rpms/policycoreutils
6
0
Fork 0
Code Issues Pull Requests Releases Activity

import UBI policycoreutils-3.8-1.el10

Browse Source
This commit is contained in:
eabdullin 2025-05-14 15:25:25 +00:00
parent abb9a5618c
commit 14010ed68c
68 changed files with 1133 additions and 10204 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
.gitignore vendored
View File

@ -1,13 +1,7 @@
SOURCES/gui-po.tgz
SOURCES/policycoreutils-2.9.tar.gz
SOURCES/policycoreutils-po.tgz
SOURCES/python-po.tgz
SOURCES/restorecond-2.9.tar.gz
SOURCES/sandbox-po.tgz
SOURCES/selinux-dbus-2.9.tar.gz
SOURCES/selinux-gui-2.9.tar.gz
SOURCES/selinux-python-2.9.tar.gz
SOURCES/selinux-sandbox-2.9.tar.gz
SOURCES/semodule-utils-2.9.tar.gz
SOURCES/sepolicy-icons.tgz
SOURCES/system-config-selinux.png
selinux-3.8.tar.gz
selinux-gui.zip
selinux-policycoreutils.zip
selinux-python.zip
selinux-sandbox.zip
sepolicy-icons.tgz
system-config-selinux.png

13
.policycoreutils.metadata
View File

@ -1,13 +0,0 @@
3f355f8cbfdf7be6f9a8190153090af95d2c7358 SOURCES/gui-po.tgz
6e64d9a38fb516738023eb429eef29af5383f443 SOURCES/policycoreutils-2.9.tar.gz
51122ae6029657bf762d72bff94bab38890fd1e7 SOURCES/policycoreutils-po.tgz
c503e61733af54159d5950bbd9fa8080771ee938 SOURCES/python-po.tgz
0a34ef54394972870203832c8ce52d4405bd5330 SOURCES/restorecond-2.9.tar.gz
7df1784ab0c6b0823943571d733b856d10a87f76 SOURCES/sandbox-po.tgz
8645509cdfc433278c2e4d29ee8f511625c7edcc SOURCES/selinux-dbus-2.9.tar.gz
5c155ae47692389d9fabaa154195e7f978f2a3f0 SOURCES/selinux-gui-2.9.tar.gz
660e1ab824ef80f7a69f0b70f61e231957fd398e SOURCES/selinux-python-2.9.tar.gz
0e208cad193021ad17a445b76b72af3fef8db999 SOURCES/selinux-sandbox-2.9.tar.gz
a4414223e60bb664ada4824e54f8d36ab208d599 SOURCES/semodule-utils-2.9.tar.gz
d849fa76cc3ef4a26047d8a69fef3a55d2f3097f SOURCES/sepolicy-icons.tgz
611a5d497efaddd45ec0dcc3e9b2e5b0f81ebc41 SOURCES/system-config-selinux.png

9
SOURCES/0009-Don-t-be-verbose-if-you-are-not-on-a-tty.patch → 0001-Don-t-be-verbose-if-you-are-not-on-a-tty.patch
View File

@ -1,14 +1,15 @@
From 8af697659bd662517571577bf47946a2113f34a1 Mon Sep 17 00:00:00 2001
From 12f57453e8b53a8aab6d3581fd1a4c921fe36918 Mon Sep 17 00:00:00 2001
From: Dan Walsh <dwalsh@redhat.com>
Date: Fri, 14 Feb 2014 12:32:12 -0500
Subject: [PATCH] Don't be verbose if you are not on a tty
Content-type: text/plain
---
policycoreutils/scripts/fixfiles | 1 +
1 file changed, 1 insertion(+)
diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles
index b2779581..53d28c7b 100755
index b7cd765c15e4..f2518e96e34c 100755
--- a/policycoreutils/scripts/fixfiles
+++ b/policycoreutils/scripts/fixfiles
@@ -108,6 +108,7 @@ exclude_dirs_from_relabelling() {
@ -17,8 +18,8 @@ index b2779581..53d28c7b 100755
VERBOSE="-p"
+[ -t 1 ] || VERBOSE=""
FORCEFLAG=""
THREADS=""
RPMFILES=""
PREFC=""
--
2.21.0
2.47.0

7
SOURCES/0017-sepolicy-generate-Handle-more-reserved-port-types.patch → 0002-sepolicy-generate-Handle-more-reserved-port-types.patch
View File

@ -1,7 +1,8 @@
From 3073efc112929b535f3a832c6f99e0dbe3af29ca Mon Sep 17 00:00:00 2001
From fb7357cd097801fcdfa21ed49a17a3875db05e42 Mon Sep 17 00:00:00 2001
From: Masatake YAMATO <yamato@redhat.com>
Date: Thu, 14 Dec 2017 15:57:58 +0900
Subject: [PATCH] sepolicy-generate: Handle more reserved port types
Content-type: text/plain
Currently only reserved_port_t, port_t and hi_reserved_port_t are
handled as special when making a ports-dictionary. However, as fas as
@ -52,7 +53,7 @@ https://lore.kernel.org/selinux/20150610.190635.1866127952891120915.yamato@redha
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/python/sepolicy/sepolicy/generate.py b/python/sepolicy/sepolicy/generate.py
index 7175d36b..93caedee 100644
index adf65f27a822..f726ad51b775 100644
--- a/python/sepolicy/sepolicy/generate.py
+++ b/python/sepolicy/sepolicy/generate.py
@@ -100,7 +100,9 @@ def get_all_ports():
@ -67,5 +68,5 @@ index 7175d36b..93caedee 100644
dict[(p['low'], p['high'], p['protocol'])] = (p['type'], p.get('range'))
return dict
--
2.21.0
2.47.0

31
SOURCES/0019-sandbox-Use-matchbox-window-manager-instead-of-openb.patch → 0003-sandbox-Use-matchbox-window-manager-instead-of-openb.patch
View File

@ -1,7 +1,8 @@
From 89895635ae012d1864a03700054ecc723973b5c0 Mon Sep 17 00:00:00 2001
From f2092a1b859a028f2c5c79b41c70b135ba3ad0fa Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Wed, 18 Jul 2018 09:09:35 +0200
Subject: [PATCH] sandbox: Use matchbox-window-manager instead of openbox
Content-type: text/plain
---
sandbox/sandbox | 4 ++--
@ -10,10 +11,10 @@ Subject: [PATCH] sandbox: Use matchbox-window-manager instead of openbox
3 files changed, 3 insertions(+), 17 deletions(-)
diff --git a/sandbox/sandbox b/sandbox/sandbox
index a12403b3..707959a6 100644
index e3fd6119ed4d..e01425f0c637 100644
--- a/sandbox/sandbox
+++ b/sandbox/sandbox
@@ -268,7 +268,7 @@ class Sandbox:
@@ -270,7 +270,7 @@ class Sandbox:
copyfile(f, "/tmp", self.__tmpdir)
copyfile(f, "/var/tmp", self.__tmpdir)
@ -22,7 +23,7 @@ index a12403b3..707959a6 100644
execfile = self.__homedir + "/.sandboxrc"
fd = open(execfile, "w+")
if self.__options.session:
@@ -362,7 +362,7 @@ sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [-
@@ -370,7 +370,7 @@ sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [-
parser.add_option("-W", "--windowmanager", dest="wm",
type="string",
@ -32,24 +33,24 @@ index a12403b3..707959a6 100644
parser.add_option("-l", "--level", dest="level",
diff --git a/sandbox/sandbox.8 b/sandbox/sandbox.8
index d83fee76..90ef4951 100644
index 095b9e27042d..1c1870190e51 100644
--- a/sandbox/sandbox.8
+++ b/sandbox/sandbox.8
@@ -77,7 +77,7 @@ Specifies the windowsize when creating an X based Sandbox. The default windowsiz
@@ -80,7 +80,7 @@ Specifies the windowsize when creating an X based Sandbox. The default windowsiz
\fB\-W\fR \fB\-\-windowmanager\fR
Select alternative window manager to run within
Select alternative window manager to run within
.B sandbox \-X.
-Default to /usr/bin/openbox.
+Default to /usr/bin/matchbox-window-manager.
.TP
\fB\-X\fR
\fB\-X\fR
Create an X based Sandbox for gui apps, temporary files for
diff --git a/sandbox/sandboxX.sh b/sandbox/sandboxX.sh
index 47745280..c211ebc1 100644
index 28169182ce42..e2a7ad9b2ac7 100644
--- a/sandbox/sandboxX.sh
+++ b/sandbox/sandboxX.sh
@@ -6,20 +6,6 @@ export TITLE="Sandbox $context -- `grep ^#TITLE: ~/.sandboxrc | /usr/bin/cut -b8
[ -z $2 ] && export DPI="96" || export DPI="$2"
@@ -7,20 +7,6 @@ export TITLE="Sandbox $context -- `grep ^#TITLE: ~/.sandboxrc | /usr/bin/cut -b8
[ -z $3 ] && export DPI="96" || export DPI="$3"
trap "exit 0" HUP
-mkdir -p ~/.config/openbox
@ -66,9 +67,9 @@ index 47745280..c211ebc1 100644
-</openbox_config>
-EOF
-
(/usr/bin/Xephyr -resizeable -title "$TITLE" -terminate -reset -screen $SCREENSIZE -dpi $DPI -nolisten tcp -displayfd 5 5>&1 2>/dev/null) | while read D; do
export DISPLAY=:$D
cat > ~/seremote << __EOF
if [ "$WAYLAND_NATIVE" == "no" ]; then
if [ -z "$WAYLAND_DISPLAY" ]; then
DISPLAY_COMMAND='/usr/bin/Xephyr -resizeable -title "$TITLE" -terminate -screen $SCREENSIZE -dpi $DPI -nolisten tcp -displayfd 5 5>&1 2>/dev/null'
--
2.21.0
2.47.0

178
0004-Use-SHA-2-instead-of-SHA-1.patch Normal file
View File

@ -0,0 +1,178 @@
From 4780b755bb1171f5aa4cd7545535839d451a2070 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Fri, 30 Jul 2021 14:14:37 +0200
Subject: [PATCH] Use SHA-2 instead of SHA-1
Content-type: text/plain
The use of SHA-1 in RHEL9 is deprecated
---
policycoreutils/setfiles/restorecon.8 | 10 +++++-----
policycoreutils/setfiles/restorecon_xattr.8 | 8 ++++----
policycoreutils/setfiles/restorecon_xattr.c | 12 ++++++------
policycoreutils/setfiles/setfiles.8 | 10 +++++-----
4 files changed, 20 insertions(+), 20 deletions(-)
diff --git a/policycoreutils/setfiles/restorecon.8 b/policycoreutils/setfiles/restorecon.8
index c3cc5c9b0e52..6160aced5922 100644
--- a/policycoreutils/setfiles/restorecon.8
+++ b/policycoreutils/setfiles/restorecon.8
@@ -95,14 +95,14 @@ display usage information and exit.
ignore files that do not exist.
.TP
.B \-I
-ignore digest to force checking of labels even if the stored SHA1 digest
-matches the specfiles SHA1 digest. The digest will then be updated provided
+ignore digest to force checking of labels even if the stored SHA256 digest
+matches the specfiles SHA256 digest. The digest will then be updated provided
there are no errors. See the
.B NOTES
section for further details.
.TP
.B \-D
-Set or update any directory SHA1 digests. Use this option to
+Set or update any directory SHA256 digests. Use this option to
enable usage of the
.IR security.sehash
extended attribute.
@@ -200,7 +200,7 @@ the
.B \-D
option to
.B restorecon
-will cause it to store a SHA1 digest of the default specfiles set in an extended
+will cause it to store a SHA256 digest of the default specfiles set in an extended
attribute named
.IR security.sehash
on each directory specified in
@@ -217,7 +217,7 @@ for further details.
.sp
The
.B \-I
-option will ignore the SHA1 digest from each directory specified in
+option will ignore the SHA256 digest from each directory specified in
.IR pathname \ ...
and provided the
.B \-n
diff --git a/policycoreutils/setfiles/restorecon_xattr.8 b/policycoreutils/setfiles/restorecon_xattr.8
index 51d12a4dbb80..09bfd8c40ab4 100644
--- a/policycoreutils/setfiles/restorecon_xattr.8
+++ b/policycoreutils/setfiles/restorecon_xattr.8
@@ -23,7 +23,7 @@ or
.SH "DESCRIPTION"
.B restorecon_xattr
-will display the SHA1 digests added to extended attributes
+will display the SHA256 digests added to extended attributes
.I security.sehash
or delete the attribute completely. These attributes are set by
.BR restorecon (8)
@@ -48,12 +48,12 @@ extended attribute and are automatically excluded from searches.
.sp
By default
.B restorecon_xattr
-will display the SHA1 digests with "Match" appended if they match the default
+will display the SHA256 digests with "Match" appended if they match the default
specfile set or the
.I specfile
set used with the
.B \-f
-option. Non-matching SHA1 digests will be displayed with "No Match" appended.
+option. Non-matching SHA256 digests will be displayed with "No Match" appended.
This feature can be disabled by the
.B \-n
option.
@@ -87,7 +87,7 @@ Do not append "Match" or "No Match" to displayed digests.
recursively descend directories.
.TP
.B \-v
-display SHA1 digest generated by specfile set (Note that this digest is not
+display SHA256 digest generated by specfile set (Note that this digest is not
used to match the
.I security.sehash
directory digest entries, and is shown for reference only).
diff --git a/policycoreutils/setfiles/restorecon_xattr.c b/policycoreutils/setfiles/restorecon_xattr.c
index 31fb82fd2099..bc22d3fd4560 100644
--- a/policycoreutils/setfiles/restorecon_xattr.c
+++ b/policycoreutils/setfiles/restorecon_xattr.c
@@ -38,7 +38,7 @@ int main(int argc, char **argv)
unsigned int xattr_flags = 0, delete_digest = 0, recurse = 0;
unsigned int delete_all_digests = 0, ignore_mounts = 0;
bool display_digest = false;
- char *sha1_buf, **specfiles, *fc_file = NULL, *pathname = NULL;
+ char *sha256_buf, **specfiles, *fc_file = NULL, *pathname = NULL;
unsigned char *fc_digest = NULL;
size_t i, fc_digest_len = 0, num_specfiles;
@@ -133,8 +133,8 @@ int main(int argc, char **argv)
exit(-1);
}
- sha1_buf = malloc(fc_digest_len * 2 + 1);
- if (!sha1_buf) {
+ sha256_buf = malloc(fc_digest_len * 2 + 1);
+ if (!sha256_buf) {
fprintf(stderr,
"Error allocating digest buffer: %s\n",
strerror(errno));
@@ -143,16 +143,16 @@ int main(int argc, char **argv)
}
for (i = 0; i < fc_digest_len; i++)
- sprintf((&sha1_buf[i * 2]), "%02x", fc_digest[i]);
+ sprintf((&sha256_buf[i * 2]), "%02x", fc_digest[i]);
- printf("specfiles SHA1 digest: %s\n", sha1_buf);
+ printf("specfiles SHA256 digest: %s\n", sha256_buf);
printf("calculated using the following specfile(s):\n");
if (specfiles) {
for (i = 0; i < num_specfiles; i++)
printf("%s\n", specfiles[i]);
}
- free(sha1_buf);
+ free(sha256_buf);
printf("\n");
}
diff --git a/policycoreutils/setfiles/setfiles.8 b/policycoreutils/setfiles/setfiles.8
index ee01725050bb..57c663a99d67 100644
--- a/policycoreutils/setfiles/setfiles.8
+++ b/policycoreutils/setfiles/setfiles.8
@@ -95,14 +95,14 @@ display usage information and exit.
ignore files that do not exist.
.TP
.B \-I
-ignore digest to force checking of labels even if the stored SHA1 digest
-matches the specfiles SHA1 digest. The digest will then be updated provided
+ignore digest to force checking of labels even if the stored SHA256 digest
+matches the specfiles SHA256 digest. The digest will then be updated provided
there are no errors. See the
.B NOTES
section for further details.
.TP
.B \-D
-Set or update any directory SHA1 digests. Use this option to
+Set or update any directory SHA256 digests. Use this option to
enable usage of the
.IR security.sehash
extended attribute.
@@ -261,7 +261,7 @@ the
.B \-D
option to
.B setfiles
-will cause it to store a SHA1 digest of the
+will cause it to store a SHA256 digest of the
.B spec_file
set in an extended attribute named
.IR security.sehash
@@ -282,7 +282,7 @@ for further details.
.sp
The
.B \-I
-option will ignore the SHA1 digest from each directory specified in
+option will ignore the SHA256 digest from each directory specified in
.IR pathname \ ...
and provided the
.B \-n
--
2.47.0

48
0005-python-sepolicy-Fix-spec-file-dependencies.patch Normal file
View File

@ -0,0 +1,48 @@
From 7e8d67e63daebd675284afaf98aa07530659272f Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com>
Date: Tue, 30 May 2023 09:07:28 +0200
Subject: [PATCH] python/sepolicy: Fix spec file dependencies
Content-type: text/plain
semanage is part of policycoreutils-python-utils package, selinuxenabled
is part of libselinux-utils (required by ^^^) and restorecon/load_policy
are part of policycoreutils (also required by policycoreutils-python-utils).
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
---
python/sepolicy/sepolicy/templates/spec.py | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/python/sepolicy/sepolicy/templates/spec.py b/python/sepolicy/sepolicy/templates/spec.py
index 433c298a17e0..a6d4508bb670 100644
--- a/python/sepolicy/sepolicy/templates/spec.py
+++ b/python/sepolicy/sepolicy/templates/spec.py
@@ -11,18 +11,20 @@ Version: 1.0
Release: 1%{?dist}
Summary: SELinux policy module for MODULENAME
-Group: System Environment/Base
-License: GPLv2+
+Group: System Environment/Base
+License: GPLv2+
# This is an example. You will need to change it.
+# For a complete guide on packaging your policy
+# see https://fedoraproject.org/wiki/SELinux/IndependentPolicy
URL: http://HOSTNAME
Source0: MODULENAME.pp
Source1: MODULENAME.if
Source2: DOMAINNAME_selinux.8
Source3: DOMAINNAME_u
-Requires: policycoreutils, libselinux-utils
-Requires(post): selinux-policy-base >= %{selinux_policyver}, policycoreutils
-Requires(postun): policycoreutils
+Requires: policycoreutils-python-utils, libselinux-utils
+Requires(post): selinux-policy-base >= %{selinux_policyver}, policycoreutils-python-utils
+Requires(postun): policycoreutils-python-utils
"""
mid_section="""\
--
2.47.0

43
SOURCES/0001-gui-Install-polgengui.py-to-usr-bin-selinux-polgengu.patch
View File

@ -1,43 +0,0 @@
From c778509dd0ed3b184d720032f31971f975e42973 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Tue, 5 Mar 2019 17:38:55 +0100
Subject: [PATCH] gui: Install polgengui.py to /usr/bin/selinux-polgengui
polgengui.py is a standalone gui tool which should be in /usr/bin with other
tools.
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
---
gui/Makefile | 2 +-
gui/modulesPage.py | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/gui/Makefile b/gui/Makefile
index c2f982de..b2375fbf 100644
--- a/gui/Makefile
+++ b/gui/Makefile
@@ -31,7 +31,7 @@ install: all
-mkdir -p $(DESTDIR)$(DATADIR)/polkit-1/actions/
install -m 755 system-config-selinux.py $(DESTDIR)$(SHAREDIR)
install -m 755 system-config-selinux $(DESTDIR)$(BINDIR)
- install -m 755 polgengui.py $(DESTDIR)$(SHAREDIR)
+ install -m 755 polgengui.py $(DESTDIR)$(BINDIR)/selinux-polgengui
install -m 644 $(TARGETS) $(DESTDIR)$(SHAREDIR)
install -m 644 system-config-selinux.8 $(DESTDIR)$(MANDIR)/man8
install -m 644 selinux-polgengui.8 $(DESTDIR)$(MANDIR)/man8
diff --git a/gui/modulesPage.py b/gui/modulesPage.py
index 34c5d9e3..cb856b2d 100644
--- a/gui/modulesPage.py
+++ b/gui/modulesPage.py
@@ -118,7 +118,7 @@ class modulesPage(semanagePage):
def new_module(self, args):
try:
- Popen(["/usr/share/system-config-selinux/polgengui.py"])
+ Popen(["selinux-polgengui"])
except ValueError as e:
self.error(e.args[0])
--
2.21.0

49
SOURCES/0002-gui-Install-.desktop-files-to-usr-share-applications.patch
View File

@ -1,49 +0,0 @@
From 04b632e6de14ec0336e14988bf4c2bd581f7308e Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Tue, 5 Mar 2019 17:25:00 +0100
Subject: [PATCH] gui: Install .desktop files to /usr/share/applications by
default
/usr/share/applications is a standard directory for .desktop files.
Installation path can be changed using DESKTOPDIR variable in installation
phase, e.g.
make DESKTOPDIR=/usr/local/share/applications install
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
---
gui/Makefile | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/gui/Makefile b/gui/Makefile
index b2375fbf..ca965c94 100644
--- a/gui/Makefile
+++ b/gui/Makefile
@@ -5,6 +5,7 @@ BINDIR ?= $(PREFIX)/bin
SHAREDIR ?= $(PREFIX)/share/system-config-selinux
DATADIR ?= $(PREFIX)/share
MANDIR ?= $(PREFIX)/share/man
+DESKTOPDIR ?= $(PREFIX)/share/applications
TARGETS= \
booleansPage.py \
@@ -29,6 +30,7 @@ install: all
-mkdir -p $(DESTDIR)$(DATADIR)/pixmaps
-mkdir -p $(DESTDIR)$(DATADIR)/icons/hicolor/24x24/apps
-mkdir -p $(DESTDIR)$(DATADIR)/polkit-1/actions/
+ -mkdir -p $(DESTDIR)$(DESKTOPDIR)
install -m 755 system-config-selinux.py $(DESTDIR)$(SHAREDIR)
install -m 755 system-config-selinux $(DESTDIR)$(BINDIR)
install -m 755 polgengui.py $(DESTDIR)$(BINDIR)/selinux-polgengui
@@ -44,7 +46,7 @@ install: all
install -m 644 system-config-selinux.png $(DESTDIR)$(DATADIR)/pixmaps
install -m 644 system-config-selinux.png $(DESTDIR)$(DATADIR)/icons/hicolor/24x24/apps
install -m 644 system-config-selinux.png $(DESTDIR)$(DATADIR)/system-config-selinux
- install -m 644 *.desktop $(DESTDIR)$(DATADIR)/system-config-selinux
+ install -m 644 *.desktop $(DESTDIR)$(DESKTOPDIR)
-mkdir -p $(DESTDIR)$(DATADIR)/pixmaps
install -m 644 sepolicy_256.png $(DESTDIR)$(DATADIR)/pixmaps/sepolicy.png
for i in 16 22 32 48 256; do \
--
2.21.0

26
SOURCES/0003-sandbox-add-reset-to-Xephyr-as-it-works-better-with-.patch
View File

@ -1,26 +0,0 @@
From 52e0583f6adfe70825b009b626e19c290b49763a Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Thu, 20 Aug 2015 12:58:41 +0200
Subject: [PATCH] sandbox: add -reset to Xephyr as it works better with it in
recent Fedoras
---
sandbox/sandboxX.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sandbox/sandboxX.sh b/sandbox/sandboxX.sh
index eaa500d0..47745280 100644
--- a/sandbox/sandboxX.sh
+++ b/sandbox/sandboxX.sh
@@ -20,7 +20,7 @@ cat > ~/.config/openbox/rc.xml << EOF
</openbox_config>
EOF
-(/usr/bin/Xephyr -resizeable -title "$TITLE" -terminate -screen $SCREENSIZE -dpi $DPI -nolisten tcp -displayfd 5 5>&1 2>/dev/null) | while read D; do
+(/usr/bin/Xephyr -resizeable -title "$TITLE" -terminate -reset -screen $SCREENSIZE -dpi $DPI -nolisten tcp -displayfd 5 5>&1 2>/dev/null) | while read D; do
export DISPLAY=:$D
cat > ~/seremote << __EOF
#!/bin/sh
--
2.21.0

46
SOURCES/0004-Fix-STANDARD_FILE_CONTEXT-section-in-man-pages.patch
View File

@ -1,46 +0,0 @@
From 7504614fdd7dcf11b3a7568ca9b4b921973531dd Mon Sep 17 00:00:00 2001
From: Dan Walsh <dwalsh@redhat.com>
Date: Mon, 21 Apr 2014 13:54:40 -0400
Subject: [PATCH] Fix STANDARD_FILE_CONTEXT section in man pages
Signed-off-by: Miroslav Grepl <mgrepl@redhat.com>
---
python/sepolicy/sepolicy/manpage.py | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
index 1d367962..24e311a3 100755
--- a/python/sepolicy/sepolicy/manpage.py
+++ b/python/sepolicy/sepolicy/manpage.py
@@ -735,10 +735,13 @@ Default Defined Ports:""")
def _file_context(self):
flist = []
+ flist_non_exec = []
mpaths = []
for f in self.all_file_types:
if f.startswith(self.domainname):
flist.append(f)
+ if not file_type_is_executable(f) or not file_type_is_entrypoint(f):
+ flist_non_exec.append(f)
if f in self.fcdict:
mpaths = mpaths + self.fcdict[f]["regex"]
if len(mpaths) == 0:
@@ -797,12 +800,12 @@ SELinux %(domainname)s policy is very flexible allowing users to setup their %(d
SELinux defines the file context types for the %(domainname)s, if you wanted to
store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk.
-.B semanage fcontext -a -t %(type)s '/srv/%(domainname)s/content(/.*)?'
+.B semanage fcontext -a -t %(type)s '/srv/my%(domainname)s_content(/.*)?'
.br
.B restorecon -R -v /srv/my%(domainname)s_content
Note: SELinux often uses regular expressions to specify labels that match multiple files.
-""" % {'domainname': self.domainname, "type": flist[0]})
+""" % {'domainname': self.domainname, "type": flist_non_exec[-1]})
self.fd.write(r"""
.I The following file types are defined for %(domainname)s:
--
2.21.0

27
SOURCES/0005-If-there-is-no-executable-we-don-t-want-to-print-a-p.patch
View File

@ -1,27 +0,0 @@
From 9847a26b7f8358432ee4c7019efb3cbad0c162b0 Mon Sep 17 00:00:00 2001
From: Miroslav Grepl <mgrepl@redhat.com>
Date: Mon, 12 May 2014 14:11:22 +0200
Subject: [PATCH] If there is no executable we don't want to print a part of
STANDARD FILE CONTEXT
---
python/sepolicy/sepolicy/manpage.py | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
index 24e311a3..46092be0 100755
--- a/python/sepolicy/sepolicy/manpage.py
+++ b/python/sepolicy/sepolicy/manpage.py
@@ -793,7 +793,8 @@ SELinux %(domainname)s policy is very flexible allowing users to setup their %(d
.PP
""" % {'domainname': self.domainname, 'equiv': e, 'alt': e.split('/')[-1]})
- self.fd.write(r"""
+ if flist_non_exec:
+ self.fd.write(r"""
.PP
.B STANDARD FILE CONTEXT
--
2.21.0

169
SOURCES/0006-Simplication-of-sepolicy-manpage-web-functionality.-.patch
View File

@ -1,169 +0,0 @@
From b2993d464e05291020dbf60fc2948ac152eb0003 Mon Sep 17 00:00:00 2001
From: Miroslav Grepl <mgrepl@redhat.com>
Date: Thu, 19 Feb 2015 17:45:15 +0100
Subject: [PATCH] Simplication of sepolicy-manpage web functionality.
system_release is no longer hardcoded and it creates only index.html and html
man pages in the directory for the system release.
---
python/sepolicy/sepolicy/__init__.py | 25 +++--------
python/sepolicy/sepolicy/manpage.py | 65 +++-------------------------
2 files changed, 13 insertions(+), 77 deletions(-)
diff --git a/python/sepolicy/sepolicy/__init__.py b/python/sepolicy/sepolicy/__init__.py
index 6aed31bd..88a2b8f6 100644
--- a/python/sepolicy/sepolicy/__init__.py
+++ b/python/sepolicy/sepolicy/__init__.py
@@ -1209,27 +1209,14 @@ def boolean_desc(boolean):
def get_os_version():
- os_version = ""
- pkg_name = "selinux-policy"
+ system_release = ""
try:
- try:
- from commands import getstatusoutput
- except ImportError:
- from subprocess import getstatusoutput
- rc, output = getstatusoutput("rpm -q '%s'" % pkg_name)
- if rc == 0:
- os_version = output.split(".")[-2]
- except:
- os_version = ""
-
- if os_version[0:2] == "fc":
- os_version = "Fedora" + os_version[2:]
- elif os_version[0:2] == "el":
- os_version = "RHEL" + os_version[2:]
- else:
- os_version = ""
+ with open('/etc/system-release') as f:
+ system_release = f.readline()
+ except IOError:
+ system_release = "Misc"
- return os_version
+ return system_release
def reinit():
diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
index 46092be0..d60acfaf 100755
--- a/python/sepolicy/sepolicy/manpage.py
+++ b/python/sepolicy/sepolicy/manpage.py
@@ -149,10 +149,6 @@ def prettyprint(f, trim):
manpage_domains = []
manpage_roles = []
-fedora_releases = ["Fedora17", "Fedora18"]
-rhel_releases = ["RHEL6", "RHEL7"]
-
-
def get_alphabet_manpages(manpage_list):
alphabet_manpages = dict.fromkeys(string.ascii_letters, [])
for i in string.ascii_letters:
@@ -182,7 +178,7 @@ def convert_manpage_to_html(html_manpage, manpage):
class HTMLManPages:
"""
- Generate a HHTML Manpages on an given SELinux domains
+ Generate a HTML Manpages on an given SELinux domains
"""
def __init__(self, manpage_roles, manpage_domains, path, os_version):
@@ -190,9 +186,9 @@ class HTMLManPages:
self.manpage_domains = get_alphabet_manpages(manpage_domains)
self.os_version = os_version
self.old_path = path + "/"
- self.new_path = self.old_path + self.os_version + "/"
+ self.new_path = self.old_path
- if self.os_version in fedora_releases or self.os_version in rhel_releases:
+ if self.os_version:
self.__gen_html_manpages()
else:
print("SELinux HTML man pages can not be generated for this %s" % os_version)
@@ -201,7 +197,6 @@ class HTMLManPages:
def __gen_html_manpages(self):
self._write_html_manpage()
self._gen_index()
- self._gen_body()
self._gen_css()
def _write_html_manpage(self):
@@ -219,67 +214,21 @@ class HTMLManPages:
convert_manpage_to_html((self.new_path + r.rsplit("_selinux", 1)[0] + ".html"), self.old_path + r)
def _gen_index(self):
- index = self.old_path + "index.html"
- fd = open(index, 'w')
- fd.write("""
-<html>
-<head>
- <link rel=stylesheet type="text/css" href="style.css" title="style">
- <title>SELinux man pages online</title>
-</head>
-<body>
-<h1>SELinux man pages</h1>
-<br></br>
-Fedora or Red Hat Enterprise Linux Man Pages.</h2>
-<br></br>
-<hr>
-<h3>Fedora</h3>
-<table><tr>
-<td valign="middle">
-</td>
-</tr></table>
-<pre>
-""")
- for f in fedora_releases:
- fd.write("""
-<a href=%s/%s.html>%s</a> - SELinux man pages for %s """ % (f, f, f, f))
-
- fd.write("""
-</pre>
-<hr>
-<h3>RHEL</h3>
-<table><tr>
-<td valign="middle">
-</td>
-</tr></table>
-<pre>
-""")
- for r in rhel_releases:
- fd.write("""
-<a href=%s/%s.html>%s</a> - SELinux man pages for %s """ % (r, r, r, r))
-
- fd.write("""
-</pre>
- """)
- fd.close()
- print("%s has been created" % index)
-
- def _gen_body(self):
html = self.new_path + self.os_version + ".html"
fd = open(html, 'w')
fd.write("""
<html>
<head>
- <link rel=stylesheet type="text/css" href="../style.css" title="style">
- <title>Linux man-pages online for Fedora18</title>
+ <link rel=stylesheet type="text/css" href="style.css" title="style">
+ <title>SELinux man pages online</title>
</head>
<body>
-<h1>SELinux man pages for Fedora18</h1>
+<h1>SELinux man pages for %s</h1>
<hr>
<table><tr>
<td valign="middle">
<h3>SELinux roles</h3>
-""")
+""" % self.os_version)
for letter in self.manpage_roles:
if len(self.manpage_roles[letter]):
fd.write("""
--
2.21.0

26
SOURCES/0007-We-want-to-remove-the-trailing-newline-for-etc-syste.patch
View File

@ -1,26 +0,0 @@
From bfcb599d9424ef6ffcd250931c89675b451edd00 Mon Sep 17 00:00:00 2001
From: Miroslav Grepl <mgrepl@redhat.com>
Date: Fri, 20 Feb 2015 16:42:01 +0100
Subject: [PATCH] We want to remove the trailing newline for
/etc/system_release.
---
python/sepolicy/sepolicy/__init__.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/python/sepolicy/sepolicy/__init__.py b/python/sepolicy/sepolicy/__init__.py
index 88a2b8f6..0c66f4d5 100644
--- a/python/sepolicy/sepolicy/__init__.py
+++ b/python/sepolicy/sepolicy/__init__.py
@@ -1212,7 +1212,7 @@ def get_os_version():
system_release = ""
try:
with open('/etc/system-release') as f:
- system_release = f.readline()
+ system_release = f.readline().rstrip()
except IOError:
system_release = "Misc"
--
2.21.0

25
SOURCES/0008-Fix-title-in-manpage.py-to-not-contain-online.patch
View File

@ -1,25 +0,0 @@
From 4ea504acce6389c3e28134c4b8e6bf9072c295ce Mon Sep 17 00:00:00 2001
From: Miroslav Grepl <mgrepl@redhat.com>
Date: Fri, 20 Feb 2015 16:42:53 +0100
Subject: [PATCH] Fix title in manpage.py to not contain 'online'.
---
python/sepolicy/sepolicy/manpage.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
index d60acfaf..de8184d8 100755
--- a/python/sepolicy/sepolicy/manpage.py
+++ b/python/sepolicy/sepolicy/manpage.py
@@ -220,7 +220,7 @@ class HTMLManPages:
<html>
<head>
<link rel=stylesheet type="text/css" href="style.css" title="style">
- <title>SELinux man pages online</title>
+ <title>SELinux man pages</title>
</head>
<body>
<h1>SELinux man pages for %s</h1>
--
2.21.0

63
SOURCES/0010-sepolicy-Drop-old-interface-file_type_is_executable-.patch
View File

@ -1,63 +0,0 @@
From ef0f54ffc6d691d10e66a0793204edd159cd45d0 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Mon, 27 Feb 2017 17:12:39 +0100
Subject: [PATCH] sepolicy: Drop old interface file_type_is_executable(f) and
file_type_is_entrypoint(f)
- use direct queries
- load exec_types and entry_types only once
---
python/sepolicy/sepolicy/manpage.py | 22 ++++++++++++++++++++--
1 file changed, 20 insertions(+), 2 deletions(-)
diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
index de8184d8..f8a94fc0 100755
--- a/python/sepolicy/sepolicy/manpage.py
+++ b/python/sepolicy/sepolicy/manpage.py
@@ -125,8 +125,24 @@ def gen_domains():
domains.sort()
return domains
-types = None
+exec_types = None
+
+def _gen_exec_types():
+ global exec_types
+ if exec_types is None:
+ exec_types = next(sepolicy.info(sepolicy.ATTRIBUTE, "exec_type"))["types"]
+ return exec_types
+
+entry_types = None
+
+def _gen_entry_types():
+ global entry_types
+ if entry_types is None:
+ entry_types = next(sepolicy.info(sepolicy.ATTRIBUTE, "entry_type"))["types"]
+ return entry_types
+
+types = None
def _gen_types():
global types
@@ -372,6 +388,8 @@ class ManPage:
self.all_file_types = sepolicy.get_all_file_types()
self.role_allows = sepolicy.get_all_role_allows()
self.types = _gen_types()
+ self.exec_types = _gen_exec_types()
+ self.entry_types = _gen_entry_types()
if self.source_files:
self.fcpath = self.root + "file_contexts"
@@ -689,7 +707,7 @@ Default Defined Ports:""")
for f in self.all_file_types:
if f.startswith(self.domainname):
flist.append(f)
- if not file_type_is_executable(f) or not file_type_is_entrypoint(f):
+ if not f in self.exec_types or not f in self.entry_types:
flist_non_exec.append(f)
if f in self.fcdict:
mpaths = mpaths + self.fcdict[f]["regex"]
--
2.21.0

53
SOURCES/0011-sepolicy-Another-small-optimization-for-mcs-types.patch
View File

@ -1,53 +0,0 @@
From e54db76a3bff8e911ddd7c7ce834c024d634d9e1 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Tue, 28 Feb 2017 21:29:46 +0100
Subject: [PATCH] sepolicy: Another small optimization for mcs types
---
python/sepolicy/sepolicy/manpage.py | 16 +++++++++++-----
1 file changed, 11 insertions(+), 5 deletions(-)
diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
index f8a94fc0..67d39301 100755
--- a/python/sepolicy/sepolicy/manpage.py
+++ b/python/sepolicy/sepolicy/manpage.py
@@ -142,6 +142,15 @@ def _gen_entry_types():
entry_types = next(sepolicy.info(sepolicy.ATTRIBUTE, "entry_type"))["types"]
return entry_types
+mcs_constrained_types = None
+
+def _gen_mcs_constrained_types():
+ global mcs_constrained_types
+ if mcs_constrained_types is None:
+ mcs_constrained_types = next(sepolicy.info(sepolicy.ATTRIBUTE, "mcs_constrained_type"))
+ return mcs_constrained_types
+
+
types = None
def _gen_types():
@@ -390,6 +399,7 @@ class ManPage:
self.types = _gen_types()
self.exec_types = _gen_exec_types()
self.entry_types = _gen_entry_types()
+ self.mcs_constrained_types = _gen_mcs_constrained_types()
if self.source_files:
self.fcpath = self.root + "file_contexts"
@@ -944,11 +954,7 @@ All executeables with the default executable label, usually stored in /usr/bin a
%s""" % ", ".join(paths))
def _mcs_types(self):
- try:
- mcs_constrained_type = next(sepolicy.info(sepolicy.ATTRIBUTE, "mcs_constrained_type"))
- except StopIteration:
- return
- if self.type not in mcs_constrained_type['types']:
+ if self.type not in self.mcs_constrained_types['types']:
return
self.fd.write ("""
.SH "MCS Constrained"
--
2.21.0

515
SOURCES/0012-Move-po-translation-files-into-the-right-sub-directo.patch
View File

@ -1,515 +0,0 @@
From 4015e9299bfda622e9d407cdbcc536000688aa8f Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Mon, 6 Aug 2018 13:23:00 +0200
Subject: [PATCH] Move po/ translation files into the right sub-directories
When policycoreutils was split into policycoreutils/ python/ gui/ and sandbox/
sub-directories, po/ translation files stayed in policycoreutils/.
This commit split original policycoreutils/po directory into
policycoreutils/po
python/po
gui/po
sandbox/po
See https://github.com/fedora-selinux/selinux/issues/43
---
gui/Makefile | 3 ++
gui/po/Makefile | 82 ++++++++++++++++++++++++++++++++++++
gui/po/POTFILES | 17 ++++++++
policycoreutils/po/Makefile | 70 ++-----------------------------
policycoreutils/po/POTFILES | 9 ++++
python/Makefile | 2 +-
python/po/Makefile | 83 +++++++++++++++++++++++++++++++++++++
python/po/POTFILES | 10 +++++
sandbox/Makefile | 2 +
sandbox/po/Makefile | 82 ++++++++++++++++++++++++++++++++++++
sandbox/po/POTFILES | 1 +
11 files changed, 293 insertions(+), 68 deletions(-)
create mode 100644 gui/po/Makefile
create mode 100644 gui/po/POTFILES
create mode 100644 policycoreutils/po/POTFILES
create mode 100644 python/po/Makefile
create mode 100644 python/po/POTFILES
create mode 100644 sandbox/po/Makefile
create mode 100644 sandbox/po/POTFILES
diff --git a/gui/Makefile b/gui/Makefile
index ca965c94..5a5bf6dc 100644
--- a/gui/Makefile
+++ b/gui/Makefile
@@ -22,6 +22,7 @@ system-config-selinux.ui \
usersPage.py
all: $(TARGETS) system-config-selinux.py polgengui.py
+ (cd po && $(MAKE) $@)
install: all
-mkdir -p $(DESTDIR)$(MANDIR)/man8
@@ -54,6 +55,8 @@ install: all
install -m 644 sepolicy_$${i}.png $(DESTDIR)$(DATADIR)/icons/hicolor/$${i}x$${i}/apps/sepolicy.png; \
done
install -m 644 org.selinux.config.policy $(DESTDIR)$(DATADIR)/polkit-1/actions/
+ (cd po && $(MAKE) $@)
+
clean:
indent:
diff --git a/gui/po/Makefile b/gui/po/Makefile
new file mode 100644
index 00000000..a0f5439f
--- /dev/null
+++ b/gui/po/Makefile
@@ -0,0 +1,82 @@
+#
+# Makefile for the PO files (translation) catalog
+#
+
+PREFIX ?= /usr
+
+# What is this package?
+NLSPACKAGE = gui
+POTFILE = $(NLSPACKAGE).pot
+INSTALL = /usr/bin/install -c -p
+INSTALL_DATA = $(INSTALL) -m 644
+INSTALL_DIR = /usr/bin/install -d
+
+# destination directory
+INSTALL_NLS_DIR = $(PREFIX)/share/locale
+
+# PO catalog handling
+MSGMERGE = msgmerge
+MSGMERGE_FLAGS = -q
+XGETTEXT = xgettext --default-domain=$(NLSPACKAGE)
+MSGFMT = msgfmt
+
+# All possible linguas
+PO_LINGUAS := $(sort $(patsubst %.po,%,$(wildcard *.po)))
+
+# Only the files matching what the user has set in LINGUAS
+USER_LINGUAS := $(filter $(patsubst %,%%,$(LINGUAS)),$(PO_LINGUAS))
+
+# if no valid LINGUAS, build all languages
+USE_LINGUAS := $(if $(USER_LINGUAS),$(USER_LINGUAS),$(PO_LINGUAS))
+
+POFILES = $(patsubst %,%.po,$(USE_LINGUAS))
+MOFILES = $(patsubst %.po,%.mo,$(POFILES))
+POTFILES = $(shell cat POTFILES)
+
+#default:: clean
+
+all:: $(MOFILES)
+
+$(POTFILE): $(POTFILES)
+ $(XGETTEXT) --keyword=_ --keyword=N_ $(POTFILES)
+ @if cmp -s $(NLSPACKAGE).po $(POTFILE); then \
+ rm -f $(NLSPACKAGE).po; \
+ else \
+ mv -f $(NLSPACKAGE).po $(POTFILE); \
+ fi; \
+
+
+refresh-po: Makefile
+ for cat in $(POFILES); do \
+ lang=`basename $$cat .po`; \
+ if $(MSGMERGE) $(MSGMERGE_FLAGS) $$lang.po $(POTFILE) > $$lang.pot ; then \
+ mv -f $$lang.pot $$lang.po ; \
+ echo "$(MSGMERGE) of $$lang succeeded" ; \
+ else \
+ echo "$(MSGMERGE) of $$lang failed" ; \
+ rm -f $$lang.pot ; \
+ fi \
+ done
+
+clean:
+ @rm -fv *mo *~ .depend
+ @rm -rf tmp
+
+install: $(MOFILES)
+ @for n in $(MOFILES); do \
+ l=`basename $$n .mo`; \
+ $(INSTALL_DIR) $(DESTDIR)$(INSTALL_NLS_DIR)/$$l/LC_MESSAGES; \
+ $(INSTALL_DATA) --verbose $$n $(DESTDIR)$(INSTALL_NLS_DIR)/$$l/LC_MESSAGES/selinux-$(NLSPACKAGE).mo; \
+ done
+
+%.mo: %.po
+ $(MSGFMT) -o $@ $<
+report:
+ @for cat in $(wildcard *.po); do \
+ echo -n "$$cat: "; \
+ msgfmt -v --statistics -o /dev/null $$cat; \
+ done
+
+.PHONY: missing depend
+
+relabel:
diff --git a/gui/po/POTFILES b/gui/po/POTFILES
new file mode 100644
index 00000000..1795c5c1
--- /dev/null
+++ b/gui/po/POTFILES
@@ -0,0 +1,17 @@
+../booleansPage.py
+../domainsPage.py
+../fcontextPage.py
+../loginsPage.py
+../modulesPage.py
+../org.selinux.config.policy
+../polgengui.py
+../polgen.ui
+../portsPage.py
+../selinux-polgengui.desktop
+../semanagePage.py
+../sepolicy.desktop
+../statusPage.py
+../system-config-selinux.desktop
+../system-config-selinux.py
+../system-config-selinux.ui
+../usersPage.py
diff --git a/policycoreutils/po/Makefile b/policycoreutils/po/Makefile
index 575e1431..18bc1dff 100644
--- a/policycoreutils/po/Makefile
+++ b/policycoreutils/po/Makefile
@@ -3,7 +3,6 @@
#
PREFIX ?= /usr
-TOP = ../..
# What is this package?
NLSPACKAGE = policycoreutils
@@ -32,74 +31,13 @@ USE_LINGUAS := $(if $(USER_LINGUAS),$(USER_LINGUAS),$(PO_LINGUAS))
POFILES = $(patsubst %,%.po,$(USE_LINGUAS))
MOFILES = $(patsubst %.po,%.mo,$(POFILES))
-POTFILES = \
- ../run_init/open_init_pty.c \
- ../run_init/run_init.c \
- ../semodule_link/semodule_link.c \
- ../audit2allow/audit2allow \
- ../semanage/seobject.py \
- ../setsebool/setsebool.c \
- ../newrole/newrole.c \
- ../load_policy/load_policy.c \
- ../sestatus/sestatus.c \
- ../semodule/semodule.c \
- ../setfiles/setfiles.c \
- ../semodule_package/semodule_package.c \
- ../semodule_deps/semodule_deps.c \
- ../semodule_expand/semodule_expand.c \
- ../scripts/chcat \
- ../scripts/fixfiles \
- ../restorecond/stringslist.c \
- ../restorecond/restorecond.h \
- ../restorecond/utmpwatcher.h \
- ../restorecond/stringslist.h \
- ../restorecond/restorecond.c \
- ../restorecond/utmpwatcher.c \
- ../gui/booleansPage.py \
- ../gui/fcontextPage.py \
- ../gui/loginsPage.py \
- ../gui/mappingsPage.py \
- ../gui/modulesPage.py \
- ../gui/polgen.glade \
- ../gui/polgengui.py \
- ../gui/portsPage.py \
- ../gui/semanagePage.py \
- ../gui/statusPage.py \
- ../gui/system-config-selinux.glade \
- ../gui/system-config-selinux.py \
- ../gui/usersPage.py \
- ../secon/secon.c \
- booleans.py \
- ../sepolicy/sepolicy.py \
- ../sepolicy/sepolicy/communicate.py \
- ../sepolicy/sepolicy/__init__.py \
- ../sepolicy/sepolicy/network.py \
- ../sepolicy/sepolicy/generate.py \
- ../sepolicy/sepolicy/sepolicy.glade \
- ../sepolicy/sepolicy/gui.py \
- ../sepolicy/sepolicy/manpage.py \
- ../sepolicy/sepolicy/transition.py \
- ../sepolicy/sepolicy/templates/executable.py \
- ../sepolicy/sepolicy/templates/__init__.py \
- ../sepolicy/sepolicy/templates/network.py \
- ../sepolicy/sepolicy/templates/rw.py \
- ../sepolicy/sepolicy/templates/script.py \
- ../sepolicy/sepolicy/templates/semodule.py \
- ../sepolicy/sepolicy/templates/tmp.py \
- ../sepolicy/sepolicy/templates/user.py \
- ../sepolicy/sepolicy/templates/var_lib.py \
- ../sepolicy/sepolicy/templates/var_log.py \
- ../sepolicy/sepolicy/templates/var_run.py \
- ../sepolicy/sepolicy/templates/var_spool.py
+POTFILES = $(shell cat POTFILES)
#default:: clean
-all:: $(MOFILES)
+all:: $(POTFILE) $(MOFILES)
-booleans.py:
- sepolicy booleans -a > booleans.py
-
-$(POTFILE): $(POTFILES) booleans.py
+$(POTFILE): $(POTFILES)
$(XGETTEXT) --keyword=_ --keyword=N_ $(POTFILES)
@if cmp -s $(NLSPACKAGE).po $(POTFILE); then \
rm -f $(NLSPACKAGE).po; \
@@ -107,8 +45,6 @@ $(POTFILE): $(POTFILES) booleans.py
mv -f $(NLSPACKAGE).po $(POTFILE); \
fi; \
-update-po: Makefile $(POTFILE) refresh-po
- @rm -f booleans.py
refresh-po: Makefile
for cat in $(POFILES); do \
diff --git a/policycoreutils/po/POTFILES b/policycoreutils/po/POTFILES
new file mode 100644
index 00000000..12237dc6
--- /dev/null
+++ b/policycoreutils/po/POTFILES
@@ -0,0 +1,9 @@
+../run_init/open_init_pty.c
+../run_init/run_init.c
+../setsebool/setsebool.c
+../newrole/newrole.c
+../load_policy/load_policy.c
+../sestatus/sestatus.c
+../semodule/semodule.c
+../setfiles/setfiles.c
+../secon/secon.c
diff --git a/python/Makefile b/python/Makefile
index 9b66d52f..00312dbd 100644
--- a/python/Makefile
+++ b/python/Makefile
@@ -1,4 +1,4 @@
-SUBDIRS = sepolicy audit2allow semanage sepolgen chcat
+SUBDIRS = sepolicy audit2allow semanage sepolgen chcat po
all install relabel clean indent test:
@for subdir in $(SUBDIRS); do \
diff --git a/python/po/Makefile b/python/po/Makefile
new file mode 100644
index 00000000..4e052d5a
--- /dev/null
+++ b/python/po/Makefile
@@ -0,0 +1,83 @@
+#
+# Makefile for the PO files (translation) catalog
+#
+
+PREFIX ?= /usr
+
+# What is this package?
+NLSPACKAGE = python
+POTFILE = $(NLSPACKAGE).pot
+INSTALL = /usr/bin/install -c -p
+INSTALL_DATA = $(INSTALL) -m 644
+INSTALL_DIR = /usr/bin/install -d
+
+# destination directory
+INSTALL_NLS_DIR = $(PREFIX)/share/locale
+
+# PO catalog handling
+MSGMERGE = msgmerge
+MSGMERGE_FLAGS = -q
+XGETTEXT = xgettext --default-domain=$(NLSPACKAGE)
+MSGFMT = msgfmt
+
+# All possible linguas
+PO_LINGUAS := $(sort $(patsubst %.po,%,$(wildcard *.po)))
+
+# Only the files matching what the user has set in LINGUAS
+USER_LINGUAS := $(filter $(patsubst %,%%,$(LINGUAS)),$(PO_LINGUAS))
+
+# if no valid LINGUAS, build all languages
+USE_LINGUAS := $(if $(USER_LINGUAS),$(USER_LINGUAS),$(PO_LINGUAS))
+
+POFILES = $(patsubst %,%.po,$(USE_LINGUAS))
+MOFILES = $(patsubst %.po,%.mo,$(POFILES))
+POTFILES = $(shell cat POTFILES)
+
+#default:: clean
+
+all:: $(MOFILES)
+
+$(POTFILE): $(POTFILES)
+ $(XGETTEXT) -L Python --keyword=_ --keyword=N_ $(POTFILES)
+ $(XGETTEXT) -j --keyword=_ --keyword=N_ ../sepolicy/sepolicy/sepolicy.glade
+ @if cmp -s $(NLSPACKAGE).po $(POTFILE); then \
+ rm -f $(NLSPACKAGE).po; \
+ else \
+ mv -f $(NLSPACKAGE).po $(POTFILE); \
+ fi; \
+
+
+refresh-po: Makefile
+ for cat in $(POFILES); do \
+ lang=`basename $$cat .po`; \
+ if $(MSGMERGE) $(MSGMERGE_FLAGS) $$lang.po $(POTFILE) > $$lang.pot ; then \
+ mv -f $$lang.pot $$lang.po ; \
+ echo "$(MSGMERGE) of $$lang succeeded" ; \
+ else \
+ echo "$(MSGMERGE) of $$lang failed" ; \
+ rm -f $$lang.pot ; \
+ fi \
+ done
+
+clean:
+ @rm -fv *mo *~ .depend
+ @rm -rf tmp
+
+install: $(MOFILES)
+ @for n in $(MOFILES); do \
+ l=`basename $$n .mo`; \
+ $(INSTALL_DIR) $(DESTDIR)$(INSTALL_NLS_DIR)/$$l/LC_MESSAGES; \
+ $(INSTALL_DATA) --verbose $$n $(DESTDIR)$(INSTALL_NLS_DIR)/$$l/LC_MESSAGES/selinux-$(NLSPACKAGE).mo; \
+ done
+
+%.mo: %.po
+ $(MSGFMT) -o $@ $<
+report:
+ @for cat in $(wildcard *.po); do \
+ echo -n "$$cat: "; \
+ msgfmt -v --statistics -o /dev/null $$cat; \
+ done
+
+.PHONY: missing depend
+
+relabel:
diff --git a/python/po/POTFILES b/python/po/POTFILES
new file mode 100644
index 00000000..128eb870
--- /dev/null
+++ b/python/po/POTFILES
@@ -0,0 +1,10 @@
+../audit2allow/audit2allow
+../chcat/chcat
+../semanage/semanage
+../semanage/seobject.py
+../sepolgen/src/sepolgen/interfaces.py
+../sepolicy/sepolicy/generate.py
+../sepolicy/sepolicy/gui.py
+../sepolicy/sepolicy/__init__.py
+../sepolicy/sepolicy/interface.py
+../sepolicy/sepolicy.py
diff --git a/sandbox/Makefile b/sandbox/Makefile
index 9da5e58d..b817824e 100644
--- a/sandbox/Makefile
+++ b/sandbox/Makefile
@@ -13,6 +13,7 @@ override LDLIBS += -lselinux -lcap-ng
SEUNSHARE_OBJS = seunshare.o
all: sandbox seunshare sandboxX.sh start
+ (cd po && $(MAKE) $@)
seunshare: $(SEUNSHARE_OBJS)
@@ -39,6 +40,7 @@ install: all
install -m 755 start $(DESTDIR)$(SHAREDIR)
-mkdir -p $(DESTDIR)$(SYSCONFDIR)
install -m 644 sandbox.conf $(DESTDIR)$(SYSCONFDIR)/sandbox
+ (cd po && $(MAKE) $@)
test:
@$(PYTHON) test_sandbox.py -v
diff --git a/sandbox/po/Makefile b/sandbox/po/Makefile
new file mode 100644
index 00000000..0556bbe9
--- /dev/null
+++ b/sandbox/po/Makefile
@@ -0,0 +1,82 @@
+#
+# Makefile for the PO files (translation) catalog
+#
+
+PREFIX ?= /usr
+
+# What is this package?
+NLSPACKAGE = sandbox
+POTFILE = $(NLSPACKAGE).pot
+INSTALL = /usr/bin/install -c -p
+INSTALL_DATA = $(INSTALL) -m 644
+INSTALL_DIR = /usr/bin/install -d
+
+# destination directory
+INSTALL_NLS_DIR = $(PREFIX)/share/locale
+
+# PO catalog handling
+MSGMERGE = msgmerge
+MSGMERGE_FLAGS = -q
+XGETTEXT = xgettext -L Python --default-domain=$(NLSPACKAGE)
+MSGFMT = msgfmt
+
+# All possible linguas
+PO_LINGUAS := $(sort $(patsubst %.po,%,$(wildcard *.po)))
+
+# Only the files matching what the user has set in LINGUAS
+USER_LINGUAS := $(filter $(patsubst %,%%,$(LINGUAS)),$(PO_LINGUAS))
+
+# if no valid LINGUAS, build all languages
+USE_LINGUAS := $(if $(USER_LINGUAS),$(USER_LINGUAS),$(PO_LINGUAS))
+
+POFILES = $(patsubst %,%.po,$(USE_LINGUAS))
+MOFILES = $(patsubst %.po,%.mo,$(POFILES))
+POTFILES = $(shell cat POTFILES)
+
+#default:: clean
+
+all:: $(POTFILE) $(MOFILES)
+
+$(POTFILE): $(POTFILES)
+ $(XGETTEXT) --keyword=_ --keyword=N_ $(POTFILES)
+ @if cmp -s $(NLSPACKAGE).po $(POTFILE); then \
+ rm -f $(NLSPACKAGE).po; \
+ else \
+ mv -f $(NLSPACKAGE).po $(POTFILE); \
+ fi; \
+
+
+refresh-po: Makefile
+ for cat in $(POFILES); do \
+ lang=`basename $$cat .po`; \
+ if $(MSGMERGE) $(MSGMERGE_FLAGS) $$lang.po $(POTFILE) > $$lang.pot ; then \
+ mv -f $$lang.pot $$lang.po ; \
+ echo "$(MSGMERGE) of $$lang succeeded" ; \
+ else \
+ echo "$(MSGMERGE) of $$lang failed" ; \
+ rm -f $$lang.pot ; \
+ fi \
+ done
+
+clean:
+ @rm -fv *mo *~ .depend
+ @rm -rf tmp
+
+install: $(MOFILES)
+ @for n in $(MOFILES); do \
+ l=`basename $$n .mo`; \
+ $(INSTALL_DIR) $(DESTDIR)$(INSTALL_NLS_DIR)/$$l/LC_MESSAGES; \
+ $(INSTALL_DATA) --verbose $$n $(DESTDIR)$(INSTALL_NLS_DIR)/$$l/LC_MESSAGES/selinux-$(NLSPACKAGE).mo; \
+ done
+
+%.mo: %.po
+ $(MSGFMT) -o $@ $<
+report:
+ @for cat in $(wildcard *.po); do \
+ echo -n "$$cat: "; \
+ msgfmt -v --statistics -o /dev/null $$cat; \
+ done
+
+.PHONY: missing depend
+
+relabel:
diff --git a/sandbox/po/POTFILES b/sandbox/po/POTFILES
new file mode 100644
index 00000000..deff3f2f
--- /dev/null
+++ b/sandbox/po/POTFILES
@@ -0,0 +1 @@
+../sandbox
--
2.21.0

306
SOURCES/0013-Use-correct-gettext-domains-in-python-gui-sandbox.patch
View File

@ -1,306 +0,0 @@
From 57cd23e11e1a700802a5955e84a0a7e04c30ec73 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Mon, 6 Aug 2018 13:37:07 +0200
Subject: [PATCH] Use correct gettext domains in python/ gui/ sandbox/
https://github.com/fedora-selinux/selinux/issues/43
---
gui/booleansPage.py | 2 +-
gui/domainsPage.py | 2 +-
gui/fcontextPage.py | 2 +-
gui/loginsPage.py | 2 +-
gui/modulesPage.py | 2 +-
gui/polgengui.py | 2 +-
gui/portsPage.py | 2 +-
gui/semanagePage.py | 2 +-
gui/statusPage.py | 2 +-
gui/system-config-selinux.py | 2 +-
gui/usersPage.py | 2 +-
python/chcat/chcat | 2 +-
python/semanage/semanage | 2 +-
python/semanage/seobject.py | 2 +-
python/sepolgen/src/sepolgen/sepolgeni18n.py | 2 +-
python/sepolicy/sepolicy.py | 2 +-
python/sepolicy/sepolicy/__init__.py | 2 +-
python/sepolicy/sepolicy/generate.py | 2 +-
python/sepolicy/sepolicy/gui.py | 2 +-
python/sepolicy/sepolicy/interface.py | 2 +-
sandbox/sandbox | 2 +-
21 files changed, 21 insertions(+), 21 deletions(-)
diff --git a/gui/booleansPage.py b/gui/booleansPage.py
index 7849bea2..dd12b6d6 100644
--- a/gui/booleansPage.py
+++ b/gui/booleansPage.py
@@ -38,7 +38,7 @@ DISABLED = 2
##
## I18N
##
-PROGNAME = "policycoreutils"
+PROGNAME = "selinux-gui"
try:
import gettext
kwargs = {}
diff --git a/gui/domainsPage.py b/gui/domainsPage.py
index bad5140d..6bbe4de5 100644
--- a/gui/domainsPage.py
+++ b/gui/domainsPage.py
@@ -30,7 +30,7 @@ from semanagePage import *
##
## I18N
##
-PROGNAME = "policycoreutils"
+PROGNAME = "selinux-gui"
try:
import gettext
kwargs = {}
diff --git a/gui/fcontextPage.py b/gui/fcontextPage.py
index 370bbee4..e424366d 100644
--- a/gui/fcontextPage.py
+++ b/gui/fcontextPage.py
@@ -47,7 +47,7 @@ class context:
##
## I18N
##
-PROGNAME = "policycoreutils"
+PROGNAME = "selinux-gui"
try:
import gettext
kwargs = {}
diff --git a/gui/loginsPage.py b/gui/loginsPage.py
index b67eb8bc..cbfb0cc2 100644
--- a/gui/loginsPage.py
+++ b/gui/loginsPage.py
@@ -29,7 +29,7 @@ from semanagePage import *
##
## I18N
##
-PROGNAME = "policycoreutils"
+PROGNAME = "selinux-gui"
try:
import gettext
kwargs = {}
diff --git a/gui/modulesPage.py b/gui/modulesPage.py
index cb856b2d..26ac5404 100644
--- a/gui/modulesPage.py
+++ b/gui/modulesPage.py
@@ -30,7 +30,7 @@ from semanagePage import *
##
## I18N
##
-PROGNAME = "policycoreutils"
+PROGNAME = "selinux-gui"
try:
import gettext
kwargs = {}
diff --git a/gui/polgengui.py b/gui/polgengui.py
index b1cc9937..46a1bd2c 100644
--- a/gui/polgengui.py
+++ b/gui/polgengui.py
@@ -63,7 +63,7 @@ def get_all_modules():
##
## I18N
##
-PROGNAME = "policycoreutils"
+PROGNAME = "selinux-gui"
try:
import gettext
kwargs = {}
diff --git a/gui/portsPage.py b/gui/portsPage.py
index 30f58383..a537ecc8 100644
--- a/gui/portsPage.py
+++ b/gui/portsPage.py
@@ -35,7 +35,7 @@ from semanagePage import *
##
## I18N
##
-PROGNAME = "policycoreutils"
+PROGNAME = "selinux-gui"
try:
import gettext
kwargs = {}
diff --git a/gui/semanagePage.py b/gui/semanagePage.py
index 4127804f..5361d69c 100644
--- a/gui/semanagePage.py
+++ b/gui/semanagePage.py
@@ -22,7 +22,7 @@ from gi.repository import Gdk, Gtk
##
## I18N
##
-PROGNAME = "policycoreutils"
+PROGNAME = "selinux-gui"
try:
import gettext
kwargs = {}
diff --git a/gui/statusPage.py b/gui/statusPage.py
index 766854b1..a8f079b9 100644
--- a/gui/statusPage.py
+++ b/gui/statusPage.py
@@ -35,7 +35,7 @@ RELABELFILE = "/.autorelabel"
##
## I18N
##
-PROGNAME = "policycoreutils"
+PROGNAME = "selinux-gui"
try:
import gettext
kwargs = {}
diff --git a/gui/system-config-selinux.py b/gui/system-config-selinux.py
index c42301b6..1e0d5eb1 100644
--- a/gui/system-config-selinux.py
+++ b/gui/system-config-selinux.py
@@ -45,7 +45,7 @@ import selinux
##
## I18N
##
-PROGNAME = "policycoreutils"
+PROGNAME = "selinux-gui"
try:
import gettext
kwargs = {}
diff --git a/gui/usersPage.py b/gui/usersPage.py
index 26794ed5..d15d4c5a 100644
--- a/gui/usersPage.py
+++ b/gui/usersPage.py
@@ -29,7 +29,7 @@ from semanagePage import *
##
## I18N
##
-PROGNAME = "policycoreutils"
+PROGNAME = "selinux-gui"
try:
import gettext
kwargs = {}
diff --git a/python/chcat/chcat b/python/chcat/chcat
index ba398684..df2509f2 100755
--- a/python/chcat/chcat
+++ b/python/chcat/chcat
@@ -30,7 +30,7 @@ import getopt
import selinux
import seobject
-PROGNAME = "policycoreutils"
+PROGNAME = "selinux-python"
try:
import gettext
kwargs = {}
diff --git a/python/semanage/semanage b/python/semanage/semanage
index 144cc000..56db3e0d 100644
--- a/python/semanage/semanage
+++ b/python/semanage/semanage
@@ -27,7 +27,7 @@ import traceback
import argparse
import seobject
import sys
-PROGNAME = "policycoreutils"
+PROGNAME = "selinux-python"
try:
import gettext
kwargs = {}
diff --git a/python/semanage/seobject.py b/python/semanage/seobject.py
index 13fdf531..b90b1070 100644
--- a/python/semanage/seobject.py
+++ b/python/semanage/seobject.py
@@ -29,7 +29,7 @@ import sys
import stat
import socket
from semanage import *
-PROGNAME = "policycoreutils"
+PROGNAME = "selinux-python"
import sepolicy
import setools
from IPy import IP
diff --git a/python/sepolgen/src/sepolgen/sepolgeni18n.py b/python/sepolgen/src/sepolgen/sepolgeni18n.py
index 998c4356..56ebd807 100644
--- a/python/sepolgen/src/sepolgen/sepolgeni18n.py
+++ b/python/sepolgen/src/sepolgen/sepolgeni18n.py
@@ -19,7 +19,7 @@
try:
import gettext
- t = gettext.translation( 'yumex' )
+ t = gettext.translation( 'selinux-python' )
_ = t.gettext
except:
def _(str):
diff --git a/python/sepolicy/sepolicy.py b/python/sepolicy/sepolicy.py
index 1934cd86..8bd6a579 100755
--- a/python/sepolicy/sepolicy.py
+++ b/python/sepolicy/sepolicy.py
@@ -27,7 +27,7 @@ import selinux
import sepolicy
from sepolicy import get_os_version, get_conditionals, get_conditionals_format_text
import argparse
-PROGNAME = "policycoreutils"
+PROGNAME = "selinux-python"
try:
import gettext
kwargs = {}
diff --git a/python/sepolicy/sepolicy/__init__.py b/python/sepolicy/sepolicy/__init__.py
index 0c66f4d5..b6ca57c3 100644
--- a/python/sepolicy/sepolicy/__init__.py
+++ b/python/sepolicy/sepolicy/__init__.py
@@ -13,7 +13,7 @@ import os
import re
import gzip
-PROGNAME = "policycoreutils"
+PROGNAME = "selinux-python"
try:
import gettext
kwargs = {}
diff --git a/python/sepolicy/sepolicy/generate.py b/python/sepolicy/sepolicy/generate.py
index 019e7836..7175d36b 100644
--- a/python/sepolicy/sepolicy/generate.py
+++ b/python/sepolicy/sepolicy/generate.py
@@ -49,7 +49,7 @@ import sepolgen.defaults as defaults
##
## I18N
##
-PROGNAME = "policycoreutils"
+PROGNAME = "selinux-python"
try:
import gettext
kwargs = {}
diff --git a/python/sepolicy/sepolicy/gui.py b/python/sepolicy/sepolicy/gui.py
index 00fd7a11..805cee67 100644
--- a/python/sepolicy/sepolicy/gui.py
+++ b/python/sepolicy/sepolicy/gui.py
@@ -41,7 +41,7 @@ import os
import re
import unicodedata
-PROGNAME = "policycoreutils"
+PROGNAME = "selinux-python"
try:
import gettext
kwargs = {}
diff --git a/python/sepolicy/sepolicy/interface.py b/python/sepolicy/sepolicy/interface.py
index 583091ae..e2b8d23b 100644
--- a/python/sepolicy/sepolicy/interface.py
+++ b/python/sepolicy/sepolicy/interface.py
@@ -30,7 +30,7 @@ __all__ = ['get_all_interfaces', 'get_interfaces_from_xml', 'get_admin', 'get_us
##
## I18N
##
-PROGNAME = "policycoreutils"
+PROGNAME = "selinux-python"
try:
import gettext
kwargs = {}
diff --git a/sandbox/sandbox b/sandbox/sandbox
index 1dec07ac..a12403b3 100644
--- a/sandbox/sandbox
+++ b/sandbox/sandbox
@@ -37,7 +37,7 @@ import sepolicy
SEUNSHARE = "/usr/sbin/seunshare"
SANDBOXSH = "/usr/share/sandbox/sandboxX.sh"
-PROGNAME = "policycoreutils"
+PROGNAME = "selinux-sandbox"
try:
import gettext
kwargs = {}
--
2.21.0

4532
SOURCES/0014-Initial-.pot-files-for-gui-python-sandbox.patch
View File

File diff suppressed because it is too large Load Diff

30
SOURCES/0016-policycoreutils-setfiles-Improve-description-of-d-sw.patch
View File

@ -1,30 +0,0 @@
From c8fbb8042852c18775c001999ce949e9b591e381 Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com>
Date: Wed, 21 Mar 2018 08:51:31 +0100
Subject: [PATCH] policycoreutils/setfiles: Improve description of -d switch
The "-q" switch is becoming obsolete (completely unused in fedora) and
debug output ("-d" switch) makes sense in any scenario. Therefore both
options can be specified at once.
Resolves: rhbz#1271327
---
policycoreutils/setfiles/setfiles.8 | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policycoreutils/setfiles/setfiles.8 b/policycoreutils/setfiles/setfiles.8
index ccaaf4de..a8a76c86 100644
--- a/policycoreutils/setfiles/setfiles.8
+++ b/policycoreutils/setfiles/setfiles.8
@@ -57,7 +57,7 @@ check the validity of the contexts against the specified binary policy.
.TP
.B \-d
show what specification matched each file (do not abort validation
-after ABORT_ON_ERRORS errors).
+after ABORT_ON_ERRORS errors). Not affected by "\-q"
.TP
.BI \-e \ directory
directory to exclude (repeat option for more than one directory).
--
2.21.0

24
SOURCES/0018-semodule-utils-Fix-RESOURCE_LEAK-coverity-scan-defec.patch
View File

@ -1,24 +0,0 @@
From f8602180d042e95947fe0bbd35d261771b347705 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Thu, 8 Nov 2018 09:20:58 +0100
Subject: [PATCH] semodule-utils: Fix RESOURCE_LEAK coverity scan defects
---
semodule-utils/semodule_package/semodule_package.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/semodule-utils/semodule_package/semodule_package.c b/semodule-utils/semodule_package/semodule_package.c
index 3515234e..7b75b3fd 100644
--- a/semodule-utils/semodule_package/semodule_package.c
+++ b/semodule-utils/semodule_package/semodule_package.c
@@ -74,6 +74,7 @@ static int file_to_data(const char *path, char **data, size_t * len)
}
if (!sb.st_size) {
*len = 0;
+ close(fd);
return 0;
}
--
2.21.0

45
SOURCES/0020-python-Use-ipaddress-instead-of-IPy.patch
View File

@ -1,45 +0,0 @@
From b2512e2a92a33360639a3459039cdf2e685655a8 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Mon, 3 Dec 2018 14:40:09 +0100
Subject: [PATCH] python: Use ipaddress instead of IPy
ipaddress module was added in python 3.3 and this allows us to drop python3-IPy
---
python/semanage/seobject.py | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/python/semanage/seobject.py b/python/semanage/seobject.py
index b90b1070..58497e3b 100644
--- a/python/semanage/seobject.py
+++ b/python/semanage/seobject.py
@@ -32,7 +32,7 @@ from semanage import *
PROGNAME = "selinux-python"
import sepolicy
import setools
-from IPy import IP
+import ipaddress
try:
import gettext
@@ -1851,13 +1851,13 @@ class nodeRecords(semanageRecords):
# verify valid comination
if len(mask) == 0 or mask[0] == "/":
- i = IP(addr + mask)
- newaddr = i.strNormal(0)
- newmask = str(i.netmask())
- if newmask == "0.0.0.0" and i.version() == 6:
+ i = ipaddress.ip_network(addr + mask)
+ newaddr = str(i.network_address)
+ newmask = str(i.netmask)
+ if newmask == "0.0.0.0" and i.version == 6:
newmask = "::"
- protocol = "ipv%d" % i.version()
+ protocol = "ipv%d" % i.version
try:
newprotocol = self.protocol.index(protocol)
--
2.21.0

93
SOURCES/0021-python-semanage-Do-not-traceback-when-the-default-po.patch
View File

@ -1,93 +0,0 @@
From 5938d18536f4c0a76521d1f0721e981e6570b012 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Thu, 4 Apr 2019 23:02:56 +0200
Subject: [PATCH] python/semanage: Do not traceback when the default policy is
not available
"import seobject" causes "import sepolicy" which crashes when the system policy
is not available. It's better to provide an error message instead.
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
---
python/semanage/semanage | 37 +++++++++++++++++++++----------------
1 file changed, 21 insertions(+), 16 deletions(-)
diff --git a/python/semanage/semanage b/python/semanage/semanage
index 56db3e0d..4c766ae3 100644
--- a/python/semanage/semanage
+++ b/python/semanage/semanage
@@ -25,7 +25,6 @@
import traceback
import argparse
-import seobject
import sys
PROGNAME = "selinux-python"
try:
@@ -129,21 +128,6 @@ class SetImportFile(argparse.Action):
sys.exit(1)
setattr(namespace, self.dest, values)
-# define dictonary for seobject OBEJCTS
-object_dict = {
- 'login': seobject.loginRecords,
- 'user': seobject.seluserRecords,
- 'port': seobject.portRecords,
- 'module': seobject.moduleRecords,
- 'interface': seobject.interfaceRecords,
- 'node': seobject.nodeRecords,
- 'fcontext': seobject.fcontextRecords,
- 'boolean': seobject.booleanRecords,
- 'permissive': seobject.permissiveRecords,
- 'dontaudit': seobject.dontauditClass,
- 'ibpkey': seobject.ibpkeyRecords,
- 'ibendport': seobject.ibendportRecords
-}
def generate_custom_usage(usage_text, usage_dict):
# generate custom usage from given text and dictonary
@@ -608,6 +592,7 @@ def setupInterfaceParser(subparsers):
def handleModule(args):
+ import seobject
OBJECT = seobject.moduleRecords(args)
if args.action_add:
OBJECT.add(args.action_add[0], args.priority)
@@ -846,6 +831,7 @@ def mkargv(line):
def handleImport(args):
+ import seobject
trans = seobject.semanageRecords(args)
trans.start()
@@ -887,6 +873,25 @@ def createCommandParser():
#To add a new subcommand define the parser for it in a function above and call it here.
subparsers = commandParser.add_subparsers(dest='subcommand')
subparsers.required = True
+
+ import seobject
+ # define dictonary for seobject OBEJCTS
+ global object_dict
+ object_dict = {
+ 'login': seobject.loginRecords,
+ 'user': seobject.seluserRecords,
+ 'port': seobject.portRecords,
+ 'module': seobject.moduleRecords,
+ 'interface': seobject.interfaceRecords,
+ 'node': seobject.nodeRecords,
+ 'fcontext': seobject.fcontextRecords,
+ 'boolean': seobject.booleanRecords,
+ 'permissive': seobject.permissiveRecords,
+ 'dontaudit': seobject.dontauditClass,
+ 'ibpkey': seobject.ibpkeyRecords,
+ 'ibendport': seobject.ibendportRecords
+ }
+
setupImportParser(subparsers)
setupExportParser(subparsers)
setupLoginParser(subparsers)
--
2.21.0

108
SOURCES/0022-policycoreutils-fixfiles-Fix-B-F-onboot.patch
View File

@ -1,108 +0,0 @@
From 99582e3bf63475b7af5793bb9230e88d847dc7c8 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Tue, 2 Jul 2019 17:11:32 +0200
Subject: [PATCH] policycoreutils/fixfiles: Fix [-B] [-F] onboot
Commit 6e289bb7bf3d ("policycoreutils: fixfiles: remove bad modes of "relabel"
command") added "$RESTORE_MODE" != DEFAULT test when onboot is used. It makes
`fixfiles -B onboot` to show usage instead of updating /.autorelabel
The code is restructured to handle -B for different modes correctly.
Fixes:
# fixfiles -B onboot
Usage: /usr/sbin/fixfiles [-v] [-F] [-f] relabel
...
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
---
policycoreutils/scripts/fixfiles | 29 +++++++++++++++--------------
1 file changed, 15 insertions(+), 14 deletions(-)
diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles
index 53d28c7b..9dd44213 100755
--- a/policycoreutils/scripts/fixfiles
+++ b/policycoreutils/scripts/fixfiles
@@ -112,7 +112,7 @@ VERBOSE="-p"
FORCEFLAG=""
RPMFILES=""
PREFC=""
-RESTORE_MODE="DEFAULT"
+RESTORE_MODE=""
SETFILES=/sbin/setfiles
RESTORECON=/sbin/restorecon
FILESYSTEMSRW=`get_rw_labeled_mounts`
@@ -214,16 +214,17 @@ restore () {
OPTION=$1
shift
-case "$RESTORE_MODE" in
- PREFC)
- diff_filecontext $*
- return
- ;;
- BOOTTIME)
+# [-B | -N time ]
+if [ -z "$BOOTTIME" ]; then
newer $BOOTTIME $*
return
- ;;
-esac
+fi
+
+# -C PREVIOUS_FILECONTEXT
+if [ "$RESTORE_MODE" == PREFC ]; then
+ diff_filecontext $*
+ return
+fi
[ -x /usr/sbin/genhomedircon ] && /usr/sbin/genhomedircon
@@ -239,7 +240,7 @@ case "$RESTORE_MODE" in
FILEPATH)
${RESTORECON} ${VERBOSE} ${EXCLUDEDIRS} ${FORCEFLAG} $* -R -- "$FILEPATH"
;;
- DEFAULT)
+ *)
if [ -n "${FILESYSTEMSRW}" ]; then
LogReadOnly
echo "${OPTION}ing `echo ${FILESYSTEMSRW}`"
@@ -272,7 +273,7 @@ fullrelabel() {
relabel() {
- if [ "$RESTORE_MODE" != DEFAULT ]; then
+ if [ -n "$RESTORE_MODE" -a "$RESTORE_MODE" != DEFAULT ]; then
usage
exit 1
fi
@@ -306,7 +307,7 @@ case "$1" in
verify) restore Verify -n;;
relabel) relabel;;
onboot)
- if [ "$RESTORE_MODE" != DEFAULT ]; then
+ if [ -n "$RESTORE_MODE" -a "$RESTORE_MODE" != DEFAULT ]; then
usage
exit 1
fi
@@ -344,7 +345,7 @@ if [ $# -eq 0 ]; then
fi
set_restore_mode() {
- if [ "$RESTORE_MODE" != DEFAULT ]; then
+ if [ -n "$RESTORE_MODE" ]; then
# can't specify two different modes
usage
exit 1
@@ -357,7 +358,7 @@ while getopts "N:BC:FfR:l:v" i; do
case "$i" in
B)
BOOTTIME=`/bin/who -b | awk '{print $3}'`
- set_restore_mode BOOTTIME
+ set_restore_mode DEFAULT
;;
N)
BOOTTIME=$OPTARG
--
2.21.0

33
SOURCES/0023-policycoreutils-fixfiles-Force-full-relabel-when-SEL.patch
View File

@ -1,33 +0,0 @@
From 9bcf8ad7b9b6d8d761f7d097196b2b9bc114fa0a Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Tue, 2 Jul 2019 17:12:07 +0200
Subject: [PATCH] policycoreutils/fixfiles: Force full relabel when SELinux is
disabled
The previous check used getfilecon to check whether / slash contains a label,
but getfilecon fails only when SELinux is disabled. Therefore it's better to
check this using selinuxenabled.
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
---
policycoreutils/scripts/fixfiles | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles
index 9dd44213..a9d27d13 100755
--- a/policycoreutils/scripts/fixfiles
+++ b/policycoreutils/scripts/fixfiles
@@ -314,8 +314,8 @@ case "$1" in
> /.autorelabel || exit $?
[ -z "$FORCEFLAG" ] || echo -n "$FORCEFLAG " >> /.autorelabel
[ -z "$BOOTTIME" ] || echo -N $BOOTTIME >> /.autorelabel
- # Force full relabel if / does not have a label on it
- getfilecon / > /dev/null 2>&1 || echo -F >/.autorelabel
+ # Force full relabel if SELinux is not enabled
+ selinuxenabled || echo -F > /.autorelabel
echo "System will relabel on next boot"
;;
*)
--
2.21.0

32
SOURCES/0024-policycoreutils-fixfiles-Fix-unbound-variable-proble.patch
View File

@ -1,32 +0,0 @@
From 7383f8fbab82826de21d3013a43680867642e49e Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com>
Date: Wed, 21 Aug 2019 17:43:25 +0200
Subject: [PATCH] policycoreutils/fixfiles: Fix unbound variable problem
Fix a typo introduced in commit d3f8b2c3cd909 ("policycoreutils/fixfiles: Fix
[-B] [-F] onboot"), which broke "fixfiles relabel":
#fixfiles relabel
/sbin/fixfiles: line 151: $1: unbound variable
Resolves: rhbz#1743213
---
policycoreutils/scripts/fixfiles | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles
index a9d27d13..df0042aa 100755
--- a/policycoreutils/scripts/fixfiles
+++ b/policycoreutils/scripts/fixfiles
@@ -215,7 +215,7 @@ OPTION=$1
shift
# [-B | -N time ]
-if [ -z "$BOOTTIME" ]; then
+if [ -n "$BOOTTIME" ]; then
newer $BOOTTIME $*
return
fi
--
2.21.0

38
SOURCES/0025-gui-Fix-remove-module-in-system-config-selinux.patch
View File

@ -1,38 +0,0 @@
From f6c67c02f25d3a8971dcc5667121236fab85dd65 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Thu, 29 Aug 2019 08:58:20 +0200
Subject: [PATCH] gui: Fix remove module in system-config-selinux
When a user tried to remove a policy module with priority other than 400 via
GUI, it failed with a message:
libsemanage.semanage_direct_remove_key: Unable to remove module somemodule at priority 400. (No such file or directory).
This is fixed by calling "semodule -x PRIORITY -r NAME" instead of
"semodule -r NAME".
From Jono Hein <fredwacko40@hotmail.com>
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
---
gui/modulesPage.py | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/gui/modulesPage.py b/gui/modulesPage.py
index 26ac5404..35a0129b 100644
--- a/gui/modulesPage.py
+++ b/gui/modulesPage.py
@@ -125,9 +125,10 @@ class modulesPage(semanagePage):
def delete(self):
store, iter = self.view.get_selection().get_selected()
module = store.get_value(iter, 0)
+ priority = store.get_value(iter, 1)
try:
self.wait()
- status, output = getstatusoutput("semodule -r %s" % module)
+ status, output = getstatusoutput("semodule -X %s -r %s" % (priority, module))
self.ready()
if status != 0:
self.error(output)
--
2.21.0

30
SOURCES/0026-python-semanage-Do-not-use-default-s0-range-in-seman.patch
View File

@ -1,30 +0,0 @@
From c2e942fc452bff06cc5ed9017afe169c6941f4e4 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Tue, 3 Sep 2019 15:17:27 +0200
Subject: [PATCH] python/semanage: Do not use default s0 range in "semanage
login -a"
Using the "s0" default means that new login mappings are always added with "s0"
range instead of the range of SELinux user.
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
---
python/semanage/semanage | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/python/semanage/semanage b/python/semanage/semanage
index 4c766ae3..fa78afce 100644
--- a/python/semanage/semanage
+++ b/python/semanage/semanage
@@ -221,7 +221,7 @@ def parser_add_level(parser, name):
def parser_add_range(parser, name):
- parser.add_argument('-r', '--range', default="s0",
+ parser.add_argument('-r', '--range', default='',
help=_('''
MLS/MCS Security Range (MLS/MCS Systems only)
SELinux Range for SELinux login mapping
--
2.21.0

33
SOURCES/0027-policycoreutils-fixfiles-Fix-verify-option.patch
View File

@ -1,33 +0,0 @@
From 4733a594c5df14f64293d19f16498e68dc5e3a98 Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com>
Date: Tue, 24 Sep 2019 08:41:30 +0200
Subject: [PATCH] policycoreutils/fixfiles: Fix "verify" option
"restorecon -n" (used in the "restore" function) has to be used with
"-v" to display the files whose labels would be changed.
Fixes:
Fixfiles verify does not report misslabelled files unless "-v" option is
used.
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
---
policycoreutils/scripts/fixfiles | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles
index df0042aa..be19e56c 100755
--- a/policycoreutils/scripts/fixfiles
+++ b/policycoreutils/scripts/fixfiles
@@ -304,7 +304,7 @@ process() {
case "$1" in
restore) restore Relabel;;
check) VERBOSE="-v"; restore Check -n;;
- verify) restore Verify -n;;
+ verify) VERBOSE="-v"; restore Verify -n;;
relabel) relabel;;
onboot)
if [ -n "$RESTORE_MODE" -a "$RESTORE_MODE" != DEFAULT ]; then
--
2.21.0

102
SOURCES/0028-python-semanage-Improve-handling-of-permissive-state.patch
View File

@ -1,102 +0,0 @@
From 0803fcb2c014b2cedf8f4d92b80fc382916477ee Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com>
Date: Fri, 27 Sep 2019 16:13:47 +0200
Subject: [PATCH] python/semanage: Improve handling of "permissive" statements
- Add "customized" method to permissiveRecords which is than used for
"semanage permissive --extract" and "semanage export"
- Enable "semanage permissive --deleteall" (already implemented)
- Add "permissive" to the list of modules exported using
"semanage export"
- Update "semanage permissive" man page
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
---
python/semanage/semanage | 11 ++++++++---
python/semanage/semanage-permissive.8 | 8 +++++++-
python/semanage/seobject.py | 3 +++
3 files changed, 18 insertions(+), 4 deletions(-)
diff --git a/python/semanage/semanage b/python/semanage/semanage
index fa78afce..b2bd9df9 100644
--- a/python/semanage/semanage
+++ b/python/semanage/semanage
@@ -722,6 +722,11 @@ def handlePermissive(args):
if args.action == "list":
OBJECT.list(args.noheading)
+ elif args.action == "deleteall":
+ OBJECT.deleteall()
+ elif args.action == "extract":
+ for i in OBJECT.customized():
+ print("permissive %s" % str(i))
elif args.type is not None:
if args.action == "add":
OBJECT.add(args.type)
@@ -737,9 +742,9 @@ def setupPermissiveParser(subparsers):
pgroup = permissiveParser.add_mutually_exclusive_group(required=True)
parser_add_add(pgroup, "permissive")
parser_add_delete(pgroup, "permissive")
+ parser_add_deleteall(pgroup, "permissive")
+ parser_add_extract(pgroup, "permissive")
parser_add_list(pgroup, "permissive")
- #TODO: probably should be also added => need to implement own option handling
- #parser_add_deleteall(pgroup)
parser_add_noheading(permissiveParser, "permissive")
parser_add_noreload(permissiveParser, "permissive")
@@ -763,7 +768,7 @@ def setupDontauditParser(subparsers):
def handleExport(args):
- manageditems = ["boolean", "login", "interface", "user", "port", "node", "fcontext", "module", "ibendport", "ibpkey"]
+ manageditems = ["boolean", "login", "interface", "user", "port", "node", "fcontext", "module", "ibendport", "ibpkey", "permissive"]
for i in manageditems:
print("%s -D" % i)
for i in manageditems:
diff --git a/python/semanage/semanage-permissive.8 b/python/semanage/semanage-permissive.8
index 1999a451..5c3364fa 100644
--- a/python/semanage/semanage-permissive.8
+++ b/python/semanage/semanage-permissive.8
@@ -2,7 +2,7 @@
.SH "NAME"
.B semanage\-permissive \- SELinux Policy Management permissive mapping tool
.SH "SYNOPSIS"
-.B semanage permissive [\-h] (\-a | \-d | \-l) [\-n] [\-N] [\-S STORE] [type]
+.B semanage permissive [\-h] [\-n] [\-N] [\-S STORE] (\-\-add TYPE | \-\-delete TYPE | \-\-deleteall | \-\-extract | \-\-list)
.SH "DESCRIPTION"
semanage is used to configure certain elements of SELinux policy without requiring modification to or recompilation from policy sources. semanage permissive adds or removes a SELinux Policy permissive module.
@@ -18,9 +18,15 @@ Add a record of the specified object type
.I \-d, \-\-delete
Delete a record of the specified object type
.TP
+.I \-D, \-\-deleteall
+Remove all local customizations of permissive domains
+.TP
.I \-l, \-\-list
List records of the specified object type
.TP
+.I \-E, \-\-extract
+Extract customizable commands, for use within a transaction
+.TP
.I \-n, \-\-noheading
Do not print heading when listing the specified object type
.TP
diff --git a/python/semanage/seobject.py b/python/semanage/seobject.py
index 58497e3b..3959abc8 100644
--- a/python/semanage/seobject.py
+++ b/python/semanage/seobject.py
@@ -478,6 +478,9 @@ class permissiveRecords(semanageRecords):
l.append(name.split("permissive_")[1])
return l
+ def customized(self):
+ return ["-a %s" % x for x in sorted(self.get_all())]
+
def list(self, heading=1, locallist=0):
all = [y["name"] for y in [x for x in sepolicy.info(sepolicy.TYPE) if x["permissive"]]]
if len(all) == 0:
--
2.21.0

41
SOURCES/0029-python-semanage-fix-moduleRecords.customized.patch
View File

@ -1,41 +0,0 @@
From 7cc31c4799dd94ed516a39d853744bd1ffb6dc69 Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com>
Date: Mon, 30 Sep 2019 09:49:04 +0200
Subject: [PATCH] python/semanage: fix moduleRecords.customized()
Return value of "customized" has to be iterable.
Fixes:
"semanage export" with no modules in the system (eg. monolithic policy)
crashes:
Traceback (most recent call last):
File "/usr/sbin/semanage", line 970, in <module>
do_parser()
File "/usr/sbin/semanage", line 949, in do_parser
args.func(args)
File "/usr/sbin/semanage", line 771, in handleExport
for c in OBJECT.customized():
TypeError: 'NoneType' object is not iterable
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
---
python/semanage/seobject.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/python/semanage/seobject.py b/python/semanage/seobject.py
index 3959abc8..16edacaa 100644
--- a/python/semanage/seobject.py
+++ b/python/semanage/seobject.py
@@ -380,7 +380,7 @@ class moduleRecords(semanageRecords):
def customized(self):
all = self.get_all()
if len(all) == 0:
- return
+ return []
return ["-d %s" % x[0] for x in [t for t in all if t[1] == 0]]
def list(self, heading=1, locallist=0):
--
2.21.0

45
SOURCES/0030-python-semanage-Add-support-for-DCCP-and-SCTP-protoc.patch
View File

@ -1,45 +0,0 @@
From 7cbfcec89a6972f9c700687ed3cef25ff0846461 Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com>
Date: Tue, 8 Oct 2019 14:22:13 +0200
Subject: [PATCH] python/semanage: Add support for DCCP and SCTP protocols
Fixes:
# semanage port -a -p sctp -t port_t 1234
ValueError: Protocol udp or tcp is required
# semanage port -d -p sctp -t port_t 1234
ValueError: Protocol udp or tcp is required
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
---
python/semanage/seobject.py | 14 ++++++++------
1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/python/semanage/seobject.py b/python/semanage/seobject.py
index 16edacaa..70ebfd08 100644
--- a/python/semanage/seobject.py
+++ b/python/semanage/seobject.py
@@ -1058,13 +1058,15 @@ class portRecords(semanageRecords):
pass
def __genkey(self, port, proto):
- if proto == "tcp":
- proto_d = SEMANAGE_PROTO_TCP
+ protocols = {"tcp": SEMANAGE_PROTO_TCP,
+ "udp": SEMANAGE_PROTO_UDP,
+ "sctp": SEMANAGE_PROTO_SCTP,
+ "dccp": SEMANAGE_PROTO_DCCP}
+
+ if proto in protocols.keys():
+ proto_d = protocols[proto]
else:
- if proto == "udp":
- proto_d = SEMANAGE_PROTO_UDP
- else:
- raise ValueError(_("Protocol udp or tcp is required"))
+ raise ValueError(_("Protocol has to be one of udp, tcp, dccp or sctp"))
if port == "":
raise ValueError(_("Port is required"))
--
2.21.0

40
SOURCES/0031-dbus-Fix-FileNotFoundError-in-org.selinux.relabel_on.patch
View File

@ -1,40 +0,0 @@
From 6e5ccf2dd3329b400b70b7806b9c6128c5c50995 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Fri, 15 Nov 2019 09:15:49 +0100
Subject: [PATCH] dbus: Fix FileNotFoundError in org.selinux.relabel_on_boot
When org.selinux.relabel_on_boot(0) was called twice, it failed with
FileNotFoundError.
Fixes:
$ dbus-send --system --print-reply --dest=org.selinux /org/selinux/object org.selinux.relabel_on_boot int64:1
method return sender=:1.53 -> dest=:1.54 reply_serial=2
$ dbus-send --system --print-reply --dest=org.selinux /org/selinux/object org.selinux.relabel_on_boot int64:0
method return sender=:1.53 -> dest=:1.55 reply_serial=2
$ dbus-send --system --print-reply --dest=org.selinux /org/selinux/object org.selinux.relabel_on_boot int64:0
Error org.freedesktop.DBus.Python.FileNotFoundError: FileNotFoundError: [Errno 2] No such file or directory: '/.autorelabel'
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
---
dbus/selinux_server.py | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/dbus/selinux_server.py b/dbus/selinux_server.py
index b9debc071485..be4f4557a9fa 100644
--- a/dbus/selinux_server.py
+++ b/dbus/selinux_server.py
@@ -85,7 +85,10 @@ class selinux_server(slip.dbus.service.Object):
fd = open("/.autorelabel", "w")
fd.close()
else:
- os.unlink("/.autorelabel")
+ try:
+ os.unlink("/.autorelabel")
+ except FileNotFoundError:
+ pass
def write_selinux_config(self, enforcing=None, policy=None):
path = selinux.selinux_path() + "config"
--
2.23.0

200
SOURCES/0032-restorecond-Fix-redundant-console-log-output-error.patch
View File

@ -1,200 +0,0 @@
From 76371721bafed56efcb7a83b3fa3285383ede5b7 Mon Sep 17 00:00:00 2001
From: Baichuan Kong <kongbaichuan@huawei.com>
Date: Thu, 14 Nov 2019 10:48:07 +0800
Subject: [PATCH] restorecond: Fix redundant console log output error
When starting restorecond without any option the following redundant
console log is outputed:
/dev/log 100.0%
/var/volatile/run/syslogd.pid 100.0%
...
This is caused by two global variables of same name r_opts. When
executes r_opts = opts in restore_init(), it originally intends
to assign the address of struct r_opts in "restorecond.c" to the
pointer *r_opts in "restore.c".
However, the address is assigned to the struct r_opts and covers
the value of low eight bytes in it. That causes unexpected value
of member varibale 'nochange' and 'verbose' in struct r_opts, thus
affects value of 'restorecon_flags' and executes unexpected operations
when restorecon the files such as the redundant console log output or
file label nochange.
Cause restorecond/restore.c is copied from policycoreutils/setfiles,
which share the same pattern. It also has potential risk to generate
same problems, So fix it in case.
Signed-off-by: Baichuan Kong <kongbaichuan@huawei.com>
(cherry-picked from SElinuxProject
commit ad2208ec220f55877a4d31084be2b4d6413ee082)
Resolves: rhbz#1626468
---
policycoreutils/setfiles/restore.c | 42 ++++++++++++++----------------
restorecond/restore.c | 40 +++++++++++++---------------
2 files changed, 37 insertions(+), 45 deletions(-)
diff --git a/policycoreutils/setfiles/restore.c b/policycoreutils/setfiles/restore.c
index 9dea5656..d3335d1a 100644
--- a/policycoreutils/setfiles/restore.c
+++ b/policycoreutils/setfiles/restore.c
@@ -17,40 +17,37 @@
char **exclude_list;
int exclude_count;
-struct restore_opts *r_opts;
-
void restore_init(struct restore_opts *opts)
{
int rc;
- r_opts = opts;
struct selinux_opt selinux_opts[] = {
- { SELABEL_OPT_VALIDATE, r_opts->selabel_opt_validate },
- { SELABEL_OPT_PATH, r_opts->selabel_opt_path },
- { SELABEL_OPT_DIGEST, r_opts->selabel_opt_digest }
+ { SELABEL_OPT_VALIDATE, opts->selabel_opt_validate },
+ { SELABEL_OPT_PATH, opts->selabel_opt_path },
+ { SELABEL_OPT_DIGEST, opts->selabel_opt_digest }
};
- r_opts->hnd = selabel_open(SELABEL_CTX_FILE, selinux_opts, 3);
- if (!r_opts->hnd) {
- perror(r_opts->selabel_opt_path);
+ opts->hnd = selabel_open(SELABEL_CTX_FILE, selinux_opts, 3);
+ if (!opts->hnd) {
+ perror(opts->selabel_opt_path);
exit(1);
}
- r_opts->restorecon_flags = 0;
- r_opts->restorecon_flags = r_opts->nochange | r_opts->verbose |
- r_opts->progress | r_opts->set_specctx |
- r_opts->add_assoc | r_opts->ignore_digest |
- r_opts->recurse | r_opts->userealpath |
- r_opts->xdev | r_opts->abort_on_error |
- r_opts->syslog_changes | r_opts->log_matches |
- r_opts->ignore_noent | r_opts->ignore_mounts |
- r_opts->mass_relabel;
+ opts->restorecon_flags = 0;
+ opts->restorecon_flags = opts->nochange | opts->verbose |
+ opts->progress | opts->set_specctx |
+ opts->add_assoc | opts->ignore_digest |
+ opts->recurse | opts->userealpath |
+ opts->xdev | opts->abort_on_error |
+ opts->syslog_changes | opts->log_matches |
+ opts->ignore_noent | opts->ignore_mounts |
+ opts->mass_relabel;
/* Use setfiles, restorecon and restorecond own handles */
- selinux_restorecon_set_sehandle(r_opts->hnd);
+ selinux_restorecon_set_sehandle(opts->hnd);
- if (r_opts->rootpath) {
- rc = selinux_restorecon_set_alt_rootpath(r_opts->rootpath);
+ if (opts->rootpath) {
+ rc = selinux_restorecon_set_alt_rootpath(opts->rootpath);
if (rc) {
fprintf(stderr,
"selinux_restorecon_set_alt_rootpath error: %s.\n",
@@ -81,7 +78,6 @@ int process_glob(char *name, struct restore_opts *opts)
size_t i = 0;
int len, rc, errors;
- r_opts = opts;
memset(&globbuf, 0, sizeof(globbuf));
errors = glob(name, GLOB_TILDE | GLOB_PERIOD |
@@ -96,7 +92,7 @@ int process_glob(char *name, struct restore_opts *opts)
if (len > 0 && strcmp(&globbuf.gl_pathv[i][len], "/..") == 0)
continue;
rc = selinux_restorecon(globbuf.gl_pathv[i],
- r_opts->restorecon_flags);
+ opts->restorecon_flags);
if (rc < 0)
errors = rc;
}
diff --git a/restorecond/restore.c b/restorecond/restore.c
index f6e30001..b93b5fdb 100644
--- a/restorecond/restore.c
+++ b/restorecond/restore.c
@@ -12,39 +12,36 @@
char **exclude_list;
int exclude_count;
-struct restore_opts *r_opts;
-
void restore_init(struct restore_opts *opts)
{
int rc;
- r_opts = opts;
struct selinux_opt selinux_opts[] = {
- { SELABEL_OPT_VALIDATE, r_opts->selabel_opt_validate },
- { SELABEL_OPT_PATH, r_opts->selabel_opt_path },
- { SELABEL_OPT_DIGEST, r_opts->selabel_opt_digest }
+ { SELABEL_OPT_VALIDATE, opts->selabel_opt_validate },
+ { SELABEL_OPT_PATH, opts->selabel_opt_path },
+ { SELABEL_OPT_DIGEST, opts->selabel_opt_digest }
};
- r_opts->hnd = selabel_open(SELABEL_CTX_FILE, selinux_opts, 3);
- if (!r_opts->hnd) {
- perror(r_opts->selabel_opt_path);
+ opts->hnd = selabel_open(SELABEL_CTX_FILE, selinux_opts, 3);
+ if (!opts->hnd) {
+ perror(opts->selabel_opt_path);
exit(1);
}
- r_opts->restorecon_flags = 0;
- r_opts->restorecon_flags = r_opts->nochange | r_opts->verbose |
- r_opts->progress | r_opts->set_specctx |
- r_opts->add_assoc | r_opts->ignore_digest |
- r_opts->recurse | r_opts->userealpath |
- r_opts->xdev | r_opts->abort_on_error |
- r_opts->syslog_changes | r_opts->log_matches |
- r_opts->ignore_noent | r_opts->ignore_mounts;
+ opts->restorecon_flags = 0;
+ opts->restorecon_flags = opts->nochange | opts->verbose |
+ opts->progress | opts->set_specctx |
+ opts->add_assoc | opts->ignore_digest |
+ opts->recurse | opts->userealpath |
+ opts->xdev | opts->abort_on_error |
+ opts->syslog_changes | opts->log_matches |
+ opts->ignore_noent | opts->ignore_mounts;
/* Use setfiles, restorecon and restorecond own handles */
- selinux_restorecon_set_sehandle(r_opts->hnd);
+ selinux_restorecon_set_sehandle(opts->hnd);
- if (r_opts->rootpath) {
- rc = selinux_restorecon_set_alt_rootpath(r_opts->rootpath);
+ if (opts->rootpath) {
+ rc = selinux_restorecon_set_alt_rootpath(opts->rootpath);
if (rc) {
fprintf(stderr,
"selinux_restorecon_set_alt_rootpath error: %s.\n",
@@ -75,7 +72,6 @@ int process_glob(char *name, struct restore_opts *opts)
size_t i = 0;
int len, rc, errors;
- r_opts = opts;
memset(&globbuf, 0, sizeof(globbuf));
errors = glob(name, GLOB_TILDE | GLOB_PERIOD |
@@ -90,7 +86,7 @@ int process_glob(char *name, struct restore_opts *opts)
if (len > 0 && strcmp(&globbuf.gl_pathv[i][len], "/..") == 0)
continue;
rc = selinux_restorecon(globbuf.gl_pathv[i],
- r_opts->restorecon_flags);
+ opts->restorecon_flags);
if (rc < 0)
errors = rc;
}
--
2.21.0

55
SOURCES/0033-python-semanage-empty-stdout-before-exiting-on-Broke.patch
View File

@ -1,55 +0,0 @@
From 0bed778c53a4f93b1b092b3db33e8c36aabfa39d Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com>
Date: Tue, 5 Jan 2021 17:00:21 +0100
Subject: [PATCH] python/semanage: empty stdout before exiting on
BrokenPipeError
Empty stdout buffer before exiting when BrokenPipeError is
encountered. Otherwise python will flush the bufer during exit, which
may trigger the exception again.
https://docs.python.org/3/library/signal.html#note-on-sigpipe
Fixes:
#semanage fcontext -l | egrep -q -e '^/home'
BrokenPipeError: [Errno 32] Broken pipe
Exception ignored in: <_io.TextIOWrapper name='<stdout>' mode='w' encoding='UTF-8'>
BrokenPipeError: [Errno 32] Broken pipe
Note that the error above only appears occasionally (usually only the
first line is printed).
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Acked-by: Nicolas Iooss <nicolas.iooss@m4x.org>
---
python/semanage/semanage | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/python/semanage/semanage b/python/semanage/semanage
index b2bd9df9..1abe3536 100644
--- a/python/semanage/semanage
+++ b/python/semanage/semanage
@@ -26,6 +26,7 @@
import traceback
import argparse
import sys
+import os
PROGNAME = "selinux-python"
try:
import gettext
@@ -953,6 +954,13 @@ def do_parser():
args = commandParser.parse_args(make_args(sys.argv))
args.func(args)
sys.exit(0)
+ except BrokenPipeError as e:
+ sys.stderr.write("%s: %s\n" % (e.__class__.__name__, str(e)))
+ # Python flushes standard streams on exit; redirect remaining output
+ # to devnull to avoid another BrokenPipeError at shutdown
+ devnull = os.open(os.devnull, os.O_WRONLY)
+ os.dup2(devnull, sys.stdout.fileno())
+ sys.exit(1)
except IOError as e:
sys.stderr.write("%s: %s\n" % (e.__class__.__name__, str(e)))
sys.exit(1)
--
2.29.2

41
SOURCES/0034-python-semanage-Sort-imports-in-alphabetical-order.patch
View File

@ -1,41 +0,0 @@
From 4b0e627d42f9a8e09dcd064a6ae897f4c2e9cf6c Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com>
Date: Wed, 6 Jan 2021 10:00:07 +0100
Subject: [PATCH] python/semanage: Sort imports in alphabetical order
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
---
python/semanage/semanage | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/python/semanage/semanage b/python/semanage/semanage
index 1abe3536..781e8645 100644
--- a/python/semanage/semanage
+++ b/python/semanage/semanage
@@ -23,10 +23,12 @@
#
#
-import traceback
import argparse
-import sys
import os
+import re
+import sys
+import traceback
+
PROGNAME = "selinux-python"
try:
import gettext
@@ -786,8 +788,6 @@ def setupExportParser(subparsers):
exportParser.add_argument('-f', '--output_file', dest='output_file', action=SetExportFile, help=_('Output file'))
exportParser.set_defaults(func=handleExport)
-import re
-
def mkargv(line):
dquote = "\""
--
2.29.2

49
SOURCES/0035-python-sepolgen-allow-any-policy-statement-in-if-n-d.patch
View File

@ -1,49 +0,0 @@
From e0a1cdb6181bcf3a23fe63b8e67fd5020e81d05e Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com>
Date: Fri, 22 Jan 2021 16:25:52 +0100
Subject: [PATCH] python/sepolgen: allow any policy statement in if(n)def
"ifdef/ifndef" statements can be used to conditionally define
an interface, but this syntax is not recognised by sepolgen-ifgen.
Fix sepolgen-ifgen to allow any policy statement inside an
"ifdef/ifndef" statement.
Fixes:
$ cat <<EOF > i.if
ifndef(`apache_manage_pid_files',`
interface(`apache_manage_pid_files',`
manage_files_pattern($1, httpd_var_run_t, httpd_var_run_t)
')
')
#sepolgen-ifgen --interface=i.if
i.if: Syntax error on line 2 interface [type=INTERFACE]
i.if: Syntax error on line 4 ' [type=SQUOTE]
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
[OM: s/fidef/ifdef/]
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
---
python/sepolgen/src/sepolgen/refparser.py | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/python/sepolgen/src/sepolgen/refparser.py b/python/sepolgen/src/sepolgen/refparser.py
index f506dc3a..5d77e2a3 100644
--- a/python/sepolgen/src/sepolgen/refparser.py
+++ b/python/sepolgen/src/sepolgen/refparser.py
@@ -431,9 +431,9 @@ def p_ifelse(p):
def p_ifdef(p):
- '''ifdef : IFDEF OPAREN TICK IDENTIFIER SQUOTE COMMA TICK interface_stmts SQUOTE CPAREN optional_semi
- | IFNDEF OPAREN TICK IDENTIFIER SQUOTE COMMA TICK interface_stmts SQUOTE CPAREN optional_semi
- | IFDEF OPAREN TICK IDENTIFIER SQUOTE COMMA TICK interface_stmts SQUOTE COMMA TICK interface_stmts SQUOTE CPAREN optional_semi
+ '''ifdef : IFDEF OPAREN TICK IDENTIFIER SQUOTE COMMA TICK statements SQUOTE CPAREN optional_semi
+ | IFNDEF OPAREN TICK IDENTIFIER SQUOTE COMMA TICK statements SQUOTE CPAREN optional_semi
+ | IFDEF OPAREN TICK IDENTIFIER SQUOTE COMMA TICK statements SQUOTE COMMA TICK statements SQUOTE CPAREN optional_semi
'''
x = refpolicy.IfDef(p[4])
if p[1] == 'ifdef':
--
2.29.2

68
SOURCES/0036-setfiles-Do-not-abort-on-labeling-error.patch
View File

@ -1,68 +0,0 @@
From 53ccdd55adfbec60fb4277286f2ad94660838504 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Wed, 13 Jan 2021 22:09:47 +0100
Subject: [PATCH] setfiles: Do not abort on labeling error
Commit 602347c7422e ("policycoreutils: setfiles - Modify to use
selinux_restorecon") changed behavior of setfiles. Original
implementation skipped files which it couldn't set context to while the
new implementation aborts on them. setfiles should abort only if it
can't validate a context from spec_file.
Reproducer:
# mkdir -p r/1 r/2 r/3
# touch r/1/1 r/2/1
# chattr +i r/2/1
# touch r/3/1
# setfiles -r r -v /etc/selinux/targeted/contexts/files/file_contexts r
Relabeled r from unconfined_u:object_r:mnt_t:s0 to unconfined_u:object_r:root_t:s0
Relabeled r/2 from unconfined_u:object_r:mnt_t:s0 to unconfined_u:object_r:default_t:s0
setfiles: Could not set context for r/2/1: Operation not permitted
r/3 and r/1 are not relabeled.
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
---
policycoreutils/setfiles/setfiles.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/policycoreutils/setfiles/setfiles.c b/policycoreutils/setfiles/setfiles.c
index bc83c27b4c06..68eab45aa2b4 100644
--- a/policycoreutils/setfiles/setfiles.c
+++ b/policycoreutils/setfiles/setfiles.c
@@ -182,6 +182,7 @@ int main(int argc, char **argv)
policyfile = NULL;
nerr = 0;
+ r_opts.abort_on_error = 0;
r_opts.progname = strdup(argv[0]);
if (!r_opts.progname) {
fprintf(stderr, "%s: Out of memory!\n", argv[0]);
@@ -194,7 +195,6 @@ int main(int argc, char **argv)
* setfiles:
* Recursive descent,
* Does not expand paths via realpath,
- * Aborts on errors during the file tree walk,
* Try to track inode associations for conflict detection,
* Does not follow mounts (sets SELINUX_RESTORECON_XDEV),
* Validates all file contexts at init time.
@@ -202,7 +202,6 @@ int main(int argc, char **argv)
iamrestorecon = 0;
r_opts.recurse = SELINUX_RESTORECON_RECURSE;
r_opts.userealpath = 0; /* SELINUX_RESTORECON_REALPATH */
- r_opts.abort_on_error = SELINUX_RESTORECON_ABORT_ON_ERROR;
r_opts.add_assoc = SELINUX_RESTORECON_ADD_ASSOC;
/* FTS_PHYSICAL and FTS_NOCHDIR are always set by selinux_restorecon(3) */
r_opts.xdev = SELINUX_RESTORECON_XDEV;
@@ -226,7 +225,6 @@ int main(int argc, char **argv)
iamrestorecon = 1;
r_opts.recurse = 0;
r_opts.userealpath = SELINUX_RESTORECON_REALPATH;
- r_opts.abort_on_error = 0;
r_opts.add_assoc = 0;
r_opts.xdev = 0;
r_opts.ignore_mounts = 0;
--
2.30.0

110
SOURCES/0037-setfiles-drop-ABORT_ON_ERRORS-and-related-code.patch
View File

@ -1,110 +0,0 @@
From 2f135022f4372dc34198c48cfd67b91044e6dfd7 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Wed, 13 Jan 2021 22:09:48 +0100
Subject: [PATCH] setfiles: drop ABORT_ON_ERRORS and related code
`setfiles -d` doesn't have any impact on number of errors before it
aborts. It always aborts on first invalid context in spec file.
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
---
policycoreutils/setfiles/Makefile | 3 ---
policycoreutils/setfiles/ru/setfiles.8 | 2 +-
policycoreutils/setfiles/setfiles.8 | 3 +--
policycoreutils/setfiles/setfiles.c | 18 ------------------
4 files changed, 2 insertions(+), 24 deletions(-)
diff --git a/policycoreutils/setfiles/Makefile b/policycoreutils/setfiles/Makefile
index bc5a8db789a5..a3bbbe116b7f 100644
--- a/policycoreutils/setfiles/Makefile
+++ b/policycoreutils/setfiles/Makefile
@@ -5,8 +5,6 @@ SBINDIR ?= /sbin
MANDIR = $(PREFIX)/share/man
AUDITH ?= $(shell test -f /usr/include/libaudit.h && echo y)
-ABORT_ON_ERRORS=$(shell grep "^\#define ABORT_ON_ERRORS" setfiles.c | awk -S '{ print $$3 }')
-
CFLAGS ?= -g -Werror -Wall -W
override LDLIBS += -lselinux -lsepol
@@ -26,7 +24,6 @@ restorecon_xattr: restorecon_xattr.o restore.o
man:
@cp -af setfiles.8 setfiles.8.man
- @sed -i "s/ABORT_ON_ERRORS/$(ABORT_ON_ERRORS)/g" setfiles.8.man
install: all
[ -d $(DESTDIR)$(MANDIR)/man8 ] || mkdir -p $(DESTDIR)$(MANDIR)/man8
diff --git a/policycoreutils/setfiles/ru/setfiles.8 b/policycoreutils/setfiles/ru/setfiles.8
index 27815a3f1eee..910101452625 100644
--- a/policycoreutils/setfiles/ru/setfiles.8
+++ b/policycoreutils/setfiles/ru/setfiles.8
@@ -47,7 +47,7 @@ setfiles \- установить SELinux-контексты безопаснос
проверить действительность контекстов относительно указанной двоичной политики.
.TP
.B \-d
-показать, какая спецификация соответствует каждому из файлов (не прекращать проверку после получения ошибок ABORT_ON_ERRORS).
+показать, какая спецификация соответствует каждому из файлов.
.TP
.BI \-e \ directory
исключить каталог (чтобы исключить более одного каталога, этот параметр необходимо использовать соответствующее количество раз).
diff --git a/policycoreutils/setfiles/setfiles.8 b/policycoreutils/setfiles/setfiles.8
index a8a76c860dac..b7d3cefb96ff 100644
--- a/policycoreutils/setfiles/setfiles.8
+++ b/policycoreutils/setfiles/setfiles.8
@@ -56,8 +56,7 @@ option will force a replacement of the entire context.
check the validity of the contexts against the specified binary policy.
.TP
.B \-d
-show what specification matched each file (do not abort validation
-after ABORT_ON_ERRORS errors). Not affected by "\-q"
+show what specification matched each file. Not affected by "\-q"
.TP
.BI \-e \ directory
directory to exclude (repeat option for more than one directory).
diff --git a/policycoreutils/setfiles/setfiles.c b/policycoreutils/setfiles/setfiles.c
index 68eab45aa2b4..bcbdfbfe53e2 100644
--- a/policycoreutils/setfiles/setfiles.c
+++ b/policycoreutils/setfiles/setfiles.c
@@ -23,14 +23,6 @@ static int nerr;
#define STAT_BLOCK_SIZE 1
-/* setfiles will abort its operation after reaching the
- * following number of errors (e.g. invalid contexts),
- * unless it is used in "debug" mode (-d option).
- */
-#ifndef ABORT_ON_ERRORS
-#define ABORT_ON_ERRORS 10
-#endif
-
#define SETFILES "setfiles"
#define RESTORECON "restorecon"
static int iamrestorecon;
@@ -57,15 +49,6 @@ static __attribute__((__noreturn__)) void usage(const char *const name)
exit(-1);
}
-void inc_err(void)
-{
- nerr++;
- if (nerr > ABORT_ON_ERRORS - 1 && !r_opts.debug) {
- fprintf(stderr, "Exiting after %d errors.\n", ABORT_ON_ERRORS);
- exit(-1);
- }
-}
-
void set_rootpath(const char *arg)
{
if (strlen(arg) == 1 && strncmp(arg, "/", 1) == 0) {
@@ -98,7 +81,6 @@ int canoncon(char **contextp)
*contextp = tmpcon;
} else if (errno != ENOENT) {
rc = -1;
- inc_err();
}
return rc;
--
2.30.0

44
SOURCES/0038-policycoreutils-setfiles-Drop-unused-nerr-variable.patch
View File

@ -1,44 +0,0 @@
From a691da617a2d3c864786ff2742d9a9f87ecc7d05 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Mon, 1 Feb 2021 15:24:32 +0100
Subject: [PATCH] policycoreutils/setfiles: Drop unused nerr variable
Suggested-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
---
policycoreutils/setfiles/setfiles.c | 5 -----
1 file changed, 5 deletions(-)
diff --git a/policycoreutils/setfiles/setfiles.c b/policycoreutils/setfiles/setfiles.c
index bcbdfbfe53e2..82d0aaa75893 100644
--- a/policycoreutils/setfiles/setfiles.c
+++ b/policycoreutils/setfiles/setfiles.c
@@ -19,7 +19,6 @@ static int warn_no_match;
static int null_terminated;
static int request_digest;
static struct restore_opts r_opts;
-static int nerr;
#define STAT_BLOCK_SIZE 1
@@ -162,7 +161,6 @@ int main(int argc, char **argv)
warn_no_match = 0;
request_digest = 0;
policyfile = NULL;
- nerr = 0;
r_opts.abort_on_error = 0;
r_opts.progname = strdup(argv[0]);
@@ -417,9 +415,6 @@ int main(int argc, char **argv)
r_opts.selabel_opt_digest = (request_digest ? (char *)1 : NULL);
r_opts.selabel_opt_path = altpath;
- if (nerr)
- exit(-1);
-
restore_init(&r_opts);
if (use_input_file) {
--
2.30.0

62
SOURCES/0039-selinux-8-5-Describe-fcontext-regular-expressions.patch
View File

@ -1,62 +0,0 @@
From c556c6ad0b94cf3ba4b441a1a0930f2468434227 Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com>
Date: Wed, 10 Feb 2021 18:05:29 +0100
Subject: [PATCH] selinux(8,5): Describe fcontext regular expressions
Describe which type of regular expression is used in file context
definitions and which flags are in effect.
Explain how local file context modifications are processed.
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Acked-by: Petr Lautrbach <plautrba@redhat.com>
---
python/semanage/semanage | 2 +-
python/semanage/semanage-fcontext.8 | 18 ++++++++++++++++++
2 files changed, 19 insertions(+), 1 deletion(-)
diff --git a/python/semanage/semanage b/python/semanage/semanage
index 781e8645..ebb93ea5 100644
--- a/python/semanage/semanage
+++ b/python/semanage/semanage
@@ -366,7 +366,7 @@ If you do not specify a file type, the file type will default to "all files".
parser_add_seuser(fcontextParser, "fcontext")
parser_add_type(fcontextParser, "fcontext")
parser_add_range(fcontextParser, "fcontext")
- fcontextParser.add_argument('file_spec', nargs='?', default=None, help=_('file_spec'))
+ fcontextParser.add_argument('file_spec', nargs='?', default=None, help=_('Path to be labeled (may be in the form of a Perl compatible regular expression)'))
fcontextParser.set_defaults(func=handleFcontext)
diff --git a/python/semanage/semanage-fcontext.8 b/python/semanage/semanage-fcontext.8
index 561123af..49635ba7 100644
--- a/python/semanage/semanage-fcontext.8
+++ b/python/semanage/semanage-fcontext.8
@@ -11,6 +11,24 @@ SELinux policy without requiring modification to or recompilation
from policy sources. semanage fcontext is used to manage the default
file system labeling on an SELinux system. This command maps file paths using regular expressions to SELinux labels.
+FILE_SPEC may contain either a fully qualified path,
+or a Perl compatible regular expression (PCRE),
+describing fully qualified path(s). The only PCRE flag in use is PCRE2_DOTALL,
+which causes a wildcard '.' to match anything, including a new line.
+Strings representing paths are processed as bytes (as opposed to Unicode),
+meaning that non-ASCII characters are not matched by a single wildcard.
+
+Note, that file context definitions specified using 'semanage fcontext'
+(i.e. local file context modifications stored in file_contexts.local)
+have higher priority than those specified in policy modules.
+This means that whenever a match for given file path is found in
+file_contexts.local, no other file context definitions are considered.
+Entries in file_contexts.local are processed from most recent one to the oldest,
+with first match being used (as opposed to the most specific match,
+which is used when matching other file context definitions).
+All regular expressions should therefore be as specific as possible,
+to avoid unintentionally impacting other parts of the filesystem.
+
.SH "OPTIONS"
.TP
.I \-h, \-\-help
--
2.29.2

69
SOURCES/0040-policycoreutils-setfiles-do-not-restrict-checks-agai.patch
View File

@ -1,69 +0,0 @@
From d10e773c014a12b17fefd9caef0bd02528d75d18 Mon Sep 17 00:00:00 2001
From: Antoine Tenart <antoine.tenart@bootlin.com>
Date: Tue, 7 Jul 2020 16:35:01 +0200
Subject: [PATCH] policycoreutils: setfiles: do not restrict checks against a
binary policy
The -c option allows to check the validity of contexts against a
specified binary policy. Its use is restricted: no pathname can be used
when a binary policy is given to setfiles. It's not clear if this is
intentional as the built-in help and the man page are not stating the
same thing about this (the man page document -c as a normal option,
while the built-in help shows it is restricted).
When generating full system images later used with SELinux in enforcing
mode, the extended attributed of files have to be set by the build
machine. The issue is setfiles always checks the contexts against a
policy (ctx_validate = 1) and using an external binary policy is not
currently possible when using a pathname. This ends up in setfiles
failing early as the contexts of the target image are not always
compatible with the ones of the build machine.
This patch reworks a check on optind only made when -c is used, that
enforced the use of a single argument to allow 1+ arguments, allowing to
use setfiles with an external binary policy and pathnames. The following
command is then allowed, as already documented in the man page:
$ setfiles -m -r target/ -c policy.32 file_contexts target/
Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
(cherry-picked from SElinuxProject
commit: c94e542c98da2f26863c1cbd9d7ad9bc5cca6aff )
---
policycoreutils/setfiles/setfiles.c | 11 +++++------
1 file changed, 5 insertions(+), 6 deletions(-)
diff --git a/policycoreutils/setfiles/setfiles.c b/policycoreutils/setfiles/setfiles.c
index 82d0aaa7..4fd3d756 100644
--- a/policycoreutils/setfiles/setfiles.c
+++ b/policycoreutils/setfiles/setfiles.c
@@ -39,11 +39,10 @@ static __attribute__((__noreturn__)) void usage(const char *const name)
name, name);
} else {
fprintf(stderr,
- "usage: %s [-diIDlmnpqvFW] [-e excludedir] [-r alt_root_path] spec_file pathname...\n"
- "usage: %s [-diIDlmnpqvFW] [-e excludedir] [-r alt_root_path] spec_file -f filename\n"
- "usage: %s -s [-diIDlmnpqvFW] spec_file\n"
- "usage: %s -c policyfile spec_file\n",
- name, name, name, name);
+ "usage: %s [-diIDlmnpqvEFW] [-e excludedir] [-r alt_root_path] [-c policyfile] spec_file pathname...\n"
+ "usage: %s [-diIDlmnpqvEFW] [-e excludedir] [-r alt_root_path] [-c policyfile] spec_file -f filename\n"
+ "usage: %s -s [-diIDlmnpqvFW] spec_file\n",
+ name, name, name);
}
exit(-1);
}
@@ -376,7 +375,7 @@ int main(int argc, char **argv)
if (!iamrestorecon) {
if (policyfile) {
- if (optind != (argc - 1))
+ if (optind > (argc - 1))
usage(argv[0]);
} else if (use_input_file) {
if (optind != (argc - 1)) {
--
2.30.2

674
SOURCES/0041-semodule-add-m-checksum-option.patch
View File

@ -1,674 +0,0 @@
From e748832819b781507903838483376d308c90ca79 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Tue, 16 Nov 2021 14:27:11 +0100
Subject: [PATCH] semodule: add -m | --checksum option
Since cil doesn't store module name and module version in module itself,
there's no simple way how to compare that installed module is the same
version as the module which is supposed to be installed. Even though the
version was not used by semodule itself, it was apparently used by some
team.
With `semodule -l --checksum` users get SHA256 hashes of modules and
could compare them with their files which is faster than installing
modules again and again.
E.g.
# time (
semodule -l --checksum | grep localmodule
/usr/libexec/selinux/hll/pp localmodule.pp | sha256sum
)
localmodule db002f64ddfa3983257b42b54da7b182c9b2e476f47880ae3494f9099e1a42bd
db002f64ddfa3983257b42b54da7b182c9b2e476f47880ae3494f9099e1a42bd -
real 0m0.876s
user 0m0.849s
sys 0m0.028s
vs
# time semodule -i localmodule.pp
real 0m6.147s
user 0m5.800s
sys 0m0.231s
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
---
policycoreutils/semodule/Makefile | 2 +-
policycoreutils/semodule/semodule.8 | 6 +
policycoreutils/semodule/semodule.c | 95 ++++++++-
policycoreutils/semodule/sha256.c | 294 ++++++++++++++++++++++++++++
policycoreutils/semodule/sha256.h | 89 +++++++++
5 files changed, 480 insertions(+), 6 deletions(-)
create mode 100644 policycoreutils/semodule/sha256.c
create mode 100644 policycoreutils/semodule/sha256.h
diff --git a/policycoreutils/semodule/Makefile b/policycoreutils/semodule/Makefile
index 73801e487a76..9875ac383280 100644
--- a/policycoreutils/semodule/Makefile
+++ b/policycoreutils/semodule/Makefile
@@ -6,7 +6,7 @@ MANDIR = $(PREFIX)/share/man
CFLAGS ?= -Werror -Wall -W
override LDLIBS += -lsepol -lselinux -lsemanage
-SEMODULE_OBJS = semodule.o
+SEMODULE_OBJS = semodule.o sha256.o
all: semodule genhomedircon
diff --git a/policycoreutils/semodule/semodule.8 b/policycoreutils/semodule/semodule.8
index 18d4f708661c..3a2fb21c2481 100644
--- a/policycoreutils/semodule/semodule.8
+++ b/policycoreutils/semodule/semodule.8
@@ -95,6 +95,9 @@ only modules listed in \-\-extract after this option.
.B \-H,\-\-hll
Extract module as an HLL file. This only affects the \-\-extract option and
only modules listed in \-\-extract after this option.
+.TP
+.B \-m,\-\-checksum
+Add SHA256 checksum of modules to the list output.
.SH EXAMPLE
.nf
@@ -130,6 +133,9 @@ $ semodule \-B \-S "/tmp/var/lib/selinux"
# Write the HLL version of puppet and the CIL version of wireshark
# modules at priority 400 to the current working directory
$ semodule \-X 400 \-\-hll \-E puppet \-\-cil \-E wireshark
+# Check whether a module in "localmodule.pp" file is same as installed module "localmodule"
+$ /usr/libexec/selinux/hll/pp localmodule.pp | sha256sum
+$ semodule -l -m | grep localmodule
.fi
.SH SEE ALSO
diff --git a/policycoreutils/semodule/semodule.c b/policycoreutils/semodule/semodule.c
index a76797f505cd..300a97d735cc 100644
--- a/policycoreutils/semodule/semodule.c
+++ b/policycoreutils/semodule/semodule.c
@@ -24,6 +24,8 @@
#include <semanage/modules.h>
+#include "sha256.h"
+
enum client_modes {
NO_MODE, INSTALL_M, REMOVE_M, EXTRACT_M, CIL_M, HLL_M,
LIST_M, RELOAD, PRIORITY_M, ENABLE_M, DISABLE_M
@@ -56,6 +58,7 @@ static semanage_handle_t *sh = NULL;
static char *store;
static char *store_root;
int extract_cil = 0;
+static int checksum = 0;
extern char *optarg;
extern int optind;
@@ -146,6 +149,7 @@ static void usage(char *progname)
printf(" -S,--store-path use an alternate path for the policy store root\n");
printf(" -c, --cil extract module as cil. This only affects module extraction.\n");
printf(" -H, --hll extract module as hll. This only affects module extraction.\n");
+ printf(" -m, --checksum print module checksum (SHA256).\n");
}
/* Sets the global mode variable to new_mode, but only if no other
@@ -199,6 +203,7 @@ static void parse_command_line(int argc, char **argv)
{"disable", required_argument, NULL, 'd'},
{"path", required_argument, NULL, 'p'},
{"store-path", required_argument, NULL, 'S'},
+ {"checksum", 0, NULL, 'm'},
{NULL, 0, NULL, 0}
};
int extract_selected = 0;
@@ -209,7 +214,7 @@ static void parse_command_line(int argc, char **argv)
no_reload = 0;
priority = 400;
while ((i =
- getopt_long(argc, argv, "s:b:hi:l::vr:u:RnNBDCPX:e:d:p:S:E:cH", opts,
+ getopt_long(argc, argv, "s:b:hi:l::vr:u:RnNBDCPX:e:d:p:S:E:cHm", opts,
NULL)) != -1) {
switch (i) {
case 'b':
@@ -286,6 +291,9 @@ static void parse_command_line(int argc, char **argv)
case 'd':
set_mode(DISABLE_M, optarg);
break;
+ case 'm':
+ checksum = 1;
+ break;
case '?':
default:{
usage(argv[0]);
@@ -337,6 +345,61 @@ static void parse_command_line(int argc, char **argv)
}
}
+/* Get module checksum */
+static char *hash_module_data(const char *module_name, const int prio) {
+ semanage_module_info_t *extract_info = NULL;
+ semanage_module_key_t *modkey = NULL;
+ Sha256Context context;
+ uint8_t sha256_hash[SHA256_HASH_SIZE];
+ char *sha256_buf = NULL;
+ void *data;
+ size_t data_len = 0, i;
+ int result;
+
+ result = semanage_module_key_create(sh, &modkey);
+ if (result != 0) {
+ goto cleanup_extract;
+ }
+
+ result = semanage_module_key_set_name(sh, modkey, module_name);
+ if (result != 0) {
+ goto cleanup_extract;
+ }
+
+ result = semanage_module_key_set_priority(sh, modkey, prio);
+ if (result != 0) {
+ goto cleanup_extract;
+ }
+
+ result = semanage_module_extract(sh, modkey, 1, &data, &data_len,
+ &extract_info);
+ if (result != 0) {
+ goto cleanup_extract;
+ }
+
+ Sha256Initialise(&context);
+ Sha256Update(&context, data, data_len);
+
+ Sha256Finalise(&context, (SHA256_HASH *)sha256_hash);
+
+ sha256_buf = calloc(1, SHA256_HASH_SIZE * 2 + 1);
+
+ if (sha256_buf == NULL)
+ goto cleanup_extract;
+
+ for (i = 0; i < SHA256_HASH_SIZE; i++) {
+ sprintf((&sha256_buf[i * 2]), "%02x", sha256_hash[i]);
+ }
+ sha256_buf[i * 2] = 0;
+
+cleanup_extract:
+ semanage_module_info_destroy(sh, extract_info);
+ free(extract_info);
+ semanage_module_key_destroy(sh, modkey);
+ free(modkey);
+ return sha256_buf;
+}
+
int main(int argc, char *argv[])
{
int i, commit = 0;
@@ -544,6 +607,8 @@ cleanup_extract:
int modinfos_len = 0;
semanage_module_info_t *m = NULL;
int j = 0;
+ char *module_checksum = NULL;
+ uint16_t pri = 0;
if (verbose) {
printf
@@ -568,7 +633,18 @@ cleanup_extract:
result = semanage_module_info_get_name(sh, m, &name);
if (result != 0) goto cleanup_list;
- printf("%s\n", name);
+ result = semanage_module_info_get_priority(sh, m, &pri);
+ if (result != 0) goto cleanup_list;
+
+ printf("%s", name);
+ if (checksum) {
+ module_checksum = hash_module_data(name, pri);
+ if (module_checksum) {
+ printf(" %s", module_checksum);
+ free(module_checksum);
+ }
+ }
+ printf("\n");
}
}
else if (strcmp(mode_arg, "full") == 0) {
@@ -583,11 +659,12 @@ cleanup_extract:
}
/* calculate column widths */
- size_t column[4] = { 0, 0, 0, 0 };
+ size_t column[5] = { 0, 0, 0, 0, 0 };
/* fixed width columns */
column[0] = sizeof("000") - 1;
column[3] = sizeof("disabled") - 1;
+ column[4] = 64; /* SHA256_HASH_SIZE * 2 */
/* variable width columns */
const char *tmp = NULL;
@@ -610,7 +687,6 @@ cleanup_extract:
/* print out each module */
for (j = 0; j < modinfos_len; j++) {
- uint16_t pri = 0;
const char *name = NULL;
int enabled = 0;
const char *lang_ext = NULL;
@@ -629,11 +705,20 @@ cleanup_extract:
result = semanage_module_info_get_lang_ext(sh, m, &lang_ext);
if (result != 0) goto cleanup_list;
- printf("%0*u %-*s %-*s %-*s\n",
+ printf("%0*u %-*s %-*s %-*s",
(int)column[0], pri,
(int)column[1], name,
(int)column[2], lang_ext,
(int)column[3], enabled ? "" : "disabled");
+ if (checksum) {
+ module_checksum = hash_module_data(name, pri);
+ if (module_checksum) {
+ printf(" %-*s", (int)column[4], module_checksum);
+ free(module_checksum);
+ }
+ }
+ printf("\n");
+
}
}
else {
diff --git a/policycoreutils/semodule/sha256.c b/policycoreutils/semodule/sha256.c
new file mode 100644
index 000000000000..fe2aeef07f53
--- /dev/null
+++ b/policycoreutils/semodule/sha256.c
@@ -0,0 +1,294 @@
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+// WjCryptLib_Sha256
+//
+// Implementation of SHA256 hash function.
+// Original author: Tom St Denis, tomstdenis@gmail.com, http://libtom.org
+// Modified by WaterJuice retaining Public Domain license.
+//
+// This is free and unencumbered software released into the public domain - June 2013 waterjuice.org
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+// IMPORTS
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+
+#include "sha256.h"
+#include <memory.h>
+
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+// MACROS
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+
+#define ror(value, bits) (((value) >> (bits)) | ((value) << (32 - (bits))))
+
+#define MIN(x, y) ( ((x)<(y))?(x):(y) )
+
+#define STORE32H(x, y) \
+ { (y)[0] = (uint8_t)(((x)>>24)&255); (y)[1] = (uint8_t)(((x)>>16)&255); \
+ (y)[2] = (uint8_t)(((x)>>8)&255); (y)[3] = (uint8_t)((x)&255); }
+
+#define LOAD32H(x, y) \
+ { x = ((uint32_t)((y)[0] & 255)<<24) | \
+ ((uint32_t)((y)[1] & 255)<<16) | \
+ ((uint32_t)((y)[2] & 255)<<8) | \
+ ((uint32_t)((y)[3] & 255)); }
+
+#define STORE64H(x, y) \
+ { (y)[0] = (uint8_t)(((x)>>56)&255); (y)[1] = (uint8_t)(((x)>>48)&255); \
+ (y)[2] = (uint8_t)(((x)>>40)&255); (y)[3] = (uint8_t)(((x)>>32)&255); \
+ (y)[4] = (uint8_t)(((x)>>24)&255); (y)[5] = (uint8_t)(((x)>>16)&255); \
+ (y)[6] = (uint8_t)(((x)>>8)&255); (y)[7] = (uint8_t)((x)&255); }
+
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+// CONSTANTS
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+
+// The K array
+static const uint32_t K[64] = {
+ 0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL, 0x3956c25bUL,
+ 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL, 0xd807aa98UL, 0x12835b01UL,
+ 0x243185beUL, 0x550c7dc3UL, 0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL,
+ 0xc19bf174UL, 0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL,
+ 0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL, 0x983e5152UL,
+ 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL, 0xc6e00bf3UL, 0xd5a79147UL,
+ 0x06ca6351UL, 0x14292967UL, 0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL,
+ 0x53380d13UL, 0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,
+ 0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL, 0xd192e819UL,
+ 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL, 0x19a4c116UL, 0x1e376c08UL,
+ 0x2748774cUL, 0x34b0bcb5UL, 0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL,
+ 0x682e6ff3UL, 0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,
+ 0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL
+};
+
+#define BLOCK_SIZE 64
+
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+// INTERNAL FUNCTIONS
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+
+// Various logical functions
+#define Ch( x, y, z ) (z ^ (x & (y ^ z)))
+#define Maj( x, y, z ) (((x | y) & z) | (x & y))
+#define S( x, n ) ror((x),(n))
+#define R( x, n ) (((x)&0xFFFFFFFFUL)>>(n))
+#define Sigma0( x ) (S(x, 2) ^ S(x, 13) ^ S(x, 22))
+#define Sigma1( x ) (S(x, 6) ^ S(x, 11) ^ S(x, 25))
+#define Gamma0( x ) (S(x, 7) ^ S(x, 18) ^ R(x, 3))
+#define Gamma1( x ) (S(x, 17) ^ S(x, 19) ^ R(x, 10))
+
+#define Sha256Round( a, b, c, d, e, f, g, h, i ) \
+ t0 = h + Sigma1(e) + Ch(e, f, g) + K[i] + W[i]; \
+ t1 = Sigma0(a) + Maj(a, b, c); \
+ d += t0; \
+ h = t0 + t1;
+
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+// TransformFunction
+//
+// Compress 512-bits
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+static
+void
+ TransformFunction
+ (
+ Sha256Context* Context,
+ uint8_t const* Buffer
+ )
+{
+ uint32_t S[8];
+ uint32_t W[64];
+ uint32_t t0;
+ uint32_t t1;
+ uint32_t t;
+ int i;
+
+ // Copy state into S
+ for( i=0; i<8; i++ )
+ {
+ S[i] = Context->state[i];
+ }
+
+ // Copy the state into 512-bits into W[0..15]
+ for( i=0; i<16; i++ )
+ {
+ LOAD32H( W[i], Buffer + (4*i) );
+ }
+
+ // Fill W[16..63]
+ for( i=16; i<64; i++ )
+ {
+ W[i] = Gamma1( W[i-2]) + W[i-7] + Gamma0( W[i-15] ) + W[i-16];
+ }
+
+ // Compress
+ for( i=0; i<64; i++ )
+ {
+ Sha256Round( S[0], S[1], S[2], S[3], S[4], S[5], S[6], S[7], i );
+ t = S[7];
+ S[7] = S[6];
+ S[6] = S[5];
+ S[5] = S[4];
+ S[4] = S[3];
+ S[3] = S[2];
+ S[2] = S[1];
+ S[1] = S[0];
+ S[0] = t;
+ }
+
+ // Feedback
+ for( i=0; i<8; i++ )
+ {
+ Context->state[i] = Context->state[i] + S[i];
+ }
+}
+
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+// PUBLIC FUNCTIONS
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+// Sha256Initialise
+//
+// Initialises a SHA256 Context. Use this to initialise/reset a context.
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+void
+ Sha256Initialise
+ (
+ Sha256Context* Context // [out]
+ )
+{
+ Context->curlen = 0;
+ Context->length = 0;
+ Context->state[0] = 0x6A09E667UL;
+ Context->state[1] = 0xBB67AE85UL;
+ Context->state[2] = 0x3C6EF372UL;
+ Context->state[3] = 0xA54FF53AUL;
+ Context->state[4] = 0x510E527FUL;
+ Context->state[5] = 0x9B05688CUL;
+ Context->state[6] = 0x1F83D9ABUL;
+ Context->state[7] = 0x5BE0CD19UL;
+}
+
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+// Sha256Update
+//
+// Adds data to the SHA256 context. This will process the data and update the internal state of the context. Keep on
+// calling this function until all the data has been added. Then call Sha256Finalise to calculate the hash.
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+void
+ Sha256Update
+ (
+ Sha256Context* Context, // [in out]
+ void const* Buffer, // [in]
+ uint32_t BufferSize // [in]
+ )
+{
+ uint32_t n;
+
+ if( Context->curlen > sizeof(Context->buf) )
+ {
+ return;
+ }
+
+ while( BufferSize > 0 )
+ {
+ if( Context->curlen == 0 && BufferSize >= BLOCK_SIZE )
+ {
+ TransformFunction( Context, (uint8_t*)Buffer );
+ Context->length += BLOCK_SIZE * 8;
+ Buffer = (uint8_t*)Buffer + BLOCK_SIZE;
+ BufferSize -= BLOCK_SIZE;
+ }
+ else
+ {
+ n = MIN( BufferSize, (BLOCK_SIZE - Context->curlen) );
+ memcpy( Context->buf + Context->curlen, Buffer, (size_t)n );
+ Context->curlen += n;
+ Buffer = (uint8_t*)Buffer + n;
+ BufferSize -= n;
+ if( Context->curlen == BLOCK_SIZE )
+ {
+ TransformFunction( Context, Context->buf );
+ Context->length += 8*BLOCK_SIZE;
+ Context->curlen = 0;
+ }
+ }
+ }
+}
+
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+// Sha256Finalise
+//
+// Performs the final calculation of the hash and returns the digest (32 byte buffer containing 256bit hash). After
+// calling this, Sha256Initialised must be used to reuse the context.
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+void
+ Sha256Finalise
+ (
+ Sha256Context* Context, // [in out]
+ SHA256_HASH* Digest // [out]
+ )
+{
+ int i;
+
+ if( Context->curlen >= sizeof(Context->buf) )
+ {
+ return;
+ }
+
+ // Increase the length of the message
+ Context->length += Context->curlen * 8;
+
+ // Append the '1' bit
+ Context->buf[Context->curlen++] = (uint8_t)0x80;
+
+ // if the length is currently above 56 bytes we append zeros
+ // then compress. Then we can fall back to padding zeros and length
+ // encoding like normal.
+ if( Context->curlen > 56 )
+ {
+ while( Context->curlen < 64 )
+ {
+ Context->buf[Context->curlen++] = (uint8_t)0;
+ }
+ TransformFunction(Context, Context->buf);
+ Context->curlen = 0;
+ }
+
+ // Pad up to 56 bytes of zeroes
+ while( Context->curlen < 56 )
+ {
+ Context->buf[Context->curlen++] = (uint8_t)0;
+ }
+
+ // Store length
+ STORE64H( Context->length, Context->buf+56 );
+ TransformFunction( Context, Context->buf );
+
+ // Copy output
+ for( i=0; i<8; i++ )
+ {
+ STORE32H( Context->state[i], Digest->bytes+(4*i) );
+ }
+}
+
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+// Sha256Calculate
+//
+// Combines Sha256Initialise, Sha256Update, and Sha256Finalise into one function. Calculates the SHA256 hash of the
+// buffer.
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+void
+ Sha256Calculate
+ (
+ void const* Buffer, // [in]
+ uint32_t BufferSize, // [in]
+ SHA256_HASH* Digest // [in]
+ )
+{
+ Sha256Context context;
+
+ Sha256Initialise( &context );
+ Sha256Update( &context, Buffer, BufferSize );
+ Sha256Finalise( &context, Digest );
+}
diff --git a/policycoreutils/semodule/sha256.h b/policycoreutils/semodule/sha256.h
new file mode 100644
index 000000000000..406ed869cd82
--- /dev/null
+++ b/policycoreutils/semodule/sha256.h
@@ -0,0 +1,89 @@
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+// WjCryptLib_Sha256
+//
+// Implementation of SHA256 hash function.
+// Original author: Tom St Denis, tomstdenis@gmail.com, http://libtom.org
+// Modified by WaterJuice retaining Public Domain license.
+//
+// This is free and unencumbered software released into the public domain - June 2013 waterjuice.org
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+
+#pragma once
+
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+// IMPORTS
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+
+#include <stdint.h>
+#include <stdio.h>
+
+typedef struct
+{
+ uint64_t length;
+ uint32_t state[8];
+ uint32_t curlen;
+ uint8_t buf[64];
+} Sha256Context;
+
+#define SHA256_HASH_SIZE ( 256 / 8 )
+
+typedef struct
+{
+ uint8_t bytes [SHA256_HASH_SIZE];
+} SHA256_HASH;
+
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+// PUBLIC FUNCTIONS
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+// Sha256Initialise
+//
+// Initialises a SHA256 Context. Use this to initialise/reset a context.
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+void
+ Sha256Initialise
+ (
+ Sha256Context* Context // [out]
+ );
+
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+// Sha256Update
+//
+// Adds data to the SHA256 context. This will process the data and update the internal state of the context. Keep on
+// calling this function until all the data has been added. Then call Sha256Finalise to calculate the hash.
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+void
+ Sha256Update
+ (
+ Sha256Context* Context, // [in out]
+ void const* Buffer, // [in]
+ uint32_t BufferSize // [in]
+ );
+
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+// Sha256Finalise
+//
+// Performs the final calculation of the hash and returns the digest (32 byte buffer containing 256bit hash). After
+// calling this, Sha256Initialised must be used to reuse the context.
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+void
+ Sha256Finalise
+ (
+ Sha256Context* Context, // [in out]
+ SHA256_HASH* Digest // [out]
+ );
+
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+// Sha256Calculate
+//
+// Combines Sha256Initialise, Sha256Update, and Sha256Finalise into one function. Calculates the SHA256 hash of the
+// buffer.
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+void
+ Sha256Calculate
+ (
+ void const* Buffer, // [in]
+ uint32_t BufferSize, // [in]
+ SHA256_HASH* Digest // [in]
+ );
--
2.33.1

29
SOURCES/0042-semodule-Fix-lang_ext-column-index.patch
View File

@ -1,29 +0,0 @@
From 14084bad4f5bcfdb769ba39c9a6f12e4787ab909 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Tue, 16 Nov 2021 16:11:22 +0100
Subject: [PATCH] semodule: Fix lang_ext column index
lang_ext is 3. column - index number 2.
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
---
policycoreutils/semodule/semodule.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policycoreutils/semodule/semodule.c b/policycoreutils/semodule/semodule.c
index 300a97d735cc..c677cc4f1d81 100644
--- a/policycoreutils/semodule/semodule.c
+++ b/policycoreutils/semodule/semodule.c
@@ -682,7 +682,7 @@ cleanup_extract:
if (result != 0) goto cleanup_list;
size = strlen(tmp);
- if (size > column[3]) column[3] = size;
+ if (size > column[2]) column[2] = size;
}
/* print out each module */
--
2.33.1

32
SOURCES/0043-semodule-Don-t-forget-to-munmap-data.patch
View File

@ -1,32 +0,0 @@
From 61f05b6d26063e1ebdc06609c29a067d44579b41 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Tue, 23 Nov 2021 17:38:51 +0100
Subject: [PATCH] semodule: Don't forget to munmap() data
semanage_module_extract() mmap()'s the module raw data but it leaves on
the caller to munmap() them.
Reported-by: Ondrej Mosnacek <omosnace@redhat.com>
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
---
policycoreutils/semodule/semodule.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/policycoreutils/semodule/semodule.c b/policycoreutils/semodule/semodule.c
index c677cc4f1d81..dc227058b073 100644
--- a/policycoreutils/semodule/semodule.c
+++ b/policycoreutils/semodule/semodule.c
@@ -393,6 +393,9 @@ static char *hash_module_data(const char *module_name, const int prio) {
sha256_buf[i * 2] = 0;
cleanup_extract:
+ if (data_len > 0) {
+ munmap(data, data_len);
+ }
semanage_module_info_destroy(sh, extract_info);
free(extract_info);
semanage_module_key_destroy(sh, modkey);
--
2.33.1

41
SOURCES/0044-policycoreutils-Improve-error-message-when-selabel_o.patch
View File

@ -1,41 +0,0 @@
From 69da6239d8505a9d6ca547187f71a351df17f157 Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com>
Date: Mon, 10 Jan 2022 18:35:27 +0100
Subject: [PATCH] policycoreutils: Improve error message when selabel_open
fails
When selabel_open fails to locate file_context files and
selabel_opt_path is not specified (e.g. when the policy type is
missconfigured in /etc/selinux/config), perror only prints
"No such file or directory".
This can be confusing in case of "restorecon" since it's
not apparent that the issue is in policy store.
Before:
\# restorecon -v /tmp/foo.txt
No such file or directory
After:
\# restorecon -v /tmp/foo.txt
/etc/selinux/yolo/contexts/files/file_contexts: No such file or directory
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
---
policycoreutils/setfiles/restore.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policycoreutils/setfiles/restore.c b/policycoreutils/setfiles/restore.c
index d3335d1a..ba2668b3 100644
--- a/policycoreutils/setfiles/restore.c
+++ b/policycoreutils/setfiles/restore.c
@@ -29,7 +29,7 @@ void restore_init(struct restore_opts *opts)
opts->hnd = selabel_open(SELABEL_CTX_FILE, selinux_opts, 3);
if (!opts->hnd) {
- perror(opts->selabel_opt_path);
+ perror(opts->selabel_opt_path ? opts->selabel_opt_path : selinux_file_context_path());
exit(1);
}
--
2.30.2

539
SOURCES/0045-semodule-libsemanage-move-module-hashing-into-libsem.patch
View File

@ -1,539 +0,0 @@
From 066007029b3dd250305d7fac0bfd53aa1e4543cf Mon Sep 17 00:00:00 2001
From: Ondrej Mosnacek <omosnace@redhat.com>
Date: Thu, 3 Feb 2022 17:53:23 +0100
Subject: [PATCH] semodule,libsemanage: move module hashing into libsemanage
The main goal of this move is to have the SHA-256 implementation under
libsemanage, since upcoming patches will make use of SHA-256 for a
different (but similar) purpose in libsemanage. Having the hashing code
in libsemanage will reduce code duplication and allow for easier hash
algorithm upgrade in the future.
Note that libselinux currently also contains a hash function
implementation (for yet another different purpose). This patch doesn't
make any effort to address that duplicity yet.
This patch also changes the format of the hash string printed by
semodule to include the name of the hash. The intent is to avoid
ambiguity and potential collisions when the algorithm is potentially
changed in the future.
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
---
policycoreutils/semodule/Makefile | 2 +-
policycoreutils/semodule/semodule.c | 53 ++---
policycoreutils/semodule/sha256.c | 294 ----------------------------
policycoreutils/semodule/sha256.h | 89 ---------
4 files changed, 17 insertions(+), 421 deletions(-)
delete mode 100644 policycoreutils/semodule/sha256.c
delete mode 100644 policycoreutils/semodule/sha256.h
diff --git a/policycoreutils/semodule/Makefile b/policycoreutils/semodule/Makefile
index 9875ac38..73801e48 100644
--- a/policycoreutils/semodule/Makefile
+++ b/policycoreutils/semodule/Makefile
@@ -6,7 +6,7 @@ MANDIR = $(PREFIX)/share/man
CFLAGS ?= -Werror -Wall -W
override LDLIBS += -lsepol -lselinux -lsemanage
-SEMODULE_OBJS = semodule.o sha256.o
+SEMODULE_OBJS = semodule.o
all: semodule genhomedircon
diff --git a/policycoreutils/semodule/semodule.c b/policycoreutils/semodule/semodule.c
index dc227058..243b1add 100644
--- a/policycoreutils/semodule/semodule.c
+++ b/policycoreutils/semodule/semodule.c
@@ -24,8 +24,6 @@
#include <semanage/modules.h>
-#include "sha256.h"
-
enum client_modes {
NO_MODE, INSTALL_M, REMOVE_M, EXTRACT_M, CIL_M, HLL_M,
LIST_M, RELOAD, PRIORITY_M, ENABLE_M, DISABLE_M
@@ -347,60 +345,38 @@ static void parse_command_line(int argc, char **argv)
/* Get module checksum */
static char *hash_module_data(const char *module_name, const int prio) {
- semanage_module_info_t *extract_info = NULL;
semanage_module_key_t *modkey = NULL;
- Sha256Context context;
- uint8_t sha256_hash[SHA256_HASH_SIZE];
- char *sha256_buf = NULL;
- void *data;
- size_t data_len = 0, i;
+ char *hash_str = NULL;
+ void *hash = NULL;
+ size_t hash_len = 0;
int result;
result = semanage_module_key_create(sh, &modkey);
if (result != 0) {
- goto cleanup_extract;
+ goto cleanup;
}
result = semanage_module_key_set_name(sh, modkey, module_name);
if (result != 0) {
- goto cleanup_extract;
+ goto cleanup;
}
result = semanage_module_key_set_priority(sh, modkey, prio);
if (result != 0) {
- goto cleanup_extract;
+ goto cleanup;
}
- result = semanage_module_extract(sh, modkey, 1, &data, &data_len,
- &extract_info);
+ result = semanage_module_compute_checksum(sh, modkey, 1, &hash_str,
+ &hash_len);
if (result != 0) {
- goto cleanup_extract;
- }
-
- Sha256Initialise(&context);
- Sha256Update(&context, data, data_len);
-
- Sha256Finalise(&context, (SHA256_HASH *)sha256_hash);
-
- sha256_buf = calloc(1, SHA256_HASH_SIZE * 2 + 1);
-
- if (sha256_buf == NULL)
- goto cleanup_extract;
-
- for (i = 0; i < SHA256_HASH_SIZE; i++) {
- sprintf((&sha256_buf[i * 2]), "%02x", sha256_hash[i]);
+ goto cleanup;
}
- sha256_buf[i * 2] = 0;
-cleanup_extract:
- if (data_len > 0) {
- munmap(data, data_len);
- }
- semanage_module_info_destroy(sh, extract_info);
- free(extract_info);
+cleanup:
+ free(hash);
semanage_module_key_destroy(sh, modkey);
free(modkey);
- return sha256_buf;
+ return hash_str;
}
int main(int argc, char *argv[])
@@ -667,7 +643,10 @@ cleanup_extract:
/* fixed width columns */
column[0] = sizeof("000") - 1;
column[3] = sizeof("disabled") - 1;
- column[4] = 64; /* SHA256_HASH_SIZE * 2 */
+
+ result = semanage_module_compute_checksum(sh, NULL, 0, NULL,
+ &column[4]);
+ if (result != 0) goto cleanup_list;
/* variable width columns */
const char *tmp = NULL;
diff --git a/policycoreutils/semodule/sha256.c b/policycoreutils/semodule/sha256.c
deleted file mode 100644
index fe2aeef0..00000000
--- a/policycoreutils/semodule/sha256.c
+++ /dev/null
@@ -1,294 +0,0 @@
-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-// WjCryptLib_Sha256
-//
-// Implementation of SHA256 hash function.
-// Original author: Tom St Denis, tomstdenis@gmail.com, http://libtom.org
-// Modified by WaterJuice retaining Public Domain license.
-//
-// This is free and unencumbered software released into the public domain - June 2013 waterjuice.org
-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-
-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-// IMPORTS
-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-
-#include "sha256.h"
-#include <memory.h>
-
-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-// MACROS
-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-
-#define ror(value, bits) (((value) >> (bits)) | ((value) << (32 - (bits))))
-
-#define MIN(x, y) ( ((x)<(y))?(x):(y) )
-
-#define STORE32H(x, y) \
- { (y)[0] = (uint8_t)(((x)>>24)&255); (y)[1] = (uint8_t)(((x)>>16)&255); \
- (y)[2] = (uint8_t)(((x)>>8)&255); (y)[3] = (uint8_t)((x)&255); }
-
-#define LOAD32H(x, y) \
- { x = ((uint32_t)((y)[0] & 255)<<24) | \
- ((uint32_t)((y)[1] & 255)<<16) | \
- ((uint32_t)((y)[2] & 255)<<8) | \
- ((uint32_t)((y)[3] & 255)); }
-
-#define STORE64H(x, y) \
- { (y)[0] = (uint8_t)(((x)>>56)&255); (y)[1] = (uint8_t)(((x)>>48)&255); \
- (y)[2] = (uint8_t)(((x)>>40)&255); (y)[3] = (uint8_t)(((x)>>32)&255); \
- (y)[4] = (uint8_t)(((x)>>24)&255); (y)[5] = (uint8_t)(((x)>>16)&255); \
- (y)[6] = (uint8_t)(((x)>>8)&255); (y)[7] = (uint8_t)((x)&255); }
-
-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-// CONSTANTS
-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-
-// The K array
-static const uint32_t K[64] = {
- 0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL, 0x3956c25bUL,
- 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL, 0xd807aa98UL, 0x12835b01UL,
- 0x243185beUL, 0x550c7dc3UL, 0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL,
- 0xc19bf174UL, 0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL,
- 0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL, 0x983e5152UL,
- 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL, 0xc6e00bf3UL, 0xd5a79147UL,
- 0x06ca6351UL, 0x14292967UL, 0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL,
- 0x53380d13UL, 0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,
- 0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL, 0xd192e819UL,
- 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL, 0x19a4c116UL, 0x1e376c08UL,
- 0x2748774cUL, 0x34b0bcb5UL, 0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL,
- 0x682e6ff3UL, 0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,
- 0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL
-};
-
-#define BLOCK_SIZE 64
-
-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-// INTERNAL FUNCTIONS
-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-
-// Various logical functions
-#define Ch( x, y, z ) (z ^ (x & (y ^ z)))
-#define Maj( x, y, z ) (((x | y) & z) | (x & y))
-#define S( x, n ) ror((x),(n))
-#define R( x, n ) (((x)&0xFFFFFFFFUL)>>(n))
-#define Sigma0( x ) (S(x, 2) ^ S(x, 13) ^ S(x, 22))
-#define Sigma1( x ) (S(x, 6) ^ S(x, 11) ^ S(x, 25))
-#define Gamma0( x ) (S(x, 7) ^ S(x, 18) ^ R(x, 3))
-#define Gamma1( x ) (S(x, 17) ^ S(x, 19) ^ R(x, 10))
-
-#define Sha256Round( a, b, c, d, e, f, g, h, i ) \
- t0 = h + Sigma1(e) + Ch(e, f, g) + K[i] + W[i]; \
- t1 = Sigma0(a) + Maj(a, b, c); \
- d += t0; \
- h = t0 + t1;
-
-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-// TransformFunction
-//
-// Compress 512-bits
-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-static
-void
- TransformFunction
- (
- Sha256Context* Context,
- uint8_t const* Buffer
- )
-{
- uint32_t S[8];
- uint32_t W[64];
- uint32_t t0;
- uint32_t t1;
- uint32_t t;
- int i;
-
- // Copy state into S
- for( i=0; i<8; i++ )
- {
- S[i] = Context->state[i];
- }
-
- // Copy the state into 512-bits into W[0..15]
- for( i=0; i<16; i++ )
- {
- LOAD32H( W[i], Buffer + (4*i) );
- }
-
- // Fill W[16..63]
- for( i=16; i<64; i++ )
- {
- W[i] = Gamma1( W[i-2]) + W[i-7] + Gamma0( W[i-15] ) + W[i-16];
- }
-
- // Compress
- for( i=0; i<64; i++ )
- {
- Sha256Round( S[0], S[1], S[2], S[3], S[4], S[5], S[6], S[7], i );
- t = S[7];
- S[7] = S[6];
- S[6] = S[5];
- S[5] = S[4];
- S[4] = S[3];
- S[3] = S[2];
- S[2] = S[1];
- S[1] = S[0];
- S[0] = t;
- }
-
- // Feedback
- for( i=0; i<8; i++ )
- {
- Context->state[i] = Context->state[i] + S[i];
- }
-}
-
-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-// PUBLIC FUNCTIONS
-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-
-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-// Sha256Initialise
-//
-// Initialises a SHA256 Context. Use this to initialise/reset a context.
-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-void
- Sha256Initialise
- (
- Sha256Context* Context // [out]
- )
-{
- Context->curlen = 0;
- Context->length = 0;
- Context->state[0] = 0x6A09E667UL;
- Context->state[1] = 0xBB67AE85UL;
- Context->state[2] = 0x3C6EF372UL;
- Context->state[3] = 0xA54FF53AUL;
- Context->state[4] = 0x510E527FUL;
- Context->state[5] = 0x9B05688CUL;
- Context->state[6] = 0x1F83D9ABUL;
- Context->state[7] = 0x5BE0CD19UL;
-}
-
-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-// Sha256Update
-//
-// Adds data to the SHA256 context. This will process the data and update the internal state of the context. Keep on
-// calling this function until all the data has been added. Then call Sha256Finalise to calculate the hash.
-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-void
- Sha256Update
- (
- Sha256Context* Context, // [in out]
- void const* Buffer, // [in]
- uint32_t BufferSize // [in]
- )
-{
- uint32_t n;
-
- if( Context->curlen > sizeof(Context->buf) )
- {
- return;
- }
-
- while( BufferSize > 0 )
- {
- if( Context->curlen == 0 && BufferSize >= BLOCK_SIZE )
- {
- TransformFunction( Context, (uint8_t*)Buffer );
- Context->length += BLOCK_SIZE * 8;
- Buffer = (uint8_t*)Buffer + BLOCK_SIZE;
- BufferSize -= BLOCK_SIZE;
- }
- else
- {
- n = MIN( BufferSize, (BLOCK_SIZE - Context->curlen) );
- memcpy( Context->buf + Context->curlen, Buffer, (size_t)n );
- Context->curlen += n;
- Buffer = (uint8_t*)Buffer + n;
- BufferSize -= n;
- if( Context->curlen == BLOCK_SIZE )
- {
- TransformFunction( Context, Context->buf );
- Context->length += 8*BLOCK_SIZE;
- Context->curlen = 0;
- }
- }
- }
-}
-
-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-// Sha256Finalise
-//
-// Performs the final calculation of the hash and returns the digest (32 byte buffer containing 256bit hash). After
-// calling this, Sha256Initialised must be used to reuse the context.
-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-void
- Sha256Finalise
- (
- Sha256Context* Context, // [in out]
- SHA256_HASH* Digest // [out]
- )
-{
- int i;
-
- if( Context->curlen >= sizeof(Context->buf) )
- {
- return;
- }
-
- // Increase the length of the message
- Context->length += Context->curlen * 8;
-
- // Append the '1' bit
- Context->buf[Context->curlen++] = (uint8_t)0x80;
-
- // if the length is currently above 56 bytes we append zeros
- // then compress. Then we can fall back to padding zeros and length
- // encoding like normal.
- if( Context->curlen > 56 )
- {
- while( Context->curlen < 64 )
- {
- Context->buf[Context->curlen++] = (uint8_t)0;
- }
- TransformFunction(Context, Context->buf);
- Context->curlen = 0;
- }
-
- // Pad up to 56 bytes of zeroes
- while( Context->curlen < 56 )
- {
- Context->buf[Context->curlen++] = (uint8_t)0;
- }
-
- // Store length
- STORE64H( Context->length, Context->buf+56 );
- TransformFunction( Context, Context->buf );
-
- // Copy output
- for( i=0; i<8; i++ )
- {
- STORE32H( Context->state[i], Digest->bytes+(4*i) );
- }
-}
-
-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-// Sha256Calculate
-//
-// Combines Sha256Initialise, Sha256Update, and Sha256Finalise into one function. Calculates the SHA256 hash of the
-// buffer.
-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-void
- Sha256Calculate
- (
- void const* Buffer, // [in]
- uint32_t BufferSize, // [in]
- SHA256_HASH* Digest // [in]
- )
-{
- Sha256Context context;
-
- Sha256Initialise( &context );
- Sha256Update( &context, Buffer, BufferSize );
- Sha256Finalise( &context, Digest );
-}
diff --git a/policycoreutils/semodule/sha256.h b/policycoreutils/semodule/sha256.h
deleted file mode 100644
index 406ed869..00000000
--- a/policycoreutils/semodule/sha256.h
+++ /dev/null
@@ -1,89 +0,0 @@
-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-// WjCryptLib_Sha256
-//
-// Implementation of SHA256 hash function.
-// Original author: Tom St Denis, tomstdenis@gmail.com, http://libtom.org
-// Modified by WaterJuice retaining Public Domain license.
-//
-// This is free and unencumbered software released into the public domain - June 2013 waterjuice.org
-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-
-#pragma once
-
-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-// IMPORTS
-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-
-#include <stdint.h>
-#include <stdio.h>
-
-typedef struct
-{
- uint64_t length;
- uint32_t state[8];
- uint32_t curlen;
- uint8_t buf[64];
-} Sha256Context;
-
-#define SHA256_HASH_SIZE ( 256 / 8 )
-
-typedef struct
-{
- uint8_t bytes [SHA256_HASH_SIZE];
-} SHA256_HASH;
-
-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-// PUBLIC FUNCTIONS
-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-
-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-// Sha256Initialise
-//
-// Initialises a SHA256 Context. Use this to initialise/reset a context.
-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-void
- Sha256Initialise
- (
- Sha256Context* Context // [out]
- );
-
-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-// Sha256Update
-//
-// Adds data to the SHA256 context. This will process the data and update the internal state of the context. Keep on
-// calling this function until all the data has been added. Then call Sha256Finalise to calculate the hash.
-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-void
- Sha256Update
- (
- Sha256Context* Context, // [in out]
- void const* Buffer, // [in]
- uint32_t BufferSize // [in]
- );
-
-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-// Sha256Finalise
-//
-// Performs the final calculation of the hash and returns the digest (32 byte buffer containing 256bit hash). After
-// calling this, Sha256Initialised must be used to reuse the context.
-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-void
- Sha256Finalise
- (
- Sha256Context* Context, // [in out]
- SHA256_HASH* Digest // [out]
- );
-
-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-// Sha256Calculate
-//
-// Combines Sha256Initialise, Sha256Update, and Sha256Finalise into one function. Calculates the SHA256 hash of the
-// buffer.
-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-void
- Sha256Calculate
- (
- void const* Buffer, // [in]
- uint32_t BufferSize, // [in]
- SHA256_HASH* Digest // [in]
- );
--
2.30.2

144
SOURCES/0046-semodule-add-command-line-option-to-detect-module-ch.patch
View File

@ -1,144 +0,0 @@
From e3fc737e43561ecadcb977ce4c9a1db44be636ae Mon Sep 17 00:00:00 2001
From: Ondrej Mosnacek <omosnace@redhat.com>
Date: Thu, 3 Feb 2022 17:53:27 +0100
Subject: [PATCH] semodule: add command-line option to detect module changes
Add a new command-line option "--rebuild-if-modules-changed" to control
the newly introduced check_ext_changes libsemanage flag.
For example, running `semodule --rebuild-if-modules-changed` will ensure
that any externally added/removed modules (e.g. by an RPM transaction)
are reflected in the compiled policy, while skipping the most expensive
part of the rebuild if no module change was deteceted since the last
libsemanage transaction.
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
---
policycoreutils/semodule/semodule.8 | 7 +++++++
policycoreutils/semodule/semodule.c | 32 ++++++++++++++++++++++-------
2 files changed, 32 insertions(+), 7 deletions(-)
diff --git a/policycoreutils/semodule/semodule.8 b/policycoreutils/semodule/semodule.8
index 3a2fb21c..d1735d21 100644
--- a/policycoreutils/semodule/semodule.8
+++ b/policycoreutils/semodule/semodule.8
@@ -23,6 +23,13 @@ force a reload of policy
.B \-B, \-\-build
force a rebuild of policy (also reloads unless \-n is used)
.TP
+.B \-\-rebuild-if-modules-changed
+Force a rebuild of the policy if any changes to module content are detected
+(by comparing with checksum from the last transaction). One can use this
+instead of \-B to ensure that any changes to the module store done by an
+external tool (e.g. a package manager) are applied, while automatically
+skipping the rebuild if there are no new changes.
+.TP
.B \-D, \-\-disable_dontaudit
Temporarily remove dontaudits from policy. Reverts whenever policy is rebuilt
.TP
diff --git a/policycoreutils/semodule/semodule.c b/policycoreutils/semodule/semodule.c
index 243b1add..22a42a75 100644
--- a/policycoreutils/semodule/semodule.c
+++ b/policycoreutils/semodule/semodule.c
@@ -46,6 +46,7 @@ static int verbose;
static int reload;
static int no_reload;
static int build;
+static int check_ext_changes;
static int disable_dontaudit;
static int preserve_tunables;
static int ignore_module_cache;
@@ -148,6 +149,9 @@ static void usage(char *progname)
printf(" -c, --cil extract module as cil. This only affects module extraction.\n");
printf(" -H, --hll extract module as hll. This only affects module extraction.\n");
printf(" -m, --checksum print module checksum (SHA256).\n");
+ printf(" --rebuild-if-modules-changed\n"
+ " force policy rebuild if module content changed since\n"
+ " last rebuild (based on checksum)\n");
}
/* Sets the global mode variable to new_mode, but only if no other
@@ -179,6 +183,7 @@ static void set_mode(enum client_modes new_mode, char *arg)
static void parse_command_line(int argc, char **argv)
{
static struct option opts[] = {
+ {"rebuild-if-modules-changed", 0, NULL, '\0'},
{"store", required_argument, NULL, 's'},
{"base", required_argument, NULL, 'b'},
{"help", 0, NULL, 'h'},
@@ -206,15 +211,26 @@ static void parse_command_line(int argc, char **argv)
};
int extract_selected = 0;
int cil_hll_set = 0;
- int i;
+ int i, longind;
verbose = 0;
reload = 0;
no_reload = 0;
+ check_ext_changes = 0;
priority = 400;
while ((i =
- getopt_long(argc, argv, "s:b:hi:l::vr:u:RnNBDCPX:e:d:p:S:E:cHm", opts,
- NULL)) != -1) {
+ getopt_long(argc, argv, "s:b:hi:l::vr:u:RnNBDCPX:e:d:p:S:E:cHm",
+ opts, &longind)) != -1) {
switch (i) {
+ case '\0':
+ switch(longind) {
+ case 0: /* --rebuild-if-modules-changed */
+ check_ext_changes = 1;
+ break;
+ default:
+ usage(argv[0]);
+ exit(1);
+ }
+ break;
case 'b':
fprintf(stderr, "The --base option is deprecated. Use --install instead.\n");
set_mode(INSTALL_M, optarg);
@@ -299,13 +315,13 @@ static void parse_command_line(int argc, char **argv)
}
}
}
- if ((build || reload) && num_commands) {
+ if ((build || reload || check_ext_changes) && num_commands) {
fprintf(stderr,
"build or reload should not be used with other commands\n");
usage(argv[0]);
exit(1);
}
- if (num_commands == 0 && reload == 0 && build == 0) {
+ if (num_commands == 0 && reload == 0 && build == 0 && check_ext_changes == 0) {
fprintf(stderr, "At least one mode must be specified.\n");
usage(argv[0]);
exit(1);
@@ -392,7 +408,7 @@ int main(int argc, char *argv[])
}
parse_command_line(argc, argv);
- if (build)
+ if (build || check_ext_changes)
commit = 1;
sh = semanage_handle_create();
@@ -431,7 +447,7 @@ int main(int argc, char *argv[])
}
}
- if (build) {
+ if (build || check_ext_changes) {
if ((result = semanage_begin_transaction(sh)) < 0) {
fprintf(stderr, "%s: Could not begin transaction: %s\n",
argv[0], errno ? strerror(errno) : "");
@@ -805,6 +821,8 @@ cleanup_disable:
semanage_set_reload(sh, 0);
if (build)
semanage_set_rebuild(sh, 1);
+ if (check_ext_changes)
+ semanage_set_check_ext_changes(sh, 1);
if (disable_dontaudit)
semanage_set_disable_dontaudit(sh, 1);
else if (build)
--
2.30.2

64
SOURCES/0047-python-Split-semanage-import-into-two-transactions.patch
View File

@ -1,64 +0,0 @@
From 09c944561c76146b1fc11e99e95b6a674366cddf Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com>
Date: Mon, 30 May 2022 14:20:21 +0200
Subject: [PATCH] python: Split "semanage import" into two transactions
First transaction applies all deletion operations, so that there are no
collisions when applying the rest of the changes.
Fixes:
# semanage port -a -t http_cache_port_t -r s0 -p tcp 3024
# semanage export | semanage import
ValueError: Port tcp/3024 already defined
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
---
python/semanage/semanage | 21 +++++++++++++++++++--
1 file changed, 19 insertions(+), 2 deletions(-)
diff --git a/python/semanage/semanage b/python/semanage/semanage
index ebb93ea5..b8842d28 100644
--- a/python/semanage/semanage
+++ b/python/semanage/semanage
@@ -841,10 +841,29 @@ def handleImport(args):
trans = seobject.semanageRecords(args)
trans.start()
+ deleteCommands = []
+ commands = []
+ # separate commands for deletion from the rest so they can be
+ # applied in a separate transaction
for l in sys.stdin.readlines():
if len(l.strip()) == 0:
continue
+ if "-d" in l or "-D" in l:
+ deleteCommands.append(l)
+ else:
+ commands.append(l)
+
+ if deleteCommands:
+ importHelper(deleteCommands)
+ trans.finish()
+ trans.start()
+
+ importHelper(commands)
+ trans.finish()
+
+def importHelper(commands):
+ for l in commands:
try:
commandParser = createCommandParser()
args = commandParser.parse_args(mkargv(l))
@@ -858,8 +877,6 @@ def handleImport(args):
except KeyboardInterrupt:
sys.exit(0)
- trans.finish()
-
def setupImportParser(subparsers):
importParser = subparsers.add_parser('import', help=_('Import local customizations'))
--
2.35.3

81
SOURCES/0048-semodule-rename-rebuild-if-modules-changed-to-refres.patch
View File

@ -1,81 +0,0 @@
From c0ca652dce6b1d5d11e697cc3a4695d87944f9ad Mon Sep 17 00:00:00 2001
From: Ondrej Mosnacek <omosnace@redhat.com>
Date: Wed, 8 Jun 2022 19:09:54 +0200
Subject: [PATCH] semodule: rename --rebuild-if-modules-changed to --refresh
After the last commit this option's name and description no longer
matches the semantic, so give it a new one and update the descriptions.
The old name is still recognized and aliased to the new one for
backwards compatibility.
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Acked-by: Nicolas Iooss <nicolas.iooss@m4x.org>
---
policycoreutils/semodule/semodule.8 | 12 ++++++------
policycoreutils/semodule/semodule.c | 13 ++++++++++---
2 files changed, 16 insertions(+), 9 deletions(-)
diff --git a/policycoreutils/semodule/semodule.8 b/policycoreutils/semodule/semodule.8
index d1735d21..c56e580f 100644
--- a/policycoreutils/semodule/semodule.8
+++ b/policycoreutils/semodule/semodule.8
@@ -23,12 +23,12 @@ force a reload of policy
.B \-B, \-\-build
force a rebuild of policy (also reloads unless \-n is used)
.TP
-.B \-\-rebuild-if-modules-changed
-Force a rebuild of the policy if any changes to module content are detected
-(by comparing with checksum from the last transaction). One can use this
-instead of \-B to ensure that any changes to the module store done by an
-external tool (e.g. a package manager) are applied, while automatically
-skipping the rebuild if there are no new changes.
+.B \-\-refresh
+Like \-\-build, but reuses existing linked policy if no changes to module
+files are detected (by comparing with checksum from the last transaction).
+One can use this instead of \-B to ensure that any changes to the module
+store done by an external tool (e.g. a package manager) are applied, while
+automatically skipping the module re-linking if there are no module changes.
.TP
.B \-D, \-\-disable_dontaudit
Temporarily remove dontaudits from policy. Reverts whenever policy is rebuilt
diff --git a/policycoreutils/semodule/semodule.c b/policycoreutils/semodule/semodule.c
index 22a42a75..324ec9fb 100644
--- a/policycoreutils/semodule/semodule.c
+++ b/policycoreutils/semodule/semodule.c
@@ -149,9 +149,12 @@ static void usage(char *progname)
printf(" -c, --cil extract module as cil. This only affects module extraction.\n");
printf(" -H, --hll extract module as hll. This only affects module extraction.\n");
printf(" -m, --checksum print module checksum (SHA256).\n");
- printf(" --rebuild-if-modules-changed\n"
- " force policy rebuild if module content changed since\n"
- " last rebuild (based on checksum)\n");
+ printf(" --refresh like --build, but reuses existing linked policy if no\n"
+ " changes to module files are detected (via checksum)\n");
+ printf("Deprecated options:\n");
+ printf(" -b,--base same as --install\n");
+ printf(" --rebuild-if-modules-changed\n"
+ " same as --refresh\n");
}
/* Sets the global mode variable to new_mode, but only if no other
@@ -184,6 +187,7 @@ static void parse_command_line(int argc, char **argv)
{
static struct option opts[] = {
{"rebuild-if-modules-changed", 0, NULL, '\0'},
+ {"refresh", 0, NULL, '\0'},
{"store", required_argument, NULL, 's'},
{"base", required_argument, NULL, 'b'},
{"help", 0, NULL, 'h'},
@@ -224,6 +228,9 @@ static void parse_command_line(int argc, char **argv)
case '\0':
switch(longind) {
case 0: /* --rebuild-if-modules-changed */
+ fprintf(stderr, "The --rebuild-if-modules-changed option is deprecated. Use --refresh instead.\n");
+ /* fallthrough */
+ case 1: /* --refresh */
check_ext_changes = 1;
break;
default:
--
2.35.3

79
SOURCES/0049-python-Harden-tools-against-rogue-modules.patch
View File

@ -1,79 +0,0 @@
From 72c7e9123980b003a21d51e2805529a3e90b2460 Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com>
Date: Thu, 13 Oct 2022 17:33:18 +0200
Subject: [PATCH] python: Harden tools against "rogue" modules
Python scripts present in "/usr/sbin" override regular modules.
Make sure /usr/sbin is not present in PYTHONPATH.
Fixes:
#cat > /usr/sbin/audit.py <<EOF
import sys
print("BAD GUY!", file=sys.stderr)
sys.exit(1)
EOF
#semanage boolean -l
BAD GUY!
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
---
python/audit2allow/audit2allow | 2 +-
python/audit2allow/sepolgen-ifgen | 2 +-
python/chcat/chcat | 2 +-
python/semanage/semanage | 2 +-
python/sepolicy/sepolicy.py | 2 +-
5 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/python/audit2allow/audit2allow b/python/audit2allow/audit2allow
index 09b06f66..eafeea88 100644
--- a/python/audit2allow/audit2allow
+++ b/python/audit2allow/audit2allow
@@ -1,4 +1,4 @@
-#!/usr/bin/python3 -Es
+#!/usr/bin/python3 -EsI
# Authors: Karl MacMillan <kmacmillan@mentalrootkit.com>
# Authors: Dan Walsh <dwalsh@redhat.com>
#
diff --git a/python/audit2allow/sepolgen-ifgen b/python/audit2allow/sepolgen-ifgen
index be2d093b..f25f8af1 100644
--- a/python/audit2allow/sepolgen-ifgen
+++ b/python/audit2allow/sepolgen-ifgen
@@ -1,4 +1,4 @@
-#!/usr/bin/python3 -Es
+#!/usr/bin/python3 -EsI
#
# Authors: Karl MacMillan <kmacmillan@mentalrootkit.com>
#
diff --git a/python/chcat/chcat b/python/chcat/chcat
index df2509f2..5671cec6 100755
--- a/python/chcat/chcat
+++ b/python/chcat/chcat
@@ -1,4 +1,4 @@
-#!/usr/bin/python3 -Es
+#!/usr/bin/python3 -EsI
# Copyright (C) 2005 Red Hat
# see file 'COPYING' for use and warranty information
#
diff --git a/python/semanage/semanage b/python/semanage/semanage
index b8842d28..1f170f60 100644
--- a/python/semanage/semanage
+++ b/python/semanage/semanage
@@ -1,4 +1,4 @@
-#!/usr/bin/python3 -Es
+#!/usr/bin/python3 -EsI
# Copyright (C) 2012-2013 Red Hat
# AUTHOR: Miroslav Grepl <mgrepl@redhat.com>
# AUTHOR: David Quigley <selinux@davequigley.com>
diff --git a/python/sepolicy/sepolicy.py b/python/sepolicy/sepolicy.py
index 8bd6a579..0c1d9641 100755
--- a/python/sepolicy/sepolicy.py
+++ b/python/sepolicy/sepolicy.py
@@ -1,4 +1,4 @@
-#!/usr/bin/python3 -Es
+#!/usr/bin/python3 -EsI
# Copyright (C) 2012 Red Hat
# AUTHOR: Dan Walsh <dwalsh@redhat.com>
# see file 'COPYING' for use and warranty information
--
2.37.3

65
SOURCES/0050-python-Do-not-query-the-local-database-if-the-fconte.patch
View File

@ -1,65 +0,0 @@
From f33e40265d192e5d725e7b82e5f14f603e1fba48 Mon Sep 17 00:00:00 2001
From: James Carter <jwcart2@gmail.com>
Date: Wed, 19 Oct 2022 14:20:11 -0400
Subject: [PATCH] python: Do not query the local database if the fcontext is
non-local
Vit Mojzis reports that an error message is produced when modifying
a non-local fcontext.
He gives the following example:
# semanage fcontext -f f -m -t passwd_file_t /etc/security/opasswd
libsemanage.dbase_llist_query: could not query record value (No such file or directory).
When modifying an fcontext, the non-local database is checked for the
key and then, if it is not found there, the local database is checked.
If the key doesn't exist, then an error is raised. If the key exists
then the local database is queried first and, if that fails, the non-
local database is queried.
The error is from querying the local database when the fcontext is in
the non-local database.
Instead, if the fcontext is in the non-local database, just query
the non-local database. Only query the local database if the
fcontext was found in it.
Reported-by: Vit Mojzis <vmojzis@redhat.com>
Signed-off-by: James Carter <jwcart2@gmail.com>
---
python/semanage/seobject.py | 15 +++++++++------
1 file changed, 9 insertions(+), 6 deletions(-)
diff --git a/python/semanage/seobject.py b/python/semanage/seobject.py
index 70ebfd08..0e923a0d 100644
--- a/python/semanage/seobject.py
+++ b/python/semanage/seobject.py
@@ -2490,16 +2490,19 @@ class fcontextRecords(semanageRecords):
(rc, exists) = semanage_fcontext_exists(self.sh, k)
if rc < 0:
raise ValueError(_("Could not check if file context for %s is defined") % target)
- if not exists:
+ if exists:
+ try:
+ (rc, fcontext) = semanage_fcontext_query(self.sh, k)
+ except OSError:
+ raise ValueError(_("Could not query file context for %s") % target)
+ else:
(rc, exists) = semanage_fcontext_exists_local(self.sh, k)
+ if rc < 0:
+ raise ValueError(_("Could not check if file context for %s is defined") % target)
if not exists:
raise ValueError(_("File context for %s is not defined") % target)
-
- try:
- (rc, fcontext) = semanage_fcontext_query_local(self.sh, k)
- except OSError:
try:
- (rc, fcontext) = semanage_fcontext_query(self.sh, k)
+ (rc, fcontext) = semanage_fcontext_query_local(self.sh, k)
except OSError:
raise ValueError(_("Could not query file context for %s") % target)
--
2.37.3

112
SOURCES/0051-python-sepolicy-add-missing-booleans-to-man-pages.patch
View File

@ -1,112 +0,0 @@
From f3ddbd8220d9646072c9a4c9ed37f2dff998a53c Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com>
Date: Tue, 10 Jan 2023 11:37:26 +0100
Subject: [PATCH] python/sepolicy: add missing booleans to man pages
get_bools should return a list of booleans that can affect given type,
but it did not handle non trivial conditional statements properly
(returning the whole conditional statement instead of a list of booleans
in the statement).
e.g. for
allow httpd_t spamc_t:process transition; [ httpd_can_check_spam && httpd_can_sendmail ]:True
get_bools used to return [("httpd_can_check_spam && httpd_can_sendmail", False)] instead of
[("httpd_can_check_spam", False), ("httpd_can_sendmail", False)]
- rename "boolean" in sepolicy rule dictionary to "booleans" to suggest
it can contain multiple values and make sure it is populated correctly
- add "conditional" key to the rule dictionary to accommodate
get_conditionals, which requires the whole conditional statement
- extend get_bools search to dontaudit rules so that it covers booleans
like httpd_dontaudit_search_dirs
Note: get_bools uses security_get_boolean_active to get the boolean
value, but the value is later used to represent the default.
Not ideal, but I'm not aware of a way to get the actual defaults.
Fixes:
"sepolicy manpage" generates man pages that are missing booleans
which are included in non trivial conditional expressions
e.g. httpd_selinux(8) does not include httpd_can_check_spam,
httpd_tmp_exec, httpd_unified, or httpd_use_gpg
This fix, however, also adds some not strictly related booleans
to some man pages. e.g. use_nfs_home_dirs and
use_samba_home_dirs are added to httpd_selinux(8)
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Acked-by: Jason Zaman <jason@perfinion.com>
---
python/sepolicy/sepolicy/__init__.py | 21 +++++++++++++--------
1 file changed, 13 insertions(+), 8 deletions(-)
diff --git a/python/sepolicy/sepolicy/__init__.py b/python/sepolicy/sepolicy/__init__.py
index b6ca57c3..0f51174d 100644
--- a/python/sepolicy/sepolicy/__init__.py
+++ b/python/sepolicy/sepolicy/__init__.py
@@ -324,7 +324,12 @@ def _setools_rule_to_dict(rule):
pass
try:
- d['boolean'] = [(str(rule.conditional), enabled)]
+ d['booleans'] = [(str(b), b.state) for b in rule.conditional.booleans]
+ except AttributeError:
+ pass
+
+ try:
+ d['conditional'] = str(rule.conditional)
except AttributeError:
pass
@@ -426,12 +431,12 @@ def get_conditionals(src, dest, tclass, perm):
x['source'] in src_list and
x['target'] in dest_list and
set(perm).issubset(x[PERMS]) and
- 'boolean' in x,
+ 'conditional' in x,
get_all_allow_rules()))
try:
for i in allows:
- tdict.update({'source': i['source'], 'boolean': i['boolean']})
+ tdict.update({'source': i['source'], 'conditional': (i['conditional'], i['enabled'])})
if tdict not in tlist:
tlist.append(tdict)
tdict = {}
@@ -445,10 +450,10 @@ def get_conditionals_format_text(cond):
enabled = False
for x in cond:
- if x['boolean'][0][1]:
+ if x['conditional'][1]:
enabled = True
break
- return _("-- Allowed %s [ %s ]") % (enabled, " || ".join(set(map(lambda x: "%s=%d" % (x['boolean'][0][0], x['boolean'][0][1]), cond))))
+ return _("-- Allowed %s [ %s ]") % (enabled, " || ".join(set(map(lambda x: "%s=%d" % (x['conditional'][0], x['conditional'][1]), cond))))
def get_types_from_attribute(attribute):
@@ -703,9 +708,9 @@ def get_boolean_rules(setype, boolean):
boollist = []
permlist = search([ALLOW], {'source': setype})
for p in permlist:
- if "boolean" in p:
+ if "booleans" in p:
try:
- for b in p["boolean"]:
+ for b in p["booleans"]:
if boolean in b:
boollist.append(p)
except:
@@ -1124,7 +1129,7 @@ def get_bools(setype):
bools = []
domainbools = []
domainname, short_name = gen_short_name(setype)
- for i in map(lambda x: x['boolean'], filter(lambda x: 'boolean' in x and x['source'] == setype, get_all_allow_rules())):
+ for i in map(lambda x: x['booleans'], filter(lambda x: 'booleans' in x and x['source'] == setype, search([ALLOW, DONTAUDIT]))):
for b in i:
if not isinstance(b, tuple):
continue
--
2.37.3

73
SOURCES/0052-python-sepolicy-Cache-conditional-rule-queries.patch
View File

@ -1,73 +0,0 @@
From 25373db5cac520b85350db91b8a7ed0737d3316c Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com>
Date: Tue, 24 Jan 2023 21:05:05 +0100
Subject: [PATCH] python/sepolicy: Cache conditional rule queries
Commit 7506771e4b630fe0ab853f96574e039055cb72eb
"add missing booleans to man pages" dramatically slowed down
"sepolicy manpage -a" by removing caching of setools rule query.
Re-add said caching and update the query to only return conditional
rules.
Before commit 7506771e:
#time sepolicy manpage -a
real 1m43.153s
# time sepolicy manpage -d httpd_t
real 0m4.493s
After commit 7506771e:
#time sepolicy manpage -a
real 1h56m43.153s
# time sepolicy manpage -d httpd_t
real 0m8.352s
After this commit:
#time sepolicy manpage -a
real 1m41.074s
# time sepolicy manpage -d httpd_t
real 0m7.358s
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
---
python/sepolicy/sepolicy/__init__.py | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/python/sepolicy/sepolicy/__init__.py b/python/sepolicy/sepolicy/__init__.py
index 0f51174d..f48231e9 100644
--- a/python/sepolicy/sepolicy/__init__.py
+++ b/python/sepolicy/sepolicy/__init__.py
@@ -114,6 +114,7 @@ all_attributes = None
booleans = None
booleans_dict = None
all_allow_rules = None
+all_bool_rules = None
all_transitions = None
@@ -1119,6 +1120,14 @@ def get_all_allow_rules():
all_allow_rules = search([ALLOW])
return all_allow_rules
+def get_all_bool_rules():
+ global all_bool_rules
+ if not all_bool_rules:
+ q = setools.TERuleQuery(_pol, boolean=".*", boolean_regex=True,
+ ruletype=[ALLOW, DONTAUDIT])
+ all_bool_rules = [_setools_rule_to_dict(x) for x in q.results()]
+ return all_bool_rules
+
def get_all_transitions():
global all_transitions
if not all_transitions:
@@ -1129,7 +1138,7 @@ def get_bools(setype):
bools = []
domainbools = []
domainname, short_name = gen_short_name(setype)
- for i in map(lambda x: x['booleans'], filter(lambda x: 'booleans' in x and x['source'] == setype, search([ALLOW, DONTAUDIT]))):
+ for i in map(lambda x: x['booleans'], filter(lambda x: 'booleans' in x and x['source'] == setype, get_all_bool_rules())):
for b in i:
if not isinstance(b, tuple):
continue
--
2.37.3

98
SOURCES/0053-python-Harden-more-tools-against-rogue-modules.patch
View File

@ -1,98 +0,0 @@
From 7aef364bc6607953a34cb9e8fe9ea51c88379a5c Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com>
Date: Wed, 6 Dec 2023 15:31:51 +0100
Subject: [PATCH] python: Harden more tools against "rogue" modules
Python scripts present in the same directory as the tool
override regular modules.
Fixes:
#cat > /usr/bin/signal.py <<EOF
import sys
print("BAD GUY!", file=sys.stderr)
sys.exit(1)
EOF
#sandbox date
BAD GUY!
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
---
dbus/selinux_server.py | 2 +-
gui/polgengui.py | 2 +-
gui/system-config-selinux.py | 6 +++---
sandbox/sandbox | 2 +-
sandbox/start | 2 +-
5 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/dbus/selinux_server.py b/dbus/selinux_server.py
index 97bf91ba..eae38de5 100644
--- a/dbus/selinux_server.py
+++ b/dbus/selinux_server.py
@@ -1,4 +1,4 @@
-#!/usr/bin/python3
+#!/usr/bin/python3 -EsI
import dbus
import dbus.service
diff --git a/gui/polgengui.py b/gui/polgengui.py
index 46a1bd2c..0402e82c 100644
--- a/gui/polgengui.py
+++ b/gui/polgengui.py
@@ -1,4 +1,4 @@
-#!/usr/bin/python3 -Es
+#!/usr/bin/python3 -EsI
#
# polgengui.py - GUI for SELinux Config tool in system-config-selinux
#
diff --git a/gui/system-config-selinux.py b/gui/system-config-selinux.py
index 1e0d5eb1..c344c076 100644
--- a/gui/system-config-selinux.py
+++ b/gui/system-config-selinux.py
@@ -1,4 +1,4 @@
-#!/usr/bin/python3 -Es
+#!/usr/bin/python3 -EsI
#
# system-config-selinux.py - GUI for SELinux Config tool in system-config-selinux
#
@@ -32,6 +32,8 @@ except RuntimeError as e:
print("This is a graphical application and requires DISPLAY to be set.")
sys.exit(1)
+sys.path.append('/usr/share/system-config-selinux')
+
from gi.repository import GObject
import statusPage
import booleansPage
@@ -65,8 +67,6 @@ except:
version = "1.0"
-sys.path.append('/usr/share/system-config-selinux')
-
##
## Pull in the Glade file
diff --git a/sandbox/sandbox b/sandbox/sandbox
index 707959a6..e276e594 100644
--- a/sandbox/sandbox
+++ b/sandbox/sandbox
@@ -1,4 +1,4 @@
-#!/usr/bin/python3 -Es
+#!/usr/bin/python3 -EsI
# Authors: Dan Walsh <dwalsh@redhat.com>
# Authors: Thomas Liu <tliu@fedoraproject.org>
# Authors: Josh Cogliati
diff --git a/sandbox/start b/sandbox/start
index 4ed3cb5c..3c1a1783 100644
--- a/sandbox/start
+++ b/sandbox/start
@@ -1,4 +1,4 @@
-#!/usr/bin/python3 -Es
+#!/usr/bin/python3 -EsI
try:
from subprocess import getstatusoutput
except ImportError:
--
2.43.0

95
SOURCES/0054-sepolicy-port-to-dnf4-python-API.patch
View File

@ -1,95 +0,0 @@
From ea93da38a16eb44307b522f8a26f2d8f967fcc01 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <lautrbach@redhat.com>
Date: Wed, 22 Nov 2023 12:29:43 +0100
Subject: [PATCH] sepolicy: port to dnf4 python API
yum module is not available since RHEL 7.
Drop -systemd related code as it's obsoleted these days - only 2
packages ship their .service in -systemd subpackage
Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
Acked-by: Ondrej Mosnacek <omosnace@redhat.com>
---
python/sepolicy/sepolicy/generate.py | 56 +++++++++++++---------------
1 file changed, 25 insertions(+), 31 deletions(-)
diff --git a/python/sepolicy/sepolicy/generate.py b/python/sepolicy/sepolicy/generate.py
index 93caedee..c841a499 100644
--- a/python/sepolicy/sepolicy/generate.py
+++ b/python/sepolicy/sepolicy/generate.py
@@ -1265,24 +1265,20 @@ allow %s_t %s_t:%s_socket name_%s;
return fcfile
def __extract_rpms(self):
- import yum
- yb = yum.YumBase()
- yb.setCacheDir()
-
- for pkg in yb.rpmdb.searchProvides(self.program):
- self.rpms.append(pkg.name)
- for fname in pkg.dirlist + pkg.filelist + pkg.ghostlist:
- for b in self.DEFAULT_DIRS:
- if b == "/etc":
- continue
- if fname.startswith(b):
- if os.path.isfile(fname):
- self.add_file(fname)
- else:
- self.add_dir(fname)
+ import dnf
+
+ with dnf.Base() as base:
+ base.read_all_repos()
+ base.fill_sack(load_system_repo=True)
+
+ query = base.sack.query()
- for bpkg in yb.rpmdb.searchNames([pkg.base_package_name]):
- for fname in bpkg.dirlist + bpkg.filelist + bpkg.ghostlist:
+ pq = query.available()
+ pq = pq.filter(file=self.program)
+
+ for pkg in pq:
+ self.rpms.append(pkg.name)
+ for fname in pkg.files:
for b in self.DEFAULT_DIRS:
if b == "/etc":
continue
@@ -1291,20 +1287,18 @@ allow %s_t %s_t:%s_socket name_%s;
self.add_file(fname)
else:
self.add_dir(fname)
-
- # some packages have own systemd subpackage
- # tor-systemd for example
- binary_name = self.program.split("/")[-1]
- for bpkg in yb.rpmdb.searchNames(["%s-systemd" % binary_name]):
- for fname in bpkg.filelist + bpkg.ghostlist + bpkg.dirlist:
- for b in self.DEFAULT_DIRS:
- if b == "/etc":
- continue
- if fname.startswith(b):
- if os.path.isfile(fname):
- self.add_file(fname)
- else:
- self.add_dir(fname)
+ sq = query.available()
+ sq = sq.filter(provides=pkg.source_name)
+ for bpkg in sq:
+ for fname in bpkg.files:
+ for b in self.DEFAULT_DIRS:
+ if b == "/etc":
+ continue
+ if fname.startswith(b):
+ if os.path.isfile(fname):
+ self.add_file(fname)
+ else:
+ self.add_dir(fname)
def gen_writeable(self):
try:
--
2.43.0

64
SOURCES/0055-python-semanage-Do-not-sort-local-fcontext-definitio.patch
View File

@ -1,64 +0,0 @@
From b6fa6e77d5d40a5c1b5f4be95500aa1a05147e5b Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com>
Date: Wed, 7 Feb 2024 15:46:23 +0100
Subject: [PATCH] python/semanage: Do not sort local fcontext definitions
Entries in file_contexts.local are processed from the most recent one to
the oldest, with first match being used. Therefore it is important to
preserve their order when listing (semanage fcontext -lC) and exporting
(semanage export).
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
---
gui/fcontextPage.py | 6 +++++-
python/semanage/seobject.py | 9 +++++++--
2 files changed, 12 insertions(+), 3 deletions(-)
diff --git a/gui/fcontextPage.py b/gui/fcontextPage.py
index e424366d..01a403a2 100644
--- a/gui/fcontextPage.py
+++ b/gui/fcontextPage.py
@@ -125,7 +125,11 @@ class fcontextPage(semanagePage):
self.fcontext = seobject.fcontextRecords()
self.store.clear()
fcon_dict = self.fcontext.get_all(self.local)
- for k in sorted(fcon_dict.keys()):
+ if self.local:
+ fkeys = fcon_dict.keys()
+ else:
+ fkeys = sorted(fcon_dict.keys())
+ for k in fkeys:
if not self.match(fcon_dict, k, filter):
continue
iter = self.store.append()
diff --git a/python/semanage/seobject.py b/python/semanage/seobject.py
index 0e923a0d..dd915a69 100644
--- a/python/semanage/seobject.py
+++ b/python/semanage/seobject.py
@@ -2644,7 +2644,7 @@ class fcontextRecords(semanageRecords):
def customized(self):
l = []
fcon_dict = self.get_all(True)
- for k in sorted(fcon_dict.keys()):
+ for k in fcon_dict.keys():
if fcon_dict[k]:
if fcon_dict[k][3]:
l.append("-a -f %s -t %s -r '%s' '%s'" % (file_type_str_to_option[k[1]], fcon_dict[k][2], fcon_dict[k][3], k[0]))
@@ -2661,7 +2661,12 @@ class fcontextRecords(semanageRecords):
if len(fcon_dict) != 0:
if heading:
print("%-50s %-18s %s\n" % (_("SELinux fcontext"), _("type"), _("Context")))
- for k in sorted(fcon_dict.keys()):
+ # do not sort local customizations since they are evaluated based on the order they where added in
+ if locallist:
+ fkeys = fcon_dict.keys()
+ else:
+ fkeys = sorted(fcon_dict.keys())
+ for k in fkeys:
if fcon_dict[k]:
if is_mls_enabled:
print("%-50s %-18s %s:%s:%s:%s " % (k[0], k[1], fcon_dict[k][0], fcon_dict[k][1], fcon_dict[k][2], translate(fcon_dict[k][3], False)))
--
2.43.0

396
SOURCES/0056-python-semanage-Allow-modifying-records-on-add.patch
View File

@ -1,396 +0,0 @@
From 108a7d43dd8fa4f5cb682f9df9c15304fa4eddea Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com>
Date: Wed, 14 Feb 2024 13:08:40 +0100
Subject: [PATCH] python/semanage: Allow modifying records on "add"
When trying to add a record with a key that already exists, modify
the existing record instead.
Also, fix "semanage -m -e" (add_equal was called instead of
modify_equal), which meant that existing local equivalency couldn't be
modified (though a user could remove it and add a modified
equivalency).
Fixes:
https://github.com/SELinuxProject/selinux/issues/412
When a port or login definition present in the policy is modified
using "semanage port -m", "semanage export" exports the command as
"port -a" instead of "port -m". This results in "semanage import"
failing (port already defined). The same is true for port, user,
login, ibpkey, ibendport, node, interface and fcontext.
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
---
python/semanage/semanage | 2 +-
python/semanage/seobject.py | 208 +++++++++++++++++++++++++-----------
2 files changed, 147 insertions(+), 63 deletions(-)
diff --git a/python/semanage/semanage b/python/semanage/semanage
index 1f170f60..f55751b6 100644
--- a/python/semanage/semanage
+++ b/python/semanage/semanage
@@ -316,7 +316,7 @@ def handleFcontext(args):
OBJECT.add(args.file_spec, args.type, args.ftype, args.range, args.seuser)
if args.action == "modify":
if args.equal:
- OBJECT.add_equal(args.file_spec, args.equal)
+ OBJECT.modify_equal(args.file_spec, args.equal)
else:
OBJECT.modify(args.file_spec, args.type, args.ftype, args.range, args.seuser)
if args.action == "delete":
diff --git a/python/semanage/seobject.py b/python/semanage/seobject.py
index dd915a69..f6c559a7 100644
--- a/python/semanage/seobject.py
+++ b/python/semanage/seobject.py
@@ -560,11 +560,6 @@ class loginRecords(semanageRecords):
if rc < 0:
raise ValueError(_("Could not create a key for %s") % name)
- (rc, exists) = semanage_seuser_exists(self.sh, k)
- if rc < 0:
- raise ValueError(_("Could not check if login mapping for %s is defined") % name)
- if exists:
- raise ValueError(_("Login mapping for %s is already defined") % name)
if name[0] == '%':
try:
grp.getgrnam(name[1:])
@@ -603,11 +598,29 @@ class loginRecords(semanageRecords):
def add(self, name, sename, serange):
try:
self.begin()
- self.__add(name, sename, serange)
+ # Add a new mapping, or modify an existing one
+ if self.__exists(name):
+ print(_("Login mapping for %s is already defined, modifying instead") % name)
+ self.__modify(name, sename, serange)
+ else:
+ self.__add(name, sename, serange)
self.commit()
except ValueError as error:
raise error
+ # check if login mapping for given user exists
+ def __exists(self, name):
+ (rc, k) = semanage_seuser_key_create(self.sh, name)
+ if rc < 0:
+ raise ValueError(_("Could not create a key for %s") % name)
+
+ (rc, exists) = semanage_seuser_exists(self.sh, k)
+ if rc < 0:
+ raise ValueError(_("Could not check if login mapping for %s is defined") % name)
+ semanage_seuser_key_free(k)
+
+ return exists
+
def __modify(self, name, sename="", serange=""):
rec, self.oldsename, self.oldserange = selinux.getseuserbyname(name)
if sename == "" and serange == "":
@@ -824,12 +837,6 @@ class seluserRecords(semanageRecords):
if rc < 0:
raise ValueError(_("Could not create a key for %s") % name)
- (rc, exists) = semanage_user_exists(self.sh, k)
- if rc < 0:
- raise ValueError(_("Could not check if SELinux user %s is defined") % name)
- if exists:
- raise ValueError(_("SELinux user %s is already defined") % name)
-
(rc, u) = semanage_user_create(self.sh)
if rc < 0:
raise ValueError(_("Could not create SELinux user for %s") % name)
@@ -869,12 +876,28 @@ class seluserRecords(semanageRecords):
def add(self, name, roles, selevel, serange, prefix):
try:
self.begin()
- self.__add(name, roles, selevel, serange, prefix)
+ if self.__exists(name):
+ print(_("SELinux user %s is already defined, modifying instead") % name)
+ self.__modify(name, roles, selevel, serange, prefix)
+ else:
+ self.__add(name, roles, selevel, serange, prefix)
self.commit()
except ValueError as error:
self.mylog.commit(0)
raise error
+ def __exists(self, name):
+ (rc, k) = semanage_user_key_create(self.sh, name)
+ if rc < 0:
+ raise ValueError(_("Could not create a key for %s") % name)
+
+ (rc, exists) = semanage_user_exists(self.sh, k)
+ if rc < 0:
+ raise ValueError(_("Could not check if SELinux user %s is defined") % name)
+ semanage_user_key_free(k)
+
+ return exists
+
def __modify(self, name, roles=[], selevel="", serange="", prefix=""):
oldserole = ""
oldserange = ""
@@ -1102,12 +1125,6 @@ class portRecords(semanageRecords):
(k, proto_d, low, high) = self.__genkey(port, proto)
- (rc, exists) = semanage_port_exists(self.sh, k)
- if rc < 0:
- raise ValueError(_("Could not check if port %s/%s is defined") % (proto, port))
- if exists:
- raise ValueError(_("Port %s/%s already defined") % (proto, port))
-
(rc, p) = semanage_port_create(self.sh)
if rc < 0:
raise ValueError(_("Could not create port for %s/%s") % (proto, port))
@@ -1151,9 +1168,23 @@ class portRecords(semanageRecords):
def add(self, port, proto, serange, type):
self.begin()
- self.__add(port, proto, serange, type)
+ if self.__exists(port, proto):
+ print(_("Port {proto}/{port} already defined, modifying instead").format(proto=proto, port=port))
+ self.__modify(port, proto, serange, type)
+ else:
+ self.__add(port, proto, serange, type)
self.commit()
+ def __exists(self, port, proto):
+ (k, proto_d, low, high) = self.__genkey(port, proto)
+
+ (rc, exists) = semanage_port_exists(self.sh, k)
+ if rc < 0:
+ raise ValueError(_("Could not check if port {proto}/{port} is defined").format(proto=proto, port=port))
+ semanage_port_key_free(k)
+
+ return exists
+
def __modify(self, port, proto, serange, setype):
if serange == "" and setype == "":
if is_mls_enabled == 1:
@@ -1376,12 +1407,6 @@ class ibpkeyRecords(semanageRecords):
(k, subnet_prefix, low, high) = self.__genkey(pkey, subnet_prefix)
- (rc, exists) = semanage_ibpkey_exists(self.sh, k)
- if rc < 0:
- raise ValueError(_("Could not check if ibpkey %s/%s is defined") % (subnet_prefix, pkey))
- if exists:
- raise ValueError(_("ibpkey %s/%s already defined") % (subnet_prefix, pkey))
-
(rc, p) = semanage_ibpkey_create(self.sh)
if rc < 0:
raise ValueError(_("Could not create ibpkey for %s/%s") % (subnet_prefix, pkey))
@@ -1423,9 +1448,23 @@ class ibpkeyRecords(semanageRecords):
def add(self, pkey, subnet_prefix, serange, type):
self.begin()
- self.__add(pkey, subnet_prefix, serange, type)
+ if self.__exists(pkey, subnet_prefix):
+ print(_("ibpkey {subnet_prefix}/{pkey} already defined, modifying instead").format(subnet_prefix=subnet_prefix, pkey=pkey))
+ self.__modify(pkey, subnet_prefix, serange, type)
+ else:
+ self.__add(pkey, subnet_prefix, serange, type)
self.commit()
+ def __exists(self, pkey, subnet_prefix):
+ (k, subnet_prefix, low, high) = self.__genkey(pkey, subnet_prefix)
+
+ (rc, exists) = semanage_ibpkey_exists(self.sh, k)
+ if rc < 0:
+ raise ValueError(_("Could not check if ibpkey {subnet_prefix}/{pkey} is defined").formnat(subnet_prefix=subnet_prefix, pkey=pkey))
+ semanage_ibpkey_key_free(k)
+
+ return exists
+
def __modify(self, pkey, subnet_prefix, serange, setype):
if serange == "" and setype == "":
if is_mls_enabled == 1:
@@ -1630,12 +1669,6 @@ class ibendportRecords(semanageRecords):
raise ValueError(_("Type %s is invalid, must be an ibendport type") % type)
(k, ibendport, port) = self.__genkey(ibendport, ibdev_name)
- (rc, exists) = semanage_ibendport_exists(self.sh, k)
- if rc < 0:
- raise ValueError(_("Could not check if ibendport %s/%s is defined") % (ibdev_name, port))
- if exists:
- raise ValueError(_("ibendport %s/%s already defined") % (ibdev_name, port))
-
(rc, p) = semanage_ibendport_create(self.sh)
if rc < 0:
raise ValueError(_("Could not create ibendport for %s/%s") % (ibdev_name, port))
@@ -1677,9 +1710,23 @@ class ibendportRecords(semanageRecords):
def add(self, ibendport, ibdev_name, serange, type):
self.begin()
- self.__add(ibendport, ibdev_name, serange, type)
+ if self.__exists(ibendport, ibdev_name):
+ print(_("ibendport {ibdev_name}/{port} already defined, modifying instead").format(ibdev_name=ibdev_name, port=port))
+ self.__modify(ibendport, ibdev_name, serange, type)
+ else:
+ self.__add(ibendport, ibdev_name, serange, type)
self.commit()
+ def __exists(self, ibendport, ibdev_name):
+ (k, ibendport, port) = self.__genkey(ibendport, ibdev_name)
+
+ (rc, exists) = semanage_ibendport_exists(self.sh, k)
+ if rc < 0:
+ raise ValueError(_("Could not check if ibendport {ibdev_name}/{port} is defined").format(ibdev_name=ibdev_name, port=port))
+ semanage_ibendport_key_free(k)
+
+ return exists
+
def __modify(self, ibendport, ibdev_name, serange, setype):
if serange == "" and setype == "":
if is_mls_enabled == 1:
@@ -1891,12 +1938,6 @@ class nodeRecords(semanageRecords):
(rc, k) = semanage_node_key_create(self.sh, addr, mask, proto)
if rc < 0:
raise ValueError(_("Could not create key for %s") % addr)
- if rc < 0:
- raise ValueError(_("Could not check if addr %s is defined") % addr)
-
- (rc, exists) = semanage_node_exists(self.sh, k)
- if exists:
- raise ValueError(_("Addr %s already defined") % addr)
(rc, node) = semanage_node_create(self.sh)
if rc < 0:
@@ -1945,9 +1986,27 @@ class nodeRecords(semanageRecords):
def add(self, addr, mask, proto, serange, ctype):
self.begin()
- self.__add(addr, mask, proto, serange, ctype)
+ if self.__exists(addr, mask, proto):
+ print(_("Addr %s already defined, modifying instead") % addr)
+ self.__modify(addr, mask, proto, serange, ctype)
+ else:
+ self.__add(addr, mask, proto, serange, ctype)
self.commit()
+ def __exists(self, addr, mask, proto):
+ addr, mask, proto = self.validate(addr, mask, proto)
+
+ (rc, k) = semanage_node_key_create(self.sh, addr, mask, proto)
+ if rc < 0:
+ raise ValueError(_("Could not create key for %s") % addr)
+
+ (rc, exists) = semanage_node_exists(self.sh, k)
+ if rc < 0:
+ raise ValueError(_("Could not check if addr %s is defined") % addr)
+ semanage_node_key_free(k)
+
+ return exists
+
def __modify(self, addr, mask, proto, serange, setype):
addr, mask, proto = self.validate(addr, mask, proto)
@@ -2102,12 +2161,6 @@ class interfaceRecords(semanageRecords):
if rc < 0:
raise ValueError(_("Could not create key for %s") % interface)
- (rc, exists) = semanage_iface_exists(self.sh, k)
- if rc < 0:
- raise ValueError(_("Could not check if interface %s is defined") % interface)
- if exists:
- raise ValueError(_("Interface %s already defined") % interface)
-
(rc, iface) = semanage_iface_create(self.sh)
if rc < 0:
raise ValueError(_("Could not create interface for %s") % interface)
@@ -2154,9 +2207,25 @@ class interfaceRecords(semanageRecords):
def add(self, interface, serange, ctype):
self.begin()
- self.__add(interface, serange, ctype)
+ if self.__exists(interface):
+ print(_("Interface %s already defined, modifying instead") % interface)
+ self.__modify(interface, serange, ctype)
+ else:
+ self.__add(interface, serange, ctype)
self.commit()
+ def __exists(self, interface):
+ (rc, k) = semanage_iface_key_create(self.sh, interface)
+ if rc < 0:
+ raise ValueError(_("Could not create key for %s") % interface)
+
+ (rc, exists) = semanage_iface_exists(self.sh, k)
+ if rc < 0:
+ raise ValueError(_("Could not check if interface %s is defined") % interface)
+ semanage_iface_key_free(k)
+
+ return exists
+
def __modify(self, interface, serange, setype):
if serange == "" and setype == "":
raise ValueError(_("Requires setype or serange"))
@@ -2344,7 +2413,13 @@ class fcontextRecords(semanageRecords):
raise ValueError(_("Substitute %s is not valid. Substitute is not allowed to end with '/'") % substitute)
if target in self.equiv.keys():
- raise ValueError(_("Equivalence class for %s already exists") % target)
+ print(_("Equivalence class for %s already exists, modifying instead") % target)
+ self.equiv[target] = substitute
+ self.equal_ind = True
+ self.mylog.log_change("resrc=fcontext op=modify-equal %s %s" % (audit.audit_encode_nv_string("sglob", target, 0), audit.audit_encode_nv_string("tglob", substitute, 0)))
+ self.commit()
+ return
+
self.validate(target)
for fdict in (self.equiv, self.equiv_dist):
@@ -2420,18 +2495,6 @@ class fcontextRecords(semanageRecords):
if rc < 0:
raise ValueError(_("Could not create key for %s") % target)
- (rc, exists) = semanage_fcontext_exists(self.sh, k)
- if rc < 0:
- raise ValueError(_("Could not check if file context for %s is defined") % target)
-
- if not exists:
- (rc, exists) = semanage_fcontext_exists_local(self.sh, k)
- if rc < 0:
- raise ValueError(_("Could not check if file context for %s is defined") % target)
-
- if exists:
- raise ValueError(_("File context for %s already defined") % target)
-
(rc, fcontext) = semanage_fcontext_create(self.sh)
if rc < 0:
raise ValueError(_("Could not create file context for %s") % target)
@@ -2470,9 +2533,30 @@ class fcontextRecords(semanageRecords):
def add(self, target, type, ftype="", serange="", seuser="system_u"):
self.begin()
- self.__add(target, type, ftype, serange, seuser)
+ if self.__exists(target, ftype):
+ print(_("File context for %s already defined, modifying instead") % target)
+ self.__modify(target, type, ftype, serange, seuser)
+ else:
+ self.__add(target, type, ftype, serange, seuser)
self.commit()
+ def __exists(self, target, ftype):
+ (rc, k) = semanage_fcontext_key_create(self.sh, target, file_types[ftype])
+ if rc < 0:
+ raise ValueError(_("Could not create key for %s") % target)
+
+ (rc, exists) = semanage_fcontext_exists(self.sh, k)
+ if rc < 0:
+ raise ValueError(_("Could not check if file context for %s is defined") % target)
+
+ if not exists:
+ (rc, exists) = semanage_fcontext_exists_local(self.sh, k)
+ if rc < 0:
+ raise ValueError(_("Could not check if file context for %s is defined") % target)
+ semanage_fcontext_key_free(k)
+
+ return exists
+
def __modify(self, target, setype, ftype, serange, seuser):
if serange == "" and setype == "" and seuser == "":
raise ValueError(_("Requires setype, serange or seuser"))
--
2.43.0

438
bachradsusi.gpg Normal file
View File

@ -0,0 +1,438 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
mQINBE97JQcBEAC/aeBxbuToAJokMiVxtMVFoUMgCbcVQDB21YhMq4i5a/HDzFno
qVPhQjGViGTKXQYR7SnT8CCfC3ggG7hqU0oaWKN3D003V6e/ivTJwMKrQRFqf5/A
vN7ELulXFxEt/ZjYmvTukpW5Li2AU7JBD0aO243Ld9jYdZOZn2zdfA8IpnE9Bmm3
K/LO1Xb2F9ujF9faI5/IlJvdUFk3uiCKTSvM8kGwOmAwBI921Z5x/CYvy5kKEazU
lUxMqECl+Tu2YS6NDhWYNkifAIZ7lsUvGjW3/wfh7AvmAQyt/CxOXu9LL2nGzFhw
CIS4jVIxy5bDswNfHcaMX7B5WEyqTPtjzPAEMiLL4yHJZrHDPd26QHSaqtilVA4K
AeTYbME8iZIdacquFEq02PO9qAM21O48OknCTSolF7z6nBkk6l26W3EL+Gz5I2Et
3S9pab3FMjiiKVavM6UA5D0DQkNxxDn9blDXZyhX4HFrk+NnoETcGYFymPbbijgi
kFC4339/Z1aK31aJLkxiana5mqLthD4jCeg3B8Cp5IurqPr8QEh3FH8ZZhtdx2fX
TXHTmGQF/lXG4tg1eH5cb6wWGU93wD+5mf6czJlUZTY+kdevKtZCQnA0/2ENCOFW
Jdm/oMTUw6ozPd474ctzWKeO78e8yMvZst/Zp3Gq6SD9kcoPgiuMQ+BOkwARAQAB
tCRQZXRyIExhdXRyYmFjaCA8cGxhdXRyYmFAcmVkaGF0LmNvbT6JAjgEEwECACIF
Ak97JQcCGwMGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEGOorUuYLENzy1MP
/2c4fH8eXWbqoot/vLE+hJ14k0leYOQhVSo4lNlxRlbKNd5MQSX/QjkQgJNECbB3
LM0KxE/zwVOZ+umvmxLxNskOxjubE6NzoF7Sm9ydoqjwzenIpR9BVtg71mfjBOoL
PNrst7tHRE5btSnnnOS9ddt/y9JOIvQpkjtBTI2TfVcp2b4Domg7i4qU/hJ7hu45
5oAi6rPPkr0pcGiDKTqi46l7+9orsj9Mxs1XTmrTMMB/eV6PCU7Fo4WJNXS8SXd3
sEVxXvpyYjUTTnDuewjT1q8NL7anrsckS16WYSVGKzRhqtP1Vudt1F/D5cWKVqQp
vQl/XW/uQS2IsgEWsbRmIAEZIUOy4TnuF494C/A+1BbJBdUr4Nl9zPH2bjrJeqYk
TsvGQr1icgO4pUg5oC456htkqCxCuPRqqrGDAZBx54TldgPwvCo31+aPQJlOlWvI
uWD/depp0De3oTK9FDnHh3swE0vyn4Ht96+vM+KNnDYgJ1FEaw1efYePFACobvEB
o2ZpLbnDyqAT4MzfHpHSbwzUOk52ZOnkl/KrUIOxhXtf4dxRS6J70Rzb+HWS3rY/
LgaMO5Q0BJfbvknguKmE8dO8jx0pTlVER9ujqp+bVPXmFMha1j8vyGhJ3eLJZaRL
k3jgfRjiUUb4lNp+hXpvBwIYeFWl5kFVKg2aPywgnnFWiEYEExECAAYFAlBq4WgA
CgkQ4J/vJdlkhKxmjQCfevlawFaGTx58nDFN+4j/2U6uaGcAn2g1sZcTUrEEYHdL
byAyw1GNLksOiF4EEBEIAAYFAk99mCMACgkQ/2iSBAM3HxDivAD+Lu8U54iGgL5+
h9KpeV+ZlHgIpj4cD+BVL85L6AQ3GP0A/1TwZ1tS6Ag3ut2G6AL2wewR3v9Mgu68
E0M5esz5of4oiQEcBBMBAgAGBQJPh9ZuAAoJEBliWhMliBCHMSUH/30V/E930OTT
oWeq+QKkTJuMF0lrA5NaAy+xWtrynMKoiAuM0KFNGPfrPehkoxR4D+MKXH+xh0j2
bHl6fXOHJCKZLhCtsC/o8j7kkjIJjixBlwYMul21rxecke7Zt4XpxHARJx4208Lk
ztpzOd7ZnDP6KYav3itpxK8Eyj4g8N2omoTQ2Dcd+sCa0jgRkyskpPxdt0fK0D04
XW7b1LZkxwzwrAGSpjAZVzpKBXANcSmUQDAaIhGvYSKoiwVe2eaE5lUmvAaJQaTr
Ud/LCIwFofTLSaBRX8fEOe+UwvW36VtynPyETyROeTMp//Cm5e2CQVPoDv79soyi
E/oUW9DFDhCJARwEEwECAAYFAk+Oe6EACgkQlGXZM5TcxIlIRwf/VjfbN3eVf648
vXvDctsXfucl37i6Yue2COJiGYuZOrN7wYxVvH2to8P3V53YV9OqDpJl2NXUro1V
iUjFHuIKp23VbtyBAYsrLeTMmHLjnXlaUPSr6JUDHUQhCF34BTk17e9y7tXlEshF
YVyPlGum7JhyarHB2rRdjQk8kyTqmQ4yHjw/nP/HlvVxdgb+mTmudTPVBafOT1R9
MJ/SN2x4bclT4cQ0hjNEy/TsFzVduQj8yNOMFG9r6p1Vb+u1wn3BTANIh55R9aDh
3JFFIV/jBTkxukxR5iyGQiR53nl0e0qnQFxpfhFGclh0RktjrHZ3DBAzcuYXp540
Vu9aq9QuPIkCHAQQAQIABgUCT4bdRgAKCRDCPZG7HYJE34FtEACfqPwWSItk1lNX
E0HOM1YuHXFfMGURF1AotskJatwtjGy9oDUQkjfsPROnWjgH9s0xD2UmlTrjJfWi
BdH0kTLiExVUOmvnM9VFMRhYxQZMwiHecm4FZ5IWUz4e05oGCkHFbMswXEoEG+qq
btOfLNpX67yy/JM6We+8PiXV/c2vaErpH5S8YChb5wD9lEWNM2aPBOUmbzONM1/f
EFd8AF6fUVYN7htuyG1n5zTv+oowmO2c0terJRGmMgVuLugIEnKKhaQ+H1K6bdZJ
7mX4xxx5izEyYeYhi9DhBHSwCLhWR+Yilqkc5U0nrF+3Z+Cb9THHppi071OIQ7pX
rGsQSpDzGRXCw0nKEBm0Li13re8cOoHMlPD0RHWZEIRZGSYX1YKBtVuv4kpSq8GN
85lZSDKGRNtbJBS7Qj4vyOlOrBO1eyyd4lepQCe2Ri3gU97rek52tOM+fAIibz7V
b4a0qbbphrz6PVMbDGiBxM92+YpdDyZGyL7wJ4g6DhRRcEUQahlZ1n7y+YQ60ETs
zt7+kD08Zi2BoJpiMHsFfoas2pot7VePFxGutwvq0p+OHSVlwkLgOaORPHumLA8u
J3BGlJTHsErUB2EEgdc/Tv1vsZzEI3Zi+hqw1gcbke21Ii8aDfshbeKW9hYJAhnW
m8VdF3n80UX5Eg56iybrLCjEyiAEYYkCHAQQAQIABgUCT7yYRAAKCRBOBfZjp6Qb
nnyTD/4gVbq8H5ka7fVdSAnX65/kFn5xkqGzbpCkjcqe/5uI2CvdYtjeQ4K6sm7I
5RLoyu/EE/JPbCRHiucsEak42WAZSRte/Wn2yTQpIb0mQ0wXJvuM+Hx7DSx2R12P
9rIZ4mGo/rEtdG7Y9Vog9M/XGx7w5IqSw2DF2yiYQJXsOzHjphfYB8JfoqjW/73k
n4E2IRJtCuWhfiJZJ+GEGceSBIredH3o01ThtbAeh/gzPRF3FU1361zyA1sXtmGe
qwnhNL1spHRlpub3cvAXQ8RSYrNdiFZB5zohNt+iL+qzVWaUJo+vYZal1Co5/roI
HN5nJef8kp1ngaYKvf1hIVvsdQsilVQIXKFWMd47aU6W8gPr1W2+U4yw+q+OXari
eo7gpH7/OvMSe/3wOhGVD8KJrMwAVnr3M4wo2CM6zlwxPGdltQI+IxDD8NTGTmNT
rRARYRQaFQyqd1SrVt4sSkeoegrpOG4oWXya/v4SeXHD4vt8vvvX3A4szB73a355
IfbyRXDER3EfFfW5c+BnR3bxhfATTE6T0AKz1Gq30Xm2ycTGYCAZ2yBKewaegTpx
3O/E6APTXUnVWTIPQay8T4iVUiLFs7W1UFMY/RvmIvKKFIQWcm5O0L+27PJK+YSx
Uoo1Ivt1pclTuetbRbN8VnR3K9Pp5uZ4KLz6ZkffmJg2sOSu74kCHAQSAQgABgUC
WWMlagAKCRAyfirUINN1OOtFD/4jW0ZMGigpruCnvY0nr47rA12X6dJ6+KIBE+XB
QxuaQRjM5u44geksDwrqZ0nXrNvsa4SVwAhKVOrgMJVdzvUa1m2yeNCFHOTjln6Q
GjZ5f3a6aj6n/X5tlPptdklUr9ucEwXVd5fFMpWAiwaqZt38I2u0Pi+/qHDt0kLy
RSukmRPzRuS/kO1ugGO4aoO+sanVDl2Pq6LIwubL1Unk2HUerg8VCAyQrxYtZtHc
coyhmBTlAb+EmZnUVbQZ3Uy3eA89OuNTBhJWCk8vqROFm257MiH6gvG/V8CTrJfz
lpE+s9E6kxXhXpQWZUwtwWObq7vrJVkJhRwBsO9N2erxe+biBauFErYQPw3bg6xL
1BJLxDWnKUlMWs5o+h7lyjp+1B/gbnnlrUIlpW8IKVZRHwRUPGRN07SbbEO1lDk5
uJDMk+r2KrOUNVYCEp794P014xodkLvB8X7ml6tcABE4V9d4uVDX3SsktOLMvtWg
nL6xWMoBYiVOXi3Rsm8vESBOb8JFQL/ItciUyAioM4Zjq5eqotVq90HMBO9kqcjC
YsYEs6RACRmyE+TNmzGoucIPTwPEi5Ib4gj+LG6iPOBprk5DSjD7F0/wnQPoq8PY
HIufb4+PgOXKf/ROQXDRLeD6eZBtPcDUJOgW19m7QcXZ8fvo6B91COe9jTF/H/i3
A7NjR4kCHAQTAQgABgUCUQZ8hwAKCRDZsFd72T6Y/MoUD/9xxmXbPL2Zto6qECXs
Q1GFuydiYlURxDsVUiuc1tSgEoDb8XcXl37l/IKX1QmcpvHMPzeT0g8sNwIXSnL6
BNCnFcfrd0tEz8uBPxVnzMiGwaHP1kB6Vs6sNV31+CJcTz8BHHbOdXZnhHqXSb02
SonqAYeWVSlE08Ejvq0HIWRn6NIGdGqv6icBExryJjS3ZChRFpvgAJwsVO5f6BKH
oZnEn79uQR4XPHwuxRbm4hf6iYEbOhE7Hod6kTzS9vYIhyuTFTz5Kz/YxlMoZX/j
TIYsX0nZ3r+Tshur8iUXJhKvvXVlGyrGO2HXfEuIpJqEx4/qM9jUNP0EE7aPzZ6f
BP7Xq49Dx9lnZuSQ1jeXxEEpO+AND2xmnjCHr3EfgYZrrhCSxMQhvJh7wypkzu30
D41BHPOPSotmM7WLceHWmYui0Wuq9X2hom5jq11XwACEtmNiP/odXjF0ovfK0d8l
j/kivgrXAZdN/ONJapVSLkRMS71S6eln+urR9HfswEfM7IPt0cRwN1oNIhXmK14+
XBWvvwvalfuxG2UfxD8K0JXMwARlpGlV8lXpuzDV8EcrvLipKpqiQWaJer64kaQb
8qHEtT6+JNoGkymohrfeVagxKmPzDWR4v1a9lgZwY1FTRHNVPM0P8LWlN9q0CrYc
poBwkhTMV1YJ1OBSrkM9IM2vsokCMwQTAQgAHRYhBGMZHOlBgwmGicq4237xN+yT
Ww6vBQJjLRkzAAoJEH7xN+yTWw6vZSYP/36Bt4QhRtIh6HPWbHraFSl4omnuISu6
lTHsqhik81nbIUiLZ5e/KN6ONSgD2jfMVQOLiPTQFOoxVZvOjaHmHvMuF7BCbr90
Afh1qXW9txuPbVkhtC6hqIMn87b8UHEnt1l5MiafQnPHhoociqaqwfls/iu0nJGu
Jf5eVMXpdeWRk+ckGkqP+tXp/0G933jibSdYqwG1Tsw9D98xnGV3a/+zIqRtJflp
HPEjHPT6rVKAZxk7gkYSSsv6ONBwZHqwe9W1I+U4t6OPkGo5kNbMPBORB6/7B2Qo
LHx3+KYZs1j6glI+F/8IX2+JSFs07saMnsDhE7w5FzmwWV2JcUt42RSf8DVub438
jgA/Ht5yPROEJ87de78aD/t/gPq/Gm3bnUz1BW0jxBidjqg1qPOMYjC7n4dH8X0N
cRfX6tWOdSXmDBbPg/vQi6CEIhsGVisKlnrgYi1wDZExU6UVMnBNvllUu9PXye+7
51cIbrb+fwAWiwmu+AsL0qsjxZYo+9ozOLh9wLUhxOY5MZM82alN/mlUGzEiXN3R
i7D3rDrNFHdI4LGGLbO2hjPYrG4hdNHS+6WbU6qYcpBEhrqBtnUjoVqIKP2boBLR
ara7hHqVO120s8kgGtf/AoYpggD0H4qqUy4EFNjVdcL5T08w6ldQIYo7CEa1iHFt
ML4bsPcJh8lciQIzBBIBCAAdFiEEcQCq365ubpQNLgrWVeRaWujKfIoFAmMsvIwA
CgkQVeRaWujKfIqNXA//fjCpyIPPd6RnJhagWH8XCp5NB4cCT+LqAIR5yZfz1QE8
Qbzpoobz9ysgXZ5XjLp/lbVffGyg986j0wUtSW1+g3kJcYXBUKjSWoBwwmZgyZky
95U+uklY8CdPjSeuzr2I5X/LogHNH1378d9aEmQXBfX1uW5g4Aqgnl0OOgkCVzgs
FFOO2o1j6svrrDVG52/mwXhNRm0yYK/hFB8T3PO2IvMQGDGJLHl6N5Kl7P2jtkyF
Isi4AEzJeop/2GJYXQ+VkUTSNRKQj8oOS5qe9/0RkF9uqeamoc81n2But8MZN2fv
R7ug2EuG2LHp9/pwu5ekohXmY8EtMbVbU7TYKgduK0FMBaK36jXN4Bapakfxr1z5
pwdDjN4QiqUefBQlG1CJ6fGrqbdAupzRRDqN974rs5HafnbxioYRYjoo4H0zC8XN
UwgmA2wrwIIY/cyNCSnUuT8yVAnroPiFgmMoL8RM7C5pHQYh0u3fXPfvNBswjXmR
pJ6mhTqG6SS4qIaPhqoZqA1iyA6+Ua3YLBDT5wqvuqNMnfLtLUvMuridmlj97cRc
srQIr022NdpafDQVAiVhZO0CRyFd/++XT35iiDoiv20+LewC0VVza466AE1fkAme
rKlurlET8U/+U0JB6IP77ErjMgCzotV8e1DJkp/M37nMeNzazAb//ovsdkNM6P6J
AjMEEwEIAB0WIQRFaBEoRJtl+IDGF5c6hKlGtLpirgUCYy3RvAAKCRA6hKlGtLpi
rvhHD/99Lvgf+CjbhwC87CoKX84MyAyBlYACCSuySQBnEsVigz8sCVyTYDx52h1h
/SEj7XfTylAfIl1CjUedH4w3hk+7IN4scmhf5eeEMvQd8q+Q/hWQcXIUpwgKOcVD
NbUgYcbakJAPtilK1CeQvDdBD+aYoMsJTsII/f7FJzwjPM1XGf5EoODUC8BtQf/W
KAVoESwwAUwN6Y5XeYSwMqu1s7IHs3yNYLV8C6A7EQPVaVVlORqI+33rKyqAhK5X
ErNvAREQPYJMfRnQlIW7alSORwdG0JBgVLgV+jvoFo4a1AQImHDDtKxs2X5BCVG1
I687uYDBy5Assl/VxRMIUpx5+zWvXyDZX/6nlL7AMokTlyosgP4iiifBS+5KMhan
phMgnDXYIJE10V46Bdw2tjd7wMKey6BcKgfbZSvU5z+SuVnQXCyl3/blRML54I5o
EomXPg6lgVxSb6BBnaJXzx4JKgLer5uom1OGsLgPMqEHRoO3bucr2xFdtq1Zegw4
9S3qDhQ3bn8pg9JlYwmAAhBd3Xy5cPv01mV6ompOQ38SlMCJzcAGASdMw5scaxUl
7MloV2Nl32HIzPjK47bF7aVOFX7Tz+rEFLmJCchqmUSdxi42rJyHKVRqiAlNfZ9S
9FeaEfU+vBxOHsLNqVO7ErvrTafT5fjphZqvUTqZGCUiJUjPnYkCMwQTAQgAHRYh
BOJeJUyO5NMDVUv1r+xwGh2klMXrBQJjL1NOAAoJEOxwGh2klMXrYaIP/ifHM9eU
UT6JD0m6Oa3P3T161NhOvNqr71LDSztClsWo3XX0+ZK3wpjoC6vKqgx0Cc8OL1S2
GqwCaxb5JqWpsoqR3NW6bTqTTUGREj/e0JHDeBzv57OEUTe4ea7qzqjhCX6iyzHa
qDP9fiAogMQ7uT2oCghDV5yo4JUrG5brw8GkMLEvRSs2BEv7xFAySRaGwNj+oziZ
VzL7sBzp1bCr5cwNZVYxoo3VAv6FUcExp1TydxzPVB8/VvxOa4zrht+hFTn6mjUi
NHBc7DYECgh4jlDR6TnAdvpg0FsujTXiN6A0obOUl9jGz2uFmdY+2ojlVtzqKXoP
+PDz8o2zMrRoQYkni9VyIc536E4OFIhfO6CrThMjJjPNn22Tq+fzRYkWTrlJom9b
nOldQ1BdUXQt2QNigdzqjhZTIgF5OEOTERh80dvwIbZ+7vN00BOsuncR5GUBQerU
F6+SksVRAaOg2lyoDdxUQ+Z28RU8R/n7VjMV8ctFkQvHHLBqKkpET8LRh0C/jSNh
gB8zLPc3Oa4wTf2xZWO58S18esbYMr74vRYrsACbmwxH5Tz+L6Br70Fmcz608+IQ
ESKW3657gemZgFud3AGokzKG5AuWykSinydiZbK8MRGLsdfPUojaVIgXFqnWKtkH
At9gkD8YbqGYzuVwBnljBNRdTUMk0ClgV6pjuQINBFom2R0BEAC9k1Ky6AIe9sPP
xrgsrXRe0dyYcoHufzeU3jFssl3+S4cRuvYCzdZfRfdjfHa4n+CxTaOd7xkefwJg
GpaR9KJbu8dqHm61GIiS5ZbMCRU8FAW6ohVeDqEwFrPAzZjtO41OTpeXCrPu5H5A
Tg/kDnabzlD2H8JWAqr0DYRRhFtJUihXUey9zK03wSjUi5E1+YHUC/fOpbS+msNN
945CeQNBN4Ljap9Q183Fkh0Wm4Q8C0OS1WN8a0XtqSALRCGAZ+EV6UrmQVP9PCC4
/J0hoKQPv2bfpBAsrUGAO3Fnsw7804i2TY7O3JA8gGDYX6fwOVJMUXdD7FX7LM2P
pESqAdPrjqmPqHT8cPfq27GYgqHv3N4hP9Rjt9wxmHYFbJT0YCHw2ZMiAO/VcvvN
miGr590ZFiQEb1MJN1r+h5UDE1CtF6nTieirSXi9oMilHlo2NY5nAItv/T9PKk4X
+kaH3UoicMxrkT34tACGwxi4VIRYWL+ZquxE+bwXqAvbGJ0p3XbyREURCaO96J/2
w951EvZErpFRQu4zzClmoMiNbwkQ8QdesSaqjMirlHyFI8T9BZrXbPazdVNUwfyR
LFil1q/kgXjXeJDoje73UiyGhqhlVOlEbunGzCwEBzrtQdPTDeFQr476/4pe0v4u
gdNYkL/gY8Izodn47d1XH68AuRSrzwARAQABiQI2BBgBCgAgFiEE6FPBhIsBhc9C
hk3zY6itS5gsQ3MFAlom2R0CGyAACgkQY6itS5gsQ3PQSA/8CZGTxQDbD2oLkGb6
tyECIs5A1RsfwJ9aj0R/HuEO39ki8yM88fwi8F5AfzNcmYwp0rxyYDDYM0itObSv
A9WBB8YFZ2PKT1YHrwTzWbne+spmQYDRdFt+0Kx0JLvgv7SYvQ1jNdCazixH1SAM
9O+Tn5oFybVHjRavWsQYHp1CvXY5kOHOEDHhz37pGwFvyVyFdSYS5PWT0+0XU/g6
Uq2HeFCurhUGuDXJ6WA6Ipvmu0vbi8GpyeiWCRoG76sqbBfQ7dd0oDMUHitewWGq
LP1Kioke9hu5p9CbkjYwGZjJWZEV6WHxOmICfFcBRPeIJyO8Kfa/vVBfQZj9fhqs
3sHSfAGIdKIB3tX0qKhMRdu/QoM14YQ1yK80JTUUOcrKLDt6QJinF1UQ/OcYQqGB
CXaRk1OKGFuuij16QudnX56+aYbNPltf7cLs1O7aodQcRxmMSgxSE/2ckthPYBsX
PWuDMYZCb3e6JMWsdnCI7iPpoPFAJmId7SWJebXZxntoX6YwZ7Tx58/QMLEqxMfE
ExQTAFg8/owvxCG12KaharLr4GpLx0aU39QEJenG1LqGLwiQh9Vxsejw+MkebZJE
6zhs7XBpenrd5c9OFOtb/Goxwal/6UXz7a62jZ7wDNpJw9xOfC3/eX/56+6dLVef
RFj/LOIu9reM4boTiY2dmGj1QC25Ag0EWibSSgEQAMhQB2Q329FSozPk7V6dYBO+
jDBMr1jHWvNMCR/2DkwXfDAKK3haSWSqr51/wua9skFRezQvc9PhgvOIJi1jsxRf
xNoM82a2OpYJdj16FG5RVQ/ApojiywNvp1YPJbmq4DfXSuUA6q+OephsFLrx2cPY
nyDQaI6mrqTBecET4cdQTZK0nKKUPj3U2bI96zTBIYK8Kr7GMKXm8R1eV8bktwHT
HyDjI7hN5EjZViYqZYDQ3jt2vC1Aj6XpFw5K7Sv6f0l91zyjfcu6Llsfo8xtRhAl
lub8EBuO6ljJ5uWqDgjqTOkDXcIAUkhUCg8ztweR15zgJQQ/On0XDcHLtyi7zuQd
xNaKYKkD3oROTqce+YbNN3qnP4bV0qa0JLlTOrE/0/zmif7Q1zYOidcmMgGeF6Gp
pGQkkxY4gSKet8kD8h4AZXGlpFu4e9sue1ENDRmgWaqSzIWudMRZ3z0/s9EGNNiW
60nwJ1NBoySeQEmnwMzAHXneRM9pRGQ1S3/CKttq/0eWEH3Y/Td9xi4DNvTXcvgJ
uUUwoclWP2PCPg3zE+EQ1q/Kt2oYrT8NcemM9EO8btNzJ/Y1wSDLFAFNikHwYjTM
86jWoeGhSM3fD9HJjfqoB41gDKvNIVlhQavhe6df4+AoCo/mGosLYAPFaHHdkmqn
eT0Y0BnTRIS9yLcO8CBVABEBAAGJBGwEGAEIACAWIQToU8GEiwGFz0KGTfNjqK1L
mCxDcwUCWibSSgIbAgJACRBjqK1LmCxDc8F0IAQZAQgAHRYhBNalthyaVTQWgpLb
Z74iCR4+9iJ1BQJaJtJKAAoJEL4iCR4+9iJ1D2AP/1VMC8KOmzPYyiFY+1xHu2rv
siB0f80GH1jXwDSM/IKvsH1axCD0hMV5sSi52epCov37czSlR3MpQjo0xK32wJB9
26AgbzJYZO48qulDUXUhPWJ9bxiyIcxI/3KEspY1RMoWv8AfYA/qSma1cSdT4IMo
SGJzPh3RyrUpeFP5QT02oGa5TuSQPiJwy/b9u+RVOi1SSqzHMJdKzZehGays65Pd
jC8Xtf4ipdYRBr6mIyUISOB+FBkY2MttFzNDUBdDrOepyjStQLZ1vUXnYKIiSRHX
o3XTW/W8fh72o26zeDbQcALywQMZqnwtrZluzKHZxF07whKmXvw9pUHXX6hbJDvm
GVMxnB/F6grPNi/V+Bv75sKOdImgnJBUp1Jz7288SPbNQwrqFKV2ZD3f0PFmolFj
Cz/Oc+UUk+swfnsT3pV6LClTThsOH8WlKJYxZLneX75HuVx4CmT+qv6GlFQuixjc
H0LtsbbSjAx7J2LRNVtfI+2DfMcIi8KJxe69MAKGqqxDyDPSWeFrs0MHmyD6/6m+
GTovgUT5jOZbR6GVKelW054bmby0zQevWnRieANVeFoFsnwclJnqKIRzQiGod1p1
b8HhSCw4nOeOQSifaOf3zcnFhYyByDMOtl3/AqGoLp/61u3Bk9h+BP4VPR3RUWzc
ggjmxJM0MrLzjaSXSedjzuQQAIq9g35FGpnaB8d/EjufED1TVSOkvNK/qJ+dD4Xz
f5RvnbprofMnzfEyy8jJ1Vqc3QZQU3IDQt/Un2ZywX0OboKGAIn/gyfwdkpnxJ0j
JoxRBuMplNpfNBw+oe0nFuozO9idFozKM+SWoE051/jvGHp1FqEPLnAAGeSbWB0L
RlAsnMjc5u6+SKHeFGRKYg7U0sO7ZKbVIT4ZmRnsQLDakHwbAgfcIakh9Whj0Ou5
r78Cs+DcM3XAdtZ04d81jV5TsveR8/Cn473c6dvPIfnA2P4uClTCaCDv+jXG2f9a
FIuJhYCO+TdYs7qjAsXWngJUebRFiHbfSuYDw92/eqLdKD1Hoff4MnW5YOtDpp6E
sdCDuINeRtUtnidw2vIPezX+xdmycXIq9Fb+GvKrIDsKu0VO8HObVviLa/RE11ds
EHYlrarj4mqzS2MhvmU79Bazg9rDDB4WVs502n3uJaf6Sod/+ke1c3ff7AUPox2n
pjH/bVmkZJsOq5EqcvlH3m2FZUHSFWS/yTR1rPuJoHBMHVc4OPlTuSqT3qmKL2vb
vD1l3D4zHZs1paRLddYXiaex4qPU/0YpP61XU070MmFGYE8Z43TbMPHu/6LYBpw9
p5Vj3VZwn2edNl4LGx+05hIABzM23I7JoQ44uPoTbohmYXF/DUGJ6h2LYdp81AVC
lSFWuQINBE97JQcBEACpbBqvDl8J65jEhPjOWczcDVB+WfG7GBHB7T6RxSNFIahy
mDqzx73zZD6n4NnZogPDPopYdRJ56u5AfF0bDZlgebl8+VEgPHGoay74Gf6k0B+c
pEkp5PaWQHHEqXINotVg29hTsf1u0sb+yjgcc+9WHw3MtpChsgk8Rc5N8Xvr1FJc
L+xynSvUCcLIwfgvLHYPPBYGIRpvz4ek/zgHvaGftDfnyMwrMbgi8kadrSb7PQgc
eWeTL7CQN1B88TPJFqKt/QxMdXaPy+Cr3P4XVy5V3/QEVFUizrtCCqJgxHMAeCP5
QxwYEWmA2zxUzGA/t/QUDFbccKt2BdpdKBFtHLliE+yn9FHw98JayjhAJxxeCkrp
MED9N2aGHI1q44sbmeLKQ8EuIbCamfq7fqLXgkEy8jgivv2J9YfXejjjEobGLkss
Jlxaq9JeQgFEVl6f0jJ0PgkYPd11RxTcVLy4RB417cxc9LHcoKdAtcgBTcZXPPYO
L+eM9S7rTvFTna9IdF4bbnJFNjHDMhb/9XomxxBsekpTUXEm2DGoTpO2W/jwWcZY
LVrdhikkkF8b88EdWk94fUTcFA90I+Ch0YbS8XGM/WIklrMGa0JpA4OQW5oMhKDn
gqAcV7gxRYt6ylBPVh94/AIMz++wmfqBxETFP8HMgTVEApLBLjwru9B/4lRStwAR
AQABiQIfBBgBAgAJBQJPeyUHAhsMAAoJEGOorUuYLENzegsQAL6NuhGuzQf2GELc
O5J8/BW2yF9sxHWDLrw0Pntq8D35kgGfZLB52tN3DI4NwL0vE931bXC7ovi4kHPS
sazv+WPUckYfJ7qskWVD1yDtHsADduwudJpAflfZ4VIvMJqJ7FUw5Fy9ennw/Idp
H7LC+ubn6XT6Kh9oKvVmp+BQEOsdisjVw848Thik+gS08WvAjK9m+g7++FFwKy08
5iXuuqZpvi94eU1QPvzxzzRZz6M4gQaz+pCq/5yf6I+Hu8G+5nq2foFN+G7FRkx7
KJmJ3SAEsG3M23V9MKWON49ZbhTe5xW+1at/TKKoNGzNIYs07jApR2/E4J57yMWj
zsAqg77hTDRiV0jhHl0DJw3RHFi3z+SrK+6ie6mrq8WEPj62q9qdM8dFs+y5X3UT
x0nxly7GjOxxhi+Nt83PAG2wVFpqmhVLuyPnruvxzyrVFc8Dvx46DiKCzt4PPK/Y
+jnVIQ7Jr2Jm2ZCpzZZT5QNJuDp46mKHlNBkvSy3q3+pM6cM8vKSuCFd9+dw3dX/
GptLebMrPOvLVDl4Bm9hSmG7rLpJy8U8Ns8pYSS1zaxHM8KqMaPuS/Zlx1SRIj/E
afefnHd5fIlmsH9C2O5fb18SFjmD14FCLcVTG7bwh3ZfbGo9sOJSShPxppPW2OoT
jwfANmj1cSg/VFr1d4HAEc83jFgumQINBGNZjyYBEACk7biPgvCVldNWq1CwVoJa
/Fvc4T49tqxcc/sY4uVlGo6oSi4fQcXE9XKPPBuRLmvpmMWvODQLzPxJMWUfJq6L
yYFmX2U9VRTcyITdmJs8itkEaDwq8BtXkeQfUDAVSFy6V6/uvVmNWD7pGXqJE1Gx
uV44Ihlh6v2YyqSzDG/rZur771hke8VZmlKMVMs1RSeOBA3nUmvZQ58+uqkhJNYq
OeQhxGIxDOHo7QhzTG+SlX+uQq6mzACKygVJJl33toaUwVAX5R02a0u67A5wC0wh
AoLSHInc3P7ayivWV/iESAz+gMIkuvJWns/Ak14J7MTGgjD6rle7PNMsPDCCwQSc
qA8F0x4OChCixbZGZn6Mr0u8+01VCEe2IjJwVUfFI/G4n1FZ1RAdqjkHfZJeD20L
GHSbjJLcnqLLFx3LDpI5dAxo5K2kFvz0VowrB58aHoofW8/g8yZygGQ4Zpw4JnpU
maPnMTiD5yvnFzEihM5L9DuaWqSK3sb9qzoaXABYRYI7OmX4B5nmMzFteHHq0tMt
aKWf0HkAsCP0BLJcS9Oc1/0I0+gC4oKLRD8a4+kaEpNr6BXvWnj7Y1h0Zr/CZS6+
gi34CxWMl2Q34OSqtS37mzzBu+UZxffPR0aV2RXcEpc0c5HW550Thq1NF9EmFOoy
eG4J2ox9JRANZXLh/i7mNwARAQABtCVQZXRyIExhdXRyYmFjaCA8bGF1dHJiYWNo
QHJlZGhhdC5jb20+iQJXBBMBCABBFiEEuGgoR3ZN9g31LZksvDkF8jUXnPEFAmNZ
jyYCGwMFCQPCZwAFCwkIBwICIgIGFQoJCAsCBBYCAwECHgcCF4AACgkQvDkF8jUX
nPGeAA//ScQ3kJMqI6FRULXo0aF7CpafPXVWdvj+mfQMlZzuGwXXTmM42T0DXnXR
BSjstWkmOXP/UqkN7bNeXH/S3D3GCJ2l0qx8Qp6fP0FloJIbemyxNtzl7yvAE7kW
vuBuLvUdm23cntv49gAzj+ElDqCxtT6A6qaqM6r7DLUvw+G+r6gkeu1hNQbtRpEK
9Dt8tHriQyI410qFRMbi3QxU+iTJ79HXwrXiYpX7V7T+ugiU9lgIiC/hWJCo6SY4
knt9E6zhegUWN6zErl2HY8FBM2P9eHOTqToEOAhKeM1fXZvxe3m49fGq/spmRM1R
UUl1V9WFEaMiLg/Z2rmbD8LX9YtfYlQCbEwyX2nkIP1QIcr/DEfcmCA2MXCQCgsq
I/2XS3BTLPyjuqAYnXxrk+T/Cydcg4W3ZBYI/wT56GH02TQzB/wJsn0cW6EMG46V
SDY/mZ2/gwi54G/Pqb2R3ZC9I7wQ6/FFxuu8myI/QVmEiTlvTxBoyOdNlliBQxCk
Dczs1rxd/o8Wfjo1vwRHW84jZrCP3xr7xPJWuzsrmPU8kFHTgepGoY+4b/h3jGwl
V103RpRUK4JidwHsmYDVk6pgeUH69hf0iVcbFfKiViFTR+DwjbAOxTdsFgsYYn+7
hBj2l+pV/uzeA0akL2dkgfJc9pAf6ItRUnGC+RlntZ0Pf2NbwIS5Ag0EY1mPJgEQ
AMRQDbNHBQ376nDF8miBZOAV1txpmbHc5D/X63PNapP0P1/I7SfcJU9D3wX8c4vm
xkjEYtH23s4lmT1VLsU7PisS3MacRemm9pL2bD53hs9XQEuU9OtJsZn1ZJ+Ynh6i
5sfW1bG3OiV/TWgYXW66GwE1hn9PuP8arodUmhEft+64G2u8Xtxr5yqlQJEUThV6
280OJrxVbduaMi5C6UNeeGE5wuhfrQ0TNYZiwQ4KYbU3QhlWhHVjJlJ5hCLiktwF
DyR24P+wlTIziWA407mo2enQT+mz3bO7Paf4mBionGsJMoADqBThf4B69BxjJ7Yg
7oQVIZ7560YIRRmNo4tk5Mhep11OtQgZjZJR6MhWDaUO17w1qScrOPRj6G1IXP1R
5NarydJpLyAVb/5WFZ5jxUGMGtq3mYn4nKbbHUg2WzvCJvPctDE6EV2vaiRy5N1f
QjsHgSa29F2feh14p4ngFCmHjpdbcdjfv6rWL8tgkSpQlDdeHRRd1q03TKAg/byP
auAHKzvV+iWlmw1f6KBWjeTn0fofmk9eeQ+P1j0a3/XTxMOjB34SzqPRWzmLPLF6
YmujBK2gymM+JLirJFFzao1i4lgmxqkDhQoNYHXmVYEd7w+/qUYbfKwO9eJOWzuU
WajxvJ1Vgv6z4CPy9if0gwfhrx0OOcIpBE/xZU+SwQQpABEBAAGJAjwEGAEIACYW
IQS4aChHdk32DfUtmSy8OQXyNRec8QUCY1mPJgIbDAUJA8JnAAAKCRC8OQXyNRec
8a+qD/4whGQ9J+td1iLFMpNRAqvuGtTnM6shZJNnC5CB56Cu7ElIpr74sk0R98Ia
1pJlBcLALbYSrqwluZaLiRVDPdub6tGSRVssqQdZcKThz33waTru9IfLhCrRSNd0
ZMHJaOG1ErU0noWw2d4ifVJK+vvuvMeEyNm4H5pZOYzYeikqVUYzS143cSzMEwtv
PSdP5JkTQi4WNF09khH1D+QpJoXEgVEQla7Sr955Zdt3q5OlpYxxw+X62vslZ2OM
iKZ14kWVSRbVQ+WdnjtRYS4vivB6ko9QL770jZ131hKhC/BcWpEYSjfPpVua2oKb
ccKHXheIFEJ06kGkMeeoQPxmzPRBYIw/E+d5sZp7YXDyBGOAxBeiOaOnZ8vLBzy7
2HFng3oB3hkVGTTHq+PsHdSSaRME3QrNpDsaGeSjw62FG3I4zK985GtrXAHEzN/F
fd17srl4mcRQ+8QM/a+XbF/8ugjE/RHhhFf8sWVAPutYzVE8lF+uqcduPuq/rTcU
BuzSVjnSRfXWqCokjh+ypUpHNUO8fZDzkTLuE5rwMG1xpPueDBTzvoGDQRqc2eoX
pJnDBmdlz83zHsoR2gIHcdqyc/hCV+fTvR8E0v9ZG3Jr6RFgWdD008PsGxUevIDg
MAYFwasZSTofEnzg49/WeIFU1rGB5HZVlmOJKZnKRuBiTakEP7kCDQRjWY9xARAA
rEkjlUH4hoSQAkVJCWWk+nF+daAP5IszrGEQH7TyOVwXbRZndSPFSUqKU2kEgHbM
m+wFYoZe95h9tjDh2sLCs338pVu5Chhz3dNseTF7/rbckw2rCU+JbalEiwck7tKL
qobvbh77jnrbQnkrZNc+nMeHHLrYyc5gHW6cSn4UlU42MKmTlSeOG4Ly9wXhgaKC
heIXNX3U/D682Tffl7Gopcm7pPZF92dwY4nIpCxU2ATimkSyulbhzk2CjZ1JYUJ1
LHctMHm9F0LEGtc1GxDShzVZP8dOWpDs9BBwZDLXxCzC4rvZ+z5BJCDFbuNTKZQ5
JEoW2sM8yP1LLZGXz44hsab1aPrvB3vcdS5ETP6bqT5267ZiotdhUifU/pTV5ze4
7wNuaZenQtGd9olyh2dAqOk2DQrcBQFA0gRp55b4U62hLTYXxT+7jEbSVAxeXDPR
qPvqh/4kVn86llYjV6dAoASN1wWz423QH3u4ZK+S6g8HZ0HrY2+NBYgqthb6H/X6
FiF5VcHWstkk967g4Xt0PgN/rlCtpXh4WK9sScX/CFdOURsHlb78ZN2LexaYaVBq
QuqvfHaAPJaIElXqMheZ8aYrO6Df4yzJ+6eTs3s4PqM6EMir5waFonx5Gh50X4xL
9p7IVqgNPhQsU8Z5U5hGYbmUH766GtENv4CI1upFA1cAEQEAAYkCPAQYAQgAJhYh
BLhoKEd2TfYN9S2ZLLw5BfI1F5zxBQJjWY9xAhsgBQkDwmcAAAoJELw5BfI1F5zx
4cMP+wbjKu2xCr63oyn+lo7NqMDLBYl4zHunYTZhG/egDakVWp5Ikj5/k3i+hVSY
fUyUhqQ/b/H096ropB7GA6EzS44GS+hLMdQOJOmEbjvAP/9dJDX2FQnYZzaA2f/e
Ikgaw283oOLnmYz0x7YAW/oxlnPn+7Sg7DGGqqn3nKofDUUrowfX0tQGwkGmJJqQ
gOH/ZfU4t51UCKzF6hWRbberBI8ezp24vYngA2kGef1fCUC+EIFhoYcdHHCtC1Ti
KmOUaeB9ZMiVXkP60fmCLKObwcKTyYpAFPqM05xgsMPFaXN+fQ7YVAGpCdthk53N
5Go+QqehwLoJk77CHZxIWJIf43p3UiuH1FsuXF7OdExzIhUSiUum6MoCI8BpVwn9
uSKfXKLOdGDR6IJI8jqdC9LYoXqxZtDhpcqD70hFWJwJzZg+U2SvxZyhOqwtKXtD
TDtee3yGzPacSAJD7mFURc/DRi62UBMiFcqO1YW/5LgC4yjtzo7MTQPkaGbQLduH
IlCKa8pHWPqaLFdMawwqNrTNHWXCD4XxijJYwdAue3NUG/utekNm82mqnbbWw/AX
URIzefQsbyqiNYMztudJ9hAS8yCdkfb9SKVIvWYPQ77tHltOZF7K/NzOGeJaJr8l
vqZCfXpWmOduTpWaD2kIvU2Kx7gB4jXdMa2ai9N+/Hdr3lLouQINBGNZj8YBEADg
Y6HOawiThxQVI+0uvAAU9yisew1SSVO6mAsQtZM7s7BpLA3RGPj3UGojZIeejA+k
fq7A+PVLBhz/kSBTtw9/s3o4rlqNzz7SLaix6XKWCpHOBs84n3/LF6u9KMMVk9vT
sjKz8iDF9mBR2bmCfLvEk0HDiMyApv5SbOsZMB8k5PWyK8HYPyMI5umEaOsaC3tA
eihO3nzAxEf3oZl53J1pIw+ecdrQLbWbH0aqKngfCddD8Q0oMr/Iwly3W49+5eqJ
oelR9/dut/dg0a3Nn1wIGYRzC62CCsF5IZwKdyPh7nilEUFpA5Vlz+HfIFch2LfR
F3Q/GZD8fKzKxhjDIdgyaWSTsMbityKxX2G/pcjshyMsZT7I3Hx7SwQfFro58s2D
FsFLEZgBhJv+nW/HckeedaveXmXdHKjtsa8+rvGADti4wohOl+N5tbpYW3/zR3AY
qlh47hG0ikUJ8Tusnu865j3Z5mE+KqS68ypRVBMRrdJl2lGPDCnXGhl2720VPNMC
/jB2Mgm/L1mvQM1jPfdC3KgokDAH5NMzKvav6A71aLSUJli3UdkGHkX5d5urs3k3
WmCt7XeTb30MBvNzBcSYTbw2UGIRE8G0CFc3wtiWWiQKPeFXYhn0+COCoW/EXpIC
VaAuMPMgcsldM13bKGyGo3NngsNEdopNFfr0KKW5XwARAQABiQRyBBgBCAAmFiEE
uGgoR3ZN9g31LZksvDkF8jUXnPEFAmNZj8YCGwIFCQPCZwACQAkQvDkF8jUXnPHB
dCAEGQEIAB0WIQQb4sD/CJSWIxAv0lZGlYgcJUUI0QUCY1mPxgAKCRBGlYgcJUUI
0ZkHD/9TlRvAaZETf+pv4/IceeL3KHwj5lrC/gojXxN0AjhAXljLSRCu0EyICxZy
3158h4k0vwjdv8699yHEN97PdF84m81mqxOz+juKBRHFK/EwAAgOdSlzGnUYgNkm
mCROFWtjeneNWaFdEnq9MItx1OascPeyxnWMjq7LLYMSESP4tgUV5KdlaVAXR6q/
833u27/NodkDcNH2UK+IyT+Kt/uCOoIIL4ttxo/PvZTphzV8n6s0sJJE3/BrRxgv
CTkVU6zosyJsyau8/vayQYGPuBuEQVs4Tr+vZ42izbkHgElcZv9oYjJsxaqZqqMz
fWPte7m6Pl/pvtmlhPmpZ+ej7y8SRysBV+3aHNXaE1J3sIOmYxighlgZapSjHl/A
9N/KXdoLAjIZtBAOQ2ZFyRz/c2+VUqJgwiwdxoaFaYn2eUM+HSTbZfdGXBS/yyZL
YsM+L4M2aizQvDIRXzy8vG0vpHQEvPlXL0Gg0gyk0fox0OsAP5CfXmHC/AvYOHM8
y81X2QqDf33Au1RIgog4cLqq2wpXEARWbAj0BAMIeJoCDCu9Mz2juK1ui2wr8AZ0
42PCUgZK6CdUI18AsvApUhPsNunF7ZOc5mFMuaEGjjWJvrTG3qyrCY73ySBiGXWo
92ZB7FXu2MzgujPBEigByqeF6IV2x0EBHw/VrcxXq6Slgmik6G0SD/48l5mGCxM0
Wr91raB9zQlwDbtD3PCbjA6DtkMrRyAq+81g75N6uiztGPCVw9n1HoGOSjN1hAhe
SgQQlcXbDLpzfdPFowDEHclFFfUODCIOuF+FgmxlAz5Exr9JkJdozBFqRZ4iF/tf
E5sHB0rzeUcY3J6VjTsjULjE4GSg5trsOc8GHUnFn9wwwkf9nR/Mr1RYcX0GkTcy
iUskw+AoRz6svOfAWIDJY450wgD0MHZK08IfUUsYTGecoXcvWf/hITtv/Af5MpQA
wuGEDltVDeu9EAu65SZlMkkMuQD1h3KOQjUJ6nY4a4M2CQ51ggs/c+vsemxsuYlG
vSuhrfXt6HGD3dhsOEeyEvIcjjpP1Ku5mqrPhqXFli1swfohhYGGVO+fM7G3l7wF
kAIi0B1szn0K13qRqBIwjnWL+orP1KLzvczCH6yD0FZY90CDdMtM0VB6AqT4BFh6
5+ygjA4YiA7fFYBm8510ybUcNfzU3gUIJ5pF8MdGizO54tCPSK6U+iVRY4qfCFdu
IiOZ7FUUn78VIxQUMYMrozy7kn/0PQZa7KKRbXJ8sg0sgrQapwpgUjdMwuYZPGGv
1Jw5/+WUGWMbGxmlpHcEOmsPZpITH557M/kHyk9Ud0iKwciBI2mGLxiafCuLrUY4
TknzOqbZgjdllcUG4cDBEQuBO/GSj1LUfpkCDQRnKRF7ARAAo5H9/6cStbyjWFeb
G6qDn6pT+4v1rlbRZo0rYwWkDmEAjOZMRC9SJipTCdQeNFlv6HEiiCvl3bmZIqrZ
+zvLI6U1+2dH7k06xNqIFLTV0zbr+tUkOwspg5nr59KsuNP01WBS0ELzunO/zHj+
BOEdPg1KvB0IQFtqAwaAfuny67YvTr9O7Yz07ZCfTxPtHf6FJ80FPeRa0LoZYnW4
UmSGtm1f59VD9+qe4yhRtNanamXUKjf8BTw0rQwjoJhVT5Mg0Z6hW6fhFrD57Lgd
8fBi5ZHHUlR4z1+nqGCUoHlHjc0JVyK8j8fofKafow/79ITaOqBzv+P3psY9ecBg
7wGaOHrqzRzRxAfKYRO2IaFHRGnsEE8FnwSEL00uPVxpiiTavrLJFEjku9GmP3OY
3rbwIPXbw1m9mZG1yAVbSEEf58WSWeoBp0O6qrwAdIbdgUX4BkQ8bX5MtUjXp5tm
0StmjQiZ7O91cg0VuWtrfj/I4E3xtloNzhtG2QLI4s7iAL1orhClxEuZRO9alUCS
cnRvhmw2Dh6sB6i56evcZdUFwxMXOByxfWr0fxX4QlR8jYqMPj7UMNj2PccTBOQX
umIW2cdGEeni9vrE9cLfZRSNCwPWAXWtr1zQW54Jx5DjCGHobQk53Z7kE+MZVAje
gOaT0u50cljBNfJootuln4+gbGMAEQEAAbQlUGV0ciBMYXV0cmJhY2ggPGxhdXRy
YmFjaEByZWRoYXQuY29tPokCVwQTAQgAQRYhBGjSGCM0KhNoOus+TvtMaFtdwcE+
BQJnKRF7AhsDBQkDwmcABQsJCAcCAiICBhUKCQgLAgQWAgMBAh4HAheAAAoJEPtM
aFtdwcE+doMQAI5mnNA8aH0dfeOZnz/NrMwY6H7jK/+lYatCx05e1TfK+zz9feRK
sxgP3Pjj0p9igo3jIdPcN5/YnlmVEeplDmSiKOOdendviy+sA8sukMo07Q+m1pYW
NzFtyiZd+c44mp9I1l7h6rktIY9XDedrlAkNog1VlUet9eNpmgXt2OmJNDmYftWc
KIpyw/ZLaubjRcAmxwsn7I6dWnT66Ffg9H8trcRlWipVWP8imO0EIpwC8RbhuNgk
xjt/cVf3CEpzokF4n0k3nqYmt90NNtGc0kG5QAlTvlUuHpNWzuzvdAPtMy3KEaXI
fu3IEZeIKCxSgWXTm7zRKUn0F6jKAsLXhK/WOA1Aa7NdAUwMxrEndfNoqBrusaLD
lpzWU7USv2YT+Pf3aQ7u1szg2J8V5eqRP+E8wwe54RNCgQrcDgUq5abyncsvull3
GqJvzvZC7/Q3Th/g5Wc+dRaGBz0O9FBuRPQwjrnB932xW1fDf17cScpVKAvV/jwn
tpWXf7nSv2M0o9fihnTBl4d2c2EBKtTdp5W0IpeRl5uLad3AYoouP6RoZ+/Id/Zg
NeaQKH/ZlCxk5S9GLzYhm665ysOYRkh7NfoThRtvAqAeDcTKWGDG1nQok2KKOSyq
S81PT2AlMz7A26R0vsH/9lQ1uZFIhIGbxZXlGERZwXd1s+lgfWTbB5K+iQIzBBAB
CAAdFiEEuGgoR3ZN9g31LZksvDkF8jUXnPEFAmcpGAUACgkQvDkF8jUXnPFdGQ/+
L7uA7EMB+Yh0urhZuOltZSNtge6b+UbLZTd8DRsf044e+Z0NJWdQ2saLBptGhIcn
as4Qd0gS+QkWB7lMrJ31uux15ZBjFsGtyqK+VoH8JIPvV8Mr5XojqA+UYUpXP6ns
ILrdkUvNzpeA51IxYuVMWcut8SUVYzjD11YG1P8LFzydsImaYe7se+RE85F3/2Po
kZNe0d0Gh36uyfJSND80XrrxLpROgabQgHNG0drL/DHjdoa3F0V5EUoG7NBwUrmB
RlWKYCLUFfW+8mQn6RVK8JIV9WaHrzi/KAZLonZb5dCjO0e+Ol16pyUofLA8SN7B
aqjens8ho297GtE3darkXmj5p3p4YPur/D+oZCNIH+BYMsht46VtE3v6V10P8KA2
6MgNo5qME1Q0kC1DUYi68cPeDgrQBMWa+nF+m9i2aGeAyi3qDhZu03JLhOYAhv45
OVRawm9vFqyKiBRANVogTRr+ch4zywaapwfVLQ+xiwVLqlT5n/iIzWCQ0hA15eKZ
gJV0kTXL4OWKBeJqSNnnLVm4AhZ2OpKHMsjE7BEopvCe9JZWFIrjtQ9TrriByOx0
3anWkmm7b4lZ1HKDOI/Cxyz8BZvYizo7hSOdGjLrFBTD/Wk0swvpzB4NKh5I6N7k
gppXMTaWp36+KmQx66JzaZjepGl1VMNFdgiP6Sw6pO+5Ag0EZykRewEQAK4EY+06
GeuX4wLlUqAMWCnbFELuhBZGWFLEIvP6WJS1WOvee45RVcpVfYMp3AqymiNRahAl
RMtSQ9YtXSdlBPkhtNcoV/hqjcNywMdbsy+Rs27pRk/DJVC0yVL4ABrSSlwhfNa4
6X4ZvPr8GGDvjAUhK6NXQ7WrZJxYR9/U0nqRGtGuPBLhFey1H60n5axP8+2f9pFC
NbDJ13HbrhVju+RUeE8Gq5WJI5dea5SfYnXFERsT/zO+pw7ZaaSDmWKR1a88P6Bk
DD7e63ZIaAa849M/Dz+OgzNEgbyRjvgbO0OEIrS2x61lGoW7F9prEgzj97NIiBu6
qpNCYJefkpfPENrk+wmOUthJfh6E7uphlliQams6dqXAc3Z+xBN9jFf74RpzVmIP
K/MFNr0EcUMFgURpBtaTrk4dGMh++v5i4qKxxwJHf4RsGCDsgH9ZZDemKz5q8uFN
TI1kbTnsKNt+d7L45U+3/mRm4l22g8eu+AvD6R4GfKjsyzEFCyGK7TmVYj0Y+EGR
9+YbRQ1GahXqtrR/aLC09LSyxQTqYfKU8KusnoceEbBOigEZUNPybpzibwHl1VEV
9crR5eT8MPHgs8xdpjQ7gRuPi12fvc83unpUsNIHSCxZqXoilGsz2+zpX2si3PxB
tK/tTo6ZFRLijhHs250Y1agp4MyXYq91A2VTABEBAAGJAjwEGAEIACYWIQRo0hgj
NCoTaDrrPk77TGhbXcHBPgUCZykRewIbDAUJA8JnAAAKCRD7TGhbXcHBPozGD/0Y
fkktGwGq2vPZUI/Fscv+VnEqVt94dBnS0/6GyYvhI7Tf81v+72URlQeX8TUQox9B
8d3Aru5b2+iSkPcvH70PbY8jt/yTwHtSlFzf6+YPIl+oyTz7DoiILSjrO51ntl8g
KmIb8Q9W74xV6VFIJ4m8rH04MKFpIlzUDq660JYQIGtOUFugSfg7aLVU/0j4WKKE
KfAfg93wYTKKd+JgRFy4FZPriem7HvlUSi2VKffdrrUF/PX35X74iKdPQoEADZi8
KkMZULDtyQ6ZOu2hiDpArjo5hDadKM314Z65VnM11hjiEhmTF3IyGBllb0qBIk0L
nBVHuMYmiqBNJEbaqHLqIju8/RvFlYV+AMISeA7B68knbJcao13ogtDpuJ4hpgCj
j2B1n0NWMcju0gteu1sfsIaQbWHevH2vgl5LJDCNtUJN/NoWB2Uov27wEvsongwY
3du40TnM+5ejwf4r8D3wX+JpVCAhfr3Oc0knw14nRqFPAe1E7DNURJ8xfEV9iPRA
swo6qoh7IIxNETUG1rywRExNt6tHsojx0Wb0I0IB7CnWRK9F6oNRp0S4kVgp+Jeh
a9NGXFK2hn8qBD/rpUPsj/OdkiBN+C7Ai07rCNez+IKdnUfXkOJqLCOyeUwC9WPl
uFPB9RnnghYM4xhMWf8XvSLOOk/vgPxiqR5ANLObsbkCDQRnKRLhARAAuh+b2Oxj
9q+RRZ+pkDVf/M6P01yDmDhwtYHzi/LW8PFHC6iQlzMReyv1R5n3uCEpAZ++mdUe
Cgo2TmFnYdpmxEgdaMIW98uqe4fuHhoXU2Mh4eiN7jyJvXQCsijCDYzifoj03HY7
nTVjw4+BSSu9kA3/vEqU9A5YjG01MmVSMaIaTrqZqsnypK6r2exJa7YVRYwRqpLY
C5ksikDVK9ftdfhjnsnYGS4pYyfMNSHY1KBMpHjT7wEkM+KZ2WRpjTZZ7nP9u4Lf
fJMKgcclRgf+13CeSaJfVIhjJlxGVLkloE8XJbOeh2vkK257e9BenEFgQnyLCpGJ
8YNsnsJVhxU1aA62dT7jmnOVMBhnGoNhMyzzfvUw0REz2VbpZBkiwZRfZ9MWUBsy
bneH8NwzZMQQLCc/yo/jnPrmDS+tgl4CXGzBtpxPUZSMuY4tHZZ2vBb0zcfhY7P1
CrHuylXLFzkOO/XRP3w1F8I1UqJCjdTKjdjCDF/VWtedHee1iEsSHxPGH8fHp4Qp
rBDDwZ4NnfilYNHMDWm6U1bzhX2ynqcGArQSd1Ny/oL7JzE1qoH/nNrwVvOSSNWF
UTXFXeLy+SOXJdFJpGP+/wV+gYfyczoUP6vmCdK1Hs15WQvKzyP/nmLS5uLilfxV
KrxZDI6SNrS4f/XkHcGnYByFKUhq5gVN0ZcAEQEAAYkEcgQYAQgAJhYhBGjSGCM0
KhNoOus+TvtMaFtdwcE+BQJnKRLhAhsCBQkDwmcAAkAJEPtMaFtdwcE+wXQgBBkB
CAAdFiEEcgDrLD9eSIRjwM6ezcroySfGvjEFAmcpEuEACgkQzcroySfGvjExiQ//
TKQ2Ci+sqNSVIcwg/k0Go1i4cA7lhKNdYRBCaIThB9jMqNg2zgPzgELBcaVJL8xw
0E2x2ZvBejM4X+eTrmkdufcxHR8B/zBF8oPlD2pgs/zZmZEO1gq4Cdab7yIoVNNr
foCZShxOCPR2wIixcYZtt5f7Z3zSXqkjIec6sTOedT75ZXrpQbvINeUkvOJfMCOi
ailauvDfv8k5iJUVbP+Dx1vOc88bvewVJcbLID4HIRr/PS+k1D10zGbnF71TnxGZ
r7anMZCSFCHJ5WV+BSwHHKtxRy+bJ1x9ML45Jcr1anTXeaHIeSKNzFBigJQSgHv0
euegkD3Rmw+IcxNb4l536selaNR0UAwx1DC1qpjBtnE9/pXdTEsZQxq9kMrj0d+f
VKFjOKADVIpkx7o0dZ1jmbUmdjQVyGDgHE+Emgdd726/2ftWriW2uPeUC6YZiqbt
vBnCnwF+aV6P1nrE0BWJchLyBjDCe5Y2oXBAYF6xwpDPfMPr4oscqzPV4TWVULBi
brtRWgSxmvinIGFx9T9wQCVfX254dqBaAEhRMImoT/YP+6evRZKqQODRhI44OG7u
V71IVAJ8BHEBN8hxvQM3WPs1fhwMBFCyGfr/x/U4/c78R9JhxkU9VwmMbLGQP7VP
1QgfiHqZpHMk8ZUmQn6KLeurzWcnwPFkwgFPZED8OQOMXxAAio3DhWr5KDd3mICH
ALNY0A2ipb/JH6LSHxu0S3MLa/bF6PbqRY1+fKMT/cFVxln99rNUrX+hDRbc7qbh
KkxvGmcnXnkcTHah9bfUghEanlKkBr1g1ik3zgEnpO/x3+X39Ov+ge92MDawV0nq
k9R/9tS+ZD/ph72Q9kx3ZfVNSL0eWxjuwBzFW0Zwh5TAX4raSmyQCmAXi05O3YmN
iq4arSUg5oAOMRZ+d96DsrAS4Sdtlx6/CuKTBzEaGPQLQ9wJNB0Vmd/eQWTP99KY
cAdIwj5BJ5P0Z7+xhsVjQOntn4otnP6vN6RuDtYrS6M7TCN/ZeKCvN/G0nRac4D+
IJX3CYYtYXgaoDuoetUWtc7O5PzHRETaBt/46ob2lzf6cT5QyVujTfz+i0rGEc63
pvXK8mV+K7BFY/DHpdEhl1pDw2YYLbBmUthQWdsL6/TVvpMe/wZadvJ/by3AeRzQ
eusUucuSo9UNN7Yj8u3dRhxNgsSiU96A/SFlAoB5s3Onh5K4WEVCBu/INjdi+r2B
LJePSnA3I7VkRE9Haf1D28jtBzm3Xbft2rs3lO18FcCqw6kd7Ih3e0tZ8uUG9UDv
qTDHTUHLAWvwrq38gKKAu2RMaU06A5kR87RcQiizxOwBIwiHuUWMU4/Hyx6fXsOD
hEs0O6AFDarNDZGee2amKTAyZpG5Ag0EZykTxQEQAOwGV1boBD3vDLsoAT62nGxb
SqXiBsObxnpWbNifOzM9BUGPOIpHsSH32PZGG/+LNjNdECfyyP1RysH5OT7j92Q8
vgRQoG3X985gbOjYyZc0xvAkTSvWxOiy5CuF3X8sJ3NSerQDXwjP9qVqLVj/3FB8
nka1HFS7KzC3Zo/kzCoxeZ3/hV3PTWIjcoJvtBSCKPZyOJxnRqWfi5BNJo3S2SR1
mxV967zawXiZ8MeeBl6rLhOfCBtz9g+bqrXZYoenuMn5Js2mcH0haYeMSV3UWIC4
kinzr1EJxs+L1/hVCVBNiiDc6DXcFXoz9ZVc9kjpZTOMoZVDkRkyOeen+5Sya9wK
4teLmDLME4+pgeHCS/Wa4KrYyEWe7NpG1VTkSJnRS+fyYGTWtwEiuwT6J9U0t1d5
hbxhM7YAhlnOEnNVmqa3Bq3yqJs9G/7gicZ7CIJ9JBHKTJzOnKfpGhxBSOgOoCOa
WW6uVCzDqfrYPmCUIKQmanB441xJFGuHVPMLBjVjswoMKGkK3gM6KMRCDYQ53u6s
FK+Jcl8HobBSezVIUKpKVX3IW9d506cE0FhSW/NvWJv0FIMVloyC2BpOjSWVgEwX
tk/m3SKPsgCAcCqzi7xlloR8+E9C2xci9cdGG5faghgSjaP6j0qDww/slRPQJc5A
DIeukkOYTCiSiDwQtblJABEBAAGJAjMEGAEIACcWIQRo0hgjNCoTaDrrPk77TGhb
XcHBPgUCZykTxQMbIAQFCQPCZwAAADcWD/4qJRLn7TcMtRMF43Yn+dX+O13YrxBC
T4n1QVmiPsGrUca4Vg1J+trV6IMsGrhktpiaV0qeL/km0h02m4gEDZKDyWWXdeWh
EXFaTVy9yCpSXUWJl5gSXTSwxrqBWyWLlLLk4UT9l9sk5mMdy0JA8unobV4M/eXQ
ggR11DL3ji7aO0hsqxyxXkJcawWjVGW5KL1EaoDKIJ/CwxOI5ipFueMIRQjQvw9A
o/w2fq11qVXY9zknk6pFkp/RDHLes+wVHDtebZfJ9xV7Mb1mf/k03dT56GaA/U3E
XvJ2FdgWR+zf+YMEa9MPDHYo2UNEvk9mOk247M8s+OeexdlkPgyKW5A8mtYuY/dR
j8W6C4pLcMWa+d/vIUpm5Guw0F5q0AWk9/FbBe9HLztEevvRnuHXmfTZeto/nCAi
Yg4pCj6p3JoN5CLebR8YtWm9AJBbX1kgVvqSU2VgwYIFsxBEz8Wu2h7z/eSCSeIg
ARFbTlJ6cBrRkXCVyhbv0LPWWUfAUqiEtdGxrA4Xx/jKrI02JjRdW/bZkXjSka8K
+cDlpcr9ixBWW5LkWsOdiL8jExfTGw25FA7Wd1HiHnBv36Mu/zb+0/I63d+fLq93
e3lmmVx9qQF8p5Okf4ojY9YoIHVkLS7t9AgFjm/ucmpEGbXxyPk2Cr3l+b5R41x3
dBW9kxiuWpZN3Q==
=iuRK
-----END PGP PUBLIC KEY BLOCK-----

689
SPECS/policycoreutils.spec → policycoreutils.spec
View File

@ -1,8 +1,12 @@
## START: Set by rpmautospec
## (rpmautospec version 0.6.5)
## RPMAUTOSPEC: autochangelog
## END: Set by rpmautospec
%global libauditver 3.0
%global libsepolver 2.9-1
%global libsemanagever 2.9-7
%global libselinuxver 2.9-1
%global sepolgenver 2.9
%global libsepolver 3.8-1
%global libsemanagever 3.8-1
%global libselinuxver 3.8-1
%global generatorsdir %{_prefix}/lib/systemd/system-generators
@ -11,17 +15,13 @@
Summary: SELinux policy core utilities
Name: policycoreutils
Version: 2.9
Release: 26%{?dist}
License: GPLv2
Version: 3.8
Release: 1%{?dist}
License: GPL-2.0-or-later
# https://github.com/SELinuxProject/selinux/wiki/Releases
Source0: https://github.com/SELinuxProject/selinux/releases/download/20190315/policycoreutils-2.9.tar.gz
Source1: https://github.com/SELinuxProject/selinux/releases/download/20190315/selinux-python-2.9.tar.gz
Source2: https://github.com/SELinuxProject/selinux/releases/download/20190315/selinux-gui-2.9.tar.gz
Source3: https://github.com/SELinuxProject/selinux/releases/download/20190315/selinux-sandbox-2.9.tar.gz
Source4: https://github.com/SELinuxProject/selinux/releases/download/20190315/selinux-dbus-2.9.tar.gz
Source5: https://github.com/SELinuxProject/selinux/releases/download/20190315/semodule-utils-2.9.tar.gz
Source6: https://github.com/SELinuxProject/selinux/releases/download/20190315/restorecond-2.9.tar.gz
Source0: https://github.com/SELinuxProject/selinux/releases/download/%{version}/selinux-%{version}.tar.gz
Source1: https://github.com/SELinuxProject/selinux/releases/download/%{version}/selinux-%{version}.tar.gz.asc
Source2: https://github.com/bachradsusi.gpg
URL: https://github.com/SELinuxProject/selinux
Source13: system-config-selinux.png
Source14: sepolicy-icons.tgz
@ -30,70 +30,25 @@ Source16: selinux-autorelabel.service
Source17: selinux-autorelabel-mark.service
Source18: selinux-autorelabel.target
Source19: selinux-autorelabel-generator.sh
Source20: policycoreutils-po.tgz
Source21: python-po.tgz
Source22: gui-po.tgz
Source23: sandbox-po.tgz
# https://gitlab.cee.redhat.com/SELinux/selinux
# $ git format-patch -N 20190315 -- policycoreutils python gui sandbox dbus semodule-utils restorecond
# Drop this when upstream updates translations and the package is rebased
# wlc --key <apikey> --url https://translate.fedoraproject.org/api/ download selinux/policycoreutils --output ./
Source20: selinux-policycoreutils.zip
# wlc --key <apikey> --url https://translate.fedoraproject.org/api/ download selinux/python --output ./
Source21: selinux-python.zip
# wlc --key <apikey> --url https://translate.fedoraproject.org/api/ download selinux/gui --output ./
Source22: selinux-gui.zip
# wlc --key <apikey> --url https://translate.fedoraproject.org/api/ download selinux/sandbox --output ./
Source23: selinux-sandbox.zip
# https://github.com/fedora-selinux/selinux
# $ git format-patch -N 3.8 -- policycoreutils python gui sandbox dbus semodule-utils restorecond
# $ for j in [0-9]*.patch; do printf "Patch%s: %s\n" ${j/-*/} $j; done
Patch0001: 0001-gui-Install-polgengui.py-to-usr-bin-selinux-polgengu.patch
Patch0002: 0002-gui-Install-.desktop-files-to-usr-share-applications.patch
Patch0003: 0003-sandbox-add-reset-to-Xephyr-as-it-works-better-with-.patch
Patch0004: 0004-Fix-STANDARD_FILE_CONTEXT-section-in-man-pages.patch
Patch0005: 0005-If-there-is-no-executable-we-don-t-want-to-print-a-p.patch
Patch0006: 0006-Simplication-of-sepolicy-manpage-web-functionality.-.patch
Patch0007: 0007-We-want-to-remove-the-trailing-newline-for-etc-syste.patch
Patch0008: 0008-Fix-title-in-manpage.py-to-not-contain-online.patch
Patch0009: 0009-Don-t-be-verbose-if-you-are-not-on-a-tty.patch
Patch0010: 0010-sepolicy-Drop-old-interface-file_type_is_executable-.patch
Patch0011: 0011-sepolicy-Another-small-optimization-for-mcs-types.patch
Patch0012: 0012-Move-po-translation-files-into-the-right-sub-directo.patch
Patch0013: 0013-Use-correct-gettext-domains-in-python-gui-sandbox.patch
Patch0014: 0014-Initial-.pot-files-for-gui-python-sandbox.patch
# this is too big and it's covered by sources 20 - 23
# Patch0015: 0015-Update-.po-files-from-fedora.zanata.org.patch
Patch0016: 0016-policycoreutils-setfiles-Improve-description-of-d-sw.patch
Patch0017: 0017-sepolicy-generate-Handle-more-reserved-port-types.patch
Patch0018: 0018-semodule-utils-Fix-RESOURCE_LEAK-coverity-scan-defec.patch
Patch0019: 0019-sandbox-Use-matchbox-window-manager-instead-of-openb.patch
Patch0020: 0020-python-Use-ipaddress-instead-of-IPy.patch
Patch0021: 0021-python-semanage-Do-not-traceback-when-the-default-po.patch
Patch0022: 0022-policycoreutils-fixfiles-Fix-B-F-onboot.patch
Patch0023: 0023-policycoreutils-fixfiles-Force-full-relabel-when-SEL.patch
Patch0024: 0024-policycoreutils-fixfiles-Fix-unbound-variable-proble.patch
Patch0025: 0025-gui-Fix-remove-module-in-system-config-selinux.patch
Patch0026: 0026-python-semanage-Do-not-use-default-s0-range-in-seman.patch
Patch0027: 0027-policycoreutils-fixfiles-Fix-verify-option.patch
Patch0028: 0028-python-semanage-Improve-handling-of-permissive-state.patch
Patch0029: 0029-python-semanage-fix-moduleRecords.customized.patch
Patch0030: 0030-python-semanage-Add-support-for-DCCP-and-SCTP-protoc.patch
Patch0031: 0031-dbus-Fix-FileNotFoundError-in-org.selinux.relabel_on.patch
Patch0032: 0032-restorecond-Fix-redundant-console-log-output-error.patch
Patch0033: 0033-python-semanage-empty-stdout-before-exiting-on-Broke.patch
Patch0034: 0034-python-semanage-Sort-imports-in-alphabetical-order.patch
Patch0035: 0035-python-sepolgen-allow-any-policy-statement-in-if-n-d.patch
Patch0036: 0036-setfiles-Do-not-abort-on-labeling-error.patch
Patch0037: 0037-setfiles-drop-ABORT_ON_ERRORS-and-related-code.patch
Patch0038: 0038-policycoreutils-setfiles-Drop-unused-nerr-variable.patch
Patch0039: 0039-selinux-8-5-Describe-fcontext-regular-expressions.patch
Patch0040: 0040-policycoreutils-setfiles-do-not-restrict-checks-agai.patch
Patch0041: 0041-semodule-add-m-checksum-option.patch
Patch0042: 0042-semodule-Fix-lang_ext-column-index.patch
Patch0043: 0043-semodule-Don-t-forget-to-munmap-data.patch
Patch0044: 0044-policycoreutils-Improve-error-message-when-selabel_o.patch
Patch0045: 0045-semodule-libsemanage-move-module-hashing-into-libsem.patch
Patch0046: 0046-semodule-add-command-line-option-to-detect-module-ch.patch
Patch0047: 0047-python-Split-semanage-import-into-two-transactions.patch
Patch0048: 0048-semodule-rename-rebuild-if-modules-changed-to-refres.patch
Patch0049: 0049-python-Harden-tools-against-rogue-modules.patch
Patch0050: 0050-python-Do-not-query-the-local-database-if-the-fconte.patch
Patch0051: 0051-python-sepolicy-add-missing-booleans-to-man-pages.patch
Patch0052: 0052-python-sepolicy-Cache-conditional-rule-queries.patch
Patch0053: 0053-python-Harden-more-tools-against-rogue-modules.patch
Patch0054: 0054-sepolicy-port-to-dnf4-python-API.patch
Patch0056: 0055-python-semanage-Do-not-sort-local-fcontext-definitio.patch
Patch0057: 0056-python-semanage-Allow-modifying-records-on-add.patch
# Patch list start
Patch0001: 0001-Don-t-be-verbose-if-you-are-not-on-a-tty.patch
Patch0002: 0002-sepolicy-generate-Handle-more-reserved-port-types.patch
Patch0003: 0003-sandbox-Use-matchbox-window-manager-instead-of-openb.patch
Patch0004: 0004-Use-SHA-2-instead-of-SHA-1.patch
Patch0005: 0005-python-sepolicy-Fix-spec-file-dependencies.patch
# Patch list end
Obsoletes: policycoreutils < 2.0.61-2
Conflicts: filesystem < 3, selinux-policy-base < 3.13.1-138
@ -102,12 +57,13 @@ Conflicts: initscripts < 9.66
Provides: /sbin/fixfiles
Provides: /sbin/restorecon
BuildRequires: gcc
BuildRequires: pam-devel libsepol-static >= %{libsepolver} libsemanage-static >= %{libsemanagever} libselinux-devel >= %{libselinuxver} libcap-devel audit-libs-devel >= %{libauditver} gettext
BuildRequires: desktop-file-utils dbus-devel dbus-glib-devel
BuildRequires: python3-devel
BuildRequires: gcc make
BuildRequires: pam-devel libsepol-static >= %{libsepolver} libsemanage-devel >= %{libsemanagever} libselinux-devel >= %{libselinuxver} libcap-devel audit-libs-devel >= %{libauditver} gettext
BuildRequires: desktop-file-utils dbus-devel glib2-devel
BuildRequires: python3-devel python3-setuptools python3-wheel python3-pip
BuildRequires: systemd
BuildRequires: git
BuildRequires: git-core
BuildRequires: gnupg2
Requires: util-linux grep gawk diffutils rpm sed
Requires: libsepol >= %{libsepolver} coreutils libselinux-utils >= %{libselinuxver}
@ -128,44 +84,31 @@ load_policy to load policies, setfiles to label filesystems, newrole
to switch roles.
%prep -p /usr/bin/bash
# create selinux/ directory and extract sources
%autosetup -S git -N -c -n selinux
%autosetup -S git -N -T -D -a 1 -n selinux
%autosetup -S git -N -T -D -a 2 -n selinux
%autosetup -S git -N -T -D -a 3 -n selinux
%autosetup -S git -N -T -D -a 4 -n selinux
%autosetup -S git -N -T -D -a 5 -n selinux
%autosetup -S git -N -T -D -a 6 -n selinux
for i in *; do
git mv $i ${i/-%{version}/}
git commit -q --allow-empty -a --author 'rpm-build <rpm-build>' -m "$i -> ${i/-%{version}/}"
done
for i in selinux-*; do
git mv $i ${i#selinux-}
git commit -q --allow-empty -a --author 'rpm-build <rpm-build>' -m "$i -> ${i#selinux-}"
done
git am %{_sourcedir}/[0-9]*.patch
%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'
%autosetup -p 1 -n selinux-%{version}
cp %{SOURCE13} gui/
tar -xvf %{SOURCE14} -C python/sepolicy/
# Temporary disabled since upstream updated translations in this release
# Since patches containing translation changes were too big, translations were moved to separate tarballs
# For more information see README.translations
# First remove old translation files
rm -f policycoreutils/po/*.po python/po/*.po gui/po/*.po sandbox/po/*.po
tar -x -f %{SOURCE20} -C policycoreutils -z
tar -x -f %{SOURCE21} -C python -z
tar -x -f %{SOURCE22} -C gui -z
tar -x -f %{SOURCE23} -C sandbox -z
# rm -f policycoreutils/po/*.po python/po/*.po gui/po/*.po sandbox/po/*.po
# unzip %{SOURCE20}
# cp -r selinux/policycoreutils/po policycoreutils
# unzip %{SOURCE21}
# cp -r selinux/python/po python
# unzip %{SOURCE22}
# cp -r selinux/gui/po gui
# unzip %{SOURCE23}
# cp -r selinux/sandbox/po sandbox
%build
%set_build_flags
export PYTHON=%{__python3}
make -C policycoreutils LSPP_PRIV=y SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" SEMODULE_PATH="/usr/sbin" LIBSEPOLA="%{_libdir}/libsepol.a" all
make -C policycoreutils SBINDIR="%{_sbindir}" LSPP_PRIV=y LIBDIR="%{_libdir}" SEMODULE_PATH="/usr/sbin" LIBSEPOLA="%{_libdir}/libsepol.a" all
make -C python SBINDIR="%{_sbindir}" LSPP_PRIV=y LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" all
make -C gui SBINDIR="%{_sbindir}" LSPP_PRIV=y LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" all
make -C sandbox SBINDIR="%{_sbindir}" LSPP_PRIV=y LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" all
@ -181,19 +124,19 @@ mkdir -p %{buildroot}%{_mandir}/man5
mkdir -p %{buildroot}%{_mandir}/man8
%{__mkdir} -p %{buildroot}/%{_usr}/share/doc/%{name}/
make -C policycoreutils LSPP_PRIV=y DESTDIR="%{buildroot}" SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" SEMODULE_PATH="/usr/sbin" LIBSEPOLA="%{_libdir}/libsepol.a" install
%make_install -C policycoreutils LSPP_PRIV=y SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" SEMODULE_PATH="/usr/sbin" LIBSEPOLA="%{_libdir}/libsepol.a"
make -C python PYTHON=%{__python3} DESTDIR="%{buildroot}" SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" install
%make_install -C python PYTHON=%{__python3} SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a"
make -C gui PYTHON=%{__python3} DESTDIR="%{buildroot}" SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" install
%make_install -C gui PYTHON=%{__python3} SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a"
make -C sandbox PYTHON=%{__python3} DESTDIR="%{buildroot}" SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" install
%make_install -C sandbox PYTHON=%{__python3} SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a"
make -C dbus PYTHON=%{__python3} DESTDIR="%{buildroot}" SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" install
%make_install -C dbus PYTHON=%{__python3} SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a"
make -C semodule-utils PYTHON=%{__python3} DESTDIR="%{buildroot}" SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" install
%make_install -C semodule-utils PYTHON=%{__python3} SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a"
make -C restorecond PYTHON=%{__python3} DESTDIR="%{buildroot}" SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" install
%make_install -C restorecond PYTHON=%{__python3} SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a"
# Fix perms on newrole so that objcopy can process it
chmod 0755 %{buildroot}%{_bindir}/newrole
@ -201,13 +144,9 @@ chmod 0755 %{buildroot}%{_bindir}/newrole
# Systemd
rm -rf %{buildroot}/%{_sysconfdir}/rc.d/init.d/restorecond
rm -f %{buildroot}/usr/share/man/ru/man8/genhomedircon.8.gz
rm -f %{buildroot}/usr/share/man/ru/man8/open_init_pty.8*
rm -f %{buildroot}/usr/share/man/ru/man8/semodule_deps.8.gz
rm -f %{buildroot}/usr/share/man/man8/open_init_pty.8
rm -f %{buildroot}/usr/sbin/open_init_pty
rm -f %{buildroot}/usr/sbin/run_init
rm -f %{buildroot}/usr/share/man/ru/man8/run_init.8*
rm -f %{buildroot}/usr/share/man/man8/run_init.8*
rm -f %{buildroot}/etc/pam.d/run_init*
@ -218,27 +157,6 @@ install -m 644 -p %{SOURCE18} %{buildroot}/%{_unitdir}/
install -m 755 -p %{SOURCE19} %{buildroot}/%{generatorsdir}/
install -m 755 -p %{SOURCE15} %{buildroot}/%{_libexecdir}/selinux/
# change /usr/bin/python to %%{__python3} in policycoreutils-python3
pathfix.py -i "%{__python3} -Es" -p %{buildroot}%{python3_sitelib}
# change /usr/bin/python to %%{__python3} in policycoreutils-python-utils
pathfix.py -i "%{__python3} -EsI" -p \
%{buildroot}%{_sbindir}/semanage \
%{buildroot}%{_bindir}/chcat \
%{buildroot}%{_bindir}/sandbox \
%{buildroot}%{_datadir}/sandbox/start \
%{buildroot}%{_bindir}/audit2allow \
%{buildroot}%{_bindir}/sepolicy \
%{buildroot}%{_bindir}/sepolgen-ifgen \
%{buildroot}%{_datadir}/system-config-selinux/system-config-selinux.py \
%{buildroot}%{_datadir}/system-config-selinux/selinux_server.py \
%nil
# clean up ~ files from pathfix - https://bugzilla.redhat.com/show_bug.cgi?id=1546990
find %{buildroot}%{python3_sitelib} %{buildroot}%{python3_sitearch} \
%{buildroot}%{_sbindir} %{buildroot}%{_bindir} %{buildroot}%{_datadir} \
-type f -name '*~' | xargs rm -f
# Manually invoke the python byte compile macro for each path that needs byte
# compilation.
%py_byte_compile %{__python3} %{buildroot}%{_datadir}/system-config-selinux
@ -261,26 +179,20 @@ an SELinux environment.
%files python-utils
%{_sbindir}/semanage
%{_bindir}/chcat
%{_bindir}/sandbox
%{_bindir}/audit2allow
%{_bindir}/audit2why
%{_mandir}/man1/audit2allow.1*
%{_mandir}/ru/man1/audit2allow.1*
%{_mandir}/man1/audit2why.1*
%{_mandir}/ru/man1/audit2why.1*
%{_sysconfdir}/dbus-1/system.d/org.selinux.conf
%{_mandir}/man8/chcat.8*
%{_mandir}/ru/man8/chcat.8*
%{_mandir}/man8/sandbox.8*
%{_mandir}/ru/man8/sandbox.8*
%{_mandir}/man8/semanage*.8*
%{_mandir}/ru/man8/semanage*.8*
%{_datadir}/bash-completion/completions/semanage
%package dbus
Summary: SELinux policy core DBUS api
Requires: python3-policycoreutils = %{version}-%{release}
Requires: python3-slip-dbus
Requires: python3-gobject-base
Requires: polkit
BuildArch: noarch
%description dbus
@ -308,7 +220,8 @@ Requires:python3-libsemanage >= %{libsemanagever} python3-libselinux
# no python3-audit-libs yet
Requires:audit-libs-python3 >= %{libauditver}
Requires: checkpolicy
Requires: python3-setools >= 4.1.1
Requires: python3-setools >= 4.4.0
Requires: python3-distro
BuildArch: noarch
%description -n python3-policycoreutils
@ -332,14 +245,14 @@ by python 3 in an SELinux environment.
%{python3_sitelib}/sepolicy/network.py*
%{python3_sitelib}/sepolicy/transition.py*
%{python3_sitelib}/sepolicy/sedbus.py*
%{python3_sitelib}/sepolicy*.egg-info
%{python3_sitelib}/sepolicy*.dist-info/
%{python3_sitelib}/sepolicy/__pycache__
%package devel
Summary: SELinux policy core policy devel utilities
Requires: policycoreutils-python-utils = %{version}-%{release}
Requires: /usr/bin/make dnf
Requires: selinux-policy-devel
Requires: /usr/bin/make python3-dnf
Requires: (selinux-policy-devel if selinux-policy)
%description devel
The policycoreutils-devel package contains the management tools use to develop policy in an SELinux environment.
@ -352,7 +265,6 @@ The policycoreutils-devel package contains the management tools use to develop p
/var/lib/sepolgen/perm_map
%{_bindir}/sepolicy
%{_mandir}/man8/sepolgen.8*
%{_mandir}/ru/man8/sepolgen.8*
%{_mandir}/man8/sepolicy-booleans.8*
%{_mandir}/man8/sepolicy-generate.8*
%{_mandir}/man8/sepolicy-interface.8*
@ -361,15 +273,18 @@ The policycoreutils-devel package contains the management tools use to develop p
%{_mandir}/man8/sepolicy-communicate.8*
%{_mandir}/man8/sepolicy-manpage.8*
%{_mandir}/man8/sepolicy-transition.8*
%{_mandir}/ru/man8/sepolicy*.8*
%{_usr}/share/bash-completion/completions/sepolicy
%package sandbox
Summary: SELinux sandbox utilities
Requires: python3-policycoreutils = %{version}-%{release}
Requires: xorg-x11-server-Xephyr >= 1.14.1-2 /usr/bin/rsync /usr/bin/xmodmap
%if 0%{?fedora} || 0%{?rhel} <= 9
Requires: xorg-x11-server-Xephyr >= 1.14.1-2
Requires: xmodmap
Requires: matchbox-window-manager
%endif
Requires: rsync
BuildRequires: libcap-ng-devel
%description sandbox
@ -382,9 +297,9 @@ sandboxes
%{_datadir}/sandbox/start
%caps(cap_setpcap,cap_setuid,cap_fowner,cap_dac_override,cap_sys_admin,cap_sys_nice=pe) %{_sbindir}/seunshare
%{_mandir}/man8/seunshare.8*
%{_mandir}/ru/man8/seunshare.8*
%{_bindir}/sandbox
%{_mandir}/man5/sandbox.5*
%{_mandir}/ru/man5/sandbox.5*
%{_mandir}/man8/sandbox.8*
%package newrole
Summary: The newrole application for RBAC/MLS
@ -397,7 +312,6 @@ or level of a logged in user.
%files newrole
%attr(0755,root,root) %caps(cap_dac_read_search,cap_setpcap,cap_audit_write,cap_sys_admin,cap_fowner,cap_chown,cap_dac_override=pe) %{_bindir}/newrole
%{_mandir}/man1/newrole.1.gz
%{_mandir}/ru/man1/newrole.1.gz
%config(noreplace) %{_sysconfdir}/pam.d/newrole
%package gui
@ -432,11 +346,8 @@ system-config-selinux is a utility for managing the SELinux environment
%{_datadir}/icons/hicolor/*/apps/sepolicy.png
%{_datadir}/pixmaps/sepolicy.png
%{_mandir}/man8/system-config-selinux.8*
%{_mandir}/ru/man8/system-config-selinux.8*
%{_mandir}/man8/selinux-polgengui.8*
%{_mandir}/ru/man8/selinux-polgengui.8*
%{_mandir}/man8/sepolicy-gui.8*
%{_mandir}/ru/man8/sepolicy-gui.8*
%files -f %{name}.lang
%{_sbindir}/restorecon
@ -447,12 +358,15 @@ system-config-selinux is a utility for managing the SELinux environment
%{_sbindir}/genhomedircon
%{_sbindir}/setsebool
%{_sbindir}/semodule
%{_sbindir}/unsetfiles
# symlink to %%{_bindir}/sestatus
%{_sbindir}/sestatus
%{_bindir}/secon
%{_bindir}/semodule_expand
%{_bindir}/semodule_link
%{_bindir}/semodule_package
%{_bindir}/semodule_unpackage
%{_bindir}/sestatus
%{_libexecdir}/selinux/hll
%{_libexecdir}/selinux/selinux-autorelabel
%{_unitdir}/selinux-autorelabel-mark.service
@ -461,41 +375,26 @@ system-config-selinux is a utility for managing the SELinux environment
%{generatorsdir}/selinux-autorelabel-generator.sh
%config(noreplace) %{_sysconfdir}/sestatus.conf
%{_mandir}/man5/selinux_config.5.gz
%{_mandir}/ru/man5/selinux_config.5.gz
%{_mandir}/man5/sestatus.conf.5.gz
%{_mandir}/ru/man5/sestatus.conf.5.gz
%{_mandir}/man8/fixfiles.8*
%{_mandir}/ru/man8/fixfiles.8*
%{_mandir}/man8/load_policy.8*
%{_mandir}/ru/man8/load_policy.8*
%{_mandir}/man8/restorecon.8*
%{_mandir}/ru/man8/restorecon.8*
%{_mandir}/man8/restorecon_xattr.8*
%{_mandir}/ru/man8/restorecon_xattr.8*
%{_mandir}/man8/semodule.8*
%{_mandir}/ru/man8/semodule.8*
%{_mandir}/man8/sestatus.8*
%{_mandir}/ru/man8/sestatus.8*
%{_mandir}/man8/setfiles.8*
%{_mandir}/ru/man8/setfiles.8*
%{_mandir}/man8/setsebool.8*
%{_mandir}/ru/man8/setsebool.8*
%{_mandir}/man1/secon.1*
%{_mandir}/ru/man1/secon.1*
%{_mandir}/man1/unsetfiles.1*
%{_mandir}/man8/genhomedircon.8*
%{_mandir}/ru/man8/genhomedircon.8*
%{_mandir}/man8/semodule_expand.8*
%{_mandir}/ru/man8/semodule_expand.8*
%{_mandir}/man8/semodule_link.8*
%{_mandir}/ru/man8/semodule_link.8*
%{_mandir}/man8/semodule_unpackage.8*
%{_mandir}/ru/man8/semodule_unpackage.8*
%{_mandir}/man8/semodule_package.8*
%{_mandir}/ru/man8/semodule_package.8*
%dir %{_datadir}/bash-completion
%{_datadir}/bash-completion/completions/setsebool
%{!?_licensedir:%global license %%doc}
%license policycoreutils/COPYING
%license policycoreutils/LICENSE
%doc %{_usr}/share/doc/%{name}
%package restorecond
@ -508,14 +407,15 @@ The policycoreutils-restorecond package contains the restorecond service.
%files restorecond
%{_sbindir}/restorecond
%{_unitdir}/restorecond.service
%{_userunitdir}/restorecond_user.service
%config(noreplace) %{_sysconfdir}/selinux/restorecond.conf
%config(noreplace) %{_sysconfdir}/selinux/restorecond_user.conf
%{_sysconfdir}/xdg/autostart/restorecond.desktop
%{_datadir}/dbus-1/services/org.selinux.Restorecond.service
%{_mandir}/man8/restorecond.8*
%{_mandir}/ru/man8/restorecond.8*
%{!?_licensedir:%global license %%doc}
%license policycoreutils/COPYING
%license policycoreutils/LICENSE
%post
%systemd_post selinux-autorelabel-mark.service
@ -533,171 +433,370 @@ The policycoreutils-restorecond package contains the restorecond service.
%systemd_postun_with_restart restorecond.service
%changelog
* Wed Mar 06 2024 Vit Mojzis <vmojzis@redhat.com> - 2.9-26
- python/semanage: Allow modifying records on "add" (RHEL-28167)
- python/semanage: Do not sort local fcontext definitions (RHEL-24461)
## START: Generated by rpmautospec
* Fri Jan 31 2025 Petr Lautrbach <lautrbach@redhat.com> - 3.8-1
- SELinux userspace 3.8 release
* Tue Feb 06 2024 Vit Mojzis <vmojzis@redhat.com> - 2.9-25
- Harden more tools against "rogue" modules (RHEL-17351)
- sepolicy: port to dnf4 python API (RHEL-17398)
* Wed Dec 18 2024 Petr Lautrbach <lautrbach@redhat.com> - 3.8-0.rc3.1
- SELinux userspace 3.8-rc3 release
* Wed Feb 15 2023 Vit Mojzis <vmojzis@redhat.com> - 2.9-24
- Update translations (#2124826)
* Thu Dec 05 2024 Petr Lautrbach <lautrbach@redhat.com> - 3.8-0.rc1.1
- SELinux userspace 3.8-rc1 release
* Wed Feb 08 2023 Vit Mojzis <vmojzis@redhat.com> - 2.9-23
- python/sepolicy: Cache conditional rule queries (#2155540)
* Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 3.7-3
- Bump release for October 2024 mass rebuild:
Resolves: RHEL-64018
* Mon Jan 09 2023 Vit Mojzis <vmojzis@redhat.com> - 2.9-22
- python/sepolicy: add missing booleans to man pages (#2155540)
* Tue Aug 20 2024 Petr Lautrbach <lautrbach@redhat.com> - 3.7-2
- sepolgen-ifgen: allow M4 escaped filenames
* Mon Dec 19 2022 Vit Mojzis <vmojzis@redhat.com> - 2.9-21.1
- python: Harden tools against "rogue" modules (#2128976)
- Update "pathfix" arguments to match ^^^ (#2128976)
- python: Do not query the local database if the fcontext is non-local (#2124825)
* Thu Jun 27 2024 Petr Lautrbach <lautrbach@redhat.com> - 3.7-1
- SELinux userspace 3.7 release
* Thu Jul 07 2022 Vit Mojzis <vmojzis@redhat.com> - 2.9-20
* Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 3.6-5
- Bump release for June 2024 mass rebuild
* Thu May 09 2024 Petr Lautrbach <lautrbach@redhat.com> - 3.6-4
- Add Wayland support
* Thu Jan 25 2024 Fedora Release Engineering <releng@fedoraproject.org> - 3.6-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Sun Jan 21 2024 Fedora Release Engineering <releng@fedoraproject.org> - 3.6-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Thu Dec 14 2023 Petr Lautrbach <lautrbach@redhat.com> - 3.6-1
- SELinux userspace 3.6 release
* Thu Nov 23 2023 Petr Lautrbach <lautrbach@redhat.com> - 3.6-0.rc2.1
- SELinux userspace 3.6-rc2 release
* Tue Nov 14 2023 Petr Lautrbach <lautrbach@redhat.com> - 3.6-0.rc1.1
- SELinux userspace 3.6-rc1 release
* Mon Oct 30 2023 Petr Lautrbach <lautrbach@redhat.com> - 3.5-8
- Update translations
https://translate.fedoraproject.org/projects/selinux/
* Tue Aug 1 2023 Petr Lautrbach <lautrbach@redhat.com> - 3.5-7
- python: improve format strings for proper localization
- python: Drop hard formating from localized strings
- sepolicy: port to dnf4 python API (rhbz#2209404)
* Fri Jul 21 2023 Fedora Release Engineering <releng@fedoraproject.org> - 3.5-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
* Wed Jun 21 2023 Vit Mojzis <vmojzis@redhat.com> - 3.5-5
- python/sepolicy: Fix spec file dependencies
- python/sepolicy: Fix template for confined user policy modules
- Improve man pages and add examples
* Tue Jun 13 2023 Python Maint <python-maint@redhat.com> - 3.5-4
- Rebuilt for Python 3.12
* Fri May 26 2023 Miro Hrončok <mhroncok@redhat.com> - 3.5-3
- Fix build with pip 23.1.2+
- Fixes: rhbz#2209016
* Wed May 10 2023 Tomas Popela <tpopela@redhat.com> - 3.5-2
- Drop unused BR on dbus-glib and explicitly BR glib2
* Fri Feb 24 2023 Petr Lautrbach <lautrbach@redhat.com> - 3.5-1
- SELinux userspace 3.5 release
* Mon Feb 13 2023 Petr Lautrbach <lautrbach@redhat.com> - 3.5-0.rc3.1
- SELinux userspace 3.5-rc3 release
* Wed Feb 8 2023 Petr Lautrbach <lautrbach@redhat.com> - 3.5-0.rc2.3
- Attach tty to selinux-autorelabel.service when AUTORELABEL=0
* Thu Jan 26 2023 Vit Mojzis <vmojzis@redhat.com> - 3.5-0.rc2.2
- python/sepolicy: Cache conditional rule queries
* Fri Jan 20 2023 Fedora Release Engineering <releng@fedoraproject.org> - 3.5-0.rc2.1.1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
* Mon Jan 16 2023 Petr Lautrbach <lautrbach@redhat.com> - 3.5-0.rc2.1
- SELinux userspace 3.5-rc2 release
* Fri Dec 23 2022 Petr Lautrbach <lautrbach@redhat.com> - 3.5-0.rc1.1
- SELinux userspace 3.5-rc1 release
* Mon Nov 21 2022 Petr Lautrbach <lautrbach@redhat.com> - 3.4-7.1
- Rebase on upstream f56a72ac9e86
- sepolicy: fix sepolicy manpage -w
- sandbox: add -R option to alternate XDG_RUNTIME_DIR
- Remove dependency on the Python module distutils
* Tue Aug 2 2022 Petr Lautrbach <plautrba@redhat.com> - 3.4-6
- Run autorelabel in parallel by default
https://fedoraproject.org/wiki/Changes/SELinux_Parallel_Autorelabel
* Mon Jul 25 2022 Petr Lautrbach <plautrba@redhat.com> - 3.4-5
- gettext: handle unsupported languages properly (#2100378)
- semodule: rename --rebuild-if-modules-changed to --refresh
- python: Split "semanage import" into two transactions (#2063353)
- semodule: rename --rebuild-if-modules-changed to --refresh (#2089802)
- selinux-autorelabel: Do not force reboot (#2093133)
* Thu Feb 17 2022 Vit Mojzis <vmojzis@redhat.com> - 2.9-19
- semodule: move module hashing into libsemanage (requires libsemanage-2.9-7)
- semodule: add command-line option to detect module changes (#2049189)
* Fri Jul 22 2022 Fedora Release Engineering <releng@fedoraproject.org> - 3.4-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
* Fri Jan 14 2022 Vit Mojzis <vmojzis@redhat.com> - 2.9-18
- Improve error message when selabel_open fails (#1926511)
* Mon Jun 13 2022 Python Maint <python-maint@redhat.com> - 3.4-3
- Rebuilt for Python 3.11
* Tue Nov 30 2021 Petr Lautrbach <plautrba@redhat.com> - 2.9-17
* Wed May 25 2022 Petr Lautrbach <plautrba@redhat.com> - 3.4-2
- rebuilt
* Thu May 19 2022 Petr Lautrbach <plautrba@redhat.com> - 3.4-1
- SELinux userspace 3.4 release
* Tue May 10 2022 Petr Lautrbach <plautrba@redhat.com> - 3.4-0.rc3.1
- SELinux userspace 3.4-rc3 release
* Thu Apr 21 2022 Petr Lautrbach <plautrba@redhat.com> - 3.4-0.rc.1
- SELinux userspace 3.4-rc2 release
* Wed Apr 13 2022 Petr Lautrbach <plautrba@redhat.com> - 3.4-0.rc.1
- SELinux userspace 3.4-rc1 release
* Tue Feb 22 2022 Petr Lautrbach <plautrba@redhat.com> - 3.3-5
- Improve error message when selabel_open fails
* Sat Feb 19 2022 Petr Lautrbach <plautrba@redhat.com> - 3.3-4
- semodule: add command-line option to detect module changes
- fixfiles: Use parallel relabeling
* Fri Jan 21 2022 Fedora Release Engineering <releng@fedoraproject.org> - 3.3-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
* Mon Nov 29 2021 Petr Lautrbach <plautrba@redhat.com> - 3.3-2
- setfiles/restorecon: support parallel relabeling with -T <N> option
- semodule: add -m | --checksum option
* Thu Sep 16 2021 Vit Mojzis <vmojzis@redhat.com> - 2.9-16
- Update translations (#1962009)
* Fri Oct 22 2021 Petr Lautrbach <plautrba@redhat.com> - 3.3-1
- SELinux userspace 3.3 release
* Mon Jul 19 2021 Vit Mojzis <vmojzis@redhat.com> - 2.9-15
- setfiles: do not restrict checks against a binary policy (#1973754)
* Mon Oct 11 2021 Petr Lautrbach <plautrba@redhat.com> - 3.3-0.rc3.1
- SELinux userspace 3.3-rc3 release
* Tue Mar 09 2021 Vit Mojzis <vmojzis@redhat.com> - 2.9-14
- Update translations (#1899695)
* Wed Sep 29 2021 Petr Lautrbach <plautrba@redhat.com> - 3.3-0.rc2.1
- SELinux userspace 3.3-rc2 release
* Mon Feb 22 2021 Vit Mojzis <vmojzis@redhat.com> - 2.9-13
- selinux(8,5): Describe fcontext regular expressions (#1904059)
* Tue Aug 3 2021 Petr Lautrbach <plautrba@redhat.com> - 3.2-6
- Drop forgotten ru/ man pages from -restorecond
* Tue Feb 2 2021 Petr Lautrbach <plautrba@redhat.com> - 2.9-12
- setfiles: Do not abort on labeling error (#1794518)
* Wed Jul 28 2021 Petr Lautrbach <plautrba@redhat.com> - 3.2-5
- Rebase on upstream commit 32611aea6543
* Wed Jan 27 2021 Vit Mojzis <vmojzis@redhat.com> - 2.9-11
- python/sepolgen: allow any policy statement in if(n)def (#1868717)
* Fri Jul 23 2021 Fedora Release Engineering <releng@fedoraproject.org> - 3.2-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
* Sat Jan 16 2021 Vit Mojzis <vmojzis@redhat.com> - 2.9-10
- python/semanage: Sort imports in alphabetical order
- python/semanage: empty stdout before exiting on BrokenPipeError (#1822100)
* Thu Jun 03 2021 Python Maint <python-maint@redhat.com> - 3.2-3
- Rebuilt for Python 3.10
* Fri Jan 17 2020 Vit Mojzis <vmojzis@redhat.com> - 2.9-9
- Update translations (#1754978)
* Mon May 10 2021 Petr Lautrbach <plautrba@redhat.com> - 3.2-2
- Do not use Python slip
- fixfiles: do not exclude /dev and /run in -C mode
- dbus: use GLib.MainLoop
* Thu Nov 21 2019 Vit Mojzis <vmojzis@redhat.com> - 2.9-8
- restorecond: Fix redundant console log output error (#1626468)
* Mon Mar 8 2021 Petr Lautrbach <plautrba@redhat.com> - 3.2-1
- SELinux userspace 3.2 release
* Tue Nov 19 2019 Petr Lautrbach <plautrba@redhat.com> - 2.9-7
- dbus: Fix FileNotFoundError in org.selinux.relabel_on_boot (#1754873)
* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 3.2-0.rc2.1.1
- Rebuilt for updated systemd-rpm-macros
See https://pagure.io/fesco/issue/2583.
* Tue Nov 12 2019 Petr Lautrbach <plautrba@redhat.com> - 2.9-6
- Configure autorelabel service to output to journal and to console if set (#1766578)
* Fri Feb 5 2021 Petr Lautrbach <plautrba@redhat.com> - 3.2-0.rc2.1
- SELinux userspace 3.2-rc2 release
* Wed Nov 06 2019 Vit Mojzis <vmojzis@redhat.com> - 2.9-5
- fixfiles: Fix "verify" option (#1647532)
- semanage: Improve handling of "permissive" statements (#1417455)
- semanage: fix moduleRecords.customized()
- semanage: Add support for DCCP and SCTP protocols (#1563742)
* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 3.2-0.rc1.1.1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Wed Sep 4 2019 Petr Lautrbach <plautrba@redhat.com> - 2.9-4
- semanage: Do not use default s0 range in "semanage login -a" (#1554360)
- gui: Fix remove module in system-config-selinux (#1748763)
* Wed Jan 20 2021 Petr Lautrbach <plautrba@redhat.com> - 3.2-0.rc1.1
- SELinux userspace 3.2-rc1 release
* Thu Aug 22 2019 Vit Mojzis <vmojzis@redhat.com> - 2.9-3
- fixfiles: Fix unbound variable problem (#1743213)
* Tue Nov 24 2020 Petr Lautrbach <plautrba@redhat.com> - 3.1-8
- Fix BuildRequires to libsemanage-devel
* Tue Jul 2 2019 Petr Lautrbach <plautrba@redhat.com> - 2.9-2
- Update transition
* Fri Nov 20 2020 Petr Lautrbach <plautrba@redhat.com> - 3.1-7
- python/sepolicy: allow to override manpage date
- selinux_config(5): add a note that runtime disable is deprecated
* Mon Nov 9 2020 Petr Lautrbach <plautrba@redhat.com> - 3.1-6
- Require latest setools
* Fri Oct 30 2020 Petr Lautrbach <plautrba@redhat.com> - 3.1-5
- Build with libsepol.so.1 and libsemanage.so.2
- Set X-GNOME-HiddenUnderSystemd=true in restorecond.desktop file
- fixfiles: correctly restore context of mountpoints
- sepolgen: print extended permissions in hexadecimal
* Sat Aug 01 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.1-4
- Second attempt - Rebuilt for
https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.1-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Tue Jul 14 2020 Tom Stellard <tstellar@redhat.com> - 3.1-2
- Use make macros
- https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro
* Fri Jul 10 2020 Petr Lautrbach <plautrba@redhat.com> - 3.1-1
- SELinux userspace 3.1 release
* Mon Jun 1 2020 Petr Lautrbach <plautrba@redhat.com> - 3.0-4
- policycoreutils-dbus requires python3-gobject-base
* Sat May 23 2020 Miro Hrončok <mhroncok@redhat.com> - 3.0-3
- Rebuilt for Python 3.9
* Thu Jan 30 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Fri Dec 6 2019 Petr Lautrbach <plautrba@redhat.com> - 3.0-1
- SELinux userspace 3.0 release
* Wed Sep 4 2019 Petr Lautrbach <plautrba@redhat.com> - 2.9-7
- semanage: Do not use default s0 range in "semanage login -a" (#1312283)
* Thu Aug 29 2019 Petr Lautrbach <plautrba@redhat.com> - 2.9-6
- gui: Fix remove module in system-config-selinux (#1740936)
* Fri Aug 23 2019 Petr Lautrbach <plautrba@redhat.com> - 2.9-5
- fixfiles: Fix unbound variable problem
* Fri Aug 16 2019 Miro Hrončok <mhroncok@redhat.com> - 2.9-4
- Rebuilt for Python 3.8
* Mon Aug 5 2019 Petr Lautrbach <plautrba@redhat.com> - 2.9-3
- Drop python2-policycoreutils
- Update ru man page translations
- fixfiles: Fix [-B] [-F] onboot
* Fri Jul 26 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.9-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Mon Mar 18 2019 Petr Lautrbach <plautrba@redhat.com> - 2.9-1
- SELinux userspace 2.9 release
* Fri Dec 14 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-16.1
- semanage: move valid_types initialisations to class constructors
- semanage: import sepolicy only when it's needed
- sepolicy: Add sepolicy.load_store_policy(store)
* Mon Mar 11 2019 Petr Lautrbach <plautrba@redhat.com> - 2.9-0.rc2.1
- SELinux userspace 2.9-rc2 release
* Sat Feb 02 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.9-0.rc1.1.1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Fri Jan 25 2019 Petr Lautrbach <plautrba@redhat.com> - 2.9-0.rc1.1
- SELinux userspace 2.9-rc1 release candidate
* Fri Jan 25 2019 Petr Lautrbach <plautrba@redhat.com> - 2.8-17
- python2-policycoreutils requires python2-ipaddress (#1669230)
* Tue Jan 22 2019 Petr Lautrbach <plautrba@redhat.com> - 2.8-16
- restorecond: Install DBUS service file with 644 permissions
* Mon Jan 21 2019 Petr Lautrbach <plautrba@redhat.com> - 2.8-15
- setsebool: support use of -P on SELinux-disabled hosts
- sepolicy: initialize mislabeled_files in __init__()
- audit2allow: use local sepolgen-ifgen-attr-helper for tests
- audit2allow: allow using audit2why as non-root user
- audit2allow/sepolgen-ifgen: show errors on stderr
- audit2allow/sepolgen-ifgen: add missing \n to error message
- sepolgen: close /etc/selinux/sepolgen.conf after parsing it
- sepolicy: Make policy files sorting more robust
- semanage: Load a store policy and set the store SELinux policy root
* Thu Dec 20 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-14
- chcat: fix removing categories on users with Fedora default setup
- semanage: Include MCS/MLS range when exporting local customizations
- semanage: Start exporting "ibendport" and "ibpkey" entries
- semanage: do not show "None" levels when using a non-MLS policy
- sepolicy: Add sepolicy.load_store_policy(store)
- semanage: import sepolicy only when it's needed
- semanage: move valid_types initialisations to class constructors
* Wed Dec 5 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-15
* Mon Dec 10 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-13
- chcat: use check_call instead of getstatusoutput
- semanage: Use standard argparse.error() method
- Use matchbox-window-manager instead of openbox
- Use ipaddress python module instead of IPy
- semanage: Fix handling of -a/-e/-d/-r options
- semanage: Use standard argparse.error() method
* Tue Dec 4 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-14
- Update translations
* Mon Dec 3 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-13
- Use ipaddress module instead of IPy
* Tue Nov 13 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-12
- Handle more reserved port types
- Replace aliases with corresponding type names
* Thu Nov 8 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-11.1
* Mon Nov 12 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-12
- sepolicy,semanage: replace aliases with corresponding type names
- sepolicy-generate: Handle more reserved port types
- Fix RESOURCE_LEAK coverity scan defects
* Thu Oct 25 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-10
- sepolicy: Update to work with setools-4.2.0
- gui: Make all polgen button labels translatable
* Tue Oct 16 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-9
* Tue Oct 16 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-11
- sepolicy: Fix get_real_type_name to handle query failure properly
* Mon Oct 15 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-8
- sepolicy: search() for dontaudit rules as well
* Fri Sep 14 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-7
- setfiles: Improve description of -d switch
- Fix typo in newrole.1 manpage
* Tue Oct 2 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-10
- semanage: "semanage user" does not use -s, fix documentation
- semanage: add a missing space in ibendport help
- sepolicy: Update to work with setools-4.2.0
* Fri Sep 14 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-9
- semanage: Stop rejecting aliases in semanage commands
- sepolicy: Stop rejecting aliases in sepolicy commands
- sepolicy: Fix "info" to search aliases as well
- sepolgen: fix refpolicy parsing of "permissive"
- sepolgen: return NotImplemented instead of raising it
- semanage: fix Python syntax of catching several exceptions
- semanage: Replace bare except with specific one
- semanage: Fix logger class definition
- semanage: Stop logging loginRecords changes
- add xperms support to audit2allow
- sepolgen: fix access vector initialization
- sepolgen: print all AV rules correctly
- setfiles: Improve description of -d switch
* Thu Sep 13 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-6.1
* Wed Sep 12 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-8
- Update translations
* Tue Jul 24 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-5
- sandbox: Use matchbox-window-manager instead of openbox (#1568295)
* Tue Sep 4 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-7
- Fix typo in newrole.1 manpage
- sepolgen: print all AV rules correctly
- sepolgen: fix access vector initialization
- Add xperms support to audit2allow
- semanage: Stop logging loginRecords changes
- semanage: Fix logger class definition
- semanage: Replace bare except with specific one
- semanage: fix Python syntax of catching several exceptions
- sepolgen: return NotImplemented instead of raising it
- sepolgen: fix refpolicy parsing of "permissive"
* Thu Jul 19 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-4
* Mon Aug 6 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-6
- Use split translation files
https://github.com/fedora-selinux/selinux/issues/43
* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.8-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Mon Jul 02 2018 Miro Hrončok <mhroncok@redhat.com> - 2.8-4
- Rebuilt for Python 3.7
* Mon Jun 18 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-3
- selinux-autorelabel: Use plymouth --quit rather then --hide-splash (#1592221)
- selinux-autorelabel: Increment boot_indeterminate grub environment variable (#1592221)
- Do not require libcgroup - it's not used anymore
* Tue Jun 26 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-3
- Do not use symlinks to enable selinux-autorelabel-mark.service (#1589720)
* Fri Jun 15 2018 Miro Hrončok <mhroncok@redhat.com> - 2.8-2
- Rebuilt for Python 3.7
* Wed Jun 6 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-2
- Don't build the Python 2 subpackages (#1567354)
* Fri May 25 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-1.1
* Fri May 25 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-1
- SELinux userspace 2.8 release
* Tue May 22 2018 Petr Lautrbach <plautrba@redhat.com> - 2.7-19
* Tue May 22 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-0.rc3.2
- selinux-autorelabel: set UEFI boot order (BootNext) same as BootCurrent
- selinux-autorelabel: synchronize cached writes before reboot (#1385272)
* Tue May 15 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-0.rc3.1
- SELinux userspace 2.8-rc2 release candidate
* Fri May 4 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-0.rc2.1
- SELinux userspace 2.8-rc2 release candidate
* Mon Apr 23 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-0.rc1.1
- SELinux userspace 2.8-rc1 release candidate
* Thu Apr 19 2018 Petr Lautrbach <plautrba@redhat.com> - 2.7-20
- Drop python2 sepolicy gui files from policycoreutils-gui (#1566618)
* Wed Apr 18 2018 Iryna Shcherbina <shcherbina.iryna@gmail.com> - 2.7-19
- Update Python 2 dependency declarations to new packaging standards
(See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3)
* Tue Apr 3 2018 Petr Lautrbach <plautrba@redhat.com> - 2.7-18
- Move semodule_* utilities to policycoreutils package (#1562549)
@ -1088,7 +1187,7 @@ The policycoreutils-restorecond package contains the restorecond service.
- If there is no executable we don't want to print a part of STANDARD FILE CONTEXT
* Tue May 6 2014 Dan Walsh <dwalsh@redhat.com> - 2.3-1
- Update to upstream
- Update to upstream
* Add -P semodule option to man page from Dan Walsh.
* selinux_current_policy_path will return none on a disabled SELinux system from Dan Walsh.
* Add new icons for sepolicy gui from Dan Walsh.
@ -1106,7 +1205,7 @@ The policycoreutils-restorecond package contains the restorecond service.
- Apply patch to use setcon in seunshare from luto@mit.edu
* Wed Apr 30 2014 Dan Walsh <dwalsh@redhat.com> - 2.2.5-14
- Remove requirement for systemd-units
- Remove requirement for systemd-units
* Fri Apr 25 2014 Miroslav Grepl <mgreplh@redhat.com> - 2.2.5-13
- Fix previous Fix-STANDARD_FILE_CONTEXT patch to exclude if non_exec does not exist
@ -1154,7 +1253,7 @@ The policycoreutils-restorecond package contains the restorecond service.
- Do not require /usr/share/selinux/devel/Makefile to build permissive domains
* Mon Jan 6 2014 Dan Walsh <dwalsh@redhat.com> - 2.2.5-1
- Update to upstream
- Update to upstream
* Ignore selevel/serange if MLS is disabled from Sven Vermeulen.
* Fri Jan 3 2014 Dan Walsh <dwalsh@redhat.com> - 2.2.4-8
@ -1184,7 +1283,7 @@ The policycoreutils-restorecond package contains the restorecond service.
- ptrace should be a part of deny_ptrace boolean in TEMPLATETYPE_admin
* Tue Dec 3 2013 Dan Walsh <dwalsh@redhat.com> - 2.2.4-1
- Update to upstream
- Update to upstream
* Revert automatic setting of serange and seuser in seobject; was breaking non-MLS systems.
- Add patches for sepolicy gui from mgrepl to
Fix advanced_item_button_push() to allow to select an application in advanced search menu
@ -1192,7 +1291,7 @@ The policycoreutils-restorecond package contains the restorecond service.
* Fri Nov 22 2013 Dan Walsh <dwalsh@redhat.com> - 2.2.3-1
- Update to upstream
- Update to upstream
* Apply polkit check on all dbus interfaces and restrict to active user from Dan Walsh.
* Fix typo in sepolicy gui dbus.relabel_on_boot call from Dan Walsh.
- Apply Miroslav Grepl patch to fix TEMPLATETYPE_domtrans description in sepolicy generate
@ -1203,7 +1302,7 @@ The policycoreutils-restorecond package contains the restorecond service.
* Fri Nov 15 2013 Dan Walsh <dwalsh@redhat.com> - 2.2.2-1
- Speed up startup time of sepolicy gui
- Clean up ports screen to only show enabled ports.
- Update to upstream
- Update to upstream
* Remove import policycoreutils.default_encoding_utf8 from semanage from Dan Walsh.
* Make yum/extract_rpms optional for sepolicy generate from Dan Walsh.
* Add test suite for audit2allow and sepolgen-ifgen from Dan Walsh.
@ -1212,7 +1311,7 @@ The policycoreutils-restorecond package contains the restorecond service.
- Shift around some of the files to more appropriate packages.
* semodule_* packages are required for devel.
* Thu Oct 31 2013 Dan Walsh <dwalsh@redhat.com> - 2.2-1
- Update to upstream
- Update to upstream
* Properly build the swig exception file from Laurent Bigonville.
* Fix man pages from Laurent Bigonville.
* Support overriding PATH and INITDIR in Makefile from Laurent Bigonville.
@ -5529,3 +5628,5 @@ written to. fails on 64-bit archs
* Mon Jun 2 2003 Dan Walsh <dwalsh@redhat.com> 1.0-1
- Initial version
## END: Generated by rpmautospec

16
selinux-3.8.tar.gz.asc Normal file
View File

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEcgDrLD9eSIRjwM6ezcroySfGvjEFAmeaa/8ACgkQzcroySfG
vjH2og//XNOPQw/9CCuW55KAJL2U2zU4mq9kL3WrkT4ViKhgctPFmPc77oMU+sZp
K8+FNxenNgObe9c+rv3tWMwSHRBKc+PTzrI9E2pm9ZB7JJIYwPkrJEW9DKP22E5q
3ccMuIUQbml9s7OPwHXLEHeL0WHUunTR47xgAuvVODYYuTVhumHOWY/E5cEEh4Of
GeStN6nAtCRohP7lqOWnCRgo0u8EDMX41zsE6EgUZonxZF+u5tx4FU0yBhfKhlgA
uvZYqFQdw/wOwWqKqljR22TCGJG9l1lTJVGGIICkOQNmmJa185dvRX/yTP0FIkfQ
vRkpchYicctix3rgfH6wvuYaCWyI/xZgCOakGKXoe5PBBMRsNUAW0z1gUC+Y0SQu
dukGrHlHn4jBvd0IsgxIsEac7Vt6dmlxK2CiWh+pJlKe3tItyYBerpMyMcvUQMv5
OKtqvGoaJBiavENzjDbv7Bzo+kgZuo70y6CV7g+tljboWT29N2QimSssS4Cr81KG
WFfUTDk+vvOFwDEOePufMPR0XMeybT5DDabNYOKr2kRlbktkpZKFyTAiIvwdKgpg
DAcudeTjlVeMXu2lZ1tC1MHXppAreWSiq88J6HIrmQJ3A99OVpCHHi+rGAyjcTRV
LueGRWy4PfovMKUMSkqftLPdjEY0W9J9WxLrmLSCLxTBwYnbyNU=
=0ej6
-----END PGP SIGNATURE-----

12
SOURCES/selinux-autorelabel → selinux-autorelabel
View File

@ -51,9 +51,15 @@ relabel_selinux() {
echo $"*** Relabeling could take a very long time, depending on file"
echo $"*** system size and speed of hard drives."
FORCE=`cat /.autorelabel`
[ -x "/usr/sbin/quotaoff" ] && /usr/sbin/quotaoff -aug
/sbin/fixfiles $FORCE restore
OPTS=`cat /.autorelabel`
# by default, use as many threads as there are available
# another -T X in $OPTS will override the default value
OPTS="-T 0 $OPTS"
[ -x "/usr/sbin/quotaoff" ] && /usr/sbin/quotaoff -aug
echo
echo $"Running: /sbin/fixfiles $OPTS restore"
/sbin/fixfiles $OPTS restore
fi
rm -f /.autorelabel

11
SOURCES/selinux-autorelabel-generator.sh → selinux-autorelabel-generator.sh
View File

@ -1,4 +1,4 @@
#!/bin/sh
#!/bin/bash
# This systemd.generator(7) detects if SELinux is running and if the
# user requested an autorelabel, and if so sets the default target to
@ -18,6 +18,15 @@ fi
set_target ()
{
ln -sf "$unitdir/selinux-autorelabel.target" "$earlydir/default.target"
AUTORELABEL="1"
source /etc/selinux/config
if [ "$AUTORELABEL" = "0" ]; then
mkdir -p "$earlydir/selinux-autorelabel.service.d"
cat > "$earlydir/selinux-autorelabel.service.d/tty.conf" <<EOF
[Service]
StandardInput=tty
EOF
fi
}
if selinuxenabled; then

0
SOURCES/selinux-autorelabel-mark.service → selinux-autorelabel-mark.service
View File

0
SOURCES/selinux-autorelabel.service → selinux-autorelabel.service
View File

0
SOURCES/selinux-autorelabel.target → selinux-autorelabel.target
View File

7
sources Normal file
View File

@ -0,0 +1,7 @@
SHA512 (selinux-3.8.tar.gz) = 58d05cd17ebcb4975e49573d2019304e6bbe0692f0ec230d79dfbcd144c2ff695c137b83318cc5e04c618031db7764e697162a3a8ff753ecfa314e552ccb8b81
SHA512 (selinux-gui.zip) = 3ae41eba5dd6d34e10dfdb97f4194d170ace2f3044e984077db7d26d05bdaad86625e48e5694e3e8680487ad99a50861d4bea30c4bf08e2820e3b7a8671270c7
SHA512 (selinux-policycoreutils.zip) = 0df9dc274e0d1a2e4e2467f95a18a5bf7b6de2428ac90a0a73d7f3bd766a897062af142ba3cf39cdb79565ba78af960bcd2e35865cc26e14bf2305321780c918
SHA512 (selinux-python.zip) = 35d209f8bcff498f66465499fcc4cef0780781276a4ba060b2d1d56eed1dd72d253f6b0eae5f679d46cf426b967a7aadac909363513be5d483c95a31249eacdd
SHA512 (selinux-sandbox.zip) = ecbc0c8280eb6c013b039a2e63ee5a361cd84807613962a012ac0a98092357e9809bea23c3c71bd8ae4745b1dd12a4fce43db5e1cab31614f386a2a8db88b733
SHA512 (sepolicy-icons.tgz) = 38b03f68450b086a790789f1604ab1b2bdd8aa104c345a73101016d6ddd38742ddc73cde206ce1a799474cc3b587751f1d75903d79bd7db2271bc3a6075b3430
SHA512 (system-config-selinux.png) = d38e7dd12edbfd256df7b704f12658f0c3ba9d61da9d472c9a4794668c430c429a13cd836e5766b85288250936edfcb0db814a71f1bf4d267c3472d5ff8c4a5d