.fmf/version

@@ -0,0 +1 @@
+1

.gitignore

@@ -1 +1,125 @@
-SOURCES/setroubleshoot-plugins-3.3.14.tar.gz
+setroubleshoot-plugins-2.0.4.tar.gz
+setroubleshoot-plugins-2.0.7.tar.gz
+setroubleshoot-plugins-2.0.8.tar.gz
+setroubleshoot-plugins-2.0.9.tar.gz
+setroubleshoot-plugins-2.0.10.tar.gz
+setroubleshoot-plugins-2.0.11.tar.gz
+setroubleshoot-plugins-2.0.12.tar.gz
+setroubleshoot-plugins-2.0.14.tar.gz
+setroubleshoot-plugins-2.0.15.tar.gz
+setroubleshoot-plugins-2.0.16.tar.gz
+setroubleshoot-plugins-2.0.18.tar.gz
+setroubleshoot-plugins-2.1.1.tar.gz
+setroubleshoot-plugins-2.1.2.tar.gz
+setroubleshoot-plugins-2.1.3.tar.gz
+setroubleshoot-plugins-2.1.4.tar.gz
+setroubleshoot-plugins-2.1.5.tar.gz
+setroubleshoot-plugins-2.1.7.tar.gz
+setroubleshoot-plugins-2.1.8.tar.gz
+setroubleshoot-plugins-2.1.9.tar.gz
+setroubleshoot-plugins-2.1.11.tar.gz
+setroubleshoot-plugins-2.1.12.tar.gz
+setroubleshoot-plugins-2.1.13.tar.gz
+setroubleshoot-plugins-2.1.14.tar.gz
+setroubleshoot-plugins-2.1.15.tar.gz
+setroubleshoot-plugins-2.1.16.tar.gz
+setroubleshoot-plugins-2.1.18.tar.gz
+setroubleshoot-plugins-2.1.19.tar.gz
+setroubleshoot-plugins-2.1.20.tar.gz
+setroubleshoot-plugins-2.1.21.tar.gz
+setroubleshoot-plugins-2.1.22.tar.gz
+setroubleshoot-plugins-2.1.23.tar.gz
+setroubleshoot-plugins-2.1.24.tar.gz
+setroubleshoot-plugins-2.1.25.tar.gz
+setroubleshoot-plugins-2.1.26.tar.gz
+setroubleshoot-plugins-2.1.27.tar.gz
+setroubleshoot-plugins-2.1.28.tar.gz
+setroubleshoot-plugins-2.1.29.tar.gz
+setroubleshoot-plugins-2.1.30.tar.gz
+setroubleshoot-plugins-2.1.32.tar.gz
+setroubleshoot-plugins-2.1.33.tar.gz
+setroubleshoot-plugins-2.1.34.tar.gz
+setroubleshoot-plugins-2.1.35.tar.gz
+setroubleshoot-plugins-2.1.36.tar.gz
+setroubleshoot-plugins-2.1.37.tar.gz
+setroubleshoot-plugins-2.1.38.tar.gz
+setroubleshoot-plugins-2.1.39.tar.gz
+setroubleshoot-plugins-2.1.40.tar.gz
+setroubleshoot-plugins-2.1.41.tar.gz
+setroubleshoot-plugins-2.1.42.tar.gz
+setroubleshoot-plugins-2.1.43.tar.gz
+setroubleshoot-plugins-2.1.45.tar.gz
+setroubleshoot-plugins-2.1.46.tar.gz
+setroubleshoot-plugins-2.1.47.tar.gz
+setroubleshoot-plugins-2.1.49.tar.gz
+setroubleshoot-plugins-2.1.50.tar.gz
+setroubleshoot-plugins-2.1.51.tar.gz
+setroubleshoot-plugins-2.1.52.tar.gz
+setroubleshoot-plugins-2.1.53.tar.gz
+setroubleshoot-plugins-2.1.54.tar.gz
+setroubleshoot-plugins-2.1.55.tar.gz
+/setroubleshoot-plugins-3.0.0.tar.gz
+/setroubleshoot-plugins-3.0.1.tar.gz
+/setroubleshoot-plugins-3.0.2.tar.gz
+/setroubleshoot-plugins-3.0.3.tar.gz
+/setroubleshoot-plugins-3.0.4.tar.gz
+/setroubleshoot-plugins-3.0.5.tar.gz
+/setroubleshoot-plugins-3.0.6.tar.gz
+/setroubleshoot-plugins-3.0.7.tar.gz
+/setroubleshoot-plugins-3.0.8.tar.gz
+/setroubleshoot-plugins-3.0.9.tar.gz
+/setroubleshoot-plugins-3.0.10.tar.gz
+/setroubleshoot-plugins-3.0.11.tar.gz
+/setroubleshoot-plugins-3.0.12.tar.gz
+/setroubleshoot-plugins-3.0.13.tar.gz
+/setroubleshoot-plugins-3.0.14.tar.gz
+/setroubleshoot-plugins-3.0.17.tar.gz
+/setroubleshoot-plugins-3.0.18.tar.gz
+/setroubleshoot-plugins-3.0.21.tar.gz
+/setroubleshoot-plugins-3.0.22.tar.gz
+/setroubleshoot-plugins-3.0.23.tar.gz
+/setroubleshoot-plugins-3.0.24.tar.gz
+/setroubleshoot-plugins-3.0.25.tar.gz
+/setroubleshoot-plugins-3.0.27.tar.gz
+/setroubleshoot-plugins-3.0.28.tar.gz
+/setroubleshoot-plugins-3.0.30.tar.gz
+/setroubleshoot-plugins-3.0.31.tar.gz
+/setroubleshoot-plugins-3.0.32.tar.gz
+/setroubleshoot-plugins-3.0.33.tar.gz
+/setroubleshoot-plugins-3.0.34.tar.gz
+/setroubleshoot-plugins-3.0.35.tar.gz
+/setroubleshoot-plugins-3.0.36.tar.gz
+/setroubleshoot-plugins-3.0.38.tar.gz
+/setroubleshoot-plugins-3.0.39.tar.gz
+/setroubleshoot-plugins-3.0.40.tar.gz
+/setroubleshoot-plugins-3.0.41.tar.gz
+/setroubleshoot-plugins-3.0.42.tar.gz
+/setroubleshoot-plugins-3.0.45.tar.gz
+/setroubleshoot-plugins-3.0.47.tar.gz
+*.rpm
+/setroubleshoot-plugins-3.0.48.tar.gz
+/setroubleshoot-plugins-3.0.49.tar.gz
+/setroubleshoot-plugins-3.0.50.tar.gz
+/setroubleshoot-plugins-3.0.51.tar.gz
+/setroubleshoot-plugins-3.0.52.tar.gz
+/setroubleshoot-plugins-3.0.53.tar.gz
+/setroubleshoot-plugins-3.0.54.tar.gz
+/setroubleshoot-plugins-3.0.55.tar.gz
+/setroubleshoot-plugins-3.0.57.tar.gz
+/setroubleshoot-plugins-3.0.58.tar.gz
+/setroubleshoot-plugins-3.0.59.tar.gz
+/setroubleshoot-plugins-3.0.60.tar.gz
+/setroubleshoot-plugins-3.0.61.tar.gz
+/setroubleshoot-plugins-3.3.1.tar.gz
+/setroubleshoot-plugins-3.3.2.tar.gz
+/setroubleshoot-plugins-3.3.3.tar.gz
+/setroubleshoot-plugins-3.3.4.tar.gz
+/setroubleshoot-plugins-3.3.5.1.tar.gz
+/setroubleshoot-plugins-3.3.6.tar.gz
+/setroubleshoot-plugins-3.3.7.tar.gz
+/setroubleshoot-plugins-3.3.8.tar.gz
+/setroubleshoot-plugins-3.3.9.tar.gz
+/setroubleshoot-plugins-3.3.10.tar.gz
+/setroubleshoot-plugins-3.3.11.tar.gz
+/setroubleshoot-plugins-3.3.12.tar.gz
+/setroubleshoot-plugins-3.3.14.tar.gz

.setroubleshoot-plugins.metadata

@@ -1 +0,0 @@
-3ab5cfea9ae81f50f0e103d9eadd6a596140158d SOURCES/setroubleshoot-plugins-3.3.14.tar.gz

0001-restorecon.py-exclude-more-paths.patch

@@ -0,0 +1,26 @@
+From 0f508191647a41f92264c0c8fc877b0110bbd468 Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach <plautrba@redhat.com>
+Date: Tue, 10 Aug 2021 20:11:20 +0200
+Subject: [PATCH] restorecon.py: exclude more paths
+
+It doesn't make sense to run restorecon on /sys/ /proc/ and /memfd:
+---
+ src/restorecon.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/restorecon.py b/src/restorecon.py
+index e3044c742367..9594c0d59d96 100644
+--- a/src/restorecon.py
++++ b/src/restorecon.py
+@@ -39,7 +39,7 @@ def customizable(target):
+ 
+ 
+ # List of path prefixes for which this plugin is not executed
+-excluded_paths = ["/sys/fs"]
++excluded_paths = ["/sys/", "/proc/", "/memfd:"]
+ # Test if the specified path starts with some excluded prefix
+ def excluded_path(target_path):
+     for path in excluded_paths:
+-- 
+2.32.0
+

gating.yaml

@@ -0,0 +1,6 @@
+--- !Policy
+product_versions:
+  - rhel-9
+decision_context: osci_compose_gate
+rules:
+  - !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tier1.functional}

plans/tests.fmf

@@ -0,0 +1,6 @@
+summary: Tier 1 setroubleshoot-plugins test plan
+discover:
+    how: fmf
+execute:
+    how: tmt
+

setroubleshoot-plugins.spec

@@ -1,19 +1,24 @@
 %{!?_pkgdocdir: %global _pkgdocdir %{_docdir}/%{name}-%{version}}
 
+# Disable automatic compilation of Python files in extra directories
+%global _python_bytecompile_extra 0
+
 Summary: Analysis plugins for use with setroubleshoot
 Name: setroubleshoot-plugins
 Version: 3.3.14
-Release: 1%{?dist}
+Release: 4%{?dist}
 License: GPLv2+
-Group: Applications/System
-URL: https://gitlab.com/setroubleshoot/plugins
+URL: https://github.com/fedora-selinux/setroubleshoot
 Source0: https://releases.pagure.org/setroubleshoot/%{name}-%{version}.tar.gz
-# https://pagure.io/setroubleshoot
-# git format-patch -N setroubleshoot-plugins-<version>
+# git format-patch -N setroubleshoot-plugins-<version> -- plugins
 # i=1; for j in 00*patch; do printf "Patch%04d: %s\n" $i $j; i=$((i+1));done
-Patch0001: 0001-Update-translations.patch
+Patch0001: 0001-restorecon.py-exclude-more-paths.patch
 BuildArch: noarch
 
+# gcc is needed only for ./configure
+# Remove it when the build process is fixed
+BuildRequires: gcc
+BuildRequires: make
 BuildRequires: perl-XML-Parser
 BuildRequires: intltool gettext python3-devel
 # Introduction of get_package_nvr functions
@@ -34,50 +39,77 @@ make PYTHON=%{__python3}
 
 %install 
 rm -rf %{buildroot}
-make DESTDIR=%{buildroot} PYTHON=%{__python3} pkgdocdir=%{_pkgdocdir} install
+%make_install PYTHON=%{__python3} pkgdocdir=%{_pkgdocdir}
 %find_lang %{name}
+# Manually invoke the python byte compile macro for each path that needs byte
+# compilation.
+%py_byte_compile %{__python3} %{buildroot}%{_datadir}/setroubleshoot/plugins
 
-%clean
-rm -rf %{buildroot}
-
-%files -f %{name}.lang
-%defattr(-,root,root,-)
+%files -f %{name}.lang 
 %doc %{_pkgdocdir}
 %{_datadir}/setroubleshoot/plugins
 
 %changelog
-* Mon Sep 27 2021 Vit Mojzis <vmojzis@redhat.com> - 3.3.14-1
-- Update translations (#1962034)
+* Fri Sep  3 2021 Petr Lautrbach <plautrba@redhat.com> - 3.3.14-4
+- restorecon.py: exclude more paths (#1960136)
 
-* Wed Aug 12 2020 Vit Mojzis <vmojzis@redhat.com> - 3.3.13-1
-- Add 'fur' into shipped locales
-- Update translations (#1820571)
+* Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 3.3.14-3
+- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
+  Related: rhbz#1991688
 
-* Tue Apr 28 2020 Vit Mojzis <vmojzis@redhat.com> - 3.3.12-1
+* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 3.3.14-2
+- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
+
+* Mon Mar 29 2021 Vit Mojzis <vmojzis@redhat.com> - 3.3.14-1
+- Update translations
+
+* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 3.3.12-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.3.12-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Tue Jul 14 2020 Tom Stellard <tstellar@redhat.com> - 3.3.12-2
+- Use make macros
+- https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro
+
+* Tue Apr 21 2020 Vit Mojzis <vmojzis@redhat.com> - 3.3.12-1
 - Use get_package_nvr* functions instead of get_rpm_nvr*
-- Update deprecated type references (#1829306)
+- Update deprecated type references
+- Update translations
 
-* Fri Jan 17 2020 Vit Mojzis <vmojzis@redhat.com> - 3.3.11-2
-- Update translations (#1754992)
-
-* Mon Nov 18 2019 Vit Mojzis <vmojzis@redhat.com> - 3.3.11-1
-- Add plugin which analyzes execmem denials (#1649842)
+* Thu Jan 30 2020 Vit Mojzis <vmojzis@redhat.com> - 3.3.11-1
+- Add plugin which analyzes execmem denials
 - Add missing "If " strings
+- Update qemu_blk_image and qemu_file_image
+- Update "xen_image" plugin
+- Update "file" plugin
+- Update "missing" scripts to automake-1.15
 
-* Mon Aug 19 2019 Vit Mojzis <vmojzis@redhat.com> - 3.3.10-3
-- Rebuild with gating enabled (#1682462)
+* Thu Jan 30 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.3.10-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
 
-* Fri Aug 16 2019 Vit Mojzis <vmojzis@redhat.com> - 3.3.10-2
-- update "file" plugin (#1649818)
-- Update "xen_image" plugin (#1649831)
-- Update qemu_blk_image and qemu_file_image (#1649838)
+* Fri Jul 26 2019 Fedora Release Engineering <releng@fedoraproject.org> - 3.3.10-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
 
-* Fri Dec  7 2018 Petr Lautrbach <plautrba@redhat.com> - 3.3.10-1
+* Sat Feb 02 2019 Fedora Release Engineering <releng@fedoraproject.org> - 3.3.10-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Sat Dec  8 2018 Petr Lautrbach <plautrba@redhat.com> - 3.3.10-1
 - Handle no "allowed_target_types" properly
 - bind_ports: Do not use when there are no allowed_target_types
 - Fix summary and "if" text for AVCs with unknown target path
 - plugins: Update translations
 
+* Sat Jul 14 2018 Fedora Release Engineering <releng@fedoraproject.org> - 3.3.9-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Tue Jun 19 2018 Miro Hrončok <mhroncok@redhat.com> - 3.3.9-5
+- Rebuilt for Python 3.7
+
+* Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 3.3.9-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
 * Thu Nov 23 2017 Petr Lautrbach <plautrba@redhat.com> - 3.3.9-3
 - Update translations
 

sources

@@ -0,0 +1 @@
+SHA512 (setroubleshoot-plugins-3.3.14.tar.gz) = da6882a998aeade67891a722a5b94e2ba1072d9db5d73031854a2c0b51083a0eaf9519dd7987938a86c1f8d263d08882642ac447d7b4bbcd8a859db4b44d61c1

tests/Regression/use-of-aliases-in-plugins/main.fmf

@@ -0,0 +1,18 @@
+summary: Make sure all types used in setroubleshoot plugins are defined in the policy
+    and are not aliases
+contact: Vit Mojzis <vmojzis@redhat.com>
+component:
+  - setroubleshoot-plugins
+test: ./runtest.sh
+framework: beakerlib
+recommend:
+  - git
+  - libselinux-utils
+  - setroubleshoot-plugins
+  - policycoreutils
+  - selinux-policy-targeted
+  - python3-policycoreutils
+  - /usr/bin/python3
+duration: 10m
+extra-summary: /CoreOS/setroubleshoot-plugins/Regression/use-of-aliases-in-plugins
+extra-task: /CoreOS/setroubleshoot-plugins/Regression/use-of-aliases-in-plugins

tests/Regression/use-of-aliases-in-plugins/runtest.sh

@@ -0,0 +1,49 @@
+#!/bin/bash
+# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   runtest.sh of /CoreOS/setroubleshoot-plugins/Regression/use-of-aliases-in-plugins
+#   Description: Make sure all types used in setroubleshoot plugins are
+#                defined in the policy and are not aliases
+#   Author: Vit Mojzis <vmojzis@redhat.com>
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   Copyright (c) 2020 Red Hat, Inc.
+#
+#   This program is free software: you can redistribute it and/or
+#   modify it under the terms of the GNU General Public License as
+#   published by the Free Software Foundation, either version 2 of
+#   the License, or (at your option) any later version.
+#
+#   This program is distributed in the hope that it will be
+#   useful, but WITHOUT ANY WARRANTY; without even the implied
+#   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+#   PURPOSE.  See the GNU General Public License for more details.
+#
+#   You should have received a copy of the GNU General Public License
+#   along with this program. If not, see http://www.gnu.org/licenses/.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+# Include Beaker environment
+. /usr/share/beakerlib/beakerlib.sh || exit 1
+
+PACKAGE="setroubleshoot-plugins"
+
+rlJournalStart
+    rlPhaseStartSetup
+        rlAssertRpm ${PACKAGE}
+        rlRun "selinuxenabled" 0
+    rlPhaseEnd
+
+    rlPhaseStartTest "bz#1794807 - look for aliases and undefined types in plugins"
+        # lists all types not defined in the policy as "type_t not found"
+        # and all aliases as "alias_t is an alias of type_t"
+        # all issues are prefixed with a list of offending plugins
+        # returns 1 if an issue was found
+        rlRun "./test_aliases.py" 0
+    rlPhaseEnd
+rlJournalPrintText
+rlJournalEnd
+

tests/Regression/use-of-aliases-in-plugins/test_aliases.py

@@ -0,0 +1,65 @@
+#!/usr/bin/python3
+
+# lists all types not defined in the policy as "type_t not found"
+# and all aliases as "alias_t is an alias of type_t"
+# all issues are prefixed with a list of offending plugins
+# returns 1 if an issue was found
+
+import subprocess
+import sepolicy
+import sys
+import re
+from collections import defaultdict
+
+plugin_path = "/usr/share/setroubleshoot/plugins"
+error_code = 0
+
+if len(sys.argv) > 1:
+	plugin_path = sys.argv[1]
+
+try:
+	# search all plugin files in given location for the following pattern
+	# <plugin path>:<delimiter><type name>_t<delimiter>
+	g = subprocess.check_output('grep -I [^A-Za-z_][A-Za-z][A-Za-z_]*_t[^A-Za-z_] -o {}/*.py'.format(plugin_path),
+				     universal_newlines=True, shell=True)
+	lines = g.split('\n')
+except:
+	exit(1)
+# matches 2 groups: file name and type name
+# <path to plugins>(<plugin file name>):<delimiter>(<type name>_t)<delimiter>
+reg = re.compile('.*/(.+):[^A-Za-z_]([A-Za-z_]*_t)[^A-Za-z_]')
+# generate a dictionary of of all type names used in setroubleshoot plugins
+# where types are keys and lists of files where each type appeared are data
+found = defaultdict(set)
+
+for l in lines:
+	m = reg.match(l)
+
+	if m is None:
+		continue
+
+	try:
+		t = m.group(2)
+		if "_TYPE_" in t:
+			continue
+		found[t].add(m.group(1))
+	except:
+		# failed to match
+		continue
+
+for t in sorted(found.keys()):
+	try:
+		# try to find each type in system policy
+		i = next(sepolicy.info(sepolicy.TYPE, t))['name']
+		if t != i:
+			# <plugin file names>: alias_t is an alias of type_t
+			print("{}: {} is an alias of {}".format(", ".join(found[t]), t, i))
+			error_code = 1
+	except:
+		# skip types defined in selinux-policy modules that are not shipped any more
+		if t not in ["vbetool_t"]:
+			# <plugin file names>: type_t not found
+			print("{}: {} not found".format(", ".join(found[t]), t))
+			error_code = 1
+
+exit(error_code)