rpms/policycoreutils
5
0
Fork 0
Code Issues Pull Requests Releases Activity

import policycoreutils-3.2-8.el9_b

Browse Source
This commit is contained in:
CentOS Sources 2021-11-03 22:35:10 -04:00 committed by Stepan Oksanichenko
commit 80450ec647
35 changed files with 12638 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
.gitignore vendored Normal file
View File

@ -0,0 +1,7 @@
SOURCES/gui-po.tgz
SOURCES/policycoreutils-po.tgz
SOURCES/python-po.tgz
SOURCES/sandbox-po.tgz
SOURCES/selinux-3.2.tar.gz
SOURCES/sepolicy-icons.tgz
SOURCES/system-config-selinux.png

7
.policycoreutils.metadata Normal file
View File

@ -0,0 +1,7 @@
e0c82a8693936806c4289f865712ba0e8fc94f91 SOURCES/gui-po.tgz
c8279f87160e2ff16eb775287d529e5c49b19ae3 SOURCES/policycoreutils-po.tgz
606f854b945f4deae897770692707013b753b277 SOURCES/python-po.tgz
413495010fcab556e8ea9f226c67557a23cc1498 SOURCES/sandbox-po.tgz
a195626d0cf709f128cf2d1247079e6a075fa399 SOURCES/selinux-3.2.tar.gz
d849fa76cc3ef4a26047d8a69fef3a55d2f3097f SOURCES/sepolicy-icons.tgz
611a5d497efaddd45ec0dcc3e9b2e5b0f81ebc41 SOURCES/system-config-selinux.png

67
SOURCES/0001-policycoreutils-setfiles-do-not-create-useless-setfi.patch Normal file
View File

@ -0,0 +1,67 @@
From 6cfebe787e258c4c62dbf2018d0a08bc8b70e445 Mon Sep 17 00:00:00 2001
From: Ondrej Mosnacek <omosnace@redhat.com>
Date: Fri, 19 Mar 2021 22:30:59 +0100
Subject: [PATCH] policycoreutils/setfiles: do not create useless
setfiles.8.man file
Seems to have been there to allow for some sed substitution over the
text. Now that this is gone, the redundant intermediate file can be
removed, too.
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
---
policycoreutils/setfiles/.gitignore | 1 -
policycoreutils/setfiles/Makefile | 9 +++------
2 files changed, 3 insertions(+), 7 deletions(-)
delete mode 100644 policycoreutils/setfiles/.gitignore
diff --git a/policycoreutils/setfiles/.gitignore b/policycoreutils/setfiles/.gitignore
deleted file mode 100644
index 5e899c95af23..000000000000
--- a/policycoreutils/setfiles/.gitignore
+++ /dev/null
@@ -1 +0,0 @@
-setfiles.8.man
diff --git a/policycoreutils/setfiles/Makefile b/policycoreutils/setfiles/Makefile
index a3bbbe116b7f..63d818509791 100644
--- a/policycoreutils/setfiles/Makefile
+++ b/policycoreutils/setfiles/Makefile
@@ -13,7 +13,7 @@ ifeq ($(AUDITH), y)
override LDLIBS += -laudit
endif
-all: setfiles restorecon restorecon_xattr man
+all: setfiles restorecon restorecon_xattr
setfiles: setfiles.o restore.o
@@ -22,16 +22,13 @@ restorecon: setfiles
restorecon_xattr: restorecon_xattr.o restore.o
-man:
- @cp -af setfiles.8 setfiles.8.man
-
install: all
[ -d $(DESTDIR)$(MANDIR)/man8 ] || mkdir -p $(DESTDIR)$(MANDIR)/man8
-mkdir -p $(DESTDIR)$(SBINDIR)
install -m 755 setfiles $(DESTDIR)$(SBINDIR)
(cd $(DESTDIR)$(SBINDIR) && ln -sf setfiles restorecon)
install -m 755 restorecon_xattr $(DESTDIR)$(SBINDIR)
- install -m 644 setfiles.8.man $(DESTDIR)$(MANDIR)/man8/setfiles.8
+ install -m 644 setfiles.8 $(DESTDIR)$(MANDIR)/man8/setfiles.8
install -m 644 restorecon.8 $(DESTDIR)$(MANDIR)/man8/restorecon.8
install -m 644 restorecon_xattr.8 $(DESTDIR)$(MANDIR)/man8/restorecon_xattr.8
for lang in $(LINGUAS) ; do \
@@ -42,7 +39,7 @@ install: all
done
clean:
- rm -f setfiles restorecon restorecon_xattr *.o setfiles.8.man
+ rm -f setfiles restorecon restorecon_xattr *.o
indent:
../../scripts/Lindent $(wildcard *.[ch])
--
2.32.0

50
SOURCES/0002-fixfiles-do-not-exclude-dev-and-run-in-C-mode.patch Normal file
View File

@ -0,0 +1,50 @@
From 26a4c19ecff545324aa21eb0afbc3d10d3356313 Mon Sep 17 00:00:00 2001
From: Ondrej Mosnacek <omosnace@redhat.com>
Date: Mon, 1 Mar 2021 18:19:22 +0100
Subject: [PATCH] fixfiles: do not exclude /dev and /run in -C mode
I can't think of a good reason why they should be excluded. On the
contrary, excluding them can cause trouble very easily if some labeling
rules for these directories change. For example, we changed the label
for /dev/nvme* from nvme_device_t to fixed_disk_device_t in Fedora
(updating the allow rules accordingly) and after policy update they
ended up with an invalid context, causing denials.
Thus, remove /dev and /run from the excludes. While there, also add
/root to the basic excludes to match the regex that excludes fc rules
(that should be effectively no functional change).
I did a sanity check on my system by running `restorecon -nv /dev /run`
and it didn't report any label differences.
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Acked-by: Petr Lautrbach <plautrba@redhat.com>
---
policycoreutils/scripts/fixfiles | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles
index 30dadb4f4cb6..6fb12e0451a9 100755
--- a/policycoreutils/scripts/fixfiles
+++ b/policycoreutils/scripts/fixfiles
@@ -162,7 +162,7 @@ newer() {
#
diff_filecontext() {
EXCLUDEDIRS="`exclude_dirs_from_relabelling`"
-for i in /sys /proc /dev /run /mnt /var/tmp /var/lib/BackupPC /home /tmp /dev; do
+for i in /sys /proc /mnt /var/tmp /var/lib/BackupPC /home /root /tmp; do
[ -e $i ] && EXCLUDEDIRS="${EXCLUDEDIRS} -e $i";
done
LogExcluded
@@ -175,7 +175,7 @@ if [ -f ${PREFC} -a -x /usr/bin/diff ]; then
sed -r -e 's,:s0, ,g' $FC | sort -u | \
/usr/bin/diff -b ${PREFCTEMPFILE} - | \
grep '^[<>]'|cut -c3-| grep ^/ | \
- egrep -v '(^/home|^/root|^/tmp|^/dev)' |\
+ egrep -v '(^/home|^/root|^/tmp)' |\
sed -r -e 's,[[:blank:]].*,,g' \
-e 's|\(([/[:alnum:]]+)\)\?|{\1,}|g' \
-e 's|([/[:alnum:]])\?|{\1,}|g' \
--
2.32.0

49
SOURCES/0003-policycoreutils-silence-Wextra-semi-stmt-warning.patch Normal file
View File

@ -0,0 +1,49 @@
From e45bc870946ad3c984595a679df86b424f24d09d Mon Sep 17 00:00:00 2001
From: Nicolas Iooss <nicolas.iooss@m4x.org>
Date: Sat, 3 Jul 2021 16:31:21 +0200
Subject: [PATCH] policycoreutils: silence -Wextra-semi-stmt warning
On Ubuntu 20.04, when building with clang -Werror -Wextra-semi-stmt
(which is not the default build configuration), the compiler reports:
secon.c:686:3: error: empty expression statement has no effect;
remove unnecessary ';' to silence this warning
[-Werror,-Wextra-semi-stmt]
};
^
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
---
policycoreutils/newrole/newrole.c | 2 +-
policycoreutils/secon/secon.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/policycoreutils/newrole/newrole.c b/policycoreutils/newrole/newrole.c
index 36e2ba9c25d9..0264531acef4 100644
--- a/policycoreutils/newrole/newrole.c
+++ b/policycoreutils/newrole/newrole.c
@@ -96,7 +96,7 @@
#define USAGE_STRING "USAGE: newrole [ -r role ] [ -t type ] [ -l level ] [ -p ] [ -V ] [ -- args ]"
#ifdef USE_PAM
-#define PAM_SERVICE_CONFIG "/etc/selinux/newrole_pam.conf";
+#define PAM_SERVICE_CONFIG "/etc/selinux/newrole_pam.conf"
#endif
#define DEFAULT_PATH "/usr/bin:/bin"
diff --git a/policycoreutils/secon/secon.c b/policycoreutils/secon/secon.c
index d257a9a1ca6c..a0957d0914e1 100644
--- a/policycoreutils/secon/secon.c
+++ b/policycoreutils/secon/secon.c
@@ -683,7 +683,7 @@ static void disp_con(const char *scon_raw)
color.range_bg = strtok(NULL, " ");
color.valid = 1;
- };
+ }
if (!(con = context_new(scon)))
errx(EXIT_FAILURE, "Couldn't create context from: %s", scon);
--
2.32.0

33
SOURCES/0004-policycoreutils-free-memory-on-lstat-failure-in-sest.patch Normal file
View File

@ -0,0 +1,33 @@
From d8b9bd5c2a90d6855478f05c8fb38bd5df2733a2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
Date: Wed, 14 Jul 2021 20:13:41 +0200
Subject: [PATCH] policycoreutils: free memory on lstat failure in sestatus
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
In case lstat(3) fails the memory is not free'd at the end of the for
loop, due to the control flow change by continue.
Found by scan-build.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
policycoreutils/sestatus/sestatus.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/policycoreutils/sestatus/sestatus.c b/policycoreutils/sestatus/sestatus.c
index b37f03533afd..ceee0d523f9a 100644
--- a/policycoreutils/sestatus/sestatus.c
+++ b/policycoreutils/sestatus/sestatus.c
@@ -461,6 +461,7 @@ int main(int argc, char **argv)
("%s (could not check link status (%s)!)\n",
context, strerror(errno));
freecon(context);
+ free(fc[i]);
continue;
}
if (S_ISLNK(m.st_mode)) {
--
2.32.0

42
SOURCES/0005-policycoreutils-free-memory-of-allocated-context-in-.patch Normal file
View File

@ -0,0 +1,42 @@
From f0c354afc07419cfe4f61b72f604a648c995943e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
Date: Wed, 14 Jul 2021 20:13:42 +0200
Subject: [PATCH] policycoreutils: free memory of allocated context in run_init
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Found by scan-build.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
policycoreutils/run_init/run_init.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/policycoreutils/run_init/run_init.c b/policycoreutils/run_init/run_init.c
index 1c5eb68e7e73..545490a25918 100644
--- a/policycoreutils/run_init/run_init.c
+++ b/policycoreutils/run_init/run_init.c
@@ -406,14 +406,19 @@ int main(int argc, char *argv[])
if (chdir("/")) {
perror("chdir");
+ free(new_context);
exit(-1);
}
if (setexeccon(new_context) < 0) {
fprintf(stderr, _("Could not set exec context to %s.\n"),
new_context);
+ free(new_context);
exit(-1);
}
+
+ free(new_context);
+
if (access("/usr/sbin/open_init_pty", X_OK) != 0) {
if (execvp(argv[1], argv + 1)) {
perror("execvp");
--
2.32.0

30
SOURCES/0006-policycoreutils-free-memory-of-allocated-context-in-.patch Normal file
View File

@ -0,0 +1,30 @@
From 32611aea6543e3a8f32635857e37b4332b0b5c99 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
Date: Wed, 14 Jul 2021 20:13:43 +0200
Subject: [PATCH] policycoreutils: free memory of allocated context in newrole
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Found by scan-build.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
policycoreutils/newrole/newrole.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/policycoreutils/newrole/newrole.c b/policycoreutils/newrole/newrole.c
index 0264531acef4..7c1f062f5a2a 100644
--- a/policycoreutils/newrole/newrole.c
+++ b/policycoreutils/newrole/newrole.c
@@ -1239,6 +1239,7 @@ int main(int argc, char *argv[])
free(pw.pw_dir);
free(pw.pw_shell);
free(shell_argv0);
+ free(new_context);
return exit_code;
}
--
2.32.0

26
SOURCES/0007-sandbox-add-reset-to-Xephyr-as-it-works-better-with-.patch Normal file
View File

@ -0,0 +1,26 @@
From 6f2adee92a62777aa1a7371a23b4cb08b9a8ac7e Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Thu, 20 Aug 2015 12:58:41 +0200
Subject: [PATCH] sandbox: add -reset to Xephyr as it works better with it in
recent Fedoras
---
sandbox/sandboxX.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sandbox/sandboxX.sh b/sandbox/sandboxX.sh
index eaa500d08143..4774528027ef 100644
--- a/sandbox/sandboxX.sh
+++ b/sandbox/sandboxX.sh
@@ -20,7 +20,7 @@ cat > ~/.config/openbox/rc.xml << EOF
</openbox_config>
EOF
-(/usr/bin/Xephyr -resizeable -title "$TITLE" -terminate -screen $SCREENSIZE -dpi $DPI -nolisten tcp -displayfd 5 5>&1 2>/dev/null) | while read D; do
+(/usr/bin/Xephyr -resizeable -title "$TITLE" -terminate -reset -screen $SCREENSIZE -dpi $DPI -nolisten tcp -displayfd 5 5>&1 2>/dev/null) | while read D; do
export DISPLAY=:$D
cat > ~/seremote << __EOF
#!/bin/sh
--
2.32.0

46
SOURCES/0008-Fix-STANDARD_FILE_CONTEXT-section-in-man-pages.patch Normal file
View File

@ -0,0 +1,46 @@
From 31e28c2217b5ac4c12d60c97d08f0c062f0fce37 Mon Sep 17 00:00:00 2001
From: Dan Walsh <dwalsh@redhat.com>
Date: Mon, 21 Apr 2014 13:54:40 -0400
Subject: [PATCH] Fix STANDARD_FILE_CONTEXT section in man pages
Signed-off-by: Miroslav Grepl <mgrepl@redhat.com>
---
python/sepolicy/sepolicy/manpage.py | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
index 2f847abb87e2..dccd778ed4be 100755
--- a/python/sepolicy/sepolicy/manpage.py
+++ b/python/sepolicy/sepolicy/manpage.py
@@ -737,10 +737,13 @@ Default Defined Ports:""")
def _file_context(self):
flist = []
+ flist_non_exec = []
mpaths = []
for f in self.all_file_types:
if f.startswith(self.domainname):
flist.append(f)
+ if not file_type_is_executable(f) or not file_type_is_entrypoint(f):
+ flist_non_exec.append(f)
if f in self.fcdict:
mpaths = mpaths + self.fcdict[f]["regex"]
if len(mpaths) == 0:
@@ -799,12 +802,12 @@ SELinux %(domainname)s policy is very flexible allowing users to setup their %(d
SELinux defines the file context types for the %(domainname)s, if you wanted to
store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk.
-.B semanage fcontext -a -t %(type)s '/srv/%(domainname)s/content(/.*)?'
+.B semanage fcontext -a -t %(type)s '/srv/my%(domainname)s_content(/.*)?'
.br
.B restorecon -R -v /srv/my%(domainname)s_content
Note: SELinux often uses regular expressions to specify labels that match multiple files.
-""" % {'domainname': self.domainname, "type": flist[0]})
+""" % {'domainname': self.domainname, "type": flist_non_exec[-1]})
self.fd.write(r"""
.I The following file types are defined for %(domainname)s:
--
2.32.0

27
SOURCES/0009-If-there-is-no-executable-we-don-t-want-to-print-a-p.patch Normal file
View File

@ -0,0 +1,27 @@
From 8fafb8215dbd7affd299f7eb31a1677d7f367ee8 Mon Sep 17 00:00:00 2001
From: Miroslav Grepl <mgrepl@redhat.com>
Date: Mon, 12 May 2014 14:11:22 +0200
Subject: [PATCH] If there is no executable we don't want to print a part of
STANDARD FILE CONTEXT
---
python/sepolicy/sepolicy/manpage.py | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
index dccd778ed4be..81333928d552 100755
--- a/python/sepolicy/sepolicy/manpage.py
+++ b/python/sepolicy/sepolicy/manpage.py
@@ -795,7 +795,8 @@ SELinux %(domainname)s policy is very flexible allowing users to setup their %(d
.PP
""" % {'domainname': self.domainname, 'equiv': e, 'alt': e.split('/')[-1]})
- self.fd.write(r"""
+ if flist_non_exec:
+ self.fd.write(r"""
.PP
.B STANDARD FILE CONTEXT
--
2.32.0

169
SOURCES/0010-Simplication-of-sepolicy-manpage-web-functionality.-.patch Normal file
View File

@ -0,0 +1,169 @@
From 4492465658c7a81237cc753351b3c7bfe095e8f6 Mon Sep 17 00:00:00 2001
From: Miroslav Grepl <mgrepl@redhat.com>
Date: Thu, 19 Feb 2015 17:45:15 +0100
Subject: [PATCH] Simplication of sepolicy-manpage web functionality.
system_release is no longer hardcoded and it creates only index.html and html
man pages in the directory for the system release.
---
python/sepolicy/sepolicy/__init__.py | 25 +++--------
python/sepolicy/sepolicy/manpage.py | 65 +++-------------------------
2 files changed, 13 insertions(+), 77 deletions(-)
diff --git a/python/sepolicy/sepolicy/__init__.py b/python/sepolicy/sepolicy/__init__.py
index 7309875c7e27..37abc7b83a37 100644
--- a/python/sepolicy/sepolicy/__init__.py
+++ b/python/sepolicy/sepolicy/__init__.py
@@ -1215,27 +1215,14 @@ def boolean_desc(boolean):
def get_os_version():
- os_version = ""
- pkg_name = "selinux-policy"
+ system_release = ""
try:
- try:
- from commands import getstatusoutput
- except ImportError:
- from subprocess import getstatusoutput
- rc, output = getstatusoutput("rpm -q '%s'" % pkg_name)
- if rc == 0:
- os_version = output.split(".")[-2]
- except:
- os_version = ""
-
- if os_version[0:2] == "fc":
- os_version = "Fedora" + os_version[2:]
- elif os_version[0:2] == "el":
- os_version = "RHEL" + os_version[2:]
- else:
- os_version = ""
+ with open('/etc/system-release') as f:
+ system_release = f.readline()
+ except IOError:
+ system_release = "Misc"
- return os_version
+ return system_release
def reinit():
diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
index 81333928d552..dc3e5207c57c 100755
--- a/python/sepolicy/sepolicy/manpage.py
+++ b/python/sepolicy/sepolicy/manpage.py
@@ -151,10 +151,6 @@ def prettyprint(f, trim):
manpage_domains = []
manpage_roles = []
-fedora_releases = ["Fedora17", "Fedora18"]
-rhel_releases = ["RHEL6", "RHEL7"]
-
-
def get_alphabet_manpages(manpage_list):
alphabet_manpages = dict.fromkeys(string.ascii_letters, [])
for i in string.ascii_letters:
@@ -184,7 +180,7 @@ def convert_manpage_to_html(html_manpage, manpage):
class HTMLManPages:
"""
- Generate a HHTML Manpages on an given SELinux domains
+ Generate a HTML Manpages on an given SELinux domains
"""
def __init__(self, manpage_roles, manpage_domains, path, os_version):
@@ -192,9 +188,9 @@ class HTMLManPages:
self.manpage_domains = get_alphabet_manpages(manpage_domains)
self.os_version = os_version
self.old_path = path + "/"
- self.new_path = self.old_path + self.os_version + "/"
+ self.new_path = self.old_path
- if self.os_version in fedora_releases or self.os_version in rhel_releases:
+ if self.os_version:
self.__gen_html_manpages()
else:
print("SELinux HTML man pages can not be generated for this %s" % os_version)
@@ -203,7 +199,6 @@ class HTMLManPages:
def __gen_html_manpages(self):
self._write_html_manpage()
self._gen_index()
- self._gen_body()
self._gen_css()
def _write_html_manpage(self):
@@ -221,67 +216,21 @@ class HTMLManPages:
convert_manpage_to_html((self.new_path + r.rsplit("_selinux", 1)[0] + ".html"), self.old_path + r)
def _gen_index(self):
- index = self.old_path + "index.html"
- fd = open(index, 'w')
- fd.write("""
-<html>
-<head>
- <link rel=stylesheet type="text/css" href="style.css" title="style">
- <title>SELinux man pages online</title>
-</head>
-<body>
-<h1>SELinux man pages</h1>
-<br></br>
-Fedora or Red Hat Enterprise Linux Man Pages.</h2>
-<br></br>
-<hr>
-<h3>Fedora</h3>
-<table><tr>
-<td valign="middle">
-</td>
-</tr></table>
-<pre>
-""")
- for f in fedora_releases:
- fd.write("""
-<a href=%s/%s.html>%s</a> - SELinux man pages for %s """ % (f, f, f, f))
-
- fd.write("""
-</pre>
-<hr>
-<h3>RHEL</h3>
-<table><tr>
-<td valign="middle">
-</td>
-</tr></table>
-<pre>
-""")
- for r in rhel_releases:
- fd.write("""
-<a href=%s/%s.html>%s</a> - SELinux man pages for %s """ % (r, r, r, r))
-
- fd.write("""
-</pre>
- """)
- fd.close()
- print("%s has been created" % index)
-
- def _gen_body(self):
html = self.new_path + self.os_version + ".html"
fd = open(html, 'w')
fd.write("""
<html>
<head>
- <link rel=stylesheet type="text/css" href="../style.css" title="style">
- <title>Linux man-pages online for Fedora18</title>
+ <link rel=stylesheet type="text/css" href="style.css" title="style">
+ <title>SELinux man pages online</title>
</head>
<body>
-<h1>SELinux man pages for Fedora18</h1>
+<h1>SELinux man pages for %s</h1>
<hr>
<table><tr>
<td valign="middle">
<h3>SELinux roles</h3>
-""")
+""" % self.os_version)
for letter in self.manpage_roles:
if len(self.manpage_roles[letter]):
fd.write("""
--
2.32.0

26
SOURCES/0011-We-want-to-remove-the-trailing-newline-for-etc-syste.patch Normal file
View File

@ -0,0 +1,26 @@
From 18d06e7f84adad94efe1823a2fdccf62b04bf396 Mon Sep 17 00:00:00 2001
From: Miroslav Grepl <mgrepl@redhat.com>
Date: Fri, 20 Feb 2015 16:42:01 +0100
Subject: [PATCH] We want to remove the trailing newline for
/etc/system_release.
---
python/sepolicy/sepolicy/__init__.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/python/sepolicy/sepolicy/__init__.py b/python/sepolicy/sepolicy/__init__.py
index 37abc7b83a37..481c5d86232f 100644
--- a/python/sepolicy/sepolicy/__init__.py
+++ b/python/sepolicy/sepolicy/__init__.py
@@ -1218,7 +1218,7 @@ def get_os_version():
system_release = ""
try:
with open('/etc/system-release') as f:
- system_release = f.readline()
+ system_release = f.readline().rstrip()
except IOError:
system_release = "Misc"
--
2.32.0

25
SOURCES/0012-Fix-title-in-manpage.py-to-not-contain-online.patch Normal file
View File

@ -0,0 +1,25 @@
From ddf7238fa3579a64145ed092b3a023d60cd2847c Mon Sep 17 00:00:00 2001
From: Miroslav Grepl <mgrepl@redhat.com>
Date: Fri, 20 Feb 2015 16:42:53 +0100
Subject: [PATCH] Fix title in manpage.py to not contain 'online'.
---
python/sepolicy/sepolicy/manpage.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
index dc3e5207c57c..6420ebe2e08e 100755
--- a/python/sepolicy/sepolicy/manpage.py
+++ b/python/sepolicy/sepolicy/manpage.py
@@ -222,7 +222,7 @@ class HTMLManPages:
<html>
<head>
<link rel=stylesheet type="text/css" href="style.css" title="style">
- <title>SELinux man pages online</title>
+ <title>SELinux man pages</title>
</head>
<body>
<h1>SELinux man pages for %s</h1>
--
2.32.0

24
SOURCES/0013-Don-t-be-verbose-if-you-are-not-on-a-tty.patch Normal file
View File

@ -0,0 +1,24 @@
From fb7fb754e2c4d8931a5834e34ef88dfaf764bb8f Mon Sep 17 00:00:00 2001
From: Dan Walsh <dwalsh@redhat.com>
Date: Fri, 14 Feb 2014 12:32:12 -0500
Subject: [PATCH] Don't be verbose if you are not on a tty
---
policycoreutils/scripts/fixfiles | 1 +
1 file changed, 1 insertion(+)
diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles
index 6fb12e0451a9..cb20002ab613 100755
--- a/policycoreutils/scripts/fixfiles
+++ b/policycoreutils/scripts/fixfiles
@@ -108,6 +108,7 @@ exclude_dirs_from_relabelling() {
fullFlag=0
BOOTTIME=""
VERBOSE="-p"
+[ -t 1 ] || VERBOSE=""
FORCEFLAG=""
RPMFILES=""
PREFC=""
--
2.32.0

63
SOURCES/0014-sepolicy-Drop-old-interface-file_type_is_executable-.patch Normal file
View File

@ -0,0 +1,63 @@
From 7d68ca4cc7ab8bcdf65194a58b7db63914228494 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Mon, 27 Feb 2017 17:12:39 +0100
Subject: [PATCH] sepolicy: Drop old interface file_type_is_executable(f) and
file_type_is_entrypoint(f)
- use direct queries
- load exec_types and entry_types only once
---
python/sepolicy/sepolicy/manpage.py | 22 ++++++++++++++++++++--
1 file changed, 20 insertions(+), 2 deletions(-)
diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
index 6420ebe2e08e..d15522135288 100755
--- a/python/sepolicy/sepolicy/manpage.py
+++ b/python/sepolicy/sepolicy/manpage.py
@@ -127,8 +127,24 @@ def gen_domains():
domains.sort()
return domains
-types = None
+exec_types = None
+
+def _gen_exec_types():
+ global exec_types
+ if exec_types is None:
+ exec_types = next(sepolicy.info(sepolicy.ATTRIBUTE, "exec_type"))["types"]
+ return exec_types
+
+entry_types = None
+
+def _gen_entry_types():
+ global entry_types
+ if entry_types is None:
+ entry_types = next(sepolicy.info(sepolicy.ATTRIBUTE, "entry_type"))["types"]
+ return entry_types
+
+types = None
def _gen_types():
global types
@@ -374,6 +390,8 @@ class ManPage:
self.all_file_types = sepolicy.get_all_file_types()
self.role_allows = sepolicy.get_all_role_allows()
self.types = _gen_types()
+ self.exec_types = _gen_exec_types()
+ self.entry_types = _gen_entry_types()
if self.source_files:
self.fcpath = self.root + "file_contexts"
@@ -691,7 +709,7 @@ Default Defined Ports:""")
for f in self.all_file_types:
if f.startswith(self.domainname):
flist.append(f)
- if not file_type_is_executable(f) or not file_type_is_entrypoint(f):
+ if not f in self.exec_types or not f in self.entry_types:
flist_non_exec.append(f)
if f in self.fcdict:
mpaths = mpaths + self.fcdict[f]["regex"]
--
2.32.0

53
SOURCES/0015-sepolicy-Another-small-optimization-for-mcs-types.patch Normal file
View File

@ -0,0 +1,53 @@
From 54d85eb009defdf93b24cf0131b88179490b56a2 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Tue, 28 Feb 2017 21:29:46 +0100
Subject: [PATCH] sepolicy: Another small optimization for mcs types
---
python/sepolicy/sepolicy/manpage.py | 16 +++++++++++-----
1 file changed, 11 insertions(+), 5 deletions(-)
diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
index d15522135288..ffcedb547993 100755
--- a/python/sepolicy/sepolicy/manpage.py
+++ b/python/sepolicy/sepolicy/manpage.py
@@ -144,6 +144,15 @@ def _gen_entry_types():
entry_types = next(sepolicy.info(sepolicy.ATTRIBUTE, "entry_type"))["types"]
return entry_types
+mcs_constrained_types = None
+
+def _gen_mcs_constrained_types():
+ global mcs_constrained_types
+ if mcs_constrained_types is None:
+ mcs_constrained_types = next(sepolicy.info(sepolicy.ATTRIBUTE, "mcs_constrained_type"))
+ return mcs_constrained_types
+
+
types = None
def _gen_types():
@@ -392,6 +401,7 @@ class ManPage:
self.types = _gen_types()
self.exec_types = _gen_exec_types()
self.entry_types = _gen_entry_types()
+ self.mcs_constrained_types = _gen_mcs_constrained_types()
if self.source_files:
self.fcpath = self.root + "file_contexts"
@@ -946,11 +956,7 @@ All executables with the default executable label, usually stored in /usr/bin an
%s""" % ", ".join(paths))
def _mcs_types(self):
- try:
- mcs_constrained_type = next(sepolicy.info(sepolicy.ATTRIBUTE, "mcs_constrained_type"))
- except StopIteration:
- return
- if self.type not in mcs_constrained_type['types']:
+ if self.type not in self.mcs_constrained_types['types']:
return
self.fd.write ("""
.SH "MCS Constrained"
--
2.32.0

515
SOURCES/0016-Move-po-translation-files-into-the-right-sub-directo.patch Normal file
View File

@ -0,0 +1,515 @@
From a8c4ac47f370e319c434fe1e6afcfae83d7390e9 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Mon, 6 Aug 2018 13:23:00 +0200
Subject: [PATCH] Move po/ translation files into the right sub-directories
When policycoreutils was split into policycoreutils/ python/ gui/ and sandbox/
sub-directories, po/ translation files stayed in policycoreutils/.
This commit split original policycoreutils/po directory into
policycoreutils/po
python/po
gui/po
sandbox/po
See https://github.com/fedora-selinux/selinux/issues/43
---
gui/Makefile | 3 ++
gui/po/Makefile | 82 ++++++++++++++++++++++++++++++++++++
gui/po/POTFILES | 17 ++++++++
policycoreutils/po/Makefile | 70 ++-----------------------------
policycoreutils/po/POTFILES | 9 ++++
python/Makefile | 2 +-
python/po/Makefile | 83 +++++++++++++++++++++++++++++++++++++
python/po/POTFILES | 10 +++++
sandbox/Makefile | 2 +
sandbox/po/Makefile | 82 ++++++++++++++++++++++++++++++++++++
sandbox/po/POTFILES | 1 +
11 files changed, 293 insertions(+), 68 deletions(-)
create mode 100644 gui/po/Makefile
create mode 100644 gui/po/POTFILES
create mode 100644 policycoreutils/po/POTFILES
create mode 100644 python/po/Makefile
create mode 100644 python/po/POTFILES
create mode 100644 sandbox/po/Makefile
create mode 100644 sandbox/po/POTFILES
diff --git a/gui/Makefile b/gui/Makefile
index ca965c942912..5a5bf6dcae19 100644
--- a/gui/Makefile
+++ b/gui/Makefile
@@ -22,6 +22,7 @@ system-config-selinux.ui \
usersPage.py
all: $(TARGETS) system-config-selinux.py polgengui.py
+ (cd po && $(MAKE) $@)
install: all
-mkdir -p $(DESTDIR)$(MANDIR)/man8
@@ -54,6 +55,8 @@ install: all
install -m 644 sepolicy_$${i}.png $(DESTDIR)$(DATADIR)/icons/hicolor/$${i}x$${i}/apps/sepolicy.png; \
done
install -m 644 org.selinux.config.policy $(DESTDIR)$(DATADIR)/polkit-1/actions/
+ (cd po && $(MAKE) $@)
+
clean:
indent:
diff --git a/gui/po/Makefile b/gui/po/Makefile
new file mode 100644
index 000000000000..a0f5439f2d1c
--- /dev/null
+++ b/gui/po/Makefile
@@ -0,0 +1,82 @@
+#
+# Makefile for the PO files (translation) catalog
+#
+
+PREFIX ?= /usr
+
+# What is this package?
+NLSPACKAGE = gui
+POTFILE = $(NLSPACKAGE).pot
+INSTALL = /usr/bin/install -c -p
+INSTALL_DATA = $(INSTALL) -m 644
+INSTALL_DIR = /usr/bin/install -d
+
+# destination directory
+INSTALL_NLS_DIR = $(PREFIX)/share/locale
+
+# PO catalog handling
+MSGMERGE = msgmerge
+MSGMERGE_FLAGS = -q
+XGETTEXT = xgettext --default-domain=$(NLSPACKAGE)
+MSGFMT = msgfmt
+
+# All possible linguas
+PO_LINGUAS := $(sort $(patsubst %.po,%,$(wildcard *.po)))
+
+# Only the files matching what the user has set in LINGUAS
+USER_LINGUAS := $(filter $(patsubst %,%%,$(LINGUAS)),$(PO_LINGUAS))
+
+# if no valid LINGUAS, build all languages
+USE_LINGUAS := $(if $(USER_LINGUAS),$(USER_LINGUAS),$(PO_LINGUAS))
+
+POFILES = $(patsubst %,%.po,$(USE_LINGUAS))
+MOFILES = $(patsubst %.po,%.mo,$(POFILES))
+POTFILES = $(shell cat POTFILES)
+
+#default:: clean
+
+all:: $(MOFILES)
+
+$(POTFILE): $(POTFILES)
+ $(XGETTEXT) --keyword=_ --keyword=N_ $(POTFILES)
+ @if cmp -s $(NLSPACKAGE).po $(POTFILE); then \
+ rm -f $(NLSPACKAGE).po; \
+ else \
+ mv -f $(NLSPACKAGE).po $(POTFILE); \
+ fi; \
+
+
+refresh-po: Makefile
+ for cat in $(POFILES); do \
+ lang=`basename $$cat .po`; \
+ if $(MSGMERGE) $(MSGMERGE_FLAGS) $$lang.po $(POTFILE) > $$lang.pot ; then \
+ mv -f $$lang.pot $$lang.po ; \
+ echo "$(MSGMERGE) of $$lang succeeded" ; \
+ else \
+ echo "$(MSGMERGE) of $$lang failed" ; \
+ rm -f $$lang.pot ; \
+ fi \
+ done
+
+clean:
+ @rm -fv *mo *~ .depend
+ @rm -rf tmp
+
+install: $(MOFILES)
+ @for n in $(MOFILES); do \
+ l=`basename $$n .mo`; \
+ $(INSTALL_DIR) $(DESTDIR)$(INSTALL_NLS_DIR)/$$l/LC_MESSAGES; \
+ $(INSTALL_DATA) --verbose $$n $(DESTDIR)$(INSTALL_NLS_DIR)/$$l/LC_MESSAGES/selinux-$(NLSPACKAGE).mo; \
+ done
+
+%.mo: %.po
+ $(MSGFMT) -o $@ $<
+report:
+ @for cat in $(wildcard *.po); do \
+ echo -n "$$cat: "; \
+ msgfmt -v --statistics -o /dev/null $$cat; \
+ done
+
+.PHONY: missing depend
+
+relabel:
diff --git a/gui/po/POTFILES b/gui/po/POTFILES
new file mode 100644
index 000000000000..1795c5c1951b
--- /dev/null
+++ b/gui/po/POTFILES
@@ -0,0 +1,17 @@
+../booleansPage.py
+../domainsPage.py
+../fcontextPage.py
+../loginsPage.py
+../modulesPage.py
+../org.selinux.config.policy
+../polgengui.py
+../polgen.ui
+../portsPage.py
+../selinux-polgengui.desktop
+../semanagePage.py
+../sepolicy.desktop
+../statusPage.py
+../system-config-selinux.desktop
+../system-config-selinux.py
+../system-config-selinux.ui
+../usersPage.py
diff --git a/policycoreutils/po/Makefile b/policycoreutils/po/Makefile
index 575e143122e6..18bc1dff8d1f 100644
--- a/policycoreutils/po/Makefile
+++ b/policycoreutils/po/Makefile
@@ -3,7 +3,6 @@
#
PREFIX ?= /usr
-TOP = ../..
# What is this package?
NLSPACKAGE = policycoreutils
@@ -32,74 +31,13 @@ USE_LINGUAS := $(if $(USER_LINGUAS),$(USER_LINGUAS),$(PO_LINGUAS))
POFILES = $(patsubst %,%.po,$(USE_LINGUAS))
MOFILES = $(patsubst %.po,%.mo,$(POFILES))
-POTFILES = \
- ../run_init/open_init_pty.c \
- ../run_init/run_init.c \
- ../semodule_link/semodule_link.c \
- ../audit2allow/audit2allow \
- ../semanage/seobject.py \
- ../setsebool/setsebool.c \
- ../newrole/newrole.c \
- ../load_policy/load_policy.c \
- ../sestatus/sestatus.c \
- ../semodule/semodule.c \
- ../setfiles/setfiles.c \
- ../semodule_package/semodule_package.c \
- ../semodule_deps/semodule_deps.c \
- ../semodule_expand/semodule_expand.c \
- ../scripts/chcat \
- ../scripts/fixfiles \
- ../restorecond/stringslist.c \
- ../restorecond/restorecond.h \
- ../restorecond/utmpwatcher.h \
- ../restorecond/stringslist.h \
- ../restorecond/restorecond.c \
- ../restorecond/utmpwatcher.c \
- ../gui/booleansPage.py \
- ../gui/fcontextPage.py \
- ../gui/loginsPage.py \
- ../gui/mappingsPage.py \
- ../gui/modulesPage.py \
- ../gui/polgen.glade \
- ../gui/polgengui.py \
- ../gui/portsPage.py \
- ../gui/semanagePage.py \
- ../gui/statusPage.py \
- ../gui/system-config-selinux.glade \
- ../gui/system-config-selinux.py \
- ../gui/usersPage.py \
- ../secon/secon.c \
- booleans.py \
- ../sepolicy/sepolicy.py \
- ../sepolicy/sepolicy/communicate.py \
- ../sepolicy/sepolicy/__init__.py \
- ../sepolicy/sepolicy/network.py \
- ../sepolicy/sepolicy/generate.py \
- ../sepolicy/sepolicy/sepolicy.glade \
- ../sepolicy/sepolicy/gui.py \
- ../sepolicy/sepolicy/manpage.py \
- ../sepolicy/sepolicy/transition.py \
- ../sepolicy/sepolicy/templates/executable.py \
- ../sepolicy/sepolicy/templates/__init__.py \
- ../sepolicy/sepolicy/templates/network.py \
- ../sepolicy/sepolicy/templates/rw.py \
- ../sepolicy/sepolicy/templates/script.py \
- ../sepolicy/sepolicy/templates/semodule.py \
- ../sepolicy/sepolicy/templates/tmp.py \
- ../sepolicy/sepolicy/templates/user.py \
- ../sepolicy/sepolicy/templates/var_lib.py \
- ../sepolicy/sepolicy/templates/var_log.py \
- ../sepolicy/sepolicy/templates/var_run.py \
- ../sepolicy/sepolicy/templates/var_spool.py
+POTFILES = $(shell cat POTFILES)
#default:: clean
-all:: $(MOFILES)
+all:: $(POTFILE) $(MOFILES)
-booleans.py:
- sepolicy booleans -a > booleans.py
-
-$(POTFILE): $(POTFILES) booleans.py
+$(POTFILE): $(POTFILES)
$(XGETTEXT) --keyword=_ --keyword=N_ $(POTFILES)
@if cmp -s $(NLSPACKAGE).po $(POTFILE); then \
rm -f $(NLSPACKAGE).po; \
@@ -107,8 +45,6 @@ $(POTFILE): $(POTFILES) booleans.py
mv -f $(NLSPACKAGE).po $(POTFILE); \
fi; \
-update-po: Makefile $(POTFILE) refresh-po
- @rm -f booleans.py
refresh-po: Makefile
for cat in $(POFILES); do \
diff --git a/policycoreutils/po/POTFILES b/policycoreutils/po/POTFILES
new file mode 100644
index 000000000000..12237dc61ee4
--- /dev/null
+++ b/policycoreutils/po/POTFILES
@@ -0,0 +1,9 @@
+../run_init/open_init_pty.c
+../run_init/run_init.c
+../setsebool/setsebool.c
+../newrole/newrole.c
+../load_policy/load_policy.c
+../sestatus/sestatus.c
+../semodule/semodule.c
+../setfiles/setfiles.c
+../secon/secon.c
diff --git a/python/Makefile b/python/Makefile
index 9b66d52fbd4d..00312dbdb5c6 100644
--- a/python/Makefile
+++ b/python/Makefile
@@ -1,4 +1,4 @@
-SUBDIRS = sepolicy audit2allow semanage sepolgen chcat
+SUBDIRS = sepolicy audit2allow semanage sepolgen chcat po
all install relabel clean indent test:
@for subdir in $(SUBDIRS); do \
diff --git a/python/po/Makefile b/python/po/Makefile
new file mode 100644
index 000000000000..4e052d5a2bd7
--- /dev/null
+++ b/python/po/Makefile
@@ -0,0 +1,83 @@
+#
+# Makefile for the PO files (translation) catalog
+#
+
+PREFIX ?= /usr
+
+# What is this package?
+NLSPACKAGE = python
+POTFILE = $(NLSPACKAGE).pot
+INSTALL = /usr/bin/install -c -p
+INSTALL_DATA = $(INSTALL) -m 644
+INSTALL_DIR = /usr/bin/install -d
+
+# destination directory
+INSTALL_NLS_DIR = $(PREFIX)/share/locale
+
+# PO catalog handling
+MSGMERGE = msgmerge
+MSGMERGE_FLAGS = -q
+XGETTEXT = xgettext --default-domain=$(NLSPACKAGE)
+MSGFMT = msgfmt
+
+# All possible linguas
+PO_LINGUAS := $(sort $(patsubst %.po,%,$(wildcard *.po)))
+
+# Only the files matching what the user has set in LINGUAS
+USER_LINGUAS := $(filter $(patsubst %,%%,$(LINGUAS)),$(PO_LINGUAS))
+
+# if no valid LINGUAS, build all languages
+USE_LINGUAS := $(if $(USER_LINGUAS),$(USER_LINGUAS),$(PO_LINGUAS))
+
+POFILES = $(patsubst %,%.po,$(USE_LINGUAS))
+MOFILES = $(patsubst %.po,%.mo,$(POFILES))
+POTFILES = $(shell cat POTFILES)
+
+#default:: clean
+
+all:: $(MOFILES)
+
+$(POTFILE): $(POTFILES)
+ $(XGETTEXT) -L Python --keyword=_ --keyword=N_ $(POTFILES)
+ $(XGETTEXT) -j --keyword=_ --keyword=N_ ../sepolicy/sepolicy/sepolicy.glade
+ @if cmp -s $(NLSPACKAGE).po $(POTFILE); then \
+ rm -f $(NLSPACKAGE).po; \
+ else \
+ mv -f $(NLSPACKAGE).po $(POTFILE); \
+ fi; \
+
+
+refresh-po: Makefile
+ for cat in $(POFILES); do \
+ lang=`basename $$cat .po`; \
+ if $(MSGMERGE) $(MSGMERGE_FLAGS) $$lang.po $(POTFILE) > $$lang.pot ; then \
+ mv -f $$lang.pot $$lang.po ; \
+ echo "$(MSGMERGE) of $$lang succeeded" ; \
+ else \
+ echo "$(MSGMERGE) of $$lang failed" ; \
+ rm -f $$lang.pot ; \
+ fi \
+ done
+
+clean:
+ @rm -fv *mo *~ .depend
+ @rm -rf tmp
+
+install: $(MOFILES)
+ @for n in $(MOFILES); do \
+ l=`basename $$n .mo`; \
+ $(INSTALL_DIR) $(DESTDIR)$(INSTALL_NLS_DIR)/$$l/LC_MESSAGES; \
+ $(INSTALL_DATA) --verbose $$n $(DESTDIR)$(INSTALL_NLS_DIR)/$$l/LC_MESSAGES/selinux-$(NLSPACKAGE).mo; \
+ done
+
+%.mo: %.po
+ $(MSGFMT) -o $@ $<
+report:
+ @for cat in $(wildcard *.po); do \
+ echo -n "$$cat: "; \
+ msgfmt -v --statistics -o /dev/null $$cat; \
+ done
+
+.PHONY: missing depend
+
+relabel:
diff --git a/python/po/POTFILES b/python/po/POTFILES
new file mode 100644
index 000000000000..128eb870a69e
--- /dev/null
+++ b/python/po/POTFILES
@@ -0,0 +1,10 @@
+../audit2allow/audit2allow
+../chcat/chcat
+../semanage/semanage
+../semanage/seobject.py
+../sepolgen/src/sepolgen/interfaces.py
+../sepolicy/sepolicy/generate.py
+../sepolicy/sepolicy/gui.py
+../sepolicy/sepolicy/__init__.py
+../sepolicy/sepolicy/interface.py
+../sepolicy/sepolicy.py
diff --git a/sandbox/Makefile b/sandbox/Makefile
index 9da5e58db9e6..b817824e2102 100644
--- a/sandbox/Makefile
+++ b/sandbox/Makefile
@@ -13,6 +13,7 @@ override LDLIBS += -lselinux -lcap-ng
SEUNSHARE_OBJS = seunshare.o
all: sandbox seunshare sandboxX.sh start
+ (cd po && $(MAKE) $@)
seunshare: $(SEUNSHARE_OBJS)
@@ -39,6 +40,7 @@ install: all
install -m 755 start $(DESTDIR)$(SHAREDIR)
-mkdir -p $(DESTDIR)$(SYSCONFDIR)
install -m 644 sandbox.conf $(DESTDIR)$(SYSCONFDIR)/sandbox
+ (cd po && $(MAKE) $@)
test:
@$(PYTHON) test_sandbox.py -v
diff --git a/sandbox/po/Makefile b/sandbox/po/Makefile
new file mode 100644
index 000000000000..0556bbe953f0
--- /dev/null
+++ b/sandbox/po/Makefile
@@ -0,0 +1,82 @@
+#
+# Makefile for the PO files (translation) catalog
+#
+
+PREFIX ?= /usr
+
+# What is this package?
+NLSPACKAGE = sandbox
+POTFILE = $(NLSPACKAGE).pot
+INSTALL = /usr/bin/install -c -p
+INSTALL_DATA = $(INSTALL) -m 644
+INSTALL_DIR = /usr/bin/install -d
+
+# destination directory
+INSTALL_NLS_DIR = $(PREFIX)/share/locale
+
+# PO catalog handling
+MSGMERGE = msgmerge
+MSGMERGE_FLAGS = -q
+XGETTEXT = xgettext -L Python --default-domain=$(NLSPACKAGE)
+MSGFMT = msgfmt
+
+# All possible linguas
+PO_LINGUAS := $(sort $(patsubst %.po,%,$(wildcard *.po)))
+
+# Only the files matching what the user has set in LINGUAS
+USER_LINGUAS := $(filter $(patsubst %,%%,$(LINGUAS)),$(PO_LINGUAS))
+
+# if no valid LINGUAS, build all languages
+USE_LINGUAS := $(if $(USER_LINGUAS),$(USER_LINGUAS),$(PO_LINGUAS))
+
+POFILES = $(patsubst %,%.po,$(USE_LINGUAS))
+MOFILES = $(patsubst %.po,%.mo,$(POFILES))
+POTFILES = $(shell cat POTFILES)
+
+#default:: clean
+
+all:: $(POTFILE) $(MOFILES)
+
+$(POTFILE): $(POTFILES)
+ $(XGETTEXT) --keyword=_ --keyword=N_ $(POTFILES)
+ @if cmp -s $(NLSPACKAGE).po $(POTFILE); then \
+ rm -f $(NLSPACKAGE).po; \
+ else \
+ mv -f $(NLSPACKAGE).po $(POTFILE); \
+ fi; \
+
+
+refresh-po: Makefile
+ for cat in $(POFILES); do \
+ lang=`basename $$cat .po`; \
+ if $(MSGMERGE) $(MSGMERGE_FLAGS) $$lang.po $(POTFILE) > $$lang.pot ; then \
+ mv -f $$lang.pot $$lang.po ; \
+ echo "$(MSGMERGE) of $$lang succeeded" ; \
+ else \
+ echo "$(MSGMERGE) of $$lang failed" ; \
+ rm -f $$lang.pot ; \
+ fi \
+ done
+
+clean:
+ @rm -fv *mo *~ .depend
+ @rm -rf tmp
+
+install: $(MOFILES)
+ @for n in $(MOFILES); do \
+ l=`basename $$n .mo`; \
+ $(INSTALL_DIR) $(DESTDIR)$(INSTALL_NLS_DIR)/$$l/LC_MESSAGES; \
+ $(INSTALL_DATA) --verbose $$n $(DESTDIR)$(INSTALL_NLS_DIR)/$$l/LC_MESSAGES/selinux-$(NLSPACKAGE).mo; \
+ done
+
+%.mo: %.po
+ $(MSGFMT) -o $@ $<
+report:
+ @for cat in $(wildcard *.po); do \
+ echo -n "$$cat: "; \
+ msgfmt -v --statistics -o /dev/null $$cat; \
+ done
+
+.PHONY: missing depend
+
+relabel:
diff --git a/sandbox/po/POTFILES b/sandbox/po/POTFILES
new file mode 100644
index 000000000000..deff3f2f4656
--- /dev/null
+++ b/sandbox/po/POTFILES
@@ -0,0 +1 @@
+../sandbox
--
2.32.0

306
SOURCES/0017-Use-correct-gettext-domains-in-python-gui-sandbox.patch Normal file
View File

@ -0,0 +1,306 @@
From ea70711fce9127c7dd3146bc8161086f97745d11 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Mon, 6 Aug 2018 13:37:07 +0200
Subject: [PATCH] Use correct gettext domains in python/ gui/ sandbox/
https://github.com/fedora-selinux/selinux/issues/43
---
gui/booleansPage.py | 2 +-
gui/domainsPage.py | 2 +-
gui/fcontextPage.py | 2 +-
gui/loginsPage.py | 2 +-
gui/modulesPage.py | 2 +-
gui/polgengui.py | 2 +-
gui/portsPage.py | 2 +-
gui/semanagePage.py | 2 +-
gui/statusPage.py | 2 +-
gui/system-config-selinux.py | 2 +-
gui/usersPage.py | 2 +-
python/chcat/chcat | 2 +-
python/semanage/semanage | 2 +-
python/semanage/seobject.py | 2 +-
python/sepolgen/src/sepolgen/sepolgeni18n.py | 2 +-
python/sepolicy/sepolicy.py | 2 +-
python/sepolicy/sepolicy/__init__.py | 2 +-
python/sepolicy/sepolicy/generate.py | 2 +-
python/sepolicy/sepolicy/gui.py | 2 +-
python/sepolicy/sepolicy/interface.py | 2 +-
sandbox/sandbox | 2 +-
21 files changed, 21 insertions(+), 21 deletions(-)
diff --git a/gui/booleansPage.py b/gui/booleansPage.py
index 7849bea26a06..dd12b6d6ab86 100644
--- a/gui/booleansPage.py
+++ b/gui/booleansPage.py
@@ -38,7 +38,7 @@ DISABLED = 2
##
## I18N
##
-PROGNAME = "policycoreutils"
+PROGNAME = "selinux-gui"
try:
import gettext
kwargs = {}
diff --git a/gui/domainsPage.py b/gui/domainsPage.py
index bad5140d8c59..6bbe4de5884f 100644
--- a/gui/domainsPage.py
+++ b/gui/domainsPage.py
@@ -30,7 +30,7 @@ from semanagePage import *
##
## I18N
##
-PROGNAME = "policycoreutils"
+PROGNAME = "selinux-gui"
try:
import gettext
kwargs = {}
diff --git a/gui/fcontextPage.py b/gui/fcontextPage.py
index d26aa1b405a9..52292cae01d2 100644
--- a/gui/fcontextPage.py
+++ b/gui/fcontextPage.py
@@ -47,7 +47,7 @@ class context:
##
## I18N
##
-PROGNAME = "policycoreutils"
+PROGNAME = "selinux-gui"
try:
import gettext
kwargs = {}
diff --git a/gui/loginsPage.py b/gui/loginsPage.py
index b67eb8bc42af..cbfb0cc23f65 100644
--- a/gui/loginsPage.py
+++ b/gui/loginsPage.py
@@ -29,7 +29,7 @@ from semanagePage import *
##
## I18N
##
-PROGNAME = "policycoreutils"
+PROGNAME = "selinux-gui"
try:
import gettext
kwargs = {}
diff --git a/gui/modulesPage.py b/gui/modulesPage.py
index 0584acf9b3a4..35a0129bab9c 100644
--- a/gui/modulesPage.py
+++ b/gui/modulesPage.py
@@ -30,7 +30,7 @@ from semanagePage import *
##
## I18N
##
-PROGNAME = "policycoreutils"
+PROGNAME = "selinux-gui"
try:
import gettext
kwargs = {}
diff --git a/gui/polgengui.py b/gui/polgengui.py
index d284ded65279..01f541bafae8 100644
--- a/gui/polgengui.py
+++ b/gui/polgengui.py
@@ -63,7 +63,7 @@ def get_all_modules():
##
## I18N
##
-PROGNAME = "policycoreutils"
+PROGNAME = "selinux-gui"
try:
import gettext
kwargs = {}
diff --git a/gui/portsPage.py b/gui/portsPage.py
index 30f58383bc1d..a537ecc8c0a1 100644
--- a/gui/portsPage.py
+++ b/gui/portsPage.py
@@ -35,7 +35,7 @@ from semanagePage import *
##
## I18N
##
-PROGNAME = "policycoreutils"
+PROGNAME = "selinux-gui"
try:
import gettext
kwargs = {}
diff --git a/gui/semanagePage.py b/gui/semanagePage.py
index 4127804fbbee..5361d69c1313 100644
--- a/gui/semanagePage.py
+++ b/gui/semanagePage.py
@@ -22,7 +22,7 @@ from gi.repository import Gdk, Gtk
##
## I18N
##
-PROGNAME = "policycoreutils"
+PROGNAME = "selinux-gui"
try:
import gettext
kwargs = {}
diff --git a/gui/statusPage.py b/gui/statusPage.py
index 766854b19cba..a8f079b9b163 100644
--- a/gui/statusPage.py
+++ b/gui/statusPage.py
@@ -35,7 +35,7 @@ RELABELFILE = "/.autorelabel"
##
## I18N
##
-PROGNAME = "policycoreutils"
+PROGNAME = "selinux-gui"
try:
import gettext
kwargs = {}
diff --git a/gui/system-config-selinux.py b/gui/system-config-selinux.py
index 3f70122b87e8..8c46c987b974 100644
--- a/gui/system-config-selinux.py
+++ b/gui/system-config-selinux.py
@@ -45,7 +45,7 @@ import selinux
##
## I18N
##
-PROGNAME = "policycoreutils"
+PROGNAME = "selinux-gui"
try:
import gettext
kwargs = {}
diff --git a/gui/usersPage.py b/gui/usersPage.py
index 26794ed5c3f3..d15d4c5a71dd 100644
--- a/gui/usersPage.py
+++ b/gui/usersPage.py
@@ -29,7 +29,7 @@ from semanagePage import *
##
## I18N
##
-PROGNAME = "policycoreutils"
+PROGNAME = "selinux-gui"
try:
import gettext
kwargs = {}
diff --git a/python/chcat/chcat b/python/chcat/chcat
index fdd2e46ee3f9..839ddd3b54b6 100755
--- a/python/chcat/chcat
+++ b/python/chcat/chcat
@@ -30,7 +30,7 @@ import getopt
import selinux
import seobject
-PROGNAME = "policycoreutils"
+PROGNAME = "selinux-python"
try:
import gettext
kwargs = {}
diff --git a/python/semanage/semanage b/python/semanage/semanage
index 18a2710531ca..0980aecb6311 100644
--- a/python/semanage/semanage
+++ b/python/semanage/semanage
@@ -30,7 +30,7 @@ import seobject
import sys
import traceback
-PROGNAME = "policycoreutils"
+PROGNAME = "selinux-python"
try:
import gettext
kwargs = {}
diff --git a/python/semanage/seobject.py b/python/semanage/seobject.py
index 6a14f7b47dd5..b51a7e3e7ca3 100644
--- a/python/semanage/seobject.py
+++ b/python/semanage/seobject.py
@@ -29,7 +29,7 @@ import sys
import stat
import socket
from semanage import *
-PROGNAME = "policycoreutils"
+PROGNAME = "selinux-python"
import sepolicy
import setools
import ipaddress
diff --git a/python/sepolgen/src/sepolgen/sepolgeni18n.py b/python/sepolgen/src/sepolgen/sepolgeni18n.py
index 998c4356415c..56ebd807c69c 100644
--- a/python/sepolgen/src/sepolgen/sepolgeni18n.py
+++ b/python/sepolgen/src/sepolgen/sepolgeni18n.py
@@ -19,7 +19,7 @@
try:
import gettext
- t = gettext.translation( 'yumex' )
+ t = gettext.translation( 'selinux-python' )
_ = t.gettext
except:
def _(str):
diff --git a/python/sepolicy/sepolicy.py b/python/sepolicy/sepolicy.py
index 7b2230651099..32956e58f52e 100755
--- a/python/sepolicy/sepolicy.py
+++ b/python/sepolicy/sepolicy.py
@@ -28,7 +28,7 @@ import sepolicy
from multiprocessing import Pool
from sepolicy import get_os_version, get_conditionals, get_conditionals_format_text
import argparse
-PROGNAME = "policycoreutils"
+PROGNAME = "selinux-python"
try:
import gettext
kwargs = {}
diff --git a/python/sepolicy/sepolicy/__init__.py b/python/sepolicy/sepolicy/__init__.py
index 481c5d86232f..df773a6b314e 100644
--- a/python/sepolicy/sepolicy/__init__.py
+++ b/python/sepolicy/sepolicy/__init__.py
@@ -13,7 +13,7 @@ import os
import re
import gzip
-PROGNAME = "policycoreutils"
+PROGNAME = "selinux-python"
try:
import gettext
kwargs = {}
diff --git a/python/sepolicy/sepolicy/generate.py b/python/sepolicy/sepolicy/generate.py
index 4e1ed4e9dc31..43180ca6fda4 100644
--- a/python/sepolicy/sepolicy/generate.py
+++ b/python/sepolicy/sepolicy/generate.py
@@ -48,7 +48,7 @@ import sepolgen.defaults as defaults
##
## I18N
##
-PROGNAME = "policycoreutils"
+PROGNAME = "selinux-python"
try:
import gettext
kwargs = {}
diff --git a/python/sepolicy/sepolicy/gui.py b/python/sepolicy/sepolicy/gui.py
index 1e86422b864a..c9ca158ddd09 100644
--- a/python/sepolicy/sepolicy/gui.py
+++ b/python/sepolicy/sepolicy/gui.py
@@ -41,7 +41,7 @@ import os
import re
import unicodedata
-PROGNAME = "policycoreutils"
+PROGNAME = "selinux-python"
try:
import gettext
kwargs = {}
diff --git a/python/sepolicy/sepolicy/interface.py b/python/sepolicy/sepolicy/interface.py
index bdffb770f364..9d40aea1498d 100644
--- a/python/sepolicy/sepolicy/interface.py
+++ b/python/sepolicy/sepolicy/interface.py
@@ -30,7 +30,7 @@ __all__ = ['get_all_interfaces', 'get_interfaces_from_xml', 'get_admin', 'get_us
##
## I18N
##
-PROGNAME = "policycoreutils"
+PROGNAME = "selinux-python"
try:
import gettext
kwargs = {}
diff --git a/sandbox/sandbox b/sandbox/sandbox
index ca5f1e030a51..16c43b51eaaa 100644
--- a/sandbox/sandbox
+++ b/sandbox/sandbox
@@ -37,7 +37,7 @@ import sepolicy
SEUNSHARE = "/usr/sbin/seunshare"
SANDBOXSH = "/usr/share/sandbox/sandboxX.sh"
-PROGNAME = "policycoreutils"
+PROGNAME = "selinux-sandbox"
try:
import gettext
kwargs = {}
--
2.32.0

4532
SOURCES/0018-Initial-.pot-files-for-gui-python-sandbox.patch Normal file
View File

File diff suppressed because it is too large Load Diff

30
SOURCES/0019-policycoreutils-setfiles-Improve-description-of-d-sw.patch Normal file
View File

@ -0,0 +1,30 @@
From 4ee71fa678b4a9ce85d2ec2f9ebf561c8c183124 Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com>
Date: Wed, 21 Mar 2018 08:51:31 +0100
Subject: [PATCH] policycoreutils/setfiles: Improve description of -d switch
The "-q" switch is becoming obsolete (completely unused in fedora) and
debug output ("-d" switch) makes sense in any scenario. Therefore both
options can be specified at once.
Resolves: rhbz#1271327
---
policycoreutils/setfiles/setfiles.8 | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policycoreutils/setfiles/setfiles.8 b/policycoreutils/setfiles/setfiles.8
index 4d28bc9a95c1..8e6c4ab94841 100644
--- a/policycoreutils/setfiles/setfiles.8
+++ b/policycoreutils/setfiles/setfiles.8
@@ -57,7 +57,7 @@ option will force a replacement of the entire context.
check the validity of the contexts against the specified binary policy.
.TP
.B \-d
-show what specification matched each file.
+show what specification matched each file. Not affected by "\-q".
.TP
.BI \-e \ directory
directory to exclude (repeat option for more than one directory).
--
2.32.0

71
SOURCES/0020-sepolicy-generate-Handle-more-reserved-port-types.patch Normal file
View File

@ -0,0 +1,71 @@
From c0137252dd3ce52f006162d7b1cb4677c45bea21 Mon Sep 17 00:00:00 2001
From: Masatake YAMATO <yamato@redhat.com>
Date: Thu, 14 Dec 2017 15:57:58 +0900
Subject: [PATCH] sepolicy-generate: Handle more reserved port types
Currently only reserved_port_t, port_t and hi_reserved_port_t are
handled as special when making a ports-dictionary. However, as fas as
corenetwork.te.in of serefpolicy, unreserved_port_t and
ephemeral_port_t should be handled in the same way, too.
(Details) I found the need of this change when I was using
selinux-polgengui. Though tcp port 12345, which my application may
use, was given to the gui, selinux-polgengui generates expected te
file and sh file which didn't utilize the tcp port.
selinux-polgengui checks whether a port given via gui is already typed
or not.
If it is already typed, selinux-polgengui generates a te file having
rules to allow the application to use the port. (A)
If not, it seems for me that selinux-polgengui is designed to generate
a te file having rules to allow the application to own(?) the port;
and a sh file having a command line to assign the application own type
to the port. (B)
As we can see the output of `semanage port -l' some of ports for
specified purpose have types already. The important point is that the
rest of ports also have types already:
hi_reserved_port_t tcp 512-1023
hi_reserved_port_t udp 512-1023
unreserved_port_t tcp 1024-32767, 61001-65535
unreserved_port_t udp 1024-32767, 61001-65535
ephemeral_port_t tcp 32768-61000
ephemeral_port_t udp 32768-61000
As my patch shows, the original selinux-polgengui ignored
hi_reserved_port_t; though hi_reserved_port_t is assigned,
selinux-polgengui considered ports 512-1023 are not used. As the
result selinux-polgengui generates file sets of (B).
For the purpose of selinux-polgengui, I think unreserved_port_t and
ephemeral_port_t are treated as the same as hi_reserved_port_t.
Signed-off-by: Masatake YAMATO <yamato@redhat.com>
Fedora only patch:
https://lore.kernel.org/selinux/20150610.190635.1866127952891120915.yamato@redhat.com/
---
python/sepolicy/sepolicy/generate.py | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/python/sepolicy/sepolicy/generate.py b/python/sepolicy/sepolicy/generate.py
index 43180ca6fda4..d60a08e1d72c 100644
--- a/python/sepolicy/sepolicy/generate.py
+++ b/python/sepolicy/sepolicy/generate.py
@@ -99,7 +99,9 @@ def get_all_ports():
for p in sepolicy.info(sepolicy.PORT):
if p['type'] == "reserved_port_t" or \
p['type'] == "port_t" or \
- p['type'] == "hi_reserved_port_t":
+ p['type'] == "hi_reserved_port_t" or \
+ p['type'] == "ephemeral_port_t" or \
+ p['type'] == "unreserved_port_t":
continue
dict[(p['low'], p['high'], p['protocol'])] = (p['type'], p.get('range'))
return dict
--
2.32.0

24
SOURCES/0021-semodule-utils-Fix-RESOURCE_LEAK-coverity-scan-defec.patch Normal file
View File

@ -0,0 +1,24 @@
From d6476f30ddaf384ed7f563ca4ad31cbfc7ad6bbd Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Thu, 8 Nov 2018 09:20:58 +0100
Subject: [PATCH] semodule-utils: Fix RESOURCE_LEAK coverity scan defects
---
semodule-utils/semodule_package/semodule_package.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/semodule-utils/semodule_package/semodule_package.c b/semodule-utils/semodule_package/semodule_package.c
index 3515234e36de..7b75b3fd9bb4 100644
--- a/semodule-utils/semodule_package/semodule_package.c
+++ b/semodule-utils/semodule_package/semodule_package.c
@@ -74,6 +74,7 @@ static int file_to_data(const char *path, char **data, size_t * len)
}
if (!sb.st_size) {
*len = 0;
+ close(fd);
return 0;
}
--
2.32.0

74
SOURCES/0022-sandbox-Use-matchbox-window-manager-instead-of-openb.patch Normal file
View File

@ -0,0 +1,74 @@
From d61a3517017921d6b6f4618e1de0c4f4a33fe951 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Wed, 18 Jul 2018 09:09:35 +0200
Subject: [PATCH] sandbox: Use matchbox-window-manager instead of openbox
---
sandbox/sandbox | 4 ++--
sandbox/sandbox.8 | 2 +-
sandbox/sandboxX.sh | 14 --------------
3 files changed, 3 insertions(+), 17 deletions(-)
diff --git a/sandbox/sandbox b/sandbox/sandbox
index 16c43b51eaaa..7709a6585665 100644
--- a/sandbox/sandbox
+++ b/sandbox/sandbox
@@ -268,7 +268,7 @@ class Sandbox:
copyfile(f, "/tmp", self.__tmpdir)
copyfile(f, "/var/tmp", self.__tmpdir)
- def __setup_sandboxrc(self, wm="/usr/bin/openbox"):
+ def __setup_sandboxrc(self, wm="/usr/bin/matchbox-window-manager"):
execfile = self.__homedir + "/.sandboxrc"
fd = open(execfile, "w+")
if self.__options.session:
@@ -362,7 +362,7 @@ sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [-
parser.add_option("-W", "--windowmanager", dest="wm",
type="string",
- default="/usr/bin/openbox",
+ default="/usr/bin/matchbox-window-manager",
help=_("alternate window manager"))
parser.add_option("-l", "--level", dest="level",
diff --git a/sandbox/sandbox.8 b/sandbox/sandbox.8
index d83fee76f335..90ef4951c8c2 100644
--- a/sandbox/sandbox.8
+++ b/sandbox/sandbox.8
@@ -77,7 +77,7 @@ Specifies the windowsize when creating an X based Sandbox. The default windowsiz
\fB\-W\fR \fB\-\-windowmanager\fR
Select alternative window manager to run within
.B sandbox \-X.
-Default to /usr/bin/openbox.
+Default to /usr/bin/matchbox-window-manager.
.TP
\fB\-X\fR
Create an X based Sandbox for gui apps, temporary files for
diff --git a/sandbox/sandboxX.sh b/sandbox/sandboxX.sh
index 4774528027ef..c211ebc14549 100644
--- a/sandbox/sandboxX.sh
+++ b/sandbox/sandboxX.sh
@@ -6,20 +6,6 @@ export TITLE="Sandbox $context -- `grep ^#TITLE: ~/.sandboxrc | /usr/bin/cut -b8
[ -z $2 ] && export DPI="96" || export DPI="$2"
trap "exit 0" HUP
-mkdir -p ~/.config/openbox
-cat > ~/.config/openbox/rc.xml << EOF
-<openbox_config xmlns="http://openbox.org/3.4/rc"
- xmlns:xi="http://www.w3.org/2001/XInclude">
-<applications>
- <application class="*">
- <decor>no</decor>
- <desktop>all</desktop>
- <maximized>yes</maximized>
- </application>
-</applications>
-</openbox_config>
-EOF
-
(/usr/bin/Xephyr -resizeable -title "$TITLE" -terminate -reset -screen $SCREENSIZE -dpi $DPI -nolisten tcp -displayfd 5 5>&1 2>/dev/null) | while read D; do
export DISPLAY=:$D
cat > ~/seremote << __EOF
--
2.32.0

46
SOURCES/0023-sepolicy-Fix-flake8-warnings-in-Fedora-only-code.patch Normal file
View File

@ -0,0 +1,46 @@
From 257d7d95f541bd4b85c518562278cdc4f928f8af Mon Sep 17 00:00:00 2001
From: Ondrej Mosnacek <omosnace@redhat.com>
Date: Tue, 28 Jul 2020 14:37:13 +0200
Subject: [PATCH] sepolicy: Fix flake8 warnings in Fedora-only code
Fixes:
$ PATH="$VIRTUAL_ENV/bin:$PATH" ./scripts/run-flake8
Analyzing 187 Python scripts
./installdir/usr/lib/python3.8/site-packages/sepolicy/manpage.py:720:20: E713 test for membership should be 'not in'
./installdir/usr/lib/python3.8/site-packages/sepolicy/manpage.py:774:17: E117 over-indented
./python/sepolicy/build/lib/sepolicy/manpage.py:720:20: E713 test for membership should be 'not in'
./python/sepolicy/build/lib/sepolicy/manpage.py:774:17: E117 over-indented
./python/sepolicy/sepolicy/manpage.py:720:20: E713 test for membership should be 'not in'
./python/sepolicy/sepolicy/manpage.py:774:17: E117 over-indented
The command "PATH="$VIRTUAL_ENV/bin:$PATH" ./scripts/run-flake8" exited with 1.
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
---
python/sepolicy/sepolicy/manpage.py | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
index ffcedb547993..c013c0d48502 100755
--- a/python/sepolicy/sepolicy/manpage.py
+++ b/python/sepolicy/sepolicy/manpage.py
@@ -719,7 +719,7 @@ Default Defined Ports:""")
for f in self.all_file_types:
if f.startswith(self.domainname):
flist.append(f)
- if not f in self.exec_types or not f in self.entry_types:
+ if f not in self.exec_types or f not in self.entry_types:
flist_non_exec.append(f)
if f in self.fcdict:
mpaths = mpaths + self.fcdict[f]["regex"]
@@ -773,7 +773,7 @@ SELinux %(domainname)s policy is very flexible allowing users to setup their %(d
""" % {'domainname': self.domainname, 'equiv': e, 'alt': e.split('/')[-1]})
if flist_non_exec:
- self.fd.write(r"""
+ self.fd.write(r"""
.PP
.B STANDARD FILE CONTEXT
--
2.32.0

217
SOURCES/0024-Do-not-use-Python-slip.patch Normal file
View File

@ -0,0 +1,217 @@
From 10a970733c5b31c237abd7357421384597fe0510 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Thu, 15 Apr 2021 17:39:39 +0200
Subject: [PATCH] Do not use Python slip
Python slip is not actively maintained anymore and it was use just as
polkit proxy. It looks like polkit dbus interface is quite simple to use
it directly via python dbus module.
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
---
dbus/selinux_server.py | 69 ++++++++++++++++++------------
python/sepolicy/sepolicy/sedbus.py | 9 ----
2 files changed, 41 insertions(+), 37 deletions(-)
diff --git a/dbus/selinux_server.py b/dbus/selinux_server.py
index be4f4557a9fa..b7c9378bcb5d 100644
--- a/dbus/selinux_server.py
+++ b/dbus/selinux_server.py
@@ -4,26 +4,33 @@ import dbus
import dbus.service
import dbus.mainloop.glib
from gi.repository import GObject
-import slip.dbus.service
-from slip.dbus import polkit
import os
import selinux
from subprocess import Popen, PIPE, STDOUT
-class selinux_server(slip.dbus.service.Object):
+class selinux_server(dbus.service.Object):
default_polkit_auth_required = "org.selinux.semanage"
def __init__(self, *p, **k):
super(selinux_server, self).__init__(*p, **k)
+ def is_authorized(self, sender, action_id):
+ bus = dbus.SystemBus()
+ proxy = bus.get_object('org.freedesktop.PolicyKit1', '/org/freedesktop/PolicyKit1/Authority')
+ authority = dbus.Interface(proxy, dbus_interface='org.freedesktop.PolicyKit1.Authority')
+ subject = ('system-bus-name', {'name': sender})
+ result = authority.CheckAuthorization(subject, action_id, {}, 1, '')
+ return result[0]
+
#
# The semanage method runs a transaction on a series of semanage commands,
# these commands can take the output of customized
#
- @slip.dbus.polkit.require_auth("org.selinux.semanage")
- @dbus.service.method("org.selinux", in_signature='s')
- def semanage(self, buf):
+ @dbus.service.method("org.selinux", in_signature='s', sender_keyword="sender")
+ def semanage(self, buf, sender):
+ if not self.is_authorized(sender, "org.selinux.semanage"):
+ raise dbus.exceptions.DBusException("Not authorized")
p = Popen(["/usr/sbin/semanage", "import"], stdout=PIPE, stderr=PIPE, stdin=PIPE, universal_newlines=True)
p.stdin.write(buf)
output = p.communicate()
@@ -35,9 +42,10 @@ class selinux_server(slip.dbus.service.Object):
# on the server. This output can be used with the semanage method on
# another server to make the two systems have duplicate policy.
#
- @slip.dbus.polkit.require_auth("org.selinux.customized")
- @dbus.service.method("org.selinux", in_signature='', out_signature='s')
- def customized(self):
+ @dbus.service.method("org.selinux", in_signature='', out_signature='s', sender_keyword="sender")
+ def customized(self, sender):
+ if not self.is_authorized(sender, "org.selinux.customized"):
+ raise dbus.exceptions.DBusException("Not authorized")
p = Popen(["/usr/sbin/semanage", "export"], stdout=PIPE, stderr=PIPE, universal_newlines=True)
buf = p.stdout.read()
output = p.communicate()
@@ -49,9 +57,10 @@ class selinux_server(slip.dbus.service.Object):
# The semodule_list method will return the output of semodule --list=full, using the customized polkit,
# since this is a readonly behaviour
#
- @slip.dbus.polkit.require_auth("org.selinux.semodule_list")
- @dbus.service.method("org.selinux", in_signature='', out_signature='s')
- def semodule_list(self):
+ @dbus.service.method("org.selinux", in_signature='', out_signature='s', sender_keyword="sender")
+ def semodule_list(self, sender):
+ if not self.is_authorized(sender, "org.selinux.semodule_list"):
+ raise dbus.exceptions.DBusException("Not authorized")
p = Popen(["/usr/sbin/semodule", "--list=full"], stdout=PIPE, stderr=PIPE, universal_newlines=True)
buf = p.stdout.read()
output = p.communicate()
@@ -62,25 +71,28 @@ class selinux_server(slip.dbus.service.Object):
#
# The restorecon method modifies any file path to the default system label
#
- @slip.dbus.polkit.require_auth("org.selinux.restorecon")
- @dbus.service.method("org.selinux", in_signature='s')
- def restorecon(self, path):
+ @dbus.service.method("org.selinux", in_signature='s', sender_keyword="sender")
+ def restorecon(self, path, sender):
+ if not self.is_authorized(sender, "org.selinux.restorecon"):
+ raise dbus.exceptions.DBusException("Not authorized")
selinux.restorecon(str(path), recursive=1)
#
# The setenforce method turns off the current enforcement of SELinux
#
- @slip.dbus.polkit.require_auth("org.selinux.setenforce")
- @dbus.service.method("org.selinux", in_signature='i')
- def setenforce(self, value):
+ @dbus.service.method("org.selinux", in_signature='i', sender_keyword="sender")
+ def setenforce(self, value, sender):
+ if not self.is_authorized(sender, "org.selinux.setenforce"):
+ raise dbus.exceptions.DBusException("Not authorized")
selinux.security_setenforce(value)
#
# The setenforce method turns off the current enforcement of SELinux
#
- @slip.dbus.polkit.require_auth("org.selinux.relabel_on_boot")
- @dbus.service.method("org.selinux", in_signature='i')
- def relabel_on_boot(self, value):
+ @dbus.service.method("org.selinux", in_signature='i', sender_keyword="sender")
+ def relabel_on_boot(self, value, sender):
+ if not self.is_authorized(sender, "org.selinux.relabel_on_boot"):
+ raise dbus.exceptions.DBusException("Not authorized")
if value == 1:
fd = open("/.autorelabel", "w")
fd.close()
@@ -111,9 +123,10 @@ class selinux_server(slip.dbus.service.Object):
#
# The change_default_enforcement modifies the current enforcement mode
#
- @slip.dbus.polkit.require_auth("org.selinux.change_default_mode")
- @dbus.service.method("org.selinux", in_signature='s')
- def change_default_mode(self, value):
+ @dbus.service.method("org.selinux", in_signature='s', sender_keyword="sender")
+ def change_default_mode(self, value, sender):
+ if not self.is_authorized(sender, "org.selinux.change_default_mode"):
+ raise dbus.exceptions.DBusException("Not authorized")
values = ["enforcing", "permissive", "disabled"]
if value not in values:
raise ValueError("Enforcement mode must be %s" % ", ".join(values))
@@ -122,9 +135,10 @@ class selinux_server(slip.dbus.service.Object):
#
# The change_default_policy method modifies the policy type
#
- @slip.dbus.polkit.require_auth("org.selinux.change_default_policy")
- @dbus.service.method("org.selinux", in_signature='s')
- def change_default_policy(self, value):
+ @dbus.service.method("org.selinux", in_signature='s', sender_keyword="sender")
+ def change_default_policy(self, value, sender):
+ if not self.is_authorized(sender, "org.selinux.change_default_policy"):
+ raise dbus.exceptions.DBusException("Not authorized")
path = selinux.selinux_path() + value
if os.path.isdir(path):
return self.write_selinux_config(policy=value)
@@ -136,5 +150,4 @@ if __name__ == "__main__":
system_bus = dbus.SystemBus()
name = dbus.service.BusName("org.selinux", system_bus)
object = selinux_server(system_bus, "/org/selinux/object")
- slip.dbus.service.set_mainloop(mainloop)
mainloop.run()
diff --git a/python/sepolicy/sepolicy/sedbus.py b/python/sepolicy/sepolicy/sedbus.py
index 76b259ae27e8..39b53d47753a 100644
--- a/python/sepolicy/sepolicy/sedbus.py
+++ b/python/sepolicy/sepolicy/sedbus.py
@@ -2,7 +2,6 @@ import sys
import dbus
import dbus.service
import dbus.mainloop.glib
-from slip.dbus import polkit
class SELinuxDBus (object):
@@ -11,42 +10,34 @@ class SELinuxDBus (object):
self.bus = dbus.SystemBus()
self.dbus_object = self.bus.get_object("org.selinux", "/org/selinux/object")
- @polkit.enable_proxy
def semanage(self, buf):
ret = self.dbus_object.semanage(buf, dbus_interface="org.selinux")
return ret
- @polkit.enable_proxy
def restorecon(self, path):
ret = self.dbus_object.restorecon(path, dbus_interface="org.selinux")
return ret
- @polkit.enable_proxy
def setenforce(self, value):
ret = self.dbus_object.setenforce(value, dbus_interface="org.selinux")
return ret
- @polkit.enable_proxy
def customized(self):
ret = self.dbus_object.customized(dbus_interface="org.selinux")
return ret
- @polkit.enable_proxy
def semodule_list(self):
ret = self.dbus_object.semodule_list(dbus_interface="org.selinux")
return ret
- @polkit.enable_proxy
def relabel_on_boot(self, value):
ret = self.dbus_object.relabel_on_boot(value, dbus_interface="org.selinux")
return ret
- @polkit.enable_proxy
def change_default_mode(self, value):
ret = self.dbus_object.change_default_mode(value, dbus_interface="org.selinux")
return ret
- @polkit.enable_proxy
def change_default_policy(self, value):
ret = self.dbus_object.change_default_policy(value, dbus_interface="org.selinux")
return ret
--
2.32.0

45
SOURCES/0025-dbus-Use-GLib.MainLoop.patch Normal file
View File

@ -0,0 +1,45 @@
From 86be303a7c5ed5057d0357a85e27cdb6885122fe Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Wed, 12 May 2021 19:19:29 +0200
Subject: [PATCH] dbus: Use GLib.MainLoop()
Fixes:
PyGIDeprecationWarning: GObject.MainLoop is deprecated; use GLib.MainLoop instead
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
---
dbus/selinux_server.py | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/dbus/selinux_server.py b/dbus/selinux_server.py
index b7c9378bcb5d..a969f2268ceb 100644
--- a/dbus/selinux_server.py
+++ b/dbus/selinux_server.py
@@ -2,8 +2,9 @@
import dbus
import dbus.service
-import dbus.mainloop.glib
+from dbus.mainloop.glib import DBusGMainLoop
from gi.repository import GObject
+from gi.repository import GLib
import os
import selinux
from subprocess import Popen, PIPE, STDOUT
@@ -145,9 +146,10 @@ class selinux_server(dbus.service.Object):
raise ValueError("%s does not exist" % path)
if __name__ == "__main__":
- mainloop = GObject.MainLoop()
- dbus.mainloop.glib.DBusGMainLoop(set_as_default=True)
+ DBusGMainLoop(set_as_default=True)
+ mainloop = GLib.MainLoop()
+
system_bus = dbus.SystemBus()
name = dbus.service.BusName("org.selinux", system_bus)
- object = selinux_server(system_bus, "/org/selinux/object")
+ server = selinux_server(system_bus, "/org/selinux/object")
mainloop.run()
--
2.32.0

297
SOURCES/0026-Use-SHA-2-instead-of-SHA-1.patch Normal file
View File

@ -0,0 +1,297 @@
From 23337de69ad667d909964ba82f47f5166903ff50 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Fri, 30 Jul 2021 14:14:37 +0200
Subject: [PATCH] Use SHA-2 instead of SHA-1
The use of SHA-1 in RHEL9 is deprecated
---
policycoreutils/setfiles/restorecon.8 | 10 +++++-----
policycoreutils/setfiles/restorecon_xattr.8 | 8 ++++----
policycoreutils/setfiles/restorecon_xattr.c | 12 ++++++------
policycoreutils/setfiles/ru/restorecon.8 | 8 ++++----
policycoreutils/setfiles/ru/restorecon_xattr.8 | 10 +++++-----
policycoreutils/setfiles/ru/setfiles.8 | 8 ++++----
policycoreutils/setfiles/setfiles.8 | 10 +++++-----
7 files changed, 33 insertions(+), 33 deletions(-)
diff --git a/policycoreutils/setfiles/restorecon.8 b/policycoreutils/setfiles/restorecon.8
index 668486f66113..a8900f02b3f3 100644
--- a/policycoreutils/setfiles/restorecon.8
+++ b/policycoreutils/setfiles/restorecon.8
@@ -93,14 +93,14 @@ display usage information and exit.
ignore files that do not exist.
.TP
.B \-I
-ignore digest to force checking of labels even if the stored SHA1 digest
-matches the specfiles SHA1 digest. The digest will then be updated provided
+ignore digest to force checking of labels even if the stored SHA256 digest
+matches the specfiles SHA256 digest. The digest will then be updated provided
there are no errors. See the
.B NOTES
section for further details.
.TP
.B \-D
-Set or update any directory SHA1 digests. Use this option to
+Set or update any directory SHA256 digests. Use this option to
enable usage of the
.IR security.sehash
extended attribute.
@@ -191,7 +191,7 @@ the
.B \-D
option to
.B restorecon
-will cause it to store a SHA1 digest of the default specfiles set in an extended
+will cause it to store a SHA256 digest of the default specfiles set in an extended
attribute named
.IR security.sehash
on each directory specified in
@@ -208,7 +208,7 @@ for further details.
.sp
The
.B \-I
-option will ignore the SHA1 digest from each directory specified in
+option will ignore the SHA256 digest from each directory specified in
.IR pathname \ ...
and provided the
.B \-n
diff --git a/policycoreutils/setfiles/restorecon_xattr.8 b/policycoreutils/setfiles/restorecon_xattr.8
index e04528e60824..4b1ce304d995 100644
--- a/policycoreutils/setfiles/restorecon_xattr.8
+++ b/policycoreutils/setfiles/restorecon_xattr.8
@@ -23,7 +23,7 @@ or
.SH "DESCRIPTION"
.B restorecon_xattr
-will display the SHA1 digests added to extended attributes
+will display the SHA256 digests added to extended attributes
.I security.sehash
or delete the attribute completely. These attributes are set by
.BR restorecon (8)
@@ -48,12 +48,12 @@ extended attribute and are automatically excluded from searches.
.sp
By default
.B restorecon_xattr
-will display the SHA1 digests with "Match" appended if they match the default
+will display the SHA256 digests with "Match" appended if they match the default
specfile set or the
.I specfile
set used with the
.B \-f
-option. Non-matching SHA1 digests will be displayed with "No Match" appended.
+option. Non-matching SHA256 digests will be displayed with "No Match" appended.
This feature can be disabled by the
.B \-n
option.
@@ -87,7 +87,7 @@ Do not append "Match" or "No Match" to displayed digests.
recursively descend directories.
.TP
.B \-v
-display SHA1 digest generated by specfile set (Note that this digest is not
+display SHA256 digest generated by specfile set (Note that this digest is not
used to match the
.I security.sehash
directory digest entries, and is shown for reference only).
diff --git a/policycoreutils/setfiles/restorecon_xattr.c b/policycoreutils/setfiles/restorecon_xattr.c
index 31fb82fd2099..bc22d3fd4560 100644
--- a/policycoreutils/setfiles/restorecon_xattr.c
+++ b/policycoreutils/setfiles/restorecon_xattr.c
@@ -38,7 +38,7 @@ int main(int argc, char **argv)
unsigned int xattr_flags = 0, delete_digest = 0, recurse = 0;
unsigned int delete_all_digests = 0, ignore_mounts = 0;
bool display_digest = false;
- char *sha1_buf, **specfiles, *fc_file = NULL, *pathname = NULL;
+ char *sha256_buf, **specfiles, *fc_file = NULL, *pathname = NULL;
unsigned char *fc_digest = NULL;
size_t i, fc_digest_len = 0, num_specfiles;
@@ -133,8 +133,8 @@ int main(int argc, char **argv)
exit(-1);
}
- sha1_buf = malloc(fc_digest_len * 2 + 1);
- if (!sha1_buf) {
+ sha256_buf = malloc(fc_digest_len * 2 + 1);
+ if (!sha256_buf) {
fprintf(stderr,
"Error allocating digest buffer: %s\n",
strerror(errno));
@@ -143,16 +143,16 @@ int main(int argc, char **argv)
}
for (i = 0; i < fc_digest_len; i++)
- sprintf((&sha1_buf[i * 2]), "%02x", fc_digest[i]);
+ sprintf((&sha256_buf[i * 2]), "%02x", fc_digest[i]);
- printf("specfiles SHA1 digest: %s\n", sha1_buf);
+ printf("specfiles SHA256 digest: %s\n", sha256_buf);
printf("calculated using the following specfile(s):\n");
if (specfiles) {
for (i = 0; i < num_specfiles; i++)
printf("%s\n", specfiles[i]);
}
- free(sha1_buf);
+ free(sha256_buf);
printf("\n");
}
diff --git a/policycoreutils/setfiles/ru/restorecon.8 b/policycoreutils/setfiles/ru/restorecon.8
index 9be3a63db356..745135020f4b 100644
--- a/policycoreutils/setfiles/ru/restorecon.8
+++ b/policycoreutils/setfiles/ru/restorecon.8
@@ -82,11 +82,11 @@ restorecon \- восстановить SELinux-контексты безопас
игнорировать файлы, которые не существуют.
.TP
.B \-I
-игнорировать дайджест, чтобы принудительно проверить метки, даже если хранимый дайджест SHA1 соответствует дайджесту SHA1 файлов спецификации. Затем (при условии отсутствия ошибок) дайджест будет обновлён. Более подробные сведения доступны в разделе
+игнорировать дайджест, чтобы принудительно проверить метки, даже если хранимый дайджест SHA256 соответствует дайджесту SHA256 файлов спецификации. Затем (при условии отсутствия ошибок) дайджест будет обновлён. Более подробные сведения доступны в разделе
.B ПРИМЕЧАНИЯ.
.TP
.B \-D
-установить или обновить дайджесты SHA1 для любых каталогов. Используйте этот параметр, чтобы включить использование расширенного атрибута
+установить или обновить дайджесты SHA256 для любых каталогов. Используйте этот параметр, чтобы включить использование расширенного атрибута
.IR security.restorecon_last.
.TP
.B \-m
@@ -159,7 +159,7 @@ GNU
.B \-D
команды
.B restorecon
-обеспечит сохранение дайджеста SHA1 файлов спецификации по умолчанию в расширенном атрибуте с именем
+обеспечит сохранение дайджеста SHA256 файлов спецификации по умолчанию в расширенном атрибуте с именем
.IR security.restorecon_last
для каталогов, указанных в соответствующих путях
.IR pathname \ ...
@@ -173,7 +173,7 @@ GNU
.sp
Параметр
.B \-I
-позволяет игнорировать дайджест SHA1 из каждого каталога, указанного в
+позволяет игнорировать дайджест SHA256 из каждого каталога, указанного в
.IR pathname \ ...
, и, при условии, что НЕ установлен параметр
.B \-n
diff --git a/policycoreutils/setfiles/ru/restorecon_xattr.8 b/policycoreutils/setfiles/ru/restorecon_xattr.8
index 41c441b8c5c2..25c4c3033334 100644
--- a/policycoreutils/setfiles/ru/restorecon_xattr.8
+++ b/policycoreutils/setfiles/ru/restorecon_xattr.8
@@ -23,7 +23,7 @@ restorecon_xattr \- управление записями расширенных
.SH "ОПИСАНИЕ"
.B restorecon_xattr
-покажет дайджесты SHA1, добавленные в расширенные атрибуты
+покажет дайджесты SHA256, добавленные в расширенные атрибуты
.I security.restorecon_last,
или полностью удалит эти атрибуты. Эти атрибуты устанавливаются командой
.BR restorecon (8)
@@ -47,11 +47,11 @@ restorecon_xattr \- управление записями расширенных
.sp
По умолчанию
.B restorecon_xattr
-показывает дайджесты SHA1, добавляя в конце "Match", если они соответствуют установленному по умолчанию файлу спецификации или файлу спецификации
+показывает дайджесты SHA256, добавляя в конце "Match", если они соответствуют установленному по умолчанию файлу спецификации или файлу спецификации
.I specfile,
который установлен с помощью параметра
.B \-f.
-Несоответствующие дайджесты SHA1 будут показаны с добавлением "No Match" в конце.
+Несоответствующие дайджесты SHA256 будут показаны с добавлением "No Match" в конце.
Эту возможность можно отключить с помощью параметра
.B \-n.
@@ -81,7 +81,7 @@ restorecon_xattr \- управление записями расширенных
рекурсивно спускаться по каталогам.
.TP
.B \-v
-показать дайджест SHA1, созданный установленным файлом спецификации.
+показать дайджест SHA256, созданный установленным файлом спецификации.
.TP
.B \-e
.I directory
@@ -97,7 +97,7 @@ restorecon_xattr \- управление записями расширенных
.BR file_contexts (5).
Он будет использоваться
.BR selabel_open (3)
-для получения набора записей меток; получение дайджеста SHA1 выполняется с помощью
+для получения набора записей меток; получение дайджеста SHA256 выполняется с помощью
.BR selabel_digest (3).
Если этот параметр не указан, будет использоваться файл file_contexts по умолчанию.
diff --git a/policycoreutils/setfiles/ru/setfiles.8 b/policycoreutils/setfiles/ru/setfiles.8
index 910101452625..7f2daa09191b 100644
--- a/policycoreutils/setfiles/ru/setfiles.8
+++ b/policycoreutils/setfiles/ru/setfiles.8
@@ -69,11 +69,11 @@ setfiles \- установить SELinux-контексты безопаснос
игнорировать файлы, которые не существуют.
.TP
.B \-I
-игнорировать дайджест, чтобы принудительно проверить метки, даже если хранимый дайджест SHA1 соответствует дайджесту SHA1 файлов спецификации. Затем (при условии отсутствия ошибок) дайджест будет обновлён. Более подробные сведения доступны в разделе
+игнорировать дайджест, чтобы принудительно проверить метки, даже если хранимый дайджест SHA256 соответствует дайджесту SHA256 файлов спецификации. Затем (при условии отсутствия ошибок) дайджест будет обновлён. Более подробные сведения доступны в разделе
.B ПРИМЕЧАНИЯ.
.TP
.B \-D
-установить или обновить дайджесты SHA1 для любых каталогов. Используйте этот параметр, чтобы включить использование расширенного атрибута
+установить или обновить дайджесты SHA256 для любых каталогов. Используйте этот параметр, чтобы включить использование расширенного атрибута
.IR security.restorecon_last.
.TP
.B \-l
@@ -186,7 +186,7 @@ GNU
.B \-D
команды
.B setfiles .
-Он обеспечивает сохранение дайджеста SHA1 файла спецификации
+Он обеспечивает сохранение дайджеста SHA256 файла спецификации
.B spec_file
в расширенном атрибуте с именем
.IR security.restorecon_last
@@ -204,7 +204,7 @@ GNU
.sp
Параметр
.B \-I
-позволяет игнорировать дайджест SHA1 из каждого каталога, указанного в
+позволяет игнорировать дайджест SHA256 из каждого каталога, указанного в
.IR pathname \ ...
, и, при условии, что НЕ установлен параметр
.B \-n
diff --git a/policycoreutils/setfiles/setfiles.8 b/policycoreutils/setfiles/setfiles.8
index 8e6c4ab94841..0692121f2f4d 100644
--- a/policycoreutils/setfiles/setfiles.8
+++ b/policycoreutils/setfiles/setfiles.8
@@ -85,14 +85,14 @@ display usage information and exit.
ignore files that do not exist.
.TP
.B \-I
-ignore digest to force checking of labels even if the stored SHA1 digest
-matches the specfiles SHA1 digest. The digest will then be updated provided
+ignore digest to force checking of labels even if the stored SHA256 digest
+matches the specfiles SHA256 digest. The digest will then be updated provided
there are no errors. See the
.B NOTES
section for further details.
.TP
.B \-D
-Set or update any directory SHA1 digests. Use this option to
+Set or update any directory SHA256 digests. Use this option to
enable usage of the
.IR security.sehash
extended attribute.
@@ -230,7 +230,7 @@ the
.B \-D
option to
.B setfiles
-will cause it to store a SHA1 digest of the
+will cause it to store a SHA256 digest of the
.B spec_file
set in an extended attribute named
.IR security.sehash
@@ -251,7 +251,7 @@ for further details.
.sp
The
.B \-I
-option will ignore the SHA1 digest from each directory specified in
+option will ignore the SHA256 digest from each directory specified in
.IR pathname \ ...
and provided the
.B \-n
--
2.32.0

56
SOURCES/0027-python-sepolicy-Fix-COPY_PASTE_ERROR-CWE-398.patch Normal file
View File

@ -0,0 +1,56 @@
From d39dacc352feb35c89b41225e142dd08e932c0c0 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Fri, 30 Jul 2021 13:48:18 +0200
Subject: [PATCH] python/sepolicy: Fix COPY_PASTE_ERROR (CWE-398)
Fixes:
Error: COPY_PASTE_ERROR (CWE-398): [#def3]
selinux/python/sepolicy/sepolicy/__init__.py:1032: original: ""_key_t"" looks like the original copy.
selinux/python/sepolicy/sepolicy/__init__.py:1035: copy_paste_error: ""_key_t"" looks like a copy-paste error.
selinux/python/sepolicy/sepolicy/__init__.py:1035: remediation: Should it say ""_secret_t"" instead?
# 1033|
# 1034| if f.endswith("_secret_t"):
# 1035|-> return txt + "treat the files as %s secret data." % prettyprint(f, "_key_t")
# 1036|
# 1037| if f.endswith("_ra_t"):
Error: COPY_PASTE_ERROR (CWE-398): [#def4]
selinux/python/sepolicy/sepolicy/__init__.py:1065: original: ""_tmp_t"" looks like the original copy.
selinux/python/sepolicy/sepolicy/__init__.py:1067: copy_paste_error: ""_tmp_t"" looks like a copy-paste error.
selinux/python/sepolicy/sepolicy/__init__.py:1067: remediation: Should it say ""_etc_t"" instead?
# 1065| return txt + "store %s temporary files in the /tmp directories." % prettyprint(f, "_tmp_t")
# 1066| if f.endswith("_etc_t"):
# 1067|-> return txt + "store %s files in the /etc directories." % prettyprint(f, "_tmp_t")
# 1068| if f.endswith("_home_t"):
# 1069| return txt + "store %s files in the users home directory." % prettyprint(f, "_home_t")
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
---
python/sepolicy/sepolicy/__init__.py | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/python/sepolicy/sepolicy/__init__.py b/python/sepolicy/sepolicy/__init__.py
index df773a6b314e..6b6160a449df 100644
--- a/python/sepolicy/sepolicy/__init__.py
+++ b/python/sepolicy/sepolicy/__init__.py
@@ -1039,7 +1039,7 @@ def get_description(f, markup=markup):
return txt + "treat the files as %s key data." % prettyprint(f, "_key_t")
if f.endswith("_secret_t"):
- return txt + "treat the files as %s secret data." % prettyprint(f, "_key_t")
+ return txt + "treat the files as %s secret data." % prettyprint(f, "_secret_t")
if f.endswith("_ra_t"):
return txt + "treat the files as %s read/append content." % prettyprint(f, "_ra_t")
@@ -1071,7 +1071,7 @@ def get_description(f, markup=markup):
if f.endswith("_tmp_t"):
return txt + "store %s temporary files in the /tmp directories." % prettyprint(f, "_tmp_t")
if f.endswith("_etc_t"):
- return txt + "store %s files in the /etc directories." % prettyprint(f, "_tmp_t")
+ return txt + "store %s files in the /etc directories." % prettyprint(f, "_etc_t")
if f.endswith("_home_t"):
return txt + "store %s files in the users home directory." % prettyprint(f, "_home_t")
if f.endswith("_tmpfs_t"):
--
2.32.0

73
SOURCES/selinux-autorelabel Executable file
View File

@ -0,0 +1,73 @@
#!/bin/bash
#
# Do automatic relabelling
#
# . /etc/init.d/functions
# If the user has this (or similar) UEFI boot order:
#
# Windows | grub | Linux
#
# And decides to boot into grub/Linux, then the reboot at the end of autorelabel
# would cause the system to boot into Windows again, if the autorelabel was run.
#
# This function restores the UEFI boot order, so the user will boot into the
# previously set (and expected) partition.
efi_set_boot_next() {
# NOTE: The [ -x /usr/sbin/efibootmgr ] test is not sufficent -- it could
# succeed even on system which is not EFI-enabled...
if ! efibootmgr > /dev/null 2>&1; then
return
fi
# NOTE: It it possible that some other services might be setting the
# 'BootNext' item for any reasons, and we shouldn't override it if so.
if ! efibootmgr | grep --quiet -e 'BootNext'; then
CURRENT_BOOT="$(efibootmgr | grep -e 'BootCurrent' | sed -re 's/(^.+:[[:space:]]*)([[:xdigit:]]+)/\2/')"
efibootmgr -n "${CURRENT_BOOT}" > /dev/null 2>&1
fi
}
relabel_selinux() {
# if /sbin/init is not labeled correctly this process is running in the
# wrong context, so a reboot will be required after relabel
AUTORELABEL=
. /etc/selinux/config
echo "0" > /sys/fs/selinux/enforce
[ -x /bin/plymouth ] && plymouth --quit
if [ "$AUTORELABEL" = "0" ]; then
echo
echo $"*** Warning -- SELinux ${SELINUXTYPE} policy relabel is required. "
echo $"*** /etc/selinux/config indicates you want to manually fix labeling"
echo $"*** problems. Dropping you to a shell; the system will reboot"
echo $"*** when you leave the shell."
sulogin
else
echo
echo $"*** Warning -- SELinux ${SELINUXTYPE} policy relabel is required."
echo $"*** Relabeling could take a very long time, depending on file"
echo $"*** system size and speed of hard drives."
FORCE=`cat /.autorelabel`
[ -x "/usr/sbin/quotaoff" ] && /usr/sbin/quotaoff -aug
/sbin/fixfiles $FORCE restore
fi
rm -f /.autorelabel
/usr/lib/dracut/dracut-initramfs-restore
efi_set_boot_next
if [ -x /usr/bin/grub2-editenv ]; then
grub2-editenv - incr boot_indeterminate >/dev/null 2>&1
fi
sync
systemctl --force reboot
}
# Check to see if a full relabel is needed
if [ "$READONLY" != "yes" ]; then
restorecon $(awk '!/^#/ && $4 !~ /noauto/ && $2 ~ /^\// { print $2 }' /etc/fstab) >/dev/null 2>&1
relabel_selinux
fi

29
SOURCES/selinux-autorelabel-generator.sh Normal file
View File

@ -0,0 +1,29 @@
#!/bin/sh
# This systemd.generator(7) detects if SELinux is running and if the
# user requested an autorelabel, and if so sets the default target to
# selinux-autorelabel.target, which will cause the filesystem to be
# relabelled and then the system will reboot again and boot into the
# real default target.
PATH=/usr/sbin:$PATH
unitdir=/usr/lib/systemd/system
# If invoked with no arguments (for testing) write to /tmp.
earlydir="/tmp"
if [ -n "$2" ]; then
earlydir="$2"
fi
set_target ()
{
ln -sf "$unitdir/selinux-autorelabel.target" "$earlydir/default.target"
}
if selinuxenabled; then
if test -f /.autorelabel; then
set_target
elif grep -sqE "\bautorelabel\b" /proc/cmdline; then
set_target
fi
fi

18
SOURCES/selinux-autorelabel-mark.service Normal file
View File

@ -0,0 +1,18 @@
[Unit]
Description=Mark the need to relabel after reboot
DefaultDependencies=no
Requires=local-fs.target
Conflicts=shutdown.target
After=local-fs.target
Before=sysinit.target shutdown.target
ConditionSecurity=!selinux
ConditionPathIsDirectory=/etc/selinux
ConditionPathExists=!/.autorelabel
[Service]
ExecStart=-/bin/touch /.autorelabel
Type=oneshot
RemainAfterExit=yes
[Install]
WantedBy=sysinit.target

14
SOURCES/selinux-autorelabel.service Normal file
View File

@ -0,0 +1,14 @@
[Unit]
Description=Relabel all filesystems
DefaultDependencies=no
Conflicts=shutdown.target
After=sysinit.target
Before=shutdown.target
ConditionSecurity=selinux
[Service]
ExecStart=/usr/libexec/selinux/selinux-autorelabel
Type=oneshot
TimeoutSec=0
RemainAfterExit=yes
StandardOutput=journal+console

7
SOURCES/selinux-autorelabel.target Normal file
View File

@ -0,0 +1,7 @@
[Unit]
Description=Relabel all filesystems and reboot
DefaultDependencies=no
Requires=sysinit.target selinux-autorelabel.service
Conflicts=shutdown.target
After=sysinit.target selinux-autorelabel.service
ConditionSecurity=selinux

5540
SPECS/policycoreutils.spec Normal file
View File

File diff suppressed because it is too large Load Diff