* Contributed manual pages for libselinux
@ 2009-11-02 23:57 Guido Trentalancia
2009-11-21 2:42 ` Eamon Walsh
0 siblings, 1 reply; 10+ messages in thread
From: Guido Trentalancia @ 2009-11-02 23:57 UTC (permalink / raw)
To: SELinux
[-- Attachment #1: Type: text/plain, Size: 17600 bytes --]
Hello !
I found from http://userspace.selinuxproject.org/trac/wiki/Todo that the
following manual pages were missing for libselinux:
* matchpathcon_checkmatches
* matchpathcon_filespec_add
* matchpathcon_filespec_destroy
* matchpathcon_filespec_eval
* matchpathcon_index
* matchpathcon_init_prefix
* print_access_vector
security_canonicalize_context
* security_disable
* security_set_boolean_list
* selinux_check_passwd_access
selinux_customizable_types_path
selinux_get_callback
* selinux_init_load_policy
* selinux_lsetfilecon_default
* selinux_mkload_policy
selinux_raw_to_trans_context
selinux_trans_to_raw_context
selinux_translations_path
selinux_users_path
* set_selinuxmnt
So, I have contributed the ones marked with a "*" in the attached patch.
I might do the rest at a later time, if possible (and if needed).
Guido Trentalancia
diff -pruN libselinux/man/man3/fini_selinuxmnt.3
libselinux-new/man/man3/fini_selinuxmnt.3
--- libselinux/man/man3/fini_selinuxmnt.3 1970-01-01 01:00:00.000000000
+0100
+++ libselinux-new/man/man3/fini_selinuxmnt.3 2009-11-03
00:09:04.000000000 +0100
@@ -0,0 +1 @@
+.so man3/init_selinuxmnt.3
diff -pruN libselinux/man/man3/init_selinuxmnt.3
libselinux-new/man/man3/init_selinuxmnt.3
--- libselinux/man/man3/init_selinuxmnt.3 1970-01-01 01:00:00.000000000
+0100
+++ libselinux-new/man/man3/init_selinuxmnt.3 2009-11-03
00:30:08.000000000 +0100
@@ -0,0 +1,31 @@
+.\" Hey Emacs! This file is -*- nroff -*- source.
+.\"
+.\" Author: Guido Trentalancia (guido@trentalancia.com) 2009
+.TH "init_selinuxmnt" "3" "02 Nov 2009" "" "SELinux API documentation"
+.SH "NAME"
+init_selinuxmnt \- initialize the global variable selinux_mnt.
+
+.SH "SYNOPSIS"
+.BI "static void init_selinuxmnt(void);"
+.sp
+.BI "static void fini_selinuxmnt(void);"
+.sp
+.BI "void set_selinuxmnt(char *" mnt ");"
+
+.SH "DESCRIPTION"
+.B init_selinuxmnt
+initializes the global variable selinux_mnt to the selinuxfs
mountpoint.
+
+.B fini_selinuxmnt
+deinitializes the global variable selinux_mnt that stores the selinuxfs
+mountpoint.
+
+.B set_selinuxmnt
+changes the selinuxfs mountpoint to
+.I mnt.
+
+.SH "AUTHOR"
+This manual page has been written by Guido Trentalancia
<guido@trentalancia.com>
+
+.SH "SEE ALSO"
+.BR selinux (8),
diff -pruN libselinux/man/man3/matchpathcon.3
libselinux-new/man/man3/matchpathcon.3
--- libselinux/man/man3/matchpathcon.3 2009-11-01 22:23:01.000000000
+0100
+++ libselinux-new/man/man3/matchpathcon.3 2009-11-03 00:44:53.000000000
+0100
@@ -7,21 +7,35 @@ matchpathcon \- get the default SELinux
.sp
.BI "int matchpathcon_init(const char *" path ");"
+.BI "int matchpathcon_init_prefix(const char *" path ", const char *"
subset ");"
+
.BI "int matchpathcon_fini(void);"
-.BI "int matchpathcon(const char *" path ", mode_t " mode ",
security_context_t *" con);
+.BI "int matchpathcon(const char *" path ", mode_t " mode ",
security_context_t *" con ");
+.sp
+
+.BI "int matchpathcon_index(const char *" name ", mode_t " mode ",
security_context_t * " con ");"
+
+.BI "int matchpathcon_filespec_add(ino_t " ino ", int " specind ",
const char *" file ");"
+
+.BI "void matchpathcon_filespec_destroy(void);"
+
+.BI "void matchpathcon_filespec_eval(void);"
+
+.BI "void matchpathcon_checkmatches(char *" str ");"
.sp
.BI "void set_matchpathcon_printf(void (*" f ")(const char *" fmt
", ...));"
-.BI "void set_matchpathcon_invalidcon(int (*" f ")(const char *"path ",
unsigned " lineno ", char * " context "));"
+.BI "void set_matchpathcon_invalidcon(int (*" f ")(const char *" path
", unsigned " lineno ", char * " context "));"
.BI "void set_matchpathcon_flags(unsigned int " flags ");"
-.BI "int selinux_file_context_cmp(const security_context_t a,
- const security_context_t b);"
+.BI "int selinux_file_context_cmp(const security_context_t " a ", const
security_context_t " b ");"
-.BI "int selinux_file_context_verify(const char *path, mode_t mode);"
+.BI "int selinux_file_context_verify(const char *" path ", mode_t "
mode ");"
+
+.BI "int selinux_lsetfilecon_default(const char *" path ");"
.SH "DESCRIPTION"
.B matchpathcon_init
@@ -44,7 +58,16 @@ and
.B .local
suffix are also looked up and loaded if present. These files provide
dynamically generated entries for user home directories and for local
-customizations.
+customizations. Returns zero on success or \-1 on error.
+
+.sp
+.B matchpathcon_init_prefix
+is the same as
+.B matchpathcon_init
+but only loads entries with regexes that have stems that are prefixes
+of
+.I prefix.
+Returns zero on success or \-1 on error.
.sp
.B matchpathcon_fini
@@ -78,6 +101,43 @@ its first invocation with a NULL
defaulting to the active file contexts configuration.
.sp
+.B matchpathcon_index
+is the same as
+.B matchpathcon
+but returns a specification index that can be used later in a
+.B matchpathcon_filespec_add
+call.
+.sp
+
+.B matchpathcon_filespec_add
+maintains an association between an inode
+.I ino
+and a specification index
+.I specind,
+and checks whether a conflicting specification is already associated
+with the same inode (e.g. due to multiple hard links). If so, then
+it uses the latter of the two specifications based on their order in
the
+.I file
+context configuration. Returns the specification index used or \-1 on
+error.
+.sp
+
+.B matchpathcon_filespec_destroy
+destroys any inode associations that have been added, e.g. to restart
+for a new filesystem.
+.sp
+
+.B matchpathcon_filespec_eval
+displays statistics on the hash table usage for the inode associations.
+.sp
+
+.B matchpathcon_checkmatches
+checks whether any specification has no matches and reports them.
+The
+.I str
+argument is used as a prefix for any warning messages.
+.sp
+
.B set_matchpathcon_printf
sets the function used by
.B matchpathcon_init
@@ -98,7 +158,7 @@ This can be set to instead perform check
e.g. using
.B sepol_check_context(3),
as is done by
-.B setfiles -c.
+.B setfiles \-c.
The function is also responsible for reporting any such error, and
may include the
.I path
@@ -122,10 +182,13 @@ compares two file contexts to see if the
.sp
.B selinux_file_context_verify
compares the file context on disk to the system default.
+.sp
+.B selinux_lsetfilecon_default
+sets the file context to the system defaults.
.sp
.SH "RETURN VALUE"
-Returns 0 on success or -1 otherwise.
+Returns zero on success or \-1 otherwise.
.SH "SEE ALSO"
.BR selinux "(8), " freecon "(3), " setfilecon "(3), " setfscreatecon
"(3)"
diff -pruN libselinux/man/man3/matchpathcon_checkmatches.3
libselinux-new/man/man3/matchpathcon_checkmatches.3
--- libselinux/man/man3/matchpathcon_checkmatches.3 1970-01-01
01:00:00.000000000 +0100
+++ libselinux-new/man/man3/matchpathcon_checkmatches.3 2009-11-02
17:54:56.000000000 +0100
@@ -0,0 +1 @@
+.so man3/matchpathcon.3
diff -pruN libselinux/man/man3/print_access_vector.3
libselinux-new/man/man3/print_access_vector.3
--- libselinux/man/man3/print_access_vector.3 1970-01-01
01:00:00.000000000 +0100
+++ libselinux-new/man/man3/print_access_vector.3 2009-11-02
19:34:40.000000000 +0100
@@ -0,0 +1 @@
+.so man3/security_class_to_string.3
diff -pruN libselinux/man/man3/security_class_to_string.3
libselinux-new/man/man3/security_class_to_string.3
--- libselinux/man/man3/security_class_to_string.3 2009-11-01
22:23:01.000000000 +0100
+++ libselinux-new/man/man3/security_class_to_string.3 2009-11-03
00:23:55.000000000 +0100
@@ -6,6 +6,8 @@
security_class_to_string, security_av_perm_to_string,
string_to_security_class, string_to_av_perm, security_av_string \-
convert
between SELinux class and permission values and string names.
+print_access_vector \- display an access vector in human-readable
form.
+
.SH "SYNOPSIS"
.B #include <selinux/selinux.h>
@@ -20,6 +22,8 @@ between SELinux class and permission val
.BI "security_class_t string_to_security_class(const char *" name ");"
.sp
.BI "access_vector_t string_to_av_perm(security_class_t " tclass ",
const char *" name ");"
+.sp
+.BI "void print_access_vector(security_class_t " tclass ",
access_vector_t " av ");"
.SH "DESCRIPTION"
.B security_class_to_string
@@ -56,11 +60,17 @@ and security class
.IR tclass ,
or zero if no such value exists.
+.B print_access_vector
+displays an access vector in human-readable form on the standard output
+stream.
+
.SH "RETURN VALUE"
.B security_av_string
-returns returns zero on success or \-1 on error with
+returns zero on success or \-1 on error with
.I errno
-set appropriately. All other functions return zero or NULL on error.
+set appropriately.
+.B print_access_vector
+does not return a value. All other functions return zero or NULL on
error.
.SH "ERRORS"
.TP
diff -pruN libselinux/man/man3/security_compute_av.3
libselinux-new/man/man3/security_compute_av.3
--- libselinux/man/man3/security_compute_av.3 2009-11-01
22:23:01.000000000 +0100
+++ libselinux-new/man/man3/security_compute_av.3 2009-11-02
23:34:49.000000000 +0100
@@ -24,6 +24,8 @@ the SELinux policy database in the kerne
.BI "int security_get_initial_context(const char *" name ",
security_context_t
"con );
.sp
+.BI "int selinux_check_passwd_access(access_vector_t " requested );
+.sp
.BI "int checkPasswdAccess(access_vector_t " requested );
.SH "DESCRIPTION"
@@ -65,18 +67,29 @@ instance.
.B security_compute_user
is used to determine the set of user contexts that can be reached from
a
-source context. Is mainly used by
+source context. It is mainly used by
.B get_ordered_context_list.
.B security_get_initial_context
is used to get the context of a kernel initial security identifier
specified by
.I name
+.B selinux_check_passwd_access
+is used to check for a permission in the
+.I passwd
+class.
+.B selinux_check_passwd_access
+uses getprevcon() for the source and target security contexts.
+
+.B checkPasswdAccess
+is a helper function that allows you to check for a permission in the
+.I passwd
+class.
.B checkPasswdAccess
-This functions is a helper functions that allows you to check for a
permission in the passwd class. checkPasswdAccess uses getprevcon() for
the source and target security contexts.
+uses getprevcon() for the source and target security contexts.
.SH "RETURN VALUE"
-0 for success and on error -1 is returned.
+0 for success and on error \-1 is returned.
.SH "SEE ALSO"
.BR selinux "(8), " getcon "(3), " getfilecon "(3), "
get_ordered_context_list "(3)"
diff -pruN libselinux/man/man3/security_disable.3
libselinux-new/man/man3/security_disable.3
--- libselinux/man/man3/security_disable.3 1970-01-01 01:00:00.000000000
+0100
+++ libselinux-new/man/man3/security_disable.3 2009-11-03
00:30:18.000000000 +0100
@@ -0,0 +1,26 @@
+.\" Hey Emacs! This file is -*- nroff -*- source.
+.\"
+.\" Author: Guido Trentalancia (guido@trentalancia.com) 2009
+.TH "security_disable" "3" "02 Nov 2009" "" "SELinux API documentation"
+.SH "NAME"
+security_disable \- disable the SELinux kernel code at runtime.
+
+.SH "SYNOPSIS"
+.B #include <selinux/selinux.h>
+.sp
+.BI "int security_disable(void);"
+
+.SH "DESCRIPTION"
+.B security_disable
+disables the SELinux kernel code, unregisters selinuxfs
from /proc/filesystems,
+and then umounts /selinux.
+
+.SH "RETURN VALUE"
+.B security_disable
+returns returns zero on success or \-1 on error.
+
+.SH "AUTHOR"
+This manual page has been written by Guido Trentalancia
<guido@trentalancia.com>
+
+.SH "SEE ALSO"
+.BR selinux (8),
diff -pruN libselinux/man/man3/security_load_booleans.3
libselinux-new/man/man3/security_load_booleans.3
--- libselinux/man/man3/security_load_booleans.3 2009-11-01
22:23:01.000000000 +0100
+++ libselinux-new/man/man3/security_load_booleans.3 2009-11-02
20:23:28.000000000 +0100
@@ -6,17 +6,19 @@ security_get_boolean_pending \- routines
.SH "SYNOPSIS"
.B #include <selinux/selinux.h>
.sp
-extern int security_load_booleans(char *path);
-
-extern int security_get_boolean_names(char ***names, int *len);
-
-extern int security_get_boolean_pending(const char *name);
-
-extern int security_get_boolean_active(const char *name);
-
-extern int security_set_boolean(const char *name, int value);
-
-extern int security_commit_booleans(void);
+.BI "int security_load_booleans(char *" path ");"
+.sp
+.BI "int security_get_boolean_names(char ***" names ", int *" len ");"
+.sp
+.BI "int security_get_boolean_pending(const char *" name ");"
+.sp
+.BI "int security_get_boolean_active(const char *" name ");"
+.sp
+.BI "int security_set_boolean(const char *" name ", int " value ");"
+.sp
+.BI "int security_set_boolean_list(size_t " boolcnt ", SELboolean *"
boollist ", int " permanent ");"
+.sp
+.BI "int security_commit_booleans(void);"
.SH "DESCRIPTION"
@@ -26,31 +28,37 @@ disabled based on the current values of
These policy booleans allow runtime modification of the security
policy without having to load a new policy.
-The SELinux API allows for a transaction based update. So you can set
several boolean values and the commit them all at once.
+The SELinux API allows for a transaction based update. So you can
+set several boolean values and then commit them all at once.
+
+.B security_load_booleans
+
+loads policy boolean settings. Path may be NULL, in which case the
+booleans are loaded from the active policy boolean configuration file.
-security_load_booleans
+.B security_get_boolean_names
-Load policy boolean settings. Path may be NULL, in which case the
booleans are loaded from the active policy boolean configuration file.
+returns a list of boolean names, currently supported by the loaded
policy.
-security_get_boolean_names
+.B security_get_boolean_pending
-Returns a list of boolean names, currently supported by the loaded
policy.
+returns pending value for boolean
-security_set_boolean
+.B security_get_boolean_active
-Sets the pending value for boolean
+returns active value for boolean
-security_get_boolean_pending
+.B security_set_boolean
-Return pending value for boolean
+sets the pending value for boolean
-security_get_boolean_active
+.B security_set_boolean_list
-Return active value for boolean
+saves a list of booleans in a single transaction.
-security_commit_booleans
+.B security_commit_booleans
-Commit all pending values for the booleans.
+commits all pending values for the booleans.
.SH AUTHOR
This manual page was written by Dan Walsh <dwalsh@redhat.com>.
diff -pruN libselinux/man/man3/security_load_policy.3
libselinux-new/man/man3/security_load_policy.3
--- libselinux/man/man3/security_load_policy.3 2009-11-01
22:23:01.000000000 +0100
+++ libselinux-new/man/man3/security_load_policy.3 2009-11-03
00:30:45.000000000 +0100
@@ -1,14 +1,46 @@
-.TH "security_load_policy" "3" "1 January 2004" "russell@coker.com.au"
"SELinux API documentation"
+.TH "security_load_policy" "3" "3 November 2009"
"guido@trentalancia.com" "SELinux API documentation"
.SH "NAME"
security_load_policy \- load a new SELinux policy
.SH "SYNOPSIS"
.B #include <selinux/selinux.h>
.sp
.BI "int security_load_policy(void *" data ", size_t "len );
+.sp
+.BI "int selinux_mkload_policy(int " preservebools ");"
+.sp
+.BI "int selinux_init_load_policy(int *" enforce ");"
.SH "DESCRIPTION"
.B security_load_policy
-loads a new policy, returns 0 for success and -1 for error.
+loads a new policy, returns 0 for success and \-1 for error.
+
+.B selinux_mkload_policy
+makes a policy image and loads it. This function provides a higher
level
+interface for loading policy than
+.B security_load_policy,
+internally determining the right policy version, locating and opening
+the policy file, mapping it into memory, manipulating it as needed for
+current boolean settings and/or local definitions, and then calling
+security_load_policy to load it.
+.I preservebools
+is a boolean flag indicating whether current policy boolean values
should
+be preserved into the new policy (if 1) or reset to the saved policy
+settings (if 0). The former case is the default for policy reloads,
while
+the latter case is an option for policy reloads but is primarily used
for
+the initial policy load.
+.B selinux_init_load_policy
+performs the initial policy load. This function determines the desired
+enforcing mode, sets the
+.I enforce
+argument accordingly for the caller to use, sets the SELinux kernel
+enforcing status to match it, and loads the policy. It also internally
+handles the initial selinuxfs mount required to perform these actions.
+
+.SH "RETURN VALUE"
+returns zero on success or \-1 on error.
+
+.SH "AUTHOR"
+This manual page has been written by Guido Trentalancia
<guido@trentalancia.com>
.SH "SEE ALSO"
.BR selinux "(8)"
diff -pruN libselinux/man/man3/security_mkload_policy.3
libselinux-new/man/man3/security_mkload_policy.3
--- libselinux/man/man3/security_mkload_policy.3 1970-01-01
01:00:00.000000000 +0100
+++ libselinux-new/man/man3/security_mkload_policy.3 2009-11-03
00:21:00.000000000 +0100
@@ -0,0 +1 @@
+.so man3/security_load_policy.3
diff -pruN libselinux/man/man3/selinux_lsetfilecon_default.3
libselinux-new/man/man3/selinux_lsetfilecon_default.3
--- libselinux/man/man3/selinux_lsetfilecon_default.3 1970-01-01
01:00:00.000000000 +0100
+++ libselinux-new/man/man3/selinux_lsetfilecon_default.3 2009-11-03
00:45:13.000000000 +0100
@@ -0,0 +1 @@
+.so man3/matchpathcon.3
diff -pruN libselinux/man/man3/set_selinuxmnt.3
libselinux-new/man/man3/set_selinuxmnt.3
--- libselinux/man/man3/set_selinuxmnt.3 1970-01-01 01:00:00.000000000
+0100
+++ libselinux-new/man/man3/set_selinuxmnt.3 2009-11-03
00:08:40.000000000 +0100
@@ -0,0 +1 @@
+.so man3/init_selinuxmnt.3
[-- Attachment #2: new-manpages.patch --]
[-- Type: text/x-patch, Size: 16755 bytes --]
diff -pruN libselinux/man/man3/fini_selinuxmnt.3 libselinux-new/man/man3/fini_selinuxmnt.3
--- libselinux/man/man3/fini_selinuxmnt.3 1970-01-01 01:00:00.000000000 +0100
+++ libselinux-new/man/man3/fini_selinuxmnt.3 2009-11-03 00:09:04.000000000 +0100
@@ -0,0 +1 @@
+.so man3/init_selinuxmnt.3
diff -pruN libselinux/man/man3/init_selinuxmnt.3 libselinux-new/man/man3/init_selinuxmnt.3
--- libselinux/man/man3/init_selinuxmnt.3 1970-01-01 01:00:00.000000000 +0100
+++ libselinux-new/man/man3/init_selinuxmnt.3 2009-11-03 00:30:08.000000000 +0100
@@ -0,0 +1,31 @@
+.\" Hey Emacs! This file is -*- nroff -*- source.
+.\"
+.\" Author: Guido Trentalancia (guido@trentalancia.com) 2009
+.TH "init_selinuxmnt" "3" "02 Nov 2009" "" "SELinux API documentation"
+.SH "NAME"
+init_selinuxmnt \- initialize the global variable selinux_mnt.
+
+.SH "SYNOPSIS"
+.BI "static void init_selinuxmnt(void);"
+.sp
+.BI "static void fini_selinuxmnt(void);"
+.sp
+.BI "void set_selinuxmnt(char *" mnt ");"
+
+.SH "DESCRIPTION"
+.B init_selinuxmnt
+initializes the global variable selinux_mnt to the selinuxfs mountpoint.
+
+.B fini_selinuxmnt
+deinitializes the global variable selinux_mnt that stores the selinuxfs
+mountpoint.
+
+.B set_selinuxmnt
+changes the selinuxfs mountpoint to
+.I mnt.
+
+.SH "AUTHOR"
+This manual page has been written by Guido Trentalancia <guido@trentalancia.com>
+
+.SH "SEE ALSO"
+.BR selinux (8),
diff -pruN libselinux/man/man3/matchpathcon.3 libselinux-new/man/man3/matchpathcon.3
--- libselinux/man/man3/matchpathcon.3 2009-11-01 22:23:01.000000000 +0100
+++ libselinux-new/man/man3/matchpathcon.3 2009-11-03 00:44:53.000000000 +0100
@@ -7,21 +7,35 @@ matchpathcon \- get the default SELinux
.sp
.BI "int matchpathcon_init(const char *" path ");"
+.BI "int matchpathcon_init_prefix(const char *" path ", const char *" subset ");"
+
.BI "int matchpathcon_fini(void);"
-.BI "int matchpathcon(const char *" path ", mode_t " mode ", security_context_t *" con);
+.BI "int matchpathcon(const char *" path ", mode_t " mode ", security_context_t *" con ");
+.sp
+
+.BI "int matchpathcon_index(const char *" name ", mode_t " mode ", security_context_t * " con ");"
+
+.BI "int matchpathcon_filespec_add(ino_t " ino ", int " specind ", const char *" file ");"
+
+.BI "void matchpathcon_filespec_destroy(void);"
+
+.BI "void matchpathcon_filespec_eval(void);"
+
+.BI "void matchpathcon_checkmatches(char *" str ");"
.sp
.BI "void set_matchpathcon_printf(void (*" f ")(const char *" fmt ", ...));"
-.BI "void set_matchpathcon_invalidcon(int (*" f ")(const char *"path ", unsigned " lineno ", char * " context "));"
+.BI "void set_matchpathcon_invalidcon(int (*" f ")(const char *" path ", unsigned " lineno ", char * " context "));"
.BI "void set_matchpathcon_flags(unsigned int " flags ");"
-.BI "int selinux_file_context_cmp(const security_context_t a,
- const security_context_t b);"
+.BI "int selinux_file_context_cmp(const security_context_t " a ", const security_context_t " b ");"
-.BI "int selinux_file_context_verify(const char *path, mode_t mode);"
+.BI "int selinux_file_context_verify(const char *" path ", mode_t " mode ");"
+
+.BI "int selinux_lsetfilecon_default(const char *" path ");"
.SH "DESCRIPTION"
.B matchpathcon_init
@@ -44,7 +58,16 @@ and
.B .local
suffix are also looked up and loaded if present. These files provide
dynamically generated entries for user home directories and for local
-customizations.
+customizations. Returns zero on success or \-1 on error.
+
+.sp
+.B matchpathcon_init_prefix
+is the same as
+.B matchpathcon_init
+but only loads entries with regexes that have stems that are prefixes
+of
+.I prefix.
+Returns zero on success or \-1 on error.
.sp
.B matchpathcon_fini
@@ -78,6 +101,43 @@ its first invocation with a NULL
defaulting to the active file contexts configuration.
.sp
+.B matchpathcon_index
+is the same as
+.B matchpathcon
+but returns a specification index that can be used later in a
+.B matchpathcon_filespec_add
+call.
+.sp
+
+.B matchpathcon_filespec_add
+maintains an association between an inode
+.I ino
+and a specification index
+.I specind,
+and checks whether a conflicting specification is already associated
+with the same inode (e.g. due to multiple hard links). If so, then
+it uses the latter of the two specifications based on their order in the
+.I file
+context configuration. Returns the specification index used or \-1 on
+error.
+.sp
+
+.B matchpathcon_filespec_destroy
+destroys any inode associations that have been added, e.g. to restart
+for a new filesystem.
+.sp
+
+.B matchpathcon_filespec_eval
+displays statistics on the hash table usage for the inode associations.
+.sp
+
+.B matchpathcon_checkmatches
+checks whether any specification has no matches and reports them.
+The
+.I str
+argument is used as a prefix for any warning messages.
+.sp
+
.B set_matchpathcon_printf
sets the function used by
.B matchpathcon_init
@@ -98,7 +158,7 @@ This can be set to instead perform check
e.g. using
.B sepol_check_context(3),
as is done by
-.B setfiles -c.
+.B setfiles \-c.
The function is also responsible for reporting any such error, and
may include the
.I path
@@ -122,10 +182,13 @@ compares two file contexts to see if the
.sp
.B selinux_file_context_verify
compares the file context on disk to the system default.
+.sp
+.B selinux_lsetfilecon_default
+sets the file context to the system defaults.
.sp
.SH "RETURN VALUE"
-Returns 0 on success or -1 otherwise.
+Returns zero on success or \-1 otherwise.
.SH "SEE ALSO"
.BR selinux "(8), " freecon "(3), " setfilecon "(3), " setfscreatecon "(3)"
diff -pruN libselinux/man/man3/matchpathcon_checkmatches.3 libselinux-new/man/man3/matchpathcon_checkmatches.3
--- libselinux/man/man3/matchpathcon_checkmatches.3 1970-01-01 01:00:00.000000000 +0100
+++ libselinux-new/man/man3/matchpathcon_checkmatches.3 2009-11-02 17:54:56.000000000 +0100
@@ -0,0 +1 @@
+.so man3/matchpathcon.3
diff -pruN libselinux/man/man3/print_access_vector.3 libselinux-new/man/man3/print_access_vector.3
--- libselinux/man/man3/print_access_vector.3 1970-01-01 01:00:00.000000000 +0100
+++ libselinux-new/man/man3/print_access_vector.3 2009-11-02 19:34:40.000000000 +0100
@@ -0,0 +1 @@
+.so man3/security_class_to_string.3
diff -pruN libselinux/man/man3/security_class_to_string.3 libselinux-new/man/man3/security_class_to_string.3
--- libselinux/man/man3/security_class_to_string.3 2009-11-01 22:23:01.000000000 +0100
+++ libselinux-new/man/man3/security_class_to_string.3 2009-11-03 00:23:55.000000000 +0100
@@ -6,6 +6,8 @@
security_class_to_string, security_av_perm_to_string, string_to_security_class, string_to_av_perm, security_av_string \- convert
between SELinux class and permission values and string names.
+print_access_vector \- display an access vector in human-readable form.
+
.SH "SYNOPSIS"
.B #include <selinux/selinux.h>
@@ -20,6 +22,8 @@ between SELinux class and permission val
.BI "security_class_t string_to_security_class(const char *" name ");"
.sp
.BI "access_vector_t string_to_av_perm(security_class_t " tclass ", const char *" name ");"
+.sp
+.BI "void print_access_vector(security_class_t " tclass ", access_vector_t " av ");"
.SH "DESCRIPTION"
.B security_class_to_string
@@ -56,11 +60,17 @@ and security class
.IR tclass ,
or zero if no such value exists.
+.B print_access_vector
+displays an access vector in human-readable form on the standard output
+stream.
+
.SH "RETURN VALUE"
.B security_av_string
-returns returns zero on success or \-1 on error with
+returns zero on success or \-1 on error with
.I errno
-set appropriately. All other functions return zero or NULL on error.
+set appropriately.
+.B print_access_vector
+does not return a value. All other functions return zero or NULL on error.
.SH "ERRORS"
.TP
diff -pruN libselinux/man/man3/security_compute_av.3 libselinux-new/man/man3/security_compute_av.3
--- libselinux/man/man3/security_compute_av.3 2009-11-01 22:23:01.000000000 +0100
+++ libselinux-new/man/man3/security_compute_av.3 2009-11-02 23:34:49.000000000 +0100
@@ -24,6 +24,8 @@ the SELinux policy database in the kerne
.BI "int security_get_initial_context(const char *" name ", security_context_t
"con );
.sp
+.BI "int selinux_check_passwd_access(access_vector_t " requested );
+.sp
.BI "int checkPasswdAccess(access_vector_t " requested );
.SH "DESCRIPTION"
@@ -65,18 +67,29 @@ instance.
.B security_compute_user
is used to determine the set of user contexts that can be reached from a
-source context. Is mainly used by
+source context. It is mainly used by
.B get_ordered_context_list.
.B security_get_initial_context
is used to get the context of a kernel initial security identifier specified by
.I name
+.B selinux_check_passwd_access
+is used to check for a permission in the
+.I passwd
+class.
+.B selinux_check_passwd_access
+uses getprevcon() for the source and target security contexts.
+
+.B checkPasswdAccess
+is a helper function that allows you to check for a permission in the
+.I passwd
+class.
.B checkPasswdAccess
-This functions is a helper functions that allows you to check for a permission in the passwd class. checkPasswdAccess uses getprevcon() for the source and target security contexts.
+uses getprevcon() for the source and target security contexts.
.SH "RETURN VALUE"
-0 for success and on error -1 is returned.
+0 for success and on error \-1 is returned.
.SH "SEE ALSO"
.BR selinux "(8), " getcon "(3), " getfilecon "(3), " get_ordered_context_list "(3)"
diff -pruN libselinux/man/man3/security_disable.3 libselinux-new/man/man3/security_disable.3
--- libselinux/man/man3/security_disable.3 1970-01-01 01:00:00.000000000 +0100
+++ libselinux-new/man/man3/security_disable.3 2009-11-03 00:30:18.000000000 +0100
@@ -0,0 +1,26 @@
+.\" Hey Emacs! This file is -*- nroff -*- source.
+.\"
+.\" Author: Guido Trentalancia (guido@trentalancia.com) 2009
+.TH "security_disable" "3" "02 Nov 2009" "" "SELinux API documentation"
+.SH "NAME"
+security_disable \- disable the SELinux kernel code at runtime.
+
+.SH "SYNOPSIS"
+.B #include <selinux/selinux.h>
+.sp
+.BI "int security_disable(void);"
+
+.SH "DESCRIPTION"
+.B security_disable
+disables the SELinux kernel code, unregisters selinuxfs from /proc/filesystems,
+and then umounts /selinux.
+
+.SH "RETURN VALUE"
+.B security_disable
+returns returns zero on success or \-1 on error.
+
+.SH "AUTHOR"
+This manual page has been written by Guido Trentalancia <guido@trentalancia.com>
+
+.SH "SEE ALSO"
+.BR selinux (8),
diff -pruN libselinux/man/man3/security_load_booleans.3 libselinux-new/man/man3/security_load_booleans.3
--- libselinux/man/man3/security_load_booleans.3 2009-11-01 22:23:01.000000000 +0100
+++ libselinux-new/man/man3/security_load_booleans.3 2009-11-02 20:23:28.000000000 +0100
@@ -6,17 +6,19 @@ security_get_boolean_pending \- routines
.SH "SYNOPSIS"
.B #include <selinux/selinux.h>
.sp
-extern int security_load_booleans(char *path);
-
-extern int security_get_boolean_names(char ***names, int *len);
-
-extern int security_get_boolean_pending(const char *name);
-
-extern int security_get_boolean_active(const char *name);
-
-extern int security_set_boolean(const char *name, int value);
-
-extern int security_commit_booleans(void);
+.BI "int security_load_booleans(char *" path ");"
+.sp
+.BI "int security_get_boolean_names(char ***" names ", int *" len ");"
+.sp
+.BI "int security_get_boolean_pending(const char *" name ");"
+.sp
+.BI "int security_get_boolean_active(const char *" name ");"
+.sp
+.BI "int security_set_boolean(const char *" name ", int " value ");"
+.sp
+.BI "int security_set_boolean_list(size_t " boolcnt ", SELboolean *" boollist ", int " permanent ");"
+.sp
+.BI "int security_commit_booleans(void);"
.SH "DESCRIPTION"
@@ -26,31 +28,37 @@ disabled based on the current values of
These policy booleans allow runtime modification of the security
policy without having to load a new policy.
-The SELinux API allows for a transaction based update. So you can set several boolean values and the commit them all at once.
+The SELinux API allows for a transaction based update. So you can
+set several boolean values and then commit them all at once.
+
+.B security_load_booleans
+
+loads policy boolean settings. Path may be NULL, in which case the
+booleans are loaded from the active policy boolean configuration file.
-security_load_booleans
+.B security_get_boolean_names
-Load policy boolean settings. Path may be NULL, in which case the booleans are loaded from the active policy boolean configuration file.
+returns a list of boolean names, currently supported by the loaded policy.
-security_get_boolean_names
+.B security_get_boolean_pending
-Returns a list of boolean names, currently supported by the loaded policy.
+returns pending value for boolean
-security_set_boolean
+.B security_get_boolean_active
-Sets the pending value for boolean
+returns active value for boolean
-security_get_boolean_pending
+.B security_set_boolean
-Return pending value for boolean
+sets the pending value for boolean
-security_get_boolean_active
+.B security_set_boolean_list
-Return active value for boolean
+saves a list of booleans in a single transaction.
-security_commit_booleans
+.B security_commit_booleans
-Commit all pending values for the booleans.
+commits all pending values for the booleans.
.SH AUTHOR
This manual page was written by Dan Walsh <dwalsh@redhat.com>.
diff -pruN libselinux/man/man3/security_load_policy.3 libselinux-new/man/man3/security_load_policy.3
--- libselinux/man/man3/security_load_policy.3 2009-11-01 22:23:01.000000000 +0100
+++ libselinux-new/man/man3/security_load_policy.3 2009-11-03 00:30:45.000000000 +0100
@@ -1,14 +1,46 @@
-.TH "security_load_policy" "3" "1 January 2004" "russell@coker.com.au" "SELinux API documentation"
+.TH "security_load_policy" "3" "3 November 2009" "guido@trentalancia.com" "SELinux API documentation"
.SH "NAME"
security_load_policy \- load a new SELinux policy
.SH "SYNOPSIS"
.B #include <selinux/selinux.h>
.sp
.BI "int security_load_policy(void *" data ", size_t "len );
+.sp
+.BI "int selinux_mkload_policy(int " preservebools ");"
+.sp
+.BI "int selinux_init_load_policy(int *" enforce ");"
.SH "DESCRIPTION"
.B security_load_policy
-loads a new policy, returns 0 for success and -1 for error.
+loads a new policy, returns 0 for success and \-1 for error.
+
+.B selinux_mkload_policy
+makes a policy image and loads it. This function provides a higher level
+interface for loading policy than
+.B security_load_policy,
+internally determining the right policy version, locating and opening
+the policy file, mapping it into memory, manipulating it as needed for
+current boolean settings and/or local definitions, and then calling
+security_load_policy to load it.
+.I preservebools
+is a boolean flag indicating whether current policy boolean values should
+be preserved into the new policy (if 1) or reset to the saved policy
+settings (if 0). The former case is the default for policy reloads, while
+the latter case is an option for policy reloads but is primarily used for
+the initial policy load.
+.B selinux_init_load_policy
+performs the initial policy load. This function determines the desired
+enforcing mode, sets the
+.I enforce
+argument accordingly for the caller to use, sets the SELinux kernel
+enforcing status to match it, and loads the policy. It also internally
+handles the initial selinuxfs mount required to perform these actions.
+
+.SH "RETURN VALUE"
+returns zero on success or \-1 on error.
+
+.SH "AUTHOR"
+This manual page has been written by Guido Trentalancia <guido@trentalancia.com>
.SH "SEE ALSO"
.BR selinux "(8)"
diff -pruN libselinux/man/man3/security_mkload_policy.3 libselinux-new/man/man3/security_mkload_policy.3
--- libselinux/man/man3/security_mkload_policy.3 1970-01-01 01:00:00.000000000 +0100
+++ libselinux-new/man/man3/security_mkload_policy.3 2009-11-03 00:21:00.000000000 +0100
@@ -0,0 +1 @@
+.so man3/security_load_policy.3
diff -pruN libselinux/man/man3/selinux_lsetfilecon_default.3 libselinux-new/man/man3/selinux_lsetfilecon_default.3
--- libselinux/man/man3/selinux_lsetfilecon_default.3 1970-01-01 01:00:00.000000000 +0100
+++ libselinux-new/man/man3/selinux_lsetfilecon_default.3 2009-11-03 00:45:13.000000000 +0100
@@ -0,0 +1 @@
+.so man3/matchpathcon.3
diff -pruN libselinux/man/man3/set_selinuxmnt.3 libselinux-new/man/man3/set_selinuxmnt.3
--- libselinux/man/man3/set_selinuxmnt.3 1970-01-01 01:00:00.000000000 +0100
+++ libselinux-new/man/man3/set_selinuxmnt.3 2009-11-03 00:08:40.000000000 +0100
@@ -0,0 +1 @@
+.so man3/init_selinuxmnt.3
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: Contributed manual pages for libselinux
2009-11-02 23:57 Contributed manual pages for libselinux Guido Trentalancia
@ 2009-11-21 2:42 ` Eamon Walsh
2009-11-21 19:51 ` Guido Trentalancia
2009-11-21 22:03 ` [PATCH] Support for long-options in policycoreutils and checkpolicy (Ticket #1 [1672486]) Guido Trentalancia
0 siblings, 2 replies; 10+ messages in thread
From: Eamon Walsh @ 2009-11-21 2:42 UTC (permalink / raw)
To: Guido Trentalancia; +Cc: SELinux, Joshua Brindle
On 11/02/2009 06:57 PM, Guido Trentalancia wrote:
> Hello !
>
> I found from http://userspace.selinuxproject.org/trac/wiki/Todo that the
> following manual pages were missing for libselinux:
>
[Added some cc's]
Hi, thanks for doing this. Some quick review below.
> * matchpathcon_checkmatches
> * matchpathcon_filespec_add
> * matchpathcon_filespec_destroy
> * matchpathcon_filespec_eval
> * matchpathcon_index
> * matchpathcon_init_prefix
>
There is too much in matchpathcon(3) now. It's going to need to be
split up into different pages, perhaps the init/fini/teardown stuff in
one page, the lookup calls in another, and the non-matchpathcon prefixed
calls in a third page.
Also, .so manpage links are needed for all the calls here.
> * print_access_vector
>
Looks good.
> * security_disable
>
See the selinux.h comments for this. It needs to be documented that
this function can only be called at startup time.
> * security_set_boolean_list
>
a RETURN VALUE section is needed in this page, documenting at least this
call if not the others in that page.
> * selinux_check_passwd_access
>
This is a replacement for the inconsistently named "checkPasswdAccess"
function. So, the existing description of checkPasswdAccess should be
moved to this function, and checkPasswdAccess should be changed to "this
is a deprecated alias for selinux_check_passwd_access".
> * selinux_init_load_policy
>
A paragraph break is needed in the DESCRIPTION section before this function.
> * selinux_lsetfilecon_default
>
See notes above about the matchpathcon manpage.
> * selinux_mkload_policy
>
Looks good.
> * set_selinuxmnt
>
This manpage includes two static functions that are not part of the
libselinux API (at least, not anymore) and should be removed.
Also, I'm not comfortable with the description given. Instead, use the
comments in selinux.h, which are more accurate and verbose.
--
Eamon Walsh
National Security Agency
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: Contributed manual pages for libselinux
2009-11-21 2:42 ` Eamon Walsh
@ 2009-11-21 19:51 ` Guido Trentalancia
2009-11-27 19:23 ` Joshua Brindle
2009-11-27 20:03 ` Joshua Brindle
2009-11-21 22:03 ` [PATCH] Support for long-options in policycoreutils and checkpolicy (Ticket #1 [1672486]) Guido Trentalancia
1 sibling, 2 replies; 10+ messages in thread
From: Guido Trentalancia @ 2009-11-21 19:51 UTC (permalink / raw)
To: SELinux; +Cc: ewalsh
[-- Attachment #1.1: Type: text/plain, Size: 7498 bytes --]
Hello Eamon !
On Fri, 2009-11-20 at 21:42 -0500, Eamon Walsh wrote:
> Hi, thanks for doing this. Some quick review below.
You are welcome, I suppose it was a boring task for many...
Thanks very much for reviewing the changes. And please accept my
apologies for not placing "[PATCH]" in the subject of the original post.
I had just subscribed to the list.
I left you cc address intact here...
> There is too much in matchpathcon(3) now. It's going to need to be
> split up into different pages, perhaps the init/fini/teardown stuff in
> one page, the lookup calls in another, and the non-matchpathcon prefixed
> calls in a third page.
>
> Also, .so manpage links are needed for all the calls here.
Yes, matchpathcon is a mess. Following your guidelines, I have now
splitted the huge and messy page in several different man pages. It's
easier to consult and easier to maintain.
The first part (page) is strictly related to _init, its variant
_init_index, _fini, matchpathcon and its variant matchpathcon_index.
Nice and concise. References are provided in the "SEE ALSO" section to
the rest.
The second page describes the auxiliary lookup calls
(matchpathcon_checkmatches) and the inode associations functions
(matchpathcon_filespec_{add,destroy,eval}). The reference section points
to the main matchpathcon page.
A third page has been created for the functions that are used to set the
flags (set_matchpathcon_flags) or to configure the behaviour of the main
matchpathcon functions (set_matchpathcon_invalidcon and
set_matchpathcon_printf).
A fourth and fifth page is devoted to functions that should never had
ended up in matchpathcon (selinux_file_context_cmp and
selinux_file_context_verify in one page and selinux_lsetfilecon_default
in another one): we do not really need to save electrons needed for new
pages...
>
>
> > * print_access_vector
> >
>
> Looks good.
No modifications.
> > * security_disable
> >
>
> See the selinux.h comments for this. It needs to be documented that
> this function can only be called at startup time.
Ok. I have stressed that now and also mentioned that after the policy
has been loaded at startup, then only "setenforce" can be used to alter
(not disable) the mode of the SELinux kernel code (for example by
placing it into "permissive" mode).
> > * security_set_boolean_list
> >
>
> a RETURN VALUE section is needed in this page, documenting at least this
> call if not the others in that page.
I have now added a "RETURN VALUE" section.
Also, to avoid confusion, I have rephrased the word "returns" in
"provides" when not strictly referring the to the return value of the
function (take for example security_get_boolean_names(), strictly
speaking the function returns an integer representing 0=success or
-1=failure, although from a conceptual point of view it also returns a
list trough modification of one of its parameters passed by reference).
Usually when an application developer looks at the "RETURN VALUE"
section it is because he/she has already planned/coded the call to the
function (and thus also the handling to parameters passed by reference)
and only needs to check for the function exit status so that it can be
handled properly at the call point.
> > * selinux_check_passwd_access
> >
>
> This is a replacement for the inconsistently named "checkPasswdAccess"
> function. So, the existing description of checkPasswdAccess should be
> moved to this function, and checkPasswdAccess should be changed to "this
> is a deprecated alias for selinux_check_passwd_access".
Yes, I have now mentioned that checkPasswdAccess is deprecated. We are
referring to file security_compute_av.3 as the description of these two
functions lives there...
By the way, it has been pointed out that this function should not
hard-code a string. I also agree with him, there is a generic constant
for such "passwd" object class, it is defined in flask.h could be used
instead of the string, thus avoiding hard-coding and also allowing to
save a few cycles and be theoretically future-proof (if ever the name
would change, say to "password", "auth-token" or anything else).
--- libselinux/src/checkAccess.c.orig 2009-11-21 20:07:21.000000000
+0100
+++ libselinux/src/checkAccess.c 2009-11-21 20:08:36.000000000
+0100
@@ -13,17 +13,12 @@ int selinux_check_passwd_access(access_v
if (is_selinux_enabled() == 0)
return 0;
if (getprevcon_raw(&user_context) == 0) {
- security_class_t passwd_class;
struct av_decision avd;
int retval;
- passwd_class = string_to_security_class("passwd");
- if (passwd_class == 0)
- return 0;
-
retval = security_compute_av_raw(user_context,
user_context,
- passwd_class,
+ SECCLASS_PASSWD,
requested,
&avd);
Note that the above code, should really live in the application and not
in the selinux library. It used to be like that, then for some reason it
has been introduced. Redhat's passwd and cronie are calling the library
function and thus at the moment they rely on it. But for example,
util-linux-ng has the code in it and does not call this function, as I
believe it should be. A very minor issue anyway...
> > * selinux_init_load_policy
> >
>
> A paragraph break is needed in the DESCRIPTION section before this function.
Done. I have also added a note to the already mentioned fact that after
initial policy load, SELinux cannot be anymore disabled using calls to
security_disable(3).
> > * selinux_lsetfilecon_default
> >
>
> See notes above about the matchpathcon manpage.
Yes, separate man page now.
> > * selinux_mkload_policy
> >
>
> Looks good.
No modifications.
> > * set_selinuxmnt
> >
>
> This manpage includes two static functions that are not part of the
> libselinux API (at least, not anymore) and should be removed.
>
> Also, I'm not comfortable with the description given. Instead, use the
> comments in selinux.h, which are more accurate and verbose.
>
Please let me know if things are any better now.
I did also provide on the same day a patch for beautifying and improving
the command-line option parsing of a few utilities (a ticket had been
created by somebody). That patch provides those improvement according to
GNU-style parsing of "help" and "version" options (including long-option
variants). I think it also fixes a couple of typos here and there. Feel
free to include that patch too if you like it, so that the ticket can be
closed ! I will attach it again in another separate message: it has been
slightly modified in order to apply cleanly to the latest git snapshot.
More important, I was also thinking about fingerprinting (and
subsequently checking) the libraries with some cryptographic hash
function such as the NIST-recommended SHA2. It is beginning to be done
for security-related projects like OpenSSL, so I believe it is even more
essential for SELinux. Ever thought about anything like that ?
Best regards,
Guido
[-- Attachment #1.2: new-libselinux-manpages.patch --]
[-- Type: text/x-patch, Size: 30510 bytes --]
diff -pru --new-file selinux-dev-211109/libselinux/man/man3/fini_selinuxmnt.3 selinux-dev-211109-patched/libselinux/man/man3/fini_selinuxmnt.3
--- selinux-dev-211109/libselinux/man/man3/fini_selinuxmnt.3 1970-01-01 01:00:00.000000000 +0100
+++ selinux-dev-211109-patched/libselinux/man/man3/fini_selinuxmnt.3 2009-11-21 16:19:43.000000000 +0100
@@ -0,0 +1 @@
+.so man3/init_selinuxmnt.3
diff -pru --new-file selinux-dev-211109/libselinux/man/man3/init_selinuxmnt.3 selinux-dev-211109-patched/libselinux/man/man3/init_selinuxmnt.3
--- selinux-dev-211109/libselinux/man/man3/init_selinuxmnt.3 1970-01-01 01:00:00.000000000 +0100
+++ selinux-dev-211109-patched/libselinux/man/man3/init_selinuxmnt.3 2009-11-21 20:39:00.000000000 +0100
@@ -0,0 +1,28 @@
+.TH "init_selinuxmnt" "3" "21 Nov 2009" "" "SELinux API documentation"
+.SH "NAME"
+init_selinuxmnt \- initialize the global variable selinux_mnt.
+
+.SH "SYNOPSIS"
+.BI "static void init_selinuxmnt(void);"
+.sp
+.BI "static void fini_selinuxmnt(void);"
+.sp
+.BI "void set_selinuxmnt(char *" mnt ");"
+
+.SH "DESCRIPTION"
+.B init_selinuxmnt
+initializes the global variable selinux_mnt to the selinuxfs mountpoint.
+
+.B fini_selinuxmnt
+deinitializes the global variable selinux_mnt that stores the selinuxfs
+mountpoint.
+
+.B set_selinuxmnt
+changes the selinuxfs mountpoint to
+.I mnt.
+
+.SH "AUTHOR"
+This manual page has been written by Guido Trentalancia <guido@trentalancia.com>
+
+.SH "SEE ALSO"
+.BR selinux (8),
diff -pru --new-file selinux-dev-211109/libselinux/man/man3/matchpathcon.3 selinux-dev-211109-patched/libselinux/man/man3/matchpathcon.3
--- selinux-dev-211109/libselinux/man/man3/matchpathcon.3 2009-11-21 16:09:55.000000000 +0100
+++ selinux-dev-211109-patched/libselinux/man/man3/matchpathcon.3 2009-11-21 20:36:08.000000000 +0100
@@ -1,27 +1,22 @@
-.TH "matchpathcon" "3" "16 March 2005" "sds@tycho.nsa.gov" "SELinux API documentation"
+.TH "matchpathcon" "3" "21 November 2009" "sds@tycho.nsa.gov" "SELinux API documentation"
.SH "NAME"
-matchpathcon \- get the default SELinux security context for the specified path from the file contexts configuration.
+matchpathcon, matchpathcon_index \- get the default SELinux security context for the specified path from the file contexts configuration.
.SH "SYNOPSIS"
.B #include <selinux/selinux.h>
.sp
+
.BI "int matchpathcon_init(const char *" path ");"
-.BI "int matchpathcon_fini(void);"
+.BI "int matchpathcon_init_prefix(const char *" path ", const char *" subset ");"
-.BI "int matchpathcon(const char *" path ", mode_t " mode ", security_context_t *" con);
+.BI "int matchpathcon_fini(void);"
.sp
-.BI "void set_matchpathcon_printf(void (*" f ")(const char *" fmt ", ...));"
-
-.BI "void set_matchpathcon_invalidcon(int (*" f ")(const char *"path ", unsigned " lineno ", char * " context "));"
-
-.BI "void set_matchpathcon_flags(unsigned int " flags ");"
-
-.BI "int selinux_file_context_cmp(const security_context_t a,
- const security_context_t b);"
+.BI "int matchpathcon(const char *" path ", mode_t " mode ", security_context_t *" con ");
+.sp
-.BI "int selinux_file_context_verify(const char *path, mode_t mode);"
+.BI "int matchpathcon_index(const char *" name ", mode_t " mode ", security_context_t * " con ");"
.SH "DESCRIPTION"
.B matchpathcon_init
@@ -37,7 +32,7 @@ i.e. the path returned by
Unless the
.B MATCHPATHCON_BASEONLY
flag has been set via
-.B set_matchpathcon_flags,
+.B set_matchpathcon_flags(3),
files with the same path prefix but a
.B .homedirs
and
@@ -47,6 +42,14 @@ dynamically generated entries for user h
customizations.
.sp
+.B matchpathcon_init_prefix
+is the same as
+.B matchpathcon_init
+but only loads entries with regular expressions that have stems prefixed
+by
+.I prefix.
+
+.sp
.B matchpathcon_fini
frees the memory allocated by a prior call to
.B matchpathcon_init.
@@ -63,7 +66,9 @@ configuration and sets the security cont
to refer to the
resulting context. The caller must free the returned security context
.I con
-using freecon when finished using it.
+using
+.B freecon(3)
+when finished using it.
.I mode
can be 0 to disable mode matching, but
should be provided whenever possible, as it may affect the matching.
@@ -78,54 +83,16 @@ its first invocation with a NULL
defaulting to the active file contexts configuration.
.sp
-.B set_matchpathcon_printf
-sets the function used by
-.B matchpathcon_init
-when displaying errors about the file contexts configuration. If not set,
-then this defaults to fprintf(stderr, fmt, ...). This can be set to redirect
-error reporting to a different destination.
-
-.sp
-.B set_matchpathcon_invalidcon
-sets the function used by
-.B matchpathcon_init
-when checking the validity of a context in the file contexts
-configuration. If not set, then this defaults to a test based
-on
-.B security_check_context(3),
-which checks validity against the active policy on a SELinux system.
-This can be set to instead perform checking based on a binary policy file,
-e.g. using
-.B sepol_check_context(3),
-as is done by
-.B setfiles -c.
-The function is also responsible for reporting any such error, and
-may include the
-.I path
-and
-.I lineno
-in such error messages.
-
+.B matchpathcon_index
+is the same as
+.B matchpathcon
+but returns a specification index that can later be used in a
+.B matchpathcon_filespec_add(3)
+call.
.sp
-.B set_matchpathcon_flags
-sets flags controlling the operation of
-.B matchpathcon_init
-or
-.B matchpathcon.
-If the
-.B MATCHPATHCON_BASEONLY
-flag is set, then only the base file contexts configuration file
-will be processed, not any dynamically generated entries or local customizations.
-.sp
-.B selinux_file_context_cmp
-compares two file contexts to see if their differences are "significant", the function runs the strcmp function ignoring the user componant of the file context.
-.sp
-.B selinux_file_context_verify
-compares the file context on disk to the system default.
-.sp
.SH "RETURN VALUE"
-Returns 0 on success or -1 otherwise.
+Returns zero on success or \-1 otherwise.
.SH "SEE ALSO"
-.BR selinux "(8), " freecon "(3), " setfilecon "(3), " setfscreatecon "(3)"
+.BR selinux "(8), " set_matchpathcon_flags "(3), " set_matchpathcon_invalidcon "(3), " set_matchpathcon_printf "(3), " matchpathcon_filespec_add "(3), " matchpathcon_checkmatches "(3), " freecon "(3), " setfilecon "(3), " setfscreatecon "(3)"
diff -pru --new-file selinux-dev-211109/libselinux/man/man3/matchpathcon_checkmatches.3 selinux-dev-211109-patched/libselinux/man/man3/matchpathcon_checkmatches.3
--- selinux-dev-211109/libselinux/man/man3/matchpathcon_checkmatches.3 1970-01-01 01:00:00.000000000 +0100
+++ selinux-dev-211109-patched/libselinux/man/man3/matchpathcon_checkmatches.3 2009-11-21 18:37:07.000000000 +0100
@@ -0,0 +1,52 @@
+.TH "matchpathcon_checkmatches" "3" "21 November 2009" "sds@tycho.nsa.gov" "SELinux API documentation"
+.SH "NAME"
+matchpathcon_checkmatches, matchpathcon_filespec_add, matchpathcon_filespec_destroy, matchpathcon_filespec_eval \- check and report whether any specification index has no matches with any inode. Maintenance and statistics on inode associations.
+
+.SH "SYNOPSIS"
+.B #include <selinux/selinux.h>
+.sp
+
+.BI "void matchpathcon_checkmatches(char *" str ");"
+.sp
+
+.BI "int matchpathcon_filespec_add(ino_t " ino ", int " specind ", const char *" file ");"
+
+.BI "void matchpathcon_filespec_destroy(void);"
+
+.BI "void matchpathcon_filespec_eval(void);"
+
+.SH "DESCRIPTION"
+.B matchpathcon_checkmatches
+checks whether any specification has no matches and reports them.
+The
+.I str
+argument is used as a prefix for any warning messages.
+.sp
+
+.B matchpathcon_filespec_add
+maintains an association between an inode
+.I ino
+and a specification index
+.I specind,
+and checks whether a conflicting specification is already associated
+with the same inode (e.g. due to multiple hard links). If so, then
+it uses the latter of the two specifications based on their order in the
+.I file
+context configuration. Returns the specification index used or \-1 on
+error.
+.sp
+
+.B matchpathcon_filespec_destroy
+destroys any inode associations that have been added, e.g. to restart
+for a new filesystem.
+.sp
+
+.B matchpathcon_filespec_eval
+displays statistics on the hash table usage for the inode associations.
+
+.sp
+.SH "RETURN VALUE"
+Returns zero on success or \-1 otherwise.
+
+.SH "SEE ALSO"
+.BR selinux "(8), " matchpathcon "(3), " matchpathcon_index "(3), " freecon "(3), " setfilecon "(3), " setfscreatecon "(3)"
diff -pru --new-file selinux-dev-211109/libselinux/man/man3/matchpathcon_filespec_add.3 selinux-dev-211109-patched/libselinux/man/man3/matchpathcon_filespec_add.3
--- selinux-dev-211109/libselinux/man/man3/matchpathcon_filespec_add.3 1970-01-01 01:00:00.000000000 +0100
+++ selinux-dev-211109-patched/libselinux/man/man3/matchpathcon_filespec_add.3 2009-11-21 16:52:05.000000000 +0100
@@ -0,0 +1 @@
+.so man3/matchpathcon_checkmatches.3
diff -pru --new-file selinux-dev-211109/libselinux/man/man3/matchpathcon_filespec_destroy.3 selinux-dev-211109-patched/libselinux/man/man3/matchpathcon_filespec_destroy.3
--- selinux-dev-211109/libselinux/man/man3/matchpathcon_filespec_destroy.3 1970-01-01 01:00:00.000000000 +0100
+++ selinux-dev-211109-patched/libselinux/man/man3/matchpathcon_filespec_destroy.3 2009-11-21 16:52:18.000000000 +0100
@@ -0,0 +1 @@
+.so man3/matchpathcon_checkmatches.3
diff -pru --new-file selinux-dev-211109/libselinux/man/man3/matchpathcon_filespec_eval.3 selinux-dev-211109-patched/libselinux/man/man3/matchpathcon_filespec_eval.3
--- selinux-dev-211109/libselinux/man/man3/matchpathcon_filespec_eval.3 1970-01-01 01:00:00.000000000 +0100
+++ selinux-dev-211109-patched/libselinux/man/man3/matchpathcon_filespec_eval.3 2009-11-21 16:52:26.000000000 +0100
@@ -0,0 +1 @@
+.so man3/matchpathcon_checkmatches.3
diff -pru --new-file selinux-dev-211109/libselinux/man/man3/matchpathcon_index.3 selinux-dev-211109-patched/libselinux/man/man3/matchpathcon_index.3
--- selinux-dev-211109/libselinux/man/man3/matchpathcon_index.3 1970-01-01 01:00:00.000000000 +0100
+++ selinux-dev-211109-patched/libselinux/man/man3/matchpathcon_index.3 2009-11-21 17:54:05.000000000 +0100
@@ -0,0 +1 @@
+.so man3/matchpathcon.3
diff -pru --new-file selinux-dev-211109/libselinux/man/man3/print_access_vector.3 selinux-dev-211109-patched/libselinux/man/man3/print_access_vector.3
--- selinux-dev-211109/libselinux/man/man3/print_access_vector.3 1970-01-01 01:00:00.000000000 +0100
+++ selinux-dev-211109-patched/libselinux/man/man3/print_access_vector.3 2009-11-21 16:19:43.000000000 +0100
@@ -0,0 +1 @@
+.so man3/security_class_to_string.3
diff -pru --new-file selinux-dev-211109/libselinux/man/man3/security_class_to_string.3 selinux-dev-211109-patched/libselinux/man/man3/security_class_to_string.3
--- selinux-dev-211109/libselinux/man/man3/security_class_to_string.3 2009-11-21 16:09:55.000000000 +0100
+++ selinux-dev-211109-patched/libselinux/man/man3/security_class_to_string.3 2009-11-21 16:19:43.000000000 +0100
@@ -6,6 +6,8 @@
security_class_to_string, security_av_perm_to_string, string_to_security_class, string_to_av_perm, security_av_string \- convert
between SELinux class and permission values and string names.
+print_access_vector \- display an access vector in human-readable form.
+
.SH "SYNOPSIS"
.B #include <selinux/selinux.h>
@@ -20,6 +22,8 @@ between SELinux class and permission val
.BI "security_class_t string_to_security_class(const char *" name ");"
.sp
.BI "access_vector_t string_to_av_perm(security_class_t " tclass ", const char *" name ");"
+.sp
+.BI "void print_access_vector(security_class_t " tclass ", access_vector_t " av ");"
.SH "DESCRIPTION"
.B security_class_to_string
@@ -56,11 +60,17 @@ and security class
.IR tclass ,
or zero if no such value exists.
+.B print_access_vector
+displays an access vector in human-readable form on the standard output
+stream.
+
.SH "RETURN VALUE"
.B security_av_string
-returns returns zero on success or \-1 on error with
+returns zero on success or \-1 on error with
.I errno
-set appropriately. All other functions return zero or NULL on error.
+set appropriately.
+.B print_access_vector
+does not return a value. All other functions return zero or NULL on error.
.SH "ERRORS"
.TP
diff -pru --new-file selinux-dev-211109/libselinux/man/man3/security_compute_av.3 selinux-dev-211109-patched/libselinux/man/man3/security_compute_av.3
--- selinux-dev-211109/libselinux/man/man3/security_compute_av.3 2009-11-21 16:09:55.000000000 +0100
+++ selinux-dev-211109-patched/libselinux/man/man3/security_compute_av.3 2009-11-21 20:46:47.000000000 +0100
@@ -24,6 +24,8 @@ the SELinux policy database in the kerne
.BI "int security_get_initial_context(const char *" name ", security_context_t
"con );
.sp
+.BI "int selinux_check_passwd_access(access_vector_t " requested );
+.sp
.BI "int checkPasswdAccess(access_vector_t " requested );
.SH "DESCRIPTION"
@@ -65,18 +67,27 @@ instance.
.B security_compute_user
is used to determine the set of user contexts that can be reached from a
-source context. Is mainly used by
+source context. It is mainly used by
.B get_ordered_context_list.
.B security_get_initial_context
is used to get the context of a kernel initial security identifier specified by
.I name
+.B selinux_check_passwd_access
+is used to check for a permission in the
+.I passwd
+class.
+.B selinux_check_passwd_access
+uses getprevcon() for the source and target security contexts.
+
.B checkPasswdAccess
-This functions is a helper functions that allows you to check for a permission in the passwd class. checkPasswdAccess uses getprevcon() for the source and target security contexts.
+is a deprecated alias of the
+.B selinux_check_passwd_access
+function.
.SH "RETURN VALUE"
-0 for success and on error -1 is returned.
+Returns zero on success or \-1 on error.
.SH "SEE ALSO"
.BR selinux "(8), " getcon "(3), " getfilecon "(3), " get_ordered_context_list "(3)"
diff -pru --new-file selinux-dev-211109/libselinux/man/man3/security_disable.3 selinux-dev-211109-patched/libselinux/man/man3/security_disable.3
--- selinux-dev-211109/libselinux/man/man3/security_disable.3 1970-01-01 01:00:00.000000000 +0100
+++ selinux-dev-211109-patched/libselinux/man/man3/security_disable.3 2009-11-21 18:59:26.000000000 +0100
@@ -0,0 +1,28 @@
+.TH "security_disable" "3" "21 Nov 2009" "" "SELinux API documentation"
+.SH "NAME"
+security_disable \- disable the SELinux kernel code at runtime.
+
+.SH "SYNOPSIS"
+.B #include <selinux/selinux.h>
+.sp
+.BI "int security_disable(void);"
+
+.SH "DESCRIPTION"
+.B security_disable
+disables the SELinux kernel code, unregisters selinuxfs from /proc/filesystems,
+and then unmounts /selinux.
+.sp
+This function can only be called at runtime and prior to the initial policy
+load. After the initial policy load, the SELinux kernel code cannot be disabled,
+but only placed in "permissive" mode by using
+.B setenforce(1).
+
+.SH "RETURN VALUE"
+.B security_disable
+returns zero on success or \-1 on error.
+
+.SH "AUTHOR"
+This manual page has been written by Guido Trentalancia <guido@trentalancia.com>
+
+.SH "SEE ALSO"
+.BR selinux (8), " setenforce "(3)
diff -pru --new-file selinux-dev-211109/libselinux/man/man3/security_load_booleans.3 selinux-dev-211109-patched/libselinux/man/man3/security_load_booleans.3
--- selinux-dev-211109/libselinux/man/man3/security_load_booleans.3 2009-11-21 16:09:55.000000000 +0100
+++ selinux-dev-211109-patched/libselinux/man/man3/security_load_booleans.3 2009-11-21 19:54:30.000000000 +0100
@@ -6,17 +6,19 @@ security_get_boolean_pending \- routines
.SH "SYNOPSIS"
.B #include <selinux/selinux.h>
.sp
-extern int security_load_booleans(char *path);
-
-extern int security_get_boolean_names(char ***names, int *len);
-
-extern int security_get_boolean_pending(const char *name);
-
-extern int security_get_boolean_active(const char *name);
-
-extern int security_set_boolean(const char *name, int value);
-
-extern int security_commit_booleans(void);
+.BI "int security_load_booleans(char *" path ");"
+.sp
+.BI "int security_get_boolean_names(char ***" names ", int *" len ");"
+.sp
+.BI "int security_get_boolean_pending(const char *" name ");"
+.sp
+.BI "int security_get_boolean_active(const char *" name ");"
+.sp
+.BI "int security_set_boolean(const char *" name ", int " value ");"
+.sp
+.BI "int security_set_boolean_list(size_t " boolcnt ", SELboolean *" boollist ", int " permanent ");"
+.sp
+.BI "int security_commit_booleans(void);"
.SH "DESCRIPTION"
@@ -26,31 +28,41 @@ disabled based on the current values of
These policy booleans allow runtime modification of the security
policy without having to load a new policy.
-The SELinux API allows for a transaction based update. So you can set several boolean values and the commit them all at once.
+The SELinux API allows for a transaction based update. So you can
+set several boolean values and then commit them all at once.
+
+.B security_load_booleans
+
+loads policy boolean settings. Path may be NULL, in which case the
+booleans are loaded from the active policy boolean configuration file.
+
+.B security_get_boolean_names
-security_load_booleans
+provides a list of boolean names, currently supported by the loaded policy.
-Load policy boolean settings. Path may be NULL, in which case the booleans are loaded from the active policy boolean configuration file.
+.B security_get_boolean_pending
-security_get_boolean_names
+returns the pending value for boolean or \-1 on failure.
-Returns a list of boolean names, currently supported by the loaded policy.
+.B security_get_boolean_active
-security_set_boolean
+returns the active value for boolean or \-1 on failure.
-Sets the pending value for boolean
+.B security_set_boolean
-security_get_boolean_pending
+sets the pending value for boolean
-Return pending value for boolean
+.B security_set_boolean_list
-security_get_boolean_active
+saves a list of booleans in a single transaction.
-Return active value for boolean
+.B security_commit_booleans
-security_commit_booleans
+commits all pending values for the booleans.
-Commit all pending values for the booleans.
+.SH "RETURN VALUE"
+Where not otherwise stated, functions described in this manual page return
+zero on success or \-1 on error.
.SH AUTHOR
This manual page was written by Dan Walsh <dwalsh@redhat.com>.
diff -pru --new-file selinux-dev-211109/libselinux/man/man3/security_load_policy.3 selinux-dev-211109-patched/libselinux/man/man3/security_load_policy.3
--- selinux-dev-211109/libselinux/man/man3/security_load_policy.3 2009-11-21 16:09:55.000000000 +0100
+++ selinux-dev-211109-patched/libselinux/man/man3/security_load_policy.3 2009-11-21 20:34:35.000000000 +0100
@@ -1,15 +1,58 @@
-.TH "security_load_policy" "3" "1 January 2004" "russell@coker.com.au" "SELinux API documentation"
+.TH "security_load_policy" "3" "3 November 2009" "guido@trentalancia.com" "SELinux API documentation"
.SH "NAME"
security_load_policy \- load a new SELinux policy
+
.SH "SYNOPSIS"
.B #include <selinux/selinux.h>
.sp
.BI "int security_load_policy(void *" data ", size_t "len );
+.sp
+.BI "int selinux_mkload_policy(int " preservebools ");"
+.sp
+.BI "int selinux_init_load_policy(int *" enforce ");"
.SH "DESCRIPTION"
.B security_load_policy
-loads a new policy, returns 0 for success and -1 for error.
+loads a new policy, returns 0 for success and \-1 for error.
+
+.B selinux_mkload_policy
+makes a policy image and loads it. This function provides a higher level
+interface for loading policy than
+.B security_load_policy,
+internally determining the right policy version, locating and opening
+the policy file, mapping it into memory, manipulating it as needed for
+current boolean settings and/or local definitions, and then calling
+security_load_policy to load it.
+.I preservebools
+is a boolean flag indicating whether current policy boolean values should
+be preserved into the new policy (if 1) or reset to the saved policy
+settings (if 0). The former case is the default for policy reloads, while
+the latter case is an option for policy reloads but is primarily used for
+the initial policy load.
+.B selinux_init_load_policy
+performs the initial policy load. This function determines the desired
+enforcing mode, sets the
+.I enforce
+argument accordingly for the caller to use, sets the SELinux kernel
+enforcing status to match it, and loads the policy. It also internally
+handles the initial selinuxfs mount required to perform these actions.
+.sp
+It should also be noted that after the initial policy load, the SELinux
+kernel code cannot anymore be disabled and the selinuxfs cannot be
+unmounted using a call to
+.B security_disable(3).
+Therefore, after the initial policy load, the only operational changes
+are those permitted by
+.B setenforce(3)
+(i.e. eventually setting the framework in permissive mode rather than
+in enforcing one).
+
+.SH "RETURN VALUE"
+returns zero on success or \-1 on error.
+
+.SH "AUTHOR"
+This manual page has been written by Guido Trentalancia <guido@trentalancia.com>
.SH "SEE ALSO"
-.BR selinux "(8)"
+.BR selinux "(8), " security_disable "(3), " setenforce "(1)
diff -pru --new-file selinux-dev-211109/libselinux/man/man3/security_mkload_policy.3 selinux-dev-211109-patched/libselinux/man/man3/security_mkload_policy.3
--- selinux-dev-211109/libselinux/man/man3/security_mkload_policy.3 1970-01-01 01:00:00.000000000 +0100
+++ selinux-dev-211109-patched/libselinux/man/man3/security_mkload_policy.3 2009-11-21 16:19:43.000000000 +0100
@@ -0,0 +1 @@
+.so man3/security_load_policy.3
diff -pru --new-file selinux-dev-211109/libselinux/man/man3/selinux_binary_policy_path.3 selinux-dev-211109-patched/libselinux/man/man3/selinux_binary_policy_path.3
--- selinux-dev-211109/libselinux/man/man3/selinux_binary_policy_path.3 2009-11-21 16:09:55.000000000 +0100
+++ selinux-dev-211109-patched/libselinux/man/man3/selinux_binary_policy_path.3 2009-11-21 17:30:50.000000000 +0100
@@ -68,7 +68,7 @@ selinux_x_context_path() - file containi
.sp
selinux_netfilter_context_path - default netfilter context
.sp
-selinux_file_context_path() - default sysstem file contexts configuration
+selinux_file_context_path() - default system file contexts configuration
.sp
selinux_file_context_local_path() - local customization file contexts configuration
.sp
diff -pru --new-file selinux-dev-211109/libselinux/man/man3/selinux_check_passwd_access.3 selinux-dev-211109-patched/libselinux/man/man3/selinux_check_passwd_access.3
--- selinux-dev-211109/libselinux/man/man3/selinux_check_passwd_access.3 1970-01-01 01:00:00.000000000 +0100
+++ selinux-dev-211109-patched/libselinux/man/man3/selinux_check_passwd_access.3 2009-11-21 20:46:06.000000000 +0100
@@ -0,0 +1 @@
+.so man3/security_compute_av.3
diff -pru --new-file selinux-dev-211109/libselinux/man/man3/selinux_file_context_cmp.3 selinux-dev-211109-patched/libselinux/man/man3/selinux_file_context_cmp.3
--- selinux-dev-211109/libselinux/man/man3/selinux_file_context_cmp.3 2009-11-21 16:09:55.000000000 +0100
+++ selinux-dev-211109-patched/libselinux/man/man3/selinux_file_context_cmp.3 2009-11-21 18:38:56.000000000 +0100
@@ -1 +1,25 @@
-.so man3/matchpathcon.3
+.TH "selinux_file_context_cmp" "3" "21 November 2009" "sds@tycho.nsa.gov" "SELinux API documentation"
+.SH "NAME"
+selinux_file_context_cmp, selinux_file_context_verify \- comparison of two file contexts.
+
+.SH "SYNOPSIS"
+.B #include <selinux/selinux.h>
+.sp
+
+.BI "int selinux_file_context_cmp(const security_context_t " a ", const security_context_t " b ");"
+
+.BI "int selinux_file_context_verify(const char *" path ", mode_t " mode ");"
+
+.SH "DESCRIPTION"
+.B selinux_file_context_cmp
+compares two file contexts to see if their differences are "significant", the function runs the strcmp function ignoring the user componant of the file context.
+.sp
+.B selinux_file_context_verify
+compares the file context on disk to the system default.
+.sp
+
+.SH "RETURN VALUE"
+Returns zero on success or \-1 otherwise.
+
+.SH "SEE ALSO"
+.BR selinux "(8), " selinux_lsetfilecon "(3), " matchpathcon "(3), " freecon "(3), " setfilecon "(3), " setfscreatecon "(3)"
diff -pru --new-file selinux-dev-211109/libselinux/man/man3/selinux_file_context_verify.3 selinux-dev-211109-patched/libselinux/man/man3/selinux_file_context_verify.3
--- selinux-dev-211109/libselinux/man/man3/selinux_file_context_verify.3 2009-11-21 16:09:55.000000000 +0100
+++ selinux-dev-211109-patched/libselinux/man/man3/selinux_file_context_verify.3 2009-11-21 17:33:54.000000000 +0100
@@ -1 +1 @@
-.so man3/matchpathcon.3
+.so man3/selinux_file_context_cmp.3
diff -pru --new-file selinux-dev-211109/libselinux/man/man3/selinux_lsetfilecon_default.3 selinux-dev-211109-patched/libselinux/man/man3/selinux_lsetfilecon_default.3
--- selinux-dev-211109/libselinux/man/man3/selinux_lsetfilecon_default.3 1970-01-01 01:00:00.000000000 +0100
+++ selinux-dev-211109-patched/libselinux/man/man3/selinux_lsetfilecon_default.3 2009-11-21 17:46:14.000000000 +0100
@@ -0,0 +1,20 @@
+.TH "selinux_lsetfilecon_default" "3" "21 November 2009" "sds@tycho.nsa.gov" "SELinux API documentation"
+.SH "NAME"
+selinux_lsetfilecon_default \- set the file context to the system defaults.
+
+.SH "SYNOPSIS"
+.B #include <selinux/selinux.h>
+.sp
+
+.BI "int selinux_lsetfilecon_default(const char *" path ");"
+
+.SH "DESCRIPTION"
+.B selinux_lsetfilecon_default
+sets the file context to the system defaults.
+.sp
+
+.SH "RETURN VALUE"
+Returns zero on success or \-1 otherwise.
+
+.SH "SEE ALSO"
+.BR selinux "(8), " selinux_file_context_cmp "(3), " selinux_file_context_verify "(3), " matchpathcon "(3), " freecon "(3), " setfilecon "(3), " setfscreatecon "(3)"
diff -pru --new-file selinux-dev-211109/libselinux/man/man3/set_matchpathcon_flags.3 selinux-dev-211109-patched/libselinux/man/man3/set_matchpathcon_flags.3
--- selinux-dev-211109/libselinux/man/man3/set_matchpathcon_flags.3 2009-11-21 16:09:55.000000000 +0100
+++ selinux-dev-211109-patched/libselinux/man/man3/set_matchpathcon_flags.3 2009-11-21 18:38:38.000000000 +0100
@@ -1 +1,62 @@
-.so man3/matchpathcon.3
+.TH "set_matchpathcon_flags" "3" "21 November 2009" "sds@tycho.nsa.gov" "SELinux API documentation"
+.SH "NAME"
+set_matchpathcon_flags, set_matchpathcon_invalidcon, set_matchpathcon_printf \- set flags controlling the operation of matchpathcon or matchpathcon_index and configure the behaviour of validity checking and error displaying.
+
+.SH "SYNOPSIS"
+.B #include <selinux/selinux.h>
+.sp
+
+.BI "void set_matchpathcon_flags(unsigned int " flags ");"
+
+.BI "void set_matchpathcon_invalidcon(int (*" f ")(const char *" path ", unsigned " lineno ", char * " context "));"
+
+.BI "void set_matchpathcon_printf(void (*" f ")(const char *" fmt ", ...));"
+
+.SH "DESCRIPTION"
+.B set_matchpathcon_flags
+sets the flags controlling the operation of
+.B matchpathcon_init
+and subsequently
+.B matchpathcon_index
+or
+.B matchpathcon.
+If the
+.B MATCHPATHCON_BASEONLY
+flag is set, then only the base file contexts configuration file
+will be processed, not any dynamically generated entries or local customizations.
+.sp
+
+.B set_matchpathcon_invalidcon
+sets the function used by
+.B matchpathcon_init
+when checking the validity of a context in the file contexts
+configuration. If not set, then this defaults to a test based
+on
+.B security_check_context(3),
+which checks validity against the active policy on a SELinux system.
+This can be set to instead perform checking based on a binary policy file,
+e.g. using
+.B sepol_check_context(3),
+as is done by
+.B setfiles \-c.
+The function is also responsible for reporting any such error, and
+may include the
+.I path
+and
+.I lineno
+in such error messages.
+.sp
+
+.B set_matchpathcon_printf
+sets the function used by
+.B matchpathcon_init
+when displaying errors about the file contexts configuration. If not set,
+then this defaults to fprintf(stderr, fmt, ...). This can be set to redirect
+error reporting to a different destination.
+.sp
+
+.SH "RETURN VALUE"
+Returns zero on success or \-1 otherwise.
+
+.SH "SEE ALSO"
+.BR selinux "(8), " matchpathcon "(3), " matchpathcon_index "(3), " set_matchpathcon_invalidcon "(3), " set_matchpathcon_printf "(3), " freecon "(3), " setfilecon "(3), " setfscreatecon "(3)"
diff -pru --new-file selinux-dev-211109/libselinux/man/man3/set_matchpathcon_invalidcon.3 selinux-dev-211109-patched/libselinux/man/man3/set_matchpathcon_invalidcon.3
--- selinux-dev-211109/libselinux/man/man3/set_matchpathcon_invalidcon.3 1970-01-01 01:00:00.000000000 +0100
+++ selinux-dev-211109-patched/libselinux/man/man3/set_matchpathcon_invalidcon.3 2009-11-21 18:38:26.000000000 +0100
@@ -0,0 +1 @@
+.so man3/set_matchpathcon_flags.3
diff -pru --new-file selinux-dev-211109/libselinux/man/man3/set_matchpathcon_printf.3 selinux-dev-211109-patched/libselinux/man/man3/set_matchpathcon_printf.3
--- selinux-dev-211109/libselinux/man/man3/set_matchpathcon_printf.3 2009-11-21 16:09:55.000000000 +0100
+++ selinux-dev-211109-patched/libselinux/man/man3/set_matchpathcon_printf.3 2009-11-21 17:11:09.000000000 +0100
@@ -1 +1 @@
-.so man3/matchpathcon.3
+.so man3/set_matchpathcon_flags.3
diff -pru --new-file selinux-dev-211109/libselinux/man/man3/set_selinuxmnt.3 selinux-dev-211109-patched/libselinux/man/man3/set_selinuxmnt.3
--- selinux-dev-211109/libselinux/man/man3/set_selinuxmnt.3 1970-01-01 01:00:00.000000000 +0100
+++ selinux-dev-211109-patched/libselinux/man/man3/set_selinuxmnt.3 2009-11-21 16:19:43.000000000 +0100
@@ -0,0 +1 @@
+.so man3/init_selinuxmnt.3
[-- Attachment #2: smime.p7s --]
[-- Type: application/x-pkcs7-signature, Size: 5186 bytes --]
^ permalink raw reply [flat|nested] 10+ messages in thread
* [PATCH] Support for long-options in policycoreutils and checkpolicy (Ticket #1 [1672486])
2009-11-21 2:42 ` Eamon Walsh
2009-11-21 19:51 ` Guido Trentalancia
@ 2009-11-21 22:03 ` Guido Trentalancia
2009-11-27 18:42 ` Joshua Brindle
1 sibling, 1 reply; 10+ messages in thread
From: Guido Trentalancia @ 2009-11-21 22:03 UTC (permalink / raw)
To: Eamon Walsh; +Cc: SELinux
[-- Attachment #1.1: Type: text/plain, Size: 1431 bytes --]
Dear Eamon,
here are the two "maintenance" patches that I did post earlier this
month (along with the new manual pages). They are intended to close
Ticket #1 [1672486] that I found open on Tresys pages
(http://userspace.selinuxproject.org/trac/ticket/1).
I do apologize for not putting the keyword "[PATCH]" in the original
message.
Here is a summary of what has been changed for policycoreutils:
- introduced proper handling of -h, -V options and their respective long
formats --help and --version to all binaries that are produced from C
code. The same issue is not tackled for Python-based tools (e.g.
semanage);
- relative manual pages have also been updated accordingly.
And here is what has been changed for checkpolicy/checkmodule:
- introduced proper handling of -h, -V and the long formats --help and
--version to all binaries (checkpolicy/checkmodule);
- introduced the handling of long options for some of the other
available options;
- manual pages have also been updated accordingly (and a few
undocumented options have been documented).
One of the original two patches (the one against policycoreutils) did
not compile cleanly anymore against the current HEAD of SELinux, so I
have created an updated one, which is the one attached here.
It's just a matter of some really minor issues, but I hope it helps, at
least the ticket can now be closed...
Kind regards,
Guido
[-- Attachment #1.2: policycoreutils-ticket1-1672486.patch --]
[-- Type: text/x-patch, Size: 53245 bytes --]
diff -pruN selinux-dev-211109/policycoreutils/load_policy/load_policy.8 selinux-dev-211109-patched/policycoreutils/load_policy/load_policy.8
--- selinux-dev-211109/policycoreutils/load_policy/load_policy.8 2009-11-21 16:09:55.000000000 +0100
+++ selinux-dev-211109-patched/policycoreutils/load_policy/load_policy.8 2009-11-21 22:33:03.000000000 +0100
@@ -15,11 +15,25 @@ values in the policy file.
.SH "OPTIONS"
.TP
+.B \-V
+or
+.B \-\-version
+shows the current version of load_policy
+.TP
+.B \-h
+or
+.B \-\-help
+shows the usage information for load_policy
+.TP
.B \-q
+or
+.B \-\-quiet
suppress warning messages.
.TP
.B \-i
-inital policy load. Only use this if this is the first time policy is being loaded since boot (usually called from initramfs).
+or
+.B \-\-init
+initial policy load. Only use this if this is the first time policy is being loaded since boot (usually called from initramfs).
.SH "EXIT STATUS"
.TP
diff -pruN selinux-dev-211109/policycoreutils/load_policy/load_policy.c selinux-dev-211109-patched/policycoreutils/load_policy/load_policy.c
--- selinux-dev-211109/policycoreutils/load_policy/load_policy.c 2009-11-21 16:09:55.000000000 +0100
+++ selinux-dev-211109-patched/policycoreutils/load_policy/load_policy.c 2009-11-21 22:33:03.000000000 +0100
@@ -2,7 +2,7 @@
#include <stdlib.h>
#include <stdio.h>
#include <errno.h>
-#include <getopt.h>
+#include <getopt.h> /* for getopt_long() form of getopt() */
#include <string.h>
#include <selinux/selinux.h>
#include <sepol/sepol.h>
@@ -13,19 +13,49 @@
#else
#define _(msgid) (msgid)
#endif
+#define LOAD_POLICY_CONF_PROG_NAME "load_policy" /* default program name */
#ifndef PACKAGE
#define PACKAGE "policycoreutils" /* the name of this package lang translation */
#endif
void usage(char *progname)
{
- fprintf(stderr, _("usage: %s [-qi]\n"), progname);
+ fprintf(stderr, _("usage: %s -h | -V | [-qi]\n"), progname);
+ fprintf(stderr, _(" -h Show this message.\n"));
+ fprintf(stderr, _(" -V Show the version.\n"));
+ fprintf(stderr, _(" -q Suppress warning messages.\n"));
+ fprintf(stderr, _(" -i Inital policy load. Only use this if this is the first time policy is being loaded since boot.\n"));
exit(1);
}
+static char *opt_program_name(char *argv0, char *def)
+{
+ if (argv0) {
+ if ((def = strrchr(argv0, '/')))
+ ++def;
+ else
+ def = argv0;
+
+ /* hack for libtool */
+ if ((strlen(def) > strlen("lt-"))
+ && !memcmp("lt-", def, strlen("lt-")))
+ def += 3;
+ }
+
+ return (def);
+}
+
int main(int argc, char **argv)
{
int ret, opt, quiet = 0, nargs, init=0, enforce=0;
+ char *program_name = NULL;
+ struct option long_options[] = {
+ {"quiet", no_argument, NULL, 'q'},
+ {"init", no_argument, NULL, 'i'},
+ {"version", no_argument, NULL, 'V'},
+ {"help", no_argument, NULL, 'h'},
+ {NULL, 0, NULL, 0}
+ };
#ifdef USE_NLS
setlocale(LC_ALL, "");
@@ -33,11 +63,13 @@ int main(int argc, char **argv)
textdomain(PACKAGE);
#endif
- while ((opt = getopt(argc, argv, "bqi")) > 0) {
+ program_name = opt_program_name(argv[0], LOAD_POLICY_CONF_PROG_NAME);
+
+ while ((opt = getopt_long(argc, argv, "bqiVh", long_options, NULL)) != -1) {
switch (opt) {
case 'b':
fprintf(stderr, "%s: Warning! The -b option is no longer supported, booleans are always preserved across reloads. Continuing...\n",
- argv[0]);
+ program_name);
break;
case 'q':
quiet = 1;
@@ -46,8 +78,14 @@ int main(int argc, char **argv)
case 'i':
init = 1;
break;
+ case 'V':
+ fprintf(stdout,
+ " %s version %s.\n", program_name, VERSION);
+ exit(EXIT_SUCCESS);
+ case 'h':
+ usage(program_name);
default:
- usage(argv[0]);
+ usage(program_name);
}
}
diff -pruN selinux-dev-211109/policycoreutils/load_policy/Makefile selinux-dev-211109-patched/policycoreutils/load_policy/Makefile
--- selinux-dev-211109/policycoreutils/load_policy/Makefile 2009-11-21 16:09:55.000000000 +0100
+++ selinux-dev-211109-patched/policycoreutils/load_policy/Makefile 2009-11-21 22:33:03.000000000 +0100
@@ -5,8 +5,9 @@ USRSBINDIR ?= $(PREFIX)/sbin
MANDIR ?= $(PREFIX)/share/man
LOCALEDIR ?= /usr/share/locale
+VERSION = $(shell cat ../VERSION)
CFLAGS ?= -Werror -Wall -W
-override CFLAGS += $(LDFLAGS) -I$(PREFIX)/include -DUSE_NLS -DLOCALEDIR="\"$(LOCALEDIR)\"" -DPACKAGE="\"policycoreutils\""
+override CFLAGS += $(LDFLAGS) -I$(PREFIX)/include -DUSE_NLS -DLOCALEDIR="\"$(LOCALEDIR)\"" -DPACKAGE="\"policycoreutils\"" -DVERSION=\"$(VERSION)\"
LDLIBS += -lsepol -lselinux -L$(PREFIX)/lib
TARGETS=$(patsubst %.c,%,$(wildcard *.c))
diff -pruN selinux-dev-211109/policycoreutils/load_policy/Makefile.orig selinux-dev-211109-patched/policycoreutils/load_policy/Makefile.orig
--- selinux-dev-211109/policycoreutils/load_policy/Makefile.orig 1970-01-01 01:00:00.000000000 +0100
+++ selinux-dev-211109-patched/policycoreutils/load_policy/Makefile.orig 2009-11-21 16:09:55.000000000 +0100
@@ -0,0 +1,31 @@
+# Installation directories.
+PREFIX ?= ${DESTDIR}/usr
+SBINDIR ?= $(DESTDIR)/sbin
+USRSBINDIR ?= $(PREFIX)/sbin
+MANDIR ?= $(PREFIX)/share/man
+LOCALEDIR ?= /usr/share/locale
+
+CFLAGS ?= -Werror -Wall -W
+override CFLAGS += $(LDFLAGS) -I$(PREFIX)/include -DUSE_NLS -DLOCALEDIR="\"$(LOCALEDIR)\"" -DPACKAGE="\"policycoreutils\""
+LDLIBS += -lsepol -lselinux -L$(PREFIX)/lib
+
+TARGETS=$(patsubst %.c,%,$(wildcard *.c))
+
+all: $(TARGETS)
+
+install: all
+ -mkdir -p $(SBINDIR)
+ install -m 755 $(TARGETS) $(SBINDIR)
+ test -d $(MANDIR)/man8 || install -m 755 -d $(MANDIR)/man8
+ install -m 644 load_policy.8 $(MANDIR)/man8/
+ -mkdir -p $(USRSBINDIR)
+ ln -sf /sbin/load_policy $(USRSBINDIR)/load_policy
+
+clean:
+ -rm -f $(TARGETS) *.o
+
+indent:
+ ../../scripts/Lindent $(wildcard *.[ch])
+
+relabel:
+ /sbin/restorecon $(SBINDIR)/load_policy
diff -pruN selinux-dev-211109/policycoreutils/newrole/newrole.1 selinux-dev-211109-patched/policycoreutils/newrole/newrole.1
--- selinux-dev-211109/policycoreutils/newrole/newrole.1 2009-11-21 16:09:55.000000000 +0100
+++ selinux-dev-211109-patched/policycoreutils/newrole/newrole.1 2009-11-21 22:33:03.000000000 +0100
@@ -58,10 +58,16 @@ The new shell will be the shell specifie
file.
.PP
The
+.B -h
+or
+.B --help
+shows the usage information for newrole.
+.PP
+The
.B -V
or
.B --version
-shows the current version of newrole
+shows the current version of newrole.
.PP
.SH EXAMPLE
.br
diff -pruN selinux-dev-211109/policycoreutils/newrole/newrole.c selinux-dev-211109-patched/policycoreutils/newrole/newrole.c
--- selinux-dev-211109/policycoreutils/newrole/newrole.c 2009-11-21 16:09:55.000000000 +0100
+++ selinux-dev-211109-patched/policycoreutils/newrole/newrole.c 2009-11-21 22:33:03.000000000 +0100
@@ -10,7 +10,7 @@
*
* USAGE:
*
- * newrole [ -r role ] [ -t type ] [ -l level ] [ -V ] [ -- args ]
+ * newrole -h | -V | [ -r role ] [ -t type ] [ -l level ] [ -- args ]
*
* BUILD OPTIONS:
*
@@ -91,7 +91,7 @@
#endif
/* USAGE_STRING describes the command-line args of this program. */
-#define USAGE_STRING "USAGE: newrole [ -r role ] [ -t type ] [ -l level ] [ -p ] [ -V ] [ -- args ]"
+#define USAGE_STRING "USAGE: newrole -h | -V | [ -r role ] [ -t type ] [ -l level ] [ -p ] [ -- args ]"
#ifdef USE_PAM
#define PAM_SERVICE_CONFIG "/etc/selinux/newrole_pam.conf";
@@ -877,21 +877,24 @@ static int parse_command_line_arguments(
{"level", 1, 0, 'l'},
{"preserve-environment", 0, 0, 'p'},
{"version", 0, 0, 'V'},
+ {"help", 0, 0, 'h'},
{NULL, 0, 0, 0}
};
*preserve_environment = 0;
while (1) {
- clflag = getopt_long(argc, argv, "r:t:l:pV", long_options,
+ clflag = getopt_long(argc, argv, "r:t:l:pVh", long_options,
&flag_index);
if (clflag == -1)
break;
switch (clflag) {
+ case 'h':
+ fprintf(stderr, "%s\n", USAGE_STRING);
+ exit(EXIT_SUCCESS);
case 'V':
printf("newrole: %s version %s\n", PACKAGE, VERSION);
- exit(0);
- break;
+ exit(EXIT_SUCCESS);
case 'p':
*preserve_environment = 1;
break;
diff -pruN selinux-dev-211109/policycoreutils/restorecond/Makefile selinux-dev-211109-patched/policycoreutils/restorecond/Makefile
--- selinux-dev-211109/policycoreutils/restorecond/Makefile 2009-11-21 16:09:55.000000000 +0100
+++ selinux-dev-211109-patched/policycoreutils/restorecond/Makefile 2009-11-21 22:33:03.000000000 +0100
@@ -5,8 +5,9 @@ MANDIR = $(PREFIX)/share/man
INITDIR = $(DESTDIR)/etc/rc.d/init.d
SELINUXDIR = $(DESTDIR)/etc/selinux
+VERSION = $(shell cat ../VERSION)
CFLAGS ?= -g -Werror -Wall -W
-override CFLAGS += -I$(PREFIX)/include -D_FILE_OFFSET_BITS=64
+override CFLAGS += -I$(PREFIX)/include -DVERSION=\"$(VERSION)\" -D_FILE_OFFSET_BITS=64
LDLIBS += -lselinux -L$(PREFIX)/lib
all: restorecond
diff -pruN selinux-dev-211109/policycoreutils/restorecond/restorecond.8 selinux-dev-211109-patched/policycoreutils/restorecond/restorecond.8
--- selinux-dev-211109/policycoreutils/restorecond/restorecond.8 2009-11-21 16:09:55.000000000 +0100
+++ selinux-dev-211109-patched/policycoreutils/restorecond/restorecond.8 2009-11-21 22:33:03.000000000 +0100
@@ -3,7 +3,7 @@
restorecond \- daemon that watches for file creation and then sets the default SELinux file context
.SH "SYNOPSIS"
-.B restorecond [\-d]
+.B restorecond [\-d] [\-v] | \-h | \-V
.P
.SH "DESCRIPTION"
@@ -17,8 +17,25 @@ the correct file context associated with
.SH "OPTIONS"
.TP
.B \-d
+or
+.B \-\-debug
Turns on debugging mode. Application will stay in the foreground and lots of
debugs messages start printing.
+.TP
+.B \-v
+or
+.B \-\-verbose
+Turns on verbose mode. Missing files are reported.
+.TP
+.B \-h
+or
+.B \-\-help
+Shows the usage information.
+.TP
+.B \-V
+or
+.B \-\-version
+Shows the version information.
.SH "AUTHOR"
This man page was written by Dan Walsh <dwalsh@redhat.com>.
diff -pruN selinux-dev-211109/policycoreutils/restorecond/restorecond.c selinux-dev-211109-patched/policycoreutils/restorecond/restorecond.c
--- selinux-dev-211109/policycoreutils/restorecond/restorecond.c 2009-11-21 16:09:55.000000000 +0100
+++ selinux-dev-211109-patched/policycoreutils/restorecond/restorecond.c 2009-11-21 22:33:03.000000000 +0100
@@ -30,8 +30,10 @@
* and makes sure that there security context matches the systems defaults
*
* USAGE:
- * restorecond [-d] [-v]
- *
+ * restorecond -h | -V | [-d] [-v]
+ *
+ * -h Shows the usage information
+ * -V Shows the version
* -d Run in debug mode
* -v Run in verbose mode (Report missing files)
*
@@ -48,6 +50,7 @@
#include <signal.h>
#include <string.h>
#include <unistd.h>
+#include <getopt.h> /* for getopt_long() form of getopt() */
#include <ctype.h>
#include <sys/types.h>
#include <sys/stat.h>
@@ -67,6 +70,8 @@ static int terminate = 0;
#include <selinux/selinux.h>
#include <utmp.h>
+#define RESTORECOND_CONF_PROG_NAME "restorecond" /* default program name */
+
/* size of the event structure, not counting name */
#define EVENT_SIZE (sizeof (struct inotify_event))
/* reasonable guess as to size of 1024 events */
@@ -374,8 +379,25 @@ static void term_handler()
static void usage(char *program)
{
- printf("%s [-d] [-v] \n", program);
- exit(0);
+ printf("%s [-d] [-v] | -h | -V \n", program);
+ exit(EXIT_SUCCESS);
+}
+
+static char *opt_program_name(char *argv0, char *def)
+{
+ if (argv0) {
+ if ((def = strrchr(argv0, '/')))
+ ++def;
+ else
+ def = argv0;
+
+ /* hack for libtool */
+ if ((strlen(def) > strlen("lt-"))
+ && !memcmp("lt-", def, strlen("lt-")))
+ def += 3;
+ }
+
+ return (def);
}
void exitApp(const char *msg)
@@ -445,6 +467,14 @@ int main(int argc, char **argv)
{
int opt;
struct sigaction sa;
+ char *program_name = NULL;
+ struct option long_options[] = {
+ {"help", no_argument, NULL, 'h'},
+ {"version", no_argument, NULL, 'V'},
+ {"debug", no_argument, NULL, 'd'},
+ {"verbose", no_argument, NULL, 'v'},
+ {NULL, 0, NULL, 0}
+ };
#ifndef DEBUG
/* Make sure we are root */
@@ -471,8 +501,17 @@ int main(int argc, char **argv)
if (master_fd < 0)
exitApp("inotify_init");
- while ((opt = getopt(argc, argv, "dv")) > 0) {
+ program_name = opt_program_name(argv[0], RESTORECOND_CONF_PROG_NAME);
+
+ while ((opt = getopt_long(argc, argv, "hVdv", long_options, NULL)) != -1) {
switch (opt) {
+ case 'h':
+ usage(program_name);
+ exit(EXIT_SUCCESS);
+ case 'V':
+ fprintf(stdout,
+ " %s version %s.\n", program_name, VERSION);
+ exit(EXIT_SUCCESS);
case 'd':
debug_mode = 1;
break;
@@ -480,7 +519,7 @@ int main(int argc, char **argv)
verbose_mode = 1;
break;
case '?':
- usage(argv[0]);
+ usage(program_name);
}
}
read_config(master_fd);
diff -pruN selinux-dev-211109/policycoreutils/run_init/Makefile selinux-dev-211109-patched/policycoreutils/run_init/Makefile
--- selinux-dev-211109/policycoreutils/run_init/Makefile 2009-11-21 16:09:55.000000000 +0100
+++ selinux-dev-211109-patched/policycoreutils/run_init/Makefile 2009-11-21 22:33:03.000000000 +0100
@@ -8,8 +8,9 @@ LOCALEDIR ?= /usr/share/locale
PAMH = $(shell ls /usr/include/security/pam_appl.h 2>/dev/null)
AUDITH = $(shell ls /usr/include/libaudit.h 2>/dev/null)
+VERSION = $(shell cat ../VERSION)
CFLAGS ?= -Werror -Wall -W
-override CFLAGS += -I$(PREFIX)/include -DUSE_NLS -DLOCALEDIR="\"$(LOCALEDIR)\"" -DPACKAGE="\"policycoreutils\""
+override CFLAGS += -I$(PREFIX)/include -DUSE_NLS -DLOCALEDIR="\"$(LOCALEDIR)\"" -DPACKAGE="\"policycoreutils\"" -DVERSION=\"$(VERSION)\"
LDLIBS += -lselinux -L$(PREFIX)/lib
ifeq (${PAMH}, /usr/include/security/pam_appl.h)
override CFLAGS += -DUSE_PAM
diff -pruN selinux-dev-211109/policycoreutils/run_init/run_init.8 selinux-dev-211109-patched/policycoreutils/run_init/run_init.8
--- selinux-dev-211109/policycoreutils/run_init/run_init.8 2009-11-21 16:09:55.000000000 +0100
+++ selinux-dev-211109-patched/policycoreutils/run_init/run_init.8 2009-11-21 22:33:03.000000000 +0100
@@ -3,12 +3,19 @@
run_init \- run an init script in the proper SELinux context
.SH SYNOPSIS
.B run_init
-\fISCRIPT\fR [[\fIARGS\fR]...]
+\fISCRIPT\fR [[\fIARGS\fR]...] | -h | -V
.br
.SH DESCRIPTION
.PP
Run a init script under the proper context, which is specified in
/etc/selinux/POLICYTYPE/contexts/initrc_context.
+.SH OPTIONS
+.TP
+.B \-h,\-\-help
+Print the help message.
+.TP
+.B \-V,\-\-version
+Print the version information.
.SH FILES
/etc/passwd - user account information
.br
diff -pruN selinux-dev-211109/policycoreutils/run_init/run_init.c selinux-dev-211109-patched/policycoreutils/run_init/run_init.c
--- selinux-dev-211109/policycoreutils/run_init/run_init.c 2009-11-21 16:09:55.000000000 +0100
+++ selinux-dev-211109-patched/policycoreutils/run_init/run_init.c 2009-11-21 22:33:03.000000000 +0100
@@ -8,7 +8,7 @@
*
* USAGE:
*
- * run_init <script> <args>
+ * run_init <script> <args> | -h | -V
*
* BUILD OPTIONS:
*
@@ -60,13 +60,17 @@
#else
#define _(msgid) (msgid)
#endif
+#define RUN_INIT_CONF_PROG_NAME "run_init" /* default program name */
#ifndef PACKAGE
#define PACKAGE "policycoreutils" /* the name of this package lang translation */
#endif
/* USAGE_STRING describes the command-line args of this program. */
-#define USAGE_STRING _("USAGE: run_init <script> <args ...>\n\
+#define USAGE_STRING _("USAGE: run_init <script> <args ...> | -h | -V\n\
where: <script> is the name of the init script to run,\n\
- <args ...> are the arguments to that script.")
+ <args ...> are the arguments to that script.\n\
+ or:\n\
+ -h or --help Print this usage information.\n\
+ -V or --version Print version information.\n")
#define CONTEXT_FILE "initrc_context"
#ifdef USE_PAM
@@ -289,7 +293,7 @@ int authenticate_user()
/*
* get_init_context()
*
- * Get the CONTEXT associated with the context for the init scripts. *
+ * Get the CONTEXT associated with the context for the init scripts.
*
* in: nothing
* out: The CONTEXT associated with the context.
@@ -338,15 +342,48 @@ int get_init_context(security_context_t
} /* get_init_context() */
+/*
+ * opt_program_name()
+ *
+ * Find out exactly what the program name is
+ *
+ * in:
+ * argv0 -- argv[0] from main
+ * def -- default program name
+ * out: The exact program name to print out in usage and version information
+ */
+static char *opt_program_name(char *argv0, char *def)
+{
+ if (argv0) {
+ if ((def = strrchr(argv0, '/')))
+ ++def;
+ else
+ def = argv0;
+
+ /* hack for libtool */
+ if ((strlen(def) > strlen("lt-"))
+ && !memcmp("lt-", def, strlen("lt-")))
+ def += 3;
+ }
+
+ return (def);
+}
+
/*****************************************************************************
* main() *
*****************************************************************************/
int main(int argc, char *argv[])
{
-
+ int opt;
+ char *program_name = NULL;
extern char *optarg; /* used by getopt() for arg strings */
extern int opterr; /* controls getopt() error messages */
security_context_t new_context; /* context for the init script context */
+ struct option long_options[] = {
+ {"version", no_argument, NULL, 'V'},
+ {"help", no_argument, NULL, 'h'},
+ {NULL, 0, NULL, 0}
+ };
#ifdef USE_NLS
setlocale(LC_ALL, "");
@@ -366,8 +403,27 @@ int main(int argc, char *argv[])
* Step 1: Handle command-line arguments. The first argument is the
* name of the script to run. All other arguments are for the script
* itself, and will be passed directly to the script.
+ * Request for help or version information are handled accordingly
+ * here.
*/
+ program_name = opt_program_name(argv[0], RUN_INIT_CONF_PROG_NAME);
+
+ while ((opt = getopt_long(argc, argv, "Vh", long_options, NULL)) != -1) {
+ switch (opt) {
+ case 'V':
+ fprintf(stdout,
+ " %s version %s.\n", program_name, VERSION);
+ exit(EXIT_SUCCESS);
+ case 'h':
+ fprintf(stderr, "%s\n", USAGE_STRING);
+ exit(EXIT_SUCCESS);
+ default:
+ fprintf(stderr, "%s\n", USAGE_STRING);
+ exit(-1);
+ }
+ }
+
if (argc < 2) {
fprintf(stderr, "%s\n", USAGE_STRING);
exit(-1);
diff -pruN selinux-dev-211109/policycoreutils/semodule/Makefile selinux-dev-211109-patched/policycoreutils/semodule/Makefile
--- selinux-dev-211109/policycoreutils/semodule/Makefile 2009-11-21 16:09:55.000000000 +0100
+++ selinux-dev-211109-patched/policycoreutils/semodule/Makefile 2009-11-21 22:33:03.000000000 +0100
@@ -5,8 +5,9 @@ SBINDIR ?= $(PREFIX)/sbin
MANDIR = $(PREFIX)/share/man
LIBDIR ?= ${PREFIX}/lib
+VERSION = $(shell cat ../VERSION)
CFLAGS ?= -Werror -Wall -W
-override CFLAGS += -I$(INCLUDEDIR)
+override CFLAGS += -I$(INCLUDEDIR) -DVERSION=\"$(VERSION)\"
LDLIBS = -lsepol -lselinux -lsemanage -L$(LIBDIR)
SEMODULE_OBJS = semodule.o
diff -pruN selinux-dev-211109/policycoreutils/semodule/semodule.8 selinux-dev-211109-patched/policycoreutils/semodule/semodule.8
--- selinux-dev-211109/policycoreutils/semodule/semodule.8 2009-11-21 16:09:55.000000000 +0100
+++ selinux-dev-211109-patched/policycoreutils/semodule/semodule.8 2009-11-21 22:33:03.000000000 +0100
@@ -52,6 +52,9 @@ prints help message and quit
.TP
.B \-v,\-\-verbose
be verbose
+.TP
+.B \-V,\-\-version
+shows the version information
.SH EXAMPLE
.nf
diff -pruN selinux-dev-211109/policycoreutils/semodule/semodule.c selinux-dev-211109-patched/policycoreutils/semodule/semodule.c
--- selinux-dev-211109/policycoreutils/semodule/semodule.c 2009-11-21 16:09:55.000000000 +0100
+++ selinux-dev-211109-patched/policycoreutils/semodule/semodule.c 2009-11-21 22:33:03.000000000 +0100
@@ -22,6 +22,8 @@
#include <semanage/modules.h>
+#define SEMODULE_CONF_PROG_NAME "semodule" /* default program name */
+
enum client_modes { NO_MODE, INSTALL_M, UPGRADE_M, BASE_M, REMOVE_M,
LIST_M, RELOAD
};
@@ -49,6 +51,8 @@ static int disable_dontaudit;
static semanage_handle_t *sh = NULL;
static char *store;
+char *program_name = NULL;
+
extern char *optarg;
extern int optind;
@@ -114,9 +118,28 @@ static void usage(char *progname)
printf(" -n,--noreload do not reload policy after commit\n");
printf(" -h,--help print this message and quit\n");
printf(" -v,--verbose be verbose\n");
+ printf(" -V,--version print version information\n");
printf(" -D,--disable_dontaudit Remove dontaudits from policy\n");
}
+/* Gets the exact program name. */
+static char *opt_program_name(char *argv0, char *def)
+{
+ if (argv0) {
+ if ((def = strrchr(argv0, '/')))
+ ++def;
+ else
+ def = argv0;
+
+ /* hack for libtool */
+ if ((strlen(def) > strlen("lt-"))
+ && !memcmp("lt-", def, strlen("lt-")))
+ def += 3;
+ }
+
+ return (def);
+}
+
/* Sets the global mode variable to new_mode, but only if no other
* mode has been given. */
static void set_mode(enum client_modes new_mode, char *arg)
@@ -152,6 +175,7 @@ static void parse_command_line(int argc,
{"install", required_argument, NULL, 'i'},
{"list-modules", 0, NULL, 'l'},
{"verbose", 0, NULL, 'v'},
+ {"version", 0, NULL, 'V'},
{"remove", required_argument, NULL, 'r'},
{"upgrade", required_argument, NULL, 'u'},
{"reload", 0, NULL, 'R'},
@@ -166,7 +190,7 @@ static void parse_command_line(int argc,
no_reload = 0;
create_store = 0;
while ((i =
- getopt_long(argc, argv, "s:b:hi:lvqr:u:RnBD", opts,
+ getopt_long(argc, argv, "s:b:hi:lvVqr:u:RnBD", opts,
NULL)) != -1) {
switch (i) {
case 'b':
@@ -174,7 +198,7 @@ static void parse_command_line(int argc,
create_store = 1;
break;
case 'h':
- usage(argv[0]);
+ usage(program_name);
exit(0);
case 'i':
set_mode(INSTALL_M, optarg);
@@ -185,6 +209,10 @@ static void parse_command_line(int argc,
case 'v':
verbose = 1;
break;
+ case 'V':
+ fprintf(stdout,
+ " %s version %s.\n", program_name, VERSION);
+ exit(EXIT_SUCCESS);
case 'r':
set_mode(REMOVE_M, optarg);
break;
@@ -208,7 +236,7 @@ static void parse_command_line(int argc,
break;
case '?':
default:{
- usage(argv[0]);
+ usage(program_name);
exit(1);
}
}
@@ -216,12 +244,12 @@ static void parse_command_line(int argc,
if ((build || reload) && num_commands) {
fprintf(stderr,
"build or reload should not be used with other commands\n");
- usage(argv[0]);
+ usage(program_name);
exit(1);
}
if (num_commands == 0 && reload == 0 && build == 0) {
fprintf(stderr, "At least one mode must be specified.\n");
- usage(argv[0]);
+ usage(program_name);
exit(1);
}
@@ -243,7 +271,7 @@ static void parse_command_line(int argc,
while (optind < argc)
fprintf(stderr, " %s", argv[optind++]);
fprintf(stderr, "\n\n");
- usage(argv[0]);
+ usage(program_name);
exit(1);
}
while (optind < argc)
@@ -257,6 +285,8 @@ int main(int argc, char *argv[])
int result;
int status = EXIT_FAILURE;
+ program_name = opt_program_name(argv[0], SEMODULE_CONF_PROG_NAME);
+
create_signal_handlers();
parse_command_line(argc, argv);
@@ -266,7 +296,7 @@ int main(int argc, char *argv[])
sh = semanage_handle_create();
if (!sh) {
fprintf(stderr, "%s: Could not create semanage handle\n",
- argv[0]);
+ program_name);
goto cleanup_nohandle;
}
@@ -285,27 +315,27 @@ int main(int argc, char *argv[])
if (!semanage_is_managed(sh)) {
fprintf(stderr,
"%s: SELinux policy is not managed or store cannot be accessed.\n",
- argv[0]);
+ program_name);
goto cleanup;
}
if (semanage_access_check(sh) < SEMANAGE_CAN_READ) {
fprintf(stderr, "%s: Cannot read policy store.\n",
- argv[0]);
+ program_name);
goto cleanup;
}
}
if ((result = semanage_connect(sh)) < 0) {
fprintf(stderr, "%s: Could not connect to policy handler\n",
- argv[0]);
+ program_name);
goto cleanup;
}
if (reload) {
if ((result = semanage_reload_policy(sh)) < 0) {
fprintf(stderr, "%s: Could not reload policy\n",
- argv[0]);
+ program_name);
goto cleanup;
}
}
@@ -313,7 +343,7 @@ int main(int argc, char *argv[])
if (build) {
if ((result = semanage_begin_transaction(sh)) < 0) {
fprintf(stderr, "%s: Could not begin transaction: %s\n",
- argv[0], errno ? strerror(errno) : "");
+ program_name, errno ? strerror(errno) : "");
goto cleanup;
}
}
@@ -397,14 +427,14 @@ int main(int argc, char *argv[])
default:{
fprintf(stderr,
"%s: Unknown mode specified.\n",
- argv[0]);
- usage(argv[0]);
+ program_name);
+ usage(program_name);
goto cleanup;
}
}
commit += do_commit[mode];
if (result < 0) {
- fprintf(stderr, "%s: Failed on %s!\n", argv[0],
+ fprintf(stderr, "%s: Failed on %s!\n", program_name,
mode_arg ? : "list");
goto cleanup;
} else if (verbose) {
@@ -428,14 +458,14 @@ int main(int argc, char *argv[])
}
if (result < 0) {
- fprintf(stderr, "%s: Failed!\n", argv[0]);
+ fprintf(stderr, "%s: Failed!\n", program_name);
goto cleanup;
} else if (commit && verbose) {
printf("Ok: transaction number %d.\n", result);
}
if (semanage_disconnect(sh) < 0) {
- fprintf(stderr, "%s: Error disconnecting\n", argv[0]);
+ fprintf(stderr, "%s: Error disconnecting\n", program_name);
goto cleanup;
}
status = EXIT_SUCCESS;
@@ -443,7 +473,7 @@ int main(int argc, char *argv[])
cleanup:
if (semanage_is_connected(sh)) {
if (semanage_disconnect(sh) < 0) {
- fprintf(stderr, "%s: Error disconnecting\n", argv[0]);
+ fprintf(stderr, "%s: Error disconnecting\n", program_name);
}
}
semanage_handle_destroy(sh);
diff -pruN selinux-dev-211109/policycoreutils/semodule_deps/Makefile selinux-dev-211109-patched/policycoreutils/semodule_deps/Makefile
--- selinux-dev-211109/policycoreutils/semodule_deps/Makefile 2009-11-21 16:09:55.000000000 +0100
+++ selinux-dev-211109-patched/policycoreutils/semodule_deps/Makefile 2009-11-21 22:33:03.000000000 +0100
@@ -5,8 +5,9 @@ BINDIR ?= $(PREFIX)/bin
LIBDIR ?= ${PREFIX}/lib
MANDIR ?= $(PREFIX)/share/man
+VERSION = $(shell cat ../VERSION)
CFLAGS ?= -Werror -Wall -W
-override CFLAGS += -I$(INCLUDEDIR)
+override CFLAGS += -I$(INCLUDEDIR) -DVERSION=\"$(VERSION)\"
LDLIBS = $(LIBDIR)/libsepol.a
all: semodule_deps
diff -pruN selinux-dev-211109/policycoreutils/semodule_deps/semodule_deps.8 selinux-dev-211109-patched/policycoreutils/semodule_deps/semodule_deps.8
--- selinux-dev-211109/policycoreutils/semodule_deps/semodule_deps.8 2009-11-21 16:09:55.000000000 +0100
+++ selinux-dev-211109-patched/policycoreutils/semodule_deps/semodule_deps.8 2009-11-21 22:33:03.000000000 +0100
@@ -29,14 +29,20 @@ dependencies.
.SH "OPTIONS"
.TP
-.B \-v
+.B \-v,\-\-verbose
verbose mode
.TP
-.B \-g
+.B \-g,\-\-graphviz
output dependency information in Graphviz dot format
.TP
-.B \-b
+.B \-b,\-\-base
include dependencies to the base module - by default these are excluded
+.TP
+.B \-h,\-\-help
+print usage information
+.TP
+.B \-V,\-\-version
+print version information
.SH SEE ALSO
.B checkmodule(8), semodule_package(8), semodule(8), semodule_link(8)
diff -pruN selinux-dev-211109/policycoreutils/semodule_deps/semodule_deps.c selinux-dev-211109-patched/policycoreutils/semodule_deps/semodule_deps.c
--- selinux-dev-211109/policycoreutils/semodule_deps/semodule_deps.c 2009-11-21 16:09:55.000000000 +0100
+++ selinux-dev-211109-patched/policycoreutils/semodule_deps/semodule_deps.c 2009-11-21 22:33:03.000000000 +0100
@@ -35,6 +35,8 @@
extern char *optarg;
extern int optind;
+#define SEMODULE_DEPS_CONF_PROG_NAME "semodule_deps" /* default program name */
+
/* This is really a horrible hack, but the base module
* is referred to with the following name. The same
* thing is done in the linker for displaying error
@@ -44,11 +46,29 @@ extern int optind;
static void usage(char *program_name)
{
- printf("usage: %s [-v -g -b] basemodpkg modpkg1 [modpkg2 ... ]\n",
+ printf("usage: %s -h | -V | [-v] [-g] [-b] basemodpkg modpkg1 [modpkg2 ... ]\n",
program_name);
exit(1);
}
+/* Get the exact program name */
+static char *opt_program_name(char *argv0, char *def)
+{
+ if (argv0) {
+ if ((def = strrchr(argv0, '/')))
+ ++def;
+ else
+ def = argv0;
+
+ /* hack for libtool */
+ if ((strlen(def) > strlen("lt-"))
+ && !memcmp("lt-", def, strlen("lt-")))
+ def += 3;
+ }
+
+ return (def);
+}
+
/* Basic string hash and compare for the hashtables used in
* generate_requires. Copied from symtab.c.
*/
@@ -319,12 +339,23 @@ int main(int argc, char **argv)
{
int ch, i, num_mods;
int verbose = 0, exclude_base = 1, command = SHOW_DEPS;
+ char *program_name = NULL;
char *basename;
sepol_module_package_t *base, **mods;
policydb_t *p;
hashtab_t req;
+ struct option long_options[] = {
+ {"verbose", no_argument, NULL, 'v'},
+ {"graphviz", no_argument, NULL, 'g'},
+ {"base", no_argument, NULL, 'b'},
+ {"version", no_argument, NULL, 'V'},
+ {"help", no_argument, NULL, 'h'},
+ {NULL, 0, NULL, 0}
+ };
+
+ program_name = opt_program_name(argv[0], SEMODULE_DEPS_CONF_PROG_NAME);
- while ((ch = getopt(argc, argv, "vgb")) != EOF) {
+ while ((ch = getopt_long(argc, argv, "vgbVh", long_options, NULL)) != -1) {
switch (ch) {
case 'v':
verbose = 1;
@@ -335,8 +366,15 @@ int main(int argc, char **argv)
case 'b':
exclude_base = 0;
break;
+ case 'V':
+ fprintf(stdout,
+ " %s version %s.\n", program_name, VERSION);
+ exit(EXIT_SUCCESS);
+ case 'h':
+ usage(program_name);
+ exit(EXIT_SUCCESS);
default:
- usage(argv[0]);
+ usage(program_name);
}
}
@@ -344,16 +382,16 @@ int main(int argc, char **argv)
if (argc < 3 || !(optind != (argc - 1))) {
fprintf(stderr,
"%s: You must provide the base module package and at least one other module package\n",
- argv[0]);
- usage(argv[0]);
+ program_name);
+ usage(program_name);
}
basename = argv[optind++];
- base = load_module(basename, argv[0]);
+ base = load_module(basename, program_name);
if (!base) {
fprintf(stderr,
"%s: Could not load base module from file %s\n",
- argv[0], basename);
+ program_name, basename);
exit(1);
}
@@ -362,23 +400,23 @@ int main(int argc, char **argv)
(sepol_module_package_t **) malloc(sizeof(sepol_module_package_t *)
* num_mods);
if (!mods) {
- fprintf(stderr, "%s: Out of memory\n", argv[0]);
+ fprintf(stderr, "%s: Out of memory\n", program_name);
exit(1);
}
memset(mods, 0, sizeof(sepol_module_package_t *) * num_mods);
for (i = 0; optind < argc; optind++, i++) {
- mods[i] = load_module(argv[optind], argv[0]);
+ mods[i] = load_module(argv[optind], program_name);
if (!mods[i]) {
fprintf(stderr,
"%s: Could not load module from file %s\n",
- argv[0], argv[optind]);
+ program_name, argv[optind]);
exit(1);
}
}
if (sepol_link_packages(NULL, base, mods, num_mods, verbose)) {
- fprintf(stderr, "%s: Error while linking packages\n", argv[0]);
+ fprintf(stderr, "%s: Error while linking packages\n", program_name);
exit(1);
}
diff -pruN selinux-dev-211109/policycoreutils/semodule_expand/semodule_expand.8 selinux-dev-211109-patched/policycoreutils/semodule_expand/semodule_expand.8
--- selinux-dev-211109/policycoreutils/semodule_expand/semodule_expand.8 2009-11-21 16:09:55.000000000 +0100
+++ selinux-dev-211109-patched/policycoreutils/semodule_expand/semodule_expand.8 2009-11-21 22:33:03.000000000 +0100
@@ -3,7 +3,7 @@
semodule_expand \- Expand a SELinux policy module package.
.SH SYNOPSIS
-.B semodule_expand [-V -c [version]] basemodpkg outputfile
+.B semodule_expand -h | [-V] [-v] [-a] [-c version] basemodpkg outputfile
.br
.SH DESCRIPTION
.PP
@@ -17,11 +17,20 @@ together a set of packages into a single
.SH "OPTIONS"
.TP
-.B \-V
+.B \-V,\-\-version
show version
.TP
-.B \-c [version]
+.B \-v,\-\-verbose
+be verbose
+.TP
+.B \-c,\-\-create version
policy version to create
+.TP
+.B \-a
+suppress assertions and hierarchy checking
+.TP
+.B \-h,\-\-help
+print usage information
.SH SEE ALSO
.B checkmodule(8), semodule_package(8), semodule(8), semodule_link(8)
diff -pruN selinux-dev-211109/policycoreutils/semodule_expand/semodule_expand.c selinux-dev-211109-patched/policycoreutils/semodule_expand/semodule_expand.c
--- selinux-dev-211109/policycoreutils/semodule_expand/semodule_expand.c 2009-11-21 16:09:55.000000000 +0100
+++ selinux-dev-211109-patched/policycoreutils/semodule_expand/semodule_expand.c 2009-11-21 22:33:03.000000000 +0100
@@ -30,7 +30,7 @@ int policyvers = 0;
static void usage(char *program_name)
{
- printf("usage: %s [-V -a -c [version]] basemodpkg outputfile\n",
+ printf("usage: %s -h | [-V] [-v] [-a] [-c version] basemodpkg outputfile\n",
program_name);
exit(1);
}
@@ -45,8 +45,15 @@ int main(int argc, char **argv)
FILE *fp, *outfile;
int check_assertions = 1;
sepol_handle_t *handle;
+ struct option long_options[] = {
+ {"version", no_argument, NULL, 'V'},
+ {"verbose", no_argument, NULL, 'v'},
+ {"create", required_argument, NULL, 'c'},
+ {"help", no_argument, NULL, 'h'},
+ {NULL, 0, NULL, 0}
+ };
- while ((ch = getopt(argc, argv, "c:Vva")) != EOF) {
+ while ((ch = getopt_long(argc, argv, "c:Vvha", long_options, NULL)) != -1) {
switch (ch) {
case 'V':
show_version = 1;
@@ -76,6 +83,8 @@ int main(int argc, char **argv)
policyvers = n;
break;
}
+ case 'h':
+ usage(argv[0]);
case 'a':{
check_assertions = 0;
break;
diff -pruN selinux-dev-211109/policycoreutils/semodule_link/semodule_link.8 selinux-dev-211109-patched/policycoreutils/semodule_link/semodule_link.8
--- selinux-dev-211109/policycoreutils/semodule_link/semodule_link.8 2009-11-21 16:09:55.000000000 +0100
+++ selinux-dev-211109-patched/policycoreutils/semodule_link/semodule_link.8 2009-11-21 22:33:03.000000000 +0100
@@ -16,14 +16,17 @@ semodule_package.
.SH "OPTIONS"
.TP
-.B \-V
+.B \-V,\-\-version
show version
.TP
-.B \-v
+.B \-v,\-\-verbose
verbose mode
.TP
-.B \-o <output file>
+.B \-o,\-\-output <output file>
Linked policy module package generated by this tool.
+.TP
+.B \-h,\-\-help
+show usage information
.SH SEE ALSO
diff -pruN selinux-dev-211109/policycoreutils/semodule_link/semodule_link.c selinux-dev-211109-patched/policycoreutils/semodule_link/semodule_link.c
--- selinux-dev-211109/policycoreutils/semodule_link/semodule_link.c 2009-11-21 16:09:55.000000000 +0100
+++ selinux-dev-211109-patched/policycoreutils/semodule_link/semodule_link.c 2009-11-21 22:33:03.000000000 +0100
@@ -81,10 +81,17 @@ int main(int argc, char **argv)
sepol_module_package_t *base, **mods;
FILE *outfile;
struct sepol_policy_file *pf;
+ struct option long_options[] = {
+ {"version", no_argument, NULL, 'V'},
+ {"verbose", no_argument, NULL, 'v'},
+ {"output", required_argument, NULL, 'o'},
+ {"help", no_argument, NULL, 'h'},
+ {NULL, 0, NULL, 0}
+ };
progname = argv[0];
- while ((ch = getopt(argc, argv, "o:Vv")) != EOF) {
+ while ((ch = getopt_long(argc, argv, "o:Vvh", long_options, NULL)) != -1) {
switch (ch) {
case 'V':
show_version = 1;
@@ -95,6 +102,7 @@ int main(int argc, char **argv)
case 'o':
outname = optarg;
break;
+ case 'h':
default:
usage(argv[0]);
}
diff -pruN selinux-dev-211109/policycoreutils/semodule_package/Makefile selinux-dev-211109-patched/policycoreutils/semodule_package/Makefile
--- selinux-dev-211109/policycoreutils/semodule_package/Makefile 2009-11-21 16:09:55.000000000 +0100
+++ selinux-dev-211109-patched/policycoreutils/semodule_package/Makefile 2009-11-21 22:33:03.000000000 +0100
@@ -5,8 +5,9 @@ BINDIR ?= $(PREFIX)/bin
LIBDIR ?= ${PREFIX}/lib
MANDIR ?= $(PREFIX)/share/man
+VERSION = $(shell cat ../VERSION)
CFLAGS ?= -Werror -Wall -W
-override CFLAGS += -I$(INCLUDEDIR)
+override CFLAGS += -I$(INCLUDEDIR) -DVERSION=\"$(VERSION)\"
LDLIBS = -lsepol -lselinux -L$(LIBDIR)
all: semodule_package
diff -pruN selinux-dev-211109/policycoreutils/semodule_package/semodule_package.8 selinux-dev-211109-patched/policycoreutils/semodule_package/semodule_package.8
--- selinux-dev-211109/policycoreutils/semodule_package/semodule_package.8 2009-11-21 16:09:55.000000000 +0100
+++ selinux-dev-211109-patched/policycoreutils/semodule_package/semodule_package.8 2009-11-21 22:33:03.000000000 +0100
@@ -25,6 +25,12 @@ $ semodule_package -o local.pp -m local.
.SH "OPTIONS"
.TP
+.B \-h \-\-help
+Print usage information.
+.TP
+.B \-V \-\-version
+Print version information.
+.TP
.B \-o \-\-outfile <output file>
Policy module package file generated by this tool.
.TP
diff -pruN selinux-dev-211109/policycoreutils/semodule_package/semodule_package.c selinux-dev-211109-patched/policycoreutils/semodule_package/semodule_package.c
--- selinux-dev-211109/policycoreutils/semodule_package/semodule_package.c 2009-11-21 16:09:55.000000000 +0100
+++ selinux-dev-211109-patched/policycoreutils/semodule_package/semodule_package.c 2009-11-21 22:33:03.000000000 +0100
@@ -19,14 +19,18 @@
#include <fcntl.h>
#include <errno.h>
+#define SEMODULE_PACKAGE_CONF_PROG_NAME "semodule_package" /* default program name */
+
char *progname = NULL;
extern char *optarg;
static void usage(char *prog)
{
- printf("usage: %s -o <output file> -m <module> [-f <file contexts>]\n",
+ printf("usage: %s -h | -V | -o <output file> -m <module> [-f <file contexts>]\n",
prog);
printf("Options:\n");
+ printf(" -h --help Print this usage information.\n");
+ printf(" -V --version Print version information.\n");
printf(" -o --outfile Output file (required)\n");
printf(" -m --module Module file (required)\n");
printf(" -f --fc File contexts file\n");
@@ -37,6 +41,23 @@ static void usage(char *prog)
exit(1);
}
+static char *opt_program_name(char *argv0, char *def)
+{
+ if (argv0) {
+ if ((def = strrchr(argv0, '/')))
+ ++def;
+ else
+ def = argv0;
+
+ /* hack for libtool */
+ if ((strlen(def) > strlen("lt-"))
+ && !memcmp("lt-", def, strlen("lt-")))
+ def += 3;
+ }
+
+ return (def);
+}
+
static int file_to_policy_file(char *filename, struct sepol_policy_file **pf,
char *mode)
{
@@ -107,13 +128,20 @@ int main(int argc, char **argv)
{"nc", required_argument, NULL, 'n'},
{"outfile", required_argument, NULL, 'o'},
{"help", 0, NULL, 'h'},
+ {"version", 0, NULL, 'V'},
{NULL, 0, NULL, 0}
};
- while ((i = getopt_long(argc, argv, "m:f:s:u:o:n:h", opts, NULL)) != -1) {
+ progname = opt_program_name(argv[0], SEMODULE_PACKAGE_CONF_PROG_NAME);
+
+ while ((i = getopt_long(argc, argv, "m:f:s:u:o:n:hV", opts, NULL)) != -1) {
switch (i) {
+ case 'V':
+ fprintf(stdout,
+ " %s version %s.\n", progname, VERSION);
+ exit(EXIT_SUCCESS);
case 'h':
- usage(argv[0]);
+ usage(progname);
exit(0);
case 'm':
if (module) {
@@ -178,10 +206,8 @@ int main(int argc, char **argv)
}
}
- progname = argv[0];
-
if (!module || !outfile) {
- usage(argv[0]);
+ usage(progname);
exit(0);
}
@@ -209,14 +235,14 @@ int main(int argc, char **argv)
exit(1);
if (sepol_module_package_create(&pkg)) {
- fprintf(stderr, "%s: Out of memory\n", argv[0]);
+ fprintf(stderr, "%s: Out of memory\n", progname);
exit(1);
}
if (sepol_policydb_read(sepol_module_package_get_policy(pkg), mod)) {
fprintf(stderr,
"%s: Error while reading policy module from %s\n",
- argv[0], module);
+ progname, module);
exit(1);
}
@@ -239,7 +265,7 @@ int main(int argc, char **argv)
if (sepol_module_package_write(pkg, out)) {
fprintf(stderr,
"%s: Error while writing module package to %s\n",
- argv[0], argv[1]);
+ progname, argv[1]);
exit(1);
}
diff -pruN selinux-dev-211109/policycoreutils/sestatus/Makefile selinux-dev-211109-patched/policycoreutils/sestatus/Makefile
--- selinux-dev-211109/policycoreutils/sestatus/Makefile 2009-11-21 16:09:55.000000000 +0100
+++ selinux-dev-211109-patched/policycoreutils/sestatus/Makefile 2009-11-21 22:33:03.000000000 +0100
@@ -5,8 +5,9 @@ MANDIR = $(PREFIX)/share/man
ETCDIR ?= $(DESTDIR)/etc
LIBDIR ?= ${PREFIX}/lib
+VERSION = $(shell cat ../VERSION)
CFLAGS = -Werror -Wall -W
-override CFLAGS += -I$(PREFIX)/include -D_FILE_OFFSET_BITS=64
+override CFLAGS += -I$(PREFIX)/include -DVERSION=\"$(VERSION)\" -D_FILE_OFFSET_BITS=64
LDLIBS = -lselinux -L$(LIBDIR)
all: sestatus
diff -pruN selinux-dev-211109/policycoreutils/sestatus/sestatus.8 selinux-dev-211109-patched/policycoreutils/sestatus/sestatus.8
--- selinux-dev-211109/policycoreutils/sestatus/sestatus.8 2009-11-21 16:09:55.000000000 +0100
+++ selinux-dev-211109-patched/policycoreutils/sestatus/sestatus.8 2009-11-21 22:33:03.000000000 +0100
@@ -4,7 +4,7 @@ sestatus \- SELinux status tool
.SH "SYNOPSIS"
.B sestatus
-.I [\-v] [\-b]
+.I -h | -V | [\-v] [\-b]
.P
This tool is used to get the status of a system running SELinux.
@@ -28,12 +28,20 @@ Policy version: 16
.SH "OPTIONS"
.TP
-.B \-v
+.B \-h,\-\-help
+.P
+ Print usage information.
+
+.B \-V,\-\-version
+.P
+ Print version information.
+
+.B \-v,\-\-verbose
.P
Checks the contexts of a files , and a processes listed in the /etc/sestatus.conf file. It also checks the context of the target, in cases of
symlinks.
-.B \-b
+.B \-b,\-\-show-bools
.P
Display the current state of booleans.
diff -pruN selinux-dev-211109/policycoreutils/sestatus/sestatus.c selinux-dev-211109-patched/policycoreutils/sestatus/sestatus.c
--- selinux-dev-211109/policycoreutils/sestatus/sestatus.c 2009-11-21 16:09:55.000000000 +0100
+++ selinux-dev-211109-patched/policycoreutils/sestatus/sestatus.c 2009-11-21 22:33:03.000000000 +0100
@@ -15,6 +15,7 @@
#include <sys/stat.h>
#include <dirent.h>
#include <unistd.h>
+#include <getopt.h>
#include <libgen.h>
#include <ctype.h>
@@ -196,22 +197,38 @@ int main(int argc, char **argv)
const char *pol_name;
char *pol_path;
+ struct option long_options[] = {
+ {"version", no_argument, NULL, 'V'},
+ {"help", no_argument, NULL, 'h'},
+ {"verbose", no_argument, NULL, 'v'},
+ {"show-bools", no_argument, NULL, 'b'},
+ {NULL, 0, NULL, 0}
+ };
+
while (1) {
- opt = getopt(argc, argv, "vb");
+ opt = getopt_long(argc, argv, "vbVh", long_options, NULL);
if (opt == -1)
break;
switch (opt) {
+ case 'V':
+ fprintf(stdout,
+ " %s version %s.\n", basename(argv[0]), VERSION);
+ exit(EXIT_SUCCESS);
case 'v':
verbose = 1;
break;
case 'b':
show_bools = 1;
break;
+ case 'h':
default:
/* invalid option */
printf("\nUsage: %s [OPTION]\n\n", basename(argv[0]));
+ printf(" -h,--help Print this help message.\n");
+ printf(" -V,--version Print version information.\n");
printf
- (" -v Verbose check of process and file contexts.\n");
+ (" -v,--verbose Verbose check of process and file contexts.\n");
+ printf(" -b,--show-bools Display the current state of booleans.\n");
printf("\nWithout options, show SELinux status.\n");
return -1;
}
diff -pruN selinux-dev-211109/policycoreutils/setfiles/Makefile selinux-dev-211109-patched/policycoreutils/setfiles/Makefile
--- selinux-dev-211109/policycoreutils/setfiles/Makefile 2009-11-21 16:09:55.000000000 +0100
+++ selinux-dev-211109-patched/policycoreutils/setfiles/Makefile 2009-11-21 22:16:21.000000000 +0100
@@ -5,8 +5,10 @@ MANDIR = $(PREFIX)/share/man
LIBDIR ?= $(PREFIX)/lib
AUDITH = $(shell ls /usr/include/libaudit.h 2>/dev/null)
+VERSION = $(shell cat ../VERSION)
+
CFLAGS = -g -Werror -Wall -W
-override CFLAGS += -I$(PREFIX)/include
+override CFLAGS += -I$(PREFIX)/include -DVERSION=\"$(VERSION)\"
LDLIBS = -lselinux -lsepol -L$(LIBDIR)
ifeq (${AUDITH}, /usr/include/libaudit.h)
diff -pruN selinux-dev-211109/policycoreutils/setfiles/restorecon.8 selinux-dev-211109-patched/policycoreutils/setfiles/restorecon.8
--- selinux-dev-211109/policycoreutils/setfiles/restorecon.8 2009-11-21 16:09:55.000000000 +0100
+++ selinux-dev-211109-patched/policycoreutils/setfiles/restorecon.8 2009-11-21 22:17:34.000000000 +0100
@@ -22,6 +22,12 @@ new policy, or with the \-n option it ca
contexts are all as you expect.
.SH "OPTIONS"
+.TP
+.B \-h,\-\-help
+print usage information
+.TP
+.B \-V,\-\-version
+print version information
.TP
.B \-i
ignore files that do not exist
diff -pruN selinux-dev-211109/policycoreutils/setfiles/setfiles.8 selinux-dev-211109-patched/policycoreutils/setfiles/setfiles.8
--- selinux-dev-211109/policycoreutils/setfiles/setfiles.8 2009-11-21 16:09:55.000000000 +0100
+++ selinux-dev-211109-patched/policycoreutils/setfiles/setfiles.8 2009-11-21 22:18:03.000000000 +0100
@@ -19,6 +19,12 @@ new policy, or with the \-n option it ca
contexts are all as you expect.
.SH "OPTIONS"
+.TP
+.B \-h,\-\-help
+print usage information
+.TP
+.B \-V,\-\-version
+print version information
.TP
.B \-c
check the validity of the contexts against the specified binary policy.
diff -pruN selinux-dev-211109/policycoreutils/setfiles/setfiles.c selinux-dev-211109-patched/policycoreutils/setfiles/setfiles.c
--- selinux-dev-211109/policycoreutils/setfiles/setfiles.c 2009-11-21 16:09:55.000000000 +0100
+++ selinux-dev-211109-patched/policycoreutils/setfiles/setfiles.c 2009-11-21 22:31:42.000000000 +0100
@@ -2,6 +2,7 @@
#include <unistd.h>
#include <fcntl.h>
#include <stdio_ext.h>
+#include <getopt.h>
#include <ctype.h>
#include <regex.h>
#include <sys/vfs.h>
@@ -44,14 +45,18 @@ void usage(const char *const name)
{
if (iamrestorecon) {
fprintf(stderr,
+ "usage: %s -h,--help print this usage information\n"
+ "usage: %s -V,--version print version information\n"
"usage: %s [-iFnrRv0] [-e excludedir ] [-o filename ] [-f filename | pathname... ]\n",
- name);
+ name, name, name);
} else {
fprintf(stderr,
+ "usage: %s -h,--help print this usage information\n"
+ "usage: %s -V,--version print version information\n"
"usage: %s [-dnpqvW] [-o filename] [-r alt_root_path ] spec_file pathname...\n"
"usage: %s -c policyfile spec_file\n"
"usage: %s -s [-dnqvW] [-o filename ] spec_file\n", name, name,
- name);
+ name, name, name);
}
exit(1);
}
@@ -211,6 +216,12 @@ int main(int argc, char **argv)
size_t buf_len;
int recurse; /* Recursive descent. */
char *base;
+
+ const struct option long_options[] = {
+ {"version", no_argument, NULL, 'V'},
+ {"help", no_argument, NULL, 'h'},
+ {NULL, 0, NULL, 0}
+ };
memset(&r_opts, 0, sizeof(r_opts));
@@ -283,7 +294,7 @@ int main(int argc, char **argv)
exclude_non_seclabel_mounts();
/* Process any options. */
- while ((opt = getopt(argc, argv, "c:de:f:ilnpqrsvo:FRW0")) > 0) {
+ while ((opt = getopt_long(argc, argv, "c:de:f:hilnpqrsvo:FRVW0", long_options, NULL)) != -1) {
switch (opt) {
case 'c':
{
@@ -410,6 +421,11 @@ int main(int argc, char **argv)
case '0':
null_terminated = 1;
break;
+ case 'V':
+ fprintf(stdout,
+ " %s version %s.\n", base, VERSION);
+ exit(EXIT_SUCCESS);
+ case 'h':
case '?':
usage(argv[0]);
}
diff -pruN selinux-dev-211109/policycoreutils/setsebool/Makefile selinux-dev-211109-patched/policycoreutils/setsebool/Makefile
--- selinux-dev-211109/policycoreutils/setsebool/Makefile 2009-11-21 16:09:55.000000000 +0100
+++ selinux-dev-211109-patched/policycoreutils/setsebool/Makefile 2009-11-21 22:33:03.000000000 +0100
@@ -5,8 +5,9 @@ SBINDIR ?= $(PREFIX)/sbin
MANDIR = $(PREFIX)/share/man
LIBDIR ?= ${PREFIX}/lib
+VERSION = $(shell cat ../VERSION)
CFLAGS ?= -Werror -Wall -W
-override CFLAGS += -I$(INCLUDEDIR)
+override CFLAGS += -I$(INCLUDEDIR) -DVERSION=\"$(VERSION)\"
LDLIBS = -lsepol -lselinux -lsemanage -L$(LIBDIR)
SETSEBOOL_OBJS = setsebool.o
diff -pruN selinux-dev-211109/policycoreutils/setsebool/setsebool.8 selinux-dev-211109-patched/policycoreutils/setsebool/setsebool.8
--- selinux-dev-211109/policycoreutils/setsebool/setsebool.8 2009-11-21 16:09:55.000000000 +0100
+++ selinux-dev-211109-patched/policycoreutils/setsebool/setsebool.8 2009-11-21 22:33:03.000000000 +0100
@@ -11,6 +11,17 @@ setsebool \- set SELinux boolean value
sets the current state of a particular SELinux boolean or a list of booleans
to a given value. The value may be 1 or true or on to enable the boolean, or 0 or false or off to disable it.
+.SH "OPTIONS"
+.TP
+
+.B \-h,\-\-help
+.P
+ Print usage information.
+
+.B \-V,\-\-version
+.P
+ Print version information.
+
Without the -P option, only the current boolean value is
affected; the boot-time default settings
are not changed.
diff -pruN selinux-dev-211109/policycoreutils/setsebool/setsebool.c selinux-dev-211109-patched/policycoreutils/setsebool/setsebool.c
--- selinux-dev-211109/policycoreutils/setsebool/setsebool.c 2009-11-21 16:09:55.000000000 +0100
+++ selinux-dev-211109-patched/policycoreutils/setsebool/setsebool.c 2009-11-21 22:33:03.000000000 +0100
@@ -5,6 +5,7 @@
#include <sys/stat.h>
#include <fcntl.h>
#include <errno.h>
+#include <getopt.h>
#include <syslog.h>
#include <pwd.h>
#include <selinux/selinux.h>
@@ -14,38 +15,75 @@
#include <semanage/boolean_record.h>
#include <errno.h>
+#define SETSEBOOL_CONF_PROG_NAME "setsebool" /* default program name */
+
int permanent = 0;
int setbool(char **list, size_t start, size_t end);
-void usage(void)
+void usage(char *progname)
{
- fputs
- ("\nUsage: setsebool [ -P ] boolean value | bool1=val1 bool2=val2...\n\n",
- stderr);
+ fprintf(stderr, "\nUsage: %s -h | -V | [ -P ] boolean value | bool1=val1 bool2=val2...\n\n", progname);
exit(1);
}
+static char *opt_program_name(char *argv0, char *def)
+{
+ if (argv0) {
+ if ((def = strrchr(argv0, '/')))
+ ++def;
+ else
+ def = argv0;
+
+ /* hack for libtool */
+ if ((strlen(def) > strlen("lt-"))
+ && !memcmp("lt-", def, strlen("lt-")))
+ def += 3;
+ }
+
+ return (def);
+}
+
int main(int argc, char **argv)
{
size_t rc, start;
+ int opt;
+ char *program_name = NULL;
+ struct option long_options[] = {
+ {"help", no_argument, NULL, 'h'},
+ {"version", no_argument, NULL, 'V'},
+ {NULL, 0, NULL, 0}
+ };
+
+ program_name = opt_program_name(argv[0], SETSEBOOL_CONF_PROG_NAME);
+ start = 1;
+
+ while ((opt = getopt_long(argc, argv, "hPV", long_options, NULL)) != -1) {
+ switch (opt) {
+ case 'V':
+ fprintf(stdout,
+ " %s version %s.\n", program_name, VERSION);
+ exit(EXIT_SUCCESS);
+ case 'h':
+ usage(program_name);
+ case 'P':
+ if (argc < 3)
+ usage(program_name);
+ permanent = 1;
+ start = 2;
+ default:
+ usage(program_name);
+ }
+ }
if (argc < 2)
- usage();
+ usage(program_name);
if (is_selinux_enabled() <= 0) {
fputs("setsebool: SELinux is disabled.\n", stderr);
return 1;
}
- if (strcmp(argv[1], "-P") == 0) {
- permanent = 1;
- if (argc < 3)
- usage();
- start = 2;
- } else
- start = 1;
-
/* Check to see which way we are being called. If a '=' is passed,
we'll enforce the list syntax. If not we'll enforce the original
syntax for backward compatibility. */
@@ -54,7 +92,7 @@ int main(int argc, char **argv)
char *bool_list[1];
if ((argc - start) != 2)
- usage();
+ usage(program_name);
/* Add 1 for the '=' */
len = strlen(argv[start]) + strlen(argv[start + 1]) + 2;
[-- Attachment #1.3: checkpolicy-ticket1-1672486.patch --]
[-- Type: text/x-patch, Size: 4559 bytes --]
diff -pruN selinux-dev-211109/checkpolicy/checkmodule.8 selinux-dev-211109-patched/checkpolicy/checkmodule.8
--- selinux-dev-211109/checkpolicy/checkmodule.8 2009-11-21 16:09:55.000000000 +0100
+++ selinux-dev-211109-patched/checkpolicy/checkmodule.8 2009-11-21 22:45:50.000000000 +0100
@@ -21,23 +21,26 @@ the module package into the module store
.SH OPTIONS
.TP
-.B \-b
+.B \-b,\-\-binary
Read an existing binary policy module file rather than a source policy
module file. This option is a development/debugging aid.
.TP
.B \-m
Generate a non-base policy module.
.TP
-.B \-M
+.B \-M,\-\-mls
Enable the MLS/MCS support when checking and compiling the policy module.
.TP
-.B \-V
+.B \-V,\-\-version
Show policy versions created by this program
.TP
-.B \-o filename
+.B \-o,\-\-output filename
Write a binary policy module file to the specified filename.
Otherwise, checkmodule will only check the syntax of the module source file
and will not generate a binary module at all.
+.TP
+.B \-U,\-\-handle-unknown <action>
+Specify how the kernel should handle unknown classes or permissions (deny, allow or reject).
.SH EXAMPLE
.nf
diff -pruN selinux-dev-211109/checkpolicy/checkmodule.c selinux-dev-211109-patched/checkpolicy/checkmodule.c
--- selinux-dev-211109/checkpolicy/checkmodule.c 2009-11-21 16:09:55.000000000 +0100
+++ selinux-dev-211109-patched/checkpolicy/checkmodule.c 2009-11-21 22:45:50.000000000 +0100
@@ -163,8 +163,18 @@ int main(int argc, char **argv)
int ch;
int show_version = 0;
policydb_t modpolicydb;
+ struct option long_options[] = {
+ {"help", no_argument, NULL, 'h'},
+ {"output", required_argument, NULL, 'o'},
+ {"binary", no_argument, NULL, 'b'},
+ {"version", no_argument, NULL, 'V'},
+ {"handle-unknown", optional_argument, NULL, 'U'},
+ {"debug", no_argument, NULL, 'd'},
+ {"mls", no_argument, NULL, 'M'},
+ {NULL, 0, NULL, 0}
+ };
- while ((ch = getopt(argc, argv, "ho:dbVU:mM")) != EOF) {
+ while ((ch = getopt_long(argc, argv, "ho:bVU:mM", long_options, NULL)) != -1) {
switch (ch) {
case 'h':
usage(argv[0]);
diff -pruN selinux-dev-211109/checkpolicy/checkpolicy.8 selinux-dev-211109-patched/checkpolicy/checkpolicy.8
--- selinux-dev-211109/checkpolicy/checkpolicy.8 2009-11-21 16:09:55.000000000 +0100
+++ selinux-dev-211109-patched/checkpolicy/checkpolicy.8 2009-11-21 22:45:50.000000000 +0100
@@ -18,20 +18,32 @@ policy.conf or policy, depending on whet
.SH OPTIONS
.TP
-.B \-b
+.B \-b,\-\-binary
Read an existing binary policy file rather than a source policy.conf file.
.TP
-.B \-d
+.B \-d,\-\-debug
Enter debug mode after loading the policy.
.TP
-.B \-M
+.B \-M,\-\-mls
Enable the MLS policy when checking and compiling the policy.
.TP
-.B \-o filename
+.B \-o,\-\-output filename
Write a binary policy file to the specified filename.
.TP
.B \-c policyvers
Specify the policy version, defaults to the latest.
+.TP
+.B \-t,\-\-target
+Specify the target platform (selinux or xen).
+.TP
+.B \-U,\-\-handle-unknown <action>
+Specify how the kernel should handle unknown classes or permissions (deny, allow or reject).
+.TP
+.B \-V,\-\-version
+Show version information.
+.TP
+.B \-h,\-\-help
+Show usage information.
.SH "SEE ALSO"
SELinux documentation at http://www.nsa.gov/selinux,
diff -pruN selinux-dev-211109/checkpolicy/checkpolicy.c selinux-dev-211109-patched/checkpolicy/checkpolicy.c
--- selinux-dev-211109/checkpolicy/checkpolicy.c 2009-11-21 16:09:55.000000000 +0100
+++ selinux-dev-211109-patched/checkpolicy/checkpolicy.c 2009-11-21 22:45:50.000000000 +0100
@@ -392,8 +392,19 @@ int main(int argc, char **argv)
int state;
int show_version = 0;
struct policy_file pf;
+ struct option long_options[] = {
+ {"output", required_argument, NULL, 'o'},
+ {"target", required_argument, NULL, 't'},
+ {"binary", no_argument, NULL, 'b'},
+ {"debug", no_argument, NULL, 'd'},
+ {"version", no_argument, NULL, 'V'},
+ {"handle-unknown", optional_argument, NULL, 'U'},
+ {"mls", no_argument, NULL, 'M'},
+ {"help", no_argument, NULL, 'h'},
+ {NULL, 0, NULL, 0}
+ };
- while ((ch = getopt(argc, argv, "o:t:dbU:MVc:")) != EOF) {
+ while ((ch = getopt_long(argc, argv, "o:t:dbU:MVc:h", long_options, NULL)) != -1) {
switch (ch) {
case 'o':
outfile = optarg;
@@ -458,6 +469,7 @@ int main(int argc, char **argv)
policyvers = n;
break;
}
+ case 'h':
default:
usage(argv[0]);
}
[-- Attachment #2: smime.p7s --]
[-- Type: application/x-pkcs7-signature, Size: 5186 bytes --]
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH] Support for long-options in policycoreutils and checkpolicy (Ticket #1 [1672486])
2009-11-21 22:03 ` [PATCH] Support for long-options in policycoreutils and checkpolicy (Ticket #1 [1672486]) Guido Trentalancia
@ 2009-11-27 18:42 ` Joshua Brindle
2009-11-27 19:07 ` Joshua Brindle
0 siblings, 1 reply; 10+ messages in thread
From: Joshua Brindle @ 2009-11-27 18:42 UTC (permalink / raw)
To: Guido Trentalancia; +Cc: Eamon Walsh, SELinux
Guido Trentalancia wrote:
> Dear Eamon,
>
> here are the two "maintenance" patches that I did post earlier this
> month (along with the new manual pages). They are intended to close
> Ticket #1 [1672486] that I found open on Tresys pages
> (http://userspace.selinuxproject.org/trac/ticket/1).
>
> I do apologize for not putting the keyword "[PATCH]" in the original
> message.
>
> Here is a summary of what has been changed for policycoreutils:
>
> - introduced proper handling of -h, -V options and their respective long
> formats --help and --version to all binaries that are produced from C
> code. The same issue is not tackled for Python-based tools (e.g.
> semanage);
> - relative manual pages have also been updated accordingly.
>
> And here is what has been changed for checkpolicy/checkmodule:
>
> - introduced proper handling of -h, -V and the long formats --help and
> --version to all binaries (checkpolicy/checkmodule);
> - introduced the handling of long options for some of the other
> available options;
> - manual pages have also been updated accordingly (and a few
> undocumented options have been documented).
>
> One of the original two patches (the one against policycoreutils) did
> not compile cleanly anymore against the current HEAD of SELinux, so I
> have created an updated one, which is the one attached here.
>
> It's just a matter of some really minor issues, but I hope it helps, at
> least the ticket can now be closed...
>
> Kind regards,
>
> Guido
>
Thank you for doing this. Unfortunately it looks like your mail client
decided to base64 encode the attachment.
It is always best to use git to generate patch emails, please see:
http://andrewprice.me.uk/weblog/entry/generating-patch-emails-with-git
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH] Support for long-options in policycoreutils and checkpolicy (Ticket #1 [1672486])
2009-11-27 18:42 ` Joshua Brindle
@ 2009-11-27 19:07 ` Joshua Brindle
2009-11-28 1:56 ` Guido Trentalancia
2009-11-28 1:58 ` Guido Trentalancia
0 siblings, 2 replies; 10+ messages in thread
From: Joshua Brindle @ 2009-11-27 19:07 UTC (permalink / raw)
To: Guido Trentalancia; +Cc: Eamon Walsh, SELinux
Joshua Brindle wrote:
> Guido Trentalancia wrote:
>> Dear Eamon,
>>
>> here are the two "maintenance" patches that I did post earlier this
>> month (along with the new manual pages). They are intended to close
>> Ticket #1 [1672486] that I found open on Tresys pages
>> (http://userspace.selinuxproject.org/trac/ticket/1).
>>
>> I do apologize for not putting the keyword "[PATCH]" in the original
>> message.
>>
>> Here is a summary of what has been changed for policycoreutils:
>>
>> - introduced proper handling of -h, -V options and their respective long
>> formats --help and --version to all binaries that are produced from C
>> code. The same issue is not tackled for Python-based tools (e.g.
>> semanage);
>> - relative manual pages have also been updated accordingly.
>>
>> And here is what has been changed for checkpolicy/checkmodule:
>>
>> - introduced proper handling of -h, -V and the long formats --help and
>> --version to all binaries (checkpolicy/checkmodule);
>> - introduced the handling of long options for some of the other
>> available options;
>> - manual pages have also been updated accordingly (and a few
>> undocumented options have been documented).
>>
>> One of the original two patches (the one against policycoreutils) did
>> not compile cleanly anymore against the current HEAD of SELinux, so I
>> have created an updated one, which is the one attached here.
>>
>> It's just a matter of some really minor issues, but I hope it helps, at
>> least the ticket can now be closed...
>>
>> Kind regards,
>>
>> Guido
>>
>
>
> Thank you for doing this. Unfortunately it looks like your mail client
> decided to base64 encode the attachment.
>
> It is always best to use git to generate patch emails, please see:
> http://andrewprice.me.uk/weblog/entry/generating-patch-emails-with-git
>
I also have a couple comments about this patch. First I'm not so sure
about the:
"[program name] version [version]."
format. For people to be able to test versions in shell scripts I think
the output should simply be the version.
I'm not sure what the "libtool" hack thing is all about, why is that
necessary? In fact I'm not sure what the whole opt_program_name thing is
about, what are you trying to address here? That change makes the patch
very messy since you are going through and replacing every occurrence of
argv[0] with program_name. Typically changes should be separated in
patches to ease review, I'm not sure what this has to do with adding
--version to the apps.
Also, why -V rather than -v ?
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: Contributed manual pages for libselinux
2009-11-21 19:51 ` Guido Trentalancia
@ 2009-11-27 19:23 ` Joshua Brindle
2009-11-27 20:03 ` Joshua Brindle
1 sibling, 0 replies; 10+ messages in thread
From: Joshua Brindle @ 2009-11-27 19:23 UTC (permalink / raw)
To: Guido Trentalancia; +Cc: SELinux, ewalsh
Guido Trentalancia wrote:
> Hello Eamon !
>
> On Fri, 2009-11-20 at 21:42 -0500, Eamon Walsh wrote:
>
>> Hi, thanks for doing this. Some quick review below.
<snip>
> Yes, I have now mentioned that checkPasswdAccess is deprecated. We are
> referring to file security_compute_av.3 as the description of these two
> functions lives there...
>
> By the way, it has been pointed out that this function should not
> hard-code a string. I also agree with him, there is a generic constant
> for such "passwd" object class, it is defined in flask.h could be used
> instead of the string, thus avoiding hard-coding and also allowing to
> save a few cycles and be theoretically future-proof (if ever the name
> would change, say to "password", "auth-token" or anything else).
>
You can see here:
http://marc.info/?l=selinux&m=118115728003670&w=2
That the way it is now is quite intentional. For many years we relied on
the hardcoded offsets in flask.h and it prevented us from removing, or
reordering object classes. Therefore we now export the values out of the
kernel in /selinux/class and use those values rather than the ones from
flask.h (which hopefully could go away some day.)
> --- libselinux/src/checkAccess.c.orig 2009-11-21 20:07:21.000000000
> +0100
> +++ libselinux/src/checkAccess.c 2009-11-21 20:08:36.000000000
> +0100
> @@ -13,17 +13,12 @@ int selinux_check_passwd_access(access_v
> if (is_selinux_enabled() == 0)
> return 0;
> if (getprevcon_raw(&user_context) == 0) {
> - security_class_t passwd_class;
> struct av_decision avd;
> int retval;
>
> - passwd_class = string_to_security_class("passwd");
> - if (passwd_class == 0)
> - return 0;
> -
> retval = security_compute_av_raw(user_context,
> user_context,
> - passwd_class,
> + SECCLASS_PASSWD,
> requested,
> &avd);
>
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: Contributed manual pages for libselinux
2009-11-21 19:51 ` Guido Trentalancia
2009-11-27 19:23 ` Joshua Brindle
@ 2009-11-27 20:03 ` Joshua Brindle
1 sibling, 0 replies; 10+ messages in thread
From: Joshua Brindle @ 2009-11-27 20:03 UTC (permalink / raw)
To: Guido Trentalancia; +Cc: SELinux, ewalsh
Guido Trentalancia wrote:
> Hello Eamon !
>
> On Fri, 2009-11-20 at 21:42 -0500, Eamon Walsh wrote:
>
>> Hi, thanks for doing this. Some quick review below.
>
> You are welcome, I suppose it was a boring task for many...
>
> Thanks very much for reviewing the changes. And please accept my
> apologies for not placing "[PATCH]" in the subject of the original post.
> I had just subscribed to the list.
>
> I left you cc address intact here...
>
>> There is too much in matchpathcon(3) now. It's going to need to be
>> split up into different pages, perhaps the init/fini/teardown stuff in
>> one page, the lookup calls in another, and the non-matchpathcon prefixed
>> calls in a third page.
>>
>> Also, .so manpage links are needed for all the calls here.
>
> Yes, matchpathcon is a mess. Following your guidelines, I have now
> splitted the huge and messy page in several different man pages. It's
> easier to consult and easier to maintain.
>
> The first part (page) is strictly related to _init, its variant
> _init_index, _fini, matchpathcon and its variant matchpathcon_index.
> Nice and concise. References are provided in the "SEE ALSO" section to
> the rest.
>
> The second page describes the auxiliary lookup calls
> (matchpathcon_checkmatches) and the inode associations functions
> (matchpathcon_filespec_{add,destroy,eval}). The reference section points
> to the main matchpathcon page.
>
> A third page has been created for the functions that are used to set the
> flags (set_matchpathcon_flags) or to configure the behaviour of the main
> matchpathcon functions (set_matchpathcon_invalidcon and
> set_matchpathcon_printf).
>
> A fourth and fifth page is devoted to functions that should never had
> ended up in matchpathcon (selinux_file_context_cmp and
> selinux_file_context_verify in one page and selinux_lsetfilecon_default
> in another one): we do not really need to save electrons needed for new
> pages...
>
>>
>>> * print_access_vector
>>>
>> Looks good.
>
> No modifications.
>
>>> * security_disable
>>>
>> See the selinux.h comments for this. It needs to be documented that
>> this function can only be called at startup time.
>
> Ok. I have stressed that now and also mentioned that after the policy
> has been loaded at startup, then only "setenforce" can be used to alter
> (not disable) the mode of the SELinux kernel code (for example by
> placing it into "permissive" mode).
>
>>> * security_set_boolean_list
>>>
>> a RETURN VALUE section is needed in this page, documenting at least this
>> call if not the others in that page.
>
> I have now added a "RETURN VALUE" section.
>
> Also, to avoid confusion, I have rephrased the word "returns" in
> "provides" when not strictly referring the to the return value of the
> function (take for example security_get_boolean_names(), strictly
> speaking the function returns an integer representing 0=success or
> -1=failure, although from a conceptual point of view it also returns a
> list trough modification of one of its parameters passed by reference).
>
> Usually when an application developer looks at the "RETURN VALUE"
> section it is because he/she has already planned/coded the call to the
> function (and thus also the handling to parameters passed by reference)
> and only needs to check for the function exit status so that it can be
> handled properly at the call point.
>
>>> * selinux_check_passwd_access
>>>
>> This is a replacement for the inconsistently named "checkPasswdAccess"
>> function. So, the existing description of checkPasswdAccess should be
>> moved to this function, and checkPasswdAccess should be changed to "this
>> is a deprecated alias for selinux_check_passwd_access".
>
> Yes, I have now mentioned that checkPasswdAccess is deprecated. We are
> referring to file security_compute_av.3 as the description of these two
> functions lives there...
>
> By the way, it has been pointed out that this function should not
> hard-code a string. I also agree with him, there is a generic constant
> for such "passwd" object class, it is defined in flask.h could be used
> instead of the string, thus avoiding hard-coding and also allowing to
> save a few cycles and be theoretically future-proof (if ever the name
> would change, say to "password", "auth-token" or anything else).
>
> --- libselinux/src/checkAccess.c.orig 2009-11-21 20:07:21.000000000
> +0100
> +++ libselinux/src/checkAccess.c 2009-11-21 20:08:36.000000000
> +0100
> @@ -13,17 +13,12 @@ int selinux_check_passwd_access(access_v
> if (is_selinux_enabled() == 0)
> return 0;
> if (getprevcon_raw(&user_context) == 0) {
> - security_class_t passwd_class;
> struct av_decision avd;
> int retval;
>
> - passwd_class = string_to_security_class("passwd");
> - if (passwd_class == 0)
> - return 0;
> -
> retval = security_compute_av_raw(user_context,
> user_context,
> - passwd_class,
> + SECCLASS_PASSWD,
> requested,
> &avd);
>
> Note that the above code, should really live in the application and not
> in the selinux library. It used to be like that, then for some reason it
> has been introduced. Redhat's passwd and cronie are calling the library
> function and thus at the moment they rely on it. But for example,
> util-linux-ng has the code in it and does not call this function, as I
> believe it should be. A very minor issue anyway...
>
>>> * selinux_init_load_policy
>>>
>> A paragraph break is needed in the DESCRIPTION section before this function.
>
> Done. I have also added a note to the already mentioned fact that after
> initial policy load, SELinux cannot be anymore disabled using calls to
> security_disable(3).
>
>>> * selinux_lsetfilecon_default
>>>
>> See notes above about the matchpathcon manpage.
>
> Yes, separate man page now.
>
>>> * selinux_mkload_policy
>>>
>> Looks good.
>
> No modifications.
>
>>> * set_selinuxmnt
>>>
>> This manpage includes two static functions that are not part of the
>> libselinux API (at least, not anymore) and should be removed.
>>
>> Also, I'm not comfortable with the description given. Instead, use the
>> comments in selinux.h, which are more accurate and verbose.
>>
>
> Please let me know if things are any better now.
>
> I did also provide on the same day a patch for beautifying and improving
> the command-line option parsing of a few utilities (a ticket had been
> created by somebody). That patch provides those improvement according to
> GNU-style parsing of "help" and "version" options (including long-option
> variants). I think it also fixes a couple of typos here and there. Feel
> free to include that patch too if you like it, so that the ticket can be
> closed ! I will attach it again in another separate message: it has been
> slightly modified in order to apply cleanly to the latest git snapshot.
>
> More important, I was also thinking about fingerprinting (and
> subsequently checking) the libraries with some cryptographic hash
> function such as the NIST-recommended SHA2. It is beginning to be done
> for security-related projects like OpenSSL, so I believe it is even more
> essential for SELinux. Ever thought about anything like that ?
>
> Best regards,
>
> Guido
Merged in libselinux 2.0.90
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH] Support for long-options in policycoreutils and checkpolicy (Ticket #1 [1672486])
2009-11-27 19:07 ` Joshua Brindle
@ 2009-11-28 1:56 ` Guido Trentalancia
2009-11-28 1:58 ` Guido Trentalancia
1 sibling, 0 replies; 10+ messages in thread
From: Guido Trentalancia @ 2009-11-28 1:56 UTC (permalink / raw)
To: Joshua Brindle; +Cc: SELinux
Dear Joshua,
thanks for your reply and for your comments.
My reply follows the quoted text.
On Fri, 2009-11-27 at 14:07 -0500, Joshua Brindle wrote:
> Joshua Brindle wrote:
> > Guido Trentalancia wrote:
> >> Dear Eamon,
> >>
> >> here are the two "maintenance" patches that I did post earlier this
> >> month (along with the new manual pages). They are intended to close
> >> Ticket #1 [1672486] that I found open on Tresys pages
> >> (http://userspace.selinuxproject.org/trac/ticket/1).
> >>
> >> I do apologize for not putting the keyword "[PATCH]" in the original
> >> message.
> >>
> >> Here is a summary of what has been changed for policycoreutils:
> >>
> >> - introduced proper handling of -h, -V options and their respective long
> >> formats --help and --version to all binaries that are produced from C
> >> code. The same issue is not tackled for Python-based tools (e.g.
> >> semanage);
> >> - relative manual pages have also been updated accordingly.
> >>
> >> And here is what has been changed for checkpolicy/checkmodule:
> >>
> >> - introduced proper handling of -h, -V and the long formats --help and
> >> --version to all binaries (checkpolicy/checkmodule);
> >> - introduced the handling of long options for some of the other
> >> available options;
> >> - manual pages have also been updated accordingly (and a few
> >> undocumented options have been documented).
> >>
> >> One of the original two patches (the one against policycoreutils) did
> >> not compile cleanly anymore against the current HEAD of SELinux, so I
> >> have created an updated one, which is the one attached here.
> >>
> >> It's just a matter of some really minor issues, but I hope it helps, at
> >> least the ticket can now be closed...
> >>
> >> Kind regards,
> >>
> >> Guido
> >>
> >
> >
> > Thank you for doing this. Unfortunately it looks like your mail client
> > decided to base64 encode the attachment.
> >
> > It is always best to use git to generate patch emails, please see:
> > http://andrewprice.me.uk/weblog/entry/generating-patch-emails-with-git
> >
>
> I also have a couple comments about this patch. First I'm not so sure
> about the:
> "[program name] version [version]."
>
> format. For people to be able to test versions in shell scripts I think
> the output should simply be the version.
>
> I'm not sure what the "libtool" hack thing is all about, why is that
> necessary? In fact I'm not sure what the whole opt_program_name thing is
> about, what are you trying to address here? That change makes the patch
> very messy since you are going through and replacing every occurrence of
> argv[0] with program_name. Typically changes should be separated in
> patches to ease review, I'm not sure what this has to do with adding
> --version to the apps.
>
> Also, why -V rather than -v ?
The "[program name] version [version] is the standard (see other GNU
packages like gcc or binutils). Scripts that only need the "version"
argument can still filter out the rest using awk or something like that.
The opt_program_name thing has been taken from secon.c. It is intended
to provide the name of the program without the path to the binary or
other garbage. It has to do with adding version simply because of the
standard format mentioned above which requires the name of the program.
If you have not received the patch because of the encoding performed by
my mail client, I can send it again.
I look forward to hearing from you. Thank you.
Greetings,
Guido Trentalancia
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH] Support for long-options in policycoreutils and checkpolicy (Ticket #1 [1672486])
2009-11-27 19:07 ` Joshua Brindle
2009-11-28 1:56 ` Guido Trentalancia
@ 2009-11-28 1:58 ` Guido Trentalancia
1 sibling, 0 replies; 10+ messages in thread
From: Guido Trentalancia @ 2009-11-28 1:58 UTC (permalink / raw)
To: Joshua Brindle; +Cc: SELinux
Dear Joshua,
in your previous message you were also asking why the option "-V"
instead of "-v" has been used for getting the version of the program.
Again, this is according to the GNU coding style (because "-v" is
generally used for making the program "verbose").
Regards,
Guido
On Fri, 2009-11-27 at 14:07 -0500, Joshua Brindle wrote:
> Joshua Brindle wrote:
> > Guido Trentalancia wrote:
> >> Dear Eamon,
> >>
> >> here are the two "maintenance" patches that I did post earlier this
> >> month (along with the new manual pages). They are intended to close
> >> Ticket #1 [1672486] that I found open on Tresys pages
> >> (http://userspace.selinuxproject.org/trac/ticket/1).
> >>
> >> I do apologize for not putting the keyword "[PATCH]" in the original
> >> message.
> >>
> >> Here is a summary of what has been changed for policycoreutils:
> >>
> >> - introduced proper handling of -h, -V options and their respective long
> >> formats --help and --version to all binaries that are produced from C
> >> code. The same issue is not tackled for Python-based tools (e.g.
> >> semanage);
> >> - relative manual pages have also been updated accordingly.
> >>
> >> And here is what has been changed for checkpolicy/checkmodule:
> >>
> >> - introduced proper handling of -h, -V and the long formats --help and
> >> --version to all binaries (checkpolicy/checkmodule);
> >> - introduced the handling of long options for some of the other
> >> available options;
> >> - manual pages have also been updated accordingly (and a few
> >> undocumented options have been documented).
> >>
> >> One of the original two patches (the one against policycoreutils) did
> >> not compile cleanly anymore against the current HEAD of SELinux, so I
> >> have created an updated one, which is the one attached here.
> >>
> >> It's just a matter of some really minor issues, but I hope it helps, at
> >> least the ticket can now be closed...
> >>
> >> Kind regards,
> >>
> >> Guido
> >>
> >
> >
> > Thank you for doing this. Unfortunately it looks like your mail client
> > decided to base64 encode the attachment.
> >
> > It is always best to use git to generate patch emails, please see:
> > http://andrewprice.me.uk/weblog/entry/generating-patch-emails-with-git
> >
>
> I also have a couple comments about this patch. First I'm not so sure
> about the:
> "[program name] version [version]."
>
> format. For people to be able to test versions in shell scripts I think
> the output should simply be the version.
>
> I'm not sure what the "libtool" hack thing is all about, why is that
> necessary? In fact I'm not sure what the whole opt_program_name thing is
> about, what are you trying to address here? That change makes the patch
> very messy since you are going through and replacing every occurrence of
> argv[0] with program_name. Typically changes should be separated in
> patches to ease review, I'm not sure what this has to do with adding
> --version to the apps.
>
> Also, why -V rather than -v ?
>
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
> the words "unsubscribe selinux" without quotes as the message.
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 10+ messages in thread
end of thread, other threads:[~2009-11-28 1:58 UTC | newest]
Thread overview: 10+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2009-11-02 23:57 Contributed manual pages for libselinux Guido Trentalancia
2009-11-21 2:42 ` Eamon Walsh
2009-11-21 19:51 ` Guido Trentalancia
2009-11-27 19:23 ` Joshua Brindle
2009-11-27 20:03 ` Joshua Brindle
2009-11-21 22:03 ` [PATCH] Support for long-options in policycoreutils and checkpolicy (Ticket #1 [1672486]) Guido Trentalancia
2009-11-27 18:42 ` Joshua Brindle
2009-11-27 19:07 ` Joshua Brindle
2009-11-28 1:56 ` Guido Trentalancia
2009-11-28 1:58 ` Guido Trentalancia
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.