From 087b49520160585bf1496d1172db133c27246e71 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach
Date: Fri, 3 Jul 2015 10:23:25 +0200
Subject: [PATCH] update from bachradsusi/selinux branch 2.4

policycoreutils-2.4-0.6
- policycoreutils: semanage: update to new source policy infrastructure
- semanage: move permissive module creation to /tmp
---
 policycoreutils-rhat.patch | 117 +++++++++++++++++++------------------
 policycoreutils.spec | 10 +++-
 2 files changed, 66 insertions(+), 61 deletions(-)

diff --git a/policycoreutils-rhat.patch b/policycoreutils-rhat.patch
index 055871f..8747217 100644
--- a/policycoreutils-rhat.patch
+++ b/policycoreutils-rhat.patch
@@ -655003,10 +655003,10 @@ index 0fad36c..75b782f 100644
 user identities to authorized role sets. In most cases, only the
 diff --git a/policycoreutils-2.4/semanage/seobject/__init__.py b/policycoreutils-2.4/semanage/seobject/__init__.py
 new file mode 100644
-index 0000000..05d931c
+index 0000000..e3ac4c1
 --- /dev/null
 +++ b/policycoreutils-2.4/semanage/seobject/__init__.py
-@@ -0,0 +1,2250 @@
+@@ -0,0 +1,2251 @@
 +#! /usr/bin/python -Es
 +# Copyright (C) 2005-2013 Red Hat
 +# see file 'COPYING' for use and warranty information
@@ -655030,7 +655030,7 @@ index 0000000..05d931c
 +
 +
 +
-+import pwd, grp, string, selinux, os, re, sys, stat
++import pwd, grp, string, selinux, tempfile, os, re, sys, stat, shutil
 +from semanage import *;
 +PROGNAME = "policycoreutils"
 +import sepolicy
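Review bot: The new import line adds `tempfile` and `shutil`, but nothing in this patch uses either name: the only file-handling change in the commit (the permissive-domain hunk further down) stops writing .te/.pp files altogether instead of relocating them, so unless the rest of the 2251-line module, which is not in this patch, uses them they are dead imports. That also means the changelog line "move permissive module creation to /tmp" does not describe any code visible here; if the /tmp-based path exists elsewhere it should be in the patch, otherwise the changelog entry is misleading. Keeping the old line `import pwd, grp, string, selinux, os, re, sys, stat`, or splitting the imports one per line so pyflakes can flag unused ones, would keep the dependency list honest.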
@@ -655295,20 +655295,41 @@ index 0000000..05d931c
 +
 + def get_all(self):
 + l = []
-+ (rc, mlist, number) = semanage_module_list(self.sh)
++ (rc, mlist, number) = semanage_module_list_all(self.sh)
 + if rc < 0:
 + raise ValueError(_("Could not list SELinux modules"))
 +
 + for i in range(number):
 + mod = semanage_module_list_nth(mlist, i)
-+ l.append((semanage_module_get_name(mod), semanage_module_get_version(mod), semanage_module_get_enabled(mod)))
++
++ rc, name = semanage_module_info_get_name(self.sh, mod)
++ if rc < 0:
++ raise ValueError(_("Could not get module name"))
++
++ rc, enabled = semanage_module_info_get_enabled(self.sh, mod)
++ if rc < 0:
++ raise ValueError(_("Could not get module enabled"))
++
++ rc, priority = semanage_module_info_get_priority(self.sh, mod)
++ if rc < 0:
++ raise ValueError(_("Could not get module priority"))
++
++ rc, lang_ext = semanage_module_info_get_lang_ext(self.sh, mod)
++ if rc < 0:
++ raise ValueError(_("Could not get module lang_ext"))
++
++ l.append((name, enabled, priority, lang_ext))
++
++ # sort the list so they are in name order, but with higher priorities coming first
++ l.sort(key = lambda t: t[3], reverse=True)
++ l.sort(key = lambda t: t[0])
 + return l
 +
 + def customized(self):
 + ALL = self.get_all()
 + if len(ALL) == 0:
 + return
-+ return ["-d %s" % x[0] for x in [t for t in ALL if t[2] == 0]]
++ return ["-d %s" % x[0] for x in [t for t in ALL if t[1] == 0]]
 +
 + def list(self, heading = True, locallist = False):
 + ALL = self.get_all()
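Review bot: The sort comment promises "higher priorities coming first", but the first `l.sort` keys on `t[3]`, which is `lang_ext` in the tuple appended just above; priority sits at index 2. As written the secondary order is by language extension, so when the same module name exists at several priorities `list()` prints them in the wrong order and the comment is false. The key should read `l.sort(key=lambda t: t[2], reverse=True)`. Since `customized()`, `list()` and `deleteall()` all index into this tuple by position, a comment such as `# tuple layout: (name, enabled, priority, lang_ext)` beside the append would make those `t[1]`/`t[2]` accesses checkable at a glance.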
@@ -655316,50 +655337,47 @@ index 0000000..05d931c
 + return
 +
 + if heading:
-+ print("\n%-25s%-10s\n" % (_("Modules Name"), _("Version")))
++ print("\n%-25s %-9s %s\n" % (_("Module Name"), _("Priority"), _("Language")))
 + for t in ALL:
-+ if t[2] == 0:
++ if t[1] == 0:
 + disabled = _("Disabled")
 + else:
 + if locallist:
 + continue
 + disabled = ""
-+ print("%-25s%-10s%s" % (t[0], t[1], disabled))
++ print("%-25s %-9s %-5s %s" % (t[0], t[2], t[3], disabled))
 +
-+ def add(self, module):
++ def add(self, module, priority):
 + if not module:
 + raise ValueError(_("You did not define module name."))
 + if not os.path.exists(module):
 + raise ValueError(_("Module does not exists %s ") % module)
++
++ rc = semanage_set_default_priority(self.sh, priority)
++ if rc < 0:
++ raise ValueError(_("Invalid priority %d (needs to be between 1 and 999)") % priority)
++
 + rc = semanage_module_install_file(self.sh, module);
 + if rc >= 0:
 + self.commit()
 +
-+ def disable(self, module):
-+ need_commit = False
-+ if not module:
-+ raise ValueError(_("You did not define module name."))
++ def set_enabled(self, module, enable):
 + for m in module.split():
-+ rc = semanage_module_disable(self.sh, m)
-+ if rc < 0 and rc != -3:
-+ raise ValueError(_("Could not disable module %s (remove failed)") % m)
-+ if rc != -3:
-+ need_commit = True
-+ if need_commit:
-+ self.commit()
++ rc, key = semanage_module_key_create(self.sh)
++ if rc < 0:
++ raise ValueError(_("Could not create module key"))
 +
-+ def enable(self, module):
-+ need_commit = False
-+ if not module:
-+ raise ValueError(_("You did not define module name."))
-+ for m in module.split():
-+ rc = semanage_module_enable(self.sh, m)
-+ if rc < 0 and rc != -3:
-+ raise ValueError(_("Could not enable module %s (remove failed)") % m)
-+ if rc != -3:
-+ need_commit = True
-+ if need_commit:
-+ self.commit()
++ rc = semanage_module_key_set_name(self.sh, key, m)
++ if rc < 0:
++ raise ValueError(_("Could not set module key name"))
++
++ rc = semanage_module_set_enabled(self.sh, key, enable)
++ if rc < 0:
++ if enable:
++ raise ValueError(_("Could not enable module %s") % m)
++ else:
++ raise ValueError(_("Could not disable module %s") % m)
++ self.commit()
 +
 + def modify(self, file):
 + if not module:
@@ -655368,9 +655386,13 @@ index 0000000..05d931c
 + if rc >= 0:
 + self.commit()
 +
-+ def delete(self, module):
++ def delete(self, module, priority):
 + if not module:
 + raise ValueError(_("You did not define module name."))
++ rc = semanage_set_default_priority(self.sh, priority)
++ if rc < 0:
++ raise ValueError(_("Invalid priority %d (needs to be between 1 and 999)") % priority)
++
 + for m in module.split():
 + rc = semanage_module_remove(self.sh, m)
 + if rc < 0 and rc != -2:
@@ -655379,7 +655401,7 @@ index 0000000..05d931c
 + self.commit()
 +
 + def deleteall(self):
-+ l = [x[0] for x in [t for t in self.get_all() if t[2] == 0]]
++ l = [x[0] for x in [t for t in self.get_all() if t[1] == 0]]
 + for m in l:
 + self.enable(m)
 +
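Review bot: `set_enabled` drops the `if not module: raise ValueError(_("You did not define module name."))` guard that both removed methods (`disable`, `enable`) carried, so an empty or `None` module name now surfaces as an `AttributeError` from `module.split()` instead of the translated error the CLI reports. It also calls `self.commit()` inside the per-name loop, committing once per module rather than once after all keys are set as the old code did (and the old code only committed when something actually changed); moving `self.commit()` to after the `for` keeps one transaction per invocation. Each `semanage_module_key_create` result is never released; libsemanage pairs it with a destroy call, so it is worth confirming whether the Python binding exposes one and, if so, freeing `key` on every path. The enclosing class continues outside this hunk.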
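Review bot: The priority block added to `delete` is a verbatim copy of the one added to `add` in the preceding hunk (`semanage_set_default_priority` followed by the same "Invalid priority %d (needs to be between 1 and 999)" message); a small private helper such as `_set_priority(self, priority)` called from both would keep the accepted range and its wording in one place. The new `priority` parameter has no default, so any caller that still invokes `delete(name)` will fail with `TypeError`; the callers are not in this patch, so that is worth checking before the change lands.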
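Review bot: `deleteall` still calls `self.enable(m)` for every disabled module, but this commit removes the `enable` method (replaced by `set_enabled(module, enable)` two hunks up), so unless `enable` is defined again elsewhere in the file the call now raises `AttributeError` before anything is removed. The line should become `self.set_enabled(m, True)`. The index change from `t[2]` to `t[1]` does match the new `(name, enabled, priority, lang_ext)` tuple produced by `get_all`, and `deleteall` continues past the end of this hunk.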
@@ -655443,33 +655465,12 @@ index 0000000..05d931c
 + raise ValueError(_("The sepolgen python module is required to setup permissive domains.\nIn some distributions it is included in the policycoreutils-devel patckage.\n# yum install policycoreutils-devel\nOr similar for your distro."))
 +
 + name = "permissive_%s" % setype
-+ dirname = "/var/lib/selinux"
-+ os.chdir(dirname)
-+ filename = "%s.te" % name
-+ modtxt = """
-+module %s 1.0;
++ modtxt = "(typepermissive %s)" % type
 +
-+require {
-+ type %s;
-+}
-+
-+permissive %s;
-+""" % (name, setype, setype)
-+ fd = open(filename, 'w')
-+ fd.write(modtxt)
-+ fd.close()
-+ mc = module.ModuleCompiler()
-+ mc.create_module_package(filename, False)
-+ fd = open("%s.pp" % name)
-+ data = fd.read()
-+ fd.close()
-+
-+ rc = semanage_module_install(self.sh, data, len(data));
++ rc = semanage_module_install(self.sh, modtxt, len(modtxt), name, "cil");
 + if rc >= 0:
 + self.commit()
 +
-+ for i in glob.glob("permissive_%s.*" % setype):
-+ os.remove(i)
 + if rc < 0:
 + raise ValueError(_("Could not set permissive domain %s (module installation failed)") % name)
 +
diff --git a/policycoreutils.spec b/policycoreutils.spec
index 2d10064..bc00592 100644
--- a/policycoreutils.spec
+++ b/policycoreutils.spec
@@ -7,7 +7,7 @@ Summary: SELinux policy core utilities
 Name: policycoreutils
 Version: 2.4
-Release: 0%{?dist}.5
+Release: 0%{?dist}.6
 License: GPLv2
 Group: System Environment/Base
 # https://github.com/SELinuxProject/selinux/wiki/Releases
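Review bot: The new CIL text is formatted with `% type`, the builtin class, while the line just above uses the method's `setype` (`name = "permissive_%s" % setype`); unless a local called `type` is bound earlier in the method (not in this hunk), the installed module reads `(typepermissive <class 'type'>)`, libsemanage rejects it, and every permissive-domain request fails with the generic "module installation failed" error. The line should be `modtxt = "(typepermissive %s)" % setype`. Building the module in memory instead of writing .te/.pp files under /var/lib/selinux and globbing them back is a welcome simplification, since it removes the `os.chdir` and the cleanup of a shared directory, but it means the spec changelog entry "move permissive module creation to /tmp" does not describe this code. `setype` is still interpolated unquoted into the CIL statement; if it is not validated before this point (the check is not in this hunk), a name containing parentheses or whitespace would change the parsed statement, so a comment recording where the name is validated would help the next reader. The method's remaining lines are outside this hunk.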
@@ -17,8 +17,8 @@ URL: http://www.selinuxproject.org
 Source2: policycoreutils_man_ru2.tar.bz2
 Source3: system-config-selinux.png
 Source4: sepolicy-icons.tgz
-# use make-rhat-patches.sh to create following patches from https://github.com/fedora-selinux/selinux/
-# https://github.com/fedora-selinux/selinux/commit/18f0a0563ab5a00d260f325e7a53ee838ae22c99
+# use make-rhat-patches.sh to create following patches
+# HEAD https://github.com/bachradsusi/selinux/commit/0eb3ecad178187fda63f5ecb0f8f661f87a9647f
 Patch: policycoreutils-rhat.patch
 Patch1: sepolgen-rhat.patch
 Obsoletes: policycoreutils < 2.0.61-2
@@ -386,6 +386,10 @@ The policycoreutils-restorecond package contains the restorecond service.
 %systemd_postun_with_restart restorecond.service
 %changelog
+* Fri Jul 03 2015 Petr Lautrbach 2.4-0.6
+- policycoreutils: semanage: update to new source policy infrastructure
+- semanage: move permissive module creation to /tmp
+
 * Mon Apr 13 2015 Petr Lautrbach 2.4-0.4
 - Update to upstream 2.4