There is a new feature in the Standard Test Roles which allows using
an FMF filter instead of listing all tests manually. All tier
one selinux tests are selected as well, thus extending requires.
- semanage: "semanage user" does not use -s, fix documentation
- semanage: add a missing space in ibendport help
- sepolicy: Update to work with setools-4.2.0
- Fix typo in newrole.1 manpage
- sepolgen: print all AV rules correctly
- sepolgen: fix access vector initialization
- Add xperms support to audit2allow
- semanage: Stop logging loginRecords changes
- semanage: Fix logger class definition
- semanage: Replace bare except with specific one
- semanage: fix Python syntax of catching several exceptions
- sepolgen: return NotImplemented instead of raising it
- sepolgen: fix refpolicy parsing of "permissive"
For the new grub auto-hide feature:
https://fedoraproject.org/wiki/Changes/HiddenGrubMenu
Grub needs to know if the previous boot succeeded. This is tracked
through flags in the grub environment.
A selinux autorelabel is special, because it reboots the machine without
completing the boot in the normal manner.
grub checks the (new) boot_indeterminate grub environment variable to deal
with this. This is a variable containing a count of special boots since
the last successful normal boot. If this variable is 1 then it also treats
the previous boot as successful. The idea is that an autorelabel (or
offline updates) increments boot_indeterminate, so normally after a reboot
it will be 1 and the grub menu stays hidden. But if we end up in a selinux
autorelabel loop for some reason, then it will be bigger than 1 (*) and
the grub menu will be shown allowing the user to try and fix things.
*) grub itself will also increment it if it is 1 so that even if it gets
incremented only once, that still only makes 1 boot count as successful.
This commit makes the selinux-autorelabel script call:
grub2-editenv - incr boot_indeterminate
for proper integration with this new grub feature.
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
plymouth by default waits for 5 seconds before showing the splash so
that the splash simply gets skipped on real quick boots.
In my testing it seems that --hide-splash is a no-op when run before
the 5 seconds have passed and the splash is shown, causing the splash
to still be there during a relabel. Note this problem only shows when
*not* using disk-encryption.
Switching to plymouth --quit fixes this.
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
This can be useful when the user has this UEFI boot order e.g.:
Windows | grub | Linux
And decides to boot into grub/Linux. In case the autorelabel service
is being run after the boot into grub, then the reboot after the
autorelabel is done will cause the user to boot into Windows again...
This change should make the behaviour more intuitive for the user.
Signed-off-by: David Kaspar [Dee'Kej] <dkaspar@redhat.com>
- sepolicy: Fix translated strings with parameters
- sepolicy: Support non-MLS policy
- sepolicy: Initialize policy.ports as a dict in generate.py
- gui/polgengui.py: Use stop_emission_by_name instead of emit_stop_by_name
- Minor update for bash completion
- semodule_package: fix semodule_unpackage man page
- gui/semanagePage: Close "edit" and "add" dialogues when successful
- gui/fcontextPage: Set default object class in addDialog
- sepolgen: fix typo in PolicyGenerator
- build: follow standard semantics for DESTDIR and PREFIX
- use pathfix.py instead of sed
- clean up '*~' files
Fixes:
policycoreutils has broken dependencies in the rawhide tree:
On i386:
python2-policycoreutils-2.7-11.fc28.i686 requires /usr/bin/python22
On armhfp:
python2-policycoreutils-2.7-11.fc28.armv7hl requires /usr/bin/python22