diff --git a/policycoreutils-rhat.patch b/policycoreutils-rhat.patch index bbcb29d..4404fad 100644 --- a/policycoreutils-rhat.patch +++ b/policycoreutils-rhat.patch @@ -13614,7 +13614,7 @@ index 0000000..398c6f2 +""" diff --git a/policycoreutils/gui/templates/var_cache.py b/policycoreutils/gui/templates/var_cache.py new file mode 100644 -index 0000000..84b342f +index 0000000..8efc1d9 --- /dev/null +++ b/policycoreutils/gui/templates/var_cache.py @@ -0,0 +1,132 @@ @@ -13690,7 +13690,7 @@ index 0000000..84b342f + ') + + files_search_var($1) -+ read_files_pattern($1, TEMPLATETYPE_cache_t TEMPLATETYPE_cache_t) ++ read_files_pattern($1, TEMPLATETYPE_cache_t, TEMPLATETYPE_cache_t) +') + +######################################## @@ -245858,7 +245858,7 @@ index 0000000..e2befdb + packages=["policycoreutils"], +) diff --git a/policycoreutils/semanage/semanage b/policycoreutils/semanage/semanage -index 0c7c186..1986ab1 100644 +index 0c7c186..d21f9c6 100644 --- a/policycoreutils/semanage/semanage +++ b/policycoreutils/semanage/semanage @@ -1,5 +1,5 @@ @@ -245885,7 +245885,98 @@ index 0c7c186..1986ab1 100644 codeset = 'utf-8') except IOError: import __builtin__ -@@ -283,11 +284,9 @@ Object-specific Options (see above): +@@ -52,16 +53,16 @@ if __name__ == '__main__': + semanage [ -S store ] -i [ input_file | - ] + semanage [ -S store ] -o [ output_file | - ] + +-semanage login -{a|d|m|l|D|E} [-nsr] login_name | %groupname +-semanage user -{a|d|m|l|D|E} [-LnrRP] selinux_name +-semanage port -{a|d|m|l|D|E} [-ntr] [ -p proto ] port | port_range +-semanage interface -{a|d|m|l|D|E} [-ntr] interface_spec +-semanage module -{a|d|m} [--enable|--disable] module +-semanage node -{a|d|m|l|D|E} [-ntr] [ -p protocol ] [-M netmask] addr +-semanage fcontext -{a|d|m|l|D|E} [-efnrst] file_spec +-semanage boolean -{d|m} [--on|--off|-1|-0] -F boolean | boolean_file +-semanage permissive -{d|a|l} [-n] type +-semanage dontaudit [ on | off ] ++semanage login -{a|d|m|l|D|E} [-Nnsr] login_name | %groupname ++semanage user -{a|d|m|l|D|E} [-LNnrRP] selinux_name ++semanage port -{a|d|m|l|D|E} [-Nntr] [ -p proto ] port | port_range ++semanage interface -{a|d|m|l|D|E} [-Nntr] interface_spec ++semanage module -{a|d|m} [--enable|--disable] [-N] module ++semanage node -{a|d|m|l|D|E} [-Nntr] [ -p protocol ] [-M netmask] addr ++semanage fcontext -{a|d|m|l|D|E} [-Nefnrst] file_spec ++semanage boolean -{d|m} [--on|--off|-1|-0] [-N] -F boolean | boolean_file ++semanage permissive -{d|a|l} [-Nn] type ++semanage dontaudit [ on | off ] [-N] + + Primary Options: + +@@ -94,6 +95,7 @@ Object-specific Options (see above): + -F, --file Treat target as an input file for command, change multiple settings + -p, --proto Port protocol (tcp or udp) or internet protocol version of node (ipv4 or ipv6) + -M, --mask Netmask ++ -N, --noreload Do not reload policy after commit + -e, --equal Substitue source path for dest path when labeling + -P, --prefix Prefix for home directory labeling + -L, --level Default SELinux Level (MLS/MCS Systems only) +@@ -119,22 +121,22 @@ Object-specific Options (see above): + valid_option["login"] = [] + valid_option["login"] += valid_everyone + valid_local + [ '-s', '--seuser', '-r', '--range'] + valid_option["user"] = [] +- valid_option["user"] += valid_everyone + valid_local + [ '-L', '--level', '-r', '--range', '-R', '--roles', '-P', '--prefix' ] ++ valid_option["user"] += valid_everyone + valid_local + [ '-L', '--level', '-r', '--range', '-R', '--roles', '-P', '--prefix', '-N', '--noreload' ] + valid_option["port"] = [] +- valid_option["port"] += valid_everyone + valid_local + [ '-t', '--type', '-r', '--range', '-p', '--proto' ] ++ valid_option["port"] += valid_everyone + valid_local + [ '-t', '--type', '-r', '--range', '-p', '--proto' , '-N', '--noreload' ] + valid_option["interface"] = [] +- valid_option["interface"] += valid_everyone + valid_local + [ '-t', '--type', '-r', '--range'] ++ valid_option["interface"] += valid_everyone + valid_local + [ '-t', '--type', '-r', '--range', '-N', '--noreload' ] + valid_option["node"] = [] +- valid_option["node"] += valid_everyone + valid_local + [ '-M', '--mask', '-t', '--type', '-r', '--range', '-p', '--protocol'] ++ valid_option["node"] += valid_everyone + valid_local + [ '-M', '--mask', '-t', '--type', '-r', '--range', '-p', '--protocol', '-N', '--noreload' ] + valid_option["module"] = [] +- valid_option["module"] += valid_everyone + [ '--enable', '--disable'] ++ valid_option["module"] += valid_everyone + [ '--enable', '--disable', '-N', '--noreload' ] + valid_option["fcontext"] = [] +- valid_option["fcontext"] += valid_everyone + valid_local + [ '-e', '--equal', '-f', '--ftype', '-s', '--seuser', '-t', '--type', '-r', '--range'] ++ valid_option["fcontext"] += valid_everyone + valid_local + [ '-e', '--equal', '-f', '--ftype', '-s', '--seuser', '-t', '--type', '-r', '--range', '-N', '--noreload' ] + valid_option["dontaudit"] = [ '-S', '--store' ] + valid_option["boolean"] = [] +- valid_option["boolean"] += valid_everyone + valid_local + [ '--on', "--off", "-1", "-0", "-F", "--file"] ++ valid_option["boolean"] += valid_everyone + valid_local + [ '--on', "--off", "-1", "-0", "-F", "--file", '-N', '--noreload' ] + valid_option["permissive"] = [] +- valid_option["permissive"] += [ '-a', '--add', '-d', '--delete', '-l', '--list', '-h', '--help', '-n', '--noheading', '-D', '--deleteall' ] ++ valid_option["permissive"] += [ '-a', '--add', '-d', '--delete', '-l', '--list', '-h', '--help', '-n', '--noheading', '-D', '--deleteall' , '-N', '--noreload' ] + return valid_option + + def mkargv(line): +@@ -197,6 +199,7 @@ Object-specific Options (see above): + seuser = "" + prefix = "user" + heading = True ++ reload = True + value = None + add = False + modify = False +@@ -222,7 +225,7 @@ Object-specific Options (see above): + + try: + gopts, cmds = getopt.getopt(args, +- '01adEe:f:i:lhmnp:s:FCDR:L:r:t:P:S:M:', ++ '01adEe:f:i:lhmNnp:s:FCDR:L:r:t:P:S:M:', + ['add', + 'delete', + 'deleteall', +@@ -237,6 +240,7 @@ Object-specific Options (see above): + 'list', + 'modify', + 'noheading', ++ 'noreload', + 'localist', + 'off', + 'on', +@@ -283,11 +287,9 @@ Object-specific Options (see above): equal = a if o == "--enable": @@ -245897,6 +245988,32 @@ index 0c7c186..1986ab1 100644 disable = True if o == "-F" or o == "--file": +@@ -299,6 +301,9 @@ Object-specific Options (see above): + if o == "-n" or o == "--noheading": + heading = False + ++ if o == "-N" or o == "--noreload": ++ reload = False ++ + if o == "-C" or o == "--locallist": + locallist = True + +@@ -380,6 +385,7 @@ Object-specific Options (see above): + OBJECT.list(heading, locallist) + return + ++ OBJECT.set_reload(reload) + if deleteall: + OBJECT.deleteall() + return +@@ -554,6 +560,7 @@ Object-specific Options (see above): + trans.start() + for l in fd.readlines(): + process_args(mkargv(l)) ++ trans.set_reload(reload) + trans.finish() + else: + process_args(sys.argv[1:]) diff --git a/policycoreutils/semanage/semanage-bash-completion.sh b/policycoreutils/semanage/semanage-bash-completion.sh index ff1285a..edefd9a 100644 --- a/policycoreutils/semanage/semanage-bash-completion.sh @@ -245911,10 +246028,47 @@ index ff1285a..edefd9a 100644 __get_permissive_opts () { echo '$ALL_OPTS -a --add -d --delete' ; } diff --git a/policycoreutils/semanage/semanage.8 b/policycoreutils/semanage/semanage.8 -index c5e18d9..9e086d1 100644 +index c5e18d9..c1e70ae 100644 --- a/policycoreutils/semanage/semanage.8 +++ b/policycoreutils/semanage/semanage.8 -@@ -44,9 +44,13 @@ Manage network node type definitions +@@ -14,54 +14,58 @@ Input local customizations + Manage booleans. Booleans allow the administrator to modify the confinement of + processes based on his configuration. + .br +-.B semanage boolean [\-S store] \-{d|m|l|D} [\-n] [\-\-on|\-\-off|\-\1|\-0] -F boolean | boolean_file ++.B semanage boolean [\-S store] \-{d|m|l|D} [\-nN] [\-\-on|\-\-off|\-\1|\-0] -F boolean | boolean_file + + Manage SELinux confined users (Roles and levels for an SELinux user) + .br +-.B semanage user [\-S store] \-{a|d|m|l|D} [\-LnPrR] selinux_name ++.B semanage user [\-S store] \-{a|d|m|l|D} [\-LnNPrR] selinux_name + + Manage login mappings between linux users and SELinux confined users. + .br +-.B semanage login [\-S store] \-{a|d|m|l|D} [\-nrs] login_name | %groupname ++.B semanage login [\-S store] \-{a|d|m|l|D} [\-nNrs] login_name | %groupname + + Manage policy modules. + .br +-.B semanage module [\-S store] \-{a|d|l} [-m [--enable | --disable] ] module_name ++.B semanage module [\-S store] \-{a|d|l} [-m [--enable | --disable] ] [\-N] module_name + + Manage network port type definitions + .br +-.B semanage port [\-S store] \-{a|d|m|l|D} [\-nrt] [\-p proto] port | port_range ++.B semanage port [\-S store] \-{a|d|m|l|D} [\-nNrt] [\-p proto] port | port_range + .br + + Manage network interface type definitions + .br +-.B semanage interface [\-S store] \-{a|d|m|l|D} [\-nrt] interface_spec ++.B semanage interface [\-S store] \-{a|d|m|l|D} [\-nNrt] interface_spec + + Manage network node type definitions + .br +-.B semanage node [\-S store] -{a|d|m|l|D} [-nrt] [ -p protocol ] [-M netmask] address ++.B semanage node [\-S store] -{a|d|m|l|D} [-nNrt] [ -p protocol ] [-M netmask] address + .br Manage file context mapping definitions .br @@ -245922,14 +246076,32 @@ index c5e18d9..9e086d1 100644 +.B semanage fcontext [\-S store] \-{l} [\-Cn] .br -.B semanage fcontext [\-S store] \-{a|d|m|l|D} [\-n] \-e replacement target -+.B semanage fcontext [\-S store] \-D ++.B semanage fcontext [\-S store] \-D [\-N] +.br -+.B semanage fcontext [\-S store] \-{a|d|m} [\-frst] file_spec ++.B semanage fcontext [\-S store] \-{a|d|m} [\-Nfrst] file_spec +.br +.B semanage fcontext [\-S store] \-{a|d|m} \-e replacement target .br Manage processes type enforcement mode + .br +-.B semanage permissive [\-S store] \-{a|d|l|D} [\-n] type ++.B semanage permissive [\-S store] \-{a|d|l|D} [\-nN] type + .br + + Disable/Enable dontaudit rules in policy + .br +-.B semanage dontaudit [\-S store] [ on | off ] ++.B semanage dontaudit [\-N] [\-S store] [ on | off ] + .P + + Execute multiple commands within a single transaction. + .br +-.B semanage [\-S store] \-i command-file ++.B semanage [\-S store] [\-N] \-i command-file + .br + + .SH "DESCRIPTION" @@ -128,7 +132,7 @@ List the OBJECTS List only locally defined settings, not base policy settings. .TP @@ -245939,7 +246111,15 @@ index c5e18d9..9e086d1 100644 .TP .I \-m, \-\-modify Modify a OBJECT record NAME -@@ -144,6 +148,8 @@ Protocol for the specified port (tcp|udp) or internet protocol version for the s +@@ -139,11 +143,16 @@ Network Mask + .I \-n, \-\-noheading + Do not print heading when listing OBJECTS. + .TP ++.B \-N,\-\-noreload ++do not reload policy after commit ++.TP + .I \-p, \-\-proto + Protocol for the specified port (tcp|udp) or internet protocol version for the specified node (ipv4|ipv6). .TP .I \-r, \-\-range MLS/MCS Security Range (MLS/MCS Systems only) @@ -245949,7 +246129,7 @@ index c5e18d9..9e086d1 100644 .I \-R, \-\-role SELinux Roles. You must enclose multiple roles within quotes, separate by spaces. Or specify \-R multiple times. diff --git a/policycoreutils/semanage/seobject.py b/policycoreutils/semanage/seobject.py -index 9745102..28cf30e 100644 +index 9745102..13b5843 100644 --- a/policycoreutils/semanage/seobject.py +++ b/policycoreutils/semanage/seobject.py @@ -30,11 +30,10 @@ from IPy import IP @@ -245968,7 +246148,34 @@ index 9745102..28cf30e 100644 import syslog -@@ -483,7 +482,9 @@ class loginRecords(semanageRecords): +@@ -203,7 +202,7 @@ class semanageRecords: + store = None + def __init__(self, store): + global handle +- ++ self.reload = True + self.sh = self.get_handle(store) + + rc, localstore = selinux.selinux_getpolicytype() +@@ -212,6 +211,9 @@ class semanageRecords: + else: + self.mylog = nulllogger() + ++ def set_reload(self, reload): ++ self.reload = reload ++ + def get_handle(self, store): + global is_mls_enabled + +@@ -269,6 +271,7 @@ class semanageRecords: + def commit(self): + if semanageRecords.transaction: + return ++ semanage_set_reload(self.sh, self.reload) + rc = semanage_commit(self.sh) + if rc < 0: + self.mylog.commit(0) +@@ -483,7 +486,9 @@ class loginRecords(semanageRecords): if rc < 0: raise ValueError(_("Could not check if login mapping for %s is defined") % name) if exists: @@ -245979,7 +246186,7 @@ index 9745102..28cf30e 100644 if name[0] == '%': try: grp.getgrnam(name[1:]) -@@ -728,7 +729,8 @@ class seluserRecords(semanageRecords): +@@ -728,7 +733,8 @@ class seluserRecords(semanageRecords): if rc < 0: raise ValueError(_("Could not check if SELinux user %s is defined") % name) if exists: @@ -245989,7 +246196,7 @@ index 9745102..28cf30e 100644 (rc, u) = semanage_user_create(self.sh) if rc < 0: -@@ -1252,7 +1254,8 @@ class nodeRecords(semanageRecords): +@@ -1252,7 +1258,8 @@ class nodeRecords(semanageRecords): (rc, exists) = semanage_node_exists(self.sh, k) if exists: @@ -245999,7 +246206,7 @@ index 9745102..28cf30e 100644 (rc, node) = semanage_node_create(self.sh) if rc < 0: -@@ -1450,7 +1453,8 @@ class interfaceRecords(semanageRecords): +@@ -1450,7 +1457,8 @@ class interfaceRecords(semanageRecords): if rc < 0: raise ValueError(_("Could not check if interface %s is defined") % interface) if exists: @@ -246009,7 +246216,7 @@ index 9745102..28cf30e 100644 (rc, iface) = semanage_iface_create(self.sh) if rc < 0: -@@ -1733,7 +1737,8 @@ class fcontextRecords(semanageRecords): +@@ -1733,7 +1741,8 @@ class fcontextRecords(semanageRecords): raise ValueError(_("Could not check if file context for %s is defined") % target) if exists: @@ -246019,7 +246226,7 @@ index 9745102..28cf30e 100644 (rc, fcontext) = semanage_fcontext_create(self.sh) if rc < 0: -@@ -1920,6 +1925,10 @@ class fcontextRecords(semanageRecords): +@@ -1920,6 +1929,10 @@ class fcontextRecords(semanageRecords): for k in keys: if fcon_dict[k]: l.append("-a -f '%s' -t %s '%s'" % (k[1], fcon_dict[k][2], k[0])) @@ -246030,6 +246237,51 @@ index 9745102..28cf30e 100644 return l def list(self, heading = 1, locallist = 0 ): +diff --git a/policycoreutils/semodule/semodule.8 b/policycoreutils/semodule/semodule.8 +index 9fb2b78..9f911fb 100644 +--- a/policycoreutils/semodule/semodule.8 ++++ b/policycoreutils/semodule/semodule.8 +@@ -53,7 +53,7 @@ display list of installed modules (other than base) + .B \-s,\-\-store + name of the store to operate on + .TP +-.B \-n,\-\-noreload ++.B \-n,\-\-noreload,\-N + do not reload policy after commit + .TP + .B \-h,\-\-help +diff --git a/policycoreutils/semodule/semodule.c b/policycoreutils/semodule/semodule.c +index 764d476..17b4fa5 100644 +--- a/policycoreutils/semodule/semodule.c ++++ b/policycoreutils/semodule/semodule.c +@@ -114,7 +114,7 @@ static void usage(char *progname) + (" -l,--list-modules display list of installed modules\n"); + printf("Other options:\n"); + printf(" -s,--store name of the store to operate on\n"); +- printf(" -n,--noreload do not reload policy after commit\n"); ++ printf(" -N,-n,--noreload do not reload policy after commit\n"); + printf(" -h,--help print this message and quit\n"); + printf(" -v,--verbose be verbose\n"); + printf(" -D,--disable_dontaudit Remove dontaudits from policy\n"); +@@ -175,7 +175,7 @@ static void parse_command_line(int argc, char **argv) + no_reload = 0; + create_store = 0; + while ((i = +- getopt_long(argc, argv, "p:s:b:hi:lvqe:d:r:u:RnBDP", opts, ++ getopt_long(argc, argv, "p:s:b:hi:lvqe:d:r:u:RnNBDP", opts, + NULL)) != -1) { + switch (i) { + case 'b': +@@ -218,6 +218,9 @@ static void parse_command_line(int argc, char **argv) + case 'n': + no_reload = 1; + break; ++ case 'N': ++ no_reload = 1; ++ break; + case 'B': + build = 1; + break; diff --git a/policycoreutils/setfiles/restore.c b/policycoreutils/setfiles/restore.c index 9a7d315..1b59e2f 100644 --- a/policycoreutils/setfiles/restore.c @@ -246666,3 +246918,109 @@ index fa0cd6a..f64ee16 100644 + free(r_opts.rootpath); exit(errors); } +diff --git a/policycoreutils/setsebool/setsebool.8 b/policycoreutils/setsebool/setsebool.8 +index 2b66bad..38abeb8 100644 +--- a/policycoreutils/setsebool/setsebool.8 ++++ b/policycoreutils/setsebool/setsebool.8 +@@ -4,7 +4,7 @@ setsebool \- set SELinux boolean value + + .SH "SYNOPSIS" + .B setsebool +-.I "[ -P ] boolean value | bool1=val1 bool2=val2 ..." ++.I "[ -PN ] boolean value | bool1=val1 bool2=val2 ..." + + .SH "DESCRIPTION" + .B setsebool +@@ -18,6 +18,9 @@ are not changed. + If the -P option is given, all pending values are written to + the policy file on disk. So they will be persistent across reboots. + ++If the -N option is given, the policy on disk is not reloaded into the kernel. ++ ++ + .SH AUTHOR + This manual page was written by Dan Walsh . + The program was written by Tresys Technology. +diff --git a/policycoreutils/setsebool/setsebool.c b/policycoreutils/setsebool/setsebool.c +index d6c041b..ba118f3 100644 +--- a/policycoreutils/setsebool/setsebool.c ++++ b/policycoreutils/setsebool/setsebool.c +@@ -6,6 +6,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -15,13 +16,14 @@ + #include + + int permanent = 0; ++int reload = 1; + + int setbool(char **list, size_t start, size_t end); + + void usage(void) + { + fputs +- ("\nUsage: setsebool [ -P ] boolean value | bool1=val1 bool2=val2...\n\n", ++ ("\nUsage: setsebool [ -NP ] boolean value | bool1=val1 bool2=val2...\n\n", + stderr); + exit(1); + } +@@ -29,7 +31,7 @@ void usage(void) + int main(int argc, char **argv) + { + size_t rc, start; +- ++ int clflag; /* holds codes for command line flags */ + if (argc < 2) + usage(); + +@@ -38,14 +40,30 @@ int main(int argc, char **argv) + return 1; + } + +- if (strcmp(argv[1], "-P") == 0) { +- permanent = 1; +- if (argc < 3) ++ while (1) { ++ clflag = getopt(argc, argv, "PN"); ++ if (clflag == -1) ++ break; ++ ++ switch (clflag) { ++ case 'P': ++ permanent = 1; ++ break; ++ case 'N': ++ reload = 0; ++ break; ++ default: + usage(); +- start = 2; +- } else +- start = 1; ++ break; ++ } ++ } ++ ++ if (argc - optind < 1) { ++ fprintf(stderr, "Error: boolean name required\n"); ++ usage(); ++ } + ++ start = argc-optind; + /* Check to see which way we are being called. If a '=' is passed, + we'll enforce the list syntax. If not we'll enforce the original + syntax for backward compatibility. */ +@@ -165,7 +183,7 @@ static int semanage_set_boolean_list(size_t boolcnt, + boolean = NULL; + } + +- semanage_set_reload(handle, 0); ++ semanage_set_reload(handle, reload); + if (semanage_commit(handle) < 0) + goto err; + diff --git a/policycoreutils.spec b/policycoreutils.spec index 6e2c217..90f712b 100644 --- a/policycoreutils.spec +++ b/policycoreutils.spec @@ -7,7 +7,7 @@ Summary: SELinux policy core utilities Name: policycoreutils Version: 2.1.11 -Release: 11%{?dist} +Release: 12%{?dist} License: GPLv2 Group: System Environment/Base # Based on git repository with tag 20101221 @@ -340,6 +340,10 @@ fi %{_bindir}/systemctl try-restart restorecond.service >/dev/null 2>&1 || : %changelog +* Tue May 8 2012 Dan Walsh - 2.1.11-12 +- Add -N qualifier to semanage, setsebool and semodule to allow you to update +- policy without reloading it into the kernel. + * Thu May 3 2012 Dan Walsh - 2.1.11-11 - add some definition to the standard types available for sandboxes