From b185f8151d518e94376a442b9609fc95b7213bf4 Mon Sep 17 00:00:00 2001 From: Petr Lautrbach Date: Thu, 6 Apr 2017 15:38:16 +0200 Subject: [PATCH] policycoreutils-2.6-5 - semanage: Unify argument handling (#1398987) - setfiles: set up a logging callback for libselinux - setfiles: Fix setfiles progress indicator - setfiles: stdout messages don't need program prefix - setfiles: don't scramble stdout and stderr together (#1435894) - restorecond: Decrease loglevel of termination message (#1264505) - fixfiles should handle path arguments more robustly - fixfiles: handle unexpected spaces in command - fixfiles: remove useless use of cat (#1435894) - semanage: Add checks if a module name is passed in (#1420707) - semanage: fix export of fcontext socket entries (#1435127) - selinux-autorelabel: remove incorrect redirection to /dev/null (#1415674) --- policycoreutils-fedora.patch | 524 ++++++++++++++++++++++++++++++++++- policycoreutils.spec | 20 +- 2 files changed, 533 insertions(+), 11 deletions(-) diff --git a/policycoreutils-fedora.patch b/policycoreutils-fedora.patch index 5f7a5d2..ddaea6b 100644 --- a/policycoreutils-fedora.patch +++ b/policycoreutils-fedora.patch @@ -42,10 +42,36 @@ index 1d262a9..064001b 100644 except ValueError as e: self.error(e.message) return True +diff --git policycoreutils-2.6/gui/portsPage.py policycoreutils-2.6/gui/portsPage.py +index b6445db..ed9d51b 100644 +--- policycoreutils-2.6/gui/portsPage.py ++++ policycoreutils-2.6/gui/portsPage.py +@@ -34,6 +34,12 @@ from semanagePage import * + ## I18N + ## + PROGNAME = "policycoreutils" ++ ++TYPE_COL = 0 ++PROTOCOL_COL = 1 ++MLS_COL = 2 ++PORT_COL = 3 ++ + try: + import gettext + kwargs = {} 
diff --git policycoreutils-2.6/hll/pp/pp.c policycoreutils-2.6/hll/pp/pp.c -index 2c9f53f..7f9afb0 100644 +index 2c9f53f..bf7582e 100644 --- policycoreutils-2.6/hll/pp/pp.c +++ policycoreutils-2.6/hll/pp/pp.c +@@ -46,7 +46,7 @@ static void log_err(const char *fmt, ...) + } + } + +-static void usage(int err) ++static __attribute__((__noreturn__)) void usage(int err) + { + fprintf(stderr, "Usage: %s [OPTIONS] [IN_FILE [OUT_FILE]]\n", progname); + fprintf(stderr, "\n"); @@ -141,7 +141,7 @@ int main(int argc, char **argv) if (separator) { *separator = '\0'; @@ -55,6 +81,32 @@ index 2c9f53f..7f9afb0 100644 fprintf(stderr, "Warning: SELinux userspace will refer to the module from %s as %s rather than %s\n", ifile, mod_name, cil_name); } free(cil_path); +diff --git policycoreutils-2.6/load_policy/load_policy.c policycoreutils-2.6/load_policy/load_policy.c +index 47d9b0f..7c2c2a7 100644 +--- policycoreutils-2.6/load_policy/load_policy.c ++++ policycoreutils-2.6/load_policy/load_policy.c +@@ -17,7 +17,7 @@ + #define PACKAGE "policycoreutils" /* the name of this package lang translation */ + #endif + +-void usage(char *progname) ++static __attribute__((__noreturn__)) void usage(const char *progname) + { + fprintf(stderr, _("usage: %s [-qi]\n"), progname); + exit(1); +diff --git policycoreutils-2.6/restorecond/watch.c policycoreutils-2.6/restorecond/watch.c +index bdfc99d..b6fa825 100644 +--- policycoreutils-2.6/restorecond/watch.c ++++ policycoreutils-2.6/restorecond/watch.c +@@ -179,7 +179,7 @@ int watch(int fd, const char *watch_file) + syslog(LOG_ERR, "Read error (%s)", strerror(errno)); + return 0; + } +- syslog(LOG_ERR, "terminated"); ++ syslog(LOG_INFO, "terminated"); + return -1; + } else if (!len) + /* BUF_LEN too small? */ diff --git policycoreutils-2.6/sandbox/sandboxX.sh policycoreutils-2.6/sandbox/sandboxX.sh index eaa500d..4774528 100644 --- policycoreutils-2.6/sandbox/sandboxX.sh 
@@ -69,7 +121,7 @@ index eaa500d..4774528 100644 cat > ~/seremote << __EOF #!/bin/sh diff --git policycoreutils-2.6/scripts/fixfiles policycoreutils-2.6/scripts/fixfiles -index fa43a53..301fc34 100755 +index fa43a53..cc504b7 100755 --- policycoreutils-2.6/scripts/fixfiles +++ policycoreutils-2.6/scripts/fixfiles @@ -116,14 +116,11 @@ exclude_dirs() { @@ -107,7 +159,7 @@ index fa43a53..301fc34 100755 fi } # -@@ -244,6 +244,10 @@ then +@@ -244,20 +244,24 @@ then logit "skipping the directory ${p}" done FC=$TEMPFCFILE @@ -118,6 +170,23 @@ index fa43a53..301fc34 100755 fi if [ ! -z "$RPMFILES" ]; then for i in `echo "$RPMFILES" | sed 's/,/ /g'`; do +- rpmlist $i | ${RESTORECON} $exclude_dirs ${FORCEFLAG} ${VERBOSE} $* -R -i -f - 2>&1 | cat >> $LOGFILE ++ rpmlist $i | ${RESTORECON} $exclude_dirs ${FORCEFLAG} ${VERBOSE} $* -R -i -f - >>$LOGFILE 2>&1 + done + exit $? + fi + if [ ! -z "$FILEPATH" ]; then +- ${RESTORECON} $exclude_dirs ${FORCEFLAG} ${VERBOSE} -R $* $FILEPATH 2>&1 | cat >> $LOGFILE ++ ${RESTORECON} $exclude_dirs ${FORCEFLAG} ${VERBOSE} -R $* -- "$FILEPATH" >>$LOGFILE 2>&1 + return + fi + if [ -n "${FILESYSTEMSRW}" ]; then + echo "${OPTION}ing `echo ${FILESYSTEMSRW}`" +- ${SETFILES} ${VERBOSE} $exclude_dirs -q ${FORCEFLAG} $* ${FC} ${FILESYSTEMSRW} 2>&1 | cat >> $LOGFILE ++ ${SETFILES} ${VERBOSE} $exclude_dirs -q ${FORCEFLAG} $* ${FC} ${FILESYSTEMSRW} >>$LOGFILE 2>&1 + else + echo >&2 "fixfiles: No suitable file systems found" + fi @@ -265,7 +269,7 @@ if [ ${OPTION} != "Relabel" ]; then return fi 
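Review bot: In the `RPMFILES` loop, the `exit $?` after `done` now reflects restorecon's status (no longer `cat`'s), but only for the last package in the list, so a relabel failure on an earlier RPM still exits 0. Collect the status per iteration, e.g. end the pipeline line with `>>"$LOGFILE" 2>&1 || rc=$?` and finish with `exit ${rc:-0}`. The three rewritten redirections also leave `$LOGFILE` unquoted, although the same change quotes `"$FILEPATH"`. Under bash a log path containing whitespace makes the redirection fail and the restorecon/setfiles call is skipped; `>>"$LOGFILE" 2>&1` avoids that. The enclosing function begins and ends outside the hunk.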
@@ -136,6 +205,129 @@ index fa43a53..301fc34 100755 relabel) relabel;; onboot) > /.autorelabel +@@ -382,8 +386,8 @@ done + shift $(( OPTIND - 1 )) + + # Check for the command +-command=$1 +-if [ -z $command ]; then ++command="$1" ++if [ -z "$command" ]; then + usage + fi + +@@ -395,17 +399,17 @@ shift + # + + if [ ! -z "$RPMFILES" ]; then +- process $command ++ process "$command" + if [ $# -gt 0 ]; then + usage + fi + else + if [ -z "$1" ]; then +- process $command ++ process "$command" + else + while [ -n "$1" ]; do +- FILEPATH=$1 +- process $command ++ FILEPATH="$1" ++ process "$command" + shift + done + fi +diff --git policycoreutils-2.6/secon/secon.c policycoreutils-2.6/secon/secon.c +index 134f4ee..c29d9fb 100644 +--- policycoreutils-2.6/secon/secon.c ++++ policycoreutils-2.6/secon/secon.c +@@ -73,7 +73,7 @@ struct { + FALSE, FALSE, FALSE, FALSE, FALSE, FALSE, + FALSE, FALSE, FALSE, OPTS_FROM_ARG, {0} } }; + +-static void usage(const char *name, int exit_code) ++static __attribute__((__noreturn__)) void usage(const char *name, int exit_code) + { + fprintf(exit_code ? 
stderr : stdout, + " Usage: %s [-%s] [ context | - ]\n" +diff --git policycoreutils-2.6/semanage/semanage policycoreutils-2.6/semanage/semanage +index 19a6c51..c109716 100644 +--- policycoreutils-2.6/semanage/semanage ++++ policycoreutils-2.6/semanage/semanage +@@ -50,7 +50,7 @@ usage_login = "semanage login [-h] [-n] [-N] [-S STORE] [" + usage_login_dict = {' --add': ('-s SEUSER', '-r RANGE', 'LOGIN',), ' --modify': ('-s SEUSER', '-r RANGE', 'LOGIN',), ' --delete': ('LOGIN',), ' --list': ('-C',), ' --extract': ('',), ' --deleteall': ('',)} + + usage_fcontext = "semanage fcontext [-h] [-n] [-N] [-S STORE] [" +-usage_fcontext_dict = {' --add': ('(', '-t TYPE', '-f FTYPE', '-r RANGE', '-s SEUSER', '|', '-e EQUAL', ')', 'FILE_SPEC', ')',), ' --delete': ('(', '-t TYPE', '-f FTYPE', '|', '-e EQUAL', ')', 'FILE_SPEC', ')',), ' --modify': ('(', '-t TYPE', '-f FTYPE', '-r RANGE', '-s SEUSER', '|', '-e EQUAL', ')', 'FILE_SPEC )',), ' --list': ('-C',), ' --extract': ('',), ' --deleteall': ('',)} ++usage_fcontext_dict = {' --add': ('(', '-t TYPE', '-f FTYPE', '-r RANGE', '-s SEUSER', '|', '-e EQUAL', ')', 'FILE_SPEC',), ' --delete': ('(', '-t TYPE', '-f FTYPE', '|', '-e EQUAL', ')', 'FILE_SPEC',), ' --modify': ('(', '-t TYPE', '-f FTYPE', '-r RANGE', '-s SEUSER', '|', '-e EQUAL', ')', 'FILE_SPEC',), ' --list': ('[-C]',), ' --extract': ('',), ' --deleteall': ('',)} + + usage_user = "semanage user [-h] [-n] [-N] [-S STORE] [" + usage_user_dict = {' --add': ('(', '-L LEVEL', '-R ROLES', '-r RANGE', '-s SEUSER', 'selinux_name'')'), ' --delete': ('selinux_name',), ' --modify': ('(', '-L LEVEL', '-R ROLES', '-r RANGE', '-s SEUSER', 'selinux_name', ')'), ' --list': ('-C',), ' --extract': ('',), ' --deleteall': ('',)} +@@ -99,8 +99,8 @@ class seParser(argparse.ArgumentParser): + def error(self, message): + if len(sys.argv) == 2: + self.print_help() +- sys.exit(2) +- self.print_usage() ++ else: ++ self.print_usage() + self.exit(2, ('%s: error: %s\n') % (self.prog, message)) + + +@@ 
-346,10 +346,7 @@ def handleFcontext(args): + # we can not use mutually for equal because we can define some actions together with equal + fcontext_equal_args = {'equal': [('list', 'locallist', 'type', 'ftype', 'seuser', 'deleteall', 'extract'), ()]} + +- if args.action is None: +- print("usage: " + "%s" % generate_custom_usage(usage_fcontext, usage_fcontext_dict)) +- sys.exit(2) +- elif args.action and args.equal: ++ if args.action and args.equal: + handle_opts(args, fcontext_equal_args, "equal") + else: + handle_opts(args, fcontext_args, args.action) +@@ -398,7 +395,7 @@ If you do not specify a file type, the file type will default to "all files". + parser_add_noreload(fcontextParser, "fcontext") + parser_add_store(fcontextParser, "fcontext") + +- fcontext_action = fcontextParser.add_mutually_exclusive_group(required=False) ++ fcontext_action = fcontextParser.add_mutually_exclusive_group(required=True) + parser_add_add(fcontext_action, "fcontext") + parser_add_delete(fcontext_action, "fcontext") + parser_add_modify(fcontext_action, "fcontext") +@@ -645,19 +642,9 @@ def setupNodeParser(subparsers): + + + def handleBoolean(args): +- boolean_args = {'list': [('state', 'boolean'), ('')], 'modify': [('localist'), ('')], 'extract': [('locallist', 'state', 'boolean'), ('')], 'deleteall': [('locallist'), ('')], 'state': [('locallist', 'list', 'extract', 'deleteall'), ('modify')]} +- if args.action is None: +- print("Usage: " + "%s" % generate_custom_usage(usage_boolean, usage_boolean_dict)) +- sys.exit(2) +- # TODO: should be added to handle_opts logic +- elif args.action is "modify" and not args.boolean: +- print("boolean name required ") +- sys.exit(1) +- elif args.action is "modify" and args.boolean and not args.state: +- print("state option is needed") +- sys.exit(1) +- else: +- handle_opts(args, boolean_args, args.action) ++ boolean_args = {'list': [('state', 'boolean'), ('')], 'modify': [('localist'), ('boolean', 'state')], 'extract': [('locallist', 'state', 
'boolean'), ('')], 'deleteall': [('locallist'), ('')], 'state': [('locallist', 'list', 'extract', 'deleteall'), ('modify')]} ++ ++ handle_opts(args, boolean_args, args.action) + + OBJECT = object_dict['boolean']() + OBJECT.set_reload(args.noreload) +@@ -683,7 +670,7 @@ def setupBooleanParser(subparsers): + parser_add_store(booleanParser, "boolean") + booleanParser.add_argument('boolean', nargs="?", default=None, help=_('boolean')) + +- boolean_action = booleanParser.add_mutually_exclusive_group(required=False) ++ boolean_action = booleanParser.add_mutually_exclusive_group(required=True) + #add_add(boolean_action) + parser_add_modify(boolean_action, "boolean") + parser_add_list(boolean_action, "boolean") diff --git policycoreutils-2.6/semanage/semanage.8 policycoreutils-2.6/semanage/semanage.8 index ac39862..75b782f 100644 --- policycoreutils-2.6/semanage/semanage.8 @@ -151,19 +343,56 @@ index ac39862..75b782f 100644 while the semanage user command deals with the mapping from SELinux user identities to authorized role sets. In most cases, only the 
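Review bot: In the rewritten `boolean_args` line, `('localist')` under `'modify'` is a plain string, not a one-element tuple, and it is spelled differently from the `'locallist'` used by every other entry in the same dict. `handle_opts` is not visible here, but if it iterates each entry as a sequence of option names, the modify/locallist conflict is never matched by name. Suggest `'modify': [('locallist',), ('boolean', 'state')]`, with the same trailing comma for `('locallist')` under `'deleteall'`. This matters more after this change, because the explicit `args.boolean` / `args.state` checks were removed and argument validation for `semanage boolean` now rests entirely on this table.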
diff --git policycoreutils-2.6/semanage/seobject.py policycoreutils-2.6/semanage/seobject.py -index bb049c0..c836cc5 100644 +index bb049c0..a977d68 100644 --- policycoreutils-2.6/semanage/seobject.py +++ policycoreutils-2.6/semanage/seobject.py -@@ -386,7 +386,7 @@ class moduleRecords(semanageRecords): +@@ -84,7 +84,7 @@ file_type_str_to_option = {"all files": "a", + "directory": "d", + "character device": "c", + "block device": "b", +- "socket file": "s", ++ "socket": "s", + "symbolic link": "l", + "named pipe": "p"} + +@@ -385,8 +385,10 @@ class moduleRecords(semanageRecords): + print("%-25s %-9s %-5s %s" % (t[0], t[2], t[3], disabled)) def add(self, file, priority): ++ if not file: ++ raise ValueError(_("You did not define module.")) if not os.path.exists(file): - raise ValueError(_("Module does not exists %s ") % file) + raise ValueError(_("Module does not exist: %s ") % file) rc = semanage_set_default_priority(self.sh, priority) if rc < 0: -@@ -492,7 +492,7 @@ class permissiveRecords(semanageRecords): +@@ -397,6 +399,8 @@ class moduleRecords(semanageRecords): + self.commit() + + def set_enabled(self, module, enable): ++ if not module: ++ raise ValueError(_("You did not define module name.")) + for m in module.split(): + rc, key = semanage_module_key_create(self.sh) + if rc < 0: +@@ -415,11 +419,15 @@ class moduleRecords(semanageRecords): + self.commit() + + def modify(self, file): ++ if not file: ++ raise ValueError(_("You did not define module.")) + rc = semanage_module_update_file(self.sh, file) + if rc >= 0: + self.commit() + + def delete(self, module, priority): ++ if not module: ++ raise ValueError(_("You did not define module name.")) + rc = semanage_set_default_priority(self.sh, priority) + if rc < 0: + raise ValueError(_("Invalid priority %d (needs to be between 1 and 999)") % priority) +@@ -492,7 +500,7 @@ class permissiveRecords(semanageRecords): try: import sepolgen.module as module except ImportError: 
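Review bot: `moduleRecords.modify` gains only the empty-argument check, so a path that does not exist still reaches `semanage_module_update_file`, and the following `if rc >= 0: self.commit()` drops a negative return without raising. `add` in the same hunk rejects a missing file; mirroring it here with `if not os.path.exists(file): raise ValueError(_("Module does not exist: %s ") % file)` gives the caller an error instead of a silent no-op. Raising a `ValueError` when `rc < 0`, as `delete` does for the priority call, would cover the remaining failure case.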
@@ -172,7 +401,7 @@ index bb049c0..c836cc5 100644 name = "permissive_%s" % type modtxt = "(typepermissive %s)" % type -@@ -1823,7 +1823,7 @@ class fcontextRecords(semanageRecords): +@@ -1823,7 +1831,7 @@ class fcontextRecords(semanageRecords): def modify_equal(self, target, substitute): self.begin() if target not in self.equiv.keys(): @@ -181,7 +410,7 @@ index bb049c0..c836cc5 100644 self.equiv[target] = substitute self.equal_ind = True -@@ -1953,10 +1953,12 @@ class fcontextRecords(semanageRecords): +@@ -1953,10 +1961,12 @@ class fcontextRecords(semanageRecords): if not exists: raise ValueError(_("File context for %s is not defined") % target) 
@@ -1747,3 +1976,282 @@ index 4b9534d..f267993 100644 """ if_initscript_admin_types=""" +diff --git policycoreutils-2.6/setfiles/.gitignore policycoreutils-2.6/setfiles/.gitignore +index 583eb6c..5e899c9 100644 +--- policycoreutils-2.6/setfiles/.gitignore ++++ policycoreutils-2.6/setfiles/.gitignore +@@ -1,2 +1 @@ +-restorecon.8.man + setfiles.8.man +diff --git policycoreutils-2.6/setfiles/Makefile policycoreutils-2.6/setfiles/Makefile +index 43364f9..92300c9 100644 +--- policycoreutils-2.6/setfiles/Makefile ++++ policycoreutils-2.6/setfiles/Makefile +@@ -5,7 +5,6 @@ MANDIR = $(PREFIX)/share/man + LIBDIR ?= $(PREFIX)/lib + AUDITH = $(shell ls /usr/include/libaudit.h 2>/dev/null) + +-PROGRESS_STEP=$(shell grep "^\#define STAR_COUNT" restore.h | awk -S '{ print $$3 }') + ABORT_ON_ERRORS=$(shell grep "^\#define ABORT_ON_ERRORS" setfiles.c | awk -S '{ print $$3 }') + + CFLAGS ?= -g -Werror -Wall -W +@@ -28,8 +27,6 @@ restorecon_xattr: restorecon_xattr.o restore.o + + man: + @cp -af setfiles.8 setfiles.8.man +- @cp -af restorecon.8 restorecon.8.man +- @sed -i "s/STAR_COUNT/$(PROGRESS_STEP)/g" setfiles.8.man restorecon.8.man + @sed -i "s/ABORT_ON_ERRORS/$(ABORT_ON_ERRORS)/g" setfiles.8.man + + install: all +@@ -39,11 +36,11 @@ install: all + (cd $(SBINDIR) && ln -sf setfiles restorecon) + install -m 755 restorecon_xattr $(SBINDIR) + install -m 644 setfiles.8.man $(MANDIR)/man8/setfiles.8 +- install -m 644 restorecon.8.man $(MANDIR)/man8/restorecon.8 ++ install -m 644 restorecon.8 $(MANDIR)/man8/restorecon.8 + install -m 644 restorecon_xattr.8 $(MANDIR)/man8/restorecon_xattr.8 + + clean: +- rm -f setfiles restorecon restorecon_xattr *.o setfiles.8.man restorecon.8.man ++ rm -f setfiles restorecon restorecon_xattr *.o setfiles.8.man + + indent: + ../../scripts/Lindent $(wildcard *.[ch]) +diff --git policycoreutils-2.6/setfiles/restore.c policycoreutils-2.6/setfiles/restore.c +index cf04e96..50d192a 100644 +--- policycoreutils-2.6/setfiles/restore.c ++++ 
policycoreutils-2.6/setfiles/restore.c +@@ -35,7 +35,8 @@ void restore_init(struct restore_opts *opts) + r_opts->recurse | r_opts->userealpath | + r_opts->xdev | r_opts->abort_on_error | + r_opts->syslog_changes | r_opts->log_matches | +- r_opts->ignore_noent | r_opts->ignore_mounts; ++ r_opts->ignore_noent | r_opts->ignore_mounts | ++ r_opts->mass_relabel; + + /* Use setfiles, restorecon and restorecond own handles */ + selinux_restorecon_set_sehandle(r_opts->hnd); +diff --git policycoreutils-2.6/setfiles/restore.h policycoreutils-2.6/setfiles/restore.h +index 97fbdf4..b64042a 100644 +--- policycoreutils-2.6/setfiles/restore.h ++++ policycoreutils-2.6/setfiles/restore.h +@@ -17,18 +17,12 @@ + #include + #include + +-/* +- * STAR_COUNT is also defined in libselinux/src/selinux_restorecon.c where it +- * is used to output "*" for each number of files processed. Defined here for +- * inclusion in man pages. +-*/ +-#define STAR_COUNT 1000 +- + /* Things that need to be init'd */ + struct restore_opts { + unsigned int nochange; + unsigned int verbose; + unsigned int progress; ++ unsigned int mass_relabel; + unsigned int set_specctx; + unsigned int add_assoc; + unsigned int ignore_digest; +@@ -49,7 +43,6 @@ struct restore_opts { + const char *selabel_opt_path; + const char *selabel_opt_digest; + int debug; +- FILE *outfile; + }; + + void restore_init(struct restore_opts *opts); +diff --git policycoreutils-2.6/setfiles/restorecon.8 policycoreutils-2.6/setfiles/restorecon.8 +index fdb468b..3b28482 100644 +--- policycoreutils-2.6/setfiles/restorecon.8 ++++ policycoreutils-2.6/setfiles/restorecon.8 +@@ -109,10 +109,10 @@ don't change any file labels (passive check). To display the files whose labels + .BR \-v . + .TP + .BI \-o \ outfilename +-Deprecated, SELinux policy will probably block this access. Use shell redirection to save list of files with incorrect context in filename. ++Deprecated - This option is no longer supported. 
+ .TP + .B \-p +-show progress by printing * every STAR_COUNT files unless relabeling the entire ++show progress by printing the number of files in 1k blocks unless relabeling the entire + OS, that will then show the approximate percentage complete. Note that the + .B \-p + and +diff --git policycoreutils-2.6/setfiles/restorecon_xattr.c policycoreutils-2.6/setfiles/restorecon_xattr.c +index 1c39efe..91c087f 100644 +--- policycoreutils-2.6/setfiles/restorecon_xattr.c ++++ policycoreutils-2.6/setfiles/restorecon_xattr.c +@@ -14,7 +14,7 @@ + + #include "restore.h" + +-static void usage(const char *progname) ++static __attribute__((__noreturn__)) void usage(const char *progname) + { + fprintf(stderr, + "\nusage: %s [-vnrmdD] [-e directory] [-f specfile] pathname\n" +diff --git policycoreutils-2.6/setfiles/setfiles.8 policycoreutils-2.6/setfiles/setfiles.8 +index 6901e13..9501845 100644 +--- policycoreutils-2.6/setfiles/setfiles.8 ++++ policycoreutils-2.6/setfiles/setfiles.8 +@@ -106,11 +106,11 @@ seclabel fs mounted on a directory below this. + .B \-n + don't change any file labels (passive check). + .TP +-.BI \-o \ filename +-Deprecated, SELinux policy will probably block this access. Use shell redirection to save list of files with incorrect context in filename. ++.BI \-o \ outfilename ++Deprecated - This option is no longer supported. + .TP + .B \-p +-show progress by printing * every STAR_COUNT files unless relabeling the entire ++show progress by printing the number of files in 1k blocks unless relabeling the entire + OS, that will then show the approximate percentage complete. 
Note that the + .B \-p + and +diff --git policycoreutils-2.6/setfiles/setfiles.c policycoreutils-2.6/setfiles/setfiles.c +index 1a2d711..bc83c27 100644 +--- policycoreutils-2.6/setfiles/setfiles.c ++++ policycoreutils-2.6/setfiles/setfiles.c +@@ -39,7 +39,7 @@ static int iamrestorecon; + static int ctx_validate; /* Validate contexts */ + static const char *altpath; /* Alternate path to file_contexts */ + +-void usage(const char *const name) ++static __attribute__((__noreturn__)) void usage(const char *const name) + { + if (iamrestorecon) { + fprintf(stderr, +@@ -138,6 +138,26 @@ static void maybe_audit_mass_relabel(int mass_relabel, int mass_relabel_errs) + #endif + } + ++static int __attribute__ ((format(printf, 2, 3))) ++log_callback(int type, const char *fmt, ...) ++{ ++ int rc; ++ FILE *out; ++ va_list ap; ++ ++ if (type == SELINUX_INFO) { ++ out = stdout; ++ } else { ++ out = stderr; ++ fflush(stdout); ++ fprintf(out, "%s: ", r_opts.progname); ++ } ++ va_start(ap, fmt); ++ rc = vfprintf(out, fmt, ap); ++ va_end(ap); ++ return rc; ++} ++ + int main(int argc, char **argv) + { + struct stat sb; +@@ -147,10 +167,11 @@ int main(int argc, char **argv) + char *buf = NULL; + size_t buf_len; + const char *base; +- int mass_relabel = 0, errors = 0; ++ int errors = 0; + const char *ropts = "e:f:hiIDlmno:pqrsvFRW0"; + const char *sopts = "c:de:f:hiIDlmno:pqr:svFR:W0"; + const char *opts; ++ union selinux_callback cb; + + /* Initialize variables */ + memset(&r_opts, 0, sizeof(r_opts)); +@@ -304,19 +325,8 @@ int main(int argc, char **argv) + r_opts.nochange = SELINUX_RESTORECON_NOCHANGE; + break; + case 'o': /* Deprecated */ +- if (strcmp(optarg, "-") == 0) { +- r_opts.outfile = stdout; +- break; +- } +- +- r_opts.outfile = fopen(optarg, "w"); +- if (!r_opts.outfile) { +- fprintf(stderr, "Error opening %s: %s\n", +- optarg, strerror(errno)); +- +- usage(argv[0]); +- } +- __fsetlocking(r_opts.outfile, FSETLOCKING_BYCALLER); ++ fprintf(stderr, "%s: -o option no longer 
supported\n", ++ r_opts.progname); + break; + case 'q': + /* Deprecated - Was only used to say whether print +@@ -380,9 +390,12 @@ int main(int argc, char **argv) + + for (i = optind; i < argc; i++) { + if (!strcmp(argv[i], "/")) +- mass_relabel = 1; ++ r_opts.mass_relabel = SELINUX_RESTORECON_MASS_RELABEL; + } + ++ cb.func_log = log_callback; ++ selinux_set_callback(SELINUX_CB_LOG, cb); ++ + if (!iamrestorecon) { + if (policyfile) { + if (optind != (argc - 1)) +@@ -401,8 +414,8 @@ int main(int argc, char **argv) + * we can support either checking against the active policy or + * checking against a binary policy file. + */ +- selinux_set_callback(SELINUX_CB_VALIDATE, +- (union selinux_callback)&canoncon); ++ cb.func_validate = canoncon; ++ selinux_set_callback(SELINUX_CB_VALIDATE, cb); + + if (stat(argv[optind], &sb) < 0) { + perror(argv[optind]); +@@ -449,7 +462,7 @@ int main(int argc, char **argv) + while ((len = getdelim(&buf, &buf_len, delim, f)) > 0) { + buf[len - 1] = 0; + if (!strcmp(buf, "/")) +- mass_relabel = 1; ++ r_opts.mass_relabel = SELINUX_RESTORECON_MASS_RELABEL; + errors |= process_glob(buf, &r_opts) < 0; + } + if (strcmp(input_filename, "-") != 0) +@@ -459,7 +472,7 @@ int main(int argc, char **argv) + errors |= process_glob(argv[i], &r_opts) < 0; + } + +- maybe_audit_mass_relabel(mass_relabel, errors); ++ maybe_audit_mass_relabel(r_opts.mass_relabel, errors); + + if (warn_no_match) + selabel_stats(r_opts.hnd); +@@ -467,8 +480,8 @@ int main(int argc, char **argv) + selabel_close(r_opts.hnd); + restore_finish(); + +- if (r_opts.outfile) +- fclose(r_opts.outfile); ++ if (r_opts.progress) ++ fprintf(stdout, "\n"); + + exit(errors ? 
-1 : 0); + } +diff --git policycoreutils-2.6/setsebool/setsebool.c policycoreutils-2.6/setsebool/setsebool.c +index b101f08..53d3566 100644 +--- policycoreutils-2.6/setsebool/setsebool.c ++++ policycoreutils-2.6/setsebool/setsebool.c +@@ -23,7 +23,7 @@ int verbose = 0; + + int setbool(char **list, size_t start, size_t end); + +-void usage(void) ++static __attribute__((__noreturn__)) void usage(void) + { + fputs + ("\nUsage: setsebool [ -NPV ] boolean value | bool1=val1 bool2=val2...\n\n", diff --git a/policycoreutils.spec b/policycoreutils.spec index 5fed359..542ef68 100644 --- a/policycoreutils.spec +++ b/policycoreutils.spec @@ -1,7 +1,7 @@ %global libauditver 2.1.3-4 %global libsepolver 2.6-0 %global libsemanagever 2.6-0 -%global libselinuxver 2.6-0 +%global libselinuxver 2.6-5 %global sepolgenver 2.6 %global generatorsdir %{_prefix}/lib/systemd/system-generators @@ -9,7 +9,7 @@ Summary: SELinux policy core utilities Name: policycoreutils Version: 2.6 -Release: 4%{?dist} +Release: 5%{?dist} License: GPLv2 Group: System Environment/Base # https://github.com/SELinuxProject/selinux/wiki/Releases @@ -27,7 +27,7 @@ Source9: selinux-autorelabel-generator.sh # download https://raw.githubusercontent.com/fedora-selinux/scripts/master/selinux/make-fedora-selinux-patch.sh # run: # $ VERSION=2.6 ./make-fedora-selinux-patch.sh policycoreutils -# FIXME: HEAD https://github.com/fedora-selinux/selinux/commit/223fc83c6e68cead9b3d8d4e5ca7e95a580952e7 +# HEAD https://github.com/fedora-selinux/selinux/commit/8a1941594a7221ec948b82b26636ad5a0d2dc724 Patch: policycoreutils-fedora.patch # $ VERSION=2.6 ./make-fedora-selinux-patch.sh sepolgen # Patch1: sepolgen-fedora.patch 
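Review bot: The `-f` input loop in setfiles.c sets `r_opts.mass_relabel` in the same iteration that calls `process_glob()`, whereas restore.c folds `r_opts->mass_relabel` into the flag word once, inside `restore_init()`. The call site of `restore_init()` is outside the hunk, but if it runs before that loop, a `/` read from the input file only changes what `maybe_audit_mass_relabel()` sees. The flags handed to libselinux would then lack it, unlike the case where `/` is given on the command line. Either scan the input for `/` before `restore_init()`, or also OR the flag into the computed word in that branch, e.g. `r_opts.restorecon_flags |= SELINUX_RESTORECON_MASS_RELABEL;` (field name to be confirmed against restore.h, which is only partly shown). `main()` starts and ends outside the visible nested hunks.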
@@ -445,6 +445,20 @@ The policycoreutils-restorecond package contains the restorecond service. %systemd_postun_with_restart restorecond.service %changelog +* Thu Apr 06 2017 Petr Lautrbach - 2.6-5 +- semanage: Unify argument handling (#1398987) +- setfiles: set up a logging callback for libselinux +- setfiles: Fix setfiles progress indicator +- setfiles: stdout messages don't need program prefix +- setfiles: don't scramble stdout and stderr together (#1435894) +- restorecond: Decrease loglevel of termination message (#1264505) +- fixfiles should handle path arguments more robustly +- fixfiles: handle unexpected spaces in command +- fixfiles: remove useless use of cat (#1435894) +- semanage: Add checks if a module name is passed in (#1420707) +- semanage: fix export of fcontext socket entries (#1435127) +- selinux-autorelabel: remove incorrect redirection to /dev/null (#1415674) + * Fri Mar 17 2017 Petr Lautrbach - 2.6-4 - Fix selinux-polgengui (#1432337) - sepolicy - fix obtaining domain name in HTMLManPages