#!/bin/bash
# 
# This script is used for Administration of RSBAC general file/dir attributes
#
#
# Make sure we're really running bash.
#
if [ -z "$BASH" ]; then
  echo "This menu requires bash" >&2
  exit 1
fi

# Shell options for the rest of the script:
#   -h        remember (hash) the location of commands once looked up
#   +o posix  leave POSIX mode so bash-specific behaviour is available
set -h
set +o posix

# Not used: space-separated list of the attribute names this menu deals with.
# The same names are passed as the last argument of attr_get_file_dir in
# get_attributes and in the help functions.
ATTRIBUTES="security_level mac_categories object_category data_type \
            pm_object_class pm_tp pm_object_type mac_trusted_for_user \
            ms_scanned ms_trusted ms_sock_trusted_tcp ms_sock_trusted_udp \
            ff_flags rc_type_fd rc_force_role rc_initial_role auth_may_setuid \
            auth_may_set_cap \
            log_array_low log_array_high log_program_based min_caps \
            max_caps symlink_add_uid symlink_add_rc_role linux_dac_disable"

# Directory for temporary files; /tmp when TMPDIR is unset or empty.
: "${TMPDIR:=/tmp}"

# Settings: the system-wide file first, then the per-user file.
# Both are sourced, i.e. executed as shell code with the privileges of whoever
# runs this menu, so they must not be writable by anyone else.
RSBACCONF=/etc/rsbac.conf
[ -f "$RSBACCONF" ] && . "$RSBACCONF"
[ -f ~/.rsbacrc ] && . ~/.rsbacrc

# Modules whose attributes are shown; every listed module <M> gets an exported
# SHOW_<M>=yes. The default list applies when no setting provided RSBACMOD.
: "${RSBACMOD:=GEN MAC FC SIM PM MS FF RC AUTH ACL CAP JAIL}"
for i in $RSBACMOD; do
  export SHOW_${i}=yes
done

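# Scratch file that holds the text shown in dialog boxes.
# mktemp creates it atomically under an unpredictable name. The fallback (no
# usable mktemp) has to use a predictable name in a possibly world-writable
# directory, so the file is created exclusively (noclobber) with a restrictive
# umask and the script stops if that fails, instead of writing later through
# a file or symlink that somebody else placed there.
if ! TMPFILE=$(mktemp -q "${TMPDIR:-/tmp}/rsbac_dialog.XXXXXX")
then
  TMPFILE=${TMPDIR:-/tmp}/rsbac_dialog_tmp.$$
  # Remove a stale file of our own; a foreign file in a sticky directory
  # survives this and makes the exclusive create below fail.
  rm -f -- "$TMPFILE"
  if ! ( umask 077; set -o noclobber; : > "$TMPFILE" ) 2>/dev/null
  then
    echo "Cannot safely create temporary file $TMPFILE" >&2
    exit 1
  fi
fi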

# set this to rsbac bin dir, if not in path (trailing / is mandatory!)
#
#if test -z "$RSBACPATH" ; then RSBACPATH=./ ; fi

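# set this to initial dir on script startup
LASTDIR='.'

# which dialog tool to use - dialog or kdialog or xdialog...
# DIALOG and RSBACPATH come from the environment or the sourced settings files
# and decide which program is executed for every menu.
if test -z "$DIALOG"
then DIALOG=${RSBACPATH}dialog
fi
# $DIALOG is run unquoted, as in the rest of the script.
# NOTE(review): presumably so a value carrying extra options still works; confirm.
if ! $DIALOG --clear
then
  echo "$DIALOG menu program required!" >&2
  # Non-zero status: a missing dialog program is a failure, not a clean exit.
  exit 1
fi
if ! $DIALOG --help 2>&1 | grep -q "help-button"
then
  echo "Newer dialog menu version >= 0.9a-20020309a with '--help-button' option" >&2
  echo "required, please use dialog from admin tools contrib dir or set" >&2
  echo "\$DIALOG to another dialog program, e.g. with rsbac_settings_menu!" >&2
  exit 1
fi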

# Terminal geometry: LINES and COLUMNS should be exported by the login
# environment (e.g. /etc/profile); otherwise assume a 25x80 screen.
: "${LINES:=25}"
: "${COLUMNS:=80}"
export LINES COLUMNS

# Sizes derived from the terminal size. The integer attribute makes bash
# evaluate the assigned text (e.g. "25-4") as an arithmetic expression.
declare -i BL BC MAXLINES
BL=$LINES-4
BC=$COLUMNS-4
MAXLINES=$LINES-10
gl () {
  # Print $1, capped at MAXLINES: a value greater than MAXLINES is replaced
  # by MAXLINES, anything else is echoed back unchanged.
  [ $1 -gt $MAXLINES ] && { echo $MAXLINES; return; }
  echo $1
}

# Titles handed to the dialog program. BACKTITLE keeps a value that is already
# set (environment or settings file); the others are always rebuilt here.
: "${BACKTITLE:=RSBAC Administration Tools v1.2.1}"
TITLE="$(whoami)@$(hostname): RSBAC File/Dir/Fifo/Symlink Administration"
HELPTITLE="$TITLE Help"
ERRTITLE="RSBAC File/Dir/Fifo/Symlink Administration - ERROR"

# set this to your kernel's current Malware Scan accept level
# (get_attributes compares an object's ms_scanned value against it and offers
# to raise it when the returned value is higher)
MSL=10

## no changes below this line!

# Special user ID values (2^32-3 and 2^32-4). get_attributes maps both to
# 'N/A' when it derives NEWMTUSER from mac_trusted_for_user.
NO_USER=4294967293
ALL_USERS=4294967292
# Attribute get mode and the matching extra option for attr_get_file_dir.
# GETSWITCH is empty here, so no extra option is passed.
# NOTE(review): presumably "real" vs. "effective" as described under
# 'Attribute Get Mode:' in the help text; the toggle is not in this part.
GETMODE=real
GETSWITCH=

# Earlier, small values of the RC constants below, left commented out.
#RCTYPEINHPROC=64
#RCTYPEINHPAR=65
#RCUSERINHERIT=64
#RCPROCINHERIT=65
#RCPARINHERIT=66
#RCMIXINHERIT=67
#RCUSEFR=68
# Special RC type and role values, counted down from 2^32-1.
# NOTE(review): judging by the names these are the "inherit from ..." and
# "use force role" pseudo values of the RC model; confirm against the RSBAC
# headers, and keep them in sync with the running kernel.
RCTYPEINHPROC=4294967295
RCTYPEINHPAR=4294967294
RCUSERINHERIT=4294967295
RCPROCINHERIT=4294967294
RCPARINHERIT=4294967293
RCMIXINHERIT=4294967292
RCUSEFR=4294967291

show_help () {
  # Show the help text for menu entry $1 in the language selected by
  # $RSBACLANG: DE -> German, RU -> Russian, anything else -> English.
  if [ "$RSBACLANG" = "DE" ]; then
    show_help_german "$1"
  elif [ "$RSBACLANG" = "RU" ]; then
    show_help_russian "$1"
  else
    show_help_english "$1"
  fi
}

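show_help_english () {
  # Show the English help text for menu entry $1 in a dialog text box.
  #
  # The text is written to $TMPFILE: the entry name, an empty line, the
  # description and, for entries that map to one attribute, an empty line
  # plus the output of "attr_get_file_dir -A <attribute>".
  # Globals read: TMPFILE, RSBACPATH, DIALOG, HELPTITLE, BACKTITLE, BL, BC.
  # Returns the exit status of the dialog program.
  local attr=
  {
    printf '%s\n\n' "$1"
    case "$1" in
      'FD List:')
        echo "Choose new filesystem object from list."
        ;;

      'FD Name:')
        echo "Enter path to new filesystem object."
        ;;

      'Follow')
        echo "Follow this symbolic link."
        ;;

      'Attribute Get Mode:')
        echo "Toggle whether real or effective (possibly inherited) attribute values"
        echo "are displayed."
        ;;

      'MAC Security Level:')
        echo "Set the MAC model security level."
        attr=security_level
        ;;

      'MAC Categories:')
        echo "Set the MAC model categories."
        attr=mac_categories
        ;;

      'MAC Trusted for User:')
        echo "Which user can run this program as a MAC model trusted program."
        attr=mac_trusted_for_user
        ;;

      'FC Object Category:')
        echo "Set the FC model object categories."
        attr=object_category
        ;;

      'SIM Data Type:')
        echo "Set the SIM model data type."
        attr=data_type
        ;;

      'PM Object Type:')
        echo "Set object type for PM model."
        attr=pm_object_type
        ;;

      'PM TP:')
        echo "Enter the PM model transaction procedure ID."
        attr=pm_tp
        ;;

      'PM Object Class:')
        echo "Select the PM model object class."
        attr=pm_object_class
        ;;

      'MS Scanned:')
        echo "This attribute shows, whether and with which result the file has been"
        echo "scanned by the MS module. Reset to unscanned to force a rescan."
        echo ""
        echo "Rejected files can only be opened by MS trusted programs."
        attr=ms_scanned
        ;;

      'MS Trusted:')
        echo "Toggle, whether this program file is an MS trusted program. Only trusted"
        echo "programs may open infected files."
        attr=ms_trusted
        ;;

      'MS Sock Trusted TCP:')
        echo "Toggle, whether this program file is an MS trusted program for TCP"
        echo "sockets. Only programs, which are TCP trusted, can read from a TCP"
        echo "socket, which has been marked as infected."
        attr=ms_sock_trusted_tcp
        ;;

      'MS Sock Trusted UDP:')
        echo "Toggle, whether this program file is an MS trusted program for UDP"
        echo "sockets. Only programs, which are UDP trusted, can read from a UDP"
        echo "socket, which has been marked as infected."
        attr=ms_sock_trusted_udp
        ;;

      'FF Flags:')
        echo "Select the FF model flags for this object, e.g. read-only."
        attr=ff_flags
        ;;

      'RC Type FD:')
        echo "Select the RC model filesystem object type."
        attr=rc_type_fd
        ;;

      'RC Force Role:')
        echo "Select an RC role, which is assigned and kept for the process running"
        echo "this program as long as the program runs. User default roles are ignored"
        echo "even on a CHANGE_OWNER (setuid)."
        attr=rc_force_role
        ;;

      'RC Initial Role:')
        echo "Select an RC role, which is assigned to the process starting this"
        echo "program. User default roles are applied on the next CHANGE_OWNER"
        echo "(setuid)."
        echo ""
        echo "Initial roles have precedence over forced roles, so you can use both"
        echo "mechanisms with the same program: the initial role is as given here,"
        echo "but the forced role will be applied on the next CHANGE_OWNER (setuid)."
        attr=rc_initial_role
        ;;

      'AUTH May Setuid:')
        echo "Toggle, whether this program is allowed to CHANGE_OWNER (setuid) to"
        echo "any user ID by AUTH model."
        attr=auth_may_setuid
        ;;

      'AUTH May Set Cap:')
        echo "Toggle, whether this program may set AUTH setuid capabilities for any"
        echo "process (but not for files)."
        echo "This flag is useful e.g. for authentication daemons. See AUTH"
        echo "description for details."
        attr=auth_may_set_cap
        ;;

      'AUTH Capabilities:')
        echo "These are ranges of user IDs, which this program may use in a"
        echo "CHANGE_OWNER (setuid) request. The capabilities are inherited to the"
        echo "process running the program."
        ;;

      'CAP Min Caps:')
        echo "Specify a set of Linux capabilities, which will always be set, when"
        echo "this program is run (ignoring the Max Caps set)."
        echo "Useful to start privileged (root) programs as normal user."
        attr=min_caps
        ;;

      'CAP Max Caps:')
        echo "Specify the maximum set of Linux capabilities, which are kept, when"
        echo "this program is run."
        echo "Useful to limit the privileges of a program run by root, e.g. the"
        echo "mailer daemon."
        attr=max_caps
        ;;

      'Log Array Low:' | 'Log Array High:')
        echo "Choose object based logging levels for this object."
        attr=log_array_low
        ;;

      'Log Program Based:')
        echo "Specify the request types, which should always be logged, when"
        echo "issued by this program."
        attr=log_program_based
        ;;

      'Symlink Add UID:')
        echo "Add the numeric ID of the user of the calling process to the contents"
        echo "of this symbolic link."
        echo "This can be used to e.g. point to individual /tmp dirs for all users."
        attr=symlink_add_uid
        ;;

      'Symlink Add RC Role:')
        echo "Add the role number of the calling process to the contents of this symbolic"
        echo "link."
        echo "This can be used to e.g. point to individual /tmp dirs for all roles."
        attr=symlink_add_rc_role
        ;;

      'Linux DAC disable:')
        echo "Disable the Linux access control for this object."
        echo "Specially useful, if you want to do access control by RSBAC only"
        echo "in some selected directory trees, without being hindered by Linux"
        echo "modes."
        echo ""
        echo "Note: This flag is only applied, when RSBAC is running, so you should"
        echo "rather use it than allow full Linux mode access."
        attr=linux_dac_disable
        ;;

      'Dev Attributes:')
        echo "Go to device attribute menu."
        ;;

      'ACL Menu:')
        echo "Go to ACL menu."
        ;;

      'Reset Attributes:')
        echo "Call attr_rm_fd to get the attribute object for this filesystem object"
        echo "removed. As result, all attribute values will be reset to their"
        echo "default values. Use with care!"
        ;;

      Quit)
        echo "Quit this menu."
        ;;

      *)
        echo "No help for $1 available!"
        ;;
    esac
    # Entries tied to a single attribute end with the tool's own description.
    if [ -n "$attr" ]; then
      echo ""
      "${RSBACPATH}attr_get_file_dir" -A "$attr"
    fi
  } > "$TMPFILE"   # quoted: the path may contain blanks (TMPDIR is user-set)
  # $DIALOG stays unquoted, as everywhere else in this script.
  $DIALOG --title "$HELPTITLE" \
          --backtitle "$BACKTITLE" \
          --textbox "$TMPFILE" $BL $BC
}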

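show_help_german () {
  # Show the German help text for menu entry $1 in a dialog text box.
  #
  # The text is written to $TMPFILE: the entry name, an empty line, the
  # description and, for entries that map to one attribute, an empty line
  # plus the output of "attr_get_file_dir -A <attribute>".
  # Globals read: TMPFILE, RSBACPATH, DIALOG, HELPTITLE, BACKTITLE, BL, BC.
  # Returns the exit status of the dialog program.
  #
  # The umlauts and sharp s that had been lost from the messages are restored;
  # the strings are UTF-8, so the menu has to run in a UTF-8 locale to show
  # them correctly.
  local attr=
  {
    printf '%s\n\n' "$1"
    case "$1" in
      'FD List:')
        echo 'Wähle neues Dateisystem-Objekt aus einer Liste.'
        ;;

      'FD Name:')
        echo 'Pfad zu Dateisystem-Objekt eingeben.'
        ;;

      'Follow')
        echo 'Folge diesem symbolischen Link.'
        ;;

      'Attribute Get Mode:')
        echo 'Umschalten, ob echte oder effektive (möglicherweise geerbte)'
        echo 'Attribut-Werte angezeigt werden.'
        ;;

      'MAC Security Level:')
        echo 'Setze den Sicherheitslevel für das MAC-Modells.'
        attr=security_level
        ;;

      'MAC Categories:')
        echo 'Setze die Kategorien für das MAC-Modell.'
        attr=mac_categories
        ;;

      'MAC Trusted for User:')
        echo 'Welcher Benutzer dieses Programm als für MAC vertrauenswürdiges'
        echo 'Programm ausführen darf.'
        attr=mac_trusted_for_user
        ;;

      'FC Object Category:')
        echo 'Setze die Objekt-Kategorien für das FC-Modell.'
        attr=object_category
        ;;

      'SIM Data Type:')
        echo 'Setze den Datentyp für das SIM-Modell.'
        attr=data_type
        ;;

      'PM Object Type:')
        echo 'Setze Objekt-Typ für das PM-Modell.'
        attr=pm_object_type
        ;;

      'PM Object Class:')
        echo 'Setze die Objekt-Klasse für das PM-Modell.'
        attr=pm_object_class
        ;;

      'PM TP:')
        echo 'Nummer der Transaktionsprozedur für das PM-Modell eingeben.'
        attr=pm_tp
        ;;

      'MS Scanned:')
        echo 'Dieses Attribut zeigt, ob und mit welchen Ergebnis diese Datei'
        echo 'vom MS-Modul geprüft wurde. Setze auf unscanned, um eine erneute'
        echo 'Prüfung zu erzwingen.'
        echo ''
        echo 'Abgewiesene Dateien (Wert rejected) können nur von'
        echo 'MS-vertrauenswürdigen Programmen geöffnet werden.'
        attr=ms_scanned
        ;;

      'MS Trusted:')
        echo 'Umschalten, ob diese Programm-Datei ein MS-vertrauenswürdiges'
        echo 'Programm enthält. Nur vertrauenswürdige Programme dürfen als'
        echo 'infiziert gekennzeichnete Dateien öffnen.'
        attr=ms_trusted
        ;;

      'MS Sock Trusted TCP:')
        echo 'Umschalten, ob diese Programm-Datei ein MS-vertrauenswürdiges'
        echo 'Programm für TCP enthält. Nur TCP-vertrauenswürdige Programme'
        echo 'dürfen von als infiziert gekennzeichneten TCP-Verbindungen'
        echo 'lesen.'
        attr=ms_sock_trusted_tcp
        ;;

      'MS Sock Trusted UDP:')
        echo 'Umschalten, ob diese Programm-Datei ein MS-vertrauenswürdiges'
        echo 'Programm für UDP enthält. Nur UDP-vertrauenswürdige Programme'
        echo 'dürfen von als infiziert gekennzeichneten UDP-Netzwerkendpunkten'
        echo 'lesen.'
        attr=ms_sock_trusted_udp
        ;;

      'FF Flags:')
        echo 'Schalter des FF-Modells für dieses Objekt setzen, e.g. read-only.'
        attr=ff_flags
        ;;

      'RC Type FD:')
        echo 'Dateisystem-Objekttyp für das RC-Modell wählen.'
        attr=rc_type_fd
        ;;

      'RC Force Role:')
        echo 'RC-Rolle wählen, die ein Prozeß, der dieses Programm startet,'
        echo 'annimmt und solange beibehält, wie er dieses Programm ausführt.'
        echo 'Benutzer-Standard-Rollen (default roles) werden ignoriert, sogar'
        echo 'beim Wechsel der Benutzer-ID.'
        attr=rc_force_role
        ;;

      'RC Initial Role:')
        echo 'RC-Rolle wählen, die ein Prozeß, der dieses Programm startet,'
        echo 'annimmt. Benutzer-Standard-Rollen (default roles) werden'
        echo 'angewendet, sobald die Benutzer-ID gewechselt wird'
        echo '(CHANGE_OWNER auf PROCESS, setuid).'
        echo ''
        echo 'Initial roles haben Vorrang vor den forced roles, man kann also'
        echo 'beide gleichzeitig für das selbe Programm verwenden:'
        echo 'Die initial role gilt wie oben genannt, aber beim nächsten'
        echo 'Benutzerwechsel wird die force role angewendet.'
        attr=rc_initial_role
        ;;

      'AUTH May Setuid:')
        echo 'Für AUTH-Modell umschalten, ob dieses Programm seine Benutzer-ID'
        echo 'beliebig wechseln darf (CHANGE_OWNER auf PROCESS, setuid).'
        attr=auth_may_setuid
        ;;

      'AUTH May Set Cap:')
        echo 'Für AUTH-Modell umschalten, ob dieses Programm AUTH setuid'
        echo 'capabilities für beliebige Prozesse (aber nicht für Dateien)'
        echo 'setzen darf.'
        echo 'Dieser Schalter ist sinnvoll z.B. für Authentisierungs-Daemons,'
        echo 'siehe AUTH-Beschreibung für Details.'
        attr=auth_may_set_cap
        ;;

      'AUTH Capabilities:')
        echo 'Dieses sind Bereiche von Benutzer-IDs, in welche dieses Programm'
        echo 'wechseln darf (CHANGE_OWNER auf PROCESS, setuid).'
        echo 'Die Capabilities werden vom Prozeß bei Start des Programms geerbt.'
        ;;

      'CAP Min Caps:')
        echo 'Minimaler Satz von Linux-Capabilities, die immer gesetzt werden,'
        echo 'wenn dieses Programm ausgeführt wird (unabhängig vom maximalen'
        echo 'Satz).'
        echo 'Sinnvoll, um privilegierte (root-)Programme als normaler Benutzer'
        echo 'starten zu können.'
        attr=min_caps
        ;;

      'CAP Max Caps:')
        echo 'Maximaler Satz an Linux-Capabilities, die bei Ausführung dieses'
        echo 'Programmes behalten werden.'
        echo 'Sinnvoll, um die Privilegien eines von root gestarteten Programmes'
        echo 'zu beschränken, z.B. für Mail-Server-Programme.'
        attr=max_caps
        ;;

      'Log Array Low:' | 'Log Array High:')
        echo 'Wähle objektabhängige Logging-Stufen für dieses Objekt.'
        attr=log_array_low
        ;;

      'Log Program Based:')
        echo 'Wähle Anfragen, die für dieses Programm immer protokolliert'
        echo 'werden sollen.'
        attr=log_program_based
        ;;

      'Symlink Add UID:')
        echo 'Numerische Benutzer-ID des aufrufenden Prozesses zum Inhalt dieses'
        echo 'symbolischen Links hinzufügen.'
        echo 'Sinnvoll, um z.B. für alle Benutzer auf individuelle'
        echo '/tmp-Verzeichnisse zu verweisen.'
        attr=symlink_add_uid
        ;;

      'Symlink Add RC Role:')
        echo 'Numerische RC-Rollen-ID des aufrufenden Prozesses zum Inhalt'
        echo 'dieses symbolischen Links hinzufügen.'
        echo 'Sinnvoll, um z.B. für alle RC-Rollen auf individuelle'
        echo '/tmp-Verzeichnisse zu verweisen.'
        attr=symlink_add_rc_role
        ;;

      'Linux DAC disable:')
        echo 'Linux-Zugriffskontrolle für dieses Objekt abschalten.'
        echo 'Sehr sinnvoll, wenn Zugriffskontrolle in bestimmten'
        echo 'Verzeichnisbäumen nur mit RSBAC durchgeführt werden soll, ohne.'
        echo 'von den Linux-Rechten behindert zu werden.'
        echo ''
        echo 'Hinweis: Dieser Schalter wird nur angewendet, wenn RSBAC aktiv'
        echo 'ist. Deshalb ist es sinnvoller, ihn zu benutzen, als vollen'
        echo 'Linux-Zugriff zu erlauben.'
        attr=linux_dac_disable
        ;;

      'Dev Attributes:')
        echo 'Gehe zum Device-Attributmenü.'
        ;;

      'ACL Menu:')
        echo 'Gehe zum ACL-Menü.'
        ;;

      'Reset Attributes:')
        echo "Rufe attr_rm_fd auf, um die Attribut-Objekte für dieses Objekt"
        echo "zu entfernen. Als Ergebnis werden alle Attribute auf ihre"
        echo "Standardwerte zurückgesetzt. Mit Vorsicht verwenden!"
        ;;

      Quit)
        echo 'Beende dieses Menü.'
        ;;

      *)
        echo "Keine Hilfe für $1 verfügbar!"
        ;;
    esac
    # Entries tied to a single attribute end with the tool's own description.
    if [ -n "$attr" ]; then
      echo ''
      "${RSBACPATH}attr_get_file_dir" -A "$attr"
    fi
  } > "$TMPFILE"   # quoted: the path may contain blanks (TMPDIR is user-set)
  # $DIALOG stays unquoted, as everywhere else in this script.
  $DIALOG --title "$HELPTITLE" \
          --backtitle "$BACKTITLE" \
          --textbox "$TMPFILE" $BL $BC
}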

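show_help_russian () {
  # Show the help text for menu entry $1 when RSBACLANG=RU.
  #
  # There is no Russian translation yet: this function used to carry a
  # verbatim copy of every English message. It now delegates to
  # show_help_english, so the two can no longer drift apart and a fix to the
  # help display has to be made only once. The output and the return status
  # (that of the dialog program) are the same as before.
  # TODO: add translated texts here once they exist.
  show_help_english "$1"
}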

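get_attributes () {
  # Refresh the cached attribute globals for the object named by $FILE.
  #
  # Sets TYPE/SUBTYPE from the kind of object (plus SYMLINK for symbolic
  # links and LASTDIR for the directory to return to) and then reads every
  # attribute of the enabled modules (SHOW_<module>=yes) with
  # attr_get_file_dir. A path that is none of the known kinds gets TYPE=NONE
  # and empty attribute values. Nothing is done when $FILE is empty.
  # Globals read: FILE, GETSWITCH, RSBACPATH, SHOW_*, NO_USER, ALL_USERS,
  #               NEWMTUSER, MSL, DIALOG, TITLE, BACKTITLE, BC, RSBACLOGFILE.
  [ -n "$FILE" ] || return 0

  if [ -L "$FILE" ]; then
    TYPE=SYMLINK
    SUBTYPE=SYMLINK
    # readlink returns the target as stored; cutting it out of "ls -l" output
    # went wrong for names or targets containing '>'.
    SYMLINK=$(readlink -- "$FILE")
  elif [ -f "$FILE" ]; then TYPE=FILE; SUBTYPE=FILE
  elif [ -b "$FILE" ]; then TYPE=FILE; SUBTYPE=BLOCK
  elif [ -c "$FILE" ]; then TYPE=FILE; SUBTYPE=CHAR
  elif [ -p "$FILE" ]; then TYPE=FIFO; SUBTYPE=FIFO
  elif [ -d "$FILE" ]; then
    TYPE=DIR
    SUBTYPE=DIR
    # Absolute form of the directory; the path as given if cd fails.
    LASTDIR=$( ( cd "$FILE" && pwd ) || echo "$FILE" )
    FILE=$LASTDIR
    if [ -n "$RSBACLOGFILE" ]; then
      # NOTE(review): this logs the menu's own working directory, not
      # $LASTDIR; kept as it was, confirm which one is intended.
      echo "cd $(pwd)" >>"$RSBACLOGFILE"
    fi
  else
    # Not an existing object of a known kind: blank every cached value.
    TYPE=NONE
    SECLEVEL="" MACCAT="" MACTRUSER="" NEWMTUSER=""
    OBJCAT="" DATATYPE=""
    PMCLASS="" PMTP="" PMOBJTYPE=""
    MSTRUSTED="" MSSCANNED="" MSSOCKTCP="" MSSOCKUDP=""
    FFFLAGS=""
    RCTYPEFD="" RCFORRO="" RCINRO=""
    AUTHSUID="" AUTHSCAP=""
    LOGLOW="" LOGHIGH="" LOGPROG=""
    MINCAPS="" MAXCAPS=""
    SYMADDUID="" SYMADDRC="" DACDIS=""
    return
  fi

  if [ "$TYPE" != "DIR" ]; then
    LASTDIR=$(dirname -- "$FILE")
  fi

  if [ "$SHOW_MAC" = "yes" ]; then
    SECLEVEL=$(_get_fd_attr security_level)
    MACCAT=$(_get_fd_attr mac_categories)
    MACTRUSER=$(_get_fd_attr mac_trusted_for_user)
    if [ -z "$NEWMTUSER" ]; then
      if [ "$MACTRUSER" = "$NO_USER" ] || [ "$MACTRUSER" = "$ALL_USERS" ]; then
        NEWMTUSER='N/A'
      else
        NEWMTUSER=$MACTRUSER
      fi
    fi
  fi

  if [ "$SHOW_FC" = "yes" ]; then
    OBJCAT=$(_get_fd_attr object_category)
  fi

  if [ "$SHOW_SIM" = "yes" ]; then
    DATATYPE=$(_get_fd_attr data_type)
  fi

  if [ "$SHOW_PM" = "yes" ]; then
    PMCLASS=$(_get_fd_attr pm_object_class)
    PMTP=$(_get_fd_attr pm_tp)
    PMOBJTYPE=$(_get_fd_attr pm_object_type)
  fi

  if [ "$SHOW_MS" = "yes" ]; then
    MSSCANNED=$(_get_fd_attr ms_scanned)
    MSTRUSTED=$(_get_fd_attr ms_trusted)
    MSSOCKTCP=$(_get_fd_attr ms_sock_trusted_tcp)
    MSSOCKUDP=$(_get_fd_attr ms_sock_trusted_udp)
    # An empty or non-numeric value (e.g. the tool failed) makes the test
    # fail quietly instead of printing a shell error.
    if [ "$MSSCANNED" -gt "$MSL" ] 2>/dev/null; then
      # The redirection belongs to the dialog call. It used to sit on a line
      # of its own, where it was a separate, always successful command, so
      # MSL was raised even when the question was answered with "No".
      if $DIALOG --title "$TITLE" \
                 --backtitle "$BACKTITLE" \
                 --yesno "Returned MS Scan Level $MSSCANNED is higher than menu default $MSL, adjust menu default?" 6 $BC \
                 2>/dev/null
      then
        MSL=$MSSCANNED
      fi
    fi
  fi

  if [ "$SHOW_FF" = "yes" ]; then
    FFFLAGS=$(_get_fd_attr ff_flags)
  fi

  if [ "$SHOW_RC" = "yes" ]; then
    RCTYPEFD=$(_get_fd_attr rc_type_fd)
    RCFORRO=$(_get_fd_attr rc_force_role)
    RCINRO=$(_get_fd_attr rc_initial_role)
  fi

  if [ "$SHOW_AUTH" = "yes" ]; then
    AUTHSUID=$(_get_fd_attr auth_may_setuid)
    AUTHSCAP=$(_get_fd_attr auth_may_set_cap)
  fi

  if [ "$SHOW_CAP" = "yes" ]; then
    MINCAPS=$(_get_fd_attr min_caps)
    MAXCAPS=$(_get_fd_attr max_caps)
  fi

  if [ "$SHOW_GEN" = "yes" ]; then
    LOGLOW=$(_get_fd_attr log_array_low)
    LOGHIGH=$(_get_fd_attr log_array_high)
    LOGPROG=$(_get_fd_attr log_program_based)
    SYMADDUID=$(_get_fd_attr symlink_add_uid)
    SYMADDRC=$(_get_fd_attr symlink_add_rc_role)
    DACDIS=$(_get_fd_attr linux_dac_disable)
  fi
}

# Print the value of attribute $1 for the current object ($TYPE, $FILE).
_get_fd_attr () {
  # $GETSWITCH is unquoted on purpose: when empty it must vanish instead of
  # being passed as an empty argument.
  "${RSBACPATH}attr_get_file_dir" $GETSWITCH "$TYPE" "$FILE" "$1"
}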

onoff () {
   # Print the dialog state for one checklist/radiolist entry.
   #   $1 - value this entry stands for
   #   $2 - value currently set
   # Writes "on" when both strings are identical, otherwise "off".
   local state=off
   [[ "$1" == "$2" ]] && state=on
   echo "$state"
}

onoffb () {
   # Map a boolean attribute value to a dialog state:
   # "on" only when $1 is exactly the string "1", "off" for anything else
   # (including an empty or missing argument).
   case "$1" in
     1) echo on ;;
     *) echo off ;;
   esac
}

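list_item () {
   # Print "<path> <kind>" for one directory entry, as a tag/item pair for a
   # dialog menu.
   #   $1 - path to classify
   # <kind> is one of SYMLINK-><target>, DIR, FILE, BLOCK, CHAR, FIFO, NONE.
   #
   # Every test quotes "$1": an unquoted `test -d $1` degenerates to
   # `test -d` for an empty argument, which is true, so an empty name was
   # reported as DIR. The link target comes from readlink rather than from
   # cutting `ls -l` output at '>', which broke on names containing '>'.
   #
   # NOTE(review): callers in this file word-split this output, so a path or
   # link target containing whitespace still shifts the menu's tag/item
   # pairs; that cannot be fixed inside this function.
   local kind
   if test -L "$1"
   then kind="SYMLINK->$(readlink -- "$1")"
   elif test -d "$1"
   then kind=DIR
   elif test -f "$1"
   then kind=FILE
   elif test -b "$1"
   then kind=BLOCK
   elif test -c "$1"
   then kind=CHAR
   elif test -p "$1"
   then kind=FIFO
   else kind=NONE
   fi
   # printf instead of an unquoted echo: no glob expansion of the name and
   # no misparsing of names that look like echo options.
   printf '%s %s\n' "$1" "$kind"
}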

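get_vname () {
  # Translate a raw attribute value into the text shown in the menus.
  #   $1 - value family: onoff, seclevel, objcat, datatype, pmobjtype,
  #        mactruser, mactruserrev, msscanned, mstrusted, mssock, rctypefd,
  #        rcforro, rcinro, dacdis or loglevel
  #   $2 - the raw value
  # Globals read: TYPE, NO_USER, ALL_USERS, RCTYPEINHPAR, RCUSERINHERIT,
  #               RCPROCINHERIT, RCPARINHERIT, RCMIXINHERIT, RCUSEFR,
  #               RSBACPATH
  # Output: one line on stdout: " " when TYPE is NONE, "N/A" when $2 is
  #         empty or not a known value, "ERROR!" for an unknown family.
  #
  # Callers pass $2 unquoted, so a multi-word tool message arrives here as
  # its first word only; the Error*/Use* arms catch those.
  if test "$TYPE" = "NONE"
  then
    echo " "
    return
  fi
  if test -z "$2"
  then
    echo "N/A"
    return
  fi

  case "$1" in
    onoff)
      case "$2" in
        1) echo On ;;
        *) echo Off ;;
      esac
      ;;
    seclevel)
      case "$2" in
        0)   echo unclassified ;;
        1)   echo confidential ;;
        2)   echo secret ;;
        3)   echo top secret ;;
        252) echo max. level ;;
        253) echo rsbac-internal ;;
        254) echo inherit ;;
        *)   echo N/A ;;
      esac
      ;;
    objcat)
      case "$2" in
        0) echo General ;;
        1) echo Security ;;
        2) echo System ;;
        3) echo inherit ;;
        *) echo N/A ;;
      esac
      ;;
    datatype)
      case "$2" in
        0) echo None ;;
        1) echo SI ;;
        2) echo inherit ;;
        *) echo N/A ;;
      esac
      ;;
    pmobjtype)
      case "$2" in
        0) echo None ;;
        1) echo TP ;;
        2) echo Personal Data ;;
        3) echo Non-Personal Data ;;
        4) echo IPC ;;
        5) echo Directory ;;
        *) echo N/A ;;
      esac
      ;;
    mactruser)
      # The variable patterns stay unquoted so they keep matching exactly
      # as before (the value of NO_USER / ALL_USERS is used as a pattern).
      case "$2" in
        $NO_USER)   echo NONE ;;
        $ALL_USERS) echo ALL ;;
        Error*)     echo N/A ;;
        Use*)       echo N/A ;;
        *)          echo "$(get_name "$2") / $(full_name "$2")" ;;
      esac
      ;;
    mactruserrev)
      # Reverse mapping: menu tag or user name back to the numeric value.
      case "$2" in
        NONE)       echo $NO_USER ;;
        $NO_USER)   echo $NO_USER ;;
        ALL)        echo $ALL_USERS ;;
        $ALL_USERS) echo $ALL_USERS ;;
        Error*)     echo N/A ;;
        Use*)       echo N/A ;;
        *)          echo $(get_uid "$2") ;;
      esac
      ;;
    msscanned)
      case "$2" in
        0)      echo Unscanned ;;
        1)      echo Rejected ;;
        Error*) echo N/A ;;
        *)
          # Only a decimal number in 2..10000 is a scan level. The former
          # `test $2 -lt 2 -o $2 -gt 10000` failed on non-numeric input and
          # fell through to the "Accepted" branch, so any unexpected tool
          # output was displayed as an accepted scan level.
          if [[ "$2" =~ ^0*[0-9]{1,5}$ ]] && (( 10#$2 >= 2 && 10#$2 <= 10000 ))
          then echo "Accepted - Level $2"
          else echo N/A
          fi
          ;;
      esac
      ;;
    mstrusted)
      case "$2" in
        0) echo Not trusted ;;
        1) echo Read trusted ;;
        2) echo Full trusted ;;
        *) echo N/A ;;
      esac
      ;;
    mssock)
      case "$2" in
        0) echo Not Trusted ;;
        1) echo Active ;;
        2) echo Full ;;
        *) echo N/A ;;
      esac
      ;;
    rctypefd)
      case "$2" in
        $RCTYPEINHPAR) echo inherit parent dir ;;
        Error*)        echo N/A ;;
        Use*)          echo N/A ;;
        *)
          # Prefer the name printed by rc_get_item; fall back to the raw
          # number when the lookup fails.
          if ! ${RSBACPATH}rc_get_item TYPE "$2" type_fd_name 2>/dev/null
          then echo "$2"
          fi
          ;;
      esac
      ;;
    rcforro)
      case "$2" in
        $RCUSERINHERIT) echo "always inherit from user" ;;
        $RCPROCINHERIT) echo "inherit process (keep always)" ;;
        $RCPARINHERIT)  echo "inherit parent dir (default)" ;;
        $RCMIXINHERIT)  echo "inh. from user on chown only" ;;
        Error*)         echo N/A ;;
        Use*)           echo N/A ;;
        *)
          if ! ${RSBACPATH}rc_get_item ROLE "$2" name 2>/dev/null
          then echo "$2"
          fi
          ;;
      esac
      ;;
    rcinro)
      case "$2" in
        $RCPARINHERIT) echo "inherit parent dir (default)" ;;
        $RCUSEFR)      echo "use force_role (root default)" ;;
        Error*)        echo N/A ;;
        Use*)          echo N/A ;;
        *)
          if ! ${RSBACPATH}rc_get_item ROLE "$2" name 2>/dev/null
          then echo "$2"
          fi
          ;;
      esac
      ;;
    dacdis)
      case "$2" in
        0) echo False ;;
        1) echo True ;;
        2) echo 'inherit (default)' ;;
        *) echo N/A ;;
      esac
      ;;
    loglevel)
      case "$2" in
        0) echo None ;;
        1) echo Denied ;;
        2) echo Full ;;
        3) echo Request ;;
        *) echo N/A ;;
      esac
      ;;
    *) echo ERROR!
      ;;
  esac
}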

full_name () {
  # Print the full_name attribute that attr_get_user reports for user $1,
  # or a single blank when no user was given.
  [[ -n "$1" ]] || { echo " "; return; }
  echo $(${RSBACPATH}attr_get_user $1 full_name)
}

get_uid () {
  # Print the user_nr attribute that attr_get_user reports for user $1,
  # or a single blank when no user was given.
  [[ -n "$1" ]] || { echo " "; return; }
  echo $(${RSBACPATH}attr_get_user $1 user_nr)
}

get_name () {
  # Print the user_name attribute that attr_get_user reports for user $1,
  # or a single blank when no user was given.
  [[ -n "$1" ]] || { echo " "; return; }
  echo $(${RSBACPATH}attr_get_user $1 user_name)
}

gen_cap_rem_user () {
  # For every user id given as an argument print "<id> <user_name>", one
  # pair per line; prints nothing when called without a first argument.
  # The loop variable i is deliberately left global, as before.
  [[ -n "$1" ]] || return 0
  for i in $*
  do
    echo $i $(${RSBACPATH}attr_get_user $i user_name)
  done
}

get_caps () {
  # Show the AUTH capability list of the current object.
  # auth_set_cap is only queried when both TYPE and SUBTYPE are FILE;
  # for anything else a single blank is printed.
  if [[ "$TYPE" == "FILE" && "$SUBTYPE" == "FILE" ]]
  then
    ${RSBACPATH}auth_set_cap FILE get "$FILE"
  else
    echo " "
  fi
}

gen_cat_list () {
    # Emit one checklist line "<category> <on|off> <on|off>" per category
    # number given as an argument, reading each bit of mac_categories for
    # $FILE. The state word is printed twice (item text and status).
    # i and TMP stay global, as before.
    #
    # NOTE(review): unlike the other attribute reads in this file, this call
    # does not pass $GETSWITCH - confirm whether the checklist is meant to
    # ignore the real/effective mode.
    local state
    for i in $*
    do
      TMP=$(${RSBACPATH}attr_get_file_dir $TYPE "$FILE" mac_categories $i)
      state=$(onoffb $TMP)
      echo $i $state $state
    done
}

# Let the operator pick a user; the result is returned in the global
# NEWMTUSER (empty when the dialog is cancelled or the input box is aborted).
# The menu offers a fixed "Enter" entry followed by whatever
# `attr_get_user -bl` prints; TMP2 (global) remembers the last selection and
# is used as the default item.
# NOTE(review): $TMPFILE and $TMP2 are expanded unquoted below, so a temp
# path or a selection containing whitespace or glob characters is split
# before it reaches cat / attr_get_user.
choose_user () {
        while $DIALOG --title "$TITLE" \
                  --backtitle "$BACKTITLE" \
                  --default-item "$TMP2" \
                  --menu "Username/ID" $BL $BC `gl 15` \
                         "Enter" "Name / Uid / Range A:B" \
                         `${RSBACPATH}attr_get_user -bl` \
           2>$TMPFILE
        do TMP2=`cat $TMPFILE`
             # dialog wrote the chosen tag to $TMPFILE via stderr
             case "$TMP2" in
               "Enter")
                 # Free-form input; every ':' is replaced by a blank, so a
                 # range "A:B" is returned as the two words "A B".
                 if $DIALOG --title "$TITLE" \
                            --backtitle "$BACKTITLE" \
                            --inputbox "Username/number, range from A to B with A:B" $BL $BC "" \
                   2>$TMPFILE
                 then
                   NEWMTUSER="`cat $TMPFILE|tr ':' ' '`"
                 else
                   NEWMTUSER=""
                 fi
                 return
                 ;;
               *)
                 # A listed entry was chosen: resolve it to user_nr. On
                 # failure an error box is shown and the menu is presented
                 # again.
                 if $RSBACPATH""attr_get_user $TMP2 user_nr >$TMPFILE
                 then NEWMTUSER=`cat $TMPFILE`
                   return
                 else \
                     $DIALOG --title "$ERRTITLE" \
                            --backtitle "$BACKTITLE" \
                            --msgbox "User: Unknown user $TMP2!" 5 $BC
                     NEWMTUSER=""
                 fi
             esac
        done
        # Menu cancelled: report "no user".
        NEWMTUSER=""
}

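gen_log_menu_items() {
  # Rebuild the menu item file "${TMPFILE}.2" for log_menu: one line
  # "<request> <log level name>" per entry of $REQUESTS, using the log_level
  # attribute of $FILE.
  # Globals read:    TMPFILE, REQUESTS, RSBACPATH, GETSWITCH, TYPE, FILE
  # Globals written: i, TMP (left global, as before)
  #
  # The path is quoted everywhere, so a $TMPDIR containing blanks no longer
  # yields "ambiguous redirect", and the list is written through a single
  # redirection, so the file also exists (empty) when $REQUESTS is empty and
  # the later cat/rm in log_menu do not fail on a missing file.
  #
  # NOTE(review): "${TMPFILE}.2" is a predictable sibling of the mktemp
  # name and is created non-atomically in $TMPDIR; removing it first does
  # not close the window in which another local user could place a symlink
  # there. A second mktemp file (or a private mktemp -d directory) would.
  rm -f -- "${TMPFILE}.2"
  for i in $REQUESTS
  do
    TMP=$(${RSBACPATH}attr_get_file_dir $GETSWITCH $TYPE "$FILE" log_level $i)
    echo $i $(get_vname loglevel $TMP)
  done >"${TMPFILE}.2"
}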

gen_flags_menu_items() {
    # Emit the FF flags checklist: one line "<bit> <flag name> <on|off>" per
    # flag, "on" when that bit is set in $FFFLAGS. The order is the menu
    # order, not numeric order.
    #
    # NOTE(review): $FFFLAGS is expanded textually inside (( )), so its
    # content is evaluated as an arithmetic expression; it is expected to be
    # a plain number as returned by attr_get_file_dir.
    local spec bit label state
    for spec in 128:add_inherited 1:read_only 2:execute_only 4:search_only \
                8:write_only 16:secure_delete 32:no_execute \
                64:no_delete_or_rename 256:append_only
    do
      bit=${spec%%:*}
      label=${spec#*:}
      state=off
      if (($FFFLAGS & $bit)) ; then state=on ; fi
      echo $bit $label $state
    done
}

# Show the FF flags checklist for $FILE and store the selection.
# The checklist is built from gen_flags_menu_items; with --separate-output
# dialog writes the selected tags (the bit values) to $TMPFILE. They are
# summed and written with attr_set_file_dir; on success FFFLAGS is updated
# and, when RSBACLOGFILE is set, the command line is appended to that log.
# On failure the first line of the tool's output is shown in an error box.
# Returns without changes when the checklist is cancelled.
# NOTE(review): the logged command line embeds $FILE between literal double
# quotes without escaping; if the log is ever replayed as a script, a file
# name containing '"', '$' or a backtick would be interpreted by the shell.
flags_menu () {
  if ! \
  $DIALOG --title "$TITLE" \
         --backtitle "$BACKTITLE" \
         --separate-output \
         --checklist "$FILE: FF Flags ($GETMODE mode)" $BL $BC `gl 9` \
              `gen_flags_menu_items` \
       2>$TMPFILE
   then return
  fi
  FLAGS_ON=`cat $TMPFILE`
  # declare inside a function makes VAL local; the -i attribute makes every
  # assignment to it an arithmetic evaluation, so "VAL=$VAL+$i" adds the tag.
  # NOTE(review): the tags are text read back from $TMPFILE and are
  # arithmetically evaluated here - they are expected to be plain numbers.
  declare -i VAL=0
#  echo FLAGS_ON is $FLAGS_ON, VAL is $VAL
  for i in $FLAGS_ON ; do \
    VAL=$VAL+$i
  done
#  echo FLAGS_ON is $FLAGS_ON, VAL is $VAL
#  sleep 2
  # stdout and stderr of the tool replace the dialog output in $TMPFILE
  if $RSBACPATH""attr_set_file_dir $TYPE "$FILE" ff_flags $VAL &>$TMPFILE
    then FFFLAGS=$VAL
      if test -n "$RSBACLOGFILE"
      then
        echo $RSBACPATH""attr_set_file_dir $TYPE \"$FILE\" ff_flags $VAL >>"$RSBACLOGFILE"
      fi
    else \
      $DIALOG --title "$ERRTITLE" \
             --backtitle "$BACKTITLE" \
             --msgbox "`head -n 1 $TMPFILE`" $BL $BC
    fi
  return
}

# Per-request log level editor for $FILE.
# Loads the request list once into the global REQUESTS
# (`attr_get_file_dir -n $TYPE`), lets gen_log_menu_items write the menu
# lines to ${TMPFILE}.2 and then loops: pick a request, pick one of the four
# log levels, write it with attr_set_file_dir, regenerate the menu lines.
# Leaving the menu (cancel or "Quit") removes ${TMPFILE}.2 and re-reads
# LOGLOW / LOGHIGH.
# NOTE(review): ${TMPFILE}.2 and $TMPFILE are expanded unquoted throughout,
# and ${TMPFILE}.2 is a predictable name next to the mktemp file in $TMPDIR.
# NOTE(review): the logged command line embeds $FILE between literal double
# quotes without escaping - relevant if the log is replayed as a script.
log_menu () {
  if test -z "$REQUESTS"
    then REQUESTS=`$RSBACPATH""attr_get_file_dir -n $TYPE`
  fi
  gen_log_menu_items
  while true ; do \
    if ! \
    $DIALOG --title "$TITLE" \
           --backtitle "$BACKTITLE" \
           --default-item "$REQ" \
           --menu "$FILE: Log Levels for Requests" $BL $BC `gl 37` \
                `cat ${TMPFILE}.2` \
                "Quit" " " \
         2>$TMPFILE
     then rm ${TMPFILE}.2
          LOGLOW=`$RSBACPATH""attr_get_file_dir $GETSWITCH $TYPE "$FILE" log_array_low`
          LOGHIGH=`$RSBACPATH""attr_get_file_dir $GETSWITCH $TYPE "$FILE" log_array_high`
          return
    fi
    # REQ is global: it doubles as the default item of the next round
    REQ=`cat $TMPFILE`
    case "$REQ" in
      Quit)
        rm ${TMPFILE}.2
        LOGLOW=`$RSBACPATH""attr_get_file_dir $GETSWITCH $TYPE "$FILE" log_array_low`
        LOGHIGH=`$RSBACPATH""attr_get_file_dir $GETSWITCH $TYPE "$FILE" log_array_high`
        return
        ;;
      *)
        # VAL = second word of the menu line for this request, i.e. the
        # level name currently shown; onoff compares it with each name to
        # preselect the radio button. $REQ is used as a grep pattern here.
        VAL=`grep "^$REQ " ${TMPFILE}.2|cut -f 2 -d ' '`
        if $DIALOG --title "$TITLE" \
                   --backtitle "$BACKTITLE" \
                   --radiolist "Choose Log Level for $FILE / $REQ" $BL $BC 4 \
                          0 `get_vname loglevel 0` `onoff None $VAL` \
                          1 `get_vname loglevel 1` `onoff Denied $VAL` \
                          2 `get_vname loglevel 2` `onoff Full $VAL` \
                          3 `get_vname loglevel 3` `onoff Request $VAL` \
          2>$TMPFILE
        then TMP=`cat $TMPFILE`
          # TMP is the numeric level chosen; tool output replaces it in
          # $TMPFILE and is shown only when the call fails.
          if $RSBACPATH""attr_set_file_dir $TYPE "$FILE" log_level $REQ $TMP &>$TMPFILE
          then
            if test -n "$RSBACLOGFILE"
            then
              echo $RSBACPATH""attr_set_file_dir $TYPE \"$FILE\" log_level $REQ $TMP >>"$RSBACLOGFILE"
            fi
            gen_log_menu_items
          else \
            $DIALOG --title "$ERRTITLE" \
                    --backtitle "$BACKTITLE" \
                    --msgbox "`head -n 1 $TMPFILE`" $BL $BC
          fi
        fi
    esac
done
}

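gen_request_list () {
    # Emit the checklist for program based logging: one line
    # "<request> on on" or "<request> off off" per known request, "on" when
    # the request is named in the log_program_based attribute of $FILE.
    # Globals read:    RSBACPATH, GETSWITCH, TYPE, FILE
    # Globals written: REQUESTS (cached after the first call), SETREQUESTS, i
    #
    # Membership is tested as a whole word and as a fixed string. The former
    # `echo $SETREQUESTS | grep -q $i` was a substring regex match, so a
    # request whose name is contained in a longer one that is set (constructed
    # example: FOO vs FOO_BAR) was shown as "on" although it was not set.
    # Assumes attr_get_file_dir -p prints the names as separate words.
    if test -z "$REQUESTS"
      then REQUESTS=$(${RSBACPATH}attr_get_file_dir -n)
    fi
    SETREQUESTS=$(${RSBACPATH}attr_get_file_dir $GETSWITCH -p $TYPE "$FILE" log_program_based)
    for i in $REQUESTS
    do
      if printf '%s\n' "$SETREQUESTS" | grep -qwF -- "$i"
      then
        echo $i on on
      else
        echo $i off off
      fi
    done
}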

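gen_min_caps_list () {
    # Emit the checklist for min_caps: one line "<cap> on on" or
    # "<cap> off off" per known capability, "on" when the capability is named
    # in the min_caps attribute of $FILE.
    # Globals read:    RSBACPATH, GETSWITCH, TYPE, FILE
    # Globals written: CAPS (cached after the first call), SETCAPS, i
    #
    # Membership is tested as a whole word and as a fixed string instead of
    # the former substring regex match (`echo $SETCAPS | grep -q $i`), which
    # reported a capability as set whenever its name was contained in the
    # name of another capability that is set. Assumes attr_get_file_dir -p
    # prints the names as separate words.
    if test -z "$CAPS"
      then CAPS=$(${RSBACPATH}attr_get_file_dir -c)
    fi
    SETCAPS=$(${RSBACPATH}attr_get_file_dir $GETSWITCH -p $TYPE "$FILE" min_caps)
    for i in $CAPS
    do
      if printf '%s\n' "$SETCAPS" | grep -qwF -- "$i"
      then
        echo $i on on
      else
        echo $i off off
      fi
    done
}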

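gen_max_caps_list () {
    # Emit the checklist for max_caps: one line "<cap> on on" or
    # "<cap> off off" per known capability, "on" when the capability is named
    # in the max_caps attribute of $FILE.
    # Globals read:    RSBACPATH, GETSWITCH, TYPE, FILE
    # Globals written: CAPS (cached after the first call), SETCAPS, i
    #
    # Membership is tested as a whole word and as a fixed string instead of
    # the former substring regex match (`echo $SETCAPS | grep -q $i`), which
    # reported a capability as set whenever its name was contained in the
    # name of another capability that is set. Assumes attr_get_file_dir -p
    # prints the names as separate words.
    if test -z "$CAPS"
      then CAPS=$(${RSBACPATH}attr_get_file_dir -c)
    fi
    SETCAPS=$(${RSBACPATH}attr_get_file_dir $GETSWITCH -p $TYPE "$FILE" max_caps)
    for i in $CAPS
    do
      if printf '%s\n' "$SETCAPS" | grep -qwF -- "$i"
      then
        echo $i on on
      else
        echo $i off off
      fi
    done
}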

# Integer variable compared against 64 in cat_print. The -i attribute makes
# bash evaluate "$BC-38" arithmetically; $BC is the value passed to dialog
# as box width elsewhere in this file.
declare -i MAXCATLEN=$BC-38
cat_print () {
  # Print the MAC category string $1, or the placeholder "(too long)" when
  # MAXCATLEN is below 64 (or is not a usable integer).
  if ! [ "$MAXCATLEN" -ge 64 ]
  then
    echo "(too long)"
    return
  fi
  echo $1
}

# Upper bound used by name_print when cutting a name for display. The -i
# attribute makes bash evaluate "$BC-44" arithmetically.
declare -i MAXNAMELEN=$BC-44
name_print () {
  # Print $1 cut down to its first MAXNAMELEN characters (as counted by
  # cut -c), so the name fits into the menu column.
  local range="1-${MAXNAMELEN}"
  echo "$1" | cut -c "$range"
}

gen_follow_symlink () {
    # Produce the optional "Follow:" menu entry; prints nothing unless the
    # current object is a symlink (TYPE = SYMLINK).
    #   $1 = 1 -> the tag text 'Follow:'
    #   $1 = 2 -> the link target $SYMLINK, shortened by name_print
    [[ "$TYPE" == "SYMLINK" ]] || return 0
    case $1 in
      1) echo 'Follow:' ;;
      2) echo "$(name_print "$SYMLINK")" ;;
    esac
}

###################### Menu #################

# Object to administrate: the first command line argument, or the start
# directory when none was given.
FILE=${1:-$LASTDIR}

# When a command log is configured, open this session with a blank line and
# a start marker.
if [[ -n "$RSBACLOGFILE" ]]
then
  { echo ""; echo "# $0 start $(date)"; } >>"$RSBACLOGFILE"
fi

get_attributes "$FILE"

# For anything but a directory, record the working directory in the log.
if [[ "$TYPE" != "DIR" && -n "$RSBACLOGFILE" ]]
then
  echo "cd $(pwd)" >>"$RSBACLOGFILE"
fi

  {
    echo 'fd_menu ()'
    echo '  {'    
    echo "    $DIALOG --title \"$TITLE\" \\"
    echo '       --backtitle "$BACKTITLE" \'
    echo '       --help-button --default-item "$CHOICE" \'
    echo '       --menu "Main FD Menu" $BL $BC `gl 37` \'
    echo '              "FD List:" "Choose from listing of last dir" \'
    echo '              "FD Name:" "`name_print \"$FILE / $SUBTYPE\"`" \'
    echo '              `gen_follow_symlink 1` `gen_follow_symlink 2` \'
    echo '              "Attribute Get Mode:" "$GETMODE" \'
    echo '              "-------------------" " " \'
    if test "$SHOW_MAC" = "yes"
    then
      echo '              "MAC Security Level:" "$SECLEVEL / `get_vname seclevel $SECLEVEL`" \'
      echo '              "MAC Categories:" "`cat_print $MACCAT`" \'
      echo '              "MAC Trusted for User:" "$MACTRUSER / `get_vname mactruser $MACTRUSER`" \'
    fi
    if test "$SHOW_FC" = "yes"
    then
      echo '              "FC Object Category:" "$OBJCAT / `get_vname objcat $OBJCAT`" \'
    fi
    if test "$SHOW_SIM" = "yes"
    then
      echo '              "SIM Data Type:" "$DATATYPE / `get_vname datatype $DATATYPE`" \'
    fi
    if test "$SHOW_PM" = "yes"
    then
      echo '              "PM Object Class:" "$PMCLASS" \'
      echo '              "PM TP:" "$PMTP" \'
      echo '              "PM Object Type:" "$PMOBJTYPE / `get_vname pmobjtype $PMOBJTYPE`" \'
    fi
    if test "$SHOW_MS" = "yes"
    then
      echo '              "MS Scanned:" "$MSSCANNED / `get_vname msscanned $MSSCANNED`" \'
      echo '              "MS Trusted:" "$MSTRUSTED / `get_vname mstrusted $MSTRUSTED`" \'
      echo '              "MS Sock Trusted TCP:" "$MSSOCKTCP / `get_vname mssock $MSSOCKTCP`" \'
      echo '              "MS Sock Trusted UDP:" "$MSSOCKUDP / `get_vname mssock $MSSOCKUDP`" \'
    fi
    if test "$SHOW_FF" = "yes"
    then
      echo '              "FF Flags:" "$FFFLAGS" \'
    fi
    if test "$SHOW_RC" = "yes"
    then
      echo '              "RC Type FD:" "$RCTYPEFD / `get_vname rctypefd $RCTYPEFD`" \'
      echo '              "RC Force Role:" "$RCFORRO / `get_vname rcforro $RCFORRO`" \'
      echo '              "RC Initial Role:" "$RCINRO / `get_vname rcinro $RCINRO`" \'
    fi
    if test "$SHOW_AUTH" = "yes"
    then
      echo '              "AUTH May Setuid:" "$AUTHSUID / `get_vname onoff $AUTHSUID`" \'
      echo '              "AUTH May Set Cap:" "$AUTHSCAP / `get_vname onoff $AUTHSCAP`" \'
      echo '              "AUTH Capabilities:" "`get_caps`" \'
    fi
    if test "$SHOW_CAP" = "yes"
    then
      echo '              "CAP Min Caps:" "$MINCAPS" \'
      echo '              "CAP Max Caps:" "$MAXCAPS" \'
    fi
    if test "$SHOW_GEN" = "yes"
    then
      echo '              "Log Array Low:" "$LOGLOW" \'
      echo '              "Log Array High:" "$LOGHIGH" \'
      echo '              "Log Program Based:" "$LOGPROG" \'
      echo '              "Symlink Add UID:" "$SYMADDUID" \'
      echo '              "Symlink Add RC Role:" "$SYMADDRC" \'
      echo '              "Linux DAC disable:" "$DACDIS / `get_vname dacdis $DACDIS`" \'
    fi
    echo '              "----------------" " " \'
    echo '              "Dev Attributes:" "Go to block/char dev attribute menu" \'
    echo '              "ACL Menu:" "Go to ACL menu" \'
    echo '              "----------------" " " \'
    echo '              "Reset Attributes:" "Reset all values to default values" \'
    echo '              "Quit" ""'
    echo '  }'
  } > $TMPFILE

. $TMPFILE

#cp $TMPFILE /tmp/menu

while true
  do
    if ! fd_menu 2>$TMPFILE
     then rm $TMPFILE ; exit
    fi

  CHOICE="`cat $TMPFILE`"
  case "$CHOICE" in
    HELP*)
        show_help "${CHOICE:5}"
        CHOICE="${CHOICE:5}"
      ;;
    'FD List:')
        FILETMP="$FILE"
        if test ! -d $LASTDIR
        then $LASTDIR='/'
        fi
        TMP=`ls -1ad $LASTDIR/* $LASTDIR/.*`
        while $DIALOG --title "$TITLE" \
                     --backtitle "$BACKTITLE" \
                     --default-item "$FILETMP" \
                     --menu "File/Dir/Fifo Name (choose cancel for $FILE)" $BL $BC $MAXLINES \
                            `for i in $TMP ; do list_item $i ; done` \
           2>$TMPFILE
        do FILETMP="`cat $TMPFILE`"
          FILE="$FILETMP"
          get_attributes
          if test $TYPE != "DIR"
          then break
          else
          TMP=`ls -1ad $LASTDIR/* $LASTDIR/.*`
          fi
        done
      ;;

    "FD Name:")
        if $DIALOG --title "$TITLE" \
                  --backtitle "$BACKTITLE" \
                  --inputbox "File/Dir/Fifo/Symlink name" $BL $BC "$FILE" \
           2>$TMPFILE
        then FILE=`cat $TMPFILE`
             get_attributes
        fi
      ;;

    "Follow:")
        case "$SYMLINK" in
          /*)
            FILE="$SYMLINK"
            ;;
          *)
            FILE="`dirname $FILE`/$SYMLINK"
            ;;
        esac
        get_attributes
      ;;

    'Attribute Get Mode:')
        if test $GETMODE = "real"
        then GETMODE="effective" ; GETSWITCH="-e"
        else GETMODE="real" ; GETSWITCH=""
        fi
        get_attributes
      ;;


    'MAC Security Level:')
        if test "$TYPE" != "NONE"
        then \
          if $DIALOG --title "$TITLE" \
                    --backtitle "$BACKTITLE" \
                    --radiolist "Choose Security Level for $FILE (old value: $SECLEVEL)" $BL $BC 8 \
                                "Enter" "Numeric Value" off \
                                0 "`get_vname seclevel 0`" `onoff 0 $SECLEVEL` \
                                1 "`get_vname seclevel 1`" `onoff 1 $SECLEVEL` \
                                2 "`get_vname seclevel 2`" `onoff 2 $SECLEVEL` \
                                3 "`get_vname seclevel 3`" `onoff 3 $SECLEVEL` \
                                252 "`get_vname seclevel 252`" `onoff 252 $SECLEVEL` \
                                253 "`get_vname seclevel 253`" `onoff 253 $SECLEVEL` \
                                254 "`get_vname seclevel 254`" `onoff 254 $SECLEVEL` \
             2>$TMPFILE
          then TMP=`cat $TMPFILE`
               if test "$TMP" = "Enter"
               then
                 if $DIALOG --title "$TITLE" \
                           --backtitle "$BACKTITLE" \
                           --inputbox "MAC security level" $BL $BC "$SECLEVEL" \
                   2>$TMPFILE
                 then
                   TMP="`cat $TMPFILE`"
                   if test $TMP -gt 254
                   then
                     $DIALOG --title "$ERRTITLE" \
                            --backtitle "$BACKTITLE" \
                            --msgbox "Invalid security level value $TMP!" $BL $BC
                     TMP=""
                   fi
                 else
                   TMP=""
                 fi
               fi
               if test -n "$TMP"
               then
                 if $RSBACPATH""attr_set_file_dir $TYPE "$FILE" security_level $TMP &>$TMPFILE
                 then SECLEVEL=$TMP
                   if test -n "$RSBACLOGFILE"
                   then
                     echo $RSBACPATH""attr_set_file_dir $TYPE \"$FILE\" security_level $TMP >>"$RSBACLOGFILE"
                   fi
                 else \
                   $DIALOG --title "$ERRTITLE" \
                          --backtitle "$BACKTITLE" \
                          --msgbox "`head -n 1 $TMPFILE`" $BL $BC
                 fi
               fi
          fi
        else
                 $DIALOG --title "$ERRTITLE" \
                        --backtitle "$BACKTITLE" \
                        --msgbox "Security Level: No file/dir specified!" 5 $BC
        fi
      ;;

    'MAC Categories:')
        if test "$TYPE" != "NONE"
        then \
          ALLCATNR=`$RSBACPATH""attr_get_file_dir list_category_nr`
          if $DIALOG --title "MAC Categories for $TYPE $FILE (all 0 = inherit)" \
                    --backtitle "$BACKTITLE" \
                    --checklist "Bits: $MACCAT" $BL $BC $MAXLINES \
                    `gen_cat_list $ALLCATNR` \
             2>$TMPFILE
          then TMP=`cat $TMPFILE|tr -d '"'`
               for i in $ALLCATNR
               do
                 if $RSBACPATH""attr_set_file_dir $TYPE "$FILE" mac_categories $i 0 &>$TMPFILE
                 then
                   if test -n "$RSBACLOGFILE"
                   then
                     echo $RSBACPATH""attr_set_file_dir $TYPE \"$FILE\" mac_categories $i 0 >>"$RSBACLOGFILE"
                   fi
                 else
                   $DIALOG --title "$ERRTITLE" \
                          --backtitle "$BACKTITLE" \
                          --msgbox "`head -n 1 $TMPFILE`" $BL $BC
                   continue
                 fi
               done
               for i in $TMP
               do
                 if $RSBACPATH""attr_set_file_dir $TYPE "$FILE" mac_categories $i 1 &>$TMPFILE
                 then
                   if test -n "$RSBACLOGFILE"
                   then
                     echo $RSBACPATH""attr_set_file_dir $TYPE \"$FILE\" mac_categories $i 1 >>"$RSBACLOGFILE"
                   fi
                 else
                   $DIALOG --title "$ERRTITLE" \
                          --backtitle "$BACKTITLE" \
                          --msgbox "`head -n 1 $TMPFILE`" $BL $BC
                   continue
                 fi
               done
               MACCAT=`$RSBACPATH""attr_get_file_dir $GETSWITCH $TYPE "$FILE" mac_categories`
          fi
        else
                 $DIALOG --title "$ERRTITLE" \
                        --backtitle "$BACKTITLE" \
                        --msgbox "MAC Categories: No file/dir specified!" 5 $BC
        fi
      ;;

    'MAC Trusted for User:')
        if test "$TYPE" != "NONE"
        then \
          if $DIALOG --title "$TITLE" \
                    --backtitle "$BACKTITLE" \
                    --radiolist "Choose User to execute file as MAC Trusted for $FILE" $BL $BC 5 \
                                NONE "$NO_USER (-2)" `onoff $NO_USER $MACTRUSER` \
                                ALL "$ALL_USERS (-3)" `onoff $ALL_USERS $MACTRUSER` \
                                $MACTRUSER "Individual user: `get_vname mactruser $MACTRUSER`" `onoff $NEWMTUSER $MACTRUSER` \
                                "IND"  "Choose individual user" off \
             2>$TMPFILE
          then TMP=`cat $TMPFILE`
               if test "$TMP" = "IND"
                 then choose_user
                      TMP=$NEWMTUSER
               fi
               if test -n "$TMP"
               then
                 TMP=`get_vname mactruserrev $TMP`
                 if $RSBACPATH""attr_set_file_dir $TYPE "$FILE" mac_trusted_for_user $TMP &>$TMPFILE
                 then MACTRUSER=$TMP
                   if test -n "$RSBACLOGFILE"
                   then
                     echo $RSBACPATH""attr_set_file_dir $TYPE \"$FILE\" mac_trusted_for_user $TMP >>"$RSBACLOGFILE"
                   fi
                 else \
                   $DIALOG --title "$ERRTITLE" \
                          --backtitle "$BACKTITLE" \
                          --msgbox "`head -n 1 $TMPFILE`" $BL $BC
                 fi
               fi
          fi
        else
                 $DIALOG --title "$ERRTITLE" \
                        --backtitle "$BACKTITLE" \
                        --msgbox "MAC Trusted for User: No file/dir specified!" 5 $BC
        fi
      ;;

    'FC Object Category:')
        if test "$TYPE" != "NONE"
        then \
          if $DIALOG --title "$TITLE" \
                    --backtitle "$BACKTITLE" \
                    --radiolist "Choose Object Category for $FILE" $BL $BC 4 \
                                0 "`get_vname objcat 0`" `onoff 0 $OBJCAT` \
                                1 "`get_vname objcat 1`" `onoff 1 $OBJCAT` \
                                2 "`get_vname objcat 2`" `onoff 2 $OBJCAT` \
                                3 "`get_vname objcat 3`" `onoff 3 $OBJCAT` \
             2>$TMPFILE
          then TMP=`cat $TMPFILE`
               if $RSBACPATH""attr_set_file_dir $TYPE "$FILE" object_category $TMP &>$TMPFILE
               then OBJCAT=$TMP
                 if test -n "$RSBACLOGFILE"
                 then
                   echo $RSBACPATH""attr_set_file_dir $TYPE \"$FILE\" object_category $TMP >>"$RSBACLOGFILE"
                 fi
               else \
                 $DIALOG --title "$ERRTITLE" \
                        --backtitle "$BACKTITLE" \
                        --msgbox "`head -n 1 $TMPFILE`" $BL $BC
               fi
          fi
        else
                 $DIALOG --title "$ERRTITLE" \
                        --backtitle "$BACKTITLE" \
                        --msgbox "Object Category: No file/dir specified!" 5 $BC
        fi
      ;;

    'SIM Data Type:')
        if test "$TYPE" != "NONE"
        then \
          if $DIALOG --title "$TITLE" \
                    --backtitle "$BACKTITLE" \
                    --radiolist "Choose Data Type for $FILE" $BL $BC 3 \
                                0 "`get_vname datatype 0`" `onoff 0 $DATATYPE` \
                                1 "`get_vname datatype 1`" `onoff 1 $DATATYPE` \
                                2 "`get_vname datatype 2`" `onoff 2 $DATATYPE` \
             2>$TMPFILE
          then TMP=`cat $TMPFILE`
               if $RSBACPATH""attr_set_file_dir $TYPE "$FILE" data_type $TMP &>$TMPFILE
               then DATATYPE=$TMP
                 if test -n "$RSBACLOGFILE"
                 then
                   echo $RSBACPATH""attr_set_file_dir $TYPE \"$FILE\" data_type $TMP >>"$RSBACLOGFILE"
                 fi
               else \
                 $DIALOG --title "$ERRTITLE" \
                        --backtitle "$BACKTITLE" \
                        --msgbox "`head -n 1 $TMPFILE`" $BL $BC
               fi
          fi
        else
                 $DIALOG --title "$ERRTITLE" \
                        --backtitle "$BACKTITLE" \
                        --msgbox "Data Type: No file/dir specified!" 5 $BC
        fi
      ;;

    'PM Object Class:')
        if test "$TYPE" != "NONE"
        then \
           if $DIALOG --title "$TITLE" \
                     --backtitle "$BACKTITLE" \
                     --inputbox "PM Object Class (long integer) for $FILE" \
                                $BL $BC "$PMCLASS" \
              2>$TMPFILE
          then TMP=`cat $TMPFILE`
               if $RSBACPATH""attr_set_file_dir $TYPE "$FILE" pm_object_class $TMP &>$TMPFILE
               then PMCLASS=$TMP
                 if test -n "$RSBACLOGFILE"
                 then
                   echo $RSBACPATH""attr_set_file_dir $TYPE \"$FILE\" pm_object_class $TMP >>"$RSBACLOGFILE"
                 fi
               else \
                 $DIALOG --title "$ERRTITLE" \
                        --backtitle "$BACKTITLE" \
                        --msgbox "`head -n 1 $TMPFILE`" $BL $BC
               fi
          fi
        else
                 $DIALOG --title "$ERRTITLE" \
                        --backtitle "$BACKTITLE" \
                        --msgbox "PM Object Class: No file/dir specified!" 5 $BC
        fi
      ;;

    'PM TP:')
        if test "$TYPE" != "NONE"
        then \
           if $DIALOG --title "$TITLE" \
                     --backtitle "$BACKTITLE" \
                     --inputbox "PM TP (long integer) for $FILE" \
                                $BL $BC "$PMTP" \
              2>$TMPFILE
          then TMP=`cat $TMPFILE`
               if $RSBACPATH""attr_set_file_dir $TYPE "$FILE" pm_tp $TMP &>$TMPFILE
               then PMTP=$TMP
                 if test -n "$RSBACLOGFILE"
                 then
                   echo $RSBACPATH""attr_set_file_dir $TYPE \"$FILE\" pm_tp $TMP >>"$RSBACLOGFILE"
                 fi
               else \
                 $DIALOG --title "$ERRTITLE" \
                        --backtitle "$BACKTITLE" \
                        --msgbox "`head -n 1 $TMPFILE`" $BL $BC
               fi
          fi
        else
                 $DIALOG --title "$ERRTITLE" \
                        --backtitle "$BACKTITLE" \
                        --msgbox "PM TP: No file/dir specified!" 5 $BC
        fi
      ;;

    'PM Object Type:')
        if test "$TYPE" != "NONE"
        then \
          if $DIALOG --title "$TITLE" \
                    --backtitle "$BACKTITLE" \
                    --radiolist "Choose PM Object Type for $FILE" $BL $BC 6 \
                                0 "`get_vname pmobjtype 0`" `onoff 0 $PMOBJTYPE` \
                                1 "`get_vname pmobjtype 1`" `onoff 1 $PMOBJTYPE` \
                                2 "`get_vname pmobjtype 2`" `onoff 2 $PMOBJTYPE` \
                                3 "`get_vname pmobjtype 3`" `onoff 3 $PMOBJTYPE` \
                                4 "`get_vname pmobjtype 4`" `onoff 4 $PMOBJTYPE` \
                                5 "`get_vname pmobjtype 5`" `onoff 5 $PMOBJTYPE` \
             2>$TMPFILE
          then TMP=`cat $TMPFILE`
               if $RSBACPATH""attr_set_file_dir $TYPE "$FILE" pm_object_type $TMP &>$TMPFILE
               then PMOBJTYPE=$TMP
                 if test -n "$RSBACLOGFILE"
                 then
                   echo $RSBACPATH""attr_set_file_dir $TYPE \"$FILE\" pm_object_type $TMP >>"$RSBACLOGFILE"
                 fi
               else \
                 $DIALOG --title "$ERRTITLE" \
                        --backtitle "$BACKTITLE" \
                        --msgbox "`head -n 1 $TMPFILE`" $BL $BC
               fi
          fi
        else
                 $DIALOG --title "$ERRTITLE" \
                        --backtitle "$BACKTITLE" \
                        --msgbox "PM Object Type: No file/dir specified!" 5 $BC
        fi
      ;;

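    'MS Scanned:')
      # Set the ms_scanned attribute of $FILE from a radiolist; needs a
      # selected object (TYPE other than NONE).
      if [ "$TYPE" != "NONE" ]; then
        # dialog prints the chosen tag on stderr, which is captured in $TMPFILE.
        if $DIALOG --title "$TITLE" \
                   --backtitle "$BACKTITLE" \
                   --radiolist "Choose MS Scanned Status for $FILE" $BL $BC 5 \
                   0 "$(get_vname msscanned 0)" $(onoff 0 $MSSCANNED) \
                   1 "$(get_vname msscanned 1)" $(onoff 1 $MSSCANNED) \
                   $MSL "$(get_vname msscanned $MSL)" $(onoff $MSL $MSSCANNED) \
                   2>"$TMPFILE"
        then
          TMP=$(<"$TMPFILE")
          # $TMP stays unquoted so an empty answer is dropped rather than passed
          # on as an empty value; $TMPFILE is reused for the tool's output.
          if "${RSBACPATH}attr_set_file_dir" $TYPE "$FILE" ms_scanned $TMP &>"$TMPFILE"; then
            MSSCANNED=$TMP
            if [ -n "$RSBACLOGFILE" ]; then
              # The path is logged verbatim and unescaped: do not replay this
              # log through a shell without checking it first.
              echo "${RSBACPATH}attr_set_file_dir $TYPE \"$FILE\" ms_scanned" $TMP >>"$RSBACLOGFILE"
            fi
          else
            # Show the first line of the tool's error output.
            $DIALOG --title "$ERRTITLE" \
                    --backtitle "$BACKTITLE" \
                    --msgbox "$(head -n 1 "$TMPFILE")" $BL $BC
          fi
        fi
      else
        $DIALOG --title "$ERRTITLE" \
                --backtitle "$BACKTITLE" \
                --msgbox "MS Scanned: No file/dir specified!" 5 $BC
      fi
      ;;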

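    'MS Trusted:')
      # Set the ms_trusted attribute of $FILE from a radiolist; needs a
      # selected object (TYPE other than NONE).
      if [ "$TYPE" != "NONE" ]; then
        # The selected tag arrives on dialog's stderr and is read from $TMPFILE.
        if $DIALOG --title "$TITLE" \
                   --backtitle "$BACKTITLE" \
                   --radiolist "Choose MS Trusted $FILE" $BL $BC 6 \
                   0 "$(get_vname mstrusted 0)" $(onoff 0 $MSTRUSTED) \
                   1 "$(get_vname mstrusted 1)" $(onoff 1 $MSTRUSTED) \
                   2 "$(get_vname mstrusted 2)" $(onoff 2 $MSTRUSTED) \
                   2>"$TMPFILE"
        then
          TMP=$(<"$TMPFILE")
          # $TMP stays unquoted so an empty answer is dropped rather than passed
          # on as an empty value.
          if "${RSBACPATH}attr_set_file_dir" $TYPE "$FILE" ms_trusted $TMP &>"$TMPFILE"; then
            MSTRUSTED=$TMP
            if [ -n "$RSBACLOGFILE" ]; then
              # The path is logged verbatim and unescaped: do not replay this
              # log through a shell without checking it first.
              echo "${RSBACPATH}attr_set_file_dir $TYPE \"$FILE\" ms_trusted" $TMP >>"$RSBACLOGFILE"
            fi
          else
            # Show the first line of the tool's error output.
            $DIALOG --title "$ERRTITLE" \
                    --backtitle "$BACKTITLE" \
                    --msgbox "$(head -n 1 "$TMPFILE")" $BL $BC
          fi
        fi
      else
        $DIALOG --title "$ERRTITLE" \
                --backtitle "$BACKTITLE" \
                --msgbox "MS Trusted: No file/dir specified!" 5 $BC
      fi
      ;;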

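    'MS Sock Trusted TCP:')
      # Set the ms_sock_trusted_tcp attribute of $FILE from a radiolist; needs
      # a selected object (TYPE other than NONE).
      if [ "$TYPE" != "NONE" ]; then
        # The selected tag arrives on dialog's stderr and is read from $TMPFILE.
        if $DIALOG --title "$TITLE" \
                   --backtitle "$BACKTITLE" \
                   --radiolist "Choose MS Sock Trusted TCP for $FILE" $BL $BC 6 \
                   0 "$(get_vname mssock 0)" $(onoff 0 $MSSOCKTCP) \
                   1 "$(get_vname mssock 1)" $(onoff 1 $MSSOCKTCP) \
                   2 "$(get_vname mssock 2)" $(onoff 2 $MSSOCKTCP) \
                   2>"$TMPFILE"
        then
          TMP=$(<"$TMPFILE")
          # $TMP stays unquoted so an empty answer is dropped rather than passed
          # on as an empty value.
          if "${RSBACPATH}attr_set_file_dir" $TYPE "$FILE" ms_sock_trusted_tcp $TMP &>"$TMPFILE"; then
            MSSOCKTCP=$TMP
            if [ -n "$RSBACLOGFILE" ]; then
              # The path is logged verbatim and unescaped: do not replay this
              # log through a shell without checking it first.
              echo "${RSBACPATH}attr_set_file_dir $TYPE \"$FILE\" ms_sock_trusted_tcp" $TMP >>"$RSBACLOGFILE"
            fi
          else
            # Show the first line of the tool's error output.
            $DIALOG --title "$ERRTITLE" \
                    --backtitle "$BACKTITLE" \
                    --msgbox "$(head -n 1 "$TMPFILE")" $BL $BC
          fi
        fi
      else
        $DIALOG --title "$ERRTITLE" \
                --backtitle "$BACKTITLE" \
                --msgbox "MS Sock Trusted TCP: No file/dir specified!" 5 $BC
      fi
      ;;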

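    'MS Sock Trusted UDP:')
      # Set the ms_sock_trusted_udp attribute of $FILE from a radiolist; needs
      # a selected object (TYPE other than NONE).
      if [ "$TYPE" != "NONE" ]; then
        # The selected tag arrives on dialog's stderr and is read from $TMPFILE.
        if $DIALOG --title "$TITLE" \
                   --backtitle "$BACKTITLE" \
                   --radiolist "Choose MS Sock Trusted UDP for $FILE" $BL $BC 6 \
                   0 "$(get_vname mssock 0)" $(onoff 0 $MSSOCKUDP) \
                   1 "$(get_vname mssock 1)" $(onoff 1 $MSSOCKUDP) \
                   2 "$(get_vname mssock 2)" $(onoff 2 $MSSOCKUDP) \
                   2>"$TMPFILE"
        then
          TMP=$(<"$TMPFILE")
          # $TMP stays unquoted so an empty answer is dropped rather than passed
          # on as an empty value.
          if "${RSBACPATH}attr_set_file_dir" $TYPE "$FILE" ms_sock_trusted_udp $TMP &>"$TMPFILE"; then
            MSSOCKUDP=$TMP
            if [ -n "$RSBACLOGFILE" ]; then
              # The path is logged verbatim and unescaped: do not replay this
              # log through a shell without checking it first.
              echo "${RSBACPATH}attr_set_file_dir $TYPE \"$FILE\" ms_sock_trusted_udp" $TMP >>"$RSBACLOGFILE"
            fi
          else
            # Show the first line of the tool's error output.
            $DIALOG --title "$ERRTITLE" \
                    --backtitle "$BACKTITLE" \
                    --msgbox "$(head -n 1 "$TMPFILE")" $BL $BC
          fi
        fi
      else
        $DIALOG --title "$ERRTITLE" \
                --backtitle "$BACKTITLE" \
                --msgbox "MS Sock Trusted UDP: No file/dir specified!" 5 $BC
      fi
      ;;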

    'FF Flags:')
      # Hand over to flags_menu (defined elsewhere in this file) once an
      # object is selected; otherwise report the missing selection.
      if [ "$TYPE" = "NONE" ]; then
        $DIALOG --title "$ERRTITLE" --backtitle "$BACKTITLE" \
                --msgbox "FF Flags: No file/dir specified!" 5 $BC
      else
        flags_menu
      fi
      ;;

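    'RC Type FD:')
      # Set rc_type_fd for $FILE: choose from the list printed by
      # "rc_get_item list_fd_types" when that call succeeds, otherwise ask for
      # the integer value in an input box.
      if [ "$TYPE" != "NONE" ]; then
        if "${RSBACPATH}rc_get_item" list_fd_types >"$TMPFILE"; then
          TYPELIST=$(<"$TMPFILE")
          # NOTE(review): the menu preselects "$RCTYPE", while this arm stores
          # the result in RCTYPEFD and the input box below starts from
          # RCTYPEFD - confirm RCTYPE is set elsewhere, otherwise the current
          # value is never preselected.
          # $TYPELIST is expanded unquoted so it splits into menu arguments.
          if $DIALOG --title "$TITLE" \
                     --backtitle "$BACKTITLE" \
                     --default-item "$RCTYPE" \
                     --menu "Choose RC Type FD for $FILE" $BL $BC $MAXLINES \
                     $RCTYPEINHPAR "Inherit from parent dir" \
                     $TYPELIST \
                     2>"$TMPFILE"
          then
            TMP=$(<"$TMPFILE")
            # $TMP stays unquoted so an empty answer is dropped rather than
            # passed on as an empty value.
            if "${RSBACPATH}attr_set_file_dir" $TYPE "$FILE" rc_type_fd $TMP &>"$TMPFILE"; then
              RCTYPEFD=$TMP
              if [ -n "$RSBACLOGFILE" ]; then
                # The path is logged verbatim and unescaped: do not replay this
                # log through a shell without checking it first.
                echo "${RSBACPATH}attr_set_file_dir $TYPE \"$FILE\" rc_type_fd" $TMP >>"$RSBACLOGFILE"
              fi
            else
              # Show the first line of the tool's error output.
              $DIALOG --title "$ERRTITLE" \
                      --backtitle "$BACKTITLE" \
                      --msgbox "$(head -n 1 "$TMPFILE")" $BL $BC
            fi
          fi
        else
          # No type list available: take free text. The value is not validated
          # here and, being unquoted, is word-split and glob-expanded before it
          # reaches attr_set_file_dir.
          if $DIALOG --title "$TITLE" \
                     --backtitle "$BACKTITLE" \
                     --inputbox "RC Type FD (integer) for $FILE ($RCTYPEINHPAR = inherit)" \
                     $BL $BC "$RCTYPEFD" \
                     2>"$TMPFILE"
          then
            TMP=$(<"$TMPFILE")
            if "${RSBACPATH}attr_set_file_dir" $TYPE "$FILE" rc_type_fd $TMP &>"$TMPFILE"; then
              RCTYPEFD=$TMP
              if [ -n "$RSBACLOGFILE" ]; then
                echo "${RSBACPATH}attr_set_file_dir $TYPE \"$FILE\" rc_type_fd" $TMP >>"$RSBACLOGFILE"
              fi
            else
              $DIALOG --title "$ERRTITLE" \
                      --backtitle "$BACKTITLE" \
                      --msgbox "$(head -n 1 "$TMPFILE")" $BL $BC
            fi
          fi
        fi
      else
        $DIALOG --title "$ERRTITLE" \
                --backtitle "$BACKTITLE" \
                --msgbox "RC Type FD: No file/dir specified!" 5 $BC
      fi
      ;;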

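    'RC Force Role:')
      # Set rc_force_role for $FILE: choose from the list printed by
      # "rc_get_item list_roles" when that call succeeds, otherwise ask for the
      # integer value in an input box.
      if [ "$TYPE" != "NONE" ]; then
        if "${RSBACPATH}rc_get_item" list_roles >"$TMPFILE"; then
          TMP="$RCFORRO"
          ROLELIST=$(<"$TMPFILE")
          # The menu is repeated until a value is accepted or the dialog is
          # cancelled; $TMP carries the item to preselect on the next round.
          # $ROLELIST is expanded unquoted so it splits into menu arguments.
          while $DIALOG --title "$TITLE" \
                        --backtitle "$BACKTITLE" \
                        --help-button --default-item "$TMP" \
                        --menu "Choose RC Forced Role for $TYPE $FILE" $BL $BC $MAXLINES \
                        $RCUSERINHERIT "always inherit from user" \
                        $RCPROCINHERIT "inherit process (keep role)" \
                        $RCPARINHERIT "inherit parent dir (default)" \
                        $RCMIXINHERIT "mixed inherit proc/user (root dir default)" \
                        $ROLELIST \
                        2>"$TMPFILE"
          do
            TMP=$(<"$TMPFILE")
            case "$TMP" in
              HELP*)
                # Help button: the text after the first five characters goes to
                # show_help and becomes the preselected item.
                show_help "${TMP:5}"
                TMP="${TMP:5}"
                ;;
              *)
                # $TMP stays unquoted so an empty answer is dropped rather than
                # passed on as an empty value.
                if "${RSBACPATH}attr_set_file_dir" $TYPE "$FILE" rc_force_role $TMP &>"$TMPFILE"; then
                  RCFORRO=$TMP
                  if [ -n "$RSBACLOGFILE" ]; then
                    # The path is logged verbatim and unescaped: do not replay
                    # this log through a shell without checking it first.
                    echo "${RSBACPATH}attr_set_file_dir $TYPE \"$FILE\" rc_force_role" $TMP >>"$RSBACLOGFILE"
                  fi
                  break
                else
                  # Show the first line of the tool's error output, then loop.
                  $DIALOG --title "$ERRTITLE" \
                          --backtitle "$BACKTITLE" \
                          --msgbox "$(head -n 1 "$TMPFILE")" $BL $BC
                fi
                ;;
            esac
          done
        else
          # No role list available: take free text, which is not validated here.
          # NOTE(review): this prompt labels $RCMIXINHERIT as "(default)" and
          # omits $RCPARINHERIT, whereas the menu above marks parent-dir
          # inheritance as the default - confirm which wording is right.
          if $DIALOG --title "$TITLE" \
                     --backtitle "$BACKTITLE" \
                     --inputbox "RC Force Role (integer) for $TYPE $FILE ($RCUSERINHERIT = always inherit from user, $RCPROCINHERIT = inherit from process (keep role), $RCMIXINHERIT = mixed inherit (default))" \
                     $BL $BC "$RCFORRO" \
                     2>"$TMPFILE"
          then
            TMP=$(<"$TMPFILE")
            if "${RSBACPATH}attr_set_file_dir" $TYPE "$FILE" rc_force_role $TMP &>"$TMPFILE"; then
              RCFORRO=$TMP
              if [ -n "$RSBACLOGFILE" ]; then
                echo "${RSBACPATH}attr_set_file_dir $TYPE \"$FILE\" rc_force_role" $TMP >>"$RSBACLOGFILE"
              fi
            else
              $DIALOG --title "$ERRTITLE" \
                      --backtitle "$BACKTITLE" \
                      --msgbox "$(head -n 1 "$TMPFILE")" $BL $BC
            fi
          fi
        fi
      else
        $DIALOG --title "$ERRTITLE" \
                --backtitle "$BACKTITLE" \
                --msgbox "RC Force Role: No file/dir specified!" 5 $BC
      fi
      ;;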

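    'RC Initial Role:')
      # Set rc_initial_role for $FILE: choose from the list printed by
      # "rc_get_item list_roles" when that call succeeds, otherwise ask for the
      # integer value in an input box.
      if [ "$TYPE" != "NONE" ]; then
        if "${RSBACPATH}rc_get_item" list_roles >"$TMPFILE"; then
          TMP="$RCINRO"
          ROLELIST=$(<"$TMPFILE")
          # The menu is repeated until a value is accepted or the dialog is
          # cancelled; $TMP carries the item to preselect on the next round.
          # $ROLELIST is expanded unquoted so it splits into menu arguments.
          while $DIALOG --title "$TITLE" \
                        --backtitle "$BACKTITLE" \
                        --help-button --default-item "$TMP" \
                        --menu "Choose RC Initial Role for $TYPE $FILE" $BL $BC $MAXLINES \
                        $RCPARINHERIT "inherit parent dir (default)" \
                        $RCUSEFR "use force_role value (root dir default)" \
                        $ROLELIST \
                        2>"$TMPFILE"
          do
            TMP=$(<"$TMPFILE")
            case "$TMP" in
              HELP*)
                # Help button: the text after the first five characters goes to
                # show_help and becomes the preselected item.
                show_help "${TMP:5}"
                TMP="${TMP:5}"
                ;;
              *)
                # $TMP stays unquoted so an empty answer is dropped rather than
                # passed on as an empty value.
                if "${RSBACPATH}attr_set_file_dir" $TYPE "$FILE" rc_initial_role $TMP &>"$TMPFILE"; then
                  RCINRO=$TMP
                  if [ -n "$RSBACLOGFILE" ]; then
                    # The path is logged verbatim and unescaped: do not replay
                    # this log through a shell without checking it first.
                    echo "${RSBACPATH}attr_set_file_dir $TYPE \"$FILE\" rc_initial_role" $TMP >>"$RSBACLOGFILE"
                  fi
                  break
                else
                  # Show the first line of the tool's error output, then loop.
                  $DIALOG --title "$ERRTITLE" \
                          --backtitle "$BACKTITLE" \
                          --msgbox "$(head -n 1 "$TMPFILE")" $BL $BC
                fi
                ;;
            esac
          done
        else
          # No role list available: take free text, which is not validated here.
          if $DIALOG --title "$TITLE" \
                     --backtitle "$BACKTITLE" \
                     --inputbox "RC Initial Role (integer) for $TYPE $FILE ($RCPARINHERIT = inherit parent (default), $RCUSEFR = use force_role value (root default))" \
                     $BL $BC "$RCINRO" \
                     2>"$TMPFILE"
          then
            TMP=$(<"$TMPFILE")
            if "${RSBACPATH}attr_set_file_dir" $TYPE "$FILE" rc_initial_role $TMP &>"$TMPFILE"; then
              RCINRO=$TMP
              if [ -n "$RSBACLOGFILE" ]; then
                echo "${RSBACPATH}attr_set_file_dir $TYPE \"$FILE\" rc_initial_role" $TMP >>"$RSBACLOGFILE"
              fi
            else
              $DIALOG --title "$ERRTITLE" \
                      --backtitle "$BACKTITLE" \
                      --msgbox "$(head -n 1 "$TMPFILE")" $BL $BC
            fi
          fi
        fi
      else
        $DIALOG --title "$ERRTITLE" \
                --backtitle "$BACKTITLE" \
                --msgbox "RC Initial Role: No file/dir specified!" 5 $BC
      fi
      ;;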

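    'AUTH May Setuid:')
      # Toggle auth_may_setuid for $FILE; only offered when both TYPE and
      # SUBTYPE are FILE.
      if [ "$TYPE" = "FILE" ] && [ "$SUBTYPE" = "FILE" ]; then
        # Only a current value of exactly "0" is switched to 1; any other
        # value, including an empty one, results in 0. Quoting keeps the test
        # well-formed when AUTHSUID is empty.
        if [ "$AUTHSUID" = "0" ]; then
          TMP="1"
        else
          TMP="0"
        fi
        if "${RSBACPATH}attr_set_file_dir" $TYPE "$FILE" auth_may_setuid $TMP &>"$TMPFILE"; then
          AUTHSUID=$TMP
          if [ -n "$RSBACLOGFILE" ]; then
            # The path is logged verbatim and unescaped: do not replay this
            # log through a shell without checking it first.
            echo "${RSBACPATH}attr_set_file_dir $TYPE \"$FILE\" auth_may_setuid" $TMP >>"$RSBACLOGFILE"
          fi
        else
          # Show the first line of the tool's error output.
          $DIALOG --title "$ERRTITLE" \
                  --backtitle "$BACKTITLE" \
                  --msgbox "$(head -n 1 "$TMPFILE")" $BL $BC
        fi
      else
        $DIALOG --title "$ERRTITLE" \
                --backtitle "$BACKTITLE" \
                --msgbox "AUTH May Setuid: No regular file specified!" 5 $BC
      fi
      ;;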

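    'AUTH May Set Cap:')
      # Toggle auth_may_set_cap for $FILE; only offered when both TYPE and
      # SUBTYPE are FILE.
      if [ "$TYPE" = "FILE" ] && [ "$SUBTYPE" = "FILE" ]; then
        # Only a current value of exactly "0" is switched to 1; any other
        # value, including an empty one, results in 0. Quoting keeps the test
        # well-formed when AUTHSCAP is empty.
        if [ "$AUTHSCAP" = "0" ]; then
          TMP="1"
        else
          TMP="0"
        fi
        if "${RSBACPATH}attr_set_file_dir" $TYPE "$FILE" auth_may_set_cap $TMP &>"$TMPFILE"; then
          AUTHSCAP=$TMP
          if [ -n "$RSBACLOGFILE" ]; then
            # The path is logged verbatim and unescaped: do not replay this
            # log through a shell without checking it first.
            echo "${RSBACPATH}attr_set_file_dir $TYPE \"$FILE\" auth_may_set_cap" $TMP >>"$RSBACLOGFILE"
          fi
        else
          # Show the first line of the tool's error output.
          $DIALOG --title "$ERRTITLE" \
                  --backtitle "$BACKTITLE" \
                  --msgbox "$(head -n 1 "$TMPFILE")" $BL $BC
        fi
      else
        $DIALOG --title "$ERRTITLE" \
                --backtitle "$BACKTITLE" \
                --msgbox "AUTH May Set Cap: No regular file specified!" 5 $BC
      fi
      ;;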

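    'AUTH Capabilities:')
      # Add or remove AUTH capability entries of a regular file (TYPE and
      # SUBTYPE both FILE) in a submenu that repeats until Quit or cancel.
      # NOTE(review): unlike the attr_set_file_dir arms of this menu, the
      # auth_set_cap calls below write nothing to $RSBACLOGFILE - confirm
      # whether these changes should be recorded too.
      if [ "$TYPE" = "FILE" ] && [ "$SUBTYPE" = "FILE" ]; then
        while true; do
          # TMP is cleared each round, so --default-item is always empty here.
          TMP=
          if $DIALOG --title "$TITLE" \
                     --backtitle "$BACKTITLE" \
                     --default-item "$TMP" \
                     --menu "$FILE: Caps: $(get_caps)" $BL $BC $(gl 3) \
                     "Add" "Capability" \
                     "Remove" "Capability" \
                     "Quit" "" \
                     2>"$TMPFILE"
          then
            TMP=$(<"$TMPFILE")
            case "$TMP" in
              Quit)
                break
                ;;
              Add)
                # NOTE(review): presumably choose_user leaves NEWMTUSER empty
                # on cancel - verify, otherwise a stale value would be added.
                choose_user
                if [ -n "$NEWMTUSER" ]; then
                  if ! "${RSBACPATH}auth_set_cap" FILE add "$FILE" $NEWMTUSER &>"$TMPFILE"; then
                    # Show the first line of the tool's error output.
                    $DIALOG --title "$ERRTITLE" \
                            --backtitle "$BACKTITLE" \
                            --msgbox "$(head -n 1 "$TMPFILE")" $BL $BC
                  fi
                fi
                ;;
              Remove)
                TMP=$(get_caps)
                # Repeat the selection until a removal succeeds or the dialog
                # is cancelled.
                while $DIALOG --title "$TITLE" \
                              --backtitle "$BACKTITLE" \
                              --menu "Username/ID to be removed from $FILE file caps" $BL $BC $MAXLINES \
                              $(gen_cap_rem_user $TMP) \
                              2>"$TMPFILE"
                do
                  # Colons in the chosen tag become spaces, so the unquoted
                  # $TMP reaches auth_set_cap as separate arguments.
                  TMP=$(tr ':' ' ' <"$TMPFILE")
                  if "${RSBACPATH}auth_set_cap" FILE remove "$FILE" $TMP &>"$TMPFILE"; then
                    break
                  else
                    $DIALOG --title "$ERRTITLE" \
                            --backtitle "$BACKTITLE" \
                            --msgbox "$(head -n 1 "$TMPFILE")" $BL $BC
                  fi
                done
                ;;
            esac
          else
            break
          fi
        done
      else
        $DIALOG --title "$ERRTITLE" \
                --backtitle "$BACKTITLE" \
                --msgbox "AUTH Capabilities: No regular file specified!" 5 $BC
      fi
      ;;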

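    'CAP Min Caps:')
      # Edit min_caps of $FILE through a checklist; only offered when TYPE is
      # FILE.
      if [ "$TYPE" = "FILE" ]; then
        # The separator row is an ordinary checklist entry: if it is ticked,
        # its tag is passed to attr_set_file_dir along with the others.
        if $DIALOG --title "CAP min_caps for $TYPE $FILE" \
                   --backtitle "$BACKTITLE" \
                   --checklist "Bits: $MINCAPS" $BL $BC $MAXLINES \
                   $(gen_min_caps_list) \
                   '--------------' '-----------------' off \
                   UA 'Unset ALL' off \
                   A  'Set ALL' off \
                   FS_MASK  'Set all filesystem caps' off \
                   2>"$TMPFILE"
        then
          # Strip the double quotes from dialog's answer; $TMP is then expanded
          # unquoted so every selected tag becomes its own argument.
          TMP=$(tr -d '"' <"$TMPFILE")
          if "${RSBACPATH}attr_set_file_dir" $TYPE "$FILE" min_caps $TMP &>"$TMPFILE"; then
            # Re-read the stored value instead of computing it locally.
            # $GETSWITCH is left unquoted so it vanishes when empty.
            MINCAPS=$("${RSBACPATH}attr_get_file_dir" $GETSWITCH $TYPE "$FILE" min_caps)
            if [ -n "$RSBACLOGFILE" ]; then
              # The path is logged verbatim and unescaped: do not replay this
              # log through a shell without checking it first.
              echo "${RSBACPATH}attr_set_file_dir $TYPE \"$FILE\" min_caps" $TMP >>"$RSBACLOGFILE"
            fi
          else
            # Show the first line of the tool's error output.
            $DIALOG --title "$ERRTITLE" \
                    --backtitle "$BACKTITLE" \
                    --msgbox "$(head -n 1 "$TMPFILE")" $BL $BC
          fi
        fi
      else
        $DIALOG --title "$ERRTITLE" \
                --backtitle "$BACKTITLE" \
                --msgbox "CAP Min Caps: No file specified!" 5 $BC
      fi
      ;;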

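    'CAP Max Caps:')
      # Edit max_caps of $FILE through a checklist; only offered when TYPE is
      # FILE.
      if [ "$TYPE" = "FILE" ]; then
        # The separator row is an ordinary checklist entry: if it is ticked,
        # its tag is passed to attr_set_file_dir along with the others.
        if $DIALOG --title "CAP max_caps for $TYPE $FILE" \
                   --backtitle "$BACKTITLE" \
                   --checklist "Bits: $MAXCAPS" $BL $BC $MAXLINES \
                   $(gen_max_caps_list) \
                   '--------------' '-----------------' off \
                   UA 'Unset ALL' off \
                   A  'Set ALL' off \
                   FS_MASK  'Set all filesystem caps' off \
                   2>"$TMPFILE"
        then
          # Strip the double quotes from dialog's answer; $TMP is then expanded
          # unquoted so every selected tag becomes its own argument.
          TMP=$(tr -d '"' <"$TMPFILE")
          if "${RSBACPATH}attr_set_file_dir" $TYPE "$FILE" max_caps $TMP &>"$TMPFILE"; then
            # Re-read the stored value instead of computing it locally.
            # $GETSWITCH is left unquoted so it vanishes when empty.
            MAXCAPS=$("${RSBACPATH}attr_get_file_dir" $GETSWITCH $TYPE "$FILE" max_caps)
            if [ -n "$RSBACLOGFILE" ]; then
              # The path is logged verbatim and unescaped: do not replay this
              # log through a shell without checking it first.
              echo "${RSBACPATH}attr_set_file_dir $TYPE \"$FILE\" max_caps" $TMP >>"$RSBACLOGFILE"
            fi
          else
            # Show the first line of the tool's error output.
            $DIALOG --title "$ERRTITLE" \
                    --backtitle "$BACKTITLE" \
                    --msgbox "$(head -n 1 "$TMPFILE")" $BL $BC
          fi
        fi
      else
        $DIALOG --title "$ERRTITLE" \
                --backtitle "$BACKTITLE" \
                --msgbox "CAP Max Caps: No file specified!" 5 $BC
      fi
      ;;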

    'Log Array Low:')
      # Hand over to log_menu (defined elsewhere in this file) once an object
      # is selected; otherwise report the missing selection.
      if [ "$TYPE" = "NONE" ]; then
        $DIALOG --title "$ERRTITLE" --backtitle "$BACKTITLE" \
                --msgbox "Log Array Low: No file/dir specified!" 5 $BC
      else
        log_menu
      fi
      ;;

    'Log Array High:')
      # Same entry point as the low array: hand over to log_menu once an
      # object is selected; otherwise report the missing selection.
      if [ "$TYPE" = "NONE" ]; then
        $DIALOG --title "$ERRTITLE" --backtitle "$BACKTITLE" \
                --msgbox "Log Array High: No file/dir specified!" 5 $BC
      else
        log_menu
      fi
      ;;

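    'Log Program Based:')
      # Edit log_program_based of $FILE through a checklist; needs a selected
      # object (TYPE other than NONE).
      if [ "$TYPE" != "NONE" ]; then
        # The separator row is an ordinary checklist entry: if it is ticked,
        # its tag is passed to attr_set_file_dir along with the others.
        if $DIALOG --title "log_program_based for $TYPE $FILE" \
                   --backtitle "$BACKTITLE" \
                   --checklist "Bits: $LOGPROG" $BL $BC $MAXLINES \
                   $(gen_request_list) \
                   '--------------' '-----------------' off \
                   UA 'Unset ALL' off \
                   A  'Set ALL' off \
                   R  'Set Read Requests' off \
                   RW 'Set Read-Write R.' off \
                   W  'Set Write Requests' off \
                   SY 'Set System R.' off \
                   SE 'Set Security R.' off \
                   2>"$TMPFILE"
        then
          # Strip the double quotes from dialog's answer; $TMP is then expanded
          # unquoted so every selected tag becomes its own argument.
          TMP=$(tr -d '"' <"$TMPFILE")
          if "${RSBACPATH}attr_set_file_dir" $TYPE "$FILE" log_program_based $TMP &>"$TMPFILE"; then
            # Re-read the stored value instead of computing it locally.
            # $GETSWITCH is left unquoted so it vanishes when empty.
            LOGPROG=$("${RSBACPATH}attr_get_file_dir" $GETSWITCH $TYPE "$FILE" log_program_based)
            if [ -n "$RSBACLOGFILE" ]; then
              # The path is logged verbatim and unescaped: do not replay this
              # log through a shell without checking it first.
              echo "${RSBACPATH}attr_set_file_dir $TYPE \"$FILE\" log_program_based" $TMP >>"$RSBACLOGFILE"
            fi
          else
            # Show the first line of the tool's error output.
            $DIALOG --title "$ERRTITLE" \
                    --backtitle "$BACKTITLE" \
                    --msgbox "$(head -n 1 "$TMPFILE")" $BL $BC
          fi
        fi
      else
        $DIALOG --title "$ERRTITLE" \
                --backtitle "$BACKTITLE" \
                --msgbox "Log Program Based: No file/dir specified!" 5 $BC
      fi
      ;;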

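    'Symlink Add UID:')
      # Toggle symlink_add_uid for $FILE; only offered when TYPE is SYMLINK.
      if [ "$TYPE" = "SYMLINK" ]; then
        # Only a current value of exactly "0" is switched to 1; any other
        # value, including an empty one, results in 0. Quoting keeps the test
        # well-formed when SYMADDUID is empty.
        if [ "$SYMADDUID" = "0" ]; then
          TMP="1"
        else
          TMP="0"
        fi
        if "${RSBACPATH}attr_set_file_dir" $TYPE "$FILE" symlink_add_uid $TMP &>"$TMPFILE"; then
          SYMADDUID=$TMP
          if [ -n "$RSBACLOGFILE" ]; then
            # The path is logged verbatim and unescaped: do not replay this
            # log through a shell without checking it first.
            echo "${RSBACPATH}attr_set_file_dir $TYPE \"$FILE\" symlink_add_uid" $TMP >>"$RSBACLOGFILE"
          fi
        else
          # Show the first line of the tool's error output.
          $DIALOG --title "$ERRTITLE" \
                  --backtitle "$BACKTITLE" \
                  --msgbox "$(head -n 1 "$TMPFILE")" $BL $BC
        fi
      else
        $DIALOG --title "$ERRTITLE" \
                --backtitle "$BACKTITLE" \
                --msgbox "Symlink Add UID: No symlink specified!" 5 $BC
      fi
      ;;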

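    'Symlink Add RC Role:')
      # Toggle symlink_add_rc_role for $FILE; only offered when TYPE is
      # SYMLINK.
      if [ "$TYPE" = "SYMLINK" ]; then
        # Only a current value of exactly "0" is switched to 1; any other
        # value, including an empty one, results in 0. Quoting keeps the test
        # well-formed when SYMADDRC is empty.
        if [ "$SYMADDRC" = "0" ]; then
          TMP="1"
        else
          TMP="0"
        fi
        if "${RSBACPATH}attr_set_file_dir" $TYPE "$FILE" symlink_add_rc_role $TMP &>"$TMPFILE"; then
          SYMADDRC=$TMP
          if [ -n "$RSBACLOGFILE" ]; then
            # The path is logged verbatim and unescaped: do not replay this
            # log through a shell without checking it first.
            echo "${RSBACPATH}attr_set_file_dir $TYPE \"$FILE\" symlink_add_rc_role" $TMP >>"$RSBACLOGFILE"
          fi
        else
          # Show the first line of the tool's error output.
          $DIALOG --title "$ERRTITLE" \
                  --backtitle "$BACKTITLE" \
                  --msgbox "$(head -n 1 "$TMPFILE")" $BL $BC
        fi
      else
        $DIALOG --title "$ERRTITLE" \
                --backtitle "$BACKTITLE" \
                --msgbox "Symlink Add RC Role: No symlink specified!" 5 $BC
      fi
      ;;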

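    'Linux DAC disable:')
      # Set the linux_dac_disable attribute of $FILE from a radiolist; needs a
      # selected object (TYPE other than NONE).
      if [ "$TYPE" != "NONE" ]; then
        # The selected tag arrives on dialog's stderr and is read from $TMPFILE.
        if $DIALOG --title "$TITLE" \
                   --backtitle "$BACKTITLE" \
                   --radiolist "Choose Linux DAC disable value for $FILE" $BL $BC 6 \
                   0 "$(get_vname dacdis 0)" $(onoff 0 $DACDIS) \
                   1 "$(get_vname dacdis 1)" $(onoff 1 $DACDIS) \
                   2 "$(get_vname dacdis 2)" $(onoff 2 $DACDIS) \
                   2>"$TMPFILE"
        then
          TMP=$(<"$TMPFILE")
          # $TMP stays unquoted so an empty answer is dropped rather than passed
          # on as an empty value.
          if "${RSBACPATH}attr_set_file_dir" $TYPE "$FILE" linux_dac_disable $TMP &>"$TMPFILE"; then
            DACDIS=$TMP
            if [ -n "$RSBACLOGFILE" ]; then
              # The path is logged verbatim and unescaped: do not replay this
              # log through a shell without checking it first.
              echo "${RSBACPATH}attr_set_file_dir $TYPE \"$FILE\" linux_dac_disable" $TMP >>"$RSBACLOGFILE"
            fi
          else
            # Show the first line of the tool's error output.
            $DIALOG --title "$ERRTITLE" \
                    --backtitle "$BACKTITLE" \
                    --msgbox "$(head -n 1 "$TMPFILE")" $BL $BC
          fi
        fi
      else
        $DIALOG --title "$ERRTITLE" \
                --backtitle "$BACKTITLE" \
                --msgbox "Linux DAC disable: No file/dir specified!" 5 $BC
      fi
      ;;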

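    'Dev Attributes:')
      # Start the separate device attribute menu for the current path. The
      # tool path is quoted so a bin dir containing whitespace is not split.
      # There is no TYPE check in this arm, so $FILE may be empty -
      # presumably the submenu copes with that; confirm.
      "${RSBACPATH}rsbac_dev_menu" "$FILE"
      ;;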

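    'ACL Menu:')
      # Start the separate ACL menu for the current path with target kind FD.
      # The tool path is quoted so a bin dir containing whitespace is not
      # split. There is no TYPE check in this arm, so $FILE may be empty -
      # presumably the submenu copes with that; confirm.
      "${RSBACPATH}rsbac_acl_menu" FD "$FILE"
      ;;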

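    'Reset Attributes:')
      # After a yes/no confirmation, remove the attributes of $FILE with
      # attr_rm_file_dir and reload the displayed values via get_attributes.
      # NOTE(review): the confirmation text does not name $FILE, and the reset
      # is not written to $RSBACLOGFILE the way attribute changes are -
      # confirm both are intended.
      if [ "$TYPE" != "NONE" ]; then
        if $DIALOG --title "$TITLE" \
                   --backtitle "$BACKTITLE" \
                   --yesno "Reset all attributes to default values?" 5 $BC \
                   2>/dev/null
        then
          if "${RSBACPATH}attr_rm_file_dir" $TYPE "$FILE" &>"$TMPFILE"; then
            get_attributes
          else
            # Show the first line of the tool's error output.
            $DIALOG --title "$ERRTITLE" \
                    --backtitle "$BACKTITLE" \
                    --msgbox "$(head -n 1 "$TMPFILE")" $BL $BC
          fi
        fi
      else
        $DIALOG --title "$ERRTITLE" \
                --backtitle "$BACKTITLE" \
                --msgbox "Reset Attributes: No file/dir specified!" 5 $BC
      fi
      ;;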

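    Quit)
      # Remove the scratch file and leave; the bare exit passes on rm's
      # status. Quoting and "--" keep a path with whitespace or a leading
      # dash from being misread by rm.
      rm -- "$TMPFILE"; exit
      ;;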

    *)
      # Fallback for a menu answer that matches none of the arms above.
      $DIALOG --title "$ERRTITLE" --backtitle "$BACKTITLE" \
              --msgbox "Main Menu: Selection Error!" 5 $BC
  esac
# sleep 2
done
