-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 This patch looks good to me. acked. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk5D7R4ACgkQrlYvE4MpobO5ngCbBXiyHBPFUcZ27ed5LPUYPYVx dlgAn0amHayu16NW1dpYTOK16kzKylo8 =eH0w -----END PGP SIGNATURE-----
>From a41323e8e49ff07d3320a5faf8e403fbe9d6d548 Mon Sep 17 00:00:00 2001
From: Eric Paris <eparis@xxxxxxxxxx>
Date: Tue, 19 Jul 2011 12:15:41 -0400
Subject: [PATCH 51/96] policycoreutils: semanage: enable and disable modules

Add tools to store the state of modules and to enable and disable those modules.

Signed-off-by: Eric Paris <eparis@xxxxxxxxxx>
---
 policycoreutils/semanage/semanage | 34 ++++++++++++++++++
 policycoreutils/semanage/semanage.8 | 14 +++++++
 policycoreutils/semanage/seobject.py | 65 ++++++++++++++++++++++++++++++++++
 3 files changed, 113 insertions(+), 0 deletions(-)

diff --git a/policycoreutils/semanage/semanage b/policycoreutils/semanage/semanage
index ac15d28..fe084b1 100644
--- a/policycoreutils/semanage/semanage
+++ b/policycoreutils/semanage/semanage
@@ -59,6 +59,7 @@ semanage login -{a|d|m|D|E} [-sr] login_name | %groupname
 semanage user -{a|d|m|D|E} [-LrRP] selinux_name
 semanage port -{a|d|m|D|E} [-tr] [ -p proto ] port | port_range
 semanage interface -{a|d|m|D|E} [-tr] interface_spec
+semanage module -{a|d|m} [--enable|--disable] module
 semanage node -{a|d|m|D|E} [-tr] [ -p protocol ] [-M netmask] addr
 semanage fcontext -{a|d|m|D|E} [-frst] file_spec
 semanage boolean -{d|m|D} [--on|--off|-1|-0] -F boolean | boolean_file
@@ -102,6 +103,8 @@ Object-specific Options (see above):
 -s, --seuser SELinux User Name
 -t, --type SELinux Type for the object
 -r, --range MLS/MCS Security Range (MLS/MCS Systems only)
+ --enable Enable a module
+ --disable Disable a module
 """)
 raise ValueError("%s\n%s" % (text, message))
@@ -125,6 +128,8 @@ Object-specific Options (see above):
 valid_option["interface"] += valid_everyone + valid_local + [ '-t', '--type', '-r', '--range']
 valid_option["node"] = []
 valid_option["node"] += valid_everyone + valid_local + [ '-M', '--mask', '-t', '--type', '-r', '--range', '-p', '--protocol']
+ valid_option["module"] = []
+ valid_option["module"] += valid_everyone + [ '--enable', '--disable']
 valid_option["fcontext"] = []
 valid_option["fcontext"] += valid_everyone + valid_local + [ '-f', '--ftype', '-s', '--seuser', '-t', '--type', '-r', '--range']
 valid_option["dontaudit"] = [ '-S', '--store' ]
@@ -199,7 +204,9 @@ Object-specific Options (see above):
 modify = False
 delete = False
 deleteall = False
+ enable = False
 extract = False
+ disable = False
 list = False
 locallist = False
 use_file = False
@@ -220,7 +227,9 @@ Object-specific Options (see above):
 ['add',
 'delete',
 'deleteall',
+ 'enable',
 'extract',
+ 'disable',
 'ftype=',
 'file',
 'help',
@@ -269,6 +278,14 @@ Object-specific Options (see above):
 if o == "-f" or o == "--ftype":
 ftype=a
+ if o == "--enable":
+ set_action(o)
+ enable = True
+
+ if o == "--disable":
+ set_action(o)
+ disable = True
+
 if o == "-F" or o == "--file":
 use_file = True
@@ -347,6 +364,10 @@ Object-specific Options (see above):
 if use_file:
 modify = True
+
+ if object == "module":
+ OBJECT = seobject.moduleRecords(store)
+
 if object == "permissive":
 OBJECT = seobject.permissiveRecords(store)
@@ -394,6 +415,10 @@ Object-specific Options (see above):
 OBJECT.add(target, serange, setype)
 return
+ if object == "module":
+ OBJECT.add(target)
+ return
+
 if object == "node":
 OBJECT.add(target, mask, proto, serange, setype)
 return
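Review bot: `--enable` and `--disable` both call `set_action(o)` in the @@ -269 hunk, yet the dispatch added in the later modify hunk only reaches `OBJECT.enable`/`OBJECT.disable` under the modify branch, and the man page in this same patch documents them as `-m [--enable | --disable]`. If `set_action` (defined outside this hunk) rejects a second action, the documented `-m --enable module` form is refused; if it accepts it, then `--enable module` given without `-m` sets the action but matches none of the add/modify/delete branches and silently does nothing. One way to make the two consistent is to drop the `set_action(o)` calls for these two flags and validate them once after option parsing, e.g. `if (enable or disable) and not modify: usage(_("--enable/--disable require -m"))`. The option-handling code these lines belong to starts and ends outside the hunk.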
@@ -420,6 +445,15 @@ Object-specific Options (see above):
 OBJECT.modify(target, rlist, selevel, serange, prefix)
 return
+ if object == "module":
+ if enable:
+ OBJECT.enable(target)
+ elif disable:
+ OBJECT.disable(target)
+ else:
+ OBJECT.modify(target)
+ return
+
 if object == "port":
 OBJECT.modify(target, proto, serange, setype)
 return
diff --git a/policycoreutils/semanage/semanage.8 b/policycoreutils/semanage/semanage.8
index 4429e57..8dfe43a 100644
--- a/policycoreutils/semanage/semanage.8
+++ b/policycoreutils/semanage/semanage.8
@@ -16,6 +16,10 @@ Input local customizations
 .B semanage boolean \-{d|m|D} [\-\-on|\-\-off|\-1|\-0] -F boolean | boolean_file
 .br
 .B semanage login \-{a|d|m|D} [\-sr] login_name | %groupname
+
+Manage policy modules.
+.br
+.B semanage module [\-S store] \-{a|d|l} [-m [--enable | --disable] ] module_name
 .br
 .B semanage user \-{a|d|m|D} [\-LrRP] selinux_name
 .br
@@ -60,6 +64,16 @@ Delete a OBJECT record NAME
 .I \-D, \-\-deleteall
 Remove all OBJECTS local customizations
 .TP
+.I \-\-disable
+Disable a policy module, requires -m option
+
+Currently modules only.
+.TP
+.I \-\-enable
+Enable a disabled policy module, requires -m option
+
+Currently modules only.
+.TP
 .I \-f, \-\-ftype
 File Type. This is used with fcontext. Requires a file type as shown in the mode field by ls, e.g. use -d to match only directories or -- to match only regular files.
diff --git a/policycoreutils/semanage/seobject.py b/policycoreutils/semanage/seobject.py
index 233d0e5..ebd070a 100644
--- a/policycoreutils/semanage/seobject.py
+++ b/policycoreutils/semanage/seobject.py
@@ -237,6 +237,71 @@ class semanageRecords:
 semanageRecords.transaction = False
 self.commit()
+class moduleRecords(semanageRecords):
+ def __init__(self, store):
+ semanageRecords.__init__(self, store)
+
+ def get_all(self):
+ l = []
+ (rc, mlist, number) = semanage_module_list(self.sh)
+ if rc < 0:
+ raise ValueError(_("Could not list SELinux modules"))
+
+ for i in range(number):
+ mod = semanage_module_list_nth(mlist, i)
+ l.append((semanage_module_get_name(mod), semanage_module_get_version(mod), semanage_module_get_enabled(mod)))
+ return l
+
+ def list(self, heading = 1, locallist = 0):
+ if heading:
+ print "\n%-25s%-10s\n" % (_("Modules Name"), _("Version"))
+ for t in self.get_all():
+ if t[2] == 0:
+ disabled = _("Disabled")
+ else:
+ disabled = ""
+ print "%-25s%-10s%s" % (t[0], t[1], disabled)
+
+ def add(self, file):
+ rc = semanage_module_install_file(self.sh, file);
+ if rc >= 0:
+ self.commit()
+
+ def disable(self, module):
+ need_commit = False
+ for m in module.split():
+ rc = semanage_module_disable(self.sh, m)
+ if rc < 0 and rc != -3:
+ raise ValueError(_("Could not disable module %s (remove failed)") % m)
+ if rc != -3:
+ need_commit = True
+ if need_commit:
+ self.commit()
+
+ def enable(self, module):
+ need_commit = False
+ for m in module.split():
+ rc = semanage_module_enable(self.sh, m)
+ if rc < 0 and rc != -3:
+ raise ValueError(_("Could not enable module %s (remove failed)") % m)
+ if rc != -3:
+ need_commit = True
+ if need_commit:
+ self.commit()
+
+ def modify(self, file):
+ rc = semanage_module_update_file(self.sh, file);
+ if rc >= 0:
+ self.commit()
+
+ def delete(self, module):
+ for m in module.split():
+ rc = semanage_module_remove(self.sh, m)
+ if rc < 0 and rc != -2:
+ raise ValueError(_("Could not remove module %s (remove failed)") % m)
+
+ self.commit()
+
 class dontauditClass(semanageRecords):
 def __init__(self, store):
 semanageRecords.__init__(self, store)
-- 
1.7.6
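Review bot: `moduleRecords.add` and `moduleRecords.modify` swallow failure: when `semanage_module_install_file` / `semanage_module_update_file` returns rc < 0 they merely skip the commit and return, so `semanage module -a` exits successfully while the policy module was never installed, whereas `delete`, `enable` and `disable` in the same hunk raise on error. Suggest `if rc < 0: raise ValueError(_("Could not install module %s") % file)` in `add` and the equivalent for `modify`, mirroring `delete`. The error strings in `enable` and `disable` still say `(remove failed)`, copied from `delete`, and should read `(enable failed)` / `(disable failed)`. The `rc != -3` branches carry no comment; if -3 is libsemanage's already-enabled/already-disabled status (to be confirmed against libsemanage), a comment such as `# -3: module already in the requested state; not an error and nothing to commit` would explain why it is neither raised nor committed. `list` also accepts `locallist` but never reads it.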
Attachment:
0051-policycoreutils-semanage-enable-and-disable-modules.patch.sig
Description: PGP signature