From c12014f9e3e1887accfb7b40c4866e336ae6f7be Mon Sep 17 00:00:00 2001 From: Petr Lautrbach Date: Tue, 28 Feb 2017 21:57:37 +0100 Subject: [PATCH] policycoreutils-2.6-3 - Fix several issues in gui and 'sepolicy manpage' (#1416372) --- policycoreutils-fedora.patch | 154 ++++++++++++++++++++++++++++------- policycoreutils.spec | 5 +- 2 files changed, 129 insertions(+), 30 deletions(-) diff --git a/policycoreutils-fedora.patch b/policycoreutils-fedora.patch index 5ad27ec..4e04fc4 100644 --- a/policycoreutils-fedora.patch +++ b/policycoreutils-fedora.patch @@ -393,10 +393,18 @@ index 3e502a7..5bf9b52 100755 + print("Out") sys.exit(0) diff --git policycoreutils-2.6/sepolicy/sepolicy/__init__.py policycoreutils-2.6/sepolicy/sepolicy/__init__.py -index 8fbd5b4..43144c1 100644 +index 8fbd5b4..254fc67 100644 --- policycoreutils-2.6/sepolicy/sepolicy/__init__.py +++ policycoreutils-2.6/sepolicy/sepolicy/__init__.py -@@ -383,7 +383,12 @@ def get_conditionals(src, dest, tclass, perm): +@@ -171,6 +171,7 @@ def info(setype, name=None): + 'aliases': map(str, x.aliases()), + 'name': str(x), + 'permissive': bool(x.ispermissive), ++ 'attributes': map(str, x.attributes()) + } for x in q.results()) + + elif setype == ROLE: +@@ -383,7 +384,12 @@ def get_conditionals(src, dest, tclass, perm): def get_conditionals_format_text(cond): @@ -410,7 +418,7 @@ index 8fbd5b4..43144c1 100644 return _("-- Allowed %s [ %s ]") % (enabled, " || ".join(set(map(lambda x: "%s=%d" % (x['boolean'][0][0], x['boolean'][0][1]), cond)))) -@@ -465,7 +470,7 @@ def find_file(reg): +@@ -465,7 +471,7 @@ def find_file(reg): try: pat = re.compile(r"%s$" % reg) @@ -419,7 +427,7 @@ index 8fbd5b4..43144c1 100644 except: return [] -@@ -589,7 +594,7 @@ def get_fcdict(fc_path=selinux.selinux_file_context_path()): +@@ -589,7 +595,7 @@ def get_fcdict(fc_path=selinux.selinux_file_context_path()): def get_transitions_into(setype): try: 
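Review bot: The new `'attributes': map(str, x.attributes())` entry added to the TYPE record in info() is a one-shot iterator on Python 3 (the spec changelog shows the package is built with %{__python3}), so any consumer that iterates or tests membership on it more than once sees an empty sequence the second time. Materialising it, `'attributes': [str(a) for a in x.attributes()]`, keeps the value re-usable at no extra cost for the single-pass case. The existing `'aliases'` entry has the same shape, but `attributes` is the field this patch starts reading from manpage.py, and info() continues outside the hunk, so whether a current caller re-iterates it cannot be confirmed here.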
@@ -428,7 +436,7 @@ index 8fbd5b4..43144c1 100644 except (TypeError, AttributeError): pass return None -@@ -605,7 +610,7 @@ def get_transitions(setype): +@@ -605,7 +611,7 @@ def get_transitions(setype): def get_file_transitions(setype): try: @@ -437,7 +445,7 @@ index 8fbd5b4..43144c1 100644 except (TypeError, AttributeError): pass return None -@@ -663,6 +668,23 @@ def get_init_entrypoint(transtype): +@@ -663,6 +669,23 @@ def get_init_entrypoint(transtype): return entrypoints @@ -461,7 +469,7 @@ index 8fbd5b4..43144c1 100644 def get_init_entrypoint_target(entrypoint): try: -@@ -695,7 +717,7 @@ def get_methods(): +@@ -695,7 +718,7 @@ def get_methods(): # List of per_role_template interfaces ifs = interfaces.InterfaceSet() ifs.from_file(fd) @@ -470,7 +478,16 @@ index 8fbd5b4..43144c1 100644 fd.close() except: sys.stderr.write("could not open interface info [%s]\n" % fn) -@@ -752,7 +774,10 @@ def get_all_entrypoint_domains(): +@@ -725,7 +748,7 @@ def get_all_role_allows(): + return role_allows + role_allows = {} + +- q = setools.RBACRuleQuery(_pol, ruletype='allow') ++ q = setools.RBACRuleQuery(_pol, ruletype=[ALLOW]) + for r in q.results(): + src = str(r.source) + tgt = str(r.target) +@@ -752,7 +775,10 @@ def get_all_entrypoint_domains(): def gen_interfaces(): @@ -482,7 +499,7 @@ index 8fbd5b4..43144c1 100644 ifile = defaults.interface_info() headers = defaults.headers() try: -@@ -763,7 +788,7 @@ def gen_interfaces(): +@@ -763,7 +789,7 @@ def gen_interfaces(): if os.getuid() != 0: raise ValueError(_("You must regenerate interface info by running /usr/bin/sepolgen-ifgen")) @@ -491,7 +508,7 @@ index 8fbd5b4..43144c1 100644 def gen_port_dict(): -@@ -1082,24 +1107,14 @@ def boolean_desc(boolean): +@@ -1082,24 +1108,14 @@ def boolean_desc(boolean): def get_os_version(): @@ -1031,7 +1048,7 @@ index c2cb971..8956f39 100644 sys.stderr.write(output) sys.stderr.write(_("\nCompile test for %s failed.\n") % interface) 
diff --git policycoreutils-2.6/sepolicy/sepolicy/manpage.py policycoreutils-2.6/sepolicy/sepolicy/manpage.py -index 7365f93..9d54ab0 100755 +index 7365f93..5103272 100755 --- policycoreutils-2.6/sepolicy/sepolicy/manpage.py +++ policycoreutils-2.6/sepolicy/sepolicy/manpage.py @@ -27,11 +27,17 @@ __all__ = ['ManPage', 'HTMLManPages', 'manpage_domains', 'manpage_roles', 'gen_d @@ -1054,7 +1071,55 @@ index 7365f93..9d54ab0 100755 equiv_dirs = ["/var"] modules_dict = None -@@ -144,10 +150,6 @@ def prettyprint(f, trim): +@@ -88,11 +94,10 @@ def get_all_users_info(): + + all_entrypoints = None + +- + def get_entrypoints(): + global all_entrypoints + if not all_entrypoints: +- all_entrypoints = sepolicy.info(sepolicy.ATTRIBUTE, "entry_type")[0]["types"] ++ all_entrypoints = next(sepolicy.info(sepolicy.ATTRIBUTE, "entry_type"))["types"] + return all_entrypoints + + domains = None +@@ -120,8 +125,33 @@ def gen_domains(): + domains.sort() + return domains + +-types = None + ++exec_types = None ++ ++def _gen_exec_types(): ++ global exec_types ++ if exec_types is None: ++ exec_types = next(sepolicy.info(sepolicy.ATTRIBUTE, "exec_type"))["types"] ++ return exec_types ++ ++entry_types = None ++ ++def _gen_entry_types(): ++ global entry_types ++ if entry_types is None: ++ entry_types = next(sepolicy.info(sepolicy.ATTRIBUTE, "entry_type"))["types"] ++ return entry_types ++ ++mcs_constrained_types = None ++ ++def _gen_mcs_constrained_types(): ++ global mcs_constrained_types ++ if mcs_constrained_types is None: ++ mcs_constrained_types = next(sepolicy.info(sepolicy.ATTRIBUTE, "mcs_constrained_type")) ++ return mcs_constrained_types ++ ++ ++types = None + + def _gen_types(): + global types +@@ -144,10 +174,6 @@ def prettyprint(f, trim): manpage_domains = [] manpage_roles = [] 
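Review bot: The three new `_gen_*_types()` helpers and the rewritten get_entrypoints() call `next()` with no default on the iterator sepolicy.info() now returns, so a policy that does not define the queried attribute (`mcs_constrained_type` may not be present in every policy) raises StopIteration out of the helper; the old `[0]` indexing raised IndexError in the same situation, so this is not a regression, but it still aborts the whole man page run. A default keeps generation going with an empty list, e.g. `exec_types = next(sepolicy.info(sepolicy.ATTRIBUTE, "exec_type"), {"types": []})["types"]`, applied to all four call sites. `_gen_mcs_constrained_types()` also caches the whole info record where its two siblings cache `["types"]`, which is why the caller in the `@@ -1283,13 +1368,24 @@` hunk has to index `['types']` itself; returning the list here would make the three helpers uniform and let that caller test `self.type not in self.mcs_constrained_types`. The same unguarded `next()` appears in the `@@ -1179,7 +1244,26 @@` and `@@ -1187,10 +1271,11 @@` hunks.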
@@ -1065,7 +1130,7 @@ index 7365f93..9d54ab0 100755 def get_alphabet_manpages(manpage_list): alphabet_manpages = dict.fromkeys(string.ascii_letters, []) for i in string.ascii_letters: -@@ -162,7 +164,11 @@ def get_alphabet_manpages(manpage_list): +@@ -162,7 +188,11 @@ def get_alphabet_manpages(manpage_list): def convert_manpage_to_html(html_manpage, manpage): @@ -1078,7 +1143,7 @@ index 7365f93..9d54ab0 100755 if rc == 0: print(html_manpage, "has been created") fd = open(html_manpage, 'w') -@@ -173,7 +179,7 @@ def convert_manpage_to_html(html_manpage, manpage): +@@ -173,7 +203,7 @@ def convert_manpage_to_html(html_manpage, manpage): class HTMLManPages: """ @@ -1087,7 +1152,7 @@ index 7365f93..9d54ab0 100755 """ def __init__(self, manpage_roles, manpage_domains, path, os_version): -@@ -181,9 +187,9 @@ class HTMLManPages: +@@ -181,9 +211,9 @@ class HTMLManPages: self.manpage_domains = get_alphabet_manpages(manpage_domains) self.os_version = os_version self.old_path = path + "/" @@ -1099,7 +1164,7 @@ index 7365f93..9d54ab0 100755 self.__gen_html_manpages() else: print("SELinux HTML man pages can not be generated for this %s" % os_version) -@@ -192,7 +198,6 @@ class HTMLManPages: +@@ -192,7 +222,6 @@ class HTMLManPages: def __gen_html_manpages(self): self._write_html_manpage() self._gen_index() @@ -1107,7 +1172,7 @@ index 7365f93..9d54ab0 100755 self._gen_css() def _write_html_manpage(self): -@@ -210,67 +215,21 @@ class HTMLManPages: +@@ -210,67 +239,21 @@ class HTMLManPages: convert_manpage_to_html((self.new_path + r.split("_selinux")[0] + ".html"), self.old_path + r) def _gen_index(self): 
@@ -1179,7 +1244,26 @@ index 7365f93..9d54ab0 100755 for letter in self.manpage_roles: if len(self.manpage_roles[letter]): fd.write(""" -@@ -501,6 +460,7 @@ class ManPage: +@@ -414,6 +397,9 @@ class ManPage: + self.all_file_types = sepolicy.get_all_file_types() + self.role_allows = sepolicy.get_all_role_allows() + self.types = _gen_types() ++ self.exec_types = _gen_exec_types() ++ self.entry_types = _gen_entry_types() ++ self.mcs_constrained_types = _gen_mcs_constrained_types() + + if self.source_files: + self.fcpath = self.root + "file_contexts" +@@ -485,7 +471,7 @@ class ManPage: + self.desc = "%s user role" % self.domainname + + if self.domainname in self.all_users: +- self.attributes = sepolicy.info(sepolicy.TYPE, (self.type))[0]["attributes"] ++ self.attributes = next(sepolicy.info(sepolicy.TYPE, (self.type)))["attributes"] + self._user_header() + self._user_attribute() + self._can_sudo() +@@ -501,6 +487,7 @@ class ManPage: self._booleans() self._port_types() @@ -1187,10 +1271,11 @@ index 7365f93..9d54ab0 100755 self._writes() self._footer() -@@ -519,11 +479,22 @@ class ManPage: +@@ -519,11 +506,22 @@ class ManPage: self._get_ptypes() for domain_type in self.ptypes: +- self.attributes[domain_type] = sepolicy.info(sepolicy.TYPE, ("%s") % domain_type)[0]["attributes"] + try: + if typealias_types[domain_type]: + fd = self.fd @@ -1201,7 +1286,7 @@ index 7365f93..9d54ab0 100755 + self.man_page_path = man_page_path + except KeyError: + continue; - self.attributes[domain_type] = sepolicy.info(sepolicy.TYPE, ("%s") % domain_type)[0]["attributes"] ++ self.attributes[domain_type] = next(sepolicy.info(sepolicy.TYPE, ("%s") % domain_type))["attributes"] self._header() self._entrypoints() @@ -1210,7 +1295,7 @@ index 7365f93..9d54ab0 100755 self._booleans() self._nsswitch_domain() self._port_types() -@@ -537,6 +508,34 @@ class ManPage: +@@ -537,6 +535,34 @@ class ManPage: if f.startswith(self.short_name) or f.startswith(self.domainname): self.ptypes.append(f) 
@@ -1245,7 +1330,7 @@ index 7365f93..9d54ab0 100755 def _header(self): self.fd.write('.TH "%(domainname)s_selinux" "8" "%(date)s" "%(domainname)s" "SELinux Policy %(domainname)s"' % {'domainname': self.domainname, 'date': time.strftime("%y-%m-%d")}) -@@ -686,10 +685,13 @@ Default Defined Ports:""") +@@ -686,10 +712,13 @@ Default Defined Ports:""") def _file_context(self): flist = [] @@ -1254,12 +1339,12 @@ index 7365f93..9d54ab0 100755 for f in self.all_file_types: if f.startswith(self.domainname): flist.append(f) -+ if not file_type_is_executable(f) or not file_type_is_entrypoint(f): ++ if not f in self.exec_types or not f in self.entry_types: + flist_non_exec.append(f) if f in self.fcdict: mpaths = mpaths + self.fcdict[f]["regex"] if len(mpaths) == 0: -@@ -741,19 +743,20 @@ SELinux %(domainname)s policy is very flexible allowing users to setup their %(d +@@ -741,19 +770,20 @@ SELinux %(domainname)s policy is very flexible allowing users to setup their %(d .PP """ % {'domainname': self.domainname, 'equiv': e, 'alt': e.split('/')[-1]}) 
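Review bot: Style: the new condition in _file_context() is written `if not f in self.exec_types or not f in self.entry_types:`; PEP 8 (E713) prefers the `not in` operator, `if f not in self.exec_types or f not in self.entry_types:`, which reads as the membership test it is. Both lookups are list scans executed once per file type inside the `for f in self.all_file_types` loop, so converting the two lists to sets once in ManPage.__init__ would make the loop linear, though whether that matters depends on policy size. The test also assumes the `types` value that sepolicy.info() returns for an attribute is a re-iterable sequence rather than a one-shot iterator like the new `attributes` entry; the ATTRIBUTE branch of info() is not in this patch, so that is worth confirming. _file_context() continues outside the hunk.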
@@ -1283,13 +1368,24 @@ index 7365f93..9d54ab0 100755 self.fd.write(r""" .I The following file types are defined for %(domainname)s: -@@ -920,6 +923,17 @@ All executeables with the default executable label, usually stored in /usr/bin a +@@ -889,9 +919,8 @@ selinux(8), %s(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) + return True + + def _entrypoints(self): +- try: +- entrypoints = map(lambda x: x['target'], sepolicy.search([sepolicy.ALLOW], {'source': self.type, 'permlist': ['entrypoint'], 'class': 'file'})) +- except: ++ entrypoints = [x['target'] for x in sepolicy.search([sepolicy.ALLOW], {'source': self.type, 'permlist': ['entrypoint'], 'class': 'file'})] ++ if len(entrypoints) == 0: + return + + self.fd.write(""" +@@ -920,6 +949,16 @@ All executeables with the default executable label, usually stored in /usr/bin a self.fd.write(""" %s""" % ", ".join(paths)) + def _mcs_types(self): -+ attributes = sepolicy.info(sepolicy.TYPE, (self.type))[0]["attributes"] -+ if "mcs_constrained_type" not in attributes: ++ if self.type not in self.mcs_constrained_types['types']: + return + self.fd.write (""" +.SH "MCS Constrained" @@ -1301,7 +1397,7 @@ index 7365f93..9d54ab0 100755 def _writes(self): permlist = sepolicy.search([sepolicy.ALLOW], {'source': self.type, 'permlist': ['open', 'write'], 'class': 'file'}) if permlist is None or len(permlist) == 0: -@@ -1156,7 +1170,7 @@ Three things can happen when %(type)s attempts to execute a program. +@@ -1156,7 +1195,7 @@ Three things can happen when %(type)s attempts to execute a program. Execute the following to see the types that the SELinux user %(type)s can execute without transitioning: 
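Review bot: The rewritten _entrypoints() iterates the return value of sepolicy.search() directly, yet the `_writes()` context at the end of this hunk guards the same call with `if permlist is None or len(permlist) == 0:`, so search() evidently can return None; the removed bare `except:` used to swallow that case, and the new comprehension would raise TypeError instead. Falling back to an empty sequence preserves the early return: `entrypoints = [x['target'] for x in (sepolicy.search([sepolicy.ALLOW], {'source': self.type, 'permlist': ['entrypoint'], 'class': 'file'}) or [])]` and then `if not entrypoints:`. In _mcs_types(), the new test `self.type not in self.mcs_constrained_types['types']` switches from asking the type for its attributes to asking the attribute for its types, which is the same relation read from the other side; it also hard-codes that the cached value is a dict with a `types` key, so _gen_mcs_constrained_types() and this caller need to stay in step. _writes() continues outside the hunk.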
@@ -1310,7 +1406,7 @@ index 7365f93..9d54ab0 100755
 .TP
-@@ -1164,7 +1178,7 @@ Execute the following to see the types that the SELinux user %(type)s can execut
+@@ -1164,7 +1203,7 @@ Execute the following to see the types that the SELinux user %(type)s can execut
 Execute the following to see the types that the SELinux user %(type)s can execute and transition:
diff --git a/policycoreutils.spec b/policycoreutils.spec
index 4d32af6..8979066 100644
--- a/policycoreutils.spec
+++ b/policycoreutils.spec
@@ -9,7 +9,7 @@ Summary: SELinux policy core utilities
 Name: policycoreutils
 Version: 2.6
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: GPLv2
 Group: System Environment/Base
 # https://github.com/SELinuxProject/selinux/wiki/Releases
@@ -445,6 +445,9 @@ The policycoreutils-restorecond package contains the restorecond service.
 %systemd_postun_with_restart restorecond.service
 %changelog
+* Tue Feb 28 2017 Petr Lautrbach - 2.6-3
+- Fix several issues in gui and 'sepolicy manpage' (#1416372)
+
 * Thu Feb 23 2017 Petr Lautrbach - 2.6-2
 - Use %{__python3} instead of python3