* Thu May 27 2010 Dan Walsh <dwalsh@redhat.com> 2.0.82-24

- Man page fixes
- sandbox fixes
Resolves: #595796
- Move seunshare to base package
Daniel J Walsh 2010-05-27 21:23:08 +00:00
parent be45950990
commit 829762e693
10 changed files with 80190 additions and 83772 deletions


@ -214,3 +214,9 @@ policycoreutils-2.0.77.tgz
policycoreutils-2.0.78.tgz
sepolgen-1.0.19.tgz
policycoreutils-2.0.79.tgz
policycoreutils-2.0.80.tgz
policycoreutils-2.0.81.tgz
sepolgen-1.0.20.tgz
sepolgen-1.0.22.tgz
policycoreutils-2.0.82.tgz
sepolgen-1.0.23.tgz



@ -1,6 +1,6 @@
diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/access.py policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/access.py
--- nsasepolgen/src/sepolgen/access.py 2009-05-18 13:53:14.000000000 -0400
+++ policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/access.py 2009-12-08 17:05:49.000000000 -0500
diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/access.py policycoreutils-2.0.82/sepolgen-1.0.23/src/sepolgen/access.py
--- nsasepolgen/src/sepolgen/access.py 2010-05-19 14:45:51.000000000 -0400
+++ policycoreutils-2.0.82/sepolgen-1.0.23/src/sepolgen/access.py 2010-04-28 17:12:20.000000000 -0400
@@ -32,6 +32,7 @@
"""
@ -18,15 +18,6 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/access.py policyco
# The direction of the information flow represented by this
# access vector - used for matching
@@ -127,7 +130,7 @@
return self.to_string()
def to_string(self):
- return "allow %s %s : %s %s;" % (self.src_type, self.tgt_type,
+ return "allow %s %s:%s %s;" % (self.src_type, self.tgt_type,
self.obj_class, self.perms.to_space_str())
def __cmp__(self, other):
@@ -253,20 +256,22 @@
for av in l:
self.add_av(AccessVector(av))
@ -54,38 +45,10 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/access.py policyco
access.perms.update(perms)
if audit_msg:
diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/audit.py policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/audit.py
--- nsasepolgen/src/sepolgen/audit.py 2009-12-01 15:46:50.000000000 -0500
+++ policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/audit.py 2010-01-06 09:52:35.000000000 -0500
@@ -23,6 +23,27 @@
# Convenience functions
+def get_audit_boot_msgs():
+ """Obtain all of the avc and policy load messages from the audit
+ log. This function uses ausearch and requires that the current
+ process have sufficient rights to run ausearch.
+
+ Returns:
+ string contain all of the audit messages returned by ausearch.
+ """
+ import subprocess
+ import time
+ fd=open("/proc/uptime", "r")
+ off=float(fd.read().split()[0])
+ fd.close
+ s = time.localtime(time.time() - off)
+ date = time.strftime("%D/%Y", s).split("/")
+ bootdate="%s/%s/%s" % (date[0], date[1], date[3])
+ boottime = time.strftime("%X", s)
+ output = subprocess.Popen(["/sbin/ausearch", "-m", "AVC,USER_AVC,MAC_POLICY_LOAD,DAEMON_START,SELINUX_ERR", "-ts", bootdate, boottime],
+ stdout=subprocess.PIPE).communicate()[0]
+ return output
+
def get_audit_msgs():
"""Obtain all of the avc and policy load messages from the audit
log. This function uses ausearch and requires that the current
@@ -47,6 +68,17 @@
diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/audit.py policycoreutils-2.0.82/sepolgen-1.0.23/src/sepolgen/audit.py
--- nsasepolgen/src/sepolgen/audit.py 2010-05-19 14:45:51.000000000 -0400
+++ policycoreutils-2.0.82/sepolgen-1.0.23/src/sepolgen/audit.py 2010-04-28 17:12:20.000000000 -0400
@@ -68,6 +68,17 @@
stdout=subprocess.PIPE).communicate()[0]
return output
@ -103,7 +66,7 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/audit.py policycor
# Classes representing audit messages
class AuditMessage:
@@ -106,6 +138,9 @@
@@ -127,6 +138,9 @@
if fields[0] == "path":
self.path = fields[1][1:-1]
return
@ -113,7 +76,7 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/audit.py policycor
class AVCMessage(AuditMessage):
"""AVC message representing an access denial or granted message.
@@ -146,6 +181,8 @@
@@ -167,6 +181,8 @@
self.path = ""
self.accesses = []
self.denial = True
@ -122,7 +85,7 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/audit.py policycor
def __parse_access(self, recs, start):
# This is kind of sucky - the access that is in a space separated
@@ -205,7 +242,31 @@
@@ -226,7 +242,31 @@
if not found_src or not found_tgt or not found_class or not found_access:
raise ValueError("AVC message in invalid format [%s]\n" % self.message)
@ -138,7 +101,7 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/audit.py policycor
+ else:
+ self.type, self.bools = audit2why.analyze(scontext, tcontext, self.tclass, self.accesses);
+ if self.type == audit2why.NOPOLICY:
+ raise ValueError("Must call policy_init first")
+ self.type = audit2why.TERULE
+ if self.type == audit2why.BADTCON:
+ raise ValueError("Invalid Target Context %s\n" % tcontext)
+ if self.type == audit2why.BADSCON:
@ -149,39 +112,13 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/audit.py policycor
+ raise ValueError("Invalid permission %s\n" % " ".join(self.accesses))
+ if self.type == audit2why.BADCOMPUTE:
+ raise ValueError("Error during access vector computation")
+
+
+ avcdict[(scontext, tcontext, self.tclass, access_tuple)] = (self.type, self.bools)
+
class PolicyLoadMessage(AuditMessage):
"""Audit message indicating that the policy was reloaded."""
def __init__(self, message):
@@ -285,6 +346,9 @@
def __initialize(self):
self.avc_msgs = []
+ self.constraint_msgs = []
+ self.dontaudit_msgs = []
+ self.rbac_msgs = []
self.compute_sid_msgs = []
self.invalid_msgs = []
self.policy_load_msgs = []
@@ -314,7 +378,7 @@
elif i == "security_compute_sid:":
msg = ComputeSidMessage(line)
found = True
- elif i == "type=MAC_POLICY_LOAD" or i == "type=1403":
+ elif i == "type=MAC_POLICY_LOAD":
msg = PolicyLoadMessage(line)
found = True
elif i == "type=AVC_PATH":
@@ -442,16 +506,17 @@
audit logs parsed by this object.
"""
av_set = access.AccessVectorSet()
+
for avc in self.avc_msgs:
if avc.denial != True and only_denials:
continue
@@ -469,10 +509,10 @@
if avc_filter:
if avc_filter.filter(avc):
av_set.add(avc.scontext.type, avc.tcontext.type, avc.tclass,
@ -194,15 +131,171 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/audit.py policycor
return av_set
class AVCTypeFilter:
@@ -477,5 +542,3 @@
if self.regex.match(avc.tcontext.type):
return True
return False
-
-
diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/policygen.py policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/policygen.py
--- nsasepolgen/src/sepolgen/policygen.py 2008-09-12 11:48:15.000000000 -0400
+++ policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/policygen.py 2010-01-08 09:33:54.000000000 -0500
diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/defaults.py policycoreutils-2.0.82/sepolgen-1.0.23/src/sepolgen/defaults.py
--- nsasepolgen/src/sepolgen/defaults.py 2010-05-19 14:45:51.000000000 -0400
+++ policycoreutils-2.0.82/sepolgen-1.0.23/src/sepolgen/defaults.py 2010-04-28 17:12:20.000000000 -0400
@@ -30,6 +30,9 @@
def interface_info():
return data_dir() + "/interface_info"
+def attribute_info():
+ return data_dir() + "/attribute_info"
+
def refpolicy_devel():
return "/usr/share/selinux/devel"
diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/interfaces.py policycoreutils-2.0.82/sepolgen-1.0.23/src/sepolgen/interfaces.py
--- nsasepolgen/src/sepolgen/interfaces.py 2010-05-19 14:45:51.000000000 -0400
+++ policycoreutils-2.0.82/sepolgen-1.0.23/src/sepolgen/interfaces.py 2010-05-03 09:33:11.000000000 -0400
@@ -29,6 +29,8 @@
from sepolgeni18n import _
+import copy
+
class Param:
"""
Object representing a paramater for an interface.
@@ -197,10 +199,48 @@
ret = 1
return ret
-
+
+class AttributeVector:
+ def __init__(self):
+ self.name = ""
+ self.access = access.AccessVectorSet()
+
+ def add_av(self, av):
+ self.access.add_av(av)
+
+class AttributeSet:
+ def __init__(self):
+ self.attributes = { }
+
+ def add_attr(self, attr):
+ self.attributes[attr.name] = attr
+
+ def from_file(self, fd):
+ def parse_attr(line):
+ fields = line[1:-1].split()
+ if len(fields) != 2 or fields[0] != "Attribute":
+ raise SyntaxError("Syntax error Attribute statement %s" % line)
+ a = AttributeVector()
+ a.name = fields[1]
+
+ return a
+
+ a = None
+ for line in fd:
+ line = line[:-1]
+ if line[0] == "[":
+ if a:
+ self.add_attr(a)
+ a = parse_attr(line)
+ elif a:
+ l = line.split(",")
+ av = access.AccessVector(l)
+ a.add_av(av)
+ if a:
+ self.add_attr(a)
class InterfaceVector:
- def __init__(self, interface=None):
+ def __init__(self, interface=None, attributes={}):
# Enabled is a loose concept currently - we are essentially
# not enabling interfaces that we can't handle currently.
# See InterfaceVector.add_ifv for more information.
@@ -214,10 +254,10 @@
# value: Param object).
self.params = { }
if interface:
- self.from_interface(interface)
+ self.from_interface(interface, attributes)
self.expanded = False
- def from_interface(self, interface):
+ def from_interface(self, interface, attributes={}):
self.name = interface.name
# Add allow rules
@@ -232,6 +272,23 @@
for av in avs:
self.add_av(av)
+ # Add typeattribute access
+ if attributes != None:
+ for typeattribute in interface.typeattributes():
+ for attr in typeattribute.attributes:
+ if not attributes.attributes.has_key(attr):
+ # print "missing attribute " + attr
+ continue
+ attr_vec = attributes.attributes[attr]
+ for a in attr_vec.access:
+ av = copy.copy(a)
+ if av.src_type == attr_vec.name:
+ av.src_type = typeattribute.type
+ if av.tgt_type == attr_vec.name:
+ av.tgt_type = typeattribute.type
+ self.add_av(av)
+
+
# Extract paramaters from roles
for role in interface.roles():
if role_extract_params(role, self.params):
@@ -346,13 +403,13 @@
l = self.tgt_type_map.setdefault(type, [])
l.append(ifv)
- def add(self, interface):
- ifv = InterfaceVector(interface)
+ def add(self, interface, attributes={}):
+ ifv = InterfaceVector(interface, attributes)
self.add_ifv(ifv)
- def add_headers(self, headers, output=None):
+ def add_headers(self, headers, output=None, attributes={}):
for i in itertools.chain(headers.interfaces(), headers.templates()):
- self.add(i)
+ self.add(i, attributes)
self.expand_ifcalls(headers)
self.index()
diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/matching.py policycoreutils-2.0.82/sepolgen-1.0.23/src/sepolgen/matching.py
--- nsasepolgen/src/sepolgen/matching.py 2010-05-19 14:45:51.000000000 -0400
+++ policycoreutils-2.0.82/sepolgen-1.0.23/src/sepolgen/matching.py 2010-04-28 17:12:20.000000000 -0400
@@ -50,7 +50,7 @@
return 1
class MatchList:
- DEFAULT_THRESHOLD = 120
+ DEFAULT_THRESHOLD = 150
def __init__(self):
# Match objects that pass the threshold
self.children = []
@@ -63,14 +63,15 @@
def best(self):
if len(self.children):
return self.children[0]
- else:
- return None
+ if len(self.bastards):
+ return self.bastards[0]
+ return None
def __len__(self):
# Only return the length of the matches so
# that this can be used to test if there is
# a match.
- return len(self.children)
+ return len(self.children) + len(self.bastards)
def __iter__(self):
return iter(self.children)
diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/policygen.py policycoreutils-2.0.82/sepolgen-1.0.23/src/sepolgen/policygen.py
--- nsasepolgen/src/sepolgen/policygen.py 2010-05-19 14:45:51.000000000 -0400
+++ policycoreutils-2.0.82/sepolgen-1.0.23/src/sepolgen/policygen.py 2010-05-21 10:36:31.000000000 -0400
@@ -29,6 +29,8 @@
import access
import interfaces
@ -212,27 +305,22 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/policygen.py polic
# Constants for the level of explanation from the generation
# routines
@@ -74,7 +76,7 @@
self.moduel = module
else:
self.module = refpolicy.Module()
-
@@ -77,6 +79,7 @@
self.dontaudit = False
+ self.domains = None
def set_gen_refpol(self, if_set=None, perm_maps=None):
"""Set whether reference policy interfaces are generated.
@@ -141,15 +143,42 @@
"""Return the generated module"""
return self.module
- def __add_allow_rules(self, avs):
+ def __add_allow_rules(self, avs, dontaudit):
for av in avs:
- rule = refpolicy.AVRule(av)
+ rule = refpolicy.AVRule(av, dontaudit=dontaudit)
@@ -151,9 +154,41 @@
rule = refpolicy.AVRule(av)
if self.dontaudit:
rule.rule_type = rule.DONTAUDIT
+ rule.comment = ""
if self.explain:
rule.comment = refpolicy.Comment(explain_access(av, verbosity=self.explain))
- self.module.children.append(rule)
+ if av.type == audit2why.ALLOW:
+ rule.comment += "#!!!! This avc is allowed in the current policy\n"
+ if av.type == audit2why.DONTAUDIT:
@ -245,88 +333,170 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/policygen.py polic
+
+ if av.type == audit2why.CONSTRAINT:
+ rule.comment += "#!!!! This avc is a constraint violation. You will need to add an attribute to either the source or target type to make it work.\n"
+ rule.comment += "#Contraint rule: "
+
+ if av.type == audit2why.TERULE:
+ if "write" in av.perms:
+ if "dir" in av.obj_class or "open" in av.perms:
+ if not self.domains:
+ self.domains = seinfo(ATTRIBUTE, name="domain")[0]["types"]
+ types=[]
+ for i in map(lambda x: x[TCONTEXT], sesearch([ALLOW], {SCONTEXT: av.src_type, CLASS: av.obj_class, PERMS: av.perms})):
+ if i not in self.domains:
+ types.append(i)
+ if len(types) == 1:
+ rule.comment += "#!!!! The source type '%s' can write to a '%s' of the following type:\n# %s\n" % ( av.src_type, av.obj_class, ", ".join(types))
+ elif len(types) >= 1:
+ rule.comment += "#!!!! The source type '%s' can write to a '%s' of the following types:\n# %s\n" % ( av.src_type, av.obj_class, ", ".join(types))
+
self.module.children.append(rule)
+
+ try:
+ for i in map(lambda x: x[TCONTEXT], sesearch([ALLOW], {SCONTEXT: av.src_type, CLASS: av.obj_class, PERMS: av.perms})):
+ if i not in self.domains:
+ types.append(i)
+ if len(types) == 1:
+ rule.comment += "#!!!! The source type '%s' can write to a '%s' of the following type:\n# %s\n" % ( av.src_type, av.obj_class, ", ".join(types))
+ elif len(types) >= 1:
+ rule.comment += "#!!!! The source type '%s' can write to a '%s' of the following types:\n# %s\n" % ( av.src_type, av.obj_class, ", ".join(types))
+ except:
+ pass
+ self.module.children.append(rule)
- def add_access(self, av_set):
+ def add_access(self, av_set, dontaudit=False):
"""Add the access from the access vector set to this
module.
"""
@@ -165,7 +194,7 @@
raw_allow = av_set
def add_access(self, av_set):
diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/refparser.py policycoreutils-2.0.82/sepolgen-1.0.23/src/sepolgen/refparser.py
--- nsasepolgen/src/sepolgen/refparser.py 2010-05-19 14:45:51.000000000 -0400
+++ policycoreutils-2.0.82/sepolgen-1.0.23/src/sepolgen/refparser.py 2010-05-21 10:26:43.000000000 -0400
@@ -1044,7 +1044,7 @@
# of misc_macros. We are just going to pretend that this is an interface
# to make the expansion work correctly.
can_exec = refpolicy.Interface("can_exec")
- av = access.AccessVector(["$1","$2","file","execute_no_trans","read",
+ av = access.AccessVector(["$1","$2","file","execute_no_trans","open", "read",
"getattr","lock","execute","ioctl"])
# Generate the raw allow rules from the filtered list
- self.__add_allow_rules(raw_allow)
+ self.__add_allow_rules(raw_allow, dontaudit)
can_exec.children.append(refpolicy.AVRule(av))
diff --exclude-from=exclude -N -u -r nsasepolgen/src/share/perm_map policycoreutils-2.0.82/sepolgen-1.0.23/src/share/perm_map
--- nsasepolgen/src/share/perm_map 2010-05-19 14:45:51.000000000 -0400
+++ policycoreutils-2.0.82/sepolgen-1.0.23/src/share/perm_map 2010-04-28 17:12:20.000000000 -0400
@@ -124,7 +124,7 @@
quotamod w 1
quotaget r 1
def add_role_types(self, role_type_set):
for role_type in role_type_set:
diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/refparser.py policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/refparser.py
--- nsasepolgen/src/sepolgen/refparser.py 2009-10-29 15:21:39.000000000 -0400
+++ policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/refparser.py 2009-12-08 17:05:49.000000000 -0500
@@ -973,7 +973,7 @@
def list_headers(root):
modules = []
support_macros = None
- blacklist = ["init.if", "inetd.if", "uml.if", "thunderbird.if"]
+ blacklist = ["uml.if", "thunderbird.if", "unconfined.if"]
-class file 20
+class file 21
execute_no_trans r 1
entrypoint r 1
execmod n 1
@@ -141,48 +141,50 @@
unlink w 1
link w 1
rename w 5
- execute r 100
+ execute r 10
swapon b 1
quotaon b 1
mounton b 1
+ open r 1
for dirpath, dirnames, filenames in os.walk(root):
for name in filenames:
diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/refpolicy.py policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/refpolicy.py
--- nsasepolgen/src/sepolgen/refpolicy.py 2009-10-29 15:21:39.000000000 -0400
+++ policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/refpolicy.py 2010-01-08 09:33:37.000000000 -0500
@@ -398,6 +398,7 @@
return "attribute %s;" % self.name
-class dir 22
- add_name w 5
+class dir 23
+ add_name w 1
remove_name w 1
reparent w 1
search r 1
rmdir b 1
ioctl n 1
- read r 10
- write w 10
+ read r 1
+ write w 1
create w 1
- getattr r 7
- setattr w 7
+ getattr r 1
+ setattr w 1
lock n 1
- relabelfrom r 10
- relabelto w 10
+ relabelfrom r 1
+ relabelto w 1
append w 1
unlink w 1
link w 1
- rename w 5
+ rename w 1
execute r 1
swapon b 1
quotaon b 1
mounton b 1
+ open r 1
# Classes representing rules
+import selinux.audit2why as audit2why
class fd 1
use b 1
class AVRule(Leaf):
"""SELinux access vector (AV) rule.
@@ -420,21 +421,26 @@
AUDITALLOW = 2
NEVERALLOW = 3
-class lnk_file 17
+class lnk_file 18
ioctl n 1
- read r 10
- write w 10
+ read r 1
+ write w 1
create w 1
- getattr r 7
- setattr w 7
+ getattr r 1
+ setattr w 1
lock n 1
- relabelfrom r 10
- relabelto w 10
+ relabelfrom r 1
+ relabelto w 1
append w 1
unlink w 1
link w 1
@@ -191,8 +193,9 @@
swapon b 1
quotaon b 1
mounton b 1
+ open r 1
- def __init__(self, av=None, parent=None):
+ def __init__(self, av=None, parent=None, dontaudit=False):
Leaf.__init__(self, parent)
self.src_types = IdSet()
self.tgt_types = IdSet()
self.obj_classes = IdSet()
self.perms = IdSet()
- self.rule_type = self.ALLOW
+ if dontaudit:
+ self.rule_type = audit2why.DONTAUDIT
+ else:
+ self.rule_type = audit2why.TERULE
if av:
self.from_av(av)
-class chr_file 20
+class chr_file 21
execute_no_trans r 1
entrypoint r 1
execmod n 1
@@ -213,8 +216,9 @@
swapon b 1
quotaon b 1
mounton b 1
+ open r 1
def __rule_type_str(self):
- if self.rule_type == self.ALLOW:
+ if self.rule_type == audit2why.TERULE:
return "allow"
- elif self.rule_type == self.DONTAUDIT:
+ elif self.rule_type == audit2why.DONTAUDIT:
return "dontaudit"
+ elif self.rule_type == audit2why.CONSTRAINT:
+ return "#constraint allow"
else:
return "auditallow"
-class blk_file 17
+class blk_file 18
ioctl n 1
read r 10
write w 10
@@ -232,8 +236,9 @@
swapon b 1
quotaon b 1
mounton b 1
+ open r 1
-class sock_file 17
+class sock_file 18
ioctl n 1
read r 10
write w 10
@@ -251,8 +256,9 @@
swapon b 1
quotaon b 1
mounton b 1
+ open r 1
-class fifo_file 17
+class fifo_file 18
ioctl n 1
read r 10
write w 10
@@ -270,6 +276,7 @@
swapon b 1
quotaon b 1
mounton b 1
+ open r 1
class socket 22
ioctl n 1
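Review bot: The `attributes={}` default added to `InterfaceVector.__init__`, `from_interface`, `add` and `add_headers` in the interfaces.py part of the patch does not match the guard in the new typeattribute loop, which tests `if attributes != None:` and then reads `attributes.attributes.has_key(attr)`. A caller that omits the argument passes the guard with a plain dict and would raise AttributeError on the first interface that carries a typeattribute statement, instead of skipping attribute expansion. Default the parameter to None in all four signatures, e.g. `def from_interface(self, interface, attributes=None):`, and test `if attributes is not None:`. `AttributeSet.from_file` in the same file indexes `line[0]` right after `line = line[:-1]`, so an empty line in the attribute file raises IndexError; an `if not line: continue` before that test would cover it. The body of `from_interface` continues outside the visible hunks.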


@ -1,13 +1,13 @@
%define libauditver 1.4.2-1
%define libsepolver 2.0.41-1
%define libsemanagever 2.0.43-3
%define libselinuxver 2.0.90-1
%define sepolgenver 1.0.19
%define libsepolver 2.0.41-3
%define libsemanagever 2.0.43-4
%define libselinuxver 2.0.90-3
%define sepolgenver 1.0.23
Summary: SELinux policy core utilities
Name: policycoreutils
Version: 2.0.79
Release: 1%{?dist}
Version: 2.0.82
Release: 24%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz
@ -20,7 +20,6 @@ Source5: system-config-selinux.console
Source6: selinux-polgengui.desktop
Source7: selinux-polgengui.console
Source8: policycoreutils_man_ru2.tar.bz2
Source9: sandbox.init
Patch: policycoreutils-rhat.patch
Patch1: policycoreutils-po.patch
Patch3: policycoreutils-gui.patch
@ -80,12 +79,14 @@ mkdir -p %{buildroot}%{_mandir}/man8
mkdir -p %{buildroot}%{_sysconfdir}/pam.d
mkdir -p %{buildroot}%{_sysconfdir}/security/console.apps
%{__mkdir} -p %{buildroot}/%{_sysconfdir}/rc.d/init.d
install -m0755 %{SOURCE9} %{buildroot}/%{_sysconfdir}/rc.d/init.d/sandbox
%{__mkdir} -p %{buildroot}%{_datadir}/icons/hicolor/24x24/apps
%{__mkdir} -p %{buildroot}%{_datadir}/pixmaps
make LSPP_PRIV=y DESTDIR="%{buildroot}" LIBDIR="%{buildroot}%{_libdir}" install
make -C sepolgen-%{sepolgenver} DESTDIR="%{buildroot}" LIBDIR="%{buildroot}%{_libdir}" install
install -m 644 %{SOURCE2} %{buildroot}%{_datadir}/system-config-selinux/
install -m 644 %{SOURCE2} %{buildroot}%{_datadir}/pixmaps
install -m 644 %{SOURCE2} %{buildroot}%{_datadir}/icons/hicolor/24x24/apps
install -m 644 %{SOURCE4} %{buildroot}%{_sysconfdir}/pam.d/system-config-selinux
install -m 644 %{SOURCE4} %{buildroot}%{_sysconfdir}/pam.d/selinux-polgengui
install -m 644 %{SOURCE5} %{buildroot}%{_sysconfdir}/security/console.apps/system-config-selinux
@ -127,11 +128,11 @@ The policycoreutils-python package contains the management tools use to manage a
%{_bindir}/chcat
%{_bindir}/sandbox
%{_bindir}/sepolgen-ifgen
%{_bindir}/sepolgen-ifgen-attr-helper
%{python_sitelib}/seobject.py*
%{python_sitelib}/sepolgen
%{python_sitelib}/%{name}
%{python_sitelib}/%{name}*.egg-info
%{pkgpythondir}/default_encoding_utf8.so
%{pkgpythondir}
%dir /var/lib/sepolgen
%dir /var/lib/selinux
/var/lib/sepolgen/perm_map
@ -140,12 +141,13 @@ The policycoreutils-python package contains the management tools use to manage a
%{_mandir}/man1/audit2why.1*
%{_mandir}/man8/chcat.8*
%{_mandir}/ru/man8/chcat.8*
%{_mandir}/man8/genhomedircon.8*
%{_mandir}/man8/sandbox.8*
%{_mandir}/man8/semanage.8*
%{_mandir}/ru/man8/semanage.8*
%post python
[ -f /usr/share/selinux/devel/include/build.conf ] && /usr/bin/sepolgen-ifgen
selinuxenabled && [ -f /usr/share/selinux/devel/include/build.conf ] && /usr/bin/sepolgen-ifgen 2>/dev/null
exit 0
%package sandbox
@ -162,12 +164,10 @@ The policycoreutils-python package contains the scripts to create graphical sand
%files sandbox
%defattr(-,root,root,-)
%{_sysconfdir}/rc.d/init.d/sandbox
%{_sbindir}/seunshare
%{_datadir}/sandbox/sandboxX.sh
%triggerin python -- selinux-policy
[ -f /usr/share/selinux/devel/include/build.conf ] && /usr/bin/sepolgen-ifgen
selinuxenabled && [ -f /usr/share/selinux/devel/include/build.conf ] && /usr/bin/sepolgen-ifgen 2>/dev/null
exit 0
%post sandbox
@ -214,11 +214,12 @@ system-config-selinux is a utility for managing the SELinux environment
%{_bindir}/sepolgen
%{_datadir}/applications/fedora-system-config-selinux.desktop
%{_datadir}/applications/fedora-selinux-polgengui.desktop
%{_datadir}/icons/hicolor/24x24/apps/system-config-selinux.png
%{_datadir}/pixmaps/system-config-selinux.png
%dir %{_datadir}/system-config-selinux
%dir %{_datadir}/system-config-selinux/templates
%{_datadir}/system-config-selinux/*.py*
%{_datadir}/system-config-selinux/selinux.tbl
%{_datadir}/system-config-selinux/*png
%{_datadir}/system-config-selinux/*.glade
%{_datadir}/system-config-selinux/templates/*.py*
%config(noreplace) %{_sysconfdir}/pam.d/system-config-selinux
@ -235,6 +236,7 @@ rm -rf %{buildroot}
/sbin/fixfiles
/sbin/setfiles
/sbin/load_policy
%{_sbindir}/seunshare
%{_sbindir}/genhomedircon
%{_sbindir}/load_policy
%{_sbindir}/restorecond
@ -248,6 +250,8 @@ rm -rf %{buildroot}
%{_bindir}/semodule_expand
%{_bindir}/semodule_link
%{_bindir}/semodule_package
%{_sysconfdir}/rc.d/init.d/sandbox
%config(noreplace) %{_sysconfdir}/sysconfig/sandbox
%config(noreplace) %{_sysconfdir}/pam.d/newrole
%config(noreplace) %{_sysconfdir}/pam.d/run_init
%config(noreplace) %{_sysconfdir}/sestatus.conf
@ -287,6 +291,7 @@ rm -rf %{buildroot}
%{_mandir}/ru/man8/setsebool.8*
%{_mandir}/man1/secon.1*
%{_mandir}/ru/man1/secon.1*
%{_mandir}/man8/seunshare.8*
%preun
if [ $1 -eq 0 ]; then
@ -306,7 +311,132 @@ fi
exit 0
%changelog
* Thu Feb 16 2010 Dan Walsh <dwalsh@redhat.com> 2.0.79-1
* Thu May 27 2010 Dan Walsh <dwalsh@redhat.com> 2.0.82-24
- Man page fixes
- sandbox fixes
Resolves: #595796
- Move seunshare to base package
* Fri May 21 2010 Dan Walsh <dwalsh@redhat.com> 2.0.82-23
- Fix seunshare translations
- Fix seunshare to work on all arches
- Fix icon for system-config-selinux
Resolves: #595276
* Fri May 21 2010 Dan Walsh <dwalsh@redhat.com> 2.0.82-22
- Fix can_exec definition in sepolgen
* Fri May 21 2010 Dan Walsh <dwalsh@redhat.com> 2.0.82-21
- Add man page for seunshare and genhomedircon
Resolves: #594303
- Fix node management via semanage
Resolves: #591135
* Wed May 19 2010 Dan Walsh <dwalsh@redhat.com> 2.0.82-20
- Fixes from upstream for sandbox command
Resolves: #580938
* Thu May 13 2010 Dan Walsh <dwalsh@redhat.com> 2.0.82-18
- Fix sandbox error handling on copyfile
- Fix desktop files
* Tue May 11 2010 Dan Walsh <dwalsh@redhat.com> 2.0.82-17
- Fix policy tool to have correct name in menus
- Fix seunshare to handle /tmp being in ~/home
- Fix saving of altered files
- Update translations
* Tue May 4 2010 Dan Walsh <dwalsh@redhat.com> 2.0.82-15
- Allow audit2allow to specify alternative policy file for analysis
* Mon May 3 2010 Dan Walsh <dwalsh@redhat.com> 2.0.82-14
- Update po
- Fix sepolgen --no_attrs
Resolves: #588280
* Thu Apr 29 2010 Dan Walsh <dwalsh@redhat.com> 2.0.82-13
- Make semanage boolean work on disabled machines and during livecd xguest
- Fix homedir and tmpdir handling in sandbox
Resolves: #587263
* Wed Apr 28 2010 Dan Walsh <dwalsh@redhat.com> 2.0.82-11
- Make semanage boolean work on disabled machines
* Tue Apr 27 2010 Dan Walsh <dwalsh@redhat.com> 2.0.82-10
- Make sepolgen-ifgen be quiet
* Wed Apr 21 2010 Dan Walsh <dwalsh@redhat.com> 2.0.82-8
- Make sepolgen report on more interfaces
- Fix system-config-selinux display of modules
* Thu Apr 15 2010 Dan Walsh <dwalsh@redhat.com> 2.0.82-7
- Fix crash when args are empty
Resolves: #582542
- Fix semange to exit on bad options
- Fix semanage dontaudit man page section
Resolves: #582533
* Wed Apr 14 2010 Dan Walsh <dwalsh@redhat.com> 2.0.82-6
- Remove debug line from semanage
- Update po
* Tue Apr 13 2010 Dan Walsh <dwalsh@redhat.com> 2.0.82-5
- Fix sandbox comment on HOMEDIRS
- Fix sandbox to throw error on bad executable
* Tue Apr 6 2010 Dan Walsh <dwalsh@redhat.com> 2.0.82-4
- Fix spacing in templates
* Wed Mar 31 2010 Dan Walsh <dwalsh@redhat.com> 2.0.82-3
- Fix semanage return codes
* Tue Mar 30 2010 Dan Walsh <dwalsh@redhat.com> 2.0.82-2
- Fix sepolgen to confirm to the "Reference Policy Style Guide"
* Tue Mar 23 2010 Dan Walsh <dwalsh@redhat.com> 2.0.82-1
- Update to upstream
* Add avc's since boot from Dan Walsh.
* Fix unit tests from Dan Walsh.
* Tue Mar 23 2010 Dan Walsh <dwalsh@redhat.com> 2.0.81-4
- Update to upstream - sepolgen
* Add since-last-boot option to audit2allow from Dan Walsh.
* Fix sepolgen output to match what Chris expects for upstream
refpolicy from Dan Walsh.
* Mon Mar 22 2010 Dan Walsh <dwalsh@redhat.com> 2.0.81-3
- Allow restorecon on > 2 Gig files
* Tue Mar 16 2010 Dan Walsh <dwalsh@redhat.com> 2.0.81-2
- Fix semanage handling of boolean options
- Update translations
* Fri Mar 12 2010 Dan Walsh <dwalsh@redhat.com> 2.0.81-1
- Update to upstream
* Add dontaudit flag to audit2allow from Dan Walsh.
* Thu Mar 11 2010 Dan Walsh <dwalsh@redhat.com> 2.0.80-2
- Use --rbind in sandbox init scripts
* Mon Mar 8 2010 Dan Walsh <dwalsh@redhat.com> 2.0.80-1
- Update to upstream
* Module enable/disable support from Dan Walsh.
* Mon Mar 1 2010 Dan Walsh <dwalsh@redhat.com> 2.0.79-5
- Rewrite of sandbox script, add unit test for sandbox
- Update translations
* Mon Mar 1 2010 Dan Walsh <dwalsh@redhat.com> 2.0.79-4
- Fix patch for dontaudit rules from audit2allow for upstream acceptance
* Fri Feb 26 2010 Dan Walsh <dwalsh@redhat.com> 2.0.79-3
- Fixes for fixfiles
* Wed Feb 17 2010 Dan Walsh <dwalsh@redhat.com> 2.0.79-2
- Fix sandbox to complain if mount-shared has not been run
- Fix to use /etc/sysconfig/sandbox
* Tue Feb 16 2010 Dan Walsh <dwalsh@redhat.com> 2.0.79-1
- Update to upstream
* Fix double-free in newrole
- Fix python language handling
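Review bot: The `%post python` and `%triggerin python` scriptlets now run `/usr/bin/sepolgen-ifgen 2>/dev/null` followed by `exit 0`, so a failed regeneration leaves no trace at all. The interface data the sepolgen tools read would then be stale or missing, and policy generated from it could differ from what the installed policy headers describe, with nothing in the transaction output to explain why. The quiet success path can stay while failure is still reported, e.g. `if selinuxenabled && [ -f /usr/share/selinux/devel/include/build.conf ]; then /usr/bin/sepolgen-ifgen 2>/dev/null || echo "sepolgen-ifgen failed" >&2; fi`. The added `selinuxenabled` test also means nothing is generated on a host where SELinux is disabled at install time; a spec comment stating that this is intended would help the next packager.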


@ -1,60 +0,0 @@
#!/bin/bash
## BEGIN INIT INFO
# Provides: sandbox
# Default-Start: 5
# Default-Stop: 0 1 2 3 4 6
# Required-Start:
#
## END INIT INFO
# sandbox: Set up / mountpoint to be shared, /var/tmp, /tmp, /home/sandbox unshared
#
# chkconfig: 5 1 99
#
# Description: sandbox is using pam_namespace to share the /var/tmp, /tmp and
# /home/sandbox accounts. This script will setup the / mount
# point as shared and all of the subdirectories just these
# directories as unshared.
#
# Source function library.
. /etc/init.d/functions
LOCKFILE=/var/lock/subsys/sandbox
base=${0##*/}
case "$1" in
start)
[ -f "$LOCKFILE" ] && exit 0
touch $LOCKFILE
mount --make-rshared /
mount --bind /tmp /tmp
mount --bind /var/tmp /var/tmp
mount --bind /home /home
mount --make-private /home
mount --make-private /tmp
mount --make-private /var/tmp
RETVAL=$?
exit $RETVAL
;;
status)
if [ -f "$LOCKFILE" ]; then
echo "$base is running"
else
echo "$base is stopped"
fi
exit 0
;;
stop)
rm -f $LOCKFILE
exit 0
;;
*)
echo $"Usage: $0 {start|stop}"
exit 3
;;
esac


@ -1,9 +1,8 @@
[Desktop Entry]
Name=SELinux Policy Generation Tool
GenericName=SELinux
Comment=Generate SELinux policy modules
StartupNotify=true
Icon=/usr/share/system-config-selinux/system-config-selinux.png
Icon=system-config-selinux
Exec=/usr/bin/selinux-polgengui
Type=Application
Terminal=false


@ -1,3 +1,3 @@
2ae1a9f7242e33413aae036d2edeb1d8 sepolgen-1.0.19.tgz
e09466b2b02ca5672ce3b43e02c5498f policycoreutils-2.0.79.tgz
e4deacb4df1e2ec081a91fd59da1dcc5 policycoreutils-2.0.82.tgz
49faa2e5f343317bcfcf34d7286f6037 sepolgen-1.0.23.tgz
59d33101d57378ce69889cc078addf90 policycoreutils_man_ru2.tar.bz2


@ -1,9 +1,8 @@
[Desktop Entry]
Name=SELinux Management
GenericName=SELinux
Comment=Configure SELinux in a graphical setting
StartupNotify=true
Icon=/usr/share/system-config-selinux/system-config-selinux.png
Icon=system-config-selinux
Exec=/usr/bin/system-config-selinux
Type=Application
Terminal=false