diff --git a/policycoreutils-fedora.patch b/policycoreutils-fedora.patch index e31fa85..c621943 100644 --- a/policycoreutils-fedora.patch +++ b/policycoreutils-fedora.patch @@ -1,8 +1,14 @@ diff --git policycoreutils-2.5/ChangeLog policycoreutils-2.5/ChangeLog -index d8fb067..22ad542 100644 +index d8fb067..06d276e 100644 --- policycoreutils-2.5/ChangeLog +++ policycoreutils-2.5/ChangeLog -@@ -1,3 +1,6 @@ +@@ -1,3 +1,12 @@ ++ * Fix typos in semanage manpages, from Philipp Gesang. ++ * Fix the documentation of -l,--list for semodule, from Petr Lautrbach. ++ * Minor fix in a French translation, from Laurent Bigonville. ++ * Fix the extract example in semodule.8, from Petr Lautrbach. ++ * Update sandbox.8 man page, from Petr Lautrbach. ++ * Remove typos from chcat --help, from Petr Lautrbach. + * Fix multiple spelling errors, from Laurent Bigonville. + * hll/pp: Warn if module name different than output filename, from James Carter + @@ -208108,7 +208114,7 @@ index 93a94e9..2e5d70b 100644 msgid "Loss of data Dialog" msgstr "" diff --git policycoreutils-2.5/po/fr.po policycoreutils-2.5/po/fr.po -index be33d59..322affd 100644 +index be33d59..ea97f27 100644 --- policycoreutils-2.5/po/fr.po +++ policycoreutils-2.5/po/fr.po @@ -1,27 +1,30 @@ @@ -209474,7 +209480,13 @@ index be33d59..322affd 100644 #: ../newrole/newrole.c:1102 #, c-format -@@ -1312,8 +1291,7 @@ msgstr "La stratégie %s est déjà chargée et un chargement initial est requis +@@ -1307,13 +1286,12 @@ msgstr "syntaxe : %s [-q]\n" + #: ../load_policy/load_policy.c:71 + #, c-format + msgid "%s: Policy is already loaded and initial load requested\n" +-msgstr "La stratégie %s est déjà chargée et un chargement initial est requis\n" ++msgstr "%s : La stratégie est déjà chargée et un chargement initial est demandé\n" + #: ../load_policy/load_policy.c:80 #, c-format msgid "%s: Can't load policy and enforcing mode requested: %s\n" 
@@ -654395,6 +654407,47 @@ index 9e0024f..f15f56e 100644 def reserve(level): sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) +diff --git policycoreutils-2.5/sandbox/sandbox.8 policycoreutils-2.5/sandbox/sandbox.8 +index 0c8cd1e..81f497a 100644 +--- policycoreutils-2.5/sandbox/sandbox.8 ++++ policycoreutils-2.5/sandbox/sandbox.8 +@@ -3,11 +3,11 @@ + sandbox \- Run cmd under an SELinux sandbox + .SH SYNOPSIS + .B sandbox +-[\-C] [\-c] [\-s] [ \-d DPI ] [\-l level ] [[\-M | \-X] \-H homedir \-T tempdir ] [\-I includefile ] [ \-W windowmanager ] [ \-w windowsize ] [[\-i file ]...] [ \-t type ] cmd ++[\-C] [\-s] [ \-d DPI ] [\-l level ] [[\-M | \-X] \-H homedir \-T tempdir ] [\-I includefile ] [ \-W windowmanager ] [ \-w windowsize ] [[\-i file ]...] [ \-t type ] cmd + + .br + .B sandbox +-[\-C] [\-c] [\-s] [ \-d DPI ] [\-l level ] [[\-M | \-X] \-H homedir \-T tempdir ] [\-I includefile ] [ \-W windowmanager ] [ \-w windowsize ] [[\-i file ]...] [ \-t type ] \-S ++[\-C] [\-s] [ \-d DPI ] [\-l level ] [[\-M | \-X] \-H homedir \-T tempdir ] [\-I includefile ] [ \-W windowmanager ] [ \-w windowsize ] [[\-i file ]...] [ \-t type ] \-S + .br + .SH DESCRIPTION + .PP +@@ -24,10 +24,10 @@ allows you to run X applications within a sandbox. These applications will star + If directories are specified with \-H or \-T the directory will have its context modified with chcon(1) unless a level is specified with \-l. If the MLS/MCS security level is specified, the user is responsible to set the correct labels. + .PP + .TP +-\fB\-h\ \fB\\-\-help\fR ++\fB\-h\ \fB\-\-help\fR + display usage message + .TP +-\fB\-H\ \fB\\-\-homedir\fR ++\fB\-H\ \fB\-\-homedir\fR + Use alternate homedir to mount over your home directory. Defaults to temporary. Requires \-X or \-M. + .TP + \fB\-i\fR \fB\-\-include\fR +@@ -84,9 +84,6 @@ $HOME and /tmp, secondary Xserver, defaults to sandbox_x_t + \fB\-d\fR \fB\-\-dpi\fR + Set the DPI value for the sandbox X Server. Defaults to the current X Sever DPI. 
+ .TP +-\fB\-c\fR \fB\-\-cgroups\fR +-Use control groups to control this copy of sandbox. Specify parameters in /etc/sysconfig/sandbox. Max memory usage and cpu usage are to be specified in percent. You can specify which CPUs to use by numbering them 0,1,2... etc. +-.TP + \fB\-C\fR \fB\-\-capabilities\fR Use capabilities within the + sandbox. By default applications executed within the sandbox will not + be allowed to use capabilities (setuid apps), with the \-C flag, you diff --git policycoreutils-2.5/sandbox/sandboxX.sh policycoreutils-2.5/sandbox/sandboxX.sh index eaa500d..4774528 100644 --- policycoreutils-2.5/sandbox/sandboxX.sh @@ -654437,7 +654490,7 @@ index fc406e1..e0a0c2c 100644 rc = subprocess.getstatusoutput(sys.argv[1]) except: diff --git policycoreutils-2.5/scripts/chcat policycoreutils-2.5/scripts/chcat -index 472785c..2b6a592 100755 +index 472785c..3e3cc21 100755 --- policycoreutils-2.5/scripts/chcat +++ policycoreutils-2.5/scripts/chcat @@ -1,4 +1,4 @@ @@ -654446,6 +654499,17 @@ index 472785c..2b6a592 100755 # Copyright (C) 2005 Red Hat # see file 'COPYING' for use and warranty information # +@@ -346,8 +346,8 @@ def translate(cats): + def usage(): + print(_("Usage %s CATEGORY File ...") % sys.argv[0]) + print(_("Usage %s -l CATEGORY user ...") % sys.argv[0]) +- print(_("Usage %s [[+|-]CATEGORY],...]q File ...") % sys.argv[0]) +- print(_("Usage %s -l [[+|-]CATEGORY],...]q user ...") % sys.argv[0]) ++ print(_("Usage %s [[+|-]CATEGORY],...] File ...") % sys.argv[0]) ++ print(_("Usage %s -l [[+|-]CATEGORY],...] user ...") % sys.argv[0]) + print(_("Usage %s -d File ...") % sys.argv[0]) + print(_("Usage %s -l -d user ...") % sys.argv[0]) + print(_("Usage %s -L") % sys.argv[0]) diff --git policycoreutils-2.5/scripts/fixfiles policycoreutils-2.5/scripts/fixfiles index 5c29eb9..db53c0b 100755 --- policycoreutils-2.5/scripts/fixfiles 
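Review bot: The two corrected usage strings in usage() still print unbalanced brackets: `[[+|-]CATEGORY],...]` opens two groups and closes three. If the intent is a comma-separated list of optionally signed categories, something like `print(_("Usage %s [+|-]CATEGORY[,...] File ...") % sys.argv[0])`, with the same shape for the `-l ... user ...` line, would read correctly. These strings are wrapped in `_()`, so they are presumably gettext msgids, and each edit to them orphans the existing translations until the .po catalogs are refreshed; that makes it worth settling the final wording in one change. usage() continues past the end of the hunk.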
@@ -654704,6 +654768,71 @@ index 7489955..9e5b53d 100644 args = [] if "-o" in sys_args[1:] or "-i" in sys_args[1:]: args = make_io_args(sys_args[1:]) +diff --git policycoreutils-2.5/semanage/semanage-dontaudit.8 policycoreutils-2.5/semanage/semanage-dontaudit.8 +index 122780d..3d29911 100644 +--- policycoreutils-2.5/semanage/semanage-dontaudit.8 ++++ policycoreutils-2.5/semanage/semanage-dontaudit.8 +@@ -8,7 +8,7 @@ + semanage is used to configure certain elements of + SELinux policy without requiring modification to or recompilation + from policy sources. semanage dontaudit toggles whether or not dontaudit rules will be in the policy. Policy writers use dontaudit rules to cause +-confined applications to use alternative paths. Dontaudit rules are denied but not reported in the logs. Some times dontaudit rules can cause bugs in applications but policy writers will not relize it since the AVC is not audited. Turning off dontaudit rules with this command to see if the kernel is blocking an access. ++confined applications to use alternative paths. Dontaudit rules are denied but not reported in the logs. Some times dontaudit rules can cause bugs in applications but policy writers will not realize it since the AVC is not audited. Turning off dontaudit rules with this command to see if the kernel is blocking an access. + + .SH "OPTIONS" + .TP +diff --git policycoreutils-2.5/semanage/semanage-export.8 policycoreutils-2.5/semanage/semanage-export.8 +index 469b1bb..d688224 100644 +--- policycoreutils-2.5/semanage/semanage-export.8 ++++ policycoreutils-2.5/semanage/semanage-export.8 +@@ -7,7 +7,7 @@ + .SH "DESCRIPTION" + semanage is used to configure certain elements of + SELinux policy without requiring modification to or recompilation +-from policy sources. semanage import and export can be used to extract the SELinux modifications from one machine and apply them to another. 
You can put a hole group of semanage commands within a file and apply them to a machine in a single transaction. ++from policy sources. semanage import and export can be used to extract the SELinux modifications from one machine and apply them to another. You can put a whole group of semanage commands within a file and apply them to a machine in a single transaction. + + .SH "OPTIONS" + .TP +diff --git policycoreutils-2.5/semanage/semanage-import.8 policycoreutils-2.5/semanage/semanage-import.8 +index 5437de3..4a9b3e7 100644 +--- policycoreutils-2.5/semanage/semanage-import.8 ++++ policycoreutils-2.5/semanage/semanage-import.8 +@@ -7,7 +7,7 @@ + .SH "DESCRIPTION" + semanage is used to configure certain elements of + SELinux policy without requiring modification to or recompilation +-from policy sources. semanage import and export can be used to extract the SELinux modifications from one machine and apply them to another. You can put a hole group of semanage commands within a file and apply them to a machine in a single transaction. ++from policy sources. semanage import and export can be used to extract the SELinux modifications from one machine and apply them to another. You can put a whole group of semanage commands within a file and apply them to a machine in a single transaction. 
+ + .SH "OPTIONS" + .TP +diff --git policycoreutils-2.5/semanage/semanage-interface.8 policycoreutils-2.5/semanage/semanage-interface.8 +index d318bb8..fe8b250 100644 +--- policycoreutils-2.5/semanage/semanage-interface.8 ++++ policycoreutils-2.5/semanage/semanage-interface.8 +@@ -52,7 +52,7 @@ MLS/MCS Security Range (MLS/MCS Systems only) SELinux Range for SELinux login ma + + .SH EXAMPLE + .nf +-list all interface defitions ++list all interface definitions + # semanage interface \-l + + .SH "SEE ALSO" +diff --git policycoreutils-2.5/semanage/semanage-port.8 policycoreutils-2.5/semanage/semanage-port.8 +index 3f067c5..5a6a57f 100644 +--- policycoreutils-2.5/semanage/semanage-port.8 ++++ policycoreutils-2.5/semanage/semanage-port.8 +@@ -53,7 +53,7 @@ Protocol for the specified port (tcp|udp) or internet protocol version for the s + + .SH EXAMPLE + .nf +-List all port defitions ++List all port definitions + # semanage port \-l + Allow Apache to listen on tcp port 81 + # semanage port \-a \-t http_port_t \-p tcp 81 diff --git policycoreutils-2.5/semanage/semanage.8 policycoreutils-2.5/semanage/semanage.8 index 0fad36c..75b782f 100644 --- policycoreutils-2.5/semanage/semanage.8 
@@ -657045,6 +657174,64 @@ index 0000000..7735c59 + download_url = '', + packages=["seobject"], +) +diff --git policycoreutils-2.5/semodule/semodule.8 policycoreutils-2.5/semodule/semodule.8 +index 6db390c..0c5fdf7 100644 +--- policycoreutils-2.5/semodule/semodule.8 ++++ policycoreutils-2.5/semodule/semodule.8 +@@ -38,7 +38,7 @@ deprecated, alias for --install + .B \-r,\-\-remove=MODULE_NAME + remove existing module + .TP +-.B \-l,\-\-list-modules=[KIND] ++.B \-l[KIND],\-\-list-modules[=KIND] + display list of installed modules (other than base) + .TP + .B \-E,\-\-extract=MODULE_PKG +@@ -88,10 +88,12 @@ Use an alternate path for the policy store root + be verbose + .TP + .B \-c,\-\-cil +-Extract module as a CIL file. This only affects the \-\-extract option. ++Extract module as a CIL file. This only affects the \-\-extract option and ++only modules listed in \-\-extract after this option. + .TP + .B \-H,\-\-hll +-Extract module as an HLL file. This only affects the \-\-extract option. ++Extract module as an HLL file. This only affects the \-\-extract option and ++only modules listed in \-\-extract after this option. + + .SH EXAMPLE + .nf +@@ -114,14 +116,14 @@ $ semodule \-d alsa + # Install a module at a specific priority. + $ semodule \-X 100 \-i alsa.pp + # List all modules. 
+-$ semodule \-l full ++$ semodule \-\-list=full + # Set an alternate path for the policy root + $ semodule \-B \-p "/tmp" + # Set an alternate path for the policy store root + $ semodule \-B \-S "/tmp/var/lib/selinux" + # Write the HLL version of puppet and the CIL version of wireshark + # modules at priority 400 to the current working directory +-$ semodule \-X 400 \-g wireshark \-\-cil \-g puppet \-\-hll ++$ semodule \-X 400 \-\-hll \-E puppet \-\-cil \-E wireshark + .fi + + .SH SEE ALSO +diff --git policycoreutils-2.5/semodule/semodule.c policycoreutils-2.5/semodule/semodule.c +index bcfaa2b..63900f4 100644 +--- policycoreutils-2.5/semodule/semodule.c ++++ policycoreutils-2.5/semodule/semodule.c +@@ -127,7 +127,7 @@ static void usage(char *progname) + printf(" -B, --build build and reload policy\n"); + printf(" -i,--install=MODULE_PKG install a new module\n"); + printf(" -r,--remove=MODULE_NAME remove existing module\n"); +- printf(" -l,--list-modules=[KIND] display list of installed modules\n"); ++ printf(" -l[KIND],--list-modules[=KIND] display list of installed modules\n"); + printf(" KIND: standard list highest priority, enabled modules\n"); + printf(" full list all modules\n"); + printf(" -X,--priority=PRIORITY set priority for following operations (1-999)\n"); diff --git policycoreutils-2.5/sepolicy/common.h policycoreutils-2.5/sepolicy/common.h index dc3ce6a..3b93845 100644 --- policycoreutils-2.5/sepolicy/common.h diff --git a/policycoreutils.spec b/policycoreutils.spec index a00b5f1..e2bc822 100644 --- a/policycoreutils.spec +++ b/policycoreutils.spec 
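Review bot: The "List all modules" example in semodule.8 now uses `--list=full`, while both the option entry in the same man page and the new usage() line in semodule.c document the long option as `--list-modules[=KIND]`. Unless `--list` is declared as an alias in the option table, which is outside this hunk, the example presumably works only through getopt_long prefix abbreviation. Writing the example as `$ semodule \-\-list\-modules=full` would match the documented name and would keep working if another long option starting with `--list` is ever added. usage() begins before and continues after the lines shown.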
@@ -1,13 +1,13 @@ %global libauditver 2.1.3-4 -%global libsepolver 2.5 -%global libsemanagever 2.5 -%global libselinuxver 2.5 +%global libsepolver 2.5-7 +%global libsemanagever 2.5-5 +%global libselinuxver 2.5-7 %global sepolgenver 1.2.3 Summary: SELinux policy core utilities Name: policycoreutils Version: 2.5 -Release: 9%{?dist} +Release: 10%{?dist} License: GPLv2 Group: System Environment/Base # https://github.com/SELinuxProject/selinux/wiki/Releases @@ -23,7 +23,7 @@ Source7: selinux-autorelabel-mark.service # download https://raw.githubusercontent.com/fedora-selinux/scripts/master/selinux/make-fedora-selinux-patch.sh # run: # $ VERSION=2.5 ./make-fedora-selinux-patch.sh policycoreutils -# HEAD https://github.com/fedora-selinux/selinux/commit/b4fd6cda6dede7a90892aac8f138b86b3ebda3e8 +# HEAD https://github.com/fedora-selinux/selinux/commit/9abe77e2a670f2f2dfb91f9cec46ee37f9c23995 Patch: policycoreutils-fedora.patch # $ VERSION=1.2.3 ./make-fedora-selinux-patch.sh sepolgen Patch1: sepolgen-fedora.patch @@ -427,6 +427,15 @@ The policycoreutils-restorecond package contains the restorecond service. %systemd_postun_with_restart restorecond.service %changelog +* Thu Jun 23 2016 Petr Lautrbach - 2.5-10 +- Fix typos in semanage manpages +- Fix the documentation of -l,--list for semodule +- Minor fix in a French translation +- Fix the extract example in semodule.8 +- Update sandbox.8 man page +- Remove typos from chcat --help +- sepolgen: Remove additional files when cleaning + * Wed May 11 2016 Petr Lautrbach - 2.5-9 - Fix multiple spelling errors - Rebuild with libsepol-2.5-6 diff --git a/sepolgen-fedora.patch b/sepolgen-fedora.patch index aec6b32..66e7767 100644 --- a/sepolgen-fedora.patch +++ b/sepolgen-fedora.patch @@ -1,13 +1,25 @@ 
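Review bot: The regeneration recipe in the comment above `Patch:` is only half pinned. The updated `# HEAD` line records the fedora-selinux/selinux commit, but the generator script is still downloaded from the mutable `master` branch of fedora-selinux/scripts, so this very large patch cannot be reproduced or audited from the comment alone. Recording the script revision as well would close that gap, e.g. `# download https://raw.githubusercontent.com/fedora-selinux/scripts/<SCRIPT_COMMIT>/selinux/make-fedora-selinux-patch.sh`, where `<SCRIPT_COMMIT>` is a placeholder for the revision actually used. The same HEAD presumably also produced the updated sepolgen-fedora.patch; if so, stating that on the `Patch1:` comment would make the provenance of both patches checkable.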
diff --git sepolgen-1.2.3/ChangeLog sepolgen-1.2.3/ChangeLog -index 7cc0a18..c1ee815 100644 +index 7cc0a18..bda7a2e 100644 --- sepolgen-1.2.3/ChangeLog +++ sepolgen-1.2.3/ChangeLog -@@ -1,3 +1,5 @@ +@@ -1,3 +1,6 @@ ++ * Remove additional files when cleaning, from Nicolas Iooss. + * Add support for TYPEBOUNDS statement in INTERFACE policy files, from Miroslav Grepl. + 1.2.3 2016-02-23 * Support latest refpolicy interfaces, from Nicolas Iooss. * Make sepolgen-ifgen output deterministic with Python>=3.3, from Nicolas Iooss. +diff --git sepolgen-1.2.3/src/sepolgen/Makefile sepolgen-1.2.3/src/sepolgen/Makefile +index 9ac7651..d3aa771 100644 +--- sepolgen-1.2.3/src/sepolgen/Makefile ++++ sepolgen-1.2.3/src/sepolgen/Makefile +@@ -11,5 +11,4 @@ install: all + clean: + rm -f parser.out parsetab.py + rm -f *~ *.pyc +- +- ++ rm -rf __pycache__ diff --git sepolgen-1.2.3/src/sepolgen/access.py sepolgen-1.2.3/src/sepolgen/access.py index a5d8698..7606561 100644 --- sepolgen-1.2.3/src/sepolgen/access.py @@ -338,3 +350,29 @@ index 31b40d8..2ee029c 100644 class RoleAllow(Leaf): def __init__(self, parent=None): +diff --git sepolgen-1.2.3/tests/.gitignore sepolgen-1.2.3/tests/.gitignore +new file mode 100644 +index 0000000..c120af8 +--- /dev/null ++++ sepolgen-1.2.3/tests/.gitignore +@@ -0,0 +1,4 @@ ++module_compile_test.fc ++module_compile_test.if ++output ++tmp/ +diff --git sepolgen-1.2.3/tests/Makefile sepolgen-1.2.3/tests/Makefile +index 924a9be..e17eef2 100644 +--- sepolgen-1.2.3/tests/Makefile ++++ sepolgen-1.2.3/tests/Makefile +@@ -4,8 +4,11 @@ clean: + rm -f *~ *.pyc + rm -f parser.out parsetab.py + rm -f out.txt ++ rm -f module_compile_test.fc ++ rm -f module_compile_test.if + rm -f module_compile_test.pp + rm -f output ++ rm -rf __pycache__ tmp + + test: + $(PYTHON) run-tests.py