From d4ae6ccd6648591cddec5c8bf0b3bace75ab5297 Mon Sep 17 00:00:00 2001 From: Dan Walsh Date: Wed, 3 Apr 2013 11:18:44 -0400 Subject: [PATCH] Move sepolicy to policycoreutils-devel pacage, since most of it is used for devel - Apply Miroslav Grepl Patches for sepolicy --- policycoreutils-rhat.patch | 113 +++++++++++++++++++++++++++---------- policycoreutils.spec | 18 ++++-- 2 files changed, 96 insertions(+), 35 deletions(-) diff --git a/policycoreutils-rhat.patch b/policycoreutils-rhat.patch index 6b650af..061dd5b 100644 --- a/policycoreutils-rhat.patch +++ b/policycoreutils-rhat.patch @@ -3646,7 +3646,7 @@ index b6abdf5..c05c943 100644 Generate an additional HTML man pages for the specified domain(s). diff --git a/policycoreutils/sepolicy/sepolicy.py b/policycoreutils/sepolicy/sepolicy.py -index b25d3b2..c353021 100755 +index b25d3b2..7443ae0 100755 --- a/policycoreutils/sepolicy/sepolicy.py +++ b/policycoreutils/sepolicy/sepolicy.py @@ -22,6 +22,8 @@ 
@@ -3658,7 +3658,17 @@ index b25d3b2..c353021 100755 from sepolicy import get_os_version import argparse import gettext -@@ -45,7 +47,7 @@ class CheckPath(argparse.Action): +@@ -37,6 +39,9 @@ except IOError: + import __builtin__ + __builtin__.__dict__['_'] = unicode + ++usage = "sepolicy generate [-h] [-n NAME] [-p PATH] [-w [WRITEPATHS [WRITEPATHS ...]]] [" ++usage_dict = {' --newtype':('-t [TYPES [TYPES ...]]',),' --customize':('-d DOMAIN','-a ADMIN_DOMAIN',), ' --admin_user':('-a ADMIN_DOMAIN',), ' --application':('COMMAND',), ' --cgi':('COMMAND',), ' --confined_admin':('-a ADMIN_DOMAIN',), ' --dbus':('COMMAND',), ' --desktop_user':('',),' --inetd':('COMMAND',),' --init':('COMMAND',), ' --sandbox':('',), ' --term_user':('',), ' --x_user':('',)} ++ + class CheckPath(argparse.Action): + def __call__(self, parser, namespace, values, option_string=None): + if not os.path.exists(values): +@@ -45,7 +50,7 @@ class CheckPath(argparse.Action): class CheckType(argparse.Action): def __call__(self, parser, namespace, values, option_string=None): @@ -3667,7 +3677,7 @@ index b25d3b2..c353021 100755 if isinstance(values,str): setattr(namespace, self.dest, values) -@@ -58,9 +60,30 @@ class CheckType(argparse.Action): +@@ -58,9 +63,30 @@ class CheckType(argparse.Action): newval.append(v) setattr(namespace, self.dest, newval) @@ -3699,7 +3709,7 @@ index b25d3b2..c353021 100755 if isinstance(values,str): if values not in domains: -@@ -80,7 +103,6 @@ class CheckDomain(argparse.Action): +@@ -80,7 +106,6 @@ class CheckDomain(argparse.Action): all_classes = None class CheckClass(argparse.Action): def __call__(self, parser, namespace, values, option_string=None): 
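Review bot: `usage_dict`, introduced here at module scope, is a plain dict whose keys are later walked to build the usage line and the `one of the arguments %s is required` message, and on the Python 2 interpreter this file targets (it uses `print a` statements) dict iteration order is arbitrary, so the option list in that output can differ between runs. A list of `(option, operands)` pairs or `collections.OrderedDict` keeps the help text stable; `generate_custom_usage` is outside this chunk, so whether it depends on key order as well is an inference. The leading space in every key (`' --newtype'`) is evidently a concatenation trick and deserves a comment such as `# keys carry a leading space so they join straight onto the usage line`. The renumbered `CheckPath.__call__` lines in this hunk are context only and that method continues outside it.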
@@ -3707,7 +3717,7 @@ index b25d3b2..c353021 100755 global all_classes if not all_classes: all_classes = map(lambda x: x['name'], sepolicy.info(sepolicy.TCLASS)) -@@ -114,7 +136,7 @@ class CheckPort(argparse.Action): +@@ -114,7 +139,7 @@ class CheckPort(argparse.Action): class CheckPortType(argparse.Action): def __call__(self, parser, namespace, values, option_string=None): @@ -3716,7 +3726,7 @@ index b25d3b2..c353021 100755 newval = getattr(namespace, self.dest) if not newval: newval = [] -@@ -140,19 +162,30 @@ class CheckPolicyType(argparse.Action): +@@ -140,19 +165,30 @@ class CheckPolicyType(argparse.Action): class CheckUser(argparse.Action): def __call__(self, parser, namespace, value, option_string=None): @@ -3751,7 +3761,7 @@ index b25d3b2..c353021 100755 if len(portdict) > 0: print "%s: %s %s" % (src, protocol, perm) for p in portdict: -@@ -160,7 +193,7 @@ def _print_net(src, protocol, perm): +@@ -160,7 +196,7 @@ def _print_net(src, protocol, perm): print "\t" + recs def network(args): @@ -3760,7 +3770,7 @@ index b25d3b2..c353021 100755 if args.list_ports: all_ports = [] for i in portrecs: -@@ -201,41 +234,41 @@ def manpage(args): +@@ -201,41 +237,41 @@ def manpage(args): from sepolicy.manpage import ManPage, HTMLManPages, manpage_domains, manpage_roles, gen_domains path = args.path @@ -3825,7 +3835,7 @@ index b25d3b2..c353021 100755 def gen_network_args(parser): net = parser.add_parser("network", -@@ -283,7 +316,6 @@ def gen_communicate_args(parser): +@@ -283,7 +319,6 @@ def gen_communicate_args(parser): comm.set_defaults(func=communicate) def booleans(args): @@ -3833,7 +3843,7 @@ index b25d3b2..c353021 100755 from sepolicy import boolean_desc if args.all: rc, args.booleans = selinux.security_get_boolean_names() -@@ -300,6 +332,7 @@ def gen_booleans_args(parser): +@@ -300,6 +335,7 @@ def gen_booleans_args(parser): action="store_true", help=_("get all booleans descriptions")) group.add_argument("-b", "--boolean", dest="booleans", nargs="+", 
@@ -3841,7 +3851,7 @@ index b25d3b2..c353021 100755 help=_("boolean to get description")) bools.set_defaults(func=booleans) -@@ -320,7 +353,7 @@ def gen_transition_args(parser): +@@ -320,7 +356,7 @@ def gen_transition_args(parser): trans.set_defaults(func=transition) def interface(args): @@ -3850,7 +3860,7 @@ index b25d3b2..c353021 100755 if args.list_admin: for a in get_admin(): print a -@@ -328,13 +361,16 @@ def interface(args): +@@ -328,13 +364,25 @@ def interface(args): for a in get_user(): print a if args.list: @@ -3864,13 +3874,22 @@ index b25d3b2..c353021 100755 cmd = None - if args.policytype not in USERS + [ SANDBOX, NEWTYPE]: +# numbers present POLTYPE defined in sepolicy.generate -+ conflict_args = {'TYPES':(NEWTYPE,), 'DOMAIN':(EUSER,), 'ADMIN_DOMAIN':(AUSER, RUSER,)} ++ conflict_args = {'TYPES':(NEWTYPE,), 'DOMAIN':(EUSER,), 'ADMIN_DOMAIN':(AUSER, RUSER, EUSER,)} ++ error_text = "" ++ ++ if args.policytype is None: ++ generate_usage = generate_custom_usage(usage, usage_dict) ++ for k in usage_dict: ++ error_text += "%s" % (k) ++ print(generate_usage) ++ print(_("sepolicy generate: error: one of the arguments %s is required") % error_text) ++ sys.exit(1) + + if args.policytype in APPLICATIONS: if not args.command: raise ValueError(_("Command required for this type of policy")) cmd = os.path.realpath(args.command) -@@ -346,8 +382,18 @@ def generate(args): +@@ -346,8 +394,18 @@ def generate(args): mypolicy.set_program(cmd) if args.types: @@ -3889,7 +3908,7 @@ index b25d3b2..c353021 100755 for p in args.writepaths: if os.path.isdir(p): mypolicy.add_dir(p) -@@ -368,10 +414,10 @@ def gen_interface_args(parser): +@@ -368,10 +426,10 @@ def gen_interface_args(parser): help=_('List SELinux Policy interfaces')) group = itf.add_mutually_exclusive_group(required=True) group.add_argument("-a", "--list_admin", dest="list_admin",action="store_true", default=False, 
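Review bot: The new `args.policytype is None` guard in `generate()` prints the usage text and the error to stdout with `print` and exits with status 1, whereas argparse reports usage errors on stderr with status 2 (`parser.error`), so callers that capture stdout or test for exit 2 will see this case differently from every other bad invocation; `sys.stderr.write(...)` plus `sys.exit(2)` matches the parser's own behaviour, and `parser` itself is not in scope here, which is presumably why the message is hand-built. `error_text` is assembled by concatenating the dict keys with no separator and relying on each key's leading space, so the message reads `one of the arguments  --newtype --customize ...` with a doubled space; `error_text = ", ".join(k.strip() for k in usage_dict)` gives the argparse-style list. The widened `conflict_args` entry now lists `EUSER` under `ADMIN_DOMAIN`, but the code that consumes `conflict_args` is not in this hunk, so I cannot confirm the effect. `generate()` starts before and continues after this hunk.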
@@ -3902,21 +3921,19 @@ index b25d3b2..c353021 100755 group.add_argument("-l", "--list", dest="list",action="store_true", default=False, help="List all interfaces") -@@ -379,7 +425,12 @@ def gen_interface_args(parser): +@@ -379,7 +437,10 @@ def gen_interface_args(parser): def gen_generate_args(parser): from sepolicy.generate import DAEMON, get_poltype_desc, poltype, DAEMON, DBUS, INETD, CGI, SANDBOX, USER, EUSER, TUSER, XUSER, LUSER, AUSER, RUSER, NEWTYPE - pol = parser.add_parser("generate", + -+ generate_usage = "sepolicy generate [-h] [-n NAME] [-p PATH] [-w [WRITEPATHS [WRITEPATHS ...]]] [" -+ generate_usage_dict = {' --newtype':('-t [TYPES [TYPES ...]]',),' --customize':('-d DOMAIN',), ' --admin_user':('-a ADMIN_DOMAIN',), ' --application':('COMMAND',), ' --cgi':('COMMAND',), ' --confined_admin':('-a ADMIN_DOMAIN',), ' --dbus':('COMMAND',), ' --desktop_user':('',),' --inetd':('COMMAND',),' --init':('COMMAND',), ' --sandbox':('',), ' --term_user':('',), ' --x_user':('',)} -+ generate_usage = generate_custom_usage(generate_usage, generate_usage_dict) ++ generate_usage = generate_custom_usage(usage, usage_dict) + + pol = parser.add_parser("generate", usage = generate_usage, help=_('Generate SELinux Policy module template')) pol.add_argument("-d", "--domain", dest="domain", default=[], action=CheckDomain, nargs="*", -@@ -397,53 +448,57 @@ def gen_generate_args(parser): +@@ -397,53 +458,57 @@ def gen_generate_args(parser): help=argparse.SUPPRESS) pol.add_argument("-t", "--type", dest="types", default=[], nargs="*", action=CheckType, 
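Review bot: `generate_custom_usage(usage, usage_dict)` is now evaluated here in `gen_generate_args` and again inside `generate()` when no policy type was given, from the same two module-level inputs, so computing it once next to their definitions (`generate_usage = generate_custom_usage(usage, usage_dict)` at module scope, provided `generate_custom_usage` is defined above that point) removes the duplication and keeps the two outputs identical. The usage text is hand-maintained separately from the `add_argument` calls that follow, so a comment beside `usage_dict` such as `# keep in sync with the --<policytype> options in gen_generate_args` would warn the next editor that the two drift silently. `gen_generate_args` continues outside this hunk.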
@@ -3931,7 +3948,7 @@ index b25d3b2..c353021 100755 - group = pol.add_mutually_exclusive_group(required=False) - group.add_argument("--newtype", dest="policytype", const=NEWTYPE, + cmdtype = pol.add_argument_group(_("Policy types which require a command")) -+ cmdgroup = cmdtype.add_mutually_exclusive_group(required=True) ++ cmdgroup = cmdtype.add_mutually_exclusive_group(required=False) + cmdgroup.add_argument("--application", dest="policytype", const=USER, action="store_const", - help=_("Generate Policy for %s") % poltype[NEWTYPE]) @@ -3956,7 +3973,7 @@ index b25d3b2..c353021 100755 + help=_("Generate '%s' policy") % poltype[DAEMON]) + + type = pol.add_argument_group("Policy types which do not require a command") -+ group = type.add_mutually_exclusive_group(required=True) ++ group = type.add_mutually_exclusive_group(required=False) + group.add_argument("--admin_user", dest="policytype", const=AUSER, + action="store_const", + help=_("Generate '%s' policy") % poltype[AUSER]) @@ -4000,7 +4017,7 @@ index b25d3b2..c353021 100755 pol.set_defaults(func=generate) if __name__ == '__main__': -@@ -461,7 +516,10 @@ if __name__ == '__main__': +@@ -461,7 +526,10 @@ if __name__ == '__main__': gen_transition_args(subparsers) try: @@ -4220,7 +4237,7 @@ index 5e7415c..5267ed9 100644 booleans_dict = None def gen_bool_dict(path="/usr/share/selinux/devel/policy.xml"): diff --git a/policycoreutils/sepolicy/sepolicy/generate.py b/policycoreutils/sepolicy/sepolicy/generate.py -index 26f8390..c83883f 100644 +index 26f8390..4739025 100644 --- a/policycoreutils/sepolicy/sepolicy/generate.py +++ b/policycoreutils/sepolicy/sepolicy/generate.py @@ -63,20 +63,6 @@ except IOError: 
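Review bot: With both mutually-exclusive groups now `required=False` and every `--<policytype>` flag a `store_const` into the same `dest="policytype"`, argparse still cannot see a conflict between the two groups, so `sepolicy generate --dbus CMD --sandbox` is accepted and the last flag silently wins; the `policytype is None` check in `generate()` only catches the no-flag case. A small action that refuses to overwrite an already-set `policytype` closes the gap when applied as `action=CheckPolicyTypeOnce, nargs=0` on each of these flags in place of `action="store_const"`; if the existing `CheckPolicyType` class in this file already does this, wiring it here is enough (its body is outside this chunk). The `required=False` change itself is right, since two independent `required=True` groups would have demanded one flag from each. `gen_generate_args` starts and ends outside these hunks.
```python
class CheckPolicyTypeOnce(argparse.Action):
    """store_const for the --<policytype> flags that rejects a second one.

    Both argparse groups write dest="policytype", so argparse alone cannot
    distinguish "--dbus CMD --sandbox" from a single choice.
    """
    def __call__(self, parser, namespace, values, option_string=None):
        if getattr(namespace, self.dest, None) is not None:
            parser.error(_("%s: only one policy type may be given") % option_string)
        setattr(namespace, self.dest, self.const)

# … unchanged: argument-group construction; each policy-type flag switches to
# action=CheckPolicyTypeOnce, nargs=0 …
```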
@@ -4285,6 +4302,15 @@ index 26f8390..c83883f 100644 return newte def generate_new_rules(self): +@@ -1014,7 +1007,7 @@ allow %s_t %s_t:%s_socket name_%s; + + def generate_roles_rules(self): + newte = "" +- if self.type in ( TUSER, XUSER, AUSER, LUSER, EUSER): ++ if self.type in ( TUSER, XUSER, AUSER, LUSER ): + roles = "" + if len(self.roles) > 0: + newte += re.sub("TEMPLATETYPE", self.name, user.te_sudo_rules) @@ -1030,14 +1023,15 @@ allow %s_t %s_t:%s_socket name_%s; if len(self.DEFAULT_DIRS[d][1]) > 0: # CGI scripts already have a rw_t @@ -4303,7 +4329,7 @@ index 26f8390..c83883f 100644 newte += self.generate_capabilities() newte += self.generate_process() newte += self.generate_network_types() -@@ -1048,11 +1042,20 @@ allow %s_t %s_t:%s_socket name_%s; +@@ -1048,11 +1042,22 @@ allow %s_t %s_t:%s_socket name_%s; for d in self.DEFAULT_KEYS: if len(self.DEFAULT_DIRS[d][1]) > 0: @@ -4313,8 +4339,10 @@ index 26f8390..c83883f 100644 - newte += re.sub("TEMPLATETYPE", self.name, self.DEFAULT_DIRS[d][2].te_stream_rules) - break + if self.type == EUSER: ++ newte_tmp = "" + for domain in self.existing_domains: -+ newte += re.sub("TEMPLATETYPE", domain[:-2], self.DEFAULT_DIRS[d][2].te_rules) ++ newte_tmp += re.sub("TEMPLATETYPE_t", domain[:-2]+"_t", self.DEFAULT_DIRS[d][2].te_rules) ++ newte += re.sub("TEMPLATETYPE_rw_t", self.name+"_rw_t", newte_tmp) + else: + newte += re.sub("TEMPLATETYPE", self.name, self.DEFAULT_DIRS[d][2].te_rules) + for i in self.DEFAULT_DIRS[d][1]: @@ -4329,7 +4357,7 @@ index 26f8390..c83883f 100644 newte += self.generate_tmp_rules() newte += self.generate_network_rules() -@@ -1079,7 +1082,7 @@ allow %s_t %s_t:%s_socket name_%s; +@@ -1079,7 +1084,7 @@ allow %s_t %s_t:%s_socket name_%s; fclist = [] if self.type in USERS + [ SANDBOX ]: return executable.fc_user 
@@ -4338,8 +4366,24 @@ index 26f8390..c83883f 100644 raise ValueError(_("You must enter the executable path for your confined process")) if self.program: -@@ -1123,7 +1126,7 @@ allow %s_t %s_t:%s_socket name_%s; - tmp = re.sub("TEMPLATETYPE", self.name, script.users) +@@ -1109,7 +1114,7 @@ allow %s_t %s_t:%s_socket name_%s; + + def generate_user_sh(self): + newsh = "" +- if self.type not in ( TUSER, XUSER, AUSER, LUSER, EUSER): ++ if self.type not in ( TUSER, XUSER, AUSER, LUSER, RUSER): + return newsh + + roles = "" +@@ -1117,13 +1122,10 @@ allow %s_t %s_t:%s_socket name_%s; + roles += " %s_r" % role + if roles != "": + roles += " system_r" +- if self.type == EUSER: +- tmp = re.sub("TEMPLATETYPE", self.name, script.eusers) +- else: +- tmp = re.sub("TEMPLATETYPE", self.name, script.users) ++ tmp = re.sub("TEMPLATETYPE", self.name, script.users) newsh += re.sub("ROLES", roles, tmp) - if self.type == RUSER: @@ -4408,7 +4452,7 @@ index 8b063ca..c9036c3 100644 trans_list.append(m[0]) return trans_list diff --git a/policycoreutils/sepolicy/sepolicy/manpage.py b/policycoreutils/sepolicy/sepolicy/manpage.py -index 25062da..f184b0c 100755 +index 25062da..2747e4f 100755 --- a/policycoreutils/sepolicy/sepolicy/manpage.py +++ b/policycoreutils/sepolicy/sepolicy/manpage.py @@ -28,12 +28,12 @@ import string @@ -4504,7 +4548,7 @@ index 25062da..f184b0c 100755 self.booleans_dict = gen_bool_dict(self.xmlpath) if domainname.endswith("_t"): -@@ -459,7 +450,10 @@ class ManPage: +@@ -459,13 +450,16 @@ class ManPage: if self.domainname + "_t" not in self.all_domains: raise ValueError("domain %s_t does not exist" % self.domainname) 
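Review bot: `generate_user_sh` now unconditionally substitutes `self.name` with `re.sub("TEMPLATETYPE", self.name, script.users)`, where the replacement argument is processed for backslash escapes, so a name containing `\` is altered or raises `re.error`; the pattern is a literal, so `script.users.replace("TEMPLATETYPE", self.name)` is both exact and avoids that. `script.users` is presumably a shell template (the method builds `newsh`) and `self.name` comes from the `-n NAME` option, so unless NAME is restricted to identifier characters elsewhere, shell metacharacters would land verbatim in the generated install script — worth a `# NAME must already be validated as [A-Za-z0-9_]+ before it reaches the shell template` comment, or a check at the point of assignment. Dropping the `EUSER` branch leaves `script.eusers` unused if nothing else references it. The method continues outside this hunk.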
@@ -4516,6 +4560,13 @@ index 25062da..f184b0c 100755 self.type = self.domainname + "_t" self._gen_bools() + self.man_page_path = "%s/%s_selinux.8" % (path, self.domainname) + self.fd = open(self.man_page_path, 'w') +- if domainname + "_r" in self.all_roles: ++ if self.domainname + "_r" in self.all_roles: + self.__gen_user_man_page() + if self.html: + manpage_roles.append(self.man_page_path) @@ -483,16 +477,23 @@ class ManPage: def _gen_bools(self): self.bools=[] diff --git a/policycoreutils.spec b/policycoreutils.spec index b8e7f8b..d1b05cc 100644 --- a/policycoreutils.spec +++ b/policycoreutils.spec @@ -114,7 +114,6 @@ an SELinux environment. %{_sbindir}/semanage %{_bindir}/chcat %{_bindir}/sandbox -%{_bindir}/sepolicy %{python_sitearch}/seobject.py* %{python_sitearch}/sepolgen %{python_sitearch}/sepolicy @@ -126,12 +125,9 @@ an SELinux environment. %{_mandir}/ru/man8/chcat.8* %{_mandir}/man8/sandbox.8* %{_mandir}/man8/semanage.8* -%{_mandir}/man8/sepolicy*.8* -%{_mandir}/man8/sepolgen.8* %{_mandir}/ru/man8/semanage.8* %{_usr}/share/bash-completion/completions/semanage %{_usr}/share/bash-completion/completions/setsebool -%{_usr}/share/bash-completion/completions/sepolicy %package devel Summary: SELinux policy core policy devel utilities @@ -155,6 +151,10 @@ The policycoreutils-devel package contains the management tools use to develop p %{_mandir}/man1/audit2allow.1* %{_mandir}/ru/man1/audit2allow.1* %{_mandir}/man1/audit2why.1* +%{_bindir}/sepolicy +%{_mandir}/man8/sepolicy*.8* +%{_mandir}/man8/sepolgen.8* +%{_usr}/share/bash-completion/completions/sepolicy %post devel selinuxenabled && [ -f /usr/share/selinux/devel/include/build.conf ] && /usr/bin/sepolgen-ifgen 2>/dev/null 
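Review bot: `%{_bindir}/sepolicy` and its man pages move to the devel subpackage while `%{python_sitearch}/sepolicy`, the module the CLI imports, stays in the base package, so the two must remain version-locked; the `%package devel` stanza's `Requires:` line is not in this chunk, so if it does not already carry `Requires: policycoreutils = %{version}-%{release}` it should. The `sepolgen.8` man page moves as well although nothing here touches where `sepolgen-ifgen` itself is packaged, which is worth a glance so the page and the binary do not end up in different subpackages.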
@@ -321,6 +321,16 @@ The policycoreutils-restorecond package contains the restorecond service.
 %{_bindir}/systemctl try-restart restorecond.service >/dev/null 2>&1 || :
 
 %changelog
+* Wed Apr 3 2013 Dan Walsh - 2.1.14-32
+- Move sepolicy to policycoreutils-devel pacage, since most of it is used for devel
+- Apply Miroslav Grepl Patches for sepolicy
+* Fix generate mutually groups option handling
+* EUSER is used for existing policy
+* customize options can be used together with admin_domain option
+* Fix manpage.py to generate correct man pages for SELinux users
+* Fix policy *.te file generated by customize+writepaths options
+* Fix install script for confined_admin option
+
 * Mon Apr 1 2013 Dan Walsh - 2.1.14-31
 - Add post install scripts for gui to make sure Icon Cache is refreshed.
 - Fix grammar issue in secon man page