From e0ffc386e83a86089a54f50fc456bfb9a80c7db7 Mon Sep 17 00:00:00 2001
From: Dan Walsh
Date: Wed, 16 Nov 2011 15:41:18 -0500
Subject: [PATCH] Add listing of distribution equivalence class from semanage fcontext -l
Add checking to semanage fcontext -a to guarantee a file specification will not be masked by an equivalence
Allow ~ as a valid part of a filename in sepolgen
---
 policycoreutils-rhat.patch | 70 ++++++++++++++++++++++++++++++++++++--
 policycoreutils.spec | 6 +++-
 2 files changed, 73 insertions(+), 3 deletions(-)
diff --git a/policycoreutils-rhat.patch b/policycoreutils-rhat.patch
index cbe9f63..83c0d52 100644
--- a/policycoreutils-rhat.patch
+++ b/policycoreutils-rhat.patch
@@ -609,7 +609,7 @@ index 48d7baa..2c0cfdd 100644
 errorExit(error.args[0])
 except KeyError, error:
 diff --git a/policycoreutils/semanage/seobject.py b/policycoreutils/semanage/seobject.py
-index a7008fc..e4b6c0d 100644
+index a7008fc..aae1b59 100644
 --- a/policycoreutils/semanage/seobject.py
 +++ b/policycoreutils/semanage/seobject.py
 @@ -30,11 +30,10 @@ from IPy import IP
@@ -723,7 +723,53 @@ index a7008fc..e4b6c0d 100644
 (rc, iface) = semanage_iface_create(self.sh)
 if rc < 0:
-@@ -1618,7 +1624,8 @@ class fcontextRecords(semanageRecords):
+@@ -1525,6 +1531,7 @@ class fcontextRecords(semanageRecords):
+ def __init__(self, store = ""):
+ semanageRecords.__init__(self, store)
+ self.equiv = {}
++ self.equiv_dist = {}
+ self.equal_ind = False
+ try:
+ fd = open(selinux.selinux_file_context_subs_path(), "r")
+@@ -1534,6 +1541,14 @@ class fcontextRecords(semanageRecords):
+ fd.close()
+ except IOError:
+ pass
++ try:
++ fd = open(selinux.selinux_file_context_subs_dist_path(), "r")
++ for i in fd.readlines():
++ src, dst = i.split()
++ self.equiv_dist[src] = dst
++ fd.close()
++ except IOError:
++ pass
+
+ def commit(self):
+ if self.equal_ind:
+@@ -1589,12 +1604,21 @@ class fcontextRecords(semanageRecords):
+
+ return con
+
++ def check_equiv(self, target, fdict):
++ for i in fdict:
++ if target.startswith(i+"/"):
++ t = re.sub(i, fdict[i], target)
++ raise ValueError(_("File spec %s conflicts with equivalency rule '%s %s'; Try adding '%s' instead") % (target, i, fdict[i], t))
++
++
+ def validate(self, target):
+ if target == "" or target.find("\n") >= 0:
+ raise ValueError(_("Invalid file specification"))
+ if target.find(" ") != -1:
+ raise ValueError(_("File specification can not include spaces"))
+-
++ self.check_equiv(target, self.equiv)
++ self.check_equiv(target, self.equiv_dist)
++
+ def __add(self, target, type, ftype = "", serange = "", seuser = "system_u"):
+ self.validate(target)
+
+@@ -1618,7 +1642,8 @@ class fcontextRecords(semanageRecords):
 raise ValueError(_("Could not check if file context for %s is defined") % target)
 if exists:
@@ -733,6 +779,26 @@ index a7008fc..e4b6c0d 100644
 (rc, fcontext) = semanage_fcontext_create(self.sh)
 if rc < 0:
+@@ -1825,9 +1850,17 @@ class fcontextRecords(semanageRecords):
+ print "%-50s %-18s %s:%s:%s " % (k[0], k[1], fcon_dict[k][0], fcon_dict[k][1],fcon_dict[k][2])
+ else:
+ print "%-50s %-18s <>" % (k[0], k[1])
+- if len(self.equiv.keys()) > 0:
++
++
++ if len(self.equiv_dist):
++ if not locallist:
++ if heading:
++ print _("\nSELinux Distribution fcontext Equivalence \n")
++ for src in self.equiv_dist.keys():
++ print "%s = %s" % (src, self.equiv_dist[src])
++ if len(self.equiv):
+ if heading:
+- print _("\nSELinux fcontext Equivalence \n")
++ print _("\nSELinux Local fcontext Equivalence \n")
+
+ for src in self.equiv.keys():
+ print "%s = %s" % (src, self.equiv[src])
 diff --git a/policycoreutils/setfiles/restore.c b/policycoreutils/setfiles/restore.c
 index 9a7d315..e57d34f 100644
 --- a/policycoreutils/setfiles/restore.c
diff --git a/policycoreutils.spec b/policycoreutils.spec
index 6098c28..1e3da80 100644
--- a/policycoreutils.spec
+++ b/policycoreutils.spec
@@ -7,7 +7,7 @@
 Summary: SELinux policy core utilities
 Name: policycoreutils
 Version: 2.1.8
-Release: 5%{?dist}
+Release: 6%{?dist}
 License: GPLv2
 Group: System Environment/Base
 # Based on git repository with tag 20101221
@@ -352,6 +352,10 @@ fi
 /bin/systemctl try-restart restorecond.service >/dev/null 2>&1 || :
 %changelog
+* Wed Nov 16 2011 Dan Walsh - 2.1.8-6
+- Add listing of distribution equivalence class from semanage fcontext -l
+- Add checking to semanage fcontext -a to guarantee a file specification will not be masked by an equivalence
+
 * Wed Nov 16 2011 Dan Walsh - 2.1.8-5
 - Allow ~ as a valid part of a filename in sepolgen
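Review bot: In `check_equiv`, `t = re.sub(i, fdict[i], target)` treats the equivalence source path as a regular expression and substitutes every match in `target`, so a source containing regex metacharacters, or a target that repeats that path component further down, yields a wrong suggested spec in the error message; the preceding `startswith(i+"/")` test has already fixed the prefix, so `t = fdict[i] + target[len(i):]` computes the intended value without a regex. Both `self.equiv` and `self.equiv_dist` flow through this helper, so that one change covers the distribution and local rules alike. In the new `selinux_file_context_subs_dist_path()` block of `__init__`, `src, dst = i.split()` raises ValueError on a blank or comment line, which the surrounding `except IOError` does not catch and which leaves `fd` unclosed; guarding the unpack with `if not i.strip() or i.startswith("#"): continue` keeps construction of fcontextRecords working, and the existing subs-path loop above it (only partly visible here) presumably has the same shape. The class fcontextRecords itself begins and ends outside this hunk.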
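Review bot: In the listing hunk, `if len(self.equiv_dist):` and `if len(self.equiv):` test the length where the container's own truthiness is the idiom, and the two blank lines added right after the `print "%-50s %-18s <>"` line sit inside the method body; `if self.equiv_dist:` and `if self.equiv:` with those blank lines dropped read more naturally. The new loop iterates `self.equiv_dist.keys()` and indexes back into the dict; `for src, dst in self.equiv_dist.items(): print "%s = %s" % (src, dst)` avoids the second lookup. The listing method these lines belong to starts outside the hunk, so the `locallist` and `heading` parameters it tests are not visible here.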