From 92a9b8454b249e54b06567c58b6b46246a34c0fb Mon Sep 17 00:00:00 2001 From: Dan Walsh Date: Thu, 21 Feb 2013 18:26:12 +0100 Subject: [PATCH] Sepolixy should not throw an exception on an SELinux disabled machine - Switch from using console app to using pkexec, so we will work better with policykit. - Add missing import to fix system-config-selinux startup - Add comment to pamd files about pam_rootok.so - Fix sepolicy generate to not comment out the first line --- policycoreutils-rhat.patch | 127 +++++++++++++++++++++++++++---------- policycoreutils.spec | 22 ++++--- 2 files changed, 105 insertions(+), 44 deletions(-) diff --git a/policycoreutils-rhat.patch b/policycoreutils-rhat.patch index 04d36ac..3c32795 100644 --- a/policycoreutils-rhat.patch +++ b/policycoreutils-rhat.patch @@ -112,21 +112,20 @@ index a9e8893..0000000 @@ -1 +0,0 @@ -.so man1/audit2allow.1 diff --git a/policycoreutils/gui/Makefile b/policycoreutils/gui/Makefile -index b5abbb9..7218c3e 100644 +index b5abbb9..513f2c4 100644 --- a/policycoreutils/gui/Makefile +++ b/policycoreutils/gui/Makefile -@@ -1,7 +1,10 @@ +@@ -1,7 +1,9 @@ # Installation directories. PREFIX ?= ${DESTDIR}/usr +SYSCONFDIR ?= ${DESTDIR}/etc BINDIR ?= $(PREFIX)/bin SHAREDIR ?= $(PREFIX)/share/system-config-selinux +DATADIR ?= $(PREFIX)/share -+PAMDIR ?= $(SYSCONFDIR)/pam.d TARGETS= \ booleansPage.py \ -@@ -16,6 +19,7 @@ portsPage.py \ +@@ -16,6 +18,7 @@ portsPage.py \ semanagePage.py \ statusPage.py \ system-config-selinux.glade \ 
@@ -134,28 +133,56 @@ index b5abbb9..7218c3e 100644 usersPage.py all: $(TARGETS) system-config-selinux.py polgengui.py -@@ -23,10 +27,20 @@ all: $(TARGETS) system-config-selinux.py polgengui.py +@@ -23,11 +26,19 @@ all: $(TARGETS) system-config-selinux.py polgengui.py install: all -mkdir -p $(SHAREDIR) -mkdir -p $(BINDIR) + -mkdir -p $(DATADIR)/pixmaps + -mkdir -p $(DATADIR)/icons/hicolor/24x24/apps + -mkdir -p $(SYSCONFDIR) -+ -mkdir -p $(PAMDIR) -+ -mkdir -p $(SYSCONFDIR)/security/console.apps/system-config-selinux ++ -mkdir -p $(DATADIR)/polkit-1/actions/ install -m 755 system-config-selinux.py $(SHAREDIR) ++ install -m 755 system-config-selinux $(BINDIR) install -m 755 polgengui.py $(SHAREDIR) - install -m 755 sepolgen $(BINDIR) install -m 644 $(TARGETS) $(SHAREDIR) +- + install -m 644 system-config-selinux.png $(DATADIR)/pixmaps + install -m 644 system-config-selinux.png $(DATADIR)/icons/hicolor/24x24/apps + install -m 644 system-config-selinux.png $(DATADIR)/system-config-selinux + install -m 644 *.desktop $(DATADIR)/system-config-selinux -+ install -m 644 system-config-selinux.pam $(PAMDIR)/system-config-selinux -+ install -m 644 system-config-selinux.console $(SYSCONFDIR)/security/console.apps/system-config-selinux - ++ install -m 644 org.fedoraproject.config.selinux.policy $(DATADIR)/polkit-1/actions/ clean: + indent: +diff --git a/policycoreutils/gui/org.fedoraproject.config.selinux.policy b/policycoreutils/gui/org.fedoraproject.config.selinux.policy +new file mode 100644 +index 0000000..fcfa81d +--- /dev/null ++++ b/policycoreutils/gui/org.fedoraproject.config.selinux.policy +@@ -0,0 +1,22 @@ ++ ++ ++ ++ ++ System Config SELinux ++ http://fedorahosted.org/system-config-selinux ++ ++ ++ Run System Config SELinux ++ Authentication is required to run system-config-selinux ++ system-selinux ++ ++ no ++ no ++ auth_admin ++ ++ /usr/share/system-config-selinux/system-config-selinux.py ++ true ++ ++ 
diff --git a/policycoreutils/gui/selinux-polgengui.desktop b/policycoreutils/gui/selinux-polgengui.desktop new file mode 100644 index 0000000..0c2f399 @@ -237,15 +264,15 @@ index 2f0c1cc..0000000 @@ -1,2 +0,0 @@ -#!/bin/sh -sepolicy generate $* -diff --git a/policycoreutils/gui/system-config-selinux.console b/policycoreutils/gui/system-config-selinux.console -new file mode 100644 -index 0000000..42b48a3 +diff --git a/policycoreutils/gui/system-config-selinux b/policycoreutils/gui/system-config-selinux +new file mode 100755 +index 0000000..5be5ccd --- /dev/null -+++ b/policycoreutils/gui/system-config-selinux.console ++++ b/policycoreutils/gui/system-config-selinux @@ -0,0 +1,3 @@ -+USER=root -+PROGRAM=/usr/share/system-config-selinux/system-config-selinux.py -+SESSION=true ++#!/bin/sh ++ ++exec /usr/bin/pkexec /usr/share/system-config-selinux/system-config-selinux.py diff --git a/policycoreutils/gui/system-config-selinux.desktop b/policycoreutils/gui/system-config-selinux.desktop new file mode 100644 index 0000000..8822ce2 @@ -319,20 +346,6 @@ index 0000000..8822ce2 +Categories=System;Security; +X-Desktop-File-Install-Version=0.2 +Keywords=policy;security;selinux;avc;permission;mac; -diff --git a/policycoreutils/gui/system-config-selinux.pam b/policycoreutils/gui/system-config-selinux.pam -new file mode 100644 -index 0000000..6a8c230 ---- /dev/null -+++ b/policycoreutils/gui/system-config-selinux.pam -@@ -0,0 +1,8 @@ -+#%PAM-1.0 -+auth sufficient pam_rootok.so -+auth sufficient pam_timestamp.so -+auth include system-auth -+session required pam_permit.so -+session optional pam_xauth.so -+session optional pam_timestamp.so -+account required pam_permit.so diff --git a/policycoreutils/gui/system-config-selinux.png b/policycoreutils/gui/system-config-selinux.png new file mode 100644 index 0000000..68ffcb7 
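Review bot: The new org.fedoraproject.config.selinux.policy file (added in the `@@ -134,28 +133,56 @@` hunk) has no comment explaining its authorization defaults. The XML markup is lost in this rendering, so the following is inferred from value order: the defaults appear to be `no` / `no` / `auth_admin`, with the exec path set to `/usr/share/system-config-selinux/system-config-selinux.py` and GUI access enabled. Because the whole GUI then runs as root on the user's display, I would add a comment at the top of the file such as `<!-- auth_admin, not auth_admin_keep: every launch re-authenticates; the annotated script must stay root-owned and not writable by others -->`. The Makefile installs the script with mode 755, which is consistent with that, but the ownership requirement is worth stating where the action is defined.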
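Review bot: The new `system-config-selinux` wrapper (the `@@ -237,15 +264,15 @@` hunk) silently drops any command-line arguments, because `exec /usr/bin/pkexec /usr/share/system-config-selinux/system-config-selinux.py` does not forward `"$@"`. If the aim is a fixed privileged command line, which is a reasonable choice for a pkexec launcher, say so in the script: `# arguments are deliberately not forwarded to the root process`. If arguments are meant to reach the program, the line needs `"$@"` appended. The absolute path to pkexec is good, since it avoids a PATH lookup.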
@@ -428,6 +441,17 @@ index 8fbf2d0..3510f12 100644 } /* +diff --git a/policycoreutils/newrole/newrole.pamd b/policycoreutils/newrole/newrole.pamd +index d1b435c..de3582f 100644 +--- a/policycoreutils/newrole/newrole.pamd ++++ b/policycoreutils/newrole/newrole.pamd +@@ -1,4 +1,6 @@ + #%PAM-1.0 ++# Uncomment the next line if you do not want to enter your passwd everytime ++# auth sufficient pam_rootok.so + auth include system-auth + account include system-auth + password include system-auth diff --git a/policycoreutils/po/Makefile b/policycoreutils/po/Makefile index a377996..9c1486e 100644 --- a/policycoreutils/po/Makefile @@ -856,6 +880,17 @@ index 00a646f..2c28676 100644 g_main_loop_unref (loop); return 0; } +diff --git a/policycoreutils/run_init/run_init.pamd b/policycoreutils/run_init/run_init.pamd +index d1b435c..1c323d2 100644 +--- a/policycoreutils/run_init/run_init.pamd ++++ b/policycoreutils/run_init/run_init.pamd +@@ -1,4 +1,6 @@ + #%PAM-1.0 ++# Uncomment the next line if you do not want to enter your passwd everytime ++#auth sufficient pam_rootok.so + auth include system-auth + account include system-auth + password include system-auth diff --git a/policycoreutils/sandbox/sandbox b/policycoreutils/sandbox/sandbox index b629006..6631c2d 100644 --- a/policycoreutils/sandbox/sandbox @@ -1485,7 +1520,7 @@ index b25d3b2..7a15d88 100755 sys.exit(0) except ValueError,e: diff --git a/policycoreutils/sepolicy/sepolicy/__init__.py b/policycoreutils/sepolicy/sepolicy/__init__.py -index 5e7415c..10abeec 100644 +index 5e7415c..b9cb9cc 100644 --- a/policycoreutils/sepolicy/sepolicy/__init__.py +++ b/policycoreutils/sepolicy/sepolicy/__init__.py @@ -37,9 +37,30 @@ CLASS = 'class' 
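Review bot: The comment added above the disabled `pam_rootok.so` line in newrole.pamd does not say who the shortcut applies to or what it gives up. pam_rootok succeeds only when the calling user is already root, so enabling it lets a root session change role without re-authenticating. I would word it as `# Uncomment the next line to let root run newrole without entering a password (skips re-authentication for uid 0 only)`. The same comment is added to run_init.pamd in the `@@ -856,6 +880,17 @@` hunk and should get the matching wording. The two files also differ in spacing (`# auth` here, `#auth` there), which is worth making uniform.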
@@ -1521,7 +1556,15 @@ index 5e7415c..10abeec 100644 policies = glob.glob ("%s.*" % path ) policies.sort() return policies[-1] -@@ -85,7 +106,7 @@ all_domains = None +@@ -71,6 +92,7 @@ def get_all_role_allows(): + return role_allows + + def get_all_entrypoint_domains(): ++ import re + all_domains = [] + types=get_all_types() + types.sort() +@@ -85,7 +107,7 @@ all_domains = None def get_all_domains(): global all_domains if not all_domains: @@ -1530,7 +1573,7 @@ index 5e7415c..10abeec 100644 return all_domains roles = None -@@ -139,49 +160,43 @@ def get_all_attributes(): +@@ -139,49 +161,43 @@ def get_all_attributes(): return all_attributes def policy(policy_file): @@ -1562,8 +1605,8 @@ index 5e7415c..10abeec 100644 -if not policy_file: - policy_file = __get_installed_policy() - -+policy_file = get_installed_policy() try: ++ policy_file = get_installed_policy() policy(policy_file) except ValueError, e: if selinux.is_selinux_enabled() == 1: @@ -1599,6 +1642,20 @@ index 5e7415c..10abeec 100644 booleans_dict = None def gen_bool_dict(path="/usr/share/selinux/devel/policy.xml"): global booleans_dict +diff --git a/policycoreutils/sepolicy/sepolicy/generate.py b/policycoreutils/sepolicy/sepolicy/generate.py +index 26f8390..19f6056 100644 +--- a/policycoreutils/sepolicy/sepolicy/generate.py ++++ b/policycoreutils/sepolicy/sepolicy/generate.py +@@ -1037,7 +1037,8 @@ allow %s_t %s_t:%s_socket name_%s; + ######################################## + # + # %s local policy +-#""" % self.name ++# ++""" % self.name + newte += self.generate_capabilities() + newte += self.generate_process() + newte += self.generate_network_types() diff --git a/policycoreutils/sepolicy/sepolicy/manpage.py b/policycoreutils/sepolicy/sepolicy/manpage.py index 25062da..da17c48 100755 --- a/policycoreutils/sepolicy/sepolicy/manpage.py diff --git a/policycoreutils.spec b/policycoreutils.spec index 726d2aa..c20b273 100644 --- a/policycoreutils.spec +++ b/policycoreutils.spec 
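Review bot: `import re` is added inside `get_all_entrypoint_domains()` (the `@@ -1521,7 +1556,15 @@` hunk) rather than with the module's other imports. Any other function in sepolicy/__init__.py that uses `re` would therefore still fail with a NameError. Unless the local import is deliberate, I would move `import re` to the top-of-file import block. The function body continues outside this hunk, so how `re` is used there is not visible.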
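Review bot: In the `@@ -1562,8 +1605,8 @@` hunk, moving `policy_file = get_installed_policy()` under `try:` only helps if that function raises `ValueError`, because the handler is `except ValueError, e:`. The context shown for that function in an earlier hunk ends in `return policies[-1]`, which raises IndexError on an empty glob result unless code outside the visible lines converts it, so this is worth confirming. I would also add a comment at the handler, for example `# no policy loaded: tolerated only when SELinux is disabled`, because the rest of the module then runs without a loaded policy. The handler body continues outside the hunk.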
@@ -7,7 +7,7 @@ Summary: SELinux policy core utilities Name: policycoreutils Version: 2.1.14 -Release: 7%{?dist} +Release: 8%{?dist} License: GPLv2 Group: System Environment/Base # Based on git repository with tag 20101221 @@ -87,12 +87,7 @@ rm -f %{buildroot}/usr/share/man/ru/man8/genhomedircon.8.gz rm -f %{buildroot}/usr/share/man/ru/man8/open_init_pty.8.gz rm -f %{buildroot}/usr/share/man/man8/open_init_pty.8 rm -f %{buildroot}/usr/sbin/open_init_pty -rm -f %{buildroot}/usr/sbin/run_init -rm -f %{buildroot}/usr/share/man/ru/man8/run_init.8* -rm -f %{buildroot}/usr/share/man/man8/run_init.8* -rm -f %{buildroot}/etc/pam.d/run_init* -ln -sf consolehelper %{buildroot}%{_bindir}/system-config-selinux ln -sf /usr/share/system-config-selinux/polgengui.py %{buildroot}%{_bindir}/selinux-polgengui desktop-file-install --vendor fedora \ @@ -234,12 +229,11 @@ system-config-selinux is a utility for managing the SELinux environment %{_datadir}/applications/fedora-selinux-polgengui.desktop %{_datadir}/icons/hicolor/24x24/apps/system-config-selinux.png %{_datadir}/pixmaps/system-config-selinux.png +%{_datadir}/polkit-1/actions/org.fedoraproject.config.selinux.policy %dir %{_datadir}/system-config-selinux %{_datadir}/system-config-selinux/system-config-selinux.png %{_datadir}/system-config-selinux/*.py* %{_datadir}/system-config-selinux/*.glade -%config(noreplace) %{_sysconfdir}/pam.d/system-config-selinux -%config(noreplace) %{_sysconfdir}/security/console.apps/system-config-selinux %clean rm -rf %{buildroot} @@ -249,6 +243,7 @@ rm -rf %{buildroot} %{_sbindir}/restorecon %{_sbindir}/fixfiles %{_sbindir}/setfiles +%{_sbindir}/run_init %{_sbindir}/load_policy %{_sbindir}/genhomedircon %{_sbindir}/setsebool 
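Review bot: The `@@ -87,12 +87,7 @@` hunk drops `rm -f %{buildroot}/etc/pam.d/run_init*`, so the run_init PAM file now stays in the buildroot, but none of the visible %files additions list it. Those additions are `%{_sbindir}/run_init` in `@@ -249,6 +243,7 @@` and the man pages in `@@ -266,6 +261,8 @@`. If the file is not already packaged elsewhere in the spec, add `%config(noreplace) %{_sysconfdir}/pam.d/run_init` so that an administrator's edit to the pam_rootok line survives upgrades. The %files sections continue outside these hunks, so this may already be covered.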
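Review bot: No `Requires:` on the package that provides pkexec is visible in these hunks, even though the `@@ -234,12 +229,11 @@` hunk packages the polkit action file and the launcher added by the patch execs `/usr/bin/pkexec`. If the gui subpackage does not already depend on it, add `Requires: polkit`. Without that dependency the launcher fails at run time on a system where polkit is not installed. The package header is outside the hunks shown, so the dependency may already be declared.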
@@ -266,6 +261,8 @@ rm -rf %{buildroot} %{_mandir}/man5/sestatus.conf.5.gz %{_mandir}/man8/fixfiles.8* %{_mandir}/ru/man8/fixfiles.8* +%{_mandir}/man8/run_init.8* +%{_mandir}/ru/man8/run_init.8* %{_mandir}/man8/load_policy.8* %{_mandir}/ru/man8/load_policy.8* %{_mandir}/man8/restorecon.8* @@ -326,11 +323,18 @@ The policycoreutils-restorecond package contains the restorecond service. %{_bindir}/systemctl try-restart restorecond.service >/dev/null 2>&1 || : %changelog +* Thu Feb 21 2013 Dan Walsh - 2.1.14-8 +- Sepolixy should not throw an exception on an SELinux disabled machine +- Switch from using console app to using pkexec, so we will work better +with policykit. +- Add missing import to fix system-config-selinux startup +- Add comment to pamd files about pam_rootok.so +- Fix sepolicy generate to not comment out the first line + * Wed Feb 20 2013 Dan Walsh - 2.1.14-7 - Add --root/-r flag to sepolicy manpage, - This allows us to generate man pages on the fly in the selinux-policy build - * Mon Feb 18 2013 Dan Walsh - 2.1.14-6 - Fix newrole to retain cap_audit_write when compiled with namespace, also do not drop capabilities when run as root.