From 6456a752dae61e2c94d5062271bda3ce9e98775d Mon Sep 17 00:00:00 2001
From: Petr Lautrbach
Date: Fri, 14 Sep 2018 21:54:29 +0200
Subject: [PATCH] policycoreutils-2.8-9

- semanage: Stop rejecting aliases in semanage commands
- sepolicy: Stop rejecting aliases in sepolicy commands
- sepolicy: Fix "info" to search aliases as well
- setfiles: Improve description of -d switch
---
policycoreutils-fedora.patch | 13 +++
policycoreutils.spec | 8 +-
selinux-python-fedora.patch | 192 ++++++++++++++++++++++++++++++++++-
3 files changed, 208 insertions(+), 5 deletions(-)
diff --git a/policycoreutils-fedora.patch b/policycoreutils-fedora.patch
index 1c82fb2..d7d40a5 100644
--- a/policycoreutils-fedora.patch
+++ b/policycoreutils-fedora.patch
@@ -137,3 +137,16 @@ index b277958..53d28c7 100755
 FORCEFLAG=""
 RPMFILES=""
 PREFC=""
+diff --git policycoreutils-2.8/setfiles/setfiles.8 policycoreutils-2.8/setfiles/setfiles.8
+index ccaaf4d..a8a76c8 100644
+--- policycoreutils-2.8/setfiles/setfiles.8
++++ policycoreutils-2.8/setfiles/setfiles.8
+@@ -57,7 +57,7 @@ check the validity of the contexts against the specified binary policy.
+ .TP
+ .B \-d
+ show what specification matched each file (do not abort validation
+-after ABORT_ON_ERRORS errors).
++after ABORT_ON_ERRORS errors). Not affected by "\-q"
+ .TP
+ .BI \-e \ directory
+ directory to exclude (repeat option for more than one directory).
diff --git a/policycoreutils.spec b/policycoreutils.spec
index 1c37f8f..f7c8d0f 100644
--- a/policycoreutils.spec
+++ b/policycoreutils.spec
@@ -12,7 +12,7 @@ Summary: SELinux policy core utilities
 Name: policycoreutils
 Version: 2.8
-Release: 8%{?dist}
+Release: 9%{?dist}
 License: GPLv2
 # https://github.com/SELinuxProject/selinux/wiki/Releases
 Source0: https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20180524/policycoreutils-2.8.tar.gz
@@ -531,6 +531,12 @@ The policycoreutils-restorecond package contains the restorecond service.
 %systemd_postun_with_restart restorecond.service
 %changelog
+* Fri Sep 14 2018 Petr Lautrbach - 2.8-9
+- semanage: Stop rejecting aliases in semanage commands
+- sepolicy: Stop rejecting aliases in sepolicy commands
+- sepolicy: Fix "info" to search aliases as well
+- setfiles: Improve description of -d switch
+
 * Wed Sep 12 2018 Petr Lautrbach - 2.8-8
 - Update translations
diff --git a/selinux-python-fedora.patch b/selinux-python-fedora.patch
index f3dc3d6..b246688 100644
--- a/selinux-python-fedora.patch
+++ b/selinux-python-fedora.patch
@@ -222,7 +222,7 @@ index 0bdb90f..0cdcfcc 100644
 user identities to authorized role sets. In most cases, only the former mapping needs to be adjusted by the administrator; the latter
 diff --git selinux-python-2.8/semanage/seobject.py selinux-python-2.8/semanage/seobject.py
-index c76dce8..27e859e 100644
+index c76dce8..26f3376 100644
 --- selinux-python-2.8/semanage/seobject.py
 +++ selinux-python-2.8/semanage/seobject.py
 @@ -30,7 +30,7 @@ import sys
@@ -309,6 +309,104 @@ index c76dce8..27e859e 100644
 raise error
 def get_all_logins(self):
+@@ -1087,7 +1081,7 @@ class portRecords(semanageRecords):
+ if type == "":
+ raise ValueError(_("Type is required"))
+ 
+- if type not in self.valid_types:
++ if sepolicy.get_real_type_name(type) not in self.valid_types:
+ raise ValueError(_("Type %s is invalid, must be a port type") % type)
+ 
+ (k, proto_d, low, high) = self.__genkey(port, proto)
+@@ -1151,7 +1145,7 @@ class portRecords(semanageRecords):
+ else:
+ raise ValueError(_("Requires setype"))
+ 
+- if setype and setype not in self.valid_types:
++ if setype and sepolicy.get_real_type_name(setype) not in self.valid_types:
+ raise ValueError(_("Type %s is invalid, must be a port type") % setype)
+ 
+ (k, proto_d, low, high) = self.__genkey(port, proto)
+@@ -1355,7 +1349,7 @@ class ibpkeyRecords(semanageRecords):
+ if type == "":
+ raise ValueError(_("Type is required"))
+ 
+- if type not in self.valid_types:
++ if sepolicy.get_real_type_name(type) not in self.valid_types:
+ raise ValueError(_("Type %s is invalid, must be a ibpkey type") % type)
+ 
+ (k, subnet_prefix, low, high) = self.__genkey(pkey, subnet_prefix)
+@@ -1417,7 +1411,7 @@ class ibpkeyRecords(semanageRecords):
+ else:
+ raise ValueError(_("Requires setype"))
+ 
+- if setype and setype not in self.valid_types:
++ if setype and sepolicy.get_real_type_name(setype) not in self.valid_types:
+ raise ValueError(_("Type %s is invalid, must be a ibpkey type") % setype)
+ 
+ (k, subnet_prefix, low, high) = self.__genkey(pkey, subnet_prefix)
+@@ -1603,7 +1597,7 @@ class ibendportRecords(semanageRecords):
+ if type == "":
+ raise ValueError(_("Type is required"))
+ 
+- if type not in self.valid_types:
++ if sepolicy.get_real_type_name(type) not in self.valid_types:
+ raise ValueError(_("Type %s is invalid, must be an ibendport type") % type)
+ (k, ibendport, port) = self.__genkey(ibendport, ibdev_name)
+ 
+@@ -1664,7 +1658,7 @@ class ibendportRecords(semanageRecords):
+ 
else:
+ raise ValueError(_("Requires setype"))
+ 
+- if setype and setype not in self.valid_types:
++ if setype and sepolicy.get_real_type_name(setype) not in self.valid_types:
+ raise ValueError(_("Type %s is invalid, must be an ibendport type") % setype)
+ 
+ (k, ibdev_name, port) = self.__genkey(ibendport, ibdev_name)
+@@ -1853,7 +1847,7 @@ class nodeRecords(semanageRecords):
+ if ctype == "":
+ raise ValueError(_("SELinux node type is required"))
+ 
+- if ctype not in self.valid_types:
++ if sepolicy.get_real_type_name(ctype) not in self.valid_types:
+ raise ValueError(_("Type %s is invalid, must be a node type") % ctype)
+ 
+ (rc, k) = semanage_node_key_create(self.sh, addr, mask, proto)
+@@ -1922,7 +1916,7 @@ class nodeRecords(semanageRecords):
+ if serange == "" and setype == "":
+ raise ValueError(_("Requires setype or serange"))
+ 
+- if setype and setype not in self.valid_types:
++ if setype and sepolicy.get_real_type_name(setype) not in self.valid_types:
+ raise ValueError(_("Type %s is invalid, must be a node type") % setype)
+ 
+ (rc, k) = semanage_node_key_create(self.sh, addr, mask, proto)
+@@ -2241,7 +2235,6 @@ class fcontextRecords(semanageRecords):
+ try:
+ valid_types = list(list(sepolicy.info(sepolicy.ATTRIBUTE, "file_type"))[0]["types"])
+ valid_types += list(list(sepolicy.info(sepolicy.ATTRIBUTE, "device_node"))[0]["types"])
+- valid_types.append("<>")
+ except RuntimeError:
+ valid_types = []
+ 
+@@ -2369,7 +2362,7 @@ class fcontextRecords(semanageRecords):
+ if type == "":
+ raise ValueError(_("SELinux Type is required"))
+ 
+- if type not in self.valid_types:
++ if type != "<>" and sepolicy.get_real_type_name(type) not in self.valid_types:
+ raise ValueError(_("Type %s is invalid, must be a file or device type") % type)
+ 
+ (rc, k) = semanage_fcontext_key_create(self.sh, target, file_types[ftype])
+@@ -2432,7 +2425,7 @@ class fcontextRecords(semanageRecords):
+ def __modify(self, target, setype, ftype, serange, seuser):
+ if serange == "" and 
setype == "" and seuser == "":
+ raise ValueError(_("Requires setype, serange or seuser"))
+- if setype and setype not in self.valid_types:
++ if setype not in ["", "<>"] and sepolicy.get_real_type_name(setype) not in self.valid_types:
+ raise ValueError(_("Type %s is invalid, must be a file or device type") % setype)
+ 
+ self.validate(target)
 diff --git selinux-python-2.8/sepolgen/src/sepolgen/access.py selinux-python-2.8/sepolgen/src/sepolgen/access.py
 index a5d8698..ba80f93 100644
 --- selinux-python-2.8/sepolgen/src/sepolgen/access.py
@@ -1353,7 +1451,7 @@ index 16e6680..64c48df 100644
 def test_init(self):
 a = refpolicy.TypeRule()
 diff --git selinux-python-2.8/sepolicy/sepolicy.py selinux-python-2.8/sepolicy/sepolicy.py
-index 141f64e..580972c 100755
+index 141f64e..6287502 100755
 --- selinux-python-2.8/sepolicy/sepolicy.py
 +++ selinux-python-2.8/sepolicy/sepolicy.py
 @@ -27,7 +27,7 @@ import selinux
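Review bot: The new checks in this hunk (`if sepolicy.get_real_type_name(type) not in self.valid_types:` and the matching `setype` variants in portRecords, ibpkeyRecords, ibendportRecords, nodeRecords and fcontextRecords) assume the helper returns something outside `valid_types` for an unknown name, but as added in the `sepolicy/__init__.py` hunk further down it does `next(info(TYPE, name))["name"]` and catches only RuntimeError; when neither the type query nor the alias fallback yields a result, `next()` on the empty generator raises StopIteration as far as the visible code shows, so a mistyped type would surface as a traceback instead of the intended `ValueError(_("Type %s is invalid, ..."))` on the following line. The same reliance appears in the sepolicy.py hunk (`CheckDomain`, `CheckPortType`) and in the `gen_short_name` change. Since the helper's own hunk runs past the end of this excerpt, the fix belongs at its definition: `except (RuntimeError, StopIteration): return name`, which keeps every existing error message reachable and leaves alias resolution unchanged. This hunk's `__modify` function starts in the previous physical line of the excerpt.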
@@ -1365,8 +1463,44 @@ index 141f64e..580972c 100755
 try:
 import gettext
 kwargs = {}
+@@ -60,8 +60,6 @@ class CheckPath(argparse.Action):
+ class CheckType(argparse.Action):
+ 
+ def __call__(self, parser, namespace, values, option_string=None):
+- domains = sepolicy.get_all_domains()
+-
+ if isinstance(values, str):
+ setattr(namespace, self.dest, values)
+ else:
+@@ -103,7 +101,7 @@ class CheckDomain(argparse.Action):
+ domains = sepolicy.get_all_domains()
+ 
+ if isinstance(values, str):
+- if values not in domains:
++ if sepolicy.get_real_type_name(values) not in domains:
+ raise ValueError("%s must be an SELinux process domain:\nValid domains: %s" % (values, ", ".join(domains)))
+ setattr(namespace, self.dest, values)
+ else:
+@@ -112,7 +110,7 @@ class CheckDomain(argparse.Action):
+ newval = []
+ 
+ for v in values:
+- if v not in domains:
++ if sepolicy.get_real_type_name(v) not in domains:
+ raise ValueError("%s must be an SELinux process domain:\nValid domains: %s" % (v, ", ".join(domains)))
+ newval.append(v)
+ setattr(namespace, self.dest, newval)
+@@ -167,7 +165,7 @@ class CheckPortType(argparse.Action):
+ if not newval:
+ newval = []
+ for v in values:
+- if v not in port_types:
++ if sepolicy.get_real_type_name(v) not in port_types:
+ raise ValueError("%s must be an SELinux port type:\nValid port types: %s" % (v, ", ".join(port_types)))
+ newval.append(v)
+ setattr(namespace, self.dest, values)
 diff --git selinux-python-2.8/sepolicy/sepolicy/__init__.py selinux-python-2.8/sepolicy/sepolicy/__init__.py
-index 89346ab..8132055 100644
+index 89346ab..2e77286 100644
 --- selinux-python-2.8/sepolicy/sepolicy/__init__.py
 +++ selinux-python-2.8/sepolicy/sepolicy/__init__.py
 @@ -15,7 +15,7 @@ import os
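Review bot: In `CheckDomain` and `CheckPortType` the new lines validate the resolved name (`sepolicy.get_real_type_name(v) not in domains`) but the value kept on the namespace is still the alias spelling (`newval.append(v)` / `setattr(namespace, self.dest, values)`), so any later code that compares the argument against type-name lists keyed on canonical names will repeat the resolution or miss — assuming those consumers expect canonical names, which this hunk does not show. If that is the intent, storing the resolved name once, `newval.append(sepolicy.get_real_type_name(v))`, would make the contract explicit; either way a one-line comment on the `__call__` bodies such as `# aliases are accepted; the alias text, not the canonical type, is stored` would document the choice. Note also that the lookup runs a full policy query per argument inside the `for v in values:` loop, which presumably matters only for long argument lists. The `__call__` methods begin and end outside the nested hunks shown here.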
@@ -1378,7 +1512,57 @@ index 89346ab..8132055 100644
 try:
 import gettext
 kwargs = {}
-@@ -1160,27 +1160,14 @@ def boolean_desc(boolean):
+@@ -168,15 +168,21 @@ except ValueError as e:
+ def info(setype, name=None):
+ if setype == TYPE:
+ q = setools.TypeQuery(_pol)
+- if name:
+- q.name = name
++ q.name = name
++ results = list(q.results())
++
++ if name and len(results) < 1:
++ #type not found, try alias
++ q.name = None
++ q.alias = name
++ results = list(q.results())
+ 
+ return ({
+ 'aliases': list(map(str, x.aliases())),
+ 'name': str(x),
+ 'permissive': bool(x.ispermissive),
+ 'attributes': list(map(str, x.attributes()))
+ } for x in q.results())
++ } for x in results)
+ 
+ elif setype == ROLE:
+ q = setools.RoleQuery(_pol)
+@@ -437,6 +443,15 @@ def get_file_types(setype):
+ return mpaths
+ 
+ 
++# determine if entered type is an alias
++# and return corresponding type name
++def get_real_type_name(name):
++ try:
++ return next(info(TYPE, name))["name"]
++ except RuntimeError:
++ return None
++
++
+ def get_writable_files(setype):
+ file_types = get_all_file_types()
+ all_writes = []
+@@ -1051,7 +1066,7 @@ def gen_short_name(setype):
+ domainname = setype[:-2]
+ else:
+ domainname = setype
+- if domainname + "_t" not in all_domains:
++ if get_real_type_name(domainname + "_t") not in all_domains:
+ raise ValueError("domain %s_t does not exist" % domainname)
+ if domainname[-1] == 'd':
+ short_name = domainname[:-1] + "_"
+@@ -1160,27 +1175,14 @@ def boolean_desc(boolean):
 def get_os_version():