From 205e3429b93ffca19b54e425914aa2c0417d9496 Mon Sep 17 00:00:00 2001 From: Dan Walsh Date: Thu, 31 Jan 2013 13:58:25 -0500 Subject: [PATCH] Reorginize sepolicy so all get_all functions are in main module - Add -B capability to fixfiles onboot and fixfiles restore, basically searches for all files created since the last boot. --- policycoreutils-rhat.patch | 391 +++++++++++++++++++++---------------- policycoreutils.spec | 6 +- 2 files changed, 228 insertions(+), 169 deletions(-) diff --git a/policycoreutils-rhat.patch b/policycoreutils-rhat.patch index 8428893..8a940b1 100644 --- a/policycoreutils-rhat.patch +++ b/policycoreutils-rhat.patch @@ -96,7 +96,7 @@ index 1464971..b5abbb9 100644 clean: diff --git a/policycoreutils/gui/domainsPage.py b/policycoreutils/gui/domainsPage.py -index 03451b6..91c88a8 100644 +index 03451b6..6af1e9a 100644 --- a/policycoreutils/gui/domainsPage.py +++ b/policycoreutils/gui/domainsPage.py @@ -26,7 +26,7 @@ import sys @@ -104,7 +104,7 @@ index 03451b6..91c88a8 100644 import selinux from semanagePage import *; -import polgen -+from sepolicy.generate import get_all_domains ++from sepolicy import get_all_entrypoint_domains ## ## I18N @@ -113,7 +113,7 @@ index 03451b6..91c88a8 100644 self.enforcing_button = xml.get_widget("enforcingButton") - self.domains=polgen.get_all_domains() -+ self.domains=get_all_domains() ++ self.domains=get_all_entrypoint_domains() self.load() def get_modules(self): @@ -336583,14 +336583,15 @@ index 4ba51bf..6673f00 100644 +"services." msgstr "" diff --git a/policycoreutils/restorecond/restorecond.conf b/policycoreutils/restorecond/restorecond.conf -index f133755..cfe851e 100644 +index f133755..c64e747 100644 --- a/policycoreutils/restorecond/restorecond.conf +++ b/policycoreutils/restorecond/restorecond.conf -@@ -1,7 +1,6 @@ +@@ -1,7 +1,7 @@ /etc/services /etc/resolv.conf /etc/samba/secrets.tdb -/etc/mtab* ++/etc/updatedb.conf /var/run/utmp /var/log/wtmp /root/* 
@@ -336836,18 +336837,47 @@ index e08088e..201a988 100644 install: all -mkdir -p $(BINDIR) diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles -index 989b1ae..23ab94d 100755 +index 989b1ae..6901e4d 100755 --- a/policycoreutils/scripts/fixfiles +++ b/policycoreutils/scripts/fixfiles -@@ -114,6 +114,7 @@ exclude_dirs() { +@@ -103,7 +103,7 @@ exclude_dirs_from_relabelling() { + + exclude_dirs() { + exclude= +- for i in /var/lib/BackupPC /home /tmp /dev; do ++ for i in /sys /proc /dev /run /mnt /var/tmp /var/lib/BackupPC /home /tmp /dev; do + [ -e $i ] && exclude="$exclude -e $i"; + done + exclude="$exclude `exclude_dirs_from_relabelling`" +@@ -114,6 +114,9 @@ exclude_dirs() { # Set global Variables # fullFlag=0 ++BOOTTIME="" ++FORCEFLAG="" +VERBOSE="-p" FORCEFLAG="" DIRS="" RPMILES="" -@@ -176,7 +177,7 @@ if [ -f ${PREFC} -a -x /usr/bin/diff ]; then +@@ -144,6 +147,17 @@ if [ -n $LOGFILE ]; then + fi + } + # ++# Find files newer then the passed in date and fix the label ++# ++newer() { ++ DATE=$1 ++ for m in `echo $FILESYSTEMSRW`; do ++ find $m -mount -newermt $DATE -print0 2>/dev/null | ${RESTORECON} ${VERBOSE} -i -0 -f - ++ done; ++ ++} ++ ++# + # Compare PREVious File Context to currently installed File Context and + # run restorecon on all files affected by the differences. + # +@@ -176,7 +190,7 @@ if [ -f ${PREFC} -a -x /usr/bin/diff ]; then esac; \ fi; \ done | \ @@ -336856,8 +336886,14 @@ index 989b1ae..23ab94d 100755 rm -f ${TEMPFILE} ${PREFCTEMPFILE} fi } -@@ -206,12 +207,12 @@ if [ ! -z "$PREFC" ]; then +@@ -204,14 +218,18 @@ if [ ! -z "$PREFC" ]; then + diff_filecontext $* + exit $? fi ++if [ ! -z "$BOOTTIME" ]; then ++ newer $BOOTTIME ++ exit $? ++fi if [ ! -z "$RPMFILES" ]; then for i in `echo "$RPMFILES" | sed 's/,/ /g'`; do - rpmlist $i | ${RESTORECON} ${FORCEFLAG} $* -R -i -f - 2>&1 | cat >> $LOGFILE 
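Review bot: `newer()` selects files with `find $m -mount -newermt $DATE`, i.e. by modification time, and mtime is settable by any file owner through utimes/`touch -d`, so a file created since boot but given a backdated timestamp is skipped and keeps whatever label it has; ctime cannot be set that way and also ticks on every chmod/chown/relabel, so `-newerct` is the safer criterion for "created or changed since boot". `$DATE` is also unquoted, which breaks as soon as -N is given a value containing a space (a `YYYY-MM-DD HH:MM` timestamp), and the restorecon pipeline omits `${FORCEFLAG}`, so `fixfiles -F -B restore` silently ignores -F while every other restore path in this script passes it. Suggested line: `find "$m" -mount -newerct "$DATE" -print0 2>/dev/null | ${RESTORECON} ${FORCEFLAG} ${VERBOSE} -i -0 -f -`. The exclude_dirs list in the same hunk names `/dev` twice and `FORCEFLAG=""` is now initialised twice; both harmless, both worth tidying.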
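Review bot: The new `-B`/`-N` branch runs `newer $BOOTTIME` unquoted and then `exit $?`, so a timestamp containing a space is split into two arguments to `newer`, and the exit status is only that of the last filesystem's pipeline (the `for` loop in `newer()` returns its last iteration's status), so a failure on an earlier mount point is reported as success. It is also checked before `$RPMFILES` and the explicit-directory handling, so `fixfiles -B -R pkg restore` silently ignores -R; either reject the combination during option parsing or document the precedence in usage(). Suggested: `newer "$BOOTTIME"`, with `newer()` accumulating `rc=$((rc | $?))` per iteration and ending in `return $rc`. The enclosing function (restore, going by the `$PREFC`/`$RPMFILES` context) starts before this hunk.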
@@ -336871,7 +336907,7 @@ index 989b1ae..23ab94d 100755 return fi [ -x /usr/sbin/genhomedircon ] && /usr/sbin/genhomedircon -@@ -235,7 +236,7 @@ FC=$TEMPFCFILE +@@ -235,7 +253,7 @@ FC=$TEMPFCFILE fi if [ -n "${FILESYSTEMSRW}" ]; then echo "Relabeling `echo ${FILESYSTEMSRW}`" @@ -336880,7 +336916,7 @@ index 989b1ae..23ab94d 100755 else echo >&2 "fixfiles: No suitable file systems found" fi -@@ -286,12 +287,12 @@ process() { +@@ -286,12 +304,16 @@ process() { # Make sure they specified one of the three valid commands # case "$1" in @@ -336891,17 +336927,25 @@ index 989b1ae..23ab94d 100755 relabel) relabel;; onboot) - touch /.autorelabel -+ echo $FORCEFLAG > /.autorelabel ++ > /.autorelabel ++ [ -z "$FORCEFLAG" ] || echo -n "$FORCEFLAG " >> /.autorelabel ++ [ -z "$BOOTTIME" ] || echo -N $BOOTTIME >> /.autorelabel ++ # Force full relabel if / does not have a label on it ++ getfilecon / > /dev/null 2>&1 || echo -F >/.autorelabel echo "System will relabel on next boot" ;; *) -@@ -317,11 +318,14 @@ if [ $# = 0 ]; then +@@ -317,11 +339,18 @@ if [ $# = 0 ]; then fi # See how we were called. -while getopts "C:FfR:l:" i; do -+while getopts "C:FfR:l:v" i; do ++while getopts "N:BC:FfR:l:v" i; do case "$i" in ++ B) ++ BOOTTIME=`/bin/who -b | awk '{print $3}'` ++ echo $BOOTTIME ++ ;; f) fullFlag=1 ;; @@ -336911,6 +336955,16 @@ index 989b1ae..23ab94d 100755 R) RPMFILES=$OPTARG ;; +@@ -334,6 +363,9 @@ while getopts "C:FfR:l:" i; do + F) + FORCEFLAG="-F" + ;; ++ N) ++ BOOTTIME=$OPTARG ++ ;; + *) + usage + exit 1 diff --git a/policycoreutils/scripts/fixfiles.8 b/policycoreutils/scripts/fixfiles.8 index 0b4cbaa..9ab7334 100644 --- a/policycoreutils/scripts/fixfiles.8 @@ -340156,7 +340210,7 @@ index 0000000..4693bb4 +} diff --git a/policycoreutils/sepolicy/sepolicy-bash-completion.sh b/policycoreutils/sepolicy/sepolicy-bash-completion.sh new file mode 100644 -index 0000000..28b6767 +index 0000000..82fea52 --- /dev/null +++ b/policycoreutils/sepolicy/sepolicy-bash-completion.sh 
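Review bot: The `getfilecon / > /dev/null 2>&1 || echo -F >/.autorelabel` line in the onboot case depends on a `getfilecon` command that I cannot find in libselinux-utils or policycoreutils (getfilecon is the libselinux C/Python API name, not a shipped binary as far as I can tell); if no such command is on PATH the test fails on every system and `-F` is written over whatever -N/-B just recorded, so the new boot-time mode is never reachable through `fixfiles onboot`. A check that does exist, e.g. `getfattr -n security.selinux --absolute-names / >/dev/null 2>&1 || echo -F >/.autorelabel` (attr package), gives the intended behaviour; please confirm which tool the package may depend on. `echo -N $BOOTTIME` should quote `"$BOOTTIME"` so a date-plus-time value is written as one token, and the `>` on the -F line intentionally discards the flags written just above it — a comment saying so (`# a full relabel supersedes -N/-B`) would save the next reader a double-take. The `process()` case statement continues outside the hunk.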
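Review bot: The `B)` case captures only the date column of `who -b` (`awk '{print $3}'`; the time is `$4`), so the cut-off handed to find is midnight of boot day rather than the boot itself, and the `echo $BOOTTIME` on the next line is a debug print that now lands in the command's stdout. `who -b` also depends on a boot record in utmp; where nothing wrote one, BOOTTIME is empty and the restore branch is silently skipped, so the option should fail loudly in that case. Suggested: `BOOTTIME=$(/bin/who -b | awk '{print $3"T"$4}')`, then `[ -n "$BOOTTIME" ] || { echo >&2 "fixfiles: cannot determine boot time"; exit 1; }`, and drop the echo; the `T` form is ISO 8601, which GNU find's `-newerXt` accepts through the same date parser as `date -d`, and it keeps the value a single shell word, which the unquoted `$BOOTTIME`/`$DATE` uses elsewhere in this script need. usage() and fixfiles.8 are not in this hunk; make sure -B and -N are documented there.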
@@ -0,0 +1,190 @@ @@ -340207,6 +340261,9 @@ index 0000000..28b6767 +__get_all_user_domains () { + seinfo -auserdomain -x 2> /dev/null | tail -n +2 +} ++__get_all_users () { ++ seinfo -u 2> /dev/null | tail -n +2 ++} +__get_all_classes () { + seinfo -c 2> /dev/null | tail -n +2 +} @@ -340219,9 +340276,6 @@ index 0000000..28b6767 +__get_all_domains () { + seinfo -adomain -x 2>/dev/null | sed 's/_t$//g' +} -+__get_all_generate_types () { -+ seinfo -agenerate_type -x 2>/dev/null | tail -n +2 -+} +_sepolicy () { + local command=${COMP_WORDS[1]} + local cur=${COMP_WORDS[COMP_CWORD]} prev=${COMP_WORDS[COMP_CWORD-1]} @@ -340241,7 +340295,7 @@ index 0000000..28b6767 + local -A OPTS=( + [booleans]='-h --help -p --path -a -all -b --boolean' + [communicate]='-h --help -s --source -t --target -c --class -S --sourceaccess -T --targetaccess' -+ [generate]='-a --admin --admin_user --application --cgi --confined_admin --customize -d --domain --dbus --desktop_user -h --help --inetd --init -n --name --newuser -p --path --sandbox -T --test --term_user -u --user -w --writepath --x_user' ++ [generate]='-a --admin --admin_user --application --cgi --confined_admin --customize -d --domain --dbus --desktop_user -h --help --inetd --init -n --name --newtype -p --path --sandbox -T --test --term_user -u --user -w --writepath --x_user' + [interface]='-h --help -a --list_admin" -u --list_user -l --list' + [manpage]='-h --help -p --path -a -all -o --os -d --domain -w --web' + [network]='-h --help -d --domain -l --list -p --port -t --type ' @@ -340302,7 +340356,7 @@ index 0000000..28b6767 + COMPREPLY=( $(compgen -W "$( __get_all_admin_interaces ) " -- "$cur") ) + return 0 + elif [ "$prev" = "--user" -o "$prev" = "-u" ]; then -+ COMPREPLY=( $(compgen -W "$( __get_all_user_domains ) " -- "$cur") ) ++ COMPREPLY=( $(compgen -W "$( __get_all_users ) " -- "$cur") ) + return 0 + elif [[ "$cur" == "$verb" || "$cur" == "" || "$cur" == -* ]]; then + COMPREPLY=( $(compgen -W '${OPTS[$verb]}' -- "$cur") ) 
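Review bot: The `[interface]` entry in the OPTS table, two lines below the changed `[generate]` line, contains a stray double quote — `'-h --help -a --list_admin" -u --list_user -l --list'` — so `compgen` offers `--list_admin"` as a completion word. Change it to `[interface]='-h --help -a --list_admin -u --list_user -l --list'`. The `--newuser` to `--newtype` rename is consistent with the NEWTYPE constant the generate parser imports, assuming that parser's option is spelled `--newtype`; that line is not in this diff.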
@@ -340793,10 +340847,10 @@ index 0000000..0748ca9 +selinux(8), sepolicy-booleans(8), sepolicy-communicate(8), sepolicy-generate(8), sepolicy-interface(8), sepolicy-network(8), sepolicy-manpage(8), sepolicy-transition(8) diff --git a/policycoreutils/sepolicy/sepolicy.py b/policycoreutils/sepolicy/sepolicy.py new file mode 100755 -index 0000000..154369d +index 0000000..b25d3b2 --- /dev/null +++ b/policycoreutils/sepolicy/sepolicy.py -@@ -0,0 +1,470 @@ +@@ -0,0 +1,471 @@ +#! /usr/bin/python -Es +# Copyright (C) 2012 Red Hat +# AUTHOR: Dan Walsh @@ -340863,7 +340917,7 @@ index 0000000..154369d + + if isinstance(values,str): + if values not in domains: -+ raise ValueError("%s must be an SELinux process domain" % values) ++ raise ValueError("%s must be an SELinux process domain:\nValid domains: %s" % (values, ", ".join(domains))) + setattr(namespace, self.dest, values) + else: + newval = getattr(namespace, self.dest) @@ -340872,7 +340926,7 @@ index 0000000..154369d + + for v in values: + if v not in domains: -+ raise ValueError("%s must be an SELinux process domain" % values) ++ raise ValueError("%s must be an SELinux process domain:\nValid domains: %s" % (v, ", ".join(domains))) + newval.append(v) + setattr(namespace, self.dest, newval) + @@ -340884,7 +340938,8 @@ index 0000000..154369d + if not all_classes: + all_classes = map(lambda x: x['name'], sepolicy.info(sepolicy.TCLASS)) + if values not in all_classes: -+ raise ValueError("%s must be an SELinux process domain" % values) ++ raise ValueError("%s must be an SELinux class:\nValid classes: %s" % (values, ", ".join(all_classes))) ++ + setattr(namespace, self.dest, values) + +class CheckAdmin(argparse.Action): 
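Review bot: The enlarged message `"%s must be an SELinux process domain:\nValid domains: %s" % (values, ", ".join(domains))` is raised as a ValueError from inside an argparse Action; argparse only turns ArgumentError into a usage message, so unless the caller wraps parse_args (main is not in this part of the diff) a bad `-d` ends in a traceback rather than a clean error, and `parser.error(msg)` or `raise argparse.ArgumentError(self, msg)` is the conventional exit from an Action. If `domains` is the `domain` attribute's type list, as `sepolicy.get_all_domains()` returns, it holds several hundred names and the "Valid domains:" tail turns one bad argument into a multi-kilobyte wall of text; printing the count and pointing at a listing command (or `textwrap.fill`) keeps it readable. The same applies to the sibling CheckClass/CheckAdmin/CheckPortType/CheckUser messages changed in this patch.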
@@ -340895,7 +340950,7 @@ index 0000000..154369d + newval = [] + admins = get_admin() + if values not in admins: -+ raise ValueError("%s must be an SELinux admin domain" % values) ++ raise ValueError("%s must be an SELinux admin domain:\nValid admin domains: %s" % (values, ", ".join(admins))) + newval.append(values) + setattr(namespace, self.dest, newval) + @@ -340918,7 +340973,7 @@ index 0000000..154369d + newval = [] + for v in values: + if v not in port_types: -+ raise ValueError("%s must be an SELinux port type" % values) ++ raise ValueError("%s must be an SELinux port type:\nValid port types: %s" % (v, ", ".join(port_types))) + newval.append(v) + setattr(namespace, self.dest, values) + @@ -340938,13 +340993,13 @@ index 0000000..154369d + +class CheckUser(argparse.Action): + def __call__(self, parser, namespace, value, option_string=None): -+ from sepolicy.generate import get_all_users ++ from sepolicy import get_all_users + newval = getattr(namespace, self.dest) + if not newval: + newval = [] + users = get_all_users() + if value not in users: -+ raise ValueError("%s must be an SELinux user" % value) ++ raise ValueError("%s must be an SELinux user:\nValid users: %s" % (value, ", ".join(users))) + newval.append(value) + setattr(namespace, self.dest, newval) + 
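Review bot: CheckPortType validates each `v` into `newval` but then stores the raw input with `setattr(namespace, self.dest, values)` (last line of the hunk), so the accumulated list is thrown away and a second `-t` on the command line replaces the first instead of extending it, unlike CheckDomain and CheckUser in the same file. It should read `setattr(namespace, self.dest, newval)`. The message fix in this hunk (`v` instead of `values`) is right.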
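Review bot: CheckUser now validates against `sepolicy.get_all_users()`, which returns every SELinux user including `system_u`, whereas the `sepolicy.generate.get_all_users()` it replaces (still present after this patch) removes `system_u`; so `sepolicy generate -u system_u ...` is now accepted and a transition for the system identity can be generated. If that is not intended, filter it here — `if value not in users or value == "system_u":` — or keep calling the generate-module variant; either way the two same-named functions should be reconciled so callers do not get different answers depending on the import path.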
@@ -341179,13 +341234,13 @@ index 0000000..154369d + from sepolicy.generate import DAEMON, get_poltype_desc, poltype, DAEMON, DBUS, INETD, CGI, SANDBOX, USER, EUSER, TUSER, XUSER, LUSER, AUSER, RUSER, NEWTYPE + pol = parser.add_parser("generate", + help=_('Generate SELinux Policy module template')) -+ pol.add_argument("-d", "--domain", dest="domain", -+ action=CheckDomain, default=None, ++ pol.add_argument("-d", "--domain", dest="domain", default=[], ++ action=CheckDomain, nargs="*", + help=_("Enter domain type which you will be extending")) -+ pol.add_argument("-u", "--user", dest="user", ++ pol.add_argument("-u", "--user", dest="user", default=[], + action=CheckUser, + help=_("Enter SELinux user(s) which will transition to this domain")) -+ pol.add_argument("-a", "--admin", dest="admin_domain", ++ pol.add_argument("-a", "--admin", dest="admin_domain",default=[], + action=CheckAdmin, + help=_("Enter domain(s) that this confined admin will administrate")) + pol.add_argument("-n", "--name", dest="name", @@ -341269,10 +341324,10 @@ index 0000000..154369d + sys.exit(0) diff --git a/policycoreutils/sepolicy/sepolicy/__init__.py b/policycoreutils/sepolicy/sepolicy/__init__.py new file mode 100644 -index 0000000..68be859 +index 0000000..5e7415c --- /dev/null +++ b/policycoreutils/sepolicy/sepolicy/__init__.py -@@ -0,0 +1,159 @@ +@@ -0,0 +1,250 @@ +#!/usr/bin/python + +# Author: Thomas Liu 
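Review bot: `-d/--domain` now takes `nargs="*"`, which also accepts a bare `-d` with no value and stores `[]`; `nargs="+"` is the form that means "one or more" and turns that case into a usage error instead of letting generation proceed without a domain. With a list always arriving, the `isinstance(values, str)` branch of CheckDomain is unused from this parser, which is fine as long as other subparsers still pass scalars. `default=[]` is shared across parses, but CheckDomain/CheckUser/CheckAdmin each build a fresh list before appending, so nothing accumulates between calls — worth keeping it that way.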
@@ -341322,6 +341377,97 @@ index 0000000..68be859 + pass + raise ValueError(_("No SELinux Policy installed")) + ++all_types = None ++def get_all_types(): ++ global all_types ++ if all_types == None: ++ all_types = map(lambda x: x['name'], info(TYPE)) ++ return all_types ++ ++role_allows = None ++def get_all_role_allows(): ++ global role_allows ++ if role_allows: ++ return role_allows ++ role_allows = {} ++ for r in search([ROLE_ALLOW]): ++ if r["source"] == "system_r" or r["target"] == "system_r": ++ continue ++ if r["source"] in role_allows: ++ role_allows[r["source"]].append(r["target"]) ++ else: ++ role_allows[r["source"]] = [ r["target"] ] ++ ++ return role_allows ++ ++def get_all_entrypoint_domains(): ++ all_domains = [] ++ types=get_all_types() ++ types.sort() ++ for i in types: ++ m = re.findall("(.*)%s" % "_exec_t$", i) ++ if len(m) > 0: ++ if len(re.findall("(.*)%s" % "_initrc$", m[0])) == 0 and m[0] not in all_domains: ++ all_domains.append(m[0]) ++ return all_domains ++ ++all_domains = None ++def get_all_domains(): ++ global all_domains ++ if not all_domains: ++ all_domains = info(ATTRIBUTE,"domain")[0]["types"] ++ return all_domains ++ ++roles = None ++def get_all_roles(): ++ global roles ++ if roles: ++ return roles ++ roles = map(lambda x: x['name'], info(ROLE)) ++ roles.remove("object_r") ++ roles.sort() ++ return roles ++ ++users = None ++def get_all_users(): ++ global users ++ if users: ++ return users ++ users = map(lambda x: x['name'], info(USER)) ++ return users ++ ++file_types = None ++def get_all_file_types(): ++ global file_types ++ if file_types: ++ return file_types ++ file_types = info(ATTRIBUTE,"file_type")[0]["types"] ++ file_types.sort() ++ return file_types ++ ++port_types = None ++def get_all_port_types(): ++ global port_types ++ if port_types: ++ return port_types ++ port_types = info(ATTRIBUTE,"port_type")[0]["types"] ++ port_types.sort() ++ return port_types ++ ++bools = None ++def get_all_bools(): ++ global bools ++ if not bools: 
++ bools = info(BOOLEAN) ++ return bools ++ ++all_attributes = None ++def get_all_attributes(): ++ global all_attributes ++ if not all_attributes: ++ all_attributes = map(lambda x: x['name'], info(ATTRIBUTE)) ++ return all_attributes ++ +def policy(policy_file): + try: + _policy.policy(policy_file) @@ -341536,10 +341682,10 @@ index 0000000..a179d95 + diff --git a/policycoreutils/sepolicy/sepolicy/generate.py b/policycoreutils/sepolicy/sepolicy/generate.py new file mode 100644 -index 0000000..6c5e482 +index 0000000..26f8390 --- /dev/null +++ b/policycoreutils/sepolicy/sepolicy/generate.py -@@ -0,0 +1,1378 @@ +@@ -0,0 +1,1354 @@ +#!/usr/bin/python -Es +# +# Copyright (C) 2007-2012 Red Hat @@ -341566,6 +341712,7 @@ index 0000000..6c5e482 +import os, sys, stat +import re +import sepolicy ++from sepolicy import get_all_types, get_all_attributes, get_all_roles +import time +import yum + @@ -341643,13 +341790,6 @@ index 0000000..6c5e482 + + return nvr + -+all_types = None -+def get_all_types(): -+ global all_types -+ if all_types == None: -+ all_types = map(lambda x: x['name'], sepolicy.info(sepolicy.TYPE)) -+ return all_types -+ +def get_all_ports(): + dict = {} + for p in sepolicy.info(sepolicy.PORT): 
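Review bot: `get_all_entrypoint_domains()` calls `types = get_all_types()` and then `types.sort()`, which sorts the module-level cache in place (get_all_types returns the shared list, not a copy) and so silently changes the order every other caller sees afterwards; `types = sorted(get_all_types())` keeps the helper side-effect free. `get_all_users()` here keeps `system_u`, while `sepolicy.generate.get_all_users()` (which survives this patch) removes it — two functions of the same name that differ under `from sepolicy import get_all_users` versus `from sepolicy.generate import get_all_users` is an easy trap, so pick one contract or give the filtered one a distinct name. `get_all_entrypoint_domains()` also needs `re` in scope in __init__.py; the import block is not in this hunk, so please confirm it is there. The caches test `if not x` on lists, so an empty result (a policy with no booleans, say) is re-queried on every call — `is None` matches the intent, as `get_all_types` already does.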
@@ -341660,28 +341800,6 @@ index 0000000..6c5e482 + dict[(p['low'], p['high'], p['protocol'])]=(p['type'], p['range']) + return dict + -+def get_all_roles(): -+ roles = map(lambda x: x['name'], sepolicy.info(sepolicy.ROLE)) -+ roles.remove("object_r") -+ roles.sort() -+ return roles -+ -+def get_all_attributes(): -+ attributes = map(lambda x: x['name'], sepolicy.info(sepolicy.ATTRIBUTE)) -+ attributes.sort() -+ return attributes -+ -+def get_all_domains(): -+ all_domains = [] -+ types=get_all_types() -+ types.sort() -+ for i in types: -+ m = re.findall("(.*)%s" % "_exec_t$", i) -+ if len(m) > 0: -+ if len(re.findall("(.*)%s" % "_initrc$", m[0])) == 0 and m[0] not in all_domains: -+ all_domains.append(m[0]) -+ return all_domains -+ +def get_all_users(): + users = map(lambda x: x['name'], sepolicy.info(sepolicy.USER)) + users.remove("system_u") @@ -341770,6 +341888,7 @@ index 0000000..6c5e482 + self.rpms = [] + self.ports = [] + self.all_roles = get_all_roles() ++ self.types = [] + + if type not in poltype: + raise ValueError(_("You must enter a valid policy type")) @@ -342436,10 +342555,13 @@ index 0000000..6c5e482 + + def generate_new_types(self): + newte = "" ++ if len(self.types) == 0: ++ raise ValueError(_("Type field required")) ++ + for t in self.types: + for i in self.DEFAULT_EXT: + if t.endswith(i): -+ newte += re.sub("TEMPLATETYPE", t[:len(i)], self.DEFAULT_EXT[i].te_types) ++ newte += re.sub("TEMPLATETYPE", t[:-len(i)], self.DEFAULT_EXT[i].te_types) + break + return newte + @@ -342644,8 +342766,8 @@ index 0000000..6c5e482 + newfc = "" + fclist = [] + if self.type in USERS + [ SANDBOX ]: -+ return re.sub("EXECUTABLE", self.program, executable.fc_user) -+ if self.type != NEWTYPE and self.program: ++ return executable.fc_user ++ if self.type != NEWTYPE and not self.program: + raise ValueError(_("You must enter the executable path for your confined process")) + + if self.program: @@ -343007,10 +343129,10 @@ index 0000000..8b063ca + return trans_list 
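Review bot: The `get_all_attributes()` removed here sorted its result, whereas the `sepolicy.get_all_attributes()` that generate.py now imports returns `info(ATTRIBUTE)` in policy order, so any caller that listed or compared attributes in sorted order changes behaviour; if order matters, use `sorted(get_all_attributes())` at the call site or sort in the new helper. `get_all_domains()` (the `_exec_t`-derived list) is deleted from generate.py with nothing imported in its place, so any remaining caller of `sepolicy.generate.get_all_domains` outside this diff will raise ImportError — domainsPage.py was switched to `get_all_entrypoint_domains`, other GUI callers are worth a grep. The surviving `get_all_users()` in this hunk is the variant that filters `system_u`; the one added to sepolicy/__init__.py does not.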
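Review bot: `generate_new_types()` now raises when `self.types` is empty, but a type name that matches none of the `DEFAULT_EXT` suffixes is still silently dropped by the `for i in self.DEFAULT_EXT:` loop and the module is generated without it; since those declarations are the whole point of the NEWTYPE mode, that case should be an error too, e.g. a `for`/`else` on the inner loop: `else: raise ValueError(_("Type %s must end with one of: %s") % (t, ", ".join(self.DEFAULT_EXT)))`. The `t[:-len(i)]` fix is correct — the old `t[:len(i)]` kept the wrong end of the name.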
diff --git a/policycoreutils/sepolicy/sepolicy/manpage.py b/policycoreutils/sepolicy/sepolicy/manpage.py new file mode 100755 -index 0000000..a321faa +index 0000000..25062da --- /dev/null +++ b/policycoreutils/sepolicy/sepolicy/manpage.py -@@ -0,0 +1,1432 @@ +@@ -0,0 +1,1365 @@ +#! /usr/bin/python -Es +# Copyright (C) 2012-2013 Red Hat +# AUTHOR: Dan Walsh @@ -343041,7 +343163,7 @@ index 0000000..a321faa +import argparse +import selinux +import sepolicy -+from sepolicy import network, gen_bool_dict ++from sepolicy import network, gen_bool_dict, get_all_file_types, get_all_domains, get_all_roles, get_all_users, get_all_port_types, get_all_bools, get_all_attributes, get_all_role_allows + +import commands +import sys, os, re, time @@ -343074,12 +343196,28 @@ index 0000000..a321faa + pass + return modules_dict + -+all_attributes = None -+def get_all_attributes(): -+ global all_attributes -+ if not all_attributes: -+ all_attributes = map(lambda x: x['name'], sepolicy.info(sepolicy.ATTRIBUTE)) -+ return all_attributes ++users = None ++users_range = None ++def get_all_users_info(): ++ global users ++ global users_range ++ if users and users_range: ++ return users, users_range ++ ++ users = [] ++ users_range ={} ++ allusers = [] ++ allusers_info = info(USER) ++ ++ for d in allusers_info: ++ allusers.append(d['name']) ++ users_range[d['name'].split("_")[0]] = d['range'] ++ ++ for u in allusers: ++ if u not in [ "system_u", "root", "unconfined_u" ]: ++ users.append(u.replace("_u","")) ++ users.sort() ++ return users, users_range + +all_entrypoints = None +def get_entrypoints(): 
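Review bot: `get_all_users_info()` calls `info(USER)` unqualified, but manpage.py only does `import sepolicy` plus the `from sepolicy import network, gen_bool_dict, get_all_file_types, ...` list in the previous hunk — neither `info` nor `USER` is among them — so the first call raises NameError (the version of this function being removed used `sepolicy.info(sepolicy.USER)`). Unless a `from sepolicy import *` exists above the visible imports, change it to `allusers_info = sepolicy.info(sepolicy.USER)`. The rename to `get_all_users_info` avoids clashing with the imported `get_all_users`, which is good; the module-level `users`/`users_range` globals it caches into are separate from sepolicy's `users` cache, so no interference there.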
@@ -343088,25 +343226,6 @@ index 0000000..a321faa + all_entrypoints = sepolicy.info(sepolicy.ATTRIBUTE,"entry_type")[0]["types"] + return all_entrypoints + -+all_domains = None -+def get_all_domains(): -+ global all_domains -+ if not all_domains: -+ all_domains = sepolicy.info(sepolicy.ATTRIBUTE,"domain")[0]["types"] -+ return all_domains -+ -+roles = None -+def get_all_roles(): -+ global roles -+ if roles: -+ return roles -+ roles = [] -+ allroles = map(lambda x: x['name'], sepolicy.info(sepolicy.ROLE)) -+ for r in allroles: -+ if r not in [ "system_r", "object_r" ]: -+ roles.append(r[:-2]) -+ return roles -+ +domains = None +def gen_domains(): + global domains @@ -343123,9 +343242,9 @@ index 0000000..a321faa + domains.append(domain) + + for role in get_all_roles(): -+ if role in domains: ++ if role[:-2] in domains or role == "system_r": + continue -+ domains.append(role) ++ domains.append(role[:-2]) + + domains.sort() + return domains 
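Review bot: The role loop in `gen_domains()` strips the last two characters with `role[:-2]` unconditionally, relying on every role from `sepolicy.get_all_roles()` being named `*_r`; that holds for the reference policy roles, but a custom role without the suffix would be silently mangled, and the local `get_all_roles()` removed in the previous hunk at least filtered by exact name before stripping. `if role == "system_r" or not role.endswith("_r"): continue` followed by the existing `role[:-2]` handling keeps the normal case unchanged and leaves the odd one out explicitly. `gen_domains()` starts outside this hunk.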
@@ -343163,45 +343282,6 @@ index 0000000..a321faa + fcdict["samba_share_t"] = [ "use this label for random content that will be shared using samba" ] + return fcdict + -+role_allows = None -+def get_all_role_allows(): -+ global role_allows -+ if role_allows: -+ return role_allows -+ role_allows = {} -+ for r in sepolicy.search([sepolicy.ROLE_ALLOW]): -+ if r["source"] == "system_r" or r["target"] == "system_r": -+ continue -+ if r["source"] in role_allows: -+ role_allows[r["source"]].append(r["target"]) -+ else: -+ role_allows[r["source"]] = [ r["target"] ] -+ -+ return role_allows -+ -+users = None -+users_range = None -+def get_all_users(): -+ global users -+ global users_range -+ if users and users_range: -+ return users, users_range -+ -+ users = [] -+ users_range ={} -+ allusers = [] -+ allusers_info = sepolicy.info(sepolicy.USER) -+ -+ for d in allusers_info: -+ allusers.append(d['name']) -+ users_range[d['name'].split("_")[0]] = d['range'] -+ -+ for u in allusers: -+ if u not in [ "system_u", "root", "unconfined_u" ]: -+ users.append(u.replace("_u","")) -+ users.sort() -+ return users, users_range -+ +types = None +def _gen_types(): + global types @@ -343216,31 +343296,6 @@ index 0000000..a321faa + types[rec["name"]] = [] + return types + -+file_types = None -+def get_all_file_types(): -+ global file_types -+ if file_types: -+ return file_types -+ file_types = sepolicy.info(sepolicy.ATTRIBUTE,"file_type")[0]["types"] -+ file_types.sort() -+ return file_types -+ -+port_types = None -+def get_all_port_types(): -+ global port_types -+ if port_types: -+ return port_types -+ port_types = sepolicy.info(sepolicy.ATTRIBUTE,"port_type")[0]["types"] -+ port_types.sort() -+ return port_types -+ -+bools = None -+def get_all_bools(): -+ global bools -+ if not bools: -+ bools = sepolicy.info(sepolicy.BOOLEAN) -+ return bools -+ +def prettyprint(f,trim): + return " ".join(f[:-len(trim)].split("_")) + 
@@ -343501,8 +343556,8 @@ index 0000000..a321faa + all_bools = get_all_bools() + all_port_types = get_all_port_types() + all_roles = get_all_roles() -+ all_users = get_all_users()[0] -+ all_users_range = get_all_users()[1] ++ all_users = get_all_users_info()[0] ++ all_users_range = get_all_users_info()[1] + all_file_types = get_all_file_types() + types = _gen_types() + modules_dict = None @@ -343545,7 +343600,7 @@ index 0000000..a321faa + self._gen_bools() + self.man_page_path = "%s/%s_selinux.8" % (path, self.domainname) + self.fd = open(self.man_page_path, 'w') -+ if domainname in self.all_roles: ++ if domainname + "_r" in self.all_roles: + self.__gen_user_man_page() + if self.html: + manpage_roles.append(self.man_page_path) @@ -344756,7 +344811,7 @@ index 0000000..dcf445e +""" diff --git a/policycoreutils/sepolicy/sepolicy/templates/executable.py b/policycoreutils/sepolicy/sepolicy/templates/executable.py new file mode 100644 -index 0000000..092a53e +index 0000000..4b9534d --- /dev/null +++ b/policycoreutils/sepolicy/sepolicy/templates/executable.py @@ -0,0 +1,454 @@ @@ -345208,7 +345263,7 @@ index 0000000..092a53e +""" + +fc_user="""\ -+# Users do not have file context, leave blank ++# No file context, leave blank +""" + +fc_initscript="""\ diff --git a/policycoreutils.spec b/policycoreutils.spec index 5b90325..f096572 100644 --- a/policycoreutils.spec +++ b/policycoreutils.spec @@ -7,7 +7,7 @@ Summary: SELinux policy core utilities Name: policycoreutils Version: 2.1.13 -Release: 57%{?dist} +Release: 58%{?dist} License: GPLv2 Group: System Environment/Base # Based on git repository with tag 20101221 
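Review bot: `all_users = get_all_users_info()[0]` followed by `all_users_range = get_all_users_info()[1]` calls the helper twice for one tuple; the second call is served from its cache, but a single unpacking `all_users, all_users_range = get_all_users_info()` states the intent and does not depend on the caching. These look like class-body assignments (no `self.`), so the policy is queried when the class is defined, as before; just noting it. The enclosing class starts before this hunk.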
@@ -338,6 +338,10 @@ The policycoreutils-restorecond package contains the restorecond service. %{_bindir}/systemctl try-restart restorecond.service >/dev/null 2>&1 || : %changelog +* Thu Jan 31 2013 Dan Walsh - 2.1.12-58 +- Reorginize sepolicy so all get_all functions are in main module +- Add -B capability to fixfiles onboot and fixfiles restore, basically searches for all files created since the last boot. + * Fri Jan 25 2013 Dan Walsh - 2.1.12-57 - Update to latest patches from eparis/Upstream - fixfiles onboot will write any flags handed to it to /.autorelabel.