diff --git a/.gitignore b/.gitignore
index 88e9fd7..f044c8f 100644
--- a/.gitignore
+++ b/.gitignore
@@ -322,3 +322,10 @@ policycoreutils-2.0.83.tgz
 /selinux-python-3.1.tar.gz
 /selinux-sandbox-3.1.tar.gz
 /semodule-utils-3.1.tar.gz
+/policycoreutils-3.2-rc1.tar.gz
+/restorecond-3.2-rc1.tar.gz
+/selinux-dbus-3.2-rc1.tar.gz
+/selinux-gui-3.2-rc1.tar.gz
+/selinux-python-3.2-rc1.tar.gz
+/selinux-sandbox-3.2-rc1.tar.gz
+/semodule-utils-3.2-rc1.tar.gz
diff --git a/0001-python-audit2allow-add-include-limits.h-to-sepolgen-.patch b/0001-python-audit2allow-add-include-limits.h-to-sepolgen-.patch
deleted file mode 100644
index 21a4189..0000000
--- a/0001-python-audit2allow-add-include-limits.h-to-sepolgen-.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From ccd973f721c48945fc706d8fef6b396580853a9f Mon Sep 17 00:00:00 2001
-From: "W. Michael Petullo"
-Date: Thu, 16 Jul 2020 15:29:20 -0500
-Subject: [PATCH] python/audit2allow: add #include to
- sepolgen-ifgen-attr-helper.c
-
-I found that building on OpenWrt/musl failed with:
-
- sepolgen-ifgen-attr-helper.c:152:16: error: 'PATH_MAX' undeclared ...
-
-Musl is less "generous" than glibc in recursively including header
-files, and I suspect this is the reason for this error. Explicitly
-including limits.h fixes the problem.
-
-Signed-off-by: W. Michael Petullo
----
- python/audit2allow/sepolgen-ifgen-attr-helper.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/python/audit2allow/sepolgen-ifgen-attr-helper.c b/python/audit2allow/sepolgen-ifgen-attr-helper.c
-index 53f20818722a..f010c9584c1f 100644
---- a/python/audit2allow/sepolgen-ifgen-attr-helper.c
-+++ b/python/audit2allow/sepolgen-ifgen-attr-helper.c
-@@ -28,6 +28,7 @@
-
- #include
-
-+#include
- #include
- #include
- #include
---
-2.29.0
-
diff --git a/0007-sandbox-add-reset-to-Xephyr-as-it-works-better-with-.patch b/0001-sandbox-add-reset-to-Xephyr-as-it-works-better-with-.patch
similarity index 92%
rename from 0007-sandbox-add-reset-to-Xephyr-as-it-works-better-with-.patch
rename to 0001-sandbox-add-reset-to-Xephyr-as-it-works-better-with-.patch
index 1e50ba3..be7a903 100644
--- a/0007-sandbox-add-reset-to-Xephyr-as-it-works-better-with-.patch
+++ b/0001-sandbox-add-reset-to-Xephyr-as-it-works-better-with-.patch
@@ -1,4 +1,4 @@
-From ea624dcc70d93867f23b94c368b8cf102269c13b Mon Sep 17 00:00:00 2001
+From 560cf8a87edbae33ed5320355890e11c4e1227f5 Mon Sep 17 00:00:00 2001
 From: Petr Lautrbach
 Date: Thu, 20 Aug 2015 12:58:41 +0200
 Subject: [PATCH] sandbox: add -reset to Xephyr as it works better with it in
@@ -22,5 +22,5 @@ index eaa500d08143..4774528027ef 100644
 cat > ~/seremote << __EOF
 #!/bin/sh
 --
-2.29.0
+2.30.0
diff --git a/0008-Fix-STANDARD_FILE_CONTEXT-section-in-man-pages.patch b/0002-Fix-STANDARD_FILE_CONTEXT-section-in-man-pages.patch
similarity index 88%
rename from 0008-Fix-STANDARD_FILE_CONTEXT-section-in-man-pages.patch
rename to 0002-Fix-STANDARD_FILE_CONTEXT-section-in-man-pages.patch
index 4779216..e106b3a 100644
--- a/0008-Fix-STANDARD_FILE_CONTEXT-section-in-man-pages.patch
+++ b/0002-Fix-STANDARD_FILE_CONTEXT-section-in-man-pages.patch
@@ -1,4 +1,4 @@
-From 932c1244bc98d3a05a238f3f0b333cf8c429113b Mon Sep 17 00:00:00 2001
+From ba8c8a07d0ba68035acc9bd5340910588064f6f7 Mon Sep 17 00:00:00 2001
 From: Dan Walsh
 Date: Mon, 21 Apr 2014 13:54:40 -0400
 Subject: [PATCH] Fix STANDARD_FILE_CONTEXT section in man pages
@@ -9,10 +9,10 @@ Signed-off-by: Miroslav Grepl
 1 file changed, 5 insertions(+), 2 deletions(-)
 diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
-index 3e8a3be907e3..a1d70623cff0 100755
+index 2f847abb87e2..dccd778ed4be 100755
 --- a/python/sepolicy/sepolicy/manpage.py
+++ b/python/sepolicy/sepolicy/manpage.py -@@ -735,10 +735,13 @@ Default Defined Ports:""") +@@ -737,10 +737,13 @@ Default Defined Ports:""") def _file_context(self): flist = [] @@ -26,7 +26,7 @@ index 3e8a3be907e3..a1d70623cff0 100755 if f in self.fcdict: mpaths = mpaths + self.fcdict[f]["regex"] if len(mpaths) == 0: -@@ -797,12 +800,12 @@ SELinux %(domainname)s policy is very flexible allowing users to setup their %(d +@@ -799,12 +802,12 @@ SELinux %(domainname)s policy is very flexible allowing users to setup their %(d SELinux defines the file context types for the %(domainname)s, if you wanted to store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. @@ -42,5 +42,5 @@ index 3e8a3be907e3..a1d70623cff0 100755 self.fd.write(r""" .I The following file types are defined for %(domainname)s: -- -2.29.0 +2.30.0 diff --git a/0002-restorecond-Set-X-GNOME-HiddenUnderSystemd-true-in-r.patch b/0002-restorecond-Set-X-GNOME-HiddenUnderSystemd-true-in-r.patch deleted file mode 100644 index 1dfe625..0000000 --- a/0002-restorecond-Set-X-GNOME-HiddenUnderSystemd-true-in-r.patch +++ /dev/null 
@@ -1,26 +0,0 @@
-From 9e2b8c61bfd275d0f007a736721c557755edf4a0 Mon Sep 17 00:00:00 2001
-From: Laurent Bigonville
-Date: Thu, 16 Jul 2020 14:22:13 +0200
-Subject: [PATCH] restorecond: Set X-GNOME-HiddenUnderSystemd=true in
- restorecond.desktop file
-
-This completely inactivate the .desktop file incase the user session is
-managed by systemd as restorecond also provide a service file
-
-Signed-off-by: Laurent Bigonville
----
- restorecond/restorecond.desktop | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/restorecond/restorecond.desktop b/restorecond/restorecond.desktop
-index af7286801c24..7df854727a3f 100644
---- a/restorecond/restorecond.desktop
-+++ b/restorecond/restorecond.desktop
-@@ -5,3 +5,4 @@ Comment=Fix file context in owned by the user
- Type=Application
- StartupNotify=false
- X-GNOME-Autostart-enabled=false
-+X-GNOME-HiddenUnderSystemd=true
---
-2.29.0
-
diff --git a/0009-If-there-is-no-executable-we-don-t-want-to-print-a-p.patch b/0003-If-there-is-no-executable-we-don-t-want-to-print-a-p.patch
similarity index 80%
rename from 0009-If-there-is-no-executable-we-don-t-want-to-print-a-p.patch
rename to 0003-If-there-is-no-executable-we-don-t-want-to-print-a-p.patch
index 4feebed..b8732c3 100644
--- a/0009-If-there-is-no-executable-we-don-t-want-to-print-a-p.patch
+++ b/0003-If-there-is-no-executable-we-don-t-want-to-print-a-p.patch
@@ -1,4 +1,4 @@
-From ae3780eb560fa5f00a3dd591c8233c2a9068a348 Mon Sep 17 00:00:00 2001
+From 27d137d07e9e6a57a2a962aa9c7f37f48dbf960f Mon Sep 17 00:00:00 2001
 From: Miroslav Grepl
 Date: Mon, 12 May 2014 14:11:22 +0200
 Subject: [PATCH] If there is no executable we don't want to print a part of
@@ -9,10 +9,10 @@ Subject: [PATCH] If there is no executable we don't want to print a part of
 1 file changed, 2 insertions(+), 1 deletion(-)
 diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
-index a1d70623cff0..2d33eabb2536 100755
+index dccd778ed4be..81333928d552 100755
--- a/python/sepolicy/sepolicy/manpage.py +++ b/python/sepolicy/sepolicy/manpage.py -@@ -793,7 +793,8 @@ SELinux %(domainname)s policy is very flexible allowing users to setup their %(d +@@ -795,7 +795,8 @@ SELinux %(domainname)s policy is very flexible allowing users to setup their %(d .PP """ % {'domainname': self.domainname, 'equiv': e, 'alt': e.split('/')[-1]}) @@ -23,5 +23,5 @@ index a1d70623cff0..2d33eabb2536 100755 .B STANDARD FILE CONTEXT -- -2.29.0 +2.30.0 diff --git a/0003-fixfiles-correctly-restore-context-of-mountpoints.patch b/0003-fixfiles-correctly-restore-context-of-mountpoints.patch deleted file mode 100644 index 60dd2e3..0000000 --- a/0003-fixfiles-correctly-restore-context-of-mountpoints.patch +++ /dev/null 
@@ -1,136 +0,0 @@ -From ba2d6c10635a021d2b1a5fc2123fde13b04295a5 Mon Sep 17 00:00:00 2001 -From: bauen1 -Date: Thu, 6 Aug 2020 16:48:36 +0200 -Subject: [PATCH] fixfiles: correctly restore context of mountpoints - -By bind mounting every filesystem we want to relabel we can access all -files without anything hidden due to active mounts. - -This comes at the cost of user experience, because setfiles only -displays the percentage if no path is given or the path is / - -Signed-off-by: Jonathan Hettwer -Acked-by: Stephen Smalley ---- - policycoreutils/scripts/fixfiles | 29 +++++++++++++++++++++++++---- - policycoreutils/scripts/fixfiles.8 | 8 ++++++-- - 2 files changed, 31 insertions(+), 6 deletions(-) - -diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles -index 5d7770348349..30dadb4f4cb6 100755 ---- a/policycoreutils/scripts/fixfiles -+++ b/policycoreutils/scripts/fixfiles -@@ -112,6 +112,7 @@ FORCEFLAG="" - RPMFILES="" - PREFC="" - RESTORE_MODE="" -+BIND_MOUNT_FILESYSTEMS="" - SETFILES=/sbin/setfiles - RESTORECON=/sbin/restorecon - FILESYSTEMSRW=`get_rw_labeled_mounts` -@@ -243,7 +244,23 @@ case "$RESTORE_MODE" in - if [ -n "${FILESYSTEMSRW}" ]; then - LogReadOnly - echo "${OPTION}ing `echo ${FILESYSTEMSRW}`" -- ${SETFILES} ${VERBOSE} ${EXCLUDEDIRS} ${FORCEFLAG} $* -q ${FC} ${FILESYSTEMSRW} -+ -+ if [ -z "$BIND_MOUNT_FILESYSTEMS" ]; then -+ ${SETFILES} ${VERBOSE} ${EXCLUDEDIRS} ${FORCEFLAG} $* -q ${FC} ${FILESYSTEMSRW} -+ else -+ # we bind mount so we can fix the labels of files that have already been -+ # mounted over -+ for m in `echo $FILESYSTEMSRW`; do -+ TMP_MOUNT="$(mktemp -d)" -+ test -z ${TMP_MOUNT+x} && echo "Unable to find temporary directory!" 
&& exit 1 -+ -+ mkdir -p "${TMP_MOUNT}${m}" || exit 1 -+ mount --bind "${m}" "${TMP_MOUNT}${m}" || exit 1 -+ ${SETFILES} ${VERBOSE} ${EXCLUDEDIRS} ${FORCEFLAG} $* -q ${FC} -r "${TMP_MOUNT}" "${TMP_MOUNT}${m}" -+ umount "${TMP_MOUNT}${m}" || exit 1 -+ rm -rf "${TMP_MOUNT}" || echo "Error cleaning up." -+ done; -+ fi - else - echo >&2 "fixfiles: No suitable file systems found" - fi -@@ -313,6 +330,7 @@ case "$1" in - > /.autorelabel || exit $? - [ -z "$FORCEFLAG" ] || echo -n "$FORCEFLAG " >> /.autorelabel - [ -z "$BOOTTIME" ] || echo -N $BOOTTIME >> /.autorelabel -+ [ -z "$BIND_MOUNT_FILESYSTEMS" ] || echo "-M" >> /.autorelabel - # Force full relabel if SELinux is not enabled - selinuxenabled || echo -F > /.autorelabel - echo "System will relabel on next boot" -@@ -324,7 +342,7 @@ esac - } - usage() { - echo $""" --Usage: $0 [-v] [-F] [-f] relabel -+Usage: $0 [-v] [-F] [-M] [-f] relabel - or - Usage: $0 [-v] [-F] [-B | -N time ] { check | restore | verify } - or -@@ -334,7 +352,7 @@ Usage: $0 [-v] [-F] -R rpmpackage[,rpmpackage...] { check | restore | verify } - or - Usage: $0 [-v] [-F] -C PREVIOUS_FILECONTEXT { check | restore | verify } - or --Usage: $0 [-F] [-B] onboot -+Usage: $0 [-F] [-M] [-B] onboot - """ - } - -@@ -353,7 +371,7 @@ set_restore_mode() { - } - - # See how we were called. --while getopts "N:BC:FfR:l:v" i; do -+while getopts "N:BC:FfR:l:vM" i; do - case "$i" in - B) - BOOTTIME=`/bin/who -b | awk '{print $3}'` -@@ -379,6 +397,9 @@ while getopts "N:BC:FfR:l:v" i; do - echo "Redirecting output to $OPTARG" - exec >>"$OPTARG" 2>&1 - ;; -+ M) -+ BIND_MOUNT_FILESYSTEMS="-M" -+ ;; - F) - FORCEFLAG="-F" - ;; -diff --git a/policycoreutils/scripts/fixfiles.8 b/policycoreutils/scripts/fixfiles.8 -index 9f447f03d444..123425308416 100644 ---- a/policycoreutils/scripts/fixfiles.8 -+++ b/policycoreutils/scripts/fixfiles.8 -@@ -6,7 +6,7 @@ fixfiles \- fix file SELinux security contexts. 
- .na - - .B fixfiles --.I [\-v] [\-F] [\-f] relabel -+.I [\-v] [\-F] [-M] [\-f] relabel - - .B fixfiles - .I [\-v] [\-F] { check | restore | verify } dir/file ... -@@ -21,7 +21,7 @@ fixfiles \- fix file SELinux security contexts. - .I [\-v] [\-F] \-C PREVIOUS_FILECONTEXT { check | restore | verify } - - .B fixfiles --.I [-F] [-B] onboot -+.I [-F] [-M] [-B] onboot - - .ad - -@@ -68,6 +68,10 @@ Run a diff on the PREVIOUS_FILECONTEXT file to the currently installed one, and - Only act on files created after the specified date. Date must be specified in - "YYYY\-MM\-DD HH:MM" format. Date field will be passed to find \-\-newermt command. - -+.TP -+.B \-M -+Bind mount filesystems before relabeling them, this allows fixing the context of files or directories that have been mounted over. -+ - .TP - .B -v - Modify verbosity from progress to verbose. (Run restorecon with \-v instead of \-p) --- -2.29.0 - diff --git a/0010-Simplication-of-sepolicy-manpage-web-functionality.-.patch b/0004-Simplication-of-sepolicy-manpage-web-functionality.-.patch similarity index 93% rename from 0010-Simplication-of-sepolicy-manpage-web-functionality.-.patch rename to 0004-Simplication-of-sepolicy-manpage-web-functionality.-.patch index 1c08e06..08f7b29 100644 --- a/0010-Simplication-of-sepolicy-manpage-web-functionality.-.patch +++ b/0004-Simplication-of-sepolicy-manpage-web-functionality.-.patch @@ -1,4 +1,4 @@ -From 7d21b9f41c4d00f1e0499a64089a5e13a8f636ab Mon Sep 17 00:00:00 2001 +From e39c09c55ed98490b2f73e6564abca93f36ee81c Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Thu, 19 Feb 2015 17:45:15 +0100 Subject: [PATCH] Simplication of sepolicy-manpage web functionality. @@ -49,10 +49,10 @@ index e4540977d042..ad718797ca68 100644 def reinit(): diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py -index 2d33eabb2536..acc77f368d95 100755 +index 81333928d552..dc3e5207c57c 100755 --- a/python/sepolicy/sepolicy/manpage.py 
+++ b/python/sepolicy/sepolicy/manpage.py -@@ -149,10 +149,6 @@ def prettyprint(f, trim): +@@ -151,10 +151,6 @@ def prettyprint(f, trim): manpage_domains = [] manpage_roles = [] @@ -63,7 +63,7 @@ index 2d33eabb2536..acc77f368d95 100755 def get_alphabet_manpages(manpage_list): alphabet_manpages = dict.fromkeys(string.ascii_letters, []) for i in string.ascii_letters: -@@ -182,7 +178,7 @@ def convert_manpage_to_html(html_manpage, manpage): +@@ -184,7 +180,7 @@ def convert_manpage_to_html(html_manpage, manpage): class HTMLManPages: """ @@ -72,7 +72,7 @@ index 2d33eabb2536..acc77f368d95 100755 """ def __init__(self, manpage_roles, manpage_domains, path, os_version): -@@ -190,9 +186,9 @@ class HTMLManPages: +@@ -192,9 +188,9 @@ class HTMLManPages: self.manpage_domains = get_alphabet_manpages(manpage_domains) self.os_version = os_version self.old_path = path + "/" @@ -84,7 +84,7 @@ index 2d33eabb2536..acc77f368d95 100755 self.__gen_html_manpages() else: print("SELinux HTML man pages can not be generated for this %s" % os_version) -@@ -201,7 +197,6 @@ class HTMLManPages: +@@ -203,7 +199,6 @@ class HTMLManPages: def __gen_html_manpages(self): self._write_html_manpage() self._gen_index() @@ -92,7 +92,7 @@ index 2d33eabb2536..acc77f368d95 100755 self._gen_css() def _write_html_manpage(self): -@@ -219,67 +214,21 @@ class HTMLManPages: +@@ -221,67 +216,21 @@ class HTMLManPages: convert_manpage_to_html((self.new_path + r.rsplit("_selinux", 1)[0] + ".html"), self.old_path + r) def _gen_index(self): @@ -165,5 +165,5 @@ index 2d33eabb2536..acc77f368d95 100755 if len(self.manpage_roles[letter]): fd.write(""" -- -2.29.0 +2.30.0 diff --git a/0004-sepolgen-print-extended-permissions-in-hexadecimal.patch b/0004-sepolgen-print-extended-permissions-in-hexadecimal.patch deleted file mode 100644 index e83a1de..0000000 --- a/0004-sepolgen-print-extended-permissions-in-hexadecimal.patch +++ /dev/null 
@@ -1,112 +0,0 @@ -From 9e239e55692b578ba546b4dff2b07604a2ca6baa Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= -Date: Wed, 19 Aug 2020 17:05:33 +0200 -Subject: [PATCH] sepolgen: print extended permissions in hexadecimal -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -All tools like ausearch(8) or sesearch(1) and online documentation[1] -use hexadecimal values for extended permissions. -Hence use them, e.g. for audit2allow output, as well. - -[1]: https://github.com/strace/strace/blob/master/linux/64/ioctls_inc.h - -Signed-off-by: Christian Göttsche -Acked-by: Stephen Smalley ---- - python/sepolgen/src/sepolgen/refpolicy.py | 5 ++--- - python/sepolgen/tests/test_access.py | 10 +++++----- - python/sepolgen/tests/test_refpolicy.py | 12 ++++++------ - 3 files changed, 13 insertions(+), 14 deletions(-) - -diff --git a/python/sepolgen/src/sepolgen/refpolicy.py b/python/sepolgen/src/sepolgen/refpolicy.py -index 43cecfc77385..747636875ef7 100644 ---- a/python/sepolgen/src/sepolgen/refpolicy.py -+++ b/python/sepolgen/src/sepolgen/refpolicy.py -@@ -407,10 +407,9 @@ class XpermSet(): - - # print single value without braces - if len(self.ranges) == 1 and self.ranges[0][0] == self.ranges[0][1]: -- return compl + str(self.ranges[0][0]) -+ return compl + hex(self.ranges[0][0]) - -- vals = map(lambda x: str(x[0]) if x[0] == x[1] else "%s-%s" % x, -- self.ranges) -+ vals = map(lambda x: hex(x[0]) if x[0] == x[1] else "%s-%s" % (hex(x[0]), hex(x[1]), ), self.ranges) - - return "%s{ %s }" % (compl, " ".join(vals)) - -diff --git a/python/sepolgen/tests/test_access.py b/python/sepolgen/tests/test_access.py -index 73a5407df617..623588e09aeb 100644 ---- a/python/sepolgen/tests/test_access.py -+++ b/python/sepolgen/tests/test_access.py -@@ -171,7 +171,7 @@ class TestAccessVector(unittest.TestCase): - a.merge(b) - self.assertEqual(sorted(list(a.perms)), ["append", "read", "write"]) - 
self.assertEqual(list(a.xperms.keys()), ["ioctl"]) -- self.assertEqual(a.xperms["ioctl"].to_string(), "{ 42 12345 }") -+ self.assertEqual(a.xperms["ioctl"].to_string(), "{ 0x2a 0x3039 }") - - def text_merge_xperm2(self): - """Test merging AV that does not contain xperms with AV that does""" -@@ -185,7 +185,7 @@ class TestAccessVector(unittest.TestCase): - a.merge(b) - self.assertEqual(sorted(list(a.perms)), ["append", "read", "write"]) - self.assertEqual(list(a.xperms.keys()), ["ioctl"]) -- self.assertEqual(a.xperms["ioctl"].to_string(), "{ 42 12345 }") -+ self.assertEqual(a.xperms["ioctl"].to_string(), "{ 0x2a 0x3039 }") - - def test_merge_xperm_diff_op(self): - """Test merging two AVs that contain xperms with different operation""" -@@ -203,8 +203,8 @@ class TestAccessVector(unittest.TestCase): - a.merge(b) - self.assertEqual(list(a.perms), ["read"]) - self.assertEqual(sorted(list(a.xperms.keys())), ["asdf", "ioctl"]) -- self.assertEqual(a.xperms["asdf"].to_string(), "23") -- self.assertEqual(a.xperms["ioctl"].to_string(), "{ 42 12345 }") -+ self.assertEqual(a.xperms["asdf"].to_string(), "0x17") -+ self.assertEqual(a.xperms["ioctl"].to_string(), "{ 0x2a 0x3039 }") - - def test_merge_xperm_same_op(self): - """Test merging two AVs that contain xperms with same operation""" -@@ -222,7 +222,7 @@ class TestAccessVector(unittest.TestCase): - a.merge(b) - self.assertEqual(list(a.perms), ["read"]) - self.assertEqual(list(a.xperms.keys()), ["ioctl"]) -- self.assertEqual(a.xperms["ioctl"].to_string(), "{ 23 42 12345 }") -+ self.assertEqual(a.xperms["ioctl"].to_string(), "{ 0x17 0x2a 0x3039 }") - - class TestUtilFunctions(unittest.TestCase): - def test_is_idparam(self): -diff --git a/python/sepolgen/tests/test_refpolicy.py b/python/sepolgen/tests/test_refpolicy.py -index 4b50c8aada96..c7219fd568e9 100644 ---- a/python/sepolgen/tests/test_refpolicy.py -+++ b/python/sepolgen/tests/test_refpolicy.py -@@ -90,17 +90,17 @@ class TestXpermSet(unittest.TestCase): - a.complement = 
True - self.assertEqual(a.to_string(), "") - a.add(1234) -- self.assertEqual(a.to_string(), "~ 1234") -+ self.assertEqual(a.to_string(), "~ 0x4d2") - a.complement = False -- self.assertEqual(a.to_string(), "1234") -+ self.assertEqual(a.to_string(), "0x4d2") - a.add(2345) -- self.assertEqual(a.to_string(), "{ 1234 2345 }") -+ self.assertEqual(a.to_string(), "{ 0x4d2 0x929 }") - a.complement = True -- self.assertEqual(a.to_string(), "~ { 1234 2345 }") -+ self.assertEqual(a.to_string(), "~ { 0x4d2 0x929 }") - a.add(42,64) -- self.assertEqual(a.to_string(), "~ { 42-64 1234 2345 }") -+ self.assertEqual(a.to_string(), "~ { 0x2a-0x40 0x4d2 0x929 }") - a.complement = False -- self.assertEqual(a.to_string(), "{ 42-64 1234 2345 }") -+ self.assertEqual(a.to_string(), "{ 0x2a-0x40 0x4d2 0x929 }") - - class TestSecurityContext(unittest.TestCase): - def test_init(self): --- -2.29.0 - diff --git a/0011-We-want-to-remove-the-trailing-newline-for-etc-syste.patch b/0005-We-want-to-remove-the-trailing-newline-for-etc-syste.patch similarity index 91% rename from 0011-We-want-to-remove-the-trailing-newline-for-etc-syste.patch rename to 0005-We-want-to-remove-the-trailing-newline-for-etc-syste.patch index aabb8f1..6de8468 100644 --- a/0011-We-want-to-remove-the-trailing-newline-for-etc-syste.patch +++ b/0005-We-want-to-remove-the-trailing-newline-for-etc-syste.patch @@ -1,4 +1,4 @@ -From f0f030495dddb2e633403f360fdaaf6951da11ad Mon Sep 17 00:00:00 2001 +From 5c45c9cc13529ba6cb840010a3feda31b7c0fe78 Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Fri, 20 Feb 2015 16:42:01 +0100 Subject: [PATCH] We want to remove the trailing newline for @@ -22,5 +22,5 @@ index ad718797ca68..ea05d892bf3b 100644 system_release = "Misc" -- -2.29.0 +2.30.0 diff --git a/0005-sepolgen-sort-extended-rules-like-normal-ones.patch b/0005-sepolgen-sort-extended-rules-like-normal-ones.patch deleted file mode 100644 index 1fcfb52..0000000 
--- a/0005-sepolgen-sort-extended-rules-like-normal-ones.patch +++ /dev/null 
@@ -1,109 +0,0 @@ -From 2a60de8eca6bd91e276b60441a5dc72d85c6eda3 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= -Date: Wed, 19 Aug 2020 17:05:34 +0200 -Subject: [PATCH] sepolgen: sort extended rules like normal ones -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Currently: - - #============= sshd_t ============== - - #!!!! This avc is allowed in the current policy - #!!!! This av rule may have been overridden by an extended permission av rule - allow sshd_t ptmx_t:chr_file ioctl; - - #!!!! This avc is allowed in the current policy - #!!!! This av rule may have been overridden by an extended permission av rule - allow sshd_t sshd_devpts_t:chr_file ioctl; - - #!!!! This avc is allowed in the current policy - #!!!! This av rule may have been overridden by an extended permission av rule - allow sshd_t user_devpts_t:chr_file ioctl; - - #============= user_t ============== - - #!!!! This avc is allowed in the current policy - #!!!! This av rule may have been overridden by an extended permission av rule - allow user_t devtty_t:chr_file ioctl; - - #!!!! This avc is allowed in the current policy - #!!!! This av rule may have been overridden by an extended permission av rule - allow user_t user_devpts_t:chr_file ioctl; - allowxperm sshd_t ptmx_t:chr_file ioctl { 0x5430-0x5431 0x5441 }; - allowxperm sshd_t sshd_devpts_t:chr_file ioctl 0x5401; - allowxperm sshd_t user_devpts_t:chr_file ioctl { 0x5401-0x5402 0x540e }; - allowxperm user_t user_devpts_t:chr_file ioctl { 0x4b33 0x5401 0x5403 0x540a 0x540f-0x5410 0x5413-0x5414 }; - allowxperm user_t devtty_t:chr_file ioctl 0x4b33; - -Changed: - - #============= sshd_t ============== - - #!!!! This avc is allowed in the current policy - #!!!! This av rule may have been overridden by an extended permission av rule - allow sshd_t ptmx_t:chr_file ioctl; - allowxperm sshd_t ptmx_t:chr_file ioctl { 0x5430-0x5431 0x5441 }; - - #!!!! 
This avc is allowed in the current policy - #!!!! This av rule may have been overridden by an extended permission av rule - allow sshd_t sshd_devpts_t:chr_file ioctl; - allowxperm sshd_t sshd_devpts_t:chr_file ioctl 0x5401; - - #!!!! This avc is allowed in the current policy - #!!!! This av rule may have been overridden by an extended permission av rule - allow sshd_t user_devpts_t:chr_file ioctl; - allowxperm sshd_t user_devpts_t:chr_file ioctl { 0x5401-0x5402 0x540e }; - - #============= user_t ============== - - #!!!! This avc is allowed in the current policy - #!!!! This av rule may have been overridden by an extended permission av rule - allow user_t devtty_t:chr_file ioctl; - allowxperm user_t devtty_t:chr_file ioctl 0x4b33; - - #!!!! This avc is allowed in the current policy - #!!!! This av rule may have been overridden by an extended permission av rule - allow user_t user_devpts_t:chr_file ioctl; - allowxperm user_t user_devpts_t:chr_file ioctl { 0x4b33 0x5401 0x5403 0x540a 0x540f-0x5410 0x5413-0x5414 }; - -Signed-off-by: Christian Göttsche -Acked-by: Stephen Smalley ---- - python/sepolgen/src/sepolgen/output.py | 5 +++-- - 1 file changed, 3 insertions(+), 2 deletions(-) - -diff --git a/python/sepolgen/src/sepolgen/output.py b/python/sepolgen/src/sepolgen/output.py -index 3a21b64c19f7..aeeaafc889e7 100644 ---- a/python/sepolgen/src/sepolgen/output.py -+++ b/python/sepolgen/src/sepolgen/output.py -@@ -84,7 +84,7 @@ def avrule_cmp(a, b): - return ret - - # At this point, who cares - just return something -- return cmp(len(a.perms), len(b.perms)) -+ return 0 - - # Compare two interface calls - def ifcall_cmp(a, b): -@@ -100,7 +100,7 @@ def rule_cmp(a, b): - else: - return id_set_cmp([a.args[0]], b.src_types) - else: -- if isinstance(b, refpolicy.AVRule): -+ if isinstance(b, refpolicy.AVRule) or isinstance(b, refpolicy.AVExtRule): - return avrule_cmp(a,b) - else: - return id_set_cmp(a.src_types, [b.args[0]]) -@@ -130,6 +130,7 @@ def sort_filter(module): - # we 
assume is the first argument for interfaces). - rules = [] - rules.extend(node.avrules()) -+ rules.extend(node.avextrules()) - rules.extend(node.interface_calls()) - rules.sort(key=util.cmp_to_key(rule_cmp)) - --- -2.29.0 - diff --git a/0012-Fix-title-in-manpage.py-to-not-contain-online.patch b/0006-Fix-title-in-manpage.py-to-not-contain-online.patch similarity index 80% rename from 0012-Fix-title-in-manpage.py-to-not-contain-online.patch rename to 0006-Fix-title-in-manpage.py-to-not-contain-online.patch index d057d9b..c55c0db 100644 --- a/0012-Fix-title-in-manpage.py-to-not-contain-online.patch +++ b/0006-Fix-title-in-manpage.py-to-not-contain-online.patch @@ -1,4 +1,4 @@ -From 4a18939d21c06d036f1063cbfd2d0b5ae9d0010f Mon Sep 17 00:00:00 2001 +From b7cbbf2d25e2321b9af64db908947877771af257 Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Fri, 20 Feb 2015 16:42:53 +0100 Subject: [PATCH] Fix title in manpage.py to not contain 'online'. @@ -8,10 +8,10 @@ Subject: [PATCH] Fix title in manpage.py to not contain 'online'. 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py -index acc77f368d95..4aeb3e2e51ba 100755 +index dc3e5207c57c..6420ebe2e08e 100755 --- a/python/sepolicy/sepolicy/manpage.py +++ b/python/sepolicy/sepolicy/manpage.py -@@ -220,7 +220,7 @@ class HTMLManPages: +@@ -222,7 +222,7 @@ class HTMLManPages: @@ -21,5 +21,5 @@ index acc77f368d95..4aeb3e2e51ba 100755

SELinux man pages for %s

--
-2.29.0
+2.30.0
diff --git a/0006-newrole-support-cross-compilation-with-PAM-and-audit.patch b/0006-newrole-support-cross-compilation-with-PAM-and-audit.patch
deleted file mode 100644
index cb555fc..0000000
--- a/0006-newrole-support-cross-compilation-with-PAM-and-audit.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From 8bc865e1fe8f6f734b7306441ccbeec3b7c37f97 Mon Sep 17 00:00:00 2001
-From: Dominick Grift
-Date: Tue, 1 Sep 2020 18:16:41 +0200
-Subject: [PATCH] newrole: support cross-compilation with PAM and audit
-
-Compilation of newrole with PAM and audit support currently requires that you have the respective headers installed on the host. Instead make the header location customizable to accomodate cross-compilation.
-
-Signed-off-by: Dominick Grift
-Acked-by: Stephen Smalley
----
- policycoreutils/newrole/Makefile | 5 +++--
- 1 file changed, 3 insertions(+), 2 deletions(-)
-
-diff --git a/policycoreutils/newrole/Makefile b/policycoreutils/newrole/Makefile
-index 73ebd413da85..0e7ebce3dd56 100644
---- a/policycoreutils/newrole/Makefile
-+++ b/policycoreutils/newrole/Makefile
-@@ -5,8 +5,9 @@ BINDIR ?= $(PREFIX)/bin
- MANDIR ?= $(PREFIX)/share/man
- ETCDIR ?= /etc
- LOCALEDIR = $(DESTDIR)$(PREFIX)/share/locale
--PAMH ?= $(shell test -f /usr/include/security/pam_appl.h && echo y)
--AUDITH ?= $(shell test -f /usr/include/libaudit.h && echo y)
-+INCLUDEDIR ?= $(PREFIX)/include
-+PAMH ?= $(shell test -f $(INCLUDEDIR)/security/pam_appl.h && echo y)
-+AUDITH ?= $(shell test -f $(INCLUDEDIR)/libaudit.h && echo y)
- # Enable capabilities to permit newrole to generate audit records.
- # This will make newrole a setuid root program.
- # The capabilities used are: CAP_AUDIT_WRITE.
---
-2.29.0
-
diff --git a/0013-Don-t-be-verbose-if-you-are-not-on-a-tty.patch b/0007-Don-t-be-verbose-if-you-are-not-on-a-tty.patch
similarity index 89%
rename from 0013-Don-t-be-verbose-if-you-are-not-on-a-tty.patch
rename to 0007-Don-t-be-verbose-if-you-are-not-on-a-tty.patch
index 8b3d5c3..a964d6b 100644
--- a/0013-Don-t-be-verbose-if-you-are-not-on-a-tty.patch
+++ b/0007-Don-t-be-verbose-if-you-are-not-on-a-tty.patch
@@ -1,4 +1,4 @@
-From ffe429b49874175f5ec1156e9c89e75cc67a0ddd Mon Sep 17 00:00:00 2001
+From fb167fc5660dbc83cd516579d73507b0969b5544 Mon Sep 17 00:00:00 2001
 From: Dan Walsh
 Date: Fri, 14 Feb 2014 12:32:12 -0500
 Subject: [PATCH] Don't be verbose if you are not on a tty
@@ -20,5 +20,5 @@ index 30dadb4f4cb6..e73bb81c3336 100755
 RPMFILES=""
 PREFC=""
 --
-2.29.0
+2.30.0
diff --git a/0014-sepolicy-Drop-old-interface-file_type_is_executable-.patch b/0008-sepolicy-Drop-old-interface-file_type_is_executable-.patch
similarity index 88%
rename from 0014-sepolicy-Drop-old-interface-file_type_is_executable-.patch
rename to 0008-sepolicy-Drop-old-interface-file_type_is_executable-.patch
index a365fc3..19647b6 100644
--- a/0014-sepolicy-Drop-old-interface-file_type_is_executable-.patch
+++ b/0008-sepolicy-Drop-old-interface-file_type_is_executable-.patch
@@ -1,4 +1,4 @@
-From 4a337405da16857dc2a979e4b4963a6fd7b975c6 Mon Sep 17 00:00:00 2001
+From 0b37889f3032e4f456edad469786f72ad344ec8c Mon Sep 17 00:00:00 2001
 From: Petr Lautrbach
 Date: Mon, 27 Feb 2017 17:12:39 +0100
 Subject: [PATCH] sepolicy: Drop old interface file_type_is_executable(f) and
@@ -11,10 +11,10 @@ Subject: [PATCH] sepolicy: Drop old interface file_type_is_executable(f) and
 1 file changed, 20 insertions(+), 2 deletions(-)
 diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
-index 4aeb3e2e51ba..330b055af214 100755
+index 6420ebe2e08e..d15522135288 100755
 --- a/python/sepolicy/sepolicy/manpage.py
+++ b/python/sepolicy/sepolicy/manpage.py -@@ -125,8 +125,24 @@ def gen_domains(): +@@ -127,8 +127,24 @@ def gen_domains(): domains.sort() return domains @@ -40,7 +40,7 @@ index 4aeb3e2e51ba..330b055af214 100755 def _gen_types(): global types -@@ -372,6 +388,8 @@ class ManPage: +@@ -374,6 +390,8 @@ class ManPage: self.all_file_types = sepolicy.get_all_file_types() self.role_allows = sepolicy.get_all_role_allows() self.types = _gen_types() @@ -49,7 +49,7 @@ index 4aeb3e2e51ba..330b055af214 100755 if self.source_files: self.fcpath = self.root + "file_contexts" -@@ -689,7 +707,7 @@ Default Defined Ports:""") +@@ -691,7 +709,7 @@ Default Defined Ports:""") for f in self.all_file_types: if f.startswith(self.domainname): flist.append(f) @@ -59,5 +59,5 @@ index 4aeb3e2e51ba..330b055af214 100755 if f in self.fcdict: mpaths = mpaths + self.fcdict[f]["regex"] -- -2.29.0 +2.30.0 diff --git a/0015-sepolicy-Another-small-optimization-for-mcs-types.patch b/0009-sepolicy-Another-small-optimization-for-mcs-types.patch similarity index 86% rename from 0015-sepolicy-Another-small-optimization-for-mcs-types.patch rename to 0009-sepolicy-Another-small-optimization-for-mcs-types.patch index 52ab467..06a1b3d 100644 --- a/0015-sepolicy-Another-small-optimization-for-mcs-types.patch +++ b/0009-sepolicy-Another-small-optimization-for-mcs-types.patch @@ -1,4 +1,4 @@ -From 7c315fff5e7ce74b0598b62d9aa0b21ca6b06b6d Mon Sep 17 00:00:00 2001 +From 268cd1b3a346db400eedb66db6a7d0aac192cd5e Mon Sep 17 00:00:00 2001 From: Petr Lautrbach Date: Tue, 28 Feb 2017 21:29:46 +0100 Subject: [PATCH] sepolicy: Another small optimization for mcs types @@ -8,10 +8,10 @@ Subject: [PATCH] sepolicy: Another small optimization for mcs types 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py -index 330b055af214..f8584436960d 100755 +index d15522135288..ffcedb547993 100755 --- a/python/sepolicy/sepolicy/manpage.py 
+++ b/python/sepolicy/sepolicy/manpage.py -@@ -142,6 +142,15 @@ def _gen_entry_types(): +@@ -144,6 +144,15 @@ def _gen_entry_types(): entry_types = next(sepolicy.info(sepolicy.ATTRIBUTE, "entry_type"))["types"] return entry_types @@ -27,7 +27,7 @@ index 330b055af214..f8584436960d 100755 types = None def _gen_types(): -@@ -390,6 +399,7 @@ class ManPage: +@@ -392,6 +401,7 @@ class ManPage: self.types = _gen_types() self.exec_types = _gen_exec_types() self.entry_types = _gen_entry_types() @@ -35,7 +35,7 @@ index 330b055af214..f8584436960d 100755 if self.source_files: self.fcpath = self.root + "file_contexts" -@@ -944,11 +954,7 @@ All executables with the default executable label, usually stored in /usr/bin an +@@ -946,11 +956,7 @@ All executables with the default executable label, usually stored in /usr/bin an %s""" % ", ".join(paths)) def _mcs_types(self): @@ -49,5 +49,5 @@ index 330b055af214..f8584436960d 100755 self.fd.write (""" .SH "MCS Constrained" -- -2.29.0 +2.30.0 diff --git a/0016-Move-po-translation-files-into-the-right-sub-directo.patch b/0010-Move-po-translation-files-into-the-right-sub-directo.patch similarity index 99% rename from 0016-Move-po-translation-files-into-the-right-sub-directo.patch rename to 0010-Move-po-translation-files-into-the-right-sub-directo.patch index e6eba22..4b5a51f 100644 --- a/0016-Move-po-translation-files-into-the-right-sub-directo.patch +++ b/0010-Move-po-translation-files-into-the-right-sub-directo.patch @@ -1,4 +1,4 @@ -From a07e9652785c6196d916dfca3d36c898959406b4 Mon Sep 17 00:00:00 2001 +From 8ea45198560652813d2dad26e28a4220ed690afa Mon Sep 17 00:00:00 2001 From: Petr Lautrbach Date: Mon, 6 Aug 2018 13:23:00 +0200 Subject: [PATCH] Move po/ translation files into the right sub-directories @@ -511,5 +511,5 @@ index 000000000000..deff3f2f4656 @@ -0,0 +1 @@ +../sandbox -- -2.29.0 +2.30.0 
diff --git a/0017-Use-correct-gettext-domains-in-python-gui-sandbox.patch b/0011-Use-correct-gettext-domains-in-python-gui-sandbox.patch similarity index 97% rename from 0017-Use-correct-gettext-domains-in-python-gui-sandbox.patch rename to 0011-Use-correct-gettext-domains-in-python-gui-sandbox.patch index 8d5bf3c..e1ac444 100644 --- a/0017-Use-correct-gettext-domains-in-python-gui-sandbox.patch +++ b/0011-Use-correct-gettext-domains-in-python-gui-sandbox.patch @@ -1,4 +1,4 @@ -From eab0fc05a38ab2cd47b3e0ff69981850cc7cd538 Mon Sep 17 00:00:00 2001 +From 773adcbd26efe16b5738dcf40e9ec757101417d5 Mon Sep 17 00:00:00 2001 From: Petr Lautrbach Date: Mon, 6 Aug 2018 13:37:07 +0200 Subject: [PATCH] Use correct gettext domains in python/ gui/ sandbox/ @@ -185,13 +185,13 @@ index fdd2e46ee3f9..839ddd3b54b6 100755 import gettext kwargs = {} diff --git a/python/semanage/semanage b/python/semanage/semanage -index b2fabea67a87..3cc30a160a74 100644 +index 125271df5265..026502b537cb 100644 --- a/python/semanage/semanage +++ b/python/semanage/semanage -@@ -27,7 +27,7 @@ import traceback - import argparse - import seobject +@@ -30,7 +30,7 @@ import seobject import sys + import traceback + -PROGNAME = "policycoreutils" +PROGNAME = "selinux-python" try: @@ -302,5 +302,5 @@ index ca5f1e030a51..16c43b51eaaa 100644 import gettext kwargs = {} -- -2.29.0 +2.30.0 diff --git a/0018-Initial-.pot-files-for-gui-python-sandbox.patch b/0012-Initial-.pot-files-for-gui-python-sandbox.patch similarity index 99% rename from 0018-Initial-.pot-files-for-gui-python-sandbox.patch rename to 0012-Initial-.pot-files-for-gui-python-sandbox.patch index 4bc6e55..4fc90f5 100644 --- a/0018-Initial-.pot-files-for-gui-python-sandbox.patch +++ b/0012-Initial-.pot-files-for-gui-python-sandbox.patch @@ -1,4 +1,4 @@ -From ffca591cb3055c4962cdc968662bd52bb876e640 Mon Sep 17 00:00:00 2001 +From cfa051df61b1901f5e1012877965b632d287d5a7 Mon Sep 17 00:00:00 2001 
From: Petr Lautrbach Date: Mon, 6 Aug 2018 14:23:19 +0200 Subject: [PATCH] Initial .pot files for gui/ python/ sandbox/ @@ -4528,5 +4528,5 @@ index 000000000000..328b4f0159d3 +msgid "Invalid value %s" +msgstr "" -- -2.29.0 +2.30.0 diff --git a/0019-policycoreutils-setfiles-Improve-description-of-d-sw.patch b/0013-policycoreutils-setfiles-Improve-description-of-d-sw.patch similarity index 93% rename from 0019-policycoreutils-setfiles-Improve-description-of-d-sw.patch rename to 0013-policycoreutils-setfiles-Improve-description-of-d-sw.patch index 08681fc..eb4dff2 100644 --- a/0019-policycoreutils-setfiles-Improve-description-of-d-sw.patch +++ b/0013-policycoreutils-setfiles-Improve-description-of-d-sw.patch @@ -1,4 +1,4 @@ -From 4277ef04de699e1939c95c4813de6a78d1ea1656 Mon Sep 17 00:00:00 2001 +From 37a871b6138f9783d832d2fa6f5482fb648c4928 Mon Sep 17 00:00:00 2001 From: Vit Mojzis Date: Wed, 21 Mar 2018 08:51:31 +0100 Subject: [PATCH] policycoreutils/setfiles: Improve description of -d switch @@ -26,5 +26,5 @@ index e328a5628682..02e0960289d3 100644 .BI \-e \ directory directory to exclude (repeat option for more than one directory). -- -2.29.0 +2.30.0 diff --git a/0020-sepolicy-generate-Handle-more-reserved-port-types.patch b/0014-sepolicy-generate-Handle-more-reserved-port-types.patch similarity index 97% rename from 0020-sepolicy-generate-Handle-more-reserved-port-types.patch rename to 0014-sepolicy-generate-Handle-more-reserved-port-types.patch index e77da11..eae41f4 100644 --- a/0020-sepolicy-generate-Handle-more-reserved-port-types.patch +++ b/0014-sepolicy-generate-Handle-more-reserved-port-types.patch @@ -1,4 +1,4 @@ -From fa94b0faf12a79158d971f363e8ec65227d67de3 Mon Sep 17 00:00:00 2001 +From 649f11933105597d23cf4c4abc3a895fd0ae1f3e Mon Sep 17 00:00:00 2001 From: Masatake YAMATO Date: Thu, 14 Dec 2017 15:57:58 +0900 Subject: [PATCH] sepolicy-generate: Handle more reserved port types 
@@ -67,5 +67,5 @@ index 43180ca6fda4..d60a08e1d72c 100644 dict[(p['low'], p['high'], p['protocol'])] = (p['type'], p.get('range')) return dict -- -2.29.0 +2.30.0 diff --git a/0021-semodule-utils-Fix-RESOURCE_LEAK-coverity-scan-defec.patch b/0015-semodule-utils-Fix-RESOURCE_LEAK-coverity-scan-defec.patch similarity index 90% rename from 0021-semodule-utils-Fix-RESOURCE_LEAK-coverity-scan-defec.patch rename to 0015-semodule-utils-Fix-RESOURCE_LEAK-coverity-scan-defec.patch index 930c670..6226c53 100644 --- a/0021-semodule-utils-Fix-RESOURCE_LEAK-coverity-scan-defec.patch +++ b/0015-semodule-utils-Fix-RESOURCE_LEAK-coverity-scan-defec.patch @@ -1,4 +1,4 @@ -From 122e35c4d11b5b623e8bc463f81c6792385523cb Mon Sep 17 00:00:00 2001 +From e6821b5aa7f631efaceffd8de130f83c56a5c81a Mon Sep 17 00:00:00 2001 From: Petr Lautrbach Date: Thu, 8 Nov 2018 09:20:58 +0100 Subject: [PATCH] semodule-utils: Fix RESOURCE_LEAK coverity scan defects @@ -20,5 +20,5 @@ index 3515234e36de..7b75b3fd9bb4 100644 } -- -2.29.0 +2.30.0 diff --git a/0022-sandbox-Use-matchbox-window-manager-instead-of-openb.patch b/0016-sandbox-Use-matchbox-window-manager-instead-of-openb.patch similarity index 97% rename from 0022-sandbox-Use-matchbox-window-manager-instead-of-openb.patch rename to 0016-sandbox-Use-matchbox-window-manager-instead-of-openb.patch index 187f564..0bdd1cd 100644 --- a/0022-sandbox-Use-matchbox-window-manager-instead-of-openb.patch +++ b/0016-sandbox-Use-matchbox-window-manager-instead-of-openb.patch @@ -1,4 +1,4 @@ -From e63814eb18bdbb48a7e6bf79b17d79d6a9ca56d6 Mon Sep 17 00:00:00 2001 +From df67934eb3bf24e38b11278b06db816a069fab3f Mon Sep 17 00:00:00 2001 From: Petr Lautrbach Date: Wed, 18 Jul 2018 09:09:35 +0200 Subject: [PATCH] sandbox: Use matchbox-window-manager instead of openbox @@ -70,5 +70,5 @@ index 4774528027ef..c211ebc14549 100644 export DISPLAY=:$D cat > ~/seremote << __EOF -- -2.29.0 +2.30.0 
diff --git a/0023-sepolicy-Fix-flake8-warnings-in-Fedora-only-code.patch b/0017-sepolicy-Fix-flake8-warnings-in-Fedora-only-code.patch similarity index 89% rename from 0023-sepolicy-Fix-flake8-warnings-in-Fedora-only-code.patch rename to 0017-sepolicy-Fix-flake8-warnings-in-Fedora-only-code.patch index 8924769..87458b7 100644 --- a/0023-sepolicy-Fix-flake8-warnings-in-Fedora-only-code.patch +++ b/0017-sepolicy-Fix-flake8-warnings-in-Fedora-only-code.patch @@ -1,4 +1,4 @@ -From b1f380c75f8a4ea7a4062d3735d190a1dcbc3aaa Mon Sep 17 00:00:00 2001 +From a7e9864865f3f72f51d943ff5bf684638cc7e921 Mon Sep 17 00:00:00 2001 From: Ondrej Mosnacek Date: Tue, 28 Jul 2020 14:37:13 +0200 Subject: [PATCH] sepolicy: Fix flake8 warnings in Fedora-only code @@ -20,10 +20,10 @@ Signed-off-by: Ondrej Mosnacek 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py -index f8584436960d..6a3e08fca58c 100755 +index ffcedb547993..c013c0d48502 100755 --- a/python/sepolicy/sepolicy/manpage.py +++ b/python/sepolicy/sepolicy/manpage.py -@@ -717,7 +717,7 @@ Default Defined Ports:""") +@@ -719,7 +719,7 @@ Default Defined Ports:""") for f in self.all_file_types: if f.startswith(self.domainname): flist.append(f) @@ -32,7 +32,7 @@ index f8584436960d..6a3e08fca58c 100755 flist_non_exec.append(f) if f in self.fcdict: mpaths = mpaths + self.fcdict[f]["regex"] -@@ -771,7 +771,7 @@ SELinux %(domainname)s policy is very flexible allowing users to setup their %(d +@@ -773,7 +773,7 @@ SELinux %(domainname)s policy is very flexible allowing users to setup their %(d """ % {'domainname': self.domainname, 'equiv': e, 'alt': e.split('/')[-1]}) if flist_non_exec: @@ -42,5 +42,5 @@ index f8584436960d..6a3e08fca58c 100755 .B STANDARD FILE CONTEXT -- -2.29.0 +2.30.0 
diff --git a/0024-selinux_config-5-add-a-note-that-runtime-disable-is-.patch b/0024-selinux_config-5-add-a-note-that-runtime-disable-is-.patch deleted file mode 100644 index 339cb4a..0000000 --- a/0024-selinux_config-5-add-a-note-that-runtime-disable-is-.patch +++ /dev/null @@ -1,29 +0,0 @@ -From 99450e5c391f0e5b7da9234588123edca0993794 Mon Sep 17 00:00:00 2001 -From: Ondrej Mosnacek -Date: Wed, 11 Nov 2020 17:23:40 +0100 -Subject: [PATCH] selinux_config(5): add a note that runtime disable is - deprecated - -...and refer to selinux(8), which explains it further. - -Signed-off-by: Ondrej Mosnacek ---- - policycoreutils/man/man5/selinux_config.5 | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/policycoreutils/man/man5/selinux_config.5 b/policycoreutils/man/man5/selinux_config.5 -index 1ffade150128..58b42a0e234d 100644 ---- a/policycoreutils/man/man5/selinux_config.5 -+++ b/policycoreutils/man/man5/selinux_config.5 -@@ -48,7 +48,7 @@ SELinux security policy is enforced. - .IP \fIpermissive\fR 4 - SELinux security policy is not enforced but logs the warnings (i.e. the action is allowed to proceed). - .IP \fIdisabled\fR --SELinux is disabled and no policy is loaded. -+No SELinux policy is loaded. This option was used to disable SELinux completely, which is now deprecated. Use the \fBselinux=0\fR kernel boot option instead (see \fBselinux\fR(8)). - .RE - .sp - The entry can be determined using the \fBsestatus\fR(8) command or \fBselinux_getenforcemode\fR(3). --- -2.29.2 - diff --git a/0025-python-sepolicy-allow-to-override-manpage-date.patch b/0025-python-sepolicy-allow-to-override-manpage-date.patch deleted file mode 100644 index c205e6a..0000000 --- a/0025-python-sepolicy-allow-to-override-manpage-date.patch +++ /dev/null 
@@ -1,51 +0,0 @@ -From 794dbdb6b1336cae872f45b5adaa594796e4806b Mon Sep 17 00:00:00 2001 -From: "Bernhard M. Wiedemann" -Date: Fri, 30 Oct 2020 22:53:09 +0100 -Subject: [PATCH] python/sepolicy: allow to override manpage date - -in order to make builds reproducible. -See https://reproducible-builds.org/ for why this is good -and https://reproducible-builds.org/specs/source-date-epoch/ -for the definition of this variable. - -This patch was done while working on reproducible builds for openSUSE. - -Signed-off-by: Bernhard M. Wiedemann ---- - python/sepolicy/sepolicy/manpage.py | 6 ++++-- - 1 file changed, 4 insertions(+), 2 deletions(-) - -diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py -index 6a3e08fca58c..c013c0d48502 100755 ---- a/python/sepolicy/sepolicy/manpage.py -+++ b/python/sepolicy/sepolicy/manpage.py -@@ -39,6 +39,8 @@ typealias_types = { - equiv_dict = {"smbd": ["samba"], "httpd": ["apache"], "virtd": ["virt", "libvirt"], "named": ["bind"], "fsdaemon": ["smartmon"], "mdadm": ["raid"]} - - equiv_dirs = ["/var"] -+man_date = time.strftime("%y-%m-%d", time.gmtime( -+ int(os.environ.get('SOURCE_DATE_EPOCH', time.time())))) - modules_dict = None - - -@@ -546,7 +548,7 @@ class ManPage: - - def _typealias(self,typealias): - self.fd.write('.TH "%(typealias)s_selinux" "8" "%(date)s" "%(typealias)s" "SELinux Policy %(typealias)s"' -- % {'typealias':typealias, 'date': time.strftime("%y-%m-%d")}) -+ % {'typealias':typealias, 'date': man_date}) - self.fd.write(r""" - .SH "NAME" - %(typealias)s_selinux \- Security Enhanced Linux Policy for the %(typealias)s processes -@@ -565,7 +567,7 @@ man page for more details. 
- - def _header(self): - self.fd.write('.TH "%(domainname)s_selinux" "8" "%(date)s" "%(domainname)s" "SELinux Policy %(domainname)s"' -- % {'domainname': self.domainname, 'date': time.strftime("%y-%m-%d")}) -+ % {'domainname': self.domainname, 'date': man_date}) - self.fd.write(r""" - .SH "NAME" - %(domainname)s_selinux \- Security Enhanced Linux Policy for the %(domainname)s processes --- -2.29.2 - diff --git a/policycoreutils.spec b/policycoreutils.spec index d4fd220..d327cae 100644 --- a/policycoreutils.spec +++ b/policycoreutils.spec @@ -1,7 +1,7 @@ %global libauditver 3.0 -%global libsepolver 3.1-5 -%global libsemanagever 3.1-5 -%global libselinuxver 3.1-5 +%global libsepolver 3.2-0.rc1 +%global libsemanagever 3.2-0.rc1 +%global libselinuxver 3.2-0.rc1 %global generatorsdir %{_prefix}/lib/systemd/system-generators 
@@ -10,17 +10,17 @@ Summary: SELinux policy core utilities Name: policycoreutils -Version: 3.1 -Release: 8%{?dist} +Version: 3.2 +Release: 0.rc1.1%{?dist} License: GPLv2 # https://github.com/SELinuxProject/selinux/wiki/Releases -Source0: https://github.com/SELinuxProject/selinux/releases/download/20200710/policycoreutils-3.1.tar.gz -Source1: https://github.com/SELinuxProject/selinux/releases/download/20200710/selinux-python-3.1.tar.gz -Source2: https://github.com/SELinuxProject/selinux/releases/download/20200710/selinux-gui-3.1.tar.gz -Source3: https://github.com/SELinuxProject/selinux/releases/download/20200710/selinux-sandbox-3.1.tar.gz -Source4: https://github.com/SELinuxProject/selinux/releases/download/20200710/selinux-dbus-3.1.tar.gz -Source5: https://github.com/SELinuxProject/selinux/releases/download/20200710/semodule-utils-3.1.tar.gz -Source6: https://github.com/SELinuxProject/selinux/releases/download/20200710/restorecond-3.1.tar.gz +Source0: https://github.com/SELinuxProject/selinux/releases/download/3.2-rc1/policycoreutils-3.2-rc1.tar.gz +Source1: https://github.com/SELinuxProject/selinux/releases/download/3.2-rc1/selinux-python-3.2-rc1.tar.gz +Source2: https://github.com/SELinuxProject/selinux/releases/download/3.2-rc1/selinux-gui-3.2-rc1.tar.gz +Source3: https://github.com/SELinuxProject/selinux/releases/download/3.2-rc1/selinux-sandbox-3.2-rc1.tar.gz +Source4: https://github.com/SELinuxProject/selinux/releases/download/3.2-rc1/selinux-dbus-3.2-rc1.tar.gz +Source5: https://github.com/SELinuxProject/selinux/releases/download/3.2-rc1/semodule-utils-3.2-rc1.tar.gz +Source6: https://github.com/SELinuxProject/selinux/releases/download/3.2-rc1/restorecond-3.2-rc1.tar.gz URL: https://github.com/SELinuxProject/selinux Source13: system-config-selinux.png Source14: sepolicy-icons.tgz 
@@ -34,34 +34,26 @@ Source21: python-po.tgz Source22: gui-po.tgz Source23: sandbox-po.tgz # https://github.com/fedora-selinux/selinux -# $ git format-patch -N 20200710 -- policycoreutils python gui sandbox dbus semodule-utils restorecond +# $ git format-patch -N 3.2-rc1 -- policycoreutils python gui sandbox dbus semodule-utils restorecond # $ for j in [0-9]*.patch; do printf "Patch%s: %s\n" ${j/-*/} $j; done # Patch list start -Patch0001: 0001-python-audit2allow-add-include-limits.h-to-sepolgen-.patch -Patch0002: 0002-restorecond-Set-X-GNOME-HiddenUnderSystemd-true-in-r.patch -Patch0003: 0003-fixfiles-correctly-restore-context-of-mountpoints.patch -Patch0004: 0004-sepolgen-print-extended-permissions-in-hexadecimal.patch -Patch0005: 0005-sepolgen-sort-extended-rules-like-normal-ones.patch -Patch0006: 0006-newrole-support-cross-compilation-with-PAM-and-audit.patch -Patch0007: 0007-sandbox-add-reset-to-Xephyr-as-it-works-better-with-.patch -Patch0008: 0008-Fix-STANDARD_FILE_CONTEXT-section-in-man-pages.patch -Patch0009: 0009-If-there-is-no-executable-we-don-t-want-to-print-a-p.patch -Patch0010: 0010-Simplication-of-sepolicy-manpage-web-functionality.-.patch -Patch0011: 0011-We-want-to-remove-the-trailing-newline-for-etc-syste.patch -Patch0012: 0012-Fix-title-in-manpage.py-to-not-contain-online.patch -Patch0013: 0013-Don-t-be-verbose-if-you-are-not-on-a-tty.patch -Patch0014: 0014-sepolicy-Drop-old-interface-file_type_is_executable-.patch -Patch0015: 0015-sepolicy-Another-small-optimization-for-mcs-types.patch -Patch0016: 0016-Move-po-translation-files-into-the-right-sub-directo.patch -Patch0017: 0017-Use-correct-gettext-domains-in-python-gui-sandbox.patch -Patch0018: 0018-Initial-.pot-files-for-gui-python-sandbox.patch -Patch0019: 0019-policycoreutils-setfiles-Improve-description-of-d-sw.patch -Patch0020: 0020-sepolicy-generate-Handle-more-reserved-port-types.patch -Patch0021: 0021-semodule-utils-Fix-RESOURCE_LEAK-coverity-scan-defec.patch -Patch0022: 
0022-sandbox-Use-matchbox-window-manager-instead-of-openb.patch -Patch0023: 0023-sepolicy-Fix-flake8-warnings-in-Fedora-only-code.patch -Patch0024: 0024-selinux_config-5-add-a-note-that-runtime-disable-is-.patch -Patch0025: 0025-python-sepolicy-allow-to-override-manpage-date.patch +Patch0001: 0001-sandbox-add-reset-to-Xephyr-as-it-works-better-with-.patch +Patch0002: 0002-Fix-STANDARD_FILE_CONTEXT-section-in-man-pages.patch +Patch0003: 0003-If-there-is-no-executable-we-don-t-want-to-print-a-p.patch +Patch0004: 0004-Simplication-of-sepolicy-manpage-web-functionality.-.patch +Patch0005: 0005-We-want-to-remove-the-trailing-newline-for-etc-syste.patch +Patch0006: 0006-Fix-title-in-manpage.py-to-not-contain-online.patch +Patch0007: 0007-Don-t-be-verbose-if-you-are-not-on-a-tty.patch +Patch0008: 0008-sepolicy-Drop-old-interface-file_type_is_executable-.patch +Patch0009: 0009-sepolicy-Another-small-optimization-for-mcs-types.patch +Patch0010: 0010-Move-po-translation-files-into-the-right-sub-directo.patch +Patch0011: 0011-Use-correct-gettext-domains-in-python-gui-sandbox.patch +Patch0012: 0012-Initial-.pot-files-for-gui-python-sandbox.patch +Patch0013: 0013-policycoreutils-setfiles-Improve-description-of-d-sw.patch +Patch0014: 0014-sepolicy-generate-Handle-more-reserved-port-types.patch +Patch0015: 0015-semodule-utils-Fix-RESOURCE_LEAK-coverity-scan-defec.patch +Patch0016: 0016-sandbox-Use-matchbox-window-manager-instead-of-openb.patch +Patch0017: 0017-sepolicy-Fix-flake8-warnings-in-Fedora-only-code.patch # Patch list end Obsoletes: policycoreutils < 2.0.61-2 @@ -107,7 +99,7 @@ to switch roles. %autosetup -S git -N -T -D -a 6 -n selinux for i in *; do - git mv $i ${i/-%{version}/} + git mv $i ${i/-%{version}-rc1/} git commit -q --allow-empty -a --author 'rpm-build ' -m "$i -> ${i/-%{version}/}" done 
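Review bot: In the `%prep` loop the `git commit` message is still built with `${i/-%{version}/}`, while the `git mv` above it now strips `-%{version}-rc1`. Assuming the unpacked directories are named like the tarballs, each commit will record a target such as `policycoreutils-rc1` instead of the directory that was actually created. Both places should use the same expansion, for example `-m "$i -> ${i/-%{version}-rc1/}"`. The `-rc1` suffix is also hard-coded here, in the seven Source URLs and in the `git format-patch -N 3.2-rc1` comment, so a single macro for the pre-release tag would keep them from drifting apart on the next bump. The `%prep` section starts and ends outside this hunk.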
@@ -132,7 +124,7 @@ tar -x -f %{SOURCE23} -C sandbox -z %set_build_flags export PYTHON=%{__python3} -make -C policycoreutils LSPP_PRIV=y SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" SEMODULE_PATH="/usr/sbin" LIBSEPOLA="%{_libdir}/libsepol.a" all +make -C policycoreutils SBINDIR="%{_sbindir}" LSPP_PRIV=y LIBDIR="%{_libdir}" SEMODULE_PATH="/usr/sbin" LIBSEPOLA="%{_libdir}/libsepol.a" all make -C python SBINDIR="%{_sbindir}" LSPP_PRIV=y LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" all make -C gui SBINDIR="%{_sbindir}" LSPP_PRIV=y LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" all make -C sandbox SBINDIR="%{_sbindir}" LSPP_PRIV=y LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" all @@ -539,6 +531,9 @@ The policycoreutils-restorecond package contains the restorecond service. %systemd_postun_with_restart restorecond.service %changelog +* Wed Jan 20 2021 Petr Lautrbach - 3.2-0.rc1.1 +- SELinux userspace 3.2-rc1 release + * Tue Nov 24 2020 Petr Lautrbach - 3.1-8 - Fix BuildRequires to libsemanage-devel diff --git a/sources b/sources index 1248b72..00d999e 100644 --- a/sources +++ b/sources 
@@ -1,10 +1,10 @@
-SHA512 (policycoreutils-3.1.tar.gz) = 0592f218563a99ba95d2cfd07fdc3761b61c1cc3c01a17ab89ad840169e1a7d4083521d5cacc72d1b76911d516bf592db7a3f90d9ef0cc11ceed007e4580e140
-SHA512 (restorecond-3.1.tar.gz) = cdcf299f48b89a7c641ded9507b9b966bf648497394f8e988a9cb1ceb3224c86369706027f3416a4f9750836f7a8f4580a4b3df76673e03f897b383d7ed0e2c8
-SHA512 (selinux-dbus-3.1.tar.gz) = d5e1715539ec9aeef2285fc141617b7c25f39ddacc3968d2d19722553b97b873632545a2c7002faef44b671604b2cfca52e9624c57cedbae64d616a080cc955f
-SHA512 (selinux-gui-3.1.tar.gz) = c8bd618da3bd1dcc8aeb470e8410765ea7d38e861b0be78aaddaa5384ec3de12d364de1b63e2d9e3262e1179463f0ee78cb60f11ab72c996899bd72af137ae7c
-SHA512 (selinux-python-3.1.tar.gz) = 5dd98f77ae8ea8bac6a89ec7def76e12496b9a9f8c9612c4cc1dac7a8e8c60380a00c857426bfefbcb4273706addd2594e9b467f69408ef284f082a09d45bd49
-SHA512 (selinux-sandbox-3.1.tar.gz) = e9a772c720704de3fc33a70316780d5995442a1e25ba7df6dc68dd7b7a4eb59dfd2b68e4576051053fe81fbea207fcb1648baad3ea2d56d5b3005e9ca4b8ceb7
-SHA512 (semodule-utils-3.1.tar.gz) = b92794bbfbce5834ee7f62fddb40b5506e9291e8fa7c5d669b2e281089b8f8dc40c4522ea287ac5deffdaee751442ba8e691e2ac45fdd378b60d5d6b2527d157
+SHA512 (policycoreutils-3.2-rc1.tar.gz) = 91e1660542c1c050ecae3319c2227833ccab16ddb2a6a066c92598b565aafcf2d753f50ec0a7a6bc08c8e8f579d65429acf7443ad058ee1d5ab29e6340023d89
+SHA512 (restorecond-3.2-rc1.tar.gz) = 34b39dfb160518e725127920898fde38aa9fc8783090836f9601c6b791fc5c29e89f7b291dad7703e30d0bbbd65761533266e6749fd1bbe05f3c95324a99b255
+SHA512 (selinux-dbus-3.2-rc1.tar.gz) = e568950980d88608f236d222ecd59d1f12b64704a5dc262cdb5eb23fc6b2916ab0be06ea0c53ec51f174efa4ca9cccbd47a6fb4e7d7de7debd81d328d4c7bdb4
+SHA512 (selinux-gui-3.2-rc1.tar.gz) = 71a28e44adb73677c2b7b8ba8cfcf04396a3332a9596b7260e19a5a6a1eddfb14ec2e93fa8851cdb94e2e61f8bcfee9134cb8dc073c339de8d10e1b57439588c
+SHA512 (selinux-python-3.2-rc1.tar.gz) = 5996fe9e28f41b8a25e625352f0c16d1858e730aae20b590825c599e57a2c3e4288441c16759bfcadc76469d2d4b613b5e19a04ed9ea36c27205112fe2b4341c
+SHA512 (selinux-sandbox-3.2-rc1.tar.gz) = 192e8f526e5d3144ce9eb7e07076011eb3b6984edbd7d3ad885d69a0cd2dd0afbd720f960f1ad5df422e48d48f23800e4cf61fccc8384b07a156c1c48d9677ba
+SHA512 (semodule-utils-3.2-rc1.tar.gz) = 9e46ea1af299c272017847dd8b3bbb827af2bc685ab536a9020cf58c75f58c335b9502a135ee1a65bf21cfa5d8571840ecb3587e701e96b92b5453dada97a04d
 SHA512 (gui-po.tgz) = 8e0855256b825eea422b8e2b82cc0decf66b902c9930840905c5ad5dda7bef3679943a22db62709907d48f8a331d67edc5efed3e2638b53e379959b14077b4ea
 SHA512 (policycoreutils-po.tgz) = 66b908f7a167225bebded46f9cf92f42eb194daa2a083d48de43c2a5d33fa42724c5add0a9d029ac9d62c500f6f1c8d3bc138dd598b1fd97e609d7cc7160be72
 SHA512 (python-po.tgz) = 7f2a082b77c7b4417d5d3dac35d86dd635635a9c05a80e5f9284d03604e2f2a06ec879fb29b056d1a46d3fc448cd76e6fd25196834c18a161fd6677f2e11b2be