From 4cc4167518fd81e466751f2cb132cb8d774a2534 Mon Sep 17 00:00:00 2001 From: Dan Walsh Date: Thu, 28 Feb 2013 14:24:35 -0500 Subject: [PATCH] Allow users with symlinked homedirs to work. call realpath on homedir - Fix sepolicy reorganization of helper functions. --- policycoreutils-rhat.patch | 598 ++++++++++++++++++++++++++++++++++++- policycoreutils.spec | 6 +- 2 files changed, 591 insertions(+), 13 deletions(-) diff --git a/policycoreutils-rhat.patch b/policycoreutils-rhat.patch index 1431b4c..99a228c 100644 --- a/policycoreutils-rhat.patch +++ b/policycoreutils-rhat.patch @@ -65,6 +65,19 @@ index 8e0c396..9bd66f5 100644 help="Translates SELinux audit messages into a description of why the access was denied") options, args = parser.parse_args() +diff --git a/policycoreutils/audit2allow/audit2allow.1 b/policycoreutils/audit2allow/audit2allow.1 +index a854a45..bc70938 100644 +--- a/policycoreutils/audit2allow/audit2allow.1 ++++ b/policycoreutils/audit2allow/audit2allow.1 +@@ -171,7 +171,7 @@ $ semodule -i local.pp + + .B Using audit2allow to generate and build module policy + $ cat /var/log/audit/audit.log | audit2allow -M local +-Generating type enforcment file: local.te ++Generating type enforcement file: local.te + Compiling policy: checkmodule -M -m -o local.mod local.te + Building package: semodule_package -o local.pp -m local.mod + diff --git a/policycoreutils/audit2allow/audit2why.1 b/policycoreutils/audit2allow/audit2why.1 new file mode 100644 index 0000000..a9e8893 @@ -356,6 +369,32 @@ 
diff --git a/policycoreutils/gui/system-config-selinux.png b/policycoreutils/gui new file mode 100644 index 0000000..68ffcb7 Binary files /dev/null and b/policycoreutils/gui/system-config-selinux.png differ +diff --git a/policycoreutils/load_policy/load_policy.8 b/policycoreutils/load_policy/load_policy.8 +index f9ca36e..a86073f 100644 +--- a/policycoreutils/load_policy/load_policy.8 ++++ b/policycoreutils/load_policy/load_policy.8 +@@ -19,7 +19,7 @@ values in the policy file. + suppress warning messages. + .TP + .B \-i +-inital policy load. Only use this if this is the first time policy is being loaded since boot (usually called from initramfs). ++initial policy load. Only use this if this is the first time policy is being loaded since boot (usually called from initramfs). + + .SH "EXIT STATUS" + .TP +diff --git a/policycoreutils/man/man5/selinux_config.5 b/policycoreutils/man/man5/selinux_config.5 +index 4963cdc..a55dbed 100644 +--- a/policycoreutils/man/man5/selinux_config.5 ++++ b/policycoreutils/man/man5/selinux_config.5 +@@ -92,7 +92,7 @@ The binary policy name has by convention the SELinux policy version that it supp + .RS + This entry is deprecated and should be removed or set to \fI0\fR. + .sp +-If set to \fI1\fR, then \fBselinux_mkload_policy\fR(3) will read the local customisation for booleans (see \fBbooleans\fR(5)) and users (see \fBlocal.users\fR(5)). ++If set to \fI1\fR, then \fBselinux_mkload_policy\fR(3) will read the local customization for booleans (see \fBbooleans\fR(5)) and users (see \fBlocal.users\fR(5)). + .RE + .sp + .B REQUIRESEUSERS diff --git a/policycoreutils/newrole/newrole.c b/policycoreutils/newrole/newrole.c index 8fbf2d0..3510f12 100644 --- a/policycoreutils/newrole/newrole.c 
@@ -488,6 +527,393 @@ index a377996..9c1486e 100644 refresh-po: Makefile for cat in $(POFILES); do \ +diff --git a/policycoreutils/po/es.po b/policycoreutils/po/es.po +index e84995e..a60b20e 100644 +--- a/policycoreutils/po/es.po ++++ b/policycoreutils/po/es.po +@@ -3,7 +3,9 @@ + # This file is distributed under the same license as the PACKAGE package. + # + # Translators: ++# Adolfo Jayme Barrientos , 2013. + # Domingo Becker , 2006, 2008. ++# , 2013. + # Gladys Guerrero , 2010,2012. + # Héctor Daniel Cabrera , 2010. + msgid "" +@@ -11,8 +13,8 @@ msgstr "" + "Project-Id-Version: Policycoreutils\n" + "Report-Msgid-Bugs-To: \n" + "POT-Creation-Date: 2013-01-04 12:01-0500\n" +-"PO-Revision-Date: 2013-01-04 17:02+0000\n" +-"Last-Translator: dwalsh \n" ++"PO-Revision-Date: 2013-02-23 11:46+0000\n" ++"Last-Translator: vareli \n" + "Language-Team: Spanish \n" + "MIME-Version: 1.0\n" + "Content-Type: text/plain; charset=UTF-8\n" +@@ -288,7 +290,7 @@ msgstr "Rango MLS/MCS" + + #: ../semanage/seobject.py:672 + msgid "Service" +-msgstr "" ++msgstr "Servicio" + + #: ../semanage/seobject.py:698 ../semanage/seobject.py:729 + #: ../semanage/seobject.py:796 ../semanage/seobject.py:853 +@@ -425,7 +427,7 @@ msgstr "Se requiere tipo" + #: ../semanage/seobject.py:1814 + #, python-format + msgid "Type %s is invalid, must be a port type" +-msgstr "" ++msgstr "Tipo %s es no válido, debe ser un tipo de puerto" + + #: ../semanage/seobject.py:1000 ../semanage/seobject.py:1062 + #: ../semanage/seobject.py:1117 ../semanage/seobject.py:1123 +@@ -547,12 +549,12 @@ msgstr "Falta el protocolo o es desconocido" + + #: ../semanage/seobject.py:1256 + msgid "SELinux node type is required" +-msgstr "" ++msgstr "Se requiere tipo de nodo SELinux" + + #: ../semanage/seobject.py:1259 ../semanage/seobject.py:1327 + #, python-format + msgid "Type %s is invalid, must be a node type" +-msgstr "" ++msgstr "Tipo %s es no válido, debe ser un tipo nodo" + + #: ../semanage/seobject.py:1263 
../semanage/seobject.py:1331 + #: ../semanage/seobject.py:1367 ../semanage/seobject.py:1465 +@@ -786,7 +788,7 @@ msgstr "La especificación de archivo %s choca con la regla de equivalencia '%s + #: ../semanage/seobject.py:1755 + #, python-format + msgid "Type %s is invalid, must be a file or device type" +-msgstr "" ++msgstr "Tipo %s es no válido, debe ser un tipo fichero o dispositivo" + + #: ../semanage/seobject.py:1763 ../semanage/seobject.py:1768 + #: ../semanage/seobject.py:1824 ../semanage/seobject.py:1906 +@@ -2174,11 +2176,11 @@ msgstr "La ruta en la cual se almacenarán las páginas de manual generadas " + + #: ../sepolicy/sepolicy.py:207 + msgid "name of the OS for man pages" +-msgstr "" ++msgstr "nombre del SO para las páginas de manual" + + #: ../sepolicy/sepolicy.py:209 + msgid "Generate HTML man pages structure for selected SELinux man page" +-msgstr "" ++msgstr "General páginas de manual de estructura HTML para la página de manual SELinux seleccionada" + + #: ../sepolicy/sepolicy.py:213 + msgid "All domains" +@@ -2226,7 +2228,7 @@ msgstr "Solicita la política de SELinux para ver la descripción de booleanos" + + #: ../sepolicy/sepolicy.py:280 + msgid "get all booleans descriptions" +-msgstr "" ++msgstr "obtiene todas las descripciones booleanas" + + #: ../sepolicy/sepolicy.py:282 + msgid "boolean to get description" +@@ -2248,11 +2250,11 @@ msgstr "Dominio de proceso de destino" + + #: ../sepolicy/sepolicy.py:327 + msgid "Command required for this type of policy" +-msgstr "" ++msgstr "Comando requerido para este tipo de política" + + #: ../sepolicy/sepolicy.py:347 + msgid "List SELinux Policy interfaces" +-msgstr "" ++msgstr "Lista las interfaces de la Política SELinux" + + #: ../sepolicy/sepolicy.py:362 + msgid "Generate SELinux Policy module template" +@@ -2260,15 +2262,15 @@ msgstr "Generar plantilla para módulo de política SELinux" + + #: ../sepolicy/sepolicy.py:365 + msgid "Enter domain type which you will be extending" +-msgstr "" ++msgstr 
"Introduzca el tipo de dominio que usted estaría extendiendo" + + #: ../sepolicy/sepolicy.py:368 + msgid "Enter SELinux user(s) which will transition to this domain" +-msgstr "" ++msgstr "Introduzca el usuario(s) SELinux que transicionará a este dominio" + + #: ../sepolicy/sepolicy.py:371 + msgid "Enter domain(s) that this confined admin will administrate" +-msgstr "" ++msgstr "Introduzca el dominio(s) que este administrador confinado administrará" + + #: ../sepolicy/sepolicy.py:374 + msgid "name of policy to generate" +@@ -2276,7 +2278,7 @@ msgstr "Nombre de política a generar" + + #: ../sepolicy/sepolicy.py:378 + msgid "path in which the generated policy files will be stored" +-msgstr "" ++msgstr "ruta en la que los ficheros de política generados serán almacenados" + + #: ../sepolicy/sepolicy.py:380 + msgid "executable to confine" +@@ -2290,7 +2292,7 @@ msgstr "Ejecutable a confinar" + #: ../sepolicy/sepolicy.py:414 ../sepolicy/sepolicy.py:417 + #, python-format + msgid "Generate Policy for %s" +-msgstr "" ++msgstr "Generar Política para %s" + + #: ../sepolicy/sepolicy.py:422 + msgid "commands" +@@ -2298,16 +2300,16 @@ msgstr "Comandos" + + #: ../sepolicy/sepolicy.py:425 + msgid "Alternate SELinux policy, defaults to /sys/fs/selinux/policy" +-msgstr "" ++msgstr "Política SELinux suplente, por defecto a /sys/fs/selinux/policy" + + #: ../sepolicy/sepolicy/__init__.py:48 + msgid "No SELinux Policy installed" +-msgstr "" ++msgstr "No hay Política SELinux instalada" + + #: ../sepolicy/sepolicy/__init__.py:54 + #, python-format + msgid "Failed to read %s policy file" +-msgstr "" ++msgstr "Fallo al leer el fichero de política %s" + + #: ../sepolicy/sepolicy/__init__.py:127 + msgid "unknown" +@@ -2319,27 +2321,27 @@ msgstr "Demonio de los servicios de Internet" + + #: ../sepolicy/sepolicy/generate.py:177 + msgid "Existing Domain Type" +-msgstr "" ++msgstr "Tipo de Dominio Existente" + + #: ../sepolicy/sepolicy/generate.py:178 + msgid "Minimal Terminal Login User Role" 
+-msgstr "" ++msgstr "Rol de Acceso de Usuario de Terminal Mínimo" + + #: ../sepolicy/sepolicy/generate.py:179 + msgid "Minimal X Windows Login User Role" +-msgstr "" ++msgstr "Rol de Acceso de Usuario de X Windows Mínima" + + #: ../sepolicy/sepolicy/generate.py:180 + msgid "Desktop Login User Role" +-msgstr "" ++msgstr "Rol de Acceso de Usuario a Escritorio" + + #: ../sepolicy/sepolicy/generate.py:181 + msgid "Administrator Login User Role" +-msgstr "" ++msgstr "Rol de Acceso de Usuario Administrador" + + #: ../sepolicy/sepolicy/generate.py:182 + msgid "Confined Root Administrator Role" +-msgstr "" ++msgstr "Rol de Administrador Confinado Root" + + #: ../sepolicy/sepolicy/generate.py:187 + msgid "Valid Types:\n" +@@ -2352,12 +2354,12 @@ msgstr "Los puertos deben ser números o rangos de números entre 1 y %d" + + #: ../sepolicy/sepolicy/generate.py:231 + msgid "You must enter a valid policy type" +-msgstr "" ++msgstr "Debe introducir un tipo válido de política" + + #: ../sepolicy/sepolicy/generate.py:234 + #, python-format + msgid "You must enter a name for your policy module for your %s." +-msgstr "" ++msgstr "Debe introducir un nombre para su módulo de política para su %s." 
+ + #: ../sepolicy/sepolicy/generate.py:355 + msgid "" +@@ -2396,7 +2398,7 @@ msgstr "USER Types automáticamente obtiene un tipo tmp" + #: ../sepolicy/sepolicy/generate.py:857 + #, python-format + msgid "%s policy modules require existing domains" +-msgstr "" ++msgstr "%s módulo de política requieren dominios existentes" + + #: ../sepolicy/sepolicy/generate.py:1059 + msgid "You must enter the executable path for your confined process" +@@ -2416,7 +2418,7 @@ msgstr "Archivo de contextos de archivo" + + #: ../sepolicy/sepolicy/generate.py:1324 + msgid "Spec file" +-msgstr "" ++msgstr "Fichero spec" + + #: ../sepolicy/sepolicy/generate.py:1325 + msgid "Setup Script" +@@ -2438,11 +2440,11 @@ msgstr "Permite a amavis usar un compilador de JIT" + + #: booleans.py:4 + msgid "Allow antivirus programs to read non security files on a system" +-msgstr "" ++msgstr "Permitir a programas antivirus leer ficheros no asegurados sobre un sistema" + + #: booleans.py:5 + msgid "Allow auditadm to exec content" +-msgstr "" ++msgstr "Permitir al administrador de auditoria ejecutar contenido" + + #: booleans.py:6 + msgid "" +@@ -2456,11 +2458,11 @@ msgstr "Permite a usuarios iniciar sesión mediante un servidor Radius" + + #: booleans.py:8 + msgid "Allow users to login using a yubikey server" +-msgstr "" ++msgstr "Permite a los usuario acceder usando una servidor yubikey" + + #: booleans.py:9 + msgid "Allow awstats to purge Apache logs" +-msgstr "" ++msgstr "Permitir a awstats purgar los registros de Apache" + + #: booleans.py:10 + msgid "" +@@ -2528,11 +2530,11 @@ msgstr "Permite a todos los demonios la lectura y escritura de terminales" + + #: booleans.py:25 + msgid "Allow dan to manage user files" +-msgstr "" ++msgstr "Permitir a dan gestionar los archivos del usuario" + + #: booleans.py:26 + msgid "Allow dan to read user files" +-msgstr "" ++msgstr "Permitir a dan leer los archivos del usuario" + + #: booleans.py:27 + msgid "Allow dbadm to manage files in users home directories" +@@ 
-2599,7 +2601,7 @@ msgstr "Permite al dominio en valla ejecutar ssh." + + #: booleans.py:42 + msgid "Allow all domains to execute in fips_mode" +-msgstr "" ++msgstr "Permite ejecutar todos los dominios en modo fips" + + #: booleans.py:43 + msgid "Allow ftp to read and write files in the user home directories" +@@ -2699,7 +2701,7 @@ msgstr "Permite a GSSD leer el directorio temp. Para acceder a kerberos tgt." + + #: booleans.py:64 + msgid "Allow guest to exec content" +-msgstr "" ++msgstr "Permite al invitado ejecutar contenido" + + #: booleans.py:65 + msgid "" +@@ -2854,7 +2856,7 @@ msgstr "Permite a HTTPD acceder a puertos Openstack" + + #: booleans.py:100 + msgid "Allow Apache to query NS records" +-msgstr "" ++msgstr "Permite a Apache consultar registros NS" + + #: booleans.py:101 + msgid "Allow icecast to connect to all ports, not just sound ports." +@@ -2951,7 +2953,7 @@ msgstr "Permite a las aplicaciones confinadas usar memoria compartida NSCD " + + #: booleans.py:122 + msgid "Allow openshift to lockdown app" +-msgstr "" ++msgstr "Permite openshift para lockdown app" + + #: booleans.py:123 + msgid "Allow openvpn to read home directories" +@@ -3116,7 +3118,7 @@ msgstr "Permite a SASL leer sombra" + + #: booleans.py:161 + msgid "Allow secadm to exec content" +-msgstr "" ++msgstr "Permita a secadm ejecutar contenido" + + #: booleans.py:162 + msgid "" +@@ -3188,7 +3190,7 @@ msgstr "Permite a scripts y módulos HTTPD la conexión al puerto LDAP" + + #: booleans.py:174 + msgid "Allow user to use ssh chroot environment." +-msgstr "" ++msgstr "Permite al usuario usar el entorno ssh chroot" + + #: booleans.py:175 + msgid "Allow user music sharing" +@@ -3270,7 +3272,7 @@ msgstr "Permitir ingresos ssh como sysadm_r:sysadm_t" + + #: booleans.py:191 + msgid "Allow staff to exec content" +-msgstr "" ++msgstr "Permite a staff ejecutar contenido" + + #: booleans.py:192 + msgid "allow staff user to create and transition to svirt domains." 
+@@ -3278,7 +3280,7 @@ msgstr "Permite a scripts y módulos HTTPD la conexión al puerto LDAP" + + #: booleans.py:193 + msgid "Allow sysadm to exec content" +-msgstr "" ++msgstr "Permite a sysadm ejecutar contenido" + + #: booleans.py:194 + msgid "" +@@ -3297,7 +3299,7 @@ msgstr "Permite a tftp modificar los archivos públicos utilizados para servicio + + #: booleans.py:197 + msgid "Allow tftp to read and write files in the user home directories" +-msgstr "" ++msgstr "Permite a tftp leer y escribir archivos en los directorios home de usuario" + + #: booleans.py:198 + msgid "Allow tor daemon to bind tcp sockets to all unreserved ports." +@@ -3305,7 +3307,7 @@ msgstr "Permite a scripts y módulos HTTPD la conexión al puerto LDAP" + + #: booleans.py:199 + msgid "Allow tor to act as a relay" +-msgstr "" ++msgstr "Permite a tor actuar como relé" + + #: booleans.py:200 + msgid "" +@@ -3353,7 +3355,7 @@ msgstr "Soporta directorios principales de Samba" + + #: booleans.py:210 + msgid "Allow user to exec content" +-msgstr "" ++msgstr "Permite al usuario ejecutar contenido" + + #: booleans.py:211 + msgid "Allow varnishd to connect to all ports, not just HTTP." +@@ -3383,7 +3385,7 @@ msgstr "Permite a los huéspedes virtuales confinados administrar archivos NFS" + + #: booleans.py:217 + msgid "Allow confined virtual guests to interact with rawip sockets" +-msgstr "" ++msgstr "Permite a los invitados virtuales confinados interactuar con sockets rawip" + + #: booleans.py:218 + msgid "Allow confined virtual guests to manage cifs files" +@@ -3447,7 +3449,7 @@ msgstr "Permite a los usuario xguest configurar el Network Manager y conectar + + #: booleans.py:232 + msgid "Allow xguest to exec content" +-msgstr "" ++msgstr "Permite a xguest ejecutar contenido" + + #: booleans.py:233 + msgid "Allow xguest users to mount removable media" diff --git a/policycoreutils/po/ja.po b/policycoreutils/po/ja.po index 72ae12d..649d288 100644 --- a/policycoreutils/po/ja.po 
@@ -920,10 +1346,19 @@ index b629006..6631c2d 100644 parser.add_option("-l", "--level", dest="level", diff --git a/policycoreutils/sandbox/sandbox.8 b/policycoreutils/sandbox/sandbox.8 -index 521afcd..a50eef2 100644 +index 521afcd..ef90ce6 100644 --- a/policycoreutils/sandbox/sandbox.8 +++ b/policycoreutils/sandbox/sandbox.8 -@@ -70,7 +70,7 @@ Specifies the windowsize when creating an X based Sandbox. The default windowsiz +@@ -59,7 +59,7 @@ sandbox_net_t - All network ports + + .TP + \fB\-T\ tmpdir +-Use alternate tempory directory to mount on /tmp. Defaults to tmpfs. Requires -X or -M. ++Use alternate temporary directory to mount on /tmp. Defaults to tmpfs. Requires -X or -M. + .TP + \fB\-S + Run a full desktop session, Requires level, and home and tmpdir. +@@ -70,14 +70,14 @@ Specifies the windowsize when creating an X based Sandbox. The default windowsiz \fB\-W windowmanager\fR Select alternative window manager to run within .B sandbox -X. @@ -932,6 +1367,14 @@ index 521afcd..a50eef2 100644 .TP \fB\-X\fR Create an X based Sandbox for gui apps, temporary files for + $HOME and /tmp, secondary Xserver, defaults to sandbox_x_t + .TP + \fB\-d\fR +-Set the DPI value for the sanbox X Server. Defaults to the current X Sever DPI. ++Set the DPI value for the sandbox X Server. Defaults to the current X Sever DPI. + .TP + \fB\-c\fR + Use control groups to control this copy of sandbox. Specify parameters in /etc/sysconfig/sandbox. Max memory usage and cpu usage are to be specified in percent. You can specify which CPUs to use by numbering them 0,1,2... etc. diff --git a/policycoreutils/sandbox/sandboxX.sh b/policycoreutils/sandbox/sandboxX.sh index 23de6f6..171bb05 100644 --- a/policycoreutils/sandbox/sandboxX.sh @@ -958,18 +1401,40 @@ index 23de6f6..171bb05 100644 export DISPLAY=:$D cat > ~/seremote << __EOF diff --git a/policycoreutils/sandbox/seunshare.c b/policycoreutils/sandbox/seunshare.c -index dbd5977..f10df39 100644 +index dbd5977..68a80c7 100644 
--- a/policycoreutils/sandbox/seunshare.c +++ b/policycoreutils/sandbox/seunshare.c -@@ -962,7 +962,7 @@ int main(int argc, char **argv) { +@@ -961,8 +961,9 @@ int main(int argc, char **argv) { + char *display = NULL; char *LANG = NULL; int rc = -1; ++ char *resolved_path = NULL; - if (unshare(CLONE_NEWNS) < 0) { + if (unshare(CLONE_NEWNS | CLONE_NEWIPC) < 0) { perror(_("Failed to unshare")); goto childerr; } +@@ -977,8 +978,10 @@ int main(int argc, char **argv) { + /* assume fsuid==ruid after this point */ + if ((uid_t)setfsuid(uid) != 0) goto childerr; + ++ resolved_path = realpath(pwd->pw_dir,NULL); ++ if (! resolved_path) goto childerr; + /* mount homedir and tmpdir, in this order */ +- if (homedir_s && seunshare_mount(homedir_s, pwd->pw_dir, ++ if (homedir_s && seunshare_mount(homedir_s, resolved_path, + &st_homedir) != 0) goto childerr; + if (tmpdir_s && seunshare_mount(tmpdir_r, "/tmp", + &st_tmpdir_r) != 0) goto childerr; +@@ -1033,6 +1036,7 @@ int main(int argc, char **argv) { + execv(argv[optind], argv + optind); + fprintf(stderr, _("Failed to execute command %s: %s\n"), argv[optind], strerror(errno)); + childerr: ++ free(resolved_path); + free(display); + free(LANG); + exit(-1); diff --git a/policycoreutils/scripts/Makefile b/policycoreutils/scripts/Makefile index 201a988..f5d6e9d 100644 --- a/policycoreutils/scripts/Makefile 
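Review bot: In seunshare.c `main()`, the string returned by the added `realpath(pwd->pw_dir,NULL)` is passed straight to `seunshare_mount()` as the mount target, so this privileged helper (it calls `setfsuid(uid)` just above) now mounts over wherever the symlink chain leads rather than the passwd entry itself. Whether `seunshare_mount()` verifies that the resolved directory belongs to `uid` is not visible in this hunk; if it does not, that ownership check belongs directly after the `realpath` call, with a comment stating that the path is resolved once, under the user's filesystem identity, and that the resolved string is what gets validated and mounted. The failure branch `if (! resolved_path) goto childerr;` also exits silently, unlike the `unshare` failure above it; `if (!resolved_path) { perror(_("Failed to resolve home directory")); goto childerr; }` would tell the user why the sandbox did not start. `main()` begins and ends outside the hunk.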
@@ -998,6 +1463,28 @@ index 201a988..f5d6e9d 100644 install -m 644 chcat.8 $(MANDIR)/man8/ clean: +diff --git a/policycoreutils/scripts/fixfiles.8 b/policycoreutils/scripts/fixfiles.8 +index 9ab7334..f263805 100644 +--- a/policycoreutils/scripts/fixfiles.8 ++++ b/policycoreutils/scripts/fixfiles.8 +@@ -30,7 +30,7 @@ as you expect. By default it will relabel all mounted ext2, ext3, xfs and + jfs file systems as long as they do not have a security context mount + option. You can use the -R flag to use rpmpackages as an alternative. + The file /etc/selinux/fixfiles_exclude_dirs can contain a list of directories +-excluded from relabelling. ++excluded from relabeling. + .P + .B fixfiles onboot + will setup the machine to relabel on the next reboot. +@@ -56,7 +56,7 @@ Run a diff on the PREVIOUS_FILECONTEXT file to the currently installed one, and + + .TP + .B -v +-Modify verbosity from progess to verbose. (Run restorecon with -v instead of -p) ++Modify verbosity from progress to verbose. (Run restorecon with -v instead of -p) + + .SH "ARGUMENTS" + One of: diff --git a/policycoreutils/scripts/genhomedircon.8 b/policycoreutils/scripts/genhomedircon.8 deleted file mode 100644 index 8ec509c..0000000 @@ -1028,6 +1515,19 @@ index 8ec509c..0000000 - -.SH "SEE ALSO" -semanage.conf(5), semodule(8), semanage(8), getpwent(3), getpwent_r(3) +diff --git a/policycoreutils/secon/secon.1 b/policycoreutils/secon/secon.1 +index 6c30734..5e7f885 100644 +--- a/policycoreutils/secon/secon.1 ++++ b/policycoreutils/secon/secon.1 +@@ -96,7 +96,7 @@ If that argument is + .I - + then the context will be read from stdin. + .br +-If there is no arugment, ++If there is no argument, + .B secon + will try reading a context from stdin, if that is not a tty, otherwise + .B secon diff --git a/policycoreutils/semanage/default_encoding/Makefile b/policycoreutils/semanage/default_encoding/Makefile new file mode 100644 index 0000000..e15a877 
@@ -1350,6 +1850,18 @@ index 17b4fa5..6947b37 100644 parse_command_line(argc, argv); if (build) +diff --git a/policycoreutils/semodule_package/semodule_unpackage.8 b/policycoreutils/semodule_package/semodule_unpackage.8 +index 62dd53e..d6e1be0 100644 +--- a/policycoreutils/semodule_package/semodule_unpackage.8 ++++ b/policycoreutils/semodule_package/semodule_unpackage.8 +@@ -1,6 +1,6 @@ + .TH SEMODULE_PACKAGE "8" "Nov 2005" "Security Enhanced Linux" NSA + .SH NAME +-semodule_unpackage \- Extract polciy module and file context file from an SELinux policy module unpackage. ++semodule_unpackage \- Extract policy module and file context file from an SELinux policy module unpackage. + + .SH SYNOPSIS + .B semodule_unpackage [] diff --git a/policycoreutils/sepolicy/Makefile b/policycoreutils/sepolicy/Makefile index 11b534f..eb86eae 100644 --- a/policycoreutils/sepolicy/Makefile @@ -1436,7 +1948,7 @@ index b6abdf5..c05c943 100644 Generate an additional HTML man pages for the specified domain(s). diff --git a/policycoreutils/sepolicy/sepolicy.py b/policycoreutils/sepolicy/sepolicy.py -index b25d3b2..7a15d88 100755 +index b25d3b2..600eee2 100755 --- a/policycoreutils/sepolicy/sepolicy.py +++ b/policycoreutils/sepolicy/sepolicy.py @@ -22,6 +22,8 @@ 
@@ -1448,12 +1960,74 @@ index b25d3b2..7a15d88 100755 from sepolicy import get_os_version import argparse import gettext -@@ -198,44 +200,44 @@ def network(args): - _print_net(d, net, "name_bind") +@@ -45,7 +47,7 @@ class CheckPath(argparse.Action): - def manpage(args): -- from sepolicy.manpage import ManPage, HTMLManPages, manpage_domains, manpage_roles, gen_domains -+ from sepolicy.manpage import ManPage, HTMLManPages, manpage_domains, manpage_roles, gen_domains, get_all_domains + class CheckType(argparse.Action): + def __call__(self, parser, namespace, values, option_string=None): +- from sepolicy.network import domains ++ domains = sepolicy.get_all_domains() + + if isinstance(values,str): + setattr(namespace, self.dest, values) +@@ -60,7 +62,7 @@ class CheckType(argparse.Action): + + class CheckDomain(argparse.Action): + def __call__(self, parser, namespace, values, option_string=None): +- from sepolicy.network import domains ++ domains = sepolicy.get_all_domains() + + if isinstance(values,str): + if values not in domains: +@@ -80,7 +82,6 @@ class CheckDomain(argparse.Action): + all_classes = None + class CheckClass(argparse.Action): + def __call__(self, parser, namespace, values, option_string=None): +- import sepolicy + global all_classes + if not all_classes: + all_classes = map(lambda x: x['name'], sepolicy.info(sepolicy.TCLASS)) +@@ -114,7 +115,7 @@ class CheckPort(argparse.Action): + + class CheckPortType(argparse.Action): + def __call__(self, parser, namespace, values, option_string=None): +- from sepolicy.network import port_types ++ domains = sepolicy.get_all_port_types() + newval = getattr(namespace, self.dest) + if not newval: + newval = [] +@@ -140,19 +141,17 @@ class CheckPolicyType(argparse.Action): + + class CheckUser(argparse.Action): + def __call__(self, parser, namespace, value, option_string=None): +- from sepolicy import get_all_users + newval = getattr(namespace, self.dest) + if not newval: + newval = [] +- users = get_all_users() ++ users 
= sepolicy.get_all_users() + if value not in users: + raise ValueError("%s must be an SELinux user:\nValid users: %s" % (value, ", ".join(users))) + newval.append(value) + setattr(namespace, self.dest, newval) + + def _print_net(src, protocol, perm): +- from sepolicy.network import get_network_connect +- portdict = get_network_connect(src, protocol, perm) ++ portdict = sepolicy.get_network_connect(src, protocol, perm) + if len(portdict) > 0: + print "%s: %s %s" % (src, protocol, perm) + for p in portdict: +@@ -160,7 +159,7 @@ def _print_net(src, protocol, perm): + print "\t" + recs + + def network(args): +- from sepolicy.network import portrecsbynum, portrecs, get_network_connect ++ portrecs, portrecsbynum = sepolicy.gen_port_dict() + if args.list_ports: + all_ports = [] + for i in portrecs: +@@ -201,41 +200,41 @@ def manpage(args): + from sepolicy.manpage import ManPage, HTMLManPages, manpage_domains, manpage_roles, gen_domains path = args.path - if args.policy: @@ -1517,7 +2091,7 @@ index b25d3b2..7a15d88 100755 def gen_network_args(parser): net = parser.add_parser("network", -@@ -283,7 +285,6 @@ def gen_communicate_args(parser): +@@ -283,7 +282,6 @@ def gen_communicate_args(parser): comm.set_defaults(func=communicate) def booleans(args): @@ -1525,7 +2099,7 @@ index b25d3b2..7a15d88 100755 from sepolicy import boolean_desc if args.all: rc, args.booleans = selinux.security_get_boolean_names() -@@ -461,7 +462,10 @@ if __name__ == '__main__': +@@ -461,7 +459,10 @@ if __name__ == '__main__': gen_transition_args(subparsers) try: diff --git a/policycoreutils.spec b/policycoreutils.spec index 93bebf3..361e422 100644 --- a/policycoreutils.spec +++ b/policycoreutils.spec @@ -7,7 +7,7 @@ Summary: SELinux policy core utilities Name: policycoreutils Version: 2.1.14 -Release: 13%{?dist} +Release: 14%{?dist} License: GPLv2 Group: System Environment/Base # Based on git repository with tag 20101221 
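Review bot: In `CheckPortType.__call__` (sepolicy.py) the replacement for `from sepolicy.network import port_types` binds its result to `domains` instead of `port_types`: `domains = sepolicy.get_all_port_types()`. The rest of the method lies outside the hunk, but if it still tests each value against `port_types`, the first use of the option will raise NameError rather than validate the port type. The line should read `port_types = sepolicy.get_all_port_types()`. The same hunk removes the function-local imports in `CheckClass`, `CheckUser`, `_print_net` and `network`, so all of them now depend on the module-level import added in the `@@ -22,6 +22,8 @@` hunk, whose lines are not shown here and should be confirmed to be a plain `import sepolicy`.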
@@ -324,6 +324,10 @@ The policycoreutils-restorecond package contains the restorecond service. %{_bindir}/systemctl try-restart restorecond.service >/dev/null 2>&1 || : %changelog +* Thu Feb 28 2013 Dan Walsh - 2.1.14-14 +- Allow users with symlinked homedirs to work. call realpath on homedir +- Fix sepolicy reorganization of helper functions. + * Sun Feb 24 2013 Dan Walsh - 2.1.14-13 - Update trans - Fix sepolicy reorganization of helper functions.