rpms
/
policycoreutils
21
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

merge into: rpms:c9
Branches Tags
rpms:i10c-beta
rpms:c10-beta
rpms:i10cs
rpms:cs10
rpms:i8c
rpms:c8
rpms:i8c-beta
rpms:c8-beta
rpms:i9c-beta
rpms:c9-beta
rpms:i9c
rpms:c9
...
pull from: rpms:c8
Branches Tags
rpms:i10c-beta
rpms:c10-beta
rpms:i10cs
rpms:cs10
rpms:i8c
rpms:c8
rpms:i8c-beta
rpms:c8-beta
rpms:i9c-beta
rpms:c9-beta
rpms:i9c
rpms:c9

No commits in common. 'c9' and 'c8' have entirely different histories.
c9 ... c8

74 changed files with 10009 additions and 4941 deletions
Show Stats

16
.gitignore vendored
Unescape View File

@ -1,7 +1,13 @@
SOURCES/selinux-3.5.tar.gz
SOURCES/selinux-gui.zip
SOURCES/selinux-policycoreutils.zip
SOURCES/selinux-python.zip
SOURCES/selinux-sandbox.zip
SOURCES/gui-po.tgz
SOURCES/policycoreutils-2.9.tar.gz
SOURCES/policycoreutils-po.tgz
SOURCES/python-po.tgz
SOURCES/restorecond-2.9.tar.gz
SOURCES/sandbox-po.tgz
SOURCES/selinux-dbus-2.9.tar.gz
SOURCES/selinux-gui-2.9.tar.gz
SOURCES/selinux-python-2.9.tar.gz
SOURCES/selinux-sandbox-2.9.tar.gz
SOURCES/semodule-utils-2.9.tar.gz
SOURCES/sepolicy-icons.tgz
SOURCES/system-config-selinux.png

16
.policycoreutils.metadata
Unescape View File

@ -1,7 +1,13 @@
28e8c0a58e01436b1c931559da3844d5774f8186 SOURCES/selinux-3.5.tar.gz
c2957ae26fcabe856439915bc03fb7d25c91b724 SOURCES/selinux-gui.zip
8aec9d92a940e35756c4cf66891db7b070e00c5c SOURCES/selinux-policycoreutils.zip
6a9a8a86bf4b66b484533e5a5b91acd9f2ba4ed1 SOURCES/selinux-python.zip
c9b684345b0b6940afd38d8679e2838ad7ef5ffe SOURCES/selinux-sandbox.zip
3f355f8cbfdf7be6f9a8190153090af95d2c7358 SOURCES/gui-po.tgz
6e64d9a38fb516738023eb429eef29af5383f443 SOURCES/policycoreutils-2.9.tar.gz
51122ae6029657bf762d72bff94bab38890fd1e7 SOURCES/policycoreutils-po.tgz
c503e61733af54159d5950bbd9fa8080771ee938 SOURCES/python-po.tgz
0a34ef54394972870203832c8ce52d4405bd5330 SOURCES/restorecond-2.9.tar.gz
7df1784ab0c6b0823943571d733b856d10a87f76 SOURCES/sandbox-po.tgz
8645509cdfc433278c2e4d29ee8f511625c7edcc SOURCES/selinux-dbus-2.9.tar.gz
5c155ae47692389d9fabaa154195e7f978f2a3f0 SOURCES/selinux-gui-2.9.tar.gz
660e1ab824ef80f7a69f0b70f61e231957fd398e SOURCES/selinux-python-2.9.tar.gz
0e208cad193021ad17a445b76b72af3fef8db999 SOURCES/selinux-sandbox-2.9.tar.gz
a4414223e60bb664ada4824e54f8d36ab208d599 SOURCES/semodule-utils-2.9.tar.gz
d849fa76cc3ef4a26047d8a69fef3a55d2f3097f SOURCES/sepolicy-icons.tgz
611a5d497efaddd45ec0dcc3e9b2e5b0f81ebc41 SOURCES/system-config-selinux.png

43
SOURCES/0001-gui-Install-polgengui.py-to-usr-bin-selinux-polgengu.patch
Unescape View File

@ -0,0 +1,43 @@
From c778509dd0ed3b184d720032f31971f975e42973 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Tue, 5 Mar 2019 17:38:55 +0100
Subject: [PATCH] gui: Install polgengui.py to /usr/bin/selinux-polgengui
polgengui.py is a standalone gui tool which should be in /usr/bin with other
tools.
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
---
gui/Makefile | 2 +-
gui/modulesPage.py | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/gui/Makefile b/gui/Makefile
index c2f982de..b2375fbf 100644
--- a/gui/Makefile
+++ b/gui/Makefile
@@ -31,7 +31,7 @@ install: all
-mkdir -p $(DESTDIR)$(DATADIR)/polkit-1/actions/
install -m 755 system-config-selinux.py $(DESTDIR)$(SHAREDIR)
install -m 755 system-config-selinux $(DESTDIR)$(BINDIR)
- install -m 755 polgengui.py $(DESTDIR)$(SHAREDIR)
+ install -m 755 polgengui.py $(DESTDIR)$(BINDIR)/selinux-polgengui
install -m 644 $(TARGETS) $(DESTDIR)$(SHAREDIR)
install -m 644 system-config-selinux.8 $(DESTDIR)$(MANDIR)/man8
install -m 644 selinux-polgengui.8 $(DESTDIR)$(MANDIR)/man8
diff --git a/gui/modulesPage.py b/gui/modulesPage.py
index 34c5d9e3..cb856b2d 100644
--- a/gui/modulesPage.py
+++ b/gui/modulesPage.py
@@ -118,7 +118,7 @@ class modulesPage(semanagePage):
def new_module(self, args):
try:
- Popen(["/usr/share/system-config-selinux/polgengui.py"])
+ Popen(["selinux-polgengui"])
except ValueError as e:
self.error(e.args[0])
--
2.21.0

49
SOURCES/0002-gui-Install-.desktop-files-to-usr-share-applications.patch
Unescape View File

@ -0,0 +1,49 @@
From 04b632e6de14ec0336e14988bf4c2bd581f7308e Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Tue, 5 Mar 2019 17:25:00 +0100
Subject: [PATCH] gui: Install .desktop files to /usr/share/applications by
default
/usr/share/applications is a standard directory for .desktop files.
Installation path can be changed using DESKTOPDIR variable in installation
phase, e.g.
make DESKTOPDIR=/usr/local/share/applications install
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
---
gui/Makefile | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/gui/Makefile b/gui/Makefile
index b2375fbf..ca965c94 100644
--- a/gui/Makefile
+++ b/gui/Makefile
@@ -5,6 +5,7 @@ BINDIR ?= $(PREFIX)/bin
SHAREDIR ?= $(PREFIX)/share/system-config-selinux
DATADIR ?= $(PREFIX)/share
MANDIR ?= $(PREFIX)/share/man
+DESKTOPDIR ?= $(PREFIX)/share/applications
TARGETS= \
booleansPage.py \
@@ -29,6 +30,7 @@ install: all
-mkdir -p $(DESTDIR)$(DATADIR)/pixmaps
-mkdir -p $(DESTDIR)$(DATADIR)/icons/hicolor/24x24/apps
-mkdir -p $(DESTDIR)$(DATADIR)/polkit-1/actions/
+ -mkdir -p $(DESTDIR)$(DESKTOPDIR)
install -m 755 system-config-selinux.py $(DESTDIR)$(SHAREDIR)
install -m 755 system-config-selinux $(DESTDIR)$(BINDIR)
install -m 755 polgengui.py $(DESTDIR)$(BINDIR)/selinux-polgengui
@@ -44,7 +46,7 @@ install: all
install -m 644 system-config-selinux.png $(DESTDIR)$(DATADIR)/pixmaps
install -m 644 system-config-selinux.png $(DESTDIR)$(DATADIR)/icons/hicolor/24x24/apps
install -m 644 system-config-selinux.png $(DESTDIR)$(DATADIR)/system-config-selinux
- install -m 644 *.desktop $(DESTDIR)$(DATADIR)/system-config-selinux
+ install -m 644 *.desktop $(DESTDIR)$(DESKTOPDIR)
-mkdir -p $(DESTDIR)$(DATADIR)/pixmaps
install -m 644 sepolicy_256.png $(DESTDIR)$(DATADIR)/pixmaps/sepolicy.png
for i in 16 22 32 48 256; do \
--
2.21.0

7
SOURCES/0001-sandbox-add-reset-to-Xephyr-as-it-works-better-with-.patch → SOURCES/0003-sandbox-add-reset-to-Xephyr-as-it-works-better-with-.patch
Unescape View File

@ -1,16 +1,15 @@
From 31ccf6f0fc5e77870f496fac4bea94a6ba2e5c30 Mon Sep 17 00:00:00 2001
From 52e0583f6adfe70825b009b626e19c290b49763a Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Thu, 20 Aug 2015 12:58:41 +0200
Subject: [PATCH] sandbox: add -reset to Xephyr as it works better with it in
recent Fedoras
Content-type: text/plain
---
sandbox/sandboxX.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sandbox/sandboxX.sh b/sandbox/sandboxX.sh
index eaa500d08143..4774528027ef 100644
index eaa500d0..47745280 100644
--- a/sandbox/sandboxX.sh
+++ b/sandbox/sandboxX.sh
@@ -20,7 +20,7 @@ cat > ~/.config/openbox/rc.xml << EOF
@ -23,5 +22,5 @@ index eaa500d08143..4774528027ef 100644
cat > ~/seremote << __EOF
#!/bin/sh
--
2.39.1
2.21.0

13
SOURCES/0002-Fix-STANDARD_FILE_CONTEXT-section-in-man-pages.patch → SOURCES/0004-Fix-STANDARD_FILE_CONTEXT-section-in-man-pages.patch
Unescape View File

@ -1,8 +1,7 @@
From 837c347bbee5db90d11144363525113edc8baed3 Mon Sep 17 00:00:00 2001
From 7504614fdd7dcf11b3a7568ca9b4b921973531dd Mon Sep 17 00:00:00 2001
From: Dan Walsh <dwalsh@redhat.com>
Date: Mon, 21 Apr 2014 13:54:40 -0400
Subject: [PATCH] Fix STANDARD_FILE_CONTEXT section in man pages
Content-type: text/plain
Signed-off-by: Miroslav Grepl <mgrepl@redhat.com>
---
@ -10,10 +9,10 @@ Signed-off-by: Miroslav Grepl <mgrepl@redhat.com>
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
index a488dcbf54f2..7d90ffb5a22f 100755
index 1d367962..24e311a3 100755
--- a/python/sepolicy/sepolicy/manpage.py
+++ b/python/sepolicy/sepolicy/manpage.py
@@ -679,10 +679,13 @@ Default Defined Ports:""")
@@ -735,10 +735,13 @@ Default Defined Ports:""")
def _file_context(self):
flist = []
@ -27,9 +26,9 @@ index a488dcbf54f2..7d90ffb5a22f 100755
if f in self.fcdict:
mpaths = mpaths + self.fcdict[f]["regex"]
if len(mpaths) == 0:
@@ -741,12 +744,12 @@ SELinux %(domainname)s policy is very flexible allowing users to setup their %(d
@@ -797,12 +800,12 @@ SELinux %(domainname)s policy is very flexible allowing users to setup their %(d
SELinux defines the file context types for the %(domainname)s, if you wanted to
store files with these types in a different paths, you need to execute the semanage command to specify alternate labeling and then use restorecon to put the labels on disk.
store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk.
-.B semanage fcontext -a -t %(type)s '/srv/%(domainname)s/content(/.*)?'
+.B semanage fcontext -a -t %(type)s '/srv/my%(domainname)s_content(/.*)?'
@ -43,5 +42,5 @@ index a488dcbf54f2..7d90ffb5a22f 100755
self.fd.write(r"""
.I The following file types are defined for %(domainname)s:
--
2.39.1
2.21.0

11
SOURCES/0003-If-there-is-no-executable-we-don-t-want-to-print-a-p.patch → SOURCES/0005-If-there-is-no-executable-we-don-t-want-to-print-a-p.patch
Unescape View File

@ -1,28 +1,27 @@
From f21d5f9316094015c81339d25d69d3dc7150bd8a Mon Sep 17 00:00:00 2001
From 9847a26b7f8358432ee4c7019efb3cbad0c162b0 Mon Sep 17 00:00:00 2001
From: Miroslav Grepl <mgrepl@redhat.com>
Date: Mon, 12 May 2014 14:11:22 +0200
Subject: [PATCH] If there is no executable we don't want to print a part of
STANDARD FILE CONTEXT
Content-type: text/plain
---
python/sepolicy/sepolicy/manpage.py | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
index 7d90ffb5a22f..11809dcede43 100755
index 24e311a3..46092be0 100755
--- a/python/sepolicy/sepolicy/manpage.py
+++ b/python/sepolicy/sepolicy/manpage.py
@@ -737,7 +737,8 @@ SELinux %(domainname)s policy is very flexible allowing users to setup their %(d
@@ -793,7 +793,8 @@ SELinux %(domainname)s policy is very flexible allowing users to setup their %(d
.PP
""" % {'domainname': self.domainname, 'equiv': e, 'alt': e.split('/')[-1]})
- self.fd.write(r"""
+ if flist_non_exec:
+ self.fd.write(r"""
+ self.fd.write(r"""
.PP
.B STANDARD FILE CONTEXT
--
2.39.1
2.21.0

169
SOURCES/0006-Simplication-of-sepolicy-manpage-web-functionality.-.patch
Unescape View File

@ -0,0 +1,169 @@
From b2993d464e05291020dbf60fc2948ac152eb0003 Mon Sep 17 00:00:00 2001
From: Miroslav Grepl <mgrepl@redhat.com>
Date: Thu, 19 Feb 2015 17:45:15 +0100
Subject: [PATCH] Simplication of sepolicy-manpage web functionality.
system_release is no longer hardcoded and it creates only index.html and html
man pages in the directory for the system release.
---
python/sepolicy/sepolicy/__init__.py | 25 +++--------
python/sepolicy/sepolicy/manpage.py | 65 +++-------------------------
2 files changed, 13 insertions(+), 77 deletions(-)
diff --git a/python/sepolicy/sepolicy/__init__.py b/python/sepolicy/sepolicy/__init__.py
index 6aed31bd..88a2b8f6 100644
--- a/python/sepolicy/sepolicy/__init__.py
+++ b/python/sepolicy/sepolicy/__init__.py
@@ -1209,27 +1209,14 @@ def boolean_desc(boolean):
def get_os_version():
- os_version = ""
- pkg_name = "selinux-policy"
+ system_release = ""
try:
- try:
- from commands import getstatusoutput
- except ImportError:
- from subprocess import getstatusoutput
- rc, output = getstatusoutput("rpm -q '%s'" % pkg_name)
- if rc == 0:
- os_version = output.split(".")[-2]
- except:
- os_version = ""
-
- if os_version[0:2] == "fc":
- os_version = "Fedora" + os_version[2:]
- elif os_version[0:2] == "el":
- os_version = "RHEL" + os_version[2:]
- else:
- os_version = ""
+ with open('/etc/system-release') as f:
+ system_release = f.readline()
+ except IOError:
+ system_release = "Misc"
- return os_version
+ return system_release
def reinit():
diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
index 46092be0..d60acfaf 100755
--- a/python/sepolicy/sepolicy/manpage.py
+++ b/python/sepolicy/sepolicy/manpage.py
@@ -149,10 +149,6 @@ def prettyprint(f, trim):
manpage_domains = []
manpage_roles = []
-fedora_releases = ["Fedora17", "Fedora18"]
-rhel_releases = ["RHEL6", "RHEL7"]
-
-
def get_alphabet_manpages(manpage_list):
alphabet_manpages = dict.fromkeys(string.ascii_letters, [])
for i in string.ascii_letters:
@@ -182,7 +178,7 @@ def convert_manpage_to_html(html_manpage, manpage):
class HTMLManPages:
"""
- Generate a HHTML Manpages on an given SELinux domains
+ Generate a HTML Manpages on an given SELinux domains
"""
def __init__(self, manpage_roles, manpage_domains, path, os_version):
@@ -190,9 +186,9 @@ class HTMLManPages:
self.manpage_domains = get_alphabet_manpages(manpage_domains)
self.os_version = os_version
self.old_path = path + "/"
- self.new_path = self.old_path + self.os_version + "/"
+ self.new_path = self.old_path
- if self.os_version in fedora_releases or self.os_version in rhel_releases:
+ if self.os_version:
self.__gen_html_manpages()
else:
print("SELinux HTML man pages can not be generated for this %s" % os_version)
@@ -201,7 +197,6 @@ class HTMLManPages:
def __gen_html_manpages(self):
self._write_html_manpage()
self._gen_index()
- self._gen_body()
self._gen_css()
def _write_html_manpage(self):
@@ -219,67 +214,21 @@ class HTMLManPages:
convert_manpage_to_html((self.new_path + r.rsplit("_selinux", 1)[0] + ".html"), self.old_path + r)
def _gen_index(self):
- index = self.old_path + "index.html"
- fd = open(index, 'w')
- fd.write("""
-<html>
-<head>
- <link rel=stylesheet type="text/css" href="style.css" title="style">
- <title>SELinux man pages online</title>
-</head>
-<body>
-<h1>SELinux man pages</h1>
-<br></br>
-Fedora or Red Hat Enterprise Linux Man Pages.</h2>
-<br></br>
-<hr>
-<h3>Fedora</h3>
-<table><tr>
-<td valign="middle">
-</td>
-</tr></table>
-<pre>
-""")
- for f in fedora_releases:
- fd.write("""
-<a href=%s/%s.html>%s</a> - SELinux man pages for %s """ % (f, f, f, f))
-
- fd.write("""
-</pre>
-<hr>
-<h3>RHEL</h3>
-<table><tr>
-<td valign="middle">
-</td>
-</tr></table>
-<pre>
-""")
- for r in rhel_releases:
- fd.write("""
-<a href=%s/%s.html>%s</a> - SELinux man pages for %s """ % (r, r, r, r))
-
- fd.write("""
-</pre>
- """)
- fd.close()
- print("%s has been created" % index)
-
- def _gen_body(self):
html = self.new_path + self.os_version + ".html"
fd = open(html, 'w')
fd.write("""
<html>
<head>
- <link rel=stylesheet type="text/css" href="../style.css" title="style">
- <title>Linux man-pages online for Fedora18</title>
+ <link rel=stylesheet type="text/css" href="style.css" title="style">
+ <title>SELinux man pages online</title>
</head>
<body>
-<h1>SELinux man pages for Fedora18</h1>
+<h1>SELinux man pages for %s</h1>
<hr>
<table><tr>
<td valign="middle">
<h3>SELinux roles</h3>
-""")
+""" % self.os_version)
for letter in self.manpage_roles:
if len(self.manpage_roles[letter]):
fd.write("""
--
2.21.0

298
SOURCES/0007-Use-SHA-2-instead-of-SHA-1.patch
Unescape View File

@ -1,298 +0,0 @@
From 604a275f53750e4c1e1101bd53c4fd448cc0b5e3 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Fri, 30 Jul 2021 14:14:37 +0200
Subject: [PATCH] Use SHA-2 instead of SHA-1
Content-type: text/plain
The use of SHA-1 in RHEL9 is deprecated
---
policycoreutils/setfiles/restorecon.8 | 10 +++++-----
policycoreutils/setfiles/restorecon_xattr.8 | 8 ++++----
policycoreutils/setfiles/restorecon_xattr.c | 12 ++++++------
policycoreutils/setfiles/ru/restorecon.8 | 8 ++++----
policycoreutils/setfiles/ru/restorecon_xattr.8 | 10 +++++-----
policycoreutils/setfiles/ru/setfiles.8 | 8 ++++----
policycoreutils/setfiles/setfiles.8 | 10 +++++-----
7 files changed, 33 insertions(+), 33 deletions(-)
diff --git a/policycoreutils/setfiles/restorecon.8 b/policycoreutils/setfiles/restorecon.8
index e07db2c87dc4..dbd55ce7c512 100644
--- a/policycoreutils/setfiles/restorecon.8
+++ b/policycoreutils/setfiles/restorecon.8
@@ -95,14 +95,14 @@ display usage information and exit.
ignore files that do not exist.
.TP
.B \-I
-ignore digest to force checking of labels even if the stored SHA1 digest
-matches the specfiles SHA1 digest. The digest will then be updated provided
+ignore digest to force checking of labels even if the stored SHA256 digest
+matches the specfiles SHA256 digest. The digest will then be updated provided
there are no errors. See the
.B NOTES
section for further details.
.TP
.B \-D
-Set or update any directory SHA1 digests. Use this option to
+Set or update any directory SHA256 digests. Use this option to
enable usage of the
.IR security.sehash
extended attribute.
@@ -200,7 +200,7 @@ the
.B \-D
option to
.B restorecon
-will cause it to store a SHA1 digest of the default specfiles set in an extended
+will cause it to store a SHA256 digest of the default specfiles set in an extended
attribute named
.IR security.sehash
on each directory specified in
@@ -217,7 +217,7 @@ for further details.
.sp
The
.B \-I
-option will ignore the SHA1 digest from each directory specified in
+option will ignore the SHA256 digest from each directory specified in
.IR pathname \ ...
and provided the
.B \-n
diff --git a/policycoreutils/setfiles/restorecon_xattr.8 b/policycoreutils/setfiles/restorecon_xattr.8
index e04528e60824..4b1ce304d995 100644
--- a/policycoreutils/setfiles/restorecon_xattr.8
+++ b/policycoreutils/setfiles/restorecon_xattr.8
@@ -23,7 +23,7 @@ or
.SH "DESCRIPTION"
.B restorecon_xattr
-will display the SHA1 digests added to extended attributes
+will display the SHA256 digests added to extended attributes
.I security.sehash
or delete the attribute completely. These attributes are set by
.BR restorecon (8)
@@ -48,12 +48,12 @@ extended attribute and are automatically excluded from searches.
.sp
By default
.B restorecon_xattr
-will display the SHA1 digests with "Match" appended if they match the default
+will display the SHA256 digests with "Match" appended if they match the default
specfile set or the
.I specfile
set used with the
.B \-f
-option. Non-matching SHA1 digests will be displayed with "No Match" appended.
+option. Non-matching SHA256 digests will be displayed with "No Match" appended.
This feature can be disabled by the
.B \-n
option.
@@ -87,7 +87,7 @@ Do not append "Match" or "No Match" to displayed digests.
recursively descend directories.
.TP
.B \-v
-display SHA1 digest generated by specfile set (Note that this digest is not
+display SHA256 digest generated by specfile set (Note that this digest is not
used to match the
.I security.sehash
directory digest entries, and is shown for reference only).
diff --git a/policycoreutils/setfiles/restorecon_xattr.c b/policycoreutils/setfiles/restorecon_xattr.c
index 31fb82fd2099..bc22d3fd4560 100644
--- a/policycoreutils/setfiles/restorecon_xattr.c
+++ b/policycoreutils/setfiles/restorecon_xattr.c
@@ -38,7 +38,7 @@ int main(int argc, char **argv)
unsigned int xattr_flags = 0, delete_digest = 0, recurse = 0;
unsigned int delete_all_digests = 0, ignore_mounts = 0;
bool display_digest = false;
- char *sha1_buf, **specfiles, *fc_file = NULL, *pathname = NULL;
+ char *sha256_buf, **specfiles, *fc_file = NULL, *pathname = NULL;
unsigned char *fc_digest = NULL;
size_t i, fc_digest_len = 0, num_specfiles;
@@ -133,8 +133,8 @@ int main(int argc, char **argv)
exit(-1);
}
- sha1_buf = malloc(fc_digest_len * 2 + 1);
- if (!sha1_buf) {
+ sha256_buf = malloc(fc_digest_len * 2 + 1);
+ if (!sha256_buf) {
fprintf(stderr,
"Error allocating digest buffer: %s\n",
strerror(errno));
@@ -143,16 +143,16 @@ int main(int argc, char **argv)
}
for (i = 0; i < fc_digest_len; i++)
- sprintf((&sha1_buf[i * 2]), "%02x", fc_digest[i]);
+ sprintf((&sha256_buf[i * 2]), "%02x", fc_digest[i]);
- printf("specfiles SHA1 digest: %s\n", sha1_buf);
+ printf("specfiles SHA256 digest: %s\n", sha256_buf);
printf("calculated using the following specfile(s):\n");
if (specfiles) {
for (i = 0; i < num_specfiles; i++)
printf("%s\n", specfiles[i]);
}
- free(sha1_buf);
+ free(sha256_buf);
printf("\n");
}
diff --git a/policycoreutils/setfiles/ru/restorecon.8 b/policycoreutils/setfiles/ru/restorecon.8
index 9be3a63db356..745135020f4b 100644
--- a/policycoreutils/setfiles/ru/restorecon.8
+++ b/policycoreutils/setfiles/ru/restorecon.8
@@ -82,11 +82,11 @@ restorecon \- восстановить SELinux-контексты безопас
игнорировать файлы, которые не существуют.
.TP
.B \-I
-игнорировать дайджест, чтобы принудительно проверить метки, даже если хранимый дайджест SHA1 соответствует дайджесту SHA1 файлов спецификации. Затем (при условии отсутствия ошибок) дайджест будет обновлён. Более подробные сведения доступны в разделе
+игнорировать дайджест, чтобы принудительно проверить метки, даже если хранимый дайджест SHA256 соответствует дайджесту SHA256 файлов спецификации. Затем (при условии отсутствия ошибок) дайджест будет обновлён. Более подробные сведения доступны в разделе
.B ПРИМЕЧАНИЯ.
.TP
.B \-D
-установить или обновить дайджесты SHA1 для любых каталогов. Используйте этот параметр, чтобы включить использование расширенного атрибута
+установить или обновить дайджесты SHA256 для любых каталогов. Используйте этот параметр, чтобы включить использование расширенного атрибута
.IR security.restorecon_last.
.TP
.B \-m
@@ -159,7 +159,7 @@ GNU
.B \-D
команды
.B restorecon
-обеспечит сохранение дайджеста SHA1 файлов спецификации по умолчанию в расширенном атрибуте с именем
+обеспечит сохранение дайджеста SHA256 файлов спецификации по умолчанию в расширенном атрибуте с именем
.IR security.restorecon_last
для каталогов, указанных в соответствующих путях
.IR pathname \ ...
@@ -173,7 +173,7 @@ GNU
.sp
Параметр
.B \-I
-позволяет игнорировать дайджест SHA1 из каждого каталога, указанного в
+позволяет игнорировать дайджест SHA256 из каждого каталога, указанного в
.IR pathname \ ...
, и, при условии, что НЕ установлен параметр
.B \-n
diff --git a/policycoreutils/setfiles/ru/restorecon_xattr.8 b/policycoreutils/setfiles/ru/restorecon_xattr.8
index 41c441b8c5c2..25c4c3033334 100644
--- a/policycoreutils/setfiles/ru/restorecon_xattr.8
+++ b/policycoreutils/setfiles/ru/restorecon_xattr.8
@@ -23,7 +23,7 @@ restorecon_xattr \- управление записями расширенных
.SH "ОПИСАНИЕ"
.B restorecon_xattr
-покажет дайджесты SHA1, добавленные в расширенные атрибуты
+покажет дайджесты SHA256, добавленные в расширенные атрибуты
.I security.restorecon_last,
или полностью удалит эти атрибуты. Эти атрибуты устанавливаются командой
.BR restorecon (8)
@@ -47,11 +47,11 @@ restorecon_xattr \- управление записями расширенных
.sp
По умолчанию
.B restorecon_xattr
-показывает дайджесты SHA1, добавляя в конце "Match", если они соответствуют установленному по умолчанию файлу спецификации или файлу спецификации
+показывает дайджесты SHA256, добавляя в конце "Match", если они соответствуют установленному по умолчанию файлу спецификации или файлу спецификации
.I specfile,
который установлен с помощью параметра
.B \-f.
-Несоответствующие дайджесты SHA1 будут показаны с добавлением "No Match" в конце.
+Несоответствующие дайджесты SHA256 будут показаны с добавлением "No Match" в конце.
Эту возможность можно отключить с помощью параметра
.B \-n.
@@ -81,7 +81,7 @@ restorecon_xattr \- управление записями расширенных
рекурсивно спускаться по каталогам.
.TP
.B \-v
-показать дайджест SHA1, созданный установленным файлом спецификации.
+показать дайджест SHA256, созданный установленным файлом спецификации.
.TP
.B \-e
.I directory
@@ -97,7 +97,7 @@ restorecon_xattr \- управление записями расширенных
.BR file_contexts (5).
Он будет использоваться
.BR selabel_open (3)
-для получения набора записей меток; получение дайджеста SHA1 выполняется с помощью
+для получения набора записей меток; получение дайджеста SHA256 выполняется с помощью
.BR selabel_digest (3).
Если этот параметр не указан, будет использоваться файл file_contexts по умолчанию.
diff --git a/policycoreutils/setfiles/ru/setfiles.8 b/policycoreutils/setfiles/ru/setfiles.8
index 910101452625..7f2daa09191b 100644
--- a/policycoreutils/setfiles/ru/setfiles.8
+++ b/policycoreutils/setfiles/ru/setfiles.8
@@ -69,11 +69,11 @@ setfiles \- установить SELinux-контексты безопаснос
игнорировать файлы, которые не существуют.
.TP
.B \-I
-игнорировать дайджест, чтобы принудительно проверить метки, даже если хранимый дайджест SHA1 соответствует дайджесту SHA1 файлов спецификации. Затем (при условии отсутствия ошибок) дайджест будет обновлён. Более подробные сведения доступны в разделе
+игнорировать дайджест, чтобы принудительно проверить метки, даже если хранимый дайджест SHA256 соответствует дайджесту SHA256 файлов спецификации. Затем (при условии отсутствия ошибок) дайджест будет обновлён. Более подробные сведения доступны в разделе
.B ПРИМЕЧАНИЯ.
.TP
.B \-D
-установить или обновить дайджесты SHA1 для любых каталогов. Используйте этот параметр, чтобы включить использование расширенного атрибута
+установить или обновить дайджесты SHA256 для любых каталогов. Используйте этот параметр, чтобы включить использование расширенного атрибута
.IR security.restorecon_last.
.TP
.B \-l
@@ -186,7 +186,7 @@ GNU
.B \-D
команды
.B setfiles .
-Он обеспечивает сохранение дайджеста SHA1 файла спецификации
+Он обеспечивает сохранение дайджеста SHA256 файла спецификации
.B spec_file
в расширенном атрибуте с именем
.IR security.restorecon_last
@@ -204,7 +204,7 @@ GNU
.sp
Параметр
.B \-I
-позволяет игнорировать дайджест SHA1 из каждого каталога, указанного в
+позволяет игнорировать дайджест SHA256 из каждого каталога, указанного в
.IR pathname \ ...
, и, при условии, что НЕ установлен параметр
.B \-n
diff --git a/policycoreutils/setfiles/setfiles.8 b/policycoreutils/setfiles/setfiles.8
index bf26e161a71d..36fe6b369548 100644
--- a/policycoreutils/setfiles/setfiles.8
+++ b/policycoreutils/setfiles/setfiles.8
@@ -95,14 +95,14 @@ display usage information and exit.
ignore files that do not exist.
.TP
.B \-I
-ignore digest to force checking of labels even if the stored SHA1 digest
-matches the specfiles SHA1 digest. The digest will then be updated provided
+ignore digest to force checking of labels even if the stored SHA256 digest
+matches the specfiles SHA256 digest. The digest will then be updated provided
there are no errors. See the
.B NOTES
section for further details.
.TP
.B \-D
-Set or update any directory SHA1 digests. Use this option to
+Set or update any directory SHA256 digests. Use this option to
enable usage of the
.IR security.sehash
extended attribute.
@@ -261,7 +261,7 @@ the
.B \-D
option to
.B setfiles
-will cause it to store a SHA1 digest of the
+will cause it to store a SHA256 digest of the
.B spec_file
set in an extended attribute named
.IR security.sehash
@@ -282,7 +282,7 @@ for further details.
.sp
The
.B \-I
-option will ignore the SHA1 digest from each directory specified in
+option will ignore the SHA256 digest from each directory specified in
.IR pathname \ ...
and provided the
.B \-n
--
2.39.1

26
SOURCES/0007-We-want-to-remove-the-trailing-newline-for-etc-syste.patch
Unescape View File

@ -0,0 +1,26 @@
From bfcb599d9424ef6ffcd250931c89675b451edd00 Mon Sep 17 00:00:00 2001
From: Miroslav Grepl <mgrepl@redhat.com>
Date: Fri, 20 Feb 2015 16:42:01 +0100
Subject: [PATCH] We want to remove the trailing newline for
/etc/system_release.
---
python/sepolicy/sepolicy/__init__.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/python/sepolicy/sepolicy/__init__.py b/python/sepolicy/sepolicy/__init__.py
index 88a2b8f6..0c66f4d5 100644
--- a/python/sepolicy/sepolicy/__init__.py
+++ b/python/sepolicy/sepolicy/__init__.py
@@ -1212,7 +1212,7 @@ def get_os_version():
system_release = ""
try:
with open('/etc/system-release') as f:
- system_release = f.readline()
+ system_release = f.readline().rstrip()
except IOError:
system_release = "Misc"
--
2.21.0

25
SOURCES/0008-Fix-title-in-manpage.py-to-not-contain-online.patch
Unescape View File

@ -0,0 +1,25 @@
From 4ea504acce6389c3e28134c4b8e6bf9072c295ce Mon Sep 17 00:00:00 2001
From: Miroslav Grepl <mgrepl@redhat.com>
Date: Fri, 20 Feb 2015 16:42:53 +0100
Subject: [PATCH] Fix title in manpage.py to not contain 'online'.
---
python/sepolicy/sepolicy/manpage.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
index d60acfaf..de8184d8 100755
--- a/python/sepolicy/sepolicy/manpage.py
+++ b/python/sepolicy/sepolicy/manpage.py
@@ -220,7 +220,7 @@ class HTMLManPages:
<html>
<head>
<link rel=stylesheet type="text/css" href="style.css" title="style">
- <title>SELinux man pages online</title>
+ <title>SELinux man pages</title>
</head>
<body>
<h1>SELinux man pages for %s</h1>
--
2.21.0

9
SOURCES/0004-Don-t-be-verbose-if-you-are-not-on-a-tty.patch → SOURCES/0009-Don-t-be-verbose-if-you-are-not-on-a-tty.patch
Unescape View File

@ -1,15 +1,14 @@
From 9e22ab3619d68277c89926f3f31e37a9101ca082 Mon Sep 17 00:00:00 2001
From 8af697659bd662517571577bf47946a2113f34a1 Mon Sep 17 00:00:00 2001
From: Dan Walsh <dwalsh@redhat.com>
Date: Fri, 14 Feb 2014 12:32:12 -0500
Subject: [PATCH] Don't be verbose if you are not on a tty
Content-type: text/plain
---
policycoreutils/scripts/fixfiles | 1 +
1 file changed, 1 insertion(+)
diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles
index 166af6f360a2..ebe64563c7d7 100755
index b2779581..53d28c7b 100755
--- a/policycoreutils/scripts/fixfiles
+++ b/policycoreutils/scripts/fixfiles
@@ -108,6 +108,7 @@ exclude_dirs_from_relabelling() {
@ -18,8 +17,8 @@ index 166af6f360a2..ebe64563c7d7 100755
VERBOSE="-p"
+[ -t 1 ] || VERBOSE=""
FORCEFLAG=""
THREADS=""
RPMFILES=""
PREFC=""
--
2.39.1
2.21.0

75
SOURCES/0009-python-chcat-Improve-man-pages.patch
Unescape View File

@ -1,75 +0,0 @@
From 09ad91e1fb8640e48cef895ead49d9c770016915 Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com>
Date: Thu, 4 May 2023 14:04:47 +0200
Subject: [PATCH] python/chcat: Improve man pages
Content-type: text/plain
- Explain applying range/list of categories
- "-d" removes all categories of given file/user
- Add examples
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
---
python/chcat/chcat.8 | 23 ++++++++++++++++-------
1 file changed, 16 insertions(+), 7 deletions(-)
diff --git a/python/chcat/chcat.8 b/python/chcat/chcat.8
index d095a2558d3a..3e1f7ca23361 100644
--- a/python/chcat/chcat.8
+++ b/python/chcat/chcat.8
@@ -1,6 +1,6 @@
.TH CHCAT "8" "September 2005" "chcat" "User Commands"
.SH NAME
-chcat \- change file SELinux security category
+chcat \- change SELinux security categories of files/users
.SH SYNOPSIS
.B chcat
\fIcategory file\fR...
@@ -25,23 +25,33 @@ chcat \- change file SELinux security category
.br
.SH DESCRIPTION
.PP
-Change/Remove the security \fIcategory\fR for each \fIfile\fR or \fIuser\fR.
-.PP
-Use +/- to add/remove categories from a \fIfile\fR or \fIuser\fR.
+Use +/- to add/remove categories from a \fIfile\fR or \fIuser\fR (only a single category can be specified at a time). Or specify the desired list/range of categories to be applied (replacing the existing categories).
.PP
.B
Note:
-When removing a category you must specify '\-\-' on the command line before using the \-Category syntax. This tells the command that you have finished entering options and are now specifying a category name instead.
+When removing a category you must specify '\-\-' on the command line before using the \-Category syntax. This tells the command that you have finished entering options and are now specifying a category name instead.
.TP
\fB\-d\fR
-delete the category from each FILE/USER.
+delete all categories from given FILE/USER.
.TP
\fB\-L\fR
list available categories.
.TP
\fB\-l\fR
Tells chcat to operate on users instead of files.
+
+.SH EXAMPLE
+.nf
+Replace categories of user "test" with c0.c6
+# chcat -l c0.c6 test
+Add category c1023 to user "test"
+# chcat -l +c1023 test
+Remove category c5 from file "file"
+# chcat -- -c5 file
+Remove all categories from file "file"
+# chcat -d file
+
.SH "SEE ALSO"
.TP
chcon(1), selinux(8), semanage(8)
@@ -52,4 +62,3 @@ When operating on files this script wraps the chcon command.
/etc/selinux/{SELINUXTYPE}/setrans.conf
.br
/etc/selinux/{SELINUXTYPE}/seusers
-
--
2.41.0

80
SOURCES/0010-python-audit2allow-Add-missing-options-to-man-page.patch
Unescape View File

@ -1,80 +0,0 @@
From b67240b8663c3df471e8ce06b087ec7fb8b9d57c Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com>
Date: Thu, 4 May 2023 14:04:48 +0200
Subject: [PATCH] python/audit2allow: Add missing options to man page
Content-type: text/plain
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
---
python/audit2allow/audit2allow.1 | 24 +++++++++++++++++++-----
1 file changed, 19 insertions(+), 5 deletions(-)
diff --git a/python/audit2allow/audit2allow.1 b/python/audit2allow/audit2allow.1
index 04ec32398011..c31021d39489 100644
--- a/python/audit2allow/audit2allow.1
+++ b/python/audit2allow/audit2allow.1
@@ -40,10 +40,10 @@
Read input from audit and message log, conflicts with \-i
.TP
.B "\-b" | "\-\-boot"
-Read input from audit messages since last boot conflicts with \-i
+Read input from audit messages since last boot, conflicts with \-i
.TP
.B "\-d" | "\-\-dmesg"
-Read input from output of
+Read input from output of
.I /bin/dmesg.
Note that all audit messages are not available via dmesg when
auditd is running; use "ausearch \-m avc | audit2allow" or "\-a" instead.
@@ -51,15 +51,22 @@ auditd is running; use "ausearch \-m avc | audit2allow" or "\-a" instead.
.B "\-D" | "\-\-dontaudit"
Generate dontaudit rules (Default: allow)
.TP
+.B "\-e" | "\-\-explain"
+Fully explain generated output
+.TP
.B "\-h" | "\-\-help"
Print a short usage message
.TP
.B "\-i <inputfile>" | "\-\-input <inputfile>"
-read input from
+Read input from
.I <inputfile>
.TP
+.B "\-\-interface-info=<interface_info_file>"
+Read interface information from
+.I <interface_info_file>
+.TP
.B "\-l" | "\-\-lastreload"
-read input only after last policy reload
+Read input only after last policy reload
.TP
.B "\-m <modulename>" | "\-\-module <modulename>"
Generate module/require output <modulename>
@@ -70,8 +77,12 @@ Generate loadable module package, conflicts with \-o
.B "\-p <policyfile>" | "\-\-policy <policyfile>"
Policy file to use for analysis
.TP
+.B "\-\-perm-map <perm_map_file>"
+Read permission map from
+.I <perm_map_file>
+.TP
.B "\-o <outputfile>" | "\-\-output <outputfile>"
-append output to
+Append output to
.I <outputfile>
.TP
.B "\-r" | "\-\-requires"
@@ -85,6 +96,9 @@ This is the default behavior.
Generate reference policy using installed macros.
This attempts to match denials against interfaces and may be inaccurate.
.TP
+.B "\-t <type_regex>" | "\-\-type=<type_regex>"
+Only process messages with a type that matches this regex
+.TP
.B "\-x" | "\-\-xperms"
Generate extended permission access vector rules
.TP
--
2.41.0

15
SOURCES/0008-sepolicy-Drop-old-interface-file_type_is_executable-.patch → SOURCES/0010-sepolicy-Drop-old-interface-file_type_is_executable-.patch
Unescape View File

@ -1,9 +1,8 @@
From b9b94a3254905518f00c4746c0bd712921af31cb Mon Sep 17 00:00:00 2001
From ef0f54ffc6d691d10e66a0793204edd159cd45d0 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Mon, 27 Feb 2017 17:12:39 +0100
Subject: [PATCH] sepolicy: Drop old interface file_type_is_executable(f) and
file_type_is_entrypoint(f)
Content-type: text/plain
- use direct queries
- load exec_types and entry_types only once
@ -12,10 +11,10 @@ Content-type: text/plain
1 file changed, 20 insertions(+), 2 deletions(-)
diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
index 11809dcede43..543fef6c8d13 100755
index de8184d8..f8a94fc0 100755
--- a/python/sepolicy/sepolicy/manpage.py
+++ b/python/sepolicy/sepolicy/manpage.py
@@ -127,8 +127,24 @@ def gen_domains():
@@ -125,8 +125,24 @@ def gen_domains():
domains.sort()
return domains
@ -41,7 +40,7 @@ index 11809dcede43..543fef6c8d13 100755
def _gen_types():
global types
@@ -368,6 +384,8 @@ class ManPage:
@@ -372,6 +388,8 @@ class ManPage:
self.all_file_types = sepolicy.get_all_file_types()
self.role_allows = sepolicy.get_all_role_allows()
self.types = _gen_types()
@ -50,15 +49,15 @@ index 11809dcede43..543fef6c8d13 100755
if self.source_files:
self.fcpath = self.root + "file_contexts"
@@ -684,7 +702,7 @@ Default Defined Ports:""")
@@ -689,7 +707,7 @@ Default Defined Ports:""")
for f in self.all_file_types:
if f.startswith(self.domainname):
flist.append(f)
- if not file_type_is_executable(f) or not file_type_is_entrypoint(f):
+ if f not in self.exec_types or f not in self.entry_types:
+ if not f in self.exec_types or not f in self.entry_types:
flist_non_exec.append(f)
if f in self.fcdict:
mpaths = mpaths + self.fcdict[f]["regex"]
--
2.39.1
2.21.0

465
SOURCES/0011-python-semanage-Improve-man-pages.patch
Unescape View File

@ -1,465 +0,0 @@
From 4ebc1057f6e5494909045bbcc7ea8896bd32a094 Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com>
Date: Thu, 4 May 2023 14:04:49 +0200
Subject: [PATCH] python/semanage: Improve man pages
Content-type: text/plain
- Add missing options
- Add more examples
- Note special cases
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
---
python/semanage/semanage-boolean.8 | 9 ++++++---
python/semanage/semanage-dontaudit.8 | 8 +++++---
python/semanage/semanage-export.8 | 10 +++++++++-
python/semanage/semanage-fcontext.8 | 17 +++++++++++------
python/semanage/semanage-ibendport.8 | 6 ++++--
python/semanage/semanage-ibpkey.8 | 6 ++++--
python/semanage/semanage-import.8 | 10 +++++++++-
python/semanage/semanage-interface.8 | 8 ++++++--
python/semanage/semanage-login.8 | 14 ++++++++------
python/semanage/semanage-module.8 | 15 ++++++++++-----
python/semanage/semanage-node.8 | 16 +++++++++++++---
python/semanage/semanage-permissive.8 | 8 +++++---
python/semanage/semanage-port.8 | 10 ++++++----
python/semanage/semanage-user.8 | 8 +++++---
14 files changed, 101 insertions(+), 44 deletions(-)
diff --git a/python/semanage/semanage-boolean.8 b/python/semanage/semanage-boolean.8
index 1282d10626ff..3b664023d3fe 100644
--- a/python/semanage/semanage-boolean.8
+++ b/python/semanage/semanage-boolean.8
@@ -7,11 +7,14 @@ semanage\-boolean \- SELinux Policy Management boolean tool
.SH "DESCRIPTION"
semanage is used to configure certain elements of
SELinux policy without requiring modification to or recompilation
-from policy sources. semanage boolean command controls the settings of booleans in SELinux policy. booleans are if\-then\-else rules written in SELinux Policy. They can be used to customize the way that SELinux Policy rules effect a confined domain.
+from policy sources.
+.B semanage boolean
+command controls the settings of booleans in SELinux policy. Booleans are if\-then\-else rules written in SELinux Policy. They can be used to customize the way that SELinux Policy rules effect a confined domain.
+
.SH "OPTIONS"
.TP
.I \-h, \-\-help
-show this help message and exit
+Show this help message and exit
.TP
.I \-n, \-\-noheading
Do not print heading when listing the specified object type
@@ -45,7 +48,7 @@ Disable the boolean
.SH EXAMPLE
.nf
-Turn on the apache can send mail boolean
+Turn on the "apache can send mail" boolean (persistent version of #setsebool httpd_can_sendmail on)
# semanage boolean \-m \-\-on httpd_can_sendmail
List customized booleans
diff --git a/python/semanage/semanage-dontaudit.8 b/python/semanage/semanage-dontaudit.8
index 81accc6f83de..51d1f4b6b0e0 100644
--- a/python/semanage/semanage-dontaudit.8
+++ b/python/semanage/semanage-dontaudit.8
@@ -7,13 +7,15 @@
.SH "DESCRIPTION"
semanage is used to configure certain elements of
SELinux policy without requiring modification to or recompilation
-from policy sources. semanage dontaudit toggles whether or not dontaudit rules will be in the policy. Policy writers use dontaudit rules to cause
-confined applications to use alternative paths. Dontaudit rules are denied but not reported in the logs. Some times dontaudit rules can cause bugs in applications but policy writers will not realize it since the AVC is not audited. Turning off dontaudit rules with this command to see if the kernel is blocking an access.
+from policy sources.
+.B semanage dontaudit
+toggles whether or not dontaudit rules will be in the policy. Policy writers use dontaudit rules to cause
+confined applications to use alternative paths. Dontaudit rules are denied but not reported in the logs. Sometimes dontaudit rules can cause bugs in applications but policy writers will not realize it since the AVC is not audited. Turn off dontaudit rules with this command to see if the kernel is blocking an access.
.SH "OPTIONS"
.TP
.I \-h, \-\-help
-show this help message and exit
+Show this help message and exit
.TP
.I \-S STORE, \-\-store STORE
Select an alternate SELinux Policy Store to manage
diff --git a/python/semanage/semanage-export.8 b/python/semanage/semanage-export.8
index d422683bd5c8..5198479306df 100644
--- a/python/semanage/semanage-export.8
+++ b/python/semanage/semanage-export.8
@@ -7,7 +7,15 @@
.SH "DESCRIPTION"
semanage is used to configure certain elements of
SELinux policy without requiring modification to or recompilation
-from policy sources. semanage import and export can be used to extract the SELinux modifications from one machine and apply them to another. You can put a whole group of semanage commands within a file and apply them to a machine in a single transaction.
+from policy sources.
+.B semanage import
+and
+.B export
+can be used to extract the SELinux modifications from one machine and apply them to another. Please note that this will remove all current semanage customizations on the second machine as the command list generated using
+.B semanage export
+start with
+.I <command> -D
+for all semanage sub-commands. You can put a whole group of semanage commands within a file and apply them to a machine in a single transaction.
.SH "OPTIONS"
.TP
diff --git a/python/semanage/semanage-fcontext.8 b/python/semanage/semanage-fcontext.8
index 1ebf085faed8..3e327d88d146 100644
--- a/python/semanage/semanage-fcontext.8
+++ b/python/semanage/semanage-fcontext.8
@@ -8,8 +8,10 @@ semanage\-fcontext \- SELinux Policy Management file context tool
.SH "DESCRIPTION"
semanage is used to configure certain elements of
SELinux policy without requiring modification to or recompilation
-from policy sources. semanage fcontext is used to manage the default
-file system labeling on an SELinux system. This command maps file paths using regular expressions to SELinux labels.
+from policy sources.
+.B semanage fcontext
+is used to manage the default file system labeling on an SELinux system.
+This command maps file paths using regular expressions to SELinux labels.
FILE_SPEC may contain either a fully qualified path,
or a Perl compatible regular expression (PCRE),
@@ -32,7 +34,7 @@ to avoid unintentionally impacting other parts of the filesystem.
.SH "OPTIONS"
.TP
.I \-h, \-\-help
-show this help message and exit
+Show this help message and exit
.TP
.I \-n, \-\-noheading
Do not print heading when listing the specified object type
@@ -82,12 +84,13 @@ MLS/MCS Security Range (MLS/MCS Systems only) SELinux Range for SELinux login ma
.SH EXAMPLE
.nf
-.I remember to run restorecon after you set the file context
-Add file-context for everything under /web
+.I Remember to run restorecon after you set the file context
+Add file-context httpd_sys_content_t for everything under /web
# semanage fcontext \-a \-t httpd_sys_content_t "/web(/.*)?"
# restorecon \-R \-v /web
Substitute /home1 with /home when setting file context
+i.e. label everything under /home1 the same way /home is labeled
# semanage fcontext \-a \-e /home /home1
# restorecon \-R \-v /home1
@@ -99,7 +102,9 @@ execute the following commands.
.SH "SEE ALSO"
.BR selinux (8),
-.BR semanage (8)
+.BR semanage (8),
+.BR restorecon (8),
+.BR selabel_file (5)
.SH "AUTHOR"
This man page was written by Daniel Walsh <dwalsh@redhat.com>
diff --git a/python/semanage/semanage-ibendport.8 b/python/semanage/semanage-ibendport.8
index 0a29eae18031..53fe4ee8512a 100644
--- a/python/semanage/semanage-ibendport.8
+++ b/python/semanage/semanage-ibendport.8
@@ -5,12 +5,14 @@
.B semanage ibendport [\-h] [\-n] [\-N] [\-S STORE] [ \-\-add \-t TYPE \-z IBDEV_NAME \-r RANGE port | \-\-delete \-z IBDEV_NAME port | \-\-deleteall | \-\-extract | \-\-list [\-C] | \-\-modify \-t TYPE \-z IBDEV_NAME \-r RANGE port ]
.SH "DESCRIPTION"
-semanage is used to configure certain elements of SELinux policy without requiring modification to or recompilation from policy sources. semanage ibendport controls the ibendport number to ibendport type definitions.
+semanage is used to configure certain elements of SELinux policy without requiring modification to or recompilation from policy sources.
+.B semanage ibendport
+controls the ibendport number to ibendport type definitions.
.SH "OPTIONS"
.TP
.I \-h, \-\-help
-show this help message and exit
+Show this help message and exit
.TP
.I \-n, \-\-noheading
Do not print heading when listing the specified object type
diff --git a/python/semanage/semanage-ibpkey.8 b/python/semanage/semanage-ibpkey.8
index 51f455abaeab..6cc5e02fbcb6 100644
--- a/python/semanage/semanage-ibpkey.8
+++ b/python/semanage/semanage-ibpkey.8
@@ -5,12 +5,14 @@
.B semanage ibpkey [\-h] [\-n] [\-N] [\-S STORE] [ \-\-add \-t TYPE \-x SUBNET_PREFIX \-r RANGE ibpkey_name | ibpkey_range | \-\-delete \-x SUBNET_PREFIX ibpkey_name | ibpkey_range | \-\-deleteall | \-\-extract | \-\-list [\-C] | \-\-modify \-t TYPE \-x SUBNET_PREFIX \-r RANGE ibpkey_name | ibpkey_range ]
.SH "DESCRIPTION"
-semanage is used to configure certain elements of SELinux policy without requiring modification to or recompilation from policy sources. semanage ibpkey controls the ibpkey number to ibpkey type definitions.
+semanage is used to configure certain elements of SELinux policy without requiring modification to or recompilation from policy sources.
+.B semanage ibpkey
+controls the ibpkey number to ibpkey type definitions.
.SH "OPTIONS"
.TP
.I \-h, \-\-help
-show this help message and exit
+Show this help message and exit
.TP
.I \-n, \-\-noheading
Do not print heading when listing the specified object type
diff --git a/python/semanage/semanage-import.8 b/python/semanage/semanage-import.8
index 4a9b3e765f34..041e9ab052fb 100644
--- a/python/semanage/semanage-import.8
+++ b/python/semanage/semanage-import.8
@@ -7,7 +7,15 @@
.SH "DESCRIPTION"
semanage is used to configure certain elements of
SELinux policy without requiring modification to or recompilation
-from policy sources. semanage import and export can be used to extract the SELinux modifications from one machine and apply them to another. You can put a whole group of semanage commands within a file and apply them to a machine in a single transaction.
+from policy sources.
+.B semanage import
+and
+.B export
+can be used to extract the SELinux modifications from one machine and apply them to another. Please note that this will remove all current semanage customizations on the second machine as the command list generated using
+.B semanage export
+start with
+.I <command> -D
+for all semanage sub-commands. You can put a whole group of semanage commands within a file and apply them to a machine in a single transaction.
.SH "OPTIONS"
.TP
diff --git a/python/semanage/semanage-interface.8 b/python/semanage/semanage-interface.8
index d9d526dc7391..080db70b6ec2 100644
--- a/python/semanage/semanage-interface.8
+++ b/python/semanage/semanage-interface.8
@@ -7,12 +7,14 @@
.SH "DESCRIPTION"
semanage is used to configure certain elements of
SELinux policy without requiring modification to or recompilation
-from policy sources. semanage interface controls the labels assigned to network interfaces.
+from policy sources.
+.B semanage interface
+controls the labels assigned to network interfaces.
.SH "OPTIONS"
.TP
.I \-h, \-\-help
-show this help message and exit
+Show this help message and exit
.TP
.I \-n, \-\-noheading
Do not print heading when listing the specified object type
@@ -54,6 +56,8 @@ MLS/MCS Security Range (MLS/MCS Systems only) SELinux Range for SELinux login ma
.nf
list all interface definitions
# semanage interface \-l
+Assign type netif_t and MLS/MCS range s0:c0.c1023 to interface eth0
+# semanage interface \-a \-t netif_t \-r s0:c0.c1023 eth0
.SH "SEE ALSO"
.BR selinux (8),
diff --git a/python/semanage/semanage-login.8 b/python/semanage/semanage-login.8
index f451bdc65d53..9076a1edcedb 100644
--- a/python/semanage/semanage-login.8
+++ b/python/semanage/semanage-login.8
@@ -7,12 +7,14 @@
.SH "DESCRIPTION"
semanage is used to configure certain elements of
SELinux policy without requiring modification to or recompilation
-from policy sources. semanage login controls the mapping between a Linux User and the SELinux User. It can be used to turn on confined users. For example you could define that a particular user or group of users will login to a system as the user_u user. Prefix the group name with a '%' sign to indicate a group name.
+from policy sources.
+.B semanage login
+controls the mapping between a Linux User and the SELinux User. It can be used to turn on confined users. For example you could define that a particular user or group of users will login to a system as the user_u user. Prefix the group name with a '%' sign to indicate a group name.
.SH "OPTIONS"
.TP
.I \-h, \-\-help
-show this help message and exit
+Show this help message and exit
.TP
.I \-n, \-\-noheading
Do not print heading when listing the specified object type
@@ -52,11 +54,11 @@ MLS/MCS Security Range (MLS/MCS Systems only) SELinux Range for SELinux login ma
.SH EXAMPLE
.nf
-Modify the default user on the system to the guest_u user
+Set the default SELinux user on the system to guest_u
# semanage login \-m \-s guest_u __default__
-Assign gijoe user on an MLS machine a range and to the staff_u user
-# semanage login \-a \-s staff_u \-rSystemLow-Secret gijoe
-Assign all users in the engineering group to the staff_u user
+Map user gijoe to SELinux user staff_u and assign MLS range SystemLow\-Secret
+# semanage login \-a \-s staff_u \-rSystemLow\-Secret gijoe
+Map all users in the engineering group to SELinux user staff_u
# semanage login \-a \-s staff_u %engineering
.SH "SEE ALSO"
diff --git a/python/semanage/semanage-module.8 b/python/semanage/semanage-module.8
index e00571672565..6913b0cd47d9 100644
--- a/python/semanage/semanage-module.8
+++ b/python/semanage/semanage-module.8
@@ -5,12 +5,14 @@
.B semanage module [\-h] [\-n] [\-N] [\-S STORE] (\-a | \-r | \-e | \-d | \-\-extract | \-\-list [\-C] | \-\-deleteall) [module_name]
.SH "DESCRIPTION"
-semanage is used to configure certain elements of SELinux policy without requiring modification to or recompilation from policy sources. semanage module installs, removes, disables SELinux Policy modules.
+semanage is used to configure certain elements of SELinux policy without requiring modification to or recompilation from policy sources.
+.B semanage module
+installs, removes, disables, or enables SELinux Policy modules.
.SH "OPTIONS"
.TP
.I \-h, \-\-help
-show this help message and exit
+Show this help message and exit
.TP
.I \-n, \-\-noheading
Do not print heading when listing the specified object type
@@ -22,11 +24,14 @@ Do not reload policy after commit
Select an alternate SELinux Policy Store to manage
.TP
.I \-a, \-\-add
-Install specified module
+Install specified module. Accepts both binary policy files (.pp) and CIL source files
.TP
.I \-r, \-\-remove
Remove specified module
.TP
+.I \-D, \-\-deleteall
+Remove all local customizations related to modules
+.TP
.I \-d \-\-disable
Disable specified module
.TP
@@ -48,8 +53,8 @@ List all modules
# semanage module \-l
Disable unconfined module
# semanage module \-\-disable unconfined
-Install custom apache policy module
-# semanage module \-a myapache
+Install custom apache policy module (same as #semodule -i myapache.pp)
+# semanage module \-a myapache.pp
.SH "SEE ALSO"
.BR selinux (8),
diff --git a/python/semanage/semanage-node.8 b/python/semanage/semanage-node.8
index a0098221c85b..c78d6c3eaf76 100644
--- a/python/semanage/semanage-node.8
+++ b/python/semanage/semanage-node.8
@@ -7,12 +7,14 @@
.SH "DESCRIPTION"
semanage is used to configure certain elements of
SELinux policy without requiring modification to or recompilation
-from policy sources. semanage controls the ipaddress to node type definitions.
+from policy sources.
+.B semanage node
+controls the IP address to node type definitions.
.SH "OPTIONS"
.TP
.I \-h, \-\-help
-show this help message and exit
+Show this help message and exit
.TP
.I \-n, \-\-noheading
Do not print heading when listing the specified object type
@@ -54,5 +56,13 @@ SELinux type for the object
MLS/MCS Security Range (MLS/MCS Systems only) SELinux Range for SELinux login mapping defaults to the SELinux user record range. SELinux Range for SELinux user defaults to s0.
.TP
.I \-p PROTO, \-\-proto PROTO
-
Protocol for the specified port (tcp|udp) or internet protocol version for the specified node (ipv4|ipv6).
+
+.SH "EXAMPLE"
+.nf
+Apply type node_t to ipv4 node 127.0.0.2
+# semanage node \-a \-t node_t \-p ipv4 \-M 255.255.255.255 127.0.0.2
+
+.SH "SEE ALSO"
+.BR selinux (8),
+.BR semanage (8)
diff --git a/python/semanage/semanage-permissive.8 b/python/semanage/semanage-permissive.8
index 5c3364fa54f8..0414a850082a 100644
--- a/python/semanage/semanage-permissive.8
+++ b/python/semanage/semanage-permissive.8
@@ -5,12 +5,14 @@
.B semanage permissive [\-h] [\-n] [\-N] [\-S STORE] (\-\-add TYPE | \-\-delete TYPE | \-\-deleteall | \-\-extract | \-\-list)
.SH "DESCRIPTION"
-semanage is used to configure certain elements of SELinux policy without requiring modification to or recompilation from policy sources. semanage permissive adds or removes a SELinux Policy permissive module.
+semanage is used to configure certain elements of SELinux policy without requiring modification to or recompilation from policy sources.
+.B semanage permissive
+adds or removes a SELinux Policy permissive module. Please note that this command can make any domain permissive, but can only remove the permissive property from domains where it was added by semanage permissive ("semanage permissive -d" can only be used on types listed as "Customized Permissive Types" by "semanage permissive -l").
.SH "OPTIONS"
.TP
.I \-h, \-\-help
-show this help message and exit
+Show this help message and exit
.TP
.I \-a, \-\-add
Add a record of the specified object type
@@ -38,7 +40,7 @@ Select an alternate SELinux Policy Store to manage
.SH EXAMPLE
.nf
-List all permissive modules
+List all permissive domains ("Builtin Permissive Types" where set by the system policy, or a custom policy module)
# semanage permissive \-l
Make httpd_t (Web Server) a permissive domain
# semanage permissive \-a httpd_t
diff --git a/python/semanage/semanage-port.8 b/python/semanage/semanage-port.8
index 12ec14c2cb33..c6048660ca21 100644
--- a/python/semanage/semanage-port.8
+++ b/python/semanage/semanage-port.8
@@ -5,12 +5,14 @@
.B semanage port [\-h] [\-n] [\-N] [\-S STORE] [ \-\-add \-t TYPE \-p PROTOCOL \-r RANGE port_name | port_range | \-\-delete \-p PROTOCOL port_name | port_range | \-\-deleteall | \-\-extract | \-\-list [\-C] | \-\-modify \-t TYPE \-p PROTOCOL \-r RANGE port_name | port_range ]
.SH "DESCRIPTION"
-semanage is used to configure certain elements of SELinux policy without requiring modification to or recompilation from policy sources. semanage port controls the port number to port type definitions.
+semanage is used to configure certain elements of SELinux policy without requiring modification to or recompilation from policy sources.
+.B semanage port
+controls the port number to port type definitions.
.SH "OPTIONS"
.TP
.I \-h, \-\-help
-show this help message and exit
+Show this help message and exit
.TP
.I \-n, \-\-noheading
Do not print heading when listing the specified object type
@@ -55,9 +57,9 @@ Protocol for the specified port (tcp|udp|dccp|sctp) or internet protocol version
.nf
List all port definitions
# semanage port \-l
-Allow Apache to listen on tcp port 81
+Allow Apache to listen on tcp port 81 (i.e. assign tcp port 81 label http_port_t, which apache is allowed to listen on)
# semanage port \-a \-t http_port_t \-p tcp 81
-Allow sshd to listen on tcp port 8991
+Allow sshd to listen on tcp port 8991 (i.e. assign tcp port 8991 label ssh_port_t, which sshd is allowed to listen on)
# semanage port \-a \-t ssh_port_t \-p tcp 8991
.SH "SEE ALSO"
diff --git a/python/semanage/semanage-user.8 b/python/semanage/semanage-user.8
index 23fec698e042..50d50bea7af8 100644
--- a/python/semanage/semanage-user.8
+++ b/python/semanage/semanage-user.8
@@ -7,12 +7,14 @@
.SH "DESCRIPTION"
semanage is used to configure certain elements of
SELinux policy without requiring modification to or recompilation
-from policy sources. semanage user controls the mapping between an SELinux User and the roles and MLS/MCS levels.
+from policy sources.
+.B semanage user
+controls the mapping between an SELinux User and the roles and MLS/MCS levels.
.SH "OPTIONS"
.TP
.I \-h, \-\-help
-show this help message and exit
+Show this help message and exit
.TP
.I \-n, \-\-noheading
Do not print heading when listing the specified object type
@@ -59,7 +61,7 @@ List SELinux users
# semanage user \-l
Modify groups for staff_u user
# semanage user \-m \-R "system_r unconfined_r staff_r" staff_u
-Add level for TopSecret Users
+Assign user topsecret_u role staff_r and range s0\-TopSecret
# semanage user \-a \-R "staff_r" \-rs0\-TopSecret topsecret_u
.SH "SEE ALSO"
--
2.41.0

53
SOURCES/0011-sepolicy-Another-small-optimization-for-mcs-types.patch
Unescape View File

@ -0,0 +1,53 @@
From e54db76a3bff8e911ddd7c7ce834c024d634d9e1 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Tue, 28 Feb 2017 21:29:46 +0100
Subject: [PATCH] sepolicy: Another small optimization for mcs types
---
python/sepolicy/sepolicy/manpage.py | 16 +++++++++++-----
1 file changed, 11 insertions(+), 5 deletions(-)
diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
index f8a94fc0..67d39301 100755
--- a/python/sepolicy/sepolicy/manpage.py
+++ b/python/sepolicy/sepolicy/manpage.py
@@ -142,6 +142,15 @@ def _gen_entry_types():
entry_types = next(sepolicy.info(sepolicy.ATTRIBUTE, "entry_type"))["types"]
return entry_types
+mcs_constrained_types = None
+
+def _gen_mcs_constrained_types():
+ global mcs_constrained_types
+ if mcs_constrained_types is None:
+ mcs_constrained_types = next(sepolicy.info(sepolicy.ATTRIBUTE, "mcs_constrained_type"))
+ return mcs_constrained_types
+
+
types = None
def _gen_types():
@@ -390,6 +399,7 @@ class ManPage:
self.types = _gen_types()
self.exec_types = _gen_exec_types()
self.entry_types = _gen_entry_types()
+ self.mcs_constrained_types = _gen_mcs_constrained_types()
if self.source_files:
self.fcpath = self.root + "file_contexts"
@@ -944,11 +954,7 @@ All executeables with the default executable label, usually stored in /usr/bin a
%s""" % ", ".join(paths))
def _mcs_types(self):
- try:
- mcs_constrained_type = next(sepolicy.info(sepolicy.ATTRIBUTE, "mcs_constrained_type"))
- except StopIteration:
- return
- if self.type not in mcs_constrained_type['types']:
+ if self.type not in self.mcs_constrained_types['types']:
return
self.fd.write ("""
.SH "MCS Constrained"
--
2.21.0

515
SOURCES/0012-Move-po-translation-files-into-the-right-sub-directo.patch
Unescape View File

@ -0,0 +1,515 @@
From 4015e9299bfda622e9d407cdbcc536000688aa8f Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Mon, 6 Aug 2018 13:23:00 +0200
Subject: [PATCH] Move po/ translation files into the right sub-directories
When policycoreutils was split into policycoreutils/ python/ gui/ and sandbox/
sub-directories, po/ translation files stayed in policycoreutils/.
This commit split original policycoreutils/po directory into
policycoreutils/po
python/po
gui/po
sandbox/po
See https://github.com/fedora-selinux/selinux/issues/43
---
gui/Makefile | 3 ++
gui/po/Makefile | 82 ++++++++++++++++++++++++++++++++++++
gui/po/POTFILES | 17 ++++++++
policycoreutils/po/Makefile | 70 ++-----------------------------
policycoreutils/po/POTFILES | 9 ++++
python/Makefile | 2 +-
python/po/Makefile | 83 +++++++++++++++++++++++++++++++++++++
python/po/POTFILES | 10 +++++
sandbox/Makefile | 2 +
sandbox/po/Makefile | 82 ++++++++++++++++++++++++++++++++++++
sandbox/po/POTFILES | 1 +
11 files changed, 293 insertions(+), 68 deletions(-)
create mode 100644 gui/po/Makefile
create mode 100644 gui/po/POTFILES
create mode 100644 policycoreutils/po/POTFILES
create mode 100644 python/po/Makefile
create mode 100644 python/po/POTFILES
create mode 100644 sandbox/po/Makefile
create mode 100644 sandbox/po/POTFILES
diff --git a/gui/Makefile b/gui/Makefile
index ca965c94..5a5bf6dc 100644
--- a/gui/Makefile
+++ b/gui/Makefile
@@ -22,6 +22,7 @@ system-config-selinux.ui \
usersPage.py
all: $(TARGETS) system-config-selinux.py polgengui.py
+ (cd po && $(MAKE) $@)
install: all
-mkdir -p $(DESTDIR)$(MANDIR)/man8
@@ -54,6 +55,8 @@ install: all
install -m 644 sepolicy_$${i}.png $(DESTDIR)$(DATADIR)/icons/hicolor/$${i}x$${i}/apps/sepolicy.png; \
done
install -m 644 org.selinux.config.policy $(DESTDIR)$(DATADIR)/polkit-1/actions/
+ (cd po && $(MAKE) $@)
+
clean:
indent:
diff --git a/gui/po/Makefile b/gui/po/Makefile
new file mode 100644
index 00000000..a0f5439f
--- /dev/null
+++ b/gui/po/Makefile
@@ -0,0 +1,82 @@
+#
+# Makefile for the PO files (translation) catalog
+#
+
+PREFIX ?= /usr
+
+# What is this package?
+NLSPACKAGE = gui
+POTFILE = $(NLSPACKAGE).pot
+INSTALL = /usr/bin/install -c -p
+INSTALL_DATA = $(INSTALL) -m 644
+INSTALL_DIR = /usr/bin/install -d
+
+# destination directory
+INSTALL_NLS_DIR = $(PREFIX)/share/locale
+
+# PO catalog handling
+MSGMERGE = msgmerge
+MSGMERGE_FLAGS = -q
+XGETTEXT = xgettext --default-domain=$(NLSPACKAGE)
+MSGFMT = msgfmt
+
+# All possible linguas
+PO_LINGUAS := $(sort $(patsubst %.po,%,$(wildcard *.po)))
+
+# Only the files matching what the user has set in LINGUAS
+USER_LINGUAS := $(filter $(patsubst %,%%,$(LINGUAS)),$(PO_LINGUAS))
+
+# if no valid LINGUAS, build all languages
+USE_LINGUAS := $(if $(USER_LINGUAS),$(USER_LINGUAS),$(PO_LINGUAS))
+
+POFILES = $(patsubst %,%.po,$(USE_LINGUAS))
+MOFILES = $(patsubst %.po,%.mo,$(POFILES))
+POTFILES = $(shell cat POTFILES)
+
+#default:: clean
+
+all:: $(MOFILES)
+
+$(POTFILE): $(POTFILES)
+ $(XGETTEXT) --keyword=_ --keyword=N_ $(POTFILES)
+ @if cmp -s $(NLSPACKAGE).po $(POTFILE); then \
+ rm -f $(NLSPACKAGE).po; \
+ else \
+ mv -f $(NLSPACKAGE).po $(POTFILE); \
+ fi; \
+
+
+refresh-po: Makefile
+ for cat in $(POFILES); do \
+ lang=`basename $$cat .po`; \
+ if $(MSGMERGE) $(MSGMERGE_FLAGS) $$lang.po $(POTFILE) > $$lang.pot ; then \
+ mv -f $$lang.pot $$lang.po ; \
+ echo "$(MSGMERGE) of $$lang succeeded" ; \
+ else \
+ echo "$(MSGMERGE) of $$lang failed" ; \
+ rm -f $$lang.pot ; \
+ fi \
+ done
+
+clean:
+ @rm -fv *mo *~ .depend
+ @rm -rf tmp
+
+install: $(MOFILES)
+ @for n in $(MOFILES); do \
+ l=`basename $$n .mo`; \
+ $(INSTALL_DIR) $(DESTDIR)$(INSTALL_NLS_DIR)/$$l/LC_MESSAGES; \
+ $(INSTALL_DATA) --verbose $$n $(DESTDIR)$(INSTALL_NLS_DIR)/$$l/LC_MESSAGES/selinux-$(NLSPACKAGE).mo; \
+ done
+
+%.mo: %.po
+ $(MSGFMT) -o $@ $<
+report:
+ @for cat in $(wildcard *.po); do \
+ echo -n "$$cat: "; \
+ msgfmt -v --statistics -o /dev/null $$cat; \
+ done
+
+.PHONY: missing depend
+
+relabel:
diff --git a/gui/po/POTFILES b/gui/po/POTFILES
new file mode 100644
index 00000000..1795c5c1
--- /dev/null
+++ b/gui/po/POTFILES
@@ -0,0 +1,17 @@
+../booleansPage.py
+../domainsPage.py
+../fcontextPage.py
+../loginsPage.py
+../modulesPage.py
+../org.selinux.config.policy
+../polgengui.py
+../polgen.ui
+../portsPage.py
+../selinux-polgengui.desktop
+../semanagePage.py
+../sepolicy.desktop
+../statusPage.py
+../system-config-selinux.desktop
+../system-config-selinux.py
+../system-config-selinux.ui
+../usersPage.py
diff --git a/policycoreutils/po/Makefile b/policycoreutils/po/Makefile
index 575e1431..18bc1dff 100644
--- a/policycoreutils/po/Makefile
+++ b/policycoreutils/po/Makefile
@@ -3,7 +3,6 @@
#
PREFIX ?= /usr
-TOP = ../..
# What is this package?
NLSPACKAGE = policycoreutils
@@ -32,74 +31,13 @@ USE_LINGUAS := $(if $(USER_LINGUAS),$(USER_LINGUAS),$(PO_LINGUAS))
POFILES = $(patsubst %,%.po,$(USE_LINGUAS))
MOFILES = $(patsubst %.po,%.mo,$(POFILES))
-POTFILES = \
- ../run_init/open_init_pty.c \
- ../run_init/run_init.c \
- ../semodule_link/semodule_link.c \
- ../audit2allow/audit2allow \
- ../semanage/seobject.py \
- ../setsebool/setsebool.c \
- ../newrole/newrole.c \
- ../load_policy/load_policy.c \
- ../sestatus/sestatus.c \
- ../semodule/semodule.c \
- ../setfiles/setfiles.c \
- ../semodule_package/semodule_package.c \
- ../semodule_deps/semodule_deps.c \
- ../semodule_expand/semodule_expand.c \
- ../scripts/chcat \
- ../scripts/fixfiles \
- ../restorecond/stringslist.c \
- ../restorecond/restorecond.h \
- ../restorecond/utmpwatcher.h \
- ../restorecond/stringslist.h \
- ../restorecond/restorecond.c \
- ../restorecond/utmpwatcher.c \
- ../gui/booleansPage.py \
- ../gui/fcontextPage.py \
- ../gui/loginsPage.py \
- ../gui/mappingsPage.py \
- ../gui/modulesPage.py \
- ../gui/polgen.glade \
- ../gui/polgengui.py \
- ../gui/portsPage.py \
- ../gui/semanagePage.py \
- ../gui/statusPage.py \
- ../gui/system-config-selinux.glade \
- ../gui/system-config-selinux.py \
- ../gui/usersPage.py \
- ../secon/secon.c \
- booleans.py \
- ../sepolicy/sepolicy.py \
- ../sepolicy/sepolicy/communicate.py \
- ../sepolicy/sepolicy/__init__.py \
- ../sepolicy/sepolicy/network.py \
- ../sepolicy/sepolicy/generate.py \
- ../sepolicy/sepolicy/sepolicy.glade \
- ../sepolicy/sepolicy/gui.py \
- ../sepolicy/sepolicy/manpage.py \
- ../sepolicy/sepolicy/transition.py \
- ../sepolicy/sepolicy/templates/executable.py \
- ../sepolicy/sepolicy/templates/__init__.py \
- ../sepolicy/sepolicy/templates/network.py \
- ../sepolicy/sepolicy/templates/rw.py \
- ../sepolicy/sepolicy/templates/script.py \
- ../sepolicy/sepolicy/templates/semodule.py \
- ../sepolicy/sepolicy/templates/tmp.py \
- ../sepolicy/sepolicy/templates/user.py \
- ../sepolicy/sepolicy/templates/var_lib.py \
- ../sepolicy/sepolicy/templates/var_log.py \
- ../sepolicy/sepolicy/templates/var_run.py \
- ../sepolicy/sepolicy/templates/var_spool.py
+POTFILES = $(shell cat POTFILES)
#default:: clean
-all:: $(MOFILES)
+all:: $(POTFILE) $(MOFILES)
-booleans.py:
- sepolicy booleans -a > booleans.py
-
-$(POTFILE): $(POTFILES) booleans.py
+$(POTFILE): $(POTFILES)
$(XGETTEXT) --keyword=_ --keyword=N_ $(POTFILES)
@if cmp -s $(NLSPACKAGE).po $(POTFILE); then \
rm -f $(NLSPACKAGE).po; \
@@ -107,8 +45,6 @@ $(POTFILE): $(POTFILES) booleans.py
mv -f $(NLSPACKAGE).po $(POTFILE); \
fi; \
-update-po: Makefile $(POTFILE) refresh-po
- @rm -f booleans.py
refresh-po: Makefile
for cat in $(POFILES); do \
diff --git a/policycoreutils/po/POTFILES b/policycoreutils/po/POTFILES
new file mode 100644
index 00000000..12237dc6
--- /dev/null
+++ b/policycoreutils/po/POTFILES
@@ -0,0 +1,9 @@
+../run_init/open_init_pty.c
+../run_init/run_init.c
+../setsebool/setsebool.c
+../newrole/newrole.c
+../load_policy/load_policy.c
+../sestatus/sestatus.c
+../semodule/semodule.c
+../setfiles/setfiles.c
+../secon/secon.c
diff --git a/python/Makefile b/python/Makefile
index 9b66d52f..00312dbd 100644
--- a/python/Makefile
+++ b/python/Makefile
@@ -1,4 +1,4 @@
-SUBDIRS = sepolicy audit2allow semanage sepolgen chcat
+SUBDIRS = sepolicy audit2allow semanage sepolgen chcat po
all install relabel clean indent test:
@for subdir in $(SUBDIRS); do \
diff --git a/python/po/Makefile b/python/po/Makefile
new file mode 100644
index 00000000..4e052d5a
--- /dev/null
+++ b/python/po/Makefile
@@ -0,0 +1,83 @@
+#
+# Makefile for the PO files (translation) catalog
+#
+
+PREFIX ?= /usr
+
+# What is this package?
+NLSPACKAGE = python
+POTFILE = $(NLSPACKAGE).pot
+INSTALL = /usr/bin/install -c -p
+INSTALL_DATA = $(INSTALL) -m 644
+INSTALL_DIR = /usr/bin/install -d
+
+# destination directory
+INSTALL_NLS_DIR = $(PREFIX)/share/locale
+
+# PO catalog handling
+MSGMERGE = msgmerge
+MSGMERGE_FLAGS = -q
+XGETTEXT = xgettext --default-domain=$(NLSPACKAGE)
+MSGFMT = msgfmt
+
+# All possible linguas
+PO_LINGUAS := $(sort $(patsubst %.po,%,$(wildcard *.po)))
+
+# Only the files matching what the user has set in LINGUAS
+USER_LINGUAS := $(filter $(patsubst %,%%,$(LINGUAS)),$(PO_LINGUAS))
+
+# if no valid LINGUAS, build all languages
+USE_LINGUAS := $(if $(USER_LINGUAS),$(USER_LINGUAS),$(PO_LINGUAS))
+
+POFILES = $(patsubst %,%.po,$(USE_LINGUAS))
+MOFILES = $(patsubst %.po,%.mo,$(POFILES))
+POTFILES = $(shell cat POTFILES)
+
+#default:: clean
+
+all:: $(MOFILES)
+
+$(POTFILE): $(POTFILES)
+ $(XGETTEXT) -L Python --keyword=_ --keyword=N_ $(POTFILES)
+ $(XGETTEXT) -j --keyword=_ --keyword=N_ ../sepolicy/sepolicy/sepolicy.glade
+ @if cmp -s $(NLSPACKAGE).po $(POTFILE); then \
+ rm -f $(NLSPACKAGE).po; \
+ else \
+ mv -f $(NLSPACKAGE).po $(POTFILE); \
+ fi; \
+
+
+refresh-po: Makefile
+ for cat in $(POFILES); do \
+ lang=`basename $$cat .po`; \
+ if $(MSGMERGE) $(MSGMERGE_FLAGS) $$lang.po $(POTFILE) > $$lang.pot ; then \
+ mv -f $$lang.pot $$lang.po ; \
+ echo "$(MSGMERGE) of $$lang succeeded" ; \
+ else \
+ echo "$(MSGMERGE) of $$lang failed" ; \
+ rm -f $$lang.pot ; \
+ fi \
+ done
+
+clean:
+ @rm -fv *mo *~ .depend
+ @rm -rf tmp
+
+install: $(MOFILES)
+ @for n in $(MOFILES); do \
+ l=`basename $$n .mo`; \
+ $(INSTALL_DIR) $(DESTDIR)$(INSTALL_NLS_DIR)/$$l/LC_MESSAGES; \
+ $(INSTALL_DATA) --verbose $$n $(DESTDIR)$(INSTALL_NLS_DIR)/$$l/LC_MESSAGES/selinux-$(NLSPACKAGE).mo; \
+ done
+
+%.mo: %.po
+ $(MSGFMT) -o $@ $<
+report:
+ @for cat in $(wildcard *.po); do \
+ echo -n "$$cat: "; \
+ msgfmt -v --statistics -o /dev/null $$cat; \
+ done
+
+.PHONY: missing depend
+
+relabel:
diff --git a/python/po/POTFILES b/python/po/POTFILES
new file mode 100644
index 00000000..128eb870
--- /dev/null
+++ b/python/po/POTFILES
@@ -0,0 +1,10 @@
+../audit2allow/audit2allow
+../chcat/chcat
+../semanage/semanage
+../semanage/seobject.py
+../sepolgen/src/sepolgen/interfaces.py
+../sepolicy/sepolicy/generate.py
+../sepolicy/sepolicy/gui.py
+../sepolicy/sepolicy/__init__.py
+../sepolicy/sepolicy/interface.py
+../sepolicy/sepolicy.py
diff --git a/sandbox/Makefile b/sandbox/Makefile
index 9da5e58d..b817824e 100644
--- a/sandbox/Makefile
+++ b/sandbox/Makefile
@@ -13,6 +13,7 @@ override LDLIBS += -lselinux -lcap-ng
SEUNSHARE_OBJS = seunshare.o
all: sandbox seunshare sandboxX.sh start
+ (cd po && $(MAKE) $@)
seunshare: $(SEUNSHARE_OBJS)
@@ -39,6 +40,7 @@ install: all
install -m 755 start $(DESTDIR)$(SHAREDIR)
-mkdir -p $(DESTDIR)$(SYSCONFDIR)
install -m 644 sandbox.conf $(DESTDIR)$(SYSCONFDIR)/sandbox
+ (cd po && $(MAKE) $@)
test:
@$(PYTHON) test_sandbox.py -v
diff --git a/sandbox/po/Makefile b/sandbox/po/Makefile
new file mode 100644
index 00000000..0556bbe9
--- /dev/null
+++ b/sandbox/po/Makefile
@@ -0,0 +1,82 @@
+#
+# Makefile for the PO files (translation) catalog
+#
+
+PREFIX ?= /usr
+
+# What is this package?
+NLSPACKAGE = sandbox
+POTFILE = $(NLSPACKAGE).pot
+INSTALL = /usr/bin/install -c -p
+INSTALL_DATA = $(INSTALL) -m 644
+INSTALL_DIR = /usr/bin/install -d
+
+# destination directory
+INSTALL_NLS_DIR = $(PREFIX)/share/locale
+
+# PO catalog handling
+MSGMERGE = msgmerge
+MSGMERGE_FLAGS = -q
+XGETTEXT = xgettext -L Python --default-domain=$(NLSPACKAGE)
+MSGFMT = msgfmt
+
+# All possible linguas
+PO_LINGUAS := $(sort $(patsubst %.po,%,$(wildcard *.po)))
+
+# Only the files matching what the user has set in LINGUAS
+USER_LINGUAS := $(filter $(patsubst %,%%,$(LINGUAS)),$(PO_LINGUAS))
+
+# if no valid LINGUAS, build all languages
+USE_LINGUAS := $(if $(USER_LINGUAS),$(USER_LINGUAS),$(PO_LINGUAS))
+
+POFILES = $(patsubst %,%.po,$(USE_LINGUAS))
+MOFILES = $(patsubst %.po,%.mo,$(POFILES))
+POTFILES = $(shell cat POTFILES)
+
+#default:: clean
+
+all:: $(POTFILE) $(MOFILES)
+
+$(POTFILE): $(POTFILES)
+ $(XGETTEXT) --keyword=_ --keyword=N_ $(POTFILES)
+ @if cmp -s $(NLSPACKAGE).po $(POTFILE); then \
+ rm -f $(NLSPACKAGE).po; \
+ else \
+ mv -f $(NLSPACKAGE).po $(POTFILE); \
+ fi; \
+
+
+refresh-po: Makefile
+ for cat in $(POFILES); do \
+ lang=`basename $$cat .po`; \
+ if $(MSGMERGE) $(MSGMERGE_FLAGS) $$lang.po $(POTFILE) > $$lang.pot ; then \
+ mv -f $$lang.pot $$lang.po ; \
+ echo "$(MSGMERGE) of $$lang succeeded" ; \
+ else \
+ echo "$(MSGMERGE) of $$lang failed" ; \
+ rm -f $$lang.pot ; \
+ fi \
+ done
+
+clean:
+ @rm -fv *mo *~ .depend
+ @rm -rf tmp
+
+install: $(MOFILES)
+ @for n in $(MOFILES); do \
+ l=`basename $$n .mo`; \
+ $(INSTALL_DIR) $(DESTDIR)$(INSTALL_NLS_DIR)/$$l/LC_MESSAGES; \
+ $(INSTALL_DATA) --verbose $$n $(DESTDIR)$(INSTALL_NLS_DIR)/$$l/LC_MESSAGES/selinux-$(NLSPACKAGE).mo; \
+ done
+
+%.mo: %.po
+ $(MSGFMT) -o $@ $<
+report:
+ @for cat in $(wildcard *.po); do \
+ echo -n "$$cat: "; \
+ msgfmt -v --statistics -o /dev/null $$cat; \
+ done
+
+.PHONY: missing depend
+
+relabel:
diff --git a/sandbox/po/POTFILES b/sandbox/po/POTFILES
new file mode 100644
index 00000000..deff3f2f
--- /dev/null
+++ b/sandbox/po/POTFILES
@@ -0,0 +1 @@
+../sandbox
--
2.21.0

30
SOURCES/0012-python-audit2allow-Remove-unused-debug-option.patch
Unescape View File

@ -1,30 +0,0 @@
From 52da97653bd64bcc603ab7e0b5c08cb687b833ab Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com>
Date: Thu, 4 May 2023 14:04:50 +0200
Subject: [PATCH] python/audit2allow: Remove unused "debug" option
Content-type: text/plain
The option is not referenced anywhere in the code and I couldn't figure
out its purpose from the description.
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
---
python/audit2allow/audit2allow | 2 --
1 file changed, 2 deletions(-)
diff --git a/python/audit2allow/audit2allow b/python/audit2allow/audit2allow
index eafeea88aa21..5587a2dbb006 100644
--- a/python/audit2allow/audit2allow
+++ b/python/audit2allow/audit2allow
@@ -88,8 +88,6 @@ class AuditToPolicy:
parser.add_option("--interface-info", dest="interface_info", help="file name of interface information")
parser.add_option("-x", "--xperms", action="store_true", dest="xperms",
default=False, help="generate extended permission rules")
- parser.add_option("--debug", dest="debug", action="store_true", default=False,
- help="leave generated modules for -M")
parser.add_option("-w", "--why", dest="audit2why", action="store_true", default=(os.path.basename(sys.argv[0]) == "audit2why"),
help="Translates SELinux audit messages into a description of why the access was denied")
--
2.41.0

306
SOURCES/0013-Use-correct-gettext-domains-in-python-gui-sandbox.patch
Unescape View File

@ -0,0 +1,306 @@
From 57cd23e11e1a700802a5955e84a0a7e04c30ec73 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Mon, 6 Aug 2018 13:37:07 +0200
Subject: [PATCH] Use correct gettext domains in python/ gui/ sandbox/
https://github.com/fedora-selinux/selinux/issues/43
---
gui/booleansPage.py | 2 +-
gui/domainsPage.py | 2 +-
gui/fcontextPage.py | 2 +-
gui/loginsPage.py | 2 +-
gui/modulesPage.py | 2 +-
gui/polgengui.py | 2 +-
gui/portsPage.py | 2 +-
gui/semanagePage.py | 2 +-
gui/statusPage.py | 2 +-
gui/system-config-selinux.py | 2 +-
gui/usersPage.py | 2 +-
python/chcat/chcat | 2 +-
python/semanage/semanage | 2 +-
python/semanage/seobject.py | 2 +-
python/sepolgen/src/sepolgen/sepolgeni18n.py | 2 +-
python/sepolicy/sepolicy.py | 2 +-
python/sepolicy/sepolicy/__init__.py | 2 +-
python/sepolicy/sepolicy/generate.py | 2 +-
python/sepolicy/sepolicy/gui.py | 2 +-
python/sepolicy/sepolicy/interface.py | 2 +-
sandbox/sandbox | 2 +-
21 files changed, 21 insertions(+), 21 deletions(-)
diff --git a/gui/booleansPage.py b/gui/booleansPage.py
index 7849bea2..dd12b6d6 100644
--- a/gui/booleansPage.py
+++ b/gui/booleansPage.py
@@ -38,7 +38,7 @@ DISABLED = 2
##
## I18N
##
-PROGNAME = "policycoreutils"
+PROGNAME = "selinux-gui"
try:
import gettext
kwargs = {}
diff --git a/gui/domainsPage.py b/gui/domainsPage.py
index bad5140d..6bbe4de5 100644
--- a/gui/domainsPage.py
+++ b/gui/domainsPage.py
@@ -30,7 +30,7 @@ from semanagePage import *
##
## I18N
##
-PROGNAME = "policycoreutils"
+PROGNAME = "selinux-gui"
try:
import gettext
kwargs = {}
diff --git a/gui/fcontextPage.py b/gui/fcontextPage.py
index 370bbee4..e424366d 100644
--- a/gui/fcontextPage.py
+++ b/gui/fcontextPage.py
@@ -47,7 +47,7 @@ class context:
##
## I18N
##
-PROGNAME = "policycoreutils"
+PROGNAME = "selinux-gui"
try:
import gettext
kwargs = {}
diff --git a/gui/loginsPage.py b/gui/loginsPage.py
index b67eb8bc..cbfb0cc2 100644
--- a/gui/loginsPage.py
+++ b/gui/loginsPage.py
@@ -29,7 +29,7 @@ from semanagePage import *
##
## I18N
##
-PROGNAME = "policycoreutils"
+PROGNAME = "selinux-gui"
try:
import gettext
kwargs = {}
diff --git a/gui/modulesPage.py b/gui/modulesPage.py
index cb856b2d..26ac5404 100644
--- a/gui/modulesPage.py
+++ b/gui/modulesPage.py
@@ -30,7 +30,7 @@ from semanagePage import *
##
## I18N
##
-PROGNAME = "policycoreutils"
+PROGNAME = "selinux-gui"
try:
import gettext
kwargs = {}
diff --git a/gui/polgengui.py b/gui/polgengui.py
index b1cc9937..46a1bd2c 100644
--- a/gui/polgengui.py
+++ b/gui/polgengui.py
@@ -63,7 +63,7 @@ def get_all_modules():
##
## I18N
##
-PROGNAME = "policycoreutils"
+PROGNAME = "selinux-gui"
try:
import gettext
kwargs = {}
diff --git a/gui/portsPage.py b/gui/portsPage.py
index 30f58383..a537ecc8 100644
--- a/gui/portsPage.py
+++ b/gui/portsPage.py
@@ -35,7 +35,7 @@ from semanagePage import *
##
## I18N
##
-PROGNAME = "policycoreutils"
+PROGNAME = "selinux-gui"
try:
import gettext
kwargs = {}
diff --git a/gui/semanagePage.py b/gui/semanagePage.py
index 4127804f..5361d69c 100644
--- a/gui/semanagePage.py
+++ b/gui/semanagePage.py
@@ -22,7 +22,7 @@ from gi.repository import Gdk, Gtk
##
## I18N
##
-PROGNAME = "policycoreutils"
+PROGNAME = "selinux-gui"
try:
import gettext
kwargs = {}
diff --git a/gui/statusPage.py b/gui/statusPage.py
index 766854b1..a8f079b9 100644
--- a/gui/statusPage.py
+++ b/gui/statusPage.py
@@ -35,7 +35,7 @@ RELABELFILE = "/.autorelabel"
##
## I18N
##
-PROGNAME = "policycoreutils"
+PROGNAME = "selinux-gui"
try:
import gettext
kwargs = {}
diff --git a/gui/system-config-selinux.py b/gui/system-config-selinux.py
index c42301b6..1e0d5eb1 100644
--- a/gui/system-config-selinux.py
+++ b/gui/system-config-selinux.py
@@ -45,7 +45,7 @@ import selinux
##
## I18N
##
-PROGNAME = "policycoreutils"
+PROGNAME = "selinux-gui"
try:
import gettext
kwargs = {}
diff --git a/gui/usersPage.py b/gui/usersPage.py
index 26794ed5..d15d4c5a 100644
--- a/gui/usersPage.py
+++ b/gui/usersPage.py
@@ -29,7 +29,7 @@ from semanagePage import *
##
## I18N
##
-PROGNAME = "policycoreutils"
+PROGNAME = "selinux-gui"
try:
import gettext
kwargs = {}
diff --git a/python/chcat/chcat b/python/chcat/chcat
index ba398684..df2509f2 100755
--- a/python/chcat/chcat
+++ b/python/chcat/chcat
@@ -30,7 +30,7 @@ import getopt
import selinux
import seobject
-PROGNAME = "policycoreutils"
+PROGNAME = "selinux-python"
try:
import gettext
kwargs = {}
diff --git a/python/semanage/semanage b/python/semanage/semanage
index 144cc000..56db3e0d 100644
--- a/python/semanage/semanage
+++ b/python/semanage/semanage
@@ -27,7 +27,7 @@ import traceback
import argparse
import seobject
import sys
-PROGNAME = "policycoreutils"
+PROGNAME = "selinux-python"
try:
import gettext
kwargs = {}
diff --git a/python/semanage/seobject.py b/python/semanage/seobject.py
index 13fdf531..b90b1070 100644
--- a/python/semanage/seobject.py
+++ b/python/semanage/seobject.py
@@ -29,7 +29,7 @@ import sys
import stat
import socket
from semanage import *
-PROGNAME = "policycoreutils"
+PROGNAME = "selinux-python"
import sepolicy
import setools
from IPy import IP
diff --git a/python/sepolgen/src/sepolgen/sepolgeni18n.py b/python/sepolgen/src/sepolgen/sepolgeni18n.py
index 998c4356..56ebd807 100644
--- a/python/sepolgen/src/sepolgen/sepolgeni18n.py
+++ b/python/sepolgen/src/sepolgen/sepolgeni18n.py
@@ -19,7 +19,7 @@
try:
import gettext
- t = gettext.translation( 'yumex' )
+ t = gettext.translation( 'selinux-python' )
_ = t.gettext
except:
def _(str):
diff --git a/python/sepolicy/sepolicy.py b/python/sepolicy/sepolicy.py
index 1934cd86..8bd6a579 100755
--- a/python/sepolicy/sepolicy.py
+++ b/python/sepolicy/sepolicy.py
@@ -27,7 +27,7 @@ import selinux
import sepolicy
from sepolicy import get_os_version, get_conditionals, get_conditionals_format_text
import argparse
-PROGNAME = "policycoreutils"
+PROGNAME = "selinux-python"
try:
import gettext
kwargs = {}
diff --git a/python/sepolicy/sepolicy/__init__.py b/python/sepolicy/sepolicy/__init__.py
index 0c66f4d5..b6ca57c3 100644
--- a/python/sepolicy/sepolicy/__init__.py
+++ b/python/sepolicy/sepolicy/__init__.py
@@ -13,7 +13,7 @@ import os
import re
import gzip
-PROGNAME = "policycoreutils"
+PROGNAME = "selinux-python"
try:
import gettext
kwargs = {}
diff --git a/python/sepolicy/sepolicy/generate.py b/python/sepolicy/sepolicy/generate.py
index 019e7836..7175d36b 100644
--- a/python/sepolicy/sepolicy/generate.py
+++ b/python/sepolicy/sepolicy/generate.py
@@ -49,7 +49,7 @@ import sepolgen.defaults as defaults
##
## I18N
##
-PROGNAME = "policycoreutils"
+PROGNAME = "selinux-python"
try:
import gettext
kwargs = {}
diff --git a/python/sepolicy/sepolicy/gui.py b/python/sepolicy/sepolicy/gui.py
index 00fd7a11..805cee67 100644
--- a/python/sepolicy/sepolicy/gui.py
+++ b/python/sepolicy/sepolicy/gui.py
@@ -41,7 +41,7 @@ import os
import re
import unicodedata
-PROGNAME = "policycoreutils"
+PROGNAME = "selinux-python"
try:
import gettext
kwargs = {}
diff --git a/python/sepolicy/sepolicy/interface.py b/python/sepolicy/sepolicy/interface.py
index 583091ae..e2b8d23b 100644
--- a/python/sepolicy/sepolicy/interface.py
+++ b/python/sepolicy/sepolicy/interface.py
@@ -30,7 +30,7 @@ __all__ = ['get_all_interfaces', 'get_interfaces_from_xml', 'get_admin', 'get_us
##
## I18N
##
-PROGNAME = "policycoreutils"
+PROGNAME = "selinux-python"
try:
import gettext
kwargs = {}
diff --git a/sandbox/sandbox b/sandbox/sandbox
index 1dec07ac..a12403b3 100644
--- a/sandbox/sandbox
+++ b/sandbox/sandbox
@@ -37,7 +37,7 @@ import sepolicy
SEUNSHARE = "/usr/sbin/seunshare"
SANDBOXSH = "/usr/share/sandbox/sandboxX.sh"
-PROGNAME = "policycoreutils"
+PROGNAME = "selinux-sandbox"
try:
import gettext
kwargs = {}
--
2.21.0

309
SOURCES/0013-policycoreutils-Add-examples-to-man-pages.patch
Unescape View File

@ -1,309 +0,0 @@
From b580a630378623df1c87c5fab1ffd63a41b3501e Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com>
Date: Thu, 1 Jun 2023 16:39:11 +0200
Subject: [PATCH] policycoreutils: Add examples to man pages
Content-type: text/plain
While at it, remove trailing whitespaces.
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Acked-by: Petr Lautrbach <lautrbach@redhat.com>
---
policycoreutils/scripts/fixfiles.8 | 34 +++++++++++++--------
policycoreutils/secon/secon.1 | 12 ++++++--
policycoreutils/semodule/semodule.8 | 14 ++++-----
policycoreutils/setfiles/restorecon.8 | 9 ++++++
policycoreutils/setfiles/restorecon_xattr.8 | 7 +++++
policycoreutils/setfiles/setfiles.8 | 9 ++++++
policycoreutils/setsebool/setsebool.8 | 16 +++++++---
7 files changed, 74 insertions(+), 27 deletions(-)
diff --git a/policycoreutils/scripts/fixfiles.8 b/policycoreutils/scripts/fixfiles.8
index 9a317d9181e2..928b82004b1a 100644
--- a/policycoreutils/scripts/fixfiles.8
+++ b/policycoreutils/scripts/fixfiles.8
@@ -14,7 +14,7 @@ fixfiles \- fix file SELinux security contexts.
.B fixfiles
.I [\-v] [\-F] [\-B | \-N time ] [\-T nthreads] { check | restore | verify }
-.B fixfiles
+.B fixfiles
.I [\-v] [\-F] [\-T nthreads] \-R rpmpackagename[,rpmpackagename...] { check | restore | verify }
.B fixfiles
@@ -31,7 +31,7 @@ This manual page describes the
script.
.P
This script is primarily used to correct the security context
-database (extended attributes) on filesystems.
+database (extended attributes) on filesystems.
.P
It can also be run at any time to relabel when adding support for
new policy, or just check whether the file contexts are all
@@ -41,29 +41,29 @@ option. You can use the \-R flag to use rpmpackages as an alternative.
The file /etc/selinux/fixfiles_exclude_dirs can contain a list of directories
excluded from relabeling.
.P
-.B fixfiles onboot
+.B fixfiles onboot
will setup the machine to relabel on the next reboot.
.SH "OPTIONS"
-.TP
+.TP
.B \-B
If specified with onboot, this fixfiles will record the current date in the /.autorelabel file, so that it can be used later to speed up labeling. If used with restore, the restore will only affect files that were modified today.
.TP
.B \-F
Force reset of context to match file_context for customizable files
-.TP
+.TP
.B \-f
Clear /tmp directory with out prompt for removal.
-.TP
+.TP
.B \-R rpmpackagename[,rpmpackagename...]
Use the rpm database to discover all files within the specified packages and restore the file contexts.
.TP
.B \-C PREVIOUS_FILECONTEXT
Run a diff on the PREVIOUS_FILECONTEXT file to the currently installed one, and restore the context of all affected files.
-.TP
+.TP
.B \-N time
Only act on files created after the specified date. Date must be specified in
"YYYY\-MM\-DD HH:MM" format. Date field will be passed to find \-\-newermt command.
@@ -83,19 +83,28 @@ Use parallel relabeling, see
.SH "ARGUMENTS"
One of:
-.TP
+.TP
.B check | verify
print any incorrect file context labels, showing old and new context, but do not change them.
-.TP
+.TP
.B restore
change any incorrect file context labels.
-.TP
+.TP
.B relabel
Prompt for removal of contents of /tmp directory and then change any incorrect file context labels to match the install file_contexts file.
-.TP
-.B [[dir/file] ... ]
+.TP
+.B [[dir/file] ... ]
List of files or directories trees that you wish to check file context on.
+.SH EXAMPLE
+.nf
+Relabel the whole filesystem, except paths listed in /etc/selinux/fixfiles_exclude_dirs
+# fixfiles relabel
+Schedule the machine to relabel on the next boot and force relabeling of customizable types
+# fixfiles -F onboot
+Check labeling of all files from the samba package (while not changing any labels)
+# fixfiles -R samba check
+
.SH "AUTHOR"
This man page was written by Richard Hally <rhally@mindspring.com>.
The script was written by Dan Walsh <dwalsh@redhat.com>
@@ -103,4 +112,3 @@ The script was written by Dan Walsh <dwalsh@redhat.com>
.SH "SEE ALSO"
.BR setfiles (8),
.BR restorecon (8)
-
diff --git a/policycoreutils/secon/secon.1 b/policycoreutils/secon/secon.1
index 501b5cb8c410..c0e8b05a6b66 100644
--- a/policycoreutils/secon/secon.1
+++ b/policycoreutils/secon/secon.1
@@ -107,16 +107,24 @@ then the context will be read from stdin.
.br
If there is no argument,
.B secon
-will try reading a context from stdin, if that is not a tty, otherwise
+will try reading a context from stdin, if that is not a tty, otherwise
.B secon
will act as though \fB\-\-self\fR had been passed.
.PP
If none of \fB\-\-user\fR, \fB\-\-role\fR, \fB\-\-type\fR, \fB\-\-level\fR or
\fB\-\-mls\-range\fR is passed.
Then all of them will be output.
+
+.SH EXAMPLE
+.nf
+Show SElinux context of the init process
+# secon --pid 1
+Parse the type portion of given security context
+# secon -t system_u:object_r:httpd_sys_rw_content_t:s0
+
.PP
.SH SEE ALSO
.BR chcon (1)
.SH AUTHORS
.nf
-James Antill (james.antill@redhat.com)
+James Antill (james.antill@redhat.com)
diff --git a/policycoreutils/semodule/semodule.8 b/policycoreutils/semodule/semodule.8
index c56e580f27b8..01757b005e4a 100644
--- a/policycoreutils/semodule/semodule.8
+++ b/policycoreutils/semodule/semodule.8
@@ -1,5 +1,5 @@
.TH SEMODULE "8" "Nov 2005" "Security Enhanced Linux" NSA
-.SH NAME
+.SH NAME
semodule \- Manage SELinux policy modules.
.SH SYNOPSIS
@@ -8,7 +8,7 @@ semodule \- Manage SELinux policy modules.
.SH DESCRIPTION
.PP
semodule is the tool used to manage SELinux policy modules,
-including installing, upgrading, listing and removing modules.
+including installing, upgrading, listing and removing modules.
semodule may also be used to force a rebuild of policy from the
module store and/or to force a reload of policy without performing
any other transaction. semodule acts on module packages created
@@ -39,7 +39,7 @@ install/replace a module package
.B \-u,\-\-upgrade=MODULE_PKG
deprecated, alias for --install
.TP
-.B \-b,\-\-base=MODULE_PKG
+.B \-b,\-\-base=MODULE_PKG
deprecated, alias for --install
.TP
.B \-r,\-\-remove=MODULE_NAME
@@ -77,7 +77,7 @@ name of the store to operate on
.B \-n,\-\-noreload,\-N
do not reload policy after commit
.TP
-.B \-h,\-\-help
+.B \-h,\-\-help
prints help message and quit
.TP
.B \-P,\-\-preserve_tunables
@@ -92,7 +92,7 @@ Use an alternate path for the policy root
.B \-S,\-\-store-path
Use an alternate path for the policy store root
.TP
-.B \-v,\-\-verbose
+.B \-v,\-\-verbose
be verbose
.TP
.B \-c,\-\-cil
@@ -131,8 +131,6 @@ $ semodule \-B
$ semodule \-d alsa
# Install a module at a specific priority.
$ semodule \-X 100 \-i alsa.pp
-# List all modules.
-$ semodule \-\-list=full
# Set an alternate path for the policy root
$ semodule \-B \-p "/tmp"
# Set an alternate path for the policy store root
@@ -143,6 +141,8 @@ $ semodule \-X 400 \-\-hll \-E puppet \-\-cil \-E wireshark
# Check whether a module in "localmodule.pp" file is same as installed module "localmodule"
$ /usr/libexec/selinux/hll/pp localmodule.pp | sha256sum
$ semodule -l -m | grep localmodule
+# Translate binary module file into CIL (useful for debugging installation errors)
+$ /usr/libexec/selinux/hll/pp alsa.pp > alsa.cil
.fi
.SH SEE ALSO
diff --git a/policycoreutils/setfiles/restorecon.8 b/policycoreutils/setfiles/restorecon.8
index dbd55ce7c512..6160aced5922 100644
--- a/policycoreutils/setfiles/restorecon.8
+++ b/policycoreutils/setfiles/restorecon.8
@@ -224,6 +224,15 @@ and provided the
option is NOT set and recursive mode is set, files will be relabeled as
required with the digests then being updated provided there are no errors.
+.SH EXAMPLE
+.nf
+Fix labeling of /var/www/ including all sub-directories and list all context changes
+# restorecon -rv /var/www/
+List mislabeled files in user home directory and what the correct label should be
+# restorecon -nvr ~
+Fix labeling of files listed in file_list file, ignoring any that do not exist
+# restorecon -vif file_list
+
.SH "AUTHOR"
This man page was written by Dan Walsh <dwalsh@redhat.com>.
Some of the content of this man page was taken from the setfiles
diff --git a/policycoreutils/setfiles/restorecon_xattr.8 b/policycoreutils/setfiles/restorecon_xattr.8
index 4b1ce304d995..09bfd8c40ab4 100644
--- a/policycoreutils/setfiles/restorecon_xattr.8
+++ b/policycoreutils/setfiles/restorecon_xattr.8
@@ -112,6 +112,13 @@ If the option is not specified, then the default file_contexts will be used.
.br
the pathname of the directory tree to be searched.
+.SH EXAMPLE
+.nf
+List all paths that where assigned a checksum by "restorecon/setfiles -D"
+# restorecon_xattr -r /
+Remove all non-matching checksums
+# restorecon_xattr -rd /
+
.SH "SEE ALSO"
.BR restorecon (8),
.BR setfiles (8)
diff --git a/policycoreutils/setfiles/setfiles.8 b/policycoreutils/setfiles/setfiles.8
index 36fe6b369548..6071d9ba3d38 100644
--- a/policycoreutils/setfiles/setfiles.8
+++ b/policycoreutils/setfiles/setfiles.8
@@ -289,6 +289,15 @@ and provided the
option is NOT set, files will be relabeled as required with the digests then
being updated provided there are no errors.
+.SH EXAMPLE
+.nf
+Fix labeling of /var/www/ including all sub-directories, using targeted policy file context definitions and list all context changes
+# setfiles -v /etc/selinux/targeted/contexts/files/file_contexts /var/www/
+List mislabeled files in user home directory and what the label should be based on targeted policy file context definitions
+# setfiles -nv /etc/selinux/targeted/contexts/files/file_contexts ~
+Fix labeling of files listed in file_list file, ignoring any that do not exist
+# setfiles -vif file_list /etc/selinux/targeted/contexts/files/file_contexts
+
.SH "AUTHOR"
This man page was written by Russell Coker <russell@coker.com.au>.
The program was written by Stephen Smalley <sds@tycho.nsa.gov>
diff --git a/policycoreutils/setsebool/setsebool.8 b/policycoreutils/setsebool/setsebool.8
index 52936f5a0ffb..f54664fb5c2a 100644
--- a/policycoreutils/setsebool/setsebool.8
+++ b/policycoreutils/setsebool/setsebool.8
@@ -7,13 +7,13 @@ setsebool \- set SELinux boolean value
.I "[ \-PNV ] boolean value | bool1=val1 bool2=val2 ..."
.SH "DESCRIPTION"
-.B setsebool
-sets the current state of a particular SELinux boolean or a list of booleans
-to a given value. The value may be 1 or true or on to enable the boolean, or 0 or false or off to disable it.
+.B setsebool
+sets the current state of a particular SELinux boolean or a list of booleans
+to a given value. The value may be 1 or true or on to enable the boolean, or 0 or false or off to disable it.
Without the \-P option, only the current boolean value is
-affected; the boot-time default settings
-are not changed.
+affected; the boot-time default settings
+are not changed.
If the \-P option is given, all pending values are written to
the policy file on disk. So they will be persistent across reboots.
@@ -22,6 +22,12 @@ If the \-N option is given, the policy on disk is not reloaded into the kernel.
If the \-V option is given, verbose error messages will be printed from semanage libraries.
+.SH EXAMPLE
+.nf
+Enable container_use_devices boolean (will return to persistent value after reboot)
+# setsebool container_use_devices 1
+Persistently enable samba_create_home_dirs and samba_enable_home_dirs booleans
+# setsebool -P samba_create_home_dirs=on samba_enable_home_dirs=on
.SH AUTHOR
This manual page was written by Dan Walsh <dwalsh@redhat.com>.
--
2.41.0

4532
SOURCES/0014-Initial-.pot-files-for-gui-python-sandbox.patch
View File

File diff suppressed because it is too large Load Diff

391
SOURCES/0014-python-sepolicy-Improve-man-pages.patch
Unescape View File

@ -1,391 +0,0 @@
From 72420ec0eb2ca8cf4cc9099dcd495695eeab308b Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com>
Date: Thu, 1 Jun 2023 16:39:12 +0200
Subject: [PATCH] python/sepolicy: Improve man pages
Content-type: text/plain
- Add missing options
- Add examples
- Emphasize keywords
- Remove trailing whitespaces
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Acked-by: Petr Lautrbach <lautrbach@redhat.com>
---
python/sepolicy/sepolicy-booleans.8 | 15 +++++++++---
python/sepolicy/sepolicy-communicate.8 | 14 ++++++++---
python/sepolicy/sepolicy-generate.8 | 34 ++++++++++++--------------
python/sepolicy/sepolicy-gui.8 | 4 +--
python/sepolicy/sepolicy-interface.8 | 18 +++++++++++---
python/sepolicy/sepolicy-manpage.8 | 25 ++++++++++++++-----
python/sepolicy/sepolicy-network.8 | 17 ++++++-------
python/sepolicy/sepolicy-transition.8 | 19 +++++++++-----
8 files changed, 96 insertions(+), 50 deletions(-)
diff --git a/python/sepolicy/sepolicy-booleans.8 b/python/sepolicy/sepolicy-booleans.8
index f8d8b56d5d4d..7f4b18e75ac8 100644
--- a/python/sepolicy/sepolicy-booleans.8
+++ b/python/sepolicy/sepolicy-booleans.8
@@ -8,12 +8,16 @@ sepolicy-booleans \- Query SELinux Policy to see description of booleans
.B sepolicy booleans [\-h] [ \-a | \-b booleanname ... ]
.SH "DESCRIPTION"
-sepolicy booleans will show all booleans and their descriptions, or you can
-choose individual booleans to display
+.B sepolicy booleans
+will show all booleans and their descriptions, or you can
+choose individual booleans to display.
+Please make sure that selinux-policy-devel is present in your system since it contains boolean descriptions extracted from the policy source code. Otherwise
+.B sepolicy booleans
+will only show descriptions generated based on boolean names.
.SH "OPTIONS"
.TP
-.I \-h, \-\-help
+.I \-h, \-\-help
Display help message
.TP
.I \-a, \-\-all
@@ -22,6 +26,11 @@ Display all boolean descriptions
.I \-b, \-\-boolean
boolean to get description
+.SH EXAMPLE
+.nf
+List descriptions of samba_create_home_dirs and samba_enable_home_dirs booleans
+# sepolicy booleans -b samba_create_home_dirs samba_enable_home_dirs
+
.SH "AUTHOR"
This man page was written by Daniel Walsh <dwalsh@redhat.com>
diff --git a/python/sepolicy/sepolicy-communicate.8 b/python/sepolicy/sepolicy-communicate.8
index 050aa475eef1..5ecf6eff0f6b 100644
--- a/python/sepolicy/sepolicy-communicate.8
+++ b/python/sepolicy/sepolicy-communicate.8
@@ -8,7 +8,9 @@ sepolicy-communicate \- Generate a report showing if two SELinux Policy Domains
.B sepolicy communicate [\-h] \-s SOURCE \-t TARGET [\-c TCLASS] [\-S SOURCEACCESS] [\-T TARGETACCESS]
.SH "DESCRIPTION"
-Use sepolicy communicate to examine SELinux Policy to if a source SELinux Domain can communicate with a target SELinux Domain.
+Use
+.B sepolicy communicate
+to examine SELinux Policy and determine if a source SELinux Domain can communicate with a target SELinux Domain.
The default command looks to see if there are any file types that the source domain can write, which the target domain can read.
.SH "OPTIONS"
@@ -16,7 +18,7 @@ The default command looks to see if there are any file types that the source dom
.I \-c, \-\-class
Specify the SELinux class which the source domain will attempt to communicate with the target domain. (Default file)
.TP
-.I \-h, \-\-help
+.I \-h, \-\-help
Display help message
.TP
.I \-s, \-\-source
@@ -31,9 +33,15 @@ Specify the target SELinux domain type.
.I \-T, \-\-targetaccess
Specify the list of accesses used by the target SELinux domain type to receive communications from the source domain. Default Open, Read.
+.SH EXAMPLE
+.nf
+List types that can be used to communicate between samba daemon and apache server
+# sepolicy communicate -s httpd_t -t smbd_t
+Consider a type to be accessible by the source domain when it can be opened and appended to (as opposed to opened and written to)
+# sepolicy communicate -s httpd_t -t smbd_t -S open,append
+
.SH "AUTHOR"
This man page was written by Daniel Walsh <dwalsh@redhat.com>
.SH "SEE ALSO"
sepolicy(8), selinux(8)
-
diff --git a/python/sepolicy/sepolicy-generate.8 b/python/sepolicy/sepolicy-generate.8
index 0c5f998f5412..72d0e8e41b6e 100644
--- a/python/sepolicy/sepolicy-generate.8
+++ b/python/sepolicy/sepolicy-generate.8
@@ -57,32 +57,29 @@ path. \fBsepolicy generate\fP will use the rpm payload of the
application along with \fBnm \-D APPLICATION\fP to help it generate
types and policy rules for your policy files.
-.B Type Enforcing File NAME.te
+.B NAME.te
.br
-This file can be used to define all the types rules for a particular domain.
+This file can be used to define all the types enforcement rules for a particular domain.
.I Note:
-Policy generated by \fBsepolicy generate\fP will automatically add a permissive DOMAIN to your te file. When you are satisfied that your policy works, you need to remove the permissive line from the te file to run your domain in enforcing mode.
+Policy generated by \fBsepolicy generate\fP will automatically add a \fIpermissive DOMAIN\fP to your \fB.te\fP file. When you are satisfied that your policy works, you need to remove the permissive line from the \fB.te\fP file to run your domain in enforcing mode.
-.B Interface File NAME.if
+.B NAME.if
.br
-This file defines the interfaces for the types generated in the te file, which can be used by other policy domains.
+This file defines the interfaces for the types generated in the \fB.te\fP file, which can be used by other policy domains.
-.B File Context NAME.fc
+.B NAME.fc
.br
-This file defines the default file context for the system, it takes the file types created in the te file and associates
+This file defines the default file context for the system, it takes the file types created in the \fB.te\fP file and associates
file paths to the types. Tools like restorecon and RPM will use these paths to put down labels.
-.B RPM Spec File NAME_selinux.spec
+.B NAME_selinux.spec
.br
-This file is an RPM SPEC file that can be used to install the SELinux policy on to machines and setup the labeling. The spec file also installs the interface file and a man page describing the policy. You can use \fBsepolicy manpage \-d NAME\fP to generate the man page.
+This file is an RPM SPEC file that can be used to install the SELinux policy on to machines and setup the labeling. The spec file also installs the interface file and a man page describing the policy. You can use \fBsepolicy manpage \-d NAME\fP to generate the man page.
-.B Shell File NAME.sh
+.B NAME.sh
.br
-This is a helper shell script to compile, install and fix the labeling on your test system. It will also generate a man page based on the installed policy, and
-compile and build an RPM suitable to be installed on other machines
-
-If a generate is possible, this tool will print out all generate paths from the source domain to the target domain
+This is a helper shell script to compile, install and fix the labeling on your test system. It will also generate a man page based on the installed policy, and compile and build an RPM suitable to be installed on other machines.
.SH "OPTIONS"
.TP
@@ -97,10 +94,11 @@ Specify alternate name of policy. The policy will default to the executable or n
.TP
.I \-p, \-\-path
Specify the directory to store the created policy files. (Default to current working directory )
+.TP
optional arguments:
.TP
.I \-r, \-\-role
-Enter role(s) to which this admin user will transition.
+Enter role(s) to which this admin user will transition
.TP
.I \-t, \-\-type
Enter type(s) for which you will generate new definition and rule(s)
@@ -109,12 +107,12 @@ Enter type(s) for which you will generate new definition and rule(s)
SELinux user(s) which will transition to this domain
.TP
.I \-w, \-\-writepath
-Path(s) which the confined processes need to write
+Path(s) which the confined processes need to write to
.TP
.I \-a, \-\-admin
Domain(s) which the confined admin will administrate
.TP
-.I \-\-admin_user
+.I \-\-admin_user
Generate Policy for Administrator Login User Role
.TP
.I \-\-application
@@ -142,7 +140,7 @@ Generate Policy for Internet Services Daemon
Generate Policy for Standard Init Daemon (Default)
.TP
.I \-\-newtype
-Generate new policy for new types to add to an existing policy.
+Generate new policy for new types to add to an existing policy
.TP
.I \-\-sandbox
Generate Policy for Sandbox
diff --git a/python/sepolicy/sepolicy-gui.8 b/python/sepolicy/sepolicy-gui.8
index ed744cdb914e..65b69faba144 100644
--- a/python/sepolicy/sepolicy-gui.8
+++ b/python/sepolicy/sepolicy-gui.8
@@ -11,7 +11,7 @@ Common options
.br
.SH "DESCRIPTION"
-Use \fBsepolicy gui\fP to run a the graphical user interface, which
+Use \fBsepolicy gui\fP to run the graphical user interface, which
allows you to explore how SELinux confines different process domains.
.SH "OPTIONS"
@@ -20,7 +20,7 @@ allows you to explore how SELinux confines different process domains.
Display help message
.TP
.I \-d, \-\-domain
-Initialize gui to the selected domain.
+Initialize gui to the selected domain
.SH "AUTHOR"
This man page was written by Daniel Walsh <dwalsh@redhat.com>
diff --git a/python/sepolicy/sepolicy-interface.8 b/python/sepolicy/sepolicy-interface.8
index 3e74ea627a79..a70a930629ea 100644
--- a/python/sepolicy/sepolicy-interface.8
+++ b/python/sepolicy/sepolicy-interface.8
@@ -5,10 +5,10 @@ sepolicy-interface \- Print interface information based on the installed SELinux
.SH "SYNOPSIS"
.br
-.B sepolicy interface [\-h] [\-c] [\-v] [\-a | \-u | \-l | \-i INTERFACE [INTERFACE ... ]]
+.B sepolicy interface [\-h] [\-c] [\-v] [\-f FILE] [\-a | \-u | \-l | \-i INTERFACE [INTERFACE ... ]]
.SH "DESCRIPTION"
-Use sepolicy interface to print interfaces information based on SELinux Policy.
+Use \fBsepolicy interface\fP to print interface information based on SELinux Policy.
.SH "OPTIONS"
.TP
@@ -18,7 +18,7 @@ List all domains with admin interface
.I \-c, \-\-compile
Test compile of interfaces
.TP
-.I \-h, \-\-help
+.I \-h, \-\-help
Display help message
.TP
.I \-i, \-\-interface
@@ -32,6 +32,18 @@ List all domains with SELinux user role interface
.TP
.I \-v, \-\-verbose
Display extended information about the interface including parameters and description if available.
+.TP
+.I \-f, \-\-file
+Interface file to be explored
+
+.SH EXAMPLE
+.nf
+Show description of given interface
+# sepolicy interface -vi samba_rw_config
+List interfaces in given interface file and show their description
+# sepolicy interface -f my_policy.if -lv
+Run compile test for all interfaces in given file
+# sepolicy interface -f my_policy.if -lc
.SH "AUTHOR"
This man page was written by Daniel Walsh <dwalsh@redhat.com>
diff --git a/python/sepolicy/sepolicy-manpage.8 b/python/sepolicy/sepolicy-manpage.8
index c05c94305633..4991f645ba38 100644
--- a/python/sepolicy/sepolicy-manpage.8
+++ b/python/sepolicy/sepolicy-manpage.8
@@ -8,27 +8,40 @@ sepolicy-manpage \- Generate a man page based on the installed SELinux Policy
.B sepolicy manpage [\-w] [\-h] [\-p PATH ] [\-r ROOTDIR ] [\-a | \-d ]
.SH "DESCRIPTION"
-Use sepolicy manpage to generate manpages based on SELinux Policy.
+Use \fBsepolicy manpage\fP to generate manpages based on SELinux Policy.
.SH "OPTIONS"
.TP
-.I \-a, \-\-all
+.I \-a, \-\-all
Generate Man Pages for All Domains
.TP
-.I \-d, \-\-domain
+.I \-d, \-\-domain
Generate a Man Page for the specified domain. (Supports multiple commands)
.TP
-.I \-h, \-\-help
+.I \-h, \-\-help
Display help message
.TP
+.I \-o, \-\-os
+Specify the name of the OS to be used in the man page (only affects HTML man pages)
+.TP
.I \-p, \-\-path
Specify the directory to store the created man pages. (Default to /tmp)
.TP
.I \-r, \-\-root
-Specify alternate root directory to generate man pages from. (Default to /)
+Specify alternative root directory to generate man pages from. (Default to /)
+.TP
+.I \-\-source_files
+Use file_contexts and policy.xml files from the specified root directory (the alternative root needs to include both files)
.TP
.I \-w, \-\-web
-Generate an additional HTML man pages for the specified domain(s).
+Generate an additional HTML man pages for the specified domain(s)
+
+.SH EXAMPLE
+.nf
+Generate man pages for all available domains
+# sepolicy manpage -a
+Generate an HTML man page for domain alsa_t, setting the OS name to "My_distro"
+# sepolicy manpage -o My_distro -d alsa_t -w
.SH "AUTHOR"
This man page was written by Daniel Walsh <dwalsh@redhat.com>
diff --git a/python/sepolicy/sepolicy-network.8 b/python/sepolicy/sepolicy-network.8
index dcddec756774..6faf60ab7a44 100644
--- a/python/sepolicy/sepolicy-network.8
+++ b/python/sepolicy/sepolicy-network.8
@@ -8,27 +8,27 @@ sepolicy-network \- Examine the SELinux Policy and generate a network report
.B sepolicy network [\-h] (\-l | \-a application [application ...] | \-p PORT [PORT ...] | \-t TYPE [TYPE ...] | \-d DOMAIN [DOMAIN ...])
.SH "DESCRIPTION"
-Use sepolicy network to examine SELinux Policy and generate network reports.
+Use \fBsepolicy network\fP to examine SELinux Policy and generate network reports.
.SH "OPTIONS"
.TP
.I \-a, \-\-application
-Generate a report listing the ports to which the specified init application is allowed to connect and or bind.
+Generate a report listing the ports to which the specified init application is allowed to connect and or bind
.TP
-.I \-d, \-\-domain
-Generate a report listing the ports to which the specified domain is allowed to connect and or bind.
+.I \-d, \-\-domain
+Generate a report listing the ports to which the specified domain is allowed to connect and or bind
.TP
-.I \-l, \-\-list
+.I \-l, \-\-list
List all Network Port Types defined in SELinux Policy
.TP
-.I \-h, \-\-help
+.I \-h, \-\-help
Display help message
.TP
.I \-t, \-\-type
-Generate a report listing the port numbers associate with the specified SELinux port type.
+Generate a report listing the port numbers associate with the specified SELinux port type
.TP
.I \-p, \-\-port
-Generate a report listing the SELinux port types associate with the specified port number.
+Generate a report listing the SELinux port types associate with the specified port number
.SH "EXAMPLES"
@@ -88,4 +88,3 @@ This man page was written by Daniel Walsh <dwalsh@redhat.com>
.SH "SEE ALSO"
sepolicy(8), selinux(8), semanage(8)
-
diff --git a/python/sepolicy/sepolicy-transition.8 b/python/sepolicy/sepolicy-transition.8
index 897f0c4c418e..9f9ff5a52165 100644
--- a/python/sepolicy/sepolicy-transition.8
+++ b/python/sepolicy/sepolicy-transition.8
@@ -11,21 +11,28 @@ sepolicy-transition \- Examine the SELinux Policy and generate a process transit
.B sepolicy transition [\-h] \-s SOURCE \-t TARGET
.SH "DESCRIPTION"
-sepolicy transition will show all domains that a give SELinux source domain can transition to, including the entrypoint.
+\fBsepolicy transition\fP will show all domains that a given SELinux source domain can transition to, including the entrypoint.
-If a target domain is given, sepolicy transition will examine policy for all transition paths from the source domain to the target domain, and will list the
-paths. If a transition is possible, this tool will print out all transition paths from the source domain to the target domain
+If a target domain is given, sepolicy transition will examine policy for all transition paths from the source domain to the target domain, and will list the
+paths.
.SH "OPTIONS"
.TP
-.I \-h, \-\-help
+.I \-h, \-\-help
Display help message
.TP
.I \-s, \-\-source
-Specify the source SELinux domain type.
+Specify the source SELinux domain type
.TP
.I \-t, \-\-target
-Specify the target SELinux domain type.
+Specify the target SELinux domain type
+
+.SH EXAMPLE
+.nf
+List all domain transition paths from init_t to httpd_t
+# sepolicy transition -s init_t -t httpd_t
+List all transitions available from samba domain, including entry points and booleans controlling each transition
+# sepolicy transition -s smbd_t
.SH "AUTHOR"
This man page was written by Daniel Walsh <dwalsh@redhat.com>
--
2.41.0

129
SOURCES/0015-sandbox-Add-examples-to-man-pages.patch
Unescape View File

@ -1,129 +0,0 @@
From 9366d1925db4e095a77125f03f3d1648f4c179f5 Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com>
Date: Thu, 1 Jun 2023 16:39:13 +0200
Subject: [PATCH] sandbox: Add examples to man pages
Content-type: text/plain
While at it, remove trailing whitespaces.
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Acked-by: Petr Lautrbach <lautrbach@redhat.com>
---
sandbox/sandbox.8 | 28 ++++++++++++++++++----------
sandbox/seunshare.8 | 21 ++++++++++++++-------
2 files changed, 32 insertions(+), 17 deletions(-)
diff --git a/sandbox/sandbox.8 b/sandbox/sandbox.8
index 775e4b231204..1c1870190e51 100644
--- a/sandbox/sandbox.8
+++ b/sandbox/sandbox.8
@@ -11,12 +11,12 @@ sandbox \- Run cmd under an SELinux sandbox
.br
.SH DESCRIPTION
.PP
-Run the
-.I cmd
+Run the
+.I cmd
application within a tightly confined SELinux domain. The default sandbox domain only allows applications the ability to read and write stdin, stdout and any other file descriptors handed to it. It is not allowed to open any other files. The \-M option will mount an alternate homedir and tmpdir to be used by the sandbox.
-If you have the
-.I policycoreutils-sandbox
+If you have the
+.I policycoreutils-sandbox
package installed, you can use the \-X option and the \-M option.
.B sandbox \-X
allows you to run X applications within a sandbox. These applications will start up their own X Server and create a temporary home directory and /tmp. The default SELinux policy does not allow any capabilities or network access. It also prevents all access to the users other processes and files. Files specified on the command that are in the home directory or /tmp will be copied into the sandbox directories.
@@ -78,27 +78,35 @@ Run a full desktop session, Requires level, and home and tmpdir.
Specifies the windowsize when creating an X based Sandbox. The default windowsize is 1000x700.
.TP
\fB\-W\fR \fB\-\-windowmanager\fR
-Select alternative window manager to run within
+Select alternative window manager to run within
.B sandbox \-X.
Default to /usr/bin/matchbox-window-manager.
.TP
-\fB\-X\fR
+\fB\-X\fR
Create an X based Sandbox for gui apps, temporary files for
$HOME and /tmp, secondary Xserver, defaults to sandbox_x_t
.TP
\fB\-d\fR \fB\-\-dpi\fR
Set the DPI value for the sandbox X Server. Defaults to the current X Sever DPI.
.TP
-\fB\-C\fR \fB\-\-capabilities\fR Use capabilities within the
-sandbox. By default applications executed within the sandbox will not
-be allowed to use capabilities (setuid apps), with the \-C flag, you
-can use programs requiring capabilities.
+\fB\-C\fR \fB\-\-capabilities\fR
+Use capabilities within the sandbox. By default applications executed within the sandbox will not be allowed to use capabilities (setuid apps), with the \-C flag, you can use programs requiring capabilities.
.PP
.SH "SEE ALSO"
.TP
runcon(1), seunshare(8), selinux(8)
.PP
+.SH EXAMPLE
+.nf
+Run a graphical application inside the sandbox
+# sandbox -X evince
+Run a graphical application that requires the use of network
+# sandbox X t sandbox_web_t firefox
+Preserve data from one session to the next
+# mkdir -p ~/sandbox/home ~/sandbox/tmp
+# sandbox -H ~/sandbox/home -T ~/sandbox/tmp -X libreoffice --writer
+
.SH AUTHOR
This manual page was written by
.I Dan Walsh <dwalsh@redhat.com>
diff --git a/sandbox/seunshare.8 b/sandbox/seunshare.8
index 09cf7feae45d..5339a3b1fb20 100644
--- a/sandbox/seunshare.8
+++ b/sandbox/seunshare.8
@@ -9,29 +9,36 @@ seunshare \- Run cmd with alternate homedir, tmpdir and/or SELinux context
.PP
Run the
.I executable
-within the specified context, using the alternate home directory and /tmp directory. The seunshare command unshares from the default namespace, then mounts the specified homedir and tmpdir over the default homedir and /tmp. Finally it tells the kernel to execute the application under the specified SELinux context.
+within the specified context, using custom home directory and /tmp directory. The seunshare command unshares from the default namespace, then mounts the specified homedir and tmpdir over the default homedir and /tmp. Finally it tells the kernel to execute the application under the specified SELinux context.
.TP
\fB\-h homedir\fR
-Alternate homedir to be used by the application. Homedir must be owned by the user.
+Alternate homedir to be used by the application. Homedir must be owned by the user
.TP
\fB\-t\ tmpdir
-Use alternate temporary directory to mount on /tmp. tmpdir must be owned by the user.
+Use alternate temporary directory to mount on /tmp. tmpdir must be owned by the user
.TP
\fB\-r\ runuserdir
-Use alternate temporary directory to mount on XDG_RUNTIME_DIR (/run/user/$UID). runuserdir must be owned by the user.
+Use alternate temporary directory to mount on XDG_RUNTIME_DIR (/run/user/$UID). runuserdir must be owned by the user
.TP
\fB\-C --capabilities\fR
-Allow apps executed within the namespace to use capabilities. Default is no capabilities.
+Allow apps executed within the namespace to use capabilities. Default is no capabilities
.TP
\fB\-k --kill\fR
-Kill all processes with matching MCS level.
+Kill all processes with matching MCS level
.TP
\fB\-Z\ context
-Use alternate SELinux context while running the executable.
+Use alternate SELinux context while running the executable
.TP
\fB\-v\fR
Verbose output
+
+.SH EXAMPLE
+.nf
+Run bash with temporary /home and /tmp directory
+# USERHOMEDIR=`mktemp -d /tmp/home.XXXXXX`; USERTEMPDIR=`mktemp -d /tmp/temp.XXXXXX`
+# seunshare -v -h ${USERHOMEDIR} -t ${USERTEMPDIR} -- /bin/bash
+
.SH "SEE ALSO"
.TP
runcon(1), sandbox(8), selinux(8)
--
2.41.0

30
SOURCES/0016-policycoreutils-setfiles-Improve-description-of-d-sw.patch
Unescape View File

@ -0,0 +1,30 @@
From c8fbb8042852c18775c001999ce949e9b591e381 Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com>
Date: Wed, 21 Mar 2018 08:51:31 +0100
Subject: [PATCH] policycoreutils/setfiles: Improve description of -d switch
The "-q" switch is becoming obsolete (completely unused in fedora) and
debug output ("-d" switch) makes sense in any scenario. Therefore both
options can be specified at once.
Resolves: rhbz#1271327
---
policycoreutils/setfiles/setfiles.8 | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policycoreutils/setfiles/setfiles.8 b/policycoreutils/setfiles/setfiles.8
index ccaaf4de..a8a76c86 100644
--- a/policycoreutils/setfiles/setfiles.8
+++ b/policycoreutils/setfiles/setfiles.8
@@ -57,7 +57,7 @@ check the validity of the contexts against the specified binary policy.
.TP
.B \-d
show what specification matched each file (do not abort validation
-after ABORT_ON_ERRORS errors).
+after ABORT_ON_ERRORS errors). Not affected by "\-q"
.TP
.BI \-e \ directory
directory to exclude (repeat option for more than one directory).
--
2.21.0

94
SOURCES/0016-python-sepolicy-Fix-template-for-confined-user-polic.patch
Unescape View File

@ -1,94 +0,0 @@
From cf06052cc5fece8ec1ae655aecf941420385bf4d Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com>
Date: Thu, 1 Jun 2023 18:34:30 +0200
Subject: [PATCH] python/sepolicy: Fix template for confined user policy
modules
Content-type: text/plain
The following commit
https://github.com/SELinuxProject/refpolicy/commit/330b0fc3331d3b836691464734c96f3da3044490
changed the userdom_base_user_template, which now requires a role
corresponding to the user being created to be defined outside of the
template.
Similar change was also done to fedora-selinux/selinux-policy
https://github.com/fedora-selinux/selinux-policy/commit/e1e216b25df1bdb4eb7dbb8f73f32927ad6f3d1f
Although I believe the template should define the role (just as it
defines the new user), that will require extensive changes to refpolicy.
In the meantime the role needs to be defined separately.
Fixes:
# sepolicy generate --term_user -n newuser
Created the following files:
/root/a/test/newuser.te # Type Enforcement file
/root/a/test/newuser.if # Interface file
/root/a/test/newuser.fc # File Contexts file
/root/a/test/newuser_selinux.spec # Spec file
/root/a/test/newuser.sh # Setup Script
# ./newuser.sh
Building and Loading Policy
+ make -f /usr/share/selinux/devel/Makefile newuser.pp
Compiling targeted newuser module
Creating targeted newuser.pp policy package
rm tmp/newuser.mod tmp/newuser.mod.fc
+ /usr/sbin/semodule -i newuser.pp
Failed to resolve roleattributeset statement at /var/lib/selinux/targeted/tmp/modules/400/newuser/cil:8
Failed to resolve AST
/usr/sbin/semodule: Failed!
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Acked-by: Petr Lautrbach <lautrbach@redhat.com>
---
python/sepolicy/sepolicy/templates/user.py | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/python/sepolicy/sepolicy/templates/user.py b/python/sepolicy/sepolicy/templates/user.py
index 1ff9d2ce8e75..7081fbaec496 100644
--- a/python/sepolicy/sepolicy/templates/user.py
+++ b/python/sepolicy/sepolicy/templates/user.py
@@ -28,6 +28,8 @@ policy_module(TEMPLATETYPE, 1.0.0)
#
# Declarations
#
+role TEMPLATETYPE_r;
+
userdom_unpriv_user_template(TEMPLATETYPE)
"""
@@ -38,6 +40,8 @@ policy_module(TEMPLATETYPE, 1.0.0)
#
# Declarations
#
+role TEMPLATETYPE_r;
+
userdom_admin_user_template(TEMPLATETYPE)
"""
@@ -48,6 +52,7 @@ policy_module(TEMPLATETYPE, 1.0.0)
#
# Declarations
#
+role TEMPLATETYPE_r;
userdom_restricted_user_template(TEMPLATETYPE)
"""
@@ -59,6 +64,7 @@ policy_module(TEMPLATETYPE, 1.0.0)
#
# Declarations
#
+role TEMPLATETYPE_r;
userdom_restricted_xwindows_user_template(TEMPLATETYPE)
"""
@@ -89,6 +95,7 @@ gen_tunable(TEMPLATETYPE_manage_user_files, false)
#
# Declarations
#
+role TEMPLATETYPE_r;
userdom_base_user_template(TEMPLATETYPE)
"""
--
2.41.0

48
SOURCES/0017-python-sepolicy-Fix-spec-file-dependencies.patch
Unescape View File

@ -1,48 +0,0 @@
From 1af71ea06bbb57082a627854ec77134428f8fb15 Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com>
Date: Tue, 30 May 2023 09:07:28 +0200
Subject: [PATCH] python/sepolicy: Fix spec file dependencies
Content-type: text/plain
semanage is part of policycoreutils-python-utils package, selinuxenabled
is part of libselinux-utils (required by ^^^) and restorecon/load_policy
are part of policycoreutils (also required by policycoreutils-python-utils).
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
---
python/sepolicy/sepolicy/templates/spec.py | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/python/sepolicy/sepolicy/templates/spec.py b/python/sepolicy/sepolicy/templates/spec.py
index 16a22081b44b..cb3b2f63005b 100644
--- a/python/sepolicy/sepolicy/templates/spec.py
+++ b/python/sepolicy/sepolicy/templates/spec.py
@@ -11,18 +11,20 @@ Version: 1.0
Release: 1%{?dist}
Summary: SELinux policy module for MODULENAME
-Group: System Environment/Base
-License: GPLv2+
+Group: System Environment/Base
+License: GPLv2+
# This is an example. You will need to change it.
+# For a complete guide on packaging your policy
+# see https://fedoraproject.org/wiki/SELinux/IndependentPolicy
URL: http://HOSTNAME
Source0: MODULENAME.pp
Source1: MODULENAME.if
Source2: DOMAINNAME_selinux.8
Source3: DOMAINNAME_u
-Requires: policycoreutils, libselinux-utils
-Requires(post): selinux-policy-base >= %{selinux_policyver}, policycoreutils
-Requires(postun): policycoreutils
+Requires: policycoreutils-python-utils, libselinux-utils
+Requires(post): selinux-policy-base >= %{selinux_policyver}, policycoreutils-python-utils
+Requires(postun): policycoreutils-python-utils
"""
mid_section="""\
--
2.41.0

7
SOURCES/0005-sepolicy-generate-Handle-more-reserved-port-types.patch → SOURCES/0017-sepolicy-generate-Handle-more-reserved-port-types.patch
Unescape View File

@ -1,8 +1,7 @@
From be8bd714f37e6114661f02df4ddb7cb7b25cd0a1 Mon Sep 17 00:00:00 2001
From 3073efc112929b535f3a832c6f99e0dbe3af29ca Mon Sep 17 00:00:00 2001
From: Masatake YAMATO <yamato@redhat.com>
Date: Thu, 14 Dec 2017 15:57:58 +0900
Subject: [PATCH] sepolicy-generate: Handle more reserved port types
Content-type: text/plain
Currently only reserved_port_t, port_t and hi_reserved_port_t are
handled as special when making a ports-dictionary. However, as fas as
@ -53,7 +52,7 @@ https://lore.kernel.org/selinux/20150610.190635.1866127952891120915.yamato@redha
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/python/sepolicy/sepolicy/generate.py b/python/sepolicy/sepolicy/generate.py
index b6df3e91160b..36a3ea1196b1 100644
index 7175d36b..93caedee 100644
--- a/python/sepolicy/sepolicy/generate.py
+++ b/python/sepolicy/sepolicy/generate.py
@@ -100,7 +100,9 @@ def get_all_ports():
@ -68,5 +67,5 @@ index b6df3e91160b..36a3ea1196b1 100644
dict[(p['low'], p['high'], p['protocol'])] = (p['type'], p.get('range'))
return dict
--
2.39.1
2.21.0

455
SOURCES/0018-python-improve-format-strings-for-proper-localizatio.patch
Unescape View File

@ -1,455 +0,0 @@
From 9bef6943871822d82a3428dda13a871e1848acad Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <lautrbach@redhat.com>
Date: Tue, 16 May 2023 15:45:05 +0200
Subject: [PATCH] python: improve format strings for proper localization
Content-type: text/plain
If a string contains more than one unnamed argument it's hard for
translators to proper localize as they don't know which value is
represented by a unnamed argument. It also blocks them to use a
different order of arguments which would make better sense in other
languages.
Fixes:
$ xgettext --default-domain=python -L Python --keyword=_ --keyword=N_ ../audit2allow/audit2allow ../chcat/chcat ../semanage/semanage ../semanage/seobject.py ../sepolgen/src/sepolgen/interfaces.py ../sepolicy/sepolicy/generate.py ../sepolicy/sepolicy/gui.py ../sepolicy/sepolicy/__init__.py ../sepolicy/sepolicy/interface.py ../sepolicy/sepolicy.py
../chcat/chcat:220: warning: 'msgid' format string with unnamed arguments cannot be properly localized:
The translator cannot reorder the arguments.
Please consider using a format string with named arguments,
and a mapping instead of a tuple for the arguments.
../semanage/seobject.py:1178: warning: 'msgid' format string with unnamed arguments cannot be properly localized:
The translator cannot reorder the arguments.
Please consider using a format string with named arguments,
and a mapping instead of a tuple for the arguments.
...
Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>
---
python/chcat/chcat | 6 +-
python/semanage/seobject.py | 130 ++++++++++++++++++------------------
2 files changed, 68 insertions(+), 68 deletions(-)
diff --git a/python/chcat/chcat b/python/chcat/chcat
index 68718ec5f102..c4f592291821 100755
--- a/python/chcat/chcat
+++ b/python/chcat/chcat
@@ -125,7 +125,7 @@ def chcat_add(orig, newcat, objects, login_ind):
if len(clist) > 1:
if cat in clist[1:]:
- print(_("%s is already in %s") % (f, orig))
+ print(_("{target} is already in {category}").format(target=f, category=orig))
continue
clist.append(cat)
cats = clist[1:]
@@ -207,7 +207,7 @@ def chcat_remove(orig, newcat, objects, login_ind):
if len(clist) > 1:
if cat not in clist[1:]:
- print(_("%s is not in %s") % (f, orig))
+ print(_("{target} is not in {category}").format(target=f, category=orig))
continue
clist.remove(cat)
if len(clist) > 1:
@@ -217,7 +217,7 @@ def chcat_remove(orig, newcat, objects, login_ind):
else:
cat = ""
else:
- print(_("%s is not in %s") % (f, orig))
+ print(_("{target} is not in {category}").format(target=f, category=orig))
continue
if len(cat) == 0:
diff --git a/python/semanage/seobject.py b/python/semanage/seobject.py
index d82da4942987..2b1eb44ce8a3 100644
--- a/python/semanage/seobject.py
+++ b/python/semanage/seobject.py
@@ -843,7 +843,7 @@ class seluserRecords(semanageRecords):
for r in roles:
rc = semanage_user_add_role(self.sh, u, r)
if rc < 0:
- raise ValueError(_("Could not add role %s for %s") % (r, name))
+ raise ValueError(_("Could not add role {role} for {name}").format(role=r, name=name))
if is_mls_enabled == 1:
rc = semanage_user_set_mlsrange(self.sh, u, serange)
@@ -855,7 +855,7 @@ class seluserRecords(semanageRecords):
raise ValueError(_("Could not set MLS level for %s") % name)
rc = semanage_user_set_prefix(self.sh, u, prefix)
if rc < 0:
- raise ValueError(_("Could not add prefix %s for %s") % (r, prefix))
+ raise ValueError(_("Could not add prefix {prefix} for {role}").format(role=r, prefix=prefix))
(rc, key) = semanage_user_key_extract(self.sh, u)
if rc < 0:
raise ValueError(_("Could not extract key for %s") % name)
@@ -1088,7 +1088,7 @@ class portRecords(semanageRecords):
(rc, k) = semanage_port_key_create(self.sh, low, high, proto_d)
if rc < 0:
- raise ValueError(_("Could not create a key for %s/%s") % (proto, port))
+ raise ValueError(_("Could not create a key for {proto}/{port}").format(proto=proto, port=port))
return (k, proto_d, low, high)
def __add(self, port, proto, serange, type):
@@ -1110,44 +1110,44 @@ class portRecords(semanageRecords):
(rc, exists) = semanage_port_exists(self.sh, k)
if rc < 0:
- raise ValueError(_("Could not check if port %s/%s is defined") % (proto, port))
+ raise ValueError(_("Could not check if port {proto}/{port} is defined").format(proto=proto, port=port))
if exists:
- raise ValueError(_("Port %s/%s already defined") % (proto, port))
+ raise ValueError(_("Port {proto}/{port} already defined").format(proto=proto, port=port))
(rc, p) = semanage_port_create(self.sh)
if rc < 0:
- raise ValueError(_("Could not create port for %s/%s") % (proto, port))
+ raise ValueError(_("Could not create port for {proto}/{port}").format(proto=proto, port=port))
semanage_port_set_proto(p, proto_d)
semanage_port_set_range(p, low, high)
(rc, con) = semanage_context_create(self.sh)
if rc < 0:
- raise ValueError(_("Could not create context for %s/%s") % (proto, port))
+ raise ValueError(_("Could not create context for {proto}/{port}").format(proto=proto, port=port))
rc = semanage_context_set_user(self.sh, con, "system_u")
if rc < 0:
- raise ValueError(_("Could not set user in port context for %s/%s") % (proto, port))
+ raise ValueError(_("Could not set user in port context for {proto}/{port}").format(proto=proto, port=port))
rc = semanage_context_set_role(self.sh, con, "object_r")
if rc < 0:
- raise ValueError(_("Could not set role in port context for %s/%s") % (proto, port))
+ raise ValueError(_("Could not set role in port context for {proto}/{port}").format(proto=proto, port=port))
rc = semanage_context_set_type(self.sh, con, type)
if rc < 0:
- raise ValueError(_("Could not set type in port context for %s/%s") % (proto, port))
+ raise ValueError(_("Could not set type in port context for {proto}/{port}").format(proto=proto, port=port))
if (is_mls_enabled == 1) and (serange != ""):
rc = semanage_context_set_mls(self.sh, con, serange)
if rc < 0:
- raise ValueError(_("Could not set mls fields in port context for %s/%s") % (proto, port))
+ raise ValueError(_("Could not set mls fields in port context for {proto}/{port}").format(proto=proto, port=port))
rc = semanage_port_set_con(self.sh, p, con)
if rc < 0:
- raise ValueError(_("Could not set port context for %s/%s") % (proto, port))
+ raise ValueError(_("Could not set port context for {proto}/{port}").format(proto=proto, port=port))
rc = semanage_port_modify_local(self.sh, k, p)
if rc < 0:
- raise ValueError(_("Could not add port %s/%s") % (proto, port))
+ raise ValueError(_("Could not add port {proto}/{port}").format(proto=proto, port=port))
semanage_context_free(con)
semanage_port_key_free(k)
@@ -1175,13 +1175,13 @@ class portRecords(semanageRecords):
(rc, exists) = semanage_port_exists(self.sh, k)
if rc < 0:
- raise ValueError(_("Could not check if port %s/%s is defined") % (proto, port))
+ raise ValueError(_("Could not check if port {proto}/{port} is defined").format(proto=proto, port=port))
if not exists:
- raise ValueError(_("Port %s/%s is not defined") % (proto, port))
+ raise ValueError(_("Port {proto}/{port} is not defined").format(proto=proto, port=port))
(rc, p) = semanage_port_query(self.sh, k)
if rc < 0:
- raise ValueError(_("Could not query port %s/%s") % (proto, port))
+ raise ValueError(_("Could not query port {proto}/{port}").format(proto=proto, port=port))
con = semanage_port_get_con(p)
@@ -1195,7 +1195,7 @@ class portRecords(semanageRecords):
rc = semanage_port_modify_local(self.sh, k, p)
if rc < 0:
- raise ValueError(_("Could not modify port %s/%s") % (proto, port))
+ raise ValueError(_("Could not modify port {proto}/{port}").format(proto=proto, port=port))
semanage_port_key_free(k)
semanage_port_free(p)
@@ -1241,19 +1241,19 @@ class portRecords(semanageRecords):
(k, proto_d, low, high) = self.__genkey(port, proto)
(rc, exists) = semanage_port_exists(self.sh, k)
if rc < 0:
- raise ValueError(_("Could not check if port %s/%s is defined") % (proto, port))
+ raise ValueError(_("Could not check if port {proto}/{port} is defined").format(proto=proto, port=port))
if not exists:
- raise ValueError(_("Port %s/%s is not defined") % (proto, port))
+ raise ValueError(_("Port {proto}/{port} is not defined").format(proto=proto, port=port))
(rc, exists) = semanage_port_exists_local(self.sh, k)
if rc < 0:
- raise ValueError(_("Could not check if port %s/%s is defined") % (proto, port))
+ raise ValueError(_("Could not check if port {proto}/{port} is defined").format(proto=proto, port=port))
if not exists:
- raise ValueError(_("Port %s/%s is defined in policy, cannot be deleted") % (proto, port))
+ raise ValueError(_("Port {proto}/{port} is defined in policy, cannot be deleted").format(proto=proto, port=port))
rc = semanage_port_del_local(self.sh, k)
if rc < 0:
- raise ValueError(_("Could not delete port %s/%s") % (proto, port))
+ raise ValueError(_("Could not delete port {proto}/{port}").format(proto=proto, port=port))
semanage_port_key_free(k)
@@ -1362,7 +1362,7 @@ class ibpkeyRecords(semanageRecords):
(rc, k) = semanage_ibpkey_key_create(self.sh, subnet_prefix, low, high)
if rc < 0:
- raise ValueError(_("Could not create a key for %s/%s") % (subnet_prefix, pkey))
+ raise ValueError(_("Could not create a key for {subnet_prefix}/{pkey}").format(subnet_prefix=subnet_prefix, pkey=pkey))
return (k, subnet_prefix, low, high)
def __add(self, pkey, subnet_prefix, serange, type):
@@ -1384,44 +1384,44 @@ class ibpkeyRecords(semanageRecords):
(rc, exists) = semanage_ibpkey_exists(self.sh, k)
if rc < 0:
- raise ValueError(_("Could not check if ibpkey %s/%s is defined") % (subnet_prefix, pkey))
+ raise ValueError(_("Could not check if ibpkey {subnet_prefix}/{pkey} is defined").formnat(subnet_prefix=subnet_prefix, pkey=pkey))
if exists:
- raise ValueError(_("ibpkey %s/%s already defined") % (subnet_prefix, pkey))
+ raise ValueError(_("ibpkey {subnet_prefix}/{pkey} already defined").format(subnet_prefix=subnet_prefix, pkey=pkey))
(rc, p) = semanage_ibpkey_create(self.sh)
if rc < 0:
- raise ValueError(_("Could not create ibpkey for %s/%s") % (subnet_prefix, pkey))
+ raise ValueError(_("Could not create ibpkey for {subnet_prefix}/{pkey}").format(subnet_prefix=subnet_prefix, pkey=pkey))
semanage_ibpkey_set_subnet_prefix(self.sh, p, subnet_prefix)
semanage_ibpkey_set_range(p, low, high)
(rc, con) = semanage_context_create(self.sh)
if rc < 0:
- raise ValueError(_("Could not create context for %s/%s") % (subnet_prefix, pkey))
+ raise ValueError(_("Could not create context for {subnet_prefix}/{pkey}").format(subnet_prefix=subnet_prefix, pkey=pkey))
rc = semanage_context_set_user(self.sh, con, "system_u")
if rc < 0:
- raise ValueError(_("Could not set user in ibpkey context for %s/%s") % (subnet_prefix, pkey))
+ raise ValueError(_("Could not set user in ibpkey context for {subnet_prefix}/{pkey}").format(subnet_prefix=subnet_prefix, pkey=pkey))
rc = semanage_context_set_role(self.sh, con, "object_r")
if rc < 0:
- raise ValueError(_("Could not set role in ibpkey context for %s/%s") % (subnet_prefix, pkey))
+ raise ValueError(_("Could not set role in ibpkey context for {subnet_prefix}/{pkey}").format(subnet_prefix=subnet_prefix, pkey=pkey))
rc = semanage_context_set_type(self.sh, con, type)
if rc < 0:
- raise ValueError(_("Could not set type in ibpkey context for %s/%s") % (subnet_prefix, pkey))
+ raise ValueError(_("Could not set type in ibpkey context for {subnet_prefix}/{pkey}").format(subnet_prefix=subnet_prefix, pkey=pkey))
if (is_mls_enabled == 1) and (serange != ""):
rc = semanage_context_set_mls(self.sh, con, serange)
if rc < 0:
- raise ValueError(_("Could not set mls fields in ibpkey context for %s/%s") % (subnet_prefix, pkey))
+ raise ValueError(_("Could not set mls fields in ibpkey context for {subnet_prefix}/{pkey}").format(subnet_prefix=subnet_prefix, pkey=pkey))
rc = semanage_ibpkey_set_con(self.sh, p, con)
if rc < 0:
- raise ValueError(_("Could not set ibpkey context for %s/%s") % (subnet_prefix, pkey))
+ raise ValueError(_("Could not set ibpkey context for {subnet_prefix}/{pkey}").format(subnet_prefix=subnet_prefix, pkey=pkey))
rc = semanage_ibpkey_modify_local(self.sh, k, p)
if rc < 0:
- raise ValueError(_("Could not add ibpkey %s/%s") % (subnet_prefix, pkey))
+ raise ValueError(_("Could not add ibpkey {subnet_prefix}/{pkey}").format(subnet_prefix=subnet_prefix, pkey=pkey))
semanage_context_free(con)
semanage_ibpkey_key_free(k)
@@ -1448,13 +1448,13 @@ class ibpkeyRecords(semanageRecords):
(rc, exists) = semanage_ibpkey_exists(self.sh, k)
if rc < 0:
- raise ValueError(_("Could not check if ibpkey %s/%s is defined") % (subnet_prefix, pkey))
+ raise ValueError(_("Could not check if ibpkey {subnet_prefix}/{pkey} is defined").format(subnet_prefix=subnet_prefix, pkey=pkey))
if not exists:
- raise ValueError(_("ibpkey %s/%s is not defined") % (subnet_prefix, pkey))
+ raise ValueError(_("ibpkey {subnet_prefix}/{pkey} is not defined").format(subnet_prefix=subnet_prefix, pkey=pkey))
(rc, p) = semanage_ibpkey_query(self.sh, k)
if rc < 0:
- raise ValueError(_("Could not query ibpkey %s/%s") % (subnet_prefix, pkey))
+ raise ValueError(_("Could not query ibpkey {subnet_prefix}/{pkey}").format(subnet_prefix=subnet_prefix, pkey=pkey))
con = semanage_ibpkey_get_con(p)
@@ -1465,7 +1465,7 @@ class ibpkeyRecords(semanageRecords):
rc = semanage_ibpkey_modify_local(self.sh, k, p)
if rc < 0:
- raise ValueError(_("Could not modify ibpkey %s/%s") % (subnet_prefix, pkey))
+ raise ValueError(_("Could not modify ibpkey {subnet_prefix}/{pkey}").format(subnet_prefix=subnet_prefix, pkey=pkey))
semanage_ibpkey_key_free(k)
semanage_ibpkey_free(p)
@@ -1502,19 +1502,19 @@ class ibpkeyRecords(semanageRecords):
(k, subnet_prefix, low, high) = self.__genkey(pkey, subnet_prefix)
(rc, exists) = semanage_ibpkey_exists(self.sh, k)
if rc < 0:
- raise ValueError(_("Could not check if ibpkey %s/%s is defined") % (subnet_prefix, pkey))
+ raise ValueError(_("Could not check if ibpkey {subnet_prefix}/{pkey} is defined").format(subnet_prefix=subnet_prefix, pkey=pkey))
if not exists:
- raise ValueError(_("ibpkey %s/%s is not defined") % (subnet_prefix, pkey))
+ raise ValueError(_("ibpkey {subnet_prefix}/{pkey} is not defined").format(subnet_prefix=subnet_prefix, pkey=pkey))
(rc, exists) = semanage_ibpkey_exists_local(self.sh, k)
if rc < 0:
- raise ValueError(_("Could not check if ibpkey %s/%s is defined") % (subnet_prefix, pkey))
+ raise ValueError(_("Could not check if ibpkey {subnet_prefix}/{pkey} is defined").format(subnet_prefix=subnet_prefix, pkey=pkey))
if not exists:
- raise ValueError(_("ibpkey %s/%s is defined in policy, cannot be deleted") % (subnet_prefix, pkey))
+ raise ValueError(_("ibpkey {subnet_prefix}/{pkey} is defined in policy, cannot be deleted").format(subnet_prefix=subnet_prefix, pkey=pkey))
rc = semanage_ibpkey_del_local(self.sh, k)
if rc < 0:
- raise ValueError(_("Could not delete ibpkey %s/%s") % (subnet_prefix, pkey))
+ raise ValueError(_("Could not delete ibpkey {subnet_prefix}/{pkey}").format(subnet_prefix=subnet_prefix, pkey=pkey))
semanage_ibpkey_key_free(k)
@@ -1617,7 +1617,7 @@ class ibendportRecords(semanageRecords):
(rc, k) = semanage_ibendport_key_create(self.sh, ibdev_name, port)
if rc < 0:
- raise ValueError(_("Could not create a key for ibendport %s/%s") % (ibdev_name, ibendport))
+ raise ValueError(_("Could not create a key for ibendport {ibdev_name}/{ibendport}").format(ibdev_name=ibdev_name, ibendport=ibendport))
return (k, ibdev_name, port)
def __add(self, ibendport, ibdev_name, serange, type):
@@ -1638,44 +1638,44 @@ class ibendportRecords(semanageRecords):
(rc, exists) = semanage_ibendport_exists(self.sh, k)
if rc < 0:
- raise ValueError(_("Could not check if ibendport %s/%s is defined") % (ibdev_name, port))
+ raise ValueError(_("Could not check if ibendport {ibdev_name}/{port} is defined").format(ibdev_name=ibdev_name, port=port))
if exists:
- raise ValueError(_("ibendport %s/%s already defined") % (ibdev_name, port))
+ raise ValueError(_("ibendport {ibdev_name}/{port} already defined").format(ibdev_name=ibdev_name, port=port))
(rc, p) = semanage_ibendport_create(self.sh)
if rc < 0:
- raise ValueError(_("Could not create ibendport for %s/%s") % (ibdev_name, port))
+ raise ValueError(_("Could not create ibendport for {ibdev_name}/{port}").format(ibdev_name=ibdev_name, port=port))
semanage_ibendport_set_ibdev_name(self.sh, p, ibdev_name)
semanage_ibendport_set_port(p, port)
(rc, con) = semanage_context_create(self.sh)
if rc < 0:
- raise ValueError(_("Could not create context for %s/%s") % (ibdev_name, port))
+ raise ValueError(_("Could not create context for {ibendport}/{port}").format(ibdev_name=ibdev_name, port=port))
rc = semanage_context_set_user(self.sh, con, "system_u")
if rc < 0:
- raise ValueError(_("Could not set user in ibendport context for %s/%s") % (ibdev_name, port))
+ raise ValueError(_("Could not set user in ibendport context for {ibdev_name}/{port}").format(ibdev_name=ibdev_name, port=port))
rc = semanage_context_set_role(self.sh, con, "object_r")
if rc < 0:
- raise ValueError(_("Could not set role in ibendport context for %s/%s") % (ibdev_name, port))
+ raise ValueError(_("Could not set role in ibendport context for {ibdev_name}/{port}").format(ibdev_name=ibdev_name, port=port))
rc = semanage_context_set_type(self.sh, con, type)
if rc < 0:
- raise ValueError(_("Could not set type in ibendport context for %s/%s") % (ibdev_name, port))
+ raise ValueError(_("Could not set type in ibendport context for {ibdev_name}/{port}").format(ibdev_name=ibdev_name, port=port))
if (is_mls_enabled == 1) and (serange != ""):
rc = semanage_context_set_mls(self.sh, con, serange)
if rc < 0:
- raise ValueError(_("Could not set mls fields in ibendport context for %s/%s") % (ibdev_name, port))
+ raise ValueError(_("Could not set mls fields in ibendport context for {ibdev_name}/{port}").format(ibdev_name=ibdev_name, port=port))
rc = semanage_ibendport_set_con(self.sh, p, con)
if rc < 0:
- raise ValueError(_("Could not set ibendport context for %s/%s") % (ibdev_name, port))
+ raise ValueError(_("Could not set ibendport context for {ibdev_name}/{port}").format(ibdev_name=ibdev_name, port=port))
rc = semanage_ibendport_modify_local(self.sh, k, p)
if rc < 0:
- raise ValueError(_("Could not add ibendport %s/%s") % (ibdev_name, port))
+ raise ValueError(_("Could not add ibendport {ibdev_name}/{port}").format(ibdev_name=ibdev_name, port=port))
semanage_context_free(con)
semanage_ibendport_key_free(k)
@@ -1702,13 +1702,13 @@ class ibendportRecords(semanageRecords):
(rc, exists) = semanage_ibendport_exists(self.sh, k)
if rc < 0:
- raise ValueError(_("Could not check if ibendport %s/%s is defined") % (ibdev_name, ibendport))
+ raise ValueError(_("Could not check if ibendport {ibdev_name}/{ibendport} is defined").format(ibdev_name=ibdev_name, ibendport=ibendport))
if not exists:
- raise ValueError(_("ibendport %s/%s is not defined") % (ibdev_name, ibendport))
+ raise ValueError(_("ibendport {ibdev_name}/{ibendport} is not defined").format(ibdev_name=ibdev_name, ibendport=ibendport))
(rc, p) = semanage_ibendport_query(self.sh, k)
if rc < 0:
- raise ValueError(_("Could not query ibendport %s/%s") % (ibdev_name, ibendport))
+ raise ValueError(_("Could not query ibendport {ibdev_name}/{ibendport}").format(ibdev_name=ibdev_name, ibendport=ibendport))
con = semanage_ibendport_get_con(p)
@@ -1719,7 +1719,7 @@ class ibendportRecords(semanageRecords):
rc = semanage_ibendport_modify_local(self.sh, k, p)
if rc < 0:
- raise ValueError(_("Could not modify ibendport %s/%s") % (ibdev_name, ibendport))
+ raise ValueError(_("Could not modify ibendport {ibdev_name}/{ibendport}").format(ibdev_name=ibdev_name, ibendport=ibendport))
semanage_ibendport_key_free(k)
semanage_ibendport_free(p)
@@ -1741,11 +1741,11 @@ class ibendportRecords(semanageRecords):
port = semanage_ibendport_get_port(ibendport)
(k, ibdev_name, port) = self.__genkey(str(port), ibdev_name)
if rc < 0:
- raise ValueError(_("Could not create a key for %s/%d") % (ibdevname, port))
+ raise ValueError(_("Could not create a key for {ibdev_name}/{port}").format(ibdev_name=ibdev_name, port=port))
rc = semanage_ibendport_del_local(self.sh, k)
if rc < 0:
- raise ValueError(_("Could not delete the ibendport %s/%d") % (ibdev_name, port))
+ raise ValueError(_("Could not delete the ibendport {ibdev_name}/{port}").format(ibdev_name=ibdev_name, port=port))
semanage_ibendport_key_free(k)
self.commit()
@@ -1754,19 +1754,19 @@ class ibendportRecords(semanageRecords):
(k, ibdev_name, port) = self.__genkey(ibendport, ibdev_name)
(rc, exists) = semanage_ibendport_exists(self.sh, k)
if rc < 0:
- raise ValueError(_("Could not check if ibendport %s/%s is defined") % (ibdev_name, ibendport))
+ raise ValueError(_("Could not check if ibendport {ibdev_name}/{ibendport} is defined").format(ibdev_name=ibdev_name, ibendport=ibendport))
if not exists:
- raise ValueError(_("ibendport %s/%s is not defined") % (ibdev_name, ibendport))
+ raise ValueError(_("ibendport {ibdev_name}/{ibendport} is not defined").format(ibdev_name=ibdev_name, ibendport=ibendport))
(rc, exists) = semanage_ibendport_exists_local(self.sh, k)
if rc < 0:
- raise ValueError(_("Could not check if ibendport %s/%s is defined") % (ibdev_name, ibendport))
+ raise ValueError(_("Could not check if ibendport {ibdev_name}/{ibendport} is defined").format(ibdev_name=ibdev_name, ibendport=ibendport))
if not exists:
- raise ValueError(_("ibendport %s/%s is defined in policy, cannot be deleted") % (ibdev_name, ibendport))
+ raise ValueError(_("ibendport {ibdev_name}/{ibendport} is defined in policy, cannot be deleted").format(ibdev_name=ibdev_name, ibendport=ibendport))
rc = semanage_ibendport_del_local(self.sh, k)
if rc < 0:
- raise ValueError(_("Could not delete ibendport %s/%s") % (ibdev_name, ibendport))
+ raise ValueError(_("Could not delete ibendport {ibdev_name}/{ibendport}").format(ibdev_name=ibdev_name, ibendport=ibendport))
semanage_ibendport_key_free(k)
@@ -2765,7 +2765,7 @@ class booleanRecords(semanageRecords):
try:
boolname, val = b.split("=")
except ValueError:
- raise ValueError(_("Bad format %s: Record %s" % (name, b)))
+ raise ValueError(_("Bad format {filename}: Record {record}").format(filename=name, record=b))
self.__mod(boolname.strip(), val.strip())
fd.close()
else:
--
2.41.0

24
SOURCES/0018-semodule-utils-Fix-RESOURCE_LEAK-coverity-scan-defec.patch
Unescape View File

@ -0,0 +1,24 @@
From f8602180d042e95947fe0bbd35d261771b347705 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Thu, 8 Nov 2018 09:20:58 +0100
Subject: [PATCH] semodule-utils: Fix RESOURCE_LEAK coverity scan defects
---
semodule-utils/semodule_package/semodule_package.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/semodule-utils/semodule_package/semodule_package.c b/semodule-utils/semodule_package/semodule_package.c
index 3515234e..7b75b3fd 100644
--- a/semodule-utils/semodule_package/semodule_package.c
+++ b/semodule-utils/semodule_package/semodule_package.c
@@ -74,6 +74,7 @@ static int file_to_data(const char *path, char **data, size_t * len)
}
if (!sb.st_size) {
*len = 0;
+ close(fd);
return 0;
}
--
2.21.0

148
SOURCES/0019-python-Drop-hard-formating-from-localized-strings.patch
Unescape View File

@ -1,148 +0,0 @@
From 9001fe7d0d4007b5dac28422f46a9a605efefc0a Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <lautrbach@redhat.com>
Date: Wed, 17 May 2023 12:18:54 +0200
Subject: [PATCH] python: Drop hard formating from localized strings
Content-type: text/plain
It confuses translators and new lines are dropped by parser module anyway.
Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>
---
python/audit2allow/audit2allow | 14 ++++++--
python/semanage/semanage | 60 +++++++++++++---------------------
2 files changed, 34 insertions(+), 40 deletions(-)
diff --git a/python/audit2allow/audit2allow b/python/audit2allow/audit2allow
index 5587a2dbb006..35b0b151ac86 100644
--- a/python/audit2allow/audit2allow
+++ b/python/audit2allow/audit2allow
@@ -234,9 +234,17 @@ class AuditToPolicy:
print(e)
sys.exit(1)
- sys.stdout.write(_("******************** IMPORTANT ***********************\n"))
- sys.stdout.write((_("To make this policy package active, execute:" +
- "\n\nsemodule -i %s\n\n") % packagename))
+ sys.stdout.write(
+"""******************** {important} ***********************
+{text}
+
+semodule -i {packagename}
+
+""".format(
+ important=_("IMPORTANT"),
+ text=_("To make this policy package active, execute:"),
+ packagename=packagename
+))
def __output_audit2why(self):
import selinux
diff --git a/python/semanage/semanage b/python/semanage/semanage
index e0bd98a95c77..4fdb490f7df4 100644
--- a/python/semanage/semanage
+++ b/python/semanage/semanage
@@ -238,30 +238,22 @@ def parser_add_level(parser, name):
def parser_add_range(parser, name):
- parser.add_argument('-r', '--range', default='',
- help=_('''
-MLS/MCS Security Range (MLS/MCS Systems only)
-SELinux Range for SELinux login mapping
-defaults to the SELinux user record range.
-SELinux Range for SELinux user defaults to s0.
-'''))
+ parser.add_argument('-r', '--range', default='', help=_(
+ "MLS/MCS Security Range (MLS/MCS Systems only) SELinux Range for SELinux login mapping defaults to the SELinux user record range. \
+SELinux Range for SELinux user defaults to s0."
+ ))
def parser_add_proto(parser, name):
- parser.add_argument('-p', '--proto', help=_('''
- Protocol for the specified port (tcp|udp|dccp|sctp) or internet protocol
- version for the specified node (ipv4|ipv6).
-'''))
+ parser.add_argument('-p', '--proto', help=_(
+ "Protocol for the specified port (tcp|udp|dccp|sctp) or internet protocol version for the specified node (ipv4|ipv6)."
+ ))
def parser_add_subnet_prefix(parser, name):
- parser.add_argument('-x', '--subnet_prefix', help=_('''
- Subnet prefix for the specified infiniband ibpkey.
-'''))
+ parser.add_argument('-x', '--subnet_prefix', help=_('Subnet prefix for the specified infiniband ibpkey.'))
def parser_add_ibdev_name(parser, name):
- parser.add_argument('-z', '--ibdev_name', help=_('''
- Name for the specified infiniband end port.
-'''))
+ parser.add_argument('-z', '--ibdev_name', help=_("Name for the specified infiniband end port."))
def parser_add_modify(parser, name):
parser.add_argument('-m', '--modify', dest='action', action='store_const', const='modify', help=_("Modify a record of the %s object type") % name)
@@ -348,15 +340,6 @@ def handleFcontext(args):
def setupFcontextParser(subparsers):
- ftype_help = '''
-File Type. This is used with fcontext. Requires a file type
-as shown in the mode field by ls, e.g. use d to match only
-directories or f to match only regular files. The following
-file type options can be passed:
-f (regular file),d (directory),c (character device),
-b (block device),s (socket),l (symbolic link),p (named pipe)
-If you do not specify a file type, the file type will default to "all files".
-'''
generate_usage = generate_custom_usage(usage_fcontext, usage_fcontext_dict)
fcontextParser = subparsers.add_parser('fcontext', usage=generate_usage, help=_("Manage file context mapping definitions"))
parser_add_locallist(fcontextParser, "fcontext")
@@ -372,11 +355,16 @@ If you do not specify a file type, the file type will default to "all files".
parser_add_extract(fcontext_action, "fcontext")
parser_add_deleteall(fcontext_action, "fcontext")
- fcontextParser.add_argument('-e', '--equal', help=_('''Substitute target path with sourcepath when generating default
- label. This is used with fcontext. Requires source and target
- path arguments. The context labeling for the target subtree is
- made equivalent to that defined for the source.'''))
- fcontextParser.add_argument('-f', '--ftype', default="", choices=["a", "f", "d", "c", "b", "s", "l", "p"], help=_(ftype_help))
+ fcontextParser.add_argument('-e', '--equal', help=_(
+ 'Substitute target path with sourcepath when generating default label. This is used with fcontext. Requires source and target \
+path arguments. The context labeling for the target subtree is made equivalent to that defined for the source.'
+ ))
+ fcontextParser.add_argument('-f', '--ftype', default="", choices=["a", "f", "d", "c", "b", "s", "l", "p"], help=_(
+ 'File Type. This is used with fcontext. Requires a file type as shown in the mode field by ls, e.g. use d to match only \
+directories or f to match only regular files. The following file type options can be passed: f (regular file), d (directory), \
+c (character device), b (block device), s (socket), l (symbolic link), p (named pipe). \
+If you do not specify a file type, the file type will default to "all files".'
+ ))
parser_add_seuser(fcontextParser, "fcontext")
parser_add_type(fcontextParser, "fcontext")
parser_add_range(fcontextParser, "fcontext")
@@ -426,9 +414,7 @@ def setupUserParser(subparsers):
parser_add_range(userParser, "user")
userParser.add_argument('-R', '--roles', default=[],
action=CheckRole,
- help=_('''
-SELinux Roles. You must enclose multiple roles within quotes, separate by spaces. Or specify -R multiple times.
-'''))
+ help=_("SELinux Roles. You must enclose multiple roles within quotes, separate by spaces. Or specify -R multiple times."))
userParser.add_argument('-P', '--prefix', default="user", help=argparse.SUPPRESS)
userParser.add_argument('selinux_name', nargs='?', default=None, help=_('selinux_name'))
userParser.set_defaults(func=handleUser)
@@ -901,9 +887,9 @@ def setupImportParser(subparsers):
def createCommandParser():
commandParser = seParser(prog='semanage',
formatter_class=argparse.ArgumentDefaultsHelpFormatter,
- description='''semanage is used to configure certain elements
- of SELinux policy with-out requiring modification
- to or recompilation from policy source.''')
+ description=_(
+ "semanage is used to configure certain elements of SELinux policy with-out requiring modification or recompilation from policy source."
+ ))
#To add a new subcommand define the parser for it in a function above and call it here.
subparsers = commandParser.add_subparsers(dest='subcommand')
--
2.41.0

17
SOURCES/0006-sandbox-Use-matchbox-window-manager-instead-of-openb.patch → SOURCES/0019-sandbox-Use-matchbox-window-manager-instead-of-openb.patch
Unescape View File

@ -1,8 +1,7 @@
From f4b78eeb59ae1ef4b5926c004debce04ee28dfe7 Mon Sep 17 00:00:00 2001
From 89895635ae012d1864a03700054ecc723973b5c0 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Wed, 18 Jul 2018 09:09:35 +0200
Subject: [PATCH] sandbox: Use matchbox-window-manager instead of openbox
Content-type: text/plain
---
sandbox/sandbox | 4 ++--
@ -11,10 +10,10 @@ Content-type: text/plain
3 files changed, 3 insertions(+), 17 deletions(-)
diff --git a/sandbox/sandbox b/sandbox/sandbox
index a2762a7d215a..a32a33ea3cf6 100644
index a12403b3..707959a6 100644
--- a/sandbox/sandbox
+++ b/sandbox/sandbox
@@ -270,7 +270,7 @@ class Sandbox:
@@ -268,7 +268,7 @@ class Sandbox:
copyfile(f, "/tmp", self.__tmpdir)
copyfile(f, "/var/tmp", self.__tmpdir)
@ -23,7 +22,7 @@ index a2762a7d215a..a32a33ea3cf6 100644
execfile = self.__homedir + "/.sandboxrc"
fd = open(execfile, "w+")
if self.__options.session:
@@ -369,7 +369,7 @@ sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [-
@@ -362,7 +362,7 @@ sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [-
parser.add_option("-W", "--windowmanager", dest="wm",
type="string",
@ -33,10 +32,10 @@ index a2762a7d215a..a32a33ea3cf6 100644
parser.add_option("-l", "--level", dest="level",
diff --git a/sandbox/sandbox.8 b/sandbox/sandbox.8
index 1ee0ecea96d1..775e4b231204 100644
index d83fee76..90ef4951 100644
--- a/sandbox/sandbox.8
+++ b/sandbox/sandbox.8
@@ -80,7 +80,7 @@ Specifies the windowsize when creating an X based Sandbox. The default windowsiz
@@ -77,7 +77,7 @@ Specifies the windowsize when creating an X based Sandbox. The default windowsiz
\fB\-W\fR \fB\-\-windowmanager\fR
Select alternative window manager to run within
.B sandbox \-X.
@ -46,7 +45,7 @@ index 1ee0ecea96d1..775e4b231204 100644
\fB\-X\fR
Create an X based Sandbox for gui apps, temporary files for
diff --git a/sandbox/sandboxX.sh b/sandbox/sandboxX.sh
index 4774528027ef..c211ebc14549 100644
index 47745280..c211ebc1 100644
--- a/sandbox/sandboxX.sh
+++ b/sandbox/sandboxX.sh
@@ -6,20 +6,6 @@ export TITLE="Sandbox $context -- `grep ^#TITLE: ~/.sandboxrc | /usr/bin/cut -b8
@ -71,5 +70,5 @@ index 4774528027ef..c211ebc14549 100644
export DISPLAY=:$D
cat > ~/seremote << __EOF
--
2.39.1
2.21.0

45
SOURCES/0020-python-Use-ipaddress-instead-of-IPy.patch
Unescape View File

@ -0,0 +1,45 @@
From b2512e2a92a33360639a3459039cdf2e685655a8 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Mon, 3 Dec 2018 14:40:09 +0100
Subject: [PATCH] python: Use ipaddress instead of IPy
ipaddress module was added in python 3.3 and this allows us to drop python3-IPy
---
python/semanage/seobject.py | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/python/semanage/seobject.py b/python/semanage/seobject.py
index b90b1070..58497e3b 100644
--- a/python/semanage/seobject.py
+++ b/python/semanage/seobject.py
@@ -32,7 +32,7 @@ from semanage import *
PROGNAME = "selinux-python"
import sepolicy
import setools
-from IPy import IP
+import ipaddress
try:
import gettext
@@ -1851,13 +1851,13 @@ class nodeRecords(semanageRecords):
# verify valid comination
if len(mask) == 0 or mask[0] == "/":
- i = IP(addr + mask)
- newaddr = i.strNormal(0)
- newmask = str(i.netmask())
- if newmask == "0.0.0.0" and i.version() == 6:
+ i = ipaddress.ip_network(addr + mask)
+ newaddr = str(i.network_address)
+ newmask = str(i.netmask)
+ if newmask == "0.0.0.0" and i.version == 6:
newmask = "::"
- protocol = "ipv%d" % i.version()
+ protocol = "ipv%d" % i.version
try:
newprotocol = self.protocol.index(protocol)
--
2.21.0

32
SOURCES/0020-semanage-Drop-unnecessary-import-from-seobject.patch
Unescape View File

@ -1,32 +0,0 @@
From 0387db55278c10e04a7a507d2e1a6d028d5de0bf Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <lautrbach@redhat.com>
Date: Wed, 17 May 2023 13:09:58 +0200
Subject: [PATCH] semanage: Drop unnecessary import from seobject
Content-type: text/plain
sepolgen.module is not used for permissive domains
Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>
---
python/semanage/seobject.py | 5 -----
1 file changed, 5 deletions(-)
diff --git a/python/semanage/seobject.py b/python/semanage/seobject.py
index 2b1eb44ce8a3..361205d11c10 100644
--- a/python/semanage/seobject.py
+++ b/python/semanage/seobject.py
@@ -504,11 +504,6 @@ class permissiveRecords(semanageRecords):
print(t)
def add(self, type):
- try:
- import sepolgen.module as module
- except ImportError:
- raise ValueError(_("The sepolgen python module is required to setup permissive domains.\nIn some distributions it is included in the policycoreutils-devel package.\n# yum install policycoreutils-devel\nOr similar for your distro."))
-
name = "permissive_%s" % type
modtxt = "(typepermissive %s)" % type
--
2.41.0

93
SOURCES/0021-python-semanage-Do-not-traceback-when-the-default-po.patch
Unescape View File

@ -0,0 +1,93 @@
From 5938d18536f4c0a76521d1f0721e981e6570b012 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Thu, 4 Apr 2019 23:02:56 +0200
Subject: [PATCH] python/semanage: Do not traceback when the default policy is
not available
"import seobject" causes "import sepolicy" which crashes when the system policy
is not available. It's better to provide an error message instead.
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
---
python/semanage/semanage | 37 +++++++++++++++++++++----------------
1 file changed, 21 insertions(+), 16 deletions(-)
diff --git a/python/semanage/semanage b/python/semanage/semanage
index 56db3e0d..4c766ae3 100644
--- a/python/semanage/semanage
+++ b/python/semanage/semanage
@@ -25,7 +25,6 @@
import traceback
import argparse
-import seobject
import sys
PROGNAME = "selinux-python"
try:
@@ -129,21 +128,6 @@ class SetImportFile(argparse.Action):
sys.exit(1)
setattr(namespace, self.dest, values)
-# define dictonary for seobject OBEJCTS
-object_dict = {
- 'login': seobject.loginRecords,
- 'user': seobject.seluserRecords,
- 'port': seobject.portRecords,
- 'module': seobject.moduleRecords,
- 'interface': seobject.interfaceRecords,
- 'node': seobject.nodeRecords,
- 'fcontext': seobject.fcontextRecords,
- 'boolean': seobject.booleanRecords,
- 'permissive': seobject.permissiveRecords,
- 'dontaudit': seobject.dontauditClass,
- 'ibpkey': seobject.ibpkeyRecords,
- 'ibendport': seobject.ibendportRecords
-}
def generate_custom_usage(usage_text, usage_dict):
# generate custom usage from given text and dictonary
@@ -608,6 +592,7 @@ def setupInterfaceParser(subparsers):
def handleModule(args):
+ import seobject
OBJECT = seobject.moduleRecords(args)
if args.action_add:
OBJECT.add(args.action_add[0], args.priority)
@@ -846,6 +831,7 @@ def mkargv(line):
def handleImport(args):
+ import seobject
trans = seobject.semanageRecords(args)
trans.start()
@@ -887,6 +873,25 @@ def createCommandParser():
#To add a new subcommand define the parser for it in a function above and call it here.
subparsers = commandParser.add_subparsers(dest='subcommand')
subparsers.required = True
+
+ import seobject
+ # define dictonary for seobject OBEJCTS
+ global object_dict
+ object_dict = {
+ 'login': seobject.loginRecords,
+ 'user': seobject.seluserRecords,
+ 'port': seobject.portRecords,
+ 'module': seobject.moduleRecords,
+ 'interface': seobject.interfaceRecords,
+ 'node': seobject.nodeRecords,
+ 'fcontext': seobject.fcontextRecords,
+ 'boolean': seobject.booleanRecords,
+ 'permissive': seobject.permissiveRecords,
+ 'dontaudit': seobject.dontauditClass,
+ 'ibpkey': seobject.ibpkeyRecords,
+ 'ibendport': seobject.ibendportRecords
+ }
+
setupImportParser(subparsers)
setupExportParser(subparsers)
setupLoginParser(subparsers)
--
2.21.0

2009
SOURCES/0021-python-update-python.pot.patch
View File

File diff suppressed because it is too large Load Diff

108
SOURCES/0022-policycoreutils-fixfiles-Fix-B-F-onboot.patch
Unescape View File

@ -0,0 +1,108 @@
From 99582e3bf63475b7af5793bb9230e88d847dc7c8 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Tue, 2 Jul 2019 17:11:32 +0200
Subject: [PATCH] policycoreutils/fixfiles: Fix [-B] [-F] onboot
Commit 6e289bb7bf3d ("policycoreutils: fixfiles: remove bad modes of "relabel"
command") added "$RESTORE_MODE" != DEFAULT test when onboot is used. It makes
`fixfiles -B onboot` to show usage instead of updating /.autorelabel
The code is restructured to handle -B for different modes correctly.
Fixes:
# fixfiles -B onboot
Usage: /usr/sbin/fixfiles [-v] [-F] [-f] relabel
...
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
---
policycoreutils/scripts/fixfiles | 29 +++++++++++++++--------------
1 file changed, 15 insertions(+), 14 deletions(-)
diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles
index 53d28c7b..9dd44213 100755
--- a/policycoreutils/scripts/fixfiles
+++ b/policycoreutils/scripts/fixfiles
@@ -112,7 +112,7 @@ VERBOSE="-p"
FORCEFLAG=""
RPMFILES=""
PREFC=""
-RESTORE_MODE="DEFAULT"
+RESTORE_MODE=""
SETFILES=/sbin/setfiles
RESTORECON=/sbin/restorecon
FILESYSTEMSRW=`get_rw_labeled_mounts`
@@ -214,16 +214,17 @@ restore () {
OPTION=$1
shift
-case "$RESTORE_MODE" in
- PREFC)
- diff_filecontext $*
- return
- ;;
- BOOTTIME)
+# [-B | -N time ]
+if [ -z "$BOOTTIME" ]; then
newer $BOOTTIME $*
return
- ;;
-esac
+fi
+
+# -C PREVIOUS_FILECONTEXT
+if [ "$RESTORE_MODE" == PREFC ]; then
+ diff_filecontext $*
+ return
+fi
[ -x /usr/sbin/genhomedircon ] && /usr/sbin/genhomedircon
@@ -239,7 +240,7 @@ case "$RESTORE_MODE" in
FILEPATH)
${RESTORECON} ${VERBOSE} ${EXCLUDEDIRS} ${FORCEFLAG} $* -R -- "$FILEPATH"
;;
- DEFAULT)
+ *)
if [ -n "${FILESYSTEMSRW}" ]; then
LogReadOnly
echo "${OPTION}ing `echo ${FILESYSTEMSRW}`"
@@ -272,7 +273,7 @@ fullrelabel() {
relabel() {
- if [ "$RESTORE_MODE" != DEFAULT ]; then
+ if [ -n "$RESTORE_MODE" -a "$RESTORE_MODE" != DEFAULT ]; then
usage
exit 1
fi
@@ -306,7 +307,7 @@ case "$1" in
verify) restore Verify -n;;
relabel) relabel;;
onboot)
- if [ "$RESTORE_MODE" != DEFAULT ]; then
+ if [ -n "$RESTORE_MODE" -a "$RESTORE_MODE" != DEFAULT ]; then
usage
exit 1
fi
@@ -344,7 +345,7 @@ if [ $# -eq 0 ]; then
fi
set_restore_mode() {
- if [ "$RESTORE_MODE" != DEFAULT ]; then
+ if [ -n "$RESTORE_MODE" ]; then
# can't specify two different modes
usage
exit 1
@@ -357,7 +358,7 @@ while getopts "N:BC:FfR:l:v" i; do
case "$i" in
B)
BOOTTIME=`/bin/who -b | awk '{print $3}'`
- set_restore_mode BOOTTIME
+ set_restore_mode DEFAULT
;;
N)
BOOTTIME=$OPTARG
--
2.21.0

33
SOURCES/0023-policycoreutils-fixfiles-Force-full-relabel-when-SEL.patch
Unescape View File

@ -0,0 +1,33 @@
From 9bcf8ad7b9b6d8d761f7d097196b2b9bc114fa0a Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Tue, 2 Jul 2019 17:12:07 +0200
Subject: [PATCH] policycoreutils/fixfiles: Force full relabel when SELinux is
disabled
The previous check used getfilecon to check whether / slash contains a label,
but getfilecon fails only when SELinux is disabled. Therefore it's better to
check this using selinuxenabled.
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
---
policycoreutils/scripts/fixfiles | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles
index 9dd44213..a9d27d13 100755
--- a/policycoreutils/scripts/fixfiles
+++ b/policycoreutils/scripts/fixfiles
@@ -314,8 +314,8 @@ case "$1" in
> /.autorelabel || exit $?
[ -z "$FORCEFLAG" ] || echo -n "$FORCEFLAG " >> /.autorelabel
[ -z "$BOOTTIME" ] || echo -N $BOOTTIME >> /.autorelabel
- # Force full relabel if / does not have a label on it
- getfilecon / > /dev/null 2>&1 || echo -F >/.autorelabel
+ # Force full relabel if SELinux is not enabled
+ selinuxenabled || echo -F > /.autorelabel
echo "System will relabel on next boot"
;;
*)
--
2.21.0

32
SOURCES/0024-policycoreutils-fixfiles-Fix-unbound-variable-proble.patch
Unescape View File

@ -0,0 +1,32 @@
From 7383f8fbab82826de21d3013a43680867642e49e Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com>
Date: Wed, 21 Aug 2019 17:43:25 +0200
Subject: [PATCH] policycoreutils/fixfiles: Fix unbound variable problem
Fix a typo introduced in commit d3f8b2c3cd909 ("policycoreutils/fixfiles: Fix
[-B] [-F] onboot"), which broke "fixfiles relabel":
#fixfiles relabel
/sbin/fixfiles: line 151: $1: unbound variable
Resolves: rhbz#1743213
---
policycoreutils/scripts/fixfiles | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles
index a9d27d13..df0042aa 100755
--- a/policycoreutils/scripts/fixfiles
+++ b/policycoreutils/scripts/fixfiles
@@ -215,7 +215,7 @@ OPTION=$1
shift
# [-B | -N time ]
-if [ -z "$BOOTTIME" ]; then
+if [ -n "$BOOTTIME" ]; then
newer $BOOTTIME $*
return
fi
--
2.21.0

38
SOURCES/0025-gui-Fix-remove-module-in-system-config-selinux.patch
Unescape View File

@ -0,0 +1,38 @@
From f6c67c02f25d3a8971dcc5667121236fab85dd65 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Thu, 29 Aug 2019 08:58:20 +0200
Subject: [PATCH] gui: Fix remove module in system-config-selinux
When a user tried to remove a policy module with priority other than 400 via
GUI, it failed with a message:
libsemanage.semanage_direct_remove_key: Unable to remove module somemodule at priority 400. (No such file or directory).
This is fixed by calling "semodule -x PRIORITY -r NAME" instead of
"semodule -r NAME".
From Jono Hein <fredwacko40@hotmail.com>
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
---
gui/modulesPage.py | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/gui/modulesPage.py b/gui/modulesPage.py
index 26ac5404..35a0129b 100644
--- a/gui/modulesPage.py
+++ b/gui/modulesPage.py
@@ -125,9 +125,10 @@ class modulesPage(semanagePage):
def delete(self):
store, iter = self.view.get_selection().get_selected()
module = store.get_value(iter, 0)
+ priority = store.get_value(iter, 1)
try:
self.wait()
- status, output = getstatusoutput("semodule -r %s" % module)
+ status, output = getstatusoutput("semodule -X %s -r %s" % (priority, module))
self.ready()
if status != 0:
self.error(output)
--
2.21.0

30
SOURCES/0026-python-semanage-Do-not-use-default-s0-range-in-seman.patch
Unescape View File

@ -0,0 +1,30 @@
From c2e942fc452bff06cc5ed9017afe169c6941f4e4 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Tue, 3 Sep 2019 15:17:27 +0200
Subject: [PATCH] python/semanage: Do not use default s0 range in "semanage
login -a"
Using the "s0" default means that new login mappings are always added with "s0"
range instead of the range of SELinux user.
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
---
python/semanage/semanage | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/python/semanage/semanage b/python/semanage/semanage
index 4c766ae3..fa78afce 100644
--- a/python/semanage/semanage
+++ b/python/semanage/semanage
@@ -221,7 +221,7 @@ def parser_add_level(parser, name):
def parser_add_range(parser, name):
- parser.add_argument('-r', '--range', default="s0",
+ parser.add_argument('-r', '--range', default='',
help=_('''
MLS/MCS Security Range (MLS/MCS Systems only)
SELinux Range for SELinux login mapping
--
2.21.0

33
SOURCES/0027-policycoreutils-fixfiles-Fix-verify-option.patch
Unescape View File

@ -0,0 +1,33 @@
From 4733a594c5df14f64293d19f16498e68dc5e3a98 Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com>
Date: Tue, 24 Sep 2019 08:41:30 +0200
Subject: [PATCH] policycoreutils/fixfiles: Fix "verify" option
"restorecon -n" (used in the "restore" function) has to be used with
"-v" to display the files whose labels would be changed.
Fixes:
Fixfiles verify does not report misslabelled files unless "-v" option is
used.
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
---
policycoreutils/scripts/fixfiles | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles
index df0042aa..be19e56c 100755
--- a/policycoreutils/scripts/fixfiles
+++ b/policycoreutils/scripts/fixfiles
@@ -304,7 +304,7 @@ process() {
case "$1" in
restore) restore Relabel;;
check) VERBOSE="-v"; restore Check -n;;
- verify) restore Verify -n;;
+ verify) VERBOSE="-v"; restore Verify -n;;
relabel) relabel;;
onboot)
if [ -n "$RESTORE_MODE" -a "$RESTORE_MODE" != DEFAULT ]; then
--
2.21.0

102
SOURCES/0028-python-semanage-Improve-handling-of-permissive-state.patch
Unescape View File

@ -0,0 +1,102 @@
From 0803fcb2c014b2cedf8f4d92b80fc382916477ee Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com>
Date: Fri, 27 Sep 2019 16:13:47 +0200
Subject: [PATCH] python/semanage: Improve handling of "permissive" statements
- Add "customized" method to permissiveRecords which is than used for
"semanage permissive --extract" and "semanage export"
- Enable "semanage permissive --deleteall" (already implemented)
- Add "permissive" to the list of modules exported using
"semanage export"
- Update "semanage permissive" man page
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
---
python/semanage/semanage | 11 ++++++++---
python/semanage/semanage-permissive.8 | 8 +++++++-
python/semanage/seobject.py | 3 +++
3 files changed, 18 insertions(+), 4 deletions(-)
diff --git a/python/semanage/semanage b/python/semanage/semanage
index fa78afce..b2bd9df9 100644
--- a/python/semanage/semanage
+++ b/python/semanage/semanage
@@ -722,6 +722,11 @@ def handlePermissive(args):
if args.action == "list":
OBJECT.list(args.noheading)
+ elif args.action == "deleteall":
+ OBJECT.deleteall()
+ elif args.action == "extract":
+ for i in OBJECT.customized():
+ print("permissive %s" % str(i))
elif args.type is not None:
if args.action == "add":
OBJECT.add(args.type)
@@ -737,9 +742,9 @@ def setupPermissiveParser(subparsers):
pgroup = permissiveParser.add_mutually_exclusive_group(required=True)
parser_add_add(pgroup, "permissive")
parser_add_delete(pgroup, "permissive")
+ parser_add_deleteall(pgroup, "permissive")
+ parser_add_extract(pgroup, "permissive")
parser_add_list(pgroup, "permissive")
- #TODO: probably should be also added => need to implement own option handling
- #parser_add_deleteall(pgroup)
parser_add_noheading(permissiveParser, "permissive")
parser_add_noreload(permissiveParser, "permissive")
@@ -763,7 +768,7 @@ def setupDontauditParser(subparsers):
def handleExport(args):
- manageditems = ["boolean", "login", "interface", "user", "port", "node", "fcontext", "module", "ibendport", "ibpkey"]
+ manageditems = ["boolean", "login", "interface", "user", "port", "node", "fcontext", "module", "ibendport", "ibpkey", "permissive"]
for i in manageditems:
print("%s -D" % i)
for i in manageditems:
diff --git a/python/semanage/semanage-permissive.8 b/python/semanage/semanage-permissive.8
index 1999a451..5c3364fa 100644
--- a/python/semanage/semanage-permissive.8
+++ b/python/semanage/semanage-permissive.8
@@ -2,7 +2,7 @@
.SH "NAME"
.B semanage\-permissive \- SELinux Policy Management permissive mapping tool
.SH "SYNOPSIS"
-.B semanage permissive [\-h] (\-a | \-d | \-l) [\-n] [\-N] [\-S STORE] [type]
+.B semanage permissive [\-h] [\-n] [\-N] [\-S STORE] (\-\-add TYPE | \-\-delete TYPE | \-\-deleteall | \-\-extract | \-\-list)
.SH "DESCRIPTION"
semanage is used to configure certain elements of SELinux policy without requiring modification to or recompilation from policy sources. semanage permissive adds or removes a SELinux Policy permissive module.
@@ -18,9 +18,15 @@ Add a record of the specified object type
.I \-d, \-\-delete
Delete a record of the specified object type
.TP
+.I \-D, \-\-deleteall
+Remove all local customizations of permissive domains
+.TP
.I \-l, \-\-list
List records of the specified object type
.TP
+.I \-E, \-\-extract
+Extract customizable commands, for use within a transaction
+.TP
.I \-n, \-\-noheading
Do not print heading when listing the specified object type
.TP
diff --git a/python/semanage/seobject.py b/python/semanage/seobject.py
index 58497e3b..3959abc8 100644
--- a/python/semanage/seobject.py
+++ b/python/semanage/seobject.py
@@ -478,6 +478,9 @@ class permissiveRecords(semanageRecords):
l.append(name.split("permissive_")[1])
return l
+ def customized(self):
+ return ["-a %s" % x for x in sorted(self.get_all())]
+
def list(self, heading=1, locallist=0):
all = [y["name"] for y in [x for x in sepolicy.info(sepolicy.TYPE) if x["permissive"]]]
if len(all) == 0:
--
2.21.0

41
SOURCES/0029-python-semanage-fix-moduleRecords.customized.patch
Unescape View File

@ -0,0 +1,41 @@
From 7cc31c4799dd94ed516a39d853744bd1ffb6dc69 Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com>
Date: Mon, 30 Sep 2019 09:49:04 +0200
Subject: [PATCH] python/semanage: fix moduleRecords.customized()
Return value of "customized" has to be iterable.
Fixes:
"semanage export" with no modules in the system (eg. monolithic policy)
crashes:
Traceback (most recent call last):
File "/usr/sbin/semanage", line 970, in <module>
do_parser()
File "/usr/sbin/semanage", line 949, in do_parser
args.func(args)
File "/usr/sbin/semanage", line 771, in handleExport
for c in OBJECT.customized():
TypeError: 'NoneType' object is not iterable
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
---
python/semanage/seobject.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/python/semanage/seobject.py b/python/semanage/seobject.py
index 3959abc8..16edacaa 100644
--- a/python/semanage/seobject.py
+++ b/python/semanage/seobject.py
@@ -380,7 +380,7 @@ class moduleRecords(semanageRecords):
def customized(self):
all = self.get_all()
if len(all) == 0:
- return
+ return []
return ["-d %s" % x[0] for x in [t for t in all if t[1] == 0]]
def list(self, heading=1, locallist=0):
--
2.21.0

45
SOURCES/0030-python-semanage-Add-support-for-DCCP-and-SCTP-protoc.patch
Unescape View File

@ -0,0 +1,45 @@
From 7cbfcec89a6972f9c700687ed3cef25ff0846461 Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com>
Date: Tue, 8 Oct 2019 14:22:13 +0200
Subject: [PATCH] python/semanage: Add support for DCCP and SCTP protocols
Fixes:
# semanage port -a -p sctp -t port_t 1234
ValueError: Protocol udp or tcp is required
# semanage port -d -p sctp -t port_t 1234
ValueError: Protocol udp or tcp is required
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
---
python/semanage/seobject.py | 14 ++++++++------
1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/python/semanage/seobject.py b/python/semanage/seobject.py
index 16edacaa..70ebfd08 100644
--- a/python/semanage/seobject.py
+++ b/python/semanage/seobject.py
@@ -1058,13 +1058,15 @@ class portRecords(semanageRecords):
pass
def __genkey(self, port, proto):
- if proto == "tcp":
- proto_d = SEMANAGE_PROTO_TCP
+ protocols = {"tcp": SEMANAGE_PROTO_TCP,
+ "udp": SEMANAGE_PROTO_UDP,
+ "sctp": SEMANAGE_PROTO_SCTP,
+ "dccp": SEMANAGE_PROTO_DCCP}
+
+ if proto in protocols.keys():
+ proto_d = protocols[proto]
else:
- if proto == "udp":
- proto_d = SEMANAGE_PROTO_UDP
- else:
- raise ValueError(_("Protocol udp or tcp is required"))
+ raise ValueError(_("Protocol has to be one of udp, tcp, dccp or sctp"))
if port == "":
raise ValueError(_("Port is required"))
--
2.21.0

40
SOURCES/0031-dbus-Fix-FileNotFoundError-in-org.selinux.relabel_on.patch
Unescape View File

@ -0,0 +1,40 @@
From 6e5ccf2dd3329b400b70b7806b9c6128c5c50995 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Fri, 15 Nov 2019 09:15:49 +0100
Subject: [PATCH] dbus: Fix FileNotFoundError in org.selinux.relabel_on_boot
When org.selinux.relabel_on_boot(0) was called twice, it failed with
FileNotFoundError.
Fixes:
$ dbus-send --system --print-reply --dest=org.selinux /org/selinux/object org.selinux.relabel_on_boot int64:1
method return sender=:1.53 -> dest=:1.54 reply_serial=2
$ dbus-send --system --print-reply --dest=org.selinux /org/selinux/object org.selinux.relabel_on_boot int64:0
method return sender=:1.53 -> dest=:1.55 reply_serial=2
$ dbus-send --system --print-reply --dest=org.selinux /org/selinux/object org.selinux.relabel_on_boot int64:0
Error org.freedesktop.DBus.Python.FileNotFoundError: FileNotFoundError: [Errno 2] No such file or directory: '/.autorelabel'
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
---
dbus/selinux_server.py | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/dbus/selinux_server.py b/dbus/selinux_server.py
index b9debc071485..be4f4557a9fa 100644
--- a/dbus/selinux_server.py
+++ b/dbus/selinux_server.py
@@ -85,7 +85,10 @@ class selinux_server(slip.dbus.service.Object):
fd = open("/.autorelabel", "w")
fd.close()
else:
- os.unlink("/.autorelabel")
+ try:
+ os.unlink("/.autorelabel")
+ except FileNotFoundError:
+ pass
def write_selinux_config(self, enforcing=None, policy=None):
path = selinux.selinux_path() + "config"
--
2.23.0

200
SOURCES/0032-restorecond-Fix-redundant-console-log-output-error.patch
Unescape View File

@ -0,0 +1,200 @@
From 76371721bafed56efcb7a83b3fa3285383ede5b7 Mon Sep 17 00:00:00 2001
From: Baichuan Kong <kongbaichuan@huawei.com>
Date: Thu, 14 Nov 2019 10:48:07 +0800
Subject: [PATCH] restorecond: Fix redundant console log output error
When starting restorecond without any option the following redundant
console log is outputed:
/dev/log 100.0%
/var/volatile/run/syslogd.pid 100.0%
...
This is caused by two global variables of same name r_opts. When
executes r_opts = opts in restore_init(), it originally intends
to assign the address of struct r_opts in "restorecond.c" to the
pointer *r_opts in "restore.c".
However, the address is assigned to the struct r_opts and covers
the value of low eight bytes in it. That causes unexpected value
of member varibale 'nochange' and 'verbose' in struct r_opts, thus
affects value of 'restorecon_flags' and executes unexpected operations
when restorecon the files such as the redundant console log output or
file label nochange.
Cause restorecond/restore.c is copied from policycoreutils/setfiles,
which share the same pattern. It also has potential risk to generate
same problems, So fix it in case.
Signed-off-by: Baichuan Kong <kongbaichuan@huawei.com>
(cherry-picked from SElinuxProject
commit ad2208ec220f55877a4d31084be2b4d6413ee082)
Resolves: rhbz#1626468
---
policycoreutils/setfiles/restore.c | 42 ++++++++++++++----------------
restorecond/restore.c | 40 +++++++++++++---------------
2 files changed, 37 insertions(+), 45 deletions(-)
diff --git a/policycoreutils/setfiles/restore.c b/policycoreutils/setfiles/restore.c
index 9dea5656..d3335d1a 100644
--- a/policycoreutils/setfiles/restore.c
+++ b/policycoreutils/setfiles/restore.c
@@ -17,40 +17,37 @@
char **exclude_list;
int exclude_count;
-struct restore_opts *r_opts;
-
void restore_init(struct restore_opts *opts)
{
int rc;
- r_opts = opts;
struct selinux_opt selinux_opts[] = {
- { SELABEL_OPT_VALIDATE, r_opts->selabel_opt_validate },
- { SELABEL_OPT_PATH, r_opts->selabel_opt_path },
- { SELABEL_OPT_DIGEST, r_opts->selabel_opt_digest }
+ { SELABEL_OPT_VALIDATE, opts->selabel_opt_validate },
+ { SELABEL_OPT_PATH, opts->selabel_opt_path },
+ { SELABEL_OPT_DIGEST, opts->selabel_opt_digest }
};
- r_opts->hnd = selabel_open(SELABEL_CTX_FILE, selinux_opts, 3);
- if (!r_opts->hnd) {
- perror(r_opts->selabel_opt_path);
+ opts->hnd = selabel_open(SELABEL_CTX_FILE, selinux_opts, 3);
+ if (!opts->hnd) {
+ perror(opts->selabel_opt_path);
exit(1);
}
- r_opts->restorecon_flags = 0;
- r_opts->restorecon_flags = r_opts->nochange | r_opts->verbose |
- r_opts->progress | r_opts->set_specctx |
- r_opts->add_assoc | r_opts->ignore_digest |
- r_opts->recurse | r_opts->userealpath |
- r_opts->xdev | r_opts->abort_on_error |
- r_opts->syslog_changes | r_opts->log_matches |
- r_opts->ignore_noent | r_opts->ignore_mounts |
- r_opts->mass_relabel;
+ opts->restorecon_flags = 0;
+ opts->restorecon_flags = opts->nochange | opts->verbose |
+ opts->progress | opts->set_specctx |
+ opts->add_assoc | opts->ignore_digest |
+ opts->recurse | opts->userealpath |
+ opts->xdev | opts->abort_on_error |
+ opts->syslog_changes | opts->log_matches |
+ opts->ignore_noent | opts->ignore_mounts |
+ opts->mass_relabel;
/* Use setfiles, restorecon and restorecond own handles */
- selinux_restorecon_set_sehandle(r_opts->hnd);
+ selinux_restorecon_set_sehandle(opts->hnd);
- if (r_opts->rootpath) {
- rc = selinux_restorecon_set_alt_rootpath(r_opts->rootpath);
+ if (opts->rootpath) {
+ rc = selinux_restorecon_set_alt_rootpath(opts->rootpath);
if (rc) {
fprintf(stderr,
"selinux_restorecon_set_alt_rootpath error: %s.\n",
@@ -81,7 +78,6 @@ int process_glob(char *name, struct restore_opts *opts)
size_t i = 0;
int len, rc, errors;
- r_opts = opts;
memset(&globbuf, 0, sizeof(globbuf));
errors = glob(name, GLOB_TILDE | GLOB_PERIOD |
@@ -96,7 +92,7 @@ int process_glob(char *name, struct restore_opts *opts)
if (len > 0 && strcmp(&globbuf.gl_pathv[i][len], "/..") == 0)
continue;
rc = selinux_restorecon(globbuf.gl_pathv[i],
- r_opts->restorecon_flags);
+ opts->restorecon_flags);
if (rc < 0)
errors = rc;
}
diff --git a/restorecond/restore.c b/restorecond/restore.c
index f6e30001..b93b5fdb 100644
--- a/restorecond/restore.c
+++ b/restorecond/restore.c
@@ -12,39 +12,36 @@
char **exclude_list;
int exclude_count;
-struct restore_opts *r_opts;
-
void restore_init(struct restore_opts *opts)
{
int rc;
- r_opts = opts;
struct selinux_opt selinux_opts[] = {
- { SELABEL_OPT_VALIDATE, r_opts->selabel_opt_validate },
- { SELABEL_OPT_PATH, r_opts->selabel_opt_path },
- { SELABEL_OPT_DIGEST, r_opts->selabel_opt_digest }
+ { SELABEL_OPT_VALIDATE, opts->selabel_opt_validate },
+ { SELABEL_OPT_PATH, opts->selabel_opt_path },
+ { SELABEL_OPT_DIGEST, opts->selabel_opt_digest }
};
- r_opts->hnd = selabel_open(SELABEL_CTX_FILE, selinux_opts, 3);
- if (!r_opts->hnd) {
- perror(r_opts->selabel_opt_path);
+ opts->hnd = selabel_open(SELABEL_CTX_FILE, selinux_opts, 3);
+ if (!opts->hnd) {
+ perror(opts->selabel_opt_path);
exit(1);
}
- r_opts->restorecon_flags = 0;
- r_opts->restorecon_flags = r_opts->nochange | r_opts->verbose |
- r_opts->progress | r_opts->set_specctx |
- r_opts->add_assoc | r_opts->ignore_digest |
- r_opts->recurse | r_opts->userealpath |
- r_opts->xdev | r_opts->abort_on_error |
- r_opts->syslog_changes | r_opts->log_matches |
- r_opts->ignore_noent | r_opts->ignore_mounts;
+ opts->restorecon_flags = 0;
+ opts->restorecon_flags = opts->nochange | opts->verbose |
+ opts->progress | opts->set_specctx |
+ opts->add_assoc | opts->ignore_digest |
+ opts->recurse | opts->userealpath |
+ opts->xdev | opts->abort_on_error |
+ opts->syslog_changes | opts->log_matches |
+ opts->ignore_noent | opts->ignore_mounts;
/* Use setfiles, restorecon and restorecond own handles */
- selinux_restorecon_set_sehandle(r_opts->hnd);
+ selinux_restorecon_set_sehandle(opts->hnd);
- if (r_opts->rootpath) {
- rc = selinux_restorecon_set_alt_rootpath(r_opts->rootpath);
+ if (opts->rootpath) {
+ rc = selinux_restorecon_set_alt_rootpath(opts->rootpath);
if (rc) {
fprintf(stderr,
"selinux_restorecon_set_alt_rootpath error: %s.\n",
@@ -75,7 +72,6 @@ int process_glob(char *name, struct restore_opts *opts)
size_t i = 0;
int len, rc, errors;
- r_opts = opts;
memset(&globbuf, 0, sizeof(globbuf));
errors = glob(name, GLOB_TILDE | GLOB_PERIOD |
@@ -90,7 +86,7 @@ int process_glob(char *name, struct restore_opts *opts)
if (len > 0 && strcmp(&globbuf.gl_pathv[i][len], "/..") == 0)
continue;
rc = selinux_restorecon(globbuf.gl_pathv[i],
- r_opts->restorecon_flags);
+ opts->restorecon_flags);
if (rc < 0)
errors = rc;
}
--
2.21.0

55
SOURCES/0033-python-semanage-empty-stdout-before-exiting-on-Broke.patch
Unescape View File

@ -0,0 +1,55 @@
From 0bed778c53a4f93b1b092b3db33e8c36aabfa39d Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com>
Date: Tue, 5 Jan 2021 17:00:21 +0100
Subject: [PATCH] python/semanage: empty stdout before exiting on
BrokenPipeError
Empty stdout buffer before exiting when BrokenPipeError is
encountered. Otherwise python will flush the bufer during exit, which
may trigger the exception again.
https://docs.python.org/3/library/signal.html#note-on-sigpipe
Fixes:
#semanage fcontext -l | egrep -q -e '^/home'
BrokenPipeError: [Errno 32] Broken pipe
Exception ignored in: <_io.TextIOWrapper name='<stdout>' mode='w' encoding='UTF-8'>
BrokenPipeError: [Errno 32] Broken pipe
Note that the error above only appears occasionally (usually only the
first line is printed).
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Acked-by: Nicolas Iooss <nicolas.iooss@m4x.org>
---
python/semanage/semanage | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/python/semanage/semanage b/python/semanage/semanage
index b2bd9df9..1abe3536 100644
--- a/python/semanage/semanage
+++ b/python/semanage/semanage
@@ -26,6 +26,7 @@
import traceback
import argparse
import sys
+import os
PROGNAME = "selinux-python"
try:
import gettext
@@ -953,6 +954,13 @@ def do_parser():
args = commandParser.parse_args(make_args(sys.argv))
args.func(args)
sys.exit(0)
+ except BrokenPipeError as e:
+ sys.stderr.write("%s: %s\n" % (e.__class__.__name__, str(e)))
+ # Python flushes standard streams on exit; redirect remaining output
+ # to devnull to avoid another BrokenPipeError at shutdown
+ devnull = os.open(os.devnull, os.O_WRONLY)
+ os.dup2(devnull, sys.stdout.fileno())
+ sys.exit(1)
except IOError as e:
sys.stderr.write("%s: %s\n" % (e.__class__.__name__, str(e)))
sys.exit(1)
--
2.29.2

41
SOURCES/0034-python-semanage-Sort-imports-in-alphabetical-order.patch
Unescape View File

@ -0,0 +1,41 @@
From 4b0e627d42f9a8e09dcd064a6ae897f4c2e9cf6c Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com>
Date: Wed, 6 Jan 2021 10:00:07 +0100
Subject: [PATCH] python/semanage: Sort imports in alphabetical order
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
---
python/semanage/semanage | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/python/semanage/semanage b/python/semanage/semanage
index 1abe3536..781e8645 100644
--- a/python/semanage/semanage
+++ b/python/semanage/semanage
@@ -23,10 +23,12 @@
#
#
-import traceback
import argparse
-import sys
import os
+import re
+import sys
+import traceback
+
PROGNAME = "selinux-python"
try:
import gettext
@@ -786,8 +788,6 @@ def setupExportParser(subparsers):
exportParser.add_argument('-f', '--output_file', dest='output_file', action=SetExportFile, help=_('Output file'))
exportParser.set_defaults(func=handleExport)
-import re
-
def mkargv(line):
dquote = "\""
--
2.29.2

49
SOURCES/0035-python-sepolgen-allow-any-policy-statement-in-if-n-d.patch
Unescape View File

@ -0,0 +1,49 @@
From e0a1cdb6181bcf3a23fe63b8e67fd5020e81d05e Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com>
Date: Fri, 22 Jan 2021 16:25:52 +0100
Subject: [PATCH] python/sepolgen: allow any policy statement in if(n)def
"ifdef/ifndef" statements can be used to conditionally define
an interface, but this syntax is not recognised by sepolgen-ifgen.
Fix sepolgen-ifgen to allow any policy statement inside an
"ifdef/ifndef" statement.
Fixes:
$ cat <<EOF > i.if
ifndef(`apache_manage_pid_files',`
interface(`apache_manage_pid_files',`
manage_files_pattern($1, httpd_var_run_t, httpd_var_run_t)
')
')
#sepolgen-ifgen --interface=i.if
i.if: Syntax error on line 2 interface [type=INTERFACE]
i.if: Syntax error on line 4 ' [type=SQUOTE]
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
[OM: s/fidef/ifdef/]
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
---
python/sepolgen/src/sepolgen/refparser.py | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/python/sepolgen/src/sepolgen/refparser.py b/python/sepolgen/src/sepolgen/refparser.py
index f506dc3a..5d77e2a3 100644
--- a/python/sepolgen/src/sepolgen/refparser.py
+++ b/python/sepolgen/src/sepolgen/refparser.py
@@ -431,9 +431,9 @@ def p_ifelse(p):
def p_ifdef(p):
- '''ifdef : IFDEF OPAREN TICK IDENTIFIER SQUOTE COMMA TICK interface_stmts SQUOTE CPAREN optional_semi
- | IFNDEF OPAREN TICK IDENTIFIER SQUOTE COMMA TICK interface_stmts SQUOTE CPAREN optional_semi
- | IFDEF OPAREN TICK IDENTIFIER SQUOTE COMMA TICK interface_stmts SQUOTE COMMA TICK interface_stmts SQUOTE CPAREN optional_semi
+ '''ifdef : IFDEF OPAREN TICK IDENTIFIER SQUOTE COMMA TICK statements SQUOTE CPAREN optional_semi
+ | IFNDEF OPAREN TICK IDENTIFIER SQUOTE COMMA TICK statements SQUOTE CPAREN optional_semi
+ | IFDEF OPAREN TICK IDENTIFIER SQUOTE COMMA TICK statements SQUOTE COMMA TICK statements SQUOTE CPAREN optional_semi
'''
x = refpolicy.IfDef(p[4])
if p[1] == 'ifdef':
--
2.29.2

68
SOURCES/0036-setfiles-Do-not-abort-on-labeling-error.patch
Unescape View File

@ -0,0 +1,68 @@
From 53ccdd55adfbec60fb4277286f2ad94660838504 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Wed, 13 Jan 2021 22:09:47 +0100
Subject: [PATCH] setfiles: Do not abort on labeling error
Commit 602347c7422e ("policycoreutils: setfiles - Modify to use
selinux_restorecon") changed behavior of setfiles. Original
implementation skipped files which it couldn't set context to while the
new implementation aborts on them. setfiles should abort only if it
can't validate a context from spec_file.
Reproducer:
# mkdir -p r/1 r/2 r/3
# touch r/1/1 r/2/1
# chattr +i r/2/1
# touch r/3/1
# setfiles -r r -v /etc/selinux/targeted/contexts/files/file_contexts r
Relabeled r from unconfined_u:object_r:mnt_t:s0 to unconfined_u:object_r:root_t:s0
Relabeled r/2 from unconfined_u:object_r:mnt_t:s0 to unconfined_u:object_r:default_t:s0
setfiles: Could not set context for r/2/1: Operation not permitted
r/3 and r/1 are not relabeled.
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
---
policycoreutils/setfiles/setfiles.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/policycoreutils/setfiles/setfiles.c b/policycoreutils/setfiles/setfiles.c
index bc83c27b4c06..68eab45aa2b4 100644
--- a/policycoreutils/setfiles/setfiles.c
+++ b/policycoreutils/setfiles/setfiles.c
@@ -182,6 +182,7 @@ int main(int argc, char **argv)
policyfile = NULL;
nerr = 0;
+ r_opts.abort_on_error = 0;
r_opts.progname = strdup(argv[0]);
if (!r_opts.progname) {
fprintf(stderr, "%s: Out of memory!\n", argv[0]);
@@ -194,7 +195,6 @@ int main(int argc, char **argv)
* setfiles:
* Recursive descent,
* Does not expand paths via realpath,
- * Aborts on errors during the file tree walk,
* Try to track inode associations for conflict detection,
* Does not follow mounts (sets SELINUX_RESTORECON_XDEV),
* Validates all file contexts at init time.
@@ -202,7 +202,6 @@ int main(int argc, char **argv)
iamrestorecon = 0;
r_opts.recurse = SELINUX_RESTORECON_RECURSE;
r_opts.userealpath = 0; /* SELINUX_RESTORECON_REALPATH */
- r_opts.abort_on_error = SELINUX_RESTORECON_ABORT_ON_ERROR;
r_opts.add_assoc = SELINUX_RESTORECON_ADD_ASSOC;
/* FTS_PHYSICAL and FTS_NOCHDIR are always set by selinux_restorecon(3) */
r_opts.xdev = SELINUX_RESTORECON_XDEV;
@@ -226,7 +225,6 @@ int main(int argc, char **argv)
iamrestorecon = 1;
r_opts.recurse = 0;
r_opts.userealpath = SELINUX_RESTORECON_REALPATH;
- r_opts.abort_on_error = 0;
r_opts.add_assoc = 0;
r_opts.xdev = 0;
r_opts.ignore_mounts = 0;
--
2.30.0

110
SOURCES/0037-setfiles-drop-ABORT_ON_ERRORS-and-related-code.patch
Unescape View File

@ -0,0 +1,110 @@
From 2f135022f4372dc34198c48cfd67b91044e6dfd7 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Wed, 13 Jan 2021 22:09:48 +0100
Subject: [PATCH] setfiles: drop ABORT_ON_ERRORS and related code
`setfiles -d` doesn't have any impact on number of errors before it
aborts. It always aborts on first invalid context in spec file.
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
---
policycoreutils/setfiles/Makefile | 3 ---
policycoreutils/setfiles/ru/setfiles.8 | 2 +-
policycoreutils/setfiles/setfiles.8 | 3 +--
policycoreutils/setfiles/setfiles.c | 18 ------------------
4 files changed, 2 insertions(+), 24 deletions(-)
diff --git a/policycoreutils/setfiles/Makefile b/policycoreutils/setfiles/Makefile
index bc5a8db789a5..a3bbbe116b7f 100644
--- a/policycoreutils/setfiles/Makefile
+++ b/policycoreutils/setfiles/Makefile
@@ -5,8 +5,6 @@ SBINDIR ?= /sbin
MANDIR = $(PREFIX)/share/man
AUDITH ?= $(shell test -f /usr/include/libaudit.h && echo y)
-ABORT_ON_ERRORS=$(shell grep "^\#define ABORT_ON_ERRORS" setfiles.c | awk -S '{ print $$3 }')
-
CFLAGS ?= -g -Werror -Wall -W
override LDLIBS += -lselinux -lsepol
@@ -26,7 +24,6 @@ restorecon_xattr: restorecon_xattr.o restore.o
man:
@cp -af setfiles.8 setfiles.8.man
- @sed -i "s/ABORT_ON_ERRORS/$(ABORT_ON_ERRORS)/g" setfiles.8.man
install: all
[ -d $(DESTDIR)$(MANDIR)/man8 ] || mkdir -p $(DESTDIR)$(MANDIR)/man8
diff --git a/policycoreutils/setfiles/ru/setfiles.8 b/policycoreutils/setfiles/ru/setfiles.8
index 27815a3f1eee..910101452625 100644
--- a/policycoreutils/setfiles/ru/setfiles.8
+++ b/policycoreutils/setfiles/ru/setfiles.8
@@ -47,7 +47,7 @@ setfiles \- установить SELinux-контексты безопаснос
проверить действительность контекстов относительно указанной двоичной политики.
.TP
.B \-d
-показать, какая спецификация соответствует каждому из файлов (не прекращать проверку после получения ошибок ABORT_ON_ERRORS).
+показать, какая спецификация соответствует каждому из файлов.
.TP
.BI \-e \ directory
исключить каталог (чтобы исключить более одного каталога, этот параметр необходимо использовать соответствующее количество раз).
diff --git a/policycoreutils/setfiles/setfiles.8 b/policycoreutils/setfiles/setfiles.8
index a8a76c860dac..b7d3cefb96ff 100644
--- a/policycoreutils/setfiles/setfiles.8
+++ b/policycoreutils/setfiles/setfiles.8
@@ -56,8 +56,7 @@ option will force a replacement of the entire context.
check the validity of the contexts against the specified binary policy.
.TP
.B \-d
-show what specification matched each file (do not abort validation
-after ABORT_ON_ERRORS errors). Not affected by "\-q"
+show what specification matched each file. Not affected by "\-q"
.TP
.BI \-e \ directory
directory to exclude (repeat option for more than one directory).
diff --git a/policycoreutils/setfiles/setfiles.c b/policycoreutils/setfiles/setfiles.c
index 68eab45aa2b4..bcbdfbfe53e2 100644
--- a/policycoreutils/setfiles/setfiles.c
+++ b/policycoreutils/setfiles/setfiles.c
@@ -23,14 +23,6 @@ static int nerr;
#define STAT_BLOCK_SIZE 1
-/* setfiles will abort its operation after reaching the
- * following number of errors (e.g. invalid contexts),
- * unless it is used in "debug" mode (-d option).
- */
-#ifndef ABORT_ON_ERRORS
-#define ABORT_ON_ERRORS 10
-#endif
-
#define SETFILES "setfiles"
#define RESTORECON "restorecon"
static int iamrestorecon;
@@ -57,15 +49,6 @@ static __attribute__((__noreturn__)) void usage(const char *const name)
exit(-1);
}
-void inc_err(void)
-{
- nerr++;
- if (nerr > ABORT_ON_ERRORS - 1 && !r_opts.debug) {
- fprintf(stderr, "Exiting after %d errors.\n", ABORT_ON_ERRORS);
- exit(-1);
- }
-}
-
void set_rootpath(const char *arg)
{
if (strlen(arg) == 1 && strncmp(arg, "/", 1) == 0) {
@@ -98,7 +81,6 @@ int canoncon(char **contextp)
*contextp = tmpcon;
} else if (errno != ENOENT) {
rc = -1;
- inc_err();
}
return rc;
--
2.30.0

44
SOURCES/0038-policycoreutils-setfiles-Drop-unused-nerr-variable.patch
Unescape View File

@ -0,0 +1,44 @@
From a691da617a2d3c864786ff2742d9a9f87ecc7d05 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Mon, 1 Feb 2021 15:24:32 +0100
Subject: [PATCH] policycoreutils/setfiles: Drop unused nerr variable
Suggested-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
---
policycoreutils/setfiles/setfiles.c | 5 -----
1 file changed, 5 deletions(-)
diff --git a/policycoreutils/setfiles/setfiles.c b/policycoreutils/setfiles/setfiles.c
index bcbdfbfe53e2..82d0aaa75893 100644
--- a/policycoreutils/setfiles/setfiles.c
+++ b/policycoreutils/setfiles/setfiles.c
@@ -19,7 +19,6 @@ static int warn_no_match;
static int null_terminated;
static int request_digest;
static struct restore_opts r_opts;
-static int nerr;
#define STAT_BLOCK_SIZE 1
@@ -162,7 +161,6 @@ int main(int argc, char **argv)
warn_no_match = 0;
request_digest = 0;
policyfile = NULL;
- nerr = 0;
r_opts.abort_on_error = 0;
r_opts.progname = strdup(argv[0]);
@@ -417,9 +415,6 @@ int main(int argc, char **argv)
r_opts.selabel_opt_digest = (request_digest ? (char *)1 : NULL);
r_opts.selabel_opt_path = altpath;
- if (nerr)
- exit(-1);
-
restore_init(&r_opts);
if (use_input_file) {
--
2.30.0

62
SOURCES/0039-selinux-8-5-Describe-fcontext-regular-expressions.patch
Unescape View File

@ -0,0 +1,62 @@
From c556c6ad0b94cf3ba4b441a1a0930f2468434227 Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com>
Date: Wed, 10 Feb 2021 18:05:29 +0100
Subject: [PATCH] selinux(8,5): Describe fcontext regular expressions
Describe which type of regular expression is used in file context
definitions and which flags are in effect.
Explain how local file context modifications are processed.
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Acked-by: Petr Lautrbach <plautrba@redhat.com>
---
python/semanage/semanage | 2 +-
python/semanage/semanage-fcontext.8 | 18 ++++++++++++++++++
2 files changed, 19 insertions(+), 1 deletion(-)
diff --git a/python/semanage/semanage b/python/semanage/semanage
index 781e8645..ebb93ea5 100644
--- a/python/semanage/semanage
+++ b/python/semanage/semanage
@@ -366,7 +366,7 @@ If you do not specify a file type, the file type will default to "all files".
parser_add_seuser(fcontextParser, "fcontext")
parser_add_type(fcontextParser, "fcontext")
parser_add_range(fcontextParser, "fcontext")
- fcontextParser.add_argument('file_spec', nargs='?', default=None, help=_('file_spec'))
+ fcontextParser.add_argument('file_spec', nargs='?', default=None, help=_('Path to be labeled (may be in the form of a Perl compatible regular expression)'))
fcontextParser.set_defaults(func=handleFcontext)
diff --git a/python/semanage/semanage-fcontext.8 b/python/semanage/semanage-fcontext.8
index 561123af..49635ba7 100644
--- a/python/semanage/semanage-fcontext.8
+++ b/python/semanage/semanage-fcontext.8
@@ -11,6 +11,24 @@ SELinux policy without requiring modification to or recompilation
from policy sources. semanage fcontext is used to manage the default
file system labeling on an SELinux system. This command maps file paths using regular expressions to SELinux labels.
+FILE_SPEC may contain either a fully qualified path,
+or a Perl compatible regular expression (PCRE),
+describing fully qualified path(s). The only PCRE flag in use is PCRE2_DOTALL,
+which causes a wildcard '.' to match anything, including a new line.
+Strings representing paths are processed as bytes (as opposed to Unicode),
+meaning that non-ASCII characters are not matched by a single wildcard.
+
+Note, that file context definitions specified using 'semanage fcontext'
+(i.e. local file context modifications stored in file_contexts.local)
+have higher priority than those specified in policy modules.
+This means that whenever a match for given file path is found in
+file_contexts.local, no other file context definitions are considered.
+Entries in file_contexts.local are processed from most recent one to the oldest,
+with first match being used (as opposed to the most specific match,
+which is used when matching other file context definitions).
+All regular expressions should therefore be as specific as possible,
+to avoid unintentionally impacting other parts of the filesystem.
+
.SH "OPTIONS"
.TP
.I \-h, \-\-help
--
2.29.2

69
SOURCES/0040-policycoreutils-setfiles-do-not-restrict-checks-agai.patch
Unescape View File

@ -0,0 +1,69 @@
From d10e773c014a12b17fefd9caef0bd02528d75d18 Mon Sep 17 00:00:00 2001
From: Antoine Tenart <antoine.tenart@bootlin.com>
Date: Tue, 7 Jul 2020 16:35:01 +0200
Subject: [PATCH] policycoreutils: setfiles: do not restrict checks against a
binary policy
The -c option allows to check the validity of contexts against a
specified binary policy. Its use is restricted: no pathname can be used
when a binary policy is given to setfiles. It's not clear if this is
intentional as the built-in help and the man page are not stating the
same thing about this (the man page document -c as a normal option,
while the built-in help shows it is restricted).
When generating full system images later used with SELinux in enforcing
mode, the extended attributed of files have to be set by the build
machine. The issue is setfiles always checks the contexts against a
policy (ctx_validate = 1) and using an external binary policy is not
currently possible when using a pathname. This ends up in setfiles
failing early as the contexts of the target image are not always
compatible with the ones of the build machine.
This patch reworks a check on optind only made when -c is used, that
enforced the use of a single argument to allow 1+ arguments, allowing to
use setfiles with an external binary policy and pathnames. The following
command is then allowed, as already documented in the man page:
$ setfiles -m -r target/ -c policy.32 file_contexts target/
Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
(cherry-picked from SElinuxProject
commit: c94e542c98da2f26863c1cbd9d7ad9bc5cca6aff )
---
policycoreutils/setfiles/setfiles.c | 11 +++++------
1 file changed, 5 insertions(+), 6 deletions(-)
diff --git a/policycoreutils/setfiles/setfiles.c b/policycoreutils/setfiles/setfiles.c
index 82d0aaa7..4fd3d756 100644
--- a/policycoreutils/setfiles/setfiles.c
+++ b/policycoreutils/setfiles/setfiles.c
@@ -39,11 +39,10 @@ static __attribute__((__noreturn__)) void usage(const char *const name)
name, name);
} else {
fprintf(stderr,
- "usage: %s [-diIDlmnpqvFW] [-e excludedir] [-r alt_root_path] spec_file pathname...\n"
- "usage: %s [-diIDlmnpqvFW] [-e excludedir] [-r alt_root_path] spec_file -f filename\n"
- "usage: %s -s [-diIDlmnpqvFW] spec_file\n"
- "usage: %s -c policyfile spec_file\n",
- name, name, name, name);
+ "usage: %s [-diIDlmnpqvEFW] [-e excludedir] [-r alt_root_path] [-c policyfile] spec_file pathname...\n"
+ "usage: %s [-diIDlmnpqvEFW] [-e excludedir] [-r alt_root_path] [-c policyfile] spec_file -f filename\n"
+ "usage: %s -s [-diIDlmnpqvFW] spec_file\n",
+ name, name, name);
}
exit(-1);
}
@@ -376,7 +375,7 @@ int main(int argc, char **argv)
if (!iamrestorecon) {
if (policyfile) {
- if (optind != (argc - 1))
+ if (optind > (argc - 1))
usage(argv[0]);
} else if (use_input_file) {
if (optind != (argc - 1)) {
--
2.30.2

674
SOURCES/0041-semodule-add-m-checksum-option.patch
Unescape View File

@ -0,0 +1,674 @@
From e748832819b781507903838483376d308c90ca79 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Tue, 16 Nov 2021 14:27:11 +0100
Subject: [PATCH] semodule: add -m | --checksum option
Since cil doesn't store module name and module version in module itself,
there's no simple way how to compare that installed module is the same
version as the module which is supposed to be installed. Even though the
version was not used by semodule itself, it was apparently used by some
team.
With `semodule -l --checksum` users get SHA256 hashes of modules and
could compare them with their files which is faster than installing
modules again and again.
E.g.
# time (
semodule -l --checksum | grep localmodule
/usr/libexec/selinux/hll/pp localmodule.pp | sha256sum
)
localmodule db002f64ddfa3983257b42b54da7b182c9b2e476f47880ae3494f9099e1a42bd
db002f64ddfa3983257b42b54da7b182c9b2e476f47880ae3494f9099e1a42bd -
real 0m0.876s
user 0m0.849s
sys 0m0.028s
vs
# time semodule -i localmodule.pp
real 0m6.147s
user 0m5.800s
sys 0m0.231s
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
---
policycoreutils/semodule/Makefile | 2 +-
policycoreutils/semodule/semodule.8 | 6 +
policycoreutils/semodule/semodule.c | 95 ++++++++-
policycoreutils/semodule/sha256.c | 294 ++++++++++++++++++++++++++++
policycoreutils/semodule/sha256.h | 89 +++++++++
5 files changed, 480 insertions(+), 6 deletions(-)
create mode 100644 policycoreutils/semodule/sha256.c
create mode 100644 policycoreutils/semodule/sha256.h
diff --git a/policycoreutils/semodule/Makefile b/policycoreutils/semodule/Makefile
index 73801e487a76..9875ac383280 100644
--- a/policycoreutils/semodule/Makefile
+++ b/policycoreutils/semodule/Makefile
@@ -6,7 +6,7 @@ MANDIR = $(PREFIX)/share/man
CFLAGS ?= -Werror -Wall -W
override LDLIBS += -lsepol -lselinux -lsemanage
-SEMODULE_OBJS = semodule.o
+SEMODULE_OBJS = semodule.o sha256.o
all: semodule genhomedircon
diff --git a/policycoreutils/semodule/semodule.8 b/policycoreutils/semodule/semodule.8
index 18d4f708661c..3a2fb21c2481 100644
--- a/policycoreutils/semodule/semodule.8
+++ b/policycoreutils/semodule/semodule.8
@@ -95,6 +95,9 @@ only modules listed in \-\-extract after this option.
.B \-H,\-\-hll
Extract module as an HLL file. This only affects the \-\-extract option and
only modules listed in \-\-extract after this option.
+.TP
+.B \-m,\-\-checksum
+Add SHA256 checksum of modules to the list output.
.SH EXAMPLE
.nf
@@ -130,6 +133,9 @@ $ semodule \-B \-S "/tmp/var/lib/selinux"
# Write the HLL version of puppet and the CIL version of wireshark
# modules at priority 400 to the current working directory
$ semodule \-X 400 \-\-hll \-E puppet \-\-cil \-E wireshark
+# Check whether a module in "localmodule.pp" file is same as installed module "localmodule"
+$ /usr/libexec/selinux/hll/pp localmodule.pp | sha256sum
+$ semodule -l -m | grep localmodule
.fi
.SH SEE ALSO
diff --git a/policycoreutils/semodule/semodule.c b/policycoreutils/semodule/semodule.c
index a76797f505cd..300a97d735cc 100644
--- a/policycoreutils/semodule/semodule.c
+++ b/policycoreutils/semodule/semodule.c
@@ -24,6 +24,8 @@
#include <semanage/modules.h>
+#include "sha256.h"
+
enum client_modes {
NO_MODE, INSTALL_M, REMOVE_M, EXTRACT_M, CIL_M, HLL_M,
LIST_M, RELOAD, PRIORITY_M, ENABLE_M, DISABLE_M
@@ -56,6 +58,7 @@ static semanage_handle_t *sh = NULL;
static char *store;
static char *store_root;
int extract_cil = 0;
+static int checksum = 0;
extern char *optarg;
extern int optind;
@@ -146,6 +149,7 @@ static void usage(char *progname)
printf(" -S,--store-path use an alternate path for the policy store root\n");
printf(" -c, --cil extract module as cil. This only affects module extraction.\n");
printf(" -H, --hll extract module as hll. This only affects module extraction.\n");
+ printf(" -m, --checksum print module checksum (SHA256).\n");
}
/* Sets the global mode variable to new_mode, but only if no other
@@ -199,6 +203,7 @@ static void parse_command_line(int argc, char **argv)
{"disable", required_argument, NULL, 'd'},
{"path", required_argument, NULL, 'p'},
{"store-path", required_argument, NULL, 'S'},
+ {"checksum", 0, NULL, 'm'},
{NULL, 0, NULL, 0}
};
int extract_selected = 0;
@@ -209,7 +214,7 @@ static void parse_command_line(int argc, char **argv)
no_reload = 0;
priority = 400;
while ((i =
- getopt_long(argc, argv, "s:b:hi:l::vr:u:RnNBDCPX:e:d:p:S:E:cH", opts,
+ getopt_long(argc, argv, "s:b:hi:l::vr:u:RnNBDCPX:e:d:p:S:E:cHm", opts,
NULL)) != -1) {
switch (i) {
case 'b':
@@ -286,6 +291,9 @@ static void parse_command_line(int argc, char **argv)
case 'd':
set_mode(DISABLE_M, optarg);
break;
+ case 'm':
+ checksum = 1;
+ break;
case '?':
default:{
usage(argv[0]);
@@ -337,6 +345,61 @@ static void parse_command_line(int argc, char **argv)
}
}
+/* Get module checksum */
+static char *hash_module_data(const char *module_name, const int prio) {
+ semanage_module_info_t *extract_info = NULL;
+ semanage_module_key_t *modkey = NULL;
+ Sha256Context context;
+ uint8_t sha256_hash[SHA256_HASH_SIZE];
+ char *sha256_buf = NULL;
+ void *data;
+ size_t data_len = 0, i;
+ int result;
+
+ result = semanage_module_key_create(sh, &modkey);
+ if (result != 0) {
+ goto cleanup_extract;
+ }
+
+ result = semanage_module_key_set_name(sh, modkey, module_name);
+ if (result != 0) {
+ goto cleanup_extract;
+ }
+
+ result = semanage_module_key_set_priority(sh, modkey, prio);
+ if (result != 0) {
+ goto cleanup_extract;
+ }
+
+ result = semanage_module_extract(sh, modkey, 1, &data, &data_len,
+ &extract_info);
+ if (result != 0) {
+ goto cleanup_extract;
+ }
+
+ Sha256Initialise(&context);
+ Sha256Update(&context, data, data_len);
+
+ Sha256Finalise(&context, (SHA256_HASH *)sha256_hash);
+
+ sha256_buf = calloc(1, SHA256_HASH_SIZE * 2 + 1);
+
+ if (sha256_buf == NULL)
+ goto cleanup_extract;
+
+ for (i = 0; i < SHA256_HASH_SIZE; i++) {
+ sprintf((&sha256_buf[i * 2]), "%02x", sha256_hash[i]);
+ }
+ sha256_buf[i * 2] = 0;
+
+cleanup_extract:
+ semanage_module_info_destroy(sh, extract_info);
+ free(extract_info);
+ semanage_module_key_destroy(sh, modkey);
+ free(modkey);
+ return sha256_buf;
+}
+
int main(int argc, char *argv[])
{
int i, commit = 0;
@@ -544,6 +607,8 @@ cleanup_extract:
int modinfos_len = 0;
semanage_module_info_t *m = NULL;
int j = 0;
+ char *module_checksum = NULL;
+ uint16_t pri = 0;
if (verbose) {
printf
@@ -568,7 +633,18 @@ cleanup_extract:
result = semanage_module_info_get_name(sh, m, &name);
if (result != 0) goto cleanup_list;
- printf("%s\n", name);
+ result = semanage_module_info_get_priority(sh, m, &pri);
+ if (result != 0) goto cleanup_list;
+
+ printf("%s", name);
+ if (checksum) {
+ module_checksum = hash_module_data(name, pri);
+ if (module_checksum) {
+ printf(" %s", module_checksum);
+ free(module_checksum);
+ }
+ }
+ printf("\n");
}
}
else if (strcmp(mode_arg, "full") == 0) {
@@ -583,11 +659,12 @@ cleanup_extract:
}
/* calculate column widths */
- size_t column[4] = { 0, 0, 0, 0 };
+ size_t column[5] = { 0, 0, 0, 0, 0 };
/* fixed width columns */
column[0] = sizeof("000") - 1;
column[3] = sizeof("disabled") - 1;
+ column[4] = 64; /* SHA256_HASH_SIZE * 2 */
/* variable width columns */
const char *tmp = NULL;
@@ -610,7 +687,6 @@ cleanup_extract:
/* print out each module */
for (j = 0; j < modinfos_len; j++) {
- uint16_t pri = 0;
const char *name = NULL;
int enabled = 0;
const char *lang_ext = NULL;
@@ -629,11 +705,20 @@ cleanup_extract:
result = semanage_module_info_get_lang_ext(sh, m, &lang_ext);
if (result != 0) goto cleanup_list;
- printf("%0*u %-*s %-*s %-*s\n",
+ printf("%0*u %-*s %-*s %-*s",
(int)column[0], pri,
(int)column[1], name,
(int)column[2], lang_ext,
(int)column[3], enabled ? "" : "disabled");
+ if (checksum) {
+ module_checksum = hash_module_data(name, pri);
+ if (module_checksum) {
+ printf(" %-*s", (int)column[4], module_checksum);
+ free(module_checksum);
+ }
+ }
+ printf("\n");
+
}
}
else {
diff --git a/policycoreutils/semodule/sha256.c b/policycoreutils/semodule/sha256.c
new file mode 100644
index 000000000000..fe2aeef07f53
--- /dev/null
+++ b/policycoreutils/semodule/sha256.c
@@ -0,0 +1,294 @@
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+// WjCryptLib_Sha256
+//
+// Implementation of SHA256 hash function.
+// Original author: Tom St Denis, tomstdenis@gmail.com, http://libtom.org
+// Modified by WaterJuice retaining Public Domain license.
+//
+// This is free and unencumbered software released into the public domain - June 2013 waterjuice.org
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+// IMPORTS
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+
+#include "sha256.h"
+#include <memory.h>
+
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+// MACROS
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+
+#define ror(value, bits) (((value) >> (bits)) | ((value) << (32 - (bits))))
+
+#define MIN(x, y) ( ((x)<(y))?(x):(y) )
+
+#define STORE32H(x, y) \
+ { (y)[0] = (uint8_t)(((x)>>24)&255); (y)[1] = (uint8_t)(((x)>>16)&255); \
+ (y)[2] = (uint8_t)(((x)>>8)&255); (y)[3] = (uint8_t)((x)&255); }
+
+#define LOAD32H(x, y) \
+ { x = ((uint32_t)((y)[0] & 255)<<24) | \
+ ((uint32_t)((y)[1] & 255)<<16) | \
+ ((uint32_t)((y)[2] & 255)<<8) | \
+ ((uint32_t)((y)[3] & 255)); }
+
+#define STORE64H(x, y) \
+ { (y)[0] = (uint8_t)(((x)>>56)&255); (y)[1] = (uint8_t)(((x)>>48)&255); \
+ (y)[2] = (uint8_t)(((x)>>40)&255); (y)[3] = (uint8_t)(((x)>>32)&255); \
+ (y)[4] = (uint8_t)(((x)>>24)&255); (y)[5] = (uint8_t)(((x)>>16)&255); \
+ (y)[6] = (uint8_t)(((x)>>8)&255); (y)[7] = (uint8_t)((x)&255); }
+
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+// CONSTANTS
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+
+// The K array
+static const uint32_t K[64] = {
+ 0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL, 0x3956c25bUL,
+ 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL, 0xd807aa98UL, 0x12835b01UL,
+ 0x243185beUL, 0x550c7dc3UL, 0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL,
+ 0xc19bf174UL, 0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL,
+ 0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL, 0x983e5152UL,
+ 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL, 0xc6e00bf3UL, 0xd5a79147UL,
+ 0x06ca6351UL, 0x14292967UL, 0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL,
+ 0x53380d13UL, 0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,
+ 0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL, 0xd192e819UL,
+ 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL, 0x19a4c116UL, 0x1e376c08UL,
+ 0x2748774cUL, 0x34b0bcb5UL, 0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL,
+ 0x682e6ff3UL, 0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,
+ 0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL
+};
+
+#define BLOCK_SIZE 64
+
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+// INTERNAL FUNCTIONS
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+
+// Various logical functions
+#define Ch( x, y, z ) (z ^ (x & (y ^ z)))
+#define Maj( x, y, z ) (((x | y) & z) | (x & y))
+#define S( x, n ) ror((x),(n))
+#define R( x, n ) (((x)&0xFFFFFFFFUL)>>(n))
+#define Sigma0( x ) (S(x, 2) ^ S(x, 13) ^ S(x, 22))
+#define Sigma1( x ) (S(x, 6) ^ S(x, 11) ^ S(x, 25))
+#define Gamma0( x ) (S(x, 7) ^ S(x, 18) ^ R(x, 3))
+#define Gamma1( x ) (S(x, 17) ^ S(x, 19) ^ R(x, 10))
+
+#define Sha256Round( a, b, c, d, e, f, g, h, i ) \
+ t0 = h + Sigma1(e) + Ch(e, f, g) + K[i] + W[i]; \
+ t1 = Sigma0(a) + Maj(a, b, c); \
+ d += t0; \
+ h = t0 + t1;
+
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+// TransformFunction
+//
+// Compress 512-bits
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+static
+void
+ TransformFunction
+ (
+ Sha256Context* Context,
+ uint8_t const* Buffer
+ )
+{
+ uint32_t S[8];
+ uint32_t W[64];
+ uint32_t t0;
+ uint32_t t1;
+ uint32_t t;
+ int i;
+
+ // Copy state into S
+ for( i=0; i<8; i++ )
+ {
+ S[i] = Context->state[i];
+ }
+
+ // Copy the state into 512-bits into W[0..15]
+ for( i=0; i<16; i++ )
+ {
+ LOAD32H( W[i], Buffer + (4*i) );
+ }
+
+ // Fill W[16..63]
+ for( i=16; i<64; i++ )
+ {
+ W[i] = Gamma1( W[i-2]) + W[i-7] + Gamma0( W[i-15] ) + W[i-16];
+ }
+
+ // Compress
+ for( i=0; i<64; i++ )
+ {
+ Sha256Round( S[0], S[1], S[2], S[3], S[4], S[5], S[6], S[7], i );
+ t = S[7];
+ S[7] = S[6];
+ S[6] = S[5];
+ S[5] = S[4];
+ S[4] = S[3];
+ S[3] = S[2];
+ S[2] = S[1];
+ S[1] = S[0];
+ S[0] = t;
+ }
+
+ // Feedback
+ for( i=0; i<8; i++ )
+ {
+ Context->state[i] = Context->state[i] + S[i];
+ }
+}
+
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+// PUBLIC FUNCTIONS
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+// Sha256Initialise
+//
+// Initialises a SHA256 Context. Use this to initialise/reset a context.
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+void
+ Sha256Initialise
+ (
+ Sha256Context* Context // [out]
+ )
+{
+ Context->curlen = 0;
+ Context->length = 0;
+ Context->state[0] = 0x6A09E667UL;
+ Context->state[1] = 0xBB67AE85UL;
+ Context->state[2] = 0x3C6EF372UL;
+ Context->state[3] = 0xA54FF53AUL;
+ Context->state[4] = 0x510E527FUL;
+ Context->state[5] = 0x9B05688CUL;
+ Context->state[6] = 0x1F83D9ABUL;
+ Context->state[7] = 0x5BE0CD19UL;
+}
+
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+// Sha256Update
+//
+// Adds data to the SHA256 context. This will process the data and update the internal state of the context. Keep on
+// calling this function until all the data has been added. Then call Sha256Finalise to calculate the hash.
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+void
+ Sha256Update
+ (
+ Sha256Context* Context, // [in out]
+ void const* Buffer, // [in]
+ uint32_t BufferSize // [in]
+ )
+{
+ uint32_t n;
+
+ if( Context->curlen > sizeof(Context->buf) )
+ {
+ return;
+ }
+
+ while( BufferSize > 0 )
+ {
+ if( Context->curlen == 0 && BufferSize >= BLOCK_SIZE )
+ {
+ TransformFunction( Context, (uint8_t*)Buffer );
+ Context->length += BLOCK_SIZE * 8;
+ Buffer = (uint8_t*)Buffer + BLOCK_SIZE;
+ BufferSize -= BLOCK_SIZE;
+ }
+ else
+ {
+ n = MIN( BufferSize, (BLOCK_SIZE - Context->curlen) );
+ memcpy( Context->buf + Context->curlen, Buffer, (size_t)n );
+ Context->curlen += n;
+ Buffer = (uint8_t*)Buffer + n;
+ BufferSize -= n;
+ if( Context->curlen == BLOCK_SIZE )
+ {
+ TransformFunction( Context, Context->buf );
+ Context->length += 8*BLOCK_SIZE;
+ Context->curlen = 0;
+ }
+ }
+ }
+}
+
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+// Sha256Finalise
+//
+// Performs the final calculation of the hash and returns the digest (32 byte buffer containing 256bit hash). After
+// calling this, Sha256Initialised must be used to reuse the context.
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+void
+ Sha256Finalise
+ (
+ Sha256Context* Context, // [in out]
+ SHA256_HASH* Digest // [out]
+ )
+{
+ int i;
+
+ if( Context->curlen >= sizeof(Context->buf) )
+ {
+ return;
+ }
+
+ // Increase the length of the message
+ Context->length += Context->curlen * 8;
+
+ // Append the '1' bit
+ Context->buf[Context->curlen++] = (uint8_t)0x80;
+
+ // if the length is currently above 56 bytes we append zeros
+ // then compress. Then we can fall back to padding zeros and length
+ // encoding like normal.
+ if( Context->curlen > 56 )
+ {
+ while( Context->curlen < 64 )
+ {
+ Context->buf[Context->curlen++] = (uint8_t)0;
+ }
+ TransformFunction(Context, Context->buf);
+ Context->curlen = 0;
+ }
+
+ // Pad up to 56 bytes of zeroes
+ while( Context->curlen < 56 )
+ {
+ Context->buf[Context->curlen++] = (uint8_t)0;
+ }
+
+ // Store length
+ STORE64H( Context->length, Context->buf+56 );
+ TransformFunction( Context, Context->buf );
+
+ // Copy output
+ for( i=0; i<8; i++ )
+ {
+ STORE32H( Context->state[i], Digest->bytes+(4*i) );
+ }
+}
+
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+// Sha256Calculate
+//
+// Combines Sha256Initialise, Sha256Update, and Sha256Finalise into one function. Calculates the SHA256 hash of the
+// buffer.
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+void
+ Sha256Calculate
+ (
+ void const* Buffer, // [in]
+ uint32_t BufferSize, // [in]
+ SHA256_HASH* Digest // [in]
+ )
+{
+ Sha256Context context;
+
+ Sha256Initialise( &context );
+ Sha256Update( &context, Buffer, BufferSize );
+ Sha256Finalise( &context, Digest );
+}
diff --git a/policycoreutils/semodule/sha256.h b/policycoreutils/semodule/sha256.h
new file mode 100644
index 000000000000..406ed869cd82
--- /dev/null
+++ b/policycoreutils/semodule/sha256.h
@@ -0,0 +1,89 @@
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+// WjCryptLib_Sha256
+//
+// Implementation of SHA256 hash function.
+// Original author: Tom St Denis, tomstdenis@gmail.com, http://libtom.org
+// Modified by WaterJuice retaining Public Domain license.
+//
+// This is free and unencumbered software released into the public domain - June 2013 waterjuice.org
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+
+#pragma once
+
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+// IMPORTS
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+
+#include <stdint.h>
+#include <stdio.h>
+
+typedef struct
+{
+ uint64_t length;
+ uint32_t state[8];
+ uint32_t curlen;
+ uint8_t buf[64];
+} Sha256Context;
+
+#define SHA256_HASH_SIZE ( 256 / 8 )
+
+typedef struct
+{
+ uint8_t bytes [SHA256_HASH_SIZE];
+} SHA256_HASH;
+
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+// PUBLIC FUNCTIONS
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+// Sha256Initialise
+//
+// Initialises a SHA256 Context. Use this to initialise/reset a context.
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+void
+ Sha256Initialise
+ (
+ Sha256Context* Context // [out]
+ );
+
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+// Sha256Update
+//
+// Adds data to the SHA256 context. This will process the data and update the internal state of the context. Keep on
+// calling this function until all the data has been added. Then call Sha256Finalise to calculate the hash.
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+void
+ Sha256Update
+ (
+ Sha256Context* Context, // [in out]
+ void const* Buffer, // [in]
+ uint32_t BufferSize // [in]
+ );
+
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+// Sha256Finalise
+//
+// Performs the final calculation of the hash and returns the digest (32 byte buffer containing 256bit hash). After
+// calling this, Sha256Initialised must be used to reuse the context.
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+void
+ Sha256Finalise
+ (
+ Sha256Context* Context, // [in out]
+ SHA256_HASH* Digest // [out]
+ );
+
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+// Sha256Calculate
+//
+// Combines Sha256Initialise, Sha256Update, and Sha256Finalise into one function. Calculates the SHA256 hash of the
+// buffer.
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+void
+ Sha256Calculate
+ (
+ void const* Buffer, // [in]
+ uint32_t BufferSize, // [in]
+ SHA256_HASH* Digest // [in]
+ );
--
2.33.1

29
SOURCES/0042-semodule-Fix-lang_ext-column-index.patch
Unescape View File

@ -0,0 +1,29 @@
From 14084bad4f5bcfdb769ba39c9a6f12e4787ab909 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Tue, 16 Nov 2021 16:11:22 +0100
Subject: [PATCH] semodule: Fix lang_ext column index
lang_ext is 3. column - index number 2.
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
---
policycoreutils/semodule/semodule.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policycoreutils/semodule/semodule.c b/policycoreutils/semodule/semodule.c
index 300a97d735cc..c677cc4f1d81 100644
--- a/policycoreutils/semodule/semodule.c
+++ b/policycoreutils/semodule/semodule.c
@@ -682,7 +682,7 @@ cleanup_extract:
if (result != 0) goto cleanup_list;
size = strlen(tmp);
- if (size > column[3]) column[3] = size;
+ if (size > column[2]) column[2] = size;
}
/* print out each module */
--
2.33.1

32
SOURCES/0043-semodule-Don-t-forget-to-munmap-data.patch
Unescape View File

@ -0,0 +1,32 @@
From 61f05b6d26063e1ebdc06609c29a067d44579b41 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Tue, 23 Nov 2021 17:38:51 +0100
Subject: [PATCH] semodule: Don't forget to munmap() data
semanage_module_extract() mmap()'s the module raw data but it leaves on
the caller to munmap() them.
Reported-by: Ondrej Mosnacek <omosnace@redhat.com>
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
---
policycoreutils/semodule/semodule.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/policycoreutils/semodule/semodule.c b/policycoreutils/semodule/semodule.c
index c677cc4f1d81..dc227058b073 100644
--- a/policycoreutils/semodule/semodule.c
+++ b/policycoreutils/semodule/semodule.c
@@ -393,6 +393,9 @@ static char *hash_module_data(const char *module_name, const int prio) {
sha256_buf[i * 2] = 0;
cleanup_extract:
+ if (data_len > 0) {
+ munmap(data, data_len);
+ }
semanage_module_info_destroy(sh, extract_info);
free(extract_info);
semanage_module_key_destroy(sh, modkey);
--
2.33.1

41
SOURCES/0044-policycoreutils-Improve-error-message-when-selabel_o.patch
Unescape View File

@ -0,0 +1,41 @@
From 69da6239d8505a9d6ca547187f71a351df17f157 Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com>
Date: Mon, 10 Jan 2022 18:35:27 +0100
Subject: [PATCH] policycoreutils: Improve error message when selabel_open
fails
When selabel_open fails to locate file_context files and
selabel_opt_path is not specified (e.g. when the policy type is
missconfigured in /etc/selinux/config), perror only prints
"No such file or directory".
This can be confusing in case of "restorecon" since it's
not apparent that the issue is in policy store.
Before:
\# restorecon -v /tmp/foo.txt
No such file or directory
After:
\# restorecon -v /tmp/foo.txt
/etc/selinux/yolo/contexts/files/file_contexts: No such file or directory
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
---
policycoreutils/setfiles/restore.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policycoreutils/setfiles/restore.c b/policycoreutils/setfiles/restore.c
index d3335d1a..ba2668b3 100644
--- a/policycoreutils/setfiles/restore.c
+++ b/policycoreutils/setfiles/restore.c
@@ -29,7 +29,7 @@ void restore_init(struct restore_opts *opts)
opts->hnd = selabel_open(SELABEL_CTX_FILE, selinux_opts, 3);
if (!opts->hnd) {
- perror(opts->selabel_opt_path);
+ perror(opts->selabel_opt_path ? opts->selabel_opt_path : selinux_file_context_path());
exit(1);
}
--
2.30.2

539
SOURCES/0045-semodule-libsemanage-move-module-hashing-into-libsem.patch
Unescape View File

@ -0,0 +1,539 @@
From 066007029b3dd250305d7fac0bfd53aa1e4543cf Mon Sep 17 00:00:00 2001
From: Ondrej Mosnacek <omosnace@redhat.com>
Date: Thu, 3 Feb 2022 17:53:23 +0100
Subject: [PATCH] semodule,libsemanage: move module hashing into libsemanage
The main goal of this move is to have the SHA-256 implementation under
libsemanage, since upcoming patches will make use of SHA-256 for a
different (but similar) purpose in libsemanage. Having the hashing code
in libsemanage will reduce code duplication and allow for easier hash
algorithm upgrade in the future.
Note that libselinux currently also contains a hash function
implementation (for yet another different purpose). This patch doesn't
make any effort to address that duplicity yet.
This patch also changes the format of the hash string printed by
semodule to include the name of the hash. The intent is to avoid
ambiguity and potential collisions when the algorithm is potentially
changed in the future.
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
---
policycoreutils/semodule/Makefile | 2 +-
policycoreutils/semodule/semodule.c | 53 ++---
policycoreutils/semodule/sha256.c | 294 ----------------------------
policycoreutils/semodule/sha256.h | 89 ---------
4 files changed, 17 insertions(+), 421 deletions(-)
delete mode 100644 policycoreutils/semodule/sha256.c
delete mode 100644 policycoreutils/semodule/sha256.h
diff --git a/policycoreutils/semodule/Makefile b/policycoreutils/semodule/Makefile
index 9875ac38..73801e48 100644
--- a/policycoreutils/semodule/Makefile
+++ b/policycoreutils/semodule/Makefile
@@ -6,7 +6,7 @@ MANDIR = $(PREFIX)/share/man
CFLAGS ?= -Werror -Wall -W
override LDLIBS += -lsepol -lselinux -lsemanage
-SEMODULE_OBJS = semodule.o sha256.o
+SEMODULE_OBJS = semodule.o
all: semodule genhomedircon
diff --git a/policycoreutils/semodule/semodule.c b/policycoreutils/semodule/semodule.c
index dc227058..243b1add 100644
--- a/policycoreutils/semodule/semodule.c
+++ b/policycoreutils/semodule/semodule.c
@@ -24,8 +24,6 @@
#include <semanage/modules.h>
-#include "sha256.h"
-
enum client_modes {
NO_MODE, INSTALL_M, REMOVE_M, EXTRACT_M, CIL_M, HLL_M,
LIST_M, RELOAD, PRIORITY_M, ENABLE_M, DISABLE_M
@@ -347,60 +345,38 @@ static void parse_command_line(int argc, char **argv)
/* Get module checksum */
static char *hash_module_data(const char *module_name, const int prio) {
- semanage_module_info_t *extract_info = NULL;
semanage_module_key_t *modkey = NULL;
- Sha256Context context;
- uint8_t sha256_hash[SHA256_HASH_SIZE];
- char *sha256_buf = NULL;
- void *data;
- size_t data_len = 0, i;
+ char *hash_str = NULL;
+ void *hash = NULL;
+ size_t hash_len = 0;
int result;
result = semanage_module_key_create(sh, &modkey);
if (result != 0) {
- goto cleanup_extract;
+ goto cleanup;
}
result = semanage_module_key_set_name(sh, modkey, module_name);
if (result != 0) {
- goto cleanup_extract;
+ goto cleanup;
}
result = semanage_module_key_set_priority(sh, modkey, prio);
if (result != 0) {
- goto cleanup_extract;
+ goto cleanup;
}
- result = semanage_module_extract(sh, modkey, 1, &data, &data_len,
- &extract_info);
+ result = semanage_module_compute_checksum(sh, modkey, 1, &hash_str,
+ &hash_len);
if (result != 0) {
- goto cleanup_extract;
- }
-
- Sha256Initialise(&context);
- Sha256Update(&context, data, data_len);
-
- Sha256Finalise(&context, (SHA256_HASH *)sha256_hash);
-
- sha256_buf = calloc(1, SHA256_HASH_SIZE * 2 + 1);
-
- if (sha256_buf == NULL)
- goto cleanup_extract;
-
- for (i = 0; i < SHA256_HASH_SIZE; i++) {
- sprintf((&sha256_buf[i * 2]), "%02x", sha256_hash[i]);
+ goto cleanup;
}
- sha256_buf[i * 2] = 0;
-cleanup_extract:
- if (data_len > 0) {
- munmap(data, data_len);
- }
- semanage_module_info_destroy(sh, extract_info);
- free(extract_info);
+cleanup:
+ free(hash);
semanage_module_key_destroy(sh, modkey);
free(modkey);
- return sha256_buf;
+ return hash_str;
}
int main(int argc, char *argv[])
@@ -667,7 +643,10 @@ cleanup_extract:
/* fixed width columns */
column[0] = sizeof("000") - 1;
column[3] = sizeof("disabled") - 1;
- column[4] = 64; /* SHA256_HASH_SIZE * 2 */
+
+ result = semanage_module_compute_checksum(sh, NULL, 0, NULL,
+ &column[4]);
+ if (result != 0) goto cleanup_list;
/* variable width columns */
const char *tmp = NULL;
diff --git a/policycoreutils/semodule/sha256.c b/policycoreutils/semodule/sha256.c
deleted file mode 100644
index fe2aeef0..00000000
--- a/policycoreutils/semodule/sha256.c
+++ /dev/null
@@ -1,294 +0,0 @@
-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-// WjCryptLib_Sha256
-//
-// Implementation of SHA256 hash function.
-// Original author: Tom St Denis, tomstdenis@gmail.com, http://libtom.org
-// Modified by WaterJuice retaining Public Domain license.
-//
-// This is free and unencumbered software released into the public domain - June 2013 waterjuice.org
-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-
-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-// IMPORTS
-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-
-#include "sha256.h"
-#include <memory.h>
-
-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-// MACROS
-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-
-#define ror(value, bits) (((value) >> (bits)) | ((value) << (32 - (bits))))
-
-#define MIN(x, y) ( ((x)<(y))?(x):(y) )
-
-#define STORE32H(x, y) \
- { (y)[0] = (uint8_t)(((x)>>24)&255); (y)[1] = (uint8_t)(((x)>>16)&255); \
- (y)[2] = (uint8_t)(((x)>>8)&255); (y)[3] = (uint8_t)((x)&255); }
-
-#define LOAD32H(x, y) \
- { x = ((uint32_t)((y)[0] & 255)<<24) | \
- ((uint32_t)((y)[1] & 255)<<16) | \
- ((uint32_t)((y)[2] & 255)<<8) | \
- ((uint32_t)((y)[3] & 255)); }
-
-#define STORE64H(x, y) \
- { (y)[0] = (uint8_t)(((x)>>56)&255); (y)[1] = (uint8_t)(((x)>>48)&255); \
- (y)[2] = (uint8_t)(((x)>>40)&255); (y)[3] = (uint8_t)(((x)>>32)&255); \
- (y)[4] = (uint8_t)(((x)>>24)&255); (y)[5] = (uint8_t)(((x)>>16)&255); \
- (y)[6] = (uint8_t)(((x)>>8)&255); (y)[7] = (uint8_t)((x)&255); }
-
-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-// CONSTANTS
-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-
-// The K array
-static const uint32_t K[64] = {
- 0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL, 0x3956c25bUL,
- 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL, 0xd807aa98UL, 0x12835b01UL,
- 0x243185beUL, 0x550c7dc3UL, 0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL,
- 0xc19bf174UL, 0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL,
- 0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL, 0x983e5152UL,
- 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL, 0xc6e00bf3UL, 0xd5a79147UL,
- 0x06ca6351UL, 0x14292967UL, 0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL,
- 0x53380d13UL, 0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,
- 0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL, 0xd192e819UL,
- 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL, 0x19a4c116UL, 0x1e376c08UL,
- 0x2748774cUL, 0x34b0bcb5UL, 0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL,
- 0x682e6ff3UL, 0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,
- 0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL
-};
-
-#define BLOCK_SIZE 64
-
-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-// INTERNAL FUNCTIONS
-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-
-// Various logical functions
-#define Ch( x, y, z ) (z ^ (x & (y ^ z)))
-#define Maj( x, y, z ) (((x | y) & z) | (x & y))
-#define S( x, n ) ror((x),(n))
-#define R( x, n ) (((x)&0xFFFFFFFFUL)>>(n))
-#define Sigma0( x ) (S(x, 2) ^ S(x, 13) ^ S(x, 22))
-#define Sigma1( x ) (S(x, 6) ^ S(x, 11) ^ S(x, 25))
-#define Gamma0( x ) (S(x, 7) ^ S(x, 18) ^ R(x, 3))
-#define Gamma1( x ) (S(x, 17) ^ S(x, 19) ^ R(x, 10))
-
-#define Sha256Round( a, b, c, d, e, f, g, h, i ) \
- t0 = h + Sigma1(e) + Ch(e, f, g) + K[i] + W[i]; \
- t1 = Sigma0(a) + Maj(a, b, c); \
- d += t0; \
- h = t0 + t1;
-
-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-// TransformFunction
-//
-// Compress 512-bits
-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-static
-void
- TransformFunction
- (
- Sha256Context* Context,
- uint8_t const* Buffer
- )
-{
- uint32_t S[8];
- uint32_t W[64];
- uint32_t t0;
- uint32_t t1;
- uint32_t t;
- int i;
-
- // Copy state into S
- for( i=0; i<8; i++ )
- {
- S[i] = Context->state[i];
- }
-
- // Copy the state into 512-bits into W[0..15]
- for( i=0; i<16; i++ )
- {
- LOAD32H( W[i], Buffer + (4*i) );
- }
-
- // Fill W[16..63]
- for( i=16; i<64; i++ )
- {
- W[i] = Gamma1( W[i-2]) + W[i-7] + Gamma0( W[i-15] ) + W[i-16];
- }
-
- // Compress
- for( i=0; i<64; i++ )
- {
- Sha256Round( S[0], S[1], S[2], S[3], S[4], S[5], S[6], S[7], i );
- t = S[7];
- S[7] = S[6];
- S[6] = S[5];
- S[5] = S[4];
- S[4] = S[3];
- S[3] = S[2];
- S[2] = S[1];
- S[1] = S[0];
- S[0] = t;
- }
-
- // Feedback
- for( i=0; i<8; i++ )
- {
- Context->state[i] = Context->state[i] + S[i];
- }
-}
-
-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-// PUBLIC FUNCTIONS
-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-
-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-// Sha256Initialise
-//
-// Initialises a SHA256 Context. Use this to initialise/reset a context.
-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-void
- Sha256Initialise
- (
- Sha256Context* Context // [out]
- )
-{
- Context->curlen = 0;
- Context->length = 0;
- Context->state[0] = 0x6A09E667UL;
- Context->state[1] = 0xBB67AE85UL;
- Context->state[2] = 0x3C6EF372UL;
- Context->state[3] = 0xA54FF53AUL;
- Context->state[4] = 0x510E527FUL;
- Context->state[5] = 0x9B05688CUL;
- Context->state[6] = 0x1F83D9ABUL;
- Context->state[7] = 0x5BE0CD19UL;
-}
-
-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-// Sha256Update
-//
-// Adds data to the SHA256 context. This will process the data and update the internal state of the context. Keep on
-// calling this function until all the data has been added. Then call Sha256Finalise to calculate the hash.
-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-void
- Sha256Update
- (
- Sha256Context* Context, // [in out]
- void const* Buffer, // [in]
- uint32_t BufferSize // [in]
- )
-{
- uint32_t n;
-
- if( Context->curlen > sizeof(Context->buf) )
- {
- return;
- }
-
- while( BufferSize > 0 )
- {
- if( Context->curlen == 0 && BufferSize >= BLOCK_SIZE )
- {
- TransformFunction( Context, (uint8_t*)Buffer );
- Context->length += BLOCK_SIZE * 8;
- Buffer = (uint8_t*)Buffer + BLOCK_SIZE;
- BufferSize -= BLOCK_SIZE;
- }
- else
- {
- n = MIN( BufferSize, (BLOCK_SIZE - Context->curlen) );
- memcpy( Context->buf + Context->curlen, Buffer, (size_t)n );
- Context->curlen += n;
- Buffer = (uint8_t*)Buffer + n;
- BufferSize -= n;
- if( Context->curlen == BLOCK_SIZE )
- {
- TransformFunction( Context, Context->buf );
- Context->length += 8*BLOCK_SIZE;
- Context->curlen = 0;
- }
- }
- }
-}
-
-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-// Sha256Finalise
-//
-// Performs the final calculation of the hash and returns the digest (32 byte buffer containing 256bit hash). After
-// calling this, Sha256Initialised must be used to reuse the context.
-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-void
- Sha256Finalise
- (
- Sha256Context* Context, // [in out]
- SHA256_HASH* Digest // [out]
- )
-{
- int i;
-
- if( Context->curlen >= sizeof(Context->buf) )
- {
- return;
- }
-
- // Increase the length of the message
- Context->length += Context->curlen * 8;
-
- // Append the '1' bit
- Context->buf[Context->curlen++] = (uint8_t)0x80;
-
- // if the length is currently above 56 bytes we append zeros
- // then compress. Then we can fall back to padding zeros and length
- // encoding like normal.
- if( Context->curlen > 56 )
- {
- while( Context->curlen < 64 )
- {
- Context->buf[Context->curlen++] = (uint8_t)0;
- }
- TransformFunction(Context, Context->buf);
- Context->curlen = 0;
- }
-
- // Pad up to 56 bytes of zeroes
- while( Context->curlen < 56 )
- {
- Context->buf[Context->curlen++] = (uint8_t)0;
- }
-
- // Store length
- STORE64H( Context->length, Context->buf+56 );
- TransformFunction( Context, Context->buf );
-
- // Copy output
- for( i=0; i<8; i++ )
- {
- STORE32H( Context->state[i], Digest->bytes+(4*i) );
- }
-}
-
-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-// Sha256Calculate
-//
-// Combines Sha256Initialise, Sha256Update, and Sha256Finalise into one function. Calculates the SHA256 hash of the
-// buffer.
-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-void
- Sha256Calculate
- (
- void const* Buffer, // [in]
- uint32_t BufferSize, // [in]
- SHA256_HASH* Digest // [in]
- )
-{
- Sha256Context context;
-
- Sha256Initialise( &context );
- Sha256Update( &context, Buffer, BufferSize );
- Sha256Finalise( &context, Digest );
-}
diff --git a/policycoreutils/semodule/sha256.h b/policycoreutils/semodule/sha256.h
deleted file mode 100644
index 406ed869..00000000
--- a/policycoreutils/semodule/sha256.h
+++ /dev/null
@@ -1,89 +0,0 @@
-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-// WjCryptLib_Sha256
-//
-// Implementation of SHA256 hash function.
-// Original author: Tom St Denis, tomstdenis@gmail.com, http://libtom.org
-// Modified by WaterJuice retaining Public Domain license.
-//
-// This is free and unencumbered software released into the public domain - June 2013 waterjuice.org
-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-
-#pragma once
-
-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-// IMPORTS
-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-
-#include <stdint.h>
-#include <stdio.h>
-
-typedef struct
-{
- uint64_t length;
- uint32_t state[8];
- uint32_t curlen;
- uint8_t buf[64];
-} Sha256Context;
-
-#define SHA256_HASH_SIZE ( 256 / 8 )
-
-typedef struct
-{
- uint8_t bytes [SHA256_HASH_SIZE];
-} SHA256_HASH;
-
-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-// PUBLIC FUNCTIONS
-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-
-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-// Sha256Initialise
-//
-// Initialises a SHA256 Context. Use this to initialise/reset a context.
-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-void
- Sha256Initialise
- (
- Sha256Context* Context // [out]
- );
-
-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-// Sha256Update
-//
-// Adds data to the SHA256 context. This will process the data and update the internal state of the context. Keep on
-// calling this function until all the data has been added. Then call Sha256Finalise to calculate the hash.
-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-void
- Sha256Update
- (
- Sha256Context* Context, // [in out]
- void const* Buffer, // [in]
- uint32_t BufferSize // [in]
- );
-
-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-// Sha256Finalise
-//
-// Performs the final calculation of the hash and returns the digest (32 byte buffer containing 256bit hash). After
-// calling this, Sha256Initialised must be used to reuse the context.
-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-void
- Sha256Finalise
- (
- Sha256Context* Context, // [in out]
- SHA256_HASH* Digest // [out]
- );
-
-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-// Sha256Calculate
-//
-// Combines Sha256Initialise, Sha256Update, and Sha256Finalise into one function. Calculates the SHA256 hash of the
-// buffer.
-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-void
- Sha256Calculate
- (
- void const* Buffer, // [in]
- uint32_t BufferSize, // [in]
- SHA256_HASH* Digest // [in]
- );
--
2.30.2

144
SOURCES/0046-semodule-add-command-line-option-to-detect-module-ch.patch
Unescape View File

@ -0,0 +1,144 @@
From e3fc737e43561ecadcb977ce4c9a1db44be636ae Mon Sep 17 00:00:00 2001
From: Ondrej Mosnacek <omosnace@redhat.com>
Date: Thu, 3 Feb 2022 17:53:27 +0100
Subject: [PATCH] semodule: add command-line option to detect module changes
Add a new command-line option "--rebuild-if-modules-changed" to control
the newly introduced check_ext_changes libsemanage flag.
For example, running `semodule --rebuild-if-modules-changed` will ensure
that any externally added/removed modules (e.g. by an RPM transaction)
are reflected in the compiled policy, while skipping the most expensive
part of the rebuild if no module change was deteceted since the last
libsemanage transaction.
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
---
policycoreutils/semodule/semodule.8 | 7 +++++++
policycoreutils/semodule/semodule.c | 32 ++++++++++++++++++++++-------
2 files changed, 32 insertions(+), 7 deletions(-)
diff --git a/policycoreutils/semodule/semodule.8 b/policycoreutils/semodule/semodule.8
index 3a2fb21c..d1735d21 100644
--- a/policycoreutils/semodule/semodule.8
+++ b/policycoreutils/semodule/semodule.8
@@ -23,6 +23,13 @@ force a reload of policy
.B \-B, \-\-build
force a rebuild of policy (also reloads unless \-n is used)
.TP
+.B \-\-rebuild-if-modules-changed
+Force a rebuild of the policy if any changes to module content are detected
+(by comparing with checksum from the last transaction). One can use this
+instead of \-B to ensure that any changes to the module store done by an
+external tool (e.g. a package manager) are applied, while automatically
+skipping the rebuild if there are no new changes.
+.TP
.B \-D, \-\-disable_dontaudit
Temporarily remove dontaudits from policy. Reverts whenever policy is rebuilt
.TP
diff --git a/policycoreutils/semodule/semodule.c b/policycoreutils/semodule/semodule.c
index 243b1add..22a42a75 100644
--- a/policycoreutils/semodule/semodule.c
+++ b/policycoreutils/semodule/semodule.c
@@ -46,6 +46,7 @@ static int verbose;
static int reload;
static int no_reload;
static int build;
+static int check_ext_changes;
static int disable_dontaudit;
static int preserve_tunables;
static int ignore_module_cache;
@@ -148,6 +149,9 @@ static void usage(char *progname)
printf(" -c, --cil extract module as cil. This only affects module extraction.\n");
printf(" -H, --hll extract module as hll. This only affects module extraction.\n");
printf(" -m, --checksum print module checksum (SHA256).\n");
+ printf(" --rebuild-if-modules-changed\n"
+ " force policy rebuild if module content changed since\n"
+ " last rebuild (based on checksum)\n");
}
/* Sets the global mode variable to new_mode, but only if no other
@@ -179,6 +183,7 @@ static void set_mode(enum client_modes new_mode, char *arg)
static void parse_command_line(int argc, char **argv)
{
static struct option opts[] = {
+ {"rebuild-if-modules-changed", 0, NULL, '\0'},
{"store", required_argument, NULL, 's'},
{"base", required_argument, NULL, 'b'},
{"help", 0, NULL, 'h'},
@@ -206,15 +211,26 @@ static void parse_command_line(int argc, char **argv)
};
int extract_selected = 0;
int cil_hll_set = 0;
- int i;
+ int i, longind;
verbose = 0;
reload = 0;
no_reload = 0;
+ check_ext_changes = 0;
priority = 400;
while ((i =
- getopt_long(argc, argv, "s:b:hi:l::vr:u:RnNBDCPX:e:d:p:S:E:cHm", opts,
- NULL)) != -1) {
+ getopt_long(argc, argv, "s:b:hi:l::vr:u:RnNBDCPX:e:d:p:S:E:cHm",
+ opts, &longind)) != -1) {
switch (i) {
+ case '\0':
+ switch(longind) {
+ case 0: /* --rebuild-if-modules-changed */
+ check_ext_changes = 1;
+ break;
+ default:
+ usage(argv[0]);
+ exit(1);
+ }
+ break;
case 'b':
fprintf(stderr, "The --base option is deprecated. Use --install instead.\n");
set_mode(INSTALL_M, optarg);
@@ -299,13 +315,13 @@ static void parse_command_line(int argc, char **argv)
}
}
}
- if ((build || reload) && num_commands) {
+ if ((build || reload || check_ext_changes) && num_commands) {
fprintf(stderr,
"build or reload should not be used with other commands\n");
usage(argv[0]);
exit(1);
}
- if (num_commands == 0 && reload == 0 && build == 0) {
+ if (num_commands == 0 && reload == 0 && build == 0 && check_ext_changes == 0) {
fprintf(stderr, "At least one mode must be specified.\n");
usage(argv[0]);
exit(1);
@@ -392,7 +408,7 @@ int main(int argc, char *argv[])
}
parse_command_line(argc, argv);
- if (build)
+ if (build || check_ext_changes)
commit = 1;
sh = semanage_handle_create();
@@ -431,7 +447,7 @@ int main(int argc, char *argv[])
}
}
- if (build) {
+ if (build || check_ext_changes) {
if ((result = semanage_begin_transaction(sh)) < 0) {
fprintf(stderr, "%s: Could not begin transaction: %s\n",
argv[0], errno ? strerror(errno) : "");
@@ -805,6 +821,8 @@ cleanup_disable:
semanage_set_reload(sh, 0);
if (build)
semanage_set_rebuild(sh, 1);
+ if (check_ext_changes)
+ semanage_set_check_ext_changes(sh, 1);
if (disable_dontaudit)
semanage_set_disable_dontaudit(sh, 1);
else if (build)
--
2.30.2

64
SOURCES/0047-python-Split-semanage-import-into-two-transactions.patch
Unescape View File

@ -0,0 +1,64 @@
From 09c944561c76146b1fc11e99e95b6a674366cddf Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com>
Date: Mon, 30 May 2022 14:20:21 +0200
Subject: [PATCH] python: Split "semanage import" into two transactions
First transaction applies all deletion operations, so that there are no
collisions when applying the rest of the changes.
Fixes:
# semanage port -a -t http_cache_port_t -r s0 -p tcp 3024
# semanage export | semanage import
ValueError: Port tcp/3024 already defined
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
---
python/semanage/semanage | 21 +++++++++++++++++++--
1 file changed, 19 insertions(+), 2 deletions(-)
diff --git a/python/semanage/semanage b/python/semanage/semanage
index ebb93ea5..b8842d28 100644
--- a/python/semanage/semanage
+++ b/python/semanage/semanage
@@ -841,10 +841,29 @@ def handleImport(args):
trans = seobject.semanageRecords(args)
trans.start()
+ deleteCommands = []
+ commands = []
+ # separate commands for deletion from the rest so they can be
+ # applied in a separate transaction
for l in sys.stdin.readlines():
if len(l.strip()) == 0:
continue
+ if "-d" in l or "-D" in l:
+ deleteCommands.append(l)
+ else:
+ commands.append(l)
+
+ if deleteCommands:
+ importHelper(deleteCommands)
+ trans.finish()
+ trans.start()
+
+ importHelper(commands)
+ trans.finish()
+
+def importHelper(commands):
+ for l in commands:
try:
commandParser = createCommandParser()
args = commandParser.parse_args(mkargv(l))
@@ -858,8 +877,6 @@ def handleImport(args):
except KeyboardInterrupt:
sys.exit(0)
- trans.finish()
-
def setupImportParser(subparsers):
importParser = subparsers.add_parser('import', help=_('Import local customizations'))
--
2.35.3

81
SOURCES/0048-semodule-rename-rebuild-if-modules-changed-to-refres.patch
Unescape View File

@ -0,0 +1,81 @@
From c0ca652dce6b1d5d11e697cc3a4695d87944f9ad Mon Sep 17 00:00:00 2001
From: Ondrej Mosnacek <omosnace@redhat.com>
Date: Wed, 8 Jun 2022 19:09:54 +0200
Subject: [PATCH] semodule: rename --rebuild-if-modules-changed to --refresh
After the last commit this option's name and description no longer
matches the semantic, so give it a new one and update the descriptions.
The old name is still recognized and aliased to the new one for
backwards compatibility.
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Acked-by: Nicolas Iooss <nicolas.iooss@m4x.org>
---
policycoreutils/semodule/semodule.8 | 12 ++++++------
policycoreutils/semodule/semodule.c | 13 ++++++++++---
2 files changed, 16 insertions(+), 9 deletions(-)
diff --git a/policycoreutils/semodule/semodule.8 b/policycoreutils/semodule/semodule.8
index d1735d21..c56e580f 100644
--- a/policycoreutils/semodule/semodule.8
+++ b/policycoreutils/semodule/semodule.8
@@ -23,12 +23,12 @@ force a reload of policy
.B \-B, \-\-build
force a rebuild of policy (also reloads unless \-n is used)
.TP
-.B \-\-rebuild-if-modules-changed
-Force a rebuild of the policy if any changes to module content are detected
-(by comparing with checksum from the last transaction). One can use this
-instead of \-B to ensure that any changes to the module store done by an
-external tool (e.g. a package manager) are applied, while automatically
-skipping the rebuild if there are no new changes.
+.B \-\-refresh
+Like \-\-build, but reuses existing linked policy if no changes to module
+files are detected (by comparing with checksum from the last transaction).
+One can use this instead of \-B to ensure that any changes to the module
+store done by an external tool (e.g. a package manager) are applied, while
+automatically skipping the module re-linking if there are no module changes.
.TP
.B \-D, \-\-disable_dontaudit
Temporarily remove dontaudits from policy. Reverts whenever policy is rebuilt
diff --git a/policycoreutils/semodule/semodule.c b/policycoreutils/semodule/semodule.c
index 22a42a75..324ec9fb 100644
--- a/policycoreutils/semodule/semodule.c
+++ b/policycoreutils/semodule/semodule.c
@@ -149,9 +149,12 @@ static void usage(char *progname)
printf(" -c, --cil extract module as cil. This only affects module extraction.\n");
printf(" -H, --hll extract module as hll. This only affects module extraction.\n");
printf(" -m, --checksum print module checksum (SHA256).\n");
- printf(" --rebuild-if-modules-changed\n"
- " force policy rebuild if module content changed since\n"
- " last rebuild (based on checksum)\n");
+ printf(" --refresh like --build, but reuses existing linked policy if no\n"
+ " changes to module files are detected (via checksum)\n");
+ printf("Deprecated options:\n");
+ printf(" -b,--base same as --install\n");
+ printf(" --rebuild-if-modules-changed\n"
+ " same as --refresh\n");
}
/* Sets the global mode variable to new_mode, but only if no other
@@ -184,6 +187,7 @@ static void parse_command_line(int argc, char **argv)
{
static struct option opts[] = {
{"rebuild-if-modules-changed", 0, NULL, '\0'},
+ {"refresh", 0, NULL, '\0'},
{"store", required_argument, NULL, 's'},
{"base", required_argument, NULL, 'b'},
{"help", 0, NULL, 'h'},
@@ -224,6 +228,9 @@ static void parse_command_line(int argc, char **argv)
case '\0':
switch(longind) {
case 0: /* --rebuild-if-modules-changed */
+ fprintf(stderr, "The --rebuild-if-modules-changed option is deprecated. Use --refresh instead.\n");
+ /* fallthrough */
+ case 1: /* --refresh */
check_ext_changes = 1;
break;
default:
--
2.35.3

79
SOURCES/0049-python-Harden-tools-against-rogue-modules.patch
Unescape View File

@ -0,0 +1,79 @@
From 72c7e9123980b003a21d51e2805529a3e90b2460 Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com>
Date: Thu, 13 Oct 2022 17:33:18 +0200
Subject: [PATCH] python: Harden tools against "rogue" modules
Python scripts present in "/usr/sbin" override regular modules.
Make sure /usr/sbin is not present in PYTHONPATH.
Fixes:
#cat > /usr/sbin/audit.py <<EOF
import sys
print("BAD GUY!", file=sys.stderr)
sys.exit(1)
EOF
#semanage boolean -l
BAD GUY!
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
---
python/audit2allow/audit2allow | 2 +-
python/audit2allow/sepolgen-ifgen | 2 +-
python/chcat/chcat | 2 +-
python/semanage/semanage | 2 +-
python/sepolicy/sepolicy.py | 2 +-
5 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/python/audit2allow/audit2allow b/python/audit2allow/audit2allow
index 09b06f66..eafeea88 100644
--- a/python/audit2allow/audit2allow
+++ b/python/audit2allow/audit2allow
@@ -1,4 +1,4 @@
-#!/usr/bin/python3 -Es
+#!/usr/bin/python3 -EsI
# Authors: Karl MacMillan <kmacmillan@mentalrootkit.com>
# Authors: Dan Walsh <dwalsh@redhat.com>
#
diff --git a/python/audit2allow/sepolgen-ifgen b/python/audit2allow/sepolgen-ifgen
index be2d093b..f25f8af1 100644
--- a/python/audit2allow/sepolgen-ifgen
+++ b/python/audit2allow/sepolgen-ifgen
@@ -1,4 +1,4 @@
-#!/usr/bin/python3 -Es
+#!/usr/bin/python3 -EsI
#
# Authors: Karl MacMillan <kmacmillan@mentalrootkit.com>
#
diff --git a/python/chcat/chcat b/python/chcat/chcat
index df2509f2..5671cec6 100755
--- a/python/chcat/chcat
+++ b/python/chcat/chcat
@@ -1,4 +1,4 @@
-#!/usr/bin/python3 -Es
+#!/usr/bin/python3 -EsI
# Copyright (C) 2005 Red Hat
# see file 'COPYING' for use and warranty information
#
diff --git a/python/semanage/semanage b/python/semanage/semanage
index b8842d28..1f170f60 100644
--- a/python/semanage/semanage
+++ b/python/semanage/semanage
@@ -1,4 +1,4 @@
-#!/usr/bin/python3 -Es
+#!/usr/bin/python3 -EsI
# Copyright (C) 2012-2013 Red Hat
# AUTHOR: Miroslav Grepl <mgrepl@redhat.com>
# AUTHOR: David Quigley <selinux@davequigley.com>
diff --git a/python/sepolicy/sepolicy.py b/python/sepolicy/sepolicy.py
index 8bd6a579..0c1d9641 100755
--- a/python/sepolicy/sepolicy.py
+++ b/python/sepolicy/sepolicy.py
@@ -1,4 +1,4 @@
-#!/usr/bin/python3 -Es
+#!/usr/bin/python3 -EsI
# Copyright (C) 2012 Red Hat
# AUTHOR: Dan Walsh <dwalsh@redhat.com>
# see file 'COPYING' for use and warranty information
--
2.37.3

65
SOURCES/0050-python-Do-not-query-the-local-database-if-the-fconte.patch
Unescape View File

@ -0,0 +1,65 @@
From f33e40265d192e5d725e7b82e5f14f603e1fba48 Mon Sep 17 00:00:00 2001
From: James Carter <jwcart2@gmail.com>
Date: Wed, 19 Oct 2022 14:20:11 -0400
Subject: [PATCH] python: Do not query the local database if the fcontext is
non-local
Vit Mojzis reports that an error message is produced when modifying
a non-local fcontext.
He gives the following example:
# semanage fcontext -f f -m -t passwd_file_t /etc/security/opasswd
libsemanage.dbase_llist_query: could not query record value (No such file or directory).
When modifying an fcontext, the non-local database is checked for the
key and then, if it is not found there, the local database is checked.
If the key doesn't exist, then an error is raised. If the key exists
then the local database is queried first and, if that fails, the non-
local database is queried.
The error is from querying the local database when the fcontext is in
the non-local database.
Instead, if the fcontext is in the non-local database, just query
the non-local database. Only query the local database if the
fcontext was found in it.
Reported-by: Vit Mojzis <vmojzis@redhat.com>
Signed-off-by: James Carter <jwcart2@gmail.com>
---
python/semanage/seobject.py | 15 +++++++++------
1 file changed, 9 insertions(+), 6 deletions(-)
diff --git a/python/semanage/seobject.py b/python/semanage/seobject.py
index 70ebfd08..0e923a0d 100644
--- a/python/semanage/seobject.py
+++ b/python/semanage/seobject.py
@@ -2490,16 +2490,19 @@ class fcontextRecords(semanageRecords):
(rc, exists) = semanage_fcontext_exists(self.sh, k)
if rc < 0:
raise ValueError(_("Could not check if file context for %s is defined") % target)
- if not exists:
+ if exists:
+ try:
+ (rc, fcontext) = semanage_fcontext_query(self.sh, k)
+ except OSError:
+ raise ValueError(_("Could not query file context for %s") % target)
+ else:
(rc, exists) = semanage_fcontext_exists_local(self.sh, k)
+ if rc < 0:
+ raise ValueError(_("Could not check if file context for %s is defined") % target)
if not exists:
raise ValueError(_("File context for %s is not defined") % target)
-
- try:
- (rc, fcontext) = semanage_fcontext_query_local(self.sh, k)
- except OSError:
try:
- (rc, fcontext) = semanage_fcontext_query(self.sh, k)
+ (rc, fcontext) = semanage_fcontext_query_local(self.sh, k)
except OSError:
raise ValueError(_("Could not query file context for %s") % target)
--
2.37.3

112
SOURCES/0051-python-sepolicy-add-missing-booleans-to-man-pages.patch
Unescape View File

@ -0,0 +1,112 @@
From f3ddbd8220d9646072c9a4c9ed37f2dff998a53c Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com>
Date: Tue, 10 Jan 2023 11:37:26 +0100
Subject: [PATCH] python/sepolicy: add missing booleans to man pages
get_bools should return a list of booleans that can affect given type,
but it did not handle non trivial conditional statements properly
(returning the whole conditional statement instead of a list of booleans
in the statement).
e.g. for
allow httpd_t spamc_t:process transition; [ httpd_can_check_spam && httpd_can_sendmail ]:True
get_bools used to return [("httpd_can_check_spam && httpd_can_sendmail", False)] instead of
[("httpd_can_check_spam", False), ("httpd_can_sendmail", False)]
- rename "boolean" in sepolicy rule dictionary to "booleans" to suggest
it can contain multiple values and make sure it is populated correctly
- add "conditional" key to the rule dictionary to accommodate
get_conditionals, which requires the whole conditional statement
- extend get_bools search to dontaudit rules so that it covers booleans
like httpd_dontaudit_search_dirs
Note: get_bools uses security_get_boolean_active to get the boolean
value, but the value is later used to represent the default.
Not ideal, but I'm not aware of a way to get the actual defaults.
Fixes:
"sepolicy manpage" generates man pages that are missing booleans
which are included in non trivial conditional expressions
e.g. httpd_selinux(8) does not include httpd_can_check_spam,
httpd_tmp_exec, httpd_unified, or httpd_use_gpg
This fix, however, also adds some not strictly related booleans
to some man pages. e.g. use_nfs_home_dirs and
use_samba_home_dirs are added to httpd_selinux(8)
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Acked-by: Jason Zaman <jason@perfinion.com>
---
python/sepolicy/sepolicy/__init__.py | 21 +++++++++++++--------
1 file changed, 13 insertions(+), 8 deletions(-)
diff --git a/python/sepolicy/sepolicy/__init__.py b/python/sepolicy/sepolicy/__init__.py
index b6ca57c3..0f51174d 100644
--- a/python/sepolicy/sepolicy/__init__.py
+++ b/python/sepolicy/sepolicy/__init__.py
@@ -324,7 +324,12 @@ def _setools_rule_to_dict(rule):
pass
try:
- d['boolean'] = [(str(rule.conditional), enabled)]
+ d['booleans'] = [(str(b), b.state) for b in rule.conditional.booleans]
+ except AttributeError:
+ pass
+
+ try:
+ d['conditional'] = str(rule.conditional)
except AttributeError:
pass
@@ -426,12 +431,12 @@ def get_conditionals(src, dest, tclass, perm):
x['source'] in src_list and
x['target'] in dest_list and
set(perm).issubset(x[PERMS]) and
- 'boolean' in x,
+ 'conditional' in x,
get_all_allow_rules()))
try:
for i in allows:
- tdict.update({'source': i['source'], 'boolean': i['boolean']})
+ tdict.update({'source': i['source'], 'conditional': (i['conditional'], i['enabled'])})
if tdict not in tlist:
tlist.append(tdict)
tdict = {}
@@ -445,10 +450,10 @@ def get_conditionals_format_text(cond):
enabled = False
for x in cond:
- if x['boolean'][0][1]:
+ if x['conditional'][1]:
enabled = True
break
- return _("-- Allowed %s [ %s ]") % (enabled, " || ".join(set(map(lambda x: "%s=%d" % (x['boolean'][0][0], x['boolean'][0][1]), cond))))
+ return _("-- Allowed %s [ %s ]") % (enabled, " || ".join(set(map(lambda x: "%s=%d" % (x['conditional'][0], x['conditional'][1]), cond))))
def get_types_from_attribute(attribute):
@@ -703,9 +708,9 @@ def get_boolean_rules(setype, boolean):
boollist = []
permlist = search([ALLOW], {'source': setype})
for p in permlist:
- if "boolean" in p:
+ if "booleans" in p:
try:
- for b in p["boolean"]:
+ for b in p["booleans"]:
if boolean in b:
boollist.append(p)
except:
@@ -1124,7 +1129,7 @@ def get_bools(setype):
bools = []
domainbools = []
domainname, short_name = gen_short_name(setype)
- for i in map(lambda x: x['boolean'], filter(lambda x: 'boolean' in x and x['source'] == setype, get_all_allow_rules())):
+ for i in map(lambda x: x['booleans'], filter(lambda x: 'booleans' in x and x['source'] == setype, search([ALLOW, DONTAUDIT]))):
for b in i:
if not isinstance(b, tuple):
continue
--
2.37.3

73
SOURCES/0052-python-sepolicy-Cache-conditional-rule-queries.patch
Unescape View File

@ -0,0 +1,73 @@
From 25373db5cac520b85350db91b8a7ed0737d3316c Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com>
Date: Tue, 24 Jan 2023 21:05:05 +0100
Subject: [PATCH] python/sepolicy: Cache conditional rule queries
Commit 7506771e4b630fe0ab853f96574e039055cb72eb
"add missing booleans to man pages" dramatically slowed down
"sepolicy manpage -a" by removing caching of setools rule query.
Re-add said caching and update the query to only return conditional
rules.
Before commit 7506771e:
#time sepolicy manpage -a
real 1m43.153s
# time sepolicy manpage -d httpd_t
real 0m4.493s
After commit 7506771e:
#time sepolicy manpage -a
real 1h56m43.153s
# time sepolicy manpage -d httpd_t
real 0m8.352s
After this commit:
#time sepolicy manpage -a
real 1m41.074s
# time sepolicy manpage -d httpd_t
real 0m7.358s
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
---
python/sepolicy/sepolicy/__init__.py | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/python/sepolicy/sepolicy/__init__.py b/python/sepolicy/sepolicy/__init__.py
index 0f51174d..f48231e9 100644
--- a/python/sepolicy/sepolicy/__init__.py
+++ b/python/sepolicy/sepolicy/__init__.py
@@ -114,6 +114,7 @@ all_attributes = None
booleans = None
booleans_dict = None
all_allow_rules = None
+all_bool_rules = None
all_transitions = None
@@ -1119,6 +1120,14 @@ def get_all_allow_rules():
all_allow_rules = search([ALLOW])
return all_allow_rules
+def get_all_bool_rules():
+ global all_bool_rules
+ if not all_bool_rules:
+ q = setools.TERuleQuery(_pol, boolean=".*", boolean_regex=True,
+ ruletype=[ALLOW, DONTAUDIT])
+ all_bool_rules = [_setools_rule_to_dict(x) for x in q.results()]
+ return all_bool_rules
+
def get_all_transitions():
global all_transitions
if not all_transitions:
@@ -1129,7 +1138,7 @@ def get_bools(setype):
bools = []
domainbools = []
domainname, short_name = gen_short_name(setype)
- for i in map(lambda x: x['booleans'], filter(lambda x: 'booleans' in x and x['source'] == setype, search([ALLOW, DONTAUDIT]))):
+ for i in map(lambda x: x['booleans'], filter(lambda x: 'booleans' in x and x['source'] == setype, get_all_bool_rules())):
for b in i:
if not isinstance(b, tuple):
continue
--
2.37.3

98
SOURCES/0053-python-Harden-more-tools-against-rogue-modules.patch
Unescape View File

@ -0,0 +1,98 @@
From 7aef364bc6607953a34cb9e8fe9ea51c88379a5c Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com>
Date: Wed, 6 Dec 2023 15:31:51 +0100
Subject: [PATCH] python: Harden more tools against "rogue" modules
Python scripts present in the same directory as the tool
override regular modules.
Fixes:
#cat > /usr/bin/signal.py <<EOF
import sys
print("BAD GUY!", file=sys.stderr)
sys.exit(1)
EOF
#sandbox date
BAD GUY!
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
---
dbus/selinux_server.py | 2 +-
gui/polgengui.py | 2 +-
gui/system-config-selinux.py | 6 +++---
sandbox/sandbox | 2 +-
sandbox/start | 2 +-
5 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/dbus/selinux_server.py b/dbus/selinux_server.py
index 97bf91ba..eae38de5 100644
--- a/dbus/selinux_server.py
+++ b/dbus/selinux_server.py
@@ -1,4 +1,4 @@
-#!/usr/bin/python3
+#!/usr/bin/python3 -EsI
import dbus
import dbus.service
diff --git a/gui/polgengui.py b/gui/polgengui.py
index 46a1bd2c..0402e82c 100644
--- a/gui/polgengui.py
+++ b/gui/polgengui.py
@@ -1,4 +1,4 @@
-#!/usr/bin/python3 -Es
+#!/usr/bin/python3 -EsI
#
# polgengui.py - GUI for SELinux Config tool in system-config-selinux
#
diff --git a/gui/system-config-selinux.py b/gui/system-config-selinux.py
index 1e0d5eb1..c344c076 100644
--- a/gui/system-config-selinux.py
+++ b/gui/system-config-selinux.py
@@ -1,4 +1,4 @@
-#!/usr/bin/python3 -Es
+#!/usr/bin/python3 -EsI
#
# system-config-selinux.py - GUI for SELinux Config tool in system-config-selinux
#
@@ -32,6 +32,8 @@ except RuntimeError as e:
print("This is a graphical application and requires DISPLAY to be set.")
sys.exit(1)
+sys.path.append('/usr/share/system-config-selinux')
+
from gi.repository import GObject
import statusPage
import booleansPage
@@ -65,8 +67,6 @@ except:
version = "1.0"
-sys.path.append('/usr/share/system-config-selinux')
-
##
## Pull in the Glade file
diff --git a/sandbox/sandbox b/sandbox/sandbox
index 707959a6..e276e594 100644
--- a/sandbox/sandbox
+++ b/sandbox/sandbox
@@ -1,4 +1,4 @@
-#!/usr/bin/python3 -Es
+#!/usr/bin/python3 -EsI
# Authors: Dan Walsh <dwalsh@redhat.com>
# Authors: Thomas Liu <tliu@fedoraproject.org>
# Authors: Josh Cogliati
diff --git a/sandbox/start b/sandbox/start
index 4ed3cb5c..3c1a1783 100644
--- a/sandbox/start
+++ b/sandbox/start
@@ -1,4 +1,4 @@
-#!/usr/bin/python3 -Es
+#!/usr/bin/python3 -EsI
try:
from subprocess import getstatusoutput
except ImportError:
--
2.43.0

95
SOURCES/0054-sepolicy-port-to-dnf4-python-API.patch
Unescape View File

@ -0,0 +1,95 @@
From ea93da38a16eb44307b522f8a26f2d8f967fcc01 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <lautrbach@redhat.com>
Date: Wed, 22 Nov 2023 12:29:43 +0100
Subject: [PATCH] sepolicy: port to dnf4 python API
yum module is not available since RHEL 7.
Drop -systemd related code as it's obsoleted these days - only 2
packages ship their .service in -systemd subpackage
Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
Acked-by: Ondrej Mosnacek <omosnace@redhat.com>
---
python/sepolicy/sepolicy/generate.py | 56 +++++++++++++---------------
1 file changed, 25 insertions(+), 31 deletions(-)
diff --git a/python/sepolicy/sepolicy/generate.py b/python/sepolicy/sepolicy/generate.py
index 93caedee..c841a499 100644
--- a/python/sepolicy/sepolicy/generate.py
+++ b/python/sepolicy/sepolicy/generate.py
@@ -1265,24 +1265,20 @@ allow %s_t %s_t:%s_socket name_%s;
return fcfile
def __extract_rpms(self):
- import yum
- yb = yum.YumBase()
- yb.setCacheDir()
-
- for pkg in yb.rpmdb.searchProvides(self.program):
- self.rpms.append(pkg.name)
- for fname in pkg.dirlist + pkg.filelist + pkg.ghostlist:
- for b in self.DEFAULT_DIRS:
- if b == "/etc":
- continue
- if fname.startswith(b):
- if os.path.isfile(fname):
- self.add_file(fname)
- else:
- self.add_dir(fname)
+ import dnf
+
+ with dnf.Base() as base:
+ base.read_all_repos()
+ base.fill_sack(load_system_repo=True)
+
+ query = base.sack.query()
- for bpkg in yb.rpmdb.searchNames([pkg.base_package_name]):
- for fname in bpkg.dirlist + bpkg.filelist + bpkg.ghostlist:
+ pq = query.available()
+ pq = pq.filter(file=self.program)
+
+ for pkg in pq:
+ self.rpms.append(pkg.name)
+ for fname in pkg.files:
for b in self.DEFAULT_DIRS:
if b == "/etc":
continue
@@ -1291,20 +1287,18 @@ allow %s_t %s_t:%s_socket name_%s;
self.add_file(fname)
else:
self.add_dir(fname)
-
- # some packages have own systemd subpackage
- # tor-systemd for example
- binary_name = self.program.split("/")[-1]
- for bpkg in yb.rpmdb.searchNames(["%s-systemd" % binary_name]):
- for fname in bpkg.filelist + bpkg.ghostlist + bpkg.dirlist:
- for b in self.DEFAULT_DIRS:
- if b == "/etc":
- continue
- if fname.startswith(b):
- if os.path.isfile(fname):
- self.add_file(fname)
- else:
- self.add_dir(fname)
+ sq = query.available()
+ sq = sq.filter(provides=pkg.source_name)
+ for bpkg in sq:
+ for fname in bpkg.files:
+ for b in self.DEFAULT_DIRS:
+ if b == "/etc":
+ continue
+ if fname.startswith(b):
+ if os.path.isfile(fname):
+ self.add_file(fname)
+ else:
+ self.add_dir(fname)
def gen_writeable(self):
try:
--
2.43.0

64
SOURCES/0055-python-semanage-Do-not-sort-local-fcontext-definitio.patch
Unescape View File

@ -0,0 +1,64 @@
From b6fa6e77d5d40a5c1b5f4be95500aa1a05147e5b Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com>
Date: Wed, 7 Feb 2024 15:46:23 +0100
Subject: [PATCH] python/semanage: Do not sort local fcontext definitions
Entries in file_contexts.local are processed from the most recent one to
the oldest, with first match being used. Therefore it is important to
preserve their order when listing (semanage fcontext -lC) and exporting
(semanage export).
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
---
gui/fcontextPage.py | 6 +++++-
python/semanage/seobject.py | 9 +++++++--
2 files changed, 12 insertions(+), 3 deletions(-)
diff --git a/gui/fcontextPage.py b/gui/fcontextPage.py
index e424366d..01a403a2 100644
--- a/gui/fcontextPage.py
+++ b/gui/fcontextPage.py
@@ -125,7 +125,11 @@ class fcontextPage(semanagePage):
self.fcontext = seobject.fcontextRecords()
self.store.clear()
fcon_dict = self.fcontext.get_all(self.local)
- for k in sorted(fcon_dict.keys()):
+ if self.local:
+ fkeys = fcon_dict.keys()
+ else:
+ fkeys = sorted(fcon_dict.keys())
+ for k in fkeys:
if not self.match(fcon_dict, k, filter):
continue
iter = self.store.append()
diff --git a/python/semanage/seobject.py b/python/semanage/seobject.py
index 0e923a0d..dd915a69 100644
--- a/python/semanage/seobject.py
+++ b/python/semanage/seobject.py
@@ -2644,7 +2644,7 @@ class fcontextRecords(semanageRecords):
def customized(self):
l = []
fcon_dict = self.get_all(True)
- for k in sorted(fcon_dict.keys()):
+ for k in fcon_dict.keys():
if fcon_dict[k]:
if fcon_dict[k][3]:
l.append("-a -f %s -t %s -r '%s' '%s'" % (file_type_str_to_option[k[1]], fcon_dict[k][2], fcon_dict[k][3], k[0]))
@@ -2661,7 +2661,12 @@ class fcontextRecords(semanageRecords):
if len(fcon_dict) != 0:
if heading:
print("%-50s %-18s %s\n" % (_("SELinux fcontext"), _("type"), _("Context")))
- for k in sorted(fcon_dict.keys()):
+ # do not sort local customizations since they are evaluated based on the order they where added in
+ if locallist:
+ fkeys = fcon_dict.keys()
+ else:
+ fkeys = sorted(fcon_dict.keys())
+ for k in fkeys:
if fcon_dict[k]:
if is_mls_enabled:
print("%-50s %-18s %s:%s:%s:%s " % (k[0], k[1], fcon_dict[k][0], fcon_dict[k][1], fcon_dict[k][2], translate(fcon_dict[k][3], False)))
--
2.43.0

396
SOURCES/0056-python-semanage-Allow-modifying-records-on-add.patch
Unescape View File

@ -0,0 +1,396 @@
From 108a7d43dd8fa4f5cb682f9df9c15304fa4eddea Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com>
Date: Wed, 14 Feb 2024 13:08:40 +0100
Subject: [PATCH] python/semanage: Allow modifying records on "add"
When trying to add a record with a key that already exists, modify
the existing record instead.
Also, fix "semanage -m -e" (add_equal was called instead of
modify_equal), which meant that existing local equivalency couldn't be
modified (though a user could remove it and add a modified
equivalency).
Fixes:
https://github.com/SELinuxProject/selinux/issues/412
When a port or login definition present in the policy is modified
using "semanage port -m", "semanage export" exports the command as
"port -a" instead of "port -m". This results in "semanage import"
failing (port already defined). The same is true for port, user,
login, ibpkey, ibendport, node, interface and fcontext.
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
---
python/semanage/semanage | 2 +-
python/semanage/seobject.py | 208 +++++++++++++++++++++++++-----------
2 files changed, 147 insertions(+), 63 deletions(-)
diff --git a/python/semanage/semanage b/python/semanage/semanage
index 1f170f60..f55751b6 100644
--- a/python/semanage/semanage
+++ b/python/semanage/semanage
@@ -316,7 +316,7 @@ def handleFcontext(args):
OBJECT.add(args.file_spec, args.type, args.ftype, args.range, args.seuser)
if args.action == "modify":
if args.equal:
- OBJECT.add_equal(args.file_spec, args.equal)
+ OBJECT.modify_equal(args.file_spec, args.equal)
else:
OBJECT.modify(args.file_spec, args.type, args.ftype, args.range, args.seuser)
if args.action == "delete":
diff --git a/python/semanage/seobject.py b/python/semanage/seobject.py
index dd915a69..f6c559a7 100644
--- a/python/semanage/seobject.py
+++ b/python/semanage/seobject.py
@@ -560,11 +560,6 @@ class loginRecords(semanageRecords):
if rc < 0:
raise ValueError(_("Could not create a key for %s") % name)
- (rc, exists) = semanage_seuser_exists(self.sh, k)
- if rc < 0:
- raise ValueError(_("Could not check if login mapping for %s is defined") % name)
- if exists:
- raise ValueError(_("Login mapping for %s is already defined") % name)
if name[0] == '%':
try:
grp.getgrnam(name[1:])
@@ -603,11 +598,29 @@ class loginRecords(semanageRecords):
def add(self, name, sename, serange):
try:
self.begin()
- self.__add(name, sename, serange)
+ # Add a new mapping, or modify an existing one
+ if self.__exists(name):
+ print(_("Login mapping for %s is already defined, modifying instead") % name)
+ self.__modify(name, sename, serange)
+ else:
+ self.__add(name, sename, serange)
self.commit()
except ValueError as error:
raise error
+ # check if login mapping for given user exists
+ def __exists(self, name):
+ (rc, k) = semanage_seuser_key_create(self.sh, name)
+ if rc < 0:
+ raise ValueError(_("Could not create a key for %s") % name)
+
+ (rc, exists) = semanage_seuser_exists(self.sh, k)
+ if rc < 0:
+ raise ValueError(_("Could not check if login mapping for %s is defined") % name)
+ semanage_seuser_key_free(k)
+
+ return exists
+
def __modify(self, name, sename="", serange=""):
rec, self.oldsename, self.oldserange = selinux.getseuserbyname(name)
if sename == "" and serange == "":
@@ -824,12 +837,6 @@ class seluserRecords(semanageRecords):
if rc < 0:
raise ValueError(_("Could not create a key for %s") % name)
- (rc, exists) = semanage_user_exists(self.sh, k)
- if rc < 0:
- raise ValueError(_("Could not check if SELinux user %s is defined") % name)
- if exists:
- raise ValueError(_("SELinux user %s is already defined") % name)
-
(rc, u) = semanage_user_create(self.sh)
if rc < 0:
raise ValueError(_("Could not create SELinux user for %s") % name)
@@ -869,12 +876,28 @@ class seluserRecords(semanageRecords):
def add(self, name, roles, selevel, serange, prefix):
try:
self.begin()
- self.__add(name, roles, selevel, serange, prefix)
+ if self.__exists(name):
+ print(_("SELinux user %s is already defined, modifying instead") % name)
+ self.__modify(name, roles, selevel, serange, prefix)
+ else:
+ self.__add(name, roles, selevel, serange, prefix)
self.commit()
except ValueError as error:
self.mylog.commit(0)
raise error
+ def __exists(self, name):
+ (rc, k) = semanage_user_key_create(self.sh, name)
+ if rc < 0:
+ raise ValueError(_("Could not create a key for %s") % name)
+
+ (rc, exists) = semanage_user_exists(self.sh, k)
+ if rc < 0:
+ raise ValueError(_("Could not check if SELinux user %s is defined") % name)
+ semanage_user_key_free(k)
+
+ return exists
+
def __modify(self, name, roles=[], selevel="", serange="", prefix=""):
oldserole = ""
oldserange = ""
@@ -1102,12 +1125,6 @@ class portRecords(semanageRecords):
(k, proto_d, low, high) = self.__genkey(port, proto)
- (rc, exists) = semanage_port_exists(self.sh, k)
- if rc < 0:
- raise ValueError(_("Could not check if port %s/%s is defined") % (proto, port))
- if exists:
- raise ValueError(_("Port %s/%s already defined") % (proto, port))
-
(rc, p) = semanage_port_create(self.sh)
if rc < 0:
raise ValueError(_("Could not create port for %s/%s") % (proto, port))
@@ -1151,9 +1168,23 @@ class portRecords(semanageRecords):
def add(self, port, proto, serange, type):
self.begin()
- self.__add(port, proto, serange, type)
+ if self.__exists(port, proto):
+ print(_("Port {proto}/{port} already defined, modifying instead").format(proto=proto, port=port))
+ self.__modify(port, proto, serange, type)
+ else:
+ self.__add(port, proto, serange, type)
self.commit()
+ def __exists(self, port, proto):
+ (k, proto_d, low, high) = self.__genkey(port, proto)
+
+ (rc, exists) = semanage_port_exists(self.sh, k)
+ if rc < 0:
+ raise ValueError(_("Could not check if port {proto}/{port} is defined").format(proto=proto, port=port))
+ semanage_port_key_free(k)
+
+ return exists
+
def __modify(self, port, proto, serange, setype):
if serange == "" and setype == "":
if is_mls_enabled == 1:
@@ -1376,12 +1407,6 @@ class ibpkeyRecords(semanageRecords):
(k, subnet_prefix, low, high) = self.__genkey(pkey, subnet_prefix)
- (rc, exists) = semanage_ibpkey_exists(self.sh, k)
- if rc < 0:
- raise ValueError(_("Could not check if ibpkey %s/%s is defined") % (subnet_prefix, pkey))
- if exists:
- raise ValueError(_("ibpkey %s/%s already defined") % (subnet_prefix, pkey))
-
(rc, p) = semanage_ibpkey_create(self.sh)
if rc < 0:
raise ValueError(_("Could not create ibpkey for %s/%s") % (subnet_prefix, pkey))
@@ -1423,9 +1448,23 @@ class ibpkeyRecords(semanageRecords):
def add(self, pkey, subnet_prefix, serange, type):
self.begin()
- self.__add(pkey, subnet_prefix, serange, type)
+ if self.__exists(pkey, subnet_prefix):
+ print(_("ibpkey {subnet_prefix}/{pkey} already defined, modifying instead").format(subnet_prefix=subnet_prefix, pkey=pkey))
+ self.__modify(pkey, subnet_prefix, serange, type)
+ else:
+ self.__add(pkey, subnet_prefix, serange, type)
self.commit()
+ def __exists(self, pkey, subnet_prefix):
+ (k, subnet_prefix, low, high) = self.__genkey(pkey, subnet_prefix)
+
+ (rc, exists) = semanage_ibpkey_exists(self.sh, k)
+ if rc < 0:
+ raise ValueError(_("Could not check if ibpkey {subnet_prefix}/{pkey} is defined").formnat(subnet_prefix=subnet_prefix, pkey=pkey))
+ semanage_ibpkey_key_free(k)
+
+ return exists
+
def __modify(self, pkey, subnet_prefix, serange, setype):
if serange == "" and setype == "":
if is_mls_enabled == 1:
@@ -1630,12 +1669,6 @@ class ibendportRecords(semanageRecords):
raise ValueError(_("Type %s is invalid, must be an ibendport type") % type)
(k, ibendport, port) = self.__genkey(ibendport, ibdev_name)
- (rc, exists) = semanage_ibendport_exists(self.sh, k)
- if rc < 0:
- raise ValueError(_("Could not check if ibendport %s/%s is defined") % (ibdev_name, port))
- if exists:
- raise ValueError(_("ibendport %s/%s already defined") % (ibdev_name, port))
-
(rc, p) = semanage_ibendport_create(self.sh)
if rc < 0:
raise ValueError(_("Could not create ibendport for %s/%s") % (ibdev_name, port))
@@ -1677,9 +1710,23 @@ class ibendportRecords(semanageRecords):
def add(self, ibendport, ibdev_name, serange, type):
self.begin()
- self.__add(ibendport, ibdev_name, serange, type)
+ if self.__exists(ibendport, ibdev_name):
+ print(_("ibendport {ibdev_name}/{port} already defined, modifying instead").format(ibdev_name=ibdev_name, port=port))
+ self.__modify(ibendport, ibdev_name, serange, type)
+ else:
+ self.__add(ibendport, ibdev_name, serange, type)
self.commit()
+ def __exists(self, ibendport, ibdev_name):
+ (k, ibendport, port) = self.__genkey(ibendport, ibdev_name)
+
+ (rc, exists) = semanage_ibendport_exists(self.sh, k)
+ if rc < 0:
+ raise ValueError(_("Could not check if ibendport {ibdev_name}/{port} is defined").format(ibdev_name=ibdev_name, port=port))
+ semanage_ibendport_key_free(k)
+
+ return exists
+
def __modify(self, ibendport, ibdev_name, serange, setype):
if serange == "" and setype == "":
if is_mls_enabled == 1:
@@ -1891,12 +1938,6 @@ class nodeRecords(semanageRecords):
(rc, k) = semanage_node_key_create(self.sh, addr, mask, proto)
if rc < 0:
raise ValueError(_("Could not create key for %s") % addr)
- if rc < 0:
- raise ValueError(_("Could not check if addr %s is defined") % addr)
-
- (rc, exists) = semanage_node_exists(self.sh, k)
- if exists:
- raise ValueError(_("Addr %s already defined") % addr)
(rc, node) = semanage_node_create(self.sh)
if rc < 0:
@@ -1945,9 +1986,27 @@ class nodeRecords(semanageRecords):
def add(self, addr, mask, proto, serange, ctype):
self.begin()
- self.__add(addr, mask, proto, serange, ctype)
+ if self.__exists(addr, mask, proto):
+ print(_("Addr %s already defined, modifying instead") % addr)
+ self.__modify(addr, mask, proto, serange, ctype)
+ else:
+ self.__add(addr, mask, proto, serange, ctype)
self.commit()
+ def __exists(self, addr, mask, proto):
+ addr, mask, proto = self.validate(addr, mask, proto)
+
+ (rc, k) = semanage_node_key_create(self.sh, addr, mask, proto)
+ if rc < 0:
+ raise ValueError(_("Could not create key for %s") % addr)
+
+ (rc, exists) = semanage_node_exists(self.sh, k)
+ if rc < 0:
+ raise ValueError(_("Could not check if addr %s is defined") % addr)
+ semanage_node_key_free(k)
+
+ return exists
+
def __modify(self, addr, mask, proto, serange, setype):
addr, mask, proto = self.validate(addr, mask, proto)
@@ -2102,12 +2161,6 @@ class interfaceRecords(semanageRecords):
if rc < 0:
raise ValueError(_("Could not create key for %s") % interface)
- (rc, exists) = semanage_iface_exists(self.sh, k)
- if rc < 0:
- raise ValueError(_("Could not check if interface %s is defined") % interface)
- if exists:
- raise ValueError(_("Interface %s already defined") % interface)
-
(rc, iface) = semanage_iface_create(self.sh)
if rc < 0:
raise ValueError(_("Could not create interface for %s") % interface)
@@ -2154,9 +2207,25 @@ class interfaceRecords(semanageRecords):
def add(self, interface, serange, ctype):
self.begin()
- self.__add(interface, serange, ctype)
+ if self.__exists(interface):
+ print(_("Interface %s already defined, modifying instead") % interface)
+ self.__modify(interface, serange, ctype)
+ else:
+ self.__add(interface, serange, ctype)
self.commit()
+ def __exists(self, interface):
+ (rc, k) = semanage_iface_key_create(self.sh, interface)
+ if rc < 0:
+ raise ValueError(_("Could not create key for %s") % interface)
+
+ (rc, exists) = semanage_iface_exists(self.sh, k)
+ if rc < 0:
+ raise ValueError(_("Could not check if interface %s is defined") % interface)
+ semanage_iface_key_free(k)
+
+ return exists
+
def __modify(self, interface, serange, setype):
if serange == "" and setype == "":
raise ValueError(_("Requires setype or serange"))
@@ -2344,7 +2413,13 @@ class fcontextRecords(semanageRecords):
raise ValueError(_("Substitute %s is not valid. Substitute is not allowed to end with '/'") % substitute)
if target in self.equiv.keys():
- raise ValueError(_("Equivalence class for %s already exists") % target)
+ print(_("Equivalence class for %s already exists, modifying instead") % target)
+ self.equiv[target] = substitute
+ self.equal_ind = True
+ self.mylog.log_change("resrc=fcontext op=modify-equal %s %s" % (audit.audit_encode_nv_string("sglob", target, 0), audit.audit_encode_nv_string("tglob", substitute, 0)))
+ self.commit()
+ return
+
self.validate(target)
for fdict in (self.equiv, self.equiv_dist):
@@ -2420,18 +2495,6 @@ class fcontextRecords(semanageRecords):
if rc < 0:
raise ValueError(_("Could not create key for %s") % target)
- (rc, exists) = semanage_fcontext_exists(self.sh, k)
- if rc < 0:
- raise ValueError(_("Could not check if file context for %s is defined") % target)
-
- if not exists:
- (rc, exists) = semanage_fcontext_exists_local(self.sh, k)
- if rc < 0:
- raise ValueError(_("Could not check if file context for %s is defined") % target)
-
- if exists:
- raise ValueError(_("File context for %s already defined") % target)
-
(rc, fcontext) = semanage_fcontext_create(self.sh)
if rc < 0:
raise ValueError(_("Could not create file context for %s") % target)
@@ -2470,9 +2533,30 @@ class fcontextRecords(semanageRecords):
def add(self, target, type, ftype="", serange="", seuser="system_u"):
self.begin()
- self.__add(target, type, ftype, serange, seuser)
+ if self.__exists(target, ftype):
+ print(_("File context for %s already defined, modifying instead") % target)
+ self.__modify(target, type, ftype, serange, seuser)
+ else:
+ self.__add(target, type, ftype, serange, seuser)
self.commit()
+ def __exists(self, target, ftype):
+ (rc, k) = semanage_fcontext_key_create(self.sh, target, file_types[ftype])
+ if rc < 0:
+ raise ValueError(_("Could not create key for %s") % target)
+
+ (rc, exists) = semanage_fcontext_exists(self.sh, k)
+ if rc < 0:
+ raise ValueError(_("Could not check if file context for %s is defined") % target)
+
+ if not exists:
+ (rc, exists) = semanage_fcontext_exists_local(self.sh, k)
+ if rc < 0:
+ raise ValueError(_("Could not check if file context for %s is defined") % target)
+ semanage_fcontext_key_free(k)
+
+ return exists
+
def __modify(self, target, setype, ftype, serange, seuser):
if serange == "" and setype == "" and seuser == "":
raise ValueError(_("Requires setype, serange or seuser"))
--
2.43.0

12
SOURCES/selinux-autorelabel
Unescape View File

@ -51,15 +51,9 @@ relabel_selinux() {
echo $"*** Relabeling could take a very long time, depending on file"
echo $"*** system size and speed of hard drives."
OPTS=`cat /.autorelabel`
# by default, use as many threads as there are available
# another -T X in $OPTS will override the default value
OPTS="-T 0 $OPTS"
[ -x "/usr/sbin/quotaoff" ] && /usr/sbin/quotaoff -aug
echo
echo $"Running: /sbin/fixfiles $OPTS restore"
/sbin/fixfiles $OPTS restore
FORCE=`cat /.autorelabel`
[ -x "/usr/sbin/quotaoff" ] && /usr/sbin/quotaoff -aug
/sbin/fixfiles $FORCE restore
fi
rm -f /.autorelabel

9
SOURCES/selinux-autorelabel-generator.sh
Unescape View File

@ -18,15 +18,6 @@ fi
set_target ()
{
ln -sf "$unitdir/selinux-autorelabel.target" "$earlydir/default.target"
AUTORELABEL="1"
source /etc/selinux/config
if [ "$AUTORELABEL" = "0" ]; then
mkdir -p "$earlydir/selinux-autorelabel.service.d"
cat > "$earlydir/selinux-autorelabel.service.d/tty.conf" <<EOF
[Service]
StandardInput=tty
EOF
fi
}
if selinuxenabled; then

559
SPECS/policycoreutils.spec
Unescape View File

@ -1,7 +1,8 @@
%global libauditver 3.0
%global libsepolver 3.5-1
%global libsemanagever 3.5-1
%global libselinuxver 3.5-1
%global libsepolver 2.9-1
%global libsemanagever 2.9-7
%global libselinuxver 2.9-1
%global sepolgenver 2.9
%global generatorsdir %{_prefix}/lib/systemd/system-generators
@ -10,11 +11,17 @@
Summary: SELinux policy core utilities
Name: policycoreutils
Version: 3.5
Release: 3%{?dist}
License: GPL-2.0-or-later
Version: 2.9
Release: 26%{?dist}
License: GPLv2
# https://github.com/SELinuxProject/selinux/wiki/Releases
Source0: https://github.com/SELinuxProject/selinux/releases/download/3.5/selinux-3.5.tar.gz
Source0: https://github.com/SELinuxProject/selinux/releases/download/20190315/policycoreutils-2.9.tar.gz
Source1: https://github.com/SELinuxProject/selinux/releases/download/20190315/selinux-python-2.9.tar.gz
Source2: https://github.com/SELinuxProject/selinux/releases/download/20190315/selinux-gui-2.9.tar.gz
Source3: https://github.com/SELinuxProject/selinux/releases/download/20190315/selinux-sandbox-2.9.tar.gz
Source4: https://github.com/SELinuxProject/selinux/releases/download/20190315/selinux-dbus-2.9.tar.gz
Source5: https://github.com/SELinuxProject/selinux/releases/download/20190315/semodule-utils-2.9.tar.gz
Source6: https://github.com/SELinuxProject/selinux/releases/download/20190315/restorecond-2.9.tar.gz
URL: https://github.com/SELinuxProject/selinux
Source13: system-config-selinux.png
Source14: sepolicy-icons.tgz
@ -23,41 +30,71 @@ Source16: selinux-autorelabel.service
Source17: selinux-autorelabel-mark.service
Source18: selinux-autorelabel.target
Source19: selinux-autorelabel-generator.sh
# Drop this when upstream updates translations and the package is rebased
# wlc --key <apikey> --url https://translate.fedoraproject.org/api/ download selinux/policycoreutils --output ./
Source20: selinux-policycoreutils.zip
# wlc --key <apikey> --url https://translate.fedoraproject.org/api/ download selinux/python --output ./
Source21: selinux-python.zip
# wlc --key <apikey> --url https://translate.fedoraproject.org/api/ download selinux/gui --output ./
Source22: selinux-gui.zip
# wlc --key <apikey> --url https://translate.fedoraproject.org/api/ download selinux/sandbox --output ./
Source23: selinux-sandbox.zip
# https://github.com/fedora-selinux/selinux
# $ git format-patch -N 3.5 -- policycoreutils python gui sandbox dbus semodule-utils restorecond
Source20: policycoreutils-po.tgz
Source21: python-po.tgz
Source22: gui-po.tgz
Source23: sandbox-po.tgz
# https://gitlab.cee.redhat.com/SELinux/selinux
# $ git format-patch -N 20190315 -- policycoreutils python gui sandbox dbus semodule-utils restorecond
# $ for j in [0-9]*.patch; do printf "Patch%s: %s\n" ${j/-*/} $j; done
# Patch list start
Patch0001: 0001-sandbox-add-reset-to-Xephyr-as-it-works-better-with-.patch
Patch0002: 0002-Fix-STANDARD_FILE_CONTEXT-section-in-man-pages.patch
Patch0003: 0003-If-there-is-no-executable-we-don-t-want-to-print-a-p.patch
Patch0004: 0004-Don-t-be-verbose-if-you-are-not-on-a-tty.patch
Patch0005: 0005-sepolicy-generate-Handle-more-reserved-port-types.patch
Patch0006: 0006-sandbox-Use-matchbox-window-manager-instead-of-openb.patch
Patch0007: 0007-Use-SHA-2-instead-of-SHA-1.patch
Patch0008: 0008-sepolicy-Drop-old-interface-file_type_is_executable-.patch
Patch0009: 0009-python-chcat-Improve-man-pages.patch
Patch0010: 0010-python-audit2allow-Add-missing-options-to-man-page.patch
Patch0011: 0011-python-semanage-Improve-man-pages.patch
Patch0012: 0012-python-audit2allow-Remove-unused-debug-option.patch
Patch0013: 0013-policycoreutils-Add-examples-to-man-pages.patch
Patch0014: 0014-python-sepolicy-Improve-man-pages.patch
Patch0015: 0015-sandbox-Add-examples-to-man-pages.patch
Patch0016: 0016-python-sepolicy-Fix-template-for-confined-user-polic.patch
Patch0017: 0017-python-sepolicy-Fix-spec-file-dependencies.patch
Patch0018: 0018-python-improve-format-strings-for-proper-localizatio.patch
Patch0019: 0019-python-Drop-hard-formating-from-localized-strings.patch
Patch0020: 0020-semanage-Drop-unnecessary-import-from-seobject.patch
Patch0021: 0021-python-update-python.pot.patch
# Patch list end
Patch0001: 0001-gui-Install-polgengui.py-to-usr-bin-selinux-polgengu.patch
Patch0002: 0002-gui-Install-.desktop-files-to-usr-share-applications.patch
Patch0003: 0003-sandbox-add-reset-to-Xephyr-as-it-works-better-with-.patch
Patch0004: 0004-Fix-STANDARD_FILE_CONTEXT-section-in-man-pages.patch
Patch0005: 0005-If-there-is-no-executable-we-don-t-want-to-print-a-p.patch
Patch0006: 0006-Simplication-of-sepolicy-manpage-web-functionality.-.patch
Patch0007: 0007-We-want-to-remove-the-trailing-newline-for-etc-syste.patch
Patch0008: 0008-Fix-title-in-manpage.py-to-not-contain-online.patch
Patch0009: 0009-Don-t-be-verbose-if-you-are-not-on-a-tty.patch
Patch0010: 0010-sepolicy-Drop-old-interface-file_type_is_executable-.patch
Patch0011: 0011-sepolicy-Another-small-optimization-for-mcs-types.patch
Patch0012: 0012-Move-po-translation-files-into-the-right-sub-directo.patch
Patch0013: 0013-Use-correct-gettext-domains-in-python-gui-sandbox.patch
Patch0014: 0014-Initial-.pot-files-for-gui-python-sandbox.patch
# this is too big and it's covered by sources 20 - 23
# Patch0015: 0015-Update-.po-files-from-fedora.zanata.org.patch
Patch0016: 0016-policycoreutils-setfiles-Improve-description-of-d-sw.patch
Patch0017: 0017-sepolicy-generate-Handle-more-reserved-port-types.patch
Patch0018: 0018-semodule-utils-Fix-RESOURCE_LEAK-coverity-scan-defec.patch
Patch0019: 0019-sandbox-Use-matchbox-window-manager-instead-of-openb.patch
Patch0020: 0020-python-Use-ipaddress-instead-of-IPy.patch
Patch0021: 0021-python-semanage-Do-not-traceback-when-the-default-po.patch
Patch0022: 0022-policycoreutils-fixfiles-Fix-B-F-onboot.patch
Patch0023: 0023-policycoreutils-fixfiles-Force-full-relabel-when-SEL.patch
Patch0024: 0024-policycoreutils-fixfiles-Fix-unbound-variable-proble.patch
Patch0025: 0025-gui-Fix-remove-module-in-system-config-selinux.patch
Patch0026: 0026-python-semanage-Do-not-use-default-s0-range-in-seman.patch
Patch0027: 0027-policycoreutils-fixfiles-Fix-verify-option.patch
Patch0028: 0028-python-semanage-Improve-handling-of-permissive-state.patch
Patch0029: 0029-python-semanage-fix-moduleRecords.customized.patch
Patch0030: 0030-python-semanage-Add-support-for-DCCP-and-SCTP-protoc.patch
Patch0031: 0031-dbus-Fix-FileNotFoundError-in-org.selinux.relabel_on.patch
Patch0032: 0032-restorecond-Fix-redundant-console-log-output-error.patch
Patch0033: 0033-python-semanage-empty-stdout-before-exiting-on-Broke.patch
Patch0034: 0034-python-semanage-Sort-imports-in-alphabetical-order.patch
Patch0035: 0035-python-sepolgen-allow-any-policy-statement-in-if-n-d.patch
Patch0036: 0036-setfiles-Do-not-abort-on-labeling-error.patch
Patch0037: 0037-setfiles-drop-ABORT_ON_ERRORS-and-related-code.patch
Patch0038: 0038-policycoreutils-setfiles-Drop-unused-nerr-variable.patch
Patch0039: 0039-selinux-8-5-Describe-fcontext-regular-expressions.patch
Patch0040: 0040-policycoreutils-setfiles-do-not-restrict-checks-agai.patch
Patch0041: 0041-semodule-add-m-checksum-option.patch
Patch0042: 0042-semodule-Fix-lang_ext-column-index.patch
Patch0043: 0043-semodule-Don-t-forget-to-munmap-data.patch
Patch0044: 0044-policycoreutils-Improve-error-message-when-selabel_o.patch
Patch0045: 0045-semodule-libsemanage-move-module-hashing-into-libsem.patch
Patch0046: 0046-semodule-add-command-line-option-to-detect-module-ch.patch
Patch0047: 0047-python-Split-semanage-import-into-two-transactions.patch
Patch0048: 0048-semodule-rename-rebuild-if-modules-changed-to-refres.patch
Patch0049: 0049-python-Harden-tools-against-rogue-modules.patch
Patch0050: 0050-python-Do-not-query-the-local-database-if-the-fconte.patch
Patch0051: 0051-python-sepolicy-add-missing-booleans-to-man-pages.patch
Patch0052: 0052-python-sepolicy-Cache-conditional-rule-queries.patch
Patch0053: 0053-python-Harden-more-tools-against-rogue-modules.patch
Patch0054: 0054-sepolicy-port-to-dnf4-python-API.patch
Patch0056: 0055-python-semanage-Do-not-sort-local-fcontext-definitio.patch
Patch0057: 0056-python-semanage-Allow-modifying-records-on-add.patch
Obsoletes: policycoreutils < 2.0.61-2
Conflicts: filesystem < 3, selinux-policy-base < 3.13.1-138
# initscripts < 9.66 shipped fedora-autorelabel services which are renamed to selinux-relabel
@ -65,12 +102,12 @@ Conflicts: initscripts < 9.66
Provides: /sbin/fixfiles
Provides: /sbin/restorecon
BuildRequires: gcc make
BuildRequires: pam-devel libsepol-static >= %{libsepolver} libsemanage-devel >= %{libsemanagever} libselinux-devel >= %{libselinuxver} libcap-devel audit-libs-devel >= %{libauditver} gettext
BuildRequires: gcc
BuildRequires: pam-devel libsepol-static >= %{libsepolver} libsemanage-static >= %{libsemanagever} libselinux-devel >= %{libselinuxver} libcap-devel audit-libs-devel >= %{libauditver} gettext
BuildRequires: desktop-file-utils dbus-devel dbus-glib-devel
BuildRequires: python3-devel python3-pip
BuildRequires: python3-devel
BuildRequires: systemd
BuildRequires: git-core
BuildRequires: git
Requires: util-linux grep gawk diffutils rpm sed
Requires: libsepol >= %{libsepolver} coreutils libselinux-utils >= %{libselinuxver}
@ -91,7 +128,26 @@ load_policy to load policies, setfiles to label filesystems, newrole
to switch roles.
%prep -p /usr/bin/bash
%autosetup -p 1 -n selinux-%{version}
# create selinux/ directory and extract sources
%autosetup -S git -N -c -n selinux
%autosetup -S git -N -T -D -a 1 -n selinux
%autosetup -S git -N -T -D -a 2 -n selinux
%autosetup -S git -N -T -D -a 3 -n selinux
%autosetup -S git -N -T -D -a 4 -n selinux
%autosetup -S git -N -T -D -a 5 -n selinux
%autosetup -S git -N -T -D -a 6 -n selinux
for i in *; do
git mv $i ${i/-%{version}/}
git commit -q --allow-empty -a --author 'rpm-build <rpm-build>' -m "$i -> ${i/-%{version}/}"
done
for i in selinux-*; do
git mv $i ${i#selinux-}
git commit -q --allow-empty -a --author 'rpm-build <rpm-build>' -m "$i -> ${i#selinux-}"
done
git am %{_sourcedir}/[0-9]*.patch
cp %{SOURCE13} gui/
tar -xvf %{SOURCE14} -C python/sepolicy/
@ -100,20 +156,16 @@ tar -xvf %{SOURCE14} -C python/sepolicy/
# For more information see README.translations
# First remove old translation files
rm -f policycoreutils/po/*.po python/po/*.po gui/po/*.po sandbox/po/*.po
unzip %{SOURCE20}
cp -r selinux/policycoreutils/po policycoreutils
unzip %{SOURCE21}
cp -r selinux/python/po python
unzip %{SOURCE22}
cp -r selinux/gui/po gui
unzip %{SOURCE23}
cp -r selinux/sandbox/po sandbox
%Build
tar -x -f %{SOURCE20} -C policycoreutils -z
tar -x -f %{SOURCE21} -C python -z
tar -x -f %{SOURCE22} -C gui -z
tar -x -f %{SOURCE23} -C sandbox -z
%build
%set_build_flags
export PYTHON=%{__python3}
make -C policycoreutils SBINDIR="%{_sbindir}" LSPP_PRIV=y LIBDIR="%{_libdir}" SEMODULE_PATH="/usr/sbin" LIBSEPOLA="%{_libdir}/libsepol.a" all
make -C policycoreutils LSPP_PRIV=y SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" SEMODULE_PATH="/usr/sbin" LIBSEPOLA="%{_libdir}/libsepol.a" all
make -C python SBINDIR="%{_sbindir}" LSPP_PRIV=y LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" all
make -C gui SBINDIR="%{_sbindir}" LSPP_PRIV=y LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" all
make -C sandbox SBINDIR="%{_sbindir}" LSPP_PRIV=y LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" all
@ -129,19 +181,19 @@ mkdir -p %{buildroot}%{_mandir}/man5
mkdir -p %{buildroot}%{_mandir}/man8
%{__mkdir} -p %{buildroot}/%{_usr}/share/doc/%{name}/
%make_install -C policycoreutils LSPP_PRIV=y SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" SEMODULE_PATH="/usr/sbin" LIBSEPOLA="%{_libdir}/libsepol.a"
make -C policycoreutils LSPP_PRIV=y DESTDIR="%{buildroot}" SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" SEMODULE_PATH="/usr/sbin" LIBSEPOLA="%{_libdir}/libsepol.a" install
%make_install -C python PYTHON=%{__python3} SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a"
make -C python PYTHON=%{__python3} DESTDIR="%{buildroot}" SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" install
%make_install -C gui PYTHON=%{__python3} SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a"
make -C gui PYTHON=%{__python3} DESTDIR="%{buildroot}" SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" install
%make_install -C sandbox PYTHON=%{__python3} SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a"
make -C sandbox PYTHON=%{__python3} DESTDIR="%{buildroot}" SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" install
%make_install -C dbus PYTHON=%{__python3} SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a"
make -C dbus PYTHON=%{__python3} DESTDIR="%{buildroot}" SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" install
%make_install -C semodule-utils PYTHON=%{__python3} SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a"
make -C semodule-utils PYTHON=%{__python3} DESTDIR="%{buildroot}" SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" install
%make_install -C restorecond PYTHON=%{__python3} SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a"
make -C restorecond PYTHON=%{__python3} DESTDIR="%{buildroot}" SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" install
# Fix perms on newrole so that objcopy can process it
chmod 0755 %{buildroot}%{_bindir}/newrole
@ -166,6 +218,27 @@ install -m 644 -p %{SOURCE18} %{buildroot}/%{_unitdir}/
install -m 755 -p %{SOURCE19} %{buildroot}/%{generatorsdir}/
install -m 755 -p %{SOURCE15} %{buildroot}/%{_libexecdir}/selinux/
# change /usr/bin/python to %%{__python3} in policycoreutils-python3
pathfix.py -i "%{__python3} -Es" -p %{buildroot}%{python3_sitelib}
# change /usr/bin/python to %%{__python3} in policycoreutils-python-utils
pathfix.py -i "%{__python3} -EsI" -p \
%{buildroot}%{_sbindir}/semanage \
%{buildroot}%{_bindir}/chcat \
%{buildroot}%{_bindir}/sandbox \
%{buildroot}%{_datadir}/sandbox/start \
%{buildroot}%{_bindir}/audit2allow \
%{buildroot}%{_bindir}/sepolicy \
%{buildroot}%{_bindir}/sepolgen-ifgen \
%{buildroot}%{_datadir}/system-config-selinux/system-config-selinux.py \
%{buildroot}%{_datadir}/system-config-selinux/selinux_server.py \
%nil
# clean up ~ files from pathfix - https://bugzilla.redhat.com/show_bug.cgi?id=1546990
find %{buildroot}%{python3_sitelib} %{buildroot}%{python3_sitearch} \
%{buildroot}%{_sbindir} %{buildroot}%{_bindir} %{buildroot}%{_datadir} \
-type f -name '*~' | xargs rm -f
# Manually invoke the python byte compile macro for each path that needs byte
# compilation.
%py_byte_compile %{__python3} %{buildroot}%{_datadir}/system-config-selinux
@ -188,6 +261,7 @@ an SELinux environment.
%files python-utils
%{_sbindir}/semanage
%{_bindir}/chcat
%{_bindir}/sandbox
%{_bindir}/audit2allow
%{_bindir}/audit2why
%{_mandir}/man1/audit2allow.1*
@ -197,6 +271,8 @@ an SELinux environment.
%{_sysconfdir}/dbus-1/system.d/org.selinux.conf
%{_mandir}/man8/chcat.8*
%{_mandir}/ru/man8/chcat.8*
%{_mandir}/man8/sandbox.8*
%{_mandir}/ru/man8/sandbox.8*
%{_mandir}/man8/semanage*.8*
%{_mandir}/ru/man8/semanage*.8*
%{_datadir}/bash-completion/completions/semanage
@ -204,8 +280,7 @@ an SELinux environment.
%package dbus
Summary: SELinux policy core DBUS api
Requires: python3-policycoreutils = %{version}-%{release}
Requires: python3-gobject-base
Requires: polkit
Requires: python3-slip-dbus
BuildArch: noarch
%description dbus
@ -233,8 +308,7 @@ Requires:python3-libsemanage >= %{libsemanagever} python3-libselinux
# no python3-audit-libs yet
Requires:audit-libs-python3 >= %{libauditver}
Requires: checkpolicy
Requires: python3-setools >= 4.4.0
Requires: python3-distro
Requires: python3-setools >= 4.1.1
BuildArch: noarch
%description -n python3-policycoreutils
@ -265,7 +339,7 @@ by python 3 in an SELinux environment.
Summary: SELinux policy core policy devel utilities
Requires: policycoreutils-python-utils = %{version}-%{release}
Requires: /usr/bin/make dnf
Requires: (selinux-policy-devel if selinux-policy)
Requires: selinux-policy-devel
%description devel
The policycoreutils-devel package contains the management tools use to develop policy in an SELinux environment.
@ -309,11 +383,8 @@ sandboxes
%caps(cap_setpcap,cap_setuid,cap_fowner,cap_dac_override,cap_sys_admin,cap_sys_nice=pe) %{_sbindir}/seunshare
%{_mandir}/man8/seunshare.8*
%{_mandir}/ru/man8/seunshare.8*
%{_bindir}/sandbox
%{_mandir}/man5/sandbox.5*
%{_mandir}/ru/man5/sandbox.5*
%{_mandir}/man8/sandbox.8*
%{_mandir}/ru/man8/sandbox.8*
%package newrole
Summary: The newrole application for RBAC/MLS
@ -376,14 +447,12 @@ system-config-selinux is a utility for managing the SELinux environment
%{_sbindir}/genhomedircon
%{_sbindir}/setsebool
%{_sbindir}/semodule
# symlink to %%{_bindir}/sestatus
%{_sbindir}/sestatus
%{_bindir}/secon
%{_bindir}/semodule_expand
%{_bindir}/semodule_link
%{_bindir}/semodule_package
%{_bindir}/semodule_unpackage
%{_bindir}/sestatus
%{_libexecdir}/selinux/hll
%{_libexecdir}/selinux/selinux-autorelabel
%{_unitdir}/selinux-autorelabel-mark.service
@ -426,7 +495,7 @@ system-config-selinux is a utility for managing the SELinux environment
%dir %{_datadir}/bash-completion
%{_datadir}/bash-completion/completions/setsebool
%{!?_licensedir:%global license %%doc}
%license policycoreutils/LICENSE
%license policycoreutils/COPYING
%doc %{_usr}/share/doc/%{name}
%package restorecond
@ -439,16 +508,14 @@ The policycoreutils-restorecond package contains the restorecond service.
%files restorecond
%{_sbindir}/restorecond
%{_unitdir}/restorecond.service
%{_userunitdir}/restorecond_user.service
%config(noreplace) %{_sysconfdir}/selinux/restorecond.conf
%config(noreplace) %{_sysconfdir}/selinux/restorecond_user.conf
%{_sysconfdir}/xdg/autostart/restorecond.desktop
%{_datadir}/dbus-1/services/org.selinux.Restorecond.service
%{_mandir}/man8/restorecond.8*
%{_mandir}/ru/man8/restorecond.8*
%{!?_licensedir:%global license %%doc}
%license policycoreutils/LICENSE
%license policycoreutils/COPYING
%post
%systemd_post selinux-autorelabel-mark.service
@ -466,293 +533,171 @@ The policycoreutils-restorecond package contains the restorecond service.
%systemd_postun_with_restart restorecond.service
%changelog
* Mon Oct 30 2023 Petr Lautrbach <lautrbach@redhat.com> - 3.5-3
- Update translations
https://translate.fedoraproject.org/projects/selinux/
* Wed Mar 06 2024 Vit Mojzis <vmojzis@redhat.com> - 2.9-26
- python/semanage: Allow modifying records on "add" (RHEL-28167)
- python/semanage: Do not sort local fcontext definitions (RHEL-24461)
* Tue Jun 27 2023 Petr Lautrbach <lautrbach@redhat.com> - 3.5-2
- Improve man pages (RHEL-672)
- Unwrap strings - remove hard returns and initial white spaces from strings (RHEL-606)
* Tue Feb 06 2024 Vit Mojzis <vmojzis@redhat.com> - 2.9-25
- Harden more tools against "rogue" modules (RHEL-17351)
- sepolicy: port to dnf4 python API (RHEL-17398)
* Thu Feb 23 2023 Petr Lautrbach <lautrbach@redhat.com> - 3.5-1
- SELinux userspace 3.5 release
* Wed Feb 15 2023 Vit Mojzis <vmojzis@redhat.com> - 2.9-24
- Update translations (#2124826)
* Tue Feb 14 2023 Petr Lautrbach <lautrbach@redhat.com> - 3.5-0.rc3.1.1
- SELinux userspace 3.5-rc3 release
* Wed Feb 08 2023 Vit Mojzis <vmojzis@redhat.com> - 2.9-23
- python/sepolicy: Cache conditional rule queries (#2155540)
* Wed Feb 8 2023 Petr Lautrbach <lautrbach@redhat.com> - 3.5-0.rc2.3
- Attach tty to selinux-autorelabel.service when AUTORELABEL=0
* Mon Jan 09 2023 Vit Mojzis <vmojzis@redhat.com> - 2.9-22
- python/sepolicy: add missing booleans to man pages (#2155540)
* Thu Jan 26 2023 Vit Mojzis <vmojzis@redhat.com> - 3.5-0.rc2.2
- python/sepolicy: Cache conditional rule queries
* Mon Dec 19 2022 Vit Mojzis <vmojzis@redhat.com> - 2.9-21.1
- python: Harden tools against "rogue" modules (#2128976)
- Update "pathfix" arguments to match ^^^ (#2128976)
- python: Do not query the local database if the fcontext is non-local (#2124825)
* Tue Jan 17 2023 Petr Lautrbach <lautrbach@redhat.com> - 3.5-0.rc2.1
- SELinux userspace 3.5-rc2 release
* Mon Jan 2 2023 Petr Lautrbach <lautrbach@redhat.com> - 3.5-0.rc1.2
- SELinux userspace 3.5-rc1 release
* Tue Sep 06 2022 Vit Mojzis <vmojzis@redhat.com> - 3.4-4
- Update translations (#2062630)
* Mon Aug 8 2022 Petr Lautrbach <plautrba@redhat.com> - 3.4-3
- Run autorelabel in parallel by default
https://fedoraproject.org/wiki/Changes/SELinux_Parallel_Autorelabel
* Mon Jul 18 2022 Petr Lautrbach <plautrba@redhat.com> - 3.4-2
- gettext: handle unsupported languages properly (#2100378)
- semodule: rename --rebuild-if-modules-changed to --refresh
* Thu Jul 07 2022 Vit Mojzis <vmojzis@redhat.com> - 2.9-20
- python: Split "semanage import" into two transactions (#2063353)
- semodule: rename --rebuild-if-modules-changed to --refresh (#2089802)
- selinux-autorelabel: Do not force reboot (#2093133)
* Thu May 19 2022 Petr Lautrbach <plautrba@redhat.com> - 3.4-1
- SELinux userspace 3.4 release
* Tue Feb 15 2022 Petr Lautrbach <plautrba@redhat.com> - 3.3-4.2
- semodule: add command-line option to detect module changes
* Tue Feb 15 2022 Petr Lautrbach <plautrba@redhat.com> - 3.3-5
- Improve error message when selabel_open fails
* Thu Feb 17 2022 Vit Mojzis <vmojzis@redhat.com> - 2.9-19
- semodule: move module hashing into libsemanage (requires libsemanage-2.9-7)
- semodule: add command-line option to detect module changes (#2049189)
* Mon Feb 14 2022 Petr Lautrbach <plautrba@redhat.com> - 3.3-3
- fixfiles: Use parallel relabeling
* Fri Jan 14 2022 Vit Mojzis <vmojzis@redhat.com> - 2.9-18
- Improve error message when selabel_open fails (#1926511)
* Mon Nov 29 2021 Petr Lautrbach <plautrba@redhat.com> - 3.3-2
- setfiles/restorecon: support parallel relabeling with -T <N> option
* Tue Nov 30 2021 Petr Lautrbach <plautrba@redhat.com> - 2.9-17
- semodule: add -m | --checksum option
* Fri Oct 22 2021 Petr Lautrbach <plautrba@redhat.com> - 3.3-1
- SELinux userspace 3.3 release
* Mon Oct 11 2021 Petr Lautrbach <plautrba@redhat.com> - 3.3-0.rc3.1
- SELinux userspace 3.3-rc3 release
* Wed Sep 29 2021 Vit Mojzis <vmojzis@redhat.com> - 3.3-0.rc2.2
- Update translations (#2003127)
* Wed Sep 29 2021 Petr Lautrbach <plautrba@redhat.com> - 3.3-0.rc2.1
- SELinux userspace 3.3-rc2 release
* Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 3.2-7
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688
* Tue Aug 3 2021 Petr Lautrbach <plautrba@redhat.com> - 3.2-6
- Drop forgotten ru/ man pages from -restorecond
* Thu Sep 16 2021 Vit Mojzis <vmojzis@redhat.com> - 2.9-16
- Update translations (#1962009)
* Fri Jul 30 2021 Petr Lautrbach <plautrba@redhat.com> - 3.2-5
- Use SHA-2 instead of SHA-1 (#1934964)
- Fix COPY_PASTE_ERROR (CWE-398)
* Mon Jul 19 2021 Vit Mojzis <vmojzis@redhat.com> - 2.9-15
- setfiles: do not restrict checks against a binary policy (#1973754)
* Thu May 13 2021 Petr Lautrbach <plautrba@redhat.com> - 3.2-4
- policycoreutils-dbus requires polkit
- fixfiles: do not exclude /dev and /run in -C mode
- dbus: use GLib.MainLoop
* Tue Mar 09 2021 Vit Mojzis <vmojzis@redhat.com> - 2.9-14
- Update translations (#1899695)
* Fri Apr 23 2021 Petr Lautrbach <plautrba@redhat.com> - 3.2-3.1
- Do not use Python slip (#1949841)
* Mon Feb 22 2021 Vit Mojzis <vmojzis@redhat.com> - 2.9-13
- selinux(8,5): Describe fcontext regular expressions (#1904059)
* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 3.2-2
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
* Tue Feb 2 2021 Petr Lautrbach <plautrba@redhat.com> - 2.9-12
- setfiles: Do not abort on labeling error (#1794518)
* Mon Mar 8 2021 Petr Lautrbach <plautrba@redhat.com> - 3.2-1
- SELinux userspace 3.2 release
* Wed Jan 27 2021 Vit Mojzis <vmojzis@redhat.com> - 2.9-11
- python/sepolgen: allow any policy statement in if(n)def (#1868717)
* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 3.2-0.rc2.1.1
- Rebuilt for updated systemd-rpm-macros
See https://pagure.io/fesco/issue/2583.
* Sat Jan 16 2021 Vit Mojzis <vmojzis@redhat.com> - 2.9-10
- python/semanage: Sort imports in alphabetical order
- python/semanage: empty stdout before exiting on BrokenPipeError (#1822100)
* Fri Feb 5 2021 Petr Lautrbach <plautrba@redhat.com> - 3.2-0.rc2.1
- SELinux userspace 3.2-rc2 release
* Fri Jan 17 2020 Vit Mojzis <vmojzis@redhat.com> - 2.9-9
- Update translations (#1754978)
* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 3.2-0.rc1.1.1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Thu Nov 21 2019 Vit Mojzis <vmojzis@redhat.com> - 2.9-8
- restorecond: Fix redundant console log output error (#1626468)
* Wed Jan 20 2021 Petr Lautrbach <plautrba@redhat.com> - 3.2-0.rc1.1
- SELinux userspace 3.2-rc1 release
* Tue Nov 19 2019 Petr Lautrbach <plautrba@redhat.com> - 2.9-7
- dbus: Fix FileNotFoundError in org.selinux.relabel_on_boot (#1754873)
* Tue Nov 24 2020 Petr Lautrbach <plautrba@redhat.com> - 3.1-8
- Fix BuildRequires to libsemanage-devel
* Tue Nov 12 2019 Petr Lautrbach <plautrba@redhat.com> - 2.9-6
- Configure autorelabel service to output to journal and to console if set (#1766578)
* Fri Nov 20 2020 Petr Lautrbach <plautrba@redhat.com> - 3.1-7
- python/sepolicy: allow to override manpage date
- selinux_config(5): add a note that runtime disable is deprecated
* Wed Nov 06 2019 Vit Mojzis <vmojzis@redhat.com> - 2.9-5
- fixfiles: Fix "verify" option (#1647532)
- semanage: Improve handling of "permissive" statements (#1417455)
- semanage: fix moduleRecords.customized()
- semanage: Add support for DCCP and SCTP protocols (#1563742)
* Mon Nov 9 2020 Petr Lautrbach <plautrba@redhat.com> - 3.1-6
- Require latest setools
* Wed Sep 4 2019 Petr Lautrbach <plautrba@redhat.com> - 2.9-4
- semanage: Do not use default s0 range in "semanage login -a" (#1554360)
- gui: Fix remove module in system-config-selinux (#1748763)
* Fri Oct 30 2020 Petr Lautrbach <plautrba@redhat.com> - 3.1-5
- Build with libsepol.so.1 and libsemanage.so.2
- Set X-GNOME-HiddenUnderSystemd=true in restorecond.desktop file
- fixfiles: correctly restore context of mountpoints
- sepolgen: print extended permissions in hexadecimal
* Thu Aug 22 2019 Vit Mojzis <vmojzis@redhat.com> - 2.9-3
- fixfiles: Fix unbound variable problem (#1743213)
* Sat Aug 01 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.1-4
- Second attempt - Rebuilt for
https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.1-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Tue Jul 14 2020 Tom Stellard <tstellar@redhat.com> - 3.1-2
- Use make macros
- https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro
* Fri Jul 10 2020 Petr Lautrbach <plautrba@redhat.com> - 3.1-1
- SELinux userspace 3.1 release
* Mon Jun 1 2020 Petr Lautrbach <plautrba@redhat.com> - 3.0-4
- policycoreutils-dbus requires python3-gobject-base
* Sat May 23 2020 Miro Hrončok <mhroncok@redhat.com> - 3.0-3
- Rebuilt for Python 3.9
* Thu Jan 30 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Fri Dec 6 2019 Petr Lautrbach <plautrba@redhat.com> - 3.0-1
- SELinux userspace 3.0 release
* Wed Sep 4 2019 Petr Lautrbach <plautrba@redhat.com> - 2.9-7
- semanage: Do not use default s0 range in "semanage login -a" (#1312283)
* Thu Aug 29 2019 Petr Lautrbach <plautrba@redhat.com> - 2.9-6
- gui: Fix remove module in system-config-selinux (#1740936)
* Fri Aug 23 2019 Petr Lautrbach <plautrba@redhat.com> - 2.9-5
- fixfiles: Fix unbound variable problem
* Fri Aug 16 2019 Miro Hrončok <mhroncok@redhat.com> - 2.9-4
- Rebuilt for Python 3.8
* Mon Aug 5 2019 Petr Lautrbach <plautrba@redhat.com> - 2.9-3
- Drop python2-policycoreutils
- Update ru man page translations
* Tue Jul 2 2019 Petr Lautrbach <plautrba@redhat.com> - 2.9-2
- Update transition
- fixfiles: Fix [-B] [-F] onboot
* Fri Jul 26 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.9-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Mon Mar 18 2019 Petr Lautrbach <plautrba@redhat.com> - 2.9-1
- SELinux userspace 2.9 release
* Mon Mar 11 2019 Petr Lautrbach <plautrba@redhat.com> - 2.9-0.rc2.1
- SELinux userspace 2.9-rc2 release
* Sat Feb 02 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.9-0.rc1.1.1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Fri Jan 25 2019 Petr Lautrbach <plautrba@redhat.com> - 2.9-0.rc1.1
- SELinux userspace 2.9-rc1 release candidate
* Fri Jan 25 2019 Petr Lautrbach <plautrba@redhat.com> - 2.8-17
- python2-policycoreutils requires python2-ipaddress (#1669230)
* Tue Jan 22 2019 Petr Lautrbach <plautrba@redhat.com> - 2.8-16
- restorecond: Install DBUS service file with 644 permissions
* Mon Jan 21 2019 Petr Lautrbach <plautrba@redhat.com> - 2.8-15
- setsebool: support use of -P on SELinux-disabled hosts
- sepolicy: initialize mislabeled_files in __init__()
- audit2allow: use local sepolgen-ifgen-attr-helper for tests
- audit2allow: allow using audit2why as non-root user
- audit2allow/sepolgen-ifgen: show errors on stderr
- audit2allow/sepolgen-ifgen: add missing \n to error message
- sepolgen: close /etc/selinux/sepolgen.conf after parsing it
- sepolicy: Make policy files sorting more robust
- semanage: Load a store policy and set the store SELinux policy root
* Thu Dec 20 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-14
- chcat: fix removing categories on users with Fedora default setup
- semanage: Include MCS/MLS range when exporting local customizations
- semanage: Start exporting "ibendport" and "ibpkey" entries
- semanage: do not show "None" levels when using a non-MLS policy
- sepolicy: Add sepolicy.load_store_policy(store)
- semanage: import sepolicy only when it's needed
* Fri Dec 14 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-16.1
- semanage: move valid_types initialisations to class constructors
- semanage: import sepolicy only when it's needed
- sepolicy: Add sepolicy.load_store_policy(store)
- semanage: Start exporting "ibendport" and "ibpkey" entries
* Mon Dec 10 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-13
* Wed Dec 5 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-15
- chcat: use check_call instead of getstatusoutput
- Use matchbox-window-manager instead of openbox
- Use ipaddress python module instead of IPy
- semanage: Fix handling of -a/-e/-d/-r options
- semanage: Use standard argparse.error() method
- semanage: Fix handling of -a/-e/-d/-r options
* Mon Nov 12 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-12
- sepolicy,semanage: replace aliases with corresponding type names
- sepolicy-generate: Handle more reserved port types
* Tue Dec 4 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-14
- Update translations
* Mon Dec 3 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-13
- Use ipaddress module instead of IPy
* Tue Nov 13 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-12
- Handle more reserved port types
- Replace aliases with corresponding type names
* Thu Nov 8 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-11.1
- Fix RESOURCE_LEAK coverity scan defects
* Tue Oct 16 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-11
* Thu Oct 25 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-10
- sepolicy: Update to work with setools-4.2.0
- gui: Make all polgen button labels translatable
* Tue Oct 16 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-9
- sepolicy: Fix get_real_type_name to handle query failure properly
- sepolicy: search() for dontaudit rules as well
* Tue Oct 2 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-10
- semanage: "semanage user" does not use -s, fix documentation
- semanage: add a missing space in ibendport help
- sepolicy: Update to work with setools-4.2.0
* Mon Oct 15 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-8
- sepolicy: search() for dontaudit rules as well
* Fri Sep 14 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-9
* Fri Sep 14 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-7
- setfiles: Improve description of -d switch
- Fix typo in newrole.1 manpage
- semanage: Stop rejecting aliases in semanage commands
- sepolicy: Stop rejecting aliases in sepolicy commands
- sepolicy: Fix "info" to search aliases as well
- setfiles: Improve description of -d switch
* Wed Sep 12 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-8
- Update translations
* Tue Sep 4 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-7
- Fix typo in newrole.1 manpage
- sepolgen: print all AV rules correctly
- sepolgen: fix access vector initialization
- Add xperms support to audit2allow
- semanage: Stop logging loginRecords changes
- semanage: Fix logger class definition
- semanage: Replace bare except with specific one
- semanage: fix Python syntax of catching several exceptions
- sepolgen: return NotImplemented instead of raising it
- sepolgen: fix refpolicy parsing of "permissive"
- sepolgen: return NotImplemented instead of raising it
- semanage: fix Python syntax of catching several exceptions
- semanage: Replace bare except with specific one
- semanage: Fix logger class definition
- semanage: Stop logging loginRecords changes
- add xperms support to audit2allow
- sepolgen: fix access vector initialization
- sepolgen: print all AV rules correctly
* Mon Aug 6 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-6
- Use split translation files
https://github.com/fedora-selinux/selinux/issues/43
* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.8-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Thu Sep 13 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-6.1
- Update translations
* Mon Jul 02 2018 Miro Hrončok <mhroncok@redhat.com> - 2.8-4
- Rebuilt for Python 3.7
* Tue Jul 24 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-5
- sandbox: Use matchbox-window-manager instead of openbox (#1568295)
* Mon Jun 18 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-3
* Thu Jul 19 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-4
- selinux-autorelabel: Use plymouth --quit rather then --hide-splash (#1592221)
- selinux-autorelabel: Increment boot_indeterminate grub environment variable (#1592221)
- Do not require libcgroup - it's not used anymore
* Tue Jun 26 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-3
- Do not use symlinks to enable selinux-autorelabel-mark.service (#1589720)
* Fri Jun 15 2018 Miro Hrončok <mhroncok@redhat.com> - 2.8-2
- Rebuilt for Python 3.7
* Wed Jun 6 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-2
- Don't build the Python 2 subpackages (#1567354)
* Fri May 25 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-1
* Fri May 25 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-1.1
- SELinux userspace 2.8 release
* Tue May 22 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-0.rc3.2
* Tue May 22 2018 Petr Lautrbach <plautrba@redhat.com> - 2.7-19
- selinux-autorelabel: set UEFI boot order (BootNext) same as BootCurrent
- selinux-autorelabel: synchronize cached writes before reboot (#1385272)
* Tue May 15 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-0.rc3.1
- SELinux userspace 2.8-rc2 release candidate
* Fri May 4 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-0.rc2.1
- SELinux userspace 2.8-rc2 release candidate
* Mon Apr 23 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-0.rc1.1
- SELinux userspace 2.8-rc1 release candidate
* Thu Apr 19 2018 Petr Lautrbach <plautrba@redhat.com> - 2.7-20
- Drop python2 sepolicy gui files from policycoreutils-gui (#1566618)
* Wed Apr 18 2018 Iryna Shcherbina <shcherbina.iryna@gmail.com> - 2.7-19
- Update Python 2 dependency declarations to new packaging standards
(See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3)
* Tue Apr 3 2018 Petr Lautrbach <plautrba@redhat.com> - 2.7-18
- Move semodule_* utilities to policycoreutils package (#1562549)

Write Preview
Loading…
Cancel
Save