rpms/policycoreutils
7
0
Fork 0
Code Issues Pull Requests Releases Activity

policycoreutils-2.5-17

Browse Source 
- sandbox: Use dbus-run-session instead of dbus-launch when available
- hll/pp: Change warning for module name not matching filename to match new behavior
- Remove LDFLAGS from CFLAGS
- sandbox: create a new session for sandboxed processes
- sandbox: do not try to setup directories without -X or -M
- sandbox: do not run xmodmap in a new X session
- sandbox: Use GObject introspection binding instead of pygtk2
- sandbox: fix file labels on copied files
- sandbox: tests - close stdout of p
- sandbox: tests - use sandbox from cwd
- audit2allow: tests should use local copy not system
- audit2allow: fix audit2why import from seobject
- audit2allow: remove audit2why so that it gets symlinked
- semanage: fix man page and help message for import option
- semanage: fix error message for fcontext -m
- semanage: Fix semanage fcontext -D
- semanage: Correct fcontext auditing
- semanage: Default serange to "s0" for port modify
- semanage: Use socket.getprotobyname for protocol
- semanage: fix modify action in node and interface
- fixfiles: Pass -n to restorecon for fixfiles check
- sepolicy: Check get_rpm_nvr_list() return value
- Don't use subprocess.getstatusoutput() in Python 2 code
- semanage: Add auditing of changes in records
- Remove unused 'q' from semodule getopt string
This commit is contained in:
Petr Lautrbach 2016-10-04 08:41:54 +02:00
parent 5e59af1d9e
commit 953350ddce
5 changed files with 1088 additions and 425 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1155
policycoreutils-fedora.patch
View File

File diff suppressed because it is too large Load Diff

261
policycoreutils-fix-semanage-python3.patch
View File

@ -1,261 +0,0 @@
diff --git a/policycoreutils/semanage/seobject/__init__.py b/policycoreutils/semanage/seobject/__init__.py
index 33f5fa9..d489a90 100644
--- a/policycoreutils/semanage/seobject/__init__.py
+++ b/policycoreutils/semanage/seobject/__init__.py
@@ -520,7 +520,15 @@ class loginRecords(semanageRecords):
else:
serange = RANGE
- (rc, k) = semanage_seuser_key_create(self.sh, name)
+ (rc, u) = semanage_seuser_create(self.sh)
+ if rc < 0:
+ raise ValueError(_("Could not create login mapping for %s") % name)
+
+ rc = semanage_seuser_set_name(self.sh, u, name)
+ if rc < 0:
+ raise ValueError(_("Could not set name for %s") % name)
+
+ (rc, k) = semanage_seuser_key_extract(self.sh, u)
if rc < 0:
raise ValueError(_("Could not create a key for %s") % name)
@@ -529,6 +537,7 @@ class loginRecords(semanageRecords):
raise ValueError(_("Could not check if login mapping for %s is defined") % name)
if exists:
semanage_seuser_key_free(k)
+ semanage_seuser_free(u)
return self.__modify(name, sename, serange)
if name[0] == '%':
@@ -542,14 +551,6 @@ class loginRecords(semanageRecords):
except:
raise ValueError(_("Linux User %s does not exist") % name)
- (rc, u) = semanage_seuser_create(self.sh)
- if rc < 0:
- raise ValueError(_("Could not create login mapping for %s") % name)
-
- rc = semanage_seuser_set_name(self.sh, u, name)
- if rc < 0:
- raise ValueError(_("Could not set name for %s") % name)
-
if serange:
rc = semanage_seuser_set_mlsrange(self.sh, u, serange)
if rc < 0:
@@ -594,7 +595,15 @@ class loginRecords(semanageRecords):
else:
self.serange = RANGE
- (rc, k) = semanage_seuser_key_create(self.sh, name)
+ (rc, tmp_u) = semanage_seuser_create(self.sh)
+ if rc < 0:
+ raise ValueError(_("Could not create login mapping for %s") % name)
+
+ rc = semanage_seuser_set_name(self.sh, tmp_u, name)
+ if rc < 0:
+ raise ValueError(_("Could not set name for %s") % name)
+
+ (rc, k) = semanage_seuser_key_extract(self.sh, tmp_u)
if rc < 0:
raise ValueError(_("Could not create a key for %s") % name)
@@ -624,6 +633,7 @@ class loginRecords(semanageRecords):
raise ValueError(_("Could not modify login mapping for %s") % name)
semanage_seuser_key_free(k)
+ semanage_seuser_free(tmp_u)
semanage_seuser_free(u)
self.mylog.log("login", name, sename=self.sename, serange=self.serange, serole=",".join(serole), oldserole=",".join(oldserole), oldsename=self.oldsename, oldserange=self.oldserange)
@@ -641,7 +651,15 @@ class loginRecords(semanageRecords):
userrec = seluserRecords()
RANGE, (rc, oldserole) = userrec.get(self.oldsename)
- (rc, k) = semanage_seuser_key_create(self.sh, name)
+ (rc, u) = semanage_seuser_create(self.sh)
+ if rc < 0:
+ raise ValueError(_("Could not create login mapping for %s") % name)
+
+ rc = semanage_seuser_set_name(self.sh, u, name)
+ if rc < 0:
+ raise ValueError(_("Could not set name for %s") % name)
+
+ (rc, k) = semanage_seuser_key_extract(self.sh, u)
if rc < 0:
raise ValueError(_("Could not create a key for %s") % name)
@@ -662,6 +680,7 @@ class loginRecords(semanageRecords):
raise ValueError(_("Could not delete login mapping for %s") % name)
semanage_seuser_key_free(k)
+ semanage_seuser_free(u)
rec, self.sename, self.serange = selinux.getseuserbyname("__default__")
RANGE, (rc, serole) = userrec.get(self.sename)
@@ -763,7 +782,15 @@ class seluserRecords(semanageRecords):
semanageRecords.__init__(self, store)
def get(self, name):
- (rc, k) = semanage_user_key_create(self.sh, name)
+ (rc, tmp_u) = semanage_user_create(self.sh)
+ if rc < 0:
+ raise ValueError(_("Could not create login mapping for %s") % name)
+
+ rc = semanage_user_set_name(self.sh, tmp_u, name)
+ if rc < 0:
+ raise ValueError(_("Could not set name for %s") % name)
+
+ (rc, k) = semanage_user_key_extract(self.sh, tmp_u)
if rc < 0:
raise ValueError(_("Could not create a key for %s") % name)
(rc, exists) = semanage_user_exists(self.sh, k)
@@ -775,6 +802,7 @@ class seluserRecords(semanageRecords):
serange = semanage_user_get_mlsrange(u)
serole = semanage_user_get_roles(self.sh, u)
semanage_user_key_free(k)
+ semanage_user_free(tmp_u)
semanage_user_free(u)
return serange, serole
@@ -793,7 +821,15 @@ class seluserRecords(semanageRecords):
if len(roles) < 1:
raise ValueError(_("You must add at least one role for %s") % name)
- (rc, k) = semanage_user_key_create(self.sh, name)
+ (rc, u) = semanage_user_create(self.sh)
+ if rc < 0:
+ raise ValueError(_("Could not create login mapping for %s") % name)
+
+ rc = semanage_user_set_name(self.sh, u, name)
+ if rc < 0:
+ raise ValueError(_("Could not set name for %s") % name)
+
+ (rc, k) = semanage_user_key_extract(self.sh, u)
if rc < 0:
raise ValueError(_("Could not create a key for %s") % name)
@@ -802,16 +838,9 @@ class seluserRecords(semanageRecords):
raise ValueError(_("Could not check if SELinux user %s is defined") % name)
if exists:
semanage_user_key_free(k)
+ semanage_user_free(u)
return self.__modify(name, roles, selevel, serange, prefix)
- (rc, u) = semanage_user_create(self.sh)
- if rc < 0:
- raise ValueError(_("Could not create SELinux user for %s") % name)
-
- rc = semanage_user_set_name(self.sh, u, name)
- if rc < 0:
- raise ValueError(_("Could not set name for %s") % name)
-
for r in roles:
rc = semanage_user_add_role(self.sh, u, r)
if rc < 0:
@@ -859,7 +888,15 @@ class seluserRecords(semanageRecords):
else:
raise ValueError(_("Requires prefix or roles"))
- (rc, k) = semanage_user_key_create(self.sh, name)
+ (rc, tmp_u) = semanage_user_create(self.sh)
+ if rc < 0:
+ raise ValueError(_("Could not create login mapping for %s") % name)
+
+ rc = semanage_user_set_name(self.sh, tmp_u, name)
+ if rc < 0:
+ raise ValueError(_("Could not set name for %s") % name)
+
+ (rc, k) = semanage_user_key_extract(self.sh, tmp_u)
if rc < 0:
raise ValueError(_("Could not create a key for %s") % name)
@@ -899,6 +936,7 @@ class seluserRecords(semanageRecords):
raise ValueError(_("Could not modify SELinux user %s") % name)
semanage_user_key_free(k)
+ semanage_user_free(tmp_u)
semanage_user_free(u)
role = ",".join(newroles.split())
@@ -916,7 +954,15 @@ class seluserRecords(semanageRecords):
raise error
def __delete(self, name):
- (rc, k) = semanage_user_key_create(self.sh, name)
+ (rc, tmp_u) = semanage_user_create(self.sh)
+ if rc < 0:
+ raise ValueError(_("Could not create login mapping for %s") % name)
+
+ rc = semanage_user_set_name(self.sh, tmp_u, name)
+ if rc < 0:
+ raise ValueError(_("Could not set name for %s") % name)
+
+ (rc, k) = semanage_user_key_extract(self.sh, tmp_u)
if rc < 0:
raise ValueError(_("Could not create a key for %s") % name)
@@ -944,6 +990,7 @@ class seluserRecords(semanageRecords):
raise ValueError(_("Could not delete SELinux user %s") % name)
semanage_user_key_free(k)
+ semanage_user_free(tmp_u)
semanage_user_free(u)
self.mylog.log_remove("seuser", oldsename=name, oldserange=oldserange, oldserole=oldserole)
@@ -2119,7 +2166,14 @@ class booleanRecords(semanageRecords):
def __mod(self, name, value):
name = selinux.selinux_boolean_sub(name)
- (rc, k) = semanage_bool_key_create(self.sh, name)
+ (rc, t_b) = semanage_bool_create(self.sh)
+ if rc < 0:
+ raise ValueError(_("Could not create login mapping for %s") % name)
+ rc = semanage_bool_set_name(self.sh, t_b, name)
+ if rc < 0:
+ raise ValueError(_("Could not set name for %s") % name)
+
+ (rc, k) = semanage_bool_key_extract(self.sh, t_b)
if rc < 0:
raise ValueError(_("Could not create a key for %s") % name)
(rc, exists) = semanage_bool_exists(self.sh, k)
@@ -2137,7 +2191,7 @@ class booleanRecords(semanageRecords):
else:
raise ValueError(_("You must specify one of the following values: %s") % ", ".join(list(self.dict.keys())))
- if self.modify_local and name in self.current_booleans:
+ if self.modify_local and name.encode() in self.current_booleans:
rc = semanage_bool_set_active(self.sh, k, b)
if rc < 0:
raise ValueError(_("Could not set active value of boolean %s") % name)
@@ -2145,6 +2199,7 @@ class booleanRecords(semanageRecords):
if rc < 0:
raise ValueError(_("Could not modify boolean %s") % name)
semanage_bool_key_free(k)
+ semanage_bool_free(t_b)
semanage_bool_free(b)
def modify(self, name, value=None, use_file=False):
@@ -2170,7 +2225,14 @@ class booleanRecords(semanageRecords):
def __delete(self, name):
name = selinux.selinux_boolean_sub(name)
- (rc, k) = semanage_bool_key_create(self.sh, name)
+ (rc, t_b) = semanage_bool_create(self.sh)
+ if rc < 0:
+ raise ValueError(_("Could not create login mapping for %s") % name)
+ rc = semanage_bool_set_name(self.sh, t_b, name)
+ if rc < 0:
+ raise ValueError(_("Could not set name for %s") % name)
+
+ (rc, k) = semanage_bool_key_extract(self.sh, t_b)
if rc < 0:
raise ValueError(_("Could not create a key for %s") % name)
(rc, exists) = semanage_bool_exists(self.sh, k)
@@ -2190,6 +2252,7 @@ class booleanRecords(semanageRecords):
raise ValueError(_("Could not delete boolean %s") % name)
semanage_bool_key_free(k)
+ semanage_bool_free(t_b)
def delete(self, name):
self.begin()

10
policycoreutils-sandbox-python3.patch
View File

@ -1,10 +0,0 @@
diff --git a/policycoreutils/sandbox/start b/policycoreutils/sandbox/start
index e0a0c2c..cdc4a3e 100644
--- a/policycoreutils/sandbox/start
+++ b/policycoreutils/sandbox/start
@@ -1,4 +1,4 @@
-#! /usr/bin/python -Es
+#! /usr/bin/python3 -Es
import subprocess, sys
rc = [-1,'']
try:

41
policycoreutils.spec
View File

@ -1,7 +1,7 @@
%global libauditver 2.1.3-4
%global libsepolver 2.5-9
%global libsemanagever 2.5-7
%global libselinuxver 2.5-11
%global libsepolver 2.5-10
%global libsemanagever 2.5-8
%global libselinuxver 2.5-12
%global sepolgenver 1.2.3
%global generatorsdir %{_prefix}/lib/systemd/system-generators
@ -9,7 +9,7 @@
Summary: SELinux policy core utilities
Name: policycoreutils
Version: 2.5
Release: 16%{?dist}
Release: 17%{?dist}
License: GPLv2
Group: System Environment/Base
# https://github.com/SELinuxProject/selinux/wiki/Releases
@ -27,12 +27,10 @@ Source9: selinux-autorelabel-generator.sh
# download https://raw.githubusercontent.com/fedora-selinux/scripts/master/selinux/make-fedora-selinux-patch.sh
# run:
# $ VERSION=2.5 ./make-fedora-selinux-patch.sh policycoreutils
# HEAD https://github.com/fedora-selinux/selinux/commit/dbf42c22e798a5e2cf9c1fc711c803e7da20cfb4
# HEAD https://github.com/fedora-selinux/selinux/commit/caefad506ca46db441952ab64ebfc6202897516b
Patch: policycoreutils-fedora.patch
# $ VERSION=1.2.3 ./make-fedora-selinux-patch.sh sepolgen
Patch1: sepolgen-fedora.patch
Patch100: policycoreutils-fix-semanage-python3.patch
Patch101: policycoreutils-sandbox-python3.patch
Obsoletes: policycoreutils < 2.0.61-2
Conflicts: filesystem < 3, selinux-policy-base < 3.13.1-138
# initscripts < 9.66 shipped fedora-autorelabel services which are renamed to selinux-relabel
@ -68,8 +66,6 @@ to switch roles.
%setup -q -c -n selinux
%patch -p0 -b .policycoreutils-fedora
pushd policycoreutils-2.5
%patch100 -p2 -b .semanage-python3
%patch101 -p2 -b .sandbox-python3
popd
cp %{SOURCE3} policycoreutils-2.5/gui/
@ -436,6 +432,33 @@ The policycoreutils-restorecond package contains the restorecond service.
%systemd_postun_with_restart restorecond.service
%changelog
* Mon Oct 03 2016 Petr Lautrbach <plautrba@redhat.com> 2.5-17
- sandbox: Use dbus-run-session instead of dbus-launch when available
- hll/pp: Change warning for module name not matching filename to match new behavior
- Remove LDFLAGS from CFLAGS
- sandbox: create a new session for sandboxed processes
- sandbox: do not try to setup directories without -X or -M
- sandbox: do not run xmodmap in a new X session
- sandbox: Use GObject introspection binding instead of pygtk2
- sandbox: fix file labels on copied files
- sandbox: tests - close stdout of p
- sandbox: tests - use sandbox from cwd
- audit2allow: tests should use local copy not system
- audit2allow: fix audit2why import from seobject
- audit2allow: remove audit2why so that it gets symlinked
- semanage: fix man page and help message for import option
- semanage: fix error message for fcontext -m
- semanage: Fix semanage fcontext -D
- semanage: Correct fcontext auditing
- semanage: Default serange to "s0" for port modify
- semanage: Use socket.getprotobyname for protocol
- semanage: fix modify action in node and interface
- fixfiles: Pass -n to restorecon for fixfiles check
- sepolicy: Check get_rpm_nvr_list() return value
- Don't use subprocess.getstatusoutput() in Python 2 code
- semanage: Add auditing of changes in records
- Remove unused 'q' from semodule getopt string
* Mon Aug 01 2016 Petr Lautrbach <plautrba@redhat.com> 2.5-16
- Remove unused autoconf files from po/
- Remove duplicate, empty translation files

16
sepolgen-fedora.patch
View File

@ -376,3 +376,19 @@ index 924a9be..e17eef2 100644
test:
$(PYTHON) run-tests.py
diff --git sepolgen-1.2.3/tests/module_compile_test.te sepolgen-1.2.3/tests/module_compile_test.te
index 446c8dc..b365448 100644
--- sepolgen-1.2.3/tests/module_compile_test.te
+++ sepolgen-1.2.3/tests/module_compile_test.te
@@ -1,8 +1,8 @@
-module foo 1.0;
+module module_compile_test 1.0;
require {
type foo, bar;
class file { read write };
}
-allow foo bar : file { read write };
\ No newline at end of file
+allow foo bar : file { read write };