Update to upstream
* Apply polkit check on all dbus interfaces and restrict to active user from Dan Walsh. * Fix typo in sepolicy gui dbus.relabel_on_boot call from Dan Walsh. - Apply Miroslav Grepl patch to fix TEMPLATETYPE_domtrans description in sepolicy generate
This commit is contained in:
parent
934834e6cb
commit
e0ae96d544
@ -258980,100 +258980,6 @@ index cd1026a..ac44dfe 100644
|
|||||||
+ PyModule_AddIntConstant(m, "SENS", SENS);
|
+ PyModule_AddIntConstant(m, "SENS", SENS);
|
||||||
+ PyModule_AddIntConstant(m, "CATS", CATS);
|
+ PyModule_AddIntConstant(m, "CATS", CATS);
|
||||||
}
|
}
|
||||||
diff --git a/policycoreutils/sepolicy/org.selinux.policy b/policycoreutils/sepolicy/org.selinux.policy
|
|
||||||
index c0a730c..44ae625 100644
|
|
||||||
--- a/policycoreutils/sepolicy/org.selinux.policy
|
|
||||||
+++ b/policycoreutils/sepolicy/org.selinux.policy
|
|
||||||
@@ -11,8 +11,8 @@
|
|
||||||
<description>SELinux write access</description>
|
|
||||||
<message>System policy prevents restorecon access to SELinux</message>
|
|
||||||
<defaults>
|
|
||||||
- <allow_any>auth_admin_keep</allow_any>
|
|
||||||
- <allow_inactive>auth_admin_keep</allow_inactive>
|
|
||||||
+ <allow_any>no</allow_any>
|
|
||||||
+ <allow_inactive>no</allow_inactive>
|
|
||||||
<allow_active>auth_admin_keep</allow_active>
|
|
||||||
</defaults>
|
|
||||||
</action>
|
|
||||||
@@ -20,8 +20,8 @@
|
|
||||||
<description>SELinux write access</description>
|
|
||||||
<message>System policy prevents setenforce access to SELinux</message>
|
|
||||||
<defaults>
|
|
||||||
- <allow_any>auth_admin_keep</allow_any>
|
|
||||||
- <allow_inactive>auth_admin_keep</allow_inactive>
|
|
||||||
+ <allow_any>no</allow_any>
|
|
||||||
+ <allow_inactive>no</allow_inactive>
|
|
||||||
<allow_active>auth_admin_keep</allow_active>
|
|
||||||
</defaults>
|
|
||||||
</action>
|
|
||||||
@@ -29,8 +29,8 @@
|
|
||||||
<description>SELinux write access</description>
|
|
||||||
<message>System policy prevents semanage access to SELinux</message>
|
|
||||||
<defaults>
|
|
||||||
- <allow_any>auth_admin_keep</allow_any>
|
|
||||||
- <allow_inactive>auth_admin_keep</allow_inactive>
|
|
||||||
+ <allow_any>no</allow_any>
|
|
||||||
+ <allow_inactive>no</allow_inactive>
|
|
||||||
<allow_active>auth_admin_keep</allow_active>
|
|
||||||
</defaults>
|
|
||||||
</action>
|
|
||||||
@@ -38,8 +38,8 @@
|
|
||||||
<description>SELinux Read access</description>
|
|
||||||
<message>System policy prevents read access to SELinux</message>
|
|
||||||
<defaults>
|
|
||||||
- <allow_any>yes</allow_any>
|
|
||||||
- <allow_inactive>yes</allow_inactive>
|
|
||||||
+ <allow_any>no</allow_any>
|
|
||||||
+ <allow_inactive>no</allow_inactive>
|
|
||||||
<allow_active>yes</allow_active>
|
|
||||||
</defaults>
|
|
||||||
</action>
|
|
||||||
@@ -47,8 +47,8 @@
|
|
||||||
<description>SELinux list modules access</description>
|
|
||||||
<message>System policy prevents read access to SELinux modules</message>
|
|
||||||
<defaults>
|
|
||||||
- <allow_any>yes</allow_any>
|
|
||||||
- <allow_inactive>yes</allow_inactive>
|
|
||||||
+ <allow_any>no</allow_any>
|
|
||||||
+ <allow_inactive>no</allow_inactive>
|
|
||||||
<allow_active>yes</allow_active>
|
|
||||||
</defaults>
|
|
||||||
</action>
|
|
||||||
@@ -56,25 +56,27 @@
|
|
||||||
<description>SELinux write access</description>
|
|
||||||
<message>System policy prevents relabel_on_boot access to SELinux</message>
|
|
||||||
<defaults>
|
|
||||||
- <allow_any>yes</allow_any>
|
|
||||||
+ <allow_any>no</allow_any>
|
|
||||||
+ <allow_inactive>no</allow_inactive>
|
|
||||||
+ <allow_active>auth_admin_keep</allow_active>
|
|
||||||
</defaults>
|
|
||||||
</action>
|
|
||||||
<action id="org.selinux.change_default_policy">
|
|
||||||
<description>SELinux write access</description>
|
|
||||||
<message>System policy prevents change_default_policy access to SELinux</message>
|
|
||||||
<defaults>
|
|
||||||
- <allow_any>auth_admin_keep</allow_any>
|
|
||||||
- <allow_inactive>auth_admin_keep</allow_inactive>
|
|
||||||
- <allow_active>auth_admin_keep</allow_active>
|
|
||||||
+ <allow_any>no</allow_any>
|
|
||||||
+ <allow_inactive>no</allow_inactive>
|
|
||||||
+ <allow_active>auth_admin_keep</allow_active>
|
|
||||||
</defaults>
|
|
||||||
</action>
|
|
||||||
<action id="org.selinux.change_policy_type">
|
|
||||||
<description>SELinux write access</description>
|
|
||||||
<message>System policy prevents change_policy_type access to SELinux</message>
|
|
||||||
<defaults>
|
|
||||||
- <allow_any>auth_admin_keep</allow_any>
|
|
||||||
- <allow_inactive>auth_admin_keep</allow_inactive>
|
|
||||||
- <allow_active>auth_admin_keep</allow_active>
|
|
||||||
+ <allow_any>no</allow_any>
|
|
||||||
+ <allow_inactive>no</allow_inactive>
|
|
||||||
+ <allow_active>auth_admin_keep</allow_active>
|
|
||||||
</defaults>
|
|
||||||
</action>
|
|
||||||
</policyconfig>
|
|
||||||
diff --git a/policycoreutils/sepolicy/policy.c b/policycoreutils/sepolicy/policy.c
|
diff --git a/policycoreutils/sepolicy/policy.c b/policycoreutils/sepolicy/policy.c
|
||||||
index 2a9e1c7..365e622 100644
|
index 2a9e1c7..365e622 100644
|
||||||
--- a/policycoreutils/sepolicy/policy.c
|
--- a/policycoreutils/sepolicy/policy.c
|
||||||
@ -259309,7 +259215,7 @@ index 458a4d2..b6088af 100644
|
|||||||
+ except dbus.DBusException as e:
|
+ except dbus.DBusException as e:
|
||||||
+ print(e)
|
+ print(e)
|
||||||
diff --git a/policycoreutils/sepolicy/selinux_server.py b/policycoreutils/sepolicy/selinux_server.py
|
diff --git a/policycoreutils/sepolicy/selinux_server.py b/policycoreutils/sepolicy/selinux_server.py
|
||||||
index 98dbff4..3cfdc94 100644
|
index e94c38f..3cfdc94 100644
|
||||||
--- a/policycoreutils/sepolicy/selinux_server.py
|
--- a/policycoreutils/sepolicy/selinux_server.py
|
||||||
+++ b/policycoreutils/sepolicy/selinux_server.py
|
+++ b/policycoreutils/sepolicy/selinux_server.py
|
||||||
@@ -18,7 +18,7 @@ class selinux_server(slip.dbus.service.Object):
|
@@ -18,7 +18,7 @@ class selinux_server(slip.dbus.service.Object):
|
||||||
@ -259334,7 +259240,7 @@ index 98dbff4..3cfdc94 100644
|
|||||||
# another server to make the two systems have duplicate policy.
|
# another server to make the two systems have duplicate policy.
|
||||||
#
|
#
|
||||||
@slip.dbus.polkit.require_auth("org.selinux.customized")
|
@slip.dbus.polkit.require_auth("org.selinux.customized")
|
||||||
@@ -42,12 +42,12 @@ class selinux_server(slip.dbus.service.Object):
|
@@ -42,7 +42,7 @@ class selinux_server(slip.dbus.service.Object):
|
||||||
if p.returncode and p.returncode != 0:
|
if p.returncode and p.returncode != 0:
|
||||||
raise OSError("Failed to read SELinux configuration: %s", output)
|
raise OSError("Failed to read SELinux configuration: %s", output)
|
||||||
return buf
|
return buf
|
||||||
@ -259343,13 +259249,7 @@ index 98dbff4..3cfdc94 100644
|
|||||||
#
|
#
|
||||||
# The semodule_list method will return the output of semodule -l, using the customized polkit,
|
# The semodule_list method will return the output of semodule -l, using the customized polkit,
|
||||||
# since this is a readonly behaviour
|
# since this is a readonly behaviour
|
||||||
#
|
@@ -56,7 +56,7 @@ class selinux_server(slip.dbus.service.Object):
|
||||||
- @slip.dbus.polkit.require_auth("org.selinux.customized")
|
|
||||||
+ @slip.dbus.polkit.require_auth("org.selinux.semodule_list")
|
|
||||||
@dbus.service.method("org.selinux", in_signature='', out_signature='s')
|
|
||||||
def semodule_list(self):
|
|
||||||
p = Popen(["/usr/sbin/semodule", "-l"],stdout=PIPE, stderr=PIPE)
|
|
||||||
@@ -56,10 +56,11 @@ class selinux_server(slip.dbus.service.Object):
|
|
||||||
if p.returncode and p.returncode != 0:
|
if p.returncode and p.returncode != 0:
|
||||||
raise OSError("Failed to list SELinux modules: %s", output)
|
raise OSError("Failed to list SELinux modules: %s", output)
|
||||||
return buf
|
return buf
|
||||||
@ -259358,27 +259258,7 @@ index 98dbff4..3cfdc94 100644
|
|||||||
#
|
#
|
||||||
# The restorecon method modifies any file path to the default system label
|
# The restorecon method modifies any file path to the default system label
|
||||||
#
|
#
|
||||||
+ @slip.dbus.polkit.require_auth("org.selinux.restorecon")
|
@@ -86,7 +86,7 @@ class selinux_server(slip.dbus.service.Object):
|
||||||
@dbus.service.method("org.selinux", in_signature='s')
|
|
||||||
def restorecon(self, path):
|
|
||||||
selinux.restorecon(str(path), recursive=1)
|
|
||||||
@@ -67,6 +68,7 @@ class selinux_server(slip.dbus.service.Object):
|
|
||||||
#
|
|
||||||
# The setenforce method turns off the current enforcement of SELinux
|
|
||||||
#
|
|
||||||
+ @slip.dbus.polkit.require_auth("org.selinux.setenforce")
|
|
||||||
@dbus.service.method("org.selinux", in_signature='i')
|
|
||||||
def setenforce(self, value):
|
|
||||||
selinux.security_setenforce(value)
|
|
||||||
@@ -74,6 +76,7 @@ class selinux_server(slip.dbus.service.Object):
|
|
||||||
#
|
|
||||||
# The setenforce method turns off the current enforcement of SELinux
|
|
||||||
#
|
|
||||||
+ @slip.dbus.polkit.require_auth("org.selinux.relabel_on_boot")
|
|
||||||
@dbus.service.method("org.selinux", in_signature='i')
|
|
||||||
def relabel_on_boot(self, value):
|
|
||||||
if value == 1:
|
|
||||||
@@ -83,7 +86,7 @@ class selinux_server(slip.dbus.service.Object):
|
|
||||||
os.unlink("/.autorelabel")
|
os.unlink("/.autorelabel")
|
||||||
|
|
||||||
def write_selinux_config(self, enforcing=None, policy=None):
|
def write_selinux_config(self, enforcing=None, policy=None):
|
||||||
@ -259387,17 +259267,16 @@ index 98dbff4..3cfdc94 100644
|
|||||||
backup_path = path + ".bck"
|
backup_path = path + ".bck"
|
||||||
fd = open(path)
|
fd = open(path)
|
||||||
lines = fd.readlines()
|
lines = fd.readlines()
|
||||||
@@ -101,26 +104,28 @@ class selinux_server(slip.dbus.service.Object):
|
@@ -104,7 +104,7 @@ class selinux_server(slip.dbus.service.Object):
|
||||||
os.rename(backup_path, path)
|
os.rename(backup_path, path)
|
||||||
|
|
||||||
#
|
#
|
||||||
- # The change_default_enforcement modifies the current enforcement mode
|
- # The change_default_enforcement modifies the current enforcement mode
|
||||||
+ # The change_default_enforcement modifies the current enforcement mode
|
+ # The change_default_enforcement modifies the current enforcement mode
|
||||||
#
|
#
|
||||||
+ @slip.dbus.polkit.require_auth("org.selinux.change_default_mode")
|
@slip.dbus.polkit.require_auth("org.selinux.change_default_mode")
|
||||||
@dbus.service.method("org.selinux", in_signature='s')
|
@dbus.service.method("org.selinux", in_signature='s')
|
||||||
def change_default_mode(self, value):
|
@@ -113,7 +113,7 @@ class selinux_server(slip.dbus.service.Object):
|
||||||
values = [ "enforcing", "permissive", "disabled" ]
|
|
||||||
if value not in values:
|
if value not in values:
|
||||||
raise ValueError("Enforcement mode must be %s" % ", ".join(values))
|
raise ValueError("Enforcement mode must be %s" % ", ".join(values))
|
||||||
self.write_selinux_config(enforcing=value)
|
self.write_selinux_config(enforcing=value)
|
||||||
@ -259406,11 +259285,7 @@ index 98dbff4..3cfdc94 100644
|
|||||||
|
|
||||||
#
|
#
|
||||||
# The change_default_policy method modifies the policy type
|
# The change_default_policy method modifies the policy type
|
||||||
#
|
@@ -125,7 +125,7 @@ class selinux_server(slip.dbus.service.Object):
|
||||||
+ @slip.dbus.polkit.require_auth("org.selinux.change_default_policy")
|
|
||||||
@dbus.service.method("org.selinux", in_signature='s')
|
|
||||||
def change_default_policy(self, value):
|
|
||||||
path = selinux.selinux_path() + value
|
|
||||||
if os.path.isdir(path):
|
if os.path.isdir(path):
|
||||||
return self.write_selinux_config(policy=value)
|
return self.write_selinux_config(policy=value)
|
||||||
raise ValueError("%s does not exist" % path)
|
raise ValueError("%s does not exist" % path)
|
||||||
@ -261362,7 +261237,7 @@ index 6b53035..32ea970 100644
|
|||||||
out += "%s # %s\n" % (self.write_te(out_dir), _("Type Enforcement file"))
|
out += "%s # %s\n" % (self.write_te(out_dir), _("Type Enforcement file"))
|
||||||
out += "%s # %s\n" % (self.write_if(out_dir), _("Interface file"))
|
out += "%s # %s\n" % (self.write_if(out_dir), _("Interface file"))
|
||||||
diff --git a/policycoreutils/sepolicy/sepolicy/gui.py b/policycoreutils/sepolicy/sepolicy/gui.py
|
diff --git a/policycoreutils/sepolicy/sepolicy/gui.py b/policycoreutils/sepolicy/sepolicy/gui.py
|
||||||
index 0123e6c..ac3e513 100644
|
index 94ddb72..ac3e513 100644
|
||||||
--- a/policycoreutils/sepolicy/sepolicy/gui.py
|
--- a/policycoreutils/sepolicy/sepolicy/gui.py
|
||||||
+++ b/policycoreutils/sepolicy/sepolicy/gui.py
|
+++ b/policycoreutils/sepolicy/sepolicy/gui.py
|
||||||
@@ -47,12 +47,15 @@ gettext.bindtextdomain(PROGNAME, "/usr/share/locale")
|
@@ -47,12 +47,15 @@ gettext.bindtextdomain(PROGNAME, "/usr/share/locale")
|
||||||
@ -261844,13 +261719,11 @@ index 0123e6c..ac3e513 100644
|
|||||||
self.dbus.setenforce(button.get_active())
|
self.dbus.setenforce(button.get_active())
|
||||||
self.set_enforce_text(button.get_active())
|
self.set_enforce_text(button.get_active())
|
||||||
|
|
||||||
@@ -2727,8 +2681,8 @@ class SELinuxGui():
|
@@ -2728,7 +2682,7 @@ class SELinuxGui():
|
||||||
if not active and not exists:
|
|
||||||
return
|
return
|
||||||
try:
|
try:
|
||||||
- self.dbus.relabel_on_boots(active)
|
self.dbus.relabel_on_boot(active)
|
||||||
- except dbus.exceptions.DBusException, e:
|
- except dbus.exceptions.DBusException, e:
|
||||||
+ self.dbus.relabel_on_boot(active)
|
|
||||||
+ except dbus.exceptions.DBusException as e:
|
+ except dbus.exceptions.DBusException as e:
|
||||||
self.error(e)
|
self.error(e)
|
||||||
|
|
||||||
@ -263713,7 +263586,7 @@ index 1275c7f..e3137db 100644
|
|||||||
<signal name="row-activated" handler="on_advanced_search_treeview_row_activated" swapped="no"/>
|
<signal name="row-activated" handler="on_advanced_search_treeview_row_activated" swapped="no"/>
|
||||||
<child internal-child="selection">
|
<child internal-child="selection">
|
||||||
diff --git a/policycoreutils/sepolicy/sepolicy/templates/executable.py b/policycoreutils/sepolicy/sepolicy/templates/executable.py
|
diff --git a/policycoreutils/sepolicy/sepolicy/templates/executable.py b/policycoreutils/sepolicy/sepolicy/templates/executable.py
|
||||||
index 4b9534d..0db6b9c 100644
|
index 4b9534d..1d55f80 100644
|
||||||
--- a/policycoreutils/sepolicy/sepolicy/templates/executable.py
|
--- a/policycoreutils/sepolicy/sepolicy/templates/executable.py
|
||||||
+++ b/policycoreutils/sepolicy/sepolicy/templates/executable.py
|
+++ b/policycoreutils/sepolicy/sepolicy/templates/executable.py
|
||||||
@@ -86,6 +86,7 @@ roleattribute system_r TEMPLATETYPE_roles;
|
@@ -86,6 +86,7 @@ roleattribute system_r TEMPLATETYPE_roles;
|
||||||
@ -263724,6 +263597,23 @@ index 4b9534d..0db6b9c 100644
|
|||||||
|
|
||||||
permissive TEMPLATETYPE_t;
|
permissive TEMPLATETYPE_t;
|
||||||
"""
|
"""
|
||||||
|
@@ -219,7 +220,7 @@ if_program_rules="""
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
-## Execute TEMPLATE in the TEMPLATETYPE domin.
|
||||||
|
+## Execute TEMPLATETYPE in the TEMPLATETYPE domain.
|
||||||
|
## </summary>
|
||||||
|
## <param name=\"domain\">
|
||||||
|
## <summary>
|
||||||
|
@@ -235,6 +236,7 @@ interface(`TEMPLATETYPE_domtrans',`
|
||||||
|
corecmd_search_bin($1)
|
||||||
|
domtrans_pattern($1, TEMPLATETYPE_exec_t, TEMPLATETYPE_t)
|
||||||
|
')
|
||||||
|
+
|
||||||
|
"""
|
||||||
|
|
||||||
|
if_user_program_rules="""
|
||||||
diff --git a/policycoreutils/sepolicy/sepolicy/templates/spec.py b/policycoreutils/sepolicy/sepolicy/templates/spec.py
|
diff --git a/policycoreutils/sepolicy/sepolicy/templates/spec.py b/policycoreutils/sepolicy/sepolicy/templates/spec.py
|
||||||
index 16a2208..d8ee42f 100644
|
index 16a2208..d8ee42f 100644
|
||||||
--- a/policycoreutils/sepolicy/sepolicy/templates/spec.py
|
--- a/policycoreutils/sepolicy/sepolicy/templates/spec.py
|
||||||
|
@ -6,8 +6,8 @@
|
|||||||
|
|
||||||
Summary: SELinux policy core utilities
|
Summary: SELinux policy core utilities
|
||||||
Name: policycoreutils
|
Name: policycoreutils
|
||||||
Version: 2.2.2
|
Version: 2.2.3
|
||||||
Release: 2%{?dist}
|
Release: 1%{?dist}
|
||||||
License: GPLv2
|
License: GPLv2
|
||||||
Group: System Environment/Base
|
Group: System Environment/Base
|
||||||
# Based on git repository with tag 20101221
|
# Based on git repository with tag 20101221
|
||||||
@ -370,6 +370,12 @@ The policycoreutils-restorecond package contains the restorecond service.
|
|||||||
%systemd_postun_with_restart restorecond.service
|
%systemd_postun_with_restart restorecond.service
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Fri Nov 22 2013 Dan Walsh <dwalsh@redhat.com> - 2.2.3-1
|
||||||
|
- Update to upstream
|
||||||
|
* Apply polkit check on all dbus interfaces and restrict to active user from Dan Walsh.
|
||||||
|
* Fix typo in sepolicy gui dbus.relabel_on_boot call from Dan Walsh.
|
||||||
|
- Apply Miroslav Grepl patch to fix TEMPLATETYPE_domtrans description in sepolicy generate
|
||||||
|
|
||||||
* Wed Nov 20 2013 Dan Walsh <dwalsh@redhat.com> - 2.2.2-2
|
* Wed Nov 20 2013 Dan Walsh <dwalsh@redhat.com> - 2.2.2-2
|
||||||
- Fix selinux-polgengui, get_all_modules call
|
- Fix selinux-polgengui, get_all_modules call
|
||||||
|
|
||||||
|
2
sources
2
sources
@ -1,3 +1,3 @@
|
|||||||
59d33101d57378ce69889cc078addf90 policycoreutils_man_ru2.tar.bz2
|
59d33101d57378ce69889cc078addf90 policycoreutils_man_ru2.tar.bz2
|
||||||
332411668be7367aa74257048ac762d6 policycoreutils-2.2.2.tgz
|
|
||||||
e9134b52e6620c14cbce9234a6b67b20 sepolgen-1.2.1.tgz
|
e9134b52e6620c14cbce9234a6b67b20 sepolgen-1.2.1.tgz
|
||||||
|
f8e993902b7cd9a9f1a5fddf3f21dec7 policycoreutils-2.2.3.tgz
|
||||||
|