Rebase on db0f2f382e31 at SELinuxProject
- Build with libsepol.so.1 and libsemanage.so.2 - Set X-GNOME-HiddenUnderSystemd=true in restorecond.desktop file - fixfiles: correctly restore context of mountpoints - sepolgen: print extended permissions in hexadecimal
parent
d151b2c053
commit
c65daa990e
@ -0,0 +1,34 @@
|
|||||||
|
From ccd973f721c48945fc706d8fef6b396580853a9f Mon Sep 17 00:00:00 2001
|
||||||
|
From: "W. Michael Petullo" <mike@flyn.org>
|
||||||
|
Date: Thu, 16 Jul 2020 15:29:20 -0500
|
||||||
|
Subject: [PATCH] python/audit2allow: add #include <limits.h> to
|
||||||
|
sepolgen-ifgen-attr-helper.c
|
||||||
|
|
||||||
|
I found that building on OpenWrt/musl failed with:
|
||||||
|
|
||||||
|
sepolgen-ifgen-attr-helper.c:152:16: error: 'PATH_MAX' undeclared ...
|
||||||
|
|
||||||
|
Musl is less "generous" than glibc in recursively including header
|
||||||
|
files, and I suspect this is the reason for this error. Explicitly
|
||||||
|
including limits.h fixes the problem.
|
||||||
|
|
||||||
|
Signed-off-by: W. Michael Petullo <mike@flyn.org>
|
||||||
|
---
|
||||||
|
python/audit2allow/sepolgen-ifgen-attr-helper.c | 1 +
|
||||||
|
1 file changed, 1 insertion(+)
|
||||||
|
|
||||||
|
diff --git a/python/audit2allow/sepolgen-ifgen-attr-helper.c b/python/audit2allow/sepolgen-ifgen-attr-helper.c
|
||||||
|
index 53f20818722a..f010c9584c1f 100644
|
||||||
|
--- a/python/audit2allow/sepolgen-ifgen-attr-helper.c
|
||||||
|
+++ b/python/audit2allow/sepolgen-ifgen-attr-helper.c
|
||||||
|
@@ -28,6 +28,7 @@
|
||||||
|
|
||||||
|
#include <selinux/selinux.h>
|
||||||
|
|
||||||
|
+#include <limits.h>
|
||||||
|
#include <stdio.h>
|
||||||
|
#include <sys/types.h>
|
||||||
|
#include <sys/stat.h>
|
||||||
|
--
|
||||||
|
2.29.0
|
||||||
|
|
@ -0,0 +1,26 @@
|
|||||||
|
From 9e2b8c61bfd275d0f007a736721c557755edf4a0 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Laurent Bigonville <bigon@bigon.be>
|
||||||
|
Date: Thu, 16 Jul 2020 14:22:13 +0200
|
||||||
|
Subject: [PATCH] restorecond: Set X-GNOME-HiddenUnderSystemd=true in
|
||||||
|
restorecond.desktop file
|
||||||
|
|
||||||
|
This completely inactivate the .desktop file incase the user session is
|
||||||
|
managed by systemd as restorecond also provide a service file
|
||||||
|
|
||||||
|
Signed-off-by: Laurent Bigonville <bigon@bigon.be>
|
||||||
|
---
|
||||||
|
restorecond/restorecond.desktop | 1 +
|
||||||
|
1 file changed, 1 insertion(+)
|
||||||
|
|
||||||
|
diff --git a/restorecond/restorecond.desktop b/restorecond/restorecond.desktop
|
||||||
|
index af7286801c24..7df854727a3f 100644
|
||||||
|
--- a/restorecond/restorecond.desktop
|
||||||
|
+++ b/restorecond/restorecond.desktop
|
||||||
|
@@ -5,3 +5,4 @@ Comment=Fix file context in owned by the user
|
||||||
|
Type=Application
|
||||||
|
StartupNotify=false
|
||||||
|
X-GNOME-Autostart-enabled=false
|
||||||
|
+X-GNOME-HiddenUnderSystemd=true
|
||||||
|
--
|
||||||
|
2.29.0
|
||||||
|
|
136
0003-fixfiles-correctly-restore-context-of-mountpoints.patch
Normal file
@ -0,0 +1,136 @@
|
|||||||
|
From ba2d6c10635a021d2b1a5fc2123fde13b04295a5 Mon Sep 17 00:00:00 2001
|
||||||
|
From: bauen1 <j2468h@googlemail.com>
|
||||||
|
Date: Thu, 6 Aug 2020 16:48:36 +0200
|
||||||
|
Subject: [PATCH] fixfiles: correctly restore context of mountpoints
|
||||||
|
|
||||||
|
By bind mounting every filesystem we want to relabel we can access all
|
||||||
|
files without anything hidden due to active mounts.
|
||||||
|
|
||||||
|
This comes at the cost of user experience, because setfiles only
|
||||||
|
displays the percentage if no path is given or the path is /
|
||||||
|
|
||||||
|
Signed-off-by: Jonathan Hettwer <j2468h@gmail.com>
|
||||||
|
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
|
||||||
|
---
|
||||||
|
policycoreutils/scripts/fixfiles | 29 +++++++++++++++++++++++++----
|
||||||
|
policycoreutils/scripts/fixfiles.8 | 8 ++++++--
|
||||||
|
2 files changed, 31 insertions(+), 6 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles
|
||||||
|
index 5d7770348349..30dadb4f4cb6 100755
|
||||||
|
--- a/policycoreutils/scripts/fixfiles
|
||||||
|
+++ b/policycoreutils/scripts/fixfiles
|
||||||
|
@@ -112,6 +112,7 @@ FORCEFLAG=""
|
||||||
|
RPMFILES=""
|
||||||
|
PREFC=""
|
||||||
|
RESTORE_MODE=""
|
||||||
|
+BIND_MOUNT_FILESYSTEMS=""
|
||||||
|
SETFILES=/sbin/setfiles
|
||||||
|
RESTORECON=/sbin/restorecon
|
||||||
|
FILESYSTEMSRW=`get_rw_labeled_mounts`
|
||||||
|
@@ -243,7 +244,23 @@ case "$RESTORE_MODE" in
|
||||||
|
if [ -n "${FILESYSTEMSRW}" ]; then
|
||||||
|
LogReadOnly
|
||||||
|
echo "${OPTION}ing `echo ${FILESYSTEMSRW}`"
|
||||||
|
- ${SETFILES} ${VERBOSE} ${EXCLUDEDIRS} ${FORCEFLAG} $* -q ${FC} ${FILESYSTEMSRW}
|
||||||
|
+
|
||||||
|
+ if [ -z "$BIND_MOUNT_FILESYSTEMS" ]; then
|
||||||
|
+ ${SETFILES} ${VERBOSE} ${EXCLUDEDIRS} ${FORCEFLAG} $* -q ${FC} ${FILESYSTEMSRW}
|
||||||
|
+ else
|
||||||
|
+ # we bind mount so we can fix the labels of files that have already been
|
||||||
|
+ # mounted over
|
||||||
|
+ for m in `echo $FILESYSTEMSRW`; do
|
||||||
|
+ TMP_MOUNT="$(mktemp -d)"
|
||||||
|
+ test -z ${TMP_MOUNT+x} && echo "Unable to find temporary directory!" && exit 1
|
||||||
|
+
|
||||||
|
+ mkdir -p "${TMP_MOUNT}${m}" || exit 1
|
||||||
|
+ mount --bind "${m}" "${TMP_MOUNT}${m}" || exit 1
|
||||||
|
+ ${SETFILES} ${VERBOSE} ${EXCLUDEDIRS} ${FORCEFLAG} $* -q ${FC} -r "${TMP_MOUNT}" "${TMP_MOUNT}${m}"
|
||||||
|
+ umount "${TMP_MOUNT}${m}" || exit 1
|
||||||
|
+ rm -rf "${TMP_MOUNT}" || echo "Error cleaning up."
|
||||||
|
+ done;
|
||||||
|
+ fi
|
||||||
|
else
|
||||||
|
echo >&2 "fixfiles: No suitable file systems found"
|
||||||
|
fi
|
||||||
|
@@ -313,6 +330,7 @@ case "$1" in
|
||||||
|
> /.autorelabel || exit $?
|
||||||
|
[ -z "$FORCEFLAG" ] || echo -n "$FORCEFLAG " >> /.autorelabel
|
||||||
|
[ -z "$BOOTTIME" ] || echo -N $BOOTTIME >> /.autorelabel
|
||||||
|
+ [ -z "$BIND_MOUNT_FILESYSTEMS" ] || echo "-M" >> /.autorelabel
|
||||||
|
# Force full relabel if SELinux is not enabled
|
||||||
|
selinuxenabled || echo -F > /.autorelabel
|
||||||
|
echo "System will relabel on next boot"
|
||||||
|
@@ -324,7 +342,7 @@ esac
|
||||||
|
}
|
||||||
|
usage() {
|
||||||
|
echo $"""
|
||||||
|
-Usage: $0 [-v] [-F] [-f] relabel
|
||||||
|
+Usage: $0 [-v] [-F] [-M] [-f] relabel
|
||||||
|
or
|
||||||
|
Usage: $0 [-v] [-F] [-B | -N time ] { check | restore | verify }
|
||||||
|
or
|
||||||
|
@@ -334,7 +352,7 @@ Usage: $0 [-v] [-F] -R rpmpackage[,rpmpackage...] { check | restore | verify }
|
||||||
|
or
|
||||||
|
Usage: $0 [-v] [-F] -C PREVIOUS_FILECONTEXT { check | restore | verify }
|
||||||
|
or
|
||||||
|
-Usage: $0 [-F] [-B] onboot
|
||||||
|
+Usage: $0 [-F] [-M] [-B] onboot
|
||||||
|
"""
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -353,7 +371,7 @@ set_restore_mode() {
|
||||||
|
}
|
||||||
|
|
||||||
|
# See how we were called.
|
||||||
|
-while getopts "N:BC:FfR:l:v" i; do
|
||||||
|
+while getopts "N:BC:FfR:l:vM" i; do
|
||||||
|
case "$i" in
|
||||||
|
B)
|
||||||
|
BOOTTIME=`/bin/who -b | awk '{print $3}'`
|
||||||
|
@@ -379,6 +397,9 @@ while getopts "N:BC:FfR:l:v" i; do
|
||||||
|
echo "Redirecting output to $OPTARG"
|
||||||
|
exec >>"$OPTARG" 2>&1
|
||||||
|
;;
|
||||||
|
+ M)
|
||||||
|
+ BIND_MOUNT_FILESYSTEMS="-M"
|
||||||
|
+ ;;
|
||||||
|
F)
|
||||||
|
FORCEFLAG="-F"
|
||||||
|
;;
|
||||||
|
diff --git a/policycoreutils/scripts/fixfiles.8 b/policycoreutils/scripts/fixfiles.8
|
||||||
|
index 9f447f03d444..123425308416 100644
|
||||||
|
--- a/policycoreutils/scripts/fixfiles.8
|
||||||
|
+++ b/policycoreutils/scripts/fixfiles.8
|
||||||
|
@@ -6,7 +6,7 @@ fixfiles \- fix file SELinux security contexts.
|
||||||
|
.na
|
||||||
|
|
||||||
|
.B fixfiles
|
||||||
|
-.I [\-v] [\-F] [\-f] relabel
|
||||||
|
+.I [\-v] [\-F] [-M] [\-f] relabel
|
||||||
|
|
||||||
|
.B fixfiles
|
||||||
|
.I [\-v] [\-F] { check | restore | verify } dir/file ...
|
||||||
|
@@ -21,7 +21,7 @@ fixfiles \- fix file SELinux security contexts.
|
||||||
|
.I [\-v] [\-F] \-C PREVIOUS_FILECONTEXT { check | restore | verify }
|
||||||
|
|
||||||
|
.B fixfiles
|
||||||
|
-.I [-F] [-B] onboot
|
||||||
|
+.I [-F] [-M] [-B] onboot
|
||||||
|
|
||||||
|
.ad
|
||||||
|
|
||||||
|
@@ -68,6 +68,10 @@ Run a diff on the PREVIOUS_FILECONTEXT file to the currently installed one, and
|
||||||
|
Only act on files created after the specified date. Date must be specified in
|
||||||
|
"YYYY\-MM\-DD HH:MM" format. Date field will be passed to find \-\-newermt command.
|
||||||
|
|
||||||
|
+.TP
|
||||||
|
+.B \-M
|
||||||
|
+Bind mount filesystems before relabeling them, this allows fixing the context of files or directories that have been mounted over.
|
||||||
|
+
|
||||||
|
.TP
|
||||||
|
.B -v
|
||||||
|
Modify verbosity from progress to verbose. (Run restorecon with \-v instead of \-p)
|
||||||
|
--
|
||||||
|
2.29.0
|
||||||
|
|
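Review bot: In the bind-mount loop added to fixfiles, `test -z ${TMP_MOUNT+x}` can never detect a failed `mktemp -d`, because the variable has just been assigned and `${TMP_MOUNT+x}` therefore always expands to `x`, even when the value is empty. With an empty TMP_MOUNT the following `mkdir -p`, `mount --bind` and `setfiles -r` would act on `${m}` itself instead of a private directory, so the command should be checked directly: `TMP_MOUNT="$(mktemp -d)" || exit 1`. The loop also leaves the temporary directory, and possibly the bind mount, behind when setfiles is interrupted or one of the `exit 1` paths is taken. An EXIT trap that unmounts and then removes only empty directories would be a safer cleanup than `rm -rf` next to a mount point. The enclosing `case "$RESTORE_MODE"` block starts and ends outside the hunk.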
112
0004-sepolgen-print-extended-permissions-in-hexadecimal.patch
Normal file
@ -0,0 +1,112 @@
|
|||||||
|
From 9e239e55692b578ba546b4dff2b07604a2ca6baa Mon Sep 17 00:00:00 2001
|
||||||
|
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
|
||||||
|
Date: Wed, 19 Aug 2020 17:05:33 +0200
|
||||||
|
Subject: [PATCH] sepolgen: print extended permissions in hexadecimal
|
||||||
|
MIME-Version: 1.0
|
||||||
|
Content-Type: text/plain; charset=UTF-8
|
||||||
|
Content-Transfer-Encoding: 8bit
|
||||||
|
|
||||||
|
All tools like ausearch(8) or sesearch(1) and online documentation[1]
|
||||||
|
use hexadecimal values for extended permissions.
|
||||||
|
Hence use them, e.g. for audit2allow output, as well.
|
||||||
|
|
||||||
|
[1]: https://github.com/strace/strace/blob/master/linux/64/ioctls_inc.h
|
||||||
|
|
||||||
|
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
|
||||||
|
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
|
||||||
|
---
|
||||||
|
python/sepolgen/src/sepolgen/refpolicy.py | 5 ++---
|
||||||
|
python/sepolgen/tests/test_access.py | 10 +++++-----
|
||||||
|
python/sepolgen/tests/test_refpolicy.py | 12 ++++++------
|
||||||
|
3 files changed, 13 insertions(+), 14 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/python/sepolgen/src/sepolgen/refpolicy.py b/python/sepolgen/src/sepolgen/refpolicy.py
|
||||||
|
index 43cecfc77385..747636875ef7 100644
|
||||||
|
--- a/python/sepolgen/src/sepolgen/refpolicy.py
|
||||||
|
+++ b/python/sepolgen/src/sepolgen/refpolicy.py
|
||||||
|
@@ -407,10 +407,9 @@ class XpermSet():
|
||||||
|
|
||||||
|
# print single value without braces
|
||||||
|
if len(self.ranges) == 1 and self.ranges[0][0] == self.ranges[0][1]:
|
||||||
|
- return compl + str(self.ranges[0][0])
|
||||||
|
+ return compl + hex(self.ranges[0][0])
|
||||||
|
|
||||||
|
- vals = map(lambda x: str(x[0]) if x[0] == x[1] else "%s-%s" % x,
|
||||||
|
- self.ranges)
|
||||||
|
+ vals = map(lambda x: hex(x[0]) if x[0] == x[1] else "%s-%s" % (hex(x[0]), hex(x[1]), ), self.ranges)
|
||||||
|
|
||||||
|
return "%s{ %s }" % (compl, " ".join(vals))
|
||||||
|
|
||||||
|
diff --git a/python/sepolgen/tests/test_access.py b/python/sepolgen/tests/test_access.py
|
||||||
|
index 73a5407df617..623588e09aeb 100644
|
||||||
|
--- a/python/sepolgen/tests/test_access.py
|
||||||
|
+++ b/python/sepolgen/tests/test_access.py
|
||||||
|
@@ -171,7 +171,7 @@ class TestAccessVector(unittest.TestCase):
|
||||||
|
a.merge(b)
|
||||||
|
self.assertEqual(sorted(list(a.perms)), ["append", "read", "write"])
|
||||||
|
self.assertEqual(list(a.xperms.keys()), ["ioctl"])
|
||||||
|
- self.assertEqual(a.xperms["ioctl"].to_string(), "{ 42 12345 }")
|
||||||
|
+ self.assertEqual(a.xperms["ioctl"].to_string(), "{ 0x2a 0x3039 }")
|
||||||
|
|
||||||
|
def text_merge_xperm2(self):
|
||||||
|
"""Test merging AV that does not contain xperms with AV that does"""
|
||||||
|
@@ -185,7 +185,7 @@ class TestAccessVector(unittest.TestCase):
|
||||||
|
a.merge(b)
|
||||||
|
self.assertEqual(sorted(list(a.perms)), ["append", "read", "write"])
|
||||||
|
self.assertEqual(list(a.xperms.keys()), ["ioctl"])
|
||||||
|
- self.assertEqual(a.xperms["ioctl"].to_string(), "{ 42 12345 }")
|
||||||
|
+ self.assertEqual(a.xperms["ioctl"].to_string(), "{ 0x2a 0x3039 }")
|
||||||
|
|
||||||
|
def test_merge_xperm_diff_op(self):
|
||||||
|
"""Test merging two AVs that contain xperms with different operation"""
|
||||||
|
@@ -203,8 +203,8 @@ class TestAccessVector(unittest.TestCase):
|
||||||
|
a.merge(b)
|
||||||
|
self.assertEqual(list(a.perms), ["read"])
|
||||||
|
self.assertEqual(sorted(list(a.xperms.keys())), ["asdf", "ioctl"])
|
||||||
|
- self.assertEqual(a.xperms["asdf"].to_string(), "23")
|
||||||
|
- self.assertEqual(a.xperms["ioctl"].to_string(), "{ 42 12345 }")
|
||||||
|
+ self.assertEqual(a.xperms["asdf"].to_string(), "0x17")
|
||||||
|
+ self.assertEqual(a.xperms["ioctl"].to_string(), "{ 0x2a 0x3039 }")
|
||||||
|
|
||||||
|
def test_merge_xperm_same_op(self):
|
||||||
|
"""Test merging two AVs that contain xperms with same operation"""
|
||||||
|
@@ -222,7 +222,7 @@ class TestAccessVector(unittest.TestCase):
|
||||||
|
a.merge(b)
|
||||||
|
self.assertEqual(list(a.perms), ["read"])
|
||||||
|
self.assertEqual(list(a.xperms.keys()), ["ioctl"])
|
||||||
|
- self.assertEqual(a.xperms["ioctl"].to_string(), "{ 23 42 12345 }")
|
||||||
|
+ self.assertEqual(a.xperms["ioctl"].to_string(), "{ 0x17 0x2a 0x3039 }")
|
||||||
|
|
||||||
|
class TestUtilFunctions(unittest.TestCase):
|
||||||
|
def test_is_idparam(self):
|
||||||
|
diff --git a/python/sepolgen/tests/test_refpolicy.py b/python/sepolgen/tests/test_refpolicy.py
|
||||||
|
index 4b50c8aada96..c7219fd568e9 100644
|
||||||
|
--- a/python/sepolgen/tests/test_refpolicy.py
|
||||||
|
+++ b/python/sepolgen/tests/test_refpolicy.py
|
||||||
|
@@ -90,17 +90,17 @@ class TestXpermSet(unittest.TestCase):
|
||||||
|
a.complement = True
|
||||||
|
self.assertEqual(a.to_string(), "")
|
||||||
|
a.add(1234)
|
||||||
|
- self.assertEqual(a.to_string(), "~ 1234")
|
||||||
|
+ self.assertEqual(a.to_string(), "~ 0x4d2")
|
||||||
|
a.complement = False
|
||||||
|
- self.assertEqual(a.to_string(), "1234")
|
||||||
|
+ self.assertEqual(a.to_string(), "0x4d2")
|
||||||
|
a.add(2345)
|
||||||
|
- self.assertEqual(a.to_string(), "{ 1234 2345 }")
|
||||||
|
+ self.assertEqual(a.to_string(), "{ 0x4d2 0x929 }")
|
||||||
|
a.complement = True
|
||||||
|
- self.assertEqual(a.to_string(), "~ { 1234 2345 }")
|
||||||
|
+ self.assertEqual(a.to_string(), "~ { 0x4d2 0x929 }")
|
||||||
|
a.add(42,64)
|
||||||
|
- self.assertEqual(a.to_string(), "~ { 42-64 1234 2345 }")
|
||||||
|
+ self.assertEqual(a.to_string(), "~ { 0x2a-0x40 0x4d2 0x929 }")
|
||||||
|
a.complement = False
|
||||||
|
- self.assertEqual(a.to_string(), "{ 42-64 1234 2345 }")
|
||||||
|
+ self.assertEqual(a.to_string(), "{ 0x2a-0x40 0x4d2 0x929 }")
|
||||||
|
|
||||||
|
class TestSecurityContext(unittest.TestCase):
|
||||||
|
def test_init(self):
|
||||||
|
--
|
||||||
|
2.29.0
|
||||||
|
|
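Review bot: The updated expectation in the second test_access.py hunk (`@@ -185,7 +185,7 @@`) appears to sit inside `text_merge_xperm2`, whose `def` line is visible as context at the end of the first hunk. unittest only collects methods whose names start with `test`, so that assertion is probably never run and the hexadecimal output is unchecked for the case of merging an AV without xperms into one with xperms. Renaming it to `def test_merge_xperm2(self):` would make the changed line count. The method body starts outside the hunk, so its placement is inferred from the hunk line numbers.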
109
0005-sepolgen-sort-extended-rules-like-normal-ones.patch
Normal file
@ -0,0 +1,109 @@
|
|||||||
|
From 2a60de8eca6bd91e276b60441a5dc72d85c6eda3 Mon Sep 17 00:00:00 2001
|
||||||
|
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
|
||||||
|
Date: Wed, 19 Aug 2020 17:05:34 +0200
|
||||||
|
Subject: [PATCH] sepolgen: sort extended rules like normal ones
|
||||||
|
MIME-Version: 1.0
|
||||||
|
Content-Type: text/plain; charset=UTF-8
|
||||||
|
Content-Transfer-Encoding: 8bit
|
||||||
|
|
||||||
|
Currently:
|
||||||
|
|
||||||
|
#============= sshd_t ==============
|
||||||
|
|
||||||
|
#!!!! This avc is allowed in the current policy
|
||||||
|
#!!!! This av rule may have been overridden by an extended permission av rule
|
||||||
|
allow sshd_t ptmx_t:chr_file ioctl;
|
||||||
|
|
||||||
|
#!!!! This avc is allowed in the current policy
|
||||||
|
#!!!! This av rule may have been overridden by an extended permission av rule
|
||||||
|
allow sshd_t sshd_devpts_t:chr_file ioctl;
|
||||||
|
|
||||||
|
#!!!! This avc is allowed in the current policy
|
||||||
|
#!!!! This av rule may have been overridden by an extended permission av rule
|
||||||
|
allow sshd_t user_devpts_t:chr_file ioctl;
|
||||||
|
|
||||||
|
#============= user_t ==============
|
||||||
|
|
||||||
|
#!!!! This avc is allowed in the current policy
|
||||||
|
#!!!! This av rule may have been overridden by an extended permission av rule
|
||||||
|
allow user_t devtty_t:chr_file ioctl;
|
||||||
|
|
||||||
|
#!!!! This avc is allowed in the current policy
|
||||||
|
#!!!! This av rule may have been overridden by an extended permission av rule
|
||||||
|
allow user_t user_devpts_t:chr_file ioctl;
|
||||||
|
allowxperm sshd_t ptmx_t:chr_file ioctl { 0x5430-0x5431 0x5441 };
|
||||||
|
allowxperm sshd_t sshd_devpts_t:chr_file ioctl 0x5401;
|
||||||
|
allowxperm sshd_t user_devpts_t:chr_file ioctl { 0x5401-0x5402 0x540e };
|
||||||
|
allowxperm user_t user_devpts_t:chr_file ioctl { 0x4b33 0x5401 0x5403 0x540a 0x540f-0x5410 0x5413-0x5414 };
|
||||||
|
allowxperm user_t devtty_t:chr_file ioctl 0x4b33;
|
||||||
|
|
||||||
|
Changed:
|
||||||
|
|
||||||
|
#============= sshd_t ==============
|
||||||
|
|
||||||
|
#!!!! This avc is allowed in the current policy
|
||||||
|
#!!!! This av rule may have been overridden by an extended permission av rule
|
||||||
|
allow sshd_t ptmx_t:chr_file ioctl;
|
||||||
|
allowxperm sshd_t ptmx_t:chr_file ioctl { 0x5430-0x5431 0x5441 };
|
||||||
|
|
||||||
|
#!!!! This avc is allowed in the current policy
|
||||||
|
#!!!! This av rule may have been overridden by an extended permission av rule
|
||||||
|
allow sshd_t sshd_devpts_t:chr_file ioctl;
|
||||||
|
allowxperm sshd_t sshd_devpts_t:chr_file ioctl 0x5401;
|
||||||
|
|
||||||
|
#!!!! This avc is allowed in the current policy
|
||||||
|
#!!!! This av rule may have been overridden by an extended permission av rule
|
||||||
|
allow sshd_t user_devpts_t:chr_file ioctl;
|
||||||
|
allowxperm sshd_t user_devpts_t:chr_file ioctl { 0x5401-0x5402 0x540e };
|
||||||
|
|
||||||
|
#============= user_t ==============
|
||||||
|
|
||||||
|
#!!!! This avc is allowed in the current policy
|
||||||
|
#!!!! This av rule may have been overridden by an extended permission av rule
|
||||||
|
allow user_t devtty_t:chr_file ioctl;
|
||||||
|
allowxperm user_t devtty_t:chr_file ioctl 0x4b33;
|
||||||
|
|
||||||
|
#!!!! This avc is allowed in the current policy
|
||||||
|
#!!!! This av rule may have been overridden by an extended permission av rule
|
||||||
|
allow user_t user_devpts_t:chr_file ioctl;
|
||||||
|
allowxperm user_t user_devpts_t:chr_file ioctl { 0x4b33 0x5401 0x5403 0x540a 0x540f-0x5410 0x5413-0x5414 };
|
||||||
|
|
||||||
|
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
|
||||||
|
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
|
||||||
|
---
|
||||||
|
python/sepolgen/src/sepolgen/output.py | 5 +++--
|
||||||
|
1 file changed, 3 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/python/sepolgen/src/sepolgen/output.py b/python/sepolgen/src/sepolgen/output.py
|
||||||
|
index 3a21b64c19f7..aeeaafc889e7 100644
|
||||||
|
--- a/python/sepolgen/src/sepolgen/output.py
|
||||||
|
+++ b/python/sepolgen/src/sepolgen/output.py
|
||||||
|
@@ -84,7 +84,7 @@ def avrule_cmp(a, b):
|
||||||
|
return ret
|
||||||
|
|
||||||
|
# At this point, who cares - just return something
|
||||||
|
- return cmp(len(a.perms), len(b.perms))
|
||||||
|
+ return 0
|
||||||
|
|
||||||
|
# Compare two interface calls
|
||||||
|
def ifcall_cmp(a, b):
|
||||||
|
@@ -100,7 +100,7 @@ def rule_cmp(a, b):
|
||||||
|
else:
|
||||||
|
return id_set_cmp([a.args[0]], b.src_types)
|
||||||
|
else:
|
||||||
|
- if isinstance(b, refpolicy.AVRule):
|
||||||
|
+ if isinstance(b, refpolicy.AVRule) or isinstance(b, refpolicy.AVExtRule):
|
||||||
|
return avrule_cmp(a,b)
|
||||||
|
else:
|
||||||
|
return id_set_cmp(a.src_types, [b.args[0]])
|
||||||
|
@@ -130,6 +130,7 @@ def sort_filter(module):
|
||||||
|
# we assume is the first argument for interfaces).
|
||||||
|
rules = []
|
||||||
|
rules.extend(node.avrules())
|
||||||
|
+ rules.extend(node.avextrules())
|
||||||
|
rules.extend(node.interface_calls())
|
||||||
|
rules.sort(key=util.cmp_to_key(rule_cmp))
|
||||||
|
|
||||||
|
--
|
||||||
|
2.29.0
|
||||||
|
|
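Review bot: With `avrule_cmp` now ending in `return 0`, placing each `allowxperm` line directly after its matching `allow` line depends on two things the code does not state: the sort being stable, and `rules.extend(node.avrules())` running before `rules.extend(node.avextrules())` in sort_filter. The surviving comment `# At this point, who cares - just return something` hides that; something like `# Equal keys: rely on the stable sort so AVRules stay ahead of their AVExtRules` would document it. This assumes the earlier part of avrule_cmp, which is outside the hunk, compares only source, target and class. The type test in rule_cmp can also be a single call, `isinstance(b, (refpolicy.AVRule, refpolicy.AVExtRule))`.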
@ -0,0 +1,32 @@
|
|||||||
|
From 8bc865e1fe8f6f734b7306441ccbeec3b7c37f97 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Dominick Grift <dominick.grift@defensec.nl>
|
||||||
|
Date: Tue, 1 Sep 2020 18:16:41 +0200
|
||||||
|
Subject: [PATCH] newrole: support cross-compilation with PAM and audit
|
||||||
|
|
||||||
|
Compilation of newrole with PAM and audit support currently requires that you have the respective headers installed on the host. Instead make the header location customizable to accomodate cross-compilation.
|
||||||
|
|
||||||
|
Signed-off-by: Dominick Grift <dominick.grift@defensec.nl>
|
||||||
|
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
|
||||||
|
---
|
||||||
|
policycoreutils/newrole/Makefile | 5 +++--
|
||||||
|
1 file changed, 3 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/policycoreutils/newrole/Makefile b/policycoreutils/newrole/Makefile
|
||||||
|
index 73ebd413da85..0e7ebce3dd56 100644
|
||||||
|
--- a/policycoreutils/newrole/Makefile
|
||||||
|
+++ b/policycoreutils/newrole/Makefile
|
||||||
|
@@ -5,8 +5,9 @@ BINDIR ?= $(PREFIX)/bin
|
||||||
|
MANDIR ?= $(PREFIX)/share/man
|
||||||
|
ETCDIR ?= /etc
|
||||||
|
LOCALEDIR = $(DESTDIR)$(PREFIX)/share/locale
|
||||||
|
-PAMH ?= $(shell test -f /usr/include/security/pam_appl.h && echo y)
|
||||||
|
-AUDITH ?= $(shell test -f /usr/include/libaudit.h && echo y)
|
||||||
|
+INCLUDEDIR ?= $(PREFIX)/include
|
||||||
|
+PAMH ?= $(shell test -f $(INCLUDEDIR)/security/pam_appl.h && echo y)
|
||||||
|
+AUDITH ?= $(shell test -f $(INCLUDEDIR)/libaudit.h && echo y)
|
||||||
|
# Enable capabilities to permit newrole to generate audit records.
|
||||||
|
# This will make newrole a setuid root program.
|
||||||
|
# The capabilities used are: CAP_AUDIT_WRITE.
|
||||||
|
--
|
||||||
|
2.29.0
|
||||||
|
|
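Review bot: `INCLUDEDIR ?= $(PREFIX)/include` ties the PAM and audit header probes to PREFIX, whose default is set outside this hunk. A build that points PREFIX at a tree without `security/pam_appl.h` or `libaudit.h` now gets empty PAMH/AUDITH with no message, where the old code always looked in /usr/include. Going by the patch description, these probes decide whether newrole is built with PAM and audit support, so a silent miss changes the security properties of a binary that the comments below describe as potentially setuid root. A comment such as `# INCLUDEDIR: where to probe for PAM/audit headers; point it at the target sysroot when cross-compiling`, plus a `$(warning ...)` when a probe comes back empty, would make that visible.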
@ -1,4 +1,4 @@
|
|||||||
From 269d3c64978af8053a84ecc54ab2adb7ee481d10 Mon Sep 17 00:00:00 2001
|
From ea624dcc70d93867f23b94c368b8cf102269c13b Mon Sep 17 00:00:00 2001
|
||||||
From: Petr Lautrbach <plautrba@redhat.com>
|
From: Petr Lautrbach <plautrba@redhat.com>
|
||||||
Date: Thu, 20 Aug 2015 12:58:41 +0200
|
Date: Thu, 20 Aug 2015 12:58:41 +0200
|
||||||
Subject: [PATCH] sandbox: add -reset to Xephyr as it works better with it in
|
Subject: [PATCH] sandbox: add -reset to Xephyr as it works better with it in
|
||||||
@ -22,5 +22,5 @@ index eaa500d08143..4774528027ef 100644
|
|||||||
cat > ~/seremote << __EOF
|
cat > ~/seremote << __EOF
|
||||||
#!/bin/sh
|
#!/bin/sh
|
||||||
--
|
--
|
||||||
2.23.0
|
2.29.0
|
||||||
|
|
@ -1,4 +1,4 @@
|
|||||||
From f8714034d527c1eb6bd698abcfd8f02d1542f648 Mon Sep 17 00:00:00 2001
|
From 932c1244bc98d3a05a238f3f0b333cf8c429113b Mon Sep 17 00:00:00 2001
|
||||||
From: Dan Walsh <dwalsh@redhat.com>
|
From: Dan Walsh <dwalsh@redhat.com>
|
||||||
Date: Mon, 21 Apr 2014 13:54:40 -0400
|
Date: Mon, 21 Apr 2014 13:54:40 -0400
|
||||||
Subject: [PATCH] Fix STANDARD_FILE_CONTEXT section in man pages
|
Subject: [PATCH] Fix STANDARD_FILE_CONTEXT section in man pages
|
||||||
@ -9,7 +9,7 @@ Signed-off-by: Miroslav Grepl <mgrepl@redhat.com>
|
|||||||
1 file changed, 5 insertions(+), 2 deletions(-)
|
1 file changed, 5 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
|
diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
|
||||||
index 442608191cc8..2ee9e37fde9f 100755
|
index 3e8a3be907e3..a1d70623cff0 100755
|
||||||
--- a/python/sepolicy/sepolicy/manpage.py
|
--- a/python/sepolicy/sepolicy/manpage.py
|
||||||
+++ b/python/sepolicy/sepolicy/manpage.py
|
+++ b/python/sepolicy/sepolicy/manpage.py
|
||||||
@@ -735,10 +735,13 @@ Default Defined Ports:""")
|
@@ -735,10 +735,13 @@ Default Defined Ports:""")
|
||||||
@ -42,5 +42,5 @@ index 442608191cc8..2ee9e37fde9f 100755
|
|||||||
self.fd.write(r"""
|
self.fd.write(r"""
|
||||||
.I The following file types are defined for %(domainname)s:
|
.I The following file types are defined for %(domainname)s:
|
||||||
--
|
--
|
||||||
2.23.0
|
2.29.0
|
||||||
|
|
@ -1,4 +1,4 @@
|
|||||||
From 73cfd014130f4a37b1db29d5a7b840bf414e8f19 Mon Sep 17 00:00:00 2001
|
From ae3780eb560fa5f00a3dd591c8233c2a9068a348 Mon Sep 17 00:00:00 2001
|
||||||
From: Miroslav Grepl <mgrepl@redhat.com>
|
From: Miroslav Grepl <mgrepl@redhat.com>
|
||||||
Date: Mon, 12 May 2014 14:11:22 +0200
|
Date: Mon, 12 May 2014 14:11:22 +0200
|
||||||
Subject: [PATCH] If there is no executable we don't want to print a part of
|
Subject: [PATCH] If there is no executable we don't want to print a part of
|
||||||
@ -9,7 +9,7 @@ Subject: [PATCH] If there is no executable we don't want to print a part of
|
|||||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
|
diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
|
||||||
index 2ee9e37fde9f..ec17fb145375 100755
|
index a1d70623cff0..2d33eabb2536 100755
|
||||||
--- a/python/sepolicy/sepolicy/manpage.py
|
--- a/python/sepolicy/sepolicy/manpage.py
|
||||||
+++ b/python/sepolicy/sepolicy/manpage.py
|
+++ b/python/sepolicy/sepolicy/manpage.py
|
||||||
@@ -793,7 +793,8 @@ SELinux %(domainname)s policy is very flexible allowing users to setup their %(d
|
@@ -793,7 +793,8 @@ SELinux %(domainname)s policy is very flexible allowing users to setup their %(d
|
||||||
@ -23,5 +23,5 @@ index 2ee9e37fde9f..ec17fb145375 100755
|
|||||||
.B STANDARD FILE CONTEXT
|
.B STANDARD FILE CONTEXT
|
||||||
|
|
||||||
--
|
--
|
||||||
2.23.0
|
2.29.0
|
||||||
|
|
@ -1,4 +1,4 @@
|
|||||||
From 66766a7298065ae60819355f2b515fe3fcc248e3 Mon Sep 17 00:00:00 2001
|
From 7d21b9f41c4d00f1e0499a64089a5e13a8f636ab Mon Sep 17 00:00:00 2001
|
||||||
From: Miroslav Grepl <mgrepl@redhat.com>
|
From: Miroslav Grepl <mgrepl@redhat.com>
|
||||||
Date: Thu, 19 Feb 2015 17:45:15 +0100
|
Date: Thu, 19 Feb 2015 17:45:15 +0100
|
||||||
Subject: [PATCH] Simplication of sepolicy-manpage web functionality.
|
Subject: [PATCH] Simplication of sepolicy-manpage web functionality.
|
||||||
@ -49,7 +49,7 @@ index e4540977d042..ad718797ca68 100644
|
|||||||
|
|
||||||
def reinit():
|
def reinit():
|
||||||
diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
|
diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
|
||||||
index ec17fb145375..8c529ddb07cd 100755
|
index 2d33eabb2536..acc77f368d95 100755
|
||||||
--- a/python/sepolicy/sepolicy/manpage.py
|
--- a/python/sepolicy/sepolicy/manpage.py
|
||||||
+++ b/python/sepolicy/sepolicy/manpage.py
|
+++ b/python/sepolicy/sepolicy/manpage.py
|
||||||
@@ -149,10 +149,6 @@ def prettyprint(f, trim):
|
@@ -149,10 +149,6 @@ def prettyprint(f, trim):
|
||||||
@ -165,5 +165,5 @@ index ec17fb145375..8c529ddb07cd 100755
|
|||||||
if len(self.manpage_roles[letter]):
|
if len(self.manpage_roles[letter]):
|
||||||
fd.write("""
|
fd.write("""
|
||||||
--
|
--
|
||||||
2.23.0
|
2.29.0
|
||||||
|
|
@ -1,4 +1,4 @@
|
|||||||
From 59d6989beb341fb17f87b270e4fc8d55351d3a51 Mon Sep 17 00:00:00 2001
|
From f0f030495dddb2e633403f360fdaaf6951da11ad Mon Sep 17 00:00:00 2001
|
||||||
From: Miroslav Grepl <mgrepl@redhat.com>
|
From: Miroslav Grepl <mgrepl@redhat.com>
|
||||||
Date: Fri, 20 Feb 2015 16:42:01 +0100
|
Date: Fri, 20 Feb 2015 16:42:01 +0100
|
||||||
Subject: [PATCH] We want to remove the trailing newline for
|
Subject: [PATCH] We want to remove the trailing newline for
|
||||||
@ -22,5 +22,5 @@ index ad718797ca68..ea05d892bf3b 100644
|
|||||||
system_release = "Misc"
|
system_release = "Misc"
|
||||||
|
|
||||||
--
|
--
|
||||||
2.23.0
|
2.29.0
|
||||||
|
|
@ -1,4 +1,4 @@
|
|||||||
From 600fda8edf440acc3e5b32a31a044b16d65cbef9 Mon Sep 17 00:00:00 2001
|
From 4a18939d21c06d036f1063cbfd2d0b5ae9d0010f Mon Sep 17 00:00:00 2001
|
||||||
From: Miroslav Grepl <mgrepl@redhat.com>
|
From: Miroslav Grepl <mgrepl@redhat.com>
|
||||||
Date: Fri, 20 Feb 2015 16:42:53 +0100
|
Date: Fri, 20 Feb 2015 16:42:53 +0100
|
||||||
Subject: [PATCH] Fix title in manpage.py to not contain 'online'.
|
Subject: [PATCH] Fix title in manpage.py to not contain 'online'.
|
||||||
@ -8,7 +8,7 @@ Subject: [PATCH] Fix title in manpage.py to not contain 'online'.
|
|||||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
|
diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
|
||||||
index 8c529ddb07cd..10e2c1745f8b 100755
|
index acc77f368d95..4aeb3e2e51ba 100755
|
||||||
--- a/python/sepolicy/sepolicy/manpage.py
|
--- a/python/sepolicy/sepolicy/manpage.py
|
||||||
+++ b/python/sepolicy/sepolicy/manpage.py
|
+++ b/python/sepolicy/sepolicy/manpage.py
|
||||||
@@ -220,7 +220,7 @@ class HTMLManPages:
|
@@ -220,7 +220,7 @@ class HTMLManPages:
|
||||||
@ -21,5 +21,5 @@ index 8c529ddb07cd..10e2c1745f8b 100755
|
|||||||
<body>
|
<body>
|
||||||
<h1>SELinux man pages for %s</h1>
|
<h1>SELinux man pages for %s</h1>
|
||||||
--
|
--
|
||||||
2.23.0
|
2.29.0
|
||||||
|
|
@ -1,4 +1,4 @@
|
|||||||
From b45d202d954bad6cd4e96fe22d35677717e5eff9 Mon Sep 17 00:00:00 2001
|
From ffe429b49874175f5ec1156e9c89e75cc67a0ddd Mon Sep 17 00:00:00 2001
|
||||||
From: Dan Walsh <dwalsh@redhat.com>
|
From: Dan Walsh <dwalsh@redhat.com>
|
||||||
Date: Fri, 14 Feb 2014 12:32:12 -0500
|
Date: Fri, 14 Feb 2014 12:32:12 -0500
|
||||||
Subject: [PATCH] Don't be verbose if you are not on a tty
|
Subject: [PATCH] Don't be verbose if you are not on a tty
|
||||||
@ -8,7 +8,7 @@ Subject: [PATCH] Don't be verbose if you are not on a tty
|
|||||||
1 file changed, 1 insertion(+)
|
1 file changed, 1 insertion(+)
|
||||||
|
|
||||||
diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles
|
diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles
|
||||||
index 5d7770348349..fd43aab0cb6a 100755
|
index 30dadb4f4cb6..e73bb81c3336 100755
|
||||||
--- a/policycoreutils/scripts/fixfiles
|
--- a/policycoreutils/scripts/fixfiles
|
||||||
+++ b/policycoreutils/scripts/fixfiles
|
+++ b/policycoreutils/scripts/fixfiles
|
||||||
@@ -108,6 +108,7 @@ exclude_dirs_from_relabelling() {
|
@@ -108,6 +108,7 @@ exclude_dirs_from_relabelling() {
|
||||||
@ -20,5 +20,5 @@ index 5d7770348349..fd43aab0cb6a 100755
|
|||||||
RPMFILES=""
|
RPMFILES=""
|
||||||
PREFC=""
|
PREFC=""
|
||||||
--
|
--
|
||||||
2.23.0
|
2.29.0
|
||||||
|
|
@ -1,4 +1,4 @@
|
|||||||
From 61fcb9e5af82482d79c9e9edacb1a7f30686ee4a Mon Sep 17 00:00:00 2001
|
From 4a337405da16857dc2a979e4b4963a6fd7b975c6 Mon Sep 17 00:00:00 2001
|
||||||
From: Petr Lautrbach <plautrba@redhat.com>
|
From: Petr Lautrbach <plautrba@redhat.com>
|
||||||
Date: Mon, 27 Feb 2017 17:12:39 +0100
|
Date: Mon, 27 Feb 2017 17:12:39 +0100
|
||||||
Subject: [PATCH] sepolicy: Drop old interface file_type_is_executable(f) and
|
Subject: [PATCH] sepolicy: Drop old interface file_type_is_executable(f) and
|
||||||
@ -11,7 +11,7 @@ Subject: [PATCH] sepolicy: Drop old interface file_type_is_executable(f) and
|
|||||||
1 file changed, 20 insertions(+), 2 deletions(-)
|
1 file changed, 20 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
|
diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
|
||||||
index 10e2c1745f8b..9a4b24743aca 100755
|
index 4aeb3e2e51ba..330b055af214 100755
|
||||||
--- a/python/sepolicy/sepolicy/manpage.py
|
--- a/python/sepolicy/sepolicy/manpage.py
|
||||||
+++ b/python/sepolicy/sepolicy/manpage.py
|
+++ b/python/sepolicy/sepolicy/manpage.py
|
||||||
@@ -125,8 +125,24 @@ def gen_domains():
|
@@ -125,8 +125,24 @@ def gen_domains():
|
||||||
@ -59,5 +59,5 @@ index 10e2c1745f8b..9a4b24743aca 100755
|
|||||||
if f in self.fcdict:
|
if f in self.fcdict:
|
||||||
mpaths = mpaths + self.fcdict[f]["regex"]
|
mpaths = mpaths + self.fcdict[f]["regex"]
|
||||||
--
|
--
|
||||||
2.23.0
|
2.29.0
|
||||||
|
|
@ -1,4 +1,4 @@
|
|||||||
From 15d2491e3c455f740a20eaf93f2c6a9b89e79d7a Mon Sep 17 00:00:00 2001
|
From 7c315fff5e7ce74b0598b62d9aa0b21ca6b06b6d Mon Sep 17 00:00:00 2001
|
||||||
From: Petr Lautrbach <plautrba@redhat.com>
|
From: Petr Lautrbach <plautrba@redhat.com>
|
||||||
Date: Tue, 28 Feb 2017 21:29:46 +0100
|
Date: Tue, 28 Feb 2017 21:29:46 +0100
|
||||||
Subject: [PATCH] sepolicy: Another small optimization for mcs types
|
Subject: [PATCH] sepolicy: Another small optimization for mcs types
|
||||||
@ -8,7 +8,7 @@ Subject: [PATCH] sepolicy: Another small optimization for mcs types
|
|||||||
1 file changed, 11 insertions(+), 5 deletions(-)
|
1 file changed, 11 insertions(+), 5 deletions(-)
|
||||||
|
|
||||||
diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
|
diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
|
||||||
index 9a4b24743aca..736ae13b0524 100755
|
index 330b055af214..f8584436960d 100755
|
||||||
--- a/python/sepolicy/sepolicy/manpage.py
|
--- a/python/sepolicy/sepolicy/manpage.py
|
||||||
+++ b/python/sepolicy/sepolicy/manpage.py
|
+++ b/python/sepolicy/sepolicy/manpage.py
|
||||||
@@ -142,6 +142,15 @@ def _gen_entry_types():
|
@@ -142,6 +142,15 @@ def _gen_entry_types():
|
||||||
@ -49,5 +49,5 @@ index 9a4b24743aca..736ae13b0524 100755
|
|||||||
self.fd.write ("""
|
self.fd.write ("""
|
||||||
.SH "MCS Constrained"
|
.SH "MCS Constrained"
|
||||||
--
|
--
|
||||||
2.23.0
|
2.29.0
|
||||||
|
|
@ -1,4 +1,4 @@
|
|||||||
From 8e02b757f90827f4e850b732ccea32c2897036a8 Mon Sep 17 00:00:00 2001
|
From a07e9652785c6196d916dfca3d36c898959406b4 Mon Sep 17 00:00:00 2001
|
||||||
From: Petr Lautrbach <plautrba@redhat.com>
|
From: Petr Lautrbach <plautrba@redhat.com>
|
||||||
Date: Mon, 6 Aug 2018 13:23:00 +0200
|
Date: Mon, 6 Aug 2018 13:23:00 +0200
|
||||||
Subject: [PATCH] Move po/ translation files into the right sub-directories
|
Subject: [PATCH] Move po/ translation files into the right sub-directories
|
||||||
@ -511,5 +511,5 @@ index 000000000000..deff3f2f4656
|
|||||||
@@ -0,0 +1 @@
|
@@ -0,0 +1 @@
|
||||||
+../sandbox
|
+../sandbox
|
||||||
--
|
--
|
||||||
2.23.0
|
2.29.0
|
||||||
|
|
@ -1,4 +1,4 @@
|
|||||||
From c19dde7c189cba536d79331baff24d987b3fae4d Mon Sep 17 00:00:00 2001
|
From eab0fc05a38ab2cd47b3e0ff69981850cc7cd538 Mon Sep 17 00:00:00 2001
|
||||||
From: Petr Lautrbach <plautrba@redhat.com>
|
From: Petr Lautrbach <plautrba@redhat.com>
|
||||||
Date: Mon, 6 Aug 2018 13:37:07 +0200
|
Date: Mon, 6 Aug 2018 13:37:07 +0200
|
||||||
Subject: [PATCH] Use correct gettext domains in python/ gui/ sandbox/
|
Subject: [PATCH] Use correct gettext domains in python/ gui/ sandbox/
|
||||||
@ -302,5 +302,5 @@ index ca5f1e030a51..16c43b51eaaa 100644
|
|||||||
import gettext
|
import gettext
|
||||||
kwargs = {}
|
kwargs = {}
|
||||||
--
|
--
|
||||||
2.26.2
|
2.29.0
|
||||||
|
|
@ -1,4 +1,4 @@
|
|||||||
From 8384f31cdcf0afd2b13f93f4e8bc42254b4b7928 Mon Sep 17 00:00:00 2001
|
From ffca591cb3055c4962cdc968662bd52bb876e640 Mon Sep 17 00:00:00 2001
|
||||||
From: Petr Lautrbach <plautrba@redhat.com>
|
From: Petr Lautrbach <plautrba@redhat.com>
|
||||||
Date: Mon, 6 Aug 2018 14:23:19 +0200
|
Date: Mon, 6 Aug 2018 14:23:19 +0200
|
||||||
Subject: [PATCH] Initial .pot files for gui/ python/ sandbox/
|
Subject: [PATCH] Initial .pot files for gui/ python/ sandbox/
|
||||||
@ -4528,5 +4528,5 @@ index 000000000000..328b4f0159d3
|
|||||||
+msgid "Invalid value %s"
|
+msgid "Invalid value %s"
|
||||||
+msgstr ""
|
+msgstr ""
|
||||||
--
|
--
|
||||||
2.23.0
|
2.29.0
|
||||||
|
|
@ -1,4 +1,4 @@
|
|||||||
From 38586b84c3bae778883e43d72700ef1491abae17 Mon Sep 17 00:00:00 2001
|
From 4277ef04de699e1939c95c4813de6a78d1ea1656 Mon Sep 17 00:00:00 2001
|
||||||
From: Vit Mojzis <vmojzis@redhat.com>
|
From: Vit Mojzis <vmojzis@redhat.com>
|
||||||
Date: Wed, 21 Mar 2018 08:51:31 +0100
|
Date: Wed, 21 Mar 2018 08:51:31 +0100
|
||||||
Subject: [PATCH] policycoreutils/setfiles: Improve description of -d switch
|
Subject: [PATCH] policycoreutils/setfiles: Improve description of -d switch
|
||||||
@ -26,5 +26,5 @@ index e328a5628682..02e0960289d3 100644
|
|||||||
.BI \-e \ directory
|
.BI \-e \ directory
|
||||||
directory to exclude (repeat option for more than one directory).
|
directory to exclude (repeat option for more than one directory).
|
||||||
--
|
--
|
||||||
2.26.2
|
2.29.0
|
||||||
|
|
@ -1,4 +1,4 @@
|
|||||||
From f2625885226a65df2b0d7f825bafe462a6454c49 Mon Sep 17 00:00:00 2001
|
From fa94b0faf12a79158d971f363e8ec65227d67de3 Mon Sep 17 00:00:00 2001
|
||||||
From: Masatake YAMATO <yamato@redhat.com>
|
From: Masatake YAMATO <yamato@redhat.com>
|
||||||
Date: Thu, 14 Dec 2017 15:57:58 +0900
|
Date: Thu, 14 Dec 2017 15:57:58 +0900
|
||||||
Subject: [PATCH] sepolicy-generate: Handle more reserved port types
|
Subject: [PATCH] sepolicy-generate: Handle more reserved port types
|
||||||
@ -52,7 +52,7 @@ https://lore.kernel.org/selinux/20150610.190635.1866127952891120915.yamato@redha
|
|||||||
1 file changed, 3 insertions(+), 1 deletion(-)
|
1 file changed, 3 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
diff --git a/python/sepolicy/sepolicy/generate.py b/python/sepolicy/sepolicy/generate.py
|
diff --git a/python/sepolicy/sepolicy/generate.py b/python/sepolicy/sepolicy/generate.py
|
||||||
index 744ee13f692d..a6309783e85e 100644
|
index 43180ca6fda4..d60a08e1d72c 100644
|
||||||
--- a/python/sepolicy/sepolicy/generate.py
|
--- a/python/sepolicy/sepolicy/generate.py
|
||||||
+++ b/python/sepolicy/sepolicy/generate.py
|
+++ b/python/sepolicy/sepolicy/generate.py
|
||||||
@@ -99,7 +99,9 @@ def get_all_ports():
|
@@ -99,7 +99,9 @@ def get_all_ports():
|
||||||
@ -67,5 +67,5 @@ index 744ee13f692d..a6309783e85e 100644
|
|||||||
dict[(p['low'], p['high'], p['protocol'])] = (p['type'], p.get('range'))
|
dict[(p['low'], p['high'], p['protocol'])] = (p['type'], p.get('range'))
|
||||||
return dict
|
return dict
|
||||||
--
|
--
|
||||||
2.23.0
|
2.29.0
|
||||||
|
|
@ -1,4 +1,4 @@
|
|||||||
From 6f510c03e54b0058b74fabae6489099f5369a957 Mon Sep 17 00:00:00 2001
|
From 122e35c4d11b5b623e8bc463f81c6792385523cb Mon Sep 17 00:00:00 2001
|
||||||
From: Petr Lautrbach <plautrba@redhat.com>
|
From: Petr Lautrbach <plautrba@redhat.com>
|
||||||
Date: Thu, 8 Nov 2018 09:20:58 +0100
|
Date: Thu, 8 Nov 2018 09:20:58 +0100
|
||||||
Subject: [PATCH] semodule-utils: Fix RESOURCE_LEAK coverity scan defects
|
Subject: [PATCH] semodule-utils: Fix RESOURCE_LEAK coverity scan defects
|
||||||
@ -20,5 +20,5 @@ index 3515234e36de..7b75b3fd9bb4 100644
|
|||||||
}
|
}
|
||||||
|
|
||||||
--
|
--
|
||||||
2.23.0
|
2.29.0
|
||||||
|
|
@ -1,4 +1,4 @@
|
|||||||
From 7afddf20e889731126fda14b2fa713a367d9dd84 Mon Sep 17 00:00:00 2001
|
From e63814eb18bdbb48a7e6bf79b17d79d6a9ca56d6 Mon Sep 17 00:00:00 2001
|
||||||
From: Petr Lautrbach <plautrba@redhat.com>
|
From: Petr Lautrbach <plautrba@redhat.com>
|
||||||
Date: Wed, 18 Jul 2018 09:09:35 +0200
|
Date: Wed, 18 Jul 2018 09:09:35 +0200
|
||||||
Subject: [PATCH] sandbox: Use matchbox-window-manager instead of openbox
|
Subject: [PATCH] sandbox: Use matchbox-window-manager instead of openbox
|
||||||
@ -70,5 +70,5 @@ index 4774528027ef..c211ebc14549 100644
|
|||||||
export DISPLAY=:$D
|
export DISPLAY=:$D
|
||||||
cat > ~/seremote << __EOF
|
cat > ~/seremote << __EOF
|
||||||
--
|
--
|
||||||
2.23.0
|
2.29.0
|
||||||
|
|
@ -1,8 +1,8 @@
|
|||||||
%global libauditver 3.0
|
%global libauditver 3.0
|
||||||
%global libsepolver 3.1
|
%global libsepolver 3.1-4
|
||||||
%global libsemanagever 3.1
|
%global libsemanagever 3.1-4
|
||||||
%global libselinuxver 3.1
|
%global libselinuxver 3.1-4
|
||||||
%global sepolgenver 3.1
|
%global sepolgenver 3.1-4
|
||||||
|
|
||||||
%global generatorsdir %{_prefix}/lib/systemd/system-generators
|
%global generatorsdir %{_prefix}/lib/systemd/system-generators
|
||||||
|
|
||||||
@ -38,22 +38,29 @@ Source23: sandbox-po.tgz
|
|||||||
# $ git format-patch -N 20200710 -- policycoreutils python gui sandbox dbus semodule-utils restorecond
|
# $ git format-patch -N 20200710 -- policycoreutils python gui sandbox dbus semodule-utils restorecond
|
||||||
# $ for j in [0-9]*.patch; do printf "Patch%s: %s\n" ${j/-*/} $j; done
|
# $ for j in [0-9]*.patch; do printf "Patch%s: %s\n" ${j/-*/} $j; done
|
||||||
# Patch list start
|
# Patch list start
|
||||||
Patch0001: 0001-sandbox-add-reset-to-Xephyr-as-it-works-better-with-.patch
|
Patch0001: 0001-python-audit2allow-add-include-limits.h-to-sepolgen-.patch
|
||||||
Patch0002: 0002-Fix-STANDARD_FILE_CONTEXT-section-in-man-pages.patch
|
Patch0002: 0002-restorecond-Set-X-GNOME-HiddenUnderSystemd-true-in-r.patch
|
||||||
Patch0003: 0003-If-there-is-no-executable-we-don-t-want-to-print-a-p.patch
|
Patch0003: 0003-fixfiles-correctly-restore-context-of-mountpoints.patch
|
||||||
Patch0004: 0004-Simplication-of-sepolicy-manpage-web-functionality.-.patch
|
Patch0004: 0004-sepolgen-print-extended-permissions-in-hexadecimal.patch
|
||||||
Patch0005: 0005-We-want-to-remove-the-trailing-newline-for-etc-syste.patch
|
Patch0005: 0005-sepolgen-sort-extended-rules-like-normal-ones.patch
|
||||||
Patch0006: 0006-Fix-title-in-manpage.py-to-not-contain-online.patch
|
Patch0006: 0006-newrole-support-cross-compilation-with-PAM-and-audit.patch
|
||||||
Patch0007: 0007-Don-t-be-verbose-if-you-are-not-on-a-tty.patch
|
Patch0007: 0007-sandbox-add-reset-to-Xephyr-as-it-works-better-with-.patch
|
||||||
Patch0008: 0008-sepolicy-Drop-old-interface-file_type_is_executable-.patch
|
Patch0008: 0008-Fix-STANDARD_FILE_CONTEXT-section-in-man-pages.patch
|
||||||
Patch0009: 0009-sepolicy-Another-small-optimization-for-mcs-types.patch
|
Patch0009: 0009-If-there-is-no-executable-we-don-t-want-to-print-a-p.patch
|
||||||
Patch0010: 0010-Move-po-translation-files-into-the-right-sub-directo.patch
|
Patch0010: 0010-Simplication-of-sepolicy-manpage-web-functionality.-.patch
|
||||||
Patch0011: 0011-Use-correct-gettext-domains-in-python-gui-sandbox.patch
|
Patch0011: 0011-We-want-to-remove-the-trailing-newline-for-etc-syste.patch
|
||||||
Patch0012: 0012-Initial-.pot-files-for-gui-python-sandbox.patch
|
Patch0012: 0012-Fix-title-in-manpage.py-to-not-contain-online.patch
|
||||||
Patch0013: 0013-policycoreutils-setfiles-Improve-description-of-d-sw.patch
|
Patch0013: 0013-Don-t-be-verbose-if-you-are-not-on-a-tty.patch
|
||||||
Patch0014: 0014-sepolicy-generate-Handle-more-reserved-port-types.patch
|
Patch0014: 0014-sepolicy-Drop-old-interface-file_type_is_executable-.patch
|
||||||
Patch0015: 0015-semodule-utils-Fix-RESOURCE_LEAK-coverity-scan-defec.patch
|
Patch0015: 0015-sepolicy-Another-small-optimization-for-mcs-types.patch
|
||||||
Patch0016: 0016-sandbox-Use-matchbox-window-manager-instead-of-openb.patch
|
Patch0016: 0016-Move-po-translation-files-into-the-right-sub-directo.patch
|
||||||
|
Patch0017: 0017-Use-correct-gettext-domains-in-python-gui-sandbox.patch
|
||||||
|
Patch0018: 0018-Initial-.pot-files-for-gui-python-sandbox.patch
|
||||||
|
Patch0019: 0019-policycoreutils-setfiles-Improve-description-of-d-sw.patch
|
||||||
|
Patch0020: 0020-sepolicy-generate-Handle-more-reserved-port-types.patch
|
||||||
|
Patch0021: 0021-semodule-utils-Fix-RESOURCE_LEAK-coverity-scan-defec.patch
|
||||||
|
Patch0022: 0022-sandbox-Use-matchbox-window-manager-instead-of-openb.patch
|
||||||
|
Patch0023: 0023-sepolicy-Fix-flake8-warnings-in-Fedora-only-code.patch
|
||||||
# Patch list end
|
# Patch list end
|
||||||
|
|
||||||
Obsoletes: policycoreutils < 2.0.61-2
|
Obsoletes: policycoreutils < 2.0.61-2
|
||||||
|
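Review bot: The `%global` floors for libsepol, libsemanage, libselinux and sepolgen in the first hunk of the spec section move from `3.1` to `3.1-4` with no comment saying why a specific release, not just a version, is now required. Going by the commit description this is presumably tied to building against libsepol.so.1 and libsemanage.so.2, but that link is inferred and not shown in these lines. A one-line comment above the macros, e.g. `# release floor: builds that ship libsepol.so.1 / libsemanage.so.2 (confirm)`, would stop a later rebase from relaxing the floor and pairing these tools with older policy libraries. The places where the macros are expanded are outside the visible lines, so it is worth checking that none of them expects a bare version string without a release.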