rpms/policycoreutils
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Sepolixy should not throw an exception on an SELinux disabled machine

Browse Source 
- Switch from using console app to using pkexec, so we will work better
with policykit.
- Add missing import to fix system-config-selinux startup
- Add comment to pamd files about pam_rootok.so
- Fix sepolicy generate to not comment out the first line
This commit is contained in:
Dan Walsh 2013-02-21 18:26:12 +01:00
parent 3234f310f1
commit 92a9b8454b
2 changed files with 105 additions and 44 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

127
policycoreutils-rhat.patch
View File

@ -112,21 +112,20 @@ index a9e8893..0000000
@@ -1 +0,0 @@
-.so man1/audit2allow.1
diff --git a/policycoreutils/gui/Makefile b/policycoreutils/gui/Makefile
index b5abbb9..7218c3e 100644
index b5abbb9..513f2c4 100644
--- a/policycoreutils/gui/Makefile
+++ b/policycoreutils/gui/Makefile
@@ -1,7 +1,10 @@
@@ -1,7 +1,9 @@
# Installation directories.
PREFIX ?= ${DESTDIR}/usr
+SYSCONFDIR ?= ${DESTDIR}/etc
BINDIR ?= $(PREFIX)/bin
SHAREDIR ?= $(PREFIX)/share/system-config-selinux
+DATADIR ?= $(PREFIX)/share
+PAMDIR ?= $(SYSCONFDIR)/pam.d
TARGETS= \
booleansPage.py \
@@ -16,6 +19,7 @@ portsPage.py \
@@ -16,6 +18,7 @@ portsPage.py \
semanagePage.py \
statusPage.py \
system-config-selinux.glade \
@ -134,28 +133,56 @@ index b5abbb9..7218c3e 100644
usersPage.py
all: $(TARGETS) system-config-selinux.py polgengui.py
@@ -23,10 +27,20 @@ all: $(TARGETS) system-config-selinux.py polgengui.py
@@ -23,11 +26,19 @@ all: $(TARGETS) system-config-selinux.py polgengui.py
install: all
-mkdir -p $(SHAREDIR)
-mkdir -p $(BINDIR)
+ -mkdir -p $(DATADIR)/pixmaps
+ -mkdir -p $(DATADIR)/icons/hicolor/24x24/apps
+ -mkdir -p $(SYSCONFDIR)
+ -mkdir -p $(PAMDIR)
+ -mkdir -p $(SYSCONFDIR)/security/console.apps/system-config-selinux
+ -mkdir -p $(DATADIR)/polkit-1/actions/
install -m 755 system-config-selinux.py $(SHAREDIR)
+ install -m 755 system-config-selinux $(BINDIR)
install -m 755 polgengui.py $(SHAREDIR)
- install -m 755 sepolgen $(BINDIR)
install -m 644 $(TARGETS) $(SHAREDIR)
-
+ install -m 644 system-config-selinux.png $(DATADIR)/pixmaps
+ install -m 644 system-config-selinux.png $(DATADIR)/icons/hicolor/24x24/apps
+ install -m 644 system-config-selinux.png $(DATADIR)/system-config-selinux
+ install -m 644 *.desktop $(DATADIR)/system-config-selinux
+ install -m 644 system-config-selinux.pam $(PAMDIR)/system-config-selinux
+ install -m 644 system-config-selinux.console $(SYSCONFDIR)/security/console.apps/system-config-selinux
+ install -m 644 org.fedoraproject.config.selinux.policy $(DATADIR)/polkit-1/actions/
clean:
indent:
diff --git a/policycoreutils/gui/org.fedoraproject.config.selinux.policy b/policycoreutils/gui/org.fedoraproject.config.selinux.policy
new file mode 100644
index 0000000..fcfa81d
--- /dev/null
+++ b/policycoreutils/gui/org.fedoraproject.config.selinux.policy
@@ -0,0 +1,22 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE policyconfig PUBLIC
+"-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
+"http://www.freedesktop.org/standards/PolicyKit/1/policyconfig.dtd">
+<policyconfig>
+
+ <vendor>System Config SELinux</vendor>
+ <vendor_url>http://fedorahosted.org/system-config-selinux</vendor_url>
+
+ <action id="org.fedoraproject.config.selinux.pkexec.run">
+ <description>Run System Config SELinux</description>
+ <message>Authentication is required to run system-config-selinux</message>
+ <icon_name>system-selinux</icon_name>
+ <defaults>
+ <allow_any>no</allow_any>
+ <allow_inactive>no</allow_inactive>
+ <allow_active>auth_admin</allow_active>
+ </defaults>
+ <annotate key="org.freedesktop.policykit.exec.path">/usr/share/system-config-selinux/system-config-selinux.py</annotate>
+ <annotate key="org.freedesktop.policykit.exec.allow_gui">true</annotate>
+ </action>
+</policyconfig>
diff --git a/policycoreutils/gui/selinux-polgengui.desktop b/policycoreutils/gui/selinux-polgengui.desktop
new file mode 100644
index 0000000..0c2f399
@ -237,15 +264,15 @@ index 2f0c1cc..0000000
@@ -1,2 +0,0 @@
-#!/bin/sh
-sepolicy generate $*
diff --git a/policycoreutils/gui/system-config-selinux.console b/policycoreutils/gui/system-config-selinux.console
new file mode 100644
index 0000000..42b48a3
diff --git a/policycoreutils/gui/system-config-selinux b/policycoreutils/gui/system-config-selinux
new file mode 100755
index 0000000..5be5ccd
--- /dev/null
+++ b/policycoreutils/gui/system-config-selinux.console
+++ b/policycoreutils/gui/system-config-selinux
@@ -0,0 +1,3 @@
+USER=root
+PROGRAM=/usr/share/system-config-selinux/system-config-selinux.py
+SESSION=true
+#!/bin/sh
+
+exec /usr/bin/pkexec /usr/share/system-config-selinux/system-config-selinux.py
diff --git a/policycoreutils/gui/system-config-selinux.desktop b/policycoreutils/gui/system-config-selinux.desktop
new file mode 100644
index 0000000..8822ce2
@ -319,20 +346,6 @@ index 0000000..8822ce2
+Categories=System;Security;
+X-Desktop-File-Install-Version=0.2
+Keywords=policy;security;selinux;avc;permission;mac;
diff --git a/policycoreutils/gui/system-config-selinux.pam b/policycoreutils/gui/system-config-selinux.pam
new file mode 100644
index 0000000..6a8c230
--- /dev/null
+++ b/policycoreutils/gui/system-config-selinux.pam
@@ -0,0 +1,8 @@
+#%PAM-1.0
+auth sufficient pam_rootok.so
+auth sufficient pam_timestamp.so
+auth include system-auth
+session required pam_permit.so
+session optional pam_xauth.so
+session optional pam_timestamp.so
+account required pam_permit.so
diff --git a/policycoreutils/gui/system-config-selinux.png b/policycoreutils/gui/system-config-selinux.png
new file mode 100644
index 0000000..68ffcb7
@ -428,6 +441,17 @@ index 8fbf2d0..3510f12 100644
}
/*
diff --git a/policycoreutils/newrole/newrole.pamd b/policycoreutils/newrole/newrole.pamd
index d1b435c..de3582f 100644
--- a/policycoreutils/newrole/newrole.pamd
+++ b/policycoreutils/newrole/newrole.pamd
@@ -1,4 +1,6 @@
#%PAM-1.0
+# Uncomment the next line if you do not want to enter your passwd everytime
+# auth sufficient pam_rootok.so
auth include system-auth
account include system-auth
password include system-auth
diff --git a/policycoreutils/po/Makefile b/policycoreutils/po/Makefile
index a377996..9c1486e 100644
--- a/policycoreutils/po/Makefile
@ -856,6 +880,17 @@ index 00a646f..2c28676 100644
g_main_loop_unref (loop);
return 0;
}
diff --git a/policycoreutils/run_init/run_init.pamd b/policycoreutils/run_init/run_init.pamd
index d1b435c..1c323d2 100644
--- a/policycoreutils/run_init/run_init.pamd
+++ b/policycoreutils/run_init/run_init.pamd
@@ -1,4 +1,6 @@
#%PAM-1.0
+# Uncomment the next line if you do not want to enter your passwd everytime
+#auth sufficient pam_rootok.so
auth include system-auth
account include system-auth
password include system-auth
diff --git a/policycoreutils/sandbox/sandbox b/policycoreutils/sandbox/sandbox
index b629006..6631c2d 100644
--- a/policycoreutils/sandbox/sandbox
@ -1485,7 +1520,7 @@ index b25d3b2..7a15d88 100755
sys.exit(0)
except ValueError,e:
diff --git a/policycoreutils/sepolicy/sepolicy/__init__.py b/policycoreutils/sepolicy/sepolicy/__init__.py
index 5e7415c..10abeec 100644
index 5e7415c..b9cb9cc 100644
--- a/policycoreutils/sepolicy/sepolicy/__init__.py
+++ b/policycoreutils/sepolicy/sepolicy/__init__.py
@@ -37,9 +37,30 @@ CLASS = 'class'
@ -1521,7 +1556,15 @@ index 5e7415c..10abeec 100644
policies = glob.glob ("%s.*" % path )
policies.sort()
return policies[-1]
@@ -85,7 +106,7 @@ all_domains = None
@@ -71,6 +92,7 @@ def get_all_role_allows():
return role_allows
def get_all_entrypoint_domains():
+ import re
all_domains = []
types=get_all_types()
types.sort()
@@ -85,7 +107,7 @@ all_domains = None
def get_all_domains():
global all_domains
if not all_domains:
@ -1530,7 +1573,7 @@ index 5e7415c..10abeec 100644
return all_domains
roles = None
@@ -139,49 +160,43 @@ def get_all_attributes():
@@ -139,49 +161,43 @@ def get_all_attributes():
return all_attributes
def policy(policy_file):
@ -1562,8 +1605,8 @@ index 5e7415c..10abeec 100644
-if not policy_file:
- policy_file = __get_installed_policy()
-
+policy_file = get_installed_policy()
try:
+ policy_file = get_installed_policy()
policy(policy_file)
except ValueError, e:
if selinux.is_selinux_enabled() == 1:
@ -1599,6 +1642,20 @@ index 5e7415c..10abeec 100644
booleans_dict = None
def gen_bool_dict(path="/usr/share/selinux/devel/policy.xml"):
global booleans_dict
diff --git a/policycoreutils/sepolicy/sepolicy/generate.py b/policycoreutils/sepolicy/sepolicy/generate.py
index 26f8390..19f6056 100644
--- a/policycoreutils/sepolicy/sepolicy/generate.py
+++ b/policycoreutils/sepolicy/sepolicy/generate.py
@@ -1037,7 +1037,8 @@ allow %s_t %s_t:%s_socket name_%s;
########################################
#
# %s local policy
-#""" % self.name
+#
+""" % self.name
newte += self.generate_capabilities()
newte += self.generate_process()
newte += self.generate_network_types()
diff --git a/policycoreutils/sepolicy/sepolicy/manpage.py b/policycoreutils/sepolicy/sepolicy/manpage.py
index 25062da..da17c48 100755
--- a/policycoreutils/sepolicy/sepolicy/manpage.py

22
policycoreutils.spec
View File

@ -7,7 +7,7 @@
Summary: SELinux policy core utilities
Name: policycoreutils
Version: 2.1.14
Release: 7%{?dist}
Release: 8%{?dist}
License: GPLv2
Group: System Environment/Base
# Based on git repository with tag 20101221
@ -87,12 +87,7 @@ rm -f %{buildroot}/usr/share/man/ru/man8/genhomedircon.8.gz
rm -f %{buildroot}/usr/share/man/ru/man8/open_init_pty.8.gz
rm -f %{buildroot}/usr/share/man/man8/open_init_pty.8
rm -f %{buildroot}/usr/sbin/open_init_pty
rm -f %{buildroot}/usr/sbin/run_init
rm -f %{buildroot}/usr/share/man/ru/man8/run_init.8*
rm -f %{buildroot}/usr/share/man/man8/run_init.8*
rm -f %{buildroot}/etc/pam.d/run_init*
ln -sf consolehelper %{buildroot}%{_bindir}/system-config-selinux
ln -sf /usr/share/system-config-selinux/polgengui.py %{buildroot}%{_bindir}/selinux-polgengui
desktop-file-install --vendor fedora \
@ -234,12 +229,11 @@ system-config-selinux is a utility for managing the SELinux environment
%{_datadir}/applications/fedora-selinux-polgengui.desktop
%{_datadir}/icons/hicolor/24x24/apps/system-config-selinux.png
%{_datadir}/pixmaps/system-config-selinux.png
%{_datadir}/polkit-1/actions/org.fedoraproject.config.selinux.policy
%dir %{_datadir}/system-config-selinux
%{_datadir}/system-config-selinux/system-config-selinux.png
%{_datadir}/system-config-selinux/*.py*
%{_datadir}/system-config-selinux/*.glade
%config(noreplace) %{_sysconfdir}/pam.d/system-config-selinux
%config(noreplace) %{_sysconfdir}/security/console.apps/system-config-selinux
%clean
rm -rf %{buildroot}
@ -249,6 +243,7 @@ rm -rf %{buildroot}
%{_sbindir}/restorecon
%{_sbindir}/fixfiles
%{_sbindir}/setfiles
%{_sbindir}/run_init
%{_sbindir}/load_policy
%{_sbindir}/genhomedircon
%{_sbindir}/setsebool
@ -266,6 +261,8 @@ rm -rf %{buildroot}
%{_mandir}/man5/sestatus.conf.5.gz
%{_mandir}/man8/fixfiles.8*
%{_mandir}/ru/man8/fixfiles.8*
%{_mandir}/man8/run_init.8*
%{_mandir}/ru/man8/run_init.8*
%{_mandir}/man8/load_policy.8*
%{_mandir}/ru/man8/load_policy.8*
%{_mandir}/man8/restorecon.8*
@ -326,11 +323,18 @@ The policycoreutils-restorecond package contains the restorecond service.
%{_bindir}/systemctl try-restart restorecond.service >/dev/null 2>&1 || :
%changelog
* Thu Feb 21 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.14-8
- Sepolixy should not throw an exception on an SELinux disabled machine
- Switch from using console app to using pkexec, so we will work better
with policykit.
- Add missing import to fix system-config-selinux startup
- Add comment to pamd files about pam_rootok.so
- Fix sepolicy generate to not comment out the first line
* Wed Feb 20 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.14-7
- Add --root/-r flag to sepolicy manpage,
- This allows us to generate man pages on the fly in the selinux-policy build
* Mon Feb 18 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.14-6
- Fix newrole to retain cap_audit_write when compiled with namespace, also
do not drop capabilities when run as root.