├── .circleci
└── config.yml
├── .fmf
└── version
├── .github
└── workflows
│ ├── cifuzz.yml
│ ├── run_tests.yml
│ └── tf_testsuite.yml
├── .gitignore
├── CONTRIBUTING.md
├── CleanSpec.mk
├── LICENSE
├── Makefile
├── README.md
├── SECURITY.md
├── VERSION
├── checkpolicy
├── .gitignore
├── LICENSE
├── Makefile
├── VERSION
├── checkmodule.8
├── checkmodule.c
├── checkpolicy.8
├── checkpolicy.c
├── fuzz
│ ├── checkpolicy-fuzzer.c
│ ├── checkpolicy-fuzzer.dict
│ ├── min_pol.conf
│ └── min_pol.mls.conf
├── module_compiler.c
├── module_compiler.h
├── parse_util.c
├── parse_util.h
├── policy_define.c
├── policy_define.h
├── policy_parse.y
├── policy_scan.l
├── queue.c
├── queue.h
├── test
│ ├── .gitignore
│ ├── Makefile
│ ├── dismod.c
│ └── dispol.c
└── tests
│ ├── policy_allonce.conf
│ ├── policy_allonce.expected.conf
│ ├── policy_allonce.expected_opt.conf
│ ├── policy_allonce_mls.conf
│ ├── policy_allonce_mls.expected.conf
│ ├── policy_allonce_mls.expected_opt.conf
│ ├── policy_allonce_xen.conf
│ ├── policy_allonce_xen.expected.conf
│ ├── policy_allonce_xen.expected_opt.conf
│ ├── policy_minimal.conf
│ ├── policy_minimal_mls.conf
│ └── test_roundtrip.sh
├── dbus
├── LICENSE
├── Makefile
├── VERSION
├── org.selinux.conf
├── org.selinux.policy
├── org.selinux.service
├── selinux_client.py
└── selinux_server.py
├── gui
├── LICENSE
├── Makefile
├── VERSION
├── booleansPage.py
├── domainsPage.py
├── fcontextPage.py
├── loginsPage.py
├── modulesPage.py
├── org.selinux.config.policy
├── po
│ ├── Makefile
│ ├── POTFILES
│ ├── af.po
│ ├── am.po
│ ├── ar.po
│ ├── as.po
│ ├── ast.po
│ ├── be.po
│ ├── bg.po
│ ├── bn.po
│ ├── bn_IN.po
│ ├── br.po
│ ├── bs.po
│ ├── ca.po
│ ├── cs.po
│ ├── cy.po
│ ├── da.po
│ ├── de.po
│ ├── de_CH.po
│ ├── el.po
│ ├── en_GB.po
│ ├── eo.po
│ ├── es.po
│ ├── et.po
│ ├── eu.po
│ ├── fa.po
│ ├── fi.po
│ ├── fil.po
│ ├── fr.po
│ ├── fur.po
│ ├── ga.po
│ ├── gl.po
│ ├── gu.po
│ ├── gui.pot
│ ├── he.po
│ ├── hi.po
│ ├── hr.po
│ ├── hu.po
│ ├── ia.po
│ ├── id.po
│ ├── ilo.po
│ ├── is.po
│ ├── it.po
│ ├── ja.po
│ ├── ka.po
│ ├── kk.po
│ ├── km.po
│ ├── kn.po
│ ├── ko.po
│ ├── ky.po
│ ├── lt.po
│ ├── lv.po
│ ├── mai.po
│ ├── mk.po
│ ├── ml.po
│ ├── mn.po
│ ├── mr.po
│ ├── ms.po
│ ├── my.po
│ ├── nb.po
│ ├── nds.po
│ ├── ne.po
│ ├── nl.po
│ ├── nn.po
│ ├── nso.po
│ ├── or.po
│ ├── pa.po
│ ├── pl.po
│ ├── pt.po
│ ├── pt_BR.po
│ ├── ro.po
│ ├── ru.po
│ ├── si.po
│ ├── sk.po
│ ├── sl.po
│ ├── sq.po
│ ├── sr.po
│ ├── sr@latin.po
│ ├── sv.po
│ ├── ta.po
│ ├── te.po
│ ├── tg.po
│ ├── th.po
│ ├── tr.po
│ ├── uk.po
│ ├── ur.po
│ ├── vi.po
│ ├── zh_CN.po
│ ├── zh_HK.po
│ ├── zh_TW.po
│ └── zu.po
├── polgen.ui
├── polgengui.py
├── portsPage.py
├── selinux-polgengui.8
├── selinux-polgengui.desktop
├── semanagePage.py
├── sepolgen
├── sepolicy.desktop
├── sepolicy_16.png
├── sepolicy_22.png
├── sepolicy_256.png
├── sepolicy_32.png
├── sepolicy_48.png
├── statusPage.py
├── system-config-selinux
├── system-config-selinux.8
├── system-config-selinux.desktop
├── system-config-selinux.png
├── system-config-selinux.py
├── system-config-selinux.ui
└── usersPage.py
├── libselinux
├── LICENSE
├── Makefile
├── VERSION
├── fuzz
│ ├── input
│ ├── selabel_file_compiled-fuzzer.c
│ └── selabel_file_text-fuzzer.c
├── include
│ ├── Makefile
│ └── selinux
│ │ ├── avc.h
│ │ ├── context.h
│ │ ├── get_context_list.h
│ │ ├── get_default_type.h
│ │ ├── label.h
│ │ ├── restorecon.h
│ │ └── selinux.h
├── man
│ ├── Makefile
│ ├── man3
│ │ ├── avc_add_callback.3
│ │ ├── avc_audit.3
│ │ ├── avc_av_stats.3
│ │ ├── avc_cache_stats.3
│ │ ├── avc_cleanup.3
│ │ ├── avc_compute_create.3
│ │ ├── avc_compute_member.3
│ │ ├── avc_context_to_sid.3
│ │ ├── avc_destroy.3
│ │ ├── avc_entry_ref_init.3
│ │ ├── avc_get_initial_context.3
│ │ ├── avc_get_initial_sid.3
│ │ ├── avc_has_perm.3
│ │ ├── avc_has_perm_noaudit.3
│ │ ├── avc_init.3
│ │ ├── avc_netlink_acquire_fd.3
│ │ ├── avc_netlink_check_nb.3
│ │ ├── avc_netlink_close.3
│ │ ├── avc_netlink_loop.3
│ │ ├── avc_netlink_open.3
│ │ ├── avc_netlink_release_fd.3
│ │ ├── avc_open.3
│ │ ├── avc_reset.3
│ │ ├── avc_sid_stats.3
│ │ ├── avc_sid_to_context.3
│ │ ├── checkPasswdAccess.3
│ │ ├── context_free.3
│ │ ├── context_new.3
│ │ ├── context_range_get.3
│ │ ├── context_range_set.3
│ │ ├── context_role_get.3
│ │ ├── context_role_set.3
│ │ ├── context_str.3
│ │ ├── context_type_get.3
│ │ ├── context_type_set.3
│ │ ├── context_user_get.3
│ │ ├── context_user_set.3
│ │ ├── fgetfilecon.3
│ │ ├── fgetfilecon_raw.3
│ │ ├── fini_selinuxmnt.3
│ │ ├── freecon.3
│ │ ├── freeconary.3
│ │ ├── fsetfilecon.3
│ │ ├── fsetfilecon_raw.3
│ │ ├── get_default_context.3
│ │ ├── get_default_context_with_level.3
│ │ ├── get_default_context_with_role.3
│ │ ├── get_default_context_with_rolelevel.3
│ │ ├── get_default_type.3
│ │ ├── get_ordered_context_list.3
│ │ ├── get_ordered_context_list_with_level.3
│ │ ├── getcon.3
│ │ ├── getcon_raw.3
│ │ ├── getexeccon.3
│ │ ├── getexeccon_raw.3
│ │ ├── getfilecon.3
│ │ ├── getfilecon_raw.3
│ │ ├── getfscreatecon.3
│ │ ├── getfscreatecon_raw.3
│ │ ├── getkeycreatecon.3
│ │ ├── getkeycreatecon_raw.3
│ │ ├── getpeercon.3
│ │ ├── getpeercon_raw.3
│ │ ├── getpidcon.3
│ │ ├── getpidcon_raw.3
│ │ ├── getpidprevcon.3
│ │ ├── getpidprevcon_raw.3
│ │ ├── getprevcon.3
│ │ ├── getprevcon_raw.3
│ │ ├── getseuserbyname.3
│ │ ├── getsockcreatecon.3
│ │ ├── getsockcreatecon_raw.3
│ │ ├── init_selinuxmnt.3
│ │ ├── is_context_customizable.3
│ │ ├── is_selinux_enabled.3
│ │ ├── is_selinux_mls_enabled.3
│ │ ├── lgetfilecon.3
│ │ ├── lgetfilecon_raw.3
│ │ ├── lsetfilecon.3
│ │ ├── lsetfilecon_raw.3
│ │ ├── manual_user_enter_context.3
│ │ ├── matchmediacon.3
│ │ ├── matchpathcon.3
│ │ ├── matchpathcon_checkmatches.3
│ │ ├── matchpathcon_filespec_add.3
│ │ ├── matchpathcon_filespec_destroy.3
│ │ ├── matchpathcon_filespec_eval.3
│ │ ├── matchpathcon_fini.3
│ │ ├── matchpathcon_index.3
│ │ ├── matchpathcon_init.3
│ │ ├── mode_to_security_class.3
│ │ ├── print_access_vector.3
│ │ ├── query_user_context.3
│ │ ├── rpm_execcon.3
│ │ ├── security_av_perm_to_string.3
│ │ ├── security_av_string.3
│ │ ├── security_check_context.3
│ │ ├── security_check_context_raw.3
│ │ ├── security_class_to_string.3
│ │ ├── security_commit_booleans.3
│ │ ├── security_compute_av.3
│ │ ├── security_compute_av_flags.3
│ │ ├── security_compute_av_flags_raw.3
│ │ ├── security_compute_av_raw.3
│ │ ├── security_compute_create.3
│ │ ├── security_compute_create_name.3
│ │ ├── security_compute_create_name_raw.3
│ │ ├── security_compute_create_raw.3
│ │ ├── security_compute_member.3
│ │ ├── security_compute_member_raw.3
│ │ ├── security_compute_relabel.3
│ │ ├── security_compute_relabel_raw.3
│ │ ├── security_compute_user.3
│ │ ├── security_compute_user_raw.3
│ │ ├── security_deny_unknown.3
│ │ ├── security_disable.3
│ │ ├── security_get_boolean_active.3
│ │ ├── security_get_boolean_names.3
│ │ ├── security_get_boolean_pending.3
│ │ ├── security_get_checkreqprot.3
│ │ ├── security_get_initial_context.3
│ │ ├── security_get_initial_context_raw.3
│ │ ├── security_getenforce.3
│ │ ├── security_load_booleans.3
│ │ ├── security_load_policy.3
│ │ ├── security_mkload_policy.3
│ │ ├── security_policyvers.3
│ │ ├── security_reject_unknown.3
│ │ ├── security_set_boolean.3
│ │ ├── security_set_boolean_list.3
│ │ ├── security_setenforce.3
│ │ ├── security_validatetrans.3
│ │ ├── security_validatetrans_raw.3
│ │ ├── selabel_close.3
│ │ ├── selabel_digest.3
│ │ ├── selabel_get_digests_all_partial_matches.3
│ │ ├── selabel_lookup.3
│ │ ├── selabel_lookup_best_match.3
│ │ ├── selabel_lookup_best_match_raw.3
│ │ ├── selabel_lookup_raw.3
│ │ ├── selabel_open.3
│ │ ├── selabel_partial_match.3
│ │ ├── selabel_stats.3
│ │ ├── selinux_binary_policy_path.3
│ │ ├── selinux_boolean_sub.3
│ │ ├── selinux_check_access.3
│ │ ├── selinux_check_passwd_access.3
│ │ ├── selinux_check_securetty_context.3
│ │ ├── selinux_colors_path.3
│ │ ├── selinux_contexts_path.3
│ │ ├── selinux_current_policy_path.3
│ │ ├── selinux_default_context_path.3
│ │ ├── selinux_default_type_path.3
│ │ ├── selinux_failsafe_context_path.3
│ │ ├── selinux_file_context_cmp.3
│ │ ├── selinux_file_context_homedir_path.3
│ │ ├── selinux_file_context_local_path.3
│ │ ├── selinux_file_context_path.3
│ │ ├── selinux_file_context_verify.3
│ │ ├── selinux_getenforcemode.3
│ │ ├── selinux_getpolicytype.3
│ │ ├── selinux_homedir_context_path.3
│ │ ├── selinux_init_load_policy.3
│ │ ├── selinux_lsetfilecon_default.3
│ │ ├── selinux_media_context_path.3
│ │ ├── selinux_mkload_policy.3
│ │ ├── selinux_netfilter_context_path.3
│ │ ├── selinux_path.3
│ │ ├── selinux_policy_root.3
│ │ ├── selinux_raw_context_to_color.3
│ │ ├── selinux_removable_context_path.3
│ │ ├── selinux_restorecon.3
│ │ ├── selinux_restorecon_default_handle.3
│ │ ├── selinux_restorecon_get_skipped_errors.3
│ │ ├── selinux_restorecon_parallel.3
│ │ ├── selinux_restorecon_set_alt_rootpath.3
│ │ ├── selinux_restorecon_set_exclude_list.3
│ │ ├── selinux_restorecon_set_sehandle.3
│ │ ├── selinux_restorecon_xattr.3
│ │ ├── selinux_securetty_types_path.3
│ │ ├── selinux_sepgsql_context_path.3
│ │ ├── selinux_set_callback.3
│ │ ├── selinux_set_mapping.3
│ │ ├── selinux_set_policy_root.3
│ │ ├── selinux_status_close.3
│ │ ├── selinux_status_deny_unknown.3
│ │ ├── selinux_status_getenforce.3
│ │ ├── selinux_status_open.3
│ │ ├── selinux_status_policyload.3
│ │ ├── selinux_status_updated.3
│ │ ├── selinux_user_contexts_path.3
│ │ ├── selinux_usersconf_path.3
│ │ ├── selinux_x_context_path.3
│ │ ├── set_matchpathcon_flags.3
│ │ ├── set_matchpathcon_invalidcon.3
│ │ ├── set_matchpathcon_printf.3
│ │ ├── set_selinuxmnt.3
│ │ ├── setcon.3
│ │ ├── setcon_raw.3
│ │ ├── setexeccon.3
│ │ ├── setexeccon_raw.3
│ │ ├── setexecfilecon.3
│ │ ├── setfilecon.3
│ │ ├── setfilecon_raw.3
│ │ ├── setfscreatecon.3
│ │ ├── setfscreatecon_raw.3
│ │ ├── setkeycreatecon.3
│ │ ├── setkeycreatecon_raw.3
│ │ ├── setsockcreatecon.3
│ │ ├── setsockcreatecon_raw.3
│ │ ├── sidget.3
│ │ ├── sidput.3
│ │ ├── string_to_av_perm.3
│ │ └── string_to_security_class.3
│ ├── man5
│ │ ├── customizable_types.5
│ │ ├── default_contexts.5
│ │ ├── default_type.5
│ │ ├── failsafe_context.5
│ │ ├── file_contexts.5
│ │ ├── file_contexts.homedirs.5
│ │ ├── file_contexts.local.5
│ │ ├── file_contexts.subs.5
│ │ ├── file_contexts.subs_dist.5
│ │ ├── media.5
│ │ ├── removable_context.5
│ │ ├── secolor.conf.5
│ │ ├── securetty_types.5
│ │ ├── selabel_db.5
│ │ ├── selabel_file.5
│ │ ├── selabel_media.5
│ │ ├── selabel_x.5
│ │ ├── sepgsql_contexts.5
│ │ ├── service_seusers.5
│ │ ├── seusers.5
│ │ ├── user_contexts.5
│ │ ├── virtual_domain_context.5
│ │ ├── virtual_image_context.5
│ │ └── x_contexts.5
│ └── man8
│ │ ├── avcstat.8
│ │ ├── booleans.8
│ │ ├── getenforce.8
│ │ ├── getsebool.8
│ │ ├── matchpathcon.8
│ │ ├── sefcontext_compile.8
│ │ ├── selinux.8
│ │ ├── selinuxenabled.8
│ │ ├── selinuxexeccon.8
│ │ ├── setenforce.8
│ │ └── togglesebool.8
├── src
│ ├── .gitignore
│ ├── Makefile
│ ├── audit2why.c
│ ├── audit2why.map
│ ├── avc.c
│ ├── avc_internal.c
│ ├── avc_internal.h
│ ├── avc_sidtab.c
│ ├── avc_sidtab.h
│ ├── booleans.c
│ ├── callbacks.c
│ ├── callbacks.h
│ ├── canonicalize_context.c
│ ├── checkAccess.c
│ ├── check_context.c
│ ├── checkreqprot.c
│ ├── compute_av.c
│ ├── compute_create.c
│ ├── compute_member.c
│ ├── compute_relabel.c
│ ├── compute_user.c
│ ├── context.c
│ ├── context_internal.h
│ ├── deny_unknown.c
│ ├── disable.c
│ ├── enabled.c
│ ├── exception.sh
│ ├── fgetfilecon.c
│ ├── file_path_suffixes.h
│ ├── freecon.c
│ ├── freeconary.c
│ ├── fsetfilecon.c
│ ├── get_context_list.c
│ ├── get_context_list_internal.h
│ ├── get_default_type.c
│ ├── get_default_type_internal.h
│ ├── get_initial_context.c
│ ├── getenforce.c
│ ├── getfilecon.c
│ ├── getpeercon.c
│ ├── init.c
│ ├── is_customizable_type.c
│ ├── label.c
│ ├── label_backends_android.c
│ ├── label_db.c
│ ├── label_file.c
│ ├── label_file.h
│ ├── label_internal.h
│ ├── label_media.c
│ ├── label_support.c
│ ├── label_x.c
│ ├── lgetfilecon.c
│ ├── libselinux.map
│ ├── libselinux.pc.in
│ ├── load_policy.c
│ ├── lsetfilecon.c
│ ├── mapping.c
│ ├── mapping.h
│ ├── matchmediacon.c
│ ├── matchpathcon.c
│ ├── policy.h
│ ├── policyvers.c
│ ├── procattr.c
│ ├── query_user_context.c
│ ├── regex.c
│ ├── regex.h
│ ├── reject_unknown.c
│ ├── selinux_check_securetty_context.c
│ ├── selinux_config.c
│ ├── selinux_internal.c
│ ├── selinux_internal.h
│ ├── selinux_netlink.h
│ ├── selinux_restorecon.c
│ ├── selinuxswig.i
│ ├── selinuxswig_python.i
│ ├── selinuxswig_python_exception.i
│ ├── selinuxswig_ruby.i
│ ├── sestatus.c
│ ├── setenforce.c
│ ├── setexecfilecon.c
│ ├── setfilecon.c
│ ├── setrans_client.c
│ ├── setrans_internal.h
│ ├── setup.py
│ ├── seusers.c
│ ├── sha256.c
│ ├── sha256.h
│ ├── stringrep.c
│ └── validatetrans.c
└── utils
│ ├── .gitignore
│ ├── Makefile
│ ├── avcstat.c
│ ├── compute_av.c
│ ├── compute_create.c
│ ├── compute_member.c
│ ├── compute_relabel.c
│ ├── getconlist.c
│ ├── getdefaultcon.c
│ ├── getenforce.c
│ ├── getfilecon.c
│ ├── getpidcon.c
│ ├── getpidprevcon.c
│ ├── getpolicyload.c
│ ├── getsebool.c
│ ├── getseuser.c
│ ├── matchpathcon.c
│ ├── policyvers.c
│ ├── sefcontext_compile.c
│ ├── selabel_compare.c
│ ├── selabel_digest.c
│ ├── selabel_get_digests_all_partial_matches.c
│ ├── selabel_lookup.c
│ ├── selabel_lookup_best_match.c
│ ├── selabel_partial_match.c
│ ├── selinux_check_access.c
│ ├── selinux_check_securetty_context.c
│ ├── selinuxenabled.c
│ ├── selinuxexeccon.c
│ ├── setenforce.c
│ ├── setfilecon.c
│ ├── togglesebool.c
│ └── validatetrans.c
├── libsemanage
├── .gitignore
├── LICENSE
├── Makefile
├── VERSION
├── example
│ └── test_fcontext.c
├── include
│ ├── Makefile
│ └── semanage
│ │ ├── boolean_record.h
│ │ ├── booleans_active.h
│ │ ├── booleans_local.h
│ │ ├── booleans_policy.h
│ │ ├── context_record.h
│ │ ├── debug.h
│ │ ├── fcontext_record.h
│ │ ├── fcontexts_local.h
│ │ ├── fcontexts_policy.h
│ │ ├── handle.h
│ │ ├── ibendport_record.h
│ │ ├── ibendports_local.h
│ │ ├── ibendports_policy.h
│ │ ├── ibpkey_record.h
│ │ ├── ibpkeys_local.h
│ │ ├── ibpkeys_policy.h
│ │ ├── iface_record.h
│ │ ├── interfaces_local.h
│ │ ├── interfaces_policy.h
│ │ ├── modules.h
│ │ ├── node_record.h
│ │ ├── nodes_local.h
│ │ ├── nodes_policy.h
│ │ ├── port_record.h
│ │ ├── ports_local.h
│ │ ├── ports_policy.h
│ │ ├── semanage.h
│ │ ├── seuser_record.h
│ │ ├── seusers_local.h
│ │ ├── seusers_policy.h
│ │ ├── user_record.h
│ │ ├── users_local.h
│ │ └── users_policy.h
├── man
│ ├── Makefile
│ ├── man3
│ │ ├── semanage_bool.3
│ │ ├── semanage_bool_count.3
│ │ ├── semanage_bool_count_active.3
│ │ ├── semanage_bool_count_local.3
│ │ ├── semanage_bool_del_local.3
│ │ ├── semanage_bool_exists.3
│ │ ├── semanage_bool_exists_active.3
│ │ ├── semanage_bool_exists_local.3
│ │ ├── semanage_bool_iterate.3
│ │ ├── semanage_bool_iterate_active.3
│ │ ├── semanage_bool_iterate_local.3
│ │ ├── semanage_bool_list.3
│ │ ├── semanage_bool_list_active.3
│ │ ├── semanage_bool_list_local.3
│ │ ├── semanage_bool_modify_local.3
│ │ ├── semanage_bool_query.3
│ │ ├── semanage_bool_query_active.3
│ │ ├── semanage_bool_query_local.3
│ │ ├── semanage_bool_set_active.3
│ │ ├── semanage_count.3
│ │ ├── semanage_del.3
│ │ ├── semanage_exists.3
│ │ ├── semanage_fcontext.3
│ │ ├── semanage_fcontext_count.3
│ │ ├── semanage_fcontext_count_local.3
│ │ ├── semanage_fcontext_del_local.3
│ │ ├── semanage_fcontext_exists.3
│ │ ├── semanage_fcontext_exists_local.3
│ │ ├── semanage_fcontext_iterate.3
│ │ ├── semanage_fcontext_iterate_local.3
│ │ ├── semanage_fcontext_list.3
│ │ ├── semanage_fcontext_list_local.3
│ │ ├── semanage_fcontext_modify_local.3
│ │ ├── semanage_fcontext_query.3
│ │ ├── semanage_fcontext_query_local.3
│ │ ├── semanage_iface.3
│ │ ├── semanage_iface_count.3
│ │ ├── semanage_iface_count_local.3
│ │ ├── semanage_iface_del_local.3
│ │ ├── semanage_iface_exists.3
│ │ ├── semanage_iface_exists_local.3
│ │ ├── semanage_iface_iterate.3
│ │ ├── semanage_iface_iterate_local.3
│ │ ├── semanage_iface_list.3
│ │ ├── semanage_iface_list_local.3
│ │ ├── semanage_iface_modify_local.3
│ │ ├── semanage_iface_query.3
│ │ ├── semanage_iface_query_local.3
│ │ ├── semanage_iterate.3
│ │ ├── semanage_list.3
│ │ ├── semanage_modify.3
│ │ ├── semanage_node.3
│ │ ├── semanage_node_count.3
│ │ ├── semanage_node_count_local.3
│ │ ├── semanage_node_del_local.3
│ │ ├── semanage_node_exists.3
│ │ ├── semanage_node_exists_local.3
│ │ ├── semanage_node_iterate.3
│ │ ├── semanage_node_iterate_local.3
│ │ ├── semanage_node_list.3
│ │ ├── semanage_node_list_local.3
│ │ ├── semanage_node_modify_local.3
│ │ ├── semanage_node_query.3
│ │ ├── semanage_node_query_local.3
│ │ ├── semanage_port.3
│ │ ├── semanage_port_count.3
│ │ ├── semanage_port_count_local.3
│ │ ├── semanage_port_del_local.3
│ │ ├── semanage_port_exists.3
│ │ ├── semanage_port_exists_local.3
│ │ ├── semanage_port_iterate.3
│ │ ├── semanage_port_iterate_local.3
│ │ ├── semanage_port_list.3
│ │ ├── semanage_port_list_local.3
│ │ ├── semanage_port_modify_local.3
│ │ ├── semanage_port_query.3
│ │ ├── semanage_port_query_local.3
│ │ ├── semanage_query.3
│ │ ├── semanage_set_root.3
│ │ ├── semanage_seuser.3
│ │ ├── semanage_seuser_count.3
│ │ ├── semanage_seuser_count_local.3
│ │ ├── semanage_seuser_del_local.3
│ │ ├── semanage_seuser_exists.3
│ │ ├── semanage_seuser_exists_local.3
│ │ ├── semanage_seuser_iterate.3
│ │ ├── semanage_seuser_iterate_local.3
│ │ ├── semanage_seuser_list.3
│ │ ├── semanage_seuser_list_local.3
│ │ ├── semanage_seuser_modify_local.3
│ │ ├── semanage_seuser_query.3
│ │ ├── semanage_seuser_query_local.3
│ │ ├── semanage_user.3
│ │ ├── semanage_user_count.3
│ │ ├── semanage_user_count_local.3
│ │ ├── semanage_user_del_local.3
│ │ ├── semanage_user_exists.3
│ │ ├── semanage_user_exists_local.3
│ │ ├── semanage_user_iterate.3
│ │ ├── semanage_user_iterate_local.3
│ │ ├── semanage_user_list.3
│ │ ├── semanage_user_list_local.3
│ │ ├── semanage_user_modify_local.3
│ │ ├── semanage_user_query.3
│ │ └── semanage_user_query_local.3
│ └── man5
│ │ └── semanage.conf.5
├── src
│ ├── .gitignore
│ ├── Makefile
│ ├── boolean_internal.h
│ ├── boolean_record.c
│ ├── booleans_active.c
│ ├── booleans_activedb.c
│ ├── booleans_file.c
│ ├── booleans_local.c
│ ├── booleans_policy.c
│ ├── booleans_policydb.c
│ ├── compressed_file.c
│ ├── compressed_file.h
│ ├── conf-parse.y
│ ├── conf-scan.l
│ ├── context_record.c
│ ├── database.c
│ ├── database.h
│ ├── database_activedb.c
│ ├── database_activedb.h
│ ├── database_file.c
│ ├── database_file.h
│ ├── database_join.c
│ ├── database_join.h
│ ├── database_llist.c
│ ├── database_llist.h
│ ├── database_policydb.c
│ ├── database_policydb.h
│ ├── debug.c
│ ├── debug.h
│ ├── direct_api.c
│ ├── direct_api.h
│ ├── exception.sh
│ ├── fcontext_internal.h
│ ├── fcontext_record.c
│ ├── fcontexts_file.c
│ ├── fcontexts_local.c
│ ├── fcontexts_policy.c
│ ├── genhomedircon.c
│ ├── genhomedircon.h
│ ├── handle.c
│ ├── handle.h
│ ├── ibendport_internal.h
│ ├── ibendport_record.c
│ ├── ibendports_file.c
│ ├── ibendports_local.c
│ ├── ibendports_policy.c
│ ├── ibendports_policydb.c
│ ├── ibpkey_internal.h
│ ├── ibpkey_record.c
│ ├── ibpkeys_file.c
│ ├── ibpkeys_local.c
│ ├── ibpkeys_policy.c
│ ├── ibpkeys_policydb.c
│ ├── iface_internal.h
│ ├── iface_record.c
│ ├── interfaces_file.c
│ ├── interfaces_local.c
│ ├── interfaces_policy.c
│ ├── interfaces_policydb.c
│ ├── libsemanage.map
│ ├── libsemanage.pc.in
│ ├── modules.c
│ ├── modules.h
│ ├── node_internal.h
│ ├── node_record.c
│ ├── nodes_file.c
│ ├── nodes_local.c
│ ├── nodes_policy.c
│ ├── nodes_policydb.c
│ ├── parse_utils.c
│ ├── parse_utils.h
│ ├── policy.h
│ ├── policy_components.c
│ ├── port_internal.h
│ ├── port_record.c
│ ├── ports_file.c
│ ├── ports_local.c
│ ├── ports_policy.c
│ ├── ports_policydb.c
│ ├── pywrap-test.py
│ ├── semanage.conf
│ ├── semanage_conf.h
│ ├── semanage_store.c
│ ├── semanage_store.h
│ ├── semanageswig.i
│ ├── semanageswig_python.i
│ ├── semanageswig_python_exception.i
│ ├── semanageswig_ruby.i
│ ├── seuser_internal.h
│ ├── seuser_record.c
│ ├── seusers_file.c
│ ├── seusers_local.c
│ ├── seusers_policy.c
│ ├── sha256.c
│ ├── sha256.h
│ ├── user_base_record.c
│ ├── user_extra_record.c
│ ├── user_internal.h
│ ├── user_record.c
│ ├── users_base_file.c
│ ├── users_base_policydb.c
│ ├── users_extra_file.c
│ ├── users_join.c
│ ├── users_local.c
│ ├── users_policy.c
│ ├── utilities.c
│ └── utilities.h
├── tests
│ ├── .gitignore
│ ├── Makefile
│ ├── README
│ ├── libsemanage-tests.c
│ ├── nc_sort_malformed
│ ├── nc_sort_sorted
│ ├── nc_sort_unsorted
│ ├── test_bool.c
│ ├── test_bool.cil
│ ├── test_bool.h
│ ├── test_fcontext.c
│ ├── test_fcontext.cil
│ ├── test_fcontext.h
│ ├── test_handle.c
│ ├── test_handle.cil
│ ├── test_handle.h
│ ├── test_ibendport.c
│ ├── test_ibendport.cil
│ ├── test_ibendport.h
│ ├── test_iface.c
│ ├── test_iface.cil
│ ├── test_iface.h
│ ├── test_node.c
│ ├── test_node.cil
│ ├── test_node.h
│ ├── test_other.c
│ ├── test_other.h
│ ├── test_port.c
│ ├── test_port.cil
│ ├── test_port.h
│ ├── test_semanage_store.c
│ ├── test_semanage_store.h
│ ├── test_user.c
│ ├── test_user.cil
│ ├── test_user.h
│ ├── test_utilities.c
│ ├── test_utilities.h
│ ├── utilities.c
│ └── utilities.h
└── utils
│ ├── Makefile
│ └── semanage_migrate_store
├── libsepol
├── .gitignore
├── LICENSE
├── Makefile
├── VERSION
├── cil
│ ├── .gitignore
│ ├── include
│ │ └── cil
│ │ │ └── cil.h
│ ├── src
│ │ ├── cil.c
│ │ ├── cil_binary.c
│ │ ├── cil_binary.h
│ │ ├── cil_build_ast.c
│ │ ├── cil_build_ast.h
│ │ ├── cil_copy_ast.c
│ │ ├── cil_copy_ast.h
│ │ ├── cil_deny.c
│ │ ├── cil_deny.h
│ │ ├── cil_find.c
│ │ ├── cil_find.h
│ │ ├── cil_flavor.h
│ │ ├── cil_fqn.c
│ │ ├── cil_fqn.h
│ │ ├── cil_internal.h
│ │ ├── cil_lexer.h
│ │ ├── cil_lexer.l
│ │ ├── cil_list.c
│ │ ├── cil_list.h
│ │ ├── cil_log.c
│ │ ├── cil_log.h
│ │ ├── cil_mem.c
│ │ ├── cil_mem.h
│ │ ├── cil_parser.c
│ │ ├── cil_parser.h
│ │ ├── cil_policy.c
│ │ ├── cil_policy.h
│ │ ├── cil_post.c
│ │ ├── cil_post.h
│ │ ├── cil_reset_ast.c
│ │ ├── cil_reset_ast.h
│ │ ├── cil_resolve_ast.c
│ │ ├── cil_resolve_ast.h
│ │ ├── cil_stack.c
│ │ ├── cil_stack.h
│ │ ├── cil_strpool.c
│ │ ├── cil_strpool.h
│ │ ├── cil_symtab.c
│ │ ├── cil_symtab.h
│ │ ├── cil_tree.c
│ │ ├── cil_tree.h
│ │ ├── cil_verify.c
│ │ ├── cil_verify.h
│ │ ├── cil_write_ast.c
│ │ └── cil_write_ast.h
│ └── test
│ │ ├── integration_testing
│ │ ├── mls_policy.cil
│ │ ├── nonmls.cil
│ │ ├── nonmls.conf
│ │ ├── ordered_lists_bad1.cil
│ │ ├── ordered_lists_bad2.cil
│ │ ├── ordered_lists_bad3.cil
│ │ ├── ordered_lists_easy.cil
│ │ ├── ordered_lists_hard.cil
│ │ └── small.cil
│ │ └── unit
│ │ ├── AllTests.c
│ │ ├── CilTest.c
│ │ ├── CilTest.h
│ │ ├── CuTest.c
│ │ ├── CuTest.h
│ │ ├── test_cil.c
│ │ ├── test_cil.h
│ │ ├── test_cil_build_ast.c
│ │ ├── test_cil_build_ast.h
│ │ ├── test_cil_copy_ast.c
│ │ ├── test_cil_copy_ast.h
│ │ ├── test_cil_fqn.c
│ │ ├── test_cil_fqn.h
│ │ ├── test_cil_lexer.c
│ │ ├── test_cil_lexer.h
│ │ ├── test_cil_list.c
│ │ ├── test_cil_list.h
│ │ ├── test_cil_parser.c
│ │ ├── test_cil_parser.h
│ │ ├── test_cil_post.c
│ │ ├── test_cil_post.h
│ │ ├── test_cil_resolve_ast.c
│ │ ├── test_cil_resolve_ast.h
│ │ ├── test_cil_symtab.c
│ │ ├── test_cil_symtab.h
│ │ ├── test_cil_tree.c
│ │ ├── test_cil_tree.h
│ │ ├── test_integration.c
│ │ └── test_integration.h
├── fuzz
│ ├── binpolicy-fuzzer.c
│ ├── policy.bin
│ └── secilc-fuzzer.c
├── include
│ ├── Makefile
│ └── sepol
│ │ ├── boolean_record.h
│ │ ├── booleans.h
│ │ ├── context.h
│ │ ├── context_record.h
│ │ ├── debug.h
│ │ ├── errcodes.h
│ │ ├── handle.h
│ │ ├── ibendport_record.h
│ │ ├── ibendports.h
│ │ ├── ibpkey_record.h
│ │ ├── ibpkeys.h
│ │ ├── iface_record.h
│ │ ├── interfaces.h
│ │ ├── kernel_to_cil.h
│ │ ├── kernel_to_conf.h
│ │ ├── module.h
│ │ ├── module_to_cil.h
│ │ ├── node_record.h
│ │ ├── nodes.h
│ │ ├── policydb.h
│ │ ├── policydb
│ │ ├── avrule_block.h
│ │ ├── avtab.h
│ │ ├── conditional.h
│ │ ├── constraint.h
│ │ ├── context.h
│ │ ├── ebitmap.h
│ │ ├── expand.h
│ │ ├── flask_types.h
│ │ ├── hashtab.h
│ │ ├── hierarchy.h
│ │ ├── link.h
│ │ ├── mls_types.h
│ │ ├── module.h
│ │ ├── polcaps.h
│ │ ├── policydb.h
│ │ ├── services.h
│ │ ├── sidtab.h
│ │ ├── symtab.h
│ │ └── util.h
│ │ ├── port_record.h
│ │ ├── ports.h
│ │ ├── sepol.h
│ │ ├── user_record.h
│ │ └── users.h
├── man
│ ├── Makefile
│ ├── man3
│ │ └── sepol_check_context.3
│ └── man8
│ │ ├── chkcon.8
│ │ ├── genpolbools.8
│ │ └── genpolusers.8
├── src
│ ├── Makefile
│ ├── assertion.c
│ ├── avrule_block.c
│ ├── avtab.c
│ ├── boolean_internal.h
│ ├── boolean_record.c
│ ├── booleans.c
│ ├── conditional.c
│ ├── constraint.c
│ ├── context.c
│ ├── context.h
│ ├── context_internal.h
│ ├── context_record.c
│ ├── debug.c
│ ├── debug.h
│ ├── ebitmap.c
│ ├── expand.c
│ ├── flask.h
│ ├── handle.c
│ ├── handle.h
│ ├── hashtab.c
│ ├── hierarchy.c
│ ├── ibendport_internal.h
│ ├── ibendport_record.c
│ ├── ibendports.c
│ ├── ibpkey_internal.h
│ ├── ibpkey_record.c
│ ├── ibpkeys.c
│ ├── iface_internal.h
│ ├── iface_record.c
│ ├── interfaces.c
│ ├── kernel_to_cil.c
│ ├── kernel_to_common.c
│ ├── kernel_to_common.h
│ ├── kernel_to_conf.c
│ ├── libsepol.map.in
│ ├── libsepol.pc.in
│ ├── link.c
│ ├── mls.c
│ ├── mls.h
│ ├── module.c
│ ├── module_internal.h
│ ├── module_to_cil.c
│ ├── node_internal.h
│ ├── node_record.c
│ ├── nodes.c
│ ├── optimize.c
│ ├── polcaps.c
│ ├── policydb.c
│ ├── policydb_convert.c
│ ├── policydb_internal.h
│ ├── policydb_public.c
│ ├── policydb_validate.c
│ ├── policydb_validate.h
│ ├── port_internal.h
│ ├── port_record.c
│ ├── ports.c
│ ├── private.h
│ ├── services.c
│ ├── sidtab.c
│ ├── symtab.c
│ ├── user_internal.h
│ ├── user_record.c
│ ├── users.c
│ ├── util.c
│ └── write.c
├── tests
│ ├── .gitignore
│ ├── Makefile
│ ├── debug.c
│ ├── debug.h
│ ├── helpers.c
│ ├── helpers.h
│ ├── libsepol-tests.c
│ ├── policies
│ │ ├── .gitignore
│ │ ├── support
│ │ │ └── misc_macros.spt
│ │ ├── test-cond
│ │ │ └── refpolicy-base.conf
│ │ ├── test-deps
│ │ │ ├── base-metreq.conf
│ │ │ ├── base-notmetreq.conf
│ │ │ ├── modreq-attr-global.conf
│ │ │ ├── modreq-attr-opt.conf
│ │ │ ├── modreq-bool-global.conf
│ │ │ ├── modreq-bool-opt.conf
│ │ │ ├── modreq-obj-global.conf
│ │ │ ├── modreq-obj-opt.conf
│ │ │ ├── modreq-perm-global.conf
│ │ │ ├── modreq-perm-opt.conf
│ │ │ ├── modreq-role-global.conf
│ │ │ ├── modreq-role-opt.conf
│ │ │ ├── modreq-type-global.conf
│ │ │ ├── modreq-type-opt.conf
│ │ │ ├── module.conf
│ │ │ └── small-base.conf
│ │ ├── test-expander
│ │ │ ├── alias-base.conf
│ │ │ ├── alias-module.conf
│ │ │ ├── base-base-only.conf
│ │ │ ├── module.conf
│ │ │ ├── role-base.conf
│ │ │ ├── role-module.conf
│ │ │ ├── small-base.conf
│ │ │ ├── user-base.conf
│ │ │ └── user-module.conf
│ │ ├── test-hooks
│ │ │ ├── cmp_policy.conf
│ │ │ ├── module_add_role_allow_trans.conf
│ │ │ ├── module_add_symbols.conf
│ │ │ └── small-base.conf
│ │ ├── test-linker
│ │ │ ├── module1.conf
│ │ │ ├── module2.conf
│ │ │ └── small-base.conf
│ │ └── test-neverallow
│ │ │ ├── policy.conf
│ │ │ ├── policy_cond.conf
│ │ │ ├── policy_minus_self.conf
│ │ │ └── policy_not_self.conf
│ ├── test-common.c
│ ├── test-common.h
│ ├── test-cond.c
│ ├── test-cond.h
│ ├── test-deps.c
│ ├── test-deps.h
│ ├── test-downgrade.c
│ ├── test-downgrade.h
│ ├── test-ebitmap.c
│ ├── test-ebitmap.h
│ ├── test-expander-attr-map.c
│ ├── test-expander-attr-map.h
│ ├── test-expander-roles.c
│ ├── test-expander-roles.h
│ ├── test-expander-users.c
│ ├── test-expander-users.h
│ ├── test-expander.c
│ ├── test-expander.h
│ ├── test-linker-cond-map.c
│ ├── test-linker-cond-map.h
│ ├── test-linker-roles.c
│ ├── test-linker-roles.h
│ ├── test-linker-types.c
│ ├── test-linker-types.h
│ ├── test-linker.c
│ ├── test-linker.h
│ ├── test-neverallow.c
│ └── test-neverallow.h
└── utils
│ ├── Makefile
│ ├── chkcon.c
│ ├── sepol_check_access.c
│ ├── sepol_compute_av.c
│ ├── sepol_compute_member.c
│ ├── sepol_compute_relabel.c
│ └── sepol_validate_transition.c
├── mcstrans
├── LICENSE
├── Makefile
├── TODO
├── VERSION
├── man
│ ├── Makefile
│ ├── man5
│ │ └── setrans.conf.5
│ └── man8
│ │ ├── mcs.8
│ │ └── mcstransd.8
├── share
│ ├── examples
│ │ ├── default
│ │ │ ├── README
│ │ │ ├── default.test
│ │ │ └── setrans.conf
│ │ ├── include
│ │ │ ├── README
│ │ │ ├── default.test
│ │ │ ├── setrans.conf
│ │ │ └── setrans.d
│ │ │ │ └── include-example
│ │ ├── nato
│ │ │ ├── README
│ │ │ ├── nato.test
│ │ │ ├── setrans.conf
│ │ │ └── setrans.d
│ │ │ │ ├── constraints.conf
│ │ │ │ ├── eyes-only.conf
│ │ │ │ └── rel.conf
│ │ ├── non-mls-color
│ │ │ ├── README
│ │ │ ├── non-mls.color
│ │ │ └── secolor.conf
│ │ ├── pipes
│ │ │ ├── pipes.test
│ │ │ ├── setrans.conf
│ │ │ └── setrans.d
│ │ │ │ └── pipes.conf
│ │ ├── urcsts-via-include
│ │ │ ├── README
│ │ │ ├── secolor.conf
│ │ │ ├── setrans.conf
│ │ │ ├── setrans.d
│ │ │ │ ├── c.conf
│ │ │ │ ├── r.conf
│ │ │ │ ├── s.conf
│ │ │ │ ├── system.conf
│ │ │ │ ├── ts.conf
│ │ │ │ └── u.conf
│ │ │ ├── urcsts.color
│ │ │ └── urcsts.test
│ │ └── urcsts
│ │ │ ├── README
│ │ │ ├── secolor.conf
│ │ │ ├── setrans.conf
│ │ │ ├── urcsts.color
│ │ │ └── urcsts.test
│ └── util
│ │ ├── mlscolor-test
│ │ ├── mlstrans-test
│ │ └── try-all
├── src
│ ├── .gitignore
│ ├── Makefile
│ ├── README
│ ├── mcscolor.c
│ ├── mcscolor.h
│ ├── mcstrans.c
│ ├── mcstrans.h
│ ├── mcstrans.init
│ ├── mcstrans.service
│ ├── mcstransd.c
│ ├── mls_level.c
│ └── mls_level.h
└── utils
│ ├── .gitignore
│ ├── Makefile
│ ├── callgrind-mcstransd
│ ├── transcon.c
│ ├── untranscon.c
│ └── valgrind-mcstransd
├── policycoreutils
├── .gitignore
├── .tx
│ └── config
├── LICENSE
├── Makefile
├── VERSION
├── hll
│ ├── Makefile
│ └── pp
│ │ ├── Makefile
│ │ └── pp.c
├── load_policy
│ ├── Makefile
│ ├── load_policy.8
│ └── load_policy.c
├── man
│ ├── Makefile
│ └── man5
│ │ └── selinux_config.5
├── newrole
│ ├── Makefile
│ ├── hashtab.c
│ ├── hashtab.h
│ ├── newrole-lspp.pamd
│ ├── newrole.1
│ ├── newrole.c
│ └── newrole.pamd
├── po
│ ├── Makefile
│ ├── POTFILES
│ ├── af.po
│ ├── aln.po
│ ├── am.po
│ ├── ar.po
│ ├── as.po
│ ├── ast.po
│ ├── az.po
│ ├── bal.po
│ ├── be.po
│ ├── bg.po
│ ├── bn.po
│ ├── bn_BD.po
│ ├── bn_IN.po
│ ├── bo.po
│ ├── br.po
│ ├── brx.po
│ ├── bs.po
│ ├── ca.po
│ ├── cs.po
│ ├── cy.po
│ ├── da.po
│ ├── de.po
│ ├── de_CH.po
│ ├── dz.po
│ ├── el.po
│ ├── en_GB.po
│ ├── eo.po
│ ├── es.po
│ ├── es_MX.po
│ ├── et.po
│ ├── eu.po
│ ├── fa.po
│ ├── fi.po
│ ├── fr.po
│ ├── ga.po
│ ├── gl.po
│ ├── gu.po
│ ├── he.po
│ ├── hi.po
│ ├── hr.po
│ ├── hu.po
│ ├── hy.po
│ ├── ia.po
│ ├── id.po
│ ├── ilo.po
│ ├── is.po
│ ├── it.po
│ ├── ja.po
│ ├── ka.po
│ ├── kk.po
│ ├── km.po
│ ├── kn.po
│ ├── ko.po
│ ├── ks.po
│ ├── ku.po
│ ├── ky.po
│ ├── la.po
│ ├── lo.po
│ ├── lt.po
│ ├── lt_LT.po
│ ├── lv.po
│ ├── lv_LV.po
│ ├── mai.po
│ ├── mg.po
│ ├── mk.po
│ ├── ml.po
│ ├── mn.po
│ ├── mr.po
│ ├── ms.po
│ ├── my.po
│ ├── nb.po
│ ├── nds.po
│ ├── ne.po
│ ├── nl.po
│ ├── nn.po
│ ├── nso.po
│ ├── or.po
│ ├── pa.po
│ ├── pl.po
│ ├── policycoreutils.pot
│ ├── pt.po
│ ├── pt_BR.po
│ ├── ro.po
│ ├── ru.po
│ ├── si.po
│ ├── si_LK.po
│ ├── sk.po
│ ├── sl.po
│ ├── sq.po
│ ├── sr.po
│ ├── sr@latin.po
│ ├── sv.po
│ ├── ta.po
│ ├── te.po
│ ├── tg.po
│ ├── th.po
│ ├── tl.po
│ ├── tr.po
│ ├── uk.po
│ ├── ur.po
│ ├── vi.po
│ ├── vi_VN.po
│ ├── wo.po
│ ├── xh.po
│ ├── zh_CN.GB2312.po
│ ├── zh_CN.po
│ ├── zh_HK.po
│ ├── zh_TW.Big5.po
│ ├── zh_TW.po
│ └── zu.po
├── run_init
│ ├── Makefile
│ ├── open_init_pty.8
│ ├── open_init_pty.c
│ ├── run_init.8
│ ├── run_init.c
│ └── run_init.pamd
├── scripts
│ ├── .gitignore
│ ├── Makefile
│ ├── fixfiles
│ └── fixfiles.8
├── secon
│ ├── Makefile
│ ├── secon.1
│ └── secon.c
├── semodule
│ ├── .gitignore
│ ├── Makefile
│ ├── genhomedircon.8
│ ├── semodule.8
│ └── semodule.c
├── sestatus
│ ├── Makefile
│ ├── sestatus.8
│ ├── sestatus.c
│ ├── sestatus.conf
│ └── sestatus.conf.5
├── setfiles
│ ├── Makefile
│ ├── restore.c
│ ├── restore.h
│ ├── restorecon.8
│ ├── restorecon_xattr.8
│ ├── restorecon_xattr.c
│ ├── setfiles.8
│ └── setfiles.c
├── setsebool
│ ├── Makefile
│ ├── setsebool-bash-completion.sh
│ ├── setsebool.8
│ └── setsebool.c
└── unsetfiles
│ ├── Makefile
│ ├── unsetfiles.1
│ └── unsetfiles.c
├── python
├── LICENSE
├── Makefile
├── VERSION
├── audit2allow
│ ├── .gitignore
│ ├── Makefile
│ ├── audit2allow
│ ├── audit2allow.1
│ ├── audit2why
│ ├── audit2why.1
│ ├── sepolgen-ifgen
│ ├── sepolgen-ifgen-attr-helper.c
│ ├── test.log
│ ├── test_audit2allow.py
│ └── test_dummy_policy.cil
├── chcat
│ ├── Makefile
│ ├── chcat
│ └── chcat.8
├── po
│ ├── Makefile
│ ├── POTFILES
│ ├── af.po
│ ├── am.po
│ ├── ar.po
│ ├── as.po
│ ├── ast.po
│ ├── bal.po
│ ├── be.po
│ ├── bg.po
│ ├── bn.po
│ ├── bn_IN.po
│ ├── br.po
│ ├── brx.po
│ ├── bs.po
│ ├── ca.po
│ ├── cs.po
│ ├── cy.po
│ ├── da.po
│ ├── de.po
│ ├── de_CH.po
│ ├── el.po
│ ├── en_GB.po
│ ├── eo.po
│ ├── es.po
│ ├── et.po
│ ├── eu.po
│ ├── fa.po
│ ├── fi.po
│ ├── fil.po
│ ├── fr.po
│ ├── fur.po
│ ├── ga.po
│ ├── gl.po
│ ├── gu.po
│ ├── he.po
│ ├── hi.po
│ ├── hr.po
│ ├── hu.po
│ ├── ia.po
│ ├── id.po
│ ├── ilo.po
│ ├── is.po
│ ├── it.po
│ ├── ja.po
│ ├── ka.po
│ ├── kk.po
│ ├── km.po
│ ├── kn.po
│ ├── ko.po
│ ├── ky.po
│ ├── lt.po
│ ├── lv.po
│ ├── mai.po
│ ├── mk.po
│ ├── ml.po
│ ├── mn.po
│ ├── mr.po
│ ├── ms.po
│ ├── my.po
│ ├── nb.po
│ ├── nds.po
│ ├── ne.po
│ ├── nl.po
│ ├── nn.po
│ ├── nso.po
│ ├── or.po
│ ├── pa.po
│ ├── pl.po
│ ├── pt.po
│ ├── pt_BR.po
│ ├── python.pot
│ ├── ro.po
│ ├── ru.po
│ ├── si.po
│ ├── sk.po
│ ├── sl.po
│ ├── sq.po
│ ├── sr.po
│ ├── sr@latin.po
│ ├── sv.po
│ ├── ta.po
│ ├── te.po
│ ├── tg.po
│ ├── th.po
│ ├── tr.po
│ ├── uk.po
│ ├── ur.po
│ ├── vi.po
│ ├── zh_CN.po
│ ├── zh_HK.po
│ ├── zh_TW.po
│ └── zu.po
├── semanage
│ ├── Makefile
│ ├── semanage
│ ├── semanage-bash-completion.sh
│ ├── semanage-boolean.8
│ ├── semanage-dontaudit.8
│ ├── semanage-export.8
│ ├── semanage-fcontext.8
│ ├── semanage-ibendport.8
│ ├── semanage-ibpkey.8
│ ├── semanage-import.8
│ ├── semanage-interface.8
│ ├── semanage-login.8
│ ├── semanage-module.8
│ ├── semanage-node.8
│ ├── semanage-permissive.8
│ ├── semanage-port.8
│ ├── semanage-user.8
│ ├── semanage.8
│ ├── seobject.py
│ └── test-semanage.py
├── sepolgen
│ ├── HACKING
│ ├── LICENSE
│ ├── Makefile
│ ├── VERSION
│ ├── src
│ │ ├── Makefile
│ │ ├── sepolgen
│ │ │ ├── Makefile
│ │ │ ├── __init__.py
│ │ │ ├── access.py
│ │ │ ├── audit.py
│ │ │ ├── classperms.py
│ │ │ ├── defaults.py
│ │ │ ├── interfaces.py
│ │ │ ├── lex.py
│ │ │ ├── matching.py
│ │ │ ├── module.py
│ │ │ ├── objectmodel.py
│ │ │ ├── output.py
│ │ │ ├── policygen.py
│ │ │ ├── refparser.py
│ │ │ ├── refpolicy.py
│ │ │ ├── sepolgeni18n.py
│ │ │ ├── util.py
│ │ │ └── yacc.py
│ │ └── share
│ │ │ ├── Makefile
│ │ │ └── perm_map
│ └── tests
│ │ ├── .gitignore
│ │ ├── Makefile
│ │ ├── audit.txt
│ │ ├── module_compile_test.te
│ │ ├── perm_map
│ │ ├── run-tests.py
│ │ ├── test_access.py
│ │ ├── test_audit.py
│ │ ├── test_data
│ │ ├── audit.log
│ │ ├── httpd.log
│ │ └── short.log
│ │ ├── test_interfaces.py
│ │ ├── test_matching.py
│ │ ├── test_module.py
│ │ ├── test_objectmodel.py
│ │ ├── test_policygen.py
│ │ ├── test_refparser.py
│ │ └── test_refpolicy.py
└── sepolicy
│ ├── .gitignore
│ ├── Makefile
│ ├── sepolgen.8
│ ├── sepolicy-bash-completion.sh
│ ├── sepolicy-booleans.8
│ ├── sepolicy-communicate.8
│ ├── sepolicy-generate.8
│ ├── sepolicy-gui.8
│ ├── sepolicy-interface.8
│ ├── sepolicy-manpage.8
│ ├── sepolicy-network.8
│ ├── sepolicy-transition.8
│ ├── sepolicy.8
│ ├── sepolicy.py
│ ├── sepolicy
│ ├── __init__.py
│ ├── booleans.py
│ ├── communicate.py
│ ├── generate.py
│ ├── gui.py
│ ├── help
│ │ ├── __init__.py
│ │ ├── booleans.png
│ │ ├── booleans.txt
│ │ ├── booleans_more.png
│ │ ├── booleans_more.txt
│ │ ├── booleans_more_show.png
│ │ ├── booleans_more_show.txt
│ │ ├── booleans_toggled.png
│ │ ├── booleans_toggled.txt
│ │ ├── file_equiv.png
│ │ ├── file_equiv.txt
│ │ ├── files_apps.png
│ │ ├── files_apps.txt
│ │ ├── files_exec.png
│ │ ├── files_exec.txt
│ │ ├── files_write.png
│ │ ├── files_write.txt
│ │ ├── lockdown.png
│ │ ├── lockdown.txt
│ │ ├── lockdown_permissive.png
│ │ ├── lockdown_permissive.txt
│ │ ├── lockdown_ptrace.png
│ │ ├── lockdown_ptrace.txt
│ │ ├── lockdown_unconfined.png
│ │ ├── lockdown_unconfined.txt
│ │ ├── login.png
│ │ ├── login.txt
│ │ ├── login_default.png
│ │ ├── login_default.txt
│ │ ├── ports_inbound.png
│ │ ├── ports_inbound.txt
│ │ ├── ports_outbound.png
│ │ ├── ports_outbound.txt
│ │ ├── start.png
│ │ ├── start.txt
│ │ ├── system.png
│ │ ├── system.txt
│ │ ├── system_boot_mode.png
│ │ ├── system_boot_mode.txt
│ │ ├── system_current_mode.png
│ │ ├── system_current_mode.txt
│ │ ├── system_export.png
│ │ ├── system_export.txt
│ │ ├── system_policy_type.png
│ │ ├── system_policy_type.txt
│ │ ├── system_relabel.png
│ │ ├── system_relabel.txt
│ │ ├── transition_file.png
│ │ ├── transition_file.txt
│ │ ├── transition_from.png
│ │ ├── transition_from.txt
│ │ ├── transition_from_boolean.png
│ │ ├── transition_from_boolean.txt
│ │ ├── transition_from_boolean_1.png
│ │ ├── transition_from_boolean_1.txt
│ │ ├── transition_from_boolean_2.png
│ │ ├── transition_from_boolean_2.txt
│ │ ├── transition_to.png
│ │ ├── transition_to.txt
│ │ ├── users.png
│ │ └── users.txt
│ ├── interface.py
│ ├── manpage.py
│ ├── network.py
│ ├── sedbus.py
│ ├── sepolicy.glade
│ ├── templates
│ │ ├── __init__.py
│ │ ├── boolean.py
│ │ ├── etc_rw.py
│ │ ├── executable.py
│ │ ├── network.py
│ │ ├── rw.py
│ │ ├── script.py
│ │ ├── semodule.py
│ │ ├── spec.py
│ │ ├── test_module.py
│ │ ├── tmp.py
│ │ ├── unit_file.py
│ │ ├── user.py
│ │ ├── var_cache.py
│ │ ├── var_lib.py
│ │ ├── var_log.py
│ │ ├── var_run.py
│ │ └── var_spool.py
│ └── transition.py
│ ├── setup.py
│ └── test_sepolicy.py
├── restorecond
├── .gitignore
├── LICENSE
├── Makefile
├── VERSION
├── org.selinux.Restorecond.service
├── restore.c
├── restore.h
├── restorecond.8
├── restorecond.c
├── restorecond.conf
├── restorecond.desktop
├── restorecond.h
├── restorecond.init
├── restorecond.service
├── restorecond_user.conf
├── restorecond_user.service
├── stringslist.c
├── stringslist.h
├── user.c
├── utmpwatcher.c
├── utmpwatcher.h
└── watch.c
├── sandbox
├── .gitignore
├── LICENSE
├── Makefile
├── VERSION
├── po
│ ├── Makefile
│ ├── POTFILES
│ ├── cs.po
│ ├── da.po
│ ├── de.po
│ ├── es.po
│ ├── fi.po
│ ├── fr.po
│ ├── hu.po
│ ├── it.po
│ ├── ja.po
│ ├── ka.po
│ ├── ko.po
│ ├── nl.po
│ ├── pl.po
│ ├── pt_BR.po
│ ├── ru.po
│ ├── sandbox.pot
│ ├── si.po
│ ├── sv.po
│ ├── tr.po
│ ├── uk.po
│ ├── zh_CN.po
│ └── zh_TW.po
├── sandbox
├── sandbox.5
├── sandbox.8
├── sandbox.conf
├── sandbox.config
├── sandbox.init
├── sandboxX.sh
├── seunshare.8
├── seunshare.c
├── start
└── test_sandbox.py
├── scripts
├── .gitignore
├── Lindent
├── env_use_destdir
├── make-update
├── oss-fuzz.sh
├── release
├── run-flake8
└── run-scan-build
├── secilc
├── .gitignore
├── LICENSE
├── Makefile
├── README
├── VERSION
├── docs
│ ├── Makefile
│ ├── README.md
│ ├── cil_access_vector_rules.md
│ ├── cil_call_macro_statements.md
│ ├── cil_class_and_permission_statements.md
│ ├── cil_conditional_statements.md
│ ├── cil_constraint_statements.md
│ ├── cil_container_statements.md
│ ├── cil_context_statement.md
│ ├── cil_default_object_statements.md
│ ├── cil_design.dia
│ ├── cil_design.jpeg
│ ├── cil_file_labeling_statements.md
│ ├── cil_infiniband_statements.md
│ ├── cil_introduction.md
│ ├── cil_mls_labeling_statements.md
│ ├── cil_network_labeling_statements.md
│ ├── cil_policy_config_statements.md
│ ├── cil_reference_guide.md
│ ├── cil_role_statements.md
│ ├── cil_sid_statements.md
│ ├── cil_type_statements.md
│ ├── cil_user_statements.md
│ ├── cil_xen_statements.md
│ ├── secil.xml
│ └── theme.theme
├── secil2conf.8.xml
├── secil2conf.c
├── secil2tree.8.xml
├── secil2tree.c
├── secilc.8.xml
├── secilc.c
└── test
│ ├── anonymous_arg_test.cil
│ ├── block_test.cil
│ ├── bounds.cil
│ ├── deny_rule_test1.cil
│ ├── deny_rule_test2.cil
│ ├── in_test.cil
│ ├── integration.cil
│ ├── minimum.cil
│ ├── name_resolution_test.cil
│ ├── neverallow.cil
│ ├── notself_and_other.cil
│ ├── opt-expected.cil
│ ├── opt-input.cil
│ ├── optional_test.cil
│ └── policy.cil
├── semodule-utils
├── .gitignore
├── LICENSE
├── Makefile
├── VERSION
├── semodule_expand
│ ├── Makefile
│ ├── semodule_expand.8
│ └── semodule_expand.c
├── semodule_link
│ ├── Makefile
│ ├── semodule_link.8
│ └── semodule_link.c
└── semodule_package
│ ├── Makefile
│ ├── semodule_package.8
│ ├── semodule_package.c
│ ├── semodule_unpackage.8
│ └── semodule_unpackage.c
└── tmt
└── plans.fmf
/.fmf/version:
--------------------------------------------------------------------------------
1 | 1
2 |
--------------------------------------------------------------------------------
/.github/workflows/tf_testsuite.yml:
--------------------------------------------------------------------------------
1 | name: Run SELinux testsuite in Testing Farm
2 |
3 | on: [push, pull_request]
4 |
5 | jobs:
6 | tf_testsuite:
7 | runs-on: ubuntu-latest
8 | strategy:
9 | fail-fast: false
10 | matrix:
11 | arch: [x86_64, aarch64]
12 | steps:
13 | - name: Schedule test on Testing Farm
14 | uses: sclorg/testing-farm-as-github-action@main  # NOTE(review): mutable branch ref on a step that is handed a secret; pin to a reviewed full commit SHA
15 | with:
16 | api_key: ${{ secrets.TESTING_FARM_API_TOKEN }}  # NOTE(review): workflow also triggers on pull_request; secrets are normally withheld from fork PRs, so confirm the expected behaviour there
17 | arch: ${{ matrix.arch }}
18 |
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 | # Note: use "git ls-files -i --exclude-standard" to make sure
2 | # no tracked files are ignored as a result of any changes.
3 |
4 | # Object files
5 | *.o
6 | *.lo
7 | *.so
8 | *.so.[0-9]
9 | *.a
10 | *.s
11 | *.mo
12 | *.pc
13 |
14 | # Misc
15 | *.patch
16 | *.gz
17 | *~
18 | *.orig
19 | *.rej
20 | *.pyc
21 | *.pyo
22 | cscope.*
23 | .#*
24 | \#*
25 | .*.swp
26 | # Failsafes
27 | !.gitignore
28 |
--------------------------------------------------------------------------------
/CleanSpec.mk:
--------------------------------------------------------------------------------
1 | # This empty CleanSpec.mk file will prevent the build system
2 | # from descending into subdirs.
3 |
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
1 | The SELinux userspace tool and library repository contains a number of
2 | different tools and libraries which each carry their own licensing
3 | information. In each tool and library subdirectory look for a LICENSE
4 | file which contains the license information for that portion of the
5 | repository.
6 |
--------------------------------------------------------------------------------
/VERSION:
--------------------------------------------------------------------------------
1 | 3.8.1
2 |
--------------------------------------------------------------------------------
/checkpolicy/.gitignore:
--------------------------------------------------------------------------------
1 | checkmodule
2 | checkpolicy
3 | lex.yy.c
4 | y.tab.c
5 | y.tab.h
6 | tests/testpol.bin
7 | tests/testpol.conf
8 |
--------------------------------------------------------------------------------
/checkpolicy/VERSION:
--------------------------------------------------------------------------------
1 | 3.8.1
2 |
--------------------------------------------------------------------------------
/checkpolicy/test/.gitignore:
--------------------------------------------------------------------------------
1 | dismod
2 | dispol
3 |
--------------------------------------------------------------------------------
/checkpolicy/test/Makefile:
--------------------------------------------------------------------------------
1 | #
2 | # Makefile for building the dispol and dismod programs
3 | #
4 | CFLAGS ?= -g -Wall -W -Werror -O2
5 |
6 | # If no specific libsepol.a is specified, fall back on LDFLAGS search path
7 | # Otherwise, as $(LIBSEPOLA) already appears in the dependencies, there
8 | # is no need to define a value for LDLIBS_LIBSEPOLA
9 | ifeq ($(LIBSEPOLA),)
10 | LDLIBS_LIBSEPOLA := -l:libsepol.a
11 | endif
12 |
13 | all: dispol dismod
14 |
15 | dispol: dispol.o $(LIBSEPOLA)
16 | $(CC) $(CPPFLAGS) $(CFLAGS) $(LDFLAGS) -o $@ $^ $(LDLIBS_LIBSEPOLA)
17 |
18 | dismod: dismod.o $(LIBSEPOLA)
19 | $(CC) $(CPPFLAGS) $(CFLAGS) $(LDFLAGS) -o $@ $^ $(LDLIBS_LIBSEPOLA)
20 |
21 | clean:
22 | -rm -f dispol dismod *.o
23 |
--------------------------------------------------------------------------------
/checkpolicy/tests/policy_minimal.conf:
--------------------------------------------------------------------------------
1 | # handle_unknown deny
2 | class CLASS1
3 | sid kernel
4 | class CLASS1 { PERM1 }
5 | type TYPE1;
6 | allow TYPE1 self:CLASS1 { PERM1 };
7 | role ROLE1;
8 | role ROLE1 types { TYPE1 };
9 | user USER1 roles ROLE1;
10 | sid kernel USER1:ROLE1:TYPE1
11 |
--------------------------------------------------------------------------------
/checkpolicy/tests/policy_minimal_mls.conf:
--------------------------------------------------------------------------------
1 | # handle_unknown deny
2 | class CLASS1
3 | sid kernel
4 | class CLASS1 { PERM1 }
5 | sensitivity s0;
6 | dominance { s0 }
7 | category c0;
8 | level s0:c0;
9 | mlsconstrain CLASS1 { PERM1 } l1 == l2;
10 | type TYPE1;
11 | allow TYPE1 self:CLASS1 { PERM1 };
12 | role ROLE1;
13 | role ROLE1 types { TYPE1 };
14 | user USER1 roles ROLE1 level s0 range s0 - s0:c0;
15 | sid kernel USER1:ROLE1:TYPE1:s0 - s0
16 |
--------------------------------------------------------------------------------
/dbus/Makefile:
--------------------------------------------------------------------------------
1 | PREFIX ?= /usr
2 |
3 | all:
4 |
5 | clean:
6 |
7 | install:
8 | -mkdir -p $(DESTDIR)/etc/dbus-1/system.d/
9 | install -m 644 org.selinux.conf $(DESTDIR)/etc/dbus-1/system.d/
10 | -mkdir -p $(DESTDIR)$(PREFIX)/share/dbus-1/system-services
11 | install -m 644 org.selinux.service $(DESTDIR)$(PREFIX)/share/dbus-1/system-services
12 | -mkdir -p $(DESTDIR)$(PREFIX)/share/polkit-1/actions/
13 | install -m 644 org.selinux.policy $(DESTDIR)$(PREFIX)/share/polkit-1/actions/
14 | -mkdir -p $(DESTDIR)$(PREFIX)/share/system-config-selinux
15 | install -m 755 selinux_server.py $(DESTDIR)$(PREFIX)/share/system-config-selinux
16 |
17 | relabel:
18 |
19 | test:
20 |
--------------------------------------------------------------------------------
/dbus/VERSION:
--------------------------------------------------------------------------------
1 | 3.8.1
2 |
--------------------------------------------------------------------------------
/dbus/org.selinux.conf:
--------------------------------------------------------------------------------
1 |
2 |
3 |
6 |
7 |
8 |
9 |
10 |
11 |
12 |
13 |
15 |
16 |
17 |
18 |
19 |
20 |
--------------------------------------------------------------------------------
/dbus/org.selinux.service:
--------------------------------------------------------------------------------
1 | [D-BUS Service]
2 | Name=org.selinux
3 | Exec=/usr/share/system-config-selinux/selinux_server.py
4 | User=root
5 |
--------------------------------------------------------------------------------
/gui/VERSION:
--------------------------------------------------------------------------------
1 | 3.8.1
2 |
--------------------------------------------------------------------------------
/gui/po/POTFILES:
--------------------------------------------------------------------------------
1 | ../booleansPage.py
2 | ../domainsPage.py
3 | ../fcontextPage.py
4 | ../loginsPage.py
5 | ../modulesPage.py
6 | ../org.selinux.config.policy
7 | ../polgengui.py
8 | ../polgen.ui
9 | ../portsPage.py
10 | ../selinux-polgengui.desktop
11 | ../semanagePage.py
12 | ../sepolicy.desktop
13 | ../statusPage.py
14 | ../system-config-selinux.desktop
15 | ../system-config-selinux.py
16 | ../system-config-selinux.ui
17 | ../usersPage.py
18 |
--------------------------------------------------------------------------------
/gui/selinux-polgengui.8:
--------------------------------------------------------------------------------
1 | .TH "selinux-polgengui" "8" "8 April 2013" "System Config Tools Manual" "System Config Tools Manual"
2 |
3 | .SH NAME
4 | selinux\-polgengui \- SELinux Policy Generation Tool
5 |
6 | .SH SYNOPSIS
7 | .B selinux-polgengui
8 |
9 | .SH DESCRIPTION
10 | \fBselinux-polgengui\fP is a graphical tool, which can be used to create a framework for building SELinux Policy.
11 | .SH OPTIONS
12 | None
13 |
14 | .SH FILES
15 | \fI/usr/bin/selinux-polgengui\fP
16 |
17 | .SH Examples
18 | To run the program type:
19 |
20 | selinux-polgengui
21 |
22 | .PP
23 | .SH "SEE ALSO"
24 | .TP
25 | selinux(1), sepolicy(8), sepolicy-generate(8)
26 | .PP
27 |
28 | .SH REPORTING BUGS
29 | Report bugs to .
30 |
31 | .SH LICENSE AND AUTHORS
32 | \fBselinux-polgengui\fP is licensed under the GNU General Public License and
33 | is copyrighted by Red Hat, Inc.
34 | .br
35 | This man page was written by Daniel Walsh
36 |
--------------------------------------------------------------------------------
/gui/sepolgen:
--------------------------------------------------------------------------------
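1 | #!/bin/sh
2 | sepolicy generate "$@"  # "$@" forwards each argument intact; unquoted $* would re-split on whitespace and glob-expand them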
3 |
--------------------------------------------------------------------------------
/gui/sepolicy.desktop:
--------------------------------------------------------------------------------
1 | [Desktop Entry]
2 | Name=SELinux Policy Management Tool
3 | Comment=Generate SELinux policy modules
4 | Icon=sepolicy
5 | Exec=/usr/bin/sepolicy gui
6 | Type=Application
7 | Terminal=false
8 | Categories=System;Security;
9 | X-Desktop-File-Install-Version=0.2
10 | Keywords=policy;security;selinux;avc;permission;mac;
11 |
--------------------------------------------------------------------------------
/gui/sepolicy_16.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/fedora-selinux/selinux/4a078ef23bcd87f8df9f024208ec61d21986b527/gui/sepolicy_16.png
--------------------------------------------------------------------------------
/gui/sepolicy_22.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/fedora-selinux/selinux/4a078ef23bcd87f8df9f024208ec61d21986b527/gui/sepolicy_22.png
--------------------------------------------------------------------------------
/gui/sepolicy_256.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/fedora-selinux/selinux/4a078ef23bcd87f8df9f024208ec61d21986b527/gui/sepolicy_256.png
--------------------------------------------------------------------------------
/gui/sepolicy_32.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/fedora-selinux/selinux/4a078ef23bcd87f8df9f024208ec61d21986b527/gui/sepolicy_32.png
--------------------------------------------------------------------------------
/gui/sepolicy_48.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/fedora-selinux/selinux/4a078ef23bcd87f8df9f024208ec61d21986b527/gui/sepolicy_48.png
--------------------------------------------------------------------------------
/gui/system-config-selinux:
--------------------------------------------------------------------------------
1 | #!/bin/sh
2 |
3 | exec /usr/bin/pkexec /usr/share/system-config-selinux/system-config-selinux.py  # replaces this shell with pkexec running the GUI script; arguments given to this wrapper are not passed on
4 |
--------------------------------------------------------------------------------
/gui/system-config-selinux.8:
--------------------------------------------------------------------------------
1 | .TH "system-config-selinux" "8" "8 April 2013" "System Config Tools Manual" "System Config Tools Manual"
2 |
3 | .SH NAME
4 | system\-config\-selinux \- SELinux Management tool
5 |
6 | .SH SYNOPSIS
7 | .B system-config-selinux
8 |
9 | .SH DESCRIPTION
10 | \fBsystem-config-selinux\fP provides a graphical interface for managing the
11 | SELinux configuration.
12 |
13 | .SH OPTIONS
14 | None
15 |
16 | .SH FILES
17 | \fI/usr/bin/system-config-selinux\fP
18 |
19 | .SH Examples
20 | To run the program type:
21 |
22 | system-config-selinux
23 |
24 | .PP
25 | .SH "SEE ALSO"
26 | .TP
27 | selinux(1), semanage(8)
28 | .PP
29 |
30 | .SH REPORTING BUGS
31 | Report bugs to .
32 |
33 | .SH LICENSE AND AUTHORS
34 | \fBsystem-config-selinux\fP is licensed under the GNU General Public License and
35 | is copyrighted by Red Hat, Inc.
36 | .br
37 | This man page was written by Daniel Walsh
38 |
--------------------------------------------------------------------------------
/gui/system-config-selinux.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/fedora-selinux/selinux/4a078ef23bcd87f8df9f024208ec61d21986b527/gui/system-config-selinux.png
--------------------------------------------------------------------------------
/libselinux/VERSION:
--------------------------------------------------------------------------------
1 | 3.8.1
2 |
--------------------------------------------------------------------------------
/libselinux/fuzz/input:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/fedora-selinux/selinux/4a078ef23bcd87f8df9f024208ec61d21986b527/libselinux/fuzz/input
--------------------------------------------------------------------------------
/libselinux/include/Makefile:
--------------------------------------------------------------------------------
1 | # Installation directories.
2 | PREFIX ?= /usr
3 | INCDIR = $(PREFIX)/include/selinux
4 |
5 | all:
6 |
7 | install: all
8 | test -d $(DESTDIR)$(INCDIR) || install -m 755 -d $(DESTDIR)$(INCDIR)
9 | install -m 644 $(wildcard selinux/*.h) $(DESTDIR)$(INCDIR)
10 |
11 | relabel:
12 |
13 | indent:
14 | ../../scripts/Lindent $(wildcard selinux/*.h)
15 |
16 | distclean clean:
17 | -rm -f selinux/*~
18 |
19 |
--------------------------------------------------------------------------------
/libselinux/include/selinux/get_default_type.h:
--------------------------------------------------------------------------------
1 | /* get_default_type.h - contains header information and function prototypes
2 | * for functions to get the default type for a role
3 | */
4 |
5 | #ifndef _SELINUX_GET_DEFAULT_TYPE_H_
6 | #define _SELINUX_GET_DEFAULT_TYPE_H_
7 |
8 | #ifdef __cplusplus
9 | extern "C" {
10 | #endif
11 |
12 | /* Return path to default type file. */
13 | extern const char *selinux_default_type_path(void);
14 |
15 | /* Look up the default type (domain) for 'role' and store it in '*type'.
16 |    The caller owns the stored string and must release it with free().
17 |    Return 0 on success or -1 otherwise ('*type' on failure is not specified here; TODO confirm). */
18 | extern int get_default_type(const char *role, char **type);
19 |
20 | #ifdef __cplusplus
21 | }
22 | #endif
23 | #endif /* ifndef _SELINUX_GET_DEFAULT_TYPE_H_ */
24 |
--------------------------------------------------------------------------------
/libselinux/man/man3/avc_audit.3:
--------------------------------------------------------------------------------
1 | .so man3/avc_has_perm.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/avc_av_stats.3:
--------------------------------------------------------------------------------
1 | .so man3/avc_cache_stats.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/avc_cleanup.3:
--------------------------------------------------------------------------------
1 | .so man3/avc_open.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/avc_compute_member.3:
--------------------------------------------------------------------------------
1 | .so man3/avc_compute_create.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/avc_destroy.3:
--------------------------------------------------------------------------------
1 | .so man3/avc_open.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/avc_entry_ref_init.3:
--------------------------------------------------------------------------------
1 | .so man3/avc_has_perm.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/avc_get_initial_context.3:
--------------------------------------------------------------------------------
1 | .so man3/avc_context_to_sid.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/avc_get_initial_sid.3:
--------------------------------------------------------------------------------
1 | .so man3/avc_context_to_sid.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/avc_has_perm_noaudit.3:
--------------------------------------------------------------------------------
1 | .so man3/avc_has_perm.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/avc_netlink_acquire_fd.3:
--------------------------------------------------------------------------------
1 | .so man3/avc_netlink_loop.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/avc_netlink_check_nb.3:
--------------------------------------------------------------------------------
1 | .so man3/avc_netlink_loop.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/avc_netlink_close.3:
--------------------------------------------------------------------------------
1 | .so man3/avc_netlink_loop.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/avc_netlink_open.3:
--------------------------------------------------------------------------------
1 | .so man3/avc_netlink_loop.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/avc_netlink_release_fd.3:
--------------------------------------------------------------------------------
1 | .so man3/avc_netlink_loop.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/avc_reset.3:
--------------------------------------------------------------------------------
1 | .so man3/avc_open.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/avc_sid_stats.3:
--------------------------------------------------------------------------------
1 | .so man3/avc_cache_stats.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/avc_sid_to_context.3:
--------------------------------------------------------------------------------
1 | .so man3/avc_context_to_sid.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/checkPasswdAccess.3:
--------------------------------------------------------------------------------
1 | .so man3/security_compute_av.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/context_free.3:
--------------------------------------------------------------------------------
1 | .so man3/context_new.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/context_range_get.3:
--------------------------------------------------------------------------------
1 | .so man3/context_new.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/context_range_set.3:
--------------------------------------------------------------------------------
1 | .so man3/context_new.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/context_role_get.3:
--------------------------------------------------------------------------------
1 | .so man3/context_new.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/context_role_set.3:
--------------------------------------------------------------------------------
1 | .so man3/context_new.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/context_str.3:
--------------------------------------------------------------------------------
1 | .so man3/context_new.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/context_type_get.3:
--------------------------------------------------------------------------------
1 | .so man3/context_new.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/context_type_set.3:
--------------------------------------------------------------------------------
1 | .so man3/context_new.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/context_user_get.3:
--------------------------------------------------------------------------------
1 | .so man3/context_new.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/context_user_set.3:
--------------------------------------------------------------------------------
1 | .so man3/context_new.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/fgetfilecon.3:
--------------------------------------------------------------------------------
1 | .so man3/getfilecon.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/fgetfilecon_raw.3:
--------------------------------------------------------------------------------
1 | .so man3/getfilecon.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/fini_selinuxmnt.3:
--------------------------------------------------------------------------------
1 | .so man3/init_selinuxmnt.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/freecon.3:
--------------------------------------------------------------------------------
1 | .so man3/getcon.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/freeconary.3:
--------------------------------------------------------------------------------
1 | .so man3/getcon.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/fsetfilecon.3:
--------------------------------------------------------------------------------
1 | .so man3/setfilecon.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/fsetfilecon_raw.3:
--------------------------------------------------------------------------------
1 | .so man3/setfilecon.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/get_default_context.3:
--------------------------------------------------------------------------------
1 | .so man3/get_ordered_context_list.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/get_default_context_with_level.3:
--------------------------------------------------------------------------------
1 | .so man3/get_ordered_context_list.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/get_default_context_with_role.3:
--------------------------------------------------------------------------------
1 | .so man3/get_ordered_context_list.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/get_default_context_with_rolelevel.3:
--------------------------------------------------------------------------------
1 | .so man3/get_ordered_context_list.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/get_default_type.3:
--------------------------------------------------------------------------------
1 | .so man3/get_ordered_context_list.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/get_ordered_context_list_with_level.3:
--------------------------------------------------------------------------------
1 | .so man3/get_ordered_context_list.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/getcon_raw.3:
--------------------------------------------------------------------------------
1 | .so man3/getcon.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/getexeccon_raw.3:
--------------------------------------------------------------------------------
1 | .so man3/getexeccon.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/getfilecon_raw.3:
--------------------------------------------------------------------------------
1 | .so man3/getfilecon.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/getfscreatecon_raw.3:
--------------------------------------------------------------------------------
1 | .so man3/getfscreatecon.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/getkeycreatecon_raw.3:
--------------------------------------------------------------------------------
1 | .so man3/getkeycreatecon.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/getpeercon.3:
--------------------------------------------------------------------------------
1 | .so man3/getcon.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/getpeercon_raw.3:
--------------------------------------------------------------------------------
1 | .so man3/getcon.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/getpidcon.3:
--------------------------------------------------------------------------------
1 | .so man3/getcon.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/getpidcon_raw.3:
--------------------------------------------------------------------------------
1 | .so man3/getcon.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/getpidprevcon.3:
--------------------------------------------------------------------------------
1 | .so man3/getcon.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/getpidprevcon_raw.3:
--------------------------------------------------------------------------------
1 | .so man3/getcon.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/getprevcon.3:
--------------------------------------------------------------------------------
1 | .so man3/getcon.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/getprevcon_raw.3:
--------------------------------------------------------------------------------
1 | .so man3/getcon.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/getsockcreatecon_raw.3:
--------------------------------------------------------------------------------
1 | .so man3/getsockcreatecon.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/init_selinuxmnt.3:
--------------------------------------------------------------------------------
1 | .TH "init_selinuxmnt" "3" "21 Nov 2009" "" "SELinux API documentation"
2 | .SH "NAME"
3 | init_selinuxmnt \- initialize the global variable selinux_mnt
4 | .
5 | .SH "SYNOPSIS"
6 | .BI "static void init_selinuxmnt(void);"
7 | .sp
8 | .BI "static void fini_selinuxmnt(void);"
9 | .sp
10 | .BI "void set_selinuxmnt(const char *" mnt ");"
11 | .
12 | .SH "DESCRIPTION"
13 | .BR init_selinuxmnt ()
14 | initializes the global variable
15 | .I selinux_mnt
16 | to the selinuxfs mountpoint.
17 |
18 | .BR fini_selinuxmnt ()
19 | deinitializes the global variable
20 | .I selinux_mnt
21 | that stores the selinuxfs mountpoint.
22 |
23 | .BR set_selinuxmnt ()
24 | changes the selinuxfs mountpoint to
25 | .IR mnt .
26 | .
27 | .SH "AUTHOR"
28 | This manual page has been written by Guido Trentalancia
29 | .
30 | .SH "SEE ALSO"
31 | .BR selinux (8)
32 |
--------------------------------------------------------------------------------
/libselinux/man/man3/is_selinux_enabled.3:
--------------------------------------------------------------------------------
1 | .TH "is_selinux_enabled" "3" "7 Mar 2010" "russell@coker.com.au" "SELinux API documentation"
2 | .SH "NAME"
3 | is_selinux_enabled \- check whether SELinux is enabled
4 | .
5 | .SH "NAME"
6 | is_selinux_mls_enabled \- check whether SELinux is enabled for Multi Level Security (MLS)
7 | .
8 | .SH "SYNOPSIS"
9 | .B #include <selinux/selinux.h>
10 | .sp
11 | .B int is_selinux_enabled(void);
12 | .sp
13 | .B int is_selinux_mls_enabled(void);
14 | .
15 | .SH "DESCRIPTION"
16 | .BR is_selinux_enabled ()
17 | returns 1 if SELinux is running or 0 if it is not.
18 |
19 | .BR is_selinux_mls_enabled ()
20 | returns 1 if SELinux is capable of running in MLS mode or 0 if it is not. To
21 | determine the policy in use on the system, use
22 | .BR selinux_getpolicytype (3).
23 | .
24 | .SH "SEE ALSO"
25 | .BR selinux "(8)"
26 |
--------------------------------------------------------------------------------
/libselinux/man/man3/is_selinux_mls_enabled.3:
--------------------------------------------------------------------------------
1 | .so man3/is_selinux_enabled.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/lgetfilecon.3:
--------------------------------------------------------------------------------
1 | .so man3/getfilecon.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/lgetfilecon_raw.3:
--------------------------------------------------------------------------------
1 | .so man3/getfilecon.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/lsetfilecon.3:
--------------------------------------------------------------------------------
1 | .so man3/setfilecon.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/lsetfilecon_raw.3:
--------------------------------------------------------------------------------
1 | .so man3/setfilecon.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/manual_user_enter_context.3:
--------------------------------------------------------------------------------
1 | .so man3/get_ordered_context_list.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/matchmediacon.3:
--------------------------------------------------------------------------------
1 | .TH "matchmediacon" "3" "15 November 2004" "dwalsh@redhat.com" "SELinux API documentation"
2 | .SH "NAME"
3 | matchmediacon \- get the default SELinux security context for the specified mediatype from the policy
4 | .
5 | .SH "SYNOPSIS"
6 | .B #include <selinux/selinux.h>
7 | .sp
8 | .BI "int matchmediacon(const char *" media ", char **" con );
9 | .
10 | .SH "DESCRIPTION"
11 | .BR matchmediacon ()
12 | matches the specified media type with the media contexts configuration and
13 | sets the security context
14 | .I con
15 | to refer to the resulting context.
16 | .sp
17 | .B Note:
18 | Caller must free returned security context
19 | .I con
20 | using
21 | .BR freecon (3).
22 | .
23 | .SH "RETURN VALUE"
24 | Returns 0 on success or \-1 otherwise.
25 | .
26 | .SH "FILES"
27 | .I /etc/selinux/{POLICYTYPE}/contexts/files/media
28 | .
29 | .SH "SEE ALSO"
30 | .BR selinux "(8), " freecon "(3)"
31 |
--------------------------------------------------------------------------------
/libselinux/man/man3/matchpathcon_filespec_add.3:
--------------------------------------------------------------------------------
1 | .so man3/matchpathcon_checkmatches.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/matchpathcon_filespec_destroy.3:
--------------------------------------------------------------------------------
1 | .so man3/matchpathcon_checkmatches.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/matchpathcon_filespec_eval.3:
--------------------------------------------------------------------------------
1 | .so man3/matchpathcon_checkmatches.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/matchpathcon_fini.3:
--------------------------------------------------------------------------------
1 | .so man3/matchpathcon.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/matchpathcon_index.3:
--------------------------------------------------------------------------------
1 | .so man3/matchpathcon.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/matchpathcon_init.3:
--------------------------------------------------------------------------------
1 | .so man3/matchpathcon.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/mode_to_security_class.3:
--------------------------------------------------------------------------------
1 | .so man3/security_class_to_string.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/print_access_vector.3:
--------------------------------------------------------------------------------
1 | .so man3/security_class_to_string.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/query_user_context.3:
--------------------------------------------------------------------------------
1 | .so man3/get_ordered_context_list.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/rpm_execcon.3:
--------------------------------------------------------------------------------
1 | .so man3/getexeccon.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/security_av_perm_to_string.3:
--------------------------------------------------------------------------------
1 | .so man3/security_class_to_string.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/security_av_string.3:
--------------------------------------------------------------------------------
1 | .so man3/security_class_to_string.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/security_check_context.3:
--------------------------------------------------------------------------------
1 | .TH "security_check_context" "3" "1 January 2004" "russell@coker.com.au" "SELinux API documentation"
2 | .SH "NAME"
3 | security_check_context \- check the validity of a SELinux context
4 | .
5 | .SH "SYNOPSIS"
6 | .B #include <selinux/selinux.h>
7 | .sp
8 | .BI "int security_check_context(const char *" con );
9 | .sp
10 | .BI "int security_check_context_raw(const char *" con );
11 | .
12 | .SH "DESCRIPTION"
13 | .BR security_check_context ()
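14 | returns 0 if SELinux is running and the context is valid, otherwise it
15 | returns \-1. A \-1 result therefore does not by itself show that the context is invalid; it is also returned when SELinux is not running.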
16 |
17 | .BR security_check_context_raw ()
18 | behaves identically to
19 | .BR \%security_check_context ()
20 | but does not perform context translation.
21 | .
22 | .SH "SEE ALSO"
23 | .BR selinux "(8)"
24 |
--------------------------------------------------------------------------------
/libselinux/man/man3/security_check_context_raw.3:
--------------------------------------------------------------------------------
1 | .so man3/security_check_context.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/security_commit_booleans.3:
--------------------------------------------------------------------------------
1 | .so man3/security_load_booleans.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/security_compute_av_flags.3:
--------------------------------------------------------------------------------
1 | .so man3/security_compute_av.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/security_compute_av_flags_raw.3:
--------------------------------------------------------------------------------
1 | .so man3/security_compute_av.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/security_compute_av_raw.3:
--------------------------------------------------------------------------------
1 | .so man3/security_compute_av.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/security_compute_create.3:
--------------------------------------------------------------------------------
1 | .so man3/security_compute_av.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/security_compute_create_name.3:
--------------------------------------------------------------------------------
1 | .so man3/security_compute_av.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/security_compute_create_name_raw.3:
--------------------------------------------------------------------------------
1 | .so man3/security_compute_av.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/security_compute_create_raw.3:
--------------------------------------------------------------------------------
1 | .so man3/security_compute_av.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/security_compute_member.3:
--------------------------------------------------------------------------------
1 | .so man3/security_compute_av.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/security_compute_member_raw.3:
--------------------------------------------------------------------------------
1 | .so man3/security_compute_av.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/security_compute_relabel.3:
--------------------------------------------------------------------------------
1 | .so man3/security_compute_av.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/security_compute_relabel_raw.3:
--------------------------------------------------------------------------------
1 | .so man3/security_compute_av.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/security_compute_user.3:
--------------------------------------------------------------------------------
1 | .so man3/security_compute_av.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/security_compute_user_raw.3:
--------------------------------------------------------------------------------
1 | .so man3/security_compute_av.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/security_deny_unknown.3:
--------------------------------------------------------------------------------
1 | .so man3/security_getenforce.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/security_get_boolean_active.3:
--------------------------------------------------------------------------------
1 | .so man3/security_load_booleans.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/security_get_boolean_names.3:
--------------------------------------------------------------------------------
1 | .so man3/security_load_booleans.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/security_get_boolean_pending.3:
--------------------------------------------------------------------------------
1 | .so man3/security_load_booleans.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/security_get_checkreqprot.3:
--------------------------------------------------------------------------------
1 | .so man3/security_getenforce.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/security_get_initial_context.3:
--------------------------------------------------------------------------------
1 | .so man3/security_compute_av.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/security_get_initial_context_raw.3:
--------------------------------------------------------------------------------
1 | .so man3/security_compute_av.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/security_mkload_policy.3:
--------------------------------------------------------------------------------
1 | .so man3/security_load_policy.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/security_policyvers.3:
--------------------------------------------------------------------------------
1 | .TH "security_policyvers" "3" "1 January 2004" "russell@coker.com.au" "SELinux API documentation"
2 | .SH "NAME"
3 | security_policyvers \- get the version of the SELinux policy
4 | .SH "SYNOPSIS"
5 | .B #include <selinux/selinux.h>
6 | .sp
7 | .B int security_policyvers(void);
8 | .
9 | .SH "DESCRIPTION"
10 | .BR security_policyvers ()
11 | returns the version of the policy (a positive integer) on success, or \-1 on
12 | error.
13 | .
14 | .SH "SEE ALSO"
15 | .BR selinux "(8)"
16 |
--------------------------------------------------------------------------------
/libselinux/man/man3/security_reject_unknown.3:
--------------------------------------------------------------------------------
1 | .so man3/security_getenforce.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/security_set_boolean.3:
--------------------------------------------------------------------------------
1 | .so man3/security_load_booleans.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/security_set_boolean_list.3:
--------------------------------------------------------------------------------
1 | .so man3/security_load_booleans.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/security_setenforce.3:
--------------------------------------------------------------------------------
1 | .so man3/security_getenforce.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/security_validatetrans.3:
--------------------------------------------------------------------------------
1 | .so man3/security_compute_av.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/security_validatetrans_raw.3:
--------------------------------------------------------------------------------
1 | .so man3/security_compute_av.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/selabel_close.3:
--------------------------------------------------------------------------------
1 | .so man3/selabel_open.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/selabel_lookup_best_match_raw.3:
--------------------------------------------------------------------------------
1 | .so man3/selabel_lookup_best_match.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/selabel_lookup_raw.3:
--------------------------------------------------------------------------------
1 | .so man3/selabel_lookup.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/selinux_check_access.3:
--------------------------------------------------------------------------------
1 | .so man3/security_compute_av.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/selinux_check_passwd_access.3:
--------------------------------------------------------------------------------
1 | .so man3/security_compute_av.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/selinux_check_securetty_context.3:
--------------------------------------------------------------------------------
1 | .TH "selinux_check_securetty_context" "3" "1 January 2007" "dwalsh@redhat.com" "SELinux API documentation"
2 | .SH "NAME"
3 | selinux_check_securetty_context \- check whether a SELinux tty security context is defined as a securetty context
4 | .
5 | .SH "SYNOPSIS"
6 | .B #include <selinux/selinux.h>
7 | .sp
8 | .BI "int selinux_check_securetty_context(const char *" tty_context );
9 | .
10 | .SH "DESCRIPTION"
11 | .BR selinux_check_securetty_context ()
12 | returns 0 if tty_context is a securetty context,
13 | returns < 0 otherwise.
14 | .
15 | .SH "SEE ALSO"
16 | .BR selinux "(8)"
17 |
--------------------------------------------------------------------------------
/libselinux/man/man3/selinux_contexts_path.3:
--------------------------------------------------------------------------------
1 | .so man3/selinux_binary_policy_path.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/selinux_current_policy_path.3:
--------------------------------------------------------------------------------
1 | .so man3/selinux_binary_policy_path.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/selinux_default_context_path.3:
--------------------------------------------------------------------------------
1 | .so man3/selinux_binary_policy_path.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/selinux_default_type_path.3:
--------------------------------------------------------------------------------
1 | .so man3/selinux_binary_policy_path.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/selinux_failsafe_context_path.3:
--------------------------------------------------------------------------------
1 | .so man3/selinux_binary_policy_path.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/selinux_file_context_homedir_path.3:
--------------------------------------------------------------------------------
1 | .so man3/selinux_binary_policy_path.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/selinux_file_context_local_path.3:
--------------------------------------------------------------------------------
1 | .so man3/selinux_binary_policy_path.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/selinux_file_context_path.3:
--------------------------------------------------------------------------------
1 | .so man3/selinux_binary_policy_path.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/selinux_getenforcemode.3:
--------------------------------------------------------------------------------
1 | .TH "selinux_getenforcemode" "3" "25 May 2004" "dwalsh@redhat.com" "SELinux API documentation"
2 | .SH "NAME"
3 | selinux_getenforcemode \- get the enforcing state of SELinux
4 | .
5 | .SH "SYNOPSIS"
6 | .B #include <selinux/selinux.h>
7 | .sp
8 | .BI "int selinux_getenforcemode(int *" enforce );
9 | .
10 | .SH "DESCRIPTION"
11 | .BR selinux_getenforcemode ()
12 | Reads the contents of the
13 | .I /etc/selinux/config
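14 | file to determine how the system was set up to run SELinux. This is the configured mode, which can differ from the mode the running kernel is currently enforcing; use \fBsecurity_getenforce\fR(3) to query the running state.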
15 |
16 | Sets the value of
17 | .I enforce
18 | to 1 if SELinux should be run in enforcing mode.
19 | Sets the value of
20 | .I enforce
21 | to 0 if SELinux should be run in permissive mode.
22 | Sets the value of
23 | .I enforce
24 | to \-1 if SELinux should be disabled.
25 | .
26 | .SH "RETURN VALUE"
27 | On success, zero is returned.
28 | On failure, \-1 is returned.
29 | .
30 | .SH "SEE ALSO"
31 | .BR selinux "(8)"
32 |
--------------------------------------------------------------------------------
/libselinux/man/man3/selinux_getpolicytype.3:
--------------------------------------------------------------------------------
1 | .TH "selinux_getpolicytype" "3" "24 Sep 2008" "dwalsh@redhat.com" "SELinux API documentation"
2 | .SH "NAME"
3 | selinux_getpolicytype \- get the type of SELinux policy running on the system
4 | .
5 | .SH "SYNOPSIS"
6 | .B #include <selinux/selinux.h>
7 | .sp
8 | .BI "int selinux_getpolicytype(char **" policytype );
9 | .
10 | .SH "DESCRIPTION"
11 | .BR selinux_getpolicytype ()
12 | Reads the contents of the
13 | .I /etc/selinux/config
14 | file to determine the SELinux policy used on the system, and sets
15 | .I \%policytype
16 | accordingly. Free
17 | .I \%policytype
18 | with
19 | .BR free (3).
20 | .
21 | .SH "RETURN VALUE"
22 | On success, zero is returned.
23 | On failure, \-1 is returned.
24 | .
25 | .SH "SEE ALSO"
26 | .BR selinux "(8)"
27 |
--------------------------------------------------------------------------------
/libselinux/man/man3/selinux_homedir_context_path.3:
--------------------------------------------------------------------------------
1 | .so man3/selinux_binary_policy_path.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/selinux_init_load_policy.3:
--------------------------------------------------------------------------------
1 | .so man3/security_load_policy.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/selinux_lsetfilecon_default.3:
--------------------------------------------------------------------------------
1 | .TH "selinux_lsetfilecon_default" "3" "21 November 2009" "stephen.smalley.work@gmail.com" "SELinux API documentation"
2 | .SH "NAME"
3 | selinux_lsetfilecon_default \- set the file context to the system defaults
4 | .
5 | .SH "SYNOPSIS"
6 | .B #include <selinux/selinux.h>
7 | .sp
8 | .BI "int selinux_lsetfilecon_default(const char *" path ");"
9 | .
10 | .SH "DESCRIPTION"
11 | .BR selinux_lsetfilecon_default ()
12 | sets the file context to the system defaults.
13 | .
14 | .SH "RETURN VALUE"
15 | Returns zero on success or \-1 otherwise.
16 | .
17 | .SH "SEE ALSO"
18 | .ad l
19 | .nh
20 | .BR selinux "(8), " selinux_file_context_cmp "(3), " selinux_file_context_verify "(3), " matchpathcon "(3), " freecon "(3), " setfilecon "(3), " setfscreatecon "(3)"
21 |
--------------------------------------------------------------------------------
/libselinux/man/man3/selinux_media_context_path.3:
--------------------------------------------------------------------------------
1 | .so man3/selinux_binary_policy_path.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/selinux_mkload_policy.3:
--------------------------------------------------------------------------------
1 | .so man3/security_load_policy.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/selinux_netfilter_context_path.3:
--------------------------------------------------------------------------------
1 | .so man3/selinux_binary_policy_path.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/selinux_path.3:
--------------------------------------------------------------------------------
1 | .so man3/selinux_binary_policy_path.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/selinux_removable_context_path.3:
--------------------------------------------------------------------------------
1 | .so man3/selinux_binary_policy_path.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/selinux_restorecon_parallel.3:
--------------------------------------------------------------------------------
1 | .so man3/selinux_restorecon.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/selinux_securetty_types_path.3:
--------------------------------------------------------------------------------
1 | .so man3/selinux_binary_policy_path.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/selinux_sepgsql_context_path.3:
--------------------------------------------------------------------------------
1 | .so man3/selinux_binary_policy_path.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/selinux_set_policy_root.3:
--------------------------------------------------------------------------------
1 | .so man3/selinux_policy_root.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/selinux_status_close.3:
--------------------------------------------------------------------------------
1 | .so man3/selinux_status_open.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/selinux_status_deny_unknown.3:
--------------------------------------------------------------------------------
1 | .so man3/selinux_status_open.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/selinux_status_getenforce.3:
--------------------------------------------------------------------------------
1 | .so man3/selinux_status_open.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/selinux_status_policyload.3:
--------------------------------------------------------------------------------
1 | .so man3/selinux_status_open.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/selinux_status_updated.3:
--------------------------------------------------------------------------------
1 | .so man3/selinux_status_open.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/selinux_user_contexts_path.3:
--------------------------------------------------------------------------------
1 | .so man3/selinux_binary_policy_path.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/selinux_usersconf_path.3:
--------------------------------------------------------------------------------
1 | .so man3/selinux_binary_policy_path.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/selinux_x_context_path.3:
--------------------------------------------------------------------------------
1 | .so man3/selinux_binary_policy_path.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/set_matchpathcon_invalidcon.3:
--------------------------------------------------------------------------------
1 | .so man3/set_matchpathcon_flags.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/set_matchpathcon_printf.3:
--------------------------------------------------------------------------------
1 | .so man3/set_matchpathcon_flags.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/set_selinuxmnt.3:
--------------------------------------------------------------------------------
1 | .so man3/init_selinuxmnt.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/setcon.3:
--------------------------------------------------------------------------------
1 | .so man3/getcon.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/setcon_raw.3:
--------------------------------------------------------------------------------
1 | .so man3/getcon.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/setexeccon.3:
--------------------------------------------------------------------------------
1 | .so man3/getexeccon.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/setexeccon_raw.3:
--------------------------------------------------------------------------------
1 | .so man3/getexeccon.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/setexecfilecon.3:
--------------------------------------------------------------------------------
1 | .so man3/getexeccon.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/setfilecon_raw.3:
--------------------------------------------------------------------------------
1 | .so man3/setfilecon.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/setfscreatecon.3:
--------------------------------------------------------------------------------
1 | .so man3/getfscreatecon.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/setfscreatecon_raw.3:
--------------------------------------------------------------------------------
1 | .so man3/getfscreatecon.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/setkeycreatecon.3:
--------------------------------------------------------------------------------
1 | .so man3/getkeycreatecon.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/setkeycreatecon_raw.3:
--------------------------------------------------------------------------------
1 | .so man3/getkeycreatecon.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/setsockcreatecon.3:
--------------------------------------------------------------------------------
1 | .so man3/getsockcreatecon.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/setsockcreatecon_raw.3:
--------------------------------------------------------------------------------
1 | .so man3/getsockcreatecon.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/sidget.3:
--------------------------------------------------------------------------------
1 | .so man3/avc_context_to_sid.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/sidput.3:
--------------------------------------------------------------------------------
1 | .so man3/avc_context_to_sid.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/string_to_av_perm.3:
--------------------------------------------------------------------------------
1 | .so man3/security_class_to_string.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man3/string_to_security_class.3:
--------------------------------------------------------------------------------
1 | .so man3/security_class_to_string.3
2 |
--------------------------------------------------------------------------------
/libselinux/man/man5/file_contexts.5:
--------------------------------------------------------------------------------
1 | .so man5/selabel_file.5
2 |
--------------------------------------------------------------------------------
/libselinux/man/man5/file_contexts.homedirs.5:
--------------------------------------------------------------------------------
1 | .so man5/selabel_file.5
2 |
--------------------------------------------------------------------------------
/libselinux/man/man5/file_contexts.local.5:
--------------------------------------------------------------------------------
1 | .so man5/selabel_file.5
2 |
--------------------------------------------------------------------------------
/libselinux/man/man5/file_contexts.subs.5:
--------------------------------------------------------------------------------
1 | .so man5/selabel_file.5
2 |
--------------------------------------------------------------------------------
/libselinux/man/man5/file_contexts.subs_dist.5:
--------------------------------------------------------------------------------
1 | .so man5/selabel_file.5
2 |
--------------------------------------------------------------------------------
/libselinux/man/man5/media.5:
--------------------------------------------------------------------------------
1 | .so man5/selabel_media.5
2 |
--------------------------------------------------------------------------------
/libselinux/man/man5/sepgsql_contexts.5:
--------------------------------------------------------------------------------
1 | .so man5/selabel_db.5
2 |
--------------------------------------------------------------------------------
/libselinux/man/man5/x_contexts.5:
--------------------------------------------------------------------------------
1 | .so man5/selabel_x.5
2 |
--------------------------------------------------------------------------------
/libselinux/man/man8/avcstat.8:
--------------------------------------------------------------------------------
1 | .TH "avcstat" "8" "18 Nov 2004" "dwalsh@redhat.com" "SELinux Command Line documentation"
2 | .SH "NAME"
3 | avcstat \- Display SELinux AVC statistics
4 | .
5 | .SH "SYNOPSIS"
6 | .B avcstat
7 | .RB [ \-c ]
8 | .RB [ \-f
9 | .IR status_file ]
10 | .RI [ interval ]
11 | .
12 | .SH "DESCRIPTION"
13 | Display SELinux AVC statistics. If the
14 | .I interval
15 | parameter is specified, the program will loop, displaying updated
16 | statistics every
17 | .I interval
18 | seconds.
19 | Relative values are displayed by default.
20 | .
21 | .SH OPTIONS
22 | .TP
23 | .B \-c
24 | Display the cumulative values.
25 | .TP
26 | .B \-f
27 | Specifies the location of the AVC statistics file, defaulting to
28 | .IR /sys/fs/selinux/avc/cache_stats .
29 | .
30 | .SH AUTHOR
31 | This manual page was written by Dan Walsh.
32 | The program was written by James Morris.
33 | .
34 | .SH "SEE ALSO"
35 | .BR selinux (8)
36 |
--------------------------------------------------------------------------------
/libselinux/man/man8/getenforce.8:
--------------------------------------------------------------------------------
1 | .TH "getenforce" "8" "7 April 2004" "dwalsh@redhat.com" "SELinux Command Line documentation"
2 | .SH "NAME"
3 | getenforce \- get the current mode of SELinux
4 | .
5 | .SH "SYNOPSIS"
6 | .B getenforce
7 | .
8 | .SH "DESCRIPTION"
9 | .B getenforce
10 | reports whether SELinux is enforcing, permissive, or disabled.
11 | .
12 | .SH AUTHOR
13 | Dan Walsh
14 | .
15 | .SH "SEE ALSO"
16 | .BR selinux (8),
17 | .BR setenforce (8),
18 | .BR selinuxenabled (8)
19 |
--------------------------------------------------------------------------------
/libselinux/man/man8/selinuxenabled.8:
--------------------------------------------------------------------------------
1 | .TH "selinuxenabled" "8" "7 April 2004" "dwalsh@redhat.com" "SELinux Command Line documentation"
2 | .SH "NAME"
3 | selinuxenabled \- tool to be used within shell scripts to determine if SELinux is enabled
4 | .
5 | .SH "SYNOPSIS"
6 | .B selinuxenabled
7 | .
8 | .SH "DESCRIPTION"
9 | Indicates whether SELinux is enabled or disabled.
10 | .
11 | .SH "EXIT STATUS"
12 | It exits with status 0 if SELinux is enabled and 1 if it is not enabled.
13 | .
14 | .SH AUTHOR
15 | Dan Walsh
16 | .
17 | .SH "SEE ALSO"
18 | .BR selinux (8),
19 | .BR setenforce (8),
20 | .BR getenforce (8)
21 |
--------------------------------------------------------------------------------
/libselinux/man/man8/selinuxexeccon.8:
--------------------------------------------------------------------------------
1 | .TH "selinuxexeccon" "8" "14 May 2011" "dwalsh@redhat.com" "SELinux Command Line documentation"
2 | .SH "NAME"
3 | selinuxexeccon \- report SELinux context used for this executable
4 | .
5 | .SH "SYNOPSIS"
6 | .B selinuxexeccon
7 | .I command
8 | .RI [ fromcon ]
9 | .
10 | .SH "DESCRIPTION"
11 | .B selinuxexeccon
12 | reports the SELinux process context for the specified command from the specified context or the current context.
13 | .
14 | .SH EXAMPLE
15 | .nf
16 | # selinuxexeccon /usr/bin/passwd
17 | staff_u:staff_r:passwd_t:s0-s0:c0.c1023
18 |
19 | # selinuxexeccon /usr/sbin/sendmail system_u:system_r:httpd_t:s0
20 | system_u:system_r:system_mail_t:s0
21 | .fi
22 | .
23 | .SH AUTHOR
24 | This manual page was written by Dan Walsh.
25 | .
26 | .SH "SEE ALSO"
27 | .BR secon (8)
28 |
--------------------------------------------------------------------------------
/libselinux/man/man8/setenforce.8:
--------------------------------------------------------------------------------
1 | .TH "setenforce" "8" "7 April 2004" "dwalsh@redhat.com" "SELinux Command Line documentation"
2 | .SH "NAME"
3 | setenforce \- modify the mode SELinux is running in
4 | .
5 | .SH "SYNOPSIS"
6 | .B setenforce
7 | .RB [ Enforcing | Permissive | 1 | 0 ]
8 | .
9 | .SH "DESCRIPTION"
10 | Use
11 | .B Enforcing
12 | or
13 | .B 1
14 | to put SELinux in enforcing mode.
15 | .br
16 | Use
17 | .B Permissive
18 | or
19 | .B 0
20 | to put SELinux in permissive mode.
21 |
22 | If SELinux is disabled and you want to enable it, or SELinux is enabled and you want to disable it, please see
23 | .BR selinux (8).
24 | .
25 | .SH AUTHOR
26 | Dan Walsh
27 | .
28 | .SH "SEE ALSO"
29 | .BR selinux (8),
30 | .BR getenforce (8),
31 | .BR selinuxenabled (8)
32 |
--------------------------------------------------------------------------------
/libselinux/man/man8/togglesebool.8:
--------------------------------------------------------------------------------
1 | .TH "togglesebool" "8" "26 Oct 2004" "sgrubb@redhat.com" "SELinux Command Line documentation"
2 | .SH "NAME"
3 | togglesebool \- flip the current value of a SELinux boolean
4 | .
5 | .SH "SYNOPSIS"
6 | .B togglesebool
7 | .I boolean...
8 | .
9 | .SH "DESCRIPTION"
10 | .B togglesebool
11 | flips the current value of a list of booleans. If the value is currently a 1,
12 | then it will be changed to a 0 and vice versa. Only the "in memory" values are
13 | changed; the boot-time settings are unaffected.
14 | .
15 | .SH AUTHOR
16 | This man page was written by Steve Grubb.
17 | .
18 | .SH "SEE ALSO"
19 | .BR selinux (8),
20 | .BR booleans (8),
21 | .BR getsebool (8),
22 | .BR setsebool (8)
23 |
--------------------------------------------------------------------------------
/libselinux/src/.gitignore:
--------------------------------------------------------------------------------
1 | selinux.py
2 | selinuxswig_python_wrap.c
3 | selinuxswig_ruby_wrap.c
4 | selinux.egg-info/
5 |
--------------------------------------------------------------------------------
/libselinux/src/audit2why.map:
--------------------------------------------------------------------------------
1 | AUDIT2WHY_2.9 {
2 | global:
3 | initaudit2why;
4 | PyInit_audit2why;
5 | local: *;
6 | };
7 |
--------------------------------------------------------------------------------
/libselinux/src/checkreqprot.c:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 | #include
4 | #include
5 | #include
6 | #include
7 | #include "selinux_internal.h"
8 | #include "policy.h"
9 | #include
10 | #include
11 |
/*
 * Read the integer stored in the "checkreqprot" node under the selinuxfs
 * mount point.
 *
 * Returns the parsed value, or -1 on failure. errno is ENOENT when no
 * selinuxfs mount point is known; for open()/read() failures it is whatever
 * those calls left behind. When the node content cannot be parsed, -1 is
 * returned without this function setting errno, so a caller printing
 * strerror(errno) may show a stale value. The parsed number is returned
 * as-is (not normalised to 0/1), so a negative value in the node would be
 * indistinguishable from an error.
 */
int security_get_checkreqprot(void)
{
	char node[PATH_MAX];
	char text[20] = { 0 };	/* zero-filled so the data read stays NUL-terminated */
	ssize_t nread;
	int value = 0;
	int fd;

	if (selinux_mnt == NULL) {
		errno = ENOENT;
		return -1;
	}

	snprintf(node, sizeof(node), "%s/checkreqprot", selinux_mnt);

	fd = open(node, O_RDONLY | O_CLOEXEC);
	if (fd < 0)
		return -1;

	/* Leave the last byte untouched so text always ends in '\0'. */
	nread = read(fd, text, sizeof(text) - 1);
	close(fd);
	if (nread < 0)
		return -1;

	return (sscanf(text, "%d", &value) == 1) ? value : -1;
}
39 |
40 |
--------------------------------------------------------------------------------
/libselinux/src/context_internal.h:
--------------------------------------------------------------------------------
1 | #include
2 |
3 |
--------------------------------------------------------------------------------
/libselinux/src/deny_unknown.c:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 | #include
4 | #include
5 | #include
6 | #include
7 | #include "selinux_internal.h"
8 | #include "policy.h"
9 | #include
10 | #include
11 |
/*
 * Read the integer stored in the "deny_unknown" node under the selinuxfs
 * mount point.
 *
 * Returns the parsed value, or -1 on failure. errno is ENOENT when no
 * selinuxfs mount point is known; open()/read() failures keep the errno of
 * the failing call. An unparsable node yields -1 without errno being set
 * here. The value is passed through unmodified, so callers should compare
 * against the values they expect rather than treating any non-negative
 * result as a boolean.
 */
int security_deny_unknown(void)
{
	char node[PATH_MAX];
	char text[20] = { 0 };	/* zero-filled so the data read stays NUL-terminated */
	ssize_t nread;
	int value = 0;
	int fd;

	if (selinux_mnt == NULL) {
		errno = ENOENT;
		return -1;
	}

	snprintf(node, sizeof(node), "%s/deny_unknown", selinux_mnt);

	fd = open(node, O_RDONLY | O_CLOEXEC);
	if (fd < 0)
		return -1;

	/* Leave the last byte untouched so text always ends in '\0'. */
	nread = read(fd, text, sizeof(text) - 1);
	close(fd);
	if (nread < 0)
		return -1;

	return (sscanf(text, "%d", &value) == 1) ? value : -1;
}
39 |
40 |
--------------------------------------------------------------------------------
/libselinux/src/disable.c:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 | #include
4 | #include
5 | #include
6 | #include
7 | #include "selinux_internal.h"
8 | #include "policy.h"
9 | #include
10 | #include
11 |
/*
 * Ask the kernel to disable SELinux by writing "1" to the "disable" node
 * under the selinuxfs mount point.
 *
 * Returns 0 when the write succeeds and -1 otherwise. errno is ENOENT when
 * no selinuxfs mount point is known; otherwise it is left as set by the
 * failing open() or write(). A refused request therefore shows up only as
 * -1 from this function, so callers must check the return value.
 *
 * NOTE(review): whether the running kernel still acts on this node cannot
 * be told from this file - confirm before relying on it.
 */
int security_disable(void)
{
	static const char request[] = "1";
	char node[PATH_MAX];
	ssize_t written;
	int fd;

	if (selinux_mnt == NULL) {
		errno = ENOENT;
		return -1;
	}

	snprintf(node, sizeof(node), "%s/disable", selinux_mnt);

	fd = open(node, O_WRONLY | O_CLOEXEC);
	if (fd < 0)
		return -1;

	/* Send the single character without the terminating NUL. */
	written = write(fd, request, sizeof(request) - 1);
	close(fd);

	return (written < 0) ? -1 : 0;
}
37 |
38 |
--------------------------------------------------------------------------------
/libselinux/src/freecon.c:
--------------------------------------------------------------------------------
1 | #include
2 | #include "selinux_internal.h"
3 | #include
4 | #include
5 |
/*
 * Release a single context string.
 *
 * The pointer is handed straight to free(), so it must be NULL or a heap
 * pointer that has not been freed already; the caller must not use it
 * afterwards.
 */
void freecon(char * con)
{
	if (con != NULL)
		free(con);
}
10 |
11 |
--------------------------------------------------------------------------------
/libselinux/src/freeconary.c:
--------------------------------------------------------------------------------
1 | #include
2 | #include "selinux_internal.h"
3 | #include
4 | #include
5 |
6 | void freeconary(char ** con)
7 | {
8 | char **ptr;
9 |
10 | if (!con)
11 | return;
12 |
13 | for (ptr = con; *ptr; ptr++) {
14 | free(*ptr);
15 | }
16 | free(con);
17 | }
18 |
19 |
--------------------------------------------------------------------------------
/libselinux/src/get_context_list_internal.h:
--------------------------------------------------------------------------------
1 | #include
2 |
3 |
--------------------------------------------------------------------------------
/libselinux/src/get_default_type_internal.h:
--------------------------------------------------------------------------------
1 | #include
2 |
3 |
--------------------------------------------------------------------------------
/libselinux/src/getenforce.c:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 | #include
4 | #include
5 | #include
6 | #include
7 | #include "selinux_internal.h"
8 | #include "policy.h"
9 | #include
10 | #include
11 |
/*
 * Report the current enforcing state from the "enforce" node under the
 * selinuxfs mount point.
 *
 * Returns 1 when the node holds a non-zero number, 0 when it holds zero,
 * and -1 on failure. errno is ENOENT when no selinuxfs mount point is
 * known; open()/read() failures keep the errno of the failing call. An
 * unparsable node yields -1 without errno being set here, so callers should
 * treat -1 as "state unknown" rather than as permissive.
 */
int security_getenforce(void)
{
	char node[PATH_MAX];
	char text[20] = { 0 };	/* zero-filled so the data read stays NUL-terminated */
	ssize_t nread;
	int state = 0;
	int fd;

	if (selinux_mnt == NULL) {
		errno = ENOENT;
		return -1;
	}

	snprintf(node, sizeof(node), "%s/enforce", selinux_mnt);

	fd = open(node, O_RDONLY | O_CLOEXEC);
	if (fd < 0)
		return -1;

	/* Leave the last byte untouched so text always ends in '\0'. */
	nread = read(fd, text, sizeof(text) - 1);
	close(fd);
	if (nread < 0)
		return -1;

	if (sscanf(text, "%d", &state) != 1)
		return -1;

	/* Collapse any non-zero value to exactly 1. */
	return state != 0;
}
39 |
40 |
--------------------------------------------------------------------------------
/libselinux/src/libselinux.pc.in:
--------------------------------------------------------------------------------
1 | prefix=@prefix@
2 | exec_prefix=${prefix}
3 | libdir=@libdir@
4 | includedir=@includedir@
5 |
6 | Name: libselinux
7 | Description: SELinux utility library
8 | Version: @VERSION@
9 | URL: http://userspace.selinuxproject.org/
10 | Requires.private: libsepol @PCRE_MODULE@
11 | Libs: -L${libdir} -lselinux
12 | Cflags: -I${includedir}
13 |
--------------------------------------------------------------------------------
/libselinux/src/policy.h:
--------------------------------------------------------------------------------
1 | #ifndef _POLICY_H_
2 | #define _POLICY_H_
3 |
4 | /* Private definitions used internally by libselinux. */
5 |
6 | /*
7 | * xattr name for SELinux attributes.
8 | * This may have been exported via Kernel uapi header.
9 | */
10 | #ifndef XATTR_NAME_SELINUX
11 | #define XATTR_NAME_SELINUX "security.selinux"
12 | #endif
13 |
14 | /* Initial length guess for getting contexts. */
15 | #define INITCONTEXTLEN 255
16 |
17 | /* selinux file system type */
18 | #define SELINUXFS "selinuxfs"
19 |
20 | /* selinuxfs magic number */
21 | #define SELINUX_MAGIC 0xf97cff8c
22 |
23 | /* Preferred selinux mount location */
24 | #define SELINUXMNT "/sys/fs/selinux"
25 | #define OLDSELINUXMNT "/selinux"
26 |
27 | /* selinuxfs mount point */
28 | extern char *selinux_mnt;
29 |
30 | #define FILECONTEXTS "/etc/security/selinux/file_contexts"
31 |
32 | #define DEFAULT_POLICY_VERSION 15
33 |
34 | #endif
35 |
--------------------------------------------------------------------------------
/libselinux/src/policyvers.c:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 | #include
4 | #include
5 | #include
6 | #include
7 | #include "selinux_internal.h"
8 | #include
9 | #include "policy.h"
10 | #include
11 |
/*
 * Report the policy version stored in the "policyvers" node under the
 * selinuxfs mount point.
 *
 * Returns the parsed version, or -1 on failure. When the node does not
 * exist (open() fails with ENOENT) DEFAULT_POLICY_VERSION is returned
 * instead of an error. errno is ENOENT when no selinuxfs mount point is
 * known; an unparsable node yields -1 without errno being set here.
 */
int security_policyvers(void)
{
	unsigned version = DEFAULT_POLICY_VERSION;
	char node[PATH_MAX];
	char text[20] = { 0 };	/* zero-filled so the data read stays NUL-terminated */
	ssize_t nread;
	int fd;

	if (selinux_mnt == NULL) {
		errno = ENOENT;
		return -1;
	}

	snprintf(node, sizeof(node), "%s/policyvers", selinux_mnt);

	fd = open(node, O_RDONLY | O_CLOEXEC);
	if (fd < 0) {
		/* A missing node is not an error: fall back to the default. */
		if (errno != ENOENT)
			return -1;
		return version;
	}

	/* Leave the last byte untouched so text always ends in '\0'. */
	nread = read(fd, text, sizeof(text) - 1);
	close(fd);
	if (nread < 0)
		return -1;

	if (sscanf(text, "%u", &version) != 1)
		return -1;

	return version;
}
43 |
44 |
--------------------------------------------------------------------------------
/libselinux/src/reject_unknown.c:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 | #include
4 | #include
5 | #include
6 | #include
7 | #include "selinux_internal.h"
8 | #include "policy.h"
9 | #include
10 | #include
11 |
/*
 * Read the integer stored in the "reject_unknown" node under the selinuxfs
 * mount point.
 *
 * Returns the parsed value, or -1 on failure. errno is ENOENT when no
 * selinuxfs mount point is known; open()/read() failures keep the errno of
 * the failing call. An unparsable node yields -1 without errno being set
 * here. The value is passed through unmodified.
 */
int security_reject_unknown(void)
{
	char node[PATH_MAX];
	char text[20] = { 0 };	/* zero-filled so the data read stays NUL-terminated */
	ssize_t nread;
	int value = 0;
	int fd;

	if (selinux_mnt == NULL) {
		errno = ENOENT;
		return -1;
	}

	snprintf(node, sizeof(node), "%s/reject_unknown", selinux_mnt);

	fd = open(node, O_RDONLY | O_CLOEXEC);
	if (fd < 0)
		return -1;

	/* Leave the last byte untouched so text always ends in '\0'. */
	nread = read(fd, text, sizeof(text) - 1);
	close(fd);
	if (nread < 0)
		return -1;

	return (sscanf(text, "%d", &value) == 1) ? value : -1;
}
39 |
40 |
--------------------------------------------------------------------------------
/libselinux/src/selinux_internal.c:
--------------------------------------------------------------------------------
1 | #include "selinux_internal.h"
2 |
3 | #include
4 | #include
5 | #include
6 |
7 |
#ifndef HAVE_STRLCPY
/*
 * Fallback strlcpy() for C libraries that do not provide one.
 *
 * Copies at most size - 1 bytes of src into dest and always NUL-terminates
 * dest when size is non-zero; with size == 0 dest is not touched at all.
 * Returns strlen(src), so a return value >= size tells the caller that the
 * copy was truncated. src must be NUL-terminated because its full length is
 * measured regardless of size.
 */
size_t strlcpy(char *dest, const char *src, size_t size)
{
	const size_t srclen = strlen(src);
	size_t ncopy;

	if (size == 0)
		return srclen;

	/* Reserve one byte of dest for the terminator. */
	ncopy = (srclen < size) ? srclen : size - 1;
	memcpy(dest, src, ncopy);
	dest[ncopy] = '\0';

	return srclen;
}
#endif /* HAVE_STRLCPY */
21 |
#ifndef HAVE_REALLOCARRAY
/*
 * Fallback reallocarray() for C libraries that do not provide one.
 *
 * Resizes ptr to hold nmemb elements of size bytes each, refusing the
 * request when nmemb * size would overflow size_t. In that case NULL is
 * returned with errno set to ENOMEM and ptr is left untouched; otherwise
 * the result is whatever realloc() returns.
 */
void *reallocarray(void *ptr, size_t nmemb, size_t size)
{
	/* size == 0 cannot overflow and must not be used as a divisor. */
	if (size == 0 || nmemb <= SIZE_MAX / size)
		return realloc(ptr, nmemb * size);

	errno = ENOMEM;
	return NULL;
}
#endif /* HAVE_REALLOCARRAY */
33 |
--------------------------------------------------------------------------------
/libselinux/src/selinux_netlink.h:
--------------------------------------------------------------------------------
1 | /*
2 | * Netlink event notifications for SELinux.
3 | *
4 | * Author: James Morris
5 | */
6 | #ifndef _LINUX_SELINUX_NETLINK_H
7 | #define _LINUX_SELINUX_NETLINK_H
8 |
9 | /* Message types. */
10 | #define SELNL_MSG_BASE 0x10
11 | enum {
12 | SELNL_MSG_SETENFORCE = SELNL_MSG_BASE,
13 | SELNL_MSG_POLICYLOAD,
14 | SELNL_MSG_MAX
15 | };
16 |
17 | /* Multicast groups */
18 | #define SELNL_GRP_NONE 0x00000000
19 | #define SELNL_GRP_AVC 0x00000001 /* AVC notifications */
20 | #define SELNL_GRP_ALL 0xffffffff
21 |
22 | /* Message structures */
23 | struct selnl_msg_setenforce {
24 | int32_t val;
25 | };
26 |
27 | struct selnl_msg_policyload {
28 | uint32_t seqno;
29 | };
30 |
31 | #endif /* _LINUX_SELINUX_NETLINK_H */
32 |
--------------------------------------------------------------------------------
/libselinux/src/setenforce.c:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 | #include
4 | #include
5 | #include
6 | #include
7 | #include "selinux_internal.h"
8 | #include "policy.h"
9 | #include
10 | #include
11 |
/*
 * Request an enforcing-mode change by writing the decimal form of value to
 * the "enforce" node under the selinuxfs mount point.
 *
 * value is written as given; no range check is applied here.
 *
 * Returns 0 when the write succeeds and -1 otherwise. errno is ENOENT when
 * no selinuxfs mount point is known; otherwise it is left as set by the
 * failing open() or write(). A refused request shows up only as -1, so
 * callers must check the return value instead of assuming the mode changed.
 */
int security_setenforce(int value)
{
	char node[PATH_MAX];
	char text[20];
	ssize_t written;
	int fd;

	if (selinux_mnt == NULL) {
		errno = ENOENT;
		return -1;
	}

	snprintf(node, sizeof(node), "%s/enforce", selinux_mnt);

	fd = open(node, O_RDWR | O_CLOEXEC);
	if (fd < 0)
		return -1;

	/* The buffer is large enough for any int, so text is never truncated. */
	snprintf(text, sizeof(text), "%d", value);
	written = write(fd, text, strlen(text));
	close(fd);

	return (written < 0) ? -1 : 0;
}
36 |
37 |
--------------------------------------------------------------------------------
/libselinux/src/setrans_internal.h:
--------------------------------------------------------------------------------
1 | /* Author: Trusted Computer Solutions, Inc. */
2 | #include
3 |
4 | #define SETRANS_UNIX_SOCKET SELINUX_TRANS_DIR "/.setrans-unix"
5 |
6 | #define RAW_TO_TRANS_CONTEXT 2
7 | #define TRANS_TO_RAW_CONTEXT 3
8 | #define RAW_CONTEXT_TO_COLOR 4
9 | #define MAX_DATA_BUF 8192
10 |
11 |
--------------------------------------------------------------------------------
/libselinux/src/setup.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/python3
2 |
3 | from setuptools import Extension, setup
4 |
def _common_build_options():
    """Return fresh build options shared by both extension modules.

    Headers come from the in-tree include directory and libselinux is
    linked from the current directory.
    """
    return {
        'include_dirs': ['../include'],
        'library_dirs': ['.'],
        'libraries': ['selinux'],
    }


# SWIG-generated binding for libselinux.
_swig_binding = Extension(
    'selinux._selinux',
    sources=['selinuxswig_python.i'],
    **_common_build_options()
)

# audit2why links libsepol statically and restricts its exported symbols
# with the audit2why.map linker version script.
_audit2why = Extension(
    'selinux.audit2why',
    sources=['audit2why.c'],
    extra_link_args=['-l:libsepol.a', '-Wl,--version-script=audit2why.map'],
    **_common_build_options()
)

setup(
    name="selinux",
    version="3.8.1",
    description="SELinux python 3 bindings",
    author="SELinux Project",
    author_email="selinux@vger.kernel.org",
    ext_modules=[_swig_binding, _audit2why],
)
25 |
--------------------------------------------------------------------------------
/libselinux/utils/.gitignore:
--------------------------------------------------------------------------------
1 | avcstat
2 | compute_av
3 | compute_create
4 | compute_member
5 | compute_relabel
6 | compute_user
7 | getconlist
8 | getdefaultcon
9 | getenforce
10 | getfilecon
11 | getpidcon
12 | getpidprevcon
13 | getpolicyload
14 | getsebool
15 | getseuser
16 | matchpathcon
17 | policyvers
18 | sefcontext_compile
19 | selabel_compare
20 | selabel_digest
21 | selabel_get_digests_all_partial_matches
22 | selabel_lookup
23 | selabel_lookup_best_match
24 | selabel_partial_match
25 | selinux_check_securetty_context
26 | selinuxenabled
27 | selinuxexeccon
28 | setenforce
29 | setfilecon
30 | togglesebool
31 | selinux_check_access
32 | validatetrans
33 |
--------------------------------------------------------------------------------
/libselinux/utils/getenforce.c:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 | #include
4 | #include
5 | #include
6 | #include
7 |
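/*
 * Print the current SELinux mode: "Enforcing", "Permissive" or "Disabled".
 *
 * Exit status is 0 when a mode was printed and 2 when either
 * is_selinux_enabled() or security_getenforce() reported an error, so a
 * script can tell "could not determine the mode" apart from a real answer.
 */
int main(int argc __attribute__ ((unused)),
	 char **argv __attribute__ ((unused)))
{
	int rc;

	rc = is_selinux_enabled();
	if (rc < 0) {
		/* Terminate the line like the other diagnostics in this tool. */
		fputs("getenforce: is_selinux_enabled() failed\n", stderr);
		return 2;
	}
	if (rc == 1) {
		rc = security_getenforce();
		if (rc < 0) {
			fprintf(stderr, "getenforce: security_getenforce() failed: %s\n", strerror(errno));
			return 2;
		}

		if (rc)
			puts("Enforcing");
		else
			puts("Permissive");
	} else {
		puts("Disabled");
	}

	return 0;
}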
35 |
--------------------------------------------------------------------------------
/libselinux/utils/getfilecon.c:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 | #include
4 | #include
5 | #include
6 | #include
7 |
/*
 * Print "<path>\t<context>" for every path given on the command line.
 *
 * Exit status: 1 on a usage error, 2 as soon as getfilecon() fails for a
 * path (remaining paths are not processed), 0 otherwise.
 */
int main(int argc, char **argv)
{
	char **arg;

	if (argc < 2) {
		fprintf(stderr, "usage: %s path...\n", argv[0]);
		exit(1);
	}

	for (arg = argv + 1; arg < argv + argc; arg++) {
		char *context;

		if (getfilecon(*arg, &context) < 0) {
			fprintf(stderr, "%s: getfilecon(%s) failed: %s\n", argv[0],
				*arg, strerror(errno));
			exit(2);
		}

		printf("%s\t%s\n", *arg, context);
		/* The context string is owned by the caller; release it each round. */
		freecon(context);
	}

	exit(EXIT_SUCCESS);
}
30 |
--------------------------------------------------------------------------------
/libselinux/utils/getpidcon.c:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 | #include
4 | #include
5 | #include
6 | #include
7 |
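/*
 * Print the SELinux context of the process whose pid is given as the only
 * argument.
 *
 * Exit status: 1 on a usage error, 2 when the argument is not a valid pid,
 * 3 when getpidcon() fails, 0 otherwise.
 */
int main(int argc, char **argv)
{
	char *end = NULL;
	char *buf;
	long parsed;
	pid_t pid;
	int rc;

	if (argc != 2) {
		fprintf(stderr, "usage: %s pid\n", argv[0]);
		exit(1);
	}

	/*
	 * Parse strictly: the whole argument must be a decimal number that
	 * fits in pid_t. Accepting a prefix such as "12abc", or a value that
	 * overflows, would report the context of a different process than the
	 * one the caller named.
	 */
	errno = 0;
	parsed = strtol(argv[1], &end, 10);
	pid = (pid_t) parsed;
	if (errno != 0 || end == argv[1] || *end != '\0' || (long) pid != parsed) {
		fprintf(stderr, "%s: invalid pid %s\n", argv[0], argv[1]);
		exit(2);
	}

	rc = getpidcon(pid, &buf);
	if (rc < 0) {
		fprintf(stderr, "%s: getpidcon() failed: %s\n", argv[0], strerror(errno));
		exit(3);
	}

	printf("%s\n", buf);
	freecon(buf);
	exit(EXIT_SUCCESS);
}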
34 |
--------------------------------------------------------------------------------
/libselinux/utils/getpidprevcon.c:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 | #include
4 | #include
5 | #include
6 | #include
7 |
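/*
 * Print the previous SELinux context of the process whose pid is given as
 * the only argument.
 *
 * Exit status: 1 on a usage error, 2 when the argument is not a valid pid,
 * 3 when getpidprevcon() fails, 0 otherwise.
 */
int main(int argc, char **argv)
{
	char *end = NULL;
	char *buf;
	long parsed;
	pid_t pid;
	int rc;

	if (argc != 2) {
		fprintf(stderr, "usage: %s pid\n", argv[0]);
		exit(1);
	}

	/*
	 * Parse strictly: the whole argument must be a decimal number that
	 * fits in pid_t. Accepting a prefix such as "12abc", or a value that
	 * overflows, would report the context of a different process than the
	 * one the caller named.
	 */
	errno = 0;
	parsed = strtol(argv[1], &end, 10);
	pid = (pid_t) parsed;
	if (errno != 0 || end == argv[1] || *end != '\0' || (long) pid != parsed) {
		fprintf(stderr, "%s: invalid pid %s\n", argv[0], argv[1]);
		exit(2);
	}

	rc = getpidprevcon(pid, &buf);
	if (rc < 0) {
		fprintf(stderr, "%s: getpidprevcon() failed: %s\n", argv[0], strerror(errno));
		exit(3);
	}

	printf("%s\n", buf);
	freecon(buf);
	exit(EXIT_SUCCESS);
}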
34 |
--------------------------------------------------------------------------------
/libselinux/utils/getpolicyload.c:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 |
4 | #include
5 |
6 |
/*
 * Print the policyload value reported by selinux_status_policyload().
 *
 * Exit status is EXIT_FAILURE when the status map cannot be opened or the
 * value cannot be read, EXIT_SUCCESS otherwise.
 */
int main(int argc __attribute__ ((unused)),
	 char* argv[] __attribute__ ((unused))) {
	int status = EXIT_SUCCESS;
	int policyload;

	/*
	 * Do not use netlink as fallback, since selinux_status_policyload(3)
	 * works only after a first message has been received.
	 */
	if (selinux_status_open(/*fallback=*/0) < 0) {
		fprintf(stderr, "%s: failed to open SELinux status map: %m\n", argv[0]);
		return EXIT_FAILURE;
	}

	policyload = selinux_status_policyload();
	if (policyload >= 0) {
		printf("%d\n", policyload);
	} else {
		fprintf(stderr, "%s: failed to read policyload from SELinux status page: %m\n", argv[0]);
		status = EXIT_FAILURE;
	}

	/* Close the status page on both the success and the failure path. */
	selinux_status_close();

	return status;
}
31 |
--------------------------------------------------------------------------------
/libselinux/utils/policyvers.c:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 | #include
4 | #include
5 | #include
6 | #include
7 |
/*
 * Print the policy version reported by security_policyvers().
 *
 * Exit status is 2 when the version cannot be determined, 0 otherwise.
 */
int main(int argc __attribute__ ((unused)), char **argv)
{
	const int version = security_policyvers();

	if (version < 0) {
		fprintf(stderr, "%s: security_policyvers() failed: %s\n", argv[0], strerror(errno));
		exit(2);
	}

	printf("%d\n", version);
	exit(EXIT_SUCCESS);
}
21 |
--------------------------------------------------------------------------------
/libselinux/utils/selinux_check_securetty_context.c:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 | #include
4 | #include
5 | #include
6 | #include
7 | #include
8 | #include
9 | #include
10 | #include
11 |
/*
 * Print the one-line usage message for progname to stderr and terminate
 * the process with exit status 1. Never returns.
 */
static __attribute__ ((__noreturn__)) void usage(const char *progname)
{
	fprintf(stderr, "usage: %s tty_context...\n", progname);

	exit(1);
}
17 |
/*
 * For every context given on the command line, print whether
 * selinux_check_securetty_context() accepts it.
 *
 * Only a return value of 0 is reported as "securetty"; every other result,
 * including any error the library call may signal, is reported as
 * "not securetty". The exit status is 0 regardless of the verdicts, so
 * scripts have to parse the output rather than test the exit code.
 */
int main(int argc, char **argv)
{
	int idx;

	if (argc < 2)
		usage(argv[0]);

	for (idx = 1; idx < argc; idx++) {
		if (selinux_check_securetty_context(argv[idx]) == 0)
			printf("%s securetty.\n", argv[idx]);
		else
			printf("%s not securetty.\n", argv[idx]);
	}

	return 0;
}
36 |
--------------------------------------------------------------------------------
/libselinux/utils/selinuxenabled.c:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 | #include
4 | #include
5 |
/*
 * Exit status is the logical negation of is_selinux_enabled():
 * 0 when it returns any non-zero value, 1 when it returns 0.
 *
 * NOTE(review): a negative return, if the library can produce one, would
 * also map to exit status 0 here -- confirm against is_selinux_enabled(3)
 * before gating anything on `selinuxenabled && ...`.
 */
int main(void)
{
	if (is_selinux_enabled())
		return 0;
	return 1;
}
10 |
--------------------------------------------------------------------------------
/libselinux/utils/setfilecon.c:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 | #include
4 | #include
5 | #include
6 | #include
7 |
/*
 * Apply the context in argv[1] to every path in argv[2..] with setfilecon().
 *
 * Exit status: 1 on a usage error, 2 on the first path that fails (later
 * paths are not attempted), EXIT_SUCCESS when every call succeeded.
 *
 * The context string is passed through unvalidated; accepting or rejecting
 * it is left to setfilecon().  setfilecon(3) follows symbolic links, so the
 * link target is what gets relabelled; lsetfilecon(3) is the variant that
 * labels the link itself.
 */
int main(int argc, char **argv)
{
	const char *context;
	int idx;

	if (argc < 3) {
		fprintf(stderr, "usage: %s context path...\n", argv[0]);
		exit(1);
	}

	context = argv[1];
	for (idx = 2; idx < argc; idx++) {
		const char *path = argv[idx];

		if (setfilecon(path, context) >= 0)
			continue;

		/* errno still belongs to the failed setfilecon() call here. */
		fprintf(stderr, "%s: setfilecon(%s,%s) failed: %s\n",
			argv[0], path, context, strerror(errno));
		exit(2);
	}
	exit(EXIT_SUCCESS);
}
27 |
--------------------------------------------------------------------------------
/libsemanage/.gitignore:
--------------------------------------------------------------------------------
1 | src/conf-parse.c
2 | src/conf-parse.h
3 | src/conf-scan.c
4 |
--------------------------------------------------------------------------------
/libsemanage/Makefile:
--------------------------------------------------------------------------------
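# Top-level libsemanage Makefile: every target only delegates to the
# sub-directory Makefiles through recursive make.

# None of these targets creates a file of the same name.  Declaring them
# phony keeps a stray file called e.g. "test" or "install" from turning the
# target into a silent no-op.
.PHONY: all swigify pywrap rubywrap install install-pywrap install-rubywrap \
	relabel clean distclean indent test

all:
	$(MAKE) -C src all

swigify:
	$(MAKE) -C src swigify

pywrap:
	$(MAKE) -C src pywrap

rubywrap:
	$(MAKE) -C src rubywrap

install:
	$(MAKE) -C include install
	$(MAKE) -C src install
	$(MAKE) -C man install
	$(MAKE) -C utils install

install-pywrap:
	$(MAKE) -C src install-pywrap

install-rubywrap:
	$(MAKE) -C src install-rubywrap

relabel:
	$(MAKE) -C src relabel

# $@ forwards whichever of the two goals was requested.
clean distclean:
	$(MAKE) -C src $@
	$(MAKE) -C tests $@

indent:
	$(MAKE) -C src $@
	$(MAKE) -C include $@

test: all
	$(MAKE) -C tests test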
38 |
--------------------------------------------------------------------------------
/libsemanage/VERSION:
--------------------------------------------------------------------------------
1 | 3.8.1
2 |
--------------------------------------------------------------------------------
/libsemanage/include/Makefile:
--------------------------------------------------------------------------------
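# Installation directories.
PREFIX ?= /usr
INCDIR ?= $(PREFIX)/include/semanage

# These goals never produce a file of the same name.
.PHONY: all install indent

all:

# Modes are given explicitly (755 for the directory, 644 for the headers),
# so the installed permissions do not depend on the installer's umask.
# The directory is only created when it is missing; an existing one is
# left as it is.
install: all
	test -d $(DESTDIR)$(INCDIR) || install -m 755 -d $(DESTDIR)$(INCDIR)
	install -m 644 $(wildcard semanage/*.h) $(DESTDIR)$(INCDIR)

indent:
	../../scripts/Lindent $(wildcard semanage/*.h)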
13 |
--------------------------------------------------------------------------------
/libsemanage/include/semanage/nodes_policy.h:
--------------------------------------------------------------------------------
1 | /* Copyright (C) 2005 Red Hat, Inc. */
2 |
3 | #ifndef _SEMANAGE_NODES_POLICY_H_
4 | #define _SEMANAGE_NODES_POLICY_H_
5 |
6 | #include
7 | #include
8 |
/*
 * Query-style accessors for node records.  Every call takes the semanage
 * handle first, returns an int status and hands its result back through
 * the trailing out-parameter(s).
 *
 * NOTE(review): the status values and the ownership of returned records
 * are not visible in this header, and the purposes below are read off the
 * function names -- confirm against semanage_query(3), semanage_exists(3),
 * semanage_count(3), semanage_iterate(3) and semanage_list(3).
 */

/* Presumably fetches the record matching `key` into `*response`. */
extern int semanage_node_query(semanage_handle_t *handle,
			       const semanage_node_key_t *key,
			       semanage_node_t **response);

/* Presumably reports through `*response` whether `key` has a record. */
extern int semanage_node_exists(semanage_handle_t *handle,
				const semanage_node_key_t *key,
				int *response);

/* Presumably stores the number of records in `*response`. */
extern int semanage_node_count(semanage_handle_t *handle,
			       unsigned int *response);

/*
 * Takes a callback that receives a const record and an opaque pointer;
 * presumably it is invoked per record with `handler_arg` as `varg`.
 */
extern int semanage_node_iterate(semanage_handle_t *handle,
				 int (*handler) (const semanage_node_t *record,
						 void *varg),
				 void *handler_arg);

/* Presumably returns the records in `*records` and their number in `*count`. */
extern int semanage_node_list(semanage_handle_t *handle,
			      semanage_node_t ***records,
			      unsigned int *count);
26 |
27 | #endif
28 |
--------------------------------------------------------------------------------
/libsemanage/include/semanage/ports_policy.h:
--------------------------------------------------------------------------------
1 | /* Copyright (C) 2005 Red Hat, Inc. */
2 |
3 | #ifndef _SEMANAGE_PORTS_POLICY_H_
4 | #define _SEMANAGE_PORTS_POLICY_H_
5 |
6 | #include
7 | #include
8 |
/*
 * Query-style accessors for port records.  Every call takes the semanage
 * handle first, returns an int status and hands its result back through
 * the trailing out-parameter(s).
 *
 * NOTE(review): the status values and the ownership of returned records
 * are not visible in this header, and the purposes below are read off the
 * function names -- confirm against semanage_query(3), semanage_exists(3),
 * semanage_count(3), semanage_iterate(3) and semanage_list(3).
 */

/* Presumably fetches the record matching `key` into `*response`. */
extern int semanage_port_query(semanage_handle_t *handle,
			       const semanage_port_key_t *key,
			       semanage_port_t **response);

/* Presumably reports through `*response` whether `key` has a record. */
extern int semanage_port_exists(semanage_handle_t *handle,
				const semanage_port_key_t *key,
				int *response);

/* Presumably stores the number of records in `*response`. */
extern int semanage_port_count(semanage_handle_t *handle,
			       unsigned int *response);

/*
 * Takes a callback that receives a const record and an opaque pointer;
 * presumably it is invoked per record with `handler_arg` as `varg`.
 */
extern int semanage_port_iterate(semanage_handle_t *handle,
				 int (*handler) (const semanage_port_t *record,
						 void *varg),
				 void *handler_arg);

/* Presumably returns the records in `*records` and their number in `*count`. */
extern int semanage_port_list(semanage_handle_t *handle,
			      semanage_port_t ***records,
			      unsigned int *count);
26 |
27 | #endif
28 |
--------------------------------------------------------------------------------
/libsemanage/include/semanage/users_policy.h:
--------------------------------------------------------------------------------
1 | /* Copyright (C) 2005 Red Hat, Inc. */
2 |
3 | #ifndef _SEMANAGE_USERS_POLICY_H_
4 | #define _SEMANAGE_USERS_POLICY_H_
5 |
6 | #include
7 | #include
8 |
/*
 * Query-style accessors for user records.  Every call takes the semanage
 * handle first, returns an int status and hands its result back through
 * the trailing out-parameter(s).
 *
 * NOTE(review): the status values and the ownership of returned records
 * are not visible in this header, and the purposes below are read off the
 * function names -- confirm against semanage_query(3), semanage_exists(3),
 * semanage_count(3), semanage_iterate(3) and semanage_list(3).
 */

/* Presumably fetches the record matching `key` into `*response`. */
extern int semanage_user_query(semanage_handle_t *handle,
			       const semanage_user_key_t *key,
			       semanage_user_t **response);

/* Presumably reports through `*response` whether `key` has a record. */
extern int semanage_user_exists(semanage_handle_t *handle,
				const semanage_user_key_t *key,
				int *response);

/* Presumably stores the number of records in `*response`. */
extern int semanage_user_count(semanage_handle_t *handle,
			       unsigned int *response);

/*
 * Takes a callback that receives a const record and an opaque pointer;
 * presumably it is invoked per record with `handler_arg` as `varg`.
 */
extern int semanage_user_iterate(semanage_handle_t *handle,
				 int (*handler) (const semanage_user_t *record,
						 void *varg),
				 void *handler_arg);

/* Presumably returns the records in `*records` and their number in `*count`. */
extern int semanage_user_list(semanage_handle_t *handle,
			      semanage_user_t ***records,
			      unsigned int *count);
26 |
27 | #endif
28 |
--------------------------------------------------------------------------------
/libsemanage/man/Makefile:
--------------------------------------------------------------------------------
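# Installation directories.
# LINGUAS is empty by default, so translated pages are installed only when
# the caller lists language directories explicitly.
LINGUAS ?=
PREFIX ?= /usr
MANDIR ?= $(PREFIX)/share/man
MAN3SUBDIR ?= man3
MAN5SUBDIR ?= man5
MAN3DIR ?= $(MANDIR)/$(MAN3SUBDIR)
MAN5DIR ?= $(MANDIR)/$(MAN5SUBDIR)

# These goals never produce a file of the same name.
.PHONY: all install

all:

# Directories are created with an explicit mode (755) and only when they are
# missing, matching include/Makefile.  A plain `mkdir -p` would derive the
# mode from the installer's umask, which can leave the man directories
# either unreadable or writable by other users.
install: all
	test -d $(DESTDIR)$(MAN3DIR) || install -m 755 -d $(DESTDIR)$(MAN3DIR)
	test -d $(DESTDIR)$(MAN5DIR) || install -m 755 -d $(DESTDIR)$(MAN5DIR)
	install -m 644 man3/*.3 $(DESTDIR)$(MAN3DIR)
	install -m 644 man5/*.5 $(DESTDIR)$(MAN5DIR)
	for lang in $(LINGUAS) ; do \
		if [ -e $${lang}/man3 ] ; then \
			test -d $(DESTDIR)$(MANDIR)/$${lang}/$(MAN3SUBDIR) || \
				install -m 755 -d $(DESTDIR)$(MANDIR)/$${lang}/$(MAN3SUBDIR) ; \
			install -m 644 $${lang}/man3/*.3 $(DESTDIR)$(MANDIR)/$${lang}/$(MAN3SUBDIR) ; \
		fi ; \
		if [ -e $${lang}/man5 ] ; then \
			test -d $(DESTDIR)$(MANDIR)/$${lang}/$(MAN5SUBDIR) || \
				install -m 755 -d $(DESTDIR)$(MANDIR)/$${lang}/$(MAN5SUBDIR) ; \
			install -m 644 $${lang}/man5/*.5 $(DESTDIR)$(MANDIR)/$${lang}/$(MAN5SUBDIR) ; \
		fi ; \
	done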
27 |
--------------------------------------------------------------------------------
/libsemanage/man/man3/semanage_bool_count.3:
--------------------------------------------------------------------------------
1 | .so man3/semanage_count.3
2 |
--------------------------------------------------------------------------------
/libsemanage/man/man3/semanage_bool_count_active.3:
--------------------------------------------------------------------------------
1 | .so man3/semanage_count.3
2 |
--------------------------------------------------------------------------------
/libsemanage/man/man3/semanage_bool_count_local.3:
--------------------------------------------------------------------------------
1 | .so man3/semanage_count.3
2 |
--------------------------------------------------------------------------------
/libsemanage/man/man3/semanage_bool_del_local.3:
--------------------------------------------------------------------------------
1 | .so man3/semanage_del.3
2 |
--------------------------------------------------------------------------------
/libsemanage/man/man3/semanage_bool_exists.3:
--------------------------------------------------------------------------------
1 | .so man3/semanage_exists.3
2 |
--------------------------------------------------------------------------------
/libsemanage/man/man3/semanage_bool_exists_active.3:
--------------------------------------------------------------------------------
1 | .so man3/semanage_exists.3
2 |
--------------------------------------------------------------------------------
/libsemanage/man/man3/semanage_bool_exists_local.3:
--------------------------------------------------------------------------------
1 | .so man3/semanage_exists.3
2 |
--------------------------------------------------------------------------------
/libsemanage/man/man3/semanage_bool_iterate.3:
--------------------------------------------------------------------------------
1 | .so man3/semanage_iterate.3
2 |
--------------------------------------------------------------------------------
/libsemanage/man/man3/semanage_bool_iterate_active.3:
--------------------------------------------------------------------------------
1 | .so man3/semanage_iterate.3
2 |
--------------------------------------------------------------------------------
/libsemanage/man/man3/semanage_bool_iterate_local.3:
--------------------------------------------------------------------------------
1 | .so man3/semanage_iterate.3
2 |
--------------------------------------------------------------------------------
/libsemanage/man/man3/semanage_bool_list.3:
--------------------------------------------------------------------------------
1 | .so man3/semanage_list.3
2 |
--------------------------------------------------------------------------------
/libsemanage/man/man3/semanage_bool_list_active.3:
--------------------------------------------------------------------------------
1 | .so man3/semanage_list.3
2 |
--------------------------------------------------------------------------------
/libsemanage/man/man3/semanage_bool_list_local.3:
--------------------------------------------------------------------------------
1 | .so man3/semanage_list.3
2 |
--------------------------------------------------------------------------------
/libsemanage/man/man3/semanage_bool_modify_local.3:
--------------------------------------------------------------------------------
1 | .so man3/semanage_modify.3
2 |
--------------------------------------------------------------------------------
/libsemanage/man/man3/semanage_bool_query.3:
--------------------------------------------------------------------------------
1 | .so man3/semanage_query.3
2 |
--------------------------------------------------------------------------------
/libsemanage/man/man3/semanage_bool_query_active.3:
--------------------------------------------------------------------------------
1 | .so man3/semanage_query.3
2 |
--------------------------------------------------------------------------------
/libsemanage/man/man3/semanage_bool_query_local.3:
--------------------------------------------------------------------------------
1 | .so man3/semanage_query.3
2 |
--------------------------------------------------------------------------------
/libsemanage/man/man3/semanage_fcontext_count.3:
--------------------------------------------------------------------------------
1 | .so man3/semanage_count.3
2 |
--------------------------------------------------------------------------------
/libsemanage/man/man3/semanage_fcontext_count_local.3:
--------------------------------------------------------------------------------
1 | .so man3/semanage_count.3
2 |
--------------------------------------------------------------------------------
/libsemanage/man/man3/semanage_fcontext_del_local.3:
--------------------------------------------------------------------------------
1 | .so man3/semanage_del.3
2 |
--------------------------------------------------------------------------------
/libsemanage/man/man3/semanage_fcontext_exists.3:
--------------------------------------------------------------------------------
1 | .so man3/semanage_exists.3
2 |
--------------------------------------------------------------------------------
/libsemanage/man/man3/semanage_fcontext_exists_local.3:
--------------------------------------------------------------------------------
1 | .so man3/semanage_exists.3
2 |
--------------------------------------------------------------------------------
/libsemanage/man/man3/semanage_fcontext_iterate.3:
--------------------------------------------------------------------------------
1 | .so man3/semanage_iterate.3
2 |
--------------------------------------------------------------------------------
/libsemanage/man/man3/semanage_fcontext_iterate_local.3:
--------------------------------------------------------------------------------
1 | .so man3/semanage_iterate.3
2 |
--------------------------------------------------------------------------------
/libsemanage/man/man3/semanage_fcontext_list.3:
--------------------------------------------------------------------------------
1 | .so man3/semanage_list.3
2 |
--------------------------------------------------------------------------------
/libsemanage/man/man3/semanage_fcontext_list_local.3:
--------------------------------------------------------------------------------
1 | .so man3/semanage_list.3
2 |
--------------------------------------------------------------------------------
/libsemanage/man/man3/semanage_fcontext_modify_local.3:
--------------------------------------------------------------------------------
1 | .so man3/semanage_modify.3
2 |
--------------------------------------------------------------------------------
/libsemanage/man/man3/semanage_fcontext_query.3:
--------------------------------------------------------------------------------
1 | .so man3/semanage_query.3
2 |
--------------------------------------------------------------------------------
/libsemanage/man/man3/semanage_fcontext_query_local.3:
--------------------------------------------------------------------------------
1 | .so man3/semanage_query.3
2 |
--------------------------------------------------------------------------------
/libsemanage/man/man3/semanage_iface_count.3:
--------------------------------------------------------------------------------
1 | .so man3/semanage_count.3
2 |
--------------------------------------------------------------------------------
/libsemanage/man/man3/semanage_iface_count_local.3:
--------------------------------------------------------------------------------
1 | .so man3/semanage_count.3
2 |
--------------------------------------------------------------------------------
/libsemanage/man/man3/semanage_iface_del_local.3:
--------------------------------------------------------------------------------
1 | .so man3/semanage_del.3
2 |
--------------------------------------------------------------------------------
/libsemanage/man/man3/semanage_iface_exists.3:
--------------------------------------------------------------------------------
1 | .so man3/semanage_exists.3
2 |
--------------------------------------------------------------------------------
/libsemanage/man/man3/semanage_iface_exists_local.3:
--------------------------------------------------------------------------------
1 | .so man3/semanage_exists.3
2 |
--------------------------------------------------------------------------------
/libsemanage/man/man3/semanage_iface_iterate.3:
--------------------------------------------------------------------------------
1 | .so man3/semanage_iterate.3
2 |
--------------------------------------------------------------------------------
/libsemanage/man/man3/semanage_iface_iterate_local.3:
--------------------------------------------------------------------------------
1 | .so man3/semanage_iterate.3
2 |
--------------------------------------------------------------------------------
/libsemanage/man/man3/semanage_iface_list.3:
--------------------------------------------------------------------------------
1 | .so man3/semanage_list.3
2 |
--------------------------------------------------------------------------------
/libsemanage/man/man3/semanage_iface_list_local.3:
--------------------------------------------------------------------------------
1 | .so man3/semanage_list.3
2 |
--------------------------------------------------------------------------------
/libsemanage/man/man3/semanage_iface_modify_local.3:
--------------------------------------------------------------------------------
1 | .so man3/semanage_modify.3
2 |
--------------------------------------------------------------------------------
/libsemanage/man/man3/semanage_iface_query.3:
--------------------------------------------------------------------------------
1 | .so man3/semanage_query.3
2 |
--------------------------------------------------------------------------------
/libsemanage/man/man3/semanage_iface_query_local.3:
--------------------------------------------------------------------------------
1 | .so man3/semanage_query.3
2 |
--------------------------------------------------------------------------------
/libsemanage/man/man3/semanage_node_count.3:
--------------------------------------------------------------------------------
1 | .so man3/semanage_count.3
2 |
--------------------------------------------------------------------------------
/libsemanage/man/man3/semanage_node_count_local.3:
--------------------------------------------------------------------------------
1 | .so man3/semanage_count.3
2 |
--------------------------------------------------------------------------------
/libsemanage/man/man3/semanage_node_del_local.3:
--------------------------------------------------------------------------------
1 | .so man3/semanage_del.3
2 |
--------------------------------------------------------------------------------
/libsemanage/man/man3/semanage_node_exists.3:
--------------------------------------------------------------------------------
1 | .so man3/semanage_exists.3
2 |
--------------------------------------------------------------------------------
/libsemanage/man/man3/semanage_node_exists_local.3:
--------------------------------------------------------------------------------
1 | .so man3/semanage_exists.3
2 |
--------------------------------------------------------------------------------
/libsemanage/man/man3/semanage_node_iterate.3:
--------------------------------------------------------------------------------
1 | .so man3/semanage_iterate.3
2 |
--------------------------------------------------------------------------------
/libsemanage/man/man3/semanage_node_iterate_local.3:
--------------------------------------------------------------------------------
1 | .so man3/semanage_iterate.3
2 |
--------------------------------------------------------------------------------
/libsemanage/man/man3/semanage_node_list.3:
--------------------------------------------------------------------------------
1 | .so man3/semanage_list.3
2 |
--------------------------------------------------------------------------------
/libsemanage/man/man3/semanage_node_list_local.3:
--------------------------------------------------------------------------------
1 | .so man3/semanage_list.3
2 |
--------------------------------------------------------------------------------
/libsemanage/man/man3/semanage_node_modify_local.3:
--------------------------------------------------------------------------------
1 | .so man3/semanage_modify.3
2 |
--------------------------------------------------------------------------------
/libsemanage/man/man3/semanage_node_query.3:
--------------------------------------------------------------------------------
1 | .so man3/semanage_query.3
2 |
--------------------------------------------------------------------------------
/libsemanage/man/man3/semanage_node_query_local.3:
--------------------------------------------------------------------------------
1 | .so man3/semanage_query.3
2 |
--------------------------------------------------------------------------------
/libsemanage/man/man3/semanage_port_count.3:
--------------------------------------------------------------------------------
1 | .so man3/semanage_count.3
2 |
--------------------------------------------------------------------------------
/libsemanage/man/man3/semanage_port_count_local.3:
--------------------------------------------------------------------------------
1 | .so man3/semanage_count.3
2 |
--------------------------------------------------------------------------------
/libsemanage/man/man3/semanage_port_del_local.3:
--------------------------------------------------------------------------------
1 | .so man3/semanage_del.3
2 |
--------------------------------------------------------------------------------
/libsemanage/man/man3/semanage_port_exists.3:
--------------------------------------------------------------------------------
1 | .so man3/semanage_exists.3
2 |
--------------------------------------------------------------------------------
/libsemanage/man/man3/semanage_port_exists_local.3:
--------------------------------------------------------------------------------
1 | .so man3/semanage_exists.3
2 |
--------------------------------------------------------------------------------
/libsemanage/man/man3/semanage_port_iterate.3:
--------------------------------------------------------------------------------
1 | .so man3/semanage_iterate.3
2 |
--------------------------------------------------------------------------------
/libsemanage/man/man3/semanage_port_iterate_local.3:
--------------------------------------------------------------------------------
1 | .so man3/semanage_iterate.3
2 |
--------------------------------------------------------------------------------
/libsemanage/man/man3/semanage_port_list.3:
--------------------------------------------------------------------------------
1 | .so man3/semanage_list.3
2 |
--------------------------------------------------------------------------------
/libsemanage/man/man3/semanage_port_list_local.3:
--------------------------------------------------------------------------------
1 | .so man3/semanage_list.3
2 |
--------------------------------------------------------------------------------
/libsemanage/man/man3/semanage_port_modify_local.3:
--------------------------------------------------------------------------------
1 | .so man3/semanage_modify.3
2 |
--------------------------------------------------------------------------------
/libsemanage/man/man3/semanage_port_query.3:
--------------------------------------------------------------------------------
1 | .so man3/semanage_query.3
2 |
--------------------------------------------------------------------------------
/libsemanage/man/man3/semanage_port_query_local.3:
--------------------------------------------------------------------------------
1 | .so man3/semanage_query.3
2 |
--------------------------------------------------------------------------------
/libsemanage/man/man3/semanage_seuser_count.3:
--------------------------------------------------------------------------------
1 | .so man3/semanage_count.3
2 |
--------------------------------------------------------------------------------
/libsemanage/man/man3/semanage_seuser_count_local.3:
--------------------------------------------------------------------------------
1 | .so man3/semanage_count.3
2 |
--------------------------------------------------------------------------------
/libsemanage/man/man3/semanage_seuser_del_local.3:
--------------------------------------------------------------------------------
1 | .so man3/semanage_del.3
2 |
--------------------------------------------------------------------------------
/libsemanage/man/man3/semanage_seuser_exists.3:
--------------------------------------------------------------------------------
1 | .so man3/semanage_exists.3
2 |
--------------------------------------------------------------------------------
/libsemanage/man/man3/semanage_seuser_exists_local.3:
--------------------------------------------------------------------------------
1 | .so man3/semanage_exists.3
2 |
--------------------------------------------------------------------------------
/libsemanage/man/man3/semanage_seuser_iterate.3:
--------------------------------------------------------------------------------
1 | .so man3/semanage_iterate.3
2 |
--------------------------------------------------------------------------------
/libsemanage/man/man3/semanage_seuser_iterate_local.3:
--------------------------------------------------------------------------------
1 | .so man3/semanage_iterate.3
2 |
--------------------------------------------------------------------------------
/libsemanage/man/man3/semanage_seuser_list.3:
--------------------------------------------------------------------------------
1 | .so man3/semanage_list.3
2 |
--------------------------------------------------------------------------------
/libsemanage/man/man3/semanage_seuser_list_local.3:
--------------------------------------------------------------------------------
1 | .so man3/semanage_list.3
2 |
--------------------------------------------------------------------------------
/libsemanage/man/man3/semanage_seuser_modify_local.3:
--------------------------------------------------------------------------------
1 | .so man3/semanage_modify.3
2 |
--------------------------------------------------------------------------------
/libsemanage/man/man3/semanage_seuser_query.3:
--------------------------------------------------------------------------------
1 | .so man3/semanage_query.3
2 |
--------------------------------------------------------------------------------
/libsemanage/man/man3/semanage_seuser_query_local.3:
--------------------------------------------------------------------------------
1 | .so man3/semanage_query.3
2 |
--------------------------------------------------------------------------------
/libsemanage/man/man3/semanage_user_count.3:
--------------------------------------------------------------------------------
1 | .so man3/semanage_count.3
2 |
--------------------------------------------------------------------------------
/libsemanage/man/man3/semanage_user_count_local.3:
--------------------------------------------------------------------------------
1 | .so man3/semanage_count.3
2 |
--------------------------------------------------------------------------------
/libsemanage/man/man3/semanage_user_del_local.3:
--------------------------------------------------------------------------------
1 | .so man3/semanage_del.3
2 |
--------------------------------------------------------------------------------
/libsemanage/man/man3/semanage_user_exists.3:
--------------------------------------------------------------------------------
1 | .so man3/semanage_exists.3
2 |
--------------------------------------------------------------------------------
/libsemanage/man/man3/semanage_user_exists_local.3:
--------------------------------------------------------------------------------
1 | .so man3/semanage_exists.3
2 |
--------------------------------------------------------------------------------
/libsemanage/man/man3/semanage_user_iterate.3:
--------------------------------------------------------------------------------
1 | .so man3/semanage_iterate.3
2 |
--------------------------------------------------------------------------------
/libsemanage/man/man3/semanage_user_iterate_local.3:
--------------------------------------------------------------------------------
1 | .so man3/semanage_iterate.3
2 |
--------------------------------------------------------------------------------
/libsemanage/man/man3/semanage_user_list.3:
--------------------------------------------------------------------------------
1 | .so man3/semanage_list.3
2 |
--------------------------------------------------------------------------------
/libsemanage/man/man3/semanage_user_list_local.3:
--------------------------------------------------------------------------------
1 | .so man3/semanage_list.3
2 |
--------------------------------------------------------------------------------
/libsemanage/man/man3/semanage_user_modify_local.3:
--------------------------------------------------------------------------------
1 | .so man3/semanage_modify.3
2 |
--------------------------------------------------------------------------------
/libsemanage/man/man3/semanage_user_query.3:
--------------------------------------------------------------------------------
1 | .so man3/semanage_query.3
2 |
--------------------------------------------------------------------------------
/libsemanage/man/man3/semanage_user_query_local.3:
--------------------------------------------------------------------------------
1 | .so man3/semanage_query.3
2 |
--------------------------------------------------------------------------------
/libsemanage/src/.gitignore:
--------------------------------------------------------------------------------
1 | semanageswig_wrap.c
2 | semanage.py
3 | semanageswig_ruby_wrap.c
4 |
--------------------------------------------------------------------------------
/libsemanage/src/exception.sh:
--------------------------------------------------------------------------------
# Print a SWIG %exception block for the function named in $1.
# The generated wrapper raises OSError from errno and jumps to SWIG_fail
# whenever the wrapped call leaves a negative value in `result`.
except() {
	# Unquoted here-document: $1 is expanded, \$action stays a literal
	# "$action" for SWIG.  The empty first line reproduces the leading
	# newline of the block.
	cat <<EOF

%exception $1 {
\$action
if (result < 0) {
PyErr_SetFromErrno(PyExc_OSError);
SWIG_fail;
}
}
EOF
}
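# Compile semanage.h from stdin only to obtain the compiler's -aux-info
# prototype dump, then emit one %exception block per "extern int" function.
# temp.o and temp.aux are scratch files in the current directory.
# ${CC:-gcc} is left unquoted on purpose so that a CC holding several words
# (a wrapper plus the compiler, say) still splits into a command line.
if ! ${CC:-gcc} -x c -c -I../include -o temp.o - -aux-info temp.aux < ../include/semanage/semanage.h
then
	# clang does not support -aux-info so fall back to gcc
	# NOTE(review): the result of this fallback is not checked in this
	# script.  If it fails as well, awk has no temp.aux to read and no
	# %exception block is written, so the generated bindings would carry
	# no errno-to-exception translation -- confirm the caller notices.
	gcc -x c -c -I../include -o temp.o - -aux-info temp.aux < ../include/semanage/semanage.h
fi

# Field 6 of a matching -aux-info line is taken as the function name.
for fn in $(awk '/extern int/ { print $6 }' temp.aux); do
	except "$fn"
done

rm -f -- temp.aux temp.o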
18 |
--------------------------------------------------------------------------------
/libsemanage/src/fcontext_internal.h:
--------------------------------------------------------------------------------
1 | #ifndef _SEMANAGE_FCONTEXT_INTERNAL_H_
2 | #define _SEMANAGE_FCONTEXT_INTERNAL_H_
3 |
4 | #include
5 | #include
6 | #include
7 | #include
8 | #include "database.h"
9 | #include "handle.h"
10 |
/* FCONTEXT RECORD: method table */
extern const record_table_t SEMANAGE_FCONTEXT_RTABLE;

/*
 * Init/release pair for the file-backed fcontext database configuration.
 * NOTE(review): going by the parameter names, path_ro and path_rw are the
 * read-only and read-write backing files -- confirm in the definition,
 * together with who is expected to call the release function.
 */
extern int fcontext_file_dbase_init(semanage_handle_t *handle,
				    const char *path_ro,
				    const char *path_rw,
				    dbase_config_t *dconfig);

extern void fcontext_file_dbase_release(dbase_config_t *dconfig);

/*
 * Presumably checks the local fcontext records against `policydb`, which
 * is taken as const; confirm the status convention in the definition.
 */
extern int semanage_fcontext_validate_local(semanage_handle_t *handle,
					    const sepol_policydb_t *policydb);
24 |
25 | #endif
26 |
--------------------------------------------------------------------------------
/libsemanage/src/iface_internal.h:
--------------------------------------------------------------------------------
1 | #ifndef _SEMANAGE_IFACE_INTERNAL_H_
2 | #define _SEMANAGE_IFACE_INTERNAL_H_
3 |
4 | #include
5 | #include
6 | #include
7 | #include "database.h"
8 | #include "handle.h"
9 |
/* IFACE RECORD: method table */
extern const record_table_t SEMANAGE_IFACE_RTABLE;

/*
 * Init/release pair for the policydb-backed iface database configuration.
 * Unlike the file-backed variant below it takes no path arguments.
 */
extern int iface_policydb_dbase_init(semanage_handle_t *handle,
				     dbase_config_t *dconfig);

extern void iface_policydb_dbase_release(dbase_config_t *dconfig);

/*
 * Init/release pair for the file-backed iface database configuration.
 * NOTE(review): going by the parameter names, path_ro and path_rw are the
 * read-only and read-write backing files -- confirm in the definition.
 */
extern int iface_file_dbase_init(semanage_handle_t *handle,
				 const char *path_ro,
				 const char *path_rw,
				 dbase_config_t *dconfig);

extern void iface_file_dbase_release(dbase_config_t *dconfig);
24 |
25 | #endif
26 |
--------------------------------------------------------------------------------
/libsemanage/src/libsemanage.pc.in:
--------------------------------------------------------------------------------
    # pkg-config template for libsemanage. The @prefix@, @libdir@,
    # @includedir@ and @VERSION@ tokens are placeholders, presumably
    # substituted by the build before the .pc file is installed.
1 | prefix=@prefix@
2 | exec_prefix=${prefix}
3 | libdir=@libdir@
4 | includedir=@includedir@
5 |
6 | Name: libsemanage
7 | Description: SELinux management library
8 | Version: @VERSION@
    # NOTE(review): the URL below is plain http; check whether an https
    # address exists for the project page.
9 | URL: http://userspace.selinuxproject.org/
     # The .private fields are only consulted for static linking
     # (pkg-config --static): libselinux, libsepol and -lbz2.
10 | Requires.private: libselinux libsepol
11 | Libs: -L${libdir} -lsemanage
12 | Libs.private: -lbz2
13 | Cflags: -I${includedir}
14 |
--------------------------------------------------------------------------------
/libsemanage/src/seuser_internal.h:
--------------------------------------------------------------------------------
1 | #ifndef _SEMANAGE_SEUSER_INTERNAL_H_
2 | #define _SEMANAGE_SEUSER_INTERNAL_H_
3 |
4 | #include
5 | #include
6 | #include
7 | #include
8 | #include "database.h"
9 | #include "handle.h"
10 |
11 | /* SEUSER RECORD: method table */
12 | extern const record_table_t SEMANAGE_SEUSER_RTABLE;
13 |
     /* Declares the initializer for the file-backed seuser database.
      * Takes a read-only path, a read-write path and a dbase_config_t;
      * the body and the return-value convention are not visible here. */
14 | extern int seuser_file_dbase_init(semanage_handle_t * handle,
15 | const char *path_ro,
16 | const char *path_rw,
17 | dbase_config_t * dconfig);
18 |
     /* Release counterpart for the file-backed seuser database config
      * (presumably undoes the matching init; implementation not shown). */
19 | extern void seuser_file_dbase_release(dbase_config_t * dconfig);
20 |
     /* Declares a validation pass for local seuser records against a
      * policydb taken as const (not modified through this pointer).
      * NOTE(review): the checks themselves are not visible in this header;
      * confirm in the implementation that login-to-SELinux-user mappings are
      * validated before they are committed. */
21 | extern int semanage_seuser_validate_local(semanage_handle_t * handle,
22 | const sepol_policydb_t *
23 | policydb);
24 |
25 | #endif
26 |
--------------------------------------------------------------------------------
/libsemanage/tests/.gitignore:
--------------------------------------------------------------------------------
1 | libsemanage-tests
2 | *.policy
3 |
--------------------------------------------------------------------------------
/libsemanage/tests/Makefile:
--------------------------------------------------------------------------------
    # Builds the libsemanage unit-test binary from every *.c file in this
    # directory and compiles every *.cil fixture into a binary policy.
1 | # Add your test source files here:
2 | SOURCES = $(sort $(wildcard *.c))
3 | CILS = $(sort $(wildcard *.cil))
4 |
5 | ###########################################################################
6 |
7 | EXECUTABLE = libsemanage-tests
    # Test build flags: debug info, no optimisation, extra warnings.
8 | CFLAGS += -g -O0 -Wall -W -Wundef -Wmissing-noreturn -Wmissing-format-attribute
    # 'override' appends these even when CFLAGS/LDLIBS are given on the
    # make command line.
9 | override CFLAGS += -I../src -I../include
10 | override LDLIBS += -lcunit -lbz2 -laudit -lselinux -lsepol
11 |
12 | OBJECTS = $(SOURCES:.c=.o)
13 | POLICIES = $(CILS:.cil=.policy)
14 |
15 | all: $(EXECUTABLE) $(POLICIES)
16 |
     # The test binary links the static library from ../src, so the tests
     # exercise the in-tree build rather than an installed libsemanage.
17 | $(EXECUTABLE): $(OBJECTS) ../src/libsemanage.a
18 | $(CC) $(LDFLAGS) -o $@ $^ $(LDLIBS)
19 |
     # Each .cil fixture is compiled with the in-tree secilc; -f /dev/null
     # discards the file-contexts output. secilc itself is not listed as a
     # prerequisite, so it must already have been built.
20 | %.policy: %.cil
21 | ../../secilc/secilc $*.cil -o $*.policy -f /dev/null
22 |
23 | clean distclean:
24 | rm -rf $(OBJECTS) $(POLICIES) $(EXECUTABLE)
25 |
     # NOTE(review): all, clean, distclean and test are not declared .PHONY
     # in the lines shown here.
26 | test: all
27 | ./$(EXECUTABLE)
28 |
29 |
--------------------------------------------------------------------------------
/libsemanage/tests/test_bool.cil:
--------------------------------------------------------------------------------
    ; Minimal MLS-enabled CIL policy kept next to the libsemanage tests.
    ; Declares one user, role and type (system_u, object_r, test_t), one class
    ; with one permission, and three booleans: first_bool defaults to true,
    ; second_bool and third_bool default to false.
    ; handleunknown is set to allow, which is acceptable for a throwaway
    ; fixture but would be a permissive choice in a deployed policy.
1 | (typeattribute cil_gen_require)
2 | (roleattribute cil_gen_require)
3 | (handleunknown allow)
4 | (mls true)
5 | (policycap network_peer_controls)
6 | (policycap open_perms)
7 | (sid security)
8 | (sidorder (security))
9 | (sensitivity s0)
10 | (sensitivityorder (s0))
11 | (user system_u)
12 | (userrole system_u object_r)
13 | (userlevel system_u (s0))
14 | (userrange system_u ((s0) (s0)))
15 | (role object_r)
16 | (roletype object_r test_t)
17 | (type test_t)
18 | (sidcontext security (system_u object_r test_t ((s0) (s0))))
19 | (class test_class (test_perm))
20 | (classorder (test_class))
21 | (allow test_t self (test_class (test_perm)))
22 | (boolean first_bool true)
23 | (boolean second_bool false)
24 | (boolean third_bool false)
25 |
--------------------------------------------------------------------------------
/libsemanage/tests/test_fcontext.cil:
--------------------------------------------------------------------------------
    ; Minimal MLS-enabled CIL policy kept next to the libsemanage tests.
    ; Declares three types (first_t, second_t, third_t), all associated with
    ; object_r. The policy itself contains no file-context statements; the
    ; types presumably serve as label targets for the fcontext tests.
1 | (typeattribute cil_gen_require)
2 | (roleattribute cil_gen_require)
3 | (handleunknown allow)
4 | (mls true)
5 | (policycap network_peer_controls)
6 | (policycap open_perms)
7 | (sid security)
8 | (sidorder (security))
9 | (sensitivity s0)
10 | (sensitivityorder (s0))
11 | (user system_u)
12 | (userrole system_u object_r)
13 | (userlevel system_u (s0))
14 | (userrange system_u ((s0) (s0)))
15 | (role object_r)
16 | (roletype object_r first_t)
17 | (roletype object_r second_t)
18 | (roletype object_r third_t)
19 | (type first_t)
20 | (type second_t)
21 | (type third_t)
22 | (sidcontext security (system_u object_r first_t ((s0) (s0))))
23 | (class test_class (test_perm))
24 | (classorder (test_class))
25 | (allow first_t self (test_class (test_perm)))
26 |
--------------------------------------------------------------------------------
/libsemanage/tests/test_handle.cil:
--------------------------------------------------------------------------------
    ; Minimal MLS-enabled CIL policy kept next to the libsemanage tests:
    ; one user, one role, one type, one class with one permission and a
    ; single allow rule. No booleans, ports or extra users are declared.
1 | (typeattribute cil_gen_require)
2 | (roleattribute cil_gen_require)
3 | (handleunknown allow)
4 | (mls true)
5 | (policycap network_peer_controls)
6 | (policycap open_perms)
7 | (sid security)
8 | (sidorder (security))
9 | (sensitivity s0)
10 | (sensitivityorder (s0))
11 | (user system_u)
12 | (userrole system_u object_r)
13 | (userlevel system_u (s0))
14 | (userrange system_u ((s0) (s0)))
15 | (role object_r)
16 | (roletype object_r test_t)
17 | (type test_t)
18 | (sidcontext security (system_u object_r test_t ((s0) (s0))))
19 | (class test_class (test_perm))
20 | (classorder (test_class))
21 | (allow test_t self (test_class (test_perm)))
22 |
--------------------------------------------------------------------------------
/libsemanage/tests/test_port.cil:
--------------------------------------------------------------------------------
    ; Minimal MLS-enabled CIL policy kept next to the libsemanage tests.
    ; Only the open_perms policy capability is declared. Three port types are
    ; defined and bound by the portcon statements at the end: a single TCP
    ; port (80), a UDP range (1-1023) and a single TCP port (12345).
1 | (typeattribute cil_gen_require)
2 | (roleattribute cil_gen_require)
3 | (handleunknown allow)
4 | (mls true)
5 | (policycap open_perms)
6 | (sid security)
7 | (sidorder (security))
8 | (sensitivity s0)
9 | (sensitivityorder (s0))
10 | (user system_u)
11 | (userrole system_u object_r)
12 | (userlevel system_u (s0))
13 | (userrange system_u ((s0) (s0)))
14 | (role object_r)
15 | (roletype object_r first_port_t)
16 | (roletype object_r second_port_t)
17 | (roletype object_r third_port_t)
18 | (type first_port_t)
19 | (type second_port_t)
20 | (type third_port_t)
21 | (sidcontext security (system_u object_r first_port_t ((s0) (s0))))
22 | (class file (open))
23 | (classorder (file))
24 | (allow first_port_t self (file (open)))
25 | (portcon tcp 80 (system_u object_r first_port_t ((s0) (s0))))
26 | (portcon udp (1 1023) (system_u object_r second_port_t ((s0) (s0))))
27 | (portcon tcp 12345 (system_u object_r third_port_t ((s0) (s0))))
28 |
--------------------------------------------------------------------------------
/libsemanage/tests/test_user.cil:
--------------------------------------------------------------------------------
    ; Minimal MLS-enabled CIL policy kept next to the libsemanage tests.
    ; Declares three users (first_u, second_u, third_u), each with level and
    ; range s0. Only first_u is given a role (object_r); second_u and third_u
    ; have no userrole statement in this file.
1 | (typeattribute cil_gen_require)
2 | (roleattribute cil_gen_require)
3 | (handleunknown allow)
4 | (mls true)
5 | (policycap network_peer_controls)
6 | (policycap open_perms)
7 | (sid security)
8 | (sidorder (security))
9 | (sensitivity s0)
10 | (sensitivityorder (s0))
11 | (user first_u)
12 | (user second_u)
13 | (user third_u)
14 | (userrole first_u object_r)
15 | (userlevel first_u (s0))
16 | (userlevel second_u (s0))
17 | (userlevel third_u (s0))
18 | (userrange first_u ((s0) (s0)))
19 | (userrange second_u ((s0) (s0)))
20 | (userrange third_u ((s0) (s0)))
21 | (role object_r)
22 | (roletype object_r test_t)
23 | (type test_t)
24 | (sidcontext security (first_u object_r test_t ((s0) (s0))))
25 | (class test_class (test_perm))
26 | (classorder (test_class))
27 | (allow test_t self (test_class (test_perm)))
28 |
--------------------------------------------------------------------------------
/libsemanage/tests/test_utilities.h:
--------------------------------------------------------------------------------
1 | #include
2 |
    /* Hooks for the "utilities" test suite: an init and a cleanup function
     * taking no arguments, and a function that receives a CUnit suite handle
     * (CU_pSuite), presumably to register the individual tests on it.
     * NOTE(review): this header has no include guard in the lines shown. */
3 | int semanage_utilities_test_init(void);
4 | int semanage_utilities_test_cleanup(void);
5 | int semanage_utilities_add_tests(CU_pSuite suite);
6 |
--------------------------------------------------------------------------------
/libsemanage/utils/Makefile:
--------------------------------------------------------------------------------
1 | # Installation directories.
2 | PREFIX ?= /usr
3 | LIBEXECDIR ?= $(PREFIX)/libexec
4 | SELINUXEXECDIR ?= $(LIBEXECDIR)/selinux/
5 |
6 | all:
7 |
    # Installs semanage_migrate_store with mode 755 under
    # $(DESTDIR)$(SELINUXEXECDIR). The leading '-' makes make ignore a failing
    # mkdir; the install line that follows still fails if the directory is
    # missing, so the error is reported one step later than it occurs.
8 | install: all
9 | -mkdir -p $(DESTDIR)$(SELINUXEXECDIR)
10 | install -m 755 semanage_migrate_store $(DESTDIR)$(SELINUXEXECDIR)
11 |
     # clean, distclean, indent and relabel have no recipe in this directory.
12 | clean:
13 |
14 | distclean: clean
15 |
16 | indent:
17 |
18 | relabel:
19 |
20 |
--------------------------------------------------------------------------------
/libsepol/.gitignore:
--------------------------------------------------------------------------------
1 | utils/chkcon
2 | utils/sepol_check_access
3 | utils/sepol_compute_av
4 | utils/sepol_compute_member
5 | utils/sepol_compute_relabel
6 | utils/sepol_validate_transition
7 | libsepol.map
8 |
--------------------------------------------------------------------------------
/libsepol/Makefile:
--------------------------------------------------------------------------------
    # Top-level libsepol Makefile: every target delegates to sub-directories.
    # DISABLE_CIL defaults to n and is exported so the sub-makes see it.
1 | DISABLE_CIL ?= n
2 |
3 | export DISABLE_CIL
4 |
5 | all:
6 | $(MAKE) -C src
7 | $(MAKE) -C utils
8 |
9 | install:
10 | $(MAKE) -C include install
11 | $(MAKE) -C src install
12 | $(MAKE) -C utils install
13 | $(MAKE) -C man install
14 |
15 | relabel:
16 | $(MAKE) -C src relabel
17 |
     # clean also descends into tests, although 'all' does not build them.
18 | clean:
19 | $(MAKE) -C src clean
20 | $(MAKE) -C utils clean
21 | $(MAKE) -C tests clean
22 |
23 | indent:
24 | $(MAKE) -C src $@
25 | $(MAKE) -C include $@
26 | $(MAKE) -C utils $@
27 |
     # The test suite is only built and run through this target.
28 | test:
29 | $(MAKE) -C tests test
30 |
31 |
--------------------------------------------------------------------------------
/libsepol/VERSION:
--------------------------------------------------------------------------------
1 | 3.8.1
2 |
--------------------------------------------------------------------------------
/libsepol/cil/.gitignore:
--------------------------------------------------------------------------------
1 | *.swp
2 | *.gcda
3 | *.gcno
4 | *.o
5 | *.a
6 | src/cil_lexer.c
7 | unit_tests
8 | cov
9 | secilc
10 | docs/pdf/
11 | docs/html/
12 | docs/man8/
13 | policy.*
14 | file_contexts
15 |
--------------------------------------------------------------------------------
/libsepol/cil/src/cil_reset_ast.h:
--------------------------------------------------------------------------------
1 | #ifndef CIL_RESET_AST_H_
2 | #define CIL_RESET_AST_H_
3 |
4 | #include "cil_tree.h"
5 |
    /* Declares cil_reset_ast, which takes a CIL tree node and returns an int
     * status. Judging by the name it resets AST state starting at `current`;
     * what is reset and the status convention are defined in the .c file. */
6 | int cil_reset_ast(struct cil_tree_node *current);
7 |
8 | #endif /* CIL_RESET_AST_H_ */
9 |
--------------------------------------------------------------------------------
/libsepol/cil/test/integration_testing/ordered_lists_bad1.cil:
--------------------------------------------------------------------------------
1 | ; Minimum policy
2 | ; ****************************
3 |
4 | (class foo (read))
5 |
6 | (type bar)
7 | (allow bar self (foo (read)))
8 |
9 | ; ****************************
10 |
11 | (sensitivity s0)
12 | (sensitivity s1)
13 | (sensitivity s2)
14 | (sensitivity s3)
15 | (sensitivity s4)
16 | (sensitivity s5)
17 | (sensitivity s6)
18 | (sensitivity s7)
19 | (sensitivity s8)
20 | (sensitivity s9)
     ; The four partial dominance lists below mention s1..s9 only; s0 is
     ; declared above but appears in none of them. Presumably this unordered
     ; sensitivity is what makes the fixture "bad" -- confirm against the
     ; test driver that consumes it.
21 | (dominance (s2 s3 s4))
22 | (dominance (s1 s2 s4 s5))
23 | (dominance (s5 s6 s8))
24 | (dominance (s6 s7 s8 s9))
25 |
26 | (category c0)
27 | (category c1)
28 | (category c2)
29 | (category c3)
30 | (category c4)
31 | (category c5)
32 | (category c6)
33 | (category c7)
34 | (category c8)
35 | (category c9)
36 |
37 | (categoryorder (c1 c3))
38 | (categoryorder (c1 c2 c3))
39 | (categoryorder (c5 c6 c7))
40 | (categoryorder (c3 c4 c5))
41 | (categoryorder (c7 c8 c9))
42 | (categoryorder (c0 c1))
43 |
--------------------------------------------------------------------------------
/libsepol/cil/test/integration_testing/ordered_lists_bad2.cil:
--------------------------------------------------------------------------------
1 | ; Minimum policy
2 | ; ****************************
3 |
4 | (class foo (read))
5 |
6 | (type bar)
7 | (allow bar self (foo (read)))
8 |
9 | ; ****************************
10 |
11 | (sensitivity s0)
12 | (sensitivity s1)
13 | (sensitivity s2)
14 | (sensitivity s3)
15 | (sensitivity s4)
16 | (sensitivity s5)
17 | (sensitivity s6)
18 | (sensitivity s7)
19 | (sensitivity s8)
20 | (sensitivity s9)
21 | (dominance (s2 s3 s4))
22 | (dominance (s1 s2 s4 s5))
23 | (dominance (s5 s6 s8))
24 | (dominance (s6 s7 s8 s9))
25 | (dominance (s0 s1))
26 |
27 | (category c0)
28 | (category c1)
29 | (category c2)
30 | (category c3)
31 | (category c4)
32 | (category c5)
33 | (category c6)
34 | (category c7)
35 | (category c8)
36 | (category c9)
37 |
     ; The five partial categoryorder lists below mention c1..c9 only; c0 is
     ; declared above but appears in none of them. Presumably this unordered
     ; category is what makes the fixture "bad" -- confirm against the test
     ; driver that consumes it.
38 | (categoryorder (c1 c3))
39 | (categoryorder (c1 c2 c3))
40 | (categoryorder (c5 c6 c7))
41 | (categoryorder (c3 c4 c5))
42 | (categoryorder (c7 c8 c9))
43 |
44 |
--------------------------------------------------------------------------------
/libsepol/cil/test/integration_testing/ordered_lists_easy.cil:
--------------------------------------------------------------------------------
1 | ; Minimum policy
2 | ; ****************************
3 |
4 | (class foo (read))
5 |
6 | (type bar)
7 | (allow bar self (foo (read)))
8 |
9 | ; ****************************
10 |
11 | (sensitivity s0)
12 | (sensitivity s1)
13 | (sensitivity s2)
14 | (sensitivity s3)
15 | (sensitivity s4)
16 | (sensitivity s5)
17 | (sensitivity s6)
18 | (sensitivity s7)
19 | (sensitivity s8)
20 | (sensitivity s9)
     ; A single dominance statement lists every declared sensitivity s0..s9,
     ; so no merging of partial lists is needed for sensitivities.
21 | (dominance (s0 s1 s2 s3 s4 s5 s6 s7 s8 s9))
22 |
23 | (category c0)
24 | (category c1)
25 | (category c2)
26 | (category c3)
27 | (category c4)
28 | (category c5)
29 | (category c6)
30 | (category c7)
31 | (category c8)
32 | (category c9)
33 |
     ; Four partial lists that overlap at c2/c3, at c5 and at c7, and together
     ; mention every declared category c0..c9.
34 | (categoryorder (c2 c3 c4 c5))
35 | (categoryorder (c0 c1 c2 c3))
36 | (categoryorder (c5 c6 c7))
37 | (categoryorder (c7 c8 c9))
38 |
39 |
--------------------------------------------------------------------------------
/libsepol/cil/test/integration_testing/small.cil:
--------------------------------------------------------------------------------
    ; Smallest fixture in this directory: one class with one permission, one
    ; type and one self allow rule. No sid, user, role, sensitivity or
    ; category statements are present in this file.
1 | (class foo (read))
2 |
3 | (type bar)
4 | (allow bar self (foo (read)))
5 |
6 |
--------------------------------------------------------------------------------
/libsepol/fuzz/policy.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/fedora-selinux/selinux/4a078ef23bcd87f8df9f024208ec61d21986b527/libsepol/fuzz/policy.bin
--------------------------------------------------------------------------------
/libsepol/include/Makefile:
--------------------------------------------------------------------------------
1 | # Installation directories.
2 | PREFIX ?= /usr
3 | INCDIR = $(PREFIX)/include/sepol
4 | CILDIR ?= ../cil
5 |
6 | all:
7 |
    # Creates the three header directories (mode 755) when they do not exist,
    # then installs the public headers read-only for non-owners (mode 644).
    # All destinations are prefixed with $(DESTDIR) for staged installs.
    # The CIL headers are taken from $(CILDIR)/include/cil.
8 | install: all
9 | test -d $(DESTDIR)$(INCDIR) || install -m 755 -d $(DESTDIR)$(INCDIR)
10 | test -d $(DESTDIR)$(INCDIR)/policydb || install -m 755 -d $(DESTDIR)$(INCDIR)/policydb
11 | test -d $(DESTDIR)$(INCDIR)/cil || install -m 755 -d $(DESTDIR)$(INCDIR)/cil
12 | install -m 644 $(wildcard sepol/*.h) $(DESTDIR)$(INCDIR)
13 | install -m 644 $(wildcard sepol/policydb/*.h) $(DESTDIR)$(INCDIR)/policydb
14 | install -m 644 $(wildcard $(CILDIR)/include/cil/*.h) $(DESTDIR)$(INCDIR)/cil
15 |
     # Only the top-level sepol/*.h headers are passed to Lindent here.
16 | indent:
17 | ../../scripts/Lindent $(wildcard sepol/*.h)
18 |
--------------------------------------------------------------------------------
/libsepol/include/sepol/context.h:
--------------------------------------------------------------------------------
1 | #ifndef _SEPOL_CONTEXT_H_
2 | #define _SEPOL_CONTEXT_H_
3 |
4 | #include
5 | #include
6 | #include
7 |
8 | #ifdef __cplusplus
9 | extern "C" {
10 | #endif
11 |
12 | /* -- Deprecated -- */
13 |
     /* Marked deprecated by the surrounding comments. Unlike
      * sepol_context_check below, it takes only a context string and no
      * handle or policydb argument, so which policy it checks against is
      * decided inside the implementation (not visible here). */
14 | extern int sepol_check_context(const char *context);
15 |
16 | /* -- End deprecated -- */
17 |
     /* Declares a check of a context record against an explicitly supplied
      * policydb; both the policydb and the context are taken as const.
      * The return-value convention is not visible in this header. */
18 | extern int sepol_context_check(sepol_handle_t * handle,
19 | const sepol_policydb_t * policydb,
20 | const sepol_context_t * context);
21 |
     /* Takes two MLS strings and an int out-parameter. Presumably *response
      * receives the containment result while the return value reports
      * success or failure -- confirm in the implementation, since mixing the
      * two up would turn an error into an access decision. */
22 | extern int sepol_mls_contains(sepol_handle_t * handle,
23 | const sepol_policydb_t * policydb,
24 | const char *mls1,
25 | const char *mls2, int *response);
26 |
     /* Declares a check of a single MLS string against the supplied
      * policydb (taken as const). What counts as valid and the return-value
      * convention are defined in the implementation. */
27 | extern int sepol_mls_check(sepol_handle_t * handle,
28 | const sepol_policydb_t * policydb, const char *mls);
29 |
30 | #ifdef __cplusplus
31 | }
32 | #endif
33 |
34 | #endif
35 |
--------------------------------------------------------------------------------
/libsepol/include/sepol/kernel_to_cil.h:
--------------------------------------------------------------------------------
1 | #include
2 |
3 | #include
4 |
    /* Takes an output stream and a policydb; judging by the name it writes
     * the kernel policydb to fp as CIL. The caller owns fp (nothing here
     * suggests it is closed). NOTE(review): no include guard in this header. */
5 | int sepol_kernel_policydb_to_cil(FILE *fp, struct policydb *pdb);
6 |
--------------------------------------------------------------------------------
/libsepol/include/sepol/kernel_to_conf.h:
--------------------------------------------------------------------------------
1 | #include
2 |
3 | #include
4 |
    /* Takes an output stream and a policydb; judging by the name it writes
     * the kernel policydb to fp in policy.conf form. The caller owns fp.
     * NOTE(review): no include guard in this header. */
5 | int sepol_kernel_policydb_to_conf(FILE *fp, struct policydb *pdb);
6 |
--------------------------------------------------------------------------------
/libsepol/include/sepol/module_to_cil.h:
--------------------------------------------------------------------------------
1 | #include
2 |
3 | #include
4 | #include
5 |
    /* Module-to-CIL conversion entry points. The first two take a stream
     * plus an in-memory policydb or module package. The third takes a stream
     * and a pointer-to-pointer, so it presumably reads a policy-package file
     * from fp and allocates *mod_pkg for the caller to free.
     * NOTE(review): if fp can come from an untrusted source, the parser's
     * input validation matters -- confirm in the implementation. This header
     * has no include guard in the lines shown. */
6 | int sepol_module_policydb_to_cil(FILE *fp, struct policydb *pdb, int linked);
7 | int sepol_module_package_to_cil(FILE *fp, struct sepol_module_package *mod_pkg);
8 | int sepol_ppfile_to_module_package(FILE *fp, struct sepol_module_package **mod_pkg);
9 |
--------------------------------------------------------------------------------
/libsepol/include/sepol/policydb/link.h:
--------------------------------------------------------------------------------
1 | /* Authors: Jason Tang
2 | * Joshua Brindle
3 | * Karl MacMillan
4 | */
5 |
6 | #ifndef _SEPOL_POLICYDB_LINK_H
7 | #define _SEPOL_POLICYDB_LINK_H
8 |
9 | #include
10 | #include
11 | #include
12 |
13 |
14 | #include
15 |
16 | #ifdef __cplusplus
17 | extern "C" {
18 | #endif
19 |
     /* Declares the module linker entry point. Presumably b is the base
      * policydb, mods an array of len module policydbs linked into it, and
      * verbose a logging switch -- parameter roles are inferred from the
      * names; the header does not state them. len is a signed int, so
      * callers should not pass a negative count. */
20 | extern int link_modules(sepol_handle_t * handle,
21 | policydb_t * b, policydb_t ** mods, int len,
22 | int verbose);
23 |
24 | #ifdef __cplusplus
25 | }
26 | #endif
27 |
28 | #endif
29 |
--------------------------------------------------------------------------------
/libsepol/man/Makefile:
--------------------------------------------------------------------------------
1 | # Installation directories.
2 | LINGUAS ?=
3 | PREFIX ?= /usr
4 | MANDIR ?= $(PREFIX)/share/man
5 | MAN3SUBDIR ?= man3
6 | MAN8SUBDIR ?= man8
7 | MAN3DIR ?= $(MANDIR)/$(MAN3SUBDIR)
8 | MAN8DIR ?= $(MANDIR)/$(MAN8SUBDIR)
9 |
10 | all:
11 |
     # Installs the section 3 and section 8 pages with mode 644, then does the
     # same for each language listed in LINGUAS that has a man3/ or man8/
     # directory. LINGUAS is empty by default, so no translations are
     # installed unless the builder sets it. $${lang} is the shell variable;
     # the doubled dollar stops make from expanding it.
12 | install: all
13 | mkdir -p $(DESTDIR)$(MAN3DIR)
14 | mkdir -p $(DESTDIR)$(MAN8DIR)
15 | install -m 644 man3/*.3 $(DESTDIR)$(MAN3DIR)
16 | install -m 644 man8/*.8 $(DESTDIR)$(MAN8DIR)
17 | for lang in $(LINGUAS) ; do \
18 | if [ -e $${lang}/man3 ] ; then \
19 | mkdir -p $(DESTDIR)$(MANDIR)/$${lang}/$(MAN3SUBDIR) ; \
20 | install -m 644 $${lang}/man3/*.3 $(DESTDIR)$(MANDIR)/$${lang}/$(MAN3SUBDIR) ; \
21 | fi ; \
22 | if [ -e $${lang}/man8 ] ; then \
23 | mkdir -p $(DESTDIR)$(MANDIR)/$${lang}/$(MAN8SUBDIR) ; \
24 | install -m 644 $${lang}/man8/*.8 $(DESTDIR)$(MANDIR)/$${lang}/$(MAN8SUBDIR) ; \
25 | fi ; \
26 | done
27 |
--------------------------------------------------------------------------------
/libsepol/man/man8/genpolbools.8:
--------------------------------------------------------------------------------
1 | .TH "genpolbools" "8" "11 August 2004" "stephen.smalley.work@gmail.com" "SELinux Command Line documentation"
2 | .SH "NAME"
3 | genpolbools \- Rewrite a binary policy with different boolean settings
4 | .SH "SYNOPSIS"
5 | .B genpolbools oldpolicy booleans newpolicy
6 |
7 | .SH "DESCRIPTION"
8 | .B genpolbools
9 | rewrites an existing binary policy with different boolean settings,
10 | generating a new binary policy. The booleans file specifies the
11 | different boolean settings using name=value lines, where value
12 | can be 0 or false to disable the boolean or 1 or true to enable it.
13 |
14 |
15 |
16 |
17 |
--------------------------------------------------------------------------------
/libsepol/src/boolean_internal.h:
--------------------------------------------------------------------------------
1 | #ifndef _SEPOL_BOOLEAN_INTERNAL_H_
2 | #define _SEPOL_BOOLEAN_INTERNAL_H_
3 |
4 | #include
5 | #include
6 |
7 | #endif
8 |
--------------------------------------------------------------------------------
/libsepol/src/context_internal.h:
--------------------------------------------------------------------------------
1 | #ifndef _SEPOL_CONTEXT_INTERNAL_H_
2 | #define _SEPOL_CONTEXT_INTERNAL_H_
3 |
4 | #include
5 | #include
6 |
7 | #endif
8 |
--------------------------------------------------------------------------------
/libsepol/src/handle.h:
--------------------------------------------------------------------------------
1 | #ifndef _SEPOL_INTERNAL_HANDLE_H_
2 | #define _SEPOL_INTERNAL_HANDLE_H_
3 |
4 | #include
5 |
    /* Internal layout of the sepol handle: message-reporting state followed
     * by three integer option fields. */
6 | struct sepol_handle {
7 | /* Error handling */
    /* State associated with message reporting; the exact meaning of each
     * field is set by the code that writes it (not shown in this header). */
8 | int msg_level;
9 | const char *msg_channel;
10 | const char *msg_fname;
     /* Under GCC the callback pointer below is tagged printf-like: argument 3
      * (fmt) is the format string and the variadic arguments start at
      * argument 4, which lets the compiler flag format/argument mismatches
      * at call sites made through this pointer. */
11 | #ifdef __GNUC__
12 | __attribute__ ((format(printf, 3, 4)))
13 | #endif
14 | void (*msg_callback) (void *varg,
15 | sepol_handle_t * handle, const char *fmt, ...);
     /* Opaque pointer; presumably handed back to msg_callback as varg. */
16 | void *msg_callback_arg;
17 |
     /* Integer option fields; their semantics are defined where they are
      * read, outside this header. */
18 | int disable_dontaudit;
19 | int expand_consume_base;
20 | int preserve_tunables;
21 | };
22 |
23 | #endif
24 |
--------------------------------------------------------------------------------
/libsepol/src/ibendport_internal.h:
--------------------------------------------------------------------------------
1 | #ifndef _SEPOL_IBENDPORT_INTERNAL_H_
2 | #define _SEPOL_IBENDPORT_INTERNAL_H_
3 |
4 | #include
5 | #include
6 |
7 | #endif
8 |
--------------------------------------------------------------------------------
/libsepol/src/ibpkey_internal.h:
--------------------------------------------------------------------------------
1 | #ifndef _SEPOL_IBPKEY_INTERNAL_H_
2 | #define _SEPOL_IBPKEY_INTERNAL_H_
3 |
4 | #include
5 | #include
6 |
7 | #endif
8 |
--------------------------------------------------------------------------------
/libsepol/src/iface_internal.h:
--------------------------------------------------------------------------------
1 | #ifndef _SEPOL_IFACE_INTERNAL_H_
2 | #define _SEPOL_IFACE_INTERNAL_H_
3 |
4 | #include
5 | #include
6 |
7 | #endif
8 |
--------------------------------------------------------------------------------
/libsepol/src/libsepol.pc.in:
--------------------------------------------------------------------------------
    # pkg-config template for libsepol. The @prefix@, @libdir@, @includedir@
    # and @VERSION@ tokens are placeholders, presumably substituted by the
    # build before the .pc file is installed. No private requirements or
    # libraries are listed.
1 | prefix=@prefix@
2 | exec_prefix=${prefix}
3 | libdir=@libdir@
4 | includedir=@includedir@
5 |
6 | Name: libsepol
7 | Description: SELinux policy library
8 | Version: @VERSION@
    # NOTE(review): the URL below is plain http; check whether an https
    # address exists for the project page.
9 | URL: http://userspace.selinuxproject.org/
10 | Libs: -L${libdir} -lsepol
11 | Cflags: -I${includedir}
12 |
--------------------------------------------------------------------------------
/libsepol/src/module_internal.h:
--------------------------------------------------------------------------------
1 | #include
2 |
3 |
--------------------------------------------------------------------------------
/libsepol/src/node_internal.h:
--------------------------------------------------------------------------------
1 | #ifndef _SEPOL_NODE_INTERNAL_H_
2 | #define _SEPOL_NODE_INTERNAL_H_
3 |
4 | #include
5 | #include
6 |
7 | #endif
8 |
--------------------------------------------------------------------------------
/libsepol/src/policydb_internal.h:
--------------------------------------------------------------------------------
1 | #ifndef _SEPOL_POLICYDB_INTERNAL_H_
2 | #define _SEPOL_POLICYDB_INTERNAL_H_
3 |
4 | #include
5 |
    /* Array of constant strings (both the pointers and the characters are
     * const). Its length is not given here, so code indexing it must take
     * the bound from the definition. */
6 | extern const char * const policydb_target_strings[];
7 | #endif
8 |
--------------------------------------------------------------------------------
/libsepol/src/policydb_validate.h:
--------------------------------------------------------------------------------
1 | #include
2 |
3 | #include
4 | #include
5 |
    /* value_isvalid takes a value and a primary count; presumably it reports
     * whether value lies within the range implied by nprim -- confirm the
     * exact bounds in the implementation.
     * policydb_validate takes a const policydb and returns an int status.
     * NOTE(review): judging by the name it is the consistency check for a
     * loaded policydb; confirm that every path reading a binary policy from
     * outside the process calls it before the policydb is used. This header
     * has no include guard in the lines shown. */
6 | int value_isvalid(uint32_t value, uint32_t nprim);
7 | int policydb_validate(sepol_handle_t *handle, const policydb_t *p);
8 |
--------------------------------------------------------------------------------
/libsepol/src/port_internal.h:
--------------------------------------------------------------------------------
1 | #ifndef _SEPOL_PORT_INTERNAL_H_
2 | #define _SEPOL_PORT_INTERNAL_H_
3 |
4 | #include
5 | #include
6 |
7 | #endif
8 |
--------------------------------------------------------------------------------
/libsepol/src/user_internal.h:
--------------------------------------------------------------------------------
1 | #ifndef _SEPOL_USER_INTERNAL_H_
2 | #define _SEPOL_USER_INTERNAL_H_
3 |
4 | #include
5 | #include
6 |
7 | #endif
8 |
--------------------------------------------------------------------------------
/libsepol/tests/.gitignore:
--------------------------------------------------------------------------------
1 | libsepol-tests
2 |
--------------------------------------------------------------------------------
/libsepol/tests/policies/.gitignore:
--------------------------------------------------------------------------------
1 | test-downgrade/
2 | test-*/*.mls
3 | test-*/*.std
4 |
--------------------------------------------------------------------------------
/libsepol/tests/policies/support/misc_macros.spt:
--------------------------------------------------------------------------------
1 |
2 | ########################################
3 | #
4 | # Helper macros
5 | #
6 |
7 | ########################################
8 | #
9 | # gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_categories])
10 | #
     # Two output shapes, selected by whether users_extra is defined:
     #  - users_extra defined: emits only a user/prefix statement, and only
     #    when argument 2 is non-empty.
     #  - otherwise: emits a user/roles statement from arguments 1 and 3,
     #    followed by level/range from arguments 4 and 5 under enable_mls, or
     #    level s0 range s0 (extended with argument 6 when given) under
     #    enable_mcs.
     # Arguments are substituted textually; nothing here validates them.
11 | define(`gen_user',`dnl
12 | ifdef(`users_extra',`dnl
13 | ifelse(`$2',,,`user $1 prefix $2;')
14 | ',`dnl
15 | user $1 roles { $3 }`'ifdef(`enable_mls', ` level $4 range $5')`'ifdef(`enable_mcs',` level s0 range s0`'ifelse(`$6',,,` - s0:$6')');
16 | ')dnl
17 | ')
18 |
19 | ########################################
20 | #
21 | # gen_context(context,mls_sensitivity,[mcs_categories])
22 | #
     # Expands to argument 1, then appends a colon and argument 2 when
     # enable_mls is defined, and a colon plus s0 (and a colon plus argument 3
     # when that is non-empty) when enable_mcs is defined. With neither
     # defined the context is emitted without any MLS/MCS field.
23 | define(`gen_context',`$1`'ifdef(`enable_mls',`:$2')`'ifdef(`enable_mcs',`:s0`'ifelse(`$3',,,`:$3')')') dnl
24 |
--------------------------------------------------------------------------------
/libsepol/tests/policies/test-deps/modreq-attr-global.conf:
--------------------------------------------------------------------------------
    # Test module: requires attribute attr_req at module (global) scope and
    # declares new_t carrying that attribute, plus mod_global_t.
1 | module modreq_attr_global 1.0;
2 |
3 | require {
4 | attribute attr_req;
5 | }
6 |
7 | type mod_global_t;
8 |
9 | type new_t, attr_req;
10 |
11 |
--------------------------------------------------------------------------------
/libsepol/tests/policies/test-deps/modreq-attr-opt.conf:
--------------------------------------------------------------------------------
    # Test module: the global require covers only class file; attribute
    # attr_req is required inside the optional block, where mod_opt_t and
    # new_t (with attr_req) are declared.
1 | module modreq_attr_opt 1.0;
2 |
3 | require {
4 | class file {read write};
5 |
6 | }
7 |
8 | type mod_global_t;
9 |
10 | optional {
11 | require {
12 | attribute attr_req;
13 | }
14 | type mod_opt_t;
15 | type new_t, attr_req;
16 | }
17 |
--------------------------------------------------------------------------------
/libsepol/tests/policies/test-deps/modreq-bool-global.conf:
--------------------------------------------------------------------------------
    # Test module: requires boolean bool_req and class file at module scope;
    # the single allow rule is conditional on bool_req.
1 | module modreq_bool_global 1.0;
2 |
3 | require {
4 | bool bool_req;
5 | class file { read write };
6 | }
7 |
8 | type mod_global_t;
9 |
10 | type a_t;
11 | type b_t;
12 |
13 | if (bool_req) {
14 | allow a_t b_t : file { read write };
15 | }
16 |
--------------------------------------------------------------------------------
/libsepol/tests/policies/test-deps/modreq-bool-opt.conf:
--------------------------------------------------------------------------------
    # Test module: the global require covers only class file; boolean
    # bool_req is required inside the optional block, which also holds the
    # types and the conditional allow rule that depend on it.
1 | module modreq_bool_opt 1.0;
2 |
3 | require {
4 | class file {read write};
5 |
6 | }
7 |
8 | type mod_global_t;
9 |
10 | optional {
11 | require {
12 | bool bool_req;
13 | }
14 |
15 | type a_t;
16 | type b_t;
17 | type mod_opt_t;
18 |
19 | if (bool_req) {
20 | allow a_t b_t : file { read write };
21 | }
22 | }
23 |
--------------------------------------------------------------------------------
/libsepol/tests/policies/test-deps/modreq-obj-global.conf:
--------------------------------------------------------------------------------
    # Test module: requires object class sem with create and destroy at
    # module scope and uses both permissions in one allow rule.
1 | module modreq_obj_global 1.0;
2 |
3 | require {
4 | class sem { create destroy };
5 | }
6 |
7 | type mod_global_t;
8 |
9 | type mod_foo_t;
10 | type mod_bar_t;
11 |
12 | allow mod_foo_t mod_bar_t : sem { create destroy };
13 |
14 |
--------------------------------------------------------------------------------
/libsepol/tests/policies/test-deps/modreq-obj-opt.conf:
--------------------------------------------------------------------------------
    # Test module: the global require covers class file (read); class sem is
    # required inside the optional block, together with the allow rule that
    # uses it.
    # NOTE(review): the module statement below says modreq_obj_global, the
    # same name the modreq-obj-global.conf fixture declares, although this
    # file is modreq-obj-opt.conf -- presumably a copy-paste leftover; check
    # whether any test depends on the name before changing it.
1 | module modreq_obj_global 1.0;
2 |
3 | require {
4 | class file { read };
5 | }
6 |
7 | type mod_global_t;
8 |
9 | type mod_foo_t;
10 | type mod_bar_t;
11 |
12 | optional {
13 | require {
14 | class sem { create destroy };
15 | }
16 |
17 | type mod_opt_t;
18 |
19 | allow mod_foo_t mod_bar_t : sem { create destroy };
20 | }
21 |
--------------------------------------------------------------------------------
/libsepol/tests/policies/test-deps/modreq-perm-global.conf:
--------------------------------------------------------------------------------
    # Test module: requires permissions send and receive on class msg at
    # module scope and uses both in one allow rule.
1 | module modreq_perm_global 1.0;
2 |
3 | require {
4 | class msg { send receive };
5 | }
6 |
7 | type mod_global_t;
8 | type a_t;
9 | type b_t;
10 | allow a_t b_t: msg { send receive };
11 |
--------------------------------------------------------------------------------
/libsepol/tests/policies/test-deps/modreq-perm-opt.conf:
--------------------------------------------------------------------------------
    # Test module: the global require covers class file; permissions send and
    # receive on class msg are required inside the optional block, together
    # with the types and the allow rule that use them.
1 | module modreq_perm_opt 1.0;
2 |
3 | require {
4 | class file { read write };
5 | }
6 |
7 | type mod_global_t;
8 |
9 | optional {
10 | require {
11 | class msg { send receive };
12 | }
13 |
14 | type mod_opt_t;
15 | type a_mod_t;
16 | type b_mod_t;
17 | allow a_mod_t b_mod_t: msg { send receive };
18 | }
19 |
--------------------------------------------------------------------------------
/libsepol/tests/policies/test-deps/modreq-role-global.conf:
--------------------------------------------------------------------------------
    # Test module: requires roles role_req_r and user_r at module scope and
    # adds a role allow rule between them. The role/types association for
    # a_t is commented out in the original.
1 | module modreq_role_global 1.0;
2 |
3 | require {
4 | role role_req_r, user_r;
5 | }
6 |
7 | type mod_global_t;
8 |
9 | type a_t;
10 |
11 | # role role_req_r types a_t;
12 | allow role_req_r user_r;
13 |
14 |
--------------------------------------------------------------------------------
/libsepol/tests/policies/test-deps/modreq-role-opt.conf:
--------------------------------------------------------------------------------
    # Test module: the global require covers only class file; roles
    # role_req_r and user_r are required inside the optional block, together
    # with the role allow rule between them.
1 | module modreq_role_opt 1.0;
2 |
3 | require {
4 | class file {read write};
5 |
6 | }
7 |
8 | type mod_global_t;
9 |
10 | optional {
11 | require {
12 | role role_req_r, user_r;
13 | }
14 | type mod_opt_t;
15 |
16 | allow role_req_r user_r;
17 | }
18 |
--------------------------------------------------------------------------------
/libsepol/tests/policies/test-deps/modreq-type-global.conf:
--------------------------------------------------------------------------------
    # Test module: requires type type_req_t and class file at module scope;
    # the allow rule uses the required type as its target.
1 | module modreq_type_global 1.0;
2 |
3 | require {
4 | type type_req_t;
5 | class file { read write };
6 | }
7 |
8 | type mod_global_t;
9 |
10 | type test_t;
11 |
12 | allow test_t type_req_t : file { read write };
13 |
--------------------------------------------------------------------------------
/libsepol/tests/policies/test-deps/modreq-type-opt.conf:
--------------------------------------------------------------------------------
    # Test module: the global require covers type file_t and class file; type
    # type_req_t is required inside the optional block, where it is the
    # source of the allow rule.
1 | module modreq_type_opt 1.0;
2 |
3 | require {
4 | type file_t;
5 | class file { read write };
6 | }
7 |
8 | type mod_global_t;
9 |
10 | optional {
11 | require {
12 | type type_req_t;
13 | }
14 | type mod_opt_t;
15 | allow type_req_t file_t : file { read write };
16 | }
--------------------------------------------------------------------------------
/libsepol/tests/policies/test-deps/module.conf:
--------------------------------------------------------------------------------
1 | module my_module 1.0;
2 |
3 | require {
4 | bool secure_mode;
5 | type system_t, sysadm_t, file_t;
6 | attribute domain;
7 | role system_r;
8 | class file {read write};
9 |
10 | }
11 |
12 | type new_t, domain;
13 | role system_r types new_t;
14 |
15 | allow system_t file_t : file { read write };
16 |
17 | if (secure_mode)
18 | {
19 | allow sysadm_t file_t : file { read write };
20 | }
21 |
--------------------------------------------------------------------------------
/libsepol/tests/policies/test-expander/alias-module.conf:
--------------------------------------------------------------------------------
1 | module my_module 1.0;
2 |
3 | require {
4 | type alias_check_3_t;
5 | }
6 |
7 | typealias alias_check_3_t alias alias_check_3_a;
8 |
9 |
--------------------------------------------------------------------------------
/libsepol/tests/policies/test-expander/base-base-only.conf:
--------------------------------------------------------------------------------
1 | class security
2 | class file
3 |
4 | sid kernel
5 |
6 | common file
7 | {
8 | read
9 | }
10 |
11 | class file
12 | inherits file
13 | {
14 | entrypoint
15 | }
16 |
17 | class security
18 | {
19 | compute_av
20 | }
21 |
22 | ifdef(`enable_mls',`
23 | sensitivity s0;
24 |
25 | dominance { s0 }
26 |
27 | category c0;
28 |
29 | level s0:c0;
30 |
31 | mlsconstrain file { read }
32 | ( h1 dom h2 );
33 | ')
34 |
35 | attribute myattr;
36 | type mytype_t;
37 | role myrole_r;
38 | role myrole_r types mytype_t;
39 | bool mybool true;
40 | gen_user(myuser_u,, myrole_r, s0, s0 - s0:c0)
41 |
42 | sid kernel gen_context(myuser_u:myrole_r:mytype_t, s0)
43 |
44 |
45 |
--------------------------------------------------------------------------------
/libsepol/tests/policies/test-expander/role-module.conf:
--------------------------------------------------------------------------------
1 | module my_module 1.0;
2 |
3 | require {
4 | class file {read write};
5 | role role_check_1;
6 | }
7 |
8 | type role_check_1_2_t;
9 | role role_check_1 types role_check_1_2_t;
10 |
--------------------------------------------------------------------------------
/libsepol/tests/policies/test-expander/user-module.conf:
--------------------------------------------------------------------------------
1 | module my_module 1.0;
2 |
3 | require {
4 | class file {read write};
5 | ifdef(`enable_mls',`
6 | user user_check_1;
7 | ')
8 | }
9 |
10 |
--------------------------------------------------------------------------------
/libsepol/tests/policies/test-hooks/module_add_role_allow_trans.conf:
--------------------------------------------------------------------------------
1 | module add_symbol_test 1.0;
2 |
3 | require { class file { read }; }
4 |
5 | role role_a_1;
6 | role role_a_2;
7 | role role_t_1;
8 | role role_t_2;
9 |
10 | type type_rt_1;
11 |
12 |
13 | allow role_a_1 role_a_2;
14 |
15 | role_transition role_t_1 type_rt_1 role_t_2;
16 |
--------------------------------------------------------------------------------
/libsepol/tests/policies/test-hooks/module_add_symbols.conf:
--------------------------------------------------------------------------------
1 | module add_symbol_test 1.0;
2 |
3 | require { class file { read write }; }
4 |
5 | type type_add_1;
6 | attribute attrib_add_1;
7 | role role_add_1;
8 | bool bool_add_1 false;
9 |
10 | ifdef(`enable_mls',`',`
11 | user user_add_1 roles { role_add_1 };
12 | ')
13 |
--------------------------------------------------------------------------------
/libsepol/tests/test-ebitmap.h:
--------------------------------------------------------------------------------
1 | #ifndef TEST_EBITMAP_H__
2 | #define TEST_EBITMAP_H__
3 |
4 | #include
5 |
6 | int ebitmap_test_init(void);
7 | int ebitmap_test_cleanup(void);
8 | int ebitmap_add_tests(CU_pSuite suite);
9 |
10 | #endif /* TEST_EBITMAP_H__ */
11 |
--------------------------------------------------------------------------------
/libsepol/tests/test-neverallow.h:
--------------------------------------------------------------------------------
1 | #ifndef TEST_NEVERALLOW_H__
2 | #define TEST_NEVERALLOW_H__
3 |
4 | #include
5 |
6 | int neverallow_test_init(void);
7 | int neverallow_test_cleanup(void);
8 | int neverallow_add_tests(CU_pSuite suite);
9 |
10 | #endif /* TEST_NEVERALLOW_H__ */
11 |
--------------------------------------------------------------------------------
/libsepol/utils/Makefile:
--------------------------------------------------------------------------------
1 | # Installation directories.
2 | PREFIX ?= /usr
3 | BINDIR ?= $(PREFIX)/bin
4 |
5 | CFLAGS ?= -Wall -Werror
6 | override CFLAGS += -I../include
7 | override LDFLAGS += -L../src
8 | override LDLIBS += -lsepol
9 |
10 | TARGETS=$(patsubst %.c,%,$(sort $(wildcard *.c)))
11 |
12 | all: $(TARGETS)
13 |
14 | install: all
15 | -mkdir -p $(DESTDIR)$(BINDIR)
16 | install -m 755 $(TARGETS) $(DESTDIR)$(BINDIR)
17 |
18 | clean:
19 | -rm -f $(TARGETS) *.o
20 |
21 | indent:
22 | ../../scripts/Lindent $(wildcard *.[ch])
23 |
24 | relabel:
25 |
26 |
--------------------------------------------------------------------------------
/mcstrans/Makefile:
--------------------------------------------------------------------------------
1 | PKG_CONFIG ?= pkg-config
2 | PCRE_MODULE := libpcre2-8
3 | PCRE_CFLAGS := $(shell $(PKG_CONFIG) --cflags $(PCRE_MODULE)) -DPCRE2_CODE_UNIT_WIDTH=8
4 | PCRE_LDLIBS := $(shell $(PKG_CONFIG) --libs $(PCRE_MODULE))
5 | export PCRE_MODULE PCRE_CFLAGS PCRE_LDLIBS
6 |
7 | all:
8 | $(MAKE) -C src
9 | $(MAKE) -C utils
10 |
11 | install:
12 | $(MAKE) -C src install
13 | # $(MAKE) -C utils install
14 | $(MAKE) -C man install
15 |
16 | clean:
17 | rm -f *~ \#*
18 | $(MAKE) -C src clean
19 | $(MAKE) -C utils clean
20 | $(MAKE) -C man clean
21 |
22 | relabel:
23 |
24 | test:
25 |
--------------------------------------------------------------------------------
/mcstrans/TODO:
--------------------------------------------------------------------------------
1 | TODO List for mcstrans:
2 |
3 | In compute_raw_from_trans look for conflicting bit patterns and report errors.
4 |
5 | In emit_whitespace look at whitespace characters for any regex special character and escape them.
6 |
7 | Make prefixes and suffixes optional (ex. SECRET REL AUS == SECRET AUS).
8 |
9 | compute_trans_from_raw is an expensive operation that needs to be sped up or threaded so that mcstrans can respond to other requests more quickly.
10 |
11 | Reevaluate the means of determining whether inverse bits are used in a domain.
12 |
--------------------------------------------------------------------------------
/mcstrans/VERSION:
--------------------------------------------------------------------------------
1 | 3.8.1
2 |
--------------------------------------------------------------------------------
/mcstrans/share/examples/default/README:
--------------------------------------------------------------------------------
1 | Original RHEL 5 setrans.conf
2 |
3 | To use:
4 | cp setrans.conf /etc/selinux/mls/setrans.conf
5 | run_init /etc/init.d/mcstrans restart
6 |
7 | To test:
8 | /usr/share/mcstrans/util/mlstrans-test default.test
9 |
--------------------------------------------------------------------------------
/mcstrans/share/examples/default/default.test:
--------------------------------------------------------------------------------
1 | SystemLow==s0
2 | SystemHigh==s15:c0.c1023
3 | SystemLow-SystemHigh==s0-s15:c0.c1023
4 |
5 | Unclassified==s1
6 |
7 | Secret==s2
8 | A==s2:c0
9 | B==s2:c1
10 |
11 | SystemLow-Unclassified==s0-s1
12 | Unclassified-Secret==s1-s2
13 | Unclassified-SystemHigh==s1-s15:c0.c1023
14 |
15 | SystemLow-Secret==s0-s2
16 | SystemLow-Secret:A==s0-s2:c0
17 | SystemLow-Secret:B==s0-s2:c1
18 | SystemLow-Secret:AB==s0-s2:c0,c1
19 | Unclassified-Secret:A==s1-s2:c0
20 | Unclassified-Secret:B==s1-s2:c1
21 | Unclassified-Secret:AB==s1-s2:c0,c1
22 | Secret-Secret:A==s2-s2:c0
23 | Secret-Secret:B==s2-s2:c1
24 | Secret-Secret:AB==s2-s2:c0,c1
25 | Secret-SystemHigh==s2-s15:c0.c1023
26 | Secret:A-Secret:AB==s2:c0-s2:c0,c1
27 | Secret:A-SystemHigh==s2:c0-s15:c0.c1023
28 | Secret:B-Secret:AB==s2:c1-s2:c0,c1
29 | Secret:B-SystemHigh==s2:c1-s15:c0.c1023
30 | Secret:AB-SystemHigh==s2:c0,c1-s15:c0.c1023
31 |
32 |
--------------------------------------------------------------------------------
/mcstrans/share/examples/include/README:
--------------------------------------------------------------------------------
1 | Original RHEL 5 setrans.conf pushed into setrans.d as include file
2 |
3 | To use:
4 | cp setrans.conf /etc/selinux/mls/setrans.conf
5 | cp setrans.d/* /etc/selinux/mls/setrans.d
6 | run_init /etc/init.d/mcstrans restart
7 |
8 | To test:
9 | /usr/share/mcstrans/util/mlstrans-test include.test
10 |
--------------------------------------------------------------------------------
/mcstrans/share/examples/include/default.test:
--------------------------------------------------------------------------------
1 | SystemLow==s0
2 | SystemHigh==s15:c0.c1023
3 | SystemLow-SystemHigh==s0-s15:c0.c1023
4 |
5 | Unclassified==s1
6 |
7 | Secret==s2
8 | A==s2:c0
9 | B==s2:c1
10 |
11 | SystemLow-Unclassified==s0-s1
12 | Unclassified-Secret==s1-s2
13 | Unclassified-SystemHigh==s1-s15:c0.c1023
14 |
15 | SystemLow-Secret==s0-s2
16 | SystemLow-Secret:A==s0-s2:c0
17 | SystemLow-Secret:B==s0-s2:c1
18 | SystemLow-Secret:AB==s0-s2:c0,c1
19 | Unclassified-Secret:A==s1-s2:c0
20 | Unclassified-Secret:B==s1-s2:c1
21 | Unclassified-Secret:AB==s1-s2:c0,c1
22 | Secret-Secret:A==s2-s2:c0
23 | Secret-Secret:B==s2-s2:c1
24 | Secret-Secret:AB==s2-s2:c0,c1
25 | Secret-SystemHigh==s2-s15:c0.c1023
26 | Secret:A-Secret:AB==s2:c0-s2:c0,c1
27 | Secret:A-SystemHigh==s2:c0-s15:c0.c1023
28 | Secret:B-Secret:AB==s2:c1-s2:c0,c1
29 | Secret:B-SystemHigh==s2:c1-s15:c0.c1023
30 | Secret:AB-SystemHigh==s2:c0,c1-s15:c0.c1023
31 |
32 |
--------------------------------------------------------------------------------
/mcstrans/share/examples/include/setrans.conf:
--------------------------------------------------------------------------------
1 | #
2 | # Multi-Level Security translation table for SELinux
3 | #
4 | # Uncomment the following to disable translation library
5 | # disable=1
6 | #
7 | # Objects can be labeled with one of 16 levels and be categorized with 0-1023
8 | # categories defined by the admin.
9 | # Objects can be in more than one category at a time.
10 | # Users can modify this table to translate the MLS labels for different purposes.
11 | #
12 |
13 | # Demonstrate Include by moving everything to an include file
14 | #
15 | Include=/etc/selinux/mls/setrans.d/include-example
16 |
--------------------------------------------------------------------------------
/mcstrans/share/examples/nato/README:
--------------------------------------------------------------------------------
1 | NATO example test setrans.conf
2 |
3 | To use:
4 | mkdir /etc/selinux/mls/setrans.d
5 | cp rel.conf /etc/selinux/mls/setrans.d
6 | cp eyes-only.conf /etc/selinux/mls/setrans.d
7 | cp constraints.conf /etc/selinux/mls/setrans.d
8 | cp setrans.conf /etc/selinux/mls/setrans.conf
9 | sudo run_init /etc/init.d/mcstrans restart
10 |
11 | To test:
12 | /usr/share/mcstrans/util/mlstrans-test nato.test
13 |
--------------------------------------------------------------------------------
/mcstrans/share/examples/nato/nato.test:
--------------------------------------------------------------------------------
1 | NATO CONFIDENTIAL==s4:c1,c200.c511
2 | CONFIDENTIAL-NATO SECRET!=s4:c0,c2,c11,c200.c511-s5:c1,c200.c511
3 | NATO SECRET REL NATO==s5:c1,c201.c204,c206.c218,c220.c222,c224.c238,c240.c256,c259,c260,c262.c267,c270.c273,c275.c277,c279.c287,c289.c297,c299,c301.c307,c309,c311.c330,c334.c364,c367.c377,c379,c380,c382.c386,c388.c405,c408.c422,c424.c429,c431.c511
4 | NATO CONFIDENTIAL NATO EYES ONLY==s4:c1,c200.c204,c206.c218,c220.c222,c224.c238,c240.c256,c259,c260,c262.c267,c270.c273,c275.c277,c279.c287,c289.c297,c299,c301.c307,c309,c311.c330,c334.c364,c367.c377,c379,c380,c382.c386,c388.c405,c408.c422,c424.c429,c431.c511
5 | NATO CONFIDENTIAL-NATO SECRET==s4:c1,c200.c511-s5:c1,c200.c511
6 | NATO CONFIDENTIAL REL AUS/US-NATO SECRET REL AUS/US==s4:c1,c201.c214,c216.c429,c431.c511-s5:c1,c201.c214,c216.c429,c431.c511
7 | NATO CONFIDENTIAL DEU EYES ONLY-NATO SECRET DEU EYES ONLY==s4:c1,c200.c257,c259.c511-s5:c1,c200.c257,c259.c511
8 |
--------------------------------------------------------------------------------
/mcstrans/share/examples/nato/setrans.conf:
--------------------------------------------------------------------------------
1 | # UNCLASSIFIED
2 | Domain=NATOEXAMPLE
3 |
4 | s0=SystemLow
5 | s15:c0.c1023=SystemHigh
6 | s0-s15:c0.c1023=SystemLow-SystemHigh
7 |
8 | Base=Sensitivity Levels
9 | s1=UNCLASSIFIED
10 | s3:c0,c2,c11,c200.c511=RESTRICTED
11 | s4:c0,c2,c11,c200.c511=CONFIDENTIAL
12 | s5:c0,c2,c11,c200.c511=SECRET
13 |
14 | s1:c1=NATO UNCLASSIFIED
15 | s3:c1,c200.c511=NATO RESTRICTED
16 | s4:c1,c200.c511=NATO CONFIDENTIAL
17 | s5:c1,c200.c511=NATO SECRET
18 |
19 | Include=/etc/selinux/mls/setrans.d/rel.conf
20 | Include=/etc/selinux/mls/setrans.d/eyes-only.conf
21 | Include=/etc/selinux/mls/setrans.d/constraints.conf
22 |
23 | # UNCLASSIFIED
24 |
--------------------------------------------------------------------------------
/mcstrans/share/examples/nato/setrans.d/constraints.conf:
--------------------------------------------------------------------------------
1 | # UNCLASSIFIED
2 |
3 | # These constraints apply to computed translations,
4 | # not cached or preset translations.
5 | #
6 |
7 | # nato and non-nato are incompatible
8 | c0!c1
9 |
10 | #UNCLASSIFIED
11 |
--------------------------------------------------------------------------------
/mcstrans/share/examples/non-mls-color/README:
--------------------------------------------------------------------------------
1 | Non-MLS color example
2 |
3 | To use:
4 | cp secolor.conf /etc/selinux/mls/
5 | run_init /etc/init.d/mcstrans restart
6 |
7 | To test:
8 | /usr/share/mcstrans/util/mlscolor-test non-mls.color
9 |
--------------------------------------------------------------------------------
/mcstrans/share/examples/non-mls-color/non-mls.color:
--------------------------------------------------------------------------------
1 | system_u:system_r:inetd_t:SystemLow=#000000 #008000 #ffffff #000000 #d2b48c #ffa500 #000000 #008000
2 | system_u:system_r:inetd_t:SystemHigh=#000000 #008000 #ffffff #000000 #d2b48c #ffa500 #000000 #008000
3 | user_u:user_r:user_t:SystemLow=#000000 #008000 #ffffff #000000 #d2b48c #ffa500 #000000 #008000
4 |
--------------------------------------------------------------------------------
/mcstrans/share/examples/non-mls-color/secolor.conf:
--------------------------------------------------------------------------------
1 |
2 | color black = #000000
3 | color green = #008000
4 | color yellow = #ffff00
5 | color blue = #0000ff
6 | color white = #ffffff
7 | color red = #ff0000
8 | color orange = #ffa500
9 | color tan = #D2B48C
10 |
11 | user * = black green
12 | role * = white black
13 | type * = tan orange
14 |
--------------------------------------------------------------------------------
/mcstrans/share/examples/pipes/pipes.test:
--------------------------------------------------------------------------------
1 | Restricted Handle Via Iron Pipes Only==s2:c102,c200.c511
2 | Restricted Handle Via Copper Pipes Only==s2:c103,c200.c511
3 | Restricted Handle Via Plastic Pipes Only==s2:c101,c200.c511
4 | Restricted Handle Via Galvanized Pipes Only==s2:c104,c200.c511
5 | Restricted Handle Via Plastic,Iron,Copper Pipes Only==s2:c101.c103,c200.c511
6 | Restricted Handle Via Iron,Plastic,Copper Pipes Only=s2:c101.c103,c200.c511
7 |
--------------------------------------------------------------------------------
/mcstrans/share/examples/pipes/setrans.conf:
--------------------------------------------------------------------------------
1 |
2 | Domain=PipesTest
3 |
4 | s0=SystemLow
5 | s15:c0.c1023=SystemHigh
6 | s0-s15:c0.c1023=SystemLow-SystemHigh
7 |
8 | Base=Sensitivity Levels
9 | s1=Unclassified
10 | s1=U
11 | s2:c200.c511=Restricted
12 | s2:c200.c511=R
13 | s3:c200.c511=Confidential
14 | s3:c200.c511=C
15 | s4:c200.c511=Secret
16 | s4:c200.c511=S
17 | s5:c200.c511=Top Secret
18 | s5:c200.c511=TS
19 |
20 | Include=/etc/selinux/mls/setrans.d/pipes.conf
21 |
--------------------------------------------------------------------------------
/mcstrans/share/examples/pipes/setrans.d/pipes.conf:
--------------------------------------------------------------------------------
1 | ModifierGroup=Pipes
2 | Prefix=Handle Via
3 | Suffix=Pipes Only
4 | Suffix=Pipes
5 | Whitespace=,
6 | Join=,
7 |
8 | c101=Plastic
9 | c102=Iron
10 | c103=Copper
11 | c104=Galvanized
12 |
--------------------------------------------------------------------------------
/mcstrans/share/examples/urcsts-via-include/README:
--------------------------------------------------------------------------------
1 | Simple handling of
2 | UNCLASSIFIED
3 | RESTRICTED
4 | CONFIDENTIAL
5 | SECRET
6 | TOP SECRET
7 | via include files
8 |
9 | To use:
10 | cp -L setrans.conf /etc/selinux/mls/
11 | cp -L secolor.conf /etc/selinux/mls/
12 | rm -f /etc/selinux/mls/setrans.d/*
13 | cp setrans.d/* /etc/selinux/mls/setrans.d
14 | run_init /etc/init.d/mcstrans restart
15 |
16 | To test:
17 | /usr/share/mcstrans/util/mlstrans-test urcsts.test
18 |
--------------------------------------------------------------------------------
/mcstrans/share/examples/urcsts-via-include/secolor.conf:
--------------------------------------------------------------------------------
1 |
2 | color black = #000000
3 | color green = #008000
4 | color yellow = #ffff00
5 | color blue = #0000ff
6 | color white = #ffffff
7 | color red = #ff0000
8 | color orange = #ffa500
9 | color tan = #D2B48C
10 |
11 | user * = black black
12 | role * = black black
13 | type * = black black
14 | range s0-s0:c0.c1023 = black green
15 | range s1-s1:c0.c1023 = black green
16 | range s3-s3:c0.c1023 = black tan
17 | range s5-s5:c0.c1023 = white blue
18 | range s7-s7:c0.c1023 = black red
19 | range s9-s9:c0.c1023 = black orange
20 | range s15-s15:c0.c1023 = black yellow
21 |
22 |
--------------------------------------------------------------------------------
/mcstrans/share/examples/urcsts-via-include/setrans.conf:
--------------------------------------------------------------------------------
1 | #
2 | # Multi-Level Security translation table for SELinux
3 | #
4 | # Uncomment the following to disable translation library
5 | # disable=1
6 | #
7 | # Objects can be labeled with one of 16 levels and be categorized with 0-1023
8 | # categories defined by the admin.
9 | # Objects can be in more than one category at a time.
10 | # Users can modify this table to translate the MLS labels for different purposes.
11 | #
12 |
13 | # Demonstrate Include by moving everything to an include file
14 | #
15 | Include=/etc/selinux/mls/setrans.d/*.conf
16 |
--------------------------------------------------------------------------------
/mcstrans/share/examples/urcsts-via-include/setrans.d/c.conf:
--------------------------------------------------------------------------------
1 | # UNCLASSIFIED
2 |
3 | s5=CONFIDENTIAL
4 | s5=C O N F I D E N T I A L
5 | s5=C
6 |
7 | # UNCLASSIFIED
8 |
--------------------------------------------------------------------------------
/mcstrans/share/examples/urcsts-via-include/setrans.d/r.conf:
--------------------------------------------------------------------------------
1 | # UNCLASSIFIED
2 |
3 | s3=RESTRICTED
4 | s3=R E S T R I C T E D
5 | s3=R
6 |
7 | # UNCLASSIFIED
8 |
--------------------------------------------------------------------------------
/mcstrans/share/examples/urcsts-via-include/setrans.d/s.conf:
--------------------------------------------------------------------------------
1 | # UNCLASSIFIED
2 |
3 | s7=SECRET
4 | s7=S E C R E T
5 | s7=S
6 |
7 | # UNCLASSIFIED
8 |
--------------------------------------------------------------------------------
/mcstrans/share/examples/urcsts-via-include/setrans.d/system.conf:
--------------------------------------------------------------------------------
1 | # UNCLASSIFIED
2 |
3 | s0=SystemLow
4 | s15:c0.c1023=SystemHigh
5 |
6 | # UNCLASSIFIED
7 |
--------------------------------------------------------------------------------
/mcstrans/share/examples/urcsts-via-include/setrans.d/ts.conf:
--------------------------------------------------------------------------------
1 | # UNCLASSIFIED
2 |
3 | s9=TOP SECRET
4 | s9=T O P S E C R E T
5 | s9=T O P S E C R E T
6 | s9=TS
7 |
8 | # UNCLASSIFIED
9 |
--------------------------------------------------------------------------------
/mcstrans/share/examples/urcsts-via-include/setrans.d/u.conf:
--------------------------------------------------------------------------------
1 | # UNCLASSIFIED
2 |
3 | s1=UNCLASSIFIED
4 | s1=UNCLAS
5 | s1=U
6 |
7 | # UNCLASSIFIED
8 |
--------------------------------------------------------------------------------
/mcstrans/share/examples/urcsts-via-include/urcsts.test:
--------------------------------------------------------------------------------
1 | # UNCLASSIFIED
2 |
3 | SystemLow=s0
4 | SystemHigh=s15:c0.c1023
5 |
6 | UNCLASSIFIED==s1
7 | UNCLAS=s1
8 | U=s1
9 |
10 | RESTRICTED==s3
11 | R E S T R I C T E D=s3
12 | R=s3
13 |
14 | CONFIDENTIAL==s5
15 | C O N F I D E N T I A L=s5
16 | C=s5
17 |
18 | SECRET==s7
19 | S E C R E T=s7
20 | S=s7
21 |
22 | TOP SECRET==s9
23 | T O P S E C R E T=s9
24 | T O P S E C R E T=s9
25 | TS=s9
26 |
27 | # UNCLASSIFIED
28 |
--------------------------------------------------------------------------------
/mcstrans/share/examples/urcsts/README:
--------------------------------------------------------------------------------
1 | Simple handling of
2 | UNCLASSIFIED
3 | RESTRICTED
4 | CONFIDENTIAL
5 | SECRET
6 | TOP SECRET
7 |
8 | To use:
9 | cp setrans.conf /etc/selinux/mls/setrans.conf
10 | cp secolor.conf /etc/selinux/mls/
11 | run_init /etc/init.d/mcstrans restart
12 |
13 | To test:
14 | /usr/share/mcstrans/util/mlstrans-test urcsts.test
15 | /usr/share/mcstrans/util/mlscolor-test urcsts.color
16 |
--------------------------------------------------------------------------------
/mcstrans/share/examples/urcsts/secolor.conf:
--------------------------------------------------------------------------------
1 |
2 | color black = #000000
3 | color green = #008000
4 | color yellow = #ffff00
5 | color blue = #0000ff
6 | color white = #ffffff
7 | color red = #ff0000
8 | color orange = #ffa500
9 | color tan = #D2B48C
10 |
11 | user * = black black
12 | role * = black black
13 | type * = black black
14 | range s0-s0:c0.c1023 = black green
15 | range s1-s1:c0.c1023 = black green
16 | range s3-s3:c0.c1023 = black tan
17 | range s5-s5:c0.c1023 = white blue
18 | range s7-s7:c0.c1023 = black red
19 | range s9-s9:c0.c1023 = black orange
20 | range s15-s15:c0.c1023 = black yellow
21 |
22 |
--------------------------------------------------------------------------------
/mcstrans/share/examples/urcsts/setrans.conf:
--------------------------------------------------------------------------------
1 | # UNCLASSIFIED
2 |
3 | s0=SystemLow
4 | s15:c0.c1023=SystemHigh
5 |
6 | s1=UNCLASSIFIED
7 | s1=UNCLAS
8 | s1=U
9 |
10 | s3=RESTRICTED
11 | s3=R E S T R I C T E D
12 | s3=R
13 |
14 | s5=CONFIDENTIAL
15 | s5=C O N F I D E N T I A L
16 | s5=C
17 |
18 | s7=SECRET
19 | s7=S E C R E T
20 | s7=S
21 |
22 | s9=TOP SECRET
23 | s9=T O P S E C R E T
24 | s9=T O P S E C R E T
25 | s9=TS
26 |
27 | # UNCLASSIFIED
28 |
--------------------------------------------------------------------------------
/mcstrans/share/examples/urcsts/urcsts.test:
--------------------------------------------------------------------------------
1 | # UNCLASSIFIED
2 |
3 | SystemLow=s0
4 | SystemHigh=s15:c0.c1023
5 |
6 | UNCLASSIFIED==s1
7 | UNCLAS=s1
8 | U=s1
9 |
10 | RESTRICTED==s3
11 | R E S T R I C T E D=s3
12 | R=s3
13 |
14 | CONFIDENTIAL==s5
15 | C O N F I D E N T I A L=s5
16 | C=s5
17 |
18 | SECRET==s7
19 | S E C R E T=s7
20 | S=s7
21 |
22 | TOP SECRET==s9
23 | T O P S E C R E T=s9
24 | T O P S E C R E T=s9
25 | TS=s9
26 |
27 | # UNCLASSIFIED
28 |
--------------------------------------------------------------------------------
/mcstrans/src/.gitignore:
--------------------------------------------------------------------------------
1 | mcstransd
2 |
--------------------------------------------------------------------------------
/mcstrans/src/README:
--------------------------------------------------------------------------------
1 | To rebuild with debugging support:
2 | make clean && env CFLAGS="-Wall -W -Wundef -Wmissing-noreturn -Wmissing-format-attribute -DDEBUG -g" LDFLAGS="-g" make
3 |
4 |
--------------------------------------------------------------------------------
/mcstrans/src/mcscolor.h:
--------------------------------------------------------------------------------
1 | #ifndef __mcscolor_h__
2 | #define __mcscolor_h__
3 |
4 | extern void finish_context_colors(void);
5 | extern int init_colors(void);
6 | extern int raw_color(const char *raw, char **color_str);
7 |
8 | #endif
9 |
--------------------------------------------------------------------------------
/mcstrans/src/mcstrans.h:
--------------------------------------------------------------------------------
1 | /* Copyright (c) 2006 Trusted Computer Solutions, Inc. */
2 |
3 | #include
4 |
5 | extern int init_translations(void);
6 | extern void finish_context_translations(void);
7 | extern int trans_context(const char *, char **);
8 | extern int untrans_context(const char *, char **);
9 |
--------------------------------------------------------------------------------
/mcstrans/src/mcstrans.service:
--------------------------------------------------------------------------------
1 | [Unit]
2 | Description=Translates SELinux MCS/MLS labels to human readable form
3 | Documentation=man:mcstransd(8)
4 | ConditionSecurity=selinux
5 | DefaultDependencies=no
6 | Before=shutdown.target sysinit.target
7 | Conflicts=shutdown.target
8 |
9 | [Service]
10 | ExecStart=/sbin/mcstransd -f
11 | RuntimeDirectory=setrans
12 | RuntimeDirectoryPreserve=true
13 |
14 | [Install]
15 | WantedBy=multi-user.target
16 |
--------------------------------------------------------------------------------
/mcstrans/src/mls_level.h:
--------------------------------------------------------------------------------
1 | #ifndef __mls_level_h__
2 | #define __mls_level_h__
3 |
4 | #include
5 |
6 | unsigned int mls_compute_string_len(mls_level_t *r);
7 | mls_level_t *mls_level_from_string(char *mls_context);
8 | char *mls_level_to_string(mls_level_t *r);
9 |
10 | #endif
11 |
--------------------------------------------------------------------------------
/mcstrans/utils/.gitignore:
--------------------------------------------------------------------------------
1 | transcon
2 | untranscon
3 |
--------------------------------------------------------------------------------
/mcstrans/utils/callgrind-mcstransd:
--------------------------------------------------------------------------------
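#!/bin/bash
# Profile a locally built mcstransd with valgrind's callgrind tool: stop the
# mcstrans service, run the build-tree binary under runcon, then start the
# service again through run_init.

# Check everything that can fail before the service is stopped, so a broken
# environment does not leave the service down.
cd ~root || exit 1

# The glob has to resolve to exactly one binary: a second match would be
# passed to mcstransd as an argument instead of being profiled, and an
# unmatched glob would be passed to valgrind as a literal path.
builds=(/usr/src/redhat/BUILD/*/src/mcstransd)
if [ "${#builds[@]}" -ne 1 ] || [ ! -x "${builds[0]}" ]; then
	echo "expected exactly one executable mcstransd under /usr/src/redhat/BUILD/*/src" >&2
	exit 1
fi

service mcstrans stop

# NOTE(review): the build-tree binary is started as system_u:system_r:setrans_t
# at s15:c0.c1023; confirm the build tree is writable only by root first.
runcon -u system_u -r system_r -t setrans_t -l s15:c0.c1023 -- valgrind --tool=callgrind "${builds[0]}"

run_init /etc/init.d/mcstrans start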
6 |
--------------------------------------------------------------------------------
/mcstrans/utils/transcon.c:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 | #include
4 | #include
5 | #include
6 | #include
7 | #include
8 | #include "mcstrans.h"
9 |
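/*
 * Print the command synopsis on stderr and exit with status 1.
 *
 * progname is normally argv[0]. It is NULL when the program is executed with
 * an empty argument vector, and passing NULL to "%s" is undefined behaviour,
 * so a fixed name is substituted in that case.
 */
static __attribute__((__noreturn__)) void usage(const char *progname)
{
	fprintf(stderr, "usage: %s context\n", progname ? progname : "transcon");
	exit(1);
}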
15 |
/*
 * transcon: hand the single command-line argument to trans_context() and
 * print the string it returns on stdout.
 *
 * Returns 0 after printing the result. If init_translations() or
 * trans_context() reports a non-zero status, prints "Failed" on stdout and
 * returns -1. Any argument count other than one ends in usage().
 */
int main(int argc, char **argv)
{
	char *translated;

	if (argc != 2)
		usage(argv[0]);

	/* Short-circuit keeps the original order: no translation attempt when
	 * initialisation failed. */
	if (init_translations() != 0 || trans_context(argv[1], &translated) != 0) {
		printf("Failed\n");
		return -1;
	}

	printf("%s\n", translated);
	freecon(translated);	/* release the string handed back by trans_context() */
	return 0;
}
29 |
30 |
31 |
--------------------------------------------------------------------------------
/mcstrans/utils/untranscon.c:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 | #include
4 | #include
5 | #include
6 | #include
7 | #include
8 | #include "mcstrans.h"
9 |
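/*
 * Print the command synopsis on stderr and exit with status 1.
 *
 * progname is normally argv[0]. It is NULL when the program is executed with
 * an empty argument vector, and passing NULL to "%s" is undefined behaviour,
 * so a fixed name is substituted in that case.
 */
static __attribute__((__noreturn__)) void usage(const char *progname)
{
	fprintf(stderr, "usage: %s context\n", progname ? progname : "untranscon");
	exit(1);
}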
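/*
 * untranscon: hand the single command-line argument to untrans_context() and
 * print the string it returns on stdout.
 *
 * Returns 0 after printing the result. If init_translations() or
 * untrans_context() reports a non-zero status, nothing is written to stdout,
 * a diagnostic goes to stderr and main returns -1. Any argument count other
 * than one ends in usage().
 */
int main(int argc, char **argv)
{
	char *scon;

	if (argc != 2)
		usage(argv[0]);

	if (init_translations() == 0 && untrans_context(argv[1], &scon) == 0) {
		printf("%s\n", scon);
		freecon(scon);	/* release the string handed back by untrans_context() */
		return 0;
	}

	/* The failure used to be silent. Report it on stderr so that stdout
	 * stays empty for callers that parse the output. */
	fprintf(stderr, "Failed\n");
	return -1;
}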
27 |
28 |
29 |
--------------------------------------------------------------------------------
/mcstrans/utils/valgrind-mcstransd:
--------------------------------------------------------------------------------
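#!/bin/bash
# Run a locally built mcstransd under valgrind's leak checker: stop the
# mcstrans service, run the build-tree binary under runcon, then start the
# service again through run_init.

# ../src/mcstransd is resolved against the caller's working directory
# (presumably mcstrans/utils). Check it before the service is stopped, so a
# wrong directory does not leave the service down.
daemon=../src/mcstransd
if [ ! -x "$daemon" ]; then
	echo "$daemon not found or not executable" >&2
	exit 1
fi

service mcstrans stop

# Same run without the runcon context switch, kept for reference:
#valgrind -v --leak-check=full --show-reachable=yes ../src/mcstransd

# NOTE(review): the build-tree binary is started as system_u:system_r:setrans_t
# at s15:c0.c1023; confirm the build tree is writable only by root first.
runcon -u system_u -r system_r -t setrans_t -l s15:c0.c1023 -- valgrind -v --leak-check=full --show-reachable=yes "$daemon"

run_init /etc/init.d/mcstrans start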
6 |
--------------------------------------------------------------------------------
/policycoreutils/.gitignore:
--------------------------------------------------------------------------------
1 | load_policy/load_policy
2 | newrole/newrole
3 | run_init/open_init_pty
4 | run_init/run_init
5 | secon/secon
6 | semodule/semodule
7 | sestatus/sestatus
8 | setfiles/restorecon
9 | setfiles/restorecon_xattr
10 | setfiles/setfiles
11 | setsebool/setsebool
12 | unsetfiles/unsetfiles
13 | hll/pp/pp
14 |
--------------------------------------------------------------------------------
/policycoreutils/.tx/config:
--------------------------------------------------------------------------------
1 | [main]
2 | host = https://www.transifex.com
3 |
4 | [policycoreutils.policycoreutils]
5 | file_filter = po/<lang>.po
6 | source_file = po/policycoreutils.pot
7 | source_lang = en
8 | type = PO
9 |
--------------------------------------------------------------------------------
/policycoreutils/Makefile:
--------------------------------------------------------------------------------
1 | SUBDIRS = setfiles load_policy newrole run_init secon sestatus semodule setsebool scripts po man hll unsetfiles
2 |
3 | all install relabel clean indent:
4 | @for subdir in $(SUBDIRS); do \
5 | (cd $$subdir && $(MAKE) $@) || exit 1; \
6 | done
7 |
8 | test:
9 |
--------------------------------------------------------------------------------
/policycoreutils/VERSION:
--------------------------------------------------------------------------------
1 | 3.8.1
2 |
--------------------------------------------------------------------------------
/policycoreutils/hll/Makefile:
--------------------------------------------------------------------------------
1 | SUBDIRS = pp
2 |
3 | all install relabel clean indent:
4 | @for subdir in $(SUBDIRS); do \
5 | (cd $$subdir && $(MAKE) $@) || exit 1; \
6 | done
7 |
8 | test:
9 |
--------------------------------------------------------------------------------
/policycoreutils/hll/pp/Makefile:
--------------------------------------------------------------------------------
1 | # Installation directories.
2 | PREFIX ?= /usr
3 | LIBEXECDIR ?= $(PREFIX)/libexec
4 | HLLDIR ?= $(LIBEXECDIR)/selinux/hll
5 | # Default warning flags. ?= only applies when CFLAGS is not already set, so a CFLAGS supplied by the caller or the environment replaces them, -Werror included.
6 | CFLAGS ?= -Werror -Wall -W
7 | override LDLIBS += -lsepol
8 | # Every .c file in this directory is compiled and linked into pp.
9 | PP_SRCS = $(sort $(wildcard *.c))
10 | PP_OBJS = $(patsubst %.c,%.o,$(PP_SRCS))
11 |
12 | all: pp
13 |
14 | pp: $(PP_OBJS)
15 | $(CC) $(LDFLAGS) -o $@ $^ $(LDLIBS)
16 |
17 | %.o: %.c
18 | $(CC) $(CPPFLAGS) $(CFLAGS) -c -o $@ $^
19 | # Installs pp with mode 755 under $(DESTDIR)$(HLLDIR). The leading '-' makes make ignore a failed mkdir and continue to the install command.
20 | install: all
21 | -mkdir -p $(DESTDIR)$(HLLDIR)
22 | install -m 755 pp $(DESTDIR)$(HLLDIR)
23 |
24 | relabel:
25 |
26 | clean:
27 | -rm -f pp $(PP_OBJS)
28 | # Runs the shared Lindent script over the C sources and headers in this directory.
29 | indent:
30 | ../../scripts/Lindent $(wildcard *.[ch])
31 |
--------------------------------------------------------------------------------
/policycoreutils/man/Makefile:
--------------------------------------------------------------------------------
1 | # Installation directories.
2 | LINGUAS ?=
3 | PREFIX ?= /usr
4 | MANDIR ?= $(PREFIX)/share/man
5 | MAN5DIR ?= $(MANDIR)/man5
6 |
7 | all:
8 |
9 | clean:
10 |
11 | install: all
12 | mkdir -p $(DESTDIR)$(MAN5DIR)
13 | install -m 644 man5/*.5 $(DESTDIR)$(MAN5DIR)
14 | for lang in $(LINGUAS) ; do \
15 | if [ -e $${lang}/man5 ] ; then \
16 | mkdir -p $(DESTDIR)$(MANDIR)/$${lang}/man5 ; \
17 | install -m 644 $${lang}/man5/*.5 $(DESTDIR)$(MANDIR)/$${lang}/man5 ; \
18 | fi ; \
19 | done
20 |
21 | relabel:
22 |
--------------------------------------------------------------------------------
/policycoreutils/newrole/newrole-lspp.pamd:
--------------------------------------------------------------------------------
1 | #%PAM-1.0
2 | auth include system-auth
3 | account include system-auth
4 | password include system-auth
5 | session required pam_namespace.so unmnt_remnt no_unmount_on_close
6 |
--------------------------------------------------------------------------------
/policycoreutils/newrole/newrole.pamd:
--------------------------------------------------------------------------------
1 | #%PAM-1.0
2 | # Uncomment the next line if you do not want to enter your password every time (pam_rootok.so then accepts any caller whose UID is 0 without a password prompt)
3 | # auth sufficient pam_rootok.so
4 | auth include system-auth
5 | account include system-auth
6 | password include system-auth
7 | session include system-auth
8 | session optional pam_xauth.so
9 |
--------------------------------------------------------------------------------
/policycoreutils/po/POTFILES:
--------------------------------------------------------------------------------
1 | ../run_init/open_init_pty.c
2 | ../run_init/run_init.c
3 | ../setsebool/setsebool.c
4 | ../newrole/newrole.c
5 | ../load_policy/load_policy.c
6 | ../sestatus/sestatus.c
7 | ../semodule/semodule.c
8 | ../setfiles/setfiles.c
9 | ../secon/secon.c
10 |
--------------------------------------------------------------------------------
/policycoreutils/run_init/run_init.pamd:
--------------------------------------------------------------------------------
1 | #%PAM-1.0
2 | # Uncomment the next line if you do not want to enter your password every time (pam_rootok.so then accepts any caller whose UID is 0 without a password prompt)
3 | #auth sufficient pam_rootok.so
4 | auth include system-auth
5 | account include system-auth
6 | password include system-auth
7 | session include system-auth
8 | session optional pam_xauth.so
9 |
--------------------------------------------------------------------------------
/policycoreutils/scripts/.gitignore:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/fedora-selinux/selinux/4a078ef23bcd87f8df9f024208ec61d21986b527/policycoreutils/scripts/.gitignore
--------------------------------------------------------------------------------
/policycoreutils/scripts/Makefile:
--------------------------------------------------------------------------------
1 | # Installation directories.
2 | LINGUAS ?=
3 | PREFIX ?= /usr
4 | SBINDIR ?= $(PREFIX)/sbin
5 | MANDIR ?= $(PREFIX)/share/man
6 |
7 | .PHONY: all
8 | all: fixfiles
9 |
10 | install: all
11 | -mkdir -p $(DESTDIR)$(SBINDIR)
12 | install -m 755 fixfiles $(DESTDIR)$(SBINDIR)
13 | -mkdir -p $(DESTDIR)$(MANDIR)/man8
14 | install -m 644 fixfiles.8 $(DESTDIR)$(MANDIR)/man8/
15 | for lang in $(LINGUAS) ; do \
16 | if [ -e $${lang} ] ; then \
17 | mkdir -p $(DESTDIR)$(MANDIR)/$${lang}/man8 ; \
18 | install -m 644 $${lang}/*.8 $(DESTDIR)$(MANDIR)/$${lang}/man8/ ; \
19 | fi ; \
20 | done
21 |
22 | clean:
23 |
24 | indent:
25 |
26 | relabel:
27 |
--------------------------------------------------------------------------------
/policycoreutils/semodule/.gitignore:
--------------------------------------------------------------------------------
1 | genhomedircon
2 |
--------------------------------------------------------------------------------
/policycoreutils/sestatus/sestatus.conf:
--------------------------------------------------------------------------------
1 | [files]
2 | /etc/passwd
3 | /etc/shadow
4 | /bin/bash
5 | /bin/login
6 | /bin/sh
7 | /sbin/agetty
8 | /sbin/init
9 | /sbin/mingetty
10 | /usr/sbin/sshd
11 | /lib/libc.so.6
12 | /lib/ld-linux.so.2
13 | /lib/ld.so.1
14 |
15 | [process]
16 | /sbin/mingetty
17 | /sbin/agetty
18 | /usr/sbin/sshd
19 |
--------------------------------------------------------------------------------
/policycoreutils/unsetfiles/Makefile:
--------------------------------------------------------------------------------
1 | PREFIX ?= /usr
2 | SBINDIR ?= $(PREFIX)/sbin
3 | MANDIR ?= $(PREFIX)/share/man
4 | # override makes these additions apply even when CFLAGS or LDLIBS are given on the make command line.
5 | override CFLAGS += -D_GNU_SOURCE
6 | override LDLIBS += -lselinux
7 |
8 |
9 | all: unsetfiles
10 | # No recipe is given for the link step; make's built-in rules are relied on, which is where LDLIBS is used.
11 | unsetfiles: unsetfiles.o
12 | # Creates the target directories (mode 755) when absent, then installs the binary (755) and its man page (644).
13 | install: all
14 | test -d $(DESTDIR)$(SBINDIR) || install -m 755 -d $(DESTDIR)$(SBINDIR)
15 | test -d $(DESTDIR)$(MANDIR)/man1 || install -m 755 -d $(DESTDIR)$(MANDIR)/man1
16 | install -m 755 unsetfiles $(DESTDIR)$(SBINDIR)
17 | install -m 644 unsetfiles.1 $(DESTDIR)$(MANDIR)/man1/
18 |
19 | clean:
20 | -rm -f unsetfiles *.o
21 |
22 | indent:
23 | ../../scripts/Lindent $(wildcard *.[ch])
24 | # Runs restorecon on the installed binary; the path includes $(DESTDIR), so this acts on the staged copy when DESTDIR is set.
25 | relabel: install
26 | /sbin/restorecon $(DESTDIR)$(SBINDIR)/unsetfiles
27 |
--------------------------------------------------------------------------------
/python/Makefile:
--------------------------------------------------------------------------------
1 | SUBDIRS = sepolicy audit2allow semanage sepolgen chcat po
2 |
3 | all install relabel clean indent test:
4 | @for subdir in $(SUBDIRS); do \
5 | (cd $$subdir && $(MAKE) $@) || exit 1; \
6 | done
7 |
--------------------------------------------------------------------------------
/python/VERSION:
--------------------------------------------------------------------------------
1 | 3.8.1
2 |
--------------------------------------------------------------------------------
/python/audit2allow/.gitignore:
--------------------------------------------------------------------------------
1 | sepolgen-ifgen-attr-helper
2 | test_dummy_policy
3 |
--------------------------------------------------------------------------------
/python/audit2allow/audit2why:
--------------------------------------------------------------------------------
1 | audit2allow
--------------------------------------------------------------------------------
/python/audit2allow/audit2why.1:
--------------------------------------------------------------------------------
1 | .so man1/audit2allow.1
2 |
--------------------------------------------------------------------------------
/python/chcat/Makefile:
--------------------------------------------------------------------------------
1 | # Installation directories.
2 | LINGUAS ?=
3 | PREFIX ?= /usr
4 | BINDIR ?= $(PREFIX)/bin
5 | MANDIR ?= $(PREFIX)/share/man
6 |
7 | .PHONY: all
8 | all: chcat
9 |
10 | install: all
11 | -mkdir -p $(DESTDIR)$(BINDIR)
12 | install -m 755 chcat $(DESTDIR)$(BINDIR)
13 | -mkdir -p $(DESTDIR)$(MANDIR)/man8
14 | install -m 644 chcat.8 $(DESTDIR)$(MANDIR)/man8/
15 | for lang in $(LINGUAS) ; do \
16 | if [ -e $${lang} ] ; then \
17 | mkdir -p $(DESTDIR)$(MANDIR)/$${lang}/man8 ; \
18 | install -m 644 $${lang}/*.8 $(DESTDIR)$(MANDIR)/$${lang}/man8/ ; \
19 | fi ; \
20 | done
21 |
22 | clean:
23 |
24 | indent:
25 |
26 | relabel:
27 |
28 | test:
29 |
--------------------------------------------------------------------------------
/python/po/POTFILES:
--------------------------------------------------------------------------------
1 | ../audit2allow/audit2allow
2 | ../chcat/chcat
3 | ../semanage/semanage
4 | ../semanage/seobject.py
5 | ../sepolgen/src/sepolgen/interfaces.py
6 | ../sepolicy/sepolicy/generate.py
7 | ../sepolicy/sepolicy/gui.py
8 | ../sepolicy/sepolicy/__init__.py
9 | ../sepolicy/sepolicy/interface.py
10 | ../sepolicy/sepolicy.py
11 |
--------------------------------------------------------------------------------
/python/sepolgen/Makefile:
--------------------------------------------------------------------------------
1 | all: ;
2 |
3 | install:
4 | $(MAKE) -C src $@
5 |
6 | relabel: ;
7 |
8 | clean:
9 | $(MAKE) -C src $@
10 | $(MAKE) -C tests $@
11 | rm -f *~ *.pyc
12 | rm -f parser.out parsetab.py
13 |
14 | indent: ;
15 |
16 | test:
17 | $(MAKE) -C tests $@
18 |
19 |
20 |
21 |
--------------------------------------------------------------------------------
/python/sepolgen/VERSION:
--------------------------------------------------------------------------------
1 | 3.8.1
2 |
--------------------------------------------------------------------------------
/python/sepolgen/src/Makefile:
--------------------------------------------------------------------------------
1 | all: ;
2 |
3 | install:
4 | $(MAKE) -C sepolgen $@
5 | $(MAKE) -C share $@
6 |
7 | relabel: ;
8 |
9 | clean:
10 | $(MAKE) -C sepolgen $@
11 | $(MAKE) -C share $@
12 | rm -f *~ *.pyc
13 | rm -f parser.out parsetab.py
14 |
15 | indent: ;
16 |
17 |
18 | test: ;
19 |
20 |
21 |
22 |
--------------------------------------------------------------------------------
/python/sepolgen/src/sepolgen/Makefile:
--------------------------------------------------------------------------------
1 | PREFIX ?= /usr
2 | PYTHON ?= python3
3 | PYTHONLIBDIR ?= $(shell $(PYTHON) -c "import sysconfig; print(sysconfig.get_path('purelib', vars={'platbase': '$(PREFIX)', 'base': '$(PREFIX)'}))")
4 | PACKAGEDIR ?= /$(PYTHONLIBDIR)/sepolgen
5 | # PYTHONLIBDIR is computed by running $(PYTHON) and asking sysconfig for the 'purelib' path under $(PREFIX). $(PREFIX) is pasted textually into a quoted Python string inside a double-quoted shell argument, so it has to be a plain path without quote characters or shell metacharacters.
6 | all:
7 | # Installs every .py file in this directory, mode 644, into $(DESTDIR)$(PACKAGEDIR); the leading '-' makes make ignore a failed mkdir.
8 | install: all
9 | -mkdir -p $(DESTDIR)$(PACKAGEDIR)
10 | install -m 644 *.py $(DESTDIR)$(PACKAGEDIR)
11 |
12 | clean:
13 | rm -f parser.out parsetab.py
14 | rm -f *~ *.pyc
15 | rm -rf __pycache__
16 |
--------------------------------------------------------------------------------
/python/sepolgen/src/sepolgen/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/fedora-selinux/selinux/4a078ef23bcd87f8df9f024208ec61d21986b527/python/sepolgen/src/sepolgen/__init__.py
--------------------------------------------------------------------------------
/python/sepolgen/src/share/Makefile:
--------------------------------------------------------------------------------
1 | SHAREDIR ?= /var/lib/sepolgen
2 |
3 | all:
4 |
5 | install: all
6 | -mkdir -p $(DESTDIR)$(SHAREDIR)
7 | install -m 644 perm_map $(DESTDIR)$(SHAREDIR)
8 |
9 | clean:
10 | rm -f *~
11 |
--------------------------------------------------------------------------------
/python/sepolgen/tests/.gitignore:
--------------------------------------------------------------------------------
1 | module_compile_test.fc
2 | module_compile_test.if
3 | output
4 | tmp/
5 |
--------------------------------------------------------------------------------
/python/sepolgen/tests/Makefile:
--------------------------------------------------------------------------------
1 | PYTHON ?= python3
2 |
3 | clean:
4 | rm -f *~ *.pyc
5 | rm -f parser.out parsetab.py
6 | rm -f out.txt
7 | rm -f module_compile_test.fc
8 | rm -f module_compile_test.if
9 | rm -f module_compile_test.pp
10 | rm -f output
11 | rm -rf __pycache__ tmp
12 |
13 | test:
14 | $(PYTHON) run-tests.py
15 |
--------------------------------------------------------------------------------
/python/sepolgen/tests/module_compile_test.te:
--------------------------------------------------------------------------------
1 | module module_compile_test 1.0;
2 |
3 | require {
4 | type foo, bar;
5 | class file { read write };
6 | }
7 |
8 | allow foo bar : file { read write };
9 |
--------------------------------------------------------------------------------
/python/sepolgen/tests/run-tests.py:
--------------------------------------------------------------------------------
1 | import unittest
2 | import sys
3 | # Aggregate runner: star-imports the test_* modules so that unittest.main() finds their test cases in this module.
4 | sys.path.insert(0, "../src/.")  # relative to the current working directory, so run this from the tests directory; the in-tree sources are searched before any installed copy
5 | from test_access import *
6 | from test_audit import *
7 | from test_refpolicy import *
8 | from test_refparser import *
9 | from test_policygen import *
10 | from test_matching import *
11 | from test_interfaces import *
12 | from test_objectmodel import *
13 | from test_module import *
14 | # Only run the suite when executed as a script, not when imported.
15 | if __name__ == "__main__":
16 | unittest.main()
17 |
--------------------------------------------------------------------------------
/python/sepolicy/.gitignore:
--------------------------------------------------------------------------------
1 | build
2 | tmp
3 | *.bak
4 | sepolicy.egg-info/
5 |
--------------------------------------------------------------------------------
/python/sepolicy/sepolgen.8:
--------------------------------------------------------------------------------
1 | .so man8/sepolicy-generate.8
2 |
--------------------------------------------------------------------------------
/python/sepolicy/sepolicy-gui.8:
--------------------------------------------------------------------------------
1 | .TH "sepolicy-gui" "8" "20121005" "" ""
2 | .SH "NAME"
3 | sepolicy-gui \- Graphical User Interface for SELinux policy.
4 |
5 | .SH "SYNOPSIS"
6 |
7 | Common options
8 |
9 | .B sepolicy gui [\-h ] [ \-d DOMAIN ]
10 |
11 | .br
12 |
13 | .SH "DESCRIPTION"
14 | Use \fBsepolicy gui\fP to run the graphical user interface, which
15 | allows you to explore how SELinux confines different process domains.
16 |
17 | .SH "OPTIONS"
18 | .TP
19 | .I \-h, \-\-help
20 | Display help message
21 | .TP
22 | .I \-d, \-\-domain
23 | Initialize gui to the selected domain
24 |
25 | .SH "AUTHOR"
26 | This man page was written by Daniel Walsh
27 |
28 | .SH "SEE ALSO"
29 | sepolicy(8), selinux(8)
30 |
--------------------------------------------------------------------------------
/python/sepolicy/sepolicy/help/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/fedora-selinux/selinux/4a078ef23bcd87f8df9f024208ec61d21986b527/python/sepolicy/sepolicy/help/__init__.py
--------------------------------------------------------------------------------
/python/sepolicy/sepolicy/help/booleans.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/fedora-selinux/selinux/4a078ef23bcd87f8df9f024208ec61d21986b527/python/sepolicy/sepolicy/help/booleans.png
--------------------------------------------------------------------------------
/python/sepolicy/sepolicy/help/booleans.txt:
--------------------------------------------------------------------------------
1 | You are viewing the booleans page for the application domain.
2 |
3 |
4 | SELinux policy writers have written booleans (if-then-else rules) into the policy. This allows the administrator to change the way SELinux enforces policy on an application. The administrator can tighten or loosen the SELinux policy based on their needs.
5 |
6 | You can use the 'Filter Text Entry' to search for appropriate booleans. The 'Show Modified Only' toggle shows only the booleans that have been customized on your system.
7 |
--------------------------------------------------------------------------------
/python/sepolicy/sepolicy/help/booleans_more.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/fedora-selinux/selinux/4a078ef23bcd87f8df9f024208ec61d21986b527/python/sepolicy/sepolicy/help/booleans_more.png
--------------------------------------------------------------------------------
/python/sepolicy/sepolicy/help/booleans_more.txt:
--------------------------------------------------------------------------------
1 | You are viewing the booleans page for the application domain.
2 |
3 |
4 | Selecting the 'More...' button will open a dialog containing the SELinux allow rules that are turned on by the selected boolean.
5 |
--------------------------------------------------------------------------------
/python/sepolicy/sepolicy/help/booleans_more_show.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/fedora-selinux/selinux/4a078ef23bcd87f8df9f024208ec61d21986b527/python/sepolicy/sepolicy/help/booleans_more_show.png
--------------------------------------------------------------------------------
/python/sepolicy/sepolicy/help/booleans_more_show.txt:
--------------------------------------------------------------------------------
1 | You are viewing the booleans page for the application domain.
2 |
--------------------------------------------------------------------------------
/python/sepolicy/sepolicy/help/booleans_toggled.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/fedora-selinux/selinux/4a078ef23bcd87f8df9f024208ec61d21986b527/python/sepolicy/sepolicy/help/booleans_toggled.png
--------------------------------------------------------------------------------
/python/sepolicy/sepolicy/help/booleans_toggled.txt:
--------------------------------------------------------------------------------
1 | You are viewing the booleans page for the application domain.
2 |
3 |
4 | Toggle the button to turn the boolean on or off. The change does not take effect immediately: all changes on the application screen are bundled into a single transaction, and you need to select the update button to apply them to the system.
5 |
--------------------------------------------------------------------------------
/python/sepolicy/sepolicy/help/file_equiv.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/fedora-selinux/selinux/4a078ef23bcd87f8df9f024208ec61d21986b527/python/sepolicy/sepolicy/help/file_equiv.png
--------------------------------------------------------------------------------
/python/sepolicy/sepolicy/help/files_apps.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/fedora-selinux/selinux/4a078ef23bcd87f8df9f024208ec61d21986b527/python/sepolicy/sepolicy/help/files_apps.png
--------------------------------------------------------------------------------
/python/sepolicy/sepolicy/help/files_apps.txt:
--------------------------------------------------------------------------------
1 | This screen shows application types that are defined for processes running with the '%(APP)s' type.
2 |
3 |
4 | The description should give you a decent description for what the application is allowed to do with the type. If your application type is being denied access to a particular file, you might want to change the label of that file.
5 |
6 | It is recommended that you use one of the types defined on this page.
7 |
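8 | Note: if the label of the content that is being denied is owned by another domain, you might have to write policy or use 'audit2allow -M mypol' to allow access. Review the rules that audit2allow generates before loading the module, because it generates an allow rule for each denial it is given, whether or not that access should be permitted.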
9 |
--------------------------------------------------------------------------------
/python/sepolicy/sepolicy/help/files_exec.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/fedora-selinux/selinux/4a078ef23bcd87f8df9f024208ec61d21986b527/python/sepolicy/sepolicy/help/files_exec.png
--------------------------------------------------------------------------------
/python/sepolicy/sepolicy/help/files_exec.txt:
--------------------------------------------------------------------------------
1 | This screen shows application types that can transition to a process running with the '%(APP)s' type.
2 |
3 |
4 | In SELinux these are called entrypoints. SELinux controls the executable files that can be used as an entrypoint to a confined domain. If you have an alternate executable that you would like to run in the '%(APP)s' domain, you need to change the executable file type to the entrypoint type.
5 |
--------------------------------------------------------------------------------
/python/sepolicy/sepolicy/help/files_write.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/fedora-selinux/selinux/4a078ef23bcd87f8df9f024208ec61d21986b527/python/sepolicy/sepolicy/help/files_write.png
--------------------------------------------------------------------------------
/python/sepolicy/sepolicy/help/files_write.txt:
--------------------------------------------------------------------------------
1 | This screen shows file types to which a process running with the '%(APP)s' type is allowed to write.
2 |
3 |
4 | The description should give you a decent description for what the application is allowed to do with the type. If your application type is being denied access to a particular file, you might want to change the label of that file.
5 |
6 | It is recommended that you use one of the types defined on this page.
7 |
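8 | Note: if the label of the content that is being denied is owned by another domain, you might have to write policy or use 'audit2allow -M mypol'
9 | to allow access. Review the rules that audit2allow generates before loading the module, because it generates an allow rule for each denial it is given, whether or not that access should be permitted.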
10 |
--------------------------------------------------------------------------------
/python/sepolicy/sepolicy/help/lockdown.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/fedora-selinux/selinux/4a078ef23bcd87f8df9f024208ec61d21986b527/python/sepolicy/sepolicy/help/lockdown.png
--------------------------------------------------------------------------------
/python/sepolicy/sepolicy/help/lockdown.txt:
--------------------------------------------------------------------------------
1 | The Lockdown Screen allows you to tighten the SELinux Security on your machine.
2 |
3 |
4 | These lockdown measures are recommended, but can cause SELinux issues. If you have a machine you truly want to secure, and are confident in your understanding of SELinux you should try some of these options.
5 |
--------------------------------------------------------------------------------
/python/sepolicy/sepolicy/help/lockdown_permissive.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/fedora-selinux/selinux/4a078ef23bcd87f8df9f024208ec61d21986b527/python/sepolicy/sepolicy/help/lockdown_permissive.png
--------------------------------------------------------------------------------
/python/sepolicy/sepolicy/help/lockdown_permissive.txt:
--------------------------------------------------------------------------------
1 | Disable Permissive Processes
2 |
3 |
4 | Disabling the 'permissivedomains' module allows you to remove all permissive domains shipped with the distribution.
5 |
6 | When the distribution policy writers write a new confined domain, they initially ship the policy for that domain in permissive mode. Permissive mode means that a process running in the domain will not be confined by SELinux. The kernel will log the AVC messages, access denials, that would have happened had the process been run in enforcing mode.
7 |
8 | Permissive domain policies are experimental and will be turned to enforcing in future operating system releases.
9 |
10 | Note if you disable the permissive domains module, you may see an increase in the denials in your log files.
11 |
--------------------------------------------------------------------------------
/python/sepolicy/sepolicy/help/lockdown_ptrace.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/fedora-selinux/selinux/4a078ef23bcd87f8df9f024208ec61d21986b527/python/sepolicy/sepolicy/help/lockdown_ptrace.png
--------------------------------------------------------------------------------
/python/sepolicy/sepolicy/help/lockdown_unconfined.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/fedora-selinux/selinux/4a078ef23bcd87f8df9f024208ec61d21986b527/python/sepolicy/sepolicy/help/lockdown_unconfined.png
--------------------------------------------------------------------------------
/python/sepolicy/sepolicy/help/lockdown_unconfined.txt:
--------------------------------------------------------------------------------
1 | Disable Unconfined System Processes
2 |
3 |
4 | By default, any system process started at boot that does not have SELinux policy defined for it runs as initrc_t or init_t. These domains are unconfined by SELinux. Other similar processes which do not have SELinux policy written for them also run unconfined. Disabling the unconfined module moves you closer to what used to be called strict policy, and locks down your machine more tightly.
5 |
6 | Disabling the unconfined module will leave certain unconfined domains running on your system, specifically the unconfined_t user. If you do not
7 | want unconfined_t users on your system you would need to remove them from the 'Login Mapping' and Users Screens.
8 |
9 | Note if you disable the unconfined module, you may see an increase in the denials, and if you have processes running as initrc_t, you may need to write policy for them.
10 |
--------------------------------------------------------------------------------
/python/sepolicy/sepolicy/help/login.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/fedora-selinux/selinux/4a078ef23bcd87f8df9f024208ec61d21986b527/python/sepolicy/sepolicy/help/login.png
--------------------------------------------------------------------------------
/python/sepolicy/sepolicy/help/login.txt:
--------------------------------------------------------------------------------
1 | By Default on a SELinux Targeted Policy system, all users login using the unconfined_t user.
2 |
3 |
4 | But SELinux has a very powerful concept called confined users. You can setup individual users on your system to login with different SELinux user types. This Login Mapping Screen allows you to map a Linux login user to an SELinux User.
5 |
6 | Default SELinux Users:
7 |
8 | * Terminal user/ssh - guest_u
9 | - No Network, No setuid, no exec in homedir
10 |
11 | * Browser user/kiosk - xguest_u
12 | - Web access ports only. No setuid, no exec in homedir
13 |
14 | * Full Desktop user - user_u
15 | - Full Network, No SETUID.
16 |
17 | * Confined Admin/Desktop User - staff_u
18 | - Full Network, sudo to admin only, no root password. Usually a confined admin
19 |
20 | * Unconfined user - unconfined_u (Default)
21 | - SELinux does not block access.
22 |
--------------------------------------------------------------------------------
/python/sepolicy/sepolicy/help/login_default.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/fedora-selinux/selinux/4a078ef23bcd87f8df9f024208ec61d21986b527/python/sepolicy/sepolicy/help/login_default.png
--------------------------------------------------------------------------------
/python/sepolicy/sepolicy/help/login_default.txt:
--------------------------------------------------------------------------------
1 | The Login Mapping Screen has a special Login user called __default__. This record is used to setup the default login user for any login account that is not specified separately.
2 |
3 |
4 | If this is a desktop system you might want to specify the user_u or xguest_u user. If this is a terminal server the guest_u user might be a good match.
5 |
6 | Then you would need to add the admin users or a Linux group with a different label. Perhaps as unconfined_u or staff_u.
7 |
8 | You could use %%wheel to indicate the wheel group.
9 |
--------------------------------------------------------------------------------
/python/sepolicy/sepolicy/help/ports_inbound.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/fedora-selinux/selinux/4a078ef23bcd87f8df9f024208ec61d21986b527/python/sepolicy/sepolicy/help/ports_inbound.png
--------------------------------------------------------------------------------
/python/sepolicy/sepolicy/help/ports_inbound.txt:
--------------------------------------------------------------------------------
1 | This screen shows the network ports that processes running with the '%(APP)s' type are allowed to bind to.
2 |
3 |
4 | SELinux controls the network ports that an application is allowed to bind to, based on SELinux port types.
5 |
6 | This screen allows you to modify the port number/port type definitions to which '%(APP)s' is currently allowed to bind.
7 |
--------------------------------------------------------------------------------
/python/sepolicy/sepolicy/help/ports_outbound.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/fedora-selinux/selinux/4a078ef23bcd87f8df9f024208ec61d21986b527/python/sepolicy/sepolicy/help/ports_outbound.png
--------------------------------------------------------------------------------
/python/sepolicy/sepolicy/help/ports_outbound.txt:
--------------------------------------------------------------------------------
1 | This screen shows the network ports to which processes running with the '%(APP)s' type are allowed to connect.
2 |
3 |
4 | SELinux controls the network ports that applications are allowed to connect to, based on SELinux port types.
5 |
6 | This screen allows you to modify the port number/port type definitions to which '%(APP)s' is currently allowed to connect.
7 |
--------------------------------------------------------------------------------
/python/sepolicy/sepolicy/help/start.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/fedora-selinux/selinux/4a078ef23bcd87f8df9f024208ec61d21986b527/python/sepolicy/sepolicy/help/start.png
--------------------------------------------------------------------------------
/python/sepolicy/sepolicy/help/start.txt:
--------------------------------------------------------------------------------
1 | You must 'Select' the initial screen to view for SELinux Configuration.
2 |
3 |
4 | This application allows you to browse SELinux confinement per application. You can enter the name of the application to see how SELinux confines it, or you could enter the SELinux name for the running process.
5 |
6 | Alternatively, you can choose to manage SELinux on the system or lock down the system via SELinux. You can also manage confined users and confined user mappings. Finally, you can set up file system labeling equivalence.
7 |
--------------------------------------------------------------------------------
/python/sepolicy/sepolicy/help/system.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/fedora-selinux/selinux/4a078ef23bcd87f8df9f024208ec61d21986b527/python/sepolicy/sepolicy/help/system.png
--------------------------------------------------------------------------------
/python/sepolicy/sepolicy/help/system.txt:
--------------------------------------------------------------------------------
1 | This screen allows you to view and modify the way SELinux is running on your system.
2 |
--------------------------------------------------------------------------------
/python/sepolicy/sepolicy/help/system_boot_mode.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/fedora-selinux/selinux/4a078ef23bcd87f8df9f024208ec61d21986b527/python/sepolicy/sepolicy/help/system_boot_mode.png
--------------------------------------------------------------------------------
/python/sepolicy/sepolicy/help/system_boot_mode.txt:
--------------------------------------------------------------------------------
1 | SELinux Systems can boot in three different modes.
2 |
3 |
4 | * Enforcing mode (Default)
5 | - SELinux security policy is enforced.
6 | * Permissive
7 | - SELinux prints warnings instead of enforcing.
8 | * Disabled
9 | - No SELinux policy is loaded, SELinux does not run.
10 |
11 | You can use this screen to change the enforcing mode.
12 |
13 | Note: if you disable SELinux, you will need to reboot to turn it off. Also, the next time you turn SELinux on, a full system relabel will be performed.
14 |
--------------------------------------------------------------------------------
/python/sepolicy/sepolicy/help/system_current_mode.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/fedora-selinux/selinux/4a078ef23bcd87f8df9f024208ec61d21986b527/python/sepolicy/sepolicy/help/system_current_mode.png
--------------------------------------------------------------------------------
/python/sepolicy/sepolicy/help/system_current_mode.txt:
--------------------------------------------------------------------------------
1 | You can switch SELinux between Enforcing mode and Permissive mode.
2 |
3 |
4 | When a machine is in permissive mode, SELinux does not block access, but it continues to log AVC messages for the accesses that would have been denied if the machine were in enforcing mode.
5 |
6 | Changing the current mode of the system will not survive a reboot. To make the change persistent, you need to change the system mode.
7 |
--------------------------------------------------------------------------------
/python/sepolicy/sepolicy/help/system_export.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/fedora-selinux/selinux/4a078ef23bcd87f8df9f024208ec61d21986b527/python/sepolicy/sepolicy/help/system_export.png
--------------------------------------------------------------------------------
/python/sepolicy/sepolicy/help/system_export.txt:
--------------------------------------------------------------------------------
1 | SELinux allows you to export/import the current configuration of the machine.
2 |
3 |
4 | If you have several machines configured the same way you may want to modify the SELinux configuration on one machine and then export the configuration to a file. Then you could copy that file to another machine and import it on that machine.
5 |
6 | Note: if you import a configuration onto a machine, the existing local configuration will be removed.
7 |
--------------------------------------------------------------------------------
/python/sepolicy/sepolicy/help/system_policy_type.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/fedora-selinux/selinux/4a078ef23bcd87f8df9f024208ec61d21986b527/python/sepolicy/sepolicy/help/system_policy_type.png
--------------------------------------------------------------------------------
/python/sepolicy/sepolicy/help/system_policy_type.txt:
--------------------------------------------------------------------------------
1 | If you have more than one policy type installed, the advanced screen will become visible. You can select the advanced tab and modify the policy type that SELinux is running with.
2 |
3 | Policy types are installed as sub-directories of /etc/selinux.
4 |
5 | Changing the policy type of the machine will require the system to be relabeled in permissive mode. The GUI will ensure that proper labels get assigned on the next reboot.
6 |
--------------------------------------------------------------------------------
/python/sepolicy/sepolicy/help/system_relabel.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/fedora-selinux/selinux/4a078ef23bcd87f8df9f024208ec61d21986b527/python/sepolicy/sepolicy/help/system_relabel.png
--------------------------------------------------------------------------------
/python/sepolicy/sepolicy/help/system_relabel.txt:
--------------------------------------------------------------------------------
1 | SELinux is a labeling system. Sometimes the labels on disk can get messed up. One way to fix this is to trigger a full relabel on the next boot.
2 |
3 |
4 | You can toggle this behavior using this screen.
5 |
6 | Note: Sometimes a simple restorecon is all you need to fix the labels on a file or directory.
7 |
8 | If you add a new disk which does not have labels you could simply execute
9 |
10 | # restorecon -R -v PATHTODISK
11 |
--------------------------------------------------------------------------------
/python/sepolicy/sepolicy/help/transition_file.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/fedora-selinux/selinux/4a078ef23bcd87f8df9f024208ec61d21986b527/python/sepolicy/sepolicy/help/transition_file.png
--------------------------------------------------------------------------------
/python/sepolicy/sepolicy/help/transition_from.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/fedora-selinux/selinux/4a078ef23bcd87f8df9f024208ec61d21986b527/python/sepolicy/sepolicy/help/transition_from.png
--------------------------------------------------------------------------------
/python/sepolicy/sepolicy/help/transition_from.txt:
--------------------------------------------------------------------------------
1 | This screen shows that when a process running with the '%(APP)s' type executes the 'Commands File Paths', it will transition to the specified types.
2 |
3 |
4 | Under SELinux, when a process running with a 'type' attempts to execute an executable, one of three things can happen.
5 |
6 | 1. The process can be prevented from running the executable.
7 | 2. The executable executes with the same label as parent.
8 | 3. The executable 'transitions' to a new 'type' based on policy.
9 |
10 | This screen shows the executables that transition to another domain when '%(APP)s' executes them, and the 'SELinux Application Type' of the newly created process.
11 |
--------------------------------------------------------------------------------
/python/sepolicy/sepolicy/help/transition_from_boolean.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/fedora-selinux/selinux/4a078ef23bcd87f8df9f024208ec61d21986b527/python/sepolicy/sepolicy/help/transition_from_boolean.png
--------------------------------------------------------------------------------
/python/sepolicy/sepolicy/help/transition_from_boolean.txt:
--------------------------------------------------------------------------------
1 | Transitions can be controlled by SELinux Booleans.
2 |
3 |
4 | SELinux Booleans are if-then-else rules in policy that allow the administrator to modify the access control on a process type.
5 |
6 | Transition rules are either always allowed or can be turned on and off based on the boolean settings. If the 'Boolean Enabled' column has an arrow on it, this indicates the transition is controlled by a boolean.
7 |
8 | Go to the next screen to see the effect of clicking on the arrow.
9 |
--------------------------------------------------------------------------------
/python/sepolicy/sepolicy/help/transition_from_boolean_1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/fedora-selinux/selinux/4a078ef23bcd87f8df9f024208ec61d21986b527/python/sepolicy/sepolicy/help/transition_from_boolean_1.png
--------------------------------------------------------------------------------
/python/sepolicy/sepolicy/help/transition_from_boolean_1.txt:
--------------------------------------------------------------------------------
1 | After selecting the arrow under Boolean Enabled column, the line will expand to show a link which you can click. This will take you to the booleans page and allow you to enable the boolean which will enable or disable the transition.
2 |
--------------------------------------------------------------------------------
/python/sepolicy/sepolicy/help/transition_from_boolean_2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/fedora-selinux/selinux/4a078ef23bcd87f8df9f024208ec61d21986b527/python/sepolicy/sepolicy/help/transition_from_boolean_2.png
--------------------------------------------------------------------------------
/python/sepolicy/sepolicy/help/transition_from_boolean_2.txt:
--------------------------------------------------------------------------------
1 | This screen shows you the boolean page with the boolean selected.
2 |
3 |
4 | Enable or disable the boolean to turn on or off the transition.
5 |
--------------------------------------------------------------------------------
/python/sepolicy/sepolicy/help/transition_to.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/fedora-selinux/selinux/4a078ef23bcd87f8df9f024208ec61d21986b527/python/sepolicy/sepolicy/help/transition_to.png
--------------------------------------------------------------------------------
/python/sepolicy/sepolicy/help/transition_to.txt:
--------------------------------------------------------------------------------
1 | This screen shows the SELinux process 'types' which will transition to the '%(APP)s' type when executing the 'Commands File Paths'.
2 |
3 |
4 | Under SELinux, when a process running with a 'type' attempts to execute an executable, one of three things can happen.
5 |
6 | 1. The process can be prevented from running the executable.
7 | 2. The executable executes with the same label as parent.
8 | 3. The executable 'transitions' to a new 'type' based on policy.
9 |
10 | This screen shows the executables that transition to another domain when '%(APP)s' executes them, and the 'SELinux Application Type' of the newly created process.
11 |
--------------------------------------------------------------------------------
/python/sepolicy/sepolicy/help/users.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/fedora-selinux/selinux/4a078ef23bcd87f8df9f024208ec61d21986b527/python/sepolicy/sepolicy/help/users.png
--------------------------------------------------------------------------------
/python/sepolicy/sepolicy/help/users.txt:
--------------------------------------------------------------------------------
1 | By default on an SELinux Targeted Policy system, all users log in using the unconfined_t user.
2 |
3 | SELinux has a very powerful concept called confined users. You can set up individual users on your system to log in with different SELinux user types. This SELinux User Screen allows you to create/modify SELinux Users and map them to SELinux Roles and MLS/MCS Ranges.
4 |
5 | Default SELinux Users:
6 |
7 | * Terminal user/ssh - guest_u
8 | - No Network, No setuid, no exec in homedir
9 |
10 | * Browser user/kiosk - xguest_u
11 | - Web access ports only. No setuid, no exec in homedir
12 |
13 | * Full Desktop user - user_u
14 | - Full Network, No SETUID.
15 |
16 | * Confined Admin/Desktop User - staff_u
17 | - Full Network, sudo to admin only, no root password. Usually a confined admin
18 |
19 | * Unconfined user - unconfined_u (Default)
20 | - SELinux does not block access.
21 |
--------------------------------------------------------------------------------
/python/sepolicy/sepolicy/templates/__init__.py:
--------------------------------------------------------------------------------
1 | #
2 | # Copyright (C) 2007-2012 Red Hat
3 | #
4 | # This program is free software; you can redistribute it and/or modify
5 | # it under the terms of the GNU General Public License as published by
6 | # the Free Software Foundation; either version 2 of the License, or
7 | # (at your option) any later version.
8 | #
9 | # This program is distributed in the hope that it will be useful,
10 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
11 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 | # GNU General Public License for more details.
13 | #
14 | # You should have received a copy of the GNU General Public License
15 | # along with this program; if not, write to the Free Software
16 | # Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
17 | #
18 |
--------------------------------------------------------------------------------
/python/sepolicy/setup.py:
--------------------------------------------------------------------------------
#!/usr/bin/python3
"""Packaging script for the ``sepolicy`` package and its sub-packages."""

# Author: Thomas Liu
# Author: Dan Walsh
from setuptools import setup

# Python packages shipped by this distribution.
PACKAGES = ["sepolicy", "sepolicy.templates", "sepolicy.help"]

# Non-Python files installed with the packages, as glob patterns per package:
# the *.glade files for ``sepolicy`` and the *.txt / *.png help files for
# ``sepolicy.help``.
PACKAGE_DATA = {
    "sepolicy": ["*.glade"],
    "sepolicy.help": ["*.txt", "*.png"],
}

setup(
    name="sepolicy",
    version="3.8.1",
    description="Python SELinux Policy Analyses bindings",
    author="Daniel Walsh",
    author_email="dwalsh@redhat.com",
    packages=PACKAGES,
    package_data=PACKAGE_DATA,
)
23 |
--------------------------------------------------------------------------------
/restorecond/.gitignore:
--------------------------------------------------------------------------------
1 | restorecond
2 |
--------------------------------------------------------------------------------
/restorecond/VERSION:
--------------------------------------------------------------------------------
1 | 3.8.1
2 |
--------------------------------------------------------------------------------
/restorecond/org.selinux.Restorecond.service:
--------------------------------------------------------------------------------
1 | [D-BUS Service]
2 | Name=org.selinux.Restorecond
3 | Exec=/usr/sbin/restorecond -u
4 | SystemdService=restorecond_user.service
5 |
--------------------------------------------------------------------------------
/restorecond/restorecond.conf:
--------------------------------------------------------------------------------
1 | /etc/services
2 | /etc/resolv.conf
3 | /etc/samba/secrets.tdb
4 | /etc/updatedb.conf
5 | /run/utmp
6 | /var/log/wtmp
7 | /root/*
8 | /root/.ssh/*
9 |
--------------------------------------------------------------------------------
/restorecond/restorecond.desktop:
--------------------------------------------------------------------------------
1 | [Desktop Entry]
2 | Name=File Context maintainer
3 | Exec=/usr/sbin/restorecond -u
4 | Comment=Fix file context in owned by the user
5 | Type=Application
6 | StartupNotify=false
7 | X-GNOME-Autostart-enabled=false
8 | X-GNOME-HiddenUnderSystemd=true
9 |
--------------------------------------------------------------------------------
/restorecond/restorecond.service:
--------------------------------------------------------------------------------
1 | [Unit]
2 | Description=Restorecon maintaining path file context
3 | Documentation=man:restorecond(8)
4 | ConditionPathExists=/etc/selinux/restorecond.conf
5 | ConditionSecurity=selinux
6 |
7 | [Service]
8 | Type=forking
9 | ExecStart=/usr/sbin/restorecond
10 | PIDFile=/run/restorecond.pid
11 |
12 | [Install]
13 | WantedBy=multi-user.target
14 |
--------------------------------------------------------------------------------
/restorecond/restorecond_user.conf:
--------------------------------------------------------------------------------
1 | ~/*
2 | ~/public_html/*
3 | ~/.gnome2/*
4 | ~/local/*
5 | ~/.fonts/*
6 | ~/.cache/*
7 | ~/.config/*
8 | ~/.local/share/*
9 |
--------------------------------------------------------------------------------
/restorecond/restorecond_user.service:
--------------------------------------------------------------------------------
1 | [Unit]
2 | Description=Restorecon maintaining path file context (user service)
3 | Documentation=man:restorecond(8)
4 | ConditionPathExists=/etc/selinux/restorecond_user.conf
5 | ConditionSecurity=selinux
6 |
7 | [Service]
8 | Type=dbus
9 | BusName=org.selinux.Restorecond
10 | ExecStart=/usr/sbin/restorecond -u
11 |
--------------------------------------------------------------------------------
/sandbox/.gitignore:
--------------------------------------------------------------------------------
1 | seunshare
2 |
--------------------------------------------------------------------------------
/sandbox/VERSION:
--------------------------------------------------------------------------------
1 | 3.8.1
2 |
--------------------------------------------------------------------------------
/sandbox/po/POTFILES:
--------------------------------------------------------------------------------
1 | ../sandbox
2 |
--------------------------------------------------------------------------------
/sandbox/sandbox.conf:
--------------------------------------------------------------------------------
1 | # Control group configuration
2 | NAME=sandbox
3 | CPUAFFINITY=ALL
4 | MEMUSAGE=80%
5 | CPUUSAGE=80%
6 |
--------------------------------------------------------------------------------
/sandbox/sandbox.config:
--------------------------------------------------------------------------------
1 | # Space-separated list of homedirs
2 | HOMEDIRS="/home"
3 |
--------------------------------------------------------------------------------
/sandbox/start:
--------------------------------------------------------------------------------
#!/usr/bin/python3 -EsI
"""Run the command string given as the first argument and print its output.

The captured output is printed only when the command exits with status 0.
Any failure (a non-zero status, a missing argument, an exception while
running the command) is silently ignored, and the command's exit status is
not propagated as this script's own exit status.
"""
try:
    from subprocess import getstatusoutput
except ImportError:
    # Fallback for interpreters where subprocess has no getstatusoutput.
    from commands import getstatusoutput
import sys

# NOTE(review): getstatusoutput() runs its argument through a shell, so
# sys.argv[1] is interpreted as a complete shell command line, metacharacters
# included. Callers must only pass a string they fully control -- confirm at
# the call sites.
status, output = -1, ''
try:
    status, output = getstatusoutput(sys.argv[1])
except:
    # Best-effort by design: keep the failure defaults set above.
    pass
if status == 0:
    print(output)
14 |
--------------------------------------------------------------------------------
/scripts/.gitignore:
--------------------------------------------------------------------------------
1 | /output-scan-build/
2 |
--------------------------------------------------------------------------------
/scripts/Lindent:
--------------------------------------------------------------------------------
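#!/bin/sh
# Run indent(1) on the given files with the project's fixed option set.
# "-il0" is appended only when the installed indent reports version 2.2.10
# or newer.
PARAM="-npro -kr -i8 -ts8 -sob -l80 -ss -ncs -cp1"

# The third word of `indent --version` is taken as a dotted version string.
# $RES is left unquoted on purpose so that the output is collapsed into
# single-space-separated words before cut(1) picks the field.
RES=$(indent --version)
VERSION=$(echo $RES | cut -d' ' -f3)

# Print dot-separated field $2 of version string $1, or 0 when that field is
# missing or not a plain decimal number. This keeps the numeric tests below
# from failing with "integer expression expected" on unexpected
# `indent --version` output.
version_field() {
    field=$(printf '%s\n' "$1" | cut -d'.' -f"$2")
    case "$field" in
    '' | *[!0-9]*) echo 0 ;;
    *) echo "$field" ;;
    esac
}

V1=$(version_field "$VERSION" 1)
V2=$(version_field "$VERSION" 2)
V3=$(version_field "$VERSION" 3)

if [ "$V1" -gt 2 ] ||
    { [ "$V1" -eq 2 ] && [ "$V2" -gt 2 ]; } ||
    { [ "$V1" -eq 2 ] && [ "$V2" -eq 2 ] && [ "$V3" -ge 10 ]; }; then
    PARAM="$PARAM -il0"
fi

# $PARAM is intentionally unquoted: it must split into separate options.
indent $PARAM "$@"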
19 |
--------------------------------------------------------------------------------
/scripts/make-update:
--------------------------------------------------------------------------------
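#!/bin/bash
# Tag a package at the version recorded in its VERSION file, build the release
# tarball from that tag, and print the wiki link line and SHA-256 checksum for
# the Releases page.
#
# Arguments: last-release-date package-to-update
# Run from the directory that contains the package directory.

if [ "$#" -ne 2 ]; then
    echo "Usage: $0 last-release-date package-to-update"
    echo " e.g. $0 20131030 sepolgen"
    exit 1
fi

TAG=$1
PKG=$2

# Every expansion below is quoted so that an argument containing spaces or
# glob characters cannot split into extra words or expand to other paths.
DEST=../update-$TAG
mkdir -p "$DEST" || exit 1

if [ ! -d "$PKG" ]; then
    echo "$PKG does not exist."
    exit 1
fi

cd "$PKG" || exit 1
VERS=$(cat VERSION)
if [ -z "$VERS" ]; then
    echo "Could not read a version from $PKG/VERSION." >&2
    exit 1
fi
ARCHIVE=$PKG-$VERS.tar.gz

# NOTE(review): if this tag already exists, `git tag` fails and the archive
# below is built from whatever the existing tag points at, which may differ
# from the current checkout. Confirm the tag before publishing.
git tag "$PKG-$VERS"

# pipefail: a failing `git archive` must not be masked by gzip succeeding,
# otherwise a truncated tarball would be checksummed and published.
set -o pipefail
if ! git archive --format=tar --prefix="$PKG-$VERS/" "$PKG-$VERS" | gzip > "../$DEST/$ARCHIVE"; then
    echo "Failed to create $ARCHIVE." >&2
    rm -f "../$DEST/$ARCHIVE"
    exit 1
fi
cd .. || exit 1

cd "$DEST" || exit 1

echo "Copy $ARCHIVE from $DEST to the server and update its download link and checksum on the Releases wiki page:"

echo ""

# NOTE(review): the published link is plain http, so the checksum printed
# below is the only integrity check a downloader gets from this output.
# Confirm whether the release host serves https before changing the URL.
echo "[http://userspace.selinuxproject.org/releases/$TAG/$ARCHIVE $ARCHIVE]"
echo ""
echo "$(sha256sum "$ARCHIVE")"
echo ""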
37 |
--------------------------------------------------------------------------------
/secilc/.gitignore:
--------------------------------------------------------------------------------
1 | secilc
2 | secilc.8
3 | secil2conf
4 | secil2conf.8
5 | secil2tree
6 | secil2tree.8
7 | policy.*
8 | file_contexts
9 | docs/html
10 | docs/pdf
11 | docs/tmp
12 | opt-actual.bin
13 | opt-actual.cil
14 |
--------------------------------------------------------------------------------
/secilc/VERSION:
--------------------------------------------------------------------------------
1 | 3.8.1
2 |
--------------------------------------------------------------------------------
/secilc/docs/cil_design.dia:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/fedora-selinux/selinux/4a078ef23bcd87f8df9f024208ec61d21986b527/secilc/docs/cil_design.dia
--------------------------------------------------------------------------------
/secilc/docs/cil_design.jpeg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/fedora-selinux/selinux/4a078ef23bcd87f8df9f024208ec61d21986b527/secilc/docs/cil_design.jpeg
--------------------------------------------------------------------------------
/secilc/test/minimum.cil:
--------------------------------------------------------------------------------
1 | (class CLASS (PERM))
2 | (classorder (CLASS))
3 | (sid SID)
4 | (sidorder (SID))
5 | (user USER)
6 | (role ROLE)
7 | (type TYPE)
8 | (category CAT)
9 | (categoryorder (CAT))
10 | (sensitivity SENS)
11 | (sensitivityorder (SENS))
12 | (sensitivitycategory SENS (CAT))
13 | (allow TYPE self (CLASS (PERM)))
14 | (roletype ROLE TYPE)
15 | (userrole USER ROLE)
16 | (userlevel USER (SENS))
17 | (userrange USER ((SENS)(SENS (CAT))))
18 | (sidcontext SID (USER ROLE TYPE ((SENS)(SENS))))
--------------------------------------------------------------------------------
/semodule-utils/.gitignore:
--------------------------------------------------------------------------------
1 | semodule_package/semodule_package
2 | semodule_package/semodule_unpackage
3 | semodule_expand/semodule_expand
4 | semodule_link/semodule_link
5 |
--------------------------------------------------------------------------------
/semodule-utils/Makefile:
--------------------------------------------------------------------------------
# Sub-directories that the targets below recurse into, in this order.
SUBDIRS = semodule_package semodule_link semodule_expand

# Forward the requested target ($@) to each sub-directory in turn and stop at
# the first sub-make that fails.
all install relabel clean indent:
	@for dir in $(SUBDIRS); do \
		(cd $$dir && $(MAKE) $@) || exit 1; \
	done

# No recipe: "make test" does nothing at this level.
test:
9 |
--------------------------------------------------------------------------------
/semodule-utils/VERSION:
--------------------------------------------------------------------------------
1 | 3.8.1
2 |
--------------------------------------------------------------------------------
/semodule-utils/semodule_package/semodule_unpackage.8:
--------------------------------------------------------------------------------
1 | .TH SEMODULE_UNPACKAGE "8" "Nov 2005" "Security Enhanced Linux"
2 | .SH NAME
3 | semodule_unpackage \- Extract policy module and file context file from an SELinux policy module package.
4 |
5 | .SH SYNOPSIS
6 | .B semodule_unpackage ppfile modfile [fcfile]
7 | .br
8 | .SH DESCRIPTION
9 | .PP
10 | semodule_unpackage is a tool used to extract the SELinux policy module
11 | file and the file context file from an SELinux Policy Package.
12 |
13 | .SH EXAMPLE
14 | .nf
15 | # Extract the httpd module file from httpd policy package.
16 | $ semodule_unpackage httpd.pp httpd.mod httpd.fc
17 | .fi
18 |
19 | .SH SEE ALSO
20 | .B semodule_package(8)
21 | .SH AUTHORS
22 | .nf
23 | This manual page was written by Dan Walsh.
24 | The program was written by Stephen Smalley.
25 |
--------------------------------------------------------------------------------