policycoreutils-2.5-4
- Add documentation for MCS separated domains - Move svirt man page out of libvirt into its own
This commit is contained in:
parent
86e29572df
commit
e41aa2fbd5
@ -659502,7 +659502,7 @@ index 69078b0..42e79d9 100644
|
|||||||
os.remove(v)
|
os.remove(v)
|
||||||
|
|
||||||
diff --git policycoreutils-2.5/sepolicy/sepolicy/manpage.py policycoreutils-2.5/sepolicy/sepolicy/manpage.py
|
diff --git policycoreutils-2.5/sepolicy/sepolicy/manpage.py policycoreutils-2.5/sepolicy/sepolicy/manpage.py
|
||||||
index 7de2f80..7fb9dd3 100755
|
index 7de2f80..49df6fa 100755
|
||||||
--- policycoreutils-2.5/sepolicy/sepolicy/manpage.py
|
--- policycoreutils-2.5/sepolicy/sepolicy/manpage.py
|
||||||
+++ policycoreutils-2.5/sepolicy/sepolicy/manpage.py
|
+++ policycoreutils-2.5/sepolicy/sepolicy/manpage.py
|
||||||
@@ -1,4 +1,4 @@
|
@@ -1,4 +1,4 @@
|
||||||
@ -659511,7 +659511,7 @@ index 7de2f80..7fb9dd3 100755
|
|||||||
# Copyright (C) 2012-2013 Red Hat
|
# Copyright (C) 2012-2013 Red Hat
|
||||||
# AUTHOR: Dan Walsh <dwalsh@redhat.com>
|
# AUTHOR: Dan Walsh <dwalsh@redhat.com>
|
||||||
# AUTHOR: Miroslav Grepl <mgrepl@redhat.com>
|
# AUTHOR: Miroslav Grepl <mgrepl@redhat.com>
|
||||||
@@ -29,13 +29,22 @@ import argparse
|
@@ -29,14 +29,23 @@ import argparse
|
||||||
import selinux
|
import selinux
|
||||||
import sepolicy
|
import sepolicy
|
||||||
from sepolicy import *
|
from sepolicy import *
|
||||||
@ -659524,6 +659524,7 @@ index 7de2f80..7fb9dd3 100755
|
|||||||
import re
|
import re
|
||||||
import time
|
import time
|
||||||
|
|
||||||
|
-equiv_dict = {"smbd": ["samba"], "httpd": ["apache"], "virtd": ["virt", "libvirt", "svirt", "svirt_tcg", "svirt_lxc_t", "svirt_lxc_net_t"], "named": ["bind"], "fsdaemon": ["smartmon"], "mdadm": ["raid"]}
|
||||||
+
|
+
|
||||||
+typealias_types = {
|
+typealias_types = {
|
||||||
+ "antivirus_t": ("amavis_t", "clamd_t", "clamscan_t", "freshclam_t"),
|
+ "antivirus_t": ("amavis_t", "clamd_t", "clamscan_t", "freshclam_t"),
|
||||||
@ -659532,9 +659533,10 @@ index 7de2f80..7fb9dd3 100755
|
|||||||
+ "httpd_t": ("phpfpm_t"),
|
+ "httpd_t": ("phpfpm_t"),
|
||||||
+}
|
+}
|
||||||
+
|
+
|
||||||
equiv_dict = {"smbd": ["samba"], "httpd": ["apache"], "virtd": ["virt", "libvirt", "svirt", "svirt_tcg", "svirt_lxc_t", "svirt_lxc_net_t"], "named": ["bind"], "fsdaemon": ["smartmon"], "mdadm": ["raid"]}
|
+equiv_dict = {"smbd": ["samba"], "httpd": ["apache"], "virtd": ["virt", "libvirt"], "named": ["bind"], "fsdaemon": ["smartmon"], "mdadm": ["raid"]}
|
||||||
|
|
||||||
equiv_dirs = ["/var"]
|
equiv_dirs = ["/var"]
|
||||||
|
modules_dict = None
|
||||||
@@ -62,7 +71,7 @@ def gen_modules_dict(path="/usr/share/selinux/devel/policy.xml"):
|
@@ -62,7 +71,7 @@ def gen_modules_dict(path="/usr/share/selinux/devel/policy.xml"):
|
||||||
name = "unconfined"
|
name = "unconfined"
|
||||||
for b in m.findall("summary"):
|
for b in m.findall("summary"):
|
||||||
@ -659754,7 +659756,15 @@ index 7de2f80..7fb9dd3 100755
|
|||||||
if k == self.domainname:
|
if k == self.domainname:
|
||||||
for alias in equiv_dict[k]:
|
for alias in equiv_dict[k]:
|
||||||
self.__gen_man_page_link(alias)
|
self.__gen_man_page_link(alias)
|
||||||
@@ -514,9 +477,10 @@ class ManPage:
|
@@ -506,6 +469,7 @@ class ManPage:
|
||||||
|
self._booleans()
|
||||||
|
|
||||||
|
self._port_types()
|
||||||
|
+ self._mcs_types()
|
||||||
|
self._writes()
|
||||||
|
self._footer()
|
||||||
|
|
||||||
|
@@ -514,9 +478,10 @@ class ManPage:
|
||||||
self.fd = open("%s/%s_selinux.8" % (self.path, alias), 'w')
|
self.fd = open("%s/%s_selinux.8" % (self.path, alias), 'w')
|
||||||
self.fd.write(".so man8/%s_selinux.8" % self.domainname)
|
self.fd.write(".so man8/%s_selinux.8" % self.domainname)
|
||||||
self.fd.close()
|
self.fd.close()
|
||||||
@ -659766,7 +659776,7 @@ index 7de2f80..7fb9dd3 100755
|
|||||||
self.anon_list = []
|
self.anon_list = []
|
||||||
|
|
||||||
self.attributes = {}
|
self.attributes = {}
|
||||||
@@ -524,6 +488,16 @@ class ManPage:
|
@@ -524,11 +489,22 @@ class ManPage:
|
||||||
self._get_ptypes()
|
self._get_ptypes()
|
||||||
|
|
||||||
for domain_type in self.ptypes:
|
for domain_type in self.ptypes:
|
||||||
@ -659783,7 +659793,13 @@ index 7de2f80..7fb9dd3 100755
|
|||||||
self.attributes[domain_type] = sepolicy.info(sepolicy.TYPE, ("%s") % domain_type)[0]["attributes"]
|
self.attributes[domain_type] = sepolicy.info(sepolicy.TYPE, ("%s") % domain_type)[0]["attributes"]
|
||||||
|
|
||||||
self._header()
|
self._header()
|
||||||
@@ -542,6 +516,34 @@ class ManPage:
|
self._entrypoints()
|
||||||
|
self._process_types()
|
||||||
|
+ self._mcs_types()
|
||||||
|
self._booleans()
|
||||||
|
self._nsswitch_domain()
|
||||||
|
self._port_types()
|
||||||
|
@@ -542,6 +518,34 @@ class ManPage:
|
||||||
if f.startswith(self.short_name) or f.startswith(self.domainname):
|
if f.startswith(self.short_name) or f.startswith(self.domainname):
|
||||||
self.ptypes.append(f)
|
self.ptypes.append(f)
|
||||||
|
|
||||||
@ -659818,7 +659834,7 @@ index 7de2f80..7fb9dd3 100755
|
|||||||
def _header(self):
|
def _header(self):
|
||||||
self.fd.write('.TH "%(domainname)s_selinux" "8" "%(date)s" "%(domainname)s" "SELinux Policy %(domainname)s"'
|
self.fd.write('.TH "%(domainname)s_selinux" "8" "%(date)s" "%(domainname)s" "SELinux Policy %(domainname)s"'
|
||||||
% {'domainname': self.domainname, 'date': time.strftime("%y-%m-%d")})
|
% {'domainname': self.domainname, 'date': time.strftime("%y-%m-%d")})
|
||||||
@@ -601,7 +603,7 @@ SELinux policy is customizable based on least access required. %s policy is ext
|
@@ -601,7 +605,7 @@ SELinux policy is customizable based on least access required. %s policy is ext
|
||||||
nsswitch_types = []
|
nsswitch_types = []
|
||||||
nsswitch_booleans = ['authlogin_nsswitch_use_ldap', 'kerberos_enabled']
|
nsswitch_booleans = ['authlogin_nsswitch_use_ldap', 'kerberos_enabled']
|
||||||
nsswitchbooltext = ""
|
nsswitchbooltext = ""
|
||||||
@ -659827,7 +659843,7 @@ index 7de2f80..7fb9dd3 100755
|
|||||||
if "nsswitch_domain" in self.attributes[k]:
|
if "nsswitch_domain" in self.attributes[k]:
|
||||||
nsswitch_types.append(k)
|
nsswitch_types.append(k)
|
||||||
|
|
||||||
@@ -691,10 +693,13 @@ Default Defined Ports:""")
|
@@ -691,10 +695,13 @@ Default Defined Ports:""")
|
||||||
|
|
||||||
def _file_context(self):
|
def _file_context(self):
|
||||||
flist = []
|
flist = []
|
||||||
@ -659841,7 +659857,7 @@ index 7de2f80..7fb9dd3 100755
|
|||||||
if f in self.fcdict:
|
if f in self.fcdict:
|
||||||
mpaths = mpaths + self.fcdict[f]["regex"]
|
mpaths = mpaths + self.fcdict[f]["regex"]
|
||||||
if len(mpaths) == 0:
|
if len(mpaths) == 0:
|
||||||
@@ -746,19 +751,20 @@ SELinux %(domainname)s policy is very flexible allowing users to setup their %(d
|
@@ -746,19 +753,20 @@ SELinux %(domainname)s policy is very flexible allowing users to setup their %(d
|
||||||
.PP
|
.PP
|
||||||
""" % {'domainname': self.domainname, 'equiv': e, 'alt': e.split('/')[-1] })
|
""" % {'domainname': self.domainname, 'equiv': e, 'alt': e.split('/')[-1] })
|
||||||
|
|
||||||
@ -659865,7 +659881,7 @@ index 7de2f80..7fb9dd3 100755
|
|||||||
|
|
||||||
self.fd.write(r"""
|
self.fd.write(r"""
|
||||||
.I The following file types are defined for %(domainname)s:
|
.I The following file types are defined for %(domainname)s:
|
||||||
@@ -895,7 +901,7 @@ selinux(8), %s(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
|
@@ -895,7 +903,7 @@ selinux(8), %s(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
|
||||||
|
|
||||||
def _entrypoints(self):
|
def _entrypoints(self):
|
||||||
try:
|
try:
|
||||||
@ -659874,7 +659890,7 @@ index 7de2f80..7fb9dd3 100755
|
|||||||
except:
|
except:
|
||||||
return
|
return
|
||||||
|
|
||||||
@@ -911,7 +917,7 @@ selinux(8), %s(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
|
@@ -911,7 +919,7 @@ selinux(8), %s(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
|
||||||
The %s_t SELinux type can be entered via the %s.
|
The %s_t SELinux type can be entered via the %s.
|
||||||
|
|
||||||
The default entrypoint paths for the %s_t domain are the following:
|
The default entrypoint paths for the %s_t domain are the following:
|
||||||
@ -659883,7 +659899,25 @@ index 7de2f80..7fb9dd3 100755
|
|||||||
if "bin_t" in entrypoints:
|
if "bin_t" in entrypoints:
|
||||||
entrypoints.remove("bin_t")
|
entrypoints.remove("bin_t")
|
||||||
self.fd.write ("""
|
self.fd.write ("""
|
||||||
@@ -948,7 +954,7 @@ All executeables with the default executable label, usually stored in /usr/bin a
|
@@ -925,6 +933,17 @@ All executeables with the default executable label, usually stored in /usr/bin a
|
||||||
|
self.fd.write("""
|
||||||
|
%s""" % ", ".join(paths))
|
||||||
|
|
||||||
|
+ def _mcs_types(self):
|
||||||
|
+ attributes = sepolicy.info(sepolicy.TYPE, (self.type))[0]["attributes"]
|
||||||
|
+ if "mcs_constrained_type" not in attributes:
|
||||||
|
+ return
|
||||||
|
+ self.fd.write ("""
|
||||||
|
+.SH "MCS Constrained"
|
||||||
|
+The SELinux process type %(type)s_t is an MCS (Multi Category Security) constrained type. Sometimes this separation is referred to as sVirt. These types are usually used for securing multi-tenant environments, such as virtualization, containers or separation of users. The tools used to launch MCS types, pick out a different MCS label for each process group.
|
||||||
|
+
|
||||||
|
+For example one process might be launched with %(type)s_t:s0:c1,c2, and another process launched with %(type)s_t:s0:c3,c4. The SELinux kernel only allows these processes can only write to content with a matching MCS label, or a MCS Label of s0. A process running with the MCS level of s0:c1,c2 is not allowed to write to content with the MCS label of s0:c3,c4
|
||||||
|
+""" % {'type': self.domainname})
|
||||||
|
+
|
||||||
|
def _writes(self):
|
||||||
|
permlist = sepolicy.search([sepolicy.ALLOW], {'source': self.type, 'permlist': ['open', 'write'], 'class': 'file'})
|
||||||
|
if permlist == None or len(permlist) == 0:
|
||||||
|
@@ -948,7 +967,7 @@ All executeables with the default executable label, usually stored in /usr/bin a
|
||||||
""")
|
""")
|
||||||
self.fd.write ("""
|
self.fd.write ("""
|
||||||
The SELinux process type %s_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
|
The SELinux process type %s_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
|
||||||
@ -659892,7 +659926,7 @@ index 7de2f80..7fb9dd3 100755
|
|||||||
|
|
||||||
all_writes.sort()
|
all_writes.sort()
|
||||||
if "file_type" in all_writes:
|
if "file_type" in all_writes:
|
||||||
@@ -1013,7 +1019,7 @@ If you want to map the one Linux user (joe) to the SELinux user %(user)s, you wo
|
@@ -1013,7 +1032,7 @@ If you want to map the one Linux user (joe) to the SELinux user %(user)s, you wo
|
||||||
|
|
||||||
.B $ semanage login -a -s %(user)s_u joe
|
.B $ semanage login -a -s %(user)s_u joe
|
||||||
|
|
||||||
@ -659901,7 +659935,7 @@ index 7de2f80..7fb9dd3 100755
|
|||||||
|
|
||||||
def _can_sudo(self):
|
def _can_sudo(self):
|
||||||
sudotype = "%s_sudo_t" % self.domainname
|
sudotype = "%s_sudo_t" % self.domainname
|
||||||
@@ -1161,7 +1167,7 @@ Three things can happen when %(type)s attempts to execute a program.
|
@@ -1161,7 +1180,7 @@ Three things can happen when %(type)s attempts to execute a program.
|
||||||
|
|
||||||
Execute the following to see the types that the SELinux user %(type)s can execute without transitioning:
|
Execute the following to see the types that the SELinux user %(type)s can execute without transitioning:
|
||||||
|
|
||||||
@ -659910,7 +659944,7 @@ index 7de2f80..7fb9dd3 100755
|
|||||||
|
|
||||||
.TP
|
.TP
|
||||||
|
|
||||||
@@ -1169,9 +1175,9 @@ Execute the following to see the types that the SELinux user %(type)s can execut
|
@@ -1169,9 +1188,9 @@ Execute the following to see the types that the SELinux user %(type)s can execut
|
||||||
|
|
||||||
Execute the following to see the types that the SELinux user %(type)s can execute and transition:
|
Execute the following to see the types that the SELinux user %(type)s can execute and transition:
|
||||||
|
|
||||||
@ -659922,7 +659956,7 @@ index 7de2f80..7fb9dd3 100755
|
|||||||
|
|
||||||
def _role_header(self):
|
def _role_header(self):
|
||||||
self.fd.write('.TH "%(user)s_selinux" "8" "%(user)s" "mgrepl@redhat.com" "%(user)s SELinux Policy documentation"'
|
self.fd.write('.TH "%(user)s_selinux" "8" "%(user)s" "mgrepl@redhat.com" "%(user)s SELinux Policy documentation"'
|
||||||
@@ -1233,7 +1239,7 @@ You need to add %(user)s_r to the staff_u user. You could setup the staff_u use
|
@@ -1233,7 +1252,7 @@ You need to add %(user)s_r to the staff_u user. You could setup the staff_u use
|
||||||
SELinux policy also controls which roles can transition to a different role.
|
SELinux policy also controls which roles can transition to a different role.
|
||||||
You can list these rules using the following command.
|
You can list these rules using the following command.
|
||||||
|
|
||||||
|
@ -7,7 +7,7 @@
|
|||||||
Summary: SELinux policy core utilities
|
Summary: SELinux policy core utilities
|
||||||
Name: policycoreutils
|
Name: policycoreutils
|
||||||
Version: 2.5
|
Version: 2.5
|
||||||
Release: 3%{?dist}
|
Release: 4%{?dist}
|
||||||
License: GPLv2
|
License: GPLv2
|
||||||
Group: System Environment/Base
|
Group: System Environment/Base
|
||||||
# https://github.com/SELinuxProject/selinux/wiki/Releases
|
# https://github.com/SELinuxProject/selinux/wiki/Releases
|
||||||
@ -20,7 +20,7 @@ Source4: sepolicy-icons.tgz
|
|||||||
# download https://raw.githubusercontent.com/fedora-selinux/scripts/master/selinux/make-fedora-selinux-patch.sh
|
# download https://raw.githubusercontent.com/fedora-selinux/scripts/master/selinux/make-fedora-selinux-patch.sh
|
||||||
# run:
|
# run:
|
||||||
# $ VERSION=2.5 ./make-fedora-selinux-patch.sh policycoreutils
|
# $ VERSION=2.5 ./make-fedora-selinux-patch.sh policycoreutils
|
||||||
# HEAD https://github.com/fedora-selinux/selinux/commit/dd55f35aa786ad0c5635391e8a9bde47beb8de1b
|
# HEAD https://github.com/fedora-selinux/selinux/commit/c3819c97e4231166cfb2ae64e623546bd26a5627
|
||||||
Patch: policycoreutils-fedora.patch
|
Patch: policycoreutils-fedora.patch
|
||||||
# $ VERSION=1.2.3 ./make-fedora-selinux-patch.sh sepolgen
|
# $ VERSION=1.2.3 ./make-fedora-selinux-patch.sh sepolgen
|
||||||
Patch1: sepolgen-fedora.patch
|
Patch1: sepolgen-fedora.patch
|
||||||
@ -408,6 +408,10 @@ The policycoreutils-restorecond package contains the restorecond service.
|
|||||||
%systemd_postun_with_restart restorecond.service
|
%systemd_postun_with_restart restorecond.service
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Fri Mar 18 2016 Petr Lautrbach <plautrba@redhat.com> - 2.5-4
|
||||||
|
- Add documentation for MCS separated domains
|
||||||
|
- Move svirt man page out of libvirt into its own
|
||||||
|
|
||||||
* Thu Mar 17 2016 Petr Lautrbach <plautrba@redhat.com> - 2.5-3
|
* Thu Mar 17 2016 Petr Lautrbach <plautrba@redhat.com> - 2.5-3
|
||||||
- policycoreutils: use python3 in chcat(#1318408)
|
- policycoreutils: use python3 in chcat(#1318408)
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user