From 4ae915ba4e8bcc391de6e502d70ceaac0ffb21c4 Mon Sep 17 00:00:00 2001 
From: Petr Lautrbach
Date: Wed, 29 Sep 2021 18:18:29 +0200
Subject: [PATCH] SELinux userspace 3.3-rc2 release
---
.gitignore | 1 +
...setfiles-do-not-create-useless-setfi.patch | 67 ----
...t-to-Xephyr-as-it-works-better-with-.patch | 2 +-
...RD_FILE_CONTEXT-section-in-man-pages.patch | 2 +-
...do-not-exclude-dev-and-run-in-C-mode.patch | 50 ---
...xecutable-we-don-t-want-to-print-a-p.patch | 2 +-
...ils-silence-Wextra-semi-stmt-warning.patch | 49 ---
...sepolicy-manpage-web-functionality.-.patch | 6 +-
...free-memory-on-lstat-failure-in-sest.patch | 33 --
...e-the-trailing-newline-for-etc-syste.patch | 6 +-
...free-memory-of-allocated-context-in-.patch | 42 ---
...-in-manpage.py-to-not-contain-online.patch | 2 +-
...free-memory-of-allocated-context-in-.patch | 30 --
...t-be-verbose-if-you-are-not-on-a-tty.patch | 2 +-
...d-interface-file_type_is_executable-.patch | 2 +-
...her-small-optimization-for-mcs-types.patch | 2 +-
...ion-files-into-the-right-sub-directo.patch | 2 +-
...ettext-domains-in-python-gui-sandbox.patch | 16 +-
...al-.pot-files-for-gui-python-sandbox.patch | 2 +-
...setfiles-Improve-description-of-d-sw.patch | 2 +-
...rate-Handle-more-reserved-port-types.patch | 2 +-
...ix-RESOURCE_LEAK-coverity-scan-defec.patch | 2 +-
...hbox-window-manager-instead-of-openb.patch | 2 +-
...-flake8-warnings-in-Fedora-only-code.patch | 2 +-
0018-Use-SHA-2-instead-of-SHA-1.patch | 297 ++++++++++++++++++
0024-Do-not-use-Python-slip.patch | 217 -------------
0025-dbus-Use-GLib.MainLoop.patch | 45 ---
policycoreutils.spec | 62 ++--
sources | 2 +-
29 files changed, 356 insertions(+), 595 deletions(-)
delete mode 100644 0001-policycoreutils-setfiles-do-not-create-useless-setfi.patch
rename 0007-sandbox-add-reset-to-Xephyr-as-it-works-better-with-.patch => 0001-sandbox-add-reset-to-Xephyr-as-it-works-better-with-.patch (93%)
rename 0008-Fix-STANDARD_FILE_CONTEXT-section-in-man-pages.patch => 0002-Fix-STANDARD_FILE_CONTEXT-section-in-man-pages.patch (96%)
delete mode 100644
0002-fixfiles-do-not-exclude-dev-and-run-in-C-mode.patch
rename 0009-If-there-is-no-executable-we-don-t-want-to-print-a-p.patch => 0003-If-there-is-no-executable-we-don-t-want-to-print-a-p.patch (92%)
delete mode 100644 0003-policycoreutils-silence-Wextra-semi-stmt-warning.patch
rename 0010-Simplication-of-sepolicy-manpage-web-functionality.-.patch => 0004-Simplication-of-sepolicy-manpage-web-functionality.-.patch (96%)
delete mode 100644 0004-policycoreutils-free-memory-on-lstat-failure-in-sest.patch
rename 0011-We-want-to-remove-the-trailing-newline-for-etc-syste.patch => 0005-We-want-to-remove-the-trailing-newline-for-etc-syste.patch (82%)
delete mode 100644 0005-policycoreutils-free-memory-of-allocated-context-in-.patch
rename 0012-Fix-title-in-manpage.py-to-not-contain-online.patch => 0006-Fix-title-in-manpage.py-to-not-contain-online.patch (91%)
delete mode 100644 0006-policycoreutils-free-memory-of-allocated-context-in-.patch
rename 0013-Don-t-be-verbose-if-you-are-not-on-a-tty.patch => 0007-Don-t-be-verbose-if-you-are-not-on-a-tty.patch (90%)
rename 0014-sepolicy-Drop-old-interface-file_type_is_executable-.patch => 0008-sepolicy-Drop-old-interface-file_type_is_executable-.patch (96%)
rename 0015-sepolicy-Another-small-optimization-for-mcs-types.patch => 0009-sepolicy-Another-small-optimization-for-mcs-types.patch (96%)
rename 0016-Move-po-translation-files-into-the-right-sub-directo.patch => 0010-Move-po-translation-files-into-the-right-sub-directo.patch (99%)
rename 0017-Use-correct-gettext-domains-in-python-gui-sandbox.patch => 0011-Use-correct-gettext-domains-in-python-gui-sandbox.patch (95%)
rename 0018-Initial-.pot-files-for-gui-python-sandbox.patch => 0012-Initial-.pot-files-for-gui-python-sandbox.patch (99%)
rename 0019-policycoreutils-setfiles-Improve-description-of-d-sw.patch => 0013-policycoreutils-setfiles-Improve-description-of-d-sw.patch (94%)
rename 0020-sepolicy-generate-Handle-more-reserved-port-types.patch =>
0014-sepolicy-generate-Handle-more-reserved-port-types.patch (97%)
rename 0021-semodule-utils-Fix-RESOURCE_LEAK-coverity-scan-defec.patch => 0015-semodule-utils-Fix-RESOURCE_LEAK-coverity-scan-defec.patch (91%)
rename 0022-sandbox-Use-matchbox-window-manager-instead-of-openb.patch => 0016-sandbox-Use-matchbox-window-manager-instead-of-openb.patch (97%)
rename 0023-sepolicy-Fix-flake8-warnings-in-Fedora-only-code.patch => 0017-sepolicy-Fix-flake8-warnings-in-Fedora-only-code.patch (96%)
create mode 100644 0018-Use-SHA-2-instead-of-SHA-1.patch
delete mode 100644 0024-Do-not-use-Python-slip.patch
delete mode 100644 0025-dbus-Use-GLib.MainLoop.patch
diff --git a/.gitignore b/.gitignore
index 2b03fb8..aa8f499 100644
--- a/.gitignore
+++ b/.gitignore
@@ -337,3 +337,4 @@ policycoreutils-2.0.83.tgz
/selinux-sandbox-3.2-rc2.tar.gz
/semodule-utils-3.2-rc2.tar.gz
/selinux-3.2.tar.gz
+/selinux-3.3-rc2.tar.gz
diff --git a/0001-policycoreutils-setfiles-do-not-create-useless-setfi.patch b/0001-policycoreutils-setfiles-do-not-create-useless-setfi.patch
deleted file mode 100644
index 0ec9b80..0000000
--- a/0001-policycoreutils-setfiles-do-not-create-useless-setfi.patch
+++ /dev/null
@@ -1,67 +0,0 @@ -From 6cfebe787e258c4c62dbf2018d0a08bc8b70e445 Mon Sep 17 00:00:00 2001 -From: Ondrej Mosnacek -Date: Fri, 19 Mar 2021 22:30:59 +0100 -Subject: [PATCH] policycoreutils/setfiles: do not create useless - setfiles.8.man file - -Seems to have been there to allow for some sed substitution over the -text. Now that this is gone, the redundant intermediate file can be -removed, too. - -Signed-off-by: Ondrej Mosnacek ---- - policycoreutils/setfiles/.gitignore | 1 - - policycoreutils/setfiles/Makefile | 9 +++------ - 2 files changed, 3 insertions(+), 7 deletions(-) - delete mode 100644 policycoreutils/setfiles/.gitignore - -diff --git a/policycoreutils/setfiles/.gitignore b/policycoreutils/setfiles/.gitignore -deleted file mode 100644 -index 5e899c95af23..000000000000 ---- a/policycoreutils/setfiles/.gitignore -+++ /dev/null -@@ -1 +0,0 @@ --setfiles.8.man -diff --git a/policycoreutils/setfiles/Makefile b/policycoreutils/setfiles/Makefile -index a3bbbe116b7f..63d818509791 100644 ---- a/policycoreutils/setfiles/Makefile -+++ b/policycoreutils/setfiles/Makefile -@@ -13,7 +13,7 @@ ifeq ($(AUDITH), y) - override LDLIBS += -laudit - endif - --all: setfiles restorecon restorecon_xattr man -+all: setfiles restorecon restorecon_xattr - - setfiles: setfiles.o restore.o - -@@ -22,16 +22,13 @@ restorecon: setfiles - - restorecon_xattr: restorecon_xattr.o restore.o - --man: -- @cp -af setfiles.8 setfiles.8.man -- - install: all - [ -d $(DESTDIR)$(MANDIR)/man8 ] || mkdir -p $(DESTDIR)$(MANDIR)/man8 - -mkdir -p $(DESTDIR)$(SBINDIR) - install -m 755 setfiles $(DESTDIR)$(SBINDIR) - (cd $(DESTDIR)$(SBINDIR) && ln -sf setfiles restorecon) - install -m 755 restorecon_xattr $(DESTDIR)$(SBINDIR) -- install -m 644 setfiles.8.man $(DESTDIR)$(MANDIR)/man8/setfiles.8 -+ install -m 644 setfiles.8 $(DESTDIR)$(MANDIR)/man8/setfiles.8 - install -m 644 restorecon.8 $(DESTDIR)$(MANDIR)/man8/restorecon.8 - install -m 644 restorecon_xattr.8 $(DESTDIR)$(MANDIR)/man8/restorecon_xattr.8 - for 
lang in $(LINGUAS) ; do \ -@@ -42,7 +39,7 @@ install: all - done - - clean: -- rm -f setfiles restorecon restorecon_xattr *.o setfiles.8.man -+ rm -f setfiles restorecon restorecon_xattr *.o - - indent: - ../../scripts/Lindent $(wildcard *.[ch]) --- -2.32.0 - diff --git a/0007-sandbox-add-reset-to-Xephyr-as-it-works-better-with-.patch b/0001-sandbox-add-reset-to-Xephyr-as-it-works-better-with-.patch similarity index 93% rename from 0007-sandbox-add-reset-to-Xephyr-as-it-works-better-with-.patch rename to 0001-sandbox-add-reset-to-Xephyr-as-it-works-better-with-.patch index 41e18ea..67d6dc3 100644 --- a/0007-sandbox-add-reset-to-Xephyr-as-it-works-better-with-.patch +++ b/0001-sandbox-add-reset-to-Xephyr-as-it-works-better-with-.patch @@ -1,4 +1,4 @@ -From 6f2adee92a62777aa1a7371a23b4cb08b9a8ac7e Mon Sep 17 00:00:00 2001 +From ec3bf6f3e5468ba7b5164cc588ef5746454808a5 Mon Sep 17 00:00:00 2001 From: Petr Lautrbach Date: Thu, 20 Aug 2015 12:58:41 +0200 Subject: [PATCH] sandbox: add -reset to Xephyr as it works better with it in diff --git a/0008-Fix-STANDARD_FILE_CONTEXT-section-in-man-pages.patch b/0002-Fix-STANDARD_FILE_CONTEXT-section-in-man-pages.patch similarity index 96% rename from 0008-Fix-STANDARD_FILE_CONTEXT-section-in-man-pages.patch rename to 0002-Fix-STANDARD_FILE_CONTEXT-section-in-man-pages.patch index 85697b1..048b0b2 100644 --- a/0008-Fix-STANDARD_FILE_CONTEXT-section-in-man-pages.patch +++ b/0002-Fix-STANDARD_FILE_CONTEXT-section-in-man-pages.patch @@ -1,4 +1,4 @@ -From 31e28c2217b5ac4c12d60c97d08f0c062f0fce37 Mon Sep 17 00:00:00 2001 +From 7a548cae4303f8429040ba6be67be182b7f9a943 Mon Sep 17 00:00:00 2001 From: Dan Walsh Date: Mon, 21 Apr 2014 13:54:40 -0400 Subject: [PATCH] Fix STANDARD_FILE_CONTEXT section in man pages diff --git a/0002-fixfiles-do-not-exclude-dev-and-run-in-C-mode.patch b/0002-fixfiles-do-not-exclude-dev-and-run-in-C-mode.patch deleted file mode 100644 index a69cb72..0000000 
--- a/0002-fixfiles-do-not-exclude-dev-and-run-in-C-mode.patch
+++ /dev/null
@@ -1,50 +0,0 @@ -From 26a4c19ecff545324aa21eb0afbc3d10d3356313 Mon Sep 17 00:00:00 2001 -From: Ondrej Mosnacek -Date: Mon, 1 Mar 2021 18:19:22 +0100 -Subject: [PATCH] fixfiles: do not exclude /dev and /run in -C mode - -I can't think of a good reason why they should be excluded. On the -contrary, excluding them can cause trouble very easily if some labeling -rules for these directories change. For example, we changed the label -for /dev/nvme* from nvme_device_t to fixed_disk_device_t in Fedora -(updating the allow rules accordingly) and after policy update they -ended up with an invalid context, causing denials. - -Thus, remove /dev and /run from the excludes. While there, also add -/root to the basic excludes to match the regex that excludes fc rules -(that should be effectively no functional change). - -I did a sanity check on my system by running `restorecon -nv /dev /run` -and it didn't report any label differences. - -Signed-off-by: Ondrej Mosnacek -Acked-by: Petr Lautrbach ---- - policycoreutils/scripts/fixfiles | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles -index 30dadb4f4cb6..6fb12e0451a9 100755 ---- a/policycoreutils/scripts/fixfiles -+++ b/policycoreutils/scripts/fixfiles -@@ -162,7 +162,7 @@ newer() { - # - diff_filecontext() { - EXCLUDEDIRS="`exclude_dirs_from_relabelling`" --for i in /sys /proc /dev /run /mnt /var/tmp /var/lib/BackupPC /home /tmp /dev; do -+for i in /sys /proc /mnt /var/tmp /var/lib/BackupPC /home /root /tmp; do - [ -e $i ] && EXCLUDEDIRS="${EXCLUDEDIRS} -e $i"; - done - LogExcluded -@@ -175,7 +175,7 @@ if [ -f ${PREFC} -a -x /usr/bin/diff ]; then - sed -r -e 's,:s0, ,g' $FC | sort -u | \ - /usr/bin/diff -b ${PREFCTEMPFILE} - | \ - grep '^[<>]'|cut -c3-| grep ^/ | \ -- egrep -v '(^/home|^/root|^/tmp|^/dev)' |\ -+ egrep -v '(^/home|^/root|^/tmp)' |\ - sed -r -e 's,[[:blank:]].*,,g' \ - -e 's|\(([/[:alnum:]]+)\)\?|{\1,}|g' \ - -e 
's|([/[:alnum:]])\?|{\1,}|g' \ --- -2.32.0 - diff --git a/0009-If-there-is-no-executable-we-don-t-want-to-print-a-p.patch b/0003-If-there-is-no-executable-we-don-t-want-to-print-a-p.patch similarity index 92% rename from 0009-If-there-is-no-executable-we-don-t-want-to-print-a-p.patch rename to 0003-If-there-is-no-executable-we-don-t-want-to-print-a-p.patch index 8086438..9ff8301 100644 --- a/0009-If-there-is-no-executable-we-don-t-want-to-print-a-p.patch +++ b/0003-If-there-is-no-executable-we-don-t-want-to-print-a-p.patch @@ -1,4 +1,4 @@ -From 8fafb8215dbd7affd299f7eb31a1677d7f367ee8 Mon Sep 17 00:00:00 2001 +From b3cb362afe86278c600d6e97cc7abf9c0b102071 Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Mon, 12 May 2014 14:11:22 +0200 Subject: [PATCH] If there is no executable we don't want to print a part of diff --git a/0003-policycoreutils-silence-Wextra-semi-stmt-warning.patch b/0003-policycoreutils-silence-Wextra-semi-stmt-warning.patch deleted file mode 100644 index 8c1bda3..0000000 --- a/0003-policycoreutils-silence-Wextra-semi-stmt-warning.patch +++ /dev/null 
@@ -1,49 +0,0 @@ -From e45bc870946ad3c984595a679df86b424f24d09d Mon Sep 17 00:00:00 2001 -From: Nicolas Iooss -Date: Sat, 3 Jul 2021 16:31:21 +0200 -Subject: [PATCH] policycoreutils: silence -Wextra-semi-stmt warning - -On Ubuntu 20.04, when building with clang -Werror -Wextra-semi-stmt -(which is not the default build configuration), the compiler reports: - - secon.c:686:3: error: empty expression statement has no effect; - remove unnecessary ';' to silence this warning - [-Werror,-Wextra-semi-stmt] - }; - ^ - -Signed-off-by: Nicolas Iooss ---- - policycoreutils/newrole/newrole.c | 2 +- - policycoreutils/secon/secon.c | 2 +- - 2 files changed, 2 insertions(+), 2 deletions(-) - -diff --git a/policycoreutils/newrole/newrole.c b/policycoreutils/newrole/newrole.c -index 36e2ba9c25d9..0264531acef4 100644 ---- a/policycoreutils/newrole/newrole.c -+++ b/policycoreutils/newrole/newrole.c -@@ -96,7 +96,7 @@ - #define USAGE_STRING "USAGE: newrole [ -r role ] [ -t type ] [ -l level ] [ -p ] [ -V ] [ -- args ]" - - #ifdef USE_PAM --#define PAM_SERVICE_CONFIG "/etc/selinux/newrole_pam.conf"; -+#define PAM_SERVICE_CONFIG "/etc/selinux/newrole_pam.conf" - #endif - - #define DEFAULT_PATH "/usr/bin:/bin" -diff --git a/policycoreutils/secon/secon.c b/policycoreutils/secon/secon.c -index d257a9a1ca6c..a0957d0914e1 100644 ---- a/policycoreutils/secon/secon.c -+++ b/policycoreutils/secon/secon.c -@@ -683,7 +683,7 @@ static void disp_con(const char *scon_raw) - color.range_bg = strtok(NULL, " "); - - color.valid = 1; -- }; -+ } - - if (!(con = context_new(scon))) - errx(EXIT_FAILURE, "Couldn't create context from: %s", scon); --- -2.32.0 - diff --git a/0010-Simplication-of-sepolicy-manpage-web-functionality.-.patch b/0004-Simplication-of-sepolicy-manpage-web-functionality.-.patch similarity index 96% rename from 0010-Simplication-of-sepolicy-manpage-web-functionality.-.patch rename to 0004-Simplication-of-sepolicy-manpage-web-functionality.-.patch index b07df66..87b58c2 100644 
--- a/0010-Simplication-of-sepolicy-manpage-web-functionality.-.patch +++ b/0004-Simplication-of-sepolicy-manpage-web-functionality.-.patch @@ -1,4 +1,4 @@ -From 4492465658c7a81237cc753351b3c7bfe095e8f6 Mon Sep 17 00:00:00 2001 +From b954ff8379e03714f707daa85111f6bf2f265772 Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Thu, 19 Feb 2015 17:45:15 +0100 Subject: [PATCH] Simplication of sepolicy-manpage web functionality. @@ -11,10 +11,10 @@ Subject: [PATCH] Simplication of sepolicy-manpage web functionality. 2 files changed, 13 insertions(+), 77 deletions(-) diff --git a/python/sepolicy/sepolicy/__init__.py b/python/sepolicy/sepolicy/__init__.py -index 7309875c7e27..37abc7b83a37 100644 +index e8654abbceb3..a2475d22547a 100644 --- a/python/sepolicy/sepolicy/__init__.py +++ b/python/sepolicy/sepolicy/__init__.py -@@ -1215,27 +1215,14 @@ def boolean_desc(boolean): +@@ -1225,27 +1225,14 @@ def boolean_desc(boolean): def get_os_version(): diff --git a/0004-policycoreutils-free-memory-on-lstat-failure-in-sest.patch b/0004-policycoreutils-free-memory-on-lstat-failure-in-sest.patch deleted file mode 100644 index 4d5fd0d..0000000 --- a/0004-policycoreutils-free-memory-on-lstat-failure-in-sest.patch +++ /dev/null 
@@ -1,33 +0,0 @@ -From d8b9bd5c2a90d6855478f05c8fb38bd5df2733a2 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= -Date: Wed, 14 Jul 2021 20:13:41 +0200 -Subject: [PATCH] policycoreutils: free memory on lstat failure in sestatus -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -In case lstat(3) fails the memory is not free'd at the end of the for -loop, due to the control flow change by continue. - -Found by scan-build. - -Signed-off-by: Christian Göttsche ---- - policycoreutils/sestatus/sestatus.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/policycoreutils/sestatus/sestatus.c b/policycoreutils/sestatus/sestatus.c -index b37f03533afd..ceee0d523f9a 100644 ---- a/policycoreutils/sestatus/sestatus.c -+++ b/policycoreutils/sestatus/sestatus.c -@@ -461,6 +461,7 @@ int main(int argc, char **argv) - ("%s (could not check link status (%s)!)\n", - context, strerror(errno)); - freecon(context); -+ free(fc[i]); - continue; - } - if (S_ISLNK(m.st_mode)) { --- -2.32.0 - diff --git a/0011-We-want-to-remove-the-trailing-newline-for-etc-syste.patch b/0005-We-want-to-remove-the-trailing-newline-for-etc-syste.patch similarity index 82% rename from 0011-We-want-to-remove-the-trailing-newline-for-etc-syste.patch rename to 0005-We-want-to-remove-the-trailing-newline-for-etc-syste.patch index 23abb82..7d20801 100644 --- a/0011-We-want-to-remove-the-trailing-newline-for-etc-syste.patch +++ b/0005-We-want-to-remove-the-trailing-newline-for-etc-syste.patch @@ -1,4 +1,4 @@ -From 18d06e7f84adad94efe1823a2fdccf62b04bf396 Mon Sep 17 00:00:00 2001 +From 7572bbec8b6a422e722864348a53d5e0f855e7f6 Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Fri, 20 Feb 2015 16:42:01 +0100 Subject: [PATCH] We want to remove the trailing newline for @@ -9,10 +9,10 @@ Subject: [PATCH] We want to remove the trailing newline for 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/python/sepolicy/sepolicy/__init__.py b/python/sepolicy/sepolicy/__init__.py -index 37abc7b83a37..481c5d86232f 100644 +index a2475d22547a..8055a12f6020 100644 --- a/python/sepolicy/sepolicy/__init__.py +++ b/python/sepolicy/sepolicy/__init__.py -@@ -1218,7 +1218,7 @@ def get_os_version(): +@@ -1228,7 +1228,7 @@ def get_os_version(): system_release = "" try: with open('/etc/system-release') as f: diff --git a/0005-policycoreutils-free-memory-of-allocated-context-in-.patch b/0005-policycoreutils-free-memory-of-allocated-context-in-.patch deleted file mode 100644 index 4d14620..0000000 --- a/0005-policycoreutils-free-memory-of-allocated-context-in-.patch +++ /dev/null @@ -1,42 +0,0 @@ -From f0c354afc07419cfe4f61b72f604a648c995943e Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= -Date: Wed, 14 Jul 2021 20:13:42 +0200 -Subject: [PATCH] policycoreutils: free memory of allocated context in run_init -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Found by scan-build. - -Signed-off-by: Christian Göttsche ---- - policycoreutils/run_init/run_init.c | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/policycoreutils/run_init/run_init.c b/policycoreutils/run_init/run_init.c -index 1c5eb68e7e73..545490a25918 100644 ---- a/policycoreutils/run_init/run_init.c -+++ b/policycoreutils/run_init/run_init.c -@@ -406,14 +406,19 @@ int main(int argc, char *argv[]) - - if (chdir("/")) { - perror("chdir"); -+ free(new_context); - exit(-1); - } - - if (setexeccon(new_context) < 0) { - fprintf(stderr, _("Could not set exec context to %s.\n"), - new_context); -+ free(new_context); - exit(-1); - } -+ -+ free(new_context); -+ - if (access("/usr/sbin/open_init_pty", X_OK) != 0) { - if (execvp(argv[1], argv + 1)) { - perror("execvp"); --- -2.32.0 - 
diff --git a/0012-Fix-title-in-manpage.py-to-not-contain-online.patch b/0006-Fix-title-in-manpage.py-to-not-contain-online.patch similarity index 91% rename from 0012-Fix-title-in-manpage.py-to-not-contain-online.patch rename to 0006-Fix-title-in-manpage.py-to-not-contain-online.patch index cb37d3d..8af8682 100644 --- a/0012-Fix-title-in-manpage.py-to-not-contain-online.patch +++ b/0006-Fix-title-in-manpage.py-to-not-contain-online.patch @@ -1,4 +1,4 @@ -From ddf7238fa3579a64145ed092b3a023d60cd2847c Mon Sep 17 00:00:00 2001 +From a4d59dcce863a02895fe40e487176149f3a4ad5b Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Fri, 20 Feb 2015 16:42:53 +0100 Subject: [PATCH] Fix title in manpage.py to not contain 'online'. diff --git a/0006-policycoreutils-free-memory-of-allocated-context-in-.patch b/0006-policycoreutils-free-memory-of-allocated-context-in-.patch deleted file mode 100644 index 0864436..0000000 --- a/0006-policycoreutils-free-memory-of-allocated-context-in-.patch +++ /dev/null @@ -1,30 +0,0 @@ -From 32611aea6543e3a8f32635857e37b4332b0b5c99 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= -Date: Wed, 14 Jul 2021 20:13:43 +0200 -Subject: [PATCH] policycoreutils: free memory of allocated context in newrole -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Found by scan-build. - -Signed-off-by: Christian Göttsche ---- - policycoreutils/newrole/newrole.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/policycoreutils/newrole/newrole.c b/policycoreutils/newrole/newrole.c -index 0264531acef4..7c1f062f5a2a 100644 ---- a/policycoreutils/newrole/newrole.c -+++ b/policycoreutils/newrole/newrole.c -@@ -1239,6 +1239,7 @@ int main(int argc, char *argv[]) - free(pw.pw_dir); - free(pw.pw_shell); - free(shell_argv0); -+ free(new_context); - return exit_code; - } - --- -2.32.0 - 
diff --git a/0013-Don-t-be-verbose-if-you-are-not-on-a-tty.patch b/0007-Don-t-be-verbose-if-you-are-not-on-a-tty.patch
similarity index 90%
rename from 0013-Don-t-be-verbose-if-you-are-not-on-a-tty.patch
rename to 0007-Don-t-be-verbose-if-you-are-not-on-a-tty.patch
index a56a2c7..216cdb2 100644
--- a/0013-Don-t-be-verbose-if-you-are-not-on-a-tty.patch
+++ b/0007-Don-t-be-verbose-if-you-are-not-on-a-tty.patch
@@ -1,4 +1,4 @@
-From fb7fb754e2c4d8931a5834e34ef88dfaf764bb8f Mon Sep 17 00:00:00 2001
+From f183dd36c66069c95726e1dab47639e76077d86a Mon Sep 17 00:00:00 2001
From: Dan Walsh
Date: Fri, 14 Feb 2014 12:32:12 -0500
Subject: [PATCH] Don't be verbose if you are not on a tty
diff --git a/0014-sepolicy-Drop-old-interface-file_type_is_executable-.patch b/0008-sepolicy-Drop-old-interface-file_type_is_executable-.patch
similarity index 96%
rename from 0014-sepolicy-Drop-old-interface-file_type_is_executable-.patch
rename to 0008-sepolicy-Drop-old-interface-file_type_is_executable-.patch
index f2d4e2d..20bf928 100644
--- a/0014-sepolicy-Drop-old-interface-file_type_is_executable-.patch
+++ b/0008-sepolicy-Drop-old-interface-file_type_is_executable-.patch
@@ -1,4 +1,4 @@
-From 7d68ca4cc7ab8bcdf65194a58b7db63914228494 Mon Sep 17 00:00:00 2001
+From fae31a306e7b6084710c02b658ace668766fc004 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach
Date: Mon, 27 Feb 2017 17:12:39 +0100
Subject: [PATCH] sepolicy: Drop old interface file_type_is_executable(f) and
diff --git a/0015-sepolicy-Another-small-optimization-for-mcs-types.patch b/0009-sepolicy-Another-small-optimization-for-mcs-types.patch
similarity index 96%
rename from 0015-sepolicy-Another-small-optimization-for-mcs-types.patch
rename to 0009-sepolicy-Another-small-optimization-for-mcs-types.patch
index 0755114..35d2276 100644
--- a/0015-sepolicy-Another-small-optimization-for-mcs-types.patch
+++ b/0009-sepolicy-Another-small-optimization-for-mcs-types.patch
@@ -1,4 +1,4 @@
-From 54d85eb009defdf93b24cf0131b88179490b56a2 Mon Sep 17 00:00:00 2001
+From afe686ec783ccf442c8e2bbcb9dbdb7650328253 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach
Date: Tue, 28 Feb 2017 21:29:46 +0100
Subject: [PATCH] sepolicy: Another small optimization for mcs types
diff --git a/0016-Move-po-translation-files-into-the-right-sub-directo.patch b/0010-Move-po-translation-files-into-the-right-sub-directo.patch
similarity index 99%
rename from 0016-Move-po-translation-files-into-the-right-sub-directo.patch
rename to 0010-Move-po-translation-files-into-the-right-sub-directo.patch
index 9b5c65e..49a1477 100644
--- a/0016-Move-po-translation-files-into-the-right-sub-directo.patch
+++ b/0010-Move-po-translation-files-into-the-right-sub-directo.patch
@@ -1,4 +1,4 @@
-From a8c4ac47f370e319c434fe1e6afcfae83d7390e9 Mon Sep 17 00:00:00 2001
+From 28879b771a804242d00a8a978bdbc4b85210814d Mon Sep 17 00:00:00 2001
From: Petr Lautrbach
Date: Mon, 6 Aug 2018 13:23:00 +0200
Subject: [PATCH] Move po/ translation files into the right sub-directories
diff --git a/0017-Use-correct-gettext-domains-in-python-gui-sandbox.patch b/0011-Use-correct-gettext-domains-in-python-gui-sandbox.patch
similarity index 95%
rename from 0017-Use-correct-gettext-domains-in-python-gui-sandbox.patch
rename to 0011-Use-correct-gettext-domains-in-python-gui-sandbox.patch
index 46ee3ad..fa55c2e 100644
--- a/0017-Use-correct-gettext-domains-in-python-gui-sandbox.patch
+++ b/0011-Use-correct-gettext-domains-in-python-gui-sandbox.patch
@@ -1,4 +1,4 @@
-From ea70711fce9127c7dd3146bc8161086f97745d11 Mon Sep 17 00:00:00 2001
+From a8cacf2944ddd803909d2111bdf2d43ab90e1111 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach
Date: Mon, 6 Aug 2018 13:37:07 +0200
Subject: [PATCH] Use correct gettext domains in python/ gui/ sandbox/
@@ -198,7 +198,7 @@ index 18a2710531ca..0980aecb6311 100644
import gettext
kwargs = {}
diff --git a/python/semanage/seobject.py b/python/semanage/seobject.py
-index 6a14f7b47dd5..b51a7e3e7ca3 100644
+index 21adbf6eb74f..69e60db80060 100644
--- a/python/semanage/seobject.py
+++ b/python/semanage/seobject.py
@@ -29,7 +29,7 @@ import sys
@@ -208,8 +208,8 @@ index 6a14f7b47dd5..b51a7e3e7ca3 100644
-PROGNAME = "policycoreutils"
+PROGNAME = "selinux-python"
import sepolicy
- import setools
- import ipaddress
+ from setools.policyrep import SELinuxPolicy
+ from setools.typequery import TypeQuery
diff --git a/python/sepolgen/src/sepolgen/sepolgeni18n.py b/python/sepolgen/src/sepolgen/sepolgeni18n.py
index 998c4356415c..56ebd807c69c 100644
--- a/python/sepolgen/src/sepolgen/sepolgeni18n.py
@@ -237,12 +237,12 @@ index 7b2230651099..32956e58f52e 100755
import gettext
kwargs = {}
diff --git a/python/sepolicy/sepolicy/__init__.py b/python/sepolicy/sepolicy/__init__.py
-index 481c5d86232f..df773a6b314e 100644
+index 8055a12f6020..aa8beda313c8 100644
--- a/python/sepolicy/sepolicy/__init__.py
+++ b/python/sepolicy/sepolicy/__init__.py
-@@ -13,7 +13,7 @@ import os
- import re
- import gzip
+@@ -23,7 +23,7 @@ from setools.typeattrquery import TypeAttributeQuery
+ from setools.typequery import TypeQuery
+ from setools.userquery import UserQuery
-PROGNAME = "policycoreutils"
+PROGNAME = "selinux-python"
diff --git a/0018-Initial-.pot-files-for-gui-python-sandbox.patch b/0012-Initial-.pot-files-for-gui-python-sandbox.patch
similarity index 99%
rename from 0018-Initial-.pot-files-for-gui-python-sandbox.patch
rename to 0012-Initial-.pot-files-for-gui-python-sandbox.patch
index 76768dd..9a6b2e8 100644
--- a/0018-Initial-.pot-files-for-gui-python-sandbox.patch
+++ b/0012-Initial-.pot-files-for-gui-python-sandbox.patch
@@ -1,4 +1,4 @@
-From b30964691f11946791c0b852c1b7eebf59a6dcf6 Mon Sep 17 00:00:00 2001
+From a4183d4c2d335fca940f741bec1f1839394ea783 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach
Date: Mon, 6 Aug 2018 14:23:19 +0200
Subject: [PATCH] Initial .pot files for gui/ python/ sandbox/
diff --git a/0019-policycoreutils-setfiles-Improve-description-of-d-sw.patch b/0013-policycoreutils-setfiles-Improve-description-of-d-sw.patch
similarity index 94%
rename from 0019-policycoreutils-setfiles-Improve-description-of-d-sw.patch
rename to 0013-policycoreutils-setfiles-Improve-description-of-d-sw.patch
index 0f634a6..f4d6b78 100644
--- a/0019-policycoreutils-setfiles-Improve-description-of-d-sw.patch
+++ b/0013-policycoreutils-setfiles-Improve-description-of-d-sw.patch
@@ -1,4 +1,4 @@
-From 4ee71fa678b4a9ce85d2ec2f9ebf561c8c183124 Mon Sep 17 00:00:00 2001
+From f5045f645cfa10fed01b4225d26d98ea9f81f085 Mon Sep 17 00:00:00 2001
From: Vit Mojzis
Date: Wed, 21 Mar 2018 08:51:31 +0100
Subject: [PATCH] policycoreutils/setfiles: Improve description of -d switch
diff --git a/0020-sepolicy-generate-Handle-more-reserved-port-types.patch b/0014-sepolicy-generate-Handle-more-reserved-port-types.patch
similarity index 97%
rename from 0020-sepolicy-generate-Handle-more-reserved-port-types.patch
rename to 0014-sepolicy-generate-Handle-more-reserved-port-types.patch
index 42e3c02..d64acff 100644
--- a/0020-sepolicy-generate-Handle-more-reserved-port-types.patch
+++ b/0014-sepolicy-generate-Handle-more-reserved-port-types.patch
@@ -1,4 +1,4 @@
-From c0137252dd3ce52f006162d7b1cb4677c45bea21 Mon Sep 17 00:00:00 2001
+From 53c27e891b9053a9bbbbca5a854deb4fc526a8a2 Mon Sep 17 00:00:00 2001
From: Masatake YAMATO
Date: Thu, 14 Dec 2017 15:57:58 +0900
Subject: [PATCH] sepolicy-generate: Handle more reserved port types
diff --git a/0021-semodule-utils-Fix-RESOURCE_LEAK-coverity-scan-defec.patch b/0015-semodule-utils-Fix-RESOURCE_LEAK-coverity-scan-defec.patch
similarity index 91%
rename from 0021-semodule-utils-Fix-RESOURCE_LEAK-coverity-scan-defec.patch
rename to 0015-semodule-utils-Fix-RESOURCE_LEAK-coverity-scan-defec.patch
index d2ae420..e39c750 100644
--- a/0021-semodule-utils-Fix-RESOURCE_LEAK-coverity-scan-defec.patch
+++ b/0015-semodule-utils-Fix-RESOURCE_LEAK-coverity-scan-defec.patch
@@ -1,4 +1,4 @@
-From d6476f30ddaf384ed7f563ca4ad31cbfc7ad6bbd Mon Sep 17 00:00:00 2001
+From f1acc9a3057e199d62c6b8ec6e77fc33ca3db1d1 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach
Date: Thu, 8 Nov 2018 09:20:58 +0100
Subject: [PATCH] semodule-utils: Fix RESOURCE_LEAK coverity scan defects
diff --git a/0022-sandbox-Use-matchbox-window-manager-instead-of-openb.patch b/0016-sandbox-Use-matchbox-window-manager-instead-of-openb.patch
similarity index 97%
rename from 0022-sandbox-Use-matchbox-window-manager-instead-of-openb.patch
rename to 0016-sandbox-Use-matchbox-window-manager-instead-of-openb.patch
index 12c297a..6ab6f4a 100644
--- a/0022-sandbox-Use-matchbox-window-manager-instead-of-openb.patch
+++ b/0016-sandbox-Use-matchbox-window-manager-instead-of-openb.patch
@@ -1,4 +1,4 @@
-From d61a3517017921d6b6f4618e1de0c4f4a33fe951 Mon Sep 17 00:00:00 2001
+From be804ecd456a52803067e1aa11e20ef69788221c Mon Sep 17 00:00:00 2001
From: Petr Lautrbach
Date: Wed, 18 Jul 2018 09:09:35 +0200
Subject: [PATCH] sandbox: Use matchbox-window-manager instead of openbox
diff --git a/0023-sepolicy-Fix-flake8-warnings-in-Fedora-only-code.patch b/0017-sepolicy-Fix-flake8-warnings-in-Fedora-only-code.patch
similarity index 96%
rename from 0023-sepolicy-Fix-flake8-warnings-in-Fedora-only-code.patch
rename to 0017-sepolicy-Fix-flake8-warnings-in-Fedora-only-code.patch
index c8e7e43..1a3e957 100644
--- a/0023-sepolicy-Fix-flake8-warnings-in-Fedora-only-code.patch
+++ b/0017-sepolicy-Fix-flake8-warnings-in-Fedora-only-code.patch
@@ -1,4 +1,4 @@
-From 257d7d95f541bd4b85c518562278cdc4f928f8af Mon Sep 17 00:00:00 2001
+From 0e40b5541773c6daf58bba7048fae6918d74de74 Mon Sep 17 00:00:00 2001
From: Ondrej Mosnacek
Date: Tue, 28 Jul 2020 14:37:13 +0200
Subject: [PATCH] sepolicy: Fix flake8 warnings in Fedora-only code
diff --git a/0018-Use-SHA-2-instead-of-SHA-1.patch b/0018-Use-SHA-2-instead-of-SHA-1.patch
new file mode 100644
index 0000000..143f805
--- /dev/null
+++ b/0018-Use-SHA-2-instead-of-SHA-1.patch
@@ -0,0 +1,297 @@ +From ec1b147076345478636de763ce5d4e8daa69afd6 Mon Sep 17 00:00:00 2001 +From: Petr Lautrbach +Date: Fri, 30 Jul 2021 14:14:37 +0200 +Subject: [PATCH] Use SHA-2 instead of SHA-1 + +The use of SHA-1 in RHEL9 is deprecated +--- + policycoreutils/setfiles/restorecon.8 | 10 +++++----- + policycoreutils/setfiles/restorecon_xattr.8 | 8 ++++---- + policycoreutils/setfiles/restorecon_xattr.c | 12 ++++++------ + policycoreutils/setfiles/ru/restorecon.8 | 8 ++++---- + policycoreutils/setfiles/ru/restorecon_xattr.8 | 10 +++++----- + policycoreutils/setfiles/ru/setfiles.8 | 8 ++++---- + policycoreutils/setfiles/setfiles.8 | 10 +++++----- + 7 files changed, 33 insertions(+), 33 deletions(-) + +diff --git a/policycoreutils/setfiles/restorecon.8 b/policycoreutils/setfiles/restorecon.8 +index 668486f66113..a8900f02b3f3 100644 +--- a/policycoreutils/setfiles/restorecon.8 ++++ b/policycoreutils/setfiles/restorecon.8 +@@ -93,14 +93,14 @@ display usage information and exit. + ignore files that do not exist. + .TP + .B \-I +-ignore digest to force checking of labels even if the stored SHA1 digest +-matches the specfiles SHA1 digest. The digest will then be updated provided ++ignore digest to force checking of labels even if the stored SHA256 digest ++matches the specfiles SHA256 digest. The digest will then be updated provided + there are no errors. See the + .B NOTES + section for further details. + .TP + .B \-D +-Set or update any directory SHA1 digests. Use this option to ++Set or update any directory SHA256 digests. Use this option to + enable usage of the + .IR security.sehash + extended attribute. +@@ -191,7 +191,7 @@ the + .B \-D + option to + .B restorecon +-will cause it to store a SHA1 digest of the default specfiles set in an extended ++will cause it to store a SHA256 digest of the default specfiles set in an extended + attribute named + .IR security.sehash + on each directory specified in +@@ -208,7 +208,7 @@ for further details. 
+ .sp + The + .B \-I +-option will ignore the SHA1 digest from each directory specified in ++option will ignore the SHA256 digest from each directory specified in + .IR pathname \ ... + and provided the + .B \-n +diff --git a/policycoreutils/setfiles/restorecon_xattr.8 b/policycoreutils/setfiles/restorecon_xattr.8 +index e04528e60824..4b1ce304d995 100644 +--- a/policycoreutils/setfiles/restorecon_xattr.8 ++++ b/policycoreutils/setfiles/restorecon_xattr.8 +@@ -23,7 +23,7 @@ or + + .SH "DESCRIPTION" + .B restorecon_xattr +-will display the SHA1 digests added to extended attributes ++will display the SHA256 digests added to extended attributes + .I security.sehash + or delete the attribute completely. These attributes are set by + .BR restorecon (8) +@@ -48,12 +48,12 @@ extended attribute and are automatically excluded from searches. + .sp + By default + .B restorecon_xattr +-will display the SHA1 digests with "Match" appended if they match the default ++will display the SHA256 digests with "Match" appended if they match the default + specfile set or the + .I specfile + set used with the + .B \-f +-option. Non-matching SHA1 digests will be displayed with "No Match" appended. ++option. Non-matching SHA256 digests will be displayed with "No Match" appended. + This feature can be disabled by the + .B \-n + option. +@@ -87,7 +87,7 @@ Do not append "Match" or "No Match" to displayed digests. + recursively descend directories. + .TP + .B \-v +-display SHA1 digest generated by specfile set (Note that this digest is not ++display SHA256 digest generated by specfile set (Note that this digest is not + used to match the + .I security.sehash + directory digest entries, and is shown for reference only). 
+diff --git a/policycoreutils/setfiles/restorecon_xattr.c b/policycoreutils/setfiles/restorecon_xattr.c +index 31fb82fd2099..bc22d3fd4560 100644 +--- a/policycoreutils/setfiles/restorecon_xattr.c ++++ b/policycoreutils/setfiles/restorecon_xattr.c +@@ -38,7 +38,7 @@ int main(int argc, char **argv) + unsigned int xattr_flags = 0, delete_digest = 0, recurse = 0; + unsigned int delete_all_digests = 0, ignore_mounts = 0; + bool display_digest = false; +- char *sha1_buf, **specfiles, *fc_file = NULL, *pathname = NULL; ++ char *sha256_buf, **specfiles, *fc_file = NULL, *pathname = NULL; + unsigned char *fc_digest = NULL; + size_t i, fc_digest_len = 0, num_specfiles; + +@@ -133,8 +133,8 @@ int main(int argc, char **argv) + exit(-1); + } + +- sha1_buf = malloc(fc_digest_len * 2 + 1); +- if (!sha1_buf) { ++ sha256_buf = malloc(fc_digest_len * 2 + 1); ++ if (!sha256_buf) { + fprintf(stderr, + "Error allocating digest buffer: %s\n", + strerror(errno)); +@@ -143,16 +143,16 @@ int main(int argc, char **argv) + } + + for (i = 0; i < fc_digest_len; i++) +- sprintf((&sha1_buf[i * 2]), "%02x", fc_digest[i]); ++ sprintf((&sha256_buf[i * 2]), "%02x", fc_digest[i]); + +- printf("specfiles SHA1 digest: %s\n", sha1_buf); ++ printf("specfiles SHA256 digest: %s\n", sha256_buf); + + printf("calculated using the following specfile(s):\n"); + if (specfiles) { + for (i = 0; i < num_specfiles; i++) + printf("%s\n", specfiles[i]); + } +- free(sha1_buf); ++ free(sha256_buf); + printf("\n"); + } + +diff --git a/policycoreutils/setfiles/ru/restorecon.8 b/policycoreutils/setfiles/ru/restorecon.8 +index 9be3a63db356..745135020f4b 100644 +--- a/policycoreutils/setfiles/ru/restorecon.8 ++++ b/policycoreutils/setfiles/ru/restorecon.8 +@@ -82,11 +82,11 @@ restorecon \- восстановить SELinux-контексты безопас + игнорировать файлы, которые не существуют. 
+ .TP + .B \-I +-игнорировать дайджест, чтобы принудительно проверить метки, даже если хранимый дайджест SHA1 соответствует дайджесту SHA1 файлов спецификации. Затем (при условии отсутствия ошибок) дайджест будет обновлён. Более подробные сведения доступны в разделе ++игнорировать дайджест, чтобы принудительно проверить метки, даже если хранимый дайджест SHA256 соответствует дайджесту SHA256 файлов спецификации. Затем (при условии отсутствия ошибок) дайджест будет обновлён. Более подробные сведения доступны в разделе + .B ПРИМЕЧАНИЯ. + .TP + .B \-D +-установить или обновить дайджесты SHA1 для любых каталогов. Используйте этот параметр, чтобы включить использование расширенного атрибута ++установить или обновить дайджесты SHA256 для любых каталогов. Используйте этот параметр, чтобы включить использование расширенного атрибута + .IR security.restorecon_last. + .TP + .B \-m +@@ -159,7 +159,7 @@ GNU + .B \-D + команды + .B restorecon +-обеспечит сохранение дайджеста SHA1 файлов спецификации по умолчанию в расширенном атрибуте с именем ++обеспечит сохранение дайджеста SHA256 файлов спецификации по умолчанию в расширенном атрибуте с именем + .IR security.restorecon_last + для каталогов, указанных в соответствующих путях + .IR pathname \ ... +@@ -173,7 +173,7 @@ GNU + .sp + Параметр + .B \-I +-позволяет игнорировать дайджест SHA1 из каждого каталога, указанного в ++позволяет игнорировать дайджест SHA256 из каждого каталога, указанного в + .IR pathname \ ... 
+ , и, при условии, что НЕ установлен параметр + .B \-n +diff --git a/policycoreutils/setfiles/ru/restorecon_xattr.8 b/policycoreutils/setfiles/ru/restorecon_xattr.8 +index 41c441b8c5c2..25c4c3033334 100644 +--- a/policycoreutils/setfiles/ru/restorecon_xattr.8 ++++ b/policycoreutils/setfiles/ru/restorecon_xattr.8 +@@ -23,7 +23,7 @@ restorecon_xattr \- управление записями расширенных + + .SH "ОПИСАНИЕ" + .B restorecon_xattr +-покажет дайджесты SHA1, добавленные в расширенные атрибуты ++покажет дайджесты SHA256, добавленные в расширенные атрибуты + .I security.restorecon_last, + или полностью удалит эти атрибуты. Эти атрибуты устанавливаются командой + .BR restorecon (8) +@@ -47,11 +47,11 @@ restorecon_xattr \- управление записями расширенных + .sp + По умолчанию + .B restorecon_xattr +-показывает дайджесты SHA1, добавляя в конце "Match", если они соответствуют установленному по умолчанию файлу спецификации или файлу спецификации ++показывает дайджесты SHA256, добавляя в конце "Match", если они соответствуют установленному по умолчанию файлу спецификации или файлу спецификации + .I specfile, + который установлен с помощью параметра + .B \-f. +-Несоответствующие дайджесты SHA1 будут показаны с добавлением "No Match" в конце. ++Несоответствующие дайджесты SHA256 будут показаны с добавлением "No Match" в конце. + Эту возможность можно отключить с помощью параметра + .B \-n. + +@@ -81,7 +81,7 @@ restorecon_xattr \- управление записями расширенных + рекурсивно спускаться по каталогам. + .TP + .B \-v +-показать дайджест SHA1, созданный установленным файлом спецификации. ++показать дайджест SHA256, созданный установленным файлом спецификации. + .TP + .B \-e + .I directory +@@ -97,7 +97,7 @@ restorecon_xattr \- управление записями расширенных + .BR file_contexts (5). 
+ Он будет использоваться + .BR selabel_open (3) +-для получения набора записей меток; получение дайджеста SHA1 выполняется с помощью ++для получения набора записей меток; получение дайджеста SHA256 выполняется с помощью + .BR selabel_digest (3). + Если этот параметр не указан, будет использоваться файл file_contexts по умолчанию. + +diff --git a/policycoreutils/setfiles/ru/setfiles.8 b/policycoreutils/setfiles/ru/setfiles.8 +index 910101452625..7f2daa09191b 100644 +--- a/policycoreutils/setfiles/ru/setfiles.8 ++++ b/policycoreutils/setfiles/ru/setfiles.8 +@@ -69,11 +69,11 @@ setfiles \- установить SELinux-контексты безопаснос + игнорировать файлы, которые не существуют. + .TP + .B \-I +-игнорировать дайджест, чтобы принудительно проверить метки, даже если хранимый дайджест SHA1 соответствует дайджесту SHA1 файлов спецификации. Затем (при условии отсутствия ошибок) дайджест будет обновлён. Более подробные сведения доступны в разделе ++игнорировать дайджест, чтобы принудительно проверить метки, даже если хранимый дайджест SHA256 соответствует дайджесту SHA256 файлов спецификации. Затем (при условии отсутствия ошибок) дайджест будет обновлён. Более подробные сведения доступны в разделе + .B ПРИМЕЧАНИЯ. + .TP + .B \-D +-установить или обновить дайджесты SHA1 для любых каталогов. Используйте этот параметр, чтобы включить использование расширенного атрибута ++установить или обновить дайджесты SHA256 для любых каталогов. Используйте этот параметр, чтобы включить использование расширенного атрибута + .IR security.restorecon_last. + .TP + .B \-l +@@ -186,7 +186,7 @@ GNU + .B \-D + команды + .B setfiles . 
+-Он обеспечивает сохранение дайджеста SHA1 файла спецификации ++Он обеспечивает сохранение дайджеста SHA256 файла спецификации + .B spec_file + в расширенном атрибуте с именем + .IR security.restorecon_last +@@ -204,7 +204,7 @@ GNU + .sp + Параметр + .B \-I +-позволяет игнорировать дайджест SHA1 из каждого каталога, указанного в ++позволяет игнорировать дайджест SHA256 из каждого каталога, указанного в + .IR pathname \ ... + , и, при условии, что НЕ установлен параметр + .B \-n +diff --git a/policycoreutils/setfiles/setfiles.8 b/policycoreutils/setfiles/setfiles.8 +index 8e6c4ab94841..0692121f2f4d 100644 +--- a/policycoreutils/setfiles/setfiles.8 ++++ b/policycoreutils/setfiles/setfiles.8 +@@ -85,14 +85,14 @@ display usage information and exit. + ignore files that do not exist. + .TP + .B \-I +-ignore digest to force checking of labels even if the stored SHA1 digest +-matches the specfiles SHA1 digest. The digest will then be updated provided ++ignore digest to force checking of labels even if the stored SHA256 digest ++matches the specfiles SHA256 digest. The digest will then be updated provided + there are no errors. See the + .B NOTES + section for further details. + .TP + .B \-D +-Set or update any directory SHA1 digests. Use this option to ++Set or update any directory SHA256 digests. Use this option to + enable usage of the + .IR security.sehash + extended attribute. +@@ -230,7 +230,7 @@ the + .B \-D + option to + .B setfiles +-will cause it to store a SHA1 digest of the ++will cause it to store a SHA256 digest of the + .B spec_file + set in an extended attribute named + .IR security.sehash +@@ -251,7 +251,7 @@ for further details. + .sp + The + .B \-I +-option will ignore the SHA1 digest from each directory specified in ++option will ignore the SHA256 digest from each directory specified in + .IR pathname \ ... + and provided the + .B \-n +-- +2.32.0 + 
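Review bot: Nothing in the new 0018 patch changes how the digest is computed; it only renames sha1_buf to sha256_buf and rewrites the "SHA1" strings in restorecon_xattr.c and the man pages, while the bytes printed still come from fc_digest/fc_digest_len, which are filled outside the hunk (the ru/ man page text attributes the digest to selabel_digest(3), so presumably libselinux). The renamed output is therefore only truthful together with a libselinux that already produces SHA-256, which the spec's new libselinuxver 3.3-0.rc2 presumably guarantees; the one-line description `The use of SHA-1 in RHEL9 is deprecated` should name the libselinux change this patch depends on so the pairing is auditable. If the underlying algorithm did switch, security.sehash values written by the SHA-1 code will no longer match and the next `restorecon -D` run will presumably re-verify every label under those directories, which deserves a line in the package changelog. Separately, the ru/ man pages touched here still call the attribute `security.restorecon_last` where the English pages say `security.sehash`; that mismatch predates this commit but could be corrected in the same patch since the lines are already being rewritten. The C change sits inside main(), whose start and end are outside the hunk.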
diff --git a/0024-Do-not-use-Python-slip.patch b/0024-Do-not-use-Python-slip.patch deleted file mode 100644 index eafcf56..0000000 --- a/0024-Do-not-use-Python-slip.patch +++ /dev/null 
@@ -1,217 +0,0 @@ -From 10a970733c5b31c237abd7357421384597fe0510 Mon Sep 17 00:00:00 2001 -From: Petr Lautrbach -Date: Thu, 15 Apr 2021 17:39:39 +0200 -Subject: [PATCH] Do not use Python slip - -Python slip is not actively maintained anymore and it was use just as -polkit proxy. It looks like polkit dbus interface is quite simple to use -it directly via python dbus module. - -Signed-off-by: Petr Lautrbach ---- - dbus/selinux_server.py | 69 ++++++++++++++++++------------ - python/sepolicy/sepolicy/sedbus.py | 9 ---- - 2 files changed, 41 insertions(+), 37 deletions(-) - -diff --git a/dbus/selinux_server.py b/dbus/selinux_server.py -index be4f4557a9fa..b7c9378bcb5d 100644 ---- a/dbus/selinux_server.py -+++ b/dbus/selinux_server.py -@@ -4,26 +4,33 @@ import dbus - import dbus.service - import dbus.mainloop.glib - from gi.repository import GObject --import slip.dbus.service --from slip.dbus import polkit - import os - import selinux - from subprocess import Popen, PIPE, STDOUT - - --class selinux_server(slip.dbus.service.Object): -+class selinux_server(dbus.service.Object): - default_polkit_auth_required = "org.selinux.semanage" - - def __init__(self, *p, **k): - super(selinux_server, self).__init__(*p, **k) - -+ def is_authorized(self, sender, action_id): -+ bus = dbus.SystemBus() -+ proxy = bus.get_object('org.freedesktop.PolicyKit1', '/org/freedesktop/PolicyKit1/Authority') -+ authority = dbus.Interface(proxy, dbus_interface='org.freedesktop.PolicyKit1.Authority') -+ subject = ('system-bus-name', {'name': sender}) -+ result = authority.CheckAuthorization(subject, action_id, {}, 1, '') -+ return result[0] -+ - # - # The semanage method runs a transaction on a series of semanage commands, - # these commands can take the output of customized - # -- @slip.dbus.polkit.require_auth("org.selinux.semanage") -- @dbus.service.method("org.selinux", in_signature='s') -- def semanage(self, buf): -+ @dbus.service.method("org.selinux", in_signature='s', sender_keyword="sender") -+ 
def semanage(self, buf, sender): -+ if not self.is_authorized(sender, "org.selinux.semanage"): -+ raise dbus.exceptions.DBusException("Not authorized") - p = Popen(["/usr/sbin/semanage", "import"], stdout=PIPE, stderr=PIPE, stdin=PIPE, universal_newlines=True) - p.stdin.write(buf) - output = p.communicate() -@@ -35,9 +42,10 @@ class selinux_server(slip.dbus.service.Object): - # on the server. This output can be used with the semanage method on - # another server to make the two systems have duplicate policy. - # -- @slip.dbus.polkit.require_auth("org.selinux.customized") -- @dbus.service.method("org.selinux", in_signature='', out_signature='s') -- def customized(self): -+ @dbus.service.method("org.selinux", in_signature='', out_signature='s', sender_keyword="sender") -+ def customized(self, sender): -+ if not self.is_authorized(sender, "org.selinux.customized"): -+ raise dbus.exceptions.DBusException("Not authorized") - p = Popen(["/usr/sbin/semanage", "export"], stdout=PIPE, stderr=PIPE, universal_newlines=True) - buf = p.stdout.read() - output = p.communicate() -@@ -49,9 +57,10 @@ class selinux_server(slip.dbus.service.Object): - # The semodule_list method will return the output of semodule --list=full, using the customized polkit, - # since this is a readonly behaviour - # -- @slip.dbus.polkit.require_auth("org.selinux.semodule_list") -- @dbus.service.method("org.selinux", in_signature='', out_signature='s') -- def semodule_list(self): -+ @dbus.service.method("org.selinux", in_signature='', out_signature='s', sender_keyword="sender") -+ def semodule_list(self, sender): -+ if not self.is_authorized(sender, "org.selinux.semodule_list"): -+ raise dbus.exceptions.DBusException("Not authorized") - p = Popen(["/usr/sbin/semodule", "--list=full"], stdout=PIPE, stderr=PIPE, universal_newlines=True) - buf = p.stdout.read() - output = p.communicate() -@@ -62,25 +71,28 @@ class selinux_server(slip.dbus.service.Object): - # - # The restorecon method modifies any file path 
to the default system label - # -- @slip.dbus.polkit.require_auth("org.selinux.restorecon") -- @dbus.service.method("org.selinux", in_signature='s') -- def restorecon(self, path): -+ @dbus.service.method("org.selinux", in_signature='s', sender_keyword="sender") -+ def restorecon(self, path, sender): -+ if not self.is_authorized(sender, "org.selinux.restorecon"): -+ raise dbus.exceptions.DBusException("Not authorized") - selinux.restorecon(str(path), recursive=1) - - # - # The setenforce method turns off the current enforcement of SELinux - # -- @slip.dbus.polkit.require_auth("org.selinux.setenforce") -- @dbus.service.method("org.selinux", in_signature='i') -- def setenforce(self, value): -+ @dbus.service.method("org.selinux", in_signature='i', sender_keyword="sender") -+ def setenforce(self, value, sender): -+ if not self.is_authorized(sender, "org.selinux.setenforce"): -+ raise dbus.exceptions.DBusException("Not authorized") - selinux.security_setenforce(value) - - # - # The setenforce method turns off the current enforcement of SELinux - # -- @slip.dbus.polkit.require_auth("org.selinux.relabel_on_boot") -- @dbus.service.method("org.selinux", in_signature='i') -- def relabel_on_boot(self, value): -+ @dbus.service.method("org.selinux", in_signature='i', sender_keyword="sender") -+ def relabel_on_boot(self, value, sender): -+ if not self.is_authorized(sender, "org.selinux.relabel_on_boot"): -+ raise dbus.exceptions.DBusException("Not authorized") - if value == 1: - fd = open("/.autorelabel", "w") - fd.close() -@@ -111,9 +123,10 @@ class selinux_server(slip.dbus.service.Object): - # - # The change_default_enforcement modifies the current enforcement mode - # -- @slip.dbus.polkit.require_auth("org.selinux.change_default_mode") -- @dbus.service.method("org.selinux", in_signature='s') -- def change_default_mode(self, value): -+ @dbus.service.method("org.selinux", in_signature='s', sender_keyword="sender") -+ def change_default_mode(self, value, sender): -+ if not 
self.is_authorized(sender, "org.selinux.change_default_mode"): -+ raise dbus.exceptions.DBusException("Not authorized") - values = ["enforcing", "permissive", "disabled"] - if value not in values: - raise ValueError("Enforcement mode must be %s" % ", ".join(values)) -@@ -122,9 +135,10 @@ class selinux_server(slip.dbus.service.Object): - # - # The change_default_policy method modifies the policy type - # -- @slip.dbus.polkit.require_auth("org.selinux.change_default_policy") -- @dbus.service.method("org.selinux", in_signature='s') -- def change_default_policy(self, value): -+ @dbus.service.method("org.selinux", in_signature='s', sender_keyword="sender") -+ def change_default_policy(self, value, sender): -+ if not self.is_authorized(sender, "org.selinux.change_default_policy"): -+ raise dbus.exceptions.DBusException("Not authorized") - path = selinux.selinux_path() + value - if os.path.isdir(path): - return self.write_selinux_config(policy=value) -@@ -136,5 +150,4 @@ if __name__ == "__main__": - system_bus = dbus.SystemBus() - name = dbus.service.BusName("org.selinux", system_bus) - object = selinux_server(system_bus, "/org/selinux/object") -- slip.dbus.service.set_mainloop(mainloop) - mainloop.run() -diff --git a/python/sepolicy/sepolicy/sedbus.py b/python/sepolicy/sepolicy/sedbus.py -index 76b259ae27e8..39b53d47753a 100644 ---- a/python/sepolicy/sepolicy/sedbus.py -+++ b/python/sepolicy/sepolicy/sedbus.py -@@ -2,7 +2,6 @@ import sys - import dbus - import dbus.service - import dbus.mainloop.glib --from slip.dbus import polkit - - - class SELinuxDBus (object): -@@ -11,42 +10,34 @@ class SELinuxDBus (object): - self.bus = dbus.SystemBus() - self.dbus_object = self.bus.get_object("org.selinux", "/org/selinux/object") - -- @polkit.enable_proxy - def semanage(self, buf): - ret = self.dbus_object.semanage(buf, dbus_interface="org.selinux") - return ret - -- @polkit.enable_proxy - def restorecon(self, path): - ret = self.dbus_object.restorecon(path, 
dbus_interface="org.selinux") - return ret - -- @polkit.enable_proxy - def setenforce(self, value): - ret = self.dbus_object.setenforce(value, dbus_interface="org.selinux") - return ret - -- @polkit.enable_proxy - def customized(self): - ret = self.dbus_object.customized(dbus_interface="org.selinux") - return ret - -- @polkit.enable_proxy - def semodule_list(self): - ret = self.dbus_object.semodule_list(dbus_interface="org.selinux") - return ret - -- @polkit.enable_proxy - def relabel_on_boot(self, value): - ret = self.dbus_object.relabel_on_boot(value, dbus_interface="org.selinux") - return ret - -- @polkit.enable_proxy - def change_default_mode(self, value): - ret = self.dbus_object.change_default_mode(value, dbus_interface="org.selinux") - return ret - -- @polkit.enable_proxy - def change_default_policy(self, value): - ret = self.dbus_object.change_default_policy(value, dbus_interface="org.selinux") - return ret --- -2.32.0 - diff --git a/0025-dbus-Use-GLib.MainLoop.patch b/0025-dbus-Use-GLib.MainLoop.patch deleted file mode 100644 index 10fb63d..0000000 --- a/0025-dbus-Use-GLib.MainLoop.patch +++ /dev/null 
@@ -1,45 +0,0 @@ -From 86be303a7c5ed5057d0357a85e27cdb6885122fe Mon Sep 17 00:00:00 2001 -From: Petr Lautrbach -Date: Wed, 12 May 2021 19:19:29 +0200 -Subject: [PATCH] dbus: Use GLib.MainLoop() - -Fixes: - PyGIDeprecationWarning: GObject.MainLoop is deprecated; use GLib.MainLoop instead - -Signed-off-by: Petr Lautrbach ---- - dbus/selinux_server.py | 10 ++++++---- - 1 file changed, 6 insertions(+), 4 deletions(-) - -diff --git a/dbus/selinux_server.py b/dbus/selinux_server.py -index b7c9378bcb5d..a969f2268ceb 100644 ---- a/dbus/selinux_server.py -+++ b/dbus/selinux_server.py -@@ -2,8 +2,9 @@ - - import dbus - import dbus.service --import dbus.mainloop.glib -+from dbus.mainloop.glib import DBusGMainLoop - from gi.repository import GObject -+from gi.repository import GLib - import os - import selinux - from subprocess import Popen, PIPE, STDOUT -@@ -145,9 +146,10 @@ class selinux_server(dbus.service.Object): - raise ValueError("%s does not exist" % path) - - if __name__ == "__main__": -- mainloop = GObject.MainLoop() -- dbus.mainloop.glib.DBusGMainLoop(set_as_default=True) -+ DBusGMainLoop(set_as_default=True) -+ mainloop = GLib.MainLoop() -+ - system_bus = dbus.SystemBus() - name = dbus.service.BusName("org.selinux", system_bus) -- object = selinux_server(system_bus, "/org/selinux/object") -+ server = selinux_server(system_bus, "/org/selinux/object") - mainloop.run() --- -2.32.0 - diff --git a/policycoreutils.spec b/policycoreutils.spec index 89373ea..11361ab 100644 --- a/policycoreutils.spec +++ b/policycoreutils.spec @@ -1,7 +1,7 @@ %global libauditver 3.0 -%global libsepolver 3.2-3 -%global libsemanagever 3.2-4 -%global libselinuxver 3.2-4 +%global libsepolver 3.3-0.rc2 +%global libsemanagever 3.3-0.rc2 +%global libselinuxver 3.3-0.rc2 %global generatorsdir %{_prefix}/lib/systemd/system-generators 
@@ -10,11 +10,11 @@ Summary: SELinux policy core utilities Name: policycoreutils -Version: 3.2 -Release: 6%{?dist} +Version: 3.3 +Release: 0.rc2.1%{?dist} License: GPLv2 # https://github.com/SELinuxProject/selinux/wiki/Releases -Source0: https://github.com/SELinuxProject/selinux/releases/download/3.2/selinux-3.2.tar.gz +Source0: https://github.com/SELinuxProject/selinux/releases/download/3.3-rc2/selinux-3.3-rc2.tar.gz URL: https://github.com/SELinuxProject/selinux Source13: system-config-selinux.png Source14: sepolicy-icons.tgz 
@@ -28,34 +28,27 @@ Source21: python-po.tgz Source22: gui-po.tgz Source23: sandbox-po.tgz # https://github.com/fedora-selinux/selinux -# $ git format-patch -N 3.2 -- policycoreutils python gui sandbox dbus semodule-utils restorecond +# $ git format-patch -N 3.3-rc2 -- policycoreutils python gui sandbox dbus semodule-utils restorecond # $ for j in [0-9]*.patch; do printf "Patch%s: %s\n" ${j/-*/} $j; done # Patch list start -Patch0001: 0001-policycoreutils-setfiles-do-not-create-useless-setfi.patch -Patch0002: 0002-fixfiles-do-not-exclude-dev-and-run-in-C-mode.patch -Patch0003: 0003-policycoreutils-silence-Wextra-semi-stmt-warning.patch -Patch0004: 0004-policycoreutils-free-memory-on-lstat-failure-in-sest.patch -Patch0005: 0005-policycoreutils-free-memory-of-allocated-context-in-.patch -Patch0006: 0006-policycoreutils-free-memory-of-allocated-context-in-.patch -Patch0007: 0007-sandbox-add-reset-to-Xephyr-as-it-works-better-with-.patch -Patch0008: 0008-Fix-STANDARD_FILE_CONTEXT-section-in-man-pages.patch -Patch0009: 0009-If-there-is-no-executable-we-don-t-want-to-print-a-p.patch -Patch0010: 0010-Simplication-of-sepolicy-manpage-web-functionality.-.patch -Patch0011: 0011-We-want-to-remove-the-trailing-newline-for-etc-syste.patch -Patch0012: 0012-Fix-title-in-manpage.py-to-not-contain-online.patch -Patch0013: 0013-Don-t-be-verbose-if-you-are-not-on-a-tty.patch -Patch0014: 0014-sepolicy-Drop-old-interface-file_type_is_executable-.patch -Patch0015: 0015-sepolicy-Another-small-optimization-for-mcs-types.patch -Patch0016: 0016-Move-po-translation-files-into-the-right-sub-directo.patch -Patch0017: 0017-Use-correct-gettext-domains-in-python-gui-sandbox.patch -Patch0018: 0018-Initial-.pot-files-for-gui-python-sandbox.patch -Patch0019: 0019-policycoreutils-setfiles-Improve-description-of-d-sw.patch -Patch0020: 0020-sepolicy-generate-Handle-more-reserved-port-types.patch -Patch0021: 0021-semodule-utils-Fix-RESOURCE_LEAK-coverity-scan-defec.patch -Patch0022: 
0022-sandbox-Use-matchbox-window-manager-instead-of-openb.patch -Patch0023: 0023-sepolicy-Fix-flake8-warnings-in-Fedora-only-code.patch -Patch0024: 0024-Do-not-use-Python-slip.patch -Patch0025: 0025-dbus-Use-GLib.MainLoop.patch +Patch0001: 0001-sandbox-add-reset-to-Xephyr-as-it-works-better-with-.patch +Patch0002: 0002-Fix-STANDARD_FILE_CONTEXT-section-in-man-pages.patch +Patch0003: 0003-If-there-is-no-executable-we-don-t-want-to-print-a-p.patch +Patch0004: 0004-Simplication-of-sepolicy-manpage-web-functionality.-.patch +Patch0005: 0005-We-want-to-remove-the-trailing-newline-for-etc-syste.patch +Patch0006: 0006-Fix-title-in-manpage.py-to-not-contain-online.patch +Patch0007: 0007-Don-t-be-verbose-if-you-are-not-on-a-tty.patch +Patch0008: 0008-sepolicy-Drop-old-interface-file_type_is_executable-.patch +Patch0009: 0009-sepolicy-Another-small-optimization-for-mcs-types.patch +Patch0010: 0010-Move-po-translation-files-into-the-right-sub-directo.patch +Patch0011: 0011-Use-correct-gettext-domains-in-python-gui-sandbox.patch +Patch0012: 0012-Initial-.pot-files-for-gui-python-sandbox.patch +Patch0013: 0013-policycoreutils-setfiles-Improve-description-of-d-sw.patch +Patch0014: 0014-sepolicy-generate-Handle-more-reserved-port-types.patch +Patch0015: 0015-semodule-utils-Fix-RESOURCE_LEAK-coverity-scan-defec.patch +Patch0016: 0016-sandbox-Use-matchbox-window-manager-instead-of-openb.patch +Patch0017: 0017-sepolicy-Fix-flake8-warnings-in-Fedora-only-code.patch +Patch0018: 0018-Use-SHA-2-instead-of-SHA-1.patch # Patch list end Obsoletes: policycoreutils < 2.0.61-2 @@ -91,7 +84,7 @@ load_policy to load policies, setfiles to label filesystems, newrole to switch roles. %prep -p /usr/bin/bash -%autosetup -n selinux-%{version} -p 1 +%autosetup -n selinux-%{version}-rc2 -p 1 cp %{SOURCE13} gui/ tar -xvf %{SOURCE14} -C python/sepolicy/ 
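Review bot: Dropping Patch0024 (Do-not-use-Python-slip) and Patch0025 (dbus-Use-GLib.MainLoop) from the list is only safe if the 3.3-rc2 tarball carries equivalent code, and neither the patch-list comment nor the changelog records that. 0024 is the patch that replaced the python-slip polkit proxy with a direct CheckAuthorization call in front of every method of the org.selinux D-Bus service (semanage import, setenforce, restorecon, ...), so if the rebase lost it the service would again depend on the unmaintained slip module for its authorization or fail to import at all. A comment above `# Patch list start` or a changelog line naming the upstream commits that absorbed the dropped patches (their From: ids 10a970733c5b… and 86be303a7c5e… are in the deleted files), e.g. `# 0024/0025 merged upstream in 3.3-rc2`, would make this verifiable at review time. The six other patches removed from the old list (0001–0006) deserve the same mention.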
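Review bot: The `rc2` tag is now spelled out by hand in four places — Release `0.rc2.1`, the Source0 URL, the format-patch comment and `%autosetup -n selinux-%{version}-rc2`, the last of which is a new divergence from the plain `%{version}` it replaces — so the next rc bump has to touch all of them consistently or %prep will unpack into a directory that does not exist. A single macro, e.g. (constructed) `%global rctag rc2` beside the other `%global` lines, used as `Release: 0.%{rctag}.1%{?dist}` and `%autosetup -n selinux-%{version}-%{rctag} -p 1`, keeps them in step and leaves one line to edit per pre-release.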
@@ -482,6 +475,9 @@ The policycoreutils-restorecond package contains the restorecond service. %systemd_postun_with_restart restorecond.service %changelog +* Wed Sep 29 2021 Petr Lautrbach - 3.3-0.rc2.1 +- SELinux userspace 3.3-rc2 release + * Tue Aug 3 2021 Petr Lautrbach - 3.2-6 - Drop forgotten ru/ man pages from -restorecond diff --git a/sources b/sources index 88caf11..960dab4 100644 --- a/sources +++ b/sources @@ -1,4 +1,4 @@ -SHA512 (selinux-3.2.tar.gz) = 27618a3fb457eb1af09f4120d6afc94e2302cc54d2953811ee74a15ffc7ab4caa1c0e3c8cbb2784f0d028ce7847d9537683278ca45b6d33ff8ae3b493eced6ff +SHA512 (selinux-3.3-rc2.tar.gz) = fbf4371280e7bc8aeb119cce49eaa365dd79cd8c65903369161561a408bf05398eff52ba28ee21d6ca8256dbc7ff402f2c32c71b739bb9d8d4355b1e216f3d23 SHA512 (gui-po.tgz) = 8e0855256b825eea422b8e2b82cc0decf66b902c9930840905c5ad5dda7bef3679943a22db62709907d48f8a331d67edc5efed3e2638b53e379959b14077b4ea SHA512 (policycoreutils-po.tgz) = 66b908f7a167225bebded46f9cf92f42eb194daa2a083d48de43c2a5d33fa42724c5add0a9d029ac9d62c500f6f1c8d3bc138dd598b1fd97e609d7cc7160be72 SHA512 (python-po.tgz) = 7f2a082b77c7b4417d5d3dac35d86dd635635a9c05a80e5f9284d03604e2f2a06ec879fb29b056d1a46d3fc448cd76e6fd25196834c18a161fd6677f2e11b2be