commit df68672e8885fbfdc4151d02540e140a94e1d286 Author: MSVSphere Packaging Team Date: Fri Mar 29 16:11:50 2024 +0300 import policycoreutils-2.9-25.el8
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..57456b5
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,13 @@
+SOURCES/gui-po.tgz
+SOURCES/policycoreutils-2.9.tar.gz
+SOURCES/policycoreutils-po.tgz
+SOURCES/python-po.tgz
+SOURCES/restorecond-2.9.tar.gz
+SOURCES/sandbox-po.tgz
+SOURCES/selinux-dbus-2.9.tar.gz
+SOURCES/selinux-gui-2.9.tar.gz
+SOURCES/selinux-python-2.9.tar.gz
+SOURCES/selinux-sandbox-2.9.tar.gz
+SOURCES/semodule-utils-2.9.tar.gz
+SOURCES/sepolicy-icons.tgz
+SOURCES/system-config-selinux.png
diff --git a/.policycoreutils.metadata b/.policycoreutils.metadata
new file mode 100644
index 0000000..e530a47
--- /dev/null
+++ b/.policycoreutils.metadata
@@ -0,0 +1,13 @@
+3f355f8cbfdf7be6f9a8190153090af95d2c7358 SOURCES/gui-po.tgz
+6e64d9a38fb516738023eb429eef29af5383f443 SOURCES/policycoreutils-2.9.tar.gz
+51122ae6029657bf762d72bff94bab38890fd1e7 SOURCES/policycoreutils-po.tgz
+c503e61733af54159d5950bbd9fa8080771ee938 SOURCES/python-po.tgz
+0a34ef54394972870203832c8ce52d4405bd5330 SOURCES/restorecond-2.9.tar.gz
+7df1784ab0c6b0823943571d733b856d10a87f76 SOURCES/sandbox-po.tgz
+8645509cdfc433278c2e4d29ee8f511625c7edcc SOURCES/selinux-dbus-2.9.tar.gz
+5c155ae47692389d9fabaa154195e7f978f2a3f0 SOURCES/selinux-gui-2.9.tar.gz
+660e1ab824ef80f7a69f0b70f61e231957fd398e SOURCES/selinux-python-2.9.tar.gz
+0e208cad193021ad17a445b76b72af3fef8db999 SOURCES/selinux-sandbox-2.9.tar.gz
+a4414223e60bb664ada4824e54f8d36ab208d599 SOURCES/semodule-utils-2.9.tar.gz
+d849fa76cc3ef4a26047d8a69fef3a55d2f3097f SOURCES/sepolicy-icons.tgz
+611a5d497efaddd45ec0dcc3e9b2e5b0f81ebc41 SOURCES/system-config-selinux.png
diff --git a/SOURCES/0001-gui-Install-polgengui.py-to-usr-bin-selinux-polgengu.patch b/SOURCES/0001-gui-Install-polgengui.py-to-usr-bin-selinux-polgengu.patch
new file mode 100644
index 0000000..6fb92fb
--- /dev/null
+++ b/SOURCES/0001-gui-Install-polgengui.py-to-usr-bin-selinux-polgengu.patch
@@ -0,0 +1,43 @@
+From c778509dd0ed3b184d720032f31971f975e42973 Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach
+Date: Tue, 5 Mar 2019 17:38:55 +0100
+Subject: [PATCH] gui: Install polgengui.py to /usr/bin/selinux-polgengui
+
+polgengui.py is a standalone gui tool which should be in /usr/bin with other
+tools.
+
+Signed-off-by: Petr Lautrbach
+---
+ gui/Makefile | 2 +-
+ gui/modulesPage.py | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/gui/Makefile b/gui/Makefile
+index c2f982de..b2375fbf 100644
+--- a/gui/Makefile
++++ b/gui/Makefile
+@@ -31,7 +31,7 @@ install: all
+ -mkdir -p $(DESTDIR)$(DATADIR)/polkit-1/actions/
+ install -m 755 system-config-selinux.py $(DESTDIR)$(SHAREDIR)
+ install -m 755 system-config-selinux $(DESTDIR)$(BINDIR)
+- install -m 755 polgengui.py $(DESTDIR)$(SHAREDIR)
++ install -m 755 polgengui.py $(DESTDIR)$(BINDIR)/selinux-polgengui
+ install -m 644 $(TARGETS) $(DESTDIR)$(SHAREDIR)
+ install -m 644 system-config-selinux.8 $(DESTDIR)$(MANDIR)/man8
+ install -m 644 selinux-polgengui.8 $(DESTDIR)$(MANDIR)/man8
+diff --git a/gui/modulesPage.py b/gui/modulesPage.py
+index 34c5d9e3..cb856b2d 100644
+--- a/gui/modulesPage.py
++++ b/gui/modulesPage.py
+@@ -118,7 +118,7 @@ class modulesPage(semanagePage):
+
+ def new_module(self, args):
+ try:
+- Popen(["/usr/share/system-config-selinux/polgengui.py"])
++ Popen(["selinux-polgengui"])
+ except ValueError as e:
+ self.error(e.args[0])
+
+--
+2.21.0
+
diff --git a/SOURCES/0002-gui-Install-.desktop-files-to-usr-share-applications.patch b/SOURCES/0002-gui-Install-.desktop-files-to-usr-share-applications.patch
new file mode 100644
index 0000000..26a16bf
--- /dev/null
+++ b/SOURCES/0002-gui-Install-.desktop-files-to-usr-share-applications.patch
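Review bot: In gui/modulesPage.py (patch 0001), `Popen(["selinux-polgengui"])` is now resolved through the PATH of the running GUI process, where the removed line named an absolute path. If system-config-selinux can run with elevated privileges or an inherited environment (not visible in this hunk), whichever executable of that name comes first in PATH is started; naming the installed location, e.g. `Popen(["/usr/bin/selinux-polgengui"])` or a path derived from the configured BINDIR, keeps the lookup fixed. The handler also catches only `ValueError`, so a missing binary surfaces as an unhandled `OSError`; `except (ValueError, OSError) as e:` with `self.error(str(e))` would report it to the user. The body of `new_module` is fully visible, but its class continues outside the hunk.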
@@ -0,0 +1,49 @@
+From 04b632e6de14ec0336e14988bf4c2bd581f7308e Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach
+Date: Tue, 5 Mar 2019 17:25:00 +0100
+Subject: [PATCH] gui: Install .desktop files to /usr/share/applications by
+ default
+
+/usr/share/applications is a standard directory for .desktop files.
+Installation path can be changed using DESKTOPDIR variable in installation
+phase, e.g.
+
+make DESKTOPDIR=/usr/local/share/applications install
+
+Signed-off-by: Petr Lautrbach
+---
+ gui/Makefile | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/gui/Makefile b/gui/Makefile
+index b2375fbf..ca965c94 100644
+--- a/gui/Makefile
++++ b/gui/Makefile
+@@ -5,6 +5,7 @@ BINDIR ?= $(PREFIX)/bin
+ SHAREDIR ?= $(PREFIX)/share/system-config-selinux
+ DATADIR ?= $(PREFIX)/share
+ MANDIR ?= $(PREFIX)/share/man
++DESKTOPDIR ?= $(PREFIX)/share/applications
+
+ TARGETS= \
+ booleansPage.py \
+@@ -29,6 +30,7 @@ install: all
+ -mkdir -p $(DESTDIR)$(DATADIR)/pixmaps
+ -mkdir -p $(DESTDIR)$(DATADIR)/icons/hicolor/24x24/apps
+ -mkdir -p $(DESTDIR)$(DATADIR)/polkit-1/actions/
++ -mkdir -p $(DESTDIR)$(DESKTOPDIR)
+ install -m 755 system-config-selinux.py $(DESTDIR)$(SHAREDIR)
+ install -m 755 system-config-selinux $(DESTDIR)$(BINDIR)
+ install -m 755 polgengui.py $(DESTDIR)$(BINDIR)/selinux-polgengui
+@@ -44,7 +46,7 @@ install: all
+ install -m 644 system-config-selinux.png $(DESTDIR)$(DATADIR)/pixmaps
+ install -m 644 system-config-selinux.png $(DESTDIR)$(DATADIR)/icons/hicolor/24x24/apps
+ install -m 644 system-config-selinux.png $(DESTDIR)$(DATADIR)/system-config-selinux
+- install -m 644 *.desktop $(DESTDIR)$(DATADIR)/system-config-selinux
++ install -m 644 *.desktop $(DESTDIR)$(DESKTOPDIR)
+ -mkdir -p $(DESTDIR)$(DATADIR)/pixmaps
+ install -m 644 sepolicy_256.png $(DESTDIR)$(DATADIR)/pixmaps/sepolicy.png
+ for i in 16 22 32 48 256; do \
+--
+2.21.0
+
diff --git a/SOURCES/0003-sandbox-add-reset-to-Xephyr-as-it-works-better-with-.patch b/SOURCES/0003-sandbox-add-reset-to-Xephyr-as-it-works-better-with-.patch
new file mode 100644
index 0000000..8802042
--- /dev/null
+++ b/SOURCES/0003-sandbox-add-reset-to-Xephyr-as-it-works-better-with-.patch
@@ -0,0 +1,26 @@
+From 52e0583f6adfe70825b009b626e19c290b49763a Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach
+Date: Thu, 20 Aug 2015 12:58:41 +0200
+Subject: [PATCH] sandbox: add -reset to Xephyr as it works better with it in
+ recent Fedoras
+
+---
+ sandbox/sandboxX.sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sandbox/sandboxX.sh b/sandbox/sandboxX.sh
+index eaa500d0..47745280 100644
+--- a/sandbox/sandboxX.sh
++++ b/sandbox/sandboxX.sh
+@@ -20,7 +20,7 @@ cat > ~/.config/openbox/rc.xml << EOF
+
+ EOF
+
+-(/usr/bin/Xephyr -resizeable -title "$TITLE" -terminate -screen $SCREENSIZE -dpi $DPI -nolisten tcp -displayfd 5 5>&1 2>/dev/null) | while read D; do
++(/usr/bin/Xephyr -resizeable -title "$TITLE" -terminate -reset -screen $SCREENSIZE -dpi $DPI -nolisten tcp -displayfd 5 5>&1 2>/dev/null) | while read D; do
+ export DISPLAY=:$D
+ cat > ~/seremote << __EOF
+ #!/bin/sh
+--
+2.21.0
+
diff --git a/SOURCES/0004-Fix-STANDARD_FILE_CONTEXT-section-in-man-pages.patch b/SOURCES/0004-Fix-STANDARD_FILE_CONTEXT-section-in-man-pages.patch
new file mode 100644
index 0000000..0973405
--- /dev/null
+++ b/SOURCES/0004-Fix-STANDARD_FILE_CONTEXT-section-in-man-pages.patch
@@ -0,0 +1,46 @@
+From 7504614fdd7dcf11b3a7568ca9b4b921973531dd Mon Sep 17 00:00:00 2001
+From: Dan Walsh
+Date: Mon, 21 Apr 2014 13:54:40 -0400
+Subject: [PATCH] Fix STANDARD_FILE_CONTEXT section in man pages
+
+Signed-off-by: Miroslav Grepl
+---
+ python/sepolicy/sepolicy/manpage.py | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
+index 1d367962..24e311a3 100755
+--- a/python/sepolicy/sepolicy/manpage.py
++++ b/python/sepolicy/sepolicy/manpage.py
+@@ -735,10 +735,13 @@ Default Defined Ports:""")
+
+ def _file_context(self):
+ flist = []
++ flist_non_exec = []
+ mpaths = []
+ for f in self.all_file_types:
+ if f.startswith(self.domainname):
+ flist.append(f)
++ if not file_type_is_executable(f) or not file_type_is_entrypoint(f):
++ flist_non_exec.append(f)
+ if f in self.fcdict:
+ mpaths = mpaths + self.fcdict[f]["regex"]
+ if len(mpaths) == 0:
+@@ -797,12 +800,12 @@ SELinux %(domainname)s policy is very flexible allowing users to setup their %(d
+ SELinux defines the file context types for the %(domainname)s, if you wanted to
+ store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk.
+
+-.B semanage fcontext -a -t %(type)s '/srv/%(domainname)s/content(/.*)?'
++.B semanage fcontext -a -t %(type)s '/srv/my%(domainname)s_content(/.*)?'
+ .br
+ .B restorecon -R -v /srv/my%(domainname)s_content
+
+ Note: SELinux often uses regular expressions to specify labels that match multiple files.
+-""" % {'domainname': self.domainname, "type": flist[0]})
++""" % {'domainname': self.domainname, "type": flist_non_exec[-1]})
+
+ self.fd.write(r"""
+ .I The following file types are defined for %(domainname)s:
+--
+2.21.0
+
diff --git a/SOURCES/0005-If-there-is-no-executable-we-don-t-want-to-print-a-p.patch b/SOURCES/0005-If-there-is-no-executable-we-don-t-want-to-print-a-p.patch
new file mode 100644
index 0000000..9e7d54f
--- /dev/null
+++ b/SOURCES/0005-If-there-is-no-executable-we-don-t-want-to-print-a-p.patch
@@ -0,0 +1,27 @@
+From 9847a26b7f8358432ee4c7019efb3cbad0c162b0 Mon Sep 17 00:00:00 2001
+From: Miroslav Grepl
+Date: Mon, 12 May 2014 14:11:22 +0200
+Subject: [PATCH] If there is no executable we don't want to print a part of
+ STANDARD FILE CONTEXT
+
+---
+ python/sepolicy/sepolicy/manpage.py | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
+index 24e311a3..46092be0 100755
+--- a/python/sepolicy/sepolicy/manpage.py
++++ b/python/sepolicy/sepolicy/manpage.py
+@@ -793,7 +793,8 @@ SELinux %(domainname)s policy is very flexible allowing users to setup their %(d
+ .PP
+ """ % {'domainname': self.domainname, 'equiv': e, 'alt': e.split('/')[-1]})
+
+- self.fd.write(r"""
++ if flist_non_exec:
++ self.fd.write(r"""
+ .PP
+ .B STANDARD FILE CONTEXT
+
+--
+2.21.0
+
diff --git a/SOURCES/0006-Simplication-of-sepolicy-manpage-web-functionality.-.patch b/SOURCES/0006-Simplication-of-sepolicy-manpage-web-functionality.-.patch
new file mode 100644
index 0000000..f87058c
--- /dev/null
+++ b/SOURCES/0006-Simplication-of-sepolicy-manpage-web-functionality.-.patch
@@ -0,0 +1,169 @@
+From b2993d464e05291020dbf60fc2948ac152eb0003 Mon Sep 17 00:00:00 2001
+From: Miroslav Grepl
+Date: Thu, 19 Feb 2015 17:45:15 +0100
+Subject: [PATCH] Simplication of sepolicy-manpage web functionality.
+ system_release is no longer hardcoded and it creates only index.html and html
+ man pages in the directory for the system release.
+
+---
+ python/sepolicy/sepolicy/__init__.py | 25 +++--------
+ python/sepolicy/sepolicy/manpage.py | 65 +++-------------------------
+ 2 files changed, 13 insertions(+), 77 deletions(-)
+
+diff --git a/python/sepolicy/sepolicy/__init__.py b/python/sepolicy/sepolicy/__init__.py
+index 6aed31bd..88a2b8f6 100644
+--- a/python/sepolicy/sepolicy/__init__.py
++++ b/python/sepolicy/sepolicy/__init__.py
+@@ -1209,27 +1209,14 @@ def boolean_desc(boolean):
+
+
+ def get_os_version():
+- os_version = ""
+- pkg_name = "selinux-policy"
++ system_release = ""
+ try:
+- try:
+- from commands import getstatusoutput
+- except ImportError:
+- from subprocess import getstatusoutput
+- rc, output = getstatusoutput("rpm -q '%s'" % pkg_name)
+- if rc == 0:
+- os_version = output.split(".")[-2]
+- except:
+- os_version = ""
+-
+- if os_version[0:2] == "fc":
+- os_version = "Fedora" + os_version[2:]
+- elif os_version[0:2] == "el":
+- os_version = "RHEL" + os_version[2:]
+- else:
+- os_version = ""
++ with open('/etc/system-release') as f:
++ system_release = f.readline()
++ except IOError:
++ system_release = "Misc"
+
+- return os_version
++ return system_release
+
+
+ def reinit():
+diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
+index 46092be0..d60acfaf 100755
+--- a/python/sepolicy/sepolicy/manpage.py
++++ b/python/sepolicy/sepolicy/manpage.py
+@@ -149,10 +149,6 @@ def prettyprint(f, trim):
+ manpage_domains = []
+ manpage_roles = []
+
+-fedora_releases = ["Fedora17", "Fedora18"]
+-rhel_releases = ["RHEL6", "RHEL7"]
+-
+-
+ def get_alphabet_manpages(manpage_list):
+ alphabet_manpages = 
dict.fromkeys(string.ascii_letters, []) + for i in string.ascii_letters: +@@ -182,7 +178,7 @@ def convert_manpage_to_html(html_manpage, manpage): + class HTMLManPages: + + """ +- Generate a HHTML Manpages on an given SELinux domains ++ Generate a HTML Manpages on an given SELinux domains + """ + + def __init__(self, manpage_roles, manpage_domains, path, os_version): +@@ -190,9 +186,9 @@ class HTMLManPages: + self.manpage_domains = get_alphabet_manpages(manpage_domains) + self.os_version = os_version + self.old_path = path + "/" +- self.new_path = self.old_path + self.os_version + "/" ++ self.new_path = self.old_path + +- if self.os_version in fedora_releases or self.os_version in rhel_releases: ++ if self.os_version: + self.__gen_html_manpages() + else: + print("SELinux HTML man pages can not be generated for this %s" % os_version) +@@ -201,7 +197,6 @@ class HTMLManPages: + def __gen_html_manpages(self): + self._write_html_manpage() + self._gen_index() +- self._gen_body() + self._gen_css() + + def _write_html_manpage(self): +@@ -219,67 +214,21 @@ class HTMLManPages: + convert_manpage_to_html((self.new_path + r.rsplit("_selinux", 1)[0] + ".html"), self.old_path + r) + + def _gen_index(self): +- index = self.old_path + "index.html" +- fd = open(index, 'w') +- fd.write(""" +- +- +- +- SELinux man pages online +- +- +-

SELinux man pages

+-

+-Fedora or Red Hat Enterprise Linux Man Pages. +-

+-
+-

Fedora

+- +- +-
+-
+-
+-""")
+-        for f in fedora_releases:
+-            fd.write("""
+-%s - SELinux man pages for %s """ % (f, f, f, f))
+-
+-        fd.write("""
+-
+-
+-

RHEL

+- +- +-
+-
+-
+-""")
+-        for r in rhel_releases:
+-            fd.write("""
+-%s - SELinux man pages for %s """ % (r, r, r, r))
+-
+-        fd.write("""
+-
+- """) +- fd.close() +- print("%s has been created" % index) +- +- def _gen_body(self): + html = self.new_path + self.os_version + ".html" + fd = open(html, 'w') + fd.write(""" + + +- +- Linux man-pages online for Fedora18 ++ ++ SELinux man pages online + + +-

SELinux man pages for Fedora18

++

SELinux man pages for %s

+
+ +
+

SELinux roles

+-""")
++""" % self.os_version)
+ for letter in self.manpage_roles:
+ if len(self.manpage_roles[letter]):
+ fd.write("""
+--
+2.21.0
+
diff --git a/SOURCES/0007-We-want-to-remove-the-trailing-newline-for-etc-syste.patch b/SOURCES/0007-We-want-to-remove-the-trailing-newline-for-etc-syste.patch
new file mode 100644
index 0000000..a96bab9
--- /dev/null
+++ b/SOURCES/0007-We-want-to-remove-the-trailing-newline-for-etc-syste.patch
@@ -0,0 +1,26 @@
+From bfcb599d9424ef6ffcd250931c89675b451edd00 Mon Sep 17 00:00:00 2001
+From: Miroslav Grepl
+Date: Fri, 20 Feb 2015 16:42:01 +0100
+Subject: [PATCH] We want to remove the trailing newline for
+ /etc/system_release.
+
+---
+ python/sepolicy/sepolicy/__init__.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/python/sepolicy/sepolicy/__init__.py b/python/sepolicy/sepolicy/__init__.py
+index 88a2b8f6..0c66f4d5 100644
+--- a/python/sepolicy/sepolicy/__init__.py
++++ b/python/sepolicy/sepolicy/__init__.py
+@@ -1212,7 +1212,7 @@ def get_os_version():
+ system_release = ""
+ try:
+ with open('/etc/system-release') as f:
+- system_release = f.readline()
++ system_release = f.readline().rstrip()
+ except IOError:
+ system_release = "Misc"
+
+--
+2.21.0
+
diff --git a/SOURCES/0008-Fix-title-in-manpage.py-to-not-contain-online.patch b/SOURCES/0008-Fix-title-in-manpage.py-to-not-contain-online.patch
new file mode 100644
index 0000000..a896dfc
--- /dev/null
+++ b/SOURCES/0008-Fix-title-in-manpage.py-to-not-contain-online.patch
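Review bot: `get_os_version()` in python/sepolicy/sepolicy/__init__.py (patch 0006) now returns the first line of /etc/system-release verbatim, and manpage.py uses that string both as a file name (`html = self.new_path + self.os_version + ".html"`) and inside the generated page (`""" % self.os_version`) with no normalisation or escaping. A release string containing `/`, spaces or markup characters would change the output path or the resulting HTML; the file is normally root-owned, so this is hardening rather than a demonstrated flaw. Reducing the value to a safe token before building the file name, and HTML-escaping it before interpolation, would cover both uses. Much of the manpage.py part of this patch is not legible here, so other uses of `os_version` may exist outside the visible lines.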
@@ -0,0 +1,25 @@
+From 4ea504acce6389c3e28134c4b8e6bf9072c295ce Mon Sep 17 00:00:00 2001
+From: Miroslav Grepl
+Date: Fri, 20 Feb 2015 16:42:53 +0100
+Subject: [PATCH] Fix title in manpage.py to not contain 'online'.
+
+---
+ python/sepolicy/sepolicy/manpage.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
+index d60acfaf..de8184d8 100755
+--- a/python/sepolicy/sepolicy/manpage.py
++++ b/python/sepolicy/sepolicy/manpage.py
+@@ -220,7 +220,7 @@ class HTMLManPages:
+
+
+
+- SELinux man pages online
++ SELinux man pages
+
+
+

SELinux man pages for %s

+--
+2.21.0
+
diff --git a/SOURCES/0009-Don-t-be-verbose-if-you-are-not-on-a-tty.patch b/SOURCES/0009-Don-t-be-verbose-if-you-are-not-on-a-tty.patch
new file mode 100644
index 0000000..8fbfb11
--- /dev/null
+++ b/SOURCES/0009-Don-t-be-verbose-if-you-are-not-on-a-tty.patch
@@ -0,0 +1,24 @@
+From 8af697659bd662517571577bf47946a2113f34a1 Mon Sep 17 00:00:00 2001
+From: Dan Walsh
+Date: Fri, 14 Feb 2014 12:32:12 -0500
+Subject: [PATCH] Don't be verbose if you are not on a tty
+
+---
+ policycoreutils/scripts/fixfiles | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles
+index b2779581..53d28c7b 100755
+--- a/policycoreutils/scripts/fixfiles
++++ b/policycoreutils/scripts/fixfiles
+@@ -108,6 +108,7 @@ exclude_dirs_from_relabelling() {
+ fullFlag=0
+ BOOTTIME=""
+ VERBOSE="-p"
++[ -t 1 ] || VERBOSE=""
+ FORCEFLAG=""
+ RPMFILES=""
+ PREFC=""
+--
+2.21.0
+
diff --git a/SOURCES/0010-sepolicy-Drop-old-interface-file_type_is_executable-.patch b/SOURCES/0010-sepolicy-Drop-old-interface-file_type_is_executable-.patch
new file mode 100644
index 0000000..749a2c4
--- /dev/null
+++ b/SOURCES/0010-sepolicy-Drop-old-interface-file_type_is_executable-.patch
@@ -0,0 +1,63 @@
+From ef0f54ffc6d691d10e66a0793204edd159cd45d0 Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach
+Date: Mon, 27 Feb 2017 17:12:39 +0100
+Subject: [PATCH] sepolicy: Drop old interface file_type_is_executable(f) and
+ file_type_is_entrypoint(f)
+
+- use direct queries
+- load exec_types and entry_types only once
+---
+ python/sepolicy/sepolicy/manpage.py | 22 ++++++++++++++++++++--
+ 1 file changed, 20 insertions(+), 2 deletions(-)
+
+diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
+index de8184d8..f8a94fc0 100755
+--- a/python/sepolicy/sepolicy/manpage.py
++++ b/python/sepolicy/sepolicy/manpage.py
+@@ -125,8 +125,24 @@ def gen_domains():
+ domains.sort()
+ return domains
+
+-types = None
+
++exec_types = None
++
++def _gen_exec_types():
++ global exec_types
++ if exec_types is None:
++ exec_types = next(sepolicy.info(sepolicy.ATTRIBUTE, "exec_type"))["types"]
++ return exec_types
++
++entry_types = None
++
++def _gen_entry_types():
++ global entry_types
++ if entry_types is None:
++ entry_types = next(sepolicy.info(sepolicy.ATTRIBUTE, "entry_type"))["types"]
++ return entry_types
++
++types = None
+
+ def _gen_types():
+ global types
+@@ -372,6 +388,8 @@ class ManPage:
+ self.all_file_types = sepolicy.get_all_file_types()
+ self.role_allows = sepolicy.get_all_role_allows()
+ self.types = _gen_types()
++ self.exec_types = _gen_exec_types()
++ self.entry_types = _gen_entry_types()
+
+ if self.source_files:
+ self.fcpath = self.root + "file_contexts"
+@@ -689,7 +707,7 @@ Default Defined Ports:""")
+ for f in self.all_file_types:
+ if f.startswith(self.domainname):
+ flist.append(f)
+- if not file_type_is_executable(f) or not file_type_is_entrypoint(f):
++ if not f in self.exec_types or not f in self.entry_types:
+ flist_non_exec.append(f)
+ if f in self.fcdict:
+ mpaths = mpaths + self.fcdict[f]["regex"]
+--
+2.21.0
+
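Review bot: The cached lookups call `next(sepolicy.info(...))` with no default, so a policy that lacks the attribute raises `StopIteration` where `self.exec_types = _gen_exec_types()` and `self.entry_types = _gen_entry_types()` are assigned in `ManPage` (presumably its constructor, whose start is outside the hunk). Patch 0011 repeats the pattern in `_gen_mcs_constrained_types` and at the same time deletes the `except StopIteration: return` that `_mcs_types` had, so a case that used to be skipped quietly would now abort man page generation. Passing a default keeps the old behaviour, e.g. `next(sepolicy.info(sepolicy.ATTRIBUTE, "mcs_constrained_type"), {"types": []})`, and the same form with `["types"]` applied for the two helpers here. As a style point, `not f in self.exec_types` reads better as `f not in self.exec_types`.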
diff --git a/SOURCES/0011-sepolicy-Another-small-optimization-for-mcs-types.patch b/SOURCES/0011-sepolicy-Another-small-optimization-for-mcs-types.patch
new file mode 100644
index 0000000..bea01d5
--- /dev/null
+++ b/SOURCES/0011-sepolicy-Another-small-optimization-for-mcs-types.patch
@@ -0,0 +1,53 @@
+From e54db76a3bff8e911ddd7c7ce834c024d634d9e1 Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach
+Date: Tue, 28 Feb 2017 21:29:46 +0100
+Subject: [PATCH] sepolicy: Another small optimization for mcs types
+
+---
+ python/sepolicy/sepolicy/manpage.py | 16 +++++++++++-----
+ 1 file changed, 11 insertions(+), 5 deletions(-)
+
+diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
+index f8a94fc0..67d39301 100755
+--- a/python/sepolicy/sepolicy/manpage.py
++++ b/python/sepolicy/sepolicy/manpage.py
+@@ -142,6 +142,15 @@ def _gen_entry_types():
+ entry_types = next(sepolicy.info(sepolicy.ATTRIBUTE, "entry_type"))["types"]
+ return entry_types
+
++mcs_constrained_types = None
++
++def _gen_mcs_constrained_types():
++ global mcs_constrained_types
++ if mcs_constrained_types is None:
++ mcs_constrained_types = next(sepolicy.info(sepolicy.ATTRIBUTE, "mcs_constrained_type"))
++ return mcs_constrained_types
++
++
+ types = None
+
+ def _gen_types():
+@@ -390,6 +399,7 @@ class ManPage:
+ self.types = _gen_types()
+ self.exec_types = _gen_exec_types()
+ self.entry_types = _gen_entry_types()
++ self.mcs_constrained_types = _gen_mcs_constrained_types()
+
+ if self.source_files:
+ self.fcpath = self.root + "file_contexts"
+@@ -944,11 +954,7 @@ All executeables with the default executable label, usually stored in /usr/bin a
+ %s""" % ", ".join(paths))
+
+ def _mcs_types(self):
+- try:
+- mcs_constrained_type = next(sepolicy.info(sepolicy.ATTRIBUTE, "mcs_constrained_type"))
+- except StopIteration:
+- return
+- if self.type not in mcs_constrained_type['types']:
++ if self.type not in self.mcs_constrained_types['types']:
+ return
+ self.fd.write ("""
+ .SH "MCS Constrained"
+--
+2.21.0
+
diff --git a/SOURCES/0012-Move-po-translation-files-into-the-right-sub-directo.patch b/SOURCES/0012-Move-po-translation-files-into-the-right-sub-directo.patch
new file mode 100644
index 0000000..f3524b7
--- /dev/null
+++ b/SOURCES/0012-Move-po-translation-files-into-the-right-sub-directo.patch 
@@ -0,0 +1,515 @@ +From 4015e9299bfda622e9d407cdbcc536000688aa8f Mon Sep 17 00:00:00 2001 +From: Petr Lautrbach +Date: Mon, 6 Aug 2018 13:23:00 +0200 +Subject: [PATCH] Move po/ translation files into the right sub-directories + +When policycoreutils was split into policycoreutils/ python/ gui/ and sandbox/ +sub-directories, po/ translation files stayed in policycoreutils/. + +This commit split original policycoreutils/po directory into +policycoreutils/po +python/po +gui/po +sandbox/po + +See https://github.com/fedora-selinux/selinux/issues/43 +--- + gui/Makefile | 3 ++ + gui/po/Makefile | 82 ++++++++++++++++++++++++++++++++++++ + gui/po/POTFILES | 17 ++++++++ + policycoreutils/po/Makefile | 70 ++----------------------------- + policycoreutils/po/POTFILES | 9 ++++ + python/Makefile | 2 +- + python/po/Makefile | 83 +++++++++++++++++++++++++++++++++++++ + python/po/POTFILES | 10 +++++ + sandbox/Makefile | 2 + + sandbox/po/Makefile | 82 ++++++++++++++++++++++++++++++++++++ + sandbox/po/POTFILES | 1 + + 11 files changed, 293 insertions(+), 68 deletions(-) + create mode 100644 gui/po/Makefile + create mode 100644 gui/po/POTFILES + create mode 100644 policycoreutils/po/POTFILES + create mode 100644 python/po/Makefile + create mode 100644 python/po/POTFILES + create mode 100644 sandbox/po/Makefile + create mode 100644 sandbox/po/POTFILES + +diff --git a/gui/Makefile b/gui/Makefile +index ca965c94..5a5bf6dc 100644 +--- a/gui/Makefile ++++ b/gui/Makefile +@@ -22,6 +22,7 @@ system-config-selinux.ui \ + usersPage.py + + all: $(TARGETS) system-config-selinux.py polgengui.py ++ (cd po && $(MAKE) $@) + + install: all + -mkdir -p $(DESTDIR)$(MANDIR)/man8 +@@ -54,6 +55,8 @@ install: all + install -m 644 sepolicy_$${i}.png $(DESTDIR)$(DATADIR)/icons/hicolor/$${i}x$${i}/apps/sepolicy.png; \ + done + install -m 644 org.selinux.config.policy $(DESTDIR)$(DATADIR)/polkit-1/actions/ ++ (cd po && $(MAKE) $@) ++ + clean: + + indent: +diff --git a/gui/po/Makefile b/gui/po/Makefile +new file 
mode 100644 +index 00000000..a0f5439f +--- /dev/null ++++ b/gui/po/Makefile +@@ -0,0 +1,82 @@ ++# ++# Makefile for the PO files (translation) catalog ++# ++ ++PREFIX ?= /usr ++ ++# What is this package? ++NLSPACKAGE = gui ++POTFILE = $(NLSPACKAGE).pot ++INSTALL = /usr/bin/install -c -p ++INSTALL_DATA = $(INSTALL) -m 644 ++INSTALL_DIR = /usr/bin/install -d ++ ++# destination directory ++INSTALL_NLS_DIR = $(PREFIX)/share/locale ++ ++# PO catalog handling ++MSGMERGE = msgmerge ++MSGMERGE_FLAGS = -q ++XGETTEXT = xgettext --default-domain=$(NLSPACKAGE) ++MSGFMT = msgfmt ++ ++# All possible linguas ++PO_LINGUAS := $(sort $(patsubst %.po,%,$(wildcard *.po))) ++ ++# Only the files matching what the user has set in LINGUAS ++USER_LINGUAS := $(filter $(patsubst %,%%,$(LINGUAS)),$(PO_LINGUAS)) ++ ++# if no valid LINGUAS, build all languages ++USE_LINGUAS := $(if $(USER_LINGUAS),$(USER_LINGUAS),$(PO_LINGUAS)) ++ ++POFILES = $(patsubst %,%.po,$(USE_LINGUAS)) ++MOFILES = $(patsubst %.po,%.mo,$(POFILES)) ++POTFILES = $(shell cat POTFILES) ++ ++#default:: clean ++ ++all:: $(MOFILES) ++ ++$(POTFILE): $(POTFILES) ++ $(XGETTEXT) --keyword=_ --keyword=N_ $(POTFILES) ++ @if cmp -s $(NLSPACKAGE).po $(POTFILE); then \ ++ rm -f $(NLSPACKAGE).po; \ ++ else \ ++ mv -f $(NLSPACKAGE).po $(POTFILE); \ ++ fi; \ ++ ++ ++refresh-po: Makefile ++ for cat in $(POFILES); do \ ++ lang=`basename $$cat .po`; \ ++ if $(MSGMERGE) $(MSGMERGE_FLAGS) $$lang.po $(POTFILE) > $$lang.pot ; then \ ++ mv -f $$lang.pot $$lang.po ; \ ++ echo "$(MSGMERGE) of $$lang succeeded" ; \ ++ else \ ++ echo "$(MSGMERGE) of $$lang failed" ; \ ++ rm -f $$lang.pot ; \ ++ fi \ ++ done ++ ++clean: ++ @rm -fv *mo *~ .depend ++ @rm -rf tmp ++ ++install: $(MOFILES) ++ @for n in $(MOFILES); do \ ++ l=`basename $$n .mo`; \ ++ $(INSTALL_DIR) $(DESTDIR)$(INSTALL_NLS_DIR)/$$l/LC_MESSAGES; \ ++ $(INSTALL_DATA) --verbose $$n $(DESTDIR)$(INSTALL_NLS_DIR)/$$l/LC_MESSAGES/selinux-$(NLSPACKAGE).mo; \ ++ done ++ ++%.mo: %.po ++ $(MSGFMT) -o $@ $< 
++report: ++ @for cat in $(wildcard *.po); do \ ++ echo -n "$$cat: "; \ ++ msgfmt -v --statistics -o /dev/null $$cat; \ ++ done ++ ++.PHONY: missing depend ++ ++relabel: +diff --git a/gui/po/POTFILES b/gui/po/POTFILES +new file mode 100644 +index 00000000..1795c5c1 +--- /dev/null ++++ b/gui/po/POTFILES +@@ -0,0 +1,17 @@ ++../booleansPage.py ++../domainsPage.py ++../fcontextPage.py ++../loginsPage.py ++../modulesPage.py ++../org.selinux.config.policy ++../polgengui.py ++../polgen.ui ++../portsPage.py ++../selinux-polgengui.desktop ++../semanagePage.py ++../sepolicy.desktop ++../statusPage.py ++../system-config-selinux.desktop ++../system-config-selinux.py ++../system-config-selinux.ui ++../usersPage.py +diff --git a/policycoreutils/po/Makefile b/policycoreutils/po/Makefile +index 575e1431..18bc1dff 100644 +--- a/policycoreutils/po/Makefile ++++ b/policycoreutils/po/Makefile +@@ -3,7 +3,6 @@ + # + + PREFIX ?= /usr +-TOP = ../.. + + # What is this package? + NLSPACKAGE = policycoreutils +@@ -32,74 +31,13 @@ USE_LINGUAS := $(if $(USER_LINGUAS),$(USER_LINGUAS),$(PO_LINGUAS)) + + POFILES = $(patsubst %,%.po,$(USE_LINGUAS)) + MOFILES = $(patsubst %.po,%.mo,$(POFILES)) +-POTFILES = \ +- ../run_init/open_init_pty.c \ +- ../run_init/run_init.c \ +- ../semodule_link/semodule_link.c \ +- ../audit2allow/audit2allow \ +- ../semanage/seobject.py \ +- ../setsebool/setsebool.c \ +- ../newrole/newrole.c \ +- ../load_policy/load_policy.c \ +- ../sestatus/sestatus.c \ +- ../semodule/semodule.c \ +- ../setfiles/setfiles.c \ +- ../semodule_package/semodule_package.c \ +- ../semodule_deps/semodule_deps.c \ +- ../semodule_expand/semodule_expand.c \ +- ../scripts/chcat \ +- ../scripts/fixfiles \ +- ../restorecond/stringslist.c \ +- ../restorecond/restorecond.h \ +- ../restorecond/utmpwatcher.h \ +- ../restorecond/stringslist.h \ +- ../restorecond/restorecond.c \ +- ../restorecond/utmpwatcher.c \ +- ../gui/booleansPage.py \ +- ../gui/fcontextPage.py \ +- ../gui/loginsPage.py \ +- 
../gui/mappingsPage.py \ +- ../gui/modulesPage.py \ +- ../gui/polgen.glade \ +- ../gui/polgengui.py \ +- ../gui/portsPage.py \ +- ../gui/semanagePage.py \ +- ../gui/statusPage.py \ +- ../gui/system-config-selinux.glade \ +- ../gui/system-config-selinux.py \ +- ../gui/usersPage.py \ +- ../secon/secon.c \ +- booleans.py \ +- ../sepolicy/sepolicy.py \ +- ../sepolicy/sepolicy/communicate.py \ +- ../sepolicy/sepolicy/__init__.py \ +- ../sepolicy/sepolicy/network.py \ +- ../sepolicy/sepolicy/generate.py \ +- ../sepolicy/sepolicy/sepolicy.glade \ +- ../sepolicy/sepolicy/gui.py \ +- ../sepolicy/sepolicy/manpage.py \ +- ../sepolicy/sepolicy/transition.py \ +- ../sepolicy/sepolicy/templates/executable.py \ +- ../sepolicy/sepolicy/templates/__init__.py \ +- ../sepolicy/sepolicy/templates/network.py \ +- ../sepolicy/sepolicy/templates/rw.py \ +- ../sepolicy/sepolicy/templates/script.py \ +- ../sepolicy/sepolicy/templates/semodule.py \ +- ../sepolicy/sepolicy/templates/tmp.py \ +- ../sepolicy/sepolicy/templates/user.py \ +- ../sepolicy/sepolicy/templates/var_lib.py \ +- ../sepolicy/sepolicy/templates/var_log.py \ +- ../sepolicy/sepolicy/templates/var_run.py \ +- ../sepolicy/sepolicy/templates/var_spool.py ++POTFILES = $(shell cat POTFILES) + + #default:: clean + +-all:: $(MOFILES) ++all:: $(POTFILE) $(MOFILES) + +-booleans.py: +- sepolicy booleans -a > booleans.py +- +-$(POTFILE): $(POTFILES) booleans.py ++$(POTFILE): $(POTFILES) + $(XGETTEXT) --keyword=_ --keyword=N_ $(POTFILES) + @if cmp -s $(NLSPACKAGE).po $(POTFILE); then \ + rm -f $(NLSPACKAGE).po; \ +@@ -107,8 +45,6 @@ $(POTFILE): $(POTFILES) booleans.py + mv -f $(NLSPACKAGE).po $(POTFILE); \ + fi; \ + +-update-po: Makefile $(POTFILE) refresh-po +- @rm -f booleans.py + + refresh-po: Makefile + for cat in $(POFILES); do \ +diff --git a/policycoreutils/po/POTFILES b/policycoreutils/po/POTFILES +new file mode 100644 +index 00000000..12237dc6 +--- /dev/null ++++ b/policycoreutils/po/POTFILES +@@ -0,0 +1,9 @@ 
++../run_init/open_init_pty.c ++../run_init/run_init.c ++../setsebool/setsebool.c ++../newrole/newrole.c ++../load_policy/load_policy.c ++../sestatus/sestatus.c ++../semodule/semodule.c ++../setfiles/setfiles.c ++../secon/secon.c +diff --git a/python/Makefile b/python/Makefile +index 9b66d52f..00312dbd 100644 +--- a/python/Makefile ++++ b/python/Makefile +@@ -1,4 +1,4 @@ +-SUBDIRS = sepolicy audit2allow semanage sepolgen chcat ++SUBDIRS = sepolicy audit2allow semanage sepolgen chcat po + + all install relabel clean indent test: + @for subdir in $(SUBDIRS); do \ +diff --git a/python/po/Makefile b/python/po/Makefile +new file mode 100644 +index 00000000..4e052d5a +--- /dev/null ++++ b/python/po/Makefile +@@ -0,0 +1,83 @@ ++# ++# Makefile for the PO files (translation) catalog ++# ++ ++PREFIX ?= /usr ++ ++# What is this package? ++NLSPACKAGE = python ++POTFILE = $(NLSPACKAGE).pot ++INSTALL = /usr/bin/install -c -p ++INSTALL_DATA = $(INSTALL) -m 644 ++INSTALL_DIR = /usr/bin/install -d ++ ++# destination directory ++INSTALL_NLS_DIR = $(PREFIX)/share/locale ++ ++# PO catalog handling ++MSGMERGE = msgmerge ++MSGMERGE_FLAGS = -q ++XGETTEXT = xgettext --default-domain=$(NLSPACKAGE) ++MSGFMT = msgfmt ++ ++# All possible linguas ++PO_LINGUAS := $(sort $(patsubst %.po,%,$(wildcard *.po))) ++ ++# Only the files matching what the user has set in LINGUAS ++USER_LINGUAS := $(filter $(patsubst %,%%,$(LINGUAS)),$(PO_LINGUAS)) ++ ++# if no valid LINGUAS, build all languages ++USE_LINGUAS := $(if $(USER_LINGUAS),$(USER_LINGUAS),$(PO_LINGUAS)) ++ ++POFILES = $(patsubst %,%.po,$(USE_LINGUAS)) ++MOFILES = $(patsubst %.po,%.mo,$(POFILES)) ++POTFILES = $(shell cat POTFILES) ++ ++#default:: clean ++ ++all:: $(MOFILES) ++ ++$(POTFILE): $(POTFILES) ++ $(XGETTEXT) -L Python --keyword=_ --keyword=N_ $(POTFILES) ++ $(XGETTEXT) -j --keyword=_ --keyword=N_ ../sepolicy/sepolicy/sepolicy.glade ++ @if cmp -s $(NLSPACKAGE).po $(POTFILE); then \ ++ rm -f $(NLSPACKAGE).po; \ ++ else \ ++ mv -f 
$(NLSPACKAGE).po $(POTFILE); \
++ fi; \
++
++
++refresh-po: Makefile
++ for cat in $(POFILES); do \
++ lang=`basename $$cat .po`; \
++ if $(MSGMERGE) $(MSGMERGE_FLAGS) $$lang.po $(POTFILE) > $$lang.pot ; then \
++ mv -f $$lang.pot $$lang.po ; \
++ echo "$(MSGMERGE) of $$lang succeeded" ; \
++ else \
++ echo "$(MSGMERGE) of $$lang failed" ; \
++ rm -f $$lang.pot ; \
++ fi \
++ done
++
++clean:
++ @rm -fv *mo *~ .depend
++ @rm -rf tmp
++
++install: $(MOFILES)
++ @for n in $(MOFILES); do \
++ l=`basename $$n .mo`; \
++ $(INSTALL_DIR) $(DESTDIR)$(INSTALL_NLS_DIR)/$$l/LC_MESSAGES; \
++ $(INSTALL_DATA) --verbose $$n $(DESTDIR)$(INSTALL_NLS_DIR)/$$l/LC_MESSAGES/selinux-$(NLSPACKAGE).mo; \
++ done
++
++%.mo: %.po
++ $(MSGFMT) -o $@ $<
++report:
++ @for cat in $(wildcard *.po); do \
++ echo -n "$$cat: "; \
++ msgfmt -v --statistics -o /dev/null $$cat; \
++ done
++
++.PHONY: missing depend
++
++relabel:
+diff --git a/python/po/POTFILES b/python/po/POTFILES
+new file mode 100644
+index 00000000..128eb870
+--- /dev/null
++++ b/python/po/POTFILES
+@@ -0,0 +1,10 @@
++../audit2allow/audit2allow
++../chcat/chcat
++../semanage/semanage
++../semanage/seobject.py
++../sepolgen/src/sepolgen/interfaces.py
++../sepolicy/sepolicy/generate.py
++../sepolicy/sepolicy/gui.py
++../sepolicy/sepolicy/__init__.py
++../sepolicy/sepolicy/interface.py
++../sepolicy/sepolicy.py
+diff --git a/sandbox/Makefile b/sandbox/Makefile
+index 9da5e58d..b817824e 100644
+--- a/sandbox/Makefile
++++ b/sandbox/Makefile
+@@ -13,6 +13,7 @@ override LDLIBS += -lselinux -lcap-ng
+ SEUNSHARE_OBJS = seunshare.o
+
+ all: sandbox seunshare sandboxX.sh start
++ (cd po && $(MAKE) $@)
+
+ seunshare: $(SEUNSHARE_OBJS)
+
+@@ -39,6 +40,7 @@ install: all
+ install -m 755 start $(DESTDIR)$(SHAREDIR)
+ -mkdir -p $(DESTDIR)$(SYSCONFDIR)
+ install -m 644 sandbox.conf $(DESTDIR)$(SYSCONFDIR)/sandbox
++ (cd po && $(MAKE) $@)
+
+ test:
+ @$(PYTHON) test_sandbox.py -v
+diff --git a/sandbox/po/Makefile b/sandbox/po/Makefile
+new file
mode 100644
+index 00000000..0556bbe9
+--- /dev/null
++++ b/sandbox/po/Makefile
+@@ -0,0 +1,82 @@
++#
++# Makefile for the PO files (translation) catalog
++#
++
++PREFIX ?= /usr
++
++# What is this package?
++NLSPACKAGE = sandbox
++POTFILE = $(NLSPACKAGE).pot
++INSTALL = /usr/bin/install -c -p
++INSTALL_DATA = $(INSTALL) -m 644
++INSTALL_DIR = /usr/bin/install -d
++
++# destination directory
++INSTALL_NLS_DIR = $(PREFIX)/share/locale
++
++# PO catalog handling
++MSGMERGE = msgmerge
++MSGMERGE_FLAGS = -q
++XGETTEXT = xgettext -L Python --default-domain=$(NLSPACKAGE)
++MSGFMT = msgfmt
++
++# All possible linguas
++PO_LINGUAS := $(sort $(patsubst %.po,%,$(wildcard *.po)))
++
++# Only the files matching what the user has set in LINGUAS
++USER_LINGUAS := $(filter $(patsubst %,%%,$(LINGUAS)),$(PO_LINGUAS))
++
++# if no valid LINGUAS, build all languages
++USE_LINGUAS := $(if $(USER_LINGUAS),$(USER_LINGUAS),$(PO_LINGUAS))
++
++POFILES = $(patsubst %,%.po,$(USE_LINGUAS))
++MOFILES = $(patsubst %.po,%.mo,$(POFILES))
++POTFILES = $(shell cat POTFILES)
++
++#default:: clean
++
++all:: $(POTFILE) $(MOFILES)
++
++$(POTFILE): $(POTFILES)
++ $(XGETTEXT) --keyword=_ --keyword=N_ $(POTFILES)
++ @if cmp -s $(NLSPACKAGE).po $(POTFILE); then \
++ rm -f $(NLSPACKAGE).po; \
++ else \
++ mv -f $(NLSPACKAGE).po $(POTFILE); \
++ fi; \
++
++
++refresh-po: Makefile
++ for cat in $(POFILES); do \
++ lang=`basename $$cat .po`; \
++ if $(MSGMERGE) $(MSGMERGE_FLAGS) $$lang.po $(POTFILE) > $$lang.pot ; then \
++ mv -f $$lang.pot $$lang.po ; \
++ echo "$(MSGMERGE) of $$lang succeeded" ; \
++ else \
++ echo "$(MSGMERGE) of $$lang failed" ; \
++ rm -f $$lang.pot ; \
++ fi \
++ done
++
++clean:
++ @rm -fv *mo *~ .depend
++ @rm -rf tmp
++
++install: $(MOFILES)
++ @for n in $(MOFILES); do \
++ l=`basename $$n .mo`; \
++ $(INSTALL_DIR) $(DESTDIR)$(INSTALL_NLS_DIR)/$$l/LC_MESSAGES; \
++ $(INSTALL_DATA) --verbose $$n $(DESTDIR)$(INSTALL_NLS_DIR)/$$l/LC_MESSAGES/selinux-$(NLSPACKAGE).mo; \
++ done
++
++%.mo: %.po
++ $(MSGFMT) -o $@ $<
++report:
++ @for cat in $(wildcard *.po); do \
++ echo -n "$$cat: "; \
++ msgfmt -v --statistics -o /dev/null $$cat; \
++ done
++
++.PHONY: missing depend
++
++relabel:
+diff --git a/sandbox/po/POTFILES b/sandbox/po/POTFILES
+new file mode 100644
+index 00000000..deff3f2f
+--- /dev/null
++++ b/sandbox/po/POTFILES
+@@ -0,0 +1 @@
++../sandbox
+--
+2.21.0
+
diff --git a/SOURCES/0013-Use-correct-gettext-domains-in-python-gui-sandbox.patch b/SOURCES/0013-Use-correct-gettext-domains-in-python-gui-sandbox.patch
new file mode 100644
index 0000000..c214ee4
--- /dev/null
+++ b/SOURCES/0013-Use-correct-gettext-domains-in-python-gui-sandbox.patch
@@ -0,0 +1,306 @@
+From 57cd23e11e1a700802a5955e84a0a7e04c30ec73 Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach
+Date: Mon, 6 Aug 2018 13:37:07 +0200
+Subject: [PATCH] Use correct gettext domains in python/ gui/ sandbox/
+
+https://github.com/fedora-selinux/selinux/issues/43
+---
+ gui/booleansPage.py | 2 +-
+ gui/domainsPage.py | 2 +-
+ gui/fcontextPage.py | 2 +-
+ gui/loginsPage.py | 2 +-
+ gui/modulesPage.py | 2 +-
+ gui/polgengui.py | 2 +-
+ gui/portsPage.py | 2 +-
+ gui/semanagePage.py | 2 +-
+ gui/statusPage.py | 2 +-
+ gui/system-config-selinux.py | 2 +-
+ gui/usersPage.py | 2 +-
+ python/chcat/chcat | 2 +-
+ python/semanage/semanage | 2 +-
+ python/semanage/seobject.py | 2 +-
+ python/sepolgen/src/sepolgen/sepolgeni18n.py | 2 +-
+ python/sepolicy/sepolicy.py | 2 +-
+ python/sepolicy/sepolicy/__init__.py | 2 +-
+ python/sepolicy/sepolicy/generate.py | 2 +-
+ python/sepolicy/sepolicy/gui.py | 2 +-
+ python/sepolicy/sepolicy/interface.py | 2 +-
+ sandbox/sandbox | 2 +-
+ 21 files changed, 21 insertions(+), 21 deletions(-)
+
+diff --git a/gui/booleansPage.py b/gui/booleansPage.py
+index 7849bea2..dd12b6d6 100644
+--- a/gui/booleansPage.py
++++ b/gui/booleansPage.py
+@@ -38,7 +38,7 @@ DISABLED = 2
+ ##
+ ## I18N
+ ##
+-PROGNAME = "policycoreutils"
++PROGNAME = "selinux-gui"
+ try:
+ import gettext
+ kwargs = {}
+diff --git a/gui/domainsPage.py b/gui/domainsPage.py
+index bad5140d..6bbe4de5 100644
+--- a/gui/domainsPage.py
++++ b/gui/domainsPage.py
+@@ -30,7 +30,7 @@ from semanagePage import *
+ ##
+ ## I18N
+ ##
+-PROGNAME = "policycoreutils"
++PROGNAME = "selinux-gui"
+ try:
+ import gettext
+ kwargs = {}
+diff --git a/gui/fcontextPage.py b/gui/fcontextPage.py
+index 370bbee4..e424366d 100644
+--- a/gui/fcontextPage.py
++++ b/gui/fcontextPage.py
+@@ -47,7 +47,7 @@ class context:
+ ##
+ ## I18N
+ ##
+-PROGNAME = "policycoreutils"
++PROGNAME = "selinux-gui"
+ try:
+ import gettext
+ kwargs = {}
+diff --git a/gui/loginsPage.py b/gui/loginsPage.py
+index
b67eb8bc..cbfb0cc2 100644
+--- a/gui/loginsPage.py
++++ b/gui/loginsPage.py
+@@ -29,7 +29,7 @@ from semanagePage import *
+ ##
+ ## I18N
+ ##
+-PROGNAME = "policycoreutils"
++PROGNAME = "selinux-gui"
+ try:
+ import gettext
+ kwargs = {}
+diff --git a/gui/modulesPage.py b/gui/modulesPage.py
+index cb856b2d..26ac5404 100644
+--- a/gui/modulesPage.py
++++ b/gui/modulesPage.py
+@@ -30,7 +30,7 @@ from semanagePage import *
+ ##
+ ## I18N
+ ##
+-PROGNAME = "policycoreutils"
++PROGNAME = "selinux-gui"
+ try:
+ import gettext
+ kwargs = {}
+diff --git a/gui/polgengui.py b/gui/polgengui.py
+index b1cc9937..46a1bd2c 100644
+--- a/gui/polgengui.py
++++ b/gui/polgengui.py
+@@ -63,7 +63,7 @@ def get_all_modules():
+ ##
+ ## I18N
+ ##
+-PROGNAME = "policycoreutils"
++PROGNAME = "selinux-gui"
+ try:
+ import gettext
+ kwargs = {}
+diff --git a/gui/portsPage.py b/gui/portsPage.py
+index 30f58383..a537ecc8 100644
+--- a/gui/portsPage.py
++++ b/gui/portsPage.py
+@@ -35,7 +35,7 @@ from semanagePage import *
+ ##
+ ## I18N
+ ##
+-PROGNAME = "policycoreutils"
++PROGNAME = "selinux-gui"
+ try:
+ import gettext
+ kwargs = {}
+diff --git a/gui/semanagePage.py b/gui/semanagePage.py
+index 4127804f..5361d69c 100644
+--- a/gui/semanagePage.py
++++ b/gui/semanagePage.py
+@@ -22,7 +22,7 @@ from gi.repository import Gdk, Gtk
+ ##
+ ## I18N
+ ##
+-PROGNAME = "policycoreutils"
++PROGNAME = "selinux-gui"
+ try:
+ import gettext
+ kwargs = {}
+diff --git a/gui/statusPage.py b/gui/statusPage.py
+index 766854b1..a8f079b9 100644
+--- a/gui/statusPage.py
++++ b/gui/statusPage.py
+@@ -35,7 +35,7 @@ RELABELFILE = "/.autorelabel"
+ ##
+ ## I18N
+ ##
+-PROGNAME = "policycoreutils"
++PROGNAME = "selinux-gui"
+ try:
+ import gettext
+ kwargs = {}
+diff --git a/gui/system-config-selinux.py b/gui/system-config-selinux.py
+index c42301b6..1e0d5eb1 100644
+--- a/gui/system-config-selinux.py
++++ b/gui/system-config-selinux.py
+@@ -45,7 +45,7 @@ import selinux
+ ##
+ ## I18N
+ ##
+-PROGNAME = "policycoreutils"
++PROGNAME = "selinux-gui"
+ try:
+ import gettext
+ kwargs = {}
+diff --git a/gui/usersPage.py b/gui/usersPage.py
+index 26794ed5..d15d4c5a 100644
+--- a/gui/usersPage.py
++++ b/gui/usersPage.py
+@@ -29,7 +29,7 @@ from semanagePage import *
+ ##
+ ## I18N
+ ##
+-PROGNAME = "policycoreutils"
++PROGNAME = "selinux-gui"
+ try:
+ import gettext
+ kwargs = {}
+diff --git a/python/chcat/chcat b/python/chcat/chcat
+index ba398684..df2509f2 100755
+--- a/python/chcat/chcat
++++ b/python/chcat/chcat
+@@ -30,7 +30,7 @@ import getopt
+ import selinux
+ import seobject
+
+-PROGNAME = "policycoreutils"
++PROGNAME = "selinux-python"
+ try:
+ import gettext
+ kwargs = {}
+diff --git a/python/semanage/semanage b/python/semanage/semanage
+index 144cc000..56db3e0d 100644
+--- a/python/semanage/semanage
++++ b/python/semanage/semanage
+@@ -27,7 +27,7 @@ import traceback
+ import argparse
+ import seobject
+ import sys
+-PROGNAME = "policycoreutils"
++PROGNAME = "selinux-python"
+ try:
+ import gettext
+ kwargs = {}
+diff --git a/python/semanage/seobject.py b/python/semanage/seobject.py
+index 13fdf531..b90b1070 100644
+--- a/python/semanage/seobject.py
++++ b/python/semanage/seobject.py
+@@ -29,7 +29,7 @@ import sys
+ import stat
+ import socket
+ from semanage import *
+-PROGNAME = "policycoreutils"
++PROGNAME = "selinux-python"
+ import sepolicy
+ import setools
+ from IPy import IP
+diff --git a/python/sepolgen/src/sepolgen/sepolgeni18n.py b/python/sepolgen/src/sepolgen/sepolgeni18n.py
+index 998c4356..56ebd807 100644
+--- a/python/sepolgen/src/sepolgen/sepolgeni18n.py
++++ b/python/sepolgen/src/sepolgen/sepolgeni18n.py
+@@ -19,7 +19,7 @@
+
+ try:
+ import gettext
+- t = gettext.translation( 'yumex' )
++ t = gettext.translation( 'selinux-python' )
+ _ = t.gettext
+ except:
+ def _(str):
+diff --git a/python/sepolicy/sepolicy.py b/python/sepolicy/sepolicy.py
+index 1934cd86..8bd6a579 100755
+--- a/python/sepolicy/sepolicy.py
++++ b/python/sepolicy/sepolicy.py
+@@ -27,7 +27,7 @@
import selinux
+ import sepolicy
+ from sepolicy import get_os_version, get_conditionals, get_conditionals_format_text
+ import argparse
+-PROGNAME = "policycoreutils"
++PROGNAME = "selinux-python"
+ try:
+ import gettext
+ kwargs = {}
+diff --git a/python/sepolicy/sepolicy/__init__.py b/python/sepolicy/sepolicy/__init__.py
+index 0c66f4d5..b6ca57c3 100644
+--- a/python/sepolicy/sepolicy/__init__.py
++++ b/python/sepolicy/sepolicy/__init__.py
+@@ -13,7 +13,7 @@ import os
+ import re
+ import gzip
+
+-PROGNAME = "policycoreutils"
++PROGNAME = "selinux-python"
+ try:
+ import gettext
+ kwargs = {}
+diff --git a/python/sepolicy/sepolicy/generate.py b/python/sepolicy/sepolicy/generate.py
+index 019e7836..7175d36b 100644
+--- a/python/sepolicy/sepolicy/generate.py
++++ b/python/sepolicy/sepolicy/generate.py
+@@ -49,7 +49,7 @@ import sepolgen.defaults as defaults
+ ##
+ ## I18N
+ ##
+-PROGNAME = "policycoreutils"
++PROGNAME = "selinux-python"
+ try:
+ import gettext
+ kwargs = {}
+diff --git a/python/sepolicy/sepolicy/gui.py b/python/sepolicy/sepolicy/gui.py
+index 00fd7a11..805cee67 100644
+--- a/python/sepolicy/sepolicy/gui.py
++++ b/python/sepolicy/sepolicy/gui.py
+@@ -41,7 +41,7 @@ import os
+ import re
+ import unicodedata
+
+-PROGNAME = "policycoreutils"
++PROGNAME = "selinux-python"
+ try:
+ import gettext
+ kwargs = {}
+diff --git a/python/sepolicy/sepolicy/interface.py b/python/sepolicy/sepolicy/interface.py
+index 583091ae..e2b8d23b 100644
+--- a/python/sepolicy/sepolicy/interface.py
++++ b/python/sepolicy/sepolicy/interface.py
+@@ -30,7 +30,7 @@ __all__ = ['get_all_interfaces', 'get_interfaces_from_xml', 'get_admin', 'get_us
+ ##
+ ## I18N
+ ##
+-PROGNAME = "policycoreutils"
++PROGNAME = "selinux-python"
+ try:
+ import gettext
+ kwargs = {}
+diff --git a/sandbox/sandbox b/sandbox/sandbox
+index 1dec07ac..a12403b3 100644
+--- a/sandbox/sandbox
++++ b/sandbox/sandbox
+@@ -37,7 +37,7 @@ import sepolicy
+
+ SEUNSHARE = "/usr/sbin/seunshare"
+ SANDBOXSH =
"/usr/share/sandbox/sandboxX.sh"
+-PROGNAME = "policycoreutils"
++PROGNAME = "selinux-sandbox"
+ try:
+ import gettext
+ kwargs = {}
+--
+2.21.0
+
diff --git a/SOURCES/0014-Initial-.pot-files-for-gui-python-sandbox.patch b/SOURCES/0014-Initial-.pot-files-for-gui-python-sandbox.patch
new file mode 100644
index 0000000..7b7d340
--- /dev/null
+++ b/SOURCES/0014-Initial-.pot-files-for-gui-python-sandbox.patch
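Review bot: The `except:` guarding `gettext.translation( 'selinux-python' )` in python/sepolgen/src/sepolgen/sepolgeni18n.py (patch 0013, context lines of its `@@ -19,7 +19,7 @@` hunk) is bare, so a catalog that is missing or installed under another name ends in the untranslated `_` fallback exactly as any unrelated error would, and a wrong domain string goes unnoticed. Narrowing it to `except (ImportError, OSError):` keeps the fallback for the expected cases only (on Python 2 the lookup failure is an `IOError`, if that interpreter is still supported). The fallback `def _(str):` also shadows the builtin `str`; its body lies outside the hunk. A one-line comment above the call, `# domain must match selinux-$(NLSPACKAGE).mo installed by python/po/Makefile`, would tie the string to the install rule that patch 0012 adds.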
@@ -0,0 +1,4532 @@ +From c8c59758d2fb7f6cbe368c9ff8f356ea7acebb4b Mon Sep 17 00:00:00 2001 +From: Petr Lautrbach +Date: Mon, 6 Aug 2018 14:23:19 +0200 +Subject: [PATCH] Initial .pot files for gui/ python/ sandbox/ + +https://github.com/fedora-selinux/selinux/issues/43 +--- + gui/po/gui.pot | 964 ++++++++++++ + python/po/python.pot | 3375 ++++++++++++++++++++++++++++++++++++++++ + sandbox/po/sandbox.pot | 157 ++ + 3 files changed, 4496 insertions(+) + create mode 100644 gui/po/gui.pot + create mode 100644 python/po/python.pot + create mode 100644 sandbox/po/sandbox.pot + +diff --git a/gui/po/gui.pot b/gui/po/gui.pot +new file mode 100644 +index 00000000..1663b4ca +--- /dev/null ++++ b/gui/po/gui.pot +@@ -0,0 +1,964 @@ ++# SOME DESCRIPTIVE TITLE. ++# Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER ++# This file is distributed under the same license as the PACKAGE package. ++# FIRST AUTHOR , YEAR. ++# ++#, fuzzy ++msgid "" ++msgstr "" ++"Project-Id-Version: PACKAGE VERSION\n" ++"Report-Msgid-Bugs-To: \n" ++"POT-Creation-Date: 2018-08-06 14:22+0200\n" ++"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" ++"Last-Translator: FULL NAME \n" ++"Language-Team: LANGUAGE \n" ++"Language: \n" ++"MIME-Version: 1.0\n" ++"Content-Type: text/plain; charset=CHARSET\n" ++"Content-Transfer-Encoding: 8bit\n" ++ ++#: ../booleansPage.py:198 ../system-config-selinux.ui:1025 ++msgid "Boolean" ++msgstr "" ++ ++#: ../booleansPage.py:248 ../semanagePage.py:166 ++msgid "all" ++msgstr "" ++ ++#: ../booleansPage.py:250 ../semanagePage.py:168 ++#: ../system-config-selinux.ui:961 ../system-config-selinux.ui:1097 ++#: ../system-config-selinux.ui:1506 ++msgid "Customized" ++msgstr "" ++ ++#: ../domainsPage.py:55 ../system-config-selinux.ui:1834 ++msgid "Process Domain" ++msgstr "" ++ ++#: ../domainsPage.py:63 ++msgid "Domain Name" ++msgstr "" ++ ++#: ../domainsPage.py:68 ++msgid "Mode" ++msgstr "" ++ ++#: ../domainsPage.py:101 ../domainsPage.py:112 ../domainsPage.py:156 ++#: ../statusPage.py:73 
../system-config-selinux.ui:622 ++#: ../system-config-selinux.ui:1755 ++msgid "Permissive" ++msgstr "" ++ ++#: ../fcontextPage.py:72 ../system-config-selinux.ui:1160 ++msgid "File Labeling" ++msgstr "" ++ ++#: ../fcontextPage.py:82 ++msgid "" ++"File\n" ++"Specification" ++msgstr "" ++ ++#: ../fcontextPage.py:89 ++msgid "" ++"Selinux\n" ++"File Type" ++msgstr "" ++ ++#: ../fcontextPage.py:96 ++msgid "" ++"File\n" ++"Type" ++msgstr "" ++ ++#: ../loginsPage.py:55 ../system-config-selinux.ui:1281 ++msgid "User Mapping" ++msgstr "" ++ ++#: ../loginsPage.py:59 ++msgid "" ++"Login\n" ++"Name" ++msgstr "" ++ ++#: ../loginsPage.py:63 ../usersPage.py:60 ++msgid "" ++"SELinux\n" ++"User" ++msgstr "" ++ ++#: ../loginsPage.py:66 ../usersPage.py:65 ++msgid "" ++"MLS/\n" ++"MCS Range" ++msgstr "" ++ ++#: ../loginsPage.py:135 ++#, python-format ++msgid "Login '%s' is required" ++msgstr "" ++ ++#: ../modulesPage.py:55 ../system-config-selinux.ui:1722 ++msgid "Policy Module" ++msgstr "" ++ ++#: ../modulesPage.py:65 ++msgid "Module Name" ++msgstr "" ++ ++#: ../modulesPage.py:70 ++msgid "Priority" ++msgstr "" ++ ++#: ../modulesPage.py:79 ++msgid "Kind" ++msgstr "" ++ ++#: ../modulesPage.py:147 ++msgid "Disable Audit" ++msgstr "" ++ ++#: ../modulesPage.py:150 ../system-config-selinux.ui:1659 ++msgid "Enable Audit" ++msgstr "" ++ ++#: ../modulesPage.py:175 ++msgid "Load Policy Module" ++msgstr "" ++ ++#: ../org.selinux.config.policy:11 ++msgid "Run System Config SELinux" ++msgstr "" ++ ++#: ../org.selinux.config.policy:12 ++msgid "Authentication is required to run system-config-selinux" ++msgstr "" ++ ++#: ../polgengui.py:288 ../polgen.ui:728 ++msgid "Name" ++msgstr "" ++ ++#: ../polgengui.py:290 ../polgen.ui:111 ++msgid "Description" ++msgstr "" ++ ++#: ../polgengui.py:298 ++msgid "Role" ++msgstr "" ++ ++#: ../polgengui.py:305 ++msgid "Existing_User" ++msgstr "" ++ ++#: ../polgengui.py:319 ../polgengui.py:327 ../polgengui.py:341 ++msgid "Application" ++msgstr "" ++ ++#: 
../polgengui.py:386 ++#, python-format ++msgid "%s must be a directory" ++msgstr "" ++ ++#: ../polgengui.py:446 ../polgengui.py:727 ++msgid "You must select a user" ++msgstr "" ++ ++#: ../polgengui.py:576 ++msgid "Select executable file to be confined." ++msgstr "" ++ ++#: ../polgengui.py:587 ++msgid "Select init script file to be confined." ++msgstr "" ++ ++#: ../polgengui.py:597 ++msgid "Select file(s) that confined application creates or writes" ++msgstr "" ++ ++#: ../polgengui.py:604 ++msgid "Select directory(s) that the confined application owns and writes into" ++msgstr "" ++ ++#: ../polgengui.py:666 ++msgid "Select directory to generate policy files in" ++msgstr "" ++ ++#: ../polgengui.py:683 ++#, python-format ++msgid "" ++"Type %s_t already defined in current policy.\n" ++"Do you want to continue?" ++msgstr "" ++ ++#: ../polgengui.py:683 ../polgengui.py:687 ++msgid "Verify Name" ++msgstr "" ++ ++#: ../polgengui.py:687 ++#, python-format ++msgid "" ++"Module %s already loaded in current policy.\n" ++"Do you want to continue?" ++msgstr "" ++ ++#: ../polgengui.py:733 ++msgid "" ++"You must add a name made up of letters and numbers and containing no spaces." ++msgstr "" ++ ++#: ../polgengui.py:747 ++msgid "You must enter a executable" ++msgstr "" ++ ++#: ../polgengui.py:772 ../system-config-selinux.py:184 ++msgid "Configue SELinux" ++msgstr "" ++ ++#: ../polgen.ui:9 ++msgid "Red Hat 2007" ++msgstr "" ++ ++#: ../polgen.ui:11 ++msgid "GPL" ++msgstr "" ++ ++#. TRANSLATORS: Replace this string with your names, one name per line. 
++#: ../polgen.ui:13 ../system-config-selinux.ui:15 ++msgid "translator-credits" ++msgstr "" ++ ++#: ../polgen.ui:34 ++msgid "Add Booleans Dialog" ++msgstr "" ++ ++#: ../polgen.ui:99 ++msgid "Boolean Name" ++msgstr "" ++ ++#: ../polgen.ui:234 ../selinux-polgengui.desktop:3 ++msgid "SELinux Policy Generation Tool" ++msgstr "" ++ ++#: ../polgen.ui:255 ++msgid "" ++"Select the policy type for the application or user role you want to " ++"confine:" ++msgstr "" ++ ++#: ../polgen.ui:288 ++msgid "Applications" ++msgstr "" ++ ++#: ../polgen.ui:320 ++msgid "Standard Init Daemon" ++msgstr "" ++ ++#: ../polgen.ui:324 ../polgen.ui:340 ++msgid "" ++"Standard Init Daemon are daemons started on boot via init scripts. Usually " ++"requires a script in /etc/rc.d/init.d" ++msgstr "" ++ ++#: ../polgen.ui:336 ++msgid "DBUS System Daemon" ++msgstr "" ++ ++#: ../polgen.ui:353 ++msgid "Internet Services Daemon (inetd)" ++msgstr "" ++ ++#: ../polgen.ui:357 ++msgid "Internet Services Daemon are daemons started by xinetd" ++msgstr "" ++ ++#: ../polgen.ui:370 ++msgid "Web Application/Script (CGI)" ++msgstr "" ++ ++#: ../polgen.ui:374 ++msgid "" ++"Web Applications/Script (CGI) CGI scripts started by the web server (apache)" ++msgstr "" ++ ++#: ../polgen.ui:387 ++msgid "User Application" ++msgstr "" ++ ++#: ../polgen.ui:391 ../polgen.ui:408 ++msgid "" ++"User Application are any application that you would like to confine that is " ++"started by a user" ++msgstr "" ++ ++#: ../polgen.ui:404 ++msgid "Sandbox" ++msgstr "" ++ ++#: ../polgen.ui:450 ++msgid "Login Users" ++msgstr "" ++ ++#: ../polgen.ui:482 ++msgid "Existing User Roles" ++msgstr "" ++ ++#: ../polgen.ui:486 ++msgid "Modify an existing login user record." ++msgstr "" ++ ++#: ../polgen.ui:499 ++msgid "Minimal Terminal User Role" ++msgstr "" ++ ++#: ../polgen.ui:503 ++msgid "" ++"This user will login to a machine only via a terminal or remote login. By " ++"default this user will have no setuid, no networking, no su, no sudo." 
++msgstr "" ++ ++#: ../polgen.ui:516 ++msgid "Minimal X Windows User Role" ++msgstr "" ++ ++#: ../polgen.ui:520 ++msgid "" ++"This user can login to a machine via X or terminal. By default this user " ++"will have no setuid, no networking, no sudo, no su" ++msgstr "" ++ ++#: ../polgen.ui:533 ++msgid "User Role" ++msgstr "" ++ ++#: ../polgen.ui:537 ++msgid "" ++"User with full networking, no setuid applications without transition, no " ++"sudo, no su." ++msgstr "" ++ ++#: ../polgen.ui:550 ++msgid "Admin User Role" ++msgstr "" ++ ++#: ../polgen.ui:554 ++msgid "" ++"User with full networking, no setuid applications without transition, no su, " ++"can sudo to Root Administration Roles" ++msgstr "" ++ ++#: ../polgen.ui:596 ++msgid "Root Users" ++msgstr "" ++ ++#: ../polgen.ui:627 ++msgid "Root Admin User Role" ++msgstr "" ++ ++#: ../polgen.ui:631 ++msgid "" ++"Select Root Administrator User Role, if this user will be used to administer " ++"the machine while running as root. This user will not be able to login to " ++"the system directly." ++msgstr "" ++ ++#: ../polgen.ui:705 ++msgid "Enter name of application or user role:" ++msgstr "" ++ ++#: ../polgen.ui:739 ++msgid "Enter complete path for executable to be confined." ++msgstr "" ++ ++#: ../polgen.ui:756 ../polgen.ui:838 ../polgen.ui:2317 ++msgid "..." ++msgstr "" ++ ++#: ../polgen.ui:776 ++msgid "Enter unique name for the confined application or user role." ++msgstr "" ++ ++#: ../polgen.ui:794 ++msgid "Executable" ++msgstr "" ++ ++#: ../polgen.ui:808 ++msgid "Init script" ++msgstr "" ++ ++#: ../polgen.ui:821 ++msgid "" ++"Enter complete path to init script used to start the confined application." ++msgstr "" ++ ++#: ../polgen.ui:883 ++msgid "Select existing role to modify:" ++msgstr "" ++ ++#: ../polgen.ui:904 ++#, python-format ++msgid "Select the user roles that will transiton to the %s domain." 
++msgstr "" ++ ++#: ../polgen.ui:921 ++msgid "role tab" ++msgstr "" ++ ++#: ../polgen.ui:937 ++#, python-format ++msgid "Select roles that %s will transition to:" ++msgstr "" ++ ++#: ../polgen.ui:955 ++#, python-format ++msgid "Select applications domains that %s will transition to." ++msgstr "" ++ ++#: ../polgen.ui:972 ++msgid "" ++"transition \n" ++"role tab" ++msgstr "" ++ ++#: ../polgen.ui:989 ++#, python-format ++msgid "Select the user_roles that will transition to %s:" ++msgstr "" ++ ++#: ../polgen.ui:1007 ++msgid "Select the user roles that will transiton to this applications domains." ++msgstr "" ++ ++#: ../polgen.ui:1040 ++#, python-format ++msgid "Select domains that %s will administer:" ++msgstr "" ++ ++#: ../polgen.ui:1058 ../polgen.ui:1109 ++msgid "Select the domains that you would like this user administer." ++msgstr "" ++ ++#: ../polgen.ui:1091 ++#, python-format ++msgid "Select additional roles for %s:" ++msgstr "" ++ ++#: ../polgen.ui:1142 ++#, python-format ++msgid "Enter network ports that %s binds on:" ++msgstr "" ++ ++#: ../polgen.ui:1162 ../polgen.ui:1529 ++msgid "TCP Ports" ++msgstr "" ++ ++#: ../polgen.ui:1199 ../polgen.ui:1366 ../polgen.ui:1561 ../polgen.ui:1670 ++msgid "All" ++msgstr "" ++ ++#: ../polgen.ui:1203 ../polgen.ui:1370 ++#, python-format ++msgid "Allows %s to bind to any udp port" ++msgstr "" ++ ++#: ../polgen.ui:1216 ../polgen.ui:1383 ++msgid "600-1024" ++msgstr "" ++ ++#: ../polgen.ui:1220 ../polgen.ui:1387 ++#, python-format ++msgid "Allow %s to call bindresvport with 0. Binding to port 600-1024" ++msgstr "" ++ ++#: ../polgen.ui:1233 ../polgen.ui:1400 ++msgid "Unreserved Ports (>1024)" ++msgstr "" ++ ++#: ../polgen.ui:1237 ../polgen.ui:1404 ++#, python-format ++msgid "" ++"Enter a comma separated list of udp ports or ranges of ports that %s binds " ++"to. 
Example: 612, 650-660" ++msgstr "" ++ ++#: ../polgen.ui:1265 ../polgen.ui:1432 ../polgen.ui:1581 ../polgen.ui:1690 ++msgid "Select Ports" ++msgstr "" ++ ++#: ../polgen.ui:1278 ../polgen.ui:1445 ++#, python-format ++msgid "Allows %s to bind to any udp ports > 1024" ++msgstr "" ++ ++#: ../polgen.ui:1329 ../polgen.ui:1638 ++msgid "UDP Ports" ++msgstr "" ++ ++#: ../polgen.ui:1492 ++msgid "" ++"Network\n" ++"Bind tab" ++msgstr "" ++ ++#: ../polgen.ui:1509 ++#, python-format ++msgid "Select network ports that %s connects to:" ++msgstr "" ++ ++#: ../polgen.ui:1565 ++#, python-format ++msgid "Allows %s to connect to any tcp port" ++msgstr "" ++ ++#: ../polgen.ui:1594 ++#, python-format ++msgid "" ++"Enter a comma separated list of tcp ports or ranges of ports that %s " ++"connects to. Example: 612, 650-660" ++msgstr "" ++ ++#: ../polgen.ui:1674 ++#, python-format ++msgid "Allows %s to connect to any udp port" ++msgstr "" ++ ++#: ../polgen.ui:1703 ++#, python-format ++msgid "" ++"Enter a comma separated list of udp ports or ranges of ports that %s " ++"connects to. 
Example: 612, 650-660" ++msgstr "" ++ ++#: ../polgen.ui:1760 ++#, python-format ++msgid "Select common application traits for %s:" ++msgstr "" ++ ++#: ../polgen.ui:1777 ++msgid "Writes syslog messages\t" ++msgstr "" ++ ++#: ../polgen.ui:1792 ++msgid "Create/Manipulate temporary files in /tmp" ++msgstr "" ++ ++#: ../polgen.ui:1807 ++msgid "Uses Pam for authentication" ++msgstr "" ++ ++#: ../polgen.ui:1822 ++msgid "Uses nsswitch or getpw* calls" ++msgstr "" ++ ++#: ../polgen.ui:1837 ++msgid "Uses dbus" ++msgstr "" ++ ++#: ../polgen.ui:1852 ++msgid "Sends audit messages" ++msgstr "" ++ ++#: ../polgen.ui:1867 ++msgid "Interacts with the terminal" ++msgstr "" ++ ++#: ../polgen.ui:1882 ++msgid "Sends email" ++msgstr "" ++ ++#: ../polgen.ui:1925 ++#, python-format ++msgid "Add files/directories that %s manages" ++msgstr "" ++ ++#: ../polgen.ui:2086 ++#, python-format ++msgid "" ++"Files/Directories which the %s \"manages\". Pid Files, Log Files, /var/lib " ++"Files ..." ++msgstr "" ++ ++#: ../polgen.ui:2126 ++#, python-format ++msgid "Add booleans from the %s policy:" ++msgstr "" ++ ++#: ../polgen.ui:2234 ++#, python-format ++msgid "Add/Remove booleans used by the %s domain" ++msgstr "" ++ ++#: ../polgen.ui:2272 ++#, python-format ++msgid "Which directory you will generate the %s policy?" ++msgstr "" ++ ++#: ../polgen.ui:2290 ++msgid "Policy Directory" ++msgstr "" ++ ++#: ../portsPage.py:60 ../system-config-selinux.ui:1570 ++msgid "Network Port" ++msgstr "" ++ ++#: ../portsPage.py:95 ++msgid "" ++"SELinux Port\n" ++"Type" ++msgstr "" ++ ++#: ../portsPage.py:101 ../system-config-selinux.ui:294 ++msgid "Protocol" ++msgstr "" ++ ++#: ../portsPage.py:106 ../system-config-selinux.ui:355 ++msgid "" ++"MLS/MCS\n" ++"Level" ++msgstr "" ++ ++#: ../portsPage.py:111 ++msgid "Port" ++msgstr "" ++ ++#: ../portsPage.py:213 ++#, python-format ++msgid "Port number \"%s\" is not valid. 
0 < PORT_NUMBER < 65536 " ++msgstr "" ++ ++#: ../portsPage.py:258 ++msgid "List View" ++msgstr "" ++ ++#: ../portsPage.py:261 ../system-config-selinux.ui:1492 ++msgid "Group View" ++msgstr "" ++ ++#: ../selinux-polgengui.desktop:32 ../sepolicy.desktop:4 ++msgid "Generate SELinux policy modules" ++msgstr "" ++ ++#: ../selinux-polgengui.desktop:62 ../system-config-selinux.desktop:62 ++msgid "system-config-selinux" ++msgstr "" ++ ++#: ../semanagePage.py:130 ++#, python-format ++msgid "Are you sure you want to delete %s '%s'?" ++msgstr "" ++ ++#: ../semanagePage.py:130 ++#, python-format ++msgid "Delete %s" ++msgstr "" ++ ++#: ../semanagePage.py:138 ++#, python-format ++msgid "Add %s" ++msgstr "" ++ ++#: ../semanagePage.py:152 ++#, python-format ++msgid "Modify %s" ++msgstr "" ++ ++#: ../sepolicy.desktop:3 ++msgid "SELinux Policy Management Tool" ++msgstr "" ++ ++#: ../sepolicy.desktop:5 ++msgid "sepolicy" ++msgstr "" ++ ++#: ../sepolicy.desktop:11 ++msgid "policy;security;selinux;avc;permission;mac;" ++msgstr "" ++ ++#: ../statusPage.py:74 ../system-config-selinux.ui:625 ++#: ../system-config-selinux.ui:1770 ++msgid "Enforcing" ++msgstr "" ++ ++#: ../statusPage.py:79 ../system-config-selinux.ui:619 ++msgid "Disabled" ++msgstr "" ++ ++#: ../statusPage.py:98 ++msgid "Status" ++msgstr "" ++ ++#: ../statusPage.py:137 ++msgid "" ++"Changing the policy type will cause a relabel of the entire file system on " ++"the next boot. Relabeling takes a long time depending on the size of the " ++"file system. Do you wish to continue?" ++msgstr "" ++ ++#: ../statusPage.py:151 ++msgid "" ++"Changing to SELinux disabled requires a reboot. It is not recommended. If " ++"you later decide to turn SELinux back on, the system will be required to " ++"relabel. If you just want to see if SELinux is causing a problem on your " ++"system, you can go to permissive mode which will only log errors and not " ++"enforce SELinux policy. 
Permissive mode does not require a reboot Do you " ++"wish to continue?" ++msgstr "" ++ ++#: ../statusPage.py:156 ++msgid "" ++"Changing to SELinux enabled will cause a relabel of the entire file system " ++"on the next boot. Relabeling takes a long time depending on the size of the " ++"file system. Do you wish to continue?" ++msgstr "" ++ ++#: ../system-config-selinux.desktop:3 ++msgid "SELinux Management" ++msgstr "" ++ ++#: ../system-config-selinux.desktop:32 ++msgid "Configure SELinux in a graphical setting" ++msgstr "" ++ ++#: ../system-config-selinux.ui:11 ++msgid "" ++"Copyright (c)2006 Red Hat, Inc.\n" ++"Copyright (c) 2006 Dan Walsh " ++msgstr "" ++ ++#: ../system-config-selinux.ui:53 ../system-config-selinux.ui:433 ++msgid "Add SELinux Login Mapping" ++msgstr "" ++ ++#: ../system-config-selinux.ui:117 ++msgid "Login Name" ++msgstr "" ++ ++#: ../system-config-selinux.ui:128 ../system-config-selinux.ui:1402 ++#: ../system-config-selinux.ui:1937 ../usersPage.py:54 ++msgid "SELinux User" ++msgstr "" ++ ++#: ../system-config-selinux.ui:139 ../system-config-selinux.ui:1948 ++msgid "MLS/MCS Range" ++msgstr "" ++ ++#: ../system-config-selinux.ui:219 ++msgid "Add SELinux Network Ports" ++msgstr "" ++ ++#: ../system-config-selinux.ui:283 ++msgid "Port Number" ++msgstr "" ++ ++#: ../system-config-selinux.ui:305 ../system-config-selinux.ui:519 ++msgid "SELinux Type" ++msgstr "" ++ ++#: ../system-config-selinux.ui:406 ++msgid "all files" ++msgstr "" ++ ++#: ../system-config-selinux.ui:409 ++msgid "regular file" ++msgstr "" ++ ++#: ../system-config-selinux.ui:412 ++msgid "directory" ++msgstr "" ++ ++#: ../system-config-selinux.ui:415 ++msgid "character device" ++msgstr "" ++ ++#: ../system-config-selinux.ui:418 ++msgid "block device" ++msgstr "" ++ ++#: ../system-config-selinux.ui:421 ++msgid "socket file" ++msgstr "" ++ ++#: ../system-config-selinux.ui:424 ++msgid "symbolic link" ++msgstr "" ++ ++#: ../system-config-selinux.ui:427 ++msgid "named pipe" ++msgstr "" ++ 
++#: ../system-config-selinux.ui:497 ++msgid "File Specification" ++msgstr "" ++ ++#: ../system-config-selinux.ui:508 ++msgid "File Type" ++msgstr "" ++ ++#: ../system-config-selinux.ui:569 ++msgid "MLS" ++msgstr "" ++ ++#: ../system-config-selinux.ui:631 ++msgid "SELinux Administration" ++msgstr "" ++ ++#: ../system-config-selinux.ui:648 ++msgid "_File" ++msgstr "" ++ ++#: ../system-config-selinux.ui:656 ++msgid "_Add" ++msgstr "" ++ ++#: ../system-config-selinux.ui:668 ++msgid "_Properties" ++msgstr "" ++ ++#: ../system-config-selinux.ui:680 ++msgid "_Delete" ++msgstr "" ++ ++#: ../system-config-selinux.ui:707 ++msgid "_Help" ++msgstr "" ++ ++#: ../system-config-selinux.ui:754 ++msgid "Select Management Object" ++msgstr "" ++ ++#: ../system-config-selinux.ui:767 ++msgid "Select:" ++msgstr "" ++ ++#: ../system-config-selinux.ui:797 ++msgid "System Default Enforcing Mode" ++msgstr "" ++ ++#: ../system-config-selinux.ui:826 ++msgid "Current Enforcing Mode" ++msgstr "" ++ ++#: ../system-config-selinux.ui:848 ++msgid "System Default Policy Type: " ++msgstr "" ++ ++#: ../system-config-selinux.ui:871 ++msgid "" ++"Select if you wish to relabel then entire file system on next reboot. " ++"Relabeling can take a very long time, depending on the size of the system. " ++"If you are changing policy types or going from disabled to enforcing, a " ++"relabel is required." ++msgstr "" ++ ++#: ../system-config-selinux.ui:903 ++msgid "Relabel on next reboot." 
++msgstr "" ++ ++#: ../system-config-selinux.ui:947 ++msgid "Revert boolean setting to system default" ++msgstr "" ++ ++#: ../system-config-selinux.ui:960 ++msgid "Toggle between Customized and All Booleans" ++msgstr "" ++ ++#: ../system-config-selinux.ui:986 ../system-config-selinux.ui:1122 ++#: ../system-config-selinux.ui:1242 ../system-config-selinux.ui:1363 ++#: ../system-config-selinux.ui:1531 ../system-config-selinux.ui:1683 ++#: ../system-config-selinux.ui:1795 ++msgid "Filter" ++msgstr "" ++ ++#: ../system-config-selinux.ui:1057 ++msgid "Add File Context" ++msgstr "" ++ ++#: ../system-config-selinux.ui:1070 ++msgid "Modify File Context" ++msgstr "" ++ ++#: ../system-config-selinux.ui:1083 ++msgid "Delete File Context" ++msgstr "" ++ ++#: ../system-config-selinux.ui:1096 ++msgid "Toggle between all and customized file context" ++msgstr "" ++ ++#: ../system-config-selinux.ui:1192 ++msgid "Add SELinux User Mapping" ++msgstr "" ++ ++#: ../system-config-selinux.ui:1205 ++msgid "Modify SELinux User Mapping" ++msgstr "" ++ ++#: ../system-config-selinux.ui:1218 ++msgid "Delete SELinux User Mapping" ++msgstr "" ++ ++#: ../system-config-selinux.ui:1313 ++msgid "Add User" ++msgstr "" ++ ++#: ../system-config-selinux.ui:1326 ++msgid "Modify User" ++msgstr "" ++ ++#: ../system-config-selinux.ui:1339 ++msgid "Delete User" ++msgstr "" ++ ++#: ../system-config-selinux.ui:1434 ++msgid "Add Network Port" ++msgstr "" ++ ++#: ../system-config-selinux.ui:1447 ++msgid "Edit Network Port" ++msgstr "" ++ ++#: ../system-config-selinux.ui:1460 ++msgid "Delete Network Port" ++msgstr "" ++ ++#: ../system-config-selinux.ui:1491 ../system-config-selinux.ui:1505 ++msgid "Toggle between Customized and All Ports" ++msgstr "" ++ ++#: ../system-config-selinux.ui:1602 ++msgid "Generate new policy module" ++msgstr "" ++ ++#: ../system-config-selinux.ui:1614 ++msgid "Load policy module" ++msgstr "" ++ ++#: ../system-config-selinux.ui:1627 ++msgid "Remove loadable policy module" ++msgstr "" ++ 
++#: ../system-config-selinux.ui:1658 ++msgid "" ++"Enable/Disable additional audit rules, that are normally not reported in the " ++"log files." ++msgstr "" ++ ++#: ../system-config-selinux.ui:1754 ++msgid "Change process mode to permissive." ++msgstr "" ++ ++#: ../system-config-selinux.ui:1769 ++msgid "Change process mode to enforcing" ++msgstr "" ++ ++#: ../system-config-selinux.ui:1873 ++msgid "Add SELinux User" ++msgstr "" ++ ++#: ../system-config-selinux.ui:1970 ../usersPage.py:69 ++msgid "SELinux Roles" ++msgstr "" ++ ++#: ../usersPage.py:142 ++#, python-format ++msgid "SELinux user '%s' is required" ++msgstr "" +diff --git a/python/po/python.pot b/python/po/python.pot +new file mode 100644 +index 00000000..a279b0e8 +--- /dev/null ++++ b/python/po/python.pot +@@ -0,0 +1,3375 @@ ++# SOME DESCRIPTIVE TITLE. ++# Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER ++# This file is distributed under the same license as the PACKAGE package. ++# FIRST AUTHOR , YEAR. ++# ++#, fuzzy ++msgid "" ++msgstr "" ++"Project-Id-Version: PACKAGE VERSION\n" ++"Report-Msgid-Bugs-To: \n" ++"POT-Creation-Date: 2018-08-06 14:22+0200\n" ++"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" ++"Last-Translator: FULL NAME \n" ++"Language-Team: LANGUAGE \n" ++"Language: \n" ++"MIME-Version: 1.0\n" ++"Content-Type: text/plain; charset=CHARSET\n" ++"Content-Transfer-Encoding: 8bit\n" ++ ++#: ../audit2allow/audit2allow:237 ++msgid "******************** IMPORTANT ***********************\n" ++msgstr "" ++ ++#: ../audit2allow/audit2allow:238 ++#, python-format ++msgid "" ++"To make this policy package active, execute:\n" ++"\n" ++"semodule -i %s\n" ++"\n" ++msgstr "" ++ ++#: ../chcat/chcat:115 ../chcat/chcat:194 ++msgid "Requires at least one category" ++msgstr "" ++ ++#: ../chcat/chcat:129 ../chcat/chcat:208 ++#, python-format ++msgid "Can not modify sensitivity levels using '+' on %s" ++msgstr "" ++ ++#: ../chcat/chcat:133 ++#, python-format ++msgid "%s is already in %s" ++msgstr "" ++ ++#: 
../chcat/chcat:213 ../chcat/chcat:223 ++#, python-format ++msgid "%s is not in %s" ++msgstr "" ++ ++#: ../chcat/chcat:295 ../chcat/chcat:300 ++msgid "Can not combine +/- with other types of categories" ++msgstr "" ++ ++#: ../chcat/chcat:350 ++msgid "Can not have multiple sensitivities" ++msgstr "" ++ ++#: ../chcat/chcat:357 ++#, python-format ++msgid "Usage %s CATEGORY File ..." ++msgstr "" ++ ++#: ../chcat/chcat:358 ++#, python-format ++msgid "Usage %s -l CATEGORY user ..." ++msgstr "" ++ ++#: ../chcat/chcat:359 ++#, python-format ++msgid "Usage %s [[+|-]CATEGORY],...] File ..." ++msgstr "" ++ ++#: ../chcat/chcat:360 ++#, python-format ++msgid "Usage %s -l [[+|-]CATEGORY],...] user ..." ++msgstr "" ++ ++#: ../chcat/chcat:361 ++#, python-format ++msgid "Usage %s -d File ..." ++msgstr "" ++ ++#: ../chcat/chcat:362 ++#, python-format ++msgid "Usage %s -l -d user ..." ++msgstr "" ++ ++#: ../chcat/chcat:363 ++#, python-format ++msgid "Usage %s -L" ++msgstr "" ++ ++#: ../chcat/chcat:364 ++#, python-format ++msgid "Usage %s -L -l user" ++msgstr "" ++ ++#: ../chcat/chcat:365 ++msgid "Use -- to end option list. 
For example" ++msgstr "" ++ ++#: ../chcat/chcat:366 ++msgid "chcat -- -CompanyConfidential /docs/businessplan.odt" ++msgstr "" ++ ++#: ../chcat/chcat:367 ++msgid "chcat -l +CompanyConfidential juser" ++msgstr "" ++ ++#: ../chcat/chcat:436 ++#, python-format ++msgid "Options Error %s " ++msgstr "" ++ ++#: ../semanage/semanage:203 ++msgid "Select an alternate SELinux Policy Store to manage" ++msgstr "" ++ ++#: ../semanage/semanage:207 ++msgid "Select a priority for module operations" ++msgstr "" ++ ++#: ../semanage/semanage:211 ++#, python-format ++msgid "Do not print heading when listing %s object types" ++msgstr "" ++ ++#: ../semanage/semanage:215 ++msgid "Do not reload policy after commit" ++msgstr "" ++ ++#: ../semanage/semanage:219 ++#, python-format ++msgid "List %s local customizations" ++msgstr "" ++ ++#: ../semanage/semanage:223 ++#, python-format ++msgid "Add a record of the %s object type" ++msgstr "" ++ ++#: ../semanage/semanage:227 ++msgid "SELinux Type for the object" ++msgstr "" ++ ++#: ../semanage/semanage:231 ++msgid "" ++"Default SELinux Level for SELinux user, s0 Default. 
(MLS/MCS Systems only)" ++msgstr "" ++ ++#: ../semanage/semanage:236 ++msgid "" ++"\n" ++"MLS/MCS Security Range (MLS/MCS Systems only)\n" ++"SELinux Range for SELinux login mapping\n" ++"defaults to the SELinux user record range.\n" ++"SELinux Range for SELinux user defaults to s0.\n" ++msgstr "" ++ ++#: ../semanage/semanage:245 ++msgid "" ++"\n" ++" Protocol for the specified port (tcp|udp) or internet protocol\n" ++" version for the specified node (ipv4|ipv6).\n" ++msgstr "" ++ ++#: ../semanage/semanage:251 ++msgid "" ++"\n" ++" Subnet prefix for the specified infiniband ibpkey.\n" ++msgstr "" ++ ++#: ../semanage/semanage:256 ++msgid "" ++"\n" ++" Name for the specified infiniband end port.\n" ++msgstr "" ++ ++#: ../semanage/semanage:261 ++#, python-format ++msgid "Modify a record of the %s object type" ++msgstr "" ++ ++#: ../semanage/semanage:265 ++#, python-format ++msgid "List records of the %s object type" ++msgstr "" ++ ++#: ../semanage/semanage:269 ++#, python-format ++msgid "Delete a record of the %s object type" ++msgstr "" ++ ++#: ../semanage/semanage:273 ++msgid "Extract customizable commands, for use within a transaction" ++msgstr "" ++ ++#: ../semanage/semanage:277 ++#, python-format ++msgid "Remove all %s objects local customizations" ++msgstr "" ++ ++#: ../semanage/semanage:281 ++msgid "SELinux user name" ++msgstr "" ++ ++#: ../semanage/semanage:286 ++msgid "Manage login mappings between linux users and SELinux confined users" ++msgstr "" ++ ++#: ../semanage/semanage:303 ++#, python-format ++msgid "login_name | %%groupname" ++msgstr "" ++ ++#: ../semanage/semanage:355 ++msgid "Manage file context mapping definitions" ++msgstr "" ++ ++#: ../semanage/semanage:369 ++msgid "" ++"Substitute target path with sourcepath when generating default\n" ++" label. " ++"This is used with fcontext. Requires source and target\n" ++" path " ++"arguments. The context labeling for the target subtree is\n" ++" made " ++"equivalent to that defined for the source." 
++msgstr "" ++ ++#: ../semanage/semanage:377 ++msgid "file_spec" ++msgstr "" ++ ++#: ../semanage/semanage:405 ++msgid "Manage SELinux confined users (Roles and levels for an SELinux user)" ++msgstr "" ++ ++#: ../semanage/semanage:423 ++msgid "" ++"\n" ++"SELinux Roles. You must enclose multiple roles within " ++"quotes, separate by spaces. Or specify -R multiple times.\n" ++msgstr "" ++ ++#: ../semanage/semanage:427 ++msgid "selinux_name" ++msgstr "" ++ ++#: ../semanage/semanage:455 ++msgid "Manage network port type definitions" ++msgstr "" ++ ++#: ../semanage/semanage:471 ++msgid "port | port_range" ++msgstr "" ++ ++#: ../semanage/semanage:500 ++msgid "Manage infiniband ibpkey type definitions" ++msgstr "" ++ ++#: ../semanage/semanage:516 ++msgid "pkey | pkey_range" ++msgstr "" ++ ++#: ../semanage/semanage:543 ++msgid "Manage infiniband end port type definitions" ++msgstr "" ++ ++#: ../semanage/semanage:559 ++msgid "ibendport" ++msgstr "" ++ ++#: ../semanage/semanage:586 ++msgid "Manage network interface type definitions" ++msgstr "" ++ ++#: ../semanage/semanage:601 ++msgid "interface_spec" ++msgstr "" ++ ++#: ../semanage/semanage:625 ++msgid "Manage SELinux policy modules" ++msgstr "" ++ ++#: ../semanage/semanage:637 ++msgid "Remove a module" ++msgstr "" ++ ++#: ../semanage/semanage:638 ++msgid "Disable a module" ++msgstr "" ++ ++#: ../semanage/semanage:639 ++msgid "Enable a module" ++msgstr "" ++ ++#: ../semanage/semanage:640 ++msgid "Name of the module to act on" ++msgstr "" ++ ++#: ../semanage/semanage:667 ++msgid "Manage network node type definitions" ++msgstr "" ++ ++#: ../semanage/semanage:681 ++msgid "Network Mask" ++msgstr "" ++ ++#: ../semanage/semanage:685 ++msgid "node" ++msgstr "" ++ ++#: ../semanage/semanage:710 ++msgid "Manage booleans to selectively enable functionality" ++msgstr "" ++ ++#: ../semanage/semanage:715 ++msgid "boolean" ++msgstr "" ++ ++#: ../semanage/semanage:725 ++msgid "Enable the boolean" ++msgstr "" ++ ++#: 
../semanage/semanage:726 ++msgid "Disable the boolean" ++msgstr "" ++ ++#: ../semanage/semanage:743 ++msgid "semanage permissive: error: the following argument is required: type\n" ++msgstr "" ++ ++#: ../semanage/semanage:748 ++msgid "Manage process type enforcement mode" ++msgstr "" ++ ++#: ../semanage/semanage:760 ../semanage/seobject.py:2611 ++msgid "type" ++msgstr "" ++ ++#: ../semanage/semanage:771 ++msgid "Disable/Enable dontaudit rules in policy" ++msgstr "" ++ ++#: ../semanage/semanage:791 ++msgid "Output local customizations" ++msgstr "" ++ ++#: ../semanage/semanage:793 ++msgid "Output file" ++msgstr "" ++ ++#: ../semanage/semanage:871 ++msgid "Import local customizations" ++msgstr "" ++ ++#: ../semanage/semanage:874 ++msgid "Input file" ++msgstr "" ++ ++#: ../semanage/seobject.py:274 ++msgid "Could not create semanage handle" ++msgstr "" ++ ++#: ../semanage/seobject.py:282 ++msgid "SELinux policy is not managed or store cannot be accessed." ++msgstr "" ++ ++#: ../semanage/seobject.py:287 ++msgid "Cannot read policy store." 
++msgstr "" ++ ++#: ../semanage/seobject.py:292 ++msgid "Could not establish semanage connection" ++msgstr "" ++ ++#: ../semanage/seobject.py:297 ++msgid "Could not test MLS enabled status" ++msgstr "" ++ ++#: ../semanage/seobject.py:303 ../semanage/seobject.py:319 ++msgid "Not yet implemented" ++msgstr "" ++ ++#: ../semanage/seobject.py:307 ++msgid "Semanage transaction already in progress" ++msgstr "" ++ ++#: ../semanage/seobject.py:316 ++msgid "Could not start semanage transaction" ++msgstr "" ++ ++#: ../semanage/seobject.py:330 ++msgid "Could not commit semanage transaction" ++msgstr "" ++ ++#: ../semanage/seobject.py:335 ++msgid "Semanage transaction not in progress" ++msgstr "" ++ ++#: ../semanage/seobject.py:349 ../semanage/seobject.py:469 ++msgid "Could not list SELinux modules" ++msgstr "" ++ ++#: ../semanage/seobject.py:356 ++msgid "Could not get module name" ++msgstr "" ++ ++#: ../semanage/seobject.py:360 ++msgid "Could not get module enabled" ++msgstr "" ++ ++#: ../semanage/seobject.py:364 ++msgid "Could not get module priority" ++msgstr "" ++ ++#: ../semanage/seobject.py:368 ++msgid "Could not get module lang_ext" ++msgstr "" ++ ++#: ../semanage/seobject.py:389 ++msgid "Module Name" ++msgstr "" ++ ++#: ../semanage/seobject.py:389 ++msgid "Priority" ++msgstr "" ++ ++#: ../semanage/seobject.py:389 ++msgid "Language" ++msgstr "" ++ ++#: ../semanage/seobject.py:392 ../sepolicy/sepolicy/sepolicy.glade:3431 ++msgid "Disabled" ++msgstr "" ++ ++#: ../semanage/seobject.py:401 ++#, python-format ++msgid "Module does not exist: %s " ++msgstr "" ++ ++#: ../semanage/seobject.py:405 ../semanage/seobject.py:432 ++#, python-format ++msgid "Invalid priority %d (needs to be between 1 and 999)" ++msgstr "" ++ ++#: ../semanage/seobject.py:415 ++msgid "Could not create module key" ++msgstr "" ++ ++#: ../semanage/seobject.py:419 ++msgid "Could not set module key name" ++msgstr "" ++ ++#: ../semanage/seobject.py:424 ++#, python-format ++msgid "Could not enable module %s" 
++msgstr "" ++ ++#: ../semanage/seobject.py:426 ++#, python-format ++msgid "Could not disable module %s" ++msgstr "" ++ ++#: ../semanage/seobject.py:437 ++#, python-format ++msgid "Could not remove module %s (remove failed)" ++msgstr "" ++ ++#: ../semanage/seobject.py:454 ++msgid "dontaudit requires either 'on' or 'off'" ++msgstr "" ++ ++#: ../semanage/seobject.py:484 ++msgid "Builtin Permissive Types" ++msgstr "" ++ ++#: ../semanage/seobject.py:494 ++msgid "Customized Permissive Types" ++msgstr "" ++ ++#: ../semanage/seobject.py:502 ++msgid "" ++"The sepolgen python module is required to setup permissive domains.\n" ++"In some distributions it is included in the policycoreutils-devel package.\n" ++"# yum install policycoreutils-devel\n" ++"Or similar for your distro." ++msgstr "" ++ ++#: ../semanage/seobject.py:512 ++#, python-format ++msgid "Could not set permissive domain %s (module installation failed)" ++msgstr "" ++ ++#: ../semanage/seobject.py:518 ++#, python-format ++msgid "Could not remove permissive domain %s (remove failed)" ++msgstr "" ++ ++#: ../semanage/seobject.py:555 ../semanage/seobject.py:627 ++#: ../semanage/seobject.py:674 ../semanage/seobject.py:794 ++#: ../semanage/seobject.py:824 ../semanage/seobject.py:889 ++#: ../semanage/seobject.py:945 ../semanage/seobject.py:1209 ++#: ../semanage/seobject.py:1468 ../semanage/seobject.py:2442 ++#: ../semanage/seobject.py:2512 ../semanage/seobject.py:2536 ++#: ../semanage/seobject.py:2664 ../semanage/seobject.py:2715 ++#, python-format ++msgid "Could not create a key for %s" ++msgstr "" ++ ++#: ../semanage/seobject.py:559 ../semanage/seobject.py:631 ++#: ../semanage/seobject.py:678 ../semanage/seobject.py:684 ++#, python-format ++msgid "Could not check if login mapping for %s is defined" ++msgstr "" ++ ++#: ../semanage/seobject.py:561 ++#, python-format ++msgid "Login mapping for %s is already defined" ++msgstr "" ++ ++#: ../semanage/seobject.py:566 ++#, python-format ++msgid "Linux Group %s does not 
exist" ++msgstr "" ++ ++#: ../semanage/seobject.py:571 ++#, python-format ++msgid "Linux User %s does not exist" ++msgstr "" ++ ++#: ../semanage/seobject.py:575 ++#, python-format ++msgid "Could not create login mapping for %s" ++msgstr "" ++ ++#: ../semanage/seobject.py:579 ../semanage/seobject.py:838 ++#, python-format ++msgid "Could not set name for %s" ++msgstr "" ++ ++#: ../semanage/seobject.py:584 ../semanage/seobject.py:848 ++#, python-format ++msgid "Could not set MLS range for %s" ++msgstr "" ++ ++#: ../semanage/seobject.py:588 ++#, python-format ++msgid "Could not set SELinux user for %s" ++msgstr "" ++ ++#: ../semanage/seobject.py:592 ++#, python-format ++msgid "Could not add login mapping for %s" ++msgstr "" ++ ++#: ../semanage/seobject.py:610 ++msgid "Requires seuser or serange" ++msgstr "" ++ ++#: ../semanage/seobject.py:633 ../semanage/seobject.py:680 ++#, python-format ++msgid "Login mapping for %s is not defined" ++msgstr "" ++ ++#: ../semanage/seobject.py:637 ++#, python-format ++msgid "Could not query seuser for %s" ++msgstr "" ++ ++#: ../semanage/seobject.py:652 ++#, python-format ++msgid "Could not modify login mapping for %s" ++msgstr "" ++ ++#: ../semanage/seobject.py:686 ++#, python-format ++msgid "Login mapping for %s is defined in policy, cannot be deleted" ++msgstr "" ++ ++#: ../semanage/seobject.py:690 ++#, python-format ++msgid "Could not delete login mapping for %s" ++msgstr "" ++ ++#: ../semanage/seobject.py:712 ../semanage/seobject.py:745 ++#: ../semanage/seobject.py:988 ++msgid "Could not list login mappings" ++msgstr "" ++ ++#: ../semanage/seobject.py:769 ../semanage/seobject.py:781 ++#: ../sepolicy/sepolicy/sepolicy.glade:1162 ++#: ../sepolicy/sepolicy/sepolicy.glade:3156 ++msgid "Login Name" ++msgstr "" ++ ++#: ../semanage/seobject.py:769 ../semanage/seobject.py:781 ++#: ../semanage/seobject.py:1035 ../semanage/seobject.py:1040 ++#: ../sepolicy/sepolicy/sepolicy.glade:1188 ++#: ../sepolicy/sepolicy/sepolicy.glade:3174 ++#: 
../sepolicy/sepolicy/sepolicy.glade:3260 ++#: ../sepolicy/sepolicy/sepolicy.glade:4915 ++msgid "SELinux User" ++msgstr "" ++ ++#: ../semanage/seobject.py:769 ++msgid "MLS/MCS Range" ++msgstr "" ++ ++#: ../semanage/seobject.py:769 ++msgid "Service" ++msgstr "" ++ ++#: ../semanage/seobject.py:797 ../semanage/seobject.py:828 ++#: ../semanage/seobject.py:893 ../semanage/seobject.py:949 ++#: ../semanage/seobject.py:955 ++#, python-format ++msgid "Could not check if SELinux user %s is defined" ++msgstr "" ++ ++#: ../semanage/seobject.py:800 ../semanage/seobject.py:899 ++#: ../semanage/seobject.py:961 ++#, python-format ++msgid "Could not query user for %s" ++msgstr "" ++ ++#: ../semanage/seobject.py:820 ++#, python-format ++msgid "You must add at least one role for %s" ++msgstr "" ++ ++#: ../semanage/seobject.py:830 ++#, python-format ++msgid "SELinux user %s is already defined" ++msgstr "" ++ ++#: ../semanage/seobject.py:834 ++#, python-format ++msgid "Could not create SELinux user for %s" ++msgstr "" ++ ++#: ../semanage/seobject.py:843 ++#, python-format ++msgid "Could not add role %s for %s" ++msgstr "" ++ ++#: ../semanage/seobject.py:852 ++#, python-format ++msgid "Could not set MLS level for %s" ++msgstr "" ++ ++#: ../semanage/seobject.py:855 ++#, python-format ++msgid "Could not add prefix %s for %s" ++msgstr "" ++ ++#: ../semanage/seobject.py:858 ++#, python-format ++msgid "Could not extract key for %s" ++msgstr "" ++ ++#: ../semanage/seobject.py:862 ++#, python-format ++msgid "Could not add SELinux user %s" ++msgstr "" ++ ++#: ../semanage/seobject.py:883 ++msgid "Requires prefix, roles, level or range" ++msgstr "" ++ ++#: ../semanage/seobject.py:885 ++msgid "Requires prefix or roles" ++msgstr "" ++ ++#: ../semanage/seobject.py:895 ../semanage/seobject.py:951 ++#, python-format ++msgid "SELinux user %s is not defined" ++msgstr "" ++ ++#: ../semanage/seobject.py:924 ++#, python-format ++msgid "Could not modify SELinux user %s" ++msgstr "" ++ ++#: 
../semanage/seobject.py:957 ++#, python-format ++msgid "SELinux user %s is defined in policy, cannot be deleted" ++msgstr "" ++ ++#: ../semanage/seobject.py:968 ++#, python-format ++msgid "Could not delete SELinux user %s" ++msgstr "" ++ ++#: ../semanage/seobject.py:1006 ++msgid "Could not list SELinux users" ++msgstr "" ++ ++#: ../semanage/seobject.py:1012 ++#, python-format ++msgid "Could not list roles for user %s" ++msgstr "" ++ ++#: ../semanage/seobject.py:1034 ++msgid "Labeling" ++msgstr "" ++ ++#: ../semanage/seobject.py:1034 ++msgid "MLS/" ++msgstr "" ++ ++#: ../semanage/seobject.py:1035 ++msgid "Prefix" ++msgstr "" ++ ++#: ../semanage/seobject.py:1035 ++msgid "MCS Level" ++msgstr "" ++ ++#: ../semanage/seobject.py:1035 ++msgid "MCS Range" ++msgstr "" ++ ++#: ../semanage/seobject.py:1035 ../semanage/seobject.py:1040 ++#: ../sepolicy/sepolicy/sepolicy.glade:3280 ++#: ../sepolicy/sepolicy/sepolicy.glade:5251 ++#: ../sepolicy/sepolicy/sepolicy.glade:5400 ++msgid "SELinux Roles" ++msgstr "" ++ ++#: ../semanage/seobject.py:1061 ++msgid "Protocol udp or tcp is required" ++msgstr "" ++ ++#: ../semanage/seobject.py:1063 ++msgid "Port is required" ++msgstr "" ++ ++#: ../semanage/seobject.py:1073 ++msgid "Invalid Port" ++msgstr "" ++ ++#: ../semanage/seobject.py:1077 ../semanage/seobject.py:1345 ++#, python-format ++msgid "Could not create a key for %s/%s" ++msgstr "" ++ ++#: ../semanage/seobject.py:1088 ../semanage/seobject.py:1356 ++#: ../semanage/seobject.py:1604 ++msgid "Type is required" ++msgstr "" ++ ++#: ../semanage/seobject.py:1091 ../semanage/seobject.py:1155 ++#, python-format ++msgid "Type %s is invalid, must be a port type" ++msgstr "" ++ ++#: ../semanage/seobject.py:1097 ../semanage/seobject.py:1161 ++#: ../semanage/seobject.py:1227 ../semanage/seobject.py:1233 ++#, python-format ++msgid "Could not check if port %s/%s is defined" ++msgstr "" ++ ++#: ../semanage/seobject.py:1099 ++#, python-format ++msgid "Port %s/%s already defined" ++msgstr "" ++ ++#: 
../semanage/seobject.py:1103 ++#, python-format ++msgid "Could not create port for %s/%s" ++msgstr "" ++ ++#: ../semanage/seobject.py:1109 ../semanage/seobject.py:1377 ++#: ../semanage/seobject.py:1624 ++#, python-format ++msgid "Could not create context for %s/%s" ++msgstr "" ++ ++#: ../semanage/seobject.py:1113 ++#, python-format ++msgid "Could not set user in port context for %s/%s" ++msgstr "" ++ ++#: ../semanage/seobject.py:1117 ++#, python-format ++msgid "Could not set role in port context for %s/%s" ++msgstr "" ++ ++#: ../semanage/seobject.py:1121 ++#, python-format ++msgid "Could not set type in port context for %s/%s" ++msgstr "" ++ ++#: ../semanage/seobject.py:1126 ++#, python-format ++msgid "Could not set mls fields in port context for %s/%s" ++msgstr "" ++ ++#: ../semanage/seobject.py:1130 ++#, python-format ++msgid "Could not set port context for %s/%s" ++msgstr "" ++ ++#: ../semanage/seobject.py:1134 ++#, python-format ++msgid "Could not add port %s/%s" ++msgstr "" ++ ++#: ../semanage/seobject.py:1150 ../semanage/seobject.py:1416 ++#: ../semanage/seobject.py:1663 ../semanage/seobject.py:1923 ++#: ../semanage/seobject.py:2125 ++msgid "Requires setype or serange" ++msgstr "" ++ ++#: ../semanage/seobject.py:1152 ../semanage/seobject.py:1418 ++#: ../semanage/seobject.py:1665 ++msgid "Requires setype" ++msgstr "" ++ ++#: ../semanage/seobject.py:1163 ../semanage/seobject.py:1229 ++#, python-format ++msgid "Port %s/%s is not defined" ++msgstr "" ++ ++#: ../semanage/seobject.py:1167 ++#, python-format ++msgid "Could not query port %s/%s" ++msgstr "" ++ ++#: ../semanage/seobject.py:1181 ++#, python-format ++msgid "Could not modify port %s/%s" ++msgstr "" ++ ++#: ../semanage/seobject.py:1196 ++msgid "Could not list the ports" ++msgstr "" ++ ++#: ../semanage/seobject.py:1213 ++#, python-format ++msgid "Could not delete the port %s" ++msgstr "" ++ ++#: ../semanage/seobject.py:1235 ++#, python-format ++msgid "Port %s/%s is defined in policy, cannot be deleted" 
++msgstr "" ++ ++#: ../semanage/seobject.py:1239 ++#, python-format ++msgid "Could not delete port %s/%s" ++msgstr "" ++ ++#: ../semanage/seobject.py:1257 ../semanage/seobject.py:1277 ++msgid "Could not list ports" ++msgstr "" ++ ++#: ../semanage/seobject.py:1311 ../sepolicy/sepolicy/sepolicy.glade:2676 ++#: ../sepolicy/sepolicy/sepolicy.glade:2774 ++#: ../sepolicy/sepolicy/sepolicy.glade:4648 ++msgid "SELinux Port Type" ++msgstr "" ++ ++#: ../semanage/seobject.py:1311 ++msgid "Proto" ++msgstr "" ++ ++#: ../semanage/seobject.py:1311 ../semanage/seobject.py:1801 ++#: ../sepolicy/sepolicy/sepolicy.glade:1413 ++msgid "Port Number" ++msgstr "" ++ ++#: ../semanage/seobject.py:1331 ++msgid "Subnet Prefix is required" ++msgstr "" ++ ++#: ../semanage/seobject.py:1341 ++msgid "Invalid Pkey" ++msgstr "" ++ ++#: ../semanage/seobject.py:1359 ../semanage/seobject.py:1421 ++#, python-format ++msgid "Type %s is invalid, must be a ibpkey type" ++msgstr "" ++ ++#: ../semanage/seobject.py:1365 ../semanage/seobject.py:1427 ++#: ../semanage/seobject.py:1481 ../semanage/seobject.py:1487 ++#, python-format ++msgid "Could not check if ibpkey %s/%s is defined" ++msgstr "" ++ ++#: ../semanage/seobject.py:1367 ++#, python-format ++msgid "ibpkey %s/%s already defined" ++msgstr "" ++ ++#: ../semanage/seobject.py:1371 ++#, python-format ++msgid "Could not create ibpkey for %s/%s" ++msgstr "" ++ ++#: ../semanage/seobject.py:1381 ++#, python-format ++msgid "Could not set user in ibpkey context for %s/%s" ++msgstr "" ++ ++#: ../semanage/seobject.py:1385 ++#, python-format ++msgid "Could not set role in ibpkey context for %s/%s" ++msgstr "" ++ ++#: ../semanage/seobject.py:1389 ++#, python-format ++msgid "Could not set type in ibpkey context for %s/%s" ++msgstr "" ++ ++#: ../semanage/seobject.py:1394 ++#, python-format ++msgid "Could not set mls fields in ibpkey context for %s/%s" ++msgstr "" ++ ++#: ../semanage/seobject.py:1398 ++#, python-format ++msgid "Could not set ibpkey context for %s/%s" 
++msgstr "" ++ ++#: ../semanage/seobject.py:1402 ++#, python-format ++msgid "Could not add ibpkey %s/%s" ++msgstr "" ++ ++#: ../semanage/seobject.py:1429 ../semanage/seobject.py:1483 ++#, python-format ++msgid "ibpkey %s/%s is not defined" ++msgstr "" ++ ++#: ../semanage/seobject.py:1433 ++#, python-format ++msgid "Could not query ibpkey %s/%s" ++msgstr "" ++ ++#: ../semanage/seobject.py:1444 ++#, python-format ++msgid "Could not modify ibpkey %s/%s" ++msgstr "" ++ ++#: ../semanage/seobject.py:1457 ++msgid "Could not list the ibpkeys" ++msgstr "" ++ ++#: ../semanage/seobject.py:1472 ++#, python-format ++msgid "Could not delete the ibpkey %s" ++msgstr "" ++ ++#: ../semanage/seobject.py:1489 ++#, python-format ++msgid "ibpkey %s/%s is defined in policy, cannot be deleted" ++msgstr "" ++ ++#: ../semanage/seobject.py:1493 ++#, python-format ++msgid "Could not delete ibpkey %s/%s" ++msgstr "" ++ ++#: ../semanage/seobject.py:1509 ../semanage/seobject.py:1530 ++msgid "Could not list ibpkeys" ++msgstr "" ++ ++#: ../semanage/seobject.py:1564 ++msgid "SELinux IB Pkey Type" ++msgstr "" ++ ++#: ../semanage/seobject.py:1564 ++msgid "Subnet_Prefix" ++msgstr "" ++ ++#: ../semanage/seobject.py:1564 ++msgid "Pkey Number" ++msgstr "" ++ ++#: ../semanage/seobject.py:1584 ++msgid "IB device name is required" ++msgstr "" ++ ++#: ../semanage/seobject.py:1589 ++msgid "Invalid Port Number" ++msgstr "" ++ ++#: ../semanage/seobject.py:1593 ++#, python-format ++msgid "Could not create a key for ibendport %s/%s" ++msgstr "" ++ ++#: ../semanage/seobject.py:1607 ../semanage/seobject.py:1668 ++#, python-format ++msgid "Type %s is invalid, must be an ibendport type" ++msgstr "" ++ ++#: ../semanage/seobject.py:1612 ../semanage/seobject.py:1674 ++#: ../semanage/seobject.py:1726 ../semanage/seobject.py:1732 ++#, python-format ++msgid "Could not check if ibendport %s/%s is defined" ++msgstr "" ++ ++#: ../semanage/seobject.py:1614 ++#, python-format ++msgid "ibendport %s/%s already defined" ++msgstr 
"" ++ ++#: ../semanage/seobject.py:1618 ++#, python-format ++msgid "Could not create ibendport for %s/%s" ++msgstr "" ++ ++#: ../semanage/seobject.py:1628 ++#, python-format ++msgid "Could not set user in ibendport context for %s/%s" ++msgstr "" ++ ++#: ../semanage/seobject.py:1632 ++#, python-format ++msgid "Could not set role in ibendport context for %s/%s" ++msgstr "" ++ ++#: ../semanage/seobject.py:1636 ++#, python-format ++msgid "Could not set type in ibendport context for %s/%s" ++msgstr "" ++ ++#: ../semanage/seobject.py:1641 ++#, python-format ++msgid "Could not set mls fields in ibendport context for %s/%s" ++msgstr "" ++ ++#: ../semanage/seobject.py:1645 ++#, python-format ++msgid "Could not set ibendport context for %s/%s" ++msgstr "" ++ ++#: ../semanage/seobject.py:1649 ++#, python-format ++msgid "Could not add ibendport %s/%s" ++msgstr "" ++ ++#: ../semanage/seobject.py:1676 ../semanage/seobject.py:1728 ++#, python-format ++msgid "ibendport %s/%s is not defined" ++msgstr "" ++ ++#: ../semanage/seobject.py:1680 ++#, python-format ++msgid "Could not query ibendport %s/%s" ++msgstr "" ++ ++#: ../semanage/seobject.py:1691 ++#, python-format ++msgid "Could not modify ibendport %s/%s" ++msgstr "" ++ ++#: ../semanage/seobject.py:1704 ++msgid "Could not list the ibendports" ++msgstr "" ++ ++#: ../semanage/seobject.py:1713 ++#, python-format ++msgid "Could not create a key for %s/%d" ++msgstr "" ++ ++#: ../semanage/seobject.py:1717 ++#, python-format ++msgid "Could not delete the ibendport %s/%d" ++msgstr "" ++ ++#: ../semanage/seobject.py:1734 ++#, python-format ++msgid "ibendport %s/%s is defined in policy, cannot be deleted" ++msgstr "" ++ ++#: ../semanage/seobject.py:1738 ++#, python-format ++msgid "Could not delete ibendport %s/%s" ++msgstr "" ++ ++#: ../semanage/seobject.py:1754 ../semanage/seobject.py:1774 ++msgid "Could not list ibendports" ++msgstr "" ++ ++#: ../semanage/seobject.py:1801 ++msgid "SELinux IB End Port Type" ++msgstr "" ++ ++#: 
../semanage/seobject.py:1801 ++msgid "IB Device Name" ++msgstr "" ++ ++#: ../semanage/seobject.py:1825 ++msgid "Node Address is required" ++msgstr "" ++ ++#: ../semanage/seobject.py:1840 ++msgid "Unknown or missing protocol" ++msgstr "" ++ ++#: ../semanage/seobject.py:1854 ++msgid "SELinux node type is required" ++msgstr "" ++ ++#: ../semanage/seobject.py:1857 ../semanage/seobject.py:1926 ++#, python-format ++msgid "Type %s is invalid, must be a node type" ++msgstr "" ++ ++#: ../semanage/seobject.py:1861 ../semanage/seobject.py:1930 ++#: ../semanage/seobject.py:1968 ../semanage/seobject.py:2066 ++#: ../semanage/seobject.py:2129 ../semanage/seobject.py:2165 ++#: ../semanage/seobject.py:2377 ++#, python-format ++msgid "Could not create key for %s" ++msgstr "" ++ ++#: ../semanage/seobject.py:1863 ../semanage/seobject.py:1934 ++#: ../semanage/seobject.py:1972 ../semanage/seobject.py:1978 ++#, python-format ++msgid "Could not check if addr %s is defined" ++msgstr "" ++ ++#: ../semanage/seobject.py:1867 ++#, python-format ++msgid "Addr %s already defined" ++msgstr "" ++ ++#: ../semanage/seobject.py:1871 ++#, python-format ++msgid "Could not create addr for %s" ++msgstr "" ++ ++#: ../semanage/seobject.py:1877 ../semanage/seobject.py:2081 ++#: ../semanage/seobject.py:2333 ++#, python-format ++msgid "Could not create context for %s" ++msgstr "" ++ ++#: ../semanage/seobject.py:1881 ++#, python-format ++msgid "Could not set mask for %s" ++msgstr "" ++ ++#: ../semanage/seobject.py:1885 ++#, python-format ++msgid "Could not set user in addr context for %s" ++msgstr "" ++ ++#: ../semanage/seobject.py:1889 ++#, python-format ++msgid "Could not set role in addr context for %s" ++msgstr "" ++ ++#: ../semanage/seobject.py:1893 ++#, python-format ++msgid "Could not set type in addr context for %s" ++msgstr "" ++ ++#: ../semanage/seobject.py:1898 ++#, python-format ++msgid "Could not set mls fields in addr context for %s" ++msgstr "" ++ ++#: ../semanage/seobject.py:1902 ++#, 
python-format ++msgid "Could not set addr context for %s" ++msgstr "" ++ ++#: ../semanage/seobject.py:1906 ++#, python-format ++msgid "Could not add addr %s" ++msgstr "" ++ ++#: ../semanage/seobject.py:1936 ../semanage/seobject.py:1974 ++#, python-format ++msgid "Addr %s is not defined" ++msgstr "" ++ ++#: ../semanage/seobject.py:1940 ++#, python-format ++msgid "Could not query addr %s" ++msgstr "" ++ ++#: ../semanage/seobject.py:1950 ++#, python-format ++msgid "Could not modify addr %s" ++msgstr "" ++ ++#: ../semanage/seobject.py:1980 ++#, python-format ++msgid "Addr %s is defined in policy, cannot be deleted" ++msgstr "" ++ ++#: ../semanage/seobject.py:1984 ++#, python-format ++msgid "Could not delete addr %s" ++msgstr "" ++ ++#: ../semanage/seobject.py:1998 ++msgid "Could not deleteall node mappings" ++msgstr "" ++ ++#: ../semanage/seobject.py:2012 ++msgid "Could not list addrs" ++msgstr "" ++ ++#: ../semanage/seobject.py:2062 ../semanage/seobject.py:2370 ++msgid "SELinux Type is required" ++msgstr "" ++ ++#: ../semanage/seobject.py:2070 ../semanage/seobject.py:2133 ++#: ../semanage/seobject.py:2169 ../semanage/seobject.py:2175 ++#, python-format ++msgid "Could not check if interface %s is defined" ++msgstr "" ++ ++#: ../semanage/seobject.py:2072 ++#, python-format ++msgid "Interface %s already defined" ++msgstr "" ++ ++#: ../semanage/seobject.py:2076 ++#, python-format ++msgid "Could not create interface for %s" ++msgstr "" ++ ++#: ../semanage/seobject.py:2085 ++#, python-format ++msgid "Could not set user in interface context for %s" ++msgstr "" ++ ++#: ../semanage/seobject.py:2089 ++#, python-format ++msgid "Could not set role in interface context for %s" ++msgstr "" ++ ++#: ../semanage/seobject.py:2093 ++#, python-format ++msgid "Could not set type in interface context for %s" ++msgstr "" ++ ++#: ../semanage/seobject.py:2098 ++#, python-format ++msgid "Could not set mls fields in interface context for %s" ++msgstr "" ++ ++#: ../semanage/seobject.py:2102 ++#, 
python-format ++msgid "Could not set interface context for %s" ++msgstr "" ++ ++#: ../semanage/seobject.py:2106 ++#, python-format ++msgid "Could not set message context for %s" ++msgstr "" ++ ++#: ../semanage/seobject.py:2110 ++#, python-format ++msgid "Could not add interface %s" ++msgstr "" ++ ++#: ../semanage/seobject.py:2135 ../semanage/seobject.py:2171 ++#, python-format ++msgid "Interface %s is not defined" ++msgstr "" ++ ++#: ../semanage/seobject.py:2139 ++#, python-format ++msgid "Could not query interface %s" ++msgstr "" ++ ++#: ../semanage/seobject.py:2150 ++#, python-format ++msgid "Could not modify interface %s" ++msgstr "" ++ ++#: ../semanage/seobject.py:2177 ++#, python-format ++msgid "Interface %s is defined in policy, cannot be deleted" ++msgstr "" ++ ++#: ../semanage/seobject.py:2181 ++#, python-format ++msgid "Could not delete interface %s" ++msgstr "" ++ ++#: ../semanage/seobject.py:2195 ++msgid "Could not delete all interface mappings" ++msgstr "" ++ ++#: ../semanage/seobject.py:2209 ++msgid "Could not list interfaces" ++msgstr "" ++ ++#: ../semanage/seobject.py:2231 ++msgid "SELinux Interface" ++msgstr "" ++ ++#: ../semanage/seobject.py:2231 ../semanage/seobject.py:2611 ++msgid "Context" ++msgstr "" ++ ++#: ../semanage/seobject.py:2299 ++#, python-format ++msgid "Target %s is not valid. Target is not allowed to end with '/'" ++msgstr "" ++ ++#: ../semanage/seobject.py:2302 ++#, python-format ++msgid "Substiture %s is not valid. 
Substitute is not allowed to end with '/'" ++msgstr "" ++ ++#: ../semanage/seobject.py:2305 ++#, python-format ++msgid "Equivalence class for %s already exists" ++msgstr "" ++ ++#: ../semanage/seobject.py:2311 ++#, python-format ++msgid "File spec %s conflicts with equivalency rule '%s %s'" ++msgstr "" ++ ++#: ../semanage/seobject.py:2322 ++#, python-format ++msgid "Equivalence class for %s does not exist" ++msgstr "" ++ ++#: ../semanage/seobject.py:2339 ++#, python-format ++msgid "Could not set user in file context for %s" ++msgstr "" ++ ++#: ../semanage/seobject.py:2343 ++#, python-format ++msgid "Could not set role in file context for %s" ++msgstr "" ++ ++#: ../semanage/seobject.py:2348 ../semanage/seobject.py:2406 ++#, python-format ++msgid "Could not set mls fields in file context for %s" ++msgstr "" ++ ++#: ../semanage/seobject.py:2354 ++msgid "Invalid file specification" ++msgstr "" ++ ++#: ../semanage/seobject.py:2356 ++msgid "File specification can not include spaces" ++msgstr "" ++ ++#: ../semanage/seobject.py:2361 ++#, python-format ++msgid "" ++"File spec %s conflicts with equivalency rule '%s %s'; Try adding '%s' instead" ++msgstr "" ++ ++#: ../semanage/seobject.py:2373 ../semanage/seobject.py:2436 ++#, python-format ++msgid "Type %s is invalid, must be a file or device type" ++msgstr "" ++ ++#: ../semanage/seobject.py:2381 ../semanage/seobject.py:2386 ++#: ../semanage/seobject.py:2446 ../semanage/seobject.py:2540 ++#: ../semanage/seobject.py:2544 ++#, python-format ++msgid "Could not check if file context for %s is defined" ++msgstr "" ++ ++#: ../semanage/seobject.py:2389 ++#, python-format ++msgid "File context for %s already defined" ++msgstr "" ++ ++#: ../semanage/seobject.py:2393 ++#, python-format ++msgid "Could not create file context for %s" ++msgstr "" ++ ++#: ../semanage/seobject.py:2401 ++#, python-format ++msgid "Could not set type in file context for %s" ++msgstr "" ++ ++#: ../semanage/seobject.py:2409 ../semanage/seobject.py:2476 ++#: 
../semanage/seobject.py:2480 ++#, python-format ++msgid "Could not set file context for %s" ++msgstr "" ++ ++#: ../semanage/seobject.py:2415 ++#, python-format ++msgid "Could not add file context for %s" ++msgstr "" ++ ++#: ../semanage/seobject.py:2434 ++msgid "Requires setype, serange or seuser" ++msgstr "" ++ ++#: ../semanage/seobject.py:2450 ../semanage/seobject.py:2548 ++#, python-format ++msgid "File context for %s is not defined" ++msgstr "" ++ ++#: ../semanage/seobject.py:2458 ++#, python-format ++msgid "Could not query file context for %s" ++msgstr "" ++ ++#: ../semanage/seobject.py:2484 ++#, python-format ++msgid "Could not modify file context for %s" ++msgstr "" ++ ++#: ../semanage/seobject.py:2502 ++msgid "Could not list the file contexts" ++msgstr "" ++ ++#: ../semanage/seobject.py:2516 ++#, python-format ++msgid "Could not delete the file context %s" ++msgstr "" ++ ++#: ../semanage/seobject.py:2546 ++#, python-format ++msgid "File context for %s is defined in policy, cannot be deleted" ++msgstr "" ++ ++#: ../semanage/seobject.py:2552 ++#, python-format ++msgid "Could not delete file context for %s" ++msgstr "" ++ ++#: ../semanage/seobject.py:2569 ++msgid "Could not list file contexts" ++msgstr "" ++ ++#: ../semanage/seobject.py:2573 ++msgid "Could not list file contexts for home directories" ++msgstr "" ++ ++#: ../semanage/seobject.py:2577 ++msgid "Could not list local file contexts" ++msgstr "" ++ ++#: ../semanage/seobject.py:2611 ++msgid "SELinux fcontext" ++msgstr "" ++ ++#: ../semanage/seobject.py:2624 ++msgid "" ++"\n" ++"SELinux Distribution fcontext Equivalence \n" ++msgstr "" ++ ++#: ../semanage/seobject.py:2629 ++msgid "" ++"\n" ++"SELinux Local fcontext Equivalence \n" ++msgstr "" ++ ++#: ../semanage/seobject.py:2667 ../semanage/seobject.py:2718 ++#: ../semanage/seobject.py:2724 ++#, python-format ++msgid "Could not check if boolean %s is defined" ++msgstr "" ++ ++#: ../semanage/seobject.py:2669 ../semanage/seobject.py:2720 ++#, python-format 
++msgid "Boolean %s is not defined" ++msgstr "" ++ ++#: ../semanage/seobject.py:2673 ++#, python-format ++msgid "Could not query file context %s" ++msgstr "" ++ ++#: ../semanage/seobject.py:2678 ++#, python-format ++msgid "You must specify one of the following values: %s" ++msgstr "" ++ ++#: ../semanage/seobject.py:2683 ++#, python-format ++msgid "Could not set active value of boolean %s" ++msgstr "" ++ ++#: ../semanage/seobject.py:2686 ++#, python-format ++msgid "Could not modify boolean %s" ++msgstr "" ++ ++#: ../semanage/seobject.py:2702 ++#, python-format ++msgid "Bad format %s: Record %s" ++msgstr "" ++ ++#: ../semanage/seobject.py:2726 ++#, python-format ++msgid "Boolean %s is defined in policy, cannot be deleted" ++msgstr "" ++ ++#: ../semanage/seobject.py:2730 ++#, python-format ++msgid "Could not delete boolean %s" ++msgstr "" ++ ++#: ../semanage/seobject.py:2742 ../semanage/seobject.py:2759 ++msgid "Could not list booleans" ++msgstr "" ++ ++#: ../semanage/seobject.py:2792 ++msgid "off" ++msgstr "" ++ ++#: ../semanage/seobject.py:2792 ++msgid "on" ++msgstr "" ++ ++#: ../semanage/seobject.py:2804 ++msgid "SELinux boolean" ++msgstr "" ++ ++#: ../semanage/seobject.py:2804 ++msgid "State" ++msgstr "" ++ ++#: ../semanage/seobject.py:2804 ++msgid "Default" ++msgstr "" ++ ++#: ../semanage/seobject.py:2804 ../sepolicy/sepolicy/sepolicy.glade:2148 ++#: ../sepolicy/sepolicy/sepolicy.glade:2518 ++#: ../sepolicy/sepolicy/sepolicy.glade:5117 ++msgid "Description" ++msgstr "" ++ ++#: ../sepolgen/src/sepolgen/interfaces.py:486 ++msgid "Found circular interface class" ++msgstr "" ++ ++#: ../sepolgen/src/sepolgen/interfaces.py:491 ++#, python-format ++msgid "Missing interface definition for %s" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/generate.py:141 ++msgid "Standard Init Daemon" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/generate.py:142 ++msgid "DBUS System Daemon" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/generate.py:143 ++msgid "Internet Services Daemon" ++msgstr "" ++ 
++#: ../sepolicy/sepolicy/generate.py:144 ++msgid "Web Application/Script (CGI)" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/generate.py:145 ++msgid "Sandbox" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/generate.py:146 ++msgid "User Application" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/generate.py:147 ++msgid "Existing Domain Type" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/generate.py:148 ++msgid "Minimal Terminal Login User Role" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/generate.py:149 ++msgid "Minimal X Windows Login User Role" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/generate.py:150 ++msgid "Desktop Login User Role" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/generate.py:151 ++msgid "Administrator Login User Role" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/generate.py:152 ++msgid "Confined Root Administrator Role" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/generate.py:153 ++msgid "Module information for a new type" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/generate.py:159 ++msgid "Valid Types:\n" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/generate.py:194 ++#, python-format ++msgid "Ports must be numbers or ranges of numbers from 1 to %d " ++msgstr "" ++ ++#: ../sepolicy/sepolicy/generate.py:206 ++msgid "You must enter a valid policy type" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/generate.py:209 ++#, python-format ++msgid "You must enter a name for your policy module for your '%s'." ++msgstr "" ++ ++#: ../sepolicy/sepolicy/generate.py:347 ++msgid "" ++"Name must be alpha numberic with no spaces. Consider using option \"-n " ++"MODULENAME\"" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/generate.py:439 ++msgid "User Role types can not be assigned executables." ++msgstr "" ++ ++#: ../sepolicy/sepolicy/generate.py:445 ++msgid "Only Daemon apps can use an init script.." 
++msgstr "" ++ ++#: ../sepolicy/sepolicy/generate.py:463 ++msgid "use_resolve must be a boolean value " ++msgstr "" ++ ++#: ../sepolicy/sepolicy/generate.py:469 ++msgid "use_syslog must be a boolean value " ++msgstr "" ++ ++#: ../sepolicy/sepolicy/generate.py:475 ++msgid "use_kerberos must be a boolean value " ++msgstr "" ++ ++#: ../sepolicy/sepolicy/generate.py:481 ++msgid "manage_krb5_rcache must be a boolean value " ++msgstr "" ++ ++#: ../sepolicy/sepolicy/generate.py:511 ++msgid "USER Types automatically get a tmp type" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/generate.py:848 ++#, python-format ++msgid "'%s' policy modules require existing domains" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/generate.py:873 ++msgid "Type field required" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/generate.py:886 ++#, python-format ++msgid "" ++"You need to define a new type which ends with: \n" ++" %s" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/generate.py:1114 ++msgid "You must enter the executable path for your confined process" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/generate.py:1381 ++msgid "Type Enforcement file" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/generate.py:1382 ++msgid "Interface file" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/generate.py:1383 ++msgid "File Contexts file" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/generate.py:1386 ++msgid "Spec file" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/generate.py:1387 ++msgid "Setup Script" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/gui.py:68 ../sepolicy/sepolicy/sepolicy.glade:3742 ++#: ../sepolicy/sepolicy/sepolicy.glade:3844 ++#: ../sepolicy/sepolicy/sepolicy.glade:3907 ++#: ../sepolicy/sepolicy/sepolicy.glade:3970 ++msgid "No" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/gui.py:68 ../sepolicy/sepolicy/sepolicy.glade:3725 ++#: ../sepolicy/sepolicy/sepolicy.glade:3826 ++#: ../sepolicy/sepolicy/sepolicy.glade:3890 ++#: ../sepolicy/sepolicy/sepolicy.glade:3953 ++msgid "Yes" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/gui.py:69 ++msgid 
"Disable" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/gui.py:69 ++msgid "Enable" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/gui.py:82 ../sepolicy/sepolicy/sepolicy.glade:726 ++#: ../sepolicy/sepolicy/sepolicy.glade:1467 ++#: ../sepolicy/sepolicy/sepolicy.glade:3511 ++msgid "Advanced >>" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/gui.py:82 ++msgid "Advanced <<" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/gui.py:83 ../sepolicy/sepolicy/sepolicy.glade:80 ++msgid "Advanced Search >>" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/gui.py:83 ++msgid "Advanced Search <<" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/gui.py:108 ++msgid "" ++"\n" ++"To change from Disabled to Enforcing mode\n" ++"- Change the system mode from Disabled to Permissive\n" ++"- Reboot, so that the system can relabel\n" ++"- Once the system is working as planned\n" ++" * Change the system mode to Enforcing\n" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/gui.py:503 ++#, python-format ++msgid "%s is not a valid domain" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/gui.py:652 ++msgid "System Status: Disabled" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/gui.py:750 ++msgid "Help: Start Page" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/gui.py:754 ++msgid "Help: Booleans Page" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/gui.py:760 ++msgid "Help: Executable Files Page" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/gui.py:763 ++msgid "Help: Writable Files Page" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/gui.py:766 ++msgid "Help: Application Types Page" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/gui.py:771 ++msgid "Help: Outbound Network Connections Page" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/gui.py:774 ++msgid "Help: Inbound Network Connections Page" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/gui.py:780 ++msgid "Help: Transition from application Page" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/gui.py:783 ++msgid "Help: Transition into application Page" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/gui.py:786 ++msgid "Help: Transition application file Page" 
++msgstr "" ++ ++#: ../sepolicy/sepolicy/gui.py:790 ++msgid "Help: Systems Page" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/gui.py:794 ++msgid "Help: Lockdown Page" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/gui.py:798 ++msgid "Help: Login Page" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/gui.py:802 ++msgid "Help: SELinux User Page" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/gui.py:806 ++msgid "Help: File Equivalence Page" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/gui.py:951 ../sepolicy/sepolicy/gui.py:1242 ++#: ../sepolicy/sepolicy/gui.py:1682 ../sepolicy/sepolicy/gui.py:1929 ++#: ../sepolicy/sepolicy/gui.py:2717 ++msgid "More..." ++msgstr "" ++ ++#: ../sepolicy/sepolicy/gui.py:1059 ++#, python-format ++msgid "File path used to enter the '%s' domain." ++msgstr "" ++ ++#: ../sepolicy/sepolicy/gui.py:1060 ++#, python-format ++msgid "Files to which the '%s' domain can write." ++msgstr "" ++ ++#: ../sepolicy/sepolicy/gui.py:1061 ++#, python-format ++msgid "Network Ports to which the '%s' is allowed to connect." ++msgstr "" ++ ++#: ../sepolicy/sepolicy/gui.py:1062 ++#, python-format ++msgid "Network Ports to which the '%s' is allowed to listen." ++msgstr "" ++ ++#: ../sepolicy/sepolicy/gui.py:1063 ++#, python-format ++msgid "File Types defined for the '%s'." ++msgstr "" ++ ++#: ../sepolicy/sepolicy/gui.py:1064 ++#, python-format ++msgid "" ++"Display boolean information that can be used to modify the policy for the " ++"'%s'." ++msgstr "" ++ ++#: ../sepolicy/sepolicy/gui.py:1065 ++#, python-format ++msgid "Display file type information that can be used by the '%s'." ++msgstr "" ++ ++#: ../sepolicy/sepolicy/gui.py:1066 ++#, python-format ++msgid "Display network ports to which the '%s' can connect or listen to." 
++msgstr "" ++ ++#: ../sepolicy/sepolicy/gui.py:1067 ++#, python-format ++msgid "Application Transitions Into '%s'" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/gui.py:1068 ++#, python-format ++msgid "Application Transitions From '%s'" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/gui.py:1069 ++#, python-format ++msgid "File Transitions From '%s'" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/gui.py:1070 ++#, python-format ++msgid "" ++"Executables which will transition to '%s', when executing selected domains " ++"entrypoint." ++msgstr "" ++ ++#: ../sepolicy/sepolicy/gui.py:1071 ++#, python-format ++msgid "" ++"Executables which will transition to a different domain, when '%s' executes " ++"them." ++msgstr "" ++ ++#: ../sepolicy/sepolicy/gui.py:1072 ++#, python-format ++msgid "Files by '%s' with transitions to a different label." ++msgstr "" ++ ++#: ../sepolicy/sepolicy/gui.py:1073 ++#, python-format ++msgid "Display applications that can transition into or out of the '%s'." ++msgstr "" ++ ++#: ../sepolicy/sepolicy/gui.py:1167 ../sepolicy/sepolicy/__init__.py:74 ++msgid "all files" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/gui.py:1181 ++msgid "MISSING FILE PATH" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/gui.py:1296 ++#, python-format ++msgid "To disable this transition, go to the %sBoolean section%s." ++msgstr "" ++ ++#: ../sepolicy/sepolicy/gui.py:1298 ++#, python-format ++msgid "To enable this transition, go to the %sBoolean section%s." ++msgstr "" ++ ++#: ../sepolicy/sepolicy/gui.py:1355 ++msgid "executable" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/gui.py:1358 ++msgid "writable" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/gui.py:1361 ++msgid "application" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/gui.py:1362 ++#, python-format ++msgid "Add new %(TYPE)s file path for '%(DOMAIN)s' domains." ++msgstr "" ++ ++#: ../sepolicy/sepolicy/gui.py:1363 ++#, python-format ++msgid "Delete %(TYPE)s file paths for '%(DOMAIN)s' domain." 
++msgstr "" ++ ++#: ../sepolicy/sepolicy/gui.py:1364 ++#, python-format ++msgid "" ++"Modify %(TYPE)s file path for '%(DOMAIN)s' domain. Only bolded items in the " ++"list can be selected, this indicates they were modified previously." ++msgstr "" ++ ++#: ../sepolicy/sepolicy/gui.py:1376 ++msgid "connect" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/gui.py:1379 ++msgid "listen for inbound connections" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/gui.py:1381 ++#, python-format ++msgid "" ++"Add new port definition to which the '%(APP)s' domain is allowed to %(PERM)s." ++msgstr "" ++ ++#: ../sepolicy/sepolicy/gui.py:1382 ++#, python-format ++msgid "" ++"Delete modified port definitions to which the '%(APP)s' domain is allowed to " ++"%(PERM)s." ++msgstr "" ++ ++#: ../sepolicy/sepolicy/gui.py:1383 ++#, python-format ++msgid "" ++"Modify port definitions to which the '%(APP)s' domain is allowed to %(PERM)s." ++msgstr "" ++ ++#: ../sepolicy/sepolicy/gui.py:1412 ++msgid "Add new SELinux User/Role definition." ++msgstr "" ++ ++#: ../sepolicy/sepolicy/gui.py:1413 ++msgid "Delete modified SELinux User/Role definitions." ++msgstr "" ++ ++#: ../sepolicy/sepolicy/gui.py:1414 ++msgid "Modify selected modified SELinux User/Role definitions." ++msgstr "" ++ ++#: ../sepolicy/sepolicy/gui.py:1421 ++msgid "Add new Login Mapping definition." ++msgstr "" ++ ++#: ../sepolicy/sepolicy/gui.py:1422 ++msgid "Delete modified Login Mapping definitions." ++msgstr "" ++ ++#: ../sepolicy/sepolicy/gui.py:1423 ++msgid "Modify selected modified Login Mapping definitions." ++msgstr "" ++ ++#: ../sepolicy/sepolicy/gui.py:1430 ++msgid "Add new File Equivalence definition." ++msgstr "" ++ ++#: ../sepolicy/sepolicy/gui.py:1431 ++msgid "Delete modified File Equivalence definitions." ++msgstr "" ++ ++#: ../sepolicy/sepolicy/gui.py:1432 ++msgid "" ++"Modify selected modified File Equivalence definitions. Only bolded items in " ++"the list can be selected, this indicates they were modified previously." 
++msgstr "" ++ ++#: ../sepolicy/sepolicy/gui.py:1460 ++#, python-format ++msgid "Boolean %s Allow Rules" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/gui.py:1473 ++#, python-format ++msgid "Add Network Port for %s. Ports will be created when update is applied." ++msgstr "" ++ ++#: ../sepolicy/sepolicy/gui.py:1474 ++#, python-format ++msgid "Add Network Port for %s" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/gui.py:1479 ++#, python-format ++msgid "" ++"Add File Labeling for %s. File labels will be created when update is applied." ++msgstr "" ++ ++#: ../sepolicy/sepolicy/gui.py:1480 ../sepolicy/sepolicy/gui.py:1533 ++#, python-format ++msgid "Add File Labeling for %s" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/gui.py:1490 ++msgid "Add Login Mapping. User Mapping will be created when Update is applied." ++msgstr "" ++ ++#: ../sepolicy/sepolicy/gui.py:1491 ++msgid "Add Login Mapping" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/gui.py:1496 ++msgid "" ++"Add SELinux User Role. SELinux user roles will be created when update is " ++"applied." ++msgstr "" ++ ++#: ../sepolicy/sepolicy/gui.py:1497 ++msgid "Add SELinux Users" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/gui.py:1504 ++msgid "" ++"Add File Equivalency Mapping. Mapping will be created when update is applied." ++msgstr "" ++ ++#: ../sepolicy/sepolicy/gui.py:1505 ++msgid "Add SELinux File Equivalency" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/gui.py:1532 ++#, python-format ++msgid "" ++"Modify File Labeling for %s. File labels will be created when update is " ++"applied." ++msgstr "" ++ ++#: ../sepolicy/sepolicy/gui.py:1588 ++msgid "" ++"Modify SELinux User Role. SELinux user roles will be modified when update is " ++"applied." ++msgstr "" ++ ++#: ../sepolicy/sepolicy/gui.py:1589 ++msgid "Modify SELinux Users" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/gui.py:1597 ++msgid "" ++"Modify Login Mapping. Login Mapping will be modified when Update is applied." 
++msgstr "" ++ ++#: ../sepolicy/sepolicy/gui.py:1598 ++msgid "Modify Login Mapping" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/gui.py:1604 ++msgid "" ++"Modify File Equivalency Mapping. Mapping will be created when update is " ++"applied." ++msgstr "" ++ ++#: ../sepolicy/sepolicy/gui.py:1605 ++msgid "Modify SELinux File Equivalency" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/gui.py:1690 ++#, python-format ++msgid "" ++"Modify Network Port for %s. Ports will be created when update is applied." ++msgstr "" ++ ++#: ../sepolicy/sepolicy/gui.py:1691 ++#, python-format ++msgid "Modify Network Port for %s" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/gui.py:1910 ++#, python-format ++msgid "The entry '%s' is not a valid path. Paths must begin with a '/'." ++msgstr "" ++ ++#: ../sepolicy/sepolicy/gui.py:1923 ++msgid "Port number must be between 1 and 65536" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/gui.py:2203 ++#, python-format ++msgid "SELinux name: %s" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/gui.py:2214 ++#, python-format ++msgid "Add file labeling for %s" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/gui.py:2216 ++#, python-format ++msgid "Delete file labeling for %s" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/gui.py:2218 ++#, python-format ++msgid "Modify file labeling for %s" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/gui.py:2222 ++#, python-format ++msgid "File path: %s" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/gui.py:2225 ++#, python-format ++msgid "File class: %s" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/gui.py:2228 ../sepolicy/sepolicy/gui.py:2252 ++#, python-format ++msgid "SELinux file type: %s" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/gui.py:2237 ++#, python-format ++msgid "Add ports for %s" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/gui.py:2239 ++#, python-format ++msgid "Delete ports for %s" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/gui.py:2241 ++#, python-format ++msgid "Modify ports for %s" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/gui.py:2244 ++#, python-format ++msgid 
"Network ports: %s" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/gui.py:2247 ++#, python-format ++msgid "Network protocol: %s" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/gui.py:2261 ++msgid "Add user" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/gui.py:2263 ++msgid "Delete user" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/gui.py:2265 ++msgid "Modify user" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/gui.py:2268 ++#, python-format ++msgid "SELinux User : %s" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/gui.py:2273 ++#, python-format ++msgid "Roles: %s" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/gui.py:2277 ../sepolicy/sepolicy/gui.py:2302 ++#, python-format ++msgid "MLS/MCS Range: %s" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/gui.py:2286 ++msgid "Add login mapping" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/gui.py:2288 ++msgid "Delete login mapping" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/gui.py:2290 ++msgid "Modify login mapping" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/gui.py:2294 ++#, python-format ++msgid "Login Name : %s" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/gui.py:2298 ++#, python-format ++msgid "SELinux User: %s" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/gui.py:2311 ++msgid "Add file equiv labeling." ++msgstr "" ++ ++#: ../sepolicy/sepolicy/gui.py:2313 ++msgid "Delete file equiv labeling." ++msgstr "" ++ ++#: ../sepolicy/sepolicy/gui.py:2315 ++msgid "Modify file equiv labeling." 
++msgstr "" ++ ++#: ../sepolicy/sepolicy/gui.py:2319 ++#, python-format ++msgid "File path : %s" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/gui.py:2323 ++#, python-format ++msgid "Equivalence: %s" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/gui.py:2354 ../sepolicy/sepolicy/sepolicy.glade:129 ++#: ../sepolicy/sepolicy/sepolicy.glade:1898 ++#: ../sepolicy/sepolicy/sepolicy.glade:3803 ++msgid "System" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/gui.py:2363 ../sepolicy/sepolicy/sepolicy.glade:95 ++msgid "File Equivalence" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/gui.py:2373 ../sepolicy/sepolicy/sepolicy.glade:112 ++msgid "Users" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/gui.py:2426 ++#, python-format ++msgid "" ++"Run restorecon on %(PATH)s to change its type from %(CUR_CONTEXT)s to the " ++"default %(DEF_CONTEXT)s?" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/gui.py:2436 ../sepolicy/sepolicy/sepolicy.glade:4226 ++msgid "Update" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/gui.py:2438 ++msgid "Update Changes" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/gui.py:2440 ++msgid "Revert Changes" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/gui.py:2571 ++msgid "System Status: Enforcing" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/gui.py:2574 ++msgid "System Status: Permissive" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/gui.py:2638 ++msgid "" ++"Changing the policy type will cause a relabel of the entire file system on " ++"the next boot. Relabeling takes a long time depending on the size of the " ++"file system. Do you wish to continue?" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/gui.py:2768 ++msgid "" ++"Changing to SELinux disabled requires a reboot. It is not recommended. If " ++"you later decide to turn SELinux back on, the system will be required to " ++"relabel. If you just want to see if SELinux is causing a problem on your " ++"system, you can go to permissive mode which will only log errors and not " ++"enforce SELinux policy. Permissive mode does not require a reboot. 
Do you " ++"wish to continue?" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/gui.py:2772 ++msgid "" ++"Changing to SELinux enabled will cause a relabel of the entire file system " ++"on the next boot. Relabeling takes a long time depending on the size of the " ++"file system. Do you wish to continue?" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/gui.py:2802 ++msgid "" ++"You are attempting to close the application without applying your changes.\n" ++" * To apply changes you have made during this session, click No and " ++"click Update.\n" ++" * To leave the application without applying your changes, click Yes. " ++"All changes that you have made during this session will be lost." ++msgstr "" ++ ++#: ../sepolicy/sepolicy/gui.py:2802 ++msgid "Loss of data Dialog" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/__init__.py:75 ++msgid "regular file" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/__init__.py:76 ++msgid "directory" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/__init__.py:77 ++msgid "character device" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/__init__.py:78 ++msgid "block device" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/__init__.py:79 ++msgid "socket file" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/__init__.py:80 ++msgid "symbolic link" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/__init__.py:81 ++msgid "named pipe" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/__init__.py:130 ++msgid "No SELinux Policy installed" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/__init__.py:157 ++#, python-format ++msgid "Failed to read %s policy file" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/__init__.py:418 ++#, python-format ++msgid "-- Allowed %s [ %s ]" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/__init__.py:831 ++msgid "You must regenerate interface info by running /usr/bin/sepolgen-ifgen" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/__init__.py:1150 ++msgid "unknown" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/interface.py:223 ++#, python-format ++msgid "Compiling %s interface" ++msgstr "" ++ ++#: 
../sepolicy/sepolicy/interface.py:231 ++#, python-format ++msgid "" ++"\n" ++"Compile test for %s failed.\n" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/interface.py:234 ++#, python-format ++msgid "" ++"\n" ++"Compile test for %s has not run. %s\n" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/interface.py:240 ++#, python-format ++msgid "" ++"\n" ++"Compiling of %s interface is not supported." ++msgstr "" ++ ++#: ../sepolicy/sepolicy.py:227 ++#, python-format ++msgid "Interface %s does not exist." ++msgstr "" ++ ++#: ../sepolicy/sepolicy.py:324 ++msgid "You need to install policycoreutils-gui package to use the gui option" ++msgstr "" ++ ++#: ../sepolicy/sepolicy.py:329 ++msgid "Graphical User Interface for SELinux Policy" ++msgstr "" ++ ++#: ../sepolicy/sepolicy.py:332 ../sepolicy/sepolicy.py:380 ++msgid "Domain name(s) of man pages to be created" ++msgstr "" ++ ++#: ../sepolicy/sepolicy.py:345 ++msgid "Alternative root needs to be setup" ++msgstr "" ++ ++#: ../sepolicy/sepolicy.py:362 ++msgid "Generate SELinux man pages" ++msgstr "" ++ ++#: ../sepolicy/sepolicy.py:365 ++msgid "path in which the generated SELinux man pages will be stored" ++msgstr "" ++ ++#: ../sepolicy/sepolicy.py:367 ++msgid "name of the OS for man pages" ++msgstr "" ++ ++#: ../sepolicy/sepolicy.py:369 ++msgid "Generate HTML man pages structure for selected SELinux man page" ++msgstr "" ++ ++#: ../sepolicy/sepolicy.py:371 ++msgid "Alternate root directory, defaults to /" ++msgstr "" ++ ++#: ../sepolicy/sepolicy.py:373 ++msgid "" ++"With this flag, alternative root path needs to include file context files " ++"and policy.xml file" ++msgstr "" ++ ++#: ../sepolicy/sepolicy.py:377 ++msgid "All domains" ++msgstr "" ++ ++#: ../sepolicy/sepolicy.py:386 ++msgid "Query SELinux policy network information" ++msgstr "" ++ ++#: ../sepolicy/sepolicy.py:391 ++msgid "list all SELinux port types" ++msgstr "" ++ ++#: ../sepolicy/sepolicy.py:394 ++msgid "show SELinux type related to the port" ++msgstr "" ++ ++#: 
../sepolicy/sepolicy.py:397 ++msgid "Show ports defined for this SELinux type" ++msgstr "" ++ ++#: ../sepolicy/sepolicy.py:400 ++msgid "show ports to which this domain can bind and/or connect" ++msgstr "" ++ ++#: ../sepolicy/sepolicy.py:403 ++msgid "show ports to which this application can bind and/or connect" ++msgstr "" ++ ++#: ../sepolicy/sepolicy.py:420 ++msgid "query SELinux policy to see if domains can communicate with each other" ++msgstr "" ++ ++#: ../sepolicy/sepolicy.py:423 ++msgid "Source Domain" ++msgstr "" ++ ++#: ../sepolicy/sepolicy.py:426 ++msgid "Target Domain" ++msgstr "" ++ ++#: ../sepolicy/sepolicy.py:447 ++msgid "query SELinux Policy to see description of booleans" ++msgstr "" ++ ++#: ../sepolicy/sepolicy.py:451 ++msgid "get all booleans descriptions" ++msgstr "" ++ ++#: ../sepolicy/sepolicy.py:454 ++msgid "boolean to get description" ++msgstr "" ++ ++#: ../sepolicy/sepolicy.py:466 ++msgid "" ++"query SELinux Policy to see how a source process domain can transition to " ++"the target process domain" ++msgstr "" ++ ++#: ../sepolicy/sepolicy.py:469 ++msgid "source process domain" ++msgstr "" ++ ++#: ../sepolicy/sepolicy.py:472 ++msgid "target process domain" ++msgstr "" ++ ++#: ../sepolicy/sepolicy.py:517 ++#, python-format ++msgid "sepolicy generate: error: one of the arguments %s is required" ++msgstr "" ++ ++#: ../sepolicy/sepolicy.py:522 ++msgid "Command required for this type of policy" ++msgstr "" ++ ++#: ../sepolicy/sepolicy.py:533 ++#, python-format ++msgid "" ++"-t option can not be used with '%s' domains. Read usage for more details." ++msgstr "" ++ ++#: ../sepolicy/sepolicy.py:538 ++#, python-format ++msgid "" ++"-d option can not be used with '%s' domains. Read usage for more details." ++msgstr "" ++ ++#: ../sepolicy/sepolicy.py:542 ++#, python-format ++msgid "" ++"-a option can not be used with '%s' domains. Read usage for more details." 
++msgstr "" ++ ++#: ../sepolicy/sepolicy.py:546 ++msgid "-w option can not be used with the --newtype option" ++msgstr "" ++ ++#: ../sepolicy/sepolicy.py:567 ++msgid "List SELinux Policy interfaces" ++msgstr "" ++ ++#: ../sepolicy/sepolicy.py:587 ++msgid "Enter interface names, you wish to query" ++msgstr "" ++ ++#: ../sepolicy/sepolicy.py:597 ++msgid "Generate SELinux Policy module template" ++msgstr "" ++ ++#: ../sepolicy/sepolicy.py:600 ++msgid "Enter domain type which you will be extending" ++msgstr "" ++ ++#: ../sepolicy/sepolicy.py:603 ++msgid "Enter SELinux user(s) which will transition to this domain" ++msgstr "" ++ ++#: ../sepolicy/sepolicy.py:606 ++msgid "Enter SELinux role(s) to which the administror domain will transition" ++msgstr "" ++ ++#: ../sepolicy/sepolicy.py:609 ++msgid "Enter domain(s) which this confined admin will administrate" ++msgstr "" ++ ++#: ../sepolicy/sepolicy.py:612 ++msgid "name of policy to generate" ++msgstr "" ++ ++#: ../sepolicy/sepolicy.py:619 ++msgid "path in which the generated policy files will be stored" ++msgstr "" ++ ++#: ../sepolicy/sepolicy.py:621 ++msgid "path to which the confined processes will need to write" ++msgstr "" ++ ++#: ../sepolicy/sepolicy.py:622 ++msgid "Policy types which require a command" ++msgstr "" ++ ++#: ../sepolicy/sepolicy.py:626 ../sepolicy/sepolicy.py:629 ++#: ../sepolicy/sepolicy.py:632 ../sepolicy/sepolicy.py:635 ++#: ../sepolicy/sepolicy.py:638 ../sepolicy/sepolicy.py:644 ++#: ../sepolicy/sepolicy.py:647 ../sepolicy/sepolicy.py:650 ++#: ../sepolicy/sepolicy.py:656 ../sepolicy/sepolicy.py:659 ++#: ../sepolicy/sepolicy.py:662 ../sepolicy/sepolicy.py:665 ++#, python-format ++msgid "Generate '%s' policy" ++msgstr "" ++ ++#: ../sepolicy/sepolicy.py:653 ++#, python-format ++msgid "Generate '%s' policy " ++msgstr "" ++ ++#: ../sepolicy/sepolicy.py:667 ++msgid "executable to confine" ++msgstr "" ++ ++#: ../sepolicy/sepolicy.py:672 ++msgid "commands" ++msgstr "" ++ ++#: ../sepolicy/sepolicy.py:675 
++msgid "Alternate SELinux policy, defaults to /sys/fs/selinux/policy" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/sepolicy.glade:25 ++#: ../sepolicy/sepolicy/sepolicy.glade:4330 ++msgid "Applications" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/sepolicy.glade:52 ++msgid "Select domain" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/sepolicy.glade:189 ++#: ../sepolicy/sepolicy/sepolicy.glade:4367 ++#: ../sepolicy/sepolicy/sepolicy.glade:4460 ++#: ../sepolicy/sepolicy/sepolicy.glade:4606 ++#: ../sepolicy/sepolicy/sepolicy.glade:4755 ++#: ../sepolicy/sepolicy/sepolicy.glade:4889 ++#: ../sepolicy/sepolicy/sepolicy.glade:5030 ++#: ../sepolicy/sepolicy/sepolicy.glade:5103 ++#: ../sepolicy/sepolicy/sepolicy.glade:5238 ++msgid "Select" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/sepolicy.glade:204 ++#: ../sepolicy/sepolicy/sepolicy.glade:539 ++#: ../sepolicy/sepolicy/sepolicy.glade:684 ++#: ../sepolicy/sepolicy/sepolicy.glade:1239 ++#: ../sepolicy/sepolicy/sepolicy.glade:1535 ++#: ../sepolicy/sepolicy/sepolicy.glade:4540 ++#: ../sepolicy/sepolicy/sepolicy.glade:4690 ++#: ../sepolicy/sepolicy/sepolicy.glade:4821 ++#: ../sepolicy/sepolicy/sepolicy.glade:4955 ++#: ../sepolicy/sepolicy/sepolicy.glade:5173 ++#: ../sepolicy/sepolicy/sepolicy.glade:5304 ++#: ../sepolicy/sepolicy/sepolicy.glade:5464 ++msgid "Cancel" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/sepolicy.glade:332 ++msgid "" ++"The entry that was entered is incorrect. Please try again in the " ++"ex:/.../... format." ++msgstr "" ++ ++#: ../sepolicy/sepolicy/sepolicy.glade:358 ++msgid "Retry" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/sepolicy.glade:442 ++#: ../sepolicy/sepolicy/sepolicy.glade:1120 ++#: ../sepolicy/sepolicy/sepolicy.glade:1368 ++#: ../sepolicy/sepolicy/sepolicy.glade:5332 ++msgid "Network Port Definitions" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/sepolicy.glade:458 ++msgid "" ++"Add file Equivalence Mapping. Mapping will be created when Update is " ++"applied." 
++msgstr "" ++ ++#: ../sepolicy/sepolicy/sepolicy.glade:483 ++#: ../sepolicy/sepolicy/sepolicy.glade:4046 ++msgid "Path" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/sepolicy.glade:493 ++#: ../sepolicy/sepolicy/sepolicy.glade:5384 ++msgid "" ++"Specify a new SELinux user name. By convention SELinux User names usually " ++"end in an _u." ++msgstr "" ++ ++#: ../sepolicy/sepolicy/sepolicy.glade:497 ++msgid "Enter the path to which you want to setup an equivalence label." ++msgstr "" ++ ++#: ../sepolicy/sepolicy/sepolicy.glade:510 ++#: ../sepolicy/sepolicy/sepolicy.glade:4063 ++#: ../sepolicy/sepolicy/sepolicy.glade:4781 ++msgid "Equivalence Path" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/sepolicy.glade:524 ++#: ../sepolicy/sepolicy/sepolicy.glade:669 ++#: ../sepolicy/sepolicy/sepolicy.glade:1224 ++#: ../sepolicy/sepolicy/sepolicy.glade:1520 ++#: ../sepolicy/sepolicy/sepolicy.glade:5449 ++msgid "Save to update" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/sepolicy.glade:564 ++msgid "" ++"Specify the mapping between the new path and the equivalence path. " ++"Everything under this new path will be labeled as if they were under the " ++"equivalence path." ++msgstr "" ++ ++#: ../sepolicy/sepolicy/sepolicy.glade:621 ++msgid "Add a file" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/sepolicy.glade:638 ++msgid "" ++" File Labeling for . File labels will be created " ++"when update is applied." ++msgstr "" ++ ++#: ../sepolicy/sepolicy/sepolicy.glade:711 ++#: ../sepolicy/sepolicy/sepolicy.glade:1485 ++msgid "MLS" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/sepolicy.glade:747 ++#: ../sepolicy/sepolicy/sepolicy.glade:2306 ++#: ../sepolicy/sepolicy/sepolicy.glade:2418 ++#: ../sepolicy/sepolicy/sepolicy.glade:2540 ++#: ../sepolicy/sepolicy/sepolicy.glade:4500 ++msgid "Class" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/sepolicy.glade:763 ++msgid "Type" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/sepolicy.glade:777 ++msgid "" ++"Select the file class to which this label will be applied. 
Defaults to all " ++"classes." ++msgstr "" ++ ++#: ../sepolicy/sepolicy/sepolicy.glade:804 ++msgid "Make Path Recursive" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/sepolicy.glade:808 ++msgid "" ++"Select Make Path Recursive if you want to apply this label to all children " ++"of the specified directory path. objects under the directory to have this " ++"label." ++msgstr "" ++ ++#: ../sepolicy/sepolicy/sepolicy.glade:821 ++msgid "Browse" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/sepolicy.glade:825 ++msgid "Browse to select the file/directory for labeling." ++msgstr "" ++ ++#: ../sepolicy/sepolicy/sepolicy.glade:869 ++msgid "Path " ++msgstr "" ++ ++#: ../sepolicy/sepolicy/sepolicy.glade:880 ++msgid "" ++"Specify the path using regular expressions that you would like to modify the " ++"labeling." ++msgstr "" ++ ++#: ../sepolicy/sepolicy/sepolicy.glade:902 ++msgid "Select the SELinux file type to assign to this path." ++msgstr "" ++ ++#: ../sepolicy/sepolicy/sepolicy.glade:929 ++msgid "Enter the MLS Label to assign to this file path." ++msgstr "" ++ ++#: ../sepolicy/sepolicy/sepolicy.glade:933 ++msgid "SELinux MLS Label you wish to assign to this path." ++msgstr "" ++ ++#: ../sepolicy/sepolicy/sepolicy.glade:1070 ++msgid "Analyzing Policy..." ++msgstr "" ++ ++#: ../sepolicy/sepolicy/sepolicy.glade:1137 ++msgid "" ++"Add Login Mapping. Login Mapping will be created when update is applied." ++msgstr "" ++ ++#: ../sepolicy/sepolicy/sepolicy.glade:1172 ++msgid "" ++"Enter the login user name of the user to which you wish to add SELinux User " ++"confinement." ++msgstr "" ++ ++#: ../sepolicy/sepolicy/sepolicy.glade:1201 ++msgid "" ++"Select the SELinux User to assign to this login user. Login users by " ++"default get assigned by the __default__ user." ++msgstr "" ++ ++#: ../sepolicy/sepolicy/sepolicy.glade:1264 ++msgid "" ++"Enter MLS/MCS Range for this login User. Defaults to the range for the " ++"Selected SELinux User." 
++msgstr "" ++ ++#: ../sepolicy/sepolicy/sepolicy.glade:1267 ++#: ../sepolicy/sepolicy/sepolicy.glade:3192 ++#: ../sepolicy/sepolicy/sepolicy.glade:3313 ++#: ../sepolicy/sepolicy/sepolicy.glade:5414 ++msgid "MLS Range" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/sepolicy.glade:1279 ++msgid "" ++"Specify the MLS Range for this user to login in with. Defaults to the " ++"selected SELinux Users MLS Range." ++msgstr "" ++ ++#: ../sepolicy/sepolicy/sepolicy.glade:1385 ++msgid "" ++" Network Port for . Ports will be created when " ++"update is applied." ++msgstr "" ++ ++#: ../sepolicy/sepolicy/sepolicy.glade:1423 ++msgid "Enter the port number or range to which you want to add a port type." ++msgstr "" ++ ++#: ../sepolicy/sepolicy/sepolicy.glade:1439 ++#: ../sepolicy/sepolicy/sepolicy.glade:2658 ++#: ../sepolicy/sepolicy/sepolicy.glade:2756 ++#: ../sepolicy/sepolicy/sepolicy.glade:4633 ++msgid "Protocol" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/sepolicy.glade:1453 ++msgid "Port Type" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/sepolicy.glade:1498 ++msgid "Select the port type you want to assign to the specified port number." ++msgstr "" ++ ++#: ../sepolicy/sepolicy/sepolicy.glade:1562 ++msgid "tcp" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/sepolicy.glade:1566 ++msgid "" ++"Select tcp if the port type should be assigned to tcp port numbers." ++msgstr "" ++ ++#: ../sepolicy/sepolicy/sepolicy.glade:1579 ++msgid "udp" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/sepolicy.glade:1583 ++msgid "" ++"Select udp if the port type should be assigned to udp port numbers." ++msgstr "" ++ ++#: ../sepolicy/sepolicy/sepolicy.glade:1605 ++msgid "Enter the MLS Label to assign to this port." ++msgstr "" ++ ++#: ../sepolicy/sepolicy/sepolicy.glade:1707 ++msgid "SELinux Configuration" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/sepolicy.glade:1743 ++msgid "Select..." 
++msgstr "" ++ ++#: ../sepolicy/sepolicy/sepolicy.glade:1792 ++#: ../sepolicy/sepolicy/sepolicy.glade:2212 ++msgid "Booleans" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/sepolicy.glade:1796 ++msgid "" ++"Display boolean information that can be used to modify the policy for the " ++"'selected domain'." ++msgstr "" ++ ++#: ../sepolicy/sepolicy/sepolicy.glade:1810 ++#: ../sepolicy/sepolicy/sepolicy.glade:2597 ++msgid "Files" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/sepolicy.glade:1814 ++msgid "" ++"Display file type information that can be used by the 'selected domain'." ++msgstr "" ++ ++#: ../sepolicy/sepolicy/sepolicy.glade:1828 ++#: ../sepolicy/sepolicy/sepolicy.glade:2830 ++msgid "Network" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/sepolicy.glade:1832 ++msgid "" ++"Display network ports to which the 'selected domain' can connect or listen " ++"to." ++msgstr "" ++ ++#: ../sepolicy/sepolicy/sepolicy.glade:1846 ++#: ../sepolicy/sepolicy/sepolicy.glade:3121 ++msgid "Transitions" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/sepolicy.glade:1850 ++msgid "" ++"Display applications that can transition into or out of the 'selected " ++"domain'." ++msgstr "" ++ ++#: ../sepolicy/sepolicy/sepolicy.glade:1864 ++#: ../sepolicy/sepolicy/sepolicy.glade:3222 ++msgid "Login Mapping" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/sepolicy.glade:1867 ++#: ../sepolicy/sepolicy/sepolicy.glade:1884 ++#: ../sepolicy/sepolicy/sepolicy.glade:1901 ++msgid "Manage the SELinux configuration" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/sepolicy.glade:1881 ++#: ../sepolicy/sepolicy/sepolicy.glade:3344 ++msgid "SELinux Users" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/sepolicy.glade:1915 ++#: ../sepolicy/sepolicy/sepolicy.glade:4016 ++msgid "Lockdown" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/sepolicy.glade:1918 ++msgid "" ++"Lockdown the SELinux System.\n" ++"This screen can be used to turn up the SELinux Protections." 
++msgstr "" ++ ++#: ../sepolicy/sepolicy/sepolicy.glade:1933 ++msgid "radiobutton" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/sepolicy.glade:1993 ++msgid "Filter" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/sepolicy.glade:2021 ++msgid "Show Modified Only" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/sepolicy.glade:2060 ++msgid "Mislabeled files exist" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/sepolicy.glade:2080 ++msgid "Show mislabeled files only" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/sepolicy.glade:2120 ++#: ../sepolicy/sepolicy/sepolicy.glade:3244 ++msgid "" ++"If-Then-Else rules written in policy that can\n" ++"allow alternative access control." ++msgstr "" ++ ++#: ../sepolicy/sepolicy/sepolicy.glade:2132 ++msgid "Enabled" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/sepolicy.glade:2183 ++msgid "Name" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/sepolicy.glade:2252 ++#: ../sepolicy/sepolicy/sepolicy.glade:2364 ++#: ../sepolicy/sepolicy/sepolicy.glade:2482 ++#: ../sepolicy/sepolicy/sepolicy.glade:4473 ++#: ../sepolicy/sepolicy/sepolicy.glade:4768 ++msgid "File Path" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/sepolicy.glade:2288 ++#: ../sepolicy/sepolicy/sepolicy.glade:2399 ++msgid "SELinux File Type" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/sepolicy.glade:2332 ++msgid "File path used to enter the 'selected domain'." ++msgstr "" ++ ++#: ../sepolicy/sepolicy/sepolicy.glade:2333 ++msgid "Executable Files" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/sepolicy.glade:2448 ++msgid "Files to which the 'selected domain' can write." ++msgstr "" ++ ++#: ../sepolicy/sepolicy/sepolicy.glade:2449 ++msgid "Writable files" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/sepolicy.glade:2571 ++msgid "File Types defined for the 'selected domain'." 
++msgstr "" ++ ++#: ../sepolicy/sepolicy/sepolicy.glade:2572 ++msgid "Application File Types" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/sepolicy.glade:2639 ++#: ../sepolicy/sepolicy/sepolicy.glade:2738 ++#: ../sepolicy/sepolicy/sepolicy.glade:4619 ++msgid "Port" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/sepolicy.glade:2704 ++msgid "Network Ports to which the 'selected domain' is allowed to connect." ++msgstr "" ++ ++#: ../sepolicy/sepolicy/sepolicy.glade:2705 ++msgid "Outbound" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/sepolicy.glade:2804 ++msgid "Network Ports to which the 'selected domain' is allowed to listen." ++msgstr "" ++ ++#: ../sepolicy/sepolicy/sepolicy.glade:2805 ++msgid "Inbound" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/sepolicy.glade:2866 ++#: ../sepolicy/sepolicy/sepolicy.glade:2956 ++msgid "" ++"Boolean\n" ++"Enabled" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/sepolicy.glade:2892 ++msgid "Boolean name" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/sepolicy.glade:2909 ++msgid "SELinux Application Type" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/sepolicy.glade:2930 ++msgid "" ++"Executables which will transition to a different domain, when the 'selected " ++"domain' executes them." ++msgstr "" ++ ++#: ../sepolicy/sepolicy/sepolicy.glade:2933 ++msgid "Application Transitions From 'select domain'" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/sepolicy.glade:2972 ++msgid "Calling Process Domain" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/sepolicy.glade:2988 ++msgid "Executable File" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/sepolicy.glade:3012 ++msgid "" ++"Executables which will transition to the 'selected domain', when executing a " ++"selected domains entrypoint." 
++msgstr "" ++ ++#: ../sepolicy/sepolicy/sepolicy.glade:3013 ++msgid "Application Transitions Into 'select domain'" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/sepolicy.glade:3028 ++msgid "" ++"File Transitions define what happens when the current domain creates the " ++"content of a particular class in a directory of the destination type. " ++"Optionally a file name could be specified for the transition." ++msgstr "" ++ ++#: ../sepolicy/sepolicy/sepolicy.glade:3036 ++msgid "SELinux Directory Type" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/sepolicy.glade:3049 ++msgid "Destination Class" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/sepolicy.glade:3063 ++msgid "SELinux Destination Type" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/sepolicy.glade:3076 ++msgid "File Name" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/sepolicy.glade:3098 ++msgid "File Transitions From 'select domain'" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/sepolicy.glade:3297 ++#: ../sepolicy/sepolicy/sepolicy.glade:5508 ++msgid "Default Level" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/sepolicy.glade:3383 ++msgid "Select the system mode when the system first boots up" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/sepolicy.glade:3395 ++#: ../sepolicy/sepolicy/sepolicy.glade:3469 ++msgid "Enforcing" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/sepolicy.glade:3414 ++#: ../sepolicy/sepolicy/sepolicy.glade:3487 ++msgid "Permissive" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/sepolicy.glade:3456 ++msgid "Select the system mode for the current session" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/sepolicy.glade:3533 ++msgid "System Policy Type:" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/sepolicy.glade:3594 ++msgid "System Mode" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/sepolicy.glade:3632 ++msgid "Import system settings from another machine" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/sepolicy.glade:3640 ++msgid "Import" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/sepolicy.glade:3659 ++msgid "Export system settings to a file" ++msgstr "" ++ ++#: 
../sepolicy/sepolicy/sepolicy.glade:3669 ++msgid "Export" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/sepolicy.glade:3688 ++msgid "Relabel all files back to system defaults on reboot" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/sepolicy.glade:3783 ++msgid "System Configuration" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/sepolicy.glade:3830 ++#: ../sepolicy/sepolicy/sepolicy.glade:3848 ++msgid "" ++"An unconfined domain is a process label that allows the process to do what " ++"it wants, without SELinux interfering. Applications started at boot by the " ++"init system that SELinux do not have defined SELinux policy will run as " ++"unconfined if this module is enabled. Disabling it means all daemons will " ++"now be confined. To disable the unconfined_t user you must first remove " ++"unconfined_t from the users/login screens." ++msgstr "" ++ ++#: ../sepolicy/sepolicy/sepolicy.glade:3866 ++msgid "Disable ability to run unconfined system processes?" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/sepolicy.glade:3894 ++#: ../sepolicy/sepolicy/sepolicy.glade:3911 ++#: ../sepolicy/sepolicy/sepolicy.glade:3957 ++#: ../sepolicy/sepolicy/sepolicy.glade:3974 ++msgid "" ++"A permissive domain is a process label that allows the process to do what it " ++"wants, with SELinux only logging the denials, but not enforcing them. " ++"Usually permissive domains indicate experimental policy, disabling the " ++"module could cause SELinux to deny access to a domain, that should be " ++"allowed." ++msgstr "" ++ ++#: ../sepolicy/sepolicy/sepolicy.glade:3929 ++msgid "Disable all permissive processes?" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/sepolicy.glade:3995 ++msgid "Deny all processes from ptracing or debugging other processes?" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/sepolicy.glade:4032 ++msgid "" ++"File equivalence cause the system to label content under the new path as if " ++"it were under the equivalence path." 
++msgstr "" ++ ++#: ../sepolicy/sepolicy/sepolicy.glade:4088 ++msgid "Files Equivalence" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/sepolicy.glade:4101 ++msgid "...SELECT TO VIEW DATA..." ++msgstr "" ++ ++#: ../sepolicy/sepolicy/sepolicy.glade:4132 ++msgid "Delete" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/sepolicy.glade:4148 ++msgid "Modify" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/sepolicy.glade:4163 ++msgid "Add" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/sepolicy.glade:4209 ++msgid "Revert" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/sepolicy.glade:4214 ++msgid "" ++"Revert button will launch a dialog window which allows you to revert changes " ++"within the current transaction." ++msgstr "" ++ ++#: ../sepolicy/sepolicy/sepolicy.glade:4231 ++msgid "Commit all changes in your current transaction to the server." ++msgstr "" ++ ++#: ../sepolicy/sepolicy/sepolicy.glade:4279 ++msgid "Applications - Advanced Search" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/sepolicy.glade:4344 ++msgid "Process Types" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/sepolicy.glade:4385 ++msgid "More Details" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/sepolicy.glade:4421 ++#: ../sepolicy/sepolicy/sepolicy.glade:4715 ++msgid "Delete Modified File Labeling" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/sepolicy.glade:4439 ++msgid "" ++"Select file labeling to delete. File labeling will be deleted when update is " ++"applied." ++msgstr "" ++ ++#: ../sepolicy/sepolicy/sepolicy.glade:4486 ++msgid "SELinux File Label" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/sepolicy.glade:4525 ++#: ../sepolicy/sepolicy/sepolicy.glade:4675 ++#: ../sepolicy/sepolicy/sepolicy.glade:4806 ++#: ../sepolicy/sepolicy/sepolicy.glade:4940 ++#: ../sepolicy/sepolicy/sepolicy.glade:5289 ++msgid "Save to Update" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/sepolicy.glade:4565 ++msgid "Delete Modified Ports" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/sepolicy.glade:4583 ++msgid "Select ports to delete. Ports will be deleted when update is applied." 
++msgstr "" ++ ++#: ../sepolicy/sepolicy/sepolicy.glade:4733 ++msgid "" ++"Select file equivalence labeling to delete. File equivalence labeling will " ++"be deleted when update is applied." ++msgstr "" ++ ++#: ../sepolicy/sepolicy/sepolicy.glade:4849 ++#: ../sepolicy/sepolicy/sepolicy.glade:5198 ++msgid "Delete Modified Users Mapping." ++msgstr "" ++ ++#: ../sepolicy/sepolicy/sepolicy.glade:4867 ++msgid "" ++"Select login user mapping to delete. Login user mapping will be deleted when " ++"update is applied." ++msgstr "" ++ ++#: ../sepolicy/sepolicy/sepolicy.glade:4902 ++msgid "Login name" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/sepolicy.glade:4983 ++msgid "More Types" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/sepolicy.glade:5010 ++msgid "Types" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/sepolicy.glade:5069 ++msgid "" ++"Review the updates you have made before committing them to the system. To " ++"reset an item, uncheck the checkbox. All items checked will be updated in " ++"the system when you select update." ++msgstr "" ++ ++#: ../sepolicy/sepolicy/sepolicy.glade:5132 ++msgid "Action" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/sepolicy.glade:5158 ++msgid "Apply" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/sepolicy.glade:5216 ++msgid "" ++"Select users mapping to delete.Users mapping will be deleted when update is " ++"applied." ++msgstr "" ++ ++#: ../sepolicy/sepolicy/sepolicy.glade:5264 ++msgid "SELinux Username" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/sepolicy.glade:5349 ++msgid "" ++"Add User Roles. SELinux User Roles will be created when Update is applied." ++msgstr "" ++ ++#: ../sepolicy/sepolicy/sepolicy.glade:5374 ++msgid "SELinux User Name" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/sepolicy.glade:5489 ++msgid "" ++"Enter MLS/MCS Range for this SELinux User.\n" ++"s0-s0:c1023" ++msgstr "" ++ ++#: ../sepolicy/sepolicy/sepolicy.glade:5520 ++msgid "" ++"Specify the default level that you would like this SELinux user to login " ++"with. Defaults to s0." 
++msgstr "" ++ ++#: ../sepolicy/sepolicy/sepolicy.glade:5524 ++msgid "Enter Default Level for SELinux User to login with. Default s0" ++msgstr "" +diff --git a/sandbox/po/sandbox.pot b/sandbox/po/sandbox.pot +new file mode 100644 +index 00000000..328b4f01 +--- /dev/null ++++ b/sandbox/po/sandbox.pot +@@ -0,0 +1,157 @@ ++# SOME DESCRIPTIVE TITLE. ++# Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER ++# This file is distributed under the same license as the PACKAGE package. ++# FIRST AUTHOR , YEAR. ++# ++#, fuzzy ++msgid "" ++msgstr "" ++"Project-Id-Version: PACKAGE VERSION\n" ++"Report-Msgid-Bugs-To: \n" ++"POT-Creation-Date: 2018-08-06 14:22+0200\n" ++"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" ++"Last-Translator: FULL NAME \n" ++"Language-Team: LANGUAGE \n" ++"Language: \n" ++"MIME-Version: 1.0\n" ++"Content-Type: text/plain; charset=CHARSET\n" ++"Content-Transfer-Encoding: 8bit\n" ++ ++#: ../sandbox:119 ++#, python-format ++msgid "Do you want to save changes to '%s' (Y/N): " ++msgstr "" ++ ++#: ../sandbox:120 ++msgid "Sandbox Message" ++msgstr "" ++ ++#: ../sandbox:132 ++#, python-format ++msgid "Do you want to save changes to '%s' (y/N): " ++msgstr "" ++ ++#: ../sandbox:133 ++msgid "[yY]" ++msgstr "" ++ ++#: ../sandbox:156 ++msgid "User account must be setup with an MCS Range" ++msgstr "" ++ ++#: ../sandbox:184 ++msgid "" ++"Failed to find any unused category sets. Consider a larger MCS range for " ++"this user." 
++msgstr "" ++ ++#: ../sandbox:215 ++msgid "Homedir and tempdir required for level mounts" ++msgstr "" ++ ++#: ../sandbox:218 ../sandbox:229 ../sandbox:234 ++#, python-format ++msgid "" ++"\n" ++"%s is required for the action you want to perform.\n" ++msgstr "" ++ ++#: ../sandbox:305 ++#, python-format ++msgid "" ++"\n" ++"Policy defines the following types for use with the -t:\n" ++"\t%s\n" ++msgstr "" ++ ++#: ../sandbox:312 ++#, python-format ++msgid "" ++"\n" ++"sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I " ++"includefile ] [-W windowmanager ] [ -w windowsize ] [[-i file ] ...] [ -t " ++"type ] command\n" ++"\n" ++"sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I " ++"includefile ] [-W windowmanager ] [ -w windowsize ] [[-i file ] ...] [ -t " ++"type ] -S\n" ++"%s\n" ++msgstr "" ++ ++#: ../sandbox:324 ++msgid "include file in sandbox" ++msgstr "" ++ ++#: ../sandbox:327 ++msgid "read list of files to include in sandbox from INCLUDEFILE" ++msgstr "" ++ ++#: ../sandbox:329 ++msgid "run sandbox with SELinux type" ++msgstr "" ++ ++#: ../sandbox:332 ++msgid "mount new home and/or tmp directory" ++msgstr "" ++ ++#: ../sandbox:336 ++msgid "dots per inch for X display" ++msgstr "" ++ ++#: ../sandbox:339 ++msgid "run complete desktop session within sandbox" ++msgstr "" ++ ++#: ../sandbox:342 ++msgid "Shred content before tempory directories are removed" ++msgstr "" ++ ++#: ../sandbox:346 ++msgid "run X application within a sandbox" ++msgstr "" ++ ++#: ../sandbox:352 ++msgid "alternate home directory to use for mounting" ++msgstr "" ++ ++#: ../sandbox:357 ++msgid "alternate /tmp directory to use for mounting" ++msgstr "" ++ ++#: ../sandbox:366 ++msgid "alternate window manager" ++msgstr "" ++ ++#: ../sandbox:369 ++msgid "MCS/MLS level for the sandbox" ++msgstr "" ++ ++#: ../sandbox:385 ++msgid "" ++"Sandbox Policy is not currently installed.\n" ++"You need to install the selinux-policy-sandbox package in order to run this " ++"command" 
++msgstr "" ++ ++#: ../sandbox:397 ++msgid "" ++"You must specify a Homedir and tempdir when setting up a session sandbox" ++msgstr "" ++ ++#: ../sandbox:399 ++msgid "Commands are not allowed in a session sandbox" ++msgstr "" ++ ++#: ../sandbox:409 ++msgid "Command required" ++msgstr "" ++ ++#: ../sandbox:412 ++#, python-format ++msgid "%s is not an executable" ++msgstr "" ++ ++#: ../sandbox:535 ++#, python-format ++msgid "Invalid value %s" ++msgstr "" +-- +2.21.0 + diff --git a/SOURCES/0016-policycoreutils-setfiles-Improve-description-of-d-sw.patch b/SOURCES/0016-policycoreutils-setfiles-Improve-description-of-d-sw.patch new file mode 100644 index 0000000..4120fce --- /dev/null +++ b/SOURCES/0016-policycoreutils-setfiles-Improve-description-of-d-sw.patch @@ -0,0 +1,30 @@ +From c8fbb8042852c18775c001999ce949e9b591e381 Mon Sep 17 00:00:00 2001 +From: Vit Mojzis +Date: Wed, 21 Mar 2018 08:51:31 +0100 +Subject: [PATCH] policycoreutils/setfiles: Improve description of -d switch + +The "-q" switch is becoming obsolete (completely unused in fedora) and +debug output ("-d" switch) makes sense in any scenario. Therefore both +options can be specified at once. + +Resolves: rhbz#1271327 +--- + policycoreutils/setfiles/setfiles.8 | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/policycoreutils/setfiles/setfiles.8 b/policycoreutils/setfiles/setfiles.8 +index ccaaf4de..a8a76c86 100644 +--- a/policycoreutils/setfiles/setfiles.8 ++++ b/policycoreutils/setfiles/setfiles.8 +@@ -57,7 +57,7 @@ check the validity of the contexts against the specified binary policy. + .TP + .B \-d + show what specification matched each file (do not abort validation +-after ABORT_ON_ERRORS errors). ++after ABORT_ON_ERRORS errors). Not affected by "\-q" + .TP + .BI \-e \ directory + directory to exclude (repeat option for more than one directory). +-- +2.21.0 + 
diff --git a/SOURCES/0017-sepolicy-generate-Handle-more-reserved-port-types.patch b/SOURCES/0017-sepolicy-generate-Handle-more-reserved-port-types.patch
new file mode 100644
index 0000000..b4a9fd4
--- /dev/null
+++ b/SOURCES/0017-sepolicy-generate-Handle-more-reserved-port-types.patch
@@ -0,0 +1,71 @@
+From 3073efc112929b535f3a832c6f99e0dbe3af29ca Mon Sep 17 00:00:00 2001
+From: Masatake YAMATO
+Date: Thu, 14 Dec 2017 15:57:58 +0900
+Subject: [PATCH] sepolicy-generate: Handle more reserved port types
+
+Currently only reserved_port_t, port_t and hi_reserved_port_t are
+handled as special when making a ports-dictionary. However, as fas as
+corenetwork.te.in of serefpolicy, unreserved_port_t and
+ephemeral_port_t should be handled in the same way, too.
+
+(Details) I found the need of this change when I was using
+selinux-polgengui. Though tcp port 12345, which my application may
+use, was given to the gui, selinux-polgengui generates expected te
+file and sh file which didn't utilize the tcp port.
+
+selinux-polgengui checks whether a port given via gui is already typed
+or not.
+
+If it is already typed, selinux-polgengui generates a te file having
+rules to allow the application to use the port. (A)
+
+If not, it seems for me that selinux-polgengui is designed to generate
+a te file having rules to allow the application to own(?) the port;
+and a sh file having a command line to assign the application own type
+to the port. (B)
+
+As we can see the output of `semanage port -l' some of ports for
+specified purpose have types already. The important point is that the
+rest of ports also have types already:
+
+ hi_reserved_port_t tcp 512-1023
+ hi_reserved_port_t udp 512-1023
+ unreserved_port_t tcp 1024-32767, 61001-65535
+ unreserved_port_t udp 1024-32767, 61001-65535
+ ephemeral_port_t tcp 32768-61000
+ ephemeral_port_t udp 32768-61000
+
+As my patch shows, the original selinux-polgengui ignored
+hi_reserved_port_t; though hi_reserved_port_t is assigned,
+selinux-polgengui considered ports 512-1023 are not used. As the
+result selinux-polgengui generates file sets of (B).
+
+For the purpose of selinux-polgengui, I think unreserved_port_t and
+ephemeral_port_t are treated as the same as hi_reserved_port_t.
+
+Signed-off-by: Masatake YAMATO
+
+Fedora only patch:
+https://lore.kernel.org/selinux/20150610.190635.1866127952891120915.yamato@redhat.com/
+---
+ python/sepolicy/sepolicy/generate.py | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/python/sepolicy/sepolicy/generate.py b/python/sepolicy/sepolicy/generate.py
+index 7175d36b..93caedee 100644
+--- a/python/sepolicy/sepolicy/generate.py
++++ b/python/sepolicy/sepolicy/generate.py
+@@ -100,7 +100,9 @@ def get_all_ports():
+ for p in sepolicy.info(sepolicy.PORT):
+ if p['type'] == "reserved_port_t" or \
+ p['type'] == "port_t" or \
+- p['type'] == "hi_reserved_port_t":
++ p['type'] == "hi_reserved_port_t" or \
++ p['type'] == "ephemeral_port_t" or \
++ p['type'] == "unreserved_port_t":
+ continue
+ dict[(p['low'], p['high'], p['protocol'])] = (p['type'], p.get('range'))
+ return dict
+--
+2.21.0
+
diff --git a/SOURCES/0018-semodule-utils-Fix-RESOURCE_LEAK-coverity-scan-defec.patch b/SOURCES/0018-semodule-utils-Fix-RESOURCE_LEAK-coverity-scan-defec.patch
new file mode 100644
index 0000000..73b9c7a
--- /dev/null
+++ b/SOURCES/0018-semodule-utils-Fix-RESOURCE_LEAK-coverity-scan-defec.patch
@@ -0,0 +1,24 @@
+From f8602180d042e95947fe0bbd35d261771b347705 Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach
+Date: Thu, 8 Nov 2018 09:20:58 +0100
+Subject: [PATCH] semodule-utils: Fix RESOURCE_LEAK coverity scan defects
+
+---
+ semodule-utils/semodule_package/semodule_package.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/semodule-utils/semodule_package/semodule_package.c b/semodule-utils/semodule_package/semodule_package.c
+index 3515234e..7b75b3fd 100644
+--- a/semodule-utils/semodule_package/semodule_package.c
++++ b/semodule-utils/semodule_package/semodule_package.c
+@@ -74,6 +74,7 @@ static int file_to_data(const char *path, char **data, size_t * len)
+ }
+ if (!sb.st_size) {
+ *len = 0;
++ close(fd);
+ return 0;
+ }
+
+--
+2.21.0
+
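Review bot: The skip condition in get_all_ports() is now a five-way chain of `p['type'] == ...` comparisons joined by backslash continuations, which is easy to leave incomplete the next time a generic port type has to be added. A membership test against one named tuple keeps the list in a single place: `GENERIC_PORT_TYPES = ("reserved_port_t", "port_t", "hi_reserved_port_t", "ephemeral_port_t", "unreserved_port_t")` followed by `if p['type'] in GENERIC_PORT_TYPES: continue`. That constant deserves a comment recording the reason given in the commit message, namely that a port carrying only one of these generic types is to be treated as not yet assigned to a service. The accumulator named `dict` also shadows the builtin; the function begins outside the hunk, so the rename would have to start there.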
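Review bot: On the empty-file path of file_to_data() the function now closes `fd` and returns 0 with `*len = 0`, but nothing in the hunk assigns `*data`, so a caller that did not pre-initialise its pointer would see an indeterminate value after a successful return. Setting it next to the length, `*data = NULL;`, makes the success contract explicit; if `*data` is already cleared earlier in the function, which lies outside the hunk, this is only a clarity point. The subject line speaks of RESOURCE_LEAK defects in the plural while only this one return is touched, so the remaining exit paths of file_to_data(), not visible here, are worth checking for the same open descriptor.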
diff --git a/SOURCES/0019-sandbox-Use-matchbox-window-manager-instead-of-openb.patch b/SOURCES/0019-sandbox-Use-matchbox-window-manager-instead-of-openb.patch new file mode 100644 index 0000000..b9674eb --- /dev/null +++ b/SOURCES/0019-sandbox-Use-matchbox-window-manager-instead-of-openb.patch 
@@ -0,0 +1,74 @@ +From 89895635ae012d1864a03700054ecc723973b5c0 Mon Sep 17 00:00:00 2001 +From: Petr Lautrbach +Date: Wed, 18 Jul 2018 09:09:35 +0200 +Subject: [PATCH] sandbox: Use matchbox-window-manager instead of openbox + +--- + sandbox/sandbox | 4 ++-- + sandbox/sandbox.8 | 2 +- + sandbox/sandboxX.sh | 14 -------------- + 3 files changed, 3 insertions(+), 17 deletions(-) + +diff --git a/sandbox/sandbox b/sandbox/sandbox +index a12403b3..707959a6 100644 +--- a/sandbox/sandbox ++++ b/sandbox/sandbox +@@ -268,7 +268,7 @@ class Sandbox: + copyfile(f, "/tmp", self.__tmpdir) + copyfile(f, "/var/tmp", self.__tmpdir) + +- def __setup_sandboxrc(self, wm="/usr/bin/openbox"): ++ def __setup_sandboxrc(self, wm="/usr/bin/matchbox-window-manager"): + execfile = self.__homedir + "/.sandboxrc" + fd = open(execfile, "w+") + if self.__options.session: +@@ -362,7 +362,7 @@ sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [- + + parser.add_option("-W", "--windowmanager", dest="wm", + type="string", +- default="/usr/bin/openbox", ++ default="/usr/bin/matchbox-window-manager", + help=_("alternate window manager")) + + parser.add_option("-l", "--level", dest="level", +diff --git a/sandbox/sandbox.8 b/sandbox/sandbox.8 +index d83fee76..90ef4951 100644 +--- a/sandbox/sandbox.8 ++++ b/sandbox/sandbox.8 +@@ -77,7 +77,7 @@ Specifies the windowsize when creating an X based Sandbox. The default windowsiz + \fB\-W\fR \fB\-\-windowmanager\fR + Select alternative window manager to run within + .B sandbox \-X. +-Default to /usr/bin/openbox. ++Default to /usr/bin/matchbox-window-manager. 
+ .TP + \fB\-X\fR + Create an X based Sandbox for gui apps, temporary files for +diff --git a/sandbox/sandboxX.sh b/sandbox/sandboxX.sh +index 47745280..c211ebc1 100644 +--- a/sandbox/sandboxX.sh ++++ b/sandbox/sandboxX.sh +@@ -6,20 +6,6 @@ export TITLE="Sandbox $context -- `grep ^#TITLE: ~/.sandboxrc | /usr/bin/cut -b8 + [ -z $2 ] && export DPI="96" || export DPI="$2" + trap "exit 0" HUP + +-mkdir -p ~/.config/openbox +-cat > ~/.config/openbox/rc.xml << EOF +- +- +- +- no +- all +- yes +- +- +- +-EOF +- + (/usr/bin/Xephyr -resizeable -title "$TITLE" -terminate -reset -screen $SCREENSIZE -dpi $DPI -nolisten tcp -displayfd 5 5>&1 2>/dev/null) | while read D; do + export DISPLAY=:$D + cat > ~/seremote << __EOF +-- +2.21.0 + diff --git a/SOURCES/0020-python-Use-ipaddress-instead-of-IPy.patch b/SOURCES/0020-python-Use-ipaddress-instead-of-IPy.patch new file mode 100644 index 0000000..6ba17e2 --- /dev/null +++ b/SOURCES/0020-python-Use-ipaddress-instead-of-IPy.patch 
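Review bot: The new default path `/usr/bin/matchbox-window-manager` is written out twice in sandbox/sandbox, once as the `wm=` default of `__setup_sandboxrc` and once as the `default=` of the `-W/--windowmanager` option, and a third time in sandbox.8. A single module-level constant used by both Python sites, e.g. `DEFAULT_WM = "/usr/bin/matchbox-window-manager"`, would keep them from drifting apart the next time the window manager changes. Both Python hunks cut into definitions that start and end outside the shown lines, so where the constant is best placed is not visible here.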
@@ -0,0 +1,45 @@ +From b2512e2a92a33360639a3459039cdf2e685655a8 Mon Sep 17 00:00:00 2001 +From: Petr Lautrbach +Date: Mon, 3 Dec 2018 14:40:09 +0100 +Subject: [PATCH] python: Use ipaddress instead of IPy + +ipaddress module was added in python 3.3 and this allows us to drop python3-IPy +--- + python/semanage/seobject.py | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/python/semanage/seobject.py b/python/semanage/seobject.py +index b90b1070..58497e3b 100644 +--- a/python/semanage/seobject.py ++++ b/python/semanage/seobject.py +@@ -32,7 +32,7 @@ from semanage import * + PROGNAME = "selinux-python" + import sepolicy + import setools +-from IPy import IP ++import ipaddress + + try: + import gettext +@@ -1851,13 +1851,13 @@ class nodeRecords(semanageRecords): + + # verify valid comination + if len(mask) == 0 or mask[0] == "/": +- i = IP(addr + mask) +- newaddr = i.strNormal(0) +- newmask = str(i.netmask()) +- if newmask == "0.0.0.0" and i.version() == 6: ++ i = ipaddress.ip_network(addr + mask) ++ newaddr = str(i.network_address) ++ newmask = str(i.netmask) ++ if newmask == "0.0.0.0" and i.version == 6: + newmask = "::" + +- protocol = "ipv%d" % i.version() ++ protocol = "ipv%d" % i.version + + try: + newprotocol = self.protocol.index(protocol) +-- +2.21.0 + diff --git a/SOURCES/0021-python-semanage-Do-not-traceback-when-the-default-po.patch b/SOURCES/0021-python-semanage-Do-not-traceback-when-the-default-po.patch new file mode 100644 index 0000000..8aa249f --- /dev/null +++ b/SOURCES/0021-python-semanage-Do-not-traceback-when-the-default-po.patch 
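Review bot: The retained check `if newmask == "0.0.0.0" and i.version == 6:` in the seobject.py hunk can no longer fire after the switch, because `str(i.netmask)` of an IPv6 network with prefix 0 is already `::`; the two lines can be dropped, or replaced by a comment such as `# ipaddress already renders the all-zero IPv6 netmask as "::"`. `ipaddress.ip_network()` raises `ValueError` for malformed input and for an address with host bits set, so the address typed by the administrator reaches the user as whatever the surrounding code does with that exception. Whether an outer handler turns it into a readable message is not visible, since the enclosing `nodeRecords` method starts and ends outside the hunk.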
@@ -0,0 +1,93 @@ +From 5938d18536f4c0a76521d1f0721e981e6570b012 Mon Sep 17 00:00:00 2001 +From: Petr Lautrbach +Date: Thu, 4 Apr 2019 23:02:56 +0200 +Subject: [PATCH] python/semanage: Do not traceback when the default policy is + not available + +"import seobject" causes "import sepolicy" which crashes when the system policy +is not available. It's better to provide an error message instead. + +Signed-off-by: Petr Lautrbach +--- + python/semanage/semanage | 37 +++++++++++++++++++++---------------- + 1 file changed, 21 insertions(+), 16 deletions(-) + +diff --git a/python/semanage/semanage b/python/semanage/semanage +index 56db3e0d..4c766ae3 100644 +--- a/python/semanage/semanage ++++ b/python/semanage/semanage +@@ -25,7 +25,6 @@ + + import traceback + import argparse +-import seobject + import sys + PROGNAME = "selinux-python" + try: +@@ -129,21 +128,6 @@ class SetImportFile(argparse.Action): + sys.exit(1) + setattr(namespace, self.dest, values) + +-# define dictonary for seobject OBEJCTS +-object_dict = { +- 'login': seobject.loginRecords, +- 'user': seobject.seluserRecords, +- 'port': seobject.portRecords, +- 'module': seobject.moduleRecords, +- 'interface': seobject.interfaceRecords, +- 'node': seobject.nodeRecords, +- 'fcontext': seobject.fcontextRecords, +- 'boolean': seobject.booleanRecords, +- 'permissive': seobject.permissiveRecords, +- 'dontaudit': seobject.dontauditClass, +- 'ibpkey': seobject.ibpkeyRecords, +- 'ibendport': seobject.ibendportRecords +-} + + def generate_custom_usage(usage_text, usage_dict): + # generate custom usage from given text and dictonary +@@ -608,6 +592,7 @@ def setupInterfaceParser(subparsers): + + + def handleModule(args): ++ import seobject + OBJECT = seobject.moduleRecords(args) + if args.action_add: + OBJECT.add(args.action_add[0], args.priority) +@@ -846,6 +831,7 @@ def mkargv(line): + + + def handleImport(args): ++ import seobject + trans = seobject.semanageRecords(args) + trans.start() + +@@ -887,6 +873,25 @@ def 
createCommandParser(): + #To add a new subcommand define the parser for it in a function above and call it here. + subparsers = commandParser.add_subparsers(dest='subcommand') + subparsers.required = True ++ ++ import seobject ++ # define dictonary for seobject OBEJCTS ++ global object_dict ++ object_dict = { ++ 'login': seobject.loginRecords, ++ 'user': seobject.seluserRecords, ++ 'port': seobject.portRecords, ++ 'module': seobject.moduleRecords, ++ 'interface': seobject.interfaceRecords, ++ 'node': seobject.nodeRecords, ++ 'fcontext': seobject.fcontextRecords, ++ 'boolean': seobject.booleanRecords, ++ 'permissive': seobject.permissiveRecords, ++ 'dontaudit': seobject.dontauditClass, ++ 'ibpkey': seobject.ibpkeyRecords, ++ 'ibendport': seobject.ibendportRecords ++ } ++ + setupImportParser(subparsers) + setupExportParser(subparsers) + setupLoginParser(subparsers) +-- +2.21.0 + diff --git a/SOURCES/0022-policycoreutils-fixfiles-Fix-B-F-onboot.patch b/SOURCES/0022-policycoreutils-fixfiles-Fix-B-F-onboot.patch new file mode 100644 index 0000000..eca127b --- /dev/null +++ b/SOURCES/0022-policycoreutils-fixfiles-Fix-B-F-onboot.patch 
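Review bot: `object_dict` is now created through `global object_dict` inside `createCommandParser()`, so the name does not exist until that function has run, and any code that reads it on another path fails with `NameError`. Keeping a module-level `object_dict = {}` and filling it in place with `object_dict.update({...})` preserves the deferred import without a late-bound global. The commit message promises an error message when the policy is unavailable, but none of the three new `import seobject` sites shown catches the failure, so that handling has to live in a caller outside these hunks. A short comment at each site would explain the unusual placement, e.g. `# imported lazily: seobject imports sepolicy, which needs an installed policy`.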
@@ -0,0 +1,108 @@ +From 99582e3bf63475b7af5793bb9230e88d847dc7c8 Mon Sep 17 00:00:00 2001 +From: Petr Lautrbach +Date: Tue, 2 Jul 2019 17:11:32 +0200 +Subject: [PATCH] policycoreutils/fixfiles: Fix [-B] [-F] onboot + +Commit 6e289bb7bf3d ("policycoreutils: fixfiles: remove bad modes of "relabel" +command") added "$RESTORE_MODE" != DEFAULT test when onboot is used. It makes +`fixfiles -B onboot` to show usage instead of updating /.autorelabel + +The code is restructured to handle -B for different modes correctly. + +Fixes: + # fixfiles -B onboot + Usage: /usr/sbin/fixfiles [-v] [-F] [-f] relabel + ... + +Signed-off-by: Petr Lautrbach +--- + policycoreutils/scripts/fixfiles | 29 +++++++++++++++-------------- + 1 file changed, 15 insertions(+), 14 deletions(-) + +diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles +index 53d28c7b..9dd44213 100755 +--- a/policycoreutils/scripts/fixfiles ++++ b/policycoreutils/scripts/fixfiles +@@ -112,7 +112,7 @@ VERBOSE="-p" + FORCEFLAG="" + RPMFILES="" + PREFC="" +-RESTORE_MODE="DEFAULT" ++RESTORE_MODE="" + SETFILES=/sbin/setfiles + RESTORECON=/sbin/restorecon + FILESYSTEMSRW=`get_rw_labeled_mounts` +@@ -214,16 +214,17 @@ restore () { + OPTION=$1 + shift + +-case "$RESTORE_MODE" in +- PREFC) +- diff_filecontext $* +- return +- ;; +- BOOTTIME) ++# [-B | -N time ] ++if [ -z "$BOOTTIME" ]; then + newer $BOOTTIME $* + return +- ;; +-esac ++fi ++ ++# -C PREVIOUS_FILECONTEXT ++if [ "$RESTORE_MODE" == PREFC ]; then ++ diff_filecontext $* ++ return ++fi + + [ -x /usr/sbin/genhomedircon ] && /usr/sbin/genhomedircon + +@@ -239,7 +240,7 @@ case "$RESTORE_MODE" in + FILEPATH) + ${RESTORECON} ${VERBOSE} ${EXCLUDEDIRS} ${FORCEFLAG} $* -R -- "$FILEPATH" + ;; +- DEFAULT) ++ *) + if [ -n "${FILESYSTEMSRW}" ]; then + LogReadOnly + echo "${OPTION}ing `echo ${FILESYSTEMSRW}`" +@@ -272,7 +273,7 @@ fullrelabel() { + + + relabel() { +- if [ "$RESTORE_MODE" != DEFAULT ]; then ++ if [ -n "$RESTORE_MODE" -a "$RESTORE_MODE" != 
DEFAULT ]; then + usage + exit 1 + fi +@@ -306,7 +307,7 @@ case "$1" in + verify) restore Verify -n;; + relabel) relabel;; + onboot) +- if [ "$RESTORE_MODE" != DEFAULT ]; then ++ if [ -n "$RESTORE_MODE" -a "$RESTORE_MODE" != DEFAULT ]; then + usage + exit 1 + fi +@@ -344,7 +345,7 @@ if [ $# -eq 0 ]; then + fi + + set_restore_mode() { +- if [ "$RESTORE_MODE" != DEFAULT ]; then ++ if [ -n "$RESTORE_MODE" ]; then + # can't specify two different modes + usage + exit 1 +@@ -357,7 +358,7 @@ while getopts "N:BC:FfR:l:v" i; do + case "$i" in + B) + BOOTTIME=`/bin/who -b | awk '{print $3}'` +- set_restore_mode BOOTTIME ++ set_restore_mode DEFAULT + ;; + N) + BOOTTIME=$OPTARG +-- +2.21.0 + diff --git a/SOURCES/0023-policycoreutils-fixfiles-Force-full-relabel-when-SEL.patch b/SOURCES/0023-policycoreutils-fixfiles-Force-full-relabel-when-SEL.patch new file mode 100644 index 0000000..4d30a77 --- /dev/null +++ b/SOURCES/0023-policycoreutils-fixfiles-Force-full-relabel-when-SEL.patch 
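Review bot: `BOOTTIME` can come directly from the `-N` argument (`BOOTTIME=$OPTARG` in the getopts hunk), and the restructured `restore()` expands it unquoted in `newer $BOOTTIME $*`, so a value containing whitespace or glob characters is split and expanded before `newer` receives it. Quoting closes that off: `newer "$BOOTTIME" "$@"`; the same unquoted expansion appears in `echo -N $BOOTTIME >> /.autorelabel`, visible as context in patch 0023. The new tests of the form `[ -n "$RESTORE_MODE" -a "$RESTORE_MODE" != DEFAULT ]` use `-a`, which POSIX marks obsolescent; `[ -n "$RESTORE_MODE" ] && [ "$RESTORE_MODE" != DEFAULT ]` is unambiguous. The inverted `-z "$BOOTTIME"` test added here is corrected by patch 0024 later in this import, and `restore()` itself continues outside the hunk.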
@@ -0,0 +1,33 @@ +From 9bcf8ad7b9b6d8d761f7d097196b2b9bc114fa0a Mon Sep 17 00:00:00 2001 +From: Petr Lautrbach +Date: Tue, 2 Jul 2019 17:12:07 +0200 +Subject: [PATCH] policycoreutils/fixfiles: Force full relabel when SELinux is + disabled + +The previous check used getfilecon to check whether / slash contains a label, +but getfilecon fails only when SELinux is disabled. Therefore it's better to +check this using selinuxenabled. + +Signed-off-by: Petr Lautrbach +--- + policycoreutils/scripts/fixfiles | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles +index 9dd44213..a9d27d13 100755 +--- a/policycoreutils/scripts/fixfiles ++++ b/policycoreutils/scripts/fixfiles +@@ -314,8 +314,8 @@ case "$1" in + > /.autorelabel || exit $? + [ -z "$FORCEFLAG" ] || echo -n "$FORCEFLAG " >> /.autorelabel + [ -z "$BOOTTIME" ] || echo -N $BOOTTIME >> /.autorelabel +- # Force full relabel if / does not have a label on it +- getfilecon / > /dev/null 2>&1 || echo -F >/.autorelabel ++ # Force full relabel if SELinux is not enabled ++ selinuxenabled || echo -F > /.autorelabel + echo "System will relabel on next boot" + ;; + *) +-- +2.21.0 + diff --git a/SOURCES/0024-policycoreutils-fixfiles-Fix-unbound-variable-proble.patch b/SOURCES/0024-policycoreutils-fixfiles-Fix-unbound-variable-proble.patch new file mode 100644 index 0000000..c5ae9ba --- /dev/null +++ b/SOURCES/0024-policycoreutils-fixfiles-Fix-unbound-variable-proble.patch 
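Review bot: The new `selinuxenabled || echo -F > /.autorelabel` calls the tool by bare name, while the rest of fixfiles pins its helpers to absolute paths (`SETFILES=/sbin/setfiles`, `RESTORECON=/sbin/restorecon`, `/usr/sbin/genhomedircon`, `/bin/who`), so this one call depends on the caller's `PATH`. An absolute path, e.g. `/usr/sbin/selinuxenabled || echo -F > /.autorelabel` (adjust to where the distribution installs it), keeps the script consistent. If the command cannot be found, the `||` branch also runs and forces a full relabel, which deserves a comment if intended. The `>` truncates `/.autorelabel`, discarding the `$FORCEFLAG` and `-N $BOOTTIME` entries appended two lines earlier; that is unchanged from the old line, but a comment such as `# -F replaces any options written above` would make it explicit.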
@@ -0,0 +1,32 @@ +From 7383f8fbab82826de21d3013a43680867642e49e Mon Sep 17 00:00:00 2001 +From: Vit Mojzis +Date: Wed, 21 Aug 2019 17:43:25 +0200 +Subject: [PATCH] policycoreutils/fixfiles: Fix unbound variable problem + +Fix a typo introduced in commit d3f8b2c3cd909 ("policycoreutils/fixfiles: Fix +[-B] [-F] onboot"), which broke "fixfiles relabel": + + #fixfiles relabel + /sbin/fixfiles: line 151: $1: unbound variable + +Resolves: rhbz#1743213 +--- + policycoreutils/scripts/fixfiles | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles +index a9d27d13..df0042aa 100755 +--- a/policycoreutils/scripts/fixfiles ++++ b/policycoreutils/scripts/fixfiles +@@ -215,7 +215,7 @@ OPTION=$1 + shift + + # [-B | -N time ] +-if [ -z "$BOOTTIME" ]; then ++if [ -n "$BOOTTIME" ]; then + newer $BOOTTIME $* + return + fi +-- +2.21.0 + diff --git a/SOURCES/0025-gui-Fix-remove-module-in-system-config-selinux.patch b/SOURCES/0025-gui-Fix-remove-module-in-system-config-selinux.patch new file mode 100644 index 0000000..660e5bb --- /dev/null +++ b/SOURCES/0025-gui-Fix-remove-module-in-system-config-selinux.patch 
@@ -0,0 +1,38 @@ +From f6c67c02f25d3a8971dcc5667121236fab85dd65 Mon Sep 17 00:00:00 2001 +From: Petr Lautrbach +Date: Thu, 29 Aug 2019 08:58:20 +0200 +Subject: [PATCH] gui: Fix remove module in system-config-selinux + +When a user tried to remove a policy module with priority other than 400 via +GUI, it failed with a message: + +libsemanage.semanage_direct_remove_key: Unable to remove module somemodule at priority 400. (No such file or directory). + +This is fixed by calling "semodule -x PRIORITY -r NAME" instead of +"semodule -r NAME". + +From Jono Hein +Signed-off-by: Petr Lautrbach +--- + gui/modulesPage.py | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/gui/modulesPage.py b/gui/modulesPage.py +index 26ac5404..35a0129b 100644 +--- a/gui/modulesPage.py ++++ b/gui/modulesPage.py +@@ -125,9 +125,10 @@ class modulesPage(semanagePage): + def delete(self): + store, iter = self.view.get_selection().get_selected() + module = store.get_value(iter, 0) ++ priority = store.get_value(iter, 1) + try: + self.wait() +- status, output = getstatusoutput("semodule -r %s" % module) ++ status, output = getstatusoutput("semodule -X %s -r %s" % (priority, module)) + self.ready() + if status != 0: + self.error(output) +-- +2.21.0 + diff --git a/SOURCES/0026-python-semanage-Do-not-use-default-s0-range-in-seman.patch b/SOURCES/0026-python-semanage-Do-not-use-default-s0-range-in-seman.patch new file mode 100644 index 0000000..df5bf20 --- /dev/null +++ b/SOURCES/0026-python-semanage-Do-not-use-default-s0-range-in-seman.patch 
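Review bot: `priority` and `module` are interpolated into a shell command string in `getstatusoutput("semodule -X %s -r %s" % (priority, module))`, which is run through the shell, so any shell metacharacter in either tree-store value is interpreted rather than passed to semodule. An argument vector avoids the shell entirely: `p = Popen(["semodule", "-X", str(priority), "-r", module], stdout=PIPE, stderr=STDOUT, universal_newlines=True)` followed by `output = p.communicate()[0]; status = p.returncode` (`Popen` is already used in this file; `PIPE` and `STDOUT` may need adding to the import). Where the store values originate is not visible here, and `delete()` continues outside the hunk. The commit message says `semodule -x PRIORITY` while the code correctly uses `-X`.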
@@ -0,0 +1,30 @@ +From c2e942fc452bff06cc5ed9017afe169c6941f4e4 Mon Sep 17 00:00:00 2001 +From: Petr Lautrbach +Date: Tue, 3 Sep 2019 15:17:27 +0200 +Subject: [PATCH] python/semanage: Do not use default s0 range in "semanage + login -a" + +Using the "s0" default means that new login mappings are always added with "s0" +range instead of the range of SELinux user. + +Signed-off-by: Petr Lautrbach +--- + python/semanage/semanage | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/python/semanage/semanage b/python/semanage/semanage +index 4c766ae3..fa78afce 100644 +--- a/python/semanage/semanage ++++ b/python/semanage/semanage +@@ -221,7 +221,7 @@ def parser_add_level(parser, name): + + + def parser_add_range(parser, name): +- parser.add_argument('-r', '--range', default="s0", ++ parser.add_argument('-r', '--range', default='', + help=_(''' + MLS/MCS Security Range (MLS/MCS Systems only) + SELinux Range for SELinux login mapping +-- +2.21.0 + diff --git a/SOURCES/0027-policycoreutils-fixfiles-Fix-verify-option.patch b/SOURCES/0027-policycoreutils-fixfiles-Fix-verify-option.patch new file mode 100644 index 0000000..df5bd65 --- /dev/null +++ b/SOURCES/0027-policycoreutils-fixfiles-Fix-verify-option.patch 
@@ -0,0 +1,33 @@ +From 4733a594c5df14f64293d19f16498e68dc5e3a98 Mon Sep 17 00:00:00 2001 +From: Vit Mojzis +Date: Tue, 24 Sep 2019 08:41:30 +0200 +Subject: [PATCH] policycoreutils/fixfiles: Fix "verify" option + +"restorecon -n" (used in the "restore" function) has to be used with +"-v" to display the files whose labels would be changed. + +Fixes: + Fixfiles verify does not report misslabelled files unless "-v" option is + used. + +Signed-off-by: Vit Mojzis +--- + policycoreutils/scripts/fixfiles | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles +index df0042aa..be19e56c 100755 +--- a/policycoreutils/scripts/fixfiles ++++ b/policycoreutils/scripts/fixfiles +@@ -304,7 +304,7 @@ process() { + case "$1" in + restore) restore Relabel;; + check) VERBOSE="-v"; restore Check -n;; +- verify) restore Verify -n;; ++ verify) VERBOSE="-v"; restore Verify -n;; + relabel) relabel;; + onboot) + if [ -n "$RESTORE_MODE" -a "$RESTORE_MODE" != DEFAULT ]; then +-- +2.21.0 + diff --git a/SOURCES/0028-python-semanage-Improve-handling-of-permissive-state.patch b/SOURCES/0028-python-semanage-Improve-handling-of-permissive-state.patch new file mode 100644 index 0000000..0965a9a --- /dev/null +++ b/SOURCES/0028-python-semanage-Improve-handling-of-permissive-state.patch 
@@ -0,0 +1,102 @@ +From 0803fcb2c014b2cedf8f4d92b80fc382916477ee Mon Sep 17 00:00:00 2001 +From: Vit Mojzis +Date: Fri, 27 Sep 2019 16:13:47 +0200 +Subject: [PATCH] python/semanage: Improve handling of "permissive" statements + +- Add "customized" method to permissiveRecords which is than used for + "semanage permissive --extract" and "semanage export" +- Enable "semanage permissive --deleteall" (already implemented) +- Add "permissive" to the list of modules exported using + "semanage export" +- Update "semanage permissive" man page + +Signed-off-by: Vit Mojzis +--- + python/semanage/semanage | 11 ++++++++--- + python/semanage/semanage-permissive.8 | 8 +++++++- + python/semanage/seobject.py | 3 +++ + 3 files changed, 18 insertions(+), 4 deletions(-) + +diff --git a/python/semanage/semanage b/python/semanage/semanage +index fa78afce..b2bd9df9 100644 +--- a/python/semanage/semanage ++++ b/python/semanage/semanage +@@ -722,6 +722,11 @@ def handlePermissive(args): + + if args.action == "list": + OBJECT.list(args.noheading) ++ elif args.action == "deleteall": ++ OBJECT.deleteall() ++ elif args.action == "extract": ++ for i in OBJECT.customized(): ++ print("permissive %s" % str(i)) + elif args.type is not None: + if args.action == "add": + OBJECT.add(args.type) +@@ -737,9 +742,9 @@ def setupPermissiveParser(subparsers): + pgroup = permissiveParser.add_mutually_exclusive_group(required=True) + parser_add_add(pgroup, "permissive") + parser_add_delete(pgroup, "permissive") ++ parser_add_deleteall(pgroup, "permissive") ++ parser_add_extract(pgroup, "permissive") + parser_add_list(pgroup, "permissive") +- #TODO: probably should be also added => need to implement own option handling +- #parser_add_deleteall(pgroup) + + parser_add_noheading(permissiveParser, "permissive") + parser_add_noreload(permissiveParser, "permissive") +@@ -763,7 +768,7 @@ def setupDontauditParser(subparsers): + + + def handleExport(args): +- manageditems = ["boolean", "login", "interface", "user", 
"port", "node", "fcontext", "module", "ibendport", "ibpkey"] ++ manageditems = ["boolean", "login", "interface", "user", "port", "node", "fcontext", "module", "ibendport", "ibpkey", "permissive"] + for i in manageditems: + print("%s -D" % i) + for i in manageditems: +diff --git a/python/semanage/semanage-permissive.8 b/python/semanage/semanage-permissive.8 +index 1999a451..5c3364fa 100644 +--- a/python/semanage/semanage-permissive.8 ++++ b/python/semanage/semanage-permissive.8 +@@ -2,7 +2,7 @@ + .SH "NAME" + .B semanage\-permissive \- SELinux Policy Management permissive mapping tool + .SH "SYNOPSIS" +-.B semanage permissive [\-h] (\-a | \-d | \-l) [\-n] [\-N] [\-S STORE] [type] ++.B semanage permissive [\-h] [\-n] [\-N] [\-S STORE] (\-\-add TYPE | \-\-delete TYPE | \-\-deleteall | \-\-extract | \-\-list) + + .SH "DESCRIPTION" + semanage is used to configure certain elements of SELinux policy without requiring modification to or recompilation from policy sources. semanage permissive adds or removes a SELinux Policy permissive module. 
+@@ -18,9 +18,15 @@ Add a record of the specified object type + .I \-d, \-\-delete + Delete a record of the specified object type + .TP ++.I \-D, \-\-deleteall ++Remove all local customizations of permissive domains ++.TP + .I \-l, \-\-list + List records of the specified object type + .TP ++.I \-E, \-\-extract ++Extract customizable commands, for use within a transaction ++.TP + .I \-n, \-\-noheading + Do not print heading when listing the specified object type + .TP +diff --git a/python/semanage/seobject.py b/python/semanage/seobject.py +index 58497e3b..3959abc8 100644 +--- a/python/semanage/seobject.py ++++ b/python/semanage/seobject.py +@@ -478,6 +478,9 @@ class permissiveRecords(semanageRecords): + l.append(name.split("permissive_")[1]) + return l + ++ def customized(self): ++ return ["-a %s" % x for x in sorted(self.get_all())] ++ + def list(self, heading=1, locallist=0): + all = [y["name"] for y in [x for x in sepolicy.info(sepolicy.TYPE) if x["permissive"]]] + if len(all) == 0: +-- +2.21.0 + diff --git a/SOURCES/0029-python-semanage-fix-moduleRecords.customized.patch b/SOURCES/0029-python-semanage-fix-moduleRecords.customized.patch new file mode 100644 index 0000000..37ed550 --- /dev/null +++ b/SOURCES/0029-python-semanage-fix-moduleRecords.customized.patch 
@@ -0,0 +1,41 @@ +From 7cc31c4799dd94ed516a39d853744bd1ffb6dc69 Mon Sep 17 00:00:00 2001 +From: Vit Mojzis +Date: Mon, 30 Sep 2019 09:49:04 +0200 +Subject: [PATCH] python/semanage: fix moduleRecords.customized() + +Return value of "customized" has to be iterable. + +Fixes: + "semanage export" with no modules in the system (eg. monolithic policy) + crashes: + + Traceback (most recent call last): + File "/usr/sbin/semanage", line 970, in + do_parser() + File "/usr/sbin/semanage", line 949, in do_parser + args.func(args) + File "/usr/sbin/semanage", line 771, in handleExport + for c in OBJECT.customized(): + TypeError: 'NoneType' object is not iterable + +Signed-off-by: Vit Mojzis +--- + python/semanage/seobject.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/python/semanage/seobject.py b/python/semanage/seobject.py +index 3959abc8..16edacaa 100644 +--- a/python/semanage/seobject.py ++++ b/python/semanage/seobject.py +@@ -380,7 +380,7 @@ class moduleRecords(semanageRecords): + def customized(self): + all = self.get_all() + if len(all) == 0: +- return ++ return [] + return ["-d %s" % x[0] for x in [t for t in all if t[1] == 0]] + + def list(self, heading=1, locallist=0): +-- +2.21.0 + diff --git a/SOURCES/0030-python-semanage-Add-support-for-DCCP-and-SCTP-protoc.patch b/SOURCES/0030-python-semanage-Add-support-for-DCCP-and-SCTP-protoc.patch new file mode 100644 index 0000000..16dbfb3 --- /dev/null +++ b/SOURCES/0030-python-semanage-Add-support-for-DCCP-and-SCTP-protoc.patch 
@@ -0,0 +1,45 @@ +From 7cbfcec89a6972f9c700687ed3cef25ff0846461 Mon Sep 17 00:00:00 2001 +From: Vit Mojzis +Date: Tue, 8 Oct 2019 14:22:13 +0200 +Subject: [PATCH] python/semanage: Add support for DCCP and SCTP protocols + +Fixes: + # semanage port -a -p sctp -t port_t 1234 + ValueError: Protocol udp or tcp is required + # semanage port -d -p sctp -t port_t 1234 + ValueError: Protocol udp or tcp is required + +Signed-off-by: Vit Mojzis +--- + python/semanage/seobject.py | 14 ++++++++------ + 1 file changed, 8 insertions(+), 6 deletions(-) + +diff --git a/python/semanage/seobject.py b/python/semanage/seobject.py +index 16edacaa..70ebfd08 100644 +--- a/python/semanage/seobject.py ++++ b/python/semanage/seobject.py +@@ -1058,13 +1058,15 @@ class portRecords(semanageRecords): + pass + + def __genkey(self, port, proto): +- if proto == "tcp": +- proto_d = SEMANAGE_PROTO_TCP ++ protocols = {"tcp": SEMANAGE_PROTO_TCP, ++ "udp": SEMANAGE_PROTO_UDP, ++ "sctp": SEMANAGE_PROTO_SCTP, ++ "dccp": SEMANAGE_PROTO_DCCP} ++ ++ if proto in protocols.keys(): ++ proto_d = protocols[proto] + else: +- if proto == "udp": +- proto_d = SEMANAGE_PROTO_UDP +- else: +- raise ValueError(_("Protocol udp or tcp is required")) ++ raise ValueError(_("Protocol has to be one of udp, tcp, dccp or sctp")) + if port == "": + raise ValueError(_("Port is required")) + +-- +2.21.0 + diff --git a/SOURCES/0031-dbus-Fix-FileNotFoundError-in-org.selinux.relabel_on.patch b/SOURCES/0031-dbus-Fix-FileNotFoundError-in-org.selinux.relabel_on.patch new file mode 100644 index 0000000..ef5f2b6 --- /dev/null +++ b/SOURCES/0031-dbus-Fix-FileNotFoundError-in-org.selinux.relabel_on.patch 
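Review bot: The `protocols` dict literal in `__genkey` evaluates all four `SEMANAGE_PROTO_*` names on every call, so if the installed semanage binding lacks `SEMANAGE_PROTO_SCTP` or `SEMANAGE_PROTO_DCCP`, the method raises `NameError` even for `tcp` and `udp`. That is fine if the package requires a matching libsemanage, which is not visible here, but it is worth a comment or a module-level table built once. As a style point, `if proto in protocols.keys():` can be `if proto in protocols:`, or a single lookup `proto_d = protocols.get(proto)` followed by `if proto_d is None: raise ValueError(...)`; the test must be `is None`, not truthiness, in case one of the constants is 0.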
@@ -0,0 +1,40 @@ +From 6e5ccf2dd3329b400b70b7806b9c6128c5c50995 Mon Sep 17 00:00:00 2001 +From: Petr Lautrbach +Date: Fri, 15 Nov 2019 09:15:49 +0100 +Subject: [PATCH] dbus: Fix FileNotFoundError in org.selinux.relabel_on_boot + +When org.selinux.relabel_on_boot(0) was called twice, it failed with +FileNotFoundError. + +Fixes: + $ dbus-send --system --print-reply --dest=org.selinux /org/selinux/object org.selinux.relabel_on_boot int64:1 + method return sender=:1.53 -> dest=:1.54 reply_serial=2 + $ dbus-send --system --print-reply --dest=org.selinux /org/selinux/object org.selinux.relabel_on_boot int64:0 + method return sender=:1.53 -> dest=:1.55 reply_serial=2 + $ dbus-send --system --print-reply --dest=org.selinux /org/selinux/object org.selinux.relabel_on_boot int64:0 + Error org.freedesktop.DBus.Python.FileNotFoundError: FileNotFoundError: [Errno 2] No such file or directory: '/.autorelabel' + +Signed-off-by: Petr Lautrbach +--- + dbus/selinux_server.py | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/dbus/selinux_server.py b/dbus/selinux_server.py +index b9debc071485..be4f4557a9fa 100644 +--- a/dbus/selinux_server.py ++++ b/dbus/selinux_server.py +@@ -85,7 +85,10 @@ class selinux_server(slip.dbus.service.Object): + fd = open("/.autorelabel", "w") + fd.close() + else: +- os.unlink("/.autorelabel") ++ try: ++ os.unlink("/.autorelabel") ++ except FileNotFoundError: ++ pass + + def write_selinux_config(self, enforcing=None, policy=None): + path = selinux.selinux_path() + "config" +-- +2.23.0 + diff --git a/SOURCES/0032-restorecond-Fix-redundant-console-log-output-error.patch b/SOURCES/0032-restorecond-Fix-redundant-console-log-output-error.patch new file mode 100644 index 0000000..166c6bd --- /dev/null +++ b/SOURCES/0032-restorecond-Fix-redundant-console-log-output-error.patch 
@@ -0,0 +1,200 @@ +From 76371721bafed56efcb7a83b3fa3285383ede5b7 Mon Sep 17 00:00:00 2001 +From: Baichuan Kong +Date: Thu, 14 Nov 2019 10:48:07 +0800 +Subject: [PATCH] restorecond: Fix redundant console log output error + +When starting restorecond without any option the following redundant +console log is outputed: + +/dev/log 100.0% +/var/volatile/run/syslogd.pid 100.0% +... + +This is caused by two global variables of same name r_opts. When +executes r_opts = opts in restore_init(), it originally intends +to assign the address of struct r_opts in "restorecond.c" to the +pointer *r_opts in "restore.c". + +However, the address is assigned to the struct r_opts and covers +the value of low eight bytes in it. That causes unexpected value +of member varibale 'nochange' and 'verbose' in struct r_opts, thus +affects value of 'restorecon_flags' and executes unexpected operations +when restorecon the files such as the redundant console log output or +file label nochange. + +Cause restorecond/restore.c is copied from policycoreutils/setfiles, +which share the same pattern. It also has potential risk to generate +same problems, So fix it in case. 
+ +Signed-off-by: Baichuan Kong + +(cherry-picked from SElinuxProject +commit ad2208ec220f55877a4d31084be2b4d6413ee082) + +Resolves: rhbz#1626468 +--- + policycoreutils/setfiles/restore.c | 42 ++++++++++++++---------------- + restorecond/restore.c | 40 +++++++++++++--------------- + 2 files changed, 37 insertions(+), 45 deletions(-) + +diff --git a/policycoreutils/setfiles/restore.c b/policycoreutils/setfiles/restore.c +index 9dea5656..d3335d1a 100644 +--- a/policycoreutils/setfiles/restore.c ++++ b/policycoreutils/setfiles/restore.c +@@ -17,40 +17,37 @@ + char **exclude_list; + int exclude_count; + +-struct restore_opts *r_opts; +- + void restore_init(struct restore_opts *opts) + { + int rc; + +- r_opts = opts; + struct selinux_opt selinux_opts[] = { +- { SELABEL_OPT_VALIDATE, r_opts->selabel_opt_validate }, +- { SELABEL_OPT_PATH, r_opts->selabel_opt_path }, +- { SELABEL_OPT_DIGEST, r_opts->selabel_opt_digest } ++ { SELABEL_OPT_VALIDATE, opts->selabel_opt_validate }, ++ { SELABEL_OPT_PATH, opts->selabel_opt_path }, ++ { SELABEL_OPT_DIGEST, opts->selabel_opt_digest } + }; + +- r_opts->hnd = selabel_open(SELABEL_CTX_FILE, selinux_opts, 3); +- if (!r_opts->hnd) { +- perror(r_opts->selabel_opt_path); ++ opts->hnd = selabel_open(SELABEL_CTX_FILE, selinux_opts, 3); ++ if (!opts->hnd) { ++ perror(opts->selabel_opt_path); + exit(1); + } + +- r_opts->restorecon_flags = 0; +- r_opts->restorecon_flags = r_opts->nochange | r_opts->verbose | +- r_opts->progress | r_opts->set_specctx | +- r_opts->add_assoc | r_opts->ignore_digest | +- r_opts->recurse | r_opts->userealpath | +- r_opts->xdev | r_opts->abort_on_error | +- r_opts->syslog_changes | r_opts->log_matches | +- r_opts->ignore_noent | r_opts->ignore_mounts | +- r_opts->mass_relabel; ++ opts->restorecon_flags = 0; ++ opts->restorecon_flags = opts->nochange | opts->verbose | ++ opts->progress | opts->set_specctx | ++ opts->add_assoc | opts->ignore_digest | ++ opts->recurse | opts->userealpath | ++ opts->xdev | 
opts->abort_on_error | ++ opts->syslog_changes | opts->log_matches | ++ opts->ignore_noent | opts->ignore_mounts | ++ opts->mass_relabel; + + /* Use setfiles, restorecon and restorecond own handles */ +- selinux_restorecon_set_sehandle(r_opts->hnd); ++ selinux_restorecon_set_sehandle(opts->hnd); + +- if (r_opts->rootpath) { +- rc = selinux_restorecon_set_alt_rootpath(r_opts->rootpath); ++ if (opts->rootpath) { ++ rc = selinux_restorecon_set_alt_rootpath(opts->rootpath); + if (rc) { + fprintf(stderr, + "selinux_restorecon_set_alt_rootpath error: %s.\n", +@@ -81,7 +78,6 @@ int process_glob(char *name, struct restore_opts *opts) + size_t i = 0; + int len, rc, errors; + +- r_opts = opts; + memset(&globbuf, 0, sizeof(globbuf)); + + errors = glob(name, GLOB_TILDE | GLOB_PERIOD | +@@ -96,7 +92,7 @@ int process_glob(char *name, struct restore_opts *opts) + if (len > 0 && strcmp(&globbuf.gl_pathv[i][len], "/..") == 0) + continue; + rc = selinux_restorecon(globbuf.gl_pathv[i], +- r_opts->restorecon_flags); ++ opts->restorecon_flags); + if (rc < 0) + errors = rc; + } +diff --git a/restorecond/restore.c b/restorecond/restore.c +index f6e30001..b93b5fdb 100644 +--- a/restorecond/restore.c ++++ b/restorecond/restore.c +@@ -12,39 +12,36 @@ + char **exclude_list; + int exclude_count; + +-struct restore_opts *r_opts; +- + void restore_init(struct restore_opts *opts) + { + int rc; + +- r_opts = opts; + struct selinux_opt selinux_opts[] = { +- { SELABEL_OPT_VALIDATE, r_opts->selabel_opt_validate }, +- { SELABEL_OPT_PATH, r_opts->selabel_opt_path }, +- { SELABEL_OPT_DIGEST, r_opts->selabel_opt_digest } ++ { SELABEL_OPT_VALIDATE, opts->selabel_opt_validate }, ++ { SELABEL_OPT_PATH, opts->selabel_opt_path }, ++ { SELABEL_OPT_DIGEST, opts->selabel_opt_digest } + }; + +- r_opts->hnd = selabel_open(SELABEL_CTX_FILE, selinux_opts, 3); +- if (!r_opts->hnd) { +- perror(r_opts->selabel_opt_path); ++ opts->hnd = selabel_open(SELABEL_CTX_FILE, selinux_opts, 3); ++ if (!opts->hnd) { ++ 
perror(opts->selabel_opt_path); + exit(1); + } + +- r_opts->restorecon_flags = 0; +- r_opts->restorecon_flags = r_opts->nochange | r_opts->verbose | +- r_opts->progress | r_opts->set_specctx | +- r_opts->add_assoc | r_opts->ignore_digest | +- r_opts->recurse | r_opts->userealpath | +- r_opts->xdev | r_opts->abort_on_error | +- r_opts->syslog_changes | r_opts->log_matches | +- r_opts->ignore_noent | r_opts->ignore_mounts; ++ opts->restorecon_flags = 0; ++ opts->restorecon_flags = opts->nochange | opts->verbose | ++ opts->progress | opts->set_specctx | ++ opts->add_assoc | opts->ignore_digest | ++ opts->recurse | opts->userealpath | ++ opts->xdev | opts->abort_on_error | ++ opts->syslog_changes | opts->log_matches | ++ opts->ignore_noent | opts->ignore_mounts; + + /* Use setfiles, restorecon and restorecond own handles */ +- selinux_restorecon_set_sehandle(r_opts->hnd); ++ selinux_restorecon_set_sehandle(opts->hnd); + +- if (r_opts->rootpath) { +- rc = selinux_restorecon_set_alt_rootpath(r_opts->rootpath); ++ if (opts->rootpath) { ++ rc = selinux_restorecon_set_alt_rootpath(opts->rootpath); + if (rc) { + fprintf(stderr, + "selinux_restorecon_set_alt_rootpath error: %s.\n", +@@ -75,7 +72,6 @@ int process_glob(char *name, struct restore_opts *opts) + size_t i = 0; + int len, rc, errors; + +- r_opts = opts; + memset(&globbuf, 0, sizeof(globbuf)); + + errors = glob(name, GLOB_TILDE | GLOB_PERIOD | +@@ -90,7 +86,7 @@ int process_glob(char *name, struct restore_opts *opts) + if (len > 0 && strcmp(&globbuf.gl_pathv[i][len], "/..") == 0) + continue; + rc = selinux_restorecon(globbuf.gl_pathv[i], +- r_opts->restorecon_flags); ++ opts->restorecon_flags); + if (rc < 0) + errors = rc; + } +-- +2.21.0 + diff --git a/SOURCES/0033-python-semanage-empty-stdout-before-exiting-on-Broke.patch b/SOURCES/0033-python-semanage-empty-stdout-before-exiting-on-Broke.patch new file mode 100644 index 0000000..56a271b --- /dev/null 
+++ b/SOURCES/0033-python-semanage-empty-stdout-before-exiting-on-Broke.patch
@@ -0,0 +1,55 @@
+From 0bed778c53a4f93b1b092b3db33e8c36aabfa39d Mon Sep 17 00:00:00 2001
+From: Vit Mojzis
+Date: Tue, 5 Jan 2021 17:00:21 +0100
+Subject: [PATCH] python/semanage: empty stdout before exiting on
+ BrokenPipeError
+
+Empty stdout buffer before exiting when BrokenPipeError is
+encountered. Otherwise python will flush the bufer during exit, which
+may trigger the exception again.
+https://docs.python.org/3/library/signal.html#note-on-sigpipe
+
+Fixes:
+ #semanage fcontext -l | egrep -q -e '^/home'
+ BrokenPipeError: [Errno 32] Broken pipe
+ Exception ignored in: <_io.TextIOWrapper name='' mode='w' encoding='UTF-8'>
+ BrokenPipeError: [Errno 32] Broken pipe
+
+Note that the error above only appears occasionally (usually only the
+first line is printed).
+
+Signed-off-by: Vit Mojzis
+Acked-by: Nicolas Iooss
+---
+ python/semanage/semanage | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/python/semanage/semanage b/python/semanage/semanage
+index b2bd9df9..1abe3536 100644
+--- a/python/semanage/semanage
++++ b/python/semanage/semanage
+@@ -26,6 +26,7 @@
+ import traceback
+ import argparse
+ import sys
++import os
+ PROGNAME = "selinux-python"
+ try:
+ import gettext
+@@ -953,6 +954,13 @@ def do_parser():
+ args = commandParser.parse_args(make_args(sys.argv))
+ args.func(args)
+ sys.exit(0)
++ except BrokenPipeError as e:
++ sys.stderr.write("%s: %s\n" % (e.__class__.__name__, str(e)))
++ # Python flushes standard streams on exit; redirect remaining output
++ # to devnull to avoid another BrokenPipeError at shutdown
++ devnull = os.open(os.devnull, os.O_WRONLY)
++ os.dup2(devnull, sys.stdout.fileno())
++ sys.exit(1)
+ except IOError as e:
+ sys.stderr.write("%s: %s\n" % (e.__class__.__name__, str(e)))
+ sys.exit(1)
+--
+2.29.2
+
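Review bot: In the new `except BrokenPipeError` branch of do_parser(), `sys.stderr.write(...)` runs before stdout is redirected, so when stderr is attached to the same closed pipe the write can raise a second BrokenPipeError inside the handler and the `os.dup2(devnull, sys.stdout.fileno())` line is never reached. Moving the two redirect lines (`devnull = os.open(os.devnull, os.O_WRONLY)` and `os.dup2(devnull, sys.stdout.fileno())`) above the stderr write keeps the shutdown flush safe whatever happens to the message. The branch also has to stay ahead of `except IOError`, because BrokenPipeError is a subclass of it; a short comment such as `# must precede IOError: BrokenPipeError is a subclass` would protect it from a later reorder. do_parser() starts and ends outside the hunk.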
diff --git a/SOURCES/0034-python-semanage-Sort-imports-in-alphabetical-order.patch b/SOURCES/0034-python-semanage-Sort-imports-in-alphabetical-order.patch
new file mode 100644
index 0000000..8c1bab7
--- /dev/null
+++ b/SOURCES/0034-python-semanage-Sort-imports-in-alphabetical-order.patch
@@ -0,0 +1,41 @@
+From 4b0e627d42f9a8e09dcd064a6ae897f4c2e9cf6c Mon Sep 17 00:00:00 2001
+From: Vit Mojzis
+Date: Wed, 6 Jan 2021 10:00:07 +0100
+Subject: [PATCH] python/semanage: Sort imports in alphabetical order
+
+Signed-off-by: Vit Mojzis
+---
+ python/semanage/semanage | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/python/semanage/semanage b/python/semanage/semanage
+index 1abe3536..781e8645 100644
+--- a/python/semanage/semanage
++++ b/python/semanage/semanage
+@@ -23,10 +23,12 @@
+ #
+ #
+
+-import traceback
+ import argparse
+-import sys
+ import os
++import re
++import sys
++import traceback
++
+ PROGNAME = "selinux-python"
+ try:
+ import gettext
+@@ -786,8 +788,6 @@ def setupExportParser(subparsers):
+ exportParser.add_argument('-f', '--output_file', dest='output_file', action=SetExportFile, help=_('Output file'))
+ exportParser.set_defaults(func=handleExport)
+
+-import re
+-
+
+ def mkargv(line):
+ dquote = "\""
+--
+2.29.2
+
diff --git a/SOURCES/0035-python-sepolgen-allow-any-policy-statement-in-if-n-d.patch b/SOURCES/0035-python-sepolgen-allow-any-policy-statement-in-if-n-d.patch
new file mode 100644
index 0000000..4ad47e4
--- /dev/null
+++ b/SOURCES/0035-python-sepolgen-allow-any-policy-statement-in-if-n-d.patch
@@ -0,0 +1,49 @@
+From e0a1cdb6181bcf3a23fe63b8e67fd5020e81d05e Mon Sep 17 00:00:00 2001
+From: Vit Mojzis
+Date: Fri, 22 Jan 2021 16:25:52 +0100
+Subject: [PATCH] python/sepolgen: allow any policy statement in if(n)def
+
+"ifdef/ifndef" statements can be used to conditionally define
+an interface, but this syntax is not recognised by sepolgen-ifgen.
+Fix sepolgen-ifgen to allow any policy statement inside an
+"ifdef/ifndef" statement.
+
+Fixes:
+ $ cat < i.if
+ifndef(`apache_manage_pid_files',`
+ interface(`apache_manage_pid_files',`
+ manage_files_pattern($1, httpd_var_run_t, httpd_var_run_t)
+ ')
+')
+
+ #sepolgen-ifgen --interface=i.if
+ i.if: Syntax error on line 2 interface [type=INTERFACE]
+ i.if: Syntax error on line 4 ' [type=SQUOTE]
+
+Signed-off-by: Vit Mojzis
+[OM: s/fidef/ifdef/]
+Signed-off-by: Ondrej Mosnacek
+---
+ python/sepolgen/src/sepolgen/refparser.py | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/python/sepolgen/src/sepolgen/refparser.py b/python/sepolgen/src/sepolgen/refparser.py
+index f506dc3a..5d77e2a3 100644
+--- a/python/sepolgen/src/sepolgen/refparser.py
++++ b/python/sepolgen/src/sepolgen/refparser.py
+@@ -431,9 +431,9 @@ def p_ifelse(p):
+
+
+ def p_ifdef(p):
+- '''ifdef : IFDEF OPAREN TICK IDENTIFIER SQUOTE COMMA TICK interface_stmts SQUOTE CPAREN optional_semi
+- | IFNDEF OPAREN TICK IDENTIFIER SQUOTE COMMA TICK interface_stmts SQUOTE CPAREN optional_semi
+- | IFDEF OPAREN TICK IDENTIFIER SQUOTE COMMA TICK interface_stmts SQUOTE COMMA TICK interface_stmts SQUOTE CPAREN optional_semi
++ '''ifdef : IFDEF OPAREN TICK IDENTIFIER SQUOTE COMMA TICK statements SQUOTE CPAREN optional_semi
++ | IFNDEF OPAREN TICK IDENTIFIER SQUOTE COMMA TICK statements SQUOTE CPAREN optional_semi
++ | IFDEF OPAREN TICK IDENTIFIER SQUOTE COMMA TICK statements SQUOTE COMMA TICK statements SQUOTE CPAREN optional_semi
+ '''
+ x = refpolicy.IfDef(p[4])
+ if p[1] == 'ifdef':
+--
+2.29.2
+
diff --git a/SOURCES/0036-setfiles-Do-not-abort-on-labeling-error.patch b/SOURCES/0036-setfiles-Do-not-abort-on-labeling-error.patch
new file mode 100644
index 0000000..aab207b
--- /dev/null
+++ b/SOURCES/0036-setfiles-Do-not-abort-on-labeling-error.patch
@@ -0,0 +1,68 @@
+From 53ccdd55adfbec60fb4277286f2ad94660838504 Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach
+Date: Wed, 13 Jan 2021 22:09:47 +0100
+Subject: [PATCH] setfiles: Do not abort on labeling error
+
+Commit 602347c7422e ("policycoreutils: setfiles - Modify to use
+selinux_restorecon") changed behavior of setfiles. Original
+implementation skipped files which it couldn't set context to while the
+new implementation aborts on them. setfiles should abort only if it
+can't validate a context from spec_file.
+
+Reproducer:
+
+ # mkdir -p r/1 r/2 r/3
+ # touch r/1/1 r/2/1
+ # chattr +i r/2/1
+ # touch r/3/1
+ # setfiles -r r -v /etc/selinux/targeted/contexts/files/file_contexts r
+ Relabeled r from unconfined_u:object_r:mnt_t:s0 to unconfined_u:object_r:root_t:s0
+ Relabeled r/2 from unconfined_u:object_r:mnt_t:s0 to unconfined_u:object_r:default_t:s0
+ setfiles: Could not set context for r/2/1: Operation not permitted
+
+r/3 and r/1 are not relabeled.
+
+Signed-off-by: Petr Lautrbach
+---
+ policycoreutils/setfiles/setfiles.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/policycoreutils/setfiles/setfiles.c b/policycoreutils/setfiles/setfiles.c
+index bc83c27b4c06..68eab45aa2b4 100644
+--- a/policycoreutils/setfiles/setfiles.c
++++ b/policycoreutils/setfiles/setfiles.c
+@@ -182,6 +182,7 @@ int main(int argc, char **argv)
+ policyfile = NULL;
+ nerr = 0;
+
++ r_opts.abort_on_error = 0;
+ r_opts.progname = strdup(argv[0]);
+ if (!r_opts.progname) {
+ fprintf(stderr, "%s: Out of memory!\n", argv[0]);
+@@ -194,7 +195,6 @@ int main(int argc, char **argv)
+ * setfiles:
+ * Recursive descent,
+ * Does not expand paths via realpath,
+- * Aborts on errors during the file tree walk,
+ * Try to track inode associations for conflict detection,
+ * Does not follow mounts (sets SELINUX_RESTORECON_XDEV),
+ * Validates all file contexts at init time.
+@@ -202,7 +202,6 @@ int main(int argc, char **argv)
+ iamrestorecon = 0;
+ r_opts.recurse = SELINUX_RESTORECON_RECURSE;
+ r_opts.userealpath = 0; /* SELINUX_RESTORECON_REALPATH */
+- r_opts.abort_on_error = SELINUX_RESTORECON_ABORT_ON_ERROR;
+ r_opts.add_assoc = SELINUX_RESTORECON_ADD_ASSOC;
+ /* FTS_PHYSICAL and FTS_NOCHDIR are always set by selinux_restorecon(3) */
+ r_opts.xdev = SELINUX_RESTORECON_XDEV;
+@@ -226,7 +225,6 @@ int main(int argc, char **argv)
+ iamrestorecon = 1;
+ r_opts.recurse = 0;
+ r_opts.userealpath = SELINUX_RESTORECON_REALPATH;
+- r_opts.abort_on_error = 0;
+ r_opts.add_assoc = 0;
+ r_opts.xdev = 0;
+ r_opts.ignore_mounts = 0;
+--
+2.30.0
+
diff --git a/SOURCES/0037-setfiles-drop-ABORT_ON_ERRORS-and-related-code.patch b/SOURCES/0037-setfiles-drop-ABORT_ON_ERRORS-and-related-code.patch
new file mode 100644
index 0000000..349c675
--- /dev/null
+++ b/SOURCES/0037-setfiles-drop-ABORT_ON_ERRORS-and-related-code.patch
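Review bot: The new `r_opts.abort_on_error = 0;` at the top of main() carries no comment, and it replaces the per-mode assignments removed in the two later hunks, so the reason setfiles stops using SELINUX_RESTORECON_ABORT_ON_ERROR lives only in the commit message. I would put `/* Keep walking after a per-file labeling failure; only an invalid spec_file context is fatal. */` above it. Since a file that cannot be relabeled now keeps its old context while the walk continues, callers can only notice through the exit status; the code that collects selinux_restorecon() results is not in these hunks, so please confirm a failed relabel still makes setfiles exit non-zero. main() starts and ends outside the hunks.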
@@ -0,0 +1,110 @@
+From 2f135022f4372dc34198c48cfd67b91044e6dfd7 Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach
+Date: Wed, 13 Jan 2021 22:09:48 +0100
+Subject: [PATCH] setfiles: drop ABORT_ON_ERRORS and related code
+
+`setfiles -d` doesn't have any impact on number of errors before it
+aborts. It always aborts on first invalid context in spec file.
+
+Signed-off-by: Petr Lautrbach
+---
+ policycoreutils/setfiles/Makefile | 3 ---
+ policycoreutils/setfiles/ru/setfiles.8 | 2 +-
+ policycoreutils/setfiles/setfiles.8 | 3 +--
+ policycoreutils/setfiles/setfiles.c | 18 ------------------
+ 4 files changed, 2 insertions(+), 24 deletions(-)
+
+diff --git a/policycoreutils/setfiles/Makefile b/policycoreutils/setfiles/Makefile
+index bc5a8db789a5..a3bbbe116b7f 100644
+--- a/policycoreutils/setfiles/Makefile
++++ b/policycoreutils/setfiles/Makefile
+@@ -5,8 +5,6 @@ SBINDIR ?= /sbin
+ MANDIR = $(PREFIX)/share/man
+ AUDITH ?= $(shell test -f /usr/include/libaudit.h && echo y)
+
+-ABORT_ON_ERRORS=$(shell grep "^\#define ABORT_ON_ERRORS" setfiles.c | awk -S '{ print $$3 }')
+-
+ CFLAGS ?= -g -Werror -Wall -W
+ override LDLIBS += -lselinux -lsepol
+
+@@ -26,7 +24,6 @@ restorecon_xattr: restorecon_xattr.o restore.o
+
+ man:
+ @cp -af setfiles.8 setfiles.8.man
+- @sed -i "s/ABORT_ON_ERRORS/$(ABORT_ON_ERRORS)/g" setfiles.8.man
+
+ install: all
+ [ -d $(DESTDIR)$(MANDIR)/man8 ] || mkdir -p $(DESTDIR)$(MANDIR)/man8
+diff --git a/policycoreutils/setfiles/ru/setfiles.8 b/policycoreutils/setfiles/ru/setfiles.8
+index 27815a3f1eee..910101452625 100644
+--- a/policycoreutils/setfiles/ru/setfiles.8
++++ b/policycoreutils/setfiles/ru/setfiles.8
+@@ -47,7 +47,7 @@ setfiles \- установить SELinux-контексты безопаснос
+ проверить действительность контекстов относительно указанной двоичной политики.
+ .TP
+ .B \-d
+-показать, какая спецификация соответствует каждому из файлов (не прекращать проверку после получения ошибок ABORT_ON_ERRORS).
++показать, какая спецификация соответствует каждому из файлов.
+ .TP
+ .BI \-e \ directory
+ исключить каталог (чтобы исключить более одного каталога, этот параметр необходимо использовать соответствующее количество раз).
+diff --git a/policycoreutils/setfiles/setfiles.8 b/policycoreutils/setfiles/setfiles.8
+index a8a76c860dac..b7d3cefb96ff 100644
+--- a/policycoreutils/setfiles/setfiles.8
++++ b/policycoreutils/setfiles/setfiles.8
+@@ -56,8 +56,7 @@ option will force a replacement of the entire context.
+ check the validity of the contexts against the specified binary policy.
+ .TP
+ .B \-d
+-show what specification matched each file (do not abort validation
+-after ABORT_ON_ERRORS errors). Not affected by "\-q"
++show what specification matched each file. Not affected by "\-q"
+ .TP
+ .BI \-e \ directory
+ directory to exclude (repeat option for more than one directory).
+diff --git a/policycoreutils/setfiles/setfiles.c b/policycoreutils/setfiles/setfiles.c
+index 68eab45aa2b4..bcbdfbfe53e2 100644
+--- a/policycoreutils/setfiles/setfiles.c
++++ b/policycoreutils/setfiles/setfiles.c
+@@ -23,14 +23,6 @@ static int nerr;
+
+ #define STAT_BLOCK_SIZE 1
+
+-/* setfiles will abort its operation after reaching the
+- * following number of errors (e.g. invalid contexts),
+- * unless it is used in "debug" mode (-d option).
+- */
+-#ifndef ABORT_ON_ERRORS
+-#define ABORT_ON_ERRORS 10
+-#endif
+-
+ #define SETFILES "setfiles"
+ #define RESTORECON "restorecon"
+ static int iamrestorecon;
+@@ -57,15 +49,6 @@ static __attribute__((__noreturn__)) void usage(const char *const name)
+ exit(-1);
+ }
+
+-void inc_err(void)
+-{
+- nerr++;
+- if (nerr > ABORT_ON_ERRORS - 1 && !r_opts.debug) {
+- fprintf(stderr, "Exiting after %d errors.\n", ABORT_ON_ERRORS);
+- exit(-1);
+- }
+-}
+-
+ void set_rootpath(const char *arg)
+ {
+ if (strlen(arg) == 1 && strncmp(arg, "/", 1) == 0) {
+@@ -98,7 +81,6 @@ int canoncon(char **contextp)
+ *contextp = tmpcon;
+ } else if (errno != ENOENT) {
+ rc = -1;
+- inc_err();
+ }
+
+ return rc;
+--
+2.30.0
+
diff --git a/SOURCES/0038-policycoreutils-setfiles-Drop-unused-nerr-variable.patch b/SOURCES/0038-policycoreutils-setfiles-Drop-unused-nerr-variable.patch
new file mode 100644
index 0000000..31b9a34
--- /dev/null
+++ b/SOURCES/0038-policycoreutils-setfiles-Drop-unused-nerr-variable.patch
@@ -0,0 +1,44 @@
+From a691da617a2d3c864786ff2742d9a9f87ecc7d05 Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach
+Date: Mon, 1 Feb 2021 15:24:32 +0100
+Subject: [PATCH] policycoreutils/setfiles: Drop unused nerr variable
+
+Suggested-by: Nicolas Iooss
+Signed-off-by: Petr Lautrbach
+---
+ policycoreutils/setfiles/setfiles.c | 5 -----
+ 1 file changed, 5 deletions(-)
+
+diff --git a/policycoreutils/setfiles/setfiles.c b/policycoreutils/setfiles/setfiles.c
+index bcbdfbfe53e2..82d0aaa75893 100644
+--- a/policycoreutils/setfiles/setfiles.c
++++ b/policycoreutils/setfiles/setfiles.c
+@@ -19,7 +19,6 @@ static int warn_no_match;
+ static int null_terminated;
+ static int request_digest;
+ static struct restore_opts r_opts;
+-static int nerr;
+
+ #define STAT_BLOCK_SIZE 1
+
+@@ -162,7 +161,6 @@ int main(int argc, char **argv)
+ warn_no_match = 0;
+ request_digest = 0;
+ policyfile = NULL;
+- nerr = 0;
+
+ r_opts.abort_on_error = 0;
+ r_opts.progname = strdup(argv[0]);
+@@ -417,9 +415,6 @@ int main(int argc, char **argv)
+ r_opts.selabel_opt_digest = (request_digest ? (char *)1 : NULL);
+ r_opts.selabel_opt_path = altpath;
+
+- if (nerr)
+- exit(-1);
+-
+ restore_init(&r_opts);
+
+ if (use_input_file) {
+--
+2.30.0
+
diff --git a/SOURCES/0039-selinux-8-5-Describe-fcontext-regular-expressions.patch b/SOURCES/0039-selinux-8-5-Describe-fcontext-regular-expressions.patch
new file mode 100644
index 0000000..b1f95a2
--- /dev/null
+++ b/SOURCES/0039-selinux-8-5-Describe-fcontext-regular-expressions.patch
@@ -0,0 +1,62 @@
+From c556c6ad0b94cf3ba4b441a1a0930f2468434227 Mon Sep 17 00:00:00 2001
+From: Vit Mojzis
+Date: Wed, 10 Feb 2021 18:05:29 +0100
+Subject: [PATCH] selinux(8,5): Describe fcontext regular expressions
+
+Describe which type of regular expression is used in file context
+definitions and which flags are in effect.
+
+Explain how local file context modifications are processed.
+
+Signed-off-by: Vit Mojzis
+Acked-by: Petr Lautrbach
+---
+ python/semanage/semanage | 2 +-
+ python/semanage/semanage-fcontext.8 | 18 ++++++++++++++++++
+ 2 files changed, 19 insertions(+), 1 deletion(-)
+
+diff --git a/python/semanage/semanage b/python/semanage/semanage
+index 781e8645..ebb93ea5 100644
+--- a/python/semanage/semanage
++++ b/python/semanage/semanage
+@@ -366,7 +366,7 @@ If you do not specify a file type, the file type will default to "all files".
+ parser_add_seuser(fcontextParser, "fcontext")
+ parser_add_type(fcontextParser, "fcontext")
+ parser_add_range(fcontextParser, "fcontext")
+- fcontextParser.add_argument('file_spec', nargs='?', default=None, help=_('file_spec'))
++ fcontextParser.add_argument('file_spec', nargs='?', default=None, help=_('Path to be labeled (may be in the form of a Perl compatible regular expression)'))
+ fcontextParser.set_defaults(func=handleFcontext)
+
+
+diff --git a/python/semanage/semanage-fcontext.8 b/python/semanage/semanage-fcontext.8
+index 561123af..49635ba7 100644
+--- a/python/semanage/semanage-fcontext.8
++++ b/python/semanage/semanage-fcontext.8
+@@ -11,6 +11,24 @@ SELinux policy without requiring modification to or recompilation
+ from policy sources. semanage fcontext is used to manage the default
+ file system labeling on an SELinux system. This command maps file paths using regular expressions to SELinux labels.
+
++FILE_SPEC may contain either a fully qualified path,
++or a Perl compatible regular expression (PCRE),
++describing fully qualified path(s). The only PCRE flag in use is PCRE2_DOTALL,
++which causes a wildcard '.' to match anything, including a new line.
++Strings representing paths are processed as bytes (as opposed to Unicode),
++meaning that non-ASCII characters are not matched by a single wildcard.
++
++Note, that file context definitions specified using 'semanage fcontext'
++(i.e. local file context modifications stored in file_contexts.local)
++have higher priority than those specified in policy modules.
++This means that whenever a match for given file path is found in
++file_contexts.local, no other file context definitions are considered.
++Entries in file_contexts.local are processed from most recent one to the oldest,
++with first match being used (as opposed to the most specific match,
++which is used when matching other file context definitions).
++All regular expressions should therefore be as specific as possible,
++to avoid unintentionally impacting other parts of the filesystem.
++
+ .SH "OPTIONS"
+ .TP
+ .I \-h, \-\-help
+--
+2.29.2
+
diff --git a/SOURCES/0040-policycoreutils-setfiles-do-not-restrict-checks-agai.patch b/SOURCES/0040-policycoreutils-setfiles-do-not-restrict-checks-agai.patch
new file mode 100644
index 0000000..3f7a839
--- /dev/null
+++ b/SOURCES/0040-policycoreutils-setfiles-do-not-restrict-checks-agai.patch
@@ -0,0 +1,69 @@
+From d10e773c014a12b17fefd9caef0bd02528d75d18 Mon Sep 17 00:00:00 2001
+From: Antoine Tenart
+Date: Tue, 7 Jul 2020 16:35:01 +0200
+Subject: [PATCH] policycoreutils: setfiles: do not restrict checks against a
+ binary policy
+
+The -c option allows to check the validity of contexts against a
+specified binary policy. Its use is restricted: no pathname can be used
+when a binary policy is given to setfiles. It's not clear if this is
+intentional as the built-in help and the man page are not stating the
+same thing about this (the man page document -c as a normal option,
+while the built-in help shows it is restricted).
+
+When generating full system images later used with SELinux in enforcing
+mode, the extended attributed of files have to be set by the build
+machine. The issue is setfiles always checks the contexts against a
+policy (ctx_validate = 1) and using an external binary policy is not
+currently possible when using a pathname. This ends up in setfiles
+failing early as the contexts of the target image are not always
+compatible with the ones of the build machine.
+
+This patch reworks a check on optind only made when -c is used, that
+enforced the use of a single argument to allow 1+ arguments, allowing to
+use setfiles with an external binary policy and pathnames. The following
+command is then allowed, as already documented in the man page:
+
+ $ setfiles -m -r target/ -c policy.32 file_contexts target/
+
+Signed-off-by: Antoine Tenart
+Acked-by: Stephen Smalley
+
+(cherry-picked from SElinuxProject
+ commit: c94e542c98da2f26863c1cbd9d7ad9bc5cca6aff )
+---
+ policycoreutils/setfiles/setfiles.c | 11 +++++------
+ 1 file changed, 5 insertions(+), 6 deletions(-)
+
+diff --git a/policycoreutils/setfiles/setfiles.c b/policycoreutils/setfiles/setfiles.c
+index 82d0aaa7..4fd3d756 100644
+--- a/policycoreutils/setfiles/setfiles.c
++++ b/policycoreutils/setfiles/setfiles.c
+@@ -39,11 +39,10 @@ static __attribute__((__noreturn__)) void usage(const char *const name)
+ name, name);
+ } else {
+ fprintf(stderr,
+- "usage: %s [-diIDlmnpqvFW] [-e excludedir] [-r alt_root_path] spec_file pathname...\n"
+- "usage: %s [-diIDlmnpqvFW] [-e excludedir] [-r alt_root_path] spec_file -f filename\n"
+- "usage: %s -s [-diIDlmnpqvFW] spec_file\n"
+- "usage: %s -c policyfile spec_file\n",
+- name, name, name, name);
++ "usage: %s [-diIDlmnpqvEFW] [-e excludedir] [-r alt_root_path] [-c policyfile] spec_file pathname...\n"
++ "usage: %s [-diIDlmnpqvEFW] [-e excludedir] [-r alt_root_path] [-c policyfile] spec_file -f filename\n"
++ "usage: %s -s [-diIDlmnpqvFW] spec_file\n",
++ name, name, name);
+ }
+ exit(-1);
+ }
+@@ -376,7 +375,7 @@ int main(int argc, char **argv)
+
+ if (!iamrestorecon) {
+ if (policyfile) {
+- if (optind != (argc - 1))
++ if (optind > (argc - 1))
+ usage(argv[0]);
+ } else if (use_input_file) {
+ if (optind != (argc - 1)) {
+--
+2.30.2
+
diff --git a/SOURCES/0041-semodule-add-m-checksum-option.patch b/SOURCES/0041-semodule-add-m-checksum-option.patch
new file mode 100644
index 0000000..0fa0c54
--- /dev/null
+++ b/SOURCES/0041-semodule-add-m-checksum-option.patch
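Review bot: When `-c policyfile` is combined with `-f filename`, the relaxed test in the main() hunk lets extra pathname arguments through, because `if (policyfile)` is evaluated before `else if (use_input_file)` and the stricter `optind != (argc - 1)` check in that arm is then never run. Keeping both rules in the policyfile arm would close the gap: `if (optind > (argc - 1) || (use_input_file && optind != (argc - 1)))`. The usage() hunk also adds `E` to the advertised option letters and drops the `-c policyfile spec_file` line, although the new check still accepts a lone spec_file; as this is a cherry-pick onto 2.9, please confirm that the getopt string, which is not visible here, really accepts `-E`. main() and usage() both continue outside the hunks.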
@@ -0,0 +1,674 @@ +From e748832819b781507903838483376d308c90ca79 Mon Sep 17 00:00:00 2001 +From: Petr Lautrbach +Date: Tue, 16 Nov 2021 14:27:11 +0100 +Subject: [PATCH] semodule: add -m | --checksum option + +Since cil doesn't store module name and module version in module itself, +there's no simple way how to compare that installed module is the same +version as the module which is supposed to be installed. Even though the +version was not used by semodule itself, it was apparently used by some +team. + +With `semodule -l --checksum` users get SHA256 hashes of modules and +could compare them with their files which is faster than installing +modules again and again. + +E.g. + + # time ( + semodule -l --checksum | grep localmodule + /usr/libexec/selinux/hll/pp localmodule.pp | sha256sum + ) + localmodule db002f64ddfa3983257b42b54da7b182c9b2e476f47880ae3494f9099e1a42bd + db002f64ddfa3983257b42b54da7b182c9b2e476f47880ae3494f9099e1a42bd - + + real 0m0.876s + user 0m0.849s + sys 0m0.028s + +vs + + # time semodule -i localmodule.pp + + real 0m6.147s + user 0m5.800s + sys 0m0.231s + +Signed-off-by: Petr Lautrbach +Acked-by: James Carter +--- + policycoreutils/semodule/Makefile | 2 +- + policycoreutils/semodule/semodule.8 | 6 + + policycoreutils/semodule/semodule.c | 95 ++++++++- + policycoreutils/semodule/sha256.c | 294 ++++++++++++++++++++++++++++ + policycoreutils/semodule/sha256.h | 89 +++++++++ + 5 files changed, 480 insertions(+), 6 deletions(-) + create mode 100644 policycoreutils/semodule/sha256.c + create mode 100644 policycoreutils/semodule/sha256.h + +diff --git a/policycoreutils/semodule/Makefile b/policycoreutils/semodule/Makefile +index 73801e487a76..9875ac383280 100644 +--- a/policycoreutils/semodule/Makefile ++++ b/policycoreutils/semodule/Makefile +@@ -6,7 +6,7 @@ MANDIR = $(PREFIX)/share/man + + CFLAGS ?= -Werror -Wall -W + override LDLIBS += -lsepol -lselinux -lsemanage +-SEMODULE_OBJS = semodule.o ++SEMODULE_OBJS = semodule.o sha256.o + + all: semodule 
genhomedircon + +diff --git a/policycoreutils/semodule/semodule.8 b/policycoreutils/semodule/semodule.8 +index 18d4f708661c..3a2fb21c2481 100644 +--- a/policycoreutils/semodule/semodule.8 ++++ b/policycoreutils/semodule/semodule.8 +@@ -95,6 +95,9 @@ only modules listed in \-\-extract after this option. + .B \-H,\-\-hll + Extract module as an HLL file. This only affects the \-\-extract option and + only modules listed in \-\-extract after this option. ++.TP ++.B \-m,\-\-checksum ++Add SHA256 checksum of modules to the list output. + + .SH EXAMPLE + .nf +@@ -130,6 +133,9 @@ $ semodule \-B \-S "/tmp/var/lib/selinux" + # Write the HLL version of puppet and the CIL version of wireshark + # modules at priority 400 to the current working directory + $ semodule \-X 400 \-\-hll \-E puppet \-\-cil \-E wireshark ++# Check whether a module in "localmodule.pp" file is same as installed module "localmodule" ++$ /usr/libexec/selinux/hll/pp localmodule.pp | sha256sum ++$ semodule -l -m | grep localmodule + .fi + + .SH SEE ALSO +diff --git a/policycoreutils/semodule/semodule.c b/policycoreutils/semodule/semodule.c +index a76797f505cd..300a97d735cc 100644 +--- a/policycoreutils/semodule/semodule.c ++++ b/policycoreutils/semodule/semodule.c +@@ -24,6 +24,8 @@ + + #include + ++#include "sha256.h" ++ + enum client_modes { + NO_MODE, INSTALL_M, REMOVE_M, EXTRACT_M, CIL_M, HLL_M, + LIST_M, RELOAD, PRIORITY_M, ENABLE_M, DISABLE_M +@@ -56,6 +58,7 @@ static semanage_handle_t *sh = NULL; + static char *store; + static char *store_root; + int extract_cil = 0; ++static int checksum = 0; + + extern char *optarg; + extern int optind; +@@ -146,6 +149,7 @@ static void usage(char *progname) + printf(" -S,--store-path use an alternate path for the policy store root\n"); + printf(" -c, --cil extract module as cil. This only affects module extraction.\n"); + printf(" -H, --hll extract module as hll. 
This only affects module extraction.\n"); ++ printf(" -m, --checksum print module checksum (SHA256).\n"); + } + + /* Sets the global mode variable to new_mode, but only if no other +@@ -199,6 +203,7 @@ static void parse_command_line(int argc, char **argv) + {"disable", required_argument, NULL, 'd'}, + {"path", required_argument, NULL, 'p'}, + {"store-path", required_argument, NULL, 'S'}, ++ {"checksum", 0, NULL, 'm'}, + {NULL, 0, NULL, 0} + }; + int extract_selected = 0; +@@ -209,7 +214,7 @@ static void parse_command_line(int argc, char **argv) + no_reload = 0; + priority = 400; + while ((i = +- getopt_long(argc, argv, "s:b:hi:l::vr:u:RnNBDCPX:e:d:p:S:E:cH", opts, ++ getopt_long(argc, argv, "s:b:hi:l::vr:u:RnNBDCPX:e:d:p:S:E:cHm", opts, + NULL)) != -1) { + switch (i) { + case 'b': +@@ -286,6 +291,9 @@ static void parse_command_line(int argc, char **argv) + case 'd': + set_mode(DISABLE_M, optarg); + break; ++ case 'm': ++ checksum = 1; ++ break; + case '?': + default:{ + usage(argv[0]); +@@ -337,6 +345,61 @@ static void parse_command_line(int argc, char **argv) + } + } + ++/* Get module checksum */ ++static char *hash_module_data(const char *module_name, const int prio) { ++ semanage_module_info_t *extract_info = NULL; ++ semanage_module_key_t *modkey = NULL; ++ Sha256Context context; ++ uint8_t sha256_hash[SHA256_HASH_SIZE]; ++ char *sha256_buf = NULL; ++ void *data; ++ size_t data_len = 0, i; ++ int result; ++ ++ result = semanage_module_key_create(sh, &modkey); ++ if (result != 0) { ++ goto cleanup_extract; ++ } ++ ++ result = semanage_module_key_set_name(sh, modkey, module_name); ++ if (result != 0) { ++ goto cleanup_extract; ++ } ++ ++ result = semanage_module_key_set_priority(sh, modkey, prio); ++ if (result != 0) { ++ goto cleanup_extract; ++ } ++ ++ result = semanage_module_extract(sh, modkey, 1, &data, &data_len, ++ &extract_info); ++ if (result != 0) { ++ goto cleanup_extract; ++ } ++ ++ Sha256Initialise(&context); ++ Sha256Update(&context, data, 
data_len); ++ ++ Sha256Finalise(&context, (SHA256_HASH *)sha256_hash); ++ ++ sha256_buf = calloc(1, SHA256_HASH_SIZE * 2 + 1); ++ ++ if (sha256_buf == NULL) ++ goto cleanup_extract; ++ ++ for (i = 0; i < SHA256_HASH_SIZE; i++) { ++ sprintf((&sha256_buf[i * 2]), "%02x", sha256_hash[i]); ++ } ++ sha256_buf[i * 2] = 0; ++ ++cleanup_extract: ++ semanage_module_info_destroy(sh, extract_info); ++ free(extract_info); ++ semanage_module_key_destroy(sh, modkey); ++ free(modkey); ++ return sha256_buf; ++} ++ + int main(int argc, char *argv[]) + { + int i, commit = 0; +@@ -544,6 +607,8 @@ cleanup_extract: + int modinfos_len = 0; + semanage_module_info_t *m = NULL; + int j = 0; ++ char *module_checksum = NULL; ++ uint16_t pri = 0; + + if (verbose) { + printf +@@ -568,7 +633,18 @@ cleanup_extract: + result = semanage_module_info_get_name(sh, m, &name); + if (result != 0) goto cleanup_list; + +- printf("%s\n", name); ++ result = semanage_module_info_get_priority(sh, m, &pri); ++ if (result != 0) goto cleanup_list; ++ ++ printf("%s", name); ++ if (checksum) { ++ module_checksum = hash_module_data(name, pri); ++ if (module_checksum) { ++ printf(" %s", module_checksum); ++ free(module_checksum); ++ } ++ } ++ printf("\n"); + } + } + else if (strcmp(mode_arg, "full") == 0) { +@@ -583,11 +659,12 @@ cleanup_extract: + } + + /* calculate column widths */ +- size_t column[4] = { 0, 0, 0, 0 }; ++ size_t column[5] = { 0, 0, 0, 0, 0 }; + + /* fixed width columns */ + column[0] = sizeof("000") - 1; + column[3] = sizeof("disabled") - 1; ++ column[4] = 64; /* SHA256_HASH_SIZE * 2 */ + + /* variable width columns */ + const char *tmp = NULL; +@@ -610,7 +687,6 @@ cleanup_extract: + + /* print out each module */ + for (j = 0; j < modinfos_len; j++) { +- uint16_t pri = 0; + const char *name = NULL; + int enabled = 0; + const char *lang_ext = NULL; +@@ -629,11 +705,20 @@ cleanup_extract: + result = semanage_module_info_get_lang_ext(sh, m, &lang_ext); + if (result != 0) goto cleanup_list; + +- 
printf("%0*u %-*s %-*s %-*s\n", ++ printf("%0*u %-*s %-*s %-*s", + (int)column[0], pri, + (int)column[1], name, + (int)column[2], lang_ext, + (int)column[3], enabled ? "" : "disabled"); ++ if (checksum) { ++ module_checksum = hash_module_data(name, pri); ++ if (module_checksum) { ++ printf(" %-*s", (int)column[4], module_checksum); ++ free(module_checksum); ++ } ++ } ++ printf("\n"); ++ + } + } + else { +diff --git a/policycoreutils/semodule/sha256.c b/policycoreutils/semodule/sha256.c +new file mode 100644 +index 000000000000..fe2aeef07f53 +--- /dev/null ++++ b/policycoreutils/semodule/sha256.c +@@ -0,0 +1,294 @@ ++//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ++// WjCryptLib_Sha256 ++// ++// Implementation of SHA256 hash function. ++// Original author: Tom St Denis, tomstdenis@gmail.com, http://libtom.org ++// Modified by WaterJuice retaining Public Domain license. ++// ++// This is free and unencumbered software released into the public domain - June 2013 waterjuice.org ++//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ++ ++//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ++// IMPORTS ++//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ++ ++#include "sha256.h" ++#include ++ ++//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ++// MACROS ++//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ++ ++#define ror(value, bits) (((value) >> (bits)) | ((value) << (32 - (bits)))) ++ ++#define MIN(x, y) ( ((x)<(y))?(x):(y) ) ++ ++#define STORE32H(x, y) \ ++ { (y)[0] = (uint8_t)(((x)>>24)&255); (y)[1] = (uint8_t)(((x)>>16)&255); \ ++ (y)[2] = 
(uint8_t)(((x)>>8)&255); (y)[3] = (uint8_t)((x)&255); } ++ ++#define LOAD32H(x, y) \ ++ { x = ((uint32_t)((y)[0] & 255)<<24) | \ ++ ((uint32_t)((y)[1] & 255)<<16) | \ ++ ((uint32_t)((y)[2] & 255)<<8) | \ ++ ((uint32_t)((y)[3] & 255)); } ++ ++#define STORE64H(x, y) \ ++ { (y)[0] = (uint8_t)(((x)>>56)&255); (y)[1] = (uint8_t)(((x)>>48)&255); \ ++ (y)[2] = (uint8_t)(((x)>>40)&255); (y)[3] = (uint8_t)(((x)>>32)&255); \ ++ (y)[4] = (uint8_t)(((x)>>24)&255); (y)[5] = (uint8_t)(((x)>>16)&255); \ ++ (y)[6] = (uint8_t)(((x)>>8)&255); (y)[7] = (uint8_t)((x)&255); } ++ ++//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ++// CONSTANTS ++//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ++ ++// The K array ++static const uint32_t K[64] = { ++ 0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL, 0x3956c25bUL, ++ 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL, 0xd807aa98UL, 0x12835b01UL, ++ 0x243185beUL, 0x550c7dc3UL, 0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, ++ 0xc19bf174UL, 0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL, ++ 0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL, 0x983e5152UL, ++ 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL, 0xc6e00bf3UL, 0xd5a79147UL, ++ 0x06ca6351UL, 0x14292967UL, 0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, ++ 0x53380d13UL, 0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL, ++ 0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL, 0xd192e819UL, ++ 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL, 0x19a4c116UL, 0x1e376c08UL, ++ 0x2748774cUL, 0x34b0bcb5UL, 0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, ++ 0x682e6ff3UL, 0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL, ++ 0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL ++}; ++ ++#define BLOCK_SIZE 64 ++ ++//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ++// INTERNAL FUNCTIONS 
++//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ++ ++// Various logical functions ++#define Ch( x, y, z ) (z ^ (x & (y ^ z))) ++#define Maj( x, y, z ) (((x | y) & z) | (x & y)) ++#define S( x, n ) ror((x),(n)) ++#define R( x, n ) (((x)&0xFFFFFFFFUL)>>(n)) ++#define Sigma0( x ) (S(x, 2) ^ S(x, 13) ^ S(x, 22)) ++#define Sigma1( x ) (S(x, 6) ^ S(x, 11) ^ S(x, 25)) ++#define Gamma0( x ) (S(x, 7) ^ S(x, 18) ^ R(x, 3)) ++#define Gamma1( x ) (S(x, 17) ^ S(x, 19) ^ R(x, 10)) ++ ++#define Sha256Round( a, b, c, d, e, f, g, h, i ) \ ++ t0 = h + Sigma1(e) + Ch(e, f, g) + K[i] + W[i]; \ ++ t1 = Sigma0(a) + Maj(a, b, c); \ ++ d += t0; \ ++ h = t0 + t1; ++ ++//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ++// TransformFunction ++// ++// Compress 512-bits ++//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ++static ++void ++ TransformFunction ++ ( ++ Sha256Context* Context, ++ uint8_t const* Buffer ++ ) ++{ ++ uint32_t S[8]; ++ uint32_t W[64]; ++ uint32_t t0; ++ uint32_t t1; ++ uint32_t t; ++ int i; ++ ++ // Copy state into S ++ for( i=0; i<8; i++ ) ++ { ++ S[i] = Context->state[i]; ++ } ++ ++ // Copy the state into 512-bits into W[0..15] ++ for( i=0; i<16; i++ ) ++ { ++ LOAD32H( W[i], Buffer + (4*i) ); ++ } ++ ++ // Fill W[16..63] ++ for( i=16; i<64; i++ ) ++ { ++ W[i] = Gamma1( W[i-2]) + W[i-7] + Gamma0( W[i-15] ) + W[i-16]; ++ } ++ ++ // Compress ++ for( i=0; i<64; i++ ) ++ { ++ Sha256Round( S[0], S[1], S[2], S[3], S[4], S[5], S[6], S[7], i ); ++ t = S[7]; ++ S[7] = S[6]; ++ S[6] = S[5]; ++ S[5] = S[4]; ++ S[4] = S[3]; ++ S[3] = S[2]; ++ S[2] = S[1]; ++ S[1] = S[0]; ++ S[0] = t; ++ } ++ ++ // Feedback ++ for( i=0; i<8; i++ ) ++ { ++ Context->state[i] = Context->state[i] + S[i]; ++ } ++} ++ 
++//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ++// PUBLIC FUNCTIONS ++//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ++ ++//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ++// Sha256Initialise ++// ++// Initialises a SHA256 Context. Use this to initialise/reset a context. ++//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ++void ++ Sha256Initialise ++ ( ++ Sha256Context* Context // [out] ++ ) ++{ ++ Context->curlen = 0; ++ Context->length = 0; ++ Context->state[0] = 0x6A09E667UL; ++ Context->state[1] = 0xBB67AE85UL; ++ Context->state[2] = 0x3C6EF372UL; ++ Context->state[3] = 0xA54FF53AUL; ++ Context->state[4] = 0x510E527FUL; ++ Context->state[5] = 0x9B05688CUL; ++ Context->state[6] = 0x1F83D9ABUL; ++ Context->state[7] = 0x5BE0CD19UL; ++} ++ ++//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ++// Sha256Update ++// ++// Adds data to the SHA256 context. This will process the data and update the internal state of the context. Keep on ++// calling this function until all the data has been added. Then call Sha256Finalise to calculate the hash. 
++//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ++void ++ Sha256Update ++ ( ++ Sha256Context* Context, // [in out] ++ void const* Buffer, // [in] ++ uint32_t BufferSize // [in] ++ ) ++{ ++ uint32_t n; ++ ++ if( Context->curlen > sizeof(Context->buf) ) ++ { ++ return; ++ } ++ ++ while( BufferSize > 0 ) ++ { ++ if( Context->curlen == 0 && BufferSize >= BLOCK_SIZE ) ++ { ++ TransformFunction( Context, (uint8_t*)Buffer ); ++ Context->length += BLOCK_SIZE * 8; ++ Buffer = (uint8_t*)Buffer + BLOCK_SIZE; ++ BufferSize -= BLOCK_SIZE; ++ } ++ else ++ { ++ n = MIN( BufferSize, (BLOCK_SIZE - Context->curlen) ); ++ memcpy( Context->buf + Context->curlen, Buffer, (size_t)n ); ++ Context->curlen += n; ++ Buffer = (uint8_t*)Buffer + n; ++ BufferSize -= n; ++ if( Context->curlen == BLOCK_SIZE ) ++ { ++ TransformFunction( Context, Context->buf ); ++ Context->length += 8*BLOCK_SIZE; ++ Context->curlen = 0; ++ } ++ } ++ } ++} ++ ++//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ++// Sha256Finalise ++// ++// Performs the final calculation of the hash and returns the digest (32 byte buffer containing 256bit hash). After ++// calling this, Sha256Initialised must be used to reuse the context. ++//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ++void ++ Sha256Finalise ++ ( ++ Sha256Context* Context, // [in out] ++ SHA256_HASH* Digest // [out] ++ ) ++{ ++ int i; ++ ++ if( Context->curlen >= sizeof(Context->buf) ) ++ { ++ return; ++ } ++ ++ // Increase the length of the message ++ Context->length += Context->curlen * 8; ++ ++ // Append the '1' bit ++ Context->buf[Context->curlen++] = (uint8_t)0x80; ++ ++ // if the length is currently above 56 bytes we append zeros ++ // then compress. Then we can fall back to padding zeros and length ++ // encoding like normal. 
++ if( Context->curlen > 56 ) ++ { ++ while( Context->curlen < 64 ) ++ { ++ Context->buf[Context->curlen++] = (uint8_t)0; ++ } ++ TransformFunction(Context, Context->buf); ++ Context->curlen = 0; ++ } ++ ++ // Pad up to 56 bytes of zeroes ++ while( Context->curlen < 56 ) ++ { ++ Context->buf[Context->curlen++] = (uint8_t)0; ++ } ++ ++ // Store length ++ STORE64H( Context->length, Context->buf+56 ); ++ TransformFunction( Context, Context->buf ); ++ ++ // Copy output ++ for( i=0; i<8; i++ ) ++ { ++ STORE32H( Context->state[i], Digest->bytes+(4*i) ); ++ } ++} ++ ++//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ++// Sha256Calculate ++// ++// Combines Sha256Initialise, Sha256Update, and Sha256Finalise into one function. Calculates the SHA256 hash of the ++// buffer. ++//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ++void ++ Sha256Calculate ++ ( ++ void const* Buffer, // [in] ++ uint32_t BufferSize, // [in] ++ SHA256_HASH* Digest // [in] ++ ) ++{ ++ Sha256Context context; ++ ++ Sha256Initialise( &context ); ++ Sha256Update( &context, Buffer, BufferSize ); ++ Sha256Finalise( &context, Digest ); ++} +diff --git a/policycoreutils/semodule/sha256.h b/policycoreutils/semodule/sha256.h +new file mode 100644 +index 000000000000..406ed869cd82 +--- /dev/null ++++ b/policycoreutils/semodule/sha256.h +@@ -0,0 +1,89 @@ ++//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ++// WjCryptLib_Sha256 ++// ++// Implementation of SHA256 hash function. ++// Original author: Tom St Denis, tomstdenis@gmail.com, http://libtom.org ++// Modified by WaterJuice retaining Public Domain license. 
++// ++// This is free and unencumbered software released into the public domain - June 2013 waterjuice.org ++//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ++ ++#pragma once ++ ++//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ++// IMPORTS ++//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ++ ++#include ++#include ++ ++typedef struct ++{ ++ uint64_t length; ++ uint32_t state[8]; ++ uint32_t curlen; ++ uint8_t buf[64]; ++} Sha256Context; ++ ++#define SHA256_HASH_SIZE ( 256 / 8 ) ++ ++typedef struct ++{ ++ uint8_t bytes [SHA256_HASH_SIZE]; ++} SHA256_HASH; ++ ++//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ++// PUBLIC FUNCTIONS ++//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ++ ++//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ++// Sha256Initialise ++// ++// Initialises a SHA256 Context. Use this to initialise/reset a context. ++//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ++void ++ Sha256Initialise ++ ( ++ Sha256Context* Context // [out] ++ ); ++ ++//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ++// Sha256Update ++// ++// Adds data to the SHA256 context. This will process the data and update the internal state of the context. Keep on ++// calling this function until all the data has been added. Then call Sha256Finalise to calculate the hash. 
++//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ++void ++ Sha256Update ++ ( ++ Sha256Context* Context, // [in out] ++ void const* Buffer, // [in] ++ uint32_t BufferSize // [in] ++ ); ++ ++//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ++// Sha256Finalise ++// ++// Performs the final calculation of the hash and returns the digest (32 byte buffer containing 256bit hash). After ++// calling this, Sha256Initialised must be used to reuse the context. ++//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ++void ++ Sha256Finalise ++ ( ++ Sha256Context* Context, // [in out] ++ SHA256_HASH* Digest // [out] ++ ); ++ ++//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ++// Sha256Calculate ++// ++// Combines Sha256Initialise, Sha256Update, and Sha256Finalise into one function. Calculates the SHA256 hash of the ++// buffer. ++//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ++void ++ Sha256Calculate ++ ( ++ void const* Buffer, // [in] ++ uint32_t BufferSize, // [in] ++ SHA256_HASH* Digest // [in] ++ ); +-- +2.33.1 + diff --git a/SOURCES/0042-semodule-Fix-lang_ext-column-index.patch b/SOURCES/0042-semodule-Fix-lang_ext-column-index.patch new file mode 100644 index 0000000..2fa24dc --- /dev/null +++ b/SOURCES/0042-semodule-Fix-lang_ext-column-index.patch 
@@ -0,0 +1,29 @@
+From 14084bad4f5bcfdb769ba39c9a6f12e4787ab909 Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach
+Date: Tue, 16 Nov 2021 16:11:22 +0100
+Subject: [PATCH] semodule: Fix lang_ext column index
+
+lang_ext is 3. column - index number 2.
+
+Signed-off-by: Petr Lautrbach
+Acked-by: James Carter
+---
+ policycoreutils/semodule/semodule.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/policycoreutils/semodule/semodule.c b/policycoreutils/semodule/semodule.c
+index 300a97d735cc..c677cc4f1d81 100644
+--- a/policycoreutils/semodule/semodule.c
++++ b/policycoreutils/semodule/semodule.c
+@@ -682,7 +682,7 @@ cleanup_extract:
+ if (result != 0) goto cleanup_list;
+
+ size = strlen(tmp);
+- if (size > column[3]) column[3] = size;
++ if (size > column[2]) column[2] = size;
+ }
+
+ /* print out each module */
+--
+2.33.1
+
diff --git a/SOURCES/0043-semodule-Don-t-forget-to-munmap-data.patch b/SOURCES/0043-semodule-Don-t-forget-to-munmap-data.patch
new file mode 100644
index 0000000..799c7e5
--- /dev/null
+++ b/SOURCES/0043-semodule-Don-t-forget-to-munmap-data.patch
@@ -0,0 +1,32 @@
+From 61f05b6d26063e1ebdc06609c29a067d44579b41 Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach
+Date: Tue, 23 Nov 2021 17:38:51 +0100
+Subject: [PATCH] semodule: Don't forget to munmap() data
+
+semanage_module_extract() mmap()'s the module raw data but it leaves on
+the caller to munmap() them.
+
+Reported-by: Ondrej Mosnacek
+Signed-off-by: Petr Lautrbach
+Acked-by: James Carter
+---
+ policycoreutils/semodule/semodule.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/policycoreutils/semodule/semodule.c b/policycoreutils/semodule/semodule.c
+index c677cc4f1d81..dc227058b073 100644
+--- a/policycoreutils/semodule/semodule.c
++++ b/policycoreutils/semodule/semodule.c
+@@ -393,6 +393,9 @@ static char *hash_module_data(const char *module_name, const int prio) {
+ sha256_buf[i * 2] = 0;
+
+ cleanup_extract:
++ if (data_len > 0) {
++ munmap(data, data_len);
++ }
+ semanage_module_info_destroy(sh, extract_info);
+ free(extract_info);
+ semanage_module_key_destroy(sh, modkey);
+--
+2.33.1
+
diff --git a/SOURCES/0044-policycoreutils-Improve-error-message-when-selabel_o.patch b/SOURCES/0044-policycoreutils-Improve-error-message-when-selabel_o.patch
new file mode 100644
index 0000000..634a69b
--- /dev/null
+++ b/SOURCES/0044-policycoreutils-Improve-error-message-when-selabel_o.patch
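Review bot: The `munmap(data, data_len)` added under `cleanup_extract:` in patch 0043 is guarded only by `data_len > 0`, so it is safe only if `semanage_module_extract()` leaves `data_len` at 0 on every failure path, which this hunk does not show. `data` itself is declared without an initializer (`void *data;` is visible among the lines a later patch in this series removes), so a non-zero length with an unset pointer would unmap an arbitrary address. I would declare `void *data = NULL;` and guard on both values, `if (data != NULL && data_len > 0) {`. The hunk adds no `#include <sys/mman.h>`, so confirm semodule.c already includes it. The body of hash_module_data starts and ends outside the hunk.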
@@ -0,0 +1,41 @@
+From 69da6239d8505a9d6ca547187f71a351df17f157 Mon Sep 17 00:00:00 2001
+From: Vit Mojzis
+Date: Mon, 10 Jan 2022 18:35:27 +0100
+Subject: [PATCH] policycoreutils: Improve error message when selabel_open
+ fails
+
+When selabel_open fails to locate file_context files and
+selabel_opt_path is not specified (e.g. when the policy type is
+missconfigured in /etc/selinux/config), perror only prints
+"No such file or directory".
+This can be confusing in case of "restorecon" since it's
+not apparent that the issue is in policy store.
+
+Before:
+ \# restorecon -v /tmp/foo.txt
+ No such file or directory
+After:
+ \# restorecon -v /tmp/foo.txt
+ /etc/selinux/yolo/contexts/files/file_contexts: No such file or directory
+
+Signed-off-by: Vit Mojzis
+---
+ policycoreutils/setfiles/restore.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/policycoreutils/setfiles/restore.c b/policycoreutils/setfiles/restore.c
+index d3335d1a..ba2668b3 100644
+--- a/policycoreutils/setfiles/restore.c
++++ b/policycoreutils/setfiles/restore.c
+@@ -29,7 +29,7 @@ void restore_init(struct restore_opts *opts)
+
+ opts->hnd = selabel_open(SELABEL_CTX_FILE, selinux_opts, 3);
+ if (!opts->hnd) {
+- perror(opts->selabel_opt_path);
++ perror(opts->selabel_opt_path ? opts->selabel_opt_path : selinux_file_context_path());
+ exit(1);
+ }
+
+--
+2.30.2
+
diff --git a/SOURCES/0045-semodule-libsemanage-move-module-hashing-into-libsem.patch b/SOURCES/0045-semodule-libsemanage-move-module-hashing-into-libsem.patch
new file mode 100644
index 0000000..1c5d05b
--- /dev/null
+++ b/SOURCES/0045-semodule-libsemanage-move-module-hashing-into-libsem.patch
@@ -0,0 +1,539 @@ +From 066007029b3dd250305d7fac0bfd53aa1e4543cf Mon Sep 17 00:00:00 2001 +From: Ondrej Mosnacek +Date: Thu, 3 Feb 2022 17:53:23 +0100 +Subject: [PATCH] semodule,libsemanage: move module hashing into libsemanage + +The main goal of this move is to have the SHA-256 implementation under +libsemanage, since upcoming patches will make use of SHA-256 for a +different (but similar) purpose in libsemanage. Having the hashing code +in libsemanage will reduce code duplication and allow for easier hash +algorithm upgrade in the future. + +Note that libselinux currently also contains a hash function +implementation (for yet another different purpose). This patch doesn't +make any effort to address that duplicity yet. + +This patch also changes the format of the hash string printed by +semodule to include the name of the hash. The intent is to avoid +ambiguity and potential collisions when the algorithm is potentially +changed in the future. + +Signed-off-by: Ondrej Mosnacek +--- + policycoreutils/semodule/Makefile | 2 +- + policycoreutils/semodule/semodule.c | 53 ++--- + policycoreutils/semodule/sha256.c | 294 ---------------------------- + policycoreutils/semodule/sha256.h | 89 --------- + 4 files changed, 17 insertions(+), 421 deletions(-) + delete mode 100644 policycoreutils/semodule/sha256.c + delete mode 100644 policycoreutils/semodule/sha256.h + +diff --git a/policycoreutils/semodule/Makefile b/policycoreutils/semodule/Makefile +index 9875ac38..73801e48 100644 +--- a/policycoreutils/semodule/Makefile ++++ b/policycoreutils/semodule/Makefile +@@ -6,7 +6,7 @@ MANDIR = $(PREFIX)/share/man + + CFLAGS ?= -Werror -Wall -W + override LDLIBS += -lsepol -lselinux -lsemanage +-SEMODULE_OBJS = semodule.o sha256.o ++SEMODULE_OBJS = semodule.o + + all: semodule genhomedircon + +diff --git a/policycoreutils/semodule/semodule.c b/policycoreutils/semodule/semodule.c +index dc227058..243b1add 100644 +--- a/policycoreutils/semodule/semodule.c ++++ 
b/policycoreutils/semodule/semodule.c +@@ -24,8 +24,6 @@ + + #include + +-#include "sha256.h" +- + enum client_modes { + NO_MODE, INSTALL_M, REMOVE_M, EXTRACT_M, CIL_M, HLL_M, + LIST_M, RELOAD, PRIORITY_M, ENABLE_M, DISABLE_M +@@ -347,60 +345,38 @@ static void parse_command_line(int argc, char **argv) + + /* Get module checksum */ + static char *hash_module_data(const char *module_name, const int prio) { +- semanage_module_info_t *extract_info = NULL; + semanage_module_key_t *modkey = NULL; +- Sha256Context context; +- uint8_t sha256_hash[SHA256_HASH_SIZE]; +- char *sha256_buf = NULL; +- void *data; +- size_t data_len = 0, i; ++ char *hash_str = NULL; ++ void *hash = NULL; ++ size_t hash_len = 0; + int result; + + result = semanage_module_key_create(sh, &modkey); + if (result != 0) { +- goto cleanup_extract; ++ goto cleanup; + } + + result = semanage_module_key_set_name(sh, modkey, module_name); + if (result != 0) { +- goto cleanup_extract; ++ goto cleanup; + } + + result = semanage_module_key_set_priority(sh, modkey, prio); + if (result != 0) { +- goto cleanup_extract; ++ goto cleanup; + } + +- result = semanage_module_extract(sh, modkey, 1, &data, &data_len, +- &extract_info); ++ result = semanage_module_compute_checksum(sh, modkey, 1, &hash_str, ++ &hash_len); + if (result != 0) { +- goto cleanup_extract; +- } +- +- Sha256Initialise(&context); +- Sha256Update(&context, data, data_len); +- +- Sha256Finalise(&context, (SHA256_HASH *)sha256_hash); +- +- sha256_buf = calloc(1, SHA256_HASH_SIZE * 2 + 1); +- +- if (sha256_buf == NULL) +- goto cleanup_extract; +- +- for (i = 0; i < SHA256_HASH_SIZE; i++) { +- sprintf((&sha256_buf[i * 2]), "%02x", sha256_hash[i]); ++ goto cleanup; + } +- sha256_buf[i * 2] = 0; + +-cleanup_extract: +- if (data_len > 0) { +- munmap(data, data_len); +- } +- semanage_module_info_destroy(sh, extract_info); +- free(extract_info); ++cleanup: ++ free(hash); + semanage_module_key_destroy(sh, modkey); + free(modkey); +- return sha256_buf; ++ 
return hash_str; + } + + int main(int argc, char *argv[]) +@@ -667,7 +643,10 @@ cleanup_extract: + /* fixed width columns */ + column[0] = sizeof("000") - 1; + column[3] = sizeof("disabled") - 1; +- column[4] = 64; /* SHA256_HASH_SIZE * 2 */ ++ ++ result = semanage_module_compute_checksum(sh, NULL, 0, NULL, ++ &column[4]); ++ if (result != 0) goto cleanup_list; + + /* variable width columns */ + const char *tmp = NULL; +diff --git a/policycoreutils/semodule/sha256.c b/policycoreutils/semodule/sha256.c +deleted file mode 100644 +index fe2aeef0..00000000 +--- a/policycoreutils/semodule/sha256.c ++++ /dev/null +@@ -1,294 +0,0 @@ +-//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +-// WjCryptLib_Sha256 +-// +-// Implementation of SHA256 hash function. +-// Original author: Tom St Denis, tomstdenis@gmail.com, http://libtom.org +-// Modified by WaterJuice retaining Public Domain license. +-// +-// This is free and unencumbered software released into the public domain - June 2013 waterjuice.org +-//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +- +-//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +-// IMPORTS +-//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +- +-#include "sha256.h" +-#include +- +-//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +-// MACROS +-//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +- +-#define ror(value, bits) (((value) >> (bits)) | ((value) << (32 - (bits)))) +- +-#define MIN(x, y) ( ((x)<(y))?(x):(y) ) +- +-#define STORE32H(x, y) \ +- { (y)[0] = (uint8_t)(((x)>>24)&255); (y)[1] = (uint8_t)(((x)>>16)&255); \ +- (y)[2] 
= (uint8_t)(((x)>>8)&255); (y)[3] = (uint8_t)((x)&255); } +- +-#define LOAD32H(x, y) \ +- { x = ((uint32_t)((y)[0] & 255)<<24) | \ +- ((uint32_t)((y)[1] & 255)<<16) | \ +- ((uint32_t)((y)[2] & 255)<<8) | \ +- ((uint32_t)((y)[3] & 255)); } +- +-#define STORE64H(x, y) \ +- { (y)[0] = (uint8_t)(((x)>>56)&255); (y)[1] = (uint8_t)(((x)>>48)&255); \ +- (y)[2] = (uint8_t)(((x)>>40)&255); (y)[3] = (uint8_t)(((x)>>32)&255); \ +- (y)[4] = (uint8_t)(((x)>>24)&255); (y)[5] = (uint8_t)(((x)>>16)&255); \ +- (y)[6] = (uint8_t)(((x)>>8)&255); (y)[7] = (uint8_t)((x)&255); } +- +-//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +-// CONSTANTS +-//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +- +-// The K array +-static const uint32_t K[64] = { +- 0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL, 0x3956c25bUL, +- 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL, 0xd807aa98UL, 0x12835b01UL, +- 0x243185beUL, 0x550c7dc3UL, 0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, +- 0xc19bf174UL, 0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL, +- 0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL, 0x983e5152UL, +- 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL, 0xc6e00bf3UL, 0xd5a79147UL, +- 0x06ca6351UL, 0x14292967UL, 0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, +- 0x53380d13UL, 0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL, +- 0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL, 0xd192e819UL, +- 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL, 0x19a4c116UL, 0x1e376c08UL, +- 0x2748774cUL, 0x34b0bcb5UL, 0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, +- 0x682e6ff3UL, 0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL, +- 0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL +-}; +- +-#define BLOCK_SIZE 64 +- +-//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +-// INTERNAL FUNCTIONS 
+-//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +- +-// Various logical functions +-#define Ch( x, y, z ) (z ^ (x & (y ^ z))) +-#define Maj( x, y, z ) (((x | y) & z) | (x & y)) +-#define S( x, n ) ror((x),(n)) +-#define R( x, n ) (((x)&0xFFFFFFFFUL)>>(n)) +-#define Sigma0( x ) (S(x, 2) ^ S(x, 13) ^ S(x, 22)) +-#define Sigma1( x ) (S(x, 6) ^ S(x, 11) ^ S(x, 25)) +-#define Gamma0( x ) (S(x, 7) ^ S(x, 18) ^ R(x, 3)) +-#define Gamma1( x ) (S(x, 17) ^ S(x, 19) ^ R(x, 10)) +- +-#define Sha256Round( a, b, c, d, e, f, g, h, i ) \ +- t0 = h + Sigma1(e) + Ch(e, f, g) + K[i] + W[i]; \ +- t1 = Sigma0(a) + Maj(a, b, c); \ +- d += t0; \ +- h = t0 + t1; +- +-//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +-// TransformFunction +-// +-// Compress 512-bits +-//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +-static +-void +- TransformFunction +- ( +- Sha256Context* Context, +- uint8_t const* Buffer +- ) +-{ +- uint32_t S[8]; +- uint32_t W[64]; +- uint32_t t0; +- uint32_t t1; +- uint32_t t; +- int i; +- +- // Copy state into S +- for( i=0; i<8; i++ ) +- { +- S[i] = Context->state[i]; +- } +- +- // Copy the state into 512-bits into W[0..15] +- for( i=0; i<16; i++ ) +- { +- LOAD32H( W[i], Buffer + (4*i) ); +- } +- +- // Fill W[16..63] +- for( i=16; i<64; i++ ) +- { +- W[i] = Gamma1( W[i-2]) + W[i-7] + Gamma0( W[i-15] ) + W[i-16]; +- } +- +- // Compress +- for( i=0; i<64; i++ ) +- { +- Sha256Round( S[0], S[1], S[2], S[3], S[4], S[5], S[6], S[7], i ); +- t = S[7]; +- S[7] = S[6]; +- S[6] = S[5]; +- S[5] = S[4]; +- S[4] = S[3]; +- S[3] = S[2]; +- S[2] = S[1]; +- S[1] = S[0]; +- S[0] = t; +- } +- +- // Feedback +- for( i=0; i<8; i++ ) +- { +- Context->state[i] = Context->state[i] + S[i]; +- } +-} +- 
+-//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +-// PUBLIC FUNCTIONS +-//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +- +-//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +-// Sha256Initialise +-// +-// Initialises a SHA256 Context. Use this to initialise/reset a context. +-//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +-void +- Sha256Initialise +- ( +- Sha256Context* Context // [out] +- ) +-{ +- Context->curlen = 0; +- Context->length = 0; +- Context->state[0] = 0x6A09E667UL; +- Context->state[1] = 0xBB67AE85UL; +- Context->state[2] = 0x3C6EF372UL; +- Context->state[3] = 0xA54FF53AUL; +- Context->state[4] = 0x510E527FUL; +- Context->state[5] = 0x9B05688CUL; +- Context->state[6] = 0x1F83D9ABUL; +- Context->state[7] = 0x5BE0CD19UL; +-} +- +-//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +-// Sha256Update +-// +-// Adds data to the SHA256 context. This will process the data and update the internal state of the context. Keep on +-// calling this function until all the data has been added. Then call Sha256Finalise to calculate the hash. 
+-//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +-void +- Sha256Update +- ( +- Sha256Context* Context, // [in out] +- void const* Buffer, // [in] +- uint32_t BufferSize // [in] +- ) +-{ +- uint32_t n; +- +- if( Context->curlen > sizeof(Context->buf) ) +- { +- return; +- } +- +- while( BufferSize > 0 ) +- { +- if( Context->curlen == 0 && BufferSize >= BLOCK_SIZE ) +- { +- TransformFunction( Context, (uint8_t*)Buffer ); +- Context->length += BLOCK_SIZE * 8; +- Buffer = (uint8_t*)Buffer + BLOCK_SIZE; +- BufferSize -= BLOCK_SIZE; +- } +- else +- { +- n = MIN( BufferSize, (BLOCK_SIZE - Context->curlen) ); +- memcpy( Context->buf + Context->curlen, Buffer, (size_t)n ); +- Context->curlen += n; +- Buffer = (uint8_t*)Buffer + n; +- BufferSize -= n; +- if( Context->curlen == BLOCK_SIZE ) +- { +- TransformFunction( Context, Context->buf ); +- Context->length += 8*BLOCK_SIZE; +- Context->curlen = 0; +- } +- } +- } +-} +- +-//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +-// Sha256Finalise +-// +-// Performs the final calculation of the hash and returns the digest (32 byte buffer containing 256bit hash). After +-// calling this, Sha256Initialised must be used to reuse the context. +-//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +-void +- Sha256Finalise +- ( +- Sha256Context* Context, // [in out] +- SHA256_HASH* Digest // [out] +- ) +-{ +- int i; +- +- if( Context->curlen >= sizeof(Context->buf) ) +- { +- return; +- } +- +- // Increase the length of the message +- Context->length += Context->curlen * 8; +- +- // Append the '1' bit +- Context->buf[Context->curlen++] = (uint8_t)0x80; +- +- // if the length is currently above 56 bytes we append zeros +- // then compress. Then we can fall back to padding zeros and length +- // encoding like normal. 
+- if( Context->curlen > 56 ) +- { +- while( Context->curlen < 64 ) +- { +- Context->buf[Context->curlen++] = (uint8_t)0; +- } +- TransformFunction(Context, Context->buf); +- Context->curlen = 0; +- } +- +- // Pad up to 56 bytes of zeroes +- while( Context->curlen < 56 ) +- { +- Context->buf[Context->curlen++] = (uint8_t)0; +- } +- +- // Store length +- STORE64H( Context->length, Context->buf+56 ); +- TransformFunction( Context, Context->buf ); +- +- // Copy output +- for( i=0; i<8; i++ ) +- { +- STORE32H( Context->state[i], Digest->bytes+(4*i) ); +- } +-} +- +-//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +-// Sha256Calculate +-// +-// Combines Sha256Initialise, Sha256Update, and Sha256Finalise into one function. Calculates the SHA256 hash of the +-// buffer. +-//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +-void +- Sha256Calculate +- ( +- void const* Buffer, // [in] +- uint32_t BufferSize, // [in] +- SHA256_HASH* Digest // [in] +- ) +-{ +- Sha256Context context; +- +- Sha256Initialise( &context ); +- Sha256Update( &context, Buffer, BufferSize ); +- Sha256Finalise( &context, Digest ); +-} +diff --git a/policycoreutils/semodule/sha256.h b/policycoreutils/semodule/sha256.h +deleted file mode 100644 +index 406ed869..00000000 +--- a/policycoreutils/semodule/sha256.h ++++ /dev/null +@@ -1,89 +0,0 @@ +-//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +-// WjCryptLib_Sha256 +-// +-// Implementation of SHA256 hash function. +-// Original author: Tom St Denis, tomstdenis@gmail.com, http://libtom.org +-// Modified by WaterJuice retaining Public Domain license. 
+-// +-// This is free and unencumbered software released into the public domain - June 2013 waterjuice.org +-//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +- +-#pragma once +- +-//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +-// IMPORTS +-//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +- +-#include +-#include +- +-typedef struct +-{ +- uint64_t length; +- uint32_t state[8]; +- uint32_t curlen; +- uint8_t buf[64]; +-} Sha256Context; +- +-#define SHA256_HASH_SIZE ( 256 / 8 ) +- +-typedef struct +-{ +- uint8_t bytes [SHA256_HASH_SIZE]; +-} SHA256_HASH; +- +-//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +-// PUBLIC FUNCTIONS +-//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +- +-//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +-// Sha256Initialise +-// +-// Initialises a SHA256 Context. Use this to initialise/reset a context. +-//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +-void +- Sha256Initialise +- ( +- Sha256Context* Context // [out] +- ); +- +-//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +-// Sha256Update +-// +-// Adds data to the SHA256 context. This will process the data and update the internal state of the context. Keep on +-// calling this function until all the data has been added. Then call Sha256Finalise to calculate the hash. 
+-//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +-void +- Sha256Update +- ( +- Sha256Context* Context, // [in out] +- void const* Buffer, // [in] +- uint32_t BufferSize // [in] +- ); +- +-//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +-// Sha256Finalise +-// +-// Performs the final calculation of the hash and returns the digest (32 byte buffer containing 256bit hash). After +-// calling this, Sha256Initialised must be used to reuse the context. +-//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +-void +- Sha256Finalise +- ( +- Sha256Context* Context, // [in out] +- SHA256_HASH* Digest // [out] +- ); +- +-//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +-// Sha256Calculate +-// +-// Combines Sha256Initialise, Sha256Update, and Sha256Finalise into one function. Calculates the SHA256 hash of the +-// buffer. +-//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +-void +- Sha256Calculate +- ( +- void const* Buffer, // [in] +- uint32_t BufferSize, // [in] +- SHA256_HASH* Digest // [in] +- ); +-- +2.30.2 + diff --git a/SOURCES/0046-semodule-add-command-line-option-to-detect-module-ch.patch b/SOURCES/0046-semodule-add-command-line-option-to-detect-module-ch.patch new file mode 100644 index 0000000..f280b9f --- /dev/null +++ b/SOURCES/0046-semodule-add-command-line-option-to-detect-module-ch.patch 
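Review bot: In the rewritten `hash_module_data()` of patch 0045 the local `void *hash = NULL;` is never assigned, so `free(hash);` under `cleanup:` always frees NULL, and `hash_len` is written by `semanage_module_compute_checksum()` but never read. I would drop `hash` and its `free()`, and add a comment above `return hash_str;` such as `/* hash_str comes from libsemanage (presumably heap-allocated); the caller frees it */`, since the list code does call `free(module_checksum)`. In the listing hunk, `semanage_module_compute_checksum(sh, NULL, 0, NULL, &column[4])` replaces the constant width and jumps to `cleanup_list` on failure. If that code also runs when the checksum option is not set (not visible in the hunk), a checksum failure would now break a plain module listing. Both functions extend beyond the hunks shown.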
@@ -0,0 +1,144 @@ +From e3fc737e43561ecadcb977ce4c9a1db44be636ae Mon Sep 17 00:00:00 2001 +From: Ondrej Mosnacek +Date: Thu, 3 Feb 2022 17:53:27 +0100 +Subject: [PATCH] semodule: add command-line option to detect module changes + +Add a new command-line option "--rebuild-if-modules-changed" to control +the newly introduced check_ext_changes libsemanage flag. + +For example, running `semodule --rebuild-if-modules-changed` will ensure +that any externally added/removed modules (e.g. by an RPM transaction) +are reflected in the compiled policy, while skipping the most expensive +part of the rebuild if no module change was deteceted since the last +libsemanage transaction. + +Signed-off-by: Ondrej Mosnacek +--- + policycoreutils/semodule/semodule.8 | 7 +++++++ + policycoreutils/semodule/semodule.c | 32 ++++++++++++++++++++++------- + 2 files changed, 32 insertions(+), 7 deletions(-) + +diff --git a/policycoreutils/semodule/semodule.8 b/policycoreutils/semodule/semodule.8 +index 3a2fb21c..d1735d21 100644 +--- a/policycoreutils/semodule/semodule.8 ++++ b/policycoreutils/semodule/semodule.8 +@@ -23,6 +23,13 @@ force a reload of policy + .B \-B, \-\-build + force a rebuild of policy (also reloads unless \-n is used) + .TP ++.B \-\-rebuild-if-modules-changed ++Force a rebuild of the policy if any changes to module content are detected ++(by comparing with checksum from the last transaction). One can use this ++instead of \-B to ensure that any changes to the module store done by an ++external tool (e.g. a package manager) are applied, while automatically ++skipping the rebuild if there are no new changes. ++.TP + .B \-D, \-\-disable_dontaudit + Temporarily remove dontaudits from policy. 
Reverts whenever policy is rebuilt + .TP +diff --git a/policycoreutils/semodule/semodule.c b/policycoreutils/semodule/semodule.c +index 243b1add..22a42a75 100644 +--- a/policycoreutils/semodule/semodule.c ++++ b/policycoreutils/semodule/semodule.c +@@ -46,6 +46,7 @@ static int verbose; + static int reload; + static int no_reload; + static int build; ++static int check_ext_changes; + static int disable_dontaudit; + static int preserve_tunables; + static int ignore_module_cache; +@@ -148,6 +149,9 @@ static void usage(char *progname) + printf(" -c, --cil extract module as cil. This only affects module extraction.\n"); + printf(" -H, --hll extract module as hll. This only affects module extraction.\n"); + printf(" -m, --checksum print module checksum (SHA256).\n"); ++ printf(" --rebuild-if-modules-changed\n" ++ " force policy rebuild if module content changed since\n" ++ " last rebuild (based on checksum)\n"); + } + + /* Sets the global mode variable to new_mode, but only if no other +@@ -179,6 +183,7 @@ static void set_mode(enum client_modes new_mode, char *arg) + static void parse_command_line(int argc, char **argv) + { + static struct option opts[] = { ++ {"rebuild-if-modules-changed", 0, NULL, '\0'}, + {"store", required_argument, NULL, 's'}, + {"base", required_argument, NULL, 'b'}, + {"help", 0, NULL, 'h'}, +@@ -206,15 +211,26 @@ static void parse_command_line(int argc, char **argv) + }; + int extract_selected = 0; + int cil_hll_set = 0; +- int i; ++ int i, longind; + verbose = 0; + reload = 0; + no_reload = 0; ++ check_ext_changes = 0; + priority = 400; + while ((i = +- getopt_long(argc, argv, "s:b:hi:l::vr:u:RnNBDCPX:e:d:p:S:E:cHm", opts, +- NULL)) != -1) { ++ getopt_long(argc, argv, "s:b:hi:l::vr:u:RnNBDCPX:e:d:p:S:E:cHm", ++ opts, &longind)) != -1) { + switch (i) { ++ case '\0': ++ switch(longind) { ++ case 0: /* --rebuild-if-modules-changed */ ++ check_ext_changes = 1; ++ break; ++ default: ++ usage(argv[0]); ++ exit(1); ++ } ++ break; + case 'b': + 
fprintf(stderr, "The --base option is deprecated. Use --install instead.\n"); + set_mode(INSTALL_M, optarg); +@@ -299,13 +315,13 @@ static void parse_command_line(int argc, char **argv) + } + } + } +- if ((build || reload) && num_commands) { ++ if ((build || reload || check_ext_changes) && num_commands) { + fprintf(stderr, + "build or reload should not be used with other commands\n"); + usage(argv[0]); + exit(1); + } +- if (num_commands == 0 && reload == 0 && build == 0) { ++ if (num_commands == 0 && reload == 0 && build == 0 && check_ext_changes == 0) { + fprintf(stderr, "At least one mode must be specified.\n"); + usage(argv[0]); + exit(1); +@@ -392,7 +408,7 @@ int main(int argc, char *argv[]) + } + parse_command_line(argc, argv); + +- if (build) ++ if (build || check_ext_changes) + commit = 1; + + sh = semanage_handle_create(); +@@ -431,7 +447,7 @@ int main(int argc, char *argv[]) + } + } + +- if (build) { ++ if (build || check_ext_changes) { + if ((result = semanage_begin_transaction(sh)) < 0) { + fprintf(stderr, "%s: Could not begin transaction: %s\n", + argv[0], errno ? strerror(errno) : ""); +@@ -805,6 +821,8 @@ cleanup_disable: + semanage_set_reload(sh, 0); + if (build) + semanage_set_rebuild(sh, 1); ++ if (check_ext_changes) ++ semanage_set_check_ext_changes(sh, 1); + if (disable_dontaudit) + semanage_set_disable_dontaudit(sh, 1); + else if (build) +-- +2.30.2 + diff --git a/SOURCES/0047-python-Split-semanage-import-into-two-transactions.patch b/SOURCES/0047-python-Split-semanage-import-into-two-transactions.patch new file mode 100644 index 0000000..8a915b6 --- /dev/null +++ b/SOURCES/0047-python-Split-semanage-import-into-two-transactions.patch 
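Review bot: The new long option is dispatched by its position in `opts[]` (`case 0:` under `switch(longind)` in parse_command_line), so inserting or reordering an entry ahead of it silently rebinds that case to a different option. The later --refresh patch in this import extends the same switch with `case 1:` and inherits the dependency. Giving the option its own value above the character range, e.g. `{"rebuild-if-modules-changed", 0, NULL, 256},` with a matching `case 256:` in the outer switch, removes the reliance on array order. The unchanged message `"build or reload should not be used with other commands\n"` is now also printed for this option and could name it. parse_command_line starts and ends outside the hunks.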
@@ -0,0 +1,64 @@
+From 09c944561c76146b1fc11e99e95b6a674366cddf Mon Sep 17 00:00:00 2001
+From: Vit Mojzis
+Date: Mon, 30 May 2022 14:20:21 +0200
+Subject: [PATCH] python: Split "semanage import" into two transactions
+
+First transaction applies all deletion operations, so that there are no
+collisions when applying the rest of the changes.
+
+Fixes:
+ # semanage port -a -t http_cache_port_t -r s0 -p tcp 3024
+ # semanage export | semanage import
+ ValueError: Port tcp/3024 already defined
+
+Signed-off-by: Vit Mojzis
+---
+ python/semanage/semanage | 21 +++++++++++++++++++--
+ 1 file changed, 19 insertions(+), 2 deletions(-)
+
+diff --git a/python/semanage/semanage b/python/semanage/semanage
+index ebb93ea5..b8842d28 100644
+--- a/python/semanage/semanage
++++ b/python/semanage/semanage
+@@ -841,10 +841,29 @@ def handleImport(args):
+ trans = seobject.semanageRecords(args)
+ trans.start()
+
++ deleteCommands = []
++ commands = []
++ # separate commands for deletion from the rest so they can be
++ # applied in a separate transaction
+ for l in sys.stdin.readlines():
+ if len(l.strip()) == 0:
+ continue
++ if "-d" in l or "-D" in l:
++ deleteCommands.append(l)
++ else:
++ commands.append(l)
++
++ if deleteCommands:
++ importHelper(deleteCommands)
++ trans.finish()
++ trans.start()
++
++ importHelper(commands)
++ trans.finish()
+
++
++def importHelper(commands):
++ for l in commands:
+ try:
+ commandParser = createCommandParser()
+ args = commandParser.parse_args(mkargv(l))
+@@ -858,8 +877,6 @@ def handleImport(args):
+ except KeyboardInterrupt:
+ sys.exit(0)
+
+- trans.finish()
+-
+
+ def setupImportParser(subparsers):
+ importParser = subparsers.add_parser('import', help=_('Import local customizations'))
+--
+2.35.3
+
diff --git a/SOURCES/0048-semodule-rename-rebuild-if-modules-changed-to-refres.patch b/SOURCES/0048-semodule-rename-rebuild-if-modules-changed-to-refres.patch
new file mode 100644
index 0000000..5aeb379
--- /dev/null
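Review bot: The delete/non-delete split in handleImport tests `"-d" in l or "-D" in l` against the raw input line, which is a substring match rather than an option match. Any record whose arguments merely contain those characters, such as a file-context path or a name with `-d` in it, is moved into the first transaction, so commands can be applied in a different order than the input gave. Tokenising first keeps the intent: `argv = mkargv(l)` followed by `if any(a in ("-d", "-D", "--delete", "--deleteall") for a in argv):`. Clustered short options would still need the real parser to classify, and handleImport starts above the hunk, so its earlier use of `args` is not visible here.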
+++ b/SOURCES/0048-semodule-rename-rebuild-if-modules-changed-to-refres.patch 
@@ -0,0 +1,81 @@ +From c0ca652dce6b1d5d11e697cc3a4695d87944f9ad Mon Sep 17 00:00:00 2001 +From: Ondrej Mosnacek +Date: Wed, 8 Jun 2022 19:09:54 +0200 +Subject: [PATCH] semodule: rename --rebuild-if-modules-changed to --refresh + +After the last commit this option's name and description no longer +matches the semantic, so give it a new one and update the descriptions. +The old name is still recognized and aliased to the new one for +backwards compatibility. + +Signed-off-by: Ondrej Mosnacek +Acked-by: Nicolas Iooss +--- + policycoreutils/semodule/semodule.8 | 12 ++++++------ + policycoreutils/semodule/semodule.c | 13 ++++++++++--- + 2 files changed, 16 insertions(+), 9 deletions(-) + +diff --git a/policycoreutils/semodule/semodule.8 b/policycoreutils/semodule/semodule.8 +index d1735d21..c56e580f 100644 +--- a/policycoreutils/semodule/semodule.8 ++++ b/policycoreutils/semodule/semodule.8 +@@ -23,12 +23,12 @@ force a reload of policy + .B \-B, \-\-build + force a rebuild of policy (also reloads unless \-n is used) + .TP +-.B \-\-rebuild-if-modules-changed +-Force a rebuild of the policy if any changes to module content are detected +-(by comparing with checksum from the last transaction). One can use this +-instead of \-B to ensure that any changes to the module store done by an +-external tool (e.g. a package manager) are applied, while automatically +-skipping the rebuild if there are no new changes. ++.B \-\-refresh ++Like \-\-build, but reuses existing linked policy if no changes to module ++files are detected (by comparing with checksum from the last transaction). ++One can use this instead of \-B to ensure that any changes to the module ++store done by an external tool (e.g. a package manager) are applied, while ++automatically skipping the module re-linking if there are no module changes. + .TP + .B \-D, \-\-disable_dontaudit + Temporarily remove dontaudits from policy. 
Reverts whenever policy is rebuilt +diff --git a/policycoreutils/semodule/semodule.c b/policycoreutils/semodule/semodule.c +index 22a42a75..324ec9fb 100644 +--- a/policycoreutils/semodule/semodule.c ++++ b/policycoreutils/semodule/semodule.c +@@ -149,9 +149,12 @@ static void usage(char *progname) + printf(" -c, --cil extract module as cil. This only affects module extraction.\n"); + printf(" -H, --hll extract module as hll. This only affects module extraction.\n"); + printf(" -m, --checksum print module checksum (SHA256).\n"); +- printf(" --rebuild-if-modules-changed\n" +- " force policy rebuild if module content changed since\n" +- " last rebuild (based on checksum)\n"); ++ printf(" --refresh like --build, but reuses existing linked policy if no\n" ++ " changes to module files are detected (via checksum)\n"); ++ printf("Deprecated options:\n"); ++ printf(" -b,--base same as --install\n"); ++ printf(" --rebuild-if-modules-changed\n" ++ " same as --refresh\n"); + } + + /* Sets the global mode variable to new_mode, but only if no other +@@ -184,6 +187,7 @@ static void parse_command_line(int argc, char **argv) + { + static struct option opts[] = { + {"rebuild-if-modules-changed", 0, NULL, '\0'}, ++ {"refresh", 0, NULL, '\0'}, + {"store", required_argument, NULL, 's'}, + {"base", required_argument, NULL, 'b'}, + {"help", 0, NULL, 'h'}, +@@ -224,6 +228,9 @@ static void parse_command_line(int argc, char **argv) + case '\0': + switch(longind) { + case 0: /* --rebuild-if-modules-changed */ ++ fprintf(stderr, "The --rebuild-if-modules-changed option is deprecated. Use --refresh instead.\n"); ++ /* fallthrough */ ++ case 1: /* --refresh */ + check_ext_changes = 1; + break; + default: +-- +2.35.3 + diff --git a/SOURCES/0049-python-Harden-tools-against-rogue-modules.patch b/SOURCES/0049-python-Harden-tools-against-rogue-modules.patch new file mode 100644 index 0000000..8796c90 --- /dev/null +++ b/SOURCES/0049-python-Harden-tools-against-rogue-modules.patch 
@@ -0,0 +1,79 @@ +From 72c7e9123980b003a21d51e2805529a3e90b2460 Mon Sep 17 00:00:00 2001 +From: Vit Mojzis +Date: Thu, 13 Oct 2022 17:33:18 +0200 +Subject: [PATCH] python: Harden tools against "rogue" modules + +Python scripts present in "/usr/sbin" override regular modules. +Make sure /usr/sbin is not present in PYTHONPATH. + +Fixes: + #cat > /usr/sbin/audit.py < +--- + python/audit2allow/audit2allow | 2 +- + python/audit2allow/sepolgen-ifgen | 2 +- + python/chcat/chcat | 2 +- + python/semanage/semanage | 2 +- + python/sepolicy/sepolicy.py | 2 +- + 5 files changed, 5 insertions(+), 5 deletions(-) + +diff --git a/python/audit2allow/audit2allow b/python/audit2allow/audit2allow +index 09b06f66..eafeea88 100644 +--- a/python/audit2allow/audit2allow ++++ b/python/audit2allow/audit2allow +@@ -1,4 +1,4 @@ +-#!/usr/bin/python3 -Es ++#!/usr/bin/python3 -EsI + # Authors: Karl MacMillan + # Authors: Dan Walsh + # +diff --git a/python/audit2allow/sepolgen-ifgen b/python/audit2allow/sepolgen-ifgen +index be2d093b..f25f8af1 100644 +--- a/python/audit2allow/sepolgen-ifgen ++++ b/python/audit2allow/sepolgen-ifgen +@@ -1,4 +1,4 @@ +-#!/usr/bin/python3 -Es ++#!/usr/bin/python3 -EsI + # + # Authors: Karl MacMillan + # +diff --git a/python/chcat/chcat b/python/chcat/chcat +index df2509f2..5671cec6 100755 +--- a/python/chcat/chcat ++++ b/python/chcat/chcat +@@ -1,4 +1,4 @@ +-#!/usr/bin/python3 -Es ++#!/usr/bin/python3 -EsI + # Copyright (C) 2005 Red Hat + # see file 'COPYING' for use and warranty information + # +diff --git a/python/semanage/semanage b/python/semanage/semanage +index b8842d28..1f170f60 100644 +--- a/python/semanage/semanage ++++ b/python/semanage/semanage +@@ -1,4 +1,4 @@ +-#!/usr/bin/python3 -Es ++#!/usr/bin/python3 -EsI + # Copyright (C) 2012-2013 Red Hat + # AUTHOR: Miroslav Grepl + # AUTHOR: David Quigley +diff --git a/python/sepolicy/sepolicy.py b/python/sepolicy/sepolicy.py +index 8bd6a579..0c1d9641 100755 +--- a/python/sepolicy/sepolicy.py ++++ 
b/python/sepolicy/sepolicy.py +@@ -1,4 +1,4 @@ +-#!/usr/bin/python3 -Es ++#!/usr/bin/python3 -EsI + # Copyright (C) 2012 Red Hat + # AUTHOR: Dan Walsh + # see file 'COPYING' for use and warranty information +-- +2.37.3 + diff --git a/SOURCES/0050-python-Do-not-query-the-local-database-if-the-fconte.patch b/SOURCES/0050-python-Do-not-query-the-local-database-if-the-fconte.patch new file mode 100644 index 0000000..eb08953 --- /dev/null +++ b/SOURCES/0050-python-Do-not-query-the-local-database-if-the-fconte.patch 
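Review bot: The five shebang changes to `-EsI` are the only thing keeping the script directory off `sys.path`, and nothing in the files records why the flag is there. Since `-I` already implies `-E` and `-s`, the extra letters are harmless but the flag that matters is easy to drop in a later cleanup or by a build step that rewrites interpreter lines. A comment directly under each shebang would protect it, e.g. `# -I (isolated mode): keep the script's directory and the user site directory out of sys.path`. The protection applies only when the tool is started through its shebang, and a caller that runs the file with an explicit interpreter command does not get it.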
@@ -0,0 +1,65 @@ +From f33e40265d192e5d725e7b82e5f14f603e1fba48 Mon Sep 17 00:00:00 2001 +From: James Carter +Date: Wed, 19 Oct 2022 14:20:11 -0400 +Subject: [PATCH] python: Do not query the local database if the fcontext is + non-local + +Vit Mojzis reports that an error message is produced when modifying +a non-local fcontext. + +He gives the following example: + # semanage fcontext -f f -m -t passwd_file_t /etc/security/opasswd + libsemanage.dbase_llist_query: could not query record value (No such file or directory). + +When modifying an fcontext, the non-local database is checked for the +key and then, if it is not found there, the local database is checked. +If the key doesn't exist, then an error is raised. If the key exists +then the local database is queried first and, if that fails, the non- +local database is queried. + +The error is from querying the local database when the fcontext is in +the non-local database. + +Instead, if the fcontext is in the non-local database, just query +the non-local database. Only query the local database if the +fcontext was found in it. 
+ +Reported-by: Vit Mojzis +Signed-off-by: James Carter +--- + python/semanage/seobject.py | 15 +++++++++------ + 1 file changed, 9 insertions(+), 6 deletions(-) + +diff --git a/python/semanage/seobject.py b/python/semanage/seobject.py +index 70ebfd08..0e923a0d 100644 +--- a/python/semanage/seobject.py ++++ b/python/semanage/seobject.py +@@ -2490,16 +2490,19 @@ class fcontextRecords(semanageRecords): + (rc, exists) = semanage_fcontext_exists(self.sh, k) + if rc < 0: + raise ValueError(_("Could not check if file context for %s is defined") % target) +- if not exists: ++ if exists: ++ try: ++ (rc, fcontext) = semanage_fcontext_query(self.sh, k) ++ except OSError: ++ raise ValueError(_("Could not query file context for %s") % target) ++ else: + (rc, exists) = semanage_fcontext_exists_local(self.sh, k) ++ if rc < 0: ++ raise ValueError(_("Could not check if file context for %s is defined") % target) + if not exists: + raise ValueError(_("File context for %s is not defined") % target) +- +- try: +- (rc, fcontext) = semanage_fcontext_query_local(self.sh, k) +- except OSError: + try: +- (rc, fcontext) = semanage_fcontext_query(self.sh, k) ++ (rc, fcontext) = semanage_fcontext_query_local(self.sh, k) + except OSError: + raise ValueError(_("Could not query file context for %s") % target) + +-- +2.37.3 + diff --git a/SOURCES/0051-python-sepolicy-add-missing-booleans-to-man-pages.patch b/SOURCES/0051-python-sepolicy-add-missing-booleans-to-man-pages.patch new file mode 100644 index 0000000..ccfe7da --- /dev/null +++ b/SOURCES/0051-python-sepolicy-add-missing-booleans-to-man-pages.patch 
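Review bot: Both query calls in the rewritten block assign `rc` (`(rc, fcontext) = semanage_fcontext_query(self.sh, k)` and the `_local` variant) but never test it, while the two `semanage_fcontext_exists*` calls beside them check `rc < 0`. Failure is handled only through `except OSError`; if the binding can report an error by return value instead of raising, which this hunk does not show, `fcontext` would be used without having been filled in. Adding `if rc < 0: raise ValueError(_("Could not query file context for %s") % target)` after each query makes the two call styles consistent. The enclosing method starts and ends outside the hunk.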
@@ -0,0 +1,112 @@ +From f3ddbd8220d9646072c9a4c9ed37f2dff998a53c Mon Sep 17 00:00:00 2001 +From: Vit Mojzis +Date: Tue, 10 Jan 2023 11:37:26 +0100 +Subject: [PATCH] python/sepolicy: add missing booleans to man pages + +get_bools should return a list of booleans that can affect given type, +but it did not handle non trivial conditional statements properly +(returning the whole conditional statement instead of a list of booleans +in the statement). + +e.g. for +allow httpd_t spamc_t:process transition; [ httpd_can_check_spam && httpd_can_sendmail ]:True +get_bools used to return [("httpd_can_check_spam && httpd_can_sendmail", False)] instead of +[("httpd_can_check_spam", False), ("httpd_can_sendmail", False)] + +- rename "boolean" in sepolicy rule dictionary to "booleans" to suggest + it can contain multiple values and make sure it is populated correctly +- add "conditional" key to the rule dictionary to accommodate + get_conditionals, which requires the whole conditional statement +- extend get_bools search to dontaudit rules so that it covers booleans + like httpd_dontaudit_search_dirs + +Note: get_bools uses security_get_boolean_active to get the boolean + value, but the value is later used to represent the default. + Not ideal, but I'm not aware of a way to get the actual defaults. + +Fixes: + "sepolicy manpage" generates man pages that are missing booleans + which are included in non trivial conditional expressions + e.g. httpd_selinux(8) does not include httpd_can_check_spam, + httpd_tmp_exec, httpd_unified, or httpd_use_gpg + + This fix, however, also adds some not strictly related booleans + to some man pages. e.g. 
use_nfs_home_dirs and + use_samba_home_dirs are added to httpd_selinux(8) + +Signed-off-by: Vit Mojzis +Acked-by: Jason Zaman +--- + python/sepolicy/sepolicy/__init__.py | 21 +++++++++++++-------- + 1 file changed, 13 insertions(+), 8 deletions(-) + +diff --git a/python/sepolicy/sepolicy/__init__.py b/python/sepolicy/sepolicy/__init__.py +index b6ca57c3..0f51174d 100644 +--- a/python/sepolicy/sepolicy/__init__.py ++++ b/python/sepolicy/sepolicy/__init__.py +@@ -324,7 +324,12 @@ def _setools_rule_to_dict(rule): + pass + + try: +- d['boolean'] = [(str(rule.conditional), enabled)] ++ d['booleans'] = [(str(b), b.state) for b in rule.conditional.booleans] ++ except AttributeError: ++ pass ++ ++ try: ++ d['conditional'] = str(rule.conditional) + except AttributeError: + pass + +@@ -426,12 +431,12 @@ def get_conditionals(src, dest, tclass, perm): + x['source'] in src_list and + x['target'] in dest_list and + set(perm).issubset(x[PERMS]) and +- 'boolean' in x, ++ 'conditional' in x, + get_all_allow_rules())) + + try: + for i in allows: +- tdict.update({'source': i['source'], 'boolean': i['boolean']}) ++ tdict.update({'source': i['source'], 'conditional': (i['conditional'], i['enabled'])}) + if tdict not in tlist: + tlist.append(tdict) + tdict = {} +@@ -445,10 +450,10 @@ def get_conditionals_format_text(cond): + + enabled = False + for x in cond: +- if x['boolean'][0][1]: ++ if x['conditional'][1]: + enabled = True + break +- return _("-- Allowed %s [ %s ]") % (enabled, " || ".join(set(map(lambda x: "%s=%d" % (x['boolean'][0][0], x['boolean'][0][1]), cond)))) ++ return _("-- Allowed %s [ %s ]") % (enabled, " || ".join(set(map(lambda x: "%s=%d" % (x['conditional'][0], x['conditional'][1]), cond)))) + + + def get_types_from_attribute(attribute): +@@ -703,9 +708,9 @@ def get_boolean_rules(setype, boolean): + boollist = [] + permlist = search([ALLOW], {'source': setype}) + for p in permlist: +- if "boolean" in p: ++ if "booleans" in p: + try: +- for b in p["boolean"]: ++ for b 
in p["booleans"]: + if boolean in b: + boollist.append(p) + except: +@@ -1124,7 +1129,7 @@ def get_bools(setype): + bools = [] + domainbools = [] + domainname, short_name = gen_short_name(setype) +- for i in map(lambda x: x['boolean'], filter(lambda x: 'boolean' in x and x['source'] == setype, get_all_allow_rules())): ++ for i in map(lambda x: x['booleans'], filter(lambda x: 'booleans' in x and x['source'] == setype, search([ALLOW, DONTAUDIT]))): + for b in i: + if not isinstance(b, tuple): + continue +-- +2.37.3 + diff --git a/SOURCES/0052-python-sepolicy-Cache-conditional-rule-queries.patch b/SOURCES/0052-python-sepolicy-Cache-conditional-rule-queries.patch new file mode 100644 index 0000000..0dac123 --- /dev/null +++ b/SOURCES/0052-python-sepolicy-Cache-conditional-rule-queries.patch 
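Review bot: Renaming the rule-dictionary key from `'boolean'` to `'booleans'` in _setools_rule_to_dict changes what every consumer of these dictionaries sees, and a consumer still testing `'boolean' in x` will not fail, it will silently treat every rule as unconditional. The hunks update get_conditionals, get_conditionals_format_text, get_boolean_rules and get_bools; any other reader of the old key elsewhere in the package is not visible here and is worth a search. The two new keys also differ in shape, which a comment above the two `try` blocks should state, e.g. `# 'booleans': [(name, state), ...] for each boolean in the expression; 'conditional': the expression as text`. get_conditionals now reads `i['enabled']`, which these hunks do not show being set.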
@@ -0,0 +1,73 @@ +From 25373db5cac520b85350db91b8a7ed0737d3316c Mon Sep 17 00:00:00 2001 +From: Vit Mojzis +Date: Tue, 24 Jan 2023 21:05:05 +0100 +Subject: [PATCH] python/sepolicy: Cache conditional rule queries + +Commit 7506771e4b630fe0ab853f96574e039055cb72eb +"add missing booleans to man pages" dramatically slowed down +"sepolicy manpage -a" by removing caching of setools rule query. +Re-add said caching and update the query to only return conditional +rules. + +Before commit 7506771e: + #time sepolicy manpage -a + real 1m43.153s + # time sepolicy manpage -d httpd_t + real 0m4.493s + +After commit 7506771e: + #time sepolicy manpage -a + real 1h56m43.153s + # time sepolicy manpage -d httpd_t + real 0m8.352s + +After this commit: + #time sepolicy manpage -a + real 1m41.074s + # time sepolicy manpage -d httpd_t + real 0m7.358s + +Signed-off-by: Vit Mojzis +--- + python/sepolicy/sepolicy/__init__.py | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +diff --git a/python/sepolicy/sepolicy/__init__.py b/python/sepolicy/sepolicy/__init__.py +index 0f51174d..f48231e9 100644 +--- a/python/sepolicy/sepolicy/__init__.py ++++ b/python/sepolicy/sepolicy/__init__.py +@@ -114,6 +114,7 @@ all_attributes = None + booleans = None + booleans_dict = None + all_allow_rules = None ++all_bool_rules = None + all_transitions = None + + +@@ -1119,6 +1120,14 @@ def get_all_allow_rules(): + all_allow_rules = search([ALLOW]) + return all_allow_rules + ++def get_all_bool_rules(): ++ global all_bool_rules ++ if not all_bool_rules: ++ q = setools.TERuleQuery(_pol, boolean=".*", boolean_regex=True, ++ ruletype=[ALLOW, DONTAUDIT]) ++ all_bool_rules = [_setools_rule_to_dict(x) for x in q.results()] ++ return all_bool_rules ++ + def get_all_transitions(): + global all_transitions + if not all_transitions: +@@ -1129,7 +1138,7 @@ def get_bools(setype): + bools = [] + domainbools = [] + domainname, short_name = gen_short_name(setype) +- for i in map(lambda x: x['booleans'], 
filter(lambda x: 'booleans' in x and x['source'] == setype, search([ALLOW, DONTAUDIT]))): ++ for i in map(lambda x: x['booleans'], filter(lambda x: 'booleans' in x and x['source'] == setype, get_all_bool_rules())): + for b in i: + if not isinstance(b, tuple): + continue +-- +2.37.3 + diff --git a/SOURCES/0053-python-Harden-more-tools-against-rogue-modules.patch b/SOURCES/0053-python-Harden-more-tools-against-rogue-modules.patch new file mode 100644 index 0000000..06db59d --- /dev/null +++ b/SOURCES/0053-python-Harden-more-tools-against-rogue-modules.patch 
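Review bot: get_all_bool_rules caches its result in the module global `all_bool_rules`, but the patch adds nothing that clears it when a different policy is loaded. If the module's policy-loading code resets the sibling caches (`all_allow_rules`, `all_transitions`), which is not visible here, this one needs the same reset or it will keep returning rules from the previous policy. The guard `if not all_bool_rules:` also treats an empty result as not cached and repeats the query on every call for a policy without conditional rules; `if all_bool_rules is None:` avoids that. The function has no docstring, and one line saying that it returns the cached dictionaries for all conditional allow and dontaudit rules would explain the regex query.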
@@ -0,0 +1,98 @@ +From 7aef364bc6607953a34cb9e8fe9ea51c88379a5c Mon Sep 17 00:00:00 2001 +From: Vit Mojzis +Date: Wed, 6 Dec 2023 15:31:51 +0100 +Subject: [PATCH] python: Harden more tools against "rogue" modules + +Python scripts present in the same directory as the tool +override regular modules. + +Fixes: + #cat > /usr/bin/signal.py < +Acked-by: James Carter +--- + dbus/selinux_server.py | 2 +- + gui/polgengui.py | 2 +- + gui/system-config-selinux.py | 6 +++--- + sandbox/sandbox | 2 +- + sandbox/start | 2 +- + 5 files changed, 7 insertions(+), 7 deletions(-) + +diff --git a/dbus/selinux_server.py b/dbus/selinux_server.py +index 97bf91ba..eae38de5 100644 +--- a/dbus/selinux_server.py ++++ b/dbus/selinux_server.py +@@ -1,4 +1,4 @@ +-#!/usr/bin/python3 ++#!/usr/bin/python3 -EsI + + import dbus + import dbus.service +diff --git a/gui/polgengui.py b/gui/polgengui.py +index 46a1bd2c..0402e82c 100644 +--- a/gui/polgengui.py ++++ b/gui/polgengui.py +@@ -1,4 +1,4 @@ +-#!/usr/bin/python3 -Es ++#!/usr/bin/python3 -EsI + # + # polgengui.py - GUI for SELinux Config tool in system-config-selinux + # +diff --git a/gui/system-config-selinux.py b/gui/system-config-selinux.py +index 1e0d5eb1..c344c076 100644 +--- a/gui/system-config-selinux.py ++++ b/gui/system-config-selinux.py +@@ -1,4 +1,4 @@ +-#!/usr/bin/python3 -Es ++#!/usr/bin/python3 -EsI + # + # system-config-selinux.py - GUI for SELinux Config tool in system-config-selinux + # +@@ -32,6 +32,8 @@ except RuntimeError as e: + print("This is a graphical application and requires DISPLAY to be set.") + sys.exit(1) + ++sys.path.append('/usr/share/system-config-selinux') ++ + from gi.repository import GObject + import statusPage + import booleansPage +@@ -65,8 +67,6 @@ except: + + version = "1.0" + +-sys.path.append('/usr/share/system-config-selinux') +- + + ## + ## Pull in the Glade file +diff --git a/sandbox/sandbox b/sandbox/sandbox +index 707959a6..e276e594 100644 +--- a/sandbox/sandbox ++++ b/sandbox/sandbox +@@ -1,4 +1,4 
@@ +-#!/usr/bin/python3 -Es ++#!/usr/bin/python3 -EsI + # Authors: Dan Walsh + # Authors: Thomas Liu + # Authors: Josh Cogliati +diff --git a/sandbox/start b/sandbox/start +index 4ed3cb5c..3c1a1783 100644 +--- a/sandbox/start ++++ b/sandbox/start +@@ -1,4 +1,4 @@ +-#!/usr/bin/python3 -Es ++#!/usr/bin/python3 -EsI + try: + from subprocess import getstatusoutput + except ImportError: +-- +2.43.0 + diff --git a/SOURCES/0054-sepolicy-port-to-dnf4-python-API.patch b/SOURCES/0054-sepolicy-port-to-dnf4-python-API.patch new file mode 100644 index 0000000..587caea --- /dev/null +++ b/SOURCES/0054-sepolicy-port-to-dnf4-python-API.patch 
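Review bot: In gui/system-config-selinux.py the line `sys.path.append('/usr/share/system-config-selinux')` is moved above the page-module imports with no comment saying that `-I` makes the move necessary. In isolated mode the script's own directory is no longer searched, so `statusPage`, `booleansPage` and the other sibling modules resolve only through this entry. A comment such as `# -I removes the script directory from sys.path; append (not insert) so stdlib and site-packages stay ahead of this directory` records both the reason and why it must remain an append. gui/polgengui.py receives the same shebang with no path change in this patch, so it is worth confirming that it does not rely on importing modules from its own directory.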
@@ -0,0 +1,95 @@ +From ea93da38a16eb44307b522f8a26f2d8f967fcc01 Mon Sep 17 00:00:00 2001 +From: Petr Lautrbach +Date: Wed, 22 Nov 2023 12:29:43 +0100 +Subject: [PATCH] sepolicy: port to dnf4 python API + +yum module is not available since RHEL 7. + +Drop -systemd related code as it's obsoleted these days - only 2 +packages ship their .service in -systemd subpackage + +Signed-off-by: Petr Lautrbach +Acked-by: James Carter +Acked-by: Ondrej Mosnacek +--- + python/sepolicy/sepolicy/generate.py | 56 +++++++++++++--------------- + 1 file changed, 25 insertions(+), 31 deletions(-) + +diff --git a/python/sepolicy/sepolicy/generate.py b/python/sepolicy/sepolicy/generate.py +index 93caedee..c841a499 100644 +--- a/python/sepolicy/sepolicy/generate.py ++++ b/python/sepolicy/sepolicy/generate.py +@@ -1265,24 +1265,20 @@ allow %s_t %s_t:%s_socket name_%s; + return fcfile + + def __extract_rpms(self): +- import yum +- yb = yum.YumBase() +- yb.setCacheDir() +- +- for pkg in yb.rpmdb.searchProvides(self.program): +- self.rpms.append(pkg.name) +- for fname in pkg.dirlist + pkg.filelist + pkg.ghostlist: +- for b in self.DEFAULT_DIRS: +- if b == "/etc": +- continue +- if fname.startswith(b): +- if os.path.isfile(fname): +- self.add_file(fname) +- else: +- self.add_dir(fname) ++ import dnf ++ ++ with dnf.Base() as base: ++ base.read_all_repos() ++ base.fill_sack(load_system_repo=True) ++ ++ query = base.sack.query() + +- for bpkg in yb.rpmdb.searchNames([pkg.base_package_name]): +- for fname in bpkg.dirlist + bpkg.filelist + bpkg.ghostlist: ++ pq = query.available() ++ pq = pq.filter(file=self.program) ++ ++ for pkg in pq: ++ self.rpms.append(pkg.name) ++ for fname in pkg.files: + for b in self.DEFAULT_DIRS: + if b == "/etc": + continue +@@ -1291,20 +1287,18 @@ allow %s_t %s_t:%s_socket name_%s; + self.add_file(fname) + else: + self.add_dir(fname) +- +- # some packages have own systemd subpackage +- # tor-systemd for example +- binary_name = self.program.split("/")[-1] +- for bpkg in 
yb.rpmdb.searchNames(["%s-systemd" % binary_name]): +- for fname in bpkg.filelist + bpkg.ghostlist + bpkg.dirlist: +- for b in self.DEFAULT_DIRS: +- if b == "/etc": +- continue +- if fname.startswith(b): +- if os.path.isfile(fname): +- self.add_file(fname) +- else: +- self.add_dir(fname) ++ sq = query.available() ++ sq = sq.filter(provides=pkg.source_name) ++ for bpkg in sq: ++ for fname in bpkg.files: ++ for b in self.DEFAULT_DIRS: ++ if b == "/etc": ++ continue ++ if fname.startswith(b): ++ if os.path.isfile(fname): ++ self.add_file(fname) ++ else: ++ self.add_dir(fname) + + def gen_writeable(self): + try: +-- +2.43.0 + diff --git a/SOURCES/selinux-autorelabel b/SOURCES/selinux-autorelabel new file mode 100755 index 0000000..f0b5cfa --- /dev/null +++ b/SOURCES/selinux-autorelabel 
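Review bot: The dnf version of __extract_rpms looks the program up among repository packages (`base.read_all_repos()`, `base.fill_sack(load_system_repo=True)`, `query.available()`), whereas the removed yum code searched the installed RPM database. Policy generation now depends on the repository configuration and most likely on fetching repository metadata, and a package that is installed but in no enabled repository is no longer matched. If the installed set is what is wanted, `base.fill_sack(load_system_repo=True, load_available_repos=False)` together with `query.installed()`, and no `read_all_repos()` call, keeps the lookup local. Errors raised by dnf are not handled inside the method, and the caller's `try:` is cut off at the end of the hunk.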
@@ -0,0 +1,73 @@
+#!/bin/bash
+#
+# Do automatic relabelling
+#
+
+# . /etc/init.d/functions
+
+# If the user has this (or similar) UEFI boot order:
+#
+# Windows | grub | Linux
+#
+# And decides to boot into grub/Linux, then the reboot at the end of autorelabel
+# would cause the system to boot into Windows again, if the autorelabel was run.
+#
+# This function restores the UEFI boot order, so the user will boot into the
+# previously set (and expected) partition.
+efi_set_boot_next() {
+ # NOTE: The [ -x /usr/sbin/efibootmgr ] test is not sufficent -- it could
+ # succeed even on system which is not EFI-enabled...
+ if ! efibootmgr > /dev/null 2>&1; then
+ return
+ fi
+
+ # NOTE: It it possible that some other services might be setting the
+ # 'BootNext' item for any reasons, and we shouldn't override it if so.
+ if ! efibootmgr | grep --quiet -e 'BootNext'; then
+ CURRENT_BOOT="$(efibootmgr | grep -e 'BootCurrent' | sed -re 's/(^.+:[[:space:]]*)([[:xdigit:]]+)/\2/')"
+ efibootmgr -n "${CURRENT_BOOT}" > /dev/null 2>&1
+ fi
+}
+
+relabel_selinux() {
+ # if /sbin/init is not labeled correctly this process is running in the
+ # wrong context, so a reboot will be required after relabel
+ AUTORELABEL=
+ . /etc/selinux/config
+ echo "0" > /sys/fs/selinux/enforce
+ [ -x /bin/plymouth ] && plymouth --quit
+
+ if [ "$AUTORELABEL" = "0" ]; then
+ echo
+ echo $"*** Warning -- SELinux ${SELINUXTYPE} policy relabel is required. "
+ echo $"*** /etc/selinux/config indicates you want to manually fix labeling"
+ echo $"*** problems. Dropping you to a shell; the system will reboot"
+ echo $"*** when you leave the shell."
+ sulogin
+
+ else
+ echo
+ echo $"*** Warning -- SELinux ${SELINUXTYPE} policy relabel is required."
+ echo $"*** Relabeling could take a very long time, depending on file"
+ echo $"*** system size and speed of hard drives."
+
+ FORCE=`cat /.autorelabel`
+ [ -x "/usr/sbin/quotaoff" ] && /usr/sbin/quotaoff -aug
+ /sbin/fixfiles $FORCE restore
+ fi
+
+ rm -f /.autorelabel
+ /usr/lib/dracut/dracut-initramfs-restore
+ efi_set_boot_next
+ if [ -x /usr/bin/grub2-editenv ]; then
+ grub2-editenv - incr boot_indeterminate >/dev/null 2>&1
+ fi
+ sync
+ systemctl reboot
+}
+
+# Check to see if a full relabel is needed
+if [ "$READONLY" != "yes" ]; then
+ restorecon $(awk '!/^#/ && $4 !~ /noauto/ && $2 ~ /^\// { print $2 }' /etc/fstab) >/dev/null 2>&1
+ relabel_selinux
+fi
diff --git a/SOURCES/selinux-autorelabel-generator.sh b/SOURCES/selinux-autorelabel-generator.sh
new file mode 100644
index 0000000..be60487
--- /dev/null
+++ b/SOURCES/selinux-autorelabel-generator.sh
@@ -0,0 +1,29 @@
+#!/bin/sh
+
+# This systemd.generator(7) detects if SELinux is running and if the
+# user requested an autorelabel, and if so sets the default target to
+# selinux-autorelabel.target, which will cause the filesystem to be
+# relabelled and then the system will reboot again and boot into the
+# real default target.
+
+PATH=/usr/sbin:$PATH
+unitdir=/usr/lib/systemd/system
+
+# If invoked with no arguments (for testing) write to /tmp.
+earlydir="/tmp"
+if [ -n "$2" ]; then
+ earlydir="$2"
+fi
+
+set_target ()
+{
+ ln -sf "$unitdir/selinux-autorelabel.target" "$earlydir/default.target"
+}
+
+if selinuxenabled; then
+ if test -f /.autorelabel; then
+ set_target
+ elif grep -sqE "\bautorelabel\b" /proc/cmdline; then
+ set_target
+ fi
+fi
diff --git a/SOURCES/selinux-autorelabel-mark.service b/SOURCES/selinux-autorelabel-mark.service
new file mode 100644
index 0000000..dc17df3
--- /dev/null
+++ b/SOURCES/selinux-autorelabel-mark.service
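Review bot: In relabel_selinux the exit status of `/sbin/fixfiles $FORCE restore` is discarded and `rm -f /.autorelabel` runs unconditionally, so a relabel that fails part-way leaves no trace and is not retried after the reboot. Enforcement was switched off at the top of the function, so the machine can come back up enforcing against a partly labelled filesystem with nothing in the journal to explain the resulting denials. At minimum the failure should be reported, e.g. `/sbin/fixfiles $FORCE restore || echo $"*** Warning -- relabel reported errors; some files may be mislabeled."`. `$FORCE` is read from `/.autorelabel` and expanded unquoted; if it is meant to carry several flags the word splitting is needed, but wrapping the call in `set -f` and `set +f` would prevent glob expansion of the file's contents.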
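Review bot: When the generator is run without arguments, `earlydir` falls back to `/tmp` and set_target runs `ln -sf` on the fixed name `/tmp/default.target` in a world-writable directory. If that test run is done as root, it writes through a predictable path that another local user may have prepared beforehand. Using a private directory for the no-argument case, `earlydir="$(mktemp -d)"`, or exiting when `$2` is empty, avoids that. The header comment could also state that systemd passes three directories and that `$2` is the early one.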
@@ -0,0 +1,18 @@
+[Unit]
+Description=Mark the need to relabel after reboot
+DefaultDependencies=no
+Requires=local-fs.target
+Conflicts=shutdown.target
+After=local-fs.target
+Before=sysinit.target shutdown.target
+ConditionSecurity=!selinux
+ConditionPathIsDirectory=/etc/selinux
+ConditionPathExists=!/.autorelabel
+
+[Service]
+ExecStart=-/bin/touch /.autorelabel
+Type=oneshot
+RemainAfterExit=yes
+
+[Install]
+WantedBy=sysinit.target
diff --git a/SOURCES/selinux-autorelabel.service b/SOURCES/selinux-autorelabel.service
new file mode 100644
index 0000000..9a0ea3b
--- /dev/null
+++ b/SOURCES/selinux-autorelabel.service
@@ -0,0 +1,14 @@
+[Unit]
+Description=Relabel all filesystems
+DefaultDependencies=no
+Conflicts=shutdown.target
+After=sysinit.target
+Before=shutdown.target
+ConditionSecurity=selinux
+
+[Service]
+ExecStart=/usr/libexec/selinux/selinux-autorelabel
+Type=oneshot
+TimeoutSec=0
+RemainAfterExit=yes
+StandardOutput=journal+console
diff --git a/SOURCES/selinux-autorelabel.target b/SOURCES/selinux-autorelabel.target
new file mode 100644
index 0000000..a4f63ab
--- /dev/null
+++ b/SOURCES/selinux-autorelabel.target
@@ -0,0 +1,7 @@
+[Unit]
+Description=Relabel all filesystems and reboot
+DefaultDependencies=no
+Requires=sysinit.target selinux-autorelabel.service
+Conflicts=shutdown.target
+After=sysinit.target selinux-autorelabel.service
+ConditionSecurity=selinux
diff --git a/SPECS/policycoreutils.spec b/SPECS/policycoreutils.spec
new file mode 100644
index 0000000..eee2b04
--- /dev/null
+++ b/SPECS/policycoreutils.spec
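Review bot: The `-` prefix in `ExecStart=-/bin/touch /.autorelabel` of selinux-autorelabel-mark.service makes a failed `touch` count as success, and nothing records it. Judging by `ConditionSecurity=!selinux` and the description, this marker is what requests a relabel after a boot without SELinux, so a silent failure (a read-only root, for instance) would presumably leave files created during that boot with stale or missing labels once SELinux is enabled again. If the prefix is deliberate, a comment above the line would say so: `# best effort: a missing marker means no automatic relabel on the next SELinux boot`.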
@@ -0,0 +1,5525 @@ +%global libauditver 3.0 +%global libsepolver 2.9-1 +%global libsemanagever 2.9-7 +%global libselinuxver 2.9-1 +%global sepolgenver 2.9 + +%global generatorsdir %{_prefix}/lib/systemd/system-generators + +# Disable automatic compilation of Python files in extra directories +%global _python_bytecompile_extra 0 + +Summary: SELinux policy core utilities +Name: policycoreutils +Version: 2.9 +Release: 25%{?dist} +License: GPLv2 +# https://github.com/SELinuxProject/selinux/wiki/Releases +Source0: https://github.com/SELinuxProject/selinux/releases/download/20190315/policycoreutils-2.9.tar.gz +Source1: https://github.com/SELinuxProject/selinux/releases/download/20190315/selinux-python-2.9.tar.gz +Source2: https://github.com/SELinuxProject/selinux/releases/download/20190315/selinux-gui-2.9.tar.gz +Source3: https://github.com/SELinuxProject/selinux/releases/download/20190315/selinux-sandbox-2.9.tar.gz +Source4: https://github.com/SELinuxProject/selinux/releases/download/20190315/selinux-dbus-2.9.tar.gz +Source5: https://github.com/SELinuxProject/selinux/releases/download/20190315/semodule-utils-2.9.tar.gz +Source6: https://github.com/SELinuxProject/selinux/releases/download/20190315/restorecond-2.9.tar.gz +URL: https://github.com/SELinuxProject/selinux +Source13: system-config-selinux.png +Source14: sepolicy-icons.tgz +Source15: selinux-autorelabel +Source16: selinux-autorelabel.service +Source17: selinux-autorelabel-mark.service +Source18: selinux-autorelabel.target +Source19: selinux-autorelabel-generator.sh +Source20: policycoreutils-po.tgz +Source21: python-po.tgz +Source22: gui-po.tgz +Source23: sandbox-po.tgz +# https://gitlab.cee.redhat.com/SELinux/selinux +# $ git format-patch -N 20190315 -- policycoreutils python gui sandbox dbus semodule-utils restorecond +# $ for j in [0-9]*.patch; do printf "Patch%s: %s\n" ${j/-*/} $j; done +Patch0001: 0001-gui-Install-polgengui.py-to-usr-bin-selinux-polgengu.patch +Patch0002: 
0002-gui-Install-.desktop-files-to-usr-share-applications.patch +Patch0003: 0003-sandbox-add-reset-to-Xephyr-as-it-works-better-with-.patch +Patch0004: 0004-Fix-STANDARD_FILE_CONTEXT-section-in-man-pages.patch +Patch0005: 0005-If-there-is-no-executable-we-don-t-want-to-print-a-p.patch +Patch0006: 0006-Simplication-of-sepolicy-manpage-web-functionality.-.patch +Patch0007: 0007-We-want-to-remove-the-trailing-newline-for-etc-syste.patch +Patch0008: 0008-Fix-title-in-manpage.py-to-not-contain-online.patch +Patch0009: 0009-Don-t-be-verbose-if-you-are-not-on-a-tty.patch +Patch0010: 0010-sepolicy-Drop-old-interface-file_type_is_executable-.patch +Patch0011: 0011-sepolicy-Another-small-optimization-for-mcs-types.patch +Patch0012: 0012-Move-po-translation-files-into-the-right-sub-directo.patch +Patch0013: 0013-Use-correct-gettext-domains-in-python-gui-sandbox.patch +Patch0014: 0014-Initial-.pot-files-for-gui-python-sandbox.patch +# this is too big and it's covered by sources 20 - 23 +# Patch0015: 0015-Update-.po-files-from-fedora.zanata.org.patch +Patch0016: 0016-policycoreutils-setfiles-Improve-description-of-d-sw.patch +Patch0017: 0017-sepolicy-generate-Handle-more-reserved-port-types.patch +Patch0018: 0018-semodule-utils-Fix-RESOURCE_LEAK-coverity-scan-defec.patch +Patch0019: 0019-sandbox-Use-matchbox-window-manager-instead-of-openb.patch +Patch0020: 0020-python-Use-ipaddress-instead-of-IPy.patch +Patch0021: 0021-python-semanage-Do-not-traceback-when-the-default-po.patch +Patch0022: 0022-policycoreutils-fixfiles-Fix-B-F-onboot.patch +Patch0023: 0023-policycoreutils-fixfiles-Force-full-relabel-when-SEL.patch +Patch0024: 0024-policycoreutils-fixfiles-Fix-unbound-variable-proble.patch +Patch0025: 0025-gui-Fix-remove-module-in-system-config-selinux.patch +Patch0026: 0026-python-semanage-Do-not-use-default-s0-range-in-seman.patch +Patch0027: 0027-policycoreutils-fixfiles-Fix-verify-option.patch +Patch0028: 0028-python-semanage-Improve-handling-of-permissive-state.patch 
+Patch0029: 0029-python-semanage-fix-moduleRecords.customized.patch +Patch0030: 0030-python-semanage-Add-support-for-DCCP-and-SCTP-protoc.patch +Patch0031: 0031-dbus-Fix-FileNotFoundError-in-org.selinux.relabel_on.patch +Patch0032: 0032-restorecond-Fix-redundant-console-log-output-error.patch +Patch0033: 0033-python-semanage-empty-stdout-before-exiting-on-Broke.patch +Patch0034: 0034-python-semanage-Sort-imports-in-alphabetical-order.patch +Patch0035: 0035-python-sepolgen-allow-any-policy-statement-in-if-n-d.patch +Patch0036: 0036-setfiles-Do-not-abort-on-labeling-error.patch +Patch0037: 0037-setfiles-drop-ABORT_ON_ERRORS-and-related-code.patch +Patch0038: 0038-policycoreutils-setfiles-Drop-unused-nerr-variable.patch +Patch0039: 0039-selinux-8-5-Describe-fcontext-regular-expressions.patch +Patch0040: 0040-policycoreutils-setfiles-do-not-restrict-checks-agai.patch +Patch0041: 0041-semodule-add-m-checksum-option.patch +Patch0042: 0042-semodule-Fix-lang_ext-column-index.patch +Patch0043: 0043-semodule-Don-t-forget-to-munmap-data.patch +Patch0044: 0044-policycoreutils-Improve-error-message-when-selabel_o.patch +Patch0045: 0045-semodule-libsemanage-move-module-hashing-into-libsem.patch +Patch0046: 0046-semodule-add-command-line-option-to-detect-module-ch.patch +Patch0047: 0047-python-Split-semanage-import-into-two-transactions.patch +Patch0048: 0048-semodule-rename-rebuild-if-modules-changed-to-refres.patch +Patch0049: 0049-python-Harden-tools-against-rogue-modules.patch +Patch0050: 0050-python-Do-not-query-the-local-database-if-the-fconte.patch +Patch0051: 0051-python-sepolicy-add-missing-booleans-to-man-pages.patch +Patch0052: 0052-python-sepolicy-Cache-conditional-rule-queries.patch +Patch0053: 0053-python-Harden-more-tools-against-rogue-modules.patch +Patch0054: 0054-sepolicy-port-to-dnf4-python-API.patch + +Obsoletes: policycoreutils < 2.0.61-2 +Conflicts: filesystem < 3, selinux-policy-base < 3.13.1-138 +# initscripts < 9.66 shipped fedora-autorelabel services 
which are renamed to selinux-relabel +Conflicts: initscripts < 9.66 +Provides: /sbin/fixfiles +Provides: /sbin/restorecon + +BuildRequires: gcc +BuildRequires: pam-devel libsepol-static >= %{libsepolver} libsemanage-static >= %{libsemanagever} libselinux-devel >= %{libselinuxver} libcap-devel audit-libs-devel >= %{libauditver} gettext +BuildRequires: desktop-file-utils dbus-devel dbus-glib-devel +BuildRequires: python3-devel +BuildRequires: systemd +BuildRequires: git +Requires: util-linux grep gawk diffutils rpm sed +Requires: libsepol >= %{libsepolver} coreutils libselinux-utils >= %{libselinuxver} + +%description +Security-enhanced Linux is a feature of the Linux® kernel and a number +of utilities with enhanced security functionality designed to add +mandatory access controls to Linux. The Security-enhanced Linux +kernel contains new architectural components originally developed to +improve the security of the Flask operating system. These +architectural components provide general support for the enforcement +of many kinds of mandatory access control policies, including those +based on the concepts of Type Enforcement®, Role-based Access +Control, and Multi-level Security. + +policycoreutils contains the policy core utilities that are required +for basic operation of a SELinux system. These utilities include +load_policy to load policies, setfiles to label filesystems, newrole +to switch roles. 
+ +%prep -p /usr/bin/bash +# create selinux/ directory and extract sources +%autosetup -S git -N -c -n selinux +%autosetup -S git -N -T -D -a 1 -n selinux +%autosetup -S git -N -T -D -a 2 -n selinux +%autosetup -S git -N -T -D -a 3 -n selinux +%autosetup -S git -N -T -D -a 4 -n selinux +%autosetup -S git -N -T -D -a 5 -n selinux +%autosetup -S git -N -T -D -a 6 -n selinux + +for i in *; do + git mv $i ${i/-%{version}/} + git commit -q --allow-empty -a --author 'rpm-build ' -m "$i -> ${i/-%{version}/}" +done + +for i in selinux-*; do + git mv $i ${i#selinux-} + git commit -q --allow-empty -a --author 'rpm-build ' -m "$i -> ${i#selinux-}" +done + +git am %{_sourcedir}/[0-9]*.patch + +cp %{SOURCE13} gui/ +tar -xvf %{SOURCE14} -C python/sepolicy/ + +# Since patches containing translation changes were too big, translations were moved to separate tarballs +# For more information see README.translations +# First remove old translation files +rm -f policycoreutils/po/*.po python/po/*.po gui/po/*.po sandbox/po/*.po +tar -x -f %{SOURCE20} -C policycoreutils -z +tar -x -f %{SOURCE21} -C python -z +tar -x -f %{SOURCE22} -C gui -z +tar -x -f %{SOURCE23} -C sandbox -z + +%build +%set_build_flags +export PYTHON=%{__python3} + +make -C policycoreutils LSPP_PRIV=y SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" SEMODULE_PATH="/usr/sbin" LIBSEPOLA="%{_libdir}/libsepol.a" all +make -C python SBINDIR="%{_sbindir}" LSPP_PRIV=y LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" all +make -C gui SBINDIR="%{_sbindir}" LSPP_PRIV=y LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" all +make -C sandbox SBINDIR="%{_sbindir}" LSPP_PRIV=y LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" all +make -C dbus SBINDIR="%{_sbindir}" LSPP_PRIV=y LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" all +make -C semodule-utils SBINDIR="%{_sbindir}" LSPP_PRIV=y LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" all +make -C restorecond SBINDIR="%{_sbindir}" LSPP_PRIV=y LIBDIR="%{_libdir}" 
LIBSEPOLA="%{_libdir}/libsepol.a" all + +%install +mkdir -p %{buildroot}%{_bindir} +mkdir -p %{buildroot}%{_sbindir} +mkdir -p %{buildroot}%{_mandir}/man1 +mkdir -p %{buildroot}%{_mandir}/man5 +mkdir -p %{buildroot}%{_mandir}/man8 +%{__mkdir} -p %{buildroot}/%{_usr}/share/doc/%{name}/ + +make -C policycoreutils LSPP_PRIV=y DESTDIR="%{buildroot}" SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" SEMODULE_PATH="/usr/sbin" LIBSEPOLA="%{_libdir}/libsepol.a" install + +make -C python PYTHON=%{__python3} DESTDIR="%{buildroot}" SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" install + +make -C gui PYTHON=%{__python3} DESTDIR="%{buildroot}" SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" install + +make -C sandbox PYTHON=%{__python3} DESTDIR="%{buildroot}" SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" install + +make -C dbus PYTHON=%{__python3} DESTDIR="%{buildroot}" SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" install + +make -C semodule-utils PYTHON=%{__python3} DESTDIR="%{buildroot}" SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" install + +make -C restorecond PYTHON=%{__python3} DESTDIR="%{buildroot}" SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" install + +# Fix perms on newrole so that objcopy can process it +chmod 0755 %{buildroot}%{_bindir}/newrole + +# Systemd +rm -rf %{buildroot}/%{_sysconfdir}/rc.d/init.d/restorecond + +rm -f %{buildroot}/usr/share/man/ru/man8/genhomedircon.8.gz +rm -f %{buildroot}/usr/share/man/ru/man8/open_init_pty.8* +rm -f %{buildroot}/usr/share/man/ru/man8/semodule_deps.8.gz +rm -f %{buildroot}/usr/share/man/man8/open_init_pty.8 +rm -f %{buildroot}/usr/sbin/open_init_pty +rm -f %{buildroot}/usr/sbin/run_init +rm -f %{buildroot}/usr/share/man/ru/man8/run_init.8* +rm -f %{buildroot}/usr/share/man/man8/run_init.8* +rm -f %{buildroot}/etc/pam.d/run_init* + +mkdir -m 755 -p 
%{buildroot}/%{generatorsdir} +install -m 644 -p %{SOURCE16} %{buildroot}/%{_unitdir}/ +install -m 644 -p %{SOURCE17} %{buildroot}/%{_unitdir}/ +install -m 644 -p %{SOURCE18} %{buildroot}/%{_unitdir}/ +install -m 755 -p %{SOURCE19} %{buildroot}/%{generatorsdir}/ +install -m 755 -p %{SOURCE15} %{buildroot}/%{_libexecdir}/selinux/ + +# change /usr/bin/python to %%{__python3} in policycoreutils-python3 +pathfix.py -i "%{__python3} -Es" -p %{buildroot}%{python3_sitelib} + +# change /usr/bin/python to %%{__python3} in policycoreutils-python-utils +pathfix.py -i "%{__python3} -EsI" -p \ + %{buildroot}%{_sbindir}/semanage \ + %{buildroot}%{_bindir}/chcat \ + %{buildroot}%{_bindir}/sandbox \ + %{buildroot}%{_datadir}/sandbox/start \ + %{buildroot}%{_bindir}/audit2allow \ + %{buildroot}%{_bindir}/sepolicy \ + %{buildroot}%{_bindir}/sepolgen-ifgen \ + %{buildroot}%{_datadir}/system-config-selinux/system-config-selinux.py \ + %{buildroot}%{_datadir}/system-config-selinux/selinux_server.py \ + %nil + +# clean up ~ files from pathfix - https://bugzilla.redhat.com/show_bug.cgi?id=1546990 +find %{buildroot}%{python3_sitelib} %{buildroot}%{python3_sitearch} \ + %{buildroot}%{_sbindir} %{buildroot}%{_bindir} %{buildroot}%{_datadir} \ + -type f -name '*~' | xargs rm -f + +# Manually invoke the python byte compile macro for each path that needs byte +# compilation. +%py_byte_compile %{__python3} %{buildroot}%{_datadir}/system-config-selinux + +%find_lang policycoreutils +%find_lang selinux-python +%find_lang selinux-gui +%find_lang selinux-sandbox + +%package python-utils +Summary: SELinux policy core python utilities +Requires: python3-policycoreutils = %{version}-%{release} +Obsoletes: policycoreutils-python <= 2.4-4 +BuildArch: noarch + +%description python-utils +The policycoreutils-python-utils package contains the management tools use to manage +an SELinux environment. 
+ +%files python-utils +%{_sbindir}/semanage +%{_bindir}/chcat +%{_bindir}/sandbox +%{_bindir}/audit2allow +%{_bindir}/audit2why +%{_mandir}/man1/audit2allow.1* +%{_mandir}/ru/man1/audit2allow.1* +%{_mandir}/man1/audit2why.1* +%{_mandir}/ru/man1/audit2why.1* +%{_sysconfdir}/dbus-1/system.d/org.selinux.conf +%{_mandir}/man8/chcat.8* +%{_mandir}/ru/man8/chcat.8* +%{_mandir}/man8/sandbox.8* +%{_mandir}/ru/man8/sandbox.8* +%{_mandir}/man8/semanage*.8* +%{_mandir}/ru/man8/semanage*.8* +%{_datadir}/bash-completion/completions/semanage + +%package dbus +Summary: SELinux policy core DBUS api +Requires: python3-policycoreutils = %{version}-%{release} +Requires: python3-slip-dbus +BuildArch: noarch + +%description dbus +The policycoreutils-dbus package contains the management DBUS API use to manage +an SELinux environment. + +%files dbus +%{_sysconfdir}/dbus-1/system.d/org.selinux.conf +%{_datadir}/dbus-1/system-services/org.selinux.service +%{_datadir}/polkit-1/actions/org.selinux.policy +%{_datadir}/polkit-1/actions/org.selinux.config.policy +%{_datadir}/system-config-selinux/selinux_server.py +%dir %{_datadir}/system-config-selinux/__pycache__ +%{_datadir}/system-config-selinux/__pycache__/selinux_server.* + +%package -n python3-policycoreutils +%{?python_provide:%python_provide python3-policycoreutils} +# Remove before F31 +Provides: %{name}-python3 = %{version}-%{release} +Provides: %{name}-python3 = %{version}-%{release} +Obsoletes: %{name}-python3 < %{version}-%{release} +Summary: SELinux policy core python3 interfaces +Requires:policycoreutils = %{version}-%{release} +Requires:python3-libsemanage >= %{libsemanagever} python3-libselinux +# no python3-audit-libs yet +Requires:audit-libs-python3 >= %{libauditver} +Requires: checkpolicy +Requires: python3-setools >= 4.1.1 +BuildArch: noarch + +%description -n python3-policycoreutils +The python3-policycoreutils package contains the interfaces that can be used +by python 3 in an SELinux environment. 
+ +%files -f selinux-python.lang -n python3-policycoreutils +%{python3_sitelib}/seobject.py* +%{python3_sitelib}/__pycache__ +%{python3_sitelib}/sepolgen +%dir %{python3_sitelib}/sepolicy +%{python3_sitelib}/sepolicy/templates +%dir %{python3_sitelib}/sepolicy/help +%{python3_sitelib}/sepolicy/help/* +%{python3_sitelib}/sepolicy/__init__.py* +%{python3_sitelib}/sepolicy/booleans.py* +%{python3_sitelib}/sepolicy/communicate.py* +%{python3_sitelib}/sepolicy/generate.py* +%{python3_sitelib}/sepolicy/interface.py* +%{python3_sitelib}/sepolicy/manpage.py* +%{python3_sitelib}/sepolicy/network.py* +%{python3_sitelib}/sepolicy/transition.py* +%{python3_sitelib}/sepolicy/sedbus.py* +%{python3_sitelib}/sepolicy*.egg-info +%{python3_sitelib}/sepolicy/__pycache__ + +%package devel +Summary: SELinux policy core policy devel utilities +Requires: policycoreutils-python-utils = %{version}-%{release} +Requires: /usr/bin/make dnf +Requires: selinux-policy-devel + +%description devel +The policycoreutils-devel package contains the management tools use to develop policy in an SELinux environment. 
+ +%files devel +%{_bindir}/sepolgen +%{_bindir}/sepolgen-ifgen +%{_bindir}/sepolgen-ifgen-attr-helper +%dir /var/lib/sepolgen +/var/lib/sepolgen/perm_map +%{_bindir}/sepolicy +%{_mandir}/man8/sepolgen.8* +%{_mandir}/ru/man8/sepolgen.8* +%{_mandir}/man8/sepolicy-booleans.8* +%{_mandir}/man8/sepolicy-generate.8* +%{_mandir}/man8/sepolicy-interface.8* +%{_mandir}/man8/sepolicy-network.8* +%{_mandir}/man8/sepolicy.8* +%{_mandir}/man8/sepolicy-communicate.8* +%{_mandir}/man8/sepolicy-manpage.8* +%{_mandir}/man8/sepolicy-transition.8* +%{_mandir}/ru/man8/sepolicy*.8* +%{_usr}/share/bash-completion/completions/sepolicy + + +%package sandbox +Summary: SELinux sandbox utilities +Requires: python3-policycoreutils = %{version}-%{release} +Requires: xorg-x11-server-Xephyr >= 1.14.1-2 /usr/bin/rsync /usr/bin/xmodmap +Requires: matchbox-window-manager +BuildRequires: libcap-ng-devel + +%description sandbox +The policycoreutils-sandbox package contains the scripts to create graphical +sandboxes + +%files -f selinux-sandbox.lang sandbox +%config(noreplace) %{_sysconfdir}/sysconfig/sandbox +%{_datadir}/sandbox/sandboxX.sh +%{_datadir}/sandbox/start +%caps(cap_setpcap,cap_setuid,cap_fowner,cap_dac_override,cap_sys_admin,cap_sys_nice=pe) %{_sbindir}/seunshare +%{_mandir}/man8/seunshare.8* +%{_mandir}/ru/man8/seunshare.8* +%{_mandir}/man5/sandbox.5* +%{_mandir}/ru/man5/sandbox.5* + +%package newrole +Summary: The newrole application for RBAC/MLS +Requires: policycoreutils = %{version}-%{release} + +%description newrole +RBAC/MLS policy machines require newrole as a way of changing the role +or level of a logged in user. 
+ +%files newrole +%attr(0755,root,root) %caps(cap_dac_read_search,cap_setpcap,cap_audit_write,cap_sys_admin,cap_fowner,cap_chown,cap_dac_override=pe) %{_bindir}/newrole +%{_mandir}/man1/newrole.1.gz +%{_mandir}/ru/man1/newrole.1.gz +%config(noreplace) %{_sysconfdir}/pam.d/newrole + +%package gui +Summary: SELinux configuration GUI +Requires: policycoreutils-devel = %{version}-%{release}, python3-policycoreutils = %{version}-%{release} +Requires: policycoreutils-dbus = %{version}-%{release} +Requires: gtk3, python3-gobject +BuildRequires: desktop-file-utils +BuildArch: noarch + +%description gui +system-config-selinux is a utility for managing the SELinux environment + +%files -f selinux-gui.lang gui +%{_bindir}/system-config-selinux +%{_bindir}/selinux-polgengui +%{_datadir}/applications/sepolicy.desktop +%{_datadir}/applications/system-config-selinux.desktop +%{_datadir}/applications/selinux-polgengui.desktop +%{_datadir}/icons/hicolor/24x24/apps/system-config-selinux.png +%{_datadir}/pixmaps/system-config-selinux.png +%dir %{_datadir}/system-config-selinux +%dir %{_datadir}/system-config-selinux/__pycache__ +%{_datadir}/system-config-selinux/system-config-selinux.png +%{_datadir}/system-config-selinux/*Page.py +%{_datadir}/system-config-selinux/__pycache__/*Page.* +%{_datadir}/system-config-selinux/system-config-selinux.py +%{_datadir}/system-config-selinux/__pycache__/system-config-selinux.* +%{_datadir}/system-config-selinux/*.ui +%{python3_sitelib}/sepolicy/gui.py* +%{python3_sitelib}/sepolicy/sepolicy.glade +%{_datadir}/icons/hicolor/*/apps/sepolicy.png +%{_datadir}/pixmaps/sepolicy.png +%{_mandir}/man8/system-config-selinux.8* +%{_mandir}/ru/man8/system-config-selinux.8* +%{_mandir}/man8/selinux-polgengui.8* +%{_mandir}/ru/man8/selinux-polgengui.8* +%{_mandir}/man8/sepolicy-gui.8* +%{_mandir}/ru/man8/sepolicy-gui.8* + +%files -f %{name}.lang +%{_sbindir}/restorecon +%{_sbindir}/restorecon_xattr +%{_sbindir}/fixfiles +%{_sbindir}/setfiles 
+%{_sbindir}/load_policy +%{_sbindir}/genhomedircon +%{_sbindir}/setsebool +%{_sbindir}/semodule +%{_sbindir}/sestatus +%{_bindir}/secon +%{_bindir}/semodule_expand +%{_bindir}/semodule_link +%{_bindir}/semodule_package +%{_bindir}/semodule_unpackage +%{_libexecdir}/selinux/hll +%{_libexecdir}/selinux/selinux-autorelabel +%{_unitdir}/selinux-autorelabel-mark.service +%{_unitdir}/selinux-autorelabel.service +%{_unitdir}/selinux-autorelabel.target +%{generatorsdir}/selinux-autorelabel-generator.sh +%config(noreplace) %{_sysconfdir}/sestatus.conf +%{_mandir}/man5/selinux_config.5.gz +%{_mandir}/ru/man5/selinux_config.5.gz +%{_mandir}/man5/sestatus.conf.5.gz +%{_mandir}/ru/man5/sestatus.conf.5.gz +%{_mandir}/man8/fixfiles.8* +%{_mandir}/ru/man8/fixfiles.8* +%{_mandir}/man8/load_policy.8* +%{_mandir}/ru/man8/load_policy.8* +%{_mandir}/man8/restorecon.8* +%{_mandir}/ru/man8/restorecon.8* +%{_mandir}/man8/restorecon_xattr.8* +%{_mandir}/ru/man8/restorecon_xattr.8* +%{_mandir}/man8/semodule.8* +%{_mandir}/ru/man8/semodule.8* +%{_mandir}/man8/sestatus.8* +%{_mandir}/ru/man8/sestatus.8* +%{_mandir}/man8/setfiles.8* +%{_mandir}/ru/man8/setfiles.8* +%{_mandir}/man8/setsebool.8* +%{_mandir}/ru/man8/setsebool.8* +%{_mandir}/man1/secon.1* +%{_mandir}/ru/man1/secon.1* +%{_mandir}/man8/genhomedircon.8* +%{_mandir}/ru/man8/genhomedircon.8* +%{_mandir}/man8/semodule_expand.8* +%{_mandir}/ru/man8/semodule_expand.8* +%{_mandir}/man8/semodule_link.8* +%{_mandir}/ru/man8/semodule_link.8* +%{_mandir}/man8/semodule_unpackage.8* +%{_mandir}/ru/man8/semodule_unpackage.8* +%{_mandir}/man8/semodule_package.8* +%{_mandir}/ru/man8/semodule_package.8* +%dir %{_datadir}/bash-completion +%{_datadir}/bash-completion/completions/setsebool +%{!?_licensedir:%global license %%doc} +%license policycoreutils/COPYING +%doc %{_usr}/share/doc/%{name} + +%package restorecond +Summary: SELinux restorecond utilities +BuildRequires: systemd-units + +%description restorecond +The policycoreutils-restorecond 
package contains the restorecond service. + +%files restorecond +%{_sbindir}/restorecond +%{_unitdir}/restorecond.service +%config(noreplace) %{_sysconfdir}/selinux/restorecond.conf +%config(noreplace) %{_sysconfdir}/selinux/restorecond_user.conf +%{_sysconfdir}/xdg/autostart/restorecond.desktop +%{_datadir}/dbus-1/services/org.selinux.Restorecond.service +%{_mandir}/man8/restorecond.8* +%{_mandir}/ru/man8/restorecond.8* +%{!?_licensedir:%global license %%doc} +%license policycoreutils/COPYING + +%post +%systemd_post selinux-autorelabel-mark.service + +%preun +%systemd_preun selinux-autorelabel-mark.service + +%post restorecond +%systemd_post restorecond.service + +%preun restorecond +%systemd_preun restorecond.service + +%postun restorecond +%systemd_postun_with_restart restorecond.service + +%changelog +* Tue Feb 06 2024 Vit Mojzis - 2.9-25 +- Harden more tools against "rogue" modules (RHEL-17351) +- sepolicy: port to dnf4 python API (RHEL-17398) + +* Wed Feb 15 2023 Vit Mojzis - 2.9-24 +- Update translations (#2124826) + +* Wed Feb 08 2023 Vit Mojzis - 2.9-23 +- python/sepolicy: Cache conditional rule queries (#2155540) + +* Mon Jan 09 2023 Vit Mojzis - 2.9-22 +- python/sepolicy: add missing booleans to man pages (#2155540) + +* Mon Dec 19 2022 Vit Mojzis - 2.9-21.1 +- python: Harden tools against "rogue" modules (#2128976) +- Update "pathfix" arguments to match ^^^ (#2128976) +- python: Do not query the local database if the fcontext is non-local (#2124825) + +* Thu Jul 07 2022 Vit Mojzis - 2.9-20 +- python: Split "semanage import" into two transactions (#2063353) +- semodule: rename --rebuild-if-modules-changed to --refresh (#2089802) +- selinux-autorelabel: Do not force reboot (#2093133) + +* Thu Feb 17 2022 Vit Mojzis - 2.9-19 +- semodule: move module hashing into libsemanage (requires libsemanage-2.9-7) +- semodule: add command-line option to detect module changes (#2049189) + +* Fri Jan 14 2022 Vit Mojzis - 2.9-18 +- Improve error message when selabel_open 
fails (#1926511) + +* Tue Nov 30 2021 Petr Lautrbach - 2.9-17 +- semodule: add -m | --checksum option + +* Thu Sep 16 2021 Vit Mojzis - 2.9-16 +- Update translations (#1962009) + +* Mon Jul 19 2021 Vit Mojzis - 2.9-15 +- setfiles: do not restrict checks against a binary policy (#1973754) + +* Tue Mar 09 2021 Vit Mojzis - 2.9-14 +- Update translations (#1899695) + +* Mon Feb 22 2021 Vit Mojzis - 2.9-13 +- selinux(8,5): Describe fcontext regular expressions (#1904059) + +* Tue Feb 2 2021 Petr Lautrbach - 2.9-12 +- setfiles: Do not abort on labeling error (#1794518) + +* Wed Jan 27 2021 Vit Mojzis - 2.9-11 +- python/sepolgen: allow any policy statement in if(n)def (#1868717) + +* Sat Jan 16 2021 Vit Mojzis - 2.9-10 +- python/semanage: Sort imports in alphabetical order +- python/semanage: empty stdout before exiting on BrokenPipeError (#1822100) + +* Fri Jan 17 2020 Vit Mojzis - 2.9-9 +- Update translations (#1754978) + +* Thu Nov 21 2019 Vit Mojzis - 2.9-8 +- restorecond: Fix redundant console log output error (#1626468) + +* Tue Nov 19 2019 Petr Lautrbach - 2.9-7 +- dbus: Fix FileNotFoundError in org.selinux.relabel_on_boot (#1754873) + +* Tue Nov 12 2019 Petr Lautrbach - 2.9-6 +- Configure autorelabel service to output to journal and to console if set (#1766578) + +* Wed Nov 06 2019 Vit Mojzis - 2.9-5 +- fixfiles: Fix "verify" option (#1647532) +- semanage: Improve handling of "permissive" statements (#1417455) +- semanage: fix moduleRecords.customized() +- semanage: Add support for DCCP and SCTP protocols (#1563742) + +* Wed Sep 4 2019 Petr Lautrbach - 2.9-4 +- semanage: Do not use default s0 range in "semanage login -a" (#1554360) +- gui: Fix remove module in system-config-selinux (#1748763) + +* Thu Aug 22 2019 Vit Mojzis - 2.9-3 +- fixfiles: Fix unbound variable problem (#1743213) + +* Tue Jul 2 2019 Petr Lautrbach - 2.9-2 +- Update transition +- fixfiles: Fix [-B] [-F] onboot + +* Mon Mar 18 2019 Petr Lautrbach - 2.9-1 +- SELinux userspace 2.9 release + +* Fri 
Dec 14 2018 Petr Lautrbach - 2.8-16.1 +- semanage: move valid_types initialisations to class constructors +- semanage: import sepolicy only when it's needed +- sepolicy: Add sepolicy.load_store_policy(store) +- semanage: Start exporting "ibendport" and "ibpkey" entries + +* Wed Dec 5 2018 Petr Lautrbach - 2.8-15 +- chcat: use check_call instead of getstatusoutput +- semanage: Use standard argparse.error() method +- semanage: Fix handling of -a/-e/-d/-r options + +* Tue Dec 4 2018 Petr Lautrbach - 2.8-14 +- Update translations + +* Mon Dec 3 2018 Petr Lautrbach - 2.8-13 +- Use ipaddress module instead of IPy + +* Tue Nov 13 2018 Petr Lautrbach - 2.8-12 +- Handle more reserved port types +- Replace aliases with corresponding type names + +* Thu Nov 8 2018 Petr Lautrbach - 2.8-11.1 +- Fix RESOURCE_LEAK coverity scan defects + +* Thu Oct 25 2018 Petr Lautrbach - 2.8-10 +- sepolicy: Update to work with setools-4.2.0 +- gui: Make all polgen button labels translatable + +* Tue Oct 16 2018 Petr Lautrbach - 2.8-9 +- sepolicy: Fix get_real_type_name to handle query failure properly + +* Mon Oct 15 2018 Petr Lautrbach - 2.8-8 +- sepolicy: search() for dontaudit rules as well + +* Fri Sep 14 2018 Petr Lautrbach - 2.8-7 +- setfiles: Improve description of -d switch +- Fix typo in newrole.1 manpage +- semanage: Stop rejecting aliases in semanage commands +- sepolicy: Stop rejecting aliases in sepolicy commands +- sepolicy: Fix "info" to search aliases as well +- sepolgen: fix refpolicy parsing of "permissive" +- sepolgen: return NotImplemented instead of raising it +- semanage: fix Python syntax of catching several exceptions +- semanage: Replace bare except with specific one +- semanage: Fix logger class definition +- semanage: Stop logging loginRecords changes +- add xperms support to audit2allow +- sepolgen: fix access vector initialization +- sepolgen: print all AV rules correctly + +* Thu Sep 13 2018 Petr Lautrbach - 2.8-6.1 +- Update translations + +* Tue Jul 24 2018 Petr 
Lautrbach - 2.8-5 +- sandbox: Use matchbox-window-manager instead of openbox (#1568295) + +* Thu Jul 19 2018 Petr Lautrbach - 2.8-4 +- selinux-autorelabel: Use plymouth --quit rather then --hide-splash (#1592221) +- selinux-autorelabel: Increment boot_indeterminate grub environment variable (#1592221) +- Do not require libcgroup - it's not used anymore + +* Tue Jun 26 2018 Petr Lautrbach - 2.8-3 +- Do not use symlinks to enable selinux-autorelabel-mark.service (#1589720) + +* Wed Jun 6 2018 Petr Lautrbach - 2.8-2 +- Don't build the Python 2 subpackages (#1567354) + +* Fri May 25 2018 Petr Lautrbach - 2.8-1.1 +- SELinux userspace 2.8 release + +* Tue May 22 2018 Petr Lautrbach - 2.7-19 +- selinux-autorelabel: set UEFI boot order (BootNext) same as BootCurrent +- selinux-autorelabel: synchronize cached writes before reboot (#1385272) + +* Tue Apr 3 2018 Petr Lautrbach - 2.7-18 +- Move semodule_* utilities to policycoreutils package (#1562549) + +* Thu Mar 22 2018 Petr Lautrbach - 2.7-17 +- semanage/seobject.py: Fix undefined store check (#1559174) + +* Fri Mar 16 2018 Petr Lautrbach - 2.7-16 +- Build python only subpackages as noarch +- Move semodule_package to policycoreutils-devel + +* Tue Mar 13 2018 Petr Lautrbach - 2.7-15 +- sepolicy: Fix translated strings with parameters +- sepolicy: Support non-MLS policy +- sepolicy: Initialize policy.ports as a dict in generate.py +- gui/polgengui.py: Use stop_emission_by_name instead of emit_stop_by_name +- Minor update for bash completion +- semodule_package: fix semodule_unpackage man page +- gui/semanagePage: Close "edit" and "add" dialogues when successfull +- gui/fcontextPage: Set default object class in addDialog\ +- sepolgen: fix typo in PolicyGenerator +- build: follow standard semantics for DESTDIR and PREFIX + +* Mon Feb 26 2018 Petr Lautrbach - 2.7-14 +- Use Fedora RPM build flags (#1548740) + +* Tue Feb 20 2018 Petr Lautrbach - 2.7-13 +- Fix mangling of python shebangs + +* Mon Feb 19 2018 Miro Hrončok - 2.7-12 
+- Rename the python3 subpackage to have prefix, not suffix +- Use python3 prefixes in requires where possible + +* Thu Feb 15 2018 Petr Lautrbach - 2.7-11 +- Rewrite selinux-polgengui to use Gtk3 +- Drop python2 and gnome-python2 from gui Requires + +* Fri Feb 09 2018 Fedora Release Engineering - 2.7-10 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + +* Wed Jan 31 2018 Petr Lautrbach - 2.7-9 +- Require audit-libs-python2 + +* Thu Jan 18 2018 Igor Gnatenko - 2.7-8 +- Remove obsolete scriptlets + +* Wed Dec 20 2017 Petr Lautrbach - 2.7-7 +- semanage: bring semanageRecords.set_reload back to seobject.py (#1527745) + +* Wed Dec 13 2017 Petr Lautrbach - 2.7-6 +- semanage: make seobject.py backward compatible +- Own %%{pythonX_sitelib}/site-packages/sepolicy directories (#1522942) + +* Wed Nov 22 2017 Petr Lautrbach - 2.7-5 +- sepolicy: Fix sepolicy manpage +- semanage: Update Infiniband code to work on python3 +- semanage: Fix export of ibendport entries +- semanage: Enforce noreload only if it's requested by -N option + +* Fri Oct 20 2017 Petr Lautrbach - 2.7-4 +- restorecond: check write() and daemon() results +- sepolicy: do not fail when file_contexts.local or .subs do not exist +- sepolicy: remove stray space in section "SEE ALSO" +- sepolicy: fix misspelling of _ra_content_t suffix +- gui: port to Python 3 by migrating to PyGI +- gui: remove the status bar +- gui: fix parsing of "semodule -lfull" in tab Modules +- gui: delete overridden definition of usersPage.delete() +- Enable listing file_contexts.homedirs (#1409813) +- remove semodule_deps + +* Sat Aug 19 2017 Zbigniew Jędrzejewski-Szmek - 2.7-3 +- Also add Provides for the old name without %%_isa + +* Sat Aug 19 2017 Zbigniew Jędrzejewski-Szmek - 2.7-2 +- Python 2 binary package renamed to python2-policycoreutils + See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3 + +* Mon Aug 07 2017 Petr Lautrbach - 2.7-1 +- Update to upstream release 2017-08-04 +- Move DBUS API from 
-gui to -dbus package
+
+* Thu Aug 03 2017 Fedora Release Engineering - 2.6-9
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
+
+* Sun Jul 30 2017 Florian Weimer - 2.6-8
+- Rebuild with binutils fix for ppc64le (#1475636)
+
+* Fri Jul 28 2017 Petr Lautrbach - 2.6-7
+- Make 'sepolicy manpage' and 'sepolicy transition' faster
+- open_init_pty: restore stdin/stdout to blocking upon exit
+- fixfiles: do not dereference link files in tmp
+- fixfiles: use a consistent order for options to restorecon
+- fixfiles: don't ignore `-F` when run in `-C` mode
+- fixfiles: remove bad modes of "relabel" command
+- fixfiles: refactor into the `set -u` dialect
+- fixfiles: if restorecon aborts, we should too
+- fixfiles: usage errors are fatal
+- fixfiles: syntax error
+- fixfiles: remove two unused variables
+- fixfiles: tidy up usage(), manpage synopsis
+- fixfiles: deprecate -l option
+- fixfiles: move logit call outside of redirected function
+- fixfiles: fix logging about R/O filesystems
+- fixfiles: clarify exclude_dirs()
+- fixfiles: remove (broken) redundant code
+
+
+* Thu Jul 27 2017 Fedora Release Engineering - 2.6-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Thu Apr 06 2017 Petr Lautrbach - 2.6-5
+- semanage: Unify argument handling (#1398987)
+- setfiles: set up a logging callback for libselinux
+- setfiles: Fix setfiles progress indicator
+- setfiles: stdout messages don't need program prefix
+- setfiles: don't scramble stdout and stderr together (#1435894)
+- restorecond: Decrease loglevel of termination message (#1264505)
+- fixfiles should handle path arguments more robustly
+- fixfiles: handle unexpected spaces in command
+- fixfiles: remove useless use of cat (#1435894)
+- semanage: Add checks if a module name is passed in (#1420707)
+- semanage: fix export of fcontext socket entries (#1435127)
+- selinux-autorelabel: remove incorrect redirection to /dev/null (#1415674)
+
+* Fri Mar 17 2017 Petr
Lautrbach - 2.6-4
+- Fix selinux-polgengui (#1432337)
+- sepolicy - fix obtaining domain name in HTMLManPages
+
+* Tue Feb 28 2017 Petr Lautrbach - 2.6-3
+- Fix several issues in gui and 'sepolicy manpage' (#1416372)
+
+* Thu Feb 23 2017 Petr Lautrbach - 2.6-2
+- Use %%{__python3} instead of python3
+
+* Mon Feb 20 2017 Petr Lautrbach - 2.6-1.1
+- Fix pp crash when processing base module (#1417200)
+- Update to upstream release 2016-10-14
+
+* Wed Feb 15 2017 Igor Gnatenko - 2.5-22
+- Rebuild for brp-python-bytecompile
+
+* Sat Feb 11 2017 Fedora Release Engineering - 2.5-21
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Wed Dec 21 2016 Kevin Fenzi - 2.5-20
+- Rebuild for python 3.6
+
+* Thu Dec 01 2016 Petr Lautrbach - 2.5-19
+- seobject: Handle python error returns correctly
+- policycoreutils/sepolicy/gui: fix current selinux state radiobutton
+- policycoreutils: semodule_package: do not fail with an empty fc file
+
+* Tue Nov 22 2016 Petr Lautrbach - 2.5-18
+- Update translations
+- Fix fcontextPage editing features (#1344842)
+
+* Mon Oct 03 2016 Petr Lautrbach 2.5-17
+- sandbox: Use dbus-run-session instead of dbus-launch when available
+- hll/pp: Change warning for module name not matching filename to match new behavior
+- Remove LDFLAGS from CFLAGS
+- sandbox: create a new session for sandboxed processes
+- sandbox: do not try to setup directories without -X or -M
+- sandbox: do not run xmodmap in a new X session
+- sandbox: Use GObject introspection binding instead of pygtk2
+- sandbox: fix file labels on copied files
+- sandbox: tests - close stdout of p
+- sandbox: tests - use sandbox from cwd
+- audit2allow: tests should use local copy not system
+- audit2allow: fix audit2why import from seobject
+- audit2allow: remove audit2why so that it gets symlinked
+- semanage: fix man page and help message for import option
+- semanage: fix error message for fcontext -m
+- semanage: Fix semanage fcontext -D
+- semanage: Correct fcontext
auditing
+- semanage: Default serange to "s0" for port modify
+- semanage: Use socket.getprotobyname for protocol
+- semanage: fix modify action in node and interface
+- fixfiles: Pass -n to restorecon for fixfiles check
+- sepolicy: Check get_rpm_nvr_list() return value
+- Don't use subprocess.getstatusoutput() in Python 2 code
+- semanage: Add auditing of changes in records
+- Remove unused 'q' from semodule getopt string
+
+* Mon Aug 01 2016 Petr Lautrbach 2.5-16
+- Remove unused autoconf files from po/
+- Remove duplicate, empty translation files
+- Rebuilt with libsepol-2.5-9, libselinux-2.5-11, libsemanage-2.5-7
+
+* Thu Jul 21 2016 Petr Lautrbach 2.5-15
+- Fix sandbox -X issue related to python3 (#1358138)
+
+* Wed Jul 20 2016 Richard W.M. Jones - 2.5-14
+- Use generator approach to fix autorelabel
+
+* Tue Jul 19 2016 Fedora Release Engineering - 2.5-13
+- https://fedoraproject.org/wiki/Changes/Automatic_Provides_for_Python_RPM_Packages
+
+* Thu Jul 14 2016 Petr Lautrbach - 2.5-12
+- open_init_pty: Do not error on EINTR
+- Fix [-s STORE] typos in semanage
+- Update sandbox types in sandbox manual
+- Update translations
+
+* Mon Jun 27 2016 Petr Lautrbach - 2.5-11
+- Convert sandbox to gtk-3 using pygi-convert.sh (#1343166)
+
+* Thu Jun 23 2016 Petr Lautrbach - 2.5-10
+- Fix typos in semanage manpages
+- Fix the documentation of -l,--list for semodule
+- Minor fix in a French translation
+- Fix the extract example in semodule.8
+- Update sandbox.8 man page
+- Remove typos from chcat --help
+- sepolgen: Remove additional files when cleaning
+
+* Wed May 11 2016 Petr Lautrbach - 2.5-9
+- Fix multiple spelling errors
+- Rebuild with libsepol-2.5-6
+
+* Mon May 02 2016 Petr Lautrbach - 2.5-8
+- Rebuilt with libsepol-2.5-5
+
+* Fri Apr 29 2016 Petr Lautrbach - 2.5-7
+- hll/pp: Warn if module name different than output filename
+
+* Mon Apr 25 2016 Petr Lautrbach - 2.5-6
+- Ship selinux-autorelabel utility and systemd unit files (#1328825)
+
+* Fri Apr 08 2016
Petr Lautrbach - 2.5-5
+- sepolgen: Add support for TYPEBOUNDS statement in INTERFACE policy files (#1319338)
+
+* Fri Mar 18 2016 Petr Lautrbach - 2.5-4
+- Add documentation for MCS separated domains
+- Move svirt man page out of libvirt into its own
+
+* Thu Mar 17 2016 Petr Lautrbach - 2.5-3
+- policycoreutils: use python3 in chcat(#1318408)
+
+* Sat Mar 05 2016 Petr Lautrbach 2.5-2
+- policycoreutils/sepolicy: selinux_server.py to use GLib instead of gobject
+- policycoreutils-gui requires python-slip-dbus (#1314685)
+
+* Tue Feb 23 2016 Petr Lautrbach 2.5-1
+- Update to upstream release 2016-02-23
+
+* Thu Feb 04 2016 Fedora Release Engineering - 2.4-21
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
+
+* Mon Dec 14 2015 Petr Lautrbach - 2.4-20
+- Fix 'semanage permissive -l' subcommand (#1286325)
+- Several 'sepolicy gui' fixes (#1281309,#1281309,#1282382)
+
+* Tue Nov 17 2015 Petr Lautrbach 2.4-19
+- Require at least one argument for 'semanage permissive -d' (#1255676)
+
+* Mon Nov 16 2015 Petr Lautrbach 2.4-18
+- Improve sepolicy command line interface
+- Fix sandbox to propagate specified MCS/MLS Security Level.
(#1279006)
+- Fix 'audit2allow -R' (#1280418)
+
+* Thu Nov 12 2015 Fedora Release Engineering - 2.4-17
+- Rebuilt for https://fedoraproject.org/wiki/Changes/python3.5
+
+* Mon Nov 09 2015 Petr Lautrbach 2.4-16
+- policycoreutils-gui needs policycoreutils-python (#1279046)
+
+* Wed Nov 04 2015 Robert Kuska - 2.4-15
+- Rebuilt for Python3.5 rebuild
+
+* Thu Oct 08 2015 Petr Lautrbach 2.4-14
+- Revert the attempt to port -gui to GTK 3 (#1269328, #1266059)
+
+* Fri Oct 02 2015 Petr Lautrbach 2.4-13
+- newrole: Set keepcaps around setresuid calls
+- newrole: Open stdin as read/write
+
+* Fri Sep 04 2015 Petr Lautrbach 2.4-12
+- Fix several semanage issue (#1247714)
+- Decode output from subprocess, if error occurred (#1247039)
+
+* Wed Sep 02 2015 Petr Lautrbach 2.4-11
+- audit2allow, audit2why - ignore setlocale errors (#1208529)
+
+* Fri Aug 21 2015 Petr Lautrbach 2.4-10
+- Port sandbox to GTK 3 and fix issue with Xephyr
+
+* Thu Aug 13 2015 Petr Lautrbach 2.4-9
+- Fix another python3 issues mainly in sepolicy (#1247039,#1247575,#1251713)
+
+* Thu Aug 06 2015 Petr Lautrbach 2.4-8
+- Fix multiple python3 issues in sepolgen (#1249388,#1247575,#1247564)
+
+* Mon Jul 27 2015 Petr Lautrbach 2.4-7
+- policycoreutils-python3 depends on python-IPy-python3
+
+* Mon Jul 27 2015 Petr Lautrbach 2.4-6
+- policycoreutils-devel depends on policycoreutils-python-utils (#1246818)
+
+* Fri Jul 24 2015 Petr Lautrbach 2.4-5
+- Move python utilities from -python to -python-utilities
+- All scripts originally from policycoreutils-python use python 3 now
+
+* Fri Jul 24 2015 Petr Lautrbach 2.4-4
+- policycoreutils: semanage: fix moduleRecords deleteall method
+
+* Thu Jul 23 2015 Petr Lautrbach 2.4-3
+- Improve compatibility with python 3
+- Add sepolgen module to python3 package
+
+* Tue Jul 21 2015 Petr Lautrbach 2.4-2
+- Add Python3 support for sepolgen module (#1125208,#1125209)
+
+* Tue Jul 21 2015 Petr Lautrbach 2.4-1.1
+- Update to 2.4 release
+
+* Wed Jul 15 2015 Petr Lautrbach
2.4-0.7
+- Fix typo in semanage args for minimum policy store
+
+* Fri Jul 03 2015 Petr Lautrbach 2.4-0.6
+- policycoreutils: semanage: update to new source policy infrastructure
+- semanage: move permissive module creation to /tmp
+
+* Thu Jun 18 2015 Fedora Release Engineering - 2.3-18
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
+
+* Wed May 06 2015 Petr Lautrbach 2.3-17
+- setfiles/restorecon: fix -r/-R option (#1211721)
+
+* Mon Apr 13 2015 Petr Lautrbach 2.4-0.4
+- Update to upstream 2.4
+
+* Tue Feb 24 2015 Petr Lautrbach 2.3-16
+- Temporary removed Requires:audit-libs-python from policycoreutils-python3 subpackage (#1195139)
+- Simplication of sepolicy-manpage web functionality (#1193552)
+
+* Mon Feb 02 2015 Petr Lautrbach 2.3-15
+- We need to cover file_context.XXX.homedir to have fixfiles with exclude_dirs working correctly
+- Use dnf instead of yum (#1156547)
+
+* Tue Nov 18 2014 Dan Walsh - 2.3-14
+- Audit2allow will check for mislabeled files, and tells user to fix the label.
+- Also checks for basefiles and suggests creating a different label.
+- Patch from Ryan Hallisey
+
+* Wed Nov 5 2014 Miroslav Grepl - 2.3-13
+- Switch back to yum. Need additional fixes to make it working correctly.
+
+* Wed Nov 5 2014 Miroslav Grepl - 2.3-12
+- Switch over to dnf from yum
+
+* Tue Sep 23 2014 Miroslav Grepl - 2.3-11
+- Improvements to audit2allow from rhallise@redhat.com
+ * Check for mislabeled files.
+ * Check for base file use and
+ * Suggest writable files as alternatives
+
+* Sun Aug 17 2014 Fedora Release Engineering - 2.3-10
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
+
+* Mon Aug 4 2014 Dan Walsh - 2.3-9
+- Remove build requires for openbox, not needed
+
+* Thu Jul 31 2014 Tom Callaway - 2.3-8
+- fix license handling
+
+* Wed Jul 23 2014 Miroslav Grepl - 2.3-7
+- Examples are no longer in the main semanage man page (#1084390)
+- Add support for Fedora22 man pages.
We need to fix it to not using hardcoding.
+- Print usage for all mutually exclusive options.
+- Fix selinux man page to refer seinfo and sesearch tools.
+
+* Sat Jun 07 2014 Fedora Release Engineering - 2.3-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
+
+* Wed May 28 2014 Kalev Lember - 2.3-5
+- Rebuilt for https://fedoraproject.org/wiki/Changes/Python_3.4
+
+* Tue May 20 2014 Miroslav Grepl - 2.3-4
+- Fix setfiles to work correctly if -r option is defined
+
+* Fri May 16 2014 Dan Walsh - 2.3-3
+- Update Miroslav Grepl Patches
+ * If there is no executable we don't want to print a part of STANDARD FILE CON
+ * Add-manpages-for-typealiased-types
+ * Make fixfiles_exclude_dirs working if there is a substituion for the given d
+
+* Mon May 12 2014 Miroslav Grepl - 2.3-2
+- If there is no executable we don't want to print a part of STANDARD FILE CONTEXT
+
+* Tue May 6 2014 Dan Walsh - 2.3-1
+- Update to upstream
+ * Add -P semodule option to man page from Dan Walsh.
+ * selinux_current_policy_path will return none on a disabled SELinux system from Dan Walsh.
+ * Add new icons for sepolicy gui from Dan Walsh.
+ * Only return writeable files that are enabled from Dan Walsh.
+ * Add domain to short list of domains, when -t and -d from Dan Walsh.
+ * Fix up desktop files to match current standards from Dan Walsh.
+ * Add support to return sensitivities and categories for python from Dan Walsh.
+ * Cleanup whitespace from Dan Walsh.
+ * Add message to tell user to install sandbox policy from Dan Walsh.
+ * Add systemd unit file for mcstrans from Laurent Bigonville.
+ * Improve restorecond systemd unit file from Laurent Bigonville.
+ * Minor man pages improvements from Laurent Bigonville.
+
+* Tue May 6 2014 Miroslav Grepl - 2.2.5-15
+- Apply patch to use setcon in seunshare from luto@mit.edu
+
+* Wed Apr 30 2014 Dan Walsh - 2.2.5-14
+- Remove requirement for systemd-units
+
+* Fri Apr 25 2014 Miroslav Grepl - 2.2.5-13
+- Fix previous Fix-STANDARD_FILE_CONTEXT patch to exclude if non_exec does not exist
+
+* Thu Apr 24 2014 Miroslav Grepl - 2.2.5-12
+- Add policycoreutils-rhat-revert.patch to revert the last two commits to make build working
+- Add 0001-Fix-STANDARD_FILE_CONTEXT-section-in-man-pages patch
+
+* Tue Apr 1 2014 Dan Walsh - 2.2.5-11
+- Update Translations
+
+* Thu Mar 27 2014 Miroslav Grepl - 2.2.5-10
+- Add support for Fedora21 html manpage structure
+- Fix broken dependencies to require only usermode-gtk
+
+* Wed Mar 26 2014 Dan Walsh - 2.2.5-9
+- mgrepl [PATCH] Deleteall user customization fails if there is a user used
+- for the default login. We do not want to fail on it and continue to delete
+- customizations for users which are not used for default login.
+
+* Mon Mar 24 2014 Dan Walsh - 2.2.5-8
+- Update Translations
+- Make selinux-policy build working also on another architectures related to s
+- Miroslav grepl patch to fix the creation of man pages on different architectures.
+- Add ability to list the actual active modules
+- Fix spelling mistake on sesearch in generate man pages.
+
+* Fri Feb 14 2014 Dan Walsh - 2.2.5-7
+- Allow manpages to be built on aarch64
+
+* Fri Feb 14 2014 Dan Walsh - 2.2.5-6
+- Don't be verbose in fixfiles if there is not tty
+
+* Thu Feb 13 2014 Dan Walsh - 2.2.5-5
+- Yum should only be required for policycoreutils-devel
+
+* Tue Jan 21 2014 Dan Walsh - 2.2.5-4
+- Update translations
+
+* Thu Jan 16 2014 Dan Walsh - 2.2.5-3
+- Add Miroslav patch to
+- Fix previously_modified_initialize() to show modified changes properly for all selections
+
+* Wed Jan 8 2014 Dan Walsh - 2.2.5-2
+- Do not require /usr/share/selinux/devel/Makefile to build permissive domains
+
+* Mon Jan 6 2014 Dan Walsh - 2.2.5-1
+- Update to upstream
+ * Ignore selevel/serange if MLS is disabled from Sven Vermeulen.
+
+* Fri Jan 3 2014 Dan Walsh - 2.2.4-8
+- Update Tranlations
+- Patch from Yuri Chornoivan to fix typos
+
+* Fri Jan 3 2014 Dan Walsh - 2.2.4-7
+- Fixes Customized booleans causing a crash of the sepolicy gui
+
+* Fri Dec 20 2013 Dan Walsh - 2.2.4-6
+- Fix sepolicy gui selection for advanced screen
+- Update Translations
+- Move requires checkpolicy requirement into policycoreutils-python
+
+* Mon Dec 16 2013 Dan Walsh - 2.2.4-5
+- Fix semanage man page description of import command
+- Fix policy kit file to allow changing to permissive mode
+
+* Mon Dec 16 2013 Dan Walsh - 2.2.4-4
+- Fix broken dependencies.
+
+* Fri Dec 13 2013 Dan Walsh - 2.2.4-3
+- Break out python3 code into separate package
+
+* Fri Dec 6 2013 Dan Walsh - 2.2.4-2
+- Add mgrepl patch
+- ptrace should be a part of deny_ptrace boolean in TEMPLATETYPE_admin
+
+* Tue Dec 3 2013 Dan Walsh - 2.2.4-1
+- Update to upstream
+ * Revert automatic setting of serange and seuser in seobject; was breaking non-MLS systems.
+- Add patches for sepolicy gui from mgrepl to
+ Fix advanced_item_button_push() to allow to select an application in advanced search menu
+ Fix previously_modified_initialize() to show modified changes properly for all selections
+
+
+* Fri Nov 22 2013 Dan Walsh - 2.2.3-1
+- Update to upstream
+ * Apply polkit check on all dbus interfaces and restrict to active user from Dan Walsh.
+ * Fix typo in sepolicy gui dbus.relabel_on_boot call from Dan Walsh.
+- Apply Miroslav Grepl patch to fix TEMPLATETYPE_domtrans description in sepolicy generate
+
+* Wed Nov 20 2013 Dan Walsh - 2.2.2-2
+- Fix selinux-polgengui, get_all_modules call
+
+* Fri Nov 15 2013 Dan Walsh - 2.2.2-1
+- Speed up startup time of sepolicy gui
+- Clean up ports screen to only show enabled ports.
+- Update to upstream
+ * Remove import policycoreutils.default_encoding_utf8 from semanage from Dan Walsh.
+ * Make yum/extract_rpms optional for sepolicy generate from Dan Walsh.
+ * Add test suite for audit2allow and sepolgen-ifgen from Dan Walsh.
+
+* Thu Oct 31 2013 Dan Walsh - 2.2-2
+- Shift around some of the files to more appropriate packages.
+ * semodule_* packages are required for devel.
+* Thu Oct 31 2013 Dan Walsh - 2.2-1
+- Update to upstream
+ * Properly build the swig exception file from Laurent Bigonville.
+ * Fix man pages from Laurent Bigonville.
+ * Support overriding PATH and INITDIR in Makefile from Laurent Bigonville.
+ * Fix LDFLAGS usage from Laurent Bigonville.
+ * Fix init_policy warning from Laurent Bigonville.
+ * Fix semanage logging from Laurent Bigonville.
+ * Open newrole stdin as read/write from Sven Vermeulen.
+ * Fix sepolicy transition from Sven Vermeulen.
+ * Support overriding CFLAGS from Simon Ruderich.
+ * Create correct man directory for run_init from Russell Coker.
+ * restorecon GLOB_BRACE change from Michal Trunecka.
+ * Extend audit2why to report additional constraint information.
+ * Catch IOError errors within audit2allow from Dan Walsh.
+ * semanage export/import fixes from Dan Walsh.
+ * Improve setfiles progress reporting from Dan Walsh.
+ * Document setfiles -o option in usage from Dan Walsh.
+ * Change setfiles to always return -1 on failure from Dan Walsh.
+ * Improve setsebool error r eporting from Dan Walsh.
+ * Major overhaul of gui from Dan Walsh.
+ * Fix sepolicy handling of non-MLS policy from Dan Walsh.
+ * Support returning type aliases from Dan Walsh.
+ * Add sepolicy tests from Dan Walsh.
+ * Add org.selinux.config.policy from Dan Walsh.
+ * Improve range and user input checking by semanage from Dan Walsh.
+ * Prevent source or target arguments that end with / for substitutions from Dan Walsh.
+ * Allow use of <> for semanage fcontext from Dan Walsh.
+ * Report customized user levels from Dan Walsh.
+ * Support deleteall for restoring disabled modules from Dan Walsh.
+ * Improve semanage error reporting from Dan Walsh.
+ * Only list disabled modules for module locallist from Dan Walsh.
+ * Fix logging from Dan Walsh.
+ * Define new constants for file type character codes from Dan Walsh.
+ * Improve bash completions from Dan Walsh.
+ * Convert semanage to argparse from Dan Walsh (originally by Dave Quigley).
+ * Add semanage tests from Dan Walsh.
+ * Split semanage man pages from Dan Walsh.
+ * Move bash completion scripts from Dan Walsh.
+ * Replace genhomedircon script with a link to semodule from Dan Walsh.
+ * Fix fixfiles from Dan Walsh.
+ * Add support for systemd service for restorecon from Dan Walsh.
+ * Spelling corrections from Dan Walsh.
+ * Improve sandbox support for home dir symlinks and file caps from Dan Walsh.
+ * Switch sandbox to openbox window manager from Dan Walsh.
+ * Coalesce audit2why and audit2allow from Dan Walsh.
+ * Change audit2allow to append to output file from Dan Walsh.
+ * Update translations from Dan Walsh.
+ * Change audit2why to use selinux_current_policy_path from Dan Walsh.
+
+* Fri Oct 25 2013 Dan Walsh - 2.1.14-89
+- Fix handling of man pages.
+
+* Wed Oct 16 2013 Dan Walsh - 2.1.14-88
+- Cleanup errors found by pychecker
+- Apply patch from Michal Trunecka to allow restorecon to handle {} in globs
+
+* Fri Oct 11 2013 Dan Walsh - 2.1.14-87
+- sepolicy gui
+ - mgrepl fixes for users and login
+- Update Translations.
+
+* Fri Oct 11 2013 Dan Walsh - 2.1.14-86
+- sepolicy gui
+ - mgrepl added delete screens for users and login
+ - Fix lots of bugs.
+- Update Translations.
+
+
+* Fri Oct 4 2013 Dan Walsh - 2.1.14-85
+- Fixes for fixfiles
+ * exclude_from_dirs should apply to all types of restorecon calls
+ * fixfiles check now works
+ * exit with the correct status
+
+- semanage no longer import selinux
+
+* Wed Oct 2 2013 Dan Walsh - 2.1.14-84
+- Fixes for sepolicy gui
+- Fix setsebool to return 0 on success
+- Update Po
+
+* Mon Sep 30 2013 Dan Walsh - 2.1.14-83
+- Fix sizes of help screens in sepolicy gui
+
+* Sat Sep 28 2013 Dan Walsh - 2.1.14-82
+- Improvements to sepolicy gui
+ - Add more help information
+ - Cleanup code
+ - Add deny_ptrace on lockdown screen
+ - Make unconfined/permissivedomains lockdown work
+ - Add more support for file equivalency
+
+* Wed Sep 18 2013 Dan Walsh - 2.1.14-81
+- Add back in the help png files
+- Begin Adding support for file equivalency.
+
+* Wed Sep 4 2013 Dan Walsh - 2.1.14-80
+- Random fixes for sepolicy gui
+ * Do not prompt for password until you make a change
+ * Add user mappings and selinux users page
+ * lots of code cleanup
+
+- Verify homedir is owned by user before mounting over it with seunshare
+- Fix fixfiles to handle Relabel properly
+- Fix semanage fcontext -e / command to allow "/"
+
+* Wed Sep 4 2013 Dan Walsh - 2.1.14-79
+- Add Miroslav Grepl setsebool patch to give better error message on bad boolean names
+- Additional help screens for sepolicy gui
+
+* Tue Sep 3 2013 Dan Walsh - 2.1.14-78
+- Random fixes for sepolicy gui
+- Update Translations
+
+* Fri Aug 30 2013 Dan Walsh - 2.1.14-77
+- Add help screens for each page
+- Fixes for system page
+
+* Mon Aug 26 2013 Dan Walsh - 2.1.14-76
+- Add Miroslav Grepl Patch to handle semanage -i and semanage -o better
+- Update Translations
+
+* Thu Aug 15 2013 Dan Walsh - 2.1.14-75
+- Update sepolicy gui code, cleanups and add file transition tab
+- Fix semanage fcontext -a --ftype code to work.
+
+* Wed Aug 7 2013 Dan Walsh - 2.1.14-74
+- If policy is not installed get_bools should not crash
+
+* Wed Aug 7 2013 Dan Walsh - 2.1.14-73
+- Fix doc versioning
+
+* Tue Aug 6 2013 Dan Walsh - 2.1.14-72
+- Update sepolicy gui code, cleanups and add file transition tab
+- Fix semanage argparse problems
+
+* Fri Aug 2 2013 Dan Walsh - 2.1.14-71
+- Update sepolicy gui code, adding dbus calls
+- Update Translations
+
+* Fri Jul 26 2013 Dan Walsh - 2.1.14-70
+- Fix semanage argparse bugs
+- Update Translations
+- Add test suite for semanage command lines
+
+* Wed Jul 24 2013 Dan Walsh - 2.1.14-69
+- Fix semanage argparse bugs
+
+* Tue Jul 23 2013 Dan Walsh - 2.1.14-68
+- Fix bugs introduced by previous patch. semanage port
+- Update Translations
+- Add test suite for sepolicy command lines
+
+* Fri Jul 19 2013 Dan Walsh - 2.1.14-67
+- Fix bugs introduced by previous patch.
semanage port
+- Update Translations
+
+* Wed Jul 17 2013 Dan Walsh - 2.1.14-66
+- Rewrite argparse code in semanage and fix reload problem.
+
+* Tue Jul 16 2013 Dan Walsh - 2.1.14-65
+- Do not generate shell script or spec file for sepolicy generate --newtype
+- Update translations
+- Fix sepolicy generate --admin_user man page again
+- Fix setsebool to print less verbose error messages by default, add -V for ve
+
+* Mon Jul 15 2013 Dan Walsh - 2.1.14-64
+- Move audit2allow and audit2why back into -python package
+
+* Wed Jul 10 2013 Dan Walsh - 2.1.14-63
+- Update sepolicy gui.
+- Error out of you call sepolicy gui without policycoreutils-gui package installed
+- Fix semanage login -d command
+- Update Translations
+
+* Wed Jul 10 2013 Dan Walsh - 2.1.14-62
+- Update sepolicy gui.
+
+* Fri Jul 5 2013 Dan Walsh - 2.1.14-61
+- Add Ryan Hallisey sepolicy gui.
+- Update Translations
+
+* Mon Jun 24 2013 Dan Walsh - 2.1.14-60
+- Fix semanage module error handling
+
+* Sun Jun 23 2013 Dan Walsh - 2.1.14-59
+- Add back default exception handling for errors, which argparse rewrite removed.
+
+* Fri Jun 21 2013 Dan Walsh - 2.1.14-58
+- Fix generation of booleans in man pages
+
+* Fri Jun 21 2013 Dan Walsh - 2.1.14-57
+- Remove requires for systemd-sysv
+- Move systemd-units require to restorecond section
+- Update Tranlasions
+- More sepolicy interfaces for gui
+- Cleanup man pages for sepolicy generate
+
+* Wed Jun 19 2013 Dan Walsh - 2.1.14-56
+- Fix semanage export/import commands
+- Fix semange module command
+- Remove --version option from sandbox
+
+* Tue Jun 18 2013 Dan Walsh - 2.1.14-55
+- Add man page doc for --role and bash complestion support for sepolicy --role
+
+* Tue Jun 18 2013 Dan Walsh - 2.1.14-54
+- Make fcdict return a dictionary of dictionaries
+- Fix for sepolicy manpage
+
+* Mon Jun 17 2013 Dan Walsh - 2.1.14-53
+- Add new man pages for each semanage subsection
+
+* Mon Jun 17 2013 Dan Walsh - 2.1.14-52
+- Fix handling of sepolicy network sorting.
+- Additional interfaces needed for sepolicy gui
+
+* Thu Jun 6 2013 Dan Walsh - 2.1.14-51
+- Fix handling of semanage args
+
+* Thu Jun 6 2013 Dan Walsh - 2.1.14-50
+- Fix sepolicy generate --confined_admin to generate tunables
+- Add new interface to generate entrypoints for use with new gui
+
+* Wed Jun 5 2013 Dan Walsh - 2.1.14-49
+- Fix handing of semanage with no args
+
+* Tue Jun 4 2013 Dan Walsh - 2.1.14-48
+- Fix audit2allow -o to open file for append
+- Fix the name of the spec file generated in the build script
+
+* Fri May 31 2013 Dan Walsh - 2.1.14-47
+- Fix mgrepl patch to support all semanage command parsing
+
+* Sun May 26 2013 Dan Walsh - 2.1.14-46
+- Fix the name of the spec file generated in the build script
+- Add mgrepl patch to support argparse for semanage command parsing
+
+* Tue May 21 2013 Dan Walsh - 2.1.14-45
+- Fix sandbox to always use sandbox_file_t, so generated policy will work.
+- Update Translations
+
+* Thu May 16 2013 Dan Walsh - 2.1.14-44
+- Fix sepolicy-generate man page to clear up options/policy type
+- Add Miroslav Grepl to not generate man page when doing
+ sepolicy generate --customize
+- Add support for executing semanage user within spec file
+- Fix generation of confined admin domains, to handle booleans properly.
+
+* Tue May 14 2013 Dan Walsh - 2.1.14-43
+- Need to handle gziped policy.xml as well as not compressed.
+
+* Tue May 14 2013 Dan Walsh - 2.1.14-42
+- Add support for Xephyr -resizable, so sandbox can now resize window
+- Add support for compressed policy.xml
+- Miroslav Grepl patch to allow sepolicy interface on individual interface fil
+- Also add capability to test interfaces for correctness.
+
+* Mon May 13 2013 Dan Walsh - 2.1.14-41
+- Apply patches from Sven Vermeulen for sepolgen to fix typos.
+
+* Mon May 13 2013 Dan Walsh - 2.1.14-40
+- Only require selinux-policy-devel for policycoreutils-devel, this will shrink the size of the livecd.
+
+* Sun May 12 2013 Dan Walsh - 2.1.14-39
+- Run sepolgen-ifgen in audit2allow and sepolicy generate, if needed, first time
+- Add Sven Vermeulen patches to cleanup man pages
+
+* Fri May 10 2013 Dan Walsh - 2.1.14-38
+- No longer run sepolgen-ifgen at install time.
+- Run sepolgen-ifgen in audit2allow and sepolicy generate, if needed.
+- Update Translations
+
+* Mon Apr 22 2013 Dan Walsh - 2.1.14-37
+- Fix exceptionion hanling in audit2allow -o
+- Generate Man pages for everydomain, not just ones with exec_t entrypoints
+- sepolicy comunicate should return ValueError not TypeError
+- Trim header line in sepolicy manpage to use less space
+- Add missing options to restorecon man page
+
+* Thu Apr 11 2013 Dan Walsh - 2.1.14-36
+- Raise proper Exception on sepolicy communicate with invalid value
+
+* Wed Apr 10 2013 Dan Walsh - 2.1.14-35
+- Update translations
+- Add patch by Miroslav Grepl to add compile test for sepolicy interface command.
+
+* Tue Apr 9 2013 Dan Walsh - 2.1.14-34
+- Update translations
+- Add patch inspired by Miroslav Grepl to add extended information for sepolicy interface command.
+
+* Mon Apr 8 2013 Dan Walsh - 2.1.14-33
+- Update translations
+- Add missing man pages and fixup existing man pages
+
+* Wed Apr 3 2013 Dan Walsh - 2.1.14-32
+- Move sepolicy to policycoreutils-devel pacage, since most of it is used for devel
+- Apply Miroslav Grepl Patches for sepolicy
+-- Fix generate mutually groups option handling
+-- EUSER is used for existing policy
+-- customize options can be used together with admin_domain option
+-- Fix manpage.py to generate correct man pages for SELinux users
+-- Fix policy *.te file generated by customize+writepaths options
+-- Fix install script for confined_admin option
+
+* Mon Apr 1 2013 Dan Walsh - 2.1.14-31
+- Add post install scripts for gui to make sure Icon Cache is refreshed.
+- Fix grammar issue in secon man page
+- Update Translations
+
+* Thu Mar 28 2013 Dan Walsh - 2.1.14-30
+- Add buildrequires for OpenBox to prevent me from accidently building into RHEL7
+- Add support for returning alias data to sepolicy.info python bindings
+
+* Wed Mar 27 2013 Dan Walsh - 2.1.14-28
+- Fix audit2allow output to better align analysys with the allow rules
+- Apply Miroslav Grepl patch to clean up sepolicy generate usage
+- Apply Miroslav Grepl patch to fixupt handing of admin_user generation
+- Update Tranlslations
+
+* Wed Mar 27 2013 Dan Walsh - 2.1.14-27
+- Allow semanage fcontext -a -t "<>" ... to work
+
+* Mon Mar 25 2013 Dan Walsh - 2.1.14-26
+- Can not unshare IPC in sandbox, since it blows up Xephyr
+- Remove bogus error message sandbox about reseting setfsuid
+
+* Thu Mar 21 2013 Dan Walsh - 2.1.14-25
+- Fix sepolicy generate --customize to generate policy with -w commands
+
+* Thu Mar 21 2013 Dan Walsh - 2.1.14-24
+- sepolgen-ifgen needs to handle filename transition rules containing ":"
+
+* Tue Mar 19 2013 Dan Walsh - 2.1.14-23
+- sepolicy manpage:
+- use nroff instead of man2html
+- Remove checking for name of person who created the man page
+- audit2allow
+- Fix output to show the level that is different.
+
+* Thu Mar 14 2013 Dan Walsh - 2.1.14-22
+- Fix newrole to not drop capabilities from the bounding set.
+- Stop dropping capabilities from its children.
+- Add better error messages.
+- Change location of bash_completion files to /usr/share/bash-completion/compl
+
+* Mon Mar 11 2013 Dan Walsh - 2.1.14-21
+- sepolicy generate should look for booleans that effect equivalence names, and add them to the man page
+
+* Thu Mar 7 2013 Dan Walsh - 2.1.14-20
+- Mention creation of permissive domains in sepolicy generate man page
+- Change sepolicy manpage to use shortname with an "_" to stop accidently grabbing unrelated types for a domain.
+- Fix audit2allow to show better information on constraint violations.
+
+* Wed Mar 6 2013 Dan Walsh - 2.1.14-19
+- Have restorecon exit -1 on errors for consistancy.
+
+* Tue Mar 5 2013 Dan Walsh - 2.1.14-18
+- Need to provide a value to semanage boolean -m
+
+* Mon Mar 4 2013 Dan Walsh - 2.1.14-17
+- Fix cut and paste errors for sepolicy network command
+
+* Fri Mar 1 2013 Dan Walsh - 2.1.14-16
+- Fix sepoicy interface to work properly
+
+* Thu Feb 28 2013 Dan Walsh - 2.1.14-15
+- Fix fixfiles to use exclude_dirs on fixfiles restore
+
+* Thu Feb 28 2013 Dan Walsh - 2.1.14-14
+- Allow users with symlinked homedirs to work. call realpath on homedir
+- Fix sepolicy reorganization of helper functions.
+
+* Sun Feb 24 2013 Dan Walsh - 2.1.14-13
+- Update trans
+- Fix sepolicy reorganization of helper functions.
+
+* Sun Feb 24 2013 Rahul Sundaram - 2.1.14-13
+- remove vendor tag from desktop file. https://fedorahosted.org/fpc/ticket/247
+- clean up spec to follow current guidelines
+
+* Fri Feb 22 2013 Dan Walsh - 2.1.14-12
+- Do not load interface file by default when sepolicy is called, mov get_all_methods to the sepolicy package
+
+* Fri Feb 22 2013 Dan Walsh - 2.1.14-11
+- sepolgen-ifgen should use the current policy path if selinux is enabled
+
+* Fri Feb 22 2013 Dan Walsh - 2.1.14-10
+- Fix sepolicy to be able to work on an SELinux disabled system.
+- Needed to be able to build man pages in selinux-policy package
+
+* Thu Feb 21 2013 Dan Walsh - 2.1.14-9
+- Add yum to requires of policycoreutils-python since sepolicy requires it.
+
+* Thu Feb 21 2013 Dan Walsh - 2.1.14-8
+- Sepolixy should not throw an exception on an SELinux disabled machine
+- Switch from using console app to using pkexec, so we will work better
+with policykit.
+- Add missing import to fix system-config-selinux startup
+- Add comment to pamd files about pam_rootok.so
+- Fix sepolicy generate to not comment out the first line
+
+* Wed Feb 20 2013 Dan Walsh - 2.1.14-7
+- Add --root/-r flag to sepolicy manpage,
+- This allows us to generate man pages on the fly in the selinux-policy build
+
+* Mon Feb 18 2013 Dan Walsh - 2.1.14-6
+- Fix newrole to retain cap_audit_write when compiled with namespace, also
+do not drop capabilities when run as root.
+
+* Thu Feb 14 2013 Dan Walsh - 2.1.14-5
+- Fix man page generation and public_content description
+
+* Thu Feb 14 2013 Dan Walsh - 2.1.14-4
+- Revert some changes which are causing the wrong policy version file to be created
+- Switch sandbox to start using openbox rather then matchbox
+- Make sepolgen a symlink to sepolicy
+- update translations
+
+* Wed Feb 13 2013 Dan Walsh - 2.1.14-3
+- Fix empty system-config-selinux.png, again
+
+* Tue Feb 12 2013 Dan Walsh - 2.1.14-2
+- Fix empty system-config-selinux.png
+
+* Thu Feb 7 2013 Dan Walsh - 2.1.14-1
+- Update to upstream
+ * setfiles: estimate percent progress
+ * load_policy: make link at the destination directory
+ * Rebuild polgen.glade with glade-3
+ * sepolicy: new command to unite small utilities
+ * sepolicy: Update Makefiles and po files
+ * sandbox: use sepolicy to look for sandbox_t
+ * gui: switch to use sepolicy
+ * gui: sepolgen: use sepolicy to generate
+ * semanage: use sepolicy for boolean dictionary
+ * add po file configuration information
+ * po: stop running update-po on all
+ * semanage: seobject verify policy types before allowing you to assign them.
+ * gui: Start using Popen, instead of os.spawnl
+ * sandbox: Copy /var/tmp to /tmp as they are the same inside
+ * qualifier to shred content
+ * semanage: Fix handling of boolean_sub names when using the -F flag
+ * semanage: man: roles instead of role
+ * gui: system-config-selinux: Catch no DISPLAY= error
+ * setfiles: print error if no default label found
+ * semanage: list logins file entries in semanage login -l
+ * semanage: good error message is sepolgen python module missing
+ * gui: system-config-selinux: do not use lokkit
+ * secon: add support for setrans color information in prompt output
+ * restorecond: remove /etc/mtab from default list
+ * gui: If you are not able to read enforcemode set it to False
+ * genhomedircon: regenerate genhomedircon more often
+ * restorecond: Add /etc/udpatedb.conf to restorecond.conf
+ * genhomedircon generation to allow spec file to pass in SEMODULE_PATH
+ * fixfiles: relabel only after specific date
+ * po: update translations
+ * sandbox: seunshare: do not reassign realloc value
+ * seunshare: do checking on setfsuid
+ * sestatus: rewrite to shut up coverity
+
+* Thu Jan 31 2013 Dan Walsh - 2.1.12-58
+- Reorginize sepolicy so all get_all functions are in main module
+- Add -B capability to fixfiles onboot and fixfiles restore, basically searches for all files created since the last boot.
+
+* Fri Jan 25 2013 Dan Walsh - 2.1.12-57
+- Update to latest patches from eparis/Upstream
+- fixfiles onboot will write any flags handed to it to /.autorelabel.
+- * Patch sent to initscripts to have fedora-autorelabel pass flags back to fixfiles restore
+- * This should allow fixfiles -F onboot, to force a hard relabel.
+- Add -p to show progress on full relabel.
+
+* Tue Jan 15 2013 Dan Walsh - 2.1.12-56
+- Additional changes for bash completsion and generate man page to match the w
+- Add newtype as a new qualifier to sepolicy generate.
This new mechanism wil
+- a policy write to generate types after the initial policy has been written a
+- will autogenerate all of the interfaces.
+- I also added a -w options to allow policy writers from the command line to s
+- the writable directories of files.
+-
+- Modify network.py to include interface definitions for newly created port type
+- Standardize of te_types just like all of the other templates.
+
+- Change permissive domains creation to raise exception if sepolgen is not ins
+- get_te_results no longer needs or uses the opts parameter.
+- The compliler was complaining so I just removed the option.
+- Start returning analysis data for audit2allow
+
+* Tue Jan 15 2013 Dan Walsh - 2.1.12-55
+- Update Translations
+- Fix handling of semanage generate --cgi -n MODULE PATHTO/CGI
+- This fixes the spec file and script file getting wrong names for modules and types.
+
+* Wed Jan 9 2013 Dan Walsh - 2.1.12-54
+- Additional patch from Miroslav to handle role attributes
+
+* Wed Jan 9 2013 Dan Walsh - 2.1.12-53
+- Update with Miroslav patch to handle role attributes
+- Update Translations
+- import sepolicy will only throw exception on missing policy iff selinux is enabled
+
+* Sat Jan 5 2013 Dan Walsh - 2.1.12-52
+- Update to latest patches from eparis/Upstream
+- secon: add support for setrans color information in prompt output
+- Update translations
+
+* Fri Jan 4 2013 Dan Walsh - 2.1.12-51
+- Update translations
+- Fix sepolicy booleans to handle autogenerated booleans descriptions
+- Cleanups of sepolicy manpage
+- Fix crash on git_shell man page generation
+
+* Thu Jan 3 2013 Dan Walsh - 2.1.12-50
+- Update translations
+- update sepolicy manpage to generate fcontext equivalence data and to list
+default file context paths.
+- Add ability to generate policy for confined admins and domains like puppet.
+
+* Thu Dec 20 2012 Dan Walsh - 2.1.12-49
+- Fix semanage permissive , this time with the patch.
+- Update translations
+
+* Wed Dec 19 2012 Dan Walsh - 2.1.12-48
+- Fix semanage permissive
+- Change to use correct gtk forward button
+- Update po
+
+* Mon Dec 17 2012 Dan Walsh - 2.1.12-47
+- Move audit2why to -devel package
+
+* Mon Dec 17 2012 Dan Walsh - 2.1.12-46
+- sepolicy transition was blowing up. Also cleanup output when only source is specified.
+- sepolicy generate should allow policy modules names that include - or _
+
+* Mon Dec 10 2012 Dan Walsh - 2.1.12-45
+- Apply patch from Miroslav to display proper range description in man pages g
+- Should print warning on missing default label when run in recusive mode iff
+- Remove extra -R description, and fix recursive description
+
+* Thu Dec 6 2012 Dan Walsh - 2.1.12-44
+- Additional fixes for disabled SELinux Box
+- system-config-selinux no longer relies on lokkit for /etc/selinux/config
+
+* Thu Dec 6 2012 Dan Walsh - 2.1.12-43
+- sepolicy should failover to installed policy file on a disabled SELinux box, if it exists.
+
+* Wed Dec 5 2012 Dan Walsh - 2.1.12-42
+- Update Translations
+- sepolicy network -d needs to accept multiple domains
+
+* Fri Nov 30 2012 Dan Walsh - 2.1.12-41
+- Add --path as a parameter to sepolicy generate
+- Print warning message if program does not exists when generating policy, and do not attempt to run nm command
+- Fix sepolicy generate -T to not take an argument, and supress the help message
+- Since this is really just a testing tool
+
+* Fri Nov 30 2012 Dan Walsh - 2.1.12-40
+- Fix sepolicy communicate to handle invalid input
+
+* Thu Nov 29 2012 Dan Walsh - 2.1.12-39
+- Fix sepolicy network -p to handle high ports
+
+* Thu Nov 29 2012 Dan Walsh - 2.1.12-38
+- Fix handling of manpages without entrypoints, nsswitch domains
+- Update Translations
+
+* Wed Nov 28 2012 Dan Walsh - 2.1.12-37
+- Move sepogen python bindings back into policycoreutils-python out of -devel, since sepolicy is using the
+
+* Tue Nov 27 2012 Dan Walsh - 2.1.12-36
+- Fix sepolicy/__init__.py to
handle _()
+
+* Wed Nov 21 2012 Dan Walsh - 2.1.12-35
+- Add Miroslav Grepl patch to create etc_rw_t sock files policy
+
+* Fri Nov 16 2012 Dan Walsh - 2.1.12-34
+- Fix semanage to work without policycoreutils-devel installed
+- Update translations
+
+* Tue Nov 13 2012 Dan Walsh - 2.1.12-33
+- Fix semanage login -l to list contents of /etc/selinux/POLICY/logins directory
+
+* Tue Nov 13 2012 Dan Walsh - 2.1.12-32
+- Fix booleansPage not showing booleans
+- Fix audit2allow -b
+
+* Tue Nov 13 2012 Dan Walsh - 2.1.12-31
+- Fix sepolicy booleans again
+- Fix man page
+
+* Mon Nov 12 2012 Dan Walsh - 2.1.12-30
+- Move policy generation tools into policycoreutils-devel
+
+* Mon Nov 12 2012 Dan Walsh - 2.1.12-29
+- Document and fix sepolicy booleans
+- Update Translations
+- Fix several spelling mistakes
+
+* Wed Nov 7 2012 Dan Walsh - 2.1.12-27
+- Only report restorecon warning for missing default label, if not running
+recusively
+- Update translations
+
+* Mon Nov 5 2012 Dan Walsh - 2.1.12-26
+- Fix semanage booleans -l, move more boolean_dict handling into sepolicy
+- Update translations
+- Fixup sepolicy generate to discover /var/log, /var/run and /var/lib directories if they match the name
+- Fix kill function call should indicate signal_perms not kill capability
+- Error out cleanly in system-config-selinux, if it can not contact XServer
+
+* Mon Nov 5 2012 Dan Walsh - 2.1.12-25
+- Remove run_init, no longer needed with systemd.
+- Fix sepolicy generate to not include subdirs in generated fcontext file.
(mgrepl patch)
+
+* Sat Nov 3 2012 Dan Walsh - 2.1.12-24
+- Fix manpage to generate proper man pages for alternate policy,
+basically allow me to build RHEL6 man pages on a Fedora 18 box, as long as
+I pull the policy, policy.xml and file_contexts and file_contexts.homedir
+
+* Thu Nov 1 2012 Dan Walsh - 2.1.12-23
+- Fix some build problems in sepolicy manpage and sepolicy transition
+
+* Tue Oct 30 2012 Dan Walsh - 2.1.12-22
+- Add alias man pages to sepolicy manpage
+
+* Mon Oct 29 2012 Dan Walsh - 2.1.12-21
+- Redesign sepolicy to only read the policy file once, not for every call
+
+* Mon Oct 29 2012 Dan Walsh - 2.1.12-20
+- Fixes to sepolicy transition, allow it to list all transitions from a domain
+
+* Sat Oct 27 2012 Dan Walsh - 2.1.12-19
+- Change sepolicy python bindings to have python pick policy file, fixes weird memory problems in sepolicy network
+
+* Fri Oct 26 2012 Dan Walsh - 2.1.12-18
+- Allow sepolicy to specify the policy to generate content from
+
+* Thu Oct 25 2012 Dan Walsh - 2.1.12-17
+- Fix semanage boolean -F to handle boolean subs
+
+* Thu Oct 25 2012 Dan Walsh - 2.1.12-16
+- Add Miroslav Grepl patch to generate html man pages
+- Update Translations
+- Add option to sandbox to shred files before deleting
+
+* Mon Oct 22 2012 Dan Walsh - 2.1.12-15
+- Add Requires(post) PKGNAME to sepolicy generate /usr/bin/pkg
+
+* Fri Oct 19 2012 Dan Walsh - 2.1.12-14
+- Add role_allow to sepolicy.search python bindings, this allows us to remove last requirement for setools-cmdline in gui tools.
+- Fix man page generator.
+
+* Wed Oct 17 2012 Dan Walsh - 2.1.12-13
+- Remove dwalsh@redhat.com from man pages
+- Fix spec file for sepolicy generate
+
+* Wed Oct 17 2012 Dan Walsh - 2.1.12-12
+- Add missing spec.py from templates directory needed for sepolicy generate
+- Add /var/tmp as collection point for sandbox apps.
+
+* Tue Oct 16 2012 Dan Walsh - 2.1.12-11
+- Handle audit2allow -b in foreign locales
+
+* Tue Oct 16 2012 Dan Walsh - 2.1.12-10
+- Update sepolicy generate with patch to create spec file and man page.
+- Patch initiated by Miroslav Grepl
+
+* Wed Oct 10 2012 Dan Walsh - 2.1.12-9
+- Fix semanage to verify that types are appropriate for commands.
+ * Patch initiated by mgrepl
+ * Fixes problem of specifying non file_types for fcontext, or not port_types for semanage port
+
+* Tue Oct 9 2012 Dan Walsh - 2.1.12-8
+- Fix typo in preunstall line for restorecond
+- Add mgrepl patch to consolidate file context generated by sepolicy generate
+
+* Mon Oct 8 2012 Dan Walsh - 2.1.12-7
+- Fix manpage generation, missing import
+- Add equiv_dict to get samba booleans into smbd_selinux
+- Add proper translations for booleans and remove selinux.tbl
+
+* Sat Oct 6 2012 Dan Walsh - 2.1.12-6
+- Fix system-config-selinux to use sepolicy.generate instead of sepolgen
+
+* Thu Oct 4 2012 Dan Walsh - 2.1.12-5
+- Add sepolicy commands, and change tools to use them.
+
+* Tue Sep 25 2012 Dan Walsh - 2.1.12-4
+- Rebuild without bogus prebuild 64 bit seunshare app
+
+* Sun Sep 16 2012 Dan Walsh - 2.1.12-3
+- Allow fixfiles to specify -v, so they can get verbosity rather then progress.
+- Fix load_file Makefile to use SBINDIR rather then real OS.
+- Fix man pages in setfiles and restorecon to reflect what happens when you relabel the entire OS.
+
+* Sun Sep 16 2012 Dan Walsh - 2.1.12-2
+- Use systemd post install scriptlets
+
+* Thu Sep 13 2012 Dan Walsh - 2.1.12-1
+- Update to upstream
+ * genhomedircon: manual page improvements
+ * setfiles/restorecon minor improvements
+ * run_init: If open_init_pty is not available then just use exec
+ * newrole: do not drop capabilities when newrole is run as
+ * restorecon: only update type by default
+ * scripts: Don't syslog setfiles changes on a fixfiles restore
+ * setfiles: do not syslog if no changes
+ * Disable user restorecond by default
+ * Make restorecon return 0 when a file has changed context
+ * setfiles: Fix process_glob error handling
+ * semanage: allow enable/disable under -m
+ * add .tx to gitignore
+ * translations: commit translations from Fedora community
+ * po: silence build process
+ * gui: Checking in policy to support polgengui and sepolgen.
+ * gui: polgen: search for systemd subpackage when generating policy
+ * gui: for exploring booleans
+ * gui: system-config-selinux gui
+ * Add Makefiles to support new gui code
+ * gui: remove lockdown wizard
+ * return equivalency records in fcontext customized
+ * semanage: option to not load new policy into kernel after
+ * sandbox: manpage update to describe standard types
+ * setsebool: -N should not reload policy on changes
+ * semodule: Add -N qualifier to no reload kernel policy
+ * gui: polgen: sort selinux types of user controls
+ * gui: polgen: follow symlinks and get the real path to
+ * gui: Fix missing error function
+ * setfiles: return errors when bad paths are given
+ * fixfiles: tell restorecon to ignore missing paths
+ * setsebool: error when setting multiple options
+ * semanage: use boolean subs.
+ * sandbox: Make sure Xephyr never listens on tcp ports + * sepolgen: return and output constraint violation information + * semanage: skip comments while reading external configuration files + * restorecond: relabel all mount runtime files in the restorecond example + * genhomedircon: dynamically create genhomedircon + * Allow returning of bastard matches + * sepolgen: return and output constraint violation information + * audit2allow: one role/type pair per line + +* Wed Aug 8 2012 Dan Walsh - 2.1.11-6 +- Change polgen to generate dbus apps as optional so they can compile on minimal policy system, patch from Miroslav Grepl + +* Fri Jul 27 2012 Dan Walsh - 2.1.11-5 +- Fix sepolgen/audit2allow to handle multiple role/types in avc messages properly + +* Thu Jul 19 2012 Dan Walsh - 2.1.11-4 +- Fix restorecon to generate a better percentage of completion on restorecon -R /. +- Have audit2allow look at the constaint violation and tell the user whether it +- is because of user,role or level + + +* Wed Jul 11 2012 Dan Walsh - 2.1.11-3 +- userapps is generating sandbox code in polgengui + +* Thu Jul 5 2012 Dan Walsh - 2.1.11-2 +- Remove load_policy symbolic link on usrmove systems this breaks the system + +* Wed Jul 4 2012 Dan Walsh - 2.1.11-1 +- Update to upstream + - policycoreutils + * restorecond: wrong options should exit with non-zero error code + * restorecond: Add -h option to get usage command + * resorecond: user: fix fd leak + * mcstrans: add -f to run in foreground + * semanage: fix man page range and level defaults + * semanage: bash completion for modules should include -a,-m, -d + * semanage: manpage update for -e + * semanage: dontaudit off should work + * semanage: locallist option does not take an argument + * sepolgen: Make use of setools optional within sepolgen + - sepolgen + * Make use of setools optional within sepolgen + * We need to support files that have a + in them + +* Thu May 24 2012 Dan Walsh - 2.1.11-18 +- Make restorecon exit with an 
error on a bad path + +* Thu May 24 2012 Dan Walsh - 2.1.11-17 +- Fix setsebool command, handling of = broken. +- Add missing error option in booleansPage + +* Sun May 20 2012 Dan Walsh - 2.1.11-16 +- Fix sepolgen to use realpath on executables handed to it. - Brian Bickford + +* Fri May 18 2012 Dan Walsh - 2.1.11-15 +- Allow stream sock_files to be stored in /tmp and etc_rw_t directories by sepolgen +- Trigger on selinux-policy needs to change to selinux-policy-devel +- Update translations +- Fix semanage dontaudit off/on exception + +* Tue May 8 2012 Dan Walsh - 2.1.11-12 +- Add -N qualifier to semanage, setsebool and semodule to allow you to update +- policy without reloading it into the kernel. + +* Thu May 3 2012 Dan Walsh - 2.1.11-11 +- add some definition to the standard types available for sandboxes + +* Tue May 1 2012 Dan Walsh - 2.1.11-10 +- Remove lockdown wizard + +* Mon Apr 30 2012 Dan Walsh - 2.1.11-9 +- Fix semanage fcontext -E to extract the equivalance customizations. + +* Thu Apr 26 2012 Dan Walsh - 2.1.11-8 +- Add mgrepl patch to have sepolgen search for -systemd rpm packages + +* Tue Apr 24 2012 Dan Walsh - 2.1.11-7 +- Apply Stef Walter patch for semanage man page + +* Mon Apr 23 2012 Dan Walsh - 2.1.11-6 +- Rebuild to get latest libsepol which fixes the file_name transition problems +- Update translations +- Fix calls to close fd for restorecond + +* Fri Apr 13 2012 Dan Walsh - 2.1.11-5 +- Update translations +- Fix sepolgen to discover unit files in /lib/systemd/ + +* Tue Apr 3 2012 Dan Walsh - 2.1.11-4 +- Update translations +- Fix segfault on restorecon + +* Tue Apr 3 2012 Dan Walsh - 2.1.11-3 +- Allow filename transitions to use + in a file name + +* Fri Mar 30 2012 Dan Walsh - 2.1.11-2 +- Change policycoreutils-python to require selinux-policy-devel package + +* Thu Mar 29 2012 Dan Walsh - 2.1.11-1 +- Update to upstream + - policycoreutils + * sandbox: do not propogate inside mounts outside + * sandbox: Removing sandbox init script, should 
no longer be necessary
+ * restorecond: Stop using deprecated interfaces for g_io
+ * semanage: proper auditting of user changes for LSPP
+ * semanage: audit message to show what record(s) and item(s) have chaged
+ * scripts: Update Makefiles to handle /usrmove
+ * mcstrans: Version should have been bumped on last check in
+ * seunshare: Only drop caps not the Bounding Set from seunshare
+ * Add bash-completion scripts for setsebool and semanage
+ * newrole: Use correct capng calls in newrole
+ * Fix infinite loop with inotify on 2.6.31 kernels
+ * fix ftbfs with hardening flags
+ * Only run setfiles if we found read-write filesystems to run it on
+ * update .po files
+ * remove empty po files
+ * do not fail to install if unable to make load_policy lnk file
+
+ - sepolgen
+ * Fix dead links to www.nsa.gov/selinux
+ * audit.py Dont crash if empty data is passed to sepolgen
+ * do not use md5 when calculating hash signatures
+ * fix detection of policy loads
+
+* Wed Mar 28 2012 Dan Walsh - 2.1.10-30
+- Have sepolgen script specify the pp file with the make command. From mgrepl.
+
+* Wed Mar 21 2012 Dan Walsh - 2.1.10-29
+- Fix sepolgen handling of unit files.
+
+* Thu Mar 8 2012 Dan Walsh - 2.1.10-28
+- Require selinux-policy-doc
+
+* Thu Mar 8 2012 Dan Walsh - 2.1.10-27
+- Fix unit file handling in sepolgen
+
+* Wed Feb 29 2012 Dan Walsh - 2.1.10-26
+- Add bash_command completion for setsebool/getsebool
+
+* Mon Feb 27 2012 Dan Walsh - 2.1.10-25
+- Disable restorecond on desktop by default
+- Change seunshare to not modify the bounding set
+
+* Mon Feb 20 2012 Dan Walsh - 2.1.10-24
+- Stop using sandbox init in post install since it no longer exists.
+
+* Thu Feb 16 2012 Dan Walsh - 2.1.10-23
+- Change to use new selinux_current_policy_path()
+
+* Wed Feb 15 2012 Dan Walsh - 2.1.10-22
+- Change to use new selinux_binary_policy_path()
+- Add systemd_passwd_agent_exec($1), and systemd_read_fifo_file_passwd_run($1) to templates for _admin interface
+
+* Fri Feb 3 2012 Dan Walsh - 2.1.10-21
+- On full relabels we will now show a estimated percent complete rather then
+just *s.
+
+* Wed Feb 1 2012 Dan Walsh - 2.1.10-20
+- Add unit_file.py for sepolgen
+
+* Tue Jan 31 2012 Dan Walsh - 2.1.10-19
+- Change sepolgen to use sha256 instead of md5
+
+* Mon Jan 30 2012 Dan Walsh - 2.1.10-18
+- Stop syslogging on full restore
+- Stop syslogging when restorecon is not changing values
+
+* Fri Jan 27 2012 Dan Walsh - 2.1.10-17
+- Change semanage to produce proper audit records for Common Criteria
+- Cleanup packaging for usrmove
+
+* Thu Jan 26 2012 Harald Hoyer 2.1.10-16
+- fixed load_policy location
+
+* Thu Jan 26 2012 Harald Hoyer 2.1.10-15
+- fixed load_policy location
+
+* Thu Jan 26 2012 Harald Hoyer 2.1.10-14
+- fixed load_policy location
+
+* Wed Jan 25 2012 Harald Hoyer 2.1.10-13
+- add filesystem guard
+
+* Wed Jan 25 2012 Harald Hoyer 2.1.10-12
+- install everything in /usr
+ https://fedoraproject.org/wiki/Features/UsrMove
+
+* Tue Jan 24 2012 Dan Walsh - 2.1.10-11
+- restorecond fixes:
+ Stop using depracated g_io interfaces
+ Exit with non zero exit code if wrong options given
+ Add -h option
+
+* Thu Jan 19 2012 Dan Walsh - 2.1.10-10
+- Eliminate not needed Requires
+
+* Wed Jan 18 2012 Dan Walsh - 2.1.10-9
+- fix sepolgen to not crash on echo "" | audit2allow
+
+* Mon Jan 16 2012 Dan Walsh - 2.1.10-8
+- Remove sandbox init script, should no longer be necessary
+
+* Sun Jan 15 2012 Dan Walsh - 2.1.10-7
+- Add unit file support to sepolgen, and cleanup some of the output.
+
+* Mon Jan 9 2012 Dan Walsh - 2.1.10-5
+- Fix English in templates for sepolgen
+
+* Fri Dec 23 2011 Dan Walsh - 2.1.10-4
+- Fix the handling of namespaces in seunshare/sandbox.
+- Currently mounting of directories within sandbox is propogating to the
+- parent namesspace.
+
+* Thu Dec 22 2011 Dan Walsh - 2.1.10-3
+- Add umount code to seunshare to cleanup left over mounts of /var/tmp
+
+* Wed Dec 21 2011 Dan Walsh - 2.1.10-2
+- Remove open_init_pty
+
+* Wed Dec 21 2011 Dan Walsh - 2.1.10-1
+-Update to upstream
+- sepolgen
+ * better analysis of why things broke
+- policycoreutils
+ * Remove excess whitespace
+ * sandbox: Add back in . functions to sandbox.init script
+ * Fix Makefile to match other policycoreutils Makefiles
+ * semanage: drop unused translation getopt
+
+* Thu Dec 15 2011 Dan Walsh - 2.1.9-3
+- Bump libsepol version requires rebuild
+
+* Wed Dec 7 2011 Dan Walsh - 2.1.9-2
+- Add back accidently dropped patches for semanage
+
+* Tue Dec 6 2011 Dan Walsh - 2.1.9-1
+- Upgrade to upstream
+ * sandbox: move sandbox.conf.5 to just sandbox.5
+ * po: Makefile use -p to preserve times to allow multilib simultatious installs
+ * of po files
+ * sandbox: Allow user to specify the DPI value for X in a sandbox
+ * sandbox: make sure the domain launching sandbox has at least 100 categories
+ * sandbox: do not try forever to find available category set
+ * sandbox: only complain if sandbox unable to launch
+ * sandbox: init script run twice is still successful
+ * semanage: print local and dristo equiv rules
+ * semanage: check file equivalence rules for conflict
+ * semanage: Make sure semanage fcontext -l -C prints even if local keys
+ * are not defined
+ * semanage: change src,dst to target,substitute for equivalency
+ * sestatus: Updated sestatus and man pages.
+ * Added SELinux config file man page.
+ * add clean target to man Makefile
+
+* Wed Nov 30 2011 Dan Walsh - 2.1.8-8
+- Fix semange fcontext -a to check for more conflicts on equivalency
+
+* Tue Nov 29 2011 Dan Walsh - 2.1.8-7
+- Fix dpi handling in sandbox
+- Make sure semanage fcontext -l -C prints if only local equiv have changed
+
+* Wed Nov 16 2011 Dan Walsh - 2.1.8-6
+- Add listing of distribution equivalence class from semanage fcontext -l
+- Add checking to semanage fcontext -a to guarantee a file specification will not be masked by an equivalence
+
+* Wed Nov 16 2011 Dan Walsh - 2.1.8-5
+- Allow ~ as a valid part of a filename in sepolgen
+
+* Fri Nov 11 2011 Dan Walsh - 2.1.8-4
+- sandbox init script should always return 0
+- sandbox command needs to check range of categories and report error if not big enough
+
+* Mon Nov 7 2011 Dan Walsh - 2.1.8-3
+- Allow user to specify DPI when running sandbox
+
+* Mon Nov 7 2011 Dan Walsh - 2.1.8-2
+- Add Miroslav patch to return all attributes
+
+* Fri Nov 4 2011 Dan Walsh - 2.1.8-1
+- Upgrade to policycoreutils upstream
+ * sandbox: Maintain the LANG environment into the sandbox
+ * audit2allow: use audit2why internally
+ * fixfiles: label /root but not /var/lib/BackupPC
+ * semanage: update local boolean settings is dealing with localstore
+ * semanage: missing modify=True
+ * semanage: set modified correctly
+ * restorecond: make restorecond dbuss-able
+ * restorecon: Always check return code on asprintf
+ * restorecond: make restorecond -u exit when terminal closes
+ * sandbox: introduce package name and language stuff
+ * semodule_package: remove semodule_unpackage on clean
+ * fix sandbox Makefile to support DESTDIR
+ * semanage: Add -o description to the semanage man page
+ * make use of the new realpath_not_final function
+ * setfiles: close /proc/mounts file when finished
+ * semodule: Document semodule -p in man page
+ * setfiles: fix use before initialized
+ * restorecond: Add .local/share as a directory to watch
+- Upgrade to sepolgen
upstream
+ * Ignore permissive qualifier if found in an interface
+ * Return name field in avc data
+
+* Mon Oct 31 2011 Dan Walsh - 2.1.7-6
+- Rebuild versus newer libsepol
+
+* Fri Oct 28 2011 Dan Walsh - 2.1.7-5
+- A couple of minor coverity fixes for a potential leaked file descriptor
+- An an unchecked return code.
+- Add ~/.local/share/* to restorecond_user watches
+
+* Thu Oct 13 2011 Dan Walsh - 2.1.7-4
+- Have sepolgen return name field in AVC
+
+* Thu Oct 6 2011 Dan Walsh - 2.1.7-3
+- restorecond -u needs to watch terminal for exit if run outside of dbus.
+
+* Tue Oct 4 2011 Dan Walsh - 2.1.7-2
+- Do not drop capabilities if running newrole as root
+
+* Fri Sep 30 2011 Dan Walsh - 2.1.7-1
+-Update to upstream
+ * semanage: fix indentation error in seobject
+
+* Thu Sep 29 2011 Dan Walsh - 2.1.6-3
+- Ignore permissive commands in interfaces
+
+* Thu Sep 29 2011 Dan Walsh - 2.1.6-2
+- Remove gnome requirement from polgengui
+
+* Mon Sep 19 2011 Dan Walsh - 2.1.6-1
+-Update to upstream
+ policycoreutils-2.1.6
+ * sepolgen-ifgen: new attr-helper does something
+ * audit2allow: use alternate policy file
+ * audit2allow: sepolgen-ifgen use the attr helper
+ * setfiles: switch from stat to stat64
+ * setfiles: Fix potential crash using dereferenced ftsent
+ * setfiles: do not wrap * output at 80 characters
+ * sandbox: add -Wall and -Werror to makefile
+ * sandbox: add sandbox cgroup support
+ * sandbox: rewrite /tmp handling
+ * sandbox: do not bind mount so much
+ * sandbox: add level based kill option
+ * sandbox: cntrl-c should kill entire process control group
+ * Create a new preserve_tunables flag in sepol_handle_t.
+ * semanage: show running and disk setting for booleans
+ * semanage: Dont print heading if no items selected
+ * sepolgen: audit2allow is mistakakenly not allowing valid module names
+ * semanage: Catch RuntimeErrors, that can be generated when SELinux is disabled
+ * More files to ignore
+ * tree: default make target to all not install
+ * sandbox: do not load unused generic init functions
+ sepolgen-1.1.2
+ * src: sepolgen: add attribute storing infrastructure
+ * Change perm-map and add open to try to get better results on
+ * look for booleans that might solve problems
+ * sepolgen: audit2allow is mistakakenly not allowing valid module names
+ * tree: default make target to all not install
+
+* Wed Sep 14 2011 Dan Walsh - 2.1.5-6
+- Change separator on -L from ; to :
+
+* Thu Sep 8 2011 Dan Walsh - 2.1.5-5
+- Add back lockdown wizard for booleans using pywebkitgtk
+
+* Wed Sep 7 2011 Dan Walsh - 2.1.5-4
+- Maintain the LANG environment Variable into the sandbox
+- Change restorecon/setfiles to only change type part of the context unless
+ -f qualifier is given
+
+* Tue Sep 6 2011 Dan Walsh - 2.1.5-3
+- Remove lockdown wizard, since gtkhtml2 is no longer supported.
+
+* Fri Sep 2 2011 Dan Walsh - 2.1.5-2
+- Allow setfiles and restorecon to use labeledprefix to speed up processing
+and limit memory.
+
+* Tue Aug 30 2011 Dan Walsh - 2.1.5-1
+-Update to upstream
+ * policycoreutils
+ * setfiles: Fix process_glob to handle error situations
+ * sandbox: Allow seunshare to run as root
+ * sandbox: trap sigterm to make sure sandbox
+ * sandbox: pass DPI from the desktop
+ * sandbox: seunshare: introduce helper spawn_command
+ * sandbox: seunshare: introduce new filesystem helpers
+ * sandbox: add -C option to not drop
+ * sandbox: split seunshare caps dropping
+ * sandbox: use dbus-launch
+ * sandbox: numerous simple updates to sandbox
+ * sandbox: do not require selinux context
+ * sandbox: Makefile: new man pages
+ * sandbox: rename dir to srcdir
+ * sandbox: allow users specify sandbox window size
+ * sandbox: check for paths up front
+ * sandbox: use defined values for paths rather
+ * sandbox: move seunshare globals to the top
+ * sandbox: whitespace fix
+ * semodule_package: Add semodule_unpackage executable
+ * setfiles: get rid of some stupid globals
+ * setfiles: move exclude_non_seclabel_mounts to a generic location
+ * sepolgen
+ * refparser: include open among valid permissions
+ * refparser: add support for filename_trans rules
+
+* Thu Aug 18 2011 Dan Walsh - 2.1.4-2
+- Fix bug in glob handling for restorecon
+
+* Thu Aug 18 2011 Dan Walsh - 2.1.4-1
+-Update to upstream
+2.1.4 2011-08-17
+ * run_init: clarification of the usage in the
+ * semanage: fix usage header around booleans
+ * semanage: remove useless empty lines
+ * semanage: update man page with new examples
+ * semanage: update usage text
+ * semanage: introduce file context equivalencies
+ * semanage: enable and disable modules
+ * semanage: output all local modifications
+ * semanage: introduce extraction of local configuration
+ * semanage: cleanup error on invalid operation
+ * semanage: handle being called with no arguments
+ * semanage: return sooner to save CPU time
+ * semanage: surround getopt with try/except
+ * semanage: use define/raise instead of lots of
+ * semanage: some
options are only valid for
+ * semanage: introduce better deleteall support
+ * semanage: do not allow spaces in file
+ * semanage: distinguish between builtin and local permissive
+ * semanage: centralized ip node handling
+ * setfiles: make the restore function exclude() non-static
+ * setfiles: use glob to handle ~ and
+ * fixfiles: do not hard code types
+ * fixfiles: stop trying to be smart about
+ * fixfiles: use new kernel seclabel option
+ * fixfiles: pipe everything to cat before sending
+ * fixfiles: introduce /etc/selinux/fixfiles_exclude_dirs
+ * semodule: support for alternative root paths
+
+2.1.3 2011-08-03
+ * semanage: fix indention
+ * semodule_package: fix man page typo
+ * semodule_expand: update man page with -a
+ * semanage: handle os errors
+ * semanage: fix traceback with bad options
+ * semanage: show usage on -h or --help
+ * semanage: introduce more deleteall options
+ * semanage: verify ports < 65536
+ * transaction into semanageRecords
+ * make get_handle a method of semanageRecords
+ * remove a needless blank line
+ * make process_one error if not initialized correctly
+ * fixfiles: correct usage for r_opts.rootpath
+ * put -p in help for restorecon and
+ * fixfiles: do not try to only label
+ * fixfiles clean up /var/run and /var/lib/debug
+ * fixfiles delete tmp sockets and pipes rather
+ * fixfile use find -delete instead of pipe
+ * chcat man page typo
+ * add man page for genhomedircon
+ * setfiles fix typo
+ * setsebool should inform users they need to
+ * setsebool typos
+ * open_init_tty man page typos
+ * Don't add user site directory to sys.path
+ * newrole retain CAP_SETPCAP
+
+2.1.2 2011-08-02
+ * seunshare: define _GNU_SOURCE earlier
+ * make ignore_enoent do something
+ * restorecond: first user logged in is not noticed
+ * Repo: update .gitignore
+
+2.1.1 2011-08-01
+ * Man page updates
+ * restorecon fix for bad inotify assumptions
+
+2.1.0 2011-07-27
+ * Release, minor version bump
+
+* Tue Jul 26 2011 Dan Walsh
2.0.86-20
+- Fix sepolgen usage statement
+- Stop using -k insandbox
+- Fix seunshare usage statement
+
+* Thu Jul 7 2011 Dan Walsh 2.0.86-18
+- Change seunshare to send kill signals to the childs session.
+- Also add signal handler to catch sigint, so if user enters ctrl-C sandbox will shutdown.
+
+* Wed Jul 6 2011 Dan Walsh 2.0.86-17
+- Add -k qualifier to seunshare to have it attempt to kill all processes with
+the matching MCS label.
+
+* Tue Jul 5 2011 Dan Walsh 2.0.86-16
+- Add -C option to sandbox and seunshare to maintain capabilities, otherwise
+the bounding set will be dropped.
+- Change --cgroups short name -c rather then -C for consistancy
+- Fix memory and fd leaks in seunshare
+
+* Wed Jun 29 2011 Jóhann B. Guðmundsson - 2.0.86-15
+- Introduce systemd unit file for restorecond drop SysV support
+
+* Mon Jun 13 2011 Dan Walsh 2.0.86-14
+- Do not drop capability bounding set in seunshare, this allows sandbox to
+- run setuid apps.
+
+* Fri Jun 10 2011 Dan Walsh 2.0.86-13
+- Add semanage-bash-completion.sh script
+
+* Tue Jun 7 2011 Dan Walsh 2.0.86-12
+- Remove mount -o bind calls from sandbox init script
+- pam_namespace now has this built in.
+
+* Tue Jun 7 2011 Dan Walsh 2.0.86-11
+- Pass desktop dpi to sandbox Xephyr window
+
+* Mon Jun 6 2011 Dan Walsh 2.0.86-10
+- Allow semodule to pick alternate root for selinux files
+- Add ~/.config/* to restorcond_user.conf, so restorecond will watch for mislabeled files in this directory.
+
+* Wed May 25 2011 Dan Walsh 2.0.86-9
+- Fix var_spool template read_spool_files
+- Fix sepolgen to handle filename transitions
+
+* Mon May 23 2011 Dan Walsh 2.0.86-8
+- Templates cleanedup by Dominic Grift
+
+* Fri Apr 29 2011 Dan Walsh 2.0.86-7
+- Clean up some of the templates for sepolgen
+
+* Fri Apr 22 2011 Dan Walsh 2.0.86-6
+- Apply patches from Christoph A.
+ * fix sandbox title
+ * stop xephyr from li
+- Also ignore errors on sandbox include of directory missing files
+
+* Thu Apr 21 2011 Dan Walsh 2.0.86-5
+- rebuild versus latest libsepol
+
+* Mon Apr 18 2011 Dan Walsh 2.0.86-4
+- Change fixfiles restore to delete unlabeled sockets in /tmp
+
+* Mon Apr 18 2011 Dan Walsh 2.0.86-2
+- rebuild versus latest libsepol
+
+* Tue Apr 12 2011 Dan Walsh 2.0.86-1
+- Update to upstream
+ * Use correct color range in mcstrand by Richard Haines.
+
+* Mon Apr 11 2011 Dan Walsh 2.0.85-30
+- Add Elia Pinto patches to allow user to specify directories to ignore
+
+* Tue Apr 5 2011 Dan Walsh 2.0.85-29
+- Fix policycoreutils-sandbox description
+
+* Tue Mar 29 2011 Dan Walsh 2.0.85-28
+- rsynccmd should run outside of execcon
+
+* Thu Mar 24 2011 Dan Walsh 2.0.85-27
+- Fix semange node handling of ipv6 addresses
+
+* Wed Mar 23 2011 Dan Walsh 2.0.85-26
+- Fix sepolgen-ifgen call, add -p option
+
+* Wed Mar 23 2011 Dan Walsh 2.0.85-25
+- Fix sepolgen-ifgen call
+
+* Fri Mar 18 2011 Dan Walsh 2.0.85-24
+- Fix rsync command to work if the directory is old.
+- Fix all tests
+
+* Wed Mar 16 2011 Dan Walsh 2.0.85-23
+- Fix sepolgen to generate network polcy using generic_if and genric_node versus all_if and all_node
+
+* Wed Mar 16 2011 Dan Walsh 2.0.85-22
+- Return to original seunshare man page
+
+* Fri Mar 11 2011 Dan Walsh 2.0.85-21
+- change default location of HOMEDIR in sandbox to /tmp/.sandbox_home_*
+- This will allow default sandboxes to work on NFS homedirs without allowing
+ access to homedir data
+
+* Fri Mar 11 2011 Dan Walsh 2.0.85-20
+- Change sepolgen-ifgen to search all available policy files
+- Exit in restorecond if it can not find a UID in the passwd database
+
+* Wed Mar 9 2011 Dan Walsh 2.0.85-19
+- Fix portspage in system-config-selinux to not crash
+- More fixes for seunshare from Tomas Hoger
+
+* Tue Mar 8 2011 Dan Walsh 2.0.85-18
+- put back in old handling of -T in sandbox command
+- Put back setsid in seunshare
+- Fix rsync to maintain times
+
+* Tue Mar 8 2011 Dan Walsh 2.0.85-17
+- Use rewritten seunshare from thoger
+
+* Mon Mar 7 2011 Dan Walsh 2.0.85-16
+- Require python-IPy for policycoreutils-python package
+- Fixes for sepologen
+ - Usage statement needs -n name
+ - Names with _ are being prevented
+ - dbus apps should get _chat interface
+
+* Thu Mar 3 2011 Dan Walsh 2.0.85-15
+- Fix error message in seunshare, check for tmpdir existance before unlink.
+
+* Fri Feb 25 2011 Dan Walsh 2.0.85-13
+- Rewrite seunshare to make sure /tmp is mounted stickybit owned by root
+- Only allow names in polgengui that contain letters and numbers
+- Fix up node handling in semanage command
+- Update translations
+
+* Wed Feb 09 2011 Fedora Release Engineering - 2.0.85-12
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
+
+* Thu Feb 3 2011 Dan Walsh 2.0.85-11
+- Fix sandbox policy creation with udp connect ports
+
+* Thu Feb 3 2011 Dan Walsh 2.0.85-10
+- Cleaup selinux-polgengui to be a little more modern, fix comments and use selected name
+- Cleanup chcat man page
+
+* Wed Feb 2 2011 Dan Walsh 2.0.85-9
+- Report full errors on OSError on Sandbox
+
+* Fri Jan 21 2011 Dan Walsh 2.0.85-8
+- Fix newrole hanlding of pcap
+
+* Wed Jan 19 2011 Dan Walsh 2.0.85-7
+- Have restorecond watch more directories in homedir
+
+* Fri Jan 14 2011 Dan Walsh 2.0.85-6
+- Add sandbox to sepolgen
+
+* Thu Jan 6 2011 Dan Walsh 2.0.85-4
+- Fix proper handling of getopt errors
+- Do not allow modules names to contain spaces
+
+* Wed Jan 5 2011 Dan Walsh 2.0.85-3
+- Polgengui raises the wrong type of exception.
#471078
+- Change semanage to not allow it to semanage module -D
+- Change setsebool to suggest run as root on failure
+
+* Wed Dec 22 2010 Dan Walsh 2.0.85-2
+- Fix restorecond watching utmp file for people logging in our out
+
+* Tue Dec 21 2010 Dan Walsh 2.0.85-1
+- Update to upstream
+
+* Thu Dec 16 2010 Dan Walsh 2.0.84-5
+- Change to allow sandbox to run on nfs homedirs, add start python script
+
+* Wed Dec 15 2010 Dan Walsh 2.0.84-4
+- Move seunshare to sandbox package
+
+* Mon Nov 29 2010 Dan Walsh 2.0.84-3
+- Fix sandbox to show correct types in usage statement
+
+* Mon Nov 29 2010 Dan Walsh 2.0.84-2
+- Stop fixfiles from complaining about missing dirs
+
+* Mon Nov 22 2010 Dan Walsh 2.0.84-1
+- Update to upstream
+- List types available for sandbox in usage statement
+
+* Mon Nov 22 2010 Dan Walsh 2.0.83-37
+- Don't report error on load_policy when system is disabled.
+
+* Mon Nov 8 2010 Dan Walsh 2.0.83-36
+- Fix up problems pointed out by solar designer on dropping capabilities
+
+* Mon Nov 1 2010 Dan Walsh 2.0.83-35
+- Check if you have full privs and reset otherwise dont drop caps
+
+* Mon Nov 1 2010 Dan Walsh 2.0.83-34
+- Fix setools require line
+
+* Fri Oct 29 2010 Dan Walsh 2.0.83-33
+- Move /etc/pam.d/newrole in to polcicycoreutils-newrole
+- Additional capability checking in sepolgen
+
+* Mon Oct 25 2010 Dan Walsh 2.0.83-32
+- Remove setuid flag and replace with file capabilities
+- Fix sandbox handling of files with spaces in them
+
+* Wed Sep 29 2010 jkeating - 2.0.83-31
+- Rebuilt for gcc bug 634757
+
+* Thu Sep 23 2010 Dan Walsh 2.0.83-30
+- Move restorecond into its own subpackage
+
+* Thu Sep 23 2010 Dan Walsh 2.0.83-29
+- Fix semanage man page
+
+* Mon Sep 13 2010 Dan Walsh 2.0.83-28
+- Add seremote, to allow the execution of command inside the sandbox from outside the sandbox.
+
+* Mon Sep 13 2010 Dan Walsh 2.0.83-27
+- Fix sandbox copyfile when copying a dir with a socket, print error
+
+* Fri Sep 10 2010 Dan Walsh 2.0.83-26
+- Stop polgengui from crashing if selinux policy is not installed
+
+* Thu Sep 9 2010 Dan Walsh 2.0.83-25
+- Fix bug preventing sandbox from using -l
+
+* Tue Sep 7 2010 Dan Walsh 2.0.83-24
+- Eliminate quotes fro desktop files
+
+* Mon Aug 30 2010 Dan Walsh 2.0.83-23
+- Add -w windowsize patch from Christoph A.
+
+* Mon Aug 30 2010 Dan Walsh 2.0.83-22
+- Update po
+
+* Wed Aug 25 2010 Dan Walsh 2.0.83-21
+- Update po
+
+* Tue Aug 24 2010 Dan Walsh 2.0.83-20
+- Tighten down seunshare to create /tmp dir with sticky bit and MS_NODEV | MS_NOSUID | MS_NOEXEC;
+- Remove setsid on seunshare so ^c on sandbox will cause apps to exit
+- Add dbus-launch --exit-with-session so all processes launched within the sandbox exit with the sandbox
+- Clean up error handling so error will get sent back to sandbox tool
+
+* Mon Aug 23 2010 Dan Walsh 2.0.83-19
+- Fix translation handling in file context page of system-config-selinux
+
+* Fri Aug 13 2010 Dan Walsh 2.0.83-18
+- Fix sandbox error handling
+
+* Fri Aug 13 2010 Dan Walsh 2.0.83-17
+- Apply patch to restorecond from Chris Adams, which will cause restorecond
+- to watch first user that logs in.
+
+* Thu Aug 12 2010 Dan Walsh 2.0.83-16
+- Add COPYING file to doc dir
+
+* Thu Aug 5 2010 Dan Walsh 2.0.83-15
+- Update po and translations
+Resolves: #610473
+
+* Thu Aug 5 2010 Dan Walsh 2.0.83-14
+- More fixes for polgen tools
+
+* Thu Aug 5 2010 Dan Walsh 2.0.83-13
+- Remove requirement to run selinux-polgen as root
+
+* Thu Aug 5 2010 Dan Walsh 2.0.83-12
+- Update po and translations
+- Fix gui policy generation tools
+
+* Wed Aug 4 2010 Dan Walsh 2.0.83-11
+- Update po and translations
+
+* Sat Jul 31 2010 David Malcolm - 2.0.83-10
+- rebuild against python 2.7
+
+* Wed Jul 28 2010 Dan Walsh 2.0.83-9
+- Update selinux-polgengui to sepolgen policy generation
+
+* Wed Jul 28 2010 Dan Walsh 2.0.83-8
+- Fix invalid free in seunshare and fix man page
+
+* Tue Jul 27 2010 Dan Walsh 2.0.83-7
+- Update translations
+
+* Mon Jul 26 2010 Dan Walsh 2.0.83-6
+- Fix sandbox man page
+
+* Wed Jul 21 2010 David Malcolm - 2.0.83-5
+- Rebuilt for https://fedoraproject.org/wiki/Features/Python_2.7/MassRebuild
+
+* Tue Jul 20 2010 Dan Walsh 2.0.83-4
+- Add translations for menus
+- Fixup man page from Russell Coker
+
+* Tue Jun 15 2010 Dan Walsh 2.0.83-3
+- Change python scripts to use -s flag
+- Update po
+
+* Tue Jun 15 2010 Dan Walsh 2.0.83-1
+- Update to upstream
+ * Add sandbox support from Dan Walsh with modifications from Steve Lawrence.
+
+* Tue Jun 15 2010 Dan Walsh 2.0.82-31
+- Fix sepolgen code generation
+Resolve: #603001
+
+* Tue Jun 8 2010 Dan Walsh 2.0.82-30
+- Add cgroup support for sandbox
+
+* Mon Jun 7 2010 Dan Walsh 2.0.82-29
+- Allow creation of /var/cache/DOMAIN from sepolgen
+
+* Thu Jun 3 2010 Dan Walsh 2.0.82-28
+- Fix sandbox init script
+- Add dbus-launch to sandbox -X
+Resolve: #599599
+
+* Thu Jun 3 2010 Dan Walsh 2.0.82-27
+- Move genhomedircon.8 to same package as genhomedircon
+- Fix sandbox to pass unit test
+Resolves: #595796
+
+* Wed Jun 2 2010 Dan Walsh 2.0.82-26
+- Fix listing of booleans from audit2allow
+
+* Wed Jun 2 2010 Dan Walsh 2.0.82-25
+- Fix audit2allow to output if the current policy has avc
+- Update translations
+- Fix icon
+
+* Thu May 27 2010 Dan Walsh 2.0.82-24
+- Man page fixes
+- sandbox fixes
+- Move seunshare to base package
+
+* Fri May 21 2010 Dan Walsh 2.0.82-23
+- Fix seunshare translations
+- Fix seunshare to work on all arches
+- Fix icon for system-config-selinux
+Resolves: #595276
+
+* Fri May 21 2010 Dan Walsh 2.0.82-22
+- Fix can_exec definition in sepolgen
+
+* Fri May 21 2010 Dan Walsh 2.0.82-21
+- Add man page for seunshare and genhomedircon
+Resolves: #594303
+- Fix node management via semanage
+
+* Wed May 19 2010 Dan Walsh 2.0.82-20
+- Fixes from upstream for sandbox command
+Resolves: #580938
+
+* Thu May 13 2010 Dan Walsh 2.0.82-18
+- Fix sandbox error handling on copyfile
+- Fix desktop files
+
+* Tue May 11 2010 Dan Walsh 2.0.82-17
+- Fix policy tool to have correct name in menus
+- Fix seunshare to handle /tmp being in ~/home
+- Fix saving of altered files
+- Update translations
+
+* Tue May 4 2010 Dan Walsh 2.0.82-15
+- Allow audit2allow to specify alternative policy file for analysis
+
+* Mon May 3 2010 Dan Walsh 2.0.82-14
+- Update po
+- Fix sepolgen --no_attrs
+Resolves: #588280
+
+* Thu Apr 29 2010 Dan Walsh 2.0.82-13
+- Make semanage boolean work on disabled machines and during livecd xguest
+- Fix homedir and tmpdir
handling in sandbox
+Resolves: #587263
+
+* Wed Apr 28 2010 Dan Walsh 2.0.82-11
+- Make semanage boolean work on disabled machines
+
+* Tue Apr 27 2010 Dan Walsh 2.0.82-10
+- Make sepolgen-ifgen be quiet
+
+* Wed Apr 21 2010 Dan Walsh 2.0.82-8
+- Make sepolgen report on more interfaces
+- Fix system-config-selinux display of modules
+
+* Thu Apr 15 2010 Dan Walsh 2.0.82-7
+- Fix crash when args are empty
+Resolves: #582542
+- Fix semange to exit on bad options
+- Fix semanage dontaudit man page section
+Resolves: #582533
+
+* Wed Apr 14 2010 Dan Walsh 2.0.82-6
+- Remove debug line from semanage
+- Update po
+
+* Tue Apr 13 2010 Dan Walsh 2.0.82-5
+- Fix sandbox comment on HOMEDIRS
+- Fix sandbox to throw error on bad executable
+
+* Tue Apr 6 2010 Dan Walsh 2.0.82-4
+- Fix spacing in templates
+
+* Wed Mar 31 2010 Dan Walsh 2.0.82-3
+- Fix semanage return codes
+
+* Tue Mar 30 2010 Dan Walsh 2.0.82-2
+- Fix sepolgen to confirm to the "Reference Policy Style Guide"
+
+* Tue Mar 23 2010 Dan Walsh 2.0.82-1
+- Update to upstream
+ * Add avc's since boot from Dan Walsh.
+ * Fix unit tests from Dan Walsh.
+
+* Tue Mar 23 2010 Dan Walsh 2.0.81-4
+- Update to upstream - sepolgen
+ * Add since-last-boot option to audit2allow from Dan Walsh.
+ * Fix sepolgen output to match what Chris expects for upstream
+ refpolicy from Dan Walsh.
+
+* Mon Mar 22 2010 Dan Walsh 2.0.81-3
+- Allow restorecon on > 2 Gig files
+
+* Tue Mar 16 2010 Dan Walsh 2.0.81-2
+- Fix semanage handling of boolean options
+- Update translations
+
+* Fri Mar 12 2010 Dan Walsh 2.0.81-1
+- Update to upstream
+ * Add dontaudit flag to audit2allow from Dan Walsh.
+
+* Thu Mar 11 2010 Dan Walsh 2.0.80-2
+- Use --rbind in sandbox init scripts
+
+* Mon Mar 8 2010 Dan Walsh 2.0.80-1
+- Update to upstream
+ * Module enable/disable support from Dan Walsh.
+
+* Mon Mar 1 2010 Dan Walsh 2.0.79-5
+- Rewrite of sandbox script, add unit test for sandbox
+- Update translations
+
+* Mon Mar 1 2010 Dan Walsh 2.0.79-4
+- Fix patch for dontaudit rules from audit2allow for upstream acceptance
+
+* Fri Feb 26 2010 Dan Walsh 2.0.79-3
+- Fixes for fixfiles
+
+* Wed Feb 17 2010 Dan Walsh 2.0.79-2
+- Fix sandbox to complain if mount-shared has not been run
+- Fix to use /etc/sysconfig/sandbox
+
+* Tue Feb 16 2010 Dan Walsh 2.0.79-1
+- Update to upstream
+ * Fix double-free in newrole
+- Fix python language handling
+
+* Thu Feb 11 2010 Dan Walsh 2.0.78-21
+- Fix display of command in sandbox
+
+* Fri Feb 5 2010 Dan Walsh 2.0.78-20
+- Catch OSError in semanage
+
+* Wed Feb 3 2010 Dan Walsh 2.0.78-19
+- Fix seobject and fixfiles
+
+* Fri Jan 29 2010 Dan Walsh 2.0.78-17
+- Change seobject to use translations properly
+
+* Thu Jan 28 2010 Dan Walsh 2.0.78-16
+- Cleanup spec file
+Resolves: 555835
+
+* Thu Jan 28 2010 Dan Walsh 2.0.78-15
+- Add use_resolve to sepolgen
+
+* Wed Jan 27 2010 Dan Walsh 2.0.78-14
+- Add session capability to sandbox
+- sandbox -SX -H ~/.homedir -t unconfined_t -l s0:c15 /etc/gdm/Xsession
+
+* Thu Jan 21 2010 Dan Walsh 2.0.78-13
+- Fix executable template for fifo files
+
+* Tue Jan 19 2010 Dan Walsh 2.0.78-12
+- Fix patch xod xmodmap
+- Exit 0 from script
+
+* Thu Jan 14 2010 Dan Walsh 2.0.78-11
+- Run with the same xdmodmap in sandbox as outside
+- Patch from Josh Cogliati
+
+* Fri Jan 8 2010 Dan Walsh 2.0.78-10
+- Fix sepolgen to not generate user sh section on non user policy
+
+* Fri Jan 8 2010 Dan Walsh 2.0.78-9
+- Add -e to semanage man page
+- Add -D qualifier to audit2allow to generate dontaudit rules
+
+* Wed Jan 6 2010 Dan Walsh 2.0.78-8
+- Speed up audit2allow processing of audit2why comments
+
+* Fri Dec 18 2009 Dan Walsh 2.0.78-7
+- Fixes to sandbox man page
+
+* Thu Dec 17 2009 Dan Walsh 2.0.78-6
+- Add setools-libs-python to requires for gui
+
+* Wed Dec 16 2009 Dan Walsh 2.0.78-5
+- If
restorecond running as a user has no files to watch then it should exit. (NFS Homedirs)
+
+* Thu Dec 10 2009 Dan Walsh 2.0.78-4
+- Move sandbox man page to base package
+
+* Tue Dec 8 2009 Dan Walsh 2.0.78-3
+- Fix audit2allow to report constraints, dontaudits, types, booleans
+
+* Fri Dec 4 2009 Dan Walsh 2.0.78-2
+- Fix restorecon -i to ignore enoent
+
+* Tue Dec 1 2009 Dan Walsh 2.0.78-1
+- Update to upstream
+ * Remove non-working OUTFILE from fixfiles from Dan Walsh.
+ * Additional exception handling in chcat from Dan Walsh.
+
+ * fix sepolgen to read a "type 1403" msg as a policy load by Stephen
+ Smalley
+ * Add support for Xen ocontexts from Paul Nuzzi.
+
+* Tue Nov 24 2009 Dan Walsh 2.0.77-1
+- Update to upstream
+ * Fixed bug preventing semanage node -a from working
+ from Chad Sellers
+ * Fixed bug preventing semanage fcontext -l from working
+ from Chad Sellers
+- Change semanage to use unicode
+
+* Wed Nov 18 2009 Dan Walsh 2.0.76-1
+- Update to upstream
+ * Remove setrans management from semanage, as it does not work
+ from Dan Walsh.
+ * Move load_policy from /usr/sbin to /sbin from Dan Walsh.
+
+* Mon Nov 16 2009 Dan Walsh 2.0.75-3
+- Raise exception if user tries to add file context with an embedded space
+
+* Wed Nov 11 2009 Dan Walsh 2.0.75-2
+- Fix sandbox to setsid so it can run under mozilla without crashing the session
+
+* Mon Nov 2 2009 Dan Walsh 2.0.75-1
+- Update to upstream
+ * Factor out restoring logic from setfiles.c into restore.c
+
+* Fri Oct 30 2009 Dan Walsh 2.0.74-15
+- Fix typo in seobject.py
+
+* Fri Oct 30 2009 Dan Walsh 2.0.74-14
+- Allow semanage -i and semanage -o to generate customization files.
+- semanage -o will generate a customization file that semanage -i can read and set a machines to the same selinux configuration
+
+* Tue Oct 20 2009 Dan Walsh 2.0.74-13
+- Fix restorecond man page
+
+* Mon Oct 19 2009 Dan Walsh 2.0.74-12
+- Add generation of the users context file to polgengui
+
+* Fri Oct 16 2009 Dan Walsh 2.0.74-11
+- Remove tabs from system-config-selinux glade file
+
+* Thu Oct 15 2009 Dan Walsh 2.0.74-10
+- Remove translations screen from system-config-selinux
+
+* Wed Oct 14 2009 Dan Walsh 2.0.74-9
+- Move fixfiles man pages into the correct package
+- Add genhomedircon to fixfiles restore
+
+* Tue Oct 6 2009 Dan Walsh 2.0.74-8
+- Add check to sandbox to verify save changes - Chris Pardy
+- Fix memory leak in restorecond - Steve Grubb
+
+* Thu Oct 1 2009 Dan Walsh 2.0.74-7
+- Fixes Templates
+
+* Thu Oct 1 2009 Dan Walsh 2.0.74-6
+- Fixes for polgengui to handle tcp ports correctly
+- Fix semanage node -a
+
+* Wed Sep 30 2009 Dan Walsh 2.0.74-5
+- Fixes for semanage -equiv, readded modules, --enable, --disable
+
+* Sun Sep 20 2009 Dan Walsh 2.0.74-4
+- Close sandbox when eclipse exits
+
+* Fri Sep 18 2009 Dan Walsh 2.0.74-3
+- Security fixes for seunshare
+- Fix Sandbox to handle non file input to command.
+
+* Thu Sep 17 2009 Dan Walsh 2.0.74-2
+- Security fixes for seunshare
+
+* Thu Sep 17 2009 Dan Walsh 2.0.74-1
+- Update to upstream
+ * Change semodule upgrade behavior to install even if the module
+ is not present from Dan Walsh.
+ * Make setfiles label if selinux is disabled and a seclabel aware
+ kernel is running from Caleb Case.
+ * Clarify forkpty() error message in run_init from Manoj Srivastava.
+
+* Mon Sep 14 2009 Dan Walsh 2.0.73-5
+- Fix sandbox to handle relative paths
+
+* Mon Sep 14 2009 Dan Walsh 2.0.73-4
+- Add symbolic link to load_policy
+
+* Mon Sep 14 2009 Dan Walsh 2.0.73-3
+- Fix restorecond script to use force-reload
+
+* Tue Sep 8 2009 Dan Walsh 2.0.73-2
+- Fix init script to show status in usage message
+
+* Tue Sep 8 2009 Dan Walsh 2.0.73-1
+- Update to upstream
+ * Add semanage dontaudit to turn off dontaudits from Dan Walsh.
+ * Fix semanage to set correct mode for setrans file from Dan Walsh.
+ * Fix malformed dictionary in portRecord from Dan Walsh.
+ * Restore symlink handling support to restorecon based on a patch by
+ Martin Orr. This fixes the restorecon /dev/stdin performed by Debian
+ udev scripts that was broken by policycoreutils 2.0.70.
+
+* Thu Sep 3 2009 Dan Walsh 2.0.71-15
+- Add DAC_OVERRIED to seunshare
+
+* Wed Sep 2 2009 Bill Nottingham 2.0.71-15
+- Fix typo
+
+* Fri Aug 28 2009 Dan Walsh 2.0.71-14
+- Add enable/disable patch
+
+* Thu Aug 27 2009 Tomas Mraz - 2.0.71-13
+- rebuilt with new audit
+
+* Wed Aug 26 2009 Dan Walsh 2.0.71-12
+- Tighten up controls on seunshare.c
+
+* Wed Aug 26 2009 Dan Walsh 2.0.71-11
+- Add sandboxX
+
+* Sat Aug 22 2009 Dan Walsh 2.0.71-10
+- Fix realpath usage to only happen on argv input from user
+
+* Fri Aug 21 2009 Ville Skyttä - 2.0.71-9
+- Don't try to remove restorecond after last erase (done already in %%preun).
+- Ensure scriptlets exit with status 0.
+- Fix %%post and %%pr
+
+* Thu Aug 20 2009 Dan Walsh 2.0.71-7
+- Fix glob handling of /..
+
+* Wed Aug 19 2009 Dan Walsh 2.0.71-6
+- Redesign restorecond to use setfiles/restore functionality
+
+* Wed Aug 19 2009 Dan Walsh 2.0.71-5
+- Fix sepolgen again
+
+* Tue Aug 18 2009 Dan Walsh 2.0.71-4
+- Add --boot flag to audit2allow to get all AVC messages since last boot
+
+* Tue Aug 18 2009 Dan Walsh 2.0.71-3
+- Fix semanage command
+
+* Thu Aug 13 2009 Dan Walsh 2.0.71-2
+- exclude unconfined.if from sepolgen
+
+* Thu Aug 13 2009 Dan Walsh 2.0.71-1
+- Fix chcat to report error on non existing file
+- Update to upstream
+ * Modify setfiles/restorecon checking of exclude paths. Only check
+ user-supplied exclude paths (not automatically generated ones based on
+ lack of seclabel support), don't require them to be directories, and
+ ignore permission denied errors on them (it is ok to exclude a path to
+ which the caller lacks permission).
+
+* Mon Aug 10 2009 Dan Walsh 2.0.70-2
+- Don't warn if the user did not specify the exclude if root can not stat file system
+
+* Wed Aug 5 2009 Dan Walsh 2.0.70-1
+- Update to upstream
+ * Modify restorecon to only call realpath() on user-supplied pathnames
+ from Stephen Smalley.
+ * Fix typo in fixfiles that prevented it from relabeling btrfs
+ filesystems from Dan Walsh.
+
+* Wed Jul 29 2009 Dan Walsh 2.0.68-1
+- Fix location of man pages
+- Update to upstream
+ * Modify setfiles to exclude mounts without seclabel option in
+ /proc/mounts on kernels >= 2.6.30 from Thomas Liu.
+ * Re-enable disable_dontaudit rules upon semodule -B from Christopher
+ Pardy and Dan Walsh.
+ * setfiles converted to fts from Thomas Liu.
+
+* Sun Jul 26 2009 Fedora Release Engineering - 2.0.64-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
+
+* Tue Jul 7 2009 Tom "spot" Callaway 2.0.64-2
+- fix multiple directory ownership of mandirs
+
+* Fri Jun 26 2009 Dan Walsh 2.0.64-1
+- Update to upstream
+ * Keep setfiles from spamming console from Dan Walsh.
+ * Fix chcat's category expansion for users from Dan Walsh.
+- Update po files
+- Fix sepolgen
+
+* Thu Jun 4 2009 Dan Walsh 2.0.63-5
+- Add sepolgen executable
+
+* Mon Jun 1 2009 Dan Walsh 2.0.63-4
+- Fix Sandbox option handling
+- Fix fixfiles handling of btrfs
+
+* Tue May 26 2009 Dan Walsh 2.0.63-3
+- Fix sandbox to be able to execute files in homedir
+
+* Fri May 22 2009 Dan Walsh 2.0.63-2
+- Change polgen.py to be able to generate policy
+
+* Wed May 20 2009 Dan Walsh 2.0.63-1
+- Update to upstream
+ * Fix transaction checking from Dan Walsh.
+ * Make fixfiles -R (for rpm) recursive.
+ * Make semanage permissive clean up after itself from Dan Walsh.
+ * add /root/.ssh/* to restorecond.conf
+
+* Wed Apr 22 2009 Dan Walsh 2.0.62-14
+- Fix audit2allow -a to retun /var/log/messages
+
+* Wed Apr 22 2009 Dan Walsh 2.0.62-13
+- Run restorecond as a user service
+
+* Thu Apr 16 2009 Dan Walsh 2.0.62-12
+- Add semanage module support
+
+* Tue Apr 14 2009 Dan Walsh 2.0.62-10
+- Do not print \n, if count < 1000;
+
+* Sat Apr 11 2009 Dan Walsh 2.0.62-9
+- Handle case where subs file does not exist
+
+* Wed Apr 8 2009 Dan Walsh 2.0.62-8
+- Update po files
+- Add --equiv command for semanage
+
+* Tue Mar 31 2009 Dan Walsh 2.0.62-7
+- Cleanup creation of permissive domains
+- Update po files
+
+* Mon Mar 23 2009 Dan Walsh 2.0.62-6
+- Update po files
+
+* Thu Mar 12 2009 Dan Walsh 2.0.62-5
+- Fix semanage transations
+
+* Sat Mar 7 2009 Dan Walsh 2.0.62-4
+- Update polgengui templates to match current upstream policy
+
+* Thu Feb 26 2009 Fedora Release Engineering - 2.0.62-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
+
+* Mon Feb 23 2009 Dan Walsh 2.0.62-2
+- Add /root/.ssh to restorecond.conf
+- fixfiles -R package should recursively fix files
+
+* Wed Feb 18 2009 Dan Walsh 2.0.62-1
+- Update to upstream
+ * Add btrfs to fixfiles from Dan Walsh.
+ * Remove restorecond error for matching globs with multiple hard links
+ and fix some error messages from Dan Walsh.
+ * Make removing a non-existant module a warning rather than an error
+ from Dan Walsh.
+ * Man page fixes from Dan Walsh.
+
+* Mon Feb 16 2009 Dan Walsh 2.0.61-10
+- Fix script created by polgengui to not refer to selinux-policy-devel
+
+* Mon Feb 9 2009 Dan Walsh 2.0.61-9
+- Change initc scripts to use proper labeling on gui
+
+* Mon Feb 9 2009 Dan Walsh 2.0.61-8
+- Add obsoletes to cause policycoreuils to update both python and non python version
+
+* Fri Jan 30 2009 Dan Walsh 2.0.61-7
+- Dont report errors on glob match and multiple links
+
+* Thu Jan 22 2009 Dan Walsh 2.0.61-6
+- Move sepolgen-ifgen to post python
+
+* Wed Jan 21 2009 Dan Walsh 2.0.61-4
+- Fix Translations
+
+* Tue Jan 20 2009 Dan Walsh 2.0.61-3
+- Add Domains Page to system-config-selinux
+- Add ability to create dbus confined applications to polgen
+
+* Wed Jan 14 2009 Dan Walsh 2.0.61-2
+- Split python into a separate package
+
+* Tue Jan 13 2009 Dan Walsh 2.0.61-1
+- Update to upstream
+ * chcat: cut categories at arbitrary point (25) from Dan Walsh
+ * semodule: use new interfaces in libsemanage for compressed files
+ from Dan Walsh
+ * audit2allow: string changes for usage
+
+* Tue Jan 6 2009 Dan Walsh 2.0.60-7
+- Don't error out when removing a non existing module
+
+* Mon Dec 15 2008 Dan Walsh 2.0.60-6
+- fix audit2allow man page
+
+* Wed Dec 10 2008 Dan Walsh 2.0.60-5
+- Fix Japanese translations
+
+* Sat Dec 6 2008 Dan Walsh 2.0.60-4
+- Change md5 to hashlib.md5 in sepolgen
+
+* Thu Dec 04 2008 Ignacio Vazquez-Abrams - 2.0.60-3
+- Rebuild for Python 2.6
+
+* Tue Dec 2 2008 Dan Walsh 2.0.60-2
+- Fix error checking in restorecond, for inotify_add_watch
+
+* Mon Dec 1 2008 Dan Walsh 2.0.60-1
+- Update to upstream
+ * semanage: use semanage_mls_enabled() from Stephen Smalley.
+
+* Sat Nov 29 2008 Ignacio Vazquez-Abrams - 2.0.59-2
+- Rebuild for Python 2.6
+
+* Tue Nov 11 2008 Dan Walsh 2.0.59-1
+- Update to upstream
+ * fcontext add checked local records twice, fix from Dan Walsh.
+
+* Mon Nov 10 2008 Dan Walsh 2.0.58-1
+- Update to upstream
+ * Allow local file context entries to override policy entries in
+ semanage from Dan Walsh.
+ * Newrole error message corrections from Dan Walsh.
+ * Add exception to audit2why call in audit2allow from Dan Walsh.
+
+* Fri Nov 7 2008 Dan Walsh 2.0.57-12
+- add compression
+
+* Tue Nov 04 2008 Jesse Keating - 2.0.57-11
+- Move the usermode-gtk requires to the -gui subpackage.
+
+* Thu Oct 30 2008 Dan Walsh 2.0.57-10
+- Fix traceback in audit2why
+
+* Wed Oct 29 2008 Dan Walsh 2.0.57-9
+- Make GUI use translations
+
+* Wed Oct 29 2008 Dan Walsh 2.0.57-8
+- Fix typo in man page
+
+* Tue Oct 28 2008 Dan Walsh 2.0.57-7
+- Handle selinux disabled correctly
+- Handle manipulation of fcontext file correctly
+
+* Mon Oct 27 2008 Dan Walsh 2.0.57-6
+- Add usermode-gtk requires
+
+* Thu Oct 23 2008 Dan Walsh 2.0.57-5
+- Allow addition of local modifications of fcontext policy.
+
+* Mon Oct 20 2008 Dan Walsh 2.0.57-4
+- Fix system-config-selinux booleanspage throwing and exception
+- Update po files
+
+* Fri Oct 17 2008 Dan Walsh 2.0.57-3
+- Fix text in newrole
+- Fix revertbutton on booleans page in system-config-selinux
+
+* Wed Oct 1 2008 Dan Walsh 2.0.57-2
+- Change semodule calls for libsemanage
+
+* Wed Oct 1 2008 Dan Walsh 2.0.57-1
+- Update to upstream
+ * Update po files from Dan Walsh.
+
+* Fri Sep 12 2008 Dan Walsh 2.0.56-1
+- Fix semanage help display
+- Update to upstream
+ * fixfiles will now remove all files in /tmp and will check for
+ unlabeled_t in /tmp and /var/tmp from Dan Walsh.
+ * add glob support to restorecond from Dan Walsh.
+ * allow semanage to handle multi-line commands in a single transaction
+ from Dan Walsh.
+
+* Thu Sep 11 2008 Dan Walsh 2.0.55-8
+- Only call gen_requires once in sepolgen
+
+* Tue Sep 9 2008 Dan Walsh 2.0.55-7
+- Change Requires line to gnome-python2-gnome
+- Fix spelling mistakes
+- Require libselinux-utils
+
+* Mon Sep 8 2008 Dan Walsh 2.0.55-5
+- Add node support to semanage
+
+* Mon Sep 8 2008 Dan Walsh 2.0.55-4
+- Fix fixfiles to correct unlabeled_t files and remove .? files
+
+* Wed Sep 3 2008 Dan Walsh 2.0.55-2
+- Add glob support to restorecond so it can check every file in the homedir
+
+* Thu Aug 28 2008 Dan Walsh 2.0.55-1
+- Update to upstream
+ * Merged semanage node support from Christian Kuester.
+
+* Fri Aug 15 2008 Dan Walsh 2.0.54-7
+- Add require libsemanage-python
+
+* Mon Aug 11 2008 Dan Walsh 2.0.54-6
+- Add missing html_util.py file
+
+* Thu Aug 7 2008 Dan Walsh 2.0.54-5
+- Fixes for multiple transactions
+
+* Wed Aug 6 2008 Dan Walsh 2.0.54-2
+- Allow multiple transactions in one semanage command
+
+* Tue Aug 5 2008 Dan Walsh 2.0.54-1
+- Update to upstream
+ * Add support for boolean files and group support for seusers from Dan Walsh.
+ * Ensure that setfiles -p output is newline terminated from Russell Coker.
+
+* Fri Aug 1 2008 Dan Walsh 2.0.53-3
+- Allow semanage user to add group lists % groupname
+
+* Tue Jul 29 2008 Dan Walsh 2.0.53-2
+- Fix help
+
+* Tue Jul 29 2008 Dan Walsh 2.0.53-1
+- Update to upstream
+ * Change setfiles to validate all file_contexts files when using -c from Stephen Smalley.
+
+* Tue Jul 29 2008 Dan Walsh 2.0.52-6
+- Fix boolean handling
+- Upgrade to latest sepolgen
+- Update po patch
+
+* Wed Jul 9 2008 Dan Walsh 2.0.52-5
+- Additial cleanup of boolean handling for semanage
+
+* Tue Jul 8 2008 Dan Walsh 2.0.52-4
+- Handle ranges of ports in gui
+
+* Tue Jul 8 2008 Dan Walsh 2.0.52-3
+- Fix indent problems in seobject
+
+* Wed Jul 2 2008 Dan Walsh 2.0.52-2
+- Add lockdown wizard
+- Allow semanage booleans to take an input file an process lots of booleans at once.
+
+* Wed Jul 2 2008 Dan Walsh 2.0.52-1
+- Default prefix to "user"
+
+* Tue Jul 1 2008 Dan Walsh 2.0.50-2
+- Remove semodule use within semanage
+- Fix launching of polgengui from toolbar
+
+* Mon Jun 30 2008 Dan Walsh 2.0.50-1
+- Update to upstream
+ * Fix audit2allow generation of role-type rules from Karl MacMillan.
+
+* Tue Jun 24 2008 Dan Walsh 2.0.49-10
+- Fix spelling of enforcement
+
+* Mon Jun 23 2008 Dan Walsh 2.0.49-8
+- Fix sepolgen/audit2allow handling of roles
+
+* Mon Jun 16 2008 Dan Walsh 2.0.49-7
+- Fix sepolgen-ifgen processing
+
+* Thu Jun 12 2008 Dan Walsh 2.0.49-6
+- Add deleteall to semanage permissive, cleanup error handling
+
+* Thu Jun 12 2008 Dan Walsh 2.0.49-5
+- Complete removal of rhpl requirement
+
+* Wed Jun 11 2008 Dan Walsh 2.0.49-4
+- Add semanage permissive *
+
+* Fri May 16 2008 Dan Walsh 2.0.49-3
+- Fix fixfiles to cleanup /tmp and /var/tmp
+
+* Fri May 16 2008 Dan Walsh 2.0.49-2
+- Fix listing of types in gui
+
+* Mon May 12 2008 Dan Walsh 2.0.49-1
+- Update to upstream
+ * Remove security_check_context calls for prefix validation from semanage.
+ * Change setfiles and restorecon to not relabel if the file already has the correct context value even if -F/force is specified.
+
+* Mon May 12 2008 Dan Walsh 2.0.47-3
+- Remove /usr/share/locale/sr@Latn/LC_MESSAGES/policycoreutils.mo
+
+* Wed May 7 2008 Dan Walsh 2.0.47-2
+- Add rm -rf /tmp/gconfd-* /tmp/pulse-* /tmp/orbit-* to fixfiles restore
+- So that mislabeled files will get removed on full relabel
+
+* Wed May 7 2008 Dan Walsh 2.0.47-1
+- Make restorecond not start by default
+- Fix polgengui to allow defining of confined roles.
+- Add patches from Lubomir Rintel
+ * Add necessary runtime dependencies on setools-console for -gui
+ * separate stderr when run seinfo commands
+- Update to upstream
+ * Update semanage man page for booleans from Dan Walsh.
+ * Add further error checking to seobject.py for setting booleans.
+
+* Fri Apr 18 2008 Matthias Clasen - 2.0.46-5
+- Uninvasive (ie no string or widget changes) HIG approximations
+ in selinux-polgenui
+
+* Fri Apr 18 2008 Matthias Clasen - 2.0.46-4
+- Move s-c-selinux to the right menu
+
+* Sun Apr 6 2008 Dan Walsh 2.0.46-3
+- Fix boolean descriptions
+- Fix semanage man page
+
+* Wed Mar 19 2008 Dan Walsh 2.0.46-2
+- Don't use prefix in gui
+
+* Tue Mar 18 2008 Dan Walsh 2.0.46-1
+- Update to upstream
+ * Update audit2allow to report dontaudit cases from Dan Walsh.
+ * Fix semanage port to use --proto from Caleb Case.
+
+* Fri Feb 22 2008 Dan Walsh 2.0.44-1
+- Update to upstream
+ * Fix for segfault when conf file parse error occurs.
+
+* Wed Feb 13 2008 Dan Walsh 2.0.43-2
+- Don't show tabs on polgengui
+
+* Wed Feb 13 2008 Dan Walsh 2.0.43-1
+- Update to upstream
+ * Merged fix fixfiles option processing from Vaclav Ovsik.
+- Added existing users, staff and user_t users to polgengui
+
+* Fri Feb 8 2008 Dan Walsh 2.0.42-3
+- Add messages for audit2allow DONTAUDIT
+
+* Tue Feb 5 2008 Dan Walsh 2.0.42-2
+- Add ability to transition to roles via polgengui
+
+* Sat Feb 2 2008 Dan Walsh 2.0.42-1
+- Update to upstream
+ * Make semodule_expand use sepol_set_expand_consume_base to reduce
+ peak memory usage.
+
+* Tue Jan 29 2008 Dan Walsh 2.0.41-1
+- Update to upstream
+ * Merged audit2why fix and semanage boolean --on/--off/-1/-0 support from Dan Walsh.
+ * Merged a second fixfiles -C fix from Marshall Miller.
+
+
+* Thu Jan 24 2008 Dan Walsh 2.0.39-1
+- Don't initialize audit2allow for audit2why call. Use default
+- Update to upstream
+ * Merged fixfiles -C fix from Marshall Miller.
+
+* Thu Jan 24 2008 Dan Walsh 2.0.38-1
+- Update to upstream
+ * Merged audit2allow cleanups and boolean descriptions from Dan Walsh.
+ * Merged setfiles -0 support by Benny Amorsen via Dan Walsh.
+ * Merged fixfiles fixes and support for ext4 and gfs2 from Dan Walsh.
+
+* Wed Jan 23 2008 Dan Walsh 2.0.37-1
+- Update to upstream
+ * Merged replacement for audit2why from Dan Walsh.
+
+* Wed Jan 23 2008 Dan Walsh 2.0.36-2
+- Cleanup fixfiles -f message in man page
+
+* Wed Jan 23 2008 Dan Walsh 2.0.36-1
+- Update to upstream
+ * Merged update to chcat, fixfiles, and semanage scripts from Dan Walsh.
+ * Merged sepolgen fixes from Dan Walsh.
+
+* Tue Jan 22 2008 Dan Walsh 2.0.35-5
+- handle files with spaces on upgrades
+
+* Tue Jan 22 2008 Dan Walsh 2.0.35-4
+- Add support in fixfiles for ext4 ext4dev and gfs2
+
+* Mon Jan 21 2008 Dan Walsh 2.0.35-3
+- Allow files with spaces to be used by setfiles
+
+* Tue Jan 15 2008 Dan Walsh 2.0.35-2
+- Add descriptions of booleans to audit2allow
+
+* Fri Jan 11 2008 Dan Walsh 2.0.35-1
+- Update to upstream
+ * Merged support for non-interactive newrole command invocation from Tim Reed.
+
+* Thu Jan 10 2008 Dan Walsh 2.0.34-8
+- Change to use selinux bindings to audit2why
+
+* Tue Jan 8 2008 Dan Walsh 2.0.34-7
+- Fix fixfiles to handle no args
+
+* Mon Dec 31 2007 Dan Walsh 2.0.34-5
+- Fix roles output when creating a module
+
+* Mon Dec 31 2007 Dan Walsh 2.0.34-4
+- Handle files with spaces in fixfiles
+
+* Fri Dec 21 2007 Dan Walsh 2.0.34-3
+- Catch SELINUX_ERR with audit2allow and generate policy
+
+* Thu Dec 20 2007 Dan Walsh 2.0.34-2
+- Make sepolgen set error exit code when partial failure
+- audit2why now checks booleans for avc diagnosis
+
+* Wed Dec 19 2007 Dan Walsh 2.0.34-1
+- Update to upstream
+ * Update Makefile to not build restorecond if
+ /usr/include/sys/inotify.h is not present
+
+* Wed Dec 19 2007 Dan Walsh 2.0.33-4
+- Fix sepolgen to be able to parse Fedora 9 policy
+ Handle ifelse statements
+ Handle refpolicywarn inside of define
+ Add init.if and inetd.if into parse
+ Add parse_file to syntax error message
+
+* Fri Dec 14 2007 Dan Walsh 2.0.33-3
+- Add scroll bar to fcontext gui page
+
+* Tue Dec 11 2007 Dan Walsh 2.0.33-2
+- Add Russion Man pages
+
+* Mon Dec 10 2007
Dan Walsh 2.0.33-1
+- Upgrade from NSA
+ * Drop verbose output on fixfiles -C from Dan Walsh.
+ * Fix argument handling in fixfiles from Dan Walsh.
+ * Enhance boolean support in semanage, including using the .xml description when available, from Dan Walsh.
+- Fix handling of final screen in polgengui
+
+* Sun Dec 2 2007 Dan Walsh 2.0.32-2
+- Fix handling of disable selinux button in gui
+
+* Mon Nov 19 2007 Dan Walsh 2.0.32-1
+- Upgrade from NSA
+ * load_policy initial load option from Chad Sellers.
+
+* Mon Nov 19 2007 Dan Walsh 2.0.31-20
+- Don't show error on missing policy.xml
+
+* Mon Nov 19 2007 Dan Walsh 2.0.31-19
+- GUI Enhancements
+ - Fix cgi generation
+ - Use more patterns
+
+* Mon Nov 19 2007 Dan Walsh 2.0.31-18
+- Remove codec hacking, which seems to be fixed in python
+
+* Fri Nov 16 2007 Dan Walsh 2.0.31-17
+- Fix typo
+- Change to upstream minimal privledge interfaces
+
+* Fri Nov 16 2007 Dan Walsh 2.0.31-16
+- Fix fixfiles argument parsing
+
+* Thu Nov 15 2007 Dan Walsh 2.0.31-15
+- Fix File Labeling add
+
+* Thu Nov 8 2007 Dan Walsh 2.0.31-14
+- Fix semanage to handle state where policy.xml is not installed
+
+* Mon Nov 5 2007 Dan Walsh 2.0.31-13
+- Remove -v from restorecon in fixfiles
+
+* Mon Nov 5 2007 Dan Walsh 2.0.31-12
+- Fix filter and search capabilities, add wait cursor
+
+* Fri Nov 2 2007 Dan Walsh 2.0.31-11
+- Translate booleans via policy.xml
+- Allow booleans to be set via semanage
+
+* Thu Nov 1 2007 Dan Walsh 2.0.31-10
+- Require use of selinux-policy-devel
+
+* Wed Oct 31 2007 Dan Walsh 2.0.31-9
+- Validate semanage fcontext input
+- Fix template names for log files in gui
+
+* Fri Oct 19 2007 Dan Walsh 2.0.31-8
+- Fix template to generate correct content
+
+* Fri Oct 19 2007 Dan Walsh 2.0.31-7
+- Fix consolekit link to selinux-polgengui
+
+* Thu Oct 18 2007 Dan Walsh 2.0.31-6
+- Fix the generation templates
+
+* Tue Oct 16 2007 Dan Walsh 2.0.31-5
+- Fix enable/disable audit messages
+
+* Mon Oct 15 2007 Dan Walsh 2.0.31-4
+-
Add booleans page
+
+* Mon Oct 15 2007 Dan Walsh 2.0.31-3
+- Lots of updates to gui
+
+* Mon Oct 15 2007 Dan Walsh 2.0.31-1
+- Remove no.po
+- Update to upstream
+ * Fix semodule option handling from Dan Walsh.
+ * Add deleteall support for ports and fcontexts in semanage from Dan Walsh.
+
+* Thu Oct 11 2007 Dan Walsh 2.0.29-2
+- Fix semodule parameter checking
+
+* Sun Oct 7 2007 Dan Walsh 2.0.29-1
+- Update to upstream
+ * Add genhomedircon script to invoke semodule -Bn from Dan Walsh.
+- Add deleteall for ports and fcontext
+
+* Fri Oct 5 2007 Dan Walsh 2.0.28-1
+- Update to upstream
+ * Update semodule man page for -D from Dan Walsh.
+ * Add boolean, locallist, deleteall, and store support to semanage from Dan Walsh.
+
+* Tue Oct 2 2007 Dan Walsh 2.0.27-7
+- Add genhomedircon script to rebuild file_context for shadow-utils
+
+* Tue Oct 2 2007 Dan Walsh 2.0.27-6
+- Update translations
+
+* Tue Oct 2 2007 Dan Walsh 2.0.27-5
+- Additional checkboxes for application policy
+
+* Fri Sep 28 2007 Dan Walsh 2.0.27-4
+- Allow policy writer to select user types to transition to there users
+
+* Thu Sep 27 2007 Dan Walsh 2.0.27-3
+- Fix bug in building policy with polgengui
+- Creating ports correctly
+
+* Wed Sep 26 2007 Dan Walsh 2.0.27-1
+- Update to upstream
+ * Improve semodule reporting of system errors from Stephen Smalley.
+
+* Mon Sep 24 2007 Dan Walsh 2.0.26-3
+- Show local changes with semanage
+
+* Mon Sep 24 2007 Dan Walsh 2.0.26-2
+- Fixed spelling mistakes in booleans defs
+- Update po
+
+* Tue Sep 18 2007 Dan Walsh 2.0.26-1
+- Update to upstream
+ * Fix setfiles selabel option flag setting for 64-bit from Stephen Smalley.
+
+* Tue Sep 18 2007 Dan Walsh 2.0.25-15
+- Fix wording in policy generation tool
+
+* Fri Sep 14 2007 Dan Walsh 2.0.25-14
+- Fix calls to _admin interfaces
+
+* Thu Sep 13 2007 Dan Walsh 2.0.25-13
+- Upgrade version of sepolgen from NSA
+ * Expand the sepolgen parser to parse all current refpolicy modules from Karl MacMillan.
+ * Suppress generation of rules for non-denials from Karl MacMillan (take 3).
+
+* Tue Sep 11 2007 Dan Walsh 2.0.25-12
+- Remove bogus import libxml2
+
+* Mon Sep 10 2007 Dan Walsh 2.0.25-11
+- Lots of fixes for polgengui
+
+* Thu Sep 6 2007 Dan Walsh 2.0.25-10
+- Change Requires /bin/rpm to rpm
+
+* Wed Sep 5 2007 Dan Walsh 2.0.25-9
+- Bump libsemanage version for disable dontaudit
+- New gui features for creating admin users
+
+* Fri Aug 31 2007 Dan Walsh 2.0.25-8
+- Fix generated code for admin policy
+
+* Fri Aug 31 2007 Dan Walsh 2.0.25-7
+- Lots of fixes for role templates
+
+* Tue Aug 28 2007 Dan Walsh 2.0.25-6
+- Add more role_templates
+
+* Tue Aug 28 2007 Dan Walsh 2.0.25-5
+- Update genpolgui to add creation of user domains
+
+* Mon Aug 27 2007 Dan Walsh 2.0.25-4
+- Fix location of sepolgen-ifgen
+
+* Sat Aug 25 2007 Dan Walsh 2.0.25-3
+- Add selinux-polgengui to desktop
+
+* Fri Aug 24 2007 Dan Walsh 2.0.25-2
+- Cleanup spec
+
+* Thu Aug 23 2007 Dan Walsh 2.0.25-1
+- Update semodule man page
+ * Fix genhomedircon searching for USER from Todd Miller
+ * Install run_init with mode 0755 from Dan Walsh.
+ * Fix chcat from Dan Walsh.
+ * Fix fixfiles pattern expansion and error reporting from Dan Walsh.
+ * Optimize genhomedircon to compile regexes once from Dan Walsh.
+ * Fix semanage gettext call from Dan Walsh.
+
+* Thu Aug 23 2007 Dan Walsh 2.0.23-2
+- Update semodule man page
+
+* Mon Aug 20 2007 Dan Walsh 2.0.23-1
+- Update to match NSA
+ * Disable dontaudits via semodule -D
+
+* Wed Aug 1 2007 Dan Walsh 2.0.22-13
+- Speed up genhomedircon by an order of magnitude by compiling regex
+- Allow semanage fcontext -a -t <> /path to work
+
+* Fri Jul 27 2007 Dan Walsh 2.0.22-11
+- Fixfiles update required to match new regex
+
+* Fri Jul 27 2007 Dan Walsh 2.0.22-10
+- Update booleans translations
+
+* Wed Jul 25 2007 Jeremy Katz - 2.0.22-9
+- rebuild for toolchain bug
+
+* Tue Jul 24 2007 Dan Walsh 2.0.22-8
+- Add requires libselinux-python
+
+* Mon Jul 23 2007 Dan Walsh 2.0.22-7
+- Fix fixfiles to report incorrect rpm
+- Patch provided by Tony Nelson
+
+* Fri Jul 20 2007 Dan Walsh 2.0.22-6
+- Clean up spec file
+
+* Fri Jul 13 2007 Dan Walsh 2.0.22-5
+- Require newer libselinux version
+
+* Sat Jul 7 2007 Dan Walsh 2.0.22-4
+- Fix checking for conflicting directory specification in genhomedircon
+
+* Mon Jun 25 2007 Dan Walsh 2.0.22-3
+- Fix spelling mistakes in GUI
+
+* Fri Jun 22 2007 Dan Walsh 2.0.22-2
+- Fix else path in chcat
+
+* Thu Jun 21 2007 Dan Walsh 2.0.22-1
+- Update to match NSA
+ * Rebase setfiles to use new labeling interface.
+
+* Wed Jun 13 2007 Dan Walsh 2.0.21-2
+- Add filter to all system-config-selinux lists
+
+* Wed Jun 13 2007 Dan Walsh 2.0.21-1
+- Update to match NSA
+ * Fixed setsebool (falling through to error path on success).
+
+* Mon Jun 11 2007 Dan Walsh 2.0.20-1
+- Update to match NSA
+ * Merged genhomedircon fixes from Dan Walsh.
+ * Merged setfiles -c usage fix from Dan Walsh.
+ * Merged restorecon fix from Yuichi Nakamura.
+ * Dropped -lsepol where no longer needed.
+
+* Mon Jun 11 2007 Dan Walsh 2.0.19-5
+- Fix translations code, Add more filters to gui
+
+* Mon Jun 4 2007 Dan Walsh 2.0.19-4
+- Fix setfiles -c to make it work
+
+* Mon Jun 4 2007 Dan Walsh 2.0.19-3
+- Fix french translation to not crash system-config-selinux
+
+* Fri Jun 1 2007 Dan Walsh 2.0.19-2
+- Fix genhomedircon to work in stage2 builds of anaconda
+
+* Sat May 19 2007 Dan Walsh 2.0.19-1
+- Update to match NSA
+
+* Thu May 17 2007 Dan Walsh 2.0.16-2
+- Fixes for polgentool templates file
+
+* Fri May 4 2007 Dan Walsh 2.0.16-1
+- Updated version of policycoreutils
+ * Merged support for modifying the prefix via semanage from Dan Walsh.
+- Fixed genhomedircon to find homedirs correctly.
+
+* Tue May 1 2007 Dan Walsh 2.0.15-1
+- Updated version of policycoreutils
+ * Merged po file updates from Dan Walsh.
+- Fix semanage to be able to modify prefix in user record
+
+* Mon Apr 30 2007 Dan Walsh 2.0.14-2
+- Fix title on system-config-selinux
+
+* Wed Apr 25 2007 Dan Walsh 2.0.14-1
+- Updated version of policycoreutils
+ * Build fix for setsebool.
+
+* Wed Apr 25 2007 Dan Walsh 2.0.13-1
+- Updated version of policycoreutils
+ * Merged setsebool patch to only use libsemanage for persistent boolean changes from Stephen Smalley.
+ * Merged genhomedircon patch to use the __default__ setting from Dan Walsh.
+ * Dropped -b option from load_policy in preparation for always preserving booleans across reloads in the kernel.
+
+* Tue Apr 24 2007 Dan Walsh 2.0.10-2
+- Fixes for polgengui
+
+* Tue Apr 24 2007 Dan Walsh 2.0.10-1
+- Updated version of policycoreutils
+ * Merged chcat, fixfiles, genhomedircon, restorecond, and restorecon patches from Dan Walsh.
+
+* Fri Apr 20 2007 Dan Walsh 2.0.9-10
+- Fix genhomedircon to handle non user_u for the default user
+
+* Wed Apr 18 2007 Dan Walsh 2.0.9-9
+- More cleanups for gui
+
+* Wed Apr 18 2007 Dan Walsh 2.0.9-8
+- Fix size and use_tmp problem on gui
+
+* Wed Apr 18 2007 Dan Walsh 2.0.9-7
+- Fix restorecon crash
+
+* Wed Apr 18 2007 Dan Walsh 2.0.9-6
+- Change polgengui to a druid
+
+* Tue Apr 17 2007 Dan Walsh 2.0.9-5
+- Fully path script.py
+
+* Mon Apr 16 2007 Dan Walsh 2.0.9-4
+- Add -l flag to restorecon to not traverse file systems
+
+* Sat Apr 14 2007 Dan Walsh 2.0.9-3
+- Fixes for policygengui
+
+* Fri Apr 13 2007 Dan Walsh 2.0.9-2
+- Add polgengui
+
+* Thu Apr 12 2007 Dan Walsh 2.0.9-1
+- Updated version of sepolgen
+ * Merged seobject setransRecords patch to return the first alias from Xavier Toth.
+
+* Wed Apr 11 2007 Dan Walsh 2.0.8-1
+- Updated version of sepolgen
+ * Merged updates to sepolgen-ifgen from Karl MacMillan.
+ * Merged updates to sepolgen parser and tools from Karl MacMillan.
+ This includes improved debugging support, handling of interface
+ calls with list parameters, support for role transition rules,
+ updated range transition rule support, and looser matching.
+
+* Mon Apr 9 2007 Dan Walsh 2.0.7-11
+- Don't generate invalid context with genhomedircon
+
+* Mon Apr 9 2007 Dan Walsh 2.0.7-10
+- Add filter to booleans page
+
+* Tue Apr 3 2007 Dan Walsh 2.0.7-9
+- Fix polgen.py to not generate udp rules on tcp input
+
+* Fri Mar 30 2007 Dan Walsh 2.0.7-8
+- system-config-selinux should be able to run on a disabled system,
+- at least enough to get it enabled.
+
+* Thu Mar 29 2007 Dan Walsh 2.0.7-7
+- Many fixes to polgengui
+
+* Fri Mar 23 2007 Dan Walsh 2.0.7-6
+- Updated version of sepolgen
+ * Merged patch to discard self from types when generating requires from Karl MacMillan.
+
+* Fri Mar 23 2007 Dan Walsh 2.0.7-5
+- Change location of audit2allow and sepol-ifgen to sbin
+- Updated version of sepolgen
+ * Merged patch to move the sepolgen runtime data from /usr/share to /var/lib to facilitate a read-only /usr from Karl MacMillan.
+
+* Mon Mar 19 2007 Dan Walsh 2.0.7-4
+- Add polgen gui
+- Many fixes to system-config-selinux
+
+* Mon Mar 12 2007 Dan Walsh 2.0.7-3
+- service restorecond status needs to set exit value correctly
+
+* Mon Mar 12 2007 Dan Walsh 2.0.7-2
+- Fix gui
+
+* Thu Mar 1 2007 Dan Walsh 2.0.7-1
+- Update to upstream
+ * Merged restorecond init script LSB compliance patch from Steve Grubb.
+ -sepolgen
+ * Merged better matching for refpolicy style from Karl MacMillan
+ * Merged support for extracting interface paramaters from interface calls from Karl MacMillan
+ * Merged support for parsing USER_AVC audit messages from Karl MacMillan.
+
+* Tue Feb 27 2007 Dan Walsh 2.0.6-3
+- Update to upstream
+ -sepolgen
+ * Merged support for enabling parser debugging from Karl MacMillan.
+- Add sgrupp cleanup of restorcon init script
+
+* Mon Feb 26 2007 Dan Walsh 2.0.6-2
+- Add Bill Nottinham patch to run restorcond condrestart in postun
+
+* Fri Feb 23 2007 Dan Walsh 2.0.6-1
+- Update to upstream
+ - policycoreutils
+ * Merged newrole O_NONBLOCK fix from Linda Knippers.
+ * Merged sepolgen and audit2allow patches to leave generated files
+ in the current directory from Karl MacMillan.
+ * Merged restorecond memory leak fix from Steve Grubb.
+ -sepolgen
+ * Merged patch to leave generated files (e.g. local.te) in current directory from Karl MacMillan.
+ * Merged patch to make run-tests.py use unittest.main from Karl MacMillan.
+ * Merged patch to update PLY from Karl MacMillan.
+ * Merged patch to update the sepolgen parser to handle the latest reference policy from Karl MacMillan.
+
+* Thu Feb 22 2007 Dan Walsh 2.0.3-2
+- Do not fail on sepolgen-ifgen
+
+* Thu Feb 22 2007 Dan Walsh 2.0.3-1
+- Update to upstream
+ * Merged translations update from Dan Walsh.
+ * Merged chcat fixes from Dan Walsh.
+ * Merged man page fixes from Dan Walsh.
+ * Merged seobject prefix validity checking from Dan Walsh.
+ * Merged Makefile and refparser.py patch from Dan Walsh.
+ Fixes PYTHONLIBDIR definition and error handling on interface files.
+
+* Tue Feb 20 2007 Dan Walsh 2.0.2-3
+- Updated newrole NONBlOCK patch
+
+* Tue Feb 20 2007 Dan Walsh 2.0.2-2
+- Remove Requires: %%{name}-plugins
+
+* Tue Feb 20 2007 Dan Walsh 2.0.2-1
+- Update to upstream
+ * Merged seobject exception handler fix from Caleb Case.
+ * Merged setfiles memory leak patch from Todd Miller.
+
+* Thu Feb 15 2007 Dan Walsh 2.0.1-2
+- Cleanup man pages syntax
+- Add sepolgen
+
+* Mon Feb 12 2007 Dan Walsh 2.0.1-1
+- Update to upstream
+ * Merged small fix to correct include of errcodes.h in semodule_deps from Dan Walsh.
+
+* Wed Feb 7 2007 Dan Walsh 2.0.0-1
+- Update to upstream
+ * Merged new audit2allow from Karl MacMillan.
+ This audit2allow depends on the new sepolgen python module.
+ Note that you must run the sepolgen-ifgen tool to generate
+ the data needed by audit2allow to generate refpolicy.
+ * Fixed newrole non-pam build.
+- Fix Changelog and spelling error in man page
+
+* Thu Feb 1 2007 Dan Walsh 1.34.1-4
+- Fix audit2allow on missing translations
+
+* Wed Jan 24 2007 Dan Walsh 1.34.1-3
+- More chcat fixes
+
+* Wed Jan 24 2007 Dan Walsh 1.34.1-2
+- Change chcat to exec semodule so file context is maintained
+
+* Wed Jan 24 2007 Dan Walsh 1.34.1-1
+- Fix system-config-selinux ports view
+- Update to upstream
+ * Fixed newrole non-pam build.
+ * Updated version for stable branch.
+
+* Wed Jan 17 2007 Dan Walsh 1.33.15-1
+- Update to upstream
+ * Merged unicode-to-string fix for seobject audit from Dan Walsh.
+ * Merged man page updates to make "apropos selinux" work from Dan Walsh.
+* Tue Jan 16 2007 Dan Walsh 1.33.14-1
+ * Merged newrole man page patch from Michael Thompson.
+ * Merged patch to fix python unicode problem from Dan Walsh.
+
+* Tue Jan 16 2007 Dan Walsh 1.33.12-3
+- Fix handling of audit messages for useradd change
+Resolves: #222159
+
+* Fri Jan 12 2007 Dan Walsh 1.33.12-2
+- Update man pages by adding SELinux to header to fix apropos database
+Resolves: #217881
+
+* Tue Jan 9 2007 Dan Walsh 1.33.12-1
+- Want to update to match api
+- Update to upstream
+ * Merged newrole securetty check from Dan Walsh.
+ * Merged semodule patch to generalize list support from Karl MacMillan.
+Resolves: #200110
+
+* Tue Jan 9 2007 Dan Walsh 1.33.11-1
+- Update to upstream
+ * Merged fixfiles and seobject fixes from Dan Walsh.
+ * Merged semodule support for list of modules after -i from Karl MacMillan.
+
+* Tue Jan 9 2007 Dan Walsh 1.33.10-1
+- Update to upstream
+ * Merged patch to correctly handle a failure during semanage handle
+ creation from Karl MacMillan.
+ * Merged patch to fix seobject role modification from Dan Walsh.
+
+* Fri Jan 5 2007 Dan Walsh 1.33.8-2
+- Stop newrole -l from working on non secure ttys
+Resolves: #200110
+
+* Thu Jan 4 2007 Dan Walsh 1.33.8-1
+- Update to upstream
+ * Merged patches from Dan Walsh to:
+ - omit the optional name from audit2allow
+ - use the installed python version in the Makefiles
+ - re-open the tty with O_RDWR in newrole
+
+* Wed Jan 3 2007 Dan Walsh 1.33.7-1
+- Update to upstream
+ * Patch from Dan Walsh to correctly suppress warnings in load_policy.
+
+* Tue Jan 2 2007 Dan Walsh 1.33.6-9
+- Fix fixfiles script to use tty command correctly.
If this command fails, it
+should set the LOGFILE to /dev/null
+Resolves: #220879
+
+* Wed Dec 20 2006 Dan Walsh 1.33.6-8
+- Remove hard coding of python2.4 from Makefiles
+
+* Tue Dec 19 2006 Dan Walsh 1.33.6-7
+- add exists switch to semanage to tell it not to check for existance of Linux user
+Resolves: #219421
+
+* Mon Dec 18 2006 Dan Walsh 1.33.6-6
+- Fix audit2allow generating reference policy
+- Fix semanage to manage user roles properly
+Resolves: #220071
+
+* Fri Dec 8 2006 Dan Walsh 1.33.6-5
+- Update po files
+- Fix newrole to open stdout and stderr rdrw so more will work on MLS machines
+Resolves: #216920
+
+* Thu Dec 7 2006 Jeremy Katz - 1.33.6-4
+- rebuild for python 2.5
+
+* Wed Dec 6 2006 Dan Walsh 1.33.6-3
+- Update po files
+Resolves: #216920
+
+* Fri Dec 1 2006 Dan Walsh 1.33.6-2
+- Update po files
+Resolves: #216920
+
+* Wed Nov 29 2006 Dan Walsh 1.33.6-1
+- Update to upstream
+ * Patch from Dan Walsh to add an pam_acct_msg call to run_init
+ * Patch from Dan Walsh to fix error code returns in newrole
+ * Patch from Dan Walsh to remove verbose flag from semanage man page
+ * Patch from Dan Walsh to make audit2allow use refpolicy Makefile
+ in /usr/share/selinux/
+
+* Wed Nov 29 2006 Dan Walsh 1.33.5-4
+- Fixing the Makefile line again to build with LSPP support
+Resolves: #208838
+
+* Wed Nov 29 2006 Dan Walsh 1.33.5-3
+- Don't report errors on restorecond when file system does not support XATTRS
+Resolves: #217694
+
+* Tue Nov 28 2006 Dan Walsh 1.33.5-2
+- Fix -q qualifier on load_policy
+Resolves: #214827
+
+* Tue Nov 28 2006 Dan Walsh 1.33.5-1
+- Merge to upstream
+- Fix makefile line
+Resolves: #208838
+
+* Fri Nov 24 2006 Dan Walsh 1.33.4-2
+- Additional po changes
+- Added all booleans definitions
+
+* Wed Nov 22 2006 Dan Walsh 1.33.4-1
+- Upstream accepted my patches
+ * Merged setsebool patch from Karl MacMillan.
+ This fixes a bug reported by Yuichi Nakamura with
+ always setting booleans persistently on an unmanaged system.
+
+* Mon Nov 20 2006 Dan Walsh 1.33.2-2
+- Fixes for the gui
+
+* Mon Nov 20 2006 Dan Walsh 1.33.2-1
+- Upstream accepted my patches
+
+* Fri Nov 17 2006 Dan Walsh 1.33.1-9
+- Add Amy Grifis Patch to preserve newrole exit status
+
+* Thu Nov 16 2006 Dan Walsh 1.33.1-8
+- Fix display of gui
+
+* Thu Nov 16 2006 Dan Walsh 1.33.1-7
+- Add patch by Jose Plans to make run_init use pam_acct_mgmt
+
+* Wed Nov 15 2006 Dan Walsh 1.33.1-6
+- More fixes to gui
+
+* Wed Nov 15 2006 Dan Walsh 1.33.1-5
+- Fix audit2allow to generate referene policy
+
+* Wed Nov 15 2006 Dan Walsh 1.33.1-4
+- Add group sort for portsPage.py
+- Add enable/disableaudit to modules page
+
+* Wed Nov 15 2006 Dan Walsh 1.33.1-3
+- Add glade file
+
+* Tue Nov 14 2006 Dan Walsh 1.33.1-2
+- Fix Module handling in system-config-selinux
+
+* Tue Nov 14 2006 Dan Walsh 1.33.1-1
+- Update to upstream
+ * Merged newrole patch set from Michael Thompson.
+- Add policycoreutils-gui
+
+* Thu Nov 9 2006 Dan Walsh 1.32-3
+- No longer requires rhpl
+
+* Mon Nov 6 2006 Dan Walsh 1.32-2
+- Fix genhomedircon man page
+
+* Mon Oct 9 2006 Dan Walsh 1.32-1
+- Add newrole audit patch from sgrubb
+- Update to upstream
+ * Merged audit2allow -l fix from Yuichi Nakamura.
+ * Merged restorecon -i and -o - support from Karl MacMillan.
+ * Merged semanage/seobject fix from Dan Walsh.
+ * Merged fixfiles -R and verify changes from Dan Walsh.
+
+* Fri Oct 6 2006 Dan Walsh 1.30.30-2
+- Separate out newrole into its own package
+
+* Fri Sep 29 2006 Dan Walsh 1.30.30-1
+- Update to upstream
+ * Merged newrole auditing of failures due to user actions from
+ Michael Thompson.
+
+* Thu Sep 21 2006 Dan Walsh 1.30.29-6
+- Pass -i qualifier to restorecon for fixfiles -R
+- Update translations
+
+* Thu Sep 21 2006 Dan Walsh 1.30.29-5
+- Remove recursion from fixfiles -R calls
+- Fix semanage to verify prefix
+
+* Thu Sep 21 2006 Dan Walsh 1.30.29-4
+- More translations
+- Compile with -pie
+
+* Mon Sep 18 2006 Dan Walsh 1.30.29-3
+- Add translations
+- Fix audit2allow -l
+
+* Thu Sep 14 2006 Dan Walsh 1.30.29-2
+- Rebuild
+
+* Thu Sep 14 2006 Dan Walsh 1.30.29-1
+- Update to upstream
+- Change -o to take "-" for stdout
+
+* Wed Sep 13 2006 Dan Walsh 1.30.28-9
+- Add -h support for genhomedircon
+
+* Wed Sep 13 2006 Dan Walsh 1.30.28-8
+- Fix fixfiles handling of -o
+
+* Mon Sep 11 2006 Dan Walsh 1.30.28-7
+- Make restorecon return the number of changes files if you use the -n flag
+
+* Fri Sep 8 2006 Dan Walsh 1.30.28-6
+- Change setfiles and restorecon to use stderr except for -o flag
+- Also -o flag will now output files
+
+* Thu Sep 7 2006 Dan Walsh 1.30.28-5
+- Put back Erich's change
+
+* Wed Sep 6 2006 Dan Walsh 1.30.28-4
+- Remove recursive switch when using rpm
+
+* Wed Sep 6 2006 Dan Walsh 1.30.28-3
+- Fix fixfiles to handle multiple rpm and make -o work
+
+* Fri Sep 1 2006 Dan Walsh 1.30.28-2
+- Apply patch
+
+* Fri Sep 1 2006 Dan Walsh 1.30.28-1
+- Security fixes to run python in a more locked down manner
+- More Translations
+- Update to upstream
+ * Merged fix for restorecon // handling from Erich Schubert.
+ * Merged translations update and fixfiles fix from Dan Walsh.
+
+* Thu Aug 31 2006 Dan Walsh 1.30.27-5
+- Change scripts to use /usr/sbin/python
+
+* Thu Aug 31 2006 Dan Walsh 1.30.27-4
+- Add -i qualified to restorecon to tell it to ignore files that do not exist
+- Fixfiles also modified for this change
+
+* Thu Aug 31 2006 Dan Walsh 1.30.27-3
+- Ignore sigpipe
+
+* Thu Aug 31 2006 Dan Walsh 1.30.27-2
+- Fix init script and add translations
+
+* Thu Aug 24 2006 Dan Walsh 1.30.27-1
+- Update to upstream
+ * Merged fix for restorecon symlink handling from Erich Schubert.
+
+* Sat Aug 12 2006 Dan Walsh 1.30.26-1
+- Update to upstream
+ * Merged semanage local file contexts patch from Chris PeBenito.
+- Fix fixfiles log creation
+- More translations
+
+* Thu Aug 3 2006 Dan Walsh 1.30.25-1
+- Update to upstream
+ * Merged patch from Dan Walsh with:
+ * audit2allow: process MAC_POLICY_LOAD events
+ * newrole: run shell with - prefix to start a login shell
+ * po: po file updates
+ * restorecond: bail if SELinux not enabled
+ * fixfiles: omit -q
+ * genhomedircon: fix exit code if non-root
+ * semodule_deps: install man page
+ * Merged secon Makefile fix from Joshua Brindle.
+ * Merged netfilter contexts support patch from Chris PeBenito.
+
+* Wed Aug 2 2006 Dan Walsh 1.30.22-3
+- Fix audit2allow to handle reload of policy
+
+* Wed Aug 2 2006 Dan Walsh 1.30.22-2
+- Stop restorecond init script when selinux is not enabled
+
+* Tue Aug 1 2006 Dan Walsh 1.30.22-1
+- Update to upstream
+ * Merged restorecond size_t fix from Joshua Brindle.
+ * Merged secon keycreate patch from Michael LeMay.
+ * Merged restorecond fixes from Dan Walsh.
+ Merged updated po files from Dan Walsh.
+ * Merged python gettext patch from Stephen Bennett.
+ * Merged semodule_deps from Karl MacMillan.
+
+* Thu Jul 27 2006 Dan Walsh 1.30.17-7
+- Change newrole to exec a login shell to prevent suspend.
+
+* Fri Jul 21 2006 Dan Walsh 1.30.17-6
+- Report error when selinux not enabled in restorecond
+
+* Tue Jul 18 2006 Dan Walsh 1.30.17-5
+- Fix handling of restorecond
+
+* Mon Jul 17 2006 Dan Walsh 1.30.17-4
+- Fix creation of restorecond pidfile
+
+* Mon Jul 17 2006 Dan Walsh 1.30.17-3
+- Update translations
+- Update to new GCC
+
+* Mon Jul 10 2006 Dan Walsh 1.30.17-2
+- Add verbose flag to restorecond and update translations
+
+* Tue Jul 4 2006 Dan Walsh 1.30.17-1
+- Update to upstream
+ * Lindent.
+ * Merged patch from Dan Walsh with:
+ * -p option (progress) for setfiles and restorecon.
+ * disable context translation for setfiles and restorecon.
+ * on/off values for setsebool.
+ * Merged setfiles and semodule_link fixes from Joshua Brindle.
+
+* Thu Jun 22 2006 Dan Walsh 1.30.14-5
+- Add progress indicator on fixfiles/setfiles/restorecon
+
+* Wed Jun 21 2006 Dan Walsh 1.30.14-4
+- Don't use translations with matchpathcon
+
+* Tue Jun 20 2006 Dan Walsh 1.30.14-3
+- Prompt for selinux-policy-devel package in audit2allow
+
+* Mon Jun 19 2006 Dan Walsh 1.30.14-2
+- Allow setsebool to use on/off
+- Update translations
+
+* Fri Jun 16 2006 Dan Walsh 1.30.14-1
+- Update to upstream
+ * Merged fix for setsebool error path from Serge Hallyn.
+ * Merged patch from Dan Walsh with:
+ * Updated po files.
+ * Fixes for genhomedircon and seobject.
+ * Audit message for mass relabel by setfiles.
+
+* Tue Jun 13 2006 James Antill 1.30.12-5
+- Update audit mass relabel to only compile in when audit is installed.
+
+* Mon Jun 12 2006 Dan Walsh 1.30.12-4
+- Update to required versions
+- Update translation
+
+* Wed Jun 7 2006 Dan Walsh 1.30.12-3
+- Fix shell selection
+
+* Mon Jun 5 2006 Dan Walsh 1.30.12-2
+- Add BuildRequires for gettext
+
+* Mon Jun 5 2006 Dan Walsh 1.30.12-1
+ * Updated fixfiles script for new setfiles location in /sbin.
+
+* Tue May 30 2006 Dan Walsh 1.30.11-1
+- Update to upstream
+ * Merged more translations from Dan Walsh.
+ * Merged patch to relocate setfiles to /sbin for early relabel
+ when /usr might not be mounted from Dan Walsh.
+ * Merged semanage/seobject patch to preserve fcontext ordering in list.
+ * Merged secon patch from James Antill.
+
+* Fri May 26 2006 Dan Walsh 1.30.10-4
+- Fix seobject.py to not sort the file_context file.
+- move setfiles to /sbin
+
+* Wed May 24 2006 James Antill 1.30.10-3
+- secon man page and getopt fixes.
+- Enable mass relabel audit, even though it doesn't work.
+
+* Wed May 24 2006 James Antill 1.30.10-2
+- secon fixes for --self-exec etc.
+- secon change from level => sensitivity, add clearance.
+- Add mass relabel AUDIT patch, but disable it until kernel problem solved.
+
+* Tue May 23 2006 Dan Walsh 1.30.10-1
+- Update to upstream
+ * Merged patch with updates to audit2allow, secon, genhomedircon,
+ and semanage from Dan Walsh.
+
+* Sat May 20 2006 Dan Walsh 1.30.9-4
+- Fix exception in genhomedircon
+
+* Mon May 15 2006 James Antill 1.30.9-3
+- Add rhpl dependancy
+
+* Mon May 15 2006 James Antill 1.30.9-2
+- Add secon man page and prompt options.
+
+* Mon May 15 2006 Dan Walsh 1.30.9-1
+- Update to upstream
+ * Fixed audit2allow and po Makefiles for DESTDIR= builds.
+ * Merged .po file patch from Dan Walsh.
+ * Merged bug fix for genhomedircon.
+
+* Wed May 10 2006 Dan Walsh 1.30.8-2
+- Fix exception on bad file_context
+
+* Mon May 8 2006 Dan Walsh 1.30.8-1
+- Update to upstream
+ * Merged fix warnings patch from Karl MacMillan.
+ * Merged patch from Dan Walsh.
+ This includes audit2allow changes for analysis plugins,
+ internationalization support for several additional programs
+ and added po files, some fixes for semanage, and several cleanups.
+ It also adds a new secon utility.
+
+* Sun May 7 2006 Dan Walsh 1.30.6-5
+- Fix genhomedircon to catch duplicate homedir problem
+
+* Thu May 4 2006 Dan Walsh 1.30.6-4
+- Add secon program
+- Add translations
+
+* Thu Apr 20 2006 Dan Walsh 1.30.6-3
+- Fix check for "msg"
+
+* Mon Apr 17 2006 Dan Walsh 1.30.6-2
+- Ship avc.py
+
+* Fri Apr 14 2006 Dan Walsh 1.30.6-1
+- Add /etc/samba/secrets.tdb to restorecond.conf
+- Update from upstream
+ * Merged semanage prefix support from Russell Coker.
+ * Added a test to setfiles to check that the spec file is
+ a regular file.
+
+* Thu Apr 06 2006 Karsten Hopp 1.30.4-4
+- added some missing buildrequires
+- added Requires: initscripts for /sbin/service
+
+* Thu Apr 06 2006 Karsten Hopp 1.30.4-3
+- use absolute path /sbin/service
+
+* Wed Apr 5 2006 Dan Walsh 1.30.4-2
+- Fix audit2allow to not require ausearch.
+- Fix man page
+- Add libflashplayer to restorecond.conf
+
+* Wed Mar 29 2006 Dan Walsh 1.30.4-1
+- Update from upstream
+ * Merged audit2allow fixes for refpolicy from Dan Walsh.
+ * Merged fixfiles patch from Dan Walsh.
+ * Merged restorecond daemon from Dan Walsh.
+ * Merged semanage non-MLS fixes from Chris PeBenito.
+ * Merged semanage and semodule man page examples from Thomas Bleher.
+
+* Tue Mar 28 2006 Dan Walsh 1.30.1-4
+- Clean up reference policy generation in audit2allow
+
+* Tue Mar 21 2006 Dan Walsh 1.30.1-3
+- Add IN_MOVED_TO to catch renames
+
+* Tue Mar 21 2006 Dan Walsh 1.30.1-2
+- make restorecond only ignore non directories with lnk > 1
+
+* Tue Mar 21 2006 Dan Walsh 1.30.1-1
+- Make audit2allow translate dontaudit as well as allow rules
+- Update from upstream
+ * Merged semanage labeling prefix patch from Ivan Gyurdiev.
+
+* Tue Mar 21 2006 Dan Walsh 1.30-5
+- Fix audit2allow to retrieve dontaudit rules
+
+* Mon Mar 20 2006 Dan Walsh 1.30-4
+- Open file descriptor to make sure file does not change from underneath.
+
+* Fri Mar 17 2006 Dan Walsh 1.30-3
+- Fixes for restorecond attack via symlinks
+- Fixes for fixfiles
+
+* Fri Mar 17 2006 Dan Walsh 1.30-2
+- Restorecon has to handle suspend/resume
+
+* Fri Mar 17 2006 Dan Walsh 1.30-1
+- Update to upstream
+
+* Fri Mar 10 2006 Dan Walsh 1.29.27-1
+- Add restorecond
+
+* Fri Mar 10 2006 Dan Walsh 1.29.26-6
+- Remove prereq
+
+* Mon Mar 6 2006 Dan Walsh 1.29.26-5
+- Fix audit2allow to generate all rules
+
+* Fri Mar 3 2006 Dan Walsh 1.29.26-4
+- Minor fixes to chcat and semanage
+
+* Fri Feb 24 2006 Dan Walsh 1.29.26-3
+- Add missing setsebool man page
+
+* Thu Feb 23 2006 Dan Walsh 1.29.26-2
+- Change audit2allow to use devel instead of refpolicy
+
+* Mon Feb 20 2006 Dan Walsh 1.29.26-1
+- Update from upstream
+ * Merged semanage bug fix patch from Ivan Gyurdiev.
+ * Merged improve bindings patch from Ivan Gyurdiev.
+ * Merged semanage usage patch from Ivan Gyurdiev.
+ * Merged use PyList patch from Ivan Gyurdiev.
+
+* Mon Feb 13 2006 Dan Walsh 1.29.23-1
+- Update from upstream
+ * Merged newrole -V/--version support from Glauber de Oliveira Costa.
+ * Merged genhomedircon prefix patch from Dan Walsh.
+ * Merged optionals in base patch from Joshua Brindle.
+
+* Fri Feb 10 2006 Jesse Keating - 1.29.20-2.1
+- bump again for double-long bug on ppc(64)
+
+* Tue Feb 07 2006 Dan Walsh 1.29.20-2
+- Fix auditing to semanage
+- Change genhomedircon to use new prefix interface in libselinux
+
+* Tue Feb 07 2006 Dan Walsh 1.29.20-1
+- Update from upstream
+ * Merged seuser/user_extra support patch to semodule_package
+ from Joshua Brindle.
+ * Merged getopt type fix for semodule_link/expand and sestatus
+ from Chris PeBenito.
+- Fix genhomedircon output
+
+* Tue Feb 07 2006 Jesse Keating - 1.29.18-2.1
+- rebuilt for new gcc4.1 snapshot and glibc changes
+
+* Fri Feb 3 2006 Dan Walsh 1.29.18-2
+- Add auditing to semanage
+
+* Thu Feb 2 2006 Dan Walsh 1.29.18-1
+- Update from upstream
+ * Merged clone record on set_con patch from Ivan Gyurdiev.
+
+* Mon Jan 30 2006 Dan Walsh 1.29.17-1
+- Update from upstream
+ * Merged genhomedircon fix from Dan Walsh.
+ * Merged seusers.system patch from Ivan Gyurdiev.
+ * Merged improve port/fcontext API patch from Ivan Gyurdiev.
+ * Merged genhomedircon patch from Dan Walsh.
+
+* Fri Jan 27 2006 Dan Walsh 1.29.15-1
+- Update from upstream
+ * Merged newrole audit patch from Steve Grubb.
+ * Merged seuser -> seuser local rename patch from Ivan Gyurdiev.
+ * Merged semanage and semodule access check patches from Joshua Brindle.
+* Wed Jan 25 2006 Dan Walsh 1.29.12-1
+- Add a default of /export/home
+
+* Wed Jan 25 2006 Dan Walsh 1.29.11-3
+- Cleanup of the patch
+
+* Wed Jan 25 2006 Dan Walsh 1.29.11-2
+- Correct handling of symbolic links in restorecon
+
+* Wed Jan 25 2006 Dan Walsh 1.29.11-1
+- Added translation support to semanage
+- Update from upstream
+ * Modified newrole and run_init to use the loginuid when
+ supported to obtain the Linux user identity to re-authenticate,
+ and to fall back to real uid. Dropped the use of the SELinux
+ user identity, as Linux users are now mapped to SELinux users
+ via seusers and the SELinux user identity space is separate.
+ * Merged semanage bug fixes from Ivan Gyurdiev.
+ * Merged semanage fixes from Russell Coker.
+ * Merged chcat.8 and genhomedircon patches from Dan Walsh.
+
+* Thu Jan 19 2006 Dan Walsh 1.29.9-2
+- Fix genhomedircon to work on MLS policy
+
+* Thu Jan 19 2006 Dan Walsh 1.29.9-1
+- Update to match NSA
+ * Merged chcat, semanage, and setsebool patches from Dan Walsh.
+
+* Thu Jan 19 2006 Dan Walsh 1.29.8-4
+- Fixes for "add"-"modify" error messages
+- Fixes for chcat
+
+* Wed Jan 18 2006 Dan Walsh 1.29.8-3
+- Add management of translation file to semaange and seobject
+
+* Wed Jan 18 2006 Dan Walsh 1.29.8-2
+- Fix chcat -l -L to work while not root
+
+* Wed Jan 18 2006 Dan Walsh 1.29.8-1
+- Update to match NSA
+ * Merged semanage fixes from Ivan Gyurdiev.
+ * Merged semanage fixes from Russell Coker.
+ * Merged chcat, genhomedircon, and semanage diffs from Dan Walsh.
+
+* Tue Jan 17 2006 Dan Walsh 1.29.7-4
+- Update chcat to manage user categories also
+
+* Sat Jan 14 2006 Dan Walsh 1.29.7-3
+- Add check for root for semanage, genhomedircon
+
+* Sat Jan 14 2006 Dan Walsh 1.29.7-2
+- Add ivans patch
+
+* Fri Jan 13 2006 Dan Walsh 1.29.7-1
+- Update to match NSA
+ * Merged newrole cleanup patch from Steve Grubb.
+ * Merged setfiles/restorecon performance patch from Russell Coker.
+ * Merged genhomedircon and semanage patches from Dan Walsh.
+ * Merged remove add_local/set_local patch from Ivan Gyurdiev.
+
+* Tue Jan 10 2006 Dan Walsh 1.29.5-3
+- Fixes for mls policy
+
+* Tue Jan 10 2006 Dan Walsh 1.29.5-2
+- Update semanage and split out seobject
+- Fix labeleing of home_root
+
+* Thu Jan 5 2006 Dan Walsh 1.29.5-1
+- Update to match NSA
+ * Added filename to semodule error reporting.
+
+* Thu Jan 5 2006 Dan Walsh 1.29.4-1
+- Update to match NSA
+ * Merged genhomedircon and semanage patch from Dan Walsh.
+ * Changed semodule error reporting to include argv[0].
+
+* Wed Jan 4 2006 Dan Walsh 1.29.3-1
+- Update to match NSA
+ * Merged semanage getpwnam bug fix from Serge Hallyn (IBM).
+ * Merged patch series from Ivan Gyurdiev.
+ This includes patches to:
+ - cleanup setsebool
+ - update setsebool to apply active booleans through libsemanage
+ - update semodule to use the new semanage_set_rebuild() interface
+ - fix various bugs in semanage
+ * Merged patch from Dan Walsh (Red Hat).
+ This includes fixes for restorecon, chcat, fixfiles, genhomedircon,
+ and semanage.
+
+* Mon Jan 2 2006 Dan Walsh 1.29.2-10
+- Fix restorecon to not say it is changing user section when -vv is specified
+
+* Tue Dec 27 2005 Dan Walsh 1.29.2-9
+- Fixes for semanage, patch from Ivan and added a test script
+
+* Sat Dec 24 2005 Dan Walsh 1.29.2-8
+- Fix getpwnam call
+
+* Fri Dec 23 2005 Dan Walsh 1.29.2-7
+- Anaconda fixes
+
+* Thu Dec 22 2005 Dan Walsh 1.29.2-6
+- Turn off try catch block to debug anaconda failure
+
+* Tue Dec 20 2005 Dan Walsh 1.29.2-5
+- More fixes for chcat
+
+* Tue Dec 20 2005 Dan Walsh 1.29.2-4
+- Add try catch for files that may not exists
+
+* Mon Dec 19 2005 Dan Walsh 1.29.2-3
+- Remove commands from genhomedircon for installer
+
+* Wed Dec 14 2005 Dan Walsh 1.29.2-1
+- Fix genhomedircon to work in installer
+- Update to match NSA
+ * Merged patch for chcat script from Dan Walsh.
+
+* Fri Dec 9 2005 Dan Walsh 1.29.1-2
+- More fixes to chcat
+
+* Fri Dec 09 2005 Jesse Keating
+- rebuilt
+
+* Thu Dec 8 2005 Dan Walsh 1.29.1-1
+- Update to match NSA
+ * Merged fix for audit2allow long option list from Dan Walsh.
+ * Merged -r option for restorecon (alias for -R) from Dan Walsh.
+ * Merged chcat script and man page from Dan Walsh.
+
+* Wed Dec 7 2005 Dan Walsh 1.28-1
+- Update to match NSA
+- Add gfs support
+
+* Wed Dec 7 2005 Dan Walsh 1.27.37-1
+- Update to match NSA
+- Add chcat to policycoreutils, adding +/- syntax
+`
+* Tue Dec 6 2005 Dan Walsh 1.27.36-2
+- Require new version of libsemanage
+
+* Mon Dec 5 2005 Dan Walsh 1.27.36-1
+- Update to match NSA
+ * Changed genhomedircon to warn on use of ROLE in homedir_template
+ if using managed policy, as libsemanage does not yet support it.
+
+* Sun Dec 4 2005 Dan Walsh 1.27.35-1
+- Update to match NSA
+ * Merged genhomedircon bug fix from Dan Walsh.
+ * Revised semodule* man pages to refer to checkmodule and
+ to include example sections.
+
+* Thu Dec 1 2005 Dan Walsh 1.27.33-1
+- Update to match NSA
+ * Merged audit2allow --tefile and --fcfile support from Dan Walsh.
+ * Merged genhomedircon fix from Dan Walsh.
+ * Merged semodule* man pages from Dan Walsh, and edited them.
+ * Changed setfiles to set the MATCHPATHCON_VALIDATE flag to
+ retain validation/canonicalization of contexts during init.
+
+* Wed Nov 30 2005 Dan Walsh 1.27.31-1
+- Update to match NSA
+ * Changed genhomedircon to always use user_r for the role in the
+ managed case since user_get_defrole is broken.
+- Add te file capabilities to audit2allow
+- Add man pages for semodule
+
+* Tue Nov 29 2005 Dan Walsh 1.27.30-1
+- Update to match NSA
+ * Merged sestatus, audit2allow, and semanage patch from Dan Walsh.
+ * Fixed semodule -v option.
+
+* Mon Nov 28 2005 Dan Walsh 1.27.29-1
+- Update to match NSA
+ * Merged audit2allow python script from Dan Walsh.
+ (old script moved to audit2allow.perl, will be removed later).
+ * Merged genhomedircon fixes from Dan Walsh.
+ * Merged semodule quieting patch from Dan Walsh
+ (inverts default, use -v to restore original behavior).
+
+* Thu Nov 17 2005 Dan Walsh 1.27.28-3
+- Audit2allow
+ * Add more error checking
+ * Add gen policy package
+ * Add gen requires
+
+* Wed Nov 16 2005 Dan Walsh 1.27.28-2
+- Update to match NSA
+ * Merged genhomedircon rewrite from Dan Walsh.
+- Rewrite audit2allow to python
+
+* Mon Nov 14 2005 Dan Walsh 1.27.27-5
+- Fix genhomedircon to work with non libsemanage systems
+
+* Fri Nov 11 2005 Dan Walsh 1.27.27-3
+- Patch genhomedircon to use libsemanage.py stuff
+
+* Wed Nov 9 2005 Dan Walsh 1.27.27-1
+- Update to match NSA
+ * Merged setsebool cleanup patch from Ivan Gyurdiev.
+
+* Wed Nov 9 2005 Dan Walsh 1.27.26-4
+- Fix genhomedircon to use seusers file, temporary fix until swigified semanage
+
+* Tue Nov 8 2005 Dan Walsh 1.27.26-1
+ * Added -B (--build) option to semodule to force a rebuild.
+ * Reverted setsebool patch to call semanage_set_reload_bools().
+ * Changed setsebool to disable policy reload and to call
+ security_set_boolean_list to update the runtime booleans.
+ * Changed setfiles -c to use new flag to set_matchpathcon_flags()
+ to disable context translation by matchpathcon_init().
+
+* Tue Nov 8 2005 Dan Walsh 1.27.23-1
+- Update to match NSA
+ * Changed setfiles for the context canonicalization support.
+ * Changed setsebool to call semanage_is_managed() interface
+ and fall back to security_set_boolean_list() if policy is
+ not managed.
+ * Merged setsebool memory leak fix from Ivan Gyurdiev.
+ * Merged setsebool patch to call semanage_set_reload_bools()
+ interface from Ivan Gyurdiev.
+
+* Mon Nov 7 2005 Dan Walsh 1.27.20-1
+- Update to match NSA
+ * Merged setsebool patch from Ivan Gyurdiev.
+ This moves setsebool from libselinux/utils to policycoreutils,
+ and rewrites it to use libsemanage for permanent boolean changes.
+
+* Tue Oct 25 2005 Dan Walsh 1.27.19-2
+- Rebuild to use latest libselinux, libsemanage, and libsepol
+
+* Tue Oct 25 2005 Dan Walsh 1.27.19-1
+- Update to match NSA
+ * Merged semodule support for reload, noreload, and store options
+ from Joshua Brindle.
+ * Merged semodule_package rewrite from Joshua Brindle.
+
+* Thu Oct 20 2005 Dan Walsh 1.27.18-1
+- Update to match NSA
+ * Cleaned up usage and error messages and releasing of memory by
+ semodule utilities.
+ * Corrected error reporting by semodule.
+ * Updated semodule_expand for change to sepol interface.
+ * Merged fixes for make DESTDIR= builds from Joshua Brindle.
+
+* Tue Oct 18 2005 Dan Walsh 1.27.14-1
+- Update to match NSA
+ * Updated semodule_package for sepol interface changes.
+
+* Tue Oct 18 2005 Dan Walsh 1.27.13-1
+- Update to match NSA
+ * Updated semodule_expand/link for sepol interface changes.
+
+* Sat Oct 15 2005 Dan Walsh 1.27.12-1
+- Update to match NSA
+ * Merged non-PAM Makefile support for newrole and run_init from Timothy Wood.
+
+* Fri Oct 14 2005 Dan Walsh 1.27.11-1
+- Update to match NSA
+ * Updated semodule_expand to use get interfaces for hidden sepol_module_package type.
+ * Merged newrole and run_init pam config patches from Dan Walsh (Red Hat).
+ * Merged fixfiles patch from Dan Walsh (Red Hat).
+ * Updated semodule for removal of semanage_strerror.
+
+
+* Thu Oct 13 2005 Dan Walsh 1.27.7-2
+- Fix run_init.pamd and spec file
+
+* Wed Oct 12 2005 Dan Walsh 1.27.7-1
+- Update to match NSA
+ * Updated semodule_link and semodule_expand to use shared libsepol.
+ Fixed audit2why to call policydb_init prior to policydb_read (still
+ uses the static libsepol).
+
+* Mon Oct 10 2005 Dan Walsh 1.27.6-1
+- Update to match NSA
+ * Updated for changes to libsepol.
+ Changed semodule and semodule_package to use the shared libsepol.
+ Disabled build of semodule_link and semodule_expand for now.
+ Updated audit2why for relocated policydb internal headers,
+ still needs to be converted to a shared lib interface.
+
+* Fri Oct 7 2005 Dan Walsh 1.27.5-3
+- Update newrole pam file to remove pam-stack
+- Update run_init pam file to remove pam-stack
+
+* Thu Oct 6 2005 Dan Walsh 1.27.5-1
+- Update to match NSA
+ * Fixed warnings in load_policy.
+ * Rewrote load_policy to use the new selinux_mkload_policy()
+ interface provided by libselinux.
+
+* Wed Oct 5 2005 Dan Walsh 1.27.3-2
+- Rebuild with newer libararies
+
+* Wed Sep 28 2005 Dan Walsh 1.27.3-1
+- Update to match NSA
+ * Merged patch to update semodule to the new libsemanage API
+ and improve the user interface from Karl MacMillan (Tresys).
+ * Modified semodule for the create/connect API split.
+
+* Wed Sep 28 2005 Dan Walsh 1.27.2-2
+- More fixes to stop find from following nfs paths
+
+* Wed Sep 21 2005 Dan Walsh 1.27.2-1
+- Update to match NSA
+ * Merged run_init open_init_pty bug fix from Manoj Srivastava
+ (unblock SIGCHLD). Bug reported by Erich Schubert.
+
+* Tue Sep 20 2005 Dan Walsh 1.27.1-1
+- Update to match NSA
+ * Merged error shadowing bug fix for restorecon from Dan Walsh.
+ * Merged setfiles usage/man page update for -r option from Dan Walsh.
+ * Merged fixfiles -C patch to ignore :s0 addition on update
+ to a MCS/MLS policy from Dan Walsh.
+
+* Thu Sep 15 2005 Dan Walsh 1.26-3
+- Add chcat script for use with chcon.
+
+* Tue Sep 13 2005 Dan Walsh 1.26-2
+- Fix restorecon to exit with error code
+
+* Mon Sep 12 2005 Dan Walsh 1.26-1
+ * Updated version for release.
+
+* Tue Sep 6 2005 Dan Walsh 1.25.9-2
+- Add prereq for mount command
+
+* Thu Sep 1 2005 Dan Walsh 1.25.9-1
+- Update to match NSA
+ * Changed setfiles -c to translate the context to raw format
+ prior to calling libsepol.
+
+* Fri Aug 26 2005 Dan Walsh 1.25.7-3
+- Use new version of libsemange and require it for install
+
+* Fri Aug 26 2005 Dan Walsh 1.25.7-2
+- Ignore s0 in file context
+
+* Thu Aug 25 2005 Dan Walsh 1.25.7-1
+- Update to match NSA
+ * Merged patch for fixfiles -C from Dan Walsh.
+
+* Tue Aug 23 2005 Dan Walsh 1.25.6-1
+- Update to match NSA
+ * Merged fixes for semodule_link and sestatus from Serge Hallyn (IBM).
+ Bugs found by Coverity.
+
+* Mon Aug 22 2005 Dan Walsh 1.25.5-3
+- Fix fixfiles to call sort -u followed by sort -d.
+
+* Wed Aug 17 2005 Dan Walsh 1.25.5-2
+- Change fixfiles to ignore /home directory on updates
+
+* Fri Aug 5 2005 Dan Walsh 1.25.5-1
+- Update to match NSA
+ * Merged patch to move module read/write code from libsemanage
+ to libsepol from Jason Tang (Tresys).
+
+* Thu Jul 28 2005 Dan Walsh 1.25.4-1
+- Update to match NSA
+ * Changed semodule* to link with libsemanage.
+
+* Wed Jul 27 2005 Dan Walsh 1.25.3-1
+- Update to match NSA
+ * Merged restorecon patch from Ivan Gyurdiev.
+
+* Mon Jul 18 2005 Dan Walsh 1.25.2-1
+- Update to match NSA
+ * Merged load_policy, newrole, and genhomedircon patches from Red Hat.
+
+* Thu Jul 7 2005 Dan Walsh 1.25.1-1
+- Update to match NSA
+ * Merged loadable module support from Tresys Technology.
+
+* Wed Jun 29 2005 Dan Walsh 1.24-1
+- Update to match NSA
+ * Updated version for release.
+
+* Tue Jun 14 2005 Dan Walsh 1.23.11-4
+- Fix Ivan's patch for user role changes
+
+* Sat May 28 2005 Dan Walsh 1.23.11-3
+- Add Ivan's patch for user role changes in genhomedircon
+
+* Thu May 26 2005 Dan Walsh 1.23.11-2
+- Fix warning message on reload of booleans
+
+
+* Fri May 20 2005 Dan Walsh 1.23.11-1
+- Update to match NSA
+ * Merged fixfiles and newrole patch from Dan Walsh.
+ * Merged audit2why man page from Dan Walsh.
+
+* Thu May 19 2005 Dan Walsh 1.23.10-2
+- Add call to pam_acct_mgmt in newrole.
+
+* Tue May 17 2005 Dan Walsh 1.23.10-1
+- Update to match NSA
+ * Extended audit2why to incorporate booleans and local user
+ settings when analyzing audit messages.
+
+* Mon May 16 2005 Dan Walsh 1.23.9-1
+- Update to match NSA
+ * Updated audit2why for sepol_ prefixes on Flask types to
+ avoid namespace collision with libselinux, and to
+ include now.
+
+* Fri May 13 2005 Dan Walsh 1.23.8-1
+- Fix fixfiles to accept -f
+- Update to match NSA
+ * Added audit2why utility.
+
+* Fri Apr 29 2005 Dan Walsh 1.23.7-1
+- Change -f flag in fixfiles to remove stuff from /tmp
+- Change -F flag to pass -F flag to restorecon/fixfiles. (IE Force relabel).
+
+* Thu Apr 14 2005 Dan Walsh 1.23.6-1
+- Update to match NSA
+ * Fixed signed/unsigned pointer bug in load_policy.
+ * Reverted context validation patch for genhomedircon.
+
+* Wed Apr 13 2005 Dan Walsh 1.23.5-1
+- Update to match NSA
+ * Reverted load_policy is_selinux_enabled patch from Dan Walsh.
+ Otherwise, an initial policy load cannot be performed using
+ load_policy, e.g. for anaconda.
+
+
+* Mon Apr 11 2005 Dan Walsh 1.23.4-3
+- remove is_selinux_enabled check from load_policy (Bad idea)
+
+* Mon Apr 11 2005 Dan Walsh 1.23.4-1
+- Update to version from NSA
+ * Merged load_policy is_selinux_enabled patch from Dan Walsh.
+ * Merged restorecon verbose output patch from Dan Walsh.
+ * Merged setfiles altroot patch from Chris PeBenito.
+
+* Thu Apr 7 2005 Dan Walsh 1.23.3-2
+- Don't run load_policy on a non SELinux kernel.
+
+* Wed Apr 6 2005 Dan Walsh 1.23.3-1
+- Update to version from NSA
+ * Merged context validation patch for genhomedircon from Eric Paris.
+- Fix verbose output of restorecon
+
+* Thu Mar 17 2005 Dan Walsh 1.23.2-1
+- Update to version from NSA
+ * Changed setfiles -c to call set_matchpathcon_flags(3) to
+ turn off processing of .homedirs and .local.
+
+* Tue Mar 15 2005 Dan Walsh 1.23.1-1
+- Update to released version from NSA
+ * Merged rewrite of genhomedircon by Eric Paris.
+ * Changed fixfiles to relabel jfs since it now supports security xattrs
+ (as of 2.6.11). Removed reiserfs until 2.6.12 is released with
+ fixed support for reiserfs and selinux.
+
+* Thu Mar 10 2005 Dan Walsh 1.22-2
+- Update to released version from NSA
+- Patch genhomedircon to handle passwd in different places.
+
+* Wed Mar 9 2005 Dan Walsh 1.21.22-2
+- Fix genhomedircon to not put bad userad error in file_contexts.homedir
+
+* Tue Mar 8 2005 Dan Walsh 1.21.22-1
+- Cleanup error reporting
+
+* Tue Mar 1 2005 Dan Walsh 1.21.21-1
+ * Merged load_policy and genhomedircon patch from Dan Walsh.
+
+* Mon Feb 28 2005 Dan Walsh 1.21.20-3
+- Fix genhomedircon to add extr "\n"
+
+* Fri Feb 25 2005 Dan Walsh 1.21.20-2
+- Fix genhomedircon to handle blank users
+
+* Fri Feb 25 2005 Dan Walsh 1.21.20-1
+- Update to latest from NSA
+- Add call to libsepol
+
+* Thu Feb 24 2005 Dan Walsh 1.21.19-4
+- Fix genhomedircon to handle root
+- Fix fixfiles to better handle file system types
+
+* Wed Feb 23 2005 Dan Walsh 1.21.19-2
+- Fix genhomedircon to handle spaces in SELINUXPOLICYTYPE
+
+* Tue Feb 22 2005 Dan Walsh 1.21.19-1
+- Update to latest from NSA
+ * Merged several fixes from Ulrich Drepper.
+
+* Mon Feb 21 2005 Dan Walsh 1.21.18-2
+- Apply Uli patch
+ * The Makefiles should use the -Wall option even if compiled in beehive
+ * Add -W, too
+ * use -Werror when used outside of beehive. This could also be used unconditionally
+ * setfiles/setfiles.c: fix resulting warning
+ * restorecon/restorecon.c: Likewise
+ * run_init/open_init_pty.c: argc hasn't been checked, the program would crash if
+called without parameters. ignore the return value of nice properly.
+ * run_init: don't link with -ldl lutil
+ * load_policy: that's the bad bug. pointer to unsigned int is passed, size_t is
+written to. fails on 64-bit archs
+ * sestatus: signed vs unsigned problem
+ * newrole: don't link with -ldl
+
+* Sat Feb 19 2005 Dan Walsh 1.21.18-1
+- Update to latest from NSA
+ * Changed load_policy to fall back to the original policy upon
+ an error from sepol_genusers().
+
+* Thu Feb 17 2005 Dan Walsh 1.21.17-2
+- Only restorecon on ext[23], reiser and xfs
+
+* Thu Feb 17 2005 Dan Walsh 1.21.17-1
+- Update to latest from NSA
+ * Merged new genhomedircon script from Dan Walsh.
+ * Changed load_policy to call sepol_genusers().
+
+* Thu Feb 17 2005 Dan Walsh 1.21.15-9
+- Remove Red Hat rhpl usage
+- Add back in original syntax
+- Update man page to match new syntax
+
+* Fri Feb 11 2005 Dan Walsh 1.21.15-8
+- Fix genhomedircon regular expression
+- Fix exclude in restorecon
+
+* Thu Feb 10 2005 Dan Walsh 1.21.15-5
+- Trap failure on write
+- Rewrite genhomedircon to generate file_context.homedirs
+- several passes
+
+* Thu Feb 10 2005 Dan Walsh 1.21.15-1
+- Update from NSA
+ * Changed relabel Makefile target to use restorecon.
+
+* Wed Feb 9 2005 Dan Walsh 1.21.14-1
+- Update from NSA
+ * Merged restorecon patch from Dan Walsh.
+
+* Tue Feb 8 2005 Dan Walsh 1.21.13-1
+- Update from NSA
+ * Merged further change to fixfiles -C from Dan Walsh.
+ * Merged updated fixfiles script from Dan Walsh.
+- Fix error handling of restorecon
+
+
+* Mon Feb 7 2005 Dan Walsh 1.21.12-2
+- Fix sestatus for longer booleans
+
+* Wed Feb 2 2005 Dan Walsh 1.21.12-1
+- More cleanup of fixfiles sed patch
+ * Merged further patches for restorecon/setfiles -e and fixfiles -C.
+
+* Wed Feb 2 2005 Dan Walsh 1.21.10-2
+- More cleanup of fixfiles sed patch
+
+* Mon Jan 31 2005 Dan Walsh 1.21.10-1
+- More cleanup of fixfiles sed patch
+- Upgrade to latest from NSA
+ * Merged patch for open_init_pty from Manoj Srivastava.
+
+* Fri Jan 28 2005 Dan Walsh 1.21.9-1
+- More cleanup of sed patch
+- Upgrade to latest from NSA
+ * Merged updated fixfiles script from Dan Walsh.
+ * Merged updated man page for fixfiles from Dan Walsh and re-added unzipped.
+ * Reverted fixfiles patch for file_contexts.local;
+ obsoleted by setfiles rewrite.
+ * Merged error handling patch for restorecon from Dan Walsh.
+ * Merged semi raw mode for open_init_pty helper from Manoj Srivastava.
+ * Rewrote setfiles to use matchpathcon and the new interfaces
+ exported by libselinux (>= 1.21.5).
+
+
+* Fri Jan 28 2005 Dan Walsh 1.21.7-3
+- Fix fixfiles patch
+- Upgrade to latest from NSA
+ * Prevent overflow of spec array in setfiles.
+- Add diff comparason between file_contexts to fixfiles
+- Allow restorecon to give an warning on file not found instead of exiting
+
+* Thu Jan 27 2005 Dan Walsh 1.21.5-1
+- Upgrade to latest from NSA
+ * Merged newrole -l support from Darrel Goeddel (TCS).
+- Fix genhomedircon STARTING_UID
+
+* Wed Jan 26 2005 Dan Walsh 1.21.4-1
+- Upgrade to latest from NSA
+ * Merged fixfiles patch for file_contexts.local from Dan Walsh.
+
+* Fri Jan 21 2005 Dan Walsh 1.21.3-2
+- Temp file needs to be created in /etc/selinux/POLICYTYPE/contexts/files/ directory.
+
+* Fri Jan 21 2005 Dan Walsh 1.21.3-1
+- Upgrade to latest from NSA
+ * Fixed restorecon to not treat errors from is_context_customizable()
+ as a customizable context.
+ * Merged setfiles/restorecon patch to not reset user field unless
+ -F option is specified from Dan Walsh.
+ * Merged open_init_pty helper for run_init from Manoj Srivastava.
+ * Merged audit2allow and genhomedircon man pages from Manoj Srivastava.
+
+* Fri Jan 21 2005 Dan Walsh 1.21.1-3
+- Don't change user componant if it is all that changed unless forced.
+- Change fixfiles to concatinate file_context.local for setfiles
+
+* Thu Jan 20 2005 Dan Walsh 1.21.1-1
+- Update to latest from NSA
+
+* Mon Jan 10 2005 Dan Walsh 1.20.1-2
+- Fix restorecon segfault
+
+* Mon Jan 3 2005 Dan Walsh 1.20.1-1
+- Update to latest from NSA
+ * Merged fixfiles rewrite from Dan Walsh.
+ * Merged restorecon patch from Dan Walsh.
+
+* Mon Jan 3 2005 Dan Walsh 1.19.3-1
+- Update to latest from NSA
+ * Merged fixfiles and restorecon patches from Dan Walsh.
+ * Don't display change if only user part changed.
+
+* Mon Jan 3 2005 Dan Walsh 1.19.2-4
+- Fix fixfiles handling of rpm
+- Fix restorecon to not warn on symlinks unless -v -v
+- Fix output of verbose to show old context as well as new context
+
+* Wed Dec 29 2004 Dan Walsh 1.19.2-1
+- Update to latest from NSA
+ * Changed restorecon to ignore ENOENT errors from matchpathcon.
+ * Merged nonls patch from Chris PeBenito.
+
+* Mon Dec 20 2004 Dan Walsh 1.19.1-1
+- Update to latest from NSA
+ * Removed fixfiles.cron.
+ * Merged run_init.8 patch from Dan Walsh.
+
+* Thu Nov 18 2004 Dan Walsh 1.18.1-3
+- Fix run_init.8 to refer to correct location of initrc_context
+
+* Wed Nov 3 2004 Dan Walsh 1.18.1-1
+- Upgrade to latest from NSA
+
+* Wed Oct 27 2004 Steve Grubb 1.17.7-3
+- Add code to sestatus to output the current policy from config file
+
+* Fri Oct 22 2004 Dan Walsh 1.17.7-2
+- Patch audit2allow to return self and no brackets if only one rule
+
+* Fri Oct 22 2004 Dan Walsh 1.17.7-1
+- Update to latest from NSA
+- Eliminate fixfiles.cron
+
+* Tue Oct 12 2004 Dan Walsh 1.17.6-2
+- Only run fixfiles.cron once a week, and eliminate null message
+
+* Fri Oct 1 2004 Dan Walsh 1.17.6-1
+- Update with NSA
+ * Added -l option to setfiles to log changes via syslog.
+ * Merged -e option to setfiles to exclude directories.
+ * Merged -R option to restorecon for recursive descent.
+* Fri Oct 1 2004 Dan Walsh 1.17.5-6
+- Add -e (exclude directory) switch to setfiles
+- Add syslog to setfiles
+
+* Fri Sep 24 2004 Dan Walsh 1.17.5-5
+- Add -R (recursive) switch to restorecon.
+
+* Thu Sep 23 2004 Dan Walsh 1.17.5-4
+- Change to only display to terminal if tty is specified
+
+* Tue Sep 21 2004 Dan Walsh 1.17.5-3
+- Only display to stdout if logfile not specified
+
+* Thu Sep 9 2004 Dan Walsh 1.17.5-2
+- Add Steve Grubb patch to cleanup log files.
+
+* Mon Aug 30 2004 Dan Walsh 1.17.5-1
+- Add optargs
+- Update to match NSA
+
+* Wed Aug 25 2004 Dan Walsh 1.17.4-1
+- Add fix to get cdrom info from /proc/media in fixfiles.
+
+* Wed Aug 25 2004 Dan Walsh 1.17.3-4
+- Add Steve Grub patches for
+ * Fix fixfiles.cron MAILTO
+ * Several problems in sestatus
+
+* Wed Aug 25 2004 Dan Walsh 1.17.3-3
+- Add -q (quiet) qualifier to load_policy to not report warnings
+
+* Tue Aug 24 2004 Dan Walsh 1.17.3-2
+- Add requires for libsepol >= 1.1.1
+
+* Tue Aug 24 2004 Dan Walsh 1.17.3-1
+- Update to latest from upstream
+
+* Mon Aug 23 2004 Dan Walsh 1.17.2-1
+- Update to latest from upstream
+- Includes Colin patch for verifying file_contexts
+
+* Sun Aug 22 2004 Dan Walsh 1.17.1-1
+- Update to latest from upstream
+
+* Mon Aug 16 2004 Dan Walsh 1.15.7-1
+- Update to latest from upstream
+
+* Thu Aug 12 2004 Dan Walsh 1.15.6-1
+- Add Man page for load_policy
+
+* Tue Aug 10 2004 Dan Walsh 1.15.5-1
+- new version from NSA uses libsepol
+
+* Mon Aug 2 2004 Dan Walsh 1.15.3-2
+- Fix genhomedircon join command
+
+* Thu Jul 29 2004 Dan Walsh 1.15.3-1
+- Latest from NSA
+
+* Mon Jul 26 2004 Dan Walsh 1.15.2-4
+- Change fixfiles to not change when running a check
+
+* Tue Jul 20 2004 Dan Walsh 1.15.2-3
+- Fix restorecon getopt call to stop hang on IBM Arches
+
+* Mon Jul 19 2004 Dan Walsh 1.15.2-2
+- Only mail files less than 100 lines from fixfiles.cron
+- Add Russell's fix for genhomedircon
+
+* Fri Jul 16 2004 Dan Walsh 1.15.2-1
+- Latest from NSA
+
+* Thu Jul 8 2004 Dan Walsh 1.15.1-2
+- Add ro warnings
+
+* Thu Jul 8 2004 Dan Walsh 1.15.1-1
+- Latest from NSA
+- Fix fixfiles.cron to delete outfile
+
+* Tue Jul 6 2004 Dan Walsh 1.14.1-2
+- Fix fixfiles.cron to not run on non SELinux boxes
+- Fix several problems in fixfiles and fixfiles.cron
+
+* Wed Jun 30 2004 Dan Walsh 1.14.1-1
+- Update from NSA
+- Add cron capability to fixfiles
+
+* Fri Jun 25 2004 Dan Walsh 1.13.4-1
+- Update from NSA
+
+* Thu Jun 24 2004 Dan Walsh 1.13.3-2
+- Fix fixfiles to handle no rpm file on relabel
+
+* Wed Jun 23 2004 Dan Walsh 1.13.3-1
+- Update latest from NSA
+- Add -o option to setfiles to save output of any files
+ with incorrect context.
+
+* Tue Jun 22 2004 Dan Walsh 1.13.2-2
+- Add rpm support to fixfiles
+- Update restorecon to add file input support
+
+* Fri Jun 18 2004 Dan Walsh 1.13.2-1
+- Update with NSA Latest
+
+* Tue Jun 15 2004 Elliot Lee
+- rebuilt
+
+* Sat Jun 12 2004 Dan Walsh 1.13.1-2
+- Fix run_init to use policy formats
+
+* Wed Jun 2 2004 Dan Walsh 1.13.1-1
+- Update from NSA
+
+* Tue May 25 2004 Dan Walsh 1.13-3
+- Change location of file_context file
+
+* Tue May 25 2004 Dan Walsh 1.13-2
+- Change to use /etc/sysconfig/selinux to determine location of policy files
+
+* Fri May 21 2004 Dan Walsh 1.13-1
+- Update to latest from NSA
+- Change fixfiles to prompt before deleteing /tmp files
+
+* Tue May 18 2004 Dan Walsh 1.12-2
+- have restorecon ingnore <>
+- Hand matchpathcon the file status
+
+* Thu May 13 2004 Dan Walsh 1.12-1
+- Update to match NSA
+
+* Mon May 10 2004 Dan Walsh 1.11-4
+- Move location of log file to /var/tmp
+
+* Mon May 10 2004 Dan Walsh 1.11-3
+- Better grep command for bind
+
+* Fri May 7 2004 Dan Walsh 1.11-2
+- Eliminate bind and context mounts
+
+* Wed May 5 2004 Dan Walsh 1.11-1
+- update to match NSA
+
+* Wed Apr 28 2004 Dan Walsh 1.10-4
+- Log fixfiles to the /tmp directory
+
+* Wed Apr 21 2004 Colin Walters 1.10-3
+- Add patch to fall back to authenticating via uid if
+ the current user's SELinux user identity is the default
+ identity
+- Add BuildRequires pam-devel
+
+* Mon Apr 12 2004 Dan Walsh 1.10-2
+- Add man page, thanks to Richard Halley
+
+* Thu Apr 8 2004 Dan Walsh 1.10-1
+- Upgrade to latest from NSA
+
+* Fri Apr 2 2004 Dan Walsh 1.9.2-1
+- Update with latest from gentoo and NSA
+
+* Thu Apr 1 2004 Dan Walsh 1.9.1-1
+- Check return codes in sestatus.c
+
+* Mon Mar 29 2004 Dan Walsh 1.9-19
+- Fix sestatus to not double free
+- Fix sestatus.conf to be unix format
+
+* Mon Mar 29 2004 Dan Walsh 1.9-18
+- Warn on setfiles failure to relabel.
+
+* Mon Mar 29 2004 Dan Walsh 1.9-17
+- Updated version of sestatus
+
+* Mon Mar 29 2004 Dan Walsh 1.9-16
+- Fix fixfiles to checklabel properly
+
+* Fri Mar 26 2004 Dan Walsh 1.9-15
+- add sestatus
+
+* Thu Mar 25 2004 Dan Walsh 1.9-14
+- Change free call to freecon
+- Cleanup
+
+* Tue Mar 23 2004 Dan Walsh 1.9-12
+- Remove setfiles-assoc patch
+- Fix restorecon to not crash on missing dir
+
+* Thu Mar 18 2004 Dan Walsh 1.9-11
+- Eliminate trailing / in restorecon
+
+* Thu Mar 18 2004 Dan Walsh 1.9-10
+- Add Verbosity check
+
+* Thu Mar 18 2004 Dan Walsh 1.9-9
+- Change restorecon to not follow symlinks. It is too difficult and confusing
+- to figure out the file context for the file pointed to by a symlink.
+
+* Wed Mar 17 2004 Dan Walsh 1.9-8
+- Fix restorecon
+* Wed Mar 17 2004 Dan Walsh 1.9-7
+- Read restorecon patch
+
+* Wed Mar 17 2004 Dan Walsh 1.9-6
+- Change genhomedircon to take POLICYSOURCEDIR from command line
+
+* Wed Mar 17 2004 Dan Walsh 1.9-5
+- Add checkselinux
+- move fixfiles and restorecon to /sbin
+
+* Wed Mar 17 2004 Dan Walsh 1.9-4
+- Restore patch of genhomedircon
+
+* Mon Mar 15 2004 Dan Walsh 1.9-3
+- Add setfiles-assoc patch to try to freeup memory use
+
+* Mon Mar 15 2004 Dan Walsh 1.9-2
+- Add fixlabels
+
+* Mon Mar 15 2004 Dan Walsh 1.9-1
+- Update to latest from NSA
+
+* Wed Mar 10 2004 Dan Walsh 1.6-8
+- Increase the size of buffer accepted by setfiles to BUFSIZ.
+
+* Tue Mar 9 2004 Dan Walsh 1.6-7
+- genhomedircon should complete even if it can't read /etc/default/useradd
+
+* Tue Mar 9 2004 Dan Walsh 1.6-6
+- fix restorecon to relabel unlabled files.
+
+* Fri Mar 5 2004 Dan Walsh 1.6-5
+- Add genhomedircon from tresys
+- Fixed patch for restorecon
+
+* Thu Feb 26 2004 Dan Walsh 1.6-4
+- exit out when selinux is not enabled
+
+* Thu Feb 26 2004 Dan Walsh 1.6-3
+- Fix minor bugs in restorecon
+
+* Thu Feb 26 2004 Dan Walsh 1.6-2
+- Add restorecon c program
+
+* Tue Feb 24 2004 Dan Walsh 1.6-1
+- Update to latest tarball from NSA
+
+* Thu Feb 19 2004 Dan Walsh 1.4-9
+- Add sort patch
+
+* Fri Feb 13 2004 Elliot Lee
+- rebuilt
+
+* Thu Jan 29 2004 Dan Walsh 1.4-7
+- remove mods to run_init since init scripts don't require it anymore
+
+* Wed Jan 28 2004 Dan Walsh 1.4-6
+- fix genhomedircon not to return and error
+
+* Wed Jan 28 2004 Dan Walsh 1.4-5
+- add setfiles quiet patch
+
+* Tue Jan 27 2004 Dan Walsh 1.4-4
+- add checkcon to verify context match file_context
+
+* Wed Jan 7 2004 Dan Walsh 1.4-3
+- fix command parsing restorecon
+
+* Tue Jan 6 2004 Dan Walsh 1.4-2
+- Add restorecon
+
+* Sat Dec 6 2003 Dan Walsh 1.4-1
+- Update to latest NSA 1.4
+
+* Tue Nov 25 2003 Dan Walsh 1.2-9
+- Change run_init.console to run as run_init_t
+
+* Tue Oct 14 2003 Dan Walsh 1.2-8
+- Remove dietcc since load_policy is not in mkinitrd
+- Change to use CONSOLEHELPER flag
+
+* Tue Oct 14 2003 Dan Walsh 1.2-7
+- Don't authenticate run_init when used with consolehelper
+
+* Wed Oct 01 2003 Dan Walsh 1.2-6
+- Add run_init consolehelper link
+
+* Wed Sep 24 2003 Dan Walsh 1.2-5
+- Add russell spead up patch to deal with file path stems
+
+* Fri Sep 12 2003 Dan Walsh 1.2-4
+- Build load_policy with diet gcc in order to save space on initrd
+
+* Fri Sep 12 2003 Dan Walsh 1.2-3
+- Update with NSA latest
+
+* Thu Aug 7 2003 Dan Walsh 1.2-1
+- remove i18n
+- Temp remove gtk support
+
+* Thu Aug 7 2003 Dan Walsh 1.1-4
+- Remove wnck requirement
+
+* Thu Aug 7 2003 Dan Walsh 1.1-3
+- Add gtk support to run_init
+
+* Tue Aug 5 2003 Dan Walsh 1.1-2
+- Add internationalization
+
+* Mon Jun 2 2003 Dan Walsh 1.0-1
+- Initial version