From 953350ddcefce959eadf3ee7081559950057c8a1 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach
Date: Tue, 4 Oct 2016 08:41:54 +0200
Subject: [PATCH] policycoreutils-2.5-17

- sandbox: Use dbus-run-session instead of dbus-launch when available
- hll/pp: Change warning for module name not matching filename to match new behavior
- Remove LDFLAGS from CFLAGS
- sandbox: create a new session for sandboxed processes
- sandbox: do not try to setup directories without -X or -M
- sandbox: do not run xmodmap in a new X session
- sandbox: Use GObject introspection binding instead of pygtk2
- sandbox: fix file labels on copied files
- sandbox: tests - close stdout of p
- sandbox: tests - use sandbox from cwd
- audit2allow: tests should use local copy not system
- audit2allow: fix audit2why import from seobject
- audit2allow: remove audit2why so that it gets symlinked
- semanage: fix man page and help message for import option
- semanage: fix error message for fcontext -m
- semanage: Fix semanage fcontext -D
- semanage: Correct fcontext auditing
- semanage: Default serange to "s0" for port modify
- semanage: Use socket.getprotobyname for protocol
- semanage: fix modify action in node and interface
- fixfiles: Pass -n to restorecon for fixfiles check
- sepolicy: Check get_rpm_nvr_list() return value
- Don't use subprocess.getstatusoutput() in Python 2 code
- semanage: Add auditing of changes in records
- Remove unused 'q' from semodule getopt string
---
policycoreutils-fedora.patch | 1185 +++++++++++++++++---
policycoreutils-fix-semanage-python3.patch | 261 -----
policycoreutils-sandbox-python3.patch | 10 -
policycoreutils.spec | 41 +-
sepolgen-fedora.patch | 16 +
5 files changed, 1088 insertions(+), 425 deletions(-)
delete mode 100644 policycoreutils-fix-semanage-python3.patch
delete mode 100644 policycoreutils-sandbox-python3.patch

diff --git a/policycoreutils-fedora.patch b/policycoreutils-fedora.patch
index edd4c26..31ca0ee 100644
--- a/policycoreutils-fedora.patch
+++ b/policycoreutils-fedora.patch
@@ -1,8 +1,33 @@
diff --git policycoreutils-2.5/ChangeLog policycoreutils-2.5/ChangeLog -index d8fb067..9090ee2 100644 +index d8fb067..674aa1a 100644 --- policycoreutils-2.5/ChangeLog +++ policycoreutils-2.5/ChangeLog -@@ -1,3 +1,17 @@ +@@ -1,3 +1,42 @@ ++ * sandbox: Use dbus-run-session instead of dbus-launch when available, from Laurent Bigonville. ++ * hll/pp: Change warning for module name not matching filename to match new behavior, from Petr Lautrbach. ++ * Remove LDFLAGS from CFLAGS, from Nicolas Iooss. ++ * sandbox: create a new session for sandboxed processes, from Petr Lautrbach. ++ * sandbox: do not try to setup directories without -X or -M, from Petr Lautrbach. ++ * sandbox: do not run xmodmap in a new X session, from Petr Lautrbach. ++ * sandbox: Use GObject introspection binding instead of pygtk2, from Petr Lautrbach and Laurent Bigonville. ++ * sandbox: fix file labels on copied files, from Petr Lautrbach. ++ * sandbox: tests - close stdout of p1, from Petr Lautrbach. ++ * sandbox: tests - use sandbox from cwd, from Petr Lautrbach. ++ * audit2allow: tests should use local copy not system, from Jason Zaman. ++ * audit2allow: fix audit2why import from seobject, from Jason Zaman. ++ * audit2allow: remove audit2why so that it gets symlinked, from Jason Zaman. ++ * semanage: fix man page and help message for import option, from AJ. ++ * semanage: fix error message for fcontext -m, from Miroslav Vadkerti. ++ * semanage: Fix semanage fcontext -D, from Stephen Smalley. ++ * semanage: Correct fcontext auditing, from Miroslav Vadkerti. ++ * semanage: Default serange to "s0" for port modify, from Miroslav Vadkerti. ++ * semanage: Use socket.getprotobyname for protocol, from Miroslav Vadkerti. ++ * semanage: fix modify action in node and interface, from Miroslav Vadkerti. ++ * fixfiles: Pass -n to restorecon for fixfiles check, from Petr Lautrbach. ++ * sepolicy: Check get_rpm_nvr_list() return value, from Vit Mojzis. 
++ * Don't use subprocess.getstatusoutput() in Python 2 code, from Petr Lautrbach. ++ * semanage: Add auditing of changes in records, from Miroslav Vadkerti. ++ * Remove unused 'q' from semodule getopt string, from Petr Lautrbach. + * Remove unused autoconf files from po/, from Petr Lautrbach. + * Remove duplicate, empty translation files, from Piotr Drąg. + * open_init_pty: Do not error on EINTR, from Jason Zaman. @@ -36,16 +61,6 @@ index e23e418..77cba09 100644 +++ policycoreutils-2.5/audit2allow/audit2allow @@ -1,4 +1,4 @@ -#! /usr/bin/python -Es -+#! /usr/bin/python3 -Es - # Authors: Karl MacMillan - # Authors: Dan Walsh - # -diff --git policycoreutils-2.5/audit2allow/audit2why policycoreutils-2.5/audit2allow/audit2why -index b1489ed..6e8ce2e 100644 ---- policycoreutils-2.5/audit2allow/audit2why -+++ policycoreutils-2.5/audit2allow/audit2why -@@ -1,4 +1,4 @@ --#! /usr/bin/python -Es +#! /usr/bin/python3 -Es # Authors: Karl MacMillan # Authors: Dan Walsh @@ -60,6 +75,28 @@ index acf9638..4c8dd5b 100644 # # Authors: Karl MacMillan # +diff --git policycoreutils-2.5/audit2allow/test_audit2allow.py policycoreutils-2.5/audit2allow/test_audit2allow.py +index 765c9ea..a826a9f 100644 +--- policycoreutils-2.5/audit2allow/test_audit2allow.py ++++ policycoreutils-2.5/audit2allow/test_audit2allow.py +@@ -33,7 +33,7 @@ class Audit2allowTests(unittest.TestCase): + + def test_audit2allow(self): + "Verify audit2allow works" +- p = Popen(['audit2allow', "-i", "test.log"], stdout=PIPE) ++ p = Popen(['python', './audit2allow', "-i", "test.log"], stdout=PIPE) + out, err = p.communicate() + if err: + print(out, err) +@@ -41,7 +41,7 @@ class Audit2allowTests(unittest.TestCase): + + def test_audit2why(self): + "Verify audit2why works" +- p = Popen(['audit2why', "-i", "test.log"], stdout=PIPE) ++ p = Popen(['python', './audit2why', "-i", "test.log"], stdout=PIPE) + out, err = p.communicate() + if err: + print(out, err) 
diff --git policycoreutils-2.5/gui/Makefile policycoreutils-2.5/gui/Makefile index 9d9f820..0c2b390 100644 --- policycoreutils-2.5/gui/Makefile @@ -1796,7 +1833,7 @@ index abf8d3b..f50fcb2 100644 + except ValueError as e: self.error(e.args[0]) diff --git policycoreutils-2.5/hll/pp/pp.c policycoreutils-2.5/hll/pp/pp.c -index 866734f..9245975 100644 +index 866734f..2c9f53f 100644 --- policycoreutils-2.5/hll/pp/pp.c +++ policycoreutils-2.5/hll/pp/pp.c @@ -28,6 +28,7 @@ @@ -1862,7 +1899,7 @@ index 866734f..9245975 100644 + *separator = '\0'; + } + if (strcmp(mod_name, cil_name) != 0) { -+ fprintf(stderr, "Warning: SELinux userspace will refer to the module from %s as %s rather than %s\n", ifile, cil_name, mod_name); ++ fprintf(stderr, "Warning: SELinux userspace will refer to the module from %s as %s rather than %s\n", ifile, mod_name, cil_name); + } + free(cil_path); + } @@ -1870,6 +1907,19 @@ index 866734f..9245975 100644 rc = sepol_module_package_to_cil(out, mod_pkg); if (rc != 0) { goto exit; +diff --git policycoreutils-2.5/newrole/Makefile policycoreutils-2.5/newrole/Makefile +index 646cd4d..8b41428 100644 +--- policycoreutils-2.5/newrole/Makefile ++++ policycoreutils-2.5/newrole/Makefile +@@ -22,7 +22,7 @@ VERSION = $(shell cat ../VERSION) + + CFLAGS ?= -Werror -Wall -W + EXTRA_OBJS = +-override CFLAGS += -DVERSION=\"$(VERSION)\" $(LDFLAGS) -I$(PREFIX)/include -DUSE_NLS -DLOCALEDIR="\"$(LOCALEDIR)\"" -DPACKAGE="\"policycoreutils\"" ++override CFLAGS += -DVERSION=\"$(VERSION)\" -I$(PREFIX)/include -DUSE_NLS -DLOCALEDIR="\"$(LOCALEDIR)\"" -DPACKAGE="\"policycoreutils\"" + LDLIBS += -lselinux -L$(PREFIX)/lib + ifeq ($(PAMH), /usr/include/security/pam_appl.h) + override CFLAGS += -DUSE_PAM diff --git policycoreutils-2.5/po/Makefile policycoreutils-2.5/po/Makefile index a693823..555f381 100644 --- policycoreutils-2.5/po/Makefile 
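Review bot: The new `Popen(['python', './audit2allow', "-i", "test.log"], stdout=PIPE)` in test_audit2allow (and the matching audit2why line in the same hunk) resolves `python` through PATH, which need not be the interpreter running the test suite, while the test_sandbox.py change in this same commit uses `sys.executable` for exactly this purpose. Using `[sys.executable, './audit2allow', "-i", "test.log"]` (plus `import sys` if the module lacks it; its import block is outside the hunk) keeps the two test files consistent and pins the interpreter. This matters here because the scripts' shebangs are switched to `python3 -Es` in the same patch, so a bare `python` may silently run them under a different major version than the one they are now written for.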
@@ -627607,8 +627657,21 @@ index 37805bf..6e25ea3 100644 perror("select()"); exit(EX_IOERR); } +diff --git policycoreutils-2.5/sandbox/Makefile policycoreutils-2.5/sandbox/Makefile +index a4861ea..2716d69 100644 +--- policycoreutils-2.5/sandbox/Makefile ++++ policycoreutils-2.5/sandbox/Makefile +@@ -9,7 +9,7 @@ SBINDIR ?= $(PREFIX)/sbin + MANDIR ?= $(PREFIX)/share/man + LOCALEDIR ?= /usr/share/locale + SHAREDIR ?= $(PREFIX)/share/sandbox +-override CFLAGS += $(LDFLAGS) -I$(PREFIX)/include -DPACKAGE="\"policycoreutils\"" -Wall -Werror -Wextra -W ++override CFLAGS += -I$(PREFIX)/include -DPACKAGE="\"policycoreutils\"" -Wall -Werror -Wextra -W + LDLIBS += -lselinux -lcap-ng -L$(LIBDIR) + SEUNSHARE_OBJS = seunshare.o + diff --git policycoreutils-2.5/sandbox/sandbox policycoreutils-2.5/sandbox/sandbox -index 9e0024f..e7c5be6 100644 +index 9e0024f..0f600ea 100644 --- policycoreutils-2.5/sandbox/sandbox +++ policycoreutils-2.5/sandbox/sandbox @@ -1,4 +1,4 @@ 
@@ -627617,71 +627680,119 @@ index 9e0024f..e7c5be6 100644 # Authors: Dan Walsh # Authors: Thomas Liu # Authors: Josh Cogliati -@@ -108,30 +108,29 @@ def copyfile(file, srcdir, dest): - - +@@ -110,16 +110,18 @@ def copyfile(file, srcdir, dest): def savefile(new, orig, X_ind): -- copy = False -- if(X_ind): + copy = False + if(X_ind): - import gtk - dlg = gtk.MessageDialog(None, 0, gtk.MESSAGE_INFO, - gtk.BUTTONS_YES_NO, -- _("Do you want to save changes to '%s' (Y/N): ") % orig) -- dlg.set_title(_("Sandbox Message")) ++ import gi ++ gi.require_version('Gtk', '3.0') ++ from gi.repository import Gtk ++ dlg = Gtk.MessageDialog(None, 0, Gtk.MessageType.INFO, ++ Gtk.ButtonsType.YES_NO, + _("Do you want to save changes to '%s' (Y/N): ") % orig) + dlg.set_title(_("Sandbox Message")) - dlg.set_position(gtk.WIN_POS_MOUSE) -- dlg.show_all() -- rc = dlg.run() -- dlg.destroy() ++ dlg.set_position(Gtk.WindowPosition.MOUSE) + dlg.show_all() + rc = dlg.run() + dlg.destroy() - if rc == gtk.RESPONSE_YES: -- copy = True -- else: -- try: -- input = raw_input -- except NameError: -- pass -- ans = input(_("Do you want to save changes to '%s' (y/N): ") % orig) -- if(re.match(_("[yY]"), ans)): -- copy = True -- if(copy): -- shutil.copy2(new, orig) -- -+ copy = False -+ if(X_ind): -+ from gi.repository import Gtk -+ dlg = Gtk.MessageDialog(None, 0, Gtk.MessageType.INFO, -+ Gtk.ButtonsType.YES_NO, -+ _("Do you want to save changes to '%s' (Y/N): ") % orig) -+ dlg.set_title(_("Sandbox Message")) -+ dlg.set_position(Gtk.WindowPosition.MOUSE) -+ dlg.show_all() -+ rc = dlg.run() -+ dlg.destroy() -+ if rc == Gtk.ResponseType.YES: -+ copy = True -+ else: -+ try: -+ input = raw_input -+ except NameError: -+ pass -+ ans = input(_("Do you want to save changes to '%s' (y/N): ") % orig) -+ if(re.match(_("[yY]"),ans)): -+ copy = True -+ if(copy): -+ shutil.copy2(new,orig) ++ if rc == Gtk.ResponseType.YES: + copy = True + else: + try: +@@ -279,12 +281,16 @@ class Sandbox: + command += "'%s' " % p + 
fd.write("""#! /bin/sh + #TITLE: %s +-/usr/bin/test -r ~/.xmodmap && /usr/bin/xmodmap ~/.xmodmap ++# /usr/bin/test -r ~/.xmodmap && /usr/bin/xmodmap ~/.xmodmap + %s & + WM_PID=$! +-dbus-launch --exit-with-session %s ++if which dbus-run-session >/dev/null 2>&1; then ++ dbus-run-session -- %s ++else ++ dbus-launch --exit-with-session %s ++fi + kill -TERM $WM_PID 2> /dev/null +-""" % (command, wm, command)) ++""" % (command, wm, command, command)) + fd.close() + os.chmod(execfile, 0o700) - def reserve(level): - sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) -@@ -452,8 +451,8 @@ sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [- +@@ -424,21 +430,20 @@ sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [- + self.__filecon = "%s:object_r:sandbox_file_t:%s" % (con[0], level) + + def __setup_dir(self): ++ selinux.setfscreatecon(self.__filecon) + if self.__options.homedir: +- selinux.chcon(self.__options.homedir, self.__filecon, recursive=True) + self.__homedir = self.__options.homedir + else: +- selinux.setfscreatecon(self.__filecon) + self.__homedir = mkdtemp(dir="/tmp", prefix=".sandbox_home_") + + if self.__options.tmpdir: +- selinux.chcon(self.__options.tmpdir, self.__filecon, recursive=True) + self.__tmpdir = self.__options.tmpdir + else: +- selinux.setfscreatecon(self.__filecon) + self.__tmpdir = mkdtemp(dir="/tmp", prefix=".sandbox_tmp_") +- selinux.setfscreatecon(None) + self.__copyfiles() ++ selinux.chcon(self.__homedir, self.__filecon, recursive=True) ++ selinux.chcon(self.__tmpdir, self.__filecon, recursive=True) ++ selinux.setfscreatecon(None) + + def __execute(self): + try: +@@ -452,8 +457,10 @@ sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [- if self.__options.dpi: dpi = self.__options.dpi else: - import gtk - dpi = str(gtk.settings_get_default().props.gtk_xft_dpi / 1024) ++ import gi ++ gi.require_version('Gtk', '3.0') + from gi.repository import Gtk + dpi = 
str(Gtk.Settings.get_default().props.gtk_xft_dpi / 1024) xmodmapfile = self.__homedir + "/.xmodmap" xd = open(xmodmapfile, "w") +@@ -467,10 +474,15 @@ sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [- + cmds += ["--"] + self.__paths + return subprocess.Popen(cmds).wait() + +- selinux.setexeccon(self.__execcon) +- rc = subprocess.Popen(self.__cmds).wait() +- selinux.setexeccon(None) +- return rc ++ pid = os.fork() ++ if pid == 0: ++ rc = os.setsid() ++ if rc: ++ return rc ++ selinux.setexeccon(self.__execcon) ++ os.execv(self.__cmds[0], self.__cmds) ++ rc = os.waitpid(pid, 0) ++ return os.WEXITSTATUS(rc[1]) + + finally: + for i in self.__paths: +@@ -499,7 +511,8 @@ sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [- + try: + self.__parse_options() + self.__gen_context() +- self.__setup_dir() ++ if self.__mount: ++ self.__setup_dir() + return self.__execute() + except KeyboardInterrupt: + sys.exit(0) diff --git policycoreutils-2.5/sandbox/sandbox.8 policycoreutils-2.5/sandbox/sandbox.8 index 0c8cd1e..d83fee7 100644 --- policycoreutils-2.5/sandbox/sandbox.8 @@ -627766,22 +627877,136 @@ index 76b75c8..9e105a1 100644 \fB\-v\fR Verbose output 
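Review bot: In the forked child of `__execute`, a failure of `selinux.setexeccon` or `os.execv` raises inside the child and unwinds through the function's `finally:` block and the rest of `main`, so the child would repeat the parent's cleanup of paths and temporary directories and exit through the parent's code path; every non-exec path in the child should end with `os._exit()`. The `rc = os.setsid(); if rc: return rc` check is dead on CPython, where `os.setsid()` returns None and raises OSError on failure. `os.WEXITSTATUS(rc[1])` also loses signal-terminated children, which the replaced `Popen.wait()` reported as a negative signal number; `os.WIFSIGNALED`/`os.WTERMSIG` recover that. `os.execv` does no PATH search, so this relies on `self.__cmds[0]` already being an absolute path from option parsing, which is outside the hunk and worth confirming; the enclosing `try:`/`finally:` of `__execute` also starts and ends outside this hunk.
```python
            pid = os.fork()
            if pid == 0:
                try:
                    os.setsid()
                    selinux.setexeccon(self.__execcon)
                    os.execv(self.__cmds[0], self.__cmds)
                except Exception as e:
                    sys.stderr.write("%s\n" % e)
                # never fall back into the parent's cleanup from the child
                os._exit(127)
            _, status = os.waitpid(pid, 0)
            if os.WIFSIGNALED(status):
                return -os.WTERMSIG(status)
            return os.WEXITSTATUS(status)
            # … unchanged: finally block with path and tmpdir cleanup …
```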
diff --git policycoreutils-2.5/sandbox/start policycoreutils-2.5/sandbox/start -index fc406e1..e0a0c2c 100644 +index fc406e1..a2c6a9f 100644 --- policycoreutils-2.5/sandbox/start +++ policycoreutils-2.5/sandbox/start -@@ -1,8 +1,6 @@ - #! /usr/bin/python -Es +@@ -1,10 +1,12 @@ +-#! /usr/bin/python -Es -import gtk -import subprocess --import sys --rc = [-1, ''] -+import subprocess, sys -+rc = [-1,''] ++#! /usr/bin/python3 -Es ++try: ++ from subprocess import getstatusoutput ++except ImportError: ++ from commands import getstatusoutput + import sys + rc = [-1, ''] try: - rc = subprocess.getstatusoutput(sys.argv[1]) +- rc = subprocess.getstatusoutput(sys.argv[1]) ++ rc = getstatusoutput(sys.argv[1]) except: + pass + if rc[0] == 0: +diff --git policycoreutils-2.5/sandbox/test_sandbox.py policycoreutils-2.5/sandbox/test_sandbox.py +index 6f54d0c..bcecf66 100644 +--- policycoreutils-2.5/sandbox/test_sandbox.py ++++ policycoreutils-2.5/sandbox/test_sandbox.py +@@ -1,6 +1,7 @@ + import unittest + import os + import shutil ++import sys + from tempfile import mkdtemp + from subprocess import Popen, PIPE + +@@ -26,63 +27,64 @@ class SandboxTests(unittest.TestCase): + def test_simple_success(self): + "Verify that we can read file descriptors handed to sandbox" + p1 = Popen(['cat', '/etc/passwd'], stdout=PIPE) +- p2 = Popen(['sandbox', 'grep', 'root'], stdin=p1.stdout, stdout=PIPE) ++ p2 = Popen([sys.executable, 'sandbox', 'grep', 'root'], stdin=p1.stdout, stdout=PIPE) ++ p1.stdout.close() + out, err = p2.communicate() + self.assertTrue(b'root' in out) + + def test_cant_kill(self): + "Verify that we cannot send kill signal in the sandbox" + pid = os.getpid() +- p = Popen(['sandbox', 'kill', '-HUP', str(pid)], stdout=PIPE, stderr=PIPE) ++ p = Popen([sys.executable, 'sandbox', 'kill', '-HUP', str(pid)], stdout=PIPE, stderr=PIPE) + out, err = p.communicate() + self.assertDenied(err) + + def test_cant_ping(self): + "Verify that we can't ping within the sandbox" +- p = 
Popen(['sandbox', 'ping', '-c 1 ', '127.0.0.1'], stdout=PIPE, stderr=PIPE) ++ p = Popen([sys.executable, 'sandbox', 'ping', '-c 1 ', '127.0.0.1'], stdout=PIPE, stderr=PIPE) + out, err = p.communicate() + self.assertDenied(err) + + def test_cant_mkdir(self): + "Verify that we can't mkdir within the sandbox" +- p = Popen(['sandbox', 'mkdir', '~/test'], stdout=PIPE, stderr=PIPE) ++ p = Popen([sys.executable, 'sandbox', 'mkdir', '~/test'], stdout=PIPE, stderr=PIPE) + out, err = p.communicate() + self.assertFailure(p.returncode) + + def test_cant_list_homedir(self): + "Verify that we can't list homedir within the sandbox" +- p = Popen(['sandbox', 'ls', '~'], stdout=PIPE, stderr=PIPE) ++ p = Popen([sys.executable, 'sandbox', 'ls', '~'], stdout=PIPE, stderr=PIPE) + out, err = p.communicate() + self.assertFailure(p.returncode) + + def test_cant_send_mail(self): + "Verify that we can't send mail within the sandbox" +- p = Popen(['sandbox', 'mail'], stdout=PIPE, stderr=PIPE) ++ p = Popen([sys.executable, 'sandbox', 'mail'], stdout=PIPE, stderr=PIPE) + out, err = p.communicate() + self.assertDenied(err) + + def test_cant_sudo(self): + "Verify that we can't run sudo within the sandbox" +- p = Popen(['sandbox', 'sudo'], stdout=PIPE, stderr=PIPE) ++ p = Popen([sys.executable, 'sandbox', 'sudo'], stdout=PIPE, stderr=PIPE) + out, err = p.communicate() + self.assertFailure(p.returncode) + + def test_mount(self): + "Verify that we mount a file system" +- p = Popen(['sandbox', '-M', 'id'], stdout=PIPE, stderr=PIPE) ++ p = Popen([sys.executable, 'sandbox', '-M', 'id'], stdout=PIPE, stderr=PIPE) + out, err = p.communicate() + self.assertSuccess(p.returncode, err) + + def test_set_level(self): + "Verify that we set level a file system" +- p = Popen(['sandbox', '-l', 's0', 'id'], stdout=PIPE, stderr=PIPE) ++ p = Popen([sys.executable, 'sandbox', '-l', 's0', 'id'], stdout=PIPE, stderr=PIPE) + out, err = p.communicate() + self.assertSuccess(p.returncode, err) + + def test_homedir(self): + 
"Verify that we set homedir a file system" + homedir = mkdtemp(dir=".", prefix=".sandbox_test") +- p = Popen(['sandbox', '-H', homedir, '-M', 'id'], stdout=PIPE, stderr=PIPE) ++ p = Popen([sys.executable, 'sandbox', '-H', homedir, '-M', 'id'], stdout=PIPE, stderr=PIPE) + out, err = p.communicate() + shutil.rmtree(homedir) + self.assertSuccess(p.returncode, err) +@@ -90,11 +92,19 @@ class SandboxTests(unittest.TestCase): + def test_tmpdir(self): + "Verify that we set tmpdir a file system" + tmpdir = mkdtemp(dir="/tmp", prefix=".sandbox_test") +- p = Popen(['sandbox', '-T', tmpdir, '-M', 'id'], stdout=PIPE, stderr=PIPE) ++ p = Popen([sys.executable, 'sandbox', '-T', tmpdir, '-M', 'id'], stdout=PIPE, stderr=PIPE) + out, err = p.communicate() + shutil.rmtree(tmpdir) + self.assertSuccess(p.returncode, err) + ++ def test_include_file(self): ++ "Verify that sandbox can copy a file in the sandbox home and use it" ++ p = Popen([sys.executable, 'sandbox', '-i' ,'test_sandbox.py' , '-M', '/bin/cat', 'test_sandbox.py'], ++ stdout=PIPE, stderr=PIPE) ++ out, err = p.communicate() ++ self.assertSuccess(p.returncode, err) ++ ++ + if __name__ == "__main__": + import selinux + if selinux.security_getenforce() == 1: diff --git policycoreutils-2.5/scripts/chcat policycoreutils-2.5/scripts/chcat -index 472785c..3e3cc21 100755 +index 472785c..dd117bb 100755 --- policycoreutils-2.5/scripts/chcat +++ policycoreutils-2.5/scripts/chcat @@ -1,4 +1,4 @@ 
@@ -627790,7 +628015,73 @@ index 472785c..3e3cc21 100755 # Copyright (C) 2005 Red Hat # see file 'COPYING' for use and warranty information # -@@ -346,8 +346,8 @@ def translate(cats): +@@ -22,7 +22,10 @@ + # 02111-1307 USA + # + # +-import subprocess ++try: ++ from subprocess import getstatusoutput ++except ImportError: ++ from commands import getstatusoutput + import sys + import os + import pwd +@@ -92,7 +95,7 @@ def chcat_user_add(newcat, users): + cmd = "semanage login -a -r %s -s %s %s" % (new_serange, user[0], u) + else: + cmd = "semanage login -m -r %s -s %s %s" % (new_serange, user[0], u) +- rc = subprocess.getstatusoutput(cmd) ++ rc = getstatusoutput(cmd) + if rc[0] != 0: + print(rc[1]) + errors += 1 +@@ -131,7 +134,7 @@ def chcat_add(orig, newcat, objects, login_ind): + else: + cat_string = cat + cmd = 'chcon -l %s:%s %s' % (sensitivity, cat_string, f) +- rc = subprocess.getstatusoutput(cmd) ++ rc = getstatusoutput(cmd) + if rc[0] != 0: + print(rc[1]) + errors += 1 +@@ -172,7 +175,7 @@ def chcat_user_remove(newcat, users): + cmd = "semanage login -a -r %s -s %s %s" % (new_serange, user[0], u) + else: + cmd = "semanage login -m -r %s -s %s %s" % (new_serange, user[0], u) +- rc = subprocess.getstatusoutput(cmd) ++ rc = getstatusoutput(cmd) + if rc[0] != 0: + print(rc[1]) + errors += 1 +@@ -217,7 +220,7 @@ def chcat_remove(orig, newcat, objects, login_ind): + cmd = 'chcon -l %s %s' % (sensitivity, f) + else: + cmd = 'chcon -l %s:%s %s' % (sensitivity, cat, f) +- rc = subprocess.getstatusoutput(cmd) ++ rc = getstatusoutput(cmd) + if rc[0] != 0: + print(rc[1]) + errors += 1 +@@ -245,7 +248,7 @@ def chcat_user_replace(newcat, users): + cmd = "semanage login -a -r %s -s %s %s" % (new_serange, user[0], u) + else: + cmd = "semanage login -m -r %s -s %s %s" % (new_serange, user[0], u) +- rc = subprocess.getstatusoutput(cmd) ++ rc = getstatusoutput(cmd) + if rc[0] != 0: + print(rc[1]) + errors += 1 +@@ -268,7 +271,7 @@ def chcat_replace(newcat, objects, login_ind): 
+ for f in objects: + cmd = "%s %s" % (cmd, f) + +- rc = subprocess.getstatusoutput(cmd) ++ rc = getstatusoutput(cmd) + if rc[0] != 0: + print(rc[1]) + errors += 1 +@@ -346,8 +349,8 @@ def translate(cats): def usage(): print(_("Usage %s CATEGORY File ...") % sys.argv[0]) print(_("Usage %s -l CATEGORY user ...") % sys.argv[0]) @@ -627802,7 +628093,7 @@ index 472785c..3e3cc21 100755 print(_("Usage %s -l -d user ...") % sys.argv[0]) print(_("Usage %s -L") % sys.argv[0]) diff --git policycoreutils-2.5/scripts/fixfiles policycoreutils-2.5/scripts/fixfiles -index 5c29eb9..db53c0b 100755 +index 5c29eb9..5906a47 100755 --- policycoreutils-2.5/scripts/fixfiles +++ policycoreutils-2.5/scripts/fixfiles @@ -116,6 +116,7 @@ exclude_dirs() { @@ -627823,7 +628114,36 @@ index 5c29eb9..db53c0b 100755 # # Log to either syslog or a LOGFILE # -@@ -243,6 +247,10 @@ then +@@ -150,8 +154,9 @@ fi + # + newer() { + DATE=$1 ++ shift + for m in `echo $FILESYSTEMSRW`; do +- find $m -mount -newermt $DATE -print0 2>/dev/null | ${RESTORECON} ${FORCEFLAG} ${VERBOSE} -i -0 -f - ++ find $m -mount -newermt $DATE -print0 2>/dev/null | ${RESTORECON} ${FORCEFLAG} ${VERBOSE} $* -i -0 -f - + done; + + } +@@ -190,7 +195,7 @@ if [ -f ${PREFC} -a -x /usr/bin/diff ]; then + esac; \ + fi; \ + done | \ +- ${RESTORECON} ${VERBOSE} -i -f - -R `exclude_dirs`; \ ++ ${RESTORECON} ${VERBOSE} -i -f - -R $* `exclude_dirs`; \ + rm -f ${TEMPFILE} ${PREFCTEMPFILE} + fi + } +@@ -222,7 +227,7 @@ if [ ! -z "$PREFC" ]; then + exit $? + fi + if [ ! -z "$BOOTTIME" ]; then +- newer $BOOTTIME ++ newer $BOOTTIME $* + exit $? + fi + [ -x /usr/sbin/genhomedircon ] && /usr/sbin/genhomedircon +@@ -243,6 +248,10 @@ then logit "skipping the directory ${p}" done FC=$TEMPFCFILE 
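Review bot: The `rc = getstatusoutput(cmd)` replacements in chcat_user_add, chcat_add, chcat_user_remove, chcat_remove, chcat_user_replace and chcat_replace keep executing a shell string assembled with `%` from argv-derived values (`f`, `u`, `new_serange`), so a path or user name containing whitespace or shell metacharacters is re-split or interpreted by the shell instead of reaching chcon/semanage as a single argument. Since these lines are already being touched, building an argv list and calling `subprocess.Popen([...], stdout=PIPE, stderr=STDOUT)` (available on both interpreter versions the `commands` import fallback targets) would take the shell out of the path; callers read `rc[0]`/`rc[1]` and would need a small adaptation to `returncode` and the captured output. The bodies of all these functions extend outside the visible hunk lines.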
@@ -627834,7 +628154,7 @@ index 5c29eb9..db53c0b 100755 fi if [ ! -z "$RPMFILES" ]; then for i in `echo "$RPMFILES" | sed 's/,/ /g'`; do -@@ -264,7 +272,7 @@ if [ ${OPTION} != "Relabel" ]; then +@@ -264,7 +273,7 @@ if [ ${OPTION} != "Relabel" ]; then return fi echo "Cleaning up labels on /tmp" @@ -628002,7 +628322,7 @@ index 0000000..e2befdb + packages=["policycoreutils"], +) diff --git policycoreutils-2.5/semanage/semanage policycoreutils-2.5/semanage/semanage -index 7489955..c6e72a5 100644 +index 7489955..78c36e3 100644 --- policycoreutils-2.5/semanage/semanage +++ policycoreutils-2.5/semanage/semanage @@ -1,4 +1,4 @@ @@ -628011,19 +628331,15 @@ index 7489955..c6e72a5 100644 # Copyright (C) 2012-2013 Red Hat # AUTHOR: Miroslav Grepl # AUTHOR: David Quigley -@@ -23,6 +23,11 @@ +@@ -23,6 +23,7 @@ # # -+try: -+ import policycoreutils.default_encoding_utf8 -+except ImportError: -+ pass -+ ++import traceback import argparse import seobject import sys -@@ -45,25 +50,25 @@ except IOError: +@@ -45,25 +46,25 @@ except IOError: __builtin__.__dict__['_'] = unicode # define custom usages for selected main actions @@ -628056,7 +628372,16 @@ index 7489955..c6e72a5 100644 usage_boolean_dict = {' --modify': ('(', '--on', '|', '--off', ')', 'boolean'), ' --list': ('-C',), ' --extract': ('',), ' --deleteall': ('',)} import sepolicy -@@ -186,7 +191,7 @@ object_dict = {'login': login_ini, 'user': user_ini, 'port': port_ini, 'module': +@@ -111,7 +112,7 @@ class SetExportFile(argparse.Action): + try: + sys.stdout = open(values, 'w') + except: +- sys.stderr.write("%s: %s\n" % (e.__class__.__name__, str(e))) ++ sys.stderr.write(traceback.format_exc()) + sys.exit(1) + setattr(namespace, self.dest, values) + +@@ -186,7 +187,7 @@ object_dict = {'login': login_ini, 'user': user_ini, 'port': port_ini, 'module': def generate_custom_usage(usage_text, usage_dict): # generate custom usage from given text and dictonary sorted_keys = [] 
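Review bot: The argument pass-through added in `newer()` and in the restorecon pipeline uses unquoted `$*`, which re-splits the arguments on IFS and subjects them to globbing; `"$@"` forwards them as given. With only `-n` expected today this is harmless, but `find $m -mount -newermt $DATE -print0 2>/dev/null | ${RESTORECON} ${FORCEFLAG} ${VERBOSE} "$@" -i -0 -f -` and `newer $BOOTTIME "$@"` are the robust forms. In the `-R $* ` line before `exclude_dirs`, `$*` expands to the enclosing function's arguments if that pipeline sits inside a function (its start is outside the hunk), so it is worth confirming the caller forwards the script's arguments there.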
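Review bot: `sys.stderr.write(traceback.format_exc())` in SetExportFile fixes the unbound `e` of the old message but leaves the bare `except:` around `open(values, 'w')`, which also swallows SystemExit and KeyboardInterrupt and turns them into an exit-1 traceback. Narrowing it to `except (IOError, OSError):` keeps the traceback output for the failures that can actually come from `open` and lets everything else propagate; both names are needed if Python 2 support is still intended, which the `__builtin__` fallback in the context lines suggests. The rest of the SetExportFile class is outside the hunk.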
@@ -628065,7 +628390,7 @@ index 7489955..c6e72a5 100644 sorted_keys.append(i) sorted_keys.sort() for k in sorted_keys: -@@ -202,7 +207,7 @@ def handle_opts(args, dict, target_key): +@@ -202,7 +203,7 @@ def handle_opts(args, dict, target_key): # {action:[conflict_opts,require_opts]} # first we need to catch conflicts @@ -628074,7 +628399,7 @@ index 7489955..c6e72a5 100644 try: if k in dict[target_key][0] and args.__dict__[k]: print("%s option can not be used with --%s" % (target_key, k)) -@@ -210,7 +215,7 @@ def handle_opts(args, dict, target_key): +@@ -210,7 +211,7 @@ def handle_opts(args, dict, target_key): except KeyError: continue 
@@ -628083,7 +628408,51 @@ index 7489955..c6e72a5 100644 try: if k in dict[target_key][1] and not args.__dict__[k]: print("%s option is needed for %s" % (k, target_key)) -@@ -894,6 +899,8 @@ def make_io_args(args): +@@ -524,7 +525,7 @@ def handleInterface(args): + if args.action is "add": + OBJECT.add(args.interface, args.range, args.type) + if args.action is "modify": +- OBJECT.add(args.interface, args.range, args.type) ++ OBJECT.modify(args.interface, args.range, args.type) + if args.action is "delete": + OBJECT.delete(args.interface) + if args.action is "list": +@@ -607,7 +608,7 @@ def handleNode(args): + if args.action is "add": + OBJECT.add(args.node, args.netmask, args.proto, args.range, args.type) + if args.action is "modify": +- OBJECT.add(args.node, args.netmask, args.proto, args.range, args.type) ++ OBJECT.modify(args.node, args.netmask, args.proto, args.range, args.type) + if args.action is "delete": + OBJECT.delete(args.node, args.netmask, args.proto) + if args.action is "list": +@@ -702,7 +703,7 @@ def handlePermissive(args): + + if args.action is "list": + OBJECT.list(args.noheading) +- elif args.type != None: ++ elif args.type is not None: + if args.action is "add": + OBJECT.add(args.type) + if args.action is "delete": +@@ -839,7 +840,7 @@ def handleImport(args): + + + def setupImportParser(subparsers): +- importParser = subparsers.add_parser('import', help=_('Output local customizations')) ++ importParser = subparsers.add_parser('import', help=_('Import local customizations')) + parser_add_noreload(importParser, "import") + parser_add_store(importParser, "import") + importParser.add_argument('-f', '--input_file', dest='input_file', action=SetImportFile, help=_('Input file')) +@@ -855,6 +856,7 @@ def createCommandParser(): + + #To add a new subcommand define the parser for it in a function above and call it here. 
+ subparsers = commandParser.add_subparsers(dest='subcommand') ++ subparsers.required = True + setupImportParser(subparsers) + setupExportParser(subparsers) + setupLoginParser(subparsers) +@@ -894,6 +896,8 @@ def make_io_args(args): def make_args(sys_args): 
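Review bot: The corrected `OBJECT.modify(...)` calls in handleInterface and handleNode are dispatched by `if args.action is "modify":`, an identity comparison against a string literal (context lines here, not changed by the commit) that only holds because CPython interns short literals and that CPython 3.8+ reports as a SyntaxWarning. Since the same commit already rewrote `args.type != None` to `is not None`, switching these guards to `args.action == "modify"` (and the sibling `add`/`delete`/`list` tests) would be consistent with that cleanup. `subparsers.required = True` in createCommandParser is a good addition; the bodies of both handler functions extend outside the hunk.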
@@ -628263,12 +628632,345 @@ index 0fad36c..75b782f 100644 mapping from Linux usernames (logins) to SELinux user identities, while the semanage user command deals with the mapping from SELinux user identities to authorized role sets. In most cases, only the +diff --git policycoreutils-2.5/semanage/seobject.py policycoreutils-2.5/semanage/seobject.py +index 3b0b108..bca247b 100644 +--- policycoreutils-2.5/semanage/seobject.py ++++ policycoreutils-2.5/semanage/seobject.py +@@ -23,14 +23,12 @@ + + import pwd + import grp +-import string + import selinux +-import tempfile + import os + import re + import sys + import stat +-import shutil ++import socket + from semanage import * + PROGNAME = "policycoreutils" + import sepolicy +@@ -82,6 +80,17 @@ file_type_str_to_option = {"all files": "a", + "socket file": "s", + "symbolic link": "l", + "named pipe": "p"} ++ ++ftype_to_audit = {"": "any", ++ "a" : "any", ++ "b": "block", ++ "c": "char", ++ "d": "dir", ++ "f": "file", ++ "l": "symlink", ++ "p": "pipe", ++ "s": "socket"} ++ + try: + import audit + +@@ -90,6 +99,7 @@ try: + def __init__(self): + self.audit_fd = audit.audit_open() + self.log_list = [] ++ self.log_change_list = [] + + def log(self, msg, name="", sename="", serole="", serange="", oldsename="", oldserole="", oldserange=""): + +@@ -109,10 +119,17 @@ try: + def log_remove(self, msg, name="", sename="", serole="", serange="", oldsename="", oldserole="", oldserange=""): + self.log_list.append([self.audit_fd, audit.AUDIT_ROLE_REMOVE, sys.argv[0], str(msg), name, 0, sename, serole, serange, oldsename, oldserole, oldserange, "", "", ""]) + ++ def log_change(self, msg): ++ self.log_change_list.append([self.audit_fd, audit.AUDIT_USER_MAC_CONFIG_CHANGE, str(msg), "semanage", "", "", ""]) ++ + def commit(self, success): + for l in self.log_list: + audit.audit_log_semanage_message(*(l + [success])) ++ for l in self.log_change_list: ++ audit.audit_log_user_comm_message(*(l + [success])) ++ + self.log_list = [] ++ 
self.log_change_list = [] + except: + class logger: + +@@ -129,15 +146,18 @@ except: + message += " role=" + serole + if oldserole != "": + message += " old_role=" + oldserole +- if serange != "" and serange != None: ++ if serange != "" and serange is not None: + message += " MLSRange=" + serange +- if oldserange != "" and oldserange != None: ++ if oldserange != "" and oldserange is not None: + message += " old_MLSRange=" + oldserange + self.log_list.append(message) + + def log_remove(self, msg, name="", sename="", serole="", serange="", oldsename="", oldserole="", oldserange=""): + self.log(msg, name, sename, serole, serange, oldsename, oldserole, oldserange) + ++ def log_change(self, msg): ++ self.log_list.append(" %s" % msg) ++ + def commit(self, success): + if success == 1: + message = "Successful: " +@@ -155,6 +175,9 @@ class nulllogger: + def log_remove(self, msg, name="", sename="", serole="", serange="", oldsename="", oldserole="", oldserange=""): + pass + ++ def log_change(self, msg): ++ pass ++ + def commit(self, success): + pass + +@@ -416,7 +439,7 @@ class dontauditClass(semanageRecords): + if dontaudit not in ["on", "off"]: + raise ValueError(_("dontaudit requires either 'on' or 'off'")) + self.begin() +- rc = semanage_set_disable_dontaudit(self.sh, dontaudit == "off") ++ semanage_set_disable_dontaudit(self.sh, dontaudit == "off") + self.commit() + + +@@ -459,7 +482,6 @@ class permissiveRecords(semanageRecords): + print t + + def add(self, type): +- import glob + try: + import sepolgen.module as module + except ImportError: +@@ -834,7 +856,6 @@ class seluserRecords(semanageRecords): + self.mylog.log("seuser", sename=name, serole=",".join(roles), serange=serange) + + def add(self, name, roles, selevel, serange, prefix): +- serole = " ".join(roles) + try: + self.begin() + self.__add(name, roles, selevel, serange, prefix) +@@ -1109,6 +1130,8 @@ class portRecords(semanageRecords): + semanage_port_key_free(k) + semanage_port_free(p) + ++ 
self.mylog.log_change("resrc=port op=add lport=%s proto=%s tcontext=%s:%s:%s:%s" % (port, socket.getprotobyname(proto), "system_u", "object_r", type, serange)) ++ + def add(self, port, proto, serange, type): + self.begin() + self.__add(port, proto, serange, type) +@@ -1138,8 +1161,11 @@ class portRecords(semanageRecords): + + con = semanage_port_get_con(p) + +- if (is_mls_enabled == 1) and (serange != ""): +- semanage_context_set_mls(self.sh, con, untranslate(serange)) ++ if is_mls_enabled == 1: ++ if serange == "": ++ serange = "s0" ++ else: ++ semanage_context_set_mls(self.sh, con, untranslate(serange)) + if setype != "": + semanage_context_set_type(self.sh, con, setype) + +@@ -1150,6 +1176,8 @@ class portRecords(semanageRecords): + semanage_port_key_free(k) + semanage_port_free(p) + ++ self.mylog.log_change("resrc=port op=modify lport=%s proto=%s tcontext=%s:%s:%s:%s" % (port, socket.getprotobyname(proto), "system_u", "object_r", setype, serange)) ++ + def modify(self, port, proto, serange, setype): + self.begin() + self.__modify(port, proto, serange, setype) +@@ -1168,6 +1196,7 @@ class portRecords(semanageRecords): + low = semanage_port_get_low(port) + high = semanage_port_get_high(port) + port_str = "%s-%s" % (low, high) ++ + (k, proto_d, low, high) = self.__genkey(port_str, proto_str) + if rc < 0: + raise ValueError(_("Could not create a key for %s") % port_str) +@@ -1177,6 +1206,11 @@ class portRecords(semanageRecords): + raise ValueError(_("Could not delete the port %s") % port_str) + semanage_port_key_free(k) + ++ if low == high: ++ port_str = low ++ ++ self.mylog.log_change("resrc=port op=delete lport=%s proto=%s" % (port_str, socket.getprotobyname(proto_str))) ++ + self.commit() + + def __delete(self, port, proto): +@@ -1199,6 +1233,8 @@ class portRecords(semanageRecords): + + semanage_port_key_free(k) + ++ self.mylog.log_change("resrc=port op=delete lport=%s proto=%s" % (port, socket.getprotobyname(proto))) ++ + def delete(self, port, proto): + 
self.begin() + self.__delete(port, proto) +@@ -1380,6 +1416,8 @@ class nodeRecords(semanageRecords): + semanage_node_key_free(k) + semanage_node_free(node) + ++ self.mylog.log_change("resrc=node op=add laddr=%s netmask=%s proto=%s tcontext=%s:%s:%s:%s" % (addr, mask, socket.getprotobyname(self.protocol[proto]), "system_u", "object_r", ctype, serange)) ++ + def add(self, addr, mask, proto, serange, ctype): + self.begin() + self.__add(addr, mask, proto, serange, ctype) +@@ -1421,6 +1459,8 @@ class nodeRecords(semanageRecords): + semanage_node_key_free(k) + semanage_node_free(node) + ++ self.mylog.log_change("resrc=node op=modify laddr=%s netmask=%s proto=%s tcontext=%s:%s:%s:%s" % (addr, mask, socket.getprotobyname(self.protocol[proto]), "system_u", "object_r", setype, serange)) ++ + def modify(self, addr, mask, proto, serange, setype): + self.begin() + self.__modify(addr, mask, proto, serange, setype) +@@ -1452,6 +1492,8 @@ class nodeRecords(semanageRecords): + + semanage_node_key_free(k) + ++ self.mylog.log_change("resrc=node op=delete laddr=%s netmask=%s proto=%s" % (addr, mask, socket.getprotobyname(self.protocol[proto]))) ++ + def delete(self, addr, mask, proto): + self.begin() + self.__delete(addr, mask, proto) +@@ -1581,6 +1623,8 @@ class interfaceRecords(semanageRecords): + semanage_iface_key_free(k) + semanage_iface_free(iface) + ++ self.mylog.log_change("resrc=interface op=add netif=%s tcontext=%s:%s:%s:%s" % (interface, "system_u", "object_r", ctype, serange)) ++ + def add(self, interface, serange, ctype): + self.begin() + self.__add(interface, serange, ctype) +@@ -1618,6 +1662,8 @@ class interfaceRecords(semanageRecords): + semanage_iface_key_free(k) + semanage_iface_free(iface) + ++ self.mylog.log_change("resrc=interface op=modify netif=%s tcontext=%s:%s:%s:%s" % (interface, "system_u", "object_r", setype, serange)) ++ + def modify(self, interface, serange, setype): + self.begin() + self.__modify(interface, serange, setype) +@@ -1646,6 +1692,8 @@ class 
interfaceRecords(semanageRecords): + + semanage_iface_key_free(k) + ++ self.mylog.log_change("resrc=interface op=delete netif=%s" % interface) ++ + def delete(self, interface): + self.begin() + self.__delete(interface) +@@ -1775,6 +1823,8 @@ class fcontextRecords(semanageRecords): + if i.startswith(target + "/"): + raise ValueError(_("File spec %s conflicts with equivalency rule '%s %s'") % (target, i, fdict[i])) + ++ self.mylog.log_change("resrc=fcontext op=add-equal %s %s" % (audit.audit_encode_nv_string("sglob", target, 0), audit.audit_encode_nv_string("tglob", substitute, 0))) ++ + self.equiv[target] = substitute + self.equal_ind = True + self.commit() +@@ -1785,6 +1835,9 @@ class fcontextRecords(semanageRecords): + raise ValueError(_("Equivalence class for %s does not exists") % target) + self.equiv[target] = substitute + self.equal_ind = True ++ ++ self.mylog.log_change("resrc=fcontext op=modify-equal %s %s" % (audit.audit_encode_nv_string("sglob", target, 0), audit.audit_encode_nv_string("tglob", substitute, 0))) ++ + self.commit() + + def createcon(self, target, seuser="system_u"): +@@ -1879,6 +1932,11 @@ class fcontextRecords(semanageRecords): + semanage_fcontext_key_free(k) + semanage_fcontext_free(fcontext) + ++ if not seuser: ++ seuser = "system_u" ++ ++ self.mylog.log_change("resrc=fcontext op=add %s ftype=%s tcontext=%s:%s:%s:%s" % (audit.audit_encode_nv_string("tglob", target, 0), ftype_to_audit[ftype], seuser, "object_r", type, serange)) ++ + def add(self, target, type, ftype="", serange="", seuser="system_u"): + self.begin() + self.__add(target, type, ftype, serange, seuser) +@@ -1888,7 +1946,7 @@ class fcontextRecords(semanageRecords): + if serange == "" and setype == "" and seuser == "": + raise ValueError(_("Requires setype, serange or seuser")) + if setype and setype not in self.valid_types: +- raise ValueError(_("Type %s is invalid, must be a port type") % setype) ++ raise ValueError(_("Type %s is invalid, must be a file or device type") % 
setype) + + self.validate(target) + +@@ -1913,7 +1971,7 @@ class fcontextRecords(semanageRecords): + if setype != "<>": + con = semanage_fcontext_get_con(fcontext) + +- if con == None: ++ if con is None: + con = self.createcon(target) + + if (is_mls_enabled == 1) and (serange != ""): +@@ -1939,6 +1997,11 @@ class fcontextRecords(semanageRecords): + semanage_fcontext_key_free(k) + semanage_fcontext_free(fcontext) + ++ if not seuser: ++ seuser = "system_u" ++ ++ self.mylog.log_change("resrc=fcontext op=modify %s ftype=%s tcontext=%s:%s:%s:%s" % (audit.audit_encode_nv_string("tglob", target, 0), ftype_to_audit[ftype], seuser, "object_r", setype, serange)) ++ + def modify(self, target, setype, ftype, serange, seuser): + self.begin() + self.__modify(target, setype, ftype, serange, seuser) +@@ -1964,6 +2027,8 @@ class fcontextRecords(semanageRecords): + raise ValueError(_("Could not delete the file context %s") % target) + semanage_fcontext_key_free(k) + ++ self.mylog.log_change("resrc=fcontext op=delete %s ftype=%s" % (audit.audit_encode_nv_string("tglob", target, 0), ftype_to_audit[file_type_str_to_option[ftype_str]])) ++ + self.equiv = {} + self.equal_ind = True + self.commit() +@@ -1972,6 +2037,9 @@ class fcontextRecords(semanageRecords): + if target in self.equiv.keys(): + self.equiv.pop(target) + self.equal_ind = True ++ ++ self.mylog.log_change("resrc=fcontext op=delete-equal %s" % (audit.audit_encode_nv_string("tglob", target, 0))) ++ + return + + (rc, k) = semanage_fcontext_key_create(self.sh, target, file_types[ftype]) +@@ -1996,6 +2064,8 @@ class fcontextRecords(semanageRecords): + + semanage_fcontext_key_free(k) + ++ self.mylog.log_change("resrc=fcontext op=delete %s ftype=%s" % (audit.audit_encode_nv_string("tglob", target, 0), ftype_to_audit[ftype])) ++ + def delete(self, target, ftype): + self.begin() + self.__delete(target, ftype) +@@ -2091,7 +2161,7 @@ class booleanRecords(semanageRecords): + self.current_booleans = [] + ptype = None + +- if self.store 
== None or self.store == ptype: ++ if self.store is None or self.store == ptype: + self.modify_local = True + else: + self.modify_local = False diff --git policycoreutils-2.5/semanage/seobject/__init__.py policycoreutils-2.5/semanage/seobject/__init__.py new file mode 100644 -index 0000000..33f5fa9 +index 0000000..d364434 --- /dev/null +++ policycoreutils-2.5/semanage/seobject/__init__.py -@@ -0,0 +1,2271 @@ +@@ -0,0 +1,2405 @@ +#! /usr/bin/python3 -Es +# Copyright (C) 2005-2013 Red Hat +# see file 'COPYING' for use and warranty information @@ -628301,6 +629003,7 @@ index 0000000..33f5fa9 +import sys +import stat +import shutil ++import socket +from semanage import * +PROGNAME = "policycoreutils" +import sepolicy @@ -628361,12 +629064,25 @@ index 0000000..33f5fa9 + "socket file":"s", + "symbolic link":"l", + "named pipe":"p"} ++ ++ftype_to_audit = {"": "any", ++ "a": "any", ++ "b": "block", ++ "c": "char", ++ "d": "dir", ++ "f": "file", ++ "l": "symlink", ++ "p": "pipe", ++ "s": "socket"} ++ +try: + import audit + class logger: + def __init__(self): + self.audit_fd = audit.audit_open() + self.log_list = [] ++ self.log_change_list = [] ++ + def log(self, msg, name="", sename="", serole="", serange="", oldsename="", oldserole="", oldserange=""): + + sep = "-" 
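Review bot: The new fcontext audit lines call `audit.audit_encode_nv_string(...)` unconditionally, but this module only has an `audit` name when the `try: import audit` at the top of the hunk succeeds; on a host without the python audit bindings the fallback `logger` class is selected and `semanage fcontext -a/-m/-d` now fails with a NameError instead of logging. The escaping belongs in the logger classes: give both an `encode_nv(name, value)` method, implemented with `audit.audit_encode_nv_string(name, value, 0)` in the audit-backed class and `"%s=%s" % (name, value)` in the fallback, and call `self.mylog.encode_nv("tglob", target)` from the fcontext methods. Note also that the port, node and interface messages interpolate the user-supplied `serange` and type name raw into `tcontext=`, without that escaping, so a translated MLS range containing a space would split the audit field when parsed. The seobject.py methods in this hunk continue outside it.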
@@ -628385,10 +629101,16 @@ index 0000000..33f5fa9 + def log_remove(self, msg, name="", sename="", serole="", serange="", oldsename="", oldserole="", oldserange=""): + self.log_list.append([self.audit_fd, audit.AUDIT_ROLE_REMOVE, sys.argv[0], str(msg), name, 0, sename, serole, serange, oldsename, oldserole, oldserange, "", "", ""]) + ++ def log_change(self, msg): ++ self.log_change_list.append([self.audit_fd, audit.AUDIT_USER_MAC_CONFIG_CHANGE, str(msg), "semanage", "", "", ""]) ++ + def commit(self, success): + for l in self.log_list: + audit.audit_log_semanage_message(*(l + [success])) ++ for l in self.log_change_list: ++ audit.audit_log_user_comm_message(*(l + [success])) + self.log_list = [] ++ self.log_change_list = [] +except: + class logger: + def __init__(self): @@ -628413,6 +629135,9 @@ index 0000000..33f5fa9 + def log_remove(self, msg, name="", sename="", serole="", serange="", oldsename="", oldserole="", oldserange=""): + self.log(msg, name, sename, serole, serange, oldsename, oldserole, oldserange) + ++ def log_change(self, msg): ++ self.log_list.append(" %s" % msg) ++ + def commit(self, success): + if success == 1: + message = "Successful: " @@ -628428,6 +629153,9 @@ index 0000000..33f5fa9 + def log_remove(self, msg, name="", sename="", serole="", serange="", oldsename="", oldserole="", oldserange=""): + pass + ++ def log_change(self, msg): ++ pass ++ + def commit(self, success): + pass + @@ -628791,7 +629519,15 @@ index 0000000..33f5fa9 + else: + serange = RANGE + -+ (rc, k) = semanage_seuser_key_create(self.sh, name) ++ (rc, u) = semanage_seuser_create(self.sh) ++ if rc < 0: ++ raise ValueError(_("Could not create login mapping for %s") % name) ++ ++ rc = semanage_seuser_set_name(self.sh, u, name) ++ if rc < 0: ++ raise ValueError(_("Could not set name for %s") % name) ++ ++ (rc, k) = semanage_seuser_key_extract(self.sh, u) + if rc < 0: + raise ValueError(_("Could not create a key for %s") % name) + 
@@ -628800,6 +629536,7 @@ index 0000000..33f5fa9 + raise ValueError(_("Could not check if login mapping for %s is defined") % name) + if exists: + semanage_seuser_key_free(k) ++ semanage_seuser_free(u) + return self.__modify(name, sename, serange) + + if name[0] == '%': @@ -628813,14 +629550,6 @@ index 0000000..33f5fa9 + except: + raise ValueError(_("Linux User %s does not exist") % name) + -+ (rc, u) = semanage_seuser_create(self.sh) -+ if rc < 0: -+ raise ValueError(_("Could not create login mapping for %s") % name) -+ -+ rc = semanage_seuser_set_name(self.sh, u, name) -+ if rc < 0: -+ raise ValueError(_("Could not set name for %s") % name) -+ + if serange: + rc = semanage_seuser_set_mlsrange(self.sh, u, serange) + if rc < 0: @@ -628865,7 +629594,15 @@ index 0000000..33f5fa9 + else: + self.serange = RANGE + -+ (rc, k) = semanage_seuser_key_create(self.sh, name) ++ (rc, tmp_u) = semanage_seuser_create(self.sh) ++ if rc < 0: ++ raise ValueError(_("Could not create login mapping for %s") % name) ++ ++ rc = semanage_seuser_set_name(self.sh, tmp_u, name) ++ if rc < 0: ++ raise ValueError(_("Could not set name for %s") % name) ++ ++ (rc, k) = semanage_seuser_key_extract(self.sh, tmp_u) + if rc < 0: + raise ValueError(_("Could not create a key for %s") % name) + @@ -628895,6 +629632,7 @@ index 0000000..33f5fa9 + raise ValueError(_("Could not modify login mapping for %s") % name) + + semanage_seuser_key_free(k) ++ semanage_seuser_free(tmp_u) + semanage_seuser_free(u) + self.mylog.log("login", name, sename=self.sename, serange=self.serange, serole=",".join(serole), oldserole=",".join(oldserole), oldsename=self.oldsename, oldserange=self.oldserange) + 
@@ -628912,7 +629650,15 @@ index 0000000..33f5fa9 + userrec = seluserRecords() + RANGE, (rc, oldserole) = userrec.get(self.oldsename) + -+ (rc, k) = semanage_seuser_key_create(self.sh, name) ++ (rc, u) = semanage_seuser_create(self.sh) ++ if rc < 0: ++ raise ValueError(_("Could not create login mapping for %s") % name) ++ ++ rc = semanage_seuser_set_name(self.sh, u, name) ++ if rc < 0: ++ raise ValueError(_("Could not set name for %s") % name) ++ ++ (rc, k) = semanage_seuser_key_extract(self.sh, u) + if rc < 0: + raise ValueError(_("Could not create a key for %s") % name) + @@ -628933,6 +629679,7 @@ index 0000000..33f5fa9 + raise ValueError(_("Could not delete login mapping for %s") % name) + + semanage_seuser_key_free(k) ++ semanage_seuser_free(u) + + rec, self.sename, self.serange = selinux.getseuserbyname("__default__") + RANGE, (rc, serole) = userrec.get(self.sename) @@ -629034,7 +629781,15 @@ index 0000000..33f5fa9 + semanageRecords.__init__(self, store) + + def get(self, name): -+ (rc, k) = semanage_user_key_create(self.sh, name) ++ (rc, tmp_u) = semanage_user_create(self.sh) ++ if rc < 0: ++ raise ValueError(_("Could not create login mapping for %s") % name) ++ ++ rc = semanage_user_set_name(self.sh, tmp_u, name) ++ if rc < 0: ++ raise ValueError(_("Could not set name for %s") % name) ++ ++ (rc, k) = semanage_user_key_extract(self.sh, tmp_u) + if rc < 0: + raise ValueError(_("Could not create a key for %s") % name) + (rc, exists) = semanage_user_exists(self.sh, k) @@ -629046,6 +629801,7 @@ index 0000000..33f5fa9 + serange = semanage_user_get_mlsrange(u) + serole = semanage_user_get_roles(self.sh, u) + semanage_user_key_free(k) ++ semanage_user_free(tmp_u) + semanage_user_free(u) + return serange, serole + 
@@ -629064,7 +629820,15 @@ index 0000000..33f5fa9 + if len(roles) < 1: + raise ValueError(_("You must add at least one role for %s") % name) + -+ (rc, k) = semanage_user_key_create(self.sh, name) ++ (rc, u) = semanage_user_create(self.sh) ++ if rc < 0: ++ raise ValueError(_("Could not create login mapping for %s") % name) ++ ++ rc = semanage_user_set_name(self.sh, u, name) ++ if rc < 0: ++ raise ValueError(_("Could not set name for %s") % name) ++ ++ (rc, k) = semanage_user_key_extract(self.sh, u) + if rc < 0: + raise ValueError(_("Could not create a key for %s") % name) + @@ -629073,16 +629837,9 @@ index 0000000..33f5fa9 + raise ValueError(_("Could not check if SELinux user %s is defined") % name) + if exists: + semanage_user_key_free(k) ++ semanage_user_free(u) + return self.__modify(name, roles, selevel, serange, prefix) + -+ (rc, u) = semanage_user_create(self.sh) -+ if rc < 0: -+ raise ValueError(_("Could not create SELinux user for %s") % name) -+ -+ rc = semanage_user_set_name(self.sh, u, name) -+ if rc < 0: -+ raise ValueError(_("Could not set name for %s") % name) -+ + for r in roles: + rc = semanage_user_add_role(self.sh, u, r) + if rc < 0: @@ -629130,7 +629887,15 @@ index 0000000..33f5fa9 + else: + raise ValueError(_("Requires prefix or roles")) + -+ (rc, k) = semanage_user_key_create(self.sh, name) ++ (rc, tmp_u) = semanage_user_create(self.sh) ++ if rc < 0: ++ raise ValueError(_("Could not create login mapping for %s") % name) ++ ++ rc = semanage_user_set_name(self.sh, tmp_u, name) ++ if rc < 0: ++ raise ValueError(_("Could not set name for %s") % name) ++ ++ (rc, k) = semanage_user_key_extract(self.sh, tmp_u) + if rc < 0: + raise ValueError(_("Could not create a key for %s") % name) + @@ -629170,6 +629935,7 @@ index 0000000..33f5fa9 + raise ValueError(_("Could not modify SELinux user %s") % name) + + semanage_user_key_free(k) ++ semanage_user_free(tmp_u) + semanage_user_free(u) + + role = ",".join(newroles.split()) 
@@ -629187,7 +629953,15 @@ index 0000000..33f5fa9 + raise error + + def __delete(self, name): -+ (rc, k) = semanage_user_key_create(self.sh, name) ++ (rc, tmp_u) = semanage_user_create(self.sh) ++ if rc < 0: ++ raise ValueError(_("Could not create login mapping for %s") % name) ++ ++ rc = semanage_user_set_name(self.sh, tmp_u, name) ++ if rc < 0: ++ raise ValueError(_("Could not set name for %s") % name) ++ ++ (rc, k) = semanage_user_key_extract(self.sh, tmp_u) + if rc < 0: + raise ValueError(_("Could not create a key for %s") % name) + @@ -629215,6 +629989,7 @@ index 0000000..33f5fa9 + raise ValueError(_("Could not delete SELinux user %s") % name) + + semanage_user_key_free(k) ++ semanage_user_free(tmp_u) + semanage_user_free(u) + + self.mylog.log_remove("seuser", oldsename=name, oldserange=oldserange, oldserole=oldserole) @@ -629391,6 +630166,8 @@ index 0000000..33f5fa9 + semanage_port_key_free(k) + semanage_port_free(p) + ++ self.mylog.log_change("resrc=port op=add lport=%s proto=%s tcontext=%s:%s:%s:%s" % (port, socket.getprotobyname(proto), "system_u", "object_r", type, serange)) ++ + def add(self, port, proto, serange, type): + self.begin() + self.__add(port, proto, serange, type) @@ -629404,7 +630181,7 @@ index 0000000..33f5fa9 + raise ValueError(_("Requires setype")) + + if setype and setype not in self.valid_types: -+ raise ValueError(_("Type %s is invalid, must be a port type") % setype) ++ raise ValueError(_("Type %s is invalid, must be a file or device type") % setype) + + (k, proto_d, low, high) = self.__genkey(port, proto) + @@ -629422,6 +630199,8 @@ index 0000000..33f5fa9 + + if serange: + semanage_context_set_mls(self.sh, con, untranslate(serange)) ++ else: ++ serange = "s0" + if setype != "": + semanage_context_set_type(self.sh, con, setype) + 
@@ -629432,6 +630211,8 @@ index 0000000..33f5fa9 + semanage_port_key_free(k) + semanage_port_free(p) + ++ self.mylog.log_change("resrc=port op=modify lport=%s proto=%s tcontext=%s:%s:%s:%s" % (port, socket.getprotobyname(proto), "system_u", "object_r", setype, serange)) ++ + def modify(self, port, proto, serange, setype): + self.begin() + self.__modify(port, proto, serange, setype) @@ -629445,19 +630226,24 @@ index 0000000..33f5fa9 + self.begin() + + for port in plist: -+ proto = semanage_port_get_proto(port) -+ proto_str = semanage_port_get_proto_str(proto) -+ low = semanage_port_get_low(port) -+ high = semanage_port_get_high(port) -+ port_str = "%s-%s" % (low, high) -+ (k, proto_d, low, high) = self.__genkey(port_str , proto_str) -+ if rc < 0: -+ raise ValueError(_("Could not create a key for %s") % port_str) ++ proto = semanage_port_get_proto(port) ++ proto_str = semanage_port_get_proto_str(proto) ++ low = semanage_port_get_low(port) ++ high = semanage_port_get_high(port) ++ port_str = "%s-%s" % (low, high) ++ (k, proto_d, low, high) = self.__genkey(port_str , proto_str) ++ if rc < 0: ++ raise ValueError(_("Could not create a key for %s") % port_str) + -+ rc = semanage_port_del_local(self.sh, k) -+ if rc < 0: -+ raise ValueError(_("Could not delete the port %s") % port_str) -+ semanage_port_key_free(k) ++ rc = semanage_port_del_local(self.sh, k) ++ if rc < 0: ++ raise ValueError(_("Could not delete the port %s") % port_str) ++ semanage_port_key_free(k) ++ ++ if low == high: ++ port_str = low ++ ++ self.mylog.log_change("resrc=port op=delete lport=%s proto=%s" % (port_str, socket.getprotobyname(proto_str))) + + self.commit() + @@ -629481,6 +630267,8 @@ index 0000000..33f5fa9 + + semanage_port_key_free(k) + ++ self.mylog.log_change("resrc=port op=delete lport=%s proto=%s" % (port, socket.getprotobyname(proto))) ++ + def delete(self, port, proto): + self.begin() + self.__delete(port, proto) 
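Review bot: In portRecords.__modify the new `else: serange = "s0"` only rewrites the local used for the audit message; when no range is given the record's existing MLS range is left untouched, so the MAC_CONFIG_CHANGE event can report `tcontext=...:s0` for a port that actually keeps a different range, and an omitted setype likewise logs an empty type field. The log should describe what was stored: after the set calls, use `semanage_context_get_type(con)` and `semanage_context_get_mls(con)` from libsemanage's context API (already in scope via `from semanage import *`) in place of `setype` and `serange` in the format tuple. __modify starts before this hunk.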
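Review bot: The re-indented deleteall loop still tests `if rc < 0:` immediately after `self.__genkey(port_str, proto_str)`, but __genkey returns `(k, proto_d, low, high)` and never assigns `rc`, so the check sees whatever the previous `semanage_port_del_local` (or the list call before the loop) left behind and a key-creation failure is never detected. If __genkey signals failure by raising, as its tuple return suggests, the two lines are dead and can be dropped; otherwise test the status it actually returns. Also note that `port_str = low` makes `lport=` an int for single ports while ranges remain a `"%s-%s"` string — harmless for audit, but worth a comment. The function's head is outside the hunk.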
@@ -629666,6 +630454,8 @@ index 0000000..33f5fa9 + semanage_node_key_free(k) + semanage_node_free(node) + ++ self.mylog.log_change("resrc=node op=add laddr=%s netmask=%s proto=%s tcontext=%s:%s:%s:%s" % (addr, mask, socket.getprotobyname(self.protocol[proto]), "system_u", "object_r", ctype, serange)) ++ + def add(self, addr, mask, proto, serange, ctype): + self.begin() + self.__add(addr, mask, proto, serange, ctype) @@ -629707,6 +630497,8 @@ index 0000000..33f5fa9 + semanage_node_key_free(k) + semanage_node_free(node) + ++ self.mylog.log_change("resrc=node op=modify laddr=%s netmask=%s proto=%s tcontext=%s:%s:%s:%s" % (addr, mask, socket.getprotobyname(self.protocol[proto]), "system_u", "object_r", setype, serange)) ++ + def modify(self, addr, mask, proto, serange, setype): + self.begin() + self.__modify(addr, mask, proto, serange, setype) @@ -629738,6 +630530,8 @@ index 0000000..33f5fa9 + + semanage_node_key_free(k) + ++ self.mylog.log_change("resrc=node op=delete laddr=%s netmask=%s proto=%s" % (addr, mask, socket.getprotobyname(self.protocol[proto]))) ++ + def delete(self, addr, mask, proto): + self.begin() + self.__delete(addr, mask, proto) @@ -629867,6 +630661,8 @@ index 0000000..33f5fa9 + semanage_iface_key_free(k) + semanage_iface_free(iface) + ++ self.mylog.log_change("resrc=interface op=add netif=%s tcontext=%s:%s:%s:%s" % (interface, "system_u", "object_r", ctype, serange)) ++ + def add(self, interface, serange, ctype): + self.begin() + self.__add(interface, serange, ctype) @@ -629904,6 +630700,8 @@ index 0000000..33f5fa9 + semanage_iface_key_free(k) + semanage_iface_free(iface) + ++ self.mylog.log_change("resrc=interface op=modify netif=%s tcontext=%s:%s:%s:%s" % (interface, "system_u", "object_r", setype, serange)) ++ + def modify(self, interface, serange, setype): + self.begin() + self.__modify(interface, serange, setype) 
@@ -629932,6 +630730,8 @@ index 0000000..33f5fa9 + + semanage_iface_key_free(k) + ++ self.mylog.log_change("resrc=interface op=delete netif=%s" % interface) ++ + def delete(self, interface): + self.begin() + self.__delete(interface) @@ -630060,6 +630860,8 @@ index 0000000..33f5fa9 + if i.startswith(target + "/"): + raise ValueError(_("File spec %(TARGET)s conflicts with equivalency rule '%(SOURCE)s %(DEST)s'") % {"TARGET": target, "SOURCE": i, "DEST": fdict[i]}) + ++ self.mylog.log_change("resrc=fcontext op=add-equal %s %s" % (audit.audit_encode_nv_string("sglob", target, 0), audit.audit_encode_nv_string("tglob", substitute, 0))) ++ + self.equiv[target] = substitute + self.equal_ind = True + self.commit() @@ -630070,6 +630872,7 @@ index 0000000..33f5fa9 + raise ValueError(_("Equivalence class for %s does not exists") % target) + self.equiv[target] = substitute + self.equal_ind = True ++ self.mylog.log_change("resrc=fcontext op=modify-equal %s %s" % (audit.audit_encode_nv_string("sglob", target, 0), audit.audit_encode_nv_string("tglob", substitute, 0))) + self.commit() + + def createcon(self, target, seuser="system_u"): @@ -630172,6 +630975,11 @@ index 0000000..33f5fa9 + semanage_fcontext_key_free(k) + semanage_fcontext_free(fcontext) + ++ if not seuser: ++ seuser = "system_u" ++ ++ self.mylog.log_change("resrc=fcontext op=add %s ftype=%s tcontext=%s:%s:%s:%s" % (audit.audit_encode_nv_string("tglob", target, 0), ftype_to_audit[ftype], seuser, "object_r", type, serange)) ++ + def add(self, target, type, ftype="", serange=None, seuser="system_u"): + self.begin() + self.__add(target, type, ftype, serange, seuser) 
@@ -630232,6 +631040,11 @@ index 0000000..33f5fa9 + semanage_fcontext_key_free(k) + semanage_fcontext_free(fcontext) + ++ if not seuser: ++ seuser = "system_u" ++ ++ self.mylog.log_change("resrc=fcontext op=modify %s ftype=%s tcontext=%s:%s:%s:%s" % (audit.audit_encode_nv_string("tglob", target, 0), ftype_to_audit[ftype], seuser, "object_r", setype, serange)) ++ + def modify(self, target, setype, ftype, serange, seuser): + self.begin() + self.__modify(target, setype, ftype, serange, seuser) @@ -630257,6 +631070,8 @@ index 0000000..33f5fa9 + raise ValueError(_("Could not delete the file context %s") % target) + semanage_fcontext_key_free(k) + ++ self.mylog.log_change("resrc=fcontext op=delete %s ftype=%s" % (audit.audit_encode_nv_string("tglob", target, 0), ftype_to_audit[file_type_str_to_option[ftype_str]])) ++ + self.equiv = {} + self.equal_ind = True + self.commit() @@ -630265,6 +631080,9 @@ index 0000000..33f5fa9 + if target in list(self.equiv.keys()): + self.equiv.pop(target) + self.equal_ind = True ++ ++ self.mylog.log_change("resrc=fcontext op=delete-equal %s" % (audit.audit_encode_nv_string("tglob", target, 0))) ++ + return + + (rc, k) = semanage_fcontext_key_create(self.sh, target, file_types[ftype]) @@ -630289,6 +631107,8 @@ index 0000000..33f5fa9 + + semanage_fcontext_key_free(k) + ++ self.mylog.log_change("resrc=fcontext op=delete %s ftype=%s" % (audit.audit_encode_nv_string("tglob", target, 0), ftype_to_audit[ftype])) ++ + def delete(self, target, ftype): + self.begin() + self.__delete(target, ftype) 
@@ -630390,7 +631210,14 @@ index 0000000..33f5fa9 + def __mod(self, name, value): + name = selinux.selinux_boolean_sub(name) + -+ (rc, k) = semanage_bool_key_create(self.sh, name) ++ (rc, t_b) = semanage_bool_create(self.sh) ++ if rc < 0: ++ raise ValueError(_("Could not create login mapping for %s") % name) ++ rc = semanage_bool_set_name(self.sh, t_b, name) ++ if rc < 0: ++ raise ValueError(_("Could not set name for %s") % name) ++ ++ (rc, k) = semanage_bool_key_extract(self.sh, t_b) + if rc < 0: + raise ValueError(_("Could not create a key for %s") % name) + (rc, exists) = semanage_bool_exists(self.sh, k) @@ -630408,7 +631235,7 @@ index 0000000..33f5fa9 + else: + raise ValueError(_("You must specify one of the following values: %s") % ", ".join(list(self.dict.keys()))) + -+ if self.modify_local and name in self.current_booleans: ++ if self.modify_local and name.encode() in self.current_booleans: + rc = semanage_bool_set_active(self.sh, k, b) + if rc < 0: + raise ValueError(_("Could not set active value of boolean %s") % name) @@ -630416,6 +631243,7 @@ index 0000000..33f5fa9 + if rc < 0: + raise ValueError(_("Could not modify boolean %s") % name) + semanage_bool_key_free(k) ++ semanage_bool_free(t_b) + semanage_bool_free(b) + + def modify(self, name, value=None, use_file=False): @@ -630441,7 +631269,14 @@ index 0000000..33f5fa9 + def __delete(self, name): + name = selinux.selinux_boolean_sub(name) + -+ (rc, k) = semanage_bool_key_create(self.sh, name) ++ (rc, t_b) = semanage_bool_create(self.sh) ++ if rc < 0: ++ raise ValueError(_("Could not create login mapping for %s") % name) ++ rc = semanage_bool_set_name(self.sh, t_b, name) ++ if rc < 0: ++ raise ValueError(_("Could not set name for %s") % name) ++ ++ (rc, k) = semanage_bool_key_extract(self.sh, t_b) + if rc < 0: + raise ValueError(_("Could not create a key for %s") % name) + (rc, exists) = semanage_bool_exists(self.sh, k) 
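Review bot: The error raised when `semanage_bool_create` fails in booleanRecords.__mod reads `Could not create login mapping for %s`, copied from the seuser code; for a boolean it should say `Could not create boolean record for %s` (the same string is reused in __delete further down in this file and in the seluserRecords hunks above). In addition, the early `raise ValueError` paths after `t_b` is created leave it unfreed; add `semanage_bool_free(t_b)` before each raise, or wrap the key extraction in a try/finally that releases `t_b`. __mod continues past the hunk.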
@@ -630461,6 +631296,7 @@ index 0000000..33f5fa9 + raise ValueError(_("Could not delete boolean %s") % name) + + semanage_bool_key_free(k) ++ semanage_bool_free(t_b) + + def delete(self, name): + self.begin() @@ -630581,6 +631417,19 @@ index 0000000..7735c59 + download_url = '', + packages=["seobject"], +) +diff --git policycoreutils-2.5/semanage/test-semanage.py policycoreutils-2.5/semanage/test-semanage.py +index 293e1fd..4deb827 100644 +--- policycoreutils-2.5/semanage/test-semanage.py ++++ policycoreutils-2.5/semanage/test-semanage.py +@@ -1,8 +1,5 @@ + import unittest +-import os +-import shutil + import sys +-from tempfile import mkdtemp + from subprocess import Popen, PIPE + + import argparse diff --git policycoreutils-2.5/semodule/semodule.8 policycoreutils-2.5/semodule/semodule.8 index 6db390c..0c5fdf7 100644 --- policycoreutils-2.5/semodule/semodule.8 @@ -630627,7 +631476,7 @@ index 6db390c..0c5fdf7 100644 .SH SEE ALSO diff --git policycoreutils-2.5/semodule/semodule.c policycoreutils-2.5/semodule/semodule.c -index bcfaa2b..63900f4 100644 +index bcfaa2b..ce048bc 100644 --- policycoreutils-2.5/semodule/semodule.c +++ policycoreutils-2.5/semodule/semodule.c @@ -127,7 +127,7 @@ static void usage(char *progname) @@ -630639,6 +631488,15 @@ index bcfaa2b..63900f4 100644 printf(" KIND: standard list highest priority, enabled modules\n"); printf(" full list all modules\n"); printf(" -X,--priority=PRIORITY set priority for following operations (1-999)\n"); +@@ -209,7 +209,7 @@ static void parse_command_line(int argc, char **argv) + no_reload = 0; + priority = 400; + while ((i = +- getopt_long(argc, argv, "s:b:hi:l::vqr:u:RnNBDCPX:e:d:p:S:E:cH", opts, ++ getopt_long(argc, argv, "s:b:hi:l::vr:u:RnNBDCPX:e:d:p:S:E:cH", opts, + NULL)) != -1) { + switch (i) { + case 'b': diff --git policycoreutils-2.5/sepolicy/common.h policycoreutils-2.5/sepolicy/common.h index dc3ce6a..3b93845 100644 --- policycoreutils-2.5/sepolicy/common.h 
@@ -632056,9 +632914,15 @@ index 693c6fe..6da7075 100644 def reinit(): diff --git policycoreutils-2.5/sepolicy/sepolicy/booleans.py policycoreutils-2.5/sepolicy/sepolicy/booleans.py -index 56bef26..97236b6 100644 +index 56bef26..72f7221 100644 --- policycoreutils-2.5/sepolicy/sepolicy/booleans.py +++ policycoreutils-2.5/sepolicy/sepolicy/booleans.py +@@ -1,4 +1,4 @@ +-#! /usr/bin/python -Es ++#! /usr/bin/python3 -Es + # Copyright (C) 2012 Red Hat + # see file 'COPYING' for use and warranty information + # @@ -39,6 +39,6 @@ def get_types(src, tclass, perm): raise TypeError("The %s type is not allowed to %s any types" % (src, ",".join(perm))) @@ -632068,9 +632932,15 @@ index 56bef26..97236b6 100644 tlist = tlist + expand_attribute(l) return tlist diff --git policycoreutils-2.5/sepolicy/sepolicy/communicate.py policycoreutils-2.5/sepolicy/sepolicy/communicate.py -index 9939c23..27be126 100755 +index 9939c23..04d4bbb 100755 --- policycoreutils-2.5/sepolicy/sepolicy/communicate.py +++ policycoreutils-2.5/sepolicy/sepolicy/communicate.py +@@ -1,4 +1,4 @@ +-#! /usr/bin/python -Es ++#! /usr/bin/python3 -Es + # Copyright (C) 2012 Red Hat + # see file 'COPYING' for use and warranty information + # @@ -47,6 +47,6 @@ def get_types(src, tclass, perm): raise ValueError("The %s type is not allowed to %s any types" % (src, ",".join(perm))) @@ -632080,7 +632950,7 @@ index 9939c23..27be126 100755 tlist = tlist + expand_attribute(l) return tlist diff --git policycoreutils-2.5/sepolicy/sepolicy/generate.py policycoreutils-2.5/sepolicy/sepolicy/generate.py -index a92783a..de1c5ef 100644 +index a92783a..8b3b131 100644 --- policycoreutils-2.5/sepolicy/sepolicy/generate.py +++ policycoreutils-2.5/sepolicy/sepolicy/generate.py @@ -1,4 +1,4 @@ 
@@ -632273,7 +633143,7 @@ index a92783a..de1c5ef 100644 newsh += re.sub("FILENAME", i, script.restorecon) for i in self.in_tcp[PORTS] + self.out_tcp[PORTS]: -@@ -1176,8 +1184,7 @@ allow %s_t %s_t:%s_socket name_%s; +@@ -1176,28 +1184,31 @@ allow %s_t %s_t:%s_socket name_%s; newsh += re.sub("TEMPLATETYPE", self.name, t1) newsh += self.generate_user_sh() @@ -632283,7 +633153,20 @@ index a92783a..de1c5ef 100644 return newsh -@@ -1192,12 +1199,12 @@ allow %s_t %s_t:%s_socket name_%s; + def generate_spec(self): + newspec = "" + +- selinux_policyver = get_rpm_nvr_list("selinux-policy")[1] +- POLICYCOREUTILSVER = get_rpm_nvr_list("checkpolicy")[1] ++ selinux_policynvr = get_rpm_nvr_list("selinux-policy") ++ ++ if selinux_policynvr is None: ++ selinux_policyver = "0.0.0" ++ else: ++ selinux_policyver = selinux_policynvr[1] + + newspec += spec.header_comment_section + if self.type in APPLICATIONS: newspec += spec.define_relabel_files_begin if self.program: newspec += re.sub("FILENAME", self.program, spec.define_relabel_files_end) @@ -632302,7 +633185,7 @@ index a92783a..de1c5ef 100644 newspec += re.sub("VERSION", selinux_policyver, spec.base_section) newspec = re.sub("MODULENAME", self.file_name, newspec) -@@ -1239,7 +1246,7 @@ allow %s_t %s_t:%s_socket name_%s; +@@ -1239,7 +1250,7 @@ allow %s_t %s_t:%s_socket name_%s; fd = open(shfile, "w") fd.write(self.generate_sh()) fd.close() @@ -632311,7 +633194,7 @@ index a92783a..de1c5ef 100644 return shfile def write_if(self, out_dir): -@@ -1257,13 +1264,15 @@ allow %s_t %s_t:%s_socket name_%s; +@@ -1257,13 +1268,15 @@ allow %s_t %s_t:%s_socket name_%s; return fcfile def __extract_rpms(self): @@ -632332,7 +633215,7 @@ index a92783a..de1c5ef 100644 for b in self.DEFAULT_DIRS: if b == "/etc": continue -@@ -1273,8 +1282,9 @@ allow %s_t %s_t:%s_socket name_%s; +@@ -1273,8 +1286,9 @@ allow %s_t %s_t:%s_socket name_%s; else: self.add_dir(fname) 
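Review bot: The new `None` fallback in `generate_spec` substitutes `"0.0.0"` for the selinux-policy version silently, so the generated spec carries a meaningless policy version requirement (wherever `VERSION` is substituted in `spec.base_section`, later in the method) without the user learning that the rpm lookup failed; emit a warning there, e.g. `print(_("selinux-policy is not installed; using 0.0.0 as the policy version"), file=sys.stderr)` if `sys` is imported in generate.py, which is not in view. The non-None branch still indexes `selinux_policynvr[1]`, which assumes `get_rpm_nvr_list` returns at least two elements; that helper is outside the hunk, so confirm it cannot return a shorter list. Dropping the unguarded `POLICYCOREUTILSVER = get_rpm_nvr_list("checkpolicy")[1]` is a good side effect, provided nothing later in the method used it. generate_spec continues past the hunk.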
@@ -632344,7 +633227,7 @@ index a92783a..de1c5ef 100644 for b in self.DEFAULT_DIRS: if b == "/etc": continue -@@ -1287,8 +1297,8 @@ allow %s_t %s_t:%s_socket name_%s; +@@ -1287,8 +1301,8 @@ allow %s_t %s_t:%s_socket name_%s; # some packages have own systemd subpackage # tor-systemd for example binary_name = self.program.split("/")[-1] @@ -632355,7 +633238,7 @@ index a92783a..de1c5ef 100644 for b in self.DEFAULT_DIRS: if b == "/etc": continue -@@ -1325,7 +1335,7 @@ allow %s_t %s_t:%s_socket name_%s; +@@ -1325,7 +1339,7 @@ allow %s_t %s_t:%s_socket name_%s; # we don't want to have subdir in the .fc policy file # if we already specify labeling for parent dir temp_basepath = [] @@ -632364,7 +633247,7 @@ index a92783a..de1c5ef 100644 temp_dirs = [] try: temp_basepath = self.DEFAULT_DIRS[p][1][0] + "/" -@@ -1340,9 +1350,9 @@ allow %s_t %s_t:%s_socket name_%s; +@@ -1340,9 +1354,9 @@ allow %s_t %s_t:%s_socket name_%s; if len(temp_dirs) is not 0: for i in temp_dirs: @@ -632376,7 +633259,7 @@ index a92783a..de1c5ef 100644 del(self.files[i]) else: continue -@@ -1364,7 +1374,7 @@ Warning %s does not exist +@@ -1364,7 +1378,7 @@ Warning %s does not exist for s in fd.read().split(): for b in self.symbols: if s.startswith(b): @@ -632385,7 +633268,7 @@ index a92783a..de1c5ef 100644 fd.close() def generate(self, out_dir=os.getcwd()): -@@ -1373,7 +1383,6 @@ Warning %s does not exist +@@ -1373,7 +1387,6 @@ Warning %s does not exist out += "%s # %s\n" % (self.write_if(out_dir), _("Interface file")) out += "%s # %s\n" % (self.write_fc(out_dir), _("File Contexts file")) if self.type != NEWTYPE: @@ -633659,9 +634542,15 @@ index 7de2f80..49df6fa 100755 SELinux policy allows the %s role%s can transition to the %s_r role. 
diff --git policycoreutils-2.5/sepolicy/sepolicy/network.py policycoreutils-2.5/sepolicy/sepolicy/network.py -index 1ca3158..ccaeff3 100755 +index 1ca3158..126df7c 100755 --- policycoreutils-2.5/sepolicy/sepolicy/network.py +++ policycoreutils-2.5/sepolicy/sepolicy/network.py +@@ -1,4 +1,4 @@ +-#! /usr/bin/python -Es ++#! /usr/bin/python3 -Es + # Copyright (C) 2012 Red Hat + # see file 'COPYING' for use and warranty information + # @@ -25,20 +25,22 @@ search = sepolicy.search info = sepolicy.info @@ -633954,9 +634843,15 @@ index 893a204..3a3faa6 100644 # Local policy # diff --git policycoreutils-2.5/sepolicy/sepolicy/transition.py policycoreutils-2.5/sepolicy/sepolicy/transition.py -index 15b0eb1..a8edb69 100755 +index 15b0eb1..ecac908 100755 --- policycoreutils-2.5/sepolicy/sepolicy/transition.py +++ policycoreutils-2.5/sepolicy/sepolicy/transition.py +@@ -1,4 +1,4 @@ +-#! /usr/bin/python -Es ++#! /usr/bin/python3 -Es + # Copyright (C) 2011 Red Hat + # see file 'COPYING' for use and warranty information + # @@ -81,4 +81,4 @@ class setrans: def output(self): diff --git a/policycoreutils-fix-semanage-python3.patch b/policycoreutils-fix-semanage-python3.patch deleted file mode 100644 index e4f2676..0000000 --- a/policycoreutils-fix-semanage-python3.patch +++ /dev/null 
@@ -1,261 +0,0 @@ -diff --git a/policycoreutils/semanage/seobject/__init__.py b/policycoreutils/semanage/seobject/__init__.py -index 33f5fa9..d489a90 100644 ---- a/policycoreutils/semanage/seobject/__init__.py -+++ b/policycoreutils/semanage/seobject/__init__.py -@@ -520,7 +520,15 @@ class loginRecords(semanageRecords): - else: - serange = RANGE - -- (rc, k) = semanage_seuser_key_create(self.sh, name) -+ (rc, u) = semanage_seuser_create(self.sh) -+ if rc < 0: -+ raise ValueError(_("Could not create login mapping for %s") % name) -+ -+ rc = semanage_seuser_set_name(self.sh, u, name) -+ if rc < 0: -+ raise ValueError(_("Could not set name for %s") % name) -+ -+ (rc, k) = semanage_seuser_key_extract(self.sh, u) - if rc < 0: - raise ValueError(_("Could not create a key for %s") % name) - -@@ -529,6 +537,7 @@ class loginRecords(semanageRecords): - raise ValueError(_("Could not check if login mapping for %s is defined") % name) - if exists: - semanage_seuser_key_free(k) -+ semanage_seuser_free(u) - return self.__modify(name, sename, serange) - - if name[0] == '%': -@@ -542,14 +551,6 @@ class loginRecords(semanageRecords): - except: - raise ValueError(_("Linux User %s does not exist") % name) - -- (rc, u) = semanage_seuser_create(self.sh) -- if rc < 0: -- raise ValueError(_("Could not create login mapping for %s") % name) -- -- rc = semanage_seuser_set_name(self.sh, u, name) -- if rc < 0: -- raise ValueError(_("Could not set name for %s") % name) -- - if serange: - rc = semanage_seuser_set_mlsrange(self.sh, u, serange) - if rc < 0: -@@ -594,7 +595,15 @@ class loginRecords(semanageRecords): - else: - self.serange = RANGE - -- (rc, k) = semanage_seuser_key_create(self.sh, name) -+ (rc, tmp_u) = semanage_seuser_create(self.sh) -+ if rc < 0: -+ raise ValueError(_("Could not create login mapping for %s") % name) -+ -+ rc = semanage_seuser_set_name(self.sh, tmp_u, name) -+ if rc < 0: -+ raise ValueError(_("Could not set name for %s") % name) -+ -+ (rc, k) = 
semanage_seuser_key_extract(self.sh, tmp_u) - if rc < 0: - raise ValueError(_("Could not create a key for %s") % name) - -@@ -624,6 +633,7 @@ class loginRecords(semanageRecords): - raise ValueError(_("Could not modify login mapping for %s") % name) - - semanage_seuser_key_free(k) -+ semanage_seuser_free(tmp_u) - semanage_seuser_free(u) - self.mylog.log("login", name, sename=self.sename, serange=self.serange, serole=",".join(serole), oldserole=",".join(oldserole), oldsename=self.oldsename, oldserange=self.oldserange) - -@@ -641,7 +651,15 @@ class loginRecords(semanageRecords): - userrec = seluserRecords() - RANGE, (rc, oldserole) = userrec.get(self.oldsename) - -- (rc, k) = semanage_seuser_key_create(self.sh, name) -+ (rc, u) = semanage_seuser_create(self.sh) -+ if rc < 0: -+ raise ValueError(_("Could not create login mapping for %s") % name) -+ -+ rc = semanage_seuser_set_name(self.sh, u, name) -+ if rc < 0: -+ raise ValueError(_("Could not set name for %s") % name) -+ -+ (rc, k) = semanage_seuser_key_extract(self.sh, u) - if rc < 0: - raise ValueError(_("Could not create a key for %s") % name) - -@@ -662,6 +680,7 @@ class loginRecords(semanageRecords): - raise ValueError(_("Could not delete login mapping for %s") % name) - - semanage_seuser_key_free(k) -+ semanage_seuser_free(u) - - rec, self.sename, self.serange = selinux.getseuserbyname("__default__") - RANGE, (rc, serole) = userrec.get(self.sename) -@@ -763,7 +782,15 @@ class seluserRecords(semanageRecords): - semanageRecords.__init__(self, store) - - def get(self, name): -- (rc, k) = semanage_user_key_create(self.sh, name) -+ (rc, tmp_u) = semanage_user_create(self.sh) -+ if rc < 0: -+ raise ValueError(_("Could not create login mapping for %s") % name) -+ -+ rc = semanage_user_set_name(self.sh, tmp_u, name) -+ if rc < 0: -+ raise ValueError(_("Could not set name for %s") % name) -+ -+ (rc, k) = semanage_user_key_extract(self.sh, tmp_u) - if rc < 0: - raise ValueError(_("Could not create a key for %s") % name) 
- (rc, exists) = semanage_user_exists(self.sh, k) -@@ -775,6 +802,7 @@ class seluserRecords(semanageRecords): - serange = semanage_user_get_mlsrange(u) - serole = semanage_user_get_roles(self.sh, u) - semanage_user_key_free(k) -+ semanage_user_free(tmp_u) - semanage_user_free(u) - return serange, serole - -@@ -793,7 +821,15 @@ class seluserRecords(semanageRecords): - if len(roles) < 1: - raise ValueError(_("You must add at least one role for %s") % name) - -- (rc, k) = semanage_user_key_create(self.sh, name) -+ (rc, u) = semanage_user_create(self.sh) -+ if rc < 0: -+ raise ValueError(_("Could not create login mapping for %s") % name) -+ -+ rc = semanage_user_set_name(self.sh, u, name) -+ if rc < 0: -+ raise ValueError(_("Could not set name for %s") % name) -+ -+ (rc, k) = semanage_user_key_extract(self.sh, u) - if rc < 0: - raise ValueError(_("Could not create a key for %s") % name) - -@@ -802,16 +838,9 @@ class seluserRecords(semanageRecords): - raise ValueError(_("Could not check if SELinux user %s is defined") % name) - if exists: - semanage_user_key_free(k) -+ semanage_user_free(u) - return self.__modify(name, roles, selevel, serange, prefix) - -- (rc, u) = semanage_user_create(self.sh) -- if rc < 0: -- raise ValueError(_("Could not create SELinux user for %s") % name) -- -- rc = semanage_user_set_name(self.sh, u, name) -- if rc < 0: -- raise ValueError(_("Could not set name for %s") % name) -- - for r in roles: - rc = semanage_user_add_role(self.sh, u, r) - if rc < 0: -@@ -859,7 +888,15 @@ class seluserRecords(semanageRecords): - else: - raise ValueError(_("Requires prefix or roles")) - -- (rc, k) = semanage_user_key_create(self.sh, name) -+ (rc, tmp_u) = semanage_user_create(self.sh) -+ if rc < 0: -+ raise ValueError(_("Could not create login mapping for %s") % name) -+ -+ rc = semanage_user_set_name(self.sh, tmp_u, name) -+ if rc < 0: -+ raise ValueError(_("Could not set name for %s") % name) -+ -+ (rc, k) = semanage_user_key_extract(self.sh, tmp_u) - if rc 
< 0: - raise ValueError(_("Could not create a key for %s") % name) - -@@ -899,6 +936,7 @@ class seluserRecords(semanageRecords): - raise ValueError(_("Could not modify SELinux user %s") % name) - - semanage_user_key_free(k) -+ semanage_user_free(tmp_u) - semanage_user_free(u) - - role = ",".join(newroles.split()) -@@ -916,7 +954,15 @@ class seluserRecords(semanageRecords): - raise error - - def __delete(self, name): -- (rc, k) = semanage_user_key_create(self.sh, name) -+ (rc, tmp_u) = semanage_user_create(self.sh) -+ if rc < 0: -+ raise ValueError(_("Could not create login mapping for %s") % name) -+ -+ rc = semanage_user_set_name(self.sh, tmp_u, name) -+ if rc < 0: -+ raise ValueError(_("Could not set name for %s") % name) -+ -+ (rc, k) = semanage_user_key_extract(self.sh, tmp_u) - if rc < 0: - raise ValueError(_("Could not create a key for %s") % name) - -@@ -944,6 +990,7 @@ class seluserRecords(semanageRecords): - raise ValueError(_("Could not delete SELinux user %s") % name) - - semanage_user_key_free(k) -+ semanage_user_free(tmp_u) - semanage_user_free(u) - - self.mylog.log_remove("seuser", oldsename=name, oldserange=oldserange, oldserole=oldserole) -@@ -2119,7 +2166,14 @@ class booleanRecords(semanageRecords): - def __mod(self, name, value): - name = selinux.selinux_boolean_sub(name) - -- (rc, k) = semanage_bool_key_create(self.sh, name) -+ (rc, t_b) = semanage_bool_create(self.sh) -+ if rc < 0: -+ raise ValueError(_("Could not create login mapping for %s") % name) -+ rc = semanage_bool_set_name(self.sh, t_b, name) -+ if rc < 0: -+ raise ValueError(_("Could not set name for %s") % name) -+ -+ (rc, k) = semanage_bool_key_extract(self.sh, t_b) - if rc < 0: - raise ValueError(_("Could not create a key for %s") % name) - (rc, exists) = semanage_bool_exists(self.sh, k) -@@ -2137,7 +2191,7 @@ class booleanRecords(semanageRecords): - else: - raise ValueError(_("You must specify one of the following values: %s") % ", ".join(list(self.dict.keys()))) - -- if 
self.modify_local and name in self.current_booleans: -+ if self.modify_local and name.encode() in self.current_booleans: - rc = semanage_bool_set_active(self.sh, k, b) - if rc < 0: - raise ValueError(_("Could not set active value of boolean %s") % name) -@@ -2145,6 +2199,7 @@ class booleanRecords(semanageRecords): - if rc < 0: - raise ValueError(_("Could not modify boolean %s") % name) - semanage_bool_key_free(k) -+ semanage_bool_free(t_b) - semanage_bool_free(b) - - def modify(self, name, value=None, use_file=False): -@@ -2170,7 +2225,14 @@ class booleanRecords(semanageRecords): - def __delete(self, name): - name = selinux.selinux_boolean_sub(name) - -- (rc, k) = semanage_bool_key_create(self.sh, name) -+ (rc, t_b) = semanage_bool_create(self.sh) -+ if rc < 0: -+ raise ValueError(_("Could not create login mapping for %s") % name) -+ rc = semanage_bool_set_name(self.sh, t_b, name) -+ if rc < 0: -+ raise ValueError(_("Could not set name for %s") % name) -+ -+ (rc, k) = semanage_bool_key_extract(self.sh, t_b) - if rc < 0: - raise ValueError(_("Could not create a key for %s") % name) - (rc, exists) = semanage_bool_exists(self.sh, k) -@@ -2190,6 +2252,7 @@ class booleanRecords(semanageRecords): - raise ValueError(_("Could not delete boolean %s") % name) - - semanage_bool_key_free(k) -+ semanage_bool_free(t_b) - - def delete(self, name): - self.begin() diff --git a/policycoreutils-sandbox-python3.patch b/policycoreutils-sandbox-python3.patch deleted file mode 100644 index 317b8e4..0000000 --- a/policycoreutils-sandbox-python3.patch +++ /dev/null @@ -1,10 +0,0 @@ -diff --git a/policycoreutils/sandbox/start b/policycoreutils/sandbox/start -index e0a0c2c..cdc4a3e 100644 ---- a/policycoreutils/sandbox/start -+++ b/policycoreutils/sandbox/start -@@ -1,4 +1,4 @@ --#! /usr/bin/python -Es -+#! /usr/bin/python3 -Es - import subprocess, sys - rc = [-1,''] - try: diff --git a/policycoreutils.spec b/policycoreutils.spec index 17d0871..f26db5a 100644 --- a/policycoreutils.spec 
+++ b/policycoreutils.spec @@ -1,7 +1,7 @@ %global libauditver 2.1.3-4 -%global libsepolver 2.5-9 -%global libsemanagever 2.5-7 -%global libselinuxver 2.5-11 +%global libsepolver 2.5-10 +%global libsemanagever 2.5-8 +%global libselinuxver 2.5-12 %global sepolgenver 1.2.3 %global generatorsdir %{_prefix}/lib/systemd/system-generators @@ -9,7 +9,7 @@ Summary: SELinux policy core utilities Name: policycoreutils Version: 2.5 -Release: 16%{?dist} +Release: 17%{?dist} License: GPLv2 Group: System Environment/Base # https://github.com/SELinuxProject/selinux/wiki/Releases @@ -27,12 +27,10 @@ Source9: selinux-autorelabel-generator.sh # download https://raw.githubusercontent.com/fedora-selinux/scripts/master/selinux/make-fedora-selinux-patch.sh # run: # $ VERSION=2.5 ./make-fedora-selinux-patch.sh policycoreutils -# HEAD https://github.com/fedora-selinux/selinux/commit/dbf42c22e798a5e2cf9c1fc711c803e7da20cfb4 +# HEAD https://github.com/fedora-selinux/selinux/commit/caefad506ca46db441952ab64ebfc6202897516b Patch: policycoreutils-fedora.patch # $ VERSION=1.2.3 ./make-fedora-selinux-patch.sh sepolgen Patch1: sepolgen-fedora.patch -Patch100: policycoreutils-fix-semanage-python3.patch -Patch101: policycoreutils-sandbox-python3.patch Obsoletes: policycoreutils < 2.0.61-2 Conflicts: filesystem < 3, selinux-policy-base < 3.13.1-138 # initscripts < 9.66 shipped fedora-autorelabel services which are renamed to selinux-relabel @@ -68,8 +66,6 @@ to switch roles. %setup -q -c -n selinux %patch -p0 -b .policycoreutils-fedora pushd policycoreutils-2.5 -%patch100 -p2 -b .semanage-python3 -%patch101 -p2 -b .sandbox-python3 popd cp %{SOURCE3} policycoreutils-2.5/gui/ 
@@ -436,6 +432,33 @@ The policycoreutils-restorecond package contains the restorecond service.
 %systemd_postun_with_restart restorecond.service
 
 %changelog
+* Mon Oct 03 2016 Petr Lautrbach 2.5-17
+- sandbox: Use dbus-run-session instead of dbus-launch when available
+- hll/pp: Change warning for module name not matching filename to match new behavior
+- Remove LDFLAGS from CFLAGS
+- sandbox: create a new session for sandboxed processes
+- sandbox: do not try to setup directories without -X or -M
+- sandbox: do not run xmodmap in a new X session
+- sandbox: Use GObject introspection binding instead of pygtk2
+- sandbox: fix file labels on copied files
+- sandbox: tests - close stdout of p
+- sandbox: tests - use sandbox from cwd
+- audit2allow: tests should use local copy not system
+- audit2allow: fix audit2why import from seobject
+- audit2allow: remove audit2why so that it gets symlinked
+- semanage: fix man page and help message for import option
+- semanage: fix error message for fcontext -m
+- semanage: Fix semanage fcontext -D
+- semanage: Correct fcontext auditing
+- semanage: Default serange to "s0" for port modify
+- semanage: Use socket.getprotobyname for protocol
+- semanage: fix modify action in node and interface
+- fixfiles: Pass -n to restorecon for fixfiles check
+- sepolicy: Check get_rpm_nvr_list() return value
+- Don't use subprocess.getstatusoutput() in Python 2 code
+- semanage: Add auditing of changes in records
+- Remove unused 'q' from semodule getopt string
+
 * Mon Aug 01 2016 Petr Lautrbach 2.5-16
 - Remove unused autoconf files from po/
 - Remove duplicate, empty translation files
diff --git a/sepolgen-fedora.patch b/sepolgen-fedora.patch
index 66e7767..7a33ad5 100644
--- a/sepolgen-fedora.patch
+++ b/sepolgen-fedora.patch
@@ -376,3 +376,19 @@ index 924a9be..e17eef2 100644 test: $(PYTHON) run-tests.py +diff --git sepolgen-1.2.3/tests/module_compile_test.te sepolgen-1.2.3/tests/module_compile_test.te +index 446c8dc..b365448 100644 +--- sepolgen-1.2.3/tests/module_compile_test.te ++++ sepolgen-1.2.3/tests/module_compile_test.te +@@ -1,8 +1,8 @@ +-module foo 1.0; ++module module_compile_test 1.0; + + require { + type foo, bar; + class file { read write }; + } + +-allow foo bar : file { read write }; +\ No newline at end of file ++allow foo bar : file { read write };