Update to upstream

* Apply polkit check on all dbus interfaces and restrict to active user from Dan Walsh.
	* Fix typo in sepolicy gui dbus.relabel_on_boot call from Dan Walsh.
- Apply Miroslav Grepl patch to fix TEMPLATETYPE_domtrans description in sepolicy generate
This commit is contained in:
Dan Walsh 2013-11-22 09:06:48 -05:00
parent 934834e6cb
commit e0ae96d544
3 changed files with 38 additions and 142 deletions


@ -258980,100 +258980,6 @@ index cd1026a..ac44dfe 100644
+ PyModule_AddIntConstant(m, "SENS", SENS);
+ PyModule_AddIntConstant(m, "CATS", CATS);
}
diff --git a/policycoreutils/sepolicy/org.selinux.policy b/policycoreutils/sepolicy/org.selinux.policy
index c0a730c..44ae625 100644
--- a/policycoreutils/sepolicy/org.selinux.policy
+++ b/policycoreutils/sepolicy/org.selinux.policy
@@ -11,8 +11,8 @@
<description>SELinux write access</description>
<message>System policy prevents restorecon access to SELinux</message>
<defaults>
- <allow_any>auth_admin_keep</allow_any>
- <allow_inactive>auth_admin_keep</allow_inactive>
+ <allow_any>no</allow_any>
+ <allow_inactive>no</allow_inactive>
<allow_active>auth_admin_keep</allow_active>
</defaults>
</action>
@@ -20,8 +20,8 @@
<description>SELinux write access</description>
<message>System policy prevents setenforce access to SELinux</message>
<defaults>
- <allow_any>auth_admin_keep</allow_any>
- <allow_inactive>auth_admin_keep</allow_inactive>
+ <allow_any>no</allow_any>
+ <allow_inactive>no</allow_inactive>
<allow_active>auth_admin_keep</allow_active>
</defaults>
</action>
@@ -29,8 +29,8 @@
<description>SELinux write access</description>
<message>System policy prevents semanage access to SELinux</message>
<defaults>
- <allow_any>auth_admin_keep</allow_any>
- <allow_inactive>auth_admin_keep</allow_inactive>
+ <allow_any>no</allow_any>
+ <allow_inactive>no</allow_inactive>
<allow_active>auth_admin_keep</allow_active>
</defaults>
</action>
@@ -38,8 +38,8 @@
<description>SELinux Read access</description>
<message>System policy prevents read access to SELinux</message>
<defaults>
- <allow_any>yes</allow_any>
- <allow_inactive>yes</allow_inactive>
+ <allow_any>no</allow_any>
+ <allow_inactive>no</allow_inactive>
<allow_active>yes</allow_active>
</defaults>
</action>
@@ -47,8 +47,8 @@
<description>SELinux list modules access</description>
<message>System policy prevents read access to SELinux modules</message>
<defaults>
- <allow_any>yes</allow_any>
- <allow_inactive>yes</allow_inactive>
+ <allow_any>no</allow_any>
+ <allow_inactive>no</allow_inactive>
<allow_active>yes</allow_active>
</defaults>
</action>
@@ -56,25 +56,27 @@
<description>SELinux write access</description>
<message>System policy prevents relabel_on_boot access to SELinux</message>
<defaults>
- <allow_any>yes</allow_any>
+ <allow_any>no</allow_any>
+ <allow_inactive>no</allow_inactive>
+ <allow_active>auth_admin_keep</allow_active>
</defaults>
</action>
<action id="org.selinux.change_default_policy">
<description>SELinux write access</description>
<message>System policy prevents change_default_policy access to SELinux</message>
<defaults>
- <allow_any>auth_admin_keep</allow_any>
- <allow_inactive>auth_admin_keep</allow_inactive>
- <allow_active>auth_admin_keep</allow_active>
+ <allow_any>no</allow_any>
+ <allow_inactive>no</allow_inactive>
+ <allow_active>auth_admin_keep</allow_active>
</defaults>
</action>
<action id="org.selinux.change_policy_type">
<description>SELinux write access</description>
<message>System policy prevents change_policy_type access to SELinux</message>
<defaults>
- <allow_any>auth_admin_keep</allow_any>
- <allow_inactive>auth_admin_keep</allow_inactive>
- <allow_active>auth_admin_keep</allow_active>
+ <allow_any>no</allow_any>
+ <allow_inactive>no</allow_inactive>
+ <allow_active>auth_admin_keep</allow_active>
</defaults>
</action>
</policyconfig>
diff --git a/policycoreutils/sepolicy/policy.c b/policycoreutils/sepolicy/policy.c
index 2a9e1c7..365e622 100644
--- a/policycoreutils/sepolicy/policy.c
@ -259309,7 +259215,7 @@ index 458a4d2..b6088af 100644
+ except dbus.DBusException as e:
+ print(e)
diff --git a/policycoreutils/sepolicy/selinux_server.py b/policycoreutils/sepolicy/selinux_server.py
index 98dbff4..3cfdc94 100644
index e94c38f..3cfdc94 100644
--- a/policycoreutils/sepolicy/selinux_server.py
+++ b/policycoreutils/sepolicy/selinux_server.py
@@ -18,7 +18,7 @@ class selinux_server(slip.dbus.service.Object):
@ -259334,7 +259240,7 @@ index 98dbff4..3cfdc94 100644
# another server to make the two systems have duplicate policy.
#
@slip.dbus.polkit.require_auth("org.selinux.customized")
@@ -42,12 +42,12 @@ class selinux_server(slip.dbus.service.Object):
@@ -42,7 +42,7 @@ class selinux_server(slip.dbus.service.Object):
if p.returncode and p.returncode != 0:
raise OSError("Failed to read SELinux configuration: %s", output)
return buf
@ -259343,13 +259249,7 @@ index 98dbff4..3cfdc94 100644
#
# The semodule_list method will return the output of semodule -l, using the customized polkit,
# since this is a readonly behaviour
#
- @slip.dbus.polkit.require_auth("org.selinux.customized")
+ @slip.dbus.polkit.require_auth("org.selinux.semodule_list")
@dbus.service.method("org.selinux", in_signature='', out_signature='s')
def semodule_list(self):
p = Popen(["/usr/sbin/semodule", "-l"],stdout=PIPE, stderr=PIPE)
@@ -56,10 +56,11 @@ class selinux_server(slip.dbus.service.Object):
@@ -56,7 +56,7 @@ class selinux_server(slip.dbus.service.Object):
if p.returncode and p.returncode != 0:
raise OSError("Failed to list SELinux modules: %s", output)
return buf
@ -259358,27 +259258,7 @@ index 98dbff4..3cfdc94 100644
#
# The restorecon method modifies any file path to the default system label
#
+ @slip.dbus.polkit.require_auth("org.selinux.restorecon")
@dbus.service.method("org.selinux", in_signature='s')
def restorecon(self, path):
selinux.restorecon(str(path), recursive=1)
@@ -67,6 +68,7 @@ class selinux_server(slip.dbus.service.Object):
#
# The setenforce method turns off the current enforcement of SELinux
#
+ @slip.dbus.polkit.require_auth("org.selinux.setenforce")
@dbus.service.method("org.selinux", in_signature='i')
def setenforce(self, value):
selinux.security_setenforce(value)
@@ -74,6 +76,7 @@ class selinux_server(slip.dbus.service.Object):
#
# The setenforce method turns off the current enforcement of SELinux
#
+ @slip.dbus.polkit.require_auth("org.selinux.relabel_on_boot")
@dbus.service.method("org.selinux", in_signature='i')
def relabel_on_boot(self, value):
if value == 1:
@@ -83,7 +86,7 @@ class selinux_server(slip.dbus.service.Object):
@@ -86,7 +86,7 @@ class selinux_server(slip.dbus.service.Object):
os.unlink("/.autorelabel")
def write_selinux_config(self, enforcing=None, policy=None):
@ -259387,17 +259267,16 @@ index 98dbff4..3cfdc94 100644
backup_path = path + ".bck"
fd = open(path)
lines = fd.readlines()
@@ -101,26 +104,28 @@ class selinux_server(slip.dbus.service.Object):
@@ -104,7 +104,7 @@ class selinux_server(slip.dbus.service.Object):
os.rename(backup_path, path)
#
- # The change_default_enforcement modifies the current enforcement mode
+ # The change_default_enforcement modifies the current enforcement mode
#
+ @slip.dbus.polkit.require_auth("org.selinux.change_default_mode")
@slip.dbus.polkit.require_auth("org.selinux.change_default_mode")
@dbus.service.method("org.selinux", in_signature='s')
def change_default_mode(self, value):
values = [ "enforcing", "permissive", "disabled" ]
@@ -113,7 +113,7 @@ class selinux_server(slip.dbus.service.Object):
if value not in values:
raise ValueError("Enforcement mode must be %s" % ", ".join(values))
self.write_selinux_config(enforcing=value)
@ -259406,11 +259285,7 @@ index 98dbff4..3cfdc94 100644
#
# The change_default_policy method modifies the policy type
#
+ @slip.dbus.polkit.require_auth("org.selinux.change_default_policy")
@dbus.service.method("org.selinux", in_signature='s')
def change_default_policy(self, value):
path = selinux.selinux_path() + value
@@ -125,7 +125,7 @@ class selinux_server(slip.dbus.service.Object):
if os.path.isdir(path):
return self.write_selinux_config(policy=value)
raise ValueError("%s does not exist" % path)
@ -261362,7 +261237,7 @@ index 6b53035..32ea970 100644
out += "%s # %s\n" % (self.write_te(out_dir), _("Type Enforcement file"))
out += "%s # %s\n" % (self.write_if(out_dir), _("Interface file"))
diff --git a/policycoreutils/sepolicy/sepolicy/gui.py b/policycoreutils/sepolicy/sepolicy/gui.py
index 0123e6c..ac3e513 100644
index 94ddb72..ac3e513 100644
--- a/policycoreutils/sepolicy/sepolicy/gui.py
+++ b/policycoreutils/sepolicy/sepolicy/gui.py
@@ -47,12 +47,15 @@ gettext.bindtextdomain(PROGNAME, "/usr/share/locale")
@ -261844,13 +261719,11 @@ index 0123e6c..ac3e513 100644
self.dbus.setenforce(button.get_active())
self.set_enforce_text(button.get_active())
@@ -2727,8 +2681,8 @@ class SELinuxGui():
if not active and not exists:
@@ -2728,7 +2682,7 @@ class SELinuxGui():
return
try:
- self.dbus.relabel_on_boots(active)
self.dbus.relabel_on_boot(active)
- except dbus.exceptions.DBusException, e:
+ self.dbus.relabel_on_boot(active)
+ except dbus.exceptions.DBusException as e:
self.error(e)
@ -263713,7 +263586,7 @@ index 1275c7f..e3137db 100644
<signal name="row-activated" handler="on_advanced_search_treeview_row_activated" swapped="no"/>
<child internal-child="selection">
diff --git a/policycoreutils/sepolicy/sepolicy/templates/executable.py b/policycoreutils/sepolicy/sepolicy/templates/executable.py
index 4b9534d..0db6b9c 100644
index 4b9534d..1d55f80 100644
--- a/policycoreutils/sepolicy/sepolicy/templates/executable.py
+++ b/policycoreutils/sepolicy/sepolicy/templates/executable.py
@@ -86,6 +86,7 @@ roleattribute system_r TEMPLATETYPE_roles;
@ -263724,6 +263597,23 @@ index 4b9534d..0db6b9c 100644
permissive TEMPLATETYPE_t;
"""
@@ -219,7 +220,7 @@ if_program_rules="""
########################################
## <summary>
-## Execute TEMPLATE in the TEMPLATETYPE domin.
+## Execute TEMPLATETYPE in the TEMPLATETYPE domain.
## </summary>
## <param name=\"domain\">
## <summary>
@@ -235,6 +236,7 @@ interface(`TEMPLATETYPE_domtrans',`
corecmd_search_bin($1)
domtrans_pattern($1, TEMPLATETYPE_exec_t, TEMPLATETYPE_t)
')
+
"""
if_user_program_rules="""
diff --git a/policycoreutils/sepolicy/sepolicy/templates/spec.py b/policycoreutils/sepolicy/sepolicy/templates/spec.py
index 16a2208..d8ee42f 100644
--- a/policycoreutils/sepolicy/sepolicy/templates/spec.py
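Review bot: Each `@slip.dbus.polkit.require_auth("org.selinux.…")` decorator added in selinux_server.py must name an `<action id>` that is actually declared in org.selinux.policy, and `org.selinux.change_default_mode` (the decorator on `change_default_mode`) is not among the action ids visible in that file's hunks, while the policy's `org.selinux.change_policy_type` action has no visible method referencing it. Polkit should refuse an action id it does not know, so a mismatch would most likely surface as the method always failing rather than as a bypass, but only at runtime; cross-checking every require_auth string against the `<action id=…>` list, or a small test asserting the two sets are equal, would pin it down. These hunks are a diff of a patch with the outer markers lost, so the missing ids may simply sit in context not shown here. The selinux_server class and most of its methods begin and end outside the visible hunks.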


@ -6,8 +6,8 @@
Summary: SELinux policy core utilities
Name: policycoreutils
Version: 2.2.2
Release: 2%{?dist}
Version: 2.2.3
Release: 1%{?dist}
License: GPLv2
Group: System Environment/Base
# Based on git repository with tag 20101221
@ -370,6 +370,12 @@ The policycoreutils-restorecond package contains the restorecond service.
%systemd_postun_with_restart restorecond.service
%changelog
* Fri Nov 22 2013 Dan Walsh <dwalsh@redhat.com> - 2.2.3-1
- Update to upstream
* Apply polkit check on all dbus interfaces and restrict to active user from Dan Walsh.
* Fix typo in sepolicy gui dbus.relabel_on_boot call from Dan Walsh.
- Apply Miroslav Grepl patch to fix TEMPLATETYPE_domtrans description in sepolicy generate
* Wed Nov 20 2013 Dan Walsh <dwalsh@redhat.com> - 2.2.2-2
- Fix selinux-polgengui, get_all_modules call


@ -1,3 +1,3 @@
59d33101d57378ce69889cc078addf90 policycoreutils_man_ru2.tar.bz2
332411668be7367aa74257048ac762d6 policycoreutils-2.2.2.tgz
e9134b52e6620c14cbce9234a6b67b20 sepolgen-1.2.1.tgz
f8e993902b7cd9a9f1a5fddf3f21dec7 policycoreutils-2.2.3.tgz