-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
This patch looks good to me. acked.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAk7dHfQACgkQrlYvE4MpobNZ+wCeIuas7uoJfopy60iS6YNbD5Go
uTsAoKDzx4Ec+1/fvRvuybhUGmZhqoD9
=GN8m
-----END PGP SIGNATURE-----
>From 92f2ce3a1cfcaba214dfa176dfe573f0748fd2a0 Mon Sep 17 00:00:00 2001
From: Richard Haines <richard_c_haines@xxxxxxxxxxxxxx>
Date: Mon, 28 Nov 2011 14:43:28 +0000
Subject: [PATCH 42/48] policycoreutils: sestatus: Updated sestatus and man
pages.
sestatus has been modified to present additional information: SELinux root
directory, MLS flag and the deny_unknow flag. The man page has been updated
to reflect these changes and an sestatus.conf(5) man page has also been added.
Signed-off-by: Richard Haines <richard_c_haines@xxxxxxxxxxxxxx>
Signed-off-by: Eric Paris <eparis@xxxxxxxxxx>
---
policycoreutils/sestatus/Makefile | 2 +
policycoreutils/sestatus/sestatus.8 | 62 ++++++++++++++-----
policycoreutils/sestatus/sestatus.c | 82 ++++++++++++++++++++-----
policycoreutils/sestatus/sestatus.conf.5 | 94 ++++++++++++++++++++++++++++++
4 files changed, 206 insertions(+), 34 deletions(-)
create mode 100644 policycoreutils/sestatus/sestatus.conf.5
diff --git a/policycoreutils/sestatus/Makefile b/policycoreutils/sestatus/Makefile
index 5774e22..c5db7a3 100644
--- a/policycoreutils/sestatus/Makefile
+++ b/policycoreutils/sestatus/Makefile
@@ -15,9 +15,11 @@ sestatus: sestatus.o
install: all
[ -d $(MANDIR)/man8 ] || mkdir -p $(MANDIR)/man8
+ [ -d $(MANDIR)/man5 ] || mkdir -p $(MANDIR)/man5
-mkdir -p $(SBINDIR)
install -m 755 sestatus $(SBINDIR)
install -m 644 sestatus.8 $(MANDIR)/man8
+ install -m 644 sestatus.conf.5 $(MANDIR)/man5
-mkdir -p $(ETCDIR)
install -m 644 sestatus.conf $(ETCDIR)
diff --git a/policycoreutils/sestatus/sestatus.8 b/policycoreutils/sestatus/sestatus.8
index 049892d..51ff056 100644
--- a/policycoreutils/sestatus/sestatus.8
+++ b/policycoreutils/sestatus/sestatus.8
@@ -1,4 +1,4 @@
-.TH "sestatus" "8" "2005111103" "" ""
+.TH "sestatus" "8" "26 Nov 2011" "Security Enhanced Linux" "SELinux command line documentation"
.SH "NAME"
sestatus \- SELinux status tool
@@ -12,38 +12,66 @@ This tool is used to get the status of a system running SELinux.
This manual page describes the
.BR sestatus
program.
-.br
-This tool is used to get the status of a system running SELinux. It displays data about whether SELinux is enabled, disabled, the loaded policy and whether it is in enforcing or permissive mode. It can also be used to display the security context of files and processes listed in the /etc/sestatus.conf file.
-
+.sp
+This tool is used to get the status of a system running SELinux. It displays data about whether SELinux is enabled or disabled, location of key directories, and the loaded policy with its status as shown in the example:
+.RS
> sestatus
.br
-SELinux status: enabled
+SELinux status: enabled
+.br
+SELinuxfs mount: /selinux
+.br
+SELinux root directory: /etc/selinux
+.br
+Loaded policy name: targeted
+.br
+Current mode: permissive
+.br
+Mode from config file: enforcing
.br
-SELinuxfs mount: /selinux
+Policy MLS status: enabled
.br
-Current Mode: permissive
+Policy deny_unknown status: allow
.br
-Policy version: 16
+Max kernel policy version: 26
+.RE
+.sp
+\fBsestatus\fR can also be used to display:
+.RS
+.IP "-" 4
+The security context of files and processes listed in the \fI/etc/sestatus.conf\fR file. The format of this file is described in \fBsestatus.conf\fR(5).
+.IP "-" 4
+The status of booleans.
+.RE
.SH "OPTIONS"
-.TP
-
.B \-v
-.P
- Checks the contexts of a files , and a processes listed in the /etc/sestatus.conf file. It also checks the context of the target, in cases of
-symlinks.
-
+.RS
+Displays the contexts of files and processes listed in the \fI/etc/sestatus.conf\fR file. It also checks whether the file is a symbolic link, if so then the context of the target file is also shown.
+.sp
+The following contexts will always be displayed:
+.RS
+The current process context
+.br
+The init process context
+.br
+The controlling terminal file context
+.RE
+.RE
+.sp
.B \-b
-.P
+.RS
Display the current state of booleans.
-
+.RE
.SH "FILES"
-/etc/sestatus.conf
+.I /etc/sestatus.conf
.SH "AUTHOR"
This man page was written by Daniel Walsh <dwalsh@xxxxxxxxxx>.
.br
The program was written by Chris PeBenito <pebenito@xxxxxxxxxx>
+.SH "SEE ALSO"
+.BR selinux "(8), " sestatus.conf "(5)
diff --git a/policycoreutils/sestatus/sestatus.c b/policycoreutils/sestatus/sestatus.c
index 5617319..b31bafe 100644
--- a/policycoreutils/sestatus/sestatus.c
+++ b/policycoreutils/sestatus/sestatus.c
@@ -172,8 +172,8 @@ void printf_tab(const char *outp)
int main(int argc, char **argv)
{
/* these vars are reused several times */
- int rc, opt, i, c;
- char *context;
+ int rc, opt, i, c, size;
+ char *context, *root_path;
/* files that need context checks */
char *fc[MAX_CHECK];
@@ -193,9 +193,10 @@ int main(int argc, char **argv)
int show_bools = 0;
/* policy */
- const char *pol_name;
+ const char *pol_name, *root_dir;
char *pol_path;
+
while (1) {
opt = getopt(argc, argv, "vb");
if (opt == -1)
@@ -210,8 +211,8 @@ int main(int argc, char **argv)
default:
/* invalid option */
printf("\nUsage: %s [OPTION]\n\n", basename(argv[0]));
- printf
- (" -v Verbose check of process and file contexts.\n");
+ printf(" -v Verbose check of process and file contexts.\n");
+ printf(" -b Display current state of booleans.\n");
printf("\nWithout options, show SELinux status.\n");
return -1;
}
@@ -242,6 +243,35 @@ int main(int argc, char **argv)
return -1;
}
+ printf_tab("SELinux root directory:");
+ if ((root_dir = selinux_path()) != NULL) {
+ /* The path has a trailing '/' so remove it */
+ size = strlen(root_dir);
+ root_path = malloc(size);
+ if (!root_path) {
+ printf("malloc error (%s)\n", strerror(errno));
+ return -1;
+ }
+ memset(root_path, 0, size);
+ strncpy(root_path, root_dir, (size-1)) ;
+ printf("%s\n", root_path);
+ free(root_path);
+ } else {
+ printf("error (%s)\n", strerror(errno));
+ return -1;
+ }
+
+ /* Dump all the path information */
+ printf_tab("Loaded policy name:");
+ pol_path = strdup(selinux_policy_root());
+ if (pol_path) {
+ pol_name = basename(pol_path);
+ puts(pol_name);
+ free(pol_path);
+ } else {
+ printf("error (%s)\n", strerror(errno));
+ }
+
printf_tab("Current mode:");
rc = security_getenforce();
switch (rc) {
@@ -273,23 +303,41 @@ int main(int argc, char **argv)
printf("error (%s)\n", strerror(errno));
}
+ printf_tab("Policy MLS status:");
+ rc = is_selinux_mls_enabled();
+ switch (rc) {
+ case 0:
+ printf("disabled\n");
+ break;
+ case 1:
+ printf("enabled\n");
+ break;
+ default:
+ printf("error (%s)\n", strerror(errno));
+ break;
+ }
+
+ printf_tab("Policy deny_unknown status:");
+ rc = security_deny_unknown();
+ switch (rc) {
+ case 0:
+ printf("allowed\n");
+ break;
+ case 1:
+ printf("denied\n");
+ break;
+ default:
+ printf("error (%s)\n", strerror(errno));
+ break;
+ }
+
rc = security_policyvers();
- printf_tab("Policy version:");
+ printf_tab("Max kernel policy version:");
if (rc < 0)
printf("unknown (%s)\n", strerror(errno));
else
printf("%d\n", rc);
- /* Dump all the path information */
- printf_tab("Policy from config file:");
- pol_path = strdup(selinux_policy_root());
- if (pol_path) {
- pol_name = basename(pol_path);
- puts(pol_name);
- free(pol_path);
- } else {
- printf("error (%s)\n", strerror(errno));
- }
if (show_bools) {
/* show booleans */
@@ -374,7 +422,7 @@ int main(int argc, char **argv)
printf("\nFile contexts:\n");
/* controlling term */
- printf_tab("Controlling term:");
+ printf_tab("Controlling terminal:");
if (lgetfilecon(cterm, &context) >= 0) {
printf("%s\n", context);
freecon(context);
diff --git a/policycoreutils/sestatus/sestatus.conf.5 b/policycoreutils/sestatus/sestatus.conf.5
new file mode 100644
index 0000000..d2bb3fe
--- /dev/null
+++ b/policycoreutils/sestatus/sestatus.conf.5
@@ -0,0 +1,94 @@
+.TH "sestatus.conf" "5" "26-Nov-2011" "Security Enhanced Linux" "sestatus configuration file"
+
+.SH "NAME"
+sestatus.conf \- The \fBsestatus\fR(8) configuration file.
+
+.SH "DESCRIPTION"
+The \fIsestatus.conf\fR file is used by the \fBsestatus\fR(8) command with the \fB\-v\fR option to determine what file and process security contexts should be displayed.
+.sp
+The fully qualified path name of the configuration file is:
+.RS
+\fI/etc/sestatus.conf\fR
+.RE
+.RE
+.sp
+The file consists of two optional sections as described in the \fBFILE FORMAT\fR section. Whether these exist or not, the following will always be displayed:
+.RS
+The current process context
+.br
+The init process context
+.br
+The controlling terminal file context
+.RE
+
+.SH "FILE FORMAT"
+The format consists of two optional sections as follows:
+.RS
+.B [files]
+.br
+.I file_name
+.br
+.I [file_name]
+.br
+.I ...
+.sp
+.B [process]
+.br
+.I executable_file_name
+.br
+.I [executable_file_name]
+.br
+.I ...
+.RE
+.sp
+Where:
+.RS
+.B [files]
+.RS
+The start of the file list block.
+.RE
+.I file_name
+.RS
+One or more fully qualified file names, each on a new line will that will have its context displayed. If the file does not exist, then it is ignored. If the file is a symbolic link, then \fBsestatus -v\fR will also display the target file context.
+.RE
+.sp
+.B [process]
+.RS
+The start of the process list block.
+.RE
+.I executable_file_name
+.RS
+One or more fully qualified executable file names that should it be an active process, have its context displayed. Each entry is on a new line.
+.RE
+.RE
+
+.SH "EXAMPLE"
+# /etc/sestatus.conf
+.br
+[files]
+.br
+/etc/passwd
+.br
+/etc/shadow
+.br
+/bin/bash
+.br
+/bin/login
+.br
+/lib/libc.so.6
+.br
+/lib/ld-linux.so.2
+.br
+/lib/ld.so.1
+.sp
+[process]
+.br
+/sbin/mingetty
+.br
+/sbin/agetty
+.br
+/usr/sbin/sshd
+.RE
+
+.SH "SEE ALSO"
+.BR selinux "(8), " sestatus "(8) "
--
1.7.7.4
