From f00bc4f487fe9fbf2b3736f687956b7e30b4fae5 Mon Sep 17 00:00:00 2001
From: Dan Walsh
Date: Fri, 4 Oct 2013 18:24:43 -0400
Subject: [PATCH] Fixes for fixfiles * exclude_from_dirs should apply to all types of restorecon calls * fixfiles check now works * exit with the correct status
---
policycoreutils-rhat.patch | 1071 +++++++++++++++++++++---------------
policycoreutils.spec | 10 +-
2 files changed, 624 insertions(+), 457 deletions(-)
diff --git a/policycoreutils-rhat.patch b/policycoreutils-rhat.patch
index c988372..a277edd 100644
--- a/policycoreutils-rhat.patch
+++ b/policycoreutils-rhat.patch
@@ -218715,7 +218715,7 @@ index c962641..864cc74 100644
+msgid "Boolean %s Allow Rules"
msgstr ""
diff --git a/policycoreutils/po/it.po b/policycoreutils/po/it.po
-index 94385a0..a2d72cd 100644
+index 94385a0..27b8d47 100644
--- a/policycoreutils/po/it.po
+++ b/policycoreutils/po/it.po
@@ -3,15 +3,17 @@
@@ -218736,7 +218736,7 @@ index 94385a0..a2d72cd 100644
-"PO-Revision-Date: 2013-01-04 17:02+0000\n"
-"Last-Translator: dwalsh \n"
+"POT-Creation-Date: 2013-07-10 16:36-0400\n"
-+"PO-Revision-Date: 2013-09-29 13:50+0000\n"
++"PO-Revision-Date: 2013-10-02 20:23+0000\n"
+"Last-Translator: massimo81 \n"
"Language-Team: Italian \n"
"MIME-Version: 1.0\n"
@@ -218814,7 +218814,8 @@ index 94385a0..a2d72cd 100644
-#: ../semanage/seobject.py:360
+#: ../semanage/seobject.py:362
msgid "Builtin Permissive Types"
- msgstr ""
+-msgstr ""
++msgstr "Tipi Permissivi Incorporati"
-#: ../semanage/seobject.py:370
+#: ../semanage/seobject.py:372
@@ -219415,7 +219416,8 @@ index 94385a0..a2d72cd 100644
-#: ../semanage/seobject.py:1395
+#: ../semanage/seobject.py:1407
msgid "Could not deleteall node mappings"
- msgstr ""
+-msgstr ""
++msgstr "Impossibile eliminare l'intera mappatura del nodo"
-#: ../semanage/seobject.py:1409
+#: ../semanage/seobject.py:1421
@@ -219516,7 +219518,8 @@ index 94385a0..a2d72cd 100644 -#: ../semanage/seobject.py:1589 +#: ../semanage/seobject.py:1601 msgid "Could not delete all interface mappings" - msgstr "" +-msgstr "" ++msgstr "Impossibile eliminare l'intera mappatura dell'interfaccia" -#: ../semanage/seobject.py:1603 +#: ../semanage/seobject.py:1615 @@ -220195,7 +220198,7 @@ index 94385a0..a2d72cd 100644 #: ../gui/polgen.glade:34 msgid "Add Booleans Dialog" -@@ -1405,66 +1442,66 @@ msgstr "" +@@ -1405,74 +1442,74 @@ msgstr "" #: ../gui/polgen.glade:230 msgid "SELinux Policy Generation Tool" 
@@ -220281,16 +220284,129 @@ index 94385a0..a2d72cd 100644 #: ../gui/polgen.glade:478 msgid "Existing User Roles" -@@ -1533,7 +1570,8 @@ msgstr "" +-msgstr "" ++msgstr "Regole Utente Esistenti" + + #: ../gui/polgen.glade:482 + msgid "Modify an existing login user record." +-msgstr "" ++msgstr "Modificare un record utente di un login esistente." + + #: ../gui/polgen.glade:495 + msgid "Minimal Terminal User Role" +@@ -1482,7 +1519,7 @@ msgstr "" + msgid "" + "This user will login to a machine only via a terminal or remote login. By " + "default this user will have no setuid, no networking, no su, no sudo." +-msgstr "" ++msgstr "L' utente dovrà accedere ad una macchina solo tramite un terminale o un login remoto . Per impostazione predefinita l'utente non avrà setuid , rete , su, sudo ." + + #: ../gui/polgen.glade:512 + msgid "Minimal X Windows User Role" +@@ -1492,83 +1529,84 @@ msgstr "" + msgid "" + "This user can login to a machine via X or terminal. By default this user " + "will have no setuid, no networking, no sudo, no su" +-msgstr "" ++msgstr "Questo utente può accedere ad una macchina tramite X o terminale . Per impostazione predefinita l'utente non avrà setuid , rete , sudo , su" + + #: ../gui/polgen.glade:529 + msgid "User Role" +-msgstr "" ++msgstr "Regola Utente" + + #: ../gui/polgen.glade:533 + msgid "" + "User with full networking, no setuid applications without transition, no " + "sudo, no su." +-msgstr "" ++msgstr "Utente con rete completa, senza le applicazioni setuid senza transizione , senza sudo , senza su." 
+ + #: ../gui/polgen.glade:546 + msgid "Admin User Role" +-msgstr "" ++msgstr "Regola Utente Admin" + + #: ../gui/polgen.glade:550 + msgid "" + "User with full networking, no setuid applications without transition, no su," + " can sudo to Root Administration Roles" +-msgstr "" ++msgstr "Utente con rete completa, senza applicazioni setuid senza transizione, senza su, con sudo per le Regole di Amministrazione Root" + + #: ../gui/polgen.glade:592 + msgid "Root Users" +-msgstr "" ++msgstr "Utenti Root" + + #: ../gui/polgen.glade:623 + msgid "Root Admin User Role" +-msgstr "" ++msgstr "Regola Root Utente Admin" + + #: ../gui/polgen.glade:627 + msgid "" + "Select Root Administrator User Role, if this user will be used to administer" + " the machine while running as root. This user will not be able to login to " + "the system directly." +-msgstr "" ++msgstr "Seleziona la Regola Root Utente Amministratore, se questo utente sarà utilizzato per amministrare la macchina durante l'esecuzione come root. Questo utente non potrà effettuare il login direttamente con il sistema." + + #: ../gui/polgen.glade:705 msgid "Enter name of application or user role:" - msgstr "" +-msgstr "" ++msgstr "Inserire il nome dell'applicazione o della regola utente:" -#: ../gui/polgen.glade:728 ../gui/polgengui.py:267 +#: ../gui/polgen.glade:728 ../gui/polgengui.py:272 +#: ../sepolicy/sepolicy/sepolicy.glade:279 msgid "Name" - msgstr "" +-msgstr "" ++msgstr "Nome" + #: ../gui/polgen.glade:739 + msgid "Enter complete path for executable to be confined." +-msgstr "" ++msgstr "Inserire il percorso completo per l'eseguibile da confinare." + + #: ../gui/polgen.glade:756 ../gui/polgen.glade:838 ../gui/polgen.glade:2361 + msgid "..." +-msgstr "" ++msgstr "..." + + #: ../gui/polgen.glade:776 + msgid "Enter unique name for the confined application or user role." +-msgstr "" ++msgstr "Inserire un nome univoco per l'applicazione confinata o la regola utente." 
+ + #: ../gui/polgen.glade:794 + msgid "Executable" +-msgstr "" ++msgstr "Eseguibile" + + #: ../gui/polgen.glade:808 + msgid "Init script" +-msgstr "" ++msgstr "Script Init" + + #: ../gui/polgen.glade:821 + msgid "" + "Enter complete path to init script used to start the confined application." +-msgstr "" ++msgstr "Inserire il percorso completo per lo script init utilizzato per avviare l'applicazione confinata." + + #: ../gui/polgen.glade:887 + msgid "Select existing role to modify:" +-msgstr "" ++msgstr "Selezionare una regola esistente da modificare:" + + #: ../gui/polgen.glade:908 + msgid "Select the user roles that will transiton to the %s domain." +-msgstr "" ++msgstr "Selezionare le regole utente che transiteranno verso il dominio %s." + + #: ../gui/polgen.glade:928 + msgid "role tab" @@ -1749,75 +1787,75 @@ msgstr "" msgid "Policy Directory" msgstr "" 
@@ -220815,291 +220931,433 @@ index 94385a0..a2d72cd 100644 -msgid "Interface file" +#: booleans.py:57 +msgid "Determine whether Git system daemon can access nfs file systems." -+msgstr "" -+ + msgstr "" + +-#: ../sepolicy/sepolicy/generate.py:1323 +-msgid "File Contexts file" +#: booleans.py:58 +msgid "Determine whether Gitosis can send mail." -+msgstr "" -+ + msgstr "" + +-#: ../sepolicy/sepolicy/generate.py:1324 +-msgid "Spec file" +#: booleans.py:59 +msgid "Enable reading of urandom for all domains." -+msgstr "" -+ + msgstr "" + +-#: ../sepolicy/sepolicy/generate.py:1325 +-msgid "Setup Script" +#: booleans.py:60 +msgid "" +"Allow glusterfsd to modify public files used for public file transfer " +"services. Files/Directories must be labeled public_content_rw_t." -+msgstr "" -+ + msgstr "" + +-#: booleans.py:1 +-msgid "" +-"Allow ABRT to modify public files used for public file transfer services." +#: booleans.py:61 +msgid "Allow glusterfsd to share any file/directory read only." -+msgstr "" -+ + msgstr "" + +-#: booleans.py:2 +#: booleans.py:62 +msgid "Allow glusterfsd to share any file/directory read/write." +msgstr "" + +#: booleans.py:63 -+msgid "" + msgid "" +-"Allow ABRT to run in abrt_handle_event_t domain to handle ABRT event scripts" +"Allow usage of the gpg-agent --write-env-file option. This also allows gpg-" +"agent to manage user files." -+msgstr "" -+ + msgstr "" + +-#: booleans.py:3 +-msgid "Allow amavis to use JIT compiler" +#: booleans.py:64 +msgid "" +"Allow gpg web domain to modify public files used for public file transfer " +"services." -+msgstr "" -+ + msgstr "" + +-#: booleans.py:4 +-msgid "Allow antivirus programs to read non security files on a system" +#: booleans.py:65 +msgid "Allow gssd to read temp directory. For access to kerberos tgt." 
-+msgstr "" -+ + msgstr "" + +-#: booleans.py:5 +-msgid "Allow auditadm to exec content" +#: booleans.py:66 +msgid "Allow guest to exec content" -+msgstr "" -+ + msgstr "" + +-#: booleans.py:6 +#: booleans.py:67 -+msgid "" + msgid "" +-"Allow users to resolve user passwd entries directly from ldap rather then " +-"using a sssd server" +"Allow Apache to modify public files used for public file transfer services. " +"Directories/Files must be labeled public_content_rw_t." -+msgstr "" -+ + msgstr "" + +-#: booleans.py:7 +-msgid "Allow users to login using a radius server" +#: booleans.py:68 +msgid "Allow httpd to use built in scripting (usually php)" -+msgstr "" -+ + msgstr "" + +-#: booleans.py:8 +-msgid "Allow users to login using a yubikey server" +#: booleans.py:69 +msgid "Allow http daemon to check spam" -+msgstr "" -+ + msgstr "" + +-#: booleans.py:9 +-msgid "Allow awstats to purge Apache logs" +#: booleans.py:70 +msgid "" +"Allow httpd to act as a FTP client connecting to the ftp port and ephemeral " +"ports" -+msgstr "" -+ + msgstr "" + +-#: booleans.py:10 +-msgid "" +-"Allow cdrecord to read various content. nfs, samba, removable devices, user " +-"temp and untrusted content files" +#: booleans.py:71 +msgid "Allow httpd to connect to the ldap port" -+msgstr "" -+ + msgstr "" + +-#: booleans.py:11 +-msgid "Allow clamd to use JIT compiler" +#: booleans.py:72 +msgid "Allow http daemon to connect to mythtv" -+msgstr "" -+ + msgstr "" + +-#: booleans.py:12 +-msgid "Allow clamscan to non security files on a system" +#: booleans.py:73 +msgid "Allow http daemon to connect to zabbix" -+msgstr "" -+ + msgstr "" + +-#: booleans.py:13 +-msgid "Allow clamscan to read user content" +#: booleans.py:74 +msgid "Allow HTTPD scripts and modules to connect to the network using TCP." -+msgstr "" -+ + msgstr "" + +-#: booleans.py:14 +#: booleans.py:75 -+msgid "" + msgid "" +-"Allow Cobbler to modify public files used for public file transfer services." 
+"Allow HTTPD scripts and modules to connect to cobbler over the network." -+msgstr "" -+ + msgstr "" + +-#: booleans.py:15 +-msgid "Allow Cobbler to connect to the network using TCP." +#: booleans.py:76 +msgid "" +"Allow HTTPD scripts and modules to connect to databases over the network." -+msgstr "" -+ + msgstr "" + +-#: booleans.py:16 +-msgid "Allow Cobbler to access cifs file systems." +#: booleans.py:77 +msgid "Allow httpd to connect to memcache server" -+msgstr "" -+ + msgstr "" + +-#: booleans.py:17 +-msgid "Allow Cobbler to access nfs file systems." +#: booleans.py:78 +msgid "Allow httpd to act as a relay" -+msgstr "" -+ + msgstr "" + +-#: booleans.py:18 +-msgid "Allow collectd to connect to the network using TCP." +#: booleans.py:79 +msgid "Allow http daemon to send mail" -+msgstr "" -+ + msgstr "" + +-#: booleans.py:19 +-msgid "Allow codnor domain to connect to the network using TCP." +#: booleans.py:80 +msgid "Allow Apache to communicate with avahi service via dbus" -+msgstr "" -+ + msgstr "" + +-#: booleans.py:20 +-msgid "" +-"Allow system cron jobs to relabel filesystem for restoring file contexts." +#: booleans.py:81 +msgid "Allow httpd cgi support" -+msgstr "" -+ + msgstr "" + +-#: booleans.py:21 +-msgid "Allow cvs daemon to read shadow" +#: booleans.py:82 +msgid "Allow httpd to act as a FTP server by listening on the ftp port." -+msgstr "" -+ + msgstr "" + +-#: booleans.py:22 +-msgid "Allow all daemons to write corefiles to /" +#: booleans.py:83 +msgid "Allow httpd to read home directories" -+msgstr "" -+ + msgstr "" + +-#: booleans.py:23 +-msgid "Allow all daemons to use tcp wrappers." 
+#: booleans.py:84 +msgid "Allow httpd scripts and modules execmem/execstack" -+msgstr "" -+ + msgstr "" + +-#: booleans.py:24 +-msgid "Allow all daemons the ability to read/write terminals" +#: booleans.py:85 +msgid "Allow HTTPD to connect to port 80 for graceful shutdown" -+msgstr "" -+ + msgstr "" + +-#: booleans.py:25 +-msgid "Allow dan to manage user files" +#: booleans.py:86 +msgid "Allow httpd processes to manage IPA content" -+msgstr "" -+ + msgstr "" + +-#: booleans.py:26 +-msgid "Allow dan to read user files" +#: booleans.py:87 +msgid "Allow Apache to use mod_auth_ntlm_winbind" -+msgstr "" -+ + msgstr "" + +-#: booleans.py:27 +-msgid "Allow dbadm to manage files in users home directories" +#: booleans.py:88 +msgid "Allow Apache to use mod_auth_pam" -+msgstr "" -+ + msgstr "" + +-#: booleans.py:28 +-msgid "Allow dbadm to read files in users home directories" +#: booleans.py:89 +msgid "Allow httpd to read user content" -+msgstr "" -+ + msgstr "" + +-#: booleans.py:29 +-msgid "" +-"Deny user domains applications to map a memory region as both executable and" +-" writable, this is dangerous and the executable should be reported in " +-"bugzilla" +#: booleans.py:90 +msgid "Allow Apache to run in stickshift mode, not transition to passenger" -+msgstr "" -+ + msgstr "" + +-#: booleans.py:30 +-msgid "Allow sysadm to debug or ptrace all processes." +#: booleans.py:91 +msgid "Allow HTTPD scripts and modules to server cobbler files." -+msgstr "" -+ + msgstr "" + +-#: booleans.py:31 +-msgid "Allow dhcpc client applications to execute iptables commands" +#: booleans.py:92 +msgid "Allow httpd daemon to change its resource limits" -+msgstr "" -+ + msgstr "" + +-#: booleans.py:32 +-msgid "Allow DHCP daemon to use LDAP backends" +#: booleans.py:93 +msgid "" +"Allow HTTPD to run SSI executables in the same domain as system CGI scripts." 
-+msgstr "" -+ + msgstr "" + +-#: booleans.py:33 +-msgid "Allow all domains to use other domains file descriptors" +#: booleans.py:94 +msgid "" +"Allow apache scripts to write to public content, directories/files must be " +"labeled public_rw_content_t." -+msgstr "" -+ + msgstr "" + +-#: booleans.py:34 +-msgid "Allow all domains to have the kernel load modules" +#: booleans.py:95 +msgid "Allow Apache to execute tmp content." -+msgstr "" -+ + msgstr "" + +-#: booleans.py:35 +-msgid "Allow the use of the audio devices as the source for the entropy feeds" +#: booleans.py:96 +msgid "" +"Unify HTTPD to communicate with the terminal. Needed for entering the " +"passphrase for certificates at the terminal." -+msgstr "" -+ + msgstr "" + +-#: booleans.py:36 +-msgid "Allow exim to connect to databases (postgres, mysql)" +#: booleans.py:97 +msgid "Unify HTTPD handling of all content files." -+msgstr "" -+ + msgstr "" + +-#: booleans.py:37 +-msgid "Allow exim to create, read, write, and delete unprivileged user files." +#: booleans.py:98 +msgid "Allow httpd to access cifs file systems" -+msgstr "" -+ + msgstr "" + +-#: booleans.py:38 +-msgid "Allow exim to read unprivileged user files." +#: booleans.py:99 +msgid "Allow httpd to access FUSE file systems" -+msgstr "" -+ + msgstr "" + +-#: booleans.py:39 +-msgid "Enable extra rules in the cron domain to support fcron." +#: booleans.py:100 +msgid "Allow httpd to run gpg" -+msgstr "" -+ + msgstr "" + +-#: booleans.py:40 +-msgid "Allow fenced domain to connect to the network using TCP." +#: booleans.py:101 +msgid "Allow httpd to access nfs file systems" -+msgstr "" -+ + msgstr "" + +-#: booleans.py:41 +-msgid "Allow fenced domain to execute ssh." 
+#: booleans.py:102 +msgid "Allow httpd to access openstack ports" -+msgstr "" -+ + msgstr "" + +-#: booleans.py:42 +-msgid "Allow all domains to execute in fips_mode" +#: booleans.py:103 +msgid "Allow httpd to connect to sasl" -+msgstr "" -+ + msgstr "" + +-#: booleans.py:43 +-msgid "Allow ftp to read and write files in the user home directories" +#: booleans.py:104 +msgid "Allow Apache to query NS records" -+msgstr "" -+ + msgstr "" + +-#: booleans.py:44 +#: booleans.py:105 +msgid "Determine whether icecast can listen on and connect to any TCP port." +msgstr "" + +#: booleans.py:106 -+msgid "" + msgid "" +-"Allow ftp servers to upload files, used for public file transfer services. " +-"Directories must be labeled public_content_rw_t." +"Determine whether irc clients can listen on and connect to any unreserved " +"TCP ports." -+msgstr "" -+ + msgstr "" + +-#: booleans.py:45 +-msgid "Allow ftp servers to connect to all ports > 1023" +#: booleans.py:107 +msgid "" +"Allow the Irssi IRC Client to connect to any port, and to bind to any " +"unreserved port." -+msgstr "" -+ + msgstr "" + +-#: booleans.py:46 +-msgid "Allow ftp servers to connect to mysql database ports" +#: booleans.py:108 +msgid "Allow confined applications to run with kerberos." -+msgstr "" -+ + msgstr "" + +-#: booleans.py:47 +-msgid "" +-"Allow ftp servers to login to local users and read/write all files on the " +-"system, governed by DAC." +#: booleans.py:109 +msgid "Allow ksmtuned to use cifs/Samba file systems" -+msgstr "" -+ + msgstr "" + +-#: booleans.py:48 +-msgid "Allow ftp servers to use cifs used for public file transfer services." +#: booleans.py:110 +msgid "Allow ksmtuned to use nfs file systems" -+msgstr "" -+ + msgstr "" + +-#: booleans.py:49 +-msgid "Allow ftp servers to use nfs used for public file transfer services." 
+#: booleans.py:111 +msgid "Allow syslogd daemon to send mail" -+msgstr "" -+ + msgstr "" + +-#: booleans.py:50 +-msgid "Allow ftp servers to use bind to all unreserved ports for passive mode" +#: booleans.py:112 +msgid "Allow syslogd the ability to read/write terminals" -+msgstr "" -+ + msgstr "" + +-#: booleans.py:51 +-msgid "Determine whether Git CGI can search home directories." +#: booleans.py:113 +msgid "Allow logging in and using the system from /dev/console." -+msgstr "" -+ + msgstr "" + +-#: booleans.py:52 +-msgid "Determine whether Git CGI can access cifs file systems." +#: booleans.py:114 +msgid "Allow mailman to access FUSE file systems" -+msgstr "" -+ + msgstr "" + +-#: booleans.py:53 +-msgid "Determine whether Git CGI can access nfs file systems." +#: booleans.py:115 +msgid "Determine whether mcelog supports client mode." -+msgstr "" -+ + msgstr "" + +-#: booleans.py:54 +-msgid "" +-"Determine whether Git session daemon can bind TCP sockets to all unreserved " +-"ports." +#: booleans.py:116 +msgid "Determine whether mcelog can execute scripts." -+msgstr "" -+ + msgstr "" + +-#: booleans.py:55 +-msgid "" +-"Determine whether calling user domains can execute Git daemon in the " +-"git_session_t domain." +#: booleans.py:117 +msgid "Determine whether mcelog can use all the user ttys." -+msgstr "" -+ + msgstr "" + +-#: booleans.py:56 +-msgid "Determine whether Git system daemon can search home directories." +#: booleans.py:118 +msgid "Determine whether mcelog supports server mode." -+msgstr "" -+ + msgstr "" + +-#: booleans.py:57 +-msgid "Determine whether Git system daemon can access cifs file systems." +#: booleans.py:119 +msgid "" +"Control the ability to mmap a low area of the address space, as configured " +"by /proc/sys/kernel/mmap_min_addr." -+msgstr "" -+ + msgstr "" + +-#: booleans.py:58 +-msgid "Determine whether Git system daemon can access nfs file systems." +#: booleans.py:120 +msgid "Allow mock to read files in home directories." 
-+msgstr "" -+ + msgstr "" + +-#: booleans.py:59 +-msgid "Allow gitisis daemon to send mail" +#: booleans.py:121 +msgid "Allow the mount commands to mount any directory or file." -+msgstr "" -+ + msgstr "" + +-#: booleans.py:60 +-msgid "Enable reading of urandom for all domains." +#: booleans.py:122 +msgid "Allow mozilla plugin domain to connect to the network using TCP." -+msgstr "" -+ + msgstr "" + +-#: booleans.py:61 +#: booleans.py:123 +msgid "Allow mozilla plugin to support GPS." +msgstr "" @@ -221137,11 +221395,14 @@ index 94385a0..a2d72cd 100644 +msgstr "" + +#: booleans.py:132 -+msgid "" + msgid "" +-"Allow usage of the gpg-agent --write-env-file option. This also allows gpg-" +-"agent to manage user files." +"Determine whether Bind can write to master zone files. Generally this is " +"used for dynamic DNS or zone transfers." -+msgstr "" -+ + msgstr "" + +-#: booleans.py:62 +#: booleans.py:133 +msgid "Allow any files/directories to be exported read/only via NFS." +msgstr "" @@ -221151,15 +221412,21 @@ index 94385a0..a2d72cd 100644 +msgstr "" + +#: booleans.py:135 -+msgid "" + msgid "" +-"Allow gpg web domain to modify public files used for public file transfer " +-"services." +"Allow nfs servers to modify public files used for public file transfer " +"services. Files/Directories must be labeled public_content_rw_t." -+msgstr "" -+ + msgstr "" + +-#: booleans.py:63 +-msgid "Allow gssd to read temp directory. For access to kerberos tgt." +#: booleans.py:136 +msgid "Allow system to run with NIS" -+msgstr "" -+ + msgstr "" + +-#: booleans.py:64 +-msgid "Allow guest to exec content" +#: booleans.py:137 +msgid "Allow confined applications to use nscd shared memory." +msgstr "" 
@@ -221307,460 +221574,310 @@ index 94385a0..a2d72cd 100644 + +#: booleans.py:172 +msgid "Allow sanlock to read/write fuse files" - msgstr "" - --#: ../sepolicy/sepolicy/generate.py:1323 --msgid "File Contexts file" ++msgstr "" ++ +#: booleans.py:173 +msgid "Allow sanlock to manage nfs files" - msgstr "" - --#: ../sepolicy/sepolicy/generate.py:1324 --msgid "Spec file" ++msgstr "" ++ +#: booleans.py:174 +msgid "Allow sanlock to manage cifs files" - msgstr "" - --#: ../sepolicy/sepolicy/generate.py:1325 --msgid "Setup Script" ++msgstr "" ++ +#: booleans.py:175 +msgid "Allow sasl to read shadow" - msgstr "" - --#: booleans.py:1 --msgid "" --"Allow ABRT to modify public files used for public file transfer services." ++msgstr "" ++ +#: booleans.py:176 +msgid "Allow secadm to exec content" - msgstr "" - --#: booleans.py:2 ++msgstr "" ++ +#: booleans.py:177 - msgid "" --"Allow ABRT to run in abrt_handle_event_t domain to handle ABRT event scripts" ++msgid "" +"disallow programs, such as newrole, from transitioning to administrative " +"user domains." - msgstr "" - --#: booleans.py:3 --msgid "Allow amavis to use JIT compiler" ++msgstr "" ++ +#: booleans.py:178 +msgid "Disable kernel module loading." - msgstr "" - --#: booleans.py:4 --msgid "Allow antivirus programs to read non security files on a system" ++msgstr "" ++ +#: booleans.py:179 +msgid "" +"Boolean to determine whether the system permits loading policy, setting " +"enforcing mode, and changing boolean values. Set this to true and you have " +"to reboot to set it back." - msgstr "" - --#: booleans.py:5 --msgid "Allow auditadm to exec content" ++msgstr "" ++ +#: booleans.py:180 +msgid "Allow regular users direct dri device access" - msgstr "" - --#: booleans.py:6 ++msgstr "" ++ +#: booleans.py:181 - msgid "" --"Allow users to resolve user passwd entries directly from ldap rather then " --"using a sssd server" ++msgid "" +"Allow unconfined executables to make their heap memory executable. 
Doing " +"this is a really bad idea. Probably indicates a badly coded executable, but " +"could indicate an attack. This executable should be reported in bugzilla" - msgstr "" - --#: booleans.py:7 --msgid "Allow users to login using a radius server" ++msgstr "" ++ +#: booleans.py:182 +msgid "" +"Allow all unconfined executables to use libraries requiring text relocation " +"that are not labeled textrel_shlib_t" - msgstr "" - --#: booleans.py:8 --msgid "Allow users to login using a yubikey server" ++msgstr "" ++ +#: booleans.py:183 +msgid "" +"Allow unconfined executables to make their stack executable. This should " +"never, ever be necessary. Probably indicates a badly coded executable, but " +"could indicate an attack. This executable should be reported in bugzilla" - msgstr "" - --#: booleans.py:9 --msgid "Allow awstats to purge Apache logs" ++msgstr "" ++ +#: booleans.py:184 +msgid "Allow users to connect to the local mysql server" - msgstr "" - --#: booleans.py:10 ++msgstr "" ++ +#: booleans.py:185 - msgid "" --"Allow cdrecord to read various content. nfs, samba, removable devices, user " --"temp and untrusted content files" ++msgid "" +"Allow confined users the ability to execute the ping and traceroute " +"commands." - msgstr "" - --#: booleans.py:11 --msgid "Allow clamd to use JIT compiler" ++msgstr "" ++ +#: booleans.py:186 +msgid "Allow users to connect to PostgreSQL" - msgstr "" - --#: booleans.py:12 --msgid "Allow clamscan to non security files on a system" ++msgstr "" ++ +#: booleans.py:187 +msgid "" +"Allow user to r/w files on filesystems that do not have extended attributes " +"(FAT, CDROM, FLOPPY)" - msgstr "" - --#: booleans.py:13 --msgid "Allow clamscan to read user content" ++msgstr "" ++ +#: booleans.py:188 +msgid "Allow user music sharing" - msgstr "" - --#: booleans.py:14 ++msgstr "" ++ +#: booleans.py:189 - msgid "" --"Allow Cobbler to modify public files used for public file transfer services." 
--msgstr "" -- --#: booleans.py:15 --msgid "Allow Cobbler to connect to the network using TCP." ++msgid "" +"Allow users to run TCP servers (bind to ports and accept connection from the" +" same domain and outside users) disabling this forces FTP passive mode and " +"may change other protocols." - msgstr "" - --#: booleans.py:16 --msgid "Allow Cobbler to access cifs file systems." ++msgstr "" ++ +#: booleans.py:190 +msgid "Allow user to use ssh chroot environment." - msgstr "" - --#: booleans.py:17 --msgid "Allow Cobbler to access nfs file systems." ++msgstr "" ++ +#: booleans.py:191 +msgid "" +"Determine whether sftpd can modify public files used for public file " +"transfer services. Directories/Files must be labeled public_content_rw_t." - msgstr "" - --#: booleans.py:18 --msgid "Allow collectd to connect to the network using TCP." ++msgstr "" ++ +#: booleans.py:192 +msgid "" +"Determine whether sftpd-can read and write files in user home directories." - msgstr "" - --#: booleans.py:19 --msgid "Allow codnor domain to connect to the network using TCP." ++msgstr "" ++ +#: booleans.py:193 +msgid "" +"Determine whether sftpd-can login to local users and read and write all " +"files on the system, governed by DAC." - msgstr "" - --#: booleans.py:20 ++msgstr "" ++ +#: booleans.py:194 - msgid "" --"Allow system cron jobs to relabel filesystem for restoring file contexts." ++msgid "" +"Determine whether sftpd can read and write files in user ssh home " +"directories." - msgstr "" - --#: booleans.py:21 --msgid "Allow cvs daemon to read shadow" ++msgstr "" ++ +#: booleans.py:195 +msgid "Allow sge to connect to the network using any TCP port" - msgstr "" - --#: booleans.py:22 --msgid "Allow all daemons to write corefiles to /" ++msgstr "" ++ +#: booleans.py:196 +msgid "Allow sge to access nfs file systems." - msgstr "" - --#: booleans.py:23 --msgid "Allow all daemons to use tcp wrappers." 
++msgstr "" ++ +#: booleans.py:197 +msgid "Determine whether smartmon can support devices on 3ware controllers." - msgstr "" - --#: booleans.py:24 --msgid "Allow all daemons the ability to read/write terminals" ++msgstr "" ++ +#: booleans.py:198 +msgid "" +"Allow samba to modify public files used for public file transfer services. " +"Files/Directories must be labeled public_content_rw_t." - msgstr "" - --#: booleans.py:25 --msgid "Allow dan to manage user files" ++msgstr "" ++ +#: booleans.py:199 +msgid "Allow user spamassassin clients to use the network." - msgstr "" - --#: booleans.py:26 --msgid "Allow dan to read user files" ++msgstr "" ++ +#: booleans.py:200 +msgid "Allow spamd to read/write user home directories." - msgstr "" - --#: booleans.py:27 --msgid "Allow dbadm to manage files in users home directories" ++msgstr "" ++ +#: booleans.py:201 +msgid "Determine whether squid can connect to all TCP ports." - msgstr "" - --#: booleans.py:28 --msgid "Allow dbadm to read files in users home directories" ++msgstr "" ++ +#: booleans.py:202 +msgid "Determine whether squid can run as a transparent proxy." - msgstr "" - --#: booleans.py:29 ++msgstr "" ++ +#: booleans.py:203 - msgid "" --"Deny user domains applications to map a memory region as both executable and" --" writable, this is dangerous and the executable should be reported in " --"bugzilla" ++msgid "" +"Allow ssh with chroot env to read and write files in the user home " +"directories" - msgstr "" - --#: booleans.py:30 --msgid "Allow sysadm to debug or ptrace all processes." 
++msgstr "" ++ +#: booleans.py:204 +msgid "allow host key based authentication" - msgstr "" - --#: booleans.py:31 --msgid "Allow dhcpc client applications to execute iptables commands" ++msgstr "" ++ +#: booleans.py:205 +msgid "Allow ssh logins as sysadm_r:sysadm_t" - msgstr "" - --#: booleans.py:32 --msgid "Allow DHCP daemon to use LDAP backends" ++msgstr "" ++ +#: booleans.py:206 +msgid "Allow staff to exec content" - msgstr "" - --#: booleans.py:33 --msgid "Allow all domains to use other domains file descriptors" ++msgstr "" ++ +#: booleans.py:207 +msgid "allow staff user to create and transition to svirt domains." - msgstr "" - --#: booleans.py:34 --msgid "Allow all domains to have the kernel load modules" ++msgstr "" ++ +#: booleans.py:208 +msgid "Allow sysadm to exec content" - msgstr "" - --#: booleans.py:35 --msgid "Allow the use of the audio devices as the source for the entropy feeds" ++msgstr "" ++ +#: booleans.py:209 +msgid "" +"Allow the Telepathy connection managers to connect to any network port." - msgstr "" - --#: booleans.py:36 --msgid "Allow exim to connect to databases (postgres, mysql)" ++msgstr "" ++ +#: booleans.py:210 +msgid "" +"Allow the Telepathy connection managers to connect to any generic TCP port." - msgstr "" - --#: booleans.py:37 --msgid "Allow exim to create, read, write, and delete unprivileged user files." ++msgstr "" ++ +#: booleans.py:211 +msgid "Allow testpolicy to exec content" - msgstr "" - --#: booleans.py:38 --msgid "Allow exim to read unprivileged user files." ++msgstr "" ++ +#: booleans.py:212 +msgid "" +"Allow tftp to modify public files used for public file transfer services." - msgstr "" - --#: booleans.py:39 --msgid "Enable extra rules in the cron domain to support fcron." ++msgstr "" ++ +#: booleans.py:213 +msgid "Allow tftp to read and write files in the user home directories" - msgstr "" - --#: booleans.py:40 --msgid "Allow fenced domain to connect to the network using TCP." 
++msgstr "" ++ +#: booleans.py:214 +msgid "Determine whether tor can bind tcp sockets to all unreserved ports." - msgstr "" - --#: booleans.py:41 --msgid "Allow fenced domain to execute ssh." ++msgstr "" ++ +#: booleans.py:215 +msgid "Allow tor to act as a relay" - msgstr "" - --#: booleans.py:42 --msgid "Allow all domains to execute in fips_mode" ++msgstr "" ++ +#: booleans.py:216 +msgid "" +"allow unconfined users to transition to the chrome sandbox domains when " +"running chrome-sandbox" - msgstr "" - --#: booleans.py:43 --msgid "Allow ftp to read and write files in the user home directories" ++msgstr "" ++ +#: booleans.py:217 +msgid "Allow a user to login as an unconfined domain" - msgstr "" - --#: booleans.py:44 ++msgstr "" ++ +#: booleans.py:218 - msgid "" --"Allow ftp servers to upload files, used for public file transfer services. " --"Directories must be labeled public_content_rw_t." ++msgid "" +"Allow unconfined users to transition to the Mozilla plugin domain when " +"running xulrunner plugin-container." - msgstr "" - --#: booleans.py:45 --msgid "Allow ftp servers to connect to all ports > 1023" ++msgstr "" ++ +#: booleans.py:219 +msgid "Allow unprivledged user to create and transition to svirt domains." - msgstr "" - --#: booleans.py:46 --msgid "Allow ftp servers to connect to mysql database ports" ++msgstr "" ++ +#: booleans.py:220 +msgid "Support ecryptfs home directories" - msgstr "" - --#: booleans.py:47 --msgid "" --"Allow ftp servers to login to local users and read/write all files on the " --"system, governed by DAC." ++msgstr "" ++ +#: booleans.py:221 +msgid "Support fusefs home directories" - msgstr "" - --#: booleans.py:48 --msgid "Allow ftp servers to use cifs used for public file transfer services." ++msgstr "" ++ +#: booleans.py:222 +msgid "Determine whether to support lpd server." - msgstr "" - --#: booleans.py:49 --msgid "Allow ftp servers to use nfs used for public file transfer services." 
++msgstr "" ++ +#: booleans.py:223 +msgid "Support NFS home directories" - msgstr "" - --#: booleans.py:50 --msgid "Allow ftp servers to use bind to all unreserved ports for passive mode" ++msgstr "" ++ +#: booleans.py:224 +msgid "Support SAMBA home directories" - msgstr "" - --#: booleans.py:51 --msgid "Determine whether Git CGI can search home directories." ++msgstr "" ++ +#: booleans.py:225 +msgid "Allow user to exec content" - msgstr "" - --#: booleans.py:52 --msgid "Determine whether Git CGI can access cifs file systems." ++msgstr "" ++ +#: booleans.py:226 +msgid "Determine whether varnishd can use the full TCP network." - msgstr "" - --#: booleans.py:53 --msgid "Determine whether Git CGI can access nfs file systems." ++msgstr "" ++ +#: booleans.py:227 +msgid "" +"Determine whether attempts by vbetool to mmap low regions should be silently" +" blocked." - msgstr "" - --#: booleans.py:54 ++msgstr "" ++ +#: booleans.py:228 - msgid "" --"Determine whether Git session daemon can bind TCP sockets to all unreserved " --"ports." ++msgid "" +"Allow confined virtual guests to use serial/parallel communication ports" - msgstr "" - --#: booleans.py:55 ++msgstr "" ++ +#: booleans.py:229 - msgid "" --"Determine whether calling user domains can execute Git daemon in the " --"git_session_t domain." ++msgid "" +"Allow confined virtual guests to use executable memory and executable stack" - msgstr "" - --#: booleans.py:56 --msgid "Determine whether Git system daemon can search home directories." ++msgstr "" ++ +#: booleans.py:230 +msgid "Allow confined virtual guests to read fuse files" - msgstr "" - --#: booleans.py:57 --msgid "Determine whether Git system daemon can access cifs file systems." ++msgstr "" ++ +#: booleans.py:231 +msgid "Allow confined virtual guests to manage nfs files" - msgstr "" - --#: booleans.py:58 --msgid "Determine whether Git system daemon can access nfs file systems." 
++msgstr "" ++ +#: booleans.py:232 +msgid "Allow confined virtual guests to interact with rawip sockets" - msgstr "" - --#: booleans.py:59 --msgid "Allow gitisis daemon to send mail" ++msgstr "" ++ +#: booleans.py:233 +msgid "Allow confined virtual guests to manage cifs files" - msgstr "" - --#: booleans.py:60 --msgid "Enable reading of urandom for all domains." ++msgstr "" ++ +#: booleans.py:234 +msgid "Allow confined virtual guests to interact with the sanlock" - msgstr "" - --#: booleans.py:61 --msgid "" --"Allow usage of the gpg-agent --write-env-file option. This also allows gpg-" --"agent to manage user files." ++msgstr "" ++ +#: booleans.py:235 +msgid "Allow confined virtual guests to use usb devices" - msgstr "" - --#: booleans.py:62 --msgid "" --"Allow gpg web domain to modify public files used for public file transfer " --"services." ++msgstr "" ++ +#: booleans.py:236 +msgid "Allow confined virtual guests to interact with the xserver" - msgstr "" - --#: booleans.py:63 --msgid "Allow gssd to read temp directory. For access to kerberos tgt." ++msgstr "" ++ +#: booleans.py:237 +msgid "Determine whether webadm can manage generic user files." - msgstr "" - --#: booleans.py:64 --msgid "Allow guest to exec content" ++msgstr "" ++ +#: booleans.py:238 +msgid "Determine whether webadm can read generic user files." msgstr "" @@ -510410,7 +510527,7 @@ index 7c6d75a..d095a25 100644 .TP \fB\-d\fR diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles -index 6901e4d..8899c02 100755 +index 6901e4d..2dee8d8 100755 --- a/policycoreutils/scripts/fixfiles +++ b/policycoreutils/scripts/fixfiles @@ -3,7 +3,7 @@ 
@@ -510482,7 +510599,7 @@ index 6901e4d..8899c02 100755 + [[ ! "${i}" =~ ^/.* ]] && continue + [[ ! -d "${i}" ]] && continue + exclude_from_relabelling="$exclude_from_relabelling -e $i" -+ logit "skipping the directory $i from relabelling" ++ logit "skipping the directory $i" + done < /etc/selinux/fixfiles_exclude_dirs fi echo "$exclude_from_relabelling" @@ -510589,7 +510706,27 @@ index 6901e4d..8899c02 100755 if [ ! -z "$PREFC" ]; then diff_filecontext $* exit $? -@@ -241,8 +244,8 @@ then +@@ -222,41 +225,45 @@ if [ ! -z "$BOOTTIME" ]; then + newer $BOOTTIME + exit $? + fi +-if [ ! -z "$RPMFILES" ]; then +- for i in `echo "$RPMFILES" | sed 's/,/ /g'`; do +- rpmlist $i | ${RESTORECON} ${FORCEFLAG} ${VERBOSE} $* -R -i -f - 2>&1 | cat >> $LOGFILE +- done +- exit $? +-fi +-if [ ! -z "$FILEPATH" ]; then +- ${RESTORECON} ${FORCEFLAG} ${VERBOSE} -R $* $FILEPATH 2>&1 | cat >> $LOGFILE +- return +-fi + [ -x /usr/sbin/genhomedircon ] && /usr/sbin/genhomedircon + LogReadOnly + # +-exclude_dirs="`exclude_dirs_from_relabelling`" ++exclude_dirs="`exclude_dirs_from_relabelling $OPTION`" + if [ -n "${exclude_dirs}" ] + then TEMPFCFILE=`mktemp ${FC}.XXXXXXXXXX` test -z "$TEMPFCFILE" && exit /bin/cp -p ${FC} ${TEMPFCFILE} &>/dev/null || exit 
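Review bot: `exclude_dirs="`exclude_dirs_from_relabelling $OPTION`"` now passes an argument, but the part of the function visible in the hunk above only reads /etc/selinux/fixfiles_exclude_dirs and never references `$1`, and neither the rest of the function nor the place where `$OPTION` is assigned is inside this patch. A one-line comment at the call site saying what the argument changes about the exclusion list (presumably the restore mode, given the `restore Relabel` / `Check` / `Verify` dispatch further down) would save the next reader a search, e.g. `# pass the restore mode so the exclusion list can differ per mode`. The enclosing restore function starts before this hunk.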
@@ -510600,9 +510737,22 @@ index 6901e4d..8899c02 100755 do p="${p%/}" p1="${p}(/.*)? -- <>" -@@ -252,11 +255,15 @@ then + echo "${p1}" >> $TEMPFCFILE +- logit "skipping the directory ${p} from relabelling" ++ logit "skipping the directory ${p}" + done FC=$TEMPFCFILE fi ++if [ ! -z "$RPMFILES" ]; then ++ for i in `echo "$RPMFILES" | sed 's/,/ /g'`; do ++ rpmlist $i | ${RESTORECON} $exclude_dirs ${FORCEFLAG} ${VERBOSE} $* -R -i -f - 2>&1 | cat >> $LOGFILE ++ done ++ exit $? ++fi ++if [ ! -z "$FILEPATH" ]; then ++ ${RESTORECON} $exclude_dirs ${FORCEFLAG} ${VERBOSE} -R $* $FILEPATH 2>&1 | cat >> $LOGFILE ++ return ++fi if [ -n "${FILESYSTEMSRW}" ]; then - echo "Relabeling `echo ${FILESYSTEMSRW}`" - ${SETFILES} ${VERBOSE} -q ${FORCEFLAG} $* ${FC} ${FILESYSTEMSRW} 2>&1 | cat >> $LOGFILE @@ -510618,16 +510768,17 @@ index 6901e4d..8899c02 100755 rm -rf /tmp/gconfd-* /tmp/pulse-* /tmp/orbit-* $TEMPFCFILE UNDEFINED=`get_undefined_type` || exit $? -@@ -265,7 +272,7 @@ find /tmp \( -context "*:${UNLABELED}*" -o -context "*:${UNDEFINED}*" \) \( -typ +@@ -265,20 +272,20 @@ find /tmp \( -context "*:${UNLABELED}*" -o -context "*:${UNDEFINED}*" \) \( -typ find /tmp \( -context "*:${UNLABELED}*" -o -context "*:${UNDEFINED}*" \) -exec chcon --reference /tmp {} \; find /var/tmp \( -context "*:${UNLABELED}*" -o -context "*:${UNDEFINED}*" \) -exec chcon --reference /var/tmp {} \; find /var/run \( -context "*:${UNLABELED}*" -o -context "*:${UNDEFINED}*" \) -exec chcon --reference /var/run {} \; -[ -e /var/lib/debug ] && find /var/lib/debug \( -context "*:${UNLABELED}*" -o -context "*:${UNDEFINED}*" \) -exec chcon --reference /lib {} \; +-exit $? +[ ! -e /var/lib/debug ] || find /var/lib/debug \( -context "*:${UNLABELED}*" -o -context "*:${UNDEFINED}*" \) -exec chcon --reference /lib {} \; - exit $? ++exit 0 } -@@ -273,12 +280,12 @@ fullrelabel() { + fullrelabel() { logit "Cleaning out /tmp" find /tmp/ -mindepth 1 -delete LogReadOnly 
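Review bot: The relocated RPMFILES and FILEPATH branches now run after `TEMPFCFILE` has been created, and their `exit $?` / `return` leave the function before the `rm -rf ... $TEMPFCFILE` further down, so every `-R` or path-restricted run with exclude directories configured leaves a patched copy of ${FC} behind next to the real file_contexts. Both branches also still pipe through `cat >> $LOGFILE`, so the status they propagate is cat's rather than restorecon's, which works against the commit's stated goal of exiting with the correct status. Capturing restorecon's status, removing the temp file, and then returning that status fixes both; the rewritten branches are below. `$exclude_dirs` is also expanded unquoted, so a directory from fixfiles_exclude_dirs containing whitespace would be split into separate arguments (a limitation that predates this commit, since the function builds a flat string). The enclosing function begins before this hunk.
```shell
# … unchanged: exclude_dirs / TEMPFCFILE setup …
if [ ! -z "$RPMFILES" ]; then
    rc=0
    for i in `echo "$RPMFILES" | sed 's/,/ /g'`; do
        rpmlist $i | ${RESTORECON} $exclude_dirs ${FORCEFLAG} ${VERBOSE} $* -R -i -f - >> $LOGFILE 2>&1 || rc=$?
    done
    [ -n "$TEMPFCFILE" ] && rm -f "$TEMPFCFILE"
    exit $rc
fi
if [ ! -z "$FILEPATH" ]; then
    ${RESTORECON} $exclude_dirs ${FORCEFLAG} ${VERBOSE} -R $* $FILEPATH >> $LOGFILE 2>&1
    rc=$?
    [ -n "$TEMPFCFILE" ] && rm -f "$TEMPFCFILE"
    return $rc
fi
# … unchanged: FILESYSTEMSRW relabel …
```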
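Review bot: Replacing `exit $?` with `exit 0` at the end of restore makes the function report success unconditionally, so a setfiles or restorecon failure earlier in the function can no longer reach the caller. The previous `$?` was only the status of the last `find ... -exec chcon` line and so was not meaningful either, but the relabel commands (the removed setfiles line in the preceding hunk; their replacement sits between the two hunks and is not shown) send their output through `cat >> $LOGFILE`, which discards their status at the pipe as well. Recording the relabel step's status in a variable right after it runs and finishing with `exit ${rc:-0}` would give callers a real result. The start of restore is outside this hunk.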
@@ -510672,7 +510823,7 @@ index 6901e4d..8899c02 100755 - check) restore -n -v;; - verify) restore -n -o -;; + restore) restore Relabel;; -+ check) restore Check -n -v;; ++ check) VERBOSE="-v"; restore Check -n;; + verify) restore Verify -n -o -;; relabel) relabel;; onboot) @@ -510722,7 +510873,15 @@ index 6901e4d..8899c02 100755 PREFC=$OPTARG ;; F) -@@ -397,11 +403,11 @@ else +@@ -371,7 +377,6 @@ while getopts "N:BC:FfR:l:v" i; do + exit 1 + esac + done +- + # Move out processed options from arguments + shift $(( OPTIND - 1 )) + +@@ -397,11 +402,11 @@ else if [ -z "$1" ]; then process $command else @@ -511039,7 +511198,7 @@ index 0000000..e2befdb + packages=["policycoreutils"], +) diff --git a/policycoreutils/semanage/semanage b/policycoreutils/semanage/semanage -index 6e33c85..e4ecada 100644 +index 6e33c85..1be8937 100644 --- a/policycoreutils/semanage/semanage +++ b/policycoreutils/semanage/semanage @@ -1,5 +1,7 @@ @@ -511051,20 +511210,20 @@ index 6e33c85..e4ecada 100644 # see file 'COPYING' for use and warranty information # # semanage is a tool for managing SELinux configuration files -@@ -19,564 +21,821 @@ +@@ -19,564 +21,820 @@ # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA # 02111-1307 USA # -# -import sys, getopt, re +-import seobject +-import selinux +-PROGNAME="policycoreutils" +# -+ + +import policycoreutils.default_encoding_utf8 +import argparse - import seobject - import selinux --PROGNAME="policycoreutils" -- ++import seobject +import sys import gettext -gettext.bindtextdomain(PROGNAME, "/usr/share/locale") diff --git a/policycoreutils.spec b/policycoreutils.spec index a5263bf..2484322 100644 --- a/policycoreutils.spec +++ b/policycoreutils.spec @@ -7,7 +7,7 @@ Summary: SELinux policy core utilities Name: policycoreutils Version: 2.1.14 -Release: 84%{?dist} +Release: 85%{?dist} License: GPLv2 Group: System Environment/Base # Based on git repository with tag 20101221 
@@ -344,6 +344,14 @@ The policycoreutils-restorecond package contains the restorecond service. %systemd_postun_with_restart restorecond.service %changelog +* Fro Oct 4 2013 Dan Walsh - 2.1.14-85 +- Fixes for fixfiles + * exclude_from_dirs should apply to all types of restorecon calls + * fixfiles check now works + * exit with the correct status + +- semanage no longer import selinux + * Wed Oct 2 2013 Dan Walsh - 2.1.14-84 - Fixes for sepolicy gui - Fix setsebool to return 0 on success