Upgrade to policycoreutils upstream

* sandbox: Maintain the LANG environment into the sandbox * audit2allow: use audit2why internally * fixfiles: label /root but not /var/lib/BackupPC * semanage: update local boolean settings is dealing with localstore * semanage: missing modify=True * semanage: set modified correctly * restorecond: make restorecond dbuss-able * restorecon: Always check return code on asprintf * restorecond: make restorecond -u exit when terminal closes * sandbox: introduce package name and language stuff * semodule_package: remove semodule_unpackage on clean * fix sandbox Makefile to support DESTDIR * semanage: Add -o description to the semanage man page * make use of the new realpath_not_final function * setfiles: close /proc/mounts file when finished * semodule: Document semodule -p in man page * setfiles: fix use before initialized * restorecond: Add .local/share as a directory to watch Upgrade to sepolgen upstream * Ignore permissive qualifier if found in an interface * Return name field in avc data
2011-11-04 10:47:42 -04:00 · 2011-11-04 10:47:42 -04:00 · 2c4e323ce5
commit 2c4e323ce5
parent 2392ca1483
4 changed files with 198 additions and 1635 deletions
--- a/policycoreutils-rhat.patch
+++ b/policycoreutils-rhat.patch
--- a/policycoreutils-sepolgen.patch
+++ b/policycoreutils-sepolgen.patch
@ -1,5 +1,5 @@
 diff --git a/sepolgen/src/sepolgen/audit.py b/sepolgen/src/sepolgen/audit.py
-index 24e308e..1b0a8e5 100644
+index 898fbc3..631bab5 100644
 --- a/sepolgen/src/sepolgen/audit.py
 +++ b/sepolgen/src/sepolgen/audit.py
@@ -68,6 +68,17 @@ def get_dmesg_msgs():
@ -30,11 +30,8 @@ index 24e308e..1b0a8e5 100644
 
 class AVCMessage(AuditMessage):
     """AVC message representing an access denial or granted message.
-@@ -165,8 +179,11 @@ class AVCMessage(AuditMessage):
-         self.comm = ""
-         self.exe = ""
-         self.path = ""
-+        self.name = ""
+@@ -168,6 +182,8 @@ class AVCMessage(AuditMessage):
+         self.name = ""
         self.accesses = []
         self.denial = True
 +        self.type = audit2why.TERULE
@ -42,12 +39,7 @@ index 24e308e..1b0a8e5 100644
 
     def __parse_access(self, recs, start):
         # This is kind of sucky - the access that is in a space separated
-@@ -223,10 +240,36 @@ class AVCMessage(AuditMessage):
-                 self.comm = fields[1][1:-1]
-             elif fields[0] == "exe":
-                 self.exe = fields[1][1:-1]
-+            elif fields[0] == "name":
-+                self.name = fields[1][1:-1]
+@@ -229,7 +245,31 @@ class AVCMessage(AuditMessage):
 
         if not found_src or not found_tgt or not found_class or not found_access:
             raise ValueError("AVC message in invalid format [%s]\n" % self.message)
@ -74,13 +66,13 @@ index 24e308e..1b0a8e5 100644
 +                raise ValueError("Invalid permission %s\n" % " ".join(self.accesses))
 +            if self.type == audit2why.BADCOMPUTE:
 +                raise ValueError("Error during access vector computation")
-+            
+
 +            avcdict[(scontext, tcontext, self.tclass, access_tuple)] = (self.type, self.bools)
 +
 class PolicyLoadMessage(AuditMessage):
     """Audit message indicating that the policy was reloaded."""
     def __init__(self, message):
-@@ -469,10 +512,10 @@ class AuditParser:
+@@ -472,10 +512,10 @@ class AuditParser:
             if avc_filter:
                 if avc_filter.filter(avc):
                     av_set.add(avc.scontext.type, avc.tcontext.type, avc.tclass,
@ -126,7 +118,7 @@ index 1a9a3e5..d56dd92 100644
     def __iter__(self):
         return iter(self.children)
 diff --git a/sepolgen/src/sepolgen/policygen.py b/sepolgen/src/sepolgen/policygen.py
-index 0e6b502..6ce892c 100644
+index 0e6b502..4882999 100644
 --- a/sepolgen/src/sepolgen/policygen.py
 +++ b/sepolgen/src/sepolgen/policygen.py
@@ -29,6 +29,8 @@ import objectmodel
@ -155,9 +147,9 @@ index 0e6b502..6ce892c 100644
 -                rule.comment = refpolicy.Comment(explain_access(av, verbosity=self.explain))
 +                rule.comment = str(refpolicy.Comment(explain_access(av, verbosity=self.explain)))
 +            if av.type == audit2why.ALLOW:
-+                rule.comment += "#!!!! This avc is allowed in the current policy\n" 
+                rule.comment += "#!!!! This avc is allowed in the current policy\n"
 +            if av.type == audit2why.DONTAUDIT:
-+                rule.comment += "#!!!! This avc has a dontaudit rule in the current policy\n" 
+                rule.comment += "#!!!! This avc has a dontaudit rule in the current policy\n"
 +
 +            if av.type == audit2why.BOOLEAN:
 +                if len(av.bools) > 1:
@ -166,7 +158,7 @@ index 0e6b502..6ce892c 100644
 +                    rule.comment += "#!!!! This avc can be allowed using the boolean '%s'\n" % av.bools[0][0]
 +
 +            if av.type == audit2why.CONSTRAINT:
-+                rule.comment += "#!!!! This avc is a constraint violation.  You will need to add an attribute to either the source or target type to make it work.\n" 
+                rule.comment += "#!!!! This avc is a constraint violation.  You will need to add an attribute to either the source or target type to make it work.\n"
 +                rule.comment += "#Constraint rule: "
 +
 +            if av.type == audit2why.TERULE:
@ -175,7 +167,7 @@ index 0e6b502..6ce892c 100644
 +                        if not self.domains:
 +                            self.domains = seinfo(ATTRIBUTE, name="domain")[0]["types"]
 +                        types=[]
-+                        
+
 +                        try:
 +                            for i in map(lambda x: x[TCONTEXT], sesearch([ALLOW], {SCONTEXT: av.src_type, CLASS: av.obj_class, PERMS: av.perms})):
 +                                if i not in self.domains:
@ -189,42 +181,3 @@ index 0e6b502..6ce892c 100644
             self.module.children.append(rule)
 
 
-diff --git a/sepolgen/src/sepolgen/refparser.py b/sepolgen/src/sepolgen/refparser.py
-index 1a2eec8..955784d 100644
--- a/sepolgen/src/sepolgen/refparser.py
-+++ b/sepolgen/src/sepolgen/refparser.py
-@@ -109,6 +109,7 @@ tokens = (
-     'DONTAUDIT',
-     'AUDITALLOW',
-     'NEVERALLOW',
-+    'PERMISSIVE',
-     'TYPE_TRANSITION',
-     'TYPE_CHANGE',
-     'TYPE_MEMBER',
-@@ -170,6 +171,7 @@ reserved = {
-     'dontaudit' : 'DONTAUDIT',
-     'auditallow' : 'AUDITALLOW',
-     'neverallow' : 'NEVERALLOW',
-+    'permissive' : 'PERMISSIVE',
-     'type_transition' : 'TYPE_TRANSITION',
-     'type_change' : 'TYPE_CHANGE',
-     'type_member' : 'TYPE_MEMBER',
-@@ -490,6 +492,7 @@ def p_policy_stmt(p):
-                    | interface_call
-                    | role_def
-                    | role_allow
-+                   | permissive
-                    | type_def
-                    | typealias_def
-                    | attribute_def
-@@ -747,6 +750,10 @@ def p_role_allow(p):
-     r.tgt_roles = p[3]
-     p[0] = r
- 
-+def p_permissive(p):
-+    'permissive : PERMISSIVE names SEMI'
-+    t.skip(1)
-+
- def p_avrule_def(p):
-     '''avrule_def : ALLOW names names COLON names names SEMI
-                   | DONTAUDIT names names COLON names names SEMI
--- a/policycoreutils.spec
+++ b/policycoreutils.spec
@ -1,13 +1,13 @@
-%define	libauditver	1.4.2-1
-%define libsepolver 	2.1.2-3
-%define	libsemanagever	2.1.4-1
-%define	libselinuxver	2.1.5-5
-%define	sepolgenver	1.1.2
+%define	libauditver	2.1.3-4
+%define libsepolver 	2.1.3-2
+%define	libsemanagever	2.1.4-3
+%define	libselinuxver	2.1.7-1
+%define	sepolgenver	1.1.3

 Summary: SELinux policy core utilities
 Name:	 policycoreutils
-Version: 2.1.7
-Release: 5%{?dist}
+Version: 2.1.8
+Release: 1%{?dist}
 License: GPLv2
 Group:	 System Environment/Base
 # Based on git repository with tag 20101221
@ -22,8 +22,8 @@ Source6: selinux-polgengui.desktop
 Source7: selinux-polgengui.console
 Source8: policycoreutils_man_ru2.tar.bz2
 Source9: semanage-bash-completion.sh
-Patch:	 policycoreutils-rhat.patch
 Source10: restorecond.service
+Patch:	 policycoreutils-rhat.patch
 Patch1:	 policycoreutils-po.patch
 Patch3:	 policycoreutils-gui.patch
 Patch4:	 policycoreutils-sepolgen.patch
@ -352,6 +352,33 @@ fi
 /bin/systemctl try-restart restorecond.service >/dev/null 2>&1 || :

 %changelog
+* Fri Nov 4 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.8-1
+- Upgrade to policycoreutils upstream
+	* sandbox: Maintain the LANG environment into the sandbox
+	* audit2allow: use audit2why internally
+	* fixfiles: label /root but not /var/lib/BackupPC
+	* semanage: update local boolean settings is dealing with localstore
+	* semanage: missing modify=True
+	* semanage: set modified correctly
+	* restorecond: make restorecond dbuss-able
+	* restorecon: Always check return code on asprintf
+	* restorecond: make restorecond -u exit when terminal closes
+	* sandbox: introduce package name and language stuff
+	* semodule_package: remove semodule_unpackage on clean
+	* fix sandbox Makefile to support DESTDIR
+	* semanage: Add -o description to the semanage man page
+	* make use of the new realpath_not_final function
+	* setfiles: close /proc/mounts file when finished
+	* semodule: Document semodule -p in man page
+	* setfiles: fix use before initialized
+	* restorecond: Add .local/share as a directory to watch
+- Upgrade to sepolgen upstream
+	* Ignore permissive qualifier if found in an interface
+	* Return name field in avc data
+
+* Mon Oct 31 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.7-6
+- Rebuild versus newer libsepol 
+
 * Fri Oct 28 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.7-5
 - A couple of minor coverity fixes for a potential leaked file descriptor
 - An an unchecked return code.
--- a/4
+++ b/4
@ -1,3 +1,3 @@
 59d33101d57378ce69889cc078addf90  policycoreutils_man_ru2.tar.bz2
-c372e90a754ee87e1cc40b09134b8f31  sepolgen-1.1.2.tgz
-98688cfeab65386a0dfbd921511952ac  policycoreutils-2.1.7.tgz
+135674afd4eecd02ef441a9fd1d2c08a  policycoreutils-2.1.8.tgz
+3bd4588bcf8608c6e8a18ad5a8b68971  sepolgen-1.1.3.tgz