From c65daa990e9a11b8708264bc45ca0262cdc88d42 Mon Sep 17 00:00:00 2001 
From: Petr Lautrbach Date: Fri, 30 Oct 2020 15:15:59 +0100 Subject: [PATCH] Rebase on db0f2f382e31 at SELinuxProject - Build with libsepol.so.1 and libsemanage.so.2 - Set X-GNOME-HiddenUnderSystemd=true in restorecond.desktop file - fixfiles: correctly restore context of mountpoints - sepolgen: print extended permissions in hexadecimal --- ...ow-add-include-limits.h-to-sepolgen-.patch | 34 +++++ ...X-GNOME-HiddenUnderSystemd-true-in-r.patch | 26 ++++ ...ectly-restore-context-of-mountpoints.patch | 136 ++++++++++++++++++ ...-extended-permissions-in-hexadecimal.patch | 112 +++++++++++++++ ...sort-extended-rules-like-normal-ones.patch | 109 ++++++++++++++ ...cross-compilation-with-PAM-and-audit.patch | 32 +++++ ...t-to-Xephyr-as-it-works-better-with-.patch | 4 +- ...RD_FILE_CONTEXT-section-in-man-pages.patch | 6 +- ...xecutable-we-don-t-want-to-print-a-p.patch | 6 +- ...sepolicy-manpage-web-functionality.-.patch | 6 +- ...e-the-trailing-newline-for-etc-syste.patch | 4 +- ...-in-manpage.py-to-not-contain-online.patch | 6 +- ...t-be-verbose-if-you-are-not-on-a-tty.patch | 6 +- ...d-interface-file_type_is_executable-.patch | 6 +- ...her-small-optimization-for-mcs-types.patch | 6 +- ...ion-files-into-the-right-sub-directo.patch | 4 +- ...ettext-domains-in-python-gui-sandbox.patch | 4 +- ...al-.pot-files-for-gui-python-sandbox.patch | 4 +- ...setfiles-Improve-description-of-d-sw.patch | 4 +- ...rate-Handle-more-reserved-port-types.patch | 6 +- ...ix-RESOURCE_LEAK-coverity-scan-defec.patch | 4 +- ...hbox-window-manager-instead-of-openb.patch | 4 +- policycoreutils.spec | 47 +++--- 23 files changed, 516 insertions(+), 60 deletions(-) create mode 100644 0001-python-audit2allow-add-include-limits.h-to-sepolgen-.patch create mode 100644 0002-restorecond-Set-X-GNOME-HiddenUnderSystemd-true-in-r.patch create mode 100644 0003-fixfiles-correctly-restore-context-of-mountpoints.patch create mode 100644 0004-sepolgen-print-extended-permissions-in-hexadecimal.patch create mode 100644 
0005-sepolgen-sort-extended-rules-like-normal-ones.patch create mode 100644 0006-newrole-support-cross-compilation-with-PAM-and-audit.patch rename 0001-sandbox-add-reset-to-Xephyr-as-it-works-better-with-.patch => 0007-sandbox-add-reset-to-Xephyr-as-it-works-better-with-.patch (92%) rename 0002-Fix-STANDARD_FILE_CONTEXT-section-in-man-pages.patch => 0008-Fix-STANDARD_FILE_CONTEXT-section-in-man-pages.patch (94%) rename 0003-If-there-is-no-executable-we-don-t-want-to-print-a-p.patch => 0009-If-there-is-no-executable-we-don-t-want-to-print-a-p.patch (87%) rename 0004-Simplication-of-sepolicy-manpage-web-functionality.-.patch => 0010-Simplication-of-sepolicy-manpage-web-functionality.-.patch (97%) rename 0005-We-want-to-remove-the-trailing-newline-for-etc-syste.patch => 0011-We-want-to-remove-the-trailing-newline-for-etc-syste.patch (91%) rename 0006-Fix-title-in-manpage.py-to-not-contain-online.patch => 0012-Fix-title-in-manpage.py-to-not-contain-online.patch (85%) rename 0007-Don-t-be-verbose-if-you-are-not-on-a-tty.patch => 0013-Don-t-be-verbose-if-you-are-not-on-a-tty.patch (82%) rename 0008-sepolicy-Drop-old-interface-file_type_is_executable-.patch => 0014-sepolicy-Drop-old-interface-file_type_is_executable-.patch (94%) rename 0009-sepolicy-Another-small-optimization-for-mcs-types.patch => 0015-sepolicy-Another-small-optimization-for-mcs-types.patch (94%) rename 0010-Move-po-translation-files-into-the-right-sub-directo.patch => 0016-Move-po-translation-files-into-the-right-sub-directo.patch (99%) rename 0011-Use-correct-gettext-domains-in-python-gui-sandbox.patch => 0017-Use-correct-gettext-domains-in-python-gui-sandbox.patch (99%) rename 0012-Initial-.pot-files-for-gui-python-sandbox.patch => 0018-Initial-.pot-files-for-gui-python-sandbox.patch (99%) rename 0013-policycoreutils-setfiles-Improve-description-of-d-sw.patch => 0019-policycoreutils-setfiles-Improve-description-of-d-sw.patch (93%) rename 0014-sepolicy-generate-Handle-more-reserved-port-types.patch => 
0020-sepolicy-generate-Handle-more-reserved-port-types.patch (96%) rename 0015-semodule-utils-Fix-RESOURCE_LEAK-coverity-scan-defec.patch => 0021-semodule-utils-Fix-RESOURCE_LEAK-coverity-scan-defec.patch (90%) rename 0016-sandbox-Use-matchbox-window-manager-instead-of-openb.patch => 0022-sandbox-Use-matchbox-window-manager-instead-of-openb.patch (97%) diff --git a/0001-python-audit2allow-add-include-limits.h-to-sepolgen-.patch b/0001-python-audit2allow-add-include-limits.h-to-sepolgen-.patch new file mode 100644 index 0000000..21a4189 --- /dev/null +++ b/0001-python-audit2allow-add-include-limits.h-to-sepolgen-.patch @@ -0,0 +1,34 @@ +From ccd973f721c48945fc706d8fef6b396580853a9f Mon Sep 17 00:00:00 2001 +From: "W. Michael Petullo" +Date: Thu, 16 Jul 2020 15:29:20 -0500 +Subject: [PATCH] python/audit2allow: add #include to + sepolgen-ifgen-attr-helper.c + +I found that building on OpenWrt/musl failed with: + + sepolgen-ifgen-attr-helper.c:152:16: error: 'PATH_MAX' undeclared ... + +Musl is less "generous" than glibc in recursively including header +files, and I suspect this is the reason for this error. Explicitly +including limits.h fixes the problem. + +Signed-off-by: W. Michael Petullo +--- + python/audit2allow/sepolgen-ifgen-attr-helper.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/python/audit2allow/sepolgen-ifgen-attr-helper.c b/python/audit2allow/sepolgen-ifgen-attr-helper.c +index 53f20818722a..f010c9584c1f 100644 +--- a/python/audit2allow/sepolgen-ifgen-attr-helper.c ++++ b/python/audit2allow/sepolgen-ifgen-attr-helper.c +@@ -28,6 +28,7 @@ + + #include + ++#include + #include + #include + #include +-- +2.29.0 + diff --git a/0002-restorecond-Set-X-GNOME-HiddenUnderSystemd-true-in-r.patch b/0002-restorecond-Set-X-GNOME-HiddenUnderSystemd-true-in-r.patch new file mode 100644 index 0000000..1dfe625 --- /dev/null +++ b/0002-restorecond-Set-X-GNOME-HiddenUnderSystemd-true-in-r.patch 
@@ -0,0 +1,26 @@ +From 9e2b8c61bfd275d0f007a736721c557755edf4a0 Mon Sep 17 00:00:00 2001 +From: Laurent Bigonville +Date: Thu, 16 Jul 2020 14:22:13 +0200 +Subject: [PATCH] restorecond: Set X-GNOME-HiddenUnderSystemd=true in + restorecond.desktop file + +This completely inactivate the .desktop file incase the user session is +managed by systemd as restorecond also provide a service file + +Signed-off-by: Laurent Bigonville +--- + restorecond/restorecond.desktop | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/restorecond/restorecond.desktop b/restorecond/restorecond.desktop +index af7286801c24..7df854727a3f 100644 +--- a/restorecond/restorecond.desktop ++++ b/restorecond/restorecond.desktop +@@ -5,3 +5,4 @@ Comment=Fix file context in owned by the user + Type=Application + StartupNotify=false + X-GNOME-Autostart-enabled=false ++X-GNOME-HiddenUnderSystemd=true +-- +2.29.0 + diff --git a/0003-fixfiles-correctly-restore-context-of-mountpoints.patch b/0003-fixfiles-correctly-restore-context-of-mountpoints.patch new file mode 100644 index 0000000..60dd2e3 --- /dev/null +++ b/0003-fixfiles-correctly-restore-context-of-mountpoints.patch 
@@ -0,0 +1,136 @@
+From ba2d6c10635a021d2b1a5fc2123fde13b04295a5 Mon Sep 17 00:00:00 2001
+From: bauen1
+Date: Thu, 6 Aug 2020 16:48:36 +0200
+Subject: [PATCH] fixfiles: correctly restore context of mountpoints
+
+By bind mounting every filesystem we want to relabel we can access all
+files without anything hidden due to active mounts.
+
+This comes at the cost of user experience, because setfiles only
+displays the percentage if no path is given or the path is /
+
+Signed-off-by: Jonathan Hettwer
+Acked-by: Stephen Smalley
+---
+ policycoreutils/scripts/fixfiles | 29 +++++++++++++++++++++++++----
+ policycoreutils/scripts/fixfiles.8 | 8 ++++++--
+ 2 files changed, 31 insertions(+), 6 deletions(-)
+
+diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles
+index 5d7770348349..30dadb4f4cb6 100755
+--- a/policycoreutils/scripts/fixfiles
++++ b/policycoreutils/scripts/fixfiles
+@@ -112,6 +112,7 @@ FORCEFLAG=""
+ RPMFILES=""
+ PREFC=""
+ RESTORE_MODE=""
++BIND_MOUNT_FILESYSTEMS=""
+ SETFILES=/sbin/setfiles
+ RESTORECON=/sbin/restorecon
+ FILESYSTEMSRW=`get_rw_labeled_mounts`
+@@ -243,7 +244,23 @@ case "$RESTORE_MODE" in
+ if [ -n "${FILESYSTEMSRW}" ]; then
+ LogReadOnly
+ echo "${OPTION}ing `echo ${FILESYSTEMSRW}`"
+- ${SETFILES} ${VERBOSE} ${EXCLUDEDIRS} ${FORCEFLAG} $* -q ${FC} ${FILESYSTEMSRW}
++
++ if [ -z "$BIND_MOUNT_FILESYSTEMS" ]; then
++ ${SETFILES} ${VERBOSE} ${EXCLUDEDIRS} ${FORCEFLAG} $* -q ${FC} ${FILESYSTEMSRW}
++ else
++ # we bind mount so we can fix the labels of files that have already been
++ # mounted over
++ for m in `echo $FILESYSTEMSRW`; do
++ TMP_MOUNT="$(mktemp -d)"
++ test -z ${TMP_MOUNT+x} && echo "Unable to find temporary directory!" && exit 1
++
++ mkdir -p "${TMP_MOUNT}${m}" || exit 1
++ mount --bind "${m}" "${TMP_MOUNT}${m}" || exit 1
++ ${SETFILES} ${VERBOSE} ${EXCLUDEDIRS} ${FORCEFLAG} $* -q ${FC} -r "${TMP_MOUNT}" "${TMP_MOUNT}${m}"
++ umount "${TMP_MOUNT}${m}" || exit 1
++ rm -rf "${TMP_MOUNT}" || echo "Error cleaning up."
++ done;
++ fi
+ else
+ echo >&2 "fixfiles: No suitable file systems found"
+ fi
+@@ -313,6 +330,7 @@ case "$1" in
+ > /.autorelabel || exit $?
+ [ -z "$FORCEFLAG" ] || echo -n "$FORCEFLAG " >> /.autorelabel
+ [ -z "$BOOTTIME" ] || echo -N $BOOTTIME >> /.autorelabel
++ [ -z "$BIND_MOUNT_FILESYSTEMS" ] || echo "-M" >> /.autorelabel
+ # Force full relabel if SELinux is not enabled
+ selinuxenabled || echo -F > /.autorelabel
+ echo "System will relabel on next boot"
+@@ -324,7 +342,7 @@ esac
+ }
+ usage() {
+ echo $"""
+-Usage: $0 [-v] [-F] [-f] relabel
++Usage: $0 [-v] [-F] [-M] [-f] relabel
+ or
+ Usage: $0 [-v] [-F] [-B | -N time ] { check | restore | verify }
+ or
+@@ -334,7 +352,7 @@ Usage: $0 [-v] [-F] -R rpmpackage[,rpmpackage...] { check | restore | verify }
+ or
+ Usage: $0 [-v] [-F] -C PREVIOUS_FILECONTEXT { check | restore | verify }
+ or
+-Usage: $0 [-F] [-B] onboot
++Usage: $0 [-F] [-M] [-B] onboot
+ """
+ }
+
+@@ -353,7 +371,7 @@ set_restore_mode() {
+ }
+
+ # See how we were called.
+-while getopts "N:BC:FfR:l:v" i; do
++while getopts "N:BC:FfR:l:vM" i; do
+ case "$i" in
+ B)
+ BOOTTIME=`/bin/who -b | awk '{print $3}'`
+@@ -379,6 +397,9 @@ while getopts "N:BC:FfR:l:v" i; do
+ echo "Redirecting output to $OPTARG"
+ exec >>"$OPTARG" 2>&1
+ ;;
++ M)
++ BIND_MOUNT_FILESYSTEMS="-M"
++ ;;
+ F)
+ FORCEFLAG="-F"
+ ;;
+diff --git a/policycoreutils/scripts/fixfiles.8 b/policycoreutils/scripts/fixfiles.8
+index 9f447f03d444..123425308416 100644
+--- a/policycoreutils/scripts/fixfiles.8
++++ b/policycoreutils/scripts/fixfiles.8
+@@ -6,7 +6,7 @@ fixfiles \- fix file SELinux security contexts.
+ .na
+
+ .B fixfiles
+-.I [\-v] [\-F] [\-f] relabel
++.I [\-v] [\-F] [-M] [\-f] relabel
+
+ .B fixfiles
+ .I [\-v] [\-F] { check | restore | verify } dir/file ...
+@@ -21,7 +21,7 @@ fixfiles \- fix file SELinux security contexts.
+ .I [\-v] [\-F] \-C PREVIOUS_FILECONTEXT { check | restore | verify }
+
+ .B fixfiles
+-.I [-F] [-B] onboot
++.I [-F] [-M] [-B] onboot
+
+ .ad
+
+@@ -68,6 +68,10 @@ Run a diff on the PREVIOUS_FILECONTEXT file to the currently installed one, and
+ Only act on files created after the specified date. Date must be specified in
+ "YYYY\-MM\-DD HH:MM" format. Date field will be passed to find \-\-newermt command.
+
++.TP
++.B \-M
++Bind mount filesystems before relabeling them, this allows fixing the context of files or directories that have been mounted over.
++
+ .TP
+ .B -v
+ Modify verbosity from progress to verbose. (Run restorecon with \-v instead of \-p)
+--
+2.29.0
+
diff --git a/0004-sepolgen-print-extended-permissions-in-hexadecimal.patch b/0004-sepolgen-print-extended-permissions-in-hexadecimal.patch
new file mode 100644
index 0000000..e83a1de
--- /dev/null
+++ b/0004-sepolgen-print-extended-permissions-in-hexadecimal.patch
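Review bot: The guard after `TMP_MOUNT="$(mktemp -d)"` in the fixfiles relabel hunk can never fire: `${TMP_MOUNT+x}` expands to `x` whenever the variable is set, and the assignment on the line above always sets it, so a failed mktemp leaves TMP_MOUNT empty and the loop goes on to run `mkdir -p "${m}"`, `mount --bind "${m}" "${m}"`, setfiles with `-r ""` and finally `rm -rf ""` — a bind mount stacked on the live mountpoint instead of a private scratch directory. Test the value itself so the run aborts before anything is mounted, e.g. `test -d "${TMP_MOUNT}" || { echo >&2 "Unable to find temporary directory!"; exit 1; }`. A smaller consistency point in the onboot hunk: `echo "-M" >> /.autorelabel` appends a newline while the neighbouring `-F` flag is written with `echo -n "$FORCEFLAG "`; the boot-time reader of that file is not visible here, so whether the newline matters cannot be judged from this patch, but the two lines should use the same form. In fixfiles.8 the new `[-M]` in the relabel synopsis is the only unescaped dash among `[\-v] [\-F] [\-f]`; `[\-M]` would match its neighbours. The `case "$RESTORE_MODE"` arm and the script as a whole extend beyond the hunk.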
@@ -0,0 +1,112 @@ +From 9e239e55692b578ba546b4dff2b07604a2ca6baa Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= +Date: Wed, 19 Aug 2020 17:05:33 +0200 +Subject: [PATCH] sepolgen: print extended permissions in hexadecimal +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +All tools like ausearch(8) or sesearch(1) and online documentation[1] +use hexadecimal values for extended permissions. +Hence use them, e.g. for audit2allow output, as well. + +[1]: https://github.com/strace/strace/blob/master/linux/64/ioctls_inc.h + +Signed-off-by: Christian Göttsche +Acked-by: Stephen Smalley +--- + python/sepolgen/src/sepolgen/refpolicy.py | 5 ++--- + python/sepolgen/tests/test_access.py | 10 +++++----- + python/sepolgen/tests/test_refpolicy.py | 12 ++++++------ + 3 files changed, 13 insertions(+), 14 deletions(-) + +diff --git a/python/sepolgen/src/sepolgen/refpolicy.py b/python/sepolgen/src/sepolgen/refpolicy.py +index 43cecfc77385..747636875ef7 100644 +--- a/python/sepolgen/src/sepolgen/refpolicy.py ++++ b/python/sepolgen/src/sepolgen/refpolicy.py +@@ -407,10 +407,9 @@ class XpermSet(): + + # print single value without braces + if len(self.ranges) == 1 and self.ranges[0][0] == self.ranges[0][1]: +- return compl + str(self.ranges[0][0]) ++ return compl + hex(self.ranges[0][0]) + +- vals = map(lambda x: str(x[0]) if x[0] == x[1] else "%s-%s" % x, +- self.ranges) ++ vals = map(lambda x: hex(x[0]) if x[0] == x[1] else "%s-%s" % (hex(x[0]), hex(x[1]), ), self.ranges) + + return "%s{ %s }" % (compl, " ".join(vals)) + +diff --git a/python/sepolgen/tests/test_access.py b/python/sepolgen/tests/test_access.py +index 73a5407df617..623588e09aeb 100644 +--- a/python/sepolgen/tests/test_access.py ++++ b/python/sepolgen/tests/test_access.py +@@ -171,7 +171,7 @@ class TestAccessVector(unittest.TestCase): + a.merge(b) + self.assertEqual(sorted(list(a.perms)), ["append", "read", "write"]) + 
self.assertEqual(list(a.xperms.keys()), ["ioctl"]) +- self.assertEqual(a.xperms["ioctl"].to_string(), "{ 42 12345 }") ++ self.assertEqual(a.xperms["ioctl"].to_string(), "{ 0x2a 0x3039 }") + + def text_merge_xperm2(self): + """Test merging AV that does not contain xperms with AV that does""" +@@ -185,7 +185,7 @@ class TestAccessVector(unittest.TestCase): + a.merge(b) + self.assertEqual(sorted(list(a.perms)), ["append", "read", "write"]) + self.assertEqual(list(a.xperms.keys()), ["ioctl"]) +- self.assertEqual(a.xperms["ioctl"].to_string(), "{ 42 12345 }") ++ self.assertEqual(a.xperms["ioctl"].to_string(), "{ 0x2a 0x3039 }") + + def test_merge_xperm_diff_op(self): + """Test merging two AVs that contain xperms with different operation""" +@@ -203,8 +203,8 @@ class TestAccessVector(unittest.TestCase): + a.merge(b) + self.assertEqual(list(a.perms), ["read"]) + self.assertEqual(sorted(list(a.xperms.keys())), ["asdf", "ioctl"]) +- self.assertEqual(a.xperms["asdf"].to_string(), "23") +- self.assertEqual(a.xperms["ioctl"].to_string(), "{ 42 12345 }") ++ self.assertEqual(a.xperms["asdf"].to_string(), "0x17") ++ self.assertEqual(a.xperms["ioctl"].to_string(), "{ 0x2a 0x3039 }") + + def test_merge_xperm_same_op(self): + """Test merging two AVs that contain xperms with same operation""" +@@ -222,7 +222,7 @@ class TestAccessVector(unittest.TestCase): + a.merge(b) + self.assertEqual(list(a.perms), ["read"]) + self.assertEqual(list(a.xperms.keys()), ["ioctl"]) +- self.assertEqual(a.xperms["ioctl"].to_string(), "{ 23 42 12345 }") ++ self.assertEqual(a.xperms["ioctl"].to_string(), "{ 0x17 0x2a 0x3039 }") + + class TestUtilFunctions(unittest.TestCase): + def test_is_idparam(self): +diff --git a/python/sepolgen/tests/test_refpolicy.py b/python/sepolgen/tests/test_refpolicy.py +index 4b50c8aada96..c7219fd568e9 100644 +--- a/python/sepolgen/tests/test_refpolicy.py ++++ b/python/sepolgen/tests/test_refpolicy.py +@@ -90,17 +90,17 @@ class TestXpermSet(unittest.TestCase): + a.complement = 
True + self.assertEqual(a.to_string(), "") + a.add(1234) +- self.assertEqual(a.to_string(), "~ 1234") ++ self.assertEqual(a.to_string(), "~ 0x4d2") + a.complement = False +- self.assertEqual(a.to_string(), "1234") ++ self.assertEqual(a.to_string(), "0x4d2") + a.add(2345) +- self.assertEqual(a.to_string(), "{ 1234 2345 }") ++ self.assertEqual(a.to_string(), "{ 0x4d2 0x929 }") + a.complement = True +- self.assertEqual(a.to_string(), "~ { 1234 2345 }") ++ self.assertEqual(a.to_string(), "~ { 0x4d2 0x929 }") + a.add(42,64) +- self.assertEqual(a.to_string(), "~ { 42-64 1234 2345 }") ++ self.assertEqual(a.to_string(), "~ { 0x2a-0x40 0x4d2 0x929 }") + a.complement = False +- self.assertEqual(a.to_string(), "{ 42-64 1234 2345 }") ++ self.assertEqual(a.to_string(), "{ 0x2a-0x40 0x4d2 0x929 }") + + class TestSecurityContext(unittest.TestCase): + def test_init(self): +-- +2.29.0 + diff --git a/0005-sepolgen-sort-extended-rules-like-normal-ones.patch b/0005-sepolgen-sort-extended-rules-like-normal-ones.patch new file mode 100644 index 0000000..1fcfb52 --- /dev/null +++ b/0005-sepolgen-sort-extended-rules-like-normal-ones.patch 
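Review bot: The updated assertion inside `text_merge_xperm2` (test_access.py, second hunk) is never executed: unittest only collects methods whose names start with `test`, and the context line reads `def text_merge_xperm2(self):`, so the new `"{ 0x2a 0x3039 }"` expectation there is dead. The typo predates this patch, but since the patch edits that method's body it is the right moment to rename it to `test_merge_xperm2` so the hex expectation is actually checked. In refpolicy.py the rewritten `vals = map(lambda x: hex(x[0]) if x[0] == x[1] else "%s-%s" % (hex(x[0]), hex(x[1]), ), self.ranges)` collapses a two-line expression into one long line with a stray trailing comma; a generator expression keeps it readable: `vals = (hex(lo) if lo == hi else "%s-%s" % (hex(lo), hex(hi)) for lo, hi in self.ranges)`. XpermSet.to_string starts above the hunk, so `compl` is assigned outside the visible lines.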
@@ -0,0 +1,109 @@ +From 2a60de8eca6bd91e276b60441a5dc72d85c6eda3 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= +Date: Wed, 19 Aug 2020 17:05:34 +0200 +Subject: [PATCH] sepolgen: sort extended rules like normal ones +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Currently: + + #============= sshd_t ============== + + #!!!! This avc is allowed in the current policy + #!!!! This av rule may have been overridden by an extended permission av rule + allow sshd_t ptmx_t:chr_file ioctl; + + #!!!! This avc is allowed in the current policy + #!!!! This av rule may have been overridden by an extended permission av rule + allow sshd_t sshd_devpts_t:chr_file ioctl; + + #!!!! This avc is allowed in the current policy + #!!!! This av rule may have been overridden by an extended permission av rule + allow sshd_t user_devpts_t:chr_file ioctl; + + #============= user_t ============== + + #!!!! This avc is allowed in the current policy + #!!!! This av rule may have been overridden by an extended permission av rule + allow user_t devtty_t:chr_file ioctl; + + #!!!! This avc is allowed in the current policy + #!!!! This av rule may have been overridden by an extended permission av rule + allow user_t user_devpts_t:chr_file ioctl; + allowxperm sshd_t ptmx_t:chr_file ioctl { 0x5430-0x5431 0x5441 }; + allowxperm sshd_t sshd_devpts_t:chr_file ioctl 0x5401; + allowxperm sshd_t user_devpts_t:chr_file ioctl { 0x5401-0x5402 0x540e }; + allowxperm user_t user_devpts_t:chr_file ioctl { 0x4b33 0x5401 0x5403 0x540a 0x540f-0x5410 0x5413-0x5414 }; + allowxperm user_t devtty_t:chr_file ioctl 0x4b33; + +Changed: + + #============= sshd_t ============== + + #!!!! This avc is allowed in the current policy + #!!!! This av rule may have been overridden by an extended permission av rule + allow sshd_t ptmx_t:chr_file ioctl; + allowxperm sshd_t ptmx_t:chr_file ioctl { 0x5430-0x5431 0x5441 }; + + #!!!! 
This avc is allowed in the current policy + #!!!! This av rule may have been overridden by an extended permission av rule + allow sshd_t sshd_devpts_t:chr_file ioctl; + allowxperm sshd_t sshd_devpts_t:chr_file ioctl 0x5401; + + #!!!! This avc is allowed in the current policy + #!!!! This av rule may have been overridden by an extended permission av rule + allow sshd_t user_devpts_t:chr_file ioctl; + allowxperm sshd_t user_devpts_t:chr_file ioctl { 0x5401-0x5402 0x540e }; + + #============= user_t ============== + + #!!!! This avc is allowed in the current policy + #!!!! This av rule may have been overridden by an extended permission av rule + allow user_t devtty_t:chr_file ioctl; + allowxperm user_t devtty_t:chr_file ioctl 0x4b33; + + #!!!! This avc is allowed in the current policy + #!!!! This av rule may have been overridden by an extended permission av rule + allow user_t user_devpts_t:chr_file ioctl; + allowxperm user_t user_devpts_t:chr_file ioctl { 0x4b33 0x5401 0x5403 0x540a 0x540f-0x5410 0x5413-0x5414 }; + +Signed-off-by: Christian Göttsche +Acked-by: Stephen Smalley +--- + python/sepolgen/src/sepolgen/output.py | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/python/sepolgen/src/sepolgen/output.py b/python/sepolgen/src/sepolgen/output.py +index 3a21b64c19f7..aeeaafc889e7 100644 +--- a/python/sepolgen/src/sepolgen/output.py ++++ b/python/sepolgen/src/sepolgen/output.py +@@ -84,7 +84,7 @@ def avrule_cmp(a, b): + return ret + + # At this point, who cares - just return something +- return cmp(len(a.perms), len(b.perms)) ++ return 0 + + # Compare two interface calls + def ifcall_cmp(a, b): +@@ -100,7 +100,7 @@ def rule_cmp(a, b): + else: + return id_set_cmp([a.args[0]], b.src_types) + else: +- if isinstance(b, refpolicy.AVRule): ++ if isinstance(b, refpolicy.AVRule) or isinstance(b, refpolicy.AVExtRule): + return avrule_cmp(a,b) + else: + return id_set_cmp(a.src_types, [b.args[0]]) +@@ -130,6 +130,7 @@ def sort_filter(module): + # we 
assume is the first argument for interfaces). + rules = [] + rules.extend(node.avrules()) ++ rules.extend(node.avextrules()) + rules.extend(node.interface_calls()) + rules.sort(key=util.cmp_to_key(rule_cmp)) + +-- +2.29.0 + diff --git a/0006-newrole-support-cross-compilation-with-PAM-and-audit.patch b/0006-newrole-support-cross-compilation-with-PAM-and-audit.patch new file mode 100644 index 0000000..cb555fc --- /dev/null +++ b/0006-newrole-support-cross-compilation-with-PAM-and-audit.patch @@ -0,0 +1,32 @@ +From 8bc865e1fe8f6f734b7306441ccbeec3b7c37f97 Mon Sep 17 00:00:00 2001 +From: Dominick Grift +Date: Tue, 1 Sep 2020 18:16:41 +0200 +Subject: [PATCH] newrole: support cross-compilation with PAM and audit + +Compilation of newrole with PAM and audit support currently requires that you have the respective headers installed on the host. Instead make the header location customizable to accomodate cross-compilation. + +Signed-off-by: Dominick Grift +Acked-by: Stephen Smalley +--- + policycoreutils/newrole/Makefile | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/policycoreutils/newrole/Makefile b/policycoreutils/newrole/Makefile +index 73ebd413da85..0e7ebce3dd56 100644 +--- a/policycoreutils/newrole/Makefile ++++ b/policycoreutils/newrole/Makefile +@@ -5,8 +5,9 @@ BINDIR ?= $(PREFIX)/bin + MANDIR ?= $(PREFIX)/share/man + ETCDIR ?= /etc + LOCALEDIR = $(DESTDIR)$(PREFIX)/share/locale +-PAMH ?= $(shell test -f /usr/include/security/pam_appl.h && echo y) +-AUDITH ?= $(shell test -f /usr/include/libaudit.h && echo y) ++INCLUDEDIR ?= $(PREFIX)/include ++PAMH ?= $(shell test -f $(INCLUDEDIR)/security/pam_appl.h && echo y) ++AUDITH ?= $(shell test -f $(INCLUDEDIR)/libaudit.h && echo y) + # Enable capabilities to permit newrole to generate audit records. + # This will make newrole a setuid root program. + # The capabilities used are: CAP_AUDIT_WRITE. +-- +2.29.0 + 
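Review bot: The pairing shown in the commit message (each `allow` immediately followed by its `allowxperm`) is not produced by the comparator — as far as the visible context shows, `avrule_cmp` now returns 0 for an AVRule and an AVExtRule that tie on the preceding comparisons — but by Python's stable sort preserving the order in which `sort_filter` builds the list, `rules.extend(node.avrules())` before the new `rules.extend(node.avextrules())`. That dependency is invisible at either site and should be stated at the new line, e.g. `# avextrules after avrules: rule_cmp ranks the pair equal, the stable sort keeps this order`. The dropped `cmp(len(a.perms), len(b.perms))` presumably also avoided a Python 3 NameError on `cmp` and an attribute lookup that AVExtRule may not support; if so, the comment above `return 0` could say that instead of "who cares". In `rule_cmp`, `isinstance(b, refpolicy.AVRule) or isinstance(b, refpolicy.AVExtRule)` reads better as `isinstance(b, (refpolicy.AVRule, refpolicy.AVExtRule))`. All three functions begin outside their hunks.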
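Review bot: `INCLUDEDIR ?= $(PREFIX)/include` only drives the `test -f` probes for pam_appl.h and libaudit.h; nothing in the hunk feeds it into CFLAGS, so the headers the cross compiler actually resolves come from its own sysroot, and the probe can answer `y` for a tree the compiler never looks at (or vice versa). A comment on the new line would spare the next cross-builder that surprise, e.g. `# INCLUDEDIR is probed for pam_appl.h/libaudit.h only; when cross-compiling point it at the target sysroot's include dir`. The `PREFIX` default and the CFLAGS definition are outside the hunk, so whether the new default still resolves to the old /usr/include cannot be confirmed from this patch.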
diff --git a/0001-sandbox-add-reset-to-Xephyr-as-it-works-better-with-.patch b/0007-sandbox-add-reset-to-Xephyr-as-it-works-better-with-.patch similarity index 92% rename from 0001-sandbox-add-reset-to-Xephyr-as-it-works-better-with-.patch rename to 0007-sandbox-add-reset-to-Xephyr-as-it-works-better-with-.patch index 51de0ba..1e50ba3 100644 --- a/0001-sandbox-add-reset-to-Xephyr-as-it-works-better-with-.patch +++ b/0007-sandbox-add-reset-to-Xephyr-as-it-works-better-with-.patch @@ -1,4 +1,4 @@ -From 269d3c64978af8053a84ecc54ab2adb7ee481d10 Mon Sep 17 00:00:00 2001 +From ea624dcc70d93867f23b94c368b8cf102269c13b Mon Sep 17 00:00:00 2001 From: Petr Lautrbach Date: Thu, 20 Aug 2015 12:58:41 +0200 Subject: [PATCH] sandbox: add -reset to Xephyr as it works better with it in @@ -22,5 +22,5 @@ index eaa500d08143..4774528027ef 100644 cat > ~/seremote << __EOF #!/bin/sh -- -2.23.0 +2.29.0 diff --git a/0002-Fix-STANDARD_FILE_CONTEXT-section-in-man-pages.patch b/0008-Fix-STANDARD_FILE_CONTEXT-section-in-man-pages.patch similarity index 94% rename from 0002-Fix-STANDARD_FILE_CONTEXT-section-in-man-pages.patch rename to 0008-Fix-STANDARD_FILE_CONTEXT-section-in-man-pages.patch index 3d6bd88..4779216 100644 --- a/0002-Fix-STANDARD_FILE_CONTEXT-section-in-man-pages.patch +++ b/0008-Fix-STANDARD_FILE_CONTEXT-section-in-man-pages.patch @@ -1,4 +1,4 @@ -From f8714034d527c1eb6bd698abcfd8f02d1542f648 Mon Sep 17 00:00:00 2001 +From 932c1244bc98d3a05a238f3f0b333cf8c429113b Mon Sep 17 00:00:00 2001 From: Dan Walsh Date: Mon, 21 Apr 2014 13:54:40 -0400 Subject: [PATCH] Fix STANDARD_FILE_CONTEXT section in man pages @@ -9,7 +9,7 @@ Signed-off-by: Miroslav Grepl 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py -index 442608191cc8..2ee9e37fde9f 100755 +index 3e8a3be907e3..a1d70623cff0 100755 --- a/python/sepolicy/sepolicy/manpage.py +++ b/python/sepolicy/sepolicy/manpage.py 
@@ -735,10 +735,13 @@ Default Defined Ports:""") @@ -42,5 +42,5 @@ index 442608191cc8..2ee9e37fde9f 100755 self.fd.write(r""" .I The following file types are defined for %(domainname)s: -- -2.23.0 +2.29.0 diff --git a/0003-If-there-is-no-executable-we-don-t-want-to-print-a-p.patch b/0009-If-there-is-no-executable-we-don-t-want-to-print-a-p.patch similarity index 87% rename from 0003-If-there-is-no-executable-we-don-t-want-to-print-a-p.patch rename to 0009-If-there-is-no-executable-we-don-t-want-to-print-a-p.patch index c761c89..4feebed 100644 --- a/0003-If-there-is-no-executable-we-don-t-want-to-print-a-p.patch +++ b/0009-If-there-is-no-executable-we-don-t-want-to-print-a-p.patch @@ -1,4 +1,4 @@ -From 73cfd014130f4a37b1db29d5a7b840bf414e8f19 Mon Sep 17 00:00:00 2001 +From ae3780eb560fa5f00a3dd591c8233c2a9068a348 Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Mon, 12 May 2014 14:11:22 +0200 Subject: [PATCH] If there is no executable we don't want to print a part of @@ -9,7 +9,7 @@ Subject: [PATCH] If there is no executable we don't want to print a part of 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py -index 2ee9e37fde9f..ec17fb145375 100755 +index a1d70623cff0..2d33eabb2536 100755 --- a/python/sepolicy/sepolicy/manpage.py +++ b/python/sepolicy/sepolicy/manpage.py @@ -793,7 +793,8 @@ SELinux %(domainname)s policy is very flexible allowing users to setup their %(d @@ -23,5 +23,5 @@ index 2ee9e37fde9f..ec17fb145375 100755 .B STANDARD FILE CONTEXT -- -2.23.0 +2.29.0 diff --git a/0004-Simplication-of-sepolicy-manpage-web-functionality.-.patch b/0010-Simplication-of-sepolicy-manpage-web-functionality.-.patch similarity index 97% rename from 0004-Simplication-of-sepolicy-manpage-web-functionality.-.patch rename to 0010-Simplication-of-sepolicy-manpage-web-functionality.-.patch index 8f0f939..1c08e06 100644 --- a/0004-Simplication-of-sepolicy-manpage-web-functionality.-.patch 
+++ b/0010-Simplication-of-sepolicy-manpage-web-functionality.-.patch @@ -1,4 +1,4 @@ -From 66766a7298065ae60819355f2b515fe3fcc248e3 Mon Sep 17 00:00:00 2001 +From 7d21b9f41c4d00f1e0499a64089a5e13a8f636ab Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Thu, 19 Feb 2015 17:45:15 +0100 Subject: [PATCH] Simplication of sepolicy-manpage web functionality. @@ -49,7 +49,7 @@ index e4540977d042..ad718797ca68 100644 def reinit(): diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py -index ec17fb145375..8c529ddb07cd 100755 +index 2d33eabb2536..acc77f368d95 100755 --- a/python/sepolicy/sepolicy/manpage.py +++ b/python/sepolicy/sepolicy/manpage.py @@ -149,10 +149,6 @@ def prettyprint(f, trim): @@ -165,5 +165,5 @@ index ec17fb145375..8c529ddb07cd 100755 if len(self.manpage_roles[letter]): fd.write(""" -- -2.23.0 +2.29.0 diff --git a/0005-We-want-to-remove-the-trailing-newline-for-etc-syste.patch b/0011-We-want-to-remove-the-trailing-newline-for-etc-syste.patch similarity index 91% rename from 0005-We-want-to-remove-the-trailing-newline-for-etc-syste.patch rename to 0011-We-want-to-remove-the-trailing-newline-for-etc-syste.patch index ebe33a1..aabb8f1 100644 --- a/0005-We-want-to-remove-the-trailing-newline-for-etc-syste.patch +++ b/0011-We-want-to-remove-the-trailing-newline-for-etc-syste.patch @@ -1,4 +1,4 @@ -From 59d6989beb341fb17f87b270e4fc8d55351d3a51 Mon Sep 17 00:00:00 2001 +From f0f030495dddb2e633403f360fdaaf6951da11ad Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Fri, 20 Feb 2015 16:42:01 +0100 Subject: [PATCH] We want to remove the trailing newline for @@ -22,5 +22,5 @@ index ad718797ca68..ea05d892bf3b 100644 system_release = "Misc" -- -2.23.0 +2.29.0 
diff --git a/0006-Fix-title-in-manpage.py-to-not-contain-online.patch b/0012-Fix-title-in-manpage.py-to-not-contain-online.patch similarity index 85% rename from 0006-Fix-title-in-manpage.py-to-not-contain-online.patch rename to 0012-Fix-title-in-manpage.py-to-not-contain-online.patch index 5bfb2f3..d057d9b 100644 --- a/0006-Fix-title-in-manpage.py-to-not-contain-online.patch +++ b/0012-Fix-title-in-manpage.py-to-not-contain-online.patch @@ -1,4 +1,4 @@ -From 600fda8edf440acc3e5b32a31a044b16d65cbef9 Mon Sep 17 00:00:00 2001 +From 4a18939d21c06d036f1063cbfd2d0b5ae9d0010f Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Fri, 20 Feb 2015 16:42:53 +0100 Subject: [PATCH] Fix title in manpage.py to not contain 'online'. @@ -8,7 +8,7 @@ Subject: [PATCH] Fix title in manpage.py to not contain 'online'. 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py -index 8c529ddb07cd..10e2c1745f8b 100755 +index acc77f368d95..4aeb3e2e51ba 100755 --- a/python/sepolicy/sepolicy/manpage.py +++ b/python/sepolicy/sepolicy/manpage.py @@ -220,7 +220,7 @@ class HTMLManPages: @@ -21,5 +21,5 @@ index 8c529ddb07cd..10e2c1745f8b 100755

SELinux man pages for %s

-- -2.23.0 +2.29.0 diff --git a/0007-Don-t-be-verbose-if-you-are-not-on-a-tty.patch b/0013-Don-t-be-verbose-if-you-are-not-on-a-tty.patch similarity index 82% rename from 0007-Don-t-be-verbose-if-you-are-not-on-a-tty.patch rename to 0013-Don-t-be-verbose-if-you-are-not-on-a-tty.patch index b685e9a..8b3d5c3 100644 --- a/0007-Don-t-be-verbose-if-you-are-not-on-a-tty.patch +++ b/0013-Don-t-be-verbose-if-you-are-not-on-a-tty.patch @@ -1,4 +1,4 @@ -From b45d202d954bad6cd4e96fe22d35677717e5eff9 Mon Sep 17 00:00:00 2001 +From ffe429b49874175f5ec1156e9c89e75cc67a0ddd Mon Sep 17 00:00:00 2001 From: Dan Walsh Date: Fri, 14 Feb 2014 12:32:12 -0500 Subject: [PATCH] Don't be verbose if you are not on a tty @@ -8,7 +8,7 @@ Subject: [PATCH] Don't be verbose if you are not on a tty 1 file changed, 1 insertion(+) diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles -index 5d7770348349..fd43aab0cb6a 100755 +index 30dadb4f4cb6..e73bb81c3336 100755 --- a/policycoreutils/scripts/fixfiles +++ b/policycoreutils/scripts/fixfiles @@ -108,6 +108,7 @@ exclude_dirs_from_relabelling() { @@ -20,5 +20,5 @@ index 5d7770348349..fd43aab0cb6a 100755 RPMFILES="" PREFC="" -- -2.23.0 +2.29.0 diff --git a/0008-sepolicy-Drop-old-interface-file_type_is_executable-.patch b/0014-sepolicy-Drop-old-interface-file_type_is_executable-.patch similarity index 94% rename from 0008-sepolicy-Drop-old-interface-file_type_is_executable-.patch rename to 0014-sepolicy-Drop-old-interface-file_type_is_executable-.patch index 6f610e0..a365fc3 100644 --- a/0008-sepolicy-Drop-old-interface-file_type_is_executable-.patch +++ b/0014-sepolicy-Drop-old-interface-file_type_is_executable-.patch @@ -1,4 +1,4 @@ -From 61fcb9e5af82482d79c9e9edacb1a7f30686ee4a Mon Sep 17 00:00:00 2001 +From 4a337405da16857dc2a979e4b4963a6fd7b975c6 Mon Sep 17 00:00:00 2001 From: Petr Lautrbach Date: Mon, 27 Feb 2017 17:12:39 +0100 Subject: [PATCH] sepolicy: Drop old interface file_type_is_executable(f) and 
@@ -11,7 +11,7 @@ Subject: [PATCH] sepolicy: Drop old interface file_type_is_executable(f) and 1 file changed, 20 insertions(+), 2 deletions(-) diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py -index 10e2c1745f8b..9a4b24743aca 100755 +index 4aeb3e2e51ba..330b055af214 100755 --- a/python/sepolicy/sepolicy/manpage.py +++ b/python/sepolicy/sepolicy/manpage.py @@ -125,8 +125,24 @@ def gen_domains(): @@ -59,5 +59,5 @@ index 10e2c1745f8b..9a4b24743aca 100755 if f in self.fcdict: mpaths = mpaths + self.fcdict[f]["regex"] -- -2.23.0 +2.29.0 diff --git a/0009-sepolicy-Another-small-optimization-for-mcs-types.patch b/0015-sepolicy-Another-small-optimization-for-mcs-types.patch similarity index 94% rename from 0009-sepolicy-Another-small-optimization-for-mcs-types.patch rename to 0015-sepolicy-Another-small-optimization-for-mcs-types.patch index 50a5148..52ab467 100644 --- a/0009-sepolicy-Another-small-optimization-for-mcs-types.patch +++ b/0015-sepolicy-Another-small-optimization-for-mcs-types.patch @@ -1,4 +1,4 @@ -From 15d2491e3c455f740a20eaf93f2c6a9b89e79d7a Mon Sep 17 00:00:00 2001 +From 7c315fff5e7ce74b0598b62d9aa0b21ca6b06b6d Mon Sep 17 00:00:00 2001 From: Petr Lautrbach Date: Tue, 28 Feb 2017 21:29:46 +0100 Subject: [PATCH] sepolicy: Another small optimization for mcs types @@ -8,7 +8,7 @@ Subject: [PATCH] sepolicy: Another small optimization for mcs types 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py -index 9a4b24743aca..736ae13b0524 100755 +index 330b055af214..f8584436960d 100755 --- a/python/sepolicy/sepolicy/manpage.py +++ b/python/sepolicy/sepolicy/manpage.py @@ -142,6 +142,15 @@ def _gen_entry_types(): @@ -49,5 +49,5 @@ index 9a4b24743aca..736ae13b0524 100755 self.fd.write (""" .SH "MCS Constrained" -- -2.23.0 +2.29.0 
diff --git a/0010-Move-po-translation-files-into-the-right-sub-directo.patch b/0016-Move-po-translation-files-into-the-right-sub-directo.patch similarity index 99% rename from 0010-Move-po-translation-files-into-the-right-sub-directo.patch rename to 0016-Move-po-translation-files-into-the-right-sub-directo.patch index b6b05c9..e6eba22 100644 --- a/0010-Move-po-translation-files-into-the-right-sub-directo.patch +++ b/0016-Move-po-translation-files-into-the-right-sub-directo.patch @@ -1,4 +1,4 @@ -From 8e02b757f90827f4e850b732ccea32c2897036a8 Mon Sep 17 00:00:00 2001 +From a07e9652785c6196d916dfca3d36c898959406b4 Mon Sep 17 00:00:00 2001 From: Petr Lautrbach Date: Mon, 6 Aug 2018 13:23:00 +0200 Subject: [PATCH] Move po/ translation files into the right sub-directories @@ -511,5 +511,5 @@ index 000000000000..deff3f2f4656 @@ -0,0 +1 @@ +../sandbox -- -2.23.0 +2.29.0 diff --git a/0011-Use-correct-gettext-domains-in-python-gui-sandbox.patch b/0017-Use-correct-gettext-domains-in-python-gui-sandbox.patch similarity index 99% rename from 0011-Use-correct-gettext-domains-in-python-gui-sandbox.patch rename to 0017-Use-correct-gettext-domains-in-python-gui-sandbox.patch index e45dc9d..8d5bf3c 100644 --- a/0011-Use-correct-gettext-domains-in-python-gui-sandbox.patch +++ b/0017-Use-correct-gettext-domains-in-python-gui-sandbox.patch @@ -1,4 +1,4 @@ -From c19dde7c189cba536d79331baff24d987b3fae4d Mon Sep 17 00:00:00 2001 +From eab0fc05a38ab2cd47b3e0ff69981850cc7cd538 Mon Sep 17 00:00:00 2001 From: Petr Lautrbach Date: Mon, 6 Aug 2018 13:37:07 +0200 Subject: [PATCH] Use correct gettext domains in python/ gui/ sandbox/ @@ -302,5 +302,5 @@ index ca5f1e030a51..16c43b51eaaa 100644 import gettext kwargs = {} -- -2.26.2 +2.29.0 
diff --git a/0012-Initial-.pot-files-for-gui-python-sandbox.patch b/0018-Initial-.pot-files-for-gui-python-sandbox.patch similarity index 99% rename from 0012-Initial-.pot-files-for-gui-python-sandbox.patch rename to 0018-Initial-.pot-files-for-gui-python-sandbox.patch index ed68ad5..4bc6e55 100644 --- a/0012-Initial-.pot-files-for-gui-python-sandbox.patch +++ b/0018-Initial-.pot-files-for-gui-python-sandbox.patch @@ -1,4 +1,4 @@ -From 8384f31cdcf0afd2b13f93f4e8bc42254b4b7928 Mon Sep 17 00:00:00 2001 +From ffca591cb3055c4962cdc968662bd52bb876e640 Mon Sep 17 00:00:00 2001 From: Petr Lautrbach Date: Mon, 6 Aug 2018 14:23:19 +0200 Subject: [PATCH] Initial .pot files for gui/ python/ sandbox/ @@ -4528,5 +4528,5 @@ index 000000000000..328b4f0159d3 +msgid "Invalid value %s" +msgstr "" -- -2.23.0 +2.29.0 diff --git a/0013-policycoreutils-setfiles-Improve-description-of-d-sw.patch b/0019-policycoreutils-setfiles-Improve-description-of-d-sw.patch similarity index 93% rename from 0013-policycoreutils-setfiles-Improve-description-of-d-sw.patch rename to 0019-policycoreutils-setfiles-Improve-description-of-d-sw.patch index 6379d4f..08681fc 100644 --- a/0013-policycoreutils-setfiles-Improve-description-of-d-sw.patch +++ b/0019-policycoreutils-setfiles-Improve-description-of-d-sw.patch @@ -1,4 +1,4 @@ -From 38586b84c3bae778883e43d72700ef1491abae17 Mon Sep 17 00:00:00 2001 +From 4277ef04de699e1939c95c4813de6a78d1ea1656 Mon Sep 17 00:00:00 2001 From: Vit Mojzis Date: Wed, 21 Mar 2018 08:51:31 +0100 Subject: [PATCH] policycoreutils/setfiles: Improve description of -d switch @@ -26,5 +26,5 @@ index e328a5628682..02e0960289d3 100644 .BI \-e \ directory directory to exclude (repeat option for more than one directory). -- -2.26.2 +2.29.0 
diff --git a/0014-sepolicy-generate-Handle-more-reserved-port-types.patch b/0020-sepolicy-generate-Handle-more-reserved-port-types.patch similarity index 96% rename from 0014-sepolicy-generate-Handle-more-reserved-port-types.patch rename to 0020-sepolicy-generate-Handle-more-reserved-port-types.patch index 90be182..e77da11 100644 --- a/0014-sepolicy-generate-Handle-more-reserved-port-types.patch +++ b/0020-sepolicy-generate-Handle-more-reserved-port-types.patch @@ -1,4 +1,4 @@ -From f2625885226a65df2b0d7f825bafe462a6454c49 Mon Sep 17 00:00:00 2001 +From fa94b0faf12a79158d971f363e8ec65227d67de3 Mon Sep 17 00:00:00 2001 From: Masatake YAMATO Date: Thu, 14 Dec 2017 15:57:58 +0900 Subject: [PATCH] sepolicy-generate: Handle more reserved port types @@ -52,7 +52,7 @@ https://lore.kernel.org/selinux/20150610.190635.1866127952891120915.yamato@redha 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/python/sepolicy/sepolicy/generate.py b/python/sepolicy/sepolicy/generate.py -index 744ee13f692d..a6309783e85e 100644 +index 43180ca6fda4..d60a08e1d72c 100644 --- a/python/sepolicy/sepolicy/generate.py +++ b/python/sepolicy/sepolicy/generate.py @@ -99,7 +99,9 @@ def get_all_ports(): @@ -67,5 +67,5 @@ index 744ee13f692d..a6309783e85e 100644 dict[(p['low'], p['high'], p['protocol'])] = (p['type'], p.get('range')) return dict -- -2.23.0 +2.29.0 diff --git a/0015-semodule-utils-Fix-RESOURCE_LEAK-coverity-scan-defec.patch b/0021-semodule-utils-Fix-RESOURCE_LEAK-coverity-scan-defec.patch similarity index 90% rename from 0015-semodule-utils-Fix-RESOURCE_LEAK-coverity-scan-defec.patch rename to 0021-semodule-utils-Fix-RESOURCE_LEAK-coverity-scan-defec.patch index 662d230..930c670 100644 --- a/0015-semodule-utils-Fix-RESOURCE_LEAK-coverity-scan-defec.patch +++ b/0021-semodule-utils-Fix-RESOURCE_LEAK-coverity-scan-defec.patch 
@@ -1,4 +1,4 @@ -From 6f510c03e54b0058b74fabae6489099f5369a957 Mon Sep 17 00:00:00 2001 +From 122e35c4d11b5b623e8bc463f81c6792385523cb Mon Sep 17 00:00:00 2001 From: Petr Lautrbach Date: Thu, 8 Nov 2018 09:20:58 +0100 Subject: [PATCH] semodule-utils: Fix RESOURCE_LEAK coverity scan defects @@ -20,5 +20,5 @@ index 3515234e36de..7b75b3fd9bb4 100644 } -- -2.23.0 +2.29.0 diff --git a/0016-sandbox-Use-matchbox-window-manager-instead-of-openb.patch b/0022-sandbox-Use-matchbox-window-manager-instead-of-openb.patch similarity index 97% rename from 0016-sandbox-Use-matchbox-window-manager-instead-of-openb.patch rename to 0022-sandbox-Use-matchbox-window-manager-instead-of-openb.patch index 7adede7..187f564 100644 --- a/0016-sandbox-Use-matchbox-window-manager-instead-of-openb.patch +++ b/0022-sandbox-Use-matchbox-window-manager-instead-of-openb.patch @@ -1,4 +1,4 @@ -From 7afddf20e889731126fda14b2fa713a367d9dd84 Mon Sep 17 00:00:00 2001 +From e63814eb18bdbb48a7e6bf79b17d79d6a9ca56d6 Mon Sep 17 00:00:00 2001 From: Petr Lautrbach Date: Wed, 18 Jul 2018 09:09:35 +0200 Subject: [PATCH] sandbox: Use matchbox-window-manager instead of openbox @@ -70,5 +70,5 @@ index 4774528027ef..c211ebc14549 100644 export DISPLAY=:$D cat > ~/seremote << __EOF -- -2.23.0 +2.29.0 diff --git a/policycoreutils.spec b/policycoreutils.spec index aef9a52..c037530 100644 --- a/policycoreutils.spec +++ b/policycoreutils.spec @@ -1,8 +1,8 @@ %global libauditver 3.0 -%global libsepolver 3.1 -%global libsemanagever 3.1 -%global libselinuxver 3.1 -%global sepolgenver 3.1 +%global libsepolver 3.1-4 +%global libsemanagever 3.1-4 +%global libselinuxver 3.1-4 +%global sepolgenver 3.1-4 %global generatorsdir %{_prefix}/lib/systemd/system-generators 
@@ -38,22 +38,29 @@ Source23: sandbox-po.tgz # $ git format-patch -N 20200710 -- policycoreutils python gui sandbox dbus semodule-utils restorecond # $ for j in [0-9]*.patch; do printf "Patch%s: %s\n" ${j/-*/} $j; done # Patch list start -Patch0001: 0001-sandbox-add-reset-to-Xephyr-as-it-works-better-with-.patch -Patch0002: 0002-Fix-STANDARD_FILE_CONTEXT-section-in-man-pages.patch -Patch0003: 0003-If-there-is-no-executable-we-don-t-want-to-print-a-p.patch -Patch0004: 0004-Simplication-of-sepolicy-manpage-web-functionality.-.patch -Patch0005: 0005-We-want-to-remove-the-trailing-newline-for-etc-syste.patch -Patch0006: 0006-Fix-title-in-manpage.py-to-not-contain-online.patch -Patch0007: 0007-Don-t-be-verbose-if-you-are-not-on-a-tty.patch -Patch0008: 0008-sepolicy-Drop-old-interface-file_type_is_executable-.patch -Patch0009: 0009-sepolicy-Another-small-optimization-for-mcs-types.patch -Patch0010: 0010-Move-po-translation-files-into-the-right-sub-directo.patch -Patch0011: 0011-Use-correct-gettext-domains-in-python-gui-sandbox.patch -Patch0012: 0012-Initial-.pot-files-for-gui-python-sandbox.patch -Patch0013: 0013-policycoreutils-setfiles-Improve-description-of-d-sw.patch -Patch0014: 0014-sepolicy-generate-Handle-more-reserved-port-types.patch -Patch0015: 0015-semodule-utils-Fix-RESOURCE_LEAK-coverity-scan-defec.patch -Patch0016: 0016-sandbox-Use-matchbox-window-manager-instead-of-openb.patch +Patch0001: 0001-python-audit2allow-add-include-limits.h-to-sepolgen-.patch +Patch0002: 0002-restorecond-Set-X-GNOME-HiddenUnderSystemd-true-in-r.patch +Patch0003: 0003-fixfiles-correctly-restore-context-of-mountpoints.patch +Patch0004: 0004-sepolgen-print-extended-permissions-in-hexadecimal.patch +Patch0005: 0005-sepolgen-sort-extended-rules-like-normal-ones.patch +Patch0006: 0006-newrole-support-cross-compilation-with-PAM-and-audit.patch +Patch0007: 0007-sandbox-add-reset-to-Xephyr-as-it-works-better-with-.patch +Patch0008: 0008-Fix-STANDARD_FILE_CONTEXT-section-in-man-pages.patch 
+Patch0009: 0009-If-there-is-no-executable-we-don-t-want-to-print-a-p.patch +Patch0010: 0010-Simplication-of-sepolicy-manpage-web-functionality.-.patch +Patch0011: 0011-We-want-to-remove-the-trailing-newline-for-etc-syste.patch +Patch0012: 0012-Fix-title-in-manpage.py-to-not-contain-online.patch +Patch0013: 0013-Don-t-be-verbose-if-you-are-not-on-a-tty.patch +Patch0014: 0014-sepolicy-Drop-old-interface-file_type_is_executable-.patch +Patch0015: 0015-sepolicy-Another-small-optimization-for-mcs-types.patch +Patch0016: 0016-Move-po-translation-files-into-the-right-sub-directo.patch +Patch0017: 0017-Use-correct-gettext-domains-in-python-gui-sandbox.patch +Patch0018: 0018-Initial-.pot-files-for-gui-python-sandbox.patch +Patch0019: 0019-policycoreutils-setfiles-Improve-description-of-d-sw.patch +Patch0020: 0020-sepolicy-generate-Handle-more-reserved-port-types.patch +Patch0021: 0021-semodule-utils-Fix-RESOURCE_LEAK-coverity-scan-defec.patch +Patch0022: 0022-sandbox-Use-matchbox-window-manager-instead-of-openb.patch +Patch0023: 0023-sepolicy-Fix-flake8-warnings-in-Fedora-only-code.patch # Patch list end Obsoletes: policycoreutils < 2.0.61-2
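Review bot: `Patch0023: 0023-sepolicy-Fix-flake8-warnings-in-Fedora-only-code.patch` is added to the list, but the renamed patch files visible on this page stop at `0022-sandbox-Use-matchbox-window-manager-instead-of-openb.patch` and no diff creating a 0023 file appears; unless that file is already tracked in the repository, rpmbuild will fail at %prep with a missing source, so either commit the file together with this change or drop the line. The generator comment kept as context, `# $ git format-patch -N 20200710 -- policycoreutils python gui sandbox dbus semodule-utils restorecond`, still names 20200710 as the base even though the regenerated patches carry new upstream blob hashes (e.g. `+index 30dadb4f4cb6..e73bb81c3336` in 0013), so the recorded recipe no longer reproduces the series; update it to the upstream commit the patches were actually generated against. This Patch list is presumably what %prep applies into the build, so keeping the list, the files and the generator line consistent is what lets a reviewer re-derive the carried patches from upstream instead of trusting them blind.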