From 8e5935ed03873d039d551cd5a73efde64c3b2ecb Mon Sep 17 00:00:00 2001 From: Petr Lautrbach Date: Thu, 13 Aug 2015 17:36:39 +0200 Subject: [PATCH] policycoreutils-2.4-9 - Fix another python3 issues mainly in sepolicy (#1247039,#1247575,#1251713) - The functionality of audit2allow which was disabled in the previous commit should be available again --- policycoreutils-rhat.patch | 272 +++++++++++++++++++++++-------------- policycoreutils.spec | 7 +- sepolgen-rhat.patch | 25 ++-- 3 files changed, 185 insertions(+), 119 deletions(-) diff --git a/policycoreutils-rhat.patch b/policycoreutils-rhat.patch index 7ac33d2..4dee5aa 100644 --- a/policycoreutils-rhat.patch +++ b/policycoreutils-rhat.patch @@ -658532,7 +658532,7 @@ index 2a9e1c7..365e622 100644 +#endif } diff --git a/policycoreutils-2.4/sepolicy/search.c b/policycoreutils-2.4/sepolicy/search.c -index d9a5aec..513eba8 100644 +index d9a5aec..94124c0 100644 --- a/policycoreutils-2.4/sepolicy/search.c +++ b/policycoreutils-2.4/sepolicy/search.c @@ -189,7 +189,7 @@ static PyObject* get_ra_results(const apol_policy_t * policy, const apol_vector_ @@ -658571,7 +658571,7 @@ index d9a5aec..513eba8 100644 if (py_tuple_insert_obj(tuple, 0, obj)) goto err; obj = PyBool_FromLong(enabled); -@@ -994,14 +994,14 @@ PyObject* search(bool allow, +@@ -994,14 +994,25 @@ PyObject* search(bool allow, static int Dict_ContainsInt(PyObject *dict, const char *key){ PyObject *item = PyDict_GetItemString(dict, key); if (item) 
@@ -658582,9 +658582,21 @@ index d9a5aec..513eba8 100644 static const char *Dict_ContainsString(PyObject *dict, const char *key){ PyObject *item = PyDict_GetItemString(dict, key); - if (item) +- if (item) - return PyString_AsString(item); -+ return PyBytes_AsString(item); ++ if (item) { ++ if (PyUnicode_Check(item)) { ++ char *str = NULL; ++ PyObject *item_utf8 = PyUnicode_AsUTF8String(item); ++ if (item_utf8) { ++ str = strdup(PyBytes_AsString(item_utf8)); ++ } ++ Py_XDECREF(item_utf8); ++ return str; ++ } else { ++ return PyBytes_AsString(item); ++ } ++ } return NULL; } @@ -658611,15 +658623,21 @@ index 458a4d2..b6088af 100644 + except dbus.DBusException as e: + print(e) diff --git a/policycoreutils-2.4/sepolicy/selinux_server.py b/policycoreutils-2.4/sepolicy/selinux_server.py -index e94c38f..0a91638 100644 +index e94c38f..671be1a 100644 --- a/policycoreutils-2.4/sepolicy/selinux_server.py +++ b/policycoreutils-2.4/sepolicy/selinux_server.py -@@ -1,4 +1,4 @@ +@@ -1,9 +1,9 @@ -#!/usr/bin/python +#!/usr/bin/python3 import dbus import dbus.service + import dbus.mainloop.glib +-import gobject ++from gi.repository import GObject, GLib + import slip.dbus.service + from slip.dbus import polkit + import os @@ -18,7 +18,7 @@ class selinux_server(slip.dbus.service.Object): # # The semanage method runs a transaction on a series of semanage commands, 
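Review bot: The new `PyUnicode_Check` branch of `Dict_ContainsString` returns a `strdup()` copy, while the `else` branch returns the borrowed pointer from `PyBytes_AsString(item)`, so a caller cannot tell whether the result must be freed. The return type is still `const char *`, so callers that keep treating the result as borrowed would leak one allocation per lookup on Python 3; the callers are outside this hunk, so this should be confirmed. A failed `PyUnicode_AsUTF8String()` or `strdup()` also returns NULL, which looks the same as a missing key, and the former leaves a Python exception pending. If the extension only needs to build against Python 3.3 or later, `return PyUnicode_AsUTF8(item);` keeps the borrowed-pointer contract in both branches. Otherwise, document the ownership rule on the function and free the result at every call site.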
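Review bot: `GObject` is imported in `from gi.repository import GObject, GLib`, but the only use this patch shows is `GLib.MainLoop()` in the `__main__` block. If nothing else in selinux_server.py references `GObject`, the line can be reduced to `from gi.repository import GLib`, which keeps the import surface of this D-Bus service minimal. The rest of the file is outside the hunk, so check for other uses before dropping it.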
@@ -658687,15 +658705,18 @@ index e94c38f..0a91638 100644 # # The change_default_policy method modifies the policy type -@@ -125,7 +125,7 @@ class selinux_server(slip.dbus.service.Object): +@@ -125,9 +125,9 @@ class selinux_server(slip.dbus.service.Object): if os.path.isdir(path): return self.write_selinux_config(policy=value) raise ValueError("%s does not exist" % path) - + if __name__ == "__main__": - mainloop = gobject.MainLoop() +- mainloop = gobject.MainLoop() ++ mainloop = GLib.MainLoop() dbus.mainloop.glib.DBusGMainLoop(set_as_default=True) + system_bus = dbus.SystemBus() + name = dbus.service.BusName("org.selinux", system_bus) diff --git a/policycoreutils-2.4/sepolicy/sepolicy-bash-completion.sh b/policycoreutils-2.4/sepolicy/sepolicy-bash-completion.sh index 779fd75..29ccbdf 100644 --- a/policycoreutils-2.4/sepolicy/sepolicy-bash-completion.sh @@ -658779,7 +658800,7 @@ index 2e67456..0c5f998 100644 .B sepolicy generate \-\-cgi [\-n NAME] command [\-w WRITE_PATH ] .br diff --git a/policycoreutils-2.4/sepolicy/sepolicy.py b/policycoreutils-2.4/sepolicy/sepolicy.py -index 74fb347..6c7639f 100755 +index 74fb347..50c10d0 100755 --- a/policycoreutils-2.4/sepolicy/sepolicy.py +++ b/policycoreutils-2.4/sepolicy/sepolicy.py @@ -1,4 +1,4 @@ @@ -658788,7 +658809,15 @@ index 74fb347..6c7639f 100755 # Copyright (C) 2012 Red Hat # AUTHOR: Dan Walsh # see file 'COPYING' for use and warranty information -@@ -32,12 +32,15 @@ gettext.bindtextdomain(PROGNAME, "/usr/share/locale") +@@ -25,6 +25,7 @@ import os, sys + import selinux + import sepolicy + from sepolicy import get_os_version, get_conditionals, get_conditionals_format_text ++from sepolgen import util + import argparse + import gettext + PROGNAME="policycoreutils" +@@ -32,12 +33,15 @@ gettext.bindtextdomain(PROGNAME, "/usr/share/locale") gettext.textdomain(PROGNAME) try: gettext.install(PROGNAME, 
@@ -658808,7 +658837,7 @@ index 74fb347..6c7639f 100755 usage = "sepolicy generate [-h] [-n NAME] [-p PATH] [" usage_dict = {' --newtype':('-t [TYPES [TYPES ...]]',),' --customize':('-d DOMAIN','-a ADMIN_DOMAIN',"[ -w WRITEPATHS ]",), ' --admin_user':('[-r TRANSITION_ROLE ]',"[ -w WRITEPATHS ]",), ' --application':('COMMAND',"[ -w WRITEPATHS ]",), ' --cgi':('COMMAND',"[ -w WRITEPATHS ]",), ' --confined_admin':('-a ADMIN_DOMAIN',"[ -w WRITEPATHS ]",), ' --dbus':('COMMAND',"[ -w WRITEPATHS ]",), ' --desktop_user':('',"[ -w WRITEPATHS ]",),' --inetd':('COMMAND',"[ -w WRITEPATHS ]",),' --init':('COMMAND',"[ -w WRITEPATHS ]",), ' --sandbox':("[ -w WRITEPATHS ]",), ' --term_user':("[ -w WRITEPATHS ]",), ' --x_user':("[ -w WRITEPATHS ]",)} -@@ -45,7 +48,7 @@ usage_dict = {' --newtype':('-t [TYPES [TYPES ...]]',),' --customize':('-d DOMAI +@@ -45,7 +49,7 @@ usage_dict = {' --newtype':('-t [TYPES [TYPES ...]]',),' --customize':('-d DOMAI class CheckPath(argparse.Action): def __call__(self, parser, namespace, values, option_string=None): if not os.path.exists(values): @@ -658817,7 +658846,7 @@ index 74fb347..6c7639f 100755 setattr(namespace, self.dest, values) class CheckType(argparse.Action): -@@ -108,7 +111,7 @@ class CheckClass(argparse.Action): +@@ -108,7 +112,7 @@ class CheckClass(argparse.Action): def __call__(self, parser, namespace, values, option_string=None): global all_classes if not all_classes: @@ -658826,7 +658855,7 @@ index 74fb347..6c7639f 100755 if values not in all_classes: raise ValueError("%s must be an SELinux class:\nValid classes: %s" % (values, ", ".join(all_classes))) -@@ -151,16 +154,14 @@ class CheckPortType(argparse.Action): +@@ -151,16 +155,14 @@ class CheckPortType(argparse.Action): class LoadPolicy(argparse.Action): def __call__(self, parser, namespace, values, option_string=None): 
@@ -658844,7 +658873,7 @@ index 74fb347..6c7639f 100755 setattr(namespace, self.dest, values) class CheckUser(argparse.Action): -@@ -187,21 +188,21 @@ class CheckRole(argparse.Action): +@@ -187,21 +189,21 @@ class CheckRole(argparse.Action): class InterfaceInfo(argparse.Action): def __call__(self, parser, namespace, values, option_string=None): @@ -658871,7 +658900,16 @@ index 74fb347..6c7639f 100755 usage_text = usage_text[:-1] + "]" usage_text = _(usage_text) -@@ -226,7 +227,7 @@ def _print_net(src, protocol, perm): +@@ -218,7 +220,7 @@ def numcmp(val1,val2): + if v1 < v2: + return -1 + except: +- return cmp(val1,val2) ++ return (val1 > val2) - (val1 < val2) + + def _print_net(src, protocol, perm): + import sepolicy.network +@@ -226,7 +228,7 @@ def _print_net(src, protocol, perm): if len(portdict) > 0: bold_start="\033[1m" bold_end="\033[0;0m" @@ -658880,16 +658918,19 @@ index 74fb347..6c7639f 100755 port_strings=[] boolean_text="" for p in portdict: -@@ -239,7 +240,7 @@ def _print_net(src, protocol, perm): +@@ -237,9 +239,9 @@ def _print_net(src, protocol, perm): + port_strings.append("%s (%s) %s" % (", ".join(recs), t, boolean_text)) + else: port_strings.append("%s (%s)" % (", ".join(recs), t)) - port_strings.sort(numcmp) +- port_strings.sort(numcmp) ++ port_strings.sort(key=util.cmp_to_key(numcmp)) for p in port_strings: - print "\t" + p + print("\t" + p) def network(args): portrecs, portrecsbynum = sepolicy.gen_port_dict() -@@ -249,29 +250,29 @@ def network(args): +@@ -249,29 +251,29 @@ def network(args): if i[0] not in all_ports: all_ports.append(i[0]) all_ports.sort() @@ -658929,7 +658970,7 @@ index 74fb347..6c7639f 100755 for a in args.applications: d = sepolicy.get_init_transtype(a) -@@ -317,7 +318,7 @@ def manpage(args): +@@ -317,7 +319,7 @@ def manpage(args): for domain in test_domains: m = ManPage(domain, path, args.root,args.source_files, args.web) 
@@ -658938,7 +658979,7 @@ index 74fb347..6c7639f 100755 if args.web: HTMLManPages(manpage_roles, manpage_domains, path, args.os) -@@ -375,7 +376,7 @@ def communicate(args): +@@ -375,7 +377,7 @@ def communicate(args): out = list(set(writable) & set(readable)) for t in out: @@ -658947,7 +658988,12 @@ index 74fb347..6c7639f 100755 def gen_communicate_args(parser): comm = parser.add_parser("communicate", -@@ -400,7 +401,7 @@ def booleans(args): +@@ -397,10 +399,12 @@ def booleans(args): + from sepolicy import boolean_desc + if args.all: + rc, args.booleans = selinux.security_get_boolean_names() ++ if util.PY3: ++ args.booleans = [util.decode_input(x) for x in args.booleans] args.booleans.sort() for b in args.booleans: @@ -658956,7 +659002,7 @@ index 74fb347..6c7639f 100755 def gen_booleans_args(parser): bools = parser.add_parser("booleans", -@@ -435,19 +436,19 @@ def print_interfaces(interfaces, args, append=""): +@@ -435,19 +439,19 @@ def print_interfaces(interfaces, args, append=""): for i in interfaces: if args.verbose: try: @@ -658981,7 +659027,7 @@ index 74fb347..6c7639f 100755 if args.list_admin: print_interfaces(get_admin(args.file), args, "_admin") if args.list_user: -@@ -458,7 +459,7 @@ def interface(args): +@@ -458,7 +462,7 @@ def interface(args): print_interfaces(args.interfaces, args) def generate(args): @@ -658990,7 +659036,7 @@ index 74fb347..6c7639f 100755 cmd = None # numbers present POLTYPE defined in sepolicy.generate conflict_args = {'TYPES':(NEWTYPE,), 'DOMAIN':(EUSER,), 'ADMIN_DOMAIN':(AUSER, RUSER, EUSER,)} -@@ -469,7 +470,7 @@ def generate(args): +@@ -469,7 +473,7 @@ def generate(args): for k in usage_dict: error_text += "%s" % (k) print(generate_usage) @@ -658999,7 +659045,7 @@ index 74fb347..6c7639f 100755 sys.exit(1) if args.policytype in APPLICATIONS: -@@ -514,7 +515,7 @@ def generate(args): +@@ -514,7 +518,7 @@ def generate(args): if args.policytype in APPLICATIONS: mypolicy.gen_writeable() mypolicy.gen_symbols() 
@@ -659008,7 +659054,7 @@ index 74fb347..6c7639f 100755 def gen_interface_args(parser): itf = parser.add_parser("interface", -@@ -542,7 +543,7 @@ def gen_interface_args(parser): +@@ -542,7 +546,7 @@ def gen_interface_args(parser): itf.set_defaults(func=interface) def gen_generate_args(parser): @@ -659017,7 +659063,7 @@ index 74fb347..6c7639f 100755 generate_usage = generate_custom_usage(usage, usage_dict) -@@ -552,7 +553,7 @@ def gen_generate_args(parser): +@@ -552,7 +556,7 @@ def gen_generate_args(parser): action=CheckDomain, nargs="*", help=_("Enter domain type which you will be extending")) pol.add_argument("-u", "--user", dest="user", default=[], @@ -659026,7 +659072,7 @@ index 74fb347..6c7639f 100755 help=_("Enter SELinux user(s) which will transition to this domain")) pol.add_argument("-r", "--role", dest="role", default=[], action=CheckRole, -@@ -566,7 +567,7 @@ def gen_generate_args(parser): +@@ -566,7 +570,7 @@ def gen_generate_args(parser): pol.add_argument("-T", "--test", dest="test", default=False, action="store_true", help=argparse.SUPPRESS) pol.add_argument("-t", "--type", dest="types", default=[], nargs="*", @@ -659035,7 +659081,7 @@ index 74fb347..6c7639f 100755 help="Enter type(s) for which you will generate new definition and rule(s)") pol.add_argument("-p", "--path", dest="path", default=os.getcwd(), help=_("path in which the generated policy files will be stored")) -@@ -590,8 +591,8 @@ def gen_generate_args(parser): +@@ -590,8 +594,8 @@ def gen_generate_args(parser): action="store_const", default=DAEMON, help=_("Generate '%s' policy") % poltype[DAEMON]) @@ -659046,7 +659092,7 @@ index 74fb347..6c7639f 100755 group.add_argument("--admin_user", dest="policytype", const=AUSER, action="store_const", help=_("Generate '%s' policy") % poltype[AUSER]) -@@ -642,12 +643,12 @@ if __name__ == '__main__': +@@ -642,12 +646,12 @@ if __name__ == '__main__': args = parser.parse_args() args.func(args) sys.exit(0) 
@@ -659063,10 +659109,10 @@ index 74fb347..6c7639f 100755 + print("Out") sys.exit(0) diff --git a/policycoreutils-2.4/sepolicy/sepolicy/__init__.py b/policycoreutils-2.4/sepolicy/sepolicy/__init__.py -index 679725d..78a5c9e 100644 +index 679725d..2e1bfec 100644 --- a/policycoreutils-2.4/sepolicy/sepolicy/__init__.py +++ b/policycoreutils-2.4/sepolicy/sepolicy/__init__.py -@@ -1,25 +1,29 @@ +@@ -1,25 +1,30 @@ -#!/usr/bin/python +#!/usr/bin/python3 @@ -659080,6 +659126,7 @@ index 679725d..78a5c9e 100644 import gettext import sepolgen.defaults as defaults import sepolgen.interfaces as interfaces ++from sepolgen import util import sys +import subprocess gettext.bindtextdomain(PROGNAME, "/usr/share/locale") @@ -659102,7 +659149,7 @@ index 679725d..78a5c9e 100644 TYPE = _policy.TYPE ROLE = _policy.ROLE -@@ -28,6 +32,8 @@ PORT = _policy.PORT +@@ -28,6 +33,8 @@ PORT = _policy.PORT USER = _policy.USER BOOLEAN = _policy.BOOLEAN TCLASS = _policy.CLASS @@ -659111,7 +659158,7 @@ index 679725d..78a5c9e 100644 ALLOW = 'allow' AUDITALLOW = 'auditallow' -@@ -44,8 +50,12 @@ def info(setype, name=None): +@@ -44,8 +51,12 @@ def info(setype, name=None): dict_list = _policy.info(setype, name) return dict_list @@ -659126,7 +659173,7 @@ index 679725d..78a5c9e 100644 valid_types = [ALLOW, AUDITALLOW, NEVERALLOW, DONTAUDIT, TRANSITION, ROLE_ALLOW] for setype in types: if setype not in valid_types: -@@ -59,7 +69,7 @@ def search(types, info = {}): +@@ -59,7 +70,7 @@ def search(types, info = {}): dict_list = _policy.search(seinfo) if dict_list and len(perms) != 0: @@ -659135,7 +659182,7 @@ index 679725d..78a5c9e 100644 return dict_list def get_conditionals(src,dest,tclass,perm): -@@ -75,7 +85,7 @@ def get_conditionals(src,dest,tclass,perm): +@@ -75,7 +86,7 @@ def get_conditionals(src,dest,tclass,perm): allows=[] allows.append(i) try: 
@@ -659144,7 +659191,7 @@ index 679725d..78a5c9e 100644 tdict.update({'source':i['source'],'boolean':i['boolean']}) if tdict not in tlist: tlist.append(tdict) -@@ -86,12 +96,42 @@ def get_conditionals(src,dest,tclass,perm): +@@ -86,12 +97,42 @@ def get_conditionals(src,dest,tclass,perm): return (tlist) def get_conditionals_format_text(cond): @@ -659189,7 +659236,7 @@ index 679725d..78a5c9e 100644 file_type_str = {} file_type_str["a"] = _("all files") file_type_str["f"] = _("regular file") -@@ -112,6 +152,44 @@ trans_file_type_str["-s"] = "s" +@@ -112,6 +153,44 @@ trans_file_type_str["-s"] = "s" trans_file_type_str["-l"] = "l" trans_file_type_str["-p"] = "p" @@ -659234,7 +659281,7 @@ index 679725d..78a5c9e 100644 def get_file_types(setype): flist=[] mpaths={} -@@ -169,7 +247,7 @@ def find_file(reg): +@@ -169,7 +248,7 @@ def find_file(reg): try: pat = re.compile(r"%s$" % reg) except: @@ -659243,7 +659290,7 @@ index 679725d..78a5c9e 100644 return [] p = reg if p.endswith("(/.*)?"): -@@ -181,19 +259,19 @@ def find_file(reg): +@@ -181,19 +260,19 @@ def find_file(reg): if path[-1] != "/": # is pass in it breaks without try block path += "/" except IndexError: @@ -659266,7 +659313,7 @@ index 679725d..78a5c9e 100644 if exe.endswith("_exec_t") and exe not in exclude_list: for path in executable_files[exe]: for f in find_file(path): -@@ -221,7 +299,7 @@ def read_file_equiv(edict, fc_path, modify): +@@ -221,7 +300,7 @@ def read_file_equiv(edict, fc_path, modify): f = e.split() edict[f[0]] = { "equiv" : f[1], "modify" : modify } return edict 
@@ -659275,7 +659322,7 @@ index 679725d..78a5c9e 100644 file_equiv_modified=None def get_file_equiv_modified(fc_path = selinux.selinux_file_context_path()): global file_equiv_modified -@@ -239,7 +317,7 @@ def get_file_equiv(fc_path = selinux.selinux_file_context_path()): +@@ -239,7 +318,7 @@ def get_file_equiv(fc_path = selinux.selinux_file_context_path()): file_equiv = get_file_equiv_modified(fc_path) file_equiv = read_file_equiv(file_equiv, fc_path + ".subs_dist", modify = False) return file_equiv @@ -659284,7 +659331,7 @@ index 679725d..78a5c9e 100644 local_files=None def get_local_file_paths(fc_path = selinux.selinux_file_context_path()): global local_files -@@ -309,7 +387,7 @@ def get_fcdict(fc_path = selinux.selinux_file_context_path()): +@@ -309,7 +388,7 @@ def get_fcdict(fc_path = selinux.selinux_file_context_path()): def get_transitions_into(setype): try: @@ -659293,7 +659340,7 @@ index 679725d..78a5c9e 100644 except TypeError: pass return None -@@ -323,7 +401,7 @@ def get_transitions(setype): +@@ -323,7 +402,7 @@ def get_transitions(setype): def get_file_transitions(setype): try: @@ -659302,7 +659349,7 @@ index 679725d..78a5c9e 100644 except TypeError: pass return None -@@ -347,7 +425,7 @@ def get_all_entrypoints(): +@@ -347,7 +426,7 @@ def get_all_entrypoints(): def get_entrypoint_types(setype): entrypoints = [] try: @@ -659311,7 +659358,7 @@ index 679725d..78a5c9e 100644 except TypeError: pass return entrypoints -@@ -355,7 +433,7 @@ def get_entrypoint_types(setype): +@@ -355,7 +434,7 @@ def get_entrypoint_types(setype): def get_init_transtype(path): entrypoint = selinux.getfilecon(path)[1].split(":")[2] try: @@ -659320,7 +659367,7 @@ index 679725d..78a5c9e 100644 if len(entrypoints) == 0: return None return entrypoints[0]["transtype"] -@@ -365,7 +443,7 @@ def get_init_transtype(path): +@@ -365,7 +444,7 @@ def get_init_transtype(path): def get_init_entrypoint(transtype): try: 
@@ -659329,7 +659376,7 @@ index 679725d..78a5c9e 100644 if len(entrypoints) == 0: return None return entrypoints[0]["target"] -@@ -375,7 +453,7 @@ def get_init_entrypoint(transtype): +@@ -375,7 +454,7 @@ def get_init_entrypoint(transtype): def get_init_entrypoint_target(entrypoint): try: @@ -659338,7 +659385,7 @@ index 679725d..78a5c9e 100644 return entrypoints[0] except TypeError: pass -@@ -413,7 +491,7 @@ def get_methods(): +@@ -413,7 +492,7 @@ def get_methods(): # List of per_role_template interfaces ifs = interfaces.InterfaceSet() ifs.from_file(fd) @@ -659347,7 +659394,7 @@ index 679725d..78a5c9e 100644 fd.close() except: sys.stderr.write("could not open interface info [%s]\n" % fn) -@@ -426,7 +504,7 @@ all_types = None +@@ -426,7 +505,7 @@ all_types = None def get_all_types(): global all_types if all_types == None: @@ -659356,7 +659403,7 @@ index 679725d..78a5c9e 100644 return all_types user_types = None -@@ -468,7 +546,6 @@ portrecs = None +@@ -468,7 +547,6 @@ portrecs = None portrecsbynum = None def gen_interfaces(): @@ -659364,7 +659411,7 @@ index 679725d..78a5c9e 100644 ifile = defaults.interface_info() headers = defaults.headers() rebuild = False -@@ -480,7 +557,9 @@ def gen_interfaces(): +@@ -480,7 +558,9 @@ def gen_interfaces(): if os.getuid() != 0: raise ValueError(_("You must regenerate interface info by running /usr/bin/sepolgen-ifgen")) @@ -659375,12 +659422,12 @@ index 679725d..78a5c9e 100644 def gen_port_dict(): global portrecs -@@ -514,12 +593,26 @@ def get_all_domains(): +@@ -514,12 +594,26 @@ def get_all_domains(): all_domains = info(ATTRIBUTE,"domain")[0]["types"] return all_domains +def mls_cmp(x,y): -+ return cmp(int(x[1:]), int(y[1:])) ++ return (int(x[1:]) > int(y[1:])) - (int(x[1:]) < int(y[1:])) + +mls_range = None +def get_mls_range(): 
@@ -659389,7 +659436,7 @@ index 679725d..78a5c9e 100644 + return mls_rangeroles + range_dict = info(SENS) + keys = range_dict.keys() -+ keys.sort(cmp=mls_cmp) ++ keys.sort(key=util.cmp_to_key(mls_cmp)) + mls_range = "%s-%s" % (keys[0], range_dict[keys[-1]]) + return mls_range + @@ -659403,7 +659450,7 @@ index 679725d..78a5c9e 100644 roles.remove("object_r") roles.sort() return roles -@@ -552,7 +645,7 @@ def get_login_mappings(): +@@ -552,7 +646,7 @@ def get_login_mappings(): return login_mappings def get_all_users(): @@ -659412,7 +659459,7 @@ index 679725d..78a5c9e 100644 users.sort() return users -@@ -700,7 +793,7 @@ all_attributes = None +@@ -700,7 +794,7 @@ all_attributes = None def get_all_attributes(): global all_attributes if not all_attributes: @@ -659421,7 +659468,7 @@ index 679725d..78a5c9e 100644 return all_attributes def policy(policy_file): -@@ -730,7 +823,7 @@ def policy(policy_file): +@@ -730,7 +824,7 @@ def policy(policy_file): try: policy_file = get_installed_policy() policy(policy_file) @@ -659430,7 +659477,7 @@ index 679725d..78a5c9e 100644 if selinux.is_selinux_enabled() == 1: raise e -@@ -758,7 +851,7 @@ def get_bools(setype): +@@ -758,7 +852,7 @@ def get_bools(setype): bools = [] domainbools = [] domainname, short_name = gen_short_name(setype) @@ -659439,7 +659486,16 @@ index 679725d..78a5c9e 100644 for b in i: if not isinstance(b,tuple): continue -@@ -821,7 +914,7 @@ def gen_bool_dict(path="/usr/share/selinux/devel/policy.xml"): +@@ -779,6 +873,8 @@ def get_all_booleans(): + global booleans + if not booleans: + booleans = selinux.security_get_boolean_names()[1] ++ if util.PY3: ++ booleans = [util.decode_input(x) for x in booleans] + return booleans + + booleans_dict = None +@@ -821,7 +917,7 @@ def gen_bool_dict(path="/usr/share/selinux/devel/policy.xml"): desc = i.find("desc").find("p").text.strip("\n") desc = re.sub("\n", " ", desc) booleans_dict[i.get('name')] = ("global", i.get('dftval'), desc) 
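Review bot: `keys.sort(key=util.cmp_to_key(mls_cmp))` still fails under Python 3 if `info(SENS)` returns a dict, because `range_dict.keys()` on the line above is then a view object with no `sort()` method. The view also does not support indexing, so `keys[0]` and `keys[-1]` on the next line would fail as well. Building the list directly avoids both problems and the comparator shim: `keys = sorted(range_dict, key=lambda k: int(k[1:]))`. The return type of `info()` is not visible here, so confirm it is a dict; `get_mls_range` begins in the previous hunk.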
@@ -659448,7 +659504,7 @@ index 679725d..78a5c9e 100644 pass return booleans_dict -@@ -841,24 +934,14 @@ def boolean_desc(boolean): +@@ -841,24 +937,14 @@ def boolean_desc(boolean): return "Allow %s to %s" % (desc[0], " ".join(desc[1:])) def get_os_version(): @@ -659479,7 +659535,7 @@ index 679725d..78a5c9e 100644 def reinit(): global all_attributes -@@ -871,7 +954,7 @@ def reinit(): +@@ -871,7 +957,7 @@ def reinit(): global file_types global local_files global methods @@ -659526,7 +659582,7 @@ index 9b9a09a..b99b6d4 100755 return tlist diff --git a/policycoreutils-2.4/sepolicy/sepolicy/generate.py b/policycoreutils-2.4/sepolicy/sepolicy/generate.py -index 6b53035..340a10a 100644 +index 6b53035..a06c6c4 100644 --- a/policycoreutils-2.4/sepolicy/sepolicy/generate.py +++ b/policycoreutils-2.4/sepolicy/sepolicy/generate.py @@ -1,4 +1,4 @@ @@ -659535,7 +659591,7 @@ index 6b53035..340a10a 100644 # # Copyright (C) 2007-2012 Red Hat # see file 'COPYING' for use and warranty information -@@ -27,21 +27,21 @@ import sepolicy +@@ -27,23 +27,24 @@ import sepolicy from sepolicy import get_all_types, get_all_attributes, get_all_roles import time @@ -659571,8 +659627,11 @@ index 6b53035..340a10a 100644 +from .templates import user import sepolgen.interfaces as interfaces import sepolgen.defaults as defaults ++from sepolgen import util -@@ -55,12 +55,15 @@ gettext.bindtextdomain(PROGNAME, "/usr/share/locale") + ## + ## I18N +@@ -55,18 +56,26 @@ gettext.bindtextdomain(PROGNAME, "/usr/share/locale") gettext.textdomain(PROGNAME) try: gettext.install(PROGNAME, 
@@ -659592,7 +659651,18 @@ index 6b53035..340a10a 100644 def get_rpm_nvr_from_header(hdr): 'Given an RPM header return the package NVR as a string' -@@ -82,7 +85,7 @@ def get_rpm_nvr_list(package): + name = hdr['name'] + version = hdr['version'] + release = hdr['release'] ++ if util.PY3: ++ name = util.decode_input(name) ++ version = util.decode_input(version) ++ release = util.decode_input(release) ++ + release_version = version+"-"+release.split(".")[0] + os_version = release.split(".")[1] + +@@ -82,7 +91,7 @@ def get_rpm_nvr_list(package): nvr = get_rpm_nvr_from_header(h) break except: @@ -659601,7 +659671,7 @@ index 6b53035..340a10a 100644 nvr = None return nvr -@@ -98,7 +101,7 @@ def get_all_ports(): +@@ -98,7 +107,7 @@ def get_all_ports(): return dict def get_all_users(): @@ -659610,7 +659680,7 @@ index 6b53035..340a10a 100644 users.remove("system_u") users.remove("root") users.sort() -@@ -141,13 +144,13 @@ poltype[RUSER] = _("Confined Root Administrator Role") +@@ -141,13 +150,13 @@ poltype[RUSER] = _("Confined Root Administrator Role") poltype[NEWTYPE] = _("Module information for a new type") def get_poltype_desc(): @@ -659626,7 +659696,7 @@ index 6b53035..340a10a 100644 APPLICATIONS = [ DAEMON, DBUS, INETD, USER, CGI ] USERS = [ XUSER, TUSER, LUSER, AUSER, RUSER] -@@ -181,7 +184,7 @@ def verify_ports(ports): +@@ -181,7 +190,7 @@ def verify_ports(ports): class policy: @@ -659635,7 +659705,7 @@ index 6b53035..340a10a 100644 self.rpms = [] self.ports = [] self.all_roles = get_all_roles() -@@ -190,14 +193,14 @@ class policy: +@@ -190,14 +199,14 @@ class policy: if type not in poltype: raise ValueError(_("You must enter a valid policy type")) @@ -659655,7 +659725,7 @@ index 6b53035..340a10a 100644 self.symbols = {} self.symbols["openlog"] = "set_use_kerberos(True)" -@@ -289,32 +292,32 @@ class policy: +@@ -289,32 +298,32 @@ class policy: self.symbols["audit_control"] = "add_capability('audit_control')" self.symbols["setfcap"] = "add_capability('setfcap')" 
@@ -659711,7 +659781,7 @@ index 6b53035..340a10a 100644 ( self.generate_daemon_types, self.generate_daemon_rules), \ ( self.generate_dbusd_types, self.generate_dbusd_rules), \ ( self.generate_inetd_types, self.generate_inetd_rules), \ -@@ -331,47 +334,47 @@ class policy: +@@ -331,47 +340,47 @@ class policy: if not re.match(r"^[a-zA-Z0-9-_]+$", name): raise ValueError(_("Name must be alpha numberic with no spaces. Consider using option \"-n MODULENAME\"")) @@ -659790,7 +659860,7 @@ index 6b53035..340a10a 100644 self.roles = [] def __isnetset(self, l): -@@ -414,162 +417,162 @@ class policy: +@@ -414,162 +423,162 @@ class policy: return self.use_tcp() or self.use_udp() def find_port(self, port, protocol="tcp"): @@ -660015,7 +660085,7 @@ index 6b53035..340a10a 100644 newte ="" if self.use_mail: newte = re.sub("TEMPLATETYPE", self.name, executable.te_mail_rules) -@@ -589,7 +592,7 @@ allow %s_t %s_t:%s_socket name_%s; +@@ -589,7 +598,7 @@ allow %s_t %s_t:%s_socket name_%s; """ % (port_name, self.name, port_name, protocol, action) return line @@ -660024,7 +660094,7 @@ index 6b53035..340a10a 100644 for i in self.in_tcp[PORTS]: rec = self.find_port(int(i), "tcp") if rec == None: -@@ -627,7 +630,7 @@ allow %s_t %s_t:%s_socket name_%s; +@@ -627,7 +636,7 @@ allow %s_t %s_t:%s_socket name_%s; return re.sub("TEMPLATETYPE", self.name, network.te_types) return "" @@ -660033,7 +660103,7 @@ index 6b53035..340a10a 100644 for d in self.DEFAULT_DIRS: if file.find(d) == 0: self.DEFAULT_DIRS[d][1].append(file) -@@ -635,34 +638,34 @@ allow %s_t %s_t:%s_socket name_%s; +@@ -635,34 +644,34 @@ allow %s_t %s_t:%s_socket name_%s; self.DEFAULT_DIRS["rw"][1].append(file) return self.DEFAULT_DIRS["rw"] @@ -660078,7 +660148,7 @@ index 6b53035..340a10a 100644 newte = "" self.processes.sort() if len(self.processes) > 0: -@@ -670,9 +673,9 @@ allow %s_t %s_t:%s_socket name_%s; +@@ -670,9 +679,9 @@ allow %s_t %s_t:%s_socket name_%s; return newte 
@@ -660091,7 +660161,7 @@ index 6b53035..340a10a 100644 newte = "\n" newte += re.sub("TEMPLATETYPE", self.name, network.te_network) -@@ -725,7 +728,7 @@ allow %s_t %s_t:%s_socket name_%s; +@@ -725,7 +734,7 @@ allow %s_t %s_t:%s_socket name_%s; for i in self.found_udp_ports: newte += i @@ -660100,7 +660170,7 @@ index 6b53035..340a10a 100644 def generate_transition_rules(self): newte = "" -@@ -750,11 +753,11 @@ allow %s_t %s_t:%s_socket name_%s; +@@ -750,11 +759,11 @@ allow %s_t %s_t:%s_socket name_%s; tmp = re.sub("TEMPLATETYPE", name, user.te_admin_domain_rules) if role not in self.all_roles: tmp = re.sub(role, "system_r", tmp) @@ -660115,7 +660185,7 @@ index 6b53035..340a10a 100644 if self.type == RUSER: newte += re.sub("TEMPLATETYPE", self.name, user.te_admin_rules) -@@ -772,7 +775,7 @@ allow %s_t %s_t:%s_socket name_%s; +@@ -772,7 +781,7 @@ allow %s_t %s_t:%s_socket name_%s; return newte @@ -660124,7 +660194,7 @@ index 6b53035..340a10a 100644 newif = "" if self.use_dbus: newif = re.sub("TEMPLATETYPE", self.name, executable.if_dbus_rules) -@@ -808,31 +811,31 @@ allow %s_t %s_t:%s_socket name_%s; +@@ -808,31 +817,31 @@ allow %s_t %s_t:%s_socket name_%s; return "" @@ -660173,7 +660243,7 @@ index 6b53035..340a10a 100644 if len(self.existing_domains) == 0: raise ValueError(_("'%s' policy modules require existing domains") % poltype[self.type]) newte = re.sub("TEMPLATETYPE", self.name, user.te_existing_user_types) -@@ -844,27 +847,27 @@ allow %s_t %s_t:%s_socket name_%s; +@@ -844,27 +853,27 @@ allow %s_t %s_t:%s_socket name_%s; role = d.split("_t")[0] + "_r" if role in self.all_roles: newte += """ @@ -660210,7 +660280,7 @@ index 6b53035..340a10a 100644 newte += re.sub("TEMPLATETYPE", t[:-len(i)], self.DEFAULT_EXT[i].te_types) break -@@ -876,46 +879,46 @@ allow %s_t %s_t:%s_socket name_%s; +@@ -876,46 +885,46 @@ allow %s_t %s_t:%s_socket name_%s; return newte 
@@ -660270,7 +660340,7 @@ index 6b53035..340a10a 100644 newif = "" for t in self.types: for i in self.DEFAULT_EXT: -@@ -925,46 +928,46 @@ allow %s_t %s_t:%s_socket name_%s; +@@ -925,46 +934,46 @@ allow %s_t %s_t:%s_socket name_%s; break return newif @@ -660342,7 +660412,7 @@ index 6b53035..340a10a 100644 newif ="" if self.use_terminal or self.type == USER: newif = re.sub("TEMPLATETYPE", self.name, executable.if_user_program_rules) -@@ -973,7 +976,7 @@ allow %s_t %s_t:%s_socket name_%s; +@@ -973,7 +982,7 @@ allow %s_t %s_t:%s_socket name_%s; newif += re.sub("TEMPLATETYPE", self.name, executable.if_role_change_rules) return newif @@ -660351,7 +660421,7 @@ index 6b53035..340a10a 100644 newif = "" newif += re.sub("TEMPLATETYPE", self.name, executable.if_heading_rules) if self.program: -@@ -982,8 +985,8 @@ allow %s_t %s_t:%s_socket name_%s; +@@ -982,8 +991,8 @@ allow %s_t %s_t:%s_socket name_%s; newif += re.sub("TEMPLATETYPE", self.name, executable.if_initscript_rules) for d in self.DEFAULT_KEYS: @@ -660362,7 +660432,7 @@ index 6b53035..340a10a 100644 for i in self.DEFAULT_DIRS[d][1]: if os.path.exists(i) and stat.S_ISSOCK(os.stat(i)[stat.ST_MODE]): newif += re.sub("TEMPLATETYPE", self.name, self.DEFAULT_DIRS[d][2].if_stream_rules) -@@ -995,17 +998,17 @@ allow %s_t %s_t:%s_socket name_%s; +@@ -995,17 +1004,17 @@ allow %s_t %s_t:%s_socket name_%s; newif += self.generate_new_type_if() newif += self.generate_new_rules() @@ -660385,7 +660455,7 @@ index 6b53035..340a10a 100644 newte = "" if self.type in ( TUSER, XUSER, AUSER, LUSER ): roles = "" -@@ -1017,12 +1020,12 @@ allow %s_t %s_t:%s_socket name_%s; +@@ -1017,12 +1026,12 @@ allow %s_t %s_t:%s_socket name_%s; newte += re.sub("ROLE", role, tmp) return newte 
@@ -660403,7 +660473,7 @@ index 6b53035..340a10a 100644 newte += re.sub("TEMPLATETYPE", self.name, self.DEFAULT_DIRS[d][2].te_types) if self.type != EUSER: -@@ -1034,14 +1037,14 @@ allow %s_t %s_t:%s_socket name_%s; +@@ -1034,14 +1043,14 @@ allow %s_t %s_t:%s_socket name_%s; """ % self.name newte += self.generate_capabilities() newte += self.generate_process() @@ -660424,7 +660494,7 @@ index 6b53035..340a10a 100644 if self.type == EUSER: newte_tmp = "" for domain in self.existing_domains: -@@ -1059,40 +1062,40 @@ allow %s_t %s_t:%s_socket name_%s; +@@ -1059,40 +1068,40 @@ allow %s_t %s_t:%s_socket name_%s; newte += re.sub("TEMPLATETYPE", self.name, self.DEFAULT_DIRS[d][2].te_stream_rules) break @@ -660492,7 +660562,7 @@ index 6b53035..340a10a 100644 fclist.append(re.sub("FILETYPE", self.dirs[i][0], t2)) if self.type in USERS + [ SANDBOX ]: -@@ -1112,9 +1115,9 @@ allow %s_t %s_t:%s_socket name_%s; +@@ -1112,9 +1121,9 @@ allow %s_t %s_t:%s_socket name_%s; fclist.sort() newfc="\n".join(fclist) @@ -660504,7 +660574,7 @@ index 6b53035..340a10a 100644 newsh = "" if self.type not in ( TUSER, XUSER, AUSER, LUSER, RUSER): return newsh -@@ -1140,7 +1143,7 @@ allow %s_t %s_t:%s_socket name_%s; +@@ -1140,7 +1149,7 @@ allow %s_t %s_t:%s_socket name_%s; return newsh @@ -660513,7 +660583,7 @@ index 6b53035..340a10a 100644 temp = re.sub("TEMPLATETYPE", self.file_name, script.compile) temp = re.sub("DOMAINTYPE", self.name, temp) if self.type == EUSER: -@@ -1154,11 +1157,11 @@ allow %s_t %s_t:%s_socket name_%s; +@@ -1154,11 +1163,11 @@ allow %s_t %s_t:%s_socket name_%s; if self.initscript != "": newsh += re.sub("FILENAME", self.initscript, script.restorecon) @@ -660529,7 +660599,7 @@ index 6b53035..340a10a 100644 for i in self.in_tcp[PORTS] + self.out_tcp[PORTS]: if self.find_port(i,"tcp") == None: -@@ -1167,97 +1170,99 @@ allow %s_t %s_t:%s_socket name_%s; +@@ -1167,97 +1176,99 @@ allow %s_t %s_t:%s_socket name_%s; for i in self.in_udp[PORTS]: if self.find_port(i,"udp") == None: 
@@ -660712,7 +660782,7 @@ index 6b53035..340a10a 100644 for b in self.DEFAULT_DIRS: if b == "/etc": continue -@@ -1267,8 +1272,9 @@ allow %s_t %s_t:%s_socket name_%s; +@@ -1267,8 +1278,9 @@ allow %s_t %s_t:%s_socket name_%s; else: self.add_dir(fname) @@ -660724,7 +660794,7 @@ index 6b53035..340a10a 100644 for b in self.DEFAULT_DIRS: if b == "/etc": continue -@@ -1281,8 +1287,8 @@ allow %s_t %s_t:%s_socket name_%s; +@@ -1281,8 +1293,8 @@ allow %s_t %s_t:%s_socket name_%s; # some packages have own systemd subpackage # tor-systemd for example binary_name = self.program.split("/")[-1] @@ -660735,7 +660805,7 @@ index 6b53035..340a10a 100644 for b in self.DEFAULT_DIRS: if b == "/etc": continue -@@ -1316,10 +1322,10 @@ allow %s_t %s_t:%s_socket name_%s; +@@ -1316,10 +1328,10 @@ allow %s_t %s_t:%s_socket name_%s; if os.path.isfile("/etc/rc.d/init.d/%s" % self.name): self.set_init_script("/etc/rc\.d/init\.d/%s" % self.name) @@ -660748,7 +660818,7 @@ index 6b53035..340a10a 100644 temp_dirs = [] try: temp_basepath = self.DEFAULT_DIRS[p][1][0] + "/" -@@ -1334,9 +1340,9 @@ allow %s_t %s_t:%s_socket name_%s; +@@ -1334,9 +1346,9 @@ allow %s_t %s_t:%s_socket name_%s; if len(temp_dirs) is not 0: for i in temp_dirs: @@ -660760,7 +660830,7 @@ index 6b53035..340a10a 100644 del(self.files[i]) else: continue -@@ -1358,10 +1364,10 @@ Warning %s does not exist +@@ -1358,10 +1370,10 @@ Warning %s does not exist for s in fd.read().split(): for b in self.symbols: if s.startswith(b): @@ -661563,7 +661633,7 @@ index bbabb3b..29370ee 100644 os.remove(v) diff --git a/policycoreutils-2.4/sepolicy/sepolicy/manpage.py b/policycoreutils-2.4/sepolicy/sepolicy/manpage.py -index ba15b2c..b12f379 100755 +index ba15b2c..4da25b9 100755 --- a/policycoreutils-2.4/sepolicy/sepolicy/manpage.py +++ b/policycoreutils-2.4/sepolicy/sepolicy/manpage.py @@ -1,4 +1,4 @@ 
@@ -661802,7 +661872,7 @@ index ba15b2c..b12f379 100755 + except subprocess.CalledProcessError as e: + sys.stderr.write(e.output) + return -+ fd = open(html_manpage,'w') ++ fd = open(html_manpage,'wb') + fd.write(man_page) + fd.close() + print(html_manpage) diff --git a/policycoreutils.spec b/policycoreutils.spec index c87334c..0cbe3b1 100644 --- a/policycoreutils.spec +++ b/policycoreutils.spec @@ -7,7 +7,7 @@ Summary: SELinux policy core utilities Name: policycoreutils Version: 2.4 -Release: 8%{?dist} +Release: 9%{?dist} License: GPLv2 Group: System Environment/Base # https://github.com/SELinuxProject/selinux/wiki/Releases @@ -18,7 +18,7 @@ Source2: policycoreutils_man_ru2.tar.bz2 Source3: system-config-selinux.png Source4: sepolicy-icons.tgz # use make-rhat-patches.sh to create following patches from https://github.com/fedora-selinux/selinux/ -# HEAD https://github.com/fedora-selinux/selinux/commit/38d05b08329cb56bba1e64a37b9b166f2fa9f85c +# HEAD https://github.com/fedora-selinux/selinux/commit/997cfe77c75093964f3952754f767f2d375f5cb5 Patch: policycoreutils-rhat.patch Patch1: sepolgen-rhat.patch Obsoletes: policycoreutils < 2.0.61-2 @@ -399,6 +399,9 @@ The policycoreutils-restorecond package contains the restorecond service. %systemd_postun_with_restart restorecond.service %changelog +* Thu Aug 13 2015 Petr Lautrbach 2.4-9 +- Fix another python3 issues mainly in sepolicy (#1247039,#1247575,#1251713) + * Thu Aug 06 2015 Petr Lautrbach 2.4-8 - Fix multiple python3 issues in sepolgen (#1249388,#1247575,#1247564) diff --git a/sepolgen-rhat.patch b/sepolgen-rhat.patch index 490c231..ebeee2e 100644 --- a/sepolgen-rhat.patch +++ b/sepolgen-rhat.patch @@ -122,7 +122,7 @@ index cf13210..60ff4e9 100644 else: role_type = refpolicy.RoleType() diff --git a/sepolgen-1.2.2/src/sepolgen/audit.py b/sepolgen-1.2.2/src/sepolgen/audit.py -index 56919be..1c94daa 100644 +index 56919be..dad0724 100644 --- a/sepolgen-1.2.2/src/sepolgen/audit.py 
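Review bot: The write to `html_manpage` in the manpage.py hunk still uses a bare open/write/close, so the descriptor stays open if `fd.write(man_page)` raises; `with open(html_manpage, 'wb') as fd: fd.write(man_page)` closes it on every path. Switching the mode to `'wb'` implies `man_page` is bytes under Python 3, so `e.output` in the `except` branch just above is presumably bytes too, and `sys.stderr.write(e.output)` would then raise TypeError instead of reporting the failure. The call that produces the output is outside the hunk, so confirm this; if it holds, decode before writing, e.g. `sys.stderr.write(e.output.decode(errors='replace'))`. The enclosing function starts outside the hunk.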
+++ b/sepolgen-1.2.2/src/sepolgen/audit.py @@ -17,11 +17,12 @@ @@ -206,7 +206,7 @@ index 56919be..1c94daa 100644 self.by_header[msg.header].append(msg) else: self.by_header[msg.header] = [msg] -@@ -492,6 +506,68 @@ class AuditParser: +@@ -492,6 +506,61 @@ class AuditParser: return role_types @@ -231,9 +231,6 @@ index 56919be..1c94daa 100644 + stderr=subprocess.STDOUT, + shell=True, + universal_newlines=True) -+ if util.PY3: -+ output = util.decode_input(output) -+ + try: + ino = int(inode) + except ValueError: @@ -250,14 +247,11 @@ index 56919be..1c94daa 100644 + return path + + def __store_base_types(self): -+ # FIXME: this is a temporary workaround until sepolicy is ported to python 3 -+ # import sepolicy -+ # self.base_types = sepolicy.get_types_from_attribute("base_file_type") -+ self.base_types = [] ++ import sepolicy ++ self.base_types = sepolicy.get_types_from_attribute("base_file_type") + + def __get_base_type(self, tcontext, scontext): -+ # FIXME: uncomment the following code when sepolicy is ported to python 3 -+ # import sepolicy ++ import sepolicy + # Prevent unnecessary searching + if (self.old_scontext == scontext and + self.old_tcontext == tcontext): 
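Review bot: The `subprocess.check_output(...)` call kept on the new side of the audit.py hunk that drops `util.decode_input` still passes `shell=True`. The command string is assembled outside this hunk; if it interpolates a value parsed from an audit record, that value is interpreted by a shell in a tool that is normally run with elevated privileges, so the caller should be checked. Passing the command as an argument list with `shell=False` takes the shell out of the path, and `universal_newlines=True` keeps working unchanged. The enclosing method starts outside the hunk.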
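Review bot: `__store_base_types` and `__get_base_type` now run `import sepolicy` unconditionally, so an interpreter that lacks the module fails with ImportError where the previous stub fell back to an empty `base_types` list. The removed FIXME lines say the stub existed because sepolicy was not yet ported to Python 3; whether every supported install now ships it for the running interpreter is not visible here. Either declare the dependency in packaging or keep the fallback, e.g. `try: import sepolicy` with `except ImportError: self.base_types = []; return` in `__store_base_types`, and have `__get_base_type` return early when `self.base_types` is empty.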
@@ -266,16 +260,15 @@ index 56919be..1c94daa 100644 + self.old_tcontext = tcontext + for btype in self.base_types: + if btype == tcontext: -+ # FIXME: uncomment the following code when sepolicy is ported to python 3 -+ # for writable in sepolicy.get_writable_files(scontext): -+ # if writable.endswith(tcontext) and writable.startswith(scontext.rstrip("_t")): -+ # return writable ++ for writable in sepolicy.get_writable_files(scontext): ++ if writable.endswith(tcontext) and writable.startswith(scontext.rstrip("_t")): ++ return writable + return 0 + def to_access(self, avc_filter=None, only_denials=True): """Convert the audit logs access into a an access vector set. -@@ -510,16 +586,23 @@ class AuditParser: +@@ -510,16 +579,23 @@ class AuditParser: audit logs parsed by this object. """ av_set = access.AccessVectorSet()
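Review bot: `scontext.rstrip("_t")` in the re-enabled loop of `__get_base_type` strips any trailing run of the characters `_` and `t`, not the `_t` suffix. A source type such as `init_t` becomes `ini`, and the `startswith` test can then match writable types belonging to unrelated domains, which would surface as a wrong type suggestion in the generated policy. Remove the suffix explicitly, e.g. `prefix = scontext[:-2] if scontext.endswith("_t") else scontext`, and test `writable.startswith(prefix)`. The method also returns a type name on a match and `0` otherwise; `None` would be a clearer no-match value if callers only test truthiness, which is not visible in this hunk.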