diff --git a/policycoreutils-rhat.patch b/policycoreutils-rhat.patch index 637150a..f74aff5 100644 --- a/policycoreutils-rhat.patch +++ b/policycoreutils-rhat.patch @@ -1,3 +1,15 @@ +diff --git a/policycoreutils/.gitignore b/policycoreutils/.gitignore +index 6f41f6a..50f8b82 100644 +--- a/policycoreutils/.gitignore ++++ b/policycoreutils/.gitignore +@@ -9,6 +9,7 @@ semodule_deps/semodule_deps + semodule_expand/semodule_expand + semodule_link/semodule_link + semodule_package/semodule_package ++semodule_package/semodule_unpackage + sestatus/sestatus + setfiles/restorecon + setfiles/setfiles diff --git a/policycoreutils/Makefile b/policycoreutils/Makefile index 86ed03f..3e95698 100644 --- a/policycoreutils/Makefile @@ -1629,10 +1641,10 @@ index e3b7ea7..2b37e63 100644 +and +.I Thomas Liu diff --git a/policycoreutils/sandbox/sandbox.init b/policycoreutils/sandbox/sandbox.init -index ff8b3ef..66aadfd 100644 +index ff8b3ef..d1ccdc2 100644 --- a/policycoreutils/sandbox/sandbox.init +++ b/policycoreutils/sandbox/sandbox.init -@@ -10,17 +10,12 @@ +@@ -10,25 +10,15 @@ # # chkconfig: 345 1 99 # @@ -1650,13 +1662,21 @@ index ff8b3ef..66aadfd 100644 +# description: sandbox, xguest and other apps that want to use pam_namespace \ +# require this script be run at boot. This service script does \ +# not actually run any service but sets up: \ -+# /var/tmp, /tmp and home directories to be used by these tools.\ ++# / to be shared by any app that starts a separate namespace +# If you do not use sandbox, xguest or pam_namespace you can turn \ +# this service off.\ # # Source function library. -@@ -41,15 +36,6 @@ start() { +-. /etc/init.d/functions +- +-HOMEDIRS="/home" +- +-. /etc/sysconfig/sandbox + + LOCKFILE=/var/lock/subsys/sandbox + +@@ -41,15 +31,6 @@ start() { touch $LOCKFILE mount --make-rshared / || return $? @@ -3004,13 +3024,13 @@ index 0140cd2..2c0cfdd 100644 + except RuntimeError, error: + errorExit(error.args[0]) 
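Review bot: The rewritten chkconfig description line in the sandbox.init hunk (`@@ -1650,13 +1662,21 @@`) drops the trailing backslash that every other continued description line carries, so the `# description:` block now ends at `/ to be shared by any app that starts a separate namespace` and the two `If you do not use ...` lines that follow are no longer part of it; append the continuation, `# / to be shared by any app that starts a separate namespace \`. The same hunk removes the sourcing of `/etc/init.d/functions` and `/etc/sysconfig/sandbox`, which is consistent with dropping the HOMEDIRS handling in `start()`, but any helper from the functions library still used elsewhere in the script would now be undefined, and that cannot be confirmed from this diff. The `start()` function itself continues outside the hunk.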
diff --git a/policycoreutils/semanage/seobject.py b/policycoreutils/semanage/seobject.py -index 6842b07..7f11c4e 100644 +index 6842b07..e4b6c0d 100644 --- a/policycoreutils/semanage/seobject.py +++ b/policycoreutils/semanage/seobject.py @@ -1,5 +1,5 @@ #! /usr/bin/python -E -# Copyright (C) 2005, 2006, 2007, 2008, 2009 Red Hat -+# Copyright (C) 2005-2011 2009 Red Hat ++# Copyright (C) 2005-2011 Red Hat # see file 'COPYING' for use and warranty information # # semanage is a tool for managing SELinux configuration files 
@@ -3339,6 +3359,62 @@ index 6842b07..7f11c4e 100644 - print "%-30s -> %-5s %s" % (k, on_off[ddict[k][2]], self.get_desc(k)) - + print "%-30s (%-5s,%5s) %s" % (k, on_off[selinux.security_get_boolean_active(k)], on_off[ddict[k][2]], self.get_desc(k)) +diff --git a/policycoreutils/semodule/semodule.c b/policycoreutils/semodule/semodule.c +index 81d6a3c..5d662e7 100644 +--- a/policycoreutils/semodule/semodule.c ++++ b/policycoreutils/semodule/semodule.c +@@ -45,6 +45,7 @@ static int no_reload; + static int create_store; + static int build; + static int disable_dontaudit; ++static int preserve_tunables; + + static semanage_handle_t *sh = NULL; + static char *store; +@@ -117,6 +118,7 @@ static void usage(char *progname) + printf(" -h,--help print this message and quit\n"); + printf(" -v,--verbose be verbose\n"); + printf(" -D,--disable_dontaudit Remove dontaudits from policy\n"); ++ printf(" -P,--preserve_tunables Preserve tunables in policy\n"); + } + + /* Sets the global mode variable to new_mode, but only if no other +@@ -162,6 +164,7 @@ static void parse_command_line(int argc, char **argv) + {"noreload", 0, NULL, 'n'}, + {"build", 0, NULL, 'B'}, + {"disable_dontaudit", 0, NULL, 'D'}, ++ {"preserve_tunables", 0, NULL, 'P'}, + {"path", required_argument, NULL, 'p'}, + {NULL, 0, NULL, 0} + }; +@@ -171,7 +174,7 @@ static void parse_command_line(int argc, char **argv) + no_reload = 0; + create_store = 0; + while ((i = +- getopt_long(argc, argv, "p:s:b:hi:lvqe:d:r:u:RnBD", opts, ++ getopt_long(argc, argv, "p:s:b:hi:lvqe:d:r:u:RnBDP", opts, + NULL)) != -1) { + switch (i) { + case 'b': +@@ -220,6 +223,9 @@ static void parse_command_line(int argc, char **argv) + case 'D': + disable_dontaudit = 1; + break; ++ case 'P': ++ preserve_tunables = 1; ++ break; + case '?': + default:{ + usage(argv[0]); +@@ -466,6 +472,8 @@ int main(int argc, char *argv[]) + semanage_set_disable_dontaudit(sh, 1); + else if (build) + semanage_set_disable_dontaudit(sh, 0); ++ if (preserve_tunables) ++ 
semanage_set_preserve_tunables(sh, 1); + + result = semanage_commit(sh); + } diff --git a/policycoreutils/sepolgen-ifgen/.gitignore b/policycoreutils/sepolgen-ifgen/.gitignore new file mode 100644 index 0000000..3816d2e @@ -3616,7 +3692,7 @@ index 0000000..1ce37b0 + return 0; +} diff --git a/policycoreutils/setfiles/restore.c b/policycoreutils/setfiles/restore.c -index 48ffcad..7cff7e4 100644 +index 48ffcad..8066162 100644 --- a/policycoreutils/setfiles/restore.c +++ b/policycoreutils/setfiles/restore.c @@ -1,5 +1,6 @@ @@ -3657,7 +3733,18 @@ index 48ffcad..7cff7e4 100644 if (match(my_file, ftsent->fts_statp, &newcon) < 0) /* Check for no matching specification. */ -@@ -143,74 +143,105 @@ static int restore(FTSENT *ftsent) +@@ -113,10 +113,6 @@ static int restore(FTSENT *ftsent) + + if (r_opts->progress) { + r_opts->count++; +- if (r_opts->count % (80 * STAR_COUNT) == 0) { +- fprintf(stdout, "\n"); +- fflush(stdout); +- } + if (r_opts->count % STAR_COUNT == 0) { + fprintf(stdout, "*"); + fflush(stdout); +@@ -143,74 +139,105 @@ static int restore(FTSENT *ftsent) printf("%s: %s matched by %s\n", r_opts->progname, my_file, newcon); } @@ -3751,22 +3838,22 @@ index 48ffcad..7cff7e4 100644 + freecon(newcon); + newcon = strdup(context_str(conb)); + } -+ } + } + context_free(cona); + context_free(conb); + + if (!types_differ || err) { + goto out; - } ++ } ++ } ++ ++ if (r_opts->verbose) { ++ printf("%s reset %s context %s->%s\n", ++ r_opts->progname, my_file, curcon ?: "", newcon); } - if (r_opts->logging && !user_only_changed) { - if (context) -+ if (r_opts->verbose) { -+ printf("%s reset %s context %s->%s\n", -+ r_opts->progname, my_file, curcon ?: "", newcon); -+ } -+ + if (r_opts->logging) { + if (curcon) syslog(LOG_INFO, "relabeling %s from %s to %s\n", 
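Review bot: In the semodule.c hunk (`@@ -3339,6 +3359,62 @@`), the new `-P` flag is only ever applied as `semanage_set_preserve_tunables(sh, 1)`; unlike `disable_dontaudit`, which `-B` explicitly resets with `semanage_set_disable_dontaudit(sh, 0)`, there is no `else if (build) semanage_set_preserve_tunables(sh, 0);` branch. If libsemanage persists this flag in the store the way it does for dontaudit (not visible here), a rebuild would silently keep tunables preserved from an earlier run; if it is per-handle only, the asymmetry is merely confusing and a one-line comment stating that would help. The hunk extends `usage()` but contains no semodule.8 entry for `-P`, so the man page should gain one unless it is updated elsewhere. The `main()` body continues outside the hunk.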
@@ -3792,7 +3879,7 @@ index 48ffcad..7cff7e4 100644 goto out; /* -@@ -318,11 +349,16 @@ static int process_one(char *name, int recurse_this_path) +@@ -318,11 +345,16 @@ static int process_one(char *name, int recurse_this_path) ftsent = fts_read(fts_handle); @@ -3812,7 +3899,7 @@ index 48ffcad..7cff7e4 100644 do { rc = 0; /* Skip the post order nodes. */ -@@ -390,7 +426,7 @@ int process_one_realpath(char *name, int recurse) +@@ -390,7 +422,7 @@ int process_one_realpath(char *name, int recurse) { int rc = 0; char *p; @@ -3821,7 +3908,7 @@ index 48ffcad..7cff7e4 100644 if (r_opts == NULL){ fprintf(stderr, -@@ -401,7 +437,7 @@ int process_one_realpath(char *name, int recurse) +@@ -401,7 +433,7 @@ int process_one_realpath(char *name, int recurse) if (!r_opts->expand_realpath) { return process_one(name, recurse); } else { @@ -3830,7 +3917,7 @@ index 48ffcad..7cff7e4 100644 if (rc < 0) { if (r_opts->ignore_enoent && errno == ENOENT) return 0; -@@ -486,22 +522,6 @@ int add_exclude(const char *directory) +@@ -486,22 +518,6 @@ int add_exclude(const char *directory) return 0; } @@ -3853,7 +3940,7 @@ index 48ffcad..7cff7e4 100644 /* * Evaluate the association hash table distribution. */ -@@ -568,7 +588,7 @@ static int filespec_add(ino_t ino, const security_context_t con, const char *fil +@@ -568,7 +584,7 @@ static int filespec_add(ino_t ino, const security_context_t con, const char *fil { file_spec_t *prevfl, *fl; int h, ret; @@ -3862,7 +3949,7 @@ index 48ffcad..7cff7e4 100644 if (!fl_head) { fl_head = malloc(sizeof(file_spec_t) * HASH_BUCKETS); -@@ -581,7 +601,7 @@ static int filespec_add(ino_t ino, const security_context_t con, const char *fil +@@ -581,7 +597,7 @@ static int filespec_add(ino_t ino, const security_context_t con, const char *fil for (prevfl = &fl_head[h], fl = fl_head[h].next; fl; prevfl = fl, fl = fl->next) { if (ino == fl->ino) { @@ -3945,7 +4032,7 @@ index c8ea4bb..0eb7293 100644 .SH "ARGUMENTS" .B pathname... 
diff --git a/policycoreutils/setfiles/setfiles.8 b/policycoreutils/setfiles/setfiles.8 -index 7f700ca..5902e8e 100644 +index 7f700ca..2cc3fba 100644 --- a/policycoreutils/setfiles/setfiles.8 +++ b/policycoreutils/setfiles/setfiles.8 @@ -4,7 +4,7 @@ setfiles \- set file SELinux security contexts. @@ -3989,12 +4076,12 @@ index 7f700ca..5902e8e 100644 -.TP -.B \-vv -show changes in file labels, if type, role, or user are changing. -+show changes in file labels ++show changes in file labels. .TP .B \-W display warnings about entries that had no matching files. diff --git a/policycoreutils/setfiles/setfiles.c b/policycoreutils/setfiles/setfiles.c -index fa0cd6a..590a4e0 100644 +index fa0cd6a..4da428c 100644 --- a/policycoreutils/setfiles/setfiles.c +++ b/policycoreutils/setfiles/setfiles.c @@ -39,7 +39,7 @@ void usage(const char *const name) @@ -4029,7 +4116,7 @@ index fa0cd6a..590a4e0 100644 break; + case 'L': + if (r_opts.selabel_opt_subset) { -+ if (asprintf((char**) &(r_opts.selabel_opt_subset),"%s;%s",r_opts.selabel_opt_subset,optarg) < 0) { ++ if (asprintf((char**) &(r_opts.selabel_opt_subset),"%s:%s",r_opts.selabel_opt_subset,optarg) < 0) { + fprintf(stderr, "Can't allocate memory for labeling prefix %s:%s\n", + optarg, strerror(errno)); + exit(1); diff --git a/policycoreutils.spec b/policycoreutils.spec index 2d5a8cf..d95751f 100644 --- a/policycoreutils.spec +++ b/policycoreutils.spec @@ -7,7 +7,7 @@ Summary: SELinux policy core utilities Name: policycoreutils Version: 2.1.5 -Release: 5%{?dist} +Release: 6%{?dist} License: GPLv2 Group: System Environment/Base # Based on git repository with tag 20101221 @@ -352,6 +352,9 @@ fi /bin/systemctl try-restart restorecond.service >/dev/null 2>&1 || : %changelog +* Wed Sep 14 2011 Dan Walsh - 2.1.5-6 +- Change separator on -L from ; to : + * Thu Sep 8 2011 Dan Walsh - 2.1.5-5 - Add back lockdown wizard for booleans using pywebkitgtk
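Review bot: In the setfiles.c hunk (`@@ -4029,7 +4116,7 @@`), `asprintf((char**) &(r_opts.selabel_opt_subset),"%s:%s",r_opts.selabel_opt_subset,optarg)` overwrites the pointer without releasing the string it held, so each additional `-L` leaks the previous concatenation; harmless for a one-shot command-line tool, but worth a comment or a free. Freeing is only correct if the first `-L` (handled in the branch outside this hunk) stored a heap copy rather than `optarg` itself, so ownership should be made explicit before a `free()` is added, and the `(char**)` cast suggests `selabel_opt_subset` is declared `const char *`, which makes that easy to miss. The switch to `:` is only meaningful if libselinux splits the SELABEL_OPT_SUBSET value on `:`, which cannot be confirmed from this diff; the visible setfiles.8 hunk touches only the `-vv` text, so a sentence documenting the separator under `-L` would help users passing several prefixes.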