diff --git a/.cvsignore b/.cvsignore
index 06eedfc..6c601e2 100644
--- a/.cvsignore
+++ b/.cvsignore
@@ -46,3 +46,4 @@ policycoreutils-1.25.4.tgz
 policycoreutils-1.25.5.tgz
 policycoreutils-1.25.6.tgz
 policycoreutils-1.25.7.tgz
+policycoreutils-1.25.9.tgz
diff --git a/policycoreutils-rhat.patch b/policycoreutils-rhat.patch
index ad12b7e..034256e 100644
--- a/policycoreutils-rhat.patch
+++ b/policycoreutils-rhat.patch
@@ -1,24 +1,169 @@
-diff --exclude-from=exclude -N -u -r nsapolicycoreutils/restorecon/restorecon.c policycoreutils-1.25.7/restorecon/restorecon.c
---- nsapolicycoreutils/restorecon/restorecon.c 2005-07-27 09:58:39.000000000 -0400
-+++ policycoreutils-1.25.7/restorecon/restorecon.c 2005-08-26 14:20:10.000000000 -0400
-@@ -186,7 +186,7 @@
- freecon(scontext);
- return 0;
- }
-- retcontext=lgetfilecon(filename,&prev_context);
-+ retcontext=lgetfilecon_raw(filename,&prev_context);
-
- if (retcontext >= 0 || errno == ENODATA) {
- int customizable=0;
-diff --exclude-from=exclude -N -u -r nsapolicycoreutils/setfiles/setfiles.c policycoreutils-1.25.7/setfiles/setfiles.c
---- nsapolicycoreutils/setfiles/setfiles.c 2005-04-11 16:00:46.000000000 -0400
-+++ policycoreutils-1.25.7/setfiles/setfiles.c 2005-08-26 14:20:28.000000000 -0400
-@@ -285,7 +285,7 @@
- }
+diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/fixfiles policycoreutils-1.25.7/scripts/fixfiles
+--- nsapolicycoreutils/scripts/fixfiles 2005-08-25 16:18:08.000000000 -0400
++++ policycoreutils-1.25.7/scripts/fixfiles 2005-08-26 16:05:39.000000000 -0400
+@@ -61,7 +61,11 @@
+ if [ -f ${PREFC} -a -x /usr/bin/diff ]; then
+ TEMPFILE=`mktemp ${FC}.XXXXXXXXXX`
+ test -z "$TEMPFILE" && exit
+- /usr/bin/diff $PREFC $FC | grep '^[<>]'|cut -c3-| grep ^/ | \
++ PREFCTEMPFILE=`mktemp ${PREFC}.XXXXXXXXXX`
++ sed -r -e 's,:s0[[:space:]], ,g' $PREFC > ${PREFCTEMPFILE}
++ sed -r -e 's,:s0[[:space:]], ,g' $FC | \
++ /usr/bin/diff -b ${PREFCTEMPFILE} - | \
++ grep '^[<>]'|cut -c3-| grep ^/ | \
+ egrep -v '(^/home|^/root|^/tmp|^/dev)' |\
+ sed -r -e 's,[[:blank:]].*,,g' \
+ -e 's|\(([/[:alnum:]]+)\)\?|{\1,}|g' \
+@@ -85,7 +89,7 @@
+ while read pattern ; do find $pattern \( -fstype ext2 -o -fstype ext3 -o -fstype jfs -o -fstype xfs \) -print; done 2> /dev/null | \
+ egrep -v '(^/home|^/root|^/tmp|^/dev)' |\
+ ${RESTORECON} $2 -v -f -
+- rm -f ${TEMPFILE}
++ rm -f ${TEMPFILE} ${PREFCTEMPFILE}
+ fi
+ }
+ #
+--- nsapolicycoreutils/semodule_package/Makefile 2005-07-28 09:46:02.000000000 -0400
++++ policycoreutils-1.25.7/semodule_package/Makefile 2005-08-30 10:31:41.000000000 -0400
+@@ -3,6 +3,7 @@
+ INCLUDEDIR ?= $(PREFIX)/include
+ BINDIR ?= $(PREFIX)/bin
+ LIBDIR ?= ${PREFIX}/lib
++SELINUXDIR ?= ${DESTDIR}/etc/selinux

- /* Get the current context of the file. */
-- ret = lgetfilecon(my_file, &context);
-+ ret = lgetfilecon_raw(my_file, &context);
- if (ret < 0) {
- if (errno == ENODATA) {
- context = malloc(10);
+ CFLAGS ?= -Werror -Wall -W
+ override CFLAGS += -I$(INCLUDEDIR)
+@@ -14,7 +15,9 @@
+
+ install: all
+ -mkdir -p $(BINDIR)
++ -mkdir -p $(SELINUXDIR)
+ install -m 755 semodule_package $(BINDIR)
++ install -m 640 semod.conf $(SELINUXDIR)/semod.conf
+
+ relabel:
+
+--- nsapolicycoreutils/semodule_package/semod.conf 1969-12-31 19:00:00.000000000 -0500
++++ policycoreutils-1.25.7/semodule_package/semod.conf 2005-08-30 10:24:54.000000000 -0400
+@@ -0,0 +1,96 @@
++# Authors: Jason Tang
++#
++# Copyright (C) 2004-2005 Tresys Technology, LLC
++#
++# This library is free software; you can redistribute it and/or
++# modify it under the terms of the GNU Lesser General Public
++# License as published by the Free Software Foundation; either
++# version 2.1 of the License, or (at your option) any later version.
++#
++# This library is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
++# Lesser General Public License for more details.
++#
++# You should have received a copy of the GNU Lesser General Public
++# License along with this library; if not, write to the Free Software
++# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
++
++# Specify how libsemanage will interact with the module store. The three
++# options are:
++#
++# "direct" - libsemanage will write directly to the store.
++# /foo/bar - Write by way of a policy server, whose named socket
++# is at /foo/bar. The path must begin with a '/'.
++# foo.com:4242 - Establish a TCP connection to a remote policy server
++# at foo.com. If there is a colon then the remainder
++# is interpreted as a port number; otherwise default
++# to port 4242.
++module-store = direct
++
++# When generating the final linked and expanded policy, by default
++# semodule will set the policy version to POLICYDB_VERSION_MAX, as
++# given in . Change this setting if a different
++# version is necessary.
++#policy-version = 19
++
++# After a policy has been created this library will attempt to load it
++# by calling the load_policy utility. If there are special
++# requirements (e.g., read booleans from a certain file) then add them
++# here. Below are the default values. Within 'args', the special
++# sequence "$@" will be replaced with the policy filename.
++#[load_policy]
++#path = /usr/sbin/load_policy
++#args = -b $@
++#[end]
++
++# In addition to loading a policy libsemanage will validate file contexts
++# by calling the setfiles utility. As above, "$@" will be replaced
++# with the policy filename. In addition "$<" will be replaced with
++# the file contexts filename.
++#[setfiles]
++#path = /usr/sbin/setfiles
++#args = -q -c $@ $<
++#[end]
++
++# Each program specified within a [verify] block is run during
++# committing. There are three types of verifies allowed: module,
++# linked, and kernel. Multiple verifies may exist for a stage; place
++# each program within its own [verify] block. For each stage the
++# programs are executed in the order given below. If a program ever
++# returns a non-zero value then the entire commit is aborted.
++#
++# Module verifies are executed for each source module prior to
++# linking. After they have been linked each link verifier is run
++# against the linked base module. Finally, each kernel verifier is
++# run against the final expanded kernel policy. If these verifiers
++# all exit with a return value of 0 then that kernel policy will be
++# loaded.
++#
++# 'path' gives a path the verificaton program. 'args' is any
++# free-form string that supplies command line arguments to the
++# verifier. Within args single quotes, double quotes, and backslashes
++# are metacharacters handled similarly to bash. Within 'args', the
++# special sequence "$@" will be replaced with a filename to the entity
++# being checked: source module for module verifiers, linked module for
++# linked, kernel policy for kernel. The sequence "$<" will be
++# replaced with the previous filename, if applicable. If an older
++# version does not exist "$<" expands to an empty string.
++#[verify module]
++#path = /usr/bin/some_module_verifier
++#args = -Wall -ansi -pedantic $@ $<
++#[end]
++
++#[verify module]
++#path = /another/module/verify/program
++#args = -With -some_more arguments
++#[end]
++
++#[verify linked]
++#path = /usr/local/bin/some_link_verifier
++#[end]
++
++#[verify kernel]
++#path = /usr/sbin/kernel_verifier
++#args = "some argument" "some other parameter" -k $@
++#[end]
+--- nsapolicycoreutils/setfiles/setfiles.8 2005-03-17 10:29:50.000000000 -0500
++++ policycoreutils-1.25.7/setfiles/setfiles.8 2005-08-29 12:52:49.000000000 -0400
+@@ -35,6 +35,9 @@
+ .B \-q
+ suppress non-error output.
+ .TP
++.B \-r
++use an alternate root path
++.TP
+ .B \-e directory
+ directory to exclude (repeat option for more than one directory.)
+ .TP
+--- nsapolicycoreutils/setfiles/setfiles.c 2005-04-11 16:00:46.000000000 -0400
++++ policycoreutils-1.25.7/setfiles/setfiles.c 2005-08-29 12:50:56.000000000 -0400
+@@ -198,8 +198,8 @@
+ void usage(const char * const name)
+ {
+ fprintf(stderr,
+- "usage: %s [-dnqvW] [-o filename] spec_file pathname...\n"
+- "usage: %s [-c policyfile] spec_file\n"
++ "usage: %s [-dnqvW] [-o filename] [-r alt_root_path ] spec_file pathname...\n"
++ "usage: %s -c policyfile spec_file\n"
+ "usage: %s -s [-dnqvW] [-o filename ] spec_file\n", name, name, name);
+ exit(1);
+ }
diff --git a/policycoreutils.spec b/policycoreutils.spec
index c5f4f0a..bc97797 100644
--- a/policycoreutils.spec
+++ b/policycoreutils.spec
@@ -1,18 +1,18 @@
-%define libselinuxver 1.25.4-1
-%define libsepolver 1.7.20-1
-%define libsemanagever 1.1.3-1
+%define libselinuxver 1.25.6-1
+%define libsepolver 1.7.24-1
+%define libsemanagever 1.1.4-1
 Summary: SELinux policy core utilities.
 Name: policycoreutils
-Version: 1.25.7
+Version: 1.25.9
 Release: 1
 License: GPL
 Group: System Environment/Base
 Source: http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz
-#Patch: policycoreutils-rhat.patch
+Patch: policycoreutils-rhat.patch
 BuildRequires: libselinux-devel >= %{libselinuxver} pam-devel libsepol-devel >= %{libsepolver} libsemanage-devel >= %{libsemanagever}
-Requires: libselinux >= %{libselinuxver} libsepol >= %{libsepolver}
+Requires: libselinux >= %{libselinuxver} libsepol >= %{libsepolver}
 BuildRoot: %{_tmppath}/%{name}-buildroot
@@ -35,6 +35,7 @@ context.
 %prep
 %setup -q
+%patch -p1 -b .rhat
 %build
 make LIBDIR="%{_libdir}" CFLAGS="%{optflags}" all
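Review bot: In the fixfiles hunk, the `mktemp ${PREFC}.XXXXXXXXXX` assignment to `PREFCTEMPFILE` has no failure check, while `TEMPFILE` two lines above is guarded by `test -z "$TEMPFILE" && exit`; if mktemp fails, the next `sed ... > ${PREFCTEMPFILE}` redirects to an empty name and `/usr/bin/diff -b ${PREFCTEMPFILE} -` runs with a missing operand, so mirror the existing guard with `test -z "$PREFCTEMPFILE" && exit` directly after the assignment. The substitution `s,:s0[[:space:]], ,g` only strips a `:s0` that is followed by whitespace on the same line; if the context is the last field of a file_contexts line (which seems to be the common layout, but is not visible here), the trailing `:s0` is never matched because sed's pattern space carries no newline, and `s,:s0([[:space:]]|$),\1,g` would cover both positions. The fixfiles shell function these lines belong to begins outside the inner hunk; only its closing `}` is visible in the second hunk. The same hunk's Makefile part installs `semod.conf` with `install -m 640`, which is the only place that restricts a file whose `[load_policy]`, `[setfiles]` and `[verify]` sections name the programs run during a policy commit, so that mode is worth keeping in step with the packaging entry for the file.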
@@ -83,10 +84,22 @@ rm -rf ${RPM_BUILD_ROOT}
 %{_mandir}/man1/audit2allow.1.gz
 %{_mandir}/man1/newrole.1.gz
 %config %{_sysconfdir}/pam.d/newrole
+%config %{_sysconfdir}/selinux/semod.conf
 %config %{_sysconfdir}/pam.d/run_init
 %config(noreplace) %{_sysconfdir}/sestatus.conf
 %changelog
+* Thu Sep 1 2005 Dan Walsh 1.25.9-1
+- Update to match NSA
+ * Changed setfiles -c to translate the context to raw format
+ prior to calling libsepol.
+
+* Fri Aug 26 2005 Dan Walsh 1.25.7-3
+- Use new version of libsemange and require it for install
+
+* Fri Aug 26 2005 Dan Walsh 1.25.7-2
+- Ignore s0 in file context
+
+* Thu Aug 25 2005 Dan Walsh 1.25.7-1
 - Update to match NSA
 * Merged patch for fixfiles -C from Dan Walsh.
diff --git a/sources b/sources
index 0aa6f52..e537d66 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-5139e99f462c5ae689f105d47adf0ce5 policycoreutils-1.25.7.tgz
+cefb5a0c070be495b8e0ab07229137a8 policycoreutils-1.25.9.tgz
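Review bot: The new `%config %{_sysconfdir}/selinux/semod.conf` entry is plain `%config`, whereas `sestatus.conf` two lines below uses `%config(noreplace)`; semod.conf is a file an administrator is expected to edit (`module-store`, the `[verify]` programs), and with plain `%config` an upgrade whose packaged copy differs replaces the edited file and leaves the local version as `.rpmsave`, which would revert `module-store` to `direct` without notice. The entry also carries no `%attr`, so the 0640 mode depends entirely on the `install -m 640` in the bundled patch's Makefile; since the file's `[load_policy]`, `[setfiles]` and `[verify]` sections decide which programs run during a policy commit, the ownership and mode are worth pinning in the spec itself: `%attr(0640,root,root) %config(noreplace) %{_sysconfdir}/selinux/semod.conf`.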