rpms/policycoreutils
5
0
Fork 0
Code Issues Pull Requests Releases Activity

policycoreutils-2.4-9

Browse Source 
- Fix another python3 issues mainly in sepolicy (#1247039,#1247575,#1251713)
- The functionality of audit2allow which was disabled in the previous
  commit should be available again
This commit is contained in:
Petr Lautrbach 2015-08-13 17:36:39 +02:00
parent d0392a9475
commit 8e5935ed03
3 changed files with 185 additions and 119 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

270
policycoreutils-rhat.patch
View File

@ -658532,7 +658532,7 @@ index 2a9e1c7..365e622 100644
+#endif
}
diff --git a/policycoreutils-2.4/sepolicy/search.c b/policycoreutils-2.4/sepolicy/search.c
index d9a5aec..513eba8 100644
index d9a5aec..94124c0 100644
--- a/policycoreutils-2.4/sepolicy/search.c
+++ b/policycoreutils-2.4/sepolicy/search.c
@@ -189,7 +189,7 @@ static PyObject* get_ra_results(const apol_policy_t * policy, const apol_vector_
@ -658571,7 +658571,7 @@ index d9a5aec..513eba8 100644
if (py_tuple_insert_obj(tuple, 0, obj))
goto err;
obj = PyBool_FromLong(enabled);
@@ -994,14 +994,14 @@ PyObject* search(bool allow,
@@ -994,14 +994,25 @@ PyObject* search(bool allow,
static int Dict_ContainsInt(PyObject *dict, const char *key){
PyObject *item = PyDict_GetItemString(dict, key);
if (item)
@ -658582,9 +658582,21 @@ index d9a5aec..513eba8 100644
static const char *Dict_ContainsString(PyObject *dict, const char *key){
PyObject *item = PyDict_GetItemString(dict, key);
if (item)
- if (item)
- return PyString_AsString(item);
+ if (item) {
+ if (PyUnicode_Check(item)) {
+ char *str = NULL;
+ PyObject *item_utf8 = PyUnicode_AsUTF8String(item);
+ if (item_utf8) {
+ str = strdup(PyBytes_AsString(item_utf8));
+ }
+ Py_XDECREF(item_utf8);
+ return str;
+ } else {
+ return PyBytes_AsString(item);
+ }
+ }
return NULL;
}
@ -658611,15 +658623,21 @@ index 458a4d2..b6088af 100644
+ except dbus.DBusException as e:
+ print(e)
diff --git a/policycoreutils-2.4/sepolicy/selinux_server.py b/policycoreutils-2.4/sepolicy/selinux_server.py
index e94c38f..0a91638 100644
index e94c38f..671be1a 100644
--- a/policycoreutils-2.4/sepolicy/selinux_server.py
+++ b/policycoreutils-2.4/sepolicy/selinux_server.py
@@ -1,4 +1,4 @@
@@ -1,9 +1,9 @@
-#!/usr/bin/python
+#!/usr/bin/python3
import dbus
import dbus.service
import dbus.mainloop.glib
-import gobject
+from gi.repository import GObject, GLib
import slip.dbus.service
from slip.dbus import polkit
import os
@@ -18,7 +18,7 @@ class selinux_server(slip.dbus.service.Object):
#
# The semanage method runs a transaction on a series of semanage commands,
@ -658687,15 +658705,18 @@ index e94c38f..0a91638 100644
#
# The change_default_policy method modifies the policy type
@@ -125,7 +125,7 @@ class selinux_server(slip.dbus.service.Object):
@@ -125,9 +125,9 @@ class selinux_server(slip.dbus.service.Object):
if os.path.isdir(path):
return self.write_selinux_config(policy=value)
raise ValueError("%s does not exist" % path)
-
+
if __name__ == "__main__":
mainloop = gobject.MainLoop()
- mainloop = gobject.MainLoop()
+ mainloop = GLib.MainLoop()
dbus.mainloop.glib.DBusGMainLoop(set_as_default=True)
system_bus = dbus.SystemBus()
name = dbus.service.BusName("org.selinux", system_bus)
diff --git a/policycoreutils-2.4/sepolicy/sepolicy-bash-completion.sh b/policycoreutils-2.4/sepolicy/sepolicy-bash-completion.sh
index 779fd75..29ccbdf 100644
--- a/policycoreutils-2.4/sepolicy/sepolicy-bash-completion.sh
@ -658779,7 +658800,7 @@ index 2e67456..0c5f998 100644
.B sepolicy generate \-\-cgi [\-n NAME] command [\-w WRITE_PATH ]
.br
diff --git a/policycoreutils-2.4/sepolicy/sepolicy.py b/policycoreutils-2.4/sepolicy/sepolicy.py
index 74fb347..6c7639f 100755
index 74fb347..50c10d0 100755
--- a/policycoreutils-2.4/sepolicy/sepolicy.py
+++ b/policycoreutils-2.4/sepolicy/sepolicy.py
@@ -1,4 +1,4 @@
@ -658788,7 +658809,15 @@ index 74fb347..6c7639f 100755
# Copyright (C) 2012 Red Hat
# AUTHOR: Dan Walsh <dwalsh@redhat.com>
# see file 'COPYING' for use and warranty information
@@ -32,12 +32,15 @@ gettext.bindtextdomain(PROGNAME, "/usr/share/locale")
@@ -25,6 +25,7 @@ import os, sys
import selinux
import sepolicy
from sepolicy import get_os_version, get_conditionals, get_conditionals_format_text
+from sepolgen import util
import argparse
import gettext
PROGNAME="policycoreutils"
@@ -32,12 +33,15 @@ gettext.bindtextdomain(PROGNAME, "/usr/share/locale")
gettext.textdomain(PROGNAME)
try:
gettext.install(PROGNAME,
@ -658808,7 +658837,7 @@ index 74fb347..6c7639f 100755
usage = "sepolicy generate [-h] [-n NAME] [-p PATH] ["
usage_dict = {' --newtype':('-t [TYPES [TYPES ...]]',),' --customize':('-d DOMAIN','-a ADMIN_DOMAIN',"[ -w WRITEPATHS ]",), ' --admin_user':('[-r TRANSITION_ROLE ]',"[ -w WRITEPATHS ]",), ' --application':('COMMAND',"[ -w WRITEPATHS ]",), ' --cgi':('COMMAND',"[ -w WRITEPATHS ]",), ' --confined_admin':('-a ADMIN_DOMAIN',"[ -w WRITEPATHS ]",), ' --dbus':('COMMAND',"[ -w WRITEPATHS ]",), ' --desktop_user':('',"[ -w WRITEPATHS ]",),' --inetd':('COMMAND',"[ -w WRITEPATHS ]",),' --init':('COMMAND',"[ -w WRITEPATHS ]",), ' --sandbox':("[ -w WRITEPATHS ]",), ' --term_user':("[ -w WRITEPATHS ]",), ' --x_user':("[ -w WRITEPATHS ]",)}
@@ -45,7 +48,7 @@ usage_dict = {' --newtype':('-t [TYPES [TYPES ...]]',),' --customize':('-d DOMAI
@@ -45,7 +49,7 @@ usage_dict = {' --newtype':('-t [TYPES [TYPES ...]]',),' --customize':('-d DOMAI
class CheckPath(argparse.Action):
def __call__(self, parser, namespace, values, option_string=None):
if not os.path.exists(values):
@ -658817,7 +658846,7 @@ index 74fb347..6c7639f 100755
setattr(namespace, self.dest, values)
class CheckType(argparse.Action):
@@ -108,7 +111,7 @@ class CheckClass(argparse.Action):
@@ -108,7 +112,7 @@ class CheckClass(argparse.Action):
def __call__(self, parser, namespace, values, option_string=None):
global all_classes
if not all_classes:
@ -658826,7 +658855,7 @@ index 74fb347..6c7639f 100755
if values not in all_classes:
raise ValueError("%s must be an SELinux class:\nValid classes: %s" % (values, ", ".join(all_classes)))
@@ -151,16 +154,14 @@ class CheckPortType(argparse.Action):
@@ -151,16 +155,14 @@ class CheckPortType(argparse.Action):
class LoadPolicy(argparse.Action):
def __call__(self, parser, namespace, values, option_string=None):
@ -658844,7 +658873,7 @@ index 74fb347..6c7639f 100755
setattr(namespace, self.dest, values)
class CheckUser(argparse.Action):
@@ -187,21 +188,21 @@ class CheckRole(argparse.Action):
@@ -187,21 +189,21 @@ class CheckRole(argparse.Action):
class InterfaceInfo(argparse.Action):
def __call__(self, parser, namespace, values, option_string=None):
@ -658871,7 +658900,16 @@ index 74fb347..6c7639f 100755
usage_text = usage_text[:-1] + "]"
usage_text = _(usage_text)
@@ -226,7 +227,7 @@ def _print_net(src, protocol, perm):
@@ -218,7 +220,7 @@ def numcmp(val1,val2):
if v1 < v2:
return -1
except:
- return cmp(val1,val2)
+ return (val1 > val2) - (val1 < val2)
def _print_net(src, protocol, perm):
import sepolicy.network
@@ -226,7 +228,7 @@ def _print_net(src, protocol, perm):
if len(portdict) > 0:
bold_start="\033[1m"
bold_end="\033[0;0m"
@ -658880,16 +658918,19 @@ index 74fb347..6c7639f 100755
port_strings=[]
boolean_text=""
for p in portdict:
@@ -239,7 +240,7 @@ def _print_net(src, protocol, perm):
@@ -237,9 +239,9 @@ def _print_net(src, protocol, perm):
port_strings.append("%s (%s) %s" % (", ".join(recs), t, boolean_text))
else:
port_strings.append("%s (%s)" % (", ".join(recs), t))
port_strings.sort(numcmp)
- port_strings.sort(numcmp)
+ port_strings.sort(key=util.cmp_to_key(numcmp))
for p in port_strings:
- print "\t" + p
+ print("\t" + p)
def network(args):
portrecs, portrecsbynum = sepolicy.gen_port_dict()
@@ -249,29 +250,29 @@ def network(args):
@@ -249,29 +251,29 @@ def network(args):
if i[0] not in all_ports:
all_ports.append(i[0])
all_ports.sort()
@ -658929,7 +658970,7 @@ index 74fb347..6c7639f 100755
for a in args.applications:
d = sepolicy.get_init_transtype(a)
@@ -317,7 +318,7 @@ def manpage(args):
@@ -317,7 +319,7 @@ def manpage(args):
for domain in test_domains:
m = ManPage(domain, path, args.root,args.source_files, args.web)
@ -658938,7 +658979,7 @@ index 74fb347..6c7639f 100755
if args.web:
HTMLManPages(manpage_roles, manpage_domains, path, args.os)
@@ -375,7 +376,7 @@ def communicate(args):
@@ -375,7 +377,7 @@ def communicate(args):
out = list(set(writable) & set(readable))
for t in out:
@ -658947,7 +658988,12 @@ index 74fb347..6c7639f 100755
def gen_communicate_args(parser):
comm = parser.add_parser("communicate",
@@ -400,7 +401,7 @@ def booleans(args):
@@ -397,10 +399,12 @@ def booleans(args):
from sepolicy import boolean_desc
if args.all:
rc, args.booleans = selinux.security_get_boolean_names()
+ if util.PY3:
+ args.booleans = [util.decode_input(x) for x in args.booleans]
args.booleans.sort()
for b in args.booleans:
@ -658956,7 +659002,7 @@ index 74fb347..6c7639f 100755
def gen_booleans_args(parser):
bools = parser.add_parser("booleans",
@@ -435,19 +436,19 @@ def print_interfaces(interfaces, args, append=""):
@@ -435,19 +439,19 @@ def print_interfaces(interfaces, args, append=""):
for i in interfaces:
if args.verbose:
try:
@ -658981,7 +659027,7 @@ index 74fb347..6c7639f 100755
if args.list_admin:
print_interfaces(get_admin(args.file), args, "_admin")
if args.list_user:
@@ -458,7 +459,7 @@ def interface(args):
@@ -458,7 +462,7 @@ def interface(args):
print_interfaces(args.interfaces, args)
def generate(args):
@ -658990,7 +659036,7 @@ index 74fb347..6c7639f 100755
cmd = None
# numbers present POLTYPE defined in sepolicy.generate
conflict_args = {'TYPES':(NEWTYPE,), 'DOMAIN':(EUSER,), 'ADMIN_DOMAIN':(AUSER, RUSER, EUSER,)}
@@ -469,7 +470,7 @@ def generate(args):
@@ -469,7 +473,7 @@ def generate(args):
for k in usage_dict:
error_text += "%s" % (k)
print(generate_usage)
@ -658999,7 +659045,7 @@ index 74fb347..6c7639f 100755
sys.exit(1)
if args.policytype in APPLICATIONS:
@@ -514,7 +515,7 @@ def generate(args):
@@ -514,7 +518,7 @@ def generate(args):
if args.policytype in APPLICATIONS:
mypolicy.gen_writeable()
mypolicy.gen_symbols()
@ -659008,7 +659054,7 @@ index 74fb347..6c7639f 100755
def gen_interface_args(parser):
itf = parser.add_parser("interface",
@@ -542,7 +543,7 @@ def gen_interface_args(parser):
@@ -542,7 +546,7 @@ def gen_interface_args(parser):
itf.set_defaults(func=interface)
def gen_generate_args(parser):
@ -659017,7 +659063,7 @@ index 74fb347..6c7639f 100755
generate_usage = generate_custom_usage(usage, usage_dict)
@@ -552,7 +553,7 @@ def gen_generate_args(parser):
@@ -552,7 +556,7 @@ def gen_generate_args(parser):
action=CheckDomain, nargs="*",
help=_("Enter domain type which you will be extending"))
pol.add_argument("-u", "--user", dest="user", default=[],
@ -659026,7 +659072,7 @@ index 74fb347..6c7639f 100755
help=_("Enter SELinux user(s) which will transition to this domain"))
pol.add_argument("-r", "--role", dest="role", default=[],
action=CheckRole,
@@ -566,7 +567,7 @@ def gen_generate_args(parser):
@@ -566,7 +570,7 @@ def gen_generate_args(parser):
pol.add_argument("-T", "--test", dest="test", default=False, action="store_true",
help=argparse.SUPPRESS)
pol.add_argument("-t", "--type", dest="types", default=[], nargs="*",
@ -659035,7 +659081,7 @@ index 74fb347..6c7639f 100755
help="Enter type(s) for which you will generate new definition and rule(s)")
pol.add_argument("-p", "--path", dest="path", default=os.getcwd(),
help=_("path in which the generated policy files will be stored"))
@@ -590,8 +591,8 @@ def gen_generate_args(parser):
@@ -590,8 +594,8 @@ def gen_generate_args(parser):
action="store_const", default=DAEMON,
help=_("Generate '%s' policy") % poltype[DAEMON])
@ -659046,7 +659092,7 @@ index 74fb347..6c7639f 100755
group.add_argument("--admin_user", dest="policytype", const=AUSER,
action="store_const",
help=_("Generate '%s' policy") % poltype[AUSER])
@@ -642,12 +643,12 @@ if __name__ == '__main__':
@@ -642,12 +646,12 @@ if __name__ == '__main__':
args = parser.parse_args()
args.func(args)
sys.exit(0)
@ -659063,10 +659109,10 @@ index 74fb347..6c7639f 100755
+ print("Out")
sys.exit(0)
diff --git a/policycoreutils-2.4/sepolicy/sepolicy/__init__.py b/policycoreutils-2.4/sepolicy/sepolicy/__init__.py
index 679725d..78a5c9e 100644
index 679725d..2e1bfec 100644
--- a/policycoreutils-2.4/sepolicy/sepolicy/__init__.py
+++ b/policycoreutils-2.4/sepolicy/sepolicy/__init__.py
@@ -1,25 +1,29 @@
@@ -1,25 +1,30 @@
-#!/usr/bin/python
+#!/usr/bin/python3
@ -659080,6 +659126,7 @@ index 679725d..78a5c9e 100644
import gettext
import sepolgen.defaults as defaults
import sepolgen.interfaces as interfaces
+from sepolgen import util
import sys
+import subprocess
gettext.bindtextdomain(PROGNAME, "/usr/share/locale")
@ -659102,7 +659149,7 @@ index 679725d..78a5c9e 100644
TYPE = _policy.TYPE
ROLE = _policy.ROLE
@@ -28,6 +32,8 @@ PORT = _policy.PORT
@@ -28,6 +33,8 @@ PORT = _policy.PORT
USER = _policy.USER
BOOLEAN = _policy.BOOLEAN
TCLASS = _policy.CLASS
@ -659111,7 +659158,7 @@ index 679725d..78a5c9e 100644
ALLOW = 'allow'
AUDITALLOW = 'auditallow'
@@ -44,8 +50,12 @@ def info(setype, name=None):
@@ -44,8 +51,12 @@ def info(setype, name=None):
dict_list = _policy.info(setype, name)
return dict_list
@ -659126,7 +659173,7 @@ index 679725d..78a5c9e 100644
valid_types = [ALLOW, AUDITALLOW, NEVERALLOW, DONTAUDIT, TRANSITION, ROLE_ALLOW]
for setype in types:
if setype not in valid_types:
@@ -59,7 +69,7 @@ def search(types, info = {}):
@@ -59,7 +70,7 @@ def search(types, info = {}):
dict_list = _policy.search(seinfo)
if dict_list and len(perms) != 0:
@ -659135,7 +659182,7 @@ index 679725d..78a5c9e 100644
return dict_list
def get_conditionals(src,dest,tclass,perm):
@@ -75,7 +85,7 @@ def get_conditionals(src,dest,tclass,perm):
@@ -75,7 +86,7 @@ def get_conditionals(src,dest,tclass,perm):
allows=[]
allows.append(i)
try:
@ -659144,7 +659191,7 @@ index 679725d..78a5c9e 100644
tdict.update({'source':i['source'],'boolean':i['boolean']})
if tdict not in tlist:
tlist.append(tdict)
@@ -86,12 +96,42 @@ def get_conditionals(src,dest,tclass,perm):
@@ -86,12 +97,42 @@ def get_conditionals(src,dest,tclass,perm):
return (tlist)
def get_conditionals_format_text(cond):
@ -659189,7 +659236,7 @@ index 679725d..78a5c9e 100644
file_type_str = {}
file_type_str["a"] = _("all files")
file_type_str["f"] = _("regular file")
@@ -112,6 +152,44 @@ trans_file_type_str["-s"] = "s"
@@ -112,6 +153,44 @@ trans_file_type_str["-s"] = "s"
trans_file_type_str["-l"] = "l"
trans_file_type_str["-p"] = "p"
@ -659234,7 +659281,7 @@ index 679725d..78a5c9e 100644
def get_file_types(setype):
flist=[]
mpaths={}
@@ -169,7 +247,7 @@ def find_file(reg):
@@ -169,7 +248,7 @@ def find_file(reg):
try:
pat = re.compile(r"%s$" % reg)
except:
@ -659243,7 +659290,7 @@ index 679725d..78a5c9e 100644
return []
p = reg
if p.endswith("(/.*)?"):
@@ -181,19 +259,19 @@ def find_file(reg):
@@ -181,19 +260,19 @@ def find_file(reg):
if path[-1] != "/": # is pass in it breaks without try block
path += "/"
except IndexError:
@ -659266,7 +659313,7 @@ index 679725d..78a5c9e 100644
if exe.endswith("_exec_t") and exe not in exclude_list:
for path in executable_files[exe]:
for f in find_file(path):
@@ -221,7 +299,7 @@ def read_file_equiv(edict, fc_path, modify):
@@ -221,7 +300,7 @@ def read_file_equiv(edict, fc_path, modify):
f = e.split()
edict[f[0]] = { "equiv" : f[1], "modify" : modify }
return edict
@ -659275,7 +659322,7 @@ index 679725d..78a5c9e 100644
file_equiv_modified=None
def get_file_equiv_modified(fc_path = selinux.selinux_file_context_path()):
global file_equiv_modified
@@ -239,7 +317,7 @@ def get_file_equiv(fc_path = selinux.selinux_file_context_path()):
@@ -239,7 +318,7 @@ def get_file_equiv(fc_path = selinux.selinux_file_context_path()):
file_equiv = get_file_equiv_modified(fc_path)
file_equiv = read_file_equiv(file_equiv, fc_path + ".subs_dist", modify = False)
return file_equiv
@ -659284,7 +659331,7 @@ index 679725d..78a5c9e 100644
local_files=None
def get_local_file_paths(fc_path = selinux.selinux_file_context_path()):
global local_files
@@ -309,7 +387,7 @@ def get_fcdict(fc_path = selinux.selinux_file_context_path()):
@@ -309,7 +388,7 @@ def get_fcdict(fc_path = selinux.selinux_file_context_path()):
def get_transitions_into(setype):
try:
@ -659293,7 +659340,7 @@ index 679725d..78a5c9e 100644
except TypeError:
pass
return None
@@ -323,7 +401,7 @@ def get_transitions(setype):
@@ -323,7 +402,7 @@ def get_transitions(setype):
def get_file_transitions(setype):
try:
@ -659302,7 +659349,7 @@ index 679725d..78a5c9e 100644
except TypeError:
pass
return None
@@ -347,7 +425,7 @@ def get_all_entrypoints():
@@ -347,7 +426,7 @@ def get_all_entrypoints():
def get_entrypoint_types(setype):
entrypoints = []
try:
@ -659311,7 +659358,7 @@ index 679725d..78a5c9e 100644
except TypeError:
pass
return entrypoints
@@ -355,7 +433,7 @@ def get_entrypoint_types(setype):
@@ -355,7 +434,7 @@ def get_entrypoint_types(setype):
def get_init_transtype(path):
entrypoint = selinux.getfilecon(path)[1].split(":")[2]
try:
@ -659320,7 +659367,7 @@ index 679725d..78a5c9e 100644
if len(entrypoints) == 0:
return None
return entrypoints[0]["transtype"]
@@ -365,7 +443,7 @@ def get_init_transtype(path):
@@ -365,7 +444,7 @@ def get_init_transtype(path):
def get_init_entrypoint(transtype):
try:
@ -659329,7 +659376,7 @@ index 679725d..78a5c9e 100644
if len(entrypoints) == 0:
return None
return entrypoints[0]["target"]
@@ -375,7 +453,7 @@ def get_init_entrypoint(transtype):
@@ -375,7 +454,7 @@ def get_init_entrypoint(transtype):
def get_init_entrypoint_target(entrypoint):
try:
@ -659338,7 +659385,7 @@ index 679725d..78a5c9e 100644
return entrypoints[0]
except TypeError:
pass
@@ -413,7 +491,7 @@ def get_methods():
@@ -413,7 +492,7 @@ def get_methods():
# List of per_role_template interfaces
ifs = interfaces.InterfaceSet()
ifs.from_file(fd)
@ -659347,7 +659394,7 @@ index 679725d..78a5c9e 100644
fd.close()
except:
sys.stderr.write("could not open interface info [%s]\n" % fn)
@@ -426,7 +504,7 @@ all_types = None
@@ -426,7 +505,7 @@ all_types = None
def get_all_types():
global all_types
if all_types == None:
@ -659356,7 +659403,7 @@ index 679725d..78a5c9e 100644
return all_types
user_types = None
@@ -468,7 +546,6 @@ portrecs = None
@@ -468,7 +547,6 @@ portrecs = None
portrecsbynum = None
def gen_interfaces():
@ -659364,7 +659411,7 @@ index 679725d..78a5c9e 100644
ifile = defaults.interface_info()
headers = defaults.headers()
rebuild = False
@@ -480,7 +557,9 @@ def gen_interfaces():
@@ -480,7 +558,9 @@ def gen_interfaces():
if os.getuid() != 0:
raise ValueError(_("You must regenerate interface info by running /usr/bin/sepolgen-ifgen"))
@ -659375,12 +659422,12 @@ index 679725d..78a5c9e 100644
def gen_port_dict():
global portrecs
@@ -514,12 +593,26 @@ def get_all_domains():
@@ -514,12 +594,26 @@ def get_all_domains():
all_domains = info(ATTRIBUTE,"domain")[0]["types"]
return all_domains
+def mls_cmp(x,y):
+ return cmp(int(x[1:]), int(y[1:]))
+ return (int(x[1:]) > int(y[1:])) - (int(x[1:]) < int(y[1:]))
+
+mls_range = None
+def get_mls_range():
@ -659389,7 +659436,7 @@ index 679725d..78a5c9e 100644
+ return mls_rangeroles
+ range_dict = info(SENS)
+ keys = range_dict.keys()
+ keys.sort(cmp=mls_cmp)
+ keys.sort(key=util.cmp_to_key(mls_cmp))
+ mls_range = "%s-%s" % (keys[0], range_dict[keys[-1]])
+ return mls_range
+
@ -659403,7 +659450,7 @@ index 679725d..78a5c9e 100644
roles.remove("object_r")
roles.sort()
return roles
@@ -552,7 +645,7 @@ def get_login_mappings():
@@ -552,7 +646,7 @@ def get_login_mappings():
return login_mappings
def get_all_users():
@ -659412,7 +659459,7 @@ index 679725d..78a5c9e 100644
users.sort()
return users
@@ -700,7 +793,7 @@ all_attributes = None
@@ -700,7 +794,7 @@ all_attributes = None
def get_all_attributes():
global all_attributes
if not all_attributes:
@ -659421,7 +659468,7 @@ index 679725d..78a5c9e 100644
return all_attributes
def policy(policy_file):
@@ -730,7 +823,7 @@ def policy(policy_file):
@@ -730,7 +824,7 @@ def policy(policy_file):
try:
policy_file = get_installed_policy()
policy(policy_file)
@ -659430,7 +659477,7 @@ index 679725d..78a5c9e 100644
if selinux.is_selinux_enabled() == 1:
raise e
@@ -758,7 +851,7 @@ def get_bools(setype):
@@ -758,7 +852,7 @@ def get_bools(setype):
bools = []
domainbools = []
domainname, short_name = gen_short_name(setype)
@ -659439,7 +659486,16 @@ index 679725d..78a5c9e 100644
for b in i:
if not isinstance(b,tuple):
continue
@@ -821,7 +914,7 @@ def gen_bool_dict(path="/usr/share/selinux/devel/policy.xml"):
@@ -779,6 +873,8 @@ def get_all_booleans():
global booleans
if not booleans:
booleans = selinux.security_get_boolean_names()[1]
+ if util.PY3:
+ booleans = [util.decode_input(x) for x in booleans]
return booleans
booleans_dict = None
@@ -821,7 +917,7 @@ def gen_bool_dict(path="/usr/share/selinux/devel/policy.xml"):
desc = i.find("desc").find("p").text.strip("\n")
desc = re.sub("\n", " ", desc)
booleans_dict[i.get('name')] = ("global", i.get('dftval'), desc)
@ -659448,7 +659504,7 @@ index 679725d..78a5c9e 100644
pass
return booleans_dict
@@ -841,24 +934,14 @@ def boolean_desc(boolean):
@@ -841,24 +937,14 @@ def boolean_desc(boolean):
return "Allow %s to %s" % (desc[0], " ".join(desc[1:]))
def get_os_version():
@ -659479,7 +659535,7 @@ index 679725d..78a5c9e 100644
def reinit():
global all_attributes
@@ -871,7 +954,7 @@ def reinit():
@@ -871,7 +957,7 @@ def reinit():
global file_types
global local_files
global methods
@ -659526,7 +659582,7 @@ index 9b9a09a..b99b6d4 100755
return tlist
diff --git a/policycoreutils-2.4/sepolicy/sepolicy/generate.py b/policycoreutils-2.4/sepolicy/sepolicy/generate.py
index 6b53035..340a10a 100644
index 6b53035..a06c6c4 100644
--- a/policycoreutils-2.4/sepolicy/sepolicy/generate.py
+++ b/policycoreutils-2.4/sepolicy/sepolicy/generate.py
@@ -1,4 +1,4 @@
@ -659535,7 +659591,7 @@ index 6b53035..340a10a 100644
#
# Copyright (C) 2007-2012 Red Hat
# see file 'COPYING' for use and warranty information
@@ -27,21 +27,21 @@ import sepolicy
@@ -27,23 +27,24 @@ import sepolicy
from sepolicy import get_all_types, get_all_attributes, get_all_roles
import time
@ -659571,8 +659627,11 @@ index 6b53035..340a10a 100644
+from .templates import user
import sepolgen.interfaces as interfaces
import sepolgen.defaults as defaults
+from sepolgen import util
@@ -55,12 +55,15 @@ gettext.bindtextdomain(PROGNAME, "/usr/share/locale")
##
## I18N
@@ -55,18 +56,26 @@ gettext.bindtextdomain(PROGNAME, "/usr/share/locale")
gettext.textdomain(PROGNAME)
try:
gettext.install(PROGNAME,
@ -659592,7 +659651,18 @@ index 6b53035..340a10a 100644
def get_rpm_nvr_from_header(hdr):
'Given an RPM header return the package NVR as a string'
@@ -82,7 +85,7 @@ def get_rpm_nvr_list(package):
name = hdr['name']
version = hdr['version']
release = hdr['release']
+ if util.PY3:
+ name = util.decode_input(name)
+ version = util.decode_input(version)
+ release = util.decode_input(release)
+
release_version = version+"-"+release.split(".")[0]
os_version = release.split(".")[1]
@@ -82,7 +91,7 @@ def get_rpm_nvr_list(package):
nvr = get_rpm_nvr_from_header(h)
break
except:
@ -659601,7 +659671,7 @@ index 6b53035..340a10a 100644
nvr = None
return nvr
@@ -98,7 +101,7 @@ def get_all_ports():
@@ -98,7 +107,7 @@ def get_all_ports():
return dict
def get_all_users():
@ -659610,7 +659680,7 @@ index 6b53035..340a10a 100644
users.remove("system_u")
users.remove("root")
users.sort()
@@ -141,13 +144,13 @@ poltype[RUSER] = _("Confined Root Administrator Role")
@@ -141,13 +150,13 @@ poltype[RUSER] = _("Confined Root Administrator Role")
poltype[NEWTYPE] = _("Module information for a new type")
def get_poltype_desc():
@ -659626,7 +659696,7 @@ index 6b53035..340a10a 100644
APPLICATIONS = [ DAEMON, DBUS, INETD, USER, CGI ]
USERS = [ XUSER, TUSER, LUSER, AUSER, RUSER]
@@ -181,7 +184,7 @@ def verify_ports(ports):
@@ -181,7 +190,7 @@ def verify_ports(ports):
class policy:
@ -659635,7 +659705,7 @@ index 6b53035..340a10a 100644
self.rpms = []
self.ports = []
self.all_roles = get_all_roles()
@@ -190,14 +193,14 @@ class policy:
@@ -190,14 +199,14 @@ class policy:
if type not in poltype:
raise ValueError(_("You must enter a valid policy type"))
@ -659655,7 +659725,7 @@ index 6b53035..340a10a 100644
self.symbols = {}
self.symbols["openlog"] = "set_use_kerberos(True)"
@@ -289,32 +292,32 @@ class policy:
@@ -289,32 +298,32 @@ class policy:
self.symbols["audit_control"] = "add_capability('audit_control')"
self.symbols["setfcap"] = "add_capability('setfcap')"
@ -659711,7 +659781,7 @@ index 6b53035..340a10a 100644
( self.generate_daemon_types, self.generate_daemon_rules), \
( self.generate_dbusd_types, self.generate_dbusd_rules), \
( self.generate_inetd_types, self.generate_inetd_rules), \
@@ -331,47 +334,47 @@ class policy:
@@ -331,47 +340,47 @@ class policy:
if not re.match(r"^[a-zA-Z0-9-_]+$", name):
raise ValueError(_("Name must be alpha numberic with no spaces. Consider using option \"-n MODULENAME\""))
@ -659790,7 +659860,7 @@ index 6b53035..340a10a 100644
self.roles = []
def __isnetset(self, l):
@@ -414,162 +417,162 @@ class policy:
@@ -414,162 +423,162 @@ class policy:
return self.use_tcp() or self.use_udp()
def find_port(self, port, protocol="tcp"):
@ -660015,7 +660085,7 @@ index 6b53035..340a10a 100644
newte =""
if self.use_mail:
newte = re.sub("TEMPLATETYPE", self.name, executable.te_mail_rules)
@@ -589,7 +592,7 @@ allow %s_t %s_t:%s_socket name_%s;
@@ -589,7 +598,7 @@ allow %s_t %s_t:%s_socket name_%s;
""" % (port_name, self.name, port_name, protocol, action)
return line
@ -660024,7 +660094,7 @@ index 6b53035..340a10a 100644
for i in self.in_tcp[PORTS]:
rec = self.find_port(int(i), "tcp")
if rec == None:
@@ -627,7 +630,7 @@ allow %s_t %s_t:%s_socket name_%s;
@@ -627,7 +636,7 @@ allow %s_t %s_t:%s_socket name_%s;
return re.sub("TEMPLATETYPE", self.name, network.te_types)
return ""
@ -660033,7 +660103,7 @@ index 6b53035..340a10a 100644
for d in self.DEFAULT_DIRS:
if file.find(d) == 0:
self.DEFAULT_DIRS[d][1].append(file)
@@ -635,34 +638,34 @@ allow %s_t %s_t:%s_socket name_%s;
@@ -635,34 +644,34 @@ allow %s_t %s_t:%s_socket name_%s;
self.DEFAULT_DIRS["rw"][1].append(file)
return self.DEFAULT_DIRS["rw"]
@ -660078,7 +660148,7 @@ index 6b53035..340a10a 100644
newte = ""
self.processes.sort()
if len(self.processes) > 0:
@@ -670,9 +673,9 @@ allow %s_t %s_t:%s_socket name_%s;
@@ -670,9 +679,9 @@ allow %s_t %s_t:%s_socket name_%s;
return newte
@ -660091,7 +660161,7 @@ index 6b53035..340a10a 100644
newte = "\n"
newte += re.sub("TEMPLATETYPE", self.name, network.te_network)
@@ -725,7 +728,7 @@ allow %s_t %s_t:%s_socket name_%s;
@@ -725,7 +734,7 @@ allow %s_t %s_t:%s_socket name_%s;
for i in self.found_udp_ports:
newte += i
@ -660100,7 +660170,7 @@ index 6b53035..340a10a 100644
def generate_transition_rules(self):
newte = ""
@@ -750,11 +753,11 @@ allow %s_t %s_t:%s_socket name_%s;
@@ -750,11 +759,11 @@ allow %s_t %s_t:%s_socket name_%s;
tmp = re.sub("TEMPLATETYPE", name, user.te_admin_domain_rules)
if role not in self.all_roles:
tmp = re.sub(role, "system_r", tmp)
@ -660115,7 +660185,7 @@ index 6b53035..340a10a 100644
if self.type == RUSER:
newte += re.sub("TEMPLATETYPE", self.name, user.te_admin_rules)
@@ -772,7 +775,7 @@ allow %s_t %s_t:%s_socket name_%s;
@@ -772,7 +781,7 @@ allow %s_t %s_t:%s_socket name_%s;
return newte
@ -660124,7 +660194,7 @@ index 6b53035..340a10a 100644
newif = ""
if self.use_dbus:
newif = re.sub("TEMPLATETYPE", self.name, executable.if_dbus_rules)
@@ -808,31 +811,31 @@ allow %s_t %s_t:%s_socket name_%s;
@@ -808,31 +817,31 @@ allow %s_t %s_t:%s_socket name_%s;
return ""
@ -660173,7 +660243,7 @@ index 6b53035..340a10a 100644
if len(self.existing_domains) == 0:
raise ValueError(_("'%s' policy modules require existing domains") % poltype[self.type])
newte = re.sub("TEMPLATETYPE", self.name, user.te_existing_user_types)
@@ -844,27 +847,27 @@ allow %s_t %s_t:%s_socket name_%s;
@@ -844,27 +853,27 @@ allow %s_t %s_t:%s_socket name_%s;
role = d.split("_t")[0] + "_r"
if role in self.all_roles:
newte += """
@ -660210,7 +660280,7 @@ index 6b53035..340a10a 100644
newte += re.sub("TEMPLATETYPE", t[:-len(i)], self.DEFAULT_EXT[i].te_types)
break
@@ -876,46 +879,46 @@ allow %s_t %s_t:%s_socket name_%s;
@@ -876,46 +885,46 @@ allow %s_t %s_t:%s_socket name_%s;
return newte
@ -660270,7 +660340,7 @@ index 6b53035..340a10a 100644
newif = ""
for t in self.types:
for i in self.DEFAULT_EXT:
@@ -925,46 +928,46 @@ allow %s_t %s_t:%s_socket name_%s;
@@ -925,46 +934,46 @@ allow %s_t %s_t:%s_socket name_%s;
break
return newif
@ -660342,7 +660412,7 @@ index 6b53035..340a10a 100644
newif =""
if self.use_terminal or self.type == USER:
newif = re.sub("TEMPLATETYPE", self.name, executable.if_user_program_rules)
@@ -973,7 +976,7 @@ allow %s_t %s_t:%s_socket name_%s;
@@ -973,7 +982,7 @@ allow %s_t %s_t:%s_socket name_%s;
newif += re.sub("TEMPLATETYPE", self.name, executable.if_role_change_rules)
return newif
@ -660351,7 +660421,7 @@ index 6b53035..340a10a 100644
newif = ""
newif += re.sub("TEMPLATETYPE", self.name, executable.if_heading_rules)
if self.program:
@@ -982,8 +985,8 @@ allow %s_t %s_t:%s_socket name_%s;
@@ -982,8 +991,8 @@ allow %s_t %s_t:%s_socket name_%s;
newif += re.sub("TEMPLATETYPE", self.name, executable.if_initscript_rules)
for d in self.DEFAULT_KEYS:
@ -660362,7 +660432,7 @@ index 6b53035..340a10a 100644
for i in self.DEFAULT_DIRS[d][1]:
if os.path.exists(i) and stat.S_ISSOCK(os.stat(i)[stat.ST_MODE]):
newif += re.sub("TEMPLATETYPE", self.name, self.DEFAULT_DIRS[d][2].if_stream_rules)
@@ -995,17 +998,17 @@ allow %s_t %s_t:%s_socket name_%s;
@@ -995,17 +1004,17 @@ allow %s_t %s_t:%s_socket name_%s;
newif += self.generate_new_type_if()
newif += self.generate_new_rules()
@ -660385,7 +660455,7 @@ index 6b53035..340a10a 100644
newte = ""
if self.type in ( TUSER, XUSER, AUSER, LUSER ):
roles = ""
@@ -1017,12 +1020,12 @@ allow %s_t %s_t:%s_socket name_%s;
@@ -1017,12 +1026,12 @@ allow %s_t %s_t:%s_socket name_%s;
newte += re.sub("ROLE", role, tmp)
return newte
@ -660403,7 +660473,7 @@ index 6b53035..340a10a 100644
newte += re.sub("TEMPLATETYPE", self.name, self.DEFAULT_DIRS[d][2].te_types)
if self.type != EUSER:
@@ -1034,14 +1037,14 @@ allow %s_t %s_t:%s_socket name_%s;
@@ -1034,14 +1043,14 @@ allow %s_t %s_t:%s_socket name_%s;
""" % self.name
newte += self.generate_capabilities()
newte += self.generate_process()
@ -660424,7 +660494,7 @@ index 6b53035..340a10a 100644
if self.type == EUSER:
newte_tmp = ""
for domain in self.existing_domains:
@@ -1059,40 +1062,40 @@ allow %s_t %s_t:%s_socket name_%s;
@@ -1059,40 +1068,40 @@ allow %s_t %s_t:%s_socket name_%s;
newte += re.sub("TEMPLATETYPE", self.name, self.DEFAULT_DIRS[d][2].te_stream_rules)
break
@ -660492,7 +660562,7 @@ index 6b53035..340a10a 100644
fclist.append(re.sub("FILETYPE", self.dirs[i][0], t2))
if self.type in USERS + [ SANDBOX ]:
@@ -1112,9 +1115,9 @@ allow %s_t %s_t:%s_socket name_%s;
@@ -1112,9 +1121,9 @@ allow %s_t %s_t:%s_socket name_%s;
fclist.sort()
newfc="\n".join(fclist)
@ -660504,7 +660574,7 @@ index 6b53035..340a10a 100644
newsh = ""
if self.type not in ( TUSER, XUSER, AUSER, LUSER, RUSER):
return newsh
@@ -1140,7 +1143,7 @@ allow %s_t %s_t:%s_socket name_%s;
@@ -1140,7 +1149,7 @@ allow %s_t %s_t:%s_socket name_%s;
return newsh
@ -660513,7 +660583,7 @@ index 6b53035..340a10a 100644
temp = re.sub("TEMPLATETYPE", self.file_name, script.compile)
temp = re.sub("DOMAINTYPE", self.name, temp)
if self.type == EUSER:
@@ -1154,11 +1157,11 @@ allow %s_t %s_t:%s_socket name_%s;
@@ -1154,11 +1163,11 @@ allow %s_t %s_t:%s_socket name_%s;
if self.initscript != "":
newsh += re.sub("FILENAME", self.initscript, script.restorecon)
@ -660529,7 +660599,7 @@ index 6b53035..340a10a 100644
for i in self.in_tcp[PORTS] + self.out_tcp[PORTS]:
if self.find_port(i,"tcp") == None:
@@ -1167,97 +1170,99 @@ allow %s_t %s_t:%s_socket name_%s;
@@ -1167,97 +1176,99 @@ allow %s_t %s_t:%s_socket name_%s;
for i in self.in_udp[PORTS]:
if self.find_port(i,"udp") == None:
@ -660712,7 +660782,7 @@ index 6b53035..340a10a 100644
for b in self.DEFAULT_DIRS:
if b == "/etc":
continue
@@ -1267,8 +1272,9 @@ allow %s_t %s_t:%s_socket name_%s;
@@ -1267,8 +1278,9 @@ allow %s_t %s_t:%s_socket name_%s;
else:
self.add_dir(fname)
@ -660724,7 +660794,7 @@ index 6b53035..340a10a 100644
for b in self.DEFAULT_DIRS:
if b == "/etc":
continue
@@ -1281,8 +1287,8 @@ allow %s_t %s_t:%s_socket name_%s;
@@ -1281,8 +1293,8 @@ allow %s_t %s_t:%s_socket name_%s;
# some packages have own systemd subpackage
# tor-systemd for example
binary_name = self.program.split("/")[-1]
@ -660735,7 +660805,7 @@ index 6b53035..340a10a 100644
for b in self.DEFAULT_DIRS:
if b == "/etc":
continue
@@ -1316,10 +1322,10 @@ allow %s_t %s_t:%s_socket name_%s;
@@ -1316,10 +1328,10 @@ allow %s_t %s_t:%s_socket name_%s;
if os.path.isfile("/etc/rc.d/init.d/%s" % self.name):
self.set_init_script("/etc/rc\.d/init\.d/%s" % self.name)
@ -660748,7 +660818,7 @@ index 6b53035..340a10a 100644
temp_dirs = []
try:
temp_basepath = self.DEFAULT_DIRS[p][1][0] + "/"
@@ -1334,9 +1340,9 @@ allow %s_t %s_t:%s_socket name_%s;
@@ -1334,9 +1346,9 @@ allow %s_t %s_t:%s_socket name_%s;
if len(temp_dirs) is not 0:
for i in temp_dirs:
@ -660760,7 +660830,7 @@ index 6b53035..340a10a 100644
del(self.files[i])
else:
continue
@@ -1358,10 +1364,10 @@ Warning %s does not exist
@@ -1358,10 +1370,10 @@ Warning %s does not exist
for s in fd.read().split():
for b in self.symbols:
if s.startswith(b):
@ -661563,7 +661633,7 @@ index bbabb3b..29370ee 100644
os.remove(v)
diff --git a/policycoreutils-2.4/sepolicy/sepolicy/manpage.py b/policycoreutils-2.4/sepolicy/sepolicy/manpage.py
index ba15b2c..b12f379 100755
index ba15b2c..4da25b9 100755
--- a/policycoreutils-2.4/sepolicy/sepolicy/manpage.py
+++ b/policycoreutils-2.4/sepolicy/sepolicy/manpage.py
@@ -1,4 +1,4 @@
@ -661802,7 +661872,7 @@ index ba15b2c..b12f379 100755
+ except subprocess.CalledProcessError as e:
+ sys.stderr.write(e.output)
+ return
+ fd = open(html_manpage,'w')
+ fd = open(html_manpage,'wb')
+ fd.write(man_page)
+ fd.close()
+ print(html_manpage)

7
policycoreutils.spec
View File

@ -7,7 +7,7 @@
Summary: SELinux policy core utilities
Name: policycoreutils
Version: 2.4
Release: 8%{?dist}
Release: 9%{?dist}
License: GPLv2
Group: System Environment/Base
# https://github.com/SELinuxProject/selinux/wiki/Releases
@ -18,7 +18,7 @@ Source2: policycoreutils_man_ru2.tar.bz2
Source3: system-config-selinux.png
Source4: sepolicy-icons.tgz
# use make-rhat-patches.sh to create following patches from https://github.com/fedora-selinux/selinux/
# HEAD https://github.com/fedora-selinux/selinux/commit/38d05b08329cb56bba1e64a37b9b166f2fa9f85c
# HEAD https://github.com/fedora-selinux/selinux/commit/997cfe77c75093964f3952754f767f2d375f5cb5
Patch: policycoreutils-rhat.patch
Patch1: sepolgen-rhat.patch
Obsoletes: policycoreutils < 2.0.61-2
@ -399,6 +399,9 @@ The policycoreutils-restorecond package contains the restorecond service.
%systemd_postun_with_restart restorecond.service
%changelog
* Thu Aug 13 2015 Petr Lautrbach <plautrba@redhat.com> 2.4-9
- Fix another python3 issues mainly in sepolicy (#1247039,#1247575,#1251713)
* Thu Aug 06 2015 Petr Lautrbach <plautrba@redhat.com> 2.4-8
- Fix multiple python3 issues in sepolgen (#1249388,#1247575,#1247564)

25
sepolgen-rhat.patch
View File

@ -122,7 +122,7 @@ index cf13210..60ff4e9 100644
else:
role_type = refpolicy.RoleType()
diff --git a/sepolgen-1.2.2/src/sepolgen/audit.py b/sepolgen-1.2.2/src/sepolgen/audit.py
index 56919be..1c94daa 100644
index 56919be..dad0724 100644
--- a/sepolgen-1.2.2/src/sepolgen/audit.py
+++ b/sepolgen-1.2.2/src/sepolgen/audit.py
@@ -17,11 +17,12 @@
@ -206,7 +206,7 @@ index 56919be..1c94daa 100644
self.by_header[msg.header].append(msg)
else:
self.by_header[msg.header] = [msg]
@@ -492,6 +506,68 @@ class AuditParser:
@@ -492,6 +506,61 @@ class AuditParser:
return role_types
@ -231,9 +231,6 @@ index 56919be..1c94daa 100644
+ stderr=subprocess.STDOUT,
+ shell=True,
+ universal_newlines=True)
+ if util.PY3:
+ output = util.decode_input(output)
+
+ try:
+ ino = int(inode)
+ except ValueError:
@ -250,14 +247,11 @@ index 56919be..1c94daa 100644
+ return path
+
+ def __store_base_types(self):
+ # FIXME: this is a temporary workaround until sepolicy is ported to python 3
+ # import sepolicy
+ # self.base_types = sepolicy.get_types_from_attribute("base_file_type")
+ self.base_types = []
+ import sepolicy
+ self.base_types = sepolicy.get_types_from_attribute("base_file_type")
+
+ def __get_base_type(self, tcontext, scontext):
+ # FIXME: uncomment the following code when sepolicy is ported to python 3
+ # import sepolicy
+ import sepolicy
+ # Prevent unnecessary searching
+ if (self.old_scontext == scontext and
+ self.old_tcontext == tcontext):
@ -266,16 +260,15 @@ index 56919be..1c94daa 100644
+ self.old_tcontext = tcontext
+ for btype in self.base_types:
+ if btype == tcontext:
+ # FIXME: uncomment the following code when sepolicy is ported to python 3
+ # for writable in sepolicy.get_writable_files(scontext):
+ # if writable.endswith(tcontext) and writable.startswith(scontext.rstrip("_t")):
+ # return writable
+ for writable in sepolicy.get_writable_files(scontext):
+ if writable.endswith(tcontext) and writable.startswith(scontext.rstrip("_t")):
+ return writable
+ return 0
+
def to_access(self, avc_filter=None, only_denials=True):
"""Convert the audit logs access into a an access vector set.
@@ -510,16 +586,23 @@ class AuditParser:
@@ -510,16 +579,23 @@ class AuditParser:
audit logs parsed by this object.
"""
av_set = access.AccessVectorSet()