policycoreutils-3.4-7

- Rebase on upstream f56a72ac9e86
- sepolicy: fix sepolicy manpage -w
- sandbox: add -R option to alternate XDG_RUNTIME_DIR
- Remove dependency on the Python module distutils
Petr Lautrbach 2022-11-21 16:06:48 +01:00
parent f63d7fa68f
commit 577b79db7e
32 changed files with 1353 additions and 315 deletions


@ -0,0 +1,36 @@
From dd98fa322766760c4e1f029cf19d2515a583304f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
Date: Fri, 20 May 2022 15:16:10 +0200
Subject: [PATCH] libselinux: declare return value of context_str(3) const
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Content-type: text/plain
context_str(3) returns a string representation of the given context.
This string is owned by the context and free'd on context_free(3).
Declare it const, as already done in the man page, since it must not be
free'd by the caller.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: Nicolas Iooss <nicolas.iooss@m4x.org>
---
policycoreutils/newrole/newrole.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policycoreutils/newrole/newrole.c b/policycoreutils/newrole/newrole.c
index ae37d7253761..c2afa37e0ac3 100644
--- a/policycoreutils/newrole/newrole.c
+++ b/policycoreutils/newrole/newrole.c
@@ -842,7 +842,7 @@ static int parse_command_line_arguments(int argc, char **argv, char *ttyn,
char *type_ptr = NULL; /* stores malloc'd data from get_default_type */
char *level_s = NULL; /* level spec'd by user in argv[] */
char *range_ptr = NULL;
- char *new_con = NULL;
+ const char *new_con = NULL;
char *tty_con = NULL;
context_t context = NULL; /* manipulatable form of new_context */
const struct option long_options[] = {
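Review bot: the declaration `+ const char *new_con = NULL;` is the only line changed, while the assignments and uses of `new_con` later in `parse_command_line_arguments` are outside the visible context; confirm that nothing still calls `free(new_con)` or passes it to a `char *` parameter, since per the commit message the string belongs to the `context_t` and is released by `context_free(3)`. Note also that the subject says "libselinux" but this backport carries only the `policycoreutils/newrole/newrole.c` part of the upstream commit, which the patch description could state.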
--
2.38.1


@ -1,47 +0,0 @@
From 71a2f14767c0ec70c23ecce43d7cbc5404c95552 Mon Sep 17 00:00:00 2001
From: Dan Walsh <dwalsh@redhat.com>
Date: Mon, 21 Apr 2014 13:54:40 -0400
Subject: [PATCH] Fix STANDARD_FILE_CONTEXT section in man pages
Content-type: text/plain
Signed-off-by: Miroslav Grepl <mgrepl@redhat.com>
---
python/sepolicy/sepolicy/manpage.py | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
index 3e61e333193f..82338aeeef32 100755
--- a/python/sepolicy/sepolicy/manpage.py
+++ b/python/sepolicy/sepolicy/manpage.py
@@ -737,10 +737,13 @@ Default Defined Ports:""")
def _file_context(self):
flist = []
+ flist_non_exec = []
mpaths = []
for f in self.all_file_types:
if f.startswith(self.domainname):
flist.append(f)
+ if not file_type_is_executable(f) or not file_type_is_entrypoint(f):
+ flist_non_exec.append(f)
if f in self.fcdict:
mpaths = mpaths + self.fcdict[f]["regex"]
if len(mpaths) == 0:
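Review bot: the condition `if not file_type_is_executable(f) or not file_type_is_entrypoint(f):` is true for any type that is not both executable and an entrypoint, so an `exec_type` that is not an `entry_type` also lands in `flist_non_exec`; if the list is meant to hold only non-executable types, the operator should be `and`. If the wider match is intended, a short comment would save the next reader the same question. The outer header `@ -1,47 +0,0 @@` shows this patch is being dropped from the package in the rebase, so the question carries over to whatever upstream now has.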
@@ -799,12 +802,12 @@ SELinux %(domainname)s policy is very flexible allowing users to setup their %(d
SELinux defines the file context types for the %(domainname)s, if you wanted to
store files with these types in a diffent paths, you need to execute the semanage command to specify alternate labeling and then use restorecon to put the labels on disk.
-.B semanage fcontext -a -t %(type)s '/srv/%(domainname)s/content(/.*)?'
+.B semanage fcontext -a -t %(type)s '/srv/my%(domainname)s_content(/.*)?'
.br
.B restorecon -R -v /srv/my%(domainname)s_content
Note: SELinux often uses regular expressions to specify labels that match multiple files.
-""" % {'domainname': self.domainname, "type": flist[0]})
+""" % {'domainname': self.domainname, "type": flist_non_exec[-1]})
self.fd.write(r"""
.I The following file types are defined for %(domainname)s:
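Review bot: `flist_non_exec[-1]` in the `"type": flist_non_exec[-1]` substitution raises IndexError when the domain has no matching type; nothing in this hunk guards it, and the separate patch `d55a06c0` in this same commit adds the `if flist_non_exec:` guard around this write, so the two belong together. The `semanage fcontext -a -t %(type)s '/srv/my%(domainname)s_content(/.*)?'` example now matches the `restorecon -R -v /srv/my%(domainname)s_content` line that follows it, which fixes the path inconsistency in the generated man page.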
--
2.35.1


@ -0,0 +1,49 @@
From 6d02b2fa29954e239721907e1fce238f25ea4f2f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
Date: Fri, 20 May 2022 15:19:52 +0200
Subject: [PATCH] semodule: avoid toctou on output module
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Content-type: text/plain
Do not check for file existence and open afterwards, open with the
exclusive flag (supported in Glibc and musl 0.9.6 and also standardized
in C11).
Found by GitHub CodeQL.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: Nicolas Iooss <nicolas.iooss@m4x.org>
---
policycoreutils/semodule/semodule.c | 13 +++++--------
1 file changed, 5 insertions(+), 8 deletions(-)
diff --git a/policycoreutils/semodule/semodule.c b/policycoreutils/semodule/semodule.c
index 1ed8e69054e0..48bc28dd0973 100644
--- a/policycoreutils/semodule/semodule.c
+++ b/policycoreutils/semodule/semodule.c
@@ -550,15 +550,12 @@ int main(int argc, char *argv[])
goto cleanup_extract;
}
- if (access(output_path, F_OK) == 0) {
- fprintf(stderr, "%s: %s is already extracted with extension %s.\n", argv[0], mode_arg, lang_ext);
- result = -1;
- goto cleanup_extract;
- }
-
- output_fd = fopen(output_path, "w");
+ output_fd = fopen(output_path, "wx");
if (output_fd == NULL) {
- fprintf(stderr, "%s: Unable to open %s\n", argv[0], output_path);
+ if (errno == EEXIST)
+ fprintf(stderr, "%s: %s is already extracted with extension %s.\n", argv[0], mode_arg, lang_ext);
+ else
+ fprintf(stderr, "%s: Unable to open %s: %s\n", argv[0], output_path, strerror(errno));
result = -1;
goto cleanup_extract;
}
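Review bot: `fopen(output_path, "wx")` closes the race between the removed `access(output_path, F_OK)` check and the open, since "x" maps to O_EXCL and fails atomically with EEXIST; the new branch reads `errno` and calls `strerror`, so `<errno.h>` and `<string.h>` must be included in semodule.c, which is outside the hunk and should be confirmed. One caveat already hinted at in the commit message: "x" is C11 and needs a libc that honours it (glibc, musl >= 0.9.6 as stated), which matters for any older toolchain the package still targets.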
--
2.38.1


@ -1,28 +0,0 @@
From d55a06c002641dce1301b9b5639bd8e206460724 Mon Sep 17 00:00:00 2001
From: Miroslav Grepl <mgrepl@redhat.com>
Date: Mon, 12 May 2014 14:11:22 +0200
Subject: [PATCH] If there is no executable we don't want to print a part of
STANDARD FILE CONTEXT
Content-type: text/plain
---
python/sepolicy/sepolicy/manpage.py | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
index 82338aeeef32..ec8aa1cb94a2 100755
--- a/python/sepolicy/sepolicy/manpage.py
+++ b/python/sepolicy/sepolicy/manpage.py
@@ -795,7 +795,8 @@ SELinux %(domainname)s policy is very flexible allowing users to setup their %(d
.PP
""" % {'domainname': self.domainname, 'equiv': e, 'alt': e.split('/')[-1]})
- self.fd.write(r"""
+ if flist_non_exec:
+ self.fd.write(r"""
.PP
.B STANDARD FILE CONTEXT
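Review bot: the `if flist_non_exec:` guard makes the `flist_non_exec[-1]` index in the earlier patch `71a2f147` safe and suppresses the STANDARD FILE CONTEXT section when there is nothing to describe, which is the stated intent; the two patches should be read as one change. The outer header `@ -1,28 +0,0 @@` shows this one is also being removed in the rebase, so verify that the rebased upstream base carries the same guard, otherwise the IndexError returns for domains without non-executable file types.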
--
2.35.1


@ -1,4 +1,4 @@
From 4a53c0c3ee0edba37ba8e62064175c4928f761a8 Mon Sep 17 00:00:00 2001 From abaf812c3877f6b595eb8643582eacef2dd4df3f Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com> From: Vit Mojzis <vmojzis@redhat.com>
Date: Mon, 30 May 2022 14:20:21 +0200 Date: Mon, 30 May 2022 14:20:21 +0200
Subject: [PATCH] python: Split "semanage import" into two transactions Subject: [PATCH] python: Split "semanage import" into two transactions
@ -18,10 +18,10 @@ Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
1 file changed, 19 insertions(+), 2 deletions(-) 1 file changed, 19 insertions(+), 2 deletions(-)
diff --git a/python/semanage/semanage b/python/semanage/semanage diff --git a/python/semanage/semanage b/python/semanage/semanage
index f45061a601f9..4e8d64d6863a 100644 index 8f4e44a7a9cd..1d8281281d05 100644
--- a/python/semanage/semanage --- a/python/semanage/semanage
+++ b/python/semanage/semanage +++ b/python/semanage/semanage
@@ -853,10 +853,29 @@ def handleImport(args): @@ -852,10 +852,29 @@ def handleImport(args):
trans = seobject.semanageRecords(args) trans = seobject.semanageRecords(args)
trans.start() trans.start()
@ -51,7 +51,7 @@ index f45061a601f9..4e8d64d6863a 100644
try: try:
commandParser = createCommandParser() commandParser = createCommandParser()
args = commandParser.parse_args(mkargv(l)) args = commandParser.parse_args(mkargv(l))
@@ -870,8 +889,6 @@ def handleImport(args): @@ -869,8 +888,6 @@ def handleImport(args):
except KeyboardInterrupt: except KeyboardInterrupt:
sys.exit(0) sys.exit(0)
@ -61,5 +61,5 @@ index f45061a601f9..4e8d64d6863a 100644
def setupImportParser(subparsers): def setupImportParser(subparsers):
importParser = subparsers.add_parser('import', help=_('Import local customizations')) importParser = subparsers.add_parser('import', help=_('Import local customizations'))
-- --
2.36.1 2.38.1


@ -0,0 +1,50 @@
From c14a86af9a2304175e54897634f808b42345325b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
Date: Fri, 20 May 2022 14:51:07 +0200
Subject: [PATCH] python/audit2allow: close file stream on error
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Content-type: text/plain
sepolgen-ifgen-attr-helper.c: In function load_policy:
sepolgen-ifgen-attr-helper.c:196:17: warning: leak of FILE fp [CWE-775] [-Wanalyzer-file-leak]
196 | fprintf(stderr, "Out of memory!\n");
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
---
python/audit2allow/sepolgen-ifgen-attr-helper.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/python/audit2allow/sepolgen-ifgen-attr-helper.c b/python/audit2allow/sepolgen-ifgen-attr-helper.c
index 6f3ba96260de..5e6cffc1887d 100644
--- a/python/audit2allow/sepolgen-ifgen-attr-helper.c
+++ b/python/audit2allow/sepolgen-ifgen-attr-helper.c
@@ -194,12 +194,14 @@ static policydb_t *load_policy(const char *filename)
policydb = malloc(sizeof(policydb_t));
if (policydb == NULL) {
fprintf(stderr, "Out of memory!\n");
+ fclose(fp);
return NULL;
}
if (policydb_init(policydb)) {
fprintf(stderr, "Out of memory!\n");
free(policydb);
+ fclose(fp);
return NULL;
}
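Review bot: both early returns after the `malloc` and `policydb_init` failures now close `fp`, which addresses the -Wanalyzer-file-leak warning quoted above; only the error paths are in view, so the success path and the remaining returns of `load_policy` should be checked for the same. The second return frees `policydb` after `policydb_init` failed, which is correct because nothing inside it was initialised.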
@@ -208,6 +210,7 @@ static policydb_t *load_policy(const char *filename)
fprintf(stderr,
"error(s) encountered while parsing configuration\n");
free(policydb);
+ fclose(fp);
return NULL;
}
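Review bot: this path runs after `policydb_init(policydb)` succeeded, so `free(policydb)` alone leaves the tables allocated by init unreleased; `policydb_destroy(policydb)` before the `free` would complete the cleanup. It is a pre-existing leak rather than one introduced here, but it is the same class of defect the patch is fixing, and a one-line addition while the function is being touched.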
--
2.38.1


@ -1,27 +0,0 @@
From 1747f59fece8183772e5591ce5b5feb5f421f602 Mon Sep 17 00:00:00 2001
From: Miroslav Grepl <mgrepl@redhat.com>
Date: Fri, 20 Feb 2015 16:42:01 +0100
Subject: [PATCH] We want to remove the trailing newline for
/etc/system_release.
Content-type: text/plain
---
python/sepolicy/sepolicy/__init__.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/python/sepolicy/sepolicy/__init__.py b/python/sepolicy/sepolicy/__init__.py
index 9447812b7450..aa8beda313c8 100644
--- a/python/sepolicy/sepolicy/__init__.py
+++ b/python/sepolicy/sepolicy/__init__.py
@@ -1228,7 +1228,7 @@ def get_os_version():
system_release = ""
try:
with open('/etc/system-release') as f:
- system_release = f.readline()
+ system_release = f.readline().rstrip()
except IOError:
system_release = "Misc"
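Review bot: `f.readline().rstrip()` strips trailing spaces and tabs as well as the newline, which is the right behaviour for a release string that ends up in generated text; `except IOError` is an alias of `OSError` on Python 3, so a missing /etc/system-release is still caught and falls back to "Misc". Since the outer header `@ -1,27 +0,0 @@` removes this patch, confirm the rebased upstream base carries the same `rstrip()`.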
--
2.35.1


@ -1,4 +1,4 @@
From ff2aba6d202f49749cbb19a84bf0e1cdae54c5e9 Mon Sep 17 00:00:00 2001 From 344463076b2a91e1d2c7f5cc3835dc1a53a05e88 Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com> From: Vit Mojzis <vmojzis@redhat.com>
Date: Fri, 24 Jun 2022 16:24:25 +0200 Date: Fri, 24 Jun 2022 16:24:25 +0200
Subject: [PATCH] gettext: handle unsupported languages properly Subject: [PATCH] gettext: handle unsupported languages properly
@ -218,7 +218,7 @@ index e779fcc6ebd7..952cb8187599 100755
import builtins import builtins
builtins.__dict__['_'] = str builtins.__dict__['_'] = str
diff --git a/python/semanage/semanage b/python/semanage/semanage diff --git a/python/semanage/semanage b/python/semanage/semanage
index 8f4e44a7a9cd..f45061a601f9 100644 index 1d8281281d05..4e8d64d6863a 100644
--- a/python/semanage/semanage --- a/python/semanage/semanage
+++ b/python/semanage/semanage +++ b/python/semanage/semanage
@@ -38,7 +38,8 @@ try: @@ -38,7 +38,8 @@ try:
@ -275,7 +275,7 @@ index 7ebe0efa88a1..c7a70e094b0c 100755
except: except:
try: try:
diff --git a/python/sepolicy/sepolicy/__init__.py b/python/sepolicy/sepolicy/__init__.py diff --git a/python/sepolicy/sepolicy/__init__.py b/python/sepolicy/sepolicy/__init__.py
index 95520f9bc35d..6bde1971fd7c 100644 index 7208234b4a4a..9c3caa05b80b 100644
--- a/python/sepolicy/sepolicy/__init__.py --- a/python/sepolicy/sepolicy/__init__.py
+++ b/python/sepolicy/sepolicy/__init__.py +++ b/python/sepolicy/sepolicy/__init__.py
@@ -31,7 +31,8 @@ try: @@ -31,7 +31,8 @@ try:
@ -289,7 +289,7 @@ index 95520f9bc35d..6bde1971fd7c 100644
except: except:
try: try:
diff --git a/python/sepolicy/sepolicy/generate.py b/python/sepolicy/sepolicy/generate.py diff --git a/python/sepolicy/sepolicy/generate.py b/python/sepolicy/sepolicy/generate.py
index 3e8b9f9c291d..eff3a8973917 100644 index 67189fc36b99..3717d5d4ed78 100644
--- a/python/sepolicy/sepolicy/generate.py --- a/python/sepolicy/sepolicy/generate.py
+++ b/python/sepolicy/sepolicy/generate.py +++ b/python/sepolicy/sepolicy/generate.py
@@ -56,7 +56,8 @@ try: @@ -56,7 +56,8 @@ try:
@ -331,7 +331,7 @@ index 599f97fdc6e7..43f86443f2c8 100644
except: except:
try: try:
diff --git a/sandbox/sandbox b/sandbox/sandbox diff --git a/sandbox/sandbox b/sandbox/sandbox
index 3ef444a12561..53cc504149c9 100644 index cd5709fb07df..789621e136da 100644
--- a/sandbox/sandbox --- a/sandbox/sandbox
+++ b/sandbox/sandbox +++ b/sandbox/sandbox
@@ -45,7 +45,8 @@ try: @@ -45,7 +45,8 @@ try:
@ -345,5 +345,5 @@ index 3ef444a12561..53cc504149c9 100644
except: except:
try: try:
-- --
2.36.1 2.38.1


@ -1,26 +0,0 @@
From 0bd28bc715034c644405d3c03f160d69ae710500 Mon Sep 17 00:00:00 2001
From: Miroslav Grepl <mgrepl@redhat.com>
Date: Fri, 20 Feb 2015 16:42:53 +0100
Subject: [PATCH] Fix title in manpage.py to not contain 'online'.
Content-type: text/plain
---
python/sepolicy/sepolicy/manpage.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
index c632d05dbb1b..3ae2f42b2fdf 100755
--- a/python/sepolicy/sepolicy/manpage.py
+++ b/python/sepolicy/sepolicy/manpage.py
@@ -222,7 +222,7 @@ class HTMLManPages:
<html>
<head>
<link rel=stylesheet type="text/css" href="style.css" title="style">
- <title>SELinux man pages online</title>
+ <title>SELinux man pages</title>
</head>
<body>
<h1>SELinux man pages for %s</h1>
--
2.35.1


@ -1,4 +1,4 @@
From afafe02fa9b6b7fdcce883c5e873d46b9d811d66 Mon Sep 17 00:00:00 2001 From 8cc529af51e8aa68a167ce78cf92687604f98619 Mon Sep 17 00:00:00 2001
From: Ondrej Mosnacek <omosnace@redhat.com> From: Ondrej Mosnacek <omosnace@redhat.com>
Date: Wed, 8 Jun 2022 19:09:54 +0200 Date: Wed, 8 Jun 2022 19:09:54 +0200
Subject: [PATCH] semodule: rename --rebuild-if-modules-changed to --refresh Subject: [PATCH] semodule: rename --rebuild-if-modules-changed to --refresh
@ -40,7 +40,7 @@ index d1735d216276..c56e580f27b8 100644
.B \-D, \-\-disable_dontaudit .B \-D, \-\-disable_dontaudit
Temporarily remove dontaudits from policy. Reverts whenever policy is rebuilt Temporarily remove dontaudits from policy. Reverts whenever policy is rebuilt
diff --git a/policycoreutils/semodule/semodule.c b/policycoreutils/semodule/semodule.c diff --git a/policycoreutils/semodule/semodule.c b/policycoreutils/semodule/semodule.c
index 1ed8e69054e0..ec0794866daa 100644 index 48bc28dd0973..ebe062bf4c6c 100644
--- a/policycoreutils/semodule/semodule.c --- a/policycoreutils/semodule/semodule.c
+++ b/policycoreutils/semodule/semodule.c +++ b/policycoreutils/semodule/semodule.c
@@ -150,9 +150,12 @@ static void usage(char *progname) @@ -150,9 +150,12 @@ static void usage(char *progname)
@ -78,5 +78,5 @@ index 1ed8e69054e0..ec0794866daa 100644
break; break;
default: default:
-- --
2.36.1 2.38.1


@ -0,0 +1,57 @@
From ebb4a170c024d4bf0d2773b93d916e77a87393d9 Mon Sep 17 00:00:00 2001
From: Elijah Conners <business@elijahpepe.com>
Date: Wed, 15 Jun 2022 22:13:31 -0700
Subject: [PATCH] python: remove IOError in certain cases
Content-type: text/plain
In certain cases, IOError caused the much more general exception OSError
to be unreachable.
Signed-off-by: Elijah Conners <business@elijahpepe.com>
Acked-by: Petr Lautrbach <plautrba@redhat.com>
---
python/semanage/semanage | 7 ++-----
sandbox/sandbox | 2 --
2 files changed, 2 insertions(+), 7 deletions(-)
diff --git a/python/semanage/semanage b/python/semanage/semanage
index 4e8d64d6863a..10ab3fa67d7f 100644
--- a/python/semanage/semanage
+++ b/python/semanage/semanage
@@ -971,8 +971,8 @@ def do_parser():
devnull = os.open(os.devnull, os.O_WRONLY)
os.dup2(devnull, sys.stdout.fileno())
sys.exit(1)
- except IOError as e:
- sys.stderr.write("%s: %s\n" % (e.__class__.__name__, str(e)))
+ except OSError as e:
+ sys.stderr.write("%s: %s\n" % (e.__class__.__name__, e.args[1]))
sys.exit(1)
except KeyboardInterrupt:
sys.exit(0)
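Review bot: replacing `str(e)` with `e.args[1]` in the `except OSError as e:` branch narrows what the handler can print: an `OSError` raised with a single argument (as Python code, including the seobject wrappers, may do) has no `args[1]`, so the handler itself raises IndexError and the original error is lost. `str(e)` or `e.strerror or e` handles both the two-argument errno form and the single-message form. Since `IOError` is an alias of `OSError` on Python 3, the old first clause already caught everything, which is why the later `except OSError` was unreachable as the commit message says; merging them is right, only the formatting choice regresses.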
@@ -982,9 +982,6 @@ def do_parser():
except KeyError as e:
sys.stderr.write("%s: %s\n" % (e.__class__.__name__, e.args[0]))
sys.exit(1)
- except OSError as e:
- sys.stderr.write("%s: %s\n" % (e.__class__.__name__, e.args[1]))
- sys.exit(1)
except RuntimeError as e:
sys.stderr.write("%s: %s\n" % (e.__class__.__name__, e.args[0]))
sys.exit(1)
diff --git a/sandbox/sandbox b/sandbox/sandbox
index 789621e136da..ffac70232875 100644
--- a/sandbox/sandbox
+++ b/sandbox/sandbox
@@ -534,8 +534,6 @@ if __name__ == '__main__':
error_exit(error.args[0])
except KeyError as error:
error_exit(_("Invalid value %s") % error.args[0])
- except IOError as error:
- error_exit(error)
except KeyboardInterrupt:
rc = 0
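Review bot: dropping `except IOError as error: error_exit(error)` in sandbox only preserves behaviour if the same `try` has an `except OSError` clause, which is not in the visible context; if it does not, an unreadable include file or a missing directory now surfaces as a traceback instead of a clean `error_exit` message. The semanage hunk above keeps an `OSError` handler, so the two files should be compared before this lands.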
--
2.38.1


@ -0,0 +1,39 @@
From b5b3afbaed29895d37f6160cc0847ef5de7538ed Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
Date: Mon, 8 Aug 2022 19:36:20 +0200
Subject: [PATCH] restorecond: use strict function prototype for definition
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Content-type: text/plain
Clang 15 starts to complain about non strict function definitions:
user.c:172:10: error: a function declaration without a prototype is deprecated in all versions of C [-Werror,-Wstrict-prototypes]
int start() {
^
void
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Reviewed-by: Daniel Burgener <dburgener@linux.microsoft.com>
Acked-by: James Carter <jwcart2@gmail.com>
---
restorecond/user.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/restorecond/user.c b/restorecond/user.c
index 47b86823ff79..3ae3ebbb7230 100644
--- a/restorecond/user.c
+++ b/restorecond/user.c
@@ -169,7 +169,7 @@ io_channel_callback
return TRUE;
}
-int start() {
+int start(void) {
#ifdef HAVE_DBUS
GDBusConnection *bus;
GError *err = NULL;
--
2.38.1


@ -0,0 +1,56 @@
From c2d58b378b3cf350d042a7b657e2b7f5861c5f26 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
Date: Mon, 8 Aug 2022 19:36:55 +0200
Subject: [PATCH] Ignore egg-info directories and clean them
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Content-type: text/plain
Test .gitignore and make clean distclean
error: missing .gitignore entry for libselinux/src/selinux.egg-info/
error: missing .gitignore entry for python/sepolicy/sepolicy.egg-info/
Error: Process completed with exit code 1.
error: "make clean distclean" did not remove libselinux/src/selinux.egg-info/PKG-INFO
error: "make clean distclean" did not remove libselinux/src/selinux.egg-info/SOURCES.txt
error: "make clean distclean" did not remove libselinux/src/selinux.egg-info/dependency_links.txt
error: "make clean distclean" did not remove libselinux/src/selinux.egg-info/top_level.txt
error: "make clean distclean" did not remove python/sepolicy/sepolicy.egg-info/PKG-INFO
error: "make clean distclean" did not remove python/sepolicy/sepolicy.egg-info/SOURCES.txt
error: "make clean distclean" did not remove python/sepolicy/sepolicy.egg-info/dependency_links.txt
error: "make clean distclean" did not remove python/sepolicy/sepolicy.egg-info/top_level.txt
Error: Process completed with exit code 1.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
---
python/sepolicy/.gitignore | 1 +
python/sepolicy/Makefile | 2 +-
2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/python/sepolicy/.gitignore b/python/sepolicy/.gitignore
index 3186c860ec0d..32fb47f92a9d 100644
--- a/python/sepolicy/.gitignore
+++ b/python/sepolicy/.gitignore
@@ -1,3 +1,4 @@
build
tmp
*.bak
+sepolicy.egg-info/
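Review bot: the commit message also lists `libselinux/src/selinux.egg-info/`, but the diffstat shows only `python/sepolicy/.gitignore` and `python/sepolicy/Makefile`, so the libselinux half of the upstream commit is not carried here; that is expected for the policycoreutils package, which does not ship libselinux, but the patch description should say so to avoid the CI errors quoted above being read as still open.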
diff --git a/python/sepolicy/Makefile b/python/sepolicy/Makefile
index 3361be4ef0bc..d983e409e5e6 100644
--- a/python/sepolicy/Makefile
+++ b/python/sepolicy/Makefile
@@ -18,7 +18,7 @@ python-build:
clean:
$(PYTHON) setup.py clean
- -rm -rf build *~ \#* *pyc .#*
+ -rm -rf build *~ \#* *pyc .#* sepolicy.egg-info/
sepolgen:
ln -sf sepolicy sepolgen
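Review bot: adding `sepolicy.egg-info/` to the `rm -rf` under `clean` is the right place, since the `$(PYTHON) setup.py clean` line above it does not remove egg-info; the CI check quoted in the message runs `make clean distclean`, so confirm that `distclean` in this Makefile depends on `clean` (or repeats the removal), otherwise the "did not remove python/sepolicy/sepolicy.egg-info/..." errors persist.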
--
2.38.1


@ -0,0 +1,68 @@
From a0a216ff7d86004ddc36d516377f0a6ffe88076c Mon Sep 17 00:00:00 2001
From: Paul Moore <paul@paul-moore.com>
Date: Fri, 30 Sep 2022 17:44:12 -0400
Subject: [PATCH] docs: provide a top level LICENSE file
Content-type: text/plain
Provide a top level LICENSE file explaining how the SELinux
userspace is released under multiple different licenses. Also ensure
that all the different license files share a consistent file name,
LICENSE, to make it easier for people to identify the license files.
This is to help meet the OpenSSF Best Practices requirements.
Signed-off-by: Paul Moore <paul@paul-moore.com>
---
dbus/{COPYING => LICENSE} | 0
gui/{COPYING => LICENSE} | 0
policycoreutils/{COPYING => LICENSE} | 0
python/{COPYING => LICENSE} | 0
python/sepolgen/{COPYING => LICENSE} | 0
restorecond/{COPYING => LICENSE} | 0
sandbox/{COPYING => LICENSE} | 0
semodule-utils/{COPYING => LICENSE} | 0
8 files changed, 0 insertions(+), 0 deletions(-)
rename dbus/{COPYING => LICENSE} (100%)
rename gui/{COPYING => LICENSE} (100%)
rename policycoreutils/{COPYING => LICENSE} (100%)
rename python/{COPYING => LICENSE} (100%)
rename python/sepolgen/{COPYING => LICENSE} (100%)
rename restorecond/{COPYING => LICENSE} (100%)
rename sandbox/{COPYING => LICENSE} (100%)
rename semodule-utils/{COPYING => LICENSE} (100%)
diff --git a/dbus/COPYING b/dbus/LICENSE
similarity index 100%
rename from dbus/COPYING
rename to dbus/LICENSE
diff --git a/gui/COPYING b/gui/LICENSE
similarity index 100%
rename from gui/COPYING
rename to gui/LICENSE
diff --git a/policycoreutils/COPYING b/policycoreutils/LICENSE
similarity index 100%
rename from policycoreutils/COPYING
rename to policycoreutils/LICENSE
diff --git a/python/COPYING b/python/LICENSE
similarity index 100%
rename from python/COPYING
rename to python/LICENSE
diff --git a/python/sepolgen/COPYING b/python/sepolgen/LICENSE
similarity index 100%
rename from python/sepolgen/COPYING
rename to python/sepolgen/LICENSE
diff --git a/restorecond/COPYING b/restorecond/LICENSE
similarity index 100%
rename from restorecond/COPYING
rename to restorecond/LICENSE
diff --git a/sandbox/COPYING b/sandbox/LICENSE
similarity index 100%
rename from sandbox/COPYING
rename to sandbox/LICENSE
diff --git a/semodule-utils/COPYING b/semodule-utils/LICENSE
similarity index 100%
rename from semodule-utils/COPYING
rename to semodule-utils/LICENSE
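Review bot: the subject and body promise a top-level LICENSE file, but the diffstat shows eight pure renames (`COPYING => LICENSE`, similarity 100%) and no added file; for the policycoreutils package that is expected, since the top-level file lives above these directories, but the patch description should say the top-level file is intentionally omitted. More importantly for a dist-git commit, any `%license` or `%doc` entry in the spec that still names `policycoreutils/COPYING`, `sandbox/COPYING` or `restorecond/COPYING` will now fail to find the file; the 32-file outer diffstat suggests the spec is among the changed files, so check that it was updated to the new names.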
--
2.38.1


@ -1,64 +0,0 @@
From 3748b7eab7434698998edfcf613fe738cf19d5c9 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Mon, 27 Feb 2017 17:12:39 +0100
Subject: [PATCH] sepolicy: Drop old interface file_type_is_executable(f) and
file_type_is_entrypoint(f)
Content-type: text/plain
- use direct queries
- load exec_types and entry_types only once
---
python/sepolicy/sepolicy/manpage.py | 22 ++++++++++++++++++++--
1 file changed, 20 insertions(+), 2 deletions(-)
diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
index 3ae2f42b2fdf..5a434bd360ae 100755
--- a/python/sepolicy/sepolicy/manpage.py
+++ b/python/sepolicy/sepolicy/manpage.py
@@ -127,8 +127,24 @@ def gen_domains():
domains.sort()
return domains
-types = None
+exec_types = None
+
+def _gen_exec_types():
+ global exec_types
+ if exec_types is None:
+ exec_types = next(sepolicy.info(sepolicy.ATTRIBUTE, "exec_type"))["types"]
+ return exec_types
+
+entry_types = None
+
+def _gen_entry_types():
+ global entry_types
+ if entry_types is None:
+ entry_types = next(sepolicy.info(sepolicy.ATTRIBUTE, "entry_type"))["types"]
+ return entry_types
+
+types = None
def _gen_types():
global types
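Review bot: `next(sepolicy.info(sepolicy.ATTRIBUTE, "exec_type"))["types"]` raises `StopIteration` if the loaded policy has no `exec_type` attribute (likewise `entry_type` in `_gen_entry_types`), which aborts man page generation with an unhelpful traceback; `next(..., None)` with a fallback to an empty list, or catching the exception, would degrade gracefully on a minimal policy. Caching in module globals is fine since the policy does not change during one run.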
@@ -374,6 +390,8 @@ class ManPage:
self.all_file_types = sepolicy.get_all_file_types()
self.role_allows = sepolicy.get_all_role_allows()
self.types = _gen_types()
+ self.exec_types = _gen_exec_types()
+ self.entry_types = _gen_entry_types()
if self.source_files:
self.fcpath = self.root + "file_contexts"
@@ -691,7 +709,7 @@ Default Defined Ports:""")
for f in self.all_file_types:
if f.startswith(self.domainname):
flist.append(f)
- if not file_type_is_executable(f) or not file_type_is_entrypoint(f):
+ if f not in self.exec_types or f not in self.entry_types:
flist_non_exec.append(f)
if f in self.fcdict:
mpaths = mpaths + self.fcdict[f]["regex"]
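Review bot: `if f not in self.exec_types or f not in self.entry_types:` keeps the `or` of the `file_type_is_executable(f)`/`file_type_is_entrypoint(f)` condition it replaces, so the classification question raised on the original patch stands; and both membership tests are linear scans over the lists returned by `sepolicy.info`, so wrapping the results in `set()` in `_gen_exec_types` and `_gen_entry_types` turns the loop over `all_file_types` from O(n*m) into O(n) at no cost to readability.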
--
2.35.1


@ -0,0 +1,38 @@
From bba6225abc6c7d8f1642d0c04c819ddc74d426c0 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Tue, 11 Oct 2022 16:36:23 +0200
Subject: [PATCH] gui: Fix export file chooser dialog
Content-type: text/plain
It wasn't possible to choose a directory in filechooser dialog using
double-click - the dialog returned the directory name instead of
listing the directory.
Fixes:
Traceback (most recent call last):
File "/usr/lib/python3.10/site-packages/sepolicy/gui.py", line 2593, in on_browse_select
self.export_config(filename)
File "/usr/lib/python3.10/site-packages/sepolicy/gui.py", line 2668, in export_config
fd = open(filename, 'w')
IsADirectoryError: [Errno 21] Is a directory: '/root/Downloads'
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
---
python/sepolicy/sepolicy/sepolicy.glade | 1 -
1 file changed, 1 deletion(-)
diff --git a/python/sepolicy/sepolicy/sepolicy.glade b/python/sepolicy/sepolicy/sepolicy.glade
index 52407887fcfc..0724d6c8caa4 100644
--- a/python/sepolicy/sepolicy/sepolicy.glade
+++ b/python/sepolicy/sepolicy/sepolicy.glade
@@ -168,7 +168,6 @@
<object class="GtkBox" id="filechooserdialog-vbox1">
<property name="can_focus">False</property>
<property name="orientation">vertical</property>
- <signal name="button-press-event" handler="on_choose_file" swapped="no"/>
<child internal-child="action_area">
<object class="GtkButtonBox" id="filechooserdialog-action_area1">
<property name="can_focus">False</property>
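Review bot: removing the `button-press-event` handler from `filechooserdialog-vbox1` stops a double-click on a folder from being taken as a final selection, which matches the `IsADirectoryError` in the traceback; `on_choose_file` in gui.py may now be unreferenced if nothing else connects it, so check whether it should go too. Independently, `export_config` at gui.py:2668 opens the chosen path with `open(filename, 'w')` without an `os.path.isdir` check, so a directory reached by any other route still raises; a guard there would make the fix robust rather than dependent on dialog behaviour.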
--
2.38.1


@ -0,0 +1,66 @@
From 7238ad32a3171d82bba9b99660e55399161236fc Mon Sep 17 00:00:00 2001
From: James Carter <jwcart2@gmail.com>
Date: Wed, 19 Oct 2022 14:20:11 -0400
Subject: [PATCH] python: Do not query the local database if the fcontext is
non-local
Content-type: text/plain
Vit Mojzis reports that an error message is produced when modifying
a non-local fcontext.
He gives the following example:
# semanage fcontext -f f -m -t passwd_file_t /etc/security/opasswd
libsemanage.dbase_llist_query: could not query record value (No such file or directory).
When modifying an fcontext, the non-local database is checked for the
key and then, if it is not found there, the local database is checked.
If the key doesn't exist, then an error is raised. If the key exists
then the local database is queried first and, if that fails, the non-
local database is queried.
The error is from querying the local database when the fcontext is in
the non-local database.
Instead, if the fcontext is in the non-local database, just query
the non-local database. Only query the local database if the
fcontext was found in it.
Reported-by: Vit Mojzis <vmojzis@redhat.com>
Signed-off-by: James Carter <jwcart2@gmail.com>
---
python/semanage/seobject.py | 15 +++++++++------
1 file changed, 9 insertions(+), 6 deletions(-)
diff --git a/python/semanage/seobject.py b/python/semanage/seobject.py
index 0782c082dc0c..d82da4942987 100644
--- a/python/semanage/seobject.py
+++ b/python/semanage/seobject.py
@@ -2504,16 +2504,19 @@ class fcontextRecords(semanageRecords):
(rc, exists) = semanage_fcontext_exists(self.sh, k)
if rc < 0:
raise ValueError(_("Could not check if file context for %s is defined") % target)
- if not exists:
+ if exists:
+ try:
+ (rc, fcontext) = semanage_fcontext_query(self.sh, k)
+ except OSError:
+ raise ValueError(_("Could not query file context for %s") % target)
+ else:
(rc, exists) = semanage_fcontext_exists_local(self.sh, k)
+ if rc < 0:
+ raise ValueError(_("Could not check if file context for %s is defined") % target)
if not exists:
raise ValueError(_("File context for %s is not defined") % target)
-
- try:
- (rc, fcontext) = semanage_fcontext_query_local(self.sh, k)
- except OSError:
try:
- (rc, fcontext) = semanage_fcontext_query(self.sh, k)
+ (rc, fcontext) = semanage_fcontext_query_local(self.sh, k)
except OSError:
raise ValueError(_("Could not query file context for %s") % target)
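Review bot: the new flow queries the policy database whenever `semanage_fcontext_exists` reports the key and only falls through to the local database otherwise, which removes the `dbase_llist_query` error from the commit message; but a key can exist in both (a policy entry that already has a local customisation), and there the old code preferred `semanage_fcontext_query_local` while the new code returns the policy record. If the modify then copies the fields the user did not pass (type or range) from the queried record, an existing local override is rebuilt from policy defaults; checking `semanage_fcontext_exists_local` first and only then the policy database keeps the old precedence without the spurious error. Also, `rc` from both `semanage_fcontext_query*` calls remains unchecked; the code relies on the wrapper raising `OSError`, as before.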
--
2.38.1


@ -0,0 +1,35 @@
From 0fb988c86b66ede7723e179699e29f00000fc57b Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Thu, 13 Oct 2022 15:23:11 +0200
Subject: [PATCH] sandbox: Do not try to remove tmpdir twice if uid == 0
Content-type: text/plain
If the user is root, tmpdir is already wiped out.
Fixes:
# sandbox -T /root/tmp -- id
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:sandbox_t:s0:c696,c756
Failed to remove directory /tmp/.sandbox-root-KIlB59: No such file or directory
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
---
sandbox/seunshare.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sandbox/seunshare.c b/sandbox/seunshare.c
index 8917a0f9bd42..dd1d7ddbdc89 100644
--- a/sandbox/seunshare.c
+++ b/sandbox/seunshare.c
@@ -414,7 +414,7 @@ static int cleanup_tmpdir(const char *tmpdir, const char *src,
rc++;
}
- if (rmdir(tmpdir) == -1)
+ if (pwd->pw_uid != 0 && rmdir(tmpdir) == -1)
fprintf(stderr, _("Failed to remove directory %s: %s\n"), tmpdir, strerror(errno));
if ((uid_t)setfsuid(pwd->pw_uid) != 0) {
fprintf(stderr, _("unable to switch back to user after clearing tmp dir\n"));
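Review bot: `pwd->pw_uid != 0 && rmdir(tmpdir) == -1` hard-codes the assumption from the commit message that root's tmpdir has already been removed; a more robust form keeps the `rmdir` unconditional and only suppresses the message when `errno == ENOENT`, so a real failure to remove root's directory is still reported and the behaviour does not depend on who wiped it. As written, if the earlier cleanup ever stops removing the directory for root, it is silently left behind in /tmp.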
--
2.38.1


@ -0,0 +1,245 @@
From ecfcb1d6a8ecb914f2a7c72453c872b5f0099f4d Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Thu, 13 Oct 2022 15:23:12 +0200
Subject: [PATCH] sandbox: Use temporary directory for XDG_RUNTIME_DIR
Content-type: text/plain
XDG_RUNTIME_DIR (/run/user/$UID) is used for user-specific data files
such as sockets, named pipes and so on. Therefore, it should not be
available to sandboxed processes.
Usage:
# ls -a $XDG_RUNTIME_DIR
. .. bus pipewire-0 systemd
# sandbox -R /root/sandbox/user -- sh -c "ls -a $XDG_RUNTIME_DIR"
. ..
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
---
sandbox/sandbox | 15 ++++++++++++++-
sandbox/sandbox.8 | 7 +++++--
sandbox/seunshare.8 | 3 +++
sandbox/seunshare.c | 45 +++++++++++++++++++++++++++++++++++----------
4 files changed, 57 insertions(+), 13 deletions(-)
diff --git a/sandbox/sandbox b/sandbox/sandbox
index ffac70232875..770807345858 100644
--- a/sandbox/sandbox
+++ b/sandbox/sandbox
@@ -209,6 +209,7 @@ class Sandbox:
self.__level = None
self.__homedir = None
self.__tmpdir = None
+ self.__runuserdir = None
def __validate_mount(self):
if self.__options.level:
@@ -357,6 +358,11 @@ sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [-
action="callback", callback=self.__validdir,
help=_("alternate /tmp directory to use for mounting"))
+ parser.add_option("-R", "--runuserdir", dest="runuserdir",
+ type="string",
+ action="callback", callback=self.__validdir,
+ help=_("alternate XDG_RUNTIME_DIR - /run/user/$UID - directory to use for mounting"))
+
parser.add_option("-w", "--windowsize", dest="windowsize",
type="string", default=DEFAULT_WINDOWSIZE,
help="size of the sandbox window")
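Review bot: the new `-R/--runuserdir` option reuses the `__validdir` callback used for `-T`, so the same existence checks apply; the usage string visible in the hunk's context line (`sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] ...`) is not updated in this hunk to list `[-R runuserdir]`, while the man page SYNOPSIS below is, and the two should agree.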
@@ -401,10 +407,12 @@ sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [-
self.__options.X_ind = True
self.__homedir = self.__options.homedir
self.__tmpdir = self.__options.tmpdir
+ self.__runuserdir = self.__options.runuserdir
else:
if self.__options.level:
self.__homedir = self.__options.homedir
self.__tmpdir = self.__options.tmpdir
+ self.__runuserdir = self.__options.runuserdir
if len(cmds) == 0:
self.usage(_("Command required"))
@@ -442,9 +450,14 @@ sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [-
self.__tmpdir = self.__options.tmpdir
else:
self.__tmpdir = mkdtemp(dir="/tmp", prefix=".sandbox_tmp_")
+ if self.__options.runuserdir:
+ self.__runuserdir = self.__options.runuserdir
+ else:
+ self.__runuserdir = mkdtemp(dir="/tmp", prefix=".sandbox_runuser_")
self.__copyfiles()
selinux.chcon(self.__homedir, self.__filecon, recursive=True)
selinux.chcon(self.__tmpdir, self.__filecon, recursive=True)
+ selinux.chcon(self.__runuserdir, self.__filecon, recursive=True)
selinux.setfscreatecon(None)
def __execute(self):
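Review bot: the directory created by `mkdtemp(dir="/tmp", prefix=".sandbox_runuser_")` when -R is not given is never removed anywhere in this patch; `__tmpdir` is created the same way a few lines above and is presumably cleaned up at exit elsewhere in sandbox, so `__runuserdir` needs to be removed on that same path, otherwise every sandbox run leaves a labelled directory behind in /tmp. The `selinux.chcon(self.__runuserdir, ...)` line is also only reached on the `__mount` path, which matches how `-r` is passed to seunshare below, so the option is effectively a no-op without -X or -M and the help text should say so.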
@@ -453,7 +466,7 @@ sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [-
if self.__options.usecaps:
cmds.append('-C')
if self.__mount:
- cmds += ["-t", self.__tmpdir, "-h", self.__homedir]
+ cmds += ["-t", self.__tmpdir, "-h", self.__homedir, "-r", self.__runuserdir]
if self.__options.X_ind:
if self.__options.dpi:
diff --git a/sandbox/sandbox.8 b/sandbox/sandbox.8
index d83fee76f335..1ee0ecea96d1 100644
--- a/sandbox/sandbox.8
+++ b/sandbox/sandbox.8
@@ -3,11 +3,11 @@
sandbox \- Run cmd under an SELinux sandbox
.SH SYNOPSIS
.B sandbox
-[\-C] [\-s] [ \-d DPI ] [\-l level ] [[\-M | \-X] \-H homedir \-T tempdir ] [\-I includefile ] [ \-W windowmanager ] [ \-w windowsize ] [[\-i file ]...] [ \-t type ] cmd
+[\-C] [\-s] [ \-d DPI ] [\-l level ] [[\-M | \-X] \-H homedir \-T tempdir ] [ \-R runuserdir ] [\-I includefile ] [ \-W windowmanager ] [ \-w windowsize ] [[\-i file ]...] [ \-t type ] cmd
.br
.B sandbox
-[\-C] [\-s] [ \-d DPI ] [\-l level ] [[\-M | \-X] \-H homedir \-T tempdir ] [\-I includefile ] [ \-W windowmanager ] [ \-w windowsize ] [[\-i file ]...] [ \-t type ] \-S
+[\-C] [\-s] [ \-d DPI ] [\-l level ] [[\-M | \-X] \-H homedir \-T tempdir ] [ \-R runuserdir ] [\-I includefile ] [ \-W windowmanager ] [ \-w windowsize ] [[\-i file ]...] [ \-t type ] \-S
.br
.SH DESCRIPTION
.PP
@@ -67,6 +67,9 @@ sandbox_net_client_t \- All network ports
\fB\-T\fR \fB\-\-tmpdir\fR
Use alternate temporary directory to mount on /tmp. Defaults to tmpfs. Requires \-X or \-M.
.TP
+\fB\-R\fR \fB\-\-runuserdir\fR
+Use alternate temporary directory to mount on XDG_RUNTIME_DIR (/run/user/$UID).
+.TP
\fB\-S\fR \fB\-\-session\fR
Run a full desktop session, Requires level, and home and tmpdir.
.TP
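Review bot: the new \-R entry should carry the same "Requires \-X or \-M." qualifier as the \-T entry directly above it, because sandbox only passes `-r` to seunshare inside its `if self.__mount:` branch, and it should state the default when no directory is given (a fresh temporary directory under /tmp, per the `mkdtemp` in the sandbox hunk), mirroring "Defaults to tmpfs." on \-T.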
diff --git a/sandbox/seunshare.8 b/sandbox/seunshare.8
index 0da352613485..09cf7feae45d 100644
--- a/sandbox/seunshare.8
+++ b/sandbox/seunshare.8
@@ -18,6 +18,9 @@ Alternate homedir to be used by the application. Homedir must be owned by the u
\fB\-t\ tmpdir
Use alternate temporary directory to mount on /tmp. tmpdir must be owned by the user.
.TP
+\fB\-r\ runuserdir
+Use alternate temporary directory to mount on XDG_RUNTIME_DIR (/run/user/$UID). runuserdir must be owned by the user.
+.TP
\fB\-C --capabilities\fR
Allow apps executed within the namespace to use capabilities. Default is no capabilities.
.TP
diff --git a/sandbox/seunshare.c b/sandbox/seunshare.c
index dd1d7ddbdc89..1d38ea92b9ae 100644
--- a/sandbox/seunshare.c
+++ b/sandbox/seunshare.c
@@ -52,7 +52,7 @@
#define BUF_SIZE 1024
#define DEFAULT_PATH "/usr/bin:/bin"
-#define USAGE_STRING _("USAGE: seunshare [ -v ] [ -C ] [ -k ] [ -t tmpdir ] [ -h homedir ] [ -Z CONTEXT ] -- executable [args] ")
+#define USAGE_STRING _("USAGE: seunshare [ -v ] [ -C ] [ -k ] [ -t tmpdir ] [ -h homedir ] [ -r runuserdir ] [ -Z CONTEXT ] -- executable [args] ")
static int verbose = 0;
static int child = 0;
@@ -623,15 +623,20 @@ int main(int argc, char **argv) {
char *homedir_s = NULL; /* homedir spec'd by user in argv[] */
char *tmpdir_s = NULL; /* tmpdir spec'd by user in argv[] */
char *tmpdir_r = NULL; /* tmpdir created by seunshare */
+ char *runuserdir_s = NULL; /* /var/run/user/UID spec'd by user in argv[] */
+ char *runuserdir_r = NULL; /* /var/run/user/UID created by seunshare */
struct stat st_curhomedir;
struct stat st_homedir;
struct stat st_tmpdir_s;
struct stat st_tmpdir_r;
+ struct stat st_runuserdir_s;
+ struct stat st_runuserdir_r;
const struct option long_options[] = {
{"homedir", 1, 0, 'h'},
{"tmpdir", 1, 0, 't'},
+ {"runuserdir", 1, 0, 'r'},
{"kill", 1, 0, 'k'},
{"verbose", 1, 0, 'v'},
{"context", 1, 0, 'Z'},
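Review bot: the two new comments say `/var/run/user/UID` while the fallback path built later in this patch is `asprintf(&RUNTIME_DIR, "/run/user/%d", uid)`; use one spelling (the man page text in this patch uses /run/user/$UID) so the comments match the code.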
@@ -665,7 +670,7 @@ int main(int argc, char **argv) {
}
while (1) {
- clflag = getopt_long(argc, argv, "Ccvh:t:Z:", long_options, NULL);
+ clflag = getopt_long(argc, argv, "Ccvh:r:t:Z:", long_options, NULL);
if (clflag == -1)
break;
@@ -679,6 +684,9 @@ int main(int argc, char **argv) {
case 'h':
homedir_s = optarg;
break;
+ case 'r':
+ runuserdir_s = optarg;
+ break;
case 'v':
verbose++;
break;
@@ -729,6 +737,10 @@ int main(int argc, char **argv) {
if (tmpdir_s && (
verify_directory(tmpdir_s, NULL, &st_tmpdir_s) < 0 ||
check_owner_uid(uid, tmpdir_s, &st_tmpdir_s))) return -1;
+ if (runuserdir_s && (
+ verify_directory(runuserdir_s, NULL, &st_runuserdir_s) < 0 ||
+ check_owner_uid(uid, runuserdir_s, &st_runuserdir_s))) return -1;
+
if ((uid_t)setfsuid(0) != uid) return -1;
/* create runtime tmpdir */
@@ -737,6 +749,12 @@ int main(int argc, char **argv) {
fprintf(stderr, _("Failed to create runtime temporary directory\n"));
return -1;
}
+ /* create runtime runuserdir */
+ if (runuserdir_s && (runuserdir_r = create_tmpdir(runuserdir_s, &st_runuserdir_s,
+ &st_runuserdir_r, pwd, execcon)) == NULL) {
+ fprintf(stderr, _("Failed to create runtime $XDG_RUNTIME_DIR directory\n"));
+ return -1;
+ }
/* spawn child process */
child = fork();
@@ -775,7 +793,21 @@ int main(int argc, char **argv) {
if (check_owner_uid(uid, resolved_path, &st_curhomedir) < 0)
goto childerr;
- /* mount homedir and tmpdir, in this order */
+ if ((RUNTIME_DIR = getenv("XDG_RUNTIME_DIR")) != NULL) {
+ if ((RUNTIME_DIR = strdup(RUNTIME_DIR)) == NULL) {
+ perror(_("Out of memory"));
+ goto childerr;
+ }
+ } else {
+ if (asprintf(&RUNTIME_DIR, "/run/user/%d", uid) == -1) {
+ perror(_("Out of memory\n"));
+ goto childerr;
+ }
+ }
+
+ /* mount homedir, runuserdir and tmpdir, in this order */
+ if (runuserdir_s && seunshare_mount(runuserdir_s, RUNTIME_DIR,
+ &st_runuserdir_s) != 0) goto childerr;
if (homedir_s && seunshare_mount(homedir_s, resolved_path,
&st_homedir) != 0) goto childerr;
if (tmpdir_s && seunshare_mount(tmpdir_r, "/tmp",
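Review bot: the mount target `RUNTIME_DIR` taken from `getenv("XDG_RUNTIME_DIR")` is passed straight to `seunshare_mount(runuserdir_s, RUNTIME_DIR, ...)` without the `verify_directory`/`check_owner_uid` treatment that `resolved_path` gets just above it, so a caller-controlled environment value chooses where the user-owned directory is mounted; either apply the same checks to `RUNTIME_DIR` or only honour the variable when it resolves under /run/user/<uid>. Two smaller points in the same hunk: the comment "mount homedir, runuserdir and tmpdir, in this order" does not match the code, which mounts runuserdir first, then homedir, then tmpdir; and `"/run/user/%d"` formats a `uid_t` (unsigned) with `%d`, so use `%u` with a cast, or `%ju` with `(uintmax_t)uid`.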
@@ -799,13 +831,6 @@ int main(int argc, char **argv) {
}
}
- if ((RUNTIME_DIR = getenv("XDG_RUNTIME_DIR")) != NULL) {
- if ((RUNTIME_DIR = strdup(RUNTIME_DIR)) == NULL) {
- perror(_("Out of memory"));
- goto childerr;
- }
- }
-
if ((rc = clearenv()) != 0) {
perror(_("Failed to clear environment"));
goto childerr;
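Review bot: moving this block up and giving it a `/run/user/<uid>` fallback changes behaviour for callers that had no XDG_RUNTIME_DIR set: `RUNTIME_DIR` was previously left NULL in that case and is now always populated, so whatever consumes it after `clearenv()` (not visible in this hunk) will now see a path that is only actually mounted when `-r` was given; confirm that consumer tolerates a non-existent directory, or gate the fallback on `runuserdir_s`.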
--
2.38.1


@ -0,0 +1,81 @@
From c08cf24f39989cfc610a481ae3dc380b61e9ca5f Mon Sep 17 00:00:00 2001
From: James Carter <jwcart2@gmail.com>
Date: Fri, 28 Oct 2022 16:16:22 -0400
Subject: [PATCH] python: Remove dependency on the Python module distutils
Content-type: text/plain
The distutils package is deprecated and scheduled to be removed in
Python 3.12. Use the setuptools and sysconfig modules instead.
Signed-off-by: James Carter <jwcart2@gmail.com>
Acked-by: Petr Lautrbach <plautrba@redhat.com>
---
python/semanage/Makefile | 2 +-
python/sepolgen/src/sepolgen/Makefile | 2 +-
python/sepolicy/sepolicy/gui.py | 4 ++--
python/sepolicy/setup.py | 2 +-
4 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/python/semanage/Makefile b/python/semanage/Makefile
index 024e9640fed0..b53ee33db6ac 100644
--- a/python/semanage/Makefile
+++ b/python/semanage/Makefile
@@ -5,7 +5,7 @@ LINGUAS ?= ru
PREFIX ?= /usr
SBINDIR ?= $(PREFIX)/sbin
MANDIR = $(PREFIX)/share/man
-PYTHONLIBDIR ?= $(shell $(PYTHON) -c "from distutils.sysconfig import *; print(get_python_lib(prefix='$(PREFIX)'))")
+PYTHONLIBDIR ?= $(shell $(PYTHON) -c "import sysconfig; print(sysconfig.get_path('purelib', vars={'platbase': '$(PREFIX)', 'base': '$(PREFIX)'}))")
PACKAGEDIR ?= $(PYTHONLIBDIR)
BASHCOMPLETIONDIR ?= $(PREFIX)/share/bash-completion/completions
diff --git a/python/sepolgen/src/sepolgen/Makefile b/python/sepolgen/src/sepolgen/Makefile
index cac8def7204e..a10392273181 100644
--- a/python/sepolgen/src/sepolgen/Makefile
+++ b/python/sepolgen/src/sepolgen/Makefile
@@ -1,6 +1,6 @@
PREFIX ?= /usr
PYTHON ?= python3
-PYTHONLIBDIR ?= $(shell $(PYTHON) -c "from distutils.sysconfig import *; print(get_python_lib(prefix='$(PREFIX)'))")
+PYTHONLIBDIR ?= $(shell $(PYTHON) -c "import sysconfig; print(sysconfig.get_path('purelib', vars={'platbase': '$(PREFIX)', 'base': '$(PREFIX)'}))")
PACKAGEDIR ?= /$(PYTHONLIBDIR)/sepolgen
all:
diff --git a/python/sepolicy/sepolicy/gui.py b/python/sepolicy/sepolicy/gui.py
index 5bdbfebade1d..335be582b668 100644
--- a/python/sepolicy/sepolicy/gui.py
+++ b/python/sepolicy/sepolicy/gui.py
@@ -77,7 +77,7 @@ def cmp(a, b):
return 1
return (a > b) - (a < b)
-import distutils.sysconfig
+import sysconfig
ADVANCED_LABEL = (_("Advanced >>"), _("Advanced <<"))
ADVANCED_SEARCH_LABEL = (_("Advanced Search >>"), _("Advanced Search <<"))
OUTBOUND_PAGE = 0
@@ -130,7 +130,7 @@ class SELinuxGui():
self.application = app
self.filter_txt = ""
builder = Gtk.Builder() # BUILDER OBJ
- self.code_path = distutils.sysconfig.get_python_lib(plat_specific=False) + "/sepolicy/"
+ self.code_path = sysconfig.get_python_lib(plat_specific=False) + "/sepolicy/"
glade_file = self.code_path + "sepolicy.glade"
builder.add_from_file(glade_file)
self.outer_notebook = builder.get_object("outer_notebook")
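Review bot: `sysconfig.get_python_lib(plat_specific=False)` does not exist; `get_python_lib` is a `distutils.sysconfig` function, and the standard-library `sysconfig` module only offers `get_path`/`get_paths`, so this line raises `AttributeError` as soon as `SELinuxGui` is constructed. Use `sysconfig.get_path('purelib')`, which is what the two Makefile hunks in this same patch already switched to.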
diff --git a/python/sepolicy/setup.py b/python/sepolicy/setup.py
index b0f9650df875..c82206647f9b 100644
--- a/python/sepolicy/setup.py
+++ b/python/sepolicy/setup.py
@@ -2,7 +2,7 @@
# Author: Thomas Liu <tliu@redhat.com>
# Author: Dan Walsh <dwalsh@redhat.com>
-from distutils.core import setup
+from setuptools import setup
setup(
name="sepolicy",
--
2.38.1


@ -0,0 +1,81 @@
From 48602370acabffea96759bf66edd00ca829f5d17 Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com>
Date: Tue, 18 Oct 2022 22:36:59 +0200
Subject: [PATCH] python: Harden tools against "rogue" modules
Content-type: text/plain
Python scripts present in "/usr/sbin" override regular modules.
Make sure /usr/sbin is not present in PYTHONPATH.
Fixes:
#cat > /usr/sbin/audit.py <<EOF
import sys
print("BAD GUY!", file=sys.stderr)
sys.exit(1)
EOF
#semanage boolean -l
BAD GUY!
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
---
python/audit2allow/audit2allow | 2 +-
python/audit2allow/sepolgen-ifgen | 2 +-
python/chcat/chcat | 2 +-
python/semanage/semanage | 2 +-
python/sepolicy/sepolicy.py | 2 +-
5 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/python/audit2allow/audit2allow b/python/audit2allow/audit2allow
index 09b06f664bc4..eafeea88aa21 100644
--- a/python/audit2allow/audit2allow
+++ b/python/audit2allow/audit2allow
@@ -1,4 +1,4 @@
-#!/usr/bin/python3 -Es
+#!/usr/bin/python3 -EsI
# Authors: Karl MacMillan <kmacmillan@mentalrootkit.com>
# Authors: Dan Walsh <dwalsh@redhat.com>
#
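Review bot: `-I` (isolated mode) already implies `-E` and `-s`, so `-EsI` is redundant and could be just `-I`; the part that actually closes the hole described in the commit message is that `-I` also drops the script's own directory (/usr/sbin) from `sys.path[0]`, which `-Es` never did. Keeping the three letters combined in one argument is right either way, since the kernel passes everything after the interpreter path as a single argv element. The same applies to the four identical hunks below.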
diff --git a/python/audit2allow/sepolgen-ifgen b/python/audit2allow/sepolgen-ifgen
index b7a04c719acc..f2cc0c32f2b0 100644
--- a/python/audit2allow/sepolgen-ifgen
+++ b/python/audit2allow/sepolgen-ifgen
@@ -1,4 +1,4 @@
-#!/usr/bin/python3 -Es
+#!/usr/bin/python3 -EsI
#
# Authors: Karl MacMillan <kmacmillan@mentalrootkit.com>
#
diff --git a/python/chcat/chcat b/python/chcat/chcat
index 952cb8187599..68718ec5f102 100755
--- a/python/chcat/chcat
+++ b/python/chcat/chcat
@@ -1,4 +1,4 @@
-#!/usr/bin/python3 -Es
+#!/usr/bin/python3 -EsI
# Copyright (C) 2005 Red Hat
# see file 'COPYING' for use and warranty information
#
diff --git a/python/semanage/semanage b/python/semanage/semanage
index 10ab3fa67d7f..b21d1484ab85 100644
--- a/python/semanage/semanage
+++ b/python/semanage/semanage
@@ -1,4 +1,4 @@
-#!/usr/bin/python3 -Es
+#!/usr/bin/python3 -EsI
# Copyright (C) 2012-2013 Red Hat
# AUTHOR: Miroslav Grepl <mgrepl@redhat.com>
# AUTHOR: David Quigley <selinux@davequigley.com>
diff --git a/python/sepolicy/sepolicy.py b/python/sepolicy/sepolicy.py
index c7a70e094b0c..733d40484709 100755
--- a/python/sepolicy/sepolicy.py
+++ b/python/sepolicy/sepolicy.py
@@ -1,4 +1,4 @@
-#!/usr/bin/python3 -Es
+#!/usr/bin/python3 -EsI
# Copyright (C) 2012 Red Hat
# AUTHOR: Dan Walsh <dwalsh@redhat.com>
# see file 'COPYING' for use and warranty information
--
2.38.1


@ -1,4 +1,4 @@
From f361ee407490bc74b43ec408b1edc70cd647d4e0 Mon Sep 17 00:00:00 2001 From 1b9bc42461589e49cd68727ea479cc820e55a2d7 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com> From: Petr Lautrbach <plautrba@redhat.com>
Date: Thu, 20 Aug 2015 12:58:41 +0200 Date: Thu, 20 Aug 2015 12:58:41 +0200
Subject: [PATCH] sandbox: add -reset to Xephyr as it works better with it in Subject: [PATCH] sandbox: add -reset to Xephyr as it works better with it in
@ -23,5 +23,5 @@ index eaa500d08143..4774528027ef 100644
cat > ~/seremote << __EOF cat > ~/seremote << __EOF
#!/bin/sh #!/bin/sh
-- --
2.35.1 2.38.1


@ -1,4 +1,4 @@
From f204dd292340689c2d7ab75612b9fd81337fcbc3 Mon Sep 17 00:00:00 2001 From 30f3eca067ace9f73ad7612377675e5f777ea869 Mon Sep 17 00:00:00 2001
From: Dan Walsh <dwalsh@redhat.com> From: Dan Walsh <dwalsh@redhat.com>
Date: Fri, 14 Feb 2014 12:32:12 -0500 Date: Fri, 14 Feb 2014 12:32:12 -0500
Subject: [PATCH] Don't be verbose if you are not on a tty Subject: [PATCH] Don't be verbose if you are not on a tty
@ -21,5 +21,5 @@ index c72ca0eb9d61..163ebcd1f232 100755
THREADS="" THREADS=""
RPMFILES="" RPMFILES=""
-- --
2.35.1 2.38.1


@ -1,4 +1,4 @@
From d8f51aa7d299383247213b69ec7cbb68c1fa3bc4 Mon Sep 17 00:00:00 2001 From f2a1b0dc836ebcf2ef418cd0c85fcea949b556eb Mon Sep 17 00:00:00 2001
From: Masatake YAMATO <yamato@redhat.com> From: Masatake YAMATO <yamato@redhat.com>
Date: Thu, 14 Dec 2017 15:57:58 +0900 Date: Thu, 14 Dec 2017 15:57:58 +0900
Subject: [PATCH] sepolicy-generate: Handle more reserved port types Subject: [PATCH] sepolicy-generate: Handle more reserved port types
@ -53,10 +53,10 @@ https://lore.kernel.org/selinux/20150610.190635.1866127952891120915.yamato@redha
1 file changed, 3 insertions(+), 1 deletion(-) 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/python/sepolicy/sepolicy/generate.py b/python/sepolicy/sepolicy/generate.py diff --git a/python/sepolicy/sepolicy/generate.py b/python/sepolicy/sepolicy/generate.py
index 43180ca6fda4..d60a08e1d72c 100644 index 3717d5d4ed78..eff3a8973917 100644
--- a/python/sepolicy/sepolicy/generate.py --- a/python/sepolicy/sepolicy/generate.py
+++ b/python/sepolicy/sepolicy/generate.py +++ b/python/sepolicy/sepolicy/generate.py
@@ -99,7 +99,9 @@ def get_all_ports(): @@ -100,7 +100,9 @@ def get_all_ports():
for p in sepolicy.info(sepolicy.PORT): for p in sepolicy.info(sepolicy.PORT):
if p['type'] == "reserved_port_t" or \ if p['type'] == "reserved_port_t" or \
p['type'] == "port_t" or \ p['type'] == "port_t" or \
@ -68,5 +68,5 @@ index 43180ca6fda4..d60a08e1d72c 100644
dict[(p['low'], p['high'], p['protocol'])] = (p['type'], p.get('range')) dict[(p['low'], p['high'], p['protocol'])] = (p['type'], p.get('range'))
return dict return dict
-- --
2.35.1 2.38.1


@ -1,4 +1,4 @@
From 8054dc44cf105b959864a1424fe857fac3ba3d73 Mon Sep 17 00:00:00 2001 From 239f039edd2c4030d373baa31f42651075b5927b Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com> From: Petr Lautrbach <plautrba@redhat.com>
Date: Wed, 18 Jul 2018 09:09:35 +0200 Date: Wed, 18 Jul 2018 09:09:35 +0200
Subject: [PATCH] sandbox: Use matchbox-window-manager instead of openbox Subject: [PATCH] sandbox: Use matchbox-window-manager instead of openbox
@ -11,10 +11,10 @@ Content-type: text/plain
3 files changed, 3 insertions(+), 17 deletions(-) 3 files changed, 3 insertions(+), 17 deletions(-)
diff --git a/sandbox/sandbox b/sandbox/sandbox diff --git a/sandbox/sandbox b/sandbox/sandbox
index 16c43b51eaaa..7709a6585665 100644 index 770807345858..df3af9260c7f 100644
--- a/sandbox/sandbox --- a/sandbox/sandbox
+++ b/sandbox/sandbox +++ b/sandbox/sandbox
@@ -268,7 +268,7 @@ class Sandbox: @@ -270,7 +270,7 @@ class Sandbox:
copyfile(f, "/tmp", self.__tmpdir) copyfile(f, "/tmp", self.__tmpdir)
copyfile(f, "/var/tmp", self.__tmpdir) copyfile(f, "/var/tmp", self.__tmpdir)
@ -23,7 +23,7 @@ index 16c43b51eaaa..7709a6585665 100644
execfile = self.__homedir + "/.sandboxrc" execfile = self.__homedir + "/.sandboxrc"
fd = open(execfile, "w+") fd = open(execfile, "w+")
if self.__options.session: if self.__options.session:
@@ -362,7 +362,7 @@ sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [- @@ -369,7 +369,7 @@ sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [-
parser.add_option("-W", "--windowmanager", dest="wm", parser.add_option("-W", "--windowmanager", dest="wm",
type="string", type="string",
@ -33,10 +33,10 @@ index 16c43b51eaaa..7709a6585665 100644
parser.add_option("-l", "--level", dest="level", parser.add_option("-l", "--level", dest="level",
diff --git a/sandbox/sandbox.8 b/sandbox/sandbox.8 diff --git a/sandbox/sandbox.8 b/sandbox/sandbox.8
index d83fee76f335..90ef4951c8c2 100644 index 1ee0ecea96d1..775e4b231204 100644
--- a/sandbox/sandbox.8 --- a/sandbox/sandbox.8
+++ b/sandbox/sandbox.8 +++ b/sandbox/sandbox.8
@@ -77,7 +77,7 @@ Specifies the windowsize when creating an X based Sandbox. The default windowsiz @@ -80,7 +80,7 @@ Specifies the windowsize when creating an X based Sandbox. The default windowsiz
\fB\-W\fR \fB\-\-windowmanager\fR \fB\-W\fR \fB\-\-windowmanager\fR
Select alternative window manager to run within Select alternative window manager to run within
.B sandbox \-X. .B sandbox \-X.
@ -71,5 +71,5 @@ index 4774528027ef..c211ebc14549 100644
export DISPLAY=:$D export DISPLAY=:$D
cat > ~/seremote << __EOF cat > ~/seremote << __EOF
-- --
2.35.1 2.38.1


@ -1,4 +1,4 @@
From 53d085d8d6edc05886d473e412a8025b7f8d9ce4 Mon Sep 17 00:00:00 2001 From e5a015f1edd5e7ed87f6f4ec6ddb45637fa178ab Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com> From: Petr Lautrbach <plautrba@redhat.com>
Date: Fri, 30 Jul 2021 14:14:37 +0200 Date: Fri, 30 Jul 2021 14:14:37 +0200
Subject: [PATCH] Use SHA-2 instead of SHA-1 Subject: [PATCH] Use SHA-2 instead of SHA-1
@ -254,10 +254,10 @@ index 910101452625..7f2daa09191b 100644
, и, при условии, что НЕ установлен параметр , и, при условии, что НЕ установлен параметр
.B \-n .B \-n
diff --git a/policycoreutils/setfiles/setfiles.8 b/policycoreutils/setfiles/setfiles.8 diff --git a/policycoreutils/setfiles/setfiles.8 b/policycoreutils/setfiles/setfiles.8
index 19b59a2cc90d..bad9f37a9ac4 100644 index bf26e161a71d..36fe6b369548 100644
--- a/policycoreutils/setfiles/setfiles.8 --- a/policycoreutils/setfiles/setfiles.8
+++ b/policycoreutils/setfiles/setfiles.8 +++ b/policycoreutils/setfiles/setfiles.8
@@ -87,14 +87,14 @@ display usage information and exit. @@ -95,14 +95,14 @@ display usage information and exit.
ignore files that do not exist. ignore files that do not exist.
.TP .TP
.B \-I .B \-I
@ -275,7 +275,7 @@ index 19b59a2cc90d..bad9f37a9ac4 100644
enable usage of the enable usage of the
.IR security.sehash .IR security.sehash
extended attribute. extended attribute.
@@ -239,7 +239,7 @@ the @@ -261,7 +261,7 @@ the
.B \-D .B \-D
option to option to
.B setfiles .B setfiles
@ -284,7 +284,7 @@ index 19b59a2cc90d..bad9f37a9ac4 100644
.B spec_file .B spec_file
set in an extended attribute named set in an extended attribute named
.IR security.sehash .IR security.sehash
@@ -260,7 +260,7 @@ for further details. @@ -282,7 +282,7 @@ for further details.
.sp .sp
The The
.B \-I .B \-I
@ -294,5 +294,5 @@ index 19b59a2cc90d..bad9f37a9ac4 100644
and provided the and provided the
.B \-n .B \-n
-- --
2.35.1 2.38.1


@ -0,0 +1,28 @@
From 5e9f9478cc6eeaa46e0e8172a458a49e49d4e258 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Wed, 9 Nov 2022 11:53:28 +0100
Subject: [PATCH] python: Fix typo in audit2allow.1 example
Content-type: text/plain
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
---
python/audit2allow/audit2allow.1 | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/python/audit2allow/audit2allow.1 b/python/audit2allow/audit2allow.1
index c61067b33688..04ec32398011 100644
--- a/python/audit2allow/audit2allow.1
+++ b/python/audit2allow/audit2allow.1
@@ -151,7 +151,7 @@ policy_module(local, 1.0)
gen_require(`
type myapp_t;
type etc_t;
- };
+\[aq])
files_read_etc_files(myapp_t)
<review local.te and customize as desired>
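Review bot: the closing quote is now escaped as `\[aq]` but the opening grave on the context line `gen_require(\`` is still a bare backtick, which groff may render as a typographic left quote on UTF-8 output; escape it as `\[ga]` in the same change so the m4 quoting pair `\`...'` renders literally in both places.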
--
2.38.1


@ -0,0 +1,102 @@
From 762090ae1a67b040b37cc4863f1ceb0b45c66717 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <lautrbach@redhat.com>
Date: Fri, 18 Nov 2022 13:51:52 +0100
Subject: [PATCH] python/sepolicy: Fix sepolicy manpage -w ...
Content-type: text/plain
Commit 7494bb1298b3 ("sepolicy: generate man pages in parallel")
improved sepolicy performance but broke `sepolicy manpage -w ...` as it
didn't collect data about domains and roles from ManPage() and so
HTMLManPages() generated only an empty page. This is fixed now, domains
and roles are being collected and used for HTML pages.
Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>
---
python/sepolicy/sepolicy.py | 13 +++++++++++--
python/sepolicy/sepolicy/manpage.py | 12 +++++-------
2 files changed, 16 insertions(+), 9 deletions(-)
diff --git a/python/sepolicy/sepolicy.py b/python/sepolicy/sepolicy.py
index 733d40484709..82ff6af2bc2d 100755
--- a/python/sepolicy/sepolicy.py
+++ b/python/sepolicy/sepolicy.py
@@ -332,9 +332,10 @@ def manpage_work(domain, path, root, source_files, web):
from sepolicy.manpage import ManPage
m = ManPage(domain, path, root, source_files, web)
print(m.get_man_page_path())
+ return (m.manpage_domains, m.manpage_roles)
def manpage(args):
- from sepolicy.manpage import HTMLManPages, manpage_domains, manpage_roles, gen_domains
+ from sepolicy.manpage import HTMLManPages, gen_domains
path = args.path
if not args.policy and args.root != "/":
@@ -347,9 +348,17 @@ def manpage(args):
else:
test_domains = args.domain
+ manpage_domains = set()
+ manpage_roles = set()
p = Pool()
+ async_results = []
for domain in test_domains:
- p.apply_async(manpage_work, [domain, path, args.root, args.source_files, args.web])
+ async_results.append(p.apply_async(manpage_work, [domain, path, args.root, args.source_files, args.web]))
+ for result in async_results:
+ domains, roles = result.get()
+ manpage_domains.update(domains)
+ manpage_roles.update(roles)
+
p.close()
p.join()
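Review bot: `result.get()` re-raises any exception thrown inside `manpage_work`, so after this change one domain that fails to generate aborts the whole `sepolicy manpage` run, whereas the previous fire-and-forget `apply_async` silently dropped such failures; that is arguably the better behaviour, but it is a visible change and deserves a line in the commit message (or a try/except around `get()` that logs the domain and continues). Calling `get()` on each result before `p.close()`/`p.join()` is fine, the loop simply waits for the workers in submission order.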
diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
index 3e61e333193f..de72cb6cda5f 100755
--- a/python/sepolicy/sepolicy/manpage.py
+++ b/python/sepolicy/sepolicy/manpage.py
@@ -21,7 +21,7 @@
# 02111-1307 USA
#
#
-__all__ = ['ManPage', 'HTMLManPages', 'manpage_domains', 'manpage_roles', 'gen_domains']
+__all__ = ['ManPage', 'HTMLManPages', 'gen_domains']
import string
import selinux
@@ -147,10 +147,6 @@ def _gen_types():
def prettyprint(f, trim):
return " ".join(f[:-len(trim)].split("_"))
-# for HTML man pages
-manpage_domains = []
-manpage_roles = []
-
fedora_releases = ["Fedora17", "Fedora18"]
rhel_releases = ["RHEL6", "RHEL7"]
@@ -408,6 +404,8 @@ class ManPage:
"""
modules_dict = None
enabled_str = ["Disabled", "Enabled"]
+ manpage_domains = []
+ manpage_roles = []
def __init__(self, domainname, path="/tmp", root="/", source_files=False, html=False):
self.html = html
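Review bot: `manpage_domains = []` and `manpage_roles = []` as class attributes are mutable lists shared by every `ManPage` instance in a process, and the `self.manpage_roles.append(...)` calls in the next hunk mutate that shared list; a Pool worker that handles several domains therefore returns the accumulated paths of every earlier domain it processed, not just its own. The caller merges the results into sets so the output stays correct, but initialising these as instance attributes in `__init__` avoids the pitfall and makes the return value of `manpage_work` mean what it says.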
@@ -453,10 +451,10 @@ class ManPage:
if self.domainname + "_r" in self.all_roles:
self.__gen_user_man_page()
if self.html:
- manpage_roles.append(self.man_page_path)
+ self.manpage_roles.append(self.man_page_path)
else:
if self.html:
- manpage_domains.append(self.man_page_path)
+ self.manpage_domains.append(self.man_page_path)
self.__gen_man_page()
self.fd.close()
--
2.38.1


@ -0,0 +1,57 @@
From fe825bf76f7a6727a3654c96e7bc55ddc7069b76 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <lautrbach@redhat.com>
Date: Fri, 18 Nov 2022 13:51:53 +0100
Subject: [PATCH] python/sepolicy: Use distro module to get os version
Content-type: text/plain
distro module uses /etc/os-release file which contains operating system
identification data, see os-release(5). Given that the mechanism doesn't
use `rpm` it should be possible to generate man pages on other
distributions.
Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>
---
python/sepolicy/sepolicy/__init__.py | 25 ++++++-------------------
1 file changed, 6 insertions(+), 19 deletions(-)
diff --git a/python/sepolicy/sepolicy/__init__.py b/python/sepolicy/sepolicy/__init__.py
index 9c3caa05b80b..baa4c8e62e97 100644
--- a/python/sepolicy/sepolicy/__init__.py
+++ b/python/sepolicy/sepolicy/__init__.py
@@ -1226,27 +1226,14 @@ def boolean_desc(boolean):
def get_os_version():
- os_version = ""
- pkg_name = "selinux-policy"
+ system_release = ""
try:
- try:
- from commands import getstatusoutput
- except ImportError:
- from subprocess import getstatusoutput
- rc, output = getstatusoutput("rpm -q '%s'" % pkg_name)
- if rc == 0:
- os_version = output.split(".")[-2]
- except:
- os_version = ""
-
- if os_version[0:2] == "fc":
- os_version = "Fedora" + os_version[2:]
- elif os_version[0:2] == "el":
- os_version = "RHEL" + os_version[2:]
- else:
- os_version = ""
+ import distro
+ system_release = distro.name(pretty=True)
+ except IOError:
+ system_release = "Misc"
- return os_version
+ return system_release
def reinit():
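Review bot: `except IOError` does not cover the failure this try block is most likely to hit: if the `distro` module is not installed, `import distro` raises `ImportError`, which propagates out of `get_os_version()` instead of falling back to "Misc"; catch `ImportError` as well (or import `distro` at module level so the dependency fails loudly at import time). `distro.name(pretty=True)` is the right call for the os-release PRETTY_NAME, but it returns an empty string when no release data is found, so callers that previously relied on `""` still get the same value in that case.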
--
2.38.1


@ -1,70 +1,31 @@
From b180f7679c5e09535416f47d48afd0c0738f5fa9 Mon Sep 17 00:00:00 2001 From 1fad73e62fdda5290e3939464df09796fca6871d Mon Sep 17 00:00:00 2001
From: Miroslav Grepl <mgrepl@redhat.com> From: Petr Lautrbach <lautrbach@redhat.com>
Date: Thu, 19 Feb 2015 17:45:15 +0100 Date: Fri, 18 Nov 2022 13:51:55 +0100
Subject: [PATCH] Simplication of sepolicy-manpage web functionality. Subject: [PATCH] python/sepolicy: Simplify generation of man pages
system_release is no longer hardcoded and it creates only index.html and html
man pages in the directory for the system release.
Content-type: text/plain Content-type: text/plain
--- And do not hardcode Fedora and RHEL versions.
python/sepolicy/sepolicy/__init__.py | 25 +++--------
python/sepolicy/sepolicy/manpage.py | 65 +++------------------------- Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>
2 files changed, 13 insertions(+), 77 deletions(-) ---
python/sepolicy/sepolicy/manpage.py | 71 ++++-------------------------
1 file changed, 8 insertions(+), 63 deletions(-)
diff --git a/python/sepolicy/sepolicy/__init__.py b/python/sepolicy/sepolicy/__init__.py
index 203ca25f4210..9447812b7450 100644
--- a/python/sepolicy/sepolicy/__init__.py
+++ b/python/sepolicy/sepolicy/__init__.py
@@ -1225,27 +1225,14 @@ def boolean_desc(boolean):
def get_os_version():
- os_version = ""
- pkg_name = "selinux-policy"
+ system_release = ""
try:
- try:
- from commands import getstatusoutput
- except ImportError:
- from subprocess import getstatusoutput
- rc, output = getstatusoutput("rpm -q '%s'" % pkg_name)
- if rc == 0:
- os_version = output.split(".")[-2]
- except:
- os_version = ""
-
- if os_version[0:2] == "fc":
- os_version = "Fedora" + os_version[2:]
- elif os_version[0:2] == "el":
- os_version = "RHEL" + os_version[2:]
- else:
- os_version = ""
+ with open('/etc/system-release') as f:
+ system_release = f.readline()
+ except IOError:
+ system_release = "Misc"
- return os_version
+ return system_release
def reinit():
diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
index ec8aa1cb94a2..c632d05dbb1b 100755 index de72cb6cda5f..edeb3b77e759 100755
--- a/python/sepolicy/sepolicy/manpage.py --- a/python/sepolicy/sepolicy/manpage.py
+++ b/python/sepolicy/sepolicy/manpage.py +++ b/python/sepolicy/sepolicy/manpage.py
@@ -151,10 +151,6 @@ def prettyprint(f, trim): @@ -147,9 +147,6 @@ def _gen_types():
manpage_domains = [] def prettyprint(f, trim):
manpage_roles = [] return " ".join(f[:-len(trim)].split("_"))
-fedora_releases = ["Fedora17", "Fedora18"] -fedora_releases = ["Fedora17", "Fedora18"]
-rhel_releases = ["RHEL6", "RHEL7"] -rhel_releases = ["RHEL6", "RHEL7"]
- -
-
def get_alphabet_manpages(manpage_list): def get_alphabet_manpages(manpage_list):
alphabet_manpages = dict.fromkeys(string.ascii_letters, []) alphabet_manpages = dict.fromkeys(string.ascii_letters, [])
for i in string.ascii_letters: @@ -180,7 +177,7 @@ def convert_manpage_to_html(html_manpage, manpage):
@@ -184,7 +180,7 @@ def convert_manpage_to_html(html_manpage, manpage):
class HTMLManPages: class HTMLManPages:
""" """
@ -73,19 +34,20 @@ index ec8aa1cb94a2..c632d05dbb1b 100755
""" """
def __init__(self, manpage_roles, manpage_domains, path, os_version): def __init__(self, manpage_roles, manpage_domains, path, os_version):
@@ -192,9 +188,9 @@ class HTMLManPages: @@ -188,18 +185,12 @@ class HTMLManPages:
self.manpage_domains = get_alphabet_manpages(manpage_domains) self.manpage_domains = get_alphabet_manpages(manpage_domains)
self.os_version = os_version self.os_version = os_version
self.old_path = path + "/" self.old_path = path + "/"
- self.new_path = self.old_path + self.os_version + "/" - self.new_path = self.old_path + self.os_version + "/"
+ self.new_path = self.old_path -
- if self.os_version in fedora_releases or self.os_version in rhel_releases: - if self.os_version in fedora_releases or self.os_version in rhel_releases:
+ if self.os_version: - self.__gen_html_manpages()
self.__gen_html_manpages() - else:
else: - print("SELinux HTML man pages can not be generated for this %s" % os_version)
print("SELinux HTML man pages can not be generated for this %s" % os_version) - exit(1)
@@ -203,7 +199,6 @@ class HTMLManPages: + self.new_path = self.old_path
+ self.__gen_html_manpages()
def __gen_html_manpages(self): def __gen_html_manpages(self):
self._write_html_manpage() self._write_html_manpage()
self._gen_index() self._gen_index()
@ -93,7 +55,7 @@ index ec8aa1cb94a2..c632d05dbb1b 100755
self._gen_css() self._gen_css()
def _write_html_manpage(self): def _write_html_manpage(self):
@@ -221,67 +216,21 @@ class HTMLManPages: @@ -217,67 +208,21 @@ class HTMLManPages:
convert_manpage_to_html((self.new_path + r.rsplit("_selinux", 1)[0] + ".html"), self.old_path + r) convert_manpage_to_html((self.new_path + r.rsplit("_selinux", 1)[0] + ".html"), self.old_path + r)
def _gen_index(self): def _gen_index(self):
@ -143,7 +105,8 @@ index ec8aa1cb94a2..c632d05dbb1b 100755
- print("%s has been created" % index) - print("%s has been created" % index)
- -
- def _gen_body(self): - def _gen_body(self):
html = self.new_path + self.os_version + ".html" - html = self.new_path + self.os_version + ".html"
+ html = self.new_path + "index.html"
fd = open(html, 'w') fd = open(html, 'w')
fd.write(""" fd.write("""
<html> <html>
@ -151,7 +114,7 @@ index ec8aa1cb94a2..c632d05dbb1b 100755
- <link rel=stylesheet type="text/css" href="../style.css" title="style"> - <link rel=stylesheet type="text/css" href="../style.css" title="style">
- <title>Linux man-pages online for Fedora18</title> - <title>Linux man-pages online for Fedora18</title>
+ <link rel=stylesheet type="text/css" href="style.css" title="style"> + <link rel=stylesheet type="text/css" href="style.css" title="style">
+ <title>SELinux man pages online</title> + <title>SELinux man pages</title>
</head> </head>
<body> <body>
-<h1>SELinux man pages for Fedora18</h1> -<h1>SELinux man pages for Fedora18</h1>
@ -166,5 +129,5 @@ index ec8aa1cb94a2..c632d05dbb1b 100755
if len(self.manpage_roles[letter]): if len(self.manpage_roles[letter]):
fd.write(""" fd.write("""
-- --
2.35.1 2.38.1


@ -0,0 +1,160 @@
From 3fb03f54d0dad5119cdd3e1d2b13370b8296040b Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <lautrbach@redhat.com>
Date: Mon, 21 Nov 2022 11:39:32 +0100
Subject: [PATCH] Fix E275 missing whitespace after keyword
Content-type: text/plain
Fixes:
./gui/polgengui.py:484:18: E275 missing whitespace after keyword
./gui/polgengui.py:530:18: E275 missing whitespace after keyword
./python/sepolgen/src/sepolgen/policygen.py:327:19: E275 missing whitespace after keyword
./python/sepolgen/src/sepolgen/policygen.py:329:11: E275 missing whitespace after keyword
./python/sepolicy/sepolicy/__init__.py:453:15: E275 missing whitespace after keyword
./python/sepolicy/sepolicy/generate.py:1351:28: E275 missing whitespace after keyword
./python/sepolicy/sepolicy/generate.py:1353:28: E275 missing whitespace after keyword
./python/sepolicy/sepolicy/gui.py:638:24: E275 missing whitespace after keyword
./python/sepolicy/sepolicy/gui.py:863:23: E275 missing whitespace after keyword
./python/sepolicy/sepolicy/gui.py:2177:16: E275 missing whitespace after keyword
./sandbox/sandbox:114:7: E275 missing whitespace after keyword
./sandbox/sandbox:134:11: E275 missing whitespace after keyword
./sandbox/sandbox:136:7: E275 missing whitespace after keyword
Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>
---
gui/polgengui.py | 4 ++--
python/sepolgen/src/sepolgen/policygen.py | 4 ++--
python/sepolicy/sepolicy/__init__.py | 4 ++--
python/sepolicy/sepolicy/generate.py | 4 ++--
python/sepolicy/sepolicy/gui.py | 6 +++---
sandbox/sandbox | 6 +++---
6 files changed, 14 insertions(+), 14 deletions(-)
diff --git a/gui/polgengui.py b/gui/polgengui.py
index 7a3ecd50c91c..16116ba68b61 100644
--- a/gui/polgengui.py
+++ b/gui/polgengui.py
@@ -481,7 +481,7 @@ class childWindow:
my_policy = sepolicy.generate.policy(self.get_name(), self.get_type())
iter = self.boolean_store.get_iter_first()
- while(iter):
+ while iter:
my_policy.add_boolean(self.boolean_store.get_value(iter, 0), self.boolean_store.get_value(iter, 1))
iter = self.boolean_store.iter_next(iter)
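Review bot: the loop variable `iter` in this hunk shadows Python's built-in `iter()` for the rest of the method; the `while iter:` whitespace fix is correct, but a follow-up rename (for example `row_iter`) would stop masking the builtin. Same point applies to the second `while iter:` hunk in this file.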
@@ -527,7 +527,7 @@ class childWindow:
my_policy.set_out_udp(self.out_udp_all_checkbutton.get_active(), self.out_udp_entry.get_text())
iter = self.store.get_iter_first()
- while(iter):
+ while iter:
if self.store.get_value(iter, 1) == FILE:
my_policy.add_file(self.store.get_value(iter, 0))
else:
diff --git a/python/sepolgen/src/sepolgen/policygen.py b/python/sepolgen/src/sepolgen/policygen.py
index 8f0ce26e4dc7..183b41a93d50 100644
--- a/python/sepolgen/src/sepolgen/policygen.py
+++ b/python/sepolgen/src/sepolgen/policygen.py
@@ -324,9 +324,9 @@ def call_interface(interface, av):
ifcall.args.append(av.obj_class)
else:
print(params[i].type)
- assert(0)
+ assert 0
- assert(len(ifcall.args) > 0)
+ assert len(ifcall.args) > 0
return ifcall
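Review bot: `assert 0` after `print(params[i].type)` uses an assertion as the error path for an unexpected interface parameter type, and `assert len(ifcall.args) > 0` guards the return the same way; both are removed when Python runs with `-O`, so in that mode this branch falls through and `call_interface` returns a partially built `ifcall`. The whitespace change is fine, but consider `raise ValueError("unexpected interface parameter type: %s" % params[i].type)` and `if not ifcall.args: raise ValueError("interface call has no arguments")` so policy generation fails loudly regardless of optimization flags.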
diff --git a/python/sepolicy/sepolicy/__init__.py b/python/sepolicy/sepolicy/__init__.py
index baa4c8e62e97..68907a4f9759 100644
--- a/python/sepolicy/sepolicy/__init__.py
+++ b/python/sepolicy/sepolicy/__init__.py
@@ -450,9 +450,9 @@ def get_conditionals(src, dest, tclass, perm):
tlist.append(tdict)
tdict = {}
except KeyError:
- return(tlist)
+ return tlist
- return (tlist)
+ return tlist
def get_conditionals_format_text(cond):
diff --git a/python/sepolicy/sepolicy/generate.py b/python/sepolicy/sepolicy/generate.py
index eff3a8973917..36a3ea1196b1 100644
--- a/python/sepolicy/sepolicy/generate.py
+++ b/python/sepolicy/sepolicy/generate.py
@@ -1348,9 +1348,9 @@ allow %s_t %s_t:%s_socket name_%s;
if len(temp_dirs) != 0:
for i in temp_dirs:
if i in self.dirs.keys():
- del(self.dirs[i])
+ del self.dirs[i]
elif i in self.files.keys():
- del(self.files[i])
+ del self.files[i]
else:
continue
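Review bot: the membership tests around the changed lines, `if i in self.dirs.keys():` and `elif i in self.files.keys():`, can be written `if i in self.dirs:` / `elif i in self.files:`, and the trailing `else: continue` is a no-op at the end of the loop body. Style only, no behaviour change.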
diff --git a/python/sepolicy/sepolicy/gui.py b/python/sepolicy/sepolicy/gui.py
index 335be582b668..c8f33f522a2d 100644
--- a/python/sepolicy/sepolicy/gui.py
+++ b/python/sepolicy/sepolicy/gui.py
@@ -635,7 +635,7 @@ class SELinuxGui():
for k in self.cur_dict:
for j in self.cur_dict[k]:
if i == ctr:
- del(self.cur_dict[k][j])
+ del self.cur_dict[k][j]
return
i += 1
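Review bot: `del self.cur_dict[k][j]` removes an entry from the dict that the enclosing `for j in self.cur_dict[k]` loop is iterating over; this is only safe because of the `return` on the very next line. A short comment there would keep a later edit that drops the early return from turning this into a "dictionary changed size during iteration" RuntimeError.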
@@ -860,7 +860,7 @@ class SELinuxGui():
if val is True or val is False or val is None:
continue
# Returns true if filter_txt exists within the val
- if(val.find(self.filter_txt) != -1 or val.lower().find(self.filter_txt) != -1):
+ if val.find(self.filter_txt) != -1 or val.lower().find(self.filter_txt) != -1:
return True
except (AttributeError, TypeError):
pass
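Review bot: `val.find(self.filter_txt) != -1 or val.lower().find(self.filter_txt) != -1` reads more clearly as `self.filter_txt in val or self.filter_txt in val.lower()`, which also matches the comment above it ("Returns true if filter_txt exists within the val"). Style only.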
@@ -2174,7 +2174,7 @@ class SELinuxGui():
model.set_value(iter, 0, not model.get_value(iter, 0))
active = model.get_value(iter, 0)
if name in self.cur_dict["boolean"]:
- del(self.cur_dict["boolean"][name])
+ del self.cur_dict["boolean"][name]
else:
self.cur_dict["boolean"][name] = {"active": active}
self.new_updates()
diff --git a/sandbox/sandbox b/sandbox/sandbox
index df3af9260c7f..a32a33ea3cf6 100644
--- a/sandbox/sandbox
+++ b/sandbox/sandbox
@@ -111,7 +111,7 @@ def copyfile(file, srcdir, dest):
def savefile(new, orig, X_ind):
copy = False
- if(X_ind):
+ if X_ind:
import gi
gi.require_version('Gtk', '3.0')
from gi.repository import Gtk
@@ -131,9 +131,9 @@ def savefile(new, orig, X_ind):
except NameError:
pass
ans = input(_("Do you want to save changes to '%s' (y/N): ") % orig)
- if(re.match(_("[yY]"), ans)):
+ if re.match(_("[yY]"), ans):
copy = True
- if(copy):
+ if copy:
shutil.copy2(new, orig)
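Review bot: `re.match(_("[yY]"), ans)` compiles a gettext-translated string as a regular expression, so a translation of "[yY]" that is not a valid pattern raises `re.error` at this prompt, and an overly broad one would treat any answer as consent to overwrite `orig` via `shutil.copy2`. The whitespace fix is correct; consider checking the translated affirmative letters with `ans[:1] in _("yY")` instead of treating the catalog string as a pattern.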
--
2.38.1


@ -1,7 +1,7 @@
%global libauditver 3.0 %global libauditver 3.0
%global libsepolver 3.4-1 %global libsepolver 3.4-4
%global libsemanagever 3.4-1 %global libsemanagever 3.4-6
%global libselinuxver 3.4-1 %global libselinuxver 3.4-6
%global generatorsdir %{_prefix}/lib/systemd/system-generators %global generatorsdir %{_prefix}/lib/systemd/system-generators
@ -11,7 +11,7 @@
Summary: SELinux policy core utilities Summary: SELinux policy core utilities
Name: policycoreutils Name: policycoreutils
Version: 3.4 Version: 3.4
Release: 6%{?dist} Release: 7%{?dist}
License: GPL-2.0-or-later License: GPL-2.0-or-later
# https://github.com/SELinuxProject/selinux/wiki/Releases # https://github.com/SELinuxProject/selinux/wiki/Releases
Source0: https://github.com/SELinuxProject/selinux/releases/download/3.4/selinux-3.4.tar.gz Source0: https://github.com/SELinuxProject/selinux/releases/download/3.4/selinux-3.4.tar.gz
@ -31,20 +31,33 @@ Source23: sandbox-po.tgz
# $ git format-patch -N 3.4 -- policycoreutils python gui sandbox dbus semodule-utils restorecond # $ git format-patch -N 3.4 -- policycoreutils python gui sandbox dbus semodule-utils restorecond
# $ for j in [0-9]*.patch; do printf "Patch%s: %s\n" ${j/-*/} $j; done # $ for j in [0-9]*.patch; do printf "Patch%s: %s\n" ${j/-*/} $j; done
# Patch list start # Patch list start
Patch0001: 0001-sandbox-add-reset-to-Xephyr-as-it-works-better-with-.patch Patch0001: 0001-libselinux-declare-return-value-of-context_str-3-con.patch
Patch0002: 0002-Fix-STANDARD_FILE_CONTEXT-section-in-man-pages.patch Patch0002: 0002-semodule-avoid-toctou-on-output-module.patch
Patch0003: 0003-If-there-is-no-executable-we-don-t-want-to-print-a-p.patch Patch0003: 0003-python-Split-semanage-import-into-two-transactions.patch
Patch0004: 0004-Simplication-of-sepolicy-manpage-web-functionality.-.patch Patch0004: 0004-python-audit2allow-close-file-stream-on-error.patch
Patch0005: 0005-We-want-to-remove-the-trailing-newline-for-etc-syste.patch Patch0005: 0005-gettext-handle-unsupported-languages-properly.patch
Patch0006: 0006-Fix-title-in-manpage.py-to-not-contain-online.patch Patch0006: 0006-semodule-rename-rebuild-if-modules-changed-to-refres.patch
Patch0007: 0007-Don-t-be-verbose-if-you-are-not-on-a-tty.patch Patch0007: 0007-python-remove-IOError-in-certain-cases.patch
Patch0008: 0008-sepolicy-generate-Handle-more-reserved-port-types.patch Patch0008: 0008-restorecond-use-strict-function-prototype-for-defini.patch
Patch0009: 0009-sandbox-Use-matchbox-window-manager-instead-of-openb.patch Patch0009: 0009-Ignore-egg-info-directories-and-clean-them.patch
Patch0010: 0010-Use-SHA-2-instead-of-SHA-1.patch # Patch0010: 0010-Update-translations.patch
Patch0011: 0011-sepolicy-Drop-old-interface-file_type_is_executable-.patch Patch0011: 0011-docs-provide-a-top-level-LICENSE-file.patch
Patch0012: 0012-gettext-handle-unsupported-languages-properly.patch Patch0012: 0012-gui-Fix-export-file-chooser-dialog.patch
Patch0013: 0013-semodule-rename-rebuild-if-modules-changed-to-refres.patch Patch0013: 0013-python-Do-not-query-the-local-database-if-the-fconte.patch
Patch0014: 0014-python-Split-semanage-import-into-two-transactions.patch Patch0014: 0014-sandbox-Do-not-try-to-remove-tmpdir-twice-if-uid-0.patch
Patch0015: 0015-sandbox-Use-temporary-directory-for-XDG_RUNTIME_DIR.patch
Patch0016: 0016-python-Remove-dependency-on-the-Python-module-distut.patch
Patch0017: 0017-python-Harden-tools-against-rogue-modules.patch
Patch0018: 0018-sandbox-add-reset-to-Xephyr-as-it-works-better-with-.patch
Patch0019: 0019-Don-t-be-verbose-if-you-are-not-on-a-tty.patch
Patch0020: 0020-sepolicy-generate-Handle-more-reserved-port-types.patch
Patch0021: 0021-sandbox-Use-matchbox-window-manager-instead-of-openb.patch
Patch0022: 0022-Use-SHA-2-instead-of-SHA-1.patch
Patch0023: 0023-python-Fix-typo-in-audit2allow.1-example.patch
Patch0024: 0024-python-sepolicy-Fix-sepolicy-manpage-w.patch
Patch0025: 0025-python-sepolicy-Use-distro-module-to-get-os-version.patch
Patch0026: 0026-python-sepolicy-Simplify-generation-of-man-pages.patch
Patch0027: 0027-Fix-E275-missing-whitespace-after-keyword.patch
# Patch list end # Patch list end
Obsoletes: policycoreutils < 2.0.61-2 Obsoletes: policycoreutils < 2.0.61-2
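Review bot: `# Patch0010: 0010-Update-translations.patch` is commented out with no note on why it is skipped; a one-line comment beside it would keep the next maintainer from re-enabling it by mistake. Since the list is regenerated by the `git format-patch -N 3.4` command quoted above, the renumbering of the carried patches (for example `0001-sandbox-add-reset-to-Xephyr-...` becoming `Patch0018`) is expected and needs no further comment.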
@ -57,7 +70,7 @@ Provides: /sbin/restorecon
BuildRequires: gcc make BuildRequires: gcc make
BuildRequires: pam-devel libsepol-static >= %{libsepolver} libsemanage-devel >= %{libsemanagever} libselinux-devel >= %{libselinuxver} libcap-devel audit-libs-devel >= %{libauditver} gettext BuildRequires: pam-devel libsepol-static >= %{libsepolver} libsemanage-devel >= %{libsemanagever} libselinux-devel >= %{libselinuxver} libcap-devel audit-libs-devel >= %{libauditver} gettext
BuildRequires: desktop-file-utils dbus-devel dbus-glib-devel BuildRequires: desktop-file-utils dbus-devel dbus-glib-devel
BuildRequires: python3-devel BuildRequires: python3-devel python3-setuptools
BuildRequires: systemd BuildRequires: systemd
BuildRequires: git-core BuildRequires: git-core
Requires: util-linux grep gawk diffutils rpm sed Requires: util-linux grep gawk diffutils rpm sed
@ -432,7 +445,7 @@ system-config-selinux is a utility for managing the SELinux environment
%dir %{_datadir}/bash-completion %dir %{_datadir}/bash-completion
%{_datadir}/bash-completion/completions/setsebool %{_datadir}/bash-completion/completions/setsebool
%{!?_licensedir:%global license %%doc} %{!?_licensedir:%global license %%doc}
%license policycoreutils/COPYING %license policycoreutils/LICENSE
%doc %{_usr}/share/doc/%{name} %doc %{_usr}/share/doc/%{name}
%package restorecond %package restorecond
@ -454,7 +467,7 @@ The policycoreutils-restorecond package contains the restorecond service.
%{_mandir}/ru/man8/restorecond.8* %{_mandir}/ru/man8/restorecond.8*
%{!?_licensedir:%global license %%doc} %{!?_licensedir:%global license %%doc}
%license policycoreutils/COPYING %license policycoreutils/LICENSE
%post %post
%systemd_post selinux-autorelabel-mark.service %systemd_post selinux-autorelabel-mark.service
@ -472,6 +485,12 @@ The policycoreutils-restorecond package contains the restorecond service.
%systemd_postun_with_restart restorecond.service %systemd_postun_with_restart restorecond.service
%changelog %changelog
* Mon Nov 21 2022 Petr Lautrbach <lautrbach@redhat.com> - 3.4-7
- Rebase on upstream f56a72ac9e86
- sepolicy: fix sepolicy manpage -w
- sandbox: add -R option to alternate XDG_RUNTIME_DIR
- Remove dependency on the Python module distutils
* Tue Aug 2 2022 Petr Lautrbach <plautrba@redhat.com> - 3.4-6 * Tue Aug 2 2022 Petr Lautrbach <plautrba@redhat.com> - 3.4-6
- Run autorelabel in parallel by default - Run autorelabel in parallel by default
https://fedoraproject.org/wiki/Changes/SELinux_Parallel_Autorelabel https://fedoraproject.org/wiki/Changes/SELinux_Parallel_Autorelabel
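Review bot: the 3.4-7 changelog entry lists four items, but the rebase also pulls in `0002-semodule-avoid-toctou-on-output-module.patch` and `0017-python-Harden-tools-against-rogue-modules.patch`; both are security-relevant fixes that someone reading `rpm -q --changelog policycoreutils` would want to see, so add a line for each.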