rpms/policycoreutils
5
0
Fork 0
Code Issues Pull Requests Releases Activity

policycoreutils-2.8-15

Browse Source 
- setsebool: support use of -P on SELinux-disabled hosts
- sepolicy: initialize mislabeled_files in __init__()
- audit2allow: use local sepolgen-ifgen-attr-helper for tests
- audit2allow: allow using audit2why as non-root user
- audit2allow/sepolgen-ifgen: show errors on stderr
- audit2allow/sepolgen-ifgen: add missing \n to error message
- sepolgen: close /etc/selinux/sepolgen.conf after parsing it
- sepolicy: Make policy files sorting more robust
- semanage: Load a store policy and set the store SELinux policy root
This commit is contained in:
Petr Lautrbach 2019-01-21 17:56:37 +01:00
parent 9c1b897074
commit e3a75fa174
3 changed files with 483 additions and 66 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

61
policycoreutils-fedora.patch
View File

@ -150,3 +150,64 @@ index ccaaf4d..a8a76c8 100644
.TP .TP
.BI \-e \ directory .BI \-e \ directory
directory to exclude (repeat option for more than one directory). directory to exclude (repeat option for more than one directory).
diff --git policycoreutils-2.8/setsebool/setsebool.c policycoreutils-2.8/setsebool/setsebool.c
index 53d3566..a5157ef 100644
--- policycoreutils-2.8/setsebool/setsebool.c
+++ policycoreutils-2.8/setsebool/setsebool.c
@@ -18,7 +18,7 @@
#include <errno.h>
int permanent = 0;
-int reload = 1;
+int no_reload = 0;
int verbose = 0;
int setbool(char **list, size_t start, size_t end);
@@ -38,11 +38,6 @@ int main(int argc, char **argv)
if (argc < 2)
usage();
- if (is_selinux_enabled() <= 0) {
- fputs("setsebool: SELinux is disabled.\n", stderr);
- return 1;
- }
-
while (1) {
clflag = getopt(argc, argv, "PNV");
if (clflag == -1)
@@ -53,7 +48,7 @@ int main(int argc, char **argv)
permanent = 1;
break;
case 'N':
- reload = 0;
+ no_reload = 1;
break;
case 'V':
verbose = 1;
@@ -130,6 +125,7 @@ static int semanage_set_boolean_list(size_t boolcnt,
semanage_bool_key_t *bool_key = NULL;
int managed;
int result;
+ int enabled = is_selinux_enabled();
handle = semanage_handle_create();
if (handle == NULL) {
@@ -191,7 +187,7 @@ static int semanage_set_boolean_list(size_t boolcnt,
boolean) < 0)
goto err;
- if (semanage_bool_set_active(handle, bool_key, boolean) < 0) {
+ if (enabled && semanage_bool_set_active(handle, bool_key, boolean) < 0) {
fprintf(stderr, "Failed to change boolean %s: %m\n",
boollist[j].name);
goto err;
@@ -202,7 +198,8 @@ static int semanage_set_boolean_list(size_t boolcnt,
boolean = NULL;
}
- semanage_set_reload(handle, reload);
+ if (no_reload)
+ semanage_set_reload(handle, 0);
if (semanage_commit(handle) < 0)
goto err;

19
policycoreutils.spec
View File

@ -1,7 +1,7 @@
%global libauditver 2.1.3-4 %global libauditver 2.1.3-4
%global libsepolver 2.8-3 %global libsepolver 2.8-3
%global libsemanagever 2.8-6 %global libsemanagever 2.8-8
%global libselinuxver 2.8-5 %global libselinuxver 2.8-7
%global sepolgenver 2.8 %global sepolgenver 2.8
%global generatorsdir %{_prefix}/lib/systemd/system-generators %global generatorsdir %{_prefix}/lib/systemd/system-generators
@ -12,7 +12,7 @@
Summary: SELinux policy core utilities Summary: SELinux policy core utilities
Name: policycoreutils Name: policycoreutils
Version: 2.8 Version: 2.8
Release: 14%{?dist} Release: 15%{?dist}
License: GPLv2 License: GPLv2
# https://github.com/SELinuxProject/selinux/wiki/Releases # https://github.com/SELinuxProject/selinux/wiki/Releases
Source0: https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20180524/policycoreutils-2.8.tar.gz Source0: https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20180524/policycoreutils-2.8.tar.gz
@ -37,7 +37,7 @@ Source22: gui-po.tgz
Source23: sandbox-po.tgz Source23: sandbox-po.tgz
# download https://raw.githubusercontent.com/fedora-selinux/scripts/master/selinux/make-fedora-selinux-patch.sh # download https://raw.githubusercontent.com/fedora-selinux/scripts/master/selinux/make-fedora-selinux-patch.sh
# run: # run:
# HEAD https://github.com/fedora-selinux/selinux/commit/15b521e6d24b1cb3a004d49f630f1d33f3e11466 # HEAD https://github.com/fedora-selinux/selinux/commit/10767636b5d9b8f3fa3cf3815e860f4ca4fcb247
# $ for i in policycoreutils selinux-python selinux-gui selinux-sandbox selinux-dbus semodule-utils restorecond; do # $ for i in policycoreutils selinux-python selinux-gui selinux-sandbox selinux-dbus semodule-utils restorecond; do
# VERSION=2.8 ./make-fedora-selinux-patch.sh $i # VERSION=2.8 ./make-fedora-selinux-patch.sh $i
# done # done
@ -530,6 +530,17 @@ The policycoreutils-restorecond package contains the restorecond service.
%systemd_postun_with_restart restorecond.service %systemd_postun_with_restart restorecond.service
%changelog %changelog
* Mon Jan 21 2019 Petr Lautrbach <plautrba@redhat.com> - 2.8-15
- setsebool: support use of -P on SELinux-disabled hosts
- sepolicy: initialize mislabeled_files in __init__()
- audit2allow: use local sepolgen-ifgen-attr-helper for tests
- audit2allow: allow using audit2why as non-root user
- audit2allow/sepolgen-ifgen: show errors on stderr
- audit2allow/sepolgen-ifgen: add missing \n to error message
- sepolgen: close /etc/selinux/sepolgen.conf after parsing it
- sepolicy: Make policy files sorting more robust
- semanage: Load a store policy and set the store SELinux policy root
* Thu Dec 20 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-14 * Thu Dec 20 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-14
- chcat: fix removing categories on users with Fedora default setup - chcat: fix removing categories on users with Fedora default setup
- semanage: Include MCS/MLS range when exporting local customizations - semanage: Include MCS/MLS range when exporting local customizations

469
selinux-python-fedora.patch
View File

@ -8,8 +8,48 @@ index 80bc124..891bdee 100644
all install relabel clean indent: all install relabel clean indent:
@for subdir in $(SUBDIRS); do \ @for subdir in $(SUBDIRS); do \
diff --git selinux-python-2.8/audit2allow/.gitignore selinux-python-2.8/audit2allow/.gitignore
index 3816d2e..2cd46af 100644
--- selinux-python-2.8/audit2allow/.gitignore
+++ selinux-python-2.8/audit2allow/.gitignore
@@ -1 +1,2 @@
sepolgen-ifgen-attr-helper
+test_dummy_policy
diff --git selinux-python-2.8/audit2allow/Makefile selinux-python-2.8/audit2allow/Makefile
index 513bb2b..06fc3b6 100644
--- selinux-python-2.8/audit2allow/Makefile
+++ selinux-python-2.8/audit2allow/Makefile
@@ -1,4 +1,5 @@
PYTHON ?= python
+SECILC ?= secilc
# Installation directories.
PREFIX ?= /usr
@@ -22,9 +23,12 @@ sepolgen-ifgen-attr-helper: sepolgen-ifgen-attr-helper.o $(LIBSEPOLA)
audit2why:
ln -sf audit2allow audit2why
-test: all
+test: all test_dummy_policy
@$(PYTHON) test_audit2allow.py -v
+test_dummy_policy: test_dummy_policy.cil
+ $(SECILC) -o $@ -f /dev/null $<
+
install: all
-mkdir -p $(DESTDIR)$(BINDIR)
install -m 755 audit2allow $(DESTDIR)$(BINDIR)
@@ -36,7 +40,7 @@ install: all
install -m 644 audit2why.1 $(DESTDIR)$(MANDIR)/man1/
clean:
- rm -f *~ *.o sepolgen-ifgen-attr-helper
+ rm -f *~ *.o sepolgen-ifgen-attr-helper test_dummy_policy
indent:
../../scripts/Lindent $(wildcard *.[ch])
diff --git selinux-python-2.8/audit2allow/audit2allow selinux-python-2.8/audit2allow/audit2allow diff --git selinux-python-2.8/audit2allow/audit2allow selinux-python-2.8/audit2allow/audit2allow
index 37ab23a..195f151 100644 index 37ab23a..18fe0a5 100644
--- selinux-python-2.8/audit2allow/audit2allow --- selinux-python-2.8/audit2allow/audit2allow
+++ selinux-python-2.8/audit2allow/audit2allow +++ selinux-python-2.8/audit2allow/audit2allow
@@ -86,6 +86,8 @@ class AuditToPolicy: @@ -86,6 +86,8 @@ class AuditToPolicy:
@ -21,7 +61,35 @@ index 37ab23a..195f151 100644
parser.add_option("--debug", dest="debug", action="store_true", default=False, parser.add_option("--debug", dest="debug", action="store_true", default=False,
help="leave generated modules for -M") help="leave generated modules for -M")
parser.add_option("-w", "--why", dest="audit2why", action="store_true", default=(os.path.basename(sys.argv[0]) == "audit2why"), parser.add_option("-w", "--why", dest="audit2why", action="store_true", default=(os.path.basename(sys.argv[0]) == "audit2why"),
@@ -314,6 +316,10 @@ class AuditToPolicy: @@ -240,7 +242,10 @@ class AuditToPolicy:
def __output_audit2why(self):
import selinux
- import sepolicy
+ try:
+ import sepolicy
+ except (ImportError, ValueError):
+ sepolicy = None
for i in self.__parser.avc_msgs:
rc = i.type
data = i.data
@@ -260,11 +265,13 @@ class AuditToPolicy:
if len(data) > 1:
print("\tOne of the following booleans was set incorrectly.")
for b in data:
- print("\tDescription:\n\t%s\n" % sepolicy.boolean_desc(b[0]))
+ if sepolicy is not None:
+ print("\tDescription:\n\t%s\n" % sepolicy.boolean_desc(b[0]))
print("\tAllow access by executing:\n\t# setsebool -P %s %d" % (b[0], b[1]))
else:
print("\tThe boolean %s was set incorrectly. " % (data[0][0]))
- print("\tDescription:\n\t%s\n" % sepolicy.boolean_desc(data[0][0]))
+ if sepolicy is not None:
+ print("\tDescription:\n\t%s\n" % sepolicy.boolean_desc(data[0][0]))
print("\tAllow access by executing:\n\t# setsebool -P %s %d" % (data[0][0], data[0][1]))
continue
@@ -314,6 +321,10 @@ class AuditToPolicy:
ifs, perm_maps = self.__load_interface_info() ifs, perm_maps = self.__load_interface_info()
g.set_gen_refpol(ifs, perm_maps) g.set_gen_refpol(ifs, perm_maps)
@ -46,6 +114,60 @@ index 21d286b..c61067b 100644
.B "\-w" | "\-\-why" .B "\-w" | "\-\-why"
Translates SELinux audit messages into a description of why the access was denied Translates SELinux audit messages into a description of why the access was denied
diff --git selinux-python-2.8/audit2allow/sepolgen-ifgen selinux-python-2.8/audit2allow/sepolgen-ifgen
index acf9638..c482f22 100644
--- selinux-python-2.8/audit2allow/sepolgen-ifgen
+++ selinux-python-2.8/audit2allow/sepolgen-ifgen
@@ -56,6 +56,8 @@ def parse_options():
help="print debuging output")
parser.add_option("-d", "--debug", action="store_true", default=False,
help="extra debugging output")
+ parser.add_option("--attr-helper", default=ATTR_HELPER,
+ help="path to sepolgen-ifgen-attr-helper")
parser.add_option("--no_attrs", action="store_true", default=False,
help="do not retrieve attribute access from kernel policy")
options, args = parser.parse_args()
@@ -77,7 +79,7 @@ def get_policy():
return None
-def get_attrs(policy_path):
+def get_attrs(policy_path, attr_helper):
try:
if not policy_path:
policy_path = get_policy()
@@ -93,10 +95,10 @@ def get_attrs(policy_path):
return None
fd = open("/dev/null", "w")
- ret = subprocess.Popen([ATTR_HELPER, policy_path, outfile.name], stdout=fd).wait()
+ ret = subprocess.Popen([attr_helper, policy_path, outfile.name], stdout=fd).wait()
fd.close()
if ret != 0:
- sys.stderr.write("could not run attribute helper")
+ sys.stderr.write("could not run attribute helper\n")
return None
attrs = interfaces.AttributeSet()
@@ -127,7 +129,7 @@ def main():
# Get the attibutes from the binary
attrs = None
if not options.no_attrs:
- attrs = get_attrs(options.policy_path)
+ attrs = get_attrs(options.policy_path, options.attr_helper)
if attrs is None:
return 1
@@ -135,8 +137,7 @@ def main():
try:
headers = refparser.parse_headers(options.headers, output=log, debug=options.debug)
except ValueError as e:
- print("error parsing headers")
- print(str(e))
+ sys.stderr.write("error parsing headers: %s\n" % e)
return 1
if_set = interfaces.InterfaceSet(output=log)
diff --git selinux-python-2.8/audit2allow/test.log selinux-python-2.8/audit2allow/test.log diff --git selinux-python-2.8/audit2allow/test.log selinux-python-2.8/audit2allow/test.log
index 05249dc..718aca7 100644 index 05249dc..718aca7 100644
--- selinux-python-2.8/audit2allow/test.log --- selinux-python-2.8/audit2allow/test.log
@ -56,24 +178,147 @@ index 05249dc..718aca7 100644
node=lilly.example.com type=AVC msg=audit(1164783469.561:109): avc: denied { append } for pid=8311 comm="smbd" name="log.current" dev=dm-0 ino=130930 scontext=root:system_r:smbd_t:s0 tcontext=root:object_r:default_t:s0 tclass=dir node=lilly.example.com type=AVC msg=audit(1164783469.561:109): avc: denied { append } for pid=8311 comm="smbd" name="log.current" dev=dm-0 ino=130930 scontext=root:system_r:smbd_t:s0 tcontext=root:object_r:default_t:s0 tclass=dir
+node=lilly.example.com type=AVC msg=audit(1164783469.561:109): avc: denied { ioctl } for pid=8311 comm="smbd" name="log.current" ioctlcmd=0x2a scontext=root:system_r:smbd_t:s0 tcontext=root:object_r:default_t:s0 tclass=tcp_socket +node=lilly.example.com type=AVC msg=audit(1164783469.561:109): avc: denied { ioctl } for pid=8311 comm="smbd" name="log.current" ioctlcmd=0x2a scontext=root:system_r:smbd_t:s0 tcontext=root:object_r:default_t:s0 tclass=tcp_socket
diff --git selinux-python-2.8/audit2allow/test_audit2allow.py selinux-python-2.8/audit2allow/test_audit2allow.py diff --git selinux-python-2.8/audit2allow/test_audit2allow.py selinux-python-2.8/audit2allow/test_audit2allow.py
index a826a9f..4427dea 100644 index a826a9f..87e5504 100644
--- selinux-python-2.8/audit2allow/test_audit2allow.py --- selinux-python-2.8/audit2allow/test_audit2allow.py
+++ selinux-python-2.8/audit2allow/test_audit2allow.py +++ selinux-python-2.8/audit2allow/test_audit2allow.py
@@ -47,5 +47,14 @@ class Audit2allowTests(unittest.TestCase): @@ -1,6 +1,7 @@
import unittest
import os
-import shutil
+import os.path
+import sys
from tempfile import mkdtemp
from subprocess import Popen, PIPE
@@ -25,15 +26,22 @@ class Audit2allowTests(unittest.TestCase):
def test_sepolgen_ifgen(self):
"Verify sepolgen-ifgen works"
- p = Popen(['sudo', 'sepolgen-ifgen'], stdout=PIPE)
+ temp_directory = mkdtemp(suffix='audit2allow_test')
+ output_file = os.path.join(temp_directory, 'interface_info')
+ p = Popen([
+ sys.executable, './sepolgen-ifgen', '-p', 'test_dummy_policy', '-o', output_file,
+ '--attr-helper', './sepolgen-ifgen-attr-helper'
+ ], stdout=PIPE)
out, err = p.communicate()
if err:
print(out, err)
self.assertSuccess("sepolgen-ifgen", p.returncode, err)
+ os.unlink(output_file)
+ os.rmdir(temp_directory)
def test_audit2allow(self):
"Verify audit2allow works"
- p = Popen(['python', './audit2allow', "-i", "test.log"], stdout=PIPE)
+ p = Popen([sys.executable, './audit2allow', '-p', 'test_dummy_policy', '-i', 'test.log'], stdout=PIPE)
out, err = p.communicate()
if err:
print(out, err)
@@ -41,11 +49,21 @@ class Audit2allowTests(unittest.TestCase):
def test_audit2why(self):
"Verify audit2why works"
- p = Popen(['python', './audit2why', "-i", "test.log"], stdout=PIPE)
+ p = Popen([sys.executable, './audit2why', '-p', 'test_dummy_policy', '-i', 'test.log'], stdout=PIPE)
out, err = p.communicate()
if err:
print(out, err) print(out, err)
self.assertSuccess("audit2why", p.returncode, err) self.assertSuccess("audit2why", p.returncode, err)
+ def test_xperms(self): + def test_xperms(self):
+ "Verify that xperms generation works" + "Verify that xperms generation works"
+ p = Popen(['python', './audit2allow', "-x", "-i", "test.log"], stdout=PIPE) + p = Popen([sys.executable, './audit2allow', '-x', '-p', 'test_dummy_policy', '-i', 'test.log'], stdout=PIPE)
+ out, err = p.communicate() + out, err = p.communicate()
+ if err: + if err:
+ print(out, err) + print(out, err)
+ self.assertTrue(b"allowxperm" in out) + self.assertTrue(b"allowxperm" in out)
+ self.assertSuccess("xperms", p.returncode, err) + self.assertSuccess("xperms", p.returncode, err)
+
+ +
if __name__ == "__main__": if __name__ == "__main__":
unittest.main() unittest.main()
diff --git selinux-python-2.8/audit2allow/test_dummy_policy.cil selinux-python-2.8/audit2allow/test_dummy_policy.cil
new file mode 100644
index 0000000..795fedc
--- /dev/null
+++ selinux-python-2.8/audit2allow/test_dummy_policy.cil
@@ -0,0 +1,75 @@
+; This is a dummy policy which main aim is to be compatible with test.log
+
+; Define one category and one sensitivity in order to make things work
+(mls true)
+(category c0)
+(categoryorder (c0))
+(sensitivity s0)
+(sensitivityorder (s0))
+(sensitivitycategory s0 (c0))
+
+; Define some users and roles
+(user system_u)
+(user root)
+(user unconfined_u)
+(role system_r)
+(role unconfined_r)
+(userrole root system_r)
+(userrole system_u system_r)
+(userrole unconfined_u unconfined_r)
+(userlevel system_u (s0))
+(userlevel root (s0))
+(userlevel unconfined_u (s0))
+(userrange system_u ((s0)(s0 (c0))))
+(userrange root ((s0)(s0 (c0))))
+(userrange unconfined_u ((s0)(s0 (c0))))
+
+; Define domain types
+(type automount_t)
+(type ftpd_t)
+(type httpd_t)
+(type kernel_t)
+(type nsplugin_t)
+(type postfix_local_t)
+(type qemu_t)
+(type smbd_t)
+
+(roletype system_r automount_t)
+(roletype system_r ftpd_t)
+(roletype system_r httpd_t)
+(roletype system_r kernel_t)
+(roletype system_r postfix_local_t)
+(roletype system_r qemu_t)
+(roletype system_r smbd_t)
+(roletype unconfined_r nsplugin_t)
+
+; Define file types
+(type automount_lock_t)
+(type default_t)
+(type fixed_disk_device_t)
+(type home_root_t)
+(type httpd_sys_content_t)
+(type httpd_sys_script_exec_t)
+(type mail_spool_t)
+(type ssh_home_t)
+(type usr_t)
+(type var_t)
+
+; Define port types
+(type mysqld_port_t)
+(type reserved_port_t)
+
+; Define initial SID
+(sid kernel)
+(sidorder (kernel))
+(sidcontext kernel (system_u system_r kernel_t ((s0) (s0))))
+
+; Define classes
+(class blk_file (getattr open read write))
+(class dir (append open search))
+(class file (execute execute_no_trans getattr open read write))
+(class tcp_socket (ioctl name_bind name_connect))
+(classorder (blk_file file dir tcp_socket))
+
+; The policy compiler requires at least one rule
+(allow kernel_t default_t (file (open read write)))
diff --git selinux-python-2.8/chcat/chcat selinux-python-2.8/chcat/chcat diff --git selinux-python-2.8/chcat/chcat selinux-python-2.8/chcat/chcat
index 4bd9fc6..27c537e 100755 index 4bd9fc6..27c537e 100755
--- selinux-python-2.8/chcat/chcat --- selinux-python-2.8/chcat/chcat
@ -399,7 +644,7 @@ index 0000000..128eb87
+../sepolicy/sepolicy/interface.py +../sepolicy/sepolicy/interface.py
+../sepolicy/sepolicy.py +../sepolicy/sepolicy.py
diff --git selinux-python-2.8/semanage/semanage selinux-python-2.8/semanage/semanage diff --git selinux-python-2.8/semanage/semanage selinux-python-2.8/semanage/semanage
index 8d8a086..301207e 100644 index 8d8a086..18f4a6a 100644
--- selinux-python-2.8/semanage/semanage --- selinux-python-2.8/semanage/semanage
+++ selinux-python-2.8/semanage/semanage +++ selinux-python-2.8/semanage/semanage
@@ -27,7 +27,7 @@ import traceback @@ -27,7 +27,7 @@ import traceback
@ -438,12 +683,13 @@ index 8d8a086..301207e 100644
class CheckRole(argparse.Action): class CheckRole(argparse.Action):
@@ -82,7 +82,11 @@ class CheckRole(argparse.Action): @@ -82,7 +82,12 @@ class CheckRole(argparse.Action):
newval = getattr(namespace, self.dest) newval = getattr(namespace, self.dest)
if not newval: if not newval:
newval = [] newval = []
- roles = sepolicy.get_all_roles() - roles = sepolicy.get_all_roles()
+ try: + try:
+ # sepolicy tries to load the SELinux policy and raises ValueError if it fails.
+ import sepolicy + import sepolicy
+ roles = sepolicy.get_all_roles() + roles = sepolicy.get_all_roles()
+ except ValueError: + except ValueError:
@ -451,7 +697,7 @@ index 8d8a086..301207e 100644
for v in value.split(): for v in value.split():
if v not in roles: if v not in roles:
raise ValueError("%s must be an SELinux role:\nValid roles: %s" % (v, ", ".join(roles))) raise ValueError("%s must be an SELinux role:\nValid roles: %s" % (v, ", ".join(roles)))
@@ -421,7 +425,7 @@ def setupUserParser(subparsers): @@ -421,7 +426,7 @@ def setupUserParser(subparsers):
userParser.add_argument('-R', '--roles', default=[], userParser.add_argument('-R', '--roles', default=[],
action=CheckRole, action=CheckRole,
help=_(''' help=_('''
@ -460,7 +706,7 @@ index 8d8a086..301207e 100644
''')) '''))
userParser.add_argument('-P', '--prefix', default="user", help=argparse.SUPPRESS) userParser.add_argument('-P', '--prefix', default="user", help=argparse.SUPPRESS)
userParser.add_argument('selinux_name', nargs='?', default=None, help=_('selinux_name')) userParser.add_argument('selinux_name', nargs='?', default=None, help=_('selinux_name'))
@@ -604,19 +608,19 @@ def setupInterfaceParser(subparsers): @@ -604,19 +609,19 @@ def setupInterfaceParser(subparsers):
def handleModule(args): def handleModule(args):
OBJECT = seobject.moduleRecords(args) OBJECT = seobject.moduleRecords(args)
@ -490,7 +736,7 @@ index 8d8a086..301207e 100644
for i in OBJECT.customized(): for i in OBJECT.customized():
print("module %s" % str(i)) print("module %s" % str(i))
@@ -630,14 +634,13 @@ def setupModuleParser(subparsers): @@ -630,14 +635,13 @@ def setupModuleParser(subparsers):
parser_add_priority(moduleParser, "module") parser_add_priority(moduleParser, "module")
mgroup = moduleParser.add_mutually_exclusive_group(required=True) mgroup = moduleParser.add_mutually_exclusive_group(required=True)
@ -509,7 +755,7 @@ index 8d8a086..301207e 100644
moduleParser.set_defaults(func=handleModule) moduleParser.set_defaults(func=handleModule)
@@ -739,9 +742,7 @@ def handlePermissive(args): @@ -739,9 +743,7 @@ def handlePermissive(args):
if args.action is "delete": if args.action is "delete":
OBJECT.delete(args.type) OBJECT.delete(args.type)
else: else:
@ -520,7 +766,7 @@ index 8d8a086..301207e 100644
def setupPermissiveParser(subparsers): def setupPermissiveParser(subparsers):
@@ -776,7 +777,7 @@ def setupDontauditParser(subparsers): @@ -776,7 +778,7 @@ def setupDontauditParser(subparsers):
def handleExport(args): def handleExport(args):
@ -559,7 +805,7 @@ index 0bdb90f..0cdcfcc 100644
user identities to authorized role sets. In most cases, only the user identities to authorized role sets. In most cases, only the
former mapping needs to be adjusted by the administrator; the latter former mapping needs to be adjusted by the administrator; the latter
diff --git selinux-python-2.8/semanage/seobject.py selinux-python-2.8/semanage/seobject.py diff --git selinux-python-2.8/semanage/seobject.py selinux-python-2.8/semanage/seobject.py
index c76dce8..59df249 100644 index c76dce8..ffd3e14 100644
--- selinux-python-2.8/semanage/seobject.py --- selinux-python-2.8/semanage/seobject.py
+++ selinux-python-2.8/semanage/seobject.py +++ selinux-python-2.8/semanage/seobject.py
@@ -30,10 +30,10 @@ import sys @@ -30,10 +30,10 @@ import sys
@ -593,15 +839,16 @@ index c76dce8..59df249 100644
class logger: class logger:
def __init__(self): def __init__(self):
@@ -258,6 +260,7 @@ class semanageRecords: @@ -258,6 +260,8 @@ class semanageRecords:
if self.store == "" or self.store == localstore: if self.store == "" or self.store == localstore:
self.mylog = logger() self.mylog = logger()
else: else:
+ sepolicy.load_store_policy(self.store) + sepolicy.load_store_policy(self.store)
+ selinux.selinux_set_policy_root("%s%s" % (selinux.selinux_path(), self.store))
self.mylog = nulllogger() self.mylog = nulllogger()
def set_reload(self, load): def set_reload(self, load):
@@ -397,6 +400,8 @@ class moduleRecords(semanageRecords): @@ -397,6 +401,8 @@ class moduleRecords(semanageRecords):
print("%-25s %-9s %-5s %s" % (t[0], t[2], t[3], disabled)) print("%-25s %-9s %-5s %s" % (t[0], t[2], t[3], disabled))
def add(self, file, priority): def add(self, file, priority):
@ -610,7 +857,7 @@ index c76dce8..59df249 100644
if not os.path.exists(file): if not os.path.exists(file):
raise ValueError(_("Module does not exist: %s ") % file) raise ValueError(_("Module does not exist: %s ") % file)
@@ -409,7 +414,9 @@ class moduleRecords(semanageRecords): @@ -409,7 +415,9 @@ class moduleRecords(semanageRecords):
self.commit() self.commit()
def set_enabled(self, module, enable): def set_enabled(self, module, enable):
@ -621,7 +868,7 @@ index c76dce8..59df249 100644
rc, key = semanage_module_key_create(self.sh) rc, key = semanage_module_key_create(self.sh)
if rc < 0: if rc < 0:
raise ValueError(_("Could not create module key")) raise ValueError(_("Could not create module key"))
@@ -431,7 +438,9 @@ class moduleRecords(semanageRecords): @@ -431,7 +439,9 @@ class moduleRecords(semanageRecords):
if rc < 0: if rc < 0:
raise ValueError(_("Invalid priority %d (needs to be between 1 and 999)") % priority) raise ValueError(_("Invalid priority %d (needs to be between 1 and 999)") % priority)
@ -632,7 +879,7 @@ index c76dce8..59df249 100644
rc = semanage_module_remove(self.sh, m) rc = semanage_module_remove(self.sh, m)
if rc < 0 and rc != -2: if rc < 0 and rc != -2:
raise ValueError(_("Could not remove module %s (remove failed)") % m) raise ValueError(_("Could not remove module %s (remove failed)") % m)
@@ -593,7 +602,6 @@ class loginRecords(semanageRecords): @@ -593,7 +603,6 @@ class loginRecords(semanageRecords):
semanage_seuser_key_free(k) semanage_seuser_key_free(k)
semanage_seuser_free(u) semanage_seuser_free(u)
@ -640,7 +887,7 @@ index c76dce8..59df249 100644
def add(self, name, sename, serange): def add(self, name, sename, serange):
try: try:
@@ -601,7 +609,6 @@ class loginRecords(semanageRecords): @@ -601,7 +610,6 @@ class loginRecords(semanageRecords):
self.__add(name, sename, serange) self.__add(name, sename, serange)
self.commit() self.commit()
except ValueError as error: except ValueError as error:
@ -648,7 +895,7 @@ index c76dce8..59df249 100644
raise error raise error
def __modify(self, name, sename="", serange=""): def __modify(self, name, sename="", serange=""):
@@ -653,7 +660,6 @@ class loginRecords(semanageRecords): @@ -653,7 +661,6 @@ class loginRecords(semanageRecords):
semanage_seuser_key_free(k) semanage_seuser_key_free(k)
semanage_seuser_free(u) semanage_seuser_free(u)
@ -656,7 +903,7 @@ index c76dce8..59df249 100644
def modify(self, name, sename="", serange=""): def modify(self, name, sename="", serange=""):
try: try:
@@ -661,7 +667,6 @@ class loginRecords(semanageRecords): @@ -661,7 +668,6 @@ class loginRecords(semanageRecords):
self.__modify(name, sename, serange) self.__modify(name, sename, serange)
self.commit() self.commit()
except ValueError as error: except ValueError as error:
@ -664,7 +911,7 @@ index c76dce8..59df249 100644
raise error raise error
def __delete(self, name): def __delete(self, name):
@@ -694,8 +699,6 @@ class loginRecords(semanageRecords): @@ -694,8 +700,6 @@ class loginRecords(semanageRecords):
rec, self.sename, self.serange = selinux.getseuserbyname("__default__") rec, self.sename, self.serange = selinux.getseuserbyname("__default__")
range, (rc, serole) = userrec.get(self.sename) range, (rc, serole) = userrec.get(self.sename)
@ -673,7 +920,7 @@ index c76dce8..59df249 100644
def delete(self, name): def delete(self, name):
try: try:
self.begin() self.begin()
@@ -703,7 +706,6 @@ class loginRecords(semanageRecords): @@ -703,7 +707,6 @@ class loginRecords(semanageRecords):
self.commit() self.commit()
except ValueError as error: except ValueError as error:
@ -681,7 +928,7 @@ index c76dce8..59df249 100644
raise error raise error
def deleteall(self): def deleteall(self):
@@ -717,7 +719,6 @@ class loginRecords(semanageRecords): @@ -717,7 +720,6 @@ class loginRecords(semanageRecords):
self.__delete(semanage_seuser_get_name(u)) self.__delete(semanage_seuser_get_name(u))
self.commit() self.commit()
except ValueError as error: except ValueError as error:
@ -689,7 +936,7 @@ index c76dce8..59df249 100644
raise error raise error
def get_all_logins(self): def get_all_logins(self):
@@ -753,7 +754,10 @@ class loginRecords(semanageRecords): @@ -753,7 +755,10 @@ class loginRecords(semanageRecords):
l = [] l = []
ddict = self.get_all(True) ddict = self.get_all(True)
for k in sorted(ddict.keys()): for k in sorted(ddict.keys()):
@ -701,7 +948,7 @@ index c76dce8..59df249 100644
return l return l
def list(self, heading=1, locallist=0): def list(self, heading=1, locallist=0):
@@ -1020,7 +1024,10 @@ class seluserRecords(semanageRecords): @@ -1020,7 +1025,10 @@ class seluserRecords(semanageRecords):
l = [] l = []
ddict = self.get_all(True) ddict = self.get_all(True)
for k in sorted(ddict.keys()): for k in sorted(ddict.keys()):
@ -713,7 +960,7 @@ index c76dce8..59df249 100644
return l return l
def list(self, heading=1, locallist=0): def list(self, heading=1, locallist=0):
@@ -1043,13 +1050,15 @@ class seluserRecords(semanageRecords): @@ -1043,13 +1051,15 @@ class seluserRecords(semanageRecords):
class portRecords(semanageRecords): class portRecords(semanageRecords):
@ -733,7 +980,7 @@ index c76dce8..59df249 100644
def __genkey(self, port, proto): def __genkey(self, port, proto):
if proto == "tcp": if proto == "tcp":
@@ -1087,6 +1096,8 @@ class portRecords(semanageRecords): @@ -1087,6 +1097,8 @@ class portRecords(semanageRecords):
if type == "": if type == "":
raise ValueError(_("Type is required")) raise ValueError(_("Type is required"))
@ -742,7 +989,7 @@ index c76dce8..59df249 100644
if type not in self.valid_types: if type not in self.valid_types:
raise ValueError(_("Type %s is invalid, must be a port type") % type) raise ValueError(_("Type %s is invalid, must be a port type") % type)
@@ -1151,6 +1162,7 @@ class portRecords(semanageRecords): @@ -1151,6 +1163,7 @@ class portRecords(semanageRecords):
else: else:
raise ValueError(_("Requires setype")) raise ValueError(_("Requires setype"))
@ -750,7 +997,7 @@ index c76dce8..59df249 100644
if setype and setype not in self.valid_types: if setype and setype not in self.valid_types:
raise ValueError(_("Type %s is invalid, must be a port type") % setype) raise ValueError(_("Type %s is invalid, must be a port type") % setype)
@@ -1295,10 +1307,11 @@ class portRecords(semanageRecords): @@ -1295,10 +1308,11 @@ class portRecords(semanageRecords):
l = [] l = []
ddict = self.get_all(True) ddict = self.get_all(True)
for k in sorted(ddict.keys()): for k in sorted(ddict.keys()):
@ -765,7 +1012,29 @@ index c76dce8..59df249 100644
return l return l
def list(self, heading=1, locallist=0): def list(self, heading=1, locallist=0):
@@ -1355,6 +1368,8 @@ class ibpkeyRecords(semanageRecords): @@ -1317,14 +1331,16 @@ class portRecords(semanageRecords):
print(rec)
class ibpkeyRecords(semanageRecords):
- try:
- q = setools.TypeQuery(setools.SELinuxPolicy(sepolicy.get_installed_policy()), attrs=["ibpkey_type"])
- valid_types = sorted(str(t) for t in q.results())
- except:
- valid_types = []
+
+ valid_types = []
def __init__(self, args = None):
semanageRecords.__init__(self, args)
+ try:
+ q = setools.TypeQuery(setools.SELinuxPolicy(sepolicy.get_store_policy(self.store)), attrs=["ibpkey_type"])
+ self.valid_types = sorted(str(t) for t in q.results())
+ except:
+ pass
def __genkey(self, pkey, subnet_prefix):
if subnet_prefix == "":
@@ -1355,6 +1371,8 @@ class ibpkeyRecords(semanageRecords):
if type == "": if type == "":
raise ValueError(_("Type is required")) raise ValueError(_("Type is required"))
@ -774,7 +1043,7 @@ index c76dce8..59df249 100644
if type not in self.valid_types: if type not in self.valid_types:
raise ValueError(_("Type %s is invalid, must be a ibpkey type") % type) raise ValueError(_("Type %s is invalid, must be a ibpkey type") % type)
@@ -1417,6 +1432,8 @@ class ibpkeyRecords(semanageRecords): @@ -1417,6 +1435,8 @@ class ibpkeyRecords(semanageRecords):
else: else:
raise ValueError(_("Requires setype")) raise ValueError(_("Requires setype"))
@ -783,7 +1052,7 @@ index c76dce8..59df249 100644
if setype and setype not in self.valid_types: if setype and setype not in self.valid_types:
raise ValueError(_("Type %s is invalid, must be a ibpkey type") % setype) raise ValueError(_("Type %s is invalid, must be a ibpkey type") % setype)
@@ -1548,10 +1565,11 @@ class ibpkeyRecords(semanageRecords): @@ -1548,10 +1568,11 @@ class ibpkeyRecords(semanageRecords):
ddict = self.get_all(True) ddict = self.get_all(True)
for k in sorted(ddict.keys()): for k in sorted(ddict.keys()):
@ -798,7 +1067,29 @@ index c76dce8..59df249 100644
return l return l
def list(self, heading=1, locallist=0): def list(self, heading=1, locallist=0):
@@ -1603,6 +1621,8 @@ class ibendportRecords(semanageRecords): @@ -1570,14 +1591,16 @@ class ibpkeyRecords(semanageRecords):
print(rec)
class ibendportRecords(semanageRecords):
- try:
- q = setools.TypeQuery(setools.SELinuxPolicy(sepolicy.get_installed_policy()), attrs=["ibendport_type"])
- valid_types = set(str(t) for t in q.results())
- except:
- valid_types = []
+
+ valid_types = []
def __init__(self, args = None):
semanageRecords.__init__(self, args)
+ try:
+ q = setools.TypeQuery(setools.SELinuxPolicy(sepolicy.get_store_policy(self.store)), attrs=["ibendport_type"])
+ self.valid_types = set(str(t) for t in q.results())
+ except:
+ pass
def __genkey(self, ibendport, ibdev_name):
if ibdev_name == "":
@@ -1603,6 +1626,8 @@ class ibendportRecords(semanageRecords):
if type == "": if type == "":
raise ValueError(_("Type is required")) raise ValueError(_("Type is required"))
@ -807,7 +1098,7 @@ index c76dce8..59df249 100644
if type not in self.valid_types: if type not in self.valid_types:
raise ValueError(_("Type %s is invalid, must be an ibendport type") % type) raise ValueError(_("Type %s is invalid, must be an ibendport type") % type)
(k, ibendport, port) = self.__genkey(ibendport, ibdev_name) (k, ibendport, port) = self.__genkey(ibendport, ibdev_name)
@@ -1664,6 +1684,8 @@ class ibendportRecords(semanageRecords): @@ -1664,6 +1689,8 @@ class ibendportRecords(semanageRecords):
else: else:
raise ValueError(_("Requires setype")) raise ValueError(_("Requires setype"))
@ -816,7 +1107,7 @@ index c76dce8..59df249 100644
if setype and setype not in self.valid_types: if setype and setype not in self.valid_types:
raise ValueError(_("Type %s is invalid, must be an ibendport type") % setype) raise ValueError(_("Type %s is invalid, must be an ibendport type") % setype)
@@ -1788,7 +1810,10 @@ class ibendportRecords(semanageRecords): @@ -1788,7 +1815,10 @@ class ibendportRecords(semanageRecords):
ddict = self.get_all(True) ddict = self.get_all(True)
for k in sorted(ddict.keys()): for k in sorted(ddict.keys()):
@ -828,7 +1119,7 @@ index c76dce8..59df249 100644
return l return l
def list(self, heading=1, locallist=0): def list(self, heading=1, locallist=0):
@@ -1807,14 +1832,16 @@ class ibendportRecords(semanageRecords): @@ -1807,14 +1837,16 @@ class ibendportRecords(semanageRecords):
print(rec) print(rec)
class nodeRecords(semanageRecords): class nodeRecords(semanageRecords):
@ -849,7 +1140,7 @@ index c76dce8..59df249 100644
def validate(self, addr, mask, protocol): def validate(self, addr, mask, protocol):
newaddr = addr newaddr = addr
@@ -1826,13 +1853,13 @@ class nodeRecords(semanageRecords): @@ -1826,13 +1858,13 @@ class nodeRecords(semanageRecords):
# verify valid comination # verify valid comination
if len(mask) == 0 or mask[0] == "/": if len(mask) == 0 or mask[0] == "/":
@ -868,7 +1159,7 @@ index c76dce8..59df249 100644
try: try:
newprotocol = self.protocol.index(protocol) newprotocol = self.protocol.index(protocol)
@@ -1853,6 +1880,8 @@ class nodeRecords(semanageRecords): @@ -1853,6 +1885,8 @@ class nodeRecords(semanageRecords):
if ctype == "": if ctype == "":
raise ValueError(_("SELinux node type is required")) raise ValueError(_("SELinux node type is required"))
@ -877,7 +1168,7 @@ index c76dce8..59df249 100644
if ctype not in self.valid_types: if ctype not in self.valid_types:
raise ValueError(_("Type %s is invalid, must be a node type") % ctype) raise ValueError(_("Type %s is invalid, must be a node type") % ctype)
@@ -1922,6 +1951,8 @@ class nodeRecords(semanageRecords): @@ -1922,6 +1956,8 @@ class nodeRecords(semanageRecords):
if serange == "" and setype == "": if serange == "" and setype == "":
raise ValueError(_("Requires setype or serange")) raise ValueError(_("Requires setype or serange"))
@ -886,7 +1177,7 @@ index c76dce8..59df249 100644
if setype and setype not in self.valid_types: if setype and setype not in self.valid_types:
raise ValueError(_("Type %s is invalid, must be a node type") % setype) raise ValueError(_("Type %s is invalid, must be a node type") % setype)
@@ -2024,7 +2055,10 @@ class nodeRecords(semanageRecords): @@ -2024,7 +2060,10 @@ class nodeRecords(semanageRecords):
l = [] l = []
ddict = self.get_all(True) ddict = self.get_all(True)
for k in sorted(ddict.keys()): for k in sorted(ddict.keys()):
@ -898,7 +1189,7 @@ index c76dce8..59df249 100644
return l return l
def list(self, heading=1, locallist=0): def list(self, heading=1, locallist=0):
@@ -2218,7 +2252,10 @@ class interfaceRecords(semanageRecords): @@ -2218,7 +2257,10 @@ class interfaceRecords(semanageRecords):
l = [] l = []
ddict = self.get_all(True) ddict = self.get_all(True)
for k in sorted(ddict.keys()): for k in sorted(ddict.keys()):
@ -910,7 +1201,7 @@ index c76dce8..59df249 100644
return l return l
def list(self, heading=1, locallist=0): def list(self, heading=1, locallist=0):
@@ -2238,15 +2275,17 @@ class interfaceRecords(semanageRecords): @@ -2238,15 +2280,17 @@ class interfaceRecords(semanageRecords):
class fcontextRecords(semanageRecords): class fcontextRecords(semanageRecords):
@ -934,7 +1225,7 @@ index c76dce8..59df249 100644
self.equiv = {} self.equiv = {}
self.equiv_dist = {} self.equiv_dist = {}
self.equal_ind = False self.equal_ind = False
@@ -2369,8 +2408,10 @@ class fcontextRecords(semanageRecords): @@ -2369,8 +2413,10 @@ class fcontextRecords(semanageRecords):
if type == "": if type == "":
raise ValueError(_("SELinux Type is required")) raise ValueError(_("SELinux Type is required"))
@ -947,7 +1238,7 @@ index c76dce8..59df249 100644
(rc, k) = semanage_fcontext_key_create(self.sh, target, file_types[ftype]) (rc, k) = semanage_fcontext_key_create(self.sh, target, file_types[ftype])
if rc < 0: if rc < 0:
@@ -2432,8 +2473,10 @@ class fcontextRecords(semanageRecords): @@ -2432,8 +2478,10 @@ class fcontextRecords(semanageRecords):
def __modify(self, target, setype, ftype, serange, seuser): def __modify(self, target, setype, ftype, serange, seuser):
if serange == "" and setype == "" and seuser == "": if serange == "" and setype == "" and seuser == "":
raise ValueError(_("Requires setype, serange or seuser")) raise ValueError(_("Requires setype, serange or seuser"))
@ -960,7 +1251,7 @@ index c76dce8..59df249 100644
self.validate(target) self.validate(target)
@@ -2597,7 +2640,10 @@ class fcontextRecords(semanageRecords): @@ -2597,7 +2645,10 @@ class fcontextRecords(semanageRecords):
fcon_dict = self.get_all(True) fcon_dict = self.get_all(True)
for k in sorted(fcon_dict.keys()): for k in sorted(fcon_dict.keys()):
if fcon_dict[k]: if fcon_dict[k]:
@ -1122,6 +1413,30 @@ index 26ce6c9..daed58c 100644
return av_set return av_set
class AVCTypeFilter: class AVCTypeFilter:
diff --git selinux-python-2.8/sepolgen/src/sepolgen/defaults.py selinux-python-2.8/sepolgen/src/sepolgen/defaults.py
index 9591063..e8d7b6a 100644
--- selinux-python-2.8/sepolgen/src/sepolgen/defaults.py
+++ selinux-python-2.8/sepolgen/src/sepolgen/defaults.py
@@ -32,12 +32,13 @@ class PathChoooser(object):
self.config_pathname = pathname
ignore = re.compile(r"^\s*(?:#.+)?$")
consider = re.compile(r"^\s*(\w+)\s*=\s*(.+?)\s*$")
- for lineno, line in enumerate(open(pathname)):
- if ignore.match(line): continue
- mo = consider.match(line)
- if not mo:
- raise ValueError("%s:%d: line is not in key = value format" % (pathname, lineno+1))
- self.config[mo.group(1)] = mo.group(2)
+ with open(pathname, "r") as fd:
+ for lineno, line in enumerate(fd):
+ if ignore.match(line): continue
+ mo = consider.match(line)
+ if not mo:
+ raise ValueError("%s:%d: line is not in key = value format" % (pathname, lineno+1))
+ self.config[mo.group(1)] = mo.group(2)
# We're only exporting one useful function, so why not be a function
def __call__(self, testfilename, pathset="SELINUX_DEVEL_PATH"):
diff --git selinux-python-2.8/sepolgen/src/sepolgen/policygen.py selinux-python-2.8/sepolgen/src/sepolgen/policygen.py diff --git selinux-python-2.8/sepolgen/src/sepolgen/policygen.py selinux-python-2.8/sepolgen/src/sepolgen/policygen.py
index ee664fb..319da15 100644 index ee664fb..319da15 100644
--- selinux-python-2.8/sepolgen/src/sepolgen/policygen.py --- selinux-python-2.8/sepolgen/src/sepolgen/policygen.py
@ -2067,7 +2382,7 @@ index 141f64e..5880176 100755
class LoadPolicy(argparse.Action): class LoadPolicy(argparse.Action):
diff --git selinux-python-2.8/sepolicy/sepolicy/__init__.py selinux-python-2.8/sepolicy/sepolicy/__init__.py diff --git selinux-python-2.8/sepolicy/sepolicy/__init__.py selinux-python-2.8/sepolicy/sepolicy/__init__.py
index 89346ab..6039489 100644 index 89346ab..1b116f6 100644
--- selinux-python-2.8/sepolicy/sepolicy/__init__.py --- selinux-python-2.8/sepolicy/sepolicy/__init__.py
+++ selinux-python-2.8/sepolicy/sepolicy/__init__.py +++ selinux-python-2.8/sepolicy/sepolicy/__init__.py
@@ -15,7 +15,7 @@ import os @@ -15,7 +15,7 @@ import os
@ -2079,21 +2394,43 @@ index 89346ab..6039489 100644
try: try:
import gettext import gettext
kwargs = {} kwargs = {}
@@ -129,6 +129,13 @@ def get_installed_policy(root="/"): @@ -119,16 +119,34 @@ all_allow_rules = None
all_transitions = None
+def policy_sortkey(policy_path):
+ # Parse the extension of a policy path which looks like .../policy/policy.31
+ extension = policy_path.rsplit('/policy.', 1)[1]
+ try:
+ return int(extension), policy_path
+ except ValueError:
+ # Fallback with sorting on the full path
+ return 0, policy_path
+
def get_installed_policy(root="/"):
try:
path = root + selinux.selinux_binary_policy_path()
policies = glob.glob("%s.*" % path)
- policies.sort()
+ policies.sort(key=policy_sortkey)
return policies[-1]
except:
pass pass
raise ValueError(_("No SELinux Policy installed")) raise ValueError(_("No SELinux Policy installed"))
+def get_store_policy(store, root="/"): +def get_store_policy(store):
+ try: + """Get the path to the policy file located in the given store name"""
+ policies = glob.glob("%s%s/policy/policy.*" % (selinux.selinux_path(), store)) + policies = glob.glob("%s%s/policy/policy.*" %
+ policies.sort() + (selinux.selinux_path(), store))
+ return policies[-1] + if not policies:
+ except:
+ return None + return None
+ # Return the policy with the higher version number
+ policies.sort(key=policy_sortkey)
+ return policies[-1]
def policy(policy_file): def policy(policy_file):
global all_domains global all_domains
@@ -156,6 +163,11 @@ def policy(policy_file): @@ -156,6 +174,11 @@ def policy(policy_file):
except: except:
raise ValueError(_("Failed to read %s policy file") % policy_file) raise ValueError(_("Failed to read %s policy file") % policy_file)
@ -2105,7 +2442,7 @@ index 89346ab..6039489 100644
try: try:
policy_file = get_installed_policy() policy_file = get_installed_policy()
@@ -168,15 +180,21 @@ except ValueError as e: @@ -168,15 +191,21 @@ except ValueError as e:
def info(setype, name=None): def info(setype, name=None):
if setype == TYPE: if setype == TYPE:
q = setools.TypeQuery(_pol) q = setools.TypeQuery(_pol)
@ -2130,7 +2467,7 @@ index 89346ab..6039489 100644
elif setype == ROLE: elif setype == ROLE:
q = setools.RoleQuery(_pol) q = setools.RoleQuery(_pol)
@@ -272,34 +290,38 @@ def _setools_rule_to_dict(rule): @@ -272,34 +301,38 @@ def _setools_rule_to_dict(rule):
'class': str(rule.tclass), 'class': str(rule.tclass),
} }
@ -2178,7 +2515,7 @@ index 89346ab..6039489 100644
pass pass
return d return d
@@ -334,6 +356,8 @@ def search(types, seinfo=None): @@ -334,6 +367,8 @@ def search(types, seinfo=None):
tertypes.append(NEVERALLOW) tertypes.append(NEVERALLOW)
if AUDITALLOW in types: if AUDITALLOW in types:
tertypes.append(AUDITALLOW) tertypes.append(AUDITALLOW)
@ -2187,7 +2524,7 @@ index 89346ab..6039489 100644
if len(tertypes) > 0: if len(tertypes) > 0:
q = setools.TERuleQuery(_pol, q = setools.TERuleQuery(_pol,
@@ -437,6 +461,20 @@ def get_file_types(setype): @@ -437,6 +472,20 @@ def get_file_types(setype):
return mpaths return mpaths
@ -2208,7 +2545,7 @@ index 89346ab..6039489 100644
def get_writable_files(setype): def get_writable_files(setype):
file_types = get_all_file_types() file_types = get_all_file_types()
all_writes = [] all_writes = []
@@ -1048,6 +1086,8 @@ def _dict_has_perms(dict, perms): @@ -1048,6 +1097,8 @@ def _dict_has_perms(dict, perms):
def gen_short_name(setype): def gen_short_name(setype):
all_domains = get_all_domains() all_domains = get_all_domains()
if setype.endswith("_t"): if setype.endswith("_t"):
@ -2217,7 +2554,7 @@ index 89346ab..6039489 100644
domainname = setype[:-2] domainname = setype[:-2]
else: else:
domainname = setype domainname = setype
@@ -1160,27 +1200,14 @@ def boolean_desc(boolean): @@ -1160,27 +1211,14 @@ def boolean_desc(boolean):
def get_os_version(): def get_os_version():
@ -2276,7 +2613,7 @@ index f814e27..8e53033 100644
dict[(p['low'], p['high'], p['protocol'])] = (p['type'], p.get('range')) dict[(p['low'], p['high'], p['protocol'])] = (p['type'], p.get('range'))
return dict return dict
diff --git selinux-python-2.8/sepolicy/sepolicy/gui.py selinux-python-2.8/sepolicy/sepolicy/gui.py diff --git selinux-python-2.8/sepolicy/sepolicy/gui.py selinux-python-2.8/sepolicy/sepolicy/gui.py
index 537d516..63aa02c 100644 index 537d516..1e3c3f3 100644
--- selinux-python-2.8/sepolicy/sepolicy/gui.py --- selinux-python-2.8/sepolicy/sepolicy/gui.py
+++ selinux-python-2.8/sepolicy/sepolicy/gui.py +++ selinux-python-2.8/sepolicy/sepolicy/gui.py
@@ -43,7 +43,7 @@ import os @@ -43,7 +43,7 @@ import os
@ -2288,6 +2625,14 @@ index 537d516..63aa02c 100644
try: try:
import gettext import gettext
kwargs = {} kwargs = {}
@@ -149,6 +149,7 @@ class SELinuxGui():
self.clear_entry = True
self.files_add = False
self.network_add = False
+ self.mislabeled_files = False
self.all_domains = []
self.installed_list = []
diff --git selinux-python-2.8/sepolicy/sepolicy/interface.py selinux-python-2.8/sepolicy/sepolicy/interface.py diff --git selinux-python-2.8/sepolicy/sepolicy/interface.py selinux-python-2.8/sepolicy/sepolicy/interface.py
index 18374dc..ca0122d 100644 index 18374dc..ca0122d 100644
--- selinux-python-2.8/sepolicy/sepolicy/interface.py --- selinux-python-2.8/sepolicy/sepolicy/interface.py