#!/bin/bash
# 
# This script is used for Administration of RSBAC general file/dir attributes
#
#
# Make sure we're really running bash.
#
if [ -z "$BASH" ]
then
  # $BASH is empty in any shell other than bash; the menu cannot run there.
  echo "This menu requires bash" 1>&2
  exit 1
fi

#
# Cache function definitions, turn off posix compliance
#
set -h
set +o posix

# The dir for tmp files
: "${TMPDIR:=/tmp}"

# Set conf filename
RSBACCONF=/etc/rsbac.conf
# Read settings: the system-wide file first, then the per-user file.
# Both are sourced, i.e. executed as shell code with the privileges of whoever
# runs this menu, so they should be writable only by that administrator.
if [ -f "$RSBACCONF" ]; then
  . $RSBACCONF
fi
if [ -f ~/.rsbacrc ]; then
  . ~/.rsbacrc
fi

# Module list used when neither settings file provided one.
if [ -z "$RSBACMOD" ]; then
  RSBACMOD='GEN MAC FC SIM PM MS FF RC AUTH ACL CAP JAIL RES'
fi

# Export one SHOW_<module>=yes flag per word of $RSBACMOD.
for i in $RSBACMOD; do
  export SHOW_${i}=yes
done

# This must be a unique temporary filename
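# Create the scratch file under an unpredictable name. mktemp creates the file
# itself, so a file or symlink planted beforehand in a shared temp directory
# cannot be picked up by the redirections this script performs later.
if ! TMPFILE=$(mktemp -q "${TMPDIR:-/tmp}/rsbac_dialog.XXXXXX")
then
  # mktemp is missing or failed. The PID-based name is guessable, so it is only
  # accepted when this shell can create the file itself: with noclobber the
  # redirection fails if a regular file already has that name, or if a symlink
  # there points at one or at nothing. The old "rm, then reuse the name"
  # sequence left a window in which another local user could re-plant a link.
  TMPFILE=${TMPDIR:-/tmp}/rsbac_dialog_tmp.$$
  if ! ( umask 077; set -o noclobber; : > "$TMPFILE" ) 2>/dev/null
  then
    echo "Cannot safely create temporary file $TMPFILE" >&2
    exit 1
  fi
fi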

# set this to rsbac bin dir, if not in path (trailing / is mandatory!)
#
#if test -z "$RSBACPATH" ; then RSBACPATH=./ ; fi

# set this to initial dir on script startup
LASTDIR='.'

# which dialog tool to use - dialog or kdialog or xdialog...
# A preset $DIALOG wins; otherwise the dialog binary under $RSBACPATH is used.
# $DIALOG is expanded unquoted wherever it is run, so it may carry options, and
# whatever it names is executed with the privileges of the person running this
# menu.
if [ -z $DIALOG ]
then
  DIALOG=${RSBACPATH}dialog
fi

# Probe 1: the program must be runnable at all.
# NOTE(review): the bare "exit" returns the status of the echo before it, i.e.
# 0, so a caller cannot tell that start-up failed.
$DIALOG --clear || {
  echo $DIALOG menu program required! >&2
  exit
}

# Probe 2: its help output must mention the help-button option.
$DIALOG --help 2>&1 | grep -q "help-button" || {
  echo "Newer dialog menu version >= 0.9a-20020309a with '--help-button' option" >&2
  echo "required, please use dialog from admin tools contrib dir or set" >&2
  echo "\$DIALOG to another dialog program, e.g. with rsbac_settings_menu!" >&2
  exit
}

# test for LINES and COLUMNS (should be exported e.g. in /etc/profile)
# Assume a 25x80 screen when the terminal size was not exported.
: "${LINES:=25}"
: "${COLUMNS:=80}"
export LINES COLUMNS

# Integer variables: the assigned text is evaluated as arithmetic.
# BL/BC are the box height/width passed to dialog, MAXLINES caps gl().
declare -i BL BC MAXLINES
BL=$LINES-4
BC=$COLUMNS-4
MAXLINES=$LINES-10
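#######################################
# Clamp a requested menu height to the space available on screen.
# Globals:   MAXLINES (read)
# Arguments: $1 - wanted number of menu lines
# Outputs:   $1, or $MAXLINES when $1 is larger, on stdout
#######################################
gl () {
  # Quoted so that the argument is never word-split or glob-expanded; a
  # non-numeric argument makes the comparison fail and is echoed unchanged.
  if test "$1" -gt "$MAXLINES"
  then echo "$MAXLINES"
  else echo "$1"
  fi
}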

# Window titles; a preset $BACKTITLE is kept.
: "${BACKTITLE:=RSBAC Administration Tools v1.2.2}"
TITLE="$(whoami)@$(hostname): RSBAC File/Dir/Fifo/Symlink Administration"
HELPTITLE="$(whoami)@$(hostname): RSBAC File/Dir/Fifo/Symlink Administration Help"
ERRTITLE="RSBAC File/Dir/Fifo/Symlink Administration - ERROR"

# set this to your kernel's current Malware Scan accept level
MSL=10

## no changes below this line!

# Special user IDs; both sit at the top of the unsigned 32-bit range.
NO_USER=4294967293
ALL_USERS=4294967292
# Attribute read mode shown in the menus and the matching command switch.
GETMODE=real
GETSWITCH=

AUTHSELF=4294967293

# Earlier small values, kept for reference:
#RCTYPEINHPROC=64
#RCTYPEINHPAR=65
#RCUSERINHERIT=64
#RCPROCINHERIT=65
#RCPARINHERIT=66
#RCMIXINHERIT=67
#RCUSEFR=68
# Special RC type/role numbers that get_vname translates into labels.
RCTYPEINHPROC=4294967295
RCTYPEINHPAR=4294967294
RCUSERINHERIT=4294967295
RCPROCINHERIT=4294967294
RCPARINHERIT=4294967293
RCMIXINHERIT=4294967292
RCUSEFR=4294967291

show_help () {
  # Dispatch on the configured language. Only the catch-all arm exists, so
  # every value of $RSBACLANG currently yields the English help.
  local lang=$RSBACLANG
  case "$lang" in
    *) show_help_english "$1" ;;
  esac
}

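#######################################
# Show the English help text for one menu entry in a dialog text box.
# The text is assembled in $TMPFILE: the entry label, a blank line, a short
# description and, for most attributes, the output of
# "attr_get_file_dir -A <attribute>".
# Globals:   TMPFILE, DIALOG, HELPTITLE, BACKTITLE, BL, BC, RSBACPATH (read)
# Arguments: $1 - menu entry label, e.g. 'MAC Auto:'
# Outputs:   overwrites $TMPFILE, then displays it with $DIALOG --textbox
#######################################
show_help_english () {
  {
    printf '%s\n' "$1" ""
    case "$1" in
      'FD List:')
        printf '%s\n' "Choose new filesystem object from list."
        ;;

      "FD Name:")
        printf '%s\n' "Enter path to new filesystem object."
        ;;

      "Follow")
        printf '%s\n' "Follow this symbolic link."
        ;;

      'Attribute Get Mode:')
        printf '%s\n' \
          "Toggle whether real or effective (possibly inherited) attribute values" \
          "are displayed."
        ;;

      'MAC Security Level:')
        printf '%s\n' \
          "Set the MAC model security level." \
          ""
        $RSBACPATH""attr_get_file_dir -A security_level
        ;;

      'MAC Categories:')
        printf '%s\n' \
          "Set the MAC model categories." \
          ""
        $RSBACPATH""attr_get_file_dir -A mac_categories
        ;;

      'MAC Trusted for User:')
        printf '%s\n' \
          "Which user can run this program as a MAC model trusted program." \
          ""
        $RSBACPATH""attr_get_file_dir -A mac_trusted_for_user
        ;;

      'MAC Auto:')
        printf '%s\n' \
          "MAC model auto adjusting of current level and categories within the" \
          "valid boundaries. This attribute's effective value yes is only used," \
          "if the process owner also has the mac_allow_auto flags set." \
          ""
        $RSBACPATH""attr_get_file_dir -A mac_auto
        ;;

      'MAC Prop Trusted:')
        printf '%s\n' \
          "MAC model trusted processes may keep they trusted flag when executing" \
          "this file, if Propagate Trusted is set." \
          ""
        $RSBACPATH""attr_get_file_dir -A mac_prop_trusted
        ;;

      'MAC File Flags:')
        printf '%s\n' \
          "Allow MAC model write up, write down, read up to this object, if the" \
          "object's level is dominated by the user's security level." \
          "The value trusted is an alias for all others." \
          "This option is useful for shared directories like /tmp or /var/log." \
          "" \
          "If the auto value is set and access has been granted only because of" \
          "the object flags, the object's level gets raised to the lowest upper" \
          "boundary of current_level(Subject) and level(Object) to prevent" \
          "illegal flow of information." \
          ""
        # NOTE(review): get_attributes reads this attribute as mac_file_flags;
        # confirm that mac_shared is still a name the tool accepts.
        $RSBACPATH""attr_get_file_dir -A mac_shared
        ;;

      'FC Object Category:')
        printf '%s\n' \
          "Set the FC model object categories." \
          ""
        $RSBACPATH""attr_get_file_dir -A object_category
        ;;

      'SIM Data Type:')
        printf '%s\n' \
          "Set the SIM model data type." \
          ""
        $RSBACPATH""attr_get_file_dir -A data_type
        ;;

      'PM Object Type:')
        printf '%s\n' \
          "Set object type for PM model." \
          ""
        $RSBACPATH""attr_get_file_dir -A pm_object_type
        ;;

      'PM TP:')
        printf '%s\n' \
          "Enter the PM model transaction procedure ID." \
          ""
        $RSBACPATH""attr_get_file_dir -A pm_tp
        ;;

      'PM Object Class:')
        printf '%s\n' \
          "Select the PM model object class." \
          ""
        $RSBACPATH""attr_get_file_dir -A pm_object_class
        ;;

      'MS Scanned:')
        printf '%s\n' \
          "This attribute shows, whether and with which result the file has been" \
          "scanned by the MS module. Reset to unscanned to force a rescan." \
          "" \
          "Rejected files can only be opened by MS trusted programs." \
          ""
        $RSBACPATH""attr_get_file_dir -A ms_scanned
        ;;

      'MS Trusted:')
        printf '%s\n' \
          "Toggle, whether this program file is an MS trusted program. Only trusted" \
          "programs may open infected files." \
          ""
        $RSBACPATH""attr_get_file_dir -A ms_trusted
        ;;

      'MS Sock Trusted TCP:')
        printf '%s\n' \
          "Toggle, whether this program file is an MS trusted program for TCP" \
          "sockets. Only programs, which are TCP trusted, can read from a TCP" \
          "socket, which has been marked as infected." \
          ""
        $RSBACPATH""attr_get_file_dir -A ms_sock_trusted_tcp
        ;;

      'MS Sock Trusted UDP:')
        printf '%s\n' \
          "Toggle, whether this program file is an MS trusted program for UDP" \
          "sockets. Only programs, which are UDP trusted, can read from a UDP" \
          "socket, which has been marked as infected." \
          ""
        $RSBACPATH""attr_get_file_dir -A ms_sock_trusted_udp
        ;;

      'MS Need Scan:')
        printf '%s\n' \
          "Choose, when this object (or files in this dir tree) should be scanned:" \
          "Never, on execute only or on all read accesses." \
          "" \
          "The default is to inherit from parent dir." \
          ""
        $RSBACPATH""attr_get_file_dir -A ms_need_scan
        ;;

      'FF Flags:')
        printf '%s\n' \
          "Select the FF model flags for this object, e.g. read-only." \
          ""
        $RSBACPATH""attr_get_file_dir -A ff_flags
        ;;

      'RC Type FD:')
        printf '%s\n' \
          "Select the RC model filesystem object type." \
          ""
        $RSBACPATH""attr_get_file_dir -A rc_type_fd
        ;;

      'RC Force Role:')
        printf '%s\n' \
          "Select an RC role, which is assigned and kept for the process running" \
          "this program as long as the program runs. User default roles are ignored" \
          "even on a CHANGE_OWNER (setuid)." \
          ""
        $RSBACPATH""attr_get_file_dir -A rc_force_role
        ;;

      'RC Initial Role:')
        printf '%s\n' \
          "Select an RC role, which is assigned to the process starting this" \
          "program. User default roles are applied on the next CHANGE_OWNER" \
          "(setuid)." \
          "" \
          "Initial roles have precedence over forced roles, so you can use both" \
          "mechanisms with the same program: the initial role is as given here," \
          "but the forced role will be applied on the next CHANGE_OWNER (setuid)." \
          ""
        $RSBACPATH""attr_get_file_dir -A rc_initial_role
        ;;

      'AUTH May Setuid:')
        printf '%s\n' \
          "Toggle, whether this program is allowed to CHANGE_OWNER (setuid) to" \
          "any user ID by AUTH model." \
          ""
        $RSBACPATH""attr_get_file_dir -A auth_may_setuid
        ;;

      'AUTH May Set Cap:')
        printf '%s\n' \
          "Toggle, whether this program may set AUTH setuid capabilities for any" \
          "process (but not for files)." \
          "This flag is useful e.g. for authentication daemons. See AUTH" \
          "description for details." \
          ""
        $RSBACPATH""attr_get_file_dir -A auth_may_set_cap
        ;;

      'AUTH Capabilities:')
        printf '%s\n' \
          "These are ranges of user IDs, which this program may use in a" \
          "CHANGE_OWNER (setuid) request. The capabilities are inherited to the" \
          "process running the program."
        ;;

      'AUTH Eff Capabilities:')
        printf '%s\n' \
          "These are ranges of user IDs, which this program may use in a" \
          "CHANGE_DAC_EFF_OWNER (seteuid) request. The capabilities are inherited to the" \
          "process running the program."
        ;;

      'AUTH FS Capabilities:')
        printf '%s\n' \
          "These are ranges of user IDs, which this program may use in a" \
          "CHANGE_DAC_FS_OWNER (setfsuid) request. The capabilities are inherited to the" \
          "process running the program."
        ;;

      'CAP Min Caps:')
        printf '%s\n' \
          "Specify a set of Linux capabilities, which will always be set, when" \
          "this program is run (ignoring the Max Caps set)." \
          "Useful to start privileged (root) programs as normal user." \
          ""
        $RSBACPATH""attr_get_file_dir -A min_caps
        ;;

      'RES Min Resources:')
        printf '%s\n' \
          "Set the minimum resource limits for this program when executed." \
          "Zero values are ignored."
        ;;

      'RES Max Resources:')
        printf '%s\n' \
          "Set the maximum resource limits for this program when executed." \
          "Zero values are ignored."
        ;;

      'cpu')
        printf '%s\n' "CPU time limit in milliseconds."
        ;;

      'fsize')
        printf '%s\n' "Size limit for each file."
        ;;

      'data')
        printf '%s\n' "Process data segment size limit in bytes."
        ;;

      'stack')
        printf '%s\n' "Process stack size limit in bytes."
        ;;

      'core')
        printf '%s\n' "Core dump size limit in bytes."
        ;;

      'rss')
        printf '%s\n' "Max resident set size in bytes."
        ;;

      'nproc')
        printf '%s\n' "Maximum number of processes for process owner (global value!)."
        ;;

      'nofile')
        printf '%s\n' "Limit on the number of open files."
        ;;

      'memlock')
        printf '%s\n' "Limit on locked-in-memory address space."
        ;;

      'as')
        printf '%s\n' "Address space (virtual memory) limit."
        ;;

      'locks')
        printf '%s\n' "Limit on number of file locks held (ignored in 2.2 kernels)."
        ;;

      'CAP Max Caps:')
        printf '%s\n' \
          "Specify the maximum set of Linux capabilities, which are kept, when" \
          "this program is run." \
          "Useful to limit the privileges of a program run by root, e.g. the" \
          "mailer daemon." \
          ""
        $RSBACPATH""attr_get_file_dir -A max_caps
        ;;

      'Log Array Low:' | 'Log Array High:')
        printf '%s\n' \
          "Choose object based logging levels for this object." \
          ""
        # Both entries show the help of log_array_low.
        $RSBACPATH""attr_get_file_dir -A log_array_low
        ;;

      'Log Program Based:')
        printf '%s\n' \
          "Specify the request types, which should always be logged, when" \
          "issued by this program." \
          ""
        $RSBACPATH""attr_get_file_dir -A log_program_based
        ;;

      'Symlink Add UID:')
        printf '%s\n' \
          "Add the numeric ID of the user of the calling process to the contents" \
          "of this symbolic link." \
          "This can be used to e.g. point to individual /tmp dirs for all users." \
          ""
        $RSBACPATH""attr_get_file_dir -A symlink_add_uid
        ;;

      'Symlink Add MAC Level:')
        printf '%s\n' \
          "Add the current security level of the calling process to the contents" \
          "of this symbolic link." \
          "This can be used to e.g. point to individual /tmp dirs for all roles." \
          ""
        $RSBACPATH""attr_get_file_dir -A symlink_add_mac_level
        ;;

      'Symlink Add RC Role:')
        printf '%s\n' \
          "Add the role number of the calling process to the contents of this symbolic" \
          "link." \
          "This can be used to e.g. point to individual /tmp dirs for all roles." \
          ""
        $RSBACPATH""attr_get_file_dir -A symlink_add_rc_role
        ;;

      'Linux DAC disable:')
        printf '%s\n' \
          "Disable the Linux access control for this object." \
          "Specially useful, if you want to do access control by RSBAC only" \
          "in some selected directory trees, without being hindered by Linux" \
          "modes." \
          "" \
          "Note: This flag is only applied, when RSBAC is running, so you should" \
          "rather use it than allow full Linux mode access." \
          ""
        $RSBACPATH""attr_get_file_dir -A linux_dac_disable
        ;;

      'Dev Attributes:')
        printf '%s\n' "Go to device attribute menu."
        ;;

      'ACL Menu:')
        printf '%s\n' "Go to ACL menu."
        ;;

      'Reset Attributes:')
        printf '%s\n' \
          "Call attr_rm_fd to get the attribute object for this filesystem object" \
          "removed. As result, all attribute values will be reset to their" \
          "default values. Use with care!"
        ;;

      Quit)
        printf '%s\n' "Quit this menu."
        ;;

      *)
        printf '%s\n' "No help for $1 available!"
        ;;
    esac
  # Quoted: an unquoted target is an "ambiguous redirect" as soon as the temp
  # path contains whitespace, and the help box would then show stale content.
  } > "$TMPFILE"
  $DIALOG --title "$HELPTITLE" \
          --backtitle "$BACKTITLE" \
          --textbox "$TMPFILE" $BL $BC
#  sleep 1
}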

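#######################################
# Refresh the cached attribute values of the object named by $FILE.
# Determines the object type first, then queries attr_get_file_dir for the
# attributes of every module whose SHOW_<module> flag is "yes".
# Globals:
#   read:    FILE, GETSWITCH, RSBACPATH, RSBACLOGFILE, SHOW_*, NO_USER,
#            ALL_USERS, DIALOG, TITLE, BACKTITLE, BC
#   written: TYPE, SUBTYPE, SYMLINK, LASTDIR, FILE (directories are replaced
#            by their absolute path), MSL, NEWMTUSER and one variable per
#            attribute (SECLEVEL ... DACDIS)
# Arguments: none
# Returns:   after clearing all cached values when $FILE does not exist
#######################################
get_attributes () {
  if test "$FILE" = ""
  then return
  fi

  if test -L "$FILE"
  then
    TYPE=SYMLINK
    # Link target taken from the "ls -l" listing: everything after "-> ".
    SYMLINK="$(ls -l "$FILE" | cut -d '>' -f 2 | cut -c 2-)"
    SUBTYPE="SYMLINK"
  elif test -f "$FILE" ; then TYPE=FILE ; SUBTYPE=FILE
  elif test -b "$FILE" ; then TYPE=FILE ; SUBTYPE=BLOCK
  elif test -c "$FILE" ; then TYPE=FILE ; SUBTYPE=CHAR
  elif test -p "$FILE" ; then TYPE=FIFO ; SUBTYPE=FIFO
  elif test -d "$FILE"
  then
    TYPE=DIR ; SUBTYPE=DIR
    # Absolute path of the directory; the raw name is kept if cd fails.
    LASTDIR=$( ( cd "$FILE" && pwd ) || echo "$FILE" )
    FILE=$LASTDIR
    if test -n "$RSBACLOGFILE"
    then
      echo "cd $(pwd)" >>"$RSBACLOGFILE"
    fi
  else
    # Nothing exists under that name: drop every cached value so that the menu
    # cannot show attributes of the previously selected object.
    TYPE=NONE
    SECLEVEL="" MACCAT="" MACTRUSER="" MACAUTO="" MACPROPTR="" MACFLAGS=""
    NEWMTUSER=""
    OBJCAT=""
    DATATYPE=""
    PMCLASS="" PMTP="" PMOBJTYPE=""
    MSTRUSTED="" MSSCANNED="" MSSOCKTCP="" MSSOCKUDP="" MSNEEDSCAN=""
    FFFLAGS=""
    RCTYPEFD="" RCFORRO="" RCINRO=""
    AUTHSUID="" AUTHSCAP=""
    LOGLOW="" LOGHIGH="" LOGPROG=""
    MINCAPS="" MAXCAPS=""
    RESMIN="" RESMAX=""
    # SYMADDMAC is set in the GEN section below but was missing from this
    # reset, so a stale value survived the switch to a non-existing object.
    SYMADDUID="" SYMADDMAC="" SYMADDRC=""
    DACDIS=""
    return
  fi

  if test "$TYPE" != "DIR"
  then LASTDIR="$(dirname "$FILE")"
  fi

  if test "$SHOW_MAC" = "yes"
  then
    SECLEVEL=$($RSBACPATH""attr_get_file_dir $GETSWITCH $TYPE "$FILE" security_level 2>/dev/null)
    MACCAT=$($RSBACPATH""attr_get_file_dir $GETSWITCH $TYPE "$FILE" mac_categories 2>/dev/null)
    MACTRUSER=$($RSBACPATH""attr_get_file_dir $GETSWITCH $TYPE "$FILE" mac_trusted_for_user 2>/dev/null)
    # Seed the editable user field only while it is still empty.
    if test -z "$NEWMTUSER"
    then
      if test "$MACTRUSER" = "$NO_USER" -o "$MACTRUSER" = "$ALL_USERS"
      then NEWMTUSER='N/A'
      else NEWMTUSER=$MACTRUSER
      fi
    fi
    MACAUTO=$($RSBACPATH""attr_get_file_dir $GETSWITCH $TYPE "$FILE" mac_auto 2>/dev/null)
    MACPROPTR=$($RSBACPATH""attr_get_file_dir $GETSWITCH $TYPE "$FILE" mac_prop_trusted 2>/dev/null)
    MACFLAGS=$($RSBACPATH""attr_get_file_dir $GETSWITCH $TYPE "$FILE" mac_file_flags 2>/dev/null)
  fi

  if test "$SHOW_FC" = "yes"
  then
    OBJCAT=$($RSBACPATH""attr_get_file_dir $GETSWITCH $TYPE "$FILE" object_category 2>/dev/null)
  fi

  if test "$SHOW_SIM" = "yes"
  then
    DATATYPE=$($RSBACPATH""attr_get_file_dir $GETSWITCH $TYPE "$FILE" data_type 2>/dev/null)
  fi

  if test "$SHOW_PM" = "yes"
  then
    PMCLASS=$($RSBACPATH""attr_get_file_dir $GETSWITCH $TYPE "$FILE" pm_object_class 2>/dev/null)
    PMTP=$($RSBACPATH""attr_get_file_dir $GETSWITCH $TYPE "$FILE" pm_tp 2>/dev/null)
    PMOBJTYPE=$($RSBACPATH""attr_get_file_dir $GETSWITCH $TYPE "$FILE" pm_object_type 2>/dev/null)
  fi

  if test "$SHOW_MS" = "yes"
  then
    MSSCANNED=$($RSBACPATH""attr_get_file_dir $GETSWITCH $TYPE "$FILE" ms_scanned 2>/dev/null)
    MSTRUSTED=$($RSBACPATH""attr_get_file_dir $GETSWITCH $TYPE "$FILE" ms_trusted 2>/dev/null)
    MSSOCKTCP=$($RSBACPATH""attr_get_file_dir $GETSWITCH $TYPE "$FILE" ms_sock_trusted_tcp 2>/dev/null)
    MSSOCKUDP=$($RSBACPATH""attr_get_file_dir $GETSWITCH $TYPE "$FILE" ms_sock_trusted_udp 2>/dev/null)
    MSNEEDSCAN=$($RSBACPATH""attr_get_file_dir $GETSWITCH $TYPE "$FILE" ms_need_scan 2>/dev/null)
    if test -n "$MSSCANNED" -a "0$MSSCANNED" -gt "0$MSL"
    then
      # The redirection must be part of the dialog command. It used to stand on
      # a line of its own, where it formed a separate always-successful command
      # and became the condition, so MSL was raised even when the user
      # answered "no".
      if $DIALOG --title "$TITLE" \
                 --backtitle "$BACKTITLE" \
                 --yesno "Returned MS Scan Level $MSSCANNED is higher than menu default $MSL, adjust menu default?" 6 $BC \
           2>/dev/null
      then MSL=$MSSCANNED
      fi
    fi
  fi

  if test "$SHOW_FF" = "yes"
  then
    FFFLAGS=$($RSBACPATH""attr_get_file_dir $GETSWITCH $TYPE "$FILE" ff_flags 2>/dev/null)
  fi

  if test "$SHOW_RC" = "yes"
  then
    RCTYPEFD=$($RSBACPATH""attr_get_file_dir $GETSWITCH $TYPE "$FILE" rc_type_fd 2>/dev/null)
    RCFORRO=$($RSBACPATH""attr_get_file_dir $GETSWITCH $TYPE "$FILE" rc_force_role 2>/dev/null)
    RCINRO=$($RSBACPATH""attr_get_file_dir $GETSWITCH $TYPE "$FILE" rc_initial_role 2>/dev/null)
  fi

  if test "$SHOW_AUTH" = "yes"
  then
    AUTHSUID=$($RSBACPATH""attr_get_file_dir $GETSWITCH $TYPE "$FILE" auth_may_setuid 2>/dev/null)
    AUTHSCAP=$($RSBACPATH""attr_get_file_dir $GETSWITCH $TYPE "$FILE" auth_may_set_cap 2>/dev/null)
  fi

  if test "$SHOW_CAP" = "yes"
  then
    MINCAPS=$($RSBACPATH""attr_get_file_dir $GETSWITCH $TYPE "$FILE" min_caps 2>/dev/null)
    MAXCAPS=$($RSBACPATH""attr_get_file_dir $GETSWITCH $TYPE "$FILE" max_caps 2>/dev/null)
  fi

  if test "$SHOW_RES" = "yes"
  then
    RESMIN=$($RSBACPATH""attr_get_file_dir -s $GETSWITCH $TYPE "$FILE" res_min 2>/dev/null)
    RESMAX=$($RSBACPATH""attr_get_file_dir -s $GETSWITCH $TYPE "$FILE" res_max 2>/dev/null)
  fi

  if test "$SHOW_GEN" = "yes"
  then
    LOGLOW=$($RSBACPATH""attr_get_file_dir $GETSWITCH $TYPE "$FILE" log_array_low 2>/dev/null)
    LOGHIGH=$($RSBACPATH""attr_get_file_dir $GETSWITCH $TYPE "$FILE" log_array_high 2>/dev/null)
    LOGPROG=$($RSBACPATH""attr_get_file_dir $GETSWITCH $TYPE "$FILE" log_program_based 2>/dev/null)
    SYMADDUID=$($RSBACPATH""attr_get_file_dir $GETSWITCH $TYPE "$FILE" symlink_add_uid 2>/dev/null)
    SYMADDMAC=$($RSBACPATH""attr_get_file_dir $GETSWITCH $TYPE "$FILE" symlink_add_mac_level 2>/dev/null)
    SYMADDRC=$($RSBACPATH""attr_get_file_dir $GETSWITCH $TYPE "$FILE" symlink_add_rc_role 2>/dev/null)
    DACDIS=$($RSBACPATH""attr_get_file_dir $GETSWITCH $TYPE "$FILE" linux_dac_disable 2>/dev/null)
  fi
}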

onoff () {
   # Print "on" when both arguments are the same string, "off" otherwise.
   case "$1" in
     "$2") echo on ;;
     *)    echo off ;;
   esac
}

onoffb () {
   # Print "on" only for the exact string 1, "off" for anything else.
   case "$1" in
     1) echo on ;;
     *) echo off ;;
   esac
}

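#######################################
# Print one list entry for a path: the path followed by its kind.
# Arguments: $1 - path to classify
# Outputs:   "<path> SYMLINK-><target>", or "<path> <KIND>" with KIND one of
#            DIR, FILE, BLOCK, CHAR, FIFO, NONE
#######################################
list_item () {
   # Every expansion is quoted: the directory test used to receive $1
   # unquoted, so a name containing whitespace made test fail and the
   # directory was reported as NONE.
   if test -L "$1"
   then echo "$1" "SYMLINK->$(ls -l "$1" | cut -d '>' -f 2 | cut -c 2-)"
   elif test -d "$1"
   then echo "$1" DIR
   elif test -f "$1"
   then echo "$1" FILE
   elif test -b "$1"
   then echo "$1" BLOCK
   elif test -c "$1"
   then echo "$1" CHAR
   elif test -p "$1"
   then echo "$1" FIFO
   else echo "$1" NONE
   fi
}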

#######################################
# Translate a raw attribute value into the label shown in the menus.
# Globals:   TYPE, NO_USER, ALL_USERS, RCTYPEINHPAR, RCUSERINHERIT,
#            RCPROCINHERIT, RCPARINHERIT, RCMIXINHERIT, RCUSEFR, RSBACPATH (read)
# Arguments: $1 - value class (onoff, seclevel, macauto, ...)
#            $2 - raw value
# Outputs:   the label on stdout; " " when TYPE is NONE, "N/A" when $2 is
#            empty, "ERROR!" for an unknown class
#######################################
get_vname () {
  if [ "$TYPE" = "NONE" ]; then
    echo " "
    return
  fi
  if [ -z "$2" ]; then
    echo "N/A"
    return
  fi

  case $1 in
    onoff)
      case $2 in
        1) echo On ;;
        *) echo Off ;;
      esac ;;
    seclevel)
      case $2 in
        0)   echo unclassified ;;
        1)   echo confidential ;;
        2)   echo secret ;;
        3)   echo "top secret" ;;
        252) echo "max. level" ;;
        253) echo rsbac-internal ;;
        254) echo inherit ;;
        *)   echo N/A ;;
      esac ;;
    macauto)
      case $2 in
        0) echo No ;;
        1) echo Yes ;;
        2) echo inherit ;;
        *) echo N/A ;;
      esac ;;
    objcat)
      case $2 in
        0) echo General ;;
        1) echo Security ;;
        2) echo System ;;
        3) echo inherit ;;
        *) echo N/A ;;
      esac ;;
    datatype)
      case $2 in
        0) echo None ;;
        1) echo SI ;;
        2) echo inherit ;;
        *) echo N/A ;;
      esac ;;
    pmobjtype)
      case $2 in
        0) echo None ;;
        1) echo TP ;;
        2) echo "Personal Data" ;;
        3) echo "Non-Personal Data" ;;
        4) echo IPC ;;
        5) echo Directory ;;
        *) echo N/A ;;
      esac ;;
    mactruser)
      # User ID to "name / full name"; the two special IDs get fixed labels.
      case $2 in
        $NO_USER)      echo NONE ;;
        $ALL_USERS)    echo ALL ;;
        Error* | Use*) echo N/A ;;
        *)             echo "$(get_name $2) / $(full_name $2)" ;;
      esac ;;
    mactruserrev)
      # Reverse direction: label or user name back to a numeric ID.
      case $2 in
        NONE | $NO_USER)  echo $NO_USER ;;
        ALL | $ALL_USERS) echo $ALL_USERS ;;
        Error* | Use*)    echo N/A ;;
        *)                echo $(get_uid $2) ;;
      esac ;;
    msscanned)
      case $2 in
        0)      echo Unscanned ;;
        1)      echo Rejected ;;
        Error*) echo N/A ;;
        *)
          # Values from 2 up to 1000000 are shown as accept levels.
          if test $2 -lt 2 -o $2 -gt 1000000 2>/dev/null
          then echo N/A
          else echo Accepted - Level $2
          fi ;;
      esac ;;
    mstrusted)
      case $2 in
        0) echo "Not trusted" ;;
        1) echo "Read trusted" ;;
        2) echo "Full trusted" ;;
        *) echo N/A ;;
      esac ;;
    mssock)
      case $2 in
        0) echo "Not Trusted" ;;
        1) echo Active ;;
        2) echo Full ;;
        *) echo N/A ;;
      esac ;;
    msneedscan)
      case $2 in
        0) echo No ;;
        1) echo Execute ;;
        2) echo Full ;;
        3) echo Inherit ;;
        *) echo N/A ;;
      esac ;;
    rctypefd)
      case $2 in
        $RCTYPEINHPAR) echo "inherit parent dir" ;;
        Error* | Use*) echo N/A ;;
        # Ask rc_get_item for the type name; show the number if that fails.
        *) $RSBACPATH""rc_get_item TYPE $2 type_fd_name 2>/dev/null || echo $2 ;;
      esac ;;
    rcforro)
      case $2 in
        $RCUSERINHERIT) echo "always inherit from user" ;;
        $RCPROCINHERIT) echo "inherit process (keep always)" ;;
        $RCPARINHERIT)  echo "inherit parent dir (default)" ;;
        $RCMIXINHERIT)  echo "inh. from user on chown only" ;;
        Error* | Use*)  echo N/A ;;
        # Ask rc_get_item for the role name; show the number if that fails.
        *) $RSBACPATH""rc_get_item ROLE $2 name 2>/dev/null || echo $2 ;;
      esac ;;
    rcinro)
      case $2 in
        $RCPARINHERIT) echo "inherit parent dir (default)" ;;
        $RCUSEFR)      echo "use force_role (root default)" ;;
        Error* | Use*) echo N/A ;;
        *) $RSBACPATH""rc_get_item ROLE $2 name 2>/dev/null || echo $2 ;;
      esac ;;
    dacdis)
      case $2 in
        0) echo False ;;
        1) echo True ;;
        2) echo 'inherit (default)' ;;
        *) echo N/A ;;
      esac ;;
    loglevel)
      case $2 in
        0) echo None ;;
        1) echo Denied ;;
        2) echo Full ;;
        3) echo Request ;;
        *) echo N/A ;;
      esac ;;
    *)
      echo ERROR! ;;
  esac
}

full_name () {
  # Print what attr_get_user reports as full_name for user $1; a single blank
  # when no user was given.
  [ -n "$1" ] || { echo " "; return; }
  echo $($RSBACPATH""attr_get_user $1 full_name)
}

get_uid () {
  # Print what attr_get_user reports as user_nr for user $1; a single blank
  # when no user was given.
  [ -n "$1" ] || { echo " "; return; }
  echo $($RSBACPATH""attr_get_user $1 user_nr)
}

get_name () {
  # Print what attr_get_user reports as user_name for user $1; a single blank
  # when no user was given.
  [ -n "$1" ] || { echo " "; return; }
  echo $($RSBACPATH""attr_get_user $1 user_name)
}

gen_cap_rem_user () {
  # One "<id> <user name>" line per word of the argument list; nothing at all
  # when the first argument is empty.
  [ "$1" = "" ] && return
  for i in $*
  do
    echo $i $($RSBACPATH""attr_get_user $i user_name)
  done
}

get_caps () {
  # Capabilities are only queried for regular files; every other object kind
  # yields a single blank. $1 is handed to auth_set_cap unquoted, so an empty
  # $1 simply disappears from the command line.
  if [ "$TYPE" != "FILE" ] || [ "$SUBTYPE" != "FILE" ]
  then
    echo " "
    return
  fi
  $RSBACPATH""auth_set_cap $1 FILE get "$FILE" 2>/dev/null
}

gen_cat_list () {
    # For each category number given, print "<number> <state> <state>", where
    # the state is onoffb applied to what attr_get_file_dir returns for that
    # category of $FILE. TMP and i stay global, as before.
    local state
    for i in $*
    do
      TMP=$($RSBACPATH""attr_get_file_dir $TYPE "$FILE" mac_categories $i)
      state=$(onoffb $TMP)
      echo $i $state $state
    done
}

choose_user () {
        # Let the administrator pick a user and leave the result in NEWMTUSER.
        # The menu offers free-text entry ("Enter"), the special ID $AUTHSELF
        # and whatever "attr_get_user -bl" prints. NEWMTUSER ends up empty when
        # the menu or the input box is cancelled.
        # Globals read:    DIALOG, TITLE, ERRTITLE, BACKTITLE, BL, BC, AUTHSELF,
        #                  RSBACPATH, TMPFILE
        # Globals written: TMP2 (last menu choice), NEWMTUSER, file $TMPFILE
        # dialog reports the selection on stderr, which is captured in $TMPFILE.
        while $DIALOG --title "$TITLE" \
                  --backtitle "$BACKTITLE" \
                  --default-item "$TMP2" \
                  --menu "Username/ID" $BL $BC `gl 15` \
                         "Enter" "Name / Uid / Range A:B" \
                         "$AUTHSELF" "Special: user who started program" \
                         `${RSBACPATH}attr_get_user -bl` \
           2>$TMPFILE
        do TMP2=`cat $TMPFILE`
             case "$TMP2" in
               "Enter")
                 # Free-text entry: a range typed as A:B is stored as "A B".
                 # NOTE(review): the typed text is not validated here; check
                 # how callers pass NEWMTUSER on to the RSBAC tools.
                 if $DIALOG --title "$TITLE" \
                            --backtitle "$BACKTITLE" \
                            --inputbox "Username/number, range from A to B with A:B" $BL $BC "" \
                   2>$TMPFILE
                 then
                   NEWMTUSER="`cat $TMPFILE|tr ':' ' '`"
                 else
                   NEWMTUSER=""
                 fi
                 return
                 ;;
               *)
                 # Menu entry: resolve it to a numeric ID; on failure show an
                 # error box and present the menu again.
                 if $RSBACPATH""attr_get_user $TMP2 user_nr >$TMPFILE
                 then NEWMTUSER=`cat $TMPFILE`
                   return
                 else \
                     $DIALOG --title "$ERRTITLE" \
                            --backtitle "$BACKTITLE" \
                            --msgbox "User: Unknown user $TMP2!" 5 $BC
                     NEWMTUSER=""
                 fi
             esac
        done
        # Menu cancelled.
        NEWMTUSER=""
}

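#######################################
# Rebuild the list of "<request> <log level label>" lines used by log_menu.
# Globals:   TMPFILE, REQUESTS, GETSWITCH, TYPE, FILE, RSBACPATH (read);
#            i, TMP (written, scratch)
# Outputs:   writes the list to ${TMPFILE}.2
# Returns:   non-zero when the list file could not be created safely
#######################################
gen_log_menu_items() {
  local list=${TMPFILE}.2 restore_clobber=1 rc

  # The list name is derived from $TMPFILE and therefore guessable by anyone
  # who can list the temp directory. "test -e" is false for a dangling
  # symlink, so the old "remove if it exists, then append" sequence wrote
  # through such a link. rm -f removes whatever holds the name, the link
  # itself included.
  rm -f -- "$list"

  # With noclobber the redirection fails if a regular file, or a symlink to one
  # or to nothing, reappeared under that name in the meantime.
  [[ $- == *C* ]] && restore_clobber=0
  set -o noclobber
  for i in $REQUESTS
  do TMP=$($RSBACPATH""attr_get_file_dir $GETSWITCH $TYPE "$FILE" log_level $i)
     echo $i $(get_vname loglevel $TMP)
  done > "$list"
  rc=$?
  (( restore_clobber )) && set +o noclobber
  return $rc
}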

gen_flags_menu_items() {
    # Print one "<bit> <flag name> on|off" checklist entry per FF flag, in the
    # order the menu shows them; a flag is "on" when its bit is set in
    # $FFFLAGS.
    local ff_entry ff_bit ff_name
    for ff_entry in 128:add_inherited 1:read_only 2:execute_only 4:search_only \
                    8:write_only 16:secure_delete 32:no_execute \
                    64:no_delete_or_rename 256:append_only 512:no_mount
    do
      ff_bit=${ff_entry%%:*}
      ff_name=${ff_entry#*:}
      if (($FFFLAGS & $ff_bit))
      then echo $ff_bit $ff_name on
      else echo $ff_bit $ff_name off
      fi
    done
}

flags_menu () {
  # Checklist editor for the FF flags of $FILE.
  # Shows the entries from gen_flags_menu_items, adds up the numbers of the
  # checked ones and stores the sum with "attr_set_file_dir ... ff_flags".
  # Globals read:    DIALOG, TITLE, ERRTITLE, BACKTITLE, BL, BC, FILE, TYPE,
  #                  GETMODE, RSBACPATH, RSBACLOGFILE, TMPFILE
  # Globals written: FLAGS_ON, i, FFFLAGS (on success), file $TMPFILE
  # Returns early, changing nothing, when the checklist is cancelled.
  if ! \
  $DIALOG --title "$TITLE" \
         --backtitle "$BACKTITLE" \
         --separate-output \
         --checklist "$FILE: FF Flags ($GETMODE mode)" $BL $BC `gl 9` \
              `gen_flags_menu_items` \
       2>$TMPFILE
   then return
  fi
  # dialog wrote the tags of the checked entries to stderr, i.e. to $TMPFILE.
  FLAGS_ON=`cat $TMPFILE`
  # declare inside a function makes VAL local; -i makes every assignment an
  # arithmetic evaluation, so the loop below adds the numbers up. The file
  # content is evaluated as arithmetic, which is one more reason $TMPFILE must
  # not be writable by anyone else.
  declare -i VAL=0
#  echo FLAGS_ON is $FLAGS_ON, VAL is $VAL
  for i in $FLAGS_ON ; do \
    VAL=$VAL+$i
  done
#  echo FLAGS_ON is $FLAGS_ON, VAL is $VAL
#  sleep 2
  # On success remember the new value and, if a log file is configured, append
  # the command line to it; on failure show the first line of the tool output.
  # NOTE(review): $FILE is logged between plain double quotes without
  # escaping - if the log is ever replayed as a script, names containing
  # quotes or $ would not survive intact.
  if $RSBACPATH""attr_set_file_dir $TYPE "$FILE" ff_flags $VAL &>$TMPFILE
    then FFFLAGS=$VAL
      if test -n "$RSBACLOGFILE"
      then
        echo $RSBACPATH""attr_set_file_dir $TYPE \"$FILE\" ff_flags $VAL >>"$RSBACLOGFILE"
      fi
    else \
      $DIALOG --title "$ERRTITLE" \
             --backtitle "$BACKTITLE" \
             --msgbox "`head -n 1 $TMPFILE`" $BL $BC
    fi
  return
}

gen_mac_flags_menu_items() {
    # Print one "<bit> <flag name> on|off" checklist entry per MAC file flag;
    # a flag is "on" when its bit is set in $MACFLAGS.
    local mac_entry mac_bit mac_name
    for mac_entry in 2:auto 4:trusted 8:write_up 16:read_up 32:write_down
    do
      mac_bit=${mac_entry%%:*}
      mac_name=${mac_entry#*:}
      if (($MACFLAGS & $mac_bit))
      then echo $mac_bit $mac_name on
      else echo $mac_bit $mac_name off
      fi
    done
}

mac_flags_menu () {
  # Checklist editor for the MAC file flags of $FILE.
  # Shows the entries from gen_mac_flags_menu_items, adds up the numbers of the
  # checked ones and stores the sum with "attr_set_file_dir ... mac_file_flags".
  # Globals read:    DIALOG, TITLE, ERRTITLE, BACKTITLE, BL, BC, FILE, TYPE,
  #                  GETMODE, RSBACPATH, RSBACLOGFILE, TMPFILE
  # Globals written: FLAGS_ON, i, MACFLAGS (on success), file $TMPFILE
  # Returns early, changing nothing, when the checklist is cancelled.
  if ! \
  $DIALOG --title "$TITLE" \
         --backtitle "$BACKTITLE" \
         --separate-output \
         --checklist "$FILE: MAC File Flags ($GETMODE mode)" $BL $BC `gl 9` \
              `gen_mac_flags_menu_items` \
       2>$TMPFILE
   then return
  fi
  # dialog wrote the tags of the checked entries to stderr, i.e. to $TMPFILE.
  FLAGS_ON=`cat $TMPFILE`
  # declare inside a function makes VAL local; -i makes every assignment an
  # arithmetic evaluation, so the loop below adds the numbers up. The file
  # content is evaluated as arithmetic, which is one more reason $TMPFILE must
  # not be writable by anyone else.
  declare -i VAL=0
#  echo FLAGS_ON is $FLAGS_ON, VAL is $VAL
  for i in $FLAGS_ON ; do \
    VAL=$VAL+$i
  done
#  echo FLAGS_ON is $FLAGS_ON, VAL is $VAL
#  sleep 2
  # On success remember the new value and, if a log file is configured, append
  # the command line to it; on failure show the first line of the tool output.
  # NOTE(review): $FILE is logged between plain double quotes without
  # escaping - if the log is ever replayed as a script, names containing
  # quotes or $ would not survive intact.
  if $RSBACPATH""attr_set_file_dir $TYPE "$FILE" mac_file_flags $VAL &>$TMPFILE
    then MACFLAGS=$VAL
      if test -n "$RSBACLOGFILE"
      then
        echo $RSBACPATH""attr_set_file_dir $TYPE \"$FILE\" mac_file_flags $VAL >>"$RSBACLOGFILE"
      fi
    else \
      $DIALOG --title "$ERRTITLE" \
             --backtitle "$BACKTITLE" \
             --msgbox "`head -n 1 $TMPFILE`" $BL $BC
    fi
  return
}


log_menu () {
  # Menu loop for the per-request log levels of $FILE.
  # Lists every request with its current level, lets the administrator pick one
  # and choose a new level, and stores it with "attr_set_file_dir ... log_level".
  # On leaving (Quit or cancel) the helper list ${TMPFILE}.2 is removed and
  # LOGLOW/LOGHIGH are read again.
  # Globals read:    DIALOG, TITLE, ERRTITLE, BACKTITLE, BL, BC, FILE, TYPE,
  #                  GETSWITCH, RSBACPATH, RSBACLOGFILE, TMPFILE
  # Globals written: REQUESTS (filled once), REQ, VAL, TMP, LOGLOW, LOGHIGH,
  #                  files $TMPFILE and ${TMPFILE}.2
  if test -z "$REQUESTS"
    then REQUESTS=`$RSBACPATH""attr_get_file_dir -n $TYPE`
  fi
  # Writes the "<request> <level>" lines to ${TMPFILE}.2.
  # NOTE(review): that name is derived from $TMPFILE and thus guessable; its
  # content is expanded unquoted into the dialog command line below.
  gen_log_menu_items
  while true ; do \
    if ! \
    $DIALOG --title "$TITLE" \
           --backtitle "$BACKTITLE" \
           --default-item "$REQ" \
           --menu "$FILE: Log Levels for Requests" $BL $BC `gl 37` \
                `cat ${TMPFILE}.2` \
                "Quit" " " \
         2>$TMPFILE
     then rm ${TMPFILE}.2
          LOGLOW=`$RSBACPATH""attr_get_file_dir $GETSWITCH $TYPE "$FILE" log_array_low`
          LOGHIGH=`$RSBACPATH""attr_get_file_dir $GETSWITCH $TYPE "$FILE" log_array_high`
          return
    fi
    # The chosen menu tag, as dialog reported it on stderr.
    REQ=`cat $TMPFILE`
    case "$REQ" in
      Quit)
        rm ${TMPFILE}.2
        LOGLOW=`$RSBACPATH""attr_get_file_dir $GETSWITCH $TYPE "$FILE" log_array_low`
        LOGHIGH=`$RSBACPATH""attr_get_file_dir $GETSWITCH $TYPE "$FILE" log_array_high`
        return
        ;;
      *)
        # Current level label of the chosen request, used to preselect the
        # matching radio button. $REQ is used as a regular expression here.
        VAL=`grep "^$REQ " ${TMPFILE}.2|cut -f 2 -d ' '`
        if $DIALOG --title "$TITLE" \
                   --backtitle "$BACKTITLE" \
                   --radiolist "Choose Log Level for $FILE / $REQ" $BL $BC 4 \
                          0 `get_vname loglevel 0` `onoff None $VAL` \
                          1 `get_vname loglevel 1` `onoff Denied $VAL` \
                          2 `get_vname loglevel 2` `onoff Full $VAL` \
                          3 `get_vname loglevel 3` `onoff Request $VAL` \
          2>$TMPFILE
        then TMP=`cat $TMPFILE`
          # Store the new level; on success log the command (if a log file is
          # configured) and rebuild the list, otherwise show the first line of
          # the tool output.
          # NOTE(review): $FILE is logged between plain double quotes without
          # escaping - if the log is ever replayed as a script, names
          # containing quotes or $ would not survive intact.
          if $RSBACPATH""attr_set_file_dir $TYPE "$FILE" log_level $REQ $TMP &>$TMPFILE
          then
            if test -n "$RSBACLOGFILE"
            then
              echo $RSBACPATH""attr_set_file_dir $TYPE \"$FILE\" log_level $REQ $TMP >>"$RSBACLOGFILE"
            fi
            gen_log_menu_items
          else \
            $DIALOG --title "$ERRTITLE" \
                    --backtitle "$BACKTITLE" \
                    --msgbox "`head -n 1 $TMPFILE`" $BL $BC
          fi
        fi
    esac
done
}

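#######################################
# Emit checklist entries for the "log program based" request set of $FILE.
# Globals:   REQUESTS (read; filled from "attr_get_file_dir -n" when empty),
#            SETREQUESTS (written), RSBACPATH, GETSWITCH, TYPE, FILE (read)
# Outputs:   "<request> on on" or "<request> off off" for every name in
#            $REQUESTS
# NOTE(review): log_menu fills the same REQUESTS cache with
# "attr_get_file_dir -n $TYPE"; whichever runs first decides the list -
# confirm that both forms return the same names.
#######################################
gen_request_list () {
    local req
    if test -z "$REQUESTS"
      then REQUESTS=$("${RSBACPATH}attr_get_file_dir" -n)
    fi
    # $GETSWITCH stays unquoted on purpose: when it is empty it must
    # disappear instead of becoming an empty argument.
    SETREQUESTS=$("${RSBACPATH}attr_get_file_dir" $GETSWITCH -p $TYPE "$FILE" log_program_based)
    for req in $REQUESTS
    do
      # Whole-word, fixed-string match. A plain substring grep reports a
      # request as set whenever its name occurs inside a longer one (READ
      # inside READ_OPEN), so the dialog would show - and a later save would
      # store - logging for requests that were never selected.
      if printf '%s\n' "$SETREQUESTS" | grep -qwF -- "$req"
      then
        echo "$req on on"
      else
        echo "$req off off"
      fi
    done
}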

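#######################################
# Emit checklist entries for the min_caps attribute of $FILE.
# Globals:   CAPS (read; filled from "attr_get_file_dir -c" when empty),
#            SETCAPS (written), RSBACPATH, GETSWITCH, TYPE, FILE (read)
# Outputs:   "<cap> on on" or "<cap> off off" for every name in $CAPS
#######################################
gen_min_caps_list () {
    local cap
    if test -z "$CAPS"
      then CAPS=$("${RSBACPATH}attr_get_file_dir" -c)
    fi
    # $GETSWITCH stays unquoted on purpose: when it is empty it must
    # disappear instead of becoming an empty argument.
    SETCAPS=$("${RSBACPATH}attr_get_file_dir" $GETSWITCH -p $TYPE "$FILE" min_caps)
    for cap in $CAPS
    do
      # Whole-word, fixed-string match: a capability whose name is contained
      # in a longer name must not be shown as granted because of the longer
      # one. The checklist is the admin's view of the privilege set, so a
      # false "on" here misstates what the file may do.
      if printf '%s\n' "$SETCAPS" | grep -qwF -- "$cap"
      then
        echo "$cap on on"
      else
        echo "$cap off off"
      fi
    done
}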

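#######################################
# Emit checklist entries for the max_caps attribute of $FILE.
# Globals:   CAPS (read; filled from "attr_get_file_dir -c" when empty),
#            SETCAPS (written), RSBACPATH, GETSWITCH, TYPE, FILE (read)
# Outputs:   "<cap> on on" or "<cap> off off" for every name in $CAPS
#######################################
gen_max_caps_list () {
    local cap
    if test -z "$CAPS"
      then CAPS=$("${RSBACPATH}attr_get_file_dir" -c)
    fi
    # $GETSWITCH stays unquoted on purpose: when it is empty it must
    # disappear instead of becoming an empty argument.
    SETCAPS=$("${RSBACPATH}attr_get_file_dir" $GETSWITCH -p $TYPE "$FILE" max_caps)
    for cap in $CAPS
    do
      # Whole-word, fixed-string match: a capability whose name is contained
      # in a longer name must not be shown as allowed because of the longer
      # one. An entry wrongly pre-selected here would be written back as part
      # of the upper bound when the list is saved.
      if printf '%s\n' "$SETCAPS" | grep -qwF -- "$cap"
      then
        echo "$cap on on"
      else
        echo "$cap off off"
      fi
    done
}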

# Columns available for the category bit string: box width minus 38.
declare -i MAXCATLEN=$((BC - 38))
# Print $1 when at least 64 columns are available for it, otherwise a
# placeholder.
# Arguments: $1 - text to show (the main menu passes $MACCAT)
# Globals:   MAXCATLEN (read)
cat_print () {
  if (( MAXCATLEN < 64 ))
  then
    echo "(too long)"
    return
  fi
  echo $1
}

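# Longest name shown in the main menu: box width minus 44.
declare -i MAXNAMELEN=$BC-44
# Print $1 cut down to the first MAXNAMELEN characters of each line.
# Arguments: $1 - file or symlink name to show
# Globals:   MAXNAMELEN (read)
name_print () {
  # printf instead of echo: a name such as "-n" or "-e" would be consumed by
  # echo as an option and the menu entry would come out empty.
  printf '%s\n' "$1" | cut -c "1-$MAXNAMELEN"
}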

# Supply the optional "Follow:" entry of the main menu.
# Arguments: $1 - 1 prints the entry tag, 2 prints the link target as
#                 shortened by name_print; anything else prints nothing
# Globals:   TYPE, SYMLINK (read)
# Outputs:   nothing unless TYPE is SYMLINK
gen_follow_symlink () {
    if test "$TYPE" != "SYMLINK"
    then return 0
    fi
    case $1 in
      1) echo 'Follow:' ;;
      2) echo "$(name_print "$SYMLINK")" ;;
    esac
}

###################### Menu #################

# Object to administer: the first command-line argument, or the start
# directory when none was given.
FILE=${1:-$LASTDIR}

# Mark the start of this session in the command log, when one is configured.
if [[ -n "$RSBACLOGFILE" ]]
then
  echo "" >>"$RSBACLOGFILE"
  echo "# $0 start $(date)" >>"$RSBACLOGFILE"
fi

# get_attributes is defined elsewhere; TYPE is read right after the call, so
# it presumably sets TYPE and the attribute variables - TODO confirm.
get_attributes "$FILE"

# Record the working directory for any start object that is not a directory.
# NOTE(review): the path is written unquoted after "cd"; if the log is meant
# to be replayed, a directory name with blanks or shell metacharacters would
# not survive - confirm intended use.
if [[ "$TYPE" != "DIR" && -n "$RSBACLOGFILE" ]]
then
  echo "cd $(pwd)" >>"$RSBACLOGFILE"
fi

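  #######################################
  # Main File/Dir menu.
  # The entry list is built as an argument array on every call instead of
  # being generated as shell source, written to $TMPFILE and read back with
  # ".". Menu text (title with user and host name, file names, attribute
  # values) is therefore only ever passed as data and never parsed as code,
  # and no code is executed from a file in the shared temporary directory,
  # whose name falls back to a predictable one when mktemp fails.
  # $DIALOG, $TITLE and the SHOW_* switches are now read when the menu is
  # shown rather than once at start-up.
  # Globals:   DIALOG, TITLE, BACKTITLE, CHOICE, BL, BC, FILE, SUBTYPE,
  #            GETMODE, SHOW_* and the attribute variables shown (read)
  # Outputs:   whatever $DIALOG writes; callers redirect stderr to get the
  #            selected tag
  # Returns:   exit status of $DIALOG
  #######################################
  fd_menu () {
    local follow_tag
    local -a items

    items=(
      "FD List:" "Choose from listing of last dir"
      "FD Name:" "$(name_print "$FILE / $SUBTYPE")"
    )
    # The "Follow:" entry exists only for symlinks. Tag and target are added
    # as one pair so that a target containing blanks (or an empty one) cannot
    # shift the tag/text pairing of the entries after it.
    follow_tag=$(gen_follow_symlink 1)
    if test -n "$follow_tag"
    then
      items=("${items[@]}" "$follow_tag" "$(gen_follow_symlink 2)")
    fi
    items=("${items[@]}"
      "Attribute Get Mode:" "$GETMODE"
      "-------------------" " ")
    if test "$SHOW_MAC" = "yes"
    then
      items=("${items[@]}"
        "MAC Security Level:" "$SECLEVEL / $(get_vname seclevel $SECLEVEL)"
        "MAC Categories:" "$(cat_print $MACCAT)"
        "MAC Trusted for User:" "$MACTRUSER / $(get_vname mactruser $MACTRUSER)"
        "MAC Auto:" "$MACAUTO / $(get_vname macauto $MACAUTO)"
        "MAC Prop Trusted:" "$MACPROPTR / $(get_vname onoff $MACPROPTR)"
        "MAC File Flags:" "$MACFLAGS")
    fi
    if test "$SHOW_FC" = "yes"
    then
      items=("${items[@]}"
        "FC Object Category:" "$OBJCAT / $(get_vname objcat $OBJCAT)")
    fi
    if test "$SHOW_SIM" = "yes"
    then
      items=("${items[@]}"
        "SIM Data Type:" "$DATATYPE / $(get_vname datatype $DATATYPE)")
    fi
    if test "$SHOW_PM" = "yes"
    then
      items=("${items[@]}"
        "PM Object Class:" "$PMCLASS"
        "PM TP:" "$PMTP"
        "PM Object Type:" "$PMOBJTYPE / $(get_vname pmobjtype $PMOBJTYPE)")
    fi
    if test "$SHOW_MS" = "yes"
    then
      items=("${items[@]}"
        "MS Scanned:" "$MSSCANNED / $(get_vname msscanned $MSSCANNED)"
        "MS Need Scan:" "$MSNEEDSCAN / $(get_vname msneedscan $MSNEEDSCAN)"
        "MS Trusted:" "$MSTRUSTED / $(get_vname mstrusted $MSTRUSTED)"
        "MS Sock Trusted TCP:" "$MSSOCKTCP / $(get_vname mssock $MSSOCKTCP)"
        "MS Sock Trusted UDP:" "$MSSOCKUDP / $(get_vname mssock $MSSOCKUDP)")
    fi
    if test "$SHOW_FF" = "yes"
    then
      items=("${items[@]}"
        "FF Flags:" "$FFFLAGS")
    fi
    if test "$SHOW_RC" = "yes"
    then
      items=("${items[@]}"
        "RC Type FD:" "$RCTYPEFD / $(get_vname rctypefd $RCTYPEFD)"
        "RC Force Role:" "$RCFORRO / $(get_vname rcforro $RCFORRO)"
        "RC Initial Role:" "$RCINRO / $(get_vname rcinro $RCINRO)")
    fi
    if test "$SHOW_AUTH" = "yes"
    then
      items=("${items[@]}"
        "AUTH May Setuid:" "$AUTHSUID / $(get_vname onoff $AUTHSUID)"
        "AUTH May Set Cap:" "$AUTHSCAP / $(get_vname onoff $AUTHSCAP)"
        "AUTH Capabilities:" "$(get_caps)"
        "AUTH Eff Capabilities:" "$(get_caps -e)"
        "AUTH FS Capabilities:" "$(get_caps -f)")
    fi
    if test "$SHOW_CAP" = "yes"
    then
      items=("${items[@]}"
        "CAP Min Caps:" "$MINCAPS"
        "CAP Max Caps:" "$MAXCAPS")
    fi
    if test "$SHOW_RES" = "yes"
    then
      items=("${items[@]}"
        "RES Min Resources:" "$RESMIN"
        "RES Max Resources:" "$RESMAX")
    fi
    if test "$SHOW_GEN" = "yes"
    then
      items=("${items[@]}"
        "Log Array Low:" "$LOGLOW"
        "Log Array High:" "$LOGHIGH"
        "Log Program Based:" "$LOGPROG"
        "Symlink Add UID:" "$SYMADDUID"
        "Symlink Add MAC Level:" "$SYMADDMAC"
        "Symlink Add RC Role:" "$SYMADDRC"
        "Linux DAC disable:" "$DACDIS / $(get_vname dacdis $DACDIS)")
    fi
    items=("${items[@]}"
      "----------------" " "
      "Dev Attributes:" "Go to block/char dev attribute menu"
      "ACL Menu:" "Go to ACL menu"
      "----------------" " "
      "Reset Attributes:" "Reset all values to default values"
      "Quit" "")

    # $DIALOG is left unquoted as everywhere else in this script.
    $DIALOG --title "$TITLE" \
           --backtitle "$BACKTITLE" \
           --help-button --default-item "$CHOICE" \
           --menu "Main FD Menu" $BL $BC $(gl 46) \
           "${items[@]}"
  }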

while true
  do
    if ! fd_menu 2>$TMPFILE
     then rm $TMPFILE ; exit
    fi

  CHOICE="`cat $TMPFILE`"
  echo $CHOICE >>/tmp/temp
  case "$CHOICE" in
    HELP*)
        show_help "${CHOICE:5}"
        CHOICE="${CHOICE:5}"
      ;;
    'FD List:')
        FILETMP="$FILE"
        if test ! -d $LASTDIR
        then $LASTDIR='/'
        fi
        TMP=`ls -1ad $LASTDIR/* $LASTDIR/.*`
        while $DIALOG --title "$TITLE" \
                     --backtitle "$BACKTITLE" \
                     --default-item "$FILETMP" \
                     --menu "File/Dir/Fifo Name (choose cancel for $FILE)" $BL $BC $MAXLINES \
                            `for i in $TMP ; do list_item $i ; done` \
           2>$TMPFILE
        do FILETMP="`cat $TMPFILE`"
          FILE="$FILETMP"
          get_attributes
          if test $TYPE != "DIR"
          then break
          else
          TMP=`ls -1ad $LASTDIR/* $LASTDIR/.*`
          fi
        done
      ;;

    "FD Name:")
        if $DIALOG --title "$TITLE" \
                  --backtitle "$BACKTITLE" \
                  --inputbox "File/Dir/Fifo/Symlink name" $BL $BC "$FILE" \
           2>$TMPFILE
        then FILE=`cat $TMPFILE`
             get_attributes
        fi
      ;;

    "Follow:")
        case "$SYMLINK" in
          /*)
            FILE="$SYMLINK"
            ;;
          *)
            FILE="`dirname $FILE`/$SYMLINK"
            ;;
        esac
        get_attributes
      ;;

    'Attribute Get Mode:')
        if test $GETMODE = "real"
        then GETMODE="effective" ; GETSWITCH="-e"
        else GETMODE="real" ; GETSWITCH=""
        fi
        get_attributes
      ;;


    'MAC Security Level:')
        if test "$TYPE" != "NONE"
        then \
          if $DIALOG --title "$TITLE" \
                    --backtitle "$BACKTITLE" \
                    --radiolist "Choose Security Level for $FILE (old value: $SECLEVEL)" $BL $BC 8 \
                                "Enter" "Numeric Value" off \
                                0 "`get_vname seclevel 0`" `onoff 0 $SECLEVEL` \
                                1 "`get_vname seclevel 1`" `onoff 1 $SECLEVEL` \
                                2 "`get_vname seclevel 2`" `onoff 2 $SECLEVEL` \
                                3 "`get_vname seclevel 3`" `onoff 3 $SECLEVEL` \
                                252 "`get_vname seclevel 252`" `onoff 252 $SECLEVEL` \
                                253 "`get_vname seclevel 253`" `onoff 253 $SECLEVEL` \
                                254 "`get_vname seclevel 254`" `onoff 254 $SECLEVEL` \
             2>$TMPFILE
          then TMP=`cat $TMPFILE`
               if test "$TMP" = "Enter"
               then
                 if $DIALOG --title "$TITLE" \
                           --backtitle "$BACKTITLE" \
                           --inputbox "MAC security level" $BL $BC "$SECLEVEL" \
                   2>$TMPFILE
                 then
                   TMP="`cat $TMPFILE`"
                   if test $TMP -gt 254
                   then
                     $DIALOG --title "$ERRTITLE" \
                            --backtitle "$BACKTITLE" \
                            --msgbox "Invalid security level value $TMP!" $BL $BC
                     TMP=""
                   fi
                 else
                   TMP=""
                 fi
               fi
               if test -n "$TMP"
               then
                 if $RSBACPATH""attr_set_file_dir $TYPE "$FILE" security_level $TMP &>$TMPFILE
                 then SECLEVEL=$TMP
                   if test -n "$RSBACLOGFILE"
                   then
                     echo $RSBACPATH""attr_set_file_dir $TYPE \"$FILE\" security_level $TMP >>"$RSBACLOGFILE"
                   fi
                 else \
                   $DIALOG --title "$ERRTITLE" \
                          --backtitle "$BACKTITLE" \
                          --msgbox "`head -n 1 $TMPFILE`" $BL $BC
                 fi
               fi
          fi
        else
                 $DIALOG --title "$ERRTITLE" \
                        --backtitle "$BACKTITLE" \
                        --msgbox "Security Level: No file/dir specified!" 5 $BC
        fi
      ;;

    'MAC Categories:')
        if test "$TYPE" != "NONE"
        then \
          ALLCATNR=`$RSBACPATH""attr_get_file_dir list_category_nr`
          if $DIALOG --title "MAC Categories for $TYPE $FILE (all 0 = inherit)" \
                    --backtitle "$BACKTITLE" \
                    --checklist "Bits: $MACCAT" $BL $BC $MAXLINES \
                    `gen_cat_list $ALLCATNR` \
             2>$TMPFILE
          then TMP=`cat $TMPFILE|tr -d '"'`
               for i in $ALLCATNR
               do
                 if $RSBACPATH""attr_set_file_dir $TYPE "$FILE" mac_categories $i 0 &>$TMPFILE
                 then
                   if test -n "$RSBACLOGFILE"
                   then
                     echo $RSBACPATH""attr_set_file_dir $TYPE \"$FILE\" mac_categories $i 0 >>"$RSBACLOGFILE"
                   fi
                 else
                   $DIALOG --title "$ERRTITLE" \
                          --backtitle "$BACKTITLE" \
                          --msgbox "`head -n 1 $TMPFILE`" $BL $BC
                   continue
                 fi
               done
               for i in $TMP
               do
                 if $RSBACPATH""attr_set_file_dir $TYPE "$FILE" mac_categories $i 1 &>$TMPFILE
                 then
                   if test -n "$RSBACLOGFILE"
                   then
                     echo $RSBACPATH""attr_set_file_dir $TYPE \"$FILE\" mac_categories $i 1 >>"$RSBACLOGFILE"
                   fi
                 else
                   $DIALOG --title "$ERRTITLE" \
                          --backtitle "$BACKTITLE" \
                          --msgbox "`head -n 1 $TMPFILE`" $BL $BC
                   continue
                 fi
               done
               MACCAT=`$RSBACPATH""attr_get_file_dir $GETSWITCH $TYPE "$FILE" mac_categories`
          fi
        else
                 $DIALOG --title "$ERRTITLE" \
                        --backtitle "$BACKTITLE" \
                        --msgbox "MAC Categories: No file/dir specified!" 5 $BC
        fi
      ;;

    'MAC Trusted for User:')
        if test "$TYPE" != "NONE"
        then \
          if $DIALOG --title "$TITLE" \
                    --backtitle "$BACKTITLE" \
                    --radiolist "Choose User to execute file as MAC Trusted for $FILE" $BL $BC 5 \
                                NONE "$NO_USER (-2)" `onoff $NO_USER $MACTRUSER` \
                                ALL "$ALL_USERS (-3)" `onoff $ALL_USERS $MACTRUSER` \
                                $MACTRUSER "Individual user: `get_vname mactruser $MACTRUSER`" `onoff $NEWMTUSER $MACTRUSER` \
                                "IND"  "Choose individual user" off \
             2>$TMPFILE
          then TMP=`cat $TMPFILE`
               if test "$TMP" = "IND"
                 then choose_user
                      TMP=$NEWMTUSER
               fi
               if test -n "$TMP"
               then
                 TMP=`get_vname mactruserrev $TMP`
                 if $RSBACPATH""attr_set_file_dir $TYPE "$FILE" mac_trusted_for_user $TMP &>$TMPFILE
                 then MACTRUSER=$TMP
                   if test -n "$RSBACLOGFILE"
                   then
                     echo $RSBACPATH""attr_set_file_dir $TYPE \"$FILE\" mac_trusted_for_user $TMP >>"$RSBACLOGFILE"
                   fi
                 else \
                   $DIALOG --title "$ERRTITLE" \
                          --backtitle "$BACKTITLE" \
                          --msgbox "`head -n 1 $TMPFILE`" $BL $BC
                 fi
               fi
          fi
        else
                 $DIALOG --title "$ERRTITLE" \
                        --backtitle "$BACKTITLE" \
                        --msgbox "MAC Trusted for User: No file/dir specified!" 5 $BC
        fi
      ;;

    'MAC Auto:')
        if test "$TYPE" != "NONE"
        then \
          if $DIALOG --title "$TITLE" \
                    --backtitle "$BACKTITLE" \
                    --radiolist "Choose MAC Auto for $FILE" $BL $BC 3 \
                                0 "`get_vname macauto 0`" `onoff 0 $MACAUTO` \
                                1 "`get_vname macauto 1`" `onoff 1 $MACAUTO` \
                                2 "`get_vname macauto 2`" `onoff 2 $MACAUTO` \
             2>$TMPFILE
          then TMP=`cat $TMPFILE`
               if $RSBACPATH""attr_set_file_dir $TYPE "$FILE" mac_auto $TMP &>$TMPFILE
               then MACAUTO=$TMP
                 if test -n "$RSBACLOGFILE"
                 then
                   echo $RSBACPATH""attr_set_file_dir $TYPE \"$FILE\" mac_auto $TMP >>"$RSBACLOGFILE"
                 fi
               else \
                 $DIALOG --title "$ERRTITLE" \
                        --backtitle "$BACKTITLE" \
                        --msgbox "`head -n 1 $TMPFILE`" $BL $BC
               fi
          fi
        else
                 $DIALOG --title "$ERRTITLE" \
                        --backtitle "$BACKTITLE" \
                        --msgbox "MAC Auto: No file/dir specified!" 5 $BC
        fi
      ;;

    'MAC Prop Trusted:')
        if test "$TYPE" = "FILE" -a "$SUBTYPE" = "FILE"
        then \
           if test $MACPROPTR = "0"
           then TMP="1"
           else TMP="0"
           fi
           if $RSBACPATH""attr_set_file_dir $TYPE "$FILE" mac_prop_trusted $TMP &>$TMPFILE
           then MACPROPTR=$TMP
             if test -n "$RSBACLOGFILE"
             then
               echo $RSBACPATH""attr_set_file_dir $TYPE \"$FILE\" mac_prop_trusted $TMP >>"$RSBACLOGFILE"
             fi
           else \
             $DIALOG --title "$ERRTITLE" \
                    --backtitle "$BACKTITLE" \
                    --msgbox "`head -n 1 $TMPFILE`" $BL $BC
           fi
        else
                 $DIALOG --title "$ERRTITLE" \
                        --backtitle "$BACKTITLE" \
                        --msgbox "MAC Prop Trusted: No regular file specified!" 5 $BC
        fi
      ;;

    'MAC File Flags:')
        if test "$TYPE" != "NONE"
        then
          mac_flags_menu
        else
                 $DIALOG --title "$ERRTITLE" \
                        --backtitle "$BACKTITLE" \
                        --msgbox "MAC File Flags: No file/dir specified!" 5 $BC
        fi
      ;;


    'FC Object Category:')
        if test "$TYPE" != "NONE"
        then \
          if $DIALOG --title "$TITLE" \
                    --backtitle "$BACKTITLE" \
                    --radiolist "Choose Object Category for $FILE" $BL $BC 4 \
                                0 "`get_vname objcat 0`" `onoff 0 $OBJCAT` \
                                1 "`get_vname objcat 1`" `onoff 1 $OBJCAT` \
                                2 "`get_vname objcat 2`" `onoff 2 $OBJCAT` \
                                3 "`get_vname objcat 3`" `onoff 3 $OBJCAT` \
             2>$TMPFILE
          then TMP=`cat $TMPFILE`
               if $RSBACPATH""attr_set_file_dir $TYPE "$FILE" object_category $TMP &>$TMPFILE
               then OBJCAT=$TMP
                 if test -n "$RSBACLOGFILE"
                 then
                   echo $RSBACPATH""attr_set_file_dir $TYPE \"$FILE\" object_category $TMP >>"$RSBACLOGFILE"
                 fi
               else \
                 $DIALOG --title "$ERRTITLE" \
                        --backtitle "$BACKTITLE" \
                        --msgbox "`head -n 1 $TMPFILE`" $BL $BC
               fi
          fi
        else
                 $DIALOG --title "$ERRTITLE" \
                        --backtitle "$BACKTITLE" \
                        --msgbox "Object Category: No file/dir specified!" 5 $BC
        fi
      ;;

    'SIM Data Type:')
        if test "$TYPE" != "NONE"
        then \
          if $DIALOG --title "$TITLE" \
                    --backtitle "$BACKTITLE" \
                    --radiolist "Choose Data Type for $FILE" $BL $BC 3 \
                                0 "`get_vname datatype 0`" `onoff 0 $DATATYPE` \
                                1 "`get_vname datatype 1`" `onoff 1 $DATATYPE` \
                                2 "`get_vname datatype 2`" `onoff 2 $DATATYPE` \
             2>$TMPFILE
          then TMP=`cat $TMPFILE`
               if $RSBACPATH""attr_set_file_dir $TYPE "$FILE" data_type $TMP &>$TMPFILE
               then DATATYPE=$TMP
                 if test -n "$RSBACLOGFILE"
                 then
                   echo $RSBACPATH""attr_set_file_dir $TYPE \"$FILE\" data_type $TMP >>"$RSBACLOGFILE"
                 fi
               else \
                 $DIALOG --title "$ERRTITLE" \
                        --backtitle "$BACKTITLE" \
                        --msgbox "`head -n 1 $TMPFILE`" $BL $BC
               fi
          fi
        else
                 $DIALOG --title "$ERRTITLE" \
                        --backtitle "$BACKTITLE" \
                        --msgbox "Data Type: No file/dir specified!" 5 $BC
        fi
      ;;

    'PM Object Class:')
        if test "$TYPE" != "NONE"
        then \
           if $DIALOG --title "$TITLE" \
                     --backtitle "$BACKTITLE" \
                     --inputbox "PM Object Class (long integer) for $FILE" \
                                $BL $BC "$PMCLASS" \
              2>$TMPFILE
          then TMP=`cat $TMPFILE`
               if $RSBACPATH""attr_set_file_dir $TYPE "$FILE" pm_object_class $TMP &>$TMPFILE
               then PMCLASS=$TMP
                 if test -n "$RSBACLOGFILE"
                 then
                   echo $RSBACPATH""attr_set_file_dir $TYPE \"$FILE\" pm_object_class $TMP >>"$RSBACLOGFILE"
                 fi
               else \
                 $DIALOG --title "$ERRTITLE" \
                        --backtitle "$BACKTITLE" \
                        --msgbox "`head -n 1 $TMPFILE`" $BL $BC
               fi
          fi
        else
                 $DIALOG --title "$ERRTITLE" \
                        --backtitle "$BACKTITLE" \
                        --msgbox "PM Object Class: No file/dir specified!" 5 $BC
        fi
      ;;

    'PM TP:')
        if test "$TYPE" != "NONE"
        then \
           if $DIALOG --title "$TITLE" \
                     --backtitle "$BACKTITLE" \
                     --inputbox "PM TP (long integer) for $FILE" \
                                $BL $BC "$PMTP" \
              2>$TMPFILE
          then TMP=`cat $TMPFILE`
               if $RSBACPATH""attr_set_file_dir $TYPE "$FILE" pm_tp $TMP &>$TMPFILE
               then PMTP=$TMP
                 if test -n "$RSBACLOGFILE"
                 then
                   echo $RSBACPATH""attr_set_file_dir $TYPE \"$FILE\" pm_tp $TMP >>"$RSBACLOGFILE"
                 fi
               else \
                 $DIALOG --title "$ERRTITLE" \
                        --backtitle "$BACKTITLE" \
                        --msgbox "`head -n 1 $TMPFILE`" $BL $BC
               fi
          fi
        else
                 $DIALOG --title "$ERRTITLE" \
                        --backtitle "$BACKTITLE" \
                        --msgbox "PM TP: No file/dir specified!" 5 $BC
        fi
      ;;

    'PM Object Type:')
        if test "$TYPE" != "NONE"
        then \
          if $DIALOG --title "$TITLE" \
                    --backtitle "$BACKTITLE" \
                    --radiolist "Choose PM Object Type for $FILE" $BL $BC 6 \
                                0 "`get_vname pmobjtype 0`" `onoff 0 $PMOBJTYPE` \
                                1 "`get_vname pmobjtype 1`" `onoff 1 $PMOBJTYPE` \
                                2 "`get_vname pmobjtype 2`" `onoff 2 $PMOBJTYPE` \
                                3 "`get_vname pmobjtype 3`" `onoff 3 $PMOBJTYPE` \
                                4 "`get_vname pmobjtype 4`" `onoff 4 $PMOBJTYPE` \
                                5 "`get_vname pmobjtype 5`" `onoff 5 $PMOBJTYPE` \
             2>$TMPFILE
          then TMP=`cat $TMPFILE`
               if $RSBACPATH""attr_set_file_dir $TYPE "$FILE" pm_object_type $TMP &>$TMPFILE
               then PMOBJTYPE=$TMP
                 if test -n "$RSBACLOGFILE"
                 then
                   echo $RSBACPATH""attr_set_file_dir $TYPE \"$FILE\" pm_object_type $TMP >>"$RSBACLOGFILE"
                 fi
               else \
                 $DIALOG --title "$ERRTITLE" \
                        --backtitle "$BACKTITLE" \
                        --msgbox "`head -n 1 $TMPFILE`" $BL $BC
               fi
          fi
        else
                 $DIALOG --title "$ERRTITLE" \
                        --backtitle "$BACKTITLE" \
                        --msgbox "PM Object Type: No file/dir specified!" 5 $BC
        fi
      ;;

    'MS Scanned:')
        if test "$TYPE" != "NONE"
        then \
          if $DIALOG --title "$TITLE" \
                    --backtitle "$BACKTITLE" \
                    --radiolist "Choose MS Scanned Status for $FILE" $BL $BC 5 \
                                0 "`get_vname msscanned 0`" `onoff 0 $MSSCANNED` \
                                1 "`get_vname msscanned 1`" `onoff 1 $MSSCANNED` \
                                $MSL "`get_vname msscanned $MSL`" `onoff $MSL $MSSCANNED` \
             2>$TMPFILE
          then TMP=`cat $TMPFILE`
               if $RSBACPATH""attr_set_file_dir $TYPE "$FILE" ms_scanned $TMP &>$TMPFILE
               then MSSCANNED=$TMP
                 if test -n "$RSBACLOGFILE"
                 then
                   echo $RSBACPATH""attr_set_file_dir $TYPE \"$FILE\" ms_scanned $TMP >>"$RSBACLOGFILE"
                 fi
               else \
                 $DIALOG --title "$ERRTITLE" \
                        --backtitle "$BACKTITLE" \
                        --msgbox "`head -n 1 $TMPFILE`" $BL $BC
               fi
          fi
        else
                 $DIALOG --title "$ERRTITLE" \
                        --backtitle "$BACKTITLE" \
                        --msgbox "MS Scanned: No file/dir specified!" 5 $BC
        fi
      ;;

    'MS Need Scan:')
        if test "$TYPE" != "NONE"
        then \
          if $DIALOG --title "$TITLE" \
                    --backtitle "$BACKTITLE" \
                    --radiolist "Choose MS Need Scan for $FILE" $BL $BC 6 \
                                0 "`get_vname msneedscan 0`" `onoff 0 $MSNEEDSCAN` \
                                1 "`get_vname msneedscan 1`" `onoff 1 $MSNEEDSCAN` \
                                2 "`get_vname msneedscan 2`" `onoff 2 $MSNEEDSCAN` \
                                3 "`get_vname msneedscan 3`" `onoff 3 $MSNEEDSCAN` \
             2>$TMPFILE
          then TMP=`cat $TMPFILE`
               if $RSBACPATH""attr_set_file_dir $TYPE "$FILE" ms_need_scan $TMP &>$TMPFILE
               then MSNEEDSCAN=$TMP
                 if test -n "$RSBACLOGFILE"
                 then
                   echo $RSBACPATH""attr_set_file_dir $TYPE \"$FILE\" ms_need_scan $TMP >>"$RSBACLOGFILE"
                 fi
               else \
                 $DIALOG --title "$ERRTITLE" \
                        --backtitle "$BACKTITLE" \
                        --msgbox "`head -n 1 $TMPFILE`" $BL $BC
               fi
          fi
        else
                 $DIALOG --title "$ERRTITLE" \
                        --backtitle "$BACKTITLE" \
                        --msgbox "MS Need Scan: No file/dir specified!" 5 $BC
        fi
      ;;

    'MS Trusted:')
        if test "$TYPE" != "NONE"
        then \
          if $DIALOG --title "$TITLE" \
                    --backtitle "$BACKTITLE" \
                    --radiolist "Choose MS Trusted for $FILE" $BL $BC 6 \
                                0 "`get_vname mstrusted 0`" `onoff 0 $MSTRUSTED` \
                                1 "`get_vname mstrusted 1`" `onoff 1 $MSTRUSTED` \
                                2 "`get_vname mstrusted 2`" `onoff 2 $MSTRUSTED` \
             2>$TMPFILE
          then TMP=`cat $TMPFILE`
               if $RSBACPATH""attr_set_file_dir $TYPE "$FILE" ms_trusted $TMP &>$TMPFILE
               then MSTRUSTED=$TMP
                 if test -n "$RSBACLOGFILE"
                 then
                   echo $RSBACPATH""attr_set_file_dir $TYPE \"$FILE\" ms_trusted $TMP >>"$RSBACLOGFILE"
                 fi
               else \
                 $DIALOG --title "$ERRTITLE" \
                        --backtitle "$BACKTITLE" \
                        --msgbox "`head -n 1 $TMPFILE`" $BL $BC
               fi
          fi
        else
                 $DIALOG --title "$ERRTITLE" \
                        --backtitle "$BACKTITLE" \
                        --msgbox "MS Trusted: No file/dir specified!" 5 $BC
        fi
      ;;

    'MS Sock Trusted TCP:')
        if test "$TYPE" != "NONE"
        then \
          if $DIALOG --title "$TITLE" \
                    --backtitle "$BACKTITLE" \
                    --radiolist "Choose MS Sock Trusted TCP for $FILE" $BL $BC 6 \
                                0 "`get_vname mssock 0`" `onoff 0 $MSSOCKTCP` \
                                1 "`get_vname mssock 1`" `onoff 1 $MSSOCKTCP` \
                                2 "`get_vname mssock 2`" `onoff 2 $MSSOCKTCP` \
             2>$TMPFILE
          then TMP=`cat $TMPFILE`
               if $RSBACPATH""attr_set_file_dir $TYPE "$FILE" ms_sock_trusted_tcp $TMP &>$TMPFILE
               then MSSOCKTCP=$TMP
                 if test -n "$RSBACLOGFILE"
                 then
                   echo $RSBACPATH""attr_set_file_dir $TYPE \"$FILE\" ms_sock_trusted_tcp $TMP >>"$RSBACLOGFILE"
                 fi
               else \
                 $DIALOG --title "$ERRTITLE" \
                        --backtitle "$BACKTITLE" \
                        --msgbox "`head -n 1 $TMPFILE`" $BL $BC
               fi
          fi
        else
                 $DIALOG --title "$ERRTITLE" \
                        --backtitle "$BACKTITLE" \
                        --msgbox "MS Sock Trusted TCP: No file/dir specified!" 5 $BC
        fi
      ;;

    'MS Sock Trusted UDP:')
        if test "$TYPE" != "NONE"
        then \
          if $DIALOG --title "$TITLE" \
                    --backtitle "$BACKTITLE" \
                    --radiolist "Choose MS Sock Trusted UDP for $FILE" $BL $BC 6 \
                                0 "`get_vname mssock 0`" `onoff 0 $MSSOCKUDP` \
                                1 "`get_vname mssock 1`" `onoff 1 $MSSOCKUDP` \
                                2 "`get_vname mssock 2`" `onoff 2 $MSSOCKUDP` \
             2>$TMPFILE
          then TMP=`cat $TMPFILE`
               if $RSBACPATH""attr_set_file_dir $TYPE "$FILE" ms_sock_trusted_udp $TMP &>$TMPFILE
               then MSSOCKUDP=$TMP
                 if test -n "$RSBACLOGFILE"
                 then
                   echo $RSBACPATH""attr_set_file_dir $TYPE \"$FILE\" ms_sock_trusted_udp $TMP >>"$RSBACLOGFILE"
                 fi
               else \
                 $DIALOG --title "$ERRTITLE" \
                        --backtitle "$BACKTITLE" \
                        --msgbox "`head -n 1 $TMPFILE`" $BL $BC
               fi
          fi
        else
                 $DIALOG --title "$ERRTITLE" \
                        --backtitle "$BACKTITLE" \
                        --msgbox "MS Sock Trusted UDP: No file/dir specified!" 5 $BC
        fi
      ;;

    'FF Flags:')
        if test "$TYPE" != "NONE"
        then \
          flags_menu
        else
                 $DIALOG --title "$ERRTITLE" \
                        --backtitle "$BACKTITLE" \
                        --msgbox "FF Flags: No file/dir specified!" 5 $BC
        fi
      ;;

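    'RC Type FD:')
        # Set rc_type_fd on $FILE: pick from the list printed by
        # `rc_get_item list_fd_types`, or type an integer if that call fails.
        # Only a successful change is appended to $RSBACLOGFILE (when set);
        # a failed attempt is shown on screen and leaves no record here.
        if test "$TYPE" != "NONE"
        then
          # $TMPFILE is quoted everywhere: it is derived from $TMPDIR, which
          # comes from the environment and may contain blanks.
          if "${RSBACPATH}rc_get_item" list_fd_types >"$TMPFILE"
          then
            # Left unquoted on purpose: word splitting turns the list into
            # the tag/description arguments of --menu.
            TYPELIST=$(<"$TMPFILE")
            # NOTE(review): the default item is $RCTYPE, while the value kept
            # by this arm is $RCTYPEFD - confirm which one is intended.
            if $DIALOG --title "$TITLE" \
                       --backtitle "$BACKTITLE" \
                       --default-item "$RCTYPE" \
                       --menu "Choose RC Type FD for $FILE" $BL $BC $MAXLINES \
                       $RCTYPEINHPAR "Inherit from parent dir" \
                       $TYPELIST \
                 2>"$TMPFILE"
            then
              # A menu answer is a single tag, so it is passed as one word.
              TMP=$(<"$TMPFILE")
              if "${RSBACPATH}attr_set_file_dir" $TYPE "$FILE" rc_type_fd "$TMP" &>"$TMPFILE"
              then
                RCTYPEFD=$TMP
                if test -n "$RSBACLOGFILE"
                then
                  # Entry is written verbatim (no shell escaping of $FILE):
                  # review a line before re-running it.
                  printf '%s\n' "${RSBACPATH}attr_set_file_dir $TYPE \"$FILE\" rc_type_fd $TMP" >>"$RSBACLOGFILE"
                fi
              else
                $DIALOG --title "$ERRTITLE" \
                        --backtitle "$BACKTITLE" \
                        --msgbox "$(head -n 1 "$TMPFILE")" $BL $BC
              fi
            fi
          elif $DIALOG --title "$TITLE" \
                       --backtitle "$BACKTITLE" \
                       --inputbox "RC Type FD (integer) for $FILE ($RCTYPEINHPAR = inherit)" \
                       $BL $BC "$RCTYPEFD" \
                 2>"$TMPFILE"
          then
            TMP=$(<"$TMPFILE")
            # NOTE(review): $TMP is operator-typed text and stays unquoted as
            # before, so it is word-split and glob-expanded into the argument
            # list; validating it as an integer first would be safer.
            if "${RSBACPATH}attr_set_file_dir" $TYPE "$FILE" rc_type_fd $TMP &>"$TMPFILE"
            then
              RCTYPEFD=$TMP
              if test -n "$RSBACLOGFILE"
              then
                printf '%s\n' "${RSBACPATH}attr_set_file_dir $TYPE \"$FILE\" rc_type_fd $TMP" >>"$RSBACLOGFILE"
              fi
            else
              $DIALOG --title "$ERRTITLE" \
                      --backtitle "$BACKTITLE" \
                      --msgbox "$(head -n 1 "$TMPFILE")" $BL $BC
            fi
          fi
        else
          $DIALOG --title "$ERRTITLE" \
                  --backtitle "$BACKTITLE" \
                  --msgbox "RC Type FD: No file/dir specified!" 5 $BC
        fi
      ;;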

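    'RC Force Role:')
        # Set rc_force_role on $FILE.  With a role list from
        # `rc_get_item list_roles` a menu (with help button) is shown until a
        # value is stored or the dialog is cancelled; without it the value is
        # typed as an integer.  Only successful changes reach $RSBACLOGFILE.
        if test "$TYPE" != "NONE"
        then
          # $TMPFILE is quoted because it is built from $TMPDIR, which is
          # taken from the environment.
          if "${RSBACPATH}rc_get_item" list_roles >"$TMPFILE"
          then
            TMP="$RCFORRO"
            # Unquoted on purpose below: split into --menu tag/text pairs.
            ROLELIST=$(<"$TMPFILE")
            while $DIALOG --title "$TITLE" \
                          --backtitle "$BACKTITLE" \
                          --help-button --default-item "$TMP" \
                          --menu "Choose RC Forced Role for $TYPE $FILE" $BL $BC $MAXLINES \
                          $RCUSERINHERIT "always inherit from user" \
                          $RCPROCINHERIT "inherit process (keep role)" \
                          $RCPARINHERIT "inherit parent dir (default)" \
                          $RCMIXINHERIT "mixed inherit proc/user (root dir default)" \
                          $ROLELIST \
                    2>"$TMPFILE"
            do
              TMP=$(<"$TMPFILE")
              case "$TMP" in
                HELP*)
                  # Help answer: drop the first five characters to get the
                  # tag, show its help and keep it as the next default item.
                  show_help "${TMP:5}"
                  TMP="${TMP:5}"
                  ;;
                *)
                  # A menu answer is a single tag, so it is passed as one word.
                  if "${RSBACPATH}attr_set_file_dir" $TYPE "$FILE" rc_force_role "$TMP" &>"$TMPFILE"
                  then
                    RCFORRO=$TMP
                    if test -n "$RSBACLOGFILE"
                    then
                      # Verbatim record; $FILE is not shell-escaped.
                      printf '%s\n' "${RSBACPATH}attr_set_file_dir $TYPE \"$FILE\" rc_force_role $TMP" >>"$RSBACLOGFILE"
                    fi
                    break
                  else
                    $DIALOG --title "$ERRTITLE" \
                            --backtitle "$BACKTITLE" \
                            --msgbox "$(head -n 1 "$TMPFILE")" $BL $BC
                  fi
                  ;;
              esac
            done
          elif $DIALOG --title "$TITLE" \
                       --backtitle "$BACKTITLE" \
                       --inputbox "RC Force Role (integer) for $TYPE $FILE ($RCUSERINHERIT = always inherit from user, $RCPROCINHERIT = inherit from process (keep role), $RCMIXINHERIT = mixed inherit (default))" \
                       $BL $BC "$RCFORRO" \
                 2>"$TMPFILE"
          then
            TMP=$(<"$TMPFILE")
            # NOTE(review): $TMP is operator-typed text and stays unquoted as
            # before, so it is word-split and glob-expanded into the argument
            # list; validating it as an integer first would be safer.
            if "${RSBACPATH}attr_set_file_dir" $TYPE "$FILE" rc_force_role $TMP &>"$TMPFILE"
            then
              RCFORRO=$TMP
              if test -n "$RSBACLOGFILE"
              then
                printf '%s\n' "${RSBACPATH}attr_set_file_dir $TYPE \"$FILE\" rc_force_role $TMP" >>"$RSBACLOGFILE"
              fi
            else
              $DIALOG --title "$ERRTITLE" \
                      --backtitle "$BACKTITLE" \
                      --msgbox "$(head -n 1 "$TMPFILE")" $BL $BC
            fi
          fi
        else
          $DIALOG --title "$ERRTITLE" \
                  --backtitle "$BACKTITLE" \
                  --msgbox "RC Force Role: No file/dir specified!" 5 $BC
        fi
      ;;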

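    'RC Initial Role:')
        # Set rc_initial_role on $FILE.  With a role list from
        # `rc_get_item list_roles` a menu (with help button) is shown until a
        # value is stored or the dialog is cancelled; without it the value is
        # typed as an integer.  Only successful changes reach $RSBACLOGFILE.
        if test "$TYPE" != "NONE"
        then
          # $TMPFILE is quoted because it is built from $TMPDIR, which is
          # taken from the environment.
          if "${RSBACPATH}rc_get_item" list_roles >"$TMPFILE"
          then
            TMP="$RCINRO"
            # Unquoted on purpose below: split into --menu tag/text pairs.
            ROLELIST=$(<"$TMPFILE")
            while $DIALOG --title "$TITLE" \
                          --backtitle "$BACKTITLE" \
                          --help-button --default-item "$TMP" \
                          --menu "Choose RC Initial Role for $TYPE $FILE" $BL $BC $MAXLINES \
                          $RCPARINHERIT "inherit parent dir (default)" \
                          $RCUSEFR "use force_role value (root dir default)" \
                          $ROLELIST \
                    2>"$TMPFILE"
            do
              TMP=$(<"$TMPFILE")
              case "$TMP" in
                HELP*)
                  # Help answer: drop the first five characters to get the
                  # tag, show its help and keep it as the next default item.
                  show_help "${TMP:5}"
                  TMP="${TMP:5}"
                  ;;
                *)
                  # A menu answer is a single tag, so it is passed as one word.
                  if "${RSBACPATH}attr_set_file_dir" $TYPE "$FILE" rc_initial_role "$TMP" &>"$TMPFILE"
                  then
                    RCINRO=$TMP
                    if test -n "$RSBACLOGFILE"
                    then
                      # Verbatim record; $FILE is not shell-escaped.
                      printf '%s\n' "${RSBACPATH}attr_set_file_dir $TYPE \"$FILE\" rc_initial_role $TMP" >>"$RSBACLOGFILE"
                    fi
                    break
                  else
                    $DIALOG --title "$ERRTITLE" \
                            --backtitle "$BACKTITLE" \
                            --msgbox "$(head -n 1 "$TMPFILE")" $BL $BC
                  fi
                  ;;
              esac
            done
          elif $DIALOG --title "$TITLE" \
                       --backtitle "$BACKTITLE" \
                       --inputbox "RC Initial Role (integer) for $TYPE $FILE ($RCPARINHERIT = inherit parent (default), $RCUSEFR = use force_role value (root default))" \
                       $BL $BC "$RCINRO" \
                 2>"$TMPFILE"
          then
            TMP=$(<"$TMPFILE")
            # NOTE(review): $TMP is operator-typed text and stays unquoted as
            # before, so it is word-split and glob-expanded into the argument
            # list; validating it as an integer first would be safer.
            if "${RSBACPATH}attr_set_file_dir" $TYPE "$FILE" rc_initial_role $TMP &>"$TMPFILE"
            then
              RCINRO=$TMP
              if test -n "$RSBACLOGFILE"
              then
                printf '%s\n' "${RSBACPATH}attr_set_file_dir $TYPE \"$FILE\" rc_initial_role $TMP" >>"$RSBACLOGFILE"
              fi
            else
              $DIALOG --title "$ERRTITLE" \
                      --backtitle "$BACKTITLE" \
                      --msgbox "$(head -n 1 "$TMPFILE")" $BL $BC
            fi
          fi
        else
          $DIALOG --title "$ERRTITLE" \
                  --backtitle "$BACKTITLE" \
                  --msgbox "RC Initial Role: No file/dir specified!" 5 $BC
        fi
      ;;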

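    'AUTH May Setuid:')
        # Flip auth_may_setuid on a regular file: 0 becomes 1, and every other
        # current value (including an empty one) becomes 0.  A successful
        # change is appended to $RSBACLOGFILE when that variable is set.
        if test "$TYPE" = "FILE" && test "$SUBTYPE" = "FILE"
        then
          # Quoted so that an empty $AUTHSUID compares as "not 0" instead of
          # making `test` print a syntax error on stderr.
          if test "$AUTHSUID" = "0"
          then TMP="1"
          else TMP="0"
          fi
          if "${RSBACPATH}attr_set_file_dir" $TYPE "$FILE" auth_may_setuid "$TMP" &>"$TMPFILE"
          then
            AUTHSUID=$TMP
            if test -n "$RSBACLOGFILE"
            then
              # Verbatim record; $FILE is not shell-escaped, so review a line
              # before re-running it.
              printf '%s\n' "${RSBACPATH}attr_set_file_dir $TYPE \"$FILE\" auth_may_setuid $TMP" >>"$RSBACLOGFILE"
            fi
          else
            $DIALOG --title "$ERRTITLE" \
                    --backtitle "$BACKTITLE" \
                    --msgbox "$(head -n 1 "$TMPFILE")" $BL $BC
          fi
        else
          $DIALOG --title "$ERRTITLE" \
                  --backtitle "$BACKTITLE" \
                  --msgbox "AUTH May Setuid: No regular file specified!" 5 $BC
        fi
      ;;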

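    'AUTH May Set Cap:')
        # Flip auth_may_set_cap on a regular file: 0 becomes 1, and every
        # other current value (including an empty one) becomes 0.  A
        # successful change is appended to $RSBACLOGFILE when it is set.
        if test "$TYPE" = "FILE" && test "$SUBTYPE" = "FILE"
        then
          # Quoted so that an empty $AUTHSCAP compares as "not 0" instead of
          # making `test` print a syntax error on stderr.
          if test "$AUTHSCAP" = "0"
          then TMP="1"
          else TMP="0"
          fi
          if "${RSBACPATH}attr_set_file_dir" $TYPE "$FILE" auth_may_set_cap "$TMP" &>"$TMPFILE"
          then
            AUTHSCAP=$TMP
            if test -n "$RSBACLOGFILE"
            then
              # Verbatim record; $FILE is not shell-escaped, so review a line
              # before re-running it.
              printf '%s\n' "${RSBACPATH}attr_set_file_dir $TYPE \"$FILE\" auth_may_set_cap $TMP" >>"$RSBACLOGFILE"
            fi
          else
            $DIALOG --title "$ERRTITLE" \
                    --backtitle "$BACKTITLE" \
                    --msgbox "$(head -n 1 "$TMPFILE")" $BL $BC
          fi
        else
          $DIALOG --title "$ERRTITLE" \
                  --backtitle "$BACKTITLE" \
                  --msgbox "AUTH May Set Cap: No regular file specified!" 5 $BC
        fi
      ;;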

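    'AUTH Capabilities:' | 'AUTH Eff Capabilities:' | 'AUTH FS Capabilities:')
        # Edit one of the three AUTH capability sets of a regular file.  The
        # menu entry chosen selects the auth_set_cap switch (-e, -f or none);
        # the Add/Remove/Quit menu is then repeated until Quit or cancel.
        # Successful changes are appended to $RSBACLOGFILE when it is set, in
        # the same way the attr_set_file_dir arms of this menu record theirs.
        if test "$TYPE" = "FILE" && test "$SUBTYPE" = "FILE"
        then
          case "$CHOICE" in
            'AUTH Eff Capabilities:') CAPFLAGS='-e' ;;
            'AUTH FS Capabilities:')  CAPFLAGS='-f' ;;
            *)                        CAPFLAGS='' ;;
          esac
          while true
          do
            # The default item is cleared before every round.
            TMP=
            # $CAPFLAGS stays unquoted: when empty it must vanish from the
            # argument list.  $TMPFILE is quoted because it is built from
            # $TMPDIR, which is taken from the environment.
            if $DIALOG --title "$TITLE" \
                       --backtitle "$BACKTITLE" \
                       --default-item "$TMP" \
                       --menu "$FILE: $CHOICE $(get_caps $CAPFLAGS)" $BL $BC $(gl 3) \
                       "Add" "Capability" \
                       "Remove" "Capability" \
                       "Quit" "" \
                 2>"$TMPFILE"
            then
              TMP=$(<"$TMPFILE")
              case "$TMP" in
                Quit)
                  break
                  ;;
                Add)
                  choose_user
                  if test -n "$NEWMTUSER"
                  then
                    # NOTE(review): $NEWMTUSER is set by choose_user (defined
                    # elsewhere) and is kept unquoted as before; confirm
                    # whether it may hold more than one word.
                    if "${RSBACPATH}auth_set_cap" $CAPFLAGS FILE add "$FILE" $NEWMTUSER &>"$TMPFILE"
                    then
                      if test -n "$RSBACLOGFILE"
                      then
                        # Verbatim record; $FILE is not shell-escaped.
                        printf '%s\n' "${RSBACPATH}auth_set_cap ${CAPFLAGS:+$CAPFLAGS }FILE add \"$FILE\" $NEWMTUSER" >>"$RSBACLOGFILE"
                      fi
                    else
                      $DIALOG --title "$ERRTITLE" \
                              --backtitle "$BACKTITLE" \
                              --msgbox "$(head -n 1 "$TMPFILE")" $BL $BC
                    fi
                  fi
                  ;;
                Remove)
                  # Current entries feed the removal menu; both expansions
                  # are split into words on purpose.
                  TMP=$(get_caps $CAPFLAGS)
                  while $DIALOG --title "$TITLE" \
                                --backtitle "$BACKTITLE" \
                                --menu "Username/ID to be removed from $FILE file caps" $BL $BC $MAXLINES \
                                $(gen_cap_rem_user $TMP) \
                          2>"$TMPFILE"
                  do
                    # ':' in the chosen tag becomes a blank, so the answer
                    # can expand to several arguments for auth_set_cap.
                    TMP=$(tr ':' ' ' <"$TMPFILE")
                    if "${RSBACPATH}auth_set_cap" $CAPFLAGS FILE remove "$FILE" $TMP &>"$TMPFILE"
                    then
                      if test -n "$RSBACLOGFILE"
                      then
                        printf '%s\n' "${RSBACPATH}auth_set_cap ${CAPFLAGS:+$CAPFLAGS }FILE remove \"$FILE\" $TMP" >>"$RSBACLOGFILE"
                      fi
                      break
                    else
                      $DIALOG --title "$ERRTITLE" \
                              --backtitle "$BACKTITLE" \
                              --msgbox "$(head -n 1 "$TMPFILE")" $BL $BC
                    fi
                  done
                  ;;
              esac
            else
              break
            fi
          done
        else
          $DIALOG --title "$ERRTITLE" \
                  --backtitle "$BACKTITLE" \
                  --msgbox "$CHOICE: No regular file specified!" 5 $BC
        fi
      ;;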

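    'CAP Min Caps:')
        # Replace the min_caps set of $FILE with the boxes ticked in a
        # checklist, then re-read the stored value for display.  A successful
        # change is appended to $RSBACLOGFILE when that variable is set.
        if test "$TYPE" = "FILE"
        then
          # NOTE(review): the dashed separator row is itself a tickable
          # entry; if ticked, its tag is handed to attr_set_file_dir with the
          # rest.  How the tool treats it is not visible here.
          if $DIALOG --title "CAP min_caps for $TYPE $FILE" \
                     --backtitle "$BACKTITLE" \
                     --checklist "Bits: $MINCAPS" $BL $BC $MAXLINES \
                     $(gen_min_caps_list) \
                     '--------------' '-----------------' off \
                     UA 'Unset ALL' off \
                     A  'Set ALL' off \
                     FS_MASK  'Set all filesystem caps' off \
               2>"$TMPFILE"
          then
            # Strip the double quotes from the answer; $TMP is then left
            # unquoted so every ticked tag becomes its own argument.
            TMP=$(tr -d '"' <"$TMPFILE")
            if "${RSBACPATH}attr_set_file_dir" $TYPE "$FILE" min_caps $TMP &>"$TMPFILE"
            then
              # $GETSWITCH stays unquoted: when empty it must vanish.
              MINCAPS=$("${RSBACPATH}attr_get_file_dir" $GETSWITCH $TYPE "$FILE" min_caps)
              if test -n "$RSBACLOGFILE"
              then
                # Verbatim record; $FILE is not shell-escaped, so review a
                # line before re-running it.
                printf '%s\n' "${RSBACPATH}attr_set_file_dir $TYPE \"$FILE\" min_caps $TMP" >>"$RSBACLOGFILE"
              fi
            else
              $DIALOG --title "$ERRTITLE" \
                      --backtitle "$BACKTITLE" \
                      --msgbox "$(head -n 1 "$TMPFILE")" $BL $BC
            fi
          fi
        else
          $DIALOG --title "$ERRTITLE" \
                  --backtitle "$BACKTITLE" \
                  --msgbox "CAP Min Caps: No file specified!" 5 $BC
        fi
      ;;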

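    'CAP Max Caps:')
        # Replace the max_caps set of $FILE with the boxes ticked in a
        # checklist, then re-read the stored value for display.  A successful
        # change is appended to $RSBACLOGFILE when that variable is set.
        if test "$TYPE" = "FILE"
        then
          # NOTE(review): the dashed separator row is itself a tickable
          # entry; if ticked, its tag is handed to attr_set_file_dir with the
          # rest.  How the tool treats it is not visible here.
          if $DIALOG --title "CAP max_caps for $TYPE $FILE" \
                     --backtitle "$BACKTITLE" \
                     --checklist "Bits: $MAXCAPS" $BL $BC $MAXLINES \
                     $(gen_max_caps_list) \
                     '--------------' '-----------------' off \
                     UA 'Unset ALL' off \
                     A  'Set ALL' off \
                     FS_MASK  'Set all filesystem caps' off \
               2>"$TMPFILE"
          then
            # Strip the double quotes from the answer; $TMP is then left
            # unquoted so every ticked tag becomes its own argument.
            TMP=$(tr -d '"' <"$TMPFILE")
            if "${RSBACPATH}attr_set_file_dir" $TYPE "$FILE" max_caps $TMP &>"$TMPFILE"
            then
              # $GETSWITCH stays unquoted: when empty it must vanish.
              MAXCAPS=$("${RSBACPATH}attr_get_file_dir" $GETSWITCH $TYPE "$FILE" max_caps)
              if test -n "$RSBACLOGFILE"
              then
                # Verbatim record; $FILE is not shell-escaped, so review a
                # line before re-running it.
                printf '%s\n' "${RSBACPATH}attr_set_file_dir $TYPE \"$FILE\" max_caps $TMP" >>"$RSBACLOGFILE"
              fi
            else
              $DIALOG --title "$ERRTITLE" \
                      --backtitle "$BACKTITLE" \
                      --msgbox "$(head -n 1 "$TMPFILE")" $BL $BC
            fi
          fi
        else
          $DIALOG --title "$ERRTITLE" \
                  --backtitle "$BACKTITLE" \
                  --msgbox "CAP Max Caps: No file specified!" 5 $BC
        fi
      ;;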

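    'RES Min Resources:')
        # Edit the res_min limits of $FILE: a menu built from the output of
        # attr_get_file_dir picks the resource, an input box takes the new
        # limit.  The menu repeats until it is cancelled.  A successful
        # change is appended to $RSBACLOGFILE when that variable is set.
        if test "$TYPE" = "FILE"
        then
          # $TMPFILE is quoted because it is built from $TMPDIR, which is
          # taken from the environment.  The command substitution feeding
          # --menu is split into tag/text words on purpose.
          while $DIALOG --title "$TITLE" \
                        --backtitle "$BACKTITLE" \
                        --help-button --default-item "$RESSEL" \
                        --menu "RES Minimum Resources for $TYPE $FILE" $BL $BC $MAXLINES \
                        $("${RSBACPATH}attr_get_file_dir" $TYPE "$FILE" res_min) \
                  2>"$TMPFILE"
          do
            RESSEL=$(<"$TMPFILE")
            case "$RESSEL" in
              HELP*)
                # Help answer: drop the first five characters to get the
                # tag, show its help and keep it as the next default item.
                show_help "${RESSEL:5}"
                RESSEL="${RESSEL:5}"
                ;;
              *)
                # The input box is pre-filled with the current limit.
                if $DIALOG --title "$TITLE" \
                           --backtitle "$BACKTITLE" \
                           --inputbox "Minimum $RESSEL resource limit for $FILE (0 = unset)" \
                           $BL $BC "$("${RSBACPATH}attr_get_file_dir" $TYPE "$FILE" res_min "$RESSEL")" \
                     2>"$TMPFILE"
                then
                  TMP=$(<"$TMPFILE")
                  # NOTE(review): $TMP is operator-typed text and stays
                  # unquoted as before, so it is word-split and glob-expanded
                  # into the argument list; validating it as a number first
                  # would be safer.
                  if "${RSBACPATH}attr_set_file_dir" $TYPE "$FILE" res_min "$RESSEL" $TMP &>"$TMPFILE"
                  then
                    RESMIN=$("${RSBACPATH}attr_get_file_dir" -s $TYPE "$FILE" res_min)
                    if test -n "$RSBACLOGFILE"
                    then
                      # Verbatim record; $FILE is not shell-escaped.
                      printf '%s\n' "${RSBACPATH}attr_set_file_dir $TYPE \"$FILE\" res_min $RESSEL $TMP" >>"$RSBACLOGFILE"
                    fi
                  else
                    $DIALOG --title "$ERRTITLE" \
                            --backtitle "$BACKTITLE" \
                            --msgbox "$(head -n 1 "$TMPFILE")" $BL $BC
                  fi
                fi
                ;;
            esac
          done
        else
          $DIALOG --title "$ERRTITLE" \
                  --backtitle "$BACKTITLE" \
                  --msgbox "RES Min Resources: No file specified!" 5 $BC
        fi
      ;;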

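    'RES Max Resources:')
        # Edit the res_max limits of $FILE: a menu built from the output of
        # attr_get_file_dir picks the resource, an input box takes the new
        # limit.  The menu repeats until it is cancelled.  A successful
        # change is appended to $RSBACLOGFILE when that variable is set.
        if test "$TYPE" = "FILE"
        then
          # $TMPFILE is quoted because it is built from $TMPDIR, which is
          # taken from the environment.  The command substitution feeding
          # --menu is split into tag/text words on purpose.
          while $DIALOG --title "$TITLE" \
                        --backtitle "$BACKTITLE" \
                        --help-button --default-item "$RESSEL" \
                        --menu "RES Maximum Resources for $TYPE $FILE" $BL $BC $MAXLINES \
                        $("${RSBACPATH}attr_get_file_dir" $TYPE "$FILE" res_max) \
                  2>"$TMPFILE"
          do
            RESSEL=$(<"$TMPFILE")
            case "$RESSEL" in
              HELP*)
                # Help answer: drop the first five characters to get the
                # tag, show its help and keep it as the next default item.
                show_help "${RESSEL:5}"
                RESSEL="${RESSEL:5}"
                ;;
              *)
                # The input box is pre-filled with the current limit.
                if $DIALOG --title "$TITLE" \
                           --backtitle "$BACKTITLE" \
                           --inputbox "Maximum $RESSEL resource limit for $FILE (0 = unset)" \
                           $BL $BC "$("${RSBACPATH}attr_get_file_dir" $TYPE "$FILE" res_max "$RESSEL")" \
                     2>"$TMPFILE"
                then
                  TMP=$(<"$TMPFILE")
                  # NOTE(review): $TMP is operator-typed text and stays
                  # unquoted as before, so it is word-split and glob-expanded
                  # into the argument list; validating it as a number first
                  # would be safer.
                  if "${RSBACPATH}attr_set_file_dir" $TYPE "$FILE" res_max "$RESSEL" $TMP &>"$TMPFILE"
                  then
                    RESMAX=$("${RSBACPATH}attr_get_file_dir" -s $TYPE "$FILE" res_max)
                    if test -n "$RSBACLOGFILE"
                    then
                      # Verbatim record; $FILE is not shell-escaped.
                      printf '%s\n' "${RSBACPATH}attr_set_file_dir $TYPE \"$FILE\" res_max $RESSEL $TMP" >>"$RSBACLOGFILE"
                    fi
                  else
                    $DIALOG --title "$ERRTITLE" \
                            --backtitle "$BACKTITLE" \
                            --msgbox "$(head -n 1 "$TMPFILE")" $BL $BC
                  fi
                fi
                ;;
            esac
          done
        else
          $DIALOG --title "$ERRTITLE" \
                  --backtitle "$BACKTITLE" \
                  --msgbox "RES Max Resources: No file specified!" 5 $BC
        fi
      ;;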

    'Log Array Low:')
        # Open the log submenu; without a selected target only an error box
        # is shown.
        if test "$TYPE" = "NONE"
        then
          $DIALOG --title "$ERRTITLE" --backtitle "$BACKTITLE" \
                  --msgbox "Log Array Low: No file/dir specified!" 5 $BC
        else
          log_menu
        fi
      ;;

    'Log Array High:')
        # Open the log submenu (the same log_menu call as 'Log Array Low:');
        # without a selected target only an error box is shown.
        if test "$TYPE" = "NONE"
        then
          $DIALOG --title "$ERRTITLE" --backtitle "$BACKTITLE" \
                  --msgbox "Log Array High: No file/dir specified!" 5 $BC
        else
          log_menu
        fi
      ;;

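    'Log Program Based:')
        # Replace the log_program_based request set of $FILE with the boxes
        # ticked in a checklist, then re-read the stored value for display.
        # A successful change is appended to $RSBACLOGFILE when it is set.
        if test "$TYPE" != "NONE"
        then
          # NOTE(review): the dashed separator row is itself a tickable
          # entry; if ticked, its tag is handed to attr_set_file_dir with the
          # rest.  How the tool treats it is not visible here.
          if $DIALOG --title "log_program_based for $TYPE $FILE" \
                     --backtitle "$BACKTITLE" \
                     --checklist "Bits: $LOGPROG" $BL $BC $MAXLINES \
                     $(gen_request_list) \
                     '--------------' '-----------------' off \
                     UA 'Unset ALL' off \
                     A  'Set ALL' off \
                     R  'Set Read Requests' off \
                     RW 'Set Read-Write R.' off \
                     W  'Set Write Requests' off \
                     SY 'Set System R.' off \
                     SE 'Set Security R.' off \
               2>"$TMPFILE"
          then
            # Strip the double quotes from the answer; $TMP is then left
            # unquoted so every ticked tag becomes its own argument.
            TMP=$(tr -d '"' <"$TMPFILE")
            if "${RSBACPATH}attr_set_file_dir" $TYPE "$FILE" log_program_based $TMP &>"$TMPFILE"
            then
              # $GETSWITCH stays unquoted: when empty it must vanish.
              LOGPROG=$("${RSBACPATH}attr_get_file_dir" $GETSWITCH $TYPE "$FILE" log_program_based)
              if test -n "$RSBACLOGFILE"
              then
                # Verbatim record; $FILE is not shell-escaped, so review a
                # line before re-running it.
                printf '%s\n' "${RSBACPATH}attr_set_file_dir $TYPE \"$FILE\" log_program_based $TMP" >>"$RSBACLOGFILE"
              fi
            else
              $DIALOG --title "$ERRTITLE" \
                      --backtitle "$BACKTITLE" \
                      --msgbox "$(head -n 1 "$TMPFILE")" $BL $BC
            fi
          fi
        else
          $DIALOG --title "$ERRTITLE" \
                  --backtitle "$BACKTITLE" \
                  --msgbox "Log Program Based: No file/dir specified!" 5 $BC
        fi
      ;;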

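    'Symlink Add UID:')
        # Flip symlink_add_uid on a symlink: 0 becomes 1, and every other
        # current value (including an empty one) becomes 0.  A successful
        # change is appended to $RSBACLOGFILE when that variable is set.
        if test "$TYPE" = "SYMLINK"
        then
          # Quoted so that an empty $SYMADDUID compares as "not 0" instead of
          # making `test` print a syntax error on stderr.
          if test "$SYMADDUID" = "0"
          then TMP="1"
          else TMP="0"
          fi
          if "${RSBACPATH}attr_set_file_dir" $TYPE "$FILE" symlink_add_uid "$TMP" &>"$TMPFILE"
          then
            SYMADDUID=$TMP
            if test -n "$RSBACLOGFILE"
            then
              # Verbatim record; $FILE is not shell-escaped, so review a line
              # before re-running it.
              printf '%s\n' "${RSBACPATH}attr_set_file_dir $TYPE \"$FILE\" symlink_add_uid $TMP" >>"$RSBACLOGFILE"
            fi
          else
            $DIALOG --title "$ERRTITLE" \
                    --backtitle "$BACKTITLE" \
                    --msgbox "$(head -n 1 "$TMPFILE")" $BL $BC
          fi
        else
          $DIALOG --title "$ERRTITLE" \
                  --backtitle "$BACKTITLE" \
                  --msgbox "Symlink Add UID: No symlink specified!" 5 $BC
        fi
      ;;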

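    'Symlink Add MAC Level:')
        # Flip symlink_add_mac_level on a symlink: 0 becomes 1, and every
        # other current value (including an empty one) becomes 0.  A
        # successful change is appended to $RSBACLOGFILE when it is set.
        if test "$TYPE" = "SYMLINK"
        then
          # Quoted so that an empty $SYMADDMAC compares as "not 0" instead of
          # making `test` print a syntax error on stderr.
          if test "$SYMADDMAC" = "0"
          then TMP="1"
          else TMP="0"
          fi
          if "${RSBACPATH}attr_set_file_dir" $TYPE "$FILE" symlink_add_mac_level "$TMP" &>"$TMPFILE"
          then
            SYMADDMAC=$TMP
            if test -n "$RSBACLOGFILE"
            then
              # Verbatim record; $FILE is not shell-escaped, so review a line
              # before re-running it.
              printf '%s\n' "${RSBACPATH}attr_set_file_dir $TYPE \"$FILE\" symlink_add_mac_level $TMP" >>"$RSBACLOGFILE"
            fi
          else
            $DIALOG --title "$ERRTITLE" \
                    --backtitle "$BACKTITLE" \
                    --msgbox "$(head -n 1 "$TMPFILE")" $BL $BC
          fi
        else
          $DIALOG --title "$ERRTITLE" \
                  --backtitle "$BACKTITLE" \
                  --msgbox "Symlink Add MAC Level: No symlink specified!" 5 $BC
        fi
      ;;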

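    'Symlink Add RC Role:')
        # Flip symlink_add_rc_role on a symlink: 0 becomes 1, and every other
        # current value (including an empty one) becomes 0.  A successful
        # change is appended to $RSBACLOGFILE when that variable is set.
        if test "$TYPE" = "SYMLINK"
        then
          # Quoted so that an empty $SYMADDRC compares as "not 0" instead of
          # making `test` print a syntax error on stderr.
          if test "$SYMADDRC" = "0"
          then TMP="1"
          else TMP="0"
          fi
          if "${RSBACPATH}attr_set_file_dir" $TYPE "$FILE" symlink_add_rc_role "$TMP" &>"$TMPFILE"
          then
            SYMADDRC=$TMP
            if test -n "$RSBACLOGFILE"
            then
              # Verbatim record; $FILE is not shell-escaped, so review a line
              # before re-running it.
              printf '%s\n' "${RSBACPATH}attr_set_file_dir $TYPE \"$FILE\" symlink_add_rc_role $TMP" >>"$RSBACLOGFILE"
            fi
          else
            $DIALOG --title "$ERRTITLE" \
                    --backtitle "$BACKTITLE" \
                    --msgbox "$(head -n 1 "$TMPFILE")" $BL $BC
          fi
        else
          $DIALOG --title "$ERRTITLE" \
                  --backtitle "$BACKTITLE" \
                  --msgbox "Symlink Add RC Role: No symlink specified!" 5 $BC
        fi
      ;;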

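    'Linux DAC disable:')
        # Choose linux_dac_disable (0, 1 or 2) for $FILE from a radio list
        # whose labels come from get_vname and whose current setting is
        # marked via onoff.  A successful change is appended to $RSBACLOGFILE
        # when that variable is set.
        # NOTE(review): going by the attribute name, this decides whether
        # the ordinary Linux permission checks apply to the target - confirm
        # against the RSBAC documentation before changing it widely.
        if test "$TYPE" != "NONE"
        then
          # $TMPFILE is quoted because it is built from $TMPDIR, which is
          # taken from the environment.
          if $DIALOG --title "$TITLE" \
                     --backtitle "$BACKTITLE" \
                     --radiolist "Choose Linux DAC disable value for $FILE" $BL $BC 6 \
                     0 "$(get_vname dacdis 0)" $(onoff 0 $DACDIS) \
                     1 "$(get_vname dacdis 1)" $(onoff 1 $DACDIS) \
                     2 "$(get_vname dacdis 2)" $(onoff 2 $DACDIS) \
               2>"$TMPFILE"
          then
            # $TMP stays unquoted: if no entry was ticked the answer is empty
            # and must not be passed on as an empty argument.
            TMP=$(<"$TMPFILE")
            if "${RSBACPATH}attr_set_file_dir" $TYPE "$FILE" linux_dac_disable $TMP &>"$TMPFILE"
            then
              DACDIS=$TMP
              if test -n "$RSBACLOGFILE"
              then
                # Verbatim record; $FILE is not shell-escaped, so review a
                # line before re-running it.
                printf '%s\n' "${RSBACPATH}attr_set_file_dir $TYPE \"$FILE\" linux_dac_disable $TMP" >>"$RSBACLOGFILE"
              fi
            else
              $DIALOG --title "$ERRTITLE" \
                      --backtitle "$BACKTITLE" \
                      --msgbox "$(head -n 1 "$TMPFILE")" $BL $BC
            fi
          fi
        else
          $DIALOG --title "$ERRTITLE" \
                  --backtitle "$BACKTITLE" \
                  --msgbox "Linux DAC disable: No file/dir specified!" 5 $BC
        fi
      ;;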

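    'Dev Attributes:')
        # Hand over to the separate device menu for $FILE.  The program name
        # is quoted as one word so a blank in $RSBACPATH cannot split it;
        # with an empty $RSBACPATH the program is looked up through PATH.
        # Unlike most arms, no check on $TYPE is made before the call.
        "${RSBACPATH}rsbac_dev_menu" "$FILE"
      ;;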

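    'ACL Menu:')
        # Hand over to the separate ACL menu for $FILE as an FD target.  The
        # program name is quoted as one word so a blank in $RSBACPATH cannot
        # split it; with an empty $RSBACPATH it is looked up through PATH.
        # Unlike most arms, no check on $TYPE is made before the call.
        "${RSBACPATH}rsbac_acl_menu" FD "$FILE"
      ;;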

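    'Reset Attributes:')
        # After a yes/no confirmation, run attr_rm_file_dir on $FILE and
        # reload the displayed values with get_attributes.  The reset is
        # appended to $RSBACLOGFILE (when set) like the single-attribute
        # changes of the other arms, so the record does not miss the one
        # action that touches every attribute at once.
        if test "$TYPE" != "NONE"
        then
          if $DIALOG --title "$TITLE" \
                     --backtitle "$BACKTITLE" \
                     --yesno "Reset all attributes to default values?" 5 $BC \
               2>/dev/null
          then
            # $TMPFILE is quoted because it is built from $TMPDIR, which is
            # taken from the environment.
            if "${RSBACPATH}attr_rm_file_dir" $TYPE "$FILE" &>"$TMPFILE"
            then
              if test -n "$RSBACLOGFILE"
              then
                # Verbatim record; $FILE is not shell-escaped, so review a
                # line before re-running it.
                printf '%s\n' "${RSBACPATH}attr_rm_file_dir $TYPE \"$FILE\"" >>"$RSBACLOGFILE"
              fi
              get_attributes
            else
              $DIALOG --title "$ERRTITLE" \
                      --backtitle "$BACKTITLE" \
                      --msgbox "$(head -n 1 "$TMPFILE")" $BL $BC
            fi
          fi
        else
          $DIALOG --title "$ERRTITLE" \
                  --backtitle "$BACKTITLE" \
                  --msgbox "Reset Attributes: No file/dir specified!" 5 $BC
        fi
      ;;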

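    Quit)
        # Remove the scratch file and leave; the exit status is that of rm.
        # Quoted and preceded by `--` because the name is built from
        # $TMPDIR, which comes from the environment.
        rm -- "$TMPFILE" ; exit
      ;;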

    *)
        # Fallback arm: no earlier pattern matched the selection.
        $DIALOG --title "$ERRTITLE" --backtitle "$BACKTITLE" \
                --msgbox "Main Menu: Selection Error!" 5 $BC
  esac
# sleep 2
done
