import policycoreutils-2.9-10.el8

CentOS Sources 2021-01-27 16:09:16 +00:00 committed by Andrew Lukoshko
commit 05a3860c74
41 changed files with 12658 additions and 0 deletions

13
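--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1,13 @@
+SOURCES/gui-po.tgz
+SOURCES/policycoreutils-2.9.tar.gz
+SOURCES/policycoreutils-po.tgz
+SOURCES/python-po.tgz
+SOURCES/restorecond-2.9.tar.gz
+SOURCES/sandbox-po.tgz
+SOURCES/selinux-dbus-2.9.tar.gz
+SOURCES/selinux-gui-2.9.tar.gz
+SOURCES/selinux-python-2.9.tar.gz
+SOURCES/selinux-sandbox-2.9.tar.gz
+SOURCES/semodule-utils-2.9.tar.gz
+SOURCES/sepolicy-icons.tgz
+SOURCES/system-config-selinux.png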

13
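--- a/.policycoreutils.metadata
+++ b/.policycoreutils.metadata
@@ -0,0 +1,13 @@
+2acf5c696e1e60cf405b0cadcc090b79269f8812 SOURCES/gui-po.tgz
+6e64d9a38fb516738023eb429eef29af5383f443 SOURCES/policycoreutils-2.9.tar.gz
+af5375db35a33f9daf4b06e61566c92d0d4f6792 SOURCES/policycoreutils-po.tgz
+aac18d02363be7c03fad4ed35f5367f9ca0e397f SOURCES/python-po.tgz
+0a34ef54394972870203832c8ce52d4405bd5330 SOURCES/restorecond-2.9.tar.gz
+76d7357f34e062dce330d2a97031b1b64dea775f SOURCES/sandbox-po.tgz
+8645509cdfc433278c2e4d29ee8f511625c7edcc SOURCES/selinux-dbus-2.9.tar.gz
+5c155ae47692389d9fabaa154195e7f978f2a3f0 SOURCES/selinux-gui-2.9.tar.gz
+660e1ab824ef80f7a69f0b70f61e231957fd398e SOURCES/selinux-python-2.9.tar.gz
+0e208cad193021ad17a445b76b72af3fef8db999 SOURCES/selinux-sandbox-2.9.tar.gz
+a4414223e60bb664ada4824e54f8d36ab208d599 SOURCES/semodule-utils-2.9.tar.gz
+d849fa76cc3ef4a26047d8a69fef3a55d2f3097f SOURCES/sepolicy-icons.tgz
+611a5d497efaddd45ec0dcc3e9b2e5b0f81ebc41 SOURCES/system-config-selinux.png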
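Review bot: The thirteen source archives in .policycoreutils.metadata are pinned only by 40-hex-digit digests, which by their length look like SHA-1. SHA-1 no longer gives collision resistance, so on its own this pin is a weak integrity guarantee for tarballs fetched from a lookaside store. If the import tooling accepts a stronger digest, recording SHA-256 or SHA-512 here would tighten it; otherwise the archives should also be checked against upstream's published checksums or signatures at build time. Nothing on this page shows whether such a second check exists.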


@ -0,0 +1,43 @@
From c778509dd0ed3b184d720032f31971f975e42973 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Tue, 5 Mar 2019 17:38:55 +0100
Subject: [PATCH] gui: Install polgengui.py to /usr/bin/selinux-polgengui
polgengui.py is a standalone gui tool which should be in /usr/bin with other
tools.
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
---
gui/Makefile | 2 +-
gui/modulesPage.py | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/gui/Makefile b/gui/Makefile
index c2f982de..b2375fbf 100644
--- a/gui/Makefile
+++ b/gui/Makefile
@@ -31,7 +31,7 @@ install: all
-mkdir -p $(DESTDIR)$(DATADIR)/polkit-1/actions/
install -m 755 system-config-selinux.py $(DESTDIR)$(SHAREDIR)
install -m 755 system-config-selinux $(DESTDIR)$(BINDIR)
- install -m 755 polgengui.py $(DESTDIR)$(SHAREDIR)
+ install -m 755 polgengui.py $(DESTDIR)$(BINDIR)/selinux-polgengui
install -m 644 $(TARGETS) $(DESTDIR)$(SHAREDIR)
install -m 644 system-config-selinux.8 $(DESTDIR)$(MANDIR)/man8
install -m 644 selinux-polgengui.8 $(DESTDIR)$(MANDIR)/man8
diff --git a/gui/modulesPage.py b/gui/modulesPage.py
index 34c5d9e3..cb856b2d 100644
--- a/gui/modulesPage.py
+++ b/gui/modulesPage.py
@@ -118,7 +118,7 @@ class modulesPage(semanagePage):
def new_module(self, args):
try:
- Popen(["/usr/share/system-config-selinux/polgengui.py"])
+ Popen(["selinux-polgengui"])
except ValueError as e:
self.error(e.args[0])
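Review bot: `Popen(["selinux-polgengui"])` in `new_module` now resolves the helper through the `PATH` of whoever launched the GUI instead of a fixed location, so which binary starts depends on the caller's environment. That matters if system-config-selinux is ever started with elevated privileges. The surrounding `except ValueError` also does not cover the `OSError` that `Popen` raises when the command cannot be found, which is now the likelier failure mode. Consider an absolute path that matches the install location from the Makefile hunk, and `except (ValueError, OSError) as e:` so a missing helper reaches `self.error` instead of propagating.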
--
2.21.0


@ -0,0 +1,49 @@
From 04b632e6de14ec0336e14988bf4c2bd581f7308e Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Tue, 5 Mar 2019 17:25:00 +0100
Subject: [PATCH] gui: Install .desktop files to /usr/share/applications by
default
/usr/share/applications is a standard directory for .desktop files.
Installation path can be changed using DESKTOPDIR variable in installation
phase, e.g.
make DESKTOPDIR=/usr/local/share/applications install
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
---
gui/Makefile | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/gui/Makefile b/gui/Makefile
index b2375fbf..ca965c94 100644
--- a/gui/Makefile
+++ b/gui/Makefile
@@ -5,6 +5,7 @@ BINDIR ?= $(PREFIX)/bin
SHAREDIR ?= $(PREFIX)/share/system-config-selinux
DATADIR ?= $(PREFIX)/share
MANDIR ?= $(PREFIX)/share/man
+DESKTOPDIR ?= $(PREFIX)/share/applications
TARGETS= \
booleansPage.py \
@@ -29,6 +30,7 @@ install: all
-mkdir -p $(DESTDIR)$(DATADIR)/pixmaps
-mkdir -p $(DESTDIR)$(DATADIR)/icons/hicolor/24x24/apps
-mkdir -p $(DESTDIR)$(DATADIR)/polkit-1/actions/
+ -mkdir -p $(DESTDIR)$(DESKTOPDIR)
install -m 755 system-config-selinux.py $(DESTDIR)$(SHAREDIR)
install -m 755 system-config-selinux $(DESTDIR)$(BINDIR)
install -m 755 polgengui.py $(DESTDIR)$(BINDIR)/selinux-polgengui
@@ -44,7 +46,7 @@ install: all
install -m 644 system-config-selinux.png $(DESTDIR)$(DATADIR)/pixmaps
install -m 644 system-config-selinux.png $(DESTDIR)$(DATADIR)/icons/hicolor/24x24/apps
install -m 644 system-config-selinux.png $(DESTDIR)$(DATADIR)/system-config-selinux
- install -m 644 *.desktop $(DESTDIR)$(DATADIR)/system-config-selinux
+ install -m 644 *.desktop $(DESTDIR)$(DESKTOPDIR)
-mkdir -p $(DESTDIR)$(DATADIR)/pixmaps
install -m 644 sepolicy_256.png $(DESTDIR)$(DATADIR)/pixmaps/sepolicy.png
for i in 16 22 32 48 256; do \
--
2.21.0


@ -0,0 +1,26 @@
From 52e0583f6adfe70825b009b626e19c290b49763a Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Thu, 20 Aug 2015 12:58:41 +0200
Subject: [PATCH] sandbox: add -reset to Xephyr as it works better with it in
recent Fedoras
---
sandbox/sandboxX.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sandbox/sandboxX.sh b/sandbox/sandboxX.sh
index eaa500d0..47745280 100644
--- a/sandbox/sandboxX.sh
+++ b/sandbox/sandboxX.sh
@@ -20,7 +20,7 @@ cat > ~/.config/openbox/rc.xml << EOF
</openbox_config>
EOF
-(/usr/bin/Xephyr -resizeable -title "$TITLE" -terminate -screen $SCREENSIZE -dpi $DPI -nolisten tcp -displayfd 5 5>&1 2>/dev/null) | while read D; do
+(/usr/bin/Xephyr -resizeable -title "$TITLE" -terminate -reset -screen $SCREENSIZE -dpi $DPI -nolisten tcp -displayfd 5 5>&1 2>/dev/null) | while read D; do
export DISPLAY=:$D
cat > ~/seremote << __EOF
#!/bin/sh
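Review bot: On the new Xephyr line `$SCREENSIZE` and `$DPI` are still expanded unquoted, so a value containing whitespace or glob characters would be split into extra Xephyr arguments. Where the two variables are set is outside this hunk, so whether they can carry caller-supplied text needs checking. Writing `-screen "$SCREENSIZE" -dpi "$DPI"` and `while read -r D` keeps the options and the display number literal. The `2>/dev/null` on the same line also discards Xephyr's startup errors, which makes a failed sandbox display hard to diagnose. The `while` loop body continues past the end of the hunk.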
--
2.21.0


@ -0,0 +1,46 @@
From 7504614fdd7dcf11b3a7568ca9b4b921973531dd Mon Sep 17 00:00:00 2001
From: Dan Walsh <dwalsh@redhat.com>
Date: Mon, 21 Apr 2014 13:54:40 -0400
Subject: [PATCH] Fix STANDARD_FILE_CONTEXT section in man pages
Signed-off-by: Miroslav Grepl <mgrepl@redhat.com>
---
python/sepolicy/sepolicy/manpage.py | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
index 1d367962..24e311a3 100755
--- a/python/sepolicy/sepolicy/manpage.py
+++ b/python/sepolicy/sepolicy/manpage.py
@@ -735,10 +735,13 @@ Default Defined Ports:""")
def _file_context(self):
flist = []
+ flist_non_exec = []
mpaths = []
for f in self.all_file_types:
if f.startswith(self.domainname):
flist.append(f)
+ if not file_type_is_executable(f) or not file_type_is_entrypoint(f):
+ flist_non_exec.append(f)
if f in self.fcdict:
mpaths = mpaths + self.fcdict[f]["regex"]
if len(mpaths) == 0:
@@ -797,12 +800,12 @@ SELinux %(domainname)s policy is very flexible allowing users to setup their %(d
SELinux defines the file context types for the %(domainname)s, if you wanted to
store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk.
-.B semanage fcontext -a -t %(type)s '/srv/%(domainname)s/content(/.*)?'
+.B semanage fcontext -a -t %(type)s '/srv/my%(domainname)s_content(/.*)?'
.br
.B restorecon -R -v /srv/my%(domainname)s_content
Note: SELinux often uses regular expressions to specify labels that match multiple files.
-""" % {'domainname': self.domainname, "type": flist[0]})
+""" % {'domainname': self.domainname, "type": flist_non_exec[-1]})
self.fd.write(r"""
.I The following file types are defined for %(domainname)s:
--
2.21.0


@ -0,0 +1,27 @@
From 9847a26b7f8358432ee4c7019efb3cbad0c162b0 Mon Sep 17 00:00:00 2001
From: Miroslav Grepl <mgrepl@redhat.com>
Date: Mon, 12 May 2014 14:11:22 +0200
Subject: [PATCH] If there is no executable we don't want to print a part of
STANDARD FILE CONTEXT
---
python/sepolicy/sepolicy/manpage.py | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
index 24e311a3..46092be0 100755
--- a/python/sepolicy/sepolicy/manpage.py
+++ b/python/sepolicy/sepolicy/manpage.py
@@ -793,7 +793,8 @@ SELinux %(domainname)s policy is very flexible allowing users to setup their %(d
.PP
""" % {'domainname': self.domainname, 'equiv': e, 'alt': e.split('/')[-1]})
- self.fd.write(r"""
+ if flist_non_exec:
+ self.fd.write(r"""
.PP
.B STANDARD FILE CONTEXT
--
2.21.0


@ -0,0 +1,169 @@
From b2993d464e05291020dbf60fc2948ac152eb0003 Mon Sep 17 00:00:00 2001
From: Miroslav Grepl <mgrepl@redhat.com>
Date: Thu, 19 Feb 2015 17:45:15 +0100
Subject: [PATCH] Simplication of sepolicy-manpage web functionality.
system_release is no longer hardcoded and it creates only index.html and html
man pages in the directory for the system release.
---
python/sepolicy/sepolicy/__init__.py | 25 +++--------
python/sepolicy/sepolicy/manpage.py | 65 +++-------------------------
2 files changed, 13 insertions(+), 77 deletions(-)
diff --git a/python/sepolicy/sepolicy/__init__.py b/python/sepolicy/sepolicy/__init__.py
index 6aed31bd..88a2b8f6 100644
--- a/python/sepolicy/sepolicy/__init__.py
+++ b/python/sepolicy/sepolicy/__init__.py
@@ -1209,27 +1209,14 @@ def boolean_desc(boolean):
def get_os_version():
- os_version = ""
- pkg_name = "selinux-policy"
+ system_release = ""
try:
- try:
- from commands import getstatusoutput
- except ImportError:
- from subprocess import getstatusoutput
- rc, output = getstatusoutput("rpm -q '%s'" % pkg_name)
- if rc == 0:
- os_version = output.split(".")[-2]
- except:
- os_version = ""
-
- if os_version[0:2] == "fc":
- os_version = "Fedora" + os_version[2:]
- elif os_version[0:2] == "el":
- os_version = "RHEL" + os_version[2:]
- else:
- os_version = ""
+ with open('/etc/system-release') as f:
+ system_release = f.readline()
+ except IOError:
+ system_release = "Misc"
- return os_version
+ return system_release
def reinit():
diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
index 46092be0..d60acfaf 100755
--- a/python/sepolicy/sepolicy/manpage.py
+++ b/python/sepolicy/sepolicy/manpage.py
@@ -149,10 +149,6 @@ def prettyprint(f, trim):
manpage_domains = []
manpage_roles = []
-fedora_releases = ["Fedora17", "Fedora18"]
-rhel_releases = ["RHEL6", "RHEL7"]
-
-
def get_alphabet_manpages(manpage_list):
alphabet_manpages = dict.fromkeys(string.ascii_letters, [])
for i in string.ascii_letters:
@@ -182,7 +178,7 @@ def convert_manpage_to_html(html_manpage, manpage):
class HTMLManPages:
"""
- Generate a HHTML Manpages on an given SELinux domains
+ Generate a HTML Manpages on an given SELinux domains
"""
def __init__(self, manpage_roles, manpage_domains, path, os_version):
@@ -190,9 +186,9 @@ class HTMLManPages:
self.manpage_domains = get_alphabet_manpages(manpage_domains)
self.os_version = os_version
self.old_path = path + "/"
- self.new_path = self.old_path + self.os_version + "/"
+ self.new_path = self.old_path
- if self.os_version in fedora_releases or self.os_version in rhel_releases:
+ if self.os_version:
self.__gen_html_manpages()
else:
print("SELinux HTML man pages can not be generated for this %s" % os_version)
@@ -201,7 +197,6 @@ class HTMLManPages:
def __gen_html_manpages(self):
self._write_html_manpage()
self._gen_index()
- self._gen_body()
self._gen_css()
def _write_html_manpage(self):
@@ -219,67 +214,21 @@ class HTMLManPages:
convert_manpage_to_html((self.new_path + r.rsplit("_selinux", 1)[0] + ".html"), self.old_path + r)
def _gen_index(self):
- index = self.old_path + "index.html"
- fd = open(index, 'w')
- fd.write("""
-<html>
-<head>
- <link rel=stylesheet type="text/css" href="style.css" title="style">
- <title>SELinux man pages online</title>
-</head>
-<body>
-<h1>SELinux man pages</h1>
-<br></br>
-Fedora or Red Hat Enterprise Linux Man Pages.</h2>
-<br></br>
-<hr>
-<h3>Fedora</h3>
-<table><tr>
-<td valign="middle">
-</td>
-</tr></table>
-<pre>
-""")
- for f in fedora_releases:
- fd.write("""
-<a href=%s/%s.html>%s</a> - SELinux man pages for %s """ % (f, f, f, f))
-
- fd.write("""
-</pre>
-<hr>
-<h3>RHEL</h3>
-<table><tr>
-<td valign="middle">
-</td>
-</tr></table>
-<pre>
-""")
- for r in rhel_releases:
- fd.write("""
-<a href=%s/%s.html>%s</a> - SELinux man pages for %s """ % (r, r, r, r))
-
- fd.write("""
-</pre>
- """)
- fd.close()
- print("%s has been created" % index)
-
- def _gen_body(self):
html = self.new_path + self.os_version + ".html"
fd = open(html, 'w')
fd.write("""
<html>
<head>
- <link rel=stylesheet type="text/css" href="../style.css" title="style">
- <title>Linux man-pages online for Fedora18</title>
+ <link rel=stylesheet type="text/css" href="style.css" title="style">
+ <title>SELinux man pages online</title>
</head>
<body>
-<h1>SELinux man pages for Fedora18</h1>
+<h1>SELinux man pages for %s</h1>
<hr>
<table><tr>
<td valign="middle">
<h3>SELinux roles</h3>
-""")
+""" % self.os_version)
for letter in self.manpage_roles:
if len(self.manpage_roles[letter]):
fd.write("""
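Review bot: In `_gen_index`, `self.os_version` goes verbatim into both the output file name (`html = self.new_path + self.os_version + ".html"`) and the markup (`<h1>SELinux man pages for %s</h1>`). After the `get_os_version` hunk above, that value is presumably the first line of /etc/system-release. A release string containing `/` would change the path being written, and `<` or `&` would land in the page unescaped. Deriving the file name from a sanitised form of the string, and escaping the value before formatting it into the HTML, would make the output independent of that file's exact content. `fd = open(html, 'w')` would also be safer as a `with` block; the function body continues outside the hunk, so the matching `close()` is not visible here.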
--
2.21.0


@ -0,0 +1,26 @@
From bfcb599d9424ef6ffcd250931c89675b451edd00 Mon Sep 17 00:00:00 2001
From: Miroslav Grepl <mgrepl@redhat.com>
Date: Fri, 20 Feb 2015 16:42:01 +0100
Subject: [PATCH] We want to remove the trailing newline for
/etc/system_release.
---
python/sepolicy/sepolicy/__init__.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/python/sepolicy/sepolicy/__init__.py b/python/sepolicy/sepolicy/__init__.py
index 88a2b8f6..0c66f4d5 100644
--- a/python/sepolicy/sepolicy/__init__.py
+++ b/python/sepolicy/sepolicy/__init__.py
@@ -1212,7 +1212,7 @@ def get_os_version():
system_release = ""
try:
with open('/etc/system-release') as f:
- system_release = f.readline()
+ system_release = f.readline().rstrip()
except IOError:
system_release = "Misc"
--
2.21.0


@ -0,0 +1,25 @@
From 4ea504acce6389c3e28134c4b8e6bf9072c295ce Mon Sep 17 00:00:00 2001
From: Miroslav Grepl <mgrepl@redhat.com>
Date: Fri, 20 Feb 2015 16:42:53 +0100
Subject: [PATCH] Fix title in manpage.py to not contain 'online'.
---
python/sepolicy/sepolicy/manpage.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
index d60acfaf..de8184d8 100755
--- a/python/sepolicy/sepolicy/manpage.py
+++ b/python/sepolicy/sepolicy/manpage.py
@@ -220,7 +220,7 @@ class HTMLManPages:
<html>
<head>
<link rel=stylesheet type="text/css" href="style.css" title="style">
- <title>SELinux man pages online</title>
+ <title>SELinux man pages</title>
</head>
<body>
<h1>SELinux man pages for %s</h1>
--
2.21.0


@ -0,0 +1,24 @@
From 8af697659bd662517571577bf47946a2113f34a1 Mon Sep 17 00:00:00 2001
From: Dan Walsh <dwalsh@redhat.com>
Date: Fri, 14 Feb 2014 12:32:12 -0500
Subject: [PATCH] Don't be verbose if you are not on a tty
---
policycoreutils/scripts/fixfiles | 1 +
1 file changed, 1 insertion(+)
diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles
index b2779581..53d28c7b 100755
--- a/policycoreutils/scripts/fixfiles
+++ b/policycoreutils/scripts/fixfiles
@@ -108,6 +108,7 @@ exclude_dirs_from_relabelling() {
fullFlag=0
BOOTTIME=""
VERBOSE="-p"
+[ -t 1 ] || VERBOSE=""
FORCEFLAG=""
RPMFILES=""
PREFC=""
--
2.21.0


@ -0,0 +1,63 @@
From ef0f54ffc6d691d10e66a0793204edd159cd45d0 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Mon, 27 Feb 2017 17:12:39 +0100
Subject: [PATCH] sepolicy: Drop old interface file_type_is_executable(f) and
file_type_is_entrypoint(f)
- use direct queries
- load exec_types and entry_types only once
---
python/sepolicy/sepolicy/manpage.py | 22 ++++++++++++++++++++--
1 file changed, 20 insertions(+), 2 deletions(-)
diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
index de8184d8..f8a94fc0 100755
--- a/python/sepolicy/sepolicy/manpage.py
+++ b/python/sepolicy/sepolicy/manpage.py
@@ -125,8 +125,24 @@ def gen_domains():
domains.sort()
return domains
-types = None
+exec_types = None
+
+def _gen_exec_types():
+ global exec_types
+ if exec_types is None:
+ exec_types = next(sepolicy.info(sepolicy.ATTRIBUTE, "exec_type"))["types"]
+ return exec_types
+
+entry_types = None
+
+def _gen_entry_types():
+ global entry_types
+ if entry_types is None:
+ entry_types = next(sepolicy.info(sepolicy.ATTRIBUTE, "entry_type"))["types"]
+ return entry_types
+
+types = None
def _gen_types():
global types
@@ -372,6 +388,8 @@ class ManPage:
self.all_file_types = sepolicy.get_all_file_types()
self.role_allows = sepolicy.get_all_role_allows()
self.types = _gen_types()
+ self.exec_types = _gen_exec_types()
+ self.entry_types = _gen_entry_types()
if self.source_files:
self.fcpath = self.root + "file_contexts"
@@ -689,7 +707,7 @@ Default Defined Ports:""")
for f in self.all_file_types:
if f.startswith(self.domainname):
flist.append(f)
- if not file_type_is_executable(f) or not file_type_is_entrypoint(f):
+ if not f in self.exec_types or not f in self.entry_types:
flist_non_exec.append(f)
if f in self.fcdict:
mpaths = mpaths + self.fcdict[f]["regex"]
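Review bot: The test `not f in self.exec_types or not f in self.entry_types` appends `f` to `flist_non_exec` unless it appears in both lists, so a type that is executable but not an entry point is still treated as non-executable. If the list is meant to exclude every executable type, the operator should be `and`; this is worth confirming against the intent of the STANDARD FILE CONTEXT example that consumes `flist_non_exec[-1]`. Independently, `f not in self.exec_types` is the idiomatic spelling. The enclosing loop in `_file_context` starts and ends outside this hunk.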
--
2.21.0


@ -0,0 +1,53 @@
From e54db76a3bff8e911ddd7c7ce834c024d634d9e1 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Tue, 28 Feb 2017 21:29:46 +0100
Subject: [PATCH] sepolicy: Another small optimization for mcs types
---
python/sepolicy/sepolicy/manpage.py | 16 +++++++++++-----
1 file changed, 11 insertions(+), 5 deletions(-)
diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
index f8a94fc0..67d39301 100755
--- a/python/sepolicy/sepolicy/manpage.py
+++ b/python/sepolicy/sepolicy/manpage.py
@@ -142,6 +142,15 @@ def _gen_entry_types():
entry_types = next(sepolicy.info(sepolicy.ATTRIBUTE, "entry_type"))["types"]
return entry_types
+mcs_constrained_types = None
+
+def _gen_mcs_constrained_types():
+ global mcs_constrained_types
+ if mcs_constrained_types is None:
+ mcs_constrained_types = next(sepolicy.info(sepolicy.ATTRIBUTE, "mcs_constrained_type"))
+ return mcs_constrained_types
+
+
types = None
def _gen_types():
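Review bot: `_gen_mcs_constrained_types` calls `next(sepolicy.info(sepolicy.ATTRIBUTE, "mcs_constrained_type"))` with no default, while the last hunk removes the `except StopIteration: return` that `_mcs_types` used to have. On a policy that does not define that attribute, the exception would now escape from the `ManPage` setup code in the second hunk instead of the MCS section simply being skipped. Passing a default keeps the old behaviour without touching `_mcs_types`: `mcs_constrained_types = next(sepolicy.info(sepolicy.ATTRIBUTE, "mcs_constrained_type"), {"types": []})`. The `_gen_entry_types` context lines at the top of this hunk use the same bare `next(...)` pattern.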
@@ -390,6 +399,7 @@ class ManPage:
self.types = _gen_types()
self.exec_types = _gen_exec_types()
self.entry_types = _gen_entry_types()
+ self.mcs_constrained_types = _gen_mcs_constrained_types()
if self.source_files:
self.fcpath = self.root + "file_contexts"
@@ -944,11 +954,7 @@ All executeables with the default executable label, usually stored in /usr/bin a
%s""" % ", ".join(paths))
def _mcs_types(self):
- try:
- mcs_constrained_type = next(sepolicy.info(sepolicy.ATTRIBUTE, "mcs_constrained_type"))
- except StopIteration:
- return
- if self.type not in mcs_constrained_type['types']:
+ if self.type not in self.mcs_constrained_types['types']:
return
self.fd.write ("""
.SH "MCS Constrained"
--
2.21.0


@ -0,0 +1,515 @@
From 4015e9299bfda622e9d407cdbcc536000688aa8f Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Mon, 6 Aug 2018 13:23:00 +0200
Subject: [PATCH] Move po/ translation files into the right sub-directories
When policycoreutils was split into policycoreutils/ python/ gui/ and sandbox/
sub-directories, po/ translation files stayed in policycoreutils/.
This commit split original policycoreutils/po directory into
policycoreutils/po
python/po
gui/po
sandbox/po
See https://github.com/fedora-selinux/selinux/issues/43
---
gui/Makefile | 3 ++
gui/po/Makefile | 82 ++++++++++++++++++++++++++++++++++++
gui/po/POTFILES | 17 ++++++++
policycoreutils/po/Makefile | 70 ++-----------------------------
policycoreutils/po/POTFILES | 9 ++++
python/Makefile | 2 +-
python/po/Makefile | 83 +++++++++++++++++++++++++++++++++++++
python/po/POTFILES | 10 +++++
sandbox/Makefile | 2 +
sandbox/po/Makefile | 82 ++++++++++++++++++++++++++++++++++++
sandbox/po/POTFILES | 1 +
11 files changed, 293 insertions(+), 68 deletions(-)
create mode 100644 gui/po/Makefile
create mode 100644 gui/po/POTFILES
create mode 100644 policycoreutils/po/POTFILES
create mode 100644 python/po/Makefile
create mode 100644 python/po/POTFILES
create mode 100644 sandbox/po/Makefile
create mode 100644 sandbox/po/POTFILES
diff --git a/gui/Makefile b/gui/Makefile
index ca965c94..5a5bf6dc 100644
--- a/gui/Makefile
+++ b/gui/Makefile
@@ -22,6 +22,7 @@ system-config-selinux.ui \
usersPage.py
all: $(TARGETS) system-config-selinux.py polgengui.py
+ (cd po && $(MAKE) $@)
install: all
-mkdir -p $(DESTDIR)$(MANDIR)/man8
@@ -54,6 +55,8 @@ install: all
install -m 644 sepolicy_$${i}.png $(DESTDIR)$(DATADIR)/icons/hicolor/$${i}x$${i}/apps/sepolicy.png; \
done
install -m 644 org.selinux.config.policy $(DESTDIR)$(DATADIR)/polkit-1/actions/
+ (cd po && $(MAKE) $@)
+
clean:
indent:
diff --git a/gui/po/Makefile b/gui/po/Makefile
new file mode 100644
index 00000000..a0f5439f
--- /dev/null
+++ b/gui/po/Makefile
@@ -0,0 +1,82 @@
+#
+# Makefile for the PO files (translation) catalog
+#
+
+PREFIX ?= /usr
+
+# What is this package?
+NLSPACKAGE = gui
+POTFILE = $(NLSPACKAGE).pot
+INSTALL = /usr/bin/install -c -p
+INSTALL_DATA = $(INSTALL) -m 644
+INSTALL_DIR = /usr/bin/install -d
+
+# destination directory
+INSTALL_NLS_DIR = $(PREFIX)/share/locale
+
+# PO catalog handling
+MSGMERGE = msgmerge
+MSGMERGE_FLAGS = -q
+XGETTEXT = xgettext --default-domain=$(NLSPACKAGE)
+MSGFMT = msgfmt
+
+# All possible linguas
+PO_LINGUAS := $(sort $(patsubst %.po,%,$(wildcard *.po)))
+
+# Only the files matching what the user has set in LINGUAS
+USER_LINGUAS := $(filter $(patsubst %,%%,$(LINGUAS)),$(PO_LINGUAS))
+
+# if no valid LINGUAS, build all languages
+USE_LINGUAS := $(if $(USER_LINGUAS),$(USER_LINGUAS),$(PO_LINGUAS))
+
+POFILES = $(patsubst %,%.po,$(USE_LINGUAS))
+MOFILES = $(patsubst %.po,%.mo,$(POFILES))
+POTFILES = $(shell cat POTFILES)
+
+#default:: clean
+
+all:: $(MOFILES)
+
+$(POTFILE): $(POTFILES)
+ $(XGETTEXT) --keyword=_ --keyword=N_ $(POTFILES)
+ @if cmp -s $(NLSPACKAGE).po $(POTFILE); then \
+ rm -f $(NLSPACKAGE).po; \
+ else \
+ mv -f $(NLSPACKAGE).po $(POTFILE); \
+ fi; \
+
+
+refresh-po: Makefile
+ for cat in $(POFILES); do \
+ lang=`basename $$cat .po`; \
+ if $(MSGMERGE) $(MSGMERGE_FLAGS) $$lang.po $(POTFILE) > $$lang.pot ; then \
+ mv -f $$lang.pot $$lang.po ; \
+ echo "$(MSGMERGE) of $$lang succeeded" ; \
+ else \
+ echo "$(MSGMERGE) of $$lang failed" ; \
+ rm -f $$lang.pot ; \
+ fi \
+ done
+
+clean:
+ @rm -fv *mo *~ .depend
+ @rm -rf tmp
+
+install: $(MOFILES)
+ @for n in $(MOFILES); do \
+ l=`basename $$n .mo`; \
+ $(INSTALL_DIR) $(DESTDIR)$(INSTALL_NLS_DIR)/$$l/LC_MESSAGES; \
+ $(INSTALL_DATA) --verbose $$n $(DESTDIR)$(INSTALL_NLS_DIR)/$$l/LC_MESSAGES/selinux-$(NLSPACKAGE).mo; \
+ done
+
+%.mo: %.po
+ $(MSGFMT) -o $@ $<
+report:
+ @for cat in $(wildcard *.po); do \
+ echo -n "$$cat: "; \
+ msgfmt -v --statistics -o /dev/null $$cat; \
+ done
+
+.PHONY: missing depend
+
+relabel:
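Review bot: In the `install` recipe the `for n in $(MOFILES)` loop joins its commands with `;`, so a failing `$(INSTALL_DIR)` or `$(INSTALL_DATA)` for any catalog but the last is ignored. `make install` still exits 0 and leaves a partially installed set of translations. Appending `|| exit 1` to both commands inside the loop makes the failure visible to the packaging build. `POTFILES = $(shell cat POTFILES)` is also re-evaluated on every expansion; `POTFILES := $(shell cat POTFILES)` reads the list once. The same recipe text is added in python/po/Makefile and sandbox/po/Makefile.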
diff --git a/gui/po/POTFILES b/gui/po/POTFILES
new file mode 100644
index 00000000..1795c5c1
--- /dev/null
+++ b/gui/po/POTFILES
@@ -0,0 +1,17 @@
+../booleansPage.py
+../domainsPage.py
+../fcontextPage.py
+../loginsPage.py
+../modulesPage.py
+../org.selinux.config.policy
+../polgengui.py
+../polgen.ui
+../portsPage.py
+../selinux-polgengui.desktop
+../semanagePage.py
+../sepolicy.desktop
+../statusPage.py
+../system-config-selinux.desktop
+../system-config-selinux.py
+../system-config-selinux.ui
+../usersPage.py
diff --git a/policycoreutils/po/Makefile b/policycoreutils/po/Makefile
index 575e1431..18bc1dff 100644
--- a/policycoreutils/po/Makefile
+++ b/policycoreutils/po/Makefile
@@ -3,7 +3,6 @@
#
PREFIX ?= /usr
-TOP = ../..
# What is this package?
NLSPACKAGE = policycoreutils
@@ -32,74 +31,13 @@ USE_LINGUAS := $(if $(USER_LINGUAS),$(USER_LINGUAS),$(PO_LINGUAS))
POFILES = $(patsubst %,%.po,$(USE_LINGUAS))
MOFILES = $(patsubst %.po,%.mo,$(POFILES))
-POTFILES = \
- ../run_init/open_init_pty.c \
- ../run_init/run_init.c \
- ../semodule_link/semodule_link.c \
- ../audit2allow/audit2allow \
- ../semanage/seobject.py \
- ../setsebool/setsebool.c \
- ../newrole/newrole.c \
- ../load_policy/load_policy.c \
- ../sestatus/sestatus.c \
- ../semodule/semodule.c \
- ../setfiles/setfiles.c \
- ../semodule_package/semodule_package.c \
- ../semodule_deps/semodule_deps.c \
- ../semodule_expand/semodule_expand.c \
- ../scripts/chcat \
- ../scripts/fixfiles \
- ../restorecond/stringslist.c \
- ../restorecond/restorecond.h \
- ../restorecond/utmpwatcher.h \
- ../restorecond/stringslist.h \
- ../restorecond/restorecond.c \
- ../restorecond/utmpwatcher.c \
- ../gui/booleansPage.py \
- ../gui/fcontextPage.py \
- ../gui/loginsPage.py \
- ../gui/mappingsPage.py \
- ../gui/modulesPage.py \
- ../gui/polgen.glade \
- ../gui/polgengui.py \
- ../gui/portsPage.py \
- ../gui/semanagePage.py \
- ../gui/statusPage.py \
- ../gui/system-config-selinux.glade \
- ../gui/system-config-selinux.py \
- ../gui/usersPage.py \
- ../secon/secon.c \
- booleans.py \
- ../sepolicy/sepolicy.py \
- ../sepolicy/sepolicy/communicate.py \
- ../sepolicy/sepolicy/__init__.py \
- ../sepolicy/sepolicy/network.py \
- ../sepolicy/sepolicy/generate.py \
- ../sepolicy/sepolicy/sepolicy.glade \
- ../sepolicy/sepolicy/gui.py \
- ../sepolicy/sepolicy/manpage.py \
- ../sepolicy/sepolicy/transition.py \
- ../sepolicy/sepolicy/templates/executable.py \
- ../sepolicy/sepolicy/templates/__init__.py \
- ../sepolicy/sepolicy/templates/network.py \
- ../sepolicy/sepolicy/templates/rw.py \
- ../sepolicy/sepolicy/templates/script.py \
- ../sepolicy/sepolicy/templates/semodule.py \
- ../sepolicy/sepolicy/templates/tmp.py \
- ../sepolicy/sepolicy/templates/user.py \
- ../sepolicy/sepolicy/templates/var_lib.py \
- ../sepolicy/sepolicy/templates/var_log.py \
- ../sepolicy/sepolicy/templates/var_run.py \
- ../sepolicy/sepolicy/templates/var_spool.py
+POTFILES = $(shell cat POTFILES)
#default:: clean
-all:: $(MOFILES)
+all:: $(POTFILE) $(MOFILES)
-booleans.py:
- sepolicy booleans -a > booleans.py
-
-$(POTFILE): $(POTFILES) booleans.py
+$(POTFILE): $(POTFILES)
$(XGETTEXT) --keyword=_ --keyword=N_ $(POTFILES)
@if cmp -s $(NLSPACKAGE).po $(POTFILE); then \
rm -f $(NLSPACKAGE).po; \
@@ -107,8 +45,6 @@ $(POTFILE): $(POTFILES) booleans.py
mv -f $(NLSPACKAGE).po $(POTFILE); \
fi; \
-update-po: Makefile $(POTFILE) refresh-po
- @rm -f booleans.py
refresh-po: Makefile
for cat in $(POFILES); do \
diff --git a/policycoreutils/po/POTFILES b/policycoreutils/po/POTFILES
new file mode 100644
index 00000000..12237dc6
--- /dev/null
+++ b/policycoreutils/po/POTFILES
@@ -0,0 +1,9 @@
+../run_init/open_init_pty.c
+../run_init/run_init.c
+../setsebool/setsebool.c
+../newrole/newrole.c
+../load_policy/load_policy.c
+../sestatus/sestatus.c
+../semodule/semodule.c
+../setfiles/setfiles.c
+../secon/secon.c
diff --git a/python/Makefile b/python/Makefile
index 9b66d52f..00312dbd 100644
--- a/python/Makefile
+++ b/python/Makefile
@@ -1,4 +1,4 @@
-SUBDIRS = sepolicy audit2allow semanage sepolgen chcat
+SUBDIRS = sepolicy audit2allow semanage sepolgen chcat po
all install relabel clean indent test:
@for subdir in $(SUBDIRS); do \
diff --git a/python/po/Makefile b/python/po/Makefile
new file mode 100644
index 00000000..4e052d5a
--- /dev/null
+++ b/python/po/Makefile
@@ -0,0 +1,83 @@
+#
+# Makefile for the PO files (translation) catalog
+#
+
+PREFIX ?= /usr
+
+# What is this package?
+NLSPACKAGE = python
+POTFILE = $(NLSPACKAGE).pot
+INSTALL = /usr/bin/install -c -p
+INSTALL_DATA = $(INSTALL) -m 644
+INSTALL_DIR = /usr/bin/install -d
+
+# destination directory
+INSTALL_NLS_DIR = $(PREFIX)/share/locale
+
+# PO catalog handling
+MSGMERGE = msgmerge
+MSGMERGE_FLAGS = -q
+XGETTEXT = xgettext --default-domain=$(NLSPACKAGE)
+MSGFMT = msgfmt
+
+# All possible linguas
+PO_LINGUAS := $(sort $(patsubst %.po,%,$(wildcard *.po)))
+
+# Only the files matching what the user has set in LINGUAS
+USER_LINGUAS := $(filter $(patsubst %,%%,$(LINGUAS)),$(PO_LINGUAS))
+
+# if no valid LINGUAS, build all languages
+USE_LINGUAS := $(if $(USER_LINGUAS),$(USER_LINGUAS),$(PO_LINGUAS))
+
+POFILES = $(patsubst %,%.po,$(USE_LINGUAS))
+MOFILES = $(patsubst %.po,%.mo,$(POFILES))
+POTFILES = $(shell cat POTFILES)
+
+#default:: clean
+
+all:: $(MOFILES)
+
+$(POTFILE): $(POTFILES)
+ $(XGETTEXT) -L Python --keyword=_ --keyword=N_ $(POTFILES)
+ $(XGETTEXT) -j --keyword=_ --keyword=N_ ../sepolicy/sepolicy/sepolicy.glade
+ @if cmp -s $(NLSPACKAGE).po $(POTFILE); then \
+ rm -f $(NLSPACKAGE).po; \
+ else \
+ mv -f $(NLSPACKAGE).po $(POTFILE); \
+ fi; \
+
+
+refresh-po: Makefile
+ for cat in $(POFILES); do \
+ lang=`basename $$cat .po`; \
+ if $(MSGMERGE) $(MSGMERGE_FLAGS) $$lang.po $(POTFILE) > $$lang.pot ; then \
+ mv -f $$lang.pot $$lang.po ; \
+ echo "$(MSGMERGE) of $$lang succeeded" ; \
+ else \
+ echo "$(MSGMERGE) of $$lang failed" ; \
+ rm -f $$lang.pot ; \
+ fi \
+ done
+
+clean:
+ @rm -fv *mo *~ .depend
+ @rm -rf tmp
+
+install: $(MOFILES)
+ @for n in $(MOFILES); do \
+ l=`basename $$n .mo`; \
+ $(INSTALL_DIR) $(DESTDIR)$(INSTALL_NLS_DIR)/$$l/LC_MESSAGES; \
+ $(INSTALL_DATA) --verbose $$n $(DESTDIR)$(INSTALL_NLS_DIR)/$$l/LC_MESSAGES/selinux-$(NLSPACKAGE).mo; \
+ done
+
+%.mo: %.po
+ $(MSGFMT) -o $@ $<
+report:
+ @for cat in $(wildcard *.po); do \
+ echo -n "$$cat: "; \
+ msgfmt -v --statistics -o /dev/null $$cat; \
+ done
+
+.PHONY: missing depend
+
+relabel:
diff --git a/python/po/POTFILES b/python/po/POTFILES
new file mode 100644
index 00000000..128eb870
--- /dev/null
+++ b/python/po/POTFILES
@@ -0,0 +1,10 @@
+../audit2allow/audit2allow
+../chcat/chcat
+../semanage/semanage
+../semanage/seobject.py
+../sepolgen/src/sepolgen/interfaces.py
+../sepolicy/sepolicy/generate.py
+../sepolicy/sepolicy/gui.py
+../sepolicy/sepolicy/__init__.py
+../sepolicy/sepolicy/interface.py
+../sepolicy/sepolicy.py
diff --git a/sandbox/Makefile b/sandbox/Makefile
index 9da5e58d..b817824e 100644
--- a/sandbox/Makefile
+++ b/sandbox/Makefile
@@ -13,6 +13,7 @@ override LDLIBS += -lselinux -lcap-ng
SEUNSHARE_OBJS = seunshare.o
all: sandbox seunshare sandboxX.sh start
+ (cd po && $(MAKE) $@)
seunshare: $(SEUNSHARE_OBJS)
@@ -39,6 +40,7 @@ install: all
install -m 755 start $(DESTDIR)$(SHAREDIR)
-mkdir -p $(DESTDIR)$(SYSCONFDIR)
install -m 644 sandbox.conf $(DESTDIR)$(SYSCONFDIR)/sandbox
+ (cd po && $(MAKE) $@)
test:
@$(PYTHON) test_sandbox.py -v
diff --git a/sandbox/po/Makefile b/sandbox/po/Makefile
new file mode 100644
index 00000000..0556bbe9
--- /dev/null
+++ b/sandbox/po/Makefile
@@ -0,0 +1,82 @@
+#
+# Makefile for the PO files (translation) catalog
+#
+
+PREFIX ?= /usr
+
+# What is this package?
+NLSPACKAGE = sandbox
+POTFILE = $(NLSPACKAGE).pot
+INSTALL = /usr/bin/install -c -p
+INSTALL_DATA = $(INSTALL) -m 644
+INSTALL_DIR = /usr/bin/install -d
+
+# destination directory
+INSTALL_NLS_DIR = $(PREFIX)/share/locale
+
+# PO catalog handling
+MSGMERGE = msgmerge
+MSGMERGE_FLAGS = -q
+XGETTEXT = xgettext -L Python --default-domain=$(NLSPACKAGE)
+MSGFMT = msgfmt
+
+# All possible linguas
+PO_LINGUAS := $(sort $(patsubst %.po,%,$(wildcard *.po)))
+
+# Only the files matching what the user has set in LINGUAS
+USER_LINGUAS := $(filter $(patsubst %,%%,$(LINGUAS)),$(PO_LINGUAS))
+
+# if no valid LINGUAS, build all languages
+USE_LINGUAS := $(if $(USER_LINGUAS),$(USER_LINGUAS),$(PO_LINGUAS))
+
+POFILES = $(patsubst %,%.po,$(USE_LINGUAS))
+MOFILES = $(patsubst %.po,%.mo,$(POFILES))
+POTFILES = $(shell cat POTFILES)
+
+#default:: clean
+
+all:: $(POTFILE) $(MOFILES)
+
+$(POTFILE): $(POTFILES)
+ $(XGETTEXT) --keyword=_ --keyword=N_ $(POTFILES)
+ @if cmp -s $(NLSPACKAGE).po $(POTFILE); then \
+ rm -f $(NLSPACKAGE).po; \
+ else \
+ mv -f $(NLSPACKAGE).po $(POTFILE); \
+ fi; \
+
+
+refresh-po: Makefile
+ for cat in $(POFILES); do \
+ lang=`basename $$cat .po`; \
+ if $(MSGMERGE) $(MSGMERGE_FLAGS) $$lang.po $(POTFILE) > $$lang.pot ; then \
+ mv -f $$lang.pot $$lang.po ; \
+ echo "$(MSGMERGE) of $$lang succeeded" ; \
+ else \
+ echo "$(MSGMERGE) of $$lang failed" ; \
+ rm -f $$lang.pot ; \
+ fi \
+ done
+
+clean:
+ @rm -fv *mo *~ .depend
+ @rm -rf tmp
+
+install: $(MOFILES)
+ @for n in $(MOFILES); do \
+ l=`basename $$n .mo`; \
+ $(INSTALL_DIR) $(DESTDIR)$(INSTALL_NLS_DIR)/$$l/LC_MESSAGES; \
+ $(INSTALL_DATA) --verbose $$n $(DESTDIR)$(INSTALL_NLS_DIR)/$$l/LC_MESSAGES/selinux-$(NLSPACKAGE).mo; \
+ done
+
+%.mo: %.po
+ $(MSGFMT) -o $@ $<
+report:
+ @for cat in $(wildcard *.po); do \
+ echo -n "$$cat: "; \
+ msgfmt -v --statistics -o /dev/null $$cat; \
+ done
+
+.PHONY: missing depend
+
+relabel:
diff --git a/sandbox/po/POTFILES b/sandbox/po/POTFILES
new file mode 100644
index 00000000..deff3f2f
--- /dev/null
+++ b/sandbox/po/POTFILES
@@ -0,0 +1 @@
+../sandbox
--
2.21.0


@ -0,0 +1,306 @@
From 57cd23e11e1a700802a5955e84a0a7e04c30ec73 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Mon, 6 Aug 2018 13:37:07 +0200
Subject: [PATCH] Use correct gettext domains in python/ gui/ sandbox/
https://github.com/fedora-selinux/selinux/issues/43
---
gui/booleansPage.py | 2 +-
gui/domainsPage.py | 2 +-
gui/fcontextPage.py | 2 +-
gui/loginsPage.py | 2 +-
gui/modulesPage.py | 2 +-
gui/polgengui.py | 2 +-
gui/portsPage.py | 2 +-
gui/semanagePage.py | 2 +-
gui/statusPage.py | 2 +-
gui/system-config-selinux.py | 2 +-
gui/usersPage.py | 2 +-
python/chcat/chcat | 2 +-
python/semanage/semanage | 2 +-
python/semanage/seobject.py | 2 +-
python/sepolgen/src/sepolgen/sepolgeni18n.py | 2 +-
python/sepolicy/sepolicy.py | 2 +-
python/sepolicy/sepolicy/__init__.py | 2 +-
python/sepolicy/sepolicy/generate.py | 2 +-
python/sepolicy/sepolicy/gui.py | 2 +-
python/sepolicy/sepolicy/interface.py | 2 +-
sandbox/sandbox | 2 +-
21 files changed, 21 insertions(+), 21 deletions(-)
diff --git a/gui/booleansPage.py b/gui/booleansPage.py
index 7849bea2..dd12b6d6 100644
--- a/gui/booleansPage.py
+++ b/gui/booleansPage.py
@@ -38,7 +38,7 @@ DISABLED = 2
##
## I18N
##
-PROGNAME = "policycoreutils"
+PROGNAME = "selinux-gui"
try:
import gettext
kwargs = {}
diff --git a/gui/domainsPage.py b/gui/domainsPage.py
index bad5140d..6bbe4de5 100644
--- a/gui/domainsPage.py
+++ b/gui/domainsPage.py
@@ -30,7 +30,7 @@ from semanagePage import *
##
## I18N
##
-PROGNAME = "policycoreutils"
+PROGNAME = "selinux-gui"
try:
import gettext
kwargs = {}
diff --git a/gui/fcontextPage.py b/gui/fcontextPage.py
index 370bbee4..e424366d 100644
--- a/gui/fcontextPage.py
+++ b/gui/fcontextPage.py
@@ -47,7 +47,7 @@ class context:
##
## I18N
##
-PROGNAME = "policycoreutils"
+PROGNAME = "selinux-gui"
try:
import gettext
kwargs = {}
diff --git a/gui/loginsPage.py b/gui/loginsPage.py
index b67eb8bc..cbfb0cc2 100644
--- a/gui/loginsPage.py
+++ b/gui/loginsPage.py
@@ -29,7 +29,7 @@ from semanagePage import *
##
## I18N
##
-PROGNAME = "policycoreutils"
+PROGNAME = "selinux-gui"
try:
import gettext
kwargs = {}
diff --git a/gui/modulesPage.py b/gui/modulesPage.py
index cb856b2d..26ac5404 100644
--- a/gui/modulesPage.py
+++ b/gui/modulesPage.py
@@ -30,7 +30,7 @@ from semanagePage import *
##
## I18N
##
-PROGNAME = "policycoreutils"
+PROGNAME = "selinux-gui"
try:
import gettext
kwargs = {}
diff --git a/gui/polgengui.py b/gui/polgengui.py
index b1cc9937..46a1bd2c 100644
--- a/gui/polgengui.py
+++ b/gui/polgengui.py
@@ -63,7 +63,7 @@ def get_all_modules():
##
## I18N
##
-PROGNAME = "policycoreutils"
+PROGNAME = "selinux-gui"
try:
import gettext
kwargs = {}
diff --git a/gui/portsPage.py b/gui/portsPage.py
index 30f58383..a537ecc8 100644
--- a/gui/portsPage.py
+++ b/gui/portsPage.py
@@ -35,7 +35,7 @@ from semanagePage import *
##
## I18N
##
-PROGNAME = "policycoreutils"
+PROGNAME = "selinux-gui"
try:
import gettext
kwargs = {}
diff --git a/gui/semanagePage.py b/gui/semanagePage.py
index 4127804f..5361d69c 100644
--- a/gui/semanagePage.py
+++ b/gui/semanagePage.py
@@ -22,7 +22,7 @@ from gi.repository import Gdk, Gtk
##
## I18N
##
-PROGNAME = "policycoreutils"
+PROGNAME = "selinux-gui"
try:
import gettext
kwargs = {}
diff --git a/gui/statusPage.py b/gui/statusPage.py
index 766854b1..a8f079b9 100644
--- a/gui/statusPage.py
+++ b/gui/statusPage.py
@@ -35,7 +35,7 @@ RELABELFILE = "/.autorelabel"
##
## I18N
##
-PROGNAME = "policycoreutils"
+PROGNAME = "selinux-gui"
try:
import gettext
kwargs = {}
diff --git a/gui/system-config-selinux.py b/gui/system-config-selinux.py
index c42301b6..1e0d5eb1 100644
--- a/gui/system-config-selinux.py
+++ b/gui/system-config-selinux.py
@@ -45,7 +45,7 @@ import selinux
##
## I18N
##
-PROGNAME = "policycoreutils"
+PROGNAME = "selinux-gui"
try:
import gettext
kwargs = {}
diff --git a/gui/usersPage.py b/gui/usersPage.py
index 26794ed5..d15d4c5a 100644
--- a/gui/usersPage.py
+++ b/gui/usersPage.py
@@ -29,7 +29,7 @@ from semanagePage import *
##
## I18N
##
-PROGNAME = "policycoreutils"
+PROGNAME = "selinux-gui"
try:
import gettext
kwargs = {}
diff --git a/python/chcat/chcat b/python/chcat/chcat
index ba398684..df2509f2 100755
--- a/python/chcat/chcat
+++ b/python/chcat/chcat
@@ -30,7 +30,7 @@ import getopt
import selinux
import seobject
-PROGNAME = "policycoreutils"
+PROGNAME = "selinux-python"
try:
import gettext
kwargs = {}
diff --git a/python/semanage/semanage b/python/semanage/semanage
index 144cc000..56db3e0d 100644
--- a/python/semanage/semanage
+++ b/python/semanage/semanage
@@ -27,7 +27,7 @@ import traceback
import argparse
import seobject
import sys
-PROGNAME = "policycoreutils"
+PROGNAME = "selinux-python"
try:
import gettext
kwargs = {}
diff --git a/python/semanage/seobject.py b/python/semanage/seobject.py
index 13fdf531..b90b1070 100644
--- a/python/semanage/seobject.py
+++ b/python/semanage/seobject.py
@@ -29,7 +29,7 @@ import sys
import stat
import socket
from semanage import *
-PROGNAME = "policycoreutils"
+PROGNAME = "selinux-python"
import sepolicy
import setools
from IPy import IP
diff --git a/python/sepolgen/src/sepolgen/sepolgeni18n.py b/python/sepolgen/src/sepolgen/sepolgeni18n.py
index 998c4356..56ebd807 100644
--- a/python/sepolgen/src/sepolgen/sepolgeni18n.py
+++ b/python/sepolgen/src/sepolgen/sepolgeni18n.py
@@ -19,7 +19,7 @@
try:
import gettext
- t = gettext.translation( 'yumex' )
+ t = gettext.translation( 'selinux-python' )
_ = t.gettext
except:
def _(str):
diff --git a/python/sepolicy/sepolicy.py b/python/sepolicy/sepolicy.py
index 1934cd86..8bd6a579 100755
--- a/python/sepolicy/sepolicy.py
+++ b/python/sepolicy/sepolicy.py
@@ -27,7 +27,7 @@ import selinux
import sepolicy
from sepolicy import get_os_version, get_conditionals, get_conditionals_format_text
import argparse
-PROGNAME = "policycoreutils"
+PROGNAME = "selinux-python"
try:
import gettext
kwargs = {}
diff --git a/python/sepolicy/sepolicy/__init__.py b/python/sepolicy/sepolicy/__init__.py
index 0c66f4d5..b6ca57c3 100644
--- a/python/sepolicy/sepolicy/__init__.py
+++ b/python/sepolicy/sepolicy/__init__.py
@@ -13,7 +13,7 @@ import os
import re
import gzip
-PROGNAME = "policycoreutils"
+PROGNAME = "selinux-python"
try:
import gettext
kwargs = {}
diff --git a/python/sepolicy/sepolicy/generate.py b/python/sepolicy/sepolicy/generate.py
index 019e7836..7175d36b 100644
--- a/python/sepolicy/sepolicy/generate.py
+++ b/python/sepolicy/sepolicy/generate.py
@@ -49,7 +49,7 @@ import sepolgen.defaults as defaults
##
## I18N
##
-PROGNAME = "policycoreutils"
+PROGNAME = "selinux-python"
try:
import gettext
kwargs = {}
diff --git a/python/sepolicy/sepolicy/gui.py b/python/sepolicy/sepolicy/gui.py
index 00fd7a11..805cee67 100644
--- a/python/sepolicy/sepolicy/gui.py
+++ b/python/sepolicy/sepolicy/gui.py
@@ -41,7 +41,7 @@ import os
import re
import unicodedata
-PROGNAME = "policycoreutils"
+PROGNAME = "selinux-python"
try:
import gettext
kwargs = {}
diff --git a/python/sepolicy/sepolicy/interface.py b/python/sepolicy/sepolicy/interface.py
index 583091ae..e2b8d23b 100644
--- a/python/sepolicy/sepolicy/interface.py
+++ b/python/sepolicy/sepolicy/interface.py
@@ -30,7 +30,7 @@ __all__ = ['get_all_interfaces', 'get_interfaces_from_xml', 'get_admin', 'get_us
##
## I18N
##
-PROGNAME = "policycoreutils"
+PROGNAME = "selinux-python"
try:
import gettext
kwargs = {}
diff --git a/sandbox/sandbox b/sandbox/sandbox
index 1dec07ac..a12403b3 100644
--- a/sandbox/sandbox
+++ b/sandbox/sandbox
@@ -37,7 +37,7 @@ import sepolicy
SEUNSHARE = "/usr/sbin/seunshare"
SANDBOXSH = "/usr/share/sandbox/sandboxX.sh"
-PROGNAME = "policycoreutils"
+PROGNAME = "selinux-sandbox"
try:
import gettext
kwargs = {}
--
2.21.0


@ -0,0 +1,30 @@
From c8fbb8042852c18775c001999ce949e9b591e381 Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com>
Date: Wed, 21 Mar 2018 08:51:31 +0100
Subject: [PATCH] policycoreutils/setfiles: Improve description of -d switch
The "-q" switch is becoming obsolete (completely unused in fedora) and
debug output ("-d" switch) makes sense in any scenario. Therefore both
options can be specified at once.
Resolves: rhbz#1271327
---
policycoreutils/setfiles/setfiles.8 | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policycoreutils/setfiles/setfiles.8 b/policycoreutils/setfiles/setfiles.8
index ccaaf4de..a8a76c86 100644
--- a/policycoreutils/setfiles/setfiles.8
+++ b/policycoreutils/setfiles/setfiles.8
@@ -57,7 +57,7 @@ check the validity of the contexts against the specified binary policy.
.TP
.B \-d
show what specification matched each file (do not abort validation
-after ABORT_ON_ERRORS errors).
+after ABORT_ON_ERRORS errors). Not affected by "\-q"
.TP
.BI \-e \ directory
directory to exclude (repeat option for more than one directory).
--
2.21.0


@ -0,0 +1,71 @@
From 3073efc112929b535f3a832c6f99e0dbe3af29ca Mon Sep 17 00:00:00 2001
From: Masatake YAMATO <yamato@redhat.com>
Date: Thu, 14 Dec 2017 15:57:58 +0900
Subject: [PATCH] sepolicy-generate: Handle more reserved port types
Currently only reserved_port_t, port_t and hi_reserved_port_t are
handled as special when making a ports-dictionary. However, as fas as
corenetwork.te.in of serefpolicy, unreserved_port_t and
ephemeral_port_t should be handled in the same way, too.
(Details) I found the need of this change when I was using
selinux-polgengui. Though tcp port 12345, which my application may
use, was given to the gui, selinux-polgengui generates expected te
file and sh file which didn't utilize the tcp port.
selinux-polgengui checks whether a port given via gui is already typed
or not.
If it is already typed, selinux-polgengui generates a te file having
rules to allow the application to use the port. (A)
If not, it seems for me that selinux-polgengui is designed to generate
a te file having rules to allow the application to own(?) the port;
and a sh file having a command line to assign the application own type
to the port. (B)
As we can see the output of `semanage port -l' some of ports for
specified purpose have types already. The important point is that the
rest of ports also have types already:
hi_reserved_port_t tcp 512-1023
hi_reserved_port_t udp 512-1023
unreserved_port_t tcp 1024-32767, 61001-65535
unreserved_port_t udp 1024-32767, 61001-65535
ephemeral_port_t tcp 32768-61000
ephemeral_port_t udp 32768-61000
As my patch shows, the original selinux-polgengui ignored
hi_reserved_port_t; though hi_reserved_port_t is assigned,
selinux-polgengui considered ports 512-1023 are not used. As the
result selinux-polgengui generates file sets of (B).
For the purpose of selinux-polgengui, I think unreserved_port_t and
ephemeral_port_t are treated as the same as hi_reserved_port_t.
Signed-off-by: Masatake YAMATO <yamato@redhat.com>
Fedora only patch:
https://lore.kernel.org/selinux/20150610.190635.1866127952891120915.yamato@redhat.com/
---
python/sepolicy/sepolicy/generate.py | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/python/sepolicy/sepolicy/generate.py b/python/sepolicy/sepolicy/generate.py
index 7175d36b..93caedee 100644
--- a/python/sepolicy/sepolicy/generate.py
+++ b/python/sepolicy/sepolicy/generate.py
@@ -100,7 +100,9 @@ def get_all_ports():
for p in sepolicy.info(sepolicy.PORT):
if p['type'] == "reserved_port_t" or \
p['type'] == "port_t" or \
- p['type'] == "hi_reserved_port_t":
+ p['type'] == "hi_reserved_port_t" or \
+ p['type'] == "ephemeral_port_t" or \
+ p['type'] == "unreserved_port_t":
continue
dict[(p['low'], p['high'], p['protocol'])] = (p['type'], p.get('range'))
return dict
--
2.21.0
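Review bot: The type test in get_all_ports() is now a five-way chain of `p['type'] == ...` comparisons held together by line continuations, which is easy to break when the next generic type is added. A membership test keeps the list in one place: `if p['type'] in ("reserved_port_t", "port_t", "hi_reserved_port_t", "ephemeral_port_t", "unreserved_port_t"):`. A one-line comment saying that these are the range-wide types rather than service-specific ones would also explain why they are skipped. The function starts above the hunk.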


@ -0,0 +1,24 @@
From f8602180d042e95947fe0bbd35d261771b347705 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Thu, 8 Nov 2018 09:20:58 +0100
Subject: [PATCH] semodule-utils: Fix RESOURCE_LEAK coverity scan defects
---
semodule-utils/semodule_package/semodule_package.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/semodule-utils/semodule_package/semodule_package.c b/semodule-utils/semodule_package/semodule_package.c
index 3515234e..7b75b3fd 100644
--- a/semodule-utils/semodule_package/semodule_package.c
+++ b/semodule-utils/semodule_package/semodule_package.c
@@ -74,6 +74,7 @@ static int file_to_data(const char *path, char **data, size_t * len)
}
if (!sb.st_size) {
*len = 0;
+ close(fd);
return 0;
}
--
2.21.0
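Review bot: The empty-file path in file_to_data() now closes fd but still returns success without assigning `*data` in the lines shown; only `*len` is set. If a caller frees or reads the buffer without checking the length first, it would be using whatever the pointer held before the call, so `*data = NULL;` next to `*len = 0;` would make the contract explicit. The function begins and ends outside the hunk, so its other exit paths could not be checked for the same descriptor leak.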


@ -0,0 +1,74 @@
From 89895635ae012d1864a03700054ecc723973b5c0 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Wed, 18 Jul 2018 09:09:35 +0200
Subject: [PATCH] sandbox: Use matchbox-window-manager instead of openbox
---
sandbox/sandbox | 4 ++--
sandbox/sandbox.8 | 2 +-
sandbox/sandboxX.sh | 14 --------------
3 files changed, 3 insertions(+), 17 deletions(-)
diff --git a/sandbox/sandbox b/sandbox/sandbox
index a12403b3..707959a6 100644
--- a/sandbox/sandbox
+++ b/sandbox/sandbox
@@ -268,7 +268,7 @@ class Sandbox:
copyfile(f, "/tmp", self.__tmpdir)
copyfile(f, "/var/tmp", self.__tmpdir)
- def __setup_sandboxrc(self, wm="/usr/bin/openbox"):
+ def __setup_sandboxrc(self, wm="/usr/bin/matchbox-window-manager"):
execfile = self.__homedir + "/.sandboxrc"
fd = open(execfile, "w+")
if self.__options.session:
@@ -362,7 +362,7 @@ sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [-
parser.add_option("-W", "--windowmanager", dest="wm",
type="string",
- default="/usr/bin/openbox",
+ default="/usr/bin/matchbox-window-manager",
help=_("alternate window manager"))
parser.add_option("-l", "--level", dest="level",
diff --git a/sandbox/sandbox.8 b/sandbox/sandbox.8
index d83fee76..90ef4951 100644
--- a/sandbox/sandbox.8
+++ b/sandbox/sandbox.8
@@ -77,7 +77,7 @@ Specifies the windowsize when creating an X based Sandbox. The default windowsiz
\fB\-W\fR \fB\-\-windowmanager\fR
Select alternative window manager to run within
.B sandbox \-X.
-Default to /usr/bin/openbox.
+Default to /usr/bin/matchbox-window-manager.
.TP
\fB\-X\fR
Create an X based Sandbox for gui apps, temporary files for
diff --git a/sandbox/sandboxX.sh b/sandbox/sandboxX.sh
index 47745280..c211ebc1 100644
--- a/sandbox/sandboxX.sh
+++ b/sandbox/sandboxX.sh
@@ -6,20 +6,6 @@ export TITLE="Sandbox $context -- `grep ^#TITLE: ~/.sandboxrc | /usr/bin/cut -b8
[ -z $2 ] && export DPI="96" || export DPI="$2"
trap "exit 0" HUP
-mkdir -p ~/.config/openbox
-cat > ~/.config/openbox/rc.xml << EOF
-<openbox_config xmlns="http://openbox.org/3.4/rc"
- xmlns:xi="http://www.w3.org/2001/XInclude">
-<applications>
- <application class="*">
- <decor>no</decor>
- <desktop>all</desktop>
- <maximized>yes</maximized>
- </application>
-</applications>
-</openbox_config>
-EOF
-
(/usr/bin/Xephyr -resizeable -title "$TITLE" -terminate -reset -screen $SCREENSIZE -dpi $DPI -nolisten tcp -displayfd 5 5>&1 2>/dev/null) | while read D; do
export DISPLAY=:$D
cat > ~/seremote << __EOF
--
2.21.0
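Review bot: The default window manager path is now written out in three places: the `wm=` default of `__setup_sandboxrc`, the `-W` option default, and sandbox.8. A module-level constant beside `SEUNSHARE` and `SANDBOXSH`, for example `DEFAULT_WM = "/usr/bin/matchbox-window-manager"`, used by both Python defaults would stop them drifting apart on the next change. The sandboxX.sh hunk also drops the openbox rc.xml that forced every window maximized and undecorated; nothing in the hunk passes equivalent settings to the new manager, so that behaviour is presumably its default and deserves a comment saying so.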


@ -0,0 +1,45 @@
From b2512e2a92a33360639a3459039cdf2e685655a8 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Mon, 3 Dec 2018 14:40:09 +0100
Subject: [PATCH] python: Use ipaddress instead of IPy
ipaddress module was added in python 3.3 and this allows us to drop python3-IPy
---
python/semanage/seobject.py | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/python/semanage/seobject.py b/python/semanage/seobject.py
index b90b1070..58497e3b 100644
--- a/python/semanage/seobject.py
+++ b/python/semanage/seobject.py
@@ -32,7 +32,7 @@ from semanage import *
PROGNAME = "selinux-python"
import sepolicy
import setools
-from IPy import IP
+import ipaddress
try:
import gettext
@@ -1851,13 +1851,13 @@ class nodeRecords(semanageRecords):
# verify valid comination
if len(mask) == 0 or mask[0] == "/":
- i = IP(addr + mask)
- newaddr = i.strNormal(0)
- newmask = str(i.netmask())
- if newmask == "0.0.0.0" and i.version() == 6:
+ i = ipaddress.ip_network(addr + mask)
+ newaddr = str(i.network_address)
+ newmask = str(i.netmask)
+ if newmask == "0.0.0.0" and i.version == 6:
newmask = "::"
- protocol = "ipv%d" % i.version()
+ protocol = "ipv%d" % i.version
try:
newprotocol = self.protocol.index(protocol)
--
2.21.0
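Review bot: The `if newmask == "0.0.0.0" and i.version == 6:` branch can no longer fire after the switch, because `ipaddress` renders an IPv6 netmask in IPv6 notation (a zero-length prefix already gives `::`), so the condition and the `newmask = "::"` assignment can be dropped. Separately, `ipaddress.ip_network()` is strict by default and raises ValueError when `addr + mask` is malformed or has host bits set. The enclosing method starts and ends outside the hunk, so whether that exception is caught and turned into a semanage error message could not be checked.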


@ -0,0 +1,93 @@
From 5938d18536f4c0a76521d1f0721e981e6570b012 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Thu, 4 Apr 2019 23:02:56 +0200
Subject: [PATCH] python/semanage: Do not traceback when the default policy is
not available
"import seobject" causes "import sepolicy" which crashes when the system policy
is not available. It's better to provide an error message instead.
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
---
python/semanage/semanage | 37 +++++++++++++++++++++----------------
1 file changed, 21 insertions(+), 16 deletions(-)
diff --git a/python/semanage/semanage b/python/semanage/semanage
index 56db3e0d..4c766ae3 100644
--- a/python/semanage/semanage
+++ b/python/semanage/semanage
@@ -25,7 +25,6 @@
import traceback
import argparse
-import seobject
import sys
PROGNAME = "selinux-python"
try:
@@ -129,21 +128,6 @@ class SetImportFile(argparse.Action):
sys.exit(1)
setattr(namespace, self.dest, values)
-# define dictonary for seobject OBEJCTS
-object_dict = {
- 'login': seobject.loginRecords,
- 'user': seobject.seluserRecords,
- 'port': seobject.portRecords,
- 'module': seobject.moduleRecords,
- 'interface': seobject.interfaceRecords,
- 'node': seobject.nodeRecords,
- 'fcontext': seobject.fcontextRecords,
- 'boolean': seobject.booleanRecords,
- 'permissive': seobject.permissiveRecords,
- 'dontaudit': seobject.dontauditClass,
- 'ibpkey': seobject.ibpkeyRecords,
- 'ibendport': seobject.ibendportRecords
-}
def generate_custom_usage(usage_text, usage_dict):
# generate custom usage from given text and dictonary
@@ -608,6 +592,7 @@ def setupInterfaceParser(subparsers):
def handleModule(args):
+ import seobject
OBJECT = seobject.moduleRecords(args)
if args.action_add:
OBJECT.add(args.action_add[0], args.priority)
@@ -846,6 +831,7 @@ def mkargv(line):
def handleImport(args):
+ import seobject
trans = seobject.semanageRecords(args)
trans.start()
@@ -887,6 +873,25 @@ def createCommandParser():
#To add a new subcommand define the parser for it in a function above and call it here.
subparsers = commandParser.add_subparsers(dest='subcommand')
subparsers.required = True
+
+ import seobject
+ # define dictonary for seobject OBEJCTS
+ global object_dict
+ object_dict = {
+ 'login': seobject.loginRecords,
+ 'user': seobject.seluserRecords,
+ 'port': seobject.portRecords,
+ 'module': seobject.moduleRecords,
+ 'interface': seobject.interfaceRecords,
+ 'node': seobject.nodeRecords,
+ 'fcontext': seobject.fcontextRecords,
+ 'boolean': seobject.booleanRecords,
+ 'permissive': seobject.permissiveRecords,
+ 'dontaudit': seobject.dontauditClass,
+ 'ibpkey': seobject.ibpkeyRecords,
+ 'ibendport': seobject.ibendportRecords
+ }
+
setupImportParser(subparsers)
setupExportParser(subparsers)
setupLoginParser(subparsers)
--
2.21.0
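Review bot: `object_dict` becomes a module global that only exists once createCommandParser() has run, and the three function-level `import seobject` statements carry no explanation of why they were moved out of the module header. A comment at the first of them would stop someone hoisting the import back: `# imported lazily: seobject imports sepolicy, which fails when no system policy is installed`. Keeping `object_dict = {}` at module level where the old dictionary stood would also leave the name defined for any code that reads it before the parser is built. The error message promised by the commit description is not in these hunks, so the handling of the failed import presumably sits outside them.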


@ -0,0 +1,108 @@
From 99582e3bf63475b7af5793bb9230e88d847dc7c8 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Tue, 2 Jul 2019 17:11:32 +0200
Subject: [PATCH] policycoreutils/fixfiles: Fix [-B] [-F] onboot
Commit 6e289bb7bf3d ("policycoreutils: fixfiles: remove bad modes of "relabel"
command") added "$RESTORE_MODE" != DEFAULT test when onboot is used. It makes
`fixfiles -B onboot` to show usage instead of updating /.autorelabel
The code is restructured to handle -B for different modes correctly.
Fixes:
# fixfiles -B onboot
Usage: /usr/sbin/fixfiles [-v] [-F] [-f] relabel
...
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
---
policycoreutils/scripts/fixfiles | 29 +++++++++++++++--------------
1 file changed, 15 insertions(+), 14 deletions(-)
diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles
index 53d28c7b..9dd44213 100755
--- a/policycoreutils/scripts/fixfiles
+++ b/policycoreutils/scripts/fixfiles
@@ -112,7 +112,7 @@ VERBOSE="-p"
FORCEFLAG=""
RPMFILES=""
PREFC=""
-RESTORE_MODE="DEFAULT"
+RESTORE_MODE=""
SETFILES=/sbin/setfiles
RESTORECON=/sbin/restorecon
FILESYSTEMSRW=`get_rw_labeled_mounts`
@@ -214,16 +214,17 @@ restore () {
OPTION=$1
shift
-case "$RESTORE_MODE" in
- PREFC)
- diff_filecontext $*
- return
- ;;
- BOOTTIME)
+# [-B | -N time ]
+if [ -z "$BOOTTIME" ]; then
newer $BOOTTIME $*
return
- ;;
-esac
+fi
+
+# -C PREVIOUS_FILECONTEXT
+if [ "$RESTORE_MODE" == PREFC ]; then
+ diff_filecontext $*
+ return
+fi
[ -x /usr/sbin/genhomedircon ] && /usr/sbin/genhomedircon
@@ -239,7 +240,7 @@ case "$RESTORE_MODE" in
FILEPATH)
${RESTORECON} ${VERBOSE} ${EXCLUDEDIRS} ${FORCEFLAG} $* -R -- "$FILEPATH"
;;
- DEFAULT)
+ *)
if [ -n "${FILESYSTEMSRW}" ]; then
LogReadOnly
echo "${OPTION}ing `echo ${FILESYSTEMSRW}`"
@@ -272,7 +273,7 @@ fullrelabel() {
relabel() {
- if [ "$RESTORE_MODE" != DEFAULT ]; then
+ if [ -n "$RESTORE_MODE" -a "$RESTORE_MODE" != DEFAULT ]; then
usage
exit 1
fi
@@ -306,7 +307,7 @@ case "$1" in
verify) restore Verify -n;;
relabel) relabel;;
onboot)
- if [ "$RESTORE_MODE" != DEFAULT ]; then
+ if [ -n "$RESTORE_MODE" -a "$RESTORE_MODE" != DEFAULT ]; then
usage
exit 1
fi
@@ -344,7 +345,7 @@ if [ $# -eq 0 ]; then
fi
set_restore_mode() {
- if [ "$RESTORE_MODE" != DEFAULT ]; then
+ if [ -n "$RESTORE_MODE" ]; then
# can't specify two different modes
usage
exit 1
@@ -357,7 +358,7 @@ while getopts "N:BC:FfR:l:v" i; do
case "$i" in
B)
BOOTTIME=`/bin/who -b | awk '{print $3}'`
- set_restore_mode BOOTTIME
+ set_restore_mode DEFAULT
;;
N)
BOOTTIME=$OPTARG
--
2.21.0
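Review bot: `newer $BOOTTIME $*` in restore() expands BOOTTIME unquoted, and that value can come straight from the command line (`BOOTTIME=$OPTARG` under `N)` in the last hunk), so a value containing whitespace or glob characters is split or expanded before `newer` receives it; `newer "$BOOTTIME" $*` passes it as one argument. The new tests `[ -n "$RESTORE_MODE" -a "$RESTORE_MODE" != DEFAULT ]` in relabel() and the onboot arm rely on `-a`, which is obsolescent and parses ambiguously inside `[`; `[ -n "$RESTORE_MODE" ] && [ "$RESTORE_MODE" != DEFAULT ]` is the safer form. `[ "$RESTORE_MODE" == PREFC ]` uses `==`, which is a bashism inside `[`, so `=` is preferable unless the script is bash-only (the shebang is outside the hunks).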


@ -0,0 +1,33 @@
From 9bcf8ad7b9b6d8d761f7d097196b2b9bc114fa0a Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Tue, 2 Jul 2019 17:12:07 +0200
Subject: [PATCH] policycoreutils/fixfiles: Force full relabel when SELinux is
disabled
The previous check used getfilecon to check whether / slash contains a label,
but getfilecon fails only when SELinux is disabled. Therefore it's better to
check this using selinuxenabled.
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
---
policycoreutils/scripts/fixfiles | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles
index 9dd44213..a9d27d13 100755
--- a/policycoreutils/scripts/fixfiles
+++ b/policycoreutils/scripts/fixfiles
@@ -314,8 +314,8 @@ case "$1" in
> /.autorelabel || exit $?
[ -z "$FORCEFLAG" ] || echo -n "$FORCEFLAG " >> /.autorelabel
[ -z "$BOOTTIME" ] || echo -N $BOOTTIME >> /.autorelabel
- # Force full relabel if / does not have a label on it
- getfilecon / > /dev/null 2>&1 || echo -F >/.autorelabel
+ # Force full relabel if SELinux is not enabled
+ selinuxenabled || echo -F > /.autorelabel
echo "System will relabel on next boot"
;;
*)
--
2.21.0
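Review bot: `selinuxenabled || echo -F > /.autorelabel` truncates the file, so the `$FORCEFLAG` and `-N $BOOTTIME` entries appended by the two lines above it are discarded whenever SELinux is disabled. That looks deliberate, since a full relabel should not be narrowed by `-N`, but a `>` directly after two `>>` lines is easy to read as a typo. A comment such as `# '>' on purpose: drop any -N written above so the whole filesystem is relabelled` would record the intent. The onboot arm starts above the hunk.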


@ -0,0 +1,32 @@
From 7383f8fbab82826de21d3013a43680867642e49e Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com>
Date: Wed, 21 Aug 2019 17:43:25 +0200
Subject: [PATCH] policycoreutils/fixfiles: Fix unbound variable problem
Fix a typo introduced in commit d3f8b2c3cd909 ("policycoreutils/fixfiles: Fix
[-B] [-F] onboot"), which broke "fixfiles relabel":
#fixfiles relabel
/sbin/fixfiles: line 151: $1: unbound variable
Resolves: rhbz#1743213
---
policycoreutils/scripts/fixfiles | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles
index a9d27d13..df0042aa 100755
--- a/policycoreutils/scripts/fixfiles
+++ b/policycoreutils/scripts/fixfiles
@@ -215,7 +215,7 @@ OPTION=$1
shift
# [-B | -N time ]
-if [ -z "$BOOTTIME" ]; then
+if [ -n "$BOOTTIME" ]; then
newer $BOOTTIME $*
return
fi
--
2.21.0


@ -0,0 +1,38 @@
From f6c67c02f25d3a8971dcc5667121236fab85dd65 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Thu, 29 Aug 2019 08:58:20 +0200
Subject: [PATCH] gui: Fix remove module in system-config-selinux
When a user tried to remove a policy module with priority other than 400 via
GUI, it failed with a message:
libsemanage.semanage_direct_remove_key: Unable to remove module somemodule at priority 400. (No such file or directory).
This is fixed by calling "semodule -x PRIORITY -r NAME" instead of
"semodule -r NAME".
From Jono Hein <fredwacko40@hotmail.com>
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
---
gui/modulesPage.py | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/gui/modulesPage.py b/gui/modulesPage.py
index 26ac5404..35a0129b 100644
--- a/gui/modulesPage.py
+++ b/gui/modulesPage.py
@@ -125,9 +125,10 @@ class modulesPage(semanagePage):
def delete(self):
store, iter = self.view.get_selection().get_selected()
module = store.get_value(iter, 0)
+ priority = store.get_value(iter, 1)
try:
self.wait()
- status, output = getstatusoutput("semodule -r %s" % module)
+ status, output = getstatusoutput("semodule -X %s -r %s" % (priority, module))
self.ready()
if status != 0:
self.error(output)
--
2.21.0
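Review bot: The new call in delete() still builds a shell command by string interpolation, `"semodule -X %s -r %s" % (priority, module)`, and hands it to getstatusoutput(), which runs it through a shell; both values are read from the tree-view store, and a tool that removes policy modules presumably runs with administrative rights. Passing an argument list avoids any shell interpretation of the values: `proc = subprocess.run(["semodule", "-X", str(priority), "-r", module], stdout=subprocess.PIPE, stderr=subprocess.STDOUT, universal_newlines=True)` followed by `status, output = proc.returncode, proc.stdout`. If getstatusoutput() has to stay, wrapping both values in `shlex.quote()` gives the same protection. The imports are outside the hunk, so which modules are already in scope could not be checked.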


@ -0,0 +1,30 @@
From c2e942fc452bff06cc5ed9017afe169c6941f4e4 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Tue, 3 Sep 2019 15:17:27 +0200
Subject: [PATCH] python/semanage: Do not use default s0 range in "semanage
login -a"
Using the "s0" default means that new login mappings are always added with "s0"
range instead of the range of SELinux user.
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
---
python/semanage/semanage | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/python/semanage/semanage b/python/semanage/semanage
index 4c766ae3..fa78afce 100644
--- a/python/semanage/semanage
+++ b/python/semanage/semanage
@@ -221,7 +221,7 @@ def parser_add_level(parser, name):
def parser_add_range(parser, name):
- parser.add_argument('-r', '--range', default="s0",
+ parser.add_argument('-r', '--range', default='',
help=_('''
MLS/MCS Security Range (MLS/MCS Systems only)
SELinux Range for SELinux login mapping
--
2.21.0


@ -0,0 +1,33 @@
From 4733a594c5df14f64293d19f16498e68dc5e3a98 Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com>
Date: Tue, 24 Sep 2019 08:41:30 +0200
Subject: [PATCH] policycoreutils/fixfiles: Fix "verify" option
"restorecon -n" (used in the "restore" function) has to be used with
"-v" to display the files whose labels would be changed.
Fixes:
Fixfiles verify does not report misslabelled files unless "-v" option is
used.
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
---
policycoreutils/scripts/fixfiles | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles
index df0042aa..be19e56c 100755
--- a/policycoreutils/scripts/fixfiles
+++ b/policycoreutils/scripts/fixfiles
@@ -304,7 +304,7 @@ process() {
case "$1" in
restore) restore Relabel;;
check) VERBOSE="-v"; restore Check -n;;
- verify) restore Verify -n;;
+ verify) VERBOSE="-v"; restore Verify -n;;
relabel) relabel;;
onboot)
if [ -n "$RESTORE_MODE" -a "$RESTORE_MODE" != DEFAULT ]; then
--
2.21.0


@ -0,0 +1,102 @@
From 0803fcb2c014b2cedf8f4d92b80fc382916477ee Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com>
Date: Fri, 27 Sep 2019 16:13:47 +0200
Subject: [PATCH] python/semanage: Improve handling of "permissive" statements
- Add "customized" method to permissiveRecords which is than used for
"semanage permissive --extract" and "semanage export"
- Enable "semanage permissive --deleteall" (already implemented)
- Add "permissive" to the list of modules exported using
"semanage export"
- Update "semanage permissive" man page
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
---
python/semanage/semanage | 11 ++++++++---
python/semanage/semanage-permissive.8 | 8 +++++++-
python/semanage/seobject.py | 3 +++
3 files changed, 18 insertions(+), 4 deletions(-)
diff --git a/python/semanage/semanage b/python/semanage/semanage
index fa78afce..b2bd9df9 100644
--- a/python/semanage/semanage
+++ b/python/semanage/semanage
@@ -722,6 +722,11 @@ def handlePermissive(args):
if args.action == "list":
OBJECT.list(args.noheading)
+ elif args.action == "deleteall":
+ OBJECT.deleteall()
+ elif args.action == "extract":
+ for i in OBJECT.customized():
+ print("permissive %s" % str(i))
elif args.type is not None:
if args.action == "add":
OBJECT.add(args.type)
@@ -737,9 +742,9 @@ def setupPermissiveParser(subparsers):
pgroup = permissiveParser.add_mutually_exclusive_group(required=True)
parser_add_add(pgroup, "permissive")
parser_add_delete(pgroup, "permissive")
+ parser_add_deleteall(pgroup, "permissive")
+ parser_add_extract(pgroup, "permissive")
parser_add_list(pgroup, "permissive")
- #TODO: probably should be also added => need to implement own option handling
- #parser_add_deleteall(pgroup)
parser_add_noheading(permissiveParser, "permissive")
parser_add_noreload(permissiveParser, "permissive")
@@ -763,7 +768,7 @@ def setupDontauditParser(subparsers):
def handleExport(args):
- manageditems = ["boolean", "login", "interface", "user", "port", "node", "fcontext", "module", "ibendport", "ibpkey"]
+ manageditems = ["boolean", "login", "interface", "user", "port", "node", "fcontext", "module", "ibendport", "ibpkey", "permissive"]
for i in manageditems:
print("%s -D" % i)
for i in manageditems:
diff --git a/python/semanage/semanage-permissive.8 b/python/semanage/semanage-permissive.8
index 1999a451..5c3364fa 100644
--- a/python/semanage/semanage-permissive.8
+++ b/python/semanage/semanage-permissive.8
@@ -2,7 +2,7 @@
.SH "NAME"
.B semanage\-permissive \- SELinux Policy Management permissive mapping tool
.SH "SYNOPSIS"
-.B semanage permissive [\-h] (\-a | \-d | \-l) [\-n] [\-N] [\-S STORE] [type]
+.B semanage permissive [\-h] [\-n] [\-N] [\-S STORE] (\-\-add TYPE | \-\-delete TYPE | \-\-deleteall | \-\-extract | \-\-list)
.SH "DESCRIPTION"
semanage is used to configure certain elements of SELinux policy without requiring modification to or recompilation from policy sources. semanage permissive adds or removes a SELinux Policy permissive module.
@@ -18,9 +18,15 @@ Add a record of the specified object type
.I \-d, \-\-delete
Delete a record of the specified object type
.TP
+.I \-D, \-\-deleteall
+Remove all local customizations of permissive domains
+.TP
.I \-l, \-\-list
List records of the specified object type
.TP
+.I \-E, \-\-extract
+Extract customizable commands, for use within a transaction
+.TP
.I \-n, \-\-noheading
Do not print heading when listing the specified object type
.TP
diff --git a/python/semanage/seobject.py b/python/semanage/seobject.py
index 58497e3b..3959abc8 100644
--- a/python/semanage/seobject.py
+++ b/python/semanage/seobject.py
@@ -478,6 +478,9 @@ class permissiveRecords(semanageRecords):
l.append(name.split("permissive_")[1])
return l
+ def customized(self):
+ return ["-a %s" % x for x in sorted(self.get_all())]
+
def list(self, heading=1, locallist=0):
all = [y["name"] for y in [x for x in sepolicy.info(sepolicy.TYPE) if x["permissive"]]]
if len(all) == 0:
--
2.21.0
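Review bot: `permissiveRecords.customized()` has no docstring, and with "permissive" added to `manageditems` its output now feeds `semanage export` as well as `--extract`. A docstring such as `"""Return "-a TYPE" for every permissive domain, sorted by type name, for export/extract."""` would document the format the callers depend on. The man page could also state that an exported transaction now contains `permissive -D`, so importing it on another system removes that system's local permissive customizations before the exported ones are applied, which matters because a permissive domain is not enforced.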


@ -0,0 +1,41 @@
From 7cc31c4799dd94ed516a39d853744bd1ffb6dc69 Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com>
Date: Mon, 30 Sep 2019 09:49:04 +0200
Subject: [PATCH] python/semanage: fix moduleRecords.customized()
Return value of "customized" has to be iterable.
Fixes:
"semanage export" with no modules in the system (eg. monolithic policy)
crashes:
Traceback (most recent call last):
File "/usr/sbin/semanage", line 970, in <module>
do_parser()
File "/usr/sbin/semanage", line 949, in do_parser
args.func(args)
File "/usr/sbin/semanage", line 771, in handleExport
for c in OBJECT.customized():
TypeError: 'NoneType' object is not iterable
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
---
python/semanage/seobject.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/python/semanage/seobject.py b/python/semanage/seobject.py
index 3959abc8..16edacaa 100644
--- a/python/semanage/seobject.py
+++ b/python/semanage/seobject.py
@@ -380,7 +380,7 @@ class moduleRecords(semanageRecords):
def customized(self):
all = self.get_all()
if len(all) == 0:
- return
+ return []
return ["-d %s" % x[0] for x in [t for t in all if t[1] == 0]]
def list(self, heading=1, locallist=0):
--
2.21.0
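Review bot: With `return []` in place, the `if len(all) == 0:` guard in `moduleRecords.customized()` is redundant, because the list comprehension on the following line already yields an empty list when `get_all()` returns nothing. The method could be reduced to `return ["-d %s" % x[0] for x in self.get_all() if x[1] == 0]`, which also stops shadowing the builtin `all`. The rest of the class lies outside the hunk, so whether other `customized()` implementations still use a bare `return` cannot be checked from here.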


@ -0,0 +1,45 @@
From 7cbfcec89a6972f9c700687ed3cef25ff0846461 Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com>
Date: Tue, 8 Oct 2019 14:22:13 +0200
Subject: [PATCH] python/semanage: Add support for DCCP and SCTP protocols
Fixes:
# semanage port -a -p sctp -t port_t 1234
ValueError: Protocol udp or tcp is required
# semanage port -d -p sctp -t port_t 1234
ValueError: Protocol udp or tcp is required
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
---
python/semanage/seobject.py | 14 ++++++++------
1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/python/semanage/seobject.py b/python/semanage/seobject.py
index 16edacaa..70ebfd08 100644
--- a/python/semanage/seobject.py
+++ b/python/semanage/seobject.py
@@ -1058,13 +1058,15 @@ class portRecords(semanageRecords):
pass
def __genkey(self, port, proto):
- if proto == "tcp":
- proto_d = SEMANAGE_PROTO_TCP
+ protocols = {"tcp": SEMANAGE_PROTO_TCP,
+ "udp": SEMANAGE_PROTO_UDP,
+ "sctp": SEMANAGE_PROTO_SCTP,
+ "dccp": SEMANAGE_PROTO_DCCP}
+
+ if proto in protocols.keys():
+ proto_d = protocols[proto]
else:
- if proto == "udp":
- proto_d = SEMANAGE_PROTO_UDP
- else:
- raise ValueError(_("Protocol udp or tcp is required"))
+ raise ValueError(_("Protocol has to be one of udp, tcp, dccp or sctp"))
if port == "":
raise ValueError(_("Port is required"))
--
2.21.0
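Review bot: The test `if proto in protocols.keys():` followed by `protocols[proto]` in `__genkey` looks the key up twice and builds a key view for nothing; `if proto in protocols:` is the idiomatic form. The `protocols` dict is also rebuilt on every call and could be a class-level constant, so that any other protocol validation in `portRecords` shares one table. `__genkey` continues outside the hunk, and whether other code paths still accept only tcp and udp is not visible here; that should be confirmed so the new error message stays accurate.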


@ -0,0 +1,40 @@
From 6e5ccf2dd3329b400b70b7806b9c6128c5c50995 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Fri, 15 Nov 2019 09:15:49 +0100
Subject: [PATCH] dbus: Fix FileNotFoundError in org.selinux.relabel_on_boot
When org.selinux.relabel_on_boot(0) was called twice, it failed with
FileNotFoundError.
Fixes:
$ dbus-send --system --print-reply --dest=org.selinux /org/selinux/object org.selinux.relabel_on_boot int64:1
method return sender=:1.53 -> dest=:1.54 reply_serial=2
$ dbus-send --system --print-reply --dest=org.selinux /org/selinux/object org.selinux.relabel_on_boot int64:0
method return sender=:1.53 -> dest=:1.55 reply_serial=2
$ dbus-send --system --print-reply --dest=org.selinux /org/selinux/object org.selinux.relabel_on_boot int64:0
Error org.freedesktop.DBus.Python.FileNotFoundError: FileNotFoundError: [Errno 2] No such file or directory: '/.autorelabel'
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
---
dbus/selinux_server.py | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/dbus/selinux_server.py b/dbus/selinux_server.py
index b9debc071485..be4f4557a9fa 100644
--- a/dbus/selinux_server.py
+++ b/dbus/selinux_server.py
@@ -85,7 +85,10 @@ class selinux_server(slip.dbus.service.Object):
fd = open("/.autorelabel", "w")
fd.close()
else:
- os.unlink("/.autorelabel")
+ try:
+ os.unlink("/.autorelabel")
+ except FileNotFoundError:
+ pass
def write_selinux_config(self, enforcing=None, policy=None):
path = selinux.selinux_path() + "config"
--
2.23.0


@ -0,0 +1,200 @@
From 76371721bafed56efcb7a83b3fa3285383ede5b7 Mon Sep 17 00:00:00 2001
From: Baichuan Kong <kongbaichuan@huawei.com>
Date: Thu, 14 Nov 2019 10:48:07 +0800
Subject: [PATCH] restorecond: Fix redundant console log output error
When starting restorecond without any option the following redundant
console log is outputed:
/dev/log 100.0%
/var/volatile/run/syslogd.pid 100.0%
...
This is caused by two global variables of same name r_opts. When
executes r_opts = opts in restore_init(), it originally intends
to assign the address of struct r_opts in "restorecond.c" to the
pointer *r_opts in "restore.c".
However, the address is assigned to the struct r_opts and covers
the value of low eight bytes in it. That causes unexpected value
of member varibale 'nochange' and 'verbose' in struct r_opts, thus
affects value of 'restorecon_flags' and executes unexpected operations
when restorecon the files such as the redundant console log output or
file label nochange.
Cause restorecond/restore.c is copied from policycoreutils/setfiles,
which share the same pattern. It also has potential risk to generate
same problems, So fix it in case.
Signed-off-by: Baichuan Kong <kongbaichuan@huawei.com>
(cherry-picked from SElinuxProject
commit ad2208ec220f55877a4d31084be2b4d6413ee082)
Resolves: rhbz#1626468
---
policycoreutils/setfiles/restore.c | 42 ++++++++++++++----------------
restorecond/restore.c | 40 +++++++++++++---------------
2 files changed, 37 insertions(+), 45 deletions(-)
diff --git a/policycoreutils/setfiles/restore.c b/policycoreutils/setfiles/restore.c
index 9dea5656..d3335d1a 100644
--- a/policycoreutils/setfiles/restore.c
+++ b/policycoreutils/setfiles/restore.c
@@ -17,40 +17,37 @@
char **exclude_list;
int exclude_count;
-struct restore_opts *r_opts;
-
void restore_init(struct restore_opts *opts)
{
int rc;
- r_opts = opts;
struct selinux_opt selinux_opts[] = {
- { SELABEL_OPT_VALIDATE, r_opts->selabel_opt_validate },
- { SELABEL_OPT_PATH, r_opts->selabel_opt_path },
- { SELABEL_OPT_DIGEST, r_opts->selabel_opt_digest }
+ { SELABEL_OPT_VALIDATE, opts->selabel_opt_validate },
+ { SELABEL_OPT_PATH, opts->selabel_opt_path },
+ { SELABEL_OPT_DIGEST, opts->selabel_opt_digest }
};
- r_opts->hnd = selabel_open(SELABEL_CTX_FILE, selinux_opts, 3);
- if (!r_opts->hnd) {
- perror(r_opts->selabel_opt_path);
+ opts->hnd = selabel_open(SELABEL_CTX_FILE, selinux_opts, 3);
+ if (!opts->hnd) {
+ perror(opts->selabel_opt_path);
exit(1);
}
- r_opts->restorecon_flags = 0;
- r_opts->restorecon_flags = r_opts->nochange | r_opts->verbose |
- r_opts->progress | r_opts->set_specctx |
- r_opts->add_assoc | r_opts->ignore_digest |
- r_opts->recurse | r_opts->userealpath |
- r_opts->xdev | r_opts->abort_on_error |
- r_opts->syslog_changes | r_opts->log_matches |
- r_opts->ignore_noent | r_opts->ignore_mounts |
- r_opts->mass_relabel;
+ opts->restorecon_flags = 0;
+ opts->restorecon_flags = opts->nochange | opts->verbose |
+ opts->progress | opts->set_specctx |
+ opts->add_assoc | opts->ignore_digest |
+ opts->recurse | opts->userealpath |
+ opts->xdev | opts->abort_on_error |
+ opts->syslog_changes | opts->log_matches |
+ opts->ignore_noent | opts->ignore_mounts |
+ opts->mass_relabel;
/* Use setfiles, restorecon and restorecond own handles */
- selinux_restorecon_set_sehandle(r_opts->hnd);
+ selinux_restorecon_set_sehandle(opts->hnd);
- if (r_opts->rootpath) {
- rc = selinux_restorecon_set_alt_rootpath(r_opts->rootpath);
+ if (opts->rootpath) {
+ rc = selinux_restorecon_set_alt_rootpath(opts->rootpath);
if (rc) {
fprintf(stderr,
"selinux_restorecon_set_alt_rootpath error: %s.\n",
@@ -81,7 +78,6 @@ int process_glob(char *name, struct restore_opts *opts)
size_t i = 0;
int len, rc, errors;
- r_opts = opts;
memset(&globbuf, 0, sizeof(globbuf));
errors = glob(name, GLOB_TILDE | GLOB_PERIOD |
@@ -96,7 +92,7 @@ int process_glob(char *name, struct restore_opts *opts)
if (len > 0 && strcmp(&globbuf.gl_pathv[i][len], "/..") == 0)
continue;
rc = selinux_restorecon(globbuf.gl_pathv[i],
- r_opts->restorecon_flags);
+ opts->restorecon_flags);
if (rc < 0)
errors = rc;
}
diff --git a/restorecond/restore.c b/restorecond/restore.c
index f6e30001..b93b5fdb 100644
--- a/restorecond/restore.c
+++ b/restorecond/restore.c
@@ -12,39 +12,36 @@
char **exclude_list;
int exclude_count;
-struct restore_opts *r_opts;
-
void restore_init(struct restore_opts *opts)
{
int rc;
- r_opts = opts;
struct selinux_opt selinux_opts[] = {
- { SELABEL_OPT_VALIDATE, r_opts->selabel_opt_validate },
- { SELABEL_OPT_PATH, r_opts->selabel_opt_path },
- { SELABEL_OPT_DIGEST, r_opts->selabel_opt_digest }
+ { SELABEL_OPT_VALIDATE, opts->selabel_opt_validate },
+ { SELABEL_OPT_PATH, opts->selabel_opt_path },
+ { SELABEL_OPT_DIGEST, opts->selabel_opt_digest }
};
- r_opts->hnd = selabel_open(SELABEL_CTX_FILE, selinux_opts, 3);
- if (!r_opts->hnd) {
- perror(r_opts->selabel_opt_path);
+ opts->hnd = selabel_open(SELABEL_CTX_FILE, selinux_opts, 3);
+ if (!opts->hnd) {
+ perror(opts->selabel_opt_path);
exit(1);
}
- r_opts->restorecon_flags = 0;
- r_opts->restorecon_flags = r_opts->nochange | r_opts->verbose |
- r_opts->progress | r_opts->set_specctx |
- r_opts->add_assoc | r_opts->ignore_digest |
- r_opts->recurse | r_opts->userealpath |
- r_opts->xdev | r_opts->abort_on_error |
- r_opts->syslog_changes | r_opts->log_matches |
- r_opts->ignore_noent | r_opts->ignore_mounts;
+ opts->restorecon_flags = 0;
+ opts->restorecon_flags = opts->nochange | opts->verbose |
+ opts->progress | opts->set_specctx |
+ opts->add_assoc | opts->ignore_digest |
+ opts->recurse | opts->userealpath |
+ opts->xdev | opts->abort_on_error |
+ opts->syslog_changes | opts->log_matches |
+ opts->ignore_noent | opts->ignore_mounts;
/* Use setfiles, restorecon and restorecond own handles */
- selinux_restorecon_set_sehandle(r_opts->hnd);
+ selinux_restorecon_set_sehandle(opts->hnd);
- if (r_opts->rootpath) {
- rc = selinux_restorecon_set_alt_rootpath(r_opts->rootpath);
+ if (opts->rootpath) {
+ rc = selinux_restorecon_set_alt_rootpath(opts->rootpath);
if (rc) {
fprintf(stderr,
"selinux_restorecon_set_alt_rootpath error: %s.\n",
@@ -75,7 +72,6 @@ int process_glob(char *name, struct restore_opts *opts)
size_t i = 0;
int len, rc, errors;
- r_opts = opts;
memset(&globbuf, 0, sizeof(globbuf));
errors = glob(name, GLOB_TILDE | GLOB_PERIOD |
@@ -90,7 +86,7 @@ int process_glob(char *name, struct restore_opts *opts)
if (len > 0 && strcmp(&globbuf.gl_pathv[i][len], "/..") == 0)
continue;
rc = selinux_restorecon(globbuf.gl_pathv[i],
- r_opts->restorecon_flags);
+ opts->restorecon_flags);
if (rc < 0)
errors = rc;
}
--
2.21.0
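Review bot: The line `opts->restorecon_flags = 0;` in `restore_init()` is a dead store in both `policycoreutils/setfiles/restore.c` and `restorecond/restore.c`, because the very next statement overwrites the field with the OR of the option members; it can be dropped. The bug being fixed silently changed `nochange` and `verbose`, and so could leave files without their intended label. A short comment above the flag assembly would help keep the two copies from regressing, for example `/* opts belongs to the caller; keep no file-scope alias of it (rhbz#1626468) */`. Both `restore_init()` and `process_glob()` continue outside the hunks shown.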


@ -0,0 +1,55 @@
From 0bed778c53a4f93b1b092b3db33e8c36aabfa39d Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com>
Date: Tue, 5 Jan 2021 17:00:21 +0100
Subject: [PATCH] python/semanage: empty stdout before exiting on
BrokenPipeError
Empty stdout buffer before exiting when BrokenPipeError is
encountered. Otherwise python will flush the bufer during exit, which
may trigger the exception again.
https://docs.python.org/3/library/signal.html#note-on-sigpipe
Fixes:
#semanage fcontext -l | egrep -q -e '^/home'
BrokenPipeError: [Errno 32] Broken pipe
Exception ignored in: <_io.TextIOWrapper name='<stdout>' mode='w' encoding='UTF-8'>
BrokenPipeError: [Errno 32] Broken pipe
Note that the error above only appears occasionally (usually only the
first line is printed).
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Acked-by: Nicolas Iooss <nicolas.iooss@m4x.org>
---
python/semanage/semanage | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/python/semanage/semanage b/python/semanage/semanage
index b2bd9df9..1abe3536 100644
--- a/python/semanage/semanage
+++ b/python/semanage/semanage
@@ -26,6 +26,7 @@
import traceback
import argparse
import sys
+import os
PROGNAME = "selinux-python"
try:
import gettext
@@ -953,6 +954,13 @@ def do_parser():
args = commandParser.parse_args(make_args(sys.argv))
args.func(args)
sys.exit(0)
+ except BrokenPipeError as e:
+ sys.stderr.write("%s: %s\n" % (e.__class__.__name__, str(e)))
+ # Python flushes standard streams on exit; redirect remaining output
+ # to devnull to avoid another BrokenPipeError at shutdown
+ devnull = os.open(os.devnull, os.O_WRONLY)
+ os.dup2(devnull, sys.stdout.fileno())
+ sys.exit(1)
except IOError as e:
sys.stderr.write("%s: %s\n" % (e.__class__.__name__, str(e)))
sys.exit(1)
--
2.29.2
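Review bot: The new `except BrokenPipeError` branch in `do_parser()` exits with status 1 and writes a message to stderr whenever the reader closes the pipe early, and that behaviour is not documented at the handler. A pipeline such as the `semanage fcontext -l | egrep -q` case from the commit message, when run under `set -o pipefail`, therefore reports failure even though the match succeeded, which can make a compliance or hardening check misreport. I would extend the comment with `# NOTE: exit status is 1 when the consumer closes the pipe early; callers using pipefail must allow for that`. The descriptor returned by `os.open(os.devnull, os.O_WRONLY)` is never closed, which is harmless just before `sys.exit(1)` but could be noted. `sys.stdout.fileno()` can itself raise if stdout has been replaced by an object without a file descriptor.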


@ -0,0 +1,41 @@
From 4b0e627d42f9a8e09dcd064a6ae897f4c2e9cf6c Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com>
Date: Wed, 6 Jan 2021 10:00:07 +0100
Subject: [PATCH] python/semanage: Sort imports in alphabetical order
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
---
python/semanage/semanage | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/python/semanage/semanage b/python/semanage/semanage
index 1abe3536..781e8645 100644
--- a/python/semanage/semanage
+++ b/python/semanage/semanage
@@ -23,10 +23,12 @@
#
#
-import traceback
import argparse
-import sys
import os
+import re
+import sys
+import traceback
+
PROGNAME = "selinux-python"
try:
import gettext
@@ -786,8 +788,6 @@ def setupExportParser(subparsers):
exportParser.add_argument('-f', '--output_file', dest='output_file', action=SetExportFile, help=_('Output file'))
exportParser.set_defaults(func=handleExport)
-import re
-
def mkargv(line):
dquote = "\""
--
2.29.2

73
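--- a/SOURCES/selinux-autorelabel
+++ b/SOURCES/selinux-autorelabel
@@ -0,0 +1,73 @@
+#!/bin/bash
+#
+# Do automatic relabelling
+#
+# . /etc/init.d/functions
+# If the user has this (or similar) UEFI boot order:
+#
+# Windows | grub | Linux
+#
+# And decides to boot into grub/Linux, then the reboot at the end of autorelabel
+# would cause the system to boot into Windows again, if the autorelabel was run.
+#
+# This function restores the UEFI boot order, so the user will boot into the
+# previously set (and expected) partition.
+efi_set_boot_next() {
+# NOTE: The [ -x /usr/sbin/efibootmgr ] test is not sufficent -- it could
+# succeed even on system which is not EFI-enabled...
+if ! efibootmgr > /dev/null 2>&1; then
+return
+fi
+# NOTE: It it possible that some other services might be setting the
+# 'BootNext' item for any reasons, and we shouldn't override it if so.
+if ! efibootmgr | grep --quiet -e 'BootNext'; then
+CURRENT_BOOT="$(efibootmgr | grep -e 'BootCurrent' | sed -re 's/(^.+:[[:space:]]*)([[:xdigit:]]+)/\2/')"
+efibootmgr -n "${CURRENT_BOOT}" > /dev/null 2>&1
+fi
+}
+relabel_selinux() {
+# if /sbin/init is not labeled correctly this process is running in the
+# wrong context, so a reboot will be required after relabel
+AUTORELABEL=
+. /etc/selinux/config
+echo "0" > /sys/fs/selinux/enforce
+[ -x /bin/plymouth ] && plymouth --quit
+if [ "$AUTORELABEL" = "0" ]; then
+echo
+echo $"*** Warning -- SELinux ${SELINUXTYPE} policy relabel is required. "
+echo $"*** /etc/selinux/config indicates you want to manually fix labeling"
+echo $"*** problems. Dropping you to a shell; the system will reboot"
+echo $"*** when you leave the shell."
+sulogin
+else
+echo
+echo $"*** Warning -- SELinux ${SELINUXTYPE} policy relabel is required."
+echo $"*** Relabeling could take a very long time, depending on file"
+echo $"*** system size and speed of hard drives."
+FORCE=`cat /.autorelabel`
+[ -x "/usr/sbin/quotaoff" ] && /usr/sbin/quotaoff -aug
+/sbin/fixfiles $FORCE restore
+fi
+rm -f /.autorelabel
+/usr/lib/dracut/dracut-initramfs-restore
+efi_set_boot_next
+if [ -x /usr/bin/grub2-editenv ]; then
+grub2-editenv - incr boot_indeterminate >/dev/null 2>&1
+fi
+sync
+systemctl --force reboot
+}
+# Check to see if a full relabel is needed
+if [ "$READONLY" != "yes" ]; then
+restorecon $(awk '!/^#/ && $4 !~ /noauto/ && $2 ~ /^\// { print $2 }' /etc/fstab) >/dev/null 2>&1
+relabel_selinux
+fi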
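Review bot: In `relabel_selinux`, the line `/sbin/fixfiles $FORCE restore` expands the raw contents of `/.autorelabel` unquoted, so whatever that file holds is word-split and glob-expanded into the arguments of a root command that runs while enforcement is switched off. Reading the options into an array keeps the intended splitting without pathname expansion: `read -r -a FORCE < /.autorelabel` followed by `/sbin/fixfiles "${FORCE[@]}" restore`. The exit status of `fixfiles` is also ignored, so `rm -f /.autorelabel` and the reboot proceed even when relabelling failed and the system comes back up enforcing with incomplete labels. At minimum the failure should be logged, with the flag file kept, before rebooting. The same unquoted pattern appears in `restorecon $(awk ...)` at the bottom of the script, where mount points from `/etc/fstab` are split on whitespace.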


@ -0,0 +1,29 @@
#!/bin/sh
# This systemd.generator(7) detects if SELinux is running and if the
# user requested an autorelabel, and if so sets the default target to
# selinux-autorelabel.target, which will cause the filesystem to be
# relabelled and then the system will reboot again and boot into the
# real default target.
PATH=/usr/sbin:$PATH
unitdir=/usr/lib/systemd/system
# If invoked with no arguments (for testing) write to /tmp.
earlydir="/tmp"
if [ -n "$2" ]; then
earlydir="$2"
fi
set_target ()
{
ln -sf "$unitdir/selinux-autorelabel.target" "$earlydir/default.target"
}
if selinuxenabled; then
if test -f /.autorelabel; then
set_target
elif grep -sqE "\bautorelabel\b" /proc/cmdline; then
set_target
fi
fi
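Review bot: The testing fallback `earlydir="/tmp"` makes `set_target` run `ln -sf` against the fixed name `/tmp/default.target` in a world-writable directory whenever the generator is started without arguments. An entry already present at that path can then change where the link ends up. systemd always passes the generator directories, so the fallback can be dropped in favour of failing fast, for example `earlydir="${2:?usage: $0 normal-dir early-dir late-dir}"`. A manual test can pass a directory created with `mktemp -d`. Using `ln -sfn` in `set_target` would additionally stop an existing symlink to a directory from being followed.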


@ -0,0 +1,18 @@
[Unit]
Description=Mark the need to relabel after reboot
DefaultDependencies=no
Requires=local-fs.target
Conflicts=shutdown.target
After=local-fs.target
Before=sysinit.target shutdown.target
ConditionSecurity=!selinux
ConditionPathIsDirectory=/etc/selinux
ConditionPathExists=!/.autorelabel
[Service]
ExecStart=-/bin/touch /.autorelabel
Type=oneshot
RemainAfterExit=yes
[Install]
WantedBy=sysinit.target


@ -0,0 +1,14 @@
[Unit]
Description=Relabel all filesystems
DefaultDependencies=no
Conflicts=shutdown.target
After=sysinit.target
Before=shutdown.target
ConditionSecurity=selinux
[Service]
ExecStart=/usr/libexec/selinux/selinux-autorelabel
Type=oneshot
TimeoutSec=0
RemainAfterExit=yes
StandardOutput=journal+console


@ -0,0 +1,7 @@
[Unit]
Description=Relabel all filesystems and reboot
DefaultDependencies=no
Requires=sysinit.target selinux-autorelabel.service
Conflicts=shutdown.target
After=sysinit.target selinux-autorelabel.service
ConditionSecurity=selinux

5452
SPECS/policycoreutils.spec Normal file

File diff suppressed because it is too large Load Diff