From 2c4e323ce58aeb58127f32f07723976325acaa1e Mon Sep 17 00:00:00 2001
From: Dan Walsh
Date: Fri, 4 Nov 2011 10:47:42 -0400
Subject: [PATCH] Upgrade to policycoreutils upstream

* sandbox: Maintain the LANG environment into the sandbox
* audit2allow: use audit2why internally
* fixfiles: label /root but not /var/lib/BackupPC
* semanage: update local boolean settings is dealing with localstore
* semanage: missing modify=True
* semanage: set modified correctly
* restorecond: make restorecond dbuss-able
* restorecon: Always check return code on asprintf
* restorecond: make restorecond -u exit when terminal closes
* sandbox: introduce package name and language stuff
* semodule_package: remove semodule_unpackage on clean
* fix sandbox Makefile to support DESTDIR
* semanage: Add -o description to the semanage man page
* make use of the new realpath_not_final function
* setfiles: close /proc/mounts file when finished
* semodule: Document semodule -p in man page
* setfiles: fix use before initialized
* restorecond: Add .local/share as a directory to watch

Upgrade to sepolgen upstream
* Ignore permissive qualifier if found in an interface
* Return name field in avc data
---
 policycoreutils-rhat.patch | 1717 +++-----------------------------
 policycoreutils-sepolgen.patch | 69 +-
 policycoreutils.spec | 43 +-
 sources | 4 +-
 4 files changed, 198 insertions(+), 1635 deletions(-)

diff --git a/policycoreutils-rhat.patch b/policycoreutils-rhat.patch
index db02944..0e418a1 100644
--- a/policycoreutils-rhat.patch
+++ b/policycoreutils-rhat.patch
@@ -8,38 +8,6 @@ index 7244a36..3e95698 100644 INOTIFYH = $(shell ls /usr/include/sys/inotify.h 2>/dev/null) -diff --git a/policycoreutils/audit2allow/audit2allow b/policycoreutils/audit2allow/audit2allow -index e9c80f0..e9d5882 100644 ---- a/policycoreutils/audit2allow/audit2allow -+++ b/policycoreutils/audit2allow/audit2allow -@@ -235,25 +235,10 @@ class AuditToPolicy: - import selinux - import seobject - for i in self.__parser.avc_msgs: -- rc, bools = audit2why.analyze(i.scontext.to_string(), i.tcontext.to_string(), i.tclass, i.accesses) -+ rc = i.type -+ bools = i.bools - if rc >= 0: - print "%s\n\tWas caused by:" % i.message -- if rc == audit2why.NOPOLICY: -- raise RuntimeError("Must call policy_init first") -- if rc == audit2why.BADTCON: -- print "Invalid Target Context %s\n" % i.tcontext -- continue -- if rc == audit2why.BADSCON: -- print "Invalid Source Context %s\n" % i.scontext -- continue -- if rc == audit2why.BADSCON: -- print "Invalid Type Class %s\n" % i.tclass -- continue -- if rc == audit2why.BADPERM: -- print "Invalid permission %s\n" % i.accesses -- continue -- if rc == audit2why. BADCOMPUTE: -- raise RuntimeError("Error during access vector computation") - if rc == audit2why.ALLOW: - print "\t\tUnknown - would be allowed by active policy\n", - print "\t\tPossible mismatch between this policy and the one under which the audit message was generated.\n" diff --git a/policycoreutils/newrole/newrole.c b/policycoreutils/newrole/newrole.c index 99d0ed7..19e20a8 100644 --- a/policycoreutils/newrole/newrole.c 
@@ -74,1260 +42,26 @@ index 99d0ed7..19e20a8 100644 if (set_signal_handles()) return -1; -diff --git a/policycoreutils/restorecond/Makefile b/policycoreutils/restorecond/Makefile -index 3f235e6..03a4544 100644 ---- a/policycoreutils/restorecond/Makefile -+++ b/policycoreutils/restorecond/Makefile -@@ -1,17 +1,28 @@ - # Installation directories. - PREFIX ?= ${DESTDIR}/usr - SBINDIR ?= $(PREFIX)/sbin -+LIBDIR ?= $(PREFIX)/lib - MANDIR = $(PREFIX)/share/man -+AUTOSTARTDIR = $(DESTDIR)/etc/xdg/autostart -+DBUSSERVICEDIR = $(DESTDIR)/usr/share/dbus-1/services -+ -+autostart_DATA = sealertauto.desktop - INITDIR = $(DESTDIR)/etc/rc.d/init.d - SELINUXDIR = $(DESTDIR)/etc/selinux - -+DBUSFLAGS = -DHAVE_DBUS -I/usr/include/dbus-1.0 -I/usr/lib64/dbus-1.0/include -I/usr/lib/dbus-1.0/include -+DBUSLIB = -ldbus-glib-1 -ldbus-1 -+ - CFLAGS ?= -g -Werror -Wall -W --override CFLAGS += -I$(PREFIX)/include -D_FILE_OFFSET_BITS=64 --LDLIBS += -lselinux -L$(PREFIX)/lib -+override CFLAGS += -I$(PREFIX)/include $(DBUSFLAGS) -I/usr/include/glib-2.0 -I/usr/lib64/glib-2.0/include -I/usr/lib/glib-2.0/include -+ -+LDLIBS += -lselinux $(DBUSLIB) -lglib-2.0 -L$(LIBDIR) - - all: restorecond - --restorecond: restorecond.o utmpwatcher.o stringslist.o -+restorecond.o utmpwatcher.o stringslist.o user.o watch.o: restorecond.h -+ -+restorecond: ../setfiles/restore.o restorecond.o utmpwatcher.o stringslist.o user.o watch.o - $(CC) $(LDFLAGS) -o $@ $^ $(LDLIBS) - - install: all -@@ -22,7 +33,12 @@ install: all - -mkdir -p $(INITDIR) - install -m 755 restorecond.init $(INITDIR)/restorecond - -mkdir -p $(SELINUXDIR) -- install -m 600 restorecond.conf $(SELINUXDIR)/restorecond.conf -+ install -m 644 restorecond.conf $(SELINUXDIR)/restorecond.conf -+ install -m 644 restorecond_user.conf $(SELINUXDIR)/restorecond_user.conf -+ -mkdir -p $(AUTOSTARTDIR) -+ install -m 644 restorecond.desktop $(AUTOSTARTDIR)/restorecond.desktop -+ -mkdir -p $(DBUSSERVICEDIR) -+ install -m 600 org.selinux.Restorecond.service 
$(DBUSSERVICEDIR)/org.selinux.Restorecond.service - - relabel: install - /sbin/restorecon $(SBINDIR)/restorecond -diff --git a/policycoreutils/restorecond/org.selinux.Restorecond.service b/policycoreutils/restorecond/org.selinux.Restorecond.service -new file mode 100644 -index 0000000..0ef5f0b ---- /dev/null -+++ b/policycoreutils/restorecond/org.selinux.Restorecond.service -@@ -0,0 +1,3 @@ -+[D-BUS Service] -+Name=org.selinux.Restorecond -+Exec=/usr/sbin/restorecond -u -diff --git a/policycoreutils/restorecond/restorecond.8 b/policycoreutils/restorecond/restorecond.8 -index b149dcb..4622d2b 100644 ---- a/policycoreutils/restorecond/restorecond.8 -+++ b/policycoreutils/restorecond/restorecond.8 -@@ -3,7 +3,7 @@ - restorecond \- daemon that watches for file creation and then sets the default SELinux file context - - .SH "SYNOPSIS" --.B restorecond [\-d] -+.B restorecond [\-d] [\-f restorecond_file ] [\-u] [\-v] - .P - - .SH "DESCRIPTION" -@@ -19,13 +19,22 @@ the correct file context associated with the policy. - .B \-d - Turns on debugging mode. Application will stay in the foreground and lots of - debugs messages start printing. -+.TP -+.B \-f restorecond_file -+Use alternative restorecond.conf file. -+.TP -+.B \-u -+Turns on user mode. Runs restorecond in the user session and reads /etc/selinux/restorecond_user.conf. Uses dbus to make sure only one restorecond is running per user session. -+.TP -+.B \-v -+Turns on verbose debugging. (Report missing files) - - .SH "AUTHOR" --This man page was written by Dan Walsh . --The program was written by Dan Walsh . -+This man page and program was written by Dan Walsh . - - .SH "FILES" - /etc/selinux/restorecond.conf -+/etc/selinux/restorecond_user.conf - - .SH "SEE ALSO" - .BR restorecon (8), diff --git a/policycoreutils/restorecond/restorecond.c b/policycoreutils/restorecond/restorecond.c -index 4952632..89f5d97 100644 +index 89f5d97..dfd9629 100644 --- a/policycoreutils/restorecond/restorecond.c 
+++ b/policycoreutils/restorecond/restorecond.c -@@ -30,9 +30,11 @@ - * and makes sure that there security context matches the systems defaults - * - * USAGE: -- * restorecond [-d] [-v] -+ * restorecond [-d] [-u] [-v] [-f restorecond_file ] - * - * -d Run in debug mode -+ * -f Use alternative restorecond_file -+ * -u Run in user mode - * -v Run in verbose mode (Report missing files) - * - * EXAMPLE USAGE: -@@ -48,297 +50,38 @@ - #include - #include - #include --#include -+#include "../setfiles/restore.h" - #include --#include - #include - #include -+#include -+#include -+#include -+#include - #include -- - #include "restorecond.h" --#include "stringslist.h" - #include "utmpwatcher.h" - --extern char *dirname(char *path); -+const char *homedir; - static int master_fd = -1; --static int master_wd = -1; --static int terminate = 0; -- --#include --#include -- --/* size of the event structure, not counting name */ --#define EVENT_SIZE (sizeof (struct inotify_event)) --/* reasonable guess as to size of 1024 events */ --#define BUF_LEN (1024 * (EVENT_SIZE + 16)) -- --static int debug_mode = 0; --static int verbose_mode = 0; -- --static void restore(const char *filename, int exact); -- --struct watchList { -- struct watchList *next; -- int wd; -- char *dir; -- struct stringsList *files; --}; --struct watchList *firstDir = NULL; -- --/* Compare two contexts to see if their differences are "significant", -- * or whether the only difference is in the user. */ --static int only_changed_user(const char *a, const char *b) --{ -- char *rest_a, *rest_b; /* Rest of the context after the user */ -- if (!a || !b) -- return 0; -- rest_a = strchr(a, ':'); -- rest_b = strchr(b, ':'); -- if (!rest_a || !rest_b) -- return 0; -- return (strcmp(rest_a, rest_b) == 0); --} -- --/* -- A file was in a direcroty has been created. This function checks to -- see if it is one that we are watching. 
--*/ -- --static int watch_list_find(int wd, const char *file) --{ -- struct watchList *ptr = NULL; -- ptr = firstDir; -- -- if (debug_mode) -- printf("%d: File=%s\n", wd, file); -- while (ptr != NULL) { -- if (ptr->wd == wd) { -- int exact=0; -- if (strings_list_find(ptr->files, file, &exact) == 0) { -- char *path = NULL; -- if (asprintf(&path, "%s/%s", ptr->dir, file) < -- 0) -- exitApp("Error allocating memory."); -- restore(path, exact); -- free(path); -- return 0; -- } -- if (debug_mode) -- strings_list_print(ptr->files); -- -- /* Not found in this directory */ -- return -1; -- } -- ptr = ptr->next; -- } -- /* Did not find a directory */ -- return -1; --} -- --static void watch_list_free(int fd) --{ -- struct watchList *ptr = NULL; -- struct watchList *prev = NULL; -- ptr = firstDir; -- -- while (ptr != NULL) { -- inotify_rm_watch(fd, ptr->wd); -- strings_list_free(ptr->files); -- free(ptr->dir); -- prev = ptr; -- ptr = ptr->next; -- free(prev); -- } -- firstDir = NULL; --} -- --/* -- Set the file context to the default file context for this system. -- Same as restorecon. 
--*/ --static void restore(const char *filename, int exact) --{ -- int retcontext = 0; -- security_context_t scontext = NULL; -- security_context_t prev_context = NULL; -- struct stat st; -- int fd = -1; -- if (debug_mode) -- printf("restore %s\n", filename); -- -- fd = open(filename, O_NOFOLLOW | O_RDONLY); -- if (fd < 0) { -- if (verbose_mode) -- syslog(LOG_ERR, "Unable to open file (%s) %s\n", -- filename, strerror(errno)); -- return; -- } -- -- if (fstat(fd, &st) != 0) { -- syslog(LOG_ERR, "Unable to stat file (%s) %s\n", filename, -- strerror(errno)); -- close(fd); -- return; -- } -- -- if (!(st.st_mode & S_IFDIR) && st.st_nlink > 1) { -- if (exact) { -- syslog(LOG_ERR, -- "Will not restore a file with more than one hard link (%s) %s\n", -- filename, strerror(errno)); -- } -- close(fd); -- return; -- } -- -- if (matchpathcon(filename, st.st_mode, &scontext) < 0) { -- if (errno == ENOENT) -- return; -- syslog(LOG_ERR, "matchpathcon(%s) failed %s\n", filename, -- strerror(errno)); -- return; -- } -- retcontext = fgetfilecon_raw(fd, &prev_context); -- -- if (retcontext >= 0 || errno == ENODATA) { -- if (retcontext < 0) -- prev_context = NULL; -- if (retcontext < 0 || (strcmp(prev_context, scontext) != 0)) { -- -- if (only_changed_user(scontext, prev_context) != 0) { -- free(scontext); -- free(prev_context); -- close(fd); -- return; -- } -- -- if (fsetfilecon(fd, scontext) < 0) { -- if (errno != EOPNOTSUPP) -- syslog(LOG_ERR, -- "set context %s->%s failed:'%s'\n", -- filename, scontext, strerror(errno)); -- if (retcontext >= 0) -- free(prev_context); -- free(scontext); -- close(fd); -- return; -- } -- syslog(LOG_WARNING, "Reset file context %s: %s->%s\n", -- filename, prev_context, scontext); -- } -- if (retcontext >= 0) -- free(prev_context); -- } else { -- if (errno != EOPNOTSUPP) -- syslog(LOG_ERR, "get context on %s failed: '%s'\n", -- filename, strerror(errno)); -- } -- free(scontext); -- close(fd); --} -- --static void process_config(int fd, FILE * cfg) --{ 
-- char *line_buf = NULL; -- size_t len = 0; -- -- while (getline(&line_buf, &len, cfg) > 0) { -- char *buffer = line_buf; -- while (isspace(*buffer)) -- buffer++; -- if (buffer[0] == '#') -- continue; -- int l = strlen(buffer) - 1; -- if (l <= 0) -- continue; -- buffer[l] = 0; -- if (buffer[0] == '~') -- utmpwatcher_add(fd, &buffer[1]); -- else { -- watch_list_add(fd, buffer); -- } -- } -- free(line_buf); --} -- --/* -- Read config file ignoring Comment lines -- Files specified one per line. Files with "~" will be expanded to the logged in users -- homedirs. --*/ -- --static void read_config(int fd) --{ -- char *watch_file_path = "/etc/selinux/restorecond.conf"; -- -- FILE *cfg = NULL; -- if (debug_mode) -- printf("Read Config\n"); - -- watch_list_free(fd); -+static char *server_watch_file = "/etc/selinux/restorecond.conf"; -+static char *user_watch_file = "/etc/selinux/restorecond_user.conf"; -+static char *watch_file; -+static struct restore_opts r_opts; - -- cfg = fopen(watch_file_path, "r"); -- if (!cfg) -- exitApp("Error reading config file."); -- process_config(fd, cfg); -- fclose(cfg); -- -- inotify_rm_watch(fd, master_wd); -- master_wd = -- inotify_add_watch(fd, watch_file_path, IN_MOVED_FROM | IN_MODIFY); -- if (master_wd == -1) -- exitApp("Error watching config file."); --} -- --/* -- Inotify watch loop --*/ --static int watch(int fd) --{ -- char buf[BUF_LEN]; -- int len, i = 0; -- len = read(fd, buf, BUF_LEN); -- if (len < 0) { -- if (terminate == 0) { -- syslog(LOG_ERR, "Read error (%s)", strerror(errno)); -- return 0; -- } -- syslog(LOG_ERR, "terminated"); -- return -1; -- } else if (!len) -- /* BUF_LEN too small? 
*/ -- return -1; -- while (i < len) { -- struct inotify_event *event; -- event = (struct inotify_event *)&buf[i]; -- if (debug_mode) -- printf("wd=%d mask=%u cookie=%u len=%u\n", -- event->wd, event->mask, -- event->cookie, event->len); -- -- if (event->mask & ~IN_IGNORED) { -- if (event->wd == master_wd) -- read_config(fd); -- else { -- switch (utmpwatcher_handle(fd, event->wd)) { -- case -1: /* Message was not for utmpwatcher */ -- if (event->len) -- watch_list_find(event->wd, event->name); -- break; -+#include - -- case 1: /* utmp has changed need to reload */ -- read_config(fd); -- break; -+int debug_mode = 0; -+int terminate = 0; -+int master_wd = -1; -+int run_as_user = 0; - -- default: /* No users logged in or out */ -- break; -- } -- } -- } -- -- i += EVENT_SIZE + event->len; -- } -- return 0; -+static void done(void) { -+ watch_list_free(master_fd); -+ close(master_fd); -+ utmpwatcher_free(); -+ matchpathcon_fini(); - } - - static const char *pidfile = "/var/run/restorecond.pid"; -@@ -377,7 +120,7 @@ static void term_handler() - - static void usage(char *program) - { -- printf("%s [-d] [-v] \n", program); -+ printf("%s [-d] [-f restorecond_file ] [-u] [-v] \n", program); - exit(0); - } - -@@ -393,74 +136,35 @@ void exitApp(const char *msg) - to see if it is one that we are watching. 
- */ - --void watch_list_add(int fd, const char *path) --{ -- struct watchList *ptr = NULL; -- struct watchList *prev = NULL; -- char *x = strdup(path); -- if (!x) -- exitApp("Out of Memory"); -- char *dir = dirname(x); -- char *file = basename(path); -- ptr = firstDir; -- -- restore(path, 1); -- -- while (ptr != NULL) { -- if (strcmp(dir, ptr->dir) == 0) { -- strings_list_add(&ptr->files, file); -- free(x); -- return; -- } -- prev = ptr; -- ptr = ptr->next; -- } -- ptr = calloc(1, sizeof(struct watchList)); -- -- if (!ptr) -- exitApp("Out of Memory"); -- -- ptr->wd = inotify_add_watch(fd, dir, IN_CREATE | IN_MOVED_TO); -- if (ptr->wd == -1) { -- free(ptr); -- syslog(LOG_ERR, "Unable to watch (%s) %s\n", -- path, strerror(errno)); -- return; -- } -- -- ptr->dir = strdup(dir); -- if (!ptr->dir) -- exitApp("Out of Memory"); -- -- strings_list_add(&ptr->files, file); -- if (prev) -- prev->next = ptr; -- else -- firstDir = ptr; -- -- if (debug_mode) -- printf("%d: Dir=%s, File=%s\n", ptr->wd, ptr->dir, file); -- -- free(x); --} -- - int main(int argc, char **argv) +@@ -140,6 +140,7 @@ int main(int argc, char **argv) { int opt; struct sigaction sa; ++ const char *null_array[1] = { NULL }; --#ifndef DEBUG -- /* Make sure we are root */ -- if (getuid() != 0) { -- fprintf(stderr, "You must be root to run this program.\n"); -- return 1; -- } --#endif -- /* Make sure we are root */ -- if (is_selinux_enabled() != 1) { -- fprintf(stderr, "Daemon requires SELinux be enabled to run.\n"); -- return 1; -- } -+ memset(&r_opts, 0, sizeof(r_opts)); -+ -+ r_opts.progress = 0; -+ r_opts.count = 0; -+ r_opts.debug = 0; -+ r_opts.change = 1; -+ r_opts.verbose = 0; -+ r_opts.logging = 0; -+ r_opts.rootpath = NULL; -+ r_opts.rootpathlen = 0; -+ r_opts.outfile = NULL; -+ r_opts.force = 0; -+ r_opts.hard_links = 0; -+ r_opts.abort_on_error = 0; -+ r_opts.add_assoc = 0; -+ r_opts.expand_realpath = 0; -+ r_opts.fts_flags = FTS_PHYSICAL; -+ r_opts.selabel_opt_validate = NULL; -+ 
r_opts.selabel_opt_path = NULL; -+ r_opts.ignore_enoent = 1; -+ -+ restore_init(&r_opts); -+ /* If we are not running SELinux then just exit */ -+ if (is_selinux_enabled() != 1) return 0; + memset(&r_opts, 0, sizeof(r_opts)); - /* Register sighandlers */ - sa.sa_flags = 0; -@@ -470,36 +174,59 @@ int main(int argc, char **argv) +@@ -160,6 +161,7 @@ int main(int argc, char **argv) + r_opts.fts_flags = FTS_PHYSICAL; + r_opts.selabel_opt_validate = NULL; + r_opts.selabel_opt_path = NULL; ++ r_opts.selabel_opt_prefixes = null_array; + r_opts.ignore_enoent = 1; - set_matchpathcon_flags(MATCHPATHCON_NOTRANS); - -- master_fd = inotify_init(); -- if (master_fd < 0) -- exitApp("inotify_init"); -- -- while ((opt = getopt(argc, argv, "dv")) > 0) { -+ exclude_non_seclabel_mounts(); -+ atexit( done ); -+ while ((opt = getopt(argc, argv, "df:uv")) > 0) { - switch (opt) { - case 'd': - debug_mode = 1; - break; -+ case 'f': -+ watch_file = optarg; -+ break; -+ case 'u': -+ run_as_user = 1; -+ break; - case 'v': -- verbose_mode = 1; -+ r_opts.verbose++; - break; - case '?': - usage(argv[0]); - } - } -- read_config(master_fd); -+ -+ master_fd = inotify_init(); -+ if (master_fd < 0) -+ exitApp("inotify_init"); -+ -+ uid_t uid = getuid(); -+ struct passwd *pwd = getpwuid(uid); -+ if (!pwd) -+ exitApp("getpwuid"); -+ -+ homedir = pwd->pw_dir; -+ if (uid != 0) { -+ if (run_as_user) -+ return server(master_fd, user_watch_file); -+ if (start() != 0) -+ return server(master_fd, user_watch_file); -+ return 0; -+ } -+ -+ watch_file = server_watch_file; -+ read_config(master_fd, watch_file); - - if (!debug_mode) - daemon(0, 0); - - write_pid_file(); - -- while (watch(master_fd) == 0) { -+ while (watch(master_fd, watch_file) == 0) { - }; - - watch_list_free(master_fd); - close(master_fd); - matchpathcon_fini(); -- utmpwatcher_free(); - if (pidfile) - unlink(pidfile); - -diff --git a/policycoreutils/restorecond/restorecond.conf b/policycoreutils/restorecond/restorecond.conf -index 
3fc9376..58b723a 100644 ---- a/policycoreutils/restorecond/restorecond.conf -+++ b/policycoreutils/restorecond/restorecond.conf -@@ -4,8 +4,5 @@ - /etc/mtab - /var/run/utmp - /var/log/wtmp --~/* --/root/.ssh -+/root/* - /root/.ssh/* -- -- -diff --git a/policycoreutils/restorecond/restorecond.desktop b/policycoreutils/restorecond/restorecond.desktop -new file mode 100644 -index 0000000..23ff89d ---- /dev/null -+++ b/policycoreutils/restorecond/restorecond.desktop -@@ -0,0 +1,7 @@ -+[Desktop Entry] -+Name=File Context maintainer -+Exec=/usr/sbin/restorecond -u -+Comment=Fix file context in owned by the user -+Encoding=UTF-8 -+Type=Application -+StartupNotify=false -diff --git a/policycoreutils/restorecond/restorecond.h b/policycoreutils/restorecond/restorecond.h -index e1666bf..8c85ef0 100644 ---- a/policycoreutils/restorecond/restorecond.h -+++ b/policycoreutils/restorecond/restorecond.h -@@ -24,7 +24,22 @@ - #ifndef RESTORED_CONFIG_H - #define RESTORED_CONFIG_H - --void exitApp(const char *msg); --void watch_list_add(int inotify_fd, const char *path); -+extern int debug_mode; -+extern const char *homedir; -+extern int terminate; -+extern int master_wd; -+extern int run_as_user; -+ -+extern int start(void); -+extern int server(int, const char *watch_file); -+ -+extern void exitApp(const char *msg); -+extern void read_config(int fd, const char *watch_file); -+ -+extern int watch(int fd, const char *watch_file); -+extern void watch_list_add(int inotify_fd, const char *path); -+extern int watch_list_find(int wd, const char *file); -+extern void watch_list_free(int fd); -+extern int watch_list_isempty(); - - #endif -diff --git a/policycoreutils/restorecond/restorecond.init b/policycoreutils/restorecond/restorecond.init -index b966db6..775c52b 100644 ---- a/policycoreutils/restorecond/restorecond.init -+++ b/policycoreutils/restorecond/restorecond.init -@@ -26,7 +26,7 @@ PATH=/sbin:/bin:/usr/bin:/usr/sbin - # Source function library. - . 
/etc/rc.d/init.d/functions - --[ -x /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled || exit 0 -+[ -x /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled || exit 7 - - # Check that we are root ... so non-root users stop here - test $EUID = 0 || exit 4 -@@ -75,16 +75,15 @@ case "$1" in - status restorecond - RETVAL=$? - ;; -- restart|reload) -+ force-reload|restart|reload) - restart - ;; - condrestart) - [ -e /var/lock/subsys/restorecond ] && restart || : - ;; - *) -- echo $"Usage: $0 {start|stop|restart|reload|condrestart}" -+ echo $"Usage: $0 {start|stop|restart|force-reload|status|condrestart}" - RETVAL=3 - esac - - exit $RETVAL -- -diff --git a/policycoreutils/restorecond/restorecond_user.conf b/policycoreutils/restorecond/restorecond_user.conf -new file mode 100644 -index 0000000..b4debed ---- /dev/null -+++ b/policycoreutils/restorecond/restorecond_user.conf -@@ -0,0 +1,8 @@ -+~/* -+~/public_html/* -+~/.gnome2/* -+~/local/* -+~/.fonts/* -+~/.cache/* -+~/.config/* -+~/.local/share/* -diff --git a/policycoreutils/restorecond/user.c b/policycoreutils/restorecond/user.c -new file mode 100644 -index 0000000..4257058 ---- /dev/null -+++ b/policycoreutils/restorecond/user.c -@@ -0,0 +1,259 @@ -+/* -+ * restorecond -+ * -+ * Copyright (C) 2006-2009 Red Hat -+ * see file 'COPYING' for use and warranty information -+ * -+ * This program is free software; you can redistribute it and/or -+ * modify it under the terms of the GNU General Public License as -+ * published by the Free Software Foundation; either version 2 of -+ * the License, or (at your option) any later version. -+ * -+ * This program is distributed in the hope that it will be useful, -+ * but WITHOUT ANY WARRANTY; without even the implied warranty of -+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+ * GNU General Public License for more details. 
-+.* -+ * You should have received a copy of the GNU General Public License -+ * along with this program; if not, write to the Free Software -+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA -+ * 02111-1307 USA -+ * -+ * Authors: -+ * Dan Walsh -+ * -+*/ -+ -+#define _GNU_SOURCE -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+ -+#include "restorecond.h" -+#include "stringslist.h" -+#include -+#ifdef HAVE_DBUS -+#include -+#include -+#include -+ -+static DBusHandlerResult signal_filter (DBusConnection *connection, DBusMessage *message, void *user_data); -+ -+static const char *PATH="/org/selinux/Restorecond"; -+//static const char *BUSNAME="org.selinux.Restorecond"; -+static const char *INTERFACE="org.selinux.RestorecondIface"; -+static const char *RULE="type='signal',interface='org.selinux.RestorecondIface'"; -+ -+ -+static DBusHandlerResult -+signal_filter (DBusConnection *connection __attribute__ ((__unused__)), DBusMessage *message, void *user_data) -+{ -+ /* User data is the event loop we are running in */ -+ GMainLoop *loop = user_data; -+ -+ /* A signal from the bus saying we are about to be disconnected */ -+ if (dbus_message_is_signal -+ (message, INTERFACE, "Stop")) { -+ -+ /* Tell the main loop to quit */ -+ g_main_loop_quit (loop); -+ /* We have handled this message, don't pass it on */ -+ return DBUS_HANDLER_RESULT_HANDLED; -+ } -+ /* A Ping signal on the com.burtonini.dbus.Signal interface */ -+ else if (dbus_message_is_signal (message, INTERFACE, "Start")) { -+ DBusError error; -+ dbus_error_init (&error); -+ g_print("Start received\n"); -+ return DBUS_HANDLER_RESULT_HANDLED; -+ } -+ return DBUS_HANDLER_RESULT_NOT_YET_HANDLED; -+} -+ -+static int dbus_server(GMainLoop *loop) { -+ DBusConnection *bus; -+ DBusError error; -+ dbus_error_init (&error); -+ bus = dbus_bus_get (DBUS_BUS_SESSION, &error); -+ if (bus) { -+ 
dbus_connection_setup_with_g_main (bus, NULL); -+ -+ /* listening to messages from all objects as no path is specified */ -+ dbus_bus_add_match (bus, RULE, &error); // see signals from the given interfacey -+ dbus_connection_add_filter (bus, signal_filter, loop, NULL); -+ return 0; -+ } -+ return -1; -+} -+ -+#endif -+#include -+#include -+ -+/* size of the event structure, not counting name */ -+#define EVENT_SIZE (sizeof (struct inotify_event)) -+/* reasonable guess as to size of 1024 events */ -+#define BUF_LEN (1024 * (EVENT_SIZE + 16)) -+ -+static gboolean -+io_channel_callback -+ (GIOChannel *source, -+ GIOCondition condition, -+ gpointer data __attribute__((__unused__))) -+{ -+ -+ char buffer[BUF_LEN+1]; -+ gsize bytes_read; -+ unsigned int i = 0; -+ -+ if (condition & G_IO_IN) { -+ /* Data is available. */ -+ g_io_channel_read -+ (source, buffer, -+ sizeof (buffer), -+ &bytes_read); -+ -+ if (! bytes_read) { -+ /* Sesssion/Terminal Ended */ -+ exit(0); -+ } -+ -+ while (i < bytes_read) { -+ struct inotify_event *event; -+ event = (struct inotify_event *)&buffer[i]; -+ if (debug_mode) -+ printf("wd=%d mask=%u cookie=%u len=%u\n", -+ event->wd, event->mask, -+ event->cookie, event->len); -+ if (event->len) -+ watch_list_find(event->wd, event->name); -+ -+ i += EVENT_SIZE + event->len; -+ } -+ } -+ -+ /* An error happened while reading -+ the file. */ -+ -+ if (condition & G_IO_NVAL) -+ return FALSE; -+ -+ /* We have reached the end of the -+ file. */ -+ -+ if (condition & G_IO_HUP) { -+ g_io_channel_close (source); -+ exit(0); -+ return FALSE; -+ } -+ -+ /* Returning TRUE will make sure -+ the callback remains associated -+ to the channel. 
*/ -+ -+ return TRUE; -+} -+ -+int start() { -+#ifdef HAVE_DBUS -+ DBusConnection *bus; -+ DBusError error; -+ DBusMessage *message; -+ -+ /* Get a connection to the session bus */ -+ dbus_error_init (&error); -+ bus = dbus_bus_get (DBUS_BUS_SESSION, &error); -+ if (!bus) { -+ if (debug_mode) -+ g_warning ("Failed to connect to the D-BUS daemon: %s", error.message); -+ dbus_error_free (&error); -+ return 1; -+ } -+ -+ -+ /* Create a new signal "Start" on the interface, -+ * from the object */ -+ message = dbus_message_new_signal (PATH, -+ INTERFACE, "Start"); -+ /* Send the signal */ -+ dbus_connection_send (bus, message, NULL); -+ /* Free the signal now we have finished with it */ -+ dbus_message_unref (message); -+#endif /* HAVE_DBUS */ -+ return 0; -+} -+ -+static int local_server() { -+ // ! dbus, run as local service -+ char *ptr=NULL; -+ if (asprintf(&ptr, "%s/.restorecond", homedir) < 0) { -+ if (debug_mode) -+ perror("asprintf"); -+ return -1; -+ } -+ int fd = open(ptr, O_CREAT | O_WRONLY | O_NOFOLLOW, S_IRUSR | S_IWUSR); -+ if (debug_mode) -+ g_warning ("Lock file: %s", ptr); -+ -+ free(ptr); -+ if (fd < 0) { -+ if (debug_mode) -+ perror("open"); -+ return -1; -+ } -+ if (flock(fd, LOCK_EX | LOCK_NB) < 0) { -+ if (debug_mode) -+ perror("flock"); -+ return -1; -+ } -+ /* watch for stdin/terminal going away */ -+ GIOChannel *in = g_io_channel_unix_new(0); -+ g_io_add_watch_full( in, -+ G_PRIORITY_HIGH, -+ G_IO_IN|G_IO_ERR|G_IO_HUP, -+ io_channel_callback, NULL, NULL); -+ -+ return 0; -+} -+ -+int server(int master_fd, const char *watch_file) { -+ GMainLoop *loop; -+ -+ loop = g_main_loop_new (NULL, FALSE); -+ -+#ifdef HAVE_DBUS -+ if (dbus_server(loop) != 0) -+#endif /* HAVE_DBUS */ -+ if (local_server()) -+ goto end; -+ -+ read_config(master_fd, watch_file); -+ -+ if (watch_list_isempty()) goto end; -+ -+ set_matchpathcon_flags(MATCHPATHCON_NOTRANS); -+ -+ GIOChannel *c = g_io_channel_unix_new(master_fd); -+ -+ g_io_add_watch_full( c, -+ G_PRIORITY_HIGH, -+ 
G_IO_IN|G_IO_ERR|G_IO_HUP, -+ io_channel_callback, NULL, NULL); -+ -+ g_main_loop_run (loop); -+ -+end: -+ g_main_loop_unref (loop); -+ return 0; -+} -+ -diff --git a/policycoreutils/restorecond/watch.c b/policycoreutils/restorecond/watch.c -new file mode 100644 -index 0000000..6a833c3 ---- /dev/null -+++ b/policycoreutils/restorecond/watch.c -@@ -0,0 +1,272 @@ -+#define _GNU_SOURCE -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include "../setfiles/restore.h" -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include "restorecond.h" -+#include "stringslist.h" -+#include "utmpwatcher.h" -+ -+/* size of the event structure, not counting name */ -+#define EVENT_SIZE (sizeof (struct inotify_event)) -+/* reasonable guess as to size of 1024 events */ -+#define BUF_LEN (1024 * (EVENT_SIZE + 16)) -+ -+ -+struct watchList { -+ struct watchList *next; -+ int wd; -+ char *dir; -+ struct stringsList *files; -+}; -+struct watchList *firstDir = NULL; -+ -+int watch_list_isempty() { -+ return firstDir == NULL; -+} -+ -+void watch_list_add(int fd, const char *path) -+{ -+ struct watchList *ptr = NULL; -+ size_t i = 0; -+ struct watchList *prev = NULL; -+ glob_t globbuf; -+ char *x = strdup(path); -+ if (!x) exitApp("Out of Memory"); -+ char *file = basename(x); -+ char *dir = dirname(x); -+ ptr = firstDir; -+ -+ if (exclude(path)) goto end; -+ -+ globbuf.gl_offs = 1; -+ if (glob(path, -+ GLOB_TILDE | GLOB_PERIOD, -+ NULL, -+ &globbuf) >= 0) { -+ for (i=0; i < globbuf.gl_pathc; i++) { -+ int len = strlen(globbuf.gl_pathv[i]) -2; -+ if (len > 0 && strcmp(&globbuf.gl_pathv[i][len--], "/.") == 0) continue; -+ if (len > 0 && strcmp(&globbuf.gl_pathv[i][len], "/..") == 0) continue; -+ if (process_one_realpath(globbuf.gl_pathv[i], 0) > 0) -+ process_one_realpath(globbuf.gl_pathv[i], 1); -+ } -+ globfree(&globbuf); -+ } -+ -+ while (ptr != NULL) { -+ if (strcmp(dir, ptr->dir) == 0) { -+ 
strings_list_add(&ptr->files, file); -+ goto end; -+ } -+ prev = ptr; -+ ptr = ptr->next; -+ } -+ ptr = calloc(1, sizeof(struct watchList)); -+ -+ if (!ptr) exitApp("Out of Memory"); -+ -+ ptr->wd = inotify_add_watch(fd, dir, IN_CREATE | IN_MOVED_TO); -+ if (ptr->wd == -1) { -+ free(ptr); -+ if (! run_as_user) -+ syslog(LOG_ERR, "Unable to watch (%s) %s\n", -+ path, strerror(errno)); -+ goto end; -+ } -+ -+ ptr->dir = strdup(dir); -+ if (!ptr->dir) -+ exitApp("Out of Memory"); -+ -+ strings_list_add(&ptr->files, file); -+ if (prev) -+ prev->next = ptr; -+ else -+ firstDir = ptr; -+ -+ if (debug_mode) -+ printf("%d: Dir=%s, File=%s\n", ptr->wd, ptr->dir, file); -+ -+end: -+ free(x); -+ return; -+} -+ -+/* -+ A file was in a direcroty has been created. This function checks to -+ see if it is one that we are watching. -+*/ -+ -+int watch_list_find(int wd, const char *file) -+{ -+ struct watchList *ptr = NULL; -+ ptr = firstDir; -+ if (debug_mode) -+ printf("%d: File=%s\n", wd, file); -+ while (ptr != NULL) { -+ if (ptr->wd == wd) { -+ int exact=0; -+ if (strings_list_find(ptr->files, file, &exact) == 0) { -+ char *path = NULL; -+ if (asprintf(&path, "%s/%s", ptr->dir, file) < -+ 0) -+ exitApp("Error allocating memory."); -+ -+ process_one_realpath(path, 0); -+ free(path); -+ return 0; -+ } -+ if (debug_mode) -+ strings_list_print(ptr->files); -+ -+ /* Not found in this directory */ -+ return -1; -+ } -+ ptr = ptr->next; -+ } -+ /* Did not find a directory */ -+ return -1; -+} -+ -+void watch_list_free(int fd) -+{ -+ struct watchList *ptr = NULL; -+ struct watchList *prev = NULL; -+ ptr = firstDir; -+ -+ while (ptr != NULL) { -+ inotify_rm_watch(fd, ptr->wd); -+ strings_list_free(ptr->files); -+ free(ptr->dir); -+ prev = ptr; -+ ptr = ptr->next; -+ free(prev); -+ } -+ firstDir = NULL; -+} -+ -+/* -+ Inotify watch loop -+*/ -+int watch(int fd, const char *watch_file) -+{ -+ char buf[BUF_LEN]; -+ int len, i = 0; -+ if (firstDir == NULL) return 0; -+ -+ len = read(fd, 
buf, BUF_LEN); -+ if (len < 0) { -+ if (terminate == 0) { -+ syslog(LOG_ERR, "Read error (%s)", strerror(errno)); -+ return 0; -+ } -+ syslog(LOG_ERR, "terminated"); -+ return -1; -+ } else if (!len) -+ /* BUF_LEN too small? */ -+ return -1; -+ while (i < len) { -+ struct inotify_event *event; -+ event = (struct inotify_event *)&buf[i]; -+ if (debug_mode) -+ printf("wd=%d mask=%u cookie=%u len=%u\n", -+ event->wd, event->mask, -+ event->cookie, event->len); -+ if (event->wd == master_wd) -+ read_config(fd, watch_file); -+ else { -+ switch (utmpwatcher_handle(fd, event->wd)) { -+ case -1: /* Message was not for utmpwatcher */ -+ if (event->len) -+ watch_list_find(event->wd, event->name); -+ break; -+ case 1: /* utmp has changed need to reload */ -+ read_config(fd, watch_file); -+ break; -+ -+ default: /* No users logged in or out */ -+ break; -+ } -+ } -+ -+ i += EVENT_SIZE + event->len; -+ } -+ return 0; -+} -+ -+static void process_config(int fd, FILE * cfg) -+{ -+ char *line_buf = NULL; -+ size_t len = 0; -+ -+ while (getline(&line_buf, &len, cfg) > 0) { -+ char *buffer = line_buf; -+ while (isspace(*buffer)) -+ buffer++; -+ if (buffer[0] == '#') -+ continue; -+ int l = strlen(buffer) - 1; -+ if (l <= 0) -+ continue; -+ buffer[l] = 0; -+ if (buffer[0] == '~') { -+ if (run_as_user) { -+ char *ptr=NULL; -+ if (asprintf(&ptr, "%s%s", homedir, &buffer[1]) < 0) -+ exitApp("Error allocating memory."); -+ -+ watch_list_add(fd, ptr); -+ free(ptr); -+ } else { -+ utmpwatcher_add(fd, &buffer[1]); -+ } -+ } else { -+ watch_list_add(fd, buffer); -+ } -+ } -+ free(line_buf); -+} -+ -+/* -+ Read config file ignoring Comment lines -+ Files specified one per line. Files with "~" will be expanded to the logged in users -+ homedirs. 
-+*/ -+ -+void read_config(int fd, const char *watch_file_path) -+{ -+ -+ FILE *cfg = NULL; -+ if (debug_mode) -+ printf("Read Config\n"); -+ -+ watch_list_free(fd); -+ -+ cfg = fopen(watch_file_path, "r"); -+ if (!cfg){ -+ perror(watch_file_path); -+ exitApp("Error reading config file"); -+ } -+ process_config(fd, cfg); -+ fclose(cfg); -+ -+ inotify_rm_watch(fd, master_wd); -+ master_wd = -+ inotify_add_watch(fd, watch_file_path, IN_MOVED_FROM | IN_MODIFY); -+ if (master_wd == -1) -+ exitApp("Error watching config file."); -+} + restore_init(&r_opts); diff --git a/policycoreutils/run_init/run_init.c b/policycoreutils/run_init/run_init.c index 9db766c..068e24c 100644 --- a/policycoreutils/run_init/run_init.c @@ -1351,10 +85,10 @@ index 9db766c..068e24c 100644 } /* main() */ diff --git a/policycoreutils/sandbox/Makefile b/policycoreutils/sandbox/Makefile -index 4764987..924999d 100644 +index 1c458f1..36042a2 100644 --- a/policycoreutils/sandbox/Makefile +++ b/policycoreutils/sandbox/Makefile -@@ -22,7 +22,7 @@ install: all +@@ -23,7 +23,7 @@ install: all install -m 644 sandbox.8 $(MANDIR)/man8/ install -m 644 seunshare.8 $(MANDIR)/man8/ -mkdir -p $(MANDIR)/man5 
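Review bot: The new rhat hunk for restorecond.c stores the address of an automatic variable into file-scope state, `r_opts.selabel_opt_prefixes = null_array;` with `const char *null_array[1] = { NULL };` declared as a local of `main`, and the hunk does not show whether `restore_init(&r_opts)` copies that pointer into a longer-lived handle or keeps referencing it. The rhat code being dropped here shows restorecond registering an `atexit(done)` cleanup that presumably survives upstream; if anything on that path reads `r_opts` after `main` returns, the pointer is dangling. Declaring it `static const char *null_array[1] = { NULL };` removes the lifetime question at no cost, and a one-line comment stating why an empty NULL-terminated prefix list is passed would make the intent clear to the next rebase. `main` starts and ends outside both added hunks, so the absence of a later dereference cannot be confirmed from here.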
@@ -1375,96 +109,14 @@ index d1ccdc2..11c391c 100644 LOCKFILE=/var/lock/subsys/sandbox -diff --git a/policycoreutils/sandbox/seunshare.c b/policycoreutils/sandbox/seunshare.c -index a52b6f1..c493e98 100644 ---- a/policycoreutils/sandbox/seunshare.c -+++ b/policycoreutils/sandbox/seunshare.c -@@ -1,3 +1,8 @@ -+/* -+ * Authors: Dan Walsh -+ * Authors: Thomas Liu -+ */ +diff --git a/policycoreutils/scripts/genhomedircon b/policycoreutils/scripts/genhomedircon +index ab696a7..58b19cd 100644 +--- a/policycoreutils/scripts/genhomedircon ++++ b/policycoreutils/scripts/genhomedircon +@@ -1,2 +1,3 @@ + #!/bin/sh + - #define _GNU_SOURCE - #include - #include -@@ -42,6 +47,10 @@ - #define MS_PRIVATE 1<<18 - #endif - -+#ifndef PACKAGE -+#define PACKAGE "policycoreutils" /* the name of this package lang translation */ -+#endif -+ - #define BUF_SIZE 1024 - #define DEFAULT_PATH "/usr/bin:/bin" - #define USAGE_STRING _("USAGE: seunshare [ -v ] [ -C ] [ -c ] [ -k ] [ -t tmpdir ] [ -h homedir ] [ -Z CONTEXT ] -- executable [args] ") -@@ -848,6 +857,12 @@ int main(int argc, char **argv) { - } - */ - -+#ifdef USE_NLS -+ setlocale(LC_ALL, ""); -+ bindtextdomain(PACKAGE, LOCALEDIR); -+ textdomain(PACKAGE); -+#endif -+ - struct passwd *pwd=getpwuid(uid); - if (!pwd) { - perror(_("getpwduid failed")); -@@ -944,6 +959,7 @@ int main(int argc, char **argv) { - - if (child == 0) { - char *display = NULL; -+ char *LANG = NULL; - int rc = -1; - - if (unshare(CLONE_NEWNS) < 0) { -@@ -969,12 +985,23 @@ int main(int argc, char **argv) { - goto childerr; - } - } -+ -+ /* construct a new environment */ -+ if ((LANG = getenv("LANG")) != NULL) { -+ if ((LANG = strdup(LANG)) == NULL) { -+ perror(_("Out of memory")); -+ goto childerr; -+ } -+ } -+ - if ((rc = clearenv()) != 0) { - perror(_("Failed to clear environment")); - goto childerr; - } - if (display) - rc |= setenv("DISPLAY", display, 1); -+ if (LANG) -+ rc |= setenv("LANG", LANG, 1); - rc |= setenv("HOME", pwd->pw_dir, 1); - rc |= 
setenv("SHELL", pwd->pw_shell, 1); - rc |= setenv("USER", pwd->pw_name, 1); -@@ -1000,6 +1027,7 @@ int main(int argc, char **argv) { - fprintf(stderr, _("Failed to execute command %s: %s\n"), argv[optind], strerror(errno)); - childerr: - free(display); -+ free(LANG); - exit(-1); - } - -diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles -index e4e5f0d..27dcccf 100755 ---- a/policycoreutils/scripts/fixfiles -+++ b/policycoreutils/scripts/fixfiles -@@ -103,7 +103,7 @@ exclude_dirs_from_relabelling() { - - exclude_dirs() { - exclude= -- for i in /home /root /tmp /dev; do -+ for i in /var/lib/BackupPC /home /tmp /dev; do - [ -e $i ] && exclude="$exclude -e $i"; - done - exclude="$exclude `exclude_dirs_from_relabelling`" + /usr/sbin/semodule -Bn diff --git a/policycoreutils/semanage/default_encoding/Makefile b/policycoreutils/semanage/default_encoding/Makefile new file mode 100644 index 0000000..e15a877 @@ -1610,7 +262,7 @@ index 0000000..e2befdb + packages=["policycoreutils"], +) diff --git a/policycoreutils/semanage/semanage b/policycoreutils/semanage/semanage -index ee4d077..2c0cfdd 100644 +index 48d7baa..2c0cfdd 100644 --- a/policycoreutils/semanage/semanage +++ b/policycoreutils/semanage/semanage @@ -20,6 +20,7 @@ 
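Review bot: The genhomedircon hunk that this change adds to the rhat patch (`+@@ -1,2 +1,3 @@`, ending in `/usr/sbin/semodule -Bn`) is not mentioned in the commit description or in the spec changelog, although every other rhat.patch change is listed there. In the collapsed text it is not even clear which of the three lines is the one being added, so a reader cannot tell what the script gains; a changelog bullet such as `* genhomedircon: <describe the added line>` would make the intent reviewable. The rest of this hunk only drops seunshare.c and fixfiles changes that upstream 2.1.8 now carries, which needs no further comment.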
@@ -1647,28 +299,7 @@ index ee4d077..2c0cfdd 100644 disable = True if o == "-F" or o == "--file": -@@ -338,9 +342,11 @@ Object-specific Options (see above): - - if o == "--on" or o == "-1": - value = "on" -+ modify = True - - if o == "--off" or o == "-0": - value = "off" -+ modify = True - - if object == "login": - OBJECT = seobject.loginRecords(store) -@@ -362,6 +368,8 @@ Object-specific Options (see above): - - if object == "boolean": - OBJECT = seobject.booleanRecords(store) -+ if use_file: -+ modify = True - - if object == "module": - OBJECT = seobject.moduleRecords(store) -@@ -500,31 +508,36 @@ Object-specific Options (see above): +@@ -504,31 +508,36 @@ Object-specific Options (see above): if len(sys.argv) < 3: usage(_("Requires 2 or more arguments")) @@ -1730,7 +361,7 @@ index ee4d077..2c0cfdd 100644 for o, a in gopts: if o == "-S" or o == '--store': store = a -@@ -554,8 +567,6 @@ Object-specific Options (see above): +@@ -558,8 +567,6 @@ Object-specific Options (see above): else: process_args(sys.argv[1:]) @@ -1739,22 +370,8 @@ index ee4d077..2c0cfdd 100644 except ValueError, error: errorExit(error.args[0]) except KeyError, error: -diff --git a/policycoreutils/semanage/semanage.8 b/policycoreutils/semanage/semanage.8 -index adcb416..c5e18d9 100644 ---- a/policycoreutils/semanage/semanage.8 -+++ b/policycoreutils/semanage/semanage.8 -@@ -163,6 +163,9 @@ SELinux Type for the object - .I \-i, \-\-input - Take a set of commands from a specified file and load them in a single - transaction. -+.TP -+.I \-o, \-\-output -+Output all local customizations into a file. This file than can be used with the semanage -i command to customize other machines to match the local machine. - - .SH EXAMPLE - .nf diff --git a/policycoreutils/semanage/seobject.py b/policycoreutils/semanage/seobject.py -index 5847ba0..e4b6c0d 100644 +index a7008fc..e4b6c0d 100644 --- a/policycoreutils/semanage/seobject.py +++ b/policycoreutils/semanage/seobject.py 
@@ -30,11 +30,10 @@ from IPy import IP @@ -1773,21 +390,15 @@ index 5847ba0..e4b6c0d 100644 import syslog -@@ -161,10 +160,12 @@ def untranslate(trans, prepend = 1): - return trans - else: - return raw -- -+ - class semanageRecords: +@@ -166,6 +165,7 @@ class semanageRecords: transaction = False handle = None -+ store = None + store = None + def __init__(self, store): global handle -@@ -332,6 +333,7 @@ class permissiveRecords(semanageRecords): +@@ -333,6 +333,7 @@ class permissiveRecords(semanageRecords): name = semanage_module_get_name(mod) if name and name.startswith("permissive_"): l.append(name.split("permissive_")[1]) @@ -1795,7 +406,7 @@ index 5847ba0..e4b6c0d 100644 return l def list(self, heading = 1, locallist = 0): -@@ -430,7 +432,9 @@ class loginRecords(semanageRecords): +@@ -431,7 +432,9 @@ class loginRecords(semanageRecords): if rc < 0: raise ValueError(_("Could not check if login mapping for %s is defined") % name) if exists: @@ -1806,7 +417,7 @@ index 5847ba0..e4b6c0d 100644 if name[0] == '%': try: grp.getgrnam(name[1:]) -@@ -640,7 +644,8 @@ class seluserRecords(semanageRecords): +@@ -641,7 +644,8 @@ class seluserRecords(semanageRecords): if rc < 0: raise ValueError(_("Could not check if SELinux user %s is defined") % name) if exists: @@ -1816,7 +427,7 @@ index 5847ba0..e4b6c0d 100644 (rc, u) = semanage_user_create(self.sh) if rc < 0: -@@ -880,6 +885,7 @@ class portRecords(semanageRecords): +@@ -881,6 +885,7 @@ class portRecords(semanageRecords): return ( k, proto_d, low, high ) def __add(self, port, proto, serange, type): @@ -1824,7 +435,7 @@ index 5847ba0..e4b6c0d 100644 if is_mls_enabled == 1: if serange == "": serange = "s0" -@@ -942,6 +948,7 @@ class portRecords(semanageRecords): +@@ -943,6 +948,7 @@ class portRecords(semanageRecords): self.commit() def __modify(self, port, proto, serange, setype): 
@@ -1832,7 +443,7 @@ index 5847ba0..e4b6c0d 100644 if serange == "" and setype == "": if is_mls_enabled == 1: raise ValueError(_("Requires setype or serange")) -@@ -1155,7 +1162,8 @@ class nodeRecords(semanageRecords): +@@ -1156,7 +1162,8 @@ class nodeRecords(semanageRecords): (rc, exists) = semanage_node_exists(self.sh, k) if exists: @@ -1842,7 +453,7 @@ index 5847ba0..e4b6c0d 100644 (rc, node) = semanage_node_create(self.sh) if rc < 0: -@@ -1171,7 +1179,6 @@ class nodeRecords(semanageRecords): +@@ -1172,7 +1179,6 @@ class nodeRecords(semanageRecords): if rc < 0: raise ValueError(_("Could not set mask for %s") % addr) @@ -1850,7 +461,7 @@ index 5847ba0..e4b6c0d 100644 rc = semanage_context_set_user(self.sh, con, "system_u") if rc < 0: raise ValueError(_("Could not set user in addr context for %s") % addr) -@@ -1223,12 +1230,11 @@ class nodeRecords(semanageRecords): +@@ -1224,12 +1230,11 @@ class nodeRecords(semanageRecords): if not exists: raise ValueError(_("Addr %s is not defined") % addr) @@ -1864,7 +475,7 @@ index 5847ba0..e4b6c0d 100644 if serange != "": semanage_context_set_mls(self.sh, con, untranslate(serange)) if setype != "": -@@ -1356,7 +1362,8 @@ class interfaceRecords(semanageRecords): +@@ -1357,7 +1362,8 @@ class interfaceRecords(semanageRecords): if rc < 0: raise ValueError(_("Could not check if interface %s is defined") % interface) if exists: @@ -1874,7 +485,7 @@ index 5847ba0..e4b6c0d 100644 (rc, iface) = semanage_iface_create(self.sh) if rc < 0: -@@ -1617,7 +1624,8 @@ class fcontextRecords(semanageRecords): +@@ -1618,7 +1624,8 @@ class fcontextRecords(semanageRecords): raise ValueError(_("Could not check if file context for %s is defined") % target) if exists: 
@@ -1884,83 +495,8 @@ index 5847ba0..e4b6c0d 100644 (rc, fcontext) = semanage_fcontext_create(self.sh) if rc < 0: -@@ -1842,6 +1850,18 @@ class booleanRecords(semanageRecords): - self.dict["1"] = 1 - self.dict["0"] = 0 - -+ try: -+ rc, self.current_booleans = selinux.security_get_boolean_names() -+ rc, ptype = selinux.selinux_getpolicytype() -+ except: -+ self.current_booleans = [] -+ ptype = None -+ -+ if self.store == None or self.store == ptype: -+ self.modify_local = True -+ else: -+ self.modify_local = False -+ - def __mod(self, name, value): - (rc, k) = semanage_bool_key_create(self.sh, name) - if rc < 0: -@@ -1861,9 +1881,10 @@ class booleanRecords(semanageRecords): - else: - raise ValueError(_("You must specify one of the following values: %s") % ", ".join(self.dict.keys()) ) - -- rc = semanage_bool_set_active(self.sh, k, b) -- if rc < 0: -- raise ValueError(_("Could not set active value of boolean %s") % name) -+ if self.modify_local and name in self.current_booleans: -+ rc = semanage_bool_set_active(self.sh, k, b) -+ if rc < 0: -+ raise ValueError(_("Could not set active value of boolean %s") % name) - rc = semanage_bool_modify_local(self.sh, k, b) - if rc < 0: - raise ValueError(_("Could not modify boolean %s") % name) -@@ -1946,8 +1967,12 @@ class booleanRecords(semanageRecords): - value = [] - name = semanage_bool_get_name(boolean) - value.append(semanage_bool_get_value(boolean)) -- value.append(selinux.security_get_boolean_pending(name)) -- value.append(selinux.security_get_boolean_active(name)) -+ if self.modify_local and boolean in self.current_booleans: -+ value.append(selinux.security_get_boolean_pending(name)) -+ value.append(selinux.security_get_boolean_active(name)) -+ else: -+ value.append(value[0]) -+ value.append(value[0]) - ddict[name] = value - - return ddict -diff --git a/policycoreutils/semodule/semodule.8 b/policycoreutils/semodule/semodule.8 -index 12191f6..9fb2b78 100644 ---- a/policycoreutils/semodule/semodule.8 -+++ 
b/policycoreutils/semodule/semodule.8 -@@ -41,6 +41,9 @@ disable existing module - .B \-e,\-\-enable=MODULE_NAME - enable existing module - .TP -+.B \-p,\-\-path=ROOTPATH -+use an alternate root path -+.TP - .B \-r,\-\-remove=MODULE_NAME - remove existing module - .TP -diff --git a/policycoreutils/semodule_package/Makefile b/policycoreutils/semodule_package/Makefile -index f84cd7e..3565f5e 100644 ---- a/policycoreutils/semodule_package/Makefile -+++ b/policycoreutils/semodule_package/Makefile -@@ -24,7 +24,7 @@ install: all - relabel: - - clean: -- -rm -f semodule_package *.o -+ -rm -f semodule_package semodule_unpackage *.o - - indent: - ../../scripts/Lindent $(wildcard *.[ch]) diff --git a/policycoreutils/setfiles/restore.c b/policycoreutils/setfiles/restore.c -index ce44c04..373c9b9 100644 +index 9a7d315..e57d34f 100644 --- a/policycoreutils/setfiles/restore.c +++ b/policycoreutils/setfiles/restore.c @@ -1,5 +1,6 @@ 
@@ -1978,39 +514,44 @@ index ce44c04..373c9b9 100644 struct restore_opts *r_opts = NULL; static void filespec_destroy(void); static void filespec_eval(void); -@@ -59,10 +59,11 @@ void restore_init(struct restore_opts *opts) +@@ -58,11 +58,16 @@ void remove_exclude(const char *directory) + void restore_init(struct restore_opts *opts) { r_opts = opts; - struct selinux_opt selinux_opts[] = { +- struct selinux_opt selinux_opts[] = { - { SELABEL_OPT_VALIDATE, r_opts->selabel_opt_validate }, - { SELABEL_OPT_PATH, r_opts->selabel_opt_path } -+ { SELABEL_OPT_VALIDATE , { r_opts->selabel_opt_validate } }, -+ { SELABEL_OPT_PATH, {r_opts->selabel_opt_path }}, -+ { SELABEL_OPT_SUBSET,{r_opts->selabel_opt_subset }} - }; +- }; - r_opts->hnd = selabel_open(SELABEL_CTX_FILE, selinux_opts, 2); ++ struct selinux_opt selinux_opts[3]; ++ ++ selinux_opts[0].type = SELABEL_OPT_VALIDATE; ++ selinux_opts[0].value = r_opts->selabel_opt_validate; ++ selinux_opts[1].type = SELABEL_OPT_PATH; ++ selinux_opts[1].value = r_opts->selabel_opt_path; ++ selinux_opts[2].type = SELABEL_OPT_PREFIXES; ++ selinux_opts[2].values = r_opts->selabel_opt_prefixes; ++ + r_opts->hnd = selabel_open(SELABEL_CTX_FILE, selinux_opts, 3); if (!r_opts->hnd) { perror(r_opts->selabel_opt_path); exit(1); -@@ -103,9 +104,8 @@ static int match(const char *name, struct stat *sb, char **con) - static int restore(FTSENT *ftsent) +@@ -104,8 +109,7 @@ static int restore(FTSENT *ftsent) { char *my_file = strdupa(ftsent->fts_path); -- int ret; + int ret = -1; - char *context, *newcon; - int user_only_changed = 0; -+ int ret = -1; + security_context_t curcon = NULL, newcon = NULL; if (match(my_file, ftsent->fts_statp, &newcon) < 0) /* Check for no matching specification. 
*/ -@@ -139,74 +139,105 @@ static int restore(FTSENT *ftsent) +@@ -139,74 +143,105 @@ static int restore(FTSENT *ftsent) printf("%s: %s matched by %s\n", r_opts->progname, my_file, newcon); } -+ /* -+ * Do not relabel if their is no default specification for this file ++ /* ++ * Do not relabel if their is no default specification for this file + */ + + if (strcmp(newcon, "<>") == 0) { @@ -2043,7 +584,7 @@ index ce44c04..373c9b9 100644 - * Do not relabel the file if the matching specification is - * <> or the file is already labeled according to the - * specification. -+ * Do not relabel the file if the file is already labeled according to ++ * Do not relabel the file if the file is already labeled according to + * the specification. */ - if ((strcmp(newcon, "<>") == 0) || @@ -2072,8 +613,8 @@ index ce44c04..373c9b9 100644 - if (r_opts->verbose > 1 || !user_only_changed) { - printf("%s reset %s context %s->%s\n", - r_opts->progname, my_file, context ?: "", newcon); -+ /* -+ * Do not change label unless this is a force or the type is different ++ /* ++ * Do not change label unless this is a force or the type is different + */ + if (!r_opts->force && curcon) { + int types_differ = 0; @@ -2088,7 +629,7 @@ index ce44c04..373c9b9 100644 + if (! conb) { + context_free(cona); + goto out; -+ } + } + + types_differ = strcmp(context_type_get(cona), context_type_get(conb)); + if (types_differ) { @@ -2102,19 +643,19 @@ index ce44c04..373c9b9 100644 + } + context_free(cona); + context_free(conb); -+ ++ + if (!types_differ || err) { + goto out; - } ++ } ++ } ++ ++ if (r_opts->verbose) { ++ printf("%s reset %s context %s->%s\n", ++ r_opts->progname, my_file, curcon ?: "", newcon); } - if (r_opts->logging && !user_only_changed) { - if (context) -+ if (r_opts->verbose) { -+ printf("%s reset %s context %s->%s\n", -+ r_opts->progname, my_file, curcon ?: "", newcon); -+ } -+ + if (r_opts->logging) { + if (curcon) syslog(LOG_INFO, "relabeling %s from %s to %s\n", 
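Review bot: `selinux_opts[2].values = r_opts->selabel_opt_prefixes;` in restore_init writes a `values` member while the two entries before it use `.value`, so the hunk depends on the `struct selinux_opt` shipped by the libselinux the spec now pins (`libselinuxver 2.1.7-1`) actually having that member; against an older header this does not compile, and nothing visible here records that dependency. When `-L` is never given, the list handed to selabel_open here is the empty NULL-terminated `null_array` from setfiles.c, and whether libselinux treats an empty prefix list as unrestricted or as matching nothing cannot be seen from this hunk — the latter would make a plain restorecon relabel nothing without any error. A comment at the assignment would pin the assumption, e.g. `/* empty list (no -L given) relies on libselinux treating it as "all prefixes" -- confirm */`. restore_init is complete within the hunk; the other hunks ending on this line are whitespace-only.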
@@ -2140,16 +681,23 @@ index ce44c04..373c9b9 100644 goto out; /* -@@ -218,7 +249,7 @@ static int restore(FTSENT *ftsent) - r_opts->progname, my_file, newcon, strerror(errno)); - goto skip; +@@ -220,12 +255,15 @@ static int restore(FTSENT *ftsent) } -- ret = 1; -+ ret = 0; + ret = 1; out: ++ freecon(curcon); freecon(newcon); return ret; -@@ -487,22 +518,6 @@ int add_exclude(const char *directory) + skip: ++ freecon(curcon); + freecon(newcon); + return SKIP; + err: ++ freecon(curcon); + freecon(newcon); + return ERR; + } +@@ -447,22 +485,6 @@ int add_exclude(const char *directory) return 0; } @@ -2173,19 +721,19 @@ index ce44c04..373c9b9 100644 * Evaluate the association hash table distribution. */ diff --git a/policycoreutils/setfiles/restore.h b/policycoreutils/setfiles/restore.h -index ac27222..3909d15 100644 +index ac27222..4b39972 100644 --- a/policycoreutils/setfiles/restore.h +++ b/policycoreutils/setfiles/restore.h @@ -40,6 +40,7 @@ struct restore_opts { int fts_flags; /* Flags to fts, e.g. follow links, follow mounts */ const char *selabel_opt_validate; const char *selabel_opt_path; -+ char *selabel_opt_subset; ++ const char **selabel_opt_prefixes; }; void restore_init(struct restore_opts *opts); diff --git a/policycoreutils/setfiles/restorecon.8 b/policycoreutils/setfiles/restorecon.8 -index c8ea4bb..0eb7293 100644 +index c8ea4bb..65a59de 100644 --- a/policycoreutils/setfiles/restorecon.8 +++ b/policycoreutils/setfiles/restorecon.8 @@ -4,22 +4,27 @@ restorecon \- restore file(s) default SELinux security contexts. 
@@ -2211,10 +759,10 @@ index c8ea4bb..0eb7293 100644 It can be run at any time to correct errors, to add support for new policy, or with the \-n option it can just check whether the file contexts are all as you expect. -+.P -+If a file object does not have a context, restorecon will write the default -+context to the file object's extended attributes. If a file object has a -+context, restorecon will only modify the type portion of the security context. ++.P ++If a file object does not have a context, restorecon will write the default ++context to the file object's extended attributes. If a file object has a ++context, restorecon will only modify the type portion of the security context. +The -F option will force a replacement of the entire context. .SH "OPTIONS" @@ -2228,7 +776,7 @@ index c8ea4bb..0eb7293 100644 + +# restorecon -R -v -L /dev /dev + -+.TP ++.TP .B \-R \-r change files and directories file labels recursively .TP @@ -2246,7 +794,7 @@ index c8ea4bb..0eb7293 100644 .SH "ARGUMENTS" .B pathname... diff --git a/policycoreutils/setfiles/setfiles.8 b/policycoreutils/setfiles/setfiles.8 -index 7f700ca..2cc3fba 100644 +index 7f700ca..2741919 100644 --- a/policycoreutils/setfiles/setfiles.8 +++ b/policycoreutils/setfiles/setfiles.8 @@ -4,7 +4,7 @@ setfiles \- set file SELinux security contexts. 
@@ -2262,26 +810,27 @@ index 7f700ca..2cc3fba 100644 It can also be run at any time to correct errors, to add support for new policy, or with the \-n option it can just check whether the file contexts are all as you expect. -+.P -+If a file object does not have a context, setfiles will write the default -+context to the file object's extended attributes. If a file object has a -+context, setfiles will only modify the type portion of the security context. ++.P ++If a file object does not have a context, setfiles will write the default ++context to the file object's extended attributes. If a file object has a ++context, setfiles will only modify the type portion of the security context. +The -F option will force a replacement of the entire context. .SH "OPTIONS" .TP -@@ -45,7 +50,10 @@ use an alternate root path +@@ -45,8 +50,11 @@ use an alternate root path directory to exclude (repeat option for more than one directory.) .TP .B \-F -Force reset of context to match file_context for customizable files +Force reset of context to match file_context for customizable files, and the default file context, changing the user, role, range portion as well as the type. -+.TP + .TP +.B \-L labelprefix +Tells selinux to only use the file context that match this prefix for labeling, -L can be called multiple times. Can speed up labeling if you are only doing one directory. - .TP ++.TP .B \-o filename save list of files with incorrect context in filename. + .TP @@ -55,10 +63,7 @@ take a list of files from standard input instead of using a pathname on the command line. .TP @@ -2295,7 +844,7 @@ index 7f700ca..2cc3fba 100644 .B \-W display warnings about entries that had no matching files. diff --git a/policycoreutils/setfiles/setfiles.c b/policycoreutils/setfiles/setfiles.c -index fa0cd6a..4da428c 100644 +index fa0cd6a..0ec0eff 100644 --- a/policycoreutils/setfiles/setfiles.c +++ b/policycoreutils/setfiles/setfiles.c @@ -39,7 +39,7 @@ void usage(const char *const name) 
@@ -2307,15 +856,33 @@ index fa0cd6a..4da428c 100644 name); } else { fprintf(stderr, -@@ -160,6 +160,7 @@ int main(int argc, char **argv) +@@ -137,7 +137,7 @@ static void maybe_audit_mass_relabel(int mass_relabel, int mass_relabel_errs) + int main(int argc, char **argv) + { + struct stat sb; +- int opt, i = 0; ++ int opt, i; + char *input_filename = NULL; + int use_input_file = 0; + char *buf = NULL; +@@ -145,6 +145,8 @@ int main(int argc, char **argv) + int recurse; /* Recursive descent. */ + char *base; + int mass_relabel = 0, errors = 0; ++ int num_prefixes = 0; ++ const char *null_array[1] = { NULL }; + + memset(&r_opts, 0, sizeof(r_opts)); + +@@ -160,6 +162,7 @@ int main(int argc, char **argv) r_opts.outfile = NULL; r_opts.force = 0; r_opts.hard_links = 1; -+ r_opts.selabel_opt_subset = 0; ++ r_opts.selabel_opt_prefixes = null_array; altpath = NULL; -@@ -217,7 +218,7 @@ int main(int argc, char **argv) +@@ -217,7 +220,7 @@ int main(int argc, char **argv) exclude_non_seclabel_mounts(); /* Process any options. */ 
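Review bot: The rhat patch now turns upstream's `int opt, i = 0;` in setfiles main() back into `int opt, i;`, which undoes the "setfiles: fix use before initialized" item the commit description says this update picks up. The only use of `i` visible in this commit is the new cleanup loop, which assigns `i = 0;` first, but main()'s other uses of `i` lie outside the hunk, so whether every path assigns it before reading cannot be checked here; unless a compiler warning motivates the change, keeping upstream's initializer is the safer choice. The added `num_prefixes` / `null_array` defaults and `r_opts.selabel_opt_prefixes = null_array;` are fine as written.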
@@ -2324,31 +891,43 @@ index fa0cd6a..4da428c 100644 switch (opt) { case 'c': { -@@ -280,6 +281,23 @@ int main(int argc, char **argv) +@@ -280,6 +283,35 @@ int main(int argc, char **argv) case 'n': r_opts.change = 0; break; + case 'L': -+ if (r_opts.selabel_opt_subset) { -+ if (asprintf((char**) &(r_opts.selabel_opt_subset),"%s:%s",r_opts.selabel_opt_subset,optarg) < 0) { -+ fprintf(stderr, "Can't allocate memory for labeling prefix %s:%s\n", -+ optarg, strerror(errno)); -+ exit(1); -+ } ++ { ++ char **new_prefixes; ++ ++ /* we need 1 for this entry and 1 for the NULL entry */ ++ new_prefixes = malloc(sizeof(*new_prefixes) * (num_prefixes + 2)); ++ if (!new_prefixes) { ++ fprintf(stderr, "Can't allocate memory for labeling prefix %s:%s\n", ++ optarg, strerror(errno)); ++ exit(1); + } -+ else { -+ r_opts.selabel_opt_subset = strdup(optarg); -+ if (! r_opts.selabel_opt_subset) { -+ fprintf(stderr, "Can't allocate memory for labeling prefix %s:%s\n", -+ optarg, strerror(errno)); -+ exit(1); -+ } ++ ++ memcpy(new_prefixes, r_opts.selabel_opt_prefixes, sizeof(*new_prefixes) * num_prefixes); ++ new_prefixes[num_prefixes] = strdup(optarg); ++ if (!new_prefixes[num_prefixes]) { ++ fprintf(stderr, "Can't allocate memory for labeling prefix %s:%s\n", ++ optarg, strerror(errno)); ++ exit(1); + } ++ ++ new_prefixes[num_prefixes + 1] = NULL; ++ num_prefixes++; ++ ++ if (r_opts.selabel_opt_prefixes != null_array) ++ free(r_opts.selabel_opt_prefixes); ++ ++ r_opts.selabel_opt_prefixes = (const char **)new_prefixes; + break; ++ } case 'o': if (strcmp(optarg, "-") == 0) { r_opts.outfile = stdout; -@@ -433,7 +451,11 @@ int main(int argc, char **argv) +@@ -433,7 +465,15 @@ int main(int argc, char **argv) if (r_opts.outfile) fclose(r_opts.outfile); 
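Review bot: The new `case 'L':` block allocates a fresh array, copies the old entries with memcpy and frees the previous array on every `-L`, and the out-of-memory message-and-exit sequence is written twice. Once the list is heap-owned (`!= null_array`) a single `realloc` does the same growth and keeps the existing entries, and starting from `NULL` when the list is still the stack `null_array` removes the special-case free; the two failure checks can then share one error path. The behaviour (NULL-terminated list, strdup'd entries, `num_prefixes` kept in step) is unchanged, and the cleanup loop in the later hunk still applies as-is. The rewritten case body is below.
```c
		case 'L':
		{
			char **new_prefixes;

			/* Grow by one entry plus the NULL terminator. The initial
			 * null_array lives on the stack, so the first growth starts
			 * from NULL instead of handing that array to realloc. */
			new_prefixes = realloc(r_opts.selabel_opt_prefixes == null_array
					       ? NULL : (void *)r_opts.selabel_opt_prefixes,
					       sizeof(*new_prefixes) * (num_prefixes + 2));
			if (new_prefixes)
				new_prefixes[num_prefixes] = strdup(optarg);
			if (!new_prefixes || !new_prefixes[num_prefixes]) {
				fprintf(stderr, "Can't allocate memory for labeling prefix %s:%s\n",
					optarg, strerror(errno));
				exit(1);
			}
			new_prefixes[num_prefixes + 1] = NULL;
			num_prefixes++;
			r_opts.selabel_opt_prefixes = (const char **)new_prefixes;
			break;
		}
		/* … unchanged: case 'o' and the remaining options … */
```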
@@ -2358,7 +937,11 @@ index fa0cd6a..4da428c 100644 + printf("\n"); + + free(r_opts.progname); -+ free(r_opts.selabel_opt_subset); ++ i = 0; ++ while (r_opts.selabel_opt_prefixes[i]) ++ free((void *)r_opts.selabel_opt_prefixes[i++]); ++ if (r_opts.selabel_opt_prefixes != null_array) ++ free(r_opts.selabel_opt_prefixes); + free(r_opts.rootpath); exit(errors); } diff --git a/policycoreutils-sepolgen.patch b/policycoreutils-sepolgen.patch index f4087ea..d6fdfdb 100644 --- a/policycoreutils-sepolgen.patch +++ b/policycoreutils-sepolgen.patch @@ -1,5 +1,5 @@ diff --git a/sepolgen/src/sepolgen/audit.py b/sepolgen/src/sepolgen/audit.py -index 24e308e..1b0a8e5 100644 +index 898fbc3..631bab5 100644 --- a/sepolgen/src/sepolgen/audit.py +++ b/sepolgen/src/sepolgen/audit.py @@ -68,6 +68,17 @@ def get_dmesg_msgs(): @@ -30,11 +30,8 @@ index 24e308e..1b0a8e5 100644 class AVCMessage(AuditMessage): """AVC message representing an access denial or granted message. -@@ -165,8 +179,11 @@ class AVCMessage(AuditMessage): - self.comm = "" - self.exe = "" - self.path = "" -+ self.name = "" +@@ -168,6 +182,8 @@ class AVCMessage(AuditMessage): + self.name = "" self.accesses = [] self.denial = True + self.type = audit2why.TERULE @@ -42,12 +39,7 @@ index 24e308e..1b0a8e5 100644 def __parse_access(self, recs, start): # This is kind of sucky - the access that is in a space separated -@@ -223,10 +240,36 @@ class AVCMessage(AuditMessage): - self.comm = fields[1][1:-1] - elif fields[0] == "exe": - self.exe = fields[1][1:-1] -+ elif fields[0] == "name": -+ self.name = fields[1][1:-1] +@@ -229,7 +245,31 @@ class AVCMessage(AuditMessage): if not found_src or not found_tgt or not found_class or not found_access: raise ValueError("AVC message in invalid format [%s]\n" % self.message) 
@@ -74,13 +66,13 @@ index 24e308e..1b0a8e5 100644 + raise ValueError("Invalid permission %s\n" % " ".join(self.accesses)) + if self.type == audit2why.BADCOMPUTE: + raise ValueError("Error during access vector computation") -+ ++ + avcdict[(scontext, tcontext, self.tclass, access_tuple)] = (self.type, self.bools) + class PolicyLoadMessage(AuditMessage): """Audit message indicating that the policy was reloaded.""" def __init__(self, message): -@@ -469,10 +512,10 @@ class AuditParser: +@@ -472,10 +512,10 @@ class AuditParser: if avc_filter: if avc_filter.filter(avc): av_set.add(avc.scontext.type, avc.tcontext.type, avc.tclass, @@ -126,7 +118,7 @@ index 1a9a3e5..d56dd92 100644 def __iter__(self): return iter(self.children) diff --git a/sepolgen/src/sepolgen/policygen.py b/sepolgen/src/sepolgen/policygen.py -index 0e6b502..6ce892c 100644 +index 0e6b502..4882999 100644 --- a/sepolgen/src/sepolgen/policygen.py +++ b/sepolgen/src/sepolgen/policygen.py @@ -29,6 +29,8 @@ import objectmodel @@ -155,9 +147,9 @@ index 0e6b502..6ce892c 100644 - rule.comment = refpolicy.Comment(explain_access(av, verbosity=self.explain)) + rule.comment = str(refpolicy.Comment(explain_access(av, verbosity=self.explain))) + if av.type == audit2why.ALLOW: -+ rule.comment += "#!!!! This avc is allowed in the current policy\n" ++ rule.comment += "#!!!! This avc is allowed in the current policy\n" + if av.type == audit2why.DONTAUDIT: -+ rule.comment += "#!!!! This avc has a dontaudit rule in the current policy\n" ++ rule.comment += "#!!!! This avc has a dontaudit rule in the current policy\n" + + if av.type == audit2why.BOOLEAN: + if len(av.bools) > 1: 
@@ -166,7 +158,7 @@ index 0e6b502..6ce892c 100644 + rule.comment += "#!!!! This avc can be allowed using the boolean '%s'\n" % av.bools[0][0] + + if av.type == audit2why.CONSTRAINT: -+ rule.comment += "#!!!! This avc is a constraint violation. You will need to add an attribute to either the source or target type to make it work.\n" ++ rule.comment += "#!!!! This avc is a constraint violation. You will need to add an attribute to either the source or target type to make it work.\n" + rule.comment += "#Constraint rule: " + + if av.type == audit2why.TERULE: @@ -175,7 +167,7 @@ index 0e6b502..6ce892c 100644 + if not self.domains: + self.domains = seinfo(ATTRIBUTE, name="domain")[0]["types"] + types=[] -+ ++ + try: + for i in map(lambda x: x[TCONTEXT], sesearch([ALLOW], {SCONTEXT: av.src_type, CLASS: av.obj_class, PERMS: av.perms})): + if i not in self.domains: 
@@ -189,42 +181,3 @@ index 0e6b502..6ce892c 100644 self.module.children.append(rule) -diff --git a/sepolgen/src/sepolgen/refparser.py b/sepolgen/src/sepolgen/refparser.py -index 1a2eec8..955784d 100644 ---- a/sepolgen/src/sepolgen/refparser.py -+++ b/sepolgen/src/sepolgen/refparser.py -@@ -109,6 +109,7 @@ tokens = ( - 'DONTAUDIT', - 'AUDITALLOW', - 'NEVERALLOW', -+ 'PERMISSIVE', - 'TYPE_TRANSITION', - 'TYPE_CHANGE', - 'TYPE_MEMBER', -@@ -170,6 +171,7 @@ reserved = { - 'dontaudit' : 'DONTAUDIT', - 'auditallow' : 'AUDITALLOW', - 'neverallow' : 'NEVERALLOW', -+ 'permissive' : 'PERMISSIVE', - 'type_transition' : 'TYPE_TRANSITION', - 'type_change' : 'TYPE_CHANGE', - 'type_member' : 'TYPE_MEMBER', -@@ -490,6 +492,7 @@ def p_policy_stmt(p): - | interface_call - | role_def - | role_allow -+ | permissive - | type_def - | typealias_def - | attribute_def -@@ -747,6 +750,10 @@ def p_role_allow(p): - r.tgt_roles = p[3] - p[0] = r - -+def p_permissive(p): -+ 'permissive : PERMISSIVE names SEMI' -+ t.skip(1) -+ - def p_avrule_def(p): - '''avrule_def : ALLOW names names COLON names names SEMI - | DONTAUDIT names names COLON names names SEMI diff --git a/policycoreutils.spec b/policycoreutils.spec index 423167e..1fd6fc4 100644 --- a/policycoreutils.spec +++ b/policycoreutils.spec @@ -1,13 +1,13 @@ -%define libauditver 1.4.2-1 -%define libsepolver 2.1.2-3 -%define libsemanagever 2.1.4-1 -%define libselinuxver 2.1.5-5 -%define sepolgenver 1.1.2 +%define libauditver 2.1.3-4 +%define libsepolver 2.1.3-2 +%define libsemanagever 2.1.4-3 +%define libselinuxver 2.1.7-1 +%define sepolgenver 1.1.3 Summary: SELinux policy core utilities Name: policycoreutils -Version: 2.1.7 -Release: 5%{?dist} +Version: 2.1.8 +Release: 1%{?dist} License: GPLv2 Group: System Environment/Base # Based on git repository with tag 20101221 
@@ -22,8 +22,8 @@ Source6: selinux-polgengui.desktop Source7: selinux-polgengui.console Source8: policycoreutils_man_ru2.tar.bz2 Source9: semanage-bash-completion.sh -Patch: policycoreutils-rhat.patch Source10: restorecond.service +Patch: policycoreutils-rhat.patch Patch1: policycoreutils-po.patch Patch3: policycoreutils-gui.patch Patch4: policycoreutils-sepolgen.patch @@ -352,6 +352,33 @@ fi /bin/systemctl try-restart restorecond.service >/dev/null 2>&1 || : %changelog +* Fri Nov 4 2011 Dan Walsh - 2.1.8-1 +- Upgrade to policycoreutils upstream + * sandbox: Maintain the LANG environment into the sandbox + * audit2allow: use audit2why internally + * fixfiles: label /root but not /var/lib/BackupPC + * semanage: update local boolean settings is dealing with localstore + * semanage: missing modify=True + * semanage: set modified correctly + * restorecond: make restorecond dbuss-able + * restorecon: Always check return code on asprintf + * restorecond: make restorecond -u exit when terminal closes + * sandbox: introduce package name and language stuff + * semodule_package: remove semodule_unpackage on clean + * fix sandbox Makefile to support DESTDIR + * semanage: Add -o description to the semanage man page + * make use of the new realpath_not_final function + * setfiles: close /proc/mounts file when finished + * semodule: Document semodule -p in man page + * setfiles: fix use before initialized + * restorecond: Add .local/share as a directory to watch +- Upgrade to sepolgen upstream + * Ignore permissive qualifier if found in an interface + * Return name field in avc data + +* Mon Oct 31 2011 Dan Walsh - 2.1.7-6 +- Rebuild versus newer libsepol + * Fri Oct 28 2011 Dan Walsh - 2.1.7-5 - A couple of minor coverity fixes for a potential leaked file descriptor - An an unchecked return code. diff --git a/sources b/sources index d79a1e8..b2af9b5 100644 --- a/sources +++ b/sources 
@@ -1,3 +1,3 @@ 59d33101d57378ce69889cc078addf90 policycoreutils_man_ru2.tar.bz2 -c372e90a754ee87e1cc40b09134b8f31 sepolgen-1.1.2.tgz -98688cfeab65386a0dfbd921511952ac policycoreutils-2.1.7.tgz +135674afd4eecd02ef441a9fd1d2c08a policycoreutils-2.1.8.tgz +3bd4588bcf8608c6e8a18ad5a8b68971 sepolgen-1.1.3.tgz