Fix sepolicy to be able to work on an SELinux disabled system.

- Needed to be able to build man pages in selinux-policy package
Dan Walsh 2013-02-22 13:06:49 +01:00
parent 3f69c2f15b
commit 21179e1822
2 changed files with 122 additions and 20 deletions


@ -1363,6 +1363,18 @@ index 11b534f..eb86eae 100644
-mkdir -p $(MANDIR)/man8 -mkdir -p $(MANDIR)/man8
install -m 644 *.8 $(MANDIR)/man8 install -m 644 *.8 $(MANDIR)/man8
-mkdir -p $(BASHCOMPLETIONDIR) -mkdir -p $(BASHCOMPLETIONDIR)
diff --git a/policycoreutils/sepolicy/policy.c b/policycoreutils/sepolicy/policy.c
index 4eca22d..eeee0ab 100644
--- a/policycoreutils/sepolicy/policy.c
+++ b/policycoreutils/sepolicy/policy.c
@@ -66,7 +66,6 @@ PyObject *wrap_policy(PyObject *UNUSED(self), PyObject *args){
}
apol_vector_destroy(&mod_paths);
- policy_load_options |= QPOL_POLICY_OPTION_MATCH_SYSTEM;
policy = apol_policy_create_from_policy_path(pol_path, policy_load_options, NULL, NULL);
apol_policy_path_destroy(&pol_path);
if (!policy) {
diff --git a/policycoreutils/sepolicy/sepolgen.8 b/policycoreutils/sepolicy/sepolgen.8 diff --git a/policycoreutils/sepolicy/sepolgen.8 b/policycoreutils/sepolicy/sepolgen.8
new file mode 100644 new file mode 100644
index 0000000..3ecf3eb index 0000000..3ecf3eb
@ -1520,7 +1532,7 @@ index b25d3b2..7a15d88 100755
sys.exit(0) sys.exit(0)
except ValueError,e: except ValueError,e:
diff --git a/policycoreutils/sepolicy/sepolicy/__init__.py b/policycoreutils/sepolicy/sepolicy/__init__.py diff --git a/policycoreutils/sepolicy/sepolicy/__init__.py b/policycoreutils/sepolicy/sepolicy/__init__.py
index 5e7415c..b9cb9cc 100644 index 5e7415c..e0f5f86 100644
--- a/policycoreutils/sepolicy/sepolicy/__init__.py --- a/policycoreutils/sepolicy/sepolicy/__init__.py
+++ b/policycoreutils/sepolicy/sepolicy/__init__.py +++ b/policycoreutils/sepolicy/sepolicy/__init__.py
@@ -37,9 +37,30 @@ CLASS = 'class' @@ -37,9 +37,30 @@ CLASS = 'class'
@ -1556,7 +1568,21 @@ index 5e7415c..b9cb9cc 100644
policies = glob.glob ("%s.*" % path ) policies = glob.glob ("%s.*" % path )
policies.sort() policies.sort()
return policies[-1] return policies[-1]
@@ -71,6 +92,7 @@ def get_all_role_allows(): @@ -54,6 +75,13 @@ def get_all_types():
all_types = map(lambda x: x['name'], info(TYPE))
return all_types
+user_types = None
+def get_user_types():
+ global user_types
+ if user_types == None:
+ user_types = info(ATTRIBUTE,"userdomain")[0]["types"]
+ return user_types
+
role_allows = None
def get_all_role_allows():
global role_allows
@@ -71,6 +99,7 @@ def get_all_role_allows():
return role_allows return role_allows
def get_all_entrypoint_domains(): def get_all_entrypoint_domains():
@ -1564,7 +1590,35 @@ index 5e7415c..b9cb9cc 100644
all_domains = [] all_domains = []
types=get_all_types() types=get_all_types()
types.sort() types.sort()
@@ -85,7 +107,7 @@ all_domains = None @@ -81,11 +110,35 @@ def get_all_entrypoint_domains():
all_domains.append(m[0])
return all_domains
+portrecs = None
+portrecsbynum = None
+
+def gen_port_dict():
+ global portrecs
+ global portrecsbynum
+ if portrecs:
+ return ( portrecs, portrecsbynum )
+ portrecsbynum = {}
+ portrecs = {}
+ for i in info(PORT):
+ if i['low'] == i['high']:
+ port = str(i['low'])
+ else:
+ port = "%s-%s" % (str(i['low']), str(i['high']))
+
+ if (i['type'], i['protocol']) in portrecs:
+ portrecs [(i['type'], i['protocol'])].append(port)
+ else:
+ portrecs [(i['type'], i['protocol'])] = [port]
+
+ portrecsbynum[(i['low'], i['high'],i['protocol'])] = (i['type'], i['range'])
+ return ( portrecs, portrecsbynum )
+
all_domains = None
def get_all_domains(): def get_all_domains():
global all_domains global all_domains
if not all_domains: if not all_domains:
@ -1573,7 +1627,7 @@ index 5e7415c..b9cb9cc 100644
return all_domains return all_domains
roles = None roles = None
@@ -139,49 +161,43 @@ def get_all_attributes(): @@ -139,49 +192,42 @@ def get_all_attributes():
return all_attributes return all_attributes
def policy(policy_file): def policy(policy_file):
@ -1600,7 +1654,7 @@ index 5e7415c..b9cb9cc 100644
except: except:
raise ValueError(_("Failed to read %s policy file") % policy_file) raise ValueError(_("Failed to read %s policy file") % policy_file)
-
-policy_file = selinux.selinux_current_policy_path() -policy_file = selinux.selinux_current_policy_path()
-if not policy_file: -if not policy_file:
- policy_file = __get_installed_policy() - policy_file = __get_installed_policy()
@ -1643,10 +1697,18 @@ index 5e7415c..b9cb9cc 100644
def gen_bool_dict(path="/usr/share/selinux/devel/policy.xml"): def gen_bool_dict(path="/usr/share/selinux/devel/policy.xml"):
global booleans_dict global booleans_dict
diff --git a/policycoreutils/sepolicy/sepolicy/generate.py b/policycoreutils/sepolicy/sepolicy/generate.py diff --git a/policycoreutils/sepolicy/sepolicy/generate.py b/policycoreutils/sepolicy/sepolicy/generate.py
index 26f8390..19f6056 100644 index 26f8390..a23ce9b 100644
--- a/policycoreutils/sepolicy/sepolicy/generate.py --- a/policycoreutils/sepolicy/sepolicy/generate.py
+++ b/policycoreutils/sepolicy/sepolicy/generate.py +++ b/policycoreutils/sepolicy/sepolicy/generate.py
@@ -1037,7 +1037,8 @@ allow %s_t %s_t:%s_socket name_%s; @@ -63,7 +63,6 @@ except IOError:
import __builtin__
__builtin__.__dict__['_'] = unicode
-user_types = sepolicy.info(sepolicy.ATTRIBUTE,"userdomain")[0]["types"]
methods = []
fn = defaults.interface_info()
try:
@@ -1037,7 +1036,8 @@ allow %s_t %s_t:%s_socket name_%s;
######################################## ########################################
# #
# %s local policy # %s local policy
@ -1657,15 +1719,10 @@ index 26f8390..19f6056 100644
newte += self.generate_process() newte += self.generate_process()
newte += self.generate_network_types() newte += self.generate_network_types()
diff --git a/policycoreutils/sepolicy/sepolicy/manpage.py b/policycoreutils/sepolicy/sepolicy/manpage.py diff --git a/policycoreutils/sepolicy/sepolicy/manpage.py b/policycoreutils/sepolicy/sepolicy/manpage.py
index 25062da..da17c48 100755 index 25062da..b3c24e6 100755
--- a/policycoreutils/sepolicy/sepolicy/manpage.py --- a/policycoreutils/sepolicy/sepolicy/manpage.py
+++ b/policycoreutils/sepolicy/sepolicy/manpage.py +++ b/policycoreutils/sepolicy/sepolicy/manpage.py
@@ -24,11 +24,12 @@ @@ -28,7 +28,7 @@ import string
#
__all__ = [ 'ManPage', 'HTMLManPages', 'manpage_domains', 'manpage_roles', 'gen_domains' ]
+from sepolicy import network
import string
import argparse import argparse
import selinux import selinux
import sepolicy import sepolicy
@ -1674,7 +1731,7 @@ index 25062da..da17c48 100755
import commands import commands
import sys, os, re, time import sys, os, re, time
@@ -416,40 +417,33 @@ class ManPage: @@ -416,40 +416,33 @@ class ManPage:
""" """
Generate a Manpage on an SELinux domain in the specified path Generate a Manpage on an SELinux domain in the specified path
""" """
@ -1695,14 +1752,15 @@ index 25062da..da17c48 100755
- def __init__(self, domainname, path = "/tmp", html = False): - def __init__(self, domainname, path = "/tmp", html = False):
+ def __init__(self, domainname, path = "/tmp", root="/", html = False): + def __init__(self, domainname, path = "/tmp", root="/", html = False):
self.html = html self.html = html
+ self.root = root - self.portrecs = network.portrecs
self.portrecs = network.portrecs
- -
- fcpath = path + "/file_contexts" - fcpath = path + "/file_contexts"
- if os.path.exists(fcpath): - if os.path.exists(fcpath):
- self.fcpath = fcpath - self.fcpath = fcpath
- else: - else:
- self.fcpath = selinux.selinux_file_context_path() - self.fcpath = selinux.selinux_file_context_path()
+ self.root = root
+ self.portrecs = gen_port_dict()[0]
+ self.domains = gen_domains() + self.domains = gen_domains()
+ self.all_domains = get_all_domains() + self.all_domains = get_all_domains()
+ self.all_attributes = get_all_attributes() + self.all_attributes = get_all_attributes()
@ -1732,7 +1790,7 @@ index 25062da..da17c48 100755
self.booleans_dict = gen_bool_dict(self.xmlpath) self.booleans_dict = gen_bool_dict(self.xmlpath)
if domainname.endswith("_t"): if domainname.endswith("_t"):
@@ -947,13 +941,14 @@ semanage fcontext -a -t public_content_t "/var/%(domainname)s(/.*)?" @@ -947,13 +940,14 @@ semanage fcontext -a -t public_content_t "/var/%(domainname)s(/.*)?"
.B restorecon -F -R -v /var/%(domainname)s .B restorecon -F -R -v /var/%(domainname)s
.pp .pp
.TP .TP
@ -1749,7 +1807,7 @@ index 25062da..da17c48 100755
""" % {'domainname':self.domainname}) """ % {'domainname':self.domainname})
for b in self.anon_list: for b in self.anon_list:
desc = self.booleans_dict[b][2][0].lower() + self.booleans_dict[b][2][1:] desc = self.booleans_dict[b][2][0].lower() + self.booleans_dict[b][2][1:]
@@ -1230,6 +1225,7 @@ The SELinux user %s_u is not able to terminal login. @@ -1230,6 +1224,7 @@ The SELinux user %s_u is not able to terminal login.
""" % self.domainname) """ % self.domainname)
def _network(self): def _network(self):
@ -1757,6 +1815,46 @@ index 25062da..da17c48 100755
self.fd.write(""" self.fd.write("""
.SH NETWORK .SH NETWORK
""") """)
diff --git a/policycoreutils/sepolicy/sepolicy/network.py b/policycoreutils/sepolicy/sepolicy/network.py
index 66efe26..a446d68 100755
--- a/policycoreutils/sepolicy/sepolicy/network.py
+++ b/policycoreutils/sepolicy/sepolicy/network.py
@@ -25,27 +25,6 @@ import sepolicy
search=sepolicy.search
info=sepolicy.info
-def _gen_port_dict():
- portrecsbynum = {}
- portrecs = {}
- for i in info(sepolicy.PORT):
- if i['low'] == i['high']:
- port = str(i['low'])
- else:
- port = "%s-%s" % (str(i['low']), str(i['high']))
-
- if (i['type'], i['protocol']) in portrecs:
- portrecs [(i['type'], i['protocol'])].append(port)
- else:
- portrecs [(i['type'], i['protocol'])] = [port]
-
- portrecsbynum[(i['low'], i['high'],i['protocol'])] = (i['type'], i['range'])
- return ( portrecs, portrecsbynum )
-portrecs, portrecsbynum = _gen_port_dict()
-
-port_types = sepolicy.info(sepolicy.ATTRIBUTE,"port_type")[0]["types"]
-domains = sepolicy.info(sepolicy.ATTRIBUTE,"domain")[0]["types"]
-
def get_types(src, tclass, perm):
allows=search([sepolicy.ALLOW],{sepolicy.SOURCE:src,sepolicy.CLASS:tclass, sepolicy.PERMS:perm})
nlist=[]
@@ -57,6 +36,7 @@ def get_types(src, tclass, perm):
def get_network_connect(src, protocol, perm):
+ portrecs, portrecsbynum = sepolicy.gen_port_dict()
d={}
tlist = get_types(src, "%s_socket" % protocol, [perm])
if len(tlist) > 0:
diff --git a/policycoreutils/setfiles/restorecon.8 b/policycoreutils/setfiles/restorecon.8 diff --git a/policycoreutils/setfiles/restorecon.8 b/policycoreutils/setfiles/restorecon.8
index 80b6d6e..07c5ee2 100644 index 80b6d6e..07c5ee2 100644
--- a/policycoreutils/setfiles/restorecon.8 --- a/policycoreutils/setfiles/restorecon.8
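Review bot: The lazy caches this patch adds to sepolicy/__init__.py (`user_types` in get_user_types(), `portrecs`/`portrecsbynum` in gen_port_dict()) are module globals that nothing in the visible lines resets. If policy(policy_file) is later called for a different policy file, port and user-type data in generated man pages would still come from the earlier policy. The body of policy() is outside the visible hunks, so please confirm it clears them (`user_types = None`, `portrecs = None`, `portrecsbynum = None`) or document that policy() must be called before any getter. Separately, gen_port_dict() guards with `if portrecs:`, which treats an empty result as uncached and re-queries on every call; `if portrecs is not None:` avoids that, and get_user_types() would read better as `if user_types is None:`.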


@ -7,7 +7,7 @@
Summary: SELinux policy core utilities Summary: SELinux policy core utilities
Name: policycoreutils Name: policycoreutils
Version: 2.1.14 Version: 2.1.14
Release: 9%{?dist} Release: 10%{?dist}
License: GPLv2 License: GPLv2
Group: System Environment/Base Group: System Environment/Base
# Based on git repository with tag 20101221 # Based on git repository with tag 20101221
@ -324,6 +324,10 @@ The policycoreutils-restorecond package contains the restorecond service.
%{_bindir}/systemctl try-restart restorecond.service >/dev/null 2>&1 || : %{_bindir}/systemctl try-restart restorecond.service >/dev/null 2>&1 || :
%changelog %changelog
* Fri Feb 22 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.14-10
- Fix sepolicy to be able to work on an SELinux disabled system.
- Needed to be able to build man pages in selinux-policy package
* Thu Feb 21 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.14-9 * Thu Feb 21 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.14-9
- Add yum to requires of policycoreutils-python since sepolicy requires it. - Add yum to requires of policycoreutils-python since sepolicy requires it.