From a8f4f06f822a9a2c69d7c1ee34a93d06d028db00 Mon Sep 17 00:00:00 2001 
From: CentOS Sources Date: Tue, 28 Apr 2020 05:39:57 -0400 Subject: [PATCH] import policycoreutils-2.9-9.el8 --- .policycoreutils.metadata | 8 +- ...engui.py-to-usr-bin-selinux-polgengu.patch | 2 +- ...ktop-files-to-usr-share-applications.patch | 4 +- ...t-to-Xephyr-as-it-works-better-with-.patch | 4 +- ...RD_FILE_CONTEXT-section-in-man-pages.patch | 2 +- ...xecutable-we-don-t-want-to-print-a-p.patch | 4 +- ...sepolicy-manpage-web-functionality.-.patch | 2 +- ...e-the-trailing-newline-for-etc-syste.patch | 2 +- ...-in-manpage.py-to-not-contain-online.patch | 2 +- ...t-be-verbose-if-you-are-not-on-a-tty.patch | 2 +- ...d-interface-file_type_is_executable-.patch | 4 +- ...her-small-optimization-for-mcs-types.patch | 2 +- ...ion-files-into-the-right-sub-directo.patch | 3 +- ...ettext-domains-in-python-gui-sandbox.patch | 2 +- ...al-.pot-files-for-gui-python-sandbox.patch | 2 +- ...setfiles-Improve-description-of-d-sw.patch | 3 +- ...rate-Handle-more-reserved-port-types.patch | 2 +- ...ix-RESOURCE_LEAK-coverity-scan-defec.patch | 2 +- ...hbox-window-manager-instead-of-openb.patch | 2 +- ...-python-Use-ipaddress-instead-of-IPy.patch | 2 +- ...Do-not-traceback-when-the-default-po.patch | 2 +- ...icycoreutils-fixfiles-Fix-B-F-onboot.patch | 4 +- ...fixfiles-Force-full-relabel-when-SEL.patch | 6 +- ...fixfiles-Fix-unbound-variable-proble.patch | 2 +- ...move-module-in-system-config-selinux.patch | 38 ++++ ...Do-not-use-default-s0-range-in-seman.patch | 30 +++ ...coreutils-fixfiles-Fix-verify-option.patch | 33 +++ ...Improve-handling-of-permissive-state.patch | 102 +++++++++ ...emanage-fix-moduleRecords.customized.patch | 41 ++++ ...Add-support-for-DCCP-and-SCTP-protoc.patch | 45 ++++ ...FoundError-in-org.selinux.relabel_on.patch | 40 ++++ ...x-redundant-console-log-output-error.patch | 200 ++++++++++++++++++ SPECS/policycoreutils.spec | 33 ++- 33 files changed, 593 insertions(+), 39 deletions(-) create mode 100644 
SOURCES/0025-gui-Fix-remove-module-in-system-config-selinux.patch create mode 100644 SOURCES/0026-python-semanage-Do-not-use-default-s0-range-in-seman.patch create mode 100644 SOURCES/0027-policycoreutils-fixfiles-Fix-verify-option.patch create mode 100644 SOURCES/0028-python-semanage-Improve-handling-of-permissive-state.patch create mode 100644 SOURCES/0029-python-semanage-fix-moduleRecords.customized.patch create mode 100644 SOURCES/0030-python-semanage-Add-support-for-DCCP-and-SCTP-protoc.patch create mode 100644 SOURCES/0031-dbus-Fix-FileNotFoundError-in-org.selinux.relabel_on.patch create mode 100644 SOURCES/0032-restorecond-Fix-redundant-console-log-output-error.patch diff --git a/.policycoreutils.metadata b/.policycoreutils.metadata index e3c572c..9830082 100644 --- a/.policycoreutils.metadata +++ b/.policycoreutils.metadata @@ -1,9 +1,9 @@ -1774f04937a737c415273ee118b0d295e01864f3 SOURCES/gui-po.tgz +2acf5c696e1e60cf405b0cadcc090b79269f8812 SOURCES/gui-po.tgz 6e64d9a38fb516738023eb429eef29af5383f443 SOURCES/policycoreutils-2.9.tar.gz -136d495d4ad657aab34727edad0de2fc6a3c6553 SOURCES/policycoreutils-po.tgz -2218891a934c10bea73fd017a8aa5ce9417a78c4 SOURCES/python-po.tgz +af5375db35a33f9daf4b06e61566c92d0d4f6792 SOURCES/policycoreutils-po.tgz +aac18d02363be7c03fad4ed35f5367f9ca0e397f SOURCES/python-po.tgz 0a34ef54394972870203832c8ce52d4405bd5330 SOURCES/restorecond-2.9.tar.gz -36c396e7151f3f6d55cbf4983d3d73a79be41899 SOURCES/sandbox-po.tgz +76d7357f34e062dce330d2a97031b1b64dea775f SOURCES/sandbox-po.tgz 8645509cdfc433278c2e4d29ee8f511625c7edcc SOURCES/selinux-dbus-2.9.tar.gz 5c155ae47692389d9fabaa154195e7f978f2a3f0 SOURCES/selinux-gui-2.9.tar.gz 660e1ab824ef80f7a69f0b70f61e231957fd398e SOURCES/selinux-python-2.9.tar.gz diff --git a/SOURCES/0001-gui-Install-polgengui.py-to-usr-bin-selinux-polgengu.patch b/SOURCES/0001-gui-Install-polgengui.py-to-usr-bin-selinux-polgengu.patch index 61dfcc7..6fb92fb 100644 
--- a/SOURCES/0001-gui-Install-polgengui.py-to-usr-bin-selinux-polgengu.patch +++ b/SOURCES/0001-gui-Install-polgengui.py-to-usr-bin-selinux-polgengu.patch @@ -1,7 +1,7 @@ From c778509dd0ed3b184d720032f31971f975e42973 Mon Sep 17 00:00:00 2001 From: Petr Lautrbach Date: Tue, 5 Mar 2019 17:38:55 +0100 -Subject: [PATCH 01/20] gui: Install polgengui.py to /usr/bin/selinux-polgengui +Subject: [PATCH] gui: Install polgengui.py to /usr/bin/selinux-polgengui polgengui.py is a standalone gui tool which should be in /usr/bin with other tools. diff --git a/SOURCES/0002-gui-Install-.desktop-files-to-usr-share-applications.patch b/SOURCES/0002-gui-Install-.desktop-files-to-usr-share-applications.patch index 84eeb22..26a16bf 100644 --- a/SOURCES/0002-gui-Install-.desktop-files-to-usr-share-applications.patch +++ b/SOURCES/0002-gui-Install-.desktop-files-to-usr-share-applications.patch @@ -1,8 +1,8 @@ From 04b632e6de14ec0336e14988bf4c2bd581f7308e Mon Sep 17 00:00:00 2001 From: Petr Lautrbach Date: Tue, 5 Mar 2019 17:25:00 +0100 -Subject: [PATCH 02/20] gui: Install .desktop files to /usr/share/applications - by default +Subject: [PATCH] gui: Install .desktop files to /usr/share/applications by + default /usr/share/applications is a standard directory for .desktop files. Installation path can be changed using DESKTOPDIR variable in installation diff --git a/SOURCES/0003-sandbox-add-reset-to-Xephyr-as-it-works-better-with-.patch b/SOURCES/0003-sandbox-add-reset-to-Xephyr-as-it-works-better-with-.patch index deed0f4..8802042 100644 --- a/SOURCES/0003-sandbox-add-reset-to-Xephyr-as-it-works-better-with-.patch +++ b/SOURCES/0003-sandbox-add-reset-to-Xephyr-as-it-works-better-with-.patch @@ -1,8 +1,8 @@ From 52e0583f6adfe70825b009b626e19c290b49763a Mon Sep 17 00:00:00 2001 
From: Petr Lautrbach Date: Thu, 20 Aug 2015 12:58:41 +0200 -Subject: [PATCH 03/20] sandbox: add -reset to Xephyr as it works better with - it in recent Fedoras +Subject: [PATCH] sandbox: add -reset to Xephyr as it works better with it in + recent Fedoras --- sandbox/sandboxX.sh | 2 +- diff --git a/SOURCES/0004-Fix-STANDARD_FILE_CONTEXT-section-in-man-pages.patch b/SOURCES/0004-Fix-STANDARD_FILE_CONTEXT-section-in-man-pages.patch index 72c1043..0973405 100644 --- a/SOURCES/0004-Fix-STANDARD_FILE_CONTEXT-section-in-man-pages.patch +++ b/SOURCES/0004-Fix-STANDARD_FILE_CONTEXT-section-in-man-pages.patch @@ -1,7 +1,7 @@ From 7504614fdd7dcf11b3a7568ca9b4b921973531dd Mon Sep 17 00:00:00 2001 From: Dan Walsh Date: Mon, 21 Apr 2014 13:54:40 -0400 -Subject: [PATCH 04/20] Fix STANDARD_FILE_CONTEXT section in man pages +Subject: [PATCH] Fix STANDARD_FILE_CONTEXT section in man pages Signed-off-by: Miroslav Grepl --- diff --git a/SOURCES/0005-If-there-is-no-executable-we-don-t-want-to-print-a-p.patch b/SOURCES/0005-If-there-is-no-executable-we-don-t-want-to-print-a-p.patch index da1c1a2..9e7d54f 100644 --- a/SOURCES/0005-If-there-is-no-executable-we-don-t-want-to-print-a-p.patch +++ b/SOURCES/0005-If-there-is-no-executable-we-don-t-want-to-print-a-p.patch @@ -1,8 +1,8 @@ From 9847a26b7f8358432ee4c7019efb3cbad0c162b0 Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Mon, 12 May 2014 14:11:22 +0200 -Subject: [PATCH 05/20] If there is no executable we don't want to print a part - of STANDARD FILE CONTEXT +Subject: [PATCH] If there is no executable we don't want to print a part of + STANDARD FILE CONTEXT --- python/sepolicy/sepolicy/manpage.py | 3 ++- diff --git a/SOURCES/0006-Simplication-of-sepolicy-manpage-web-functionality.-.patch b/SOURCES/0006-Simplication-of-sepolicy-manpage-web-functionality.-.patch index a2a2dd9..f87058c 100644 --- a/SOURCES/0006-Simplication-of-sepolicy-manpage-web-functionality.-.patch 
+++ b/SOURCES/0006-Simplication-of-sepolicy-manpage-web-functionality.-.patch @@ -1,7 +1,7 @@ From b2993d464e05291020dbf60fc2948ac152eb0003 Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Thu, 19 Feb 2015 17:45:15 +0100 -Subject: [PATCH 06/20] Simplication of sepolicy-manpage web functionality. +Subject: [PATCH] Simplication of sepolicy-manpage web functionality. system_release is no longer hardcoded and it creates only index.html and html man pages in the directory for the system release. diff --git a/SOURCES/0007-We-want-to-remove-the-trailing-newline-for-etc-syste.patch b/SOURCES/0007-We-want-to-remove-the-trailing-newline-for-etc-syste.patch index 9680bf2..a96bab9 100644 --- a/SOURCES/0007-We-want-to-remove-the-trailing-newline-for-etc-syste.patch +++ b/SOURCES/0007-We-want-to-remove-the-trailing-newline-for-etc-syste.patch @@ -1,7 +1,7 @@ From bfcb599d9424ef6ffcd250931c89675b451edd00 Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Fri, 20 Feb 2015 16:42:01 +0100 -Subject: [PATCH 07/20] We want to remove the trailing newline for +Subject: [PATCH] We want to remove the trailing newline for /etc/system_release. --- diff --git a/SOURCES/0008-Fix-title-in-manpage.py-to-not-contain-online.patch b/SOURCES/0008-Fix-title-in-manpage.py-to-not-contain-online.patch index eb9315b..a896dfc 100644 --- a/SOURCES/0008-Fix-title-in-manpage.py-to-not-contain-online.patch +++ b/SOURCES/0008-Fix-title-in-manpage.py-to-not-contain-online.patch @@ -1,7 +1,7 @@ From 4ea504acce6389c3e28134c4b8e6bf9072c295ce Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Fri, 20 Feb 2015 16:42:53 +0100 -Subject: [PATCH 08/20] Fix title in manpage.py to not contain 'online'. +Subject: [PATCH] Fix title in manpage.py to not contain 'online'. --- python/sepolicy/sepolicy/manpage.py | 2 +- diff --git a/SOURCES/0009-Don-t-be-verbose-if-you-are-not-on-a-tty.patch b/SOURCES/0009-Don-t-be-verbose-if-you-are-not-on-a-tty.patch index 7e332bf..8fbfb11 100644 
--- a/SOURCES/0009-Don-t-be-verbose-if-you-are-not-on-a-tty.patch +++ b/SOURCES/0009-Don-t-be-verbose-if-you-are-not-on-a-tty.patch @@ -1,7 +1,7 @@ From 8af697659bd662517571577bf47946a2113f34a1 Mon Sep 17 00:00:00 2001 From: Dan Walsh Date: Fri, 14 Feb 2014 12:32:12 -0500 -Subject: [PATCH 09/20] Don't be verbose if you are not on a tty +Subject: [PATCH] Don't be verbose if you are not on a tty --- policycoreutils/scripts/fixfiles | 1 + diff --git a/SOURCES/0010-sepolicy-Drop-old-interface-file_type_is_executable-.patch b/SOURCES/0010-sepolicy-Drop-old-interface-file_type_is_executable-.patch index acf85da..749a2c4 100644 --- a/SOURCES/0010-sepolicy-Drop-old-interface-file_type_is_executable-.patch +++ b/SOURCES/0010-sepolicy-Drop-old-interface-file_type_is_executable-.patch @@ -1,8 +1,8 @@ From ef0f54ffc6d691d10e66a0793204edd159cd45d0 Mon Sep 17 00:00:00 2001 From: Petr Lautrbach Date: Mon, 27 Feb 2017 17:12:39 +0100 -Subject: [PATCH 10/20] sepolicy: Drop old interface file_type_is_executable(f) - and file_type_is_entrypoint(f) +Subject: [PATCH] sepolicy: Drop old interface file_type_is_executable(f) and + file_type_is_entrypoint(f) - use direct queries - load exec_types and entry_types only once diff --git a/SOURCES/0011-sepolicy-Another-small-optimization-for-mcs-types.patch b/SOURCES/0011-sepolicy-Another-small-optimization-for-mcs-types.patch index 98d30be..bea01d5 100644 --- a/SOURCES/0011-sepolicy-Another-small-optimization-for-mcs-types.patch +++ b/SOURCES/0011-sepolicy-Another-small-optimization-for-mcs-types.patch @@ -1,7 +1,7 @@ From e54db76a3bff8e911ddd7c7ce834c024d634d9e1 Mon Sep 17 00:00:00 2001 From: Petr Lautrbach Date: Tue, 28 Feb 2017 21:29:46 +0100 -Subject: [PATCH 11/20] sepolicy: Another small optimization for mcs types +Subject: [PATCH] sepolicy: Another small optimization for mcs types --- python/sepolicy/sepolicy/manpage.py | 16 +++++++++++----- 
diff --git a/SOURCES/0012-Move-po-translation-files-into-the-right-sub-directo.patch b/SOURCES/0012-Move-po-translation-files-into-the-right-sub-directo.patch index 38a569e..f3524b7 100644 --- a/SOURCES/0012-Move-po-translation-files-into-the-right-sub-directo.patch +++ b/SOURCES/0012-Move-po-translation-files-into-the-right-sub-directo.patch @@ -1,8 +1,7 @@ From 4015e9299bfda622e9d407cdbcc536000688aa8f Mon Sep 17 00:00:00 2001 From: Petr Lautrbach Date: Mon, 6 Aug 2018 13:23:00 +0200 -Subject: [PATCH 12/20] Move po/ translation files into the right - sub-directories +Subject: [PATCH] Move po/ translation files into the right sub-directories When policycoreutils was split into policycoreutils/ python/ gui/ and sandbox/ sub-directories, po/ translation files stayed in policycoreutils/. diff --git a/SOURCES/0013-Use-correct-gettext-domains-in-python-gui-sandbox.patch b/SOURCES/0013-Use-correct-gettext-domains-in-python-gui-sandbox.patch index 895077e..c214ee4 100644 --- a/SOURCES/0013-Use-correct-gettext-domains-in-python-gui-sandbox.patch +++ b/SOURCES/0013-Use-correct-gettext-domains-in-python-gui-sandbox.patch @@ -1,7 +1,7 @@ From 57cd23e11e1a700802a5955e84a0a7e04c30ec73 Mon Sep 17 00:00:00 2001 From: Petr Lautrbach Date: Mon, 6 Aug 2018 13:37:07 +0200 -Subject: [PATCH 13/20] Use correct gettext domains in python/ gui/ sandbox/ +Subject: [PATCH] Use correct gettext domains in python/ gui/ sandbox/ https://github.com/fedora-selinux/selinux/issues/43 --- diff --git a/SOURCES/0014-Initial-.pot-files-for-gui-python-sandbox.patch b/SOURCES/0014-Initial-.pot-files-for-gui-python-sandbox.patch index c3d65d2..7b7d340 100644 --- a/SOURCES/0014-Initial-.pot-files-for-gui-python-sandbox.patch +++ b/SOURCES/0014-Initial-.pot-files-for-gui-python-sandbox.patch @@ -1,7 +1,7 @@ From c8c59758d2fb7f6cbe368c9ff8f356ea7acebb4b Mon Sep 17 00:00:00 2001 
From: Petr Lautrbach Date: Mon, 6 Aug 2018 14:23:19 +0200 -Subject: [PATCH 14/20] Initial .pot files for gui/ python/ sandbox/ +Subject: [PATCH] Initial .pot files for gui/ python/ sandbox/ https://github.com/fedora-selinux/selinux/issues/43 --- diff --git a/SOURCES/0016-policycoreutils-setfiles-Improve-description-of-d-sw.patch b/SOURCES/0016-policycoreutils-setfiles-Improve-description-of-d-sw.patch index 1149a84..4120fce 100644 --- a/SOURCES/0016-policycoreutils-setfiles-Improve-description-of-d-sw.patch +++ b/SOURCES/0016-policycoreutils-setfiles-Improve-description-of-d-sw.patch @@ -1,8 +1,7 @@ From c8fbb8042852c18775c001999ce949e9b591e381 Mon Sep 17 00:00:00 2001 From: Vit Mojzis Date: Wed, 21 Mar 2018 08:51:31 +0100 -Subject: [PATCH 16/20] policycoreutils/setfiles: Improve description of -d - switch +Subject: [PATCH] policycoreutils/setfiles: Improve description of -d switch The "-q" switch is becoming obsolete (completely unused in fedora) and debug output ("-d" switch) makes sense in any scenario. Therefore both diff --git a/SOURCES/0017-sepolicy-generate-Handle-more-reserved-port-types.patch b/SOURCES/0017-sepolicy-generate-Handle-more-reserved-port-types.patch index 382e4ea..b4a9fd4 100644 --- a/SOURCES/0017-sepolicy-generate-Handle-more-reserved-port-types.patch +++ b/SOURCES/0017-sepolicy-generate-Handle-more-reserved-port-types.patch @@ -1,7 +1,7 @@ From 3073efc112929b535f3a832c6f99e0dbe3af29ca Mon Sep 17 00:00:00 2001 From: Masatake YAMATO Date: Thu, 14 Dec 2017 15:57:58 +0900 -Subject: [PATCH 17/20] sepolicy-generate: Handle more reserved port types +Subject: [PATCH] sepolicy-generate: Handle more reserved port types Currently only reserved_port_t, port_t and hi_reserved_port_t are handled as special when making a ports-dictionary. However, as fas as diff --git a/SOURCES/0018-semodule-utils-Fix-RESOURCE_LEAK-coverity-scan-defec.patch b/SOURCES/0018-semodule-utils-Fix-RESOURCE_LEAK-coverity-scan-defec.patch index a3771a0..73b9c7a 100644 
--- a/SOURCES/0018-semodule-utils-Fix-RESOURCE_LEAK-coverity-scan-defec.patch +++ b/SOURCES/0018-semodule-utils-Fix-RESOURCE_LEAK-coverity-scan-defec.patch @@ -1,7 +1,7 @@ From f8602180d042e95947fe0bbd35d261771b347705 Mon Sep 17 00:00:00 2001 From: Petr Lautrbach Date: Thu, 8 Nov 2018 09:20:58 +0100 -Subject: [PATCH 18/20] semodule-utils: Fix RESOURCE_LEAK coverity scan defects +Subject: [PATCH] semodule-utils: Fix RESOURCE_LEAK coverity scan defects --- semodule-utils/semodule_package/semodule_package.c | 1 + diff --git a/SOURCES/0019-sandbox-Use-matchbox-window-manager-instead-of-openb.patch b/SOURCES/0019-sandbox-Use-matchbox-window-manager-instead-of-openb.patch index 84d6a67..b9674eb 100644 --- a/SOURCES/0019-sandbox-Use-matchbox-window-manager-instead-of-openb.patch +++ b/SOURCES/0019-sandbox-Use-matchbox-window-manager-instead-of-openb.patch @@ -1,7 +1,7 @@ From 89895635ae012d1864a03700054ecc723973b5c0 Mon Sep 17 00:00:00 2001 From: Petr Lautrbach Date: Wed, 18 Jul 2018 09:09:35 +0200 -Subject: [PATCH 19/20] sandbox: Use matchbox-window-manager instead of openbox +Subject: [PATCH] sandbox: Use matchbox-window-manager instead of openbox --- sandbox/sandbox | 4 ++-- diff --git a/SOURCES/0020-python-Use-ipaddress-instead-of-IPy.patch b/SOURCES/0020-python-Use-ipaddress-instead-of-IPy.patch index 6f2d075..6ba17e2 100644 --- a/SOURCES/0020-python-Use-ipaddress-instead-of-IPy.patch +++ b/SOURCES/0020-python-Use-ipaddress-instead-of-IPy.patch @@ -1,7 +1,7 @@ From b2512e2a92a33360639a3459039cdf2e685655a8 Mon Sep 17 00:00:00 2001 From: Petr Lautrbach Date: Mon, 3 Dec 2018 14:40:09 +0100 -Subject: [PATCH 20/20] python: Use ipaddress instead of IPy +Subject: [PATCH] python: Use ipaddress instead of IPy ipaddress module was added in python 3.3 and this allows us to drop python3-IPy --- 
diff --git a/SOURCES/0021-python-semanage-Do-not-traceback-when-the-default-po.patch b/SOURCES/0021-python-semanage-Do-not-traceback-when-the-default-po.patch index f4a0800..8aa249f 100644 --- a/SOURCES/0021-python-semanage-Do-not-traceback-when-the-default-po.patch +++ b/SOURCES/0021-python-semanage-Do-not-traceback-when-the-default-po.patch @@ -1,4 +1,4 @@ -From 6051f6a56d0ad63fc8aa7c806d43b0594652a0b9 Mon Sep 17 00:00:00 2001 +From 5938d18536f4c0a76521d1f0721e981e6570b012 Mon Sep 17 00:00:00 2001 From: Petr Lautrbach Date: Thu, 4 Apr 2019 23:02:56 +0200 Subject: [PATCH] python/semanage: Do not traceback when the default policy is diff --git a/SOURCES/0022-policycoreutils-fixfiles-Fix-B-F-onboot.patch b/SOURCES/0022-policycoreutils-fixfiles-Fix-B-F-onboot.patch index 7fb0ec5..eca127b 100644 --- a/SOURCES/0022-policycoreutils-fixfiles-Fix-B-F-onboot.patch +++ b/SOURCES/0022-policycoreutils-fixfiles-Fix-B-F-onboot.patch @@ -1,7 +1,7 @@ From 99582e3bf63475b7af5793bb9230e88d847dc7c8 Mon Sep 17 00:00:00 2001 From: Petr Lautrbach Date: Tue, 2 Jul 2019 17:11:32 +0200 -Subject: [PATCH 22/23] policycoreutils/fixfiles: Fix [-B] [-F] onboot +Subject: [PATCH] policycoreutils/fixfiles: Fix [-B] [-F] onboot Commit 6e289bb7bf3d ("policycoreutils: fixfiles: remove bad modes of "relabel" command") added "$RESTORE_MODE" != DEFAULT test when onboot is used. It makes @@ -104,5 +104,5 @@ index 53d28c7b..9dd44213 100755 N) BOOTTIME=$OPTARG -- -2.22.0 +2.21.0 diff --git a/SOURCES/0023-policycoreutils-fixfiles-Force-full-relabel-when-SEL.patch b/SOURCES/0023-policycoreutils-fixfiles-Force-full-relabel-when-SEL.patch index e0b7e1b..4d30a77 100644 --- a/SOURCES/0023-policycoreutils-fixfiles-Force-full-relabel-when-SEL.patch +++ b/SOURCES/0023-policycoreutils-fixfiles-Force-full-relabel-when-SEL.patch @@ -1,8 +1,8 @@ From 9bcf8ad7b9b6d8d761f7d097196b2b9bc114fa0a Mon Sep 17 00:00:00 2001 
From: Petr Lautrbach Date: Tue, 2 Jul 2019 17:12:07 +0200 -Subject: [PATCH 23/23] policycoreutils/fixfiles: Force full relabel when - SELinux is disabled +Subject: [PATCH] policycoreutils/fixfiles: Force full relabel when SELinux is + disabled The previous check used getfilecon to check whether / slash contains a label, but getfilecon fails only when SELinux is disabled. Therefore it's better to @@ -29,5 +29,5 @@ index 9dd44213..a9d27d13 100755 ;; *) -- -2.22.0 +2.21.0 diff --git a/SOURCES/0024-policycoreutils-fixfiles-Fix-unbound-variable-proble.patch b/SOURCES/0024-policycoreutils-fixfiles-Fix-unbound-variable-proble.patch index b05c325..c5ae9ba 100644 --- a/SOURCES/0024-policycoreutils-fixfiles-Fix-unbound-variable-proble.patch +++ b/SOURCES/0024-policycoreutils-fixfiles-Fix-unbound-variable-proble.patch @@ -28,5 +28,5 @@ index a9d27d13..df0042aa 100755 return fi -- -2.17.2 +2.21.0 diff --git a/SOURCES/0025-gui-Fix-remove-module-in-system-config-selinux.patch b/SOURCES/0025-gui-Fix-remove-module-in-system-config-selinux.patch new file mode 100644 index 0000000..660e5bb --- /dev/null +++ b/SOURCES/0025-gui-Fix-remove-module-in-system-config-selinux.patch 
@@ -0,0 +1,38 @@
+From f6c67c02f25d3a8971dcc5667121236fab85dd65 Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach
+Date: Thu, 29 Aug 2019 08:58:20 +0200
+Subject: [PATCH] gui: Fix remove module in system-config-selinux
+
+When a user tried to remove a policy module with priority other than 400 via
+GUI, it failed with a message:
+
+libsemanage.semanage_direct_remove_key: Unable to remove module somemodule at priority 400. (No such file or directory).
+
+This is fixed by calling "semodule -x PRIORITY -r NAME" instead of
+"semodule -r NAME".
+
+From Jono Hein
+Signed-off-by: Petr Lautrbach
+---
+ gui/modulesPage.py | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/gui/modulesPage.py b/gui/modulesPage.py
+index 26ac5404..35a0129b 100644
+--- a/gui/modulesPage.py
++++ b/gui/modulesPage.py
+@@ -125,9 +125,10 @@ class modulesPage(semanagePage):
+ def delete(self):
+ store, iter = self.view.get_selection().get_selected()
+ module = store.get_value(iter, 0)
++ priority = store.get_value(iter, 1)
+ try:
+ self.wait()
+- status, output = getstatusoutput("semodule -r %s" % module)
++ status, output = getstatusoutput("semodule -X %s -r %s" % (priority, module))
+ self.ready()
+ if status != 0:
+ self.error(output)
+--
+2.21.0
+
diff --git a/SOURCES/0026-python-semanage-Do-not-use-default-s0-range-in-seman.patch b/SOURCES/0026-python-semanage-Do-not-use-default-s0-range-in-seman.patch
new file mode 100644
index 0000000..df5bf20
--- /dev/null
+++ b/SOURCES/0026-python-semanage-Do-not-use-default-s0-range-in-seman.patch
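Review bot: In SOURCES/0025-gui-Fix-remove-module-in-system-config-selinux.patch the rewritten call `getstatusoutput("semodule -X %s -r %s" % (priority, module))` still assembles a shell command line by string interpolation, now from two list-store values instead of one. The rows presumably come from the installed module list, so this is a hardening point rather than a demonstrated hole, but any shell metacharacter in either value would be interpreted by the shell. Quoting each value, e.g. `"semodule -X %s -r %s" % (shlex.quote(str(priority)), shlex.quote(module))` (which needs `import shlex` in modulesPage.py), or running the command as an argument list without a shell, removes that dependency. The patch description also says `semodule -x PRIORITY` while the code passes `-X`. delete() continues outside the nested hunk.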
@@ -0,0 +1,30 @@
+From c2e942fc452bff06cc5ed9017afe169c6941f4e4 Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach
+Date: Tue, 3 Sep 2019 15:17:27 +0200
+Subject: [PATCH] python/semanage: Do not use default s0 range in "semanage
+ login -a"
+
+Using the "s0" default means that new login mappings are always added with "s0"
+range instead of the range of SELinux user.
+
+Signed-off-by: Petr Lautrbach
+---
+ python/semanage/semanage | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/python/semanage/semanage b/python/semanage/semanage
+index 4c766ae3..fa78afce 100644
+--- a/python/semanage/semanage
++++ b/python/semanage/semanage
+@@ -221,7 +221,7 @@ def parser_add_level(parser, name):
+
+
+ def parser_add_range(parser, name):
+- parser.add_argument('-r', '--range', default="s0",
++ parser.add_argument('-r', '--range', default='',
+ help=_('''
+ MLS/MCS Security Range (MLS/MCS Systems only)
+ SELinux Range for SELinux login mapping
+--
+2.21.0
+
diff --git a/SOURCES/0027-policycoreutils-fixfiles-Fix-verify-option.patch b/SOURCES/0027-policycoreutils-fixfiles-Fix-verify-option.patch
new file mode 100644
index 0000000..df5bd65
--- /dev/null
+++ b/SOURCES/0027-policycoreutils-fixfiles-Fix-verify-option.patch
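Review bot: In SOURCES/0026-python-semanage-Do-not-use-default-s0-range-in-seman.patch the default is changed inside `parser_add_range(parser, name)`, a helper that takes the subcommand name as a parameter, so any other subcommand registering `--range` through it presumably loses the "s0" default too, while the patch description only covers "semanage login -a". A comment above the changed line, such as `# empty default: the handler falls back to the SELinux user's range`, would record the intent, provided every handler that receives `args.range` really accepts an empty string. The callers are outside the nested hunk, so this needs checking against the full file.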
@@ -0,0 +1,33 @@
+From 4733a594c5df14f64293d19f16498e68dc5e3a98 Mon Sep 17 00:00:00 2001
+From: Vit Mojzis
+Date: Tue, 24 Sep 2019 08:41:30 +0200
+Subject: [PATCH] policycoreutils/fixfiles: Fix "verify" option
+
+"restorecon -n" (used in the "restore" function) has to be used with
+"-v" to display the files whose labels would be changed.
+
+Fixes:
+ Fixfiles verify does not report misslabelled files unless "-v" option is
+ used.
+
+Signed-off-by: Vit Mojzis
+---
+ policycoreutils/scripts/fixfiles | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles
+index df0042aa..be19e56c 100755
+--- a/policycoreutils/scripts/fixfiles
++++ b/policycoreutils/scripts/fixfiles
+@@ -304,7 +304,7 @@ process() {
+ case "$1" in
+ restore) restore Relabel;;
+ check) VERBOSE="-v"; restore Check -n;;
+- verify) restore Verify -n;;
++ verify) VERBOSE="-v"; restore Verify -n;;
+ relabel) relabel;;
+ onboot)
+ if [ -n "$RESTORE_MODE" -a "$RESTORE_MODE" != DEFAULT ]; then
+--
+2.21.0
+
diff --git a/SOURCES/0028-python-semanage-Improve-handling-of-permissive-state.patch b/SOURCES/0028-python-semanage-Improve-handling-of-permissive-state.patch
new file mode 100644
index 0000000..0965a9a
--- /dev/null
+++ b/SOURCES/0028-python-semanage-Improve-handling-of-permissive-state.patch
@@ -0,0 +1,102 @@ +From 0803fcb2c014b2cedf8f4d92b80fc382916477ee Mon Sep 17 00:00:00 2001 +From: Vit Mojzis +Date: Fri, 27 Sep 2019 16:13:47 +0200 +Subject: [PATCH] python/semanage: Improve handling of "permissive" statements + +- Add "customized" method to permissiveRecords which is than used for + "semanage permissive --extract" and "semanage export" +- Enable "semanage permissive --deleteall" (already implemented) +- Add "permissive" to the list of modules exported using + "semanage export" +- Update "semanage permissive" man page + +Signed-off-by: Vit Mojzis +--- + python/semanage/semanage | 11 ++++++++--- + python/semanage/semanage-permissive.8 | 8 +++++++- + python/semanage/seobject.py | 3 +++ + 3 files changed, 18 insertions(+), 4 deletions(-) + +diff --git a/python/semanage/semanage b/python/semanage/semanage +index fa78afce..b2bd9df9 100644 +--- a/python/semanage/semanage ++++ b/python/semanage/semanage +@@ -722,6 +722,11 @@ def handlePermissive(args): + + if args.action == "list": + OBJECT.list(args.noheading) ++ elif args.action == "deleteall": ++ OBJECT.deleteall() ++ elif args.action == "extract": ++ for i in OBJECT.customized(): ++ print("permissive %s" % str(i)) + elif args.type is not None: + if args.action == "add": + OBJECT.add(args.type) +@@ -737,9 +742,9 @@ def setupPermissiveParser(subparsers): + pgroup = permissiveParser.add_mutually_exclusive_group(required=True) + parser_add_add(pgroup, "permissive") + parser_add_delete(pgroup, "permissive") ++ parser_add_deleteall(pgroup, "permissive") ++ parser_add_extract(pgroup, "permissive") + parser_add_list(pgroup, "permissive") +- #TODO: probably should be also added => need to implement own option handling +- #parser_add_deleteall(pgroup) + + parser_add_noheading(permissiveParser, "permissive") + parser_add_noreload(permissiveParser, "permissive") +@@ -763,7 +768,7 @@ def setupDontauditParser(subparsers): + + + def handleExport(args): +- manageditems = ["boolean", "login", "interface", "user", 
"port", "node", "fcontext", "module", "ibendport", "ibpkey"] ++ manageditems = ["boolean", "login", "interface", "user", "port", "node", "fcontext", "module", "ibendport", "ibpkey", "permissive"] + for i in manageditems: + print("%s -D" % i) + for i in manageditems: +diff --git a/python/semanage/semanage-permissive.8 b/python/semanage/semanage-permissive.8 +index 1999a451..5c3364fa 100644 +--- a/python/semanage/semanage-permissive.8 ++++ b/python/semanage/semanage-permissive.8 +@@ -2,7 +2,7 @@ + .SH "NAME" + .B semanage\-permissive \- SELinux Policy Management permissive mapping tool + .SH "SYNOPSIS" +-.B semanage permissive [\-h] (\-a | \-d | \-l) [\-n] [\-N] [\-S STORE] [type] ++.B semanage permissive [\-h] [\-n] [\-N] [\-S STORE] (\-\-add TYPE | \-\-delete TYPE | \-\-deleteall | \-\-extract | \-\-list) + + .SH "DESCRIPTION" + semanage is used to configure certain elements of SELinux policy without requiring modification to or recompilation from policy sources. semanage permissive adds or removes a SELinux Policy permissive module. 
+@@ -18,9 +18,15 @@ Add a record of the specified object type + .I \-d, \-\-delete + Delete a record of the specified object type + .TP ++.I \-D, \-\-deleteall ++Remove all local customizations of permissive domains ++.TP + .I \-l, \-\-list + List records of the specified object type + .TP ++.I \-E, \-\-extract ++Extract customizable commands, for use within a transaction ++.TP + .I \-n, \-\-noheading + Do not print heading when listing the specified object type + .TP +diff --git a/python/semanage/seobject.py b/python/semanage/seobject.py +index 58497e3b..3959abc8 100644 +--- a/python/semanage/seobject.py ++++ b/python/semanage/seobject.py +@@ -478,6 +478,9 @@ class permissiveRecords(semanageRecords): + l.append(name.split("permissive_")[1]) + return l + ++ def customized(self): ++ return ["-a %s" % x for x in sorted(self.get_all())] ++ + def list(self, heading=1, locallist=0): + all = [y["name"] for y in [x for x in sepolicy.info(sepolicy.TYPE) if x["permissive"]]] + if len(all) == 0: +-- +2.21.0 + diff --git a/SOURCES/0029-python-semanage-fix-moduleRecords.customized.patch b/SOURCES/0029-python-semanage-fix-moduleRecords.customized.patch new file mode 100644 index 0000000..37ed550 --- /dev/null +++ b/SOURCES/0029-python-semanage-fix-moduleRecords.customized.patch 
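Review bot: In SOURCES/0028-python-semanage-Improve-handling-of-permissive-state.patch the new `permissiveRecords.customized()` has no docstring, although its return shape is what `handlePermissive` iterates over and, per the patch description, what "semanage export" relies on. A one-line docstring such as `"""Return the local permissive domains as sorted "-a TYPE" argument strings."""` would make that contract explicit. In `handlePermissive`, `print("permissive %s" % str(i))` can drop the `str()` call, since `customized()` already returns strings.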
@@ -0,0 +1,41 @@
+From 7cc31c4799dd94ed516a39d853744bd1ffb6dc69 Mon Sep 17 00:00:00 2001
+From: Vit Mojzis
+Date: Mon, 30 Sep 2019 09:49:04 +0200
+Subject: [PATCH] python/semanage: fix moduleRecords.customized()
+
+Return value of "customized" has to be iterable.
+
+Fixes:
+ "semanage export" with no modules in the system (eg. monolithic policy)
+ crashes:
+
+ Traceback (most recent call last):
+ File "/usr/sbin/semanage", line 970, in
+ do_parser()
+ File "/usr/sbin/semanage", line 949, in do_parser
+ args.func(args)
+ File "/usr/sbin/semanage", line 771, in handleExport
+ for c in OBJECT.customized():
+ TypeError: 'NoneType' object is not iterable
+
+Signed-off-by: Vit Mojzis
+---
+ python/semanage/seobject.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/python/semanage/seobject.py b/python/semanage/seobject.py
+index 3959abc8..16edacaa 100644
+--- a/python/semanage/seobject.py
++++ b/python/semanage/seobject.py
+@@ -380,7 +380,7 @@ class moduleRecords(semanageRecords):
+ def customized(self):
+ all = self.get_all()
+ if len(all) == 0:
+- return
++ return []
+ return ["-d %s" % x[0] for x in [t for t in all if t[1] == 0]]
+
+ def list(self, heading=1, locallist=0):
+--
+2.21.0
+
diff --git a/SOURCES/0030-python-semanage-Add-support-for-DCCP-and-SCTP-protoc.patch b/SOURCES/0030-python-semanage-Add-support-for-DCCP-and-SCTP-protoc.patch
new file mode 100644
index 0000000..16dbfb3
--- /dev/null
+++ b/SOURCES/0030-python-semanage-Add-support-for-DCCP-and-SCTP-protoc.patch
@@ -0,0 +1,45 @@
+From 7cbfcec89a6972f9c700687ed3cef25ff0846461 Mon Sep 17 00:00:00 2001
+From: Vit Mojzis
+Date: Tue, 8 Oct 2019 14:22:13 +0200
+Subject: [PATCH] python/semanage: Add support for DCCP and SCTP protocols
+
+Fixes:
+ # semanage port -a -p sctp -t port_t 1234
+ ValueError: Protocol udp or tcp is required
+ # semanage port -d -p sctp -t port_t 1234
+ ValueError: Protocol udp or tcp is required
+
+Signed-off-by: Vit Mojzis
+---
+ python/semanage/seobject.py | 14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+
+diff --git a/python/semanage/seobject.py b/python/semanage/seobject.py
+index 16edacaa..70ebfd08 100644
+--- a/python/semanage/seobject.py
++++ b/python/semanage/seobject.py
+@@ -1058,13 +1058,15 @@ class portRecords(semanageRecords):
+ pass
+
+ def __genkey(self, port, proto):
+- if proto == "tcp":
+- proto_d = SEMANAGE_PROTO_TCP
++ protocols = {"tcp": SEMANAGE_PROTO_TCP,
++ "udp": SEMANAGE_PROTO_UDP,
++ "sctp": SEMANAGE_PROTO_SCTP,
++ "dccp": SEMANAGE_PROTO_DCCP}
++
++ if proto in protocols.keys():
++ proto_d = protocols[proto]
+ else:
+- if proto == "udp":
+- proto_d = SEMANAGE_PROTO_UDP
+- else:
+- raise ValueError(_("Protocol udp or tcp is required"))
++ raise ValueError(_("Protocol has to be one of udp, tcp, dccp or sctp"))
+ if port == "":
+ raise ValueError(_("Port is required"))
+
+--
+2.21.0
+
diff --git a/SOURCES/0031-dbus-Fix-FileNotFoundError-in-org.selinux.relabel_on.patch b/SOURCES/0031-dbus-Fix-FileNotFoundError-in-org.selinux.relabel_on.patch
new file mode 100644
index 0000000..ef5f2b6
--- /dev/null
+++ b/SOURCES/0031-dbus-Fix-FileNotFoundError-in-org.selinux.relabel_on.patch
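Review bot: In SOURCES/0030-python-semanage-Add-support-for-DCCP-and-SCTP-protoc.patch `__genkey` now builds the `protocols` dict on every call, so `SEMANAGE_PROTO_SCTP` and `SEMANAGE_PROTO_DCCP` are evaluated even when the key is for tcp or udp. If the installed libsemanage Python bindings do not export those two constants, every port operation would presumably fail on the missing name, not only the new protocols. The package's dependency on a libsemanage build that provides them should be confirmed; the spec change is not visible in this part of the diff. As a style point, `if proto in protocols.keys():` can be written `if proto in protocols:`. `__genkey` continues past the nested hunk.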
@@ -0,0 +1,40 @@
+From 6e5ccf2dd3329b400b70b7806b9c6128c5c50995 Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach
+Date: Fri, 15 Nov 2019 09:15:49 +0100
+Subject: [PATCH] dbus: Fix FileNotFoundError in org.selinux.relabel_on_boot
+
+When org.selinux.relabel_on_boot(0) was called twice, it failed with
+FileNotFoundError.
+
+Fixes:
+ $ dbus-send --system --print-reply --dest=org.selinux /org/selinux/object org.selinux.relabel_on_boot int64:1
+ method return sender=:1.53 -> dest=:1.54 reply_serial=2
+ $ dbus-send --system --print-reply --dest=org.selinux /org/selinux/object org.selinux.relabel_on_boot int64:0
+ method return sender=:1.53 -> dest=:1.55 reply_serial=2
+ $ dbus-send --system --print-reply --dest=org.selinux /org/selinux/object org.selinux.relabel_on_boot int64:0
+ Error org.freedesktop.DBus.Python.FileNotFoundError: FileNotFoundError: [Errno 2] No such file or directory: '/.autorelabel'
+
+Signed-off-by: Petr Lautrbach
+---
+ dbus/selinux_server.py | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/dbus/selinux_server.py b/dbus/selinux_server.py
+index b9debc071485..be4f4557a9fa 100644
+--- a/dbus/selinux_server.py
++++ b/dbus/selinux_server.py
+@@ -85,7 +85,10 @@ class selinux_server(slip.dbus.service.Object):
+ fd = open("/.autorelabel", "w")
+ fd.close()
+ else:
+- os.unlink("/.autorelabel")
++ try:
++ os.unlink("/.autorelabel")
++ except FileNotFoundError:
++ pass
+
+ def write_selinux_config(self, enforcing=None, policy=None):
+ path = selinux.selinux_path() + "config"
+--
+2.23.0
+
diff --git a/SOURCES/0032-restorecond-Fix-redundant-console-log-output-error.patch b/SOURCES/0032-restorecond-Fix-redundant-console-log-output-error.patch
new file mode 100644
index 0000000..166c6bd
--- /dev/null
+++ b/SOURCES/0032-restorecond-Fix-redundant-console-log-output-error.patch
@@ -0,0 +1,200 @@
+From 76371721bafed56efcb7a83b3fa3285383ede5b7 Mon Sep 17 00:00:00 2001
+From: Baichuan Kong
+Date: Thu, 14 Nov 2019 10:48:07 +0800
+Subject: [PATCH] restorecond: Fix redundant console log output error
+
+When starting restorecond without any option the following redundant
+console log is outputed:
+
+/dev/log 100.0%
+/var/volatile/run/syslogd.pid 100.0%
+...
+
+This is caused by two global variables of same name r_opts. When
+executes r_opts = opts in restore_init(), it originally intends
+to assign the address of struct r_opts in "restorecond.c" to the
+pointer *r_opts in "restore.c".
+
+However, the address is assigned to the struct r_opts and covers
+the value of low eight bytes in it. That causes unexpected value
+of member varibale 'nochange' and 'verbose' in struct r_opts, thus
+affects value of 'restorecon_flags' and executes unexpected operations
+when restorecon the files such as the redundant console log output or
+file label nochange.
+
+Cause restorecond/restore.c is copied from policycoreutils/setfiles,
+which share the same pattern. It also has potential risk to generate
+same problems, So fix it in case.
+
+Signed-off-by: Baichuan Kong
+
+(cherry-picked from SElinuxProject
+commit ad2208ec220f55877a4d31084be2b4d6413ee082)
+
+Resolves: rhbz#1626468
+---
+ policycoreutils/setfiles/restore.c | 42 ++++++++++++++----------------
+ restorecond/restore.c | 40 +++++++++++++---------------
+ 2 files changed, 37 insertions(+), 45 deletions(-)
+
+diff --git a/policycoreutils/setfiles/restore.c b/policycoreutils/setfiles/restore.c
+index 9dea5656..d3335d1a 100644
+--- a/policycoreutils/setfiles/restore.c
++++ b/policycoreutils/setfiles/restore.c
+@@ -17,40 +17,37 @@
+ char **exclude_list;
+ int exclude_count;
+
+-struct restore_opts *r_opts;
+-
+ void restore_init(struct restore_opts *opts)
+ {
+ int rc;
+
+- r_opts = opts;
+ struct selinux_opt selinux_opts[] = {
+- { SELABEL_OPT_VALIDATE, r_opts->selabel_opt_validate },
+- { SELABEL_OPT_PATH, r_opts->selabel_opt_path },
+- { SELABEL_OPT_DIGEST, r_opts->selabel_opt_digest }
++ { SELABEL_OPT_VALIDATE, opts->selabel_opt_validate },
++ { SELABEL_OPT_PATH, opts->selabel_opt_path },
++ { SELABEL_OPT_DIGEST, opts->selabel_opt_digest }
+ };
+
+- r_opts->hnd = selabel_open(SELABEL_CTX_FILE, selinux_opts, 3);
+- if (!r_opts->hnd) {
+- perror(r_opts->selabel_opt_path);
++ opts->hnd = selabel_open(SELABEL_CTX_FILE, selinux_opts, 3);
++ if (!opts->hnd) {
++ perror(opts->selabel_opt_path);
+ exit(1);
+ }
+
+- r_opts->restorecon_flags = 0;
+- r_opts->restorecon_flags = r_opts->nochange | r_opts->verbose |
+- r_opts->progress | r_opts->set_specctx |
+- r_opts->add_assoc | r_opts->ignore_digest |
+- r_opts->recurse | r_opts->userealpath |
+- r_opts->xdev | r_opts->abort_on_error |
+- r_opts->syslog_changes | r_opts->log_matches |
+- r_opts->ignore_noent | r_opts->ignore_mounts |
+- r_opts->mass_relabel;
++ opts->restorecon_flags = 0;
++ opts->restorecon_flags = opts->nochange | opts->verbose |
++ opts->progress | opts->set_specctx |
++ opts->add_assoc | opts->ignore_digest |
++ opts->recurse | opts->userealpath |
++ opts->xdev | opts->abort_on_error |
++ opts->syslog_changes | opts->log_matches |
++ opts->ignore_noent | opts->ignore_mounts |
++ opts->mass_relabel;
+
+ /* Use setfiles, restorecon and restorecond own handles */
+- selinux_restorecon_set_sehandle(r_opts->hnd);
++ selinux_restorecon_set_sehandle(opts->hnd);
+
+- if (r_opts->rootpath) {
+- rc = selinux_restorecon_set_alt_rootpath(r_opts->rootpath);
++ if (opts->rootpath) {
++ rc = selinux_restorecon_set_alt_rootpath(opts->rootpath);
+ if (rc) {
+ fprintf(stderr,
+ "selinux_restorecon_set_alt_rootpath error: %s.\n",
+@@ -81,7 +78,6 @@ int process_glob(char *name, struct restore_opts *opts)
+ size_t i = 0;
+ int len, rc, errors;
+
+- r_opts = opts;
+ memset(&globbuf, 0, sizeof(globbuf));
+
+ errors = glob(name, GLOB_TILDE | GLOB_PERIOD |
+@@ -96,7 +92,7 @@ int process_glob(char *name, struct restore_opts *opts)
+ if (len > 0 && strcmp(&globbuf.gl_pathv[i][len], "/..") == 0)
+ continue;
+ rc = selinux_restorecon(globbuf.gl_pathv[i],
+- r_opts->restorecon_flags);
++ opts->restorecon_flags);
+ if (rc < 0)
+ errors = rc;
+ }
+diff --git a/restorecond/restore.c b/restorecond/restore.c
+index f6e30001..b93b5fdb 100644
+--- a/restorecond/restore.c
++++ b/restorecond/restore.c
+@@ -12,39 +12,36 @@
+ char **exclude_list;
+ int exclude_count;
+
+-struct restore_opts *r_opts;
+-
+ void restore_init(struct restore_opts *opts)
+ {
+ int rc;
+
+- r_opts = opts;
+ struct selinux_opt selinux_opts[] = {
+- { SELABEL_OPT_VALIDATE, r_opts->selabel_opt_validate },
+- { SELABEL_OPT_PATH, r_opts->selabel_opt_path },
+- { SELABEL_OPT_DIGEST, r_opts->selabel_opt_digest }
++ { SELABEL_OPT_VALIDATE, opts->selabel_opt_validate },
++ { SELABEL_OPT_PATH, opts->selabel_opt_path },
++ { SELABEL_OPT_DIGEST, opts->selabel_opt_digest }
+ };
+
+- r_opts->hnd = selabel_open(SELABEL_CTX_FILE, selinux_opts, 3);
+- if (!r_opts->hnd) {
+- perror(r_opts->selabel_opt_path);
++ opts->hnd = selabel_open(SELABEL_CTX_FILE, selinux_opts, 3);
++ if (!opts->hnd) {
++ perror(opts->selabel_opt_path);
+ exit(1);
+ }
+
+- r_opts->restorecon_flags = 0;
+- r_opts->restorecon_flags = r_opts->nochange | r_opts->verbose |
+- r_opts->progress | r_opts->set_specctx |
+- r_opts->add_assoc | r_opts->ignore_digest |
+- r_opts->recurse | r_opts->userealpath |
+- r_opts->xdev | r_opts->abort_on_error |
+- r_opts->syslog_changes | r_opts->log_matches |
+- r_opts->ignore_noent | r_opts->ignore_mounts;
++ opts->restorecon_flags = 0;
++ opts->restorecon_flags = opts->nochange | opts->verbose |
++ opts->progress | opts->set_specctx |
++ opts->add_assoc | opts->ignore_digest |
++ opts->recurse | opts->userealpath |
++ opts->xdev | opts->abort_on_error |
++ opts->syslog_changes | opts->log_matches |
++ opts->ignore_noent | opts->ignore_mounts;
+
+ /* Use setfiles, restorecon and restorecond own handles */
+- selinux_restorecon_set_sehandle(r_opts->hnd);
++ selinux_restorecon_set_sehandle(opts->hnd);
+
+- if (r_opts->rootpath) {
+- rc = selinux_restorecon_set_alt_rootpath(r_opts->rootpath);
++ if (opts->rootpath) {
++ rc = selinux_restorecon_set_alt_rootpath(opts->rootpath);
+ if (rc) {
+ fprintf(stderr,
+ "selinux_restorecon_set_alt_rootpath error: %s.\n",
+@@ -75,7 +72,6 @@ int process_glob(char *name, struct restore_opts *opts)
+ size_t i = 0;
+ int len, rc, errors;
+
+- r_opts = opts;
+ memset(&globbuf, 0, sizeof(globbuf));
+
+ errors = glob(name, GLOB_TILDE | GLOB_PERIOD |
+@@ -90,7 +86,7 @@ int process_glob(char *name, struct restore_opts *opts)
+ if (len > 0 && strcmp(&globbuf.gl_pathv[i][len], "/..") == 0)
+ continue;
+ rc = selinux_restorecon(globbuf.gl_pathv[i],
+- r_opts->restorecon_flags);
++ opts->restorecon_flags);
+ if (rc < 0)
+ errors = rc;
+ }
+--
+2.21.0
+
diff --git a/SPECS/policycoreutils.spec b/SPECS/policycoreutils.spec
index efbd06c..24ffe1c 100644
--- a/SPECS/policycoreutils.spec
+++ b/SPECS/policycoreutils.spec
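Review bot: `exclude_list` and `exclude_count` stay as uninitialised, non-static globals at the top of both `restore.c` files, so they appear to remain open to the kind of same-name collision the commit message describes for `r_opts`. If no other translation unit needs them, declare them `static`; otherwise building with `-fno-common` turns a duplicate definition into a link error instead of silently overlapping storage. Separately, `opts->restorecon_flags = 0;` is a dead store because the next statement overwrites it, and the literal `3` passed to `selabel_open` could be `sizeof(selinux_opts) / sizeof(selinux_opts[0])`. `restore_init` and `process_glob` both continue outside the hunks shown.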
@@ -1,6 +1,6 @@ %global libauditver 3.0 %global libsepolver 2.9-1 -%global libsemanagever 2.9-1 +%global libsemanagever 2.9-2 %global libselinuxver 2.9-1 %global sepolgenver 2.9 @@ -12,7 +12,7 @@ Summary: SELinux policy core utilities Name: policycoreutils Version: 2.9 -Release: 3%{?dist}.1 +Release: 9%{?dist} License: GPLv2 # https://github.com/SELinuxProject/selinux/wiki/Releases Source0: https://github.com/SELinuxProject/selinux/releases/download/20190315/policycoreutils-2.9.tar.gz @@ -62,6 +62,14 @@ Patch0021: 0021-python-semanage-Do-not-traceback-when-the-default-po.patch Patch0022: 0022-policycoreutils-fixfiles-Fix-B-F-onboot.patch Patch0023: 0023-policycoreutils-fixfiles-Force-full-relabel-when-SEL.patch Patch0024: 0024-policycoreutils-fixfiles-Fix-unbound-variable-proble.patch +Patch0025: 0025-gui-Fix-remove-module-in-system-config-selinux.patch +Patch0026: 0026-python-semanage-Do-not-use-default-s0-range-in-seman.patch +Patch0027: 0027-policycoreutils-fixfiles-Fix-verify-option.patch +Patch0028: 0028-python-semanage-Improve-handling-of-permissive-state.patch +Patch0029: 0029-python-semanage-fix-moduleRecords.customized.patch +Patch0030: 0030-python-semanage-Add-support-for-DCCP-and-SCTP-protoc.patch +Patch0031: 0031-dbus-Fix-FileNotFoundError-in-org.selinux.relabel_on.patch +Patch0032: 0032-restorecond-Fix-redundant-console-log-output-error.patch Obsoletes: policycoreutils < 2.0.61-2 Conflicts: filesystem < 3, selinux-policy-base < 3.13.1-138 
@@ -499,9 +507,28 @@ The policycoreutils-restorecond package contains the restorecond service. %systemd_postun_with_restart restorecond.service %changelog -* Fri Nov 29 2019 Petr Lautrbach - 2.9-3.1 +* Fri Jan 17 2020 Vit Mojzis - 2.9-9 +- Update translations (#1754978) + +* Thu Nov 21 2019 Vit Mojzis - 2.9-8 +- restorecond: Fix redundant console log output error (#1626468) + +* Tue Nov 19 2019 Petr Lautrbach - 2.9-7 +- dbus: Fix FileNotFoundError in org.selinux.relabel_on_boot (#1754873) + +* Tue Nov 12 2019 Petr Lautrbach - 2.9-6 - Configure autorelabel service to output to journal and to console if set (#1766578) +* Wed Nov 06 2019 Vit Mojzis - 2.9-5 +- fixfiles: Fix "verify" option (#1647532) +- semanage: Improve handling of "permissive" statements (#1417455) +- semanage: fix moduleRecords.customized() +- semanage: Add support for DCCP and SCTP protocols (#1563742) + +* Wed Sep 4 2019 Petr Lautrbach - 2.9-4 +- semanage: Do not use default s0 range in "semanage login -a" (#1554360) +- gui: Fix remove module in system-config-selinux (#1748763) + * Thu Aug 22 2019 Vit Mojzis - 2.9-3 - fixfiles: Fix unbound variable problem (#1743213)