Update to upstream
* genhomedircon: manual page improvements * setfiles/restorecon minor improvements * run_init: If open_init_pty is not available then just use exec * newrole: do not drop capabilities when newrole is run as * restorecon: only update type by default * scripts: Don't syslog setfiles changes on a fixfiles restore * setfiles: do not syslog if no changes * Disable user restorecond by default * Make restorecon return 0 when a file has changed context * setfiles: Fix process_glob error handling * semanage: allow enable/disable under -m * add .tx to gitignore * translations: commit translations from Fedora community * po: silence build process * gui: Checking in policy to support polgengui and sepolgen. * gui: polgen: search for systemd subpackage when generating policy * gui: for exploring booleans * gui: system-config-selinux gui * Add Makefiles to support new gui code * gui: remove lockdown wizard * return equivalency records in fcontext customized * semanage: option to not load new policy into kernel after * sandbox: manpage update to describe standard types * setsebool: -N should not reload policy on changes * semodule: Add -N qualifier to no reload kernel policy * gui: polgen: sort selinux types of user controls * gui: polgen: follow symlinks and get the real path to * gui: Fix missing error function * setfiles: return errors when bad paths are given * fixfiles: tell restorecon to ignore missing paths * setsebool: error when setting multiple options * semanage: use boolean subs. * sandbox: Make sure Xephyr never listens on tcp ports * sepolgen: return and output constraint violation information * semanage: skip comments while reading external configuration files * restorecond: relabel all mount runtime files in the restorecond example * genhomedircon: dynamically create genhomedircon * Allow returning of bastard matches * sepolgen: return and output constraint violation information * audit2allow: one role/type pair per line
This commit is contained in:
parent
92907b214d
commit
775d48fd41
285154
policycoreutils-rhat.patch
285154
policycoreutils-rhat.patch
File diff suppressed because it is too large
Load Diff
@ -1,191 +0,0 @@
|
|||||||
diff --git a/sepolgen/src/sepolgen/access.py b/sepolgen/src/sepolgen/access.py
|
|
||||||
index 649735f..cf13210 100644
|
|
||||||
--- a/sepolgen/src/sepolgen/access.py
|
|
||||||
+++ b/sepolgen/src/sepolgen/access.py
|
|
||||||
@@ -87,7 +87,7 @@ class AccessVector:
|
|
||||||
self.perms = refpolicy.IdSet()
|
|
||||||
self.audit_msgs = []
|
|
||||||
self.type = audit2why.TERULE
|
|
||||||
- self.bools = []
|
|
||||||
+ self.data = []
|
|
||||||
|
|
||||||
# The direction of the information flow represented by this
|
|
||||||
# access vector - used for matching
|
|
||||||
@@ -256,7 +256,7 @@ class AccessVectorSet:
|
|
||||||
for av in l:
|
|
||||||
self.add_av(AccessVector(av))
|
|
||||||
|
|
||||||
- def add(self, src_type, tgt_type, obj_class, perms, audit_msg=None, avc_type=audit2why.TERULE, bools=[]):
|
|
||||||
+ def add(self, src_type, tgt_type, obj_class, perms, audit_msg=None, avc_type=audit2why.TERULE, data=[]):
|
|
||||||
"""Add an access vector to the set.
|
|
||||||
"""
|
|
||||||
tgt = self.src.setdefault(src_type, { })
|
|
||||||
@@ -269,7 +269,7 @@ class AccessVectorSet:
|
|
||||||
access.src_type = src_type
|
|
||||||
access.tgt_type = tgt_type
|
|
||||||
access.obj_class = obj_class
|
|
||||||
- access.bools = bools
|
|
||||||
+ access.data = data
|
|
||||||
access.type = avc_type
|
|
||||||
cls[obj_class, avc_type] = access
|
|
||||||
|
|
||||||
diff --git a/sepolgen/src/sepolgen/audit.py b/sepolgen/src/sepolgen/audit.py
|
|
||||||
index 9e2ccee..73c60f6 100644
|
|
||||||
--- a/sepolgen/src/sepolgen/audit.py
|
|
||||||
+++ b/sepolgen/src/sepolgen/audit.py
|
|
||||||
@@ -173,7 +173,6 @@ class AVCMessage(AuditMessage):
|
|
||||||
self.accesses = []
|
|
||||||
self.denial = True
|
|
||||||
self.type = audit2why.TERULE
|
|
||||||
- self.bools = []
|
|
||||||
|
|
||||||
def __parse_access(self, recs, start):
|
|
||||||
# This is kind of sucky - the access that is in a space separated
|
|
||||||
@@ -241,10 +240,12 @@ class AVCMessage(AuditMessage):
|
|
||||||
tcontext = self.tcontext.to_string()
|
|
||||||
scontext = self.scontext.to_string()
|
|
||||||
access_tuple = tuple( self.accesses)
|
|
||||||
+ self.data = []
|
|
||||||
+
|
|
||||||
if (scontext, tcontext, self.tclass, access_tuple) in avcdict.keys():
|
|
||||||
- self.type, self.bools = avcdict[(scontext, tcontext, self.tclass, access_tuple)]
|
|
||||||
+ self.type, self.data = avcdict[(scontext, tcontext, self.tclass, access_tuple)]
|
|
||||||
else:
|
|
||||||
- self.type, self.bools = audit2why.analyze(scontext, tcontext, self.tclass, self.accesses);
|
|
||||||
+ self.type, self.data = audit2why.analyze(scontext, tcontext, self.tclass, self.accesses);
|
|
||||||
if self.type == audit2why.NOPOLICY:
|
|
||||||
self.type = audit2why.TERULE
|
|
||||||
if self.type == audit2why.BADTCON:
|
|
||||||
@@ -258,7 +259,16 @@ class AVCMessage(AuditMessage):
|
|
||||||
if self.type == audit2why.BADCOMPUTE:
|
|
||||||
raise ValueError("Error during access vector computation")
|
|
||||||
|
|
||||||
- avcdict[(scontext, tcontext, self.tclass, access_tuple)] = (self.type, self.bools)
|
|
||||||
+ if self.type == audit2why.CONSTRAINT:
|
|
||||||
+ self.data = []
|
|
||||||
+ if self.scontext.user != self.tcontext.user:
|
|
||||||
+ self.data.append("user")
|
|
||||||
+ if self.scontext.role != self.tcontext.role and self.tcontext.role != "object_r":
|
|
||||||
+ self.data.append("role")
|
|
||||||
+ if self.scontext.level != self.tcontext.level:
|
|
||||||
+ self.data.append("level")
|
|
||||||
+
|
|
||||||
+ avcdict[(scontext, tcontext, self.tclass, access_tuple)] = (self.type, self.data)
|
|
||||||
|
|
||||||
class PolicyLoadMessage(AuditMessage):
|
|
||||||
"""Audit message indicating that the policy was reloaded."""
|
|
||||||
@@ -507,10 +517,10 @@ class AuditParser:
|
|
||||||
if avc_filter:
|
|
||||||
if avc_filter.filter(avc):
|
|
||||||
av_set.add(avc.scontext.type, avc.tcontext.type, avc.tclass,
|
|
||||||
- avc.accesses, avc, avc_type=avc.type, bools=avc.bools)
|
|
||||||
+ avc.accesses, avc, avc_type=avc.type, data=avc.data)
|
|
||||||
else:
|
|
||||||
av_set.add(avc.scontext.type, avc.tcontext.type, avc.tclass,
|
|
||||||
- avc.accesses, avc, avc_type=avc.type, bools=avc.bools)
|
|
||||||
+ avc.accesses, avc, avc_type=avc.type, data=avc.data)
|
|
||||||
return av_set
|
|
||||||
|
|
||||||
class AVCTypeFilter:
|
|
||||||
diff --git a/sepolgen/src/sepolgen/matching.py b/sepolgen/src/sepolgen/matching.py
|
|
||||||
index 1a9a3e5..d56dd92 100644
|
|
||||||
--- a/sepolgen/src/sepolgen/matching.py
|
|
||||||
+++ b/sepolgen/src/sepolgen/matching.py
|
|
||||||
@@ -50,7 +50,7 @@ class Match:
|
|
||||||
return 1
|
|
||||||
|
|
||||||
class MatchList:
|
|
||||||
- DEFAULT_THRESHOLD = 120
|
|
||||||
+ DEFAULT_THRESHOLD = 150
|
|
||||||
def __init__(self):
|
|
||||||
# Match objects that pass the threshold
|
|
||||||
self.children = []
|
|
||||||
@@ -63,14 +63,15 @@ class MatchList:
|
|
||||||
def best(self):
|
|
||||||
if len(self.children):
|
|
||||||
return self.children[0]
|
|
||||||
- else:
|
|
||||||
- return None
|
|
||||||
+ if len(self.bastards):
|
|
||||||
+ return self.bastards[0]
|
|
||||||
+ return None
|
|
||||||
|
|
||||||
def __len__(self):
|
|
||||||
# Only return the length of the matches so
|
|
||||||
# that this can be used to test if there is
|
|
||||||
# a match.
|
|
||||||
- return len(self.children)
|
|
||||||
+ return len(self.children) + len(self.bastards)
|
|
||||||
|
|
||||||
def __iter__(self):
|
|
||||||
return iter(self.children)
|
|
||||||
diff --git a/sepolgen/src/sepolgen/policygen.py b/sepolgen/src/sepolgen/policygen.py
|
|
||||||
index c3d665c..cc9f8ea 100644
|
|
||||||
--- a/sepolgen/src/sepolgen/policygen.py
|
|
||||||
+++ b/sepolgen/src/sepolgen/policygen.py
|
|
||||||
@@ -166,14 +166,16 @@ class PolicyGenerator:
|
|
||||||
rule.comment += "#!!!! This avc has a dontaudit rule in the current policy\n"
|
|
||||||
|
|
||||||
if av.type == audit2why.BOOLEAN:
|
|
||||||
- if len(av.bools) > 1:
|
|
||||||
- rule.comment += "#!!!! This avc can be allowed using one of the these booleans:\n# %s\n" % ", ".join(map(lambda x: x[0], av.bools))
|
|
||||||
+ if len(av.data) > 1:
|
|
||||||
+ rule.comment += "#!!!! This avc can be allowed using one of the these booleans:\n# %s\n" % ", ".join(map(lambda x: x[0], av.data))
|
|
||||||
else:
|
|
||||||
- rule.comment += "#!!!! This avc can be allowed using the boolean '%s'\n" % av.bools[0][0]
|
|
||||||
+ rule.comment += "#!!!! This avc can be allowed using the boolean '%s'\n" % av.data[0][0]
|
|
||||||
|
|
||||||
if av.type == audit2why.CONSTRAINT:
|
|
||||||
rule.comment += "#!!!! This avc is a constraint violation. You will need to add an attribute to either the source or target type to make it work.\n"
|
|
||||||
rule.comment += "#Constraint rule: "
|
|
||||||
+ for reason in av.data:
|
|
||||||
+ rule.comment += "\n#\tPossible cause source context and target context '%s' differ\b" % reason
|
|
||||||
|
|
||||||
try:
|
|
||||||
if ( av.type == audit2why.TERULE and
|
|
||||||
diff --git a/sepolgen/src/sepolgen/refpolicy.py b/sepolgen/src/sepolgen/refpolicy.py
|
|
||||||
index b138e3d..1399225 100644
|
|
||||||
--- a/sepolgen/src/sepolgen/refpolicy.py
|
|
||||||
+++ b/sepolgen/src/sepolgen/refpolicy.py
|
|
||||||
@@ -363,7 +363,10 @@ class Role(Leaf):
|
|
||||||
self.types = IdSet()
|
|
||||||
|
|
||||||
def to_string(self):
|
|
||||||
- return "role %s types %s;" % (self.role, self.types.to_comma_str())
|
|
||||||
+ s = ""
|
|
||||||
+ for t in self.types:
|
|
||||||
+ s += "role %s types %s;\n" % (self.role, t)
|
|
||||||
+ return s
|
|
||||||
|
|
||||||
class Type(Leaf):
|
|
||||||
def __init__(self, name="", parent=None):
|
|
||||||
@@ -511,7 +514,10 @@ class RoleType(Leaf):
|
|
||||||
self.types = IdSet()
|
|
||||||
|
|
||||||
def to_string(self):
|
|
||||||
- return "role %s types %s;" % (self.role, self.types.to_comma_str())
|
|
||||||
+ s = ""
|
|
||||||
+ for t in self.types:
|
|
||||||
+ s += "role %s types %s;\n" % (self.role, t)
|
|
||||||
+ return s
|
|
||||||
|
|
||||||
class ModuleDeclaration(Leaf):
|
|
||||||
def __init__(self, parent=None):
|
|
||||||
@@ -799,7 +805,7 @@ class Require(Leaf):
|
|
||||||
self.types = IdSet()
|
|
||||||
self.obj_classes = { }
|
|
||||||
self.roles = IdSet()
|
|
||||||
- self.bools = IdSet()
|
|
||||||
+ self.data = IdSet()
|
|
||||||
self.users = IdSet()
|
|
||||||
|
|
||||||
def add_obj_class(self, obj_class, perms):
|
|
||||||
@@ -816,7 +822,7 @@ class Require(Leaf):
|
|
||||||
s.append("\tclass %s %s;" % (obj_class, perms.to_space_str()))
|
|
||||||
for role in self.roles:
|
|
||||||
s.append("\trole %s;" % role)
|
|
||||||
- for bool in self.bools:
|
|
||||||
+ for bool in self.data:
|
|
||||||
s.append("\tbool %s;" % bool)
|
|
||||||
for user in self.users:
|
|
||||||
s.append("\tuser %s;" % user)
|
|
@ -1,13 +1,13 @@
|
|||||||
%define libauditver 2.1.3-4
|
%define libauditver 2.1.3-4
|
||||||
%define libsepolver 2.1.7-4
|
%define libsepolver 2.1.8-1
|
||||||
%define libsemanagever 2.1.8-4
|
%define libsemanagever 2.1.9-1
|
||||||
%define libselinuxver 2.1.11-4
|
%define libselinuxver 2.1.12-1
|
||||||
%define sepolgenver 1.1.7
|
%define sepolgenver 1.1.8
|
||||||
|
|
||||||
Summary: SELinux policy core utilities
|
Summary: SELinux policy core utilities
|
||||||
Name: policycoreutils
|
Name: policycoreutils
|
||||||
Version: 2.1.12
|
Version: 2.1.13
|
||||||
Release: 6%{?dist}
|
Release: 1%{?dist}
|
||||||
License: GPLv2
|
License: GPLv2
|
||||||
Group: System Environment/Base
|
Group: System Environment/Base
|
||||||
# Based on git repository with tag 20101221
|
# Based on git repository with tag 20101221
|
||||||
@ -23,7 +23,7 @@ Source7: selinux-polgengui.console
|
|||||||
Source8: policycoreutils_man_ru2.tar.bz2
|
Source8: policycoreutils_man_ru2.tar.bz2
|
||||||
Source10: restorecond.service
|
Source10: restorecond.service
|
||||||
Patch: policycoreutils-rhat.patch
|
Patch: policycoreutils-rhat.patch
|
||||||
Patch4: policycoreutils-sepolgen.patch
|
#Patch4: policycoreutils-sepolgen.patch
|
||||||
Obsoletes: policycoreutils < 2.0.61-2
|
Obsoletes: policycoreutils < 2.0.61-2
|
||||||
Conflicts: filesystem < 3
|
Conflicts: filesystem < 3
|
||||||
Provides: /sbin/fixfiles
|
Provides: /sbin/fixfiles
|
||||||
@ -64,7 +64,7 @@ context.
|
|||||||
%prep
|
%prep
|
||||||
%setup -q -a 1
|
%setup -q -a 1
|
||||||
%patch -p2 -b .rhat
|
%patch -p2 -b .rhat
|
||||||
%patch4 -p2 -b .sepolgen -d sepolgen-%{sepolgenver}
|
#%patch4 -p2 -b .sepolgen -d sepolgen-%{sepolgenver}
|
||||||
|
|
||||||
%build
|
%build
|
||||||
make LSPP_PRIV=y SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" CFLAGS="%{optflags} -fPIE" LDFLAGS="-pie -Wl,-z,relro" all
|
make LSPP_PRIV=y SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" CFLAGS="%{optflags} -fPIE" LDFLAGS="-pie -Wl,-z,relro" all
|
||||||
@ -340,6 +340,49 @@ fi
|
|||||||
%{_bindir}/systemctl try-restart restorecond.service >/dev/null 2>&1 || :
|
%{_bindir}/systemctl try-restart restorecond.service >/dev/null 2>&1 || :
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Thu Sep 13 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.12-1
|
||||||
|
- Update to upstream
|
||||||
|
* genhomedircon: manual page improvements
|
||||||
|
* setfiles/restorecon minor improvements
|
||||||
|
* run_init: If open_init_pty is not available then just use exec
|
||||||
|
* newrole: do not drop capabilities when newrole is run as
|
||||||
|
* restorecon: only update type by default
|
||||||
|
* scripts: Don't syslog setfiles changes on a fixfiles restore
|
||||||
|
* setfiles: do not syslog if no changes
|
||||||
|
* Disable user restorecond by default
|
||||||
|
* Make restorecon return 0 when a file has changed context
|
||||||
|
* setfiles: Fix process_glob error handling
|
||||||
|
* semanage: allow enable/disable under -m
|
||||||
|
* add .tx to gitignore
|
||||||
|
* translations: commit translations from Fedora community
|
||||||
|
* po: silence build process
|
||||||
|
* gui: Checking in policy to support polgengui and sepolgen.
|
||||||
|
* gui: polgen: search for systemd subpackage when generating policy
|
||||||
|
* gui: for exploring booleans
|
||||||
|
* gui: system-config-selinux gui
|
||||||
|
* Add Makefiles to support new gui code
|
||||||
|
* gui: remove lockdown wizard
|
||||||
|
* return equivalency records in fcontext customized
|
||||||
|
* semanage: option to not load new policy into kernel after
|
||||||
|
* sandbox: manpage update to describe standard types
|
||||||
|
* setsebool: -N should not reload policy on changes
|
||||||
|
* semodule: Add -N qualifier to no reload kernel policy
|
||||||
|
* gui: polgen: sort selinux types of user controls
|
||||||
|
* gui: polgen: follow symlinks and get the real path to
|
||||||
|
* gui: Fix missing error function
|
||||||
|
* setfiles: return errors when bad paths are given
|
||||||
|
* fixfiles: tell restorecon to ignore missing paths
|
||||||
|
* setsebool: error when setting multiple options
|
||||||
|
* semanage: use boolean subs.
|
||||||
|
* sandbox: Make sure Xephyr never listens on tcp ports
|
||||||
|
* sepolgen: return and output constraint violation information
|
||||||
|
* semanage: skip comments while reading external configuration files
|
||||||
|
* restorecond: relabel all mount runtime files in the restorecond example
|
||||||
|
* genhomedircon: dynamically create genhomedircon
|
||||||
|
* Allow returning of bastard matches
|
||||||
|
* sepolgen: return and output constraint violation information
|
||||||
|
* audit2allow: one role/type pair per line
|
||||||
|
|
||||||
* Wed Aug 8 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.11-6
|
* Wed Aug 8 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.11-6
|
||||||
- Change polgen to generate dbus apps as optional so they can compile on minimal policy system, patch from Miroslav Grepl
|
- Change polgen to generate dbus apps as optional so they can compile on minimal policy system, patch from Miroslav Grepl
|
||||||
|
|
||||||
|
4
sources
4
sources
@ -1,3 +1,3 @@
|
|||||||
59d33101d57378ce69889cc078addf90 policycoreutils_man_ru2.tar.bz2
|
59d33101d57378ce69889cc078addf90 policycoreutils_man_ru2.tar.bz2
|
||||||
3c815de58ad31221802931cb9aa1ab28 policycoreutils-2.1.12.tgz
|
381607ecf76bcb9397286143c93071cb sepolgen-1.1.8.tgz
|
||||||
ee3b0481920390f1fee7e2ec2c424b02 sepolgen-1.1.7.tgz
|
5e77fd08ecced60753647675502dc75a policycoreutils-2.1.13.tgz
|
||||||
|
Loading…
Reference in New Issue
Block a user