import policycoreutils-2.9-9.el8
parent 701da42bfc
commit a8f4f06f82
@ -1,9 +1,9 @@
|
||||
1774f04937a737c415273ee118b0d295e01864f3 SOURCES/gui-po.tgz
|
||||
2acf5c696e1e60cf405b0cadcc090b79269f8812 SOURCES/gui-po.tgz
|
||||
6e64d9a38fb516738023eb429eef29af5383f443 SOURCES/policycoreutils-2.9.tar.gz
|
||||
136d495d4ad657aab34727edad0de2fc6a3c6553 SOURCES/policycoreutils-po.tgz
|
||||
2218891a934c10bea73fd017a8aa5ce9417a78c4 SOURCES/python-po.tgz
|
||||
af5375db35a33f9daf4b06e61566c92d0d4f6792 SOURCES/policycoreutils-po.tgz
|
||||
aac18d02363be7c03fad4ed35f5367f9ca0e397f SOURCES/python-po.tgz
|
||||
0a34ef54394972870203832c8ce52d4405bd5330 SOURCES/restorecond-2.9.tar.gz
|
||||
36c396e7151f3f6d55cbf4983d3d73a79be41899 SOURCES/sandbox-po.tgz
|
||||
76d7357f34e062dce330d2a97031b1b64dea775f SOURCES/sandbox-po.tgz
|
||||
8645509cdfc433278c2e4d29ee8f511625c7edcc SOURCES/selinux-dbus-2.9.tar.gz
|
||||
5c155ae47692389d9fabaa154195e7f978f2a3f0 SOURCES/selinux-gui-2.9.tar.gz
|
||||
660e1ab824ef80f7a69f0b70f61e231957fd398e SOURCES/selinux-python-2.9.tar.gz
|
||||
|
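Review bot: the four translation archives (gui-po.tgz, policycoreutils-po.tgz, python-po.tgz, sandbox-po.tgz) get new digests while keeping the same unversioned file names, so nothing in this list says which translation snapshot a digest belongs to. Versioning or dating those file names, or recording their origin next to the Source lines in the spec, would let a later reviewer regenerate the archives and confirm the digests. The five -2.9.tar.gz entries are unchanged.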
@ -1,7 +1,7 @@
|
||||
From c778509dd0ed3b184d720032f31971f975e42973 Mon Sep 17 00:00:00 2001
|
||||
From: Petr Lautrbach <plautrba@redhat.com>
|
||||
Date: Tue, 5 Mar 2019 17:38:55 +0100
|
||||
Subject: [PATCH 01/20] gui: Install polgengui.py to /usr/bin/selinux-polgengui
|
||||
Subject: [PATCH] gui: Install polgengui.py to /usr/bin/selinux-polgengui
|
||||
|
||||
polgengui.py is a standalone gui tool which should be in /usr/bin with other
|
||||
tools.
|
||||
|
@ -1,8 +1,8 @@
|
||||
From 04b632e6de14ec0336e14988bf4c2bd581f7308e Mon Sep 17 00:00:00 2001
|
||||
From: Petr Lautrbach <plautrba@redhat.com>
|
||||
Date: Tue, 5 Mar 2019 17:25:00 +0100
|
||||
Subject: [PATCH 02/20] gui: Install .desktop files to /usr/share/applications
|
||||
by default
|
||||
Subject: [PATCH] gui: Install .desktop files to /usr/share/applications by
|
||||
default
|
||||
|
||||
/usr/share/applications is a standard directory for .desktop files.
|
||||
Installation path can be changed using DESKTOPDIR variable in installation
|
||||
|
@ -1,8 +1,8 @@
|
||||
From 52e0583f6adfe70825b009b626e19c290b49763a Mon Sep 17 00:00:00 2001
|
||||
From: Petr Lautrbach <plautrba@redhat.com>
|
||||
Date: Thu, 20 Aug 2015 12:58:41 +0200
|
||||
Subject: [PATCH 03/20] sandbox: add -reset to Xephyr as it works better with
|
||||
it in recent Fedoras
|
||||
Subject: [PATCH] sandbox: add -reset to Xephyr as it works better with it in
|
||||
recent Fedoras
|
||||
|
||||
---
|
||||
sandbox/sandboxX.sh | 2 +-
|
||||
|
@ -1,7 +1,7 @@
|
||||
From 7504614fdd7dcf11b3a7568ca9b4b921973531dd Mon Sep 17 00:00:00 2001
|
||||
From: Dan Walsh <dwalsh@redhat.com>
|
||||
Date: Mon, 21 Apr 2014 13:54:40 -0400
|
||||
Subject: [PATCH 04/20] Fix STANDARD_FILE_CONTEXT section in man pages
|
||||
Subject: [PATCH] Fix STANDARD_FILE_CONTEXT section in man pages
|
||||
|
||||
Signed-off-by: Miroslav Grepl <mgrepl@redhat.com>
|
||||
---
|
||||
|
@ -1,8 +1,8 @@
|
||||
From 9847a26b7f8358432ee4c7019efb3cbad0c162b0 Mon Sep 17 00:00:00 2001
|
||||
From: Miroslav Grepl <mgrepl@redhat.com>
|
||||
Date: Mon, 12 May 2014 14:11:22 +0200
|
||||
Subject: [PATCH 05/20] If there is no executable we don't want to print a part
|
||||
of STANDARD FILE CONTEXT
|
||||
Subject: [PATCH] If there is no executable we don't want to print a part of
|
||||
STANDARD FILE CONTEXT
|
||||
|
||||
---
|
||||
python/sepolicy/sepolicy/manpage.py | 3 ++-
|
||||
|
@ -1,7 +1,7 @@
|
||||
From b2993d464e05291020dbf60fc2948ac152eb0003 Mon Sep 17 00:00:00 2001
|
||||
From: Miroslav Grepl <mgrepl@redhat.com>
|
||||
Date: Thu, 19 Feb 2015 17:45:15 +0100
|
||||
Subject: [PATCH 06/20] Simplication of sepolicy-manpage web functionality.
|
||||
Subject: [PATCH] Simplication of sepolicy-manpage web functionality.
|
||||
system_release is no longer hardcoded and it creates only index.html and html
|
||||
man pages in the directory for the system release.
|
||||
|
||||
|
@ -1,7 +1,7 @@
|
||||
From bfcb599d9424ef6ffcd250931c89675b451edd00 Mon Sep 17 00:00:00 2001
|
||||
From: Miroslav Grepl <mgrepl@redhat.com>
|
||||
Date: Fri, 20 Feb 2015 16:42:01 +0100
|
||||
Subject: [PATCH 07/20] We want to remove the trailing newline for
|
||||
Subject: [PATCH] We want to remove the trailing newline for
|
||||
/etc/system_release.
|
||||
|
||||
---
|
||||
|
@ -1,7 +1,7 @@
|
||||
From 4ea504acce6389c3e28134c4b8e6bf9072c295ce Mon Sep 17 00:00:00 2001
|
||||
From: Miroslav Grepl <mgrepl@redhat.com>
|
||||
Date: Fri, 20 Feb 2015 16:42:53 +0100
|
||||
Subject: [PATCH 08/20] Fix title in manpage.py to not contain 'online'.
|
||||
Subject: [PATCH] Fix title in manpage.py to not contain 'online'.
|
||||
|
||||
---
|
||||
python/sepolicy/sepolicy/manpage.py | 2 +-
|
||||
|
@ -1,7 +1,7 @@
|
||||
From 8af697659bd662517571577bf47946a2113f34a1 Mon Sep 17 00:00:00 2001
|
||||
From: Dan Walsh <dwalsh@redhat.com>
|
||||
Date: Fri, 14 Feb 2014 12:32:12 -0500
|
||||
Subject: [PATCH 09/20] Don't be verbose if you are not on a tty
|
||||
Subject: [PATCH] Don't be verbose if you are not on a tty
|
||||
|
||||
---
|
||||
policycoreutils/scripts/fixfiles | 1 +
|
||||
|
@ -1,8 +1,8 @@
|
||||
From ef0f54ffc6d691d10e66a0793204edd159cd45d0 Mon Sep 17 00:00:00 2001
|
||||
From: Petr Lautrbach <plautrba@redhat.com>
|
||||
Date: Mon, 27 Feb 2017 17:12:39 +0100
|
||||
Subject: [PATCH 10/20] sepolicy: Drop old interface file_type_is_executable(f)
|
||||
and file_type_is_entrypoint(f)
|
||||
Subject: [PATCH] sepolicy: Drop old interface file_type_is_executable(f) and
|
||||
file_type_is_entrypoint(f)
|
||||
|
||||
- use direct queries
|
||||
- load exec_types and entry_types only once
|
||||
|
@ -1,7 +1,7 @@
|
||||
From e54db76a3bff8e911ddd7c7ce834c024d634d9e1 Mon Sep 17 00:00:00 2001
|
||||
From: Petr Lautrbach <plautrba@redhat.com>
|
||||
Date: Tue, 28 Feb 2017 21:29:46 +0100
|
||||
Subject: [PATCH 11/20] sepolicy: Another small optimization for mcs types
|
||||
Subject: [PATCH] sepolicy: Another small optimization for mcs types
|
||||
|
||||
---
|
||||
python/sepolicy/sepolicy/manpage.py | 16 +++++++++++-----
|
||||
|
@ -1,8 +1,7 @@
|
||||
From 4015e9299bfda622e9d407cdbcc536000688aa8f Mon Sep 17 00:00:00 2001
|
||||
From: Petr Lautrbach <plautrba@redhat.com>
|
||||
Date: Mon, 6 Aug 2018 13:23:00 +0200
|
||||
Subject: [PATCH 12/20] Move po/ translation files into the right
|
||||
sub-directories
|
||||
Subject: [PATCH] Move po/ translation files into the right sub-directories
|
||||
|
||||
When policycoreutils was split into policycoreutils/ python/ gui/ and sandbox/
|
||||
sub-directories, po/ translation files stayed in policycoreutils/.
|
||||
|
@ -1,7 +1,7 @@
|
||||
From 57cd23e11e1a700802a5955e84a0a7e04c30ec73 Mon Sep 17 00:00:00 2001
|
||||
From: Petr Lautrbach <plautrba@redhat.com>
|
||||
Date: Mon, 6 Aug 2018 13:37:07 +0200
|
||||
Subject: [PATCH 13/20] Use correct gettext domains in python/ gui/ sandbox/
|
||||
Subject: [PATCH] Use correct gettext domains in python/ gui/ sandbox/
|
||||
|
||||
https://github.com/fedora-selinux/selinux/issues/43
|
||||
---
|
||||
|
@ -1,7 +1,7 @@
|
||||
From c8c59758d2fb7f6cbe368c9ff8f356ea7acebb4b Mon Sep 17 00:00:00 2001
|
||||
From: Petr Lautrbach <plautrba@redhat.com>
|
||||
Date: Mon, 6 Aug 2018 14:23:19 +0200
|
||||
Subject: [PATCH 14/20] Initial .pot files for gui/ python/ sandbox/
|
||||
Subject: [PATCH] Initial .pot files for gui/ python/ sandbox/
|
||||
|
||||
https://github.com/fedora-selinux/selinux/issues/43
|
||||
---
|
||||
|
@ -1,8 +1,7 @@
|
||||
From c8fbb8042852c18775c001999ce949e9b591e381 Mon Sep 17 00:00:00 2001
|
||||
From: Vit Mojzis <vmojzis@redhat.com>
|
||||
Date: Wed, 21 Mar 2018 08:51:31 +0100
|
||||
Subject: [PATCH 16/20] policycoreutils/setfiles: Improve description of -d
|
||||
switch
|
||||
Subject: [PATCH] policycoreutils/setfiles: Improve description of -d switch
|
||||
|
||||
The "-q" switch is becoming obsolete (completely unused in fedora) and
|
||||
debug output ("-d" switch) makes sense in any scenario. Therefore both
|
||||
|
@ -1,7 +1,7 @@
|
||||
From 3073efc112929b535f3a832c6f99e0dbe3af29ca Mon Sep 17 00:00:00 2001
|
||||
From: Masatake YAMATO <yamato@redhat.com>
|
||||
Date: Thu, 14 Dec 2017 15:57:58 +0900
|
||||
Subject: [PATCH 17/20] sepolicy-generate: Handle more reserved port types
|
||||
Subject: [PATCH] sepolicy-generate: Handle more reserved port types
|
||||
|
||||
Currently only reserved_port_t, port_t and hi_reserved_port_t are
|
||||
handled as special when making a ports-dictionary. However, as fas as
|
||||
|
@ -1,7 +1,7 @@
|
||||
From f8602180d042e95947fe0bbd35d261771b347705 Mon Sep 17 00:00:00 2001
|
||||
From: Petr Lautrbach <plautrba@redhat.com>
|
||||
Date: Thu, 8 Nov 2018 09:20:58 +0100
|
||||
Subject: [PATCH 18/20] semodule-utils: Fix RESOURCE_LEAK coverity scan defects
|
||||
Subject: [PATCH] semodule-utils: Fix RESOURCE_LEAK coverity scan defects
|
||||
|
||||
---
|
||||
semodule-utils/semodule_package/semodule_package.c | 1 +
|
||||
|
@ -1,7 +1,7 @@
|
||||
From 89895635ae012d1864a03700054ecc723973b5c0 Mon Sep 17 00:00:00 2001
|
||||
From: Petr Lautrbach <plautrba@redhat.com>
|
||||
Date: Wed, 18 Jul 2018 09:09:35 +0200
|
||||
Subject: [PATCH 19/20] sandbox: Use matchbox-window-manager instead of openbox
|
||||
Subject: [PATCH] sandbox: Use matchbox-window-manager instead of openbox
|
||||
|
||||
---
|
||||
sandbox/sandbox | 4 ++--
|
||||
|
@ -1,7 +1,7 @@
|
||||
From b2512e2a92a33360639a3459039cdf2e685655a8 Mon Sep 17 00:00:00 2001
|
||||
From: Petr Lautrbach <plautrba@redhat.com>
|
||||
Date: Mon, 3 Dec 2018 14:40:09 +0100
|
||||
Subject: [PATCH 20/20] python: Use ipaddress instead of IPy
|
||||
Subject: [PATCH] python: Use ipaddress instead of IPy
|
||||
|
||||
ipaddress module was added in python 3.3 and this allows us to drop python3-IPy
|
||||
---
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 6051f6a56d0ad63fc8aa7c806d43b0594652a0b9 Mon Sep 17 00:00:00 2001
|
||||
From 5938d18536f4c0a76521d1f0721e981e6570b012 Mon Sep 17 00:00:00 2001
|
||||
From: Petr Lautrbach <plautrba@redhat.com>
|
||||
Date: Thu, 4 Apr 2019 23:02:56 +0200
|
||||
Subject: [PATCH] python/semanage: Do not traceback when the default policy is
|
||||
|
@ -1,7 +1,7 @@
|
||||
From 99582e3bf63475b7af5793bb9230e88d847dc7c8 Mon Sep 17 00:00:00 2001
|
||||
From: Petr Lautrbach <plautrba@redhat.com>
|
||||
Date: Tue, 2 Jul 2019 17:11:32 +0200
|
||||
Subject: [PATCH 22/23] policycoreutils/fixfiles: Fix [-B] [-F] onboot
|
||||
Subject: [PATCH] policycoreutils/fixfiles: Fix [-B] [-F] onboot
|
||||
|
||||
Commit 6e289bb7bf3d ("policycoreutils: fixfiles: remove bad modes of "relabel"
|
||||
command") added "$RESTORE_MODE" != DEFAULT test when onboot is used. It makes
|
||||
@ -104,5 +104,5 @@ index 53d28c7b..9dd44213 100755
|
||||
N)
|
||||
BOOTTIME=$OPTARG
|
||||
--
|
||||
2.22.0
|
||||
2.21.0
|
||||
|
||||
|
@ -1,8 +1,8 @@
|
||||
From 9bcf8ad7b9b6d8d761f7d097196b2b9bc114fa0a Mon Sep 17 00:00:00 2001
|
||||
From: Petr Lautrbach <plautrba@redhat.com>
|
||||
Date: Tue, 2 Jul 2019 17:12:07 +0200
|
||||
Subject: [PATCH 23/23] policycoreutils/fixfiles: Force full relabel when
|
||||
SELinux is disabled
|
||||
Subject: [PATCH] policycoreutils/fixfiles: Force full relabel when SELinux is
|
||||
disabled
|
||||
|
||||
The previous check used getfilecon to check whether / slash contains a label,
|
||||
but getfilecon fails only when SELinux is disabled. Therefore it's better to
|
||||
@ -29,5 +29,5 @@ index 9dd44213..a9d27d13 100755
|
||||
;;
|
||||
*)
|
||||
--
|
||||
2.22.0
|
||||
2.21.0
|
||||
|
||||
|
@ -28,5 +28,5 @@ index a9d27d13..df0042aa 100755
|
||||
return
|
||||
fi
|
||||
--
|
||||
2.17.2
|
||||
2.21.0
|
||||
|
||||
|
@ -0,0 +1,38 @@
|
||||
From f6c67c02f25d3a8971dcc5667121236fab85dd65 Mon Sep 17 00:00:00 2001
|
||||
From: Petr Lautrbach <plautrba@redhat.com>
|
||||
Date: Thu, 29 Aug 2019 08:58:20 +0200
|
||||
Subject: [PATCH] gui: Fix remove module in system-config-selinux
|
||||
|
||||
When a user tried to remove a policy module with priority other than 400 via
|
||||
GUI, it failed with a message:
|
||||
|
||||
libsemanage.semanage_direct_remove_key: Unable to remove module somemodule at priority 400. (No such file or directory).
|
||||
|
||||
This is fixed by calling "semodule -x PRIORITY -r NAME" instead of
|
||||
"semodule -r NAME".
|
||||
|
||||
From Jono Hein <fredwacko40@hotmail.com>
|
||||
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
|
||||
---
|
||||
gui/modulesPage.py | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/gui/modulesPage.py b/gui/modulesPage.py
|
||||
index 26ac5404..35a0129b 100644
|
||||
--- a/gui/modulesPage.py
|
||||
+++ b/gui/modulesPage.py
|
||||
@@ -125,9 +125,10 @@ class modulesPage(semanagePage):
|
||||
def delete(self):
|
||||
store, iter = self.view.get_selection().get_selected()
|
||||
module = store.get_value(iter, 0)
|
||||
+ priority = store.get_value(iter, 1)
|
||||
try:
|
||||
self.wait()
|
||||
- status, output = getstatusoutput("semodule -r %s" % module)
|
||||
+ status, output = getstatusoutput("semodule -X %s -r %s" % (priority, module))
|
||||
self.ready()
|
||||
if status != 0:
|
||||
self.error(output)
|
||||
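Review bot: in delete(), the new call still builds a shell command by string formatting, getstatusoutput("semodule -X %s -r %s" % (priority, module)), so both values read from the list store reach a shell unquoted. Passing an argument vector instead, for example subprocess.run(["semodule", "-X", str(priority), "-r", module]) with captured output, removes the dependence on module names never containing shell metacharacters. The commit message also says "semodule -x PRIORITY" while the code uses -X; the message should match the code.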
--
|
||||
2.21.0
|
||||
|
@ -0,0 +1,30 @@
|
||||
From c2e942fc452bff06cc5ed9017afe169c6941f4e4 Mon Sep 17 00:00:00 2001
|
||||
From: Petr Lautrbach <plautrba@redhat.com>
|
||||
Date: Tue, 3 Sep 2019 15:17:27 +0200
|
||||
Subject: [PATCH] python/semanage: Do not use default s0 range in "semanage
|
||||
login -a"
|
||||
|
||||
Using the "s0" default means that new login mappings are always added with "s0"
|
||||
range instead of the range of SELinux user.
|
||||
|
||||
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
|
||||
---
|
||||
python/semanage/semanage | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/python/semanage/semanage b/python/semanage/semanage
|
||||
index 4c766ae3..fa78afce 100644
|
||||
--- a/python/semanage/semanage
|
||||
+++ b/python/semanage/semanage
|
||||
@@ -221,7 +221,7 @@ def parser_add_level(parser, name):
|
||||
|
||||
|
||||
def parser_add_range(parser, name):
|
||||
- parser.add_argument('-r', '--range', default="s0",
|
||||
+ parser.add_argument('-r', '--range', default='',
|
||||
help=_('''
|
||||
MLS/MCS Security Range (MLS/MCS Systems only)
|
||||
SELinux Range for SELinux login mapping
|
||||
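Review bot: parser_add_range(parser, name) is a helper that takes the subcommand name, so changing default="s0" to default='' changes the default for every subcommand that calls it, while the commit message only discusses "semanage login -a". Please confirm that each caller treats an empty range as "use the range of the SELinux user" rather than passing '' through, and state in the help text what happens when -r is omitted.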
--
|
||||
2.21.0
|
||||
|
@ -0,0 +1,33 @@
|
||||
From 4733a594c5df14f64293d19f16498e68dc5e3a98 Mon Sep 17 00:00:00 2001
|
||||
From: Vit Mojzis <vmojzis@redhat.com>
|
||||
Date: Tue, 24 Sep 2019 08:41:30 +0200
|
||||
Subject: [PATCH] policycoreutils/fixfiles: Fix "verify" option
|
||||
|
||||
"restorecon -n" (used in the "restore" function) has to be used with
|
||||
"-v" to display the files whose labels would be changed.
|
||||
|
||||
Fixes:
|
||||
Fixfiles verify does not report misslabelled files unless "-v" option is
|
||||
used.
|
||||
|
||||
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
|
||||
---
|
||||
policycoreutils/scripts/fixfiles | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles
|
||||
index df0042aa..be19e56c 100755
|
||||
--- a/policycoreutils/scripts/fixfiles
|
||||
+++ b/policycoreutils/scripts/fixfiles
|
||||
@@ -304,7 +304,7 @@ process() {
|
||||
case "$1" in
|
||||
restore) restore Relabel;;
|
||||
check) VERBOSE="-v"; restore Check -n;;
|
||||
- verify) restore Verify -n;;
|
||||
+ verify) VERBOSE="-v"; restore Verify -n;;
|
||||
relabel) relabel;;
|
||||
onboot)
|
||||
if [ -n "$RESTORE_MODE" -a "$RESTORE_MODE" != DEFAULT ]; then
|
||||
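Review bot: with VERBOSE="-v" now forced on the verify line, the verify and check cases set the same variables and differ only in the first argument passed to restore (Verify versus Check). A short comment in process(), or a note in the man page, saying whether the two modes are meant to stay distinct would stop a later reader from treating one of them as dead code.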
--
|
||||
2.21.0
|
||||
|
@ -0,0 +1,102 @@
|
||||
From 0803fcb2c014b2cedf8f4d92b80fc382916477ee Mon Sep 17 00:00:00 2001
|
||||
From: Vit Mojzis <vmojzis@redhat.com>
|
||||
Date: Fri, 27 Sep 2019 16:13:47 +0200
|
||||
Subject: [PATCH] python/semanage: Improve handling of "permissive" statements
|
||||
|
||||
- Add "customized" method to permissiveRecords which is than used for
|
||||
"semanage permissive --extract" and "semanage export"
|
||||
- Enable "semanage permissive --deleteall" (already implemented)
|
||||
- Add "permissive" to the list of modules exported using
|
||||
"semanage export"
|
||||
- Update "semanage permissive" man page
|
||||
|
||||
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
|
||||
---
|
||||
python/semanage/semanage | 11 ++++++++---
|
||||
python/semanage/semanage-permissive.8 | 8 +++++++-
|
||||
python/semanage/seobject.py | 3 +++
|
||||
3 files changed, 18 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/python/semanage/semanage b/python/semanage/semanage
|
||||
index fa78afce..b2bd9df9 100644
|
||||
--- a/python/semanage/semanage
|
||||
+++ b/python/semanage/semanage
|
||||
@@ -722,6 +722,11 @@ def handlePermissive(args):
|
||||
|
||||
if args.action == "list":
|
||||
OBJECT.list(args.noheading)
|
||||
+ elif args.action == "deleteall":
|
||||
+ OBJECT.deleteall()
|
||||
+ elif args.action == "extract":
|
||||
+ for i in OBJECT.customized():
|
||||
+ print("permissive %s" % str(i))
|
||||
elif args.type is not None:
|
||||
if args.action == "add":
|
||||
OBJECT.add(args.type)
|
||||
@@ -737,9 +742,9 @@ def setupPermissiveParser(subparsers):
|
||||
pgroup = permissiveParser.add_mutually_exclusive_group(required=True)
|
||||
parser_add_add(pgroup, "permissive")
|
||||
parser_add_delete(pgroup, "permissive")
|
||||
+ parser_add_deleteall(pgroup, "permissive")
|
||||
+ parser_add_extract(pgroup, "permissive")
|
||||
parser_add_list(pgroup, "permissive")
|
||||
- #TODO: probably should be also added => need to implement own option handling
|
||||
- #parser_add_deleteall(pgroup)
|
||||
|
||||
parser_add_noheading(permissiveParser, "permissive")
|
||||
parser_add_noreload(permissiveParser, "permissive")
|
||||
@@ -763,7 +768,7 @@ def setupDontauditParser(subparsers):
|
||||
|
||||
|
||||
def handleExport(args):
|
||||
- manageditems = ["boolean", "login", "interface", "user", "port", "node", "fcontext", "module", "ibendport", "ibpkey"]
|
||||
+ manageditems = ["boolean", "login", "interface", "user", "port", "node", "fcontext", "module", "ibendport", "ibpkey", "permissive"]
|
||||
for i in manageditems:
|
||||
print("%s -D" % i)
|
||||
for i in manageditems:
|
||||
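Review bot: adding "permissive" to manageditems in handleExport() means the export output now contains a "permissive -D" line followed by the customized permissive entries, so importing that file on another host clears and then sets permissive domains, which changes which types are enforced there. The diffstat lists only semanage-permissive.8 among the man pages; the export and import documentation should say that permissive domains are now part of the transaction.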
diff --git a/python/semanage/semanage-permissive.8 b/python/semanage/semanage-permissive.8
|
||||
index 1999a451..5c3364fa 100644
|
||||
--- a/python/semanage/semanage-permissive.8
|
||||
+++ b/python/semanage/semanage-permissive.8
|
||||
@@ -2,7 +2,7 @@
|
||||
.SH "NAME"
|
||||
.B semanage\-permissive \- SELinux Policy Management permissive mapping tool
|
||||
.SH "SYNOPSIS"
|
||||
-.B semanage permissive [\-h] (\-a | \-d | \-l) [\-n] [\-N] [\-S STORE] [type]
|
||||
+.B semanage permissive [\-h] [\-n] [\-N] [\-S STORE] (\-\-add TYPE | \-\-delete TYPE | \-\-deleteall | \-\-extract | \-\-list)
|
||||
|
||||
.SH "DESCRIPTION"
|
||||
semanage is used to configure certain elements of SELinux policy without requiring modification to or recompilation from policy sources. semanage permissive adds or removes a SELinux Policy permissive module.
|
||||
@@ -18,9 +18,15 @@ Add a record of the specified object type
|
||||
.I \-d, \-\-delete
|
||||
Delete a record of the specified object type
|
||||
.TP
|
||||
+.I \-D, \-\-deleteall
|
||||
+Remove all local customizations of permissive domains
|
||||
+.TP
|
||||
.I \-l, \-\-list
|
||||
List records of the specified object type
|
||||
.TP
|
||||
+.I \-E, \-\-extract
|
||||
+Extract customizable commands, for use within a transaction
|
||||
+.TP
|
||||
.I \-n, \-\-noheading
|
||||
Do not print heading when listing the specified object type
|
||||
.TP
|
||||
diff --git a/python/semanage/seobject.py b/python/semanage/seobject.py
|
||||
index 58497e3b..3959abc8 100644
|
||||
--- a/python/semanage/seobject.py
|
||||
+++ b/python/semanage/seobject.py
|
||||
@@ -478,6 +478,9 @@ class permissiveRecords(semanageRecords):
|
||||
l.append(name.split("permissive_")[1])
|
||||
return l
|
||||
|
||||
+ def customized(self):
|
||||
+ return ["-a %s" % x for x in sorted(self.get_all())]
|
||||
+
|
||||
def list(self, heading=1, locallist=0):
|
||||
all = [y["name"] for y in [x for x in sepolicy.info(sepolicy.TYPE) if x["permissive"]]]
|
||||
if len(all) == 0:
|
||||
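Review bot: the new customized() exports whatever self.get_all() returns, and the context lines just above build that list with name.split("permissive_")[1]; a type whose own name contains "permissive_" would be cut at the second occurrence, and the exported "-a" line would then name a different type. Slicing off the prefix (name[len("permissive_"):]) or splitting with maxsplit=1 avoids that. customized() would also benefit from a one-line docstring saying it returns semanage arguments rather than bare type names.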
--
|
||||
2.21.0
|
||||
|
@ -0,0 +1,41 @@
|
||||
From 7cc31c4799dd94ed516a39d853744bd1ffb6dc69 Mon Sep 17 00:00:00 2001
|
||||
From: Vit Mojzis <vmojzis@redhat.com>
|
||||
Date: Mon, 30 Sep 2019 09:49:04 +0200
|
||||
Subject: [PATCH] python/semanage: fix moduleRecords.customized()
|
||||
|
||||
Return value of "customized" has to be iterable.
|
||||
|
||||
Fixes:
|
||||
"semanage export" with no modules in the system (eg. monolithic policy)
|
||||
crashes:
|
||||
|
||||
Traceback (most recent call last):
|
||||
File "/usr/sbin/semanage", line 970, in <module>
|
||||
do_parser()
|
||||
File "/usr/sbin/semanage", line 949, in do_parser
|
||||
args.func(args)
|
||||
File "/usr/sbin/semanage", line 771, in handleExport
|
||||
for c in OBJECT.customized():
|
||||
TypeError: 'NoneType' object is not iterable
|
||||
|
||||
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
|
||||
---
|
||||
python/semanage/seobject.py | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/python/semanage/seobject.py b/python/semanage/seobject.py
|
||||
index 3959abc8..16edacaa 100644
|
||||
--- a/python/semanage/seobject.py
|
||||
+++ b/python/semanage/seobject.py
|
||||
@@ -380,7 +380,7 @@ class moduleRecords(semanageRecords):
|
||||
def customized(self):
|
||||
all = self.get_all()
|
||||
if len(all) == 0:
|
||||
- return
|
||||
+ return []
|
||||
return ["-d %s" % x[0] for x in [t for t in all if t[1] == 0]]
|
||||
|
||||
def list(self, heading=1, locallist=0):
|
||||
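Review bot: once the early return yields [], the "if len(all) == 0" branch in customized() is redundant, because the list comprehension on the following line already evaluates to an empty list when all is empty. Dropping the branch leaves a single return path and removes the spot where the None slipped in.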
--
|
||||
2.21.0
|
||||
|
@ -0,0 +1,45 @@
|
||||
From 7cbfcec89a6972f9c700687ed3cef25ff0846461 Mon Sep 17 00:00:00 2001
|
||||
From: Vit Mojzis <vmojzis@redhat.com>
|
||||
Date: Tue, 8 Oct 2019 14:22:13 +0200
|
||||
Subject: [PATCH] python/semanage: Add support for DCCP and SCTP protocols
|
||||
|
||||
Fixes:
|
||||
# semanage port -a -p sctp -t port_t 1234
|
||||
ValueError: Protocol udp or tcp is required
|
||||
# semanage port -d -p sctp -t port_t 1234
|
||||
ValueError: Protocol udp or tcp is required
|
||||
|
||||
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
|
||||
---
|
||||
python/semanage/seobject.py | 14 ++++++++------
|
||||
1 file changed, 8 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/python/semanage/seobject.py b/python/semanage/seobject.py
|
||||
index 16edacaa..70ebfd08 100644
|
||||
--- a/python/semanage/seobject.py
|
||||
+++ b/python/semanage/seobject.py
|
||||
@@ -1058,13 +1058,15 @@ class portRecords(semanageRecords):
|
||||
pass
|
||||
|
||||
def __genkey(self, port, proto):
|
||||
- if proto == "tcp":
|
||||
- proto_d = SEMANAGE_PROTO_TCP
|
||||
+ protocols = {"tcp": SEMANAGE_PROTO_TCP,
|
||||
+ "udp": SEMANAGE_PROTO_UDP,
|
||||
+ "sctp": SEMANAGE_PROTO_SCTP,
|
||||
+ "dccp": SEMANAGE_PROTO_DCCP}
|
||||
+
|
||||
+ if proto in protocols.keys():
|
||||
+ proto_d = protocols[proto]
|
||||
else:
|
||||
- if proto == "udp":
|
||||
- proto_d = SEMANAGE_PROTO_UDP
|
||||
- else:
|
||||
- raise ValueError(_("Protocol udp or tcp is required"))
|
||||
+ raise ValueError(_("Protocol has to be one of udp, tcp, dccp or sctp"))
|
||||
if port == "":
|
||||
raise ValueError(_("Port is required"))
|
||||
|
||||
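Review bot: in __genkey(), "if proto in protocols.keys()" followed by protocols[proto] looks the key up twice and rebuilds the dict on every call; a class-level mapping tested with "proto in protocols" (or a try/except KeyError around the lookup) is the idiomatic form. The new error message lists the accepted names by hand, so building it from the keys of the mapping would keep the two from drifting when another protocol is added.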
--
|
||||
2.21.0
|
||||
|
@ -0,0 +1,40 @@
|
||||
From 6e5ccf2dd3329b400b70b7806b9c6128c5c50995 Mon Sep 17 00:00:00 2001
|
||||
From: Petr Lautrbach <plautrba@redhat.com>
|
||||
Date: Fri, 15 Nov 2019 09:15:49 +0100
|
||||
Subject: [PATCH] dbus: Fix FileNotFoundError in org.selinux.relabel_on_boot
|
||||
|
||||
When org.selinux.relabel_on_boot(0) was called twice, it failed with
|
||||
FileNotFoundError.
|
||||
|
||||
Fixes:
|
||||
$ dbus-send --system --print-reply --dest=org.selinux /org/selinux/object org.selinux.relabel_on_boot int64:1
|
||||
method return sender=:1.53 -> dest=:1.54 reply_serial=2
|
||||
$ dbus-send --system --print-reply --dest=org.selinux /org/selinux/object org.selinux.relabel_on_boot int64:0
|
||||
method return sender=:1.53 -> dest=:1.55 reply_serial=2
|
||||
$ dbus-send --system --print-reply --dest=org.selinux /org/selinux/object org.selinux.relabel_on_boot int64:0
|
||||
Error org.freedesktop.DBus.Python.FileNotFoundError: FileNotFoundError: [Errno 2] No such file or directory: '/.autorelabel'
|
||||
|
||||
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
|
||||
---
|
||||
dbus/selinux_server.py | 5 ++++-
|
||||
1 file changed, 4 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/dbus/selinux_server.py b/dbus/selinux_server.py
|
||||
index b9debc071485..be4f4557a9fa 100644
|
||||
--- a/dbus/selinux_server.py
|
||||
+++ b/dbus/selinux_server.py
|
||||
@@ -85,7 +85,10 @@ class selinux_server(slip.dbus.service.Object):
|
||||
fd = open("/.autorelabel", "w")
|
||||
fd.close()
|
||||
else:
|
||||
- os.unlink("/.autorelabel")
|
||||
+ try:
|
||||
+ os.unlink("/.autorelabel")
|
||||
+ except FileNotFoundError:
|
||||
+ pass
|
||||
|
||||
def write_selinux_config(self, enforcing=None, policy=None):
|
||||
path = selinux.selinux_path() + "config"
|
||||
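Review bot: the "except FileNotFoundError" added in the else branch exists only in Python 3, so this is correct only if selinux_server.py is never run under Python 2; otherwise catch OSError and compare its errno with errno.ENOENT. Swallowing just the missing-file case is the right scope, since a permission or read-only-filesystem failure on /.autorelabel should still reach the D-Bus caller; a one-line comment saying so would keep the except from being widened later.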
--
|
||||
2.23.0
|
||||
|
@ -0,0 +1,200 @@
|
||||
From 76371721bafed56efcb7a83b3fa3285383ede5b7 Mon Sep 17 00:00:00 2001
|
||||
From: Baichuan Kong <kongbaichuan@huawei.com>
|
||||
Date: Thu, 14 Nov 2019 10:48:07 +0800
|
||||
Subject: [PATCH] restorecond: Fix redundant console log output error
|
||||
|
||||
When starting restorecond without any option the following redundant
|
||||
console log is outputed:
|
||||
|
||||
/dev/log 100.0%
|
||||
/var/volatile/run/syslogd.pid 100.0%
|
||||
...
|
||||
|
||||
This is caused by two global variables of same name r_opts. When
|
||||
executes r_opts = opts in restore_init(), it originally intends
|
||||
to assign the address of struct r_opts in "restorecond.c" to the
|
||||
pointer *r_opts in "restore.c".
|
||||
|
||||
However, the address is assigned to the struct r_opts and covers
|
||||
the value of low eight bytes in it. That causes unexpected value
|
||||
of member varibale 'nochange' and 'verbose' in struct r_opts, thus
|
||||
affects value of 'restorecon_flags' and executes unexpected operations
|
||||
when restorecon the files such as the redundant console log output or
|
||||
file label nochange.
|
||||
|
||||
Cause restorecond/restore.c is copied from policycoreutils/setfiles,
|
||||
which share the same pattern. It also has potential risk to generate
|
||||
same problems, So fix it in case.
|
||||
|
||||
Signed-off-by: Baichuan Kong <kongbaichuan@huawei.com>
|
||||
|
||||
(cherry-picked from SElinuxProject
|
||||
commit ad2208ec220f55877a4d31084be2b4d6413ee082)
|
||||
|
||||
Resolves: rhbz#1626468
|
||||
---
|
||||
policycoreutils/setfiles/restore.c | 42 ++++++++++++++----------------
|
||||
restorecond/restore.c | 40 +++++++++++++---------------
|
||||
2 files changed, 37 insertions(+), 45 deletions(-)
|
||||
|
||||
diff --git a/policycoreutils/setfiles/restore.c b/policycoreutils/setfiles/restore.c
|
||||
index 9dea5656..d3335d1a 100644
|
||||
--- a/policycoreutils/setfiles/restore.c
|
||||
+++ b/policycoreutils/setfiles/restore.c
|
||||
@@ -17,40 +17,37 @@
|
||||
char **exclude_list;
|
||||
int exclude_count;
|
||||
|
||||
-struct restore_opts *r_opts;
|
||||
-
|
||||
void restore_init(struct restore_opts *opts)
|
||||
{
|
||||
int rc;
|
||||
|
||||
- r_opts = opts;
|
||||
struct selinux_opt selinux_opts[] = {
|
||||
- { SELABEL_OPT_VALIDATE, r_opts->selabel_opt_validate },
|
||||
- { SELABEL_OPT_PATH, r_opts->selabel_opt_path },
|
||||
- { SELABEL_OPT_DIGEST, r_opts->selabel_opt_digest }
|
||||
+ { SELABEL_OPT_VALIDATE, opts->selabel_opt_validate },
|
||||
+ { SELABEL_OPT_PATH, opts->selabel_opt_path },
|
||||
+ { SELABEL_OPT_DIGEST, opts->selabel_opt_digest }
|
||||
};
|
||||
|
||||
- r_opts->hnd = selabel_open(SELABEL_CTX_FILE, selinux_opts, 3);
|
||||
- if (!r_opts->hnd) {
|
||||
- perror(r_opts->selabel_opt_path);
|
||||
+ opts->hnd = selabel_open(SELABEL_CTX_FILE, selinux_opts, 3);
|
||||
+ if (!opts->hnd) {
|
||||
+ perror(opts->selabel_opt_path);
|
||||
exit(1);
|
||||
}
|
||||
|
||||
- r_opts->restorecon_flags = 0;
|
||||
- r_opts->restorecon_flags = r_opts->nochange | r_opts->verbose |
|
||||
- r_opts->progress | r_opts->set_specctx |
|
||||
- r_opts->add_assoc | r_opts->ignore_digest |
|
||||
- r_opts->recurse | r_opts->userealpath |
|
||||
- r_opts->xdev | r_opts->abort_on_error |
|
||||
- r_opts->syslog_changes | r_opts->log_matches |
|
||||
- r_opts->ignore_noent | r_opts->ignore_mounts |
|
||||
- r_opts->mass_relabel;
|
||||
+ opts->restorecon_flags = 0;
|
||||
+ opts->restorecon_flags = opts->nochange | opts->verbose |
|
||||
+ opts->progress | opts->set_specctx |
|
||||
+ opts->add_assoc | opts->ignore_digest |
|
||||
+ opts->recurse | opts->userealpath |
|
||||
+ opts->xdev | opts->abort_on_error |
|
||||
+ opts->syslog_changes | opts->log_matches |
|
||||
+ opts->ignore_noent | opts->ignore_mounts |
|
||||
+ opts->mass_relabel;
|
||||
|
||||
/* Use setfiles, restorecon and restorecond own handles */
|
||||
- selinux_restorecon_set_sehandle(r_opts->hnd);
|
||||
+ selinux_restorecon_set_sehandle(opts->hnd);
|
||||
|
||||
- if (r_opts->rootpath) {
|
||||
- rc = selinux_restorecon_set_alt_rootpath(r_opts->rootpath);
|
||||
+ if (opts->rootpath) {
|
||||
+ rc = selinux_restorecon_set_alt_rootpath(opts->rootpath);
|
||||
if (rc) {
|
||||
fprintf(stderr,
|
||||
"selinux_restorecon_set_alt_rootpath error: %s.\n",
|
||||
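Review bot: the commit message attributes the defect to two globals named r_opts with different types sharing storage, and removing the definition at the top of this file fixes that only if no header or other source file still declares r_opts as a pointer; please confirm no leftover extern remains. Building with -fno-common would turn this kind of duplicate definition into a link error instead of silent corruption of the options struct. Separately, "opts->restorecon_flags = 0;" is overwritten by the very next statement and can be dropped.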
@@ -81,7 +78,6 @@ int process_glob(char *name, struct restore_opts *opts)
|
||||
size_t i = 0;
|
||||
int len, rc, errors;
|
||||
|
||||
- r_opts = opts;
|
||||
memset(&globbuf, 0, sizeof(globbuf));
|
||||
|
||||
errors = glob(name, GLOB_TILDE | GLOB_PERIOD |
|
||||
@@ -96,7 +92,7 @@ int process_glob(char *name, struct restore_opts *opts)
|
||||
if (len > 0 && strcmp(&globbuf.gl_pathv[i][len], "/..") == 0)
|
||||
continue;
|
||||
rc = selinux_restorecon(globbuf.gl_pathv[i],
|
||||
- r_opts->restorecon_flags);
|
||||
+ opts->restorecon_flags);
|
||||
if (rc < 0)
|
||||
errors = rc;
|
||||
}
|
||||
diff --git a/restorecond/restore.c b/restorecond/restore.c
|
||||
index f6e30001..b93b5fdb 100644
|
||||
--- a/restorecond/restore.c
|
||||
+++ b/restorecond/restore.c
|
||||
@@ -12,39 +12,36 @@
|
||||
char **exclude_list;
|
||||
int exclude_count;
|
||||
|
||||
-struct restore_opts *r_opts;
|
||||
-
|
||||
void restore_init(struct restore_opts *opts)
|
||||
{
|
||||
int rc;
|
||||
|
||||
- r_opts = opts;
|
||||
struct selinux_opt selinux_opts[] = {
|
||||
- { SELABEL_OPT_VALIDATE, r_opts->selabel_opt_validate },
|
||||
- { SELABEL_OPT_PATH, r_opts->selabel_opt_path },
|
||||
- { SELABEL_OPT_DIGEST, r_opts->selabel_opt_digest }
|
||||
+ { SELABEL_OPT_VALIDATE, opts->selabel_opt_validate },
|
||||
+ { SELABEL_OPT_PATH, opts->selabel_opt_path },
|
||||
+ { SELABEL_OPT_DIGEST, opts->selabel_opt_digest }
|
||||
};
|
||||
|
||||
- r_opts->hnd = selabel_open(SELABEL_CTX_FILE, selinux_opts, 3);
|
||||
- if (!r_opts->hnd) {
|
||||
- perror(r_opts->selabel_opt_path);
|
||||
+ opts->hnd = selabel_open(SELABEL_CTX_FILE, selinux_opts, 3);
|
||||
+ if (!opts->hnd) {
|
||||
+ perror(opts->selabel_opt_path);
|
||||
exit(1);
|
||||
}
|
||||
|
||||
- r_opts->restorecon_flags = 0;
|
||||
- r_opts->restorecon_flags = r_opts->nochange | r_opts->verbose |
|
||||
- r_opts->progress | r_opts->set_specctx |
|
||||
- r_opts->add_assoc | r_opts->ignore_digest |
|
||||
- r_opts->recurse | r_opts->userealpath |
|
||||
- r_opts->xdev | r_opts->abort_on_error |
|
||||
- r_opts->syslog_changes | r_opts->log_matches |
|
||||
- r_opts->ignore_noent | r_opts->ignore_mounts;
|
||||
+ opts->restorecon_flags = 0;
|
||||
+ opts->restorecon_flags = opts->nochange | opts->verbose |
|
||||
+ opts->progress | opts->set_specctx |
|
||||
+ opts->add_assoc | opts->ignore_digest |
|
||||
+ opts->recurse | opts->userealpath |
|
||||
+ opts->xdev | opts->abort_on_error |
|
||||
+ opts->syslog_changes | opts->log_matches |
|
||||
+ opts->ignore_noent | opts->ignore_mounts;
|
||||
|
||||
/* Use setfiles, restorecon and restorecond own handles */
|
||||
- selinux_restorecon_set_sehandle(r_opts->hnd);
|
||||
+ selinux_restorecon_set_sehandle(opts->hnd);
|
||||
|
||||
- if (r_opts->rootpath) {
|
||||
- rc = selinux_restorecon_set_alt_rootpath(r_opts->rootpath);
|
||||
+ if (opts->rootpath) {
|
||||
+ rc = selinux_restorecon_set_alt_rootpath(opts->rootpath);
|
||||
if (rc) {
|
||||
fprintf(stderr,
|
||||
"selinux_restorecon_set_alt_rootpath error: %s.\n",
|
||||
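Review bot: 'opts->restorecon_flags = 0;' is a dead store, because the very next statement assigns the full OR of the option fields to the same member; the rename pass was a good moment to drop it. The count 3 passed to selabel_open is also hard-coded beside the selinux_opts array, so deriving it from sizeof(selinux_opts) / sizeof(selinux_opts[0]) would keep the two in step if an option is ever added.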
@@ -75,7 +72,6 @@ int process_glob(char *name, struct restore_opts *opts)
|
||||
size_t i = 0;
|
||||
int len, rc, errors;
|
||||
|
||||
- r_opts = opts;
|
||||
memset(&globbuf, 0, sizeof(globbuf));
|
||||
|
||||
errors = glob(name, GLOB_TILDE | GLOB_PERIOD |
|
||||
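Review bot: removing 'r_opts = opts;' here, together with the file-scope 'struct restore_opts *r_opts;' deleted in the previous hunk, will break any other translation unit that still refers to r_opts. The lines shown for this file do not include a header change, so please confirm that no extern declaration or out-of-file user of r_opts remains in the tree.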
@@ -90,7 +86,7 @@ int process_glob(char *name, struct restore_opts *opts)
|
||||
if (len > 0 && strcmp(&globbuf.gl_pathv[i][len], "/..") == 0)
|
||||
continue;
|
||||
rc = selinux_restorecon(globbuf.gl_pathv[i],
|
||||
- r_opts->restorecon_flags);
|
||||
+ opts->restorecon_flags);
|
||||
if (rc < 0)
|
||||
errors = rc;
|
||||
}
|
||||
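Review bot: process_glob now takes its flags solely from 'opts->restorecon_flags', and that member is only computed in restore_init. A short comment on process_glob stating that opts must already have been passed through restore_init would document the dependency, since a caller handing in a fresh struct would run selinux_restorecon with whatever the member happens to contain.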
--
|
||||
2.21.0
|
||||
|
@ -1,6 +1,6 @@
|
||||
%global libauditver 3.0
|
||||
%global libsepolver 2.9-1
|
||||
%global libsemanagever 2.9-1
|
||||
%global libsemanagever 2.9-2
|
||||
%global libselinuxver 2.9-1
|
||||
%global sepolgenver 2.9
|
||||
|
||||
@ -12,7 +12,7 @@
|
||||
Summary: SELinux policy core utilities
|
||||
Name: policycoreutils
|
||||
Version: 2.9
|
||||
Release: 3%{?dist}.1
|
||||
Release: 9%{?dist}
|
||||
License: GPLv2
|
||||
# https://github.com/SELinuxProject/selinux/wiki/Releases
|
||||
Source0: https://github.com/SELinuxProject/selinux/releases/download/20190315/policycoreutils-2.9.tar.gz
|
||||
@ -62,6 +62,14 @@ Patch0021: 0021-python-semanage-Do-not-traceback-when-the-default-po.patch
|
||||
Patch0022: 0022-policycoreutils-fixfiles-Fix-B-F-onboot.patch
|
||||
Patch0023: 0023-policycoreutils-fixfiles-Force-full-relabel-when-SEL.patch
|
||||
Patch0024: 0024-policycoreutils-fixfiles-Fix-unbound-variable-proble.patch
|
||||
Patch0025: 0025-gui-Fix-remove-module-in-system-config-selinux.patch
|
||||
Patch0026: 0026-python-semanage-Do-not-use-default-s0-range-in-seman.patch
|
||||
Patch0027: 0027-policycoreutils-fixfiles-Fix-verify-option.patch
|
||||
Patch0028: 0028-python-semanage-Improve-handling-of-permissive-state.patch
|
||||
Patch0029: 0029-python-semanage-fix-moduleRecords.customized.patch
|
||||
Patch0030: 0030-python-semanage-Add-support-for-DCCP-and-SCTP-protoc.patch
|
||||
Patch0031: 0031-dbus-Fix-FileNotFoundError-in-org.selinux.relabel_on.patch
|
||||
Patch0032: 0032-restorecond-Fix-redundant-console-log-output-error.patch
|
||||
|
||||
Obsoletes: policycoreutils < 2.0.61-2
|
||||
Conflicts: filesystem < 3, selinux-policy-base < 3.13.1-138
|
||||
@ -499,9 +507,28 @@ The policycoreutils-restorecond package contains the restorecond service.
|
||||
%systemd_postun_with_restart restorecond.service
|
||||
|
||||
%changelog
|
||||
* Fri Nov 29 2019 Petr Lautrbach <plautrba@redhat.com> - 2.9-3.1
|
||||
* Fri Jan 17 2020 Vit Mojzis <vmojzis@redhat.com> - 2.9-9
|
||||
- Update translations (#1754978)
|
||||
|
||||
* Thu Nov 21 2019 Vit Mojzis <vmojzis@redhat.com> - 2.9-8
|
||||
- restorecond: Fix redundant console log output error (#1626468)
|
||||
|
||||
* Tue Nov 19 2019 Petr Lautrbach <plautrba@redhat.com> - 2.9-7
|
||||
- dbus: Fix FileNotFoundError in org.selinux.relabel_on_boot (#1754873)
|
||||
|
||||
* Tue Nov 12 2019 Petr Lautrbach <plautrba@redhat.com> - 2.9-6
|
||||
- Configure autorelabel service to output to journal and to console if set (#1766578)
|
||||
|
||||
* Wed Nov 06 2019 Vit Mojzis <vmojzis@redhat.com> - 2.9-5
|
||||
- fixfiles: Fix "verify" option (#1647532)
|
||||
- semanage: Improve handling of "permissive" statements (#1417455)
|
||||
- semanage: fix moduleRecords.customized()
|
||||
- semanage: Add support for DCCP and SCTP protocols (#1563742)
|
||||
|
||||
* Wed Sep 4 2019 Petr Lautrbach <plautrba@redhat.com> - 2.9-4
|
||||
- semanage: Do not use default s0 range in "semanage login -a" (#1554360)
|
||||
- gui: Fix remove module in system-config-selinux (#1748763)
|
||||
|
||||
* Thu Aug 22 2019 Vit Mojzis <vmojzis@redhat.com> - 2.9-3
|
||||
- fixfiles: Fix unbound variable problem (#1743213)
|
||||
|
||||
|
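Review bot: the 2.9-6 entry ('Configure autorelabel service to output to journal and to console if set (#1766578)') has no matching line among Patch0025 to Patch0032 in the patch-list hunk above, so the entry or a spec comment should say where that change is carried. The 'semanage: fix moduleRecords.customized()' line under 2.9-5 is also the only entry in that release without a bug reference.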