Compare commits

...

No commits in common. 'cs10' and 'c9' have entirely different histories.
cs10 ... c9

2
.gitignore vendored

@ -1,4 +1,4 @@
SOURCES/selinux-3.7.tar.gz
SOURCES/selinux-3.5.tar.gz
SOURCES/selinux-gui.zip
SOURCES/selinux-policycoreutils.zip
SOURCES/selinux-python.zip

@ -1,4 +1,4 @@
23d580978cd81f6c9044c130618819bd127d2449 SOURCES/selinux-3.7.tar.gz
28e8c0a58e01436b1c931559da3844d5774f8186 SOURCES/selinux-3.5.tar.gz
c2957ae26fcabe856439915bc03fb7d25c91b724 SOURCES/selinux-gui.zip
8aec9d92a940e35756c4cf66891db7b070e00c5c SOURCES/selinux-policycoreutils.zip
6a9a8a86bf4b66b484533e5a5b91acd9f2ba4ed1 SOURCES/selinux-python.zip

@ -0,0 +1,27 @@
From 31ccf6f0fc5e77870f496fac4bea94a6ba2e5c30 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Thu, 20 Aug 2015 12:58:41 +0200
Subject: [PATCH] sandbox: add -reset to Xephyr as it works better with it in
recent Fedoras
Content-type: text/plain
---
sandbox/sandboxX.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sandbox/sandboxX.sh b/sandbox/sandboxX.sh
index eaa500d08143..4774528027ef 100644
--- a/sandbox/sandboxX.sh
+++ b/sandbox/sandboxX.sh
@@ -20,7 +20,7 @@ cat > ~/.config/openbox/rc.xml << EOF
</openbox_config>
EOF
-(/usr/bin/Xephyr -resizeable -title "$TITLE" -terminate -screen $SCREENSIZE -dpi $DPI -nolisten tcp -displayfd 5 5>&1 2>/dev/null) | while read D; do
+(/usr/bin/Xephyr -resizeable -title "$TITLE" -terminate -reset -screen $SCREENSIZE -dpi $DPI -nolisten tcp -displayfd 5 5>&1 2>/dev/null) | while read D; do
export DISPLAY=:$D
cat > ~/seremote << __EOF
#!/bin/sh
--
2.39.1

@ -0,0 +1,47 @@
From 837c347bbee5db90d11144363525113edc8baed3 Mon Sep 17 00:00:00 2001
From: Dan Walsh <dwalsh@redhat.com>
Date: Mon, 21 Apr 2014 13:54:40 -0400
Subject: [PATCH] Fix STANDARD_FILE_CONTEXT section in man pages
Content-type: text/plain
Signed-off-by: Miroslav Grepl <mgrepl@redhat.com>
---
python/sepolicy/sepolicy/manpage.py | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
index a488dcbf54f2..7d90ffb5a22f 100755
--- a/python/sepolicy/sepolicy/manpage.py
+++ b/python/sepolicy/sepolicy/manpage.py
@@ -679,10 +679,13 @@ Default Defined Ports:""")
def _file_context(self):
flist = []
+ flist_non_exec = []
mpaths = []
for f in self.all_file_types:
if f.startswith(self.domainname):
flist.append(f)
+ if not file_type_is_executable(f) or not file_type_is_entrypoint(f):
+ flist_non_exec.append(f)
if f in self.fcdict:
mpaths = mpaths + self.fcdict[f]["regex"]
if len(mpaths) == 0:
@@ -741,12 +744,12 @@ SELinux %(domainname)s policy is very flexible allowing users to setup their %(d
SELinux defines the file context types for the %(domainname)s, if you wanted to
store files with these types in a different paths, you need to execute the semanage command to specify alternate labeling and then use restorecon to put the labels on disk.
-.B semanage fcontext -a -t %(type)s '/srv/%(domainname)s/content(/.*)?'
+.B semanage fcontext -a -t %(type)s '/srv/my%(domainname)s_content(/.*)?'
.br
.B restorecon -R -v /srv/my%(domainname)s_content
Note: SELinux often uses regular expressions to specify labels that match multiple files.
-""" % {'domainname': self.domainname, "type": flist[0]})
+""" % {'domainname': self.domainname, "type": flist_non_exec[-1]})
self.fd.write(r"""
.I The following file types are defined for %(domainname)s:
--
2.39.1

@ -0,0 +1,28 @@
From f21d5f9316094015c81339d25d69d3dc7150bd8a Mon Sep 17 00:00:00 2001
From: Miroslav Grepl <mgrepl@redhat.com>
Date: Mon, 12 May 2014 14:11:22 +0200
Subject: [PATCH] If there is no executable we don't want to print a part of
STANDARD FILE CONTEXT
Content-type: text/plain
---
python/sepolicy/sepolicy/manpage.py | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
index 7d90ffb5a22f..11809dcede43 100755
--- a/python/sepolicy/sepolicy/manpage.py
+++ b/python/sepolicy/sepolicy/manpage.py
@@ -737,7 +737,8 @@ SELinux %(domainname)s policy is very flexible allowing users to setup their %(d
.PP
""" % {'domainname': self.domainname, 'equiv': e, 'alt': e.split('/')[-1]})
- self.fd.write(r"""
+ if flist_non_exec:
+ self.fd.write(r"""
.PP
.B STANDARD FILE CONTEXT
--
2.39.1

@ -1,4 +1,4 @@
From 7030465cd94d22aef6824e46df69f82b256195c8 Mon Sep 17 00:00:00 2001
From 9e22ab3619d68277c89926f3f31e37a9101ca082 Mon Sep 17 00:00:00 2001
From: Dan Walsh <dwalsh@redhat.com>
Date: Fri, 14 Feb 2014 12:32:12 -0500
Subject: [PATCH] Don't be verbose if you are not on a tty
@ -9,7 +9,7 @@ Content-type: text/plain
1 file changed, 1 insertion(+)
diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles
index cb50fef3ca65..13ac07414c14 100755
index 166af6f360a2..ebe64563c7d7 100755
--- a/policycoreutils/scripts/fixfiles
+++ b/policycoreutils/scripts/fixfiles
@@ -108,6 +108,7 @@ exclude_dirs_from_relabelling() {
@ -21,5 +21,5 @@ index cb50fef3ca65..13ac07414c14 100755
THREADS=""
RPMFILES=""
--
2.44.0
2.39.1

@ -1,178 +0,0 @@
From 4884c917237e53e34d3fc75dcf4f07217cfd7584 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Fri, 30 Jul 2021 14:14:37 +0200
Subject: [PATCH] Use SHA-2 instead of SHA-1
Content-type: text/plain
The use of SHA-1 in RHEL9 is deprecated
---
policycoreutils/setfiles/restorecon.8 | 10 +++++-----
policycoreutils/setfiles/restorecon_xattr.8 | 8 ++++----
policycoreutils/setfiles/restorecon_xattr.c | 12 ++++++------
policycoreutils/setfiles/setfiles.8 | 10 +++++-----
4 files changed, 20 insertions(+), 20 deletions(-)
diff --git a/policycoreutils/setfiles/restorecon.8 b/policycoreutils/setfiles/restorecon.8
index c3cc5c9b0e52..6160aced5922 100644
--- a/policycoreutils/setfiles/restorecon.8
+++ b/policycoreutils/setfiles/restorecon.8
@@ -95,14 +95,14 @@ display usage information and exit.
ignore files that do not exist.
.TP
.B \-I
-ignore digest to force checking of labels even if the stored SHA1 digest
-matches the specfiles SHA1 digest. The digest will then be updated provided
+ignore digest to force checking of labels even if the stored SHA256 digest
+matches the specfiles SHA256 digest. The digest will then be updated provided
there are no errors. See the
.B NOTES
section for further details.
.TP
.B \-D
-Set or update any directory SHA1 digests. Use this option to
+Set or update any directory SHA256 digests. Use this option to
enable usage of the
.IR security.sehash
extended attribute.
@@ -200,7 +200,7 @@ the
.B \-D
option to
.B restorecon
-will cause it to store a SHA1 digest of the default specfiles set in an extended
+will cause it to store a SHA256 digest of the default specfiles set in an extended
attribute named
.IR security.sehash
on each directory specified in
@@ -217,7 +217,7 @@ for further details.
.sp
The
.B \-I
-option will ignore the SHA1 digest from each directory specified in
+option will ignore the SHA256 digest from each directory specified in
.IR pathname \ ...
and provided the
.B \-n
diff --git a/policycoreutils/setfiles/restorecon_xattr.8 b/policycoreutils/setfiles/restorecon_xattr.8
index 51d12a4dbb80..09bfd8c40ab4 100644
--- a/policycoreutils/setfiles/restorecon_xattr.8
+++ b/policycoreutils/setfiles/restorecon_xattr.8
@@ -23,7 +23,7 @@ or
.SH "DESCRIPTION"
.B restorecon_xattr
-will display the SHA1 digests added to extended attributes
+will display the SHA256 digests added to extended attributes
.I security.sehash
or delete the attribute completely. These attributes are set by
.BR restorecon (8)
@@ -48,12 +48,12 @@ extended attribute and are automatically excluded from searches.
.sp
By default
.B restorecon_xattr
-will display the SHA1 digests with "Match" appended if they match the default
+will display the SHA256 digests with "Match" appended if they match the default
specfile set or the
.I specfile
set used with the
.B \-f
-option. Non-matching SHA1 digests will be displayed with "No Match" appended.
+option. Non-matching SHA256 digests will be displayed with "No Match" appended.
This feature can be disabled by the
.B \-n
option.
@@ -87,7 +87,7 @@ Do not append "Match" or "No Match" to displayed digests.
recursively descend directories.
.TP
.B \-v
-display SHA1 digest generated by specfile set (Note that this digest is not
+display SHA256 digest generated by specfile set (Note that this digest is not
used to match the
.I security.sehash
directory digest entries, and is shown for reference only).
diff --git a/policycoreutils/setfiles/restorecon_xattr.c b/policycoreutils/setfiles/restorecon_xattr.c
index 31fb82fd2099..bc22d3fd4560 100644
--- a/policycoreutils/setfiles/restorecon_xattr.c
+++ b/policycoreutils/setfiles/restorecon_xattr.c
@@ -38,7 +38,7 @@ int main(int argc, char **argv)
unsigned int xattr_flags = 0, delete_digest = 0, recurse = 0;
unsigned int delete_all_digests = 0, ignore_mounts = 0;
bool display_digest = false;
- char *sha1_buf, **specfiles, *fc_file = NULL, *pathname = NULL;
+ char *sha256_buf, **specfiles, *fc_file = NULL, *pathname = NULL;
unsigned char *fc_digest = NULL;
size_t i, fc_digest_len = 0, num_specfiles;
@@ -133,8 +133,8 @@ int main(int argc, char **argv)
exit(-1);
}
- sha1_buf = malloc(fc_digest_len * 2 + 1);
- if (!sha1_buf) {
+ sha256_buf = malloc(fc_digest_len * 2 + 1);
+ if (!sha256_buf) {
fprintf(stderr,
"Error allocating digest buffer: %s\n",
strerror(errno));
@@ -143,16 +143,16 @@ int main(int argc, char **argv)
}
for (i = 0; i < fc_digest_len; i++)
- sprintf((&sha1_buf[i * 2]), "%02x", fc_digest[i]);
+ sprintf((&sha256_buf[i * 2]), "%02x", fc_digest[i]);
- printf("specfiles SHA1 digest: %s\n", sha1_buf);
+ printf("specfiles SHA256 digest: %s\n", sha256_buf);
printf("calculated using the following specfile(s):\n");
if (specfiles) {
for (i = 0; i < num_specfiles; i++)
printf("%s\n", specfiles[i]);
}
- free(sha1_buf);
+ free(sha256_buf);
printf("\n");
}
diff --git a/policycoreutils/setfiles/setfiles.8 b/policycoreutils/setfiles/setfiles.8
index ee01725050bb..57c663a99d67 100644
--- a/policycoreutils/setfiles/setfiles.8
+++ b/policycoreutils/setfiles/setfiles.8
@@ -95,14 +95,14 @@ display usage information and exit.
ignore files that do not exist.
.TP
.B \-I
-ignore digest to force checking of labels even if the stored SHA1 digest
-matches the specfiles SHA1 digest. The digest will then be updated provided
+ignore digest to force checking of labels even if the stored SHA256 digest
+matches the specfiles SHA256 digest. The digest will then be updated provided
there are no errors. See the
.B NOTES
section for further details.
.TP
.B \-D
-Set or update any directory SHA1 digests. Use this option to
+Set or update any directory SHA256 digests. Use this option to
enable usage of the
.IR security.sehash
extended attribute.
@@ -261,7 +261,7 @@ the
.B \-D
option to
.B setfiles
-will cause it to store a SHA1 digest of the
+will cause it to store a SHA256 digest of the
.B spec_file
set in an extended attribute named
.IR security.sehash
@@ -282,7 +282,7 @@ for further details.
.sp
The
.B \-I
-option will ignore the SHA1 digest from each directory specified in
+option will ignore the SHA256 digest from each directory specified in
.IR pathname \ ...
and provided the
.B \-n
--
2.44.0

@ -1,4 +1,4 @@
From 856ac05345d8557a38e82d012a4d13b4d34efd6f Mon Sep 17 00:00:00 2001
From be8bd714f37e6114661f02df4ddb7cb7b25cd0a1 Mon Sep 17 00:00:00 2001
From: Masatake YAMATO <yamato@redhat.com>
Date: Thu, 14 Dec 2017 15:57:58 +0900
Subject: [PATCH] sepolicy-generate: Handle more reserved port types
@ -53,7 +53,7 @@ https://lore.kernel.org/selinux/20150610.190635.1866127952891120915.yamato@redha
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/python/sepolicy/sepolicy/generate.py b/python/sepolicy/sepolicy/generate.py
index adf65f27a822..f726ad51b775 100644
index b6df3e91160b..36a3ea1196b1 100644
--- a/python/sepolicy/sepolicy/generate.py
+++ b/python/sepolicy/sepolicy/generate.py
@@ -100,7 +100,9 @@ def get_all_ports():
@ -68,5 +68,5 @@ index adf65f27a822..f726ad51b775 100644
dict[(p['low'], p['high'], p['protocol'])] = (p['type'], p.get('range'))
return dict
--
2.44.0
2.39.1

@ -1,4 +1,4 @@
From 8f7a90cb77a79aaef2ceca75bc25679a7b17ff98 Mon Sep 17 00:00:00 2001
From f4b78eeb59ae1ef4b5926c004debce04ee28dfe7 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Wed, 18 Jul 2018 09:09:35 +0200
Subject: [PATCH] sandbox: Use matchbox-window-manager instead of openbox
@ -11,7 +11,7 @@ Content-type: text/plain
3 files changed, 3 insertions(+), 17 deletions(-)
diff --git a/sandbox/sandbox b/sandbox/sandbox
index e3fd6119ed4d..e01425f0c637 100644
index a2762a7d215a..a32a33ea3cf6 100644
--- a/sandbox/sandbox
+++ b/sandbox/sandbox
@@ -270,7 +270,7 @@ class Sandbox:
@ -23,7 +23,7 @@ index e3fd6119ed4d..e01425f0c637 100644
execfile = self.__homedir + "/.sandboxrc"
fd = open(execfile, "w+")
if self.__options.session:
@@ -370,7 +370,7 @@ sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [-
@@ -369,7 +369,7 @@ sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [-
parser.add_option("-W", "--windowmanager", dest="wm",
type="string",
@ -33,7 +33,7 @@ index e3fd6119ed4d..e01425f0c637 100644
parser.add_option("-l", "--level", dest="level",
diff --git a/sandbox/sandbox.8 b/sandbox/sandbox.8
index 095b9e27042d..1c1870190e51 100644
index 1ee0ecea96d1..775e4b231204 100644
--- a/sandbox/sandbox.8
+++ b/sandbox/sandbox.8
@@ -80,7 +80,7 @@ Specifies the windowsize when creating an X based Sandbox. The default windowsiz
@ -46,11 +46,11 @@ index 095b9e27042d..1c1870190e51 100644
\fB\-X\fR
Create an X based Sandbox for gui apps, temporary files for
diff --git a/sandbox/sandboxX.sh b/sandbox/sandboxX.sh
index 28169182ce42..e2a7ad9b2ac7 100644
index 4774528027ef..c211ebc14549 100644
--- a/sandbox/sandboxX.sh
+++ b/sandbox/sandboxX.sh
@@ -7,20 +7,6 @@ export TITLE="Sandbox $context -- `grep ^#TITLE: ~/.sandboxrc | /usr/bin/cut -b8
[ -z $3 ] && export DPI="96" || export DPI="$3"
@@ -6,20 +6,6 @@ export TITLE="Sandbox $context -- `grep ^#TITLE: ~/.sandboxrc | /usr/bin/cut -b8
[ -z $2 ] && export DPI="96" || export DPI="$2"
trap "exit 0" HUP
-mkdir -p ~/.config/openbox
@ -67,9 +67,9 @@ index 28169182ce42..e2a7ad9b2ac7 100644
-</openbox_config>
-EOF
-
if [ "$WAYLAND_NATIVE" == "no" ]; then
if [ -z "$WAYLAND_DISPLAY" ]; then
DISPLAY_COMMAND='/usr/bin/Xephyr -resizeable -title "$TITLE" -terminate -screen $SCREENSIZE -dpi $DPI -nolisten tcp -displayfd 5 5>&1 2>/dev/null'
(/usr/bin/Xephyr -resizeable -title "$TITLE" -terminate -reset -screen $SCREENSIZE -dpi $DPI -nolisten tcp -displayfd 5 5>&1 2>/dev/null) | while read D; do
export DISPLAY=:$D
cat > ~/seremote << __EOF
--
2.44.0
2.39.1

@ -1,44 +0,0 @@
From dc3eca6bd964e545fda4a1e19d07c26a347c5d9a Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <lautrbach@redhat.com>
Date: Mon, 19 Aug 2024 19:51:51 +0200
Subject: [PATCH] sepolgen-ifgen: allow M4 escaped filenames
Content-type: text/plain
When a file name in type transition rule used in an interface is same as
a keyword, it needs to be M4 escaped so that the keyword is not expanded
by M4, e.g.
- filetrans_pattern($1, virt_var_run_t, virtinterfaced_var_run_t, dir, "interface")
+ filetrans_pattern($1, virt_var_run_t, virtinterfaced_var_run_t, dir, "``interface''")
But sepolgen-ifgen could not parse such string:
# sepolgen-ifgen
Illegal character '`'
This change allows M4 escaping inside quoted strings and fixed described
problem.
https://bugzilla.redhat.com/show_bug.cgi?id=2254206
Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>
---
python/sepolgen/src/sepolgen/refparser.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/python/sepolgen/src/sepolgen/refparser.py b/python/sepolgen/src/sepolgen/refparser.py
index e261d3f78f87..9622ee9a29ce 100644
--- a/python/sepolgen/src/sepolgen/refparser.py
+++ b/python/sepolgen/src/sepolgen/refparser.py
@@ -261,7 +261,7 @@ def t_IDENTIFIER(t):
return t
def t_FILENAME(t):
- r'\"[a-zA-Z0-9_\-\+\.\$\*~ :\[\]]+\"'
+ r'\"`*[a-zA-Z0-9_\-\+\.\$\*~ :\[\]]+\'*\"'
# Handle any keywords
t.type = reserved.get(t.value,'FILENAME')
return t
--
2.46.0

@ -0,0 +1,298 @@
From 604a275f53750e4c1e1101bd53c4fd448cc0b5e3 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Fri, 30 Jul 2021 14:14:37 +0200
Subject: [PATCH] Use SHA-2 instead of SHA-1
Content-type: text/plain
The use of SHA-1 in RHEL9 is deprecated
---
policycoreutils/setfiles/restorecon.8 | 10 +++++-----
policycoreutils/setfiles/restorecon_xattr.8 | 8 ++++----
policycoreutils/setfiles/restorecon_xattr.c | 12 ++++++------
policycoreutils/setfiles/ru/restorecon.8 | 8 ++++----
policycoreutils/setfiles/ru/restorecon_xattr.8 | 10 +++++-----
policycoreutils/setfiles/ru/setfiles.8 | 8 ++++----
policycoreutils/setfiles/setfiles.8 | 10 +++++-----
7 files changed, 33 insertions(+), 33 deletions(-)
diff --git a/policycoreutils/setfiles/restorecon.8 b/policycoreutils/setfiles/restorecon.8
index e07db2c87dc4..dbd55ce7c512 100644
--- a/policycoreutils/setfiles/restorecon.8
+++ b/policycoreutils/setfiles/restorecon.8
@@ -95,14 +95,14 @@ display usage information and exit.
ignore files that do not exist.
.TP
.B \-I
-ignore digest to force checking of labels even if the stored SHA1 digest
-matches the specfiles SHA1 digest. The digest will then be updated provided
+ignore digest to force checking of labels even if the stored SHA256 digest
+matches the specfiles SHA256 digest. The digest will then be updated provided
there are no errors. See the
.B NOTES
section for further details.
.TP
.B \-D
-Set or update any directory SHA1 digests. Use this option to
+Set or update any directory SHA256 digests. Use this option to
enable usage of the
.IR security.sehash
extended attribute.
@@ -200,7 +200,7 @@ the
.B \-D
option to
.B restorecon
-will cause it to store a SHA1 digest of the default specfiles set in an extended
+will cause it to store a SHA256 digest of the default specfiles set in an extended
attribute named
.IR security.sehash
on each directory specified in
@@ -217,7 +217,7 @@ for further details.
.sp
The
.B \-I
-option will ignore the SHA1 digest from each directory specified in
+option will ignore the SHA256 digest from each directory specified in
.IR pathname \ ...
and provided the
.B \-n
diff --git a/policycoreutils/setfiles/restorecon_xattr.8 b/policycoreutils/setfiles/restorecon_xattr.8
index e04528e60824..4b1ce304d995 100644
--- a/policycoreutils/setfiles/restorecon_xattr.8
+++ b/policycoreutils/setfiles/restorecon_xattr.8
@@ -23,7 +23,7 @@ or
.SH "DESCRIPTION"
.B restorecon_xattr
-will display the SHA1 digests added to extended attributes
+will display the SHA256 digests added to extended attributes
.I security.sehash
or delete the attribute completely. These attributes are set by
.BR restorecon (8)
@@ -48,12 +48,12 @@ extended attribute and are automatically excluded from searches.
.sp
By default
.B restorecon_xattr
-will display the SHA1 digests with "Match" appended if they match the default
+will display the SHA256 digests with "Match" appended if they match the default
specfile set or the
.I specfile
set used with the
.B \-f
-option. Non-matching SHA1 digests will be displayed with "No Match" appended.
+option. Non-matching SHA256 digests will be displayed with "No Match" appended.
This feature can be disabled by the
.B \-n
option.
@@ -87,7 +87,7 @@ Do not append "Match" or "No Match" to displayed digests.
recursively descend directories.
.TP
.B \-v
-display SHA1 digest generated by specfile set (Note that this digest is not
+display SHA256 digest generated by specfile set (Note that this digest is not
used to match the
.I security.sehash
directory digest entries, and is shown for reference only).
diff --git a/policycoreutils/setfiles/restorecon_xattr.c b/policycoreutils/setfiles/restorecon_xattr.c
index 31fb82fd2099..bc22d3fd4560 100644
--- a/policycoreutils/setfiles/restorecon_xattr.c
+++ b/policycoreutils/setfiles/restorecon_xattr.c
@@ -38,7 +38,7 @@ int main(int argc, char **argv)
unsigned int xattr_flags = 0, delete_digest = 0, recurse = 0;
unsigned int delete_all_digests = 0, ignore_mounts = 0;
bool display_digest = false;
- char *sha1_buf, **specfiles, *fc_file = NULL, *pathname = NULL;
+ char *sha256_buf, **specfiles, *fc_file = NULL, *pathname = NULL;
unsigned char *fc_digest = NULL;
size_t i, fc_digest_len = 0, num_specfiles;
@@ -133,8 +133,8 @@ int main(int argc, char **argv)
exit(-1);
}
- sha1_buf = malloc(fc_digest_len * 2 + 1);
- if (!sha1_buf) {
+ sha256_buf = malloc(fc_digest_len * 2 + 1);
+ if (!sha256_buf) {
fprintf(stderr,
"Error allocating digest buffer: %s\n",
strerror(errno));
@@ -143,16 +143,16 @@ int main(int argc, char **argv)
}
for (i = 0; i < fc_digest_len; i++)
- sprintf((&sha1_buf[i * 2]), "%02x", fc_digest[i]);
+ sprintf((&sha256_buf[i * 2]), "%02x", fc_digest[i]);
- printf("specfiles SHA1 digest: %s\n", sha1_buf);
+ printf("specfiles SHA256 digest: %s\n", sha256_buf);
printf("calculated using the following specfile(s):\n");
if (specfiles) {
for (i = 0; i < num_specfiles; i++)
printf("%s\n", specfiles[i]);
}
- free(sha1_buf);
+ free(sha256_buf);
printf("\n");
}
diff --git a/policycoreutils/setfiles/ru/restorecon.8 b/policycoreutils/setfiles/ru/restorecon.8
index 9be3a63db356..745135020f4b 100644
--- a/policycoreutils/setfiles/ru/restorecon.8
+++ b/policycoreutils/setfiles/ru/restorecon.8
@@ -82,11 +82,11 @@ restorecon \- восстановить SELinux-контексты безопас
игнорировать файлы, которые не существуют.
.TP
.B \-I
-игнорировать дайджест, чтобы принудительно проверить метки, даже если хранимый дайджест SHA1 соответствует дайджесту SHA1 файлов спецификации. Затем (при условии отсутствия ошибок) дайджест будет обновлён. Более подробные сведения доступны в разделе
+игнорировать дайджест, чтобы принудительно проверить метки, даже если хранимый дайджест SHA256 соответствует дайджесту SHA256 файлов спецификации. Затем (при условии отсутствия ошибок) дайджест будет обновлён. Более подробные сведения доступны в разделе
.B ПРИМЕЧАНИЯ.
.TP
.B \-D
-установить или обновить дайджесты SHA1 для любых каталогов. Используйте этот параметр, чтобы включить использование расширенного атрибута
+установить или обновить дайджесты SHA256 для любых каталогов. Используйте этот параметр, чтобы включить использование расширенного атрибута
.IR security.restorecon_last.
.TP
.B \-m
@@ -159,7 +159,7 @@ GNU
.B \-D
команды
.B restorecon
-обеспечит сохранение дайджеста SHA1 файлов спецификации по умолчанию в расширенном атрибуте с именем
+обеспечит сохранение дайджеста SHA256 файлов спецификации по умолчанию в расширенном атрибуте с именем
.IR security.restorecon_last
для каталогов, указанных в соответствующих путях
.IR pathname \ ...
@@ -173,7 +173,7 @@ GNU
.sp
Параметр
.B \-I
-позволяет игнорировать дайджест SHA1 из каждого каталога, указанного в
+позволяет игнорировать дайджест SHA256 из каждого каталога, указанного в
.IR pathname \ ...
, и, при условии, что НЕ установлен параметр
.B \-n
diff --git a/policycoreutils/setfiles/ru/restorecon_xattr.8 b/policycoreutils/setfiles/ru/restorecon_xattr.8
index 41c441b8c5c2..25c4c3033334 100644
--- a/policycoreutils/setfiles/ru/restorecon_xattr.8
+++ b/policycoreutils/setfiles/ru/restorecon_xattr.8
@@ -23,7 +23,7 @@ restorecon_xattr \- управление записями расширенных
.SH "ОПИСАНИЕ"
.B restorecon_xattr
-покажет дайджесты SHA1, добавленные в расширенные атрибуты
+покажет дайджесты SHA256, добавленные в расширенные атрибуты
.I security.restorecon_last,
или полностью удалит эти атрибуты. Эти атрибуты устанавливаются командой
.BR restorecon (8)
@@ -47,11 +47,11 @@ restorecon_xattr \- управление записями расширенных
.sp
По умолчанию
.B restorecon_xattr
-показывает дайджесты SHA1, добавляя в конце "Match", если они соответствуют установленному по умолчанию файлу спецификации или файлу спецификации
+показывает дайджесты SHA256, добавляя в конце "Match", если они соответствуют установленному по умолчанию файлу спецификации или файлу спецификации
.I specfile,
который установлен с помощью параметра
.B \-f.
-Несоответствующие дайджесты SHA1 будут показаны с добавлением "No Match" в конце.
+Несоответствующие дайджесты SHA256 будут показаны с добавлением "No Match" в конце.
Эту возможность можно отключить с помощью параметра
.B \-n.
@@ -81,7 +81,7 @@ restorecon_xattr \- управление записями расширенных
рекурсивно спускаться по каталогам.
.TP
.B \-v
-показать дайджест SHA1, созданный установленным файлом спецификации.
+показать дайджест SHA256, созданный установленным файлом спецификации.
.TP
.B \-e
.I directory
@@ -97,7 +97,7 @@ restorecon_xattr \- управление записями расширенных
.BR file_contexts (5).
Он будет использоваться
.BR selabel_open (3)
-для получения набора записей меток; получение дайджеста SHA1 выполняется с помощью
+для получения набора записей меток; получение дайджеста SHA256 выполняется с помощью
.BR selabel_digest (3).
Если этот параметр не указан, будет использоваться файл file_contexts по умолчанию.
diff --git a/policycoreutils/setfiles/ru/setfiles.8 b/policycoreutils/setfiles/ru/setfiles.8
index 910101452625..7f2daa09191b 100644
--- a/policycoreutils/setfiles/ru/setfiles.8
+++ b/policycoreutils/setfiles/ru/setfiles.8
@@ -69,11 +69,11 @@ setfiles \- установить SELinux-контексты безопаснос
игнорировать файлы, которые не существуют.
.TP
.B \-I
-игнорировать дайджест, чтобы принудительно проверить метки, даже если хранимый дайджест SHA1 соответствует дайджесту SHA1 файлов спецификации. Затем (при условии отсутствия ошибок) дайджест будет обновлён. Более подробные сведения доступны в разделе
+игнорировать дайджест, чтобы принудительно проверить метки, даже если хранимый дайджест SHA256 соответствует дайджесту SHA256 файлов спецификации. Затем (при условии отсутствия ошибок) дайджест будет обновлён. Более подробные сведения доступны в разделе
.B ПРИМЕЧАНИЯ.
.TP
.B \-D
-установить или обновить дайджесты SHA1 для любых каталогов. Используйте этот параметр, чтобы включить использование расширенного атрибута
+установить или обновить дайджесты SHA256 для любых каталогов. Используйте этот параметр, чтобы включить использование расширенного атрибута
.IR security.restorecon_last.
.TP
.B \-l
@@ -186,7 +186,7 @@ GNU
.B \-D
команды
.B setfiles .
-Он обеспечивает сохранение дайджеста SHA1 файла спецификации
+Он обеспечивает сохранение дайджеста SHA256 файла спецификации
.B spec_file
в расширенном атрибуте с именем
.IR security.restorecon_last
@@ -204,7 +204,7 @@ GNU
.sp
Параметр
.B \-I
-позволяет игнорировать дайджест SHA1 из каждого каталога, указанного в
+позволяет игнорировать дайджест SHA256 из каждого каталога, указанного в
.IR pathname \ ...
, и, при условии, что НЕ установлен параметр
.B \-n
diff --git a/policycoreutils/setfiles/setfiles.8 b/policycoreutils/setfiles/setfiles.8
index bf26e161a71d..36fe6b369548 100644
--- a/policycoreutils/setfiles/setfiles.8
+++ b/policycoreutils/setfiles/setfiles.8
@@ -95,14 +95,14 @@ display usage information and exit.
ignore files that do not exist.
.TP
.B \-I
-ignore digest to force checking of labels even if the stored SHA1 digest
-matches the specfiles SHA1 digest. The digest will then be updated provided
+ignore digest to force checking of labels even if the stored SHA256 digest
+matches the specfiles SHA256 digest. The digest will then be updated provided
there are no errors. See the
.B NOTES
section for further details.
.TP
.B \-D
-Set or update any directory SHA1 digests. Use this option to
+Set or update any directory SHA256 digests. Use this option to
enable usage of the
.IR security.sehash
extended attribute.
@@ -261,7 +261,7 @@ the
.B \-D
option to
.B setfiles
-will cause it to store a SHA1 digest of the
+will cause it to store a SHA256 digest of the
.B spec_file
set in an extended attribute named
.IR security.sehash
@@ -282,7 +282,7 @@ for further details.
.sp
The
.B \-I
-option will ignore the SHA1 digest from each directory specified in
+option will ignore the SHA256 digest from each directory specified in
.IR pathname \ ...
and provided the
.B \-n
--
2.39.1

@ -0,0 +1,64 @@
From b9b94a3254905518f00c4746c0bd712921af31cb Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Mon, 27 Feb 2017 17:12:39 +0100
Subject: [PATCH] sepolicy: Drop old interface file_type_is_executable(f) and
file_type_is_entrypoint(f)
Content-type: text/plain
- use direct queries
- load exec_types and entry_types only once
---
python/sepolicy/sepolicy/manpage.py | 22 ++++++++++++++++++++--
1 file changed, 20 insertions(+), 2 deletions(-)
diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
index 11809dcede43..543fef6c8d13 100755
--- a/python/sepolicy/sepolicy/manpage.py
+++ b/python/sepolicy/sepolicy/manpage.py
@@ -127,8 +127,24 @@ def gen_domains():
domains.sort()
return domains
-types = None
+exec_types = None
+
+def _gen_exec_types():
+ global exec_types
+ if exec_types is None:
+ exec_types = next(sepolicy.info(sepolicy.ATTRIBUTE, "exec_type"))["types"]
+ return exec_types
+
+entry_types = None
+
+def _gen_entry_types():
+ global entry_types
+ if entry_types is None:
+ entry_types = next(sepolicy.info(sepolicy.ATTRIBUTE, "entry_type"))["types"]
+ return entry_types
+
+types = None
def _gen_types():
global types
@@ -368,6 +384,8 @@ class ManPage:
self.all_file_types = sepolicy.get_all_file_types()
self.role_allows = sepolicy.get_all_role_allows()
self.types = _gen_types()
+ self.exec_types = _gen_exec_types()
+ self.entry_types = _gen_entry_types()
if self.source_files:
self.fcpath = self.root + "file_contexts"
@@ -684,7 +702,7 @@ Default Defined Ports:""")
for f in self.all_file_types:
if f.startswith(self.domainname):
flist.append(f)
- if not file_type_is_executable(f) or not file_type_is_entrypoint(f):
+ if f not in self.exec_types or f not in self.entry_types:
flist_non_exec.append(f)
if f in self.fcdict:
mpaths = mpaths + self.fcdict[f]["regex"]
--
2.39.1

@ -0,0 +1,75 @@
From 09ad91e1fb8640e48cef895ead49d9c770016915 Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com>
Date: Thu, 4 May 2023 14:04:47 +0200
Subject: [PATCH] python/chcat: Improve man pages
Content-type: text/plain
- Explain applying range/list of categories
- "-d" removes all categories of given file/user
- Add examples
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
---
python/chcat/chcat.8 | 23 ++++++++++++++++-------
1 file changed, 16 insertions(+), 7 deletions(-)
diff --git a/python/chcat/chcat.8 b/python/chcat/chcat.8
index d095a2558d3a..3e1f7ca23361 100644
--- a/python/chcat/chcat.8
+++ b/python/chcat/chcat.8
@@ -1,6 +1,6 @@
.TH CHCAT "8" "September 2005" "chcat" "User Commands"
.SH NAME
-chcat \- change file SELinux security category
+chcat \- change SELinux security categories of files/users
.SH SYNOPSIS
.B chcat
\fIcategory file\fR...
@@ -25,23 +25,33 @@ chcat \- change file SELinux security category
.br
.SH DESCRIPTION
.PP
-Change/Remove the security \fIcategory\fR for each \fIfile\fR or \fIuser\fR.
-.PP
-Use +/- to add/remove categories from a \fIfile\fR or \fIuser\fR.
+Use +/- to add/remove categories from a \fIfile\fR or \fIuser\fR (only a single category can be specified at a time). Or specify the desired list/range of categories to be applied (replacing the existing categories).
.PP
.B
Note:
-When removing a category you must specify '\-\-' on the command line before using the \-Category syntax. This tells the command that you have finished entering options and are now specifying a category name instead.
+When removing a category you must specify '\-\-' on the command line before using the \-Category syntax. This tells the command that you have finished entering options and are now specifying a category name instead.
.TP
\fB\-d\fR
-delete the category from each FILE/USER.
+delete all categories from given FILE/USER.
.TP
\fB\-L\fR
list available categories.
.TP
\fB\-l\fR
Tells chcat to operate on users instead of files.
+
+.SH EXAMPLE
+.nf
+Replace categories of user "test" with c0.c6
+# chcat -l c0.c6 test
+Add category c1023 to user "test"
+# chcat -l +c1023 test
+Remove category c5 from file "file"
+# chcat -- -c5 file
+Remove all categories from file "file"
+# chcat -d file
+
.SH "SEE ALSO"
.TP
chcon(1), selinux(8), semanage(8)
@@ -52,4 +62,3 @@ When operating on files this script wraps the chcon command.
/etc/selinux/{SELINUXTYPE}/setrans.conf
.br
/etc/selinux/{SELINUXTYPE}/seusers
-
--
2.41.0

@ -0,0 +1,80 @@
From b67240b8663c3df471e8ce06b087ec7fb8b9d57c Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com>
Date: Thu, 4 May 2023 14:04:48 +0200
Subject: [PATCH] python/audit2allow: Add missing options to man page
Content-type: text/plain
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
---
python/audit2allow/audit2allow.1 | 24 +++++++++++++++++++-----
1 file changed, 19 insertions(+), 5 deletions(-)
diff --git a/python/audit2allow/audit2allow.1 b/python/audit2allow/audit2allow.1
index 04ec32398011..c31021d39489 100644
--- a/python/audit2allow/audit2allow.1
+++ b/python/audit2allow/audit2allow.1
@@ -40,10 +40,10 @@
Read input from audit and message log, conflicts with \-i
.TP
.B "\-b" | "\-\-boot"
-Read input from audit messages since last boot conflicts with \-i
+Read input from audit messages since last boot, conflicts with \-i
.TP
.B "\-d" | "\-\-dmesg"
-Read input from output of
+Read input from output of
.I /bin/dmesg.
Note that all audit messages are not available via dmesg when
auditd is running; use "ausearch \-m avc | audit2allow" or "\-a" instead.
@@ -51,15 +51,22 @@ auditd is running; use "ausearch \-m avc | audit2allow" or "\-a" instead.
.B "\-D" | "\-\-dontaudit"
Generate dontaudit rules (Default: allow)
.TP
+.B "\-e" | "\-\-explain"
+Fully explain generated output
+.TP
.B "\-h" | "\-\-help"
Print a short usage message
.TP
.B "\-i <inputfile>" | "\-\-input <inputfile>"
-read input from
+Read input from
.I <inputfile>
.TP
+.B "\-\-interface-info=<interface_info_file>"
+Read interface information from
+.I <interface_info_file>
+.TP
.B "\-l" | "\-\-lastreload"
-read input only after last policy reload
+Read input only after last policy reload
.TP
.B "\-m <modulename>" | "\-\-module <modulename>"
Generate module/require output <modulename>
@@ -70,8 +77,12 @@ Generate loadable module package, conflicts with \-o
.B "\-p <policyfile>" | "\-\-policy <policyfile>"
Policy file to use for analysis
.TP
+.B "\-\-perm-map <perm_map_file>"
+Read permission map from
+.I <perm_map_file>
+.TP
.B "\-o <outputfile>" | "\-\-output <outputfile>"
-append output to
+Append output to
.I <outputfile>
.TP
.B "\-r" | "\-\-requires"
@@ -85,6 +96,9 @@ This is the default behavior.
Generate reference policy using installed macros.
This attempts to match denials against interfaces and may be inaccurate.
.TP
+.B "\-t <type_regex>" | "\-\-type=<type_regex>"
+Only process messages with a type that matches this regex
+.TP
.B "\-x" | "\-\-xperms"
Generate extended permission access vector rules
.TP
--
2.41.0

@ -0,0 +1,465 @@
From 4ebc1057f6e5494909045bbcc7ea8896bd32a094 Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com>
Date: Thu, 4 May 2023 14:04:49 +0200
Subject: [PATCH] python/semanage: Improve man pages
Content-type: text/plain
- Add missing options
- Add more examples
- Note special cases
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
---
python/semanage/semanage-boolean.8 | 9 ++++++---
python/semanage/semanage-dontaudit.8 | 8 +++++---
python/semanage/semanage-export.8 | 10 +++++++++-
python/semanage/semanage-fcontext.8 | 17 +++++++++++------
python/semanage/semanage-ibendport.8 | 6 ++++--
python/semanage/semanage-ibpkey.8 | 6 ++++--
python/semanage/semanage-import.8 | 10 +++++++++-
python/semanage/semanage-interface.8 | 8 ++++++--
python/semanage/semanage-login.8 | 14 ++++++++------
python/semanage/semanage-module.8 | 15 ++++++++++-----
python/semanage/semanage-node.8 | 16 +++++++++++++---
python/semanage/semanage-permissive.8 | 8 +++++---
python/semanage/semanage-port.8 | 10 ++++++----
python/semanage/semanage-user.8 | 8 +++++---
14 files changed, 101 insertions(+), 44 deletions(-)
diff --git a/python/semanage/semanage-boolean.8 b/python/semanage/semanage-boolean.8
index 1282d10626ff..3b664023d3fe 100644
--- a/python/semanage/semanage-boolean.8
+++ b/python/semanage/semanage-boolean.8
@@ -7,11 +7,14 @@ semanage\-boolean \- SELinux Policy Management boolean tool
.SH "DESCRIPTION"
semanage is used to configure certain elements of
SELinux policy without requiring modification to or recompilation
-from policy sources. semanage boolean command controls the settings of booleans in SELinux policy. booleans are if\-then\-else rules written in SELinux Policy. They can be used to customize the way that SELinux Policy rules effect a confined domain.
+from policy sources.
+.B semanage boolean
+command controls the settings of booleans in SELinux policy. Booleans are if\-then\-else rules written in SELinux Policy. They can be used to customize the way that SELinux Policy rules effect a confined domain.
+
.SH "OPTIONS"
.TP
.I \-h, \-\-help
-show this help message and exit
+Show this help message and exit
.TP
.I \-n, \-\-noheading
Do not print heading when listing the specified object type
@@ -45,7 +48,7 @@ Disable the boolean
.SH EXAMPLE
.nf
-Turn on the apache can send mail boolean
+Turn on the "apache can send mail" boolean (persistent version of #setsebool httpd_can_sendmail on)
# semanage boolean \-m \-\-on httpd_can_sendmail
List customized booleans
diff --git a/python/semanage/semanage-dontaudit.8 b/python/semanage/semanage-dontaudit.8
index 81accc6f83de..51d1f4b6b0e0 100644
--- a/python/semanage/semanage-dontaudit.8
+++ b/python/semanage/semanage-dontaudit.8
@@ -7,13 +7,15 @@
.SH "DESCRIPTION"
semanage is used to configure certain elements of
SELinux policy without requiring modification to or recompilation
-from policy sources. semanage dontaudit toggles whether or not dontaudit rules will be in the policy. Policy writers use dontaudit rules to cause
-confined applications to use alternative paths. Dontaudit rules are denied but not reported in the logs. Some times dontaudit rules can cause bugs in applications but policy writers will not realize it since the AVC is not audited. Turning off dontaudit rules with this command to see if the kernel is blocking an access.
+from policy sources.
+.B semanage dontaudit
+toggles whether or not dontaudit rules will be in the policy. Policy writers use dontaudit rules to cause
+confined applications to use alternative paths. Dontaudit rules are denied but not reported in the logs. Sometimes dontaudit rules can cause bugs in applications but policy writers will not realize it since the AVC is not audited. Turn off dontaudit rules with this command to see if the kernel is blocking an access.
.SH "OPTIONS"
.TP
.I \-h, \-\-help
-show this help message and exit
+Show this help message and exit
.TP
.I \-S STORE, \-\-store STORE
Select an alternate SELinux Policy Store to manage
diff --git a/python/semanage/semanage-export.8 b/python/semanage/semanage-export.8
index d422683bd5c8..5198479306df 100644
--- a/python/semanage/semanage-export.8
+++ b/python/semanage/semanage-export.8
@@ -7,7 +7,15 @@
.SH "DESCRIPTION"
semanage is used to configure certain elements of
SELinux policy without requiring modification to or recompilation
-from policy sources. semanage import and export can be used to extract the SELinux modifications from one machine and apply them to another. You can put a whole group of semanage commands within a file and apply them to a machine in a single transaction.
+from policy sources.
+.B semanage import
+and
+.B export
+can be used to extract the SELinux modifications from one machine and apply them to another. Please note that this will remove all current semanage customizations on the second machine as the command list generated using
+.B semanage export
+start with
+.I <command> -D
+for all semanage sub-commands. You can put a whole group of semanage commands within a file and apply them to a machine in a single transaction.
.SH "OPTIONS"
.TP
diff --git a/python/semanage/semanage-fcontext.8 b/python/semanage/semanage-fcontext.8
index 1ebf085faed8..3e327d88d146 100644
--- a/python/semanage/semanage-fcontext.8
+++ b/python/semanage/semanage-fcontext.8
@@ -8,8 +8,10 @@ semanage\-fcontext \- SELinux Policy Management file context tool
.SH "DESCRIPTION"
semanage is used to configure certain elements of
SELinux policy without requiring modification to or recompilation
-from policy sources. semanage fcontext is used to manage the default
-file system labeling on an SELinux system. This command maps file paths using regular expressions to SELinux labels.
+from policy sources.
+.B semanage fcontext
+is used to manage the default file system labeling on an SELinux system.
+This command maps file paths using regular expressions to SELinux labels.
FILE_SPEC may contain either a fully qualified path,
or a Perl compatible regular expression (PCRE),
@@ -32,7 +34,7 @@ to avoid unintentionally impacting other parts of the filesystem.
.SH "OPTIONS"
.TP
.I \-h, \-\-help
-show this help message and exit
+Show this help message and exit
.TP
.I \-n, \-\-noheading
Do not print heading when listing the specified object type
@@ -82,12 +84,13 @@ MLS/MCS Security Range (MLS/MCS Systems only) SELinux Range for SELinux login ma
.SH EXAMPLE
.nf
-.I remember to run restorecon after you set the file context
-Add file-context for everything under /web
+.I Remember to run restorecon after you set the file context
+Add file-context httpd_sys_content_t for everything under /web
# semanage fcontext \-a \-t httpd_sys_content_t "/web(/.*)?"
# restorecon \-R \-v /web
Substitute /home1 with /home when setting file context
+i.e. label everything under /home1 the same way /home is labeled
# semanage fcontext \-a \-e /home /home1
# restorecon \-R \-v /home1
@@ -99,7 +102,9 @@ execute the following commands.
.SH "SEE ALSO"
.BR selinux (8),
-.BR semanage (8)
+.BR semanage (8),
+.BR restorecon (8),
+.BR selabel_file (5)
.SH "AUTHOR"
This man page was written by Daniel Walsh <dwalsh@redhat.com>
diff --git a/python/semanage/semanage-ibendport.8 b/python/semanage/semanage-ibendport.8
index 0a29eae18031..53fe4ee8512a 100644
--- a/python/semanage/semanage-ibendport.8
+++ b/python/semanage/semanage-ibendport.8
@@ -5,12 +5,14 @@
.B semanage ibendport [\-h] [\-n] [\-N] [\-S STORE] [ \-\-add \-t TYPE \-z IBDEV_NAME \-r RANGE port | \-\-delete \-z IBDEV_NAME port | \-\-deleteall | \-\-extract | \-\-list [\-C] | \-\-modify \-t TYPE \-z IBDEV_NAME \-r RANGE port ]
.SH "DESCRIPTION"
-semanage is used to configure certain elements of SELinux policy without requiring modification to or recompilation from policy sources. semanage ibendport controls the ibendport number to ibendport type definitions.
+semanage is used to configure certain elements of SELinux policy without requiring modification to or recompilation from policy sources.
+.B semanage ibendport
+controls the ibendport number to ibendport type definitions.
.SH "OPTIONS"
.TP
.I \-h, \-\-help
-show this help message and exit
+Show this help message and exit
.TP
.I \-n, \-\-noheading
Do not print heading when listing the specified object type
diff --git a/python/semanage/semanage-ibpkey.8 b/python/semanage/semanage-ibpkey.8
index 51f455abaeab..6cc5e02fbcb6 100644
--- a/python/semanage/semanage-ibpkey.8
+++ b/python/semanage/semanage-ibpkey.8
@@ -5,12 +5,14 @@
.B semanage ibpkey [\-h] [\-n] [\-N] [\-S STORE] [ \-\-add \-t TYPE \-x SUBNET_PREFIX \-r RANGE ibpkey_name | ibpkey_range | \-\-delete \-x SUBNET_PREFIX ibpkey_name | ibpkey_range | \-\-deleteall | \-\-extract | \-\-list [\-C] | \-\-modify \-t TYPE \-x SUBNET_PREFIX \-r RANGE ibpkey_name | ibpkey_range ]
.SH "DESCRIPTION"
-semanage is used to configure certain elements of SELinux policy without requiring modification to or recompilation from policy sources. semanage ibpkey controls the ibpkey number to ibpkey type definitions.
+semanage is used to configure certain elements of SELinux policy without requiring modification to or recompilation from policy sources.
+.B semanage ibpkey
+controls the ibpkey number to ibpkey type definitions.
.SH "OPTIONS"
.TP
.I \-h, \-\-help
-show this help message and exit
+Show this help message and exit
.TP
.I \-n, \-\-noheading
Do not print heading when listing the specified object type
diff --git a/python/semanage/semanage-import.8 b/python/semanage/semanage-import.8
index 4a9b3e765f34..041e9ab052fb 100644
--- a/python/semanage/semanage-import.8
+++ b/python/semanage/semanage-import.8
@@ -7,7 +7,15 @@
.SH "DESCRIPTION"
semanage is used to configure certain elements of
SELinux policy without requiring modification to or recompilation
-from policy sources. semanage import and export can be used to extract the SELinux modifications from one machine and apply them to another. You can put a whole group of semanage commands within a file and apply them to a machine in a single transaction.
+from policy sources.
+.B semanage import
+and
+.B export
+can be used to extract the SELinux modifications from one machine and apply them to another. Please note that this will remove all current semanage customizations on the second machine as the command list generated using
+.B semanage export
+start with
+.I <command> -D
+for all semanage sub-commands. You can put a whole group of semanage commands within a file and apply them to a machine in a single transaction.
.SH "OPTIONS"
.TP
diff --git a/python/semanage/semanage-interface.8 b/python/semanage/semanage-interface.8
index d9d526dc7391..080db70b6ec2 100644
--- a/python/semanage/semanage-interface.8
+++ b/python/semanage/semanage-interface.8
@@ -7,12 +7,14 @@
.SH "DESCRIPTION"
semanage is used to configure certain elements of
SELinux policy without requiring modification to or recompilation
-from policy sources. semanage interface controls the labels assigned to network interfaces.
+from policy sources.
+.B semanage interface
+controls the labels assigned to network interfaces.
.SH "OPTIONS"
.TP
.I \-h, \-\-help
-show this help message and exit
+Show this help message and exit
.TP
.I \-n, \-\-noheading
Do not print heading when listing the specified object type
@@ -54,6 +56,8 @@ MLS/MCS Security Range (MLS/MCS Systems only) SELinux Range for SELinux login ma
.nf
list all interface definitions
# semanage interface \-l
+Assign type netif_t and MLS/MCS range s0:c0.c1023 to interface eth0
+# semanage interface \-a \-t netif_t \-r s0:c0.c1023 eth0
.SH "SEE ALSO"
.BR selinux (8),
diff --git a/python/semanage/semanage-login.8 b/python/semanage/semanage-login.8
index f451bdc65d53..9076a1edcedb 100644
--- a/python/semanage/semanage-login.8
+++ b/python/semanage/semanage-login.8
@@ -7,12 +7,14 @@
.SH "DESCRIPTION"
semanage is used to configure certain elements of
SELinux policy without requiring modification to or recompilation
-from policy sources. semanage login controls the mapping between a Linux User and the SELinux User. It can be used to turn on confined users. For example you could define that a particular user or group of users will login to a system as the user_u user. Prefix the group name with a '%' sign to indicate a group name.
+from policy sources.
+.B semanage login
+controls the mapping between a Linux User and the SELinux User. It can be used to turn on confined users. For example you could define that a particular user or group of users will login to a system as the user_u user. Prefix the group name with a '%' sign to indicate a group name.
.SH "OPTIONS"
.TP
.I \-h, \-\-help
-show this help message and exit
+Show this help message and exit
.TP
.I \-n, \-\-noheading
Do not print heading when listing the specified object type
@@ -52,11 +54,11 @@ MLS/MCS Security Range (MLS/MCS Systems only) SELinux Range for SELinux login ma
.SH EXAMPLE
.nf
-Modify the default user on the system to the guest_u user
+Set the default SELinux user on the system to guest_u
# semanage login \-m \-s guest_u __default__
-Assign gijoe user on an MLS machine a range and to the staff_u user
-# semanage login \-a \-s staff_u \-rSystemLow-Secret gijoe
-Assign all users in the engineering group to the staff_u user
+Map user gijoe to SELinux user staff_u and assign MLS range SystemLow\-Secret
+# semanage login \-a \-s staff_u \-rSystemLow\-Secret gijoe
+Map all users in the engineering group to SELinux user staff_u
# semanage login \-a \-s staff_u %engineering
.SH "SEE ALSO"
diff --git a/python/semanage/semanage-module.8 b/python/semanage/semanage-module.8
index e00571672565..6913b0cd47d9 100644
--- a/python/semanage/semanage-module.8
+++ b/python/semanage/semanage-module.8
@@ -5,12 +5,14 @@
.B semanage module [\-h] [\-n] [\-N] [\-S STORE] (\-a | \-r | \-e | \-d | \-\-extract | \-\-list [\-C] | \-\-deleteall) [module_name]
.SH "DESCRIPTION"
-semanage is used to configure certain elements of SELinux policy without requiring modification to or recompilation from policy sources. semanage module installs, removes, disables SELinux Policy modules.
+semanage is used to configure certain elements of SELinux policy without requiring modification to or recompilation from policy sources.
+.B semanage module
+installs, removes, disables, or enables SELinux Policy modules.
.SH "OPTIONS"
.TP
.I \-h, \-\-help
-show this help message and exit
+Show this help message and exit
.TP
.I \-n, \-\-noheading
Do not print heading when listing the specified object type
@@ -22,11 +24,14 @@ Do not reload policy after commit
Select an alternate SELinux Policy Store to manage
.TP
.I \-a, \-\-add
-Install specified module
+Install specified module. Accepts both binary policy files (.pp) and CIL source files
.TP
.I \-r, \-\-remove
Remove specified module
.TP
+.I \-D, \-\-deleteall
+Remove all local customizations related to modules
+.TP
.I \-d \-\-disable
Disable specified module
.TP
@@ -48,8 +53,8 @@ List all modules
# semanage module \-l
Disable unconfined module
# semanage module \-\-disable unconfined
-Install custom apache policy module
-# semanage module \-a myapache
+Install custom apache policy module (same as #semodule -i myapache.pp)
+# semanage module \-a myapache.pp
.SH "SEE ALSO"
.BR selinux (8),
diff --git a/python/semanage/semanage-node.8 b/python/semanage/semanage-node.8
index a0098221c85b..c78d6c3eaf76 100644
--- a/python/semanage/semanage-node.8
+++ b/python/semanage/semanage-node.8
@@ -7,12 +7,14 @@
.SH "DESCRIPTION"
semanage is used to configure certain elements of
SELinux policy without requiring modification to or recompilation
-from policy sources. semanage controls the ipaddress to node type definitions.
+from policy sources.
+.B semanage node
+controls the IP address to node type definitions.
.SH "OPTIONS"
.TP
.I \-h, \-\-help
-show this help message and exit
+Show this help message and exit
.TP
.I \-n, \-\-noheading
Do not print heading when listing the specified object type
@@ -54,5 +56,13 @@ SELinux type for the object
MLS/MCS Security Range (MLS/MCS Systems only) SELinux Range for SELinux login mapping defaults to the SELinux user record range. SELinux Range for SELinux user defaults to s0.
.TP
.I \-p PROTO, \-\-proto PROTO
-
Protocol for the specified port (tcp|udp) or internet protocol version for the specified node (ipv4|ipv6).
+
+.SH "EXAMPLE"
+.nf
+Apply type node_t to ipv4 node 127.0.0.2
+# semanage node \-a \-t node_t \-p ipv4 \-M 255.255.255.255 127.0.0.2
+
+.SH "SEE ALSO"
+.BR selinux (8),
+.BR semanage (8)
diff --git a/python/semanage/semanage-permissive.8 b/python/semanage/semanage-permissive.8
index 5c3364fa54f8..0414a850082a 100644
--- a/python/semanage/semanage-permissive.8
+++ b/python/semanage/semanage-permissive.8
@@ -5,12 +5,14 @@
.B semanage permissive [\-h] [\-n] [\-N] [\-S STORE] (\-\-add TYPE | \-\-delete TYPE | \-\-deleteall | \-\-extract | \-\-list)
.SH "DESCRIPTION"
-semanage is used to configure certain elements of SELinux policy without requiring modification to or recompilation from policy sources. semanage permissive adds or removes a SELinux Policy permissive module.
+semanage is used to configure certain elements of SELinux policy without requiring modification to or recompilation from policy sources.
+.B semanage permissive
+adds or removes a SELinux Policy permissive module. Please note that this command can make any domain permissive, but can only remove the permissive property from domains where it was added by semanage permissive ("semanage permissive -d" can only be used on types listed as "Customized Permissive Types" by "semanage permissive -l").
.SH "OPTIONS"
.TP
.I \-h, \-\-help
-show this help message and exit
+Show this help message and exit
.TP
.I \-a, \-\-add
Add a record of the specified object type
@@ -38,7 +40,7 @@ Select an alternate SELinux Policy Store to manage
.SH EXAMPLE
.nf
-List all permissive modules
+List all permissive domains ("Builtin Permissive Types" where set by the system policy, or a custom policy module)
# semanage permissive \-l
Make httpd_t (Web Server) a permissive domain
# semanage permissive \-a httpd_t
diff --git a/python/semanage/semanage-port.8 b/python/semanage/semanage-port.8
index 12ec14c2cb33..c6048660ca21 100644
--- a/python/semanage/semanage-port.8
+++ b/python/semanage/semanage-port.8
@@ -5,12 +5,14 @@
.B semanage port [\-h] [\-n] [\-N] [\-S STORE] [ \-\-add \-t TYPE \-p PROTOCOL \-r RANGE port_name | port_range | \-\-delete \-p PROTOCOL port_name | port_range | \-\-deleteall | \-\-extract | \-\-list [\-C] | \-\-modify \-t TYPE \-p PROTOCOL \-r RANGE port_name | port_range ]
.SH "DESCRIPTION"
-semanage is used to configure certain elements of SELinux policy without requiring modification to or recompilation from policy sources. semanage port controls the port number to port type definitions.
+semanage is used to configure certain elements of SELinux policy without requiring modification to or recompilation from policy sources.
+.B semanage port
+controls the port number to port type definitions.
.SH "OPTIONS"
.TP
.I \-h, \-\-help
-show this help message and exit
+Show this help message and exit
.TP
.I \-n, \-\-noheading
Do not print heading when listing the specified object type
@@ -55,9 +57,9 @@ Protocol for the specified port (tcp|udp|dccp|sctp) or internet protocol version
.nf
List all port definitions
# semanage port \-l
-Allow Apache to listen on tcp port 81
+Allow Apache to listen on tcp port 81 (i.e. assign tcp port 81 label http_port_t, which apache is allowed to listen on)
# semanage port \-a \-t http_port_t \-p tcp 81
-Allow sshd to listen on tcp port 8991
+Allow sshd to listen on tcp port 8991 (i.e. assign tcp port 8991 label ssh_port_t, which sshd is allowed to listen on)
# semanage port \-a \-t ssh_port_t \-p tcp 8991
.SH "SEE ALSO"
diff --git a/python/semanage/semanage-user.8 b/python/semanage/semanage-user.8
index 23fec698e042..50d50bea7af8 100644
--- a/python/semanage/semanage-user.8
+++ b/python/semanage/semanage-user.8
@@ -7,12 +7,14 @@
.SH "DESCRIPTION"
semanage is used to configure certain elements of
SELinux policy without requiring modification to or recompilation
-from policy sources. semanage user controls the mapping between an SELinux User and the roles and MLS/MCS levels.
+from policy sources.
+.B semanage user
+controls the mapping between an SELinux User and the roles and MLS/MCS levels.
.SH "OPTIONS"
.TP
.I \-h, \-\-help
-show this help message and exit
+Show this help message and exit
.TP
.I \-n, \-\-noheading
Do not print heading when listing the specified object type
@@ -59,7 +61,7 @@ List SELinux users
# semanage user \-l
Modify groups for staff_u user
# semanage user \-m \-R "system_r unconfined_r staff_r" staff_u
-Add level for TopSecret Users
+Assign user topsecret_u role staff_r and range s0\-TopSecret
# semanage user \-a \-R "staff_r" \-rs0\-TopSecret topsecret_u
.SH "SEE ALSO"
--
2.41.0

@ -0,0 +1,30 @@
From 52da97653bd64bcc603ab7e0b5c08cb687b833ab Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com>
Date: Thu, 4 May 2023 14:04:50 +0200
Subject: [PATCH] python/audit2allow: Remove unused "debug" option
Content-type: text/plain
The option is not referenced anywhere in the code and I couldn't figure
out its purpose from the description.
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
---
python/audit2allow/audit2allow | 2 --
1 file changed, 2 deletions(-)
diff --git a/python/audit2allow/audit2allow b/python/audit2allow/audit2allow
index eafeea88aa21..5587a2dbb006 100644
--- a/python/audit2allow/audit2allow
+++ b/python/audit2allow/audit2allow
@@ -88,8 +88,6 @@ class AuditToPolicy:
parser.add_option("--interface-info", dest="interface_info", help="file name of interface information")
parser.add_option("-x", "--xperms", action="store_true", dest="xperms",
default=False, help="generate extended permission rules")
- parser.add_option("--debug", dest="debug", action="store_true", default=False,
- help="leave generated modules for -M")
parser.add_option("-w", "--why", dest="audit2why", action="store_true", default=(os.path.basename(sys.argv[0]) == "audit2why"),
help="Translates SELinux audit messages into a description of why the access was denied")
--
2.41.0

@ -0,0 +1,309 @@
From b580a630378623df1c87c5fab1ffd63a41b3501e Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com>
Date: Thu, 1 Jun 2023 16:39:11 +0200
Subject: [PATCH] policycoreutils: Add examples to man pages
Content-type: text/plain
While at it, remove trailing whitespaces.
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Acked-by: Petr Lautrbach <lautrbach@redhat.com>
---
policycoreutils/scripts/fixfiles.8 | 34 +++++++++++++--------
policycoreutils/secon/secon.1 | 12 ++++++--
policycoreutils/semodule/semodule.8 | 14 ++++-----
policycoreutils/setfiles/restorecon.8 | 9 ++++++
policycoreutils/setfiles/restorecon_xattr.8 | 7 +++++
policycoreutils/setfiles/setfiles.8 | 9 ++++++
policycoreutils/setsebool/setsebool.8 | 16 +++++++---
7 files changed, 74 insertions(+), 27 deletions(-)
diff --git a/policycoreutils/scripts/fixfiles.8 b/policycoreutils/scripts/fixfiles.8
index 9a317d9181e2..928b82004b1a 100644
--- a/policycoreutils/scripts/fixfiles.8
+++ b/policycoreutils/scripts/fixfiles.8
@@ -14,7 +14,7 @@ fixfiles \- fix file SELinux security contexts.
.B fixfiles
.I [\-v] [\-F] [\-B | \-N time ] [\-T nthreads] { check | restore | verify }
-.B fixfiles
+.B fixfiles
.I [\-v] [\-F] [\-T nthreads] \-R rpmpackagename[,rpmpackagename...] { check | restore | verify }
.B fixfiles
@@ -31,7 +31,7 @@ This manual page describes the
script.
.P
This script is primarily used to correct the security context
-database (extended attributes) on filesystems.
+database (extended attributes) on filesystems.
.P
It can also be run at any time to relabel when adding support for
new policy, or just check whether the file contexts are all
@@ -41,29 +41,29 @@ option. You can use the \-R flag to use rpmpackages as an alternative.
The file /etc/selinux/fixfiles_exclude_dirs can contain a list of directories
excluded from relabeling.
.P
-.B fixfiles onboot
+.B fixfiles onboot
will setup the machine to relabel on the next reboot.
.SH "OPTIONS"
-.TP
+.TP
.B \-B
If specified with onboot, this fixfiles will record the current date in the /.autorelabel file, so that it can be used later to speed up labeling. If used with restore, the restore will only affect files that were modified today.
.TP
.B \-F
Force reset of context to match file_context for customizable files
-.TP
+.TP
.B \-f
Clear /tmp directory with out prompt for removal.
-.TP
+.TP
.B \-R rpmpackagename[,rpmpackagename...]
Use the rpm database to discover all files within the specified packages and restore the file contexts.
.TP
.B \-C PREVIOUS_FILECONTEXT
Run a diff on the PREVIOUS_FILECONTEXT file to the currently installed one, and restore the context of all affected files.
-.TP
+.TP
.B \-N time
Only act on files created after the specified date. Date must be specified in
"YYYY\-MM\-DD HH:MM" format. Date field will be passed to find \-\-newermt command.
@@ -83,19 +83,28 @@ Use parallel relabeling, see
.SH "ARGUMENTS"
One of:
-.TP
+.TP
.B check | verify
print any incorrect file context labels, showing old and new context, but do not change them.
-.TP
+.TP
.B restore
change any incorrect file context labels.
-.TP
+.TP
.B relabel
Prompt for removal of contents of /tmp directory and then change any incorrect file context labels to match the install file_contexts file.
-.TP
-.B [[dir/file] ... ]
+.TP
+.B [[dir/file] ... ]
List of files or directories trees that you wish to check file context on.
+.SH EXAMPLE
+.nf
+Relabel the whole filesystem, except paths listed in /etc/selinux/fixfiles_exclude_dirs
+# fixfiles relabel
+Schedule the machine to relabel on the next boot and force relabeling of customizable types
+# fixfiles -F onboot
+Check labeling of all files from the samba package (while not changing any labels)
+# fixfiles -R samba check
+
.SH "AUTHOR"
This man page was written by Richard Hally <rhally@mindspring.com>.
The script was written by Dan Walsh <dwalsh@redhat.com>
@@ -103,4 +112,3 @@ The script was written by Dan Walsh <dwalsh@redhat.com>
.SH "SEE ALSO"
.BR setfiles (8),
.BR restorecon (8)
-
diff --git a/policycoreutils/secon/secon.1 b/policycoreutils/secon/secon.1
index 501b5cb8c410..c0e8b05a6b66 100644
--- a/policycoreutils/secon/secon.1
+++ b/policycoreutils/secon/secon.1
@@ -107,16 +107,24 @@ then the context will be read from stdin.
.br
If there is no argument,
.B secon
-will try reading a context from stdin, if that is not a tty, otherwise
+will try reading a context from stdin, if that is not a tty, otherwise
.B secon
will act as though \fB\-\-self\fR had been passed.
.PP
If none of \fB\-\-user\fR, \fB\-\-role\fR, \fB\-\-type\fR, \fB\-\-level\fR or
\fB\-\-mls\-range\fR is passed.
Then all of them will be output.
+
+.SH EXAMPLE
+.nf
+Show SElinux context of the init process
+# secon --pid 1
+Parse the type portion of given security context
+# secon -t system_u:object_r:httpd_sys_rw_content_t:s0
+
.PP
.SH SEE ALSO
.BR chcon (1)
.SH AUTHORS
.nf
-James Antill (james.antill@redhat.com)
+James Antill (james.antill@redhat.com)
diff --git a/policycoreutils/semodule/semodule.8 b/policycoreutils/semodule/semodule.8
index c56e580f27b8..01757b005e4a 100644
--- a/policycoreutils/semodule/semodule.8
+++ b/policycoreutils/semodule/semodule.8
@@ -1,5 +1,5 @@
.TH SEMODULE "8" "Nov 2005" "Security Enhanced Linux" NSA
-.SH NAME
+.SH NAME
semodule \- Manage SELinux policy modules.
.SH SYNOPSIS
@@ -8,7 +8,7 @@ semodule \- Manage SELinux policy modules.
.SH DESCRIPTION
.PP
semodule is the tool used to manage SELinux policy modules,
-including installing, upgrading, listing and removing modules.
+including installing, upgrading, listing and removing modules.
semodule may also be used to force a rebuild of policy from the
module store and/or to force a reload of policy without performing
any other transaction. semodule acts on module packages created
@@ -39,7 +39,7 @@ install/replace a module package
.B \-u,\-\-upgrade=MODULE_PKG
deprecated, alias for --install
.TP
-.B \-b,\-\-base=MODULE_PKG
+.B \-b,\-\-base=MODULE_PKG
deprecated, alias for --install
.TP
.B \-r,\-\-remove=MODULE_NAME
@@ -77,7 +77,7 @@ name of the store to operate on
.B \-n,\-\-noreload,\-N
do not reload policy after commit
.TP
-.B \-h,\-\-help
+.B \-h,\-\-help
prints help message and quit
.TP
.B \-P,\-\-preserve_tunables
@@ -92,7 +92,7 @@ Use an alternate path for the policy root
.B \-S,\-\-store-path
Use an alternate path for the policy store root
.TP
-.B \-v,\-\-verbose
+.B \-v,\-\-verbose
be verbose
.TP
.B \-c,\-\-cil
@@ -131,8 +131,6 @@ $ semodule \-B
$ semodule \-d alsa
# Install a module at a specific priority.
$ semodule \-X 100 \-i alsa.pp
-# List all modules.
-$ semodule \-\-list=full
# Set an alternate path for the policy root
$ semodule \-B \-p "/tmp"
# Set an alternate path for the policy store root
@@ -143,6 +141,8 @@ $ semodule \-X 400 \-\-hll \-E puppet \-\-cil \-E wireshark
# Check whether a module in "localmodule.pp" file is same as installed module "localmodule"
$ /usr/libexec/selinux/hll/pp localmodule.pp | sha256sum
$ semodule -l -m | grep localmodule
+# Translate binary module file into CIL (useful for debugging installation errors)
+$ /usr/libexec/selinux/hll/pp alsa.pp > alsa.cil
.fi
.SH SEE ALSO
diff --git a/policycoreutils/setfiles/restorecon.8 b/policycoreutils/setfiles/restorecon.8
index dbd55ce7c512..6160aced5922 100644
--- a/policycoreutils/setfiles/restorecon.8
+++ b/policycoreutils/setfiles/restorecon.8
@@ -224,6 +224,15 @@ and provided the
option is NOT set and recursive mode is set, files will be relabeled as
required with the digests then being updated provided there are no errors.
+.SH EXAMPLE
+.nf
+Fix labeling of /var/www/ including all sub-directories and list all context changes
+# restorecon -rv /var/www/
+List mislabeled files in user home directory and what the correct label should be
+# restorecon -nvr ~
+Fix labeling of files listed in file_list file, ignoring any that do not exist
+# restorecon -vif file_list
+
.SH "AUTHOR"
This man page was written by Dan Walsh <dwalsh@redhat.com>.
Some of the content of this man page was taken from the setfiles
diff --git a/policycoreutils/setfiles/restorecon_xattr.8 b/policycoreutils/setfiles/restorecon_xattr.8
index 4b1ce304d995..09bfd8c40ab4 100644
--- a/policycoreutils/setfiles/restorecon_xattr.8
+++ b/policycoreutils/setfiles/restorecon_xattr.8
@@ -112,6 +112,13 @@ If the option is not specified, then the default file_contexts will be used.
.br
the pathname of the directory tree to be searched.
+.SH EXAMPLE
+.nf
+List all paths that where assigned a checksum by "restorecon/setfiles -D"
+# restorecon_xattr -r /
+Remove all non-matching checksums
+# restorecon_xattr -rd /
+
.SH "SEE ALSO"
.BR restorecon (8),
.BR setfiles (8)
diff --git a/policycoreutils/setfiles/setfiles.8 b/policycoreutils/setfiles/setfiles.8
index 36fe6b369548..6071d9ba3d38 100644
--- a/policycoreutils/setfiles/setfiles.8
+++ b/policycoreutils/setfiles/setfiles.8
@@ -289,6 +289,15 @@ and provided the
option is NOT set, files will be relabeled as required with the digests then
being updated provided there are no errors.
+.SH EXAMPLE
+.nf
+Fix labeling of /var/www/ including all sub-directories, using targeted policy file context definitions and list all context changes
+# setfiles -v /etc/selinux/targeted/contexts/files/file_contexts /var/www/
+List mislabeled files in user home directory and what the label should be based on targeted policy file context definitions
+# setfiles -nv /etc/selinux/targeted/contexts/files/file_contexts ~
+Fix labeling of files listed in file_list file, ignoring any that do not exist
+# setfiles -vif file_list /etc/selinux/targeted/contexts/files/file_contexts
+
.SH "AUTHOR"
This man page was written by Russell Coker <russell@coker.com.au>.
The program was written by Stephen Smalley <sds@tycho.nsa.gov>
diff --git a/policycoreutils/setsebool/setsebool.8 b/policycoreutils/setsebool/setsebool.8
index 52936f5a0ffb..f54664fb5c2a 100644
--- a/policycoreutils/setsebool/setsebool.8
+++ b/policycoreutils/setsebool/setsebool.8
@@ -7,13 +7,13 @@ setsebool \- set SELinux boolean value
.I "[ \-PNV ] boolean value | bool1=val1 bool2=val2 ..."
.SH "DESCRIPTION"
-.B setsebool
-sets the current state of a particular SELinux boolean or a list of booleans
-to a given value. The value may be 1 or true or on to enable the boolean, or 0 or false or off to disable it.
+.B setsebool
+sets the current state of a particular SELinux boolean or a list of booleans
+to a given value. The value may be 1 or true or on to enable the boolean, or 0 or false or off to disable it.
Without the \-P option, only the current boolean value is
-affected; the boot-time default settings
-are not changed.
+affected; the boot-time default settings
+are not changed.
If the \-P option is given, all pending values are written to
the policy file on disk. So they will be persistent across reboots.
@@ -22,6 +22,12 @@ If the \-N option is given, the policy on disk is not reloaded into the kernel.
If the \-V option is given, verbose error messages will be printed from semanage libraries.
+.SH EXAMPLE
+.nf
+Enable container_use_devices boolean (will return to persistent value after reboot)
+# setsebool container_use_devices 1
+Persistently enable samba_create_home_dirs and samba_enable_home_dirs booleans
+# setsebool -P samba_create_home_dirs=on samba_enable_home_dirs=on
.SH AUTHOR
This manual page was written by Dan Walsh <dwalsh@redhat.com>.
--
2.41.0

@ -0,0 +1,391 @@
From 72420ec0eb2ca8cf4cc9099dcd495695eeab308b Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com>
Date: Thu, 1 Jun 2023 16:39:12 +0200
Subject: [PATCH] python/sepolicy: Improve man pages
Content-type: text/plain
- Add missing options
- Add examples
- Emphasize keywords
- Remove trailing whitespaces
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Acked-by: Petr Lautrbach <lautrbach@redhat.com>
---
python/sepolicy/sepolicy-booleans.8 | 15 +++++++++---
python/sepolicy/sepolicy-communicate.8 | 14 ++++++++---
python/sepolicy/sepolicy-generate.8 | 34 ++++++++++++--------------
python/sepolicy/sepolicy-gui.8 | 4 +--
python/sepolicy/sepolicy-interface.8 | 18 +++++++++++---
python/sepolicy/sepolicy-manpage.8 | 25 ++++++++++++++-----
python/sepolicy/sepolicy-network.8 | 17 ++++++-------
python/sepolicy/sepolicy-transition.8 | 19 +++++++++-----
8 files changed, 96 insertions(+), 50 deletions(-)
diff --git a/python/sepolicy/sepolicy-booleans.8 b/python/sepolicy/sepolicy-booleans.8
index f8d8b56d5d4d..7f4b18e75ac8 100644
--- a/python/sepolicy/sepolicy-booleans.8
+++ b/python/sepolicy/sepolicy-booleans.8
@@ -8,12 +8,16 @@ sepolicy-booleans \- Query SELinux Policy to see description of booleans
.B sepolicy booleans [\-h] [ \-a | \-b booleanname ... ]
.SH "DESCRIPTION"
-sepolicy booleans will show all booleans and their descriptions, or you can
-choose individual booleans to display
+.B sepolicy booleans
+will show all booleans and their descriptions, or you can
+choose individual booleans to display.
+Please make sure that selinux-policy-devel is present in your system since it contains boolean descriptions extracted from the policy source code. Otherwise
+.B sepolicy booleans
+will only show descriptions generated based on boolean names.
.SH "OPTIONS"
.TP
-.I \-h, \-\-help
+.I \-h, \-\-help
Display help message
.TP
.I \-a, \-\-all
@@ -22,6 +26,11 @@ Display all boolean descriptions
.I \-b, \-\-boolean
boolean to get description
+.SH EXAMPLE
+.nf
+List descriptions of samba_create_home_dirs and samba_enable_home_dirs booleans
+# sepolicy booleans -b samba_create_home_dirs samba_enable_home_dirs
+
.SH "AUTHOR"
This man page was written by Daniel Walsh <dwalsh@redhat.com>
diff --git a/python/sepolicy/sepolicy-communicate.8 b/python/sepolicy/sepolicy-communicate.8
index 050aa475eef1..5ecf6eff0f6b 100644
--- a/python/sepolicy/sepolicy-communicate.8
+++ b/python/sepolicy/sepolicy-communicate.8
@@ -8,7 +8,9 @@ sepolicy-communicate \- Generate a report showing if two SELinux Policy Domains
.B sepolicy communicate [\-h] \-s SOURCE \-t TARGET [\-c TCLASS] [\-S SOURCEACCESS] [\-T TARGETACCESS]
.SH "DESCRIPTION"
-Use sepolicy communicate to examine SELinux Policy to if a source SELinux Domain can communicate with a target SELinux Domain.
+Use
+.B sepolicy communicate
+to examine SELinux Policy and determine if a source SELinux Domain can communicate with a target SELinux Domain.
The default command looks to see if there are any file types that the source domain can write, which the target domain can read.
.SH "OPTIONS"
@@ -16,7 +18,7 @@ The default command looks to see if there are any file types that the source dom
.I \-c, \-\-class
Specify the SELinux class which the source domain will attempt to communicate with the target domain. (Default file)
.TP
-.I \-h, \-\-help
+.I \-h, \-\-help
Display help message
.TP
.I \-s, \-\-source
@@ -31,9 +33,15 @@ Specify the target SELinux domain type.
.I \-T, \-\-targetaccess
Specify the list of accesses used by the target SELinux domain type to receive communications from the source domain. Default Open, Read.
+.SH EXAMPLE
+.nf
+List types that can be used to communicate between samba daemon and apache server
+# sepolicy communicate -s httpd_t -t smbd_t
+Consider a type to be accessible by the source domain when it can be opened and appended to (as opposed to opened and written to)
+# sepolicy communicate -s httpd_t -t smbd_t -S open,append
+
.SH "AUTHOR"
This man page was written by Daniel Walsh <dwalsh@redhat.com>
.SH "SEE ALSO"
sepolicy(8), selinux(8)
-
diff --git a/python/sepolicy/sepolicy-generate.8 b/python/sepolicy/sepolicy-generate.8
index 0c5f998f5412..72d0e8e41b6e 100644
--- a/python/sepolicy/sepolicy-generate.8
+++ b/python/sepolicy/sepolicy-generate.8
@@ -57,32 +57,29 @@ path. \fBsepolicy generate\fP will use the rpm payload of the
application along with \fBnm \-D APPLICATION\fP to help it generate
types and policy rules for your policy files.
-.B Type Enforcing File NAME.te
+.B NAME.te
.br
-This file can be used to define all the types rules for a particular domain.
+This file can be used to define all the types enforcement rules for a particular domain.
.I Note:
-Policy generated by \fBsepolicy generate\fP will automatically add a permissive DOMAIN to your te file. When you are satisfied that your policy works, you need to remove the permissive line from the te file to run your domain in enforcing mode.
+Policy generated by \fBsepolicy generate\fP will automatically add a \fIpermissive DOMAIN\fP to your \fB.te\fP file. When you are satisfied that your policy works, you need to remove the permissive line from the \fB.te\fP file to run your domain in enforcing mode.
-.B Interface File NAME.if
+.B NAME.if
.br
-This file defines the interfaces for the types generated in the te file, which can be used by other policy domains.
+This file defines the interfaces for the types generated in the \fB.te\fP file, which can be used by other policy domains.
-.B File Context NAME.fc
+.B NAME.fc
.br
-This file defines the default file context for the system, it takes the file types created in the te file and associates
+This file defines the default file context for the system, it takes the file types created in the \fB.te\fP file and associates
file paths to the types. Tools like restorecon and RPM will use these paths to put down labels.
-.B RPM Spec File NAME_selinux.spec
+.B NAME_selinux.spec
.br
-This file is an RPM SPEC file that can be used to install the SELinux policy on to machines and setup the labeling. The spec file also installs the interface file and a man page describing the policy. You can use \fBsepolicy manpage \-d NAME\fP to generate the man page.
+This file is an RPM SPEC file that can be used to install the SELinux policy on to machines and setup the labeling. The spec file also installs the interface file and a man page describing the policy. You can use \fBsepolicy manpage \-d NAME\fP to generate the man page.
-.B Shell File NAME.sh
+.B NAME.sh
.br
-This is a helper shell script to compile, install and fix the labeling on your test system. It will also generate a man page based on the installed policy, and
-compile and build an RPM suitable to be installed on other machines
-
-If a generate is possible, this tool will print out all generate paths from the source domain to the target domain
+This is a helper shell script to compile, install and fix the labeling on your test system. It will also generate a man page based on the installed policy, and compile and build an RPM suitable to be installed on other machines.
.SH "OPTIONS"
.TP
@@ -97,10 +94,11 @@ Specify alternate name of policy. The policy will default to the executable or n
.TP
.I \-p, \-\-path
Specify the directory to store the created policy files. (Default to current working directory )
+.TP
optional arguments:
.TP
.I \-r, \-\-role
-Enter role(s) to which this admin user will transition.
+Enter role(s) to which this admin user will transition
.TP
.I \-t, \-\-type
Enter type(s) for which you will generate new definition and rule(s)
@@ -109,12 +107,12 @@ Enter type(s) for which you will generate new definition and rule(s)
SELinux user(s) which will transition to this domain
.TP
.I \-w, \-\-writepath
-Path(s) which the confined processes need to write
+Path(s) which the confined processes need to write to
.TP
.I \-a, \-\-admin
Domain(s) which the confined admin will administrate
.TP
-.I \-\-admin_user
+.I \-\-admin_user
Generate Policy for Administrator Login User Role
.TP
.I \-\-application
@@ -142,7 +140,7 @@ Generate Policy for Internet Services Daemon
Generate Policy for Standard Init Daemon (Default)
.TP
.I \-\-newtype
-Generate new policy for new types to add to an existing policy.
+Generate new policy for new types to add to an existing policy
.TP
.I \-\-sandbox
Generate Policy for Sandbox
diff --git a/python/sepolicy/sepolicy-gui.8 b/python/sepolicy/sepolicy-gui.8
index ed744cdb914e..65b69faba144 100644
--- a/python/sepolicy/sepolicy-gui.8
+++ b/python/sepolicy/sepolicy-gui.8
@@ -11,7 +11,7 @@ Common options
.br
.SH "DESCRIPTION"
-Use \fBsepolicy gui\fP to run a the graphical user interface, which
+Use \fBsepolicy gui\fP to run the graphical user interface, which
allows you to explore how SELinux confines different process domains.
.SH "OPTIONS"
@@ -20,7 +20,7 @@ allows you to explore how SELinux confines different process domains.
Display help message
.TP
.I \-d, \-\-domain
-Initialize gui to the selected domain.
+Initialize gui to the selected domain
.SH "AUTHOR"
This man page was written by Daniel Walsh <dwalsh@redhat.com>
diff --git a/python/sepolicy/sepolicy-interface.8 b/python/sepolicy/sepolicy-interface.8
index 3e74ea627a79..a70a930629ea 100644
--- a/python/sepolicy/sepolicy-interface.8
+++ b/python/sepolicy/sepolicy-interface.8
@@ -5,10 +5,10 @@ sepolicy-interface \- Print interface information based on the installed SELinux
.SH "SYNOPSIS"
.br
-.B sepolicy interface [\-h] [\-c] [\-v] [\-a | \-u | \-l | \-i INTERFACE [INTERFACE ... ]]
+.B sepolicy interface [\-h] [\-c] [\-v] [\-f FILE] [\-a | \-u | \-l | \-i INTERFACE [INTERFACE ... ]]
.SH "DESCRIPTION"
-Use sepolicy interface to print interfaces information based on SELinux Policy.
+Use \fBsepolicy interface\fP to print interface information based on SELinux Policy.
.SH "OPTIONS"
.TP
@@ -18,7 +18,7 @@ List all domains with admin interface
.I \-c, \-\-compile
Test compile of interfaces
.TP
-.I \-h, \-\-help
+.I \-h, \-\-help
Display help message
.TP
.I \-i, \-\-interface
@@ -32,6 +32,18 @@ List all domains with SELinux user role interface
.TP
.I \-v, \-\-verbose
Display extended information about the interface including parameters and description if available.
+.TP
+.I \-f, \-\-file
+Interface file to be explored
+
+.SH EXAMPLE
+.nf
+Show description of given interface
+# sepolicy interface -vi samba_rw_config
+List interfaces in given interface file and show their description
+# sepolicy interface -f my_policy.if -lv
+Run compile test for all interfaces in given file
+# sepolicy interface -f my_policy.if -lc
.SH "AUTHOR"
This man page was written by Daniel Walsh <dwalsh@redhat.com>
diff --git a/python/sepolicy/sepolicy-manpage.8 b/python/sepolicy/sepolicy-manpage.8
index c05c94305633..4991f645ba38 100644
--- a/python/sepolicy/sepolicy-manpage.8
+++ b/python/sepolicy/sepolicy-manpage.8
@@ -8,27 +8,40 @@ sepolicy-manpage \- Generate a man page based on the installed SELinux Policy
.B sepolicy manpage [\-w] [\-h] [\-p PATH ] [\-r ROOTDIR ] [\-a | \-d ]
.SH "DESCRIPTION"
-Use sepolicy manpage to generate manpages based on SELinux Policy.
+Use \fBsepolicy manpage\fP to generate manpages based on SELinux Policy.
.SH "OPTIONS"
.TP
-.I \-a, \-\-all
+.I \-a, \-\-all
Generate Man Pages for All Domains
.TP
-.I \-d, \-\-domain
+.I \-d, \-\-domain
Generate a Man Page for the specified domain. (Supports multiple commands)
.TP
-.I \-h, \-\-help
+.I \-h, \-\-help
Display help message
.TP
+.I \-o, \-\-os
+Specify the name of the OS to be used in the man page (only affects HTML man pages)
+.TP
.I \-p, \-\-path
Specify the directory to store the created man pages. (Default to /tmp)
.TP
.I \-r, \-\-root
-Specify alternate root directory to generate man pages from. (Default to /)
+Specify alternative root directory to generate man pages from. (Default to /)
+.TP
+.I \-\-source_files
+Use file_contexts and policy.xml files from the specified root directory (the alternative root needs to include both files)
.TP
.I \-w, \-\-web
-Generate an additional HTML man pages for the specified domain(s).
+Generate an additional HTML man pages for the specified domain(s)
+
+.SH EXAMPLE
+.nf
+Generate man pages for all available domains
+# sepolicy manpage -a
+Generate an HTML man page for domain alsa_t, setting the OS name to "My_distro"
+# sepolicy manpage -o My_distro -d alsa_t -w
.SH "AUTHOR"
This man page was written by Daniel Walsh <dwalsh@redhat.com>
diff --git a/python/sepolicy/sepolicy-network.8 b/python/sepolicy/sepolicy-network.8
index dcddec756774..6faf60ab7a44 100644
--- a/python/sepolicy/sepolicy-network.8
+++ b/python/sepolicy/sepolicy-network.8
@@ -8,27 +8,27 @@ sepolicy-network \- Examine the SELinux Policy and generate a network report
.B sepolicy network [\-h] (\-l | \-a application [application ...] | \-p PORT [PORT ...] | \-t TYPE [TYPE ...] | \-d DOMAIN [DOMAIN ...])
.SH "DESCRIPTION"
-Use sepolicy network to examine SELinux Policy and generate network reports.
+Use \fBsepolicy network\fP to examine SELinux Policy and generate network reports.
.SH "OPTIONS"
.TP
.I \-a, \-\-application
-Generate a report listing the ports to which the specified init application is allowed to connect and or bind.
+Generate a report listing the ports to which the specified init application is allowed to connect and or bind
.TP
-.I \-d, \-\-domain
-Generate a report listing the ports to which the specified domain is allowed to connect and or bind.
+.I \-d, \-\-domain
+Generate a report listing the ports to which the specified domain is allowed to connect and or bind
.TP
-.I \-l, \-\-list
+.I \-l, \-\-list
List all Network Port Types defined in SELinux Policy
.TP
-.I \-h, \-\-help
+.I \-h, \-\-help
Display help message
.TP
.I \-t, \-\-type
-Generate a report listing the port numbers associate with the specified SELinux port type.
+Generate a report listing the port numbers associate with the specified SELinux port type
.TP
.I \-p, \-\-port
-Generate a report listing the SELinux port types associate with the specified port number.
+Generate a report listing the SELinux port types associate with the specified port number
.SH "EXAMPLES"
@@ -88,4 +88,3 @@ This man page was written by Daniel Walsh <dwalsh@redhat.com>
.SH "SEE ALSO"
sepolicy(8), selinux(8), semanage(8)
-
diff --git a/python/sepolicy/sepolicy-transition.8 b/python/sepolicy/sepolicy-transition.8
index 897f0c4c418e..9f9ff5a52165 100644
--- a/python/sepolicy/sepolicy-transition.8
+++ b/python/sepolicy/sepolicy-transition.8
@@ -11,21 +11,28 @@ sepolicy-transition \- Examine the SELinux Policy and generate a process transit
.B sepolicy transition [\-h] \-s SOURCE \-t TARGET
.SH "DESCRIPTION"
-sepolicy transition will show all domains that a give SELinux source domain can transition to, including the entrypoint.
+\fBsepolicy transition\fP will show all domains that a given SELinux source domain can transition to, including the entrypoint.
-If a target domain is given, sepolicy transition will examine policy for all transition paths from the source domain to the target domain, and will list the
-paths. If a transition is possible, this tool will print out all transition paths from the source domain to the target domain
+If a target domain is given, sepolicy transition will examine policy for all transition paths from the source domain to the target domain, and will list the
+paths.
.SH "OPTIONS"
.TP
-.I \-h, \-\-help
+.I \-h, \-\-help
Display help message
.TP
.I \-s, \-\-source
-Specify the source SELinux domain type.
+Specify the source SELinux domain type
.TP
.I \-t, \-\-target
-Specify the target SELinux domain type.
+Specify the target SELinux domain type
+
+.SH EXAMPLE
+.nf
+List all domain transition paths from init_t to httpd_t
+# sepolicy transition -s init_t -t httpd_t
+List all transitions available from samba domain, including entry points and booleans controlling each transition
+# sepolicy transition -s smbd_t
.SH "AUTHOR"
This man page was written by Daniel Walsh <dwalsh@redhat.com>
--
2.41.0

@ -0,0 +1,129 @@
From 9366d1925db4e095a77125f03f3d1648f4c179f5 Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com>
Date: Thu, 1 Jun 2023 16:39:13 +0200
Subject: [PATCH] sandbox: Add examples to man pages
Content-type: text/plain
While at it, remove trailing whitespaces.
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Acked-by: Petr Lautrbach <lautrbach@redhat.com>
---
sandbox/sandbox.8 | 28 ++++++++++++++++++----------
sandbox/seunshare.8 | 21 ++++++++++++++-------
2 files changed, 32 insertions(+), 17 deletions(-)
diff --git a/sandbox/sandbox.8 b/sandbox/sandbox.8
index 775e4b231204..1c1870190e51 100644
--- a/sandbox/sandbox.8
+++ b/sandbox/sandbox.8
@@ -11,12 +11,12 @@ sandbox \- Run cmd under an SELinux sandbox
.br
.SH DESCRIPTION
.PP
-Run the
-.I cmd
+Run the
+.I cmd
application within a tightly confined SELinux domain. The default sandbox domain only allows applications the ability to read and write stdin, stdout and any other file descriptors handed to it. It is not allowed to open any other files. The \-M option will mount an alternate homedir and tmpdir to be used by the sandbox.
-If you have the
-.I policycoreutils-sandbox
+If you have the
+.I policycoreutils-sandbox
package installed, you can use the \-X option and the \-M option.
.B sandbox \-X
allows you to run X applications within a sandbox. These applications will start up their own X Server and create a temporary home directory and /tmp. The default SELinux policy does not allow any capabilities or network access. It also prevents all access to the users other processes and files. Files specified on the command that are in the home directory or /tmp will be copied into the sandbox directories.
@@ -78,27 +78,35 @@ Run a full desktop session, Requires level, and home and tmpdir.
Specifies the windowsize when creating an X based Sandbox. The default windowsize is 1000x700.
.TP
\fB\-W\fR \fB\-\-windowmanager\fR
-Select alternative window manager to run within
+Select alternative window manager to run within
.B sandbox \-X.
Default to /usr/bin/matchbox-window-manager.
.TP
-\fB\-X\fR
+\fB\-X\fR
Create an X based Sandbox for gui apps, temporary files for
$HOME and /tmp, secondary Xserver, defaults to sandbox_x_t
.TP
\fB\-d\fR \fB\-\-dpi\fR
Set the DPI value for the sandbox X Server. Defaults to the current X Sever DPI.
.TP
-\fB\-C\fR \fB\-\-capabilities\fR Use capabilities within the
-sandbox. By default applications executed within the sandbox will not
-be allowed to use capabilities (setuid apps), with the \-C flag, you
-can use programs requiring capabilities.
+\fB\-C\fR \fB\-\-capabilities\fR
+Use capabilities within the sandbox. By default applications executed within the sandbox will not be allowed to use capabilities (setuid apps), with the \-C flag, you can use programs requiring capabilities.
.PP
.SH "SEE ALSO"
.TP
runcon(1), seunshare(8), selinux(8)
.PP
+.SH EXAMPLE
+.nf
+Run a graphical application inside the sandbox
+# sandbox -X evince
+Run a graphical application that requires the use of network
+# sandbox X t sandbox_web_t firefox
+Preserve data from one session to the next
+# mkdir -p ~/sandbox/home ~/sandbox/tmp
+# sandbox -H ~/sandbox/home -T ~/sandbox/tmp -X libreoffice --writer
+
.SH AUTHOR
This manual page was written by
.I Dan Walsh <dwalsh@redhat.com>
diff --git a/sandbox/seunshare.8 b/sandbox/seunshare.8
index 09cf7feae45d..5339a3b1fb20 100644
--- a/sandbox/seunshare.8
+++ b/sandbox/seunshare.8
@@ -9,29 +9,36 @@ seunshare \- Run cmd with alternate homedir, tmpdir and/or SELinux context
.PP
Run the
.I executable
-within the specified context, using the alternate home directory and /tmp directory. The seunshare command unshares from the default namespace, then mounts the specified homedir and tmpdir over the default homedir and /tmp. Finally it tells the kernel to execute the application under the specified SELinux context.
+within the specified context, using custom home directory and /tmp directory. The seunshare command unshares from the default namespace, then mounts the specified homedir and tmpdir over the default homedir and /tmp. Finally it tells the kernel to execute the application under the specified SELinux context.
.TP
\fB\-h homedir\fR
-Alternate homedir to be used by the application. Homedir must be owned by the user.
+Alternate homedir to be used by the application. Homedir must be owned by the user
.TP
\fB\-t\ tmpdir
-Use alternate temporary directory to mount on /tmp. tmpdir must be owned by the user.
+Use alternate temporary directory to mount on /tmp. tmpdir must be owned by the user
.TP
\fB\-r\ runuserdir
-Use alternate temporary directory to mount on XDG_RUNTIME_DIR (/run/user/$UID). runuserdir must be owned by the user.
+Use alternate temporary directory to mount on XDG_RUNTIME_DIR (/run/user/$UID). runuserdir must be owned by the user
.TP
\fB\-C --capabilities\fR
-Allow apps executed within the namespace to use capabilities. Default is no capabilities.
+Allow apps executed within the namespace to use capabilities. Default is no capabilities
.TP
\fB\-k --kill\fR
-Kill all processes with matching MCS level.
+Kill all processes with matching MCS level
.TP
\fB\-Z\ context
-Use alternate SELinux context while running the executable.
+Use alternate SELinux context while running the executable
.TP
\fB\-v\fR
Verbose output
+
+.SH EXAMPLE
+.nf
+Run bash with temporary /home and /tmp directory
+# USERHOMEDIR=`mktemp -d /tmp/home.XXXXXX`; USERTEMPDIR=`mktemp -d /tmp/temp.XXXXXX`
+# seunshare -v -h ${USERHOMEDIR} -t ${USERTEMPDIR} -- /bin/bash
+
.SH "SEE ALSO"
.TP
runcon(1), sandbox(8), selinux(8)
--
2.41.0

@ -0,0 +1,94 @@
From cf06052cc5fece8ec1ae655aecf941420385bf4d Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com>
Date: Thu, 1 Jun 2023 18:34:30 +0200
Subject: [PATCH] python/sepolicy: Fix template for confined user policy
modules
Content-type: text/plain
The following commit
https://github.com/SELinuxProject/refpolicy/commit/330b0fc3331d3b836691464734c96f3da3044490
changed the userdom_base_user_template, which now requires a role
corresponding to the user being created to be defined outside of the
template.
Similar change was also done to fedora-selinux/selinux-policy
https://github.com/fedora-selinux/selinux-policy/commit/e1e216b25df1bdb4eb7dbb8f73f32927ad6f3d1f
Although I believe the template should define the role (just as it
defines the new user), that will require extensive changes to refpolicy.
In the meantime the role needs to be defined separately.
Fixes:
# sepolicy generate --term_user -n newuser
Created the following files:
/root/a/test/newuser.te # Type Enforcement file
/root/a/test/newuser.if # Interface file
/root/a/test/newuser.fc # File Contexts file
/root/a/test/newuser_selinux.spec # Spec file
/root/a/test/newuser.sh # Setup Script
# ./newuser.sh
Building and Loading Policy
+ make -f /usr/share/selinux/devel/Makefile newuser.pp
Compiling targeted newuser module
Creating targeted newuser.pp policy package
rm tmp/newuser.mod tmp/newuser.mod.fc
+ /usr/sbin/semodule -i newuser.pp
Failed to resolve roleattributeset statement at /var/lib/selinux/targeted/tmp/modules/400/newuser/cil:8
Failed to resolve AST
/usr/sbin/semodule: Failed!
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Acked-by: Petr Lautrbach <lautrbach@redhat.com>
---
python/sepolicy/sepolicy/templates/user.py | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/python/sepolicy/sepolicy/templates/user.py b/python/sepolicy/sepolicy/templates/user.py
index 1ff9d2ce8e75..7081fbaec496 100644
--- a/python/sepolicy/sepolicy/templates/user.py
+++ b/python/sepolicy/sepolicy/templates/user.py
@@ -28,6 +28,8 @@ policy_module(TEMPLATETYPE, 1.0.0)
#
# Declarations
#
+role TEMPLATETYPE_r;
+
userdom_unpriv_user_template(TEMPLATETYPE)
"""
@@ -38,6 +40,8 @@ policy_module(TEMPLATETYPE, 1.0.0)
#
# Declarations
#
+role TEMPLATETYPE_r;
+
userdom_admin_user_template(TEMPLATETYPE)
"""
@@ -48,6 +52,7 @@ policy_module(TEMPLATETYPE, 1.0.0)
#
# Declarations
#
+role TEMPLATETYPE_r;
userdom_restricted_user_template(TEMPLATETYPE)
"""
@@ -59,6 +64,7 @@ policy_module(TEMPLATETYPE, 1.0.0)
#
# Declarations
#
+role TEMPLATETYPE_r;
userdom_restricted_xwindows_user_template(TEMPLATETYPE)
"""
@@ -89,6 +95,7 @@ gen_tunable(TEMPLATETYPE_manage_user_files, false)
#
# Declarations
#
+role TEMPLATETYPE_r;
userdom_base_user_template(TEMPLATETYPE)
"""
--
2.41.0

@ -1,4 +1,4 @@
From cb1b3bdca016edaa90e92b49d51544f8a38cba19 Mon Sep 17 00:00:00 2001
From 1af71ea06bbb57082a627854ec77134428f8fb15 Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com>
Date: Tue, 30 May 2023 09:07:28 +0200
Subject: [PATCH] python/sepolicy: Fix spec file dependencies
@ -14,7 +14,7 @@ Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/python/sepolicy/sepolicy/templates/spec.py b/python/sepolicy/sepolicy/templates/spec.py
index 433c298a17e0..a6d4508bb670 100644
index 16a22081b44b..cb3b2f63005b 100644
--- a/python/sepolicy/sepolicy/templates/spec.py
+++ b/python/sepolicy/sepolicy/templates/spec.py
@@ -11,18 +11,20 @@ Version: 1.0
@ -44,5 +44,5 @@ index 433c298a17e0..a6d4508bb670 100644
mid_section="""\
--
2.44.0
2.41.0

@ -0,0 +1,455 @@
From 9bef6943871822d82a3428dda13a871e1848acad Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <lautrbach@redhat.com>
Date: Tue, 16 May 2023 15:45:05 +0200
Subject: [PATCH] python: improve format strings for proper localization
Content-type: text/plain
If a string contains more than one unnamed argument it's hard for
translators to proper localize as they don't know which value is
represented by a unnamed argument. It also blocks them to use a
different order of arguments which would make better sense in other
languages.
Fixes:
$ xgettext --default-domain=python -L Python --keyword=_ --keyword=N_ ../audit2allow/audit2allow ../chcat/chcat ../semanage/semanage ../semanage/seobject.py ../sepolgen/src/sepolgen/interfaces.py ../sepolicy/sepolicy/generate.py ../sepolicy/sepolicy/gui.py ../sepolicy/sepolicy/__init__.py ../sepolicy/sepolicy/interface.py ../sepolicy/sepolicy.py
../chcat/chcat:220: warning: 'msgid' format string with unnamed arguments cannot be properly localized:
The translator cannot reorder the arguments.
Please consider using a format string with named arguments,
and a mapping instead of a tuple for the arguments.
../semanage/seobject.py:1178: warning: 'msgid' format string with unnamed arguments cannot be properly localized:
The translator cannot reorder the arguments.
Please consider using a format string with named arguments,
and a mapping instead of a tuple for the arguments.
...
Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>
---
python/chcat/chcat | 6 +-
python/semanage/seobject.py | 130 ++++++++++++++++++------------------
2 files changed, 68 insertions(+), 68 deletions(-)
diff --git a/python/chcat/chcat b/python/chcat/chcat
index 68718ec5f102..c4f592291821 100755
--- a/python/chcat/chcat
+++ b/python/chcat/chcat
@@ -125,7 +125,7 @@ def chcat_add(orig, newcat, objects, login_ind):
if len(clist) > 1:
if cat in clist[1:]:
- print(_("%s is already in %s") % (f, orig))
+ print(_("{target} is already in {category}").format(target=f, category=orig))
continue
clist.append(cat)
cats = clist[1:]
@@ -207,7 +207,7 @@ def chcat_remove(orig, newcat, objects, login_ind):
if len(clist) > 1:
if cat not in clist[1:]:
- print(_("%s is not in %s") % (f, orig))
+ print(_("{target} is not in {category}").format(target=f, category=orig))
continue
clist.remove(cat)
if len(clist) > 1:
@@ -217,7 +217,7 @@ def chcat_remove(orig, newcat, objects, login_ind):
else:
cat = ""
else:
- print(_("%s is not in %s") % (f, orig))
+ print(_("{target} is not in {category}").format(target=f, category=orig))
continue
if len(cat) == 0:
diff --git a/python/semanage/seobject.py b/python/semanage/seobject.py
index d82da4942987..2b1eb44ce8a3 100644
--- a/python/semanage/seobject.py
+++ b/python/semanage/seobject.py
@@ -843,7 +843,7 @@ class seluserRecords(semanageRecords):
for r in roles:
rc = semanage_user_add_role(self.sh, u, r)
if rc < 0:
- raise ValueError(_("Could not add role %s for %s") % (r, name))
+ raise ValueError(_("Could not add role {role} for {name}").format(role=r, name=name))
if is_mls_enabled == 1:
rc = semanage_user_set_mlsrange(self.sh, u, serange)
@@ -855,7 +855,7 @@ class seluserRecords(semanageRecords):
raise ValueError(_("Could not set MLS level for %s") % name)
rc = semanage_user_set_prefix(self.sh, u, prefix)
if rc < 0:
- raise ValueError(_("Could not add prefix %s for %s") % (r, prefix))
+ raise ValueError(_("Could not add prefix {prefix} for {role}").format(role=r, prefix=prefix))
(rc, key) = semanage_user_key_extract(self.sh, u)
if rc < 0:
raise ValueError(_("Could not extract key for %s") % name)
@@ -1088,7 +1088,7 @@ class portRecords(semanageRecords):
(rc, k) = semanage_port_key_create(self.sh, low, high, proto_d)
if rc < 0:
- raise ValueError(_("Could not create a key for %s/%s") % (proto, port))
+ raise ValueError(_("Could not create a key for {proto}/{port}").format(proto=proto, port=port))
return (k, proto_d, low, high)
def __add(self, port, proto, serange, type):
@@ -1110,44 +1110,44 @@ class portRecords(semanageRecords):
(rc, exists) = semanage_port_exists(self.sh, k)
if rc < 0:
- raise ValueError(_("Could not check if port %s/%s is defined") % (proto, port))
+ raise ValueError(_("Could not check if port {proto}/{port} is defined").format(proto=proto, port=port))
if exists:
- raise ValueError(_("Port %s/%s already defined") % (proto, port))
+ raise ValueError(_("Port {proto}/{port} already defined").format(proto=proto, port=port))
(rc, p) = semanage_port_create(self.sh)
if rc < 0:
- raise ValueError(_("Could not create port for %s/%s") % (proto, port))
+ raise ValueError(_("Could not create port for {proto}/{port}").format(proto=proto, port=port))
semanage_port_set_proto(p, proto_d)
semanage_port_set_range(p, low, high)
(rc, con) = semanage_context_create(self.sh)
if rc < 0:
- raise ValueError(_("Could not create context for %s/%s") % (proto, port))
+ raise ValueError(_("Could not create context for {proto}/{port}").format(proto=proto, port=port))
rc = semanage_context_set_user(self.sh, con, "system_u")
if rc < 0:
- raise ValueError(_("Could not set user in port context for %s/%s") % (proto, port))
+ raise ValueError(_("Could not set user in port context for {proto}/{port}").format(proto=proto, port=port))
rc = semanage_context_set_role(self.sh, con, "object_r")
if rc < 0:
- raise ValueError(_("Could not set role in port context for %s/%s") % (proto, port))
+ raise ValueError(_("Could not set role in port context for {proto}/{port}").format(proto=proto, port=port))
rc = semanage_context_set_type(self.sh, con, type)
if rc < 0:
- raise ValueError(_("Could not set type in port context for %s/%s") % (proto, port))
+ raise ValueError(_("Could not set type in port context for {proto}/{port}").format(proto=proto, port=port))
if (is_mls_enabled == 1) and (serange != ""):
rc = semanage_context_set_mls(self.sh, con, serange)
if rc < 0:
- raise ValueError(_("Could not set mls fields in port context for %s/%s") % (proto, port))
+ raise ValueError(_("Could not set mls fields in port context for {proto}/{port}").format(proto=proto, port=port))
rc = semanage_port_set_con(self.sh, p, con)
if rc < 0:
- raise ValueError(_("Could not set port context for %s/%s") % (proto, port))
+ raise ValueError(_("Could not set port context for {proto}/{port}").format(proto=proto, port=port))
rc = semanage_port_modify_local(self.sh, k, p)
if rc < 0:
- raise ValueError(_("Could not add port %s/%s") % (proto, port))
+ raise ValueError(_("Could not add port {proto}/{port}").format(proto=proto, port=port))
semanage_context_free(con)
semanage_port_key_free(k)
@@ -1175,13 +1175,13 @@ class portRecords(semanageRecords):
(rc, exists) = semanage_port_exists(self.sh, k)
if rc < 0:
- raise ValueError(_("Could not check if port %s/%s is defined") % (proto, port))
+ raise ValueError(_("Could not check if port {proto}/{port} is defined").format(proto=proto, port=port))
if not exists:
- raise ValueError(_("Port %s/%s is not defined") % (proto, port))
+ raise ValueError(_("Port {proto}/{port} is not defined").format(proto=proto, port=port))
(rc, p) = semanage_port_query(self.sh, k)
if rc < 0:
- raise ValueError(_("Could not query port %s/%s") % (proto, port))
+ raise ValueError(_("Could not query port {proto}/{port}").format(proto=proto, port=port))
con = semanage_port_get_con(p)
@@ -1195,7 +1195,7 @@ class portRecords(semanageRecords):
rc = semanage_port_modify_local(self.sh, k, p)
if rc < 0:
- raise ValueError(_("Could not modify port %s/%s") % (proto, port))
+ raise ValueError(_("Could not modify port {proto}/{port}").format(proto=proto, port=port))
semanage_port_key_free(k)
semanage_port_free(p)
@@ -1241,19 +1241,19 @@ class portRecords(semanageRecords):
(k, proto_d, low, high) = self.__genkey(port, proto)
(rc, exists) = semanage_port_exists(self.sh, k)
if rc < 0:
- raise ValueError(_("Could not check if port %s/%s is defined") % (proto, port))
+ raise ValueError(_("Could not check if port {proto}/{port} is defined").format(proto=proto, port=port))
if not exists:
- raise ValueError(_("Port %s/%s is not defined") % (proto, port))
+ raise ValueError(_("Port {proto}/{port} is not defined").format(proto=proto, port=port))
(rc, exists) = semanage_port_exists_local(self.sh, k)
if rc < 0:
- raise ValueError(_("Could not check if port %s/%s is defined") % (proto, port))
+ raise ValueError(_("Could not check if port {proto}/{port} is defined").format(proto=proto, port=port))
if not exists:
- raise ValueError(_("Port %s/%s is defined in policy, cannot be deleted") % (proto, port))
+ raise ValueError(_("Port {proto}/{port} is defined in policy, cannot be deleted").format(proto=proto, port=port))
rc = semanage_port_del_local(self.sh, k)
if rc < 0:
- raise ValueError(_("Could not delete port %s/%s") % (proto, port))
+ raise ValueError(_("Could not delete port {proto}/{port}").format(proto=proto, port=port))
semanage_port_key_free(k)
@@ -1362,7 +1362,7 @@ class ibpkeyRecords(semanageRecords):
(rc, k) = semanage_ibpkey_key_create(self.sh, subnet_prefix, low, high)
if rc < 0:
- raise ValueError(_("Could not create a key for %s/%s") % (subnet_prefix, pkey))
+ raise ValueError(_("Could not create a key for {subnet_prefix}/{pkey}").format(subnet_prefix=subnet_prefix, pkey=pkey))
return (k, subnet_prefix, low, high)
def __add(self, pkey, subnet_prefix, serange, type):
@@ -1384,44 +1384,44 @@ class ibpkeyRecords(semanageRecords):
(rc, exists) = semanage_ibpkey_exists(self.sh, k)
if rc < 0:
- raise ValueError(_("Could not check if ibpkey %s/%s is defined") % (subnet_prefix, pkey))
+ raise ValueError(_("Could not check if ibpkey {subnet_prefix}/{pkey} is defined").formnat(subnet_prefix=subnet_prefix, pkey=pkey))
if exists:
- raise ValueError(_("ibpkey %s/%s already defined") % (subnet_prefix, pkey))
+ raise ValueError(_("ibpkey {subnet_prefix}/{pkey} already defined").format(subnet_prefix=subnet_prefix, pkey=pkey))
(rc, p) = semanage_ibpkey_create(self.sh)
if rc < 0:
- raise ValueError(_("Could not create ibpkey for %s/%s") % (subnet_prefix, pkey))
+ raise ValueError(_("Could not create ibpkey for {subnet_prefix}/{pkey}").format(subnet_prefix=subnet_prefix, pkey=pkey))
semanage_ibpkey_set_subnet_prefix(self.sh, p, subnet_prefix)
semanage_ibpkey_set_range(p, low, high)
(rc, con) = semanage_context_create(self.sh)
if rc < 0:
- raise ValueError(_("Could not create context for %s/%s") % (subnet_prefix, pkey))
+ raise ValueError(_("Could not create context for {subnet_prefix}/{pkey}").format(subnet_prefix=subnet_prefix, pkey=pkey))
rc = semanage_context_set_user(self.sh, con, "system_u")
if rc < 0:
- raise ValueError(_("Could not set user in ibpkey context for %s/%s") % (subnet_prefix, pkey))
+ raise ValueError(_("Could not set user in ibpkey context for {subnet_prefix}/{pkey}").format(subnet_prefix=subnet_prefix, pkey=pkey))
rc = semanage_context_set_role(self.sh, con, "object_r")
if rc < 0:
- raise ValueError(_("Could not set role in ibpkey context for %s/%s") % (subnet_prefix, pkey))
+ raise ValueError(_("Could not set role in ibpkey context for {subnet_prefix}/{pkey}").format(subnet_prefix=subnet_prefix, pkey=pkey))
rc = semanage_context_set_type(self.sh, con, type)
if rc < 0:
- raise ValueError(_("Could not set type in ibpkey context for %s/%s") % (subnet_prefix, pkey))
+ raise ValueError(_("Could not set type in ibpkey context for {subnet_prefix}/{pkey}").format(subnet_prefix=subnet_prefix, pkey=pkey))
if (is_mls_enabled == 1) and (serange != ""):
rc = semanage_context_set_mls(self.sh, con, serange)
if rc < 0:
- raise ValueError(_("Could not set mls fields in ibpkey context for %s/%s") % (subnet_prefix, pkey))
+ raise ValueError(_("Could not set mls fields in ibpkey context for {subnet_prefix}/{pkey}").format(subnet_prefix=subnet_prefix, pkey=pkey))
rc = semanage_ibpkey_set_con(self.sh, p, con)
if rc < 0:
- raise ValueError(_("Could not set ibpkey context for %s/%s") % (subnet_prefix, pkey))
+ raise ValueError(_("Could not set ibpkey context for {subnet_prefix}/{pkey}").format(subnet_prefix=subnet_prefix, pkey=pkey))
rc = semanage_ibpkey_modify_local(self.sh, k, p)
if rc < 0:
- raise ValueError(_("Could not add ibpkey %s/%s") % (subnet_prefix, pkey))
+ raise ValueError(_("Could not add ibpkey {subnet_prefix}/{pkey}").format(subnet_prefix=subnet_prefix, pkey=pkey))
semanage_context_free(con)
semanage_ibpkey_key_free(k)
@@ -1448,13 +1448,13 @@ class ibpkeyRecords(semanageRecords):
(rc, exists) = semanage_ibpkey_exists(self.sh, k)
if rc < 0:
- raise ValueError(_("Could not check if ibpkey %s/%s is defined") % (subnet_prefix, pkey))
+ raise ValueError(_("Could not check if ibpkey {subnet_prefix}/{pkey} is defined").format(subnet_prefix=subnet_prefix, pkey=pkey))
if not exists:
- raise ValueError(_("ibpkey %s/%s is not defined") % (subnet_prefix, pkey))
+ raise ValueError(_("ibpkey {subnet_prefix}/{pkey} is not defined").format(subnet_prefix=subnet_prefix, pkey=pkey))
(rc, p) = semanage_ibpkey_query(self.sh, k)
if rc < 0:
- raise ValueError(_("Could not query ibpkey %s/%s") % (subnet_prefix, pkey))
+ raise ValueError(_("Could not query ibpkey {subnet_prefix}/{pkey}").format(subnet_prefix=subnet_prefix, pkey=pkey))
con = semanage_ibpkey_get_con(p)
@@ -1465,7 +1465,7 @@ class ibpkeyRecords(semanageRecords):
rc = semanage_ibpkey_modify_local(self.sh, k, p)
if rc < 0:
- raise ValueError(_("Could not modify ibpkey %s/%s") % (subnet_prefix, pkey))
+ raise ValueError(_("Could not modify ibpkey {subnet_prefix}/{pkey}").format(subnet_prefix=subnet_prefix, pkey=pkey))
semanage_ibpkey_key_free(k)
semanage_ibpkey_free(p)
@@ -1502,19 +1502,19 @@ class ibpkeyRecords(semanageRecords):
(k, subnet_prefix, low, high) = self.__genkey(pkey, subnet_prefix)
(rc, exists) = semanage_ibpkey_exists(self.sh, k)
if rc < 0:
- raise ValueError(_("Could not check if ibpkey %s/%s is defined") % (subnet_prefix, pkey))
+ raise ValueError(_("Could not check if ibpkey {subnet_prefix}/{pkey} is defined").format(subnet_prefix=subnet_prefix, pkey=pkey))
if not exists:
- raise ValueError(_("ibpkey %s/%s is not defined") % (subnet_prefix, pkey))
+ raise ValueError(_("ibpkey {subnet_prefix}/{pkey} is not defined").format(subnet_prefix=subnet_prefix, pkey=pkey))
(rc, exists) = semanage_ibpkey_exists_local(self.sh, k)
if rc < 0:
- raise ValueError(_("Could not check if ibpkey %s/%s is defined") % (subnet_prefix, pkey))
+ raise ValueError(_("Could not check if ibpkey {subnet_prefix}/{pkey} is defined").format(subnet_prefix=subnet_prefix, pkey=pkey))
if not exists:
- raise ValueError(_("ibpkey %s/%s is defined in policy, cannot be deleted") % (subnet_prefix, pkey))
+ raise ValueError(_("ibpkey {subnet_prefix}/{pkey} is defined in policy, cannot be deleted").format(subnet_prefix=subnet_prefix, pkey=pkey))
rc = semanage_ibpkey_del_local(self.sh, k)
if rc < 0:
- raise ValueError(_("Could not delete ibpkey %s/%s") % (subnet_prefix, pkey))
+ raise ValueError(_("Could not delete ibpkey {subnet_prefix}/{pkey}").format(subnet_prefix=subnet_prefix, pkey=pkey))
semanage_ibpkey_key_free(k)
@@ -1617,7 +1617,7 @@ class ibendportRecords(semanageRecords):
(rc, k) = semanage_ibendport_key_create(self.sh, ibdev_name, port)
if rc < 0:
- raise ValueError(_("Could not create a key for ibendport %s/%s") % (ibdev_name, ibendport))
+ raise ValueError(_("Could not create a key for ibendport {ibdev_name}/{ibendport}").format(ibdev_name=ibdev_name, ibendport=ibendport))
return (k, ibdev_name, port)
def __add(self, ibendport, ibdev_name, serange, type):
@@ -1638,44 +1638,44 @@ class ibendportRecords(semanageRecords):
(rc, exists) = semanage_ibendport_exists(self.sh, k)
if rc < 0:
- raise ValueError(_("Could not check if ibendport %s/%s is defined") % (ibdev_name, port))
+ raise ValueError(_("Could not check if ibendport {ibdev_name}/{port} is defined").format(ibdev_name=ibdev_name, port=port))
if exists:
- raise ValueError(_("ibendport %s/%s already defined") % (ibdev_name, port))
+ raise ValueError(_("ibendport {ibdev_name}/{port} already defined").format(ibdev_name=ibdev_name, port=port))
(rc, p) = semanage_ibendport_create(self.sh)
if rc < 0:
- raise ValueError(_("Could not create ibendport for %s/%s") % (ibdev_name, port))
+ raise ValueError(_("Could not create ibendport for {ibdev_name}/{port}").format(ibdev_name=ibdev_name, port=port))
semanage_ibendport_set_ibdev_name(self.sh, p, ibdev_name)
semanage_ibendport_set_port(p, port)
(rc, con) = semanage_context_create(self.sh)
if rc < 0:
- raise ValueError(_("Could not create context for %s/%s") % (ibdev_name, port))
+ raise ValueError(_("Could not create context for {ibendport}/{port}").format(ibdev_name=ibdev_name, port=port))
rc = semanage_context_set_user(self.sh, con, "system_u")
if rc < 0:
- raise ValueError(_("Could not set user in ibendport context for %s/%s") % (ibdev_name, port))
+ raise ValueError(_("Could not set user in ibendport context for {ibdev_name}/{port}").format(ibdev_name=ibdev_name, port=port))
rc = semanage_context_set_role(self.sh, con, "object_r")
if rc < 0:
- raise ValueError(_("Could not set role in ibendport context for %s/%s") % (ibdev_name, port))
+ raise ValueError(_("Could not set role in ibendport context for {ibdev_name}/{port}").format(ibdev_name=ibdev_name, port=port))
rc = semanage_context_set_type(self.sh, con, type)
if rc < 0:
- raise ValueError(_("Could not set type in ibendport context for %s/%s") % (ibdev_name, port))
+ raise ValueError(_("Could not set type in ibendport context for {ibdev_name}/{port}").format(ibdev_name=ibdev_name, port=port))
if (is_mls_enabled == 1) and (serange != ""):
rc = semanage_context_set_mls(self.sh, con, serange)
if rc < 0:
- raise ValueError(_("Could not set mls fields in ibendport context for %s/%s") % (ibdev_name, port))
+ raise ValueError(_("Could not set mls fields in ibendport context for {ibdev_name}/{port}").format(ibdev_name=ibdev_name, port=port))
rc = semanage_ibendport_set_con(self.sh, p, con)
if rc < 0:
- raise ValueError(_("Could not set ibendport context for %s/%s") % (ibdev_name, port))
+ raise ValueError(_("Could not set ibendport context for {ibdev_name}/{port}").format(ibdev_name=ibdev_name, port=port))
rc = semanage_ibendport_modify_local(self.sh, k, p)
if rc < 0:
- raise ValueError(_("Could not add ibendport %s/%s") % (ibdev_name, port))
+ raise ValueError(_("Could not add ibendport {ibdev_name}/{port}").format(ibdev_name=ibdev_name, port=port))
semanage_context_free(con)
semanage_ibendport_key_free(k)
@@ -1702,13 +1702,13 @@ class ibendportRecords(semanageRecords):
(rc, exists) = semanage_ibendport_exists(self.sh, k)
if rc < 0:
- raise ValueError(_("Could not check if ibendport %s/%s is defined") % (ibdev_name, ibendport))
+ raise ValueError(_("Could not check if ibendport {ibdev_name}/{ibendport} is defined").format(ibdev_name=ibdev_name, ibendport=ibendport))
if not exists:
- raise ValueError(_("ibendport %s/%s is not defined") % (ibdev_name, ibendport))
+ raise ValueError(_("ibendport {ibdev_name}/{ibendport} is not defined").format(ibdev_name=ibdev_name, ibendport=ibendport))
(rc, p) = semanage_ibendport_query(self.sh, k)
if rc < 0:
- raise ValueError(_("Could not query ibendport %s/%s") % (ibdev_name, ibendport))
+ raise ValueError(_("Could not query ibendport {ibdev_name}/{ibendport}").format(ibdev_name=ibdev_name, ibendport=ibendport))
con = semanage_ibendport_get_con(p)
@@ -1719,7 +1719,7 @@ class ibendportRecords(semanageRecords):
rc = semanage_ibendport_modify_local(self.sh, k, p)
if rc < 0:
- raise ValueError(_("Could not modify ibendport %s/%s") % (ibdev_name, ibendport))
+ raise ValueError(_("Could not modify ibendport {ibdev_name}/{ibendport}").format(ibdev_name=ibdev_name, ibendport=ibendport))
semanage_ibendport_key_free(k)
semanage_ibendport_free(p)
@@ -1741,11 +1741,11 @@ class ibendportRecords(semanageRecords):
port = semanage_ibendport_get_port(ibendport)
(k, ibdev_name, port) = self.__genkey(str(port), ibdev_name)
if rc < 0:
- raise ValueError(_("Could not create a key for %s/%d") % (ibdevname, port))
+ raise ValueError(_("Could not create a key for {ibdev_name}/{port}").format(ibdev_name=ibdev_name, port=port))
rc = semanage_ibendport_del_local(self.sh, k)
if rc < 0:
- raise ValueError(_("Could not delete the ibendport %s/%d") % (ibdev_name, port))
+ raise ValueError(_("Could not delete the ibendport {ibdev_name}/{port}").format(ibdev_name=ibdev_name, port=port))
semanage_ibendport_key_free(k)
self.commit()
@@ -1754,19 +1754,19 @@ class ibendportRecords(semanageRecords):
(k, ibdev_name, port) = self.__genkey(ibendport, ibdev_name)
(rc, exists) = semanage_ibendport_exists(self.sh, k)
if rc < 0:
- raise ValueError(_("Could not check if ibendport %s/%s is defined") % (ibdev_name, ibendport))
+ raise ValueError(_("Could not check if ibendport {ibdev_name}/{ibendport} is defined").format(ibdev_name=ibdev_name, ibendport=ibendport))
if not exists:
- raise ValueError(_("ibendport %s/%s is not defined") % (ibdev_name, ibendport))
+ raise ValueError(_("ibendport {ibdev_name}/{ibendport} is not defined").format(ibdev_name=ibdev_name, ibendport=ibendport))
(rc, exists) = semanage_ibendport_exists_local(self.sh, k)
if rc < 0:
- raise ValueError(_("Could not check if ibendport %s/%s is defined") % (ibdev_name, ibendport))
+ raise ValueError(_("Could not check if ibendport {ibdev_name}/{ibendport} is defined").format(ibdev_name=ibdev_name, ibendport=ibendport))
if not exists:
- raise ValueError(_("ibendport %s/%s is defined in policy, cannot be deleted") % (ibdev_name, ibendport))
+ raise ValueError(_("ibendport {ibdev_name}/{ibendport} is defined in policy, cannot be deleted").format(ibdev_name=ibdev_name, ibendport=ibendport))
rc = semanage_ibendport_del_local(self.sh, k)
if rc < 0:
- raise ValueError(_("Could not delete ibendport %s/%s") % (ibdev_name, ibendport))
+ raise ValueError(_("Could not delete ibendport {ibdev_name}/{ibendport}").format(ibdev_name=ibdev_name, ibendport=ibendport))
semanage_ibendport_key_free(k)
@@ -2765,7 +2765,7 @@ class booleanRecords(semanageRecords):
try:
boolname, val = b.split("=")
except ValueError:
- raise ValueError(_("Bad format %s: Record %s" % (name, b)))
+ raise ValueError(_("Bad format {filename}: Record {record}").format(filename=name, record=b))
self.__mod(boolname.strip(), val.strip())
fd.close()
else:
--
2.41.0

@ -0,0 +1,148 @@
From 9001fe7d0d4007b5dac28422f46a9a605efefc0a Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <lautrbach@redhat.com>
Date: Wed, 17 May 2023 12:18:54 +0200
Subject: [PATCH] python: Drop hard formating from localized strings
Content-type: text/plain
It confuses translators and new lines are dropped by parser module anyway.
Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>
---
python/audit2allow/audit2allow | 14 ++++++--
python/semanage/semanage | 60 +++++++++++++---------------------
2 files changed, 34 insertions(+), 40 deletions(-)
diff --git a/python/audit2allow/audit2allow b/python/audit2allow/audit2allow
index 5587a2dbb006..35b0b151ac86 100644
--- a/python/audit2allow/audit2allow
+++ b/python/audit2allow/audit2allow
@@ -234,9 +234,17 @@ class AuditToPolicy:
print(e)
sys.exit(1)
- sys.stdout.write(_("******************** IMPORTANT ***********************\n"))
- sys.stdout.write((_("To make this policy package active, execute:" +
- "\n\nsemodule -i %s\n\n") % packagename))
+ sys.stdout.write(
+"""******************** {important} ***********************
+{text}
+
+semodule -i {packagename}
+
+""".format(
+ important=_("IMPORTANT"),
+ text=_("To make this policy package active, execute:"),
+ packagename=packagename
+))
def __output_audit2why(self):
import selinux
diff --git a/python/semanage/semanage b/python/semanage/semanage
index e0bd98a95c77..4fdb490f7df4 100644
--- a/python/semanage/semanage
+++ b/python/semanage/semanage
@@ -238,30 +238,22 @@ def parser_add_level(parser, name):
def parser_add_range(parser, name):
- parser.add_argument('-r', '--range', default='',
- help=_('''
-MLS/MCS Security Range (MLS/MCS Systems only)
-SELinux Range for SELinux login mapping
-defaults to the SELinux user record range.
-SELinux Range for SELinux user defaults to s0.
-'''))
+ parser.add_argument('-r', '--range', default='', help=_(
+ "MLS/MCS Security Range (MLS/MCS Systems only) SELinux Range for SELinux login mapping defaults to the SELinux user record range. \
+SELinux Range for SELinux user defaults to s0."
+ ))
def parser_add_proto(parser, name):
- parser.add_argument('-p', '--proto', help=_('''
- Protocol for the specified port (tcp|udp|dccp|sctp) or internet protocol
- version for the specified node (ipv4|ipv6).
-'''))
+ parser.add_argument('-p', '--proto', help=_(
+ "Protocol for the specified port (tcp|udp|dccp|sctp) or internet protocol version for the specified node (ipv4|ipv6)."
+ ))
def parser_add_subnet_prefix(parser, name):
- parser.add_argument('-x', '--subnet_prefix', help=_('''
- Subnet prefix for the specified infiniband ibpkey.
-'''))
+ parser.add_argument('-x', '--subnet_prefix', help=_('Subnet prefix for the specified infiniband ibpkey.'))
def parser_add_ibdev_name(parser, name):
- parser.add_argument('-z', '--ibdev_name', help=_('''
- Name for the specified infiniband end port.
-'''))
+ parser.add_argument('-z', '--ibdev_name', help=_("Name for the specified infiniband end port."))
def parser_add_modify(parser, name):
parser.add_argument('-m', '--modify', dest='action', action='store_const', const='modify', help=_("Modify a record of the %s object type") % name)
@@ -348,15 +340,6 @@ def handleFcontext(args):
def setupFcontextParser(subparsers):
- ftype_help = '''
-File Type. This is used with fcontext. Requires a file type
-as shown in the mode field by ls, e.g. use d to match only
-directories or f to match only regular files. The following
-file type options can be passed:
-f (regular file),d (directory),c (character device),
-b (block device),s (socket),l (symbolic link),p (named pipe)
-If you do not specify a file type, the file type will default to "all files".
-'''
generate_usage = generate_custom_usage(usage_fcontext, usage_fcontext_dict)
fcontextParser = subparsers.add_parser('fcontext', usage=generate_usage, help=_("Manage file context mapping definitions"))
parser_add_locallist(fcontextParser, "fcontext")
@@ -372,11 +355,16 @@ If you do not specify a file type, the file type will default to "all files".
parser_add_extract(fcontext_action, "fcontext")
parser_add_deleteall(fcontext_action, "fcontext")
- fcontextParser.add_argument('-e', '--equal', help=_('''Substitute target path with sourcepath when generating default
- label. This is used with fcontext. Requires source and target
- path arguments. The context labeling for the target subtree is
- made equivalent to that defined for the source.'''))
- fcontextParser.add_argument('-f', '--ftype', default="", choices=["a", "f", "d", "c", "b", "s", "l", "p"], help=_(ftype_help))
+ fcontextParser.add_argument('-e', '--equal', help=_(
+ 'Substitute target path with sourcepath when generating default label. This is used with fcontext. Requires source and target \
+path arguments. The context labeling for the target subtree is made equivalent to that defined for the source.'
+ ))
+ fcontextParser.add_argument('-f', '--ftype', default="", choices=["a", "f", "d", "c", "b", "s", "l", "p"], help=_(
+ 'File Type. This is used with fcontext. Requires a file type as shown in the mode field by ls, e.g. use d to match only \
+directories or f to match only regular files. The following file type options can be passed: f (regular file), d (directory), \
+c (character device), b (block device), s (socket), l (symbolic link), p (named pipe). \
+If you do not specify a file type, the file type will default to "all files".'
+ ))
parser_add_seuser(fcontextParser, "fcontext")
parser_add_type(fcontextParser, "fcontext")
parser_add_range(fcontextParser, "fcontext")
@@ -426,9 +414,7 @@ def setupUserParser(subparsers):
parser_add_range(userParser, "user")
userParser.add_argument('-R', '--roles', default=[],
action=CheckRole,
- help=_('''
-SELinux Roles. You must enclose multiple roles within quotes, separate by spaces. Or specify -R multiple times.
-'''))
+ help=_("SELinux Roles. You must enclose multiple roles within quotes, separate by spaces. Or specify -R multiple times."))
userParser.add_argument('-P', '--prefix', default="user", help=argparse.SUPPRESS)
userParser.add_argument('selinux_name', nargs='?', default=None, help=_('selinux_name'))
userParser.set_defaults(func=handleUser)
@@ -901,9 +887,9 @@ def setupImportParser(subparsers):
def createCommandParser():
commandParser = seParser(prog='semanage',
formatter_class=argparse.ArgumentDefaultsHelpFormatter,
- description='''semanage is used to configure certain elements
- of SELinux policy with-out requiring modification
- to or recompilation from policy source.''')
+ description=_(
+ "semanage is used to configure certain elements of SELinux policy with-out requiring modification or recompilation from policy source."
+ ))
#To add a new subcommand define the parser for it in a function above and call it here.
subparsers = commandParser.add_subparsers(dest='subcommand')
--
2.41.0

@ -0,0 +1,32 @@
From 0387db55278c10e04a7a507d2e1a6d028d5de0bf Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <lautrbach@redhat.com>
Date: Wed, 17 May 2023 13:09:58 +0200
Subject: [PATCH] semanage: Drop unnecessary import from seobject
Content-type: text/plain
sepolgen.module is not used for permissive domains
Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>
---
python/semanage/seobject.py | 5 -----
1 file changed, 5 deletions(-)
diff --git a/python/semanage/seobject.py b/python/semanage/seobject.py
index 2b1eb44ce8a3..361205d11c10 100644
--- a/python/semanage/seobject.py
+++ b/python/semanage/seobject.py
@@ -504,11 +504,6 @@ class permissiveRecords(semanageRecords):
print(t)
def add(self, type):
- try:
- import sepolgen.module as module
- except ImportError:
- raise ValueError(_("The sepolgen python module is required to setup permissive domains.\nIn some distributions it is included in the policycoreutils-devel package.\n# yum install policycoreutils-devel\nOr similar for your distro."))
-
name = "permissive_%s" % type
modtxt = "(typepermissive %s)" % type
--
2.41.0

File diff suppressed because it is too large Load Diff

@ -1,321 +0,0 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
mQINBE97JQcBEAC/aeBxbuToAJokMiVxtMVFoUMgCbcVQDB21YhMq4i5a/HDzFno
qVPhQjGViGTKXQYR7SnT8CCfC3ggG7hqU0oaWKN3D003V6e/ivTJwMKrQRFqf5/A
vN7ELulXFxEt/ZjYmvTukpW5Li2AU7JBD0aO243Ld9jYdZOZn2zdfA8IpnE9Bmm3
K/LO1Xb2F9ujF9faI5/IlJvdUFk3uiCKTSvM8kGwOmAwBI921Z5x/CYvy5kKEazU
lUxMqECl+Tu2YS6NDhWYNkifAIZ7lsUvGjW3/wfh7AvmAQyt/CxOXu9LL2nGzFhw
CIS4jVIxy5bDswNfHcaMX7B5WEyqTPtjzPAEMiLL4yHJZrHDPd26QHSaqtilVA4K
AeTYbME8iZIdacquFEq02PO9qAM21O48OknCTSolF7z6nBkk6l26W3EL+Gz5I2Et
3S9pab3FMjiiKVavM6UA5D0DQkNxxDn9blDXZyhX4HFrk+NnoETcGYFymPbbijgi
kFC4339/Z1aK31aJLkxiana5mqLthD4jCeg3B8Cp5IurqPr8QEh3FH8ZZhtdx2fX
TXHTmGQF/lXG4tg1eH5cb6wWGU93wD+5mf6czJlUZTY+kdevKtZCQnA0/2ENCOFW
Jdm/oMTUw6ozPd474ctzWKeO78e8yMvZst/Zp3Gq6SD9kcoPgiuMQ+BOkwARAQAB
tCRQZXRyIExhdXRyYmFjaCA8cGxhdXRyYmFAcmVkaGF0LmNvbT6JAjgEEwECACIF
Ak97JQcCGwMGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEGOorUuYLENzy1MP
/2c4fH8eXWbqoot/vLE+hJ14k0leYOQhVSo4lNlxRlbKNd5MQSX/QjkQgJNECbB3
LM0KxE/zwVOZ+umvmxLxNskOxjubE6NzoF7Sm9ydoqjwzenIpR9BVtg71mfjBOoL
PNrst7tHRE5btSnnnOS9ddt/y9JOIvQpkjtBTI2TfVcp2b4Domg7i4qU/hJ7hu45
5oAi6rPPkr0pcGiDKTqi46l7+9orsj9Mxs1XTmrTMMB/eV6PCU7Fo4WJNXS8SXd3
sEVxXvpyYjUTTnDuewjT1q8NL7anrsckS16WYSVGKzRhqtP1Vudt1F/D5cWKVqQp
vQl/XW/uQS2IsgEWsbRmIAEZIUOy4TnuF494C/A+1BbJBdUr4Nl9zPH2bjrJeqYk
TsvGQr1icgO4pUg5oC456htkqCxCuPRqqrGDAZBx54TldgPwvCo31+aPQJlOlWvI
uWD/depp0De3oTK9FDnHh3swE0vyn4Ht96+vM+KNnDYgJ1FEaw1efYePFACobvEB
o2ZpLbnDyqAT4MzfHpHSbwzUOk52ZOnkl/KrUIOxhXtf4dxRS6J70Rzb+HWS3rY/
LgaMO5Q0BJfbvknguKmE8dO8jx0pTlVER9ujqp+bVPXmFMha1j8vyGhJ3eLJZaRL
k3jgfRjiUUb4lNp+hXpvBwIYeFWl5kFVKg2aPywgnnFWiEYEExECAAYFAlBq4WgA
CgkQ4J/vJdlkhKxmjQCfevlawFaGTx58nDFN+4j/2U6uaGcAn2g1sZcTUrEEYHdL
byAyw1GNLksOiF4EEBEIAAYFAk99mCMACgkQ/2iSBAM3HxDivAD+Lu8U54iGgL5+
h9KpeV+ZlHgIpj4cD+BVL85L6AQ3GP0A/1TwZ1tS6Ag3ut2G6AL2wewR3v9Mgu68
E0M5esz5of4oiQEcBBMBAgAGBQJPh9ZuAAoJEBliWhMliBCHMSUH/30V/E930OTT
oWeq+QKkTJuMF0lrA5NaAy+xWtrynMKoiAuM0KFNGPfrPehkoxR4D+MKXH+xh0j2
bHl6fXOHJCKZLhCtsC/o8j7kkjIJjixBlwYMul21rxecke7Zt4XpxHARJx4208Lk
ztpzOd7ZnDP6KYav3itpxK8Eyj4g8N2omoTQ2Dcd+sCa0jgRkyskpPxdt0fK0D04
XW7b1LZkxwzwrAGSpjAZVzpKBXANcSmUQDAaIhGvYSKoiwVe2eaE5lUmvAaJQaTr
Ud/LCIwFofTLSaBRX8fEOe+UwvW36VtynPyETyROeTMp//Cm5e2CQVPoDv79soyi
E/oUW9DFDhCJARwEEwECAAYFAk+Oe6EACgkQlGXZM5TcxIlIRwf/VjfbN3eVf648
vXvDctsXfucl37i6Yue2COJiGYuZOrN7wYxVvH2to8P3V53YV9OqDpJl2NXUro1V
iUjFHuIKp23VbtyBAYsrLeTMmHLjnXlaUPSr6JUDHUQhCF34BTk17e9y7tXlEshF
YVyPlGum7JhyarHB2rRdjQk8kyTqmQ4yHjw/nP/HlvVxdgb+mTmudTPVBafOT1R9
MJ/SN2x4bclT4cQ0hjNEy/TsFzVduQj8yNOMFG9r6p1Vb+u1wn3BTANIh55R9aDh
3JFFIV/jBTkxukxR5iyGQiR53nl0e0qnQFxpfhFGclh0RktjrHZ3DBAzcuYXp540
Vu9aq9QuPIkCHAQQAQIABgUCT4bdRgAKCRDCPZG7HYJE34FtEACfqPwWSItk1lNX
E0HOM1YuHXFfMGURF1AotskJatwtjGy9oDUQkjfsPROnWjgH9s0xD2UmlTrjJfWi
BdH0kTLiExVUOmvnM9VFMRhYxQZMwiHecm4FZ5IWUz4e05oGCkHFbMswXEoEG+qq
btOfLNpX67yy/JM6We+8PiXV/c2vaErpH5S8YChb5wD9lEWNM2aPBOUmbzONM1/f
EFd8AF6fUVYN7htuyG1n5zTv+oowmO2c0terJRGmMgVuLugIEnKKhaQ+H1K6bdZJ
7mX4xxx5izEyYeYhi9DhBHSwCLhWR+Yilqkc5U0nrF+3Z+Cb9THHppi071OIQ7pX
rGsQSpDzGRXCw0nKEBm0Li13re8cOoHMlPD0RHWZEIRZGSYX1YKBtVuv4kpSq8GN
85lZSDKGRNtbJBS7Qj4vyOlOrBO1eyyd4lepQCe2Ri3gU97rek52tOM+fAIibz7V
b4a0qbbphrz6PVMbDGiBxM92+YpdDyZGyL7wJ4g6DhRRcEUQahlZ1n7y+YQ60ETs
zt7+kD08Zi2BoJpiMHsFfoas2pot7VePFxGutwvq0p+OHSVlwkLgOaORPHumLA8u
J3BGlJTHsErUB2EEgdc/Tv1vsZzEI3Zi+hqw1gcbke21Ii8aDfshbeKW9hYJAhnW
m8VdF3n80UX5Eg56iybrLCjEyiAEYYkCHAQQAQIABgUCT7yYRAAKCRBOBfZjp6Qb
nnyTD/4gVbq8H5ka7fVdSAnX65/kFn5xkqGzbpCkjcqe/5uI2CvdYtjeQ4K6sm7I
5RLoyu/EE/JPbCRHiucsEak42WAZSRte/Wn2yTQpIb0mQ0wXJvuM+Hx7DSx2R12P
9rIZ4mGo/rEtdG7Y9Vog9M/XGx7w5IqSw2DF2yiYQJXsOzHjphfYB8JfoqjW/73k
n4E2IRJtCuWhfiJZJ+GEGceSBIredH3o01ThtbAeh/gzPRF3FU1361zyA1sXtmGe
qwnhNL1spHRlpub3cvAXQ8RSYrNdiFZB5zohNt+iL+qzVWaUJo+vYZal1Co5/roI
HN5nJef8kp1ngaYKvf1hIVvsdQsilVQIXKFWMd47aU6W8gPr1W2+U4yw+q+OXari
eo7gpH7/OvMSe/3wOhGVD8KJrMwAVnr3M4wo2CM6zlwxPGdltQI+IxDD8NTGTmNT
rRARYRQaFQyqd1SrVt4sSkeoegrpOG4oWXya/v4SeXHD4vt8vvvX3A4szB73a355
IfbyRXDER3EfFfW5c+BnR3bxhfATTE6T0AKz1Gq30Xm2ycTGYCAZ2yBKewaegTpx
3O/E6APTXUnVWTIPQay8T4iVUiLFs7W1UFMY/RvmIvKKFIQWcm5O0L+27PJK+YSx
Uoo1Ivt1pclTuetbRbN8VnR3K9Pp5uZ4KLz6ZkffmJg2sOSu74kCHAQSAQgABgUC
WWMlagAKCRAyfirUINN1OOtFD/4jW0ZMGigpruCnvY0nr47rA12X6dJ6+KIBE+XB
QxuaQRjM5u44geksDwrqZ0nXrNvsa4SVwAhKVOrgMJVdzvUa1m2yeNCFHOTjln6Q
GjZ5f3a6aj6n/X5tlPptdklUr9ucEwXVd5fFMpWAiwaqZt38I2u0Pi+/qHDt0kLy
RSukmRPzRuS/kO1ugGO4aoO+sanVDl2Pq6LIwubL1Unk2HUerg8VCAyQrxYtZtHc
coyhmBTlAb+EmZnUVbQZ3Uy3eA89OuNTBhJWCk8vqROFm257MiH6gvG/V8CTrJfz
lpE+s9E6kxXhXpQWZUwtwWObq7vrJVkJhRwBsO9N2erxe+biBauFErYQPw3bg6xL
1BJLxDWnKUlMWs5o+h7lyjp+1B/gbnnlrUIlpW8IKVZRHwRUPGRN07SbbEO1lDk5
uJDMk+r2KrOUNVYCEp794P014xodkLvB8X7ml6tcABE4V9d4uVDX3SsktOLMvtWg
nL6xWMoBYiVOXi3Rsm8vESBOb8JFQL/ItciUyAioM4Zjq5eqotVq90HMBO9kqcjC
YsYEs6RACRmyE+TNmzGoucIPTwPEi5Ib4gj+LG6iPOBprk5DSjD7F0/wnQPoq8PY
HIufb4+PgOXKf/ROQXDRLeD6eZBtPcDUJOgW19m7QcXZ8fvo6B91COe9jTF/H/i3
A7NjR4kCHAQTAQgABgUCUQZ8hwAKCRDZsFd72T6Y/MoUD/9xxmXbPL2Zto6qECXs
Q1GFuydiYlURxDsVUiuc1tSgEoDb8XcXl37l/IKX1QmcpvHMPzeT0g8sNwIXSnL6
BNCnFcfrd0tEz8uBPxVnzMiGwaHP1kB6Vs6sNV31+CJcTz8BHHbOdXZnhHqXSb02
SonqAYeWVSlE08Ejvq0HIWRn6NIGdGqv6icBExryJjS3ZChRFpvgAJwsVO5f6BKH
oZnEn79uQR4XPHwuxRbm4hf6iYEbOhE7Hod6kTzS9vYIhyuTFTz5Kz/YxlMoZX/j
TIYsX0nZ3r+Tshur8iUXJhKvvXVlGyrGO2HXfEuIpJqEx4/qM9jUNP0EE7aPzZ6f
BP7Xq49Dx9lnZuSQ1jeXxEEpO+AND2xmnjCHr3EfgYZrrhCSxMQhvJh7wypkzu30
D41BHPOPSotmM7WLceHWmYui0Wuq9X2hom5jq11XwACEtmNiP/odXjF0ovfK0d8l
j/kivgrXAZdN/ONJapVSLkRMS71S6eln+urR9HfswEfM7IPt0cRwN1oNIhXmK14+
XBWvvwvalfuxG2UfxD8K0JXMwARlpGlV8lXpuzDV8EcrvLipKpqiQWaJer64kaQb
8qHEtT6+JNoGkymohrfeVagxKmPzDWR4v1a9lgZwY1FTRHNVPM0P8LWlN9q0CrYc
poBwkhTMV1YJ1OBSrkM9IM2vsokCMwQTAQgAHRYhBGMZHOlBgwmGicq4237xN+yT
Ww6vBQJjLRkzAAoJEH7xN+yTWw6vZSYP/36Bt4QhRtIh6HPWbHraFSl4omnuISu6
lTHsqhik81nbIUiLZ5e/KN6ONSgD2jfMVQOLiPTQFOoxVZvOjaHmHvMuF7BCbr90
Afh1qXW9txuPbVkhtC6hqIMn87b8UHEnt1l5MiafQnPHhoociqaqwfls/iu0nJGu
Jf5eVMXpdeWRk+ckGkqP+tXp/0G933jibSdYqwG1Tsw9D98xnGV3a/+zIqRtJflp
HPEjHPT6rVKAZxk7gkYSSsv6ONBwZHqwe9W1I+U4t6OPkGo5kNbMPBORB6/7B2Qo
LHx3+KYZs1j6glI+F/8IX2+JSFs07saMnsDhE7w5FzmwWV2JcUt42RSf8DVub438
jgA/Ht5yPROEJ87de78aD/t/gPq/Gm3bnUz1BW0jxBidjqg1qPOMYjC7n4dH8X0N
cRfX6tWOdSXmDBbPg/vQi6CEIhsGVisKlnrgYi1wDZExU6UVMnBNvllUu9PXye+7
51cIbrb+fwAWiwmu+AsL0qsjxZYo+9ozOLh9wLUhxOY5MZM82alN/mlUGzEiXN3R
i7D3rDrNFHdI4LGGLbO2hjPYrG4hdNHS+6WbU6qYcpBEhrqBtnUjoVqIKP2boBLR
ara7hHqVO120s8kgGtf/AoYpggD0H4qqUy4EFNjVdcL5T08w6ldQIYo7CEa1iHFt
ML4bsPcJh8lciQIzBBIBCAAdFiEEcQCq365ubpQNLgrWVeRaWujKfIoFAmMsvIwA
CgkQVeRaWujKfIqNXA//fjCpyIPPd6RnJhagWH8XCp5NB4cCT+LqAIR5yZfz1QE8
Qbzpoobz9ysgXZ5XjLp/lbVffGyg986j0wUtSW1+g3kJcYXBUKjSWoBwwmZgyZky
95U+uklY8CdPjSeuzr2I5X/LogHNH1378d9aEmQXBfX1uW5g4Aqgnl0OOgkCVzgs
FFOO2o1j6svrrDVG52/mwXhNRm0yYK/hFB8T3PO2IvMQGDGJLHl6N5Kl7P2jtkyF
Isi4AEzJeop/2GJYXQ+VkUTSNRKQj8oOS5qe9/0RkF9uqeamoc81n2But8MZN2fv
R7ug2EuG2LHp9/pwu5ekohXmY8EtMbVbU7TYKgduK0FMBaK36jXN4Bapakfxr1z5
pwdDjN4QiqUefBQlG1CJ6fGrqbdAupzRRDqN974rs5HafnbxioYRYjoo4H0zC8XN
UwgmA2wrwIIY/cyNCSnUuT8yVAnroPiFgmMoL8RM7C5pHQYh0u3fXPfvNBswjXmR
pJ6mhTqG6SS4qIaPhqoZqA1iyA6+Ua3YLBDT5wqvuqNMnfLtLUvMuridmlj97cRc
srQIr022NdpafDQVAiVhZO0CRyFd/++XT35iiDoiv20+LewC0VVza466AE1fkAme
rKlurlET8U/+U0JB6IP77ErjMgCzotV8e1DJkp/M37nMeNzazAb//ovsdkNM6P6J
AjMEEwEIAB0WIQRFaBEoRJtl+IDGF5c6hKlGtLpirgUCYy3RvAAKCRA6hKlGtLpi
rvhHD/99Lvgf+CjbhwC87CoKX84MyAyBlYACCSuySQBnEsVigz8sCVyTYDx52h1h
/SEj7XfTylAfIl1CjUedH4w3hk+7IN4scmhf5eeEMvQd8q+Q/hWQcXIUpwgKOcVD
NbUgYcbakJAPtilK1CeQvDdBD+aYoMsJTsII/f7FJzwjPM1XGf5EoODUC8BtQf/W
KAVoESwwAUwN6Y5XeYSwMqu1s7IHs3yNYLV8C6A7EQPVaVVlORqI+33rKyqAhK5X
ErNvAREQPYJMfRnQlIW7alSORwdG0JBgVLgV+jvoFo4a1AQImHDDtKxs2X5BCVG1
I687uYDBy5Assl/VxRMIUpx5+zWvXyDZX/6nlL7AMokTlyosgP4iiifBS+5KMhan
phMgnDXYIJE10V46Bdw2tjd7wMKey6BcKgfbZSvU5z+SuVnQXCyl3/blRML54I5o
EomXPg6lgVxSb6BBnaJXzx4JKgLer5uom1OGsLgPMqEHRoO3bucr2xFdtq1Zegw4
9S3qDhQ3bn8pg9JlYwmAAhBd3Xy5cPv01mV6ompOQ38SlMCJzcAGASdMw5scaxUl
7MloV2Nl32HIzPjK47bF7aVOFX7Tz+rEFLmJCchqmUSdxi42rJyHKVRqiAlNfZ9S
9FeaEfU+vBxOHsLNqVO7ErvrTafT5fjphZqvUTqZGCUiJUjPnYkCMwQTAQgAHRYh
BOJeJUyO5NMDVUv1r+xwGh2klMXrBQJjL1NOAAoJEOxwGh2klMXrYaIP/ifHM9eU
UT6JD0m6Oa3P3T161NhOvNqr71LDSztClsWo3XX0+ZK3wpjoC6vKqgx0Cc8OL1S2
GqwCaxb5JqWpsoqR3NW6bTqTTUGREj/e0JHDeBzv57OEUTe4ea7qzqjhCX6iyzHa
qDP9fiAogMQ7uT2oCghDV5yo4JUrG5brw8GkMLEvRSs2BEv7xFAySRaGwNj+oziZ
VzL7sBzp1bCr5cwNZVYxoo3VAv6FUcExp1TydxzPVB8/VvxOa4zrht+hFTn6mjUi
NHBc7DYECgh4jlDR6TnAdvpg0FsujTXiN6A0obOUl9jGz2uFmdY+2ojlVtzqKXoP
+PDz8o2zMrRoQYkni9VyIc536E4OFIhfO6CrThMjJjPNn22Tq+fzRYkWTrlJom9b
nOldQ1BdUXQt2QNigdzqjhZTIgF5OEOTERh80dvwIbZ+7vN00BOsuncR5GUBQerU
F6+SksVRAaOg2lyoDdxUQ+Z28RU8R/n7VjMV8ctFkQvHHLBqKkpET8LRh0C/jSNh
gB8zLPc3Oa4wTf2xZWO58S18esbYMr74vRYrsACbmwxH5Tz+L6Br70Fmcz608+IQ
ESKW3657gemZgFud3AGokzKG5AuWykSinydiZbK8MRGLsdfPUojaVIgXFqnWKtkH
At9gkD8YbqGYzuVwBnljBNRdTUMk0ClgV6pjuQINBFom2R0BEAC9k1Ky6AIe9sPP
xrgsrXRe0dyYcoHufzeU3jFssl3+S4cRuvYCzdZfRfdjfHa4n+CxTaOd7xkefwJg
GpaR9KJbu8dqHm61GIiS5ZbMCRU8FAW6ohVeDqEwFrPAzZjtO41OTpeXCrPu5H5A
Tg/kDnabzlD2H8JWAqr0DYRRhFtJUihXUey9zK03wSjUi5E1+YHUC/fOpbS+msNN
945CeQNBN4Ljap9Q183Fkh0Wm4Q8C0OS1WN8a0XtqSALRCGAZ+EV6UrmQVP9PCC4
/J0hoKQPv2bfpBAsrUGAO3Fnsw7804i2TY7O3JA8gGDYX6fwOVJMUXdD7FX7LM2P
pESqAdPrjqmPqHT8cPfq27GYgqHv3N4hP9Rjt9wxmHYFbJT0YCHw2ZMiAO/VcvvN
miGr590ZFiQEb1MJN1r+h5UDE1CtF6nTieirSXi9oMilHlo2NY5nAItv/T9PKk4X
+kaH3UoicMxrkT34tACGwxi4VIRYWL+ZquxE+bwXqAvbGJ0p3XbyREURCaO96J/2
w951EvZErpFRQu4zzClmoMiNbwkQ8QdesSaqjMirlHyFI8T9BZrXbPazdVNUwfyR
LFil1q/kgXjXeJDoje73UiyGhqhlVOlEbunGzCwEBzrtQdPTDeFQr476/4pe0v4u
gdNYkL/gY8Izodn47d1XH68AuRSrzwARAQABiQI2BBgBCgAgFiEE6FPBhIsBhc9C
hk3zY6itS5gsQ3MFAlom2R0CGyAACgkQY6itS5gsQ3PQSA/8CZGTxQDbD2oLkGb6
tyECIs5A1RsfwJ9aj0R/HuEO39ki8yM88fwi8F5AfzNcmYwp0rxyYDDYM0itObSv
A9WBB8YFZ2PKT1YHrwTzWbne+spmQYDRdFt+0Kx0JLvgv7SYvQ1jNdCazixH1SAM
9O+Tn5oFybVHjRavWsQYHp1CvXY5kOHOEDHhz37pGwFvyVyFdSYS5PWT0+0XU/g6
Uq2HeFCurhUGuDXJ6WA6Ipvmu0vbi8GpyeiWCRoG76sqbBfQ7dd0oDMUHitewWGq
LP1Kioke9hu5p9CbkjYwGZjJWZEV6WHxOmICfFcBRPeIJyO8Kfa/vVBfQZj9fhqs
3sHSfAGIdKIB3tX0qKhMRdu/QoM14YQ1yK80JTUUOcrKLDt6QJinF1UQ/OcYQqGB
CXaRk1OKGFuuij16QudnX56+aYbNPltf7cLs1O7aodQcRxmMSgxSE/2ckthPYBsX
PWuDMYZCb3e6JMWsdnCI7iPpoPFAJmId7SWJebXZxntoX6YwZ7Tx58/QMLEqxMfE
ExQTAFg8/owvxCG12KaharLr4GpLx0aU39QEJenG1LqGLwiQh9Vxsejw+MkebZJE
6zhs7XBpenrd5c9OFOtb/Goxwal/6UXz7a62jZ7wDNpJw9xOfC3/eX/56+6dLVef
RFj/LOIu9reM4boTiY2dmGj1QC25Ag0EWibSSgEQAMhQB2Q329FSozPk7V6dYBO+
jDBMr1jHWvNMCR/2DkwXfDAKK3haSWSqr51/wua9skFRezQvc9PhgvOIJi1jsxRf
xNoM82a2OpYJdj16FG5RVQ/ApojiywNvp1YPJbmq4DfXSuUA6q+OephsFLrx2cPY
nyDQaI6mrqTBecET4cdQTZK0nKKUPj3U2bI96zTBIYK8Kr7GMKXm8R1eV8bktwHT
HyDjI7hN5EjZViYqZYDQ3jt2vC1Aj6XpFw5K7Sv6f0l91zyjfcu6Llsfo8xtRhAl
lub8EBuO6ljJ5uWqDgjqTOkDXcIAUkhUCg8ztweR15zgJQQ/On0XDcHLtyi7zuQd
xNaKYKkD3oROTqce+YbNN3qnP4bV0qa0JLlTOrE/0/zmif7Q1zYOidcmMgGeF6Gp
pGQkkxY4gSKet8kD8h4AZXGlpFu4e9sue1ENDRmgWaqSzIWudMRZ3z0/s9EGNNiW
60nwJ1NBoySeQEmnwMzAHXneRM9pRGQ1S3/CKttq/0eWEH3Y/Td9xi4DNvTXcvgJ
uUUwoclWP2PCPg3zE+EQ1q/Kt2oYrT8NcemM9EO8btNzJ/Y1wSDLFAFNikHwYjTM
86jWoeGhSM3fD9HJjfqoB41gDKvNIVlhQavhe6df4+AoCo/mGosLYAPFaHHdkmqn
eT0Y0BnTRIS9yLcO8CBVABEBAAGJBGwEGAEIACAWIQToU8GEiwGFz0KGTfNjqK1L
mCxDcwUCWibSSgIbAgJACRBjqK1LmCxDc8F0IAQZAQgAHRYhBNalthyaVTQWgpLb
Z74iCR4+9iJ1BQJaJtJKAAoJEL4iCR4+9iJ1D2AP/1VMC8KOmzPYyiFY+1xHu2rv
siB0f80GH1jXwDSM/IKvsH1axCD0hMV5sSi52epCov37czSlR3MpQjo0xK32wJB9
26AgbzJYZO48qulDUXUhPWJ9bxiyIcxI/3KEspY1RMoWv8AfYA/qSma1cSdT4IMo
SGJzPh3RyrUpeFP5QT02oGa5TuSQPiJwy/b9u+RVOi1SSqzHMJdKzZehGays65Pd
jC8Xtf4ipdYRBr6mIyUISOB+FBkY2MttFzNDUBdDrOepyjStQLZ1vUXnYKIiSRHX
o3XTW/W8fh72o26zeDbQcALywQMZqnwtrZluzKHZxF07whKmXvw9pUHXX6hbJDvm
GVMxnB/F6grPNi/V+Bv75sKOdImgnJBUp1Jz7288SPbNQwrqFKV2ZD3f0PFmolFj
Cz/Oc+UUk+swfnsT3pV6LClTThsOH8WlKJYxZLneX75HuVx4CmT+qv6GlFQuixjc
H0LtsbbSjAx7J2LRNVtfI+2DfMcIi8KJxe69MAKGqqxDyDPSWeFrs0MHmyD6/6m+
GTovgUT5jOZbR6GVKelW054bmby0zQevWnRieANVeFoFsnwclJnqKIRzQiGod1p1
b8HhSCw4nOeOQSifaOf3zcnFhYyByDMOtl3/AqGoLp/61u3Bk9h+BP4VPR3RUWzc
ggjmxJM0MrLzjaSXSedjzuQQAIq9g35FGpnaB8d/EjufED1TVSOkvNK/qJ+dD4Xz
f5RvnbprofMnzfEyy8jJ1Vqc3QZQU3IDQt/Un2ZywX0OboKGAIn/gyfwdkpnxJ0j
JoxRBuMplNpfNBw+oe0nFuozO9idFozKM+SWoE051/jvGHp1FqEPLnAAGeSbWB0L
RlAsnMjc5u6+SKHeFGRKYg7U0sO7ZKbVIT4ZmRnsQLDakHwbAgfcIakh9Whj0Ou5
r78Cs+DcM3XAdtZ04d81jV5TsveR8/Cn473c6dvPIfnA2P4uClTCaCDv+jXG2f9a
FIuJhYCO+TdYs7qjAsXWngJUebRFiHbfSuYDw92/eqLdKD1Hoff4MnW5YOtDpp6E
sdCDuINeRtUtnidw2vIPezX+xdmycXIq9Fb+GvKrIDsKu0VO8HObVviLa/RE11ds
EHYlrarj4mqzS2MhvmU79Bazg9rDDB4WVs502n3uJaf6Sod/+ke1c3ff7AUPox2n
pjH/bVmkZJsOq5EqcvlH3m2FZUHSFWS/yTR1rPuJoHBMHVc4OPlTuSqT3qmKL2vb
vD1l3D4zHZs1paRLddYXiaex4qPU/0YpP61XU070MmFGYE8Z43TbMPHu/6LYBpw9
p5Vj3VZwn2edNl4LGx+05hIABzM23I7JoQ44uPoTbohmYXF/DUGJ6h2LYdp81AVC
lSFWuQINBE97JQcBEACpbBqvDl8J65jEhPjOWczcDVB+WfG7GBHB7T6RxSNFIahy
mDqzx73zZD6n4NnZogPDPopYdRJ56u5AfF0bDZlgebl8+VEgPHGoay74Gf6k0B+c
pEkp5PaWQHHEqXINotVg29hTsf1u0sb+yjgcc+9WHw3MtpChsgk8Rc5N8Xvr1FJc
L+xynSvUCcLIwfgvLHYPPBYGIRpvz4ek/zgHvaGftDfnyMwrMbgi8kadrSb7PQgc
eWeTL7CQN1B88TPJFqKt/QxMdXaPy+Cr3P4XVy5V3/QEVFUizrtCCqJgxHMAeCP5
QxwYEWmA2zxUzGA/t/QUDFbccKt2BdpdKBFtHLliE+yn9FHw98JayjhAJxxeCkrp
MED9N2aGHI1q44sbmeLKQ8EuIbCamfq7fqLXgkEy8jgivv2J9YfXejjjEobGLkss
Jlxaq9JeQgFEVl6f0jJ0PgkYPd11RxTcVLy4RB417cxc9LHcoKdAtcgBTcZXPPYO
L+eM9S7rTvFTna9IdF4bbnJFNjHDMhb/9XomxxBsekpTUXEm2DGoTpO2W/jwWcZY
LVrdhikkkF8b88EdWk94fUTcFA90I+Ch0YbS8XGM/WIklrMGa0JpA4OQW5oMhKDn
gqAcV7gxRYt6ylBPVh94/AIMz++wmfqBxETFP8HMgTVEApLBLjwru9B/4lRStwAR
AQABiQIfBBgBAgAJBQJPeyUHAhsMAAoJEGOorUuYLENzegsQAL6NuhGuzQf2GELc
O5J8/BW2yF9sxHWDLrw0Pntq8D35kgGfZLB52tN3DI4NwL0vE931bXC7ovi4kHPS
sazv+WPUckYfJ7qskWVD1yDtHsADduwudJpAflfZ4VIvMJqJ7FUw5Fy9ennw/Idp
H7LC+ubn6XT6Kh9oKvVmp+BQEOsdisjVw848Thik+gS08WvAjK9m+g7++FFwKy08
5iXuuqZpvi94eU1QPvzxzzRZz6M4gQaz+pCq/5yf6I+Hu8G+5nq2foFN+G7FRkx7
KJmJ3SAEsG3M23V9MKWON49ZbhTe5xW+1at/TKKoNGzNIYs07jApR2/E4J57yMWj
zsAqg77hTDRiV0jhHl0DJw3RHFi3z+SrK+6ie6mrq8WEPj62q9qdM8dFs+y5X3UT
x0nxly7GjOxxhi+Nt83PAG2wVFpqmhVLuyPnruvxzyrVFc8Dvx46DiKCzt4PPK/Y
+jnVIQ7Jr2Jm2ZCpzZZT5QNJuDp46mKHlNBkvSy3q3+pM6cM8vKSuCFd9+dw3dX/
GptLebMrPOvLVDl4Bm9hSmG7rLpJy8U8Ns8pYSS1zaxHM8KqMaPuS/Zlx1SRIj/E
afefnHd5fIlmsH9C2O5fb18SFjmD14FCLcVTG7bwh3ZfbGo9sOJSShPxppPW2OoT
jwfANmj1cSg/VFr1d4HAEc83jFgumQINBGNZjyYBEACk7biPgvCVldNWq1CwVoJa
/Fvc4T49tqxcc/sY4uVlGo6oSi4fQcXE9XKPPBuRLmvpmMWvODQLzPxJMWUfJq6L
yYFmX2U9VRTcyITdmJs8itkEaDwq8BtXkeQfUDAVSFy6V6/uvVmNWD7pGXqJE1Gx
uV44Ihlh6v2YyqSzDG/rZur771hke8VZmlKMVMs1RSeOBA3nUmvZQ58+uqkhJNYq
OeQhxGIxDOHo7QhzTG+SlX+uQq6mzACKygVJJl33toaUwVAX5R02a0u67A5wC0wh
AoLSHInc3P7ayivWV/iESAz+gMIkuvJWns/Ak14J7MTGgjD6rle7PNMsPDCCwQSc
qA8F0x4OChCixbZGZn6Mr0u8+01VCEe2IjJwVUfFI/G4n1FZ1RAdqjkHfZJeD20L
GHSbjJLcnqLLFx3LDpI5dAxo5K2kFvz0VowrB58aHoofW8/g8yZygGQ4Zpw4JnpU
maPnMTiD5yvnFzEihM5L9DuaWqSK3sb9qzoaXABYRYI7OmX4B5nmMzFteHHq0tMt
aKWf0HkAsCP0BLJcS9Oc1/0I0+gC4oKLRD8a4+kaEpNr6BXvWnj7Y1h0Zr/CZS6+
gi34CxWMl2Q34OSqtS37mzzBu+UZxffPR0aV2RXcEpc0c5HW550Thq1NF9EmFOoy
eG4J2ox9JRANZXLh/i7mNwARAQABtCVQZXRyIExhdXRyYmFjaCA8bGF1dHJiYWNo
QHJlZGhhdC5jb20+iQJXBBMBCABBFiEEuGgoR3ZN9g31LZksvDkF8jUXnPEFAmNZ
jyYCGwMFCQPCZwAFCwkIBwICIgIGFQoJCAsCBBYCAwECHgcCF4AACgkQvDkF8jUX
nPGeAA//ScQ3kJMqI6FRULXo0aF7CpafPXVWdvj+mfQMlZzuGwXXTmM42T0DXnXR
BSjstWkmOXP/UqkN7bNeXH/S3D3GCJ2l0qx8Qp6fP0FloJIbemyxNtzl7yvAE7kW
vuBuLvUdm23cntv49gAzj+ElDqCxtT6A6qaqM6r7DLUvw+G+r6gkeu1hNQbtRpEK
9Dt8tHriQyI410qFRMbi3QxU+iTJ79HXwrXiYpX7V7T+ugiU9lgIiC/hWJCo6SY4
knt9E6zhegUWN6zErl2HY8FBM2P9eHOTqToEOAhKeM1fXZvxe3m49fGq/spmRM1R
UUl1V9WFEaMiLg/Z2rmbD8LX9YtfYlQCbEwyX2nkIP1QIcr/DEfcmCA2MXCQCgsq
I/2XS3BTLPyjuqAYnXxrk+T/Cydcg4W3ZBYI/wT56GH02TQzB/wJsn0cW6EMG46V
SDY/mZ2/gwi54G/Pqb2R3ZC9I7wQ6/FFxuu8myI/QVmEiTlvTxBoyOdNlliBQxCk
Dczs1rxd/o8Wfjo1vwRHW84jZrCP3xr7xPJWuzsrmPU8kFHTgepGoY+4b/h3jGwl
V103RpRUK4JidwHsmYDVk6pgeUH69hf0iVcbFfKiViFTR+DwjbAOxTdsFgsYYn+7
hBj2l+pV/uzeA0akL2dkgfJc9pAf6ItRUnGC+RlntZ0Pf2NbwIS5Ag0EY1mPJgEQ
AMRQDbNHBQ376nDF8miBZOAV1txpmbHc5D/X63PNapP0P1/I7SfcJU9D3wX8c4vm
xkjEYtH23s4lmT1VLsU7PisS3MacRemm9pL2bD53hs9XQEuU9OtJsZn1ZJ+Ynh6i
5sfW1bG3OiV/TWgYXW66GwE1hn9PuP8arodUmhEft+64G2u8Xtxr5yqlQJEUThV6
280OJrxVbduaMi5C6UNeeGE5wuhfrQ0TNYZiwQ4KYbU3QhlWhHVjJlJ5hCLiktwF
DyR24P+wlTIziWA407mo2enQT+mz3bO7Paf4mBionGsJMoADqBThf4B69BxjJ7Yg
7oQVIZ7560YIRRmNo4tk5Mhep11OtQgZjZJR6MhWDaUO17w1qScrOPRj6G1IXP1R
5NarydJpLyAVb/5WFZ5jxUGMGtq3mYn4nKbbHUg2WzvCJvPctDE6EV2vaiRy5N1f
QjsHgSa29F2feh14p4ngFCmHjpdbcdjfv6rWL8tgkSpQlDdeHRRd1q03TKAg/byP
auAHKzvV+iWlmw1f6KBWjeTn0fofmk9eeQ+P1j0a3/XTxMOjB34SzqPRWzmLPLF6
YmujBK2gymM+JLirJFFzao1i4lgmxqkDhQoNYHXmVYEd7w+/qUYbfKwO9eJOWzuU
WajxvJ1Vgv6z4CPy9if0gwfhrx0OOcIpBE/xZU+SwQQpABEBAAGJAjwEGAEIACYW
IQS4aChHdk32DfUtmSy8OQXyNRec8QUCY1mPJgIbDAUJA8JnAAAKCRC8OQXyNRec
8a+qD/4whGQ9J+td1iLFMpNRAqvuGtTnM6shZJNnC5CB56Cu7ElIpr74sk0R98Ia
1pJlBcLALbYSrqwluZaLiRVDPdub6tGSRVssqQdZcKThz33waTru9IfLhCrRSNd0
ZMHJaOG1ErU0noWw2d4ifVJK+vvuvMeEyNm4H5pZOYzYeikqVUYzS143cSzMEwtv
PSdP5JkTQi4WNF09khH1D+QpJoXEgVEQla7Sr955Zdt3q5OlpYxxw+X62vslZ2OM
iKZ14kWVSRbVQ+WdnjtRYS4vivB6ko9QL770jZ131hKhC/BcWpEYSjfPpVua2oKb
ccKHXheIFEJ06kGkMeeoQPxmzPRBYIw/E+d5sZp7YXDyBGOAxBeiOaOnZ8vLBzy7
2HFng3oB3hkVGTTHq+PsHdSSaRME3QrNpDsaGeSjw62FG3I4zK985GtrXAHEzN/F
fd17srl4mcRQ+8QM/a+XbF/8ugjE/RHhhFf8sWVAPutYzVE8lF+uqcduPuq/rTcU
BuzSVjnSRfXWqCokjh+ypUpHNUO8fZDzkTLuE5rwMG1xpPueDBTzvoGDQRqc2eoX
pJnDBmdlz83zHsoR2gIHcdqyc/hCV+fTvR8E0v9ZG3Jr6RFgWdD008PsGxUevIDg
MAYFwasZSTofEnzg49/WeIFU1rGB5HZVlmOJKZnKRuBiTakEP7kCDQRjWY9xARAA
rEkjlUH4hoSQAkVJCWWk+nF+daAP5IszrGEQH7TyOVwXbRZndSPFSUqKU2kEgHbM
m+wFYoZe95h9tjDh2sLCs338pVu5Chhz3dNseTF7/rbckw2rCU+JbalEiwck7tKL
qobvbh77jnrbQnkrZNc+nMeHHLrYyc5gHW6cSn4UlU42MKmTlSeOG4Ly9wXhgaKC
heIXNX3U/D682Tffl7Gopcm7pPZF92dwY4nIpCxU2ATimkSyulbhzk2CjZ1JYUJ1
LHctMHm9F0LEGtc1GxDShzVZP8dOWpDs9BBwZDLXxCzC4rvZ+z5BJCDFbuNTKZQ5
JEoW2sM8yP1LLZGXz44hsab1aPrvB3vcdS5ETP6bqT5267ZiotdhUifU/pTV5ze4
7wNuaZenQtGd9olyh2dAqOk2DQrcBQFA0gRp55b4U62hLTYXxT+7jEbSVAxeXDPR
qPvqh/4kVn86llYjV6dAoASN1wWz423QH3u4ZK+S6g8HZ0HrY2+NBYgqthb6H/X6
FiF5VcHWstkk967g4Xt0PgN/rlCtpXh4WK9sScX/CFdOURsHlb78ZN2LexaYaVBq
QuqvfHaAPJaIElXqMheZ8aYrO6Df4yzJ+6eTs3s4PqM6EMir5waFonx5Gh50X4xL
9p7IVqgNPhQsU8Z5U5hGYbmUH766GtENv4CI1upFA1cAEQEAAYkCPAQYAQgAJhYh
BLhoKEd2TfYN9S2ZLLw5BfI1F5zxBQJjWY9xAhsgBQkDwmcAAAoJELw5BfI1F5zx
4cMP+wbjKu2xCr63oyn+lo7NqMDLBYl4zHunYTZhG/egDakVWp5Ikj5/k3i+hVSY
fUyUhqQ/b/H096ropB7GA6EzS44GS+hLMdQOJOmEbjvAP/9dJDX2FQnYZzaA2f/e
Ikgaw283oOLnmYz0x7YAW/oxlnPn+7Sg7DGGqqn3nKofDUUrowfX0tQGwkGmJJqQ
gOH/ZfU4t51UCKzF6hWRbberBI8ezp24vYngA2kGef1fCUC+EIFhoYcdHHCtC1Ti
KmOUaeB9ZMiVXkP60fmCLKObwcKTyYpAFPqM05xgsMPFaXN+fQ7YVAGpCdthk53N
5Go+QqehwLoJk77CHZxIWJIf43p3UiuH1FsuXF7OdExzIhUSiUum6MoCI8BpVwn9
uSKfXKLOdGDR6IJI8jqdC9LYoXqxZtDhpcqD70hFWJwJzZg+U2SvxZyhOqwtKXtD
TDtee3yGzPacSAJD7mFURc/DRi62UBMiFcqO1YW/5LgC4yjtzo7MTQPkaGbQLduH
IlCKa8pHWPqaLFdMawwqNrTNHWXCD4XxijJYwdAue3NUG/utekNm82mqnbbWw/AX
URIzefQsbyqiNYMztudJ9hAS8yCdkfb9SKVIvWYPQ77tHltOZF7K/NzOGeJaJr8l
vqZCfXpWmOduTpWaD2kIvU2Kx7gB4jXdMa2ai9N+/Hdr3lLouQINBGNZj8YBEADg
Y6HOawiThxQVI+0uvAAU9yisew1SSVO6mAsQtZM7s7BpLA3RGPj3UGojZIeejA+k
fq7A+PVLBhz/kSBTtw9/s3o4rlqNzz7SLaix6XKWCpHOBs84n3/LF6u9KMMVk9vT
sjKz8iDF9mBR2bmCfLvEk0HDiMyApv5SbOsZMB8k5PWyK8HYPyMI5umEaOsaC3tA
eihO3nzAxEf3oZl53J1pIw+ecdrQLbWbH0aqKngfCddD8Q0oMr/Iwly3W49+5eqJ
oelR9/dut/dg0a3Nn1wIGYRzC62CCsF5IZwKdyPh7nilEUFpA5Vlz+HfIFch2LfR
F3Q/GZD8fKzKxhjDIdgyaWSTsMbityKxX2G/pcjshyMsZT7I3Hx7SwQfFro58s2D
FsFLEZgBhJv+nW/HckeedaveXmXdHKjtsa8+rvGADti4wohOl+N5tbpYW3/zR3AY
qlh47hG0ikUJ8Tusnu865j3Z5mE+KqS68ypRVBMRrdJl2lGPDCnXGhl2720VPNMC
/jB2Mgm/L1mvQM1jPfdC3KgokDAH5NMzKvav6A71aLSUJli3UdkGHkX5d5urs3k3
WmCt7XeTb30MBvNzBcSYTbw2UGIRE8G0CFc3wtiWWiQKPeFXYhn0+COCoW/EXpIC
VaAuMPMgcsldM13bKGyGo3NngsNEdopNFfr0KKW5XwARAQABiQRyBBgBCAAmFiEE
uGgoR3ZN9g31LZksvDkF8jUXnPEFAmNZj8YCGwIFCQPCZwACQAkQvDkF8jUXnPHB
dCAEGQEIAB0WIQQb4sD/CJSWIxAv0lZGlYgcJUUI0QUCY1mPxgAKCRBGlYgcJUUI
0ZkHD/9TlRvAaZETf+pv4/IceeL3KHwj5lrC/gojXxN0AjhAXljLSRCu0EyICxZy
3158h4k0vwjdv8699yHEN97PdF84m81mqxOz+juKBRHFK/EwAAgOdSlzGnUYgNkm
mCROFWtjeneNWaFdEnq9MItx1OascPeyxnWMjq7LLYMSESP4tgUV5KdlaVAXR6q/
833u27/NodkDcNH2UK+IyT+Kt/uCOoIIL4ttxo/PvZTphzV8n6s0sJJE3/BrRxgv
CTkVU6zosyJsyau8/vayQYGPuBuEQVs4Tr+vZ42izbkHgElcZv9oYjJsxaqZqqMz
fWPte7m6Pl/pvtmlhPmpZ+ej7y8SRysBV+3aHNXaE1J3sIOmYxighlgZapSjHl/A
9N/KXdoLAjIZtBAOQ2ZFyRz/c2+VUqJgwiwdxoaFaYn2eUM+HSTbZfdGXBS/yyZL
YsM+L4M2aizQvDIRXzy8vG0vpHQEvPlXL0Gg0gyk0fox0OsAP5CfXmHC/AvYOHM8
y81X2QqDf33Au1RIgog4cLqq2wpXEARWbAj0BAMIeJoCDCu9Mz2juK1ui2wr8AZ0
42PCUgZK6CdUI18AsvApUhPsNunF7ZOc5mFMuaEGjjWJvrTG3qyrCY73ySBiGXWo
92ZB7FXu2MzgujPBEigByqeF6IV2x0EBHw/VrcxXq6Slgmik6G0SD/48l5mGCxM0
Wr91raB9zQlwDbtD3PCbjA6DtkMrRyAq+81g75N6uiztGPCVw9n1HoGOSjN1hAhe
SgQQlcXbDLpzfdPFowDEHclFFfUODCIOuF+FgmxlAz5Exr9JkJdozBFqRZ4iF/tf
E5sHB0rzeUcY3J6VjTsjULjE4GSg5trsOc8GHUnFn9wwwkf9nR/Mr1RYcX0GkTcy
iUskw+AoRz6svOfAWIDJY450wgD0MHZK08IfUUsYTGecoXcvWf/hITtv/Af5MpQA
wuGEDltVDeu9EAu65SZlMkkMuQD1h3KOQjUJ6nY4a4M2CQ51ggs/c+vsemxsuYlG
vSuhrfXt6HGD3dhsOEeyEvIcjjpP1Ku5mqrPhqXFli1swfohhYGGVO+fM7G3l7wF
kAIi0B1szn0K13qRqBIwjnWL+orP1KLzvczCH6yD0FZY90CDdMtM0VB6AqT4BFh6
5+ygjA4YiA7fFYBm8510ybUcNfzU3gUIJ5pF8MdGizO54tCPSK6U+iVRY4qfCFdu
IiOZ7FUUn78VIxQUMYMrozy7kn/0PQZa7KKRbXJ8sg0sgrQapwpgUjdMwuYZPGGv
1Jw5/+WUGWMbGxmlpHcEOmsPZpITH557M/kHyk9Ud0iKwciBI2mGLxiafCuLrUY4
TknzOqbZgjdllcUG4cDBEQuBO/GSj1LUfg==
=I8Dr
-----END PGP PUBLIC KEY BLOCK-----

@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEG+LA/wiUliMQL9JWRpWIHCVFCNEFAmZ9iuEACgkQRpWIHCVF
CNER6A/9Fh2zHvfY0E11VufqyTKuW/XAyUVzVVZQT4RP4Xq324k+FIQC5tepFppI
xfoHL0XyklceHxnNGQfq+LqXi25HKG/+8ozvX5gqB7liGgnxWg30oFRGBHHuzF6b
aHLUNPVvWrgeLPOhSmbPmm29zlbIT+2Fpam8jhNfKe7ISqFQFE7JTh7KIwSmmreq
IniEh0DUChZ/3jlxwWTg3XfVBCWuE11845Jmz09EZyE3vNCvsBCZIgojkpAsi73B
CS9Ia1KQFxap0cmMkvwYEQyHmF0KjUecUINb4gqHstJaXua17yqbU8EqOFrUo6C6
GJ262L+jflnDCx9XKbeMJ8sFzFLsqCnDZwoWBPlYoi2+661D8cI64eBHz+9SAEz4
LikVBhXYVq8iuKiXgNo5s090F4yk1LHDIKufD26jAngiXXX59SrLhjvMHp+bJ4T/
tC/wRkDOh/UAwfPSXGGu5fR2JlCeXxRgo+125xAQF92dlCwelN5IST0I5Y3i7Asx
WiK+ocN0LFKDqv7JN+2B5PKsZBSmkxfGrjFxEm0JFPwA1Qlv1+MXCBrRxcr+BXxK
lv9NsWv7NFSrAv/cLNEB/7OrbV41K9l/bp71RK+VqhM94SKbUtm4thoYqlZS36nW
rtHqpVao4pv5Ab9QLGhCfZWqL97qmCnu/MseYWSTRKxSSduld5o=
=AOSm
-----END PGP SIGNATURE-----

@ -1,4 +1,4 @@
#!/bin/bash
#!/bin/sh
# This systemd.generator(7) detects if SELinux is running and if the
# user requested an autorelabel, and if so sets the default target to

@ -1,12 +1,7 @@
## START: Set by rpmautospec
## (rpmautospec version 0.6.5)
## RPMAUTOSPEC: autochangelog
## END: Set by rpmautospec
%global libauditver 3.0
%global libsepolver 3.7-1
%global libsemanagever 3.7-1
%global libselinuxver 3.7-1
%global libsepolver 3.5-1
%global libsemanagever 3.5-1
%global libselinuxver 3.5-1
%global generatorsdir %{_prefix}/lib/systemd/system-generators
@ -15,13 +10,11 @@
Summary: SELinux policy core utilities
Name: policycoreutils
Version: 3.7
Version: 3.5
Release: 3%{?dist}
License: GPL-2.0-or-later
# https://github.com/SELinuxProject/selinux/wiki/Releases
Source0: https://github.com/SELinuxProject/selinux/releases/download/3.7/selinux-3.7.tar.gz
Source1: https://github.com/SELinuxProject/selinux/releases/download/3.7/selinux-3.7.tar.gz.asc
Source2: https://github.com/bachradsusi.gpg
Source0: https://github.com/SELinuxProject/selinux/releases/download/3.5/selinux-3.5.tar.gz
URL: https://github.com/SELinuxProject/selinux
Source13: system-config-selinux.png
Source14: sepolicy-icons.tgz
@ -40,17 +33,31 @@ Source22: selinux-gui.zip
# wlc --key <apikey> --url https://translate.fedoraproject.org/api/ download selinux/sandbox --output ./
Source23: selinux-sandbox.zip
# https://github.com/fedora-selinux/selinux
# $ git format-patch -N 3.7 -- policycoreutils python gui sandbox dbus semodule-utils restorecond
# $ git format-patch -N 3.5 -- policycoreutils python gui sandbox dbus semodule-utils restorecond
# $ for j in [0-9]*.patch; do printf "Patch%s: %s\n" ${j/-*/} $j; done
# Patch list start
Patch0001: 0001-Don-t-be-verbose-if-you-are-not-on-a-tty.patch
Patch0002: 0002-sepolicy-generate-Handle-more-reserved-port-types.patch
Patch0003: 0003-sandbox-Use-matchbox-window-manager-instead-of-openb.patch
Patch0004: 0004-Use-SHA-2-instead-of-SHA-1.patch
Patch0005: 0005-python-sepolicy-Fix-spec-file-dependencies.patch
Patch0006: 0006-sepolgen-ifgen-allow-M4-escaped-filenames.patch
Patch0001: 0001-sandbox-add-reset-to-Xephyr-as-it-works-better-with-.patch
Patch0002: 0002-Fix-STANDARD_FILE_CONTEXT-section-in-man-pages.patch
Patch0003: 0003-If-there-is-no-executable-we-don-t-want-to-print-a-p.patch
Patch0004: 0004-Don-t-be-verbose-if-you-are-not-on-a-tty.patch
Patch0005: 0005-sepolicy-generate-Handle-more-reserved-port-types.patch
Patch0006: 0006-sandbox-Use-matchbox-window-manager-instead-of-openb.patch
Patch0007: 0007-Use-SHA-2-instead-of-SHA-1.patch
Patch0008: 0008-sepolicy-Drop-old-interface-file_type_is_executable-.patch
Patch0009: 0009-python-chcat-Improve-man-pages.patch
Patch0010: 0010-python-audit2allow-Add-missing-options-to-man-page.patch
Patch0011: 0011-python-semanage-Improve-man-pages.patch
Patch0012: 0012-python-audit2allow-Remove-unused-debug-option.patch
Patch0013: 0013-policycoreutils-Add-examples-to-man-pages.patch
Patch0014: 0014-python-sepolicy-Improve-man-pages.patch
Patch0015: 0015-sandbox-Add-examples-to-man-pages.patch
Patch0016: 0016-python-sepolicy-Fix-template-for-confined-user-polic.patch
Patch0017: 0017-python-sepolicy-Fix-spec-file-dependencies.patch
Patch0018: 0018-python-improve-format-strings-for-proper-localizatio.patch
Patch0019: 0019-python-Drop-hard-formating-from-localized-strings.patch
Patch0020: 0020-semanage-Drop-unnecessary-import-from-seobject.patch
Patch0021: 0021-python-update-python.pot.patch
# Patch list end
Obsoletes: policycoreutils < 2.0.61-2
Conflicts: filesystem < 3, selinux-policy-base < 3.13.1-138
# initscripts < 9.66 shipped fedora-autorelabel services which are renamed to selinux-relabel
@ -60,11 +67,10 @@ Provides: /sbin/restorecon
BuildRequires: gcc make
BuildRequires: pam-devel libsepol-static >= %{libsepolver} libsemanage-devel >= %{libsemanagever} libselinux-devel >= %{libselinuxver} libcap-devel audit-libs-devel >= %{libauditver} gettext
BuildRequires: desktop-file-utils dbus-devel glib2-devel
BuildRequires: python3-devel python3-setuptools python3-wheel python3-pip
BuildRequires: desktop-file-utils dbus-devel dbus-glib-devel
BuildRequires: python3-devel python3-pip
BuildRequires: systemd
BuildRequires: git-core
BuildRequires: gnupg2
Requires: util-linux grep gawk diffutils rpm sed
Requires: libsepol >= %{libsepolver} coreutils libselinux-utils >= %{libselinuxver}
@ -85,27 +91,25 @@ load_policy to load policies, setfiles to label filesystems, newrole
to switch roles.
%prep -p /usr/bin/bash
%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'
%autosetup -p 1 -n selinux-%{version}
cp %{SOURCE13} gui/
tar -xvf %{SOURCE14} -C python/sepolicy/
# Temporary disabled since upstream updated translations in this release
# Since patches containing translation changes were too big, translations were moved to separate tarballs
# For more information see README.translations
# First remove old translation files
# rm -f policycoreutils/po/*.po python/po/*.po gui/po/*.po sandbox/po/*.po
# unzip %{SOURCE20}
# cp -r selinux/policycoreutils/po policycoreutils
# unzip %{SOURCE21}
# cp -r selinux/python/po python
# unzip %{SOURCE22}
# cp -r selinux/gui/po gui
# unzip %{SOURCE23}
# cp -r selinux/sandbox/po sandbox
%build
rm -f policycoreutils/po/*.po python/po/*.po gui/po/*.po sandbox/po/*.po
unzip %{SOURCE20}
cp -r selinux/policycoreutils/po policycoreutils
unzip %{SOURCE21}
cp -r selinux/python/po python
unzip %{SOURCE22}
cp -r selinux/gui/po gui
unzip %{SOURCE23}
cp -r selinux/sandbox/po sandbox
%Build
%set_build_flags
export PYTHON=%{__python3}
@ -145,9 +149,13 @@ chmod 0755 %{buildroot}%{_bindir}/newrole
# Systemd
rm -rf %{buildroot}/%{_sysconfdir}/rc.d/init.d/restorecond
rm -f %{buildroot}/usr/share/man/ru/man8/genhomedircon.8.gz
rm -f %{buildroot}/usr/share/man/ru/man8/open_init_pty.8*
rm -f %{buildroot}/usr/share/man/ru/man8/semodule_deps.8.gz
rm -f %{buildroot}/usr/share/man/man8/open_init_pty.8
rm -f %{buildroot}/usr/sbin/open_init_pty
rm -f %{buildroot}/usr/sbin/run_init
rm -f %{buildroot}/usr/share/man/ru/man8/run_init.8*
rm -f %{buildroot}/usr/share/man/man8/run_init.8*
rm -f %{buildroot}/etc/pam.d/run_init*
@ -183,10 +191,14 @@ an SELinux environment.
%{_bindir}/audit2allow
%{_bindir}/audit2why
%{_mandir}/man1/audit2allow.1*
%{_mandir}/ru/man1/audit2allow.1*
%{_mandir}/man1/audit2why.1*
%{_mandir}/ru/man1/audit2why.1*
%{_sysconfdir}/dbus-1/system.d/org.selinux.conf
%{_mandir}/man8/chcat.8*
%{_mandir}/ru/man8/chcat.8*
%{_mandir}/man8/semanage*.8*
%{_mandir}/ru/man8/semanage*.8*
%{_datadir}/bash-completion/completions/semanage
%package dbus
@ -246,13 +258,13 @@ by python 3 in an SELinux environment.
%{python3_sitelib}/sepolicy/network.py*
%{python3_sitelib}/sepolicy/transition.py*
%{python3_sitelib}/sepolicy/sedbus.py*
%{python3_sitelib}/sepolicy*.dist-info/
%{python3_sitelib}/sepolicy*.egg-info
%{python3_sitelib}/sepolicy/__pycache__
%package devel
Summary: SELinux policy core policy devel utilities
Requires: policycoreutils-python-utils = %{version}-%{release}
Requires: /usr/bin/make python3-dnf
Requires: /usr/bin/make dnf
Requires: (selinux-policy-devel if selinux-policy)
%description devel
@ -266,6 +278,7 @@ The policycoreutils-devel package contains the management tools use to develop p
/var/lib/sepolgen/perm_map
%{_bindir}/sepolicy
%{_mandir}/man8/sepolgen.8*
%{_mandir}/ru/man8/sepolgen.8*
%{_mandir}/man8/sepolicy-booleans.8*
%{_mandir}/man8/sepolicy-generate.8*
%{_mandir}/man8/sepolicy-interface.8*
@ -274,18 +287,15 @@ The policycoreutils-devel package contains the management tools use to develop p
%{_mandir}/man8/sepolicy-communicate.8*
%{_mandir}/man8/sepolicy-manpage.8*
%{_mandir}/man8/sepolicy-transition.8*
%{_mandir}/ru/man8/sepolicy*.8*
%{_usr}/share/bash-completion/completions/sepolicy
%package sandbox
Summary: SELinux sandbox utilities
Requires: python3-policycoreutils = %{version}-%{release}
%if 0%{?fedora} || 0%{?rhel} <= 9
Requires: xorg-x11-server-Xephyr >= 1.14.1-2
Requires: xmodmap
Requires: xorg-x11-server-Xephyr >= 1.14.1-2 /usr/bin/rsync /usr/bin/xmodmap
Requires: matchbox-window-manager
%endif
Requires: rsync
BuildRequires: libcap-ng-devel
%description sandbox
@ -298,9 +308,12 @@ sandboxes
%{_datadir}/sandbox/start
%caps(cap_setpcap,cap_setuid,cap_fowner,cap_dac_override,cap_sys_admin,cap_sys_nice=pe) %{_sbindir}/seunshare
%{_mandir}/man8/seunshare.8*
%{_mandir}/ru/man8/seunshare.8*
%{_bindir}/sandbox
%{_mandir}/man5/sandbox.5*
%{_mandir}/ru/man5/sandbox.5*
%{_mandir}/man8/sandbox.8*
%{_mandir}/ru/man8/sandbox.8*
%package newrole
Summary: The newrole application for RBAC/MLS
@ -313,6 +326,7 @@ or level of a logged in user.
%files newrole
%attr(0755,root,root) %caps(cap_dac_read_search,cap_setpcap,cap_audit_write,cap_sys_admin,cap_fowner,cap_chown,cap_dac_override=pe) %{_bindir}/newrole
%{_mandir}/man1/newrole.1.gz
%{_mandir}/ru/man1/newrole.1.gz
%config(noreplace) %{_sysconfdir}/pam.d/newrole
%package gui
@ -347,8 +361,11 @@ system-config-selinux is a utility for managing the SELinux environment
%{_datadir}/icons/hicolor/*/apps/sepolicy.png
%{_datadir}/pixmaps/sepolicy.png
%{_mandir}/man8/system-config-selinux.8*
%{_mandir}/ru/man8/system-config-selinux.8*
%{_mandir}/man8/selinux-polgengui.8*
%{_mandir}/ru/man8/selinux-polgengui.8*
%{_mandir}/man8/sepolicy-gui.8*
%{_mandir}/ru/man8/sepolicy-gui.8*
%files -f %{name}.lang
%{_sbindir}/restorecon
@ -375,21 +392,37 @@ system-config-selinux is a utility for managing the SELinux environment
%{generatorsdir}/selinux-autorelabel-generator.sh
%config(noreplace) %{_sysconfdir}/sestatus.conf
%{_mandir}/man5/selinux_config.5.gz
%{_mandir}/ru/man5/selinux_config.5.gz
%{_mandir}/man5/sestatus.conf.5.gz
%{_mandir}/ru/man5/sestatus.conf.5.gz
%{_mandir}/man8/fixfiles.8*
%{_mandir}/ru/man8/fixfiles.8*
%{_mandir}/man8/load_policy.8*
%{_mandir}/ru/man8/load_policy.8*
%{_mandir}/man8/restorecon.8*
%{_mandir}/ru/man8/restorecon.8*
%{_mandir}/man8/restorecon_xattr.8*
%{_mandir}/ru/man8/restorecon_xattr.8*
%{_mandir}/man8/semodule.8*
%{_mandir}/ru/man8/semodule.8*
%{_mandir}/man8/sestatus.8*
%{_mandir}/ru/man8/sestatus.8*
%{_mandir}/man8/setfiles.8*
%{_mandir}/ru/man8/setfiles.8*
%{_mandir}/man8/setsebool.8*
%{_mandir}/ru/man8/setsebool.8*
%{_mandir}/man1/secon.1*
%{_mandir}/ru/man1/secon.1*
%{_mandir}/man8/genhomedircon.8*
%{_mandir}/ru/man8/genhomedircon.8*
%{_mandir}/man8/semodule_expand.8*
%{_mandir}/ru/man8/semodule_expand.8*
%{_mandir}/man8/semodule_link.8*
%{_mandir}/ru/man8/semodule_link.8*
%{_mandir}/man8/semodule_unpackage.8*
%{_mandir}/ru/man8/semodule_unpackage.8*
%{_mandir}/man8/semodule_package.8*
%{_mandir}/ru/man8/semodule_package.8*
%dir %{_datadir}/bash-completion
%{_datadir}/bash-completion/completions/setsebool
%{!?_licensedir:%global license %%doc}
@ -412,6 +445,7 @@ The policycoreutils-restorecond package contains the restorecond service.
%{_sysconfdir}/xdg/autostart/restorecond.desktop
%{_datadir}/dbus-1/services/org.selinux.Restorecond.service
%{_mandir}/man8/restorecond.8*
%{_mandir}/ru/man8/restorecond.8*
%{!?_licensedir:%global license %%doc}
%license policycoreutils/LICENSE
@ -432,68 +466,18 @@ The policycoreutils-restorecond package contains the restorecond service.
%systemd_postun_with_restart restorecond.service
%changelog
## START: Generated by rpmautospec
* Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 3.7-5
- Bump release for October 2024 mass rebuild:
* Tue Aug 20 2024 Petr Lautrbach <lautrbach@redhat.com> - 3.7-2
- sepolgen-ifgen: allow M4 escaped filenames
* Thu Jun 27 2024 Petr Lautrbach <lautrbach@redhat.com> - 3.7-1
- SELinux userspace 3.7 release
* Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 3.6-5
- Bump release for June 2024 mass rebuild
* Thu May 09 2024 Petr Lautrbach <lautrbach@redhat.com> - 3.6-4
- Add Wayland support
* Thu Jan 25 2024 Fedora Release Engineering <releng@fedoraproject.org> - 3.6-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Sun Jan 21 2024 Fedora Release Engineering <releng@fedoraproject.org> - 3.6-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Thu Dec 14 2023 Petr Lautrbach <lautrbach@redhat.com> - 3.6-1
- SELinux userspace 3.6 release
* Thu Nov 23 2023 Petr Lautrbach <lautrbach@redhat.com> - 3.6-0.rc2.1
- SELinux userspace 3.6-rc2 release
* Tue Nov 14 2023 Petr Lautrbach <lautrbach@redhat.com> - 3.6-0.rc1.1
- SELinux userspace 3.6-rc1 release
* Mon Oct 30 2023 Petr Lautrbach <lautrbach@redhat.com> - 3.5-8
* Mon Oct 30 2023 Petr Lautrbach <lautrbach@redhat.com> - 3.5-3
- Update translations
https://translate.fedoraproject.org/projects/selinux/
* Tue Aug 1 2023 Petr Lautrbach <lautrbach@redhat.com> - 3.5-7
- python: improve format strings for proper localization
- python: Drop hard formating from localized strings
- sepolicy: port to dnf4 python API (rhbz#2209404)
* Fri Jul 21 2023 Fedora Release Engineering <releng@fedoraproject.org> - 3.5-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
* Wed Jun 21 2023 Vit Mojzis <vmojzis@redhat.com> - 3.5-5
- python/sepolicy: Fix spec file dependencies
- python/sepolicy: Fix template for confined user policy modules
- Improve man pages and add examples
* Tue Jun 13 2023 Python Maint <python-maint@redhat.com> - 3.5-4
- Rebuilt for Python 3.12
* Fri May 26 2023 Miro Hrončok <mhroncok@redhat.com> - 3.5-3
- Fix build with pip 23.1.2+
- Fixes: rhbz#2209016
* Wed May 10 2023 Tomas Popela <tpopela@redhat.com> - 3.5-2
- Drop unused BR on dbus-glib and explicitly BR glib2
* Tue Jun 27 2023 Petr Lautrbach <lautrbach@redhat.com> - 3.5-2
- Improve man pages (RHEL-672)
- Unwrap strings - remove hard returns and initial white spaces from strings (RHEL-606)
* Fri Feb 24 2023 Petr Lautrbach <lautrbach@redhat.com> - 3.5-1
* Thu Feb 23 2023 Petr Lautrbach <lautrbach@redhat.com> - 3.5-1
- SELinux userspace 3.5 release
* Mon Feb 13 2023 Petr Lautrbach <lautrbach@redhat.com> - 3.5-0.rc3.1
* Tue Feb 14 2023 Petr Lautrbach <lautrbach@redhat.com> - 3.5-0.rc3.1.1
- SELinux userspace 3.5-rc3 release
* Wed Feb 8 2023 Petr Lautrbach <lautrbach@redhat.com> - 3.5-0.rc2.3
@ -502,62 +486,37 @@ The policycoreutils-restorecond package contains the restorecond service.
* Thu Jan 26 2023 Vit Mojzis <vmojzis@redhat.com> - 3.5-0.rc2.2
- python/sepolicy: Cache conditional rule queries
* Fri Jan 20 2023 Fedora Release Engineering <releng@fedoraproject.org> - 3.5-0.rc2.1.1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
* Mon Jan 16 2023 Petr Lautrbach <lautrbach@redhat.com> - 3.5-0.rc2.1
* Tue Jan 17 2023 Petr Lautrbach <lautrbach@redhat.com> - 3.5-0.rc2.1
- SELinux userspace 3.5-rc2 release
* Fri Dec 23 2022 Petr Lautrbach <lautrbach@redhat.com> - 3.5-0.rc1.1
* Mon Jan 2 2023 Petr Lautrbach <lautrbach@redhat.com> - 3.5-0.rc1.2
- SELinux userspace 3.5-rc1 release
* Mon Nov 21 2022 Petr Lautrbach <lautrbach@redhat.com> - 3.4-7.1
- Rebase on upstream f56a72ac9e86
- sepolicy: fix sepolicy manpage -w
- sandbox: add -R option to alternate XDG_RUNTIME_DIR
- Remove dependency on the Python module distutils
* Tue Sep 06 2022 Vit Mojzis <vmojzis@redhat.com> - 3.4-4
- Update translations (#2062630)
* Tue Aug 2 2022 Petr Lautrbach <plautrba@redhat.com> - 3.4-6
* Mon Aug 8 2022 Petr Lautrbach <plautrba@redhat.com> - 3.4-3
- Run autorelabel in parallel by default
https://fedoraproject.org/wiki/Changes/SELinux_Parallel_Autorelabel
* Mon Jul 25 2022 Petr Lautrbach <plautrba@redhat.com> - 3.4-5
* Mon Jul 18 2022 Petr Lautrbach <plautrba@redhat.com> - 3.4-2
- gettext: handle unsupported languages properly (#2100378)
- semodule: rename --rebuild-if-modules-changed to --refresh
- python: Split "semanage import" into two transactions (#2063353)
- selinux-autorelabel: Do not force reboot (#2093133)
* Fri Jul 22 2022 Fedora Release Engineering <releng@fedoraproject.org> - 3.4-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
* Mon Jun 13 2022 Python Maint <python-maint@redhat.com> - 3.4-3
- Rebuilt for Python 3.11
* Wed May 25 2022 Petr Lautrbach <plautrba@redhat.com> - 3.4-2
- rebuilt
* Thu May 19 2022 Petr Lautrbach <plautrba@redhat.com> - 3.4-1
- SELinux userspace 3.4 release
* Tue May 10 2022 Petr Lautrbach <plautrba@redhat.com> - 3.4-0.rc3.1
- SELinux userspace 3.4-rc3 release
* Thu Apr 21 2022 Petr Lautrbach <plautrba@redhat.com> - 3.4-0.rc.1
- SELinux userspace 3.4-rc2 release
* Wed Apr 13 2022 Petr Lautrbach <plautrba@redhat.com> - 3.4-0.rc.1
- SELinux userspace 3.4-rc1 release
* Tue Feb 15 2022 Petr Lautrbach <plautrba@redhat.com> - 3.3-4.2
- semodule: add command-line option to detect module changes
* Tue Feb 22 2022 Petr Lautrbach <plautrba@redhat.com> - 3.3-5
* Tue Feb 15 2022 Petr Lautrbach <plautrba@redhat.com> - 3.3-5
- Improve error message when selabel_open fails
* Sat Feb 19 2022 Petr Lautrbach <plautrba@redhat.com> - 3.3-4
- semodule: add command-line option to detect module changes
* Mon Feb 14 2022 Petr Lautrbach <plautrba@redhat.com> - 3.3-3
- fixfiles: Use parallel relabeling
* Fri Jan 21 2022 Fedora Release Engineering <releng@fedoraproject.org> - 3.3-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
* Mon Nov 29 2021 Petr Lautrbach <plautrba@redhat.com> - 3.3-2
- setfiles/restorecon: support parallel relabeling with -T <N> option
- semodule: add -m | --checksum option
@ -568,26 +527,34 @@ The policycoreutils-restorecond package contains the restorecond service.
* Mon Oct 11 2021 Petr Lautrbach <plautrba@redhat.com> - 3.3-0.rc3.1
- SELinux userspace 3.3-rc3 release
* Wed Sep 29 2021 Vit Mojzis <vmojzis@redhat.com> - 3.3-0.rc2.2
- Update translations (#2003127)
* Wed Sep 29 2021 Petr Lautrbach <plautrba@redhat.com> - 3.3-0.rc2.1
- SELinux userspace 3.3-rc2 release
* Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 3.2-7
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688
* Tue Aug 3 2021 Petr Lautrbach <plautrba@redhat.com> - 3.2-6
- Drop forgotten ru/ man pages from -restorecond
* Wed Jul 28 2021 Petr Lautrbach <plautrba@redhat.com> - 3.2-5
- Rebase on upstream commit 32611aea6543
* Fri Jul 23 2021 Fedora Release Engineering <releng@fedoraproject.org> - 3.2-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
* Fri Jul 30 2021 Petr Lautrbach <plautrba@redhat.com> - 3.2-5
- Use SHA-2 instead of SHA-1 (#1934964)
- Fix COPY_PASTE_ERROR (CWE-398)
* Thu Jun 03 2021 Python Maint <python-maint@redhat.com> - 3.2-3
- Rebuilt for Python 3.10
* Mon May 10 2021 Petr Lautrbach <plautrba@redhat.com> - 3.2-2
- Do not use Python slip
* Thu May 13 2021 Petr Lautrbach <plautrba@redhat.com> - 3.2-4
- policycoreutils-dbus requires polkit
- fixfiles: do not exclude /dev and /run in -C mode
- dbus: use GLib.MainLoop
* Fri Apr 23 2021 Petr Lautrbach <plautrba@redhat.com> - 3.2-3.1
- Do not use Python slip (#1949841)
* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 3.2-2
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
* Mon Mar 8 2021 Petr Lautrbach <plautrba@redhat.com> - 3.2-1
- SELinux userspace 3.2 release
@ -5617,5 +5584,3 @@ written to. fails on 64-bit archs
* Mon Jun 2 2003 Dan Walsh <dwalsh@redhat.com> 1.0-1
- Initial version
## END: Generated by rpmautospec

Loading…
Cancel
Save