From fefce8f581c34721269c126432fc3f0b7715b5b8 Mon Sep 17 00:00:00 2001 From: Dan Walsh Date: Fri, 1 Mar 2013 14:18:15 -0500 Subject: [PATCH] Fix sepoicy interface to work properly --- policycoreutils-rhat.patch | 317 ++++++++++++++++++++++++++++++++++--- policycoreutils.spec | 5 +- 2 files changed, 302 insertions(+), 20 deletions(-) diff --git a/policycoreutils-rhat.patch b/policycoreutils-rhat.patch index 019d3a7..7507c35 100644 --- a/policycoreutils-rhat.patch +++ b/policycoreutils-rhat.patch @@ -1464,10 +1464,164 @@ index 201a988..f5d6e9d 100644 clean: diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles -index 6901e4d..337d652 100755 +index 6901e4d..5acb111 100755 --- a/policycoreutils/scripts/fixfiles 
+++ b/policycoreutils/scripts/fixfiles -@@ -241,8 +241,8 @@ then +@@ -3,7 +3,7 @@ + # + # Script to restore labels on a SELinux box + # +-# Copyright (C) 2004-2011 Red Hat, Inc. ++# Copyright (C) 2004-2013 Red Hat, Inc. + # Authors: Dan Walsh + # + # This program is free software; you can redistribute it and/or modify +@@ -26,11 +26,11 @@ + # number if the current is less than 2.6.30 and 0 if they are the same. + # + function useseclabel { +- VER=`uname -r` +- SUP=2.6.30 +- expr '(' "$VER" : '\([^.]*\)' ')' '-' '(' "$SUP" : '\([^.]*\)' ')' '|' \ +- '(' "$VER.0" : '[^.]*[.]\([^.]*\)' ')' '-' '(' "$SUP.0" : '[^.]*[.]\([^.]*\)' ')' '|' \ +- '(' "$VER.0.0" : '[^.]*[.][^.]*[.]\([^.]*\)' ')' '-' '(' "$SUP.0.0" : '[^.]*[.][^.]*[.]\([^.]*\)' ')' ++ VER=`uname -r` ++ SUP=2.6.30 ++ expr '(' "$VER" : '\([^.]*\)' ')' '-' '(' "$SUP" : '\([^.]*\)' ')' '|' \ ++ '(' "$VER.0" : '[^.]*[.]\([^.]*\)' ')' '-' '(' "$SUP.0" : '[^.]*[.]\([^.]*\)' ')' '|' \ ++ '(' "$VER.0.0" : '[^.]*[.][^.]*[.]\([^.]*\)' ')' '-' '(' "$SUP.0.0" : '[^.]*[.][^.]*[.]\([^.]*\)' ')' + } + + # +@@ -65,7 +65,7 @@ done + } + + # +-# Get the default label returned from the kernel for a file with a lable the ++# Get the default label returned from the kernel for a file with a lable the + # kernel does not understand + # + get_undefined_type() { +@@ -78,25 +78,25 @@ get_undefined_type() { + # + get_unlabeled_type() { + SELINUXMNT=`grep selinuxfs /proc/self/mountinfo | head -1 | awk '{ print $5 }'` +- cat $SELINUXMNT/initial_contexts/file | secon -t ++ cat $SELINUXMNT/initial_contexts/file | secon -t + } + + exclude_dirs_from_relabelling() { + exclude_from_relabelling= + if [ -e /etc/selinux/fixfiles_exclude_dirs ] + then +- while read i +- do +- # skip blank line and comment +- # skip not absolute path +- # skip not directory +- [ -z "${i}" ] && continue +- [[ "${i}" =~ "^[[:blank:]]*#" ]] && continue +- [[ ! "${i}" =~ ^/.* ]] && continue +- [[ ! 
-d "${i}" ]] && continue +- exclude_from_relabelling="$exclude_from_relabelling -e $i" +- logit "skipping the directory $i from relabelling" +- done < /etc/selinux/fixfiles_exclude_dirs ++ while read i ++ do ++ # skip blank line and comment ++ # skip not absolute path ++ # skip not directory ++ [ -z "${i}" ] && continue ++ [[ "${i}" =~ "^[[:blank:]]*#" ]] && continue ++ [[ ! "${i}" =~ ^/.* ]] && continue ++ [[ ! -d "${i}" ]] && continue ++ exclude_from_relabelling="$exclude_from_relabelling -e $i" ++ logit "skipping the directory $i from relabelling" ++ done < /etc/selinux/fixfiles_exclude_dirs + fi + echo "$exclude_from_relabelling" + } +@@ -104,7 +104,7 @@ exclude_dirs_from_relabelling() { + exclude_dirs() { + exclude= + for i in /sys /proc /dev /run /mnt /var/tmp /var/lib/BackupPC /home /tmp /dev; do +- [ -e $i ] && exclude="$exclude -e $i"; ++ [ -e $i ] && exclude="$exclude -e $i"; + done + exclude="$exclude `exclude_dirs_from_relabelling`" + echo "$exclude" +@@ -133,7 +133,7 @@ FILESYSTEMS="$FILESYSTEMSRW $FILESYSTEMSRO" + SELINUXTYPE="targeted" + if [ -e /etc/selinux/config ]; then + . /etc/selinux/config +- FC=/etc/selinux/${SELINUXTYPE}/contexts/files/file_contexts ++ FC=/etc/selinux/${SELINUXTYPE}/contexts/files/file_contexts + else + FC=/etc/security/selinux/file_contexts + fi +@@ -158,7 +158,7 @@ newer() { + } + + # +-# Compare PREVious File Context to currently installed File Context and ++# Compare PREVious File Context to currently installed File Context and + # run restorecon on all files affected by the differences. 
+ # + diff_filecontext() { +@@ -172,30 +172,31 @@ if [ -f ${PREFC} -a -x /usr/bin/diff ]; then + grep '^[<>]'|cut -c3-| grep ^/ | \ + egrep -v '(^/home|^/root|^/tmp|^/dev)' |\ + sed -r -e 's,[[:blank:]].*,,g' \ +- -e 's|\(([/[:alnum:]]+)\)\?|{\1,}|g' \ ++ -e 's|\(([/[:alnum:]]+)\)\?|{\1,}|g' \ + -e 's|([/[:alnum:]])\?|{\1,}|g' \ +- -e 's|\?.*|*|g' \ ++ -e 's|\?.*|*|g' \ ++ -e 's|\{.*|*|g' \ + -e 's|\(.*|*|g' \ + -e 's|\[.*|*|g' \ +- -e 's|\.\*.*|*|g' \ +- -e 's|\.\+.*|*|g' | \ ++ -e 's|\.\*.*|*|g' \ ++ -e 's|\.\+.*|*|g' | \ + # These two sorts need to be separate commands \ + sort -u | \ + sort -d | \ +- while read pattern ; \ ++ while read pattern ; \ + do if ! echo "$pattern" | grep -q -f ${TEMPFILE} 2>/dev/null; then \ +- echo "$pattern"; \ +- case "$pattern" in *"*") \ +- echo "$pattern" | sed -e 's,^,^,' -e 's,\*$,,g' >> ${TEMPFILE};; +- esac; \ +- fi; \ +- done | \ ++ echo "$pattern"; \ ++ case "$pattern" in *"*") \ ++ echo "$pattern" | sed -e 's,^,^,' -e 's,\*$,,g' >> ${TEMPFILE};; ++ esac; \ ++ fi; \ ++ done | \ + ${RESTORECON} ${VERBOSE} -i -f - -R `exclude_dirs`; \ + rm -f ${TEMPFILE} ${PREFCTEMPFILE} + fi + } + # +-# Log all Read Only file systems ++# Log all Read Only file systems + # + LogReadOnly() { + if [ ! -z "$FILESYSTEMSRO" ]; then +@@ -209,7 +210,7 @@ rpm -q --qf '[%{FILESTATES} %{FILENAMES}\n]' "$1" | grep '^0 ' | cut -f2- -d ' ' + [ ${PIPESTATUS[0]} != 0 ] && echo "$1 not found" >/dev/stderr + } + +-# ++# + # restore + # if called with -n will only check file context + # +@@ -241,8 +242,8 @@ then TEMPFCFILE=`mktemp ${FC}.XXXXXXXXXX` test -z "$TEMPFCFILE" && exit /bin/cp -p ${FC} ${TEMPFCFILE} &>/dev/null || exit @@ -1478,7 +1632,7 @@ index 6901e4d..337d652 100755 do p="${p%/}" p1="${p}(/.*)? -- <>" -@@ -253,7 +253,7 @@ FC=$TEMPFCFILE +@@ -253,7 +254,7 @@ FC=$TEMPFCFILE fi if [ -n "${FILESYSTEMSRW}" ]; then echo "Relabeling `echo ${FILESYSTEMSRW}`" 
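Review bot: The added `-e 's|\{.*|*|g'` in diff_filecontext's sed pipeline runs after the two `{\1,}` substitutions and rewrites everything from the first `{` to the end of the pattern as `*`, so the brace alternations those two expressions build are discarded on the very next step and no longer affect what restorecon is fed; a `(foo)?` group they expanded ends up as `*`, exactly what the later `'s|\(.*|*|g'` rule would have produced on its own. If brace expansion was meant to survive, the new rule has to run before the `{\1,}` expressions so it strips only braces already present in file_contexts; if a trailing `*` is the intended result, the two `{\1,}` expressions can be dropped so the pipeline reads the way it behaves. This is an observation on the inner fixfiles change carried by the patch file; the pipeline order quoted is the one visible in this hunk.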
@@ -1487,6 +1641,76 @@ index 6901e4d..337d652 100755 else echo >&2 "fixfiles: No suitable file systems found" fi +@@ -278,7 +279,7 @@ fullrelabel() { + + relabel() { + if [ ! -z "$RPMFILES" ]; then +- restore ++ restore + fi + + if [ $fullFlag == 1 ]; then +@@ -286,13 +287,13 @@ relabel() { + fi + + echo -n " +- Files in the /tmp directory may be labeled incorrectly, this command +- can remove all files in /tmp. If you choose to remove files from /tmp, ++ Files in the /tmp directory may be labeled incorrectly, this command ++ can remove all files in /tmp. If you choose to remove files from /tmp, + a reboot will be required after completion. +- ++ + Do you wish to clean out the /tmp directory [N]? " + read answer +- if [ "$answer" = y -o "$answer" = Y ]; then ++ if [ "$answer" = y -o "$answer" = Y ]; then + fullrelabel + else + restore +@@ -322,8 +323,8 @@ case "$1" in + esac + } + usage() { +- echo $""" +-Usage: $0 [-F] [-l logfile ] { check | restore| [-f] relabel | verify } [[dir/file] ... ] ++ echo $""" ++Usage: $0 [-F] [-l logfile ] { check | restore| [-f] relabel | verify } [[dir/file] ... ] + or + Usage: $0 [-F] -R rpmpackage[,rpmpackage...] [-l logfile ] { check | restore | verify } + or +@@ -351,13 +352,13 @@ while getopts "N:BC:FfR:l:v" i; do + v) + VERBOSE="-v" + ;; +- R) ++ R) + RPMFILES=$OPTARG + ;; +- l) ++ l) + LOGFILE=$OPTARG + ;; +- C) ++ C) + PREFC=$OPTARG + ;; + F) +@@ -397,11 +398,11 @@ else + if [ -z "$1" ]; then + process $command + else +- while [ -n "$1" ]; do ++ while [ -n "$1" ]; do + FILEPATH=$1 +- process $command ++ process $command + shift +- done ++ done + fi + fi + exit $? diff --git a/policycoreutils/scripts/fixfiles.8 b/policycoreutils/scripts/fixfiles.8 index 9ab7334..f263805 100644 --- a/policycoreutils/scripts/fixfiles.8 @@ -1972,7 +2196,7 @@ index b6abdf5..c05c943 100644 Generate an additional HTML man pages for the specified domain(s). 
diff --git a/policycoreutils/sepolicy/sepolicy.py b/policycoreutils/sepolicy/sepolicy.py -index b25d3b2..600eee2 100755 +index b25d3b2..0ca3fc3 100755 --- a/policycoreutils/sepolicy/sepolicy.py +++ b/policycoreutils/sepolicy/sepolicy.py @@ -22,6 +22,8 @@ @@ -2123,6 +2347,37 @@ index b25d3b2..600eee2 100755 from sepolicy import boolean_desc if args.all: rc, args.booleans = selinux.security_get_boolean_names() +@@ -320,7 +318,7 @@ def gen_transition_args(parser): + trans.set_defaults(func=transition) + + def interface(args): +- from sepolicy.interface import get_admin, get, get_user ++ from sepolicy.interface import get_admin, get_user + if args.list_admin: + for a in get_admin(): + print a +@@ -328,7 +326,7 @@ def interface(args): + for a in get_user(): + print a + if args.list: +- for m in get(): ++ for m in sepolicy.get_methods(): + print m + + def generate(args): +@@ -368,10 +366,10 @@ def gen_interface_args(parser): + help=_('List SELinux Policy interfaces')) + group = itf.add_mutually_exclusive_group(required=True) + group.add_argument("-a", "--list_admin", dest="list_admin",action="store_true", default=False, +- help="List all domains with admin interface") ++ help="List all domains with admin interface - DOMAIN_admin()") + group.add_argument("-u", "--list_user", dest="list_user",action="store_true", + default=False, +- help="List all domains with SELinux user role interface") ++ help="List all domains with SELinux user role interface - DOMAIN_role()") + group.add_argument("-l", "--list", dest="list",action="store_true", + default=False, + help="List all interfaces") @@ -461,7 +459,10 @@ if __name__ == '__main__': gen_transition_args(subparsers) @@ -2136,10 +2391,20 @@ index b25d3b2..600eee2 100755 sys.exit(0) except ValueError,e: diff --git a/policycoreutils/sepolicy/sepolicy/__init__.py b/policycoreutils/sepolicy/sepolicy/__init__.py -index 5e7415c..9f4a774 100644 +index 5e7415c..35c3758 100644 --- a/policycoreutils/sepolicy/sepolicy/__init__.py 
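Review bot: The two help strings rewritten in gen_interface_args stay untranslated while the sibling `help=_('List SELinux Policy interfaces')` visible just above goes through gettext; since the commit is already editing them, `help=_("List all domains with admin interface - DOMAIN_admin()")` and `help=_("List all domains with SELinux user role interface - DOMAIN_role()")` would keep the subparser consistent. In interface(), the switch to `sepolicy.get_methods()` depends on sepolicy.py binding the `sepolicy` name at module level, which is outside this hunk (the visible `from sepolicy import boolean_desc` does not bind it), so that import is worth confirming.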
+++ b/policycoreutils/sepolicy/sepolicy/__init__.py -@@ -37,9 +37,30 @@ CLASS = 'class' +@@ -7,6 +7,9 @@ import _policy + import selinux, glob + PROGNAME="policycoreutils" + import gettext ++import sepolgen.defaults as defaults ++import sepolgen.interfaces as interfaces ++import sys + gettext.bindtextdomain(PROGNAME, "/usr/share/locale") + gettext.textdomain(PROGNAME) + try: +@@ -37,9 +40,30 @@ CLASS = 'class' TRANSITION = 'transition' ROLE_ALLOW = 'role_allow' @@ -2172,7 +2437,7 @@ index 5e7415c..9f4a774 100644 policies = glob.glob ("%s.*" % path ) policies.sort() return policies[-1] -@@ -47,6 +68,25 @@ def __get_installed_policy(): +@@ -47,6 +71,26 @@ def __get_installed_policy(): pass raise ValueError(_("No SELinux Policy installed")) @@ -2192,13 +2457,14 @@ index 5e7415c..9f4a774 100644 + except: + sys.stderr.write("could not open interface info [%s]\n" % fn) + sys.exit(1) -+ ++ ++ methods.sort() + return methods + all_types = None def get_all_types(): global all_types -@@ -54,6 +94,13 @@ def get_all_types(): +@@ -54,6 +98,13 @@ def get_all_types(): all_types = map(lambda x: x['name'], info(TYPE)) return all_types @@ -2212,7 +2478,7 @@ index 5e7415c..9f4a774 100644 role_allows = None def get_all_role_allows(): global role_allows -@@ -71,6 +118,7 @@ def get_all_role_allows(): +@@ -71,6 +122,7 @@ def get_all_role_allows(): return role_allows def get_all_entrypoint_domains(): @@ -2220,7 +2486,7 @@ index 5e7415c..9f4a774 100644 all_domains = [] types=get_all_types() types.sort() -@@ -81,11 +129,35 @@ def get_all_entrypoint_domains(): +@@ -81,11 +133,35 @@ def get_all_entrypoint_domains(): all_domains.append(m[0]) return all_domains @@ -2257,7 +2523,7 @@ index 5e7415c..9f4a774 100644 return all_domains roles = None -@@ -139,49 +211,42 @@ def get_all_attributes(): +@@ -139,49 +215,42 @@ def get_all_attributes(): return all_attributes def policy(policy_file): 
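Review bot: `methods.sort()` is added to get_methods() directly after a bare `except:` that prints to stderr and calls `sys.exit(1)`; now that interface.py and sepolicy.py are both routed through this helper, an unreadable or malformed interface info file terminates the calling process from inside library code rather than surfacing an error the caller can handle, and the bare except also swallows KeyboardInterrupt and SystemExit. The module's own convention a few lines up is `raise ValueError(_("No SELinux Policy installed"))`, and sepolicy.py's entry point already has an `except ValueError,e:` handler, so `raise ValueError(_("could not open interface info [%s]") % fn)` from a narrowed `except (IOError, OSError):` would fit the existing error path. The try body and the start of get_methods() lie outside this hunk, so the exception types to catch should be checked against what that body actually does.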
@@ -2371,19 +2637,28 @@ index 26f8390..898ec43 100644 newte += self.generate_process() newte += self.generate_network_types() diff --git a/policycoreutils/sepolicy/sepolicy/interface.py b/policycoreutils/sepolicy/sepolicy/interface.py -index 8b063ca..5e92c7c 100644 +index 8b063ca..c9036c3 100644 --- a/policycoreutils/sepolicy/sepolicy/interface.py +++ b/policycoreutils/sepolicy/sepolicy/interface.py -@@ -27,7 +27,7 @@ import sepolgen.interfaces as interfaces - import sepolgen.defaults as defaults +@@ -22,14 +22,12 @@ + # + # + import re +- +-import sepolgen.interfaces as interfaces +-import sepolgen.defaults as defaults ++import sepolicy ADMIN_TRANSITION_INTERFACE = "_admin$" USER_TRANSITION_INTERFACE = "_role$" -from sepolicy.generate import get_all_types +import selinux - __all__ = [ 'get', 'get_admin', 'get_user' ] +-__all__ = [ 'get', 'get_admin', 'get_user' ] ++__all__ = [ 'get_admin', 'get_user' ] -@@ -48,24 +48,10 @@ except IOError: + ## + ## I18N +@@ -48,24 +46,10 @@ except IOError: import __builtin__ __builtin__.__dict__['_'] = unicode @@ -2409,8 +2684,12 @@ index 8b063ca..5e92c7c 100644 if i.endswith("_admin"): admin_list.append(i.split("_admin")[0]) return admin_list -@@ -76,6 +62,6 @@ def get_user(): - for i in get(): +@@ -73,9 +57,9 @@ def get_admin(): + def get_user(): + """ Get all domains with SELinux user role interface""" + trans_list = [] +- for i in get(): ++ for i in sepolicy.get_methods(): m = re.findall("(.*)%s" % USER_TRANSITION_INTERFACE, i) if len(m) > 0: - if "%s_exec_t" % m[0] in get_all_types(): diff --git a/policycoreutils.spec b/policycoreutils.spec index ab9a5ce..4129734 100644 --- a/policycoreutils.spec +++ b/policycoreutils.spec @@ -7,7 +7,7 @@ Summary: SELinux policy core utilities Name: policycoreutils Version: 2.1.14 -Release: 15%{?dist} +Release: 16%{?dist} License: GPLv2 Group: System Environment/Base # Based on git repository with tag 20101221 
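Review bot: Removing `get` from `__all__` together with the sepolgen imports it relied on makes `sepolicy.interface.get` disappear for any importer outside this patch, and the only caller updated in the commit is sepolicy.py. Other consumers of the package are not visible from this diff; if any exist, keeping a one-line shim `def get(): return sepolicy.get_methods()` (and the name in `__all__`) for a release would turn a hard ImportError into a graceful transition. Note also that interface.py now imports the package it lives in, which is fine as long as sepolicy/__init__.py never imports sepolicy.interface at module load — the imports added to __init__.py in this commit do not.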
@@ -310,6 +310,9 @@ The policycoreutils-restorecond package contains the restorecond service. %{_bindir}/systemctl try-restart restorecond.service >/dev/null 2>&1 || : %changelog +* Fri Mar 1 2013 Dan Walsh - 2.1.14-16 +- Fix sepoicy interface to work properly + * Thu Feb 28 2013 Dan Walsh - 2.1.14-15 - Fix fixfiles to use exclude_dirs on fixfiles restore