Rebase on db0f2f382e31 at SELinuxProject

- Build with libsepol.so.1 and libsemanage.so.2
- Set X-GNOME-HiddenUnderSystemd=true in restorecond.desktop file
- fixfiles: correctly restore context of mountpoints
- sepolgen: print extended permissions in hexadecimal
This commit is contained in:
Petr Lautrbach 2020-10-30 15:15:59 +01:00
parent d151b2c053
commit c65daa990e
23 changed files with 516 additions and 60 deletions

View File

@ -0,0 +1,34 @@
From ccd973f721c48945fc706d8fef6b396580853a9f Mon Sep 17 00:00:00 2001
From: "W. Michael Petullo" <mike@flyn.org>
Date: Thu, 16 Jul 2020 15:29:20 -0500
Subject: [PATCH] python/audit2allow: add #include <limits.h> to
sepolgen-ifgen-attr-helper.c
I found that building on OpenWrt/musl failed with:
sepolgen-ifgen-attr-helper.c:152:16: error: 'PATH_MAX' undeclared ...
Musl is less "generous" than glibc in recursively including header
files, and I suspect this is the reason for this error. Explicitly
including limits.h fixes the problem.
Signed-off-by: W. Michael Petullo <mike@flyn.org>
---
python/audit2allow/sepolgen-ifgen-attr-helper.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/python/audit2allow/sepolgen-ifgen-attr-helper.c b/python/audit2allow/sepolgen-ifgen-attr-helper.c
index 53f20818722a..f010c9584c1f 100644
--- a/python/audit2allow/sepolgen-ifgen-attr-helper.c
+++ b/python/audit2allow/sepolgen-ifgen-attr-helper.c
@@ -28,6 +28,7 @@
#include <selinux/selinux.h>
+#include <limits.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>
--
2.29.0

View File

@ -0,0 +1,26 @@
From 9e2b8c61bfd275d0f007a736721c557755edf4a0 Mon Sep 17 00:00:00 2001
From: Laurent Bigonville <bigon@bigon.be>
Date: Thu, 16 Jul 2020 14:22:13 +0200
Subject: [PATCH] restorecond: Set X-GNOME-HiddenUnderSystemd=true in
restorecond.desktop file
This completely inactivate the .desktop file incase the user session is
managed by systemd as restorecond also provide a service file
Signed-off-by: Laurent Bigonville <bigon@bigon.be>
---
restorecond/restorecond.desktop | 1 +
1 file changed, 1 insertion(+)
diff --git a/restorecond/restorecond.desktop b/restorecond/restorecond.desktop
index af7286801c24..7df854727a3f 100644
--- a/restorecond/restorecond.desktop
+++ b/restorecond/restorecond.desktop
@@ -5,3 +5,4 @@ Comment=Fix file context in owned by the user
Type=Application
StartupNotify=false
X-GNOME-Autostart-enabled=false
+X-GNOME-HiddenUnderSystemd=true
--
2.29.0

View File

@ -0,0 +1,136 @@
From ba2d6c10635a021d2b1a5fc2123fde13b04295a5 Mon Sep 17 00:00:00 2001
From: bauen1 <j2468h@googlemail.com>
Date: Thu, 6 Aug 2020 16:48:36 +0200
Subject: [PATCH] fixfiles: correctly restore context of mountpoints
By bind mounting every filesystem we want to relabel we can access all
files without anything hidden due to active mounts.
This comes at the cost of user experience, because setfiles only
displays the percentage if no path is given or the path is /
Signed-off-by: Jonathan Hettwer <j2468h@gmail.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
---
policycoreutils/scripts/fixfiles | 29 +++++++++++++++++++++++++----
policycoreutils/scripts/fixfiles.8 | 8 ++++++--
2 files changed, 31 insertions(+), 6 deletions(-)
diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles
index 5d7770348349..30dadb4f4cb6 100755
--- a/policycoreutils/scripts/fixfiles
+++ b/policycoreutils/scripts/fixfiles
@@ -112,6 +112,7 @@ FORCEFLAG=""
RPMFILES=""
PREFC=""
RESTORE_MODE=""
+BIND_MOUNT_FILESYSTEMS=""
SETFILES=/sbin/setfiles
RESTORECON=/sbin/restorecon
FILESYSTEMSRW=`get_rw_labeled_mounts`
@@ -243,7 +244,23 @@ case "$RESTORE_MODE" in
if [ -n "${FILESYSTEMSRW}" ]; then
LogReadOnly
echo "${OPTION}ing `echo ${FILESYSTEMSRW}`"
- ${SETFILES} ${VERBOSE} ${EXCLUDEDIRS} ${FORCEFLAG} $* -q ${FC} ${FILESYSTEMSRW}
+
+ if [ -z "$BIND_MOUNT_FILESYSTEMS" ]; then
+ ${SETFILES} ${VERBOSE} ${EXCLUDEDIRS} ${FORCEFLAG} $* -q ${FC} ${FILESYSTEMSRW}
+ else
+ # we bind mount so we can fix the labels of files that have already been
+ # mounted over
+ for m in `echo $FILESYSTEMSRW`; do
+ TMP_MOUNT="$(mktemp -d)"
+ test -z ${TMP_MOUNT+x} && echo "Unable to find temporary directory!" && exit 1
+
+ mkdir -p "${TMP_MOUNT}${m}" || exit 1
+ mount --bind "${m}" "${TMP_MOUNT}${m}" || exit 1
+ ${SETFILES} ${VERBOSE} ${EXCLUDEDIRS} ${FORCEFLAG} $* -q ${FC} -r "${TMP_MOUNT}" "${TMP_MOUNT}${m}"
+ umount "${TMP_MOUNT}${m}" || exit 1
+ rm -rf "${TMP_MOUNT}" || echo "Error cleaning up."
+ done;
+ fi
else
echo >&2 "fixfiles: No suitable file systems found"
fi
@@ -313,6 +330,7 @@ case "$1" in
> /.autorelabel || exit $?
[ -z "$FORCEFLAG" ] || echo -n "$FORCEFLAG " >> /.autorelabel
[ -z "$BOOTTIME" ] || echo -N $BOOTTIME >> /.autorelabel
+ [ -z "$BIND_MOUNT_FILESYSTEMS" ] || echo "-M" >> /.autorelabel
# Force full relabel if SELinux is not enabled
selinuxenabled || echo -F > /.autorelabel
echo "System will relabel on next boot"
@@ -324,7 +342,7 @@ esac
}
usage() {
echo $"""
-Usage: $0 [-v] [-F] [-f] relabel
+Usage: $0 [-v] [-F] [-M] [-f] relabel
or
Usage: $0 [-v] [-F] [-B | -N time ] { check | restore | verify }
or
@@ -334,7 +352,7 @@ Usage: $0 [-v] [-F] -R rpmpackage[,rpmpackage...] { check | restore | verify }
or
Usage: $0 [-v] [-F] -C PREVIOUS_FILECONTEXT { check | restore | verify }
or
-Usage: $0 [-F] [-B] onboot
+Usage: $0 [-F] [-M] [-B] onboot
"""
}
@@ -353,7 +371,7 @@ set_restore_mode() {
}
# See how we were called.
-while getopts "N:BC:FfR:l:v" i; do
+while getopts "N:BC:FfR:l:vM" i; do
case "$i" in
B)
BOOTTIME=`/bin/who -b | awk '{print $3}'`
@@ -379,6 +397,9 @@ while getopts "N:BC:FfR:l:v" i; do
echo "Redirecting output to $OPTARG"
exec >>"$OPTARG" 2>&1
;;
+ M)
+ BIND_MOUNT_FILESYSTEMS="-M"
+ ;;
F)
FORCEFLAG="-F"
;;
diff --git a/policycoreutils/scripts/fixfiles.8 b/policycoreutils/scripts/fixfiles.8
index 9f447f03d444..123425308416 100644
--- a/policycoreutils/scripts/fixfiles.8
+++ b/policycoreutils/scripts/fixfiles.8
@@ -6,7 +6,7 @@ fixfiles \- fix file SELinux security contexts.
.na
.B fixfiles
-.I [\-v] [\-F] [\-f] relabel
+.I [\-v] [\-F] [-M] [\-f] relabel
.B fixfiles
.I [\-v] [\-F] { check | restore | verify } dir/file ...
@@ -21,7 +21,7 @@ fixfiles \- fix file SELinux security contexts.
.I [\-v] [\-F] \-C PREVIOUS_FILECONTEXT { check | restore | verify }
.B fixfiles
-.I [-F] [-B] onboot
+.I [-F] [-M] [-B] onboot
.ad
@@ -68,6 +68,10 @@ Run a diff on the PREVIOUS_FILECONTEXT file to the currently installed one, and
Only act on files created after the specified date. Date must be specified in
"YYYY\-MM\-DD HH:MM" format. Date field will be passed to find \-\-newermt command.
+.TP
+.B \-M
+Bind mount filesystems before relabeling them, this allows fixing the context of files or directories that have been mounted over.
+
.TP
.B -v
Modify verbosity from progress to verbose. (Run restorecon with \-v instead of \-p)
--
2.29.0

View File

@ -0,0 +1,112 @@
From 9e239e55692b578ba546b4dff2b07604a2ca6baa Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
Date: Wed, 19 Aug 2020 17:05:33 +0200
Subject: [PATCH] sepolgen: print extended permissions in hexadecimal
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
All tools like ausearch(8) or sesearch(1) and online documentation[1]
use hexadecimal values for extended permissions.
Hence use them, e.g. for audit2allow output, as well.
[1]: https://github.com/strace/strace/blob/master/linux/64/ioctls_inc.h
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
---
python/sepolgen/src/sepolgen/refpolicy.py | 5 ++---
python/sepolgen/tests/test_access.py | 10 +++++-----
python/sepolgen/tests/test_refpolicy.py | 12 ++++++------
3 files changed, 13 insertions(+), 14 deletions(-)
diff --git a/python/sepolgen/src/sepolgen/refpolicy.py b/python/sepolgen/src/sepolgen/refpolicy.py
index 43cecfc77385..747636875ef7 100644
--- a/python/sepolgen/src/sepolgen/refpolicy.py
+++ b/python/sepolgen/src/sepolgen/refpolicy.py
@@ -407,10 +407,9 @@ class XpermSet():
# print single value without braces
if len(self.ranges) == 1 and self.ranges[0][0] == self.ranges[0][1]:
- return compl + str(self.ranges[0][0])
+ return compl + hex(self.ranges[0][0])
- vals = map(lambda x: str(x[0]) if x[0] == x[1] else "%s-%s" % x,
- self.ranges)
+ vals = map(lambda x: hex(x[0]) if x[0] == x[1] else "%s-%s" % (hex(x[0]), hex(x[1]), ), self.ranges)
return "%s{ %s }" % (compl, " ".join(vals))
diff --git a/python/sepolgen/tests/test_access.py b/python/sepolgen/tests/test_access.py
index 73a5407df617..623588e09aeb 100644
--- a/python/sepolgen/tests/test_access.py
+++ b/python/sepolgen/tests/test_access.py
@@ -171,7 +171,7 @@ class TestAccessVector(unittest.TestCase):
a.merge(b)
self.assertEqual(sorted(list(a.perms)), ["append", "read", "write"])
self.assertEqual(list(a.xperms.keys()), ["ioctl"])
- self.assertEqual(a.xperms["ioctl"].to_string(), "{ 42 12345 }")
+ self.assertEqual(a.xperms["ioctl"].to_string(), "{ 0x2a 0x3039 }")
def text_merge_xperm2(self):
"""Test merging AV that does not contain xperms with AV that does"""
@@ -185,7 +185,7 @@ class TestAccessVector(unittest.TestCase):
a.merge(b)
self.assertEqual(sorted(list(a.perms)), ["append", "read", "write"])
self.assertEqual(list(a.xperms.keys()), ["ioctl"])
- self.assertEqual(a.xperms["ioctl"].to_string(), "{ 42 12345 }")
+ self.assertEqual(a.xperms["ioctl"].to_string(), "{ 0x2a 0x3039 }")
def test_merge_xperm_diff_op(self):
"""Test merging two AVs that contain xperms with different operation"""
@@ -203,8 +203,8 @@ class TestAccessVector(unittest.TestCase):
a.merge(b)
self.assertEqual(list(a.perms), ["read"])
self.assertEqual(sorted(list(a.xperms.keys())), ["asdf", "ioctl"])
- self.assertEqual(a.xperms["asdf"].to_string(), "23")
- self.assertEqual(a.xperms["ioctl"].to_string(), "{ 42 12345 }")
+ self.assertEqual(a.xperms["asdf"].to_string(), "0x17")
+ self.assertEqual(a.xperms["ioctl"].to_string(), "{ 0x2a 0x3039 }")
def test_merge_xperm_same_op(self):
"""Test merging two AVs that contain xperms with same operation"""
@@ -222,7 +222,7 @@ class TestAccessVector(unittest.TestCase):
a.merge(b)
self.assertEqual(list(a.perms), ["read"])
self.assertEqual(list(a.xperms.keys()), ["ioctl"])
- self.assertEqual(a.xperms["ioctl"].to_string(), "{ 23 42 12345 }")
+ self.assertEqual(a.xperms["ioctl"].to_string(), "{ 0x17 0x2a 0x3039 }")
class TestUtilFunctions(unittest.TestCase):
def test_is_idparam(self):
diff --git a/python/sepolgen/tests/test_refpolicy.py b/python/sepolgen/tests/test_refpolicy.py
index 4b50c8aada96..c7219fd568e9 100644
--- a/python/sepolgen/tests/test_refpolicy.py
+++ b/python/sepolgen/tests/test_refpolicy.py
@@ -90,17 +90,17 @@ class TestXpermSet(unittest.TestCase):
a.complement = True
self.assertEqual(a.to_string(), "")
a.add(1234)
- self.assertEqual(a.to_string(), "~ 1234")
+ self.assertEqual(a.to_string(), "~ 0x4d2")
a.complement = False
- self.assertEqual(a.to_string(), "1234")
+ self.assertEqual(a.to_string(), "0x4d2")
a.add(2345)
- self.assertEqual(a.to_string(), "{ 1234 2345 }")
+ self.assertEqual(a.to_string(), "{ 0x4d2 0x929 }")
a.complement = True
- self.assertEqual(a.to_string(), "~ { 1234 2345 }")
+ self.assertEqual(a.to_string(), "~ { 0x4d2 0x929 }")
a.add(42,64)
- self.assertEqual(a.to_string(), "~ { 42-64 1234 2345 }")
+ self.assertEqual(a.to_string(), "~ { 0x2a-0x40 0x4d2 0x929 }")
a.complement = False
- self.assertEqual(a.to_string(), "{ 42-64 1234 2345 }")
+ self.assertEqual(a.to_string(), "{ 0x2a-0x40 0x4d2 0x929 }")
class TestSecurityContext(unittest.TestCase):
def test_init(self):
--
2.29.0

View File

@ -0,0 +1,109 @@
From 2a60de8eca6bd91e276b60441a5dc72d85c6eda3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
Date: Wed, 19 Aug 2020 17:05:34 +0200
Subject: [PATCH] sepolgen: sort extended rules like normal ones
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Currently:
#============= sshd_t ==============
#!!!! This avc is allowed in the current policy
#!!!! This av rule may have been overridden by an extended permission av rule
allow sshd_t ptmx_t:chr_file ioctl;
#!!!! This avc is allowed in the current policy
#!!!! This av rule may have been overridden by an extended permission av rule
allow sshd_t sshd_devpts_t:chr_file ioctl;
#!!!! This avc is allowed in the current policy
#!!!! This av rule may have been overridden by an extended permission av rule
allow sshd_t user_devpts_t:chr_file ioctl;
#============= user_t ==============
#!!!! This avc is allowed in the current policy
#!!!! This av rule may have been overridden by an extended permission av rule
allow user_t devtty_t:chr_file ioctl;
#!!!! This avc is allowed in the current policy
#!!!! This av rule may have been overridden by an extended permission av rule
allow user_t user_devpts_t:chr_file ioctl;
allowxperm sshd_t ptmx_t:chr_file ioctl { 0x5430-0x5431 0x5441 };
allowxperm sshd_t sshd_devpts_t:chr_file ioctl 0x5401;
allowxperm sshd_t user_devpts_t:chr_file ioctl { 0x5401-0x5402 0x540e };
allowxperm user_t user_devpts_t:chr_file ioctl { 0x4b33 0x5401 0x5403 0x540a 0x540f-0x5410 0x5413-0x5414 };
allowxperm user_t devtty_t:chr_file ioctl 0x4b33;
Changed:
#============= sshd_t ==============
#!!!! This avc is allowed in the current policy
#!!!! This av rule may have been overridden by an extended permission av rule
allow sshd_t ptmx_t:chr_file ioctl;
allowxperm sshd_t ptmx_t:chr_file ioctl { 0x5430-0x5431 0x5441 };
#!!!! This avc is allowed in the current policy
#!!!! This av rule may have been overridden by an extended permission av rule
allow sshd_t sshd_devpts_t:chr_file ioctl;
allowxperm sshd_t sshd_devpts_t:chr_file ioctl 0x5401;
#!!!! This avc is allowed in the current policy
#!!!! This av rule may have been overridden by an extended permission av rule
allow sshd_t user_devpts_t:chr_file ioctl;
allowxperm sshd_t user_devpts_t:chr_file ioctl { 0x5401-0x5402 0x540e };
#============= user_t ==============
#!!!! This avc is allowed in the current policy
#!!!! This av rule may have been overridden by an extended permission av rule
allow user_t devtty_t:chr_file ioctl;
allowxperm user_t devtty_t:chr_file ioctl 0x4b33;
#!!!! This avc is allowed in the current policy
#!!!! This av rule may have been overridden by an extended permission av rule
allow user_t user_devpts_t:chr_file ioctl;
allowxperm user_t user_devpts_t:chr_file ioctl { 0x4b33 0x5401 0x5403 0x540a 0x540f-0x5410 0x5413-0x5414 };
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
---
python/sepolgen/src/sepolgen/output.py | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/python/sepolgen/src/sepolgen/output.py b/python/sepolgen/src/sepolgen/output.py
index 3a21b64c19f7..aeeaafc889e7 100644
--- a/python/sepolgen/src/sepolgen/output.py
+++ b/python/sepolgen/src/sepolgen/output.py
@@ -84,7 +84,7 @@ def avrule_cmp(a, b):
return ret
# At this point, who cares - just return something
- return cmp(len(a.perms), len(b.perms))
+ return 0
# Compare two interface calls
def ifcall_cmp(a, b):
@@ -100,7 +100,7 @@ def rule_cmp(a, b):
else:
return id_set_cmp([a.args[0]], b.src_types)
else:
- if isinstance(b, refpolicy.AVRule):
+ if isinstance(b, refpolicy.AVRule) or isinstance(b, refpolicy.AVExtRule):
return avrule_cmp(a,b)
else:
return id_set_cmp(a.src_types, [b.args[0]])
@@ -130,6 +130,7 @@ def sort_filter(module):
# we assume is the first argument for interfaces).
rules = []
rules.extend(node.avrules())
+ rules.extend(node.avextrules())
rules.extend(node.interface_calls())
rules.sort(key=util.cmp_to_key(rule_cmp))
--
2.29.0

View File

@ -0,0 +1,32 @@
From 8bc865e1fe8f6f734b7306441ccbeec3b7c37f97 Mon Sep 17 00:00:00 2001
From: Dominick Grift <dominick.grift@defensec.nl>
Date: Tue, 1 Sep 2020 18:16:41 +0200
Subject: [PATCH] newrole: support cross-compilation with PAM and audit
Compilation of newrole with PAM and audit support currently requires that you have the respective headers installed on the host. Instead make the header location customizable to accomodate cross-compilation.
Signed-off-by: Dominick Grift <dominick.grift@defensec.nl>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
---
policycoreutils/newrole/Makefile | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/policycoreutils/newrole/Makefile b/policycoreutils/newrole/Makefile
index 73ebd413da85..0e7ebce3dd56 100644
--- a/policycoreutils/newrole/Makefile
+++ b/policycoreutils/newrole/Makefile
@@ -5,8 +5,9 @@ BINDIR ?= $(PREFIX)/bin
MANDIR ?= $(PREFIX)/share/man
ETCDIR ?= /etc
LOCALEDIR = $(DESTDIR)$(PREFIX)/share/locale
-PAMH ?= $(shell test -f /usr/include/security/pam_appl.h && echo y)
-AUDITH ?= $(shell test -f /usr/include/libaudit.h && echo y)
+INCLUDEDIR ?= $(PREFIX)/include
+PAMH ?= $(shell test -f $(INCLUDEDIR)/security/pam_appl.h && echo y)
+AUDITH ?= $(shell test -f $(INCLUDEDIR)/libaudit.h && echo y)
# Enable capabilities to permit newrole to generate audit records.
# This will make newrole a setuid root program.
# The capabilities used are: CAP_AUDIT_WRITE.
--
2.29.0

View File

@ -1,4 +1,4 @@
From 269d3c64978af8053a84ecc54ab2adb7ee481d10 Mon Sep 17 00:00:00 2001
From ea624dcc70d93867f23b94c368b8cf102269c13b Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Thu, 20 Aug 2015 12:58:41 +0200
Subject: [PATCH] sandbox: add -reset to Xephyr as it works better with it in
@ -22,5 +22,5 @@ index eaa500d08143..4774528027ef 100644
cat > ~/seremote << __EOF
#!/bin/sh
--
2.23.0
2.29.0

View File

@ -1,4 +1,4 @@
From f8714034d527c1eb6bd698abcfd8f02d1542f648 Mon Sep 17 00:00:00 2001
From 932c1244bc98d3a05a238f3f0b333cf8c429113b Mon Sep 17 00:00:00 2001
From: Dan Walsh <dwalsh@redhat.com>
Date: Mon, 21 Apr 2014 13:54:40 -0400
Subject: [PATCH] Fix STANDARD_FILE_CONTEXT section in man pages
@ -9,7 +9,7 @@ Signed-off-by: Miroslav Grepl <mgrepl@redhat.com>
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
index 442608191cc8..2ee9e37fde9f 100755
index 3e8a3be907e3..a1d70623cff0 100755
--- a/python/sepolicy/sepolicy/manpage.py
+++ b/python/sepolicy/sepolicy/manpage.py
@@ -735,10 +735,13 @@ Default Defined Ports:""")
@ -42,5 +42,5 @@ index 442608191cc8..2ee9e37fde9f 100755
self.fd.write(r"""
.I The following file types are defined for %(domainname)s:
--
2.23.0
2.29.0

View File

@ -1,4 +1,4 @@
From 73cfd014130f4a37b1db29d5a7b840bf414e8f19 Mon Sep 17 00:00:00 2001
From ae3780eb560fa5f00a3dd591c8233c2a9068a348 Mon Sep 17 00:00:00 2001
From: Miroslav Grepl <mgrepl@redhat.com>
Date: Mon, 12 May 2014 14:11:22 +0200
Subject: [PATCH] If there is no executable we don't want to print a part of
@ -9,7 +9,7 @@ Subject: [PATCH] If there is no executable we don't want to print a part of
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
index 2ee9e37fde9f..ec17fb145375 100755
index a1d70623cff0..2d33eabb2536 100755
--- a/python/sepolicy/sepolicy/manpage.py
+++ b/python/sepolicy/sepolicy/manpage.py
@@ -793,7 +793,8 @@ SELinux %(domainname)s policy is very flexible allowing users to setup their %(d
@ -23,5 +23,5 @@ index 2ee9e37fde9f..ec17fb145375 100755
.B STANDARD FILE CONTEXT
--
2.23.0
2.29.0

View File

@ -1,4 +1,4 @@
From 66766a7298065ae60819355f2b515fe3fcc248e3 Mon Sep 17 00:00:00 2001
From 7d21b9f41c4d00f1e0499a64089a5e13a8f636ab Mon Sep 17 00:00:00 2001
From: Miroslav Grepl <mgrepl@redhat.com>
Date: Thu, 19 Feb 2015 17:45:15 +0100
Subject: [PATCH] Simplication of sepolicy-manpage web functionality.
@ -49,7 +49,7 @@ index e4540977d042..ad718797ca68 100644
def reinit():
diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
index ec17fb145375..8c529ddb07cd 100755
index 2d33eabb2536..acc77f368d95 100755
--- a/python/sepolicy/sepolicy/manpage.py
+++ b/python/sepolicy/sepolicy/manpage.py
@@ -149,10 +149,6 @@ def prettyprint(f, trim):
@ -165,5 +165,5 @@ index ec17fb145375..8c529ddb07cd 100755
if len(self.manpage_roles[letter]):
fd.write("""
--
2.23.0
2.29.0

View File

@ -1,4 +1,4 @@
From 59d6989beb341fb17f87b270e4fc8d55351d3a51 Mon Sep 17 00:00:00 2001
From f0f030495dddb2e633403f360fdaaf6951da11ad Mon Sep 17 00:00:00 2001
From: Miroslav Grepl <mgrepl@redhat.com>
Date: Fri, 20 Feb 2015 16:42:01 +0100
Subject: [PATCH] We want to remove the trailing newline for
@ -22,5 +22,5 @@ index ad718797ca68..ea05d892bf3b 100644
system_release = "Misc"
--
2.23.0
2.29.0

View File

@ -1,4 +1,4 @@
From 600fda8edf440acc3e5b32a31a044b16d65cbef9 Mon Sep 17 00:00:00 2001
From 4a18939d21c06d036f1063cbfd2d0b5ae9d0010f Mon Sep 17 00:00:00 2001
From: Miroslav Grepl <mgrepl@redhat.com>
Date: Fri, 20 Feb 2015 16:42:53 +0100
Subject: [PATCH] Fix title in manpage.py to not contain 'online'.
@ -8,7 +8,7 @@ Subject: [PATCH] Fix title in manpage.py to not contain 'online'.
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
index 8c529ddb07cd..10e2c1745f8b 100755
index acc77f368d95..4aeb3e2e51ba 100755
--- a/python/sepolicy/sepolicy/manpage.py
+++ b/python/sepolicy/sepolicy/manpage.py
@@ -220,7 +220,7 @@ class HTMLManPages:
@ -21,5 +21,5 @@ index 8c529ddb07cd..10e2c1745f8b 100755
<body>
<h1>SELinux man pages for %s</h1>
--
2.23.0
2.29.0

View File

@ -1,4 +1,4 @@
From b45d202d954bad6cd4e96fe22d35677717e5eff9 Mon Sep 17 00:00:00 2001
From ffe429b49874175f5ec1156e9c89e75cc67a0ddd Mon Sep 17 00:00:00 2001
From: Dan Walsh <dwalsh@redhat.com>
Date: Fri, 14 Feb 2014 12:32:12 -0500
Subject: [PATCH] Don't be verbose if you are not on a tty
@ -8,7 +8,7 @@ Subject: [PATCH] Don't be verbose if you are not on a tty
1 file changed, 1 insertion(+)
diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles
index 5d7770348349..fd43aab0cb6a 100755
index 30dadb4f4cb6..e73bb81c3336 100755
--- a/policycoreutils/scripts/fixfiles
+++ b/policycoreutils/scripts/fixfiles
@@ -108,6 +108,7 @@ exclude_dirs_from_relabelling() {
@ -20,5 +20,5 @@ index 5d7770348349..fd43aab0cb6a 100755
RPMFILES=""
PREFC=""
--
2.23.0
2.29.0

View File

@ -1,4 +1,4 @@
From 61fcb9e5af82482d79c9e9edacb1a7f30686ee4a Mon Sep 17 00:00:00 2001
From 4a337405da16857dc2a979e4b4963a6fd7b975c6 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Mon, 27 Feb 2017 17:12:39 +0100
Subject: [PATCH] sepolicy: Drop old interface file_type_is_executable(f) and
@ -11,7 +11,7 @@ Subject: [PATCH] sepolicy: Drop old interface file_type_is_executable(f) and
1 file changed, 20 insertions(+), 2 deletions(-)
diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
index 10e2c1745f8b..9a4b24743aca 100755
index 4aeb3e2e51ba..330b055af214 100755
--- a/python/sepolicy/sepolicy/manpage.py
+++ b/python/sepolicy/sepolicy/manpage.py
@@ -125,8 +125,24 @@ def gen_domains():
@ -59,5 +59,5 @@ index 10e2c1745f8b..9a4b24743aca 100755
if f in self.fcdict:
mpaths = mpaths + self.fcdict[f]["regex"]
--
2.23.0
2.29.0

View File

@ -1,4 +1,4 @@
From 15d2491e3c455f740a20eaf93f2c6a9b89e79d7a Mon Sep 17 00:00:00 2001
From 7c315fff5e7ce74b0598b62d9aa0b21ca6b06b6d Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Tue, 28 Feb 2017 21:29:46 +0100
Subject: [PATCH] sepolicy: Another small optimization for mcs types
@ -8,7 +8,7 @@ Subject: [PATCH] sepolicy: Another small optimization for mcs types
1 file changed, 11 insertions(+), 5 deletions(-)
diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
index 9a4b24743aca..736ae13b0524 100755
index 330b055af214..f8584436960d 100755
--- a/python/sepolicy/sepolicy/manpage.py
+++ b/python/sepolicy/sepolicy/manpage.py
@@ -142,6 +142,15 @@ def _gen_entry_types():
@ -49,5 +49,5 @@ index 9a4b24743aca..736ae13b0524 100755
self.fd.write ("""
.SH "MCS Constrained"
--
2.23.0
2.29.0

View File

@ -1,4 +1,4 @@
From 8e02b757f90827f4e850b732ccea32c2897036a8 Mon Sep 17 00:00:00 2001
From a07e9652785c6196d916dfca3d36c898959406b4 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Mon, 6 Aug 2018 13:23:00 +0200
Subject: [PATCH] Move po/ translation files into the right sub-directories
@ -511,5 +511,5 @@ index 000000000000..deff3f2f4656
@@ -0,0 +1 @@
+../sandbox
--
2.23.0
2.29.0

View File

@ -1,4 +1,4 @@
From c19dde7c189cba536d79331baff24d987b3fae4d Mon Sep 17 00:00:00 2001
From eab0fc05a38ab2cd47b3e0ff69981850cc7cd538 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Mon, 6 Aug 2018 13:37:07 +0200
Subject: [PATCH] Use correct gettext domains in python/ gui/ sandbox/
@ -302,5 +302,5 @@ index ca5f1e030a51..16c43b51eaaa 100644
import gettext
kwargs = {}
--
2.26.2
2.29.0

View File

@ -1,4 +1,4 @@
From 8384f31cdcf0afd2b13f93f4e8bc42254b4b7928 Mon Sep 17 00:00:00 2001
From ffca591cb3055c4962cdc968662bd52bb876e640 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Mon, 6 Aug 2018 14:23:19 +0200
Subject: [PATCH] Initial .pot files for gui/ python/ sandbox/
@ -4528,5 +4528,5 @@ index 000000000000..328b4f0159d3
+msgid "Invalid value %s"
+msgstr ""
--
2.23.0
2.29.0

View File

@ -1,4 +1,4 @@
From 38586b84c3bae778883e43d72700ef1491abae17 Mon Sep 17 00:00:00 2001
From 4277ef04de699e1939c95c4813de6a78d1ea1656 Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com>
Date: Wed, 21 Mar 2018 08:51:31 +0100
Subject: [PATCH] policycoreutils/setfiles: Improve description of -d switch
@ -26,5 +26,5 @@ index e328a5628682..02e0960289d3 100644
.BI \-e \ directory
directory to exclude (repeat option for more than one directory).
--
2.26.2
2.29.0

View File

@ -1,4 +1,4 @@
From f2625885226a65df2b0d7f825bafe462a6454c49 Mon Sep 17 00:00:00 2001
From fa94b0faf12a79158d971f363e8ec65227d67de3 Mon Sep 17 00:00:00 2001
From: Masatake YAMATO <yamato@redhat.com>
Date: Thu, 14 Dec 2017 15:57:58 +0900
Subject: [PATCH] sepolicy-generate: Handle more reserved port types
@ -52,7 +52,7 @@ https://lore.kernel.org/selinux/20150610.190635.1866127952891120915.yamato@redha
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/python/sepolicy/sepolicy/generate.py b/python/sepolicy/sepolicy/generate.py
index 744ee13f692d..a6309783e85e 100644
index 43180ca6fda4..d60a08e1d72c 100644
--- a/python/sepolicy/sepolicy/generate.py
+++ b/python/sepolicy/sepolicy/generate.py
@@ -99,7 +99,9 @@ def get_all_ports():
@ -67,5 +67,5 @@ index 744ee13f692d..a6309783e85e 100644
dict[(p['low'], p['high'], p['protocol'])] = (p['type'], p.get('range'))
return dict
--
2.23.0
2.29.0

View File

@ -1,4 +1,4 @@
From 6f510c03e54b0058b74fabae6489099f5369a957 Mon Sep 17 00:00:00 2001
From 122e35c4d11b5b623e8bc463f81c6792385523cb Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Thu, 8 Nov 2018 09:20:58 +0100
Subject: [PATCH] semodule-utils: Fix RESOURCE_LEAK coverity scan defects
@ -20,5 +20,5 @@ index 3515234e36de..7b75b3fd9bb4 100644
}
--
2.23.0
2.29.0

View File

@ -1,4 +1,4 @@
From 7afddf20e889731126fda14b2fa713a367d9dd84 Mon Sep 17 00:00:00 2001
From e63814eb18bdbb48a7e6bf79b17d79d6a9ca56d6 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Wed, 18 Jul 2018 09:09:35 +0200
Subject: [PATCH] sandbox: Use matchbox-window-manager instead of openbox
@ -70,5 +70,5 @@ index 4774528027ef..c211ebc14549 100644
export DISPLAY=:$D
cat > ~/seremote << __EOF
--
2.23.0
2.29.0

View File

@ -1,8 +1,8 @@
%global libauditver 3.0
%global libsepolver 3.1
%global libsemanagever 3.1
%global libselinuxver 3.1
%global sepolgenver 3.1
%global libsepolver 3.1-4
%global libsemanagever 3.1-4
%global libselinuxver 3.1-4
%global sepolgenver 3.1-4
%global generatorsdir %{_prefix}/lib/systemd/system-generators
@ -38,22 +38,29 @@ Source23: sandbox-po.tgz
# $ git format-patch -N 20200710 -- policycoreutils python gui sandbox dbus semodule-utils restorecond
# $ for j in [0-9]*.patch; do printf "Patch%s: %s\n" ${j/-*/} $j; done
# Patch list start
Patch0001: 0001-sandbox-add-reset-to-Xephyr-as-it-works-better-with-.patch
Patch0002: 0002-Fix-STANDARD_FILE_CONTEXT-section-in-man-pages.patch
Patch0003: 0003-If-there-is-no-executable-we-don-t-want-to-print-a-p.patch
Patch0004: 0004-Simplication-of-sepolicy-manpage-web-functionality.-.patch
Patch0005: 0005-We-want-to-remove-the-trailing-newline-for-etc-syste.patch
Patch0006: 0006-Fix-title-in-manpage.py-to-not-contain-online.patch
Patch0007: 0007-Don-t-be-verbose-if-you-are-not-on-a-tty.patch
Patch0008: 0008-sepolicy-Drop-old-interface-file_type_is_executable-.patch
Patch0009: 0009-sepolicy-Another-small-optimization-for-mcs-types.patch
Patch0010: 0010-Move-po-translation-files-into-the-right-sub-directo.patch
Patch0011: 0011-Use-correct-gettext-domains-in-python-gui-sandbox.patch
Patch0012: 0012-Initial-.pot-files-for-gui-python-sandbox.patch
Patch0013: 0013-policycoreutils-setfiles-Improve-description-of-d-sw.patch
Patch0014: 0014-sepolicy-generate-Handle-more-reserved-port-types.patch
Patch0015: 0015-semodule-utils-Fix-RESOURCE_LEAK-coverity-scan-defec.patch
Patch0016: 0016-sandbox-Use-matchbox-window-manager-instead-of-openb.patch
Patch0001: 0001-python-audit2allow-add-include-limits.h-to-sepolgen-.patch
Patch0002: 0002-restorecond-Set-X-GNOME-HiddenUnderSystemd-true-in-r.patch
Patch0003: 0003-fixfiles-correctly-restore-context-of-mountpoints.patch
Patch0004: 0004-sepolgen-print-extended-permissions-in-hexadecimal.patch
Patch0005: 0005-sepolgen-sort-extended-rules-like-normal-ones.patch
Patch0006: 0006-newrole-support-cross-compilation-with-PAM-and-audit.patch
Patch0007: 0007-sandbox-add-reset-to-Xephyr-as-it-works-better-with-.patch
Patch0008: 0008-Fix-STANDARD_FILE_CONTEXT-section-in-man-pages.patch
Patch0009: 0009-If-there-is-no-executable-we-don-t-want-to-print-a-p.patch
Patch0010: 0010-Simplication-of-sepolicy-manpage-web-functionality.-.patch
Patch0011: 0011-We-want-to-remove-the-trailing-newline-for-etc-syste.patch
Patch0012: 0012-Fix-title-in-manpage.py-to-not-contain-online.patch
Patch0013: 0013-Don-t-be-verbose-if-you-are-not-on-a-tty.patch
Patch0014: 0014-sepolicy-Drop-old-interface-file_type_is_executable-.patch
Patch0015: 0015-sepolicy-Another-small-optimization-for-mcs-types.patch
Patch0016: 0016-Move-po-translation-files-into-the-right-sub-directo.patch
Patch0017: 0017-Use-correct-gettext-domains-in-python-gui-sandbox.patch
Patch0018: 0018-Initial-.pot-files-for-gui-python-sandbox.patch
Patch0019: 0019-policycoreutils-setfiles-Improve-description-of-d-sw.patch
Patch0020: 0020-sepolicy-generate-Handle-more-reserved-port-types.patch
Patch0021: 0021-semodule-utils-Fix-RESOURCE_LEAK-coverity-scan-defec.patch
Patch0022: 0022-sandbox-Use-matchbox-window-manager-instead-of-openb.patch
Patch0023: 0023-sepolicy-Fix-flake8-warnings-in-Fedora-only-code.patch
# Patch list end
Obsoletes: policycoreutils < 2.0.61-2