diff --git a/.gitignore b/.gitignore
index f582aad..ed061bc 100644
--- a/.gitignore
+++ b/.gitignore
@@ -344,3 +344,4 @@ policycoreutils-2.0.83.tgz
 /selinux-3.4-rc2.tar.gz
 /selinux-3.4-rc3.tar.gz
 /selinux-3.4.tar.gz
+/selinux-3.5-rc1.tar.gz
diff --git a/0001-libselinux-declare-return-value-of-context_str-3-con.patch b/0001-libselinux-declare-return-value-of-context_str-3-con.patch
deleted file mode 100644
index bcd29f7..0000000
--- a/0001-libselinux-declare-return-value-of-context_str-3-con.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From dd98fa322766760c4e1f029cf19d2515a583304f Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Christian=20G=C3=B6ttsche?=
-Date: Fri, 20 May 2022 15:16:10 +0200
-Subject: [PATCH] libselinux: declare return value of context_str(3) const
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-Content-type: text/plain
-
-context_str(3) returns a string representation of the given context.
-This string is owned by the context and free'd on context_free(3).
-Declare it const, as already done in the man page, since it must not be
-free'd by the caller.
-
-Signed-off-by: Christian Göttsche
-Acked-by: Nicolas Iooss
----
- policycoreutils/newrole/newrole.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/policycoreutils/newrole/newrole.c b/policycoreutils/newrole/newrole.c
-index ae37d7253761..c2afa37e0ac3 100644
---- a/policycoreutils/newrole/newrole.c
-+++ b/policycoreutils/newrole/newrole.c
-@@ -842,7 +842,7 @@ static int parse_command_line_arguments(int argc, char **argv, char *ttyn,
- char *type_ptr = NULL; /* stores malloc'd data from get_default_type */
- char *level_s = NULL; /* level spec'd by user in argv[] */
- char *range_ptr = NULL;
-- char *new_con = NULL;
-+ const char *new_con = NULL;
- char *tty_con = NULL;
- context_t context = NULL; /* manipulatable form of new_context */
- const struct option long_options[] = {
---
-2.38.1
-
diff --git a/0018-sandbox-add-reset-to-Xephyr-as-it-works-better-with-.patch b/0001-sandbox-add-reset-to-Xephyr-as-it-works-better-with-.patch
similarity index 93%
rename from 0018-sandbox-add-reset-to-Xephyr-as-it-works-better-with-.patch
rename to 0001-sandbox-add-reset-to-Xephyr-as-it-works-better-with-.patch
index 552aa2b..c3026ad 100644
--- a/0018-sandbox-add-reset-to-Xephyr-as-it-works-better-with-.patch
+++ b/0001-sandbox-add-reset-to-Xephyr-as-it-works-better-with-.patch
@@ -1,4 +1,4 @@
-From 1b9bc42461589e49cd68727ea479cc820e55a2d7 Mon Sep 17 00:00:00 2001
+From 55bc2013b480f5a33803f4b41505ac2a535d2bdf Mon Sep 17 00:00:00 2001
 From: Petr Lautrbach
 Date: Thu, 20 Aug 2015 12:58:41 +0200
 Subject: [PATCH] sandbox: add -reset to Xephyr as it works better with it in
diff --git a/0019-Don-t-be-verbose-if-you-are-not-on-a-tty.patch b/0002-Don-t-be-verbose-if-you-are-not-on-a-tty.patch
similarity index 84%
rename from 0019-Don-t-be-verbose-if-you-are-not-on-a-tty.patch
rename to 0002-Don-t-be-verbose-if-you-are-not-on-a-tty.patch
index a6205ac..0215797 100644
--- a/0019-Don-t-be-verbose-if-you-are-not-on-a-tty.patch
+++ b/0002-Don-t-be-verbose-if-you-are-not-on-a-tty.patch
@@ -1,4 +1,4 @@
-From 30f3eca067ace9f73ad7612377675e5f777ea869 Mon Sep 17 00:00:00 2001
+From c803df861395e181ed7476df10c04a5ed0dfcdd8 Mon Sep 17 00:00:00 2001
 From: Dan Walsh
 Date: Fri, 14 Feb 2014 12:32:12 -0500
 Subject: [PATCH] Don't be verbose if you are not on a tty
@@ -9,7 +9,7 @@ Content-type: text/plain
 1 file changed, 1 insertion(+)
 diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles
-index c72ca0eb9d61..163ebcd1f232 100755
+index 166af6f360a2..ebe64563c7d7 100755
 --- a/policycoreutils/scripts/fixfiles
 +++ b/policycoreutils/scripts/fixfiles
 @@ -108,6 +108,7 @@ exclude_dirs_from_relabelling() {
diff --git a/0002-semodule-avoid-toctou-on-output-module.patch b/0002-semodule-avoid-toctou-on-output-module.patch
deleted file mode 100644
index 6518d4a..0000000
--- a/0002-semodule-avoid-toctou-on-output-module.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-From 6d02b2fa29954e239721907e1fce238f25ea4f2f Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Christian=20G=C3=B6ttsche?=
-Date: Fri, 20 May 2022 15:19:52 +0200
-Subject: [PATCH] semodule: avoid toctou on output module
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-Content-type: text/plain
-
-Do not check for file existence and open afterwards, open with the
-exclusive flag (supported in Glibc and musl 0.9.6 and also standardized
-in C11).
-
-Found by GitHub CodeQL.
-
-Signed-off-by: Christian Göttsche
-Acked-by: Nicolas Iooss
----
- policycoreutils/semodule/semodule.c | 13 +++++--------
- 1 file changed, 5 insertions(+), 8 deletions(-)
-
-diff --git a/policycoreutils/semodule/semodule.c b/policycoreutils/semodule/semodule.c
-index 1ed8e69054e0..48bc28dd0973 100644
---- a/policycoreutils/semodule/semodule.c
-+++ b/policycoreutils/semodule/semodule.c
-@@ -550,15 +550,12 @@ int main(int argc, char *argv[])
- goto cleanup_extract;
- }
-
-- if (access(output_path, F_OK) == 0) {
-- fprintf(stderr, "%s: %s is already extracted with extension %s.\n", argv[0], mode_arg, lang_ext);
-- result = -1;
-- goto cleanup_extract;
-- }
--
-- output_fd = fopen(output_path, "w");
-+ output_fd = fopen(output_path, "wx");
- if (output_fd == NULL) {
-- fprintf(stderr, "%s: Unable to open %s\n", argv[0], output_path);
-+ if (errno == EEXIST)
-+ fprintf(stderr, "%s: %s is already extracted with extension %s.\n", argv[0], mode_arg, lang_ext);
-+ else
-+ fprintf(stderr, "%s: Unable to open %s: %s\n", argv[0], output_path, strerror(errno));
- result = -1;
- goto cleanup_extract;
- }
---
-2.38.1
-
diff --git a/0003-python-Split-semanage-import-into-two-transactions.patch b/0003-python-Split-semanage-import-into-two-transactions.patch
deleted file mode 100644
index 8506690..0000000
--- a/0003-python-Split-semanage-import-into-two-transactions.patch
+++ /dev/null
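Review bot: Deleting this patch drops the `fopen(output_path, "wx")` TOCTOU fix for `semodule` module extraction from the package's patch set, and nothing on this page shows that the new source carries it; the deletion is only safe if upstream commit 6d02b2fa29954e239721907e1fce238f25ea4f2f is already contained in selinux-3.5-rc1 (the `.gitignore` bump and the rebased `From` hashes of the kept patches suggest a rebase onto that tarball, but the tarball contents are not visible here). Before merging, confirm the rebased `policycoreutils/semodule/semodule.c` still opens the output with the exclusive flag, e.g. `grep -n 'fopen(output_path, "wx")' policycoreutils/semodule/semodule.c` in the unpacked 3.5-rc1 tree; if it does not, the `access()`-then-`fopen("w")` race this patch removed is reintroduced and the patch should be kept and rebased instead of deleted. The same check is worth doing for the other deleted backports on this page, in particular the `fclose(fp)` leak fix in `sepolgen-ifgen-attr-helper.c`, which is removed the same way without a visible replacement.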
@@ -1,65 +0,0 @@ -From abaf812c3877f6b595eb8643582eacef2dd4df3f Mon Sep 17 00:00:00 2001 -From: Vit Mojzis -Date: Mon, 30 May 2022 14:20:21 +0200 -Subject: [PATCH] python: Split "semanage import" into two transactions -Content-type: text/plain - -First transaction applies all deletion operations, so that there are no -collisions when applying the rest of the changes. - -Fixes: - # semanage port -a -t http_cache_port_t -r s0 -p tcp 3024 - # semanage export | semanage import - ValueError: Port tcp/3024 already defined - -Signed-off-by: Vit Mojzis ---- - python/semanage/semanage | 21 +++++++++++++++++++-- - 1 file changed, 19 insertions(+), 2 deletions(-) - -diff --git a/python/semanage/semanage b/python/semanage/semanage -index 8f4e44a7a9cd..1d8281281d05 100644 ---- a/python/semanage/semanage -+++ b/python/semanage/semanage -@@ -852,10 +852,29 @@ def handleImport(args): - trans = seobject.semanageRecords(args) - trans.start() - -+ deleteCommands = [] -+ commands = [] -+ # separate commands for deletion from the rest so they can be -+ # applied in a separate transaction - for l in sys.stdin.readlines(): - if len(l.strip()) == 0: - continue -+ if "-d" in l or "-D" in l: -+ deleteCommands.append(l) -+ else: -+ commands.append(l) -+ -+ if deleteCommands: -+ importHelper(deleteCommands) -+ trans.finish() -+ trans.start() -+ -+ importHelper(commands) -+ trans.finish() - -+ -+def importHelper(commands): -+ for l in commands: - try: - commandParser = createCommandParser() - args = commandParser.parse_args(mkargv(l)) -@@ -869,8 +888,6 @@ def handleImport(args): - except KeyboardInterrupt: - sys.exit(0) - -- trans.finish() -- - - def setupImportParser(subparsers): - importParser = subparsers.add_parser('import', help=_('Import local customizations')) --- -2.38.1 - 
diff --git a/0020-sepolicy-generate-Handle-more-reserved-port-types.patch b/0003-sepolicy-generate-Handle-more-reserved-port-types.patch similarity index 96% rename from 0020-sepolicy-generate-Handle-more-reserved-port-types.patch rename to 0003-sepolicy-generate-Handle-more-reserved-port-types.patch index 7668c70..13cf6c9 100644 --- a/0020-sepolicy-generate-Handle-more-reserved-port-types.patch +++ b/0003-sepolicy-generate-Handle-more-reserved-port-types.patch @@ -1,4 +1,4 @@ -From f2a1b0dc836ebcf2ef418cd0c85fcea949b556eb Mon Sep 17 00:00:00 2001 +From fb3038c1159ce6bb5094bc2f9feb48554ec8081e Mon Sep 17 00:00:00 2001 From: Masatake YAMATO Date: Thu, 14 Dec 2017 15:57:58 +0900 Subject: [PATCH] sepolicy-generate: Handle more reserved port types @@ -53,7 +53,7 @@ https://lore.kernel.org/selinux/20150610.190635.1866127952891120915.yamato@redha 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/python/sepolicy/sepolicy/generate.py b/python/sepolicy/sepolicy/generate.py -index 3717d5d4ed78..eff3a8973917 100644 +index b6df3e91160b..36a3ea1196b1 100644 --- a/python/sepolicy/sepolicy/generate.py +++ b/python/sepolicy/sepolicy/generate.py @@ -100,7 +100,9 @@ def get_all_ports(): diff --git a/0004-python-audit2allow-close-file-stream-on-error.patch b/0004-python-audit2allow-close-file-stream-on-error.patch deleted file mode 100644 index 1995aec..0000000 --- a/0004-python-audit2allow-close-file-stream-on-error.patch +++ /dev/null 
@@ -1,50 +0,0 @@ -From c14a86af9a2304175e54897634f808b42345325b Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= -Date: Fri, 20 May 2022 14:51:07 +0200 -Subject: [PATCH] python/audit2allow: close file stream on error -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit -Content-type: text/plain - - sepolgen-ifgen-attr-helper.c: In function ‘load_policy’: - sepolgen-ifgen-attr-helper.c:196:17: warning: leak of FILE ‘fp’ [CWE-775] [-Wanalyzer-file-leak] - 196 | fprintf(stderr, "Out of memory!\n"); - | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -Signed-off-by: Christian Göttsche -Acked-by: James Carter ---- - python/audit2allow/sepolgen-ifgen-attr-helper.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/python/audit2allow/sepolgen-ifgen-attr-helper.c b/python/audit2allow/sepolgen-ifgen-attr-helper.c -index 6f3ba96260de..5e6cffc1887d 100644 ---- a/python/audit2allow/sepolgen-ifgen-attr-helper.c -+++ b/python/audit2allow/sepolgen-ifgen-attr-helper.c -@@ -194,12 +194,14 @@ static policydb_t *load_policy(const char *filename) - policydb = malloc(sizeof(policydb_t)); - if (policydb == NULL) { - fprintf(stderr, "Out of memory!\n"); -+ fclose(fp); - return NULL; - } - - if (policydb_init(policydb)) { - fprintf(stderr, "Out of memory!\n"); - free(policydb); -+ fclose(fp); - return NULL; - } - -@@ -208,6 +210,7 @@ static policydb_t *load_policy(const char *filename) - fprintf(stderr, - "error(s) encountered while parsing configuration\n"); - free(policydb); -+ fclose(fp); - return NULL; - } - --- -2.38.1 - diff --git a/0021-sandbox-Use-matchbox-window-manager-instead-of-openb.patch b/0004-sandbox-Use-matchbox-window-manager-instead-of-openb.patch similarity index 96% rename from 0021-sandbox-Use-matchbox-window-manager-instead-of-openb.patch rename to 0004-sandbox-Use-matchbox-window-manager-instead-of-openb.patch index 63c81d3..402e931 100644 --- a/0021-sandbox-Use-matchbox-window-manager-instead-of-openb.patch 
+++ b/0004-sandbox-Use-matchbox-window-manager-instead-of-openb.patch @@ -1,4 +1,4 @@ -From 239f039edd2c4030d373baa31f42651075b5927b Mon Sep 17 00:00:00 2001 +From 09bf2a4318b44c895ea68d13988cb5c3dfa119ba Mon Sep 17 00:00:00 2001 From: Petr Lautrbach Date: Wed, 18 Jul 2018 09:09:35 +0200 Subject: [PATCH] sandbox: Use matchbox-window-manager instead of openbox @@ -11,7 +11,7 @@ Content-type: text/plain 3 files changed, 3 insertions(+), 17 deletions(-) diff --git a/sandbox/sandbox b/sandbox/sandbox -index 770807345858..df3af9260c7f 100644 +index a2762a7d215a..a32a33ea3cf6 100644 --- a/sandbox/sandbox +++ b/sandbox/sandbox @@ -270,7 +270,7 @@ class Sandbox: diff --git a/0022-Use-SHA-2-instead-of-SHA-1.patch b/0005-Use-SHA-2-instead-of-SHA-1.patch similarity index 99% rename from 0022-Use-SHA-2-instead-of-SHA-1.patch rename to 0005-Use-SHA-2-instead-of-SHA-1.patch index 48c4627..9808935 100644 --- a/0022-Use-SHA-2-instead-of-SHA-1.patch +++ b/0005-Use-SHA-2-instead-of-SHA-1.patch @@ -1,4 +1,4 @@ -From e5a015f1edd5e7ed87f6f4ec6ddb45637fa178ab Mon Sep 17 00:00:00 2001 +From 7fb581c76b547b20a149c6dad3d7c51075192bd8 Mon Sep 17 00:00:00 2001 From: Petr Lautrbach Date: Fri, 30 Jul 2021 14:14:37 +0200 Subject: [PATCH] Use SHA-2 instead of SHA-1 diff --git a/0005-gettext-handle-unsupported-languages-properly.patch b/0005-gettext-handle-unsupported-languages-properly.patch deleted file mode 100644 index c0d405a..0000000 --- a/0005-gettext-handle-unsupported-languages-properly.patch +++ /dev/null 
@@ -1,349 +0,0 @@ -From 344463076b2a91e1d2c7f5cc3835dc1a53a05e88 Mon Sep 17 00:00:00 2001 -From: Vit Mojzis -Date: Fri, 24 Jun 2022 16:24:25 +0200 -Subject: [PATCH] gettext: handle unsupported languages properly -Content-type: text/plain - -With "fallback=True" gettext.translation behaves the same as -gettext.install and uses NullTranslations in case the -translation file for given language was not found (as opposed to -throwing an exception). - -Fixes: - # LANG is set to any "unsupported" language, e.g. en_US.UTF-8 - $ chcat --help - Traceback (most recent call last): - File "/usr/bin/chcat", line 39, in - t = gettext.translation(PROGNAME, - File "/usr/lib64/python3.9/gettext.py", line 592, in translation - raise FileNotFoundError(ENOENT, - FileNotFoundError: [Errno 2] No translation file found for domain: 'selinux-python' - -Signed-off-by: Vit Mojzis -Reviewed-by: Daniel Burgener -Acked-by: Petr Lautrbach ---- - gui/booleansPage.py | 3 ++- - gui/domainsPage.py | 3 ++- - gui/fcontextPage.py | 3 ++- - gui/loginsPage.py | 3 ++- - gui/modulesPage.py | 3 ++- - gui/polgengui.py | 3 ++- - gui/portsPage.py | 3 ++- - gui/semanagePage.py | 3 ++- - gui/statusPage.py | 3 ++- - gui/system-config-selinux.py | 3 ++- - gui/usersPage.py | 3 ++- - python/chcat/chcat | 5 +++-- - python/semanage/semanage | 3 ++- - python/semanage/seobject.py | 3 ++- - python/sepolgen/src/sepolgen/sepolgeni18n.py | 4 +++- - python/sepolicy/sepolicy.py | 3 ++- - python/sepolicy/sepolicy/__init__.py | 3 ++- - python/sepolicy/sepolicy/generate.py | 3 ++- - python/sepolicy/sepolicy/gui.py | 3 ++- - python/sepolicy/sepolicy/interface.py | 3 ++- - sandbox/sandbox | 3 ++- - 21 files changed, 44 insertions(+), 22 deletions(-) - -diff --git a/gui/booleansPage.py b/gui/booleansPage.py -index 5beec58bc360..ad11a9b24c79 100644 ---- a/gui/booleansPage.py -+++ b/gui/booleansPage.py -@@ -46,7 +46,8 @@ try: - kwargs['unicode'] = True - t = gettext.translation(PROGNAME, - localedir="/usr/share/locale", -- **kwargs) 
-+ **kwargs, -+ fallback=True) - _ = t.gettext - except: - try: -diff --git a/gui/domainsPage.py b/gui/domainsPage.py -index e08f34b4d3a9..e6eadd61c1bc 100644 ---- a/gui/domainsPage.py -+++ b/gui/domainsPage.py -@@ -38,7 +38,8 @@ try: - kwargs['unicode'] = True - t = gettext.translation(PROGNAME, - localedir="/usr/share/locale", -- **kwargs) -+ **kwargs, -+ fallback=True) - _ = t.gettext - except: - try: -diff --git a/gui/fcontextPage.py b/gui/fcontextPage.py -index bac2bec3ebbd..767664f26ec8 100644 ---- a/gui/fcontextPage.py -+++ b/gui/fcontextPage.py -@@ -55,7 +55,8 @@ try: - kwargs['unicode'] = True - t = gettext.translation(PROGNAME, - localedir="/usr/share/locale", -- **kwargs) -+ **kwargs, -+ fallback=True) - _ = t.gettext - except: - try: -diff --git a/gui/loginsPage.py b/gui/loginsPage.py -index 18b93d8c9756..7e08232a90b5 100644 ---- a/gui/loginsPage.py -+++ b/gui/loginsPage.py -@@ -37,7 +37,8 @@ try: - kwargs['unicode'] = True - t = gettext.translation(PROGNAME, - localedir="/usr/share/locale", -- **kwargs) -+ **kwargs, -+ fallback=True) - _ = t.gettext - except: - try: -diff --git a/gui/modulesPage.py b/gui/modulesPage.py -index c546d455d4cd..02b79f150a13 100644 ---- a/gui/modulesPage.py -+++ b/gui/modulesPage.py -@@ -38,7 +38,8 @@ try: - kwargs['unicode'] = True - t = gettext.translation(PROGNAME, - localedir="/usr/share/locale", -- **kwargs) -+ **kwargs, -+ fallback=True) - _ = t.gettext - except: - try: -diff --git a/gui/polgengui.py b/gui/polgengui.py -index a18f1cba17b9..7a3ecd50c91c 100644 ---- a/gui/polgengui.py -+++ b/gui/polgengui.py -@@ -71,7 +71,8 @@ try: - kwargs['unicode'] = True - t = gettext.translation(PROGNAME, - localedir="/usr/share/locale", -- **kwargs) -+ **kwargs, -+ fallback=True) - _ = t.gettext - except: - try: -diff --git a/gui/portsPage.py b/gui/portsPage.py -index 54aa80ded327..bee2bdf17b99 100644 ---- a/gui/portsPage.py -+++ b/gui/portsPage.py -@@ -43,7 +43,8 @@ try: - kwargs['unicode'] = True - t = 
gettext.translation(PROGNAME, - localedir="/usr/share/locale", -- **kwargs) -+ **kwargs, -+ fallback=True) - _ = t.gettext - except: - try: -diff --git a/gui/semanagePage.py b/gui/semanagePage.py -index 1371d4e7dabe..efad14d9b375 100644 ---- a/gui/semanagePage.py -+++ b/gui/semanagePage.py -@@ -30,7 +30,8 @@ try: - kwargs['unicode'] = True - t = gettext.translation(PROGNAME, - localedir="/usr/share/locale", -- **kwargs) -+ **kwargs, -+ fallback=True) - _ = t.gettext - except: - try: -diff --git a/gui/statusPage.py b/gui/statusPage.py -index c241ef83dfa0..832849e60d60 100644 ---- a/gui/statusPage.py -+++ b/gui/statusPage.py -@@ -43,7 +43,8 @@ try: - kwargs['unicode'] = True - t = gettext.translation(PROGNAME, - localedir="/usr/share/locale", -- **kwargs) -+ **kwargs, -+ fallback=True) - _ = t.gettext - except: - try: -diff --git a/gui/system-config-selinux.py b/gui/system-config-selinux.py -index 1b460c99363b..9f53b7fe9020 100644 ---- a/gui/system-config-selinux.py -+++ b/gui/system-config-selinux.py -@@ -53,7 +53,8 @@ try: - kwargs['unicode'] = True - t = gettext.translation(PROGNAME, - localedir="/usr/share/locale", -- **kwargs) -+ **kwargs, -+ fallback=True) - _ = t.gettext - except: - try: -diff --git a/gui/usersPage.py b/gui/usersPage.py -index d51bd968b77e..9acd3b844056 100644 ---- a/gui/usersPage.py -+++ b/gui/usersPage.py -@@ -37,7 +37,8 @@ try: - kwargs['unicode'] = True - t = gettext.translation(PROGNAME, - localedir="/usr/share/locale", -- **kwargs) -+ **kwargs, -+ fallback=True) - _ = t.gettext - except: - try: -diff --git a/python/chcat/chcat b/python/chcat/chcat -index e779fcc6ebd7..952cb8187599 100755 ---- a/python/chcat/chcat -+++ b/python/chcat/chcat -@@ -38,9 +38,10 @@ try: - kwargs['unicode'] = True - t = gettext.translation(PROGNAME, - localedir="/usr/share/locale", -- **kwargs) -+ **kwargs, -+ fallback=True) - _ = t.gettext --except ImportError: -+except: - try: - import builtins - builtins.__dict__['_'] = str -diff --git 
a/python/semanage/semanage b/python/semanage/semanage -index 1d8281281d05..4e8d64d6863a 100644 ---- a/python/semanage/semanage -+++ b/python/semanage/semanage -@@ -38,7 +38,8 @@ try: - kwargs['unicode'] = True - t = gettext.translation(PROGNAME, - localedir="/usr/share/locale", -- **kwargs) -+ **kwargs, -+ fallback=True) - _ = t.gettext - except: - try: -diff --git a/python/semanage/seobject.py b/python/semanage/seobject.py -index ff8f4e9c3008..0782c082dc0c 100644 ---- a/python/semanage/seobject.py -+++ b/python/semanage/seobject.py -@@ -42,7 +42,8 @@ try: - kwargs['unicode'] = True - t = gettext.translation(PROGNAME, - localedir="/usr/share/locale", -- **kwargs) -+ **kwargs, -+ fallback=True) - _ = t.gettext - except: - try: -diff --git a/python/sepolgen/src/sepolgen/sepolgeni18n.py b/python/sepolgen/src/sepolgen/sepolgeni18n.py -index 56ebd807c69c..1ff307d9b27d 100644 ---- a/python/sepolgen/src/sepolgen/sepolgeni18n.py -+++ b/python/sepolgen/src/sepolgen/sepolgeni18n.py -@@ -19,7 +19,9 @@ - - try: - import gettext -- t = gettext.translation( 'selinux-python' ) -+ t = gettext.translation("selinux-python", -+ localedir="/usr/share/locale", -+ fallback=True) - _ = t.gettext - except: - def _(str): -diff --git a/python/sepolicy/sepolicy.py b/python/sepolicy/sepolicy.py -index 7ebe0efa88a1..c7a70e094b0c 100755 ---- a/python/sepolicy/sepolicy.py -+++ b/python/sepolicy/sepolicy.py -@@ -36,7 +36,8 @@ try: - kwargs['unicode'] = True - t = gettext.translation(PROGNAME, - localedir="/usr/share/locale", -- **kwargs) -+ **kwargs, -+ fallback=True) - _ = t.gettext - except: - try: -diff --git a/python/sepolicy/sepolicy/__init__.py b/python/sepolicy/sepolicy/__init__.py -index 7208234b4a4a..9c3caa05b80b 100644 ---- a/python/sepolicy/sepolicy/__init__.py -+++ b/python/sepolicy/sepolicy/__init__.py -@@ -31,7 +31,8 @@ try: - kwargs['unicode'] = True - t = gettext.translation(PROGNAME, - localedir="/usr/share/locale", -- **kwargs) -+ **kwargs, -+ fallback=True) - _ = t.gettext - 
except: - try: -diff --git a/python/sepolicy/sepolicy/generate.py b/python/sepolicy/sepolicy/generate.py -index 67189fc36b99..3717d5d4ed78 100644 ---- a/python/sepolicy/sepolicy/generate.py -+++ b/python/sepolicy/sepolicy/generate.py -@@ -56,7 +56,8 @@ try: - kwargs['unicode'] = True - t = gettext.translation(PROGNAME, - localedir="/usr/share/locale", -- **kwargs) -+ **kwargs, -+ fallback=True) - _ = t.gettext - except: - try: -diff --git a/python/sepolicy/sepolicy/gui.py b/python/sepolicy/sepolicy/gui.py -index b0263740a79f..5bdbfebade1d 100644 ---- a/python/sepolicy/sepolicy/gui.py -+++ b/python/sepolicy/sepolicy/gui.py -@@ -49,7 +49,8 @@ try: - kwargs['unicode'] = True - t = gettext.translation(PROGNAME, - localedir="/usr/share/locale", -- **kwargs) -+ **kwargs, -+ fallback=True) - _ = t.gettext - except: - try: -diff --git a/python/sepolicy/sepolicy/interface.py b/python/sepolicy/sepolicy/interface.py -index 599f97fdc6e7..43f86443f2c8 100644 ---- a/python/sepolicy/sepolicy/interface.py -+++ b/python/sepolicy/sepolicy/interface.py -@@ -38,7 +38,8 @@ try: - kwargs['unicode'] = True - t = gettext.translation(PROGNAME, - localedir="/usr/share/locale", -- **kwargs) -+ **kwargs, -+ fallback=True) - _ = t.gettext - except: - try: -diff --git a/sandbox/sandbox b/sandbox/sandbox -index cd5709fb07df..789621e136da 100644 ---- a/sandbox/sandbox -+++ b/sandbox/sandbox -@@ -45,7 +45,8 @@ try: - kwargs['unicode'] = True - t = gettext.translation(PROGNAME, - localedir="/usr/share/locale", -- **kwargs) -+ **kwargs, -+ fallback=True) - _ = t.gettext - except: - try: --- -2.38.1 - diff --git a/0006-semodule-rename-rebuild-if-modules-changed-to-refres.patch b/0006-semodule-rename-rebuild-if-modules-changed-to-refres.patch deleted file mode 100644 index 9dbbe35..0000000 --- a/0006-semodule-rename-rebuild-if-modules-changed-to-refres.patch +++ /dev/null 
@@ -1,82 +0,0 @@ -From 8cc529af51e8aa68a167ce78cf92687604f98619 Mon Sep 17 00:00:00 2001 -From: Ondrej Mosnacek -Date: Wed, 8 Jun 2022 19:09:54 +0200 -Subject: [PATCH] semodule: rename --rebuild-if-modules-changed to --refresh -Content-type: text/plain - -After the last commit this option's name and description no longer -matches the semantic, so give it a new one and update the descriptions. -The old name is still recognized and aliased to the new one for -backwards compatibility. - -Signed-off-by: Ondrej Mosnacek -Acked-by: Nicolas Iooss ---- - policycoreutils/semodule/semodule.8 | 12 ++++++------ - policycoreutils/semodule/semodule.c | 13 ++++++++++--- - 2 files changed, 16 insertions(+), 9 deletions(-) - -diff --git a/policycoreutils/semodule/semodule.8 b/policycoreutils/semodule/semodule.8 -index d1735d216276..c56e580f27b8 100644 ---- a/policycoreutils/semodule/semodule.8 -+++ b/policycoreutils/semodule/semodule.8 -@@ -23,12 +23,12 @@ force a reload of policy - .B \-B, \-\-build - force a rebuild of policy (also reloads unless \-n is used) - .TP --.B \-\-rebuild-if-modules-changed --Force a rebuild of the policy if any changes to module content are detected --(by comparing with checksum from the last transaction). One can use this --instead of \-B to ensure that any changes to the module store done by an --external tool (e.g. a package manager) are applied, while automatically --skipping the rebuild if there are no new changes. -+.B \-\-refresh -+Like \-\-build, but reuses existing linked policy if no changes to module -+files are detected (by comparing with checksum from the last transaction). -+One can use this instead of \-B to ensure that any changes to the module -+store done by an external tool (e.g. a package manager) are applied, while -+automatically skipping the module re-linking if there are no module changes. - .TP - .B \-D, \-\-disable_dontaudit - Temporarily remove dontaudits from policy. 
Reverts whenever policy is rebuilt -diff --git a/policycoreutils/semodule/semodule.c b/policycoreutils/semodule/semodule.c -index 48bc28dd0973..ebe062bf4c6c 100644 ---- a/policycoreutils/semodule/semodule.c -+++ b/policycoreutils/semodule/semodule.c -@@ -150,9 +150,12 @@ static void usage(char *progname) - printf(" -c, --cil extract module as cil. This only affects module extraction.\n"); - printf(" -H, --hll extract module as hll. This only affects module extraction.\n"); - printf(" -m, --checksum print module checksum (SHA256).\n"); -- printf(" --rebuild-if-modules-changed\n" -- " force policy rebuild if module content changed since\n" -- " last rebuild (based on checksum)\n"); -+ printf(" --refresh like --build, but reuses existing linked policy if no\n" -+ " changes to module files are detected (via checksum)\n"); -+ printf("Deprecated options:\n"); -+ printf(" -b,--base same as --install\n"); -+ printf(" --rebuild-if-modules-changed\n" -+ " same as --refresh\n"); - } - - /* Sets the global mode variable to new_mode, but only if no other -@@ -185,6 +188,7 @@ static void parse_command_line(int argc, char **argv) - { - static struct option opts[] = { - {"rebuild-if-modules-changed", 0, NULL, '\0'}, -+ {"refresh", 0, NULL, '\0'}, - {"store", required_argument, NULL, 's'}, - {"base", required_argument, NULL, 'b'}, - {"help", 0, NULL, 'h'}, -@@ -225,6 +229,9 @@ static void parse_command_line(int argc, char **argv) - case '\0': - switch(longind) { - case 0: /* --rebuild-if-modules-changed */ -+ fprintf(stderr, "The --rebuild-if-modules-changed option is deprecated. Use --refresh instead.\n"); -+ /* fallthrough */ -+ case 1: /* --refresh */ - check_ext_changes = 1; - break; - default: --- -2.38.1 - diff --git a/0007-python-remove-IOError-in-certain-cases.patch b/0007-python-remove-IOError-in-certain-cases.patch deleted file mode 100644 index 039293c..0000000 --- a/0007-python-remove-IOError-in-certain-cases.patch +++ /dev/null 
@@ -1,57 +0,0 @@ -From ebb4a170c024d4bf0d2773b93d916e77a87393d9 Mon Sep 17 00:00:00 2001 -From: Elijah Conners -Date: Wed, 15 Jun 2022 22:13:31 -0700 -Subject: [PATCH] python: remove IOError in certain cases -Content-type: text/plain - -In certain cases, IOError caused the much more general exception OSError -to be unreachable. - -Signed-off-by: Elijah Conners -Acked-by: Petr Lautrbach ---- - python/semanage/semanage | 7 ++----- - sandbox/sandbox | 2 -- - 2 files changed, 2 insertions(+), 7 deletions(-) - -diff --git a/python/semanage/semanage b/python/semanage/semanage -index 4e8d64d6863a..10ab3fa67d7f 100644 ---- a/python/semanage/semanage -+++ b/python/semanage/semanage -@@ -971,8 +971,8 @@ def do_parser(): - devnull = os.open(os.devnull, os.O_WRONLY) - os.dup2(devnull, sys.stdout.fileno()) - sys.exit(1) -- except IOError as e: -- sys.stderr.write("%s: %s\n" % (e.__class__.__name__, str(e))) -+ except OSError as e: -+ sys.stderr.write("%s: %s\n" % (e.__class__.__name__, e.args[1])) - sys.exit(1) - except KeyboardInterrupt: - sys.exit(0) -@@ -982,9 +982,6 @@ def do_parser(): - except KeyError as e: - sys.stderr.write("%s: %s\n" % (e.__class__.__name__, e.args[0])) - sys.exit(1) -- except OSError as e: -- sys.stderr.write("%s: %s\n" % (e.__class__.__name__, e.args[1])) -- sys.exit(1) - except RuntimeError as e: - sys.stderr.write("%s: %s\n" % (e.__class__.__name__, e.args[0])) - sys.exit(1) -diff --git a/sandbox/sandbox b/sandbox/sandbox -index 789621e136da..ffac70232875 100644 ---- a/sandbox/sandbox -+++ b/sandbox/sandbox -@@ -534,8 +534,6 @@ if __name__ == '__main__': - error_exit(error.args[0]) - except KeyError as error: - error_exit(_("Invalid value %s") % error.args[0]) -- except IOError as error: -- error_exit(error) - except KeyboardInterrupt: - rc = 0 - --- -2.38.1 - diff --git a/0008-restorecond-use-strict-function-prototype-for-defini.patch b/0008-restorecond-use-strict-function-prototype-for-defini.patch deleted file mode 100644 index 29a6ea7..0000000 
--- a/0008-restorecond-use-strict-function-prototype-for-defini.patch +++ /dev/null @@ -1,39 +0,0 @@ -From b5b3afbaed29895d37f6160cc0847ef5de7538ed Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= -Date: Mon, 8 Aug 2022 19:36:20 +0200 -Subject: [PATCH] restorecond: use strict function prototype for definition -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit -Content-type: text/plain - -Clang 15 starts to complain about non strict function definitions: - - user.c:172:10: error: a function declaration without a prototype is deprecated in all versions of C [-Werror,-Wstrict-prototypes] - int start() { - ^ - void - -Signed-off-by: Christian Göttsche -Reviewed-by: Daniel Burgener -Acked-by: James Carter ---- - restorecond/user.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/restorecond/user.c b/restorecond/user.c -index 47b86823ff79..3ae3ebbb7230 100644 ---- a/restorecond/user.c -+++ b/restorecond/user.c -@@ -169,7 +169,7 @@ io_channel_callback - return TRUE; - } - --int start() { -+int start(void) { - #ifdef HAVE_DBUS - GDBusConnection *bus; - GError *err = NULL; --- -2.38.1 - diff --git a/0009-Ignore-egg-info-directories-and-clean-them.patch b/0009-Ignore-egg-info-directories-and-clean-them.patch deleted file mode 100644 index 80f7b39..0000000 --- a/0009-Ignore-egg-info-directories-and-clean-them.patch +++ /dev/null 
@@ -1,56 +0,0 @@ -From c2d58b378b3cf350d042a7b657e2b7f5861c5f26 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= -Date: Mon, 8 Aug 2022 19:36:55 +0200 -Subject: [PATCH] Ignore egg-info directories and clean them -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit -Content-type: text/plain - - Test .gitignore and make clean distclean - error: missing .gitignore entry for libselinux/src/selinux.egg-info/ - error: missing .gitignore entry for python/sepolicy/sepolicy.egg-info/ - Error: Process completed with exit code 1. - - error: "make clean distclean" did not remove libselinux/src/selinux.egg-info/PKG-INFO - error: "make clean distclean" did not remove libselinux/src/selinux.egg-info/SOURCES.txt - error: "make clean distclean" did not remove libselinux/src/selinux.egg-info/dependency_links.txt - error: "make clean distclean" did not remove libselinux/src/selinux.egg-info/top_level.txt - error: "make clean distclean" did not remove python/sepolicy/sepolicy.egg-info/PKG-INFO - error: "make clean distclean" did not remove python/sepolicy/sepolicy.egg-info/SOURCES.txt - error: "make clean distclean" did not remove python/sepolicy/sepolicy.egg-info/dependency_links.txt - error: "make clean distclean" did not remove python/sepolicy/sepolicy.egg-info/top_level.txt - Error: Process completed with exit code 1. 
- -Signed-off-by: Christian Göttsche -Acked-by: James Carter ---- - python/sepolicy/.gitignore | 1 + - python/sepolicy/Makefile | 2 +- - 2 files changed, 2 insertions(+), 1 deletion(-) - -diff --git a/python/sepolicy/.gitignore b/python/sepolicy/.gitignore -index 3186c860ec0d..32fb47f92a9d 100644 ---- a/python/sepolicy/.gitignore -+++ b/python/sepolicy/.gitignore -@@ -1,3 +1,4 @@ - build - tmp - *.bak -+sepolicy.egg-info/ -diff --git a/python/sepolicy/Makefile b/python/sepolicy/Makefile -index 3361be4ef0bc..d983e409e5e6 100644 ---- a/python/sepolicy/Makefile -+++ b/python/sepolicy/Makefile -@@ -18,7 +18,7 @@ python-build: - - clean: - $(PYTHON) setup.py clean -- -rm -rf build *~ \#* *pyc .#* -+ -rm -rf build *~ \#* *pyc .#* sepolicy.egg-info/ - - sepolgen: - ln -sf sepolicy sepolgen --- -2.38.1 - diff --git a/0011-docs-provide-a-top-level-LICENSE-file.patch b/0011-docs-provide-a-top-level-LICENSE-file.patch deleted file mode 100644 index 4234674..0000000 --- a/0011-docs-provide-a-top-level-LICENSE-file.patch +++ /dev/null 
@@ -1,68 +0,0 @@ -From a0a216ff7d86004ddc36d516377f0a6ffe88076c Mon Sep 17 00:00:00 2001 -From: Paul Moore -Date: Fri, 30 Sep 2022 17:44:12 -0400 -Subject: [PATCH] docs: provide a top level LICENSE file -Content-type: text/plain - -Provide a top level LICENSE file explaining how multiple the SELinux -userspace is released under multiple different licenses. Also ensure -that all the different license files share a consistent file name, -LICENSE, to make it easier for people to identify the license files. - -This is to help meet the OpenSSF Best Practices requirements. - -Signed-off-by: Paul Moore ---- - dbus/{COPYING => LICENSE} | 0 - gui/{COPYING => LICENSE} | 0 - policycoreutils/{COPYING => LICENSE} | 0 - python/{COPYING => LICENSE} | 0 - python/sepolgen/{COPYING => LICENSE} | 0 - restorecond/{COPYING => LICENSE} | 0 - sandbox/{COPYING => LICENSE} | 0 - semodule-utils/{COPYING => LICENSE} | 0 - 8 files changed, 0 insertions(+), 0 deletions(-) - rename dbus/{COPYING => LICENSE} (100%) - rename gui/{COPYING => LICENSE} (100%) - rename policycoreutils/{COPYING => LICENSE} (100%) - rename python/{COPYING => LICENSE} (100%) - rename python/sepolgen/{COPYING => LICENSE} (100%) - rename restorecond/{COPYING => LICENSE} (100%) - rename sandbox/{COPYING => LICENSE} (100%) - rename semodule-utils/{COPYING => LICENSE} (100%) - -diff --git a/dbus/COPYING b/dbus/LICENSE -similarity index 100% -rename from dbus/COPYING -rename to dbus/LICENSE -diff --git a/gui/COPYING b/gui/LICENSE -similarity index 100% -rename from gui/COPYING -rename to gui/LICENSE -diff --git a/policycoreutils/COPYING b/policycoreutils/LICENSE -similarity index 100% -rename from policycoreutils/COPYING -rename to policycoreutils/LICENSE -diff --git a/python/COPYING b/python/LICENSE -similarity index 100% -rename from python/COPYING -rename to python/LICENSE -diff --git a/python/sepolgen/COPYING b/python/sepolgen/LICENSE -similarity index 100% -rename from python/sepolgen/COPYING -rename to 
python/sepolgen/LICENSE -diff --git a/restorecond/COPYING b/restorecond/LICENSE -similarity index 100% -rename from restorecond/COPYING -rename to restorecond/LICENSE -diff --git a/sandbox/COPYING b/sandbox/LICENSE -similarity index 100% -rename from sandbox/COPYING -rename to sandbox/LICENSE -diff --git a/semodule-utils/COPYING b/semodule-utils/LICENSE -similarity index 100% -rename from semodule-utils/COPYING -rename to semodule-utils/LICENSE --- -2.38.1 - diff --git a/0012-gui-Fix-export-file-chooser-dialog.patch b/0012-gui-Fix-export-file-chooser-dialog.patch deleted file mode 100644 index 4fde689..0000000 --- a/0012-gui-Fix-export-file-chooser-dialog.patch +++ /dev/null @@ -1,38 +0,0 @@ -From bba6225abc6c7d8f1642d0c04c819ddc74d426c0 Mon Sep 17 00:00:00 2001 -From: Petr Lautrbach -Date: Tue, 11 Oct 2022 16:36:23 +0200 -Subject: [PATCH] gui: Fix export file chooser dialog -Content-type: text/plain - -It wasn't possible to choose a directory in filechooser dialog using -double-click - the dialog returned the directory name instead of -listing the directory. - -Fixes: -Traceback (most recent call last): - File "/usr/lib/python3.10/site-packages/sepolicy/gui.py", line 2593, in on_browse_select - self.export_config(filename) - File "/usr/lib/python3.10/site-packages/sepolicy/gui.py", line 2668, in export_config - fd = open(filename, 'w') -IsADirectoryError: [Errno 21] Is a directory: '/root/Downloads' - -Signed-off-by: Petr Lautrbach ---- - python/sepolicy/sepolicy/sepolicy.glade | 1 - - 1 file changed, 1 deletion(-) - -diff --git a/python/sepolicy/sepolicy/sepolicy.glade b/python/sepolicy/sepolicy/sepolicy.glade -index 52407887fcfc..0724d6c8caa4 100644 ---- a/python/sepolicy/sepolicy/sepolicy.glade -+++ b/python/sepolicy/sepolicy/sepolicy.glade -@@ -168,7 +168,6 @@ - - False - vertical -- - - - False --- -2.38.1 - 
diff --git a/0013-python-Do-not-query-the-local-database-if-the-fconte.patch b/0013-python-Do-not-query-the-local-database-if-the-fconte.patch
deleted file mode 100644
index 2f557b0..0000000
--- a/0013-python-Do-not-query-the-local-database-if-the-fconte.patch
+++ /dev/null
@@ -1,66 +0,0 @@ -From 7238ad32a3171d82bba9b99660e55399161236fc Mon Sep 17 00:00:00 2001 -From: James Carter -Date: Wed, 19 Oct 2022 14:20:11 -0400 -Subject: [PATCH] python: Do not query the local database if the fcontext is - non-local -Content-type: text/plain - -Vit Mojzis reports that an error message is produced when modifying -a non-local fcontext. - -He gives the following example: - # semanage fcontext -f f -m -t passwd_file_t /etc/security/opasswd - libsemanage.dbase_llist_query: could not query record value (No such file or directory). - -When modifying an fcontext, the non-local database is checked for the -key and then, if it is not found there, the local database is checked. -If the key doesn't exist, then an error is raised. If the key exists -then the local database is queried first and, if that fails, the non- -local database is queried. - -The error is from querying the local database when the fcontext is in -the non-local database. - -Instead, if the fcontext is in the non-local database, just query -the non-local database. Only query the local database if the -fcontext was found in it. 
- -Reported-by: Vit Mojzis -Signed-off-by: James Carter ---- - python/semanage/seobject.py | 15 +++++++++------ - 1 file changed, 9 insertions(+), 6 deletions(-) - -diff --git a/python/semanage/seobject.py b/python/semanage/seobject.py -index 0782c082dc0c..d82da4942987 100644 ---- a/python/semanage/seobject.py -+++ b/python/semanage/seobject.py -@@ -2504,16 +2504,19 @@ class fcontextRecords(semanageRecords): - (rc, exists) = semanage_fcontext_exists(self.sh, k) - if rc < 0: - raise ValueError(_("Could not check if file context for %s is defined") % target) -- if not exists: -+ if exists: -+ try: -+ (rc, fcontext) = semanage_fcontext_query(self.sh, k) -+ except OSError: -+ raise ValueError(_("Could not query file context for %s") % target) -+ else: - (rc, exists) = semanage_fcontext_exists_local(self.sh, k) -+ if rc < 0: -+ raise ValueError(_("Could not check if file context for %s is defined") % target) - if not exists: - raise ValueError(_("File context for %s is not defined") % target) -- -- try: -- (rc, fcontext) = semanage_fcontext_query_local(self.sh, k) -- except OSError: - try: -- (rc, fcontext) = semanage_fcontext_query(self.sh, k) -+ (rc, fcontext) = semanage_fcontext_query_local(self.sh, k) - except OSError: - raise ValueError(_("Could not query file context for %s") % target) - --- -2.38.1 - diff --git a/0014-sandbox-Do-not-try-to-remove-tmpdir-twice-if-uid-0.patch b/0014-sandbox-Do-not-try-to-remove-tmpdir-twice-if-uid-0.patch deleted file mode 100644 index 6b4830a..0000000 --- a/0014-sandbox-Do-not-try-to-remove-tmpdir-twice-if-uid-0.patch +++ /dev/null 
@@ -1,35 +0,0 @@ -From 0fb988c86b66ede7723e179699e29f00000fc57b Mon Sep 17 00:00:00 2001 -From: Petr Lautrbach -Date: Thu, 13 Oct 2022 15:23:11 +0200 -Subject: [PATCH] sandbox: Do not try to remove tmpdir twice if uid == 0 -Content-type: text/plain - -If the user is root, tmpdir is already wiped out. - -Fixes: - # sandbox -T /root/tmp -- id - uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:sandbox_t:s0:c696,c756 - Failed to remove directory /tmp/.sandbox-root-KIlB59: No such file or directory - -Signed-off-by: Petr Lautrbach -Acked-by: James Carter ---- - sandbox/seunshare.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/sandbox/seunshare.c b/sandbox/seunshare.c -index 8917a0f9bd42..dd1d7ddbdc89 100644 ---- a/sandbox/seunshare.c -+++ b/sandbox/seunshare.c -@@ -414,7 +414,7 @@ static int cleanup_tmpdir(const char *tmpdir, const char *src, - rc++; - } - -- if (rmdir(tmpdir) == -1) -+ if (pwd->pw_uid != 0 && rmdir(tmpdir) == -1) - fprintf(stderr, _("Failed to remove directory %s: %s\n"), tmpdir, strerror(errno)); - if ((uid_t)setfsuid(pwd->pw_uid) != 0) { - fprintf(stderr, _("unable to switch back to user after clearing tmp dir\n")); --- -2.38.1 - diff --git a/0015-sandbox-Use-temporary-directory-for-XDG_RUNTIME_DIR.patch b/0015-sandbox-Use-temporary-directory-for-XDG_RUNTIME_DIR.patch deleted file mode 100644 index ada2342..0000000 --- a/0015-sandbox-Use-temporary-directory-for-XDG_RUNTIME_DIR.patch +++ /dev/null 
@@ -1,245 +0,0 @@ -From ecfcb1d6a8ecb914f2a7c72453c872b5f0099f4d Mon Sep 17 00:00:00 2001 -From: Petr Lautrbach -Date: Thu, 13 Oct 2022 15:23:12 +0200 -Subject: [PATCH] sandbox: Use temporary directory for XDG_RUNTIME_DIR -Content-type: text/plain - -XDG_RUNTIME_DIR (/run/user/$UID) is used for user-specific data files -such as sockets, named pipes and so on. Therefore, it should not be -available to sandboxed processes. - -Usage: - # ls -a $XDG_RUNTIME_DIR - . .. bus pipewire-0 systemd - # sandbox -R /root/sandbox/user -- sh -c "ls -a $XDG_RUNTIME_DIR" - . .. - -Signed-off-by: Petr Lautrbach -Acked-by: James Carter ---- - sandbox/sandbox | 15 ++++++++++++++- - sandbox/sandbox.8 | 7 +++++-- - sandbox/seunshare.8 | 3 +++ - sandbox/seunshare.c | 45 +++++++++++++++++++++++++++++++++++---------- - 4 files changed, 57 insertions(+), 13 deletions(-) - -diff --git a/sandbox/sandbox b/sandbox/sandbox -index ffac70232875..770807345858 100644 ---- a/sandbox/sandbox -+++ b/sandbox/sandbox -@@ -209,6 +209,7 @@ class Sandbox: - self.__level = None - self.__homedir = None - self.__tmpdir = None -+ self.__runuserdir = None - - def __validate_mount(self): - if self.__options.level: -@@ -357,6 +358,11 @@ sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [- - action="callback", callback=self.__validdir, - help=_("alternate /tmp directory to use for mounting")) - -+ parser.add_option("-R", "--runuserdir", dest="runuserdir", -+ type="string", -+ action="callback", callback=self.__validdir, -+ help=_("alternate XDG_RUNTIME_DIR - /run/user/$UID - directory to use for mounting")) -+ - parser.add_option("-w", "--windowsize", dest="windowsize", - type="string", default=DEFAULT_WINDOWSIZE, - help="size of the sandbox window") -@@ -401,10 +407,12 @@ sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [- - self.__options.X_ind = True - self.__homedir = self.__options.homedir - self.__tmpdir = self.__options.tmpdir -+ self.__runuserdir = 
self.__options.runuserdir - else: - if self.__options.level: - self.__homedir = self.__options.homedir - self.__tmpdir = self.__options.tmpdir -+ self.__runuserdir = self.__options.runuserdir - - if len(cmds) == 0: - self.usage(_("Command required")) -@@ -442,9 +450,14 @@ sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [- - self.__tmpdir = self.__options.tmpdir - else: - self.__tmpdir = mkdtemp(dir="/tmp", prefix=".sandbox_tmp_") -+ if self.__options.runuserdir: -+ self.__runuserdir = self.__options.runuserdir -+ else: -+ self.__runuserdir = mkdtemp(dir="/tmp", prefix=".sandbox_runuser_") - self.__copyfiles() - selinux.chcon(self.__homedir, self.__filecon, recursive=True) - selinux.chcon(self.__tmpdir, self.__filecon, recursive=True) -+ selinux.chcon(self.__runuserdir, self.__filecon, recursive=True) - selinux.setfscreatecon(None) - - def __execute(self): -@@ -453,7 +466,7 @@ sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [- - if self.__options.usecaps: - cmds.append('-C') - if self.__mount: -- cmds += ["-t", self.__tmpdir, "-h", self.__homedir] -+ cmds += ["-t", self.__tmpdir, "-h", self.__homedir, "-r", self.__runuserdir] - - if self.__options.X_ind: - if self.__options.dpi: -diff --git a/sandbox/sandbox.8 b/sandbox/sandbox.8 -index d83fee76f335..1ee0ecea96d1 100644 ---- a/sandbox/sandbox.8 -+++ b/sandbox/sandbox.8 -@@ -3,11 +3,11 @@ - sandbox \- Run cmd under an SELinux sandbox - .SH SYNOPSIS - .B sandbox --[\-C] [\-s] [ \-d DPI ] [\-l level ] [[\-M | \-X] \-H homedir \-T tempdir ] [\-I includefile ] [ \-W windowmanager ] [ \-w windowsize ] [[\-i file ]...] [ \-t type ] cmd -+[\-C] [\-s] [ \-d DPI ] [\-l level ] [[\-M | \-X] \-H homedir \-T tempdir ] [ \-R runuserdir ] [\-I includefile ] [ \-W windowmanager ] [ \-w windowsize ] [[\-i file ]...] 
[ \-t type ] cmd - - .br - .B sandbox --[\-C] [\-s] [ \-d DPI ] [\-l level ] [[\-M | \-X] \-H homedir \-T tempdir ] [\-I includefile ] [ \-W windowmanager ] [ \-w windowsize ] [[\-i file ]...] [ \-t type ] \-S -+[\-C] [\-s] [ \-d DPI ] [\-l level ] [[\-M | \-X] \-H homedir \-T tempdir ] [ \-R runuserdir ] [\-I includefile ] [ \-W windowmanager ] [ \-w windowsize ] [[\-i file ]...] [ \-t type ] \-S - .br - .SH DESCRIPTION - .PP -@@ -67,6 +67,9 @@ sandbox_net_client_t \- All network ports - \fB\-T\fR \fB\-\-tmpdir\fR - Use alternate temporary directory to mount on /tmp. Defaults to tmpfs. Requires \-X or \-M. - .TP -+\fB\-R\fR \fB\-\-runuserdir\fR -+Use alternate temporary directory to mount on XDG_RUNTIME_DIR (/run/user/$UID). -+.TP - \fB\-S\fR \fB\-\-session\fR - Run a full desktop session, Requires level, and home and tmpdir. - .TP -diff --git a/sandbox/seunshare.8 b/sandbox/seunshare.8 -index 0da352613485..09cf7feae45d 100644 ---- a/sandbox/seunshare.8 -+++ b/sandbox/seunshare.8 -@@ -18,6 +18,9 @@ Alternate homedir to be used by the application. Homedir must be owned by the u - \fB\-t\ tmpdir - Use alternate temporary directory to mount on /tmp. tmpdir must be owned by the user. - .TP -+\fB\-r\ runuserdir -+Use alternate temporary directory to mount on XDG_RUNTIME_DIR (/run/user/$UID). runuserdir must be owned by the user. -+.TP - \fB\-C --capabilities\fR - Allow apps executed within the namespace to use capabilities. Default is no capabilities. 
- .TP -diff --git a/sandbox/seunshare.c b/sandbox/seunshare.c -index dd1d7ddbdc89..1d38ea92b9ae 100644 ---- a/sandbox/seunshare.c -+++ b/sandbox/seunshare.c -@@ -52,7 +52,7 @@ - - #define BUF_SIZE 1024 - #define DEFAULT_PATH "/usr/bin:/bin" --#define USAGE_STRING _("USAGE: seunshare [ -v ] [ -C ] [ -k ] [ -t tmpdir ] [ -h homedir ] [ -Z CONTEXT ] -- executable [args] ") -+#define USAGE_STRING _("USAGE: seunshare [ -v ] [ -C ] [ -k ] [ -t tmpdir ] [ -h homedir ] [ -r runuserdir ] [ -Z CONTEXT ] -- executable [args] ") - - static int verbose = 0; - static int child = 0; -@@ -623,15 +623,20 @@ int main(int argc, char **argv) { - char *homedir_s = NULL; /* homedir spec'd by user in argv[] */ - char *tmpdir_s = NULL; /* tmpdir spec'd by user in argv[] */ - char *tmpdir_r = NULL; /* tmpdir created by seunshare */ -+ char *runuserdir_s = NULL; /* /var/run/user/UID spec'd by user in argv[] */ -+ char *runuserdir_r = NULL; /* /var/run/user/UID created by seunshare */ - - struct stat st_curhomedir; - struct stat st_homedir; - struct stat st_tmpdir_s; - struct stat st_tmpdir_r; -+ struct stat st_runuserdir_s; -+ struct stat st_runuserdir_r; - - const struct option long_options[] = { - {"homedir", 1, 0, 'h'}, - {"tmpdir", 1, 0, 't'}, -+ {"runuserdir", 1, 0, 'r'}, - {"kill", 1, 0, 'k'}, - {"verbose", 1, 0, 'v'}, - {"context", 1, 0, 'Z'}, -@@ -665,7 +670,7 @@ int main(int argc, char **argv) { - } - - while (1) { -- clflag = getopt_long(argc, argv, "Ccvh:t:Z:", long_options, NULL); -+ clflag = getopt_long(argc, argv, "Ccvh:r:t:Z:", long_options, NULL); - if (clflag == -1) - break; - -@@ -679,6 +684,9 @@ int main(int argc, char **argv) { - case 'h': - homedir_s = optarg; - break; -+ case 'r': -+ runuserdir_s = optarg; -+ break; - case 'v': - verbose++; - break; -@@ -729,6 +737,10 @@ int main(int argc, char **argv) { - if (tmpdir_s && ( - verify_directory(tmpdir_s, NULL, &st_tmpdir_s) < 0 || - check_owner_uid(uid, tmpdir_s, &st_tmpdir_s))) return -1; -+ if (runuserdir_s && ( -+ 
verify_directory(runuserdir_s, NULL, &st_runuserdir_s) < 0 || -+ check_owner_uid(uid, runuserdir_s, &st_runuserdir_s))) return -1; -+ - if ((uid_t)setfsuid(0) != uid) return -1; - - /* create runtime tmpdir */ -@@ -737,6 +749,12 @@ int main(int argc, char **argv) { - fprintf(stderr, _("Failed to create runtime temporary directory\n")); - return -1; - } -+ /* create runtime runuserdir */ -+ if (runuserdir_s && (runuserdir_r = create_tmpdir(runuserdir_s, &st_runuserdir_s, -+ &st_runuserdir_r, pwd, execcon)) == NULL) { -+ fprintf(stderr, _("Failed to create runtime $XDG_RUNTIME_DIR directory\n")); -+ return -1; -+ } - - /* spawn child process */ - child = fork(); -@@ -775,7 +793,21 @@ int main(int argc, char **argv) { - if (check_owner_uid(uid, resolved_path, &st_curhomedir) < 0) - goto childerr; - -- /* mount homedir and tmpdir, in this order */ -+ if ((RUNTIME_DIR = getenv("XDG_RUNTIME_DIR")) != NULL) { -+ if ((RUNTIME_DIR = strdup(RUNTIME_DIR)) == NULL) { -+ perror(_("Out of memory")); -+ goto childerr; -+ } -+ } else { -+ if (asprintf(&RUNTIME_DIR, "/run/user/%d", uid) == -1) { -+ perror(_("Out of memory\n")); -+ goto childerr; -+ } -+ } -+ -+ /* mount homedir, runuserdir and tmpdir, in this order */ -+ if (runuserdir_s && seunshare_mount(runuserdir_s, RUNTIME_DIR, -+ &st_runuserdir_s) != 0) goto childerr; - if (homedir_s && seunshare_mount(homedir_s, resolved_path, - &st_homedir) != 0) goto childerr; - if (tmpdir_s && seunshare_mount(tmpdir_r, "/tmp", -@@ -799,13 +831,6 @@ int main(int argc, char **argv) { - } - } - -- if ((RUNTIME_DIR = getenv("XDG_RUNTIME_DIR")) != NULL) { -- if ((RUNTIME_DIR = strdup(RUNTIME_DIR)) == NULL) { -- perror(_("Out of memory")); -- goto childerr; -- } -- } -- - if ((rc = clearenv()) != 0) { - perror(_("Failed to clear environment")); - goto childerr; --- -2.38.1 - 
diff --git a/0016-python-Remove-dependency-on-the-Python-module-distut.patch b/0016-python-Remove-dependency-on-the-Python-module-distut.patch
deleted file mode 100644
index 81b36c2..0000000
--- a/0016-python-Remove-dependency-on-the-Python-module-distut.patch
+++ /dev/null
@@ -1,81 +0,0 @@ -From c08cf24f39989cfc610a481ae3dc380b61e9ca5f Mon Sep 17 00:00:00 2001 -From: James Carter -Date: Fri, 28 Oct 2022 16:16:22 -0400 -Subject: [PATCH] python: Remove dependency on the Python module distutils -Content-type: text/plain - -The distutils package is deprecated and scheduled to be removed in -Python 3.12. Use the setuptools and sysconfig modules instead. - -Signed-off-by: James Carter -Acked-by: Petr Lautrbach ---- - python/semanage/Makefile | 2 +- - python/sepolgen/src/sepolgen/Makefile | 2 +- - python/sepolicy/sepolicy/gui.py | 4 ++-- - python/sepolicy/setup.py | 2 +- - 4 files changed, 5 insertions(+), 5 deletions(-) - -diff --git a/python/semanage/Makefile b/python/semanage/Makefile -index 024e9640fed0..b53ee33db6ac 100644 ---- a/python/semanage/Makefile -+++ b/python/semanage/Makefile -@@ -5,7 +5,7 @@ LINGUAS ?= ru - PREFIX ?= /usr - SBINDIR ?= $(PREFIX)/sbin - MANDIR = $(PREFIX)/share/man --PYTHONLIBDIR ?= $(shell $(PYTHON) -c "from distutils.sysconfig import *; print(get_python_lib(prefix='$(PREFIX)'))") -+PYTHONLIBDIR ?= $(shell $(PYTHON) -c "import sysconfig; print(sysconfig.get_path('purelib', vars={'platbase': '$(PREFIX)', 'base': '$(PREFIX)'}))") - PACKAGEDIR ?= $(PYTHONLIBDIR) - BASHCOMPLETIONDIR ?= $(PREFIX)/share/bash-completion/completions - -diff --git a/python/sepolgen/src/sepolgen/Makefile b/python/sepolgen/src/sepolgen/Makefile -index cac8def7204e..a10392273181 100644 ---- a/python/sepolgen/src/sepolgen/Makefile -+++ b/python/sepolgen/src/sepolgen/Makefile -@@ -1,6 +1,6 @@ - PREFIX ?= /usr - PYTHON ?= python3 --PYTHONLIBDIR ?= $(shell $(PYTHON) -c "from distutils.sysconfig import *; print(get_python_lib(prefix='$(PREFIX)'))") -+PYTHONLIBDIR ?= $(shell $(PYTHON) -c "import sysconfig; print(sysconfig.get_path('purelib', vars={'platbase': '$(PREFIX)', 'base': '$(PREFIX)'}))") - PACKAGEDIR ?= /$(PYTHONLIBDIR)/sepolgen - - all: -diff --git a/python/sepolicy/sepolicy/gui.py b/python/sepolicy/sepolicy/gui.py -index 
5bdbfebade1d..335be582b668 100644 ---- a/python/sepolicy/sepolicy/gui.py -+++ b/python/sepolicy/sepolicy/gui.py -@@ -77,7 +77,7 @@ def cmp(a, b): - return 1 - return (a > b) - (a < b) - --import distutils.sysconfig -+import sysconfig - ADVANCED_LABEL = (_("Advanced >>"), _("Advanced <<")) - ADVANCED_SEARCH_LABEL = (_("Advanced Search >>"), _("Advanced Search <<")) - OUTBOUND_PAGE = 0 -@@ -130,7 +130,7 @@ class SELinuxGui(): - self.application = app - self.filter_txt = "" - builder = Gtk.Builder() # BUILDER OBJ -- self.code_path = distutils.sysconfig.get_python_lib(plat_specific=False) + "/sepolicy/" -+ self.code_path = sysconfig.get_python_lib(plat_specific=False) + "/sepolicy/" - glade_file = self.code_path + "sepolicy.glade" - builder.add_from_file(glade_file) - self.outer_notebook = builder.get_object("outer_notebook") -diff --git a/python/sepolicy/setup.py b/python/sepolicy/setup.py -index b0f9650df875..c82206647f9b 100644 ---- a/python/sepolicy/setup.py -+++ b/python/sepolicy/setup.py -@@ -2,7 +2,7 @@ - - # Author: Thomas Liu - # Author: Dan Walsh --from distutils.core import setup -+from setuptools import setup - - setup( - name="sepolicy", --- -2.38.1 - diff --git a/0017-python-Harden-tools-against-rogue-modules.patch b/0017-python-Harden-tools-against-rogue-modules.patch deleted file mode 100644 index 0d2d809..0000000 --- a/0017-python-Harden-tools-against-rogue-modules.patch +++ /dev/null 
@@ -1,81 +0,0 @@ -From 48602370acabffea96759bf66edd00ca829f5d17 Mon Sep 17 00:00:00 2001 -From: Vit Mojzis -Date: Tue, 18 Oct 2022 22:36:59 +0200 -Subject: [PATCH] python: Harden tools against "rogue" modules -Content-type: text/plain - -Python scripts present in "/usr/sbin" override regular modules. -Make sure /usr/sbin is not present in PYTHONPATH. - -Fixes: - #cat > /usr/sbin/audit.py < -Acked-by: James Carter ---- - python/audit2allow/audit2allow | 2 +- - python/audit2allow/sepolgen-ifgen | 2 +- - python/chcat/chcat | 2 +- - python/semanage/semanage | 2 +- - python/sepolicy/sepolicy.py | 2 +- - 5 files changed, 5 insertions(+), 5 deletions(-) - -diff --git a/python/audit2allow/audit2allow b/python/audit2allow/audit2allow -index 09b06f664bc4..eafeea88aa21 100644 ---- a/python/audit2allow/audit2allow -+++ b/python/audit2allow/audit2allow -@@ -1,4 +1,4 @@ --#!/usr/bin/python3 -Es -+#!/usr/bin/python3 -EsI - # Authors: Karl MacMillan - # Authors: Dan Walsh - # -diff --git a/python/audit2allow/sepolgen-ifgen b/python/audit2allow/sepolgen-ifgen -index b7a04c719acc..f2cc0c32f2b0 100644 ---- a/python/audit2allow/sepolgen-ifgen -+++ b/python/audit2allow/sepolgen-ifgen -@@ -1,4 +1,4 @@ --#!/usr/bin/python3 -Es -+#!/usr/bin/python3 -EsI - # - # Authors: Karl MacMillan - # -diff --git a/python/chcat/chcat b/python/chcat/chcat -index 952cb8187599..68718ec5f102 100755 ---- a/python/chcat/chcat -+++ b/python/chcat/chcat -@@ -1,4 +1,4 @@ --#!/usr/bin/python3 -Es -+#!/usr/bin/python3 -EsI - # Copyright (C) 2005 Red Hat - # see file 'COPYING' for use and warranty information - # -diff --git a/python/semanage/semanage b/python/semanage/semanage -index 10ab3fa67d7f..b21d1484ab85 100644 ---- a/python/semanage/semanage -+++ b/python/semanage/semanage -@@ -1,4 +1,4 @@ --#!/usr/bin/python3 -Es -+#!/usr/bin/python3 -EsI - # Copyright (C) 2012-2013 Red Hat - # AUTHOR: Miroslav Grepl - # AUTHOR: David Quigley -diff --git a/python/sepolicy/sepolicy.py b/python/sepolicy/sepolicy.py -index 
c7a70e094b0c..733d40484709 100755 ---- a/python/sepolicy/sepolicy.py -+++ b/python/sepolicy/sepolicy.py -@@ -1,4 +1,4 @@ --#!/usr/bin/python3 -Es -+#!/usr/bin/python3 -EsI - # Copyright (C) 2012 Red Hat - # AUTHOR: Dan Walsh - # see file 'COPYING' for use and warranty information --- -2.38.1 - diff --git a/0023-python-Fix-typo-in-audit2allow.1-example.patch b/0023-python-Fix-typo-in-audit2allow.1-example.patch deleted file mode 100644 index 31b0081..0000000 --- a/0023-python-Fix-typo-in-audit2allow.1-example.patch +++ /dev/null @@ -1,28 +0,0 @@ -From 5e9f9478cc6eeaa46e0e8172a458a49e49d4e258 Mon Sep 17 00:00:00 2001 -From: Petr Lautrbach -Date: Wed, 9 Nov 2022 11:53:28 +0100 -Subject: [PATCH] python: Fix typo in audit2allow.1 example -Content-type: text/plain - -Signed-off-by: Petr Lautrbach -Acked-by: James Carter ---- - python/audit2allow/audit2allow.1 | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/python/audit2allow/audit2allow.1 b/python/audit2allow/audit2allow.1 -index c61067b33688..04ec32398011 100644 ---- a/python/audit2allow/audit2allow.1 -+++ b/python/audit2allow/audit2allow.1 -@@ -151,7 +151,7 @@ policy_module(local, 1.0) - gen_require(` - type myapp_t; - type etc_t; -- }; -+\[aq]) - - files_read_etc_files(myapp_t) - --- -2.38.1 - diff --git a/0024-python-sepolicy-Fix-sepolicy-manpage-w.patch b/0024-python-sepolicy-Fix-sepolicy-manpage-w.patch deleted file mode 100644 index 97a224e..0000000 --- a/0024-python-sepolicy-Fix-sepolicy-manpage-w.patch +++ /dev/null 
@@ -1,102 +0,0 @@ -From 762090ae1a67b040b37cc4863f1ceb0b45c66717 Mon Sep 17 00:00:00 2001 -From: Petr Lautrbach -Date: Fri, 18 Nov 2022 13:51:52 +0100 -Subject: [PATCH] python/sepolicy: Fix sepolicy manpage -w ... -Content-type: text/plain - -Commit 7494bb1298b3 ("sepolicy: generate man pages in parallel") -improved sepolicy performance but broke `sepolicy manpage -w ...` as it -didn't collect data about domains and roles from ManPage() and so -HTMLManPages() generated only empty page. This is fixed now, domains -and roles are being collected and used for HTML pages. - -Signed-off-by: Petr Lautrbach ---- - python/sepolicy/sepolicy.py | 13 +++++++++++-- - python/sepolicy/sepolicy/manpage.py | 12 +++++------- - 2 files changed, 16 insertions(+), 9 deletions(-) - -diff --git a/python/sepolicy/sepolicy.py b/python/sepolicy/sepolicy.py -index 733d40484709..82ff6af2bc2d 100755 ---- a/python/sepolicy/sepolicy.py -+++ b/python/sepolicy/sepolicy.py -@@ -332,9 +332,10 @@ def manpage_work(domain, path, root, source_files, web): - from sepolicy.manpage import ManPage - m = ManPage(domain, path, root, source_files, web) - print(m.get_man_page_path()) -+ return (m.manpage_domains, m.manpage_roles) - - def manpage(args): -- from sepolicy.manpage import HTMLManPages, manpage_domains, manpage_roles, gen_domains -+ from sepolicy.manpage import HTMLManPages, gen_domains - - path = args.path - if not args.policy and args.root != "/": -@@ -347,9 +348,17 @@ def manpage(args): - else: - test_domains = args.domain - -+ manpage_domains = set() -+ manpage_roles = set() - p = Pool() -+ async_results = [] - for domain in test_domains: -- p.apply_async(manpage_work, [domain, path, args.root, args.source_files, args.web]) -+ async_results.append(p.apply_async(manpage_work, [domain, path, args.root, args.source_files, args.web])) -+ for result in async_results: -+ domains, roles = result.get() -+ manpage_domains.update(domains) -+ manpage_roles.update(roles) -+ - p.close() - p.join() - -diff 
--git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py -index 3e61e333193f..de72cb6cda5f 100755 ---- a/python/sepolicy/sepolicy/manpage.py -+++ b/python/sepolicy/sepolicy/manpage.py -@@ -21,7 +21,7 @@ - # 02111-1307 USA - # - # --__all__ = ['ManPage', 'HTMLManPages', 'manpage_domains', 'manpage_roles', 'gen_domains'] -+__all__ = ['ManPage', 'HTMLManPages', 'gen_domains'] - - import string - import selinux -@@ -147,10 +147,6 @@ def _gen_types(): - def prettyprint(f, trim): - return " ".join(f[:-len(trim)].split("_")) - --# for HTML man pages --manpage_domains = [] --manpage_roles = [] -- - fedora_releases = ["Fedora17", "Fedora18"] - rhel_releases = ["RHEL6", "RHEL7"] - -@@ -408,6 +404,8 @@ class ManPage: - """ - modules_dict = None - enabled_str = ["Disabled", "Enabled"] -+ manpage_domains = [] -+ manpage_roles = [] - - def __init__(self, domainname, path="/tmp", root="/", source_files=False, html=False): - self.html = html -@@ -453,10 +451,10 @@ class ManPage: - if self.domainname + "_r" in self.all_roles: - self.__gen_user_man_page() - if self.html: -- manpage_roles.append(self.man_page_path) -+ self.manpage_roles.append(self.man_page_path) - else: - if self.html: -- manpage_domains.append(self.man_page_path) -+ self.manpage_domains.append(self.man_page_path) - self.__gen_man_page() - self.fd.close() - --- -2.38.1 - diff --git a/0025-python-sepolicy-Use-distro-module-to-get-os-version.patch b/0025-python-sepolicy-Use-distro-module-to-get-os-version.patch deleted file mode 100644 index 606207b..0000000 --- a/0025-python-sepolicy-Use-distro-module-to-get-os-version.patch +++ /dev/null 
@@ -1,57 +0,0 @@ -From fe825bf76f7a6727a3654c96e7bc55ddc7069b76 Mon Sep 17 00:00:00 2001 -From: Petr Lautrbach -Date: Fri, 18 Nov 2022 13:51:53 +0100 -Subject: [PATCH] python/sepolicy: Use distro module to get os version -Content-type: text/plain - -distro module uses /etc/os-release file which contains operating system -identification data, see os-release(5). Given that the mechanism doesn't -use `rpm` it should be possible to generate man pages on other -distributions. - -Signed-off-by: Petr Lautrbach ---- - python/sepolicy/sepolicy/__init__.py | 25 ++++++------------------- - 1 file changed, 6 insertions(+), 19 deletions(-) - -diff --git a/python/sepolicy/sepolicy/__init__.py b/python/sepolicy/sepolicy/__init__.py -index 9c3caa05b80b..baa4c8e62e97 100644 ---- a/python/sepolicy/sepolicy/__init__.py -+++ b/python/sepolicy/sepolicy/__init__.py -@@ -1226,27 +1226,14 @@ def boolean_desc(boolean): - - - def get_os_version(): -- os_version = "" -- pkg_name = "selinux-policy" -+ system_release = "" - try: -- try: -- from commands import getstatusoutput -- except ImportError: -- from subprocess import getstatusoutput -- rc, output = getstatusoutput("rpm -q '%s'" % pkg_name) -- if rc == 0: -- os_version = output.split(".")[-2] -- except: -- os_version = "" -- -- if os_version[0:2] == "fc": -- os_version = "Fedora" + os_version[2:] -- elif os_version[0:2] == "el": -- os_version = "RHEL" + os_version[2:] -- else: -- os_version = "" -+ import distro -+ system_release = distro.name(pretty=True) -+ except IOError: -+ system_release = "Misc" - -- return os_version -+ return system_release - - - def reinit(): --- -2.38.1 - diff --git a/0026-python-sepolicy-Simplify-generation-of-man-pages.patch b/0026-python-sepolicy-Simplify-generation-of-man-pages.patch deleted file mode 100644 index 1835db5..0000000 --- a/0026-python-sepolicy-Simplify-generation-of-man-pages.patch +++ /dev/null 
@@ -1,133 +0,0 @@ -From 1fad73e62fdda5290e3939464df09796fca6871d Mon Sep 17 00:00:00 2001 -From: Petr Lautrbach -Date: Fri, 18 Nov 2022 13:51:55 +0100 -Subject: [PATCH] python/sepolicy: Simplify generation of man pages -Content-type: text/plain - -And do not hardcode Fedora and RHEL versions. - -Signed-off-by: Petr Lautrbach ---- - python/sepolicy/sepolicy/manpage.py | 71 ++++------------------------- - 1 file changed, 8 insertions(+), 63 deletions(-) - -diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py -index de72cb6cda5f..edeb3b77e759 100755 ---- a/python/sepolicy/sepolicy/manpage.py -+++ b/python/sepolicy/sepolicy/manpage.py -@@ -147,9 +147,6 @@ def _gen_types(): - def prettyprint(f, trim): - return " ".join(f[:-len(trim)].split("_")) - --fedora_releases = ["Fedora17", "Fedora18"] --rhel_releases = ["RHEL6", "RHEL7"] -- - - def get_alphabet_manpages(manpage_list): - alphabet_manpages = dict.fromkeys(string.ascii_letters, []) -@@ -180,7 +177,7 @@ def convert_manpage_to_html(html_manpage, manpage): - class HTMLManPages: - - """ -- Generate a HHTML Manpages on an given SELinux domains -+ Generate a HTML Manpages on an given SELinux domains - """ - - def __init__(self, manpage_roles, manpage_domains, path, os_version): -@@ -188,18 +185,12 @@ class HTMLManPages: - self.manpage_domains = get_alphabet_manpages(manpage_domains) - self.os_version = os_version - self.old_path = path + "/" -- self.new_path = self.old_path + self.os_version + "/" -- -- if self.os_version in fedora_releases or self.os_version in rhel_releases: -- self.__gen_html_manpages() -- else: -- print("SELinux HTML man pages can not be generated for this %s" % os_version) -- exit(1) -+ self.new_path = self.old_path -+ self.__gen_html_manpages() - - def __gen_html_manpages(self): - self._write_html_manpage() - self._gen_index() -- self._gen_body() - self._gen_css() - - def _write_html_manpage(self): -@@ -217,67 +208,21 @@ class HTMLManPages: - 
convert_manpage_to_html((self.new_path + r.rsplit("_selinux", 1)[0] + ".html"), self.old_path + r) - - def _gen_index(self): -- index = self.old_path + "index.html" -- fd = open(index, 'w') -- fd.write(""" -- -- -- -- SELinux man pages online -- -- --

SELinux man pages

--

--Fedora or Red Hat Enterprise Linux Man Pages. --

--
--

Fedora

-- -- --
--
--
--""")
--        for f in fedora_releases:
--            fd.write("""
--%s - SELinux man pages for %s """ % (f, f, f, f))
--
--        fd.write("""
--
--
--

RHEL

-- -- --
--
--
--""")
--        for r in rhel_releases:
--            fd.write("""
--%s - SELinux man pages for %s """ % (r, r, r, r))
--
--        fd.write("""
--
-- """) -- fd.close() -- print("%s has been created" % index) -- -- def _gen_body(self): -- html = self.new_path + self.os_version + ".html" -+ html = self.new_path + "index.html" - fd = open(html, 'w') - fd.write(""" - - -- -- Linux man-pages online for Fedora18 -+ -+ SELinux man pages - - --

SELinux man pages for Fedora18

-+

SELinux man pages for %s

-
- -
-

SELinux roles

--""") -+""" % self.os_version) - for letter in self.manpage_roles: - if len(self.manpage_roles[letter]): - fd.write(""" --- -2.38.1 - diff --git a/0027-Fix-E275-missing-whitespace-after-keyword.patch b/0027-Fix-E275-missing-whitespace-after-keyword.patch deleted file mode 100644 index e86d3c6..0000000 --- a/0027-Fix-E275-missing-whitespace-after-keyword.patch +++ /dev/null 
@@ -1,160 +0,0 @@ -From 3fb03f54d0dad5119cdd3e1d2b13370b8296040b Mon Sep 17 00:00:00 2001 -From: Petr Lautrbach -Date: Mon, 21 Nov 2022 11:39:32 +0100 -Subject: [PATCH] Fix E275 missing whitespace after keyword -Content-type: text/plain - -Fixes: - ./gui/polgengui.py:484:18: E275 missing whitespace after keyword - ./gui/polgengui.py:530:18: E275 missing whitespace after keyword - ./python/sepolgen/src/sepolgen/policygen.py:327:19: E275 missing whitespace after keyword - ./python/sepolgen/src/sepolgen/policygen.py:329:11: E275 missing whitespace after keyword - ./python/sepolicy/sepolicy/__init__.py:453:15: E275 missing whitespace after keyword - ./python/sepolicy/sepolicy/generate.py:1351:28: E275 missing whitespace after keyword - ./python/sepolicy/sepolicy/generate.py:1353:28: E275 missing whitespace after keyword - ./python/sepolicy/sepolicy/gui.py:638:24: E275 missing whitespace after keyword - ./python/sepolicy/sepolicy/gui.py:863:23: E275 missing whitespace after keyword - ./python/sepolicy/sepolicy/gui.py:2177:16: E275 missing whitespace after keyword - ./sandbox/sandbox:114:7: E275 missing whitespace after keyword - ./sandbox/sandbox:134:11: E275 missing whitespace after keyword - ./sandbox/sandbox:136:7: E275 missing whitespace after keyword - -Signed-off-by: Petr Lautrbach ---- - gui/polgengui.py | 4 ++-- - python/sepolgen/src/sepolgen/policygen.py | 4 ++-- - python/sepolicy/sepolicy/__init__.py | 4 ++-- - python/sepolicy/sepolicy/generate.py | 4 ++-- - python/sepolicy/sepolicy/gui.py | 6 +++--- - sandbox/sandbox | 6 +++--- - 6 files changed, 14 insertions(+), 14 deletions(-) - -diff --git a/gui/polgengui.py b/gui/polgengui.py -index 7a3ecd50c91c..16116ba68b61 100644 ---- a/gui/polgengui.py -+++ b/gui/polgengui.py -@@ -481,7 +481,7 @@ class childWindow: - my_policy = sepolicy.generate.policy(self.get_name(), self.get_type()) - - iter = self.boolean_store.get_iter_first() -- while(iter): -+ while iter: - 
my_policy.add_boolean(self.boolean_store.get_value(iter, 0), self.boolean_store.get_value(iter, 1)) - iter = self.boolean_store.iter_next(iter) - -@@ -527,7 +527,7 @@ class childWindow: - my_policy.set_out_udp(self.out_udp_all_checkbutton.get_active(), self.out_udp_entry.get_text()) - - iter = self.store.get_iter_first() -- while(iter): -+ while iter: - if self.store.get_value(iter, 1) == FILE: - my_policy.add_file(self.store.get_value(iter, 0)) - else: -diff --git a/python/sepolgen/src/sepolgen/policygen.py b/python/sepolgen/src/sepolgen/policygen.py -index 8f0ce26e4dc7..183b41a93d50 100644 ---- a/python/sepolgen/src/sepolgen/policygen.py -+++ b/python/sepolgen/src/sepolgen/policygen.py -@@ -324,9 +324,9 @@ def call_interface(interface, av): - ifcall.args.append(av.obj_class) - else: - print(params[i].type) -- assert(0) -+ assert 0 - -- assert(len(ifcall.args) > 0) -+ assert len(ifcall.args) > 0 - - return ifcall - -diff --git a/python/sepolicy/sepolicy/__init__.py b/python/sepolicy/sepolicy/__init__.py -index baa4c8e62e97..68907a4f9759 100644 ---- a/python/sepolicy/sepolicy/__init__.py -+++ b/python/sepolicy/sepolicy/__init__.py -@@ -450,9 +450,9 @@ def get_conditionals(src, dest, tclass, perm): - tlist.append(tdict) - tdict = {} - except KeyError: -- return(tlist) -+ return tlist - -- return (tlist) -+ return tlist - - - def get_conditionals_format_text(cond): -diff --git a/python/sepolicy/sepolicy/generate.py b/python/sepolicy/sepolicy/generate.py -index eff3a8973917..36a3ea1196b1 100644 ---- a/python/sepolicy/sepolicy/generate.py -+++ b/python/sepolicy/sepolicy/generate.py -@@ -1348,9 +1348,9 @@ allow %s_t %s_t:%s_socket name_%s; - if len(temp_dirs) != 0: - for i in temp_dirs: - if i in self.dirs.keys(): -- del(self.dirs[i]) -+ del self.dirs[i] - elif i in self.files.keys(): -- del(self.files[i]) -+ del self.files[i] - else: - continue - -diff --git a/python/sepolicy/sepolicy/gui.py b/python/sepolicy/sepolicy/gui.py -index 335be582b668..c8f33f522a2d 100644 
---- a/python/sepolicy/sepolicy/gui.py -+++ b/python/sepolicy/sepolicy/gui.py -@@ -635,7 +635,7 @@ class SELinuxGui(): - for k in self.cur_dict: - for j in self.cur_dict[k]: - if i == ctr: -- del(self.cur_dict[k][j]) -+ del self.cur_dict[k][j] - return - i += 1 - -@@ -860,7 +860,7 @@ class SELinuxGui(): - if val is True or val is False or val is None: - continue - # Returns true if filter_txt exists within the val -- if(val.find(self.filter_txt) != -1 or val.lower().find(self.filter_txt) != -1): -+ if val.find(self.filter_txt) != -1 or val.lower().find(self.filter_txt) != -1: - return True - except (AttributeError, TypeError): - pass -@@ -2174,7 +2174,7 @@ class SELinuxGui(): - model.set_value(iter, 0, not model.get_value(iter, 0)) - active = model.get_value(iter, 0) - if name in self.cur_dict["boolean"]: -- del(self.cur_dict["boolean"][name]) -+ del self.cur_dict["boolean"][name] - else: - self.cur_dict["boolean"][name] = {"active": active} - self.new_updates() -diff --git a/sandbox/sandbox b/sandbox/sandbox -index df3af9260c7f..a32a33ea3cf6 100644 ---- a/sandbox/sandbox -+++ b/sandbox/sandbox -@@ -111,7 +111,7 @@ def copyfile(file, srcdir, dest): - - def savefile(new, orig, X_ind): - copy = False -- if(X_ind): -+ if X_ind: - import gi - gi.require_version('Gtk', '3.0') - from gi.repository import Gtk -@@ -131,9 +131,9 @@ def savefile(new, orig, X_ind): - except NameError: - pass - ans = input(_("Do you want to save changes to '%s' (y/N): ") % orig) -- if(re.match(_("[yY]"), ans)): -+ if re.match(_("[yY]"), ans): - copy = True -- if(copy): -+ if copy: - shutil.copy2(new, orig) - - --- -2.38.1 - diff --git a/policycoreutils.spec b/policycoreutils.spec index 0908756..3fa7f23 100644 --- a/policycoreutils.spec +++ b/policycoreutils.spec 
@@ -1,7 +1,7 @@
 %global libauditver 3.0
-%global libsepolver 3.4-4
-%global libsemanagever 3.4-6
-%global libselinuxver 3.4-6
+%global libsepolver 3.5-0
+%global libsemanagever 3.5-0
+%global libselinuxver 3.5-0
 %global generatorsdir %{_prefix}/lib/systemd/system-generators
@@ -10,11 +10,11 @@ Summary: SELinux policy core utilities
 Name: policycoreutils
-Version: 3.4
-Release: 7.1%{?dist}
+Version: 3.5
+Release: 0.rc1.1%{?dist}
 License: GPL-2.0-or-later
 # https://github.com/SELinuxProject/selinux/wiki/Releases
-Source0: https://github.com/SELinuxProject/selinux/releases/download/3.4/selinux-3.4.tar.gz
+Source0: https://github.com/SELinuxProject/selinux/releases/download/3.5-rc1/selinux-3.5-rc1.tar.gz
 URL: https://github.com/SELinuxProject/selinux
 Source13: system-config-selinux.png
 Source14: sepolicy-icons.tgz
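Review bot: The "rc1" pre-release suffix is now spelled out independently in `Release: 0.rc1.1%{?dist}`, in the Source0 URL, in the `git format-patch -N 3.5-rc1` comment of the Patch-list hunk and in `%autosetup -p 1 -n selinux-%{version}-rc1` of the %prep hunk, so the next rc bump has to touch four places and a mismatch between them would likely only surface as a failing %prep or a wrong tarball fetch. A single macro next to the existing `%global` lines would keep them in step, for example `%global rcver rc1` (name constructed) used as `Release: 0.%{rcver}.1%{?dist}` and `-n selinux-%{version}-%{rcver}`. The same remark applies to the Source0, format-patch and %autosetup hunks and is not repeated there.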
@@ -28,36 +28,14 @@ Source21: python-po.tgz
 Source22: gui-po.tgz
 Source23: sandbox-po.tgz
 # https://github.com/fedora-selinux/selinux
-# $ git format-patch -N 3.4 -- policycoreutils python gui sandbox dbus semodule-utils restorecond
+# $ git format-patch -N 3.5-rc1 -- policycoreutils python gui sandbox dbus semodule-utils restorecond
 # $ for j in [0-9]*.patch; do printf "Patch%s: %s\n" ${j/-*/} $j; done
 # Patch list start
-Patch0001: 0001-libselinux-declare-return-value-of-context_str-3-con.patch
-Patch0002: 0002-semodule-avoid-toctou-on-output-module.patch
-Patch0003: 0003-python-Split-semanage-import-into-two-transactions.patch
-Patch0004: 0004-python-audit2allow-close-file-stream-on-error.patch
-Patch0005: 0005-gettext-handle-unsupported-languages-properly.patch
-Patch0006: 0006-semodule-rename-rebuild-if-modules-changed-to-refres.patch
-Patch0007: 0007-python-remove-IOError-in-certain-cases.patch
-Patch0008: 0008-restorecond-use-strict-function-prototype-for-defini.patch
-Patch0009: 0009-Ignore-egg-info-directories-and-clean-them.patch
-# Patch0010: 0010-Update-translations.patch
-Patch0011: 0011-docs-provide-a-top-level-LICENSE-file.patch
-Patch0012: 0012-gui-Fix-export-file-chooser-dialog.patch
-Patch0013: 0013-python-Do-not-query-the-local-database-if-the-fconte.patch
-Patch0014: 0014-sandbox-Do-not-try-to-remove-tmpdir-twice-if-uid-0.patch
-Patch0015: 0015-sandbox-Use-temporary-directory-for-XDG_RUNTIME_DIR.patch
-Patch0016: 0016-python-Remove-dependency-on-the-Python-module-distut.patch
-Patch0017: 0017-python-Harden-tools-against-rogue-modules.patch
-Patch0018: 0018-sandbox-add-reset-to-Xephyr-as-it-works-better-with-.patch
-Patch0019: 0019-Don-t-be-verbose-if-you-are-not-on-a-tty.patch
-Patch0020: 0020-sepolicy-generate-Handle-more-reserved-port-types.patch
-Patch0021: 0021-sandbox-Use-matchbox-window-manager-instead-of-openb.patch
-Patch0022: 0022-Use-SHA-2-instead-of-SHA-1.patch
-Patch0023: 0023-python-Fix-typo-in-audit2allow.1-example.patch
-Patch0024: 0024-python-sepolicy-Fix-sepolicy-manpage-w.patch
-Patch0025: 0025-python-sepolicy-Use-distro-module-to-get-os-version.patch
-Patch0026: 0026-python-sepolicy-Simplify-generation-of-man-pages.patch
-Patch0027: 0027-Fix-E275-missing-whitespace-after-keyword.patch
+Patch0001: 0001-sandbox-add-reset-to-Xephyr-as-it-works-better-with-.patch
+Patch0002: 0002-Don-t-be-verbose-if-you-are-not-on-a-tty.patch
+Patch0003: 0003-sepolicy-generate-Handle-more-reserved-port-types.patch
+Patch0004: 0004-sandbox-Use-matchbox-window-manager-instead-of-openb.patch
+Patch0005: 0005-Use-SHA-2-instead-of-SHA-1.patch
 # Patch list end
 Obsoletes: policycoreutils < 2.0.61-2
@@ -70,7 +48,7 @@ Provides: /sbin/restorecon
 BuildRequires: gcc make
 BuildRequires: pam-devel libsepol-static >= %{libsepolver} libsemanage-devel >= %{libsemanagever} libselinux-devel >= %{libselinuxver} libcap-devel audit-libs-devel >= %{libauditver} gettext
 BuildRequires: desktop-file-utils dbus-devel dbus-glib-devel
-BuildRequires: python3-devel python3-setuptools
+BuildRequires: python3-devel python3-setuptools python3-pip
 BuildRequires: systemd
 BuildRequires: git-core
 Requires: util-linux grep gawk diffutils rpm sed
@@ -93,7 +71,7 @@ load_policy to load policies, setfiles to label filesystems, newrole to switch roles.
 %prep -p /usr/bin/bash
-%autosetup -n selinux-%{version} -p 1
+%autosetup -p 1 -n selinux-%{version}-rc1
 cp %{SOURCE13} gui/
 tar -xvf %{SOURCE14} -C python/sepolicy/
@@ -106,7 +84,7 @@ tar -xvf %{SOURCE14} -C python/sepolicy/
 # tar -x -f %{SOURCE20} -C policycoreutils -z
 # tar -x -f %{SOURCE21} -C python -z
 # tar -x -f %{SOURCE22} -C gui -z
-tar -x -f %{SOURCE23} -C sandbox -z
+# tar -x -f %{SOURCE23} -C sandbox -z
 %build
 %set_build_flags
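Review bot: The Patch list drops 22 of the 27 carried entries without recording where they went, and two of them are hardening fixes (`0002-semodule-avoid-toctou-on-output-module.patch`, `0017-python-Harden-tools-against-rogue-modules.patch`) whose continued presence a reviewer would want to confirm. Presumably all of them are contained in the 3.5-rc1 tarball, but nothing in the commit says so, and the new changelog entry in the last hunk reads only `SELinux userspace 3.5-rc1 release`. A one-line note under `# Patch list start`, such as `# patches carried on 3.4 that are not listed below are upstream in 3.5-rc1` (wording to confirm against the release), or an equivalent sentence in the changelog, would make the rebase auditable. The five surviving patches were only renumbered, as the rename entries earlier in the commit show.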
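Review bot: `BuildRequires: python3-devel python3-setuptools python3-pip` adds pip to the build without saying which 3.5-rc1 build step needs it; the other BuildRequires lines map to visible tooling, and the %build/%install steps that would show the use are outside this view. A trailing comment on the line, for example `# python3-pip: used by the python subpackage build since 3.5-rc1 (reason to confirm)`, would keep a later cleanup from dropping it, and if the reason is a build step that fetches from an index, that is worth stating explicitly since package builds are expected to run without network access.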
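Review bot: `# tar -x -f %{SOURCE23} -C sandbox -z` disables unpacking of the sandbox translation tarball while `Source23: sandbox-po.tgz` stays declared in the header hunk, and the commented-out line carries no reason, unlike the three sibling SOURCE20–22 lines which were already disabled before this change. Presumably the translations now come with the 3.5-rc1 tarball, but that is inferred; a short comment on the line, `# sandbox-po.tgz no longer needed as of 3.5-rc1 (to confirm)`, or dropping Source23 from the header if it is really unused, would make the intent explicit.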
@@ -486,6 +464,9 @@ The policycoreutils-restorecond package contains the restorecond service.
 %systemd_postun_with_restart restorecond.service
 %changelog
+* Fri Dec 23 2022 Petr Lautrbach - 3.5-0.rc1.1
+- SELinux userspace 3.5-rc1 release
+
 * Mon Nov 21 2022 Petr Lautrbach - 3.4-7.1
 - Rebase on upstream f56a72ac9e86
 - sepolicy: fix sepolicy manpage -w
diff --git a/sources b/sources
index c617bc5..487300c 100644
--- a/sources
+++ b/sources
@@ -2,4 +2,4 @@ SHA512 (gui-po.tgz) = 8e0855256b825eea422b8e2b82cc0decf66b902c9930840905c5ad5dda
 SHA512 (policycoreutils-po.tgz) = 66b908f7a167225bebded46f9cf92f42eb194daa2a083d48de43c2a5d33fa42724c5add0a9d029ac9d62c500f6f1c8d3bc138dd598b1fd97e609d7cc7160be72
 SHA512 (python-po.tgz) = 7f2a082b77c7b4417d5d3dac35d86dd635635a9c05a80e5f9284d03604e2f2a06ec879fb29b056d1a46d3fc448cd76e6fd25196834c18a161fd6677f2e11b2be
 SHA512 (sandbox-po.tgz) = 3d4b389b56bab1a6dddce9884dcebdefbefd1017fec6d987ac22a0705f409ed56722387aaca8fe7d9c468862136387bc703062e2b6de8fd102e13fed04ce811b
-SHA512 (selinux-3.4.tar.gz) = 9b619f6b2c632cc5cfebf5e9a9c1aa4130ef1efe9b85954d5a9da4f7a9bc15e82b9efcb4aa9c7ba2e16bac79cf116163a5d4d9cb7cbba3c96c88e01509bd60ab
+SHA512 (selinux-3.5-rc1.tar.gz) = 82643c99343088c7eb7d96ba9f77d463b15bd900e24f6cdb8a9730ee12db7b87d143da4bb2c706514bc2c3de3e864bc68e13e639212bd1b53acee0f0b562618f