From d2c9993f24da9b432c428f3b893b8b39eb4dc74f Mon Sep 17 00:00:00 2001 From: Petr Lautrbach Date: Thu, 3 Sep 2015 23:49:39 +0200 Subject: [PATCH] Another two fixes related to Python 3 - policycoreutils/sepolicy: decode output from subprocess, if error occurred (#1247039) - Use correct variable when creating a permissive domain --- policycoreutils-rhat.patch | 62 ++++++++++++++++++++------------------ policycoreutils.spec | 2 +- 2 files changed, 33 insertions(+), 31 deletions(-) diff --git a/policycoreutils-rhat.patch b/policycoreutils-rhat.patch index 2efc178..fb81366 100644 --- a/policycoreutils-rhat.patch +++ b/policycoreutils-rhat.patch @@ -656452,7 +656452,7 @@ index 568ebfd..306d9b7 100644 def __init__(self, store): diff --git a/policycoreutils-2.4/semanage/seobject/__init__.py b/policycoreutils-2.4/semanage/seobject/__init__.py new file mode 100644 -index 0000000..c23ebef +index 0000000..33f5fa9 --- /dev/null +++ b/policycoreutils-2.4/semanage/seobject/__init__.py @@ -0,0 +1,2271 @@ @@ -656933,7 +656933,7 @@ index 0000000..c23ebef + raise ValueError(_("The sepolgen python module is required to setup permissive domains.\nIn some distributions it is included in the policycoreutils-devel patckage.\n# yum install policycoreutils-devel\nOr similar for your distro.")) + + name = "permissive_%s" % setype -+ modtxt = "(typepermissive %s)" % type ++ modtxt = "(typepermissive %s)" % setype + + rc = semanage_module_install(self.sh, modtxt, len(modtxt), name, "cil") + if rc >= 0: @@ -662374,7 +662374,7 @@ index bbabb3b..29370ee 100644 os.remove(v) diff --git a/policycoreutils-2.4/sepolicy/sepolicy/manpage.py b/policycoreutils-2.4/sepolicy/sepolicy/manpage.py -index ba15b2c..4da25b9 100755 +index ba15b2c..fdec32a 100755 --- a/policycoreutils-2.4/sepolicy/sepolicy/manpage.py +++ b/policycoreutils-2.4/sepolicy/sepolicy/manpage.py @@ -1,4 +1,4 @@ @@ -662383,9 +662383,11 @@ index ba15b2c..4da25b9 100755 # Copyright (C) 2012-2013 Red Hat # AUTHOR: Dan Walsh # AUTHOR: Miroslav Grepl -@@ -30,103 +30,111 @@ import selinux +@@ -29,104 +29,113 @@ import argparse + import selinux import sepolicy from sepolicy import * ++from sepolgen import util -import commands +import subprocess @@ -662572,7 +662574,7 @@ index ba15b2c..4da25b9 100755 def prettyprint(f,trim): return " ".join(f[:-len(trim)].split("_")) -@@ -135,150 +143,106 @@ def prettyprint(f,trim): +@@ -135,150 +144,106 @@ def prettyprint(f,trim): manpage_domains = [] manpage_roles = [] @@ -662611,7 +662613,7 @@ index ba15b2c..4da25b9 100755 + stderr=subprocess.STDOUT, + shell=True) + except subprocess.CalledProcessError as e: -+ sys.stderr.write(e.output) ++ sys.stderr.write(util.decode_input(e.output)) + return + fd = open(html_manpage,'wb') + fd.write(man_page) @@ -662802,7 +662804,7 @@ index ba15b2c..4da25b9 100755
-@@ -286,38 +250,38 @@ Fedora or Red Hat Enterprise Linux Man Pages. +@@ -286,38 +251,38 @@ Fedora or Red Hat Enterprise Linux Man Pages.

SELinux domains

""" % rolename_body) @@ -662861,7 +662863,7 @@ index ba15b2c..4da25b9 100755 html, body { background-color: #fcfcfc; font-family: arial, sans-serif; -@@ -326,9 +290,9 @@ html, body { +@@ -326,9 +291,9 @@ html, body { } h1, h2, h3, h4, h5, h5 { @@ -662874,7 +662876,7 @@ index ba15b2c..4da25b9 100755 } a { -@@ -374,159 +338,198 @@ pre.code { +@@ -374,159 +339,198 @@ pre.code { } """) @@ -663197,7 +663199,7 @@ index ba15b2c..4da25b9 100755 .SH "NAME" %(domainname)s_selinux \- Security Enhanced Linux Policy for the %(domainname)s processes .SH "DESCRIPTION" -@@ -543,20 +546,20 @@ For example: +@@ -543,20 +547,20 @@ For example: def _format_boolean_desc(self, b): @@ -663230,7 +663232,7 @@ index ba15b2c..4da25b9 100755 .PP If you want to %s, you must turn on the %s boolean. %s by default. -@@ -565,34 +568,34 @@ If you want to %s, you must turn on the %s boolean. %s by default. +@@ -565,34 +569,34 @@ If you want to %s, you must turn on the %s boolean. %s by default. .EE """ % (self._format_boolean_desc(b), b, self.enabled_str[enabled], b) @@ -663281,7 +663283,7 @@ index ba15b2c..4da25b9 100755 .PP If you want to %s for the %s, you must turn on the %s boolean. -@@ -601,12 +604,12 @@ If you want to %s for the %s, you must turn on the %s boolean. +@@ -601,12 +605,12 @@ If you want to %s for the %s, you must turn on the %s boolean. .EE """ % (self._format_boolean_desc(b),(", ".join(nsswitch_types)), b, b) @@ -663298,7 +663300,7 @@ index ba15b2c..4da25b9 100755 .SH PROCESS TYPES SELinux defines process types (domains) for each process running on the system .PP -@@ -617,11 +620,11 @@ SELinux %(domainname)s policy is very flexible allowing users to setup their %(d +@@ -617,11 +621,11 @@ SELinux %(domainname)s policy is very flexible allowing users to setup their %(d .PP The following process types are defined for %(domainname)s: """ % {'domainname':self.domainname}) @@ -663312,7 +663314,7 @@ index ba15b2c..4da25b9 100755 .PP Note: .B semanage permissive -a %(domainname)s_t -@@ -629,14 +632,14 @@ can be used to make the process type %(domainname)s_t permissive. SELinux does n +@@ -629,14 +633,14 @@ can be used to make the process type %(domainname)s_t permissive. SELinux does n """ % {'domainname':self.domainname}) def _port_types(self): @@ -663333,7 +663335,7 @@ index ba15b2c..4da25b9 100755 .SH PORT TYPES SELinux defines port types to represent TCP and UDP ports. .PP -@@ -650,8 +653,8 @@ SELinux %(domainname)s policy is very flexible allowing users to setup their %(d +@@ -650,8 +654,8 @@ SELinux %(domainname)s policy is very flexible allowing users to setup their %(d .PP The following port types are defined for %(domainname)s:""" % {'domainname':self.domainname}) @@ -663344,7 +663346,7 @@ index ba15b2c..4da25b9 100755 .EX .TP 5 -@@ -659,49 +662,52 @@ The following port types are defined for %(domainname)s:""" % {'domainname':self +@@ -659,49 +663,52 @@ The following port types are defined for %(domainname)s:""" % {'domainname':self .TP 10 .EE """ % p) @@ -663434,7 +663436,7 @@ index ba15b2c..4da25b9 100755 .SH FILE CONTEXTS SELinux requires files to have an extended attribute to define the file type. .PP -@@ -712,13 +718,13 @@ SELinux %(domainname)s policy is very flexible allowing users to setup their %(d +@@ -712,13 +719,13 @@ SELinux %(domainname)s policy is very flexible allowing users to setup their %(d .PP """ % {'domainname':self.domainname}) @@ -663452,7 +663454,7 @@ index ba15b2c..4da25b9 100755 .PP %(domainname)s policy stores data with multiple different file context types under the %(equiv)s directory. If you would like to store the data in a different directory you can use the semanage command to create an equivalence mapping. If you wanted to store this data under the /srv dirctory you would execute the following command: .PP -@@ -728,25 +734,26 @@ SELinux %(domainname)s policy is very flexible allowing users to setup their %(d +@@ -728,25 +735,26 @@ SELinux %(domainname)s policy is very flexible allowing users to setup their %(d .PP """ % {'domainname':self.domainname, 'equiv': e, 'alt': e.split('/')[-1] }) @@ -663485,7 +663487,7 @@ index ba15b2c..4da25b9 100755 .EX .PP -@@ -756,19 +763,19 @@ Note: SELinux often uses regular expressions to specify labels that match multip +@@ -756,19 +764,19 @@ Note: SELinux often uses regular expressions to specify labels that match multip - %s """ % ( f, sepolicy.get_description(f))) @@ -663513,7 +663515,7 @@ index ba15b2c..4da25b9 100755 .PP Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the -@@ -779,19 +786,19 @@ to apply the labels. +@@ -779,19 +787,19 @@ to apply the labels. """) def _see_also(self): @@ -663544,7 +663546,7 @@ index ba15b2c..4da25b9 100755 .SH SHARING FILES If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t. These context allow any of the above domains to read the content. If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean. .TP -@@ -812,9 +819,9 @@ semanage fcontext -a -t public_content_rw_t "/var/%(domainname)s/incoming(/.*)?" +@@ -812,9 +820,9 @@ semanage fcontext -a -t public_content_rw_t "/var/%(domainname)s/incoming(/.*)?" .br .B setsebool -P %(domainname)s_anon_write 1 """ % {'domainname':self.domainname}) @@ -663557,7 +663559,7 @@ index ba15b2c..4da25b9 100755 .PP If you want to %s, you must turn on the %s boolean. -@@ -824,7 +831,7 @@ If you want to %s, you must turn on the %s boolean. +@@ -824,7 +832,7 @@ If you want to %s, you must turn on the %s boolean. """ % (desc, b, b)) def _footer(self): @@ -663566,7 +663568,7 @@ index ba15b2c..4da25b9 100755 .SH "COMMANDS" .B semanage fcontext can also be used to manipulate default file context mappings. -@@ -836,19 +843,19 @@ can also be used to manipulate whether or not a process type is permissive. +@@ -836,19 +844,19 @@ can also be used to manipulate whether or not a process type is permissive. can also be used to enable/disable/install/remove policy modules. """) @@ -663591,7 +663593,7 @@ index ba15b2c..4da25b9 100755 .PP .B system-config-selinux is a GUI tool available to customize SELinux policy settings. -@@ -861,102 +868,102 @@ This manual page was auto-generated using +@@ -861,102 +869,102 @@ This manual page was auto-generated using selinux(8), %s(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) """ % (self.domainname)) @@ -663757,7 +663759,7 @@ index ba15b2c..4da25b9 100755 .SH "NAME" %(user)s_u \- \fB%(desc)s\fP - Security Enhanced Linux Policy -@@ -989,22 +996,22 @@ If you wanted to change the default user mapping to use the %(user)s_u user, you +@@ -989,22 +997,22 @@ If you wanted to change the default user mapping to use the %(user)s_u user, you """ % {'desc': self.desc, 'type':self.type, 'user':self.domainname,'range':self._get_users_range()}) @@ -663788,7 +663790,7 @@ index ba15b2c..4da25b9 100755 The SELinux user %(user)s can execute sudo. You can set up sudo to allow %(user)s to transition to an administrative domain: -@@ -1012,14 +1019,14 @@ You can set up sudo to allow %(user)s to transition to an administrative domain: +@@ -1012,14 +1020,14 @@ You can set up sudo to allow %(user)s to transition to an administrative domain: Add one or more of the following record to sudoers using visudo. """ % { 'user':self.domainname } ) @@ -663806,7 +663808,7 @@ index ba15b2c..4da25b9 100755 You might also need to add one or more of these new roles to your SELinux user record. List the SELinux roles your SELinux user can reach by executing: -@@ -1033,104 +1040,104 @@ Modify the roles list and add %(user)s_r to this list. +@@ -1033,104 +1041,104 @@ Modify the roles list and add %(user)s_r to this list. For more details you can see semanage man page. """ % {'user':self.domainname, "roles": " ".join([role] + self.role_allows[role]) } ) @@ -663953,7 +663955,7 @@ index ba15b2c..4da25b9 100755 .SH TRANSITIONS Three things can happen when %(type)s attempts to execute a program. -@@ -1143,7 +1150,7 @@ Three things can happen when %(type)s attempts to execute a program. +@@ -1143,7 +1151,7 @@ Three things can happen when %(type)s attempts to execute a program. Execute the following to see the types that the SELinux user %(type)s can execute without transitioning: @@ -663962,7 +663964,7 @@ index ba15b2c..4da25b9 100755 .TP -@@ -1151,15 +1158,15 @@ Execute the following to see the types that the SELinux user %(type)s can execut +@@ -1151,15 +1159,15 @@ Execute the following to see the types that the SELinux user %(type)s can execut Execute the following to see the types that the SELinux user %(type)s can execute and transition: @@ -663983,7 +663985,7 @@ index ba15b2c..4da25b9 100755 .SH "NAME" %(user)s_r \- \fB%(desc)s\fP - Security Enhanced Linux Policy -@@ -1201,21 +1208,21 @@ You need to add %(user)s_r to the staff_u user. You could setup the staff_u use +@@ -1201,21 +1209,21 @@ You need to add %(user)s_r to the staff_u user. You could setup the staff_u use .B $ semanage user -m -R 'staff_r system_r %(user)s_r' staff_u """ % {'desc': self.desc, 'user':self.domainname}) diff --git a/policycoreutils.spec b/policycoreutils.spec index c929288..b6d1458 100644 --- a/policycoreutils.spec +++ b/policycoreutils.spec @@ -18,7 +18,7 @@ Source2: policycoreutils_man_ru2.tar.bz2 Source3: system-config-selinux.png Source4: sepolicy-icons.tgz # use make-rhat-patches.sh to create following patches from https://github.com/fedora-selinux/selinux/ -# HEAD https://github.com/fedora-selinux/selinux/commit/c8400be1e608ae21a27568d70d93e70e4dc808b6 +# HEAD https://github.com/fedora-selinux/selinux/commit/eb5c289a0e39d67b1cb12c85a166be236892b08a Patch: policycoreutils-rhat.patch Patch1: sepolgen-rhat.patch Obsoletes: policycoreutils < 2.0.61-2