Update Miroslav Grepl Patches

* If there is no executable we don't want to print a part of STANDARD FILE CON
  * Add-manpages-for-typealiased-types
  * Make fixfiles_exclude_dirs working if there is a substituion for the given d
This commit is contained in:
Dan Walsh 2014-05-16 11:48:54 -04:00
parent f8435958ae
commit cbb4c3ee48
2 changed files with 129 additions and 35 deletions

View File

@ -695701,7 +695701,7 @@ index 97f3920..c92e394 100644
}
diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles
index 5c29eb9..75d3c8d 100755
index 5c29eb9..097152f 100755
--- a/policycoreutils/scripts/fixfiles
+++ b/policycoreutils/scripts/fixfiles
@@ -116,6 +116,7 @@ exclude_dirs() {
@ -695712,6 +695712,36 @@ index 5c29eb9..75d3c8d 100755
FORCEFLAG=""
DIRS=""
RPMILES=""
@@ -137,6 +138,9 @@ else
FC=/etc/security/selinux/file_contexts
fi
+FC_SUB_DIST=${FC}.subs_dist
+FC_SUB=${FC}.subs
+
#
# Log to either syslog or a LOGFILE
#
@@ -243,6 +247,10 @@ then
logit "skipping the directory ${p}"
done
FC=$TEMPFCFILE
+/bin/cp -p ${TEMPFCFILE} ${TEMPFCFILE}.subs_dist &>/dev/null || exit
+/bin/cp -p ${FC_SUB_DIST} ${TEMPFCFILE}.subs_dist &>/dev/null || exit
+/bin/cp -p ${TEMPFCFILE} ${TEMPFCFILE}.subs &>/dev/null || exit
+/bin/cp -p ${FC_SUB} ${TEMPFCFILE}.subs &>/dev/null || exit
fi
if [ ! -z "$RPMFILES" ]; then
for i in `echo "$RPMFILES" | sed 's/,/ /g'`; do
@@ -264,7 +272,7 @@ if [ ${OPTION} != "Relabel" ]; then
return
fi
echo "Cleaning up labels on /tmp"
-rm -rf /tmp/gconfd-* /tmp/pulse-* /tmp/orbit-* $TEMPFCFILE
+rm -rf /tmp/gconfd-* /tmp/pulse-* /tmp/orbit-* $TEMPFCFILE ${TEMPFCFILE}.subs_dist ${TEMPFCFILE}.subs
UNDEFINED=`get_undefined_type` || exit $?
UNLABELED=`get_unlabeled_type` || exit $?
diff --git a/policycoreutils/semanage/Makefile b/policycoreutils/semanage/Makefile
index 8fc8e0b..9bb4f24 100644
--- a/policycoreutils/semanage/Makefile
@ -696174,7 +696204,7 @@ index 36b41cd..209c308 100644
sys.exit(1)
diff --git a/policycoreutils/semanage/semanage.8 b/policycoreutils/semanage/semanage.8
index 0fad36c..ac39862 100644
index 0fad36c..75b782f 100644
--- a/policycoreutils/semanage/semanage.8
+++ b/policycoreutils/semanage/semanage.8
@@ -8,7 +8,7 @@ semanage \- SELinux Policy Management tool
@ -696186,6 +696216,16 @@ index 0fad36c..ac39862 100644
.B export
Output local customizations
@@ -51,8 +51,7 @@ to SELinux user identities (which controls the initial security context
assigned to Linux users when they login and bounds their authorized role set)
as well as security context mappings for various kinds of objects, such
as network ports, interfaces, and nodes (hosts) as well as the file
-context mapping. See the EXAMPLES section below for some examples
-of common usage. Note that the semanage login command deals with the
+context mapping. Note that the semanage login command deals with the
mapping from Linux usernames (logins) to SELinux user identities,
while the semanage user command deals with the mapping from SELinux
user identities to authorized role sets. In most cases, only the
diff --git a/policycoreutils/semanage/seobject.py b/policycoreutils/semanage/seobject.py
deleted file mode 100644
index f8d2243..0000000
@ -704127,10 +704167,10 @@ index bbabb3b..b17f6af 100644
os.remove(v)
diff --git a/policycoreutils/sepolicy/sepolicy/manpage.py b/policycoreutils/sepolicy/sepolicy/manpage.py
index ba15b2c..835dc43 100755
index ba15b2c..d5f0f66 100755
--- a/policycoreutils/sepolicy/sepolicy/manpage.py
+++ b/policycoreutils/sepolicy/sepolicy/manpage.py
@@ -30,7 +30,7 @@ import selinux
@@ -30,103 +30,111 @@ import selinux
import sepolicy
from sepolicy import *
@ -704138,8 +704178,16 @@ index ba15b2c..835dc43 100755
+import subprocess
import sys, os, re, time
+
+typealias_types = {
+"antivirus_t":("amavis_t", "clamd_t", "clamscan_t", "freshclam_t"),
+"cluster_t":("rgmanager_t", "corosync_t", "aisexec_t", "pacemaker_t"),
+"svirt_t":("qemu_t"),
+"httpd_t":("phpfpm_t"),
+}
+
equiv_dict={ "smbd" : [ "samba" ], "httpd" : [ "apache" ], "virtd" : [ "virt", "libvirt", "svirt", "svirt_tcg", "svirt_lxc_t", "svirt_lxc_net_t" ], "named" : [ "bind" ], "fsdaemon" : [ "smartmon" ], "mdadm" : [ "raid" ] }
@@ -38,95 +38,95 @@ equiv_dict={ "smbd" : [ "samba" ], "httpd" : [ "apache" ], "virtd" : [ "virt", "
equiv_dirs=[ "/var" ]
modules_dict = None
def gen_modules_dict(path = "/usr/share/selinux/devel/policy.xml"):
@ -704311,7 +704359,7 @@ index ba15b2c..835dc43 100755
def prettyprint(f,trim):
return " ".join(f[:-len(trim)].split("_"))
@@ -135,72 +135,78 @@ def prettyprint(f,trim):
@@ -135,72 +143,78 @@ def prettyprint(f,trim):
manpage_domains = []
manpage_roles = []
@ -704447,7 +704495,7 @@ index ba15b2c..835dc43 100755
<html>
<head>
<link rel=stylesheet type="text/css" href="style.css" title="style">
@@ -219,11 +225,11 @@ Fedora or Red Hat Enterprise Linux Man Pages.</h2>
@@ -219,11 +233,11 @@ Fedora or Red Hat Enterprise Linux Man Pages.</h2>
</tr></table>
<pre>
""")
@ -704462,7 +704510,7 @@ index ba15b2c..835dc43 100755
</pre>
<hr>
<h3>RHEL</h3>
@@ -233,24 +239,24 @@ Fedora or Red Hat Enterprise Linux Man Pages.</h2>
@@ -233,24 +247,24 @@ Fedora or Red Hat Enterprise Linux Man Pages.</h2>
</tr></table>
<pre>
""")
@ -704500,7 +704548,7 @@ index ba15b2c..835dc43 100755
</head>
<body>
<h1>SELinux man pages for Fedora18</h1>
@@ -259,26 +265,26 @@ Fedora or Red Hat Enterprise Linux Man Pages.</h2>
@@ -259,26 +273,26 @@ Fedora or Red Hat Enterprise Linux Man Pages.</h2>
<td valign="middle">
<h3>SELinux roles</h3>
""")
@ -704541,7 +704589,7 @@ index ba15b2c..835dc43 100755
</pre>
<hr>
<table><tr>
@@ -286,38 +292,38 @@ Fedora or Red Hat Enterprise Linux Man Pages.</h2>
@@ -286,38 +300,38 @@ Fedora or Red Hat Enterprise Linux Man Pages.</h2>
<h3>SELinux domains</h3>"""
% rolename_body)
@ -704600,7 +704648,7 @@ index ba15b2c..835dc43 100755
html, body {
background-color: #fcfcfc;
font-family: arial, sans-serif;
@@ -326,9 +332,9 @@ html, body {
@@ -326,9 +340,9 @@ html, body {
}
h1, h2, h3, h4, h5, h5 {
@ -704613,7 +704661,7 @@ index ba15b2c..835dc43 100755
}
a {
@@ -374,159 +380,159 @@ pre.code {
@@ -374,159 +388,198 @@ pre.code {
}
""")
@ -704859,6 +704907,7 @@ index ba15b2c..835dc43 100755
- self._file_context()
- self._public_content()
- self._footer()
+
+ self.anon_list = []
+
+ self.attributes = {}
@ -704866,6 +704915,16 @@ index ba15b2c..835dc43 100755
+ self._get_ptypes()
+
+ for domain_type in self.ptypes:
+ try:
+ if typealias_types[domain_type]:
+ fd = self.fd
+ man_page_path = self.man_page_path
+ for t in typealias_types[domain_type]:
+ self._typealias_gen_man(t)
+ self.fd = fd
+ self.man_page_path = man_page_path
+ except KeyError:
+ continue;
+ self.attributes[domain_type] = sepolicy.info(sepolicy.TYPE,("%s") % domain_type)[0]["attributes"]
+
+ self._header()
@ -704886,6 +704945,34 @@ index ba15b2c..835dc43 100755
+ for f in self.all_domains:
+ if f.startswith(self.short_name) or f.startswith(self.domainname):
+ self.ptypes.append(f)
+
+ def _typealias_gen_man(self, t):
+ self.man_page_path = "%s/%s_selinux.8" % (self.path, t[:-2])
+ self.ports = []
+ self.booltext = ""
+ self.fd = open(self.man_page_path, 'w')
+ self._typealias(t[:-2])
+ self._footer()
+ self.fd.close()
+
+ def _typealias(self,typealias):
+ self.fd.write('.TH "%(typealias)s_selinux" "8" "%(date)s" "%(typealias)s" "SELinux Policy %(typealias)s"'
+ % {'typealias':typealias, 'date': time.strftime("%y-%m-%d")})
+ self.fd.write(r"""
+.SH "NAME"
+%(typealias)s_selinux \- Security Enhanced Linux Policy for the %(typealias)s processes
+.SH "DESCRIPTION"
+
+%(typealias)s_t SELinux domain type is now associated with %(domainname)s domain type (%(domainname)s_t).
+""" % {'typealias':typealias, 'domainname':self.domainname})
+
+ self.fd.write(r"""
+Please see
+
+.B %(domainname)s_selinux
+
+man page for more details.
+""" % {'domainname':self.domainname})
def _header(self):
- self.fd.write('.TH "%(domainname)s_selinux" "8" "%(date)s" "%(domainname)s" "SELinux Policy %(domainname)s"'
@ -704897,7 +704984,7 @@ index ba15b2c..835dc43 100755
.SH "NAME"
%(domainname)s_selinux \- Security Enhanced Linux Policy for the %(domainname)s processes
.SH "DESCRIPTION"
@@ -543,20 +549,20 @@ For example:
@@ -543,20 +596,20 @@ For example:
def _format_boolean_desc(self, b):
@ -704930,7 +705017,7 @@ index ba15b2c..835dc43 100755
.PP
If you want to %s, you must turn on the %s boolean. %s by default.
@@ -565,34 +571,34 @@ If you want to %s, you must turn on the %s boolean. %s by default.
@@ -565,34 +618,34 @@ If you want to %s, you must turn on the %s boolean. %s by default.
.EE
""" % (self._format_boolean_desc(b), b, self.enabled_str[enabled], b)
@ -704981,7 +705068,7 @@ index ba15b2c..835dc43 100755
.PP
If you want to %s for the %s, you must turn on the %s boolean.
@@ -601,12 +607,12 @@ If you want to %s for the %s, you must turn on the %s boolean.
@@ -601,12 +654,12 @@ If you want to %s for the %s, you must turn on the %s boolean.
.EE
""" % (self._format_boolean_desc(b),(", ".join(nsswitch_types)), b, b)
@ -704998,7 +705085,7 @@ index ba15b2c..835dc43 100755
.SH PROCESS TYPES
SELinux defines process types (domains) for each process running on the system
.PP
@@ -617,11 +623,11 @@ SELinux %(domainname)s policy is very flexible allowing users to setup their %(d
@@ -617,11 +670,11 @@ SELinux %(domainname)s policy is very flexible allowing users to setup their %(d
.PP
The following process types are defined for %(domainname)s:
""" % {'domainname':self.domainname})
@ -705012,7 +705099,7 @@ index ba15b2c..835dc43 100755
.PP
Note:
.B semanage permissive -a %(domainname)s_t
@@ -629,14 +635,14 @@ can be used to make the process type %(domainname)s_t permissive. SELinux does n
@@ -629,14 +682,14 @@ can be used to make the process type %(domainname)s_t permissive. SELinux does n
""" % {'domainname':self.domainname})
def _port_types(self):
@ -705033,7 +705120,7 @@ index ba15b2c..835dc43 100755
.SH PORT TYPES
SELinux defines port types to represent TCP and UDP ports.
.PP
@@ -650,8 +656,8 @@ SELinux %(domainname)s policy is very flexible allowing users to setup their %(d
@@ -650,8 +703,8 @@ SELinux %(domainname)s policy is very flexible allowing users to setup their %(d
.PP
The following port types are defined for %(domainname)s:""" % {'domainname':self.domainname})
@ -705044,7 +705131,7 @@ index ba15b2c..835dc43 100755
.EX
.TP 5
@@ -659,49 +665,52 @@ The following port types are defined for %(domainname)s:""" % {'domainname':self
@@ -659,49 +712,52 @@ The following port types are defined for %(domainname)s:""" % {'domainname':self
.TP 10
.EE
""" % p)
@ -705134,7 +705221,7 @@ index ba15b2c..835dc43 100755
.SH FILE CONTEXTS
SELinux requires files to have an extended attribute to define the file type.
.PP
@@ -712,13 +721,13 @@ SELinux %(domainname)s policy is very flexible allowing users to setup their %(d
@@ -712,13 +768,13 @@ SELinux %(domainname)s policy is very flexible allowing users to setup their %(d
.PP
""" % {'domainname':self.domainname})
@ -705152,12 +705239,13 @@ index ba15b2c..835dc43 100755
.PP
%(domainname)s policy stores data with multiple different file context types under the %(equiv)s directory. If you would like to store the data in a different directory you can use the semanage command to create an equivalence mapping. If you wanted to store this data under the /srv dirctory you would execute the following command:
.PP
@@ -728,25 +737,25 @@ SELinux %(domainname)s policy is very flexible allowing users to setup their %(d
@@ -728,25 +784,26 @@ SELinux %(domainname)s policy is very flexible allowing users to setup their %(d
.PP
""" % {'domainname':self.domainname, 'equiv': e, 'alt': e.split('/')[-1] })
- self.fd.write(r"""
+ self.fd.write(r"""
+ if flist_non_exec:
+ self.fd.write(r"""
.PP
.B STANDARD FILE CONTEXT
@ -705184,7 +705272,7 @@ index ba15b2c..835dc43 100755
.EX
.PP
@@ -756,19 +765,19 @@ Note: SELinux often uses regular expressions to specify labels that match multip
@@ -756,19 +813,19 @@ Note: SELinux often uses regular expressions to specify labels that match multip
- %s
""" % ( f, sepolicy.get_description(f)))
@ -705212,7 +705300,7 @@ index ba15b2c..835dc43 100755
.PP
Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the
@@ -779,19 +788,19 @@ to apply the labels.
@@ -779,19 +836,19 @@ to apply the labels.
""")
def _see_also(self):
@ -705243,7 +705331,7 @@ index ba15b2c..835dc43 100755
.SH SHARING FILES
If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t. These context allow any of the above domains to read the content. If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean.
.TP
@@ -812,9 +821,9 @@ semanage fcontext -a -t public_content_rw_t "/var/%(domainname)s/incoming(/.*)?"
@@ -812,9 +869,9 @@ semanage fcontext -a -t public_content_rw_t "/var/%(domainname)s/incoming(/.*)?"
.br
.B setsebool -P %(domainname)s_anon_write 1
""" % {'domainname':self.domainname})
@ -705256,7 +705344,7 @@ index ba15b2c..835dc43 100755
.PP
If you want to %s, you must turn on the %s boolean.
@@ -824,7 +833,7 @@ If you want to %s, you must turn on the %s boolean.
@@ -824,7 +881,7 @@ If you want to %s, you must turn on the %s boolean.
""" % (desc, b, b))
def _footer(self):
@ -705265,7 +705353,7 @@ index ba15b2c..835dc43 100755
.SH "COMMANDS"
.B semanage fcontext
can also be used to manipulate default file context mappings.
@@ -836,19 +845,19 @@ can also be used to manipulate whether or not a process type is permissive.
@@ -836,19 +893,19 @@ can also be used to manipulate whether or not a process type is permissive.
can also be used to enable/disable/install/remove policy modules.
""")
@ -705290,7 +705378,7 @@ index ba15b2c..835dc43 100755
.PP
.B system-config-selinux
is a GUI tool available to customize SELinux policy settings.
@@ -861,102 +870,102 @@ This manual page was auto-generated using
@@ -861,102 +918,102 @@ This manual page was auto-generated using
selinux(8), %s(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
""" % (self.domainname))
@ -705456,7 +705544,7 @@ index ba15b2c..835dc43 100755
.SH "NAME"
%(user)s_u \- \fB%(desc)s\fP - Security Enhanced Linux Policy
@@ -989,22 +998,22 @@ If you wanted to change the default user mapping to use the %(user)s_u user, you
@@ -989,22 +1046,22 @@ If you wanted to change the default user mapping to use the %(user)s_u user, you
""" % {'desc': self.desc, 'type':self.type, 'user':self.domainname,'range':self._get_users_range()})
@ -705487,7 +705575,7 @@ index ba15b2c..835dc43 100755
The SELinux user %(user)s can execute sudo.
You can set up sudo to allow %(user)s to transition to an administrative domain:
@@ -1012,14 +1021,14 @@ You can set up sudo to allow %(user)s to transition to an administrative domain:
@@ -1012,14 +1069,14 @@ You can set up sudo to allow %(user)s to transition to an administrative domain:
Add one or more of the following record to sudoers using visudo.
""" % { 'user':self.domainname } )
@ -705505,7 +705593,7 @@ index ba15b2c..835dc43 100755
You might also need to add one or more of these new roles to your SELinux user record.
List the SELinux roles your SELinux user can reach by executing:
@@ -1033,104 +1042,104 @@ Modify the roles list and add %(user)s_r to this list.
@@ -1033,104 +1090,104 @@ Modify the roles list and add %(user)s_r to this list.
For more details you can see semanage man page.
""" % {'user':self.domainname, "roles": " ".join([role] + self.role_allows[role]) } )
@ -705652,7 +705740,7 @@ index ba15b2c..835dc43 100755
.SH TRANSITIONS
Three things can happen when %(type)s attempts to execute a program.
@@ -1143,7 +1152,7 @@ Three things can happen when %(type)s attempts to execute a program.
@@ -1143,7 +1200,7 @@ Three things can happen when %(type)s attempts to execute a program.
Execute the following to see the types that the SELinux user %(type)s can execute without transitioning:
@ -705661,7 +705749,7 @@ index ba15b2c..835dc43 100755
.TP
@@ -1151,15 +1160,15 @@ Execute the following to see the types that the SELinux user %(type)s can execut
@@ -1151,15 +1208,15 @@ Execute the following to see the types that the SELinux user %(type)s can execut
Execute the following to see the types that the SELinux user %(type)s can execute and transition:
@ -705682,7 +705770,7 @@ index ba15b2c..835dc43 100755
.SH "NAME"
%(user)s_r \- \fB%(desc)s\fP - Security Enhanced Linux Policy
@@ -1201,21 +1210,21 @@ You need to add %(user)s_r to the staff_u user. You could setup the staff_u use
@@ -1201,21 +1258,21 @@ You need to add %(user)s_r to the staff_u user. You could setup the staff_u use
.B $ semanage user -m -R 'staff_r system_r %(user)s_r' staff_u
""" % {'desc': self.desc, 'user':self.domainname})

View File

@ -7,7 +7,7 @@
Summary: SELinux policy core utilities
Name: policycoreutils
Version: 2.3
Release: 1%{?dist}
Release: 2%{?dist}
License: GPLv2
Group: System Environment/Base
# Based on git repository with tag 20101221
@ -378,6 +378,12 @@ The policycoreutils-restorecond package contains the restorecond service.
%systemd_postun_with_restart restorecond.service
%changelog
* Fri May 16 2014 Dan Walsh <dwalsh@redhat.com> - 2.3-2
- Update Miroslav Grepl Patches
* If there is no executable we don't want to print a part of STANDARD FILE CON
* Add-manpages-for-typealiased-types
* Make fixfiles_exclude_dirs working if there is a substituion for the given d
* Tue May 6 2014 Dan Walsh <dwalsh@redhat.com> - 2.3-1
- Update to upstream
* Add -P semodule option to man page from Dan Walsh.