diff --git a/policycoreutils-fedora.patch b/policycoreutils-fedora.patch index 72dadd3..a624d32 100644 --- a/policycoreutils-fedora.patch +++ b/policycoreutils-fedora.patch @@ -659502,7 +659502,7 @@ index 69078b0..42e79d9 100644 os.remove(v) diff --git policycoreutils-2.5/sepolicy/sepolicy/manpage.py policycoreutils-2.5/sepolicy/sepolicy/manpage.py -index 7de2f80..7fb9dd3 100755 +index 7de2f80..49df6fa 100755 --- policycoreutils-2.5/sepolicy/sepolicy/manpage.py +++ policycoreutils-2.5/sepolicy/sepolicy/manpage.py @@ -1,4 +1,4 @@ @@ -659511,7 +659511,7 @@ index 7de2f80..7fb9dd3 100755 # Copyright (C) 2012-2013 Red Hat # AUTHOR: Dan Walsh # AUTHOR: Miroslav Grepl -@@ -29,13 +29,22 @@ import argparse +@@ -29,14 +29,23 @@ import argparse import selinux import sepolicy from sepolicy import * @@ -659524,6 +659524,7 @@ index 7de2f80..7fb9dd3 100755 import re import time +-equiv_dict = {"smbd": ["samba"], "httpd": ["apache"], "virtd": ["virt", "libvirt", "svirt", "svirt_tcg", "svirt_lxc_t", "svirt_lxc_net_t"], "named": ["bind"], "fsdaemon": ["smartmon"], "mdadm": ["raid"]} + +typealias_types = { + "antivirus_t": ("amavis_t", "clamd_t", "clamscan_t", "freshclam_t"), @@ -659532,9 +659533,10 @@ index 7de2f80..7fb9dd3 100755 + "httpd_t": ("phpfpm_t"), +} + - equiv_dict = {"smbd": ["samba"], "httpd": ["apache"], "virtd": ["virt", "libvirt", "svirt", "svirt_tcg", "svirt_lxc_t", "svirt_lxc_net_t"], "named": ["bind"], "fsdaemon": ["smartmon"], "mdadm": ["raid"]} ++equiv_dict = {"smbd": ["samba"], "httpd": ["apache"], "virtd": ["virt", "libvirt"], "named": ["bind"], "fsdaemon": ["smartmon"], "mdadm": ["raid"]} equiv_dirs = ["/var"] + modules_dict = None @@ -62,7 +71,7 @@ def gen_modules_dict(path="/usr/share/selinux/devel/policy.xml"): name = "unconfined" for b in m.findall("summary"): 
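Review bot: The `"httpd_t": ("phpfpm_t"),` entry of `typealias_types`, kept as context just above the rewritten `equiv_dict` in hunk `@@ -659532,9 +659533,10 @@`, is a bare string rather than a one-element tuple — parentheses without a trailing comma do not make a tuple, unlike the `antivirus_t` entry. Whatever later iterates that value or tests membership against it will walk single characters or do substring matching; that consumer is outside this hunk, so the visible effect cannot be confirmed here. Writing it as `"httpd_t": ("phpfpm_t",),` keeps the value a tuple. The `equiv_dict` rewrite itself only drops the svirt aliases from `virtd`, which matches the spec changelog entry in this commit.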
@@ -659754,7 +659756,15 @@ index 7de2f80..7fb9dd3 100755 if k == self.domainname: for alias in equiv_dict[k]: self.__gen_man_page_link(alias) -@@ -514,9 +477,10 @@ class ManPage: +@@ -506,6 +469,7 @@ class ManPage: + self._booleans() + + self._port_types() ++ self._mcs_types() + self._writes() + self._footer() + +@@ -514,9 +478,10 @@ class ManPage: self.fd = open("%s/%s_selinux.8" % (self.path, alias), 'w') self.fd.write(".so man8/%s_selinux.8" % self.domainname) self.fd.close() @@ -659766,7 +659776,7 @@ index 7de2f80..7fb9dd3 100755 self.anon_list = [] self.attributes = {} -@@ -524,6 +488,16 @@ class ManPage: +@@ -524,11 +489,22 @@ class ManPage: self._get_ptypes() for domain_type in self.ptypes: @@ -659783,7 +659793,13 @@ index 7de2f80..7fb9dd3 100755 self.attributes[domain_type] = sepolicy.info(sepolicy.TYPE, ("%s") % domain_type)[0]["attributes"] self._header() -@@ -542,6 +516,34 @@ class ManPage: + self._entrypoints() + self._process_types() ++ self._mcs_types() + self._booleans() + self._nsswitch_domain() + self._port_types() +@@ -542,6 +518,34 @@ class ManPage: if f.startswith(self.short_name) or f.startswith(self.domainname): self.ptypes.append(f) @@ -659818,7 +659834,7 @@ index 7de2f80..7fb9dd3 100755 def _header(self): self.fd.write('.TH "%(domainname)s_selinux" "8" "%(date)s" "%(domainname)s" "SELinux Policy %(domainname)s"' % {'domainname': self.domainname, 'date': time.strftime("%y-%m-%d")}) -@@ -601,7 +603,7 @@ SELinux policy is customizable based on least access required. %s policy is ext +@@ -601,7 +605,7 @@ SELinux policy is customizable based on least access required. %s policy is ext nsswitch_types = [] nsswitch_booleans = ['authlogin_nsswitch_use_ldap', 'kerberos_enabled'] nsswitchbooltext = "" 
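Review bot: The two new `self._mcs_types()` calls sit at different positions in the two generation sequences: after `self._port_types()` in the first hunk on this line and between `self._process_types()` and `self._booleans()` in hunk `@@ -659783,7 +659793,13 @@`, so the "MCS Constrained" section lands at a different place relative to the booleans and ports sections depending on which path built the page. Placing the call at the same relative position in both sequences keeps section order consistent across generated man pages. The enclosing method begins outside both hunks, so whether the two sequences serve distinct kinds of domain cannot be confirmed from here.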
@@ -659827,7 +659843,7 @@ index 7de2f80..7fb9dd3 100755 if "nsswitch_domain" in self.attributes[k]: nsswitch_types.append(k) -@@ -691,10 +693,13 @@ Default Defined Ports:""") +@@ -691,10 +695,13 @@ Default Defined Ports:""") def _file_context(self): flist = [] @@ -659841,7 +659857,7 @@ index 7de2f80..7fb9dd3 100755 if f in self.fcdict: mpaths = mpaths + self.fcdict[f]["regex"] if len(mpaths) == 0: -@@ -746,19 +751,20 @@ SELinux %(domainname)s policy is very flexible allowing users to setup their %(d +@@ -746,19 +753,20 @@ SELinux %(domainname)s policy is very flexible allowing users to setup their %(d .PP """ % {'domainname': self.domainname, 'equiv': e, 'alt': e.split('/')[-1] }) @@ -659865,7 +659881,7 @@ index 7de2f80..7fb9dd3 100755 self.fd.write(r""" .I The following file types are defined for %(domainname)s: -@@ -895,7 +901,7 @@ selinux(8), %s(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) +@@ -895,7 +903,7 @@ selinux(8), %s(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) def _entrypoints(self): try: @@ -659874,7 +659890,7 @@ index 7de2f80..7fb9dd3 100755 except: return -@@ -911,7 +917,7 @@ selinux(8), %s(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) +@@ -911,7 +919,7 @@ selinux(8), %s(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) The %s_t SELinux type can be entered via the %s. The default entrypoint paths for the %s_t domain are the following: 
@@ -659883,7 +659899,25 @@ index 7de2f80..7fb9dd3 100755 if "bin_t" in entrypoints: entrypoints.remove("bin_t") self.fd.write (""" -@@ -948,7 +954,7 @@ All executeables with the default executable label, usually stored in /usr/bin a +@@ -925,6 +933,17 @@ All executeables with the default executable label, usually stored in /usr/bin a + self.fd.write(""" + %s""" % ", ".join(paths)) + ++ def _mcs_types(self): ++ attributes = sepolicy.info(sepolicy.TYPE, (self.type))[0]["attributes"] ++ if "mcs_constrained_type" not in attributes: ++ return ++ self.fd.write (""" ++.SH "MCS Constrained" ++The SELinux process type %(type)s_t is an MCS (Multi Category Security) constrained type. Sometimes this separation is referred to as sVirt. These types are usually used for securing multi-tenant environments, such as virtualization, containers or separation of users. The tools used to launch MCS types, pick out a different MCS label for each process group. ++ ++For example one process might be launched with %(type)s_t:s0:c1,c2, and another process launched with %(type)s_t:s0:c3,c4. The SELinux kernel only allows these processes can only write to content with a matching MCS label, or a MCS Label of s0. A process running with the MCS level of s0:c1,c2 is not allowed to write to content with the MCS label of s0:c3,c4 ++""" % {'type': self.domainname}) ++ + def _writes(self): + permlist = sepolicy.search([sepolicy.ALLOW], {'source': self.type, 'permlist': ['open', 'write'], 'class': 'file'}) + if permlist == None or len(permlist) == 0: +@@ -948,7 +967,7 @@ All executeables with the default executable label, usually stored in /usr/bin a """) self.fd.write (""" The SELinux process type %s_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. 
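Review bot: `_mcs_types` indexes `sepolicy.info(sepolicy.TYPE, (self.type))[0]` without checking that anything came back, whereas the neighbouring `_entrypoints` wraps the same kind of lookup in try/except and returns on failure; an unknown type would raise IndexError here instead of simply omitting the section. A minimal guard is `info = sepolicy.info(sepolicy.TYPE, self.type)` followed by `if not info or "mcs_constrained_type" not in info[0]["attributes"]: return` (the parentheses around `self.type` do nothing). The man-page text also carries a grammar slip that is printed verbatim: `The SELinux kernel only allows these processes can only write to content` should read `The SELinux kernel only allows these processes to write to content`, and the final sentence lacks a full stop. The text formats `%(type)s_t` from `self.domainname` while the lookup uses `self.type`; presumably these agree, but that relationship is not visible in this hunk.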
@@ -659892,7 +659926,7 @@ index 7de2f80..7fb9dd3 100755 all_writes.sort() if "file_type" in all_writes: -@@ -1013,7 +1019,7 @@ If you want to map the one Linux user (joe) to the SELinux user %(user)s, you wo +@@ -1013,7 +1032,7 @@ If you want to map the one Linux user (joe) to the SELinux user %(user)s, you wo .B $ semanage login -a -s %(user)s_u joe @@ -659901,7 +659935,7 @@ index 7de2f80..7fb9dd3 100755 def _can_sudo(self): sudotype = "%s_sudo_t" % self.domainname -@@ -1161,7 +1167,7 @@ Three things can happen when %(type)s attempts to execute a program. +@@ -1161,7 +1180,7 @@ Three things can happen when %(type)s attempts to execute a program. Execute the following to see the types that the SELinux user %(type)s can execute without transitioning: @@ -659910,7 +659944,7 @@ index 7de2f80..7fb9dd3 100755 .TP -@@ -1169,9 +1175,9 @@ Execute the following to see the types that the SELinux user %(type)s can execut +@@ -1169,9 +1188,9 @@ Execute the following to see the types that the SELinux user %(type)s can execut Execute the following to see the types that the SELinux user %(type)s can execute and transition: @@ -659922,7 +659956,7 @@ index 7de2f80..7fb9dd3 100755 def _role_header(self): self.fd.write('.TH "%(user)s_selinux" "8" "%(user)s" "mgrepl@redhat.com" "%(user)s SELinux Policy documentation"' -@@ -1233,7 +1239,7 @@ You need to add %(user)s_r to the staff_u user. You could setup the staff_u use +@@ -1233,7 +1252,7 @@ You need to add %(user)s_r to the staff_u user. You could setup the staff_u use SELinux policy also controls which roles can transition to a different role. You can list these rules using the following command. diff --git a/policycoreutils.spec b/policycoreutils.spec index e37794c..af10dec 100644 --- a/policycoreutils.spec +++ b/policycoreutils.spec 
@@ -7,7 +7,7 @@ Summary: SELinux policy core utilities
 Name: policycoreutils
 Version: 2.5
-Release: 3%{?dist}
+Release: 4%{?dist}
 License: GPLv2
 Group: System Environment/Base
 # https://github.com/SELinuxProject/selinux/wiki/Releases
@@ -20,7 +20,7 @@ Source4: sepolicy-icons.tgz
 # download https://raw.githubusercontent.com/fedora-selinux/scripts/master/selinux/make-fedora-selinux-patch.sh
 # run:
 # $ VERSION=2.5 ./make-fedora-selinux-patch.sh policycoreutils
-# HEAD https://github.com/fedora-selinux/selinux/commit/dd55f35aa786ad0c5635391e8a9bde47beb8de1b
+# HEAD https://github.com/fedora-selinux/selinux/commit/c3819c97e4231166cfb2ae64e623546bd26a5627
 Patch: policycoreutils-fedora.patch
 # $ VERSION=1.2.3 ./make-fedora-selinux-patch.sh sepolgen
 Patch1: sepolgen-fedora.patch
@@ -408,6 +408,10 @@ The policycoreutils-restorecond package contains the restorecond service.
 %systemd_postun_with_restart restorecond.service
 %changelog
+* Fri Mar 18 2016 Petr Lautrbach - 2.5-4
+- Add documentation for MCS separated domains
+- Move svirt man page out of libvirt into its own
+
 * Thu Mar 17 2016 Petr Lautrbach - 2.5-3
 - policycoreutils: use python3 in chcat(#1318408)