* Fri Oct 9 2006 Dan Walsh <dwalsh@redhat.com> 1.32-1
- Add newrole audit patch from sgrubb - Update to upstream * Merged audit2allow -l fix from Yuichi Nakamura. * Merged restorecon -i and -o - support from Karl MacMillan. * Merged semanage/seobject fix from Dan Walsh. * Merged fixfiles -R and verify changes from Dan Walsh.
This commit is contained in:
parent
12eda6fb9a
commit
d0a35325c9
@ -114,3 +114,4 @@ policycoreutils-1.30.27.tgz
|
||||
policycoreutils-1.30.28.tgz
|
||||
policycoreutils-1.30.29.tgz
|
||||
policycoreutils-1.30.30.tgz
|
||||
policycoreutils-1.32.tgz
|
||||
|
File diff suppressed because it is too large
Load Diff
@ -1,195 +1,17 @@
|
||||
diff --exclude-from=exclude --exclude='*.po' -N -u -r nsapolicycoreutils/audit2allow/avc.py policycoreutils-1.30.30/audit2allow/avc.py
|
||||
--- nsapolicycoreutils/audit2allow/avc.py 2006-09-14 08:07:24.000000000 -0400
|
||||
+++ policycoreutils-1.30.30/audit2allow/avc.py 2006-09-29 12:58:24.000000000 -0400
|
||||
@@ -357,6 +357,15 @@
|
||||
break
|
||||
else:
|
||||
dict.append(i)
|
||||
+
|
||||
+ if not found:
|
||||
+ regexp = "audit\(\d+\.\d+:\d+\): policy loaded"
|
||||
+ m = re.match(regexp, line)
|
||||
+ if m !=None:
|
||||
+ found =1
|
||||
+ dict.append("load_policy")
|
||||
+ dict.append("granted")
|
||||
+
|
||||
if found:
|
||||
self.translate(dict)
|
||||
found = 0
|
||||
diff --exclude-from=exclude --exclude='*.po' -N -u -r nsapolicycoreutils/restorecon/restorecon.8 policycoreutils-1.30.30/restorecon/restorecon.8
|
||||
--- nsapolicycoreutils/restorecon/restorecon.8 2006-08-28 16:58:19.000000000 -0400
|
||||
+++ policycoreutils-1.30.30/restorecon/restorecon.8 2006-09-29 12:58:24.000000000 -0400
|
||||
@@ -23,6 +23,9 @@
|
||||
|
||||
.SH "OPTIONS"
|
||||
.TP
|
||||
+.B \-i
|
||||
+ignore files that do not exist
|
||||
+.TP
|
||||
.B \-f infilename
|
||||
infilename contains a list of files to be processed by application. Use \- for stdin.
|
||||
.TP
|
||||
diff --exclude-from=exclude --exclude='*.po' -N -u -r nsapolicycoreutils/restorecon/restorecon.c policycoreutils-1.30.30/restorecon/restorecon.c
|
||||
--- nsapolicycoreutils/restorecon/restorecon.c 2006-09-01 22:32:11.000000000 -0400
|
||||
+++ policycoreutils-1.30.30/restorecon/restorecon.c 2006-09-29 12:58:24.000000000 -0400
|
||||
@@ -11,9 +11,10 @@
|
||||
* restorecon [-Rnv] pathname...
|
||||
*
|
||||
* -e Specify directory to exclude
|
||||
+ * -i Ignore error if file does not exist
|
||||
* -n Do not change any file labels.
|
||||
* -v Show changes in file labels.
|
||||
- * -o filename save list of files with incorrect context
|
||||
+ * -o filename save list of files with incorrect context
|
||||
* -F Force reset of context to match file_context for customizable files
|
||||
*
|
||||
* pathname... The file(s) to label
|
||||
@@ -41,12 +42,14 @@
|
||||
#include <ftw.h>
|
||||
|
||||
static int change = 1;
|
||||
+static int change_ctr = 0;
|
||||
static int verbose = 0;
|
||||
static int progress = 0;
|
||||
static FILE *outfile = NULL;
|
||||
static char *progname;
|
||||
static int errors = 0;
|
||||
static int recurse = 0;
|
||||
+static int file_exist = 1;
|
||||
static int force = 0;
|
||||
#define STAT_BLOCK_SIZE 1
|
||||
static int pipe_fds[2] = { -1, -1 };
|
||||
@@ -62,6 +65,7 @@
|
||||
static int add_exclude(const char *directory)
|
||||
diff --exclude-from=exclude --exclude='*.po' -N -u -r nsapolicycoreutils/newrole/newrole.c policycoreutils-1.32/newrole/newrole.c
|
||||
--- nsapolicycoreutils/newrole/newrole.c 2006-09-29 11:50:09.000000000 -0400
|
||||
+++ policycoreutils-1.32/newrole/newrole.c 2006-10-20 09:04:57.000000000 -0400
|
||||
@@ -680,6 +680,7 @@
|
||||
{
|
||||
struct stat sb;
|
||||
+ int len=0;
|
||||
if (directory == NULL || directory[0] != '/') {
|
||||
fprintf(stderr, "Full path required for exclude: %s.\n",
|
||||
directory);
|
||||
@@ -85,12 +89,18 @@
|
||||
return 1;
|
||||
fprintf(stderr, _("newrole: incorrect password for %s\n"),
|
||||
pw->pw_name);
|
||||
+ send_audit_message(0, old_context, new_context, ttyn);
|
||||
return (-1);
|
||||
}
|
||||
|
||||
- excludeArray[excludeCtr].directory = strdup(directory);
|
||||
+ len = strlen(directory);
|
||||
+ if (len > 1 && directory[len-1] == '/') {
|
||||
+ excludeArray[excludeCtr].directory = calloc(1,len--);
|
||||
+ strncpy(excludeArray[excludeCtr].directory, directory, len);
|
||||
+ } else
|
||||
+ excludeArray[excludeCtr].directory = strdup(directory);
|
||||
+
|
||||
if (!excludeArray[excludeCtr].directory) {
|
||||
fprintf(stderr, "Out of memory.\n");
|
||||
return 1;
|
||||
}
|
||||
- excludeArray[excludeCtr++].size = strlen(directory);
|
||||
+ excludeArray[excludeCtr++].size = len;
|
||||
|
||||
return 0;
|
||||
}
|
||||
@@ -129,7 +139,7 @@
|
||||
void usage(const char *const name)
|
||||
{
|
||||
fprintf(stderr,
|
||||
- "usage: %s [-FnrRv] [-e excludedir ] [-o filename ] [-f filename | pathname... ]\n",
|
||||
+ "usage: %s [-iFnrRv] [-e excludedir ] [-o filename ] [-f filename | pathname... ]\n",
|
||||
name);
|
||||
exit(1);
|
||||
}
|
||||
@@ -160,6 +170,8 @@
|
||||
}
|
||||
|
||||
if (lstat(filename, &st) != 0) {
|
||||
+ if (!file_exist && errno == ENOENT)
|
||||
+ return 0;
|
||||
fprintf(stderr, "lstat(%s) failed: %s\n", filename,
|
||||
strerror(errno));
|
||||
return 1;
|
||||
@@ -249,7 +261,10 @@
|
||||
freecon(scontext);
|
||||
return 1;
|
||||
}
|
||||
- }
|
||||
+ }
|
||||
+ else
|
||||
+ change_ctr++;
|
||||
+
|
||||
if (verbose)
|
||||
printf("%s reset %s context %s->%s\n",
|
||||
progname, filename,
|
||||
@@ -322,6 +337,8 @@
|
||||
close(pipe_fds[1]);
|
||||
if (rc == -1 || rc > 0) {
|
||||
if (nftw(buf, apply_spec, 1024, FTW_PHYS)) {
|
||||
+ if (!file_exist && errno == ENOENT)
|
||||
+ return;
|
||||
fprintf(stderr,
|
||||
"%s: error while labeling files under %s\n",
|
||||
progname, buf);
|
||||
@@ -351,13 +368,17 @@
|
||||
progname = argv[0];
|
||||
if (is_selinux_enabled() <= 0)
|
||||
exit(0);
|
||||
+
|
||||
set_matchpathcon_flags(MATCHPATHCON_NOTRANS);
|
||||
|
||||
- while ((opt = getopt(argc, argv, "pFrRnvf:o:e:")) > 0) {
|
||||
+ while ((opt = getopt(argc, argv, "ipFrRnvf:o:e:")) > 0) {
|
||||
switch (opt) {
|
||||
case 'n':
|
||||
change = 0;
|
||||
break;
|
||||
+ case 'i':
|
||||
+ file_exist = 0;
|
||||
+ break;
|
||||
case 'r':
|
||||
case 'R':
|
||||
recurse = 1;
|
||||
@@ -370,13 +391,17 @@
|
||||
exit(1);
|
||||
break;
|
||||
case 'o':
|
||||
- outfile = fopen(optarg, "w");
|
||||
- if (!outfile) {
|
||||
- fprintf(stderr, "Error opening %s: %s\n",
|
||||
- optarg, strerror(errno));
|
||||
- usage(argv[0]);
|
||||
+ if (strcmp(optarg,"-") == 0)
|
||||
+ outfile=stdout;
|
||||
+ else {
|
||||
+ outfile = fopen(optarg, "w");
|
||||
+ if (!outfile) {
|
||||
+ fprintf(stderr, "Error opening %s: %s\n",
|
||||
+ optarg, strerror(errno));
|
||||
+ usage(argv[0]);
|
||||
+ }
|
||||
+ __fsetlocking(outfile, FSETLOCKING_BYCALLER);
|
||||
}
|
||||
- __fsetlocking(outfile, FSETLOCKING_BYCALLER);
|
||||
break;
|
||||
case 'v':
|
||||
if (progress) {
|
||||
@@ -421,6 +446,7 @@
|
||||
if (strcmp(file_name, "-") != 0)
|
||||
fclose(f);
|
||||
} else {
|
||||
+ if (optind >= argc) usage(argv[0]);
|
||||
for (i = optind; i < argc; i++) {
|
||||
process(argv[i]);
|
||||
}
|
||||
@@ -428,5 +454,7 @@
|
||||
if (outfile)
|
||||
fclose(outfile);
|
||||
|
||||
+ if (! change) return change_ctr;
|
||||
+
|
||||
return errors;
|
||||
}
|
||||
diff --exclude-from=exclude --exclude='*.po' -N -u -r nsapolicycoreutils/restorecond/Makefile policycoreutils-1.30.30/restorecond/Makefile
|
||||
/* If we reach here, then we have authenticated the user. */
|
||||
diff --exclude-from=exclude --exclude='*.po' -N -u -r nsapolicycoreutils/restorecond/Makefile policycoreutils-1.32/restorecond/Makefile
|
||||
--- nsapolicycoreutils/restorecond/Makefile 2006-08-28 16:58:19.000000000 -0400
|
||||
+++ policycoreutils-1.30.30/restorecond/Makefile 2006-09-29 13:01:57.000000000 -0400
|
||||
+++ policycoreutils-1.32/restorecond/Makefile 2006-10-17 12:59:55.000000000 -0400
|
||||
@@ -5,8 +5,9 @@
|
||||
INITDIR = $(DESTDIR)/etc/rc.d/init.d
|
||||
SELINUXDIR = $(DESTDIR)/etc/selinux
|
||||
@ -202,74 +24,31 @@ diff --exclude-from=exclude --exclude='*.po' -N -u -r nsapolicycoreutils/restore
|
||||
LDLIBS += -lselinux -lsepol -L$(PREFIX)/lib
|
||||
|
||||
all: restorecond
|
||||
diff --exclude-from=exclude --exclude='*.po' -N -u -r nsapolicycoreutils/scripts/fixfiles policycoreutils-1.30.30/scripts/fixfiles
|
||||
--- nsapolicycoreutils/scripts/fixfiles 2006-09-01 22:32:11.000000000 -0400
|
||||
+++ policycoreutils-1.30.30/scripts/fixfiles 2006-09-29 12:58:24.000000000 -0400
|
||||
@@ -117,8 +117,8 @@
|
||||
exit $?
|
||||
fi
|
||||
if [ ! -z "$RPMFILES" ]; then
|
||||
- for i in `echo $RPMFILES | sed 's/,/ /g'`; do
|
||||
- rpmlist $i | ${RESTORECON} ${OUTFILES} ${FORCEFLAG} -R $* -f - 2>&1 >> $LOGFILE
|
||||
+ for i in `echo "$RPMFILES" | sed 's/,/ /g'`; do
|
||||
+ rpmlist $i | ${RESTORECON} ${OUTFILES} ${FORCEFLAG} $* -i -f - 2>&1 >> $LOGFILE
|
||||
done
|
||||
exit $?
|
||||
fi
|
||||
@@ -219,7 +219,7 @@
|
||||
# check if they specified both DIRS and RPMFILES
|
||||
#
|
||||
|
||||
-if [ ! -z $RPMFILES ]; then
|
||||
+if [ ! -z "$RPMFILES" ]; then
|
||||
if [ $OPTIND -le $# ]; then
|
||||
usage
|
||||
fi
|
||||
@@ -236,6 +236,7 @@
|
||||
case "$command" in
|
||||
restore) restore -p ;;
|
||||
check) restore -n -v ;;
|
||||
+ verify) restore -n -o -;;
|
||||
relabel) relabel;;
|
||||
*)
|
||||
usage
|
||||
diff --exclude-from=exclude --exclude='*.po' -N -u -r nsapolicycoreutils/scripts/fixfiles.8 policycoreutils-1.30.30/scripts/fixfiles.8
|
||||
--- nsapolicycoreutils/scripts/fixfiles.8 2006-08-28 16:58:19.000000000 -0400
|
||||
+++ policycoreutils-1.30.30/scripts/fixfiles.8 2006-09-29 12:58:24.000000000 -0400
|
||||
@@ -3,9 +3,9 @@
|
||||
fixfiles \- fix file security contexts.
|
||||
|
||||
.SH "SYNOPSIS"
|
||||
-.B fixfiles [-F] [ -R rpmpackagename[,rpmpackagename...] ] [ -C PREVIOUS_FILECONTEXT ] [-l logfile ] [-o outputfile ] { check | restore | [-F] relabel }"
|
||||
+.B fixfiles [-F] [ -R rpmpackagename[,rpmpackagename...] ] [ -C PREVIOUS_FILECONTEXT ] [-l logfile ] [-o outputfile ] { check | restore | [-F] relabel | verify }"
|
||||
|
||||
-.B fixfiles [-F] [-l logfile ] [-o outputfile ] { check | restore|[-f] relabel } [[dir/file] ... ]
|
||||
+.B fixfiles [-F] [-l logfile ] [-o outputfile ] { check | restore|[-f] relabel | verify } [[dir/file] ... ]
|
||||
|
||||
.SH "DESCRIPTION"
|
||||
This manual page describes the
|
||||
@@ -48,7 +48,7 @@
|
||||
One of:
|
||||
diff --exclude-from=exclude --exclude='*.po' -N -u -r nsapolicycoreutils/semanage/semanage.8 policycoreutils-1.32/semanage/semanage.8
|
||||
--- nsapolicycoreutils/semanage/semanage.8 2006-09-14 08:07:24.000000000 -0400
|
||||
+++ policycoreutils-1.32/semanage/semanage.8 2006-10-19 07:55:00.000000000 -0400
|
||||
@@ -7,7 +7,7 @@
|
||||
.br
|
||||
.B semanage login \-{a|d|m} [\-sr] login_name
|
||||
.br
|
||||
-.B semanage user \-{a|d|m} [\-LrR] selinux_name
|
||||
+.B semanage user \-{a|d|m} [\-LrRP] selinux_name
|
||||
.br
|
||||
.B semanage port \-{a|d|m} [\-tr] [\-p protocol] port | port_range
|
||||
.br
|
||||
@@ -71,6 +71,9 @@
|
||||
.I \-R, \-\-role
|
||||
SELinux Roles. You must enclose multiple roles within quotes, separate by spaces. Or specify \-R multiple times.
|
||||
.TP
|
||||
.B check
|
||||
-show any incorrect file context labels but do not change them.
|
||||
+print any incorrect file context labels, showing old and new context, but do not change them.
|
||||
.TP
|
||||
.B restore
|
||||
change any incorrect file context labels.
|
||||
@@ -56,6 +56,9 @@
|
||||
.B relabel
|
||||
Prompt for removal of contents of /tmp directory and then change any inccorect file context labels to match the install file_contexts file.
|
||||
.TP
|
||||
+.B verify
|
||||
+List out files with incorrect file context labels, but do not change them.
|
||||
+.I \-P, \-\-prefix
|
||||
+SELinux Prefix. Prefix added to home_dir_t and home_t for labeling users home directories.
|
||||
+.TP
|
||||
.B [[dir/file] ... ]
|
||||
List of files or directories trees that you wish to check file context on.
|
||||
|
||||
diff --exclude-from=exclude --exclude='*.po' -N -u -r nsapolicycoreutils/semanage/seobject.py policycoreutils-1.30.30/semanage/seobject.py
|
||||
--- nsapolicycoreutils/semanage/seobject.py 2006-09-14 08:07:24.000000000 -0400
|
||||
+++ policycoreutils-1.30.30/semanage/seobject.py 2006-09-29 12:58:48.000000000 -0400
|
||||
.I \-s, \-\-seuser
|
||||
SELinux user name
|
||||
.TP
|
||||
diff --exclude-from=exclude --exclude='*.po' -N -u -r nsapolicycoreutils/semanage/seobject.py policycoreutils-1.32/semanage/seobject.py
|
||||
--- nsapolicycoreutils/semanage/seobject.py 2006-10-17 12:04:55.000000000 -0400
|
||||
+++ policycoreutils-1.32/semanage/seobject.py 2006-10-17 12:59:55.000000000 -0400
|
||||
@@ -456,7 +456,8 @@
|
||||
rc = semanage_user_set_mlslevel(self.sh, u, selevel)
|
||||
if rc < 0:
|
||||
@ -280,15 +59,7 @@ diff --exclude-from=exclude --exclude='*.po' -N -u -r nsapolicycoreutils/semanag
|
||||
rc = semanage_user_set_prefix(self.sh, u, prefix)
|
||||
if rc < 0:
|
||||
raise ValueError(_("Could not add prefix %s for %s") % (r, prefix))
|
||||
@@ -486,6 +487,7 @@
|
||||
|
||||
def modify(self, name, roles = [], selevel = "", serange = "", prefix = ""):
|
||||
oldroles = ""
|
||||
+ oldserange = ""
|
||||
newroles = string.join(roles, ' ');
|
||||
try:
|
||||
if prefix == "" and len(roles) == 0 and serange == "" and selevel == "":
|
||||
@@ -521,7 +523,9 @@
|
||||
@@ -522,7 +523,9 @@
|
||||
semanage_user_set_mlslevel(self.sh, u, untranslate(selevel))
|
||||
|
||||
if prefix != "":
|
||||
|
@ -1,10 +1,10 @@
|
||||
%define libauditver 1.1.4-3
|
||||
%define libsepolver 1.12.27-1
|
||||
%define libsepolver 1.12.28-1
|
||||
%define libsemanagever 1.6.17-1
|
||||
%define libselinuxver 1.30.27-1
|
||||
%define libselinuxver 1.30.29-2
|
||||
Summary: SELinux policy core utilities.
|
||||
Name: policycoreutils
|
||||
Version: 1.30.30
|
||||
Version: 1.32
|
||||
Release: 1
|
||||
License: GPL
|
||||
Group: System Environment/Base
|
||||
@ -59,6 +59,19 @@ make LOG_AUDIT_PRIV=y DESTDIR="%{buildroot}" LIBDIR="%{buildroot}%{_libdir}" in
|
||||
%clean
|
||||
rm -rf %{buildroot}
|
||||
|
||||
%package newrole
|
||||
Summary: newrole application for RBAC/MLS
|
||||
Group: Development/Libraries
|
||||
Requires: policycoreutils = %{version}-%{release}
|
||||
|
||||
%description newrole
|
||||
RBAC/MLS policy machines require newrole as a way of changing the role
|
||||
or level of a logged in user.
|
||||
|
||||
%files newrole
|
||||
%{_bindir}/newrole
|
||||
%{_mandir}/man1/newrole.1.gz
|
||||
|
||||
%files -f %{name}.lang
|
||||
%defattr(-,root,root)
|
||||
/sbin/restorecon
|
||||
@ -74,7 +87,6 @@ rm -rf %{buildroot}
|
||||
%{_sbindir}/sestatus
|
||||
%{_sbindir}/run_init
|
||||
%{_sbindir}/open_init_pty
|
||||
%{_bindir}/newrole
|
||||
%{_bindir}/audit2allow
|
||||
%{_bindir}/chcat
|
||||
%{_bindir}/secon
|
||||
@ -101,7 +113,6 @@ rm -rf %{buildroot}
|
||||
%{_mandir}/man8/setsebool.8.gz
|
||||
%{_mandir}/man8/run_init.8.gz
|
||||
%{_mandir}/man1/audit2allow.1.gz
|
||||
%{_mandir}/man1/newrole.1.gz
|
||||
%{_mandir}/man1/secon.1.gz
|
||||
%config %{_sysconfdir}/pam.d/newrole
|
||||
%config %{_sysconfdir}/pam.d/run_init
|
||||
@ -122,6 +133,17 @@ fi
|
||||
[ -x /sbin/service ] && /sbin/service restorecond condrestart
|
||||
|
||||
%changelog
|
||||
* Fri Oct 9 2006 Dan Walsh <dwalsh@redhat.com> 1.32-1
|
||||
- Add newrole audit patch from sgrubb
|
||||
- Update to upstream
|
||||
* Merged audit2allow -l fix from Yuichi Nakamura.
|
||||
* Merged restorecon -i and -o - support from Karl MacMillan.
|
||||
* Merged semanage/seobject fix from Dan Walsh.
|
||||
* Merged fixfiles -R and verify changes from Dan Walsh.
|
||||
|
||||
* Fri Oct 6 2006 Dan Walsh <dwalsh@redhat.com> 1.30.30-2
|
||||
- Separate out newrole into its own package
|
||||
|
||||
* Fri Sep 29 2006 Dan Walsh <dwalsh@redhat.com> 1.30.30-1
|
||||
- Update to upstream
|
||||
* Merged newrole auditing of failures due to user actions from
|
||||
|
Loading…
Reference in New Issue
Block a user