diff --git a/0001-Disable-remove-neverallow-options-in-sediff.patch b/0001-Disable-remove-neverallow-options-in-sediff.patch new file mode 100644 index 0000000..d34479a --- /dev/null +++ b/0001-Disable-remove-neverallow-options-in-sediff.patch @@ -0,0 +1,92 @@ +From edf1a80fa41fa34ad849fbf5098eddd4c5339c18 Mon Sep 17 00:00:00 2001 +From: Petr Lautrbach +Date: Tue, 9 May 2023 19:22:01 +0200 +Subject: [PATCH] Disable/remove neverallow options in sediff. +Content-type: text/plain + +Apply change from commit 06335957b701 ("Disable/remove neverallow +options in frontends.") to sediff + +Signed-off-by: Petr Lautrbach +--- + man/ru/sediff.1 | 4 ---- + man/sediff.1 | 4 ---- + sediff | 10 +++++++--- + 3 files changed, 7 insertions(+), 11 deletions(-) + +diff --git a/man/ru/sediff.1 b/man/ru/sediff.1 +index c6bf2939443f..af5d8efcf82c 100644 +--- a/man/ru/sediff.1 ++++ b/man/ru/sediff.1 +@@ -57,16 +57,12 @@ sediff \- утилита выявления различий политик SELi + Найти различия правил включения журналирования событий. + .IP "--dontaudit" + Найти различия правил запрета журналирования событий. +-.IP "--neverallow" +-Найти различия запрещающих правил. + .IP "--allowxperm" + Найти различия расширенных разрешительных правил. + .IP "--auditallowxperm" + Найти различия расширенных правил включения журналирования событий. + .IP "--dontauditxperm" + Найти различия расширенных правил запрета журналирования событий. +-.IP "--neverallowxperm" +-Найти различия расширенных запрещающих правил. + .IP "-T, --type_trans" + Найти различия правил перехода типов. + .IP "--type_member" +diff --git a/man/sediff.1 b/man/sediff.1 +index ed3b497db2c4..18466d8aeb68 100644 +--- a/man/sediff.1 ++++ b/man/sediff.1 +@@ -50,16 +50,12 @@ Find differences in allow rules. + Find differences in auditallow rules. + .IP "--dontaudit" + Find differences in dontaudit rules. +-.IP "--neverallow" +-Find differences in neverallow rules. + .IP "--allowxperm" + Find differences in allowxperm rules. + .IP "--auditallowxperm" + Find differences in auditallowxperm rules. + .IP "--dontauditxperm" + Find differences in dontauditxperm rules. +-.IP "--neverallowxperm" +-Find differences in neverallowxperm rules. + .IP "-T, --type_trans" + Find differences in type_transition rules. + .IP "--type_member" +diff --git a/sediff b/sediff +index b2fef9771f18..a39d6f5c8f57 100755 +--- a/sediff ++++ b/sediff +@@ -45,12 +45,12 @@ comp.add_argument("--level", action="store_true", help="Print MLS level definiti + terule = parser.add_argument_group("type enforcement rule differences") + terule.add_argument("-A", action="store_true", help="Print allow and allowxperm rule differences") + terule.add_argument("--allow", action="store_true", help="Print allow rule differences") +-terule.add_argument("--neverallow", action="store_true", help="Print neverallow rule differences") ++# terule.add_argument("--neverallow", action="store_true", help="Print neverallow rule differences") + terule.add_argument("--auditallow", action="store_true", help="Print auditallow rule differences") + terule.add_argument("--dontaudit", action="store_true", help="Print dontaudit rule differences") + terule.add_argument("--allowxperm", action="store_true", help="Print allowxperm rule differences") +-terule.add_argument("--neverallowxperm", action="store_true", +- help="Print neverallowxperm rule differences") ++# terule.add_argument("--neverallowxperm", action="store_true", ++# help="Print neverallowxperm rule differences") + terule.add_argument("--auditallowxperm", action="store_true", + help="Print auditallowxperm rule differences") + terule.add_argument("--dontauditxperm", action="store_true", +@@ -97,6 +97,10 @@ other.add_argument("--typebounds", action="store_true", help="Print typebounds d + + args = parser.parse_args() + ++# neverallow and neverallowxperm options are disabled ++args.neverallow = False ++args.neverallowxperm = False ++ + if args.A: + args.allow = True + args.allowxperm = True +-- +2.41.0 + diff --git a/0002-Improve-man-pages.patch b/0002-Improve-man-pages.patch new file mode 100644 index 0000000..15552a2 --- /dev/null +++ b/0002-Improve-man-pages.patch @@ -0,0 +1,225 @@ +From 2fea8eb0d4aedbbdca2209ee904eb10df69737b8 Mon Sep 17 00:00:00 2001 +From: Vit Mojzis +Date: Thu, 11 May 2023 18:38:21 +0200 +Subject: [PATCH] Improve man pages +Content-type: text/plain + +- Add missing parameters +- Add examples +- Fix typos + +Signed-off-by: Vit Mojzis +--- + man/sechecker.1 | 6 +++--- + man/sediff.1 | 12 ++++++++++++ + man/sedta.1 | 9 +++++++++ + man/seinfo.1 | 25 +++++++++++++++++++++++++ + man/seinfoflow.1 | 9 +++++++++ + man/sesearch.1 | 12 ++++++++++++ + 6 files changed, 70 insertions(+), 3 deletions(-) + +diff --git a/man/sechecker.1 b/man/sechecker.1 +index 507b8615c26f..e32d6d6114ba 100644 +--- a/man/sechecker.1 ++++ b/man/sechecker.1 +@@ -81,7 +81,7 @@ A space-separated list of object class criteria for the query. + A space-separated list of permissions for the query. + + .PP +-\fBA least one of the above options must be set in this check.\fR ++\fBAt least one of the above options must be set in this check.\fR + + .PP + Additional Options: +@@ -123,7 +123,7 @@ The source role criteria for the query. + The target role criteria for the query. + + .PP +-\fBA least one of the above options must be set in this check.\fR ++\fBAt least one of the above options must be set in this check.\fR + + .PP + Additional Options: +@@ -205,7 +205,7 @@ executable types are read-only.\fR + .\} + .nf + [ro_execs] +-check_type = empty_typeattr ++check_type = ro_execs + desc = Verify that the all executables and libraries are read-only. + .fi + .if n \{\ +diff --git a/man/sediff.1 b/man/sediff.1 +index 18466d8aeb68..9b189885ff3c 100644 +--- a/man/sediff.1 ++++ b/man/sediff.1 +@@ -84,6 +84,10 @@ Find differences in validatetrans rules. + Find differences in mlsvalidatetrans rules. + + .SS Labeling Statement Differences ++.IP "--ibendportcon" ++Find differences in ibendportcon (InfiniBand endport context) statements. ++.IP "--ibpkeycon" ++Find differences in ibpkeycon (InfiniBand parition key context) statements. + .IP "--initialsid" + Find differences in initial SID statements. + .IP "--fs_use" +@@ -136,6 +140,14 @@ For example, a class is modified if one or more permissions are added or removed + .RE + .PP + ++.SH EXAMPLE ++.nf ++Show differences in boolean settings ++# sediff -b /backup/policy.33 /etc/selinux/targeted/policy/policy.33 ++Show statistics for allow and allowxperm rule changes (how many rules where added, removed, or modified) ++#sediff -A --stats /backup/policy.33 /etc/selinux/targeted/policy/policy.33 ++ ++ + .SH AUTHOR + Chris PeBenito + +diff --git a/man/sedta.1 b/man/sedta.1 +index 1d84d92664e0..d3d21db6f172 100644 +--- a/man/sedta.1 ++++ b/man/sedta.1 +@@ -49,6 +49,8 @@ Specify the maximum number of domain transitions to output. The default is unlim + A space-separated list of types to exclude from the analysis. + + .SS General Options ++.IP "--full" ++Print rule lists for transitions. + .IP "--stats" + Print domain transition graph statistics at the end of the analysis. + .IP "-h, --help" +@@ -60,6 +62,13 @@ Print additional informational messages. + .IP "--debug" + Enable debugging output. + ++.SH EXAMPLE ++.nf ++Show the shortest transition paths from httpd_t to unconfined_t, while not using container_runtime_t ++# sedta -s httpd_t -t unconfined_t -S container_runtime_t ++List all domain transition paths shorter than 3 steps from init_t to smbd_t ++# sedta -s init_t -t smbd_t -A 3 ++ + .SH AUTHOR + Chris PeBenito + +diff --git a/man/seinfo.1 b/man/seinfo.1 +index 1adea9868d66..9e7cbde8c06e 100644 +--- a/man/seinfo.1 ++++ b/man/seinfo.1 +@@ -56,6 +56,10 @@ There is no expanded information for this component. + .IP "--genfscon [FS_TYPE]" + Print a list of genfscon statements or, if FS_TYPE is provided, print the statement for the named filesystem type. + There is no expanded information for this component. ++.IP "--ibpkeycon [PKEY[-PKEY]]" ++Print a list of InfiniBand parition key contexts. ++.IP "--ibendportcon [NAME]" ++Print a list of InfiniBand endport contexts. + .IP "--initialsid [NAME]" + Print a list of initial SIDs or, if NAME is provided, print the named initial SID. + With \fI-x\fR, print the context assigned to each displayed SID. +@@ -86,6 +90,18 @@ There is no expanded information for this component. + .IP "--all" + Print all components. + ++.IP "\fB Xen Component Queries: \fR" ++.IP "--ioportcon" ++Print all ioportcon statements. ++.IP "--iomemcon" ++Print all iomemcon statements. ++.IP "--pcidevicecon" ++Print all pcidevicecon statements. ++.IP "--pirqcon" ++Print all pirqcon statements. ++.IP "--devicetreecon" ++Print all devicetreecon statements. ++ + .SH OPTIONS + .IP "-x, --expand" + Print additional details for each component matching the expression. +@@ -101,6 +117,15 @@ Print additional informational messages. + .IP "--debug" + Enable debugging output. + ++.SH EXAMPLE ++.nf ++List aliases of and attributes assigned to type httpd_t ++# seinfo -t httpd_t -x ++List all executable types (all types assigned to "exec_type" attribute) ++# seinfo -a exec_type -x ++List all constrains and mlsconstrains for class "file" ++# seinfo --constrain file ++ + .SH AUTHOR + Chris PeBenito + +diff --git a/man/seinfoflow.1 b/man/seinfoflow.1 +index 2e4a261606bf..75763d6f2378 100644 +--- a/man/seinfoflow.1 ++++ b/man/seinfoflow.1 +@@ -54,6 +54,8 @@ A space-separated list of types to exclude from the analysis. + Print information flow graph statistics at the end of the analysis. + .IP "-h, --help" + Print help information and exit. ++.IP "--full" ++Print full rule lists for information flows. + .IP "--version" + Print version information and exit. + .IP "-v, --verbose" +@@ -61,6 +63,13 @@ Print additional informational messages. + .IP "--debug" + Enable debugging output. + ++.SH EXAMPLE ++.nf ++Show the shortest paths for process running as httpd_t to access user home files, using permission map from /var/lib/sepolgen/perm_map ++# seinfoflow -m /var/lib/sepolgen/perm_map -s httpd_t -t user_home_t -S ++List all data paths shorter than 3 steps from smbd_t to httpd_log_t, when samba_enable_home_dirs and samba_create_home_dirs booleans are enabled ++# seinfoflow -m /var/lib/sepolgen/perm_map -s smbd_t -t user_home_t -A 3 -b "samba_enable_home_dirs:true,samba_create_home_dirs:true" ++ + .SH AUTHOR + Chris PeBenito + +diff --git a/man/sesearch.1 b/man/sesearch.1 +index 35f16c4ba33e..edc18346673c 100644 +--- a/man/sesearch.1 ++++ b/man/sesearch.1 +@@ -48,6 +48,7 @@ Find type_change rules. + Find role allow rules. + .IP "--role_trans" + Find role_transition rules. ++.IP "Note: TE/MLS rule searches cannot be mixed with RBAC rule searches" + + .SS MLS Rule Types + .IP "--range_trans" +@@ -80,6 +81,8 @@ A matching rule must have the specified target attribute/type/role explicitly, i + A matching rule must have all specified Booleans, instead of matching any of the specified Boolean. + .IP "-ep" + A matching rule must have exactly the specified permissions, instead of matching any of the specified permission. ++.IP "-ex" ++A matching rule must have exactly the specified extended permissions, instead of matching any listed extended permission. + .IP "-Sp" + A matching rule must have permissions where are a superset of the specified permissions, instead of matching any of the permissions. + .IP "-rs" +@@ -103,6 +106,15 @@ Print additional informational messages. + .IP "--debug" + Enable debugging output. + ++.SH EXAMPLE ++.nf ++List allow (and allowxperm) rules for accessing files labeled container_file_t from domains with attribute container_domain ++# sesearch -A -s container_domain -t container_file_t -c file ++List allow and dontaudit rules for accessing chr_files labeled container_file_t, that are controlled by boolean container_use_devices ++# sesearch -A --dontaudit -t container_file_t -c chr_file -b container_use_devices ++List dontaudit rules assigned via application_domain_type attribute (rules concerning specific types with that attribute are excluded) ++# sesearch --dontaudit -s application_domain_type -ds ++ + .SH AUTHOR + Chris PeBenito + +-- +2.41.0 + diff --git a/0003-tox.ini-Change-environments-to-use-python-instead-of.patch b/0003-tox.ini-Change-environments-to-use-python-instead-of.patch new file mode 100644 index 0000000..a49f91f --- /dev/null +++ b/0003-tox.ini-Change-environments-to-use-python-instead-of.patch @@ -0,0 +1,62 @@ +From 6425b45e2748605b99d4e45b286fbf5bb8e8243e Mon Sep 17 00:00:00 2001 +From: Chris PeBenito +Date: Mon, 17 Jul 2023 16:45:01 -0400 +Subject: [PATCH] tox.ini: Change environments to use "python" instead of "py". +Content-type: text/plain + +Signed-off-by: Chris PeBenito +--- + .github/workflows/tests.yml | 12 ++++++------ + tox.ini | 8 ++++---- + 2 files changed, 10 insertions(+), 10 deletions(-) + +diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml +index eb443ae7f0f7..c3c8d552ca15 100644 +--- a/.github/workflows/tests.yml ++++ b/.github/workflows/tests.yml +@@ -27,12 +27,12 @@ jobs: + + matrix: + build-opts: +- - {python: '3.6', tox: py36} +- - {python: '3.7', tox: py37} +- - {python: '3.8', tox: py38} +- - {python: '3.9', tox: py39} +- - {python: '3.10', tox: py310} +- - {python: '3.11', tox: py311} ++ - {python: '3.6', tox: python3.6} ++ - {python: '3.7', tox: python3.7} ++ - {python: '3.8', tox: python3.8} ++ - {python: '3.9', tox: python3.9} ++ - {python: '3.10', tox: python3.10} ++ - {python: '3.11', tox: python3.11} + - {python: '3.6', tox: pep8} + - {python: '3.6', tox: lint} + - {python: '3.6', tox: mypy} +diff --git a/tox.ini b/tox.ini +index b2f6b51858e6..a668bb3de425 100644 +--- a/tox.ini ++++ b/tox.ini +@@ -1,6 +1,6 @@ + [tox] + minversion = 1.4 +-envlist = py3, pep8, lint, mypy ++envlist = python3, pep8, lint, mypy + + [pycodestyle] + max-line-length = 100 +@@ -53,8 +53,8 @@ passenv = USERSPACE_SRC + deps = networkx>=2.0 + cython>=0.27 + pytest +- py38: cython>=0.29.14 +- py39: networkx>=2.6 +- py39: cython>=0.29.14 ++ python38: cython>=0.29.14 ++ python39: networkx>=2.6 ++ python39: cython>=0.29.14 + commands_pre = {envpython} setup.py build_ext -i + commands = pytest tests +-- +2.41.0 + diff --git a/0004-seinfoflow-Add-r-option-to-get-flows-into-the-source.patch b/0004-seinfoflow-Add-r-option-to-get-flows-into-the-source.patch new file mode 100644 index 0000000..14e7864 --- /dev/null +++ b/0004-seinfoflow-Add-r-option-to-get-flows-into-the-source.patch @@ -0,0 +1,51 @@ +From 8ec295066289cf74df0e3f2c6e068abe503f1121 Mon Sep 17 00:00:00 2001 +From: Chris PeBenito +Date: Wed, 21 Jun 2023 08:56:08 -0400 +Subject: [PATCH] seinfoflow: Add -r option to get flows into the source type. +Content-type: text/plain + +Signed-off-by: Chris PeBenito +--- + man/seinfoflow.1 | 2 ++ + seinfoflow | 5 ++++- + 2 files changed, 6 insertions(+), 1 deletion(-) + +diff --git a/man/seinfoflow.1 b/man/seinfoflow.1 +index 75763d6f2378..63c70c0e7b14 100644 +--- a/man/seinfoflow.1 ++++ b/man/seinfoflow.1 +@@ -50,6 +50,8 @@ Specify the maximum number of information flows to output. The default is unlimi + A space-separated list of types to exclude from the analysis. + + .SS General Options ++.IP "-r, --reverse" ++Display information flows into the source type. No effect if a target type is specified. + .IP "--stats" + Print information flow graph statistics at the end of the analysis. + .IP "-h, --help" +diff --git a/seinfoflow b/seinfoflow +index 5f4e7642ecf9..9bd1bec41da8 100755 +--- a/seinfoflow ++++ b/seinfoflow +@@ -42,6 +42,9 @@ alg.add_argument("-A", "--all_paths", type=int, metavar="MAX_STEPS", + help="Calculate all paths, with the specified maximum path length. (Expensive)") + + opts = parser.add_argument_group("Analysis options") ++opts.add_argument("-r", "--reverse", action="store_false", ++ help="Display information flows into the source type. " ++ "No effect if a target type is specified.") + opts.add_argument("-w", "--min_weight", default=3, type=int, + help="Minimum permission weight. Default is 3.") + opts.add_argument("-l", "--limit_flows", default=0, type=int, +@@ -119,7 +122,7 @@ try: + + else: # single direct info flow + flownum = 0 +- for flownum, flow in enumerate(g.infoflows(args.source), start=1): ++ for flownum, flow in enumerate(g.infoflows(args.source, out=args.reverse), start=1): + print("Flow {0}: {1} -> {2}".format(flownum, flow.source, flow.target)) + + if args.full: +-- +2.41.0 + diff --git a/0005-seinfoflow.1-Remove-references-to-sepolgen-permissio.patch b/0005-seinfoflow.1-Remove-references-to-sepolgen-permissio.patch new file mode 100644 index 0000000..f1ed9e7 --- /dev/null +++ b/0005-seinfoflow.1-Remove-references-to-sepolgen-permissio.patch @@ -0,0 +1,34 @@ +From 32ebd2c802ca0fcf3b920b298f0d2d8b2972cfa9 Mon Sep 17 00:00:00 2001 +From: Chris PeBenito +Date: Wed, 21 Jun 2023 08:56:53 -0400 +Subject: [PATCH] seinfoflow.1: Remove references to sepolgen permission map. +Content-type: text/plain + +SETools ships with its own so that it is usable on non-SELinux systems. + +Signed-off-by: Chris PeBenito +--- + man/seinfoflow.1 | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/man/seinfoflow.1 b/man/seinfoflow.1 +index 63c70c0e7b14..e482520a8b82 100644 +--- a/man/seinfoflow.1 ++++ b/man/seinfoflow.1 +@@ -67,10 +67,10 @@ Enable debugging output. + + .SH EXAMPLE + .nf +-Show the shortest paths for process running as httpd_t to access user home files, using permission map from /var/lib/sepolgen/perm_map +-# seinfoflow -m /var/lib/sepolgen/perm_map -s httpd_t -t user_home_t -S ++Show the shortest paths for process running as httpd_t to access user home files, using the default permission map: ++# seinfoflow -s httpd_t -t user_home_t -S + List all data paths shorter than 3 steps from smbd_t to httpd_log_t, when samba_enable_home_dirs and samba_create_home_dirs booleans are enabled +-# seinfoflow -m /var/lib/sepolgen/perm_map -s smbd_t -t user_home_t -A 3 -b "samba_enable_home_dirs:true,samba_create_home_dirs:true" ++# seinfoflow -s smbd_t -t user_home_t -A 3 -b "samba_enable_home_dirs:true,samba_create_home_dirs:true" + + .SH AUTHOR + Chris PeBenito +-- +2.41.0 + diff --git a/0006-AVRule-AVRuleXperm-Treat-rules-with-no-permissions-a.patch b/0006-AVRule-AVRuleXperm-Treat-rules-with-no-permissions-a.patch new file mode 100644 index 0000000..8b8df96 --- /dev/null +++ b/0006-AVRule-AVRuleXperm-Treat-rules-with-no-permissions-a.patch @@ -0,0 +1,55 @@ +From 725d224e8dd8af3a5a56c71b9de7936d098cae61 Mon Sep 17 00:00:00 2001 +From: Chris PeBenito +Date: Tue, 16 May 2023 13:21:09 -0400 +Subject: [PATCH] AVRule/AVRuleXperm: Treat rules with no permissions as + invalid policy. +Content-type: text/plain + +Signed-off-by: Chris PeBenito +--- + setools/policyrep/terule.pxi | 22 ++++++++++++++++++++++ + 1 file changed, 22 insertions(+) + +diff --git a/setools/policyrep/terule.pxi b/setools/policyrep/terule.pxi +index 6c869ed08ad9..4f4a95f553bc 100644 +--- a/setools/policyrep/terule.pxi ++++ b/setools/policyrep/terule.pxi +@@ -120,6 +120,17 @@ cdef class AVRule(BaseTERule): + r._conditional = conditional + r._conditional_block = conditional_block + r.origin = None ++ ++ if not r.perms: ++ rule_string = f"{r.ruletype} {r.source} {r.target}:{r.tclass} {{ }};" ++ try: ++ rule_string += f" [ {r.conditional} ]:{r.conditional_block}" ++ except RuleNotConditional: ++ pass ++ ++ raise LowLevelPolicyError("Invalid policy: Found a rule with no permissions: " ++ f"{rule_string}") ++ + return r + + def __hash__(self): +@@ -319,6 +330,17 @@ cdef class AVRuleXperm(BaseTERule): + r._conditional = conditional + r._conditional_block = conditional_block + r.origin = None ++ ++ if not perms: ++ rule_string = f"{r.ruletype} {r.source} {r.target}:{r.tclass} {r.xperm_type} {{ }};" ++ try: ++ rule_string += f" [ {r.conditional} ]:{r.conditional_block}" ++ except RuleNotConditional: ++ pass ++ ++ raise LowLevelPolicyError( ++ f"Invalid policy: Found a rule with no extended permissions: {rule_string}.") ++ + return r + + def __hash__(self): +-- +2.41.0 + diff --git a/0007-SELinuxPolicy-Add-explicit-cast-for-libspol-message-.patch b/0007-SELinuxPolicy-Add-explicit-cast-for-libspol-message-.patch new file mode 100644 index 0000000..caa96f3 --- /dev/null +++ b/0007-SELinuxPolicy-Add-explicit-cast-for-libspol-message-.patch @@ -0,0 +1,52 @@ +From fc443b5a0379f3644e071a458e996ea6115ccba3 Mon Sep 17 00:00:00 2001 +From: Chris PeBenito +Date: Mon, 17 Jul 2023 16:08:21 -0400 +Subject: [PATCH] SELinuxPolicy: Add explicit cast for libspol message + callback. +Content-type: text/plain + +Cython 3.0 is more strict. The change fixes this issue: + +setools/policyrep/selinuxpolicy.pxi:685:46: Cannot assign type 'void (void *, sepol_handle_t *, const char *, ...) except *' to 'msg_callback' + +Additionally, the msg_callback is not typedef-ed in sepol/debug.h, so it must +be explicitly defined in sepol.pxd for the casting to work. + +Signed-off-by: Chris PeBenito +--- + setools/policyrep/selinuxpolicy.pxi | 2 +- + setools/policyrep/sepol.pxd | 4 +++- + 2 files changed, 4 insertions(+), 2 deletions(-) + +diff --git a/setools/policyrep/selinuxpolicy.pxi b/setools/policyrep/selinuxpolicy.pxi +index 9267a0c43abc..236316f1c6c5 100644 +--- a/setools/policyrep/selinuxpolicy.pxi ++++ b/setools/policyrep/selinuxpolicy.pxi +@@ -668,7 +668,7 @@ cdef class SELinuxPolicy: + if self.sh == NULL: + raise MemoryError + +- sepol.sepol_msg_set_callback(self.sh, sepol_logging_callback, self.handle) ++ sepol.sepol_msg_set_callback(self.sh, sepol_logging_callback, self.handle) + + if sepol.sepol_policydb_create(&self.handle) < 0: + raise MemoryError +diff --git a/setools/policyrep/sepol.pxd b/setools/policyrep/sepol.pxd +index 769498f2c5fd..36589ed1a607 100644 +--- a/setools/policyrep/sepol.pxd ++++ b/setools/policyrep/sepol.pxd +@@ -16,8 +16,10 @@ cdef extern from "": + void sepol_handle_destroy(sepol_handle_t *sh) + + ++ctypedef void (*msg_callback)(void *varg, sepol_handle_t *handle, const char *fmt, ...) ++ ++ + cdef extern from "": +- ctypedef void (*msg_callback)(void *varg, sepol_handle_t *handle, const char *fmt, ...) + void sepol_msg_set_callback(sepol_handle * handle, msg_callback cb, void *cb_arg) + + +-- +2.41.0 + diff --git a/setools.spec b/setools.spec index 8dce1c7..04ac4bf 100644 --- a/setools.spec +++ b/setools.spec @@ -3,7 +3,7 @@ Name: setools Version: 4.4.2 -Release: 3%{?dist} +Release: 4%{?dist} Summary: Policy analysis tools for SELinux License: GPL-2.0-only and LGPL-2.1-only @@ -11,6 +11,14 @@ URL: https://github.com/SELinuxProject/setools/wiki Source0: https://github.com/SELinuxProject/setools/archive/%{version}.tar.gz Source1: setools.pam Source2: apol.desktop +Patch0001: 0001-Disable-remove-neverallow-options-in-sediff.patch +Patch0002: 0002-Improve-man-pages.patch +Patch0003: 0003-tox.ini-Change-environments-to-use-python-instead-of.patch +Patch0004: 0004-seinfoflow-Add-r-option-to-get-flows-into-the-source.patch +Patch0005: 0005-seinfoflow.1-Remove-references-to-sepolgen-permissio.patch +Patch0006: 0006-AVRule-AVRuleXperm-Treat-rules-with-no-permissions-a.patch +Patch0007: 0007-SELinuxPolicy-Add-explicit-cast-for-libspol-message-.patch + Obsoletes: setools < 4.0.0, setools-devel < 4.0.0 BuildRequires: flex, bison BuildRequires: glibc-devel, gcc, git-core @@ -143,6 +151,14 @@ Python modules designed to facilitate SELinux policy analysis. %{_mandir}/ru/man1/apol* %changelog +* Wed Jul 26 2023 Petr Lautrbach - 4.4.2-4 +- Disable/remove neverallow options in sediff. +- Improve man pages +- seinfoflow: Add -r option to get flows into the source type. +- seinfoflow.1: Remove references to sepolgen permission map. +- AVRule/AVRuleXperm: Treat rules with no permissions as invalid policy. +- SELinuxPolicy: Add explicit cast for libspol message + * Sat Jul 22 2023 Fedora Release Engineering - 4.4.2-3 - Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild