policycoreutils-2.8-9

- semanage: Stop rejecting aliases in semanage commands
- sepolicy: Stop rejecting aliases in sepolicy commands
- sepolicy: Fix "info" to search aliases as well
- setfiles: Improve description of -d switch
Petr Lautrbach 2018-09-14 21:54:29 +02:00
parent 9d43d20386
commit 6456a752da
3 changed files with 208 additions and 5 deletions


@ -137,3 +137,16 @@ index b277958..53d28c7 100755
FORCEFLAG="" FORCEFLAG=""
RPMFILES="" RPMFILES=""
PREFC="" PREFC=""
diff --git policycoreutils-2.8/setfiles/setfiles.8 policycoreutils-2.8/setfiles/setfiles.8
index ccaaf4d..a8a76c8 100644
--- policycoreutils-2.8/setfiles/setfiles.8
+++ policycoreutils-2.8/setfiles/setfiles.8
@@ -57,7 +57,7 @@ check the validity of the contexts against the specified binary policy.
.TP
.B \-d
show what specification matched each file (do not abort validation
-after ABORT_ON_ERRORS errors).
+after ABORT_ON_ERRORS errors). Not affected by "\-q"
.TP
.BI \-e \ directory
directory to exclude (repeat option for more than one directory).


@ -12,7 +12,7 @@
Summary: SELinux policy core utilities Summary: SELinux policy core utilities
Name: policycoreutils Name: policycoreutils
Version: 2.8 Version: 2.8
Release: 8%{?dist} Release: 9%{?dist}
License: GPLv2 License: GPLv2
# https://github.com/SELinuxProject/selinux/wiki/Releases # https://github.com/SELinuxProject/selinux/wiki/Releases
Source0: https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20180524/policycoreutils-2.8.tar.gz Source0: https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20180524/policycoreutils-2.8.tar.gz
@ -531,6 +531,12 @@ The policycoreutils-restorecond package contains the restorecond service.
%systemd_postun_with_restart restorecond.service %systemd_postun_with_restart restorecond.service
%changelog %changelog
* Fri Sep 14 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-9
- semanage: Stop rejecting aliases in semanage commands
- sepolicy: Stop rejecting aliases in sepolicy commands
- sepolicy: Fix "info" to search aliases as well
- setfiles: Improve description of -d switch
* Wed Sep 12 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-8 * Wed Sep 12 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-8
- Update translations - Update translations


@ -222,7 +222,7 @@ index 0bdb90f..0cdcfcc 100644
user identities to authorized role sets. In most cases, only the user identities to authorized role sets. In most cases, only the
former mapping needs to be adjusted by the administrator; the latter former mapping needs to be adjusted by the administrator; the latter
diff --git selinux-python-2.8/semanage/seobject.py selinux-python-2.8/semanage/seobject.py diff --git selinux-python-2.8/semanage/seobject.py selinux-python-2.8/semanage/seobject.py
index c76dce8..27e859e 100644 index c76dce8..26f3376 100644
--- selinux-python-2.8/semanage/seobject.py --- selinux-python-2.8/semanage/seobject.py
+++ selinux-python-2.8/semanage/seobject.py +++ selinux-python-2.8/semanage/seobject.py
@@ -30,7 +30,7 @@ import sys @@ -30,7 +30,7 @@ import sys
@ -309,6 +309,104 @@ index c76dce8..27e859e 100644
raise error raise error
def get_all_logins(self): def get_all_logins(self):
@@ -1087,7 +1081,7 @@ class portRecords(semanageRecords):
if type == "":
raise ValueError(_("Type is required"))
- if type not in self.valid_types:
+ if sepolicy.get_real_type_name(type) not in self.valid_types:
raise ValueError(_("Type %s is invalid, must be a port type") % type)
(k, proto_d, low, high) = self.__genkey(port, proto)
@@ -1151,7 +1145,7 @@ class portRecords(semanageRecords):
else:
raise ValueError(_("Requires setype"))
- if setype and setype not in self.valid_types:
+ if setype and sepolicy.get_real_type_name(setype) not in self.valid_types:
raise ValueError(_("Type %s is invalid, must be a port type") % setype)
(k, proto_d, low, high) = self.__genkey(port, proto)
@@ -1355,7 +1349,7 @@ class ibpkeyRecords(semanageRecords):
if type == "":
raise ValueError(_("Type is required"))
- if type not in self.valid_types:
+ if sepolicy.get_real_type_name(type) not in self.valid_types:
raise ValueError(_("Type %s is invalid, must be a ibpkey type") % type)
(k, subnet_prefix, low, high) = self.__genkey(pkey, subnet_prefix)
@@ -1417,7 +1411,7 @@ class ibpkeyRecords(semanageRecords):
else:
raise ValueError(_("Requires setype"))
- if setype and setype not in self.valid_types:
+ if setype and sepolicy.get_real_type_name(setype) not in self.valid_types:
raise ValueError(_("Type %s is invalid, must be a ibpkey type") % setype)
(k, subnet_prefix, low, high) = self.__genkey(pkey, subnet_prefix)
@@ -1603,7 +1597,7 @@ class ibendportRecords(semanageRecords):
if type == "":
raise ValueError(_("Type is required"))
- if type not in self.valid_types:
+ if sepolicy.get_real_type_name(type) not in self.valid_types:
raise ValueError(_("Type %s is invalid, must be an ibendport type") % type)
(k, ibendport, port) = self.__genkey(ibendport, ibdev_name)
@@ -1664,7 +1658,7 @@ class ibendportRecords(semanageRecords):
else:
raise ValueError(_("Requires setype"))
- if setype and setype not in self.valid_types:
+ if setype and sepolicy.get_real_type_name(setype) not in self.valid_types:
raise ValueError(_("Type %s is invalid, must be an ibendport type") % setype)
(k, ibdev_name, port) = self.__genkey(ibendport, ibdev_name)
@@ -1853,7 +1847,7 @@ class nodeRecords(semanageRecords):
if ctype == "":
raise ValueError(_("SELinux node type is required"))
- if ctype not in self.valid_types:
+ if sepolicy.get_real_type_name(ctype) not in self.valid_types:
raise ValueError(_("Type %s is invalid, must be a node type") % ctype)
(rc, k) = semanage_node_key_create(self.sh, addr, mask, proto)
@@ -1922,7 +1916,7 @@ class nodeRecords(semanageRecords):
if serange == "" and setype == "":
raise ValueError(_("Requires setype or serange"))
- if setype and setype not in self.valid_types:
+ if setype and sepolicy.get_real_type_name(setype) not in self.valid_types:
raise ValueError(_("Type %s is invalid, must be a node type") % setype)
(rc, k) = semanage_node_key_create(self.sh, addr, mask, proto)
@@ -2241,7 +2235,6 @@ class fcontextRecords(semanageRecords):
try:
valid_types = list(list(sepolicy.info(sepolicy.ATTRIBUTE, "file_type"))[0]["types"])
valid_types += list(list(sepolicy.info(sepolicy.ATTRIBUTE, "device_node"))[0]["types"])
- valid_types.append("<<none>>")
except RuntimeError:
valid_types = []
@@ -2369,7 +2362,7 @@ class fcontextRecords(semanageRecords):
if type == "":
raise ValueError(_("SELinux Type is required"))
- if type not in self.valid_types:
+ if type != "<<none>>" and sepolicy.get_real_type_name(type) not in self.valid_types:
raise ValueError(_("Type %s is invalid, must be a file or device type") % type)
(rc, k) = semanage_fcontext_key_create(self.sh, target, file_types[ftype])
@@ -2432,7 +2425,7 @@ class fcontextRecords(semanageRecords):
def __modify(self, target, setype, ftype, serange, seuser):
if serange == "" and setype == "" and seuser == "":
raise ValueError(_("Requires setype, serange or seuser"))
- if setype and setype not in self.valid_types:
+ if setype not in ["", "<<none>>"] and sepolicy.get_real_type_name(setype) not in self.valid_types:
raise ValueError(_("Type %s is invalid, must be a file or device type") % setype)
self.validate(target)
diff --git selinux-python-2.8/sepolgen/src/sepolgen/access.py selinux-python-2.8/sepolgen/src/sepolgen/access.py diff --git selinux-python-2.8/sepolgen/src/sepolgen/access.py selinux-python-2.8/sepolgen/src/sepolgen/access.py
index a5d8698..ba80f93 100644 index a5d8698..ba80f93 100644
--- selinux-python-2.8/sepolgen/src/sepolgen/access.py --- selinux-python-2.8/sepolgen/src/sepolgen/access.py
@ -1353,7 +1451,7 @@ index 16e6680..64c48df 100644
def test_init(self): def test_init(self):
a = refpolicy.TypeRule() a = refpolicy.TypeRule()
diff --git selinux-python-2.8/sepolicy/sepolicy.py selinux-python-2.8/sepolicy/sepolicy.py diff --git selinux-python-2.8/sepolicy/sepolicy.py selinux-python-2.8/sepolicy/sepolicy.py
index 141f64e..580972c 100755 index 141f64e..6287502 100755
--- selinux-python-2.8/sepolicy/sepolicy.py --- selinux-python-2.8/sepolicy/sepolicy.py
+++ selinux-python-2.8/sepolicy/sepolicy.py +++ selinux-python-2.8/sepolicy/sepolicy.py
@@ -27,7 +27,7 @@ import selinux @@ -27,7 +27,7 @@ import selinux
@ -1365,8 +1463,44 @@ index 141f64e..580972c 100755
try: try:
import gettext import gettext
kwargs = {} kwargs = {}
@@ -60,8 +60,6 @@ class CheckPath(argparse.Action):
class CheckType(argparse.Action):
def __call__(self, parser, namespace, values, option_string=None):
- domains = sepolicy.get_all_domains()
-
if isinstance(values, str):
setattr(namespace, self.dest, values)
else:
@@ -103,7 +101,7 @@ class CheckDomain(argparse.Action):
domains = sepolicy.get_all_domains()
if isinstance(values, str):
- if values not in domains:
+ if sepolicy.get_real_type_name(values) not in domains:
raise ValueError("%s must be an SELinux process domain:\nValid domains: %s" % (values, ", ".join(domains)))
setattr(namespace, self.dest, values)
else:
@@ -112,7 +110,7 @@ class CheckDomain(argparse.Action):
newval = []
for v in values:
- if v not in domains:
+ if sepolicy.get_real_type_name(v) not in domains:
raise ValueError("%s must be an SELinux process domain:\nValid domains: %s" % (v, ", ".join(domains)))
newval.append(v)
setattr(namespace, self.dest, newval)
@@ -167,7 +165,7 @@ class CheckPortType(argparse.Action):
if not newval:
newval = []
for v in values:
- if v not in port_types:
+ if sepolicy.get_real_type_name(v) not in port_types:
raise ValueError("%s must be an SELinux port type:\nValid port types: %s" % (v, ", ".join(port_types)))
newval.append(v)
setattr(namespace, self.dest, values)
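Review bot: The last line of this hunk stores `values`, not the `newval` list the loop has just filled, so anything `newval` held before the loop is discarded. This predates the change but sits directly beside the edited check. If accumulation is what is intended, `setattr(namespace, self.dest, newval)` would match what CheckDomain does at the end of its own loop. The start of CheckPortType's `__call__` is outside the hunk, so how `newval` is initialised is not visible here.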
diff --git selinux-python-2.8/sepolicy/sepolicy/__init__.py selinux-python-2.8/sepolicy/sepolicy/__init__.py diff --git selinux-python-2.8/sepolicy/sepolicy/__init__.py selinux-python-2.8/sepolicy/sepolicy/__init__.py
index 89346ab..8132055 100644 index 89346ab..2e77286 100644
--- selinux-python-2.8/sepolicy/sepolicy/__init__.py --- selinux-python-2.8/sepolicy/sepolicy/__init__.py
+++ selinux-python-2.8/sepolicy/sepolicy/__init__.py +++ selinux-python-2.8/sepolicy/sepolicy/__init__.py
@@ -15,7 +15,7 @@ import os @@ -15,7 +15,7 @@ import os
@ -1378,7 +1512,57 @@ index 89346ab..8132055 100644
try: try:
import gettext import gettext
kwargs = {} kwargs = {}
@@ -1160,27 +1160,14 @@ def boolean_desc(boolean): @@ -168,15 +168,21 @@ except ValueError as e:
def info(setype, name=None):
if setype == TYPE:
q = setools.TypeQuery(_pol)
- if name:
- q.name = name
+ q.name = name
+ results = list(q.results())
+
+ if name and len(results) < 1:
+ #type not found, try alias
+ q.name = None
+ q.alias = name
+ results = list(q.results())
return ({
'aliases': list(map(str, x.aliases())),
'name': str(x),
'permissive': bool(x.ispermissive),
'attributes': list(map(str, x.attributes()))
- } for x in q.results())
+ } for x in results)
elif setype == ROLE:
q = setools.RoleQuery(_pol)
@@ -437,6 +443,15 @@ def get_file_types(setype):
return mpaths
+# determine if entered type is an alias
+# and return corresponding type name
+def get_real_type_name(name):
+ try:
+ return next(info(TYPE, name))["name"]
+ except RuntimeError:
+ return None
+
+
def get_writable_files(setype):
file_types = get_all_file_types()
all_writes = []
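Review bot: `get_real_type_name` catches only `RuntimeError`, but for a name that matches neither a type nor an alias, `info(TYPE, name)` returns an empty generator and `next()` raises `StopIteration`, which escapes the helper. The callers changed in this patch (the `valid_types` checks in seobject.py, `CheckDomain` and `CheckPortType` in sepolicy.py, and `gen_short_name`) would then never reach their own `ValueError`, so a mistyped type name likely surfaces as an unhandled exception instead of a clean validation error. Changing the handler to `except (RuntimeError, StopIteration):` keeps the return-None behaviour those `not in` checks rely on. The two `#` lines above the def would also read better as a docstring that states None is returned for unknown names.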
@@ -1051,7 +1066,7 @@ def gen_short_name(setype):
domainname = setype[:-2]
else:
domainname = setype
- if domainname + "_t" not in all_domains:
+ if get_real_type_name(domainname + "_t") not in all_domains:
raise ValueError("domain %s_t does not exist" % domainname)
if domainname[-1] == 'd':
short_name = domainname[:-1] + "_"
@@ -1160,27 +1175,14 @@ def boolean_desc(boolean):
def get_os_version(): def get_os_version():