* Thu May 27 2010 Dan Walsh <dwalsh@redhat.com> 2.0.82-24
- Man page fixes - sandbox fixes Resolves: #595796 - Move seunshare to base package
parent
be45950990
commit
829762e693
@ -214,3 +214,9 @@ policycoreutils-2.0.77.tgz
|
||||
policycoreutils-2.0.78.tgz
|
||||
sepolgen-1.0.19.tgz
|
||||
policycoreutils-2.0.79.tgz
|
||||
policycoreutils-2.0.80.tgz
|
||||
policycoreutils-2.0.81.tgz
|
||||
sepolgen-1.0.20.tgz
|
||||
sepolgen-1.0.22.tgz
|
||||
policycoreutils-2.0.82.tgz
|
||||
sepolgen-1.0.23.tgz
|
||||
|
File diff suppressed because it is too large
159508
policycoreutils-po.patch
159508
policycoreutils-po.patch
File diff suppressed because it is too large
File diff suppressed because it is too large
@ -1,6 +1,6 @@
|
||||
diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/access.py policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/access.py
|
||||
--- nsasepolgen/src/sepolgen/access.py 2009-05-18 13:53:14.000000000 -0400
|
||||
+++ policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/access.py 2009-12-08 17:05:49.000000000 -0500
|
||||
diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/access.py policycoreutils-2.0.82/sepolgen-1.0.23/src/sepolgen/access.py
|
||||
--- nsasepolgen/src/sepolgen/access.py 2010-05-19 14:45:51.000000000 -0400
|
||||
+++ policycoreutils-2.0.82/sepolgen-1.0.23/src/sepolgen/access.py 2010-04-28 17:12:20.000000000 -0400
|
||||
@@ -32,6 +32,7 @@
|
||||
"""
|
||||
|
||||
@ -18,15 +18,6 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/access.py policyco
|
||||
|
||||
# The direction of the information flow represented by this
|
||||
# access vector - used for matching
|
||||
@@ -127,7 +130,7 @@
|
||||
return self.to_string()
|
||||
|
||||
def to_string(self):
|
||||
- return "allow %s %s : %s %s;" % (self.src_type, self.tgt_type,
|
||||
+ return "allow %s %s:%s %s;" % (self.src_type, self.tgt_type,
|
||||
self.obj_class, self.perms.to_space_str())
|
||||
|
||||
def __cmp__(self, other):
|
||||
@@ -253,20 +256,22 @@
|
||||
for av in l:
|
||||
self.add_av(AccessVector(av))
|
||||
@ -54,38 +45,10 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/access.py policyco
|
||||
|
||||
access.perms.update(perms)
|
||||
if audit_msg:
|
||||
diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/audit.py policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/audit.py
|
||||
--- nsasepolgen/src/sepolgen/audit.py 2009-12-01 15:46:50.000000000 -0500
|
||||
+++ policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/audit.py 2010-01-06 09:52:35.000000000 -0500
|
||||
@@ -23,6 +23,27 @@
|
||||
|
||||
# Convenience functions
|
||||
|
||||
+def get_audit_boot_msgs():
|
||||
+ """Obtain all of the avc and policy load messages from the audit
|
||||
+ log. This function uses ausearch and requires that the current
|
||||
+ process have sufficient rights to run ausearch.
|
||||
+
|
||||
+ Returns:
|
||||
+ string contain all of the audit messages returned by ausearch.
|
||||
+ """
|
||||
+ import subprocess
|
||||
+ import time
|
||||
+ fd=open("/proc/uptime", "r")
|
||||
+ off=float(fd.read().split()[0])
|
||||
+ fd.close
|
||||
+ s = time.localtime(time.time() - off)
|
||||
+ date = time.strftime("%D/%Y", s).split("/")
|
||||
+ bootdate="%s/%s/%s" % (date[0], date[1], date[3])
|
||||
+ boottime = time.strftime("%X", s)
|
||||
+ output = subprocess.Popen(["/sbin/ausearch", "-m", "AVC,USER_AVC,MAC_POLICY_LOAD,DAEMON_START,SELINUX_ERR", "-ts", bootdate, boottime],
|
||||
+ stdout=subprocess.PIPE).communicate()[0]
|
||||
+ return output
|
||||
+
|
||||
def get_audit_msgs():
|
||||
"""Obtain all of the avc and policy load messages from the audit
|
||||
log. This function uses ausearch and requires that the current
|
||||
@@ -47,6 +68,17 @@
|
||||
diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/audit.py policycoreutils-2.0.82/sepolgen-1.0.23/src/sepolgen/audit.py
|
||||
--- nsasepolgen/src/sepolgen/audit.py 2010-05-19 14:45:51.000000000 -0400
|
||||
+++ policycoreutils-2.0.82/sepolgen-1.0.23/src/sepolgen/audit.py 2010-04-28 17:12:20.000000000 -0400
|
||||
@@ -68,6 +68,17 @@
|
||||
stdout=subprocess.PIPE).communicate()[0]
|
||||
return output
|
||||
|
||||
@ -103,7 +66,7 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/audit.py policycor
|
||||
# Classes representing audit messages
|
||||
|
||||
class AuditMessage:
|
||||
@@ -106,6 +138,9 @@
|
||||
@@ -127,6 +138,9 @@
|
||||
if fields[0] == "path":
|
||||
self.path = fields[1][1:-1]
|
||||
return
|
||||
@ -113,7 +76,7 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/audit.py policycor
|
||||
|
||||
class AVCMessage(AuditMessage):
|
||||
"""AVC message representing an access denial or granted message.
|
||||
@@ -146,6 +181,8 @@
|
||||
@@ -167,6 +181,8 @@
|
||||
self.path = ""
|
||||
self.accesses = []
|
||||
self.denial = True
|
||||
@ -122,7 +85,7 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/audit.py policycor
|
||||
|
||||
def __parse_access(self, recs, start):
|
||||
# This is kind of sucky - the access that is in a space separated
|
||||
@@ -205,7 +242,31 @@
|
||||
@@ -226,7 +242,31 @@
|
||||
|
||||
if not found_src or not found_tgt or not found_class or not found_access:
|
||||
raise ValueError("AVC message in invalid format [%s]\n" % self.message)
|
||||
@ -138,7 +101,7 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/audit.py policycor
|
||||
+ else:
|
||||
+ self.type, self.bools = audit2why.analyze(scontext, tcontext, self.tclass, self.accesses);
|
||||
+ if self.type == audit2why.NOPOLICY:
|
||||
+ raise ValueError("Must call policy_init first")
|
||||
+ self.type = audit2why.TERULE
|
||||
+ if self.type == audit2why.BADTCON:
|
||||
+ raise ValueError("Invalid Target Context %s\n" % tcontext)
|
||||
+ if self.type == audit2why.BADSCON:
|
||||
@ -155,33 +118,7 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/audit.py policycor
|
||||
class PolicyLoadMessage(AuditMessage):
|
||||
"""Audit message indicating that the policy was reloaded."""
|
||||
def __init__(self, message):
|
||||
@@ -285,6 +346,9 @@
|
||||
|
||||
def __initialize(self):
|
||||
self.avc_msgs = []
|
||||
+ self.constraint_msgs = []
|
||||
+ self.dontaudit_msgs = []
|
||||
+ self.rbac_msgs = []
|
||||
self.compute_sid_msgs = []
|
||||
self.invalid_msgs = []
|
||||
self.policy_load_msgs = []
|
||||
@@ -314,7 +378,7 @@
|
||||
elif i == "security_compute_sid:":
|
||||
msg = ComputeSidMessage(line)
|
||||
found = True
|
||||
- elif i == "type=MAC_POLICY_LOAD" or i == "type=1403":
|
||||
+ elif i == "type=MAC_POLICY_LOAD":
|
||||
msg = PolicyLoadMessage(line)
|
||||
found = True
|
||||
elif i == "type=AVC_PATH":
|
||||
@@ -442,16 +506,17 @@
|
||||
audit logs parsed by this object.
|
||||
"""
|
||||
av_set = access.AccessVectorSet()
|
||||
+
|
||||
for avc in self.avc_msgs:
|
||||
if avc.denial != True and only_denials:
|
||||
continue
|
||||
@@ -469,10 +509,10 @@
|
||||
if avc_filter:
|
||||
if avc_filter.filter(avc):
|
||||
av_set.add(avc.scontext.type, avc.tcontext.type, avc.tclass,
|
||||
@ -194,15 +131,171 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/audit.py policycor
|
||||
return av_set
|
||||
|
||||
class AVCTypeFilter:
|
||||
@@ -477,5 +542,3 @@
|
||||
if self.regex.match(avc.tcontext.type):
|
||||
return True
|
||||
return False
|
||||
diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/defaults.py policycoreutils-2.0.82/sepolgen-1.0.23/src/sepolgen/defaults.py
|
||||
--- nsasepolgen/src/sepolgen/defaults.py 2010-05-19 14:45:51.000000000 -0400
|
||||
+++ policycoreutils-2.0.82/sepolgen-1.0.23/src/sepolgen/defaults.py 2010-04-28 17:12:20.000000000 -0400
|
||||
@@ -30,6 +30,9 @@
|
||||
def interface_info():
|
||||
return data_dir() + "/interface_info"
|
||||
|
||||
+def attribute_info():
|
||||
+ return data_dir() + "/attribute_info"
|
||||
+
|
||||
def refpolicy_devel():
|
||||
return "/usr/share/selinux/devel"
|
||||
|
||||
diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/interfaces.py policycoreutils-2.0.82/sepolgen-1.0.23/src/sepolgen/interfaces.py
|
||||
--- nsasepolgen/src/sepolgen/interfaces.py 2010-05-19 14:45:51.000000000 -0400
|
||||
+++ policycoreutils-2.0.82/sepolgen-1.0.23/src/sepolgen/interfaces.py 2010-05-03 09:33:11.000000000 -0400
|
||||
@@ -29,6 +29,8 @@
|
||||
|
||||
from sepolgeni18n import _
|
||||
|
||||
+import copy
|
||||
+
|
||||
class Param:
|
||||
"""
|
||||
Object representing a paramater for an interface.
|
||||
@@ -197,10 +199,48 @@
|
||||
ret = 1
|
||||
|
||||
return ret
|
||||
-
|
||||
-
|
||||
diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/policygen.py policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/policygen.py
|
||||
--- nsasepolgen/src/sepolgen/policygen.py 2008-09-12 11:48:15.000000000 -0400
|
||||
+++ policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/policygen.py 2010-01-08 09:33:54.000000000 -0500
|
||||
+
|
||||
+class AttributeVector:
|
||||
+ def __init__(self):
|
||||
+ self.name = ""
|
||||
+ self.access = access.AccessVectorSet()
|
||||
+
|
||||
+ def add_av(self, av):
|
||||
+ self.access.add_av(av)
|
||||
+
|
||||
+class AttributeSet:
|
||||
+ def __init__(self):
|
||||
+ self.attributes = { }
|
||||
+
|
||||
+ def add_attr(self, attr):
|
||||
+ self.attributes[attr.name] = attr
|
||||
+
|
||||
+ def from_file(self, fd):
|
||||
+ def parse_attr(line):
|
||||
+ fields = line[1:-1].split()
|
||||
+ if len(fields) != 2 or fields[0] != "Attribute":
|
||||
+ raise SyntaxError("Syntax error Attribute statement %s" % line)
|
||||
+ a = AttributeVector()
|
||||
+ a.name = fields[1]
|
||||
+
|
||||
+ return a
|
||||
+
|
||||
+ a = None
|
||||
+ for line in fd:
|
||||
+ line = line[:-1]
|
||||
+ if line[0] == "[":
|
||||
+ if a:
|
||||
+ self.add_attr(a)
|
||||
+ a = parse_attr(line)
|
||||
+ elif a:
|
||||
+ l = line.split(",")
|
||||
+ av = access.AccessVector(l)
|
||||
+ a.add_av(av)
|
||||
+ if a:
|
||||
+ self.add_attr(a)
|
||||
|
||||
class InterfaceVector:
|
||||
- def __init__(self, interface=None):
|
||||
+ def __init__(self, interface=None, attributes={}):
|
||||
# Enabled is a loose concept currently - we are essentially
|
||||
# not enabling interfaces that we can't handle currently.
|
||||
# See InterfaceVector.add_ifv for more information.
|
||||
@@ -214,10 +254,10 @@
|
||||
# value: Param object).
|
||||
self.params = { }
|
||||
if interface:
|
||||
- self.from_interface(interface)
|
||||
+ self.from_interface(interface, attributes)
|
||||
self.expanded = False
|
||||
|
||||
- def from_interface(self, interface):
|
||||
+ def from_interface(self, interface, attributes={}):
|
||||
self.name = interface.name
|
||||
|
||||
# Add allow rules
|
||||
@@ -232,6 +272,23 @@
|
||||
for av in avs:
|
||||
self.add_av(av)
|
||||
|
||||
+ # Add typeattribute access
|
||||
+ if attributes != None:
|
||||
+ for typeattribute in interface.typeattributes():
|
||||
+ for attr in typeattribute.attributes:
|
||||
+ if not attributes.attributes.has_key(attr):
|
||||
+ # print "missing attribute " + attr
|
||||
+ continue
|
||||
+ attr_vec = attributes.attributes[attr]
|
||||
+ for a in attr_vec.access:
|
||||
+ av = copy.copy(a)
|
||||
+ if av.src_type == attr_vec.name:
|
||||
+ av.src_type = typeattribute.type
|
||||
+ if av.tgt_type == attr_vec.name:
|
||||
+ av.tgt_type = typeattribute.type
|
||||
+ self.add_av(av)
|
||||
+
|
||||
+
|
||||
# Extract paramaters from roles
|
||||
for role in interface.roles():
|
||||
if role_extract_params(role, self.params):
|
||||
@@ -346,13 +403,13 @@
|
||||
l = self.tgt_type_map.setdefault(type, [])
|
||||
l.append(ifv)
|
||||
|
||||
- def add(self, interface):
|
||||
- ifv = InterfaceVector(interface)
|
||||
+ def add(self, interface, attributes={}):
|
||||
+ ifv = InterfaceVector(interface, attributes)
|
||||
self.add_ifv(ifv)
|
||||
|
||||
- def add_headers(self, headers, output=None):
|
||||
+ def add_headers(self, headers, output=None, attributes={}):
|
||||
for i in itertools.chain(headers.interfaces(), headers.templates()):
|
||||
- self.add(i)
|
||||
+ self.add(i, attributes)
|
||||
|
||||
self.expand_ifcalls(headers)
|
||||
self.index()
|
||||
diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/matching.py policycoreutils-2.0.82/sepolgen-1.0.23/src/sepolgen/matching.py
|
||||
--- nsasepolgen/src/sepolgen/matching.py 2010-05-19 14:45:51.000000000 -0400
|
||||
+++ policycoreutils-2.0.82/sepolgen-1.0.23/src/sepolgen/matching.py 2010-04-28 17:12:20.000000000 -0400
|
||||
@@ -50,7 +50,7 @@
|
||||
return 1
|
||||
|
||||
class MatchList:
|
||||
- DEFAULT_THRESHOLD = 120
|
||||
+ DEFAULT_THRESHOLD = 150
|
||||
def __init__(self):
|
||||
# Match objects that pass the threshold
|
||||
self.children = []
|
||||
@@ -63,14 +63,15 @@
|
||||
def best(self):
|
||||
if len(self.children):
|
||||
return self.children[0]
|
||||
- else:
|
||||
- return None
|
||||
+ if len(self.bastards):
|
||||
+ return self.bastards[0]
|
||||
+ return None
|
||||
|
||||
def __len__(self):
|
||||
# Only return the length of the matches so
|
||||
# that this can be used to test if there is
|
||||
# a match.
|
||||
- return len(self.children)
|
||||
+ return len(self.children) + len(self.bastards)
|
||||
|
||||
def __iter__(self):
|
||||
return iter(self.children)
|
||||
diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/policygen.py policycoreutils-2.0.82/sepolgen-1.0.23/src/sepolgen/policygen.py
|
||||
--- nsasepolgen/src/sepolgen/policygen.py 2010-05-19 14:45:51.000000000 -0400
|
||||
+++ policycoreutils-2.0.82/sepolgen-1.0.23/src/sepolgen/policygen.py 2010-05-21 10:36:31.000000000 -0400
|
||||
@@ -29,6 +29,8 @@
|
||||
import access
|
||||
import interfaces
|
||||
@ -212,27 +305,22 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/policygen.py polic
|
||||
|
||||
# Constants for the level of explanation from the generation
|
||||
# routines
|
||||
@@ -74,7 +76,7 @@
|
||||
self.moduel = module
|
||||
else:
|
||||
self.module = refpolicy.Module()
|
||||
-
|
||||
@@ -77,6 +79,7 @@
|
||||
|
||||
self.dontaudit = False
|
||||
|
||||
+ self.domains = None
|
||||
def set_gen_refpol(self, if_set=None, perm_maps=None):
|
||||
"""Set whether reference policy interfaces are generated.
|
||||
|
||||
@@ -141,15 +143,42 @@
|
||||
"""Return the generated module"""
|
||||
return self.module
|
||||
|
||||
- def __add_allow_rules(self, avs):
|
||||
+ def __add_allow_rules(self, avs, dontaudit):
|
||||
for av in avs:
|
||||
- rule = refpolicy.AVRule(av)
|
||||
+ rule = refpolicy.AVRule(av, dontaudit=dontaudit)
|
||||
@@ -151,9 +154,41 @@
|
||||
rule = refpolicy.AVRule(av)
|
||||
if self.dontaudit:
|
||||
rule.rule_type = rule.DONTAUDIT
|
||||
+ rule.comment = ""
|
||||
if self.explain:
|
||||
rule.comment = refpolicy.Comment(explain_access(av, verbosity=self.explain))
|
||||
- self.module.children.append(rule)
|
||||
+ if av.type == audit2why.ALLOW:
|
||||
+ rule.comment += "#!!!! This avc is allowed in the current policy\n"
|
||||
+ if av.type == audit2why.DONTAUDIT:
|
||||
@ -245,12 +333,16 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/policygen.py polic
|
||||
+
|
||||
+ if av.type == audit2why.CONSTRAINT:
|
||||
+ rule.comment += "#!!!! This avc is a constraint violation. You will need to add an attribute to either the source or target type to make it work.\n"
|
||||
+ rule.comment += "#Contraint rule: "
|
||||
+
|
||||
+ if av.type == audit2why.TERULE:
|
||||
+ if "write" in av.perms:
|
||||
+ if "dir" in av.obj_class or "open" in av.perms:
|
||||
+ if not self.domains:
|
||||
+ self.domains = seinfo(ATTRIBUTE, name="domain")[0]["types"]
|
||||
+ types=[]
|
||||
+
|
||||
+ try:
|
||||
+ for i in map(lambda x: x[TCONTEXT], sesearch([ALLOW], {SCONTEXT: av.src_type, CLASS: av.obj_class, PERMS: av.perms})):
|
||||
+ if i not in self.domains:
|
||||
+ types.append(i)
|
||||
@ -258,75 +350,153 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/policygen.py polic
|
||||
+ rule.comment += "#!!!! The source type '%s' can write to a '%s' of the following type:\n# %s\n" % ( av.src_type, av.obj_class, ", ".join(types))
|
||||
+ elif len(types) >= 1:
|
||||
+ rule.comment += "#!!!! The source type '%s' can write to a '%s' of the following types:\n# %s\n" % ( av.src_type, av.obj_class, ", ".join(types))
|
||||
+
|
||||
self.module.children.append(rule)
|
||||
+ except:
|
||||
+ pass
|
||||
+ self.module.children.append(rule)
|
||||
|
||||
|
||||
- def add_access(self, av_set):
|
||||
+ def add_access(self, av_set, dontaudit=False):
|
||||
"""Add the access from the access vector set to this
|
||||
module.
|
||||
"""
|
||||
@@ -165,7 +194,7 @@
|
||||
raw_allow = av_set
|
||||
def add_access(self, av_set):
|
||||
diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/refparser.py policycoreutils-2.0.82/sepolgen-1.0.23/src/sepolgen/refparser.py
|
||||
--- nsasepolgen/src/sepolgen/refparser.py 2010-05-19 14:45:51.000000000 -0400
|
||||
+++ policycoreutils-2.0.82/sepolgen-1.0.23/src/sepolgen/refparser.py 2010-05-21 10:26:43.000000000 -0400
|
||||
@@ -1044,7 +1044,7 @@
|
||||
# of misc_macros. We are just going to pretend that this is an interface
|
||||
# to make the expansion work correctly.
|
||||
can_exec = refpolicy.Interface("can_exec")
|
||||
- av = access.AccessVector(["$1","$2","file","execute_no_trans","read",
|
||||
+ av = access.AccessVector(["$1","$2","file","execute_no_trans","open", "read",
|
||||
"getattr","lock","execute","ioctl"])
|
||||
|
||||
# Generate the raw allow rules from the filtered list
|
||||
- self.__add_allow_rules(raw_allow)
|
||||
+ self.__add_allow_rules(raw_allow, dontaudit)
|
||||
can_exec.children.append(refpolicy.AVRule(av))
|
||||
diff --exclude-from=exclude -N -u -r nsasepolgen/src/share/perm_map policycoreutils-2.0.82/sepolgen-1.0.23/src/share/perm_map
|
||||
--- nsasepolgen/src/share/perm_map 2010-05-19 14:45:51.000000000 -0400
|
||||
+++ policycoreutils-2.0.82/sepolgen-1.0.23/src/share/perm_map 2010-04-28 17:12:20.000000000 -0400
|
||||
@@ -124,7 +124,7 @@
|
||||
quotamod w 1
|
||||
quotaget r 1
|
||||
|
||||
def add_role_types(self, role_type_set):
|
||||
for role_type in role_type_set:
|
||||
diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/refparser.py policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/refparser.py
|
||||
--- nsasepolgen/src/sepolgen/refparser.py 2009-10-29 15:21:39.000000000 -0400
|
||||
+++ policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/refparser.py 2009-12-08 17:05:49.000000000 -0500
|
||||
@@ -973,7 +973,7 @@
|
||||
def list_headers(root):
|
||||
modules = []
|
||||
support_macros = None
|
||||
- blacklist = ["init.if", "inetd.if", "uml.if", "thunderbird.if"]
|
||||
+ blacklist = ["uml.if", "thunderbird.if", "unconfined.if"]
|
||||
-class file 20
|
||||
+class file 21
|
||||
execute_no_trans r 1
|
||||
entrypoint r 1
|
||||
execmod n 1
|
||||
@@ -141,48 +141,50 @@
|
||||
unlink w 1
|
||||
link w 1
|
||||
rename w 5
|
||||
- execute r 100
|
||||
+ execute r 10
|
||||
swapon b 1
|
||||
quotaon b 1
|
||||
mounton b 1
|
||||
+ open r 1
|
||||
|
||||
for dirpath, dirnames, filenames in os.walk(root):
|
||||
for name in filenames:
|
||||
diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/refpolicy.py policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/refpolicy.py
|
||||
--- nsasepolgen/src/sepolgen/refpolicy.py 2009-10-29 15:21:39.000000000 -0400
|
||||
+++ policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/refpolicy.py 2010-01-08 09:33:37.000000000 -0500
|
||||
@@ -398,6 +398,7 @@
|
||||
return "attribute %s;" % self.name
|
||||
-class dir 22
|
||||
- add_name w 5
|
||||
+class dir 23
|
||||
+ add_name w 1
|
||||
remove_name w 1
|
||||
reparent w 1
|
||||
search r 1
|
||||
rmdir b 1
|
||||
ioctl n 1
|
||||
- read r 10
|
||||
- write w 10
|
||||
+ read r 1
|
||||
+ write w 1
|
||||
create w 1
|
||||
- getattr r 7
|
||||
- setattr w 7
|
||||
+ getattr r 1
|
||||
+ setattr w 1
|
||||
lock n 1
|
||||
- relabelfrom r 10
|
||||
- relabelto w 10
|
||||
+ relabelfrom r 1
|
||||
+ relabelto w 1
|
||||
append w 1
|
||||
unlink w 1
|
||||
link w 1
|
||||
- rename w 5
|
||||
+ rename w 1
|
||||
execute r 1
|
||||
swapon b 1
|
||||
quotaon b 1
|
||||
mounton b 1
|
||||
+ open r 1
|
||||
|
||||
# Classes representing rules
|
||||
+import selinux.audit2why as audit2why
|
||||
class fd 1
|
||||
use b 1
|
||||
|
||||
class AVRule(Leaf):
|
||||
"""SELinux access vector (AV) rule.
|
||||
@@ -420,21 +421,26 @@
|
||||
AUDITALLOW = 2
|
||||
NEVERALLOW = 3
|
||||
-class lnk_file 17
|
||||
+class lnk_file 18
|
||||
ioctl n 1
|
||||
- read r 10
|
||||
- write w 10
|
||||
+ read r 1
|
||||
+ write w 1
|
||||
create w 1
|
||||
- getattr r 7
|
||||
- setattr w 7
|
||||
+ getattr r 1
|
||||
+ setattr w 1
|
||||
lock n 1
|
||||
- relabelfrom r 10
|
||||
- relabelto w 10
|
||||
+ relabelfrom r 1
|
||||
+ relabelto w 1
|
||||
append w 1
|
||||
unlink w 1
|
||||
link w 1
|
||||
@@ -191,8 +193,9 @@
|
||||
swapon b 1
|
||||
quotaon b 1
|
||||
mounton b 1
|
||||
+ open r 1
|
||||
|
||||
- def __init__(self, av=None, parent=None):
|
||||
+ def __init__(self, av=None, parent=None, dontaudit=False):
|
||||
Leaf.__init__(self, parent)
|
||||
self.src_types = IdSet()
|
||||
self.tgt_types = IdSet()
|
||||
self.obj_classes = IdSet()
|
||||
self.perms = IdSet()
|
||||
- self.rule_type = self.ALLOW
|
||||
+ if dontaudit:
|
||||
+ self.rule_type = audit2why.DONTAUDIT
|
||||
+ else:
|
||||
+ self.rule_type = audit2why.TERULE
|
||||
if av:
|
||||
self.from_av(av)
|
||||
-class chr_file 20
|
||||
+class chr_file 21
|
||||
execute_no_trans r 1
|
||||
entrypoint r 1
|
||||
execmod n 1
|
||||
@@ -213,8 +216,9 @@
|
||||
swapon b 1
|
||||
quotaon b 1
|
||||
mounton b 1
|
||||
+ open r 1
|
||||
|
||||
def __rule_type_str(self):
|
||||
- if self.rule_type == self.ALLOW:
|
||||
+ if self.rule_type == audit2why.TERULE:
|
||||
return "allow"
|
||||
- elif self.rule_type == self.DONTAUDIT:
|
||||
+ elif self.rule_type == audit2why.DONTAUDIT:
|
||||
return "dontaudit"
|
||||
+ elif self.rule_type == audit2why.CONSTRAINT:
|
||||
+ return "#constraint allow"
|
||||
else:
|
||||
return "auditallow"
|
||||
-class blk_file 17
|
||||
+class blk_file 18
|
||||
ioctl n 1
|
||||
read r 10
|
||||
write w 10
|
||||
@@ -232,8 +236,9 @@
|
||||
swapon b 1
|
||||
quotaon b 1
|
||||
mounton b 1
|
||||
+ open r 1
|
||||
|
||||
-class sock_file 17
|
||||
+class sock_file 18
|
||||
ioctl n 1
|
||||
read r 10
|
||||
write w 10
|
||||
@@ -251,8 +256,9 @@
|
||||
swapon b 1
|
||||
quotaon b 1
|
||||
mounton b 1
|
||||
+ open r 1
|
||||
|
||||
-class fifo_file 17
|
||||
+class fifo_file 18
|
||||
ioctl n 1
|
||||
read r 10
|
||||
write w 10
|
||||
@@ -270,6 +276,7 @@
|
||||
swapon b 1
|
||||
quotaon b 1
|
||||
mounton b 1
|
||||
+ open r 1
|
||||
|
||||
class socket 22
|
||||
ioctl n 1
|
||||
|
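Review bot: In the interfaces.py part of this patch, `InterfaceVector.__init__`, `from_interface`, `add` and `add_headers` all default to `attributes={}`, but the typeattribute loop guards only with `if attributes != None:` and then reads `attributes.attributes.has_key(attr)`. A caller that omits the argument therefore passes a plain dict, and the first interface that carries a typeattribute with at least one attribute would raise AttributeError instead of skipping attribute expansion. Defaulting to `attributes=None` and testing `if attributes is not None:` avoids both that and the shared mutable default. Separately, `AttributeSet.from_file` indexes `line[0]` after stripping the newline, so a blank line in the attribute file raises IndexError; `if line.startswith("["):` would tolerate it. The outer diff markers are lost on this page, so which of these lines are new in this commit is inferred from their position under the sepolgen-1.0.23 headers.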
@ -1,13 +1,13 @@
|
||||
%define libauditver 1.4.2-1
|
||||
%define libsepolver 2.0.41-1
|
||||
%define libsemanagever 2.0.43-3
|
||||
%define libselinuxver 2.0.90-1
|
||||
%define sepolgenver 1.0.19
|
||||
%define libsepolver 2.0.41-3
|
||||
%define libsemanagever 2.0.43-4
|
||||
%define libselinuxver 2.0.90-3
|
||||
%define sepolgenver 1.0.23
|
||||
|
||||
Summary: SELinux policy core utilities
|
||||
Name: policycoreutils
|
||||
Version: 2.0.79
|
||||
Release: 1%{?dist}
|
||||
Version: 2.0.82
|
||||
Release: 24%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz
|
||||
@ -20,7 +20,6 @@ Source5: system-config-selinux.console
|
||||
Source6: selinux-polgengui.desktop
|
||||
Source7: selinux-polgengui.console
|
||||
Source8: policycoreutils_man_ru2.tar.bz2
|
||||
Source9: sandbox.init
|
||||
Patch: policycoreutils-rhat.patch
|
||||
Patch1: policycoreutils-po.patch
|
||||
Patch3: policycoreutils-gui.patch
|
||||
@ -80,12 +79,14 @@ mkdir -p %{buildroot}%{_mandir}/man8
|
||||
mkdir -p %{buildroot}%{_sysconfdir}/pam.d
|
||||
mkdir -p %{buildroot}%{_sysconfdir}/security/console.apps
|
||||
%{__mkdir} -p %{buildroot}/%{_sysconfdir}/rc.d/init.d
|
||||
install -m0755 %{SOURCE9} %{buildroot}/%{_sysconfdir}/rc.d/init.d/sandbox
|
||||
%{__mkdir} -p %{buildroot}%{_datadir}/icons/hicolor/24x24/apps
|
||||
%{__mkdir} -p %{buildroot}%{_datadir}/pixmaps
|
||||
|
||||
make LSPP_PRIV=y DESTDIR="%{buildroot}" LIBDIR="%{buildroot}%{_libdir}" install
|
||||
make -C sepolgen-%{sepolgenver} DESTDIR="%{buildroot}" LIBDIR="%{buildroot}%{_libdir}" install
|
||||
|
||||
install -m 644 %{SOURCE2} %{buildroot}%{_datadir}/system-config-selinux/
|
||||
install -m 644 %{SOURCE2} %{buildroot}%{_datadir}/pixmaps
|
||||
install -m 644 %{SOURCE2} %{buildroot}%{_datadir}/icons/hicolor/24x24/apps
|
||||
install -m 644 %{SOURCE4} %{buildroot}%{_sysconfdir}/pam.d/system-config-selinux
|
||||
install -m 644 %{SOURCE4} %{buildroot}%{_sysconfdir}/pam.d/selinux-polgengui
|
||||
install -m 644 %{SOURCE5} %{buildroot}%{_sysconfdir}/security/console.apps/system-config-selinux
|
||||
@ -127,11 +128,11 @@ The policycoreutils-python package contains the management tools use to manage a
|
||||
%{_bindir}/chcat
|
||||
%{_bindir}/sandbox
|
||||
%{_bindir}/sepolgen-ifgen
|
||||
%{_bindir}/sepolgen-ifgen-attr-helper
|
||||
%{python_sitelib}/seobject.py*
|
||||
%{python_sitelib}/sepolgen
|
||||
%{python_sitelib}/%{name}
|
||||
%{python_sitelib}/%{name}*.egg-info
|
||||
%{pkgpythondir}/default_encoding_utf8.so
|
||||
%{pkgpythondir}
|
||||
%dir /var/lib/sepolgen
|
||||
%dir /var/lib/selinux
|
||||
/var/lib/sepolgen/perm_map
|
||||
@ -140,12 +141,13 @@ The policycoreutils-python package contains the management tools use to manage a
|
||||
%{_mandir}/man1/audit2why.1*
|
||||
%{_mandir}/man8/chcat.8*
|
||||
%{_mandir}/ru/man8/chcat.8*
|
||||
%{_mandir}/man8/genhomedircon.8*
|
||||
%{_mandir}/man8/sandbox.8*
|
||||
%{_mandir}/man8/semanage.8*
|
||||
%{_mandir}/ru/man8/semanage.8*
|
||||
|
||||
%post python
|
||||
[ -f /usr/share/selinux/devel/include/build.conf ] && /usr/bin/sepolgen-ifgen
|
||||
selinuxenabled && [ -f /usr/share/selinux/devel/include/build.conf ] && /usr/bin/sepolgen-ifgen 2>/dev/null
|
||||
exit 0
|
||||
|
||||
%package sandbox
|
||||
@ -162,12 +164,10 @@ The policycoreutils-python package contains the scripts to create graphical sand
|
||||
|
||||
%files sandbox
|
||||
%defattr(-,root,root,-)
|
||||
%{_sysconfdir}/rc.d/init.d/sandbox
|
||||
%{_sbindir}/seunshare
|
||||
%{_datadir}/sandbox/sandboxX.sh
|
||||
|
||||
%triggerin python -- selinux-policy
|
||||
[ -f /usr/share/selinux/devel/include/build.conf ] && /usr/bin/sepolgen-ifgen
|
||||
selinuxenabled && [ -f /usr/share/selinux/devel/include/build.conf ] && /usr/bin/sepolgen-ifgen 2>/dev/null
|
||||
exit 0
|
||||
|
||||
%post sandbox
|
||||
@ -214,11 +214,12 @@ system-config-selinux is a utility for managing the SELinux environment
|
||||
%{_bindir}/sepolgen
|
||||
%{_datadir}/applications/fedora-system-config-selinux.desktop
|
||||
%{_datadir}/applications/fedora-selinux-polgengui.desktop
|
||||
%{_datadir}/icons/hicolor/24x24/apps/system-config-selinux.png
|
||||
%{_datadir}/pixmaps/system-config-selinux.png
|
||||
%dir %{_datadir}/system-config-selinux
|
||||
%dir %{_datadir}/system-config-selinux/templates
|
||||
%{_datadir}/system-config-selinux/*.py*
|
||||
%{_datadir}/system-config-selinux/selinux.tbl
|
||||
%{_datadir}/system-config-selinux/*png
|
||||
%{_datadir}/system-config-selinux/*.glade
|
||||
%{_datadir}/system-config-selinux/templates/*.py*
|
||||
%config(noreplace) %{_sysconfdir}/pam.d/system-config-selinux
|
||||
@ -235,6 +236,7 @@ rm -rf %{buildroot}
|
||||
/sbin/fixfiles
|
||||
/sbin/setfiles
|
||||
/sbin/load_policy
|
||||
%{_sbindir}/seunshare
|
||||
%{_sbindir}/genhomedircon
|
||||
%{_sbindir}/load_policy
|
||||
%{_sbindir}/restorecond
|
||||
@ -248,6 +250,8 @@ rm -rf %{buildroot}
|
||||
%{_bindir}/semodule_expand
|
||||
%{_bindir}/semodule_link
|
||||
%{_bindir}/semodule_package
|
||||
%{_sysconfdir}/rc.d/init.d/sandbox
|
||||
%config(noreplace) %{_sysconfdir}/sysconfig/sandbox
|
||||
%config(noreplace) %{_sysconfdir}/pam.d/newrole
|
||||
%config(noreplace) %{_sysconfdir}/pam.d/run_init
|
||||
%config(noreplace) %{_sysconfdir}/sestatus.conf
|
||||
@ -287,6 +291,7 @@ rm -rf %{buildroot}
|
||||
%{_mandir}/ru/man8/setsebool.8*
|
||||
%{_mandir}/man1/secon.1*
|
||||
%{_mandir}/ru/man1/secon.1*
|
||||
%{_mandir}/man8/seunshare.8*
|
||||
|
||||
%preun
|
||||
if [ $1 -eq 0 ]; then
|
||||
@ -306,7 +311,132 @@ fi
|
||||
exit 0
|
||||
|
||||
%changelog
|
||||
* Thu Feb 16 2010 Dan Walsh <dwalsh@redhat.com> 2.0.79-1
|
||||
* Thu May 27 2010 Dan Walsh <dwalsh@redhat.com> 2.0.82-24
|
||||
- Man page fixes
|
||||
- sandbox fixes
|
||||
Resolves: #595796
|
||||
- Move seunshare to base package
|
||||
|
||||
* Fri May 21 2010 Dan Walsh <dwalsh@redhat.com> 2.0.82-23
|
||||
- Fix seunshare translations
|
||||
- Fix seunshare to work on all arches
|
||||
- Fix icon for system-config-selinux
|
||||
Resolves: #595276
|
||||
|
||||
* Fri May 21 2010 Dan Walsh <dwalsh@redhat.com> 2.0.82-22
|
||||
- Fix can_exec definition in sepolgen
|
||||
|
||||
* Fri May 21 2010 Dan Walsh <dwalsh@redhat.com> 2.0.82-21
|
||||
- Add man page for seunshare and genhomedircon
|
||||
Resolves: #594303
|
||||
- Fix node management via semanage
|
||||
Resolves: #591135
|
||||
|
||||
* Wed May 19 2010 Dan Walsh <dwalsh@redhat.com> 2.0.82-20
|
||||
- Fixes from upstream for sandbox command
|
||||
Resolves: #580938
|
||||
|
||||
* Thu May 13 2010 Dan Walsh <dwalsh@redhat.com> 2.0.82-18
|
||||
- Fix sandbox error handling on copyfile
|
||||
- Fix desktop files
|
||||
|
||||
* Tue May 11 2010 Dan Walsh <dwalsh@redhat.com> 2.0.82-17
|
||||
- Fix policy tool to have correct name in menus
|
||||
- Fix seunshare to handle /tmp being in ~/home
|
||||
- Fix saving of altered files
|
||||
- Update translations
|
||||
|
||||
* Tue May 4 2010 Dan Walsh <dwalsh@redhat.com> 2.0.82-15
|
||||
- Allow audit2allow to specify alternative policy file for analysis
|
||||
|
||||
* Mon May 3 2010 Dan Walsh <dwalsh@redhat.com> 2.0.82-14
|
||||
- Update po
|
||||
- Fix sepolgen --no_attrs
|
||||
Resolves: #588280
|
||||
|
||||
* Thu Apr 29 2010 Dan Walsh <dwalsh@redhat.com> 2.0.82-13
|
||||
- Make semanage boolean work on disabled machines and during livecd xguest
|
||||
- Fix homedir and tmpdir handling in sandbox
|
||||
Resolves: #587263
|
||||
|
||||
* Wed Apr 28 2010 Dan Walsh <dwalsh@redhat.com> 2.0.82-11
|
||||
- Make semanage boolean work on disabled machines
|
||||
|
||||
* Tue Apr 27 2010 Dan Walsh <dwalsh@redhat.com> 2.0.82-10
|
||||
- Make sepolgen-ifgen be quiet
|
||||
|
||||
* Wed Apr 21 2010 Dan Walsh <dwalsh@redhat.com> 2.0.82-8
|
||||
- Make sepolgen report on more interfaces
|
||||
- Fix system-config-selinux display of modules
|
||||
|
||||
* Thu Apr 15 2010 Dan Walsh <dwalsh@redhat.com> 2.0.82-7
|
||||
- Fix crash when args are empty
|
||||
Resolves: #582542
|
||||
- Fix semange to exit on bad options
|
||||
- Fix semanage dontaudit man page section
|
||||
Resolves: #582533
|
||||
|
||||
* Wed Apr 14 2010 Dan Walsh <dwalsh@redhat.com> 2.0.82-6
|
||||
- Remove debug line from semanage
|
||||
- Update po
|
||||
|
||||
* Tue Apr 13 2010 Dan Walsh <dwalsh@redhat.com> 2.0.82-5
|
||||
- Fix sandbox comment on HOMEDIRS
|
||||
- Fix sandbox to throw error on bad executable
|
||||
|
||||
* Tue Apr 6 2010 Dan Walsh <dwalsh@redhat.com> 2.0.82-4
|
||||
- Fix spacing in templates
|
||||
|
||||
* Wed Mar 31 2010 Dan Walsh <dwalsh@redhat.com> 2.0.82-3
|
||||
- Fix semanage return codes
|
||||
|
||||
* Tue Mar 30 2010 Dan Walsh <dwalsh@redhat.com> 2.0.82-2
|
||||
- Fix sepolgen to confirm to the "Reference Policy Style Guide"
|
||||
|
||||
* Tue Mar 23 2010 Dan Walsh <dwalsh@redhat.com> 2.0.82-1
|
||||
- Update to upstream
|
||||
* Add avc's since boot from Dan Walsh.
|
||||
* Fix unit tests from Dan Walsh.
|
||||
|
||||
* Tue Mar 23 2010 Dan Walsh <dwalsh@redhat.com> 2.0.81-4
|
||||
- Update to upstream - sepolgen
|
||||
* Add since-last-boot option to audit2allow from Dan Walsh.
|
||||
* Fix sepolgen output to match what Chris expects for upstream
|
||||
refpolicy from Dan Walsh.
|
||||
|
||||
* Mon Mar 22 2010 Dan Walsh <dwalsh@redhat.com> 2.0.81-3
|
||||
- Allow restorecon on > 2 Gig files
|
||||
|
||||
* Tue Mar 16 2010 Dan Walsh <dwalsh@redhat.com> 2.0.81-2
|
||||
- Fix semanage handling of boolean options
|
||||
- Update translations
|
||||
|
||||
* Fri Mar 12 2010 Dan Walsh <dwalsh@redhat.com> 2.0.81-1
|
||||
- Update to upstream
|
||||
* Add dontaudit flag to audit2allow from Dan Walsh.
|
||||
|
||||
* Thu Mar 11 2010 Dan Walsh <dwalsh@redhat.com> 2.0.80-2
|
||||
- Use --rbind in sandbox init scripts
|
||||
|
||||
* Mon Mar 8 2010 Dan Walsh <dwalsh@redhat.com> 2.0.80-1
|
||||
- Update to upstream
|
||||
* Module enable/disable support from Dan Walsh.
|
||||
|
||||
* Mon Mar 1 2010 Dan Walsh <dwalsh@redhat.com> 2.0.79-5
|
||||
- Rewrite of sandbox script, add unit test for sandbox
|
||||
- Update translations
|
||||
|
||||
* Mon Mar 1 2010 Dan Walsh <dwalsh@redhat.com> 2.0.79-4
|
||||
- Fix patch for dontaudit rules from audit2allow for upstream acceptance
|
||||
|
||||
* Fri Feb 26 2010 Dan Walsh <dwalsh@redhat.com> 2.0.79-3
|
||||
- Fixes for fixfiles
|
||||
|
||||
* Wed Feb 17 2010 Dan Walsh <dwalsh@redhat.com> 2.0.79-2
|
||||
- Fix sandbox to complain if mount-shared has not been run
|
||||
- Fix to use /etc/sysconfig/sandbox
|
||||
|
||||
* Tue Feb 16 2010 Dan Walsh <dwalsh@redhat.com> 2.0.79-1
|
||||
- Update to upstream
|
||||
* Fix double-free in newrole
|
||||
- Fix python language handling
|
||||
|
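Review bot: The base package file list now carries `%{_sbindir}/seunshare` with no `%attr`, so the spec does not state the mode or ownership of a binary that this change ships to every policycoreutils install rather than only to users of the sandbox subpackage. Its mode comes from the upstream `make install`, which is not visible on this page; if it is installed with elevated privileges, declaring that in the spec, e.g. `%attr(<mode>,root,root) %{_sbindir}/seunshare` with the intended mode filled in, makes it reviewable and lets `rpm -V` flag drift. The `%post python` and `%triggerin` scriptlets also now send `sepolgen-ifgen` stderr to `/dev/null` ahead of `exit 0`, so a failed interface regeneration leaves no trace; a comment saying that this is deliberate would help the next maintainer.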
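--- a/sandbox.init
+++ b/sandbox.init
@@ -1,60 +0,0 @@
-#!/bin/bash
-## BEGIN INIT INFO
-# Provides: sandbox
-# Default-Start: 5
-# Default-Stop: 0 1 2 3 4 6
-# Required-Start:
-#
-## END INIT INFO
-# sandbox: Set up / mountpoint to be shared, /var/tmp, /tmp, /home/sandbox unshared
-#
-# chkconfig: 5 1 99
-#
-# Description: sandbox is using pam_namespace to share the /var/tmp, /tmp and
-# /home/sandbox accounts. This script will setup the / mount
-# point as shared and all of the subdirectories just these
-# directories as unshared.
-#
-
-# Source function library.
-. /etc/init.d/functions
-
-LOCKFILE=/var/lock/subsys/sandbox
-
-base=${0##*/}
-
-case "$1" in
-start)
-[ -f "$LOCKFILE" ] && exit 0
-
-touch $LOCKFILE
-mount --make-rshared /
-mount --bind /tmp /tmp
-mount --bind /var/tmp /var/tmp
-mount --bind /home /home
-mount --make-private /home
-mount --make-private /tmp
-mount --make-private /var/tmp
-RETVAL=$?
-exit $RETVAL
-;;
-
-status)
-if [ -f "$LOCKFILE" ]; then
-echo "$base is running"
-else
-echo "$base is stopped"
-fi
-exit 0
-;;
-
-stop)
-rm -f $LOCKFILE
-exit 0
-;;
-
-*)
-echo $"Usage: $0 {start|stop}"
-exit 3
-;;
-esac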
@ -1,9 +1,8 @@
|
||||
[Desktop Entry]
|
||||
Name=SELinux Policy Generation Tool
|
||||
GenericName=SELinux
|
||||
Comment=Generate SELinux policy modules
|
||||
StartupNotify=true
|
||||
Icon=/usr/share/system-config-selinux/system-config-selinux.png
|
||||
Icon=system-config-selinux
|
||||
Exec=/usr/bin/selinux-polgengui
|
||||
Type=Application
|
||||
Terminal=false
|
||||
|
4
sources
4
sources
@ -1,3 +1,3 @@
|
||||
2ae1a9f7242e33413aae036d2edeb1d8 sepolgen-1.0.19.tgz
|
||||
e09466b2b02ca5672ce3b43e02c5498f policycoreutils-2.0.79.tgz
|
||||
e4deacb4df1e2ec081a91fd59da1dcc5 policycoreutils-2.0.82.tgz
|
||||
49faa2e5f343317bcfcf34d7286f6037 sepolgen-1.0.23.tgz
|
||||
59d33101d57378ce69889cc078addf90 policycoreutils_man_ru2.tar.bz2
|
||||
|
@ -1,9 +1,8 @@
|
||||
[Desktop Entry]
|
||||
Name=SELinux Management
|
||||
GenericName=SELinux
|
||||
Comment=Configure SELinux in a graphical setting
|
||||
StartupNotify=true
|
||||
Icon=/usr/share/system-config-selinux/system-config-selinux.png
|
||||
Icon=system-config-selinux
|
||||
Exec=/usr/bin/system-config-selinux
|
||||
Type=Application
|
||||
Terminal=false
|
||||
|