;
+
+ CU_ASSERT(semanage_fcontext_exists_local(sh, key, &resp) >= 0);
+ CU_ASSERT(resp == 0);
+
+ resp = -1;
+
+ CU_ASSERT(semanage_fcontext_exists_local(sh, NULL, &resp) >= 0);
+ CU_ASSERT(resp == 0);
+
+ /* cleanup */
+ cleanup_handle(SH_TRANS);
+}
+
+/* Function semanage_fcontext_count_local */
+void test_fcontext_count_local(void)
+{
+ unsigned int resp;
+
+ /* handle */
+ setup_handle(SH_HANDLE);
+ CU_ASSERT(semanage_fcontext_count_local(sh, &resp) < 0);
+ cleanup_handle(SH_HANDLE);
+
+ /* connect */
+ setup_handle(SH_CONNECT);
+ CU_ASSERT(semanage_fcontext_count_local(sh, &resp) >= 0);
+ CU_ASSERT(resp == 0);
+ cleanup_handle(SH_CONNECT);
+
+ /* transaction */
+ setup_handle(SH_TRANS);
+ CU_ASSERT(semanage_fcontext_count_local(sh, &resp) >= 0);
+ CU_ASSERT(resp == 0);
+
+ add_local_fcontext(I_FIRST);
+ CU_ASSERT(semanage_fcontext_count_local(sh, &resp) >= 0);
+ CU_ASSERT(resp == 1);
+
+ add_local_fcontext(I_SECOND);
+ CU_ASSERT(semanage_fcontext_count_local(sh, &resp) >= 0);
+ CU_ASSERT(resp == 2);
+
+ delete_local_fcontext(I_SECOND);
+ CU_ASSERT(semanage_fcontext_count_local(sh, &resp) >= 0);
+ CU_ASSERT(resp == 1);
+
+ /* cleanup */
+ delete_local_fcontext(I_FIRST);
+ cleanup_handle(SH_TRANS);
+}
+
+/* Function semanage_fcontext_iterate_local */
+unsigned int counter_fcontext_iterate_local = 0;
+
+int handler_fcontext_iterate_local(const semanage_fcontext_t *record,
+ void *varg)
+{
+ CU_ASSERT_PTR_NOT_NULL(record);
+ counter_fcontext_iterate_local++;
+ return 0;
+}
+
+void test_fcontext_iterate_local(void)
+{
+ /* handle */
+ setup_handle(SH_HANDLE);
+
+ CU_ASSERT(semanage_fcontext_iterate_local(sh,
+ &handler_fcontext_iterate_local, NULL) < 0);
+ CU_ASSERT(semanage_fcontext_iterate_local(sh, NULL, NULL) < 0);
+
+ cleanup_handle(SH_HANDLE);
+
+ /* connect */
+ setup_handle(SH_CONNECT);
+
+ counter_fcontext_iterate_local = 0;
+ CU_ASSERT(semanage_fcontext_iterate_local(sh,
+ &handler_fcontext_iterate_local, NULL) >= 0);
+ CU_ASSERT(counter_fcontext_iterate_local == 0);
+ CU_ASSERT(semanage_fcontext_iterate_local(sh, NULL, NULL) >= 0);
+
+ cleanup_handle(SH_CONNECT);
+
+ /* transaction */
+ setup_handle(SH_TRANS);
+
+ counter_fcontext_iterate_local = 0;
+ CU_ASSERT(semanage_fcontext_iterate_local(sh,
+ &handler_fcontext_iterate_local, NULL) >= 0);
+ CU_ASSERT(counter_fcontext_iterate_local == 0);
+
+ add_local_fcontext(I_FIRST);
+ counter_fcontext_iterate_local = 0;
+ CU_ASSERT(semanage_fcontext_iterate_local(sh,
+ &handler_fcontext_iterate_local, NULL) >= 0);
+ CU_ASSERT(counter_fcontext_iterate_local == 1);
+
+ add_local_fcontext(I_SECOND);
+ counter_fcontext_iterate_local = 0;
+ CU_ASSERT(semanage_fcontext_iterate_local(sh,
+ &handler_fcontext_iterate_local, NULL) >= 0);
+ CU_ASSERT(counter_fcontext_iterate_local == 2);
+
+ /* cleanup */
+ delete_local_fcontext(I_FIRST);
+ delete_local_fcontext(I_SECOND);
+ cleanup_handle(SH_TRANS);
+}
+
+/* Function semanage_fcontext_list_local */
+void test_fcontext_list_local(void)
+{
+ semanage_fcontext_t **records;
+ unsigned int count;
+
+ /* handle */
+ setup_handle(SH_HANDLE);
+
+ CU_ASSERT(semanage_fcontext_list_local(sh, &records, &count) < 0);
+ CU_ASSERT(semanage_fcontext_list_local(sh, NULL, &count) < 0);
+ CU_ASSERT(semanage_fcontext_list_local(sh, &records, NULL) < 0);
+
+ cleanup_handle(SH_HANDLE);
+
+ /* connect */
+ setup_handle(SH_CONNECT);
+
+ CU_ASSERT(semanage_fcontext_list_local(sh, &records, &count) >= 0);
+ CU_ASSERT(count == 0);
+
+ cleanup_handle(SH_CONNECT);
+
+ /* transaction */
+ setup_handle(SH_TRANS);
+
+ CU_ASSERT(semanage_fcontext_list_local(sh, &records, &count) >= 0);
+ CU_ASSERT(count == 0);
+
+ add_local_fcontext(I_FIRST);
+ CU_ASSERT(semanage_fcontext_list_local(sh, &records, &count) >= 0);
+ CU_ASSERT(count == 1);
+ CU_ASSERT_PTR_NOT_NULL(records[0]);
+
+ add_local_fcontext(I_SECOND);
+ CU_ASSERT(semanage_fcontext_list_local(sh, &records, &count) >= 0);
+ CU_ASSERT(count == 2);
+ CU_ASSERT_PTR_NOT_NULL(records[0]);
+ CU_ASSERT_PTR_NOT_NULL(records[1]);
+
+ /* cleanup */
+ delete_local_fcontext(I_FIRST);
+ delete_local_fcontext(I_SECOND);
+ cleanup_handle(SH_TRANS);
+}
diff --git a/libsemanage/tests/test_fcontext.cil b/libsemanage/tests/test_fcontext.cil
new file mode 100644
index 00000000..1c62b893
--- /dev/null
+++ b/libsemanage/tests/test_fcontext.cil
@@ -0,0 +1,25 @@
+(typeattribute cil_gen_require)
+(roleattribute cil_gen_require)
+(handleunknown allow)
+(mls true)
+(policycap network_peer_controls)
+(policycap open_perms)
+(sid security)
+(sidorder (security))
+(sensitivity s0)
+(sensitivityorder (s0))
+(user system_u)
+(userrole system_u object_r)
+(userlevel system_u (s0))
+(userrange system_u ((s0) (s0)))
+(role object_r)
+(roletype object_r first_t)
+(roletype object_r second_t)
+(roletype object_r third_t)
+(type first_t)
+(type second_t)
+(type third_t)
+(sidcontext security (system_u object_r first_t ((s0) (s0))))
+(class test_class (test_perm))
+(classorder (test_class))
+(allow first_t self (test_class (test_perm)))
diff --git a/libsemanage/tests/test_fcontext.h b/libsemanage/tests/test_fcontext.h
new file mode 100644
index 00000000..64aba991
--- /dev/null
+++ b/libsemanage/tests/test_fcontext.h
@@ -0,0 +1,30 @@
+/*
+ * Authors: Jan Zarsky <jzarsky@redhat.com>
+ *
+ * Copyright (C) 2019 Red Hat, Inc.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+ */
+
+#ifndef __TEST_FCONTEXT_H__
+#define __TEST_FCONTEXT_H__
+
+#include <CUnit/Basic.h>
+
+int fcontext_test_init(void);
+int fcontext_test_cleanup(void);
+int fcontext_add_tests(CU_pSuite suite);
+
+#endif
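Review bot: The include guard `__TEST_FCONTEXT_H__` contains a double underscore, and C reserves such identifiers for the implementation; `#ifndef TEST_FCONTEXT_H` / `#define TEST_FCONTEXT_H` avoids the clash. The same applies to `__TEST_HANDLE_H__` in test_handle.h. The three prototypes would also benefit from a one-line comment stating the return convention, for example `/* Suite init/cleanup: return 0 on success, non-zero on failure. */`. The fcontext implementations are not visible here, but `handle_test_init` and `handle_test_cleanup` in test_handle.c return 1 on failure and 0 otherwise.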
diff --git a/libsemanage/tests/test_handle.c b/libsemanage/tests/test_handle.c
new file mode 100644
index 00000000..2fab29be
--- /dev/null
+++ b/libsemanage/tests/test_handle.c
@@ -0,0 +1,329 @@
+/*
+ * Authors: Jan Zarsky <jzarsky@redhat.com>
+ *
+ * Copyright (C) 2019 Red Hat, Inc.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+ */
+
+#include "utilities.h"
+#include "test_handle.h"
+
+void test_handle_create(void);
+void test_connect(void);
+void test_disconnect(void);
+void test_transaction(void);
+void test_commit(void);
+void test_is_connected(void);
+void test_access_check(void);
+void test_is_managed(void);
+void test_mls_enabled(void);
+void test_msg_set_callback(void);
+void test_root(void);
+void test_select_store(void);
+
+extern semanage_handle_t *sh;
+
+int handle_test_init(void)
+{
+ if (create_test_store() < 0) {
+ fprintf(stderr, "Could not create test store\n");
+ return 1;
+ }
+
+ if (write_test_policy_from_file("test_handle.policy") < 0) {
+ fprintf(stderr, "Could not write test policy\n");
+ return 1;
+ }
+
+ return 0;
+}
+
+int handle_test_cleanup(void)
+{
+ if (destroy_test_store() < 0) {
+ fprintf(stderr, "Could not destroy test store\n");
+ return 1;
+ }
+
+ return 0;
+}
+
+int handle_add_tests(CU_pSuite suite)
+{
+ CU_add_test(suite, "test_handle_create", test_handle_create);
+ CU_add_test(suite, "test_connect", test_connect);
+ CU_add_test(suite, "test_disconnect", test_disconnect);
+ CU_add_test(suite, "test_transaction", test_transaction);
+ CU_add_test(suite, "test_commit", test_commit);
+ CU_add_test(suite, "test_is_connected", test_is_connected);
+ CU_add_test(suite, "test_access_check", test_access_check);
+ CU_add_test(suite, "test_is_managed", test_is_managed);
+ CU_add_test(suite, "test_mls_enabled", test_mls_enabled);
+ CU_add_test(suite, "msg_set_callback", test_msg_set_callback);
+ CU_add_test(suite, "test_root", test_root);
+ CU_add_test(suite, "test_select_store", test_select_store);
+
+ return 0;
+}
+
+/* Function semanage_handle_create */
+void test_handle_create(void)
+{
+ sh = semanage_handle_create();
+ CU_ASSERT_PTR_NOT_NULL(sh);
+ semanage_handle_destroy(sh);
+}
+
+/* Function semanage_connect */
+void test_connect(void)
+{
+ /* test handle created */
+ setup_handle(SH_HANDLE);
+ CU_ASSERT(semanage_connect(sh) >= 0);
+ CU_ASSERT(semanage_disconnect(sh) >= 0);
+ cleanup_handle(SH_HANDLE);
+
+ /* test invalid store */
+ setup_handle_invalid_store(SH_HANDLE);
+ CU_ASSERT(semanage_connect(sh) < 0);
+ cleanup_handle(SH_HANDLE);
+
+ /* test normal use */
+ setup_handle(SH_HANDLE);
+ CU_ASSERT(semanage_connect(sh) >= 0);
+ CU_ASSERT(semanage_disconnect(sh) >= 0);
+ cleanup_handle(SH_HANDLE);
+}
+
+/* Function semanage_disconnect */
+void test_disconnect(void)
+{
+ setup_handle(SH_CONNECT);
+ CU_ASSERT(semanage_disconnect(sh) >= 0);
+ cleanup_handle(SH_HANDLE);
+}
+
+/* Function semanage_begin_transaction */
+void test_transaction(void)
+{
+ /* test disconnected */
+ setup_handle(SH_CONNECT);
+ helper_disconnect();
+ CU_ASSERT(semanage_begin_transaction(sh) < 0);
+
+ cleanup_handle(SH_HANDLE);
+
+ /* test normal use */
+ setup_handle(SH_CONNECT);
+ CU_ASSERT(semanage_begin_transaction(sh) >= 0);
+ CU_ASSERT(semanage_commit(sh) >= 0);
+
+ cleanup_handle(SH_CONNECT);
+}
+
+/* Function semanage_commit */
+void test_commit(void)
+{
+ /* test without transaction */
+ setup_handle(SH_CONNECT);
+ CU_ASSERT(semanage_commit(sh) < 0);
+
+ /* test with transaction */
+ helper_begin_transaction();
+ CU_ASSERT(semanage_commit(sh) >= 0);
+
+ cleanup_handle(SH_CONNECT);
+}
+
+/* Function semanage_is_connected */
+void test_is_connected(void)
+{
+ /* test disconnected */
+ setup_handle(SH_HANDLE);
+ CU_ASSERT(semanage_is_connected(sh) == 0);
+
+ /* test connected */
+ helper_connect();
+ CU_ASSERT(semanage_is_connected(sh) == 1);
+
+ /* test in transaction */
+ helper_begin_transaction();
+ CU_ASSERT(semanage_is_connected(sh) == 1);
+
+ cleanup_handle(SH_TRANS);
+}
+
+/* Function semanage_access_check */
+void test_access_check(void)
+{
+ int res = 0;
+
+ /* test with handle */
+ setup_handle(SH_HANDLE);
+ res = semanage_access_check(sh);
+ CU_ASSERT(res == 0 || res == SEMANAGE_CAN_READ
+ || res == SEMANAGE_CAN_WRITE);
+ cleanup_handle(SH_HANDLE);
+
+ /* test with invalid store */
+ setup_handle_invalid_store(SH_HANDLE);
+ CU_ASSERT(semanage_access_check(sh) < 0);
+ cleanup_handle(SH_HANDLE);
+
+ /* test connected */
+ setup_handle(SH_CONNECT);
+ res = semanage_access_check(sh);
+ CU_ASSERT(res == 0 || res == SEMANAGE_CAN_READ
+ || res == SEMANAGE_CAN_WRITE);
+ cleanup_handle(SH_CONNECT);
+}
+
+/* Function semanage_is_managed */
+void test_is_managed(void)
+{
+ int res = 0;
+
+ /* test with handle */
+ setup_handle(SH_HANDLE);
+ res = semanage_is_managed(sh);
+ CU_ASSERT(res == 0 || res == 1);
+
+ /* test connected */
+ helper_connect();
+ res = semanage_is_managed(sh);
+ CU_ASSERT(res < 0);
+
+ cleanup_handle(SH_CONNECT);
+}
+
+/* Function semanage_mls_enabled */
+void test_mls_enabled(void)
+{
+ int res = 0;
+
+ /* test with handle */
+ setup_handle(SH_HANDLE);
+ res = semanage_mls_enabled(sh);
+ CU_ASSERT(res == 0 || res == 1);
+ cleanup_handle(SH_HANDLE);
+
+ /* test with invalid store */
+ setup_handle_invalid_store(SH_HANDLE);
+ CU_ASSERT(semanage_mls_enabled(sh) < 0);
+ cleanup_handle(SH_HANDLE);
+
+ /* test connected */
+ setup_handle(SH_CONNECT);
+ res = semanage_mls_enabled(sh);
+ CU_ASSERT(res == 0 || res == 1);
+
+ cleanup_handle(SH_CONNECT);
+}
+
+/* Function semanage_set_callback */
+int msg_set_callback_count = 0;
+
+void helper_msg_set_callback(void *varg, semanage_handle_t *handle,
+ const char *fmt, ...)
+{
+ msg_set_callback_count++;
+}
+
+void test_msg_set_callback(void)
+{
+ setup_handle(SH_CONNECT);
+
+ semanage_msg_set_callback(sh, helper_msg_set_callback, NULL);
+
+ /* produce error message */
+ semanage_commit(sh);
+ CU_ASSERT(msg_set_callback_count == 1);
+ semanage_msg_set_callback(sh, NULL, NULL);
+
+ /* produce error message */
+ semanage_commit(sh);
+ CU_ASSERT(msg_set_callback_count == 1);
+
+ cleanup_handle(SH_CONNECT);
+}
+
+/* Function semanage_root, semanage_set_root */
+void helper_root(void)
+{
+ const char *root = NULL;
+
+ CU_ASSERT(semanage_set_root("asdf") >= 0);
+ root = semanage_root();
+ CU_ASSERT_STRING_EQUAL(root, "asdf");
+
+ CU_ASSERT(semanage_set_root("") >= 0);
+ root = semanage_root();
+ CU_ASSERT_STRING_EQUAL(root, "");
+}
+
+void test_root(void)
+{
+ /* test without handle */
+ setup_handle(SH_NULL);
+ helper_root();
+
+ /* test with handle */
+ helper_handle_create();
+ helper_root();
+
+ /* test connected */
+ helper_connect();
+ helper_root();
+
+ cleanup_handle(SH_CONNECT);
+}
+
+/* Function semanage_select_store */
+void helper_select_store(const char *name, enum semanage_connect_type type,
+ int exp_res)
+{
+ setup_handle(SH_HANDLE);
+
+ /* FIXME: the storename parameter of semanage_select_store should be
+ * 'const char *'
+ */
+ semanage_select_store(sh, (char *) name, type);
+
+ int res = semanage_connect(sh);
+
+ if (exp_res < 0) {
+ CU_ASSERT(res < 0);
+ } else {
+ CU_ASSERT(res >= 0);
+ }
+
+ if (res >= 0)
+ cleanup_handle(SH_CONNECT);
+ else
+ cleanup_handle(SH_HANDLE);
+}
+
+void test_select_store(void)
+{
+ helper_select_store("asdf", SEMANAGE_CON_INVALID - 1, -1);
+ helper_select_store("asdf", SEMANAGE_CON_POLSERV_REMOTE + 1, -1);
+ helper_select_store("", SEMANAGE_CON_DIRECT, 0);
+
+ helper_select_store("asdf", SEMANAGE_CON_INVALID, -1);
+ helper_select_store("asdf", SEMANAGE_CON_DIRECT, 0);
+ helper_select_store("asdf", SEMANAGE_CON_POLSERV_LOCAL, -1);
+ helper_select_store("asdf", SEMANAGE_CON_POLSERV_REMOTE, -1);
+}
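Review bot: `test_msg_set_callback` asserts `msg_set_callback_count == 1` but never resets the file-scope counter, so the check only holds the first time the test runs in a process. The fcontext iterate helper earlier in this commit resets its counter before use. Adding `msg_set_callback_count = 0;` right after `setup_handle(SH_CONNECT);` makes the test independent of earlier runs. The first assertion also depends on `semanage_commit(sh)` outside a transaction emitting exactly one message, which deserves a comment such as `/* commit without a transaction logs exactly one error */`. In `handle_add_tests` the registered name `"msg_set_callback"` lacks the `test_` prefix that the other eleven entries use.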
diff --git a/libsemanage/tests/test_handle.cil b/libsemanage/tests/test_handle.cil
new file mode 100644
index 00000000..81690b88
--- /dev/null
+++ b/libsemanage/tests/test_handle.cil
@@ -0,0 +1,21 @@
+(typeattribute cil_gen_require)
+(roleattribute cil_gen_require)
+(handleunknown allow)
+(mls true)
+(policycap network_peer_controls)
+(policycap open_perms)
+(sid security)
+(sidorder (security))
+(sensitivity s0)
+(sensitivityorder (s0))
+(user system_u)
+(userrole system_u object_r)
+(userlevel system_u (s0))
+(userrange system_u ((s0) (s0)))
+(role object_r)
+(roletype object_r test_t)
+(type test_t)
+(sidcontext security (system_u object_r test_t ((s0) (s0))))
+(class test_class (test_perm))
+(classorder (test_class))
+(allow test_t self (test_class (test_perm)))
diff --git a/libsemanage/tests/test_handle.h b/libsemanage/tests/test_handle.h
new file mode 100644
index 00000000..f927bd6a
--- /dev/null
+++ b/libsemanage/tests/test_handle.h
@@ -0,0 +1,30 @@
+/*
+ * Authors: Jan Zarsky <jzarsky@redhat.com>
+ *
+ * Copyright (C) 2019 Red Hat, Inc.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+ */
+
+#ifndef __TEST_HANDLE_H__
+#define __TEST_HANDLE_H__
+
+#include <CUnit/Basic.h>
+
+int handle_test_init(void);
+int handle_test_cleanup(void);
+int handle_add_tests(CU_pSuite suite);
+
+#endif
diff --git a/libsemanage/tests/test_ibendport.c b/libsemanage/tests/test_ibendport.c
new file mode 100644
index 00000000..79a8e2c8
--- /dev/null
+++ b/libsemanage/tests/test_ibendport.c
@@ -0,0 +1,525 @@
+/*
+ * Authors: Jan Zarsky <jzarsky@redhat.com>
+ *
+ * Copyright (C) 2019 Red Hat, Inc.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+ */
+
+#include "utilities.h"
+#include "test_ibendport.h"
+
+#define IBENDPORT_COUNT 3
+#define IBENDPORT_1_NAME "mlx4_0"
+#define IBENDPORT_1_PORT 1
+#define IBENDPORT_1_CON "system_u:object_r:first_ibendport_t:s0"
+#define IBENDPORT_2_NAME "mlx4_1"
+#define IBENDPORT_2_PORT 2
+#define IBENDPORT_2_CON "system_u:object_r:second_ibendport_second_t:s0"
+#define IBENDPORT_3_NAME "mlx4_1"
+#define IBENDPORT_3_PORT 3
+#define IBENDPORT_3_CON "system_u:object_r:third_ibendport_second_t:s0"
+
+/* ibendports_policy.h */
+void test_ibendport_query(void);
+void test_ibendport_exists(void);
+void test_ibendport_count(void);
+void test_ibendport_iterate(void);
+void test_ibendport_list(void);
+
+/* ibendports_local.h */
+void test_ibendport_modify_del_query_local(void);
+void test_ibendport_exists_local(void);
+void test_ibendport_count_local(void);
+void test_ibendport_iterate_local(void);
+void test_ibendport_list_local(void);
+
+extern semanage_handle_t *sh;
+
+int ibendport_test_init(void)
+{
+ if (create_test_store() < 0) {
+ fprintf(stderr, "Could not create test store\n");
+ return 1;
+ }
+
+ if (write_test_policy_from_file("test_ibendport.policy") < 0) {
+ fprintf(stderr, "Could not write test policy\n");
+ return 1;
+ }
+
+ return 0;
+}
+
+int ibendport_test_cleanup(void)
+{
+ if (destroy_test_store() < 0) {
+ fprintf(stderr, "Could not destroy test store\n");
+ return 1;
+ }
+
+ return 0;
+}
+
+int ibendport_add_tests(CU_pSuite suite)
+{
+ CU_add_test(suite, "ibendport_query", test_ibendport_query);
+ CU_add_test(suite, "ibendport_exists", test_ibendport_exists);
+ CU_add_test(suite, "ibendport_count", test_ibendport_count);
+ CU_add_test(suite, "ibendport_iterate", test_ibendport_iterate);
+ CU_add_test(suite, "ibendport_list", test_ibendport_list);
+
+ CU_add_test(suite, "ibendport_modify_del_query_local",
+ test_ibendport_modify_del_query_local);
+ CU_add_test(suite, "ibendport_exists_local",
+ test_ibendport_exists_local);
+ CU_add_test(suite, "ibendport_count_local", test_ibendport_count_local);
+ CU_add_test(suite, "ibendport_iterate_local",
+ test_ibendport_iterate_local);
+ CU_add_test(suite, "ibendport_list_local", test_ibendport_list_local);
+
+ return 0;
+}
+
+/* Helpers */
+
+semanage_ibendport_t *get_ibendport_nth(int idx)
+{
+ semanage_ibendport_t **records;
+ semanage_ibendport_t *ibendport;
+ unsigned int count;
+
+ if (idx == I_NULL)
+ return NULL;
+
+ CU_ASSERT_FATAL(semanage_ibendport_list(sh, &records, &count) >= 0);
+ CU_ASSERT_FATAL(count >= (unsigned int) idx + 1);
+
+ ibendport = records[idx];
+
+ for (unsigned int i = 0; i < count; i++)
+ if (i != (unsigned int) idx)
+ semanage_ibendport_free(records[i]);
+
+ return ibendport;
+}
+
+semanage_ibendport_key_t *get_ibendport_key_nth(int idx)
+{
+ semanage_ibendport_key_t *key;
+ semanage_ibendport_t *ibendport;
+ int res;
+
+ if (idx == I_NULL)
+ return NULL;
+
+ ibendport = get_ibendport_nth(idx);
+
+ res = semanage_ibendport_key_extract(sh, ibendport, &key);
+
+ CU_ASSERT_FATAL(res >= 0);
+ CU_ASSERT_PTR_NOT_NULL_FATAL(key);
+
+ return key;
+}
+
+void add_local_ibendport(int idx)
+{
+ semanage_ibendport_t *ibendport;
+ semanage_ibendport_key_t *key = NULL;
+
+ ibendport = get_ibendport_nth(idx);
+
+ CU_ASSERT_FATAL(semanage_ibendport_key_extract(sh, ibendport,
+ &key) >= 0);
+ CU_ASSERT_PTR_NOT_NULL_FATAL(key);
+
+ CU_ASSERT_FATAL(semanage_ibendport_modify_local(sh, key,
+ ibendport) >= 0);
+}
+
+void delete_local_ibendport(int idx)
+{
+ semanage_ibendport_key_t *key = NULL;
+ key = get_ibendport_key_nth(idx);
+ CU_ASSERT_FATAL(semanage_ibendport_del_local(sh, key) >= 0);
+}
+
+/* Function semanage_ibendport_query */
+void test_ibendport_query(void)
+{
+ semanage_ibendport_t *ibendport = NULL;
+ semanage_ibendport_t *ibendport_exp = NULL;
+ semanage_ibendport_key_t *key = NULL;
+ semanage_context_t *con = NULL;
+ semanage_context_t *con_exp = NULL;
+ char *name;
+ char *name_exp;
+
+ /* setup */
+ setup_handle(SH_CONNECT);
+ key = get_ibendport_key_nth(I_FIRST);
+ ibendport_exp = get_ibendport_nth(I_FIRST);
+
+ /* test */
+ CU_ASSERT(semanage_ibendport_query(sh, key, &ibendport) >= 0);
+ CU_ASSERT_PTR_NOT_NULL_FATAL(ibendport);
+
+ CU_ASSERT(semanage_ibendport_get_ibdev_name(sh, ibendport, &name) >= 0);
+ CU_ASSERT_PTR_NOT_NULL_FATAL(name);
+ CU_ASSERT(semanage_ibendport_get_ibdev_name(sh, ibendport_exp,
+ &name_exp) >= 0);
+ CU_ASSERT_PTR_NOT_NULL_FATAL(name_exp);
+ assert(name);
+ CU_ASSERT_STRING_EQUAL(name, name_exp);
+
+ CU_ASSERT(semanage_ibendport_get_port(ibendport) ==
+ semanage_ibendport_get_port(ibendport_exp));
+
+ con = semanage_ibendport_get_con(ibendport);
+ con_exp = semanage_ibendport_get_con(ibendport_exp);
+ CU_ASSERT_PTR_NOT_NULL_FATAL(con);
+ CU_ASSERT_PTR_NOT_NULL_FATAL(con_exp);
+ CU_ASSERT_CONTEXT_EQUAL(con, con_exp);
+
+ /* cleanup */
+ free(name);
+ semanage_ibendport_free(ibendport);
+ semanage_ibendport_free(ibendport_exp);
+ cleanup_handle(SH_CONNECT);
+}
+
+/* Function semanage_ibendport_exists */
+void test_ibendport_exists(void)
+{
+ semanage_ibendport_key_t *key1 = NULL;
+ semanage_ibendport_key_t *key2 = NULL;
+ int resp = 42;
+
+ /* setup */
+ setup_handle(SH_CONNECT);
+ key1 = get_ibendport_key_nth(I_FIRST);
+ CU_ASSERT(semanage_ibendport_key_create(sh, "asdf", 1, &key2) >= 0);
+
+ /* test */
+ CU_ASSERT(semanage_ibendport_exists(sh, key1, &resp) >= 0);
+ CU_ASSERT(resp);
+
+ CU_ASSERT(semanage_ibendport_exists(sh, key2, &resp) >= 0);
+ CU_ASSERT(!resp);
+
+ /* cleanup */
+ semanage_ibendport_key_free(key1);
+ semanage_ibendport_key_free(key2);
+ cleanup_handle(SH_CONNECT);
+}
+
+/* Function semanage_ibendport_count */
+void test_ibendport_count(void)
+{
+ unsigned int count = 42;
+
+ /* setup */
+ setup_handle(SH_CONNECT);
+
+ /* test */
+ CU_ASSERT(semanage_ibendport_count(sh, &count) >= 0);
+ CU_ASSERT(count == IBENDPORT_COUNT);
+
+ /* cleanup */
+ cleanup_handle(SH_CONNECT);
+}
+
+/* Function semanage_ibendport_iterate */
+unsigned int helper_ibendport_iterate_counter = 0;
+
+int helper_ibendport_iterate(const semanage_ibendport_t *ibendport,
+ void *fn_arg)
+{
+ CU_ASSERT(fn_arg == (void *) 42);
+ helper_ibendport_iterate_counter++;
+ return 0;
+}
+
+int helper_ibendport_iterate_error(const semanage_ibendport_t *ibendport,
+ void *fn_arg)
+{
+ CU_ASSERT(fn_arg == (void *) 42);
+ helper_ibendport_iterate_counter++;
+ return -1;
+}
+
+int helper_ibendport_iterate_break(const semanage_ibendport_t *ibendport,
+ void *fn_arg)
+{
+ CU_ASSERT(fn_arg == (void *) 42);
+ helper_ibendport_iterate_counter++;
+ return 1;
+}
+
+void test_ibendport_iterate(void)
+{
+ /* setup */
+ setup_handle(SH_CONNECT);
+
+ /* test */
+ helper_ibendport_iterate_counter = 0;
+ CU_ASSERT(semanage_ibendport_iterate(sh, helper_ibendport_iterate,
+ (void *) 42) >= 0);
+ CU_ASSERT(helper_ibendport_iterate_counter == IBENDPORT_COUNT);
+
+ /* test function which returns error */
+ helper_ibendport_iterate_counter = 0;
+ CU_ASSERT(semanage_ibendport_iterate(sh, helper_ibendport_iterate_error,
+ (void *) 42) < 0);
+ CU_ASSERT(helper_ibendport_iterate_counter == 1);
+
+ /* test function which requests break */
+ helper_ibendport_iterate_counter = 0;
+ CU_ASSERT(semanage_ibendport_iterate(sh, helper_ibendport_iterate_break,
+ (void *) 42) >= 0);
+ CU_ASSERT(helper_ibendport_iterate_counter == 1);
+
+ /* cleanup */
+ cleanup_handle(SH_CONNECT);
+}
+
+/* Function semanage_ibendport_list */
+void test_ibendport_list(void)
+{
+ semanage_ibendport_t **records = NULL;
+ unsigned int count = 42;
+ char *name = NULL;
+ semanage_context_t *con = NULL;
+
+ /* setup */
+ setup_handle(SH_CONNECT);
+
+ /* test */
+ CU_ASSERT(semanage_ibendport_list(sh, &records, &count) >= 0);
+
+ CU_ASSERT_PTR_NOT_NULL_FATAL(records);
+ assert(records);
+ CU_ASSERT(count == IBENDPORT_COUNT);
+
+ for (unsigned int i = 0; i < count; i++) {
+ CU_ASSERT_PTR_NOT_NULL_FATAL(records[i]);
+ CU_ASSERT(semanage_ibendport_get_ibdev_name(sh, records[i],
+ &name) >= 0);
+ con = semanage_ibendport_get_con(records[i]);
+ CU_ASSERT_PTR_NOT_NULL_FATAL(con);
+ free(name);
+ }
+
+ /* cleanup */
+ for (unsigned int i = 0; i < count; i++)
+ semanage_ibendport_free(records[i]);
+
+ free(records);
+ cleanup_handle(SH_CONNECT);
+}
+
+/* Function semanage_ibendport_modify_local, semanage_ibendport_del_local,
+ * semanage_ibendport_query_local
+ */
+void test_ibendport_modify_del_query_local(void)
+{
+ semanage_ibendport_t *ibendport;
+ semanage_ibendport_t *ibendport_local;
+ semanage_ibendport_key_t *key = NULL;
+
+ /* setup */
+ setup_handle(SH_TRANS);
+ ibendport = get_ibendport_nth(I_FIRST);
+ CU_ASSERT(semanage_ibendport_key_extract(sh, ibendport, &key) >= 0);
+ CU_ASSERT_PTR_NOT_NULL(key);
+
+ /* test */
+ CU_ASSERT(semanage_ibendport_modify_local(sh, key, ibendport) >= 0);
+
+ /* write changes to file */
+ helper_commit();
+ helper_begin_transaction();
+
+ CU_ASSERT(semanage_ibendport_query_local(sh, key,
+ &ibendport_local) >= 0);
+ CU_ASSERT_PTR_NOT_NULL_FATAL(ibendport_local);
+
+ CU_ASSERT(semanage_ibendport_del_local(sh, key) >= 0);
+ CU_ASSERT(semanage_ibendport_query_local(sh, key,
+ &ibendport_local) < 0);
+
+ /* cleanup */
+ semanage_ibendport_free(ibendport);
+ cleanup_handle(SH_TRANS);
+}
+
+/* Function semanage_ibendport_exists_local */
+void test_ibendport_exists_local(void)
+{
+ semanage_ibendport_key_t *key1 = NULL;
+ semanage_ibendport_key_t *key2 = NULL;
+ int resp = 42;
+
+ /* setup */
+ setup_handle(SH_TRANS);
+ add_local_ibendport(I_FIRST);
+ key1 = get_ibendport_key_nth(I_FIRST);
+ key2 = get_ibendport_key_nth(I_SECOND);
+
+ /* test */
+ CU_ASSERT(semanage_ibendport_exists_local(sh, key1, &resp) >= 0);
+ CU_ASSERT(resp);
+
+ CU_ASSERT(semanage_ibendport_exists_local(sh, key2, &resp) >= 0);
+ CU_ASSERT(!resp);
+
+ /* cleanup */
+ CU_ASSERT(semanage_ibendport_del_local(sh, key1) >= 0);
+ semanage_ibendport_key_free(key1);
+ semanage_ibendport_key_free(key2);
+ cleanup_handle(SH_TRANS);
+}
+
+/* Function semanage_ibendport_count_local */
+void test_ibendport_count_local(void)
+{
+ unsigned int count = 42;
+
+ /* setup */
+ setup_handle(SH_TRANS);
+
+ /* test */
+ CU_ASSERT(semanage_ibendport_count_local(sh, &count) >= 0);
+ CU_ASSERT(count == 0);
+
+ add_local_ibendport(I_FIRST);
+ CU_ASSERT(semanage_ibendport_count_local(sh, &count) >= 0);
+ CU_ASSERT(count == 1);
+
+ add_local_ibendport(I_SECOND);
+ CU_ASSERT(semanage_ibendport_count_local(sh, &count) >= 0);
+ CU_ASSERT(count == 2);
+
+ delete_local_ibendport(I_SECOND);
+ CU_ASSERT(semanage_ibendport_count_local(sh, &count) >= 0);
+ CU_ASSERT(count == 1);
+
+ delete_local_ibendport(I_FIRST);
+ CU_ASSERT(semanage_ibendport_count_local(sh, &count) >= 0);
+ CU_ASSERT(count == 0);
+
+ /* cleanup */
+ cleanup_handle(SH_TRANS);
+}
+
+/* Function semanage_ibendport_iterate_local */
+unsigned int helper_ibendport_iterate_local_counter = 0;
+
+int helper_ibendport_iterate_local(const semanage_ibendport_t *ibendport,
+ void *fn_arg)
+{
+ CU_ASSERT(fn_arg == (void *) 42);
+ helper_ibendport_iterate_local_counter++;
+ return 0;
+}
+
+int helper_ibendport_iterate_local_error(const semanage_ibendport_t *ibendport,
+ void *fn_arg)
+{
+ CU_ASSERT(fn_arg == (void *) 42);
+ helper_ibendport_iterate_local_counter++;
+ return -1;
+}
+
+int helper_ibendport_iterate_local_break(const semanage_ibendport_t *ibendport,
+ void *fn_arg)
+{
+ CU_ASSERT(fn_arg == (void *) 42);
+ helper_ibendport_iterate_local_counter++;
+ return 1;
+}
+
+void test_ibendport_iterate_local(void)
+{
+ /* setup */
+ setup_handle(SH_TRANS);
+ add_local_ibendport(I_FIRST);
+ add_local_ibendport(I_SECOND);
+ add_local_ibendport(I_THIRD);
+
+ /* test */
+ helper_ibendport_iterate_local_counter = 0;
+ CU_ASSERT(semanage_ibendport_iterate_local(sh,
+ helper_ibendport_iterate_local, (void *) 42) >= 0);
+ CU_ASSERT(helper_ibendport_iterate_local_counter == 3);
+
+ /* test function which returns error */
+ helper_ibendport_iterate_local_counter = 0;
+ CU_ASSERT(semanage_ibendport_iterate_local(sh,
+ helper_ibendport_iterate_local_error, (void *) 42) < 0);
+ CU_ASSERT(helper_ibendport_iterate_local_counter == 1);
+
+ /* test function which requests break */
+ helper_ibendport_iterate_local_counter = 0;
+ CU_ASSERT(semanage_ibendport_iterate_local(sh,
+ helper_ibendport_iterate_local_break, (void *) 42) >= 0);
+
+ /* cleanup */
+ delete_local_ibendport(I_FIRST);
+ delete_local_ibendport(I_SECOND);
+ delete_local_ibendport(I_THIRD);
+ cleanup_handle(SH_TRANS);
+}
+
+/* Function semanage_ibendport_list_local */
+void test_ibendport_list_local(void)
+{
+ semanage_ibendport_t **records = NULL;
+ unsigned int count = 42;
+ char *name = NULL;
+ semanage_context_t *con = NULL;
+
+ /* setup */
+ setup_handle(SH_TRANS);
+ add_local_ibendport(I_FIRST);
+ add_local_ibendport(I_SECOND);
+ add_local_ibendport(I_THIRD);
+
+ /* test */
+ CU_ASSERT(semanage_ibendport_list_local(sh, &records, &count) >= 0);
+ CU_ASSERT_PTR_NOT_NULL_FATAL(records);
+ assert(records);
+ CU_ASSERT(count == 3);
+
+ for (unsigned int i = 0; i < count; i++) {
+ CU_ASSERT_PTR_NOT_NULL_FATAL(records[i]);
+ CU_ASSERT(semanage_ibendport_get_ibdev_name(sh, records[i],
+ &name) >= 0);
+ con = semanage_ibendport_get_con(records[i]);
+ CU_ASSERT_PTR_NOT_NULL_FATAL(con);
+ free(name);
+ }
+
+ /* cleanup */
+ for (unsigned int i = 0; i < count; i++)
+ semanage_ibendport_free(records[i]);
+
+ free(records);
+ delete_local_ibendport(I_FIRST);
+ delete_local_ibendport(I_SECOND);
+ delete_local_ibendport(I_THIRD);
+ cleanup_handle(SH_TRANS);
+}
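Review bot: In test_ibendport_iterate_local the "requests break" case calls semanage_ibendport_iterate_local with helper_ibendport_iterate_local_break but never checks the counter, so early termination on a positive return is not verified for the local store. test_ibendport_iterate does check it, and the matching line here would be `CU_ASSERT(helper_ibendport_iterate_local_counter == 1);`. Separately, get_ibendport_nth frees the unused records but not the `records` array itself, whereas test_ibendport_list calls `free(records)`, so each helper call appears to leak the array; adding `free(records);` before `return ibendport;` would keep leak checkers quiet. get_ibendport_key_nth, add_local_ibendport and delete_local_ibendport likewise never release the record or key they obtain, assuming the caller owns both, as the cleanup in test_ibendport_exists suggests.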
diff --git a/libsemanage/tests/test_ibendport.cil b/libsemanage/tests/test_ibendport.cil
new file mode 100644
index 00000000..b786b913
--- /dev/null
+++ b/libsemanage/tests/test_ibendport.cil
@@ -0,0 +1,28 @@
+(typeattribute cil_gen_require)
+(roleattribute cil_gen_require)
+(handleunknown allow)
+(mls true)
+(policycap network_peer_controls)
+(policycap open_perms)
+(sid security)
+(sidorder (security))
+(sensitivity s0)
+(sensitivityorder (s0))
+(user system_u)
+(userrole system_u object_r)
+(userlevel system_u (s0))
+(userrange system_u ((s0) (s0)))
+(role object_r)
+(roletype object_r first_ibendport_t)
+(roletype object_r second_ibendport_t)
+(roletype object_r third_ibendport_t)
+(type first_ibendport_t)
+(type second_ibendport_t)
+(type third_ibendport_t)
+(sidcontext security (system_u object_r first_ibendport_t ((s0) (s0))))
+(class test_class (test_perm))
+(classorder (test_class))
+(allow first_ibendport_t self (test_class (test_perm)))
+(ibendportcon mlx4_0 1 (system_u object_r first_ibendport_t ((s0) (s0))))
+(ibendportcon mlx4_1 2 (system_u object_r second_ibendport_t ((s0) (s0))))
+(ibendportcon mlx4_1 3 (system_u object_r third_ibendport_t ((s0) (s0))))
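Review bot: The types declared here are second_ibendport_t and third_ibendport_t, but IBENDPORT_2_CON and IBENDPORT_3_CON in test_ibendport.c spell them second_ibendport_second_t and third_ibendport_second_t, so the two fixtures disagree. None of the tests in test_ibendport.c reference those macros, so nothing fails today, but a later test comparing a queried context against them would fail on the type name alone. Aligning the macros with this policy, e.g. `#define IBENDPORT_2_CON "system_u:object_r:second_ibendport_t:s0"`, or dropping the unused macros, would remove the trap.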
diff --git a/libsemanage/tests/test_ibendport.h b/libsemanage/tests/test_ibendport.h
new file mode 100644
index 00000000..33d7fbd0
--- /dev/null
+++ b/libsemanage/tests/test_ibendport.h
@@ -0,0 +1,30 @@
+/*
+ * Authors: Jan Zarsky <jzarsky@redhat.com>
+ *
+ * Copyright (C) 2019 Red Hat, Inc.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+ */
+
+#ifndef __TEST_IBENDPORT_H__
+#define __TEST_IBENDPORT_H__
+
+#include <CUnit/Basic.h>
+
+int ibendport_test_init(void);
+int ibendport_test_cleanup(void);
+int ibendport_add_tests(CU_pSuite suite);
+
+#endif
diff --git a/libsemanage/tests/test_iface.c b/libsemanage/tests/test_iface.c
new file mode 100644
index 00000000..d5d530a8
--- /dev/null
+++ b/libsemanage/tests/test_iface.c
@@ -0,0 +1,666 @@
+/*
+ * Authors: Jan Zarsky <jzarsky@redhat.com>
+ *
+ * Copyright (C) 2019 Red Hat, Inc.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+ */
+
+#include "utilities.h"
+#include "test_iface.h"
+
+#define IFACE_COUNT 3
+
+#define IFACE1_NAME "eth0"
+#define IFACE1_IFCON "system_u:object_r:first_netif_t:s0"
+#define IFACE1_MSGCON IFACE1_IFCON
+
+#define IFACE2_NAME "eth1"
+#define IFACE2_IFCON "system_u:object_r:second_netif_t:s0"
+#define IFACE2_MSGCON IFACE2_IFCON
+
+#define IFACE3_NAME "eth2"
+#define IFACE3_IFCON "system_u:object_r:third_netif_t:s0"
+#define IFACE3_MSGCON IFACE3_IFCON
+
+
+/* iface_record.h */
+void test_iface_compare(void);
+void test_iface_compare2(void);
+void test_iface_key_create(void);
+void test_iface_key_extract(void);
+void test_iface_get_set_name(void);
+void test_iface_get_set_ifcon(void);
+void test_iface_get_set_msgcon(void);
+void test_iface_create(void);
+void test_iface_clone(void);
+
+/* iterfaces_policy.h */
+void test_iface_query(void);
+void test_iface_exists(void);
+void test_iface_count(void);
+void test_iface_iterate(void);
+void test_iface_list(void);
+
+/* interfaces_local.h */
+void test_iface_modify_del_query_local(void);
+void test_iface_exists_local(void);
+void test_iface_count_local(void);
+void test_iface_iterate_local(void);
+void test_iface_list_local(void);
+
+extern semanage_handle_t *sh;
+
+int iface_test_init(void)
+{
+ if (create_test_store() < 0) {
+ fprintf(stderr, "Could not create test store\n");
+ return 1;
+ }
+
+ if (write_test_policy_from_file("test_iface.policy") < 0) {
+ fprintf(stderr, "Could not write test policy\n");
+ return 1;
+ }
+
+ return 0;
+}
+
+int iface_test_cleanup(void)
+{
+ if (destroy_test_store() < 0) {
+ fprintf(stderr, "Could not destroy test store\n");
+ return 1;
+ }
+
+ return 0;
+}
+
+int iface_add_tests(CU_pSuite suite)
+{
+ CU_add_test(suite, "iface_compare", test_iface_compare);
+ CU_add_test(suite, "iface_compare2", test_iface_compare2);
+ CU_add_test(suite, "iface_key_create", test_iface_key_create);
+ CU_add_test(suite, "iface_key_extract", test_iface_key_extract);
+ CU_add_test(suite, "iface_get_set_name", test_iface_get_set_name);
+ CU_add_test(suite, "iface_get_set_ifcon", test_iface_get_set_ifcon);
+ CU_add_test(suite, "iface_get_set_msgcon", test_iface_get_set_msgcon);
+ CU_add_test(suite, "iface_create)", test_iface_create);
+ CU_add_test(suite, "iface_clone);", test_iface_clone);
+
+ CU_add_test(suite, "iface_query", test_iface_query);
+ CU_add_test(suite, "iface_exists", test_iface_exists);
+ CU_add_test(suite, "iface_count", test_iface_count);
+ CU_add_test(suite, "iface_iterate", test_iface_iterate);
+ CU_add_test(suite, "iface_list", test_iface_list);
+
+ CU_add_test(suite, "iface_modify_del_query_local",
+ test_iface_modify_del_query_local);
+ CU_add_test(suite, "iface_exists_local", test_iface_exists_local);
+ CU_add_test(suite, "iface_count_local", test_iface_count_local);
+ CU_add_test(suite, "iface_iterate_local", test_iface_iterate_local);
+ CU_add_test(suite, "iface_list_local", test_iface_list_local);
+
+ return 0;
+}
+
+/* Helpers */
+
+semanage_iface_t *get_iface_nth(int idx)
+{
+ int res;
+ semanage_iface_t **records;
+ semanage_iface_t *iface;
+ unsigned int count;
+
+ if (idx == I_NULL)
+ return NULL;
+
+ res = semanage_iface_list(sh, &records, &count);
+
+ CU_ASSERT_FATAL(res >= 0);
+ CU_ASSERT_FATAL(count >= (unsigned int) idx + 1);
+
+ iface = records[idx];
+
+ for (unsigned int i = 0; i < count; i++)
+ if (i != (unsigned int) idx)
+ semanage_iface_free(records[i]);
+
+ return iface;
+}
+
+semanage_iface_key_t *get_iface_key_nth(int idx)
+{
+ semanage_iface_key_t *key;
+ semanage_iface_t *iface;
+ int res;
+
+ if (idx == I_NULL)
+ return NULL;
+
+ iface = get_iface_nth(idx);
+ res = semanage_iface_key_extract(sh, iface, &key);
+
+ CU_ASSERT_FATAL(res >= 0);
+ CU_ASSERT_PTR_NOT_NULL_FATAL(key);
+
+ return key;
+}
+
+void add_local_iface(int idx)
+{
+ semanage_iface_t *iface;
+ semanage_iface_key_t *key = NULL;
+
+ iface = get_iface_nth(idx);
+
+ CU_ASSERT_FATAL(semanage_iface_key_extract(sh, iface, &key) >= 0);
+ CU_ASSERT_PTR_NOT_NULL_FATAL(key);
+
+ CU_ASSERT_FATAL(semanage_iface_modify_local(sh, key, iface) >= 0);
+}
+
+void delete_local_iface(int idx)
+{
+ semanage_iface_key_t *key = NULL;
+ key = get_iface_key_nth(idx);
+ CU_ASSERT_FATAL(semanage_iface_del_local(sh, key) >= 0);
+}
+
+/* Function semanage_iface_compare */
+void test_iface_compare(void)
+{
+ semanage_iface_t *iface = NULL;
+ semanage_iface_key_t *key1 = NULL;
+ semanage_iface_key_t *key2 = NULL;
+ int res = 42;
+
+ /* setup */
+ setup_handle(SH_CONNECT);
+ iface = get_iface_nth(I_FIRST);
+ key1 = get_iface_key_nth(I_FIRST);
+ CU_ASSERT(semanage_iface_key_create(sh, "qwerty", &key2) >= 0);
+ CU_ASSERT_PTR_NOT_NULL(key2);
+
+ /* test */
+ res = semanage_iface_compare(iface, key1);
+ CU_ASSERT(res == 0);
+ res = semanage_iface_compare(iface, key2);
+ CU_ASSERT(res != 0);
+
+ /* cleanup */
+ semanage_iface_free(iface);
+ semanage_iface_key_free(key1);
+ semanage_iface_key_free(key2);
+ cleanup_handle(SH_CONNECT);
+}
+
+/* Function semanage_iface_compare2 */
+void test_iface_compare2(void)
+{
+ semanage_iface_t *iface1 = NULL;
+ semanage_iface_t *iface2 = NULL;
+ semanage_iface_t *iface3 = NULL;
+ int res = 42;
+
+ /* setup */
+ setup_handle(SH_CONNECT);
+ iface1 = get_iface_nth(I_FIRST);
+ iface2 = get_iface_nth(I_FIRST);
+ iface3 = get_iface_nth(I_SECOND);
+
+ /* test */
+ res = semanage_iface_compare2(iface1, iface2);
+ CU_ASSERT(res == 0);
+ res = semanage_iface_compare2(iface1, iface3);
+ CU_ASSERT(res != 0);
+
+ /* cleanup */
+ semanage_iface_free(iface1);
+ semanage_iface_free(iface2);
+ semanage_iface_free(iface3);
+ cleanup_handle(SH_CONNECT);
+}
+
+/* Function semanage_iface_create */
+void test_iface_key_create(void)
+{
+ semanage_iface_key_t *key = NULL;
+
+ /* setup */
+ setup_handle(SH_CONNECT);
+
+ /* test */
+ CU_ASSERT(semanage_iface_key_create(sh, "asdf", &key) >= 0);
+ CU_ASSERT_PTR_NOT_NULL(key);
+
+ /* cleanup */
+ semanage_iface_key_free(key);
+ cleanup_handle(SH_CONNECT);
+}
+
+/* Function semanage_iface_extract */
+void test_iface_key_extract(void)
+{
+ semanage_iface_t *iface = NULL;
+ semanage_iface_key_t *key = NULL;
+
+ /* setup */
+ setup_handle(SH_CONNECT);
+ iface = get_iface_nth(I_FIRST);
+
+ /* test */
+ CU_ASSERT(semanage_iface_key_extract(sh, iface, &key) >= 0);
+ CU_ASSERT_PTR_NOT_NULL(key);
+
+ /* cleanup */
+ semanage_iface_free(iface);
+ semanage_iface_key_free(key);
+ cleanup_handle(SH_CONNECT);
+}
+
+/* Function semanage_iface_get_name, semanage_iface_set_name */
+void test_iface_get_set_name(void)
+{
+ semanage_iface_t *iface = NULL;
+
+ /* setup */
+ setup_handle(SH_CONNECT);
+ iface = get_iface_nth(I_FIRST);
+
+ /* test */
+ CU_ASSERT(semanage_iface_set_name(sh, iface, "my_asdf") == 0);
+ CU_ASSERT_STRING_EQUAL(semanage_iface_get_name(iface), "my_asdf");
+
+ /* cleanup */
+ semanage_iface_free(iface);
+ cleanup_handle(SH_CONNECT);
+}
+
+/* Function semanage_iface_get_ifcon, semanage_iface_set_ifcon */
+void test_iface_get_set_ifcon(void)
+{
+ semanage_iface_t *iface = NULL;
+ semanage_context_t *con1 = NULL;
+ semanage_context_t *con2 = NULL;
+
+ /* setup */
+ setup_handle(SH_CONNECT);
+ iface = get_iface_nth(I_FIRST);
+ CU_ASSERT(semanage_context_from_string(sh,
+ "my_user_u:my_role_r:my_type_t:s0", &con1) >= 0);
+
+ /* test */
+ CU_ASSERT(semanage_iface_set_ifcon(sh, iface, con1) == 0);
+ con2 = semanage_iface_get_ifcon(iface);
+ CU_ASSERT_CONTEXT_EQUAL(con1, con2);
+
+ /* cleanup */
+ semanage_iface_free(iface);
+ cleanup_handle(SH_CONNECT);
+}
+
+/* Function semanage_iface_get_msgcon, semanage_iface_set_msgcon */
+void test_iface_get_set_msgcon(void)
+{
+ semanage_iface_t *iface = NULL;
+ semanage_context_t *con1 = NULL;
+ semanage_context_t *con2 = NULL;
+
+ /* setup */
+ setup_handle(SH_CONNECT);
+ iface = get_iface_nth(I_FIRST);
+ CU_ASSERT(semanage_context_from_string(sh,
+ "my_user_u:my_role_r:my_type_t:s0", &con1) >= 0);
+
+ /* test */
+ CU_ASSERT(semanage_iface_set_msgcon(sh, iface, con1) == 0);
+ con2 = semanage_iface_get_msgcon(iface);
+ CU_ASSERT_CONTEXT_EQUAL(con1, con2);
+
+ /* cleanup */
+ semanage_iface_free(iface);
+ cleanup_handle(SH_CONNECT);
+}
+
+/* Function semanage_iface_create */
+void test_iface_create(void)
+{
+ semanage_iface_t *iface = NULL;
+ semanage_context_t *ifcon = NULL;
+ semanage_context_t *msgcon = NULL;
+
+ /* setup */
+ setup_handle(SH_CONNECT);
+
+ /* test */
+ CU_ASSERT(semanage_iface_create(sh, &iface) >= 0);
+ CU_ASSERT(semanage_iface_set_name(sh, iface, "asdf") >= 0);
+ CU_ASSERT(semanage_context_from_string(sh, "user_u:role_r:type_t:s0",
+ &ifcon) >= 0);
+ CU_ASSERT(semanage_iface_set_ifcon(sh, iface, ifcon) >= 0);
+ CU_ASSERT(semanage_context_from_string(sh, "user_u:role_r:type_t:s0",
+ &msgcon) >= 0);
+ CU_ASSERT(semanage_iface_set_msgcon(sh, iface, msgcon) >= 0);
+
+ /* cleanup */
+ semanage_iface_free(iface);
+ cleanup_handle(SH_CONNECT);
+}
+
+/* Function semanage_iface_clone */
+void test_iface_clone(void)
+{
+ semanage_iface_t *iface = NULL;
+ semanage_iface_t *iface_clone = NULL;
+ semanage_context_t *ifcon = NULL;
+ semanage_context_t *ifcon2 = NULL;
+ semanage_context_t *msgcon = NULL;
+ semanage_context_t *msgcon2 = NULL;
+
+ /* setup */
+ setup_handle(SH_CONNECT);
+ CU_ASSERT(semanage_iface_create(sh, &iface) >= 0);
+ CU_ASSERT(semanage_iface_set_name(sh, iface, "asdf") >= 0);
+ CU_ASSERT(semanage_context_from_string(sh, "user_u:role_r:if_type_t:s0",
+ &ifcon) >= 0);
+ CU_ASSERT(semanage_iface_set_ifcon(sh, iface, ifcon) >= 0);
+ CU_ASSERT(semanage_context_from_string(sh, "user_u:role_r:msg_type_t:s0",
+ &msgcon) >= 0);
+ CU_ASSERT(semanage_iface_set_msgcon(sh, iface, msgcon) >= 0);
+
+ /* test */
+ CU_ASSERT(semanage_iface_clone(sh, iface, &iface_clone) >= 0);
+ CU_ASSERT_STRING_EQUAL(semanage_iface_get_name(iface_clone), "asdf");
+
+ ifcon2 = semanage_iface_get_ifcon(iface_clone);
+ CU_ASSERT_CONTEXT_EQUAL(ifcon, ifcon2);
+
+ msgcon2 = semanage_iface_get_msgcon(iface_clone);
+ CU_ASSERT_CONTEXT_EQUAL(msgcon, msgcon2);
+
+ /* cleanup */
+ semanage_iface_free(iface);
+ semanage_iface_free(iface_clone);
+ cleanup_handle(SH_CONNECT);
+}
+
+/* Function semanage_iface_query */
+void test_iface_query(void)
+{
+ semanage_iface_t *iface = NULL;
+ semanage_iface_t *iface_exp = NULL;
+ semanage_iface_key_t *key = NULL;
+ semanage_context_t *con = NULL;
+ semanage_context_t *con_exp = NULL;
+
+ /* setup */
+ setup_handle(SH_CONNECT);
+ key = get_iface_key_nth(I_FIRST);
+ iface_exp = get_iface_nth(I_FIRST);
+
+ /* test */
+ CU_ASSERT(semanage_iface_query(sh, key, &iface) >= 0);
+ CU_ASSERT_STRING_EQUAL(semanage_iface_get_name(iface),
+ semanage_iface_get_name(iface_exp));
+
+ con = semanage_iface_get_ifcon(iface);
+ con_exp = semanage_iface_get_ifcon(iface_exp);
+ CU_ASSERT_CONTEXT_EQUAL(con, con_exp);
+
+ con = semanage_iface_get_msgcon(iface);
+ con_exp = semanage_iface_get_msgcon(iface_exp);
+ CU_ASSERT_CONTEXT_EQUAL(con, con_exp);
+
+ /* cleanup */
+ semanage_iface_free(iface);
+ semanage_iface_free(iface_exp);
+ cleanup_handle(SH_CONNECT);
+}
+
+/* Function semanage_iface_exists */
+void test_iface_exists(void)
+{
+ semanage_iface_key_t *key1 = NULL;
+ semanage_iface_key_t *key2 = NULL;
+ int resp = 42;
+
+ /* setup */
+ setup_handle(SH_CONNECT);
+ key1 = get_iface_key_nth(I_FIRST);
+ CU_ASSERT(semanage_iface_key_create(sh, "asdf", &key2) >= 0);
+
+ /* test */
+ CU_ASSERT(semanage_iface_exists(sh, key1, &resp) >= 0);
+ CU_ASSERT(resp);
+ CU_ASSERT(semanage_iface_exists(sh, key2, &resp) >= 0);
+ CU_ASSERT(!resp);
+
+ /* cleanup */
+ semanage_iface_key_free(key1);
+ semanage_iface_key_free(key2);
+ cleanup_handle(SH_CONNECT);
+}
+
+/* Function semanage_iface_count */
+void test_iface_count(void)
+{
+ unsigned int count = 42;
+
+ /* setup */
+ setup_handle(SH_CONNECT);
+
+ /* test */
+ CU_ASSERT(semanage_iface_count(sh, &count) >= 0);
+ CU_ASSERT(count == IFACE_COUNT);
+
+ /* cleanup */
+ cleanup_handle(SH_CONNECT);
+}
+
+/* Function semanage_iface_iterate */
+
+unsigned int counter_iface_iterate = 0;
+
+int handler_iface_iterate(const semanage_iface_t *record, void *varg)
+{
+ counter_iface_iterate++;
+ return 0;
+}
+
+void test_iface_iterate(void)
+{
+ /* setup */
+ setup_handle(SH_CONNECT);
+
+ /* test */
+ semanage_iface_iterate(sh, handler_iface_iterate, NULL);
+ CU_ASSERT(counter_iface_iterate == IFACE_COUNT);
+
+ /* cleanup */
+ cleanup_handle(SH_CONNECT);
+}
+
+/* Function semanage_iface_list */
+void test_iface_list(void)
+{
+ semanage_iface_t **records = NULL;
+ unsigned int count = 42;
+
+ /* setup */
+ setup_handle(SH_CONNECT);
+
+ /* test */
+ CU_ASSERT(semanage_iface_list(sh, &records, &count) >= 0);
+ CU_ASSERT(count == IFACE_COUNT);
+
+ for (unsigned int i = 0; i < count; i++)
+ CU_ASSERT_PTR_NOT_NULL(records[i]);
+
+ for (unsigned int i = 0; i < count; i++)
+ semanage_iface_free(records[i]);
+
+ /* cleanup */
+ cleanup_handle(SH_CONNECT);
+}
+
+/* Function semanage_iface_modify_local, semanage_iface_del_local,
+ * semanage_iface_query_local
+ */
+void test_iface_modify_del_query_local(void)
+{
+ semanage_iface_t *iface;
+ semanage_iface_t *iface_local;
+ semanage_iface_key_t *key = NULL;
+
+ /* setup */
+ setup_handle(SH_TRANS);
+ iface = get_iface_nth(I_FIRST);
+ CU_ASSERT(semanage_iface_key_extract(sh, iface, &key) >= 0);
+ CU_ASSERT_PTR_NOT_NULL(key);
+
+ /* test */
+ CU_ASSERT(semanage_iface_modify_local(sh, key, iface) >= 0);
+
+ /* write changes to file */
+ helper_commit();
+ helper_begin_transaction();
+
+ CU_ASSERT(semanage_iface_query_local(sh, key, &iface_local) >= 0);
+ CU_ASSERT_PTR_NOT_NULL_FATAL(iface_local);
+
+ CU_ASSERT(semanage_iface_del_local(sh, key) >= 0);
+ CU_ASSERT(semanage_iface_query_local(sh, key, &iface_local) < 0);
+
+ /* cleanup */
+ semanage_iface_free(iface);
+ cleanup_handle(SH_TRANS);
+}
+
+/* Function semanage_iface_exists_local */
+void test_iface_exists_local(void)
+{
+ semanage_iface_key_t *key1 = NULL;
+ semanage_iface_key_t *key2 = NULL;
+ int resp = 42;
+
+ /* setup */
+ setup_handle(SH_TRANS);
+ add_local_iface(I_FIRST);
+ key1 = get_iface_key_nth(I_FIRST);
+ key2 = get_iface_key_nth(I_SECOND);
+
+ /* test */
+ CU_ASSERT(semanage_iface_exists_local(sh, key1, &resp) >= 0);
+ CU_ASSERT(resp);
+ CU_ASSERT(semanage_iface_exists_local(sh, key2, &resp) >= 0);
+ CU_ASSERT(!resp);
+
+ /* cleanup */
+ CU_ASSERT(semanage_iface_del_local(sh, key1) >= 0);
+ semanage_iface_key_free(key1);
+ semanage_iface_key_free(key2);
+ cleanup_handle(SH_TRANS);
+}
+
+/* Function semanage_iface_count_local */
+void test_iface_count_local(void)
+{
+ unsigned int count = 42;
+
+ /* setup */
+ setup_handle(SH_TRANS);
+
+ /* test */
+ CU_ASSERT(semanage_iface_count_local(sh, &count) >= 0);
+ CU_ASSERT(count == 0);
+
+ add_local_iface(I_FIRST);
+ CU_ASSERT(semanage_iface_count_local(sh, &count) >= 0);
+ CU_ASSERT(count == 1);
+
+ add_local_iface(I_SECOND);
+ CU_ASSERT(semanage_iface_count_local(sh, &count) >= 0);
+ CU_ASSERT(count == 2);
+
+ delete_local_iface(I_SECOND);
+ CU_ASSERT(semanage_iface_count_local(sh, &count) >= 0);
+ CU_ASSERT(count == 1);
+
+ delete_local_iface(I_FIRST);
+ CU_ASSERT(semanage_iface_count_local(sh, &count) >= 0);
+ CU_ASSERT(count == 0);
+
+ /* cleanup */
+ cleanup_handle(SH_TRANS);
+}
+
+/* Function semanage_iface_iterate_local */
+unsigned int counter_iface_iterate_local = 0;
+
+int handler_iface_iterate_local(const semanage_iface_t *record, void *varg)
+{
+ counter_iface_iterate_local++;
+ return 0;
+}
+
+void test_iface_iterate_local(void)
+{
+ /* setup */
+ setup_handle(SH_TRANS);
+ add_local_iface(I_FIRST);
+ add_local_iface(I_SECOND);
+ add_local_iface(I_THIRD);
+
+ /* test */
+ semanage_iface_iterate_local(sh, handler_iface_iterate_local, NULL);
+ CU_ASSERT(counter_iface_iterate_local == 3);
+
+ /* cleanup */
+ delete_local_iface(I_FIRST);
+ delete_local_iface(I_SECOND);
+ delete_local_iface(I_THIRD);
+ cleanup_handle(SH_TRANS);
+}
+
+/* Function semanage_iface_list_local */
+void test_iface_list_local(void)
+{
+ semanage_iface_t **records = NULL;
+ unsigned int count = 42;
+
+ /* setup */
+ setup_handle(SH_TRANS);
+ add_local_iface(I_FIRST);
+ add_local_iface(I_SECOND);
+ add_local_iface(I_THIRD);
+
+ /* test */
+ CU_ASSERT(semanage_iface_list_local(sh, &records, &count) >= 0);
+ CU_ASSERT(count == 3);
+
+ for (unsigned int i = 0; i < count; i++)
+ CU_ASSERT_PTR_NOT_NULL(records[i]);
+
+ /* cleanup */
+ for (unsigned int i = 0; i < count; i++)
+ semanage_iface_free(records[i]);
+
+ delete_local_iface(I_FIRST);
+ delete_local_iface(I_SECOND);
+ delete_local_iface(I_THIRD);
+ cleanup_handle(SH_TRANS);
+}
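Review bot: Two registrations in iface_add_tests carry stray punctuation in the test name, `"iface_create)"` and `"iface_clone);"`, which will appear verbatim in CUnit reports and in any by-name selection. They should read `CU_add_test(suite, "iface_create", test_iface_create);` and `CU_add_test(suite, "iface_clone", test_iface_clone);`. test_iface_iterate and test_iface_iterate_local also ignore the return value of the iterate call and never reset their global counter before it, unlike the ibendport tests in this diff, so a failing call or a second run of the suite in the same process could be misreported. test_iface_list and test_iface_list_local free each record but not the `records` array, which test_ibendport_list does free.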
diff --git a/libsemanage/tests/test_iface.cil b/libsemanage/tests/test_iface.cil
new file mode 100644
index 00000000..13fd8f68
--- /dev/null
+++ b/libsemanage/tests/test_iface.cil
@@ -0,0 +1,28 @@
+(typeattribute cil_gen_require)
+(roleattribute cil_gen_require)
+(handleunknown allow)
+(mls true)
+(policycap network_peer_controls)
+(policycap open_perms)
+(sid security)
+(sidorder (security))
+(sensitivity s0)
+(sensitivityorder (s0))
+(user system_u)
+(userrole system_u object_r)
+(userlevel system_u (s0))
+(userrange system_u ((s0) (s0)))
+(role object_r)
+(roletype object_r first_netif_t)
+(roletype object_r second_netif_t)
+(roletype object_r third_netif_t)
+(type first_netif_t)
+(type second_netif_t)
+(type third_netif_t)
+(sidcontext security (system_u object_r first_netif_t ((s0) (s0))))
+(class netif (tcp_recv))
+(classorder (netif))
+(allow first_netif_t self (netif (tcp_recv)))
+(netifcon eth0 (system_u object_r first_netif_t ((s0) (s0))) (system_u object_r first_netif_t ((s0) (s0))))
+(netifcon eth1 (system_u object_r second_netif_t ((s0) (s0))) (system_u object_r second_netif_t ((s0) (s0))))
+(netifcon eth2 (system_u object_r third_netif_t ((s0) (s0))) (system_u object_r third_netif_t ((s0) (s0))))
diff --git a/libsemanage/tests/test_iface.h b/libsemanage/tests/test_iface.h
new file mode 100644
index 00000000..5953e9c0
--- /dev/null
+++ b/libsemanage/tests/test_iface.h
@@ -0,0 +1,30 @@
+/*
+ * Authors: Jan Zarsky <jzarsky@redhat.com>
+ *
+ * Copyright (C) 2019 Red Hat, Inc.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+ */
+
+#ifndef __TEST_IFACE_H__
+#define __TEST_IFACE_H__
+
+#include <CUnit/Basic.h>
+
+int iface_test_init(void);
+int iface_test_cleanup(void);
+int iface_add_tests(CU_pSuite suite);
+
+#endif
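Review bot: The include guard `__TEST_IFACE_H__` uses a double-underscore name, which C reserves for the implementation; a guard such as `TEST_IFACE_H` avoids the reserved namespace. The same applies to `__TEST_NODE_H__` in test_node.h and `__TEST_OTHER_H__` in test_other.h later in this commit. The three prototypes carry no comment on their return convention; a short `/* returns 0 on success, non-zero on failure */` would document what node_test_init and node_test_cleanup visibly do in test_node.c, assuming the iface versions follow the same pattern.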
diff --git a/libsemanage/tests/test_node.c b/libsemanage/tests/test_node.c
new file mode 100644
index 00000000..53c2eb69
--- /dev/null
+++ b/libsemanage/tests/test_node.c
@@ -0,0 +1,807 @@
+/*
+ * Authors: Jan Zarsky <jzarsky@redhat.com>
+ *
+ * Copyright (C) 2019 Red Hat, Inc.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+ */
+
+#include "utilities.h"
+#include "test_node.h"
+
+#define NODE_COUNT 3
+
+#define NODE1_ADDR "192.168.0.0"
+#define NODE1_MASK "255.255.255.0"
+#define NODE1_PROTO SEPOL_PROTO_IP4
+#define NODE1_CONTEXT "system_u:object_r:first_node_t:s0"
+
+#define NODE2_ADDR "2001:db8:85a3::8a2e:370:7334"
+#define NODE2_MASK "2001:db8:85a3::8a2e:370:7334"
+#define NODE2_PROTO SEPOL_PROTO_IP6
+#define NODE2_CONTEXT "system_u:object_r:second_node_t:s0"
+
+#define NODE3_ADDR "127.0.0.1"
+#define NODE3_MASK "255.255.0.0"
+#define NODE3_PROTO SEPOL_PROTO_IP4
+#define NODE3_CONTEXT "system_u:object_r:third_node_t:s0"
+
+/* node_record.h */
+void test_node_compare(void);
+void test_node_compare2(void);
+void test_node_key_create(void);
+void test_node_key_extract(void);
+void test_node_get_set_addr(void);
+void test_node_get_set_addr_bytes(void);
+void test_node_get_set_mask(void);
+void test_node_get_set_mask_bytes(void);
+void test_node_get_set_proto(void);
+void test_node_get_proto_str(void);
+void test_node_get_set_con(void);
+void test_node_create(void);
+void test_node_clone(void);
+
+/* nodes_policy.h */
+void test_node_query(void);
+void test_node_exists(void);
+void test_node_count(void);
+void test_node_iterate(void);
+void test_node_list(void);
+
+/* nodes_local.h */
+void test_node_modify_del_query_local(void);
+void test_node_exists_local(void);
+void test_node_count_local(void);
+void test_node_iterate_local(void);
+void test_node_list_local(void);
+
+extern semanage_handle_t *sh;
+
+int node_test_init(void)
+{
+ if (create_test_store() < 0) {
+ fprintf(stderr, "Could not create test store\n");
+ return 1;
+ }
+
+ if (write_test_policy_from_file("test_node.policy") < 0) {
+ fprintf(stderr, "Could not write test policy\n");
+ return 1;
+ }
+
+ return 0;
+}
+
+int node_test_cleanup(void)
+{
+ if (destroy_test_store() < 0) {
+ fprintf(stderr, "Could destroy test store\n");
+ return 1;
+ }
+
+ return 0;
+}
+
+int node_add_tests(CU_pSuite suite)
+{
+ CU_add_test(suite, "node_compare", test_node_compare);
+ CU_add_test(suite, "node_compare2", test_node_compare2);
+ CU_add_test(suite, "node_key_create", test_node_key_create);
+ CU_add_test(suite, "node_key_extract", test_node_key_extract);
+ CU_add_test(suite, "node_get_set_addr", test_node_get_set_addr);
+ CU_add_test(suite, "node_get_set_addr_bytes",
+ test_node_get_set_addr_bytes);
+ CU_add_test(suite, "node_get_set_mask", test_node_get_set_mask);
+ CU_add_test(suite, "node_get_set_mask_bytes",
+ test_node_get_set_mask_bytes);
+ CU_add_test(suite, "node_get_set_proto", test_node_get_set_proto);
+ CU_add_test(suite, "node_get_proto_str", test_node_get_proto_str);
+ CU_add_test(suite, "node_get_set_con", test_node_get_set_con);
+ CU_add_test(suite, "node_create", test_node_create);
+ CU_add_test(suite, "node_clone", test_node_clone);
+
+ CU_add_test(suite, "node_query", test_node_query);
+ CU_add_test(suite, "node_exists", test_node_exists);
+ CU_add_test(suite, "node_count", test_node_count);
+ CU_add_test(suite, "node_iterate", test_node_iterate);
+ CU_add_test(suite, "node_list", test_node_list);
+
+ CU_add_test(suite, "node_modify_del_query_local",
+ test_node_modify_del_query_local);
+ CU_add_test(suite, "node_exists_local", test_node_exists_local);
+ CU_add_test(suite, "node_count_local", test_node_count_local);
+ CU_add_test(suite, "node_iterate_local", test_node_iterate_local);
+ CU_add_test(suite, "node_list_local", test_node_list_local);
+
+ return 0;
+}
+
+/* Helpers */
+
+semanage_node_t *get_node_nth(int idx)
+{
+ semanage_node_t **records;
+ semanage_node_t *node;
+ unsigned int count;
+
+ if (idx == I_NULL)
+ return NULL;
+
+ CU_ASSERT_FATAL(semanage_node_list(sh, &records, &count) >= 0);
+ CU_ASSERT_FATAL(count >= (unsigned int) idx + 1);
+
+ node = records[idx];
+
+ for (unsigned int i = 0; i < count; i++)
+ if (i != (unsigned int) idx)
+ semanage_node_free(records[i]);
+
+ return node;
+}
+
+semanage_node_key_t *get_node_key_nth(int idx)
+{
+ semanage_node_key_t *key;
+ semanage_node_t *node;
+ int res;
+
+ if (idx == I_NULL)
+ return NULL;
+
+ node = get_node_nth(idx);
+
+ res = semanage_node_key_extract(sh, node, &key);
+
+ CU_ASSERT_FATAL(res >= 0);
+ CU_ASSERT_PTR_NOT_NULL_FATAL(key);
+
+ return key;
+}
+
+void add_local_node(int idx)
+{
+ semanage_node_t *node;
+ semanage_node_key_t *key = NULL;
+
+ node = get_node_nth(idx);
+
+ CU_ASSERT_FATAL(semanage_node_key_extract(sh, node, &key) >= 0);
+ CU_ASSERT_PTR_NOT_NULL_FATAL(key);
+
+ CU_ASSERT_FATAL(semanage_node_modify_local(sh, key, node) >= 0);
+}
+
+void delete_local_node(int idx)
+{
+ semanage_node_key_t *key = NULL;
+
+ key = get_node_key_nth(idx);
+
+ CU_ASSERT_FATAL(semanage_node_del_local(sh, key) >= 0);
+}
+
+/* Function semanage_node_compare */
+void test_node_compare(void)
+{
+ semanage_node_t *node = NULL;
+ semanage_node_key_t *key1 = NULL;
+ semanage_node_key_t *key2 = NULL;
+ int res = 42;
+
+ /* setup */
+ setup_handle(SH_CONNECT);
+ node = get_node_nth(I_FIRST);
+ key1 = get_node_key_nth(I_FIRST);
+ CU_ASSERT(semanage_node_key_create(sh, "192.168.0.1", "255.255.0.0",
+ SEMANAGE_PROTO_IP4, &key2) >= 0);
+ CU_ASSERT_PTR_NOT_NULL(key2);
+
+ /* test */
+ res = semanage_node_compare(node, key1);
+ CU_ASSERT(res == 0);
+ res = semanage_node_compare(node, key2);
+ CU_ASSERT(res != 0);
+
+ /* cleanup */
+ semanage_node_free(node);
+ semanage_node_key_free(key1);
+ semanage_node_key_free(key2);
+ cleanup_handle(SH_CONNECT);
+}
+
+/* Function semanage_node_compare2 */
+void test_node_compare2(void)
+{
+ semanage_node_t *node1 = NULL;
+ semanage_node_t *node2 = NULL;
+ semanage_node_t *node3 = NULL;
+ int res = 42;
+
+ /* setup */
+ setup_handle(SH_CONNECT);
+ node1 = get_node_nth(I_FIRST);
+ node2 = get_node_nth(I_FIRST);
+ node3 = get_node_nth(I_SECOND);
+
+ /* test */
+ res = semanage_node_compare2(node1, node2);
+ CU_ASSERT(res == 0);
+ res = semanage_node_compare2(node1, node3);
+ CU_ASSERT(res != 0);
+
+ /* cleanup */
+ semanage_node_free(node1);
+ semanage_node_free(node2);
+ semanage_node_free(node3);
+ cleanup_handle(SH_CONNECT);
+}
+
+/* Function semanage_node_key_create */
+void test_node_key_create(void)
+{
+ semanage_node_key_t *key = NULL;
+
+ /* setup */
+ setup_handle(SH_CONNECT);
+
+ /* test */
+ CU_ASSERT(semanage_node_key_create(sh, "127.0.0.1", "255.255.255.255",
+ SEMANAGE_PROTO_IP4, &key) >= 0);
+ CU_ASSERT_PTR_NOT_NULL(key);
+
+ /* cleanup */
+ semanage_node_key_free(key);
+ cleanup_handle(SH_CONNECT);
+}
+
+/* Function semanage_node_key_extract */
+void test_node_key_extract(void)
+{
+ semanage_node_t *node = NULL;
+ semanage_node_key_t *key = NULL;
+
+ /* setup */
+ setup_handle(SH_CONNECT);
+ node = get_node_nth(I_FIRST);
+
+ /* test */
+ CU_ASSERT(semanage_node_key_extract(sh, node, &key) >= 0);
+ CU_ASSERT_PTR_NOT_NULL(key);
+
+ /* cleanup */
+ semanage_node_free(node);
+ semanage_node_key_free(key);
+ cleanup_handle(SH_CONNECT);
+}
+
+/* Function semanage_node_get_addr, semanage_node_set_addr */
+void test_node_get_set_addr(void)
+{
+ semanage_node_t *node = NULL;
+ char *addr = NULL;
+
+ /* setup */
+ setup_handle(SH_CONNECT);
+ CU_ASSERT(semanage_node_create(sh, &node) >= 0);
+
+ /* test */
+ CU_ASSERT(semanage_node_set_addr(sh, node, SEMANAGE_PROTO_IP4,
+ "192.168.0.1") == 0);
+ CU_ASSERT(semanage_node_get_addr(sh, node, &addr) >= 0);
+ CU_ASSERT_PTR_NOT_NULL(addr);
+ assert(addr);
+ CU_ASSERT_STRING_EQUAL(addr, "192.168.0.1");
+
+ /* cleanup */
+ semanage_node_free(node);
+ cleanup_handle(SH_CONNECT);
+}
+
+/* Function semanage_node_get_addr_bytes, semanage_node_set_addr_bytes */
+void test_node_get_set_addr_bytes(void)
+{
+ semanage_node_t *node = NULL;
+ char addr1[] = { 192, 168, 0, 1 };
+ size_t addr1_size = sizeof(addr1);
+ char *addr2 = NULL;
+ size_t addr2_size = 0;
+
+ /* setup */
+ setup_handle(SH_CONNECT);
+ CU_ASSERT(semanage_node_create(sh, &node) >= 0);
+
+ /* test */
+ CU_ASSERT(semanage_node_set_addr_bytes(sh, node, addr1,
+ addr1_size) == 0);
+ CU_ASSERT(semanage_node_get_addr_bytes(sh, node, &addr2,
+ &addr2_size) >= 0);
+ CU_ASSERT_PTR_NOT_NULL(addr2);
+ assert(addr2);
+
+ for (size_t i = 0; i < addr2_size; i++)
+ CU_ASSERT(addr1[i] == addr2[i]);
+
+ /* cleanup */
+ semanage_node_free(node);
+ cleanup_handle(SH_CONNECT);
+}
+
+/* Function semanage_node_get_mask, semanage_node_set_mask */
+void test_node_get_set_mask(void)
+{
+ semanage_node_t *node = NULL;
+ char *mask = NULL;
+
+ /* setup */
+ setup_handle(SH_CONNECT);
+ CU_ASSERT(semanage_node_create(sh, &node) >= 0);
+
+ /* test */
+ CU_ASSERT(semanage_node_set_mask(sh, node, SEMANAGE_PROTO_IP4,
+ "255.255.255.0") == 0);
+ CU_ASSERT(semanage_node_get_mask(sh, node, &mask) >= 0);
+ CU_ASSERT_PTR_NOT_NULL(mask);
+ assert(mask);
+ CU_ASSERT_STRING_EQUAL(mask, "255.255.255.0");
+
+ /* cleanup */
+ semanage_node_free(node);
+ cleanup_handle(SH_CONNECT);
+}
+
+/* Function semanage_node_get_mask_bytes, semanage_node_set_mask_bytes */
+void test_node_get_set_mask_bytes(void)
+{
+ semanage_node_t *node = NULL;
+ char mask1[] = { 255, 255, 255, 0 };
+ size_t mask1_size = sizeof(mask1);
+ char *mask2 = NULL;
+ size_t mask2_size = 0;
+
+ /* setup */
+ setup_handle(SH_CONNECT);
+ CU_ASSERT(semanage_node_create(sh, &node) >= 0);
+
+ /* test */
+ CU_ASSERT(semanage_node_set_mask_bytes(sh, node, mask1,
+ mask1_size) == 0);
+ CU_ASSERT(semanage_node_get_mask_bytes(sh, node, &mask2,
+ &mask2_size) >= 0);
+ CU_ASSERT_PTR_NOT_NULL(mask2);
+ assert(mask2);
+
+ for (size_t i = 0; i < mask2_size; i++)
+ CU_ASSERT(mask1[i] == mask2[i]);
+
+ /* cleanup */
+ semanage_node_free(node);
+ cleanup_handle(SH_CONNECT);
+}
+
+/* Function semanage_node_get_proto, semanage_node_set_proto */
+void test_node_get_set_proto(void)
+{
+ semanage_node_t *node = NULL;
+
+ /* setup */
+ setup_handle(SH_CONNECT);
+ CU_ASSERT(semanage_node_create(sh, &node) >= 0);
+
+ /* test */
+ semanage_node_set_proto(node, SEMANAGE_PROTO_IP4);
+ CU_ASSERT(semanage_node_get_proto(node) == SEMANAGE_PROTO_IP4);
+
+ /* cleanup */
+ semanage_node_free(node);
+ cleanup_handle(SH_CONNECT);
+}
+
+/* Function semanage_node_get_proto_str */
+void test_node_get_proto_str(void)
+{
+ CU_ASSERT_STRING_EQUAL(semanage_node_get_proto_str(SEMANAGE_PROTO_IP4),
+ "ipv4");
+ CU_ASSERT_STRING_EQUAL(semanage_node_get_proto_str(SEMANAGE_PROTO_IP6),
+ "ipv6");
+}
+
+/* Function semanage_node_get_con, semanage_node_set_con */
+void test_node_get_set_con(void)
+{
+ semanage_node_t *node = NULL;
+ semanage_context_t *con1 = NULL;
+ semanage_context_t *con2 = NULL;
+
+ /* setup */
+ setup_handle(SH_CONNECT);
+ CU_ASSERT(semanage_node_create(sh, &node) >= 0);
+ CU_ASSERT(semanage_context_from_string(sh,
+ "my_user_u:my_role_r:my_type_t:s0", &con1) >= 0);
+
+ /* test */
+ CU_ASSERT(semanage_node_set_con(sh, node, con1) == 0);
+ con2 = semanage_node_get_con(node);
+ CU_ASSERT_CONTEXT_EQUAL(con1, con2);
+
+ /* cleanup */
+ semanage_node_free(node);
+ cleanup_handle(SH_CONNECT);
+}
+
+/* Function semanage_node_create */
+void test_node_create(void)
+{
+ semanage_node_t *node = NULL;
+ semanage_context_t *con = NULL;
+
+ /* setup */
+ setup_handle(SH_CONNECT);
+
+ /* test */
+ CU_ASSERT(semanage_node_create(sh, &node) >= 0);
+ CU_ASSERT(semanage_node_set_addr(sh, node, SEMANAGE_PROTO_IP4,
+ "127.0.0.1") >= 0);
+ CU_ASSERT(semanage_node_set_mask(sh, node, SEMANAGE_PROTO_IP4,
+ "255.255.255.0") >= 0);
+ semanage_node_set_proto(node, SEMANAGE_PROTO_IP4);
+ CU_ASSERT(semanage_context_from_string(sh, "user_u:role_r:type_t:s0",
+ &con) >= 0);
+ CU_ASSERT(semanage_node_set_con(sh, node, con) >= 0);
+
+ /* cleanup */
+ semanage_node_free(node);
+ cleanup_handle(SH_CONNECT);
+}
+
+/* Function semanage_node_clone */
+void test_node_clone(void)
+{
+ semanage_node_t *node = NULL;
+ semanage_node_t *node_clone = NULL;
+ semanage_context_t *con = NULL;
+ semanage_context_t *con2 = NULL;
+ const char *addr1 = "127.0.0.1";
+ char *addr2 = NULL;
+ const char *mask1 = "255.255.255.0";
+ char *mask2 = NULL;
+
+ /* setup */
+ setup_handle(SH_CONNECT);
+ CU_ASSERT(semanage_node_create(sh, &node) >= 0);
+ CU_ASSERT(semanage_node_set_addr(sh, node, SEMANAGE_PROTO_IP4,
+ addr1) >= 0);
+ CU_ASSERT(semanage_node_set_mask(sh, node, SEMANAGE_PROTO_IP4,
+ mask1) >= 0);
+ semanage_node_set_proto(node, SEMANAGE_PROTO_IP4);
+ CU_ASSERT(semanage_context_from_string(sh, "user_u:role_r:type_t:s0",
+ &con) >= 0);
+ CU_ASSERT(semanage_node_set_con(sh, node, con) >= 0);
+
+ /* test */
+ CU_ASSERT(semanage_node_clone(sh, node, &node_clone) >= 0);
+
+ CU_ASSERT(semanage_node_get_addr(sh, node_clone, &addr2) >= 0);
+ CU_ASSERT_PTR_NOT_NULL(addr2);
+ assert(addr2);
+ CU_ASSERT_STRING_EQUAL(addr1, addr2);
+
+ CU_ASSERT(semanage_node_get_mask(sh, node_clone, &mask2) >= 0);
+ CU_ASSERT_PTR_NOT_NULL(mask2);
+ assert(mask2);
+ CU_ASSERT_STRING_EQUAL(mask1, mask2);
+
+ CU_ASSERT(semanage_node_get_proto(node_clone) == SEMANAGE_PROTO_IP4);
+
+ con2 = semanage_node_get_con(node_clone);
+ CU_ASSERT_CONTEXT_EQUAL(con, con2);
+
+ /* cleanup */
+ semanage_node_free(node);
+ semanage_node_free(node_clone);
+ cleanup_handle(SH_CONNECT);
+}
+
+/* Function semanage_node_query */
+void test_node_query(void)
+{
+ semanage_node_t *node = NULL;
+ semanage_node_t *node_exp = NULL;
+ semanage_node_key_t *key = NULL;
+ char *str = NULL;
+ char *str_exp = NULL;
+ semanage_context_t *con = NULL;
+ semanage_context_t *con_exp = NULL;
+
+ /* setup */
+ setup_handle(SH_CONNECT);
+ key = get_node_key_nth(I_FIRST);
+ node_exp = get_node_nth(I_FIRST);
+
+ /* test */
+ CU_ASSERT(semanage_node_query(sh, key, &node) >= 0);
+
+ CU_ASSERT(semanage_node_get_addr(sh, node, &str) >= 0);
+ CU_ASSERT(semanage_node_get_addr(sh, node_exp, &str_exp) >= 0);
+ CU_ASSERT_STRING_EQUAL(str, str_exp);
+ free(str);
+ free(str_exp);
+
+ CU_ASSERT(semanage_node_get_mask(sh, node, &str) >= 0);
+ CU_ASSERT(semanage_node_get_mask(sh, node_exp, &str_exp) >= 0);
+ CU_ASSERT_STRING_EQUAL(str, str_exp);
+ free(str);
+ free(str_exp);
+
+ CU_ASSERT(semanage_node_get_proto(node) ==
+ semanage_node_get_proto(node_exp));
+
+ con = semanage_node_get_con(node);
+ con_exp = semanage_node_get_con(node_exp);
+ CU_ASSERT_CONTEXT_EQUAL(con, con_exp);
+
+ /* cleanup */
+ semanage_node_free(node);
+ cleanup_handle(SH_CONNECT);
+}
+
+/* Function semanage_node_exists */
+void test_node_exists(void)
+{
+ semanage_node_key_t *key1 = NULL;
+ semanage_node_key_t *key2 = NULL;
+ int resp = 42;
+
+ /* setup */
+ setup_handle(SH_CONNECT);
+ key1 = get_node_key_nth(I_FIRST);
+ CU_ASSERT(semanage_node_key_create(sh, "1.2.3.4", "255.255.0.0",
+ SEMANAGE_PROTO_IP4, &key2) >= 0);
+
+ /* test */
+ CU_ASSERT(semanage_node_exists(sh, key1, &resp) >= 0);
+ CU_ASSERT(resp);
+ CU_ASSERT(semanage_node_exists(sh, key2, &resp) >= 0);
+ CU_ASSERT(!resp);
+
+ /* cleanup */
+ semanage_node_key_free(key1);
+ semanage_node_key_free(key2);
+ cleanup_handle(SH_CONNECT);
+}
+
+/* Function semanage_node_count */
+void test_node_count(void)
+{
+ unsigned int count = 42;
+
+ /* setup */
+ setup_handle(SH_CONNECT);
+
+ /* test */
+ CU_ASSERT(semanage_node_count(sh, &count) >= 0);
+ CU_ASSERT(count == NODE_COUNT);
+
+ /* cleanup */
+ cleanup_handle(SH_CONNECT);
+}
+
+/* Function semanage_node_iterate */
+unsigned int counter_node_iterate = 0;
+
+int handler_node_iterate(const semanage_node_t *record, void *varg)
+{
+ counter_node_iterate++;
+ return 0;
+}
+
+void test_node_iterate(void)
+{
+ /* setup */
+ setup_handle(SH_CONNECT);
+
+ /* test */
+ semanage_node_iterate(sh, handler_node_iterate, NULL);
+ CU_ASSERT(counter_node_iterate == NODE_COUNT);
+
+ /* cleanup */
+ cleanup_handle(SH_CONNECT);
+}
+
+/* Function semanage_node_list */
+void test_node_list(void)
+{
+ semanage_node_t **records = NULL;
+ unsigned int count = 42;
+
+ /* setup */
+ setup_handle(SH_CONNECT);
+
+ /* test */
+ CU_ASSERT(semanage_node_list(sh, &records, &count) >= 0);
+ CU_ASSERT(count == NODE_COUNT);
+
+ for (unsigned int i = 0; i < count; i++)
+ CU_ASSERT_PTR_NOT_NULL(records[i]);
+
+ for (unsigned int i = 0; i < count; i++)
+ semanage_node_free(records[i]);
+
+ /* cleanup */
+ cleanup_handle(SH_CONNECT);
+}
+
+/* Function semanage_node_modify_local, semanage_node_del_local,
+ * semanage_node_query_local
+ */
+void test_node_modify_del_query_local(void)
+{
+ semanage_node_t *node;
+ semanage_node_t *node_local;
+ semanage_node_t *node_tmp;
+ semanage_node_key_t *key = NULL;
+ semanage_node_key_t *key_tmp = NULL;
+
+ /* setup */
+ setup_handle(SH_TRANS);
+ node = get_node_nth(I_FIRST);
+ CU_ASSERT(semanage_node_key_extract(sh, node, &key) >= 0);
+ CU_ASSERT_PTR_NOT_NULL(key);
+
+ /* add second record, so that semanage_node_compare2_qsort
+ * will be called
+ */
+ node_tmp = get_node_nth(I_FIRST);
+
+ CU_ASSERT(semanage_node_set_addr(sh, node_tmp, SEMANAGE_PROTO_IP4,
+ "10.0.0.1") >= 0);
+ CU_ASSERT(semanage_node_key_extract(sh, node_tmp, &key_tmp) >= 0);
+ CU_ASSERT_PTR_NOT_NULL(key_tmp);
+
+ /* test */
+ CU_ASSERT(semanage_node_modify_local(sh, key, node) >= 0);
+ CU_ASSERT(semanage_node_modify_local(sh, key_tmp, node_tmp) >= 0);
+
+ /* write changes to file */
+ helper_commit();
+ helper_begin_transaction();
+
+ CU_ASSERT(semanage_node_query_local(sh, key, &node_local) >= 0);
+ CU_ASSERT_PTR_NOT_NULL_FATAL(node_local);
+
+ CU_ASSERT(semanage_node_del_local(sh, key) >= 0);
+ CU_ASSERT(semanage_node_del_local(sh, key_tmp) >= 0);
+
+ CU_ASSERT(semanage_node_query_local(sh, key, &node_local) < 0);
+
+ /* cleanup */
+ semanage_node_free(node);
+ semanage_node_free(node_tmp);
+ cleanup_handle(SH_TRANS);
+}
+
+/* Function semanage_node_exists_local */
+void test_node_exists_local(void)
+{
+ semanage_node_key_t *key1 = NULL;
+ semanage_node_key_t *key2 = NULL;
+ int resp = 42;
+
+ /* setup */
+ setup_handle(SH_TRANS);
+ add_local_node(I_FIRST);
+ key1 = get_node_key_nth(I_FIRST);
+ key2 = get_node_key_nth(I_SECOND);
+
+ /* test */
+ CU_ASSERT(semanage_node_exists_local(sh, key1, &resp) >= 0);
+ CU_ASSERT(resp);
+ CU_ASSERT(semanage_node_exists_local(sh, key2, &resp) >= 0);
+ CU_ASSERT(!resp);
+
+ /* cleanup */
+ CU_ASSERT(semanage_node_del_local(sh, key1) >= 0);
+ semanage_node_key_free(key1);
+ semanage_node_key_free(key2);
+ cleanup_handle(SH_TRANS);
+}
+
+/* Function semanage_node_count_local */
+void test_node_count_local(void)
+{
+ unsigned int count = 42;
+
+ /* setup */
+ setup_handle(SH_TRANS);
+
+ /* test */
+ CU_ASSERT(semanage_node_count_local(sh, &count) >= 0);
+ CU_ASSERT(count == 0);
+
+ add_local_node(I_FIRST);
+ CU_ASSERT(semanage_node_count_local(sh, &count) >= 0);
+ CU_ASSERT(count == 1);
+
+ add_local_node(I_SECOND);
+ CU_ASSERT(semanage_node_count_local(sh, &count) >= 0);
+ CU_ASSERT(count == 2);
+
+ delete_local_node(I_SECOND);
+ CU_ASSERT(semanage_node_count_local(sh, &count) >= 0);
+ CU_ASSERT(count == 1);
+
+ delete_local_node(I_FIRST);
+ CU_ASSERT(semanage_node_count_local(sh, &count) >= 0);
+ CU_ASSERT(count == 0);
+
+ /* cleanup */
+ cleanup_handle(SH_TRANS);
+}
+
+/* Function semanage_node_iterate_local */
+unsigned int counter_node_iterate_local = 0;
+
+int handler_node_iterate_local(const semanage_node_t *record, void *varg)
+{
+ counter_node_iterate_local++;
+ return 0;
+}
+
+void test_node_iterate_local(void)
+{
+ /* setup */
+ setup_handle(SH_TRANS);
+ add_local_node(I_FIRST);
+ add_local_node(I_SECOND);
+ add_local_node(I_THIRD);
+
+ /* test */
+ semanage_node_iterate_local(sh, handler_node_iterate_local, NULL);
+ CU_ASSERT(counter_node_iterate_local == 3);
+
+ /* cleanup */
+ delete_local_node(I_FIRST);
+ delete_local_node(I_SECOND);
+ delete_local_node(I_THIRD);
+ cleanup_handle(SH_TRANS);
+}
+
+/* Function semanage_node_list_local */
+void test_node_list_local(void)
+{
+ semanage_node_t **records = NULL;
+ unsigned int count = 42;
+
+ /* setup */
+ setup_handle(SH_TRANS);
+ add_local_node(I_FIRST);
+ add_local_node(I_SECOND);
+ add_local_node(I_THIRD);
+
+ /* test */
+ CU_ASSERT(semanage_node_list_local(sh, &records, &count) >= 0);
+ CU_ASSERT(count == 3);
+
+ for (unsigned int i = 0; i < count; i++)
+ CU_ASSERT_PTR_NOT_NULL(records[i]);
+
+ /* cleanup */
+ for (unsigned int i = 0; i < count; i++)
+ semanage_node_free(records[i]);
+
+ delete_local_node(I_FIRST);
+ delete_local_node(I_SECOND);
+ delete_local_node(I_THIRD);
+ cleanup_handle(SH_TRANS);
+}
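Review bot: The comparison loop in test_node_get_set_addr_bytes indexes `addr1[i]` up to `addr2_size`, a length returned by the library, without first checking it against `addr1_size`. A larger returned size reads past the 4-byte stack array, and a returned size of 0 lets the test pass without comparing anything. Add `CU_ASSERT_FATAL(addr2_size == addr1_size);` before the loop, and the matching `CU_ASSERT_FATAL(mask2_size == mask1_size);` in test_node_get_set_mask_bytes. Separately, `addr2` and `mask2` are never released, whereas test_node_query calls `free()` on the strings it gets back; if the byte getters also hand ownership to the caller, `free(addr2);` and `free(mask2);` in cleanup would keep leak-checked runs clean.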
diff --git a/libsemanage/tests/test_node.cil b/libsemanage/tests/test_node.cil
new file mode 100644
index 00000000..1638cd1e
--- /dev/null
+++ b/libsemanage/tests/test_node.cil
@@ -0,0 +1,28 @@
+(typeattribute cil_gen_require)
+(roleattribute cil_gen_require)
+(handleunknown allow)
+(mls true)
+(policycap network_peer_controls)
+(policycap open_perms)
+(sid security)
+(sidorder (security))
+(sensitivity s0)
+(sensitivityorder (s0))
+(user system_u)
+(userrole system_u object_r)
+(userlevel system_u (s0))
+(userrange system_u ((s0) (s0)))
+(role object_r)
+(roletype object_r first_node_t)
+(roletype object_r second_node_t)
+(roletype object_r third_node_t)
+(type first_node_t)
+(type second_node_t)
+(type third_node_t)
+(sidcontext security (system_u object_r first_node_t ((s0) (s0))))
+(class node (tcp_recv))
+(classorder (node))
+(allow first_node_t self (node (tcp_recv)))
+(nodecon (192.168.0.0) (255.255.255.0) (system_u object_r first_node_t ((s0) (s0))))
+(nodecon (2001:db8:85a3::8a2e:370:7334) (2001:db8:85a3::8a2e:370:7334) (system_u object_r second_node_t ((s0) (s0))))
+(nodecon (127.0.0.1) (255.255.0.0) (system_u object_r third_node_t ((s0) (s0))))
diff --git a/libsemanage/tests/test_node.h b/libsemanage/tests/test_node.h
new file mode 100644
index 00000000..5b329406
--- /dev/null
+++ b/libsemanage/tests/test_node.h
@@ -0,0 +1,30 @@
+/*
+ * Authors: Jan Zarsky <jzarsky@redhat.com>
+ *
+ * Copyright (C) 2019 Red Hat, Inc.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+ */
+
+#ifndef __TEST_NODE_H__
+#define __TEST_NODE_H__
+
+#include <CUnit/Basic.h>
+
+int node_test_init(void);
+int node_test_cleanup(void);
+int node_add_tests(CU_pSuite suite);
+
+#endif
diff --git a/libsemanage/tests/test_other.c b/libsemanage/tests/test_other.c
new file mode 100644
index 00000000..c4ee0ed8
--- /dev/null
+++ b/libsemanage/tests/test_other.c
@@ -0,0 +1,120 @@
+/*
+ * Authors: Jan Zarsky <jzarsky@redhat.com>
+ *
+ * Copyright (C) 2019 Red Hat, Inc.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+ */
+
+#include "utilities.h"
+#include "test_other.h"
+
+/* context_record.h */
+void test_semanage_context(void);
+
+/* debug.h */
+void test_debug(void);
+
+extern semanage_handle_t *sh;
+
+int other_test_init(void)
+{
+ return 0;
+}
+
+int other_test_cleanup(void)
+{
+ return 0;
+}
+
+int other_add_tests(CU_pSuite suite)
+{
+ CU_add_test(suite, "semanage_context", test_semanage_context);
+ CU_add_test(suite, "debug", test_debug);
+
+ return 0;
+}
+
+/* Function semanage_context_get_user, semanage_context_set_user,
+ * semanage_context_get_role, semanage_context_set_role,
+ * semanage_context_get_type, semanage_context_set_type,
+ * semanage_context_get_mls, semanage_context_set_mls,
+ * semanage_context_create, semanage_context_clone,
+ * semanage_context_free, semanage_context_from_string
+ * semanage_context_to_string
+ */
+void test_semanage_context(void)
+{
+ semanage_context_t *con = NULL;
+ semanage_context_t *con_clone = NULL;
+ char *str = NULL;
+
+ /* setup */
+ setup_handle(SH_CONNECT);
+
+ /* test */
+ CU_ASSERT(semanage_context_create(sh, &con) >= 0);
+
+ CU_ASSERT(semanage_context_set_user(sh, con, "user_u") >= 0);
+ CU_ASSERT_STRING_EQUAL(semanage_context_get_user(con), "user_u");
+ CU_ASSERT(semanage_context_set_role(sh, con, "role_r") >= 0);
+ CU_ASSERT_STRING_EQUAL(semanage_context_get_role(con), "role_r");
+ CU_ASSERT(semanage_context_set_type(sh, con, "type_t") >= 0);
+ CU_ASSERT_STRING_EQUAL(semanage_context_get_type(con), "type_t");
+ CU_ASSERT(semanage_context_set_mls(sh, con, "s0") >= 0);
+ CU_ASSERT_STRING_EQUAL(semanage_context_get_mls(con), "s0");
+
+ CU_ASSERT(semanage_context_to_string(sh, con, &str) >= 0);
+ CU_ASSERT_PTR_NOT_NULL(str);
+ assert(str);
+ CU_ASSERT_STRING_EQUAL(str, "user_u:role_r:type_t:s0");
+
+ CU_ASSERT(semanage_context_from_string(sh, "my_u:my_r:my_t:s0",
+ &con) >= 0);
+ CU_ASSERT_STRING_EQUAL(semanage_context_get_user(con), "my_u");
+ CU_ASSERT_STRING_EQUAL(semanage_context_get_role(con), "my_r");
+ CU_ASSERT_STRING_EQUAL(semanage_context_get_type(con), "my_t");
+ CU_ASSERT_STRING_EQUAL(semanage_context_get_mls(con), "s0");
+
+ CU_ASSERT(semanage_context_clone(sh, con, &con_clone) >= 0);
+ CU_ASSERT_STRING_EQUAL(semanage_context_get_user(con_clone), "my_u");
+ CU_ASSERT_STRING_EQUAL(semanage_context_get_role(con_clone), "my_r");
+ CU_ASSERT_STRING_EQUAL(semanage_context_get_type(con_clone), "my_t");
+ CU_ASSERT_STRING_EQUAL(semanage_context_get_mls(con_clone), "s0");
+
+ /* cleanup */
+ semanage_context_free(con);
+ semanage_context_free(con_clone);
+ cleanup_handle(SH_CONNECT);
+}
+
+/* Function semanage_msg_default_handler */
+void test_debug(void)
+{
+ semanage_module_info_t *modinfo = NULL;
+
+ /* setup */
+ sh = semanage_handle_create();
+ CU_ASSERT_PTR_NOT_NULL(sh);
+ CU_ASSERT(semanage_connect(sh) >= 0);
+ CU_ASSERT(semanage_module_info_create(sh, &modinfo) >= 0);
+
+ /* test */
+ CU_ASSERT(semanage_module_info_set_priority(sh, modinfo, -42) < 0);
+
+ /* cleanup */
+ CU_ASSERT(semanage_disconnect(sh) >= 0);
+ semanage_handle_destroy(sh);
+}
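Review bot: In test_semanage_context the `con` obtained from `semanage_context_create` is overwritten by `semanage_context_from_string(sh, "my_u:my_r:my_t:s0", &con)` without being freed, so the first context is lost. Call `semanage_context_free(con);` before that second assignment, or parse into a separate variable. `str` from `semanage_context_to_string` is never released either; it is presumably caller-owned, in which case cleanup needs `free(str);`. In test_debug, `modinfo` is created but not destroyed, and the global `sh` still points at the destroyed handle after `semanage_handle_destroy(sh)`. Adding `sh = NULL;` there would make accidental reuse by a later test fail on a null handle rather than touch freed memory.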
diff --git a/libsemanage/tests/test_other.h b/libsemanage/tests/test_other.h
new file mode 100644
index 00000000..40d2dcf8
--- /dev/null
+++ b/libsemanage/tests/test_other.h
@@ -0,0 +1,30 @@
+/*
+ * Authors: Jan Zarsky <jzarsky@redhat.com>
+ *
+ * Copyright (C) 2019 Red Hat, Inc.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+ */
+
+#ifndef __TEST_OTHER_H__
+#define __TEST_OTHER_H__
+
+#include <CUnit/Basic.h>
+
+int other_test_init(void);
+int other_test_cleanup(void);
+int other_add_tests(CU_pSuite suite);
+
+#endif
diff --git a/libsemanage/tests/test_port.c b/libsemanage/tests/test_port.c
new file mode 100644
index 00000000..0408be4d
--- /dev/null
+++ b/libsemanage/tests/test_port.c
@@ -0,0 +1,909 @@
+/*
+ * Authors: Jan Zarsky <jzarsky@redhat.com>
+ *
+ * Copyright (C) 2019 Red Hat, Inc.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+ */
+
+#include "utilities.h"
+#include "test_port.h"
+
+#define PORT_COUNT 3
+
+#define PORT1_LOW 80
+#define PORT1_HIGH 80
+#define PORT1_PROTO SEPOL_PROTO_TCP
+
+#define PORT2_LOW 1
+#define PORT2_HIGH 1023
+#define PORT2_PROTO SEPOL_PROTO_UDP
+
+#define PORT3_LOW 12345
+#define PORT3_HIGH 12345
+#define PORT3_PROTO SEPOL_PROTO_TCP
+
+/* port_record.h */
+void test_port_compare(void);
+void test_port_compare2(void);
+void test_port_key_create(void);
+void test_port_key_extract(void);
+void test_port_get_set_proto(void);
+void test_port_get_proto_str(void);
+void test_port_get_set_port(void);
+void test_port_get_set_con(void);
+void test_port_create(void);
+void test_port_clone(void);
+
+/* ports_policy.h */
+void test_port_query(void);
+void test_port_exists(void);
+void test_port_count(void);
+void test_port_iterate(void);
+void test_port_list(void);
+
+/* ports_local.h */
+void test_port_modify_del_local(void);
+void test_port_query_local(void);
+void test_port_exists_local(void);
+void test_port_count_local(void);
+void test_port_iterate_local(void);
+void test_port_list_local(void);
+
+/* internal */
+void test_port_validate_local(void);
+
+extern semanage_handle_t *sh;
+
+int port_test_init(void)
+{
+ if (create_test_store() < 0) {
+ fprintf(stderr, "Could not create test store\n");
+ return 1;
+ }
+
+ if (write_test_policy_from_file("test_port.policy") < 0) {
+ fprintf(stderr, "Could not write test policy\n");
+ return 1;
+ }
+
+ return 0;
+}
+
+int port_test_cleanup(void)
+{
+ if (destroy_test_store() < 0) {
+ fprintf(stderr, "Could not destroy test store\n");
+ return 1;
+ }
+
+ return 0;
+}
+
+int port_add_tests(CU_pSuite suite)
+{
+ CU_add_test(suite, "port_compare", test_port_compare);
+ CU_add_test(suite, "port_compare2", test_port_compare2);
+ CU_add_test(suite, "port_key_create", test_port_key_create);
+ CU_add_test(suite, "port_key_extract", test_port_key_extract);
+ CU_add_test(suite, "port_get_set_proto", test_port_get_set_proto);
+ CU_add_test(suite, "port_get_proto_str", test_port_get_proto_str);
+ CU_add_test(suite, "port_get_set_port", test_port_get_set_port);
+ CU_add_test(suite, "port_get_set_con", test_port_get_set_con);
+ CU_add_test(suite, "port_create", test_port_create);
+ CU_add_test(suite, "port_clone", test_port_clone);
+
+ CU_add_test(suite, "port_query", test_port_query);
+ CU_add_test(suite, "port_exists", test_port_exists);
+ CU_add_test(suite, "port_count", test_port_count);
+ CU_add_test(suite, "port_iterate", test_port_iterate);
+ CU_add_test(suite, "port_list", test_port_list);
+
+ CU_add_test(suite, "port_modify_del_local", test_port_modify_del_local);
+ CU_add_test(suite, "port_query_local", test_port_query_local);
+ CU_add_test(suite, "port_exists_local", test_port_exists_local);
+ CU_add_test(suite, "port_count_local", test_port_count_local);
+ CU_add_test(suite, "port_iterate_local", test_port_iterate_local);
+ CU_add_test(suite, "port_list_local", test_port_list_local);
+
+ CU_add_test(suite, "port_validate_local", test_port_validate_local);
+
+ return 0;
+}
+
+/* Helpers */
+
+semanage_port_t *get_port_nth(int idx)
+{
+ int res;
+ semanage_port_t **records;
+ semanage_port_t *port;
+ unsigned int count;
+
+ if (idx == I_NULL)
+ return NULL;
+
+ res = semanage_port_list(sh, &records, &count);
+
+ CU_ASSERT_FATAL(res >= 0);
+ CU_ASSERT_FATAL(count >= (unsigned int) idx + 1);
+
+ port = records[idx];
+
+ for (unsigned int i = 0; i < count; i++)
+ if (i != (unsigned int) idx)
+ semanage_port_free(records[i]);
+
+ return port;
+}
+
+semanage_port_key_t *get_port_key_nth(int idx)
+{
+ semanage_port_key_t *key;
+ semanage_port_t *port;
+ int res;
+
+ if (idx == I_NULL)
+ return NULL;
+
+ port = get_port_nth(idx);
+
+ res = semanage_port_key_extract(sh, port, &key);
+
+ CU_ASSERT_FATAL(res >= 0);
+ CU_ASSERT_PTR_NOT_NULL_FATAL(key);
+
+ return key;
+}
+
+void add_local_port(int port_idx)
+{
+ semanage_port_t *port;
+ semanage_port_key_t *key = NULL;
+
+ CU_ASSERT_FATAL(port_idx != I_NULL);
+
+ port = get_port_nth(port_idx);
+
+ CU_ASSERT_FATAL(semanage_port_key_extract(sh, port, &key) >= 0);
+ CU_ASSERT_PTR_NOT_NULL_FATAL(key);
+
+ CU_ASSERT_FATAL(semanage_port_modify_local(sh, key, port) >= 0);
+}
+
+void delete_local_port(int port_idx)
+{
+ semanage_port_key_t *key = NULL;
+
+ CU_ASSERT_FATAL(port_idx != I_NULL);
+
+ key = get_port_key_nth(port_idx);
+
+ CU_ASSERT_FATAL(semanage_port_del_local(sh, key) >= 0);
+}
+
+/* Function semanage_port_compare */
+void helper_port_compare(int idx1, int idx2)
+{
+ semanage_port_t *port = NULL;
+ semanage_port_key_t *key = NULL;
+ int res = 42;
+
+ /* setup */
+ setup_handle(SH_CONNECT);
+ port = get_port_nth(idx1);
+ key = get_port_key_nth(idx2);
+
+ /* test */
+ res = semanage_port_compare(port, key);
+
+ if (idx1 == idx2) {
+ CU_ASSERT(res == 0);
+ } else {
+ CU_ASSERT(res != 0);
+ }
+
+ /* cleanup */
+ semanage_port_free(port);
+ semanage_port_key_free(key);
+ cleanup_handle(SH_CONNECT);
+}
+
+void test_port_compare(void)
+{
+ helper_port_compare(I_FIRST, I_FIRST);
+ helper_port_compare(I_FIRST, I_SECOND);
+ helper_port_compare(I_SECOND, I_FIRST);
+ helper_port_compare(I_SECOND, I_SECOND);
+}
+
+/* Function semanage_port_compare2 */
+void helper_port_compare2(int idx1, int idx2)
+{
+ semanage_port_t *port1 = NULL;
+ semanage_port_t *port2 = NULL;
+ int res = 42;
+
+ /* setup */
+ setup_handle(SH_CONNECT);
+
+ port1 = get_port_nth(idx1);
+ port2 = get_port_nth(idx2);
+
+ /* test */
+ res = semanage_port_compare2(port1, port2);
+
+ if (idx1 == idx2) {
+ CU_ASSERT(res == 0);
+ } else {
+ CU_ASSERT(res != 0);
+ }
+
+ /* cleanup */
+ semanage_port_free(port1);
+ semanage_port_free(port2);
+ cleanup_handle(SH_CONNECT);
+}
+
+void test_port_compare2(void)
+{
+ helper_port_compare2(I_FIRST, I_FIRST);
+ helper_port_compare2(I_FIRST, I_SECOND);
+ helper_port_compare2(I_SECOND, I_FIRST);
+ helper_port_compare2(I_SECOND, I_SECOND);
+}
+
+/* Function semanage_port_create */
+void test_port_key_create(void)
+{
+ semanage_port_key_t *key = NULL;
+
+ /* setup */
+ setup_handle(SH_CONNECT);
+
+ /* test */
+ CU_ASSERT(semanage_port_key_create(sh, 1000, 1200, 0, &key) >= 0);
+ CU_ASSERT_PTR_NOT_NULL(key);
+
+ /* cleanup */
+ semanage_port_key_free(key);
+ cleanup_handle(SH_CONNECT);
+}
+
+/* Function semanage_port_extract */
+void test_port_key_extract(void)
+{
+ semanage_port_t *port = NULL;
+ semanage_port_key_t *key = NULL;
+
+ /* setup */
+ setup_handle(SH_CONNECT);
+ port = get_port_nth(I_FIRST);
+
+ /* test */
+ CU_ASSERT(semanage_port_key_extract(sh, port, &key) >= 0);
+ CU_ASSERT_PTR_NOT_NULL(key);
+
+ /* cleanup */
+ semanage_port_free(port);
+ semanage_port_key_free(key);
+ cleanup_handle(SH_CONNECT);
+}
+
+/* Function semanage_port_get_proto, semanage_port_set_proto */
+void helper_port_get_set_proto(int idx)
+{
+ semanage_port_t *port = NULL;
+
+ /* setup */
+ setup_handle(SH_CONNECT);
+ port = get_port_nth(idx);
+
+ /* test */
+ semanage_port_set_proto(port, 0);
+ CU_ASSERT(semanage_port_get_proto(port) == 0);
+ semanage_port_set_proto(port, 1);
+ CU_ASSERT(semanage_port_get_proto(port) == 1);
+
+ /* cleanup */
+ semanage_port_free(port);
+ cleanup_handle(SH_CONNECT);
+}
+
+void test_port_get_set_proto(void)
+{
+ helper_port_get_set_proto(I_FIRST);
+ helper_port_get_set_proto(I_SECOND);
+}
+
+/* Function semanage_port_get_proto_str */
+void test_port_get_proto_str(void)
+{
+ const char *str = NULL;
+
+ str = semanage_port_get_proto_str(-1);
+ CU_ASSERT_STRING_EQUAL(str, "???");
+
+ str = semanage_port_get_proto_str(0);
+ CU_ASSERT_STRING_EQUAL(str, "udp");
+
+ str = semanage_port_get_proto_str(1);
+ CU_ASSERT_STRING_EQUAL(str, "tcp");
+
+ str = semanage_port_get_proto_str(2);
+ CU_ASSERT_STRING_EQUAL(str, "dccp");
+
+ str = semanage_port_get_proto_str(3);
+ CU_ASSERT_STRING_EQUAL(str, "sctp");
+
+ str = semanage_port_get_proto_str(4);
+ CU_ASSERT_STRING_EQUAL(str, "???");
+}
+
+/* Function semanage_port_get_low, semanage_port_get_high, */
+/* semanage_port_set_port, semanage_port_set_range */
+void test_port_get_set_port(void)
+{
+ semanage_port_t *port = NULL;
+
+ /* setup */
+ setup_handle(SH_CONNECT);
+ port = get_port_nth(I_FIRST);
+
+ /* test */
+ semanage_port_set_port(port, 1000);
+ CU_ASSERT(semanage_port_get_low(port) == 1000);
+ CU_ASSERT(semanage_port_get_high(port) == 1000);
+
+ semanage_port_set_range(port, 1000, 1200);
+ CU_ASSERT(semanage_port_get_low(port) == 1000);
+ CU_ASSERT(semanage_port_get_high(port) == 1200);
+
+ /* cleanup */
+ semanage_port_free(port);
+ cleanup_handle(SH_CONNECT);
+}
+
+/* Function semanage_port_get_con, semanage_port_set_con */
+void test_port_get_set_con(void)
+{
+ semanage_port_t *port = NULL;
+ semanage_port_t *port_tmp = NULL;
+ semanage_context_t *con1 = NULL;
+ semanage_context_t *con2 = NULL;
+
+ /* setup */
+ setup_handle(SH_CONNECT);
+ port = get_port_nth(I_FIRST);
+ port_tmp = get_port_nth(I_SECOND);
+ con1 = semanage_port_get_con(port_tmp);
+
+ /* test */
+ CU_ASSERT(semanage_port_set_con(sh, port, con1) >= 0);
+ con2 = semanage_port_get_con(port);
+ CU_ASSERT_CONTEXT_EQUAL(con1, con2);
+
+ /* cleanup */
+ semanage_port_free(port);
+ semanage_port_free(port_tmp);
+ cleanup_handle(SH_CONNECT);
+}
+
+/* Function semanage_port_create */
+void test_port_create(void)
+{
+ semanage_port_t *port = NULL;
+
+ /* setup */
+ setup_handle(SH_CONNECT);
+
+ /* test */
+ CU_ASSERT(semanage_port_create(sh, &port) >= 0);
+ CU_ASSERT(semanage_port_get_low(port) == 0);
+ CU_ASSERT(semanage_port_get_high(port) == 0);
+ CU_ASSERT(semanage_port_get_con(port) == NULL);
+ CU_ASSERT(semanage_port_get_proto(port) == 0);
+
+ /* cleanup */
+ semanage_port_free(port);
+ cleanup_handle(SH_CONNECT);
+}
+
+/* Function semanage_port_clone */
+void test_port_clone(void)
+{
+ semanage_port_t *port = NULL;
+ semanage_port_t *port_clone = NULL;
+ semanage_context_t *con = NULL;
+ semanage_context_t *con2 = NULL;
+
+ /* setup */
+ setup_handle(SH_CONNECT);
+ CU_ASSERT(semanage_port_create(sh, &port) >= 0);
+ semanage_port_set_range(port, 1000, 1200);
+ semanage_port_set_proto(port, 1);
+ semanage_context_from_string(sh, "user_u:role_r:type_t:s0", &con);
+ semanage_port_set_con(sh, port, con);
+
+ /* test */
+ CU_ASSERT(semanage_port_clone(sh, port, &port_clone) >= 0);
+ CU_ASSERT(semanage_port_get_low(port_clone) == 1000);
+ CU_ASSERT(semanage_port_get_high(port_clone) == 1200);
+ CU_ASSERT(semanage_port_get_proto(port_clone) == 1);
+
+ con2 = semanage_port_get_con(port_clone);
+ CU_ASSERT_CONTEXT_EQUAL(con, con2);
+
+ /* cleanup */
+ semanage_port_free(port);
+ semanage_port_free(port_clone);
+ cleanup_handle(SH_CONNECT);
+}
+
+/* Function semanage_port_query */
+void test_port_query(void)
+{
+ semanage_port_t *port = NULL;
+ semanage_port_t *port_exp = NULL;
+ semanage_port_key_t *key = NULL;
+ semanage_context_t *con = NULL;
+ semanage_context_t *con_exp = NULL;
+
+ /* setup */
+ setup_handle(SH_CONNECT);
+ key = get_port_key_nth(I_FIRST);
+ port_exp = get_port_nth(I_FIRST);
+
+ /* test */
+ CU_ASSERT(semanage_port_query(sh, key, &port) >= 0);
+ CU_ASSERT(semanage_port_get_low(port) ==
+ semanage_port_get_low(port_exp));
+ CU_ASSERT(semanage_port_get_high(port) ==
+ semanage_port_get_high(port_exp));
+ CU_ASSERT(semanage_port_get_proto(port) ==
+ semanage_port_get_proto(port_exp));
+
+ con = semanage_port_get_con(port);
+ con_exp = semanage_port_get_con(port_exp);
+ CU_ASSERT_CONTEXT_EQUAL(con, con_exp);
+
+ /* cleanup */
+ semanage_port_free(port);
+ semanage_port_free(port_exp);
+ cleanup_handle(SH_CONNECT);
+}
+
+/* Function semanage_port_exists */
+void test_port_exists(void)
+{
+ semanage_port_key_t *key1 = NULL;
+ semanage_port_key_t *key2 = NULL;
+ int resp = 42;
+
+ /* setup */
+ setup_handle(SH_CONNECT);
+ key1 = get_port_key_nth(I_FIRST);
+ CU_ASSERT(semanage_port_key_create(sh, 123, 456, 0, &key2) >= 0);
+
+ /* test */
+ CU_ASSERT(semanage_port_exists(sh, key1, &resp) >= 0);
+ CU_ASSERT(resp);
+ CU_ASSERT(semanage_port_exists(sh, key2, &resp) >= 0);
+ CU_ASSERT(!resp);
+
+ /* cleanup */
+ semanage_port_key_free(key1);
+ semanage_port_key_free(key2);
+ cleanup_handle(SH_CONNECT);
+}
+
+/* Function semanage_port_count */
+void test_port_count(void)
+{
+ unsigned int count = 42;
+
+ /* setup */
+ setup_handle(SH_CONNECT);
+
+ /* test */
+ CU_ASSERT(semanage_port_count(sh, &count) >= 0);
+ CU_ASSERT(count == PORT_COUNT);
+
+ /* cleanup */
+ cleanup_handle(SH_CONNECT);
+}
+
+/* Function semanage_port_iterate */
+unsigned int counter_port_iterate = 0;
+
+int handler_port_iterate(const semanage_port_t *record, void *varg)
+{
+ counter_port_iterate++;
+ return 0;
+}
+
+void test_port_iterate(void)
+{
+ /* setup */
+ setup_handle(SH_CONNECT);
+
+ /* test */
+ semanage_port_iterate(sh, handler_port_iterate, NULL);
+ CU_ASSERT(counter_port_iterate == PORT_COUNT);
+
+ /* cleanup */
+ cleanup_handle(SH_CONNECT);
+}
+
+/* Function semanage_port_list */
+void test_port_list(void)
+{
+ semanage_port_t **records = NULL;
+ unsigned int count = 42;
+
+ /* setup */
+ setup_handle(SH_CONNECT);
+
+ /* test */
+ CU_ASSERT(semanage_port_list(sh, &records, &count) >= 0);
+ CU_ASSERT(count == PORT_COUNT);
+
+ for (unsigned int i = 0; i < count; i++)
+ CU_ASSERT_PTR_NOT_NULL(records[i]);
+
+ /* cleanup */
+ for (unsigned int i = 0; i < count; i++)
+ semanage_port_free(records[i]);
+
+ cleanup_handle(SH_CONNECT);
+}
+
+/* Function semanage_port_modify_local, semanage_port_del_local */
+void test_port_modify_del_local(void)
+{
+ semanage_port_t *port;
+ semanage_port_t *port_local;
+ semanage_port_key_t *key = NULL;
+ semanage_context_t *con = NULL;
+ semanage_context_t *con_local = NULL;
+
+ /* setup */
+ setup_handle(SH_TRANS);
+ port = get_port_nth(I_FIRST);
+ semanage_context_from_string(sh, "user_u:role_r:type_t:s0", &con);
+ semanage_port_set_con(sh, port, con);
+ CU_ASSERT(semanage_port_key_extract(sh, port, &key) >= 0);
+ CU_ASSERT_PTR_NOT_NULL(key);
+
+ /* test */
+ CU_ASSERT(semanage_port_modify_local(sh, key, port) >= 0);
+ CU_ASSERT(semanage_port_query_local(sh, key, &port_local) >= 0);
+ CU_ASSERT_PTR_NOT_NULL_FATAL(port_local);
+
+ con_local = semanage_port_get_con(port_local);
+ CU_ASSERT_CONTEXT_EQUAL(con, con_local);
+
+ CU_ASSERT(semanage_port_del_local(sh, key) >= 0);
+ CU_ASSERT(semanage_port_query_local(sh, key, &port_local) < 0);
+
+ /* cleanup */
+ semanage_port_free(port);
+ cleanup_handle(SH_TRANS);
+}
+
+/* Function semanage_port_query_local */
+void test_port_query_local(void)
+{
+ semanage_port_t *port = NULL;
+ semanage_port_t *port_exp = NULL;
+ semanage_port_key_t *key = NULL;
+ semanage_context_t *con = NULL;
+ semanage_context_t *con_exp = NULL;
+
+ /* setup */
+ setup_handle(SH_TRANS);
+ add_local_port(I_FIRST);
+ key = get_port_key_nth(I_FIRST);
+ port_exp = get_port_nth(I_FIRST);
+
+ /* test */
+ CU_ASSERT(semanage_port_query_local(sh, key, &port) >= 0);
+ CU_ASSERT(semanage_port_get_low(port) ==
+ semanage_port_get_low(port_exp));
+ CU_ASSERT(semanage_port_get_high(port) ==
+ semanage_port_get_high(port_exp));
+ CU_ASSERT(semanage_port_get_proto(port) ==
+ semanage_port_get_proto(port_exp));
+
+ con = semanage_port_get_con(port);
+ con_exp = semanage_port_get_con(port_exp);
+ CU_ASSERT_CONTEXT_EQUAL(con, con_exp);
+
+ /* cleanup */
+ delete_local_port(I_FIRST);
+ semanage_port_free(port);
+ semanage_port_free(port_exp);
+ cleanup_handle(SH_TRANS);
+}
+
+/* Function semanage_port_exists_local */
+void test_port_exists_local(void)
+{
+ semanage_port_key_t *key1 = NULL;
+ semanage_port_key_t *key2 = NULL;
+ int resp = 42;
+
+ /* setup */
+ setup_handle(SH_TRANS);
+ add_local_port(I_FIRST);
+ key1 = get_port_key_nth(I_FIRST);
+ key2 = get_port_key_nth(I_SECOND);
+
+ /* test */
+ CU_ASSERT(semanage_port_exists_local(sh, key1, &resp) >= 0);
+ CU_ASSERT(resp);
+ CU_ASSERT(semanage_port_exists_local(sh, key2, &resp) >= 0);
+ CU_ASSERT(!resp);
+
+ /* cleanup */
+ delete_local_port(I_FIRST);
+ semanage_port_key_free(key1);
+ semanage_port_key_free(key2);
+ cleanup_handle(SH_TRANS);
+}
+
+/* Function semanage_port_count_local */
+void test_port_count_local(void)
+{
+ unsigned int count = 42;
+
+ /* setup */
+ setup_handle(SH_TRANS);
+
+ /* test */
+ CU_ASSERT(semanage_port_count_local(sh, &count) >= 0);
+ CU_ASSERT(count == 0);
+
+ add_local_port(I_FIRST);
+ CU_ASSERT(semanage_port_count_local(sh, &count) >= 0);
+ CU_ASSERT(count == 1);
+
+ add_local_port(I_SECOND);
+ CU_ASSERT(semanage_port_count_local(sh, &count) >= 0);
+ CU_ASSERT(count == 2);
+
+ delete_local_port(I_SECOND);
+ CU_ASSERT(semanage_port_count_local(sh, &count) >= 0);
+ CU_ASSERT(count == 1);
+
+ delete_local_port(I_FIRST);
+ CU_ASSERT(semanage_port_count_local(sh, &count) >= 0);
+ CU_ASSERT(count == 0);
+
+ /* cleanup */
+ cleanup_handle(SH_TRANS);
+}
+
+/* Function semanage_port_iterate_local */
+unsigned int counter_port_iterate_local = 0;
+
+int handler_port_iterate_local(const semanage_port_t *record, void *varg)
+{
+ counter_port_iterate_local++;
+ return 0;
+}
+
+void test_port_iterate_local(void)
+{
+ /* setup */
+ setup_handle(SH_TRANS);
+ add_local_port(I_FIRST);
+ add_local_port(I_SECOND);
+ add_local_port(I_THIRD);
+
+ /* test */
+ semanage_port_iterate_local(sh, handler_port_iterate_local, NULL);
+ CU_ASSERT(counter_port_iterate_local == 3);
+
+ /* cleanup */
+ delete_local_port(I_FIRST);
+ delete_local_port(I_SECOND);
+ delete_local_port(I_THIRD);
+ cleanup_handle(SH_TRANS);
+}
+
+/* Function semanage_port_list_local */
+void test_port_list_local(void)
+{
+ semanage_port_t **records = NULL;
+ unsigned int count = 42;
+
+ /* setup */
+ setup_handle(SH_TRANS);
+ add_local_port(I_FIRST);
+ add_local_port(I_SECOND);
+ add_local_port(I_THIRD);
+
+ /* test */
+ CU_ASSERT(semanage_port_list_local(sh, &records, &count) >= 0);
+ CU_ASSERT(count == 3);
+
+ for (unsigned int i = 0; i < count; i++)
+ CU_ASSERT_PTR_NOT_NULL(records[i]);
+
+ /* cleanup */
+ for (unsigned int i = 0; i < count; i++)
+ semanage_port_free(records[i]);
+
+ delete_local_port(I_FIRST);
+ delete_local_port(I_SECOND);
+ delete_local_port(I_THIRD);
+ cleanup_handle(SH_TRANS);
+}
+
+/* Internal function semanage_port_validate_local */
+void helper_port_validate_local_noport(void)
+{
+ semanage_port_key_t *key = NULL;
+ int resp = 42;
+
+ /* setup */
+ setup_handle(SH_TRANS);
+ add_local_port(I_FIRST);
+ helper_commit();
+ key = get_port_key_nth(I_FIRST);
+ CU_ASSERT(semanage_port_exists_local(sh, key, &resp) >= 0);
+ CU_ASSERT(resp);
+
+ /* test */
+ helper_begin_transaction();
+ delete_local_port(I_FIRST);
+ helper_commit();
+
+ /* cleanup */
+ helper_begin_transaction();
+ delete_local_port(I_FIRST);
+ cleanup_handle(SH_TRANS);
+}
+
+void helper_port_validate_local_oneport(void)
+{
+ /* setup */
+ setup_handle(SH_TRANS);
+ add_local_port(I_FIRST);
+
+ /* test */
+ helper_commit();
+
+ /* cleanup */
+ helper_begin_transaction();
+ delete_local_port(I_FIRST);
+ cleanup_handle(SH_TRANS);
+}
+
+void helper_port_validate_local_twoports(void)
+{
+ semanage_port_key_t *key1 = NULL;
+ semanage_port_key_t *key2 = NULL;
+ semanage_port_t *port1 = NULL;
+ semanage_port_t *port2 = NULL;
+ semanage_context_t *con1 = NULL;
+ semanage_context_t *con2 = NULL;
+
+ /* setup */
+ setup_handle(SH_TRANS);
+ CU_ASSERT(semanage_port_key_create(sh, 101, 200, 0, &key1) >= 0);
+ CU_ASSERT(semanage_port_key_create(sh, 201, 300, 0, &key2) >= 0);
+ CU_ASSERT(semanage_port_create(sh, &port1) >= 0);
+ CU_ASSERT(semanage_port_create(sh, &port2) >= 0);
+
+ semanage_port_set_range(port1, 101, 200);
+ semanage_port_set_range(port2, 201, 300);
+ semanage_port_set_proto(port1, 0);
+ semanage_port_set_proto(port2, 0);
+
+ CU_ASSERT(semanage_context_from_string(sh,
+ "system_u:object_r:user_home_t:s0", &con1) >= 0);
+ CU_ASSERT(semanage_context_from_string(sh,
+ "system_u:object_r:user_tmp_t:s0", &con2) >= 0);
+
+ semanage_port_set_con(sh, port1, con1);
+ semanage_port_set_con(sh, port2, con2);
+
+ CU_ASSERT(semanage_port_modify_local(sh, key1, port1) >= 0);
+ CU_ASSERT(semanage_port_modify_local(sh, key2, port2) >= 0);
+
+ /* test */
+ helper_commit();
+
+ /* cleanup */
+ helper_begin_transaction();
+ CU_ASSERT(semanage_port_del_local(sh, key1) >= 0);
+ CU_ASSERT(semanage_port_del_local(sh, key2) >= 0);
+ semanage_port_key_free(key1);
+ semanage_port_key_free(key2);
+ semanage_port_free(port1);
+ semanage_port_free(port2);
+ cleanup_handle(SH_TRANS);
+}
+
+void helper_port_validate_local_proto(void)
+{
+ semanage_port_key_t *key1 = NULL;
+ semanage_port_key_t *key2 = NULL;
+ semanage_port_key_t *key3 = NULL;
+ semanage_port_t *port1 = NULL;
+ semanage_port_t *port2 = NULL;
+ semanage_port_t *port3 = NULL;
+ semanage_context_t *con1 = NULL;
+ semanage_context_t *con2 = NULL;
+ semanage_context_t *con3 = NULL;
+
+ /* setup */
+ setup_handle(SH_TRANS);
+
+ CU_ASSERT(semanage_port_key_create(sh, 101, 200, 0, &key1) >= 0);
+ CU_ASSERT(semanage_port_key_create(sh, 51, 250, 1, &key2) >= 0);
+ CU_ASSERT(semanage_port_key_create(sh, 201, 300, 0, &key3) >= 0);
+
+ CU_ASSERT(semanage_port_create(sh, &port1) >= 0);
+ CU_ASSERT(semanage_port_create(sh, &port2) >= 0);
+ CU_ASSERT(semanage_port_create(sh, &port3) >= 0);
+
+ semanage_port_set_range(port1, 101, 200);
+ semanage_port_set_range(port2, 51, 250);
+ semanage_port_set_range(port3, 201, 300);
+
+ semanage_port_set_proto(port1, 0);
+ semanage_port_set_proto(port2, 0);
+ semanage_port_set_proto(port3, 0);
+
+ CU_ASSERT(semanage_context_from_string(sh,
+ "system_u:object_r:user_home_t:s0", &con1) >= 0);
+ CU_ASSERT(semanage_context_from_string(sh,
+ "system_u:object_r:user_home_t:s0", &con2) >= 0);
+ CU_ASSERT(semanage_context_from_string(sh,
+ "system_u:object_r:user_tmp_t:s0", &con3) >= 0);
+
+ semanage_port_set_con(sh, port1, con1);
+ semanage_port_set_con(sh, port2, con2);
+ semanage_port_set_con(sh, port3, con3);
+
+ CU_ASSERT(semanage_port_modify_local(sh, key1, port1) >= 0);
+ CU_ASSERT(semanage_port_modify_local(sh, key2, port2) >= 0);
+ CU_ASSERT(semanage_port_modify_local(sh, key3, port3) >= 0);
+
+ /* test */
+ helper_commit();
+
+ /* cleanup */
+ CU_ASSERT(semanage_port_del_local(sh, key1) >= 0);
+ CU_ASSERT(semanage_port_del_local(sh, key2) >= 0);
+ CU_ASSERT(semanage_port_del_local(sh, key3) >= 0);
+ semanage_port_key_free(key1);
+ semanage_port_key_free(key2);
+ semanage_port_key_free(key3);
+ semanage_port_free(port1);
+ semanage_port_free(port2);
+ semanage_port_free(port3);
+ cleanup_handle(SH_TRANS);
+}
+
+void test_port_validate_local(void)
+{
+ helper_port_validate_local_noport();
+ helper_port_validate_local_oneport();
+ helper_port_validate_local_twoports();
+}
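Review bot: `helper_port_validate_local_proto` is defined but never called: `test_port_validate_local` at the end of this hunk runs only the noport, oneport and twoports helpers, so the case with overlapping port ranges (101-200, 51-250, 201-300) is never exercised, and because the helper is not `static` the compiler will not report it as unused. Before wiring it in with `helper_port_validate_local_proto();`, two things in it look inconsistent with its siblings. First, `key2` is created with protocol `1` while `port2` is set to protocol `0`. Second, its cleanup calls `semanage_port_del_local` straight after `helper_commit()` without the `helper_begin_transaction();` that `helper_port_validate_local_twoports` issues first. If the helper was left out on purpose, a comment saying why (or removing it) would avoid the impression that local port-label validation for overlapping ranges is covered by this suite.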
diff --git a/libsemanage/tests/test_port.cil b/libsemanage/tests/test_port.cil
new file mode 100644
index 00000000..7e07a61c
--- /dev/null
+++ b/libsemanage/tests/test_port.cil
@@ -0,0 +1,27 @@
+(typeattribute cil_gen_require)
+(roleattribute cil_gen_require)
+(handleunknown allow)
+(mls true)
+(policycap open_perms)
+(sid security)
+(sidorder (security))
+(sensitivity s0)
+(sensitivityorder (s0))
+(user system_u)
+(userrole system_u object_r)
+(userlevel system_u (s0))
+(userrange system_u ((s0) (s0)))
+(role object_r)
+(roletype object_r first_port_t)
+(roletype object_r second_port_t)
+(roletype object_r third_port_t)
+(type first_port_t)
+(type second_port_t)
+(type third_port_t)
+(sidcontext security (system_u object_r first_port_t ((s0) (s0))))
+(class file (open))
+(classorder (file))
+(allow first_port_t self (file (open)))
+(portcon tcp 80 (system_u object_r first_port_t ((s0) (s0))))
+(portcon udp (1 1023) (system_u object_r second_port_t ((s0) (s0))))
+(portcon tcp 12345 (system_u object_r third_port_t ((s0) (s0))))
diff --git a/libsemanage/tests/test_port.h b/libsemanage/tests/test_port.h
new file mode 100644
index 00000000..ad26f90b
--- /dev/null
+++ b/libsemanage/tests/test_port.h
@@ -0,0 +1,30 @@
+/*
+ * Authors: Jan Zarsky <jzarsky@redhat.com>
+ *
+ * Copyright (C) 2019 Red Hat, Inc.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+ */
+
+#ifndef __TEST_PORT_H__
+#define __TEST_PORT_H__
+
+#include <CUnit/Basic.h>
+
+int port_test_init(void);
+int port_test_cleanup(void);
+int port_add_tests(CU_pSuite suite);
+
+#endif
diff --git a/libsemanage/tests/test_semanage_store.c b/libsemanage/tests/test_semanage_store.c
index b324d502..92085361 100644
--- a/libsemanage/tests/test_semanage_store.c
+++ b/libsemanage/tests/test_semanage_store.c
@@ -43,7 +43,7 @@
#include <unistd.h>
#include <CUnit/Basic.h>
-semanage_handle_t *sh = NULL;
+extern semanage_handle_t *sh;
const char *rootpath = "./test-policy";
const char *polpath = "./test-policy/store/";
const char *readlockpath = "./test-policy/store/semanage.read.LOCK";
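Review bot: The new `extern semanage_handle_t *sh;` line is repeated verbatim in the other test sources of this commit (test_port.c and test_user.c each declare it themselves), so nothing ties these declarations to the single definition. Declaring it once in a shared test header would let the compiler catch a mismatch, presumably in utilities.h, which the new test files already include. Where the definition of `sh` now lives is not visible in this hunk, so confirm exactly one translation unit still defines it.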
diff --git a/libsemanage/tests/test_user.c b/libsemanage/tests/test_user.c
new file mode 100644
index 00000000..cd082030
--- /dev/null
+++ b/libsemanage/tests/test_user.c
@@ -0,0 +1,690 @@
+/*
+ * Authors: Jan Zarsky <jzarsky@redhat.com>
+ *
+ * Copyright (C) 2019 Red Hat, Inc.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+ */
+
+#include "utilities.h"
+#include "test_user.h"
+
+#define USER_COUNT 3
+
+/* user_record.h */
+void test_user_compare(void);
+void test_user_compare2(void);
+void test_user_key_create(void);
+void test_user_key_extract(void);
+void test_user_get_set_name(void);
+void test_user_get_set_prefix(void);
+void test_user_get_set_mlslevel(void);
+void test_user_get_set_mlsrange(void);
+void test_user_roles(void);
+void test_user_create(void);
+void test_user_clone(void);
+
+/* users_policy.h */
+void test_user_query(void);
+void test_user_exists(void);
+void test_user_count(void);
+void test_user_iterate(void);
+void test_user_list(void);
+
+/* users_local.h */
+void test_user_modify_del_query_local(void);
+void test_user_exists_local(void);
+void test_user_count_local(void);
+void test_user_iterate_local(void);
+void test_user_list_local(void);
+
+extern semanage_handle_t *sh;
+
+int user_test_init(void)
+{
+ if (create_test_store() < 0) {
+ fprintf(stderr, "Could not create test store\n");
+ return 1;
+ }
+
+ if (write_test_policy_from_file("test_user.policy") < 0) {
+ fprintf(stderr, "Could not write test policy\n");
+ return 1;
+ }
+
+ return 0;
+}
+
+int user_test_cleanup(void)
+{
+ if (destroy_test_store() < 0) {
+ fprintf(stderr, "Could not destroy test store\n");
+ return 1;
+ }
+
+ return 0;
+}
+
+int user_add_tests(CU_pSuite suite)
+{
+ CU_add_test(suite, "user_compare", test_user_compare);
+ CU_add_test(suite, "user_compare2", test_user_compare2);
+ CU_add_test(suite, "user_key_create", test_user_key_create);
+ CU_add_test(suite, "user_key_extract", test_user_key_extract);
+ CU_add_test(suite, "user_get_set_name", test_user_get_set_name);
+ CU_add_test(suite, "user_get_set_prefix", test_user_get_set_prefix);
+ CU_add_test(suite, "user_get_set_mlslevel", test_user_get_set_mlslevel);
+ CU_add_test(suite, "user_get_set_mlsrange", test_user_get_set_mlsrange);
+ CU_add_test(suite, "user_roles", test_user_roles);
+ CU_add_test(suite, "user_create", test_user_create);
+ CU_add_test(suite, "user_clone", test_user_clone);
+
+ CU_add_test(suite, "user_query", test_user_query);
+ CU_add_test(suite, "user_exists", test_user_exists);
+ CU_add_test(suite, "user_count", test_user_count);
+ CU_add_test(suite, "user_iterate", test_user_iterate);
+ CU_add_test(suite, "user_list", test_user_list);
+
+ CU_add_test(suite, "user_modify_del_query_local",
+ test_user_modify_del_query_local);
+ CU_add_test(suite, "user_exists_local", test_user_exists_local);
+ CU_add_test(suite, "user_count_local", test_user_count_local);
+ CU_add_test(suite, "user_iterate_local", test_user_iterate_local);
+ CU_add_test(suite, "user_list_local", test_user_list_local);
+
+ return 0;
+}
+
+/* Helpers */
+
+semanage_user_t *get_user_nth(int idx)
+{
+ int res;
+ semanage_user_t **records;
+ semanage_user_t *user;
+ unsigned int count;
+
+ if (idx == I_NULL)
+ return NULL;
+
+ res = semanage_user_list(sh, &records, &count);
+
+ CU_ASSERT_FATAL(res >= 0);
+ CU_ASSERT_FATAL(count >= (unsigned int) idx + 1);
+
+ user = records[idx];
+
+ for (unsigned int i = 0; i < count; i++)
+ if (i != (unsigned int) idx)
+ semanage_user_free(records[i]);
+
+ return user;
+}
+
+semanage_user_key_t *get_user_key_nth(int idx)
+{
+ semanage_user_key_t *key;
+ semanage_user_t *user;
+ int res;
+
+ if (idx == I_NULL)
+ return NULL;
+
+ user = get_user_nth(idx);
+
+ res = semanage_user_key_extract(sh, user, &key);
+
+ CU_ASSERT_FATAL(res >= 0);
+ CU_ASSERT_PTR_NOT_NULL_FATAL(key);
+
+ return key;
+}
+
+void add_local_user(int user_idx)
+{
+ semanage_user_t *user;
+ semanage_user_key_t *key = NULL;
+
+ CU_ASSERT_FATAL(user_idx != I_NULL);
+
+ user = get_user_nth(user_idx);
+
+ CU_ASSERT_FATAL(semanage_user_key_extract(sh, user, &key) >= 0);
+ CU_ASSERT_PTR_NOT_NULL_FATAL(key);
+
+ CU_ASSERT_FATAL(semanage_user_modify_local(sh, key, user) >= 0);
+}
+
+void delete_local_user(int user_idx)
+{
+ semanage_user_key_t *key = NULL;
+
+ CU_ASSERT_FATAL(user_idx != I_NULL);
+
+ key = get_user_key_nth(user_idx);
+
+ CU_ASSERT_FATAL(semanage_user_del_local(sh, key) >= 0);
+}
+
+/* Function semanage_user_compare */
+void test_user_compare(void)
+{
+ semanage_user_t *user = NULL;
+ semanage_user_key_t *key1 = NULL;
+ semanage_user_key_t *key2 = NULL;
+ int res = 42;
+
+ /* setup */
+ setup_handle(SH_CONNECT);
+ user = get_user_nth(I_FIRST);
+ key1 = get_user_key_nth(I_FIRST);
+ key2 = get_user_key_nth(I_SECOND);
+
+ /* test */
+ res = semanage_user_compare(user, key1);
+ CU_ASSERT(res == 0);
+ res = semanage_user_compare(user, key2);
+ CU_ASSERT(res != 0);
+
+ /* cleanup */
+ semanage_user_free(user);
+ semanage_user_key_free(key1);
+ semanage_user_key_free(key2);
+ cleanup_handle(SH_CONNECT);
+}
+
+/* Function semanage_user_compare2 */
+void test_user_compare2(void)
+{
+ semanage_user_t *user1 = NULL;
+ semanage_user_t *user2 = NULL;
+ semanage_user_t *user3 = NULL;
+ int res = 42;
+
+ /* setup */
+ setup_handle(SH_CONNECT);
+ user1 = get_user_nth(I_FIRST);
+ user2 = get_user_nth(I_FIRST);
+ user3 = get_user_nth(I_SECOND);
+
+ /* test */
+ res = semanage_user_compare2(user1, user2);
+ CU_ASSERT(res == 0);
+ res = semanage_user_compare2(user1, user3);
+ CU_ASSERT(res != 0);
+
+ /* cleanup */
+ semanage_user_free(user1);
+ semanage_user_free(user2);
+ semanage_user_free(user3);
+ cleanup_handle(SH_CONNECT);
+}
+
+/* Function semanage_user_key_create */
+void test_user_key_create(void)
+{
+ semanage_user_key_t *key = NULL;
+
+ /* setup */
+ setup_handle(SH_CONNECT);
+
+ /* test */
+ CU_ASSERT(semanage_user_key_create(sh, "asdf", &key) >= 0);
+ CU_ASSERT_PTR_NOT_NULL(key);
+
+ /* cleanup */
+ semanage_user_key_free(key);
+ cleanup_handle(SH_CONNECT);
+}
+
+/* Function semanage_user_key_extract */
+void test_user_key_extract(void)
+{
+ semanage_user_t *user = NULL;
+ semanage_user_key_t *key = NULL;
+
+ /* setup */
+ setup_handle(SH_CONNECT);
+ user = get_user_nth(I_FIRST);
+
+ /* test */
+ CU_ASSERT(semanage_user_key_extract(sh, user, &key) >= 0);
+ CU_ASSERT_PTR_NOT_NULL(key);
+
+ /* cleanup */
+ semanage_user_free(user);
+ semanage_user_key_free(key);
+ cleanup_handle(SH_CONNECT);
+}
+
+/* Function semanage_user_get_name, semanage_user_set_name */
+void test_user_get_set_name(void)
+{
+ semanage_user_t *user = NULL;
+
+ /* setup */
+ setup_handle(SH_CONNECT);
+ CU_ASSERT(semanage_user_create(sh, &user) >= 0);
+
+ /* test */
+ CU_ASSERT(semanage_user_set_name(sh, user, "user_u") == 0);
+ CU_ASSERT_STRING_EQUAL(semanage_user_get_name(user), "user_u");
+
+ /* cleanup */
+ semanage_user_free(user);
+ cleanup_handle(SH_CONNECT);
+}
+
+/* Function semanage_user_get_prefix, semanage_user_set_prefix */
+void test_user_get_set_prefix(void)
+{
+ semanage_user_t *user = NULL;
+
+ /* setup */
+ setup_handle(SH_CONNECT);
+ CU_ASSERT(semanage_user_create(sh, &user) >= 0);
+
+ /* test */
+ CU_ASSERT(semanage_user_set_prefix(sh, user, "user") == 0);
+ CU_ASSERT_STRING_EQUAL(semanage_user_get_prefix(user), "user");
+
+ /* cleanup */
+ semanage_user_free(user);
+ cleanup_handle(SH_CONNECT);
+}
+
+/* Function semanage_user_get_mlslevel, semanage_user_set_mlslevel */
+void test_user_get_set_mlslevel(void)
+{
+ semanage_user_t *user = NULL;
+
+ /* setup */
+ setup_handle(SH_CONNECT);
+ CU_ASSERT(semanage_user_create(sh, &user) >= 0);
+
+ /* test */
+ CU_ASSERT(semanage_user_set_mlslevel(sh, user, "s0") == 0);
+ CU_ASSERT_STRING_EQUAL(semanage_user_get_mlslevel(user), "s0");
+
+ /* cleanup */
+ semanage_user_free(user);
+ cleanup_handle(SH_CONNECT);
+}
+
+/* Function semanage_user_get_mlsrange, semanage_user_set_mlsrange */
+void test_user_get_set_mlsrange(void)
+{
+ semanage_user_t *user = NULL;
+
+ /* setup */
+ setup_handle(SH_CONNECT);
+ CU_ASSERT(semanage_user_create(sh, &user) >= 0);
+
+ /* test */
+ CU_ASSERT(semanage_user_set_mlsrange(sh, user, "s0-s15") == 0);
+ CU_ASSERT_STRING_EQUAL(semanage_user_get_mlsrange(user), "s0-s15");
+
+ /* cleanup */
+ semanage_user_free(user);
+ cleanup_handle(SH_CONNECT);
+}
+
+/* Function semanage_user_get_num_roles, semanage_user_add_role,
+ * semanage_user_del_role, semanage_user_has_role, semanage_user_get_roles
+ * semanage_user_set_roles
+ */
+void test_user_roles(void)
+{
+ semanage_user_t *user = NULL;
+ const char **roles_arr = NULL;
+ unsigned int num_roles = 42;
+ const char *new_roles_arr[] = { "new_role_r", "new_my_role_r" };
+ unsigned int new_num_roles = 2;
+
+ /* setup */
+ setup_handle(SH_CONNECT);
+ CU_ASSERT(semanage_user_create(sh, &user) >= 0);
+
+ /* test */
+ CU_ASSERT(semanage_user_get_num_roles(user) == 0);
+
+ CU_ASSERT(semanage_user_add_role(sh, user, "role_r") == 0);
+ CU_ASSERT(semanage_user_get_num_roles(user) == 1);
+
+ CU_ASSERT(semanage_user_has_role(user, "role_r"));
+ CU_ASSERT(!semanage_user_has_role(user, "my_role_r"));
+
+ CU_ASSERT(semanage_user_add_role(sh, user, "my_role_r") == 0);
+ CU_ASSERT(semanage_user_get_num_roles(user) == 2);
+
+ CU_ASSERT(semanage_user_get_roles(sh, user, &roles_arr,
+ &num_roles) >= 0);
+ CU_ASSERT(num_roles == 2);
+ CU_ASSERT_STRING_EQUAL(roles_arr[0], "role_r");
+ CU_ASSERT_STRING_EQUAL(roles_arr[1], "my_role_r");
+
+ CU_ASSERT(semanage_user_set_roles(sh, user, new_roles_arr,
+ new_num_roles) >= 0);
+
+ CU_ASSERT(semanage_user_has_role(user, "new_role_r"));
+ CU_ASSERT(semanage_user_has_role(user, "new_my_role_r"));
+
+ CU_ASSERT(!semanage_user_has_role(user, "role_r"));
+ CU_ASSERT(!semanage_user_has_role(user, "my_role_r"));
+
+ semanage_user_del_role(user, "new_my_role_r");
+ CU_ASSERT(semanage_user_get_num_roles(user) == 1);
+
+ semanage_user_del_role(user, "new_role_r");
+ CU_ASSERT(semanage_user_get_num_roles(user) == 0);
+
+ /* cleanup */
+ semanage_user_free(user);
+ cleanup_handle(SH_CONNECT);
+}
+
+/* Function semanage_user_create */
+void test_user_create(void)
+{
+ semanage_user_t *user = NULL;
+
+ /* setup */
+ setup_handle(SH_CONNECT);
+
+ /* test */
+ CU_ASSERT(semanage_user_create(sh, &user) >= 0);
+ CU_ASSERT(semanage_user_set_name(sh, user, "user_u") >= 0);
+ CU_ASSERT(semanage_user_set_prefix(sh, user, "user") >= 0);
+ CU_ASSERT(semanage_user_set_mlslevel(sh, user, "s0") >= 0);
+ CU_ASSERT(semanage_user_set_mlsrange(sh, user, "s0-s15") >= 0);
+
+ /* cleanup */
+ semanage_user_free(user);
+ cleanup_handle(SH_CONNECT);
+}
+
+/* Function semanage_user_clone */
+void test_user_clone(void)
+{
+ semanage_user_t *user = NULL;
+ semanage_user_t *user_clone = NULL;
+
+ /* setup */
+ setup_handle(SH_CONNECT);
+ CU_ASSERT(semanage_user_create(sh, &user) >= 0);
+ CU_ASSERT(semanage_user_set_name(sh, user, "user_u") >= 0);
+ CU_ASSERT(semanage_user_set_prefix(sh, user, "user") >= 0);
+ CU_ASSERT(semanage_user_set_mlslevel(sh, user, "s0") >= 0);
+ CU_ASSERT(semanage_user_set_mlsrange(sh, user, "s0-s15") >= 0);
+
+ /* test */
+ CU_ASSERT(semanage_user_clone(sh, user, &user_clone) >= 0);
+ CU_ASSERT_STRING_EQUAL(semanage_user_get_name(user), "user_u");
+ CU_ASSERT_STRING_EQUAL(semanage_user_get_prefix(user), "user");
+ CU_ASSERT_STRING_EQUAL(semanage_user_get_mlslevel(user), "s0");
+ CU_ASSERT_STRING_EQUAL(semanage_user_get_mlsrange(user), "s0-s15");
+
+ /* cleanup */
+ semanage_user_free(user);
+ semanage_user_free(user_clone);
+ cleanup_handle(SH_CONNECT);
+}
+
+/* Function semanage_user_query */
+void test_user_query(void)
+{
+ semanage_user_t *user = NULL;
+ semanage_user_key_t *key = NULL;
+
+ /* setup */
+ setup_handle(SH_CONNECT);
+ key = get_user_key_nth(I_FIRST);
+
+ /* test */
+ CU_ASSERT(semanage_user_query(sh, key, &user) >= 0);
+
+ /* TODO: test values */
+ CU_ASSERT_PTR_NOT_NULL(user);
+
+ /* cleanup */
+ semanage_user_free(user);
+ cleanup_handle(SH_CONNECT);
+}
+
+/* Function semanage_user_exists */
+void test_user_exists(void)
+{
+ semanage_user_key_t *key1 = NULL;
+ semanage_user_key_t *key2 = NULL;
+ int resp = 42;
+
+ /* setup */
+ setup_handle(SH_CONNECT);
+ key1 = get_user_key_nth(I_FIRST);
+ CU_ASSERT(semanage_user_key_create(sh, "asdf", &key2) >= 0);
+
+ /* test */
+ CU_ASSERT(semanage_user_exists(sh, key1, &resp) >= 0);
+ CU_ASSERT(resp);
+ CU_ASSERT(semanage_user_exists(sh, key2, &resp) >= 0);
+ CU_ASSERT(!resp);
+
+ /* cleanup */
+ semanage_user_key_free(key1);
+ semanage_user_key_free(key2);
+ cleanup_handle(SH_CONNECT);
+}
+
+/* Function semanage_user_count */
+void test_user_count(void)
+{
+ unsigned int count = 42;
+
+ /* setup */
+ setup_handle(SH_CONNECT);
+
+ /* test */
+ CU_ASSERT(semanage_user_count(sh, &count) >= 0);
+ CU_ASSERT(count == USER_COUNT);
+
+ /* cleanup */
+ cleanup_handle(SH_CONNECT);
+}
+
+/* Function semanage_user_iterate */
+unsigned int counter_user_iterate = 0;
+
+int handler_user_iterate(const semanage_user_t *record, void *varg)
+{
+ counter_user_iterate++;
+ return 0;
+}
+
+void test_user_iterate(void)
+{
+ /* setup */
+ setup_handle(SH_CONNECT);
+
+ /* test */
+ semanage_user_iterate(sh, handler_user_iterate, NULL);
+ CU_ASSERT(counter_user_iterate == USER_COUNT);
+
+ /* cleanup */
+ cleanup_handle(SH_CONNECT);
+}
+
+/* Function semanage_user_list */
+void test_user_list(void)
+{
+ semanage_user_t **records = NULL;
+ unsigned int count = 42;
+
+ /* setup */
+ setup_handle(SH_CONNECT);
+
+ /* test */
+ CU_ASSERT(semanage_user_list(sh, &records, &count) >= 0);
+ CU_ASSERT(count == USER_COUNT);
+
+ /* TODO: check real values */
+ for (unsigned int i = 0; i < count; i++)
+ CU_ASSERT_PTR_NOT_NULL(records[i]);
+
+ /* cleanup */
+ for (unsigned int i = 0; i < count; i++)
+ semanage_user_free(records[i]);
+
+ cleanup_handle(SH_CONNECT);
+}
+
+/* Function semanage_user_modify_local, semanage_user_del_local,
+ * semanage_user_query_local
+ */
+void test_user_modify_del_query_local(void)
+{
+ semanage_user_t *user;
+ semanage_user_t *user_local;
+ semanage_user_key_t *key = NULL;
+
+ /* setup */
+ setup_handle(SH_TRANS);
+ user = get_user_nth(I_FIRST);
+ CU_ASSERT(semanage_user_key_extract(sh, user, &key) >= 0);
+ CU_ASSERT_PTR_NOT_NULL(key);
+
+ /* test */
+ CU_ASSERT(semanage_user_modify_local(sh, key, user) >= 0);
+
+ /* write changes to file */
+ helper_commit();
+ helper_begin_transaction();
+
+ CU_ASSERT(semanage_user_query_local(sh, key, &user_local) >= 0);
+ CU_ASSERT_PTR_NOT_NULL_FATAL(user_local);
+ CU_ASSERT(semanage_user_del_local(sh, key) >= 0);
+ CU_ASSERT(semanage_user_query_local(sh, key, &user_local) < 0);
+
+ /* cleanup */
+ semanage_user_free(user);
+ cleanup_handle(SH_TRANS);
+}
+
+/* Function semanage_user_exists_local */
+void test_user_exists_local(void)
+{
+ semanage_user_t *user = NULL;
+ semanage_user_key_t *key1 = NULL;
+ semanage_user_key_t *key2 = NULL;
+ int resp = 42;
+
+ /* setup */
+ setup_handle(SH_TRANS);
+ add_local_user(I_FIRST);
+ key1 = get_user_key_nth(I_FIRST);
+ CU_ASSERT(semanage_user_key_create(sh, "asdf", &key2) >= 0);
+ CU_ASSERT_PTR_NOT_NULL(key2);
+
+ /* test */
+ CU_ASSERT(semanage_user_exists_local(sh, key1, &resp) >= 0);
+ CU_ASSERT(resp);
+ CU_ASSERT(semanage_user_exists_local(sh, key2, &resp) >= 0);
+ CU_ASSERT(!resp);
+
+ /* cleanup */
+ CU_ASSERT(semanage_user_del_local(sh, key1) >= 0);
+ semanage_user_free(user);
+ semanage_user_key_free(key1);
+ semanage_user_key_free(key2);
+ cleanup_handle(SH_TRANS);
+}
+
+/* Function semanage_user_count_local */
+void test_user_count_local(void)
+{
+ unsigned int count = 42;
+
+ /* setup */
+ setup_handle(SH_TRANS);
+ add_local_user(I_FIRST);
+ add_local_user(I_SECOND);
+ add_local_user(I_THIRD);
+
+ /* test */
+ CU_ASSERT(semanage_user_count_local(sh, &count) >= 0);
+ CU_ASSERT(count == 3);
+
+ /* cleanup */
+ delete_local_user(I_FIRST);
+ delete_local_user(I_SECOND);
+ delete_local_user(I_THIRD);
+ cleanup_handle(SH_TRANS);
+}
+
+/* Function semanage_user_iterate_local */
+unsigned int counter_user_iterate_local = 0;
+
+int handler_user_iterate_local(const semanage_user_t *record, void *varg)
+{
+ counter_user_iterate_local++;
+ return 0;
+}
+
+void test_user_iterate_local(void)
+{
+ /* setup */
+ setup_handle(SH_TRANS);
+ add_local_user(I_FIRST);
+ add_local_user(I_SECOND);
+ add_local_user(I_THIRD);
+
+ /* test */
+ semanage_user_iterate_local(sh, handler_user_iterate_local, NULL);
+ CU_ASSERT(counter_user_iterate_local == 3);
+
+ /* cleanup */
+ delete_local_user(I_FIRST);
+ delete_local_user(I_SECOND);
+ delete_local_user(I_THIRD);
+ cleanup_handle(SH_TRANS);
+}
+
+/* Function semanage_user_list_local */
+void test_user_list_local(void)
+{
+ semanage_user_t **records = NULL;
+ unsigned int count = 42;
+
+ /* setup */
+ setup_handle(SH_TRANS);
+ add_local_user(I_FIRST);
+ add_local_user(I_SECOND);
+ add_local_user(I_THIRD);
+
+ /* test */
+ CU_ASSERT(semanage_user_list_local(sh, &records, &count) >= 0);
+ CU_ASSERT(count == 3);
+
+ for (unsigned int i = 0; i < count; i++)
+ CU_ASSERT_PTR_NOT_NULL(records[i]);
+
+ /* cleanup */
+ for (unsigned int i = 0; i < count; i++)
+ semanage_user_free(records[i]);
+
+ delete_local_user(I_FIRST);
+ delete_local_user(I_SECOND);
+ delete_local_user(I_THIRD);
+ cleanup_handle(SH_TRANS);
+}
diff --git a/libsemanage/tests/test_user.cil b/libsemanage/tests/test_user.cil
new file mode 100644
index 00000000..1c65b9fc
--- /dev/null
+++ b/libsemanage/tests/test_user.cil
@@ -0,0 +1,27 @@
+(typeattribute cil_gen_require)
+(roleattribute cil_gen_require)
+(handleunknown allow)
+(mls true)
+(policycap network_peer_controls)
+(policycap open_perms)
+(sid security)
+(sidorder (security))
+(sensitivity s0)
+(sensitivityorder (s0))
+(user first_u)
+(user second_u)
+(user third_u)
+(userrole first_u object_r)
+(userlevel first_u (s0))
+(userlevel second_u (s0))
+(userlevel third_u (s0))
+(userrange first_u ((s0) (s0)))
+(userrange second_u ((s0) (s0)))
+(userrange third_u ((s0) (s0)))
+(role object_r)
+(roletype object_r test_t)
+(type test_t)
+(sidcontext security (first_u object_r test_t ((s0) (s0))))
+(class test_class (test_perm))
+(classorder (test_class))
+(allow test_t self (test_class (test_perm)))
diff --git a/libsemanage/tests/test_user.h b/libsemanage/tests/test_user.h
new file mode 100644
index 00000000..014a84aa
--- /dev/null
+++ b/libsemanage/tests/test_user.h
@@ -0,0 +1,30 @@
+/*
+ * Authors: Jan Zarsky <jzarsky@redhat.com>
+ *
+ * Copyright (C) 2019 Red Hat, Inc.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+ */
+
+#ifndef __TEST_USER_H__
+#define __TEST_USER_H__
+
+#include <CUnit/Basic.h>
+
+int user_test_init(void);
+int user_test_cleanup(void);
+int user_add_tests(CU_pSuite suite);
+
+#endif
diff --git a/libsemanage/tests/test_utilities.c b/libsemanage/tests/test_utilities.c
index 601508c2..33609401 100644
--- a/libsemanage/tests/test_utilities.c
+++ b/libsemanage/tests/test_utilities.c
@@ -34,6 +34,8 @@
#include <string.h>
#include <unistd.h>
+#include "utilities.h"
+
void test_semanage_is_prefix(void);
void test_semanage_split_on_space(void);
void test_semanage_split(void);
@@ -140,18 +142,22 @@ void test_semanage_split_on_space(void)
if (!str) {
CU_FAIL
("semanage_split_on_space: unable to perform test, no memory");
+ return;
}
temp = semanage_split_on_space(str);
+ CU_ASSERT_PTR_NOT_NULL_FATAL(temp);
CU_ASSERT_STRING_EQUAL(temp, "bar baz");
free(str);
str = temp;
temp = semanage_split_on_space(str);
+ CU_ASSERT_PTR_NOT_NULL_FATAL(temp);
CU_ASSERT_STRING_EQUAL(temp, "baz");
free(str);
str = temp;
temp = semanage_split_on_space(str);
+ CU_ASSERT_PTR_NOT_NULL_FATAL(temp);
CU_ASSERT_STRING_EQUAL(temp, "");
free(str);
free(temp);
@@ -168,21 +174,25 @@ void test_semanage_split(void)
return;
}
temp = semanage_split(str, NULL);
+ CU_ASSERT_PTR_NOT_NULL_FATAL(temp);
CU_ASSERT_STRING_EQUAL(temp, "foo2 foo:bar:");
free(str);
str = temp;
temp = semanage_split(str, "");
+ CU_ASSERT_PTR_NOT_NULL_FATAL(temp);
CU_ASSERT_STRING_EQUAL(temp, "foo:bar:");
free(str);
str = temp;
temp = semanage_split(str, ":");
+ CU_ASSERT_PTR_NOT_NULL_FATAL(temp);
CU_ASSERT_STRING_EQUAL(temp, "bar:");
free(str);
str = temp;
temp = semanage_split(str, ":");
+ CU_ASSERT_PTR_NOT_NULL_FATAL(temp);
CU_ASSERT_STRING_EQUAL(temp, "");
free(str);
free(temp);
@@ -298,14 +308,17 @@ void test_semanage_findval(void)
CU_FAIL_FATAL("Temporary file was not created, aborting test.");
}
tok = semanage_findval(fname, "one", NULL);
+ CU_ASSERT_PTR_NOT_NULL_FATAL(tok);
CU_ASSERT_STRING_EQUAL(tok, "");
free(tok);
rewind(fptr);
tok = semanage_findval(fname, "one", "");
+ CU_ASSERT_PTR_NOT_NULL_FATAL(tok);
CU_ASSERT_STRING_EQUAL(tok, "");
free(tok);
rewind(fptr);
tok = semanage_findval(fname, "sigma", "=");
+ CU_ASSERT_PTR_NOT_NULL_FATAL(tok);
CU_ASSERT_STRING_EQUAL(tok, "foo");
free(tok);
}
diff --git a/libsemanage/tests/utilities.c b/libsemanage/tests/utilities.c
index 7cc726c6..18393215 100644
--- a/libsemanage/tests/utilities.c
+++ b/libsemanage/tests/utilities.c
@@ -1,6 +1,7 @@
/* Authors: Christopher Ashworth <cashworth@tresys.com>
*
* Copyright (C) 2006 Tresys Technology, LLC
+ * Copyright (C) 2019 Red Hat, Inc.
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
@@ -17,16 +18,261 @@
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
*/
-/* The purpose of this file is to provide some functions commonly needed
+/* The purpose of this file is to provide some functions commonly needed
* by our unit tests.
*/
#include "utilities.h"
+int test_store_enabled = 0;
+
+semanage_handle_t *sh = NULL;
+
/* Silence any error output caused by our tests
- * by using this dummy function to catch messages.
+ * by using this dummy function to catch messages.
*/
-void test_msg_handler(void *varg,
- semanage_handle_t * handle, const char *fmt, ...)
+void test_msg_handler(void *varg, semanage_handle_t *handle, const char *fmt,
+ ...)
{
}
+
+int create_test_store() {
+ FILE *fptr;
+
+ if (mkdir("test-policy", 0700) < 0)
+ return -1;
+
+ if (mkdir("test-policy/store", 0700) < 0)
+ return -1;
+
+ if (mkdir("test-policy/store/active", 0700) < 0)
+ return -1;
+
+ if (mkdir("test-policy/store/active/modules", 0700) < 0)
+ return -1;
+
+ if (mkdir("test-policy/etc", 0700) < 0)
+ return -1;
+
+ if (mkdir("test-policy/etc/selinux", 0700) < 0)
+ return -1;
+
+ fptr = fopen("test-policy/etc/selinux/semanage.conf", "w+");
+
+ if (!fptr)
+ return -1;
+
+ fclose(fptr);
+
+ enable_test_store();
+ return 0;
+}
+
+void disable_test_store(void) {
+ test_store_enabled = 0;
+}
+
+void enable_test_store(void) {
+ test_store_enabled = 1;
+}
+
+int write_test_policy(char *data, size_t data_len) {
+ FILE *fptr = fopen("test-policy/store/active/policy.kern", "wb+");
+
+ if (!fptr) {
+ perror("fopen");
+ return -1;
+ }
+
+ if (fwrite(data, data_len, 1, fptr) != 1) {
+ perror("fwrite");
+ fclose(fptr);
+ return -1;
+ }
+
+ fclose(fptr);
+
+ return 0;
+}
+
+int write_test_policy_from_file(const char *filename) {
+ char *buf = NULL;
+ size_t len = 0;
+ FILE *fptr = fopen(filename, "rb");
+
+ if (!fptr) {
+ perror("fopen");
+ return -1;
+ }
+
+ fseek(fptr, 0, SEEK_END);
+ len = ftell(fptr);
+ fseek(fptr, 0, SEEK_SET);
+
+ buf = (char *) malloc(len);
+
+ if (!buf) {
+ perror("malloc");
+ fclose(fptr);
+ return -1;
+ }
+
+ fread(buf, len, 1, fptr);
+ fclose(fptr);
+
+ return write_test_policy(buf, len);
+}
+
+int write_test_policy_src(unsigned char *data, unsigned int data_len) {
+ if (mkdir("test-policy/store/active/modules/100", 0700) < 0)
+ return -1;
+
+ if (mkdir("test-policy/store/active/modules/100/base", 0700) < 0)
+ return -1;
+
+ FILE *fptr = fopen("test-policy/store/active/modules/100/base/cil",
+ "w+");
+
+ if (!fptr) {
+ perror("fopen");
+ return -1;
+ }
+
+ if (fwrite(data, data_len, 1, fptr) != 1) {
+ perror("fwrite");
+ fclose(fptr);
+ return -1;
+ }
+
+ fclose(fptr);
+
+ fptr = fopen("test-policy/store/active/modules/100/base/lang_ext",
+ "w+");
+
+ if (!fptr) {
+ perror("fopen");
+ return -1;
+ }
+
+ if (fwrite("cil", sizeof("cil"), 1, fptr) != 1) {
+ perror("fwrite");
+ fclose(fptr);
+ return -1;
+ }
+
+ fclose(fptr);
+
+ return 0;
+}
+
+int destroy_test_store() {
+ FTS *ftsp = NULL;
+ FTSENT *curr = NULL;
+ int ret = 0;
+
+ disable_test_store();
+
+ char *files[] = { (char *) "test-policy", NULL };
+
+ ftsp = fts_open(files, FTS_NOCHDIR | FTS_PHYSICAL | FTS_XDEV, NULL);
+
+ if (!ftsp)
+ return -1;
+
+ while ((curr = fts_read(ftsp)))
+ switch (curr->fts_info) {
+ case FTS_DP:
+ case FTS_F:
+ case FTS_SL:
+ case FTS_SLNONE:
+ case FTS_DEFAULT:
+ if (remove(curr->fts_accpath) < 0)
+ ret = -1;
+ default:
+ break;
+ }
+
+ fts_close(ftsp);
+
+ return ret;
+}
+
+void helper_handle_create(void) {
+ if (test_store_enabled)
+ semanage_set_root("test-policy");
+
+ sh = semanage_handle_create();
+ CU_ASSERT_PTR_NOT_NULL(sh);
+
+ semanage_msg_set_callback(sh, test_msg_handler, NULL);
+
+ if (test_store_enabled) {
+ semanage_set_create_store(sh, 1);
+ semanage_set_reload(sh, 0);
+ semanage_set_store_root(sh, "");
+ semanage_select_store(sh, (char *) "store",
+ SEMANAGE_CON_DIRECT);
+ }
+}
+
+void helper_handle_destroy(void) {
+ semanage_handle_destroy(sh);
+}
+
+void helper_connect(void) {
+ CU_ASSERT(semanage_connect(sh) >= 0);
+}
+
+void helper_disconnect(void) {
+ CU_ASSERT(semanage_disconnect(sh) >= 0);
+}
+
+void helper_begin_transaction(void) {
+ CU_ASSERT(semanage_begin_transaction(sh) >= 0);
+}
+
+void helper_commit(void) {
+ CU_ASSERT(semanage_commit(sh) >= 0);
+}
+
+void setup_handle(level_t level) {
+ if (level >= SH_NULL)
+ sh = NULL;
+
+ if (level >= SH_HANDLE)
+ helper_handle_create();
+
+ if (level >= SH_CONNECT)
+ helper_connect();
+
+ if (level >= SH_TRANS)
+ helper_begin_transaction();
+}
+
+void cleanup_handle(level_t level) {
+ if (level >= SH_TRANS)
+ helper_commit();
+
+ if (level >= SH_CONNECT)
+ helper_disconnect();
+
+ if (level >= SH_HANDLE)
+ helper_handle_destroy();
+
+ if (level >= SH_NULL)
+ sh = NULL;
+}
+
+void setup_handle_invalid_store(level_t level) {
+ CU_ASSERT(level >= SH_HANDLE);
+
+ helper_handle_create();
+
+ semanage_select_store(sh, (char *) "", SEMANAGE_CON_INVALID);
+
+ if (level >= SH_CONNECT)
+ helper_connect();
+
+ if (level >= SH_TRANS)
+ helper_begin_transaction();
+}
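Review bot: In write_test_policy_from_file the buffer returned by `malloc(len)` is never freed, and the results of `fseek`, `ftell` and `fread` are ignored. A failed `ftell` (-1) is converted to a huge `size_t` length, and a short or failed read passes uninitialised heap bytes on to write_test_policy. Checking each call and freeing `buf` on every path makes the helper fail visibly instead of writing a malformed policy.kern. Separately, helper_handle_create in the same hunk checks `sh` with the non-fatal `CU_ASSERT_PTR_NOT_NULL(sh)` and then keeps using it; `CU_ASSERT_PTR_NOT_NULL_FATAL(sh)` would stop the test at that point.

```c
int write_test_policy_from_file(const char *filename) {
	char *buf = NULL;
	long pos;
	size_t len;
	int ret;
	FILE *fptr = fopen(filename, "rb");

	/* … unchanged: fopen failure check … */

	pos = (fseek(fptr, 0, SEEK_END) == 0) ? ftell(fptr) : -1;
	if (pos < 0 || fseek(fptr, 0, SEEK_SET) != 0) {
		perror("fseek");
		fclose(fptr);
		return -1;
	}
	len = (size_t) pos;

	/* … unchanged: malloc(len) and its failure check … */

	if (fread(buf, len, 1, fptr) != 1) {
		perror("fread");
		free(buf);
		fclose(fptr);
		return -1;
	}
	fclose(fptr);

	ret = write_test_policy(buf, len);
	free(buf);
	return ret;
}
```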
diff --git a/libsemanage/tests/utilities.h b/libsemanage/tests/utilities.h
index 781867d1..db4dabf9 100644
--- a/libsemanage/tests/utilities.h
+++ b/libsemanage/tests/utilities.h
@@ -1,6 +1,7 @@
/* Authors: Christopher Ashworth <cashworth@tresys.com>
*
* Copyright (C) 2006 Tresys Technology, LLC
+ * Copyright (C) 2019 Red Hat, Inc.
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
@@ -17,7 +18,81 @@
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
*/
-#include "handle.h"
+#ifndef __UTILITIES_H__
+#define __UTILITIES_H__
-void test_msg_handler(void *varg, semanage_handle_t * handle, const char *fmt,
+#include <stdio.h>
+#include <stdlib.h>
+#include <stdarg.h>
+#include <fts.h>
+#include <assert.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <CUnit/Basic.h>
+
+#include "semanage/semanage.h"
+
+#define CU_ASSERT_CONTEXT_EQUAL(CON1,CON2) \
+ do { \
+ char *__str; \
+ char *__str2; \
+ CU_ASSERT(semanage_context_to_string(sh, CON1, &__str) >= 0); \
+ CU_ASSERT(semanage_context_to_string(sh, CON2, &__str2) >= 0); \
+ CU_ASSERT_STRING_EQUAL(__str, __str2); \
+ } while (0)
+
+
+/* Override CU_*_FATAL() in order to help static analyzers by really asserting that an assertion holds */
+#ifdef __CHECKER__
+
+#undef CU_ASSERT_FATAL
+#define CU_ASSERT_FATAL(value) do { \
+ int _value = (value); \
+ CU_ASSERT(_value); \
+ assert(_value); \
+ } while (0)
+
+#undef CU_FAIL_FATAL
+#define CU_FAIL_FATAL(msg) do { \
+ CU_FAIL(msg); \
+ assert(0); \
+ } while (0)
+
+#undef CU_ASSERT_PTR_NOT_NULL_FATAL
+#define CU_ASSERT_PTR_NOT_NULL_FATAL(value) do { \
+ const void *_value = (value); \
+ CU_ASSERT_PTR_NOT_NULL(_value); \
+ assert(_value != NULL); \
+ } while (0)
+
+#endif /* __CHECKER__ */
+
+#define I_NULL -1
+#define I_FIRST 0
+#define I_SECOND 1
+#define I_THIRD 2
+
+typedef enum { SH_NULL, SH_HANDLE, SH_CONNECT, SH_TRANS } level_t;
+
+void test_msg_handler(void *varg, semanage_handle_t *handle, const char *fmt,
...);
+
+void setup_handle(level_t level);
+void cleanup_handle(level_t level);
+void setup_handle_invalid_store(level_t level);
+
+void helper_handle_create(void);
+void helper_handle_destroy(void);
+void helper_connect(void);
+void helper_disconnect(void);
+void helper_begin_transaction(void);
+void helper_commit(void);
+
+int create_test_store(void);
+int write_test_policy_from_file(const char *filename);
+int write_test_policy_src(unsigned char *data, unsigned int data_len);
+int destroy_test_store(void);
+void enable_test_store(void);
+void disable_test_store(void);
+
+#endif
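Review bot: CU_ASSERT_CONTEXT_EQUAL still runs `CU_ASSERT_STRING_EQUAL(__str, __str2)` when a semanage_context_to_string call has failed, because both conversions are checked with the non-fatal `CU_ASSERT` and the two pointers are declared without an initialiser, so the comparison can read an indeterminate pointer. Declaring them as `char *__str = NULL;` and `char *__str2 = NULL;`, checking the conversions with `CU_ASSERT_FATAL(...)`, and ending the macro body with `free(__str); free(__str2);` would avoid that. The `free` assumes the function hands ownership of the string to the caller, which this header does not show. As a style point, the `__`-prefixed locals and the `__UTILITIES_H__` guard use names reserved for the implementation.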
diff --git a/libsepol/VERSION b/libsepol/VERSION
index 8c269150..9f55b2cc 100644
--- a/libsepol/VERSION
+++ b/libsepol/VERSION
@@ -1 +1 @@
-2.9
+3.0
diff --git a/libsepol/cil/src/cil.c b/libsepol/cil/src/cil.c
index 2a7ec063..d222ad3a 100644
--- a/libsepol/cil/src/cil.c
+++ b/libsepol/cil/src/cil.c
@@ -77,6 +77,168 @@ int cil_sym_sizes[CIL_SYM_ARRAY_NUM][CIL_SYM_NUM] = {
{1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1}
};
+char *CIL_KEY_CONS_T1;
+char *CIL_KEY_CONS_T2;
+char *CIL_KEY_CONS_T3;
+char *CIL_KEY_CONS_R1;
+char *CIL_KEY_CONS_R2;
+char *CIL_KEY_CONS_R3;
+char *CIL_KEY_CONS_U1;
+char *CIL_KEY_CONS_U2;
+char *CIL_KEY_CONS_U3;
+char *CIL_KEY_CONS_L1;
+char *CIL_KEY_CONS_L2;
+char *CIL_KEY_CONS_H1;
+char *CIL_KEY_CONS_H2;
+char *CIL_KEY_AND;
+char *CIL_KEY_OR;
+char *CIL_KEY_NOT;
+char *CIL_KEY_EQ;
+char *CIL_KEY_NEQ;
+char *CIL_KEY_CONS_DOM;
+char *CIL_KEY_CONS_DOMBY;
+char *CIL_KEY_CONS_INCOMP;
+char *CIL_KEY_CONDTRUE;
+char *CIL_KEY_CONDFALSE;
+char *CIL_KEY_SELF;
+char *CIL_KEY_OBJECT_R;
+char *CIL_KEY_STAR;
+char *CIL_KEY_TCP;
+char *CIL_KEY_UDP;
+char *CIL_KEY_DCCP;
+char *CIL_KEY_SCTP;
+char *CIL_KEY_AUDITALLOW;
+char *CIL_KEY_TUNABLEIF;
+char *CIL_KEY_ALLOW;
+char *CIL_KEY_DONTAUDIT;
+char *CIL_KEY_TYPETRANSITION;
+char *CIL_KEY_TYPECHANGE;
+char *CIL_KEY_CALL;
+char *CIL_KEY_TUNABLE;
+char *CIL_KEY_XOR;
+char *CIL_KEY_ALL;
+char *CIL_KEY_RANGE;
+char *CIL_KEY_GLOB;
+char *CIL_KEY_FILE;
+char *CIL_KEY_DIR;
+char *CIL_KEY_CHAR;
+char *CIL_KEY_BLOCK;
+char *CIL_KEY_SOCKET;
+char *CIL_KEY_PIPE;
+char *CIL_KEY_SYMLINK;
+char *CIL_KEY_ANY;
+char *CIL_KEY_XATTR;
+char *CIL_KEY_TASK;
+char *CIL_KEY_TRANS;
+char *CIL_KEY_TYPE;
+char *CIL_KEY_ROLE;
+char *CIL_KEY_USER;
+char *CIL_KEY_USERATTRIBUTE;
+char *CIL_KEY_USERATTRIBUTESET;
+char *CIL_KEY_SENSITIVITY;
+char *CIL_KEY_CATEGORY;
+char *CIL_KEY_CATSET;
+char *CIL_KEY_LEVEL;
+char *CIL_KEY_LEVELRANGE;
+char *CIL_KEY_CLASS;
+char *CIL_KEY_IPADDR;
+char *CIL_KEY_MAP_CLASS;
+char *CIL_KEY_CLASSPERMISSION;
+char *CIL_KEY_BOOL;
+char *CIL_KEY_STRING;
+char *CIL_KEY_NAME;
+char *CIL_KEY_SOURCE;
+char *CIL_KEY_TARGET;
+char *CIL_KEY_LOW;
+char *CIL_KEY_HIGH;
+char *CIL_KEY_LOW_HIGH;
+char *CIL_KEY_GLBLUB;
+char *CIL_KEY_HANDLEUNKNOWN;
+char *CIL_KEY_HANDLEUNKNOWN_ALLOW;
+char *CIL_KEY_HANDLEUNKNOWN_DENY;
+char *CIL_KEY_HANDLEUNKNOWN_REJECT;
+char *CIL_KEY_MACRO;
+char *CIL_KEY_IN;
+char *CIL_KEY_MLS;
+char *CIL_KEY_DEFAULTRANGE;
+char *CIL_KEY_BLOCKINHERIT;
+char *CIL_KEY_BLOCKABSTRACT;
+char *CIL_KEY_CLASSORDER;
+char *CIL_KEY_CLASSMAPPING;
+char *CIL_KEY_CLASSPERMISSIONSET;
+char *CIL_KEY_COMMON;
+char *CIL_KEY_CLASSCOMMON;
+char *CIL_KEY_SID;
+char *CIL_KEY_SIDCONTEXT;
+char *CIL_KEY_SIDORDER;
+char *CIL_KEY_USERLEVEL;
+char *CIL_KEY_USERRANGE;
+char *CIL_KEY_USERBOUNDS;
+char *CIL_KEY_USERPREFIX;
+char *CIL_KEY_SELINUXUSER;
+char *CIL_KEY_SELINUXUSERDEFAULT;
+char *CIL_KEY_TYPEATTRIBUTE;
+char *CIL_KEY_TYPEATTRIBUTESET;
+char *CIL_KEY_EXPANDTYPEATTRIBUTE;
+char *CIL_KEY_TYPEALIAS;
+char *CIL_KEY_TYPEALIASACTUAL;
+char *CIL_KEY_TYPEBOUNDS;
+char *CIL_KEY_TYPEPERMISSIVE;
+char *CIL_KEY_RANGETRANSITION;
+char *CIL_KEY_USERROLE;
+char *CIL_KEY_ROLETYPE;
+char *CIL_KEY_ROLETRANSITION;
+char *CIL_KEY_ROLEALLOW;
+char *CIL_KEY_ROLEATTRIBUTE;
+char *CIL_KEY_ROLEATTRIBUTESET;
+char *CIL_KEY_ROLEBOUNDS;
+char *CIL_KEY_BOOLEANIF;
+char *CIL_KEY_NEVERALLOW;
+char *CIL_KEY_TYPEMEMBER;
+char *CIL_KEY_SENSALIAS;
+char *CIL_KEY_SENSALIASACTUAL;
+char *CIL_KEY_CATALIAS;
+char *CIL_KEY_CATALIASACTUAL;
+char *CIL_KEY_CATORDER;
+char *CIL_KEY_SENSITIVITYORDER;
+char *CIL_KEY_SENSCAT;
+char *CIL_KEY_CONSTRAIN;
+char *CIL_KEY_MLSCONSTRAIN;
+char *CIL_KEY_VALIDATETRANS;
+char *CIL_KEY_MLSVALIDATETRANS;
+char *CIL_KEY_CONTEXT;
+char *CIL_KEY_FILECON;
+char *CIL_KEY_IBPKEYCON;
+char *CIL_KEY_IBENDPORTCON;
+char *CIL_KEY_PORTCON;
+char *CIL_KEY_NODECON;
+char *CIL_KEY_GENFSCON;
+char *CIL_KEY_NETIFCON;
+char *CIL_KEY_PIRQCON;
+char *CIL_KEY_IOMEMCON;
+char *CIL_KEY_IOPORTCON;
+char *CIL_KEY_PCIDEVICECON;
+char *CIL_KEY_DEVICETREECON;
+char *CIL_KEY_FSUSE;
+char *CIL_KEY_POLICYCAP;
+char *CIL_KEY_OPTIONAL;
+char *CIL_KEY_DEFAULTUSER;
+char *CIL_KEY_DEFAULTROLE;
+char *CIL_KEY_DEFAULTTYPE;
+char *CIL_KEY_ROOT;
+char *CIL_KEY_NODE;
+char *CIL_KEY_PERM;
+char *CIL_KEY_ALLOWX;
+char *CIL_KEY_AUDITALLOWX;
+char *CIL_KEY_DONTAUDITX;
+char *CIL_KEY_NEVERALLOWX;
+char *CIL_KEY_PERMISSIONX;
+char *CIL_KEY_IOCTL;
+char *CIL_KEY_UNORDERED;
+char *CIL_KEY_SRC_INFO;
+char *CIL_KEY_SRC_CIL;
+char *CIL_KEY_SRC_HLL;
+
static void cil_init_keys(void)
{
/* Initialize CIL Keys into strpool */
@@ -227,6 +389,7 @@ static void cil_init_keys(void)
CIL_KEY_LOW = cil_strpool_add("low");
CIL_KEY_HIGH = cil_strpool_add("high");
CIL_KEY_LOW_HIGH = cil_strpool_add("low-high");
+ CIL_KEY_GLBLUB = cil_strpool_add("glblub");
CIL_KEY_ROOT = cil_strpool_add("<root>");
CIL_KEY_NODE = cil_strpool_add("<node>");
CIL_KEY_PERM = cil_strpool_add("perm");
diff --git a/libsepol/cil/src/cil_binary.c b/libsepol/cil/src/cil_binary.c
index 77ffc36f..4cf6f481 100644
--- a/libsepol/cil/src/cil_binary.c
+++ b/libsepol/cil/src/cil_binary.c
@@ -1608,7 +1608,7 @@ int __cil_permx_bitmap_to_sepol_xperms_list(ebitmap_t *xperms, struct cil_list *
continue;
}
- // if we got here, i is the end of this range (either becuase the func
+ // if we got here, i is the end of this range (either because the func
// is 0xff or the next bit isn't set). The next time around we are
// going to need a start a new range
high = i;
@@ -1665,7 +1665,7 @@ int __cil_avrulex_ioctl_to_policydb(hashtab_key_t k, hashtab_datum_t datum, void
sepol_obj = pdb->class_val_to_struct[avtab_key->target_class - 1];
- // setting the data for an extended avtab isn't really neccessary because
+ // setting the data for an extended avtab isn't really necessary because
// it is ignored by the kernel. However, neverallow checking requires that
// the data value be set, so set it for that to work.
rc = __perm_str_to_datum(CIL_KEY_IOCTL, sepol_obj, &data);
@@ -4152,7 +4152,7 @@ int __cil_policydb_init(policydb_t *pdb, const struct cil_db *db, struct cil_cla
int rc = SEPOL_ERR;
// these flags should get set in __cil_policydb_create. However, for
- // backwards compatability, it is possible that __cil_policydb_create is
+ // backwards compatibility, it is possible that __cil_policydb_create is
// never called. So, they must also be set here.
pdb->handle_unknown = db->handle_unknown;
pdb->mls = db->mls;
@@ -5043,11 +5043,13 @@ exit:
hashtab_destroy(avrulex_ioctl_table);
free(type_value_to_cil);
free(class_value_to_cil);
- /* Range is because libsepol values start at 1. */
- for (i=1; i < db->num_classes+1; i++) {
- free(perm_value_to_cil[i]);
+ if (perm_value_to_cil != NULL) {
+ /* Range is because libsepol values start at 1. */
+ for (i=1; i < db->num_classes+1; i++) {
+ free(perm_value_to_cil[i]);
+ }
+ free(perm_value_to_cil);
}
- free(perm_value_to_cil);
cil_list_destroy(&neverallows, CIL_FALSE);
return rc;
diff --git a/libsepol/cil/src/cil_binary.h b/libsepol/cil/src/cil_binary.h
index 5367febe..1004df45 100644
--- a/libsepol/cil/src/cil_binary.h
+++ b/libsepol/cil/src/cil_binary.h
@@ -49,11 +49,11 @@ int cil_binary_create(const struct cil_db *db, sepol_policydb_t **pdb);
/**
* Create a pre allocated binary policydb from the cil db.
*
- * It is assumed that pdb has been allocated and initialzed so that fields such
- * as policy type and version are set appropriately. It is reccomended that
+ * It is assumed that pdb has been allocated and initialized so that fields such
+ * as policy type and version are set appropriately. It is recommended that
* instead of calling this, one instead calls cil_binary_create, which will
* properly allocate and initialize the pdb and then calls this function. This
- * funcion is used to maintain binary backwards compatability.
+ * function is used to maintain binary backwards compatibility.
*
* @param[in] db The cil database.
* @param[in] pdb The policy database.
@@ -126,7 +126,7 @@ int cil_typealias_to_policydb(policydb_t *pdb, struct cil_alias *cil_alias);
/**
* Insert cil typepermissive structure into sepol policydb.
- * The function looks up the perviously inserted type and flips the bit
+ * The function looks up the previously inserted type and flips the bit
* in the permssive types bitmap that corresponds to that type's value.
*
* @param[in] pdb The policy database to insert the typepermissive into.
diff --git a/libsepol/cil/src/cil_build_ast.c b/libsepol/cil/src/cil_build_ast.c
index b90b0f60..307b1ee3 100644
--- a/libsepol/cil/src/cil_build_ast.c
+++ b/libsepol/cil/src/cil_build_ast.c
@@ -5894,7 +5894,7 @@ int cil_gen_defaultrange(struct cil_tree_node *parse_current, struct cil_tree_no
CIL_SYN_STRING,
CIL_SYN_STRING | CIL_SYN_LIST,
CIL_SYN_STRING,
- CIL_SYN_STRING,
+ CIL_SYN_STRING | CIL_SYN_END,
CIL_SYN_END
};
int syntax_len = sizeof(syntax)/sizeof(*syntax);
@@ -5917,8 +5917,8 @@ int cil_gen_defaultrange(struct cil_tree_node *parse_current, struct cil_tree_no
}
object = parse_current->next->next->data;
- range = parse_current->next->next->next->data;
if (object == CIL_KEY_SOURCE) {
+ range = parse_current->next->next->next->data;
if (range == CIL_KEY_LOW) {
def->object_range = CIL_DEFAULT_SOURCE_LOW;
} else if (range == CIL_KEY_HIGH) {
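Review bot: `range = parse_current->next->next->next->data;` in the `source` branch dereferences a node that the relaxed syntax entry `CIL_SYN_STRING | CIL_SYN_END` (previous hunk) now allows to be absent. A statement that ends right after `source` would presumably pass the syntax check and then read through a NULL `next` pointer. The `target` branch in the following hunk has the same read, so both branches should test the fourth node before using it. Conversely, the `glblub` branch ignores a trailing fourth token and could reject it. The function starts and ends outside these hunks, so the syntax check itself is not visible here.

```c
if (object == CIL_KEY_SOURCE) {
	if (parse_current->next->next->next == NULL) {
		cil_log(CIL_ERR, "Missing 'low', 'high', or 'low-high'\n");
		rc = SEPOL_ERR;
		goto exit;
	}
	range = parse_current->next->next->next->data;
	/* … unchanged: low / high / low-high comparison … */
```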
@@ -5930,7 +5930,8 @@ int cil_gen_defaultrange(struct cil_tree_node *parse_current, struct cil_tree_no
rc = SEPOL_ERR;
goto exit;
}
- } else if (parse_current->next->next->data == CIL_KEY_TARGET) {
+ } else if (object == CIL_KEY_TARGET) {
+ range = parse_current->next->next->next->data;
if (range == CIL_KEY_LOW) {
def->object_range = CIL_DEFAULT_TARGET_LOW;
} else if (range == CIL_KEY_HIGH) {
@@ -5942,8 +5943,10 @@ int cil_gen_defaultrange(struct cil_tree_node *parse_current, struct cil_tree_no
rc = SEPOL_ERR;
goto exit;
}
+ } else if (object == CIL_KEY_GLBLUB) {
+ def->object_range = CIL_DEFAULT_GLBLUB;
} else {
- cil_log(CIL_ERR,"Expected either \'source\' or \'target\'\n");
+ cil_log(CIL_ERR,"Expected \'source\', \'target\', or \'glblub\'\n");
rc = SEPOL_ERR;
goto exit;
}
@@ -6122,7 +6125,7 @@ int __cil_build_ast_node_helper(struct cil_tree_node *parse_current, uint32_t *f
rc = SEPOL_OK;
goto exit;
} else if (parse_current->data == NULL) {
- /* the only time parenthsis can immediately following parenthesis is if
+ /* the only time parenthesis can immediately following parenthesis is if
* the parent is the root node */
if (parse_current->parent->parent == NULL) {
rc = SEPOL_OK;
@@ -6541,7 +6544,7 @@ int __cil_build_ast_last_child_helper(struct cil_tree_node *parse_current, void
// At this point we no longer have any need for parse_current or any of its
// siblings; they have all been converted to the appropriate AST node. The
// full parse tree will get deleted elsewhere, but in an attempt to
- // minimize memory useage (of which the parse tree uses alot), start
+ // minimize memory usage (of which the parse tree uses a lot), start
// deleting the parts we don't need now.
cil_tree_children_destroy(parse_current->parent);
diff --git a/libsepol/cil/src/cil_copy_ast.c b/libsepol/cil/src/cil_copy_ast.c
index 7af00aaf..67dd8528 100644
--- a/libsepol/cil/src/cil_copy_ast.c
+++ b/libsepol/cil/src/cil_copy_ast.c
@@ -827,7 +827,7 @@ int cil_copy_avrule(struct cil_db *db, void *data, void **copy, __attribute__((u
if (!new->is_extended) {
cil_copy_classperms_list(orig->perms.classperms, &new->perms.classperms);
} else {
- if (new->perms.x.permx_str != NULL) {
+ if (orig->perms.x.permx_str != NULL) {
new->perms.x.permx_str = orig->perms.x.permx_str;
} else {
cil_permissionx_init(&new->perms.x.permx);
diff --git a/libsepol/cil/src/cil_fqn.c b/libsepol/cil/src/cil_fqn.c
index 717358a2..2e76f873 100644
--- a/libsepol/cil/src/cil_fqn.c
+++ b/libsepol/cil/src/cil_fqn.c
@@ -103,7 +103,7 @@ static int __cil_fqn_qualify_blocks(__attribute__((unused)) hashtab_key_t k, has
case CIL_SYM_IPADDRS:
case CIL_SYM_NAMES:
case CIL_SYM_PERMX:
- /* These do not show up in the kernal policy */
+ /* These do not show up in the kernel policy */
break;
case CIL_SYM_POLICYCAPS:
/* Valid policy capability names are defined in libsepol */
diff --git a/libsepol/cil/src/cil_internal.h b/libsepol/cil/src/cil_internal.h
index 6ff32285..9bdcbdd0 100644
--- a/libsepol/cil/src/cil_internal.h
+++ b/libsepol/cil/src/cil_internal.h
@@ -74,166 +74,167 @@ enum cil_pass {
/*
Keywords
*/
-char *CIL_KEY_CONS_T1;
-char *CIL_KEY_CONS_T2;
-char *CIL_KEY_CONS_T3;
-char *CIL_KEY_CONS_R1;
-char *CIL_KEY_CONS_R2;
-char *CIL_KEY_CONS_R3;
-char *CIL_KEY_CONS_U1;
-char *CIL_KEY_CONS_U2;
-char *CIL_KEY_CONS_U3;
-char *CIL_KEY_CONS_L1;
-char *CIL_KEY_CONS_L2;
-char *CIL_KEY_CONS_H1;
-char *CIL_KEY_CONS_H2;
-char *CIL_KEY_AND;
-char *CIL_KEY_OR;
-char *CIL_KEY_NOT;
-char *CIL_KEY_EQ;
-char *CIL_KEY_NEQ;
-char *CIL_KEY_CONS_DOM;
-char *CIL_KEY_CONS_DOMBY;
-char *CIL_KEY_CONS_INCOMP;
-char *CIL_KEY_CONDTRUE;
-char *CIL_KEY_CONDFALSE;
-char *CIL_KEY_SELF;
-char *CIL_KEY_OBJECT_R;
-char *CIL_KEY_STAR;
-char *CIL_KEY_TCP;
-char *CIL_KEY_UDP;
-char *CIL_KEY_DCCP;
-char *CIL_KEY_SCTP;
-char *CIL_KEY_AUDITALLOW;
-char *CIL_KEY_TUNABLEIF;
-char *CIL_KEY_ALLOW;
-char *CIL_KEY_DONTAUDIT;
-char *CIL_KEY_TYPETRANSITION;
-char *CIL_KEY_TYPECHANGE;
-char *CIL_KEY_CALL;
-char *CIL_KEY_TUNABLE;
-char *CIL_KEY_XOR;
-char *CIL_KEY_ALL;
-char *CIL_KEY_RANGE;
-char *CIL_KEY_GLOB;
-char *CIL_KEY_FILE;
-char *CIL_KEY_DIR;
-char *CIL_KEY_CHAR;
-char *CIL_KEY_BLOCK;
-char *CIL_KEY_SOCKET;
-char *CIL_KEY_PIPE;
-char *CIL_KEY_SYMLINK;
-char *CIL_KEY_ANY;
-char *CIL_KEY_XATTR;
-char *CIL_KEY_TASK;
-char *CIL_KEY_TRANS;
-char *CIL_KEY_TYPE;
-char *CIL_KEY_ROLE;
-char *CIL_KEY_USER;
-char *CIL_KEY_USERATTRIBUTE;
-char *CIL_KEY_USERATTRIBUTESET;
-char *CIL_KEY_SENSITIVITY;
-char *CIL_KEY_CATEGORY;
-char *CIL_KEY_CATSET;
-char *CIL_KEY_LEVEL;
-char *CIL_KEY_LEVELRANGE;
-char *CIL_KEY_CLASS;
-char *CIL_KEY_IPADDR;
-char *CIL_KEY_MAP_CLASS;
-char *CIL_KEY_CLASSPERMISSION;
-char *CIL_KEY_BOOL;
-char *CIL_KEY_STRING;
-char *CIL_KEY_NAME;
-char *CIL_KEY_SOURCE;
-char *CIL_KEY_TARGET;
-char *CIL_KEY_LOW;
-char *CIL_KEY_HIGH;
-char *CIL_KEY_LOW_HIGH;
-char *CIL_KEY_HANDLEUNKNOWN;
-char *CIL_KEY_HANDLEUNKNOWN_ALLOW;
-char *CIL_KEY_HANDLEUNKNOWN_DENY;
-char *CIL_KEY_HANDLEUNKNOWN_REJECT;
-char *CIL_KEY_MACRO;
-char *CIL_KEY_IN;
-char *CIL_KEY_MLS;
-char *CIL_KEY_DEFAULTRANGE;
-char *CIL_KEY_BLOCKINHERIT;
-char *CIL_KEY_BLOCKABSTRACT;
-char *CIL_KEY_CLASSORDER;
-char *CIL_KEY_CLASSMAPPING;
-char *CIL_KEY_CLASSPERMISSIONSET;
-char *CIL_KEY_COMMON;
-char *CIL_KEY_CLASSCOMMON;
-char *CIL_KEY_SID;
-char *CIL_KEY_SIDCONTEXT;
-char *CIL_KEY_SIDORDER;
-char *CIL_KEY_USERLEVEL;
-char *CIL_KEY_USERRANGE;
-char *CIL_KEY_USERBOUNDS;
-char *CIL_KEY_USERPREFIX;
-char *CIL_KEY_SELINUXUSER;
-char *CIL_KEY_SELINUXUSERDEFAULT;
-char *CIL_KEY_TYPEATTRIBUTE;
-char *CIL_KEY_TYPEATTRIBUTESET;
-char *CIL_KEY_EXPANDTYPEATTRIBUTE;
-char *CIL_KEY_TYPEALIAS;
-char *CIL_KEY_TYPEALIASACTUAL;
-char *CIL_KEY_TYPEBOUNDS;
-char *CIL_KEY_TYPEPERMISSIVE;
-char *CIL_KEY_RANGETRANSITION;
-char *CIL_KEY_USERROLE;
-char *CIL_KEY_ROLETYPE;
-char *CIL_KEY_ROLETRANSITION;
-char *CIL_KEY_ROLEALLOW;
-char *CIL_KEY_ROLEATTRIBUTE;
-char *CIL_KEY_ROLEATTRIBUTESET;
-char *CIL_KEY_ROLEBOUNDS;
-char *CIL_KEY_BOOLEANIF;
-char *CIL_KEY_NEVERALLOW;
-char *CIL_KEY_TYPEMEMBER;
-char *CIL_KEY_SENSALIAS;
-char *CIL_KEY_SENSALIASACTUAL;
-char *CIL_KEY_CATALIAS;
-char *CIL_KEY_CATALIASACTUAL;
-char *CIL_KEY_CATORDER;
-char *CIL_KEY_SENSITIVITYORDER;
-char *CIL_KEY_SENSCAT;
-char *CIL_KEY_CONSTRAIN;
-char *CIL_KEY_MLSCONSTRAIN;
-char *CIL_KEY_VALIDATETRANS;
-char *CIL_KEY_MLSVALIDATETRANS;
-char *CIL_KEY_CONTEXT;
-char *CIL_KEY_FILECON;
-char *CIL_KEY_IBPKEYCON;
-char *CIL_KEY_IBENDPORTCON;
-char *CIL_KEY_PORTCON;
-char *CIL_KEY_NODECON;
-char *CIL_KEY_GENFSCON;
-char *CIL_KEY_NETIFCON;
-char *CIL_KEY_PIRQCON;
-char *CIL_KEY_IOMEMCON;
-char *CIL_KEY_IOPORTCON;
-char *CIL_KEY_PCIDEVICECON;
-char *CIL_KEY_DEVICETREECON;
-char *CIL_KEY_FSUSE;
-char *CIL_KEY_POLICYCAP;
-char *CIL_KEY_OPTIONAL;
-char *CIL_KEY_DEFAULTUSER;
-char *CIL_KEY_DEFAULTROLE;
-char *CIL_KEY_DEFAULTTYPE;
-char *CIL_KEY_ROOT;
-char *CIL_KEY_NODE;
-char *CIL_KEY_PERM;
-char *CIL_KEY_ALLOWX;
-char *CIL_KEY_AUDITALLOWX;
-char *CIL_KEY_DONTAUDITX;
-char *CIL_KEY_NEVERALLOWX;
-char *CIL_KEY_PERMISSIONX;
-char *CIL_KEY_IOCTL;
-char *CIL_KEY_UNORDERED;
-char *CIL_KEY_SRC_INFO;
-char *CIL_KEY_SRC_CIL;
-char *CIL_KEY_SRC_HLL;
+extern char *CIL_KEY_CONS_T1;
+extern char *CIL_KEY_CONS_T2;
+extern char *CIL_KEY_CONS_T3;
+extern char *CIL_KEY_CONS_R1;
+extern char *CIL_KEY_CONS_R2;
+extern char *CIL_KEY_CONS_R3;
+extern char *CIL_KEY_CONS_U1;
+extern char *CIL_KEY_CONS_U2;
+extern char *CIL_KEY_CONS_U3;
+extern char *CIL_KEY_CONS_L1;
+extern char *CIL_KEY_CONS_L2;
+extern char *CIL_KEY_CONS_H1;
+extern char *CIL_KEY_CONS_H2;
+extern char *CIL_KEY_AND;
+extern char *CIL_KEY_OR;
+extern char *CIL_KEY_NOT;
+extern char *CIL_KEY_EQ;
+extern char *CIL_KEY_NEQ;
+extern char *CIL_KEY_CONS_DOM;
+extern char *CIL_KEY_CONS_DOMBY;
+extern char *CIL_KEY_CONS_INCOMP;
+extern char *CIL_KEY_CONDTRUE;
+extern char *CIL_KEY_CONDFALSE;
+extern char *CIL_KEY_SELF;
+extern char *CIL_KEY_OBJECT_R;
+extern char *CIL_KEY_STAR;
+extern char *CIL_KEY_TCP;
+extern char *CIL_KEY_UDP;
+extern char *CIL_KEY_DCCP;
+extern char *CIL_KEY_SCTP;
+extern char *CIL_KEY_AUDITALLOW;
+extern char *CIL_KEY_TUNABLEIF;
+extern char *CIL_KEY_ALLOW;
+extern char *CIL_KEY_DONTAUDIT;
+extern char *CIL_KEY_TYPETRANSITION;
+extern char *CIL_KEY_TYPECHANGE;
+extern char *CIL_KEY_CALL;
+extern char *CIL_KEY_TUNABLE;
+extern char *CIL_KEY_XOR;
+extern char *CIL_KEY_ALL;
+extern char *CIL_KEY_RANGE;
+extern char *CIL_KEY_GLOB;
+extern char *CIL_KEY_FILE;
+extern char *CIL_KEY_DIR;
+extern char *CIL_KEY_CHAR;
+extern char *CIL_KEY_BLOCK;
+extern char *CIL_KEY_SOCKET;
+extern char *CIL_KEY_PIPE;
+extern char *CIL_KEY_SYMLINK;
+extern char *CIL_KEY_ANY;
+extern char *CIL_KEY_XATTR;
+extern char *CIL_KEY_TASK;
+extern char *CIL_KEY_TRANS;
+extern char *CIL_KEY_TYPE;
+extern char *CIL_KEY_ROLE;
+extern char *CIL_KEY_USER;
+extern char *CIL_KEY_USERATTRIBUTE;
+extern char *CIL_KEY_USERATTRIBUTESET;
+extern char *CIL_KEY_SENSITIVITY;
+extern char *CIL_KEY_CATEGORY;
+extern char *CIL_KEY_CATSET;
+extern char *CIL_KEY_LEVEL;
+extern char *CIL_KEY_LEVELRANGE;
+extern char *CIL_KEY_CLASS;
+extern char *CIL_KEY_IPADDR;
+extern char *CIL_KEY_MAP_CLASS;
+extern char *CIL_KEY_CLASSPERMISSION;
+extern char *CIL_KEY_BOOL;
+extern char *CIL_KEY_STRING;
+extern char *CIL_KEY_NAME;
+extern char *CIL_KEY_SOURCE;
+extern char *CIL_KEY_TARGET;
+extern char *CIL_KEY_LOW;
+extern char *CIL_KEY_HIGH;
+extern char *CIL_KEY_LOW_HIGH;
+extern char *CIL_KEY_GLBLUB;
+extern char *CIL_KEY_HANDLEUNKNOWN;
+extern char *CIL_KEY_HANDLEUNKNOWN_ALLOW;
+extern char *CIL_KEY_HANDLEUNKNOWN_DENY;
+extern char *CIL_KEY_HANDLEUNKNOWN_REJECT;
+extern char *CIL_KEY_MACRO;
+extern char *CIL_KEY_IN;
+extern char *CIL_KEY_MLS;
+extern char *CIL_KEY_DEFAULTRANGE;
+extern char *CIL_KEY_BLOCKINHERIT;
+extern char *CIL_KEY_BLOCKABSTRACT;
+extern char *CIL_KEY_CLASSORDER;
+extern char *CIL_KEY_CLASSMAPPING;
+extern char *CIL_KEY_CLASSPERMISSIONSET;
+extern char *CIL_KEY_COMMON;
+extern char *CIL_KEY_CLASSCOMMON;
+extern char *CIL_KEY_SID;
+extern char *CIL_KEY_SIDCONTEXT;
+extern char *CIL_KEY_SIDORDER;
+extern char *CIL_KEY_USERLEVEL;
+extern char *CIL_KEY_USERRANGE;
+extern char *CIL_KEY_USERBOUNDS;
+extern char *CIL_KEY_USERPREFIX;
+extern char *CIL_KEY_SELINUXUSER;
+extern char *CIL_KEY_SELINUXUSERDEFAULT;
+extern char *CIL_KEY_TYPEATTRIBUTE;
+extern char *CIL_KEY_TYPEATTRIBUTESET;
+extern char *CIL_KEY_EXPANDTYPEATTRIBUTE;
+extern char *CIL_KEY_TYPEALIAS;
+extern char *CIL_KEY_TYPEALIASACTUAL;
+extern char *CIL_KEY_TYPEBOUNDS;
+extern char *CIL_KEY_TYPEPERMISSIVE;
+extern char *CIL_KEY_RANGETRANSITION;
+extern char *CIL_KEY_USERROLE;
+extern char *CIL_KEY_ROLETYPE;
+extern char *CIL_KEY_ROLETRANSITION;
+extern char *CIL_KEY_ROLEALLOW;
+extern char *CIL_KEY_ROLEATTRIBUTE;
+extern char *CIL_KEY_ROLEATTRIBUTESET;
+extern char *CIL_KEY_ROLEBOUNDS;
+extern char *CIL_KEY_BOOLEANIF;
+extern char *CIL_KEY_NEVERALLOW;
+extern char *CIL_KEY_TYPEMEMBER;
+extern char *CIL_KEY_SENSALIAS;
+extern char *CIL_KEY_SENSALIASACTUAL;
+extern char *CIL_KEY_CATALIAS;
+extern char *CIL_KEY_CATALIASACTUAL;
+extern char *CIL_KEY_CATORDER;
+extern char *CIL_KEY_SENSITIVITYORDER;
+extern char *CIL_KEY_SENSCAT;
+extern char *CIL_KEY_CONSTRAIN;
+extern char *CIL_KEY_MLSCONSTRAIN;
+extern char *CIL_KEY_VALIDATETRANS;
+extern char *CIL_KEY_MLSVALIDATETRANS;
+extern char *CIL_KEY_CONTEXT;
+extern char *CIL_KEY_FILECON;
+extern char *CIL_KEY_IBPKEYCON;
+extern char *CIL_KEY_IBENDPORTCON;
+extern char *CIL_KEY_PORTCON;
+extern char *CIL_KEY_NODECON;
+extern char *CIL_KEY_GENFSCON;
+extern char *CIL_KEY_NETIFCON;
+extern char *CIL_KEY_PIRQCON;
+extern char *CIL_KEY_IOMEMCON;
+extern char *CIL_KEY_IOPORTCON;
+extern char *CIL_KEY_PCIDEVICECON;
+extern char *CIL_KEY_DEVICETREECON;
+extern char *CIL_KEY_FSUSE;
+extern char *CIL_KEY_POLICYCAP;
+extern char *CIL_KEY_OPTIONAL;
+extern char *CIL_KEY_DEFAULTUSER;
+extern char *CIL_KEY_DEFAULTROLE;
+extern char *CIL_KEY_DEFAULTTYPE;
+extern char *CIL_KEY_ROOT;
+extern char *CIL_KEY_NODE;
+extern char *CIL_KEY_PERM;
+extern char *CIL_KEY_ALLOWX;
+extern char *CIL_KEY_AUDITALLOWX;
+extern char *CIL_KEY_DONTAUDITX;
+extern char *CIL_KEY_NEVERALLOWX;
+extern char *CIL_KEY_PERMISSIONX;
+extern char *CIL_KEY_IOCTL;
+extern char *CIL_KEY_UNORDERED;
+extern char *CIL_KEY_SRC_INFO;
+extern char *CIL_KEY_SRC_CIL;
+extern char *CIL_KEY_SRC_HLL;
/*
Symbol Table Array Indices
@@ -941,6 +942,7 @@ enum cil_default_object_range {
CIL_DEFAULT_TARGET_LOW = DEFAULT_TARGET_LOW,
CIL_DEFAULT_TARGET_HIGH = DEFAULT_TARGET_HIGH,
CIL_DEFAULT_TARGET_LOW_HIGH = DEFAULT_TARGET_LOW_HIGH,
+ CIL_DEFAULT_GLBLUB = DEFAULT_GLBLUB,
};
/* Default labeling behavior for range */
diff --git a/libsepol/cil/src/cil_mem.c b/libsepol/cil/src/cil_mem.c
index 12c59be2..f73021b5 100644
--- a/libsepol/cil/src/cil_mem.c
+++ b/libsepol/cil/src/cil_mem.c
@@ -34,19 +34,6 @@
#include "cil_log.h"
-__attribute__((noreturn)) void cil_default_mem_error_handler(void)
-{
- cil_log(CIL_ERR, "Failed to allocate memory\n");
- exit(1);
-}
-
-void (*cil_mem_error_handler)(void) = &cil_default_mem_error_handler;
-
-void cil_set_mem_error_handler(void (*handler)(void))
-{
- cil_mem_error_handler = handler;
-}
-
void *cil_malloc(size_t size)
{
void *mem = malloc(size);
@@ -54,7 +41,8 @@ void *cil_malloc(size_t size)
if (size == 0) {
return NULL;
}
- (*cil_mem_error_handler)();
+ cil_log(CIL_ERR, "Failed to allocate memory\n");
+ exit(1);
}
return mem;
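Review bot: The pair `cil_log(CIL_ERR, "Failed to allocate memory\n"); exit(1);` is written out here in `cil_malloc` and again in the `cil_calloc`, `cil_realloc`, `cil_strdup` and `cil_asprintf` hunks below, plus twice in the cil_strpool.c hunks. A single file-local `noreturn` helper (the name below is only a suggestion) would keep the message and exit status in one place and tell the compiler the failure path does not return. Keeping it `static` avoids reintroducing the exported handler symbol this commit removes. cil_strpool.c would need its own copy or an internal declaration.

```c
/* Report an allocation failure and terminate; never returns. */
static __attribute__((noreturn)) void cil_mem_fail(void)
{
	cil_log(CIL_ERR, "Failed to allocate memory\n");
	exit(1);
}

void *cil_malloc(size_t size)
{
	/* … unchanged: malloc call and size == 0 case … */
		cil_mem_fail();
```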
@@ -64,7 +52,8 @@ void *cil_calloc(size_t num_elements, size_t element_size)
{
void *mem = calloc(num_elements, element_size);
if (mem == NULL){
- (*cil_mem_error_handler)();
+ cil_log(CIL_ERR, "Failed to allocate memory\n");
+ exit(1);
}
return mem;
@@ -77,7 +66,8 @@ void *cil_realloc(void *ptr, size_t size)
if (size == 0) {
return NULL;
}
- (*cil_mem_error_handler)();
+ cil_log(CIL_ERR, "Failed to allocate memory\n");
+ exit(1);
}
return mem;
@@ -94,7 +84,8 @@ char *cil_strdup(const char *str)
mem = strdup(str);
if (mem == NULL) {
- (*cil_mem_error_handler)();
+ cil_log(CIL_ERR, "Failed to allocate memory\n");
+ exit(1);
}
return mem;
@@ -110,7 +101,8 @@ __attribute__ ((format (printf, 2, 3))) int cil_asprintf(char **strp, const char
va_end(ap);
if (rc == -1) {
- (*cil_mem_error_handler)();
+ cil_log(CIL_ERR, "Failed to allocate memory\n");
+ exit(1);
}
return rc;
diff --git a/libsepol/cil/src/cil_mem.h b/libsepol/cil/src/cil_mem.h
index 902ce131..794f02a3 100644
--- a/libsepol/cil/src/cil_mem.h
+++ b/libsepol/cil/src/cil_mem.h
@@ -36,7 +36,6 @@ void *cil_calloc(size_t num_elements, size_t element_size);
void *cil_realloc(void *ptr, size_t size);
char *cil_strdup(const char *str);
int cil_asprintf(char **strp, const char *fmt, ...);
-void (*cil_mem_error_handler)(void);
#endif /* CIL_MEM_H_ */
diff --git a/libsepol/cil/src/cil_policy.c b/libsepol/cil/src/cil_policy.c
index 1adf22a3..06d7d74e 100644
--- a/libsepol/cil/src/cil_policy.c
+++ b/libsepol/cil/src/cil_policy.c
@@ -834,6 +834,9 @@ static void cil_default_ranges_to_policy(FILE *out, struct cil_list *defaults)
case CIL_DEFAULT_TARGET_LOW_HIGH:
fprintf(out," %s %s", CIL_KEY_TARGET, CIL_KEY_LOW_HIGH);
break;
+ case CIL_DEFAULT_GLBLUB:
+ fprintf(out," %s", CIL_KEY_GLBLUB);
+ break;
default:
break;
}
diff --git a/libsepol/cil/src/cil_post.c b/libsepol/cil/src/cil_post.c
index 708b4320..a0cadfde 100644
--- a/libsepol/cil/src/cil_post.c
+++ b/libsepol/cil/src/cil_post.c
@@ -2309,7 +2309,7 @@ static int cil_post_db(struct cil_db *db)
rc = cil_tree_walk(db->ast->root, __cil_post_db_count_helper, NULL, NULL, db);
if (rc != SEPOL_OK) {
- cil_log(CIL_INFO, "Failure during cil databse count helper\n");
+ cil_log(CIL_INFO, "Failure during cil database count helper\n");
goto exit;
}
diff --git a/libsepol/cil/src/cil_resolve_ast.c b/libsepol/cil/src/cil_resolve_ast.c
index ea08087d..87575860 100644
--- a/libsepol/cil/src/cil_resolve_ast.c
+++ b/libsepol/cil/src/cil_resolve_ast.c
@@ -131,18 +131,14 @@ static int __cil_resolve_perms(symtab_t *class_symtab, symtab_t *common_symtab,
}
}
if (rc != SEPOL_OK) {
- struct cil_list *empty_list;
if (class_flavor == CIL_MAP_CLASS) {
cil_log(CIL_ERR, "Failed to resolve permission %s for map class\n", (char*)curr->data);
- goto exit;
+ } else {
+ cil_log(CIL_ERR, "Failed to resolve permission %s\n", (char*)curr->data);
}
- cil_log(CIL_WARN, "Failed to resolve permission %s\n", (char*)curr->data);
- /* Use an empty list to represent unknown perm */
- cil_list_init(&empty_list, perm_strs->flavor);
- cil_list_append(*perm_datums, CIL_LIST, empty_list);
- } else {
- cil_list_append(*perm_datums, CIL_DATUM, perm_datum);
+ goto exit;
}
+ cil_list_append(*perm_datums, CIL_DATUM, perm_datum);
} else {
cil_list_append(*perm_datums, curr->flavor, curr->data);
}
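Review bot: The now-unconditional `goto exit` after a failed permission lookup carries no comment saying why an unknown permission is fatal, whereas the removed code deliberately tolerated it with a warning and an empty list. Because this turns previously accepted policy source into a hard error, a line above the `if (rc != SEPOL_OK)` block would help the next reader, for example `/* An unresolved permission is an error: do not build a rule with part of its permission set missing. */`. The function starts outside the hunk, so how callers treat the returned error is not visible here.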
@@ -1382,7 +1378,7 @@ static int insert_unordered(struct cil_list *merged, struct cil_list *unordered)
cil_list_for_each(item, unordered_list->list) {
if (cil_list_contains(merged, item->data)) {
- /* item was declared in an ordered statement, which supercedes
+ /* item was declared in an ordered statement, which supersedes
* all unordered statements */
if (item->flavor == CIL_CLASS) {
cil_log(CIL_WARN, "Ignoring '%s' as it has already been declared in classorder.\n", ((struct cil_class*)(item->data))->datum.name);
@@ -3765,14 +3761,16 @@ int __cil_resolve_ast_node_helper(struct cil_tree_node *node, uint32_t *finished
enum cil_log_level lvl = CIL_ERR;
if (optstack != NULL) {
- lvl = CIL_WARN;
+ lvl = CIL_INFO;
struct cil_optional *opt = (struct cil_optional *)optstack->data;
struct cil_tree_node *opt_node = opt->datum.nodes->head->data;
- cil_tree_log(opt_node, lvl, "Disabling optional '%s'", opt->datum.name);
/* disable an optional if something failed to resolve */
opt->enabled = CIL_FALSE;
+ cil_tree_log(node, lvl, "Failed to resolve %s statement", cil_node_to_string(node));
+ cil_tree_log(opt_node, lvl, "Disabling optional '%s'", opt->datum.name);
rc = SEPOL_OK;
+ goto exit;
}
cil_tree_log(node, lvl, "Failed to resolve %s statement", cil_node_to_string(node));
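Review bot: Lowering `lvl` to `CIL_INFO` in the `optstack != NULL` branch means a statement that fails to resolve inside an optional, and the disabling of that optional, are no longer reported at warning level. A misspelled name in an optional block can therefore drop the block's rules with no output unless the log level is raised. If that is intended, a comment above `lvl = CIL_INFO;` would record it, for example `/* Expected for optionals: log at INFO only; the whole optional block is dropped. */`. After the added `goto exit`, the final `cil_tree_log(node, lvl, ...)` is reached only with `lvl == CIL_ERR`. The enclosing function starts and ends outside the hunk.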
@@ -3988,7 +3986,7 @@ int cil_resolve_ast(struct cil_db *db, struct cil_tree_node *current)
if (changed && (pass > CIL_PASS_CALL1)) {
/* Need to re-resolve because an optional was disabled that contained
* one or more declarations. We only need to reset to the call1 pass
- * because things done in the preceeding passes aren't allowed in
+ * because things done in the preceding passes aren't allowed in
* optionals, and thus can't be disabled.
* Note: set pass to CIL_PASS_CALL1 because the pass++ will increment
* it to CIL_PASS_CALL2
diff --git a/libsepol/cil/src/cil_strpool.c b/libsepol/cil/src/cil_strpool.c
index 97d4c4b9..2598bbf3 100644
--- a/libsepol/cil/src/cil_strpool.c
+++ b/libsepol/cil/src/cil_strpool.c
@@ -80,8 +80,8 @@ char *cil_strpool_add(const char *str)
int rc = hashtab_insert(cil_strpool_tab, (hashtab_key_t)strpool_ref->str, strpool_ref);
if (rc != SEPOL_OK) {
pthread_mutex_unlock(&cil_strpool_mutex);
- (*cil_mem_error_handler)();
- pthread_mutex_lock(&cil_strpool_mutex);
+ cil_log(CIL_ERR, "Failed to allocate memory\n");
+ exit(1);
}
}
@@ -104,8 +104,8 @@ void cil_strpool_init(void)
cil_strpool_tab = hashtab_create(cil_strpool_hash, cil_strpool_compare, CIL_STRPOOL_TABLE_SIZE);
if (cil_strpool_tab == NULL) {
pthread_mutex_unlock(&cil_strpool_mutex);
- (*cil_mem_error_handler)();
- return;
+ cil_log(CIL_ERR, "Failed to allocate memory\n");
+ exit(1);
}
}
cil_strpool_readers++;
diff --git a/libsepol/cil/src/cil_verify.c b/libsepol/cil/src/cil_verify.c
index 1a21cf4b..018514dc 100644
--- a/libsepol/cil/src/cil_verify.c
+++ b/libsepol/cil/src/cil_verify.c
@@ -225,6 +225,9 @@ int cil_verify_constraint_leaf_expr_syntax(enum cil_flavor l_flavor, enum cil_fl
cil_log(CIL_ERR, "u3, r3, and t3 can only be used with (mls)validatetrans rules\n");
goto exit;
}
+ } else if (r_flavor == CIL_LIST) {
+ cil_log(CIL_ERR, "t1, t2, r1, r2, u1, u2 cannot be used on the left side with a list on the right side\n");
+ goto exit;
}
} else {
if (r_flavor == CIL_CONS_U2) {
diff --git a/libsepol/include/sepol/booleans.h b/libsepol/include/sepol/booleans.h
index 2966903d..06d2230c 100644
--- a/libsepol/include/sepol/booleans.h
+++ b/libsepol/include/sepol/booleans.h
@@ -10,23 +10,10 @@
extern "C" {
#endif
-/*--------------compatibility--------------*/
-
-/* Given an existing binary policy (starting at 'data', with length 'len')
- and a boolean configuration file named by 'boolpath', rewrite the binary
- policy for the boolean settings in the boolean configuration file.
- The binary policy is rewritten in place in memory.
- Returns 0 upon success, or -1 otherwise. */
+/* These two functions are deprecated. See src/deprecated_funcs.c */
extern int sepol_genbools(void *data, size_t len, const char *boolpath);
-
-/* Given an existing binary policy (starting at 'data', with length 'len')
- and boolean settings specified by the parallel arrays ('names', 'values')
- with 'nel' elements, rewrite the binary policy for the boolean settings.
- The binary policy is rewritten in place in memory.
- Returns 0 upon success or -1 otherwise. */
extern int sepol_genbools_array(void *data, size_t len,
char **names, int *values, int nel);
-/*---------------end compatbility------------*/
/* Set the specified boolean */
extern int sepol_bool_set(sepol_handle_t * handle,
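Review bot: The replacement comment `/* These two functions are deprecated. See src/deprecated_funcs.c */` removes the only description of what `sepol_genbools` and `sepol_genbools_array` do and return, yet both stay declared in this public header. An installed header usually ships without the `src/` tree the comment points to, so the comment should say what a caller gets now, along the lines of `/* Deprecated: <what the call now does and returns>. Do not use in new code. */`. A deprecation attribute on the two declarations would also surface remaining callers at compile time. The users.h hunk for `sepol_genusers` and `sepol_set_delusers` has the same gap.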
diff --git a/libsepol/include/sepol/policydb.h b/libsepol/include/sepol/policydb.h
index 6769b913..792913dd 100644
--- a/libsepol/include/sepol/policydb.h
+++ b/libsepol/include/sepol/policydb.h
@@ -100,6 +100,11 @@ extern int sepol_policydb_set_handle_unknown(sepol_policydb_t * p,
extern int sepol_policydb_set_target_platform(sepol_policydb_t * p,
int target_platform);
+/*
+ * Optimize the policy by removing redundant rules.
+ */
+extern int sepol_policydb_optimize(sepol_policydb_t * p);
+
/*
* Read a policydb from a policy file.
* This automatically sets the type and version based on the
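Review bot: The comment on `sepol_policydb_optimize` does not state the return convention or whether `p` is modified in place, which matters for a call that removes rules from a security policy. Something like `/* Optimize the policy in place by removing redundant rules. Returns <success value> on success and <error value> on failure; <whether p is still usable after a failure>. */` would cover it. The values need to be filled in from the implementation, which is not part of this hunk.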
diff --git a/libsepol/include/sepol/policydb/context.h b/libsepol/include/sepol/policydb/context.h
index c27c3341..37cdc591 100644
--- a/libsepol/include/sepol/policydb/context.h
+++ b/libsepol/include/sepol/policydb/context.h
@@ -92,6 +92,11 @@ out:
return rc;
}
+static inline int mls_context_glblub(context_struct_t *dst, context_struct_t *c1, context_struct_t *c2)
+{
+ return mls_range_glblub(&dst->range, &c1->range, &c2->range);
+}
+
static inline int mls_context_cmp(context_struct_t * c1, context_struct_t * c2)
{
return (mls_level_eq(&c1->range.level[0], &c2->range.level[0]) &&
diff --git a/libsepol/include/sepol/policydb/hashtab.h b/libsepol/include/sepol/policydb/hashtab.h
index ef1bb679..ca5ba862 100644
--- a/libsepol/include/sepol/policydb/hashtab.h
+++ b/libsepol/include/sepol/policydb/hashtab.h
@@ -47,7 +47,7 @@ typedef hashtab_val_t *hashtab_t;
/*
Creates a new hash table with the specified characteristics.
- Returns NULL if insufficent space is available or
+ Returns NULL if insufficient space is available or
the new hash table otherwise.
*/
extern hashtab_t hashtab_create(unsigned int (*hash_value) (hashtab_t h,
diff --git a/libsepol/include/sepol/policydb/mls_types.h b/libsepol/include/sepol/policydb/mls_types.h
index a06723be..0ba6d9de 100644
--- a/libsepol/include/sepol/policydb/mls_types.h
+++ b/libsepol/include/sepol/policydb/mls_types.h
@@ -30,8 +30,10 @@
#ifndef _SEPOL_POLICYDB_MLS_TYPES_H_
#define _SEPOL_POLICYDB_MLS_TYPES_H_
+#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
+#include <sys/param.h>
#include <sepol/policydb/ebitmap.h>
#include <sepol/policydb/flask_types.h>
@@ -48,6 +50,30 @@ typedef struct mls_range {
mls_level_t level[2]; /* low == level[0], high == level[1] */
} mls_range_t;
+static inline int mls_range_glblub(struct mls_range *dst, struct mls_range *r1, struct mls_range *r2)
+{
+ if (r1->level[1].sens < r2->level[0].sens || r2->level[1].sens < r1->level[0].sens) {
+ /* These ranges have no common sensitivities */
+ return -EINVAL;
+ }
+
+ /* Take the greatest of the low */
+ dst->level[0].sens = MAX(r1->level[0].sens, r2->level[0].sens);
+ /* Take the least of the high */
+ dst->level[1].sens = MIN(r1->level[1].sens, r2->level[1].sens);
+
+ if (ebitmap_and(&dst->level[0].cat, &r1->level[0].cat, &r2->level[0].cat) < 0) {
+ return -1;
+ }
+
+ if (ebitmap_and(&dst->level[1].cat, &r1->level[1].cat, &r2->level[1].cat) < 0) {
+ return -1;
+ }
+
+ return 0;
+}
+
+
static inline int mls_level_cpy(struct mls_level *dst, struct mls_level *src)
{
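Review bot: `mls_range_glblub` returns `-EINVAL` for disjoint ranges but a bare `-1` when `ebitmap_and` fails, so callers see two different error conventions from one function. On the second `ebitmap_and` failure, both `sens` fields and `dst->level[0].cat` have already been written; assuming `ebitmap_and` allocates into its destination, that bitmap is left for the caller to clean up. Propagating the `ebitmap_and` result and calling `ebitmap_destroy(&dst->level[0].cat);` before the second error return would leave `dst` in a defined state. The function also lacks a header comment saying that `dst` receives the overlap of `r1` and `r2` and who owns its category bitmaps.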
diff --git a/libsepol/include/sepol/policydb/policydb.h b/libsepol/include/sepol/policydb/policydb.h
index 591ce6e0..b0d2fdfc 100644
--- a/libsepol/include/sepol/policydb/policydb.h
+++ b/libsepol/include/sepol/policydb/policydb.h
@@ -130,6 +130,7 @@ typedef struct class_datum {
#define DEFAULT_TARGET_LOW 4
#define DEFAULT_TARGET_HIGH 5
#define DEFAULT_TARGET_LOW_HIGH 6
+#define DEFAULT_GLBLUB 7
char default_range;
} class_datum_t;
@@ -636,6 +637,8 @@ extern int policydb_user_cache(hashtab_key_t key,
extern int policydb_reindex_users(policydb_t * p);
+extern int policydb_optimize(policydb_t * p);
+
extern void policydb_destroy(policydb_t * p);
extern int policydb_load_isids(policydb_t * p, sidtab_t * s);
@@ -739,10 +742,11 @@ extern int policydb_set_target_platform(policydb_t *p, int platform);
#define POLICYDB_VERSION_XEN_DEVICETREE 30 /* Xen-specific */
#define POLICYDB_VERSION_XPERMS_IOCTL 30 /* Linux-specific */
#define POLICYDB_VERSION_INFINIBAND 31 /* Linux-specific */
+#define POLICYDB_VERSION_GLBLUB 32
/* Range of policy versions we understand*/
#define POLICYDB_VERSION_MIN POLICYDB_VERSION_BASE
-#define POLICYDB_VERSION_MAX POLICYDB_VERSION_INFINIBAND
+#define POLICYDB_VERSION_MAX POLICYDB_VERSION_GLBLUB
/* Module versions and specific changes*/
#define MOD_POLICYDB_VERSION_BASE 4
@@ -763,9 +767,10 @@ extern int policydb_set_target_platform(policydb_t *p, int platform);
#define MOD_POLICYDB_VERSION_CONSTRAINT_NAMES 17
#define MOD_POLICYDB_VERSION_XPERMS_IOCTL 18
#define MOD_POLICYDB_VERSION_INFINIBAND 19
+#define MOD_POLICYDB_VERSION_GLBLUB 20
#define MOD_POLICYDB_VERSION_MIN MOD_POLICYDB_VERSION_BASE
-#define MOD_POLICYDB_VERSION_MAX MOD_POLICYDB_VERSION_INFINIBAND
+#define MOD_POLICYDB_VERSION_MAX MOD_POLICYDB_VERSION_GLBLUB
#define POLICYDB_CONFIG_MLS 1
diff --git a/libsepol/include/sepol/policydb/services.h b/libsepol/include/sepol/policydb/services.h
index 6ef27a8c..048f8a5a 100644
--- a/libsepol/include/sepol/policydb/services.h
+++ b/libsepol/include/sepol/policydb/services.h
@@ -30,12 +30,6 @@ extern "C" {
extern int sepol_set_policydb(policydb_t * p);
extern int sepol_set_sidtab(sidtab_t * s);
-/* Modify a policydb for boolean settings. */
-int sepol_genbools_policydb(policydb_t * policydb, const char *booleans);
-
-/* Modify a policydb for user settings. */
-int sepol_genusers_policydb(policydb_t * policydb, const char *usersdir);
-
/* Load the security policy. This initializes the policydb
and sidtab based on the provided binary policy. */
extern int sepol_load_policy(void *data, size_t len);
@@ -66,7 +60,7 @@ extern int sepol_compute_av_reason(sepol_security_id_t ssid,
/*
* Same as above, but also returns the constraint expression calculations
* whether allowed or denied in a buffer. This buffer is allocated by
- * this call and must be free'd by the caller using free(3). The contraint
+ * this call and must be free'd by the caller using free(3). The constraint
* buffer will contain any constraints in infix notation.
* If the SHOW_GRANTED flag is set it will show granted and denied
* constraints. The default is to show only denied constraints.
diff --git a/libsepol/include/sepol/users.h b/libsepol/include/sepol/users.h
index ad23f89b..70158ac4 100644
--- a/libsepol/include/sepol/users.h
+++ b/libsepol/include/sepol/users.h
@@ -10,23 +10,12 @@
extern "C" {
#endif
-/*---------compatibility------------*/
-
-/* Given an existing binary policy (starting at 'data with length 'len')
- and user configurations living in 'usersdir', generate a new binary
- policy for the new user configurations. Sets '*newdata' and '*newlen'
- to refer to the new binary policy image. */
+/* These two functions are deprecated. See src/deprecated_funcs.c */
extern int sepol_genusers(void *data, size_t len,
const char *usersdir,
void **newdata, size_t * newlen);
-
-/* Enable or disable deletion of users by sepol_genusers(3) when
- a user in original binary policy image is not defined by the
- new user configurations. Defaults to disabled. */
extern void sepol_set_delusers(int on);
-/*--------end compatibility----------*/
-
/* Modify the user, or add it, if the key is not found */
extern int sepol_user_modify(sepol_handle_t * handle,
sepol_policydb_t * policydb,
diff --git a/libsepol/man/man3/sepol_genbools.3 b/libsepol/man/man3/sepol_genbools.3
deleted file mode 100644
index 53633832..00000000
--- a/libsepol/man/man3/sepol_genbools.3
+++ /dev/null
@@ -1,30 +0,0 @@
-.TH "sepol_genbools" "3" "11 August 2004" "sds@tycho.nsa.gov" "SE Linux binary policy API documentation"
-.SH "NAME"
-sepol_genbools \- Rewrite a binary policy with different boolean settings
-.SH "SYNOPSIS"
-.B #include <sepol/sepol.h>
-.sp
-.BI "int sepol_genbools(void *" data ", size_t "len ", const char *" boolpath );
-.br
-.BI "int sepol_genbools_array(void *" data ", size_t " len ", char **" names ", int *" values ", int " nel );
-
-.SH "DESCRIPTION"
-.B sepol_genbools
-rewrites a binary policy stored in the memory region described by
-(data, len) to use the boolean settings specified in the file named by
-boolpath. The boolean settings are specified by name=value lines
-where value may be 0 or false to disable or 1 or true to enable. The
-binary policy is rewritten in place in memory.
-
-.B sepol_genbools_array
-does likewise, but obtains the boolean settings from the parallel arrays
-(names, values) with nel elements each.
-
-.SH "RETURN VALUE"
-Returns 0 on success or \-1 otherwise, with errno set appropriately.
-An errno of ENOENT indicates that the boolean file did not exist.
-An errno of EINVAL indicates that one or more booleans listed in the
-boolean file was undefined in the policy or had an invalid value specified;
-in this case, the binary policy is still rewritten but any invalid
-boolean settings are ignored.
-
diff --git a/libsepol/man/man3/sepol_genusers.3 b/libsepol/man/man3/sepol_genusers.3
deleted file mode 100644
index 1f820ff5..00000000
--- a/libsepol/man/man3/sepol_genusers.3
+++ /dev/null
@@ -1,54 +0,0 @@
-.TH "sepol_genusers" "3" "15 March 2005" "sds@tycho.nsa.gov" "SE Linux binary policy API documentation"
-.SH "NAME"
-sepol_genusers \- Generate a new binary policy image with a customized user configuration
-.SH "SYNOPSIS"
-.B #include <sepol/sepol.h>
-.sp
-.BI "int sepol_genusers(void *" data ", size_t "len ", const char *" usersdir ", void *" newdata ", size_t *" newlen);
-.sp
-.BI "void sepol_set_delusers(int " on ");"
-
-.SH "DESCRIPTION"
-.B sepol_genusers
-generates a new binary policy image from
-an existing binary policy image stored in the memory region described by
-the starting address
-.I data
-and the length
-.I len
-and a pair of user configuration files named
-.B system.users
-and
-.B local.users
-from the directory specified by
-.I usersdir.
-The resulting binary policy is placed into dynamically allocated
-memory and the variables
-.I newdata
-and
-.I newlen
-are set to refer to the new binary image's starting address and length.
-The original binary policy image is not modified.
-
-By default,
-.B sepol_genusers
-will preserve user entries that are defined in the original binary policy image
-but not defined in the user configuration files. If such user entries
-should instead by omitted entirely from the new binary policy image, then
-the
-.B sepol_set_delusers
-function may be called with
-.I on
-set to 1 prior to calling
-.B sepol_genusers
-in order to enable deletion of such users.
-
-.SH "RETURN VALUE"
-Returns 0 on success or \-1 otherwise, with errno set appropriately.
-An errno of ENOENT indicates that one or both of the user
-configuration files did not exist. An errno of EINVAL indicates that
-either the original binary policy image or the generated one were
-invalid. An errno of ENOMEM indicates that insufficient memory was
-available to process the original binary policy image or to generate
-the new policy image. Invalid entries in the user configuration files
-are skipped with a warning.
diff --git a/libsepol/src/avrule_block.c b/libsepol/src/avrule_block.c
index 5a873af4..a9832d0d 100644
--- a/libsepol/src/avrule_block.c
+++ b/libsepol/src/avrule_block.c
@@ -157,7 +157,7 @@ int is_id_enabled(char *id, policydb_t * p, int symbol_table)
scope_datum_t *scope =
(scope_datum_t *) hashtab_search(p->scope[symbol_table].table, id);
avrule_decl_t *decl;
- uint32_t len = scope->decl_ids_len;
+ uint32_t len;
if (scope == NULL) {
return 0;
@@ -166,6 +166,7 @@ int is_id_enabled(char *id, policydb_t * p, int symbol_table)
return 0;
}
+ len = scope->decl_ids_len;
if (len < 1) {
return 0;
}
diff --git a/libsepol/src/conditional.c b/libsepol/src/conditional.c
index 2883aeb6..823b649a 100644
--- a/libsepol/src/conditional.c
+++ b/libsepol/src/conditional.c
@@ -359,7 +359,7 @@ int cond_normalize_expr(policydb_t * p, cond_node_t * cn)
ne = NULL;
e = cn->expr;
- /* becuase it's RPN look at last element */
+ /* because it's RPN look at last element */
while (e->next != NULL) {
ne = e;
e = e->next;
diff --git a/libsepol/src/context.c b/libsepol/src/context.c
index a88937fc..e81b28c6 100644
--- a/libsepol/src/context.c
+++ b/libsepol/src/context.c
@@ -38,7 +38,6 @@ int context_is_valid(const policydb_t * p, const context_struct_t * c)
role_datum_t *role;
user_datum_t *usrdatum;
ebitmap_t types, roles;
- int ret = 1;
ebitmap_init(&types);
ebitmap_init(&roles);
@@ -75,7 +74,7 @@ int context_is_valid(const policydb_t * p, const context_struct_t * c)
if (!mls_context_isvalid(p, c))
return 0;
- return ret;
+ return 1;
}
/*
diff --git a/libsepol/src/deprecated_funcs.c b/libsepol/src/deprecated_funcs.c
new file mode 100644
index 00000000..d0dab7df
--- /dev/null
+++ b/libsepol/src/deprecated_funcs.c
@@ -0,0 +1,50 @@
+#include <stdio.h>
+#include "debug.h"
+
+/*
+ * Need to keep these stubs for the libsepol interfaces exported in
+ * libsepol.map.in, as they are part of the shared library ABI.
+ */
+
+static const char *msg = "Deprecated interface";
+
+/*
+ * These two functions are deprecated and referenced in:
+ * include/libsepol/users.h
+ */
+int sepol_genusers(void *data __attribute((unused)),
+ size_t len __attribute((unused)),
+ const char *usersdir __attribute((unused)),
+ void **newdata __attribute((unused)),
+ size_t *newlen __attribute((unused)))
+{
+ WARN(NULL, "%s", msg);
+ return -1;
+}
+
+void sepol_set_delusers(int on __attribute((unused)))
+{
+ WARN(NULL, "%s", msg);
+}
+
+/*
+ * These two functions are deprecated and referenced in:
+ * include/libsepol/booleans.h
+ */
+int sepol_genbools(void *data __attribute((unused)),
+ size_t len __attribute((unused)),
+ const char *booleans __attribute((unused)))
+{
+ WARN(NULL, "%s", msg);
+ return -1;
+}
+
+int sepol_genbools_array(void *data __attribute((unused)),
+ size_t len __attribute((unused)),
+ char **names __attribute((unused)),
+ int *values __attribute((unused)),
+ int nel __attribute((unused)))
+{
+ WARN(NULL, "%s", msg);
+ return -1;
+}
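Review bot: The three int-returning stubs (`sepol_genusers`, `sepol_genbools`, `sepol_genbools_array`) return -1 without setting errno, although the man pages deleted in this same commit promised -1 "with errno set appropriately" and gave ENOENT and EINVAL specific meanings. A caller built against the old ABI that inspects errno after the failure will read whatever an earlier call left there and may take the wrong branch. Setting a fixed value before each return, `errno = ENOTSUP;` together with `#include <errno.h>`, makes the failure unambiguous. `sepol_genusers` also leaves `*newdata` and `*newlen` unwritten, which the file comment could state: `/* The stubs always fail; output parameters are never written. */`.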
diff --git a/libsepol/src/ebitmap.c b/libsepol/src/ebitmap.c
index 76e6e41b..6c9951b7 100644
--- a/libsepol/src/ebitmap.c
+++ b/libsepol/src/ebitmap.c
@@ -455,7 +455,7 @@ int ebitmap_read(ebitmap_t * e, void *fp)
}
if (count && l->startbit + MAPSIZE != e->highbit) {
printf
- ("security: ebitmap: hight bit %u has not the expected value %zu\n",
+ ("security: ebitmap: high bit %u has not the expected value %zu\n",
e->highbit, l->startbit + MAPSIZE);
goto bad;
}
diff --git a/libsepol/src/genbools.c b/libsepol/src/genbools.c
deleted file mode 100644
index d4a2df62..00000000
--- a/libsepol/src/genbools.c
+++ /dev/null
@@ -1,279 +0,0 @@
-#include <stdio.h>
-#include <stdlib.h>
-#include <ctype.h>
-#include <errno.h>
-
-#include <sepol/policydb/policydb.h>
-#include <sepol/policydb/conditional.h>
-
-#include "debug.h"
-#include "private.h"
-#include "dso.h"
-
-/* -- Deprecated -- */
-
-static char *strtrim(char *dest, char *source, int size)
-{
- int i = 0;
- char *ptr = source;
- i = 0;
- while (isspace(*ptr) && i < size) {
- ptr++;
- i++;
- }
- strncpy(dest, ptr, size);
- for (i = strlen(dest) - 1; i > 0; i--) {
- if (!isspace(dest[i]))
- break;
- }
- dest[i + 1] = '\0';
- return dest;
-}
-
-static int process_boolean(char *buffer, char *name, int namesize, int *val)
-{
- char name1[BUFSIZ];
- char *ptr = NULL;
- char *tok;
-
- /* Skip spaces */
- while (isspace(buffer[0]))
- buffer++;
- /* Ignore comments */
- if (buffer[0] == '#')
- return 0;
-
- tok = strtok_r(buffer, "=", &ptr);
- if (!tok) {
- ERR(NULL, "illegal boolean definition %s", buffer);
- return -1;
- }
- strncpy(name1, tok, BUFSIZ - 1);
- strtrim(name, name1, namesize - 1);
-
- tok = strtok_r(NULL, "\0", &ptr);
- if (!tok) {
- ERR(NULL, "illegal boolean definition %s=%s", name, buffer);
- return -1;
- }
-
- while (isspace(*tok))
- tok++;
-
- *val = -1;
- if (isdigit(tok[0]))
- *val = atoi(tok);
- else if (!strncasecmp(tok, "true", sizeof("true") - 1))
- *val = 1;
- else if (!strncasecmp(tok, "false", sizeof("false") - 1))
- *val = 0;
- if (*val != 0 && *val != 1) {
- ERR(NULL, "illegal value for boolean %s=%s", name, tok);
- return -1;
- }
- return 1;
-}
-
-static int load_booleans(struct policydb *policydb, const char *path,
- int *changesp)
-{
- FILE *boolf;
- char *buffer = NULL;
- char localbools[BUFSIZ];
- char name[BUFSIZ];
- int val;
- int errors = 0, changes = 0;
- struct cond_bool_datum *datum;
-
- boolf = fopen(path, "r");
- if (boolf == NULL)
- goto localbool;
-
-#ifdef __APPLE__
- if ((buffer = (char *)malloc(255 * sizeof(char))) == NULL) {
- ERR(NULL, "out of memory");
- return -1;
- }
-
- while(fgets(buffer, 255, boolf) != NULL) {
-#else
- size_t size = 0;
- while (getline(&buffer, &size, boolf) > 0) {
-#endif
- int ret = process_boolean(buffer, name, sizeof(name), &val);
- if (ret == -1)
- errors++;
- if (ret == 1) {
- datum = hashtab_search(policydb->p_bools.table, name);
- if (!datum) {
- ERR(NULL, "unknown boolean %s", name);
- errors++;
- continue;
- }
- if (datum->state != val) {
- datum->state = val;
- changes++;
- }
- }
- }
- fclose(boolf);
- localbool:
- snprintf(localbools, sizeof(localbools), "%s.local", path);
- boolf = fopen(localbools, "r");
- if (boolf != NULL) {
-
-#ifdef __APPLE__
-
- while(fgets(buffer, 255, boolf) != NULL) {
-#else
-
- while (getline(&buffer, &size, boolf) > 0) {
-#endif
- int ret =
- process_boolean(buffer, name, sizeof(name), &val);
- if (ret == -1)
- errors++;
- if (ret == 1) {
- datum =
- hashtab_search(policydb->p_bools.table,
- name);
- if (!datum) {
- ERR(NULL, "unknown boolean %s", name);
- errors++;
- continue;
- }
- if (datum->state != val) {
- datum->state = val;
- changes++;
- }
- }
- }
- fclose(boolf);
- }
- free(buffer);
- if (errors)
- errno = EINVAL;
- *changesp = changes;
- return errors ? -1 : 0;
-}
-
-int sepol_genbools(void *data, size_t len, const char *booleans)
-{
- struct policydb policydb;
- struct policy_file pf;
- int rc, changes = 0;
-
- if (policydb_init(&policydb))
- goto err;
- if (policydb_from_image(NULL, data, len, &policydb) < 0)
- goto err;
-
- if (load_booleans(&policydb, booleans, &changes) < 0) {
- WARN(NULL, "error while reading %s", booleans);
- }
-
- if (!changes)
- goto out;
-
- if (evaluate_conds(&policydb) < 0) {
- ERR(NULL, "error while re-evaluating conditionals");
- errno = EINVAL;
- goto err_destroy;
- }
-
- policy_file_init(&pf);
- pf.type = PF_USE_MEMORY;
- pf.data = data;
- pf.len = len;
- rc = policydb_write(&policydb, &pf);
- if (rc) {
- ERR(NULL, "unable to write new binary policy image");
- errno = EINVAL;
- goto err_destroy;
- }
-
- out:
- policydb_destroy(&policydb);
- return 0;
-
- err_destroy:
- policydb_destroy(&policydb);
-
- err:
- return -1;
-}
-
-int hidden sepol_genbools_policydb(policydb_t * policydb, const char *booleans)
-{
- int rc, changes = 0;
-
- rc = load_booleans(policydb, booleans, &changes);
- if (!rc && changes)
- rc = evaluate_conds(policydb);
- if (rc)
- errno = EINVAL;
- return rc;
-}
-
-/* -- End Deprecated -- */
-
-int sepol_genbools_array(void *data, size_t len, char **names, int *values,
- int nel)
-{
- struct policydb policydb;
- struct policy_file pf;
- int rc, i, errors = 0;
- struct cond_bool_datum *datum;
-
- /* Create policy database from image */
- if (policydb_init(&policydb))
- goto err;
- if (policydb_from_image(NULL, data, len, &policydb) < 0)
- goto err;
-
- for (i = 0; i < nel; i++) {
- datum = hashtab_search(policydb.p_bools.table, names[i]);
- if (!datum) {
- ERR(NULL, "boolean %s no longer in policy", names[i]);
- errors++;
- continue;
- }
- if (values[i] != 0 && values[i] != 1) {
- ERR(NULL, "illegal value %d for boolean %s",
- values[i], names[i]);
- errors++;
- continue;
- }
- datum->state = values[i];
- }
-
- if (evaluate_conds(&policydb) < 0) {
- ERR(NULL, "error while re-evaluating conditionals");
- errno = EINVAL;
- goto err_destroy;
- }
-
- policy_file_init(&pf);
- pf.type = PF_USE_MEMORY;
- pf.data = data;
- pf.len = len;
- rc = policydb_write(&policydb, &pf);
- if (rc) {
- ERR(NULL, "unable to write binary policy");
- errno = EINVAL;
- goto err_destroy;
- }
- if (errors) {
- errno = EINVAL;
- goto err_destroy;
- }
-
- policydb_destroy(&policydb);
- return 0;
-
- err_destroy:
- policydb_destroy(&policydb);
-
- err:
- return -1;
-}
diff --git a/libsepol/src/genusers.c b/libsepol/src/genusers.c
deleted file mode 100644
index c375c669..00000000
--- a/libsepol/src/genusers.c
+++ /dev/null
@@ -1,343 +0,0 @@
-#include <stdio.h>
-
-#include <stdlib.h>
-#include <ctype.h>
-#include <errno.h>
-#include <limits.h>
-
-#include <sepol/policydb/policydb.h>
-
-#ifndef __APPLE__
-#include <stdio_ext.h>
-#endif
-
-#include <stdarg.h>
-
-#include "debug.h"
-#include "private.h"
-#include "dso.h"
-#include "mls.h"
-
-/* -- Deprecated -- */
-
-void sepol_set_delusers(int on __attribute((unused)))
-{
- WARN(NULL, "Deprecated interface");
-}
-
-#undef BADLINE
-#define BADLINE() { \
- ERR(NULL, "invalid entry %s (%s:%u)", \
- buffer, path, lineno); \
- continue; \
-}
-
-static int load_users(struct policydb *policydb, const char *path)
-{
- FILE *fp;
- char *buffer = NULL, *p, *q, oldc;
- ssize_t nread;
- unsigned lineno = 0, islist = 0, bit;
- user_datum_t *usrdatum;
- role_datum_t *roldatum;
- ebitmap_node_t *rnode;
-
- fp = fopen(path, "r");
- if (fp == NULL)
- return -1;
-
-#ifdef __APPLE__
- if ((buffer = (char *)malloc(255 * sizeof(char))) == NULL) {
- ERR(NULL, "out of memory");
- return -1;
- }
-
- while(fgets(buffer, 255, fp) != NULL) {
- nread = strlen(buffer);
-#else
- size_t len = 0;
- __fsetlocking(fp, FSETLOCKING_BYCALLER);
- while ((nread = getline(&buffer, &len, fp)) > 0) {
-#endif
-
- lineno++;
- if (buffer[nread - 1] == '\n')
- buffer[nread - 1] = 0;
- p = buffer;
- while (*p && isspace(*p))
- p++;
- if (!(*p) || *p == '#')
- continue;
-
- if (strncasecmp(p, "user", 4))
- BADLINE();
- p += 4;
- if (!isspace(*p))
- BADLINE();
- while (*p && isspace(*p))
- p++;
- if (!(*p))
- BADLINE();
- q = p;
- while (*p && !isspace(*p))
- p++;
- if (!(*p))
- BADLINE();
- *p++ = 0;
-
- usrdatum = hashtab_search(policydb->p_users.table, q);
- if (usrdatum) {
- /* Replacing an existing user definition. */
- ebitmap_destroy(&usrdatum->roles.roles);
- ebitmap_init(&usrdatum->roles.roles);
- } else {
- char *id = strdup(q);
-
- if (!id) {
- ERR(NULL, "out of memory");
- free(buffer);
- fclose(fp);
- return -1;
- }
-
- /* Adding a new user definition. */
- usrdatum = malloc(sizeof(user_datum_t));
- if (!usrdatum) {
- ERR(NULL, "out of memory");
- free(buffer);
- free(id);
- fclose(fp);
- return -1;
- }
-
- user_datum_init(usrdatum);
- usrdatum->s.value = ++policydb->p_users.nprim;
- if (hashtab_insert(policydb->p_users.table,
- id, (hashtab_datum_t) usrdatum)) {
- ERR(NULL, "out of memory");
- free(buffer);
- free(id);
- user_datum_destroy(usrdatum);
- free(usrdatum);
- fclose(fp);
- return -1;
- }
- }
-
- while (*p && isspace(*p))
- p++;
- if (!(*p))
- BADLINE();
- if (strncasecmp(p, "roles", 5))
- BADLINE();
- p += 5;
- if (!isspace(*p))
- BADLINE();
- while (*p && isspace(*p))
- p++;
- if (!(*p))
- BADLINE();
- if (*p == '{') {
- islist = 1;
- p++;
- } else
- islist = 0;
-
- oldc = 0;
- do {
- while (*p && isspace(*p))
- p++;
- if (!(*p))
- break;
-
- q = p;
- while (*p && *p != ';' && *p != '}' && !isspace(*p))
- p++;
- if (!(*p))
- break;
- if (*p == '}')
- islist = 0;
- oldc = *p;
- *p++ = 0;
- if (!q[0])
- break;
-
- roldatum = hashtab_search(policydb->p_roles.table, q);
- if (!roldatum) {
- ERR(NULL, "undefined role %s (%s:%u)",
- q, path, lineno);
- continue;
- }
- /* Set the role and every role it dominates */
- ebitmap_for_each_positive_bit(&roldatum->dominates, rnode, bit) {
- if (ebitmap_set_bit
- (&usrdatum->roles.roles, bit, 1)) {
- ERR(NULL, "out of memory");
- free(buffer);
- fclose(fp);
- return -1;
- }
- }
- } while (islist);
- if (oldc == 0)
- BADLINE();
-
- if (policydb->mls) {
- context_struct_t context;
- char *scontext, *r, *s;
-
- while (*p && isspace(*p))
- p++;
- if (!(*p))
- BADLINE();
- if (strncasecmp(p, "level", 5))
- BADLINE();
- p += 5;
- if (!isspace(*p))
- BADLINE();
- while (*p && isspace(*p))
- p++;
- if (!(*p))
- BADLINE();
- q = p;
- while (*p && (!isspace(*p) || strncasecmp(p + 1, "range", 5)))
- p++;
- if (!(*p) || p == q)
- BADLINE();
- *p = 0;
- p++;
-
- scontext = malloc(p - q);
- if (!scontext) {
- ERR(NULL, "out of memory");
- free(buffer);
- fclose(fp);
- return -1;
- }
- r = scontext;
- s = q;
- while (*s) {
- if (!isspace(*s))
- *r++ = *s;
- s++;
- }
- *r = 0;
- r = scontext;
-
- context_init(&context);
- if (mls_context_to_sid(policydb, oldc, &r, &context) <
- 0) {
- ERR(NULL, "invalid level %s (%s:%u)", scontext,
- path, lineno);
- free(scontext);
- continue;
-
- }
- free(scontext);
- memcpy(&usrdatum->dfltlevel, &context.range.level[0],
- sizeof(usrdatum->dfltlevel));
-
- if (strncasecmp(p, "range", 5))
- BADLINE();
- p += 5;
- if (!isspace(*p))
- BADLINE();
- while (*p && isspace(*p))
- p++;
- if (!(*p))
- BADLINE();
- q = p;
- while (*p && *p != ';')
- p++;
- if (!(*p))
- BADLINE();
- *p++ = 0;
-
- scontext = malloc(p - q);
- if (!scontext) {
- ERR(NULL, "out of memory");
- free(buffer);
- fclose(fp);
- return -1;
- }
- r = scontext;
- s = q;
- while (*s) {
- if (!isspace(*s))
- *r++ = *s;
- s++;
- }
- *r = 0;
- r = scontext;
-
- context_init(&context);
- if (mls_context_to_sid(policydb, oldc, &r, &context) <
- 0) {
- ERR(NULL, "invalid range %s (%s:%u)", scontext,
- path, lineno);
- free(scontext);
- continue;
- }
- free(scontext);
- memcpy(&usrdatum->range, &context.range,
- sizeof(usrdatum->range));
- }
- }
-
- free(buffer);
- fclose(fp);
- return 0;
-}
-
-int sepol_genusers(void *data, size_t len,
- const char *usersdir, void **newdata, size_t * newlen)
-{
- struct policydb policydb;
- char path[PATH_MAX];
-
- /* Construct policy database */
- if (policydb_init(&policydb))
- goto err;
- if (policydb_from_image(NULL, data, len, &policydb) < 0)
- goto err;
-
- /* Load locally defined users. */
- snprintf(path, sizeof path, "%s/local.users", usersdir);
- if (load_users(&policydb, path) < 0)
- goto err_destroy;
-
- /* Write policy database */
- if (policydb_to_image(NULL, &policydb, newdata, newlen) < 0)
- goto err_destroy;
-
- policydb_destroy(&policydb);
- return 0;
-
- err_destroy:
- policydb_destroy(&policydb);
-
- err:
- return -1;
-}
-
-int hidden sepol_genusers_policydb(policydb_t * policydb, const char *usersdir)
-{
- char path[PATH_MAX];
-
- /* Load locally defined users. */
- snprintf(path, sizeof path, "%s/local.users", usersdir);
- if (load_users(policydb, path) < 0) {
- ERR(NULL, "unable to load local.users: %s", strerror(errno));
- return -1;
- }
-
- if (policydb_reindex_users(policydb) < 0) {
- ERR(NULL, "unable to reindex users: %s", strerror(errno));
- return -1;
-
- }
-
- return 0;
-}
-
-/* -- End Deprecated -- */
diff --git a/libsepol/src/kernel_to_cil.c b/libsepol/src/kernel_to_cil.c
index 320af37b..ca2e4a9b 100644
--- a/libsepol/src/kernel_to_cil.c
+++ b/libsepol/src/kernel_to_cil.c
@@ -108,10 +108,12 @@ static char *cond_expr_to_str(struct policydb *pdb, struct cond_expr *expr)
return str;
exit:
- while ((new_val = strs_stack_pop(stack)) != NULL) {
- free(new_val);
+ if (stack) {
+ while ((new_val = strs_stack_pop(stack)) != NULL) {
+ free(new_val);
+ }
+ strs_stack_destroy(&stack);
}
- strs_stack_destroy(&stack);
return NULL;
}
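Review bot: The `if (stack)` guard around the pop loop and `strs_stack_destroy(&stack)` is repeated verbatim on four exit paths: here, in `constraint_expr_to_str` in the next hunk, and in the two matching hunks of kernel_to_conf.c. The stack helpers are defined outside this diff, so this is something to check rather than a confirmed gap, but making them tolerate a NULL stack would fix the problem once and spare a future caller from having to remember the guard. If the guard stays at the call sites, a one-line comment would say why it is there, for example `/* stack may be NULL if exit is reached before it was set up */`. The body of `cond_expr_to_str` starts outside the hunk.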
@@ -251,10 +253,12 @@ static char *constraint_expr_to_str(struct policydb *pdb, struct constraint_expr
return str;
exit:
- while ((new_val = strs_stack_pop(stack)) != NULL) {
- free(new_val);
+ if (stack) {
+ while ((new_val = strs_stack_pop(stack)) != NULL) {
+ free(new_val);
+ }
+ strs_stack_destroy(&stack);
}
- strs_stack_destroy(&stack);
return NULL;
}
@@ -698,6 +702,9 @@ static int write_default_range_to_cil(FILE *out, char *class_name, class_datum_t
case DEFAULT_TARGET_LOW_HIGH:
dft = "target low-high";
break;
+ case DEFAULT_GLBLUB:
+ dft = "glblub";
+ break;
default:
sepol_log_err("Unknown default type value: %i", class->default_range);
return -1;
diff --git a/libsepol/src/kernel_to_conf.c b/libsepol/src/kernel_to_conf.c
index 4f84ee8b..b4966162 100644
--- a/libsepol/src/kernel_to_conf.c
+++ b/libsepol/src/kernel_to_conf.c
@@ -106,10 +106,12 @@ static char *cond_expr_to_str(struct policydb *pdb, struct cond_expr *expr)
return str;
exit:
- while ((new_val = strs_stack_pop(stack)) != NULL) {
- free(new_val);
+ if (stack) {
+ while ((new_val = strs_stack_pop(stack)) != NULL) {
+ free(new_val);
+ }
+ strs_stack_destroy(&stack);
}
- strs_stack_destroy(&stack);
return NULL;
}
@@ -247,10 +249,12 @@ static char *constraint_expr_to_str(struct policydb *pdb, struct constraint_expr
return str;
exit:
- while ((new_val = strs_stack_pop(stack)) != NULL) {
- free(new_val);
+ if (stack) {
+ while ((new_val = strs_stack_pop(stack)) != NULL) {
+ free(new_val);
+ }
+ strs_stack_destroy(&stack);
}
- strs_stack_destroy(&stack);
return NULL;
}
@@ -448,8 +452,12 @@ static int write_sids_to_conf(FILE *out, const char *const *sid_to_str,
if (i < num_sids) {
sid = (char *)sid_to_str[i];
} else {
- snprintf(unknown, 18, "%s%u", "UNKNOWN", i);
+ snprintf(unknown, sizeof(unknown), "%s%u", "UNKNOWN", i);
sid = strdup(unknown);
+ if (!sid) {
+ rc = -1;
+ goto exit;
+ }
}
rc = strs_add_at_index(strs, sid, i);
if (rc != 0) {
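Review bot: The copy made by `strdup(unknown)` has no owner yet when `strs_add_at_index(strs, sid, i)` fails on the following line, so the string is lost on that error path unless the `if (rc != 0)` branch frees it. That branch's body and the `exit` label are outside the hunk, so this needs confirming against the full function. The `i < num_sids` branch stores a pointer into `sid_to_str` with the const cast away, so any cleanup has to distinguish the two kinds of entry. Something like `if (i >= num_sids) free(sid);` ahead of the jump would cover it.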
@@ -669,6 +677,9 @@ static int write_default_range_to_conf(FILE *out, char *class_name, class_datum_
case DEFAULT_TARGET_LOW_HIGH:
dft = "target low-high";
break;
+ case DEFAULT_GLBLUB:
+ dft = "glblub";
+ break;
default:
sepol_log_err("Unknown default type value: %i", class->default_range);
return -1;
@@ -792,6 +803,10 @@ static int write_sensitivity_rules_to_conf(FILE *out, struct policydb *pdb)
j = level->level->sens - 1;
if (!sens_alias_map[j]) {
sens_alias_map[j] = strdup(name);
+ if (!sens_alias_map[j]) {
+ rc = -1;
+ goto exit;
+ }
} else {
alias = sens_alias_map[j];
sens_alias_map[j] = create_str("%s %s", 2, alias, name);
@@ -919,6 +934,10 @@ static int write_category_rules_to_conf(FILE *out, struct policydb *pdb)
j = cat->s.value - 1;
if (!cat_alias_map[j]) {
cat_alias_map[j] = strdup(name);
+ if (!cat_alias_map[j]) {
+ rc = -1;
+ goto exit;
+ }
} else {
alias = cat_alias_map[j];
cat_alias_map[j] = create_str("%s %s", 2, alias, name);
@@ -2364,7 +2383,7 @@ static int write_sid_context_rules_to_conf(FILE *out, struct policydb *pdb, cons
if (i < num_sids) {
sid = (char *)sid_to_str[i];
} else {
- snprintf(unknown, 18, "%s%u", "UNKNOWN", i);
+ snprintf(unknown, sizeof(unknown), "%s%u", "UNKNOWN", i);
sid = unknown;
}
diff --git a/libsepol/src/libsepol.map.in b/libsepol/src/libsepol.map.in
index d879016c..f4946a79 100644
--- a/libsepol/src/libsepol.map.in
+++ b/libsepol/src/libsepol.map.in
@@ -59,3 +59,8 @@ LIBSEPOL_1.1 {
sepol_polcap_getnum;
sepol_polcap_getname;
} LIBSEPOL_1.0;
+
+LIBSEPOL_3.0 {
+ global:
+ sepol_policydb_optimize;
+} LIBSEPOL_1.1;
diff --git a/libsepol/src/link.c b/libsepol/src/link.c
index 0ded480d..83bbc8a5 100644
--- a/libsepol/src/link.c
+++ b/libsepol/src/link.c
@@ -65,7 +65,7 @@ typedef struct link_state {
char *dest_class_name;
char dest_class_req; /* flag indicating the class was not declared */
uint32_t symbol_num;
- /* used to report the name of the module if dependancy error occurs */
+ /* used to report the name of the module if dependency error occurs */
policydb_t **decl_to_mod;
/* error reporting fields */
@@ -2172,7 +2172,7 @@ static void print_missing_requirements(link_state_t * state,
* decl. If the block has an else decl, enable.
*
* This will correctly handle all dependencies, including mutual and
- * cicular. The only downside is that it is slow.
+ * circular. The only downside is that it is slow.
*/
static int enable_avrules(link_state_t * state, policydb_t * pol)
{
diff --git a/libsepol/src/mls.c b/libsepol/src/mls.c
index 63ad1bcb..6ff9a846 100644
--- a/libsepol/src/mls.c
+++ b/libsepol/src/mls.c
@@ -643,6 +643,8 @@ int mls_compute_sid(policydb_t * policydb,
return mls_context_cpy_high(newcontext, tcontext);
case DEFAULT_TARGET_LOW_HIGH:
return mls_context_cpy(newcontext, tcontext);
+ case DEFAULT_GLBLUB:
+ return mls_context_glblub(newcontext, scontext, tcontext);
}
/* Fallthrough */
diff --git a/libsepol/src/module.c b/libsepol/src/module.c
index 219355f3..3b8a0a59 100644
--- a/libsepol/src/module.c
+++ b/libsepol/src/module.c
@@ -124,8 +124,10 @@ int sepol_module_package_create(sepol_module_package_t ** p)
return -1;
rc = module_package_init(*p);
- if (rc < 0)
+ if (rc < 0) {
free(*p);
+ *p = NULL;
+ }
return rc;
}
diff --git a/libsepol/src/module_to_cil.c b/libsepol/src/module_to_cil.c
index da62c8aa..e20c3d44 100644
--- a/libsepol/src/module_to_cil.c
+++ b/libsepol/src/module_to_cil.c
@@ -54,6 +54,7 @@
#include "kernel_to_common.h"
#include "private.h"
+#include "module_internal.h"
#ifdef __GNUC__
# define UNUSED(x) UNUSED_ ## x __attribute__((__unused__))
@@ -1322,7 +1323,7 @@ static int cond_expr_to_cil(int indent, struct policydb *pdb, struct cond_expr *
// length = length of parameters +
// length of operator +
- // 1 space preceeding each parameter +
+ // 1 space preceding each parameter +
// 2 parens around the whole expression
// + null terminator
len = strlen(val1) + strlen(val2) + strlen(op) + (num_params * 1) + 2 + 1;
@@ -1852,7 +1853,7 @@ static int constraint_expr_to_string(struct policydb *pdb, struct constraint_exp
// length = length of parameters +
// length of operator +
- // 1 space preceeding each parameter +
+ // 1 space preceding each parameter +
// 2 parens around the whole expression
// + null terminator
len = strlen(val1) + strlen(val2) + strlen(op) + (num_params * 1) + 2 + 1;
@@ -2032,6 +2033,7 @@ static int class_to_cil(int indent, struct policydb *pdb, struct avrule_block *U
case DEFAULT_TARGET_LOW: dflt = "target low"; break;
case DEFAULT_TARGET_HIGH: dflt = "target high"; break;
case DEFAULT_TARGET_LOW_HIGH: dflt = "target low-high"; break;
+ case DEFAULT_GLBLUB: dflt = "glblub"; break;
default:
log_err("Unknown default range value: %i", class->default_range);
rc = -1;
diff --git a/libsepol/src/optimize.c b/libsepol/src/optimize.c
new file mode 100644
index 00000000..1e5e97e8
--- /dev/null
+++ b/libsepol/src/optimize.c
@@ -0,0 +1,378 @@
+/*
+ * Author: Ondrej Mosnacek <omosnacek@gmail.com>
+ *
+ * Copyright (C) 2019 Red Hat Inc.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+ */
+
+/*
+ * Binary policy optimization.
+ *
+ * Defines the policydb_optimize() function, which finds and removes
+ * redundant rules from the binary policy to reduce its size and potentially
+ * improve rule matching times. Only rules that are already covered by a
+ * more general rule are removed. The resulting policy is functionally
+ * equivalent to the original one.
+ */
+
+#include <sepol/policydb/policydb.h>
+#include <sepol/policydb/conditional.h>
+
+/* builds map: type/attribute -> {all attributes that are a superset of it} */
+static ebitmap_t *build_type_map(const policydb_t *p)
+{
+ unsigned int i, k;
+ ebitmap_t *map = malloc(p->p_types.nprim * sizeof(ebitmap_t));
+ if (!map)
+ return NULL;
+
+ for (i = 0; i < p->p_types.nprim; i++) {
+ if (p->type_val_to_struct[i] &&
+ p->type_val_to_struct[i]->flavor != TYPE_ATTRIB) {
+ if (ebitmap_cpy(&map[i], &p->type_attr_map[i]))
+ goto err;
+ } else {
+ ebitmap_t *types_i = &p->attr_type_map[i];
+
+ ebitmap_init(&map[i]);
+ for (k = 0; k < p->p_types.nprim; k++) {
+ ebitmap_t *types_k = &p->attr_type_map[k];
+
+ if (ebitmap_contains(types_k, types_i)) {
+ if (ebitmap_set_bit(&map[i], k, 1))
+ goto err;
+ }
+ }
+ }
+ }
+ return map;
+err:
+ for (k = 0; k <= i; k++)
+ ebitmap_destroy(&map[k]);
+ free(map);
+ return NULL;
+}
+
+static void destroy_type_map(const policydb_t *p, ebitmap_t *type_map)
+{
+ unsigned int i;
+ for (i = 0; i < p->p_types.nprim; i++)
+ ebitmap_destroy(&type_map[i]);
+ free(type_map);
+}
+
+static int process_xperms(uint32_t *p1, const uint32_t *p2)
+{
+ size_t i;
+ int ret = 1;
+
+ for (i = 0; i < EXTENDED_PERMS_LEN; i++) {
+ p1[i] &= ~p2[i];
+ if (p1[i] != 0)
+ ret = 0;
+ }
+ return ret;
+}
+
+static int process_avtab_datum(uint16_t specified,
+ avtab_datum_t *d1, const avtab_datum_t *d2)
+{
+ /* inverse logic needed for AUDITDENY rules */
+ if (specified & AVTAB_AUDITDENY)
+ return (d1->data |= ~d2->data) == UINT32_C(0xFFFFFFFF);
+
+ if (specified & AVTAB_AV)
+ return (d1->data &= ~d2->data) == 0;
+
+ if (specified & AVTAB_XPERMS) {
+ avtab_extended_perms_t *x1 = d1->xperms;
+ const avtab_extended_perms_t *x2 = d2->xperms;
+
+ if (x1->specified == AVTAB_XPERMS_IOCTLFUNCTION) {
+ if (x2->specified == AVTAB_XPERMS_IOCTLFUNCTION) {
+ if (x1->driver != x2->driver)
+ return 0;
+ return process_xperms(x1->perms, x2->perms);
+ }
+ if (x2->specified == AVTAB_XPERMS_IOCTLDRIVER)
+ return xperm_test(x1->driver, x2->perms);
+ } else if (x1->specified == AVTAB_XPERMS_IOCTLDRIVER) {
+ if (x2->specified == AVTAB_XPERMS_IOCTLFUNCTION)
+ return 0;
+
+ if (x2->specified == AVTAB_XPERMS_IOCTLDRIVER)
+ return process_xperms(x1->perms, x2->perms);
+ }
+ return 0;
+ }
+ return 0;
+}
+
+/* checks if avtab contains a rule that covers the given rule */
+static int is_avrule_redundant(avtab_ptr_t entry, avtab_t *tab,
+ const ebitmap_t *type_map, unsigned char not_cond)
+{
+ unsigned int i, k, s_idx, t_idx;
+ ebitmap_node_t *snode, *tnode;
+ avtab_datum_t *d1, *d2;
+ avtab_key_t key;
+
+ /* we only care about AV rules */
+ if (!(entry->key.specified & (AVTAB_AV|AVTAB_XPERMS)))
+ return 0;
+
+ s_idx = entry->key.source_type - 1;
+ t_idx = entry->key.target_type - 1;
+
+ key.target_class = entry->key.target_class;
+ key.specified = entry->key.specified;
+
+ d1 = &entry->datum;
+
+ ebitmap_for_each_positive_bit(&type_map[s_idx], snode, i) {
+ key.source_type = i + 1;
+
+ ebitmap_for_each_positive_bit(&type_map[t_idx], tnode, k) {
+ if (not_cond && s_idx == i && t_idx == k)
+ continue;
+
+ key.target_type = k + 1;
+
+ d2 = avtab_search(tab, &key);
+ if (!d2)
+ continue;
+
+ if (process_avtab_datum(key.specified, d1, d2))
+ return 1;
+ }
+ }
+ return 0;
+}
+
+static int is_type_attr(policydb_t *p, unsigned int id)
+{
+ return p->type_val_to_struct[id]->flavor == TYPE_ATTRIB;
+}
+
+static int is_avrule_with_attr(avtab_ptr_t entry, policydb_t *p)
+{
+ unsigned int s_idx = entry->key.source_type - 1;
+ unsigned int t_idx = entry->key.target_type - 1;
+
+ return is_type_attr(p, s_idx) || is_type_attr(p, t_idx);
+}
+
+/* checks if conditional list contains a rule that covers the given rule */
+static int is_cond_rule_redundant(avtab_ptr_t e1, cond_av_list_t *list,
+ const ebitmap_t *type_map)
+{
+ unsigned int s1, t1, c1, k1, s2, t2, c2, k2;
+
+ /* we only care about AV rules */
+ if (!(e1->key.specified & (AVTAB_AV|AVTAB_XPERMS)))
+ return 0;
+
+ s1 = e1->key.source_type - 1;
+ t1 = e1->key.target_type - 1;
+ c1 = e1->key.target_class;
+ k1 = e1->key.specified;
+
+ for (; list; list = list->next) {
+ avtab_ptr_t e2 = list->node;
+
+ s2 = e2->key.source_type - 1;
+ t2 = e2->key.target_type - 1;
+ c2 = e2->key.target_class;
+ k2 = e2->key.specified;
+
+ if (k1 != k2 || c1 != c2)
+ continue;
+
+ if (s1 == s2 && t1 == t2)
+ continue;
+ if (!ebitmap_get_bit(&type_map[s1], s2))
+ continue;
+ if (!ebitmap_get_bit(&type_map[t1], t2))
+ continue;
+
+ if (process_avtab_datum(k1, &e1->datum, &e2->datum))
+ return 1;
+ }
+ return 0;
+}
+
+static void optimize_avtab(policydb_t *p, const ebitmap_t *type_map)
+{
+ avtab_t *tab = &p->te_avtab;
+ unsigned int i;
+ avtab_ptr_t *cur;
+
+ for (i = 0; i < tab->nslot; i++) {
+ cur = &tab->htable[i];
+ while (*cur) {
+ if (is_avrule_redundant(*cur, tab, type_map, 1)) {
+ /* redundant rule -> remove it */
+ avtab_ptr_t tmp = *cur;
+
+ *cur = tmp->next;
+ if (tmp->key.specified & AVTAB_XPERMS)
+ free(tmp->datum.xperms);
+ free(tmp);
+
+ tab->nel--;
+ } else {
+ /* rule not redundant -> move to next rule */
+ cur = &(*cur)->next;
+ }
+ }
+ }
+}
+
+/* find redundant rules in (*cond) and put them into (*del) */
+static void optimize_cond_av_list(cond_av_list_t **cond, cond_av_list_t **del,
+ policydb_t *p, const ebitmap_t *type_map)
+{
+ cond_av_list_t **listp = cond;
+ cond_av_list_t *pcov = NULL;
+ cond_av_list_t **pcov_cur;
+
+ /*
+ * Separate out all "potentially covering" rules (src or tgt is an attr)
+ * and move them to the end of the list. This is needed to avoid
+ * polynomial complexity when almost all rules are expanded.
+ */
+ while (*cond) {
+ if (is_avrule_with_attr((*cond)->node, p)) {
+ cond_av_list_t *tmp = *cond;
+
+ *cond = tmp->next;
+ tmp->next = pcov;
+ pcov = tmp;
+ } else {
+ cond = &(*cond)->next;
+ }
+ }
+ /* link the "potentially covering" rules to the end of the list */
+ *cond = pcov;
+
+ /* now go through the list and find the redundant rules */
+ cond = listp;
+ pcov_cur = &pcov;
+ while (*cond) {
+ /* needed because pcov itself may get deleted */
+ if (*cond == pcov)
+ pcov_cur = cond;
+ /*
+ * First check if covered by an unconditional rule, then also
+ * check if covered by another rule in the same list.
+ */
+ if (is_avrule_redundant((*cond)->node, &p->te_avtab, type_map, 0) ||
+ is_cond_rule_redundant((*cond)->node, *pcov_cur, type_map)) {
+ cond_av_list_t *tmp = *cond;
+
+ *cond = tmp->next;
+ tmp->next = *del;
+ *del = tmp;
+ } else {
+ cond = &(*cond)->next;
+ }
+ }
+}
+
+static void optimize_cond_avtab(policydb_t *p, const ebitmap_t *type_map)
+{
+ avtab_t *tab = &p->te_cond_avtab;
+ unsigned int i;
+ avtab_ptr_t *cur;
+ cond_node_t **cond;
+ cond_av_list_t **avcond, *del = NULL;
+
+ /* First go through all conditionals and collect redundant rules. */
+ cond = &p->cond_list;
+ while (*cond) {
+ optimize_cond_av_list(&(*cond)->true_list, &del, p, type_map);
+ optimize_cond_av_list(&(*cond)->false_list, &del, p, type_map);
+ /* TODO: maybe also check for rules present in both lists */
+
+ /* nothing left in both lists -> remove the whole conditional */
+ if (!(*cond)->true_list && !(*cond)->false_list) {
+ cond_node_t *cond_tmp = *cond;
+
+ *cond = cond_tmp->next;
+ cond_node_destroy(cond_tmp);
+ free(cond_tmp);
+ } else {
+ cond = &(*cond)->next;
+ }
+ }
+
+ if (!del)
+ return;
+
+ /*
+ * Now go through the whole cond_avtab and remove all rules that are
+ * found in the 'del' list.
+ */
+ for (i = 0; i < tab->nslot; i++) {
+ cur = &tab->htable[i];
+ while (*cur) {
+ int redundant = 0;
+ avcond = &del;
+ while (*avcond) {
+ if ((*avcond)->node == *cur) {
+ cond_av_list_t *cond_tmp = *avcond;
+
+ *avcond = cond_tmp->next;
+ free(cond_tmp);
+ redundant = 1;
+ break;
+ } else {
+ avcond = &(*avcond)->next;
+ }
+ }
+ if (redundant) {
+ avtab_ptr_t tmp = *cur;
+
+ *cur = tmp->next;
+ if (tmp->key.specified & AVTAB_XPERMS)
+ free(tmp->datum.xperms);
+ free(tmp);
+
+ tab->nel--;
+ } else {
+ cur = &(*cur)->next;
+ }
+ }
+ }
+}
+
+int policydb_optimize(policydb_t *p)
+{
+ ebitmap_t *type_map;
+
+ if (p->policy_type != POLICY_KERN)
+ return -1;
+
+ type_map = build_type_map(p);
+ if (!type_map)
+ return -1;
+
+ optimize_avtab(p, type_map);
+ optimize_cond_avtab(p, type_map);
+
+ destroy_type_map(p, type_map);
+ return 0;
+}
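Review bot: `is_type_attr()` dereferences `p->type_val_to_struct[id]` unconditionally, while `build_type_map()` in the same file treats a NULL entry as possible (`p->type_val_to_struct[i] && ...`), so a conditional rule whose source or target refers to such a gap would fault in `is_avrule_with_attr()`. The check can mirror the earlier one: `return p->type_val_to_struct[id] && p->type_val_to_struct[id]->flavor == TYPE_ATTRIB;`. Relatedly, `is_avrule_redundant()` and `is_cond_rule_redundant()` index `type_map` with `key.source_type - 1` and `key.target_type - 1` without comparing against `p->p_types.nprim`, so they depend on the avtab keys having been range-checked before `policydb_optimize()` runs. A comment on `policydb_optimize()` stating that precondition would make the trust boundary explicit. The comments on the two `is_*_redundant` helpers should also say that they modify the entry's datum in place through `process_avtab_datum()`, since the names read as pure predicates.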
diff --git a/libsepol/src/policydb.c b/libsepol/src/policydb.c
index 69bcb4d5..67037b6d 100644
--- a/libsepol/src/policydb.c
+++ b/libsepol/src/policydb.c
@@ -195,6 +195,13 @@ static struct policydb_compat_info policydb_compat[] = {
.target_platform = SEPOL_TARGET_SELINUX,
},
{
+ .type = POLICY_KERN,
+ .version = POLICYDB_VERSION_GLBLUB,
+ .sym_num = SYM_NUM,
+ .ocon_num = OCON_IBENDPORT + 1,
+ .target_platform = SEPOL_TARGET_SELINUX,
+ },
+ {
.type = POLICY_BASE,
.version = MOD_POLICYDB_VERSION_BASE,
.sym_num = SYM_NUM,
@@ -307,6 +314,13 @@ static struct policydb_compat_info policydb_compat[] = {
.target_platform = SEPOL_TARGET_SELINUX,
},
{
+ .type = POLICY_BASE,
+ .version = MOD_POLICYDB_VERSION_GLBLUB,
+ .sym_num = SYM_NUM,
+ .ocon_num = OCON_IBENDPORT + 1,
+ .target_platform = SEPOL_TARGET_SELINUX,
+ },
+ {
.type = POLICY_MOD,
.version = MOD_POLICYDB_VERSION_BASE,
.sym_num = SYM_NUM,
@@ -418,6 +432,14 @@ static struct policydb_compat_info policydb_compat[] = {
.ocon_num = 0,
.target_platform = SEPOL_TARGET_SELINUX,
},
+ {
+ .type = POLICY_MOD,
+ .version = MOD_POLICYDB_VERSION_GLBLUB,
+ .sym_num = SYM_NUM,
+ .ocon_num = 0,
+ .target_platform = SEPOL_TARGET_SELINUX,
+ },
+
};
#if 0
diff --git a/libsepol/src/policydb_public.c b/libsepol/src/policydb_public.c
index e7218423..747a43ff 100644
--- a/libsepol/src/policydb_public.c
+++ b/libsepol/src/policydb_public.c
@@ -169,6 +169,11 @@ int sepol_policydb_set_target_platform(sepol_policydb_t * sp,
return 0;
}
+int sepol_policydb_optimize(sepol_policydb_t * p)
+{
+ return policydb_optimize(&p->p);
+}
+
int sepol_policydb_read(sepol_policydb_t * p, sepol_policy_file_t * pf)
{
return policydb_read(&p->p, &pf->pf, 0);
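Review bot: `sepol_policydb_optimize()` is a new public entry point with no comment stating its contract. `policydb_optimize()`, visible earlier in this diff, returns -1 both when the policy is not POLICY_KERN and when the type map cannot be built, and it removes entries from the policy's conditional avtab in place. Callers of a function that drops rules from a MAC policy should be told this, for example with `/* Remove redundant rules from a kernel policy in place; returns 0 on success, -1 if the policy is not POLICY_KERN or the type map cannot be built. */` above the definition. The wrapper also dereferences `p` unchecked, which matches the neighbouring wrappers but is worth stating in the same comment.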
diff --git a/libsepol/src/services.c b/libsepol/src/services.c
index 303a138c..3758436f 100644
--- a/libsepol/src/services.c
+++ b/libsepol/src/services.c
@@ -1134,13 +1134,13 @@ int hidden sepol_compute_av_reason(sepol_security_id_t ssid,
scontext = sepol_sidtab_search(sidtab, ssid);
if (!scontext) {
- ERR(NULL, "unrecognized SID %d", ssid);
+ ERR(NULL, "unrecognized source SID %d", ssid);
rc = -EINVAL;
goto out;
}
tcontext = sepol_sidtab_search(sidtab, tsid);
if (!tcontext) {
- ERR(NULL, "unrecognized SID %d", tsid);
+ ERR(NULL, "unrecognized target SID %d", tsid);
rc = -EINVAL;
goto out;
}
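Review bot: The reworded messages still print the SID with `%d`. If `sepol_security_id_t` is an unsigned 32-bit type (its typedef is not in this hunk), a SID above INT_MAX is logged as a negative number, which makes the error harder to match against the SID table. `ERR(NULL, "unrecognized source SID %u", ssid);` and the same form for `tsid` would avoid that. The two messages in the sepol_compute_av_reason_buffer hunk that follows have the same issue, and both function bodies start and end outside their hunks.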
@@ -1170,13 +1170,13 @@ int hidden sepol_compute_av_reason_buffer(sepol_security_id_t ssid,
scontext = sepol_sidtab_search(sidtab, ssid);
if (!scontext) {
- ERR(NULL, "unrecognized SID %d", ssid);
+ ERR(NULL, "unrecognized source SID %d", ssid);
rc = -EINVAL;
goto out;
}
tcontext = sepol_sidtab_search(sidtab, tsid);
if (!tcontext) {
- ERR(NULL, "unrecognized SID %d", tsid);
+ ERR(NULL, "unrecognized target SID %d", tsid);
rc = -EINVAL;
goto out;
}
diff --git a/libsepol/src/write.c b/libsepol/src/write.c
index dee7b4a3..c6be2be2 100644
--- a/libsepol/src/write.c
+++ b/libsepol/src/write.c
@@ -46,6 +46,11 @@
#include "private.h"
#include "mls.h"
+#define glblub_version ((p->policy_type == POLICY_KERN && \
+ p->policyvers >= POLICYDB_VERSION_GLBLUB) || \
+ (p->policy_type == POLICY_BASE && \
+ p->policyvers >= MOD_POLICYDB_VERSION_GLBLUB))
+
struct policy_data {
struct policy_file *fp;
struct policydb *p;
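Review bot: `glblub_version` is a lowercase object-like macro that silently reads a variable named `p` from whatever scope it expands in. It therefore looks like a plain variable at the use site, and it binds to the wrong object or fails to compile wherever `p` means something else. A file-local helper declared as `static int glblub_version(const struct policydb *p)` with the same expression, called as `glblub_version(p)`, keeps the dependency visible and type-checked. If the macro stays, an upper-case name and a comment that it expects a `struct policydb *p` in scope would at least make that explicit.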
@@ -1034,6 +1039,13 @@ static int class_write(hashtab_key_t key, hashtab_datum_t datum, void *ptr)
p->policyvers >= MOD_POLICYDB_VERSION_NEW_OBJECT_DEFAULTS)) {
buf[0] = cpu_to_le32(cladatum->default_user);
buf[1] = cpu_to_le32(cladatum->default_role);
+ if (!glblub_version && cladatum->default_range == DEFAULT_GLBLUB) {
+ WARN(fp->handle,
+ "class %s default_range set to GLBLUB but policy version is %d (%d required), discarding",
+ p->p_class_val_to_name[cladatum->s.value - 1], p->policyvers,
+ p->policy_type == POLICY_KERN? POLICYDB_VERSION_GLBLUB:MOD_POLICYDB_VERSION_GLBLUB);
+ cladatum->default_range = 0;
+ }
buf[2] = cpu_to_le32(cladatum->default_range);
items = put_entry(buf, sizeof(uint32_t), 3, fp);
if (items != 3)
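Review bot: The downgrade branch assigns `cladatum->default_range = 0` on the in-memory class datum, so writing the policy changes the policydb it was given. After one write at an older version, a later write of the same policydb at a GLBLUB-capable version no longer carries the setting. Holding the value in a local, `uint32_t default_range = cladatum->default_range;`, resetting that local in the branch and emitting `buf[2] = cpu_to_le32(default_range);` leaves the caller's policy intact. Dropping default_range also changes the MLS range that new objects of the class receive, so it is worth deciding whether a WARN is enough or the write should fail; that depends on how callers treat downgrades, which this hunk does not show. class_write's body starts and ends outside the hunk.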
diff --git a/libsepol/tests/helpers.h b/libsepol/tests/helpers.h
index 10d39094..fa84cfab 100644
--- a/libsepol/tests/helpers.h
+++ b/libsepol/tests/helpers.h
@@ -24,9 +24,38 @@
#include <sepol/policydb/policydb.h>
#include <sepol/policydb/conditional.h>
+#include <CUnit/Basic.h>
/* helper functions */
+/* Override CU_*_FATAL() in order to help static analyzers by really asserting that an assertion holds */
+#ifdef __CHECKER__
+
+#include <assert.h>
+
+#undef CU_ASSERT_FATAL
+#define CU_ASSERT_FATAL(value) do { \
+ int _value = (value); \
+ CU_ASSERT(_value); \
+ assert(_value); \
+ } while (0)
+
+#undef CU_FAIL_FATAL
+#define CU_FAIL_FATAL(msg) do { \
+ CU_FAIL(msg); \
+ assert(0); \
+ } while (0)
+
+#undef CU_ASSERT_PTR_NOT_NULL_FATAL
+#define CU_ASSERT_PTR_NOT_NULL_FATAL(value) do { \
+ const void *_value = (value); \
+ CU_ASSERT_PTR_NOT_NULL(_value); \
+ assert(_value != NULL); \
+ } while (0)
+
+#endif /* __CHECKER__ */
+
+
/* Load a source policy into p. policydb_init will called within this function.
*
* Example: test_load_policy(p, POLICY_BASE, 1, "foo", "base.conf") will load the
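Review bot: `int _value = (value);` in the CU_ASSERT_FATAL override narrows the tested expression to int before checking it, so a pointer argument draws a conversion warning and a wide integer whose low 32 bits are zero is treated as false. `int _value = !!(value);` keeps only the truth value. The inner `CU_ASSERT(_value)` also records the text `_value` instead of the original expression in the CUnit report, which matters only if the `__CHECKER__` build's test output is read. Since `assert()` is compiled out under NDEBUG, the block comment should also say that the checker build must not define NDEBUG.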
diff --git a/libsepol/tests/policies/test-deps/base-metreq.conf b/libsepol/tests/policies/test-deps/base-metreq.conf
index bfb4c56b..3e2f8407 100644
--- a/libsepol/tests/policies/test-deps/base-metreq.conf
+++ b/libsepol/tests/policies/test-deps/base-metreq.conf
@@ -346,7 +346,7 @@ class system
}
#
-# Define the access vector interpretation for controling capabilies
+# Define the access vector interpretation for controlling capabilities
#
class capability
diff --git a/libsepol/tests/policies/test-deps/base-notmetreq.conf b/libsepol/tests/policies/test-deps/base-notmetreq.conf
index f2630e7b..8ff3d204 100644
--- a/libsepol/tests/policies/test-deps/base-notmetreq.conf
+++ b/libsepol/tests/policies/test-deps/base-notmetreq.conf
@@ -341,7 +341,7 @@ class system
}
#
-# Define the access vector interpretation for controling capabilies
+# Define the access vector interpretation for controlling capabilities
#
class capability
diff --git a/libsepol/tests/policies/test-deps/small-base.conf b/libsepol/tests/policies/test-deps/small-base.conf
index 7c1cbe49..1411e624 100644
--- a/libsepol/tests/policies/test-deps/small-base.conf
+++ b/libsepol/tests/policies/test-deps/small-base.conf
@@ -346,7 +346,7 @@ class system
}
#
-# Define the access vector interpretation for controling capabilies
+# Define the access vector interpretation for controlling capabilities
#
class capability
diff --git a/libsepol/tests/policies/test-expander/alias-base.conf b/libsepol/tests/policies/test-expander/alias-base.conf
index 4ed46d24..57d4520e 100644
--- a/libsepol/tests/policies/test-expander/alias-base.conf
+++ b/libsepol/tests/policies/test-expander/alias-base.conf
@@ -346,7 +346,7 @@ class system
}
#
-# Define the access vector interpretation for controling capabilies
+# Define the access vector interpretation for controlling capabilities
#
class capability
diff --git a/libsepol/tests/policies/test-expander/role-base.conf b/libsepol/tests/policies/test-expander/role-base.conf
index b43389fa..a603390b 100644
--- a/libsepol/tests/policies/test-expander/role-base.conf
+++ b/libsepol/tests/policies/test-expander/role-base.conf
@@ -346,7 +346,7 @@ class system
}
#
-# Define the access vector interpretation for controling capabilies
+# Define the access vector interpretation for controlling capabilities
#
class capability
diff --git a/libsepol/tests/policies/test-expander/small-base.conf b/libsepol/tests/policies/test-expander/small-base.conf
index 7c5d77af..20005e3f 100644
--- a/libsepol/tests/policies/test-expander/small-base.conf
+++ b/libsepol/tests/policies/test-expander/small-base.conf
@@ -346,7 +346,7 @@ class system
}
#
-# Define the access vector interpretation for controling capabilies
+# Define the access vector interpretation for controlling capabilities
#
class capability
diff --git a/libsepol/tests/policies/test-expander/user-base.conf b/libsepol/tests/policies/test-expander/user-base.conf
index b60672fa..1f84fd76 100644
--- a/libsepol/tests/policies/test-expander/user-base.conf
+++ b/libsepol/tests/policies/test-expander/user-base.conf
@@ -346,7 +346,7 @@ class system
}
#
-# Define the access vector interpretation for controling capabilies
+# Define the access vector interpretation for controlling capabilities
#
class capability
diff --git a/libsepol/tests/policies/test-hooks/cmp_policy.conf b/libsepol/tests/policies/test-hooks/cmp_policy.conf
index ec1e2342..1eccf4a8 100644
--- a/libsepol/tests/policies/test-hooks/cmp_policy.conf
+++ b/libsepol/tests/policies/test-hooks/cmp_policy.conf
@@ -346,7 +346,7 @@ class system
}
#
-# Define the access vector interpretation for controling capabilies
+# Define the access vector interpretation for controlling capabilities
#
class capability
diff --git a/libsepol/tests/policies/test-hooks/small-base.conf b/libsepol/tests/policies/test-hooks/small-base.conf
index ec1e2342..1eccf4a8 100644
--- a/libsepol/tests/policies/test-hooks/small-base.conf
+++ b/libsepol/tests/policies/test-hooks/small-base.conf
@@ -346,7 +346,7 @@ class system
}
#
-# Define the access vector interpretation for controling capabilies
+# Define the access vector interpretation for controlling capabilities
#
class capability
diff --git a/libsepol/tests/policies/test-linker/small-base.conf b/libsepol/tests/policies/test-linker/small-base.conf
index 3a66f913..2bc14656 100644
--- a/libsepol/tests/policies/test-linker/small-base.conf
+++ b/libsepol/tests/policies/test-linker/small-base.conf
@@ -346,7 +346,7 @@ class system
}
#
-# Define the access vector interpretation for controling capabilies
+# Define the access vector interpretation for controlling capabilities
#
class capability
diff --git a/libsepol/tests/test-common.c b/libsepol/tests/test-common.c
index e6619ed1..f690635e 100644
--- a/libsepol/tests/test-common.c
+++ b/libsepol/tests/test-common.c
@@ -26,6 +26,8 @@
#include <CUnit/Basic.h>
+#include "helpers.h"
+
void test_sym_presence(policydb_t * p, const char *id, int sym_type, unsigned int scope_type, unsigned int *decls, unsigned int len)
{
scope_datum_t *scope;
@@ -228,13 +230,16 @@ void test_attr_types(policydb_t * p, const char *id, avrule_decl_t * decl, const
unsigned int i;
type_datum_t *attr;
- if (decl)
+ if (decl) {
attr = hashtab_search(decl->p_types.table, id);
- else
+ if (attr == NULL)
+ printf("could not find attr %s in decl %d\n", id, decl->decl_id);
+ } else {
attr = hashtab_search(p->p_types.table, id);
+ if (attr == NULL)
+ printf("could not find attr %s in policy\n", id);
+ }
- if (attr == NULL)
- printf("could not find attr %s in decl %d\n", id, decl->decl_id);
CU_ASSERT_FATAL(attr != NULL);
CU_ASSERT(attr->flavor == TYPE_ATTRIB);
CU_ASSERT(attr->primary == 1);
diff --git a/libsepol/tests/test-deps.c b/libsepol/tests/test-deps.c
index f495087a..f4ab09ba 100644
--- a/libsepol/tests/test-deps.c
+++ b/libsepol/tests/test-deps.c
@@ -66,6 +66,8 @@
#include <sepol/debug.h>
#include <sepol/handle.h>
+#include "helpers.h"
+
#define BASE_MODREQ_TYPE_GLOBAL 0
#define BASE_MODREQ_ATTR_GLOBAL 1
#define BASE_MODREQ_OBJ_GLOBAL 2
@@ -126,7 +128,7 @@ int deps_test_cleanup(void)
* symbols. It is capable of testing 2 scenarios - the dependencies are met
* and the dependencies are not met.
*
- * Paramaters:
+ * Parameters:
* req_met boolean indicating whether the base policy meets the
* requirements for the modules global block.
* b index of the base policy in the global bases_met array.
@@ -209,7 +211,7 @@ static void deps_modreq_global(void)
* symbols. It is capable of testing 2 scenarios - the dependencies are met
* and the dependencies are not met.
*
- * Paramaters:
+ * Parameters:
* req_met boolean indicating whether the base policy meets the
* requirements for the modules global block.
* b index of the base policy in the global bases_met array.
diff --git a/libsepol/tests/test-downgrade.c b/libsepol/tests/test-downgrade.c
index 963f3fab..f1b0ebb9 100644
--- a/libsepol/tests/test-downgrade.c
+++ b/libsepol/tests/test-downgrade.c
@@ -97,7 +97,7 @@ int downgrade_add_tests(CU_pSuite suite)
* Output: None
*
* Description:
- * Tests the backward compatability of MLS and Non-MLS binary policy versions.
+ * Tests the backward compatibility of MLS and Non-MLS binary policy versions.
*/
void test_downgrade(void)
{
diff --git a/libsepol/tests/test-downgrade.h b/libsepol/tests/test-downgrade.h
index 10a7c3ba..4105defa 100644
--- a/libsepol/tests/test-downgrade.h
+++ b/libsepol/tests/test-downgrade.h
@@ -65,7 +65,7 @@ int downgrade_add_tests(CU_pSuite suite);
*
* Output: None
*
- * Description: Tests the backward compatability of MLS and Non-MLS binary
+ * Description: Tests the backward compatibility of MLS and Non-MLS binary
* policy versions.
*/
void test_downgrade(void);
diff --git a/libsepol/tests/test-expander-attr-map.c b/libsepol/tests/test-expander-attr-map.c
index b2f59aee..a9744541 100644
--- a/libsepol/tests/test-expander-attr-map.c
+++ b/libsepol/tests/test-expander-attr-map.c
@@ -21,6 +21,7 @@
#include "test-expander-attr-map.h"
#include "test-common.h"
+#include "helpers.h"
#include <sepol/policydb/policydb.h>
#include <CUnit/Basic.h>
@@ -30,7 +31,7 @@ extern policydb_t base_expanded2;
void test_expander_attr_mapping(void)
{
- /* note that many cases are ommitted because they don't make sense
+ /* note that many cases are omitted because they don't make sense
(i.e. declaring in an optional and then using it in the base) or
because declare in optional then require in a different optional
logic still doesn't work */
diff --git a/libsepol/tests/test-expander-roles.c b/libsepol/tests/test-expander-roles.c
index aba3c9bd..74c781b8 100644
--- a/libsepol/tests/test-expander-roles.c
+++ b/libsepol/tests/test-expander-roles.c
@@ -22,6 +22,7 @@
#include "test-expander-roles.h"
#include "test-common.h"
+#include "helpers.h"
#include <sepol/policydb/policydb.h>
#include <CUnit/Basic.h>
diff --git a/libsepol/tests/test-expander-users.c b/libsepol/tests/test-expander-users.c
index 9d9c7a62..ab2265c1 100644
--- a/libsepol/tests/test-expander-users.c
+++ b/libsepol/tests/test-expander-users.c
@@ -21,6 +21,7 @@
*/
#include "test-expander-users.h"
+#include "helpers.h"
#include <sepol/policydb/policydb.h>
#include <CUnit/Basic.h>
diff --git a/libsepol/tests/test-linker-cond-map.c b/libsepol/tests/test-linker-cond-map.c
index 712d9914..b02e7881 100644
--- a/libsepol/tests/test-linker-cond-map.c
+++ b/libsepol/tests/test-linker-cond-map.c
@@ -93,7 +93,7 @@ void base_cond_tests(policydb_t * base)
/* these tests look at booleans and conditionals in the base only
* to ensure that they aren't altered or removed during the link process */
- /* bool existance and state, global scope */
+ /* bool existence and state, global scope */
d = test_find_decl_by_sym(base, SYM_TYPES, "tag_g_b");
decls[0] = d->decl_id;
test_sym_presence(base, "g_b_bool_1", SYM_BOOLS, SCOPE_DECL, decls, 1);
@@ -103,7 +103,7 @@ void base_cond_tests(policydb_t * base)
bools[0].expr_type = COND_BOOL;
test_cond_expr_mapping(base, d, bools, 1);
- /* bool existance and state, optional scope */
+ /* bool existence and state, optional scope */
d = test_find_decl_by_sym(base, SYM_TYPES, "tag_o1_b");
decls[0] = d->decl_id;
test_sym_presence(base, "o1_b_bool_1", SYM_BOOLS, SCOPE_DECL, decls, 1);
@@ -121,7 +121,7 @@ void module_cond_tests(policydb_t * base)
unsigned int decls[1];
test_cond_expr_t bools[3];
- /* bool existance and state, module 1 global scope */
+ /* bool existence and state, module 1 global scope */
d = test_find_decl_by_sym(base, SYM_TYPES, "tag_g_m1");
decls[0] = d->decl_id;
test_sym_presence(base, "g_m1_bool_1", SYM_BOOLS, SCOPE_DECL, decls, 1);
@@ -131,7 +131,7 @@ void module_cond_tests(policydb_t * base)
bools[0].expr_type = COND_BOOL;
test_cond_expr_mapping(base, d, bools, 1);
- /* bool existance and state, module 1 optional scope */
+ /* bool existence and state, module 1 optional scope */
d = test_find_decl_by_sym(base, SYM_TYPES, "tag_o1_m1");
decls[0] = d->decl_id;
test_sym_presence(base, "o1_m1_bool_1", SYM_BOOLS, SCOPE_DECL, decls, 1);
@@ -141,7 +141,7 @@ void module_cond_tests(policydb_t * base)
bools[0].expr_type = COND_BOOL;
test_cond_expr_mapping(base, d, bools, 1);
- /* bool existance and state, module 2 global scope */
+ /* bool existence and state, module 2 global scope */
d = test_find_decl_by_sym(base, SYM_TYPES, "tag_g_m2");
decls[0] = d->decl_id;
test_sym_presence(base, "g_m2_bool_1", SYM_BOOLS, SCOPE_DECL, decls, 1);
diff --git a/mcstrans/VERSION b/mcstrans/VERSION
index 8c269150..9f55b2cc 100644
--- a/mcstrans/VERSION
+++ b/mcstrans/VERSION
@@ -1 +1 @@
-2.9
+3.0
diff --git a/mcstrans/man/Makefile b/mcstrans/man/Makefile
index 0f8d34fd..71713818 100644
--- a/mcstrans/man/Makefile
+++ b/mcstrans/man/Makefile
@@ -2,15 +2,23 @@
LINGUAS ?= ru
PREFIX ?= /usr
MANDIR ?= $(PREFIX)/share/man
+MAN5SUBDIR ?= man5
+MAN5DIR ?= $(MANDIR)/$(MAN5SUBDIR)
MAN8SUBDIR ?= man8
MAN8DIR ?= $(MANDIR)/$(MAN8SUBDIR)
all:
install: all
+ mkdir -p $(DESTDIR)$(MAN5DIR)
mkdir -p $(DESTDIR)$(MAN8DIR)
+ install -m 644 man5/*.5 $(DESTDIR)$(MAN5DIR)
install -m 644 man8/*.8 $(DESTDIR)$(MAN8DIR)
for lang in $(LINGUAS) ; do \
+ if [ -e $${lang}/man5 ] ; then \
+ mkdir -p $(DESTDIR)$(MANDIR)/$${lang}/$(MAN5SUBDIR) ; \
+ install -m 644 $${lang}/man5/*.5 $(DESTDIR)$(MANDIR)/$${lang}/$(MAN5SUBDIR) ; \
+ fi ; \
if [ -e $${lang}/man8 ] ; then \
mkdir -p $(DESTDIR)$(MANDIR)/$${lang}/$(MAN8SUBDIR) ; \
install -m 644 $${lang}/man8/*.8 $(DESTDIR)$(MANDIR)/$${lang}/$(MAN8SUBDIR) ; \
@@ -19,4 +27,5 @@ install: all
clean:
-rm -f *~ \#*
+ -rm -f man5/*~ man5/\#*
-rm -f man8/*~ man8/\#*
diff --git a/mcstrans/man/man8/setrans.conf.8 b/mcstrans/man/man5/setrans.conf.5
index b7609921..4949a502 100644
--- a/mcstrans/man/man8/setrans.conf.8
+++ b/mcstrans/man/man5/setrans.conf.5
@@ -1,4 +1,4 @@
-.TH "setrans.conf" "8" "13 July 2010" "txtoth@gmail.com" "setrans.conf documentation"
+.TH "setrans.conf" "5" "13 July 2010" "txtoth@gmail.com" "setrans.conf documentation"
.SH "NAME"
setrans.conf \- translation configuration file for MCS/MLS SELinux systems
diff --git a/mcstrans/man/man8/mcstransd.8 b/mcstrans/man/man8/mcstransd.8
index 64774a52..9a5922ba 100644
--- a/mcstrans/man/man8/mcstransd.8
+++ b/mcstrans/man/man8/mcstransd.8
@@ -29,4 +29,4 @@ The program was enhanced/rewritten by Joe Nall <joe@nall.com>.
/etc/selinux/{SELINUXTYPE}/setrans.conf
.SH "SEE ALSO"
-.BR mcs (8),
+.BR setrans.conf (5), mcs (8)
diff --git a/mcstrans/man/ru/man8/setrans.conf.8 b/mcstrans/man/ru/man5/setrans.conf.5
index 9141defe..724b206b 100644
--- a/mcstrans/man/ru/man8/setrans.conf.8
+++ b/mcstrans/man/ru/man5/setrans.conf.5
@@ -1,4 +1,4 @@
-.TH "setrans.conf" "8" "13 Ð¸ÑŽÐ»Ñ 2010" "txtoth@gmail.com" "Ð”Ð¾ÐºÑƒÐ¼ÐµÐ½Ñ‚Ð°Ñ†Ð¸Ñ Ð¿Ð¾ setrans.conf"
+.TH "setrans.conf" "5" "13 Ð¸ÑŽÐ»Ñ 2010" "txtoth@gmail.com" "Ð”Ð¾ÐºÑƒÐ¼ÐµÐ½Ñ‚Ð°Ñ†Ð¸Ñ Ð¿Ð¾ setrans.conf"
.SH "ИМЯ"
setrans.conf \- файл конфигурации Ð¿Ñ€ÐµÐ¾Ð±Ñ€Ð°Ð·Ð¾Ð²Ð°Ð½Ð¸Ñ Ð´Ð»Ñ ÑиÑтем MCS/MLS SELinux
diff --git a/mcstrans/man/ru/man8/mcstransd.8 b/mcstrans/man/ru/man8/mcstransd.8
index 90247c32..4cd68c17 100644
--- a/mcstrans/man/ru/man8/mcstransd.8
+++ b/mcstrans/man/ru/man8/mcstransd.8
@@ -23,7 +23,7 @@ mcstransd \- внутреннÑÑ Ñлужба MCS (мультикатегори
/etc/selinux/{SELINUXTYPE}/setrans.conf
.SH "СМОТРИТЕ ТÐКЖЕ"
-.BR mcs (8)
+.BR setrans.conf (5), mcs (8)
.SH "ÐВТОРЫ"
Эта man-Ñтраница напиÑана Dan Walsh <dwalsh@redhat.com>.
diff --git a/mcstrans/share/examples/default/setrans.conf b/mcstrans/share/examples/default/setrans.conf
index eb181d2f..d2bc8a1d 100644
--- a/mcstrans/share/examples/default/setrans.conf
+++ b/mcstrans/share/examples/default/setrans.conf
@@ -1,7 +1,7 @@
#
# Multi-Level Security translation table for SELinux
-#
-# Uncomment the following to disable translation libary
+#
+# Uncomment the following to disable translation library
# disable=1
#
# Objects can be labeled with one of 16 levels and be categorized with 0-1023
diff --git a/mcstrans/share/examples/include/setrans.conf b/mcstrans/share/examples/include/setrans.conf
index 4e7b40e3..4c7ecf14 100644
--- a/mcstrans/share/examples/include/setrans.conf
+++ b/mcstrans/share/examples/include/setrans.conf
@@ -1,7 +1,7 @@
#
# Multi-Level Security translation table for SELinux
-#
-# Uncomment the following to disable translation libary
+#
+# Uncomment the following to disable translation library
# disable=1
#
# Objects can be labeled with one of 16 levels and be categorized with 0-1023
@@ -10,6 +10,6 @@
# Users can modify this table to translate the MLS labels for different purpose.
#
-# Demonstrate Include by moving everthing to an include file
+# Demonstrate Include by moving everything to an include file
#
Include=/etc/selinux/mls/setrans.d/include-example
diff --git a/mcstrans/share/examples/include/setrans.d/include-example b/mcstrans/share/examples/include/setrans.d/include-example
index eb181d2f..d2bc8a1d 100644
--- a/mcstrans/share/examples/include/setrans.d/include-example
+++ b/mcstrans/share/examples/include/setrans.d/include-example
@@ -1,7 +1,7 @@
#
# Multi-Level Security translation table for SELinux
-#
-# Uncomment the following to disable translation libary
+#
+# Uncomment the following to disable translation library
# disable=1
#
# Objects can be labeled with one of 16 levels and be categorized with 0-1023
diff --git a/mcstrans/share/examples/nato/setrans.d/rel.conf b/mcstrans/share/examples/nato/setrans.d/rel.conf
index c1eca297..21f8a795 100644
--- a/mcstrans/share/examples/nato/setrans.d/rel.conf
+++ b/mcstrans/share/examples/nato/setrans.d/rel.conf
@@ -9,7 +9,7 @@ Prefix=RELEASABLE TO
Prefix=RELEASEABLE TO
Default=c200.c511
-~c200.c511=EVERBODY
+~c200.c511=EVERYBODY
~c200,~c205,~c219,~c223,~c239,~c257,~c258,~c261,~c268,~c269,~c274,~c278,~c288,~c298,~c300,~c308,~c310,~c331,~c332,~c333,~c365,~c366,~c378,~c381,~c387,~c406,~c407,~c423,~c430=NATO
@@ -748,4 +748,4 @@ Default=c200.c511
~c200,~c444=ZI # Zimbabwe
~c200,~c444=ZWE # Zimbabwe
-#UNCLASSIFIED \ No newline at end of file
+#UNCLASSIFIED
diff --git a/mcstrans/share/examples/urcsts-via-include/secolor.conf b/mcstrans/share/examples/urcsts-via-include/secolor.conf
index d35b3c67..3b3f5430 100644
--- a/mcstrans/share/examples/urcsts-via-include/secolor.conf
+++ b/mcstrans/share/examples/urcsts-via-include/secolor.conf
@@ -17,5 +17,5 @@ range s3-s3:c0.c1023 = black tan
range s5-s5:c0.c1023 = white blue
range s7-s7:c0.c1023 = black red
range s9-s9:c0.c1023 = black orange
-range s15:c0.c1023 = black yellow
+range s15-s15:c0.c1023 = black yellow
diff --git a/mcstrans/share/examples/urcsts-via-include/setrans.conf b/mcstrans/share/examples/urcsts-via-include/setrans.conf
index 6b578d87..5998183c 100644
--- a/mcstrans/share/examples/urcsts-via-include/setrans.conf
+++ b/mcstrans/share/examples/urcsts-via-include/setrans.conf
@@ -1,7 +1,7 @@
#
# Multi-Level Security translation table for SELinux
-#
-# Uncomment the following to disable translation libary
+#
+# Uncomment the following to disable translation library
# disable=1
#
# Objects can be labeled with one of 16 levels and be categorized with 0-1023
@@ -10,6 +10,6 @@
# Users can modify this table to translate the MLS labels for different purpose.
#
-# Demonstrate Include by moving everthing to an include file
+# Demonstrate Include by moving everything to an include file
#
Include=/etc/selinux/mls/setrans.d/*.conf
diff --git a/mcstrans/share/examples/urcsts/secolor.conf b/mcstrans/share/examples/urcsts/secolor.conf
index d35b3c67..3b3f5430 100644
--- a/mcstrans/share/examples/urcsts/secolor.conf
+++ b/mcstrans/share/examples/urcsts/secolor.conf
@@ -17,5 +17,5 @@ range s3-s3:c0.c1023 = black tan
range s5-s5:c0.c1023 = white blue
range s7-s7:c0.c1023 = black red
range s9-s9:c0.c1023 = black orange
-range s15:c0.c1023 = black yellow
+range s15-s15:c0.c1023 = black yellow
diff --git a/mcstrans/src/mcscolor.c b/mcstrans/src/mcscolor.c
index 6ea1aa97..4ee0db50 100644
--- a/mcstrans/src/mcscolor.c
+++ b/mcstrans/src/mcscolor.c
@@ -134,12 +134,12 @@ static const secolor_t *find_color(int idx, const char *component,
}
while (ptr) {
- if (fnmatch(ptr->pattern, component, 0) == 0) {
- if (idx == COLOR_RANGE) {
- if (check_dominance(ptr->pattern, raw) == 0)
- return &ptr->color;
- } else
- return &ptr->color;
+ if (idx == COLOR_RANGE) {
+ if (check_dominance(ptr->pattern, raw) == 0)
+ return &ptr->color;
+ } else {
+ if (fnmatch(ptr->pattern, component, 0) == 0)
+ return &ptr->color;
}
ptr = ptr->next;
}
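Review bot: With this change, COLOR_RANGE entries are no longer matched by `fnmatch()` at all; they are selected only by `check_dominance(ptr->pattern, raw) == 0`, and the loop returns the first entry that passes. Nothing in the code records that rule, or that the order of range entries now decides which colour a label gets (if the list preserves file order, a broad range listed first shadows narrower ones after it). I would add above the branch `/* range entries are matched by MLS dominance, not by glob; the first matching entry wins */` and mention the same in the secolor.conf documentation. `component` is now unused on the range path, and find_color's body starts outside the hunk.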
@@ -211,7 +211,7 @@ static int add_mnemonic(const char *name, uint32_t color)
/* Process line from color file.
- May modify the data pointed to by the buffer paremeter */
+ May modify the data pointed to by the buffer parameter */
static int process_color(char *buffer, int line) {
char rule[10], pat[256], f[256], b[256];
uint32_t i, fg, bg;
diff --git a/mcstrans/src/mcstrans.service b/mcstrans/src/mcstrans.service
index 8976b970..09529432 100644
--- a/mcstrans/src/mcstrans.service
+++ b/mcstrans/src/mcstrans.service
@@ -1,5 +1,6 @@
[Unit]
Description=Translates SELinux MCS/MLS labels to human readable form
+Documentation=man:mcstransd(8)
ConditionSecurity=selinux
[Service]
diff --git a/policycoreutils/VERSION b/policycoreutils/VERSION
index 8c269150..9f55b2cc 100644
--- a/policycoreutils/VERSION
+++ b/policycoreutils/VERSION
@@ -1 +1 @@
-2.9
+3.0
diff --git a/policycoreutils/hll/pp/pp.c b/policycoreutils/hll/pp/pp.c
index 98969eb2..1d867280 100644
--- a/policycoreutils/hll/pp/pp.c
+++ b/policycoreutils/hll/pp/pp.c
@@ -50,7 +50,7 @@ static __attribute__((__noreturn__)) void usage(int err)
{
fprintf(stderr, "Usage: %s [OPTIONS] [IN_FILE [OUT_FILE]]\n", progname);
fprintf(stderr, "\n");
- fprintf(stderr, "Read an SELinux policy package (.pp) and output the equivilent CIL.\n");
+ fprintf(stderr, "Read an SELinux policy package (.pp) and output the equivalent CIL.\n");
fprintf(stderr, "If IN_FILE is not provided or is -, read SELinux policy package from\n");
fprintf(stderr, "standard input. If OUT_FILE is not provided or is -, output CIL to\n");
fprintf(stderr, "standard output.\n");
diff --git a/policycoreutils/load_policy/load_policy.c b/policycoreutils/load_policy/load_policy.c
index 2707d6fe..322ed002 100644
--- a/policycoreutils/load_policy/load_policy.c
+++ b/policycoreutils/load_policy/load_policy.c
@@ -77,7 +77,7 @@ int main(int argc, char **argv)
}
}
else {
- ret = selinux_mkload_policy(1);
+ ret = selinux_mkload_policy(0);
}
if (ret < 0) {
fprintf(stderr, _("%s: Can't load policy: %s\n"),
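Review bot: The bare `0` passed to `selinux_mkload_policy()` gives no hint why the argument changed from 1. If that parameter is the preserve-booleans flag and this libselinux no longer honours it (the selinux_config.5 hunk in this commit drops SETLOCALDEFS, which suggests so), a comment such as `/* preservebools argument is no longer honoured by libselinux */` would record the reason once confirmed. If the binary can run against an older libselinux that still honours the flag, passing 0 would reset runtime boolean changes on every reload, so that compatibility case should be checked. main()'s body starts and ends outside the hunk.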
diff --git a/policycoreutils/man/man5/selinux_config.5 b/policycoreutils/man/man5/selinux_config.5
index dbfec55a..1ffade15 100644
--- a/policycoreutils/man/man5/selinux_config.5
+++ b/policycoreutils/man/man5/selinux_config.5
@@ -11,10 +11,8 @@ The policy enforcement status \- \fIenforcing\fR, \fIpermissive\fR or \fIdisable
.IP "2." 4
The policy name or type that forms a path to the policy to be loaded and its supporting configuration files.
.IP "3." 4
-How local users and booleans will be managed when the policy is loaded (note that this function was used by older releases of SELinux and is now deprecated).
-.IP "4." 4
How SELinux-aware login applications should behave if no valid SELinux users are configured.
-.IP "5." 4
+.IP "4." 4
Whether the system is to be relabeled or not.
.RE
@@ -34,8 +32,6 @@ The \fIconfig\fR file supports the following parameters:
.br
\fBSELINUXTYPE = \fIpolicy_name\fR
.br
-\fBSETLOCALDEFS = \fI0\fR | \fI1\fR
-.br
\fBREQUIREUSERS = \fI0\fR | \fI1\fR
.br
\fBAUTORELABEL = \fI0\fR | \fI1\fR
@@ -88,13 +84,6 @@ The binary policy name has by convention the SELinux policy version that it supp
.RE
.RE
.sp
-.B SETLOCALDEFS
-.RS
-This entry is deprecated and should be removed or set to \fI0\fR.
-.sp
-If set to \fI1\fR, then \fBselinux_mkload_policy\fR(3) will read the local customization for booleans (see \fBbooleans\fR(5)) and users (see \fBlocal.users\fR(5)).
-.RE
-.sp
.B REQUIRESEUSERS
.RS
This optional entry can be used to fail a login if there is no matching or default entry in the
@@ -138,4 +127,4 @@ SELINUXTYPE = targeted
.RE
.SH "SEE ALSO"
-.BR selinux "(8), " sestatus "(8), " selinux_path "(3), " selinux_policy_root_path "(3), " selinux_binary_policy_path "(3), " getseuserbyname "(3), " PAM "(8), " fixfiles "(8), " selinux_mkload_policy "(3), " selinux_getpolicytype "(3), " security_policyvers "(3), " selinux_getenforcemode "(3), " seusers "(5), " booleans "(5), " local.users "(5) "
+.BR selinux "(8), " sestatus "(8), " selinux_path "(3), " selinux_policy_root_path "(3), " selinux_binary_policy_path "(3), " getseuserbyname "(3), " PAM "(8), " fixfiles "(8), " selinux_mkload_policy "(3), " selinux_getpolicytype "(3), " security_policyvers "(3), " selinux_getenforcemode "(3), " seusers "(5) "
diff --git a/policycoreutils/man/ru/man5/selinux_config.5 b/policycoreutils/man/ru/man5/selinux_config.5
index 93dcc582..40039e57 100644
--- a/policycoreutils/man/ru/man5/selinux_config.5
+++ b/policycoreutils/man/ru/man5/selinux_config.5
@@ -34,8 +34,6 @@ config \- файл конфигурации подÑиÑтемы SELinux.
.br
\fBSELINUXTYPE = \fIpolicy_name\fR
.br
-\fBSETLOCALDEFS = \fI0\fR | \fI1\fR
-.br
\fBREQUIREUSERS = \fI0\fR | \fI1\fR
.br
\fBAUTORELABEL = \fI0\fR | \fI1\fR
@@ -88,13 +86,6 @@ SELinux отключён, политика не загружена.
.RE
.RE
.sp
-.B SETLOCALDEFS
-.RS
-Эта запиÑÑŒ уÑтарела. Следует её удалить или задать Ð´Ð»Ñ Ð½ÐµÑ‘ значение \fI0\fR.
-.sp
-ЕÑли задано значение \fI1\fR, \fBselinux_mkload_policy\fR(3) выполнит чтение логичеÑких переключателей (Ñм. \fBbooleans\fR(5)) и пользователей (Ñм. \fBlocal.users\fR(5)) в локальной наÑтройке.
-.RE
-.sp
.B REQUIRESEUSERS
.RS
Эта необÑÐ·Ð°Ñ‚ÐµÐ»ÑŒÐ½Ð°Ñ Ð·Ð°Ð¿Ð¸ÑÑŒ позволÑет Ñделать попытку входа неудачной, еÑли в файле
@@ -138,7 +129,7 @@ SELINUXTYPE = targeted
.RE
.SH "СМОТРИТЕ ТÐКЖЕ"
-.BR selinux "(8), " sestatus "(8), " selinux_path "(3), " selinux_policy_root_path "(3), " selinux_binary_policy_path "(3), " getseuserbyname "(3), " PAM "(8), " fixfiles "(8), " selinux_mkload_policy "(3), " selinux_getpolicytype "(3), " security_policyvers "(3), " selinux_getenforcemode "(3), " seusers "(5), " booleans "(5), " local.users "(5) "
+.BR selinux "(8), " sestatus "(8), " selinux_path "(3), " selinux_policy_root_path "(3), " selinux_binary_policy_path "(3), " getseuserbyname "(3), " PAM "(8), " fixfiles "(8), " selinux_mkload_policy "(3), " selinux_getpolicytype "(3), " security_policyvers "(3), " selinux_getenforcemode "(3), " seusers "(5) "
.SH ÐВТОРЫ
diff --git a/policycoreutils/newrole/hashtab.h b/policycoreutils/newrole/hashtab.h
index 3790f0aa..ad5559ba 100644
--- a/policycoreutils/newrole/hashtab.h
+++ b/policycoreutils/newrole/hashtab.h
@@ -49,7 +49,7 @@ typedef hashtab_val_t *hashtab_t;
/*
Creates a new hash table with the specified characteristics.
- Returns NULL if insufficent space is available or
+ Returns NULL if insufficient space is available or
the new hash table otherwise.
*/
extern hashtab_t hashtab_create(unsigned int (*hash_value) (hashtab_t h,
diff --git a/policycoreutils/newrole/newrole.c b/policycoreutils/newrole/newrole.c
index 077496d3..e70051b1 100644
--- a/policycoreutils/newrole/newrole.c
+++ b/policycoreutils/newrole/newrole.c
@@ -621,7 +621,7 @@ static inline int drop_capabilities(__attribute__ ((__unused__)) int full)
#ifdef NAMESPACE_PRIV
/**
* This function will set the uid values to be that of caller's uid, and
- * will drop any privilages which maybe have been raised.
+ * will drop any privilege which may have been raised.
*/
static int transition_to_caller_uid()
{
@@ -718,7 +718,7 @@ static int relabel_tty(const char *ttyn, security_context_t new_context,
fprintf(stderr, _("Error! Could not open %s.\n"), ttyn);
return fd;
}
- /* this craziness is to make sure we cann't block on open and deadlock */
+ /* this craziness is to make sure we can't block on open and deadlock */
rc = fcntl(fd, F_SETFL, fcntl(fd, F_GETFL, 0) & ~O_NONBLOCK);
if (rc) {
fprintf(stderr, _("Error! Could not clear O_NONBLOCK on %s\n"), ttyn);
@@ -1053,7 +1053,7 @@ int main(int argc, char *argv[])
/*
* Step 0: Setup
*
- * Do some intial setup, including dropping capabilities, checking
+ * Do some initial setup, including dropping capabilities, checking
* if it makes sense to continue to run newrole, and setting up
* a scrubbed environment.
*/
diff --git a/policycoreutils/po/af.po b/policycoreutils/po/af.po
index e4a6e09c..904bb73f 100644
--- a/policycoreutils/po/af.po
+++ b/policycoreutils/po/af.po
@@ -1623,7 +1623,7 @@ msgid "<b>Select existing role to modify:</b>"
msgstr ""
#: ../gui/polgen.glade:908
-msgid "Select the user roles that will transiton to the %s domain."
+msgid "Select the user roles that will transition to the %s domain."
msgstr ""
#: ../gui/polgen.glade:928
@@ -1649,7 +1649,7 @@ msgid "<b>Select the user_roles that will transition to %s:</b>"
msgstr ""
#: ../gui/polgen.glade:1019
-msgid "Select the user roles that will transiton to this applications domains."
+msgid "Select the user roles that will transition to this applications domains."
msgstr ""
#: ../gui/polgen.glade:1056
@@ -1873,7 +1873,7 @@ msgid "You must enter a executable"
msgstr ""
#: ../gui/polgengui.py:756 ../gui/system-config-selinux.py:180
-msgid "Configue SELinux"
+msgid "Configure SELinux"
msgstr ""
#: ../gui/portsPage.py:51 ../gui/system-config-selinux.glade:2528
@@ -3722,7 +3722,7 @@ msgstr ""
#: ../sepolicy/sepolicy/generate.py:333
msgid ""
-"Name must be alpha numberic with no spaces. Consider using option \"-n "
+"Name must be alpha numeric with no spaces. Consider using option \"-n "
"MODULENAME\""
msgstr ""
@@ -3948,7 +3948,7 @@ msgstr ""
#: ../sepolicy/sepolicy/sepolicy.glade:826
msgid ""
-"Select Make Path Recursive iff you want to apply this label to all children "
+"Select Make Path Recursive if you want to apply this label to all children "
"of the specified directory path. objects under the directory to have this "
"label."
msgstr ""
diff --git a/policycoreutils/po/aln.po b/policycoreutils/po/aln.po
index 507644ce..f6174a48 100644
--- a/policycoreutils/po/aln.po
+++ b/policycoreutils/po/aln.po
@@ -1623,7 +1623,7 @@ msgid "<b>Select existing role to modify:</b>"
msgstr ""
#: ../gui/polgen.glade:908
-msgid "Select the user roles that will transiton to the %s domain."
+msgid "Select the user roles that will transition to the %s domain."
msgstr ""
#: ../gui/polgen.glade:928
@@ -1649,7 +1649,7 @@ msgid "<b>Select the user_roles that will transition to %s:</b>"
msgstr ""
#: ../gui/polgen.glade:1019
-msgid "Select the user roles that will transiton to this applications domains."
+msgid "Select the user roles that will transition to this applications domains."
msgstr ""
#: ../gui/polgen.glade:1056
@@ -1873,7 +1873,7 @@ msgid "You must enter a executable"
msgstr ""
#: ../gui/polgengui.py:756 ../gui/system-config-selinux.py:180
-msgid "Configue SELinux"
+msgid "Configure SELinux"
msgstr ""
#: ../gui/portsPage.py:51 ../gui/system-config-selinux.glade:2528
@@ -3722,7 +3722,7 @@ msgstr ""
#: ../sepolicy/sepolicy/generate.py:333
msgid ""
-"Name must be alpha numberic with no spaces. Consider using option \"-n "
+"Name must be alpha numeric with no spaces. Consider using option \"-n "
"MODULENAME\""
msgstr ""
@@ -3948,7 +3948,7 @@ msgstr ""
#: ../sepolicy/sepolicy/sepolicy.glade:826
msgid ""
-"Select Make Path Recursive iff you want to apply this label to all children "
+"Select Make Path Recursive if you want to apply this label to all children "
"of the specified directory path. objects under the directory to have this "
"label."
msgstr ""
diff --git a/policycoreutils/po/am.po b/policycoreutils/po/am.po
index db494866..593c3bfe 100644
--- a/policycoreutils/po/am.po
+++ b/policycoreutils/po/am.po
@@ -1623,7 +1623,7 @@ msgid "<b>Select existing role to modify:</b>"
msgstr ""
#: ../gui/polgen.glade:908
-msgid "Select the user roles that will transiton to the %s domain."
+msgid "Select the user roles that will transition to the %s domain."
msgstr ""
#: ../gui/polgen.glade:928
@@ -1649,7 +1649,7 @@ msgid "<b>Select the user_roles that will transition to %s:</b>"
msgstr ""
#: ../gui/polgen.glade:1019
-msgid "Select the user roles that will transiton to this applications domains."
+msgid "Select the user roles that will transition to this applications domains."
msgstr ""
#: ../gui/polgen.glade:1056
@@ -1873,7 +1873,7 @@ msgid "You must enter a executable"
msgstr ""
#: ../gui/polgengui.py:756 ../gui/system-config-selinux.py:180
-msgid "Configue SELinux"
+msgid "Configure SELinux"
msgstr ""
#: ../gui/portsPage.py:51 ../gui/system-config-selinux.glade:2528
@@ -3722,7 +3722,7 @@ msgstr ""
#: ../sepolicy/sepolicy/generate.py:333
msgid ""
-"Name must be alpha numberic with no spaces. Consider using option \"-n "
+"Name must be alpha numeric with no spaces. Consider using option \"-n "
"MODULENAME\""
msgstr ""
@@ -3948,7 +3948,7 @@ msgstr ""
#: ../sepolicy/sepolicy/sepolicy.glade:826
msgid ""
-"Select Make Path Recursive iff you want to apply this label to all children "
+"Select Make Path Recursive if you want to apply this label to all children "
"of the specified directory path. objects under the directory to have this "
"label."
msgstr ""
diff --git a/policycoreutils/po/ar.po b/policycoreutils/po/ar.po
index b03fb785..2c8b4c8b 100644
--- a/policycoreutils/po/ar.po
+++ b/policycoreutils/po/ar.po
@@ -1631,7 +1631,7 @@ msgid "<b>Select existing role to modify:</b>"
msgstr ""
#: ../gui/polgen.glade:908
-msgid "Select the user roles that will transiton to the %s domain."
+msgid "Select the user roles that will transition to the %s domain."
msgstr ""
#: ../gui/polgen.glade:928
@@ -1657,7 +1657,7 @@ msgid "<b>Select the user_roles that will transition to %s:</b>"
msgstr ""
#: ../gui/polgen.glade:1019
-msgid "Select the user roles that will transiton to this applications domains."
+msgid "Select the user roles that will transition to this applications domains."
msgstr ""
#: ../gui/polgen.glade:1056
@@ -1881,7 +1881,7 @@ msgid "You must enter a executable"
msgstr ""
#: ../gui/polgengui.py:756 ../gui/system-config-selinux.py:180
-msgid "Configue SELinux"
+msgid "Configure SELinux"
msgstr ""
#: ../gui/portsPage.py:51 ../gui/system-config-selinux.glade:2528
@@ -3730,7 +3730,7 @@ msgstr ""
#: ../sepolicy/sepolicy/generate.py:333
msgid ""
-"Name must be alpha numberic with no spaces. Consider using option \"-n "
+"Name must be alpha numeric with no spaces. Consider using option \"-n "
"MODULENAME\""
msgstr ""
@@ -3956,7 +3956,7 @@ msgstr ""
#: ../sepolicy/sepolicy/sepolicy.glade:826
msgid ""
-"Select Make Path Recursive iff you want to apply this label to all children "
+"Select Make Path Recursive if you want to apply this label to all children "
"of the specified directory path. objects under the directory to have this "
"label."
msgstr ""
diff --git a/policycoreutils/po/as.po b/policycoreutils/po/as.po
index 4689a675..8b7155b1 100644
--- a/policycoreutils/po/as.po
+++ b/policycoreutils/po/as.po
@@ -1682,7 +1682,7 @@ msgid "<b>Select existing role to modify:</b>"
msgstr "<b>পৰিবৰà§à¦¤à¦¨ কৰিবলে সà§à¦¥à¦¾à§Ÿà§€ ভূমিকা বাছক:</b>"
#: ../gui/polgen.glade:908
-msgid "Select the user roles that will transiton to the %s domain."
+msgid "Select the user roles that will transition to the %s domain."
msgstr "%s ডমেইনলে সà§à¦¥à¦¾à¦¨à¦¾à¦¨à§à¦¤à§° হোৱা বà§à¦¯à§±à¦¹à¦¾à§°à¦•à¦¾à§°à§€ ভূমিকাসমূহ বাছক।"
#: ../gui/polgen.glade:928
@@ -1710,7 +1710,7 @@ msgid "<b>Select the user_roles that will transition to %s:</b>"
msgstr "<b>%s লে পৰিবৰà§à¦¤à¦¨ হোৱা বà§à¦¯à§±à¦¹à¦¾à§°à¦•à¦¾à§°à§€ ভূমিকাসমূহ বাছক (_r):</b>"
#: ../gui/polgen.glade:1019
-msgid "Select the user roles that will transiton to this applications domains."
+msgid "Select the user roles that will transition to this applications domains."
msgstr "চিহà§à¦¨à¦¿à¦¤ à¦à¦ªà§à¦²à¦¿à¦•à§‡à¦šà¦¨ ডমেইনত ৰূপানà§à¦¤à§°à¦¯à§‹à¦—à§à¦¯ বà§à¦¯à§±à¦¹à¦¾à§°à¦•à¦¾à§°à§€à§° ভূমিকা নিৰà§à¦¬à¦¾à¦šà¦¨ কৰক"
#: ../gui/polgen.glade:1056
@@ -1950,7 +1950,7 @@ msgid "You must enter a executable"
msgstr "à¦à¦•à§à¦¸à§‡à¦•à¦¿à¦‰à¦Ÿà§‡à¦¬à¦² উলà§à¦²à§‡à¦– কৰা আৱশà§à¦¯à¦•"
#: ../gui/polgengui.py:756 ../gui/system-config-selinux.py:180
-msgid "Configue SELinux"
+msgid "Configure SELinux"
msgstr "SELinux বিনà§à¦¯à¦¾à¦¸ কৰক"
#: ../gui/portsPage.py:51 ../gui/system-config-selinux.glade:2528
@@ -4009,7 +4009,7 @@ msgstr "আপোনাৰ %s ৰ বাবে আপোনাৰ নীতি à
#: ../sepolicy/sepolicy/generate.py:333
msgid ""
-"Name must be alpha numberic with no spaces. Consider using option \"-n "
+"Name must be alpha numeric with no spaces. Consider using option \"-n "
"MODULENAME\""
msgstr ""
"নাম কোনো খালি ঠাই নথকাকৈ আলà§à¦«à¦¾ নিউমাৰিক হব লাগিব। বিকলà§à¦ª \"-n MODULENAME\" "
@@ -4249,7 +4249,7 @@ msgstr ""
#: ../sepolicy/sepolicy/sepolicy.glade:826
msgid ""
-"Select Make Path Recursive iff you want to apply this label to all children "
+"Select Make Path Recursive if you want to apply this label to all children "
"of the specified directory path. objects under the directory to have this "
"label."
msgstr ""
diff --git a/policycoreutils/po/ast.po b/policycoreutils/po/ast.po
index 1a5bc232..84ecf573 100644
--- a/policycoreutils/po/ast.po
+++ b/policycoreutils/po/ast.po
@@ -1623,7 +1623,7 @@ msgid "<b>Select existing role to modify:</b>"
msgstr ""
#: ../gui/polgen.glade:908
-msgid "Select the user roles that will transiton to the %s domain."
+msgid "Select the user roles that will transition to the %s domain."
msgstr ""
#: ../gui/polgen.glade:928
@@ -1649,7 +1649,7 @@ msgid "<b>Select the user_roles that will transition to %s:</b>"
msgstr ""
#: ../gui/polgen.glade:1019
-msgid "Select the user roles that will transiton to this applications domains."
+msgid "Select the user roles that will transition to this applications domains."
msgstr ""
#: ../gui/polgen.glade:1056
@@ -1873,7 +1873,7 @@ msgid "You must enter a executable"
msgstr ""
#: ../gui/polgengui.py:756 ../gui/system-config-selinux.py:180
-msgid "Configue SELinux"
+msgid "Configure SELinux"
msgstr ""
#: ../gui/portsPage.py:51 ../gui/system-config-selinux.glade:2528
@@ -3722,7 +3722,7 @@ msgstr ""
#: ../sepolicy/sepolicy/generate.py:333
msgid ""
-"Name must be alpha numberic with no spaces. Consider using option \"-n "
+"Name must be alpha numeric with no spaces. Consider using option \"-n "
"MODULENAME\""
msgstr ""
@@ -3948,7 +3948,7 @@ msgstr ""
#: ../sepolicy/sepolicy/sepolicy.glade:826
msgid ""
-"Select Make Path Recursive iff you want to apply this label to all children "
+"Select Make Path Recursive if you want to apply this label to all children "
"of the specified directory path. objects under the directory to have this "
"label."
msgstr ""
diff --git a/policycoreutils/po/az.po b/policycoreutils/po/az.po
index 1936f49c..5819b64d 100644
--- a/policycoreutils/po/az.po
+++ b/policycoreutils/po/az.po
@@ -1623,7 +1623,7 @@ msgid "<b>Select existing role to modify:</b>"
msgstr ""
#: ../gui/polgen.glade:908
-msgid "Select the user roles that will transiton to the %s domain."
+msgid "Select the user roles that will transition to the %s domain."
msgstr ""
#: ../gui/polgen.glade:928
@@ -1649,7 +1649,7 @@ msgid "<b>Select the user_roles that will transition to %s:</b>"
msgstr ""
#: ../gui/polgen.glade:1019
-msgid "Select the user roles that will transiton to this applications domains."
+msgid "Select the user roles that will transition to this applications domains."
msgstr ""
#: ../gui/polgen.glade:1056
@@ -1873,7 +1873,7 @@ msgid "You must enter a executable"
msgstr ""
#: ../gui/polgengui.py:756 ../gui/system-config-selinux.py:180
-msgid "Configue SELinux"
+msgid "Configure SELinux"
msgstr ""
#: ../gui/portsPage.py:51 ../gui/system-config-selinux.glade:2528
@@ -3722,7 +3722,7 @@ msgstr ""
#: ../sepolicy/sepolicy/generate.py:333
msgid ""
-"Name must be alpha numberic with no spaces. Consider using option \"-n "
+"Name must be alpha numeric with no spaces. Consider using option \"-n "
"MODULENAME\""
msgstr ""
@@ -3948,7 +3948,7 @@ msgstr ""
#: ../sepolicy/sepolicy/sepolicy.glade:826
msgid ""
-"Select Make Path Recursive iff you want to apply this label to all children "
+"Select Make Path Recursive if you want to apply this label to all children "
"of the specified directory path. objects under the directory to have this "
"label."
msgstr ""
diff --git a/policycoreutils/po/bal.po b/policycoreutils/po/bal.po
index 31b85765..fd19eead 100644
--- a/policycoreutils/po/bal.po
+++ b/policycoreutils/po/bal.po
@@ -1622,7 +1622,7 @@ msgid "<b>Select existing role to modify:</b>"
msgstr ""
#: ../gui/polgen.glade:908
-msgid "Select the user roles that will transiton to the %s domain."
+msgid "Select the user roles that will transition to the %s domain."
msgstr ""
#: ../gui/polgen.glade:928
@@ -1648,7 +1648,7 @@ msgid "<b>Select the user_roles that will transition to %s:</b>"
msgstr ""
#: ../gui/polgen.glade:1019
-msgid "Select the user roles that will transiton to this applications domains."
+msgid "Select the user roles that will transition to this applications domains."
msgstr ""
#: ../gui/polgen.glade:1056
@@ -1872,7 +1872,7 @@ msgid "You must enter a executable"
msgstr ""
#: ../gui/polgengui.py:756 ../gui/system-config-selinux.py:180
-msgid "Configue SELinux"
+msgid "Configure SELinux"
msgstr ""
#: ../gui/portsPage.py:51 ../gui/system-config-selinux.glade:2528
@@ -3721,7 +3721,7 @@ msgstr ""
#: ../sepolicy/sepolicy/generate.py:333
msgid ""
-"Name must be alpha numberic with no spaces. Consider using option \"-n "
+"Name must be alpha numeric with no spaces. Consider using option \"-n "
"MODULENAME\""
msgstr ""
@@ -3947,7 +3947,7 @@ msgstr ""
#: ../sepolicy/sepolicy/sepolicy.glade:826
msgid ""
-"Select Make Path Recursive iff you want to apply this label to all children "
+"Select Make Path Recursive if you want to apply this label to all children "
"of the specified directory path. objects under the directory to have this "
"label."
msgstr ""
diff --git a/policycoreutils/po/be.po b/policycoreutils/po/be.po
index e9c70078..ca6d42b8 100644
--- a/policycoreutils/po/be.po
+++ b/policycoreutils/po/be.po
@@ -1624,7 +1624,7 @@ msgid "<b>Select existing role to modify:</b>"
msgstr ""
#: ../gui/polgen.glade:908
-msgid "Select the user roles that will transiton to the %s domain."
+msgid "Select the user roles that will transition to the %s domain."
msgstr ""
#: ../gui/polgen.glade:928
@@ -1650,7 +1650,7 @@ msgid "<b>Select the user_roles that will transition to %s:</b>"
msgstr ""
#: ../gui/polgen.glade:1019
-msgid "Select the user roles that will transiton to this applications domains."
+msgid "Select the user roles that will transition to this applications domains."
msgstr ""
#: ../gui/polgen.glade:1056
@@ -1874,7 +1874,7 @@ msgid "You must enter a executable"
msgstr ""
#: ../gui/polgengui.py:756 ../gui/system-config-selinux.py:180
-msgid "Configue SELinux"
+msgid "Configure SELinux"
msgstr ""
#: ../gui/portsPage.py:51 ../gui/system-config-selinux.glade:2528
@@ -3723,7 +3723,7 @@ msgstr ""
#: ../sepolicy/sepolicy/generate.py:333
msgid ""
-"Name must be alpha numberic with no spaces. Consider using option \"-n "
+"Name must be alpha numeric with no spaces. Consider using option \"-n "
"MODULENAME\""
msgstr ""
@@ -3949,7 +3949,7 @@ msgstr ""
#: ../sepolicy/sepolicy/sepolicy.glade:826
msgid ""
-"Select Make Path Recursive iff you want to apply this label to all children "
+"Select Make Path Recursive if you want to apply this label to all children "
"of the specified directory path. objects under the directory to have this "
"label."
msgstr ""
diff --git a/policycoreutils/po/bg.po b/policycoreutils/po/bg.po
index 1e71e74b..33e707de 100644
--- a/policycoreutils/po/bg.po
+++ b/policycoreutils/po/bg.po
@@ -1677,7 +1677,7 @@ msgid "<b>Select existing role to modify:</b>"
msgstr "<b>Изберете ÑъщеÑтвуваща Ñ€Ð¾Ð»Ñ Ð·Ð° промÑна:</b>"
#: ../gui/polgen.glade:908
-msgid "Select the user roles that will transiton to the %s domain."
+msgid "Select the user roles that will transition to the %s domain."
msgstr ""
#: ../gui/polgen.glade:928
@@ -1703,7 +1703,7 @@ msgid "<b>Select the user_roles that will transition to %s:</b>"
msgstr ""
#: ../gui/polgen.glade:1019
-msgid "Select the user roles that will transiton to this applications domains."
+msgid "Select the user roles that will transition to this applications domains."
msgstr ""
#: ../gui/polgen.glade:1056
@@ -1940,7 +1940,7 @@ msgid "You must enter a executable"
msgstr "ТрÑбва да въведете изпълним файл"
#: ../gui/polgengui.py:756 ../gui/system-config-selinux.py:180
-msgid "Configue SELinux"
+msgid "Configure SELinux"
msgstr "Конфигуриране на "
#: ../gui/portsPage.py:51 ../gui/system-config-selinux.glade:2528
@@ -3826,7 +3826,7 @@ msgstr ""
#: ../sepolicy/sepolicy/generate.py:333
msgid ""
-"Name must be alpha numberic with no spaces. Consider using option \"-n "
+"Name must be alpha numeric with no spaces. Consider using option \"-n "
"MODULENAME\""
msgstr ""
"Името Ñ‚Ñ€Ñбва да е от букви и цифри без интервали. Разгледайте ползването на "
@@ -4061,7 +4061,7 @@ msgstr ""
#: ../sepolicy/sepolicy/sepolicy.glade:826
msgid ""
-"Select Make Path Recursive iff you want to apply this label to all children "
+"Select Make Path Recursive if you want to apply this label to all children "
"of the specified directory path. objects under the directory to have this "
"label."
msgstr ""
diff --git a/policycoreutils/po/bn.po b/policycoreutils/po/bn.po
index 1db73964..ab70a073 100644
--- a/policycoreutils/po/bn.po
+++ b/policycoreutils/po/bn.po
@@ -1622,7 +1622,7 @@ msgid "<b>Select existing role to modify:</b>"
msgstr ""
#: ../gui/polgen.glade:908
-msgid "Select the user roles that will transiton to the %s domain."
+msgid "Select the user roles that will transition to the %s domain."
msgstr ""
#: ../gui/polgen.glade:928
@@ -1648,7 +1648,7 @@ msgid "<b>Select the user_roles that will transition to %s:</b>"
msgstr ""
#: ../gui/polgen.glade:1019
-msgid "Select the user roles that will transiton to this applications domains."
+msgid "Select the user roles that will transition to this applications domains."
msgstr ""
#: ../gui/polgen.glade:1056
@@ -1872,7 +1872,7 @@ msgid "You must enter a executable"
msgstr ""
#: ../gui/polgengui.py:756 ../gui/system-config-selinux.py:180
-msgid "Configue SELinux"
+msgid "Configure SELinux"
msgstr ""
#: ../gui/portsPage.py:51 ../gui/system-config-selinux.glade:2528
@@ -3721,7 +3721,7 @@ msgstr ""
#: ../sepolicy/sepolicy/generate.py:333
msgid ""
-"Name must be alpha numberic with no spaces. Consider using option \"-n "
+"Name must be alpha numeric with no spaces. Consider using option \"-n "
"MODULENAME\""
msgstr ""
@@ -3947,7 +3947,7 @@ msgstr ""
#: ../sepolicy/sepolicy/sepolicy.glade:826
msgid ""
-"Select Make Path Recursive iff you want to apply this label to all children "
+"Select Make Path Recursive if you want to apply this label to all children "
"of the specified directory path. objects under the directory to have this "
"label."
msgstr ""
diff --git a/policycoreutils/po/bn_BD.po b/policycoreutils/po/bn_BD.po
index b4f0bfa6..695e6158 100644
--- a/policycoreutils/po/bn_BD.po
+++ b/policycoreutils/po/bn_BD.po
@@ -1623,7 +1623,7 @@ msgid "<b>Select existing role to modify:</b>"
msgstr ""
#: ../gui/polgen.glade:908
-msgid "Select the user roles that will transiton to the %s domain."
+msgid "Select the user roles that will transition to the %s domain."
msgstr ""
#: ../gui/polgen.glade:928
@@ -1649,7 +1649,7 @@ msgid "<b>Select the user_roles that will transition to %s:</b>"
msgstr ""
#: ../gui/polgen.glade:1019
-msgid "Select the user roles that will transiton to this applications domains."
+msgid "Select the user roles that will transition to this applications domains."
msgstr ""
#: ../gui/polgen.glade:1056
@@ -1873,7 +1873,7 @@ msgid "You must enter a executable"
msgstr ""
#: ../gui/polgengui.py:756 ../gui/system-config-selinux.py:180
-msgid "Configue SELinux"
+msgid "Configure SELinux"
msgstr ""
#: ../gui/portsPage.py:51 ../gui/system-config-selinux.glade:2528
@@ -3722,7 +3722,7 @@ msgstr ""
#: ../sepolicy/sepolicy/generate.py:333
msgid ""
-"Name must be alpha numberic with no spaces. Consider using option \"-n "
+"Name must be alpha numeric with no spaces. Consider using option \"-n "
"MODULENAME\""
msgstr ""
@@ -3948,7 +3948,7 @@ msgstr ""
#: ../sepolicy/sepolicy/sepolicy.glade:826
msgid ""
-"Select Make Path Recursive iff you want to apply this label to all children "
+"Select Make Path Recursive if you want to apply this label to all children "
"of the specified directory path. objects under the directory to have this "
"label."
msgstr ""
diff --git a/policycoreutils/po/bn_IN.po b/policycoreutils/po/bn_IN.po
index 3d3cd0bf..9909aa38 100644
--- a/policycoreutils/po/bn_IN.po
+++ b/policycoreutils/po/bn_IN.po
@@ -1675,7 +1675,7 @@ msgid "<b>Select existing role to modify:</b>"
msgstr "<b>পরিবরà§à¦¤à¦¨à§‡à¦° উদà§à¦¦à§‡à¦¶à§à¦¯à§‡ কোনো উপসà§à¦¥à¦¿à¦¤ ভূমিকা নিরà§à¦¬à¦¾à¦šà¦¨ করà§à¦¨:</b>"
#: ../gui/polgen.glade:908
-msgid "Select the user roles that will transiton to the %s domain."
+msgid "Select the user roles that will transition to the %s domain."
msgstr "%s ডোমেইনে সà§à¦¥à¦¾à¦¨à¦¾à¦¨à§à¦¤à¦°à§‡à¦° জনà§à¦¯ বà§à¦¯à¦¬à¦¹à¦¾à¦°à¦•à¦¾à¦°à§€ ভূমিকা নিরà§à¦¬à¦¾à¦šà¦¨ করà§à¦¨à¥¤"
#: ../gui/polgen.glade:928
@@ -1701,7 +1701,7 @@ msgid "<b>Select the user_roles that will transition to %s:</b>"
msgstr "<b>যে সমসà§à¦¤ user_roles %s-ঠরূপানà§à¦¤à¦°à¦¿à¦¤ হবে সেগà§à¦²à¦¿ নিরà§à¦¬à¦¾à¦šà¦¨ করà§à¦¨:</b>"
#: ../gui/polgen.glade:1019
-msgid "Select the user roles that will transiton to this applications domains."
+msgid "Select the user roles that will transition to this applications domains."
msgstr ""
"চিহà§à¦¨à¦¿à¦¤ অà§à¦¯à¦¾à¦ªà§à¦²à¦¿à¦•à§‡à¦¶à¦¨ ডোমেইনের মধà§à¦¯à§‡ রূপানà§à¦¤à¦°à¦¯à§‹à¦—à§à¦¯ বà§à¦¯à¦¬à¦¹à¦¾à¦°à¦•à¦¾à¦°à§€à¦° ভূমিকা নিরà§à¦¬à¦¾à¦šà¦¨ করà§à¦¨"
@@ -1943,7 +1943,7 @@ msgid "You must enter a executable"
msgstr "à¦à¦•à§à¦¸à§‡à¦•à¦¿à¦‰à¦Ÿà§‡à¦¬à¦² উলà§à¦²à§‡à¦– করা আবশà§à¦¯à¦•"
#: ../gui/polgengui.py:756 ../gui/system-config-selinux.py:180
-msgid "Configue SELinux"
+msgid "Configure SELinux"
msgstr "SELinux কনফিগার করà§à¦¨"
#: ../gui/portsPage.py:51 ../gui/system-config-selinux.glade:2528
@@ -3828,7 +3828,7 @@ msgstr ""
#: ../sepolicy/sepolicy/generate.py:333
msgid ""
-"Name must be alpha numberic with no spaces. Consider using option \"-n "
+"Name must be alpha numeric with no spaces. Consider using option \"-n "
"MODULENAME\""
msgstr ""
"শূণà§à¦¯à¦¸à§à¦¥à¦¾à¦¨ বিনা অকà§à¦·à¦° ও সংখà§à¦¯à¦¾ বিশিষà§à¦Ÿ নাম হওয়া আবশà§à¦¯à¦•à¥¤ \"-n MODULENAME\" বিকলà§à¦ªà§‡à¦° "
@@ -4063,7 +4063,7 @@ msgstr ""
#: ../sepolicy/sepolicy/sepolicy.glade:826
msgid ""
-"Select Make Path Recursive iff you want to apply this label to all children "
+"Select Make Path Recursive if you want to apply this label to all children "
"of the specified directory path. objects under the directory to have this "
"label."
msgstr ""
diff --git a/policycoreutils/po/bo.po b/policycoreutils/po/bo.po
index 86644889..e7f79f5b 100644
--- a/policycoreutils/po/bo.po
+++ b/policycoreutils/po/bo.po
@@ -1622,7 +1622,7 @@ msgid "<b>Select existing role to modify:</b>"
msgstr ""
#: ../gui/polgen.glade:908
-msgid "Select the user roles that will transiton to the %s domain."
+msgid "Select the user roles that will transition to the %s domain."
msgstr ""
#: ../gui/polgen.glade:928
@@ -1648,7 +1648,7 @@ msgid "<b>Select the user_roles that will transition to %s:</b>"
msgstr ""
#: ../gui/polgen.glade:1019
-msgid "Select the user roles that will transiton to this applications domains."
+msgid "Select the user roles that will transition to this applications domains."
msgstr ""
#: ../gui/polgen.glade:1056
@@ -1872,7 +1872,7 @@ msgid "You must enter a executable"
msgstr ""
#: ../gui/polgengui.py:756 ../gui/system-config-selinux.py:180
-msgid "Configue SELinux"
+msgid "Configure SELinux"
msgstr ""
#: ../gui/portsPage.py:51 ../gui/system-config-selinux.glade:2528
@@ -3721,7 +3721,7 @@ msgstr ""
#: ../sepolicy/sepolicy/generate.py:333
msgid ""
-"Name must be alpha numberic with no spaces. Consider using option \"-n "
+"Name must be alpha numeric with no spaces. Consider using option \"-n "
"MODULENAME\""
msgstr ""
@@ -3947,7 +3947,7 @@ msgstr ""
#: ../sepolicy/sepolicy/sepolicy.glade:826
msgid ""
-"Select Make Path Recursive iff you want to apply this label to all children "
+"Select Make Path Recursive if you want to apply this label to all children "
"of the specified directory path. objects under the directory to have this "
"label."
msgstr ""
diff --git a/policycoreutils/po/br.po b/policycoreutils/po/br.po
index 5c08944d..9aafc404 100644
--- a/policycoreutils/po/br.po
+++ b/policycoreutils/po/br.po
@@ -1623,7 +1623,7 @@ msgid "<b>Select existing role to modify:</b>"
msgstr ""
#: ../gui/polgen.glade:908
-msgid "Select the user roles that will transiton to the %s domain."
+msgid "Select the user roles that will transition to the %s domain."
msgstr ""
#: ../gui/polgen.glade:928
@@ -1649,7 +1649,7 @@ msgid "<b>Select the user_roles that will transition to %s:</b>"
msgstr ""
#: ../gui/polgen.glade:1019
-msgid "Select the user roles that will transiton to this applications domains."
+msgid "Select the user roles that will transition to this applications domains."
msgstr ""
#: ../gui/polgen.glade:1056
@@ -1873,7 +1873,7 @@ msgid "You must enter a executable"
msgstr ""
#: ../gui/polgengui.py:756 ../gui/system-config-selinux.py:180
-msgid "Configue SELinux"
+msgid "Configure SELinux"
msgstr ""
#: ../gui/portsPage.py:51 ../gui/system-config-selinux.glade:2528
@@ -3722,7 +3722,7 @@ msgstr ""
#: ../sepolicy/sepolicy/generate.py:333
msgid ""
-"Name must be alpha numberic with no spaces. Consider using option \"-n "
+"Name must be alpha numeric with no spaces. Consider using option \"-n "
"MODULENAME\""
msgstr ""
@@ -3948,7 +3948,7 @@ msgstr ""
#: ../sepolicy/sepolicy/sepolicy.glade:826
msgid ""
-"Select Make Path Recursive iff you want to apply this label to all children "
+"Select Make Path Recursive if you want to apply this label to all children "
"of the specified directory path. objects under the directory to have this "
"label."
msgstr ""
diff --git a/policycoreutils/po/brx.po b/policycoreutils/po/brx.po
index 3d6ccd23..bb71d881 100644
--- a/policycoreutils/po/brx.po
+++ b/policycoreutils/po/brx.po
@@ -1623,7 +1623,7 @@ msgid "<b>Select existing role to modify:</b>"
msgstr ""
#: ../gui/polgen.glade:908
-msgid "Select the user roles that will transiton to the %s domain."
+msgid "Select the user roles that will transition to the %s domain."
msgstr ""
#: ../gui/polgen.glade:928
@@ -1649,7 +1649,7 @@ msgid "<b>Select the user_roles that will transition to %s:</b>"
msgstr ""
#: ../gui/polgen.glade:1019
-msgid "Select the user roles that will transiton to this applications domains."
+msgid "Select the user roles that will transition to this applications domains."
msgstr ""
#: ../gui/polgen.glade:1056
@@ -1873,7 +1873,7 @@ msgid "You must enter a executable"
msgstr ""
#: ../gui/polgengui.py:756 ../gui/system-config-selinux.py:180
-msgid "Configue SELinux"
+msgid "Configure SELinux"
msgstr ""
#: ../gui/portsPage.py:51 ../gui/system-config-selinux.glade:2528
@@ -3722,7 +3722,7 @@ msgstr ""
#: ../sepolicy/sepolicy/generate.py:333
msgid ""
-"Name must be alpha numberic with no spaces. Consider using option \"-n "
+"Name must be alpha numeric with no spaces. Consider using option \"-n "
"MODULENAME\""
msgstr ""
@@ -3948,7 +3948,7 @@ msgstr ""
#: ../sepolicy/sepolicy/sepolicy.glade:826
msgid ""
-"Select Make Path Recursive iff you want to apply this label to all children "
+"Select Make Path Recursive if you want to apply this label to all children "
"of the specified directory path. objects under the directory to have this "
"label."
msgstr ""
diff --git a/policycoreutils/po/bs.po b/policycoreutils/po/bs.po
index ec4c1d39..689948c4 100644
--- a/policycoreutils/po/bs.po
+++ b/policycoreutils/po/bs.po
@@ -1632,7 +1632,7 @@ msgid "<b>Select existing role to modify:</b>"
msgstr ""
#: ../gui/polgen.glade:908
-msgid "Select the user roles that will transiton to the %s domain."
+msgid "Select the user roles that will transition to the %s domain."
msgstr ""
#: ../gui/polgen.glade:928
@@ -1658,7 +1658,7 @@ msgid "<b>Select the user_roles that will transition to %s:</b>"
msgstr ""
#: ../gui/polgen.glade:1019
-msgid "Select the user roles that will transiton to this applications domains."
+msgid "Select the user roles that will transition to this applications domains."
msgstr ""
#: ../gui/polgen.glade:1056
@@ -1882,7 +1882,7 @@ msgid "You must enter a executable"
msgstr ""
#: ../gui/polgengui.py:756 ../gui/system-config-selinux.py:180
-msgid "Configue SELinux"
+msgid "Configure SELinux"
msgstr ""
#: ../gui/portsPage.py:51 ../gui/system-config-selinux.glade:2528
@@ -3731,7 +3731,7 @@ msgstr ""
#: ../sepolicy/sepolicy/generate.py:333
msgid ""
-"Name must be alpha numberic with no spaces. Consider using option \"-n "
+"Name must be alpha numeric with no spaces. Consider using option \"-n "
"MODULENAME\""
msgstr ""
@@ -3957,7 +3957,7 @@ msgstr ""
#: ../sepolicy/sepolicy/sepolicy.glade:826
msgid ""
-"Select Make Path Recursive iff you want to apply this label to all children "
+"Select Make Path Recursive if you want to apply this label to all children "
"of the specified directory path. objects under the directory to have this "
"label."
msgstr ""
diff --git a/policycoreutils/po/ca.po b/policycoreutils/po/ca.po
index 401e16f1..c1ec98b1 100644
--- a/policycoreutils/po/ca.po
+++ b/policycoreutils/po/ca.po
@@ -1654,7 +1654,7 @@ msgid "<b>Select existing role to modify:</b>"
msgstr ""
#: ../gui/polgen.glade:908
-msgid "Select the user roles that will transiton to the %s domain."
+msgid "Select the user roles that will transition to the %s domain."
msgstr ""
#: ../gui/polgen.glade:928
@@ -1680,7 +1680,7 @@ msgid "<b>Select the user_roles that will transition to %s:</b>"
msgstr ""
#: ../gui/polgen.glade:1019
-msgid "Select the user roles that will transiton to this applications domains."
+msgid "Select the user roles that will transition to this applications domains."
msgstr ""
#: ../gui/polgen.glade:1056
@@ -1904,7 +1904,7 @@ msgid "You must enter a executable"
msgstr ""
#: ../gui/polgengui.py:756 ../gui/system-config-selinux.py:180
-msgid "Configue SELinux"
+msgid "Configure SELinux"
msgstr ""
#: ../gui/portsPage.py:51 ../gui/system-config-selinux.glade:2528
@@ -3753,7 +3753,7 @@ msgstr ""
#: ../sepolicy/sepolicy/generate.py:333
msgid ""
-"Name must be alpha numberic with no spaces. Consider using option \"-n "
+"Name must be alpha numeric with no spaces. Consider using option \"-n "
"MODULENAME\""
msgstr ""
@@ -3979,7 +3979,7 @@ msgstr ""
#: ../sepolicy/sepolicy/sepolicy.glade:826
msgid ""
-"Select Make Path Recursive iff you want to apply this label to all children "
+"Select Make Path Recursive if you want to apply this label to all children "
"of the specified directory path. objects under the directory to have this "
"label."
msgstr ""
diff --git a/policycoreutils/po/cs.po b/policycoreutils/po/cs.po
index 91d764bc..75c6251c 100644
--- a/policycoreutils/po/cs.po
+++ b/policycoreutils/po/cs.po
@@ -1627,7 +1627,7 @@ msgid "<b>Select existing role to modify:</b>"
msgstr ""
#: ../gui/polgen.glade:908
-msgid "Select the user roles that will transiton to the %s domain."
+msgid "Select the user roles that will transition to the %s domain."
msgstr ""
#: ../gui/polgen.glade:928
@@ -1653,7 +1653,7 @@ msgid "<b>Select the user_roles that will transition to %s:</b>"
msgstr ""
#: ../gui/polgen.glade:1019
-msgid "Select the user roles that will transiton to this applications domains."
+msgid "Select the user roles that will transition to this applications domains."
msgstr ""
#: ../gui/polgen.glade:1056
@@ -1877,7 +1877,7 @@ msgid "You must enter a executable"
msgstr ""
#: ../gui/polgengui.py:756 ../gui/system-config-selinux.py:180
-msgid "Configue SELinux"
+msgid "Configure SELinux"
msgstr ""
#: ../gui/portsPage.py:51 ../gui/system-config-selinux.glade:2528
@@ -3726,7 +3726,7 @@ msgstr ""
#: ../sepolicy/sepolicy/generate.py:333
msgid ""
-"Name must be alpha numberic with no spaces. Consider using option \"-n "
+"Name must be alpha numeric with no spaces. Consider using option \"-n "
"MODULENAME\""
msgstr ""
@@ -3952,7 +3952,7 @@ msgstr ""
#: ../sepolicy/sepolicy/sepolicy.glade:826
msgid ""
-"Select Make Path Recursive iff you want to apply this label to all children "
+"Select Make Path Recursive if you want to apply this label to all children "
"of the specified directory path. objects under the directory to have this "
"label."
msgstr ""
diff --git a/policycoreutils/po/cy.po b/policycoreutils/po/cy.po
index c7ff335b..34b7460f 100644
--- a/policycoreutils/po/cy.po
+++ b/policycoreutils/po/cy.po
@@ -1624,7 +1624,7 @@ msgid "<b>Select existing role to modify:</b>"
msgstr ""
#: ../gui/polgen.glade:908
-msgid "Select the user roles that will transiton to the %s domain."
+msgid "Select the user roles that will transition to the %s domain."
msgstr ""
#: ../gui/polgen.glade:928
@@ -1650,7 +1650,7 @@ msgid "<b>Select the user_roles that will transition to %s:</b>"
msgstr ""
#: ../gui/polgen.glade:1019
-msgid "Select the user roles that will transiton to this applications domains."
+msgid "Select the user roles that will transition to this applications domains."
msgstr ""
#: ../gui/polgen.glade:1056
@@ -1874,7 +1874,7 @@ msgid "You must enter a executable"
msgstr ""
#: ../gui/polgengui.py:756 ../gui/system-config-selinux.py:180
-msgid "Configue SELinux"
+msgid "Configure SELinux"
msgstr ""
#: ../gui/portsPage.py:51 ../gui/system-config-selinux.glade:2528
@@ -3723,7 +3723,7 @@ msgstr ""
#: ../sepolicy/sepolicy/generate.py:333
msgid ""
-"Name must be alpha numberic with no spaces. Consider using option \"-n "
+"Name must be alpha numeric with no spaces. Consider using option \"-n "
"MODULENAME\""
msgstr ""
@@ -3949,7 +3949,7 @@ msgstr ""
#: ../sepolicy/sepolicy/sepolicy.glade:826
msgid ""
-"Select Make Path Recursive iff you want to apply this label to all children "
+"Select Make Path Recursive if you want to apply this label to all children "
"of the specified directory path. objects under the directory to have this "
"label."
msgstr ""
diff --git a/policycoreutils/po/da.po b/policycoreutils/po/da.po
index 402c612d..e8ef6f93 100644
--- a/policycoreutils/po/da.po
+++ b/policycoreutils/po/da.po
@@ -1632,7 +1632,7 @@ msgid "<b>Select existing role to modify:</b>"
msgstr ""
#: ../gui/polgen.glade:908
-msgid "Select the user roles that will transiton to the %s domain."
+msgid "Select the user roles that will transition to the %s domain."
msgstr ""
#: ../gui/polgen.glade:928
@@ -1658,7 +1658,7 @@ msgid "<b>Select the user_roles that will transition to %s:</b>"
msgstr ""
#: ../gui/polgen.glade:1019
-msgid "Select the user roles that will transiton to this applications domains."
+msgid "Select the user roles that will transition to this applications domains."
msgstr ""
#: ../gui/polgen.glade:1056
@@ -1882,7 +1882,7 @@ msgid "You must enter a executable"
msgstr ""
#: ../gui/polgengui.py:756 ../gui/system-config-selinux.py:180
-msgid "Configue SELinux"
+msgid "Configure SELinux"
msgstr ""
#: ../gui/portsPage.py:51 ../gui/system-config-selinux.glade:2528
@@ -3731,7 +3731,7 @@ msgstr ""
#: ../sepolicy/sepolicy/generate.py:333
msgid ""
-"Name must be alpha numberic with no spaces. Consider using option \"-n "
+"Name must be alpha numeric with no spaces. Consider using option \"-n "
"MODULENAME\""
msgstr ""
@@ -3957,7 +3957,7 @@ msgstr ""
#: ../sepolicy/sepolicy/sepolicy.glade:826
msgid ""
-"Select Make Path Recursive iff you want to apply this label to all children "
+"Select Make Path Recursive if you want to apply this label to all children "
"of the specified directory path. objects under the directory to have this "
"label."
msgstr ""
diff --git a/policycoreutils/po/de.po b/policycoreutils/po/de.po
index f7ac23c8..747719c8 100644
--- a/policycoreutils/po/de.po
+++ b/policycoreutils/po/de.po
@@ -1709,7 +1709,7 @@ msgid "<b>Select existing role to modify:</b>"
msgstr "<b>Wählen Sie eine vorhandene Rolle zum Bearbeiten:</b>"
#: ../gui/polgen.glade:908
-msgid "Select the user roles that will transiton to the %s domain."
+msgid "Select the user roles that will transition to the %s domain."
msgstr "Wählen Sie die Benutzerrollen, die in die %s-Domain wechseln werden."
#: ../gui/polgen.glade:928
@@ -1737,7 +1737,7 @@ msgid "<b>Select the user_roles that will transition to %s:</b>"
msgstr "<b>Wählen Sie die Benutzer_rollen, die nach %s wechseln werden:</b>"
#: ../gui/polgen.glade:1019
-msgid "Select the user roles that will transiton to this applications domains."
+msgid "Select the user roles that will transition to this applications domains."
msgstr ""
"Wählen Sie die Benutzerrollen, die in diese Anwendungsdomains wechseln "
"werden."
@@ -1986,7 +1986,7 @@ msgid "You must enter a executable"
msgstr "Sie müssen eine ausführbare Datei angeben"
#: ../gui/polgengui.py:756 ../gui/system-config-selinux.py:180
-msgid "Configue SELinux"
+msgid "Configure SELinux"
msgstr "SELinux konfigurieren"
#: ../gui/portsPage.py:51 ../gui/system-config-selinux.glade:2528
@@ -4106,7 +4106,7 @@ msgstr "Sie müssen einen Namen für Ihr Richtlinienmodul für %s angeben."
#: ../sepolicy/sepolicy/generate.py:333
msgid ""
-"Name must be alpha numberic with no spaces. Consider using option \"-n "
+"Name must be alpha numeric with no spaces. Consider using option \"-n "
"MODULENAME\""
msgstr ""
"Name muss alphanumerisch ohne Leerzeichen sein. Verwenden Sie ggf. die "
@@ -4346,7 +4346,7 @@ msgstr ""
#: ../sepolicy/sepolicy/sepolicy.glade:826
msgid ""
-"Select Make Path Recursive iff you want to apply this label to all children "
+"Select Make Path Recursive if you want to apply this label to all children "
"of the specified directory path. objects under the directory to have this "
"label."
msgstr ""
diff --git a/policycoreutils/po/dz.po b/policycoreutils/po/dz.po
index 9a6ca3df..1df09b27 100644
--- a/policycoreutils/po/dz.po
+++ b/policycoreutils/po/dz.po
@@ -1623,7 +1623,7 @@ msgid "<b>Select existing role to modify:</b>"
msgstr ""
#: ../gui/polgen.glade:908
-msgid "Select the user roles that will transiton to the %s domain."
+msgid "Select the user roles that will transition to the %s domain."
msgstr ""
#: ../gui/polgen.glade:928
@@ -1649,7 +1649,7 @@ msgid "<b>Select the user_roles that will transition to %s:</b>"
msgstr ""
#: ../gui/polgen.glade:1019
-msgid "Select the user roles that will transiton to this applications domains."
+msgid "Select the user roles that will transition to this applications domains."
msgstr ""
#: ../gui/polgen.glade:1056
@@ -1873,7 +1873,7 @@ msgid "You must enter a executable"
msgstr ""
#: ../gui/polgengui.py:756 ../gui/system-config-selinux.py:180
-msgid "Configue SELinux"
+msgid "Configure SELinux"
msgstr ""
#: ../gui/portsPage.py:51 ../gui/system-config-selinux.glade:2528
@@ -3722,7 +3722,7 @@ msgstr ""
#: ../sepolicy/sepolicy/generate.py:333
msgid ""
-"Name must be alpha numberic with no spaces. Consider using option \"-n "
+"Name must be alpha numeric with no spaces. Consider using option \"-n "
"MODULENAME\""
msgstr ""
@@ -3948,7 +3948,7 @@ msgstr ""
#: ../sepolicy/sepolicy/sepolicy.glade:826
msgid ""
-"Select Make Path Recursive iff you want to apply this label to all children "
+"Select Make Path Recursive if you want to apply this label to all children "
"of the specified directory path. objects under the directory to have this "
"label."
msgstr ""
diff --git a/policycoreutils/po/el.po b/policycoreutils/po/el.po
index d9844d02..39627b40 100644
--- a/policycoreutils/po/el.po
+++ b/policycoreutils/po/el.po
@@ -1626,7 +1626,7 @@ msgid "<b>Select existing role to modify:</b>"
msgstr ""
#: ../gui/polgen.glade:908
-msgid "Select the user roles that will transiton to the %s domain."
+msgid "Select the user roles that will transition to the %s domain."
msgstr ""
#: ../gui/polgen.glade:928
@@ -1652,7 +1652,7 @@ msgid "<b>Select the user_roles that will transition to %s:</b>"
msgstr ""
#: ../gui/polgen.glade:1019
-msgid "Select the user roles that will transiton to this applications domains."
+msgid "Select the user roles that will transition to this applications domains."
msgstr ""
#: ../gui/polgen.glade:1056
@@ -1876,7 +1876,7 @@ msgid "You must enter a executable"
msgstr ""
#: ../gui/polgengui.py:756 ../gui/system-config-selinux.py:180
-msgid "Configue SELinux"
+msgid "Configure SELinux"
msgstr ""
#: ../gui/portsPage.py:51 ../gui/system-config-selinux.glade:2528
@@ -3725,7 +3725,7 @@ msgstr ""
#: ../sepolicy/sepolicy/generate.py:333
msgid ""
-"Name must be alpha numberic with no spaces. Consider using option \"-n "
+"Name must be alpha numeric with no spaces. Consider using option \"-n "
"MODULENAME\""
msgstr ""
@@ -3951,7 +3951,7 @@ msgstr ""
#: ../sepolicy/sepolicy/sepolicy.glade:826
msgid ""
-"Select Make Path Recursive iff you want to apply this label to all children "
+"Select Make Path Recursive if you want to apply this label to all children "
"of the specified directory path. objects under the directory to have this "
"label."
msgstr ""
diff --git a/policycoreutils/po/en_GB.po b/policycoreutils/po/en_GB.po
index b7312f5a..34c73523 100644
--- a/policycoreutils/po/en_GB.po
+++ b/policycoreutils/po/en_GB.po
@@ -1630,7 +1630,7 @@ msgid "<b>Select existing role to modify:</b>"
msgstr ""
#: ../gui/polgen.glade:908
-msgid "Select the user roles that will transiton to the %s domain."
+msgid "Select the user roles that will transition to the %s domain."
msgstr ""
#: ../gui/polgen.glade:928
@@ -1656,7 +1656,7 @@ msgid "<b>Select the user_roles that will transition to %s:</b>"
msgstr ""
#: ../gui/polgen.glade:1019
-msgid "Select the user roles that will transiton to this applications domains."
+msgid "Select the user roles that will transition to this applications domains."
msgstr ""
#: ../gui/polgen.glade:1056
@@ -1880,7 +1880,7 @@ msgid "You must enter a executable"
msgstr ""
#: ../gui/polgengui.py:756 ../gui/system-config-selinux.py:180
-msgid "Configue SELinux"
+msgid "Configure SELinux"
msgstr ""
#: ../gui/portsPage.py:51 ../gui/system-config-selinux.glade:2528
@@ -3729,7 +3729,7 @@ msgstr ""
#: ../sepolicy/sepolicy/generate.py:333
msgid ""
-"Name must be alpha numberic with no spaces. Consider using option \"-n "
+"Name must be alpha numeric with no spaces. Consider using option \"-n "
"MODULENAME\""
msgstr ""
@@ -3955,7 +3955,7 @@ msgstr ""
#: ../sepolicy/sepolicy/sepolicy.glade:826
msgid ""
-"Select Make Path Recursive iff you want to apply this label to all children "
+"Select Make Path Recursive if you want to apply this label to all children "
"of the specified directory path. objects under the directory to have this "
"label."
msgstr ""
diff --git a/policycoreutils/po/eo.po b/policycoreutils/po/eo.po
index 53705657..88552984 100644
--- a/policycoreutils/po/eo.po
+++ b/policycoreutils/po/eo.po
@@ -1623,7 +1623,7 @@ msgid "<b>Select existing role to modify:</b>"
msgstr ""
#: ../gui/polgen.glade:908
-msgid "Select the user roles that will transiton to the %s domain."
+msgid "Select the user roles that will transition to the %s domain."
msgstr ""
#: ../gui/polgen.glade:928
@@ -1649,7 +1649,7 @@ msgid "<b>Select the user_roles that will transition to %s:</b>"
msgstr ""
#: ../gui/polgen.glade:1019
-msgid "Select the user roles that will transiton to this applications domains."
+msgid "Select the user roles that will transition to this applications domains."
msgstr ""
#: ../gui/polgen.glade:1056
@@ -1873,7 +1873,7 @@ msgid "You must enter a executable"
msgstr ""
#: ../gui/polgengui.py:756 ../gui/system-config-selinux.py:180
-msgid "Configue SELinux"
+msgid "Configure SELinux"
msgstr ""
#: ../gui/portsPage.py:51 ../gui/system-config-selinux.glade:2528
@@ -3722,7 +3722,7 @@ msgstr ""
#: ../sepolicy/sepolicy/generate.py:333
msgid ""
-"Name must be alpha numberic with no spaces. Consider using option \"-n "
+"Name must be alpha numeric with no spaces. Consider using option \"-n "
"MODULENAME\""
msgstr ""
@@ -3948,7 +3948,7 @@ msgstr ""
#: ../sepolicy/sepolicy/sepolicy.glade:826
msgid ""
-"Select Make Path Recursive iff you want to apply this label to all children "
+"Select Make Path Recursive if you want to apply this label to all children "
"of the specified directory path. objects under the directory to have this "
"label."
msgstr ""
diff --git a/policycoreutils/po/es.po b/policycoreutils/po/es.po
index 1bf427a5..03212814 100644
--- a/policycoreutils/po/es.po
+++ b/policycoreutils/po/es.po
@@ -1703,7 +1703,7 @@ msgid "<b>Select existing role to modify:</b>"
msgstr "<b>Elija la función existente a modificar:</b>"
#: ../gui/polgen.glade:908
-msgid "Select the user roles that will transiton to the %s domain."
+msgid "Select the user roles that will transition to the %s domain."
msgstr ""
"Elija los roles de usuario que harán la transición hacia el dominio %s."
@@ -1732,7 +1732,7 @@ msgid "<b>Select the user_roles that will transition to %s:</b>"
msgstr "<b>Elija las funciones de usuario que harán la transición a %s:</b>"
#: ../gui/polgen.glade:1019
-msgid "Select the user roles that will transiton to this applications domains."
+msgid "Select the user roles that will transition to this applications domains."
msgstr ""
"Elija las funciones de usuario que harán la transición a estos dominios de "
"aplicaciones."
@@ -1976,7 +1976,7 @@ msgid "You must enter a executable"
msgstr "Debe ingresar un ejecutable"
#: ../gui/polgengui.py:756 ../gui/system-config-selinux.py:180
-msgid "Configue SELinux"
+msgid "Configure SELinux"
msgstr "Configurar SELinux"
#: ../gui/portsPage.py:51 ../gui/system-config-selinux.glade:2528
@@ -4050,7 +4050,7 @@ msgstr "Debe introducir un nombre para su módulo de política para su %s."
#: ../sepolicy/sepolicy/generate.py:333
msgid ""
-"Name must be alpha numberic with no spaces. Consider using option \"-n "
+"Name must be alpha numeric with no spaces. Consider using option \"-n "
"MODULENAME\""
msgstr ""
"El nombre deber ser de tipo alfanumérico y sin espacios. Considere utilizar "
@@ -4288,7 +4288,7 @@ msgstr ""
#: ../sepolicy/sepolicy/sepolicy.glade:826
msgid ""
-"Select Make Path Recursive iff you want to apply this label to all children "
+"Select Make Path Recursive if you want to apply this label to all children "
"of the specified directory path. objects under the directory to have this "
"label."
msgstr ""
diff --git a/policycoreutils/po/es_MX.po b/policycoreutils/po/es_MX.po
index 1e3e7b20..8d9fc09f 100644
--- a/policycoreutils/po/es_MX.po
+++ b/policycoreutils/po/es_MX.po
@@ -1623,7 +1623,7 @@ msgid "<b>Select existing role to modify:</b>"
msgstr ""
#: ../gui/polgen.glade:908
-msgid "Select the user roles that will transiton to the %s domain."
+msgid "Select the user roles that will transition to the %s domain."
msgstr ""
#: ../gui/polgen.glade:928
@@ -1649,7 +1649,7 @@ msgid "<b>Select the user_roles that will transition to %s:</b>"
msgstr ""
#: ../gui/polgen.glade:1019
-msgid "Select the user roles that will transiton to this applications domains."
+msgid "Select the user roles that will transition to this applications domains."
msgstr ""
#: ../gui/polgen.glade:1056
@@ -1873,7 +1873,7 @@ msgid "You must enter a executable"
msgstr ""
#: ../gui/polgengui.py:756 ../gui/system-config-selinux.py:180
-msgid "Configue SELinux"
+msgid "Configure SELinux"
msgstr ""
#: ../gui/portsPage.py:51 ../gui/system-config-selinux.glade:2528
@@ -3722,7 +3722,7 @@ msgstr ""
#: ../sepolicy/sepolicy/generate.py:333
msgid ""
-"Name must be alpha numberic with no spaces. Consider using option \"-n "
+"Name must be alpha numeric with no spaces. Consider using option \"-n "
"MODULENAME\""
msgstr ""
@@ -3948,7 +3948,7 @@ msgstr ""
#: ../sepolicy/sepolicy/sepolicy.glade:826
msgid ""
-"Select Make Path Recursive iff you want to apply this label to all children "
+"Select Make Path Recursive if you want to apply this label to all children "
"of the specified directory path. objects under the directory to have this "
"label."
msgstr ""
diff --git a/policycoreutils/po/et.po b/policycoreutils/po/et.po
index a89b95fd..605247b6 100644
--- a/policycoreutils/po/et.po
+++ b/policycoreutils/po/et.po
@@ -1623,7 +1623,7 @@ msgid "<b>Select existing role to modify:</b>"
msgstr ""
#: ../gui/polgen.glade:908
-msgid "Select the user roles that will transiton to the %s domain."
+msgid "Select the user roles that will transition to the %s domain."
msgstr ""
#: ../gui/polgen.glade:928
@@ -1649,7 +1649,7 @@ msgid "<b>Select the user_roles that will transition to %s:</b>"
msgstr ""
#: ../gui/polgen.glade:1019
-msgid "Select the user roles that will transiton to this applications domains."
+msgid "Select the user roles that will transition to this applications domains."
msgstr ""
#: ../gui/polgen.glade:1056
@@ -1873,7 +1873,7 @@ msgid "You must enter a executable"
msgstr ""
#: ../gui/polgengui.py:756 ../gui/system-config-selinux.py:180
-msgid "Configue SELinux"
+msgid "Configure SELinux"
msgstr ""
#: ../gui/portsPage.py:51 ../gui/system-config-selinux.glade:2528
@@ -3722,7 +3722,7 @@ msgstr ""
#: ../sepolicy/sepolicy/generate.py:333
msgid ""
-"Name must be alpha numberic with no spaces. Consider using option \"-n "
+"Name must be alpha numeric with no spaces. Consider using option \"-n "
"MODULENAME\""
msgstr ""
@@ -3948,7 +3948,7 @@ msgstr ""
#: ../sepolicy/sepolicy/sepolicy.glade:826
msgid ""
-"Select Make Path Recursive iff you want to apply this label to all children "
+"Select Make Path Recursive if you want to apply this label to all children "
"of the specified directory path. objects under the directory to have this "
"label."
msgstr ""
diff --git a/policycoreutils/po/eu.po b/policycoreutils/po/eu.po
index bde96970..d6ee3d12 100644
--- a/policycoreutils/po/eu.po
+++ b/policycoreutils/po/eu.po
@@ -1626,7 +1626,7 @@ msgid "<b>Select existing role to modify:</b>"
msgstr ""
#: ../gui/polgen.glade:908
-msgid "Select the user roles that will transiton to the %s domain."
+msgid "Select the user roles that will transition to the %s domain."
msgstr ""
#: ../gui/polgen.glade:928
@@ -1652,7 +1652,7 @@ msgid "<b>Select the user_roles that will transition to %s:</b>"
msgstr ""
#: ../gui/polgen.glade:1019
-msgid "Select the user roles that will transiton to this applications domains."
+msgid "Select the user roles that will transition to this applications domains."
msgstr ""
#: ../gui/polgen.glade:1056
@@ -1876,7 +1876,7 @@ msgid "You must enter a executable"
msgstr ""
#: ../gui/polgengui.py:756 ../gui/system-config-selinux.py:180
-msgid "Configue SELinux"
+msgid "Configure SELinux"
msgstr "Konfiguratu SELinux"
#: ../gui/portsPage.py:51 ../gui/system-config-selinux.glade:2528
@@ -3725,7 +3725,7 @@ msgstr ""
#: ../sepolicy/sepolicy/generate.py:333
msgid ""
-"Name must be alpha numberic with no spaces. Consider using option \"-n "
+"Name must be alpha numeric with no spaces. Consider using option \"-n "
"MODULENAME\""
msgstr ""
@@ -3953,7 +3953,7 @@ msgstr ""
#: ../sepolicy/sepolicy/sepolicy.glade:826
msgid ""
-"Select Make Path Recursive iff you want to apply this label to all children "
+"Select Make Path Recursive if you want to apply this label to all children "
"of the specified directory path. objects under the directory to have this "
"label."
msgstr ""
diff --git a/policycoreutils/po/fa.po b/policycoreutils/po/fa.po
index 7d33e83b..778aa61d 100644
--- a/policycoreutils/po/fa.po
+++ b/policycoreutils/po/fa.po
@@ -1623,7 +1623,7 @@ msgid "<b>Select existing role to modify:</b>"
msgstr ""
#: ../gui/polgen.glade:908
-msgid "Select the user roles that will transiton to the %s domain."
+msgid "Select the user roles that will transition to the %s domain."
msgstr ""
#: ../gui/polgen.glade:928
@@ -1649,7 +1649,7 @@ msgid "<b>Select the user_roles that will transition to %s:</b>"
msgstr ""
#: ../gui/polgen.glade:1019
-msgid "Select the user roles that will transiton to this applications domains."
+msgid "Select the user roles that will transition to this applications domains."
msgstr ""
#: ../gui/polgen.glade:1056
@@ -1873,7 +1873,7 @@ msgid "You must enter a executable"
msgstr ""
#: ../gui/polgengui.py:756 ../gui/system-config-selinux.py:180
-msgid "Configue SELinux"
+msgid "Configure SELinux"
msgstr ""
#: ../gui/portsPage.py:51 ../gui/system-config-selinux.glade:2528
@@ -3722,7 +3722,7 @@ msgstr ""
#: ../sepolicy/sepolicy/generate.py:333
msgid ""
-"Name must be alpha numberic with no spaces. Consider using option \"-n "
+"Name must be alpha numeric with no spaces. Consider using option \"-n "
"MODULENAME\""
msgstr ""
@@ -3948,7 +3948,7 @@ msgstr ""
#: ../sepolicy/sepolicy/sepolicy.glade:826
msgid ""
-"Select Make Path Recursive iff you want to apply this label to all children "
+"Select Make Path Recursive if you want to apply this label to all children "
"of the specified directory path. objects under the directory to have this "
"label."
msgstr ""
diff --git a/policycoreutils/po/fi.po b/policycoreutils/po/fi.po
index 93a94e93..8bb10122 100644
--- a/policycoreutils/po/fi.po
+++ b/policycoreutils/po/fi.po
@@ -1638,7 +1638,7 @@ msgid "<b>Select existing role to modify:</b>"
msgstr ""
#: ../gui/polgen.glade:908
-msgid "Select the user roles that will transiton to the %s domain."
+msgid "Select the user roles that will transition to the %s domain."
msgstr ""
#: ../gui/polgen.glade:928
@@ -1664,7 +1664,7 @@ msgid "<b>Select the user_roles that will transition to %s:</b>"
msgstr ""
#: ../gui/polgen.glade:1019
-msgid "Select the user roles that will transiton to this applications domains."
+msgid "Select the user roles that will transition to this applications domains."
msgstr ""
#: ../gui/polgen.glade:1056
@@ -1888,7 +1888,7 @@ msgid "You must enter a executable"
msgstr ""
#: ../gui/polgengui.py:756 ../gui/system-config-selinux.py:180
-msgid "Configue SELinux"
+msgid "Configure SELinux"
msgstr ""
#: ../gui/portsPage.py:51 ../gui/system-config-selinux.glade:2528
@@ -3737,7 +3737,7 @@ msgstr ""
#: ../sepolicy/sepolicy/generate.py:333
msgid ""
-"Name must be alpha numberic with no spaces. Consider using option \"-n "
+"Name must be alpha numeric with no spaces. Consider using option \"-n "
"MODULENAME\""
msgstr ""
@@ -3964,7 +3964,7 @@ msgstr ""
#: ../sepolicy/sepolicy/sepolicy.glade:826
msgid ""
-"Select Make Path Recursive iff you want to apply this label to all children "
+"Select Make Path Recursive if you want to apply this label to all children "
"of the specified directory path. objects under the directory to have this "
"label."
msgstr ""
diff --git a/policycoreutils/po/fr.po b/policycoreutils/po/fr.po
index 5c797c9a..0867545f 100644
--- a/policycoreutils/po/fr.po
+++ b/policycoreutils/po/fr.po
@@ -1712,7 +1712,7 @@ msgid "<b>Select existing role to modify:</b>"
msgstr "<b>Sélectionner le rôle existant à modifier :</b>"
#: ../gui/polgen.glade:908
-msgid "Select the user roles that will transiton to the %s domain."
+msgid "Select the user roles that will transition to the %s domain."
msgstr ""
"Sélectionnez les rôles utilisateur qui transitionneront vers le domaine %s."
@@ -1742,7 +1742,7 @@ msgstr ""
"<b>Sélectionnez les rôle utilisateur qui transitionneront vers %s :</b>"
#: ../gui/polgen.glade:1019
-msgid "Select the user roles that will transiton to this applications domains."
+msgid "Select the user roles that will transition to this applications domains."
msgstr ""
"Sélectionnez les rôles utilisateur qui transitionneront verss ce domaine "
"applicatif."
@@ -1993,7 +1993,7 @@ msgid "You must enter a executable"
msgstr "Vous devez entrer un exécutable"
#: ../gui/polgengui.py:756 ../gui/system-config-selinux.py:180
-msgid "Configue SELinux"
+msgid "Configure SELinux"
msgstr "Configurer SELinux"
#: ../gui/portsPage.py:51 ../gui/system-config-selinux.glade:2528
@@ -4147,7 +4147,7 @@ msgstr "Vous devez entrer un nom pour votre module de stratégie pour votre %s."
#: ../sepolicy/sepolicy/generate.py:333
msgid ""
-"Name must be alpha numberic with no spaces. Consider using option \"-n "
+"Name must be alpha numeric with no spaces. Consider using option \"-n "
"MODULENAME\""
msgstr ""
"Le nom doit être alphanumérique sans espaces. Pensez à utiliser l'option « -"
@@ -4386,7 +4386,7 @@ msgstr ""
#: ../sepolicy/sepolicy/sepolicy.glade:826
msgid ""
-"Select Make Path Recursive iff you want to apply this label to all children "
+"Select Make Path Recursive if you want to apply this label to all children "
"of the specified directory path. objects under the directory to have this "
"label."
msgstr ""
diff --git a/policycoreutils/po/ga.po b/policycoreutils/po/ga.po
index 683287b7..48fc2c1d 100644
--- a/policycoreutils/po/ga.po
+++ b/policycoreutils/po/ga.po
@@ -1624,7 +1624,7 @@ msgid "<b>Select existing role to modify:</b>"
msgstr ""
#: ../gui/polgen.glade:908
-msgid "Select the user roles that will transiton to the %s domain."
+msgid "Select the user roles that will transition to the %s domain."
msgstr ""
#: ../gui/polgen.glade:928
@@ -1650,7 +1650,7 @@ msgid "<b>Select the user_roles that will transition to %s:</b>"
msgstr ""
#: ../gui/polgen.glade:1019
-msgid "Select the user roles that will transiton to this applications domains."
+msgid "Select the user roles that will transition to this applications domains."
msgstr ""
#: ../gui/polgen.glade:1056
@@ -1874,7 +1874,7 @@ msgid "You must enter a executable"
msgstr ""
#: ../gui/polgengui.py:756 ../gui/system-config-selinux.py:180
-msgid "Configue SELinux"
+msgid "Configure SELinux"
msgstr ""
#: ../gui/portsPage.py:51 ../gui/system-config-selinux.glade:2528
@@ -3723,7 +3723,7 @@ msgstr ""
#: ../sepolicy/sepolicy/generate.py:333
msgid ""
-"Name must be alpha numberic with no spaces. Consider using option \"-n "
+"Name must be alpha numeric with no spaces. Consider using option \"-n "
"MODULENAME\""
msgstr ""
@@ -3949,7 +3949,7 @@ msgstr ""
#: ../sepolicy/sepolicy/sepolicy.glade:826
msgid ""
-"Select Make Path Recursive iff you want to apply this label to all children "
+"Select Make Path Recursive if you want to apply this label to all children "
"of the specified directory path. objects under the directory to have this "
"label."
msgstr ""
diff --git a/policycoreutils/po/gl.po b/policycoreutils/po/gl.po
index 15fbe4a6..c0165f18 100644
--- a/policycoreutils/po/gl.po
+++ b/policycoreutils/po/gl.po
@@ -1623,7 +1623,7 @@ msgid "<b>Select existing role to modify:</b>"
msgstr ""
#: ../gui/polgen.glade:908
-msgid "Select the user roles that will transiton to the %s domain."
+msgid "Select the user roles that will transition to the %s domain."
msgstr ""
#: ../gui/polgen.glade:928
@@ -1649,7 +1649,7 @@ msgid "<b>Select the user_roles that will transition to %s:</b>"
msgstr ""
#: ../gui/polgen.glade:1019
-msgid "Select the user roles that will transiton to this applications domains."
+msgid "Select the user roles that will transition to this applications domains."
msgstr ""
#: ../gui/polgen.glade:1056
@@ -1873,7 +1873,7 @@ msgid "You must enter a executable"
msgstr ""
#: ../gui/polgengui.py:756 ../gui/system-config-selinux.py:180
-msgid "Configue SELinux"
+msgid "Configure SELinux"
msgstr ""
#: ../gui/portsPage.py:51 ../gui/system-config-selinux.glade:2528
@@ -3722,7 +3722,7 @@ msgstr ""
#: ../sepolicy/sepolicy/generate.py:333
msgid ""
-"Name must be alpha numberic with no spaces. Consider using option \"-n "
+"Name must be alpha numeric with no spaces. Consider using option \"-n "
"MODULENAME\""
msgstr ""
@@ -3948,7 +3948,7 @@ msgstr ""
#: ../sepolicy/sepolicy/sepolicy.glade:826
msgid ""
-"Select Make Path Recursive iff you want to apply this label to all children "
+"Select Make Path Recursive if you want to apply this label to all children "
"of the specified directory path. objects under the directory to have this "
"label."
msgstr ""
diff --git a/policycoreutils/po/gu.po b/policycoreutils/po/gu.po
index bf08113c..6400b8c3 100644
--- a/policycoreutils/po/gu.po
+++ b/policycoreutils/po/gu.po
@@ -1670,7 +1670,7 @@ msgid "<b>Select existing role to modify:</b>"
msgstr "<b>બદલવા માટે હાલની ભૂમિકાને પસંદ કરો:</b>"
#: ../gui/polgen.glade:908
-msgid "Select the user roles that will transiton to the %s domain."
+msgid "Select the user roles that will transition to the %s domain."
msgstr "વપરાશકરà«àª¤àª¾ ભૂમિકાને પસંદ કરો કે જે %s ડોમેઇનમાં પરિવહન કરશે."
#: ../gui/polgen.glade:928
@@ -1698,7 +1698,7 @@ msgid "<b>Select the user_roles that will transition to %s:</b>"
msgstr "<b>વપરાશકરà«àª¤àª¾ ભૂમિકાઓ પસંદ કરો કે જે %s માં પરિવહન કરશે: (_r)</b>"
#: ../gui/polgen.glade:1019
-msgid "Select the user roles that will transiton to this applications domains."
+msgid "Select the user roles that will transition to this applications domains."
msgstr "વપરાશકરà«àª¤àª¾ ભૂમિકાઓ પસંદ કરો કે જે કારà«àª¯àª•à«àª°àª® ડોમેઈનોમાં પરિવહન કરશે."
#: ../gui/polgen.glade:1056
@@ -1936,7 +1936,7 @@ msgid "You must enter a executable"
msgstr "તમારે àªàª•à«àªà«‡àª•à«àª¯à«àªŸà«‡àª¬àª² દાખલ કરવી જ પડશે"
#: ../gui/polgengui.py:756 ../gui/system-config-selinux.py:180
-msgid "Configue SELinux"
+msgid "Configure SELinux"
msgstr "SELinux રૂપરેખાંકિત કરો"
#: ../gui/portsPage.py:51 ../gui/system-config-selinux.glade:2528
@@ -3965,7 +3965,7 @@ msgstr "તમે તમારી %s માટે તમારી પોલિàª
#: ../sepolicy/sepolicy/generate.py:333
msgid ""
-"Name must be alpha numberic with no spaces. Consider using option \"-n "
+"Name must be alpha numeric with no spaces. Consider using option \"-n "
"MODULENAME\""
msgstr ""
"નામ ખાલી જગà«àª¯àª¾ વગરનà«àª‚ આલà«àª«àª¾ નà«àª¯à«‚મેરીક હોવૠજ જોઇàª. વિકલà«àªª \"-n MODULENAME\" ને વાપરવાનà«àª‚ "
@@ -4205,7 +4205,7 @@ msgstr ""
#: ../sepolicy/sepolicy/sepolicy.glade:826
msgid ""
-"Select Make Path Recursive iff you want to apply this label to all children "
+"Select Make Path Recursive if you want to apply this label to all children "
"of the specified directory path. objects under the directory to have this "
"label."
msgstr ""
diff --git a/policycoreutils/po/he.po b/policycoreutils/po/he.po
index 9e3af00e..b34f259b 100644
--- a/policycoreutils/po/he.po
+++ b/policycoreutils/po/he.po
@@ -1622,7 +1622,7 @@ msgid "<b>Select existing role to modify:</b>"
msgstr ""
#: ../gui/polgen.glade:908
-msgid "Select the user roles that will transiton to the %s domain."
+msgid "Select the user roles that will transition to the %s domain."
msgstr ""
#: ../gui/polgen.glade:928
@@ -1648,7 +1648,7 @@ msgid "<b>Select the user_roles that will transition to %s:</b>"
msgstr ""
#: ../gui/polgen.glade:1019
-msgid "Select the user roles that will transiton to this applications domains."
+msgid "Select the user roles that will transition to this applications domains."
msgstr ""
#: ../gui/polgen.glade:1056
@@ -1872,7 +1872,7 @@ msgid "You must enter a executable"
msgstr ""
#: ../gui/polgengui.py:756 ../gui/system-config-selinux.py:180
-msgid "Configue SELinux"
+msgid "Configure SELinux"
msgstr ""
#: ../gui/portsPage.py:51 ../gui/system-config-selinux.glade:2528
@@ -3721,7 +3721,7 @@ msgstr ""
#: ../sepolicy/sepolicy/generate.py:333
msgid ""
-"Name must be alpha numberic with no spaces. Consider using option \"-n "
+"Name must be alpha numeric with no spaces. Consider using option \"-n "
"MODULENAME\""
msgstr ""
@@ -3947,7 +3947,7 @@ msgstr ""
#: ../sepolicy/sepolicy/sepolicy.glade:826
msgid ""
-"Select Make Path Recursive iff you want to apply this label to all children "
+"Select Make Path Recursive if you want to apply this label to all children "
"of the specified directory path. objects under the directory to have this "
"label."
msgstr ""
diff --git a/policycoreutils/po/hi.po b/policycoreutils/po/hi.po
index 34a52247..0c4bf3c1 100644
--- a/policycoreutils/po/hi.po
+++ b/policycoreutils/po/hi.po
@@ -1663,7 +1663,7 @@ msgid "<b>Select existing role to modify:</b>"
msgstr "<b>बदलने के लिठमौजूदा भूमिका चà¥à¤¨à¥‡à¤‚:</b>"
#: ../gui/polgen.glade:908
-msgid "Select the user roles that will transiton to the %s domain."
+msgid "Select the user roles that will transition to the %s domain."
msgstr "उन उपयोकà¥à¤¤à¤¾ भूमिकाओं को चà¥à¤¨à¥‡à¤‚ जो %s डोमेन में संकà¥à¤°à¤®à¤¿à¤¤ किया जाà¤à¤—ा"
#: ../gui/polgen.glade:928
@@ -1691,7 +1691,7 @@ msgid "<b>Select the user_roles that will transition to %s:</b>"
msgstr "<b>उन उपयोकà¥à¤¤à¤¾_भूमिका को चà¥à¤¨à¥‡à¤‚ जो %s में संकà¥à¤°à¤®à¤¿à¤¤ किया जाà¤à¤—ा:</b>"
#: ../gui/polgen.glade:1019
-msgid "Select the user roles that will transiton to this applications domains."
+msgid "Select the user roles that will transition to this applications domains."
msgstr "उपयोकà¥à¤¤à¤¾ भूमिका चà¥à¤¨à¥‡à¤‚ जो कि इस अनà¥à¤ªà¥à¤°à¤¯à¥‹à¤— डोमेन में संकà¥à¤°à¤®à¤¿à¤¤ करेगा."
#: ../gui/polgen.glade:1056
@@ -1931,7 +1931,7 @@ msgid "You must enter a executable"
msgstr "आप जरूर à¤à¤• à¤à¤•à¥à¤¸à¤•à¥à¤¯à¥‚टेबल दें"
#: ../gui/polgengui.py:756 ../gui/system-config-selinux.py:180
-msgid "Configue SELinux"
+msgid "Configure SELinux"
msgstr "SELinux विनà¥à¤¯à¤¸à¥à¤¤ करें"
#: ../gui/portsPage.py:51 ../gui/system-config-selinux.glade:2528
@@ -3949,7 +3949,7 @@ msgstr "आपको अपने नीति मॉडà¥à¤¯à¥‚ल के लà
#: ../sepolicy/sepolicy/generate.py:333
msgid ""
-"Name must be alpha numberic with no spaces. Consider using option \"-n "
+"Name must be alpha numeric with no spaces. Consider using option \"-n "
"MODULENAME\""
msgstr ""
"नाम को वरà¥à¤£à¤¾à¤‚किक होना चाहिठबिना किसी सà¥à¤¥à¤¾à¤¨ के. option \"-n MODULENAME\" का "
@@ -4186,7 +4186,7 @@ msgstr ""
#: ../sepolicy/sepolicy/sepolicy.glade:826
msgid ""
-"Select Make Path Recursive iff you want to apply this label to all children "
+"Select Make Path Recursive if you want to apply this label to all children "
"of the specified directory path. objects under the directory to have this "
"label."
msgstr ""
diff --git a/policycoreutils/po/hr.po b/policycoreutils/po/hr.po
index 9e7db25b..d198e91a 100644
--- a/policycoreutils/po/hr.po
+++ b/policycoreutils/po/hr.po
@@ -1631,7 +1631,7 @@ msgid "<b>Select existing role to modify:</b>"
msgstr ""
#: ../gui/polgen.glade:908
-msgid "Select the user roles that will transiton to the %s domain."
+msgid "Select the user roles that will transition to the %s domain."
msgstr ""
#: ../gui/polgen.glade:928
@@ -1657,7 +1657,7 @@ msgid "<b>Select the user_roles that will transition to %s:</b>"
msgstr ""
#: ../gui/polgen.glade:1019
-msgid "Select the user roles that will transiton to this applications domains."
+msgid "Select the user roles that will transition to this applications domains."
msgstr ""
#: ../gui/polgen.glade:1056
@@ -1881,7 +1881,7 @@ msgid "You must enter a executable"
msgstr ""
#: ../gui/polgengui.py:756 ../gui/system-config-selinux.py:180
-msgid "Configue SELinux"
+msgid "Configure SELinux"
msgstr ""
#: ../gui/portsPage.py:51 ../gui/system-config-selinux.glade:2528
@@ -3730,7 +3730,7 @@ msgstr ""
#: ../sepolicy/sepolicy/generate.py:333
msgid ""
-"Name must be alpha numberic with no spaces. Consider using option \"-n "
+"Name must be alpha numeric with no spaces. Consider using option \"-n "
"MODULENAME\""
msgstr ""
@@ -3956,7 +3956,7 @@ msgstr ""
#: ../sepolicy/sepolicy/sepolicy.glade:826
msgid ""
-"Select Make Path Recursive iff you want to apply this label to all children "
+"Select Make Path Recursive if you want to apply this label to all children "
"of the specified directory path. objects under the directory to have this "
"label."
msgstr ""
diff --git a/policycoreutils/po/hu.po b/policycoreutils/po/hu.po
index e3584014..9b1c56ef 100644
--- a/policycoreutils/po/hu.po
+++ b/policycoreutils/po/hu.po
@@ -1693,7 +1693,7 @@ msgid "<b>Select existing role to modify:</b>"
msgstr "<b>Válasszon létező szerepkört a módosításhoz:</b>"
#: ../gui/polgen.glade:908
-msgid "Select the user roles that will transiton to the %s domain."
+msgid "Select the user roles that will transition to the %s domain."
msgstr ""
"Válassza ki a felhasználói szerepköröket amik átmenetet képeznek ehhez a "
"területhez: %s."
@@ -1724,7 +1724,7 @@ msgstr ""
"<b>Válasszon felhasználói sze_repeket amik átmenetet képeznek ehhez %s:</b>"
#: ../gui/polgen.glade:1019
-msgid "Select the user roles that will transiton to this applications domains."
+msgid "Select the user roles that will transition to this applications domains."
msgstr ""
"Válasszon felhasználói szerepköröket amik átmenetet képeznek ehhez az "
"alkalmazás területhez."
@@ -1974,7 +1974,7 @@ msgid "You must enter a executable"
msgstr "Meg kell adnia egy végrehajtható állományt"
#: ../gui/polgengui.py:756 ../gui/system-config-selinux.py:180
-msgid "Configue SELinux"
+msgid "Configure SELinux"
msgstr "SELinux beállítása"
#: ../gui/portsPage.py:51 ../gui/system-config-selinux.glade:2528
@@ -4240,7 +4240,7 @@ msgstr "Meg kell adnia egy nevet a szabályzat moduljának %s számára."
#: ../sepolicy/sepolicy/generate.py:333
msgid ""
-"Name must be alpha numberic with no spaces. Consider using option \"-n "
+"Name must be alpha numeric with no spaces. Consider using option \"-n "
"MODULENAME\""
msgstr ""
"A névnek alfanumerikusnak kell lennie szóközök nélkül. Vagy alkalmazza az \"-"
@@ -4481,7 +4481,7 @@ msgstr ""
#: ../sepolicy/sepolicy/sepolicy.glade:826
msgid ""
-"Select Make Path Recursive iff you want to apply this label to all children "
+"Select Make Path Recursive if you want to apply this label to all children "
"of the specified directory path. objects under the directory to have this "
"label."
msgstr ""
diff --git a/policycoreutils/po/hy.po b/policycoreutils/po/hy.po
index 0bc535d3..29faeb7f 100644
--- a/policycoreutils/po/hy.po
+++ b/policycoreutils/po/hy.po
@@ -1623,7 +1623,7 @@ msgid "<b>Select existing role to modify:</b>"
msgstr ""
#: ../gui/polgen.glade:908
-msgid "Select the user roles that will transiton to the %s domain."
+msgid "Select the user roles that will transition to the %s domain."
msgstr ""
#: ../gui/polgen.glade:928
@@ -1649,7 +1649,7 @@ msgid "<b>Select the user_roles that will transition to %s:</b>"
msgstr ""
#: ../gui/polgen.glade:1019
-msgid "Select the user roles that will transiton to this applications domains."
+msgid "Select the user roles that will transition to this applications domains."
msgstr ""
#: ../gui/polgen.glade:1056
@@ -1873,7 +1873,7 @@ msgid "You must enter a executable"
msgstr ""
#: ../gui/polgengui.py:756 ../gui/system-config-selinux.py:180
-msgid "Configue SELinux"
+msgid "Configure SELinux"
msgstr ""
#: ../gui/portsPage.py:51 ../gui/system-config-selinux.glade:2528
@@ -3722,7 +3722,7 @@ msgstr ""
#: ../sepolicy/sepolicy/generate.py:333
msgid ""
-"Name must be alpha numberic with no spaces. Consider using option \"-n "
+"Name must be alpha numeric with no spaces. Consider using option \"-n "
"MODULENAME\""
msgstr ""
@@ -3948,7 +3948,7 @@ msgstr ""
#: ../sepolicy/sepolicy/sepolicy.glade:826
msgid ""
-"Select Make Path Recursive iff you want to apply this label to all children "
+"Select Make Path Recursive if you want to apply this label to all children "
"of the specified directory path. objects under the directory to have this "
"label."
msgstr ""
diff --git a/policycoreutils/po/ia.po b/policycoreutils/po/ia.po
index ca47314d..a6bd42ea 100644
--- a/policycoreutils/po/ia.po
+++ b/policycoreutils/po/ia.po
@@ -1622,7 +1622,7 @@ msgid "<b>Select existing role to modify:</b>"
msgstr ""
#: ../gui/polgen.glade:908
-msgid "Select the user roles that will transiton to the %s domain."
+msgid "Select the user roles that will transition to the %s domain."
msgstr ""
#: ../gui/polgen.glade:928
@@ -1648,7 +1648,7 @@ msgid "<b>Select the user_roles that will transition to %s:</b>"
msgstr ""
#: ../gui/polgen.glade:1019
-msgid "Select the user roles that will transiton to this applications domains."
+msgid "Select the user roles that will transition to this applications domains."
msgstr ""
#: ../gui/polgen.glade:1056
@@ -1872,7 +1872,7 @@ msgid "You must enter a executable"
msgstr ""
#: ../gui/polgengui.py:756 ../gui/system-config-selinux.py:180
-msgid "Configue SELinux"
+msgid "Configure SELinux"
msgstr ""
#: ../gui/portsPage.py:51 ../gui/system-config-selinux.glade:2528
@@ -3721,7 +3721,7 @@ msgstr ""
#: ../sepolicy/sepolicy/generate.py:333
msgid ""
-"Name must be alpha numberic with no spaces. Consider using option \"-n "
+"Name must be alpha numeric with no spaces. Consider using option \"-n "
"MODULENAME\""
msgstr ""
@@ -3947,7 +3947,7 @@ msgstr ""
#: ../sepolicy/sepolicy/sepolicy.glade:826
msgid ""
-"Select Make Path Recursive iff you want to apply this label to all children "
+"Select Make Path Recursive if you want to apply this label to all children "
"of the specified directory path. objects under the directory to have this "
"label."
msgstr ""
diff --git a/policycoreutils/po/id.po b/policycoreutils/po/id.po
index 8bd451c8..a569be2a 100644
--- a/policycoreutils/po/id.po
+++ b/policycoreutils/po/id.po
@@ -1622,7 +1622,7 @@ msgid "<b>Select existing role to modify:</b>"
msgstr ""
#: ../gui/polgen.glade:908
-msgid "Select the user roles that will transiton to the %s domain."
+msgid "Select the user roles that will transition to the %s domain."
msgstr ""
#: ../gui/polgen.glade:928
@@ -1648,7 +1648,7 @@ msgid "<b>Select the user_roles that will transition to %s:</b>"
msgstr ""
#: ../gui/polgen.glade:1019
-msgid "Select the user roles that will transiton to this applications domains."
+msgid "Select the user roles that will transition to this applications domains."
msgstr ""
#: ../gui/polgen.glade:1056
@@ -1872,7 +1872,7 @@ msgid "You must enter a executable"
msgstr ""
#: ../gui/polgengui.py:756 ../gui/system-config-selinux.py:180
-msgid "Configue SELinux"
+msgid "Configure SELinux"
msgstr ""
#: ../gui/portsPage.py:51 ../gui/system-config-selinux.glade:2528
@@ -3721,7 +3721,7 @@ msgstr ""
#: ../sepolicy/sepolicy/generate.py:333
msgid ""
-"Name must be alpha numberic with no spaces. Consider using option \"-n "
+"Name must be alpha numeric with no spaces. Consider using option \"-n "
"MODULENAME\""
msgstr ""
@@ -3947,7 +3947,7 @@ msgstr ""
#: ../sepolicy/sepolicy/sepolicy.glade:826
msgid ""
-"Select Make Path Recursive iff you want to apply this label to all children "
+"Select Make Path Recursive if you want to apply this label to all children "
"of the specified directory path. objects under the directory to have this "
"label."
msgstr ""
diff --git a/policycoreutils/po/ilo.po b/policycoreutils/po/ilo.po
index 07c416a2..92651005 100644
--- a/policycoreutils/po/ilo.po
+++ b/policycoreutils/po/ilo.po
@@ -1623,7 +1623,7 @@ msgid "<b>Select existing role to modify:</b>"
msgstr ""
#: ../gui/polgen.glade:908
-msgid "Select the user roles that will transiton to the %s domain."
+msgid "Select the user roles that will transition to the %s domain."
msgstr ""
#: ../gui/polgen.glade:928
@@ -1649,7 +1649,7 @@ msgid "<b>Select the user_roles that will transition to %s:</b>"
msgstr ""
#: ../gui/polgen.glade:1019
-msgid "Select the user roles that will transiton to this applications domains."
+msgid "Select the user roles that will transition to this applications domains."
msgstr ""
#: ../gui/polgen.glade:1056
@@ -1873,7 +1873,7 @@ msgid "You must enter a executable"
msgstr ""
#: ../gui/polgengui.py:756 ../gui/system-config-selinux.py:180
-msgid "Configue SELinux"
+msgid "Configure SELinux"
msgstr ""
#: ../gui/portsPage.py:51 ../gui/system-config-selinux.glade:2528
@@ -3722,7 +3722,7 @@ msgstr ""
#: ../sepolicy/sepolicy/generate.py:333
msgid ""
-"Name must be alpha numberic with no spaces. Consider using option \"-n "
+"Name must be alpha numeric with no spaces. Consider using option \"-n "
"MODULENAME\""
msgstr ""
@@ -3948,7 +3948,7 @@ msgstr ""
#: ../sepolicy/sepolicy/sepolicy.glade:826
msgid ""
-"Select Make Path Recursive iff you want to apply this label to all children "
+"Select Make Path Recursive if you want to apply this label to all children "
"of the specified directory path. objects under the directory to have this "
"label."
msgstr ""
diff --git a/policycoreutils/po/is.po b/policycoreutils/po/is.po
index 0ded88a0..dacee22f 100644
--- a/policycoreutils/po/is.po
+++ b/policycoreutils/po/is.po
@@ -1623,7 +1623,7 @@ msgid "<b>Select existing role to modify:</b>"
msgstr ""
#: ../gui/polgen.glade:908
-msgid "Select the user roles that will transiton to the %s domain."
+msgid "Select the user roles that will transition to the %s domain."
msgstr ""
#: ../gui/polgen.glade:928
@@ -1649,7 +1649,7 @@ msgid "<b>Select the user_roles that will transition to %s:</b>"
msgstr ""
#: ../gui/polgen.glade:1019
-msgid "Select the user roles that will transiton to this applications domains."
+msgid "Select the user roles that will transition to this applications domains."
msgstr ""
#: ../gui/polgen.glade:1056
@@ -1873,7 +1873,7 @@ msgid "You must enter a executable"
msgstr ""
#: ../gui/polgengui.py:756 ../gui/system-config-selinux.py:180
-msgid "Configue SELinux"
+msgid "Configure SELinux"
msgstr ""
#: ../gui/portsPage.py:51 ../gui/system-config-selinux.glade:2528
@@ -3722,7 +3722,7 @@ msgstr ""
#: ../sepolicy/sepolicy/generate.py:333
msgid ""
-"Name must be alpha numberic with no spaces. Consider using option \"-n "
+"Name must be alpha numeric with no spaces. Consider using option \"-n "
"MODULENAME\""
msgstr ""
@@ -3948,7 +3948,7 @@ msgstr ""
#: ../sepolicy/sepolicy/sepolicy.glade:826
msgid ""
-"Select Make Path Recursive iff you want to apply this label to all children "
+"Select Make Path Recursive if you want to apply this label to all children "
"of the specified directory path. objects under the directory to have this "
"label."
msgstr ""
diff --git a/policycoreutils/po/it.po b/policycoreutils/po/it.po
index 0ec9bffa..d7ab4a17 100644
--- a/policycoreutils/po/it.po
+++ b/policycoreutils/po/it.po
@@ -1679,7 +1679,7 @@ msgid "<b>Select existing role to modify:</b>"
msgstr "<b>Selezionare una regola esistente da modificare:</b>"
#: ../gui/polgen.glade:908
-msgid "Select the user roles that will transiton to the %s domain."
+msgid "Select the user roles that will transition to the %s domain."
msgstr "Selezionare le regole utente che transiteranno verso il dominio %s."
#: ../gui/polgen.glade:928
@@ -1707,7 +1707,7 @@ msgid "<b>Select the user_roles that will transition to %s:</b>"
msgstr "<b>Selezionare user_roles che transiterà verso %s:</b> "
#: ../gui/polgen.glade:1019
-msgid "Select the user roles that will transiton to this applications domains."
+msgid "Select the user roles that will transition to this applications domains."
msgstr ""
#: ../gui/polgen.glade:1056
@@ -1946,7 +1946,7 @@ msgid "You must enter a executable"
msgstr "Inserire un'eseguibile"
#: ../gui/polgengui.py:756 ../gui/system-config-selinux.py:180
-msgid "Configue SELinux"
+msgid "Configure SELinux"
msgstr "Configurare SELinux"
#: ../gui/portsPage.py:51 ../gui/system-config-selinux.glade:2528
@@ -3986,7 +3986,7 @@ msgstr ""
#: ../sepolicy/sepolicy/generate.py:333
msgid ""
-"Name must be alpha numberic with no spaces. Consider using option \"-n "
+"Name must be alpha numeric with no spaces. Consider using option \"-n "
"MODULENAME\""
msgstr ""
"Il nome deve essere alfanumerico senza spazi. Considerare l'utilizzo "
@@ -4225,7 +4225,7 @@ msgstr ""
#: ../sepolicy/sepolicy/sepolicy.glade:826
msgid ""
-"Select Make Path Recursive iff you want to apply this label to all children "
+"Select Make Path Recursive if you want to apply this label to all children "
"of the specified directory path. objects under the directory to have this "
"label."
msgstr ""
diff --git a/policycoreutils/po/ja.po b/policycoreutils/po/ja.po
index b9487c17..19cf603f 100644
--- a/policycoreutils/po/ja.po
+++ b/policycoreutils/po/ja.po
@@ -1692,7 +1692,7 @@ msgid "<b>Select existing role to modify:</b>"
msgstr "<b>修正ã™ã‚‹æ—¢å­˜ã®ãƒ­ãƒ¼ãƒ«ã‚’é¸æŠž:</b>"
#: ../gui/polgen.glade:908
-msgid "Select the user roles that will transiton to the %s domain."
+msgid "Select the user roles that will transition to the %s domain."
msgstr "%s ドメインã«ç§»è¡Œã™ã‚‹ãƒ¦ãƒ¼ã‚¶ãƒ¼ãƒ­ãƒ¼ãƒ«ã‚’é¸æŠžã—ã¾ã™ã€‚"
#: ../gui/polgen.glade:928
@@ -1720,7 +1720,7 @@ msgid "<b>Select the user_roles that will transition to %s:</b>"
msgstr "<b>%s ã«ç§»è¡Œã™ã‚‹ãƒ¦ãƒ¼ã‚¶ãƒ¼ãƒ­ãƒ¼ãƒ«ã®é¸æŠž (_R):</b>"
#: ../gui/polgen.glade:1019
-msgid "Select the user roles that will transiton to this applications domains."
+msgid "Select the user roles that will transition to this applications domains."
msgstr "ã“ã®ã‚¢ãƒ—リケーションドメインã«ç§»è¡Œã™ã‚‹ãƒ¦ãƒ¼ã‚¶ãƒ¼ãƒ­ãƒ¼ãƒ«ã‚’é¸æŠžã—ã¾ã™"
#: ../gui/polgen.glade:1056
@@ -1960,7 +1960,7 @@ msgid "You must enter a executable"
msgstr "実行ファイルを記入ã™ã‚‹å¿…è¦ãŒã‚ã‚Šã¾ã™"
#: ../gui/polgengui.py:756 ../gui/system-config-selinux.py:180
-msgid "Configue SELinux"
+msgid "Configure SELinux"
msgstr "SELinux ã®è¨­å®š"
#: ../gui/portsPage.py:51 ../gui/system-config-selinux.glade:2528
@@ -4098,7 +4098,7 @@ msgstr "%s å‘ã‘ã®ãƒãƒªã‚·ãƒ¼ãƒ¢ã‚¸ãƒ¥ãƒ¼ãƒ«ã«å¯¾ã™ã‚‹åå‰ã‚’入力ã™ã‚‹
#: ../sepolicy/sepolicy/generate.py:333
msgid ""
-"Name must be alpha numberic with no spaces. Consider using option \"-n "
+"Name must be alpha numeric with no spaces. Consider using option \"-n "
"MODULENAME\""
msgstr ""
"åå‰ã¯ç©ºç™½ã®ç„¡ã„英数字ã§ãªã‘ã‚Œã°ãªã‚Šã¾ã›ã‚“。オプション \"-n モジュールå\" ã®"
@@ -4338,7 +4338,7 @@ msgstr ""
#: ../sepolicy/sepolicy/sepolicy.glade:826
msgid ""
-"Select Make Path Recursive iff you want to apply this label to all children "
+"Select Make Path Recursive if you want to apply this label to all children "
"of the specified directory path. objects under the directory to have this "
"label."
msgstr ""
diff --git a/policycoreutils/po/ka.po b/policycoreutils/po/ka.po
index b6e3ffda..fa516979 100644
--- a/policycoreutils/po/ka.po
+++ b/policycoreutils/po/ka.po
@@ -1623,7 +1623,7 @@ msgid "<b>Select existing role to modify:</b>"
msgstr ""
#: ../gui/polgen.glade:908
-msgid "Select the user roles that will transiton to the %s domain."
+msgid "Select the user roles that will transition to the %s domain."
msgstr ""
#: ../gui/polgen.glade:928
@@ -1649,7 +1649,7 @@ msgid "<b>Select the user_roles that will transition to %s:</b>"
msgstr ""
#: ../gui/polgen.glade:1019
-msgid "Select the user roles that will transiton to this applications domains."
+msgid "Select the user roles that will transition to this applications domains."
msgstr ""
#: ../gui/polgen.glade:1056
@@ -1873,7 +1873,7 @@ msgid "You must enter a executable"
msgstr ""
#: ../gui/polgengui.py:756 ../gui/system-config-selinux.py:180
-msgid "Configue SELinux"
+msgid "Configure SELinux"
msgstr ""
#: ../gui/portsPage.py:51 ../gui/system-config-selinux.glade:2528
@@ -3722,7 +3722,7 @@ msgstr ""
#: ../sepolicy/sepolicy/generate.py:333
msgid ""
-"Name must be alpha numberic with no spaces. Consider using option \"-n "
+"Name must be alpha numeric with no spaces. Consider using option \"-n "
"MODULENAME\""
msgstr ""
@@ -3948,7 +3948,7 @@ msgstr ""
#: ../sepolicy/sepolicy/sepolicy.glade:826
msgid ""
-"Select Make Path Recursive iff you want to apply this label to all children "
+"Select Make Path Recursive if you want to apply this label to all children "
"of the specified directory path. objects under the directory to have this "
"label."
msgstr ""
diff --git a/policycoreutils/po/kk.po b/policycoreutils/po/kk.po
index 1eabf045..32eebf67 100644
--- a/policycoreutils/po/kk.po
+++ b/policycoreutils/po/kk.po
@@ -1623,7 +1623,7 @@ msgid "<b>Select existing role to modify:</b>"
msgstr ""
#: ../gui/polgen.glade:908
-msgid "Select the user roles that will transiton to the %s domain."
+msgid "Select the user roles that will transition to the %s domain."
msgstr ""
#: ../gui/polgen.glade:928
@@ -1649,7 +1649,7 @@ msgid "<b>Select the user_roles that will transition to %s:</b>"
msgstr ""
#: ../gui/polgen.glade:1019
-msgid "Select the user roles that will transiton to this applications domains."
+msgid "Select the user roles that will transition to this applications domains."
msgstr ""
#: ../gui/polgen.glade:1056
@@ -1873,7 +1873,7 @@ msgid "You must enter a executable"
msgstr ""
#: ../gui/polgengui.py:756 ../gui/system-config-selinux.py:180
-msgid "Configue SELinux"
+msgid "Configure SELinux"
msgstr ""
#: ../gui/portsPage.py:51 ../gui/system-config-selinux.glade:2528
@@ -3722,7 +3722,7 @@ msgstr ""
#: ../sepolicy/sepolicy/generate.py:333
msgid ""
-"Name must be alpha numberic with no spaces. Consider using option \"-n "
+"Name must be alpha numeric with no spaces. Consider using option \"-n "
"MODULENAME\""
msgstr ""
@@ -3948,7 +3948,7 @@ msgstr ""
#: ../sepolicy/sepolicy/sepolicy.glade:826
msgid ""
-"Select Make Path Recursive iff you want to apply this label to all children "
+"Select Make Path Recursive if you want to apply this label to all children "
"of the specified directory path. objects under the directory to have this "
"label."
msgstr ""
diff --git a/policycoreutils/po/km.po b/policycoreutils/po/km.po
index e91ea5cf..9fcc6857 100644
--- a/policycoreutils/po/km.po
+++ b/policycoreutils/po/km.po
@@ -1623,7 +1623,7 @@ msgid "<b>Select existing role to modify:</b>"
msgstr ""
#: ../gui/polgen.glade:908
-msgid "Select the user roles that will transiton to the %s domain."
+msgid "Select the user roles that will transition to the %s domain."
msgstr ""
#: ../gui/polgen.glade:928
@@ -1649,7 +1649,7 @@ msgid "<b>Select the user_roles that will transition to %s:</b>"
msgstr ""
#: ../gui/polgen.glade:1019
-msgid "Select the user roles that will transiton to this applications domains."
+msgid "Select the user roles that will transition to this applications domains."
msgstr ""
#: ../gui/polgen.glade:1056
@@ -1873,7 +1873,7 @@ msgid "You must enter a executable"
msgstr ""
#: ../gui/polgengui.py:756 ../gui/system-config-selinux.py:180
-msgid "Configue SELinux"
+msgid "Configure SELinux"
msgstr ""
#: ../gui/portsPage.py:51 ../gui/system-config-selinux.glade:2528
@@ -3722,7 +3722,7 @@ msgstr ""
#: ../sepolicy/sepolicy/generate.py:333
msgid ""
-"Name must be alpha numberic with no spaces. Consider using option \"-n "
+"Name must be alpha numeric with no spaces. Consider using option \"-n "
"MODULENAME\""
msgstr ""
@@ -3948,7 +3948,7 @@ msgstr ""
#: ../sepolicy/sepolicy/sepolicy.glade:826
msgid ""
-"Select Make Path Recursive iff you want to apply this label to all children "
+"Select Make Path Recursive if you want to apply this label to all children "
"of the specified directory path. objects under the directory to have this "
"label."
msgstr ""
diff --git a/policycoreutils/po/kn.po b/policycoreutils/po/kn.po
index a528c7ea..e1a426a0 100644
--- a/policycoreutils/po/kn.po
+++ b/policycoreutils/po/kn.po
@@ -1680,7 +1680,7 @@ msgid "<b>Select existing role to modify:</b>"
msgstr "<b>ಮಾರà³à²ªà²¡à²¿à²¸à²²à³ ಈಗಿರà³à²µ ಪಾತà³à²°à²µà²¨à³à²¨à³ ಆರಿಸಿ:</b>"
#: ../gui/polgen.glade:908
-msgid "Select the user roles that will transiton to the %s domain."
+msgid "Select the user roles that will transition to the %s domain."
msgstr "%s ಡೊಮೈನà³â€Œà²—ೆ ಪರಿವರà³à²¤à²¿à²¤à²—ೊಳà³à²³à³à²µ ಬಳಕೆದಾರ ಪಾತà³à²°à²—ಳನà³à²¨à³ ಆರಿಸಿ."
#: ../gui/polgen.glade:928
@@ -1708,7 +1708,7 @@ msgid "<b>Select the user_roles that will transition to %s:</b>"
msgstr "<b>%s ಗೆ ಪರಿವರà³à²¤à²¿à²¤à²—ೊಳà³à²³à³à²µ ಬಳಕೆದಾರ_ಪಾತà³à²°à²—ಳನà³à²¨à³ ಆರಿಸಿ:</b>"
#: ../gui/polgen.glade:1019
-msgid "Select the user roles that will transiton to this applications domains."
+msgid "Select the user roles that will transition to this applications domains."
msgstr "ಈ ಅನà³à²µà²¯ ಡೊಮೈನà³â€Œà²—ಳಿಗೆ ಪರಿವರà³à²¤à²¿à²¤à²—ೊಳà³à²³à³à²µ ಬಳಕೆದಾರ ಪಾತà³à²°à²—ಳನà³à²¨à³ ಆರಿಸಿ."
#: ../gui/polgen.glade:1056
@@ -1951,7 +1951,7 @@ msgid "You must enter a executable"
msgstr "ನೀವೠಒಂದೠಕಾರà³à²¯à²—ೊಳಿಸಬಹà³à²¦à²¾à²¦à³à²¦à²¨à³à²¨à³ ನಮೂದಿಸಬೇಕà³"
#: ../gui/polgengui.py:756 ../gui/system-config-selinux.py:180
-msgid "Configue SELinux"
+msgid "Configure SELinux"
msgstr "SELinux ಅನà³à²¨à³ ಸಂರಚಿಸà³"
#: ../gui/portsPage.py:51 ../gui/system-config-selinux.glade:2528
@@ -4060,7 +4060,7 @@ msgstr "ನಿಮà³à²® %s ಗಾಗಿನ ಪಾಲಿಸಿ ಮಾಡà³à²¯à³‚
#: ../sepolicy/sepolicy/generate.py:333
msgid ""
-"Name must be alpha numberic with no spaces. Consider using option \"-n "
+"Name must be alpha numeric with no spaces. Consider using option \"-n "
"MODULENAME\""
msgstr ""
"ಹೆಸರೠವರà³à²£à²®à²¾à²²à³† ಮತà³à²¤à³ ಅಂಕೆ ಎರಡನà³à²¨à³‚ ಹೊಂದಿರಬೇಕೠಹಾಗೠಖಾಲಿ ಜಾಗಗಳಿರಬಾರದà³. \"-n "
@@ -4301,7 +4301,7 @@ msgstr ""
#: ../sepolicy/sepolicy/sepolicy.glade:826
msgid ""
-"Select Make Path Recursive iff you want to apply this label to all children "
+"Select Make Path Recursive if you want to apply this label to all children "
"of the specified directory path. objects under the directory to have this "
"label."
msgstr ""
diff --git a/policycoreutils/po/ko.po b/policycoreutils/po/ko.po
index 49c34e50..9e00978c 100644
--- a/policycoreutils/po/ko.po
+++ b/policycoreutils/po/ko.po
@@ -1669,7 +1669,7 @@ msgid "<b>Select existing role to modify:</b>"
msgstr "<b>수정할 기존 ì—­í•  ì„ íƒ:</b>"
#: ../gui/polgen.glade:908
-msgid "Select the user roles that will transiton to the %s domain."
+msgid "Select the user roles that will transition to the %s domain."
msgstr "%s ë„ë©”ì¸ìœ¼ë¡œ 전환할 ì‚¬ìš©ìž ì—­í• ì„ ì„ íƒí•©ë‹ˆë‹¤."
#: ../gui/polgen.glade:928
@@ -1697,7 +1697,7 @@ msgid "<b>Select the user_roles that will transition to %s:</b>"
msgstr "<b>%së¡œ 전환할 ì‚¬ìš©ìž ì—­í• ì„ ì„ íƒ(_R):</b>"
#: ../gui/polgen.glade:1019
-msgid "Select the user roles that will transiton to this applications domains."
+msgid "Select the user roles that will transition to this applications domains."
msgstr "ì´ ì• í”Œë¦¬ì¼€ì´ì…˜ ë„ë©”ì¸ìœ¼ë¡œ 전환할 ì‚¬ìš©ìž ì—­í• ì„ ì„ íƒí•©ë‹ˆë‹¤."
#: ../gui/polgen.glade:1056
@@ -1935,7 +1935,7 @@ msgid "You must enter a executable"
msgstr "실행 파ì¼ì„ 입력해야 합니다"
#: ../gui/polgengui.py:756 ../gui/system-config-selinux.py:180
-msgid "Configue SELinux"
+msgid "Configure SELinux"
msgstr "SELinux 설정 "
#: ../gui/portsPage.py:51 ../gui/system-config-selinux.glade:2528
@@ -4018,7 +4018,7 @@ msgstr "%sì— í•´ë‹¹í•˜ëŠ” ì •ì±… 모듈 ì´ë¦„ì„ ìž…ë ¥í•´ì•¼ 합니다 "
#: ../sepolicy/sepolicy/generate.py:333
msgid ""
-"Name must be alpha numberic with no spaces. Consider using option \"-n "
+"Name must be alpha numeric with no spaces. Consider using option \"-n "
"MODULENAME\""
msgstr ""
"ì´ë¦„ì€ ê³µë°±ì´ ì—†ëŠ” ì˜ë¬¸ 숫ìžë¡œ 구성ë˜ì–´ì•¼ 합니다. \"-n MODULENAME\" ì˜µì…˜ì˜ ì‚¬"
@@ -4255,7 +4255,7 @@ msgstr ""
#: ../sepolicy/sepolicy/sepolicy.glade:826
msgid ""
-"Select Make Path Recursive iff you want to apply this label to all children "
+"Select Make Path Recursive if you want to apply this label to all children "
"of the specified directory path. objects under the directory to have this "
"label."
msgstr ""
diff --git a/policycoreutils/po/ks.po b/policycoreutils/po/ks.po
index 59c9404f..0e2cbb95 100644
--- a/policycoreutils/po/ks.po
+++ b/policycoreutils/po/ks.po
@@ -1623,7 +1623,7 @@ msgid "<b>Select existing role to modify:</b>"
msgstr ""
#: ../gui/polgen.glade:908
-msgid "Select the user roles that will transiton to the %s domain."
+msgid "Select the user roles that will transition to the %s domain."
msgstr ""
#: ../gui/polgen.glade:928
@@ -1649,7 +1649,7 @@ msgid "<b>Select the user_roles that will transition to %s:</b>"
msgstr ""
#: ../gui/polgen.glade:1019
-msgid "Select the user roles that will transiton to this applications domains."
+msgid "Select the user roles that will transition to this applications domains."
msgstr ""
#: ../gui/polgen.glade:1056
@@ -1873,7 +1873,7 @@ msgid "You must enter a executable"
msgstr ""
#: ../gui/polgengui.py:756 ../gui/system-config-selinux.py:180
-msgid "Configue SELinux"
+msgid "Configure SELinux"
msgstr ""
#: ../gui/portsPage.py:51 ../gui/system-config-selinux.glade:2528
@@ -3722,7 +3722,7 @@ msgstr ""
#: ../sepolicy/sepolicy/generate.py:333
msgid ""
-"Name must be alpha numberic with no spaces. Consider using option \"-n "
+"Name must be alpha numeric with no spaces. Consider using option \"-n "
"MODULENAME\""
msgstr ""
@@ -3948,7 +3948,7 @@ msgstr ""
#: ../sepolicy/sepolicy/sepolicy.glade:826
msgid ""
-"Select Make Path Recursive iff you want to apply this label to all children "
+"Select Make Path Recursive if you want to apply this label to all children "
"of the specified directory path. objects under the directory to have this "
"label."
msgstr ""
diff --git a/policycoreutils/po/ku.po b/policycoreutils/po/ku.po
index 9d9f1df4..ee99d9fc 100644
--- a/policycoreutils/po/ku.po
+++ b/policycoreutils/po/ku.po
@@ -1623,7 +1623,7 @@ msgid "<b>Select existing role to modify:</b>"
msgstr ""
#: ../gui/polgen.glade:908
-msgid "Select the user roles that will transiton to the %s domain."
+msgid "Select the user roles that will transition to the %s domain."
msgstr ""
#: ../gui/polgen.glade:928
@@ -1649,7 +1649,7 @@ msgid "<b>Select the user_roles that will transition to %s:</b>"
msgstr ""
#: ../gui/polgen.glade:1019
-msgid "Select the user roles that will transiton to this applications domains."
+msgid "Select the user roles that will transition to this applications domains."
msgstr ""
#: ../gui/polgen.glade:1056
@@ -1873,7 +1873,7 @@ msgid "You must enter a executable"
msgstr ""
#: ../gui/polgengui.py:756 ../gui/system-config-selinux.py:180
-msgid "Configue SELinux"
+msgid "Configure SELinux"
msgstr ""
#: ../gui/portsPage.py:51 ../gui/system-config-selinux.glade:2528
@@ -3722,7 +3722,7 @@ msgstr ""
#: ../sepolicy/sepolicy/generate.py:333
msgid ""
-"Name must be alpha numberic with no spaces. Consider using option \"-n "
+"Name must be alpha numeric with no spaces. Consider using option \"-n "
"MODULENAME\""
msgstr ""
@@ -3948,7 +3948,7 @@ msgstr ""
#: ../sepolicy/sepolicy/sepolicy.glade:826
msgid ""
-"Select Make Path Recursive iff you want to apply this label to all children "
+"Select Make Path Recursive if you want to apply this label to all children "
"of the specified directory path. objects under the directory to have this "
"label."
msgstr ""
diff --git a/policycoreutils/po/ky.po b/policycoreutils/po/ky.po
index c5fdd2f0..925ea8a6 100644
--- a/policycoreutils/po/ky.po
+++ b/policycoreutils/po/ky.po
@@ -1623,7 +1623,7 @@ msgid "<b>Select existing role to modify:</b>"
msgstr ""
#: ../gui/polgen.glade:908
-msgid "Select the user roles that will transiton to the %s domain."
+msgid "Select the user roles that will transition to the %s domain."
msgstr ""
#: ../gui/polgen.glade:928
@@ -1649,7 +1649,7 @@ msgid "<b>Select the user_roles that will transition to %s:</b>"
msgstr ""
#: ../gui/polgen.glade:1019
-msgid "Select the user roles that will transiton to this applications domains."
+msgid "Select the user roles that will transition to this applications domains."
msgstr ""
#: ../gui/polgen.glade:1056
@@ -1873,7 +1873,7 @@ msgid "You must enter a executable"
msgstr ""
#: ../gui/polgengui.py:756 ../gui/system-config-selinux.py:180
-msgid "Configue SELinux"
+msgid "Configure SELinux"
msgstr ""
#: ../gui/portsPage.py:51 ../gui/system-config-selinux.glade:2528
@@ -3722,7 +3722,7 @@ msgstr ""
#: ../sepolicy/sepolicy/generate.py:333
msgid ""
-"Name must be alpha numberic with no spaces. Consider using option \"-n "
+"Name must be alpha numeric with no spaces. Consider using option \"-n "
"MODULENAME\""
msgstr ""
@@ -3948,7 +3948,7 @@ msgstr ""
#: ../sepolicy/sepolicy/sepolicy.glade:826
msgid ""
-"Select Make Path Recursive iff you want to apply this label to all children "
+"Select Make Path Recursive if you want to apply this label to all children "
"of the specified directory path. objects under the directory to have this "
"label."
msgstr ""
diff --git a/policycoreutils/po/la.po b/policycoreutils/po/la.po
index dc61a425..92a3213e 100644
--- a/policycoreutils/po/la.po
+++ b/policycoreutils/po/la.po
@@ -1623,7 +1623,7 @@ msgid "<b>Select existing role to modify:</b>"
msgstr ""
#: ../gui/polgen.glade:908
-msgid "Select the user roles that will transiton to the %s domain."
+msgid "Select the user roles that will transition to the %s domain."
msgstr ""
#: ../gui/polgen.glade:928
@@ -1649,7 +1649,7 @@ msgid "<b>Select the user_roles that will transition to %s:</b>"
msgstr ""
#: ../gui/polgen.glade:1019
-msgid "Select the user roles that will transiton to this applications domains."
+msgid "Select the user roles that will transition to this applications domains."
msgstr ""
#: ../gui/polgen.glade:1056
@@ -1873,7 +1873,7 @@ msgid "You must enter a executable"
msgstr ""
#: ../gui/polgengui.py:756 ../gui/system-config-selinux.py:180
-msgid "Configue SELinux"
+msgid "Configure SELinux"
msgstr ""
#: ../gui/portsPage.py:51 ../gui/system-config-selinux.glade:2528
@@ -3722,7 +3722,7 @@ msgstr ""
#: ../sepolicy/sepolicy/generate.py:333
msgid ""
-"Name must be alpha numberic with no spaces. Consider using option \"-n "
+"Name must be alpha numeric with no spaces. Consider using option \"-n "
"MODULENAME\""
msgstr ""
@@ -3948,7 +3948,7 @@ msgstr ""
#: ../sepolicy/sepolicy/sepolicy.glade:826
msgid ""
-"Select Make Path Recursive iff you want to apply this label to all children "
+"Select Make Path Recursive if you want to apply this label to all children "
"of the specified directory path. objects under the directory to have this "
"label."
msgstr ""
diff --git a/policycoreutils/po/lo.po b/policycoreutils/po/lo.po
index 91003c83..fa05b70d 100644
--- a/policycoreutils/po/lo.po
+++ b/policycoreutils/po/lo.po
@@ -1623,7 +1623,7 @@ msgid "<b>Select existing role to modify:</b>"
msgstr ""
#: ../gui/polgen.glade:908
-msgid "Select the user roles that will transiton to the %s domain."
+msgid "Select the user roles that will transition to the %s domain."
msgstr ""
#: ../gui/polgen.glade:928
@@ -1649,7 +1649,7 @@ msgid "<b>Select the user_roles that will transition to %s:</b>"
msgstr ""
#: ../gui/polgen.glade:1019
-msgid "Select the user roles that will transiton to this applications domains."
+msgid "Select the user roles that will transition to this applications domains."
msgstr ""
#: ../gui/polgen.glade:1056
@@ -1873,7 +1873,7 @@ msgid "You must enter a executable"
msgstr ""
#: ../gui/polgengui.py:756 ../gui/system-config-selinux.py:180
-msgid "Configue SELinux"
+msgid "Configure SELinux"
msgstr ""
#: ../gui/portsPage.py:51 ../gui/system-config-selinux.glade:2528
@@ -3722,7 +3722,7 @@ msgstr ""
#: ../sepolicy/sepolicy/generate.py:333
msgid ""
-"Name must be alpha numberic with no spaces. Consider using option \"-n "
+"Name must be alpha numeric with no spaces. Consider using option \"-n "
"MODULENAME\""
msgstr ""
@@ -3948,7 +3948,7 @@ msgstr ""
#: ../sepolicy/sepolicy/sepolicy.glade:826
msgid ""
-"Select Make Path Recursive iff you want to apply this label to all children "
+"Select Make Path Recursive if you want to apply this label to all children "
"of the specified directory path. objects under the directory to have this "
"label."
msgstr ""
diff --git a/policycoreutils/po/lt.po b/policycoreutils/po/lt.po
index c8110753..1d77779b 100644
--- a/policycoreutils/po/lt.po
+++ b/policycoreutils/po/lt.po
@@ -1624,7 +1624,7 @@ msgid "<b>Select existing role to modify:</b>"
msgstr ""
#: ../gui/polgen.glade:908
-msgid "Select the user roles that will transiton to the %s domain."
+msgid "Select the user roles that will transition to the %s domain."
msgstr ""
#: ../gui/polgen.glade:928
@@ -1650,7 +1650,7 @@ msgid "<b>Select the user_roles that will transition to %s:</b>"
msgstr ""
#: ../gui/polgen.glade:1019
-msgid "Select the user roles that will transiton to this applications domains."
+msgid "Select the user roles that will transition to this applications domains."
msgstr ""
#: ../gui/polgen.glade:1056
@@ -1874,7 +1874,7 @@ msgid "You must enter a executable"
msgstr ""
#: ../gui/polgengui.py:756 ../gui/system-config-selinux.py:180
-msgid "Configue SELinux"
+msgid "Configure SELinux"
msgstr ""
#: ../gui/portsPage.py:51 ../gui/system-config-selinux.glade:2528
@@ -3723,7 +3723,7 @@ msgstr ""
#: ../sepolicy/sepolicy/generate.py:333
msgid ""
-"Name must be alpha numberic with no spaces. Consider using option \"-n "
+"Name must be alpha numeric with no spaces. Consider using option \"-n "
"MODULENAME\""
msgstr ""
@@ -3949,7 +3949,7 @@ msgstr ""
#: ../sepolicy/sepolicy/sepolicy.glade:826
msgid ""
-"Select Make Path Recursive iff you want to apply this label to all children "
+"Select Make Path Recursive if you want to apply this label to all children "
"of the specified directory path. objects under the directory to have this "
"label."
msgstr ""
diff --git a/policycoreutils/po/lt_LT.po b/policycoreutils/po/lt_LT.po
index 3eebb68c..3f69e408 100644
--- a/policycoreutils/po/lt_LT.po
+++ b/policycoreutils/po/lt_LT.po
@@ -1624,7 +1624,7 @@ msgid "<b>Select existing role to modify:</b>"
msgstr ""
#: ../gui/polgen.glade:908
-msgid "Select the user roles that will transiton to the %s domain."
+msgid "Select the user roles that will transition to the %s domain."
msgstr ""
#: ../gui/polgen.glade:928
@@ -1650,7 +1650,7 @@ msgid "<b>Select the user_roles that will transition to %s:</b>"
msgstr ""
#: ../gui/polgen.glade:1019
-msgid "Select the user roles that will transiton to this applications domains."
+msgid "Select the user roles that will transition to this applications domains."
msgstr ""
#: ../gui/polgen.glade:1056
@@ -1874,7 +1874,7 @@ msgid "You must enter a executable"
msgstr ""
#: ../gui/polgengui.py:756 ../gui/system-config-selinux.py:180
-msgid "Configue SELinux"
+msgid "Configure SELinux"
msgstr ""
#: ../gui/portsPage.py:51 ../gui/system-config-selinux.glade:2528
@@ -3723,7 +3723,7 @@ msgstr ""
#: ../sepolicy/sepolicy/generate.py:333
msgid ""
-"Name must be alpha numberic with no spaces. Consider using option \"-n "
+"Name must be alpha numeric with no spaces. Consider using option \"-n "
"MODULENAME\""
msgstr ""
@@ -3949,7 +3949,7 @@ msgstr ""
#: ../sepolicy/sepolicy/sepolicy.glade:826
msgid ""
-"Select Make Path Recursive iff you want to apply this label to all children "
+"Select Make Path Recursive if you want to apply this label to all children "
"of the specified directory path. objects under the directory to have this "
"label."
msgstr ""
diff --git a/policycoreutils/po/lv.po b/policycoreutils/po/lv.po
index 6bb48a3f..c7e1b459 100644
--- a/policycoreutils/po/lv.po
+++ b/policycoreutils/po/lv.po
@@ -1624,7 +1624,7 @@ msgid "<b>Select existing role to modify:</b>"
msgstr ""
#: ../gui/polgen.glade:908
-msgid "Select the user roles that will transiton to the %s domain."
+msgid "Select the user roles that will transition to the %s domain."
msgstr ""
#: ../gui/polgen.glade:928
@@ -1650,7 +1650,7 @@ msgid "<b>Select the user_roles that will transition to %s:</b>"
msgstr ""
#: ../gui/polgen.glade:1019
-msgid "Select the user roles that will transiton to this applications domains."
+msgid "Select the user roles that will transition to this applications domains."
msgstr ""
#: ../gui/polgen.glade:1056
@@ -1874,7 +1874,7 @@ msgid "You must enter a executable"
msgstr ""
#: ../gui/polgengui.py:756 ../gui/system-config-selinux.py:180
-msgid "Configue SELinux"
+msgid "Configure SELinux"
msgstr ""
#: ../gui/portsPage.py:51 ../gui/system-config-selinux.glade:2528
@@ -3723,7 +3723,7 @@ msgstr ""
#: ../sepolicy/sepolicy/generate.py:333
msgid ""
-"Name must be alpha numberic with no spaces. Consider using option \"-n "
+"Name must be alpha numeric with no spaces. Consider using option \"-n "
"MODULENAME\""
msgstr ""
@@ -3949,7 +3949,7 @@ msgstr ""
#: ../sepolicy/sepolicy/sepolicy.glade:826
msgid ""
-"Select Make Path Recursive iff you want to apply this label to all children "
+"Select Make Path Recursive if you want to apply this label to all children "
"of the specified directory path. objects under the directory to have this "
"label."
msgstr ""
diff --git a/policycoreutils/po/lv_LV.po b/policycoreutils/po/lv_LV.po
index e5c37993..5b2afd22 100644
--- a/policycoreutils/po/lv_LV.po
+++ b/policycoreutils/po/lv_LV.po
@@ -1624,7 +1624,7 @@ msgid "<b>Select existing role to modify:</b>"
msgstr ""
#: ../gui/polgen.glade:908
-msgid "Select the user roles that will transiton to the %s domain."
+msgid "Select the user roles that will transition to the %s domain."
msgstr ""
#: ../gui/polgen.glade:928
@@ -1650,7 +1650,7 @@ msgid "<b>Select the user_roles that will transition to %s:</b>"
msgstr ""
#: ../gui/polgen.glade:1019
-msgid "Select the user roles that will transiton to this applications domains."
+msgid "Select the user roles that will transition to this applications domains."
msgstr ""
#: ../gui/polgen.glade:1056
@@ -1874,7 +1874,7 @@ msgid "You must enter a executable"
msgstr ""
#: ../gui/polgengui.py:756 ../gui/system-config-selinux.py:180
-msgid "Configue SELinux"
+msgid "Configure SELinux"
msgstr ""
#: ../gui/portsPage.py:51 ../gui/system-config-selinux.glade:2528
@@ -3723,7 +3723,7 @@ msgstr ""
#: ../sepolicy/sepolicy/generate.py:333
msgid ""
-"Name must be alpha numberic with no spaces. Consider using option \"-n "
+"Name must be alpha numeric with no spaces. Consider using option \"-n "
"MODULENAME\""
msgstr ""
@@ -3949,7 +3949,7 @@ msgstr ""
#: ../sepolicy/sepolicy/sepolicy.glade:826
msgid ""
-"Select Make Path Recursive iff you want to apply this label to all children "
+"Select Make Path Recursive if you want to apply this label to all children "
"of the specified directory path. objects under the directory to have this "
"label."
msgstr ""
diff --git a/policycoreutils/po/mai.po b/policycoreutils/po/mai.po
index 63e9b9aa..d137fe36 100644
--- a/policycoreutils/po/mai.po
+++ b/policycoreutils/po/mai.po
@@ -1627,7 +1627,7 @@ msgid "<b>Select existing role to modify:</b>"
msgstr ""
#: ../gui/polgen.glade:908
-msgid "Select the user roles that will transiton to the %s domain."
+msgid "Select the user roles that will transition to the %s domain."
msgstr ""
#: ../gui/polgen.glade:928
@@ -1653,7 +1653,7 @@ msgid "<b>Select the user_roles that will transition to %s:</b>"
msgstr ""
#: ../gui/polgen.glade:1019
-msgid "Select the user roles that will transiton to this applications domains."
+msgid "Select the user roles that will transition to this applications domains."
msgstr ""
#: ../gui/polgen.glade:1056
@@ -1877,7 +1877,7 @@ msgid "You must enter a executable"
msgstr ""
#: ../gui/polgengui.py:756 ../gui/system-config-selinux.py:180
-msgid "Configue SELinux"
+msgid "Configure SELinux"
msgstr ""
#: ../gui/portsPage.py:51 ../gui/system-config-selinux.glade:2528
@@ -3726,7 +3726,7 @@ msgstr ""
#: ../sepolicy/sepolicy/generate.py:333
msgid ""
-"Name must be alpha numberic with no spaces. Consider using option \"-n "
+"Name must be alpha numeric with no spaces. Consider using option \"-n "
"MODULENAME\""
msgstr ""
@@ -3952,7 +3952,7 @@ msgstr ""
#: ../sepolicy/sepolicy/sepolicy.glade:826
msgid ""
-"Select Make Path Recursive iff you want to apply this label to all children "
+"Select Make Path Recursive if you want to apply this label to all children "
"of the specified directory path. objects under the directory to have this "
"label."
msgstr ""
diff --git a/policycoreutils/po/mg.po b/policycoreutils/po/mg.po
index 4192aec8..45b508a7 100644
--- a/policycoreutils/po/mg.po
+++ b/policycoreutils/po/mg.po
@@ -1623,7 +1623,7 @@ msgid "<b>Select existing role to modify:</b>"
msgstr ""
#: ../gui/polgen.glade:908
-msgid "Select the user roles that will transiton to the %s domain."
+msgid "Select the user roles that will transition to the %s domain."
msgstr ""
#: ../gui/polgen.glade:928
@@ -1649,7 +1649,7 @@ msgid "<b>Select the user_roles that will transition to %s:</b>"
msgstr ""
#: ../gui/polgen.glade:1019
-msgid "Select the user roles that will transiton to this applications domains."
+msgid "Select the user roles that will transition to this applications domains."
msgstr ""
#: ../gui/polgen.glade:1056
@@ -1873,7 +1873,7 @@ msgid "You must enter a executable"
msgstr ""
#: ../gui/polgengui.py:756 ../gui/system-config-selinux.py:180
-msgid "Configue SELinux"
+msgid "Configure SELinux"
msgstr ""
#: ../gui/portsPage.py:51 ../gui/system-config-selinux.glade:2528
@@ -3722,7 +3722,7 @@ msgstr ""
#: ../sepolicy/sepolicy/generate.py:333
msgid ""
-"Name must be alpha numberic with no spaces. Consider using option \"-n "
+"Name must be alpha numeric with no spaces. Consider using option \"-n "
"MODULENAME\""
msgstr ""
@@ -3948,7 +3948,7 @@ msgstr ""
#: ../sepolicy/sepolicy/sepolicy.glade:826
msgid ""
-"Select Make Path Recursive iff you want to apply this label to all children "
+"Select Make Path Recursive if you want to apply this label to all children "
"of the specified directory path. objects under the directory to have this "
"label."
msgstr ""
diff --git a/policycoreutils/po/mk.po b/policycoreutils/po/mk.po
index 9e58dcd8..fe6e114c 100644
--- a/policycoreutils/po/mk.po
+++ b/policycoreutils/po/mk.po
@@ -1638,7 +1638,7 @@ msgid "<b>Select existing role to modify:</b>"
msgstr ""
#: ../gui/polgen.glade:908
-msgid "Select the user roles that will transiton to the %s domain."
+msgid "Select the user roles that will transition to the %s domain."
msgstr ""
#: ../gui/polgen.glade:928
@@ -1664,7 +1664,7 @@ msgid "<b>Select the user_roles that will transition to %s:</b>"
msgstr ""
#: ../gui/polgen.glade:1019
-msgid "Select the user roles that will transiton to this applications domains."
+msgid "Select the user roles that will transition to this applications domains."
msgstr ""
#: ../gui/polgen.glade:1056
@@ -1888,7 +1888,7 @@ msgid "You must enter a executable"
msgstr ""
#: ../gui/polgengui.py:756 ../gui/system-config-selinux.py:180
-msgid "Configue SELinux"
+msgid "Configure SELinux"
msgstr ""
#: ../gui/portsPage.py:51 ../gui/system-config-selinux.glade:2528
@@ -3737,7 +3737,7 @@ msgstr ""
#: ../sepolicy/sepolicy/generate.py:333
msgid ""
-"Name must be alpha numberic with no spaces. Consider using option \"-n "
+"Name must be alpha numeric with no spaces. Consider using option \"-n "
"MODULENAME\""
msgstr ""
@@ -3963,7 +3963,7 @@ msgstr ""
#: ../sepolicy/sepolicy/sepolicy.glade:826
msgid ""
-"Select Make Path Recursive iff you want to apply this label to all children "
+"Select Make Path Recursive if you want to apply this label to all children "
"of the specified directory path. objects under the directory to have this "
"label."
msgstr ""
diff --git a/policycoreutils/po/ml.po b/policycoreutils/po/ml.po
index dc07ee84..e1b12709 100644
--- a/policycoreutils/po/ml.po
+++ b/policycoreutils/po/ml.po
@@ -1664,7 +1664,7 @@ msgid "<b>Select existing role to modify:</b>"
msgstr "<b>മാറàµà´±à´‚ വരàµà´¤àµà´¤àµà´¨àµà´¨à´¤à´¿à´¨à´¾à´¯à´¿ നിലവിലàµà´³àµà´³àµŠà´°àµ നിയമനം തെരഞàµà´žàµ†à´Ÿàµà´•àµà´•àµà´•:</b>"
#: ../gui/polgen.glade:908
-msgid "Select the user roles that will transiton to the %s domain."
+msgid "Select the user roles that will transition to the %s domain."
msgstr "%s ഡൊമെയിനിലേകàµà´•àµ ഉപയോകàµà´¤à´¾à´µà´¿à´¨àµà´±àµ† à´à´¤àµ†à´²àµà´²à´¾à´‚ ജോലികളàµâ€ മാറàµà´¨àµà´¨àµ à´Žà´¨àµà´¨àµàµ തെരഞàµà´žàµ†à´Ÿàµà´•àµà´•àµà´•."
#: ../gui/polgen.glade:928
@@ -1692,7 +1692,7 @@ msgid "<b>Select the user_roles that will transition to %s:</b>"
msgstr "<b>%s മാറàµà´¨àµà´¨ ഉപയോകàµà´¤à´¾à´µà´¿à´¨àµà´±àµ† നിയമനങàµà´™à´³àµâ€ തെരഞàµà´žàµ†à´Ÿàµà´•àµà´•àµà´•.:</b>"
#: ../gui/polgen.glade:1019
-msgid "Select the user roles that will transiton to this applications domains."
+msgid "Select the user roles that will transition to this applications domains."
msgstr ""
"ഉപയോകàµà´¤à´¾à´µàµ à´à´¤àµ ജോലികളിലàµâ€ നിനàµà´¨àµà´‚ à´ˆ à´ªàµà´°à´¯àµ‹à´—à´™àµà´™à´³àµà´Ÿàµ† ഡൊമെയിനàµà´•à´³à´¿à´²àµ‡à´•àµà´•àµ മാറàµà´¨àµà´¨àµ à´Žà´¨àµà´¨àµ തിരഞàµà´žàµ†à´Ÿàµà´•àµà´•àµà´•"
@@ -1933,7 +1933,7 @@ msgid "You must enter a executable"
msgstr "à´ªàµà´°à´µà´°àµâ€à´¤àµà´¤à´¨à´¤àµà´¤à´¿à´²àµà´³àµà´³à´¤àµ പറഞàµà´žà´¿à´°à´¿à´•àµà´•à´£à´‚"
#: ../gui/polgengui.py:756 ../gui/system-config-selinux.py:180
-msgid "Configue SELinux"
+msgid "Configure SELinux"
msgstr "SELinux à´•àµà´°à´®à´¿à´•à´°à´¿à´•àµà´•àµà´•"
#: ../gui/portsPage.py:51 ../gui/system-config-selinux.glade:2528
@@ -4025,7 +4025,7 @@ msgstr "നിങàµà´™à´³àµà´Ÿàµ† %s-à´¨àµà´³àµà´³ പോളിസി ഘട
#: ../sepolicy/sepolicy/generate.py:333
msgid ""
-"Name must be alpha numberic with no spaces. Consider using option \"-n "
+"Name must be alpha numeric with no spaces. Consider using option \"-n "
"MODULENAME\""
msgstr ""
"പേരിലàµâ€ à´¸àµà´ªàµ†à´¯à´¿à´¸àµà´•à´³à´¿à´²àµà´²à´¾à´¤àµ† ആലàµâ€à´«à´¾ à´¨àµà´¯àµ‚മെറികൠഅകàµà´·à´°à´™àµà´™à´³àµâ€ നലàµâ€à´•àµà´•. \"-n MODULENAME\" à´à´šàµà´›à´¿à´•à´‚ "
@@ -4265,7 +4265,7 @@ msgstr ""
#: ../sepolicy/sepolicy/sepolicy.glade:826
msgid ""
-"Select Make Path Recursive iff you want to apply this label to all children "
+"Select Make Path Recursive if you want to apply this label to all children "
"of the specified directory path. objects under the directory to have this "
"label."
msgstr ""
diff --git a/policycoreutils/po/mn.po b/policycoreutils/po/mn.po
index 9d1342bc..7040ba44 100644
--- a/policycoreutils/po/mn.po
+++ b/policycoreutils/po/mn.po
@@ -1623,7 +1623,7 @@ msgid "<b>Select existing role to modify:</b>"
msgstr ""
#: ../gui/polgen.glade:908
-msgid "Select the user roles that will transiton to the %s domain."
+msgid "Select the user roles that will transition to the %s domain."
msgstr ""
#: ../gui/polgen.glade:928
@@ -1649,7 +1649,7 @@ msgid "<b>Select the user_roles that will transition to %s:</b>"
msgstr ""
#: ../gui/polgen.glade:1019
-msgid "Select the user roles that will transiton to this applications domains."
+msgid "Select the user roles that will transition to this applications domains."
msgstr ""
#: ../gui/polgen.glade:1056
@@ -1873,7 +1873,7 @@ msgid "You must enter a executable"
msgstr ""
#: ../gui/polgengui.py:756 ../gui/system-config-selinux.py:180
-msgid "Configue SELinux"
+msgid "Configure SELinux"
msgstr ""
#: ../gui/portsPage.py:51 ../gui/system-config-selinux.glade:2528
@@ -3722,7 +3722,7 @@ msgstr ""
#: ../sepolicy/sepolicy/generate.py:333
msgid ""
-"Name must be alpha numberic with no spaces. Consider using option \"-n "
+"Name must be alpha numeric with no spaces. Consider using option \"-n "
"MODULENAME\""
msgstr ""
@@ -3948,7 +3948,7 @@ msgstr ""
#: ../sepolicy/sepolicy/sepolicy.glade:826
msgid ""
-"Select Make Path Recursive iff you want to apply this label to all children "
+"Select Make Path Recursive if you want to apply this label to all children "
"of the specified directory path. objects under the directory to have this "
"label."
msgstr ""
diff --git a/policycoreutils/po/mr.po b/policycoreutils/po/mr.po
index cfc3b88c..fe3758db 100644
--- a/policycoreutils/po/mr.po
+++ b/policycoreutils/po/mr.po
@@ -1668,7 +1668,7 @@ msgid "<b>Select existing role to modify:</b>"
msgstr "<b>संपादनकरीता असà¥à¤¤à¤¿à¤¤à¥à¤µà¤¾à¤¤à¥€à¤² भूमिका पसंत करा:</b>"
#: ../gui/polgen.glade:908
-msgid "Select the user roles that will transiton to the %s domain."
+msgid "Select the user roles that will transition to the %s domain."
msgstr "%s डोमेनकरीता सà¥à¤¥à¤¾à¤¨à¤¾à¤‚तर करणà¥à¤¯à¤¾à¤œà¥‹à¤—ी वापरकरà¥à¤¤à¤¾ भूमिकाची नीवड करा."
#: ../gui/polgen.glade:928
@@ -1696,7 +1696,7 @@ msgid "<b>Select the user_roles that will transition to %s:</b>"
msgstr "<b>%s करीता सà¥à¤¥à¤¾à¤¨à¤¾à¤‚तरनजोगी user_roles ची नीवड करा:</b>"
#: ../gui/polgen.glade:1019
-msgid "Select the user roles that will transiton to this applications domains."
+msgid "Select the user roles that will transition to this applications domains."
msgstr "या ॲपà¥à¤²à¤¿à¤•à¥‡à¤¶à¤¨ डोमेनकरीता सà¥à¤¥à¤¾à¤¨à¤¾à¤‚तरन करणà¥à¤¯à¤¾à¤œà¥‹à¤—ी वापरकरà¥à¤¤à¤¾ भूमिका निवडा."
#: ../gui/polgen.glade:1056
@@ -1936,7 +1936,7 @@ msgid "You must enter a executable"
msgstr "à¤à¤•à¥à¤œà¥€à¤•à¥à¤¯à¥‚टेबल देणे आवशà¥à¤¯à¤•"
#: ../gui/polgengui.py:756 ../gui/system-config-selinux.py:180
-msgid "Configue SELinux"
+msgid "Configure SELinux"
msgstr "SELinux संरचीत करा"
#: ../gui/portsPage.py:51 ../gui/system-config-selinux.glade:2528
@@ -3968,7 +3968,7 @@ msgstr "%sचà¥à¤¯à¤¾ धोरण मॉडà¥à¤¯à¥à¤²à¤•à¤°à¥€à¤¤à¤¾ नाà
#: ../sepolicy/sepolicy/generate.py:333
msgid ""
-"Name must be alpha numberic with no spaces. Consider using option \"-n "
+"Name must be alpha numeric with no spaces. Consider using option \"-n "
"MODULENAME\""
msgstr ""
"विना मोकळी जागा नाव अलà¥à¤«à¤¾ नà¥à¤¯à¥à¤®à¥‡à¤°à¤¿à¤• असायला पाहिजे. परà¥à¤¯à¤¾à¤¯ \"-n MODULENAME\" याचा "
@@ -4208,7 +4208,7 @@ msgstr ""
#: ../sepolicy/sepolicy/sepolicy.glade:826
msgid ""
-"Select Make Path Recursive iff you want to apply this label to all children "
+"Select Make Path Recursive if you want to apply this label to all children "
"of the specified directory path. objects under the directory to have this "
"label."
msgstr ""
diff --git a/policycoreutils/po/ms.po b/policycoreutils/po/ms.po
index 4b2f2107..7de7fa0c 100644
--- a/policycoreutils/po/ms.po
+++ b/policycoreutils/po/ms.po
@@ -1623,7 +1623,7 @@ msgid "<b>Select existing role to modify:</b>"
msgstr ""
#: ../gui/polgen.glade:908
-msgid "Select the user roles that will transiton to the %s domain."
+msgid "Select the user roles that will transition to the %s domain."
msgstr ""
#: ../gui/polgen.glade:928
@@ -1649,7 +1649,7 @@ msgid "<b>Select the user_roles that will transition to %s:</b>"
msgstr ""
#: ../gui/polgen.glade:1019
-msgid "Select the user roles that will transiton to this applications domains."
+msgid "Select the user roles that will transition to this applications domains."
msgstr ""
#: ../gui/polgen.glade:1056
@@ -1873,7 +1873,7 @@ msgid "You must enter a executable"
msgstr ""
#: ../gui/polgengui.py:756 ../gui/system-config-selinux.py:180
-msgid "Configue SELinux"
+msgid "Configure SELinux"
msgstr ""
#: ../gui/portsPage.py:51 ../gui/system-config-selinux.glade:2528
@@ -3722,7 +3722,7 @@ msgstr ""
#: ../sepolicy/sepolicy/generate.py:333
msgid ""
-"Name must be alpha numberic with no spaces. Consider using option \"-n "
+"Name must be alpha numeric with no spaces. Consider using option \"-n "
"MODULENAME\""
msgstr ""
@@ -3948,7 +3948,7 @@ msgstr ""
#: ../sepolicy/sepolicy/sepolicy.glade:826
msgid ""
-"Select Make Path Recursive iff you want to apply this label to all children "
+"Select Make Path Recursive if you want to apply this label to all children "
"of the specified directory path. objects under the directory to have this "
"label."
msgstr ""
diff --git a/policycoreutils/po/my.po b/policycoreutils/po/my.po
index 37eb16a7..2fd7f752 100644
--- a/policycoreutils/po/my.po
+++ b/policycoreutils/po/my.po
@@ -1623,7 +1623,7 @@ msgid "<b>Select existing role to modify:</b>"
msgstr ""
#: ../gui/polgen.glade:908
-msgid "Select the user roles that will transiton to the %s domain."
+msgid "Select the user roles that will transition to the %s domain."
msgstr ""
#: ../gui/polgen.glade:928
@@ -1649,7 +1649,7 @@ msgid "<b>Select the user_roles that will transition to %s:</b>"
msgstr ""
#: ../gui/polgen.glade:1019
-msgid "Select the user roles that will transiton to this applications domains."
+msgid "Select the user roles that will transition to this applications domains."
msgstr ""
#: ../gui/polgen.glade:1056
@@ -1873,7 +1873,7 @@ msgid "You must enter a executable"
msgstr ""
#: ../gui/polgengui.py:756 ../gui/system-config-selinux.py:180
-msgid "Configue SELinux"
+msgid "Configure SELinux"
msgstr ""
#: ../gui/portsPage.py:51 ../gui/system-config-selinux.glade:2528
@@ -3722,7 +3722,7 @@ msgstr ""
#: ../sepolicy/sepolicy/generate.py:333
msgid ""
-"Name must be alpha numberic with no spaces. Consider using option \"-n "
+"Name must be alpha numeric with no spaces. Consider using option \"-n "
"MODULENAME\""
msgstr ""
@@ -3948,7 +3948,7 @@ msgstr ""
#: ../sepolicy/sepolicy/sepolicy.glade:826
msgid ""
-"Select Make Path Recursive iff you want to apply this label to all children "
+"Select Make Path Recursive if you want to apply this label to all children "
"of the specified directory path. objects under the directory to have this "
"label."
msgstr ""
diff --git a/policycoreutils/po/nb.po b/policycoreutils/po/nb.po
index 410a43e6..f78a07b4 100644
--- a/policycoreutils/po/nb.po
+++ b/policycoreutils/po/nb.po
@@ -1622,7 +1622,7 @@ msgid "<b>Select existing role to modify:</b>"
msgstr ""
#: ../gui/polgen.glade:908
-msgid "Select the user roles that will transiton to the %s domain."
+msgid "Select the user roles that will transition to the %s domain."
msgstr ""
#: ../gui/polgen.glade:928
@@ -1648,7 +1648,7 @@ msgid "<b>Select the user_roles that will transition to %s:</b>"
msgstr ""
#: ../gui/polgen.glade:1019
-msgid "Select the user roles that will transiton to this applications domains."
+msgid "Select the user roles that will transition to this applications domains."
msgstr ""
#: ../gui/polgen.glade:1056
@@ -1872,7 +1872,7 @@ msgid "You must enter a executable"
msgstr ""
#: ../gui/polgengui.py:756 ../gui/system-config-selinux.py:180
-msgid "Configue SELinux"
+msgid "Configure SELinux"
msgstr ""
#: ../gui/portsPage.py:51 ../gui/system-config-selinux.glade:2528
@@ -3721,7 +3721,7 @@ msgstr ""
#: ../sepolicy/sepolicy/generate.py:333
msgid ""
-"Name must be alpha numberic with no spaces. Consider using option \"-n "
+"Name must be alpha numeric with no spaces. Consider using option \"-n "
"MODULENAME\""
msgstr ""
@@ -3947,7 +3947,7 @@ msgstr ""
#: ../sepolicy/sepolicy/sepolicy.glade:826
msgid ""
-"Select Make Path Recursive iff you want to apply this label to all children "
+"Select Make Path Recursive if you want to apply this label to all children "
"of the specified directory path. objects under the directory to have this "
"label."
msgstr ""
diff --git a/policycoreutils/po/nds.po b/policycoreutils/po/nds.po
index 1a1547c0..e131dcc7 100644
--- a/policycoreutils/po/nds.po
+++ b/policycoreutils/po/nds.po
@@ -1622,7 +1622,7 @@ msgid "<b>Select existing role to modify:</b>"
msgstr ""
#: ../gui/polgen.glade:908
-msgid "Select the user roles that will transiton to the %s domain."
+msgid "Select the user roles that will transition to the %s domain."
msgstr ""
#: ../gui/polgen.glade:928
@@ -1648,7 +1648,7 @@ msgid "<b>Select the user_roles that will transition to %s:</b>"
msgstr ""
#: ../gui/polgen.glade:1019
-msgid "Select the user roles that will transiton to this applications domains."
+msgid "Select the user roles that will transition to this applications domains."
msgstr ""
#: ../gui/polgen.glade:1056
@@ -1872,7 +1872,7 @@ msgid "You must enter a executable"
msgstr ""
#: ../gui/polgengui.py:756 ../gui/system-config-selinux.py:180
-msgid "Configue SELinux"
+msgid "Configure SELinux"
msgstr ""
#: ../gui/portsPage.py:51 ../gui/system-config-selinux.glade:2528
@@ -3721,7 +3721,7 @@ msgstr ""
#: ../sepolicy/sepolicy/generate.py:333
msgid ""
-"Name must be alpha numberic with no spaces. Consider using option \"-n "
+"Name must be alpha numeric with no spaces. Consider using option \"-n "
"MODULENAME\""
msgstr ""
@@ -3947,7 +3947,7 @@ msgstr ""
#: ../sepolicy/sepolicy/sepolicy.glade:826
msgid ""
-"Select Make Path Recursive iff you want to apply this label to all children "
+"Select Make Path Recursive if you want to apply this label to all children "
"of the specified directory path. objects under the directory to have this "
"label."
msgstr ""
diff --git a/policycoreutils/po/ne.po b/policycoreutils/po/ne.po
index c74d6650..b0a1fda7 100644
--- a/policycoreutils/po/ne.po
+++ b/policycoreutils/po/ne.po
@@ -1623,7 +1623,7 @@ msgid "<b>Select existing role to modify:</b>"
msgstr ""
#: ../gui/polgen.glade:908
-msgid "Select the user roles that will transiton to the %s domain."
+msgid "Select the user roles that will transition to the %s domain."
msgstr ""
#: ../gui/polgen.glade:928
@@ -1649,7 +1649,7 @@ msgid "<b>Select the user_roles that will transition to %s:</b>"
msgstr ""
#: ../gui/polgen.glade:1019
-msgid "Select the user roles that will transiton to this applications domains."
+msgid "Select the user roles that will transition to this applications domains."
msgstr ""
#: ../gui/polgen.glade:1056
@@ -1873,7 +1873,7 @@ msgid "You must enter a executable"
msgstr ""
#: ../gui/polgengui.py:756 ../gui/system-config-selinux.py:180
-msgid "Configue SELinux"
+msgid "Configure SELinux"
msgstr ""
#: ../gui/portsPage.py:51 ../gui/system-config-selinux.glade:2528
@@ -3722,7 +3722,7 @@ msgstr ""
#: ../sepolicy/sepolicy/generate.py:333
msgid ""
-"Name must be alpha numberic with no spaces. Consider using option \"-n "
+"Name must be alpha numeric with no spaces. Consider using option \"-n "
"MODULENAME\""
msgstr ""
@@ -3948,7 +3948,7 @@ msgstr ""
#: ../sepolicy/sepolicy/sepolicy.glade:826
msgid ""
-"Select Make Path Recursive iff you want to apply this label to all children "
+"Select Make Path Recursive if you want to apply this label to all children "
"of the specified directory path. objects under the directory to have this "
"label."
msgstr ""
diff --git a/policycoreutils/po/nl.po b/policycoreutils/po/nl.po
index 3d3b111e..cb51b7c2 100644
--- a/policycoreutils/po/nl.po
+++ b/policycoreutils/po/nl.po
@@ -1641,7 +1641,7 @@ msgid "<b>Select existing role to modify:</b>"
msgstr ""
#: ../gui/polgen.glade:908
-msgid "Select the user roles that will transiton to the %s domain."
+msgid "Select the user roles that will transition to the %s domain."
msgstr ""
#: ../gui/polgen.glade:928
@@ -1667,7 +1667,7 @@ msgid "<b>Select the user_roles that will transition to %s:</b>"
msgstr ""
#: ../gui/polgen.glade:1019
-msgid "Select the user roles that will transiton to this applications domains."
+msgid "Select the user roles that will transition to this applications domains."
msgstr ""
#: ../gui/polgen.glade:1056
@@ -1891,7 +1891,7 @@ msgid "You must enter a executable"
msgstr ""
#: ../gui/polgengui.py:756 ../gui/system-config-selinux.py:180
-msgid "Configue SELinux"
+msgid "Configure SELinux"
msgstr ""
#: ../gui/portsPage.py:51 ../gui/system-config-selinux.glade:2528
@@ -3740,7 +3740,7 @@ msgstr ""
#: ../sepolicy/sepolicy/generate.py:333
msgid ""
-"Name must be alpha numberic with no spaces. Consider using option \"-n "
+"Name must be alpha numeric with no spaces. Consider using option \"-n "
"MODULENAME\""
msgstr ""
@@ -3966,7 +3966,7 @@ msgstr ""
#: ../sepolicy/sepolicy/sepolicy.glade:826
msgid ""
-"Select Make Path Recursive iff you want to apply this label to all children "
+"Select Make Path Recursive if you want to apply this label to all children "
"of the specified directory path. objects under the directory to have this "
"label."
msgstr ""
diff --git a/policycoreutils/po/nn.po b/policycoreutils/po/nn.po
index e89e3536..dea00028 100644
--- a/policycoreutils/po/nn.po
+++ b/policycoreutils/po/nn.po
@@ -1622,7 +1622,7 @@ msgid "<b>Select existing role to modify:</b>"
msgstr ""
#: ../gui/polgen.glade:908
-msgid "Select the user roles that will transiton to the %s domain."
+msgid "Select the user roles that will transition to the %s domain."
msgstr ""
#: ../gui/polgen.glade:928
@@ -1648,7 +1648,7 @@ msgid "<b>Select the user_roles that will transition to %s:</b>"
msgstr ""
#: ../gui/polgen.glade:1019
-msgid "Select the user roles that will transiton to this applications domains."
+msgid "Select the user roles that will transition to this applications domains."
msgstr ""
#: ../gui/polgen.glade:1056
@@ -1872,7 +1872,7 @@ msgid "You must enter a executable"
msgstr ""
#: ../gui/polgengui.py:756 ../gui/system-config-selinux.py:180
-msgid "Configue SELinux"
+msgid "Configure SELinux"
msgstr ""
#: ../gui/portsPage.py:51 ../gui/system-config-selinux.glade:2528
@@ -3721,7 +3721,7 @@ msgstr ""
#: ../sepolicy/sepolicy/generate.py:333
msgid ""
-"Name must be alpha numberic with no spaces. Consider using option \"-n "
+"Name must be alpha numeric with no spaces. Consider using option \"-n "
"MODULENAME\""
msgstr ""
@@ -3947,7 +3947,7 @@ msgstr ""
#: ../sepolicy/sepolicy/sepolicy.glade:826
msgid ""
-"Select Make Path Recursive iff you want to apply this label to all children "
+"Select Make Path Recursive if you want to apply this label to all children "
"of the specified directory path. objects under the directory to have this "
"label."
msgstr ""
diff --git a/policycoreutils/po/nso.po b/policycoreutils/po/nso.po
index 5684f243..b7ceef65 100644
--- a/policycoreutils/po/nso.po
+++ b/policycoreutils/po/nso.po
@@ -1623,7 +1623,7 @@ msgid "<b>Select existing role to modify:</b>"
msgstr ""
#: ../gui/polgen.glade:908
-msgid "Select the user roles that will transiton to the %s domain."
+msgid "Select the user roles that will transition to the %s domain."
msgstr ""
#: ../gui/polgen.glade:928
@@ -1649,7 +1649,7 @@ msgid "<b>Select the user_roles that will transition to %s:</b>"
msgstr ""
#: ../gui/polgen.glade:1019
-msgid "Select the user roles that will transiton to this applications domains."
+msgid "Select the user roles that will transition to this applications domains."
msgstr ""
#: ../gui/polgen.glade:1056
@@ -1873,7 +1873,7 @@ msgid "You must enter a executable"
msgstr ""
#: ../gui/polgengui.py:756 ../gui/system-config-selinux.py:180
-msgid "Configue SELinux"
+msgid "Configure SELinux"
msgstr ""
#: ../gui/portsPage.py:51 ../gui/system-config-selinux.glade:2528
@@ -3722,7 +3722,7 @@ msgstr ""
#: ../sepolicy/sepolicy/generate.py:333
msgid ""
-"Name must be alpha numberic with no spaces. Consider using option \"-n "
+"Name must be alpha numeric with no spaces. Consider using option \"-n "
"MODULENAME\""
msgstr ""
@@ -3948,7 +3948,7 @@ msgstr ""
#: ../sepolicy/sepolicy/sepolicy.glade:826
msgid ""
-"Select Make Path Recursive iff you want to apply this label to all children "
+"Select Make Path Recursive if you want to apply this label to all children "
"of the specified directory path. objects under the directory to have this "
"label."
msgstr ""
diff --git a/policycoreutils/po/or.po b/policycoreutils/po/or.po
index 3f3e921a..01e8ac71 100644
--- a/policycoreutils/po/or.po
+++ b/policycoreutils/po/or.po
@@ -1668,7 +1668,7 @@ msgid "<b>Select existing role to modify:</b>"
msgstr "<b>ପରିବରà­à¬¤à­à¬¤à¬¨ କରିବା ପାଇଠସà­à¬¥à¬¿à¬¤à¬¬à¬¾à¬¨ ଭୂମିକା ବାଛନà­à¬¤à­:</b>"
#: ../gui/polgen.glade:908
-msgid "Select the user roles that will transiton to the %s domain."
+msgid "Select the user roles that will transition to the %s domain."
msgstr "ଚାଳକ ଭୂମିକାଗà­à¬¡à¬¿à¬•à­ ଚୟନ କରନà­à¬¤à­ ଯିଠ%s ପରିସରକୠସକରà­à¬® କରିବ।"
#: ../gui/polgen.glade:928
@@ -1696,7 +1696,7 @@ msgid "<b>Select the user_roles that will transition to %s:</b>"
msgstr "<b>%s କୠପରିବରà­à¬¤à­à¬¤à¬¿à¬¤ ହେବାକୠଥିବା ଚାଳକ ଭୂମିକା ବାଛନà­à¬¤à­ (_r):</b>"
#: ../gui/polgen.glade:1019
-msgid "Select the user roles that will transiton to this applications domains."
+msgid "Select the user roles that will transition to this applications domains."
msgstr "ଚାଳକ ଭୂମିକା ଗà­à¬¡à¬¿à¬•à­ ଚୟନ କରନà­à¬¤à­ ଯିଠà¬à¬¹à¬¿ ପà­à¬°à­Ÿà­‹à¬— ପରିସରଗà­à¬¡à¬¿à¬•à­ ସକରà­à¬® କରିବ।"
#: ../gui/polgen.glade:1056
@@ -1936,7 +1936,7 @@ msgid "You must enter a executable"
msgstr "ଆପଣ ଗୋଟିଠନିଷà­à¬ªà¬¾à¬¦à­à­Ÿ ଭରଣ କରିବା ଉଚିତ"
#: ../gui/polgengui.py:756 ../gui/system-config-selinux.py:180
-msgid "Configue SELinux"
+msgid "Configure SELinux"
msgstr "SELinux ବିନà­à­Ÿà¬¾à¬¸ କରନà­à¬¤à­"
#: ../gui/portsPage.py:51 ../gui/system-config-selinux.glade:2528
@@ -3970,7 +3970,7 @@ msgstr "ଆପଣଙà­à¬•à¬° %s ପାଇଠଆପଣଙà­à¬•à­ ନିତୀ
#: ../sepolicy/sepolicy/generate.py:333
msgid ""
-"Name must be alpha numberic with no spaces. Consider using option \"-n "
+"Name must be alpha numeric with no spaces. Consider using option \"-n "
"MODULENAME\""
msgstr ""
"ନାମଟି ନିଶà­à¬šà¬¿à¬¤ ଭାବରେ ଖାଲିସà­à¬¥à¬¾à¬¨ ନଥିବା à¬à¬¬à¬‚ ସାଂକà­à¬·à¬°à¬¿à¬• ହୋଇଥିବା ଉଚିତ। \"-n MODULENAME\" "
@@ -4210,7 +4210,7 @@ msgstr ""
#: ../sepolicy/sepolicy/sepolicy.glade:826
msgid ""
-"Select Make Path Recursive iff you want to apply this label to all children "
+"Select Make Path Recursive if you want to apply this label to all children "
"of the specified directory path. objects under the directory to have this "
"label."
msgstr ""
diff --git a/policycoreutils/po/pa.po b/policycoreutils/po/pa.po
index 845642e4..9635cb6f 100644
--- a/policycoreutils/po/pa.po
+++ b/policycoreutils/po/pa.po
@@ -1658,7 +1658,7 @@ msgid "<b>Select existing role to modify:</b>"
msgstr "<b>ਤਬਦੀਲ ਕਰਨ ਲਈ ਮੌਜੀਦਾ ਰੋਲ ਚà©à¨£à©‹:</b>"
#: ../gui/polgen.glade:908
-msgid "Select the user roles that will transiton to the %s domain."
+msgid "Select the user roles that will transition to the %s domain."
msgstr "ਯੂਜ਼ਰ ਰੋਲ ਚà©à¨£à©‹ ਜੋ %s ਡੋਮੇਨ ਵਿੱਚ ਤਬਦੀਲ ਹੋਵੇਗਾ।"
#: ../gui/polgen.glade:928
@@ -1686,7 +1686,7 @@ msgid "<b>Select the user_roles that will transition to %s:</b>"
msgstr "<b>user_roles ਚà©à¨£à©‹ ਜੋ %s ਵਿੱਚ ਤਬਦੀਲ ਹੋਵੇਗਾ:</b>"
#: ../gui/polgen.glade:1019
-msgid "Select the user roles that will transiton to this applications domains."
+msgid "Select the user roles that will transition to this applications domains."
msgstr "ਉਪਭੋਗੀ ਰੋਲ ਚà©à¨£à©‹ ਜੋ ਇਸ ਕਾਰਜ ਡੋਮੇਨਾਂ ਵਿੱਚ ਤਬਦੀਲ ਹੋਵੇਗਾ।"
#: ../gui/polgen.glade:1056
@@ -1926,7 +1926,7 @@ msgid "You must enter a executable"
msgstr "ਤà©à¨¹à¨¾à¨¨à©‚à©° ਇੱਕ à¨à¨—ਜ਼ੀਕਿਊਟੇਬਲ ਦੇਣਾ ਚਾਹੀਦਾ ਹੈ"
#: ../gui/polgengui.py:756 ../gui/system-config-selinux.py:180
-msgid "Configue SELinux"
+msgid "Configure SELinux"
msgstr "SELinux ਸੰਰਚਨਾ"
#: ../gui/portsPage.py:51 ../gui/system-config-selinux.glade:2528
@@ -3925,7 +3925,7 @@ msgstr "ਤà©à¨¹à¨¾à¨¨à©‚à©° ਤà©à¨¹à¨¾à¨¡à©€ %s ਲਈ ਤà©à¨¹à¨¾à¨¡à©‡ à¨
#: ../sepolicy/sepolicy/generate.py:333
msgid ""
-"Name must be alpha numberic with no spaces. Consider using option \"-n "
+"Name must be alpha numeric with no spaces. Consider using option \"-n "
"MODULENAME\""
msgstr "ਨਾਂ ਅਲਫਾ ਨà©à¨®à©ˆà¨°à¨¿à¨• ਹੋਣਾ ਜਰੂਰੀ ਹੈ। ਚੋਣ \"-n MODULENAME\" ਦੀ ਵਰਤੋਂ ਕਰੋ"
@@ -4163,7 +4163,7 @@ msgstr ""
#: ../sepolicy/sepolicy/sepolicy.glade:826
msgid ""
-"Select Make Path Recursive iff you want to apply this label to all children "
+"Select Make Path Recursive if you want to apply this label to all children "
"of the specified directory path. objects under the directory to have this "
"label."
msgstr ""
diff --git a/policycoreutils/po/pl.po b/policycoreutils/po/pl.po
index 6764d70b..193af55d 100644
--- a/policycoreutils/po/pl.po
+++ b/policycoreutils/po/pl.po
@@ -1678,7 +1678,7 @@ msgid "<b>Select existing role to modify:</b>"
msgstr "<b>Wybór istniejącej roli do zmodyfikowania:</b>"
#: ../gui/polgen.glade:908
-msgid "Select the user roles that will transiton to the %s domain."
+msgid "Select the user roles that will transition to the %s domain."
msgstr "Wybór roli użytkownika, które przemienić do domeny %s."
#: ../gui/polgen.glade:928
@@ -1706,7 +1706,7 @@ msgid "<b>Select the user_roles that will transition to %s:</b>"
msgstr "<b>Wybór ról użytkownika, do których przemienić %s:</b>"
#: ../gui/polgen.glade:1019
-msgid "Select the user roles that will transiton to this applications domains."
+msgid "Select the user roles that will transition to this applications domains."
msgstr "Wybór ról użytkownika, które przemienić do tych domen aplikacji."
#: ../gui/polgen.glade:1056
@@ -1947,7 +1947,7 @@ msgid "You must enter a executable"
msgstr "Należy podać plik wykonywalny"
#: ../gui/polgengui.py:756 ../gui/system-config-selinux.py:180
-msgid "Configue SELinux"
+msgid "Configure SELinux"
msgstr "Skonfiguruj SELinuksa"
#: ../gui/portsPage.py:51 ../gui/system-config-selinux.glade:2528
@@ -4010,7 +4010,7 @@ msgstr "Należy podać nazwę dla modułu polityki dla %s."
#: ../sepolicy/sepolicy/generate.py:333
msgid ""
-"Name must be alpha numberic with no spaces. Consider using option \"-n "
+"Name must be alpha numeric with no spaces. Consider using option \"-n "
"MODULENAME\""
msgstr ""
"Nazwa musi być alfanumeryczna bez spacji. Proszę rozważyć użycie opcji \"-n "
@@ -4245,7 +4245,7 @@ msgstr ""
#: ../sepolicy/sepolicy/sepolicy.glade:826
msgid ""
-"Select Make Path Recursive iff you want to apply this label to all children "
+"Select Make Path Recursive if you want to apply this label to all children "
"of the specified directory path. objects under the directory to have this "
"label."
msgstr ""
diff --git a/policycoreutils/po/policycoreutils.pot b/policycoreutils/po/policycoreutils.pot
index be2f1eb2..18fcdccf 100644
--- a/policycoreutils/po/policycoreutils.pot
+++ b/policycoreutils/po/policycoreutils.pot
@@ -1622,7 +1622,7 @@ msgid "<b>Select existing role to modify:</b>"
msgstr ""
#: ../gui/polgen.glade:908
-msgid "Select the user roles that will transiton to the %s domain."
+msgid "Select the user roles that will transition to the %s domain."
msgstr ""
#: ../gui/polgen.glade:928
@@ -1648,7 +1648,7 @@ msgid "<b>Select the user_roles that will transition to %s:</b>"
msgstr ""
#: ../gui/polgen.glade:1019
-msgid "Select the user roles that will transiton to this applications domains."
+msgid "Select the user roles that will transition to this applications domains."
msgstr ""
#: ../gui/polgen.glade:1056
@@ -1872,7 +1872,7 @@ msgid "You must enter a executable"
msgstr ""
#: ../gui/polgengui.py:756 ../gui/system-config-selinux.py:180
-msgid "Configue SELinux"
+msgid "Configure SELinux"
msgstr ""
#: ../gui/portsPage.py:51 ../gui/system-config-selinux.glade:2528
@@ -3721,7 +3721,7 @@ msgstr ""
#: ../sepolicy/sepolicy/generate.py:333
msgid ""
-"Name must be alpha numberic with no spaces. Consider using option \"-n "
+"Name must be alpha numeric with no spaces. Consider using option \"-n "
"MODULENAME\""
msgstr ""
@@ -3947,7 +3947,7 @@ msgstr ""
#: ../sepolicy/sepolicy/sepolicy.glade:826
msgid ""
-"Select Make Path Recursive iff you want to apply this label to all children "
+"Select Make Path Recursive if you want to apply this label to all children "
"of the specified directory path. objects under the directory to have this "
"label."
msgstr ""
diff --git a/policycoreutils/po/pt.po b/policycoreutils/po/pt.po
index b9691422..6a74f347 100644
--- a/policycoreutils/po/pt.po
+++ b/policycoreutils/po/pt.po
@@ -1653,7 +1653,7 @@ msgid "<b>Select existing role to modify:</b>"
msgstr ""
#: ../gui/polgen.glade:908
-msgid "Select the user roles that will transiton to the %s domain."
+msgid "Select the user roles that will transition to the %s domain."
msgstr ""
#: ../gui/polgen.glade:928
@@ -1679,7 +1679,7 @@ msgid "<b>Select the user_roles that will transition to %s:</b>"
msgstr ""
#: ../gui/polgen.glade:1019
-msgid "Select the user roles that will transiton to this applications domains."
+msgid "Select the user roles that will transition to this applications domains."
msgstr ""
#: ../gui/polgen.glade:1056
@@ -1903,7 +1903,7 @@ msgid "You must enter a executable"
msgstr ""
#: ../gui/polgengui.py:756 ../gui/system-config-selinux.py:180
-msgid "Configue SELinux"
+msgid "Configure SELinux"
msgstr ""
#: ../gui/portsPage.py:51 ../gui/system-config-selinux.glade:2528
@@ -3752,7 +3752,7 @@ msgstr ""
#: ../sepolicy/sepolicy/generate.py:333
msgid ""
-"Name must be alpha numberic with no spaces. Consider using option \"-n "
+"Name must be alpha numeric with no spaces. Consider using option \"-n "
"MODULENAME\""
msgstr ""
@@ -3978,7 +3978,7 @@ msgstr ""
#: ../sepolicy/sepolicy/sepolicy.glade:826
msgid ""
-"Select Make Path Recursive iff you want to apply this label to all children "
+"Select Make Path Recursive if you want to apply this label to all children "
"of the specified directory path. objects under the directory to have this "
"label."
msgstr ""
diff --git a/policycoreutils/po/pt_BR.po b/policycoreutils/po/pt_BR.po
index bea6ff51..9c2771b9 100644
--- a/policycoreutils/po/pt_BR.po
+++ b/policycoreutils/po/pt_BR.po
@@ -1695,7 +1695,7 @@ msgid "<b>Select existing role to modify:</b>"
msgstr "<b>Selecione função existente para modificar:</b>"
#: ../gui/polgen.glade:908
-msgid "Select the user roles that will transiton to the %s domain."
+msgid "Select the user roles that will transition to the %s domain."
msgstr "Selecionar as funções de usuário que transitarão para o domínio %s."
#: ../gui/polgen.glade:928
@@ -1721,7 +1721,7 @@ msgid "<b>Select the user_roles that will transition to %s:</b>"
msgstr "<b>Selecione user_roles que transitarão para %s</b>"
#: ../gui/polgen.glade:1019
-msgid "Select the user roles that will transiton to this applications domains."
+msgid "Select the user roles that will transition to this applications domains."
msgstr ""
"Selecionar funções de usuários que transitarão para estes domínios de "
"aplicativos."
@@ -1957,7 +1957,7 @@ msgid "You must enter a executable"
msgstr "Você deve inserir um executável"
#: ../gui/polgengui.py:756 ../gui/system-config-selinux.py:180
-msgid "Configue SELinux"
+msgid "Configure SELinux"
msgstr "Configurar SELinux"
#: ../gui/portsPage.py:51 ../gui/system-config-selinux.glade:2528
@@ -3972,7 +3972,7 @@ msgstr "Você precisa inserir um nome para seu módulo de política para seu %s.
#: ../sepolicy/sepolicy/generate.py:333
msgid ""
-"Name must be alpha numberic with no spaces. Consider using option \"-n "
+"Name must be alpha numeric with no spaces. Consider using option \"-n "
"MODULENAME\""
msgstr ""
"O nome deve ser alfa numérico sem espaços. Considere o uso da opção \"-n "
@@ -4208,7 +4208,7 @@ msgstr ""
#: ../sepolicy/sepolicy/sepolicy.glade:826
msgid ""
-"Select Make Path Recursive iff you want to apply this label to all children "
+"Select Make Path Recursive if you want to apply this label to all children "
"of the specified directory path. objects under the directory to have this "
"label."
msgstr ""
diff --git a/policycoreutils/po/ro.po b/policycoreutils/po/ro.po
index ffee45de..6ea8b3a2 100644
--- a/policycoreutils/po/ro.po
+++ b/policycoreutils/po/ro.po
@@ -1624,7 +1624,7 @@ msgid "<b>Select existing role to modify:</b>"
msgstr ""
#: ../gui/polgen.glade:908
-msgid "Select the user roles that will transiton to the %s domain."
+msgid "Select the user roles that will transition to the %s domain."
msgstr ""
#: ../gui/polgen.glade:928
@@ -1650,7 +1650,7 @@ msgid "<b>Select the user_roles that will transition to %s:</b>"
msgstr ""
#: ../gui/polgen.glade:1019
-msgid "Select the user roles that will transiton to this applications domains."
+msgid "Select the user roles that will transition to this applications domains."
msgstr ""
#: ../gui/polgen.glade:1056
@@ -1874,7 +1874,7 @@ msgid "You must enter a executable"
msgstr ""
#: ../gui/polgengui.py:756 ../gui/system-config-selinux.py:180
-msgid "Configue SELinux"
+msgid "Configure SELinux"
msgstr ""
#: ../gui/portsPage.py:51 ../gui/system-config-selinux.glade:2528
@@ -3723,7 +3723,7 @@ msgstr ""
#: ../sepolicy/sepolicy/generate.py:333
msgid ""
-"Name must be alpha numberic with no spaces. Consider using option \"-n "
+"Name must be alpha numeric with no spaces. Consider using option \"-n "
"MODULENAME\""
msgstr ""
@@ -3949,7 +3949,7 @@ msgstr ""
#: ../sepolicy/sepolicy/sepolicy.glade:826
msgid ""
-"Select Make Path Recursive iff you want to apply this label to all children "
+"Select Make Path Recursive if you want to apply this label to all children "
"of the specified directory path. objects under the directory to have this "
"label."
msgstr ""
diff --git a/policycoreutils/po/ru.po b/policycoreutils/po/ru.po
index 96987b68..afa0b0d8 100644
--- a/policycoreutils/po/ru.po
+++ b/policycoreutils/po/ru.po
@@ -1676,7 +1676,7 @@ msgid "<b>Select existing role to modify:</b>"
msgstr "<b>Выберите роль Ð´Ð»Ñ Ð¸Ð·Ð¼ÐµÐ½ÐµÐ½Ð¸Ñ:</b>"
#: ../gui/polgen.glade:908
-msgid "Select the user roles that will transiton to the %s domain."
+msgid "Select the user roles that will transition to the %s domain."
msgstr "Выберите роли Ð´Ð»Ñ Ð¿ÐµÑ€ÐµÐ½Ð¾Ñа в домен %s."
#: ../gui/polgen.glade:928
@@ -1704,7 +1704,7 @@ msgid "<b>Select the user_roles that will transition to %s:</b>"
msgstr "<b>Выберите роли, которые будут перенеÑены в %s:</b>"
#: ../gui/polgen.glade:1019
-msgid "Select the user roles that will transiton to this applications domains."
+msgid "Select the user roles that will transition to this applications domains."
msgstr "Выберите роли, которые будут перенеÑены в программные домены."
#: ../gui/polgen.glade:1056
@@ -1943,7 +1943,7 @@ msgid "You must enter a executable"
msgstr "Ðеобходимо указать иÑполнÑемый файл"
#: ../gui/polgengui.py:756 ../gui/system-config-selinux.py:180
-msgid "Configue SELinux"
+msgid "Configure SELinux"
msgstr "ÐаÑтроить SELinux"
#: ../gui/portsPage.py:51 ../gui/system-config-selinux.glade:2528
@@ -4023,7 +4023,7 @@ msgstr "Ðеобходимо ввеÑти Ð¸Ð¼Ñ Ð¼Ð¾Ð´ÑƒÐ»Ñ Ð¿Ð¾Ð»Ð¸Ñ‚Ð¸ÐºÐ¸ Ð
#: ../sepolicy/sepolicy/generate.py:333
msgid ""
-"Name must be alpha numberic with no spaces. Consider using option \"-n "
+"Name must be alpha numeric with no spaces. Consider using option \"-n "
"MODULENAME\""
msgstr ""
"Ð˜Ð¼Ñ Ð¼Ð¾Ð¶ÐµÑ‚ Ñодержать буквы и цифры без пробелов. РекомендуетÑÑ Ð¸Ñпользовать "
@@ -4263,7 +4263,7 @@ msgstr ""
#: ../sepolicy/sepolicy/sepolicy.glade:826
msgid ""
-"Select Make Path Recursive iff you want to apply this label to all children "
+"Select Make Path Recursive if you want to apply this label to all children "
"of the specified directory path. objects under the directory to have this "
"label."
msgstr ""
diff --git a/policycoreutils/po/si.po b/policycoreutils/po/si.po
index 34a766f5..0b82f248 100644
--- a/policycoreutils/po/si.po
+++ b/policycoreutils/po/si.po
@@ -1623,7 +1623,7 @@ msgid "<b>Select existing role to modify:</b>"
msgstr ""
#: ../gui/polgen.glade:908
-msgid "Select the user roles that will transiton to the %s domain."
+msgid "Select the user roles that will transition to the %s domain."
msgstr ""
#: ../gui/polgen.glade:928
@@ -1649,7 +1649,7 @@ msgid "<b>Select the user_roles that will transition to %s:</b>"
msgstr ""
#: ../gui/polgen.glade:1019
-msgid "Select the user roles that will transiton to this applications domains."
+msgid "Select the user roles that will transition to this applications domains."
msgstr ""
#: ../gui/polgen.glade:1056
@@ -1873,7 +1873,7 @@ msgid "You must enter a executable"
msgstr ""
#: ../gui/polgengui.py:756 ../gui/system-config-selinux.py:180
-msgid "Configue SELinux"
+msgid "Configure SELinux"
msgstr ""
#: ../gui/portsPage.py:51 ../gui/system-config-selinux.glade:2528
@@ -3722,7 +3722,7 @@ msgstr ""
#: ../sepolicy/sepolicy/generate.py:333
msgid ""
-"Name must be alpha numberic with no spaces. Consider using option \"-n "
+"Name must be alpha numeric with no spaces. Consider using option \"-n "
"MODULENAME\""
msgstr ""
@@ -3948,7 +3948,7 @@ msgstr ""
#: ../sepolicy/sepolicy/sepolicy.glade:826
msgid ""
-"Select Make Path Recursive iff you want to apply this label to all children "
+"Select Make Path Recursive if you want to apply this label to all children "
"of the specified directory path. objects under the directory to have this "
"label."
msgstr ""
diff --git a/policycoreutils/po/si_LK.po b/policycoreutils/po/si_LK.po
index 28909141..ea6721f2 100644
--- a/policycoreutils/po/si_LK.po
+++ b/policycoreutils/po/si_LK.po
@@ -1623,7 +1623,7 @@ msgid "<b>Select existing role to modify:</b>"
msgstr ""
#: ../gui/polgen.glade:908
-msgid "Select the user roles that will transiton to the %s domain."
+msgid "Select the user roles that will transition to the %s domain."
msgstr ""
#: ../gui/polgen.glade:928
@@ -1649,7 +1649,7 @@ msgid "<b>Select the user_roles that will transition to %s:</b>"
msgstr ""
#: ../gui/polgen.glade:1019
-msgid "Select the user roles that will transiton to this applications domains."
+msgid "Select the user roles that will transition to this applications domains."
msgstr ""
#: ../gui/polgen.glade:1056
@@ -1873,7 +1873,7 @@ msgid "You must enter a executable"
msgstr ""
#: ../gui/polgengui.py:756 ../gui/system-config-selinux.py:180
-msgid "Configue SELinux"
+msgid "Configure SELinux"
msgstr ""
#: ../gui/portsPage.py:51 ../gui/system-config-selinux.glade:2528
@@ -3722,7 +3722,7 @@ msgstr ""
#: ../sepolicy/sepolicy/generate.py:333
msgid ""
-"Name must be alpha numberic with no spaces. Consider using option \"-n "
+"Name must be alpha numeric with no spaces. Consider using option \"-n "
"MODULENAME\""
msgstr ""
@@ -3948,7 +3948,7 @@ msgstr ""
#: ../sepolicy/sepolicy/sepolicy.glade:826
msgid ""
-"Select Make Path Recursive iff you want to apply this label to all children "
+"Select Make Path Recursive if you want to apply this label to all children "
"of the specified directory path. objects under the directory to have this "
"label."
msgstr ""
diff --git a/policycoreutils/po/sk.po b/policycoreutils/po/sk.po
index 98880861..3ffa737f 100644
--- a/policycoreutils/po/sk.po
+++ b/policycoreutils/po/sk.po
@@ -1627,7 +1627,7 @@ msgid "<b>Select existing role to modify:</b>"
msgstr ""
#: ../gui/polgen.glade:908
-msgid "Select the user roles that will transiton to the %s domain."
+msgid "Select the user roles that will transition to the %s domain."
msgstr ""
#: ../gui/polgen.glade:928
@@ -1653,7 +1653,7 @@ msgid "<b>Select the user_roles that will transition to %s:</b>"
msgstr ""
#: ../gui/polgen.glade:1019
-msgid "Select the user roles that will transiton to this applications domains."
+msgid "Select the user roles that will transition to this applications domains."
msgstr ""
#: ../gui/polgen.glade:1056
@@ -1877,7 +1877,7 @@ msgid "You must enter a executable"
msgstr ""
#: ../gui/polgengui.py:756 ../gui/system-config-selinux.py:180
-msgid "Configue SELinux"
+msgid "Configure SELinux"
msgstr ""
#: ../gui/portsPage.py:51 ../gui/system-config-selinux.glade:2528
@@ -3726,7 +3726,7 @@ msgstr ""
#: ../sepolicy/sepolicy/generate.py:333
msgid ""
-"Name must be alpha numberic with no spaces. Consider using option \"-n "
+"Name must be alpha numeric with no spaces. Consider using option \"-n "
"MODULENAME\""
msgstr ""
@@ -3952,7 +3952,7 @@ msgstr ""
#: ../sepolicy/sepolicy/sepolicy.glade:826
msgid ""
-"Select Make Path Recursive iff you want to apply this label to all children "
+"Select Make Path Recursive if you want to apply this label to all children "
"of the specified directory path. objects under the directory to have this "
"label."
msgstr ""
diff --git a/policycoreutils/po/sl.po b/policycoreutils/po/sl.po
index 31807dd5..cc83cb24 100644
--- a/policycoreutils/po/sl.po
+++ b/policycoreutils/po/sl.po
@@ -1624,7 +1624,7 @@ msgid "<b>Select existing role to modify:</b>"
msgstr ""
#: ../gui/polgen.glade:908
-msgid "Select the user roles that will transiton to the %s domain."
+msgid "Select the user roles that will transition to the %s domain."
msgstr ""
#: ../gui/polgen.glade:928
@@ -1650,7 +1650,7 @@ msgid "<b>Select the user_roles that will transition to %s:</b>"
msgstr ""
#: ../gui/polgen.glade:1019
-msgid "Select the user roles that will transiton to this applications domains."
+msgid "Select the user roles that will transition to this applications domains."
msgstr ""
#: ../gui/polgen.glade:1056
@@ -1874,7 +1874,7 @@ msgid "You must enter a executable"
msgstr ""
#: ../gui/polgengui.py:756 ../gui/system-config-selinux.py:180
-msgid "Configue SELinux"
+msgid "Configure SELinux"
msgstr ""
#: ../gui/portsPage.py:51 ../gui/system-config-selinux.glade:2528
@@ -3723,7 +3723,7 @@ msgstr ""
#: ../sepolicy/sepolicy/generate.py:333
msgid ""
-"Name must be alpha numberic with no spaces. Consider using option \"-n "
+"Name must be alpha numeric with no spaces. Consider using option \"-n "
"MODULENAME\""
msgstr ""
@@ -3949,7 +3949,7 @@ msgstr ""
#: ../sepolicy/sepolicy/sepolicy.glade:826
msgid ""
-"Select Make Path Recursive iff you want to apply this label to all children "
+"Select Make Path Recursive if you want to apply this label to all children "
"of the specified directory path. objects under the directory to have this "
"label."
msgstr ""
diff --git a/policycoreutils/po/sq.po b/policycoreutils/po/sq.po
index 21c15f0c..d5f9ea95 100644
--- a/policycoreutils/po/sq.po
+++ b/policycoreutils/po/sq.po
@@ -1623,7 +1623,7 @@ msgid "<b>Select existing role to modify:</b>"
msgstr ""
#: ../gui/polgen.glade:908
-msgid "Select the user roles that will transiton to the %s domain."
+msgid "Select the user roles that will transition to the %s domain."
msgstr ""
#: ../gui/polgen.glade:928
@@ -1649,7 +1649,7 @@ msgid "<b>Select the user_roles that will transition to %s:</b>"
msgstr ""
#: ../gui/polgen.glade:1019
-msgid "Select the user roles that will transiton to this applications domains."
+msgid "Select the user roles that will transition to this applications domains."
msgstr ""
#: ../gui/polgen.glade:1056
@@ -1873,7 +1873,7 @@ msgid "You must enter a executable"
msgstr ""
#: ../gui/polgengui.py:756 ../gui/system-config-selinux.py:180
-msgid "Configue SELinux"
+msgid "Configure SELinux"
msgstr ""
#: ../gui/portsPage.py:51 ../gui/system-config-selinux.glade:2528
@@ -3722,7 +3722,7 @@ msgstr ""
#: ../sepolicy/sepolicy/generate.py:333
msgid ""
-"Name must be alpha numberic with no spaces. Consider using option \"-n "
+"Name must be alpha numeric with no spaces. Consider using option \"-n "
"MODULENAME\""
msgstr ""
@@ -3948,7 +3948,7 @@ msgstr ""
#: ../sepolicy/sepolicy/sepolicy.glade:826
msgid ""
-"Select Make Path Recursive iff you want to apply this label to all children "
+"Select Make Path Recursive if you want to apply this label to all children "
"of the specified directory path. objects under the directory to have this "
"label."
msgstr ""
diff --git a/policycoreutils/po/sr.po b/policycoreutils/po/sr.po
index b7d900ef..2eac72ca 100644
--- a/policycoreutils/po/sr.po
+++ b/policycoreutils/po/sr.po
@@ -1634,7 +1634,7 @@ msgid "<b>Select existing role to modify:</b>"
msgstr ""
#: ../gui/polgen.glade:908
-msgid "Select the user roles that will transiton to the %s domain."
+msgid "Select the user roles that will transition to the %s domain."
msgstr ""
#: ../gui/polgen.glade:928
@@ -1660,7 +1660,7 @@ msgid "<b>Select the user_roles that will transition to %s:</b>"
msgstr ""
#: ../gui/polgen.glade:1019
-msgid "Select the user roles that will transiton to this applications domains."
+msgid "Select the user roles that will transition to this applications domains."
msgstr ""
#: ../gui/polgen.glade:1056
@@ -1884,7 +1884,7 @@ msgid "You must enter a executable"
msgstr ""
#: ../gui/polgengui.py:756 ../gui/system-config-selinux.py:180
-msgid "Configue SELinux"
+msgid "Configure SELinux"
msgstr ""
#: ../gui/portsPage.py:51 ../gui/system-config-selinux.glade:2528
@@ -3733,7 +3733,7 @@ msgstr ""
#: ../sepolicy/sepolicy/generate.py:333
msgid ""
-"Name must be alpha numberic with no spaces. Consider using option \"-n "
+"Name must be alpha numeric with no spaces. Consider using option \"-n "
"MODULENAME\""
msgstr ""
@@ -3959,7 +3959,7 @@ msgstr ""
#: ../sepolicy/sepolicy/sepolicy.glade:826
msgid ""
-"Select Make Path Recursive iff you want to apply this label to all children "
+"Select Make Path Recursive if you want to apply this label to all children "
"of the specified directory path. objects under the directory to have this "
"label."
msgstr ""
diff --git a/policycoreutils/po/sr@latin.po b/policycoreutils/po/sr@latin.po
index 93b28d4f..9417e546 100644
--- a/policycoreutils/po/sr@latin.po
+++ b/policycoreutils/po/sr@latin.po
@@ -1635,7 +1635,7 @@ msgid "<b>Select existing role to modify:</b>"
msgstr ""
#: ../gui/polgen.glade:908
-msgid "Select the user roles that will transiton to the %s domain."
+msgid "Select the user roles that will transition to the %s domain."
msgstr ""
#: ../gui/polgen.glade:928
@@ -1661,7 +1661,7 @@ msgid "<b>Select the user_roles that will transition to %s:</b>"
msgstr ""
#: ../gui/polgen.glade:1019
-msgid "Select the user roles that will transiton to this applications domains."
+msgid "Select the user roles that will transition to this applications domains."
msgstr ""
#: ../gui/polgen.glade:1056
@@ -1885,7 +1885,7 @@ msgid "You must enter a executable"
msgstr ""
#: ../gui/polgengui.py:756 ../gui/system-config-selinux.py:180
-msgid "Configue SELinux"
+msgid "Configure SELinux"
msgstr ""
#: ../gui/portsPage.py:51 ../gui/system-config-selinux.glade:2528
@@ -3734,7 +3734,7 @@ msgstr ""
#: ../sepolicy/sepolicy/generate.py:333
msgid ""
-"Name must be alpha numberic with no spaces. Consider using option \"-n "
+"Name must be alpha numeric with no spaces. Consider using option \"-n "
"MODULENAME\""
msgstr ""
@@ -3960,7 +3960,7 @@ msgstr ""
#: ../sepolicy/sepolicy/sepolicy.glade:826
msgid ""
-"Select Make Path Recursive iff you want to apply this label to all children "
+"Select Make Path Recursive if you want to apply this label to all children "
"of the specified directory path. objects under the directory to have this "
"label."
msgstr ""
diff --git a/policycoreutils/po/sv.po b/policycoreutils/po/sv.po
index fddabf4b..4486700c 100644
--- a/policycoreutils/po/sv.po
+++ b/policycoreutils/po/sv.po
@@ -1673,7 +1673,7 @@ msgid "<b>Select existing role to modify:</b>"
msgstr "<b>Välj en befintlig roll att ändra:</b>"
#: ../gui/polgen.glade:908
-msgid "Select the user roles that will transiton to the %s domain."
+msgid "Select the user roles that will transition to the %s domain."
msgstr "Välj användarrollerna som skall övergå till domänen %s."
#: ../gui/polgen.glade:928
@@ -1701,7 +1701,7 @@ msgid "<b>Select the user_roles that will transition to %s:</b>"
msgstr "<b>Välj användarrollerna som skall övergå till domänen %s:</b>"
#: ../gui/polgen.glade:1019
-msgid "Select the user roles that will transiton to this applications domains."
+msgid "Select the user roles that will transition to this applications domains."
msgstr "Välj användarrollerna som kan övergå till detta programs domäner."
#: ../gui/polgen.glade:1056
@@ -1940,7 +1940,7 @@ msgid "You must enter a executable"
msgstr "Du måste ange ett körbart program"
#: ../gui/polgengui.py:756 ../gui/system-config-selinux.py:180
-msgid "Configue SELinux"
+msgid "Configure SELinux"
msgstr "Konfigurera SELinux"
#: ../gui/portsPage.py:51 ../gui/system-config-selinux.glade:2528
@@ -4006,7 +4006,7 @@ msgstr "Du måste ange ett namn på din policymodul för din %s."
#: ../sepolicy/sepolicy/generate.py:333
msgid ""
-"Name must be alpha numberic with no spaces. Consider using option \"-n "
+"Name must be alpha numeric with no spaces. Consider using option \"-n "
"MODULENAME\""
msgstr ""
"Namn måste vara alfanumeriska utan blanktecken. Överväg att använda flagga "
@@ -4245,7 +4245,7 @@ msgstr ""
#: ../sepolicy/sepolicy/sepolicy.glade:826
msgid ""
-"Select Make Path Recursive iff you want to apply this label to all children "
+"Select Make Path Recursive if you want to apply this label to all children "
"of the specified directory path. objects under the directory to have this "
"label."
msgstr ""
diff --git a/policycoreutils/po/ta.po b/policycoreutils/po/ta.po
index 9f91a5c6..e551f039 100644
--- a/policycoreutils/po/ta.po
+++ b/policycoreutils/po/ta.po
@@ -1673,7 +1673,7 @@ msgid "<b>Select existing role to modify:</b>"
msgstr "<b>à®®à¯à®©à¯à®ªà¯‡ உளà¯à®³ பஙà¯à®•à¯à®•à®³à®¿à®²à¯ மாறà¯à®±à®®à¯ செயà¯à®¯ வேணà¯à®Ÿà®¿à®¯à®µà®±à¯à®±à¯ˆà®¤à¯ தேரà¯à®¨à¯à®¤à¯†à®Ÿà¯à®•à¯à®•à®µà¯à®®à¯:</b>"
#: ../gui/polgen.glade:908
-msgid "Select the user roles that will transiton to the %s domain."
+msgid "Select the user roles that will transition to the %s domain."
msgstr "%s டொமைனà¯à®•à¯à®•à¯ நிலைமாறà¯à®®à¯ பயனர௠பஙà¯à®•à¯à®•à®³à¯ˆà®¤à¯ தேரà¯à®¨à¯à®¤à¯†à®Ÿà¯à®•à¯à®•à®µà¯à®®à¯."
#: ../gui/polgen.glade:928
@@ -1701,7 +1701,7 @@ msgid "<b>Select the user_roles that will transition to %s:</b>"
msgstr "<b>%s கà¯à®•à¯ நிலைமாறà¯à®®à¯ user_roles à®à®¤à¯ தேரà¯à®¨à¯à®¤à¯†à®Ÿà¯à®•à¯à®•à®µà¯à®®à¯:</b>"
#: ../gui/polgen.glade:1019
-msgid "Select the user roles that will transiton to this applications domains."
+msgid "Select the user roles that will transition to this applications domains."
msgstr "இநà¯à®¤ பயனà¯à®ªà®¾à®Ÿà¯à®•à®³à®¿à®©à¯ செயறà¯à®•à®³à®™à¯à®•à®³à¯à®•à¯à®•à¯ மறà¯à®±à¯Šà®©à¯à®±à¯à®•à¯à®•à¯ மாறாத பயனர௠பஙà¯à®•à¯à®•à®³à¯ˆ தேரà¯à®¨à¯à®¤à¯†à®Ÿà¯."
#: ../gui/polgen.glade:1056
@@ -1941,7 +1941,7 @@ msgid "You must enter a executable"
msgstr "ஒர௠இயகà¯à®•à®¤à¯à®¤à®•à¯à®•à®¤à¯ˆ உளà¯à®³à®¿à®Ÿ வேணà¯à®Ÿà¯à®®à¯"
#: ../gui/polgengui.py:756 ../gui/system-config-selinux.py:180
-msgid "Configue SELinux"
+msgid "Configure SELinux"
msgstr "SELinux஠அமைவாகà¯à®•à®®à¯ செயà¯à®¯à®µà¯à®®à¯"
#: ../gui/portsPage.py:51 ../gui/system-config-selinux.glade:2528
@@ -4038,7 +4038,7 @@ msgstr "உஙà¯à®•à®³à¯ %s கà¯à®•à®¾à®© உஙà¯à®•à®³à¯ கொளà¯à®•
#: ../sepolicy/sepolicy/generate.py:333
msgid ""
-"Name must be alpha numberic with no spaces. Consider using option \"-n "
+"Name must be alpha numeric with no spaces. Consider using option \"-n "
"MODULENAME\""
msgstr ""
"பெயரில௠இடைவெளி இரà¯à®•à¯à®•à®•à¯à®•à¯‚டாதà¯, எணà¯à®•à®³à¯à®®à¯ எழà¯à®¤à¯à®¤à¯à®•à®³à¯à®®à¯ இரà¯à®•à¯à®• வேணà¯à®Ÿà¯à®®à¯. \"-n MODULENAME"
@@ -4278,7 +4278,7 @@ msgstr ""
#: ../sepolicy/sepolicy/sepolicy.glade:826
msgid ""
-"Select Make Path Recursive iff you want to apply this label to all children "
+"Select Make Path Recursive if you want to apply this label to all children "
"of the specified directory path. objects under the directory to have this "
"label."
msgstr ""
diff --git a/policycoreutils/po/te.po b/policycoreutils/po/te.po
index 91321c37..f22ead18 100644
--- a/policycoreutils/po/te.po
+++ b/policycoreutils/po/te.po
@@ -1658,7 +1658,7 @@ msgid "<b>Select existing role to modify:</b>"
msgstr "<b>సవరించà±à°Ÿà°•à± à°µà±à°¨à±à°¨ పాతà±à°°à°¨à± యెంపికచేయి:</b>"
#: ../gui/polgen.glade:908
-msgid "Select the user roles that will transiton to the %s domain."
+msgid "Select the user roles that will transition to the %s domain."
msgstr "%s డొమైనà±â€Œà°•à± బదిలీ అగౠవాడà±à°•à°°à°¿ పాతà±à°°à°²à°¨à± యెంపికచేయి."
#: ../gui/polgen.glade:928
@@ -1686,7 +1686,7 @@ msgid "<b>Select the user_roles that will transition to %s:</b>"
msgstr "<b>%s కౠబదీలీ à°…à°¯à±à°¯à±‡ వాడà±à°•à°°à°¿-పాతà±à°°à°²à± యెంపికచేయి:</b>"
#: ../gui/polgen.glade:1019
-msgid "Select the user roles that will transiton to this applications domains."
+msgid "Select the user roles that will transition to this applications domains."
msgstr "à°ˆ à°…à°¨à±à°µà°°à±à°¤à°¨à°¾à°² డొమైనà±à°¸à±â€â€Œà°•à± బదిలీకరించబోవౠవినియోగదారి దసà±à°¤à±à°°à°¾à°²à°¨à± ఎంపికచేయà±à°®à±"
#: ../gui/polgen.glade:1056
@@ -1924,7 +1924,7 @@ msgid "You must enter a executable"
msgstr "మీరౠతపà±à°ªà°• à°’à°• నిరà±à°µà°°à±à°¤à°¿à°¨à°¿à°¨à°¿ à°ªà±à°°à°µà±‡à°¶à°ªà±†à°Ÿà±à°Ÿà°µà°²à±†à°¨à±"
#: ../gui/polgengui.py:756 ../gui/system-config-selinux.py:180
-msgid "Configue SELinux"
+msgid "Configure SELinux"
msgstr "SELinux నౠఆకృతీకరించà±à°®à±"
#: ../gui/portsPage.py:51 ../gui/system-config-selinux.glade:2528
@@ -3907,7 +3907,7 @@ msgstr "మీ విధాన మాడà±à°¯à±‚లౠకొరకౠమీ %
#: ../sepolicy/sepolicy/generate.py:333
msgid ""
-"Name must be alpha numberic with no spaces. Consider using option \"-n "
+"Name must be alpha numeric with no spaces. Consider using option \"-n "
"MODULENAME\""
msgstr "పేరౠఖాళీలౠలేకà±à°‚à°¡à°¾ à°…à°²à±à°«à°¾à°¨à±à°¯à±‚మరికౠఅయివà±à°‚డాలి. \"-n MODULENAME\" à°à°šà±à°šà°¿à°•à°‚ à°µà±à°ªà°¯à±‹à°—à°¿à°‚à°šà±à°®à±."
@@ -4142,7 +4142,7 @@ msgstr ""
#: ../sepolicy/sepolicy/sepolicy.glade:826
msgid ""
-"Select Make Path Recursive iff you want to apply this label to all children "
+"Select Make Path Recursive if you want to apply this label to all children "
"of the specified directory path. objects under the directory to have this "
"label."
msgstr ""
diff --git a/policycoreutils/po/tg.po b/policycoreutils/po/tg.po
index c67e7ebb..8075acdc 100644
--- a/policycoreutils/po/tg.po
+++ b/policycoreutils/po/tg.po
@@ -1623,7 +1623,7 @@ msgid "<b>Select existing role to modify:</b>"
msgstr ""
#: ../gui/polgen.glade:908
-msgid "Select the user roles that will transiton to the %s domain."
+msgid "Select the user roles that will transition to the %s domain."
msgstr ""
#: ../gui/polgen.glade:928
@@ -1649,7 +1649,7 @@ msgid "<b>Select the user_roles that will transition to %s:</b>"
msgstr ""
#: ../gui/polgen.glade:1019
-msgid "Select the user roles that will transiton to this applications domains."
+msgid "Select the user roles that will transition to this applications domains."
msgstr ""
#: ../gui/polgen.glade:1056
@@ -1873,7 +1873,7 @@ msgid "You must enter a executable"
msgstr ""
#: ../gui/polgengui.py:756 ../gui/system-config-selinux.py:180
-msgid "Configue SELinux"
+msgid "Configure SELinux"
msgstr ""
#: ../gui/portsPage.py:51 ../gui/system-config-selinux.glade:2528
@@ -3722,7 +3722,7 @@ msgstr ""
#: ../sepolicy/sepolicy/generate.py:333
msgid ""
-"Name must be alpha numberic with no spaces. Consider using option \"-n "
+"Name must be alpha numeric with no spaces. Consider using option \"-n "
"MODULENAME\""
msgstr ""
@@ -3948,7 +3948,7 @@ msgstr ""
#: ../sepolicy/sepolicy/sepolicy.glade:826
msgid ""
-"Select Make Path Recursive iff you want to apply this label to all children "
+"Select Make Path Recursive if you want to apply this label to all children "
"of the specified directory path. objects under the directory to have this "
"label."
msgstr ""
diff --git a/policycoreutils/po/th.po b/policycoreutils/po/th.po
index faa74755..b23787a9 100644
--- a/policycoreutils/po/th.po
+++ b/policycoreutils/po/th.po
@@ -1623,7 +1623,7 @@ msgid "<b>Select existing role to modify:</b>"
msgstr ""
#: ../gui/polgen.glade:908
-msgid "Select the user roles that will transiton to the %s domain."
+msgid "Select the user roles that will transition to the %s domain."
msgstr ""
#: ../gui/polgen.glade:928
@@ -1649,7 +1649,7 @@ msgid "<b>Select the user_roles that will transition to %s:</b>"
msgstr ""
#: ../gui/polgen.glade:1019
-msgid "Select the user roles that will transiton to this applications domains."
+msgid "Select the user roles that will transition to this applications domains."
msgstr ""
#: ../gui/polgen.glade:1056
@@ -1873,7 +1873,7 @@ msgid "You must enter a executable"
msgstr ""
#: ../gui/polgengui.py:756 ../gui/system-config-selinux.py:180
-msgid "Configue SELinux"
+msgid "Configure SELinux"
msgstr ""
#: ../gui/portsPage.py:51 ../gui/system-config-selinux.glade:2528
@@ -3722,7 +3722,7 @@ msgstr ""
#: ../sepolicy/sepolicy/generate.py:333
msgid ""
-"Name must be alpha numberic with no spaces. Consider using option \"-n "
+"Name must be alpha numeric with no spaces. Consider using option \"-n "
"MODULENAME\""
msgstr ""
@@ -3948,7 +3948,7 @@ msgstr ""
#: ../sepolicy/sepolicy/sepolicy.glade:826
msgid ""
-"Select Make Path Recursive iff you want to apply this label to all children "
+"Select Make Path Recursive if you want to apply this label to all children "
"of the specified directory path. objects under the directory to have this "
"label."
msgstr ""
diff --git a/policycoreutils/po/tl.po b/policycoreutils/po/tl.po
index 3332653a..b045a2b1 100644
--- a/policycoreutils/po/tl.po
+++ b/policycoreutils/po/tl.po
@@ -1623,7 +1623,7 @@ msgid "<b>Select existing role to modify:</b>"
msgstr ""
#: ../gui/polgen.glade:908
-msgid "Select the user roles that will transiton to the %s domain."
+msgid "Select the user roles that will transition to the %s domain."
msgstr ""
#: ../gui/polgen.glade:928
@@ -1649,7 +1649,7 @@ msgid "<b>Select the user_roles that will transition to %s:</b>"
msgstr ""
#: ../gui/polgen.glade:1019
-msgid "Select the user roles that will transiton to this applications domains."
+msgid "Select the user roles that will transition to this applications domains."
msgstr ""
#: ../gui/polgen.glade:1056
@@ -1873,7 +1873,7 @@ msgid "You must enter a executable"
msgstr ""
#: ../gui/polgengui.py:756 ../gui/system-config-selinux.py:180
-msgid "Configue SELinux"
+msgid "Configure SELinux"
msgstr ""
#: ../gui/portsPage.py:51 ../gui/system-config-selinux.glade:2528
@@ -3722,7 +3722,7 @@ msgstr ""
#: ../sepolicy/sepolicy/generate.py:333
msgid ""
-"Name must be alpha numberic with no spaces. Consider using option \"-n "
+"Name must be alpha numeric with no spaces. Consider using option \"-n "
"MODULENAME\""
msgstr ""
@@ -3948,7 +3948,7 @@ msgstr ""
#: ../sepolicy/sepolicy/sepolicy.glade:826
msgid ""
-"Select Make Path Recursive iff you want to apply this label to all children "
+"Select Make Path Recursive if you want to apply this label to all children "
"of the specified directory path. objects under the directory to have this "
"label."
msgstr ""
diff --git a/policycoreutils/po/tr.po b/policycoreutils/po/tr.po
index 269e42c4..e814ab3a 100644
--- a/policycoreutils/po/tr.po
+++ b/policycoreutils/po/tr.po
@@ -1624,7 +1624,7 @@ msgid "<b>Select existing role to modify:</b>"
msgstr ""
#: ../gui/polgen.glade:908
-msgid "Select the user roles that will transiton to the %s domain."
+msgid "Select the user roles that will transition to the %s domain."
msgstr ""
#: ../gui/polgen.glade:928
@@ -1650,7 +1650,7 @@ msgid "<b>Select the user_roles that will transition to %s:</b>"
msgstr ""
#: ../gui/polgen.glade:1019
-msgid "Select the user roles that will transiton to this applications domains."
+msgid "Select the user roles that will transition to this applications domains."
msgstr ""
#: ../gui/polgen.glade:1056
@@ -1874,7 +1874,7 @@ msgid "You must enter a executable"
msgstr ""
#: ../gui/polgengui.py:756 ../gui/system-config-selinux.py:180
-msgid "Configue SELinux"
+msgid "Configure SELinux"
msgstr ""
#: ../gui/portsPage.py:51 ../gui/system-config-selinux.glade:2528
@@ -3723,7 +3723,7 @@ msgstr ""
#: ../sepolicy/sepolicy/generate.py:333
msgid ""
-"Name must be alpha numberic with no spaces. Consider using option \"-n "
+"Name must be alpha numeric with no spaces. Consider using option \"-n "
"MODULENAME\""
msgstr ""
@@ -3949,7 +3949,7 @@ msgstr ""
#: ../sepolicy/sepolicy/sepolicy.glade:826
msgid ""
-"Select Make Path Recursive iff you want to apply this label to all children "
+"Select Make Path Recursive if you want to apply this label to all children "
"of the specified directory path. objects under the directory to have this "
"label."
msgstr ""
diff --git a/policycoreutils/po/uk.po b/policycoreutils/po/uk.po
index 2938d05f..77ebdc0e 100644
--- a/policycoreutils/po/uk.po
+++ b/policycoreutils/po/uk.po
@@ -1675,7 +1675,7 @@ msgid "<b>Select existing role to modify:</b>"
msgstr "<b>Виберіть вже Ñтворену роль Ð´Ð»Ñ Ð²Ð½ÐµÑÐµÐ½Ð½Ñ Ð·Ð¼Ñ–Ð½:</b>"
#: ../gui/polgen.glade:908
-msgid "Select the user roles that will transiton to the %s domain."
+msgid "Select the user roles that will transition to the %s domain."
msgstr "Виберіть ролі кориÑтувача, Ñкі переводитимуть до домену %s."
#: ../gui/polgen.glade:928
@@ -1703,7 +1703,7 @@ msgid "<b>Select the user_roles that will transition to %s:</b>"
msgstr "<b>Виберіть user_roles Ñкі переводитимуть до %s:</b>"
#: ../gui/polgen.glade:1019
-msgid "Select the user roles that will transiton to this applications domains."
+msgid "Select the user roles that will transition to this applications domains."
msgstr "Виберіть ролі кориÑтувачів, Ñкі Ñлід перенеÑти у домени програм."
#: ../gui/polgen.glade:1056
@@ -1944,7 +1944,7 @@ msgid "You must enter a executable"
msgstr "Слід вказати виконуваний файл"
#: ../gui/polgengui.py:756 ../gui/system-config-selinux.py:180
-msgid "Configue SELinux"
+msgid "Configure SELinux"
msgstr "ÐÐ°Ð»Ð°ÑˆÑ‚Ð¾Ð²ÑƒÐ²Ð°Ð½Ð½Ñ SELinux"
#: ../gui/portsPage.py:51 ../gui/system-config-selinux.glade:2528
@@ -4138,7 +4138,7 @@ msgstr "Ð”Ð»Ñ Ð²Ð°ÑˆÐ¾Ð³Ð¾ %s вам Ñлід вказати назву вашÐ
#: ../sepolicy/sepolicy/generate.py:333
msgid ""
-"Name must be alpha numberic with no spaces. Consider using option \"-n "
+"Name must be alpha numeric with no spaces. Consider using option \"-n "
"MODULENAME\""
msgstr ""
"Ðазва має ÑкладатиÑÑ Ð· літер Ñ– цифр, без пробілів. Вам варто ÑкориÑтатиÑÑ "
@@ -4378,7 +4378,7 @@ msgstr ""
#: ../sepolicy/sepolicy/sepolicy.glade:826
msgid ""
-"Select Make Path Recursive iff you want to apply this label to all children "
+"Select Make Path Recursive if you want to apply this label to all children "
"of the specified directory path. objects under the directory to have this "
"label."
msgstr ""
diff --git a/policycoreutils/po/ur.po b/policycoreutils/po/ur.po
index 0ede3e6e..c3b77f29 100644
--- a/policycoreutils/po/ur.po
+++ b/policycoreutils/po/ur.po
@@ -1622,7 +1622,7 @@ msgid "<b>Select existing role to modify:</b>"
msgstr ""
#: ../gui/polgen.glade:908
-msgid "Select the user roles that will transiton to the %s domain."
+msgid "Select the user roles that will transition to the %s domain."
msgstr ""
#: ../gui/polgen.glade:928
@@ -1648,7 +1648,7 @@ msgid "<b>Select the user_roles that will transition to %s:</b>"
msgstr ""
#: ../gui/polgen.glade:1019
-msgid "Select the user roles that will transiton to this applications domains."
+msgid "Select the user roles that will transition to this applications domains."
msgstr ""
#: ../gui/polgen.glade:1056
@@ -1872,7 +1872,7 @@ msgid "You must enter a executable"
msgstr ""
#: ../gui/polgengui.py:756 ../gui/system-config-selinux.py:180
-msgid "Configue SELinux"
+msgid "Configure SELinux"
msgstr ""
#: ../gui/portsPage.py:51 ../gui/system-config-selinux.glade:2528
@@ -3721,7 +3721,7 @@ msgstr ""
#: ../sepolicy/sepolicy/generate.py:333
msgid ""
-"Name must be alpha numberic with no spaces. Consider using option \"-n "
+"Name must be alpha numeric with no spaces. Consider using option \"-n "
"MODULENAME\""
msgstr ""
@@ -3947,7 +3947,7 @@ msgstr ""
#: ../sepolicy/sepolicy/sepolicy.glade:826
msgid ""
-"Select Make Path Recursive iff you want to apply this label to all children "
+"Select Make Path Recursive if you want to apply this label to all children "
"of the specified directory path. objects under the directory to have this "
"label."
msgstr ""
diff --git a/policycoreutils/po/vi.po b/policycoreutils/po/vi.po
index fa87a1db..b999ad0d 100644
--- a/policycoreutils/po/vi.po
+++ b/policycoreutils/po/vi.po
@@ -1623,7 +1623,7 @@ msgid "<b>Select existing role to modify:</b>"
msgstr ""
#: ../gui/polgen.glade:908
-msgid "Select the user roles that will transiton to the %s domain."
+msgid "Select the user roles that will transition to the %s domain."
msgstr ""
#: ../gui/polgen.glade:928
@@ -1649,7 +1649,7 @@ msgid "<b>Select the user_roles that will transition to %s:</b>"
msgstr ""
#: ../gui/polgen.glade:1019
-msgid "Select the user roles that will transiton to this applications domains."
+msgid "Select the user roles that will transition to this applications domains."
msgstr ""
#: ../gui/polgen.glade:1056
@@ -1873,7 +1873,7 @@ msgid "You must enter a executable"
msgstr ""
#: ../gui/polgengui.py:756 ../gui/system-config-selinux.py:180
-msgid "Configue SELinux"
+msgid "Configure SELinux"
msgstr ""
#: ../gui/portsPage.py:51 ../gui/system-config-selinux.glade:2528
@@ -3722,7 +3722,7 @@ msgstr ""
#: ../sepolicy/sepolicy/generate.py:333
msgid ""
-"Name must be alpha numberic with no spaces. Consider using option \"-n "
+"Name must be alpha numeric with no spaces. Consider using option \"-n "
"MODULENAME\""
msgstr ""
@@ -3948,7 +3948,7 @@ msgstr ""
#: ../sepolicy/sepolicy/sepolicy.glade:826
msgid ""
-"Select Make Path Recursive iff you want to apply this label to all children "
+"Select Make Path Recursive if you want to apply this label to all children "
"of the specified directory path. objects under the directory to have this "
"label."
msgstr ""
diff --git a/policycoreutils/po/vi_VN.po b/policycoreutils/po/vi_VN.po
index c444825b..ef0280c6 100644
--- a/policycoreutils/po/vi_VN.po
+++ b/policycoreutils/po/vi_VN.po
@@ -1623,7 +1623,7 @@ msgid "<b>Select existing role to modify:</b>"
msgstr ""
#: ../gui/polgen.glade:908
-msgid "Select the user roles that will transiton to the %s domain."
+msgid "Select the user roles that will transition to the %s domain."
msgstr ""
#: ../gui/polgen.glade:928
@@ -1649,7 +1649,7 @@ msgid "<b>Select the user_roles that will transition to %s:</b>"
msgstr ""
#: ../gui/polgen.glade:1019
-msgid "Select the user roles that will transiton to this applications domains."
+msgid "Select the user roles that will transition to this applications domains."
msgstr ""
#: ../gui/polgen.glade:1056
@@ -1873,7 +1873,7 @@ msgid "You must enter a executable"
msgstr ""
#: ../gui/polgengui.py:756 ../gui/system-config-selinux.py:180
-msgid "Configue SELinux"
+msgid "Configure SELinux"
msgstr ""
#: ../gui/portsPage.py:51 ../gui/system-config-selinux.glade:2528
@@ -3722,7 +3722,7 @@ msgstr ""
#: ../sepolicy/sepolicy/generate.py:333
msgid ""
-"Name must be alpha numberic with no spaces. Consider using option \"-n "
+"Name must be alpha numeric with no spaces. Consider using option \"-n "
"MODULENAME\""
msgstr ""
@@ -3948,7 +3948,7 @@ msgstr ""
#: ../sepolicy/sepolicy/sepolicy.glade:826
msgid ""
-"Select Make Path Recursive iff you want to apply this label to all children "
+"Select Make Path Recursive if you want to apply this label to all children "
"of the specified directory path. objects under the directory to have this "
"label."
msgstr ""
diff --git a/policycoreutils/po/wo.po b/policycoreutils/po/wo.po
index 8713a249..4ec507c0 100644
--- a/policycoreutils/po/wo.po
+++ b/policycoreutils/po/wo.po
@@ -1623,7 +1623,7 @@ msgid "<b>Select existing role to modify:</b>"
msgstr ""
#: ../gui/polgen.glade:908
-msgid "Select the user roles that will transiton to the %s domain."
+msgid "Select the user roles that will transition to the %s domain."
msgstr ""
#: ../gui/polgen.glade:928
@@ -1649,7 +1649,7 @@ msgid "<b>Select the user_roles that will transition to %s:</b>"
msgstr ""
#: ../gui/polgen.glade:1019
-msgid "Select the user roles that will transiton to this applications domains."
+msgid "Select the user roles that will transition to this applications domains."
msgstr ""
#: ../gui/polgen.glade:1056
@@ -1873,7 +1873,7 @@ msgid "You must enter a executable"
msgstr ""
#: ../gui/polgengui.py:756 ../gui/system-config-selinux.py:180
-msgid "Configue SELinux"
+msgid "Configure SELinux"
msgstr ""
#: ../gui/portsPage.py:51 ../gui/system-config-selinux.glade:2528
@@ -3722,7 +3722,7 @@ msgstr ""
#: ../sepolicy/sepolicy/generate.py:333
msgid ""
-"Name must be alpha numberic with no spaces. Consider using option \"-n "
+"Name must be alpha numeric with no spaces. Consider using option \"-n "
"MODULENAME\""
msgstr ""
@@ -3948,7 +3948,7 @@ msgstr ""
#: ../sepolicy/sepolicy/sepolicy.glade:826
msgid ""
-"Select Make Path Recursive iff you want to apply this label to all children "
+"Select Make Path Recursive if you want to apply this label to all children "
"of the specified directory path. objects under the directory to have this "
"label."
msgstr ""
diff --git a/policycoreutils/po/xh.po b/policycoreutils/po/xh.po
index e1997883..90eae450 100644
--- a/policycoreutils/po/xh.po
+++ b/policycoreutils/po/xh.po
@@ -1623,7 +1623,7 @@ msgid "<b>Select existing role to modify:</b>"
msgstr ""
#: ../gui/polgen.glade:908
-msgid "Select the user roles that will transiton to the %s domain."
+msgid "Select the user roles that will transition to the %s domain."
msgstr ""
#: ../gui/polgen.glade:928
@@ -1649,7 +1649,7 @@ msgid "<b>Select the user_roles that will transition to %s:</b>"
msgstr ""
#: ../gui/polgen.glade:1019
-msgid "Select the user roles that will transiton to this applications domains."
+msgid "Select the user roles that will transition to this applications domains."
msgstr ""
#: ../gui/polgen.glade:1056
@@ -1873,7 +1873,7 @@ msgid "You must enter a executable"
msgstr ""
#: ../gui/polgengui.py:756 ../gui/system-config-selinux.py:180
-msgid "Configue SELinux"
+msgid "Configure SELinux"
msgstr ""
#: ../gui/portsPage.py:51 ../gui/system-config-selinux.glade:2528
@@ -3722,7 +3722,7 @@ msgstr ""
#: ../sepolicy/sepolicy/generate.py:333
msgid ""
-"Name must be alpha numberic with no spaces. Consider using option \"-n "
+"Name must be alpha numeric with no spaces. Consider using option \"-n "
"MODULENAME\""
msgstr ""
@@ -3948,7 +3948,7 @@ msgstr ""
#: ../sepolicy/sepolicy/sepolicy.glade:826
msgid ""
-"Select Make Path Recursive iff you want to apply this label to all children "
+"Select Make Path Recursive if you want to apply this label to all children "
"of the specified directory path. objects under the directory to have this "
"label."
msgstr ""
diff --git a/policycoreutils/po/zh_CN.GB2312.po b/policycoreutils/po/zh_CN.GB2312.po
index f56bae34..b2cceed8 100644
--- a/policycoreutils/po/zh_CN.GB2312.po
+++ b/policycoreutils/po/zh_CN.GB2312.po
@@ -1623,7 +1623,7 @@ msgid "<b>Select existing role to modify:</b>"
msgstr ""
#: ../gui/polgen.glade:908
-msgid "Select the user roles that will transiton to the %s domain."
+msgid "Select the user roles that will transition to the %s domain."
msgstr ""
#: ../gui/polgen.glade:928
@@ -1649,7 +1649,7 @@ msgid "<b>Select the user_roles that will transition to %s:</b>"
msgstr ""
#: ../gui/polgen.glade:1019
-msgid "Select the user roles that will transiton to this applications domains."
+msgid "Select the user roles that will transition to this applications domains."
msgstr ""
#: ../gui/polgen.glade:1056
@@ -1873,7 +1873,7 @@ msgid "You must enter a executable"
msgstr ""
#: ../gui/polgengui.py:756 ../gui/system-config-selinux.py:180
-msgid "Configue SELinux"
+msgid "Configure SELinux"
msgstr ""
#: ../gui/portsPage.py:51 ../gui/system-config-selinux.glade:2528
@@ -3722,7 +3722,7 @@ msgstr ""
#: ../sepolicy/sepolicy/generate.py:333
msgid ""
-"Name must be alpha numberic with no spaces. Consider using option \"-n "
+"Name must be alpha numeric with no spaces. Consider using option \"-n "
"MODULENAME\""
msgstr ""
@@ -3948,7 +3948,7 @@ msgstr ""
#: ../sepolicy/sepolicy/sepolicy.glade:826
msgid ""
-"Select Make Path Recursive iff you want to apply this label to all children "
+"Select Make Path Recursive if you want to apply this label to all children "
"of the specified directory path. objects under the directory to have this "
"label."
msgstr ""
diff --git a/policycoreutils/po/zh_CN.po b/policycoreutils/po/zh_CN.po
index 03946d3c..297af9ae 100644
--- a/policycoreutils/po/zh_CN.po
+++ b/policycoreutils/po/zh_CN.po
@@ -1644,7 +1644,7 @@ msgid "<b>Select existing role to modify:</b>"
msgstr "<b>选择现有角色进行修改:</b>"
#: ../gui/polgen.glade:908
-msgid "Select the user roles that will transiton to the %s domain."
+msgid "Select the user roles that will transition to the %s domain."
msgstr "选择è¦è½¬æ¢åˆ° %s 域的用户角色。"
#: ../gui/polgen.glade:928
@@ -1672,7 +1672,7 @@ msgid "<b>Select the user_roles that will transition to %s:</b>"
msgstr "<b>选择è¦è½¬æ¢æˆ %s çš„ user_roles:</b>"
#: ../gui/polgen.glade:1019
-msgid "Select the user roles that will transiton to this applications domains."
+msgid "Select the user roles that will transition to this applications domains."
msgstr "选择è¦è½¬æ¢æˆè¿™ä¸ªç¨‹åºåŸŸçš„用户角色。"
#: ../gui/polgen.glade:1056
@@ -1900,7 +1900,7 @@ msgid "You must enter a executable"
msgstr "您必须输入 executable"
#: ../gui/polgengui.py:756 ../gui/system-config-selinux.py:180
-msgid "Configue SELinux"
+msgid "Configure SELinux"
msgstr "é…ç½® SELinux"
#: ../gui/portsPage.py:51 ../gui/system-config-selinux.glade:2528
@@ -3824,7 +3824,7 @@ msgstr "您必须为您 %s 的策略模å—输入一个å字。"
#: ../sepolicy/sepolicy/generate.py:333
msgid ""
-"Name must be alpha numberic with no spaces. Consider using option \"-n "
+"Name must be alpha numeric with no spaces. Consider using option \"-n "
"MODULENAME\""
msgstr "å称必须是数字字æ¯ç»„åˆï¼Œä¸”没有空格。请考虑使用选项 \"-n MODULENAME\"。"
@@ -4057,7 +4057,7 @@ msgstr ""
#: ../sepolicy/sepolicy/sepolicy.glade:826
msgid ""
-"Select Make Path Recursive iff you want to apply this label to all children "
+"Select Make Path Recursive if you want to apply this label to all children "
"of the specified directory path. objects under the directory to have this "
"label."
msgstr ""
diff --git a/policycoreutils/po/zh_HK.po b/policycoreutils/po/zh_HK.po
index dc7dae81..440dbdef 100644
--- a/policycoreutils/po/zh_HK.po
+++ b/policycoreutils/po/zh_HK.po
@@ -1622,7 +1622,7 @@ msgid "<b>Select existing role to modify:</b>"
msgstr ""
#: ../gui/polgen.glade:908
-msgid "Select the user roles that will transiton to the %s domain."
+msgid "Select the user roles that will transition to the %s domain."
msgstr ""
#: ../gui/polgen.glade:928
@@ -1648,7 +1648,7 @@ msgid "<b>Select the user_roles that will transition to %s:</b>"
msgstr ""
#: ../gui/polgen.glade:1019
-msgid "Select the user roles that will transiton to this applications domains."
+msgid "Select the user roles that will transition to this applications domains."
msgstr ""
#: ../gui/polgen.glade:1056
@@ -1872,7 +1872,7 @@ msgid "You must enter a executable"
msgstr ""
#: ../gui/polgengui.py:756 ../gui/system-config-selinux.py:180
-msgid "Configue SELinux"
+msgid "Configure SELinux"
msgstr ""
#: ../gui/portsPage.py:51 ../gui/system-config-selinux.glade:2528
@@ -3721,7 +3721,7 @@ msgstr ""
#: ../sepolicy/sepolicy/generate.py:333
msgid ""
-"Name must be alpha numberic with no spaces. Consider using option \"-n "
+"Name must be alpha numeric with no spaces. Consider using option \"-n "
"MODULENAME\""
msgstr ""
@@ -3947,7 +3947,7 @@ msgstr ""
#: ../sepolicy/sepolicy/sepolicy.glade:826
msgid ""
-"Select Make Path Recursive iff you want to apply this label to all children "
+"Select Make Path Recursive if you want to apply this label to all children "
"of the specified directory path. objects under the directory to have this "
"label."
msgstr ""
diff --git a/policycoreutils/po/zh_TW.Big5.po b/policycoreutils/po/zh_TW.Big5.po
index afc86a8d..047f9736 100644
--- a/policycoreutils/po/zh_TW.Big5.po
+++ b/policycoreutils/po/zh_TW.Big5.po
@@ -1623,7 +1623,7 @@ msgid "<b>Select existing role to modify:</b>"
msgstr ""
#: ../gui/polgen.glade:908
-msgid "Select the user roles that will transiton to the %s domain."
+msgid "Select the user roles that will transition to the %s domain."
msgstr ""
#: ../gui/polgen.glade:928
@@ -1649,7 +1649,7 @@ msgid "<b>Select the user_roles that will transition to %s:</b>"
msgstr ""
#: ../gui/polgen.glade:1019
-msgid "Select the user roles that will transiton to this applications domains."
+msgid "Select the user roles that will transition to this applications domains."
msgstr ""
#: ../gui/polgen.glade:1056
@@ -1873,7 +1873,7 @@ msgid "You must enter a executable"
msgstr ""
#: ../gui/polgengui.py:756 ../gui/system-config-selinux.py:180
-msgid "Configue SELinux"
+msgid "Configure SELinux"
msgstr ""
#: ../gui/portsPage.py:51 ../gui/system-config-selinux.glade:2528
@@ -3722,7 +3722,7 @@ msgstr ""
#: ../sepolicy/sepolicy/generate.py:333
msgid ""
-"Name must be alpha numberic with no spaces. Consider using option \"-n "
+"Name must be alpha numeric with no spaces. Consider using option \"-n "
"MODULENAME\""
msgstr ""
@@ -3948,7 +3948,7 @@ msgstr ""
#: ../sepolicy/sepolicy/sepolicy.glade:826
msgid ""
-"Select Make Path Recursive iff you want to apply this label to all children "
+"Select Make Path Recursive if you want to apply this label to all children "
"of the specified directory path. objects under the directory to have this "
"label."
msgstr ""
diff --git a/policycoreutils/po/zh_TW.po b/policycoreutils/po/zh_TW.po
index 9f84d797..ea5620f0 100644
--- a/policycoreutils/po/zh_TW.po
+++ b/policycoreutils/po/zh_TW.po
@@ -1654,7 +1654,7 @@ msgid "<b>Select existing role to modify:</b>"
msgstr "<b>é¸æ“‡æ¬²ä¿®æ”¹çš„既有角色:</b>"
#: ../gui/polgen.glade:908
-msgid "Select the user roles that will transiton to the %s domain."
+msgid "Select the user roles that will transition to the %s domain."
msgstr "é¸æ“‡å°‡æœƒè½‰æ›è‡³ %s å€åŸŸçš„使用者角色。"
#: ../gui/polgen.glade:928
@@ -1682,7 +1682,7 @@ msgid "<b>Select the user_roles that will transition to %s:</b>"
msgstr "<b>é¸æ“‡å°‡æœƒè½‰æ›è‡³ %s çš„ user_roles:</b>"
#: ../gui/polgen.glade:1019
-msgid "Select the user roles that will transiton to this applications domains."
+msgid "Select the user roles that will transition to this applications domains."
msgstr "é¸æ“‡å°‡æœƒè½‰æ›è‡³æ­¤æ‡‰ç”¨ç¨‹å¼å€åŸŸçš„使用者角色。"
#: ../gui/polgen.glade:1056
@@ -1916,7 +1916,7 @@ msgid "You must enter a executable"
msgstr "您必須輸入一個å¯åŸ·è¡Œæª”"
#: ../gui/polgengui.py:756 ../gui/system-config-selinux.py:180
-msgid "Configue SELinux"
+msgid "Configure SELinux"
msgstr "é…ç½® SELinux"
#: ../gui/portsPage.py:51 ../gui/system-config-selinux.glade:2528
@@ -3854,7 +3854,7 @@ msgstr "您必須為您的 %s 之政策模組輸入一組å稱。"
#: ../sepolicy/sepolicy/generate.py:333
msgid ""
-"Name must be alpha numberic with no spaces. Consider using option \"-n "
+"Name must be alpha numeric with no spaces. Consider using option \"-n "
"MODULENAME\""
msgstr "å稱必須是字æ¯æ•¸å­—,並且ä¸åŒ…å«ç©ºæ ¼ã€‚請考慮使用 \"-n MODULENAME\" é¸é …"
@@ -4089,7 +4089,7 @@ msgstr ""
#: ../sepolicy/sepolicy/sepolicy.glade:826
msgid ""
-"Select Make Path Recursive iff you want to apply this label to all children "
+"Select Make Path Recursive if you want to apply this label to all children "
"of the specified directory path. objects under the directory to have this "
"label."
msgstr ""
diff --git a/policycoreutils/po/zu.po b/policycoreutils/po/zu.po
index b3060410..06cab62e 100644
--- a/policycoreutils/po/zu.po
+++ b/policycoreutils/po/zu.po
@@ -1623,7 +1623,7 @@ msgid "<b>Select existing role to modify:</b>"
msgstr ""
#: ../gui/polgen.glade:908
-msgid "Select the user roles that will transiton to the %s domain."
+msgid "Select the user roles that will transition to the %s domain."
msgstr ""
#: ../gui/polgen.glade:928
@@ -1649,7 +1649,7 @@ msgid "<b>Select the user_roles that will transition to %s:</b>"
msgstr ""
#: ../gui/polgen.glade:1019
-msgid "Select the user roles that will transiton to this applications domains."
+msgid "Select the user roles that will transition to this applications domains."
msgstr ""
#: ../gui/polgen.glade:1056
@@ -1873,7 +1873,7 @@ msgid "You must enter a executable"
msgstr ""
#: ../gui/polgengui.py:756 ../gui/system-config-selinux.py:180
-msgid "Configue SELinux"
+msgid "Configure SELinux"
msgstr ""
#: ../gui/portsPage.py:51 ../gui/system-config-selinux.glade:2528
@@ -3722,7 +3722,7 @@ msgstr ""
#: ../sepolicy/sepolicy/generate.py:333
msgid ""
-"Name must be alpha numberic with no spaces. Consider using option \"-n "
+"Name must be alpha numeric with no spaces. Consider using option \"-n "
"MODULENAME\""
msgstr ""
@@ -3948,7 +3948,7 @@ msgstr ""
#: ../sepolicy/sepolicy/sepolicy.glade:826
msgid ""
-"Select Make Path Recursive iff you want to apply this label to all children "
+"Select Make Path Recursive if you want to apply this label to all children "
"of the specified directory path. objects under the directory to have this "
"label."
msgstr ""
diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles
index b2779581..5d777034 100755
--- a/policycoreutils/scripts/fixfiles
+++ b/policycoreutils/scripts/fixfiles
@@ -67,7 +67,7 @@ done
}
#
-# Get the default label returned from the kernel for a file with a lable the
+# Get the default label returned from the kernel for a file with a label the
# kernel does not understand
#
get_undefined_type() {
@@ -111,7 +111,7 @@ VERBOSE="-p"
FORCEFLAG=""
RPMFILES=""
PREFC=""
-RESTORE_MODE="DEFAULT"
+RESTORE_MODE=""
SETFILES=/sbin/setfiles
RESTORECON=/sbin/restorecon
FILESYSTEMSRW=`get_rw_labeled_mounts`
@@ -213,16 +213,17 @@ restore () {
OPTION=$1
shift
-case "$RESTORE_MODE" in
- PREFC)
- diff_filecontext $*
- return
- ;;
- BOOTTIME)
+# [-B | -N time ]
+if [ -n "$BOOTTIME" ]; then
newer $BOOTTIME $*
return
- ;;
-esac
+fi
+
+# -C PREVIOUS_FILECONTEXT
+if [ "$RESTORE_MODE" == PREFC ]; then
+ diff_filecontext $*
+ return
+fi
[ -x /usr/sbin/genhomedircon ] && /usr/sbin/genhomedircon
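Review bot: The new test `[ "$RESTORE_MODE" == PREFC ]` uses `==`, which POSIX `test` does not define, so it only works where the script is run by bash; `if [ "$RESTORE_MODE" = PREFC ]; then` behaves the same under both. In the branch above it, `$BOOTTIME` is passed to `newer` unquoted although the `-N` case assigns it directly from `$OPTARG`, so `newer "$BOOTTIME" $*` would keep a value containing whitespace or glob characters as one argument. restore() starts and ends outside this hunk.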
@@ -238,7 +239,7 @@ case "$RESTORE_MODE" in
FILEPATH)
${RESTORECON} ${VERBOSE} ${EXCLUDEDIRS} ${FORCEFLAG} $* -R -- "$FILEPATH"
;;
- DEFAULT)
+ *)
if [ -n "${FILESYSTEMSRW}" ]; then
LogReadOnly
echo "${OPTION}ing `echo ${FILESYSTEMSRW}`"
@@ -271,7 +272,7 @@ fullrelabel() {
relabel() {
- if [ "$RESTORE_MODE" != DEFAULT ]; then
+ if [ -n "$RESTORE_MODE" -a "$RESTORE_MODE" != DEFAULT ]; then
usage
exit 1
fi
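Review bot: The guard added in relabel(), `[ -n "$RESTORE_MODE" -a "$RESTORE_MODE" != DEFAULT ]`, joins two tests with `-a`, which POSIX marks obsolescent and which can be parsed ambiguously depending on the operand values. `if [ -n "$RESTORE_MODE" ] && [ "$RESTORE_MODE" != DEFAULT ]; then` is the unambiguous form. The same expression is added in the `onboot` branch of process() in the next hunk. relabel() continues past the end of this hunk.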
@@ -302,18 +303,18 @@ process() {
case "$1" in
restore) restore Relabel;;
check) VERBOSE="-v"; restore Check -n;;
- verify) restore Verify -n;;
+ verify) VERBOSE="-v"; restore Verify -n;;
relabel) relabel;;
onboot)
- if [ "$RESTORE_MODE" != DEFAULT ]; then
+ if [ -n "$RESTORE_MODE" -a "$RESTORE_MODE" != DEFAULT ]; then
usage
exit 1
fi
> /.autorelabel || exit $?
[ -z "$FORCEFLAG" ] || echo -n "$FORCEFLAG " >> /.autorelabel
[ -z "$BOOTTIME" ] || echo -N $BOOTTIME >> /.autorelabel
- # Force full relabel if / does not have a label on it
- getfilecon / > /dev/null 2>&1 || echo -F >/.autorelabel
+ # Force full relabel if SELinux is not enabled
+ selinuxenabled || echo -F > /.autorelabel
echo "System will relabel on next boot"
;;
*)
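Review bot: In the `onboot` branch, `selinuxenabled` is looked up through `PATH`, while the script pins its other helpers to absolute paths (`/sbin/setfiles`, `/sbin/restorecon`, `/usr/sbin/genhomedircon`). Any non-zero exit, including the command not being found, takes the `||` side, and `echo -F > /.autorelabel` then truncates the file and drops the `$FORCEFLAG` and `-N $BOOTTIME` entries written just above. I would hold the path in a variable next to `SETFILES` and `RESTORECON` (for example `SELINUXENABLED=/usr/sbin/selinuxenabled`, location to be confirmed for the target system), and add a comment such as `# -F replaces any -N entry: a disabled system needs a full relabel` if the overwrite is intended. process() continues outside the hunk.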
@@ -343,7 +344,7 @@ if [ $# -eq 0 ]; then
fi
set_restore_mode() {
- if [ "$RESTORE_MODE" != DEFAULT ]; then
+ if [ -n "$RESTORE_MODE" ]; then
# can't specify two different modes
usage
exit 1
@@ -356,7 +357,7 @@ while getopts "N:BC:FfR:l:v" i; do
case "$i" in
B)
BOOTTIME=`/bin/who -b | awk '{print $3}'`
- set_restore_mode BOOTTIME
+ set_restore_mode DEFAULT
;;
N)
BOOTTIME=$OPTARG
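Review bot: With `-B` now mapped to `set_restore_mode DEFAULT`, an empty `BOOTTIME` silently widens a boot-time-limited run into the default full relabel. `restore()` takes the `newer` path only when `[ -n "$BOOTTIME" ]`, and nothing in the `B)` branch checks that `/bin/who -b | awk '{print $3}'` produced any output. A guard right after the assignment would stop instead of relabeling more than was asked for, e.g. `[ -n "$BOOTTIME" ] || { echo "fixfiles: cannot determine boot time" >&2; exit 1; }`. The `getopts` loop continues outside the hunk.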
diff --git a/policycoreutils/semodule/semodule.c b/policycoreutils/semodule/semodule.c
index a76797f5..a1f75e16 100644
--- a/policycoreutils/semodule/semodule.c
+++ b/policycoreutils/semodule/semodule.c
@@ -22,6 +22,7 @@
#include <libgen.h>
#include <limits.h>
+#include <sepol/cil/cil.h>
#include <semanage/modules.h>
enum client_modes {
@@ -238,7 +239,7 @@ static void parse_command_line(int argc, char **argv)
set_mode(LIST_M, optarg);
break;
case 'v':
- verbose = 1;
+ verbose++;
break;
case 'r':
set_mode(REMOVE_M, optarg);
@@ -350,6 +351,8 @@ int main(int argc, char *argv[])
}
parse_command_line(argc, argv);
+ cil_set_log_level(CIL_ERR + verbose);
+
if (build)
commit = 1;
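Review bot: `cil_set_log_level(CIL_ERR + verbose)` hands an unbounded count to the CIL logger, because the `'v'` case in `parse_command_line()` (previous hunk) now does `verbose++` for every `-v` given. As far as I know `CIL_INFO` is the highest level `cil.h` defines, so the call could be clamped: `cil_set_log_level(verbose > 1 ? CIL_INFO : CIL_ERR + verbose);`. A one-line comment such as `/* each -v raises the CIL log level one step above CIL_ERR */` would also explain the arithmetic on an enum. `main()` continues outside the hunk.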
diff --git a/policycoreutils/setfiles/restore.c b/policycoreutils/setfiles/restore.c
index 9dea5656..d3335d1a 100644
--- a/policycoreutils/setfiles/restore.c
+++ b/policycoreutils/setfiles/restore.c
@@ -17,40 +17,37 @@
char **exclude_list;
int exclude_count;
-struct restore_opts *r_opts;
-
void restore_init(struct restore_opts *opts)
{
int rc;
- r_opts = opts;
struct selinux_opt selinux_opts[] = {
- { SELABEL_OPT_VALIDATE, r_opts->selabel_opt_validate },
- { SELABEL_OPT_PATH, r_opts->selabel_opt_path },
- { SELABEL_OPT_DIGEST, r_opts->selabel_opt_digest }
+ { SELABEL_OPT_VALIDATE, opts->selabel_opt_validate },
+ { SELABEL_OPT_PATH, opts->selabel_opt_path },
+ { SELABEL_OPT_DIGEST, opts->selabel_opt_digest }
};
- r_opts->hnd = selabel_open(SELABEL_CTX_FILE, selinux_opts, 3);
- if (!r_opts->hnd) {
- perror(r_opts->selabel_opt_path);
+ opts->hnd = selabel_open(SELABEL_CTX_FILE, selinux_opts, 3);
+ if (!opts->hnd) {
+ perror(opts->selabel_opt_path);
exit(1);
}
- r_opts->restorecon_flags = 0;
- r_opts->restorecon_flags = r_opts->nochange | r_opts->verbose |
- r_opts->progress | r_opts->set_specctx |
- r_opts->add_assoc | r_opts->ignore_digest |
- r_opts->recurse | r_opts->userealpath |
- r_opts->xdev | r_opts->abort_on_error |
- r_opts->syslog_changes | r_opts->log_matches |
- r_opts->ignore_noent | r_opts->ignore_mounts |
- r_opts->mass_relabel;
+ opts->restorecon_flags = 0;
+ opts->restorecon_flags = opts->nochange | opts->verbose |
+ opts->progress | opts->set_specctx |
+ opts->add_assoc | opts->ignore_digest |
+ opts->recurse | opts->userealpath |
+ opts->xdev | opts->abort_on_error |
+ opts->syslog_changes | opts->log_matches |
+ opts->ignore_noent | opts->ignore_mounts |
+ opts->mass_relabel;
/* Use setfiles, restorecon and restorecond own handles */
- selinux_restorecon_set_sehandle(r_opts->hnd);
+ selinux_restorecon_set_sehandle(opts->hnd);
- if (r_opts->rootpath) {
- rc = selinux_restorecon_set_alt_rootpath(r_opts->rootpath);
+ if (opts->rootpath) {
+ rc = selinux_restorecon_set_alt_rootpath(opts->rootpath);
if (rc) {
fprintf(stderr,
"selinux_restorecon_set_alt_rootpath error: %s.\n",
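Review bot: `opts->restorecon_flags = 0;` is overwritten by the OR-expression in the very next statement, so the line can be dropped while this block is being touched. The element count `3` passed to `selabel_open()` is hard-coded beside the array it describes; `sizeof(selinux_opts) / sizeof(selinux_opts[0])` would keep the two in step if an option is added. `restore_init()` continues outside the hunk.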
@@ -81,7 +78,6 @@ int process_glob(char *name, struct restore_opts *opts)
size_t i = 0;
int len, rc, errors;
- r_opts = opts;
memset(&globbuf, 0, sizeof(globbuf));
errors = glob(name, GLOB_TILDE | GLOB_PERIOD |
@@ -96,7 +92,7 @@ int process_glob(char *name, struct restore_opts *opts)
if (len > 0 && strcmp(&globbuf.gl_pathv[i][len], "/..") == 0)
continue;
rc = selinux_restorecon(globbuf.gl_pathv[i],
- r_opts->restorecon_flags);
+ opts->restorecon_flags);
if (rc < 0)
errors = rc;
}
diff --git a/policycoreutils/setfiles/restorecon.8 b/policycoreutils/setfiles/restorecon.8
index 0f81db45..bbfc83fe 100644
--- a/policycoreutils/setfiles/restorecon.8
+++ b/policycoreutils/setfiles/restorecon.8
@@ -100,7 +100,7 @@ section for further details.
.B \-D
Set or update any directory SHA1 digests. Use this option to
enable usage of the
-.IR security.restorecon_last
+.IR security.sehash
extended attribute.
.TP
.B \-m
@@ -184,10 +184,10 @@ option to
.B restorecon
will cause it to store a SHA1 digest of the default specfiles set in an extended
attribute named
-.IR security.restorecon_last
-on the directory specified in each
+.IR security.sehash
+on each directory specified in
.IR pathname \ ...
-once the relabeling has been completed successfully. This digest will be
+once the relabeling has been completed successfully. These digests will be
checked should
.B restorecon
.B \-D
@@ -204,7 +204,7 @@ option will ignore the SHA1 digest from each directory specified in
and provided the
.B \-n
option is NOT set and recursive mode is set, files will be relabeled as
-required with the digest then being updated provided there are no errors.
+required with the digests then being updated provided there are no errors.
.SH "AUTHOR"
This man page was written by Dan Walsh <dwalsh@redhat.com>.
diff --git a/policycoreutils/setfiles/restorecon_xattr.8 b/policycoreutils/setfiles/restorecon_xattr.8
index 65b28ea6..e04528e6 100644
--- a/policycoreutils/setfiles/restorecon_xattr.8
+++ b/policycoreutils/setfiles/restorecon_xattr.8
@@ -1,7 +1,7 @@
.TH "restorecon_xattr" "8" "24 Sept 2016" "" "SELinux User Command"
.SH "NAME"
restorecon_xattr \- manage
-.I security.restorecon_last
+.I security.sehash
extended attribute entries added by
.BR setfiles (8)
or
@@ -24,7 +24,7 @@ or
.SH "DESCRIPTION"
.B restorecon_xattr
will display the SHA1 digests added to extended attributes
-.I security.restorecon_last
+.I security.sehash
or delete the attribute completely. These attributes are set by
.BR restorecon (8)
or
@@ -43,7 +43,7 @@ from.
and
.B TMPFS
filesystems do not support the
-.I security.restorecon_last
+.I security.sehash
extended attribute and are automatically excluded from searches.
.sp
By default
@@ -62,12 +62,12 @@ option.
.TP
.B \-d
delete all non-matching
-.I security.restorecon_last
+.I security.sehash
directory digest entries.
.TP
.B \-D
delete all
-.I security.restorecon_last
+.I security.sehash
directory digest entries.
.TP
.B \-m
@@ -87,7 +87,10 @@ Do not append "Match" or "No Match" to displayed digests.
recursively descend directories.
.TP
.B \-v
-display SHA1 digest generated by specfile set.
+display SHA1 digest generated by specfile set (Note that this digest is not
+used to match the
+.I security.sehash
+directory digest entries, and is shown for reference only).
.TP
.B \-e
.I directory
@@ -101,11 +104,6 @@ an optional
.I specfile
containing file context entries as described in
.BR file_contexts (5).
-This will be used by
-.BR selabel_open (3)
-to retrieve the set of labeling entries, with the SHA1 digest being
-retrieved by
-.BR selabel_digest (3).
If the option is not specified, then the default file_contexts will be used.
.SH "ARGUMENTS"
diff --git a/policycoreutils/setfiles/restorecon_xattr.c b/policycoreutils/setfiles/restorecon_xattr.c
index 91c087fa..59b1f748 100644
--- a/policycoreutils/setfiles/restorecon_xattr.c
+++ b/policycoreutils/setfiles/restorecon_xattr.c
@@ -27,7 +27,7 @@ static __attribute__((__noreturn__)) void usage(const char *progname)
"-D Delete all digest entries.\n\t"
"-e Directory to exclude (repeat option for more than one directory).\n\t"
"-f Optional specfile for calculating the digest.\n\t"
- "pathname Path to search for xattr \"security.restorecon_last\" entries.\n\n",
+ "pathname Path to search for xattr \"security.sehash\" entries.\n\n",
progname);
exit(-1);
}
diff --git a/policycoreutils/setfiles/setfiles.8 b/policycoreutils/setfiles/setfiles.8
index ccaaf4de..c9f8be06 100644
--- a/policycoreutils/setfiles/setfiles.8
+++ b/policycoreutils/setfiles/setfiles.8
@@ -90,7 +90,7 @@ section for further details.
.B \-D
Set or update any directory SHA1 digests. Use this option to
enable usage of the
-.IR security.restorecon_last
+.IR security.sehash
extended attribute.
.TP
.B \-l
@@ -228,10 +228,10 @@ option to
will cause it to store a SHA1 digest of the
.B spec_file
set in an extended attribute named
-.IR security.restorecon_last
-on the directory specified in each
+.IR security.sehash
+on each directory specified in
.IR pathname \ ...
-once the relabeling has been completed successfully. This digest will be
+once the relabeling has been completed successfully. These digests will be
checked should
.B setfiles
.B \-D
@@ -250,7 +250,7 @@ option will ignore the SHA1 digest from each directory specified in
.IR pathname \ ...
and provided the
.B \-n
-option is NOT set, files will be relabeled as required with the digest then
+option is NOT set, files will be relabeled as required with the digests then
being updated provided there are no errors.
.SH "AUTHOR"
diff --git a/python/VERSION b/python/VERSION
index 8c269150..9f55b2cc 100644
--- a/python/VERSION
+++ b/python/VERSION
@@ -1 +1 @@
-2.9
+3.0
diff --git a/python/audit2allow/sepolgen-ifgen b/python/audit2allow/sepolgen-ifgen
index be2d093b..4a71cda4 100644
--- a/python/audit2allow/sepolgen-ifgen
+++ b/python/audit2allow/sepolgen-ifgen
@@ -53,7 +53,7 @@ def parse_options():
parser.add_option("-a", "--attribute_info", dest="attribute_info")
parser.add_option("-p", "--policy", dest="policy_path")
parser.add_option("-v", "--verbose", action="store_true", default=False,
- help="print debuging output")
+ help="print debugging output")
parser.add_option("-d", "--debug", action="store_true", default=False,
help="extra debugging output")
parser.add_option("--attr-helper", default=ATTR_HELPER,
@@ -126,7 +126,7 @@ def main():
else:
log = None
- # Get the attibutes from the binary
+ # Get the attributes from the binary
attrs = None
if not options.no_attrs:
attrs = get_attrs(options.policy_path, options.attr_helper)
diff --git a/python/chcat/chcat b/python/chcat/chcat
index ba398684..fdd2e46e 100755
--- a/python/chcat/chcat
+++ b/python/chcat/chcat
@@ -115,7 +115,6 @@ def chcat_add(orig, newcat, objects, login_ind):
errors = 0
sensitivity = newcat[0]
cat = newcat[1]
- cmd = 'chcon -l %s' % sensitivity
for f in objects:
(rc, c) = selinux.getfilecon(f)
con = c.split(":")[3:]
diff --git a/python/semanage/semanage b/python/semanage/semanage
index 144cc000..b2fabea6 100644
--- a/python/semanage/semanage
+++ b/python/semanage/semanage
@@ -73,9 +73,6 @@ usage_interface_dict = {' --add': ('-t TYPE', '-r RANGE', 'interface'), ' --modi
usage_boolean = "semanage boolean [-h] [-n] [-N] [-S STORE] ["
usage_boolean_dict = {' --modify': ('(', '--on', '|', '--off', ')', 'boolean'), ' --list': ('-C',), ' --extract': ('',), ' --deleteall': ('',)}
-
-
-
class CheckRole(argparse.Action):
def __call__(self, parser, namespace, value, option_string=None):
@@ -237,7 +234,7 @@ def parser_add_level(parser, name):
def parser_add_range(parser, name):
- parser.add_argument('-r', '--range', default="s0",
+ parser.add_argument('-r', '--range', default='',
help=_('''
MLS/MCS Security Range (MLS/MCS Systems only)
SELinux Range for SELinux login mapping
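Review bot: Changing the `--range` default from `"s0"` to `''` means consumers of `args.range` now get an empty string where they used to get a valid range. The help text later in the same string (outside the hunk) still says the user range defaults to s0. Those consumers are not visible here, so please confirm that each one treats `''` as "not supplied" rather than passing it on as a range. A short comment above the `add_argument` call would record the intent, e.g. `# '' = not given; the record's own default range applies`.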
@@ -248,7 +245,7 @@ SELinux Range for SELinux user defaults to s0.
def parser_add_proto(parser, name):
parser.add_argument('-p', '--proto', help=_('''
- Protocol for the specified port (tcp|udp) or internet protocol
+ Protocol for the specified port (tcp|udp|dccp|sctp) or internet protocol
version for the specified node (ipv4|ipv6).
'''))
@@ -737,6 +734,11 @@ def handlePermissive(args):
if args.action == "list":
OBJECT.list(args.noheading)
+ elif args.action == "deleteall":
+ OBJECT.deleteall()
+ elif args.action == "extract":
+ for i in OBJECT.customized():
+ print("permissive %s" % str(i))
elif args.type is not None:
if args.action == "add":
OBJECT.add(args.type)
@@ -752,9 +754,9 @@ def setupPermissiveParser(subparsers):
pgroup = permissiveParser.add_mutually_exclusive_group(required=True)
parser_add_add(pgroup, "permissive")
parser_add_delete(pgroup, "permissive")
+ parser_add_deleteall(pgroup, "permissive")
+ parser_add_extract(pgroup, "permissive")
parser_add_list(pgroup, "permissive")
- #TODO: probably should be also added => need to implement own option handling
- #parser_add_deleteall(pgroup)
parser_add_noheading(permissiveParser, "permissive")
parser_add_noreload(permissiveParser, "permissive")
@@ -778,7 +780,7 @@ def setupDontauditParser(subparsers):
def handleExport(args):
- manageditems = ["boolean", "login", "interface", "user", "port", "node", "fcontext", "module", "ibendport", "ibpkey"]
+ manageditems = ["boolean", "login", "interface", "user", "port", "node", "fcontext", "module", "ibendport", "ibpkey", "permissive"]
for i in manageditems:
print("%s -D" % i)
for i in manageditems:
@@ -906,7 +908,7 @@ def createCommandParser():
def make_io_args(args):
- # import/export backward compability
+ # import/export backward compatibility
args_origin = ["-S", "-o", "-i", "targeted", "minimum", "mls"]
args_file = []
args_ie = []
diff --git a/python/semanage/semanage-permissive.8 b/python/semanage/semanage-permissive.8
index 1999a451..5c3364fa 100644
--- a/python/semanage/semanage-permissive.8
+++ b/python/semanage/semanage-permissive.8
@@ -2,7 +2,7 @@
.SH "NAME"
.B semanage\-permissive \- SELinux Policy Management permissive mapping tool
.SH "SYNOPSIS"
-.B semanage permissive [\-h] (\-a | \-d | \-l) [\-n] [\-N] [\-S STORE] [type]
+.B semanage permissive [\-h] [\-n] [\-N] [\-S STORE] (\-\-add TYPE | \-\-delete TYPE | \-\-deleteall | \-\-extract | \-\-list)
.SH "DESCRIPTION"
semanage is used to configure certain elements of SELinux policy without requiring modification to or recompilation from policy sources. semanage permissive adds or removes a SELinux Policy permissive module.
@@ -18,9 +18,15 @@ Add a record of the specified object type
.I \-d, \-\-delete
Delete a record of the specified object type
.TP
+.I \-D, \-\-deleteall
+Remove all local customizations of permissive domains
+.TP
.I \-l, \-\-list
List records of the specified object type
.TP
+.I \-E, \-\-extract
+Extract customizable commands, for use within a transaction
+.TP
.I \-n, \-\-noheading
Do not print heading when listing the specified object type
.TP
diff --git a/python/semanage/semanage-port.8 b/python/semanage/semanage-port.8
index a21287c0..12ec14c2 100644
--- a/python/semanage/semanage-port.8
+++ b/python/semanage/semanage-port.8
@@ -49,7 +49,7 @@ SELinux type for the object
MLS/MCS Security Range (MLS/MCS Systems only) SELinux Range for SELinux login mapping defaults to the SELinux user record range. SELinux Range for SELinux user defaults to s0.
.TP
.I \-p PROTO, \-\-proto PROTO
-Protocol for the specified port (tcp|udp) or internet protocol version for the specified node (ipv4|ipv6).
+Protocol for the specified port (tcp|udp|dccp|sctp) or internet protocol version for the specified node (ipv4|ipv6).
.SH EXAMPLE
.nf
diff --git a/python/semanage/seobject.py b/python/semanage/seobject.py
index 13fdf531..0e9ce290 100644
--- a/python/semanage/seobject.py
+++ b/python/semanage/seobject.py
@@ -380,7 +380,7 @@ class moduleRecords(semanageRecords):
def customized(self):
all = self.get_all()
if len(all) == 0:
- return
+ return []
return ["-d %s" % x[0] for x in [t for t in all if t[1] == 0]]
def list(self, heading=1, locallist=0):
@@ -478,6 +478,9 @@ class permissiveRecords(semanageRecords):
l.append(name.split("permissive_")[1])
return l
+ def customized(self):
+ return ["-a %s" % x for x in sorted(self.get_all())]
+
def list(self, heading=1, locallist=0):
all = [y["name"] for y in [x for x in sepolicy.info(sepolicy.TYPE) if x["permissive"]]]
if len(all) == 0:
@@ -1055,17 +1058,23 @@ class portRecords(semanageRecords):
pass
def __genkey(self, port, proto):
- if proto == "tcp":
- proto_d = SEMANAGE_PROTO_TCP
+ protocols = {"tcp": SEMANAGE_PROTO_TCP,
+ "udp": SEMANAGE_PROTO_UDP,
+ "sctp": SEMANAGE_PROTO_SCTP,
+ "dccp": SEMANAGE_PROTO_DCCP}
+
+ if proto in protocols.keys():
+ proto_d = protocols[proto]
else:
- if proto == "udp":
- proto_d = SEMANAGE_PROTO_UDP
- else:
- raise ValueError(_("Protocol udp or tcp is required"))
+ raise ValueError(_("Protocol has to be one of udp, tcp, dccp or sctp"))
if port == "":
raise ValueError(_("Port is required"))
- ports = port.split("-")
+ if isinstance(port, str):
+ ports = port.split('-', 1)
+ else:
+ ports = (port,)
+
if len(ports) == 1:
high = low = int(ports[0])
else:
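Review bot: The port text still reaches `int()` unchecked, so input such as `80-` or `-1` (which `split('-', 1)` turns into an empty first field) surfaces the interpreter's untranslated `invalid literal for int()` message. The protocol and empty-port checks in the same method raise `_()` errors instead. Wrapping the conversions in `try`/`except ValueError` and re-raising a translated message would make the validation consistent. The conversions in the `else:` branch lie outside the hunk, so this applies there too. A smaller point: `proto in protocols.keys()` can be written `proto in protocols`.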
@@ -1849,7 +1858,7 @@ class nodeRecords(semanageRecords):
if addr == "":
raise ValueError(_("Node Address is required"))
- # verify valid comination
+ # verify valid combination
if len(mask) == 0 or mask[0] == "/":
i = IP(addr + mask)
newaddr = i.strNormal(0)
diff --git a/python/sepolgen/HACKING b/python/sepolgen/HACKING
index a0ec3235..f7d07774 100644
--- a/python/sepolgen/HACKING
+++ b/python/sepolgen/HACKING
@@ -24,7 +24,7 @@ etc.).
This representation can be used as output from the parser to represent
the reference policy interfaces. It can also be used to generate
-policy by building up the relevent data structures and then outputting
+policy by building up the relevant data structures and then outputting
them. See sepolgen.policygen and sepolgen.output for information on how
this can be done.
@@ -75,5 +75,3 @@ Information about the SELinux object classes. This is semantic
information about the object classes - including information flow. It
is separated to keep the core from being concerned about the details
of the object classes.
-
-[selist]: http://www.nsa.gov/research/selinux/info/list.cfm
diff --git a/python/sepolgen/VERSION b/python/sepolgen/VERSION
index 8c269150..9f55b2cc 100644
--- a/python/sepolgen/VERSION
+++ b/python/sepolgen/VERSION
@@ -1 +1 @@
-2.9
+3.0
diff --git a/python/sepolgen/src/sepolgen/access.py b/python/sepolgen/src/sepolgen/access.py
index ba80f939..791b9e85 100644
--- a/python/sepolgen/src/sepolgen/access.py
+++ b/python/sepolgen/src/sepolgen/access.py
@@ -23,7 +23,7 @@ Classes representing basic access.
SELinux - at the most basic level - represents access as
the 4-tuple subject (type or context), target (type or context),
object class, permission. The policy language elaborates this basic
-access to faciliate more concise rules (e.g., allow rules can have multiple
+access to facilitate more concise rules (e.g., allow rules can have multiple
source or target types - see refpolicy for more information).
This module has objects for representing the most basic access (AccessVector)
@@ -37,12 +37,12 @@ from . import util
from selinux import audit2why
def is_idparam(id):
- """Determine if an id is a paramater in the form $N, where N is
+ """Determine if an id is a parameter in the form $N, where N is
an integer.
Returns:
- True if the id is a paramater
- False if the id is not a paramater
+ True if the id is a parameter
+ False if the id is not a parameter
"""
if len(id) > 1 and id[0] == '$':
try:
@@ -167,7 +167,7 @@ class AccessVector(util.Comparison):
def avrule_to_access_vectors(avrule):
"""Convert an avrule into a list of access vectors.
- AccessVectors and AVRules are similary, but differ in that
+ AccessVectors and AVRules are similarly, but differ in that
an AVRule can more than one source type, target type, and
object class. This function expands a single avrule into a
list of one or more AccessVectors representing the access
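Review bot: The corrected docstring line still does not read correctly, since "are similarly, but differ" needs the adjective. The following context line is also missing a verb. I would write the sentence as `AccessVectors and AVRules are similar, but differ in that` / `an AVRule can have more than one source type, target type, and`.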
@@ -223,7 +223,7 @@ class AccessVectorSet:
def __len__(self):
"""Return the number of unique access vectors in the set.
- Because of the inernal representation of the access vector set,
+ Because of the internal representation of the access vector set,
__len__ is not a constant time operation. Worst case is O(N)
where N is the number of unique access vectors, but the common
case is probably better.
@@ -317,7 +317,7 @@ def avs_extract_obj_perms(avs):
class RoleTypeSet:
"""A non-overlapping set of role type statements.
- This clas allows the incremental addition of role type statements and
+ This class allows the incremental addition of role type statements and
maintains a non-overlapping list of statements.
"""
def __init__(self):
diff --git a/python/sepolgen/src/sepolgen/interfaces.py b/python/sepolgen/src/sepolgen/interfaces.py
index f4d3e5c5..eadf3a3c 100644
--- a/python/sepolgen/src/sepolgen/interfaces.py
+++ b/python/sepolgen/src/sepolgen/interfaces.py
@@ -33,7 +33,7 @@ from .sepolgeni18n import _
class Param:
"""
- Object representing a paramater for an interface.
+ Object representing a parameter for an interface.
"""
def __init__(self):
self.__name = ""
@@ -66,7 +66,7 @@ def __param_insert(name, type, av, params):
# The entries are identical - we're done
if type == p.type:
return
- # Hanldle implicitly typed objects (like process)
+ # Handle implicitly typed objects (like process)
if (type == refpolicy.SRC_TYPE or type == refpolicy.TGT_TYPE) and \
(p.type == refpolicy.TGT_TYPE or p.type == refpolicy.SRC_TYPE):
#print name, refpolicy.field_to_str[p.type]
@@ -104,9 +104,9 @@ def __param_insert(name, type, av, params):
def av_extract_params(av, params):
- """Extract the paramaters from an access vector.
+ """Extract the parameters from an access vector.
- Extract the paramaters (in the form $N) from an access
+ Extract the parameters (in the form $N) from an access
vector, storing them as Param objects in a dictionary.
Some attempt is made at resolving conflicts with other
entries in the dict, but if an unresolvable conflict is
@@ -132,7 +132,7 @@ def av_extract_params(av, params):
allow fingerd_t $1:process sigchld;
')
- Here the usage seems ambigious, but it is not. $1 is still domain
+ Here the usage seems ambiguous, but it is not. $1 is still domain
and therefore should be returned as a SRC_TYPE.
Returns:
@@ -245,7 +245,7 @@ class InterfaceVector:
# this will include indirect access from typeattribute
# statements.
self.access = access.AccessVectorSet()
- # Paramaters are stored in a dictionary (key: param name
+ # Parameters are stored in a dictionary (key: param name
# value: Param object).
self.params = { }
if interface:
@@ -284,13 +284,13 @@ class InterfaceVector:
self.add_av(av)
- # Extract paramaters from roles
+ # Extract parameters from roles
for role in interface.roles():
if role_extract_params(role, self.params):
pass
#print "found conflicting role param %s for interface %s" % \
# (role.name, interface.name)
- # Extract paramaters from type rules
+ # Extract parameters from type rules
for rule in interface.typerules():
if type_rule_extract_params(rule, self.params):
pass
diff --git a/python/sepolgen/src/sepolgen/matching.py b/python/sepolgen/src/sepolgen/matching.py
index 6f86359d..a2f2d1b5 100644
--- a/python/sepolgen/src/sepolgen/matching.py
+++ b/python/sepolgen/src/sepolgen/matching.py
@@ -149,7 +149,7 @@ class AccessMatcher:
prov - [AccessVector] The access provided. This is the potential
match that is being evaluated for req.
Returns:
- 0 : Exact match between the acess vectors.
+ 0 : Exact match between the access vectors.
< 0 : The prov av does not provide all of the access in req.
A smaller value indicates that the access is further.
diff --git a/python/sepolgen/src/sepolgen/module.py b/python/sepolgen/src/sepolgen/module.py
index 8766dd9d..745364cd 100644
--- a/python/sepolgen/src/sepolgen/module.py
+++ b/python/sepolgen/src/sepolgen/module.py
@@ -95,7 +95,7 @@ class ModuleCompiler:
module compiler (checkmodule) and module packager (semodule_package).
You are likely interested in the create_module_package method.
- Several options are controlled via paramaters (only effects the
+ Several options are controlled via parameters (only effects the
non-refpol builds):
.mls [boolean] Generate an MLS module (by passed -M to
diff --git a/python/sepolgen/src/sepolgen/objectmodel.py b/python/sepolgen/src/sepolgen/objectmodel.py
index d05d721f..84955f7c 100644
--- a/python/sepolgen/src/sepolgen/objectmodel.py
+++ b/python/sepolgen/src/sepolgen/objectmodel.py
@@ -47,7 +47,7 @@ implicitly_typed_objects = ["socket", "fd", "process", "file", "lnk_file", "fifo
# All of the permissions in SELinux can be described in terms of
# information flow. For example, a read of a file is a flow of
# information from that file to the process reading. Viewing
-# permissions in these terms can be used to model a varity of
+# permissions in these terms can be used to model a variety of
# security properties.
#
# Here we have some infrastructure for understanding permissions
@@ -70,7 +70,7 @@ FLOW_READ = 1
FLOW_WRITE = 2
FLOW_BOTH = FLOW_READ | FLOW_WRITE
-# These are used by the parser and for nice disply of the directions
+# These are used by the parser and for nice display of the directions
str_to_dir = { "n" : FLOW_NONE, "r" : FLOW_READ, "w" : FLOW_WRITE, "b" : FLOW_BOTH }
dir_to_str = { FLOW_NONE : "n", FLOW_READ : "r", FLOW_WRITE : "w", FLOW_BOTH : "b" }
@@ -106,7 +106,7 @@ class PermMappings:
"""Read the permission mappings from a file. This reads the format used
by Apol in the setools suite.
"""
- # This parsing is deliberitely picky and bails at the least error. It
+ # This parsing is deliberately picky and bails at the least error. It
# is assumed that the permission map file will be shipped as part
# of sepolgen and not user modified, so this is a reasonable design
# choice. If user supplied permission mappings are needed the parser
@@ -124,7 +124,7 @@ class PermMappings:
cur = self.classes[c]
else:
if len(fields) != 3:
- raise ValueError("error in object classs permissions")
+ raise ValueError("error in object class permissions")
if cur is None:
raise ValueError("permission outside of class")
pm = PermMap(fields[0], str_to_dir[fields[1]], int(fields[2]))
diff --git a/python/sepolgen/src/sepolgen/policygen.py b/python/sepolgen/src/sepolgen/policygen.py
index 319da151..8f0ce26e 100644
--- a/python/sepolgen/src/sepolgen/policygen.py
+++ b/python/sepolgen/src/sepolgen/policygen.py
@@ -54,7 +54,7 @@ class PolicyGenerator:
permission access vector rules. By default only allow rules
are generated. The methods .set_gen_refpol, .set_gen_requires
and .set_gen_xperms turns on interface generation,
- requires generation, and xperms rules genration respectively.
+ requires generation, and xperms rules generation respectively.
PolicyGenerator can also optionally add comments explaining
why a particular access was allowed based on the audit
@@ -70,7 +70,7 @@ class PolicyGenerator:
"""Initialize a PolicyGenerator with an optional
existing module.
- If the module paramater is not None then access
+ If the module parameter is not None then access
will be added to the passed in module. Otherwise
a new reference policy module will be created.
"""
@@ -339,7 +339,7 @@ class InterfaceGenerator:
def hack_check_ifs(self, ifs):
# FIXME: Disable interfaces we can't call - this is a hack.
- # Because we don't handle roles, multiple paramaters, etc.,
+ # Because we don't handle roles, multiple parameters, etc.,
# etc., we must make certain we can actually use a returned
# interface.
for x in ifs.interfaces.values():
@@ -347,7 +347,7 @@ class InterfaceGenerator:
params.extend(x.params.values())
params.sort(key=lambda param: param.num, reverse=True)
for i in range(len(params)):
- # Check that the paramater position matches
+ # Check that the parameter position matches
# the number (e.g., $1 is the first arg). This
# will fail if the parser missed something.
if (i + 1) != params[i].num:
diff --git a/python/sepolgen/src/sepolgen/refparser.py b/python/sepolgen/src/sepolgen/refparser.py
index f506dc3a..2e521a0f 100644
--- a/python/sepolgen/src/sepolgen/refparser.py
+++ b/python/sepolgen/src/sepolgen/refparser.py
@@ -207,7 +207,7 @@ t_TICK = r'\`'
t_SQUOTE = r'\''
t_OBRACE = r'\{'
t_CBRACE = r'\}'
-# This will handle spurios extra ';' via the +
+# This will handle spurious extra ';' via the +
t_SEMI = r'\;+'
t_COLON = r'\:'
t_OPAREN = r'\('
diff --git a/python/sepolgen/src/sepolgen/refpolicy.py b/python/sepolgen/src/sepolgen/refpolicy.py
index e3dd33a2..43cecfc7 100644
--- a/python/sepolgen/src/sepolgen/refpolicy.py
+++ b/python/sepolgen/src/sepolgen/refpolicy.py
@@ -177,7 +177,7 @@ def walktree(node, depthfirst=True, showdepth=False, type=None):
The walktree function iterates over a tree containing Nodes and
leaf objects. The iteration can perform a depth first or a breadth
first traversal of the tree (controlled by the depthfirst
- paramater. The passed in node will be returned.
+ parameter. The passed in node will be returned.
This function will only work correctly for trees - arbitrary graphs
will likely cause infinite looping.
@@ -242,7 +242,7 @@ def list_to_space_str(s, cont=('{', '}')):
def list_to_comma_str(s):
l = len(s)
if l < 1:
- raise ValueError("cannot conver 0 len set to comma string")
+ raise ValueError("cannot convert 0 len set to comma string")
return ", ".join(s)
diff --git a/python/sepolgen/src/sepolgen/util.py b/python/sepolgen/src/sepolgen/util.py
index f5b66d03..bd68d813 100644
--- a/python/sepolgen/src/sepolgen/util.py
+++ b/python/sepolgen/src/sepolgen/util.py
@@ -79,8 +79,8 @@ def first(s, sorted=False):
Otherwise a random element will be returned (as sets are not ordered).
"""
if not len(s):
- raise IndexError("empty containter")
-
+ raise IndexError("empty container")
+
if sorted:
l = set_to_list(s)
l.sort()
@@ -119,7 +119,7 @@ class Comparison():
"""Class used when implementing rich comparison.
Inherit from this class if you want to have a rich
- comparison withing the class, afterwards implement
+ comparison within the class, afterwards implement
_compare function within your class."""
def _compare(self, other, method):
diff --git a/python/sepolgen/tests/test_refpolicy.py b/python/sepolgen/tests/test_refpolicy.py
index 64c48dfd..4b50c8aa 100644
--- a/python/sepolgen/tests/test_refpolicy.py
+++ b/python/sepolgen/tests/test_refpolicy.py
@@ -36,7 +36,7 @@ class TestIdSet(unittest.TestCase):
class TestXpermSet(unittest.TestCase):
def test_init(self):
- """ Test that all atttributes are correctly initialized. """
+ """ Test that all attributes are correctly initialized. """
s1 = refpolicy.XpermSet()
self.assertEqual(s1.complement, False)
self.assertEqual(s1.ranges, [])
diff --git a/python/sepolicy/sepolicy.py b/python/sepolicy/sepolicy.py
index 1934cd86..7b223065 100755
--- a/python/sepolicy/sepolicy.py
+++ b/python/sepolicy/sepolicy.py
@@ -25,6 +25,7 @@ import os
import sys
import selinux
import sepolicy
+from multiprocessing import Pool
from sepolicy import get_os_version, get_conditionals, get_conditionals_format_text
import argparse
PROGNAME = "policycoreutils"
@@ -326,8 +327,13 @@ def gen_gui_args(parser):
gui.set_defaults(func=gui_run)
+def manpage_work(domain, path, root, source_files, web):
+ from sepolicy.manpage import ManPage
+ m = ManPage(domain, path, root, source_files, web)
+ print(m.get_man_page_path())
+
def manpage(args):
- from sepolicy.manpage import ManPage, HTMLManPages, manpage_domains, manpage_roles, gen_domains
+ from sepolicy.manpage import HTMLManPages, manpage_domains, manpage_roles, gen_domains
path = args.path
if not args.policy and args.root != "/":
@@ -340,9 +346,11 @@ def manpage(args):
else:
test_domains = args.domain
+ p = Pool()
for domain in test_domains:
- m = ManPage(domain, path, args.root, args.source_files, args.web)
- print(m.get_man_page_path())
+ p.apply_async(manpage_work, [domain, path, args.root, args.source_files, args.web])
+ p.close()
+ p.join()
if args.web:
HTMLManPages(manpage_roles, manpage_domains, path, args.os)
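Review bot: The `AsyncResult` objects returned by `p.apply_async(...)` are thrown away, so an exception raised inside `manpage_work` is never re-raised in the parent and a failed man page goes unreported. The serial loop this replaces would have stopped on that error. Keeping the results and calling `.get()` on each after `p.join()` restores that behaviour. Separately, if `ManPage` fills `manpage_roles` and `manpage_domains` as a side effect (not visible here), those lists would stay empty in the parent now that the work runs in child processes, which would affect the `HTMLManPages` call under `args.web`; please confirm. `manpage()` starts outside the hunk.
```python
# … unchanged: test_domains selection …
p = Pool()
pending = [p.apply_async(manpage_work, [domain, path, args.root, args.source_files, args.web])
           for domain in test_domains]
p.close()
p.join()
for result in pending:
    result.get()  # re-raises any exception from the worker
# … unchanged: HTMLManPages call for args.web …
```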
diff --git a/python/sepolicy/sepolicy/__init__.py b/python/sepolicy/sepolicy/__init__.py
index 6aed31bd..e4540977 100644
--- a/python/sepolicy/sepolicy/__init__.py
+++ b/python/sepolicy/sepolicy/__init__.py
@@ -539,7 +539,6 @@ def find_file(reg):
path += "/"
except IndexError:
print("try failed got an IndexError")
- pass
try:
pat = re.compile(r"%s$" % reg)
diff --git a/python/sepolicy/sepolicy/booleans.py b/python/sepolicy/sepolicy/booleans.py
index ad07ab04..59c444b0 100644
--- a/python/sepolicy/sepolicy/booleans.py
+++ b/python/sepolicy/sepolicy/booleans.py
@@ -1,7 +1,7 @@
# Copyright (C) 2012 Red Hat
# see file 'COPYING' for use and warranty information
#
-# setrans is a tool for analyzing process transistions in SELinux policy
+# setrans is a tool for analyzing process transitions in SELinux policy
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
diff --git a/python/sepolicy/sepolicy/communicate.py b/python/sepolicy/sepolicy/communicate.py
index 37400220..238f9ab3 100755
--- a/python/sepolicy/sepolicy/communicate.py
+++ b/python/sepolicy/sepolicy/communicate.py
@@ -1,7 +1,7 @@
# Copyright (C) 2012 Red Hat
# see file 'COPYING' for use and warranty information
#
-# setrans is a tool for analyzing process transistions in SELinux policy
+# setrans is a tool for analyzing process transitions in SELinux policy
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
diff --git a/python/sepolicy/sepolicy/generate.py b/python/sepolicy/sepolicy/generate.py
index 019e7836..e8d07e7d 100644
--- a/python/sepolicy/sepolicy/generate.py
+++ b/python/sepolicy/sepolicy/generate.py
@@ -26,7 +26,6 @@ import re
import sepolicy
from sepolicy import get_all_types, get_all_attributes, get_all_roles
import time
-import platform
from .templates import executable
from .templates import boolean
@@ -341,7 +340,7 @@ class policy:
(self.generate_root_user_types, self.generate_root_user_rules),
(self.generate_new_types, self.generate_new_rules))
if not re.match(r"^[a-zA-Z0-9-_]+$", name):
- raise ValueError(_("Name must be alpha numberic with no spaces. Consider using option \"-n MODULENAME\""))
+ raise ValueError(_("Name must be alpha numeric with no spaces. Consider using option \"-n MODULENAME\""))
if type == CGI:
self.name = "httpd_%s_script" % name
@@ -1178,8 +1177,7 @@ allow %s_t %s_t:%s_socket name_%s;
newsh += re.sub("TEMPLATETYPE", self.name, t1)
newsh += self.generate_user_sh()
- if (platform.linux_distribution(full_distribution_name=0)[0] in ("redhat", "centos", "SuSE", "fedora", "mandrake", "mandriva")):
- newsh += re.sub("TEMPLATEFILE", self.file_name, script.rpm)
+ newsh += re.sub("TEMPLATEFILE", self.file_name, script.rpm)
return newsh
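Review bot: With the `platform.linux_distribution()` test removed, `script.rpm` is appended to every generated setup script here, and the `write_spec` line in the `-1379` hunk below is likewise unconditional, so systems that are not RPM-based now get the RPM step and a spec file too. Nothing in the code records that this is intentional; a comment above the line such as `# always emit the RPM section: platform.linux_distribution() was removed in Python 3.8` would explain why the distribution check went away. If the RPM step in the generated script fails when the rpm tooling is absent (the template is not visible here), a guard inside the template would be the safer place for the check. The enclosing method starts and ends outside the hunk.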
@@ -1379,7 +1377,6 @@ Warning %s does not exist
out += "%s # %s\n" % (self.write_if(out_dir), _("Interface file"))
out += "%s # %s\n" % (self.write_fc(out_dir), _("File Contexts file"))
if self.type != NEWTYPE:
- if (platform.linux_distribution(full_distribution_name=0)[0] in ("redhat", "centos", "SuSE", "fedora", "mandrake", "mandriva")):
- out += "%s # %s\n" % (self.write_spec(out_dir), _("Spec file"))
+ out += "%s # %s\n" % (self.write_spec(out_dir), _("Spec file"))
out += "%s # %s\n" % (self.write_sh(out_dir), _("Setup Script"))
return out
diff --git a/python/sepolicy/sepolicy/gui.py b/python/sepolicy/sepolicy/gui.py
index 00fd7a11..1e86422b 100644
--- a/python/sepolicy/sepolicy/gui.py
+++ b/python/sepolicy/sepolicy/gui.py
@@ -1023,7 +1023,7 @@ class SELinuxGui():
self.delete_button.set_sensitive(True)
# Clear the tree to prepare for a new selection otherwise
self.executable_files_liststore.clear()
- # data will pile up everytime the user selects a new item from the drop down menu
+ # data will pile up every time the user selects a new item from the drop down menu
self.network_in_liststore.clear()
self.network_out_liststore.clear()
self.boolean_liststore.clear()
@@ -1894,7 +1894,7 @@ class SELinuxGui():
tree.set_value(iter, 2, fclass)
def restore_to_default(self, *args):
- print("restore to defualt clicked...")
+ print("restore to default clicked...")
def invalid_entry_retry(self, *args):
self.closewindow(self.error_check_window)
diff --git a/python/sepolicy/sepolicy/interface.py b/python/sepolicy/sepolicy/interface.py
index 583091ae..187419fa 100644
--- a/python/sepolicy/sepolicy/interface.py
+++ b/python/sepolicy/sepolicy/interface.py
@@ -196,7 +196,7 @@ def get_xml_file(if_file):
from subprocess import getstatusoutput
basedir = os.path.dirname(if_file) + "/"
filename = os.path.basename(if_file).split(".")[0]
- rc, output = getstatusoutput("python /usr/share/selinux/devel/include/support/segenxml.py -w -m %s" % basedir + filename)
+ rc, output = getstatusoutput("/usr/bin/python3 /usr/share/selinux/devel/include/support/segenxml.py -w -m %s" % (basedir + filename))
if rc != 0:
sys.stderr.write("\n Could not proceed selected interface file.\n")
sys.stderr.write("\n%s" % output)
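Review bot: The command on the changed line is still assembled as one string and handed to `getstatusoutput`, which runs it through a shell, so shell metacharacters in `basedir` or `filename` are interpreted instead of reaching segenxml.py as part of a path. Where `if_file` comes from is not visible in this hunk, so it should be treated as caller-controlled. Quoting the argument closes this: add `from shlex import quote` next to the existing import and end the call with `-w -m %s" % quote(basedir + filename))`. Passing an argv list to `subprocess.run` would avoid the shell altogether. `get_xml_file` starts before the hunk and continues after it.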
diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
index 1d367962..44260819 100755
--- a/python/sepolicy/sepolicy/manpage.py
+++ b/python/sepolicy/sepolicy/manpage.py
@@ -782,7 +782,7 @@ SELinux %(domainname)s policy is very flexible allowing users to setup their %(d
for e in equiv:
self.fd.write(r"""
.PP
-%(domainname)s policy stores data with multiple different file context types under the %(equiv)s directory. If you would like to store the data in a different directory you can use the semanage command to create an equivalence mapping. If you wanted to store this data under the /srv dirctory you would execute the following command:
+%(domainname)s policy stores data with multiple different file context types under the %(equiv)s directory. If you would like to store the data in a different directory you can use the semanage command to create an equivalence mapping. If you wanted to store this data under the /srv directory you would execute the following command:
.PP
.B semanage fcontext -a -e %(equiv)s /srv/%(alt)s
.br
@@ -962,7 +962,7 @@ The default entrypoint paths for the %s_t domain are the following:
if "bin_t" in entrypoints:
entrypoints.remove("bin_t")
self.fd.write("""
-All executeables with the default executable label, usually stored in /usr/bin and /usr/sbin.""")
+All executables with the default executable label, usually stored in /usr/bin and /usr/sbin.""")
paths = []
for entrypoint in entrypoints:
diff --git a/python/sepolicy/sepolicy/network.py b/python/sepolicy/sepolicy/network.py
index 34267d92..ff308fad 100755
--- a/python/sepolicy/sepolicy/network.py
+++ b/python/sepolicy/sepolicy/network.py
@@ -1,7 +1,7 @@
# Copyright (C) 2012 Red Hat
# see file 'COPYING' for use and warranty information
#
-# setrans is a tool for analyzing process transistions in SELinux policy
+# setrans is a tool for analyzing process transitions in SELinux policy
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
diff --git a/python/sepolicy/sepolicy/transition.py b/python/sepolicy/sepolicy/transition.py
index 6414a765..2d4d8d3d 100755
--- a/python/sepolicy/sepolicy/transition.py
+++ b/python/sepolicy/sepolicy/transition.py
@@ -1,7 +1,7 @@
# Copyright (C) 2011 Red Hat
# see file 'COPYING' for use and warranty information
#
-# setrans is a tool for analyzing process transistions in SELinux policy
+# setrans is a tool for analyzing process transitions in SELinux policy
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
diff --git a/python/sepolicy/setup.py b/python/sepolicy/setup.py
index 4bd8353d..fa60ef6c 100644
--- a/python/sepolicy/setup.py
+++ b/python/sepolicy/setup.py
@@ -1,4 +1,4 @@
-#!/usr/bin/env python
+#!/usr/bin/python3
# Author: Thomas Liu <tliu@redhat.com>
# Author: Dan Walsh <dwalsh@redhat.com>
@@ -6,7 +6,7 @@ from distutils.core import setup
setup(
name="sepolicy",
- version="1.1",
+ version="3.0",
description="Python SELinux Policy Analyses bindings",
author="Daniel Walsh",
author_email="dwalsh@redhat.com",
diff --git a/restorecond/VERSION b/restorecond/VERSION
index 8c269150..9f55b2cc 100644
--- a/restorecond/VERSION
+++ b/restorecond/VERSION
@@ -1 +1 @@
-2.9
+3.0
diff --git a/restorecond/restore.c b/restorecond/restore.c
index f6e30001..b93b5fdb 100644
--- a/restorecond/restore.c
+++ b/restorecond/restore.c
@@ -12,39 +12,36 @@
char **exclude_list;
int exclude_count;
-struct restore_opts *r_opts;
-
void restore_init(struct restore_opts *opts)
{
int rc;
- r_opts = opts;
struct selinux_opt selinux_opts[] = {
- { SELABEL_OPT_VALIDATE, r_opts->selabel_opt_validate },
- { SELABEL_OPT_PATH, r_opts->selabel_opt_path },
- { SELABEL_OPT_DIGEST, r_opts->selabel_opt_digest }
+ { SELABEL_OPT_VALIDATE, opts->selabel_opt_validate },
+ { SELABEL_OPT_PATH, opts->selabel_opt_path },
+ { SELABEL_OPT_DIGEST, opts->selabel_opt_digest }
};
- r_opts->hnd = selabel_open(SELABEL_CTX_FILE, selinux_opts, 3);
- if (!r_opts->hnd) {
- perror(r_opts->selabel_opt_path);
+ opts->hnd = selabel_open(SELABEL_CTX_FILE, selinux_opts, 3);
+ if (!opts->hnd) {
+ perror(opts->selabel_opt_path);
exit(1);
}
- r_opts->restorecon_flags = 0;
- r_opts->restorecon_flags = r_opts->nochange | r_opts->verbose |
- r_opts->progress | r_opts->set_specctx |
- r_opts->add_assoc | r_opts->ignore_digest |
- r_opts->recurse | r_opts->userealpath |
- r_opts->xdev | r_opts->abort_on_error |
- r_opts->syslog_changes | r_opts->log_matches |
- r_opts->ignore_noent | r_opts->ignore_mounts;
+ opts->restorecon_flags = 0;
+ opts->restorecon_flags = opts->nochange | opts->verbose |
+ opts->progress | opts->set_specctx |
+ opts->add_assoc | opts->ignore_digest |
+ opts->recurse | opts->userealpath |
+ opts->xdev | opts->abort_on_error |
+ opts->syslog_changes | opts->log_matches |
+ opts->ignore_noent | opts->ignore_mounts;
/* Use setfiles, restorecon and restorecond own handles */
- selinux_restorecon_set_sehandle(r_opts->hnd);
+ selinux_restorecon_set_sehandle(opts->hnd);
- if (r_opts->rootpath) {
- rc = selinux_restorecon_set_alt_rootpath(r_opts->rootpath);
+ if (opts->rootpath) {
+ rc = selinux_restorecon_set_alt_rootpath(opts->rootpath);
if (rc) {
fprintf(stderr,
"selinux_restorecon_set_alt_rootpath error: %s.\n",
@@ -75,7 +72,6 @@ int process_glob(char *name, struct restore_opts *opts)
size_t i = 0;
int len, rc, errors;
- r_opts = opts;
memset(&globbuf, 0, sizeof(globbuf));
errors = glob(name, GLOB_TILDE | GLOB_PERIOD |
@@ -90,7 +86,7 @@ int process_glob(char *name, struct restore_opts *opts)
if (len > 0 && strcmp(&globbuf.gl_pathv[i][len], "/..") == 0)
continue;
rc = selinux_restorecon(globbuf.gl_pathv[i],
- r_opts->restorecon_flags);
+ opts->restorecon_flags);
if (rc < 0)
errors = rc;
}
diff --git a/restorecond/restorecond.service b/restorecond/restorecond.service
index 6bce99d3..0e4ea72d 100644
--- a/restorecond/restorecond.service
+++ b/restorecond/restorecond.service
@@ -1,5 +1,6 @@
[Unit]
Description=Restorecon maintaining path file context
+Documentation=man:restorecond(8)
ConditionPathExists=/etc/selinux/restorecond.conf
ConditionSecurity=selinux
diff --git a/restorecond/user.c b/restorecond/user.c
index 714aae78..8f932307 100644
--- a/restorecond/user.c
+++ b/restorecond/user.c
@@ -125,7 +125,7 @@ io_channel_callback
&bytes_read, NULL);
if (! bytes_read) {
- /* Sesssion/Terminal Ended */
+ /* Session/Terminal Ended */
exit(0);
}
diff --git a/sandbox/VERSION b/sandbox/VERSION
index 8c269150..9f55b2cc 100644
--- a/sandbox/VERSION
+++ b/sandbox/VERSION
@@ -1 +1 @@
-2.9
+3.0
diff --git a/sandbox/sandbox b/sandbox/sandbox
index 1dec07ac..ca5f1e03 100644
--- a/sandbox/sandbox
+++ b/sandbox/sandbox
@@ -339,7 +339,7 @@ sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [-
default=False, help=_("run complete desktop session within sandbox"))
parser.add_option("-s", "--shred", action="store_true", dest="shred",
- default=False, help=_("Shred content before tempory directories are removed"))
+ default=False, help=_("Shred content before temporary directories are removed"))
parser.add_option("-X", dest="X_ind",
action="callback", callback=self.__x_callback,
diff --git a/sandbox/seunshare.c b/sandbox/seunshare.c
index 289fcf75..9707a456 100644
--- a/sandbox/seunshare.c
+++ b/sandbox/seunshare.c
@@ -290,7 +290,7 @@ static int seunshare_mount(const char *src, const char *dst, struct stat *src_st
}
/*
- If path is empy or ends with "/." or "/.. return -1 else return 0;
+ If path is empty or ends with "/." or "/.. return -1 else return 0;
*/
static int bad_path(const char *path) {
const char *ptr;
@@ -410,7 +410,7 @@ static int cleanup_tmpdir(const char *tmpdir, const char *src,
/* remove runtime temporary directory */
if ((uid_t)setfsuid(0) != 0) {
- /* setfsuid does not return errror, but this check makes code checkers happy */
+ /* setfsuid does not return error, but this check makes code checkers happy */
rc++;
}
diff --git a/scripts/run-scan-build b/scripts/run-scan-build
index 88fe551c..ae5aa48b 100755
--- a/scripts/run-scan-build
+++ b/scripts/run-scan-build
@@ -22,7 +22,11 @@ export RUBYLIB="$DESTDIR/$(${RUBY:-ruby} -e 'puts RbConfig::CONFIG["vendorlibdir
# Build and analyze
make -C .. CC=clang clean distclean -j"$(nproc)"
-scan-build -analyze-headers -o "$OUTPUTDIR" make -C .. CC=clang DESTDIR="$DESTDIR" install install-pywrap install-rubywrap all test
+scan-build -analyze-headers -o "$OUTPUTDIR" make -C .. \
+ CC=clang \
+ DESTDIR="$DESTDIR" \
+ CFLAGS="-O2 -Wall -D__CHECKER__ -I$DESTDIR/usr/include" \
+ install install-pywrap install-rubywrap all test
# Reduce the verbosity in order to keep the message from scan-build saying
# "scan-build: Run 'scan-view /.../output-scan-build/2018-...' to examine bug reports.
diff --git a/secilc/COPYING b/secilc/COPYING
index 03a99053..a4277276 100644
--- a/secilc/COPYING
+++ b/secilc/COPYING
@@ -1,4 +1,4 @@
-All files are licensed under the FreeBSD license, excepet for thid party
+All files are licensed under the FreeBSD license, except for third party
components, which are subject to their respective licenses as specified in
their source files.
diff --git a/secilc/VERSION b/secilc/VERSION
index 8c269150..9f55b2cc 100644
--- a/secilc/VERSION
+++ b/secilc/VERSION
@@ -1 +1 @@
-2.9
+3.0
diff --git a/secilc/docs/cil_class_and_permission_statements.md b/secilc/docs/cil_class_and_permission_statements.md
index 290af50b..308c86d6 100644
--- a/secilc/docs/cil_class_and_permission_statements.md
+++ b/secilc/docs/cil_class_and_permission_statements.md
@@ -113,7 +113,7 @@ Declares a class and zero or more permissions in the current namespace.
**Examples:**
-This example defines a set of permissions for the `binder` class indentifier:
+This example defines a set of permissions for the `binder` class identifier:
(class binder (impersonate call set_context_mgr transfer receive))
@@ -179,7 +179,7 @@ This will produce an ordered list of "`file dir process`"
**Unordered Classorder Statement:**
-If users do not have knowledge of the existing [`classorder`](#classorder), the `unordered` keyword may be used in a [`classorder`](#classorder) statement. The [classes](#class) in an unordered statement are appended to the existing [`classorder`](#classorder). A class in an ordered statement always supercedes the class redeclaration in an unordered statement. The `unordered` keyword must be the first item in the [`classorder`](#classorder) listing.
+If users do not have knowledge of the existing [`classorder`](#classorder), the `unordered` keyword may be used in a [`classorder`](#classorder) statement. The [classes](#class) in an unordered statement are appended to the existing [`classorder`](#classorder). A class in an ordered statement always supersedes the class redeclaration in an unordered statement. The `unordered` keyword must be the first item in the [`classorder`](#classorder) listing.
**Example:**
diff --git a/secilc/docs/cil_context_statement.md b/secilc/docs/cil_context_statement.md
index 57ad3c6d..60812751 100644
--- a/secilc/docs/cil_context_statement.md
+++ b/secilc/docs/cil_context_statement.md
@@ -3,7 +3,7 @@ Context Statement
Contexts are formed using previously declared parameters and may be named or anonymous where:
-- Named - The context is declared with a context identifer that is used as a reference.
+- Named - The context is declared with a context identifier that is used as a reference.
- Anonymous - They are defined within the CIL labeling statement using user, role etc. identifiers.
@@ -65,7 +65,7 @@ to resolve/build a `file_contexts` entry of (assuming MLS enabled policy):
/system/bin/run-as -- u:object_r:runas.exec:s0-s0
-This example uses an anonymous context where the previously declared `user role type levelrange` identifiers are used to specifiy two [`portcon`](cil_network_labeling_statements.md#portcon) statements:
+This example uses an anonymous context where the previously declared `user role type levelrange` identifiers are used to specify two [`portcon`](cil_network_labeling_statements.md#portcon) statements:
(portcon udp 1024 (test.user object_r test.process ((s0) (s1))))
(portcon tcp 1024 (test.user object_r test.process (system_low system_high)))
diff --git a/secilc/docs/cil_default_object_statements.md b/secilc/docs/cil_default_object_statements.md
index 73d84d6d..80ccabe7 100644
--- a/secilc/docs/cil_default_object_statements.md
+++ b/secilc/docs/cil_default_object_statements.md
@@ -143,11 +143,11 @@ When creating a new `socket` object, the [`type`](cil_type_statements.md#type) c
defaultrange
------------
-Allows the default level or range to be taken from the source or target context when computing a new context for the object [`class`](cil_class_and_permission_statements.md#class) identifier. Requires policy version 27.
+Allows the default level or range to be taken from the source, target, or both contexts when computing a new context for the object [`class`](cil_class_and_permission_statements.md#class) identifier. Requires policy version 27. glblub as the default requires policy version 32.
**Statement definition:**
- (defaultrange class_id default range)
+ (defaultrange class_id default <range>)
**Where:**
@@ -167,11 +167,11 @@ Allows the default level or range to be taken from the source or target context
</tr>
<tr class="odd">
<td align="left"><p><code>default</code></p></td>
-<td align="left"><p>A keyword of either <code>source</code> or <code>target</code>.</p></td>
+<td align="left"><p>A keyword of either <code>source</code>, <code>target</code>, or <code>glblub</code>.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>range</code></p></td>
-<td align="left"><p>A keyword of either <code>low</code>, <code>high</code> or <code>low-high</code>.</p></td>
+<td align="left"><p>A keyword of either <code>low</code>, <code>high</code>, or <code>low-high</code>.</p></td>
</tr>
</tbody>
</table>
@@ -181,3 +181,7 @@ Allows the default level or range to be taken from the source or target context
When creating a new `file` object, the appropriate `range` component of the new security context will be taken from the `target` context:
(defaultrange file target low_high)
+
+MLS userspace object managers may need to compute the common parts of a range such that the object is created with the range common to the subject and containing object:
+
+ (defaultrange db_table glblub)
diff --git a/secilc/docs/cil_policy_config_statements.md b/secilc/docs/cil_policy_config_statements.md
index 392976ff..48e29d67 100644
--- a/secilc/docs/cil_policy_config_statements.md
+++ b/secilc/docs/cil_policy_config_statements.md
@@ -97,7 +97,7 @@ Allow policy capabilities to be enabled via policy. These should be declared in
</tr>
<tr class="even">
<td align="left"><p><code>policycap_id</code></p></td>
-<td align="left"><p>The <code>policycap</code> identifer (e.g. <code>open_perms</code>).</p></td>
+<td align="left"><p>The <code>policycap</code> identifier (e.g. <code>open_perms</code>).</p></td>
</tr>
</tbody>
</table>
diff --git a/secilc/docs/cil_reference_guide.md b/secilc/docs/cil_reference_guide.md
index d179c3c2..1b1fccca 100644
--- a/secilc/docs/cil_reference_guide.md
+++ b/secilc/docs/cil_reference_guide.md
@@ -57,7 +57,7 @@ Declarations may be named or anonymous and have three different forms:
ipaddr
macro
policycap
-2. Explicit anonymous declarations - These are currently restricted to IP addesses where they can be declared directly in statements by enclosing them within parentheses e.g. `(127.0.0.1)` or `(::1)`. See the [Network Labeling Statements](#network_labeling) section for examples.
+2. Explicit anonymous declarations - These are currently restricted to IP addresses where they can be declared directly in statements by enclosing them within parentheses e.g. `(127.0.0.1)` or `(::1)`. See the [Network Labeling Statements](#network_labeling) section for examples.
3. Anonymous declarations - These have been previously declared and the object already exists, therefore they may be referenced by their name or identifier within statements. For example the following declare all the components required to specify a context:
@@ -224,7 +224,7 @@ The number of `expr_set`'s in an `expr` is dependent on the statement type (ther
(classpermissionset cps_1 (security (not (load_policy setenforce))))
- This example includes all permissions in the associated [`classpermissionset`](cil_class_and_permission_statements.md#classpermissionset) identifer `security_all_perms`:
+ This example includes all permissions in the associated [`classpermissionset`](cil_class_and_permission_statements.md#classpermissionset) identifier `security_all_perms`:
(class security (compute_av compute_create compute_member check_context load_policy
compute_relabel compute_user setenforce setbool setsecparam setcheckreqprot
diff --git a/secilc/docs/cil_role_statements.md b/secilc/docs/cil_role_statements.md
index d92f6288..c1e457a7 100644
--- a/secilc/docs/cil_role_statements.md
+++ b/secilc/docs/cil_role_statements.md
@@ -310,7 +310,7 @@ Notes:
**Example:**
-In this example the role `test` cannot have greater priviledges than `unconfined.role`:
+In this example the role `test` cannot have greater privileges than `unconfined.role`:
(role test)
diff --git a/secilc/docs/cil_user_statements.md b/secilc/docs/cil_user_statements.md
index 4075187f..bbd76eff 100644
--- a/secilc/docs/cil_user_statements.md
+++ b/secilc/docs/cil_user_statements.md
@@ -222,7 +222,7 @@ This example will associate `unconfined.user` with a named [`level`](cil_mls_lab
userrange
---------
-Associates a previously declared [`user`](cil_user_statements.md#user) identifer with a previously declared [`levelrange`](cil_mls_labeling_statements.md#levelrange) identifier. The [`levelrange`](cil_mls_labeling_statements.md#levelrange) may be named or anonymous.
+Associates a previously declared [`user`](cil_user_statements.md#user) identifier with a previously declared [`levelrange`](cil_mls_labeling_statements.md#levelrange) identifier. The [`levelrange`](cil_mls_labeling_statements.md#levelrange) may be named or anonymous.
**Statement definition:**
@@ -281,7 +281,7 @@ This example will associate `unconfined.user` with a named [`levelrange`](cil_ml
userbounds
----------
-Defines a hierarchical relationship between users where the child user cannot have more priviledges than the parent.
+Defines a hierarchical relationship between users where the child user cannot have more privileges than the parent.
Notes:
@@ -318,7 +318,7 @@ Notes:
**Example:**
-The user `test` cannot have greater priviledges than `unconfined.user`:
+The user `test` cannot have greater privileges than `unconfined.user`:
(user test)
diff --git a/secilc/secilc.8.xml b/secilc/secilc.8.xml
index e08a9624..2b734f09 100644
--- a/secilc/secilc.8.xml
+++ b/secilc/secilc.8.xml
@@ -96,6 +96,11 @@
</varlistentry>
<varlistentry>
+ <term><option>-O, --optimize</option></term>
+ <listitem><para>Optimize final policy (remove redundant rules).</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
<term><option>-v, --verbose</option></term>
<listitem><para>Increment verbosity level.</para></listitem>
</varlistentry>
diff --git a/secilc/secilc.c b/secilc/secilc.c
index ad6862ba..186c5a73 100644
--- a/secilc/secilc.c
+++ b/secilc/secilc.c
@@ -68,6 +68,7 @@ static __attribute__((__noreturn__)) void usage(const char *prog)
printf(" -G, --expand-generated Expand and remove auto-generated attributes\n");
printf(" -X, --expand-size <SIZE> Expand type attributes with fewer than <SIZE>\n");
printf(" members.\n");
+ printf(" -O, --optimize optimize final policy\n");
printf(" -v, --verbose increment verbosity level\n");
printf(" -h, --help display usage information\n");
exit(1);
@@ -97,6 +98,7 @@ int main(int argc, char *argv[])
int policyvers = POLICYDB_VERSION_MAX;
int attrs_expand_generated = 0;
int attrs_expand_size = -1;
+ int optimize = 0;
int opt_char;
int opt_index = 0;
char *fc_buf = NULL;
@@ -117,12 +119,13 @@ int main(int argc, char *argv[])
{"filecontexts", required_argument, 0, 'f'},
{"expand-generated", no_argument, 0, 'G'},
{"expand-size", required_argument, 0, 'X'},
+ {"optimize", no_argument, 0, 'O'},
{0, 0, 0, 0}
};
int i;
while (1) {
- opt_char = getopt_long(argc, argv, "o:f:U:hvt:M:PDmNc:GX:", long_opts, &opt_index);
+ opt_char = getopt_long(argc, argv, "o:f:U:hvt:M:PDmNOc:GX:n", long_opts, &opt_index);
if (opt_char == -1) {
break;
}
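Review bot: The new option string ends in `n`, added here alongside `O`, but nothing else in the diff goes with it: `long_opts` gets no entry, `usage()` gets no line, and no `case 'n':` appears in the hunks shown. If the switch really has no such case (most of it lies outside the hunk), `secilc -n` is accepted by `getopt_long` and then handled by whatever the default branch does, which is confusing for a tool that builds security policy. Either drop it, `"o:f:U:hvt:M:PDmNOc:GX:"`, or add the handler and document the flag.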
@@ -211,6 +214,9 @@ int main(int argc, char *argv[])
}
break;
}
+ case 'O':
+ optimize = 1;
+ break;
case 'h':
usage(argv[0]);
case '?':
@@ -294,6 +300,14 @@ int main(int argc, char *argv[])
goto exit;
}
+ if (optimize) {
+ rc = sepol_policydb_optimize(pdb);
+ if (rc != SEPOL_OK) {
+ fprintf(stderr, "Failed to optimize policydb\n");
+ goto exit;
+ }
+ }
+
if (output == NULL) {
int size = snprintf(NULL, 0, "policy.%d", policyvers);
output = malloc((size + 1) * sizeof(char));
diff --git a/semodule-utils/VERSION b/semodule-utils/VERSION
index 8c269150..9f55b2cc 100644
--- a/semodule-utils/VERSION
+++ b/semodule-utils/VERSION
@@ -1 +1 @@
-2.9
+3.0
diff --git a/semodule-utils/semodule_package/semodule_unpackage.c b/semodule-utils/semodule_package/semodule_unpackage.c
index c9124c0f..b8c4fbce 100644
--- a/semodule-utils/semodule_package/semodule_unpackage.c
+++ b/semodule-utils/semodule_package/semodule_unpackage.c
@@ -55,7 +55,7 @@ int main(int argc, char **argv)
ppfile = argv[1];
modfile = argv[2];
- if (argc >= 3)
+ if (argc >= 4)
fcfile = argv[3];
if (file_to_policy_file(ppfile, &in, "r"))