- semanage_migrate_store: add -r <root> option for migrating inside chroots

- fixes needed for secadm_r and auditadm_r in MLS policy
This commit is contained in:
Petr Lautrbach 2015-05-25 16:37:16 +02:00
parent be16d7c136
commit dec177337d


@ -1778,6 +1778,76 @@ index 93804ac..1451903 100644
- except ValueError, e: - except ValueError, e:
+ except ValueError as e: + except ValueError as e:
self.error(e.args[0]) self.error(e.args[0])
diff --git a/policycoreutils-2.4/hll/pp/pp.c b/policycoreutils-2.4/hll/pp/pp.c
index b863346..d994891 100644
--- a/policycoreutils-2.4/hll/pp/pp.c
+++ b/policycoreutils-2.4/hll/pp/pp.c
@@ -1995,12 +1995,23 @@ static int role_to_cil(int indent, struct policydb *pdb, struct avrule_block *UN
// one of these roles in base, the declaration will not appeaer in
// the resulting policy, likely resulting in a compilation error in
// CIL.
+ //
+ // To make things more complicated, the auditadm_r and secadm_r
+ // roles could actually be in either the base module or a non-base
+ // module, or both. So we can't rely on this same behavior. So for
+ // these roles, don't declare them here, even if they are in a base
+ // or non-base module. Instead we will just declare them in the
+ // base module elsewhere.
int is_base_role = (!strcmp(key, "user_r") ||
!strcmp(key, "staff_r") ||
!strcmp(key, "sysadm_r") ||
!strcmp(key, "system_r") ||
!strcmp(key, "unconfined_r"));
- if ((is_base_role && pdb->policy_type == SEPOL_POLICY_BASE) || !is_base_role) {
+ int is_builtin_role = (!strcmp(key, "auditadm_r") ||
+ !strcmp(key, "secadm_r"));
+ if ((is_base_role && pdb->policy_type == SEPOL_POLICY_BASE) ||
+ (!is_base_role && !is_builtin_role)) {
+
cil_println(indent, "(role %s)", key);
}
}
@@ -2051,7 +2062,9 @@ static int role_to_cil(int indent, struct policydb *pdb, struct avrule_block *UN
for (i = 0; i < num_types; i++) {
- cil_println(indent, "(roletype %s %s)", key, types[i]);
+ if (is_id_in_scope(pdb, decl_stack, types[i], SYM_TYPES)) {
+ cil_println(indent, "(roletype %s %s)", key, types[i]);
+ }
}
break;
@@ -3594,6 +3607,17 @@ static int generate_default_object(void)
return 0;
}
+static int generate_builtin_roles(void)
+{
+ // due to inconsistentencies between policies and CIL not allowing
+ // duplicate roles, some roles are always created, regardless of if they
+ // are declared in modules or not
+ cil_println(0, "(role auditadm_r)");
+ cil_println(0, "(role secadm_r)");
+
+ return 0;
+}
+
static int generate_gen_require_attribute(void)
{
cil_println(0, "(typeattribute " GEN_REQUIRE_ATTR ")");
@@ -3679,6 +3703,11 @@ static int module_package_to_cil(struct sepol_module_package *mod_pkg)
goto exit;
}
+ rc = generate_builtin_roles();
+ if (rc != 0) {
+ goto exit;
+ }
+
// default attribute to be used to mimic gen_require in CIL
rc = generate_gen_require_attribute();
if (rc != 0) {
diff --git a/policycoreutils-2.4/newrole/newrole.c b/policycoreutils-2.4/newrole/newrole.c diff --git a/policycoreutils-2.4/newrole/newrole.c b/policycoreutils-2.4/newrole/newrole.c
index 94794e9..55e8d39 100644 index 94794e9..55e8d39 100644
--- a/policycoreutils-2.4/newrole/newrole.c --- a/policycoreutils-2.4/newrole/newrole.c
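Review bot: The new `is_id_in_scope` guard around the `(roletype %s %s)` emission silently skips roletype statements for types that are not in scope, with no diagnostic and no comment explaining why dropping them is the intended outcome rather than a lost rule; a short comment such as `// type declared in another scope: CIL would reject the roletype here, so skip it (TODO confirm this is the intended behavior)` would stop the next reader from treating it as a bug. The added blank `+` line directly inside the rewritten `if ((is_base_role && ...) || (!is_base_role && !is_builtin_role))` condition is stray whitespace. The added comment in generate_builtin_roles spells "inconsistentencies"; it should read "inconsistencies". role_to_cil and module_package_to_cil both start and end outside the visible hunks.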
@ -662731,7 +662801,7 @@ index 2a7cfa3..95fba09 100644
char path[PATH_MAX + 1]; char path[PATH_MAX + 1];
diff --git a/policycoreutils-2.4/setfiles/setfiles.c b/policycoreutils-2.4/setfiles/setfiles.c diff --git a/policycoreutils-2.4/setfiles/setfiles.c b/policycoreutils-2.4/setfiles/setfiles.c
index 86d3f28..a9c182c 100644 index 86d3f28..e39b500 100644
--- a/policycoreutils-2.4/setfiles/setfiles.c --- a/policycoreutils-2.4/setfiles/setfiles.c
+++ b/policycoreutils-2.4/setfiles/setfiles.c +++ b/policycoreutils-2.4/setfiles/setfiles.c
@@ -153,6 +153,9 @@ int main(int argc, char **argv) @@ -153,6 +153,9 @@ int main(int argc, char **argv)
@ -662744,7 +662814,23 @@ index 86d3f28..a9c182c 100644
memset(&r_opts, 0, sizeof(r_opts)); memset(&r_opts, 0, sizeof(r_opts));
@@ -225,8 +228,13 @@ int main(int argc, char **argv) @@ -196,6 +199,7 @@ int main(int argc, char **argv)
r_opts.add_assoc = 1;
r_opts.fts_flags = FTS_PHYSICAL | FTS_XDEV;
ctx_validate = 1;
+ opts = sopts;
} else {
/*
* restorecon:
@@ -215,6 +219,7 @@ int main(int argc, char **argv)
r_opts.add_assoc = 0;
r_opts.fts_flags = FTS_PHYSICAL;
ctx_validate = 0;
+ opts = ropts;
/* restorecon only: silent exit if no SELinux.
Allows unconditional execution by scripts. */
@@ -225,8 +230,13 @@ int main(int argc, char **argv)
/* This must happen before getopt. */ /* This must happen before getopt. */
r_opts.nfile = exclude_non_seclabel_mounts(); r_opts.nfile = exclude_non_seclabel_mounts();
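Review bot: The mode-specific option strings assigned at `opts = sopts;` and `opts = ropts;` are defined outside this hunk, and the -r handling changed later in the same file now reads `optarg` instead of `argv[optind]` while dropping the explicit usage check, so the requirement that -r takes an argument rests entirely on `r:` being present in both strings; a comment at the assignment, e.g. `/* keep "r:" in both option strings: -r now takes its argument via optarg */`, would make that coupling visible. It is also worth confirming that every path through the if/else reaches one of the two assignments; from the visible lines both branches assign, but the declaration of `opts` and any earlier exit are not in view. main() starts and ends outside the hunk.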
@ -662759,16 +662845,27 @@ index 86d3f28..a9c182c 100644
switch (opt) { switch (opt) {
case 'c': case 'c':
{ {
@@ -326,7 +334,7 @@ int main(int argc, char **argv) @@ -315,18 +325,13 @@ int main(int argc, char **argv)
recurse = 1;
break;
}
- if (optind + 1 >= argc) {
- fprintf(stderr, "usage: %s -r rootpath\n",
- argv[0]);
- exit(-1);
- }
if (NULL != r_opts.rootpath) {
fprintf(stderr,
"%s: only one -r can be specified\n",
argv[0]); argv[0]);
exit(-1); exit(-1);
} }
- set_rootpath(argv[optind++]); - set_rootpath(argv[optind++]);
+ set_rootpath(argv[optind]); + set_rootpath(optarg);
break; break;
case 's': case 's':
use_input_file = 1; use_input_file = 1;
@@ -337,7 +345,7 @@ int main(int argc, char **argv) @@ -337,7 +342,7 @@ int main(int argc, char **argv)
if (r_opts.progress) { if (r_opts.progress) {
fprintf(stderr, fprintf(stderr,
"Progress and Verbose mutually exclusive\n"); "Progress and Verbose mutually exclusive\n");