Upgrade to policycoreutils upstream

* sandbox: Maintain the LANG environment into the sandbox
	* audit2allow: use audit2why internally
	* fixfiles: label /root but not /var/lib/BackupPC
	* semanage: update local boolean settings is dealing with localstore
	* semanage: missing modify=True
	* semanage: set modified correctly
	* restorecond: make restorecond dbuss-able
	* restorecon: Always check return code on asprintf
	* restorecond: make restorecond -u exit when terminal closes
	* sandbox: introduce package name and language stuff
	* semodule_package: remove semodule_unpackage on clean
	* fix sandbox Makefile to support DESTDIR
	* semanage: Add -o description to the semanage man page
	* make use of the new realpath_not_final function
	* setfiles: close /proc/mounts file when finished
	* semodule: Document semodule -p in man page
	* setfiles: fix use before initialized
	* restorecond: Add .local/share as a directory to watch
Upgrade to sepolgen upstream
	* Ignore permissive qualifier if found in an interface
	* Return name field in avc data
This commit is contained in:
Dan Walsh 2011-11-04 10:47:42 -04:00
parent 2392ca1483
commit 2c4e323ce5
4 changed files with 198 additions and 1635 deletions

File diff suppressed because it is too large Load Diff

View File

@ -1,5 +1,5 @@
diff --git a/sepolgen/src/sepolgen/audit.py b/sepolgen/src/sepolgen/audit.py
index 24e308e..1b0a8e5 100644
index 898fbc3..631bab5 100644
--- a/sepolgen/src/sepolgen/audit.py
+++ b/sepolgen/src/sepolgen/audit.py
@@ -68,6 +68,17 @@ def get_dmesg_msgs():
@ -30,11 +30,8 @@ index 24e308e..1b0a8e5 100644
class AVCMessage(AuditMessage):
"""AVC message representing an access denial or granted message.
@@ -165,8 +179,11 @@ class AVCMessage(AuditMessage):
self.comm = ""
self.exe = ""
self.path = ""
+ self.name = ""
@@ -168,6 +182,8 @@ class AVCMessage(AuditMessage):
self.name = ""
self.accesses = []
self.denial = True
+ self.type = audit2why.TERULE
@ -42,12 +39,7 @@ index 24e308e..1b0a8e5 100644
def __parse_access(self, recs, start):
# This is kind of sucky - the access that is in a space separated
@@ -223,10 +240,36 @@ class AVCMessage(AuditMessage):
self.comm = fields[1][1:-1]
elif fields[0] == "exe":
self.exe = fields[1][1:-1]
+ elif fields[0] == "name":
+ self.name = fields[1][1:-1]
@@ -229,7 +245,31 @@ class AVCMessage(AuditMessage):
if not found_src or not found_tgt or not found_class or not found_access:
raise ValueError("AVC message in invalid format [%s]\n" % self.message)
@ -80,7 +72,7 @@ index 24e308e..1b0a8e5 100644
class PolicyLoadMessage(AuditMessage):
"""Audit message indicating that the policy was reloaded."""
def __init__(self, message):
@@ -469,10 +512,10 @@ class AuditParser:
@@ -472,10 +512,10 @@ class AuditParser:
if avc_filter:
if avc_filter.filter(avc):
av_set.add(avc.scontext.type, avc.tcontext.type, avc.tclass,
@ -126,7 +118,7 @@ index 1a9a3e5..d56dd92 100644
def __iter__(self):
return iter(self.children)
diff --git a/sepolgen/src/sepolgen/policygen.py b/sepolgen/src/sepolgen/policygen.py
index 0e6b502..6ce892c 100644
index 0e6b502..4882999 100644
--- a/sepolgen/src/sepolgen/policygen.py
+++ b/sepolgen/src/sepolgen/policygen.py
@@ -29,6 +29,8 @@ import objectmodel
@ -189,42 +181,3 @@ index 0e6b502..6ce892c 100644
self.module.children.append(rule)
diff --git a/sepolgen/src/sepolgen/refparser.py b/sepolgen/src/sepolgen/refparser.py
index 1a2eec8..955784d 100644
--- a/sepolgen/src/sepolgen/refparser.py
+++ b/sepolgen/src/sepolgen/refparser.py
@@ -109,6 +109,7 @@ tokens = (
'DONTAUDIT',
'AUDITALLOW',
'NEVERALLOW',
+ 'PERMISSIVE',
'TYPE_TRANSITION',
'TYPE_CHANGE',
'TYPE_MEMBER',
@@ -170,6 +171,7 @@ reserved = {
'dontaudit' : 'DONTAUDIT',
'auditallow' : 'AUDITALLOW',
'neverallow' : 'NEVERALLOW',
+ 'permissive' : 'PERMISSIVE',
'type_transition' : 'TYPE_TRANSITION',
'type_change' : 'TYPE_CHANGE',
'type_member' : 'TYPE_MEMBER',
@@ -490,6 +492,7 @@ def p_policy_stmt(p):
| interface_call
| role_def
| role_allow
+ | permissive
| type_def
| typealias_def
| attribute_def
@@ -747,6 +750,10 @@ def p_role_allow(p):
r.tgt_roles = p[3]
p[0] = r
+def p_permissive(p):
+ 'permissive : PERMISSIVE names SEMI'
+ t.skip(1)
+
def p_avrule_def(p):
'''avrule_def : ALLOW names names COLON names names SEMI
| DONTAUDIT names names COLON names names SEMI

View File

@ -1,13 +1,13 @@
%define libauditver 1.4.2-1
%define libsepolver 2.1.2-3
%define libsemanagever 2.1.4-1
%define libselinuxver 2.1.5-5
%define sepolgenver 1.1.2
%define libauditver 2.1.3-4
%define libsepolver 2.1.3-2
%define libsemanagever 2.1.4-3
%define libselinuxver 2.1.7-1
%define sepolgenver 1.1.3
Summary: SELinux policy core utilities
Name: policycoreutils
Version: 2.1.7
Release: 5%{?dist}
Version: 2.1.8
Release: 1%{?dist}
License: GPLv2
Group: System Environment/Base
# Based on git repository with tag 20101221
@ -22,8 +22,8 @@ Source6: selinux-polgengui.desktop
Source7: selinux-polgengui.console
Source8: policycoreutils_man_ru2.tar.bz2
Source9: semanage-bash-completion.sh
Patch: policycoreutils-rhat.patch
Source10: restorecond.service
Patch: policycoreutils-rhat.patch
Patch1: policycoreutils-po.patch
Patch3: policycoreutils-gui.patch
Patch4: policycoreutils-sepolgen.patch
@ -352,6 +352,33 @@ fi
/bin/systemctl try-restart restorecond.service >/dev/null 2>&1 || :
%changelog
* Fri Nov 4 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.8-1
- Upgrade to policycoreutils upstream
* sandbox: Maintain the LANG environment into the sandbox
* audit2allow: use audit2why internally
* fixfiles: label /root but not /var/lib/BackupPC
* semanage: update local boolean settings is dealing with localstore
* semanage: missing modify=True
* semanage: set modified correctly
* restorecond: make restorecond dbuss-able
* restorecon: Always check return code on asprintf
* restorecond: make restorecond -u exit when terminal closes
* sandbox: introduce package name and language stuff
* semodule_package: remove semodule_unpackage on clean
* fix sandbox Makefile to support DESTDIR
* semanage: Add -o description to the semanage man page
* make use of the new realpath_not_final function
* setfiles: close /proc/mounts file when finished
* semodule: Document semodule -p in man page
* setfiles: fix use before initialized
* restorecond: Add .local/share as a directory to watch
- Upgrade to sepolgen upstream
* Ignore permissive qualifier if found in an interface
* Return name field in avc data
* Mon Oct 31 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.7-6
- Rebuild versus newer libsepol
* Fri Oct 28 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.7-5
- A couple of minor coverity fixes for a potential leaked file descriptor
- An an unchecked return code.

View File

@ -1,3 +1,3 @@
59d33101d57378ce69889cc078addf90 policycoreutils_man_ru2.tar.bz2
c372e90a754ee87e1cc40b09134b8f31 sepolgen-1.1.2.tgz
98688cfeab65386a0dfbd921511952ac policycoreutils-2.1.7.tgz
135674afd4eecd02ef441a9fd1d2c08a policycoreutils-2.1.8.tgz
3bd4588bcf8608c6e8a18ad5a8b68971 sepolgen-1.1.3.tgz